OSP SG creation for deploying a new OCP worker on a separate subnet
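---
# Creates a security group for OCP workers placed on a separate subnet and
# opens the ports those workers need on the existing master and worker
# security groups. Rules are ingress rules scoped by remote_ip_prefix to the
# new subnet (os_new_subnet_range) or to the original nodes subnet
# (os_subnet_range); a rule without remote_ip_prefix matches any source.
#
# Required Python packages:
#
#   ansible
#   openstackclient
#   openstacksdk
- hosts: localhost
  gather_facts: false
  vars:
    ansible_python_interpreter: "/var/tmp/venv_shade/bin/python"
  tasks:
    - name: 'Set deployment inputs'
      set_fact:
        infraID: "ostest-p7sj6"                 # update this with the proper value
        os_subnet_range: '10.128.0.0/14'        # update this with the proper value
        os_new_subnet_range: '192.168.123.0/24' # subnet the additional workers live on

    - name: 'Compute resource names'
      set_fact:
        cluster_id_tag: "openshiftClusterID={{ infraID }}"
        os_infra_id: "{{ infraID }}"
        os_network: "{{ infraID }}-network"
        os_subnet: "{{ infraID }}-nodes"
        os_router: "{{ infraID }}-external-router"
        # Port names
        os_port_api: "{{ infraID }}-api-port"
        os_port_ingress: "{{ infraID }}-ingress-port"
        os_port_bootstrap: "{{ infraID }}-bootstrap-port"
        os_port_master: "{{ infraID }}-master-port"
        os_port_worker: "{{ infraID }}-worker-port"
        # Security group names
        os_sg_master: "{{ infraID }}-master"
        os_sg_worker: "{{ infraID }}-worker"
        os_sg_new_worker: "{{ infraID }}-worker-additional"
        # Server names
        os_bootstrap_server_name: "{{ infraID }}-bootstrap"
        os_cp_server_name: "{{ infraID }}-master"
        os_cp_server_group_name: "{{ infraID }}-master"
        os_compute_server_name: "{{ infraID }}-worker"
        # Trunk names
        os_cp_trunk_name: "{{ infraID }}-master-trunk"
        os_compute_trunk_name: "{{ infraID }}-worker-trunk"
        # Subnet pool name
        subnet_pool: "{{ infraID }}-kuryr-pod-subnetpool"
        # Service network name
        os_svc_network: "{{ infraID }}-kuryr-service-network"
        # Service subnet name
        os_svc_subnet: "{{ infraID }}-kuryr-service-subnet"
        # Ignition files
        os_bootstrap_ignition: "{{ infraID }}-bootstrap-ignition.json"

    - name: 'Create the additional worker security group'
      os_security_group:
        name: "{{ os_sg_new_worker }}"

    # The original command passed no --tag, so the cluster id tag was never
    # applied; the tag is what lets the cluster (and its teardown) find the
    # security group.
    - name: 'Set worker security group tag'
      command:
        cmd: "openstack security group set --tag {{ cluster_id_tag }} {{ os_sg_new_worker }}"

    # --- master-sg: allow the new subnet to reach control-plane services ---

    - name: 'Create master-sg rule "machine config server"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 22623
        port_range_max: 22623

    - name: 'Create master-sg rule "DNS (TCP)"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        protocol: tcp
        port_range_min: 53
        port_range_max: 53

    - name: 'Create master-sg rule "DNS (UDP)"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        protocol: udp
        port_range_min: 53
        port_range_max: 53

    - name: 'Create master-sg rule "mDNS"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        protocol: udp
        port_range_min: 5353
        port_range_max: 5353

    - name: 'Create master-sg rule "VXLAN"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 4789
        port_range_max: 4789

    - name: 'Create master-sg rule "Geneve"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 6081
        port_range_max: 6081

    - name: 'Create master-sg rule "ovndb"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 6641
        port_range_max: 6642

    - name: 'Create master-sg rule "master ingress internal (TCP)"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 9000
        port_range_max: 9999

    - name: 'Create master-sg rule "master ingress internal (UDP)"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 9000
        port_range_max: 9999

    - name: 'Create master-sg rule "kube scheduler"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 10259
        port_range_max: 10259

    - name: 'Create master-sg rule "kube controller manager"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 10257
        port_range_max: 10257

    - name: 'Create master-sg rule "master ingress kubelet secure"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 10250
        port_range_max: 10250

    - name: 'Create master-sg rule "etcd"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 2379
        port_range_max: 2380

    - name: 'Create master-sg rule "master ingress services (TCP)"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 30000
        port_range_max: 32767

    - name: 'Create master-sg rule "master ingress services (UDP)"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 30000
        port_range_max: 32767

    # VRRP is IP protocol number 112; quoted so YAML keeps it a string.
    - name: 'Create master-sg rule "VRRP"'
      os_security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: '112'
        remote_ip_prefix: "{{ os_new_subnet_range }}"

    # --- worker-sg: allow the new subnet to reach the existing workers ---

    - name: 'Create worker-sg rule "mDNS"'
      os_security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 5353
        port_range_max: 5353

    - name: 'Create worker-sg rule "router"'
      os_security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 1936
        port_range_max: 1936

    - name: 'Create worker-sg rule "VXLAN"'
      os_security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 4789
        port_range_max: 4789

    - name: 'Create worker-sg rule "Geneve"'
      os_security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 6081
        port_range_max: 6081

    - name: 'Create worker-sg rule "worker ingress internal (TCP)"'
      os_security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 9000
        port_range_max: 9999

    - name: 'Create worker-sg rule "worker ingress internal (UDP)"'
      os_security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 9000
        port_range_max: 9999

    - name: 'Create worker-sg rule "worker ingress kubelet insecure"'
      os_security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 10250
        port_range_max: 10250

    - name: 'Create worker-sg rule "worker ingress services (TCP)"'
      os_security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 30000
        port_range_max: 32767

    - name: 'Create worker-sg rule "worker ingress services (UDP)"'
      os_security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 30000
        port_range_max: 32767

    - name: 'Create worker-sg rule "VRRP"'
      os_security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: '112'
        remote_ip_prefix: "{{ os_new_subnet_range }}"

    # --- additional-worker-sg: rules with no remote_ip_prefix ---
    # These four rules have no remote_ip_prefix and therefore accept traffic
    # from any source. HTTP/HTTPS are the ingress router ports; ICMP and SSH
    # should be narrowed to a management/bastion CIDR where the environment
    # does not need them reachable from everywhere.

    - name: 'Create additional-worker-sg rule "ICMP"'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: icmp

    - name: 'Create additional-worker-sg rule "SSH"'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: tcp
        port_range_min: 22
        port_range_max: 22

    - name: 'Create additional-worker-sg rule "Ingress HTTP"'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: tcp
        port_range_min: 80
        port_range_max: 80

    - name: 'Create additional-worker-sg rule "Ingress HTTPS"'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: tcp
        port_range_min: 443
        port_range_max: 443

    # --- additional-worker-sg: traffic from the new subnet itself ---

    - name: 'Create additional-worker-sg rule "mDNS" (new subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 5353
        port_range_max: 5353

    - name: 'Create additional-worker-sg rule "router" (new subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 1936
        port_range_max: 1936

    - name: 'Create additional-worker-sg rule "VXLAN" (new subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 4789
        port_range_max: 4789

    - name: 'Create additional-worker-sg rule "Geneve" (new subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 6081
        port_range_max: 6081

    - name: 'Create additional-worker-sg rule "worker ingress internal (TCP)" (new subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 9000
        port_range_max: 9999

    - name: 'Create additional-worker-sg rule "worker ingress internal (UDP)" (new subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 9000
        port_range_max: 9999

    - name: 'Create additional-worker-sg rule "worker ingress kubelet insecure" (new subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 10250
        port_range_max: 10250

    - name: 'Create additional-worker-sg rule "worker ingress services (TCP)" (new subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 30000
        port_range_max: 32767

    - name: 'Create additional-worker-sg rule "worker ingress services (UDP)" (new subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_new_subnet_range }}"
        port_range_min: 30000
        port_range_max: 32767

    - name: 'Create additional-worker-sg rule "VRRP" (new subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: '112'
        remote_ip_prefix: "{{ os_new_subnet_range }}"

    # --- additional-worker-sg: traffic from the original nodes subnet ---

    - name: 'Create additional-worker-sg rule "mDNS" (nodes subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 5353
        port_range_max: 5353

    - name: 'Create additional-worker-sg rule "router" (nodes subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 1936
        port_range_max: 1936

    - name: 'Create additional-worker-sg rule "VXLAN" (nodes subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 4789
        port_range_max: 4789

    - name: 'Create additional-worker-sg rule "Geneve" (nodes subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 6081
        port_range_max: 6081

    - name: 'Create additional-worker-sg rule "worker ingress internal (TCP)" (nodes subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 9000
        port_range_max: 9999

    - name: 'Create additional-worker-sg rule "worker ingress internal (UDP)" (nodes subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 9000
        port_range_max: 9999

    - name: 'Create additional-worker-sg rule "worker ingress kubelet insecure" (nodes subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 10250
        port_range_max: 10250

    - name: 'Create additional-worker-sg rule "worker ingress services (TCP)" (nodes subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 30000
        port_range_max: 32767

    - name: 'Create additional-worker-sg rule "worker ingress services (UDP)" (nodes subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 30000
        port_range_max: 32767

    - name: 'Create additional-worker-sg rule "VRRP" (nodes subnet)'
      os_security_group_rule:
        security_group: "{{ os_sg_new_worker }}"
        protocol: '112'
        remote_ip_prefix: "{{ os_subnet_range }}"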