add rke2 support

9b8da7f7 · Tim Kreuzer · c2f57237 · 9b8da7f7 · 9b8da7f7
Commit 9b8da7f7 authored 1 month ago by Tim Kreuzer
--- a/managed_clusters/create.sh
+++ b/managed_clusters/create.sh
@@ -2,9 +2,24 @@

 ### Customization

-NAME="loki-1" # Enter a (ideally) unique name for the cluster
-PROJECT_ID="da90a49b04a54afca1298491a5e23ba5" # project id from the users project, where the k8s cluster should be created
-SUBNET_CIDR="10.0.180.0/24" # Unique CIDR (10.0.x.0/24) , each cluster needs a different subnet CIDR.
+NAME="blabladork8s" # Enter a (ideally) unique name for the cluster
+PROJECT_ID="3f8a1f8047b44653babe4b67af7ac84a" # project id from the users project, where the k8s cluster should be created
+SUBNET_CIDR="10.0.151.0/24" # Unique CIDR (10.0.x.0/24) , each cluster needs a different subnet CIDR.
+
+###
+# It is easier to setup a network, which uses the Management router to access the internet.
+# However, sometimes this is not the desired solution.
+# This flag allows you to use a project specific router.
+###
+USE_OWN_ROUTER="true"
+# Only required if USE_OWN_ROUTER is set to true
+if [[ $USE_OWN_ROUTER == "true" ]]; then
+    MANAGEMENT_ROUTER_INTERNAL_ID=5e048465-53ed-4f24-8eec-871cf7d668d5
+    USER_ROUTER_NAME=blablador_router
+fi
+
+USE_RKE2="true"
+

 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

@@ -21,8 +36,7 @@ mkdir -p ${DIR}/${NAME}

 # Some variables for our `jsc-cloud-team` management project
 MANAGEMENT_PROJECT_ID=2092d29f72ca4f32ac416cc545986007
-MANAGEMENT_ROUTER_ID=90d2a94c-3bff-4a79-88d2-00dc6626e278
-#MANAGEMENT_ROUTER_INTERNAL_ID=5e048465-53ed-4f24-8eec-871cf7d668d5
+MANAGEMENT_ROUTER_ID=0cb50dae-dcf9-4c40-8286-f14423a3d471
 MANAGEMENT_NETWORK_CIDR="10.0.1.0/24"
 MANAGEMENT_GATEWAY_INTERNAL="10.0.1.253"
 MANAGEMENT_SECGROUP_ID=7b7de2f9-a561-4f3c-929a-fd8bc26a0d2c
@@ -45,13 +59,16 @@ fi
 source ${DIR}/management_credentials.sh

 if [[ $CREATE == "true" ]]; then
-    # Add port from shared network to jsc-cloud-team's internal router
-    #INTERNAL_ROUTER_PORT_ID=$(openstack port create --network $USER_NETWORK_ID -f value -c id ${NAME})
-    #INTERNAL_ROUTER_PORT_IP=$(openstack port show $INTERNAL_ROUTER_PORT_ID -f json -c fixed_ips | jq -r '.fixed_ips[0].ip_address')
-    #openstack router add port $MANAGEMENT_ROUTER_INTERNAL_ID $INTERNAL_ROUTER_PORT_ID
-    openstack router add subnet $MANAGEMENT_ROUTER_ID $USER_SUBNET_ID
+    if [[ $USE_OWN_ROUTER == "true" ]]; then
+        # Create new port in shared network and attach it to the internal router
+        INTERNAL_ROUTER_PORT_ID=$(openstack port create --network $USER_NETWORK_ID -f value -c id ${NAME})
+        INTERNAL_ROUTER_PORT_IP=$(openstack port show $INTERNAL_ROUTER_PORT_ID -f json -c fixed_ips | jq -r '.fixed_ips[0].ip_address')
+        openstack router add port $MANAGEMENT_ROUTER_INTERNAL_ID $INTERNAL_ROUTER_PORT_ID
        # Set static route for external (default) router
-    #openstack router set --route destination=$SUBNET_CIDR,gateway=$MANAGEMENT_GATEWAY_INTERNAL $MANAGEMENT_ROUTER_ID
+        openstack router set --route destination=$SUBNET_CIDR,gateway=$MANAGEMENT_GATEWAY_INTERNAL $MANAGEMENT_ROUTER_ID
+    else
+        openstack router add subnet $MANAGEMENT_ROUTER_ID $USER_SUBNET_ID
+    fi
    # Add security group rules to allow new cluster to reach Rancher VMs
    openstack security group rule create --dst-port 443 --remote-ip=$SUBNET_CIDR --protocol tcp --description "Rancher access for ${NAME} cluster" $MANAGEMENT_SECGROUP_ID -f value -c id
    openstack security group rule create --dst-port 111 --remote-ip=$SUBNET_CIDR --protocol tcp --description "NFS access for ${NAME} cluster" $MANAGEMENT_SECGROUP_ID -f value -c id
@@ -64,12 +81,32 @@ fi
 source ${DIR}/${NAME}_credentials.sh

 if [[ $CREATE == "true" ]]; then
+    if [[ $USE_OWN_ROUTER == "true" ]]; then
        # Set static route for <user> project router
-    # openstack router set --route destination=$MANAGEMENT_NETWORK_CIDR,gateway=$INTERNAL_ROUTER_PORT_IP $USER_ROUTER_ID
+        USER_ROUTER_ID=$(openstack router show -f value -c id ${USER_ROUTER_NAME})
+        openstack router add subnet $USER_ROUTER_ID $USER_SUBNET_ID
+        openstack router set --route destination=$MANAGEMENT_NETWORK_CIDR,gateway=$INTERNAL_ROUTER_PORT_IP $USER_ROUTER_ID
+    fi

    # Create security group
    # More details: https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements
    USER_SEC_GROUP_ID=$(openstack security group create ${NAME} -c id -f value)
+    if [[ $USE_RKE2 == "true" ]]; then
+        openstack security group rule create --dst-port 9345 --remote-ip=$SUBNET_CIDR --protocol tcp --description "Node registration" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 6443 --remote-ip=$SUBNET_CIDR --protocol tcp --description "Kubernetes API" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 8472 --remote-ip=$SUBNET_CIDR --protocol udp --description "Flannel VXLAN" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 10250 --remote-ip=$SUBNET_CIDR --protocol tcp --description "kubelet, metrics server" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 2379 --remote-ip=$SUBNET_CIDR --protocol tcp --description "etcd client port" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 2380 --remote-ip=$SUBNET_CIDR --protocol tcp --description "etcd peer port" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 30000:32767 --remote-ip=$SUBNET_CIDR --protocol tcp --description "NodePort port range" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 30000:32767 --remote-ip=$SUBNET_CIDR --protocol udp --description "NodePort port range" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 5473 --remote-ip=$SUBNET_CIDR --protocol tcp --description "Calico" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 80 --remote-ip=$SUBNET_CIDR --protocol tcp --description "Rancher UI/API" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 443 --remote-ip=$SUBNET_CIDR --protocol tcp --description "Rancher agent, UI/API, kubectl" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 22 --remote-ip=$SUBNET_CIDR --protocol tcp --description "ssh" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 22 --remote-ip=$MANAGEMENT_NETWORK_CIDR --protocol tcp --description "SSH provisioning of node by RKE" $USER_SEC_GROUP_ID -f value -c id
+        openstack security group rule create --dst-port 2376 --remote-ip=$MANAGEMENT_NETWORK_CIDR --protocol tcp --description "Docker daemon TLS port used by node driver" $USER_SEC_GROUP_ID -f value -c id
+    else
        openstack security group rule create --dst-port 22 --remote-ip=$MANAGEMENT_NETWORK_CIDR --protocol tcp --description "SSH provisioning of node by RKE" $USER_SEC_GROUP_ID -f value -c id
        openstack security group rule create --dst-port 2376 --remote-ip=$MANAGEMENT_NETWORK_CIDR --protocol tcp --description "Docker daemon TLS port used by node driver" $USER_SEC_GROUP_ID -f value -c id
        openstack security group rule create --dst-port 80 --remote-ip=$SUBNET_CIDR --protocol tcp --description "http ingress" $USER_SEC_GROUP_ID -f value -c id
@@ -83,6 +120,7 @@ if [[ $CREATE == "true" ]]; then
        openstack security group rule create --dst-port 10254 --remote-ip=$SUBNET_CIDR --protocol tcp --description "Ingress controller livenessProbe/readinessProbe" $USER_SEC_GROUP_ID -f value -c id
        openstack security group rule create --dst-port 30000:32767 --remote-ip=$SUBNET_CIDR --protocol tcp --description "NodePort port range" $USER_SEC_GROUP_ID -f value -c id
        openstack security group rule create --dst-port 30000:32767 --remote-ip=$SUBNET_CIDR --protocol udp --description "NodePort port range" $USER_SEC_GROUP_ID -f value -c id
+    fi

    # Create a keypair, will be used to bootstrap VMs of the new cluster
    openstack keypair create ${NAME} > ${DIR}/${NAME}/keypair.key
@@ -99,9 +137,12 @@ echo "applicationCredentialId:     ${OS_APPLICATION_CREDENTIAL_ID}"
 echo "applicationCredentialSecret: ${OS_APPLICATION_CREDENTIAL_SECRET}"
 echo "authUrl:                     https://cloud.jsc.fz-juelich.de:5000/v3"
 echo "domainId:                    default"
+echo "flavorId:                    bccc50e4-b3e2-4486-a8f2-628b662b3e15 (16Cpu / 64GB)"
+echo "flavorId:                    044f173e-bf2b-4d5a-b326-cf4e2e7416fe (16Cpu / 32GB)"
+echo "flavorId:                    373b1465-5a84-4ac6-b264-182099406441 (4Cpu / 16GB)"
 echo "flavorId:                    d468d3fb-18da-4bd3-94ce-9c4793cf2082 (4Cpu / 8GB)"
 echo "flavorId:                    05572232-73cc-4dfc-87af-b9f84d56bd33 (2Cpu / 4GB)"
-echo "imageId:                     1b14ce21-5bd3-4776-860f-8d77a0232d24"
+echo "imageId:                     efee49e6-c2ab-4242-83ca-5ca78f4548fa"
 echo "keypairName:                 ${NAME}"
 echo "netId:                       ${USER_NETWORK_ID}"
 echo "privateKeyFile:"

--- a/managed_clusters/delete.sh
+++ b/managed_clusters/delete.sh
@@ -2,8 +2,8 @@

 ### Customization

-NAME=""
-SUBNET_CIDR=""
+NAME="blablador"
+SUBNET_CIDR="10.0.150.0/24"

 ###