From a8c5a0afdc1049b410ee4c14c4d2de48c2935884 Mon Sep 17 00:00:00 2001
From: Hugo Blom <bl0m1@users.noreply.github.com>
Date: Mon, 7 Oct 2019 13:09:09 +0200
Subject: [PATCH] Make it possible to disable access_ip (openstack provider)
 (#5239)

* Add a variable to disable access_ip

* Document the use of use_access_ip
---
 contrib/terraform/openstack/README.md         |  5 ++++-
 contrib/terraform/openstack/kubespray.tf      |  1 +
 .../openstack/modules/compute/main.tf         | 20 ++++++++++++++++++-
 .../openstack/modules/compute/variables.tf    |  2 ++
 .../openstack/modules/ips/variables.tf        |  2 +-
 contrib/terraform/openstack/variables.tf      |  4 ++++
 contrib/terraform/terraform.py                |  5 +++++
 7 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/contrib/terraform/openstack/README.md b/contrib/terraform/openstack/README.md
index acd00648a..8aebbf52b 100644
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -426,7 +426,10 @@ resolvconf_mode: host_resolvconf
 ```
 node_volume_attach_limit: 26
 ```
-
+- Disable access_ip, this will make all innternal cluster traffic to be sent over local network when a floating IP is attached (default this value is set to 1)
+```
+use_access_ip: 0
+```
 
 ### Deploy Kubernetes
 
diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index f7ffaba56..b26961d6f 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -70,6 +70,7 @@ module "compute" {
   supplementary_node_groups                    = "${var.supplementary_node_groups}"
   worker_allowed_ports                         = "${var.worker_allowed_ports}"
   wait_for_floatingip                          = "${var.wait_for_floatingip}"
+  use_access_ip                                = "${var.use_access_ip}"
 
   network_id = "${module.network.router_id}"
 }
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index abca8ab72..c181ccfe6 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -114,6 +114,7 @@ resource "openstack_compute_instance_v2" "bastion" {
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "bastion"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 
   provisioner "local-exec" {
@@ -149,6 +150,7 @@ resource "openstack_compute_instance_v2" "bastion_custom_volume_size" {
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "bastion"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 
   provisioner "local-exec" {
@@ -176,6 +178,7 @@ resource "openstack_compute_instance_v2" "k8s_master" {
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "etcd,kube-master,${var.supplementary_master_groups},k8s-cluster,vault"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 
   provisioner "local-exec" {
@@ -212,8 +215,9 @@ resource "openstack_compute_instance_v2" "k8s_master_custom_volume_size" {
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "etcd,kube-master,${var.supplementary_master_groups},k8s-cluster,vault"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
-
+  
   provisioner "local-exec" {
     command = "sed s/USER/${var.ssh_user}/ ../../contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element( concat(var.bastion_fips, var.k8s_master_fips), 0)}/ > group_vars/no-floating.yml"
   }
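Review bot: The empty line between the metadata block and the `provisioner "local-exec"` block in `k8s_master_custom_volume_size` is replaced by a line holding only two spaces. That is trailing whitespace unrelated to the feature, and it makes this resource differ from its siblings for no reason. Restore the empty line so the hunk carries only the `use_access_ip` addition.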
@@ -239,6 +243,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "kube-master,${var.supplementary_master_groups},k8s-cluster,vault"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 
   provisioner "local-exec" {
@@ -275,6 +280,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd_custom_volume_size"
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "kube-master,${var.supplementary_master_groups},k8s-cluster,vault"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 
   provisioner "local-exec" {
@@ -300,6 +306,7 @@ resource "openstack_compute_instance_v2" "etcd" {
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "etcd,vault,no-floating"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 }
 
@@ -330,6 +337,7 @@ resource "openstack_compute_instance_v2" "etcd_custom_volume_size" {
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "etcd,vault,no-floating"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 }
 
@@ -353,6 +361,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "etcd,kube-master,${var.supplementary_master_groups},k8s-cluster,vault,no-floating"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 }
 
@@ -385,6 +394,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_custom_volum
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "etcd,kube-master,${var.supplementary_master_groups},k8s-cluster,vault,no-floating"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 }
 
@@ -408,6 +418,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "kube-master,${var.supplementary_master_groups},k8s-cluster,vault,no-floating"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 }
 
@@ -440,6 +451,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd_cust
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "kube-master,${var.supplementary_master_groups},k8s-cluster,vault,no-floating"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 }
 
@@ -463,6 +475,7 @@ resource "openstack_compute_instance_v2" "k8s_node" {
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "kube-node,k8s-cluster,${var.supplementary_node_groups}"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 
   provisioner "local-exec" {
@@ -499,6 +512,7 @@ resource "openstack_compute_instance_v2" "k8s_node_custom_volume_size" {
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "kube-node,k8s-cluster,${var.supplementary_node_groups}"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 
   provisioner "local-exec" {
@@ -526,6 +540,7 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "kube-node,k8s-cluster,no-floating,${var.supplementary_node_groups}"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 }
 
@@ -558,6 +573,7 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip_custom_volume_
     ssh_user         = "${var.ssh_user}"
     kubespray_groups = "kube-node,k8s-cluster,no-floating,${var.supplementary_node_groups}"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 }
 
@@ -647,6 +663,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
     ssh_user         = "${var.ssh_user_gfs}"
     kubespray_groups = "gfs-cluster,network-storage,no-floating"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 }
 
@@ -677,6 +694,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip_custom_v
     ssh_user         = "${var.ssh_user_gfs}"
     kubespray_groups = "gfs-cluster,network-storage,no-floating"
     depends_on       = "${var.network_id}"
+    use_access_ip    = "${var.use_access_ip}"
   }
 }
 
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 06d48aa5a..4a9680e6f 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -105,3 +105,5 @@ variable "supplementary_node_groups" {
 variable "worker_allowed_ports" {
   type = "list"
 }
+
+variable "use_access_ip" {}
\ No newline at end of file
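Review bot: `variable "use_access_ip" {}` is declared without a description, and the root declaration in `contrib/terraform/openstack/variables.tf` (`default = 1`) has none either, so the meaning of the flag lives only in the README. Something like `description = "Set to 0 to drop access_ip from the generated inventory so cluster-internal traffic stays on the local network; 1 keeps the floating IP as access_ip"` on both would document it where it is defined. The number `1` is later compared against the string `"0"` in `terraform.py`, so the description should also say that only `0` and `1` are expected. The file now ends without a trailing newline; add one.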
diff --git a/contrib/terraform/openstack/modules/ips/variables.tf b/contrib/terraform/openstack/modules/ips/variables.tf
index acc3ced38..a2cb54538 100644
--- a/contrib/terraform/openstack/modules/ips/variables.tf
+++ b/contrib/terraform/openstack/modules/ips/variables.tf
@@ -14,4 +14,4 @@ variable "network_name" {}
 
 variable "router_id" {
   default = ""
-}
+}
\ No newline at end of file
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index b22ac5b14..218c82add 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -206,3 +206,7 @@ variable "worker_allowed_ports" {
     },
   ]
 }
+
+variable "use_access_ip" {
+  default = 1
+}
diff --git a/contrib/terraform/terraform.py b/contrib/terraform/terraform.py
index f339539f2..fa490d816 100755
--- a/contrib/terraform/terraform.py
+++ b/contrib/terraform/terraform.py
@@ -339,14 +339,19 @@ def iter_host_ips(hosts, ips):
     '''Update hosts that have an entry in the floating IP list'''
     for host in hosts:
         host_id = host[1]['id']
+        use_access_ip = host[1]['metadata']['use_access_ip']
         if host_id in ips:
             ip = ips[host_id]
+            
             host[1].update({
                 'access_ip_v4': ip,
                 'access_ip': ip,
                 'public_ipv4': ip,
                 'ansible_ssh_host': ip,
             })
+
+            if use_access_ip == "0":
+                host[1].pop('access_ip')
         yield host
 
 
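Review bot: The new lookup `host[1]['metadata']['use_access_ip']` at the top of the loop raises KeyError for any host whose metadata lacks the key, for example instances recorded in state before this change or a resource that did not receive the new metadata line, and it runs even for hosts that are not in `ips`. Reading it with a default keeps the previous behaviour for such hosts: `use_access_ip = host[1].get('metadata', {}).get('use_access_ip', '1')`. The test `use_access_ip == "0"` matches only that exact string, so a short comment that the value arrives as a string from instance metadata (presumably; confirm against the state parser) would help the next reader. Only `access_ip` is removed while `access_ip_v4` stays set to the floating IP; if that is intended, say so in a comment, since the README presents this flag as what keeps internal cluster traffic on the local network. The `def` line of `iter_host_ips` sits in the hunk header, outside the hunk.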
-- 
GitLab