From 52e847832c1bd41327449fee6d692f93a826398e Mon Sep 17 00:00:00 2001 From: Roman Hros Date: Fri, 6 Oct 2023 11:29:05 +0200 Subject: [PATCH 01/12] Replace Terraform with OpenTofu Resolves #594 Signed-off-by: Roman Hros --- playbooks/dependencies.yaml | 55 ++++++++++++++++++++++++++++++++----- terraform/Makefile | 38 ++++++++++++------------- terraform/main.tf | 2 +- 3 files changed, 68 insertions(+), 27 deletions(-) diff --git a/playbooks/dependencies.yaml b/playbooks/dependencies.yaml index a9c47096..78d606c0 100644 --- a/playbooks/dependencies.yaml +++ b/playbooks/dependencies.yaml @@ -7,17 +7,17 @@ kubectl_version: "1.28.1" openstackclient_version: "6.2.0" octaviaclient_version: "3.4.0" - tf_version: "1.4.6" + opentofu_version: "1.6.0-alpha2" install_dir: "{{ ansible_user_dir }}/.local/bin" environment: PATH: "{{ install_dir }}:{{ ansible_env.PATH }}" roles: - role: ensure-pip # https://zuul-ci.org/docs/zuul-jobs/latest/python-roles.html#role-ensure-pip - - role: ensure-terraform # https://zuul-ci.org/docs/zuul-jobs/latest/hashicorp-roles.html#role-ensure-terraform - vars: - terraform_version: "{{ tf_version }}" - terraform_install_dir: "{{ install_dir }}" tasks: + - name: Make sure installation directory exists + file: + path: "{{ install_dir }}" + state: directory - name: Install jq get_url: url: "https://github.com/jqlang/jq/releases/download/jq-{{ jq_version }}/jq-linux64" 
@@ -44,6 +44,47 @@ extra_args: --user - name: Install ip command package: - name: - - iproute2 + name: iproute2 become: true + - name: Install OpenTofu + # TODO: write separate role ensure-opentofu, see https://opendev.org/zuul/zuul-jobs/src/branch/master/roles/ensure-terraform + block: + - name: Check if unzip is installed + command: "unzip -v" + failed_when: false + register: _unzip_probe + - name: Install unzip + when: _unzip_probe.rc != 0 + package: + name: unzip + become: true + - name: Create temp directory + tempfile: + state: directory + register: tofu_install_tempdir + - name: Download OpenTofu archive + get_url: + url: "https://github.com/opentofu/opentofu/releases/download/v{{ opentofu_version }}/tofu_{{ opentofu_version }}_linux_amd64.zip" + dest: "{{ tofu_install_tempdir.path }}/opentofu.zip" + # TODO: checksum + - name: Create OpenTofu package directory + file: + path: "{{ tofu_install_tempdir.path }}/opentofu" + state: directory + - name: Unarchive OpenTofu + unarchive: + src: "{{ tofu_install_tempdir.path }}/opentofu.zip" + dest: "{{ tofu_install_tempdir.path }}/opentofu" + remote_src: true + - name: Install OpenTofu + copy: + src: "{{ tofu_install_tempdir.path }}/opentofu/tofu" + dest: "{{ install_dir }}/tofu" + mode: "+x" + remote_src: true + - name: Remove temp directory + file: + path: "{{ tofu_install_tempdir }}" + state: absent + - name: Output OpenTofu version + command: "tofu version" diff --git a/terraform/Makefile b/terraform/Makefile index 897e25dc..8ba0cb9b 100644 --- a/terraform/Makefile +++ b/terraform/Makefile @@ -19,7 +19,7 @@ else endif USERNAME=$(shell ( grep '^ssh_username' environments/environment-$(ENVIRONMENT).tfvars || echo ubuntu ) | $(SED) 's@^ssh_username[^=]*= *"*\([^"]*\).*$$@\1@' ) -# if enabled, use s3 for remote terraform state +# if enabled, use s3 for remote tofu state ifneq (,$(wildcard ./minio.env)) include minio.env endif 
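Review bot: The `Download OpenTofu archive` task fetches a binary that is later copied into `{{ install_dir }}` and executed, but nothing verifies its integrity; the `# TODO: checksum` comment is the only trace of a check. `get_url` accepts a `checksum` parameter, so the task could carry `checksum: "sha256:{{ opentofu_sha256 }}"`, with the digest pinned next to `opentofu_version` in the play vars (`opentofu_sha256` is a placeholder name, not a variable that exists on this page). A digest pinned in the repository protects against a replaced release asset, whereas a checksum file fetched from the same release URL only catches transfer corruption. The same TODO is still present in the `@@ -49,42 +50,41 @@` hunk of PATCH 03/12.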
@@ -48,20 +48,20 @@ GITREFERENCE=$(shell git rev-parse HEAD) GITREPO=$(shell git config --get remote.origin.url | $(SED) 's%git@\([^:]*\):%https://\1/%') init: mycloud - @if [ ! -d .terraform/plugins ]; then terraform init; fi - @terraform workspace select ${ENVIRONMENT} || terraform workspace new ${ENVIRONMENT} + @if [ ! -d .terraform/plugins ]; then tofu init; fi + @tofu workspace select ${ENVIRONMENT} || tofu workspace new ${ENVIRONMENT} attach: init - @terraform import -var-file="environments/environment-$(ENVIRONMENT).tfvars" $(RESOURCE) $(PARAMS) + @tofu import -var-file="environments/environment-$(ENVIRONMENT).tfvars" $(RESOURCE) $(PARAMS) detach: init - @terraform state rm $(RESOURCE) $(PARAMS) + @tofu state rm $(RESOURCE) $(PARAMS) state-push: init - @terraform state push $(STATE) + @tofu state push $(STATE) dry-run: init - terraform plan -var-file="environments/environment-$(ENVIRONMENT).tfvars" -var "git_reference=$(GITREFERENCE)" $(PARAMS) + tofu plan -var-file="environments/environment-$(ENVIRONMENT).tfvars" -var "git_reference=$(GITREFERENCE)" $(PARAMS) mycloud: environments/environment-$(ENVIRONMENT).tfvars @if [ -f "clouds.yaml" ]; then \ 
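Review bot: The guard in `init`, `if [ ! -d .terraform/plugins ]; then tofu init; fi`, tests a directory that current releases probably never create. As far as I know, providers have been installed under `.terraform/providers` since Terraform 0.13, and OpenTofu 1.6 keeps that layout. If so, `tofu init` runs on every target that depends on `init`, which is harmless but slow and hides the intent of the check. Testing `.terraform/providers` instead would make the guard effective; confirm against a real working directory first.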
@@ -88,18 +88,18 @@ create: init echo "Management cluster with prefix $(PREFIX) already exists. This is not supported due to unexpected side-effects." && exit 1; \ else \ touch .deploy.$(ENVIRONMENT); \ - terraform apply -auto-approve -var-file="environments/environment-$(ENVIRONMENT).tfvars" -var "git_reference=$(GITREFERENCE)" -var "git_repo=$(GITREPO)"; \ + tofu apply -auto-approve -var-file="environments/environment-$(ENVIRONMENT).tfvars" -var "git_reference=$(GITREFERENCE)" -var "git_repo=$(GITREPO)"; \ fi show: init - @terraform show + @tofu show clean: init @if test -e ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); then source ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); \ ssh -o StrictHostKeyChecking=no -i .deploy.id_rsa.$(ENVIRONMENT) $(USERNAME)@$$MGMTCLUSTER_ADDRESS "timeout 320 ~/bin/cleanup.sh || true"; fi - terraform destroy -auto-approve -var-file="environments/environment-$(ENVIRONMENT).tfvars" $(PARAMS) - @terraform workspace select default - terraform workspace delete $(ENVIRONMENT) + tofu destroy -auto-approve -var-file="environments/environment-$(ENVIRONMENT).tfvars" $(PARAMS) + @tofu workspace select default + tofu workspace delete $(ENVIRONMENT) @if test -e ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); then source ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); ssh-keygen -R $$MGMTCLUSTER_ADDRESS -f ~/.ssh/known_hosts; fi @rm -f .deploy.$(ENVIRONMENT) .deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT) .deploy.id_rsa.$(ENVIRONMENT) mycloud.$(ENVIRONMENT).yaml @rm -f .kubeconfig.$(ENVIRONMENT) $(TESTCLUSTER).yaml.$(ENVIRONMENT) clusterctl.$(TESTCLUSTER).yaml.$(ENVIRONMENT) $(TESTCLUSTER)-config.yaml.$(ENVIRONMENT) 
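Review bot: The `clean` recipe, carried over here as unchanged context, connects with `ssh -o StrictHostKeyChecking=no` and the deployment key, so a new or changed host key at `$$MGMTCLUSTER_ADDRESS` is accepted without verification before `cleanup.sh` runs there. `-o StrictHostKeyChecking=accept-new` would still allow the first connection to a freshly created VM but refuse a key that has changed since. The recipe already drops the stale entry with `ssh-keygen -R` at the end, so a re-created host on the same address would keep working. The body of `clean` continues past the end of this hunk.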
@@ -115,7 +115,7 @@ forceclean: $(MAKE) clean purge: - @echo "Warning, going to delete ALL resources in $(ENVIRONMENT), even those that have not been created by the CAPI or terraform. The SSH-Key $(PREFIX)-keypair will be removed for all projects." + @echo "Warning, going to delete ALL resources in $(ENVIRONMENT), even those that have not been created by the CAPI or tofu. The SSH-Key $(PREFIX)-keypair will be removed for all projects." @echo "Application credentials $(PREFIX)-appcred and $(PREFIX)-$(TESTCLUSTER)-appcred will be also removed for all projects." @read -p "Continue? (y/n) " -r; \ if [[ ! $$REPLY =~ ^[Yy] ]]; \ @@ -126,8 +126,8 @@ purge: @$(OPENSTACK) application credential delete $(PREFIX)-appcred || true @$(OPENSTACK) application credential delete $(PREFIX)-$(TESTCLUSTER)-appcred || true @ospurge --purge-own-project --os-cloud $(ENVIRONMENT) --verbose || true - @terraform workspace select default - @terraform workspace delete -force $(ENVIRONMENT) || true + @tofu workspace select default + @tofu workspace delete -force $(ENVIRONMENT) || true @if test -e ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); then source ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); ssh-keygen -R $$MGMTCLUSTER_ADDRESS -f ~/.ssh/known_hosts; fi @rm -f .deploy.$(ENVIRONMENT) .deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT) .deploy.id_rsa.$(ENVIRONMENT) mycloud.$(ENVIRONMENT).yaml @rm -f .kubeconfig.$(ENVIRONMENT) $(TESTCLUSTER).yaml.$(ENVIRONMENT) clusterctl.$(TESTCLUSTER).yaml.$(ENVIRONMENT) $(TESTCLUSTER)-config.yaml.$(ENVIRONMENT) @@ -137,7 +137,7 @@ purge: @ospurge --purge-own-project --os-cloud $(ENVIRONMENT) --verbose list: init - @terraform state list + @tofu state list ssh: .deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT) .deploy.id_rsa.$(ENVIRONMENT) @source ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); \ 
@@ -165,15 +165,15 @@ console: .deploy.$(ENVIRONMENT) @xdg-open $$( $(OPENSTACK) console url show $(CONSOLE) -f value -c url ) .deploy.$(ENVIRONMENT): init - @STAT=$$(terraform state list); \ + @STAT=$$(tofu state list); \ if test -n "$$STAT"; then touch .deploy.$(ENVIRONMENT); else echo 'please, use "make create"'; exit 1; fi .deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT): .deploy.$(ENVIRONMENT) - @MGMTCLUSTER_ADDRESS=$$(terraform output mgmtcluster_address); \ + @MGMTCLUSTER_ADDRESS=$$(tofu output mgmtcluster_address); \ echo "MGMTCLUSTER_ADDRESS=$$MGMTCLUSTER_ADDRESS" > $@; .deploy.id_rsa.$(ENVIRONMENT): .deploy.$(ENVIRONMENT) - @PRIVATE_KEY=$$(terraform output private_key); \ + @PRIVATE_KEY=$$(tofu output private_key); \ echo "$$PRIVATE_KEY" > $@; \ chmod 0600 $@ diff --git a/terraform/main.tf b/terraform/main.tf index c636f624..659195af 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -4,7 +4,7 @@ provider "openstack" { } terraform { - required_version = ">= 1.4.6, < 1.6.0" + required_version = ">= 1.4.6" required_providers { openstack = { From 3556da2738b214b8bac8fb09267575e050c98233 Mon Sep 17 00:00:00 2001 From: Roman Hros Date: Wed, 18 Oct 2023 10:14:29 +0200 Subject: [PATCH 02/12] Replace github action Signed-off-by: Roman Hros --- .github/workflows/check-terraform-syntax.yml | 18 +++++++++--------- terraform/main.tf | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/check-terraform-syntax.yml b/.github/workflows/check-terraform-syntax.yml index 109f79f7..9b9c2af0 100644 --- a/.github/workflows/check-terraform-syntax.yml +++ b/.github/workflows/check-terraform-syntax.yml 
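Review bot: In the `.deploy.id_rsa.$(ENVIRONMENT)` rule the private key is written with `echo "$$PRIVATE_KEY" > $@` and only afterwards restricted with `chmod 0600 $@`, so the file briefly exists with whatever the default umask allows. Setting the umask in the same shell closes that window: `@umask 077; PRIVATE_KEY=$$(tofu output private_key); \`. The rule also creates the target when `tofu output` fails, leaving an empty key file that make treats as up to date. Starting the recipe with `set -e;` would stop before the redirect in that case.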
@@ -24,18 +24,18 @@ jobs: - name: create credentials run: cp secure.yaml.sample secure.yaml working-directory: ./terraform - - name: Setup terraform - uses: hashicorp/setup-terraform@v2 + - name: Setup OpenTofu + uses: opentofu/setup-opentofu@v1.0.0 with: - terraform_version: 1.4.6 # renovate: datasource=github-releases depName=hashicorp/terraform - - name: Terraform init - run: terraform init + tofu_version: 1.6.0-alpha2 # renovate: datasource=github-releases depName=opentofu/opentofu + - name: Tofu init + run: tofu init working-directory: ./terraform - - name: Terraform validate - run: terraform validate + - name: Tofu validate + run: tofu validate working-directory: ./terraform env: ENVIRONMENT: gx-betacloud - - name: Terraform format - run: terraform fmt -check + - name: Tofu format + run: tofu fmt -check working-directory: ./terraform diff --git a/terraform/main.tf b/terraform/main.tf index 659195af..f495ad46 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -4,7 +4,7 @@ provider "openstack" { } terraform { - required_version = ">= 1.4.6" + required_version = ">= 1.6.0" required_providers { openstack = { From 7a9c9c07e579371b795ed2bded531291a0b61c4f Mon Sep 17 00:00:00 2001 From: Roman Hros Date: Thu, 19 Oct 2023 14:19:49 +0200 Subject: [PATCH 03/12] Ansible Lint Signed-off-by: Roman Hros --- .ansible-lint | 1 - playbooks/dependencies.yaml | 28 ++++++++++++++-------------- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 79001acc..03698861 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -5,6 +5,5 @@ skip_list: # Roles and modules imported from https://opendev.org/zuul/zuul-jobs mock_roles: - ensure-pip - - ensure-terraform mock_modules: - zuul_return diff --git a/playbooks/dependencies.yaml b/playbooks/dependencies.yaml index aac5ea84..4f81bb2e 100644 --- a/playbooks/dependencies.yaml +++ b/playbooks/dependencies.yaml 
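Review bot: The `Setup OpenTofu` step in the workflow hunk references a third-party action by mutable tag, `uses: opentofu/setup-opentofu@v1.0.0`; whoever controls that repository can move the tag, and the action's code runs inside this job. Pinning to the full commit SHA makes the reference immutable, e.g. `uses: opentofu/setup-opentofu@<full-commit-sha> # v1.0.0` (placeholder; take the SHA from the action's release). PATCH 05/12 later loosens the reference further to the floating `@v1` tag, so the same point applies to that hunk. The `# renovate:` annotation on `tofu_version` suggests Renovate is in use, and it can keep SHA-pinned actions up to date as well.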
@@ -15,9 +15,10 @@ - role: ensure-pip # https://zuul-ci.org/docs/zuul-jobs/latest/python-roles.html#role-ensure-pip tasks: - name: Make sure installation directory exists - file: + ansible.builtin.file: path: "{{ install_dir }}" state: directory + mode: 0755 - name: Install jq ansible.builtin.get_url: url: "https://github.com/jqlang/jq/releases/download/jq-{{ jq_version }}/jq-linux64" @@ -49,42 +50,41 @@ - name: Install OpenTofu # TODO: write separate role ensure-opentofu, see https://opendev.org/zuul/zuul-jobs/src/branch/master/roles/ensure-terraform block: - - name: Check if unzip is installed - command: "unzip -v" - failed_when: false - register: _unzip_probe - name: Install unzip - when: _unzip_probe.rc != 0 - package: + ansible.builtin.package: name: unzip become: true - name: Create temp directory - tempfile: + ansible.builtin.tempfile: state: directory register: tofu_install_tempdir - name: Download OpenTofu archive - get_url: + ansible.builtin.get_url: url: "https://github.com/opentofu/opentofu/releases/download/v{{ opentofu_version }}/tofu_{{ opentofu_version }}_linux_amd64.zip" dest: "{{ tofu_install_tempdir.path }}/opentofu.zip" + mode: 0644 # TODO: checksum - name: Create OpenTofu package directory - file: + ansible.builtin.file: path: "{{ tofu_install_tempdir.path }}/opentofu" state: directory + mode: 0755 - name: Unarchive OpenTofu - unarchive: + ansible.builtin.unarchive: src: "{{ tofu_install_tempdir.path }}/opentofu.zip" dest: "{{ tofu_install_tempdir.path }}/opentofu" remote_src: true - name: Install OpenTofu - copy: + ansible.builtin.copy: src: "{{ tofu_install_tempdir.path }}/opentofu/tofu" dest: "{{ install_dir }}/tofu" mode: "+x" remote_src: true - name: Remove temp directory - file: + ansible.builtin.file: path: "{{ tofu_install_tempdir }}" state: absent - name: Output OpenTofu version - command: "tofu version" + ansible.builtin.command: "tofu version" + register: tofu_version + changed_when: tofu_version.rc != 0 
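Review bot: The added `mode: 0755` relies on the YAML parser reading a leading-zero integer as octal; the same holds for `mode: 0644` and the second `mode: 0755` in the next hunk of this patch. Quoting passes the value to the module as a string regardless of how the parser treats the literal: `mode: "0755"`. The `Install OpenTofu` copy task already uses a quoted mode (`mode: "+x"`), so quoting also keeps the file consistent.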
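Review bot: The `Remove temp directory` task passes the whole registered result, `path: "{{ tofu_install_tempdir }}"`, instead of its `path` field, so the temporary directory holding the downloaded archive is most likely never deleted; every other task uses `tofu_install_tempdir.path`. It should read `path: "{{ tofu_install_tempdir.path }}"`. The line dates from PATCH 01/12, and this patch only renames the module on it. Separately, `changed_when: tofu_version.rc != 0` on `Output OpenTofu version` can never be true for a task that succeeds, so `changed_when: false` states the intent directly.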
From 2006eca03bbc0316410197486d194e4697e4c935 Mon Sep 17 00:00:00 2001 From: Roman Hros Date: Thu, 19 Oct 2023 14:27:56 +0200 Subject: [PATCH 04/12] Release alpha3 Signed-off-by: Roman Hros --- .github/workflows/check-terraform-syntax.yml | 2 +- playbooks/dependencies.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-terraform-syntax.yml b/.github/workflows/check-terraform-syntax.yml index 9b9c2af0..f3c92fb8 100644 --- a/.github/workflows/check-terraform-syntax.yml +++ b/.github/workflows/check-terraform-syntax.yml @@ -27,7 +27,7 @@ jobs: - name: Setup OpenTofu uses: opentofu/setup-opentofu@v1.0.0 with: - tofu_version: 1.6.0-alpha2 # renovate: datasource=github-releases depName=opentofu/opentofu + tofu_version: 1.6.0-alpha3 # renovate: datasource=github-releases depName=opentofu/opentofu - name: Tofu init run: tofu init working-directory: ./terraform diff --git a/playbooks/dependencies.yaml b/playbooks/dependencies.yaml index 4f81bb2e..a936d7f7 100644 --- a/playbooks/dependencies.yaml +++ b/playbooks/dependencies.yaml @@ -7,7 +7,7 @@ kubectl_version: "1.28.1" openstackclient_version: "6.2.0" octaviaclient_version: "3.4.0" - opentofu_version: "1.6.0-alpha2" + opentofu_version: "1.6.0-alpha3" install_dir: "{{ ansible_user_dir }}/.local/bin" environment: PATH: "{{ install_dir }}:{{ ansible_env.PATH }}" From cfe75f855f6e59a2179bdcbabfd6537e7e40b636 Mon Sep 17 00:00:00 2001 From: Roman Hros Date: Tue, 31 Oct 2023 08:02:39 +0100 Subject: [PATCH 05/12] Github action v1.0.1 It is now possible write only 'v1' instead of 'v1.0.1' Signed-off-by: Roman Hros --- .github/workflows/check-terraform-syntax.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-terraform-syntax.yml b/.github/workflows/check-terraform-syntax.yml index f3c92fb8..0b6658a3 100644 --- a/.github/workflows/check-terraform-syntax.yml +++ b/.github/workflows/check-terraform-syntax.yml 
@@ -25,7 +25,7 @@ jobs: run: cp secure.yaml.sample secure.yaml working-directory: ./terraform - name: Setup OpenTofu - uses: opentofu/setup-opentofu@v1.0.0 + uses: opentofu/setup-opentofu@v1 with: tofu_version: 1.6.0-alpha3 # renovate: datasource=github-releases depName=opentofu/opentofu - name: Tofu init From 2cf0e01870844d5fc36bf781cfc6c93d495a5100 Mon Sep 17 00:00:00 2001 From: Roman Hros Date: Fri, 10 Nov 2023 13:56:28 +0100 Subject: [PATCH 06/12] Release alpha4 Signed-off-by: Roman Hros --- .github/workflows/check-terraform-syntax.yml | 2 +- playbooks/dependencies.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-terraform-syntax.yml b/.github/workflows/check-terraform-syntax.yml index 0b6658a3..8d214ec9 100644 --- a/.github/workflows/check-terraform-syntax.yml +++ b/.github/workflows/check-terraform-syntax.yml @@ -27,7 +27,7 @@ jobs: - name: Setup OpenTofu uses: opentofu/setup-opentofu@v1 with: - tofu_version: 1.6.0-alpha3 # renovate: datasource=github-releases depName=opentofu/opentofu + tofu_version: 1.6.0-alpha4 # renovate: datasource=github-releases depName=opentofu/opentofu - name: Tofu init run: tofu init working-directory: ./terraform diff --git a/playbooks/dependencies.yaml b/playbooks/dependencies.yaml index a936d7f7..89c7de5e 100644 --- a/playbooks/dependencies.yaml +++ b/playbooks/dependencies.yaml @@ -7,7 +7,7 @@ kubectl_version: "1.28.1" openstackclient_version: "6.2.0" octaviaclient_version: "3.4.0" - opentofu_version: "1.6.0-alpha3" + opentofu_version: "1.6.0-alpha4" install_dir: "{{ ansible_user_dir }}/.local/bin" environment: PATH: "{{ install_dir }}:{{ ansible_env.PATH }}" From f3177d62c24ca2963db1ad7112ecaeb16793a81a Mon Sep 17 00:00:00 2001 From: Roman Hros Date: Tue, 21 Nov 2023 08:37:14 +0100 Subject: [PATCH 07/12] Release alpha5 
Signed-off-by: Roman Hros --- .github/workflows/check-terraform-syntax.yml | 2 +- playbooks/dependencies.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-terraform-syntax.yml b/.github/workflows/check-terraform-syntax.yml index 8d214ec9..49fc13f7 100644 --- a/.github/workflows/check-terraform-syntax.yml +++ b/.github/workflows/check-terraform-syntax.yml @@ -27,7 +27,7 @@ jobs: - name: Setup OpenTofu uses: opentofu/setup-opentofu@v1 with: - tofu_version: 1.6.0-alpha4 # renovate: datasource=github-releases depName=opentofu/opentofu + tofu_version: 1.6.0-alpha5 # renovate: datasource=github-releases depName=opentofu/opentofu - name: Tofu init run: tofu init working-directory: ./terraform diff --git a/playbooks/dependencies.yaml b/playbooks/dependencies.yaml index 89c7de5e..e18f15fd 100644 --- a/playbooks/dependencies.yaml +++ b/playbooks/dependencies.yaml @@ -7,7 +7,7 @@ kubectl_version: "1.28.1" openstackclient_version: "6.2.0" octaviaclient_version: "3.4.0" - opentofu_version: "1.6.0-alpha4" + opentofu_version: "1.6.0-alpha5" install_dir: "{{ ansible_user_dir }}/.local/bin" environment: PATH: "{{ install_dir }}:{{ ansible_env.PATH }}" From 40a2d92657b05d88d28026cfe204a299c0569f97 Mon Sep 17 00:00:00 2001 From: Roman Hros Date: Thu, 30 Nov 2023 09:30:53 +0100 Subject: [PATCH 08/12] Release beta1 Signed-off-by: Roman Hros --- .github/workflows/check-terraform-syntax.yml | 2 +- playbooks/dependencies.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-terraform-syntax.yml b/.github/workflows/check-terraform-syntax.yml index 49fc13f7..840b573a 100644 --- a/.github/workflows/check-terraform-syntax.yml +++ b/.github/workflows/check-terraform-syntax.yml 
@@ -27,7 +27,7 @@ jobs: - name: Setup OpenTofu uses: opentofu/setup-opentofu@v1 with: - tofu_version: 1.6.0-alpha5 # renovate: datasource=github-releases depName=opentofu/opentofu + tofu_version: 1.6.0-beta1 # renovate: datasource=github-releases depName=opentofu/opentofu - name: Tofu init run: tofu init working-directory: ./terraform diff --git a/playbooks/dependencies.yaml b/playbooks/dependencies.yaml index e18f15fd..63813285 100644 --- a/playbooks/dependencies.yaml +++ b/playbooks/dependencies.yaml @@ -7,7 +7,7 @@ kubectl_version: "1.28.1" openstackclient_version: "6.2.0" octaviaclient_version: "3.4.0" - opentofu_version: "1.6.0-alpha5" + opentofu_version: "1.6.0-beta1" install_dir: "{{ ansible_user_dir }}/.local/bin" environment: PATH: "{{ install_dir }}:{{ ansible_env.PATH }}" From a229ae572f085cfe0ffb95001ca96ea236f7bed5 Mon Sep 17 00:00:00 2001 From: Roman Hros Date: Wed, 6 Dec 2023 11:19:37 +0100 Subject: [PATCH 09/12] Release beta2 Signed-off-by: Roman Hros --- .github/workflows/check-terraform-syntax.yml | 2 +- playbooks/dependencies.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-terraform-syntax.yml b/.github/workflows/check-terraform-syntax.yml index 840b573a..b2d1c632 100644 --- a/.github/workflows/check-terraform-syntax.yml +++ b/.github/workflows/check-terraform-syntax.yml @@ -27,7 +27,7 @@ jobs: - name: Setup OpenTofu uses: opentofu/setup-opentofu@v1 with: - tofu_version: 1.6.0-beta1 # renovate: datasource=github-releases depName=opentofu/opentofu + tofu_version: 1.6.0-beta2 # renovate: datasource=github-releases depName=opentofu/opentofu - name: Tofu init run: tofu init working-directory: ./terraform diff --git a/playbooks/dependencies.yaml b/playbooks/dependencies.yaml index 63813285..f57baa89 100644 --- a/playbooks/dependencies.yaml +++ b/playbooks/dependencies.yaml 
@@ -7,7 +7,7 @@ kubectl_version: "1.28.1" openstackclient_version: "6.2.0" octaviaclient_version: "3.4.0" - opentofu_version: "1.6.0-beta1" + opentofu_version: "1.6.0-beta2" install_dir: "{{ ansible_user_dir }}/.local/bin" environment: PATH: "{{ install_dir }}:{{ ansible_env.PATH }}" From f82da07dfdcdabf30a3488aa737fb27cf8f36813 Mon Sep 17 00:00:00 2001 From: Roman Hros Date: Mon, 18 Dec 2023 10:14:31 +0100 Subject: [PATCH 10/12] Release beta5 Signed-off-by: Roman Hros --- .github/workflows/check-terraform-syntax.yml | 2 +- playbooks/dependencies.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-terraform-syntax.yml b/.github/workflows/check-terraform-syntax.yml index b2d1c632..bfc58f5a 100644 --- a/.github/workflows/check-terraform-syntax.yml +++ b/.github/workflows/check-terraform-syntax.yml @@ -27,7 +27,7 @@ jobs: - name: Setup OpenTofu uses: opentofu/setup-opentofu@v1 with: - tofu_version: 1.6.0-beta2 # renovate: datasource=github-releases depName=opentofu/opentofu + tofu_version: 1.6.0-beta5 # renovate: datasource=github-releases depName=opentofu/opentofu - name: Tofu init run: tofu init working-directory: ./terraform diff --git a/playbooks/dependencies.yaml b/playbooks/dependencies.yaml index f57baa89..3590b624 100644 --- a/playbooks/dependencies.yaml +++ b/playbooks/dependencies.yaml @@ -7,7 +7,7 @@ kubectl_version: "1.28.1" openstackclient_version: "6.2.0" octaviaclient_version: "3.4.0" - opentofu_version: "1.6.0-beta2" + opentofu_version: "1.6.0-beta5" install_dir: "{{ ansible_user_dir }}/.local/bin" environment: PATH: "{{ install_dir }}:{{ ansible_env.PATH }}" From 0ec44c8ac95e7764bd96f26a8111c8d1ba27d40b Mon Sep 17 00:00:00 2001 From: Roman Hros Date: Fri, 12 Jan 2024 12:56:21 +0100 Subject: [PATCH 11/12] Stable release v1.6.0 Signed-off-by: Roman Hros --- .github/workflows/check-terraform-syntax.yml | 2 +- playbooks/dependencies.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/check-terraform-syntax.yml b/.github/workflows/check-terraform-syntax.yml index bfc58f5a..520377ff 100644 --- a/.github/workflows/check-terraform-syntax.yml +++ b/.github/workflows/check-terraform-syntax.yml @@ -27,7 +27,7 @@ jobs: - name: Setup OpenTofu uses: opentofu/setup-opentofu@v1 with: - tofu_version: 1.6.0-beta5 # renovate: datasource=github-releases depName=opentofu/opentofu + tofu_version: 1.6.0 # renovate: datasource=github-releases depName=opentofu/opentofu - name: Tofu init run: tofu init working-directory: ./terraform diff --git a/playbooks/dependencies.yaml b/playbooks/dependencies.yaml index 3590b624..84021f7a 100644 --- a/playbooks/dependencies.yaml +++ b/playbooks/dependencies.yaml @@ -7,7 +7,7 @@ kubectl_version: "1.28.1" openstackclient_version: "6.2.0" octaviaclient_version: "3.4.0" - opentofu_version: "1.6.0-beta5" + opentofu_version: "1.6.0" install_dir: "{{ ansible_user_dir }}/.local/bin" environment: PATH: "{{ install_dir }}:{{ ansible_env.PATH }}" From cdd4a3f3dd38a391e70d505b6ed7884a80470476 Mon Sep 17 00:00:00 2001 From: Roman Hros Date: Fri, 12 Jan 2024 13:42:50 +0100 Subject: [PATCH 12/12] Replace terraform with opentofu in the docs Signed-off-by: Roman Hros --- ...m-syntax.yml => check-opentofu-syntax.yml} | 8 +++--- doc/Upgrade-Guide.md | 2 +- doc/application-credentials.md | 2 +- doc/continuous-integration.md | 4 +-- doc/make-reference.md | 26 +++++++++---------- doc/overview.md | 2 +- doc/quickstart.md | 2 +- doc/requirements.md | 4 +-- .../containter-registry-configuration.md | 8 +++--- doc/usage/custom-ca.md | 2 +- doc/usage/harbor.md | 2 +- playbooks/e2e.yaml | 2 +- terraform/mgmtcluster.tf | 2 +- terraform/neutron.tf | 6 ++--- 14 files changed, 36 insertions(+), 36 deletions(-) rename .github/workflows/{check-terraform-syntax.yml => check-opentofu-syntax.yml} (85%) 
diff --git a/.github/workflows/check-terraform-syntax.yml b/.github/workflows/check-opentofu-syntax.yml similarity index 85% rename from .github/workflows/check-terraform-syntax.yml rename to .github/workflows/check-opentofu-syntax.yml index 520377ff..987dec2c 100644 --- a/.github/workflows/check-terraform-syntax.yml +++ b/.github/workflows/check-opentofu-syntax.yml @@ -1,18 +1,18 @@ --- -name: Check terraform syntax +name: Check opentofu syntax "on": push: paths: - 'terraform/**' - - '.github/workflows/check-terraform-syntax.yml' + - '.github/workflows/check-opentofu-syntax.yml' pull_request: paths: - 'terraform/**' - - '.github/workflows/check-terraform.yml' + - '.github/workflows/check-opentofu-syntax.yml' jobs: - check-terraform-syntax: + check-opentofu-syntax: runs-on: ubuntu-latest steps: diff --git a/doc/Upgrade-Guide.md b/doc/Upgrade-Guide.md index e65f12fc..4704009b 100644 --- a/doc/Upgrade-Guide.md +++ b/doc/Upgrade-Guide.md @@ -151,7 +151,7 @@ on the cluster unless you have changed its configuration by tweaking `cluster-template.yaml` (which you almost never do!) or `clusterctl.yaml` (which you do often). -The other template file that changed -- however, some terraform logic is used to +The other template file that changed -- however, some opentofu logic is used to prefill it with values. So you can't copy it from git. ##### R2 to R3 diff --git a/doc/application-credentials.md b/doc/application-credentials.md index 2eb9a27d..d1431f07 100644 --- a/doc/application-credentials.md +++ b/doc/application-credentials.md 
@@ -1,6 +1,6 @@ # Application Credentials -The terraform creates an [application credential](https://docs.openstack.org/keystone/wallaby/user/application_credentials.html) that it passes into the created VM. This one is then used to authenticate the cluster API provider against the OpenStack API to allow it to create resources needed for the k8s cluster. +OpenTofu creates an [application credential](https://docs.openstack.org/keystone/wallaby/user/application_credentials.html) that it passes into the created VM. This one is then used to authenticate the cluster API provider against the OpenStack API to allow it to create resources needed for the k8s cluster. The AppCredential has a few advantages: diff --git a/doc/continuous-integration.md b/doc/continuous-integration.md index 95803d5a..e2e17b3d 100644 --- a/doc/continuous-integration.md +++ b/doc/continuous-integration.md @@ -80,7 +80,7 @@ This section describes Zuul jobs defined within the k8s-cluster-api-provider pro availability in Zuul worker node. Parent job also defines a Zuul semaphore `semaphore-openstack-access`, that ensures that only one `openstack-access-base` job (or its children) can run at a time - See a high level `k8s-cluster-api-provider-e2e-conformance` job steps: - - Pre-run playbook `dependencies.yaml` installs project prerequisites, e.g. terraform, yq, etc. + - Pre-run playbook `dependencies.yaml` installs project prerequisites, e.g. opentofu, yq, etc. - Main playbook `e2e.yaml` spawns a k8s cluster, runs sonobuoy conformance test, and cleans created infrastructure, all by k8s-cluster-api-provider scripts - Cleanup-run playbook `cleanup.yaml` runs `ospurge`, cleanup created application credentials and keypair to ensure that multiple e2e runs do not interfere 
@@ -90,7 +90,7 @@ This section describes Zuul jobs defined within the k8s-cluster-api-provider pro availability in Zuul worker node. Parent job also defines a Zuul semaphore `semaphore-openstack-access`, that ensures that only one `openstack-access-base` job (or its children) can run at a time - See a high level `k8s-cluster-api-provider-e2e-quick` job steps: - - Pre-run playbook `dependencies.yaml` installs project prerequisites, e.g. terraform, yq, etc. + - Pre-run playbook `dependencies.yaml` installs project prerequisites, e.g. opentofu, yq, etc. - Main playbook `e2e.yaml` spawns a k8s cluster, runs sonobuoy quick test, and cleans created infrastructure, all by k8s-cluster-api-provider scripts - Cleanup-run playbook `cleanup.yaml` runs `ospurge`, cleanup created application credentials and keypair to ensure that multiple e2e runs do not interfere diff --git a/doc/make-reference.md b/doc/make-reference.md index 8c5a2527..67d46938 100644 --- a/doc/make-reference.md +++ b/doc/make-reference.md 
@@ -80,13 +80,13 @@ want to open by setting the ``CONSOLE`` variable. The default is ``capi-mgmtclus ### Make clean ``make clean`` does ssh to the capi management server to clean up the created clusters prior -to terraform cleaning up the resources it has created. This is sometimes insufficient to clean up +to opentofu cleaning up the resources it has created. This is sometimes insufficient to clean up unfortunately, some error in the deployment may result in resources left around. ### Make fullclean ``make fullclean`` uses a custom script `cleanup/cleanup.sh` (using the openstack CLI) to clean up -everything while trying to not hit any resources not created by the CAPI or terraform for +everything while trying to not hit any resources not created by the CAPI or opentofu for clusters from this management host. It is the recommended way for doing cleanups if ``make clean`` fails. Watch out for leftover floating IP addresses and persistent volumes, as these can not be easily traced back to the @@ -99,7 +99,7 @@ case we don't need the force options. You can purge the whole project via ``make purge``. Be careful with that command as it will purge *all resources in the OpenStack project* even those that have not been created through this -Terraform script or the Cluster API. +OpenTofu script or the Cluster API. It requires the [``ospurge``](https://opendev.org/x/ospurge) tool. Install it with ``python3 -m pip install git+https://git.openstack.org/openstack/ospurge``. 
@@ -139,13 +139,13 @@ This will run tests of the configuration on testcluster using sonobuoy of the st This will run tests of the configuration on testcluster using sonobuoy of the CSI. -## Terraform commands +## OpenTofu commands ### make init ``make init`` -This will initialize terraform. It will download the required providers and modules. +This will initialize opentofu. It will download the required providers and modules. It will also select or create a new workspace for you. The workspace name is the same as the ``ENVIROMENT`` variable. 
@@ -153,38 +153,38 @@ It will also select or create a new workspace for you. The workspace name is the ``make attach RESOURCE= PARAMS=...`` -This will attach a resource to the terraform state. This is useful if you have created a resource outside of terraform -and want to manage it with terraform. +This will attach a resource to the opentofu state. This is useful if you have created a resource outside of opentofu +and want to manage it with opentofu. ### make detach ``make detach RESOURCE= PARAMS=...`` -This will detach a resource from the terraform state. This is useful if you have changed a resource outside of terraform -or you no longer want to manage it with terraform. +This will detach a resource from the opentofu state. This is useful if you have changed a resource outside of opentofu +or you no longer want to manage it with opentofu. ### make state-push ``make state-push`` -This will push the terraform state to specified storage if set. This is useful if you don't want to store the state +This will push the opentofu state to specified storage if set. This is useful if you don't want to store the state locally. ### make dry-run ``make dry-run`` -This will run a dry-run of the terraform apply command. This is useful if you want to see what terraform will do before +This will run a dry-run of the opentofu apply command. This is useful if you want to see what opentofu will do before actually doing it. ### make show ``make show`` -This will show the terraform state. This is useful if you want to see what terraform is managing. +This will show the opentofu state. This is useful if you want to see what opentofu is managing. ### make list ``make list`` -This will list all the resources managed by terraform. This is useful if you want to see what terraform is managing. +This will list all the resources managed by opentofu. This is useful if you want to see what opentofu is managing. diff --git a/doc/overview.md b/doc/overview.md index ace0b2d5..809692d2 100644 
--- a/doc/overview.md
+++ b/doc/overview.md
@@ -13,6 +13,6 @@ Once we as the SCS Community have the gitops style cluster control working, the The provided solution covers the following two main topics: -1. Automation (terraform, Makefile) to bootstrap a cluster-API management server by installing kind on a vanilla Ubuntu image and deploying some tools on this node ([kubectl](https://kubernetes.io/docs/reference/kubectl/overview/), [openstack CLI tools](https://docs.openstack.org/newton/user-guide/common/cli-install-openstack-command-line-clients.html), [k9s](https://github.com/derailed/k9s), [cilium](https://cilium.io/), [calico](https://www.tigera.io/tigera-products/calico/), [helm](https://helm.sh/), [flux](https://fluxcd.io/) ...) and deploying [cluster-API](https://cluster-api.sigs.k8s.io/) (clusterctl) and the [OpenStack cluster-api provider](https://github.com/kubernetes-sigs/cluster-api-provider-openstack) along with suitable credentials. The terraform automation is driven by a Makefile for convenience. The tooling also contains all the logic to clean up again. The newly deployed node clones this git repository early in the bootstrap process and uses the thus received files to set up the management cluster and scripts. +1. Automation (opentofu, Makefile) to bootstrap a cluster-API management server by installing kind on a vanilla Ubuntu image and deploying some tools on this node ([kubectl](https://kubernetes.io/docs/reference/kubectl/overview/), [openstack CLI tools](https://docs.openstack.org/newton/user-guide/common/cli-install-openstack-command-line-clients.html), [k9s](https://github.com/derailed/k9s), [cilium](https://cilium.io/), [calico](https://www.tigera.io/tigera-products/calico/), [helm](https://helm.sh/), [flux](https://fluxcd.io/) ...) and deploying [cluster-API](https://cluster-api.sigs.k8s.io/) (clusterctl) and the [OpenStack cluster-api provider](https://github.com/kubernetes-sigs/cluster-api-provider-openstack) along with suitable credentials. 
The opentofu automation is driven by a Makefile for convenience. The tooling also contains all the logic to clean up again. The newly deployed node clones this git repository early in the bootstrap process and uses the thus received files to set up the management cluster and scripts. 2. This node can be connected to via ssh and the deployed scripts there can be used to manage workload clusters and then deploy various standardized tools (such as e.g. [OpenStack Cloud Controller Manager](https://github.com/kubernetes/cloud-provider-openstack)(OCCM), [cinder CSI](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md), calico or cilium CNI, [nginx ingress controller](https://kubernetes.github.io/ingress-nginx/), [cert-manager](https://cert-manager.io/), ...) and run tests (e.g. CNCF conformance with [sonobuoy](https://sonobuoy.io/)). The tools and artifacts can be updated via `git pull` at any time and the updated settings rolled out to the workload clusters. Note that the script collection will eventually be superseded by the [capi-helm-charts](https://github.com/stackhpc/capi-helm-charts). The medium-term goal is to actually create a reconciliation loop here that would perform life-cycle-management for clusters according to the cluster configuration stored in an enhanced [cluster-api style](https://cluster-api.sigs.k8s.io/clusterctl/configuration.html) clusterctl.yaml from git repositories and thus allow a pure [gitops](https://www.weave.works/technologies/gitops/) style cluster management without ever ssh'ing to the management server. diff --git a/doc/quickstart.md b/doc/quickstart.md index be81c5cd..94e9590f 100644 --- a/doc/quickstart.md +++ b/doc/quickstart.md @@ -7,7 +7,7 @@ via [cluster-api](https://cluster-api.sigs.k8s.io/)(CAPI). - make - kubectl -- terraform +- opentofu - yq - python3-openstackclient, python3-octaviaclient 
diff --git a/doc/requirements.md b/doc/requirements.md index 8acbcaea..48f5efb6 100644 --- a/doc/requirements.md +++ b/doc/requirements.md @@ -12,12 +12,12 @@ Linux/MacOS/WSL laptop. Requirements for the deployment host: - You need to have installed: - - Terraform (). + - OpenTofu (). - `yq` (python3-yq or yq snap) - GNU make - openstack (python3-openstackclient) and plugin for octavia (python3-octaviaclient) Via pip or your distribution. *Needed only in case you want to clean the management server or interact with openstack directly.* -- You must have credentials to access the cloud. Terraform will look for `clouds.yaml` and optionally `secure.yaml` in +- You must have credentials to access the cloud. OpenTofu will look for `clouds.yaml` and optionally `secure.yaml` in the current working directory (`terraform`), in `~/.config/openstack/` or `/etc/openstack` (in this order), just like the [openstack client](https://docs.openstack.org/python-openstackclient/latest/configuration/index.html#clouds-yaml). - The API endpoints of the OpenStack cloud should have a certificate signed by a trusted CA. (Self-signed or custom CAs diff --git a/doc/usage/containter-registry-configuration.md b/doc/usage/containter-registry-configuration.md index d00863d7..8a7144f2 100644 --- a/doc/usage/containter-registry-configuration.md +++ b/doc/usage/containter-registry-configuration.md 
@@ -18,7 +18,7 @@ This feature could be useful in various uses cases, e.g.: SCS KaaS reference implementation allows users to pass container registry host config files to configure containerd. Containerd configuration is applied cluster wide as it is CRI used in SCS KaaS clusters. Additional registry host config files for containerd -could be passed through the `containerd_registry_files` terraform variable. This variable +could be passed through the `containerd_registry_files` opentofu variable. This variable expects an object with two attributes: - `hosts` attribute defines additional registry host config files for containerd. @@ -33,11 +33,11 @@ The default value of the `containerd_registry_files` variable instructs containe container registry, see related issue [#417](https://github.com/SovereignCloudStack/k8s-cluster-api-provider/issues/417). The host config file used as a default is -defined [here](https://github.com/SovereignCloudStack/k8s-cluster-api-provider/blob/1b6ef9d4c64c94bc77144a072e0309d484de54be/terraform/files/containerd/docker.io). +defined [here](https://github.com/SovereignCloudStack/k8s-cluster-api-provider/blob/main/terraform/files/containerd/docker.io). This should prevent issues with pull rate limiting from DockerHub public container registry, e.g. [#414](https://github.com/SovereignCloudStack/k8s-cluster-api-provider/issues/414). -The above default value could be overridden using any techniques that Terraform allows, e.g. +The above default value could be overridden using any techniques that OpenTofu allows, e.g. via environment variable: ```bash 
@@ -80,7 +80,7 @@ upgrade existing environments (workload clusters) with stable releases which are tested. This tutorial instructs (advanced) users what needs to be done on the cluster management -instance without re-deploying it via Terraform. Patches described in this tutorial +instance without re-deploying it via OpenTofu. Patches described in this tutorial modify existing environment with changes that have been developed within "containerd registry"-related PRs: - PR#432 - PR#447 diff --git a/doc/usage/custom-ca.md b/doc/usage/custom-ca.md index d4a699ee..dff4eb96 100644 --- a/doc/usage/custom-ca.md +++ b/doc/usage/custom-ca.md @@ -28,7 +28,7 @@ Here the file `ca-bundle.pem` contains custom root CA and potentially intermedia Steps of what happens with the custom cacert in k8s-cluster-api-provider: 1. `cacert` setting is provided inside clouds.yaml 2. Cacert file referenced by `cacert` key (1.) is copied to the management server - directory `~/cluster-defaults/${cloud_provider}-cacert` by Terraform + directory `~/cluster-defaults/${cloud_provider}-cacert` by OpenTofu 3. During the management server bootstrap process cacert is injected to the *~/cluster-defaults/cluster-template.yaml* to *KubeadmControlPlane* and *KubeadmConfigTemplate* files as file with cacert content from already defined secret *${CLUSTER_NAME}-cloud-config* and will be later diff --git a/doc/usage/harbor.md b/doc/usage/harbor.md index 469e2857..04d77574 100644 --- a/doc/usage/harbor.md +++ b/doc/usage/harbor.md 
@@ -4,7 +4,7 @@ Project [k8s-harbor](https://github.com/SovereignCloudStack/k8s-harbor) is used container registry deployment https://registry.scs.community/. With this project, it is possible to deploy Harbor in a similar way into the workload cluster. -If you want to deploy Harbor, set terraform variable `deploy_harbor = true`. It will deploy +If you want to deploy Harbor, set opentofu variable `deploy_harbor = true`. It will deploy Harbor with [default options](#default-deployment). The recommended approach is to set up also [persistence](#persistence) and [ingress with tls](#ingress-and-tls). diff --git a/playbooks/e2e.yaml b/playbooks/e2e.yaml index b799ca75..189d9330 100644 --- a/playbooks/e2e.yaml +++ b/playbooks/e2e.yaml @@ -82,7 +82,7 @@ executable: /bin/bash register: mtu changed_when: false - - name: Set mtu for the default interface # workaround for terraform file provisioner scp error + - name: Set mtu for the default interface # workaround for opentofu file provisioner scp error ansible.builtin.command: "ip link set {{ dev.stdout }} mtu 1500" become: true when: mtu.stdout != "1500" diff --git a/terraform/mgmtcluster.tf b/terraform/mgmtcluster.tf index 7275c0bd..07ccef00 100644 --- a/terraform/mgmtcluster.tf +++ b/terraform/mgmtcluster.tf @@ -75,7 +75,7 @@ resource "openstack_compute_instance_v2" "mgmtcluster_server" { } lifecycle { - # Prevents Terraform from trying to destroy the instance when it was created before update with labeling its volume + # Prevents OpenTofu from trying to destroy the instance when it was created before update with labeling its volume ignore_changes = [block_device] } diff --git a/terraform/neutron.tf b/terraform/neutron.tf index aadddd5c..2557a948 100644 --- a/terraform/neutron.tf +++ b/terraform/neutron.tf 
@@ -2,7 +2,7 @@ # used for cluster-api-nodes resource "openstack_compute_secgroup_v2" "security_group_ssh" { name = "${var.prefix}-allow-ssh" - description = "security group for ssh 22/tcp (managed by terraform)" + description = "security group for ssh 22/tcp (managed by opentofu)" rule { cidr = "0.0.0.0/0" @@ -29,7 +29,7 @@ resource "openstack_compute_secgroup_v2" "security_group_icmp" { # resource "openstack_compute_secgroup_v2" "security_group_mgmt" { name = "${var.prefix}-mgmt" - description = "security group for mgmtcluster (managed by terraform)" + description = "security group for mgmtcluster (managed by opentofu)" dynamic "rule" { for_each = var.restrict_mgmt_server @@ -75,7 +75,7 @@ data "openstack_networking_network_v2" "external" { resource "openstack_networking_router_v2" "router_mgmt" { name = "${var.prefix}-rtr" - description = "router for mgmtcluster (managed by terraform)" + description = "router for mgmtcluster (managed by opentofu)" external_network_id = data.openstack_networking_network_v2.external.id availability_zone_hints = [var.availability_zone] # comment this out if your cloud does not have network AZs }
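Review bot: The three `description` changes in this file (`security_group_ssh`, `security_group_mgmt` and `router_mgmt`) edit resource attributes rather than comments, so on an already deployed environment the next apply will report a change for each of these resources. That is presumably an in-place update, but it is worth confirming with `make dry-run` against an existing state and mentioning it in the commit message, so operators are not surprised by a pending change on their security groups. The strings also use lowercase `opentofu` while the comment changed in mgmtcluster.tf uses `OpenTofu`; I would write `description = "security group for ssh 22/tcp (managed by OpenTofu)"` and likewise for the other two. The `rule` block in the first hunk continues outside the hunk.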