fix contrib/<file>.md errors identified by markdownlint

*	docs/azure-csi.md
* docs/azure.md
* docs/bootstrap-os.md
*	docs/calico.md
* docs/debian.md
* docs/fcos.md
*	docs/vagrant.md
* docs/gcp-lb.md
* docs/kubernetes-apps/registry.md
* docs/setting-up-your-first-cluster.md
* docs/vagrant.md
*	docs/vars.md

.gitignore

@@ -3,7 +3,10 @@
 **/vagrant_ansible_inventory
 *.iml
 temp
+contrib/offline/offline-files
+contrib/offline/offline-files.tar.gz
 .idea
+.vscode
 .tox
 .cache
 *.bak
@@ -11,6 +14,7 @@ temp
 *.tfstate.backup
 .terraform/
 contrib/terraform/aws/credentials.tfvars
+.terraform.lock.hcl
 /ssh-bastion.conf
 **/*.sw[pon]
 *~
@@ -102,10 +106,10 @@ ENV/
 
 # molecule
 roles/**/molecule/**/__pycache__/
-roles/**/molecule/**/*.conf
 
 # macOS
 .DS_Store
 
 # Temp location used by our scripts
 scripts/tmp/
+tmp.md

.gitlab-ci.yml

@@ -8,7 +8,7 @@ stages:
   - deploy-special
 
 variables:
-  KUBESPRAY_VERSION: v2.17.1
+  KUBESPRAY_VERSION: v2.19.0
   FAILFASTCI_NAMESPACE: 'kargo-ci'
   GITLAB_REPOSITORY: 'kargo-ci/kubernetes-sigs-kubespray'
   ANSIBLE_FORCE_COLOR: "true"
@@ -27,13 +27,14 @@ variables:
   ANSIBLE_INVENTORY: ./inventory/sample/${CI_JOB_NAME}-${BUILD_NUMBER}.ini
   IDEMPOT_CHECK: "false"
   RESET_CHECK: "false"
+  REMOVE_NODE_CHECK: "false"
   UPGRADE_TEST: "false"
   MITOGEN_ENABLE: "false"
   ANSIBLE_LOG_LEVEL: "-vv"
   RECOVER_CONTROL_PLANE_TEST: "false"
   RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:],kube_control_plane[1:]"
   TERRAFORM_VERSION: 1.0.8
-  ANSIBLE_MAJOR_VERSION: "2.10"
+  ANSIBLE_MAJOR_VERSION: "2.11"
 
 before_script:
   - ./tests/scripts/rebase.sh
@@ -80,3 +81,4 @@ include:
   - .gitlab-ci/terraform.yml
   - .gitlab-ci/packet.yml
   - .gitlab-ci/vagrant.yml
+  - .gitlab-ci/molecule.yml

.gitlab-ci/lint.yml

@@ -23,9 +23,8 @@ ansible-lint:
   extends: .job
   stage: unit-tests
   tags: [light]
-  # lint every yml/yaml file that looks like it contains Ansible plays
-  script: |-
-    grep -Rl '^- hosts: \|^  hosts: ' --include \*.yml --include \*.yaml . | xargs -P 4 -n 25 ansible-lint -v
+  script:
+    - ansible-lint -v
   except: ['triggers', 'master']
 
 syntax-check:
@@ -53,7 +52,7 @@ tox-inventory-builder:
     - ./tests/scripts/rebase.sh
     - apt-get update && apt-get install -y python3-pip
     - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
-    - python -m pip uninstall -y ansible
+    - python -m pip uninstall -y ansible ansible-base ansible-core
     - python -m pip install -r tests/requirements.txt
   script:
     - pip3 install tox
@@ -69,6 +68,13 @@ markdownlint:
   script:
     - markdownlint $(find . -name '*.md' | grep -vF './.git') --ignore docs/_sidebar.md --ignore contrib/dind/README.md
 
+check-readme-versions:
+  stage: unit-tests
+  tags: [light]
+  image: python:3
+  script:
+    - tests/scripts/check_readme_versions.sh
+
 ci-matrix:
   stage: unit-tests
   tags: [light]

.gitlab-ci/molecule.yml

@@ -0,0 +1,86 @@
+---
+
+.molecule:
+  tags: [c3.small.x86]
+  only: [/^pr-.*$/]
+  except: ['triggers']
+  image: quay.io/kubespray/vagrant:$KUBESPRAY_VERSION
+  services: []
+  stage: deploy-part1
+  before_script:
+    - tests/scripts/rebase.sh
+    - apt-get update && apt-get install -y python3-pip
+    - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
+    - python -m pip uninstall -y ansible ansible-base ansible-core
+    - python -m pip install -r tests/requirements.txt
+    - ./tests/scripts/vagrant_clean.sh
+  script:
+    - ./tests/scripts/molecule_run.sh
+  after_script:
+    - chronic ./tests/scripts/molecule_logs.sh
+  artifacts:
+    when: always
+    paths:
+      - molecule_logs/
+
+# CI template for periodic CI jobs
+# Enabled when PERIODIC_CI_ENABLED var is set
+.molecule_periodic:
+  only:
+    variables:
+      - $PERIODIC_CI_ENABLED
+  allow_failure: true
+  extends: .molecule
+
+molecule_full:
+  extends: .molecule_periodic
+
+molecule_no_container_engines:
+  extends: .molecule
+  script:
+    - ./tests/scripts/molecule_run.sh -e container-engine
+  when: on_success
+
+molecule_docker:
+  extends: .molecule
+  script:
+    - ./tests/scripts/molecule_run.sh -i container-engine/cri-dockerd
+  when: on_success
+
+molecule_containerd:
+  extends: .molecule
+  script:
+    - ./tests/scripts/molecule_run.sh -i container-engine/containerd
+  when: on_success
+
+molecule_cri-o:
+  extends: .molecule
+  stage: deploy-part2
+  script:
+    - ./tests/scripts/molecule_run.sh -i container-engine/cri-o
+  when: on_success
+
+# Stage 3 container engines don't get as much attention so allow them to fail
+molecule_kata:
+  extends: .molecule
+  stage: deploy-part3
+  allow_failure: true
+  script:
+    - ./tests/scripts/molecule_run.sh -i container-engine/kata-containers
+  when: on_success
+
+molecule_gvisor:
+  extends: .molecule
+  stage: deploy-part3
+  allow_failure: true
+  script:
+    - ./tests/scripts/molecule_run.sh -i container-engine/gvisor
+  when: on_success
+
+molecule_youki:
+  extends: .molecule
+  stage: deploy-part3
+  allow_failure: true
+  script:
+    - ./tests/scripts/molecule_run.sh -i container-engine/youki
+  when: on_success

.gitlab-ci/packet.yml

@@ -31,18 +31,9 @@ packet_ubuntu20-calico-aio:
   variables:
     RESET_CHECK: "true"
 
-# Exericse ansible variants
-packet_ubuntu20-calico-aio-ansible-2_9:
-  stage: deploy-part1
-  extends: .packet_pr
-  when: on_success
-  variables:
-    ANSIBLE_MAJOR_VERSION: "2.9"
-    RESET_CHECK: "true"
-
 packet_ubuntu20-calico-aio-ansible-2_11:
   stage: deploy-part1
-  extends: .packet_pr
+  extends: .packet_periodic
   when: on_success
   variables:
     ANSIBLE_MAJOR_VERSION: "2.11"
@@ -65,12 +56,22 @@ packet_ubuntu18-calico-aio:
   extends: .packet_pr
   when: on_success
 
+packet_ubuntu22-aio-docker:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: on_success
+
+packet_ubuntu22-calico-aio:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: on_success
+
 packet_centos7-flannel-addons-ha:
   extends: .packet_pr
   stage: deploy-part2
   when: on_success
 
-packet_centos8-crio:
+packet_almalinux8-crio:
   extends: .packet_pr
   stage: deploy-part2
   when: on_success
@@ -100,16 +101,6 @@ packet_ubuntu16-flannel-ha:
   extends: .packet_pr
   when: manual
 
-packet_ubuntu16-kube-router-sep:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
-packet_ubuntu16-kube-router-svc-proxy:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
 packet_debian10-cilium-svc-proxy:
   stage: deploy-part2
   extends: .packet_periodic
@@ -145,27 +136,27 @@ packet_centos7-calico-ha-once-localhost:
   services:
     - docker:19.03.9-dind
 
-packet_centos8-kube-ovn:
+packet_almalinux8-kube-ovn:
   stage: deploy-part2
   extends: .packet_periodic
   when: on_success
 
-packet_centos8-calico:
+packet_almalinux8-calico:
   stage: deploy-part2
   extends: .packet_pr
   when: on_success
 
-packet_centos8-docker:
+packet_rockylinux8-calico:
   stage: deploy-part2
   extends: .packet_pr
   when: on_success
 
-packet_fedora34-docker-weave:
+packet_almalinux8-docker:
   stage: deploy-part2
   extends: .packet_pr
   when: on_success
 
-packet_fedora35-kube-router:
+packet_fedora36-docker-weave:
   stage: deploy-part2
   extends: .packet_pr
   when: on_success
@@ -203,7 +194,7 @@ packet_ubuntu18-flannel-ha-once:
   when: manual
 
 # Calico HA eBPF
-packet_centos8-calico-ha-ebpf:
+packet_almalinux8-calico-ha-ebpf:
   stage: deploy-part2
   extends: .packet_pr
   when: manual
@@ -218,29 +209,24 @@ packet_centos7-calico-ha:
   extends: .packet_pr
   when: manual
 
-packet_centos7-kube-router:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
 packet_centos7-multus-calico:
   stage: deploy-part2
   extends: .packet_pr
   when: manual
 
-packet_oracle7-canal-ha:
+packet_centos7-canal-ha:
   stage: deploy-part2
   extends: .packet_pr
   when: manual
 
-packet_fedora35-docker-calico:
+packet_fedora36-docker-calico:
   stage: deploy-part2
   extends: .packet_periodic
   when: on_success
   variables:
     RESET_CHECK: "true"
 
-packet_fedora34-calico-selinux:
+packet_fedora35-calico-selinux:
   stage: deploy-part2
   extends: .packet_periodic
   when: on_success
@@ -255,12 +241,12 @@ packet_amazon-linux-2-aio:
   extends: .packet_pr
   when: manual
 
-packet_centos8-calico-nodelocaldns-secondary:
+packet_almalinux8-calico-nodelocaldns-secondary:
   stage: deploy-part2
   extends: .packet_pr
   when: manual
 
-packet_fedora34-kube-ovn:
+packet_fedora36-kube-ovn:
   stage: deploy-part2
   extends: .packet_periodic
   when: on_success
@@ -268,7 +254,14 @@ packet_fedora34-kube-ovn:
 # ### PR JOBS PART3
 # Long jobs (45min+)
 
-packet_centos7-docker-weave-upgrade-ha:
+packet_centos7-weave-upgrade-ha:
+  stage: deploy-part3
+  extends: .packet_periodic
+  when: on_success
+  variables:
+    UPGRADE_TEST: basic
+
+packet_ubuntu20-calico-etcd-kubeadm-upgrade-ha:
   stage: deploy-part3
   extends: .packet_periodic
   when: on_success
@@ -281,14 +274,27 @@ packet_ubuntu20-calico-ha-wireguard:
   extends: .packet_pr
   when: manual
 
-packet_debian10-calico-upgrade:
+packet_debian11-calico-upgrade:
   stage: deploy-part3
   extends: .packet_pr
   when: on_success
   variables:
     UPGRADE_TEST: graceful
 
-packet_debian10-calico-upgrade-once:
+packet_almalinux8-calico-remove-node:
+  stage: deploy-part3
+  extends: .packet_pr
+  when: on_success
+  variables:
+    REMOVE_NODE_CHECK: "true"
+    REMOVE_NODE_NAME: "instance-3"
+
+packet_ubuntu20-calico-etcd-kubeadm:
+  stage: deploy-part3
+  extends: .packet_pr
+  when: on_success
+
+packet_debian11-calico-upgrade-once:
   stage: deploy-part3
   extends: .packet_periodic
   when: on_success

.gitlab-ci/shellcheck.yml

@@ -11,6 +11,6 @@ shellcheck:
     - cp shellcheck-"${SHELLCHECK_VERSION}"/shellcheck /usr/bin/
     - shellcheck --version
   script:
-    # Run shellcheck for all *.sh except contrib/
-    - find . -name '*.sh' -not -path './contrib/*' -not -path './.git/*' | xargs shellcheck --severity error
+    # Run shellcheck for all *.sh
+    - find . -name '*.sh' -not -path './.git/*' | xargs shellcheck --severity error
   except: ['triggers', 'master']

.gitlab-ci/terraform.yml

@@ -60,11 +60,11 @@ tf-validate-openstack:
     PROVIDER: openstack
     CLUSTER: $CI_COMMIT_REF_NAME
 
-tf-validate-packet:
+tf-validate-metal:
   extends: .terraform_validate
   variables:
     TF_VERSION: $TERRAFORM_VERSION
-    PROVIDER: packet
+    PROVIDER: metal
     CLUSTER: $CI_COMMIT_REF_NAME
 
 tf-validate-aws:

.gitlab-ci/vagrant.yml

@@ -1,28 +1,5 @@
 ---
 
-molecule_tests:
-  tags: [c3.small.x86]
-  only: [/^pr-.*$/]
-  except: ['triggers']
-  image: quay.io/kubespray/vagrant:$KUBESPRAY_VERSION
-  services: []
-  stage: deploy-part1
-  before_script:
-    - tests/scripts/rebase.sh
-    - apt-get update && apt-get install -y python3-pip
-    - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
-    - python -m pip uninstall -y ansible
-    - python -m pip install -r tests/requirements.txt
-    - ./tests/scripts/vagrant_clean.sh
-  script:
-    - ./tests/scripts/molecule_run.sh
-  after_script:
-    - chronic ./tests/scripts/molecule_logs.sh
-  artifacts:
-    when: always
-    paths:
-      - molecule_logs/
-
 .vagrant:
   extends: .testcases
   variables:
@@ -38,7 +15,7 @@ molecule_tests:
   before_script:
     - apt-get update && apt-get install -y python3-pip
     - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
-    - python -m pip uninstall -y ansible
+    - python -m pip uninstall -y ansible ansible-base ansible-core
     - python -m pip install -r tests/requirements.txt
     - ./tests/scripts/vagrant_clean.sh
   script:
@@ -66,3 +43,24 @@ vagrant_ubuntu20-flannel:
   stage: deploy-part2
   extends: .vagrant
   when: on_success
+
+vagrant_ubuntu16-kube-router-sep:
+  stage: deploy-part2
+  extends: .vagrant
+  when: manual
+
+# Service proxy test fails connectivity testing
+vagrant_ubuntu16-kube-router-svc-proxy:
+  stage: deploy-part2
+  extends: .vagrant
+  when: manual
+
+vagrant_fedora35-kube-router:
+  stage: deploy-part2
+  extends: .vagrant
+  when: on_success
+
+vagrant_centos7-kube-router:
+  stage: deploy-part2
+  extends: .vagrant
+  when: manual

.markdownlint.yaml

@@ -1,2 +1,3 @@
 ---
 MD013: false
+MD029: false

.pre-commit-config.yaml

@@ -0,0 +1,48 @@
+---
+repos:
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.27.1
+    hooks:
+      - id: yamllint
+        args: [--strict]
+
+  - repo: https://github.com/markdownlint/markdownlint
+    rev: v0.11.0
+    hooks:
+      - id: markdownlint
+        args: [ -r, "~MD013,~MD029" ]
+        exclude: "^.git"
+
+  - repo: local
+    hooks:
+      - id: ansible-lint
+        name: ansible-lint
+        entry: ansible-lint -v
+        language: python
+        pass_filenames: false
+        additional_dependencies:
+          - .[community]
+
+      - id: ansible-syntax-check
+        name: ansible-syntax-check
+        entry: env ANSIBLE_INVENTORY=inventory/local-tests.cfg ANSIBLE_REMOTE_USER=root ANSIBLE_BECOME="true" ANSIBLE_BECOME_USER=root ANSIBLE_VERBOSITY="3" ansible-playbook --syntax-check
+        language: python
+        files: "^cluster.yml|^upgrade-cluster.yml|^reset.yml|^extra_playbooks/upgrade-only-k8s.yml"
+
+      - id: tox-inventory-builder
+        name: tox-inventory-builder
+        entry: bash -c "cd contrib/inventory_builder && tox"
+        language: python
+        pass_filenames: false
+
+      - id: check-readme-versions
+        name: check-readme-versions
+        entry: tests/scripts/check_readme_versions.sh
+        language: script
+        pass_filenames: false
+
+      - id: ci-matrix
+        name: ci-matrix
+        entry: tests/scripts/md-table/test.sh
+        language: script
+        pass_filenames: false

CONTRIBUTING.md

@@ -16,7 +16,12 @@ pip install -r tests/requirements.txt
 
 #### Linting
 
-Kubespray uses `yamllint` and `ansible-lint`. To run them locally use `yamllint .` and `ansible-lint`. It is a good idea to add call these tools as part of your pre-commit hook and avoid a lot of back end forth on fixing linting issues (<https://support.gitkraken.com/working-with-repositories/githooksexample/>).
+Kubespray uses [pre-commit](https://pre-commit.com) hook configuration to run several linters, please install this tool and use it to run validation tests before submitting a PR.
+
+```ShellSession
+pre-commit install
+pre-commit run -a  # To run pre-commit hook on all files in the repository, even if they were not modified
+```
 
 #### Molecule
 
@@ -33,7 +38,9 @@ Vagrant with VirtualBox or libvirt driver helps you to quickly spin test cluster
 1. Submit an issue describing your proposed change to the repo in question.
 2. The [repo owners](OWNERS) will respond to your issue promptly.
 3. Fork the desired repo, develop and test your code changes.
-4. Sign the CNCF CLA (<https://git.k8s.io/community/CLA.md#the-contributor-license-agreement>)
-5. Submit a pull request.
-6. Work with the reviewers on their suggestions.
-7. Ensure to rebase to the HEAD of your target branch and squash un-necessary commits (<https://blog.carbonfive.com/always-squash-and-rebase-your-git-commits/>) before final merger of your contribution.
+4. Install [pre-commit](https://pre-commit.com) and install it in your development repo).
+5. Addess any pre-commit validation failures.
+6. Sign the CNCF CLA (<https://git.k8s.io/community/CLA.md#the-contributor-license-agreement>)
+7. Submit a pull request.
+8. Work with the reviewers on their suggestions.
+9. Ensure to rebase to the HEAD of your target branch and squash un-necessary commits (<https://blog.carbonfive.com/always-squash-and-rebase-your-git-commits/>) before final merger of your contribution.

Dockerfile

@@ -1,5 +1,9 @@
-# Use imutable image tags rather than mutable tags (like ubuntu:18.04)
-FROM ubuntu:bionic-20200807
+# Use imutable image tags rather than mutable tags (like ubuntu:20.04)
+FROM ubuntu:focal-20220531
+
+ARG ARCH=amd64
+ARG TZ=Etc/UTC
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
 
 RUN apt update -y \
     && apt install -y \
@@ -8,7 +12,7 @@ RUN apt update -y \
     && rm -rf /var/lib/apt/lists/*
 RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - \
     && add-apt-repository \
-    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+    "deb [arch=$ARCH] https://download.docker.com/linux/ubuntu \
     $(lsb_release -cs) \
     stable" \
     && apt update -y && apt-get install --no-install-recommends -y docker-ce \
@@ -28,6 +32,6 @@ RUN /usr/bin/python3 -m pip install --no-cache-dir pip -U \
     && update-alternatives --install /usr/bin/python python /usr/bin/python3 1
 
 RUN KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main.yaml) \
-    && curl -LO https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/amd64/kubectl \
+    && curl -LO https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/$ARCH/kubectl \
     && chmod a+x kubectl \
     && mv kubectl /usr/local/bin/kubectl

OWNERS_ALIASES

@@ -4,10 +4,10 @@ aliases:
     - chadswen
     - mirwan
     - miouge1
-    - woopstar
     - luckysb
     - floryut
     - oomichi
+    - cristicalin
   kubespray-reviewers:
     - holmsten
     - bozzo
@@ -15,7 +15,9 @@ aliases:
     - oomichi
     - jayonlau
     - cristicalin
+    - liupeng0518
   kubespray-emeritus_approvers:
     - riverzhang
     - atoms
     - ant31
+    - woopstar

README.md

@@ -19,10 +19,10 @@ To deploy the cluster you can use :
 
 #### Usage
 
-```ShellSession
-# Install dependencies from ``requirements.txt``
-sudo pip3 install -r requirements.txt
+Install Ansible according to [Ansible installation guide](/docs/ansible.md#installing-ansible)
+then run the following steps:
 
+```ShellSession
 # Copy ``inventory/sample`` as ``inventory/mycluster``
 cp -rfp inventory/sample inventory/mycluster
 
@@ -57,10 +57,10 @@ A simple way to ensure you get all the correct version of Ansible is to use the
 You will then need to use [bind mounts](https://docs.docker.com/storage/bind-mounts/) to get the inventory and ssh key into the container, like this:
 
 ```ShellSession
-docker pull quay.io/kubespray/kubespray:v2.17.1
+docker pull quay.io/kubespray/kubespray:v2.19.0
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
   --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.17.1 bash
+  quay.io/kubespray/kubespray:v2.19.0 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```
@@ -75,10 +75,11 @@ python -V && pip -V
 ```
 
 If this returns the version of the software, you're good to go. If not, download and install Python from here <https://www.python.org/downloads/source/>
-Install the necessary requirements
+
+Install Ansible according to [Ansible installation guide](/docs/ansible.md#installing-ansible)
+then run the following step:
 
 ```ShellSession
-sudo pip install -r requirements.txt
 vagrant up
 ```
 
@@ -110,20 +111,23 @@ vagrant up
 - [Adding/replacing a node](docs/nodes.md)
 - [Upgrades basics](docs/upgrades.md)
 - [Air-Gap installation](docs/offline-environment.md)
+- [NTP](docs/ntp.md)
+- [Hardening](docs/hardening.md)
 - [Roadmap](docs/roadmap.md)
 
 ## Supported Linux Distributions
 
 - **Flatcar Container Linux by Kinvolk**
 - **Debian** Bullseye, Buster, Jessie, Stretch
-- **Ubuntu** 16.04, 18.04, 20.04
-- **CentOS/RHEL** 7, [8](docs/centos8.md)
-- **Fedora** 34, 35
+- **Ubuntu** 16.04, 18.04, 20.04, 22.04
+- **CentOS/RHEL** 7, [8](docs/centos.md#centos-8)
+- **Fedora** 35, 36
 - **Fedora CoreOS** (see [fcos Note](docs/fcos.md))
 - **openSUSE** Leap 15.x/Tumbleweed
-- **Oracle Linux** 7, [8](docs/centos8.md)
-- **Alma Linux** [8](docs/centos8.md)
-- **Rocky Linux** [8](docs/centos8.md)
+- **Oracle Linux** 7, [8](docs/centos.md#centos-8)
+- **Alma Linux** [8](docs/centos.md#centos-8)
+- **Rocky Linux** [8](docs/centos.md#centos-8)
+- **Kylin Linux Advanced Server V10** (experimental: see [kylin linux notes](docs/kylinlinux.md))
 - **Amazon Linux 2** (experimental: see [amazon linux notes](docs/amazonlinux.md))
 
 Note: Upstart/SysV init based OS types are not supported.
@@ -131,27 +135,40 @@ Note: Upstart/SysV init based OS types are not supported.
 ## Supported Components
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.22.5
-  - [etcd](https://github.com/coreos/etcd) v3.5.0
+  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.24.3
+  - [etcd](https://github.com/etcd-io/etcd) v3.5.4
   - [docker](https://www.docker.com/) v20.10 (see note)
-  - [containerd](https://containerd.io/) v1.5.8
-  - [cri-o](http://cri-o.io/) v1.22 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [containerd](https://containerd.io/) v1.6.6
+  - [cri-o](http://cri-o.io/) v1.24 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
-  - [cni-plugins](https://github.com/containernetworking/plugins) v1.0.1
-  - [calico](https://github.com/projectcalico/calico) v3.20.3
+  - [cni-plugins](https://github.com/containernetworking/plugins) v1.1.1
+  - [calico](https://github.com/projectcalico/calico) v3.23.3
   - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
-  - [cilium](https://github.com/cilium/cilium) v1.9.11
-  - [flanneld](https://github.com/flannel-io/flannel) v0.15.1
-  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.8.1
-  - [kube-router](https://github.com/cloudnativelabs/kube-router) v1.3.2
+  - [cilium](https://github.com/cilium/cilium) v1.11.7
+  - [flannel](https://github.com/flannel-io/flannel) v0.18.1
+  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.9.7
+  - [kube-router](https://github.com/cloudnativelabs/kube-router) v1.5.1
   - [multus](https://github.com/intel/multus-cni) v3.8
   - [weave](https://github.com/weaveworks/weave) v2.8.1
+  - [kube-vip](https://github.com/kube-vip/kube-vip) v0.4.2
 - Application
+  - [cert-manager](https://github.com/jetstack/cert-manager) v1.9.0
+  - [coredns](https://github.com/coredns/coredns) v1.8.6
+  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.3.0
+  - [krew](https://github.com/kubernetes-sigs/krew) v0.4.3
+  - [argocd](https://argoproj.github.io/) v2.4.7
+  - [helm](https://helm.sh/) v3.9.2
+  - [metallb](https://metallb.universe.tf/)  v0.12.1
+  - [registry](https://github.com/distribution/distribution) v2.8.1
+- Storage Plugin
   - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
   - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
-  - [cert-manager](https://github.com/jetstack/cert-manager) v1.5.4
-  - [coredns](https://github.com/coredns/coredns) v1.8.0
-  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.0.4
+  - [aws-ebs-csi-plugin](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) v0.5.0
+  - [azure-csi-plugin](https://github.com/kubernetes-sigs/azuredisk-csi-driver) v1.10.0
+  - [cinder-csi-plugin](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) v1.22.0
+  - [gcp-pd-csi-plugin](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) v1.4.0
+  - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.22
+  - [local-volume-provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) v2.4.0
 
 ## Container Runtime Notes
 
@@ -160,8 +177,8 @@ Note: Upstart/SysV init based OS types are not supported.
 
 ## Requirements
 
-- **Minimum required version of Kubernetes is v1.20**
-- **Ansible v2.9.x, Jinja 2.11+ and python-netaddr is installed on the machine that will run Ansible commands, Ansible 2.10.x is experimentally supported for now**
+- **Minimum required version of Kubernetes is v1.22**
+- **Ansible v2.11+, Jinja 2.11+ and python-netaddr is installed on the machine that will run Ansible commands**
 - The target servers must have **access to the Internet** in order to pull docker images. Otherwise, additional configuration is required (See [Offline Environment](docs/offline-environment.md))
 - The target servers are configured to allow **IPv4 forwarding**.
 - If using IPv6 for pods and services, the target servers are configured to allow **IPv6 forwarding**.

RELEASE.md

@@ -2,17 +2,18 @@
 
 The Kubespray Project is released on an as-needed basis. The process is as follows:
 
-1. An issue is proposing a new release with a changelog since the last release
+1. An issue is proposing a new release with a changelog since the last release. Please see [a good sample issue](https://github.com/kubernetes-sigs/kubespray/issues/8325)
 2. At least one of the [approvers](OWNERS_ALIASES) must approve this release
 3. The `kube_version_min_required` variable is set to `n-1`
-4. Remove hashes for [EOL versions](https://github.com/kubernetes/sig-release/blob/master/releases/patch-releases.md) of kubernetes from `*_checksums` variables.
-5. An approver creates [new release in GitHub](https://github.com/kubernetes-sigs/kubespray/releases/new) using a version and tag name like `vX.Y.Z` and attaching the release notes
-6. An approver creates a release branch in the form `release-X.Y`
-7. The corresponding version of [quay.io/kubespray/kubespray:vX.Y.Z](https://quay.io/repository/kubespray/kubespray) and [quay.io/kubespray/vagrant:vX.Y.Z](https://quay.io/repository/kubespray/vagrant) docker images are built and tagged
-8. The `KUBESPRAY_VERSION` variable is updated in `.gitlab-ci.yml`
-9. The release issue is closed
-10. An announcement email is sent to `kubernetes-dev@googlegroups.com` with the subject `[ANNOUNCE] Kubespray $VERSION is released`
-11. The topic of the #kubespray channel is updated with `vX.Y.Z is released! | ...`
+4. Remove hashes for [EOL versions](https://github.com/kubernetes/website/blob/main/content/en/releases/patch-releases.md) of kubernetes from `*_checksums` variables.
+5. Create the release note with [Kubernetes Release Notes Generator](https://github.com/kubernetes/release/blob/master/cmd/release-notes/README.md). See the following `Release note creation` section for the details.
+6. An approver creates [new release in GitHub](https://github.com/kubernetes-sigs/kubespray/releases/new) using a version and tag name like `vX.Y.Z` and attaching the release notes
+7. An approver creates a release branch in the form `release-X.Y`
+8. The corresponding version of [quay.io/kubespray/kubespray:vX.Y.Z](https://quay.io/repository/kubespray/kubespray) and [quay.io/kubespray/vagrant:vX.Y.Z](https://quay.io/repository/kubespray/vagrant) container images are built and tagged. See the following `Container image creation` section for the details.
+9. The `KUBESPRAY_VERSION` variable is updated in `.gitlab-ci.yml`
+10. The release issue is closed
+11. An announcement email is sent to `dev@kubernetes.io` with the subject `[ANNOUNCE] Kubespray $VERSION is released`
+12. The topic of the #kubespray channel is updated with `vX.Y.Z is released! | ...`
 
 ## Major/minor releases and milestones
 
@@ -46,3 +47,37 @@ The Kubespray Project is released on an as-needed basis. The process is as follo
   then Kubespray v2.1.0 may be bound to only minor changes to `kube_version`, like v1.5.1
   and *any* changes to other components, like etcd v4, or calico 1.2.3.
   And Kubespray v3.x.x shall be bound to `kube_version: 2.x.x` respectively.
+
+## Release note creation
+
+You can create a release note with:
+
+```shell
+export GITHUB_TOKEN=<your-github-token>
+export ORG=kubernetes-sigs
+export REPO=kubespray
+release-notes --start-sha <The start commit-id> --end-sha <The end commit-id> --dependencies=false --output=/tmp/kubespray-release-note --required-author=""
+```
+
+If the release note file(/tmp/kubespray-release-note) contains "### Uncategorized" pull requests, those pull requests don't have a valid kind label(`kind/feature`, etc.).
+It is necessary to put a valid label on each pull request and run the above release-notes command again to get a better release note)
+
+## Container image creation
+
+The container image `quay.io/kubespray/kubespray:vX.Y.Z` can be created from Dockerfile of the kubespray root directory:
+
+```shell
+cd kubespray/
+nerdctl build -t quay.io/kubespray/kubespray:vX.Y.Z .
+nerdctl push quay.io/kubespray/kubespray:vX.Y.Z
+```
+
+The container image `quay.io/kubespray/vagrant:vX.Y.Z` can be created from build.sh of test-infra/vagrant-docker/:
+
+```shell
+cd kubespray/test-infra/vagrant-docker/
+./build vX.Y.Z
+```
+
+Please note that the above operation requires the permission to push container images into quay.io/kubespray/.
+If you don't have the permission, please ask it on the #kubespray-dev channel.

Vagrantfile

@@ -26,9 +26,12 @@ SUPPORTED_OS = {
   "centos-bento"        => {box: "bento/centos-7.6",           user: "vagrant"},
   "centos8"             => {box: "centos/8",                   user: "vagrant"},
   "centos8-bento"       => {box: "bento/centos-8",             user: "vagrant"},
-  "fedora34"            => {box: "fedora/34-cloud-base",       user: "vagrant"},
+  "almalinux8"          => {box: "almalinux/8",                user: "vagrant"},
+  "almalinux8-bento"    => {box: "bento/almalinux-8",          user: "vagrant"},
+  "rockylinux8"         => {box: "generic/rocky8",             user: "vagrant"},
   "fedora35"            => {box: "fedora/35-cloud-base",       user: "vagrant"},
-  "opensuse"            => {box: "bento/opensuse-leap-15.2",   user: "vagrant"},
+  "fedora36"            => {box: "fedora/36-cloud-base",       user: "vagrant"},
+  "opensuse"            => {box: "opensuse/Leap-15.3.x86_64",  user: "vagrant"},
   "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
   "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},
   "oraclelinux8"        => {box: "generic/oracle8",            user: "vagrant"},
@@ -53,7 +56,7 @@ $subnet_ipv6 ||= "fd3c:b398:0698:0756"
 $os ||= "ubuntu1804"
 $network_plugin ||= "flannel"
 # Setting multi_networking to true will install Multus: https://github.com/intel/multus-cni
-$multi_networking ||= false
+$multi_networking ||= "False"
 $download_run_once ||= "True"
 $download_force_cache ||= "False"
 # The first three nodes are etcd servers
@@ -68,9 +71,12 @@ $kube_node_instances_with_disks_size ||= "20G"
 $kube_node_instances_with_disks_number ||= 2
 $override_disk_size ||= false
 $disk_size ||= "20GB"
-$local_path_provisioner_enabled ||= false
+$local_path_provisioner_enabled ||= "False"
 $local_path_provisioner_claim_root ||= "/opt/local-path-provisioner/"
 $libvirt_nested ||= false
+# boolean or string (e.g. "-vvv")
+$ansible_verbosity ||= false
+$ansible_tags ||= ENV['VAGRANT_ANSIBLE_TAGS'] || ""
 
 $playbook ||= "cluster.yml"
 
@@ -167,7 +173,7 @@ Vagrant.configure("2") do |config|
           # always make /dev/sd{a/b/c} so that CI can ensure that
           # virtualbox and libvirt will have the same devices to use for OSDs
           (1..$kube_node_instances_with_disks_number).each do |d|
-            lv.storage :file, :device => "hd#{driverletters[d]}", :path => "disk-#{i}-#{d}-#{DISK_UUID}.disk", :size => $kube_node_instances_with_disks_size, :bus => "ide"
+            lv.storage :file, :device => "hd#{driverletters[d]}", :path => "disk-#{i}-#{d}-#{DISK_UUID}.disk", :size => $kube_node_instances_with_disks_size, :bus => "scsi"
           end
         end
       end
@@ -238,9 +244,11 @@ Vagrant.configure("2") do |config|
       }
 
       # Only execute the Ansible provisioner once, when all the machines are up and ready.
+      # And limit the action to gathering facts, the full playbook is going to be ran by testcases_run.sh
       if i == $num_instances
         node.vm.provision "ansible" do |ansible|
           ansible.playbook = $playbook
+          ansible.verbose = $ansible_verbosity
           $ansible_inventory_path = File.join( $inventory, "hosts.ini")
           if File.exist?($ansible_inventory_path)
             ansible.inventory_path = $ansible_inventory_path
@@ -250,7 +258,9 @@ Vagrant.configure("2") do |config|
           ansible.host_key_checking = false
           ansible.raw_arguments = ["--forks=#{$num_instances}", "--flush-cache", "-e ansible_become_pass=vagrant"]
           ansible.host_vars = host_vars
-          #ansible.tags = ['download']
+          if $ansible_tags != ""
+            ansible.tags = [$ansible_tags]
+          end
           ansible.groups = {
             "etcd" => ["#{$instance_name_prefix}-[1:#{$etcd_instances}]"],
             "kube_control_plane" => ["#{$instance_name_prefix}-[1:#{$kube_master_instances}]"],

ansible.cfg

@@ -1,6 +1,6 @@
 [ssh_connection]
 pipelining=True
-ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100 -o UserKnownHostsFile=/dev/null
+ansible_ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100 -o UserKnownHostsFile=/dev/null
 #control_path = ~/.ssh/ansible-%%r@%%h:%%p
 [defaults]
 # https://github.com/ansible/ansible/issues/56930 (to ignore group names with - and .)
@@ -10,11 +10,11 @@ host_key_checking=False
 gathering = smart
 fact_caching = jsonfile
 fact_caching_connection = /tmp
-fact_caching_timeout = 7200
+fact_caching_timeout = 86400
 stdout_callback = default
 display_skipped_hosts = no
 library = ./library
-callback_whitelist = profile_tasks
+callbacks_enabled = profile_tasks,ara_default
 roles_path = roles:$VIRTUAL_ENV/usr/local/share/kubespray/roles:$VIRTUAL_ENV/usr/local/share/ansible/roles:/usr/share/kubespray/roles
 deprecation_warnings=False
 inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo, .creds, .gpg

ansible_version.yml

@@ -3,32 +3,20 @@
   gather_facts: false
   become: no
   vars:
-    minimal_ansible_version: 2.9.0
-    minimal_ansible_version_2_10: 2.10.11
-    maximal_ansible_version: 2.12.0
+    minimal_ansible_version: 2.11.0
+    maximal_ansible_version: 2.13.0
     ansible_connection: local
   tags: always
   tasks:
     - name: "Check {{ minimal_ansible_version }} <= Ansible version < {{ maximal_ansible_version }}"
       assert:
-        msg: "Ansible must be between {{ minimal_ansible_version }} and {{ maximal_ansible_version }}"
+        msg: "Ansible must be between {{ minimal_ansible_version }} and {{ maximal_ansible_version }} exclusive"
         that:
           - ansible_version.string is version(minimal_ansible_version, ">=")
           - ansible_version.string is version(maximal_ansible_version, "<")
       tags:
         - check
 
-    - name: "Check Ansible version > {{ minimal_ansible_version_2_10 }} when using ansible 2.10"
-      assert:
-        msg: "When using Ansible 2.10, the minimum supported version is {{ minimal_ansible_version_2_10 }}"
-        that:
-          - ansible_version.string is version(minimal_ansible_version_2_10, ">=")
-          - ansible_version.string is version(maximal_ansible_version, "<")
-      when:
-        - ansible_version.string is version('2.10.0', ">=")
-      tags:
-        - check
-
     - name: "Check that python netaddr is installed"
       assert:
         msg: "Python netaddr is not present"

cluster.yml

@@ -46,7 +46,7 @@
       vars:
         etcd_cluster_setup: true
         etcd_events_cluster_setup: "{{ etcd_events_cluster_enabled }}"
-      when: not etcd_kubeadm_enabled| default(false)
+      when: etcd_deployment_type != "kubeadm"
 
 - hosts: k8s_cluster
   gather_facts: False
@@ -59,7 +59,7 @@
       vars:
         etcd_cluster_setup: false
         etcd_events_cluster_setup: false
-      when: not etcd_kubeadm_enabled| default(false)
+      when: etcd_deployment_type != "kubeadm"
 
 - hosts: k8s_cluster
   gather_facts: False
@@ -118,7 +118,8 @@
     - { role: kubernetes-apps/external_provisioner, tags: external-provisioner }
     - { role: kubernetes-apps, tags: apps }
 
-- hosts: k8s_cluster
+- name: Apply resolv.conf changes now that cluster DNS is up
+  hosts: k8s_cluster
   gather_facts: False
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"

contrib/azurerm/README.md

@@ -47,6 +47,10 @@ If you need to delete all resources from a resource group, simply call:
 
 **WARNING** this really deletes everything from your resource group, including everything that was later created by you!
 
+## Installing Ansible and the dependencies
+
+Install Ansible according to [Ansible installation guide](/docs/ansible.md#installing-ansible)
+
 ## Generating an inventory for kubespray
 
 After you have applied the templates, you can generate an inventory with this call:
@@ -59,6 +63,5 @@ It will create the file ./inventory which can then be used with kubespray, e.g.:
 
 ```shell
 cd kubespray-root-dir
-sudo pip3 install -r requirements.txt
 ansible-playbook -i contrib/azurerm/inventory -u devops --become -e "@inventory/sample/group_vars/all/all.yml" cluster.yml
 ```

contrib/dind/run-test-distros.sh

@@ -17,7 +17,7 @@ pass_or_fail() {
 test_distro() {
     local distro=${1:?};shift
     local extra="${*:-}"
-    local prefix="$distro[${extra}]}"
+    local prefix="${distro[${extra}]}"
     ansible-playbook -i hosts dind-cluster.yaml -e node_distro=$distro
     pass_or_fail "$prefix: dind-nodes" || return 1
     (cd ../..
@@ -71,15 +71,15 @@ for spec in ${SPECS}; do
     echo "Loading file=${spec} ..."
     . ${spec} || continue
     : ${DISTROS:?} || continue
-    echo "DISTROS=${DISTROS[@]}"
+    echo "DISTROS:" "${DISTROS[@]}"
     echo "EXTRAS->"
     printf "  %s\n" "${EXTRAS[@]}"
     let n=1
-    for distro in ${DISTROS[@]}; do
+    for distro in "${DISTROS[@]}"; do
         for extra in "${EXTRAS[@]:-NULL}"; do
             # Magic value to let this for run once:
             [[ ${extra} == NULL ]] && unset extra
-            docker rm -f ${NODES[@]}
+            docker rm -f "${NODES[@]}"
             printf -v file_out "%s/%s-%02d.out" ${OUTPUT_DIR} ${spec} $((n++))
             {
                 info "${distro}[${extra}] START: file_out=${file_out}"

contrib/inventory_builder/inventory.py

@@ -83,11 +83,15 @@ class KubesprayInventory(object):
         self.config_file = config_file
         self.yaml_config = {}
         loadPreviousConfig = False
+        printHostnames = False
         # See whether there are any commands to process
         if changed_hosts and changed_hosts[0] in AVAILABLE_COMMANDS:
             if changed_hosts[0] == "add":
                 loadPreviousConfig = True
                 changed_hosts = changed_hosts[1:]
+            elif changed_hosts[0] == "print_hostnames":
+                loadPreviousConfig = True
+                printHostnames = True
             else:
                 self.parse_command(changed_hosts[0], changed_hosts[1:])
                 sys.exit(0)
@@ -105,6 +109,10 @@ class KubesprayInventory(object):
                 print(e)
                 sys.exit(1)
 
+        if printHostnames:
+            self.print_hostnames()
+            sys.exit(0)
+
         self.ensure_required_groups(ROLES)
 
         if changed_hosts:

contrib/inventory_builder/tests/test_inventory.py

@@ -13,6 +13,7 @@
 # under the License.
 
 import inventory
+from test import support
 import unittest
 from unittest import mock
 
@@ -26,6 +27,28 @@ if path not in sys.path:
 import inventory  # noqa
 
 
+class TestInventoryPrintHostnames(unittest.TestCase):
+
+    @mock.patch('ruamel.yaml.YAML.load')
+    def test_print_hostnames(self, load_mock):
+        mock_io = mock.mock_open(read_data='')
+        load_mock.return_value = OrderedDict({'all': {'hosts': {
+            'node1': {'ansible_host': '10.90.0.2',
+                      'ip': '10.90.0.2',
+                      'access_ip': '10.90.0.2'},
+            'node2': {'ansible_host': '10.90.0.3',
+                      'ip': '10.90.0.3',
+                      'access_ip': '10.90.0.3'}}}})
+        with mock.patch('builtins.open', mock_io):
+            with self.assertRaises(SystemExit) as cm:
+                with support.captured_stdout() as stdout:
+                    inventory.KubesprayInventory(
+                        changed_hosts=["print_hostnames"],
+                        config_file="file")
+            self.assertEqual("node1 node2\n", stdout.getvalue())
+            self.assertEqual(cm.exception.code, 0)
+
+
 class TestInventory(unittest.TestCase):
     @mock.patch('inventory.sys')
     def setUp(self, sys_mock):

contrib/kvm-setup/roles/kvm-setup/tasks/sysctl.yml

@@ -28,7 +28,7 @@
   sysctl:
     name: net.ipv4.ip_forward
     value: 1
-    sysctl_file: /etc/sysctl.d/ipv4-ip_forward.conf
+    sysctl_file: "{{ sysctl_file_path }}"
     state: present
     reload: yes
 
@@ -37,7 +37,7 @@
     name: "{{ item }}"
     state: present
     value: 0
-    sysctl_file: /etc/sysctl.d/bridge-nf-call.conf
+    sysctl_file: "{{ sysctl_file_path }}"
     reload: yes
   with_items:
     - net.bridge.bridge-nf-call-arptables

contrib/mitogen/mitogen.yml

@@ -5,8 +5,8 @@
 - hosts: localhost
   strategy: linear
   vars:
-    mitogen_version: 0.3.0rc1
-    mitogen_url: https://github.com/dw/mitogen/archive/v{{ mitogen_version }}.tar.gz
+    mitogen_version: 0.3.2
+    mitogen_url: https://github.com/mitogen-hq/mitogen/archive/refs/tags/v{{ mitogen_version }}.tar.gz
     ansible_connection: local
   tasks:
     - name: Create mitogen plugin dir
@@ -38,7 +38,12 @@
     - name: add strategy to ansible.cfg
       ini_file:
         path: ansible.cfg
-        section: defaults
-        option: strategy
-        value: mitogen_linear
         mode: 0644
+        section: "{{ item.section | d('defaults') }}"
+        option: "{{ item.option }}"
+        value: "{{ item.value }}"
+      with_items:
+        - option: strategy
+          value: mitogen_linear
+        - option: strategy_plugins
+          value: plugins/mitogen/ansible_mitogen/plugins/strategy

contrib/network-storage/glusterfs/roles/glusterfs/README.md

@@ -14,12 +14,16 @@ This role performs basic installation and setup of Gluster, but it does not conf
 
 Available variables are listed below, along with default values (see `defaults/main.yml`):
 
-    glusterfs_default_release: ""
+```yaml
+glusterfs_default_release: ""
+```
 
 You can specify a `default_release` for apt on Debian/Ubuntu by overriding this variable. This is helpful if you need a different package or version for the main GlusterFS packages (e.g. GlusterFS 3.5.x instead of 3.2.x with the `wheezy-backports` default release on Debian Wheezy).
 
-    glusterfs_ppa_use: yes
-    glusterfs_ppa_version: "3.5"
+```yaml
+glusterfs_ppa_use: yes
+glusterfs_ppa_version: "3.5"
+```
 
 For Ubuntu, specify whether to use the official Gluster PPA, and which version of the PPA to use. See Gluster's [Getting Started Guide](https://docs.gluster.org/en/latest/Quick-Start-Guide/Quickstart/) for more info.
 
@@ -29,9 +33,11 @@ None.
 
 ## Example Playbook
 
+```yaml
     - hosts: server
       roles:
         - geerlingguy.glusterfs
+```
 
 For a real-world use example, read through [Simple GlusterFS Setup with Ansible](http://www.jeffgeerling.com/blog/simple-glusterfs-setup-ansible), a blog post by this role's author, which is included in Chapter 8 of [Ansible for DevOps](https://www.ansiblefordevops.com/).
 

contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/tasks/main.yaml

@@ -3,6 +3,7 @@
   template:
     src: "{{ item.file }}"
     dest: "{{ kube_config_dir }}/{{ item.dest }}"
+    mode: 0644
   with_items:
     - { file: glusterfs-kubernetes-endpoint.json.j2, type: ep, dest: glusterfs-kubernetes-endpoint.json}
     - { file: glusterfs-kubernetes-pv.yml.j2, type: pv, dest: glusterfs-kubernetes-pv.yml}

contrib/offline/README.md

@@ -9,7 +9,8 @@ This script has two features:
 (2) Deploy local container registry and register the container images to the registry.
 
 Step(1) should be done online site as a preparation, then we bring the gotten images
-to the target offline environment.
+to the target offline environment. if images are from a private registry,
+you need to set `PRIVATE_REGISTRY` environment variable.
 Then we will run step(2) for registering the images to local registry.
 
 Step(1) can be operated with:
@@ -28,16 +29,37 @@ manage-offline-container-images.sh   register
 
 This script generates the list of downloaded files and the list of container images by `roles/download/defaults/main.yml` file.
 
-Run this script will generates three files, all downloaded files url in files.list, all container images in images.list, all component version in generate.sh.
+Run this script will execute `generate_list.yml` playbook in kubespray root directory and generate four files,
+all downloaded files url in files.list, all container images in images.list, jinja2 templates in *.template.
 
 ```shell
-bash generate_list.sh
+./generate_list.sh
 tree temp
 temp
 ├── files.list
-├── generate.sh
-└── images.list
-0 directories, 3 files
+├── files.list.template
+├── images.list
+└── images.list.template
+0 directories, 5 files
 ```
 
-In some cases you may want to update some component version, you can edit `generate.sh` file, then run `bash generate.sh | grep 'https' > files.list` to update file.list or run `bash generate.sh | grep -v 'https'> images.list` to update images.list.
+In some cases you may want to update some component version, you can declare version variables in ansible inventory file or group_vars,
+then run `./generate_list.sh -i [inventory_file]` to update file.list and images.list.
+
+## manage-offline-files.sh
+
+This script will download all files according to `temp/files.list` and run nginx container to provide offline file download.
+
+Step(1) generate `files.list`
+
+```shell
+./generate_list.sh
+```
+
+Step(2) download files and run nginx container
+
+```shell
+./manage-offline-files.sh
+```
+
+when nginx container is running, it can be accessed through <http://127.0.0.1:8080/>.

contrib/offline/generate_list.sh

@@ -5,53 +5,29 @@ CURRENT_DIR=$(cd $(dirname $0); pwd)
 TEMP_DIR="${CURRENT_DIR}/temp"
 REPO_ROOT_DIR="${CURRENT_DIR%/contrib/offline}"
 
-: ${IMAGE_ARCH:="amd64"}
-: ${ANSIBLE_SYSTEM:="linux"}
-: ${ANSIBLE_ARCHITECTURE:="x86_64"}
 : ${DOWNLOAD_YML:="roles/download/defaults/main.yml"}
-: ${KUBE_VERSION_YAML:="roles/kubespray-defaults/defaults/main.yaml"}
 
 mkdir -p ${TEMP_DIR}
 
-# ARCH used in convert {%- if image_arch != 'amd64' -%}-{{ image_arch }}{%- endif -%} to {{arch}}
-if [ "${IMAGE_ARCH}" != "amd64" ]; then ARCH="${IMAGE_ARCH}"; fi
-
-cat > ${TEMP_DIR}/generate.sh << EOF
-arch=${ARCH}
-image_arch=${IMAGE_ARCH}
-ansible_system=${ANSIBLE_SYSTEM}
-ansible_architecture=${ANSIBLE_ARCHITECTURE}
-EOF
-
-# generate all component version by $DOWNLOAD_YML
-grep 'kube_version:' ${REPO_ROOT_DIR}/${KUBE_VERSION_YAML} \
-| sed 's/: /=/g' >> ${TEMP_DIR}/generate.sh
-grep '_version:' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
-| sed 's/: /=/g;s/{{/${/g;s/}}/}/g' | tr -d ' ' >> ${TEMP_DIR}/generate.sh
-sed -i 's/kube_major_version=.*/kube_major_version=${kube_version%.*}/g' ${TEMP_DIR}/generate.sh
-sed -i 's/crictl_version=.*/crictl_version=${kube_version%.*}.0/g' ${TEMP_DIR}/generate.sh
-
-# generate all download files url
+# generate all download files url template
 grep 'download_url:' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
-| sed 's/: /=/g;s/ //g;s/{{/${/g;s/}}/}/g;s/|lower//g;s/^.*_url=/echo /g' >> ${TEMP_DIR}/generate.sh
+    | sed 's/^.*_url: //g;s/\"//g' > ${TEMP_DIR}/files.list.template
 
-# generate all images list
-grep -E '_repo:|_tag:' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
-| sed "s#{%- if image_arch != 'amd64' -%}-{{ image_arch }}{%- endif -%}#{{arch}}#g" \
-| sed 's/: /=/g;s/{{/${/g;s/}}/}/g' | tr -d ' ' >> ${TEMP_DIR}/generate.sh
+# generate all images list template
 sed -n '/^downloads:/,/download_defaults:/p' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
-| sed -n "s/repo: //p;s/tag: //p" | tr -d ' ' | sed 's/{{/${/g;s/}}/}/g' \
-| sed 'N;s#\n# #g' | tr ' ' ':' | sed 's/^/echo /g' >> ${TEMP_DIR}/generate.sh
+    | sed -n "s/repo: //p;s/tag: //p" | tr -d ' ' \
+    | sed 'N;s#\n# #g' | tr ' ' ':' | sed 's/\"//g' > ${TEMP_DIR}/images.list.template
 
-# special handling for https://github.com/kubernetes-sigs/kubespray/pull/7570
-sed -i 's#^coredns_image_repo=.*#coredns_image_repo=${kube_image_repo}$(if printf "%s\\n%s\\n" v1.21 ${kube_version%.*} | sort --check=quiet --version-sort; then echo -n /coredns/coredns;else echo -n /coredns; fi)#' ${TEMP_DIR}/generate.sh
-sed -i 's#^coredns_image_tag=.*#coredns_image_tag=$(if printf "%s\\n%s\\n" v1.21 ${kube_version%.*} | sort --check=quiet --version-sort; then echo -n ${coredns_version};else echo -n ${coredns_version/v/}; fi)#' ${TEMP_DIR}/generate.sh
-
-# add kube-* images to images list
+# add kube-* images to images list template
+# Those container images are downloaded by kubeadm, then roles/download/defaults/main.yml
+# doesn't contain those images. That is reason why here needs to put those images into the
+# list separately.
 KUBE_IMAGES="kube-apiserver kube-controller-manager kube-scheduler kube-proxy"
-echo "${KUBE_IMAGES}" | tr ' ' '\n' | xargs -L1 -I {} \
-echo 'echo ${kube_image_repo}/{}:${kube_version}' >> ${TEMP_DIR}/generate.sh
+for i in $KUBE_IMAGES; do
+    echo "{{ kube_image_repo }}/$i:{{ kube_version }}" >> ${TEMP_DIR}/images.list.template
+done
 
-# print files.list and images.list
-bash ${TEMP_DIR}/generate.sh | grep 'https' | sort > ${TEMP_DIR}/files.list
-bash ${TEMP_DIR}/generate.sh | grep -v 'https' | sort > ${TEMP_DIR}/images.list
+# run ansible to expand templates
+/bin/cp ${CURRENT_DIR}/generate_list.yml ${REPO_ROOT_DIR}
+
+(cd ${REPO_ROOT_DIR} && ansible-playbook $* generate_list.yml && /bin/rm generate_list.yml) || exit 1

contrib/offline/generate_list.yml

@@ -0,0 +1,19 @@
+---
+- hosts: localhost
+  become: no
+
+  roles:
+    # Just load default variables from roles.
+    - role: kubespray-defaults
+      when: false
+    - role: download
+      when: false
+
+  tasks:
+    # Generate files.list and images.list files from templates.
+    - template:
+        src: ./contrib/offline/temp/{{ item }}.list.template
+        dest: ./contrib/offline/temp/{{ item }}.list
+      with_items:
+        - files
+        - images

contrib/offline/manage-offline-container-images.sh

@@ -15,7 +15,7 @@ function create_container_image_tar() {
 	IMAGES=$(kubectl describe pods --all-namespaces | grep " Image:" | awk '{print $2}' | sort | uniq)
 	# NOTE: etcd and pause cannot be seen as pods.
 	# The pause image is used for --pod-infra-container-image option of kubelet.
-	EXT_IMAGES=$(kubectl cluster-info dump | egrep "quay.io/coreos/etcd:|k8s.gcr.io/pause:" | sed s@\"@@g)
+	EXT_IMAGES=$(kubectl cluster-info dump | egrep "quay.io/coreos/etcd:|registry.k8s.io/pause:" | sed s@\"@@g)
 	IMAGES="${IMAGES} ${EXT_IMAGES}"
 
 	rm -f  ${IMAGE_TAR_FILE}
@@ -46,15 +46,16 @@ function create_container_image_tar() {
 
 		# NOTE: Here removes the following repo parts from each image
 		# so that these parts will be replaced with Kubespray.
-		# - kube_image_repo: "k8s.gcr.io"
+		# - kube_image_repo: "registry.k8s.io"
 		# - gcr_image_repo: "gcr.io"
 		# - docker_image_repo: "docker.io"
 		# - quay_image_repo: "quay.io"
 		FIRST_PART=$(echo ${image} | awk -F"/" '{print $1}')
-		if [ "${FIRST_PART}" = "k8s.gcr.io" ] ||
+		if [ "${FIRST_PART}" = "registry.k8s.io" ] ||
 		   [ "${FIRST_PART}" = "gcr.io" ] ||
 		   [ "${FIRST_PART}" = "docker.io" ] ||
-		   [ "${FIRST_PART}" = "quay.io" ]; then
+		   [ "${FIRST_PART}" = "quay.io" ] ||
+		   [ "${FIRST_PART}" = "${PRIVATE_REGISTRY}" ]; then
 			image=$(echo ${image} | sed s@"${FIRST_PART}/"@@)
 		fi
 		echo "${FILE_NAME}  ${image}" >> ${IMAGE_LIST}
@@ -152,7 +153,8 @@ else
 	echo "(2) Deploy local container registry and register the container images to the registry."
 	echo ""
 	echo "Step(1) should be done online site as a preparation, then we bring"
-	echo "the gotten images to the target offline environment."
+	echo "the gotten images to the target offline environment. if images are from"
+	echo "a private registry, you need to set PRIVATE_REGISTRY environment variable."
 	echo "Then we will run step(2) for registering the images to local registry."
 	echo ""
 	echo "${IMAGE_TAR_FILE} is created to contain your container images."

contrib/offline/manage-offline-files.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+CURRENT_DIR=$( dirname "$(readlink -f "$0")" )
+OFFLINE_FILES_DIR_NAME="offline-files"
+OFFLINE_FILES_DIR="${CURRENT_DIR}/${OFFLINE_FILES_DIR_NAME}"
+OFFLINE_FILES_ARCHIVE="${CURRENT_DIR}/offline-files.tar.gz"
+FILES_LIST=${FILES_LIST:-"${CURRENT_DIR}/temp/files.list"}
+NGINX_PORT=8080
+
+# download files
+if [ ! -f "${FILES_LIST}" ]; then
+    echo "${FILES_LIST} should exist, run ./generate_list.sh first."
+    exit 1
+fi
+
+rm -rf "${OFFLINE_FILES_DIR}"
+rm "${OFFLINE_FILES_ARCHIVE}"
+mkdir  "${OFFLINE_FILES_DIR}"
+
+wget -x -P "${OFFLINE_FILES_DIR}" -i "${FILES_LIST}"
+tar -czvf "${OFFLINE_FILES_ARCHIVE}"  "${OFFLINE_FILES_DIR_NAME}"
+
+[ -n "$NO_HTTP_SERVER" ] && echo "skip to run nginx" && exit 0
+
+# run nginx container server
+if command -v nerdctl 1>/dev/null 2>&1; then
+    runtime="nerdctl"
+elif command -v podman 1>/dev/null 2>&1; then
+    runtime="podman"
+elif command -v docker 1>/dev/null 2>&1; then
+    runtime="docker"
+else
+    echo "No supported container runtime found"
+    exit 1
+fi
+
+sudo "${runtime}" container inspect nginx >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+    sudo "${runtime}" run \
+        --restart=always -d -p ${NGINX_PORT}:80 \
+        --volume "${OFFLINE_FILES_DIR}:/usr/share/nginx/html/download" \
+        --volume "$(pwd)"/nginx.conf:/etc/nginx/nginx.conf \
+        --name nginx nginx:alpine
+fi

contrib/offline/nginx.conf

@@ -0,0 +1,39 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+include /usr/share/nginx/modules/*.conf;
+events {
+    worker_connections 1024;
+}
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+    access_log  /var/log/nginx/access.log  main;
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+    default_type        application/octet-stream;
+    include /etc/nginx/conf.d/*.conf;
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  _;
+        include /etc/nginx/default.d/*.conf;
+        location / {
+            root    /usr/share/nginx/html/download;
+        autoindex on;
+        autoindex_exact_size off;
+        autoindex_localtime on;
+        }
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+}

contrib/terraform/aws/README.md

@@ -36,8 +36,7 @@ terraform apply -var-file=credentials.tfvars
 ```
 
 - Terraform automatically creates an Ansible Inventory file called `hosts` with the created infrastructure in the directory `inventory`
-- Ansible will automatically generate an ssh config file for your bastion hosts. To connect to hosts with ssh using bastion host use generated ssh-bastion.conf.
-  Ansible automatically detects bastion and changes ssh_args  
+- Ansible will automatically generate an ssh config file for your bastion hosts. To connect to hosts with ssh using bastion host use generated `ssh-bastion.conf`. Ansible automatically detects bastion and changes `ssh_args`
 
 ```commandline
 ssh -F ./ssh-bastion.conf user@$ip

contrib/terraform/aws/create-infrastructure.tf

@@ -20,20 +20,20 @@ module "aws-vpc" {
 
   aws_cluster_name         = var.aws_cluster_name
   aws_vpc_cidr_block       = var.aws_vpc_cidr_block
-  aws_avail_zones          = slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names))
+  aws_avail_zones          = data.aws_availability_zones.available.names
   aws_cidr_subnets_private = var.aws_cidr_subnets_private
   aws_cidr_subnets_public  = var.aws_cidr_subnets_public
   default_tags             = var.default_tags
 }
 
-module "aws-elb" {
-  source = "./modules/elb"
+module "aws-nlb" {
+  source = "./modules/nlb"
 
   aws_cluster_name      = var.aws_cluster_name
   aws_vpc_id            = module.aws-vpc.aws_vpc_id
-  aws_avail_zones       = slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names))
+  aws_avail_zones       = data.aws_availability_zones.available.names
   aws_subnet_ids_public = module.aws-vpc.aws_subnet_ids_public
-  aws_elb_api_port      = var.aws_elb_api_port
+  aws_nlb_api_port      = var.aws_nlb_api_port
   k8s_secure_api_port   = var.k8s_secure_api_port
   default_tags          = var.default_tags
 }
@@ -54,7 +54,6 @@ resource "aws_instance" "bastion-server" {
   instance_type               = var.aws_bastion_size
   count                       = var.aws_bastion_num
   associate_public_ip_address = true
-  availability_zone           = element(slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names)), count.index)
   subnet_id                   = element(module.aws-vpc.aws_subnet_ids_public, count.index)
 
   vpc_security_group_ids = module.aws-vpc.aws_security_group
@@ -79,8 +78,7 @@ resource "aws_instance" "k8s-master" {
 
   count = var.aws_kube_master_num
 
-  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names)), count.index)
-  subnet_id         = element(module.aws-vpc.aws_subnet_ids_private, count.index)
+  subnet_id = element(module.aws-vpc.aws_subnet_ids_private, count.index)
 
   vpc_security_group_ids = module.aws-vpc.aws_security_group
 
@@ -98,10 +96,10 @@ resource "aws_instance" "k8s-master" {
   }))
 }
 
-resource "aws_elb_attachment" "attach_master_nodes" {
-  count    = var.aws_kube_master_num
-  elb      = module.aws-elb.aws_elb_api_id
-  instance = element(aws_instance.k8s-master.*.id, count.index)
+resource "aws_lb_target_group_attachment" "tg-attach_master_nodes" {
+  count            = var.aws_kube_master_num
+  target_group_arn = module.aws-nlb.aws_nlb_api_tg_arn
+  target_id        = element(aws_instance.k8s-master.*.private_ip, count.index)
 }
 
 resource "aws_instance" "k8s-etcd" {
@@ -110,8 +108,7 @@ resource "aws_instance" "k8s-etcd" {
 
   count = var.aws_etcd_num
 
-  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names)), count.index)
-  subnet_id         = element(module.aws-vpc.aws_subnet_ids_private, count.index)
+  subnet_id = element(module.aws-vpc.aws_subnet_ids_private, count.index)
 
   vpc_security_group_ids = module.aws-vpc.aws_security_group
 
@@ -134,8 +131,7 @@ resource "aws_instance" "k8s-worker" {
 
   count = var.aws_kube_worker_num
 
-  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names)), count.index)
-  subnet_id         = element(module.aws-vpc.aws_subnet_ids_private, count.index)
+  subnet_id = element(module.aws-vpc.aws_subnet_ids_private, count.index)
 
   vpc_security_group_ids = module.aws-vpc.aws_security_group
 
@@ -168,7 +164,7 @@ data "template_file" "inventory" {
     list_node                 = join("\n", aws_instance.k8s-worker.*.private_dns)
     connection_strings_etcd   = join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-etcd.*.private_dns, aws_instance.k8s-etcd.*.private_ip))
     list_etcd                 = join("\n", ((var.aws_etcd_num > 0) ? (aws_instance.k8s-etcd.*.private_dns) : (aws_instance.k8s-master.*.private_dns)))
-    elb_api_fqdn              = "apiserver_loadbalancer_domain_name=\"${module.aws-elb.aws_elb_api_fqdn}\""
+    nlb_api_fqdn              = "apiserver_loadbalancer_domain_name=\"${module.aws-nlb.aws_nlb_api_fqdn}\""
   }
 }
 

contrib/terraform/aws/modules/elb/main.tf

@@ -1,57 +0,0 @@
-resource "aws_security_group" "aws-elb" {
-  name   = "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
-  vpc_id = var.aws_vpc_id
-
-  tags = merge(var.default_tags, tomap({
-    Name = "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
-  }))
-}
-
-resource "aws_security_group_rule" "aws-allow-api-access" {
-  type              = "ingress"
-  from_port         = var.aws_elb_api_port
-  to_port           = var.k8s_secure_api_port
-  protocol          = "TCP"
-  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = aws_security_group.aws-elb.id
-}
-
-resource "aws_security_group_rule" "aws-allow-api-egress" {
-  type              = "egress"
-  from_port         = 0
-  to_port           = 65535
-  protocol          = "TCP"
-  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = aws_security_group.aws-elb.id
-}
-
-# Create a new AWS ELB for K8S API
-resource "aws_elb" "aws-elb-api" {
-  name            = "kubernetes-elb-${var.aws_cluster_name}"
-  subnets         = var.aws_subnet_ids_public
-  security_groups = [aws_security_group.aws-elb.id]
-
-  listener {
-    instance_port     = var.k8s_secure_api_port
-    instance_protocol = "tcp"
-    lb_port           = var.aws_elb_api_port
-    lb_protocol       = "tcp"
-  }
-
-  health_check {
-    healthy_threshold   = 2
-    unhealthy_threshold = 2
-    timeout             = 3
-    target              = "HTTPS:${var.k8s_secure_api_port}/healthz"
-    interval            = 30
-  }
-
-  cross_zone_load_balancing   = true
-  idle_timeout                = 400
-  connection_draining         = true
-  connection_draining_timeout = 400
-
-  tags = merge(var.default_tags, tomap({
-    Name = "kubernetes-${var.aws_cluster_name}-elb-api"
-  }))
-}

contrib/terraform/aws/modules/elb/outputs.tf

@@ -1,7 +0,0 @@
-output "aws_elb_api_id" {
-  value = aws_elb.aws-elb-api.id
-}
-
-output "aws_elb_api_fqdn" {
-  value = aws_elb.aws-elb-api.dns_name
-}

contrib/terraform/aws/modules/nlb/main.tf

@@ -0,0 +1,41 @@
+# Create a new AWS NLB for K8S API
+resource "aws_lb" "aws-nlb-api" {
+  name                             = "kubernetes-nlb-${var.aws_cluster_name}"
+  load_balancer_type               = "network"
+  subnets                          = length(var.aws_subnet_ids_public) <= length(var.aws_avail_zones) ? var.aws_subnet_ids_public : slice(var.aws_subnet_ids_public, 0, length(var.aws_avail_zones))
+  idle_timeout                     = 400
+  enable_cross_zone_load_balancing = true
+
+  tags = merge(var.default_tags, tomap({
+    Name = "kubernetes-${var.aws_cluster_name}-nlb-api"
+  }))
+}
+
+# Create a new AWS NLB Instance Target Group
+resource "aws_lb_target_group" "aws-nlb-api-tg" {
+  name        = "kubernetes-nlb-tg-${var.aws_cluster_name}"
+  port        = var.k8s_secure_api_port
+  protocol    = "TCP"
+  target_type = "ip"
+  vpc_id      = var.aws_vpc_id
+
+  health_check {
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    interval            = 30
+    protocol            = "HTTPS"
+    path                = "/healthz"
+  }
+}
+
+# Create a new AWS NLB Listener listen to target group
+resource "aws_lb_listener" "aws-nlb-api-listener" {
+  load_balancer_arn = aws_lb.aws-nlb-api.arn
+  port              = var.aws_nlb_api_port
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.aws-nlb-api-tg.arn
+  }
+}

contrib/terraform/aws/modules/nlb/outputs.tf

@@ -0,0 +1,11 @@
+output "aws_nlb_api_id" {
+  value = aws_lb.aws-nlb-api.id
+}
+
+output "aws_nlb_api_fqdn" {
+  value = aws_lb.aws-nlb-api.dns_name
+}
+
+output "aws_nlb_api_tg_arn" {
+  value = aws_lb_target_group.aws-nlb-api-tg.arn
+}

contrib/terraform/aws/modules/nlb/variables.tf

@@ -6,8 +6,8 @@ variable "aws_vpc_id" {
   description = "AWS VPC ID"
 }
 
-variable "aws_elb_api_port" {
-  description = "Port for AWS ELB"
+variable "aws_nlb_api_port" {
+  description = "Port for AWS NLB"
 }
 
 variable "k8s_secure_api_port" {

contrib/terraform/aws/modules/vpc/main.tf

@@ -25,13 +25,14 @@ resource "aws_internet_gateway" "cluster-vpc-internetgw" {
 
 resource "aws_subnet" "cluster-vpc-subnets-public" {
   vpc_id            = aws_vpc.cluster-vpc.id
-  count             = length(var.aws_avail_zones)
-  availability_zone = element(var.aws_avail_zones, count.index)
+  count             = length(var.aws_cidr_subnets_public)
+  availability_zone = element(var.aws_avail_zones, count.index % length(var.aws_avail_zones))
   cidr_block        = element(var.aws_cidr_subnets_public, count.index)
 
   tags = merge(var.default_tags, tomap({
     Name = "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-public"
-    "kubernetes.io/cluster/${var.aws_cluster_name}" = "member"
+    "kubernetes.io/cluster/${var.aws_cluster_name}" = "shared"
+    "kubernetes.io/role/elb" = "1"
   }))
 }
 
@@ -43,12 +44,14 @@ resource "aws_nat_gateway" "cluster-nat-gateway" {
 
 resource "aws_subnet" "cluster-vpc-subnets-private" {
   vpc_id            = aws_vpc.cluster-vpc.id
-  count             = length(var.aws_avail_zones)
-  availability_zone = element(var.aws_avail_zones, count.index)
+  count             = length(var.aws_cidr_subnets_private)
+  availability_zone = element(var.aws_avail_zones, count.index % length(var.aws_avail_zones))
   cidr_block        = element(var.aws_cidr_subnets_private, count.index)
 
   tags = merge(var.default_tags, tomap({
     Name = "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-private"
+    "kubernetes.io/cluster/${var.aws_cluster_name}" = "shared"
+    "kubernetes.io/role/internal-elb" = "1"
   }))
 }
 

contrib/terraform/aws/output.tf

@@ -14,8 +14,8 @@ output "etcd" {
   value = join("\n", ((var.aws_etcd_num > 0) ? (aws_instance.k8s-etcd.*.private_ip) : (aws_instance.k8s-master.*.private_ip)))
 }
 
-output "aws_elb_api_fqdn" {
-  value = "${module.aws-elb.aws_elb_api_fqdn}:${var.aws_elb_api_port}"
+output "aws_nlb_api_fqdn" {
+  value = "${module.aws-nlb.aws_nlb_api_fqdn}:${var.aws_nlb_api_port}"
 }
 
 output "inventory" {

contrib/terraform/aws/sample-inventory/cluster.tfvars

@@ -33,9 +33,9 @@ aws_kube_worker_size = "t2.medium"
 
 aws_kube_worker_disk_size = 50
 
-#Settings AWS ELB
+#Settings AWS NLB
 
-aws_elb_api_port = 6443
+aws_nlb_api_port = 6443
 
 k8s_secure_api_port = 6443
 

contrib/terraform/aws/templates/inventory.tpl

@@ -24,4 +24,4 @@ kube_control_plane
 calico_rr
 
 [k8s_cluster:vars]
-${elb_api_fqdn}
+${nlb_api_fqdn}

contrib/terraform/aws/terraform.tfvars

@@ -32,7 +32,7 @@ aws_kube_worker_size      = "t3.medium"
 aws_kube_worker_disk_size = 50
 
 #Settings AWS ELB
-aws_elb_api_port    = 6443
+aws_nlb_api_port    = 6443
 k8s_secure_api_port = 6443
 
 default_tags = {

contrib/terraform/aws/terraform.tfvars.example

@@ -25,7 +25,7 @@ aws_kube_worker_size = "t3.medium"
 aws_kube_worker_disk_size = 50
 
 #Settings AWS ELB
-aws_elb_api_port = 6443
+aws_nlb_api_port = 6443
 k8s_secure_api_port = 6443
 
 default_tags = { }

contrib/terraform/aws/variables.tf

@@ -104,11 +104,11 @@ variable "aws_kube_worker_size" {
 }
 
 /*
-* AWS ELB Settings
+* AWS NLB Settings
 *
 */
-variable "aws_elb_api_port" {
-  description = "Port for AWS ELB"
+variable "aws_nlb_api_port" {
+  description = "Port for AWS NLB"
 }
 
 variable "k8s_secure_api_port" {

contrib/terraform/exoscale/README.md

@@ -31,9 +31,7 @@ The setup looks like following
 
 ## Requirements
 
-* Terraform 0.13.0 or newer
-
-*0.12 also works if you modify the provider block to include version and remove all `versions.tf` files*
+* Terraform 0.13.0 or newer (0.12 also works if you modify the provider block to include version and remove all `versions.tf` files)
 
 ## Quickstart
 

contrib/terraform/gcp/README.md

@@ -74,14 +74,23 @@ ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
 * `ssh_whitelist`: List of IP ranges (CIDR) that will be allowed to ssh to the nodes
 * `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
 * `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
+* `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443
 
 ### Optional
 
 * `prefix`: Prefix to use for all resources, required to be unique for all clusters in the same project *(Defaults to `default`)*
-* `master_sa_email`: Service account email to use for the master nodes *(Defaults to `""`, auto generate one)*
-* `master_sa_scopes`: Service account email to use for the master nodes *(Defaults to `["https://www.googleapis.com/auth/cloud-platform"]`)*
+* `master_sa_email`: Service account email to use for the control plane nodes *(Defaults to `""`, auto generate one)*
+* `master_sa_scopes`: Service account email to use for the control plane nodes *(Defaults to `["https://www.googleapis.com/auth/cloud-platform"]`)*
+* `master_preemptible`: Enable [preemptible](https://cloud.google.com/compute/docs/instances/preemptible)
+  for the control plane nodes *(Defaults to `false`)*
+* `master_additional_disk_type`: [Disk type](https://cloud.google.com/compute/docs/disks/#disk-types)
+  for extra disks added on the control plane nodes *(Defaults to `"pd-ssd"`)*
 * `worker_sa_email`: Service account email to use for the worker nodes *(Defaults to `""`, auto generate one)*
 * `worker_sa_scopes`: Service account email to use for the worker nodes *(Defaults to `["https://www.googleapis.com/auth/cloud-platform"]`)*
+* `worker_preemptible`: Enable [preemptible](https://cloud.google.com/compute/docs/instances/preemptible)
+  for the worker nodes *(Defaults to `false`)*
+* `worker_additional_disk_type`: [Disk type](https://cloud.google.com/compute/docs/disks/#disk-types)
+  for extra disks added on the worker nodes *(Defaults to `"pd-ssd"`)*
 
 An example variables file can be found `tfvars.json`
 

contrib/terraform/gcp/main.tf

@@ -1,8 +1,16 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 4.0"
+    }
+  }
+}
+
 provider "google" {
   credentials = file(var.keyfile_location)
   region      = var.region
   project     = var.gcp_project_id
-  version     = "~> 3.48"
 }
 
 module "kubernetes" {
@@ -13,12 +21,17 @@ module "kubernetes" {
   machines    = var.machines
   ssh_pub_key = var.ssh_pub_key
 
-  master_sa_email  = var.master_sa_email
-  master_sa_scopes = var.master_sa_scopes
-  worker_sa_email  = var.worker_sa_email
-  worker_sa_scopes = var.worker_sa_scopes
+  master_sa_email    = var.master_sa_email
+  master_sa_scopes   = var.master_sa_scopes
+  master_preemptible = var.master_preemptible
+  master_additional_disk_type = var.master_additional_disk_type
+  worker_sa_email    = var.worker_sa_email
+  worker_sa_scopes   = var.worker_sa_scopes
+  worker_preemptible = var.worker_preemptible
+  worker_additional_disk_type = var.worker_additional_disk_type
 
   ssh_whitelist        = var.ssh_whitelist
   api_server_whitelist = var.api_server_whitelist
   nodeport_whitelist   = var.nodeport_whitelist
+  ingress_whitelist    = var.ingress_whitelist
 }

contrib/terraform/gcp/modules/kubernetes-cluster/main.tf

@@ -5,6 +5,8 @@
 
 resource "google_compute_network" "main" {
   name = "${var.prefix}-network"
+
+  auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "main" {
@@ -20,6 +22,8 @@ resource "google_compute_firewall" "deny_all" {
 
   priority = 1000
 
+  source_ranges = ["0.0.0.0/0"]
+
   deny {
     protocol = "all"
   }
@@ -39,6 +43,8 @@ resource "google_compute_firewall" "allow_internal" {
 }
 
 resource "google_compute_firewall" "ssh" {
+  count = length(var.ssh_whitelist) > 0 ? 1 : 0
+
   name    = "${var.prefix}-ssh-firewall"
   network = google_compute_network.main.name
 
@@ -53,6 +59,8 @@ resource "google_compute_firewall" "ssh" {
 }
 
 resource "google_compute_firewall" "api_server" {
+  count = length(var.api_server_whitelist) > 0 ? 1 : 0
+
   name    = "${var.prefix}-api-server-firewall"
   network = google_compute_network.main.name
 
@@ -67,6 +75,8 @@ resource "google_compute_firewall" "api_server" {
 }
 
 resource "google_compute_firewall" "nodeport" {
+  count = length(var.nodeport_whitelist) > 0 ? 1 : 0
+
   name    = "${var.prefix}-nodeport-firewall"
   network = google_compute_network.main.name
 
@@ -81,11 +91,15 @@ resource "google_compute_firewall" "nodeport" {
 }
 
 resource "google_compute_firewall" "ingress_http" {
+  count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
   name    = "${var.prefix}-http-ingress-firewall"
   network = google_compute_network.main.name
 
   priority = 100
 
+  source_ranges = var.ingress_whitelist
+
   allow {
     protocol = "tcp"
     ports    = ["80"]
@@ -93,11 +107,15 @@ resource "google_compute_firewall" "ingress_http" {
 }
 
 resource "google_compute_firewall" "ingress_https" {
+  count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
   name    = "${var.prefix}-https-ingress-firewall"
   network = google_compute_network.main.name
 
   priority = 100
 
+  source_ranges = var.ingress_whitelist
+
   allow {
     protocol = "tcp"
     ports    = ["443"]
@@ -173,7 +191,7 @@ resource "google_compute_disk" "master" {
    }
 
   name = "${var.prefix}-${each.key}"
-  type = "pd-ssd"
+  type = var.master_additional_disk_type
   zone = each.value.machine.zone
   size = each.value.disk_size
 
@@ -229,19 +247,28 @@ resource "google_compute_instance" "master" {
 
   # Since we use google_compute_attached_disk we need to ignore this
   lifecycle {
-    ignore_changes = ["attached_disk"]
+    ignore_changes = [attached_disk]
+  }
+
+  scheduling {
+    preemptible = var.master_preemptible
+    automatic_restart = !var.master_preemptible
   }
 }
 
 resource "google_compute_forwarding_rule" "master_lb" {
+  count = length(var.api_server_whitelist) > 0 ? 1 : 0
+
   name = "${var.prefix}-master-lb-forward-rule"
 
   port_range = "6443"
 
-  target = google_compute_target_pool.master_lb.id
+  target = google_compute_target_pool.master_lb[count.index].id
 }
 
 resource "google_compute_target_pool" "master_lb" {
+  count = length(var.api_server_whitelist) > 0 ? 1 : 0
+
   name      = "${var.prefix}-master-lb-pool"
   instances = local.master_target_list
 }
@@ -258,7 +285,7 @@ resource "google_compute_disk" "worker" {
    }
 
   name = "${var.prefix}-${each.key}"
-  type = "pd-ssd"
+  type = var.worker_additional_disk_type
   zone = each.value.machine.zone
   size = each.value.disk_size
 
@@ -326,35 +353,48 @@ resource "google_compute_instance" "worker" {
 
   # Since we use google_compute_attached_disk we need to ignore this
   lifecycle {
-    ignore_changes = ["attached_disk"]
+    ignore_changes = [attached_disk]
+  }
+
+  scheduling {
+    preemptible = var.worker_preemptible
+    automatic_restart = !var.worker_preemptible
   }
 }
 
 resource "google_compute_address" "worker_lb" {
+  count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
   name         = "${var.prefix}-worker-lb-address"
   address_type = "EXTERNAL"
   region       = var.region
 }
 
 resource "google_compute_forwarding_rule" "worker_http_lb" {
+  count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
   name = "${var.prefix}-worker-http-lb-forward-rule"
 
-  ip_address = google_compute_address.worker_lb.address
+  ip_address = google_compute_address.worker_lb[count.index].address
   port_range = "80"
 
-  target = google_compute_target_pool.worker_lb.id
+  target = google_compute_target_pool.worker_lb[count.index].id
 }
 
 resource "google_compute_forwarding_rule" "worker_https_lb" {
+  count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
   name = "${var.prefix}-worker-https-lb-forward-rule"
 
-  ip_address = google_compute_address.worker_lb.address
+  ip_address = google_compute_address.worker_lb[count.index].address
   port_range = "443"
 
-  target = google_compute_target_pool.worker_lb.id
+  target = google_compute_target_pool.worker_lb[count.index].id
 }
 
 resource "google_compute_target_pool" "worker_lb" {
+  count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
   name      = "${var.prefix}-worker-lb-pool"
   instances = local.worker_target_list
 }

contrib/terraform/gcp/modules/kubernetes-cluster/output.tf

@@ -19,9 +19,9 @@ output "worker_ip_addresses" {
 }
 
 output "ingress_controller_lb_ip_address" {
-  value = google_compute_address.worker_lb.address
+  value = length(var.ingress_whitelist) > 0 ? google_compute_address.worker_lb.0.address : ""
 }
 
 output "control_plane_lb_ip_address" {
-  value = google_compute_forwarding_rule.master_lb.ip_address
+  value = length(var.api_server_whitelist) > 0 ? google_compute_forwarding_rule.master_lb.0.ip_address : ""
 }

contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf

@@ -27,6 +27,14 @@ variable "master_sa_scopes" {
   type = list(string)
 }
 
+variable "master_preemptible" {
+  type = bool
+}
+
+variable "master_additional_disk_type" {
+  type = string
+}
+
 variable "worker_sa_email" {
   type = string
 }
@@ -35,6 +43,14 @@ variable "worker_sa_scopes" {
   type = list(string)
 }
 
+variable "worker_preemptible" {
+  type = bool
+}
+
+variable "worker_additional_disk_type" {
+  type = string
+}
+
 variable "ssh_pub_key" {}
 
 variable "ssh_whitelist" {
@@ -49,6 +65,11 @@ variable "nodeport_whitelist" {
   type = list(string)
 }
 
+variable "ingress_whitelist" {
+  type = list(string)
+  default = ["0.0.0.0/0"]
+}
+
 variable "private_network_cidr" {
   default = "10.0.10.0/24"
 }

contrib/terraform/gcp/tfvars.json

@@ -16,6 +16,9 @@
   "nodeport_whitelist": [
     "1.2.3.4/32"
   ],
+  "ingress_whitelist": [
+    "0.0.0.0/0"
+  ],
 
   "machines": {
     "master-0": {
@@ -24,7 +27,7 @@
       "zone": "us-central1-a",
       "additional_disks": {},
       "boot_disk": {
-        "image_name": "ubuntu-os-cloud/ubuntu-1804-bionic-v20201116",
+        "image_name": "ubuntu-os-cloud/ubuntu-2004-focal-v20220118",
         "size": 50
       }
     },
@@ -38,7 +41,7 @@
         }
       },
       "boot_disk": {
-        "image_name": "ubuntu-os-cloud/ubuntu-1804-bionic-v20201116",
+        "image_name": "ubuntu-os-cloud/ubuntu-2004-focal-v20220118",
         "size": 50
       }
     },
@@ -52,7 +55,7 @@
         }
       },
       "boot_disk": {
-        "image_name": "ubuntu-os-cloud/ubuntu-1804-bionic-v20201116",
+        "image_name": "ubuntu-os-cloud/ubuntu-2004-focal-v20220118",
         "size": 50
       }
     }

contrib/terraform/gcp/variables.tf

@@ -44,6 +44,16 @@ variable "master_sa_scopes" {
   default = ["https://www.googleapis.com/auth/cloud-platform"]
 }
 
+variable "master_preemptible" {
+  type    = bool
+  default = false
+}
+
+variable "master_additional_disk_type" {
+  type = string
+  default = "pd-ssd"
+}
+
 variable "worker_sa_email" {
   type    = string
   default = ""
@@ -54,6 +64,16 @@ variable "worker_sa_scopes" {
   default = ["https://www.googleapis.com/auth/cloud-platform"]
 }
 
+variable "worker_preemptible" {
+  type    = bool
+  default = false
+}
+
+variable "worker_additional_disk_type" {
+  type = string
+  default = "pd-ssd"
+}
+
 variable ssh_pub_key {
   description = "Path to public SSH key file which is injected into the VMs."
   type        = string
@@ -70,3 +90,8 @@ variable api_server_whitelist {
 variable nodeport_whitelist {
   type = list(string)
 }
+
+variable "ingress_whitelist" {
+  type = list(string)
+  default = ["0.0.0.0/0"]
+}

contrib/terraform/hetzner/README.md

@@ -97,6 +97,7 @@ terraform destroy --var-file default.tfvars ../../contrib/terraform/hetzner
 * `prefix`: Prefix to add to all resources, if set to "" don't set any prefix
 * `ssh_public_keys`: List of public SSH keys to install on all machines
 * `zone`: The zone where to run the cluster
+* `network_zone`: the network zone where the cluster is running
 * `machines`: Machines to provision. Key of this object will be used as the name of the machine
   * `node_type`: The role of this node *(master|worker)*
   * `size`: Size of the VM

contrib/terraform/hetzner/default.tfvars

@@ -1,6 +1,6 @@
 prefix = "default"
 zone   = "hel1"
-
+network_zone = "eu-central"
 inventory_file = "inventory.ini"
 
 ssh_public_keys = [

contrib/terraform/hetzner/main.tf

@@ -10,6 +10,7 @@ module "kubernetes" {
   machines = var.machines
 
   ssh_public_keys = var.ssh_public_keys
+  network_zone = var.network_zone
 
   ssh_whitelist        = var.ssh_whitelist
   api_server_whitelist = var.api_server_whitelist
@@ -34,9 +35,9 @@ data "template_file" "inventory" {
       keys(module.kubernetes.worker_ip_addresses),
       values(module.kubernetes.worker_ip_addresses).*.public_ip,
     values(module.kubernetes.worker_ip_addresses).*.private_ip))
-
     list_master = join("\n", keys(module.kubernetes.master_ip_addresses))
     list_worker = join("\n", keys(module.kubernetes.worker_ip_addresses))
+    network_id = module.kubernetes.network_id
   }
 }
 

contrib/terraform/hetzner/modules/kubernetes-cluster/main.tf

@@ -6,7 +6,7 @@ resource "hcloud_network" "kubernetes" {
 resource "hcloud_network_subnet" "kubernetes" {
   type         = "cloud"
   network_id   = hcloud_network.kubernetes.id
-  network_zone = "eu-central"
+  network_zone = var.network_zone
   ip_range     = var.private_subnet_cidr
 }
 

contrib/terraform/hetzner/modules/kubernetes-cluster/output.tf

@@ -21,3 +21,7 @@ output "worker_ip_addresses" {
 output "cluster_private_network_cidr" {
   value = var.private_subnet_cidr
 }
+
+output "network_id" {
+  value = hcloud_network.kubernetes.id
+}

contrib/terraform/hetzner/modules/kubernetes-cluster/variables.tf

@@ -39,3 +39,6 @@ variable "private_network_cidr" {
 variable "private_subnet_cidr" {
   default = "10.0.10.0/24"
 }
+variable "network_zone" {
+  default = "eu-central"
+}

contrib/terraform/hetzner/templates/inventory.tpl

@@ -14,3 +14,6 @@ ${list_worker}
 [k8s-cluster:children]
 kube-master
 kube-node
+
+[k8s-cluster:vars]
+network_id=${network_id}

contrib/terraform/hetzner/variables.tf

@@ -1,6 +1,10 @@
 variable "zone" {
   description = "The zone where to run the cluster"
 }
+variable "network_zone" {
+  description = "The network zone where the cluster is running"
+  default = "eu-central"
+}
 
 variable "prefix" {
   description = "Prefix for resource names"

contrib/terraform/metal/README.md

@@ -35,7 +35,7 @@ now six total etcd replicas.
 ## Requirements
 
 - [Install Terraform](https://www.terraform.io/intro/getting-started/install.html)
-- Install dependencies: `sudo pip install -r requirements.txt`
+- [Install Ansible dependencies](/docs/ansible.md#installing-ansible)
 - Account with Equinix Metal
 - An SSH key pair
 
@@ -60,9 +60,9 @@ Terraform will be used to provision all of the Equinix Metal resources with base
 Create an inventory directory for your cluster by copying the existing sample and linking the `hosts` script (used to build the inventory based on Terraform state):
 
 ```ShellSession
-cp -LRp contrib/terraform/packet/sample-inventory inventory/$CLUSTER
+cp -LRp contrib/terraform/metal/sample-inventory inventory/$CLUSTER
 cd inventory/$CLUSTER
-ln -s ../../contrib/terraform/packet/hosts
+ln -s ../../contrib/terraform/metal/hosts
 ```
 
 This will be the base for subsequent Terraform commands.
@@ -101,7 +101,7 @@ This helps when identifying which hosts are associated with each cluster.
 While the defaults in variables.tf will successfully deploy a cluster, it is recommended to set the following values:
 
 - cluster_name = the name of the inventory directory created above as $CLUSTER
-- packet_project_id = the Equinix Metal Project ID associated with the Equinix Metal API token above
+- metal_project_id = the Equinix Metal Project ID associated with the Equinix Metal API token above
 
 #### Enable localhost access
 
@@ -119,7 +119,7 @@ Once the Kubespray playbooks are run, a Kubernetes configuration file will be wr
 
 In the cluster's inventory folder, the following files might be created (either by Terraform
 or manually), to prevent you from pushing them accidentally they are in a
-`.gitignore` file in the `terraform/packet` directory :
+`.gitignore` file in the `terraform/metal` directory :
 
 - `.terraform`
 - `.tfvars`
@@ -135,7 +135,7 @@ plugins. This is accomplished as follows:
 
 ```ShellSession
 cd inventory/$CLUSTER
-terraform init ../../contrib/terraform/packet
+terraform init ../../contrib/terraform/metal
 ```
 
 This should finish fairly quickly telling you Terraform has successfully initialized and loaded necessary modules.
@@ -146,7 +146,7 @@ You can apply the Terraform configuration to your cluster with the following com
 issued from your cluster's inventory directory (`inventory/$CLUSTER`):
 
 ```ShellSession
-terraform apply -var-file=cluster.tfvars ../../contrib/terraform/packet
+terraform apply -var-file=cluster.tfvars ../../contrib/terraform/metal
 export ANSIBLE_HOST_KEY_CHECKING=False
 ansible-playbook -i hosts ../../cluster.yml
 ```
@@ -156,7 +156,7 @@ ansible-playbook -i hosts ../../cluster.yml
 You can destroy your new cluster with the following command issued from the cluster's inventory directory:
 
 ```ShellSession
-terraform destroy -var-file=cluster.tfvars ../../contrib/terraform/packet
+terraform destroy -var-file=cluster.tfvars ../../contrib/terraform/metal
 ```
 
 If you've started the Ansible run, it may also be a good idea to do some manual cleanup:

contrib/terraform/metal/kubespray.tf

@@ -1,16 +1,15 @@
 # Configure the Equinix Metal Provider
-provider "packet" {
-  version = "~> 2.0"
+provider "metal" {
 }
 
-resource "packet_ssh_key" "k8s" {
+resource "metal_ssh_key" "k8s" {
   count      = var.public_key_path != "" ? 1 : 0
   name       = "kubernetes-${var.cluster_name}"
   public_key = chomp(file(var.public_key_path))
 }
 
-resource "packet_device" "k8s_master" {
-  depends_on = [packet_ssh_key.k8s]
+resource "metal_device" "k8s_master" {
+  depends_on = [metal_ssh_key.k8s]
 
   count            = var.number_of_k8s_masters
   hostname         = "${var.cluster_name}-k8s-master-${count.index + 1}"
@@ -18,12 +17,12 @@ resource "packet_device" "k8s_master" {
   facilities       = [var.facility]
   operating_system = var.operating_system
   billing_cycle    = var.billing_cycle
-  project_id       = var.packet_project_id
+  project_id       = var.metal_project_id
   tags             = ["cluster-${var.cluster_name}", "k8s_cluster", "kube_control_plane", "etcd", "kube_node"]
 }
 
-resource "packet_device" "k8s_master_no_etcd" {
-  depends_on = [packet_ssh_key.k8s]
+resource "metal_device" "k8s_master_no_etcd" {
+  depends_on = [metal_ssh_key.k8s]
 
   count            = var.number_of_k8s_masters_no_etcd
   hostname         = "${var.cluster_name}-k8s-master-${count.index + 1}"
@@ -31,12 +30,12 @@ resource "packet_device" "k8s_master_no_etcd" {
   facilities       = [var.facility]
   operating_system = var.operating_system
   billing_cycle    = var.billing_cycle
-  project_id       = var.packet_project_id
+  project_id       = var.metal_project_id
   tags             = ["cluster-${var.cluster_name}", "k8s_cluster", "kube_control_plane"]
 }
 
-resource "packet_device" "k8s_etcd" {
-  depends_on = [packet_ssh_key.k8s]
+resource "metal_device" "k8s_etcd" {
+  depends_on = [metal_ssh_key.k8s]
 
   count            = var.number_of_etcd
   hostname         = "${var.cluster_name}-etcd-${count.index + 1}"
@@ -44,12 +43,12 @@ resource "packet_device" "k8s_etcd" {
   facilities       = [var.facility]
   operating_system = var.operating_system
   billing_cycle    = var.billing_cycle
-  project_id       = var.packet_project_id
+  project_id       = var.metal_project_id
   tags             = ["cluster-${var.cluster_name}", "etcd"]
 }
 
-resource "packet_device" "k8s_node" {
-  depends_on = [packet_ssh_key.k8s]
+resource "metal_device" "k8s_node" {
+  depends_on = [metal_ssh_key.k8s]
 
   count            = var.number_of_k8s_nodes
   hostname         = "${var.cluster_name}-k8s-node-${count.index + 1}"
@@ -57,7 +56,7 @@ resource "packet_device" "k8s_node" {
   facilities       = [var.facility]
   operating_system = var.operating_system
   billing_cycle    = var.billing_cycle
-  project_id       = var.packet_project_id
+  project_id       = var.metal_project_id
   tags             = ["cluster-${var.cluster_name}", "k8s_cluster", "kube_node"]
 }
 

contrib/terraform/metal/output.tf

@@ -0,0 +1,16 @@
+output "k8s_masters" {
+  value = metal_device.k8s_master.*.access_public_ipv4
+}
+
+output "k8s_masters_no_etc" {
+  value = metal_device.k8s_master_no_etcd.*.access_public_ipv4
+}
+
+output "k8s_etcds" {
+  value = metal_device.k8s_etcd.*.access_public_ipv4
+}
+
+output "k8s_nodes" {
+  value = metal_device.k8s_node.*.access_public_ipv4
+}
+

contrib/terraform/metal/sample-inventory/cluster.tfvars

@@ -2,7 +2,7 @@
 cluster_name = "mycluster"
 
 # Your Equinix Metal project ID. See hhttps://metal.equinix.com/developers/docs/accounts/
-packet_project_id = "Example-API-Token"
+metal_project_id = "Example-API-Token"
 
 # The public SSH key to be uploaded into authorized_keys in bare metal Equinix Metal nodes provisioned
 # leave this value blank if the public key is already setup in the Equinix Metal project

contrib/terraform/metal/variables.tf

@@ -2,12 +2,12 @@ variable "cluster_name" {
   default = "kubespray"
 }
 
-variable "packet_project_id" {
+variable "metal_project_id" {
   description = "Your Equinix Metal project ID. See https://metal.equinix.com/developers/docs/accounts/"
 }
 
 variable "operating_system" {
-  default = "ubuntu_16_04"
+  default = "ubuntu_20_04"
 }
 
 variable "public_key_path" {
@@ -24,23 +24,23 @@ variable "facility" {
 }
 
 variable "plan_k8s_masters" {
-  default = "c2.medium.x86"
+  default = "c3.small.x86"
 }
 
 variable "plan_k8s_masters_no_etcd" {
-  default = "c2.medium.x86"
+  default = "c3.small.x86"
 }
 
 variable "plan_etcd" {
-  default = "c2.medium.x86"
+  default = "c3.small.x86"
 }
 
 variable "plan_k8s_nodes" {
-  default = "c2.medium.x86"
+  default = "c3.medium.x86"
 }
 
 variable "number_of_k8s_masters" {
-  default = 0
+  default = 1
 }
 
 variable "number_of_k8s_masters_no_etcd" {
@@ -52,6 +52,6 @@ variable "number_of_etcd" {
 }
 
 variable "number_of_k8s_nodes" {
-  default = 0
+  default = 1
 }
 

contrib/terraform/metal/versions.tf

@@ -2,8 +2,8 @@
 terraform {
   required_version = ">= 0.12"
   required_providers {
-    packet = {
-      source = "terraform-providers/packet"
+    metal = {
+      source = "equinix/metal"
     }
   }
 }

contrib/terraform/openstack/README.md

@@ -17,9 +17,10 @@ most modern installs of OpenStack that support the basic services.
 - [ELASTX](https://elastx.se/)
 - [EnterCloudSuite](https://www.entercloudsuite.com/)
 - [FugaCloud](https://fuga.cloud/)
-- [Open Telekom Cloud](https://cloud.telekom.de/) : requires to set the variable `wait_for_floatingip = "true"` in your cluster.tfvars
+- [Open Telekom Cloud](https://cloud.telekom.de/)
 - [OVH](https://www.ovh.com/)
 - [Rackspace](https://www.rackspace.com/)
+- [Safespring](https://www.safespring.com)
 - [Ultimum](https://ultimum.io/)
 - [VexxHost](https://vexxhost.com/)
 - [Zetta](https://www.zetta.io/)
@@ -247,6 +248,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`cluster_name` | All OpenStack resources will use the Terraform variable`cluster_name` (default`example`) in their name to make it easier to track. For example the first compute resource will be named`example-kubernetes-1`. |
 |`az_list` | List of Availability Zones available in your OpenStack cluster. |
 |`network_name` | The name to be given to the internal network that will be generated |
+|`use_existing_network`| Use an existing network with the name of `network_name`. `false` by default |
 |`network_dns_domain` | (Optional) The dns_domain for the internal network that will be generated |
 |`dns_nameservers`| An array of DNS name server names to be used by hosts in the internal subnet. |
 |`floatingip_pool` | Name of the pool from which floating IPs will be allocated |
@@ -271,7 +273,6 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`k8s_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, empty by default |
 |`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
 |`master_allowed_ports` | List of ports to open on master nodes, expected format is `[{ "protocol" = "tcp", "port_range_min" = 443, "port_range_max" = 443, "remote_ip_prefix" = "0.0.0.0/0"}]`, empty by default |
-|`wait_for_floatingip` | Let Terraform poll the instance until the floating IP has been associated, `false` by default. |
 |`node_root_volume_size_in_gb` | Size of the root volume for nodes, 0 to use ephemeral storage |
 |`master_root_volume_size_in_gb` | Size of the root volume for masters, 0 to use ephemeral storage |
 |`master_volume_type` | Volume type of the root volume for control_plane, 'Default' by default |
@@ -283,7 +284,10 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`node_server_group_policy` | Enable and use openstack nova servergroups for nodes with set policy, default: "" (disabled) |
 |`etcd_server_group_policy` | Enable and use openstack nova servergroups for etcd with set policy, default: "" (disabled) |
 |`use_access_ip` | If 1, nodes with floating IPs will transmit internal cluster traffic via floating IPs; if 0 private IPs will be used instead. Default value is 1. |
+|`port_security_enabled` | Allow to disable port security by setting this to `false`. `true` by default |
+|`force_null_port_security` | Set `null` instead of `true` or `false` for `port_security`. `false` by default |
 |`k8s_nodes` | Map containing worker node definition, see explanation below |
+|`k8s_masters` | Map containing master node definition, see explanation for k8s_nodes and `sample-inventory/cluster.tfvars` |
 
 ##### k8s_nodes
 
@@ -411,18 +415,39 @@ plugins. This is accomplished as follows:
 
 ```ShellSession
 cd inventory/$CLUSTER
-terraform init ../../contrib/terraform/openstack
+terraform -chdir="../../contrib/terraform/openstack" init
 ```
 
 This should finish fairly quickly telling you Terraform has successfully initialized and loaded necessary modules.
 
+### Customizing with cloud-init
+
+You can apply cloud-init based customization for the openstack instances before provisioning your cluster.
+One common template is used for all instances. Adjust the file shown below:
+`contrib/terraform/openstack/modules/compute/templates/cloudinit.yaml`
+For example, to enable openstack novnc access and ansible_user=root SSH access:
+
+```ShellSession
+#cloud-config
+## in some cases novnc console access is required
+## it requires ssh password to be set
+ssh_pwauth: yes
+chpasswd:
+  list: |
+    root:secret
+  expire: False
+
+## in some cases direct root ssh access via ssh key is required
+disable_root: false
+```
+
 ### Provisioning cluster
 
 You can apply the Terraform configuration to your cluster with the following command
 issued from your cluster's inventory directory (`inventory/$CLUSTER`):
 
 ```ShellSession
-terraform apply -var-file=cluster.tfvars ../../contrib/terraform/openstack
+terraform -chdir="../../contrib/terraform/openstack" apply -var-file=cluster.tfvars
 ```
 
 if you chose to create a bastion host, this script will create
@@ -437,7 +462,7 @@ pick it up automatically.
 You can destroy your new cluster with the following command issued from the cluster's inventory directory:
 
 ```ShellSession
-terraform destroy -var-file=cluster.tfvars ../../contrib/terraform/openstack
+terraform -chdir="../../contrib/terraform/openstack" destroy -var-file=cluster.tfvars
 ```
 
 If you've started the Ansible run, it may also be a good idea to do some manual cleanup:

contrib/terraform/openstack/kubespray.tf

@@ -1,14 +1,15 @@
 module "network" {
   source = "./modules/network"
 
-  external_net       = var.external_net
-  network_name       = var.network_name
-  subnet_cidr        = var.subnet_cidr
-  cluster_name       = var.cluster_name
-  dns_nameservers    = var.dns_nameservers
-  network_dns_domain = var.network_dns_domain
-  use_neutron        = var.use_neutron
-  router_id          = var.router_id
+  external_net          = var.external_net
+  network_name          = var.network_name
+  subnet_cidr           = var.subnet_cidr
+  cluster_name          = var.cluster_name
+  dns_nameservers       = var.dns_nameservers
+  network_dns_domain    = var.network_dns_domain
+  use_neutron           = var.use_neutron
+  port_security_enabled = var.port_security_enabled
+  router_id             = var.router_id
 }
 
 module "ips" {
@@ -23,6 +24,7 @@ module "ips" {
   network_name                  = var.network_name
   router_id                     = module.network.router_id
   k8s_nodes                     = var.k8s_nodes
+  k8s_masters                   = var.k8s_masters
   k8s_master_fips               = var.k8s_master_fips
   bastion_fips                  = var.bastion_fips
   router_internal_port_id       = module.network.router_internal_port_id
@@ -43,6 +45,7 @@ module "compute" {
   number_of_bastions                           = var.number_of_bastions
   number_of_k8s_nodes_no_floating_ip           = var.number_of_k8s_nodes_no_floating_ip
   number_of_gfs_nodes_no_floating_ip           = var.number_of_gfs_nodes_no_floating_ip
+  k8s_masters                                  = var.k8s_masters
   k8s_nodes                                    = var.k8s_nodes
   bastion_root_volume_size_in_gb               = var.bastion_root_volume_size_in_gb
   etcd_root_volume_size_in_gb                  = var.etcd_root_volume_size_in_gb
@@ -69,6 +72,7 @@ module "compute" {
   flavor_bastion                               = var.flavor_bastion
   k8s_master_fips                              = module.ips.k8s_master_fips
   k8s_master_no_etcd_fips                      = module.ips.k8s_master_no_etcd_fips
+  k8s_masters_fips                             = module.ips.k8s_masters_fips
   k8s_node_fips                                = module.ips.k8s_node_fips
   k8s_nodes_fips                               = module.ips.k8s_nodes_fips
   bastion_fips                                 = module.ips.bastion_fips
@@ -80,7 +84,6 @@ module "compute" {
   supplementary_node_groups                    = var.supplementary_node_groups
   master_allowed_ports                         = var.master_allowed_ports
   worker_allowed_ports                         = var.worker_allowed_ports
-  wait_for_floatingip                          = var.wait_for_floatingip
   use_access_ip                                = var.use_access_ip
   master_server_group_policy                   = var.master_server_group_policy
   node_server_group_policy                     = var.node_server_group_policy
@@ -88,8 +91,11 @@ module "compute" {
   extra_sec_groups                             = var.extra_sec_groups
   extra_sec_groups_name                        = var.extra_sec_groups_name
   group_vars_path                              = var.group_vars_path
-
-  network_id = module.network.router_id
+  port_security_enabled                        = var.port_security_enabled
+  force_null_port_security                     = var.force_null_port_security
+  network_router_id                            = module.network.router_id
+  network_id                                   = module.network.network_id
+  use_existing_network                         = var.use_existing_network
 }
 
 output "private_subnet_id" {

contrib/terraform/openstack/modules/compute/main.tf

@@ -15,6 +15,15 @@ data "openstack_images_image_v2" "image_master" {
   name = var.image_master == "" ? var.image : var.image_master
 }
 
+data "template_file" "cloudinit" {
+  template = file("${path.module}/templates/cloudinit.yaml")
+}
+
+data "openstack_networking_network_v2" "k8s_network" {
+  count = var.use_existing_network ? 1 : 0
+  name  = var.network_name
+}
+
 resource "openstack_compute_keypair_v2" "k8s" {
   name       = "kubernetes-${var.cluster_name}"
   public_key = chomp(file(var.public_key_path))
@@ -150,16 +159,25 @@ resource "openstack_compute_servergroup_v2" "k8s_etcd" {
 locals {
 # master groups
   master_sec_groups = compact([
-    openstack_networking_secgroup_v2.k8s_master.name,
-    openstack_networking_secgroup_v2.k8s.name,
-    var.extra_sec_groups ?openstack_networking_secgroup_v2.k8s_master_extra[0].name : "",
+    openstack_networking_secgroup_v2.k8s_master.id,
+    openstack_networking_secgroup_v2.k8s.id,
+    var.extra_sec_groups ?openstack_networking_secgroup_v2.k8s_master_extra[0].id : "",
   ])
 # worker groups
   worker_sec_groups = compact([
-    openstack_networking_secgroup_v2.k8s.name,
-    openstack_networking_secgroup_v2.worker.name,
-    var.extra_sec_groups ? openstack_networking_secgroup_v2.worker_extra[0].name : "",
+    openstack_networking_secgroup_v2.k8s.id,
+    openstack_networking_secgroup_v2.worker.id,
+    var.extra_sec_groups ? openstack_networking_secgroup_v2.worker_extra[0].id : "",
   ])
+# bastion groups
+  bastion_sec_groups = compact(concat([
+    openstack_networking_secgroup_v2.k8s.id,
+    openstack_networking_secgroup_v2.bastion[0].id,
+  ]))
+# etcd groups
+  etcd_sec_groups = compact([openstack_networking_secgroup_v2.k8s.id])
+# glusterfs groups
+  gfs_sec_groups = compact([openstack_networking_secgroup_v2.k8s.id])
 
 # Image uuid
   image_to_use_node = var.image_uuid != "" ? var.image_uuid : data.openstack_images_image_v2.vm_image[0].id
@@ -169,12 +187,27 @@ locals {
   image_to_use_master = var.image_master_uuid != "" ? var.image_master_uuid : var.image_uuid != "" ? var.image_uuid : data.openstack_images_image_v2.image_master[0].id
 }
 
+resource "openstack_networking_port_v2" "bastion_port" {
+  count                 = var.number_of_bastions
+  name                  = "${var.cluster_name}-bastion-${count.index + 1}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
+  admin_state_up        = "true"
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
+  security_group_ids    = var.port_security_enabled ? local.bastion_sec_groups : null
+  no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
+}
+
 resource "openstack_compute_instance_v2" "bastion" {
   name       = "${var.cluster_name}-bastion-${count.index + 1}"
   count      = var.number_of_bastions
   image_id   = var.bastion_root_volume_size_in_gb == 0 ? local.image_to_use_node : null
   flavor_id  = var.flavor_bastion
   key_pair   = openstack_compute_keypair_v2.k8s.name
+  user_data  = data.template_file.cloudinit.rendered
 
   dynamic "block_device" {
     for_each = var.bastion_root_volume_size_in_gb > 0 ? [local.image_to_use_node] : []
@@ -189,25 +222,35 @@ resource "openstack_compute_instance_v2" "bastion" {
   }
 
   network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.bastion_port.*.id, count.index)
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s.name,
-    element(openstack_networking_secgroup_v2.bastion.*.name, count.index),
-  ]
-
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "bastion"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 
   provisioner "local-exec" {
-    command = "sed s/USER/${var.ssh_user}/ ${path.root}/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${var.bastion_fips[0]}/ > ${var.group_vars_path}/no_floating.yml"
+    command = "sed -e s/USER/${var.ssh_user}/ -e s/BASTION_ADDRESS/${var.bastion_fips[0]}/ ${path.module}/ansible_bastion_template.txt > ${var.group_vars_path}/no_floating.yml"
   }
 }
 
+resource "openstack_networking_port_v2" "k8s_master_port" {
+  count                 = var.number_of_k8s_masters
+  name                  = "${var.cluster_name}-k8s-master-${count.index + 1}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
+  admin_state_up        = "true"
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
+  security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
+  no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
+}
+
 resource "openstack_compute_instance_v2" "k8s_master" {
   name              = "${var.cluster_name}-k8s-master-${count.index + 1}"
   count             = var.number_of_k8s_masters
@@ -215,6 +258,7 @@ resource "openstack_compute_instance_v2" "k8s_master" {
   image_id          = var.master_root_volume_size_in_gb == 0 ? local.image_to_use_master : null
   flavor_id         = var.flavor_k8s_master
   key_pair          = openstack_compute_keypair_v2.k8s.name
+  user_data         = data.template_file.cloudinit.rendered
 
 
   dynamic "block_device" {
@@ -231,11 +275,9 @@ resource "openstack_compute_instance_v2" "k8s_master" {
   }
 
   network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.k8s_master_port.*.id, count.index)
   }
 
-  security_groups = local.master_sec_groups
-
   dynamic "scheduler_hints" {
     for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
     content {
@@ -246,15 +288,87 @@ resource "openstack_compute_instance_v2" "k8s_master" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "etcd,kube_control_plane,${var.supplementary_master_groups},k8s_cluster"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 
   provisioner "local-exec" {
-    command = "sed s/USER/${var.ssh_user}/ ${path.root}/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(concat(var.bastion_fips, var.k8s_master_fips), 0)}/ > ${var.group_vars_path}/no_floating.yml"
+    command = "sed -e s/USER/${var.ssh_user}/ -e s/BASTION_ADDRESS/${element(concat(var.bastion_fips, var.k8s_master_fips), 0)}/ ${path.module}/ansible_bastion_template.txt > ${var.group_vars_path}/no_floating.yml"
   }
 }
 
+resource "openstack_networking_port_v2" "k8s_masters_port" {
+  for_each              = var.number_of_k8s_masters == 0 && var.number_of_k8s_masters_no_etcd == 0 && var.number_of_k8s_masters_no_floating_ip == 0 && var.number_of_k8s_masters_no_floating_ip_no_etcd == 0 ? var.k8s_masters : {}
+  name                  = "${var.cluster_name}-k8s-${each.key}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
+  admin_state_up        = "true"
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
+  security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
+  no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
+}
+
+resource "openstack_compute_instance_v2" "k8s_masters" {
+  for_each          = var.number_of_k8s_masters == 0 && var.number_of_k8s_masters_no_etcd == 0 && var.number_of_k8s_masters_no_floating_ip == 0 && var.number_of_k8s_masters_no_floating_ip_no_etcd == 0 ? var.k8s_masters : {}
+  name              = "${var.cluster_name}-k8s-${each.key}"
+  availability_zone = each.value.az
+  image_id          = var.master_root_volume_size_in_gb == 0 ? local.image_to_use_master : null
+  flavor_id         = each.value.flavor
+  key_pair          = openstack_compute_keypair_v2.k8s.name
+
+  dynamic "block_device" {
+    for_each = var.master_root_volume_size_in_gb > 0 ? [local.image_to_use_master] : []
+    content {
+      uuid                  = local.image_to_use_master
+      source_type           = "image"
+      volume_size           = var.master_root_volume_size_in_gb
+      volume_type           = var.master_volume_type
+      boot_index            = 0
+      destination_type      = "volume"
+      delete_on_termination = true
+    }
+  }
+
+  network {
+    port = openstack_networking_port_v2.k8s_masters_port[each.key].id
+  }
+
+  dynamic "scheduler_hints" {
+    for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
+    content {
+      group = openstack_compute_servergroup_v2.k8s_master[0].id
+    }
+  }
+
+  metadata = {
+    ssh_user         = var.ssh_user
+    kubespray_groups = "%{if each.value.etcd == true}etcd,%{endif}kube_control_plane,${var.supplementary_master_groups},k8s_cluster%{if each.value.floating_ip == false},no_floating%{endif}"
+    depends_on       = var.network_router_id
+    use_access_ip    = var.use_access_ip
+  }
+
+  provisioner "local-exec" {
+    command = "%{if each.value.floating_ip}sed s/USER/${var.ssh_user}/ ${path.root}/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(concat(var.bastion_fips, [for key, value in var.k8s_masters_fips : value.address]), 0)}/ > ${var.group_vars_path}/no_floating.yml%{else}true%{endif}"
+  }
+}
+
+resource "openstack_networking_port_v2" "k8s_master_no_etcd_port" {
+  count                 = var.number_of_k8s_masters_no_etcd
+  name                  = "${var.cluster_name}-k8s-master-ne-${count.index + 1}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
+  admin_state_up        = "true"
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
+  security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
+  no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
+}
+
 resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
   name              = "${var.cluster_name}-k8s-master-ne-${count.index + 1}"
   count             = var.number_of_k8s_masters_no_etcd
@@ -262,6 +376,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
   image_id          = var.master_root_volume_size_in_gb == 0 ? local.image_to_use_master : null
   flavor_id         = var.flavor_k8s_master
   key_pair          = openstack_compute_keypair_v2.k8s.name
+  user_data         = data.template_file.cloudinit.rendered
 
 
   dynamic "block_device" {
@@ -278,11 +393,9 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
   }
 
   network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.k8s_master_no_etcd_port.*.id, count.index)
   }
 
-  security_groups = local.master_sec_groups
-
   dynamic "scheduler_hints" {
     for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
     content {
@@ -293,15 +406,29 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "kube_control_plane,${var.supplementary_master_groups},k8s_cluster"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 
   provisioner "local-exec" {
-    command = "sed s/USER/${var.ssh_user}/ ${path.root}/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(concat(var.bastion_fips, var.k8s_master_fips), 0)}/ > ${var.group_vars_path}/no_floating.yml"
+    command = "sed -e s/USER/${var.ssh_user}/ -e s/BASTION_ADDRESS/${element(concat(var.bastion_fips, var.k8s_master_fips), 0)}/ ${path.module}/ansible_bastion_template.txt > ${var.group_vars_path}/no_floating.yml"
   }
 }
 
+resource "openstack_networking_port_v2" "etcd_port" {
+  count                 = var.number_of_etcd
+  name                  = "${var.cluster_name}-etcd-${count.index + 1}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
+  admin_state_up        = "true"
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
+  security_group_ids    = var.port_security_enabled ? local.etcd_sec_groups : null
+  no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
+}
+
 resource "openstack_compute_instance_v2" "etcd" {
   name              = "${var.cluster_name}-etcd-${count.index + 1}"
   count             = var.number_of_etcd
@@ -309,6 +436,7 @@ resource "openstack_compute_instance_v2" "etcd" {
   image_id          = var.etcd_root_volume_size_in_gb == 0 ? local.image_to_use_master : null
   flavor_id         = var.flavor_etcd
   key_pair          = openstack_compute_keypair_v2.k8s.name
+  user_data         = data.template_file.cloudinit.rendered
 
   dynamic "block_device" {
     for_each = var.etcd_root_volume_size_in_gb > 0 ? [local.image_to_use_master] : []
@@ -323,13 +451,11 @@ resource "openstack_compute_instance_v2" "etcd" {
   }
 
   network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.etcd_port.*.id, count.index)
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s.name]
-
   dynamic "scheduler_hints" {
-    for_each = var.etcd_server_group_policy ? [openstack_compute_servergroup_v2.k8s_etcd[0]] : []
+    for_each = var.etcd_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_etcd[0]] : []
     content {
       group = openstack_compute_servergroup_v2.k8s_etcd[0].id
     }
@@ -338,11 +464,25 @@ resource "openstack_compute_instance_v2" "etcd" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "etcd,no_floating"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 }
 
+resource "openstack_networking_port_v2" "k8s_master_no_floating_ip_port" {
+  count                 = var.number_of_k8s_masters_no_floating_ip
+  name                  = "${var.cluster_name}-k8s-master-nf-${count.index + 1}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
+  admin_state_up        = "true"
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
+  security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
+  no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
+}
+
 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
   name              = "${var.cluster_name}-k8s-master-nf-${count.index + 1}"
   count             = var.number_of_k8s_masters_no_floating_ip
@@ -365,11 +505,9 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
   }
 
   network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.k8s_master_no_floating_ip_port.*.id, count.index)
   }
 
-  security_groups = local.master_sec_groups
-
   dynamic "scheduler_hints" {
     for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
     content {
@@ -380,11 +518,25 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "etcd,kube_control_plane,${var.supplementary_master_groups},k8s_cluster,no_floating"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 }
 
+resource "openstack_networking_port_v2" "k8s_master_no_floating_ip_no_etcd_port" {
+  count                 = var.number_of_k8s_masters_no_floating_ip_no_etcd
+  name                  = "${var.cluster_name}-k8s-master-ne-nf-${count.index + 1}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
+  admin_state_up        = "true"
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
+  security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
+  no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
+}
+
 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
   name              = "${var.cluster_name}-k8s-master-ne-nf-${count.index + 1}"
   count             = var.number_of_k8s_masters_no_floating_ip_no_etcd
@@ -392,6 +544,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
   image_id          = var.master_root_volume_size_in_gb == 0 ? local.image_to_use_master : null
   flavor_id         = var.flavor_k8s_master
   key_pair          = openstack_compute_keypair_v2.k8s.name
+  user_data         = data.template_file.cloudinit.rendered
 
   dynamic "block_device" {
     for_each = var.master_root_volume_size_in_gb > 0 ? [local.image_to_use_master] : []
@@ -407,11 +560,9 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
   }
 
   network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.k8s_master_no_floating_ip_no_etcd_port.*.id, count.index)
   }
 
-  security_groups = local.master_sec_groups
-
   dynamic "scheduler_hints" {
     for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
     content {
@@ -422,11 +573,25 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "kube_control_plane,${var.supplementary_master_groups},k8s_cluster,no_floating"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 }
 
+resource "openstack_networking_port_v2" "k8s_node_port" {
+  count                 = var.number_of_k8s_nodes
+  name                  = "${var.cluster_name}-k8s-node-${count.index + 1}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
+  admin_state_up        = "true"
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
+  security_group_ids    = var.port_security_enabled ? local.worker_sec_groups : null
+  no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
+}
+
 resource "openstack_compute_instance_v2" "k8s_node" {
   name              = "${var.cluster_name}-k8s-node-${count.index + 1}"
   count             = var.number_of_k8s_nodes
@@ -434,6 +599,7 @@ resource "openstack_compute_instance_v2" "k8s_node" {
   image_id          = var.node_root_volume_size_in_gb == 0 ? local.image_to_use_node : null
   flavor_id         = var.flavor_k8s_node
   key_pair          = openstack_compute_keypair_v2.k8s.name
+  user_data         = data.template_file.cloudinit.rendered
 
   dynamic "block_device" {
     for_each = var.node_root_volume_size_in_gb > 0 ? [local.image_to_use_node] : []
@@ -449,10 +615,9 @@ resource "openstack_compute_instance_v2" "k8s_node" {
   }
 
   network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.k8s_node_port.*.id, count.index)
   }
 
-  security_groups = local.worker_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -464,15 +629,29 @@ resource "openstack_compute_instance_v2" "k8s_node" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "kube_node,k8s_cluster,${var.supplementary_node_groups}"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 
   provisioner "local-exec" {
-    command = "sed s/USER/${var.ssh_user}/ ${path.root}/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(concat(var.bastion_fips, var.k8s_node_fips), 0)}/ > ${var.group_vars_path}/no_floating.yml"
+    command = "sed -e s/USER/${var.ssh_user}/ -e s/BASTION_ADDRESS/${element(concat(var.bastion_fips, var.k8s_node_fips), 0)}/ ${path.module}/ansible_bastion_template.txt > ${var.group_vars_path}/no_floating.yml"
   }
 }
 
+resource "openstack_networking_port_v2" "k8s_node_no_floating_ip_port" {
+  count                 = var.number_of_k8s_nodes_no_floating_ip
+  name                  = "${var.cluster_name}-k8s-node-nf-${count.index + 1}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
+  admin_state_up        = "true"
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
+  security_group_ids    = var.port_security_enabled ? local.worker_sec_groups : null
+  no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
+}
+
 resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
   name              = "${var.cluster_name}-k8s-node-nf-${count.index + 1}"
   count             = var.number_of_k8s_nodes_no_floating_ip
@@ -480,6 +659,7 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
   image_id          = var.node_root_volume_size_in_gb == 0 ? local.image_to_use_node : null
   flavor_id         = var.flavor_k8s_node
   key_pair          = openstack_compute_keypair_v2.k8s.name
+  user_data         = data.template_file.cloudinit.rendered
 
   dynamic "block_device" {
     for_each = var.node_root_volume_size_in_gb > 0 ? [local.image_to_use_node] : []
@@ -495,11 +675,9 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
   }
 
   network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.k8s_node_no_floating_ip_port.*.id, count.index)
   }
 
-  security_groups = local.worker_sec_groups
-
   dynamic "scheduler_hints" {
     for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
     content {
@@ -510,11 +688,25 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "kube_node,k8s_cluster,no_floating,${var.supplementary_node_groups}"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 }
 
+resource "openstack_networking_port_v2" "k8s_nodes_port" {
+  for_each              = var.number_of_k8s_nodes == 0 && var.number_of_k8s_nodes_no_floating_ip == 0 ? var.k8s_nodes : {}
+  name                  = "${var.cluster_name}-k8s-node-${each.key}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
+  admin_state_up        = "true"
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
+  security_group_ids    = var.port_security_enabled ? local.worker_sec_groups : null
+  no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
+}
+
 resource "openstack_compute_instance_v2" "k8s_nodes" {
   for_each          = var.number_of_k8s_nodes == 0 && var.number_of_k8s_nodes_no_floating_ip == 0 ? var.k8s_nodes : {}
   name              = "${var.cluster_name}-k8s-node-${each.key}"
@@ -522,6 +714,7 @@ resource "openstack_compute_instance_v2" "k8s_nodes" {
   image_id          = var.node_root_volume_size_in_gb == 0 ? local.image_to_use_node : null
   flavor_id         = each.value.flavor
   key_pair          = openstack_compute_keypair_v2.k8s.name
+  user_data         = data.template_file.cloudinit.rendered
 
   dynamic "block_device" {
     for_each = var.node_root_volume_size_in_gb > 0 ? [local.image_to_use_node] : []
@@ -537,11 +730,9 @@ resource "openstack_compute_instance_v2" "k8s_nodes" {
   }
 
   network {
-    name = var.network_name
+    port = openstack_networking_port_v2.k8s_nodes_port[each.key].id
   }
 
-  security_groups = local.worker_sec_groups
-
   dynamic "scheduler_hints" {
     for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
     content {
@@ -552,15 +743,29 @@ resource "openstack_compute_instance_v2" "k8s_nodes" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "kube_node,k8s_cluster,%{if each.value.floating_ip == false}no_floating,%{endif}${var.supplementary_node_groups}"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 
   provisioner "local-exec" {
-    command = "%{if each.value.floating_ip}sed s/USER/${var.ssh_user}/ ${path.root}/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(concat(var.bastion_fips, [for key, value in var.k8s_nodes_fips : value.address]), 0)}/ > ${var.group_vars_path}/no_floating.yml%{else}true%{endif}"
+    command = "%{if each.value.floating_ip}sed -e s/USER/${var.ssh_user}/ -e s/BASTION_ADDRESS/${element(concat(var.bastion_fips, [for key, value in var.k8s_nodes_fips : value.address]), 0)}/ ${path.module}/ansible_bastion_template.txt > ${var.group_vars_path}/no_floating.yml%{else}true%{endif}"
   }
 }
 
+resource "openstack_networking_port_v2" "glusterfs_node_no_floating_ip_port" {
+  count                 = var.number_of_gfs_nodes_no_floating_ip
+  name                  = "${var.cluster_name}-gfs-node-nf-${count.index + 1}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
+  admin_state_up        = "true"
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
+  security_group_ids    = var.port_security_enabled ? local.gfs_sec_groups : null
+  no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
+}
+
 resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
   name              = "${var.cluster_name}-gfs-node-nf-${count.index + 1}"
   count             = var.number_of_gfs_nodes_no_floating_ip
@@ -582,11 +787,9 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
   }
 
   network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.glusterfs_node_no_floating_ip_port.*.id, count.index)
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s.name]
-
   dynamic "scheduler_hints" {
     for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
     content {
@@ -597,44 +800,46 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
   metadata = {
     ssh_user         = var.ssh_user_gfs
     kubespray_groups = "gfs-cluster,network-storage,no_floating"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 }
 
-resource "openstack_compute_floatingip_associate_v2" "bastion" {
+resource "openstack_networking_floatingip_associate_v2" "bastion" {
   count                 = var.number_of_bastions
   floating_ip           = var.bastion_fips[count.index]
-  instance_id           = element(openstack_compute_instance_v2.bastion.*.id, count.index)
-  wait_until_associated = var.wait_for_floatingip
+  port_id               = element(openstack_networking_port_v2.bastion_port.*.id, count.index)
 }
 
 
-resource "openstack_compute_floatingip_associate_v2" "k8s_master" {
+resource "openstack_networking_floatingip_associate_v2" "k8s_master" {
   count                 = var.number_of_k8s_masters
-  instance_id           = element(openstack_compute_instance_v2.k8s_master.*.id, count.index)
   floating_ip           = var.k8s_master_fips[count.index]
-  wait_until_associated = var.wait_for_floatingip
+  port_id               = element(openstack_networking_port_v2.k8s_master_port.*.id, count.index)
 }
 
-resource "openstack_compute_floatingip_associate_v2" "k8s_master_no_etcd" {
-  count       = var.master_root_volume_size_in_gb == 0 ? var.number_of_k8s_masters_no_etcd : 0
-  instance_id = element(openstack_compute_instance_v2.k8s_master_no_etcd.*.id, count.index)
-  floating_ip = var.k8s_master_no_etcd_fips[count.index]
+resource "openstack_networking_floatingip_associate_v2" "k8s_masters" {
+  for_each              = var.number_of_k8s_masters == 0 && var.number_of_k8s_masters_no_etcd == 0 && var.number_of_k8s_masters_no_floating_ip == 0 && var.number_of_k8s_masters_no_floating_ip_no_etcd == 0 ? { for key, value in var.k8s_masters : key => value if value.floating_ip } : {}
+  floating_ip           = var.k8s_masters_fips[each.key].address
+  port_id               = openstack_networking_port_v2.k8s_masters_port[each.key].id
 }
 
-resource "openstack_compute_floatingip_associate_v2" "k8s_node" {
+resource "openstack_networking_floatingip_associate_v2" "k8s_master_no_etcd" {
+  count                 = var.master_root_volume_size_in_gb == 0 ? var.number_of_k8s_masters_no_etcd : 0
+  floating_ip           = var.k8s_master_no_etcd_fips[count.index]
+  port_id               = element(openstack_networking_port_v2.k8s_master_no_etcd_port.*.id, count.index)
+}
+
+resource "openstack_networking_floatingip_associate_v2" "k8s_node" {
   count                 = var.node_root_volume_size_in_gb == 0 ? var.number_of_k8s_nodes : 0
   floating_ip           = var.k8s_node_fips[count.index]
-  instance_id           = element(openstack_compute_instance_v2.k8s_node[*].id, count.index)
-  wait_until_associated = var.wait_for_floatingip
+  port_id               = element(openstack_networking_port_v2.k8s_node_port.*.id, count.index)
 }
 
-resource "openstack_compute_floatingip_associate_v2" "k8s_nodes" {
+resource "openstack_networking_floatingip_associate_v2" "k8s_nodes" {
   for_each              = var.number_of_k8s_nodes == 0 && var.number_of_k8s_nodes_no_floating_ip == 0 ? { for key, value in var.k8s_nodes : key => value if value.floating_ip } : {}
   floating_ip           = var.k8s_nodes_fips[each.key].address
-  instance_id           = openstack_compute_instance_v2.k8s_nodes[each.key].id
-  wait_until_associated = var.wait_for_floatingip
+  port_id               = openstack_networking_port_v2.k8s_nodes_port[each.key].id
 }
 
 resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {

contrib/terraform/openstack/modules/compute/templates/cloudinit.yaml

@@ -0,0 +1,17 @@
+# yamllint disable rule:comments
+#cloud-config
+## in some cases novnc console access is required
+## it requires ssh password to be set
+#ssh_pwauth: yes
+#chpasswd:
+#  list: |
+#    root:secret
+#  expire: False
+
+## in some cases direct root ssh access via ssh key is required
+#disable_root: false
+
+## in some cases additional CA certs are required
+#ca-certs:
+#  trusted: |
+#      -----BEGIN CERTIFICATE-----

contrib/terraform/openstack/modules/compute/variables.tf

@@ -68,6 +68,14 @@ variable "network_id" {
   default = ""
 }
 
+variable "use_existing_network" {
+  type = bool
+}
+
+variable "network_router_id" {
+  default = ""
+}
+
 variable "k8s_master_fips" {
   type = list
 }
@@ -80,6 +88,10 @@ variable "k8s_node_fips" {
   type = list
 }
 
+variable "k8s_masters_fips" {
+  type = map
+}
+
 variable "k8s_nodes_fips" {
   type = map
 }
@@ -104,9 +116,9 @@ variable "k8s_allowed_egress_ips" {
   type = list
 }
 
-variable "k8s_nodes" {}
+variable "k8s_masters" {}
 
-variable "wait_for_floatingip" {}
+variable "k8s_nodes" {}
 
 variable "supplementary_master_groups" {
   default = ""
@@ -165,3 +177,11 @@ variable "image_master_uuid" {
 variable "group_vars_path" {
   type = string
 }
+
+variable "port_security_enabled" {
+  type = bool
+}
+
+variable "force_null_port_security" {
+  type = bool
+}

contrib/terraform/openstack/modules/ips/main.tf

@@ -14,6 +14,12 @@ resource "openstack_networking_floatingip_v2" "k8s_master" {
   depends_on = [null_resource.dummy_dependency]
 }
 
+resource "openstack_networking_floatingip_v2" "k8s_masters" {
+  for_each   = var.number_of_k8s_masters == 0 && var.number_of_k8s_masters_no_etcd == 0 ? { for key, value in var.k8s_masters : key => value if value.floating_ip } : {}
+  pool       = var.floatingip_pool
+  depends_on = [null_resource.dummy_dependency]
+}
+
 # If user specifies pre-existing IPs to use in k8s_master_fips, do not create new ones.
 resource "openstack_networking_floatingip_v2" "k8s_master_no_etcd" {
   count      = length(var.k8s_master_fips) > 0 ? 0 : var.number_of_k8s_masters_no_etcd

contrib/terraform/openstack/modules/ips/outputs.tf

@@ -3,6 +3,10 @@ output "k8s_master_fips" {
   value = length(var.k8s_master_fips) > 0 ? var.k8s_master_fips : openstack_networking_floatingip_v2.k8s_master[*].address
 }
 
+output "k8s_masters_fips" {
+  value = openstack_networking_floatingip_v2.k8s_masters
+}
+
 # If k8s_master_fips is already defined as input, keep the same value since new FIPs have not been created.
 output "k8s_master_no_etcd_fips" {
   value = length(var.k8s_master_fips) > 0 ? var.k8s_master_fips : openstack_networking_floatingip_v2.k8s_master_no_etcd[*].address

contrib/terraform/openstack/modules/ips/variables.tf

@@ -16,6 +16,8 @@ variable "router_id" {
   default = ""
 }
 
+variable "k8s_masters" {}
+
 variable "k8s_nodes" {}
 
 variable "k8s_master_fips" {}

contrib/terraform/openstack/modules/network/main.tf

@@ -11,10 +11,11 @@ data "openstack_networking_router_v2" "k8s" {
 }
 
 resource "openstack_networking_network_v2" "k8s" {
-  name           = var.network_name
-  count          = var.use_neutron
-  dns_domain     = var.network_dns_domain != null ? var.network_dns_domain : null
-  admin_state_up = "true"
+  name                  = var.network_name
+  count                 = var.use_neutron
+  dns_domain            = var.network_dns_domain != null ? var.network_dns_domain : null
+  admin_state_up        = "true"
+  port_security_enabled = var.port_security_enabled
 }
 
 resource "openstack_networking_subnet_v2" "k8s" {

contrib/terraform/openstack/modules/network/outputs.tf

@@ -2,6 +2,10 @@ output "router_id" {
   value = "%{if var.use_neutron == 1} ${var.router_id == null ? element(concat(openstack_networking_router_v2.k8s.*.id, [""]), 0) : var.router_id} %{else} %{endif}"
 }
 
+output "network_id" {
+  value = element(concat(openstack_networking_network_v2.k8s.*.id, [""]),0)
+}
+
 output "router_internal_port_id" {
   value = element(concat(openstack_networking_router_interface_v2.k8s.*.id, [""]), 0)
 }

contrib/terraform/openstack/modules/network/variables.tf

@@ -10,6 +10,10 @@ variable "dns_nameservers" {
   type = list
 }
 
+variable "port_security_enabled" {
+  type = bool
+}
+
 variable "subnet_cidr" {}
 
 variable "use_neutron" {}

contrib/terraform/openstack/sample-inventory/cluster.tfvars

@@ -32,6 +32,28 @@ number_of_k8s_masters_no_floating_ip_no_etcd = 0
 
 flavor_k8s_master = "<UUID>"
 
+k8s_masters = {
+  # "master-1" = {
+  #   "az"          = "nova"
+  #   "flavor"      = "<UUID>"
+  #   "floating_ip" = true
+  #   "etcd" = true
+  # },
+  # "master-2" = {
+  #   "az"          = "nova"
+  #   "flavor"      = "<UUID>"
+  #   "floating_ip" = false
+  #   "etcd" = true
+  # },
+  # "master-3" = {
+  #   "az"          = "nova"
+  #   "flavor"      = "<UUID>"
+  #   "floating_ip" = true
+  #   "etcd" = true
+  # },
+}
+
+
 # nodes
 number_of_k8s_nodes = 2
 
@@ -52,6 +74,9 @@ number_of_k8s_nodes_no_floating_ip = 4
 # networking
 network_name = "<network>"
 
+# Use a existing network with the name of network_name. Set to false to create a network with name of network_name.
+# use_existing_network = true
+
 external_net = "<UUID>"
 
 subnet_cidr = "<cidr>"
@@ -59,3 +84,6 @@ subnet_cidr = "<cidr>"
 floatingip_pool = "<pool>"
 
 bastion_allowed_remote_ips = ["0.0.0.0/0"]
+
+# Force port security to be null. Some cloud providers do not allow to set port security.
+# force_null_port_security = false

contrib/terraform/openstack/variables.tf

@@ -137,6 +137,12 @@ variable "network_name" {
   default     = "internal"
 }
 
+variable "use_existing_network" {
+  description = "Use an existing network"
+  type        = bool
+  default     = "false"
+}
+
 variable "network_dns_domain" {
   description = "dns_domain for the internal network"
   type        = string
@@ -148,6 +154,18 @@ variable "use_neutron" {
   default     = 1
 }
 
+variable "port_security_enabled" {
+  description = "Enable port security on the internal network"
+  type        = bool
+  default     = "true"
+}
+
+variable "force_null_port_security" {
+  description = "Force port security to be null. Some providers does not allow setting port security"
+  type        = bool
+  default     = "false"
+}
+
 variable "subnet_cidr" {
   description = "Subnet CIDR block."
   type        = string
@@ -268,6 +286,10 @@ variable "router_internal_port_id" {
   default     = null
 }
 
+variable "k8s_masters" {
+  default = {}
+}
+
 variable "k8s_nodes" {
   default = {}
 }

contrib/terraform/packet/output.tf

@@ -1,16 +0,0 @@
-output "k8s_masters" {
-  value = packet_device.k8s_master.*.access_public_ipv4
-}
-
-output "k8s_masters_no_etc" {
-  value = packet_device.k8s_master_no_etcd.*.access_public_ipv4
-}
-
-output "k8s_etcds" {
-  value = packet_device.k8s_etcd.*.access_public_ipv4
-}
-
-output "k8s_nodes" {
-  value = packet_device.k8s_node.*.access_public_ipv4
-}
-

contrib/terraform/terraform.py

@@ -114,10 +114,10 @@ def iterhosts(resources):
 
 
 def iterips(resources):
-    '''yield ip tuples of (instance_id, ip)'''
+    '''yield ip tuples of (port_id, ip)'''
     for module_name, key, resource in resources:
         resource_type, name = key.split('.', 1)
-        if resource_type == 'openstack_compute_floatingip_associate_v2':
+        if resource_type == 'openstack_networking_floatingip_associate_v2':
             yield openstack_floating_ips(resource)
 
 
@@ -195,8 +195,8 @@ def parse_bool(string_form):
         raise ValueError('could not convert %r to a bool' % string_form)
 
 
-@parses('packet_device')
-def packet_device(resource, tfvars=None):
+@parses('metal_device')
+def metal_device(resource, tfvars=None):
     raw_attrs = resource['primary']['attributes']
     name = raw_attrs['hostname']
     groups = []
@@ -212,15 +212,15 @@ def packet_device(resource, tfvars=None):
         'project_id': raw_attrs['project_id'],
         'state': raw_attrs['state'],
         # ansible
-        'ansible_ssh_host': raw_attrs['network.0.address'],
-        'ansible_ssh_user': 'root',  # Use root by default in packet
+        'ansible_host': raw_attrs['network.0.address'],
+        'ansible_ssh_user': 'root',  # Use root by default in metal
         # generic
         'ipv4_address': raw_attrs['network.0.address'],
         'public_ipv4': raw_attrs['network.0.address'],
         'ipv6_address': raw_attrs['network.1.address'],
         'public_ipv6': raw_attrs['network.1.address'],
         'private_ipv4': raw_attrs['network.2.address'],
-        'provider': 'packet',
+        'provider': 'metal',
     }
 
     if raw_attrs['operating_system'] == 'flatcar_stable':
@@ -228,10 +228,10 @@ def packet_device(resource, tfvars=None):
         attrs.update({'ansible_ssh_user': 'core'})
 
     # add groups based on attrs
-    groups.append('packet_operating_system=' + attrs['operating_system'])
-    groups.append('packet_locked=%s' % attrs['locked'])
-    groups.append('packet_state=' + attrs['state'])
-    groups.append('packet_plan=' + attrs['plan'])
+    groups.append('metal_operating_system=' + attrs['operating_system'])
+    groups.append('metal_locked=%s' % attrs['locked'])
+    groups.append('metal_state=' + attrs['state'])
+    groups.append('metal_plan=' + attrs['plan'])
 
     # groups specific to kubespray
     groups = groups + attrs['tags']
@@ -243,13 +243,13 @@ def openstack_floating_ips(resource):
     raw_attrs = resource['primary']['attributes']
     attrs = {
         'ip': raw_attrs['floating_ip'],
-        'instance_id': raw_attrs['instance_id'],
+        'port_id': raw_attrs['port_id'],
     }
     return attrs
 
 def openstack_floating_ips(resource):
     raw_attrs = resource['primary']['attributes']
-    return raw_attrs['instance_id'], raw_attrs['floating_ip']
+    return raw_attrs['port_id'], raw_attrs['floating_ip']
 
 @parses('openstack_compute_instance_v2')
 @calculate_mantl_vars
@@ -282,6 +282,7 @@ def openstack_host(resource, module_name):
         # generic
         'public_ipv4': raw_attrs['access_ip_v4'],
         'private_ipv4': raw_attrs['access_ip_v4'],
+        'port_id' : raw_attrs['network.0.port'],
         'provider': 'openstack',
     }
 
@@ -291,16 +292,16 @@ def openstack_host(resource, module_name):
     try:
         if 'metadata.prefer_ipv6' in raw_attrs and raw_attrs['metadata.prefer_ipv6'] == "1":
             attrs.update({
-                'ansible_ssh_host': re.sub("[\[\]]", "", raw_attrs['access_ip_v6']),
+                'ansible_host': re.sub("[\[\]]", "", raw_attrs['access_ip_v6']),
                 'publicly_routable': True,
             })
         else:
             attrs.update({
-                'ansible_ssh_host': raw_attrs['access_ip_v4'],
+                'ansible_host': raw_attrs['access_ip_v4'],
                 'publicly_routable': True,
             })
     except (KeyError, ValueError):
-        attrs.update({'ansible_ssh_host': '', 'publicly_routable': False})
+        attrs.update({'ansible_host': '', 'publicly_routable': False})
 
     # Handling of floating IPs has changed: https://github.com/terraform-providers/terraform-provider-openstack/blob/master/CHANGELOG.md#010-june-21-2017
 
@@ -339,16 +340,16 @@ def openstack_host(resource, module_name):
 def iter_host_ips(hosts, ips):
     '''Update hosts that have an entry in the floating IP list'''
     for host in hosts:
-        host_id = host[1]['id']
+        port_id = host[1]['port_id']
 
-        if host_id in ips:
-            ip = ips[host_id]
+        if port_id in ips:
+            ip = ips[port_id]
 
             host[1].update({
                 'access_ip_v4': ip,
                 'access_ip': ip,
                 'public_ipv4': ip,
-                'ansible_ssh_host': ip,
+                'ansible_host': ip,
             })
 
         if 'use_access_ip' in host[1]['metadata'] and host[1]['metadata']['use_access_ip'] == "0":
@@ -388,7 +389,7 @@ def query_list(hosts):
 def query_hostfile(hosts):
     out = ['## begin hosts generated by terraform.py ##']
     out.extend(
-        '{}\t{}'.format(attrs['ansible_ssh_host'].ljust(16), name)
+        '{}\t{}'.format(attrs['ansible_host'].ljust(16), name)
         for name, attrs, _ in hosts
     )
 

contrib/terraform/upcloud/README.md

@@ -104,9 +104,36 @@ terraform destroy --var-file cluster-settings.tfvars \
 * `zone`: The zone where to run the cluster
 * `machines`: Machines to provision. Key of this object will be used as the name of the machine
   * `node_type`: The role of this node *(master|worker)*
+  * `plan`: Preconfigured cpu/mem plan to use (disables `cpu` and `mem` attributes below)
   * `cpu`: number of cpu cores
   * `mem`: memory size in MB
   * `disk_size`: The size of the storage in GB
   * `additional_disks`: Additional disks to attach to the node.
     * `size`: The size of the additional disk in GB
     * `tier`: The tier of disk to use (`maxiops` is the only one you can choose atm)
+* `firewall_enabled`: Enable firewall rules
+* `firewall_default_deny_in`: Set the firewall to deny inbound traffic by default. Automatically adds UpCloud DNS server and NTP port allowlisting.
+* `firewall_default_deny_out`: Set the firewall to deny outbound traffic by default.
+* `master_allowed_remote_ips`: List of IP ranges that should be allowed to access API of masters
+  * `start_address`: Start of address range to allow
+  * `end_address`: End of address range to allow
+* `k8s_allowed_remote_ips`: List of IP ranges that should be allowed SSH access to all nodes
+  * `start_address`: Start of address range to allow
+  * `end_address`: End of address range to allow
+* `master_allowed_ports`: List of port ranges that should be allowed to access the masters
+  * `protocol`: Protocol *(tcp|udp|icmp)*
+  * `port_range_min`: Start of port range to allow
+  * `port_range_max`: End of port range to allow
+  * `start_address`: Start of address range to allow
+  * `end_address`: End of address range to allow
+* `worker_allowed_ports`: List of port ranges that should be allowed to access the workers
+  * `protocol`: Protocol *(tcp|udp|icmp)*
+  * `port_range_min`: Start of port range to allow
+  * `port_range_max`: End of port range to allow
+  * `start_address`: Start of address range to allow
+  * `end_address`: End of address range to allow
+* `loadbalancer_enabled`: Enable managed load balancer
+* `loadbalancer_plan`: Plan to use for load balancer *(development|production-small)*
+* `loadbalancers`: Ports to load balance and which machines to forward to. Key of this object will be used as the name of the load balancer frontends/backends
+  * `port`: Port to load balance.
+  * `backend_servers`: List of servers that traffic to the port should be forwarded to.

contrib/terraform/upcloud/cluster-settings.tfvars

@@ -20,6 +20,8 @@ ssh_public_keys = [
 machines = {
   "master-0" : {
     "node_type" : "master",
+    # plan to use instead of custom cpu/mem
+    "plan" : null,
     #number of cpu cores
     "cpu" : "2",
     #memory size in MB
@@ -30,6 +32,8 @@ machines = {
   },
   "worker-0" : {
     "node_type" : "worker",
+    # plan to use instead of custom cpu/mem
+    "plan" : null,
     #number of cpu cores
     "cpu" : "2",
     #memory size in MB
@@ -49,6 +53,8 @@ machines = {
   },
   "worker-1" : {
     "node_type" : "worker",
+    # plan to use instead of custom cpu/mem
+    "plan" : null,
     #number of cpu cores
     "cpu" : "2",
     #memory size in MB
@@ -68,6 +74,8 @@ machines = {
   },
   "worker-2" : {
     "node_type" : "worker",
+    # plan to use instead of custom cpu/mem
+    "plan" : null,
     #number of cpu cores
     "cpu" : "2",
     #memory size in MB
@@ -86,3 +94,37 @@ machines = {
     }
   }
 }
+
+firewall_enabled          = false
+firewall_default_deny_in  = false
+firewall_default_deny_out = false
+
+master_allowed_remote_ips = [
+  {
+    "start_address" : "0.0.0.0"
+    "end_address" : "255.255.255.255"
+  }
+]
+
+k8s_allowed_remote_ips = [
+  {
+    "start_address" : "0.0.0.0"
+    "end_address" : "255.255.255.255"
+  }
+]
+
+master_allowed_ports = []
+worker_allowed_ports = []
+
+loadbalancer_enabled = false
+loadbalancer_plan    = "development"
+loadbalancers = {
+  # "http" : {
+  #   "port" : 80,
+  #   "backend_servers" : [
+  #     "worker-0",
+  #     "worker-1",
+  #     "worker-2"
+  #   ]
+  # }
+}

contrib/terraform/upcloud/main.tf

@@ -22,6 +22,18 @@ module "kubernetes" {
   machines = var.machines
 
   ssh_public_keys = var.ssh_public_keys
+
+  firewall_enabled          = var.firewall_enabled
+  firewall_default_deny_in  = var.firewall_default_deny_in
+  firewall_default_deny_out = var.firewall_default_deny_out
+  master_allowed_remote_ips = var.master_allowed_remote_ips
+  k8s_allowed_remote_ips    = var.k8s_allowed_remote_ips
+  master_allowed_ports      = var.master_allowed_ports
+  worker_allowed_ports      = var.worker_allowed_ports
+
+  loadbalancer_enabled = var.loadbalancer_enabled
+  loadbalancer_plan    = var.loadbalancer_plan
+  loadbalancers        = var.loadbalancers
 }
 
 #

contrib/terraform/upcloud/modules/kubernetes-cluster/main.tf

@@ -10,6 +10,16 @@ locals {
     ]
   ])
 
+  lb_backend_servers = flatten([
+    for lb_name, loadbalancer in var.loadbalancers : [
+      for backend_server in loadbalancer.backend_servers : {
+        port = loadbalancer.port
+        lb_name = lb_name
+        server_name = backend_server
+      }
+    ]
+  ])
+
   # If prefix is set, all resources will be prefixed with "${var.prefix}-"
   # Else don't prefix with anything
   resource-prefix = "%{ if var.prefix != ""}${var.prefix}-%{ endif }"
@@ -45,8 +55,9 @@ resource "upcloud_server" "master" {
   }
 
   hostname = "${local.resource-prefix}${each.key}"
-  cpu      = each.value.cpu
-  mem      = each.value.mem
+  plan     = each.value.plan
+  cpu      = each.value.plan == null ? each.value.cpu : null
+  mem      = each.value.plan == null ? each.value.mem : null
   zone     = var.zone
 
   template {
@@ -65,6 +76,13 @@ resource "upcloud_server" "master" {
     network = upcloud_network.private.id
   }
 
+  # Ignore volumes created by csi-driver
+  lifecycle {
+    ignore_changes = [storage_devices]
+  }
+  
+  firewall  = var.firewall_enabled
+
   dynamic "storage_devices" {
     for_each = {
       for disk_key_name, disk in upcloud_storage.additional_disks :
@@ -94,8 +112,9 @@ resource "upcloud_server" "worker" {
   }
 
   hostname = "${local.resource-prefix}${each.key}"
-  cpu      = each.value.cpu
-  mem      = each.value.mem
+  plan     = each.value.plan
+  cpu      = each.value.plan == null ? each.value.cpu : null
+  mem      = each.value.plan == null ? each.value.mem : null
   zone     = var.zone
 
   template {
@@ -114,6 +133,13 @@ resource "upcloud_server" "worker" {
     network = upcloud_network.private.id
   }
 
+  # Ignore volumes created by csi-driver
+  lifecycle {
+    ignore_changes = [storage_devices]
+  }
+
+  firewall  = var.firewall_enabled
+
   dynamic "storage_devices" {
     for_each = {
       for disk_key_name, disk in upcloud_storage.additional_disks :
@@ -134,3 +160,363 @@ resource "upcloud_server" "worker" {
     create_password = false
   }
 }
+
+resource "upcloud_firewall_rules" "master" {
+  for_each = upcloud_server.master
+  server_id = each.value.id
+
+  dynamic firewall_rule {
+    for_each = var.master_allowed_remote_ips
+
+    content {
+      action                 = "accept"
+      comment                = "Allow master API access from this network"
+      destination_port_end   = "6443"
+      destination_port_start = "6443"
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = "tcp"
+      source_address_end     = firewall_rule.value.end_address
+      source_address_start   = firewall_rule.value.start_address
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = length(var.master_allowed_remote_ips) > 0 ? [1] : []
+
+    content {
+      action                 = "drop"
+      comment                = "Deny master API access from other networks"
+      destination_port_end   = "6443"
+      destination_port_start = "6443"
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = "tcp"
+      source_address_end     = "255.255.255.255"
+      source_address_start   = "0.0.0.0"
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.k8s_allowed_remote_ips
+
+    content {
+      action                 = "accept"
+      comment                = "Allow SSH from this network"
+      destination_port_end   = "22"
+      destination_port_start = "22"
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = "tcp"
+      source_address_end     = firewall_rule.value.end_address
+      source_address_start   = firewall_rule.value.start_address
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = length(var.k8s_allowed_remote_ips) > 0 ? [1] : []
+
+    content {
+      action                 = "drop"
+      comment                = "Deny SSH from other networks"
+      destination_port_end   = "22"
+      destination_port_start = "22"
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = "tcp"
+      source_address_end     = "255.255.255.255"
+      source_address_start   = "0.0.0.0"
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.master_allowed_ports
+
+    content {
+      action                 = "accept"
+      comment                = "Allow access on this port"
+      destination_port_end   = firewall_rule.value.port_range_max
+      destination_port_start = firewall_rule.value.port_range_min
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = firewall_rule.value.protocol
+      source_address_end     = firewall_rule.value.end_address
+      source_address_start   = firewall_rule.value.start_address
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "UpCloud DNS"
+      destination_port_end   = "53"
+      destination_port_start = "53"
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = firewall_rule.value
+      source_address_end     = "94.237.40.9"
+      source_address_start   = "94.237.40.9"
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "UpCloud DNS"
+      destination_port_end   = "53"
+      destination_port_start = "53"
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = firewall_rule.value
+      source_address_end     = "94.237.127.9"
+      source_address_start   = "94.237.127.9"
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "UpCloud DNS"
+      destination_port_end   = "53"
+      destination_port_start = "53"
+      direction              = "in"
+      family                 = "IPv6"
+      protocol               = firewall_rule.value
+      source_address_end     = "2a04:3540:53::1"
+      source_address_start   = "2a04:3540:53::1"
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "UpCloud DNS"
+      destination_port_end   = "53"
+      destination_port_start = "53"
+      direction              = "in"
+      family                 = "IPv6"
+      protocol               = firewall_rule.value
+      source_address_end     = "2a04:3544:53::1"
+      source_address_start   = "2a04:3544:53::1"
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "NTP Port"
+      destination_port_end   = "123"
+      destination_port_start = "123"
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = firewall_rule.value
+      source_address_end     = "255.255.255.255"
+      source_address_start   = "0.0.0.0"
+    }
+  }
+
+  firewall_rule {
+    action    = var.firewall_default_deny_in ? "drop" : "accept"
+    direction = "in"
+  }
+
+  firewall_rule {
+    action    = var.firewall_default_deny_out ? "drop" : "accept"
+    direction = "out"
+  }
+}
+
+resource "upcloud_firewall_rules" "k8s" {
+  for_each = upcloud_server.worker
+  server_id = each.value.id
+
+  dynamic firewall_rule {
+    for_each = var.k8s_allowed_remote_ips
+
+    content {
+      action                 = "accept"
+      comment                = "Allow SSH from this network"
+      destination_port_end   = "22"
+      destination_port_start = "22"
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = "tcp"
+      source_address_end     = firewall_rule.value.end_address
+      source_address_start   = firewall_rule.value.start_address
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = length(var.k8s_allowed_remote_ips) > 0 ? [1] : []
+
+    content {
+      action                 = "drop"
+      comment                = "Deny SSH from other networks"
+      destination_port_end   = "22"
+      destination_port_start = "22"
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = "tcp"
+      source_address_end     = "255.255.255.255"
+      source_address_start   = "0.0.0.0"
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.worker_allowed_ports
+
+    content {
+      action                 = "accept"
+      comment                = "Allow access on this port"
+      destination_port_end   = firewall_rule.value.port_range_max
+      destination_port_start = firewall_rule.value.port_range_min
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = firewall_rule.value.protocol
+      source_address_end     = firewall_rule.value.end_address
+      source_address_start   = firewall_rule.value.start_address
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "UpCloud DNS"
+      destination_port_end   = "53"
+      destination_port_start = "53"
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = firewall_rule.value
+      source_address_end     = "94.237.40.9"
+      source_address_start   = "94.237.40.9"
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "UpCloud DNS"
+      destination_port_end   = "53"
+      destination_port_start = "53"
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = firewall_rule.value
+      source_address_end     = "94.237.127.9"
+      source_address_start   = "94.237.127.9"
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "UpCloud DNS"
+      destination_port_end   = "53"
+      destination_port_start = "53"
+      direction              = "in"
+      family                 = "IPv6"
+      protocol               = firewall_rule.value
+      source_address_end     = "2a04:3540:53::1"
+      source_address_start   = "2a04:3540:53::1"
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "UpCloud DNS"
+      destination_port_end   = "53"
+      destination_port_start = "53"
+      direction              = "in"
+      family                 = "IPv6"
+      protocol               = firewall_rule.value
+      source_address_end     = "2a04:3544:53::1"
+      source_address_start   = "2a04:3544:53::1"
+    }
+  }
+
+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "NTP Port"
+      destination_port_end   = "123"
+      destination_port_start = "123"
+      direction              = "in"
+      family                 = "IPv4"
+      protocol               = firewall_rule.value
+      source_address_end     = "255.255.255.255"
+      source_address_start   = "0.0.0.0"
+    }
+  }
+
+  firewall_rule {
+    action    = var.firewall_default_deny_in ? "drop" : "accept"
+    direction = "in"
+  }
+
+  firewall_rule {
+    action    = var.firewall_default_deny_out ? "drop" : "accept"
+    direction = "out"
+  }
+}
+
+resource "upcloud_loadbalancer" "lb" {
+  count             = var.loadbalancer_enabled ? 1 : 0
+  configured_status = "started"
+  name              = "${local.resource-prefix}lb"
+  plan              = var.loadbalancer_plan
+  zone              = var.zone
+  network           = upcloud_network.private.id
+}
+
+resource "upcloud_loadbalancer_backend" "lb_backend" {
+  for_each = var.loadbalancer_enabled ? var.loadbalancers : {}
+
+  loadbalancer = upcloud_loadbalancer.lb[0].id
+  name         = "lb-backend-${each.key}"
+}
+
+resource "upcloud_loadbalancer_frontend" "lb_frontend" {
+  for_each = var.loadbalancer_enabled ? var.loadbalancers : {}
+  
+  loadbalancer         = upcloud_loadbalancer.lb[0].id
+  name                 = "lb-frontend-${each.key}"
+  mode                 = "tcp"
+  port                 = each.value.port
+  default_backend_name = upcloud_loadbalancer_backend.lb_backend[each.key].name
+}
+
+resource "upcloud_loadbalancer_static_backend_member" "lb_backend_member" {
+  for_each = {
+    for be_server in local.lb_backend_servers: 
+      "${be_server.server_name}-lb-backend-${be_server.lb_name}" => be_server
+      if var.loadbalancer_enabled
+  }
+
+  backend      = upcloud_loadbalancer_backend.lb_backend[each.value.lb_name].id
+  name         = "${local.resource-prefix}${each.key}"
+  ip           = merge(upcloud_server.master, upcloud_server.worker)[each.value.server_name].network_interface[1].ip_address
+  port         = each.value.port
+  weight       = 100
+  max_sessions = var.loadbalancer_plan == "production-small" ? 50000 : 1000
+  enabled      = true
+}

contrib/terraform/upcloud/modules/kubernetes-cluster/output.tf

@@ -18,3 +18,7 @@ output "worker_ip" {
     }
   }
 }
+
+output "loadbalancer_domain" {
+  value = var.loadbalancer_enabled ? upcloud_loadbalancer.lb[0].dns_name : null
+}

contrib/terraform/upcloud/modules/kubernetes-cluster/variables.tf

@@ -16,6 +16,7 @@ variable "machines" {
   description = "Cluster machines"
   type = map(object({
     node_type       = string
+    plan            = string
     cpu             = string
     mem             = string
     disk_size       =  number
@@ -29,3 +30,66 @@ variable "machines" {
 variable "ssh_public_keys" {
   type = list(string)
 }
+
+variable "firewall_enabled" {
+  type = bool
+}
+
+variable "master_allowed_remote_ips" {
+  type = list(object({
+    start_address = string
+    end_address   = string
+  }))
+}
+
+variable "k8s_allowed_remote_ips" {
+  type = list(object({
+    start_address = string
+    end_address   = string
+  }))
+}
+
+variable "master_allowed_ports" {
+  type = list(object({
+    protocol       = string
+    port_range_min = number
+    port_range_max = number
+    start_address  = string
+    end_address    = string
+  }))
+}
+
+variable "worker_allowed_ports" {
+  type = list(object({
+    protocol       = string
+    port_range_min = number
+    port_range_max = number
+    start_address  = string
+    end_address    = string
+  }))
+}
+
+variable "firewall_default_deny_in" {
+  type = bool
+}
+
+variable "firewall_default_deny_out" {
+  type = bool
+}
+
+variable "loadbalancer_enabled" {
+  type = bool
+}
+
+variable "loadbalancer_plan" {
+  type = string
+}
+
+variable "loadbalancers" {
+  description = "Load balancers"
+
+  type = map(object({
+    port            = number
+    backend_servers = list(string)
+  }))
+}

contrib/terraform/upcloud/modules/kubernetes-cluster/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     upcloud = {
       source = "UpCloudLtd/upcloud"
-      version = "~>2.0.0"
+      version = "~>2.5.0"
     }
   }
   required_version = ">= 0.13"

contrib/terraform/upcloud/output.tf

@@ -6,3 +6,7 @@ output "master_ip" {
 output "worker_ip" {
   value = module.kubernetes.worker_ip
 }
+
+output "loadbalancer_domain" {
+  value = module.kubernetes.loadbalancer_domain
+}

contrib/terraform/upcloud/sample-inventory/cluster.tfvars

@@ -20,6 +20,8 @@ ssh_public_keys = [
 machines = {
   "master-0" : {
     "node_type" : "master",
+    # plan to use instead of custom cpu/mem
+    "plan" : null,
     #number of cpu cores
     "cpu" : "2",
     #memory size in MB
@@ -30,6 +32,8 @@ machines = {
   },
   "worker-0" : {
     "node_type" : "worker",
+    # plan to use instead of custom cpu/mem
+    "plan" : null,
     #number of cpu cores
     "cpu" : "2",
     #memory size in MB
@@ -49,6 +53,8 @@ machines = {
   },
   "worker-1" : {
     "node_type" : "worker",
+    # plan to use instead of custom cpu/mem
+    "plan" : null,
     #number of cpu cores
     "cpu" : "2",
     #memory size in MB
@@ -68,6 +74,8 @@ machines = {
   },
   "worker-2" : {
     "node_type" : "worker",
+    # plan to use instead of custom cpu/mem
+    "plan" : null,
     #number of cpu cores
     "cpu" : "2",
     #memory size in MB
@@ -86,3 +94,38 @@ machines = {
     }
   }
 }
+
+firewall_enabled          = false
+firewall_default_deny_in  = false
+firewall_default_deny_out = false
+
+
+master_allowed_remote_ips = [
+  {
+    "start_address" : "0.0.0.0"
+    "end_address" : "255.255.255.255"
+  }
+]
+
+k8s_allowed_remote_ips = [
+  {
+    "start_address" : "0.0.0.0"
+    "end_address" : "255.255.255.255"
+  }
+]
+
+master_allowed_ports = []
+worker_allowed_ports = []
+
+loadbalancer_enabled = false
+loadbalancer_plan = "development"
+loadbalancers = {
+  # "http" : {
+  #   "port" : 80,
+  #   "backend_servers" : [
+  #     "worker-0",
+  #     "worker-1",
+  #     "worker-2"
+  #   ]
+  # }
+}

contrib/terraform/upcloud/variables.tf

@@ -28,6 +28,7 @@ variable "machines" {
 
   type = map(object({
     node_type = string
+    plan      = string
     cpu       = string
     mem       = string
     disk_size = number
@@ -54,3 +55,78 @@ variable "UPCLOUD_USERNAME" {
 variable "UPCLOUD_PASSWORD" {
   description = "Password for UpCloud API user"
 }
+
+variable "firewall_enabled" {
+  description = "Enable firewall rules"
+  default     = false
+}
+
+variable "master_allowed_remote_ips" {
+  description = "List of IP start/end addresses allowed to access API of masters"
+  type = list(object({
+    start_address = string
+    end_address   = string
+  }))
+  default = []
+}
+
+variable "k8s_allowed_remote_ips" {
+  description = "List of IP start/end addresses allowed to SSH to hosts"
+  type = list(object({
+    start_address = string
+    end_address   = string
+  }))
+  default = []
+}
+
+variable "master_allowed_ports" {
+  description = "List of ports to allow on masters"
+  type = list(object({
+    protocol       = string
+    port_range_min = number
+    port_range_max = number
+    start_address  = string
+    end_address    = string
+  }))
+}
+
+variable "worker_allowed_ports" {
+  description = "List of ports to allow on workers"
+  type = list(object({
+    protocol       = string
+    port_range_min = number
+    port_range_max = number
+    start_address  = string
+    end_address    = string
+  }))
+}
+
+variable "firewall_default_deny_in" {
+  description = "Add firewall policies that deny all inbound traffic by default"
+  default     = false
+}
+
+variable "firewall_default_deny_out" {
+  description = "Add firewall policies that deny all outbound traffic by default"
+  default     = false
+}
+
+variable "loadbalancer_enabled" {
+  description = "Enable load balancer"
+  default     = false
+}
+
+variable "loadbalancer_plan" {
+  description = "Load balancer plan (development/production-small)"
+  default     = "development"
+}
+
+variable "loadbalancers" {
+  description = "Load balancers"
+
+  type = map(object({
+    port            = number
+    backend_servers = list(string)
+  }))
+  default = {}
+}

contrib/terraform/upcloud/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     upcloud = {
       source  = "UpCloudLtd/upcloud"
-      version = "~>2.0.0"
+      version = "~>2.5.0"
     }
   }
   required_version = ">= 0.13"

contrib/terraform/vsphere/README.md

@@ -35,9 +35,7 @@ This setup assumes that the DHCP is disabled in the vSphere cluster and IP addre
 
 ## Requirements
 
-* Terraform 0.13.0 or newer
-
-*0.12 also works if you modify the provider block to include version and remove all `versions.tf` files*
+* Terraform 0.13.0 or newer (0.12 also works if you modify the provider block to include version and remove all `versions.tf` files)
 
 ## Quickstart
 
@@ -105,8 +103,7 @@ ansible-playbook -i inventory.ini ../../cluster.yml -b -v
 * `vsphere_datacenter`: The identifier of vSphere data center
 * `vsphere_compute_cluster`: The identifier of vSphere compute cluster
 * `vsphere_datastore`: The identifier of vSphere data store
-* `vsphere_server`: The address of vSphere server
-* `vsphere_hostname`: The IP address of vSphere hostname
+* `vsphere_server`: This is the vCenter server name or address for vSphere API operations.
 * `ssh_public_keys`: List of public SSH keys to install on all machines
 * `template_name`: The name of a base image (the OVF template be defined in vSphere beforehand)
 
@@ -125,5 +122,7 @@ ansible-playbook -i inventory.ini ../../cluster.yml -b -v
 * `worker_cores`: The number of CPU cores for the worker nodes (default: 16)
 * `worker_memory`: The amount of RAM for the worker nodes in MB (default: 8192)
 * `worker_disk_size`: The amount of disk space for the worker nodes in GB (default: 100)
+* `vapp`: Boolean to set the template type to vapp. (Default: false)
+* `interface_name`: Name of the interface to configure. (Default: ens192)
 
 An example variables file can be found `default.tfvars`

contrib/terraform/vsphere/default.tfvars

@@ -34,6 +34,5 @@ vsphere_datacenter      = "i-did-not-read-the-docs"
 vsphere_compute_cluster = "i-did-not-read-the-docs" # e.g. Cluster
 vsphere_datastore       = "i-did-not-read-the-docs" # e.g. ssd-000000
 vsphere_server          = "i-did-not-read-the-docs" # e.g. vsphere.server.com
-vsphere_hostname        = "i-did-not-read-the-docs" # e.g. 192.168.0.2
 
 template_name = "i-did-not-read-the-docs" # e.g. ubuntu-bionic-18.04-cloudimg