Fix infra issues

1382d7ad · freesky-edward · 5114373e · 1382d7ad · 1382d7ad · 1382d7ad
6 changed file
--- a/environment/huaweicloud/README.md
+++ b/environment/huaweicloud/README.md
-# Useage
+# Infrastructure setup

-### Prerequisites 
+This folder houses  the infrastructure setup. it includes the following resources building:
+
+- ***Network***.  setup one vpc and one subnet.
+- ***Nat***.  create a nat gateway to make the k8s node accessible to internet.
+- ***EIPs***. create 3 EIPs. one for mailman-web, one for mailman-exim4, one for nat
+- ***Load balance***.  two LBs, one use for mailman-web. one for mailman-exim4.
+- ***DNS***.  several dns records. for mailman-web and mailman-exim4 sub-domain. dkim and spf authentication.
+- ***CCE***. The K8S cluster on huaweicloud.
+
+### Usage.
+
+The whole resources manged by [terraform](https://terraform.io) with [terraform-provider-huaweicloud](https://github.com/terraform-providers/terraform-provider-huaweicloud).
+
+Firstly. download terraform

- download terraform 
-  
 ```
-https://releases.hashicorp.com/terraform/0.12.7/terraform_0.12.7_linux_amd64.zip 
+https://releases.hashicorp.com/terraform/0.12.7/terraform_0.12.7_linux_amd64.zip
 unzip terraform_0.12.7_linux_amd64.zip
 ```

- create the keypaire named it ```KeyPair-infra```
-
- modify the account information in provider.tf
-
- setting service authorization for CCE if you are first time use CCE service. please go to CCE page for more detailed information.
+Before starting to setup the resources. please prepare the following resources.

-### Running the scripts
+- The huaweicloud accounts. fill the ```provider.tf ``` with your account info. please refer to [terraform doc](https://www.terraform.io/docs/providers/huaweicloud/index.html) for more detailed guide.        
+- The public/private key pairs.  used to DKIM authentication. please refer to [root README](../../README.md) for more detailed guide.   
+- The cloud key-pair. the key pair for node login.  ``` KeyPair-infra```  is the default name. 

+Provision the resources

 ```
 terraform init
-terraform apply
+terraform apply -var -var "dkim_public_key=<your-public-key>"
 ```

-### TODO
+### Inputs
+
+All of the following parameters can be changed according to your environment via ```terraform  -var “name=value”```. but I recommend to use the default if you are not familiar with the whole project.
+
+```dkim_public_key```(required). the public key will register the dns records.    
+ 
+```domain```(optional). the domain name where to publish the mail system endpoints. e.g. newto.me.
+```email```(optional). the email for domain and system administration.
+```keypair```(optional). the key pair name that generate on huaweicloud console which is used for node ssh authentication.     
+```az```(optional). the available zone where to run the mail system. default is ```ap-southeast-1a```      
+```node_flavor```(optional) the vm flavor of k8s. default value is ```s3.xlarge.4```      
+```selector```(optional)  the dkim selector name in dns records. which is used to dkim authentication by email receiver.     
+```sub_domain_mail```(optional) the sub domain name for mailman-exim4 server. the default value is ```mail```, that means the exim4 will serve on ```mail.<domain-name>```.    
+```sub_domain_web```(optional) the sub domain name for mailman-web.  default is ```web```.    
+
+### Outputs
+
+After the ```terraform apply``` completely run over. the command will output the following key information that will use in next stage to run k8s command or yaml configuration.
+
+```cce_clusters``` is a array list of the cce cluster endpoints and authentication datas. which is used to configuration ```kubectl``` command.           
+```cce_users``` is a array list of the users who have the accessible to k8s cluster. which is also used to configuration ```kubectl``` command.           
+```exim4_elb_id``` the elb id for exim4 service. which will use to k8s service configuration.      
+```web_elb_id``` the elb id for web service. being used to web service configuration.      
+```exim4_eip``` the internet ip address that exim4 will serve at.      
+```web_eip``` the internet ip address that web will serve at.      
+```web_domain``` the full domain name for web service. e.g. web.newto.me     
+```exim4_domain``` the full domain name for exim4 service. e.g. mail.newto.me     
+```dkim_selector``` the selector name that has record into dns configuration. 

- Add Nat configuration for cluster

- Add ELB configuration for service 
--- a/environment/huaweicloud/elb/elb.tf
+++ b/environment/huaweicloud/elb/elb.tf
-resource "huaweicloud_elb_loadbalancer" "elb" {
+resource "huaweicloud_lb_loadbalancer_v2" "this" {
  count          = "${length(var.loadbalancers)}"
  name           = "${lookup(var.loadbalancers[count.index], "name", null)}"
-  type           = "${lookup(var.loadbalancers[count.index], "type", "External")}"
  description    = "${lookup(var.loadbalancers[count.index], "description", "")}"
-  vpc_id         = "${lookup(var.loadbalancers[count.index], "vpc_id", null)}"
-  admin_state_up = 1
-  vip_address    = "${lookup(var.loadbalancers[count.index], "eip", null)}"
+  vip_subnet_id  = "${lookup(var.loadbalancers[count.index], "subnet_id", null)}"
+  admin_state_up = true
 }

-
+resource "huaweicloud_networking_floatingip_associate_v2" "this" {
+  count       = "${length(var.loadbalancers)}" 
+  floating_ip = "${lookup(var.loadbalancers[count.index], "eip", null)}"
+  port_id     = "${huaweicloud_lb_loadbalancer_v2.this[count.index].vip_port_id}"
+}
--- a/environment/huaweicloud/elb/out_puts.tf
+++ b/environment/huaweicloud/elb/out_puts.tf
+output "this_elb_ids" {
+  description = "List of IDs of the elbs"
+  value       = "${join(",",huaweicloud_lb_loadbalancer_v2.this.*.id)}"
+}
+
+output "this_port_ids" {
+  description = "List of the port ids of all elbs"
+  value       = "${join(",",huaweicloud_lb_loadbalancer_v2.this.*.vip_port_id)}"
+}
--- a/environment/huaweicloud/output.tf
+++ b/environment/huaweicloud/output.tf
@@ -5,3 +5,33 @@ output "cce_clusters" {
 output "cce_users" {
    value = "${module.cce.users}"
 }
+
+output "exim4_elb_id" {
+    value = "${length(split(",", module.elb.this_elb_ids)) > 1 ? split(",", module.elb.this_elb_ids)[1] : null}"
+}
+
+output "web_elb_id"  {
+    value = "${length(split(",", module.elb.this_elb_ids)) > 0 ? split(",", module.elb.this_elb_ids)[0] : null}"
+}
+
+output "exim4_eip" {
+    value = "${length(split(",", module.internet.this_eip_addresses)) > 1? split(",", module.internet.this_eip_addresses)[2] : null}"
+}
+
+output "web_eip" {
+    value = "${length(split(",", module.internet.this_eip_addresses)) > 0 ? split(",", module.internet.this_eip_addresses)[1] : null}"
+}
+
+
+output "exim4_domain" {
+    value = "${var.sub_domain_mail}.${var.domain}"
+}
+
+output "web_domain" {
+    value = "${var.sub_domain_web}.${var.domain}"
+}
+
+output "dkim_selector" {
+   value = "${var.selector}"
+}
+
--- a/environment/huaweicloud/resources.tf
+++ b/environment/huaweicloud/resources.tf
@@ -15,47 +15,12 @@ module "network" {
  ]
 }

-module "security_group" {
-  source ="./sg/"
-
-  // Security Group
-  name        = "sg-community"
-  description = "This is community security group"
-
-  // Security Group Rule
-  rules = [
-    {
-      direction      = "ingress",
-      ethertype      = "IPv4",
-      protocol       = "tcp",
-      port_range_min = "22",
-      port_range_max = "22",
-      remote_ip_cidr = "0.0.0.0/0"
-    },
-    {
-      direction      = "ingress",
-      ethertype      = "IPv4",
-      protocol       = "tcp",
-      port_range_min = "80",
-      port_range_max = "80",
-      remote_ip_cidr = "0.0.0.0/0"
-    },
-    {
-      direction      = "ingress",
-      ethertype      = "IPv4",
-      protocol       = "tcp",
-      port_range_min = "25",
-      port_range_max = "25",
-      remote_ip_cidr = "0.0.0.0/0"
-    }
-  ]
-}

 module "cce" {
  source = "./cce"
 
  name   = "cce-community"
-  description = "This is comunity cce cluster"
+  description = "This is cce cluster for community"
  vpc_id = "${module.network.this_vpc_id}"
  subnet_id = "${split(",", module.network.this_network_ids)[0]}"
  flavor_id = "cce.s1.large"
@@ -63,22 +28,22 @@ module "cce" {
  nodes = [
    {
      name    = "node1",
-      ssh_key = "KeyPair-infra",
-      az      = "ap-southeast-1a",
-      flavor_id = "s3.xlarge.4"
+      ssh_key = "${var.keypair}",
+      az      = "${var.az}",
+      flavor_id = "${var.node_flavor}"
    },
    {
-      name    = "node2",
-      ssh_key = "KeyPair-infra",
-      az      = "ap-southeast-1a",
-      flavor_id = "s3.xlarge.4"
+      name    = "node1",
+      ssh_key = "${var.keypair}",
+      az      = "${var.az}",
+      flavor_id = "${var.node_flavor}"
    },
    {
-      name    = "node3",
-      ssh_key = "KeyPair-infra",
-      az      = "ap-southeast-1a",
-      flavor_id = "s3.xlarge.4"
-    },
+      name    = "node1",
+      ssh_key = "${var.keypair}",
+      az      = "${var.az}",
+      flavor_id = "${var.node_flavor}"
+    }
  ]  
 }

@@ -97,11 +62,11 @@ module "internet" {
    {
      bandwidth-name = "bandwidth-03",
      size           = "5"
-    }, 
+    },
    {
      bandwidth-name = "bandwidth-04",
      size           = "5"
-    }
+    } 
  ]
 }

@@ -128,26 +93,23 @@ module "elb" {
  
  loadbalancers = [
    {
-      name  =  "elb-website"
-      description = "The load balancer of website"
-      type = "External"
-      vpc_id = "${module.network.this_vpc_id}"
-      eip    = "${split(",", module.internet.this_eip_addresses)[3]}"
+      name  =  "elb-web"
+      description = "The load balancer of mailman-web"
+      subnet_id = "${split(",", module.network.this_subnet_ids)[0]}"
+      eip    = "${split(",", module.internet.this_eip_addresses)[1]}"
    },
    {
-      name  =  "elb-mailweb"
-      description = "The load balancer of mailweb"
-      type = "External"
-      vpc_id = "${module.network.this_vpc_id}"
+      name  =  "elb-mta"
+      description = "The load balancer of mail MTA"
+      subnet_id = "${split(",", module.network.this_subnet_ids)[0]}"
      eip    = "${split(",", module.internet.this_eip_addresses)[2]}"
    },
    {
-      name  =  "elb-mta"
-      description = "The load balancer of mail MTA"
-      type = "External"
-      vpc_id = "${module.network.this_vpc_id}"
-      eip    = "${split(",", module.internet.this_eip_addresses)[1]}"
-    }
+      name  =  "elb-website"
+      description = "The load balancer of website"
+      subnet_id = "${split(",", module.network.this_subnet_ids)[0]}"
+      eip    = "${split(",", module.internet.this_eip_addresses)[3]}"
+    },
  ]
 }
  
@@ -155,45 +117,50 @@ module "elb" {
 module "dns" {
  source = "./dns"
  
-  domain = "openeuler.org"
-  email  = "freesky.edward@gmail.com"
+  domain = "${var.domain}."
+  email  = "${var.email}"
  
  records = [
    {
-      domain = "mail"
+      domain = "${var.domain}."
+      type = "A"
+      value = "${split(",", module.internet.this_eip_addresses)[3]}"
+    },
+    {
+      domain = "${var.sub_domain_mail}.${var.domain}."
      type  =  "A"
-      value = "${split(",", module.internet.this_eip_addresses)[1]}"
+      value = "${split(",", module.internet.this_eip_addresses)[2]}"
    },
    {
-      domain = "mailweb"
+      domain = "${var.sub_domain_web}.${var.domain}."
      type = "A"
-      value = "${split(",", module.internet.this_eip_addresses)[2]}"
+      value = "${split(",", module.internet.this_eip_addresses)[1]}"
    },
    {
-      domain = "@"
+      domain = "${var.domain}."
      type = "MX"
-      value = "mail.openeuler.org"
+      value = "1 ${var.sub_domain_mail}.${var.domain}."
    },
    {
-      domain = "@"
+      domain = "${var.domain}."
      type = "TXT"
-      value = "v=spf1 a mx ip4:${split(",", module.internet.this_eip_addresses)[0]}  ~all"
+      value = "\"v=spf1 a mx ip4:${split(",", module.internet.this_eip_addresses)[0]}  ~all\""
    },
    {
-      domain = "_dmarc"
+      domain = "_dmarc.${var.domain}."
      type = "TXT"
-      value = "v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;fo=1;rf=afrf;pct=100;ruf=mailto:405121670@qq.com;ri=86400"
+      value = "\"v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;fo=1;rf=afrf;pct=100;ruf=mailto:${var.email};ri=86400\""
    },
    {
-      domain = "${var.handler}._domainkey"
+      domain = "${var.selector}._domainkey.${var.domain}."
      type = "TXT"
-      value = "v=DKIM1;k=rsa;p=${var.dkim_public_key}"
+      value = "\"v=DKIM1;k=rsa;p=${var.dkim_public_key}\""
    }
  ]

  ptrs = [
    {
-       domain = "openeuler.org"
+       domain = "${var.domain}."
       ip     = "${split(",", module.internet.this_eip_ids)[0]}"
    }
  ]

--- a/environment/huaweicloud/vars.tf
+++ b/environment/huaweicloud/vars.tf
-variable "handler" {
-    description = "The DKIM hander name"
+#Required vars
+variable "domain" {
+    description = "The email domain that will be served on. e.g. example.com"
+    default  = "openeuler.org"
+}
+
+variable "email" {
+    description = "The admin email of dns domain. e.g. example@gmail.com"
+    default  = "freesky.edward@gmail.com"
 }

 variable "dkim_public_key" {
-    description = "The DKIM public key"
+    description = "The DKIM public key, must be rsa more than 1024, 2048 should be plus"
+}
+
+#
+#Optional vars
+#
+
+## The cluster vars
+variable "keypair" {
+    description = "The key pair for cce cluster node login."
+    default = "KeyPair-infra"
+}
+
+variable "az" {
+    description = "The AZ that system will run on"
+    default = "ap-southeast-1a"
+}
+
+variable "node_flavor" {
+    description = "The default flavor of cce node"
+    default = "s3.xlarge.4"
+}
+
+## The dns configuation vars
+variable "selector" {
+    description = "The DKIM hander name"
+    default = "20191010"
+}
+
+variable "sub_domain_mail" {
+    description = "The sub domain that exim4 will serve on"
+    default = "mail"
+}
+
+variable "sub_domain_web" {
+    description = "The sub domain that mailman web will serve on"
+    default = "mailweb"
 }