Use Exoscale

Currently, the Terraform module this component uses for Exoscale only supports provisioning VSHN-managed OCP4 clusters on Exoscale.
See the Exoscale installation how-to for a comprehensive guide to setting up OCP4 on Exoscale.

The following steps show how to set up Terraform with Exoscale.

The component currently assumes that the Git repositories live on a GitLab instance.

Setup credentials

  1. Set up three new API keys in portal.exoscale.com. Two of them are used for the Terraform pipeline.

    1. The first key should be created with a read-only IAM role:

      Read-only role
      {
        "name": "openshift4-terraform-ro",
        "policy": {
          "default-service-strategy": "deny",
          "services": {
            "compute": {
              "type": "rules",
              "rules": [
                {
                  "action": "allow",
                  "expression": "matches(operation, '(get|list)-.*')"
                }
              ]
            },
            "dns": {
              "type": "rules",
              "rules": [
                {
                  "action": "allow",
                  "expression": "matches(operation, '(get|list)-.*')"
                }
              ]
            }
          }
        }
      }
    2. The second key can be created with a role with full permissions.

      Full permissions role configuration
      {
        "name": "unrestricted",
        "policy": { "default-service-strategy": "allow" }
      }
    3. The third key needs the following IAM role (this key will be deployed onto the LBs for Floaty):

      Floaty IAM role
      {
        "name": "floaty",
        "policy": {
          "default-service-strategy": "deny",
          "services": {
            "compute-legacy": {
              "type": "rules",
              "rules": [
                {
                  "action": "allow",
                  "expression": "operation in ['compute-add-ip-to-nic', 'compute-list-nics', 'compute-list-resource-details', 'compute-list-virtual-machines', 'compute-query-async-job-result', 'compute-remove-ip-from-nic']"
                }
              ]
            }
          }
        }
      }
  2. Create a "Project Access Token" for the hieradata repository. The token requires the following permissions:

    • api

    • read_repository

    • write_repository

    The user that is created will be named project_<project-id>_bot, where <project-id> is the project ID of the GitLab project. If the project already has access tokens, the user will be named project_<project-id>_bot<N> instead, where N is a running counter (1 for the second token, etc.).

  3. Set up a "Servers API" token on control.vshn.net.

  4. If there’s no access token configured on the APPUiO hieradata repo, create one. Otherwise check Vault for the token.
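The three IAM roles in step 1 differ only in which operations they let a key perform, so it helps to check, before the keys are put into CI/CD variables, that each role allows exactly what its consumer needs and nothing more. The evaluator below is an added example, not part of this component or of Exoscale's tooling; it interprets the two CEL expression shapes used on this page (`matches(operation, '...')` and `operation in [...]`) and assumes, as Exoscale documents, that a service not listed in the policy falls back to `default-service-strategy` and that in a `rules` service the first matching rule wins, with no match meaning deny. The policies are constructed, trimmed copies of the page's read-only and Floaty roles.

```python
import re

# Constructed, trimmed copies of the page's read-only and Floaty role policies.
RO_POLICY = {
    "default-service-strategy": "deny",
    "services": {
        "compute": {"type": "rules", "rules": [
            {"action": "allow", "expression": "matches(operation, '(get|list)-.*')"}]},
        "dns": {"type": "rules", "rules": [
            {"action": "allow", "expression": "matches(operation, '(get|list)-.*')"}]},
    },
}
FLOATY_POLICY = {
    "default-service-strategy": "deny",
    "services": {"compute-legacy": {"type": "rules", "rules": [
        {"action": "allow",
         "expression": "operation in ['compute-add-ip-to-nic', 'compute-list-nics']"}]}},
}

# Only the two CEL forms that appear on this page are supported.
_MATCHES = re.compile(r"^matches\(operation,\s*'([^']*)'\)$")
_IN = re.compile(r"^operation in \[([^\]]*)\]$")


def eval_expression(expr, operation):
    """Evaluate a rule expression against an operation name."""
    m = _MATCHES.match(expr)
    if m:
        # CEL matches() is an unanchored RE2 search, so use re.search, not re.fullmatch.
        return re.search(m.group(1), operation) is not None
    m = _IN.match(expr)
    if m:
        allowed = [s.strip().strip("'") for s in m.group(1).split(",")]
        return operation in allowed
    raise ValueError(f"unsupported expression: {expr}")


def is_allowed(policy, service, operation):
    """Return True if the policy permits `operation` on `service`."""
    svc = policy["services"].get(service)
    if svc is None:  # service not mentioned: fall back to the default strategy
        return policy["default-service-strategy"] == "allow"
    if svc["type"] in ("allow", "deny"):
        return svc["type"] == "allow"
    for rule in svc["rules"]:  # first matching rule decides
        if eval_expression(rule["expression"], operation):
            return rule["action"] == "allow"
    return False  # assumption: no rule matched -> denied
```

Run it against the operations each pipeline job actually issues; a read-only key that can `create-instance`, or a Floaty key that reaches beyond `compute-legacy`, is a misconfigured role.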

Setup component

  1. Configure component parameters

    openshift4_terraform:
      provider: exoscale
      gitlab_ci:
        git: (1)
          username: Max Mustermann
          email: mm@example.com
      terraform_variables:
        # Required parameters
        rhcos_template: TheTemplateNameForRHCOS
        base_domain: ${openshift:baseDomain}
        ignition_ca: |-
          -----BEGIN CERTIFICATE-----
          ...
        ssh_key: ssh-ed25519 AA...
        bootstrap_bucket: https://sos-${facts:region}.exo.io/${cluster:name}-bootstrap
        hieradata_repo_user: project_123_bot (2)
    
        # Optional parameters:
        worker_count: 3
        worker_size: Extra-large
    1 The Git author name and email address. Used when creating hieradata commits. If not specified, the GitLab CI defaults will be used.
    2 The user created for the hieradata project access token. Please note that the Terraform module currently only supports the VSHN APPUiO hieradata
  2. Compile the cluster catalog

  3. Configure the cluster catalog GitLab repository CI/CD

    • Settings > CI/CD > General pipelines > Configuration file:
      manifests/openshift4-terraform/gitlab-ci.yml

    • Settings > CI/CD > Variables

      • EXOSCALE_API_SECRET_RO

      • EXOSCALE_API_KEY_RO

      • EXOSCALE_API_SECRET_RW

      • EXOSCALE_API_KEY_RW

      • EXOSCALE_FLOATY_KEY

      • EXOSCALE_FLOATY_SECRET

      • HIERADATA_REPO_TOKEN — the VSHN APPUiO hieradata project access token

      • CONTROL_VSHN_NET_TOKEN