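# Heat Orchestration Template (HOT) for a Kubernetes cluster on OpenStack:
# one master server plus an autoscaling group of minions built from the
# nested kubeminion.yaml template.  Node bootstrapping is driven by the
# cloud-init fragments under fragments/ (combined into a MultipartMime
# user-data payload) and by the salt scripts fetched from kubernetes_salt_url.
#
# Security-relevant defaults a deployer should review before use:
#   - apiserver_user / apiserver_password / token_kubelet / token_kube_proxy
#     ship with placeholder credentials; always override them.
#   - secgroup_base admits SSH from any source and secgroup_node admits all
#     TCP and UDP from any source (see the rules below); combined with
#     assign_floating_ip: true the minions are reachable from the internet.
#   - dns_nameserver defaults to a public resolver (8.8.8.8).

heat_template_version: 2016-10-14

description: >
  Kubernetes cluster with one master and one or more worker nodes
  (as specified by the number_of_minions parameter, which defaults
  to 3).

parameters:

  ssh_key_name:
    type: string
    description: name of ssh key to be provisioned on our server

  external_network:
    type: string
    description: uuid/name of a network to use for floating ip addresses
    default: public

  lbaas_version:
    type: string
    description: version of OpenStack LBaaS service. not specifying means auto detect

  server_image:
    type: string
    description: glance image used to boot the server

  master_flavor:
    type: string
    default: m1.small
    description: flavor to use when booting the master server

  minion_flavor:
    type: string
    default: m1.small
    description: flavor to use when booting the minion servers

  dns_nameserver:
    type: string
    description: address of a dns nameserver reachable in your environment
    # Public resolver: every lookup from the fixed subnet leaves the
    # environment unless this is overridden with an internal resolver.
    default: 8.8.8.8

  number_of_minions:
    type: number
    description: how many kubernetes minions to spawn initially
    default: 3

  max_number_of_minions:
    type: number
    description: maximum number of kubernetes minions to spawn
    default: 10

  fixed_network_cidr:
    type: string
    description: network range for fixed ip network
    default: 10.0.0.0/24

  cluster_cidr:
    type: string
    description: network range for pod IPs
    default: 10.244.0.0/16

  service_cluster_cidr:
    type: string
    description: network range for service IPs
    default: 10.10.0.0/16

  master_pod_cidr:
    type: string
    description: >-
      network range for master pod IPs (ignored, but must not conflict with other subnets)
    default: 10.245.1.0/24

  kubernetes_server_url:
    type: string
    description: URL of kubernetes server binary. Must be tar.gz.

  kubernetes_salt_url:
    type: string
    description: URL of kubernetes salt scripts. Must be tar.gz.

  # ------------------------------------------------------------------
  # Cluster credentials.  The defaults are placeholders only; they are
  # written verbatim into the master's auth files by
  # deploy_kube_auth_files_master and handed to every minion, so a stack
  # created without overriding them has well-known credentials.
  # `hidden: true` keeps the values out of stack/parameter listings.
  # ------------------------------------------------------------------

  apiserver_user:
    type: string
    description: User name used for api-server
    default: user

  apiserver_password:
    type: string
    description: Password used for api-server (override the placeholder default)
    default: password
    hidden: true

  token_kubelet:
    type: string
    description: Token used by kubelet (override the placeholder default)
    default: TokenKubelet
    hidden: true

  token_kube_proxy:
    type: string
    description: Token used by kube-proxy (override the placeholder default)
    default: TokenKubeproxy
    hidden: true

  wait_condition_timeout:
    type: number
    description: >
      timeout for the Wait Conditions
    default: 6000

  # ------------------------------------------------------------------
  # OpenStack credentials passed to the salt cloud-provider config.
  # NOTE(review): `false` here is a YAML boolean feeding a `string`
  # parameter, so Heat stringifies it; confirm what
  # fragments/configure-salt.yaml compares against before changing these
  # to quoted strings.
  # ------------------------------------------------------------------

  os_auth_url:
    type: string
    description: OpenStack Auth URL
    default: false

  os_username:
    type: string
    description: OpenStack Username
    default: false

  os_password:
    type: string
    description: OpenStack Password
    default: false
    hidden: true

  os_region_name:
    type: string
    description: OpenStack Region Name
    default: false

  os_tenant_name:
    type: string
    description: OpenStack Tenant Name
    default: false

  os_user_domain_name:
    type: string
    description: OpenStack User Domain Name (Domain-level authorization scope for keystone v3)

  enable_proxy:
    type: string
    description: Whether or not to enable proxy settings
    default: false

  ftp_proxy:
    type: string
    description: FTP Proxy URL
    default: localhost

  http_proxy:
    type: string
    description: HTTP Proxy URL
    default: localhost

  https_proxy:
    type: string
    description: HTTPS Proxy URL
    default: localhost

  socks_proxy:
    type: string
    description: SOCKS Proxy URL
    default: localhost

  no_proxy:
    type: string
    description: Comma separated list of domains/addresses that bypass proxying.
    default: localhost

  assign_floating_ip:
    type: boolean
    description: Indicates whether floating IPs will be generated for minions
    default: true

resources:

  # The master signals this handle from run-salt.sh ($$wc_notify) once
  # bootstrapping finishes; the minion group waits on it.
  master_wait_handle:
    type: OS::Heat::WaitConditionHandle

  master_wait_condition:
    type: OS::Heat::WaitCondition
    depends_on: kube_master
    properties:
      handle: {get_resource: master_wait_handle}
      timeout: {get_param: wait_condition_timeout}

  ######################################################################
  #
  # network resources.  allocate a network and router for our server.
  #

  fixed_network:
    type: OS::Neutron::Net

  fixed_subnet:
    type: OS::Neutron::Subnet
    properties:
      cidr: {get_param: fixed_network_cidr}
      network: {get_resource: fixed_network}
      dns_nameservers:
        - {get_param: dns_nameserver}

  extrouter:
    type: OS::Neutron::Router
    properties:
      external_gateway_info:
        network: {get_param: external_network}

  extrouter_inside:
    type: OS::Neutron::RouterInterface
    properties:
      router_id: {get_resource: extrouter}
      subnet: {get_resource: fixed_subnet}

  ######################################################################
  #
  # security groups.  we need to permit network traffic of various
  # sorts.  Rules without remote_ip_prefix/remote_group_id apply to any
  # source (0.0.0.0/0), and rules without a protocol apply to all
  # protocols.
  #

  # Applied to the master and (via the nested template) to every minion:
  # ICMP and SSH from anywhere, plus all traffic between group members.
  # Restricting the SSH rule with a remote_ip_prefix for your admin
  # network is recommended.
  secgroup_base:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - protocol: icmp
        - protocol: tcp
          port_range_min: 22
          port_range_max: 22
        - remote_mode: remote_group_id

  # Master only: the API server is exposed on 443 to any source.
  secgroup_master:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - protocol: tcp  # api-server
          port_range_min: 443
          port_range_max: 443

  # Minions only: every TCP and UDP port is open to any source.  With
  # assign_floating_ip: true this exposes the kubelet, NodePort range and
  # anything else listening on a minion to the internet; scope these rules
  # to the pod/fixed networks or to remote_group_id where possible.
  secgroup_node:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - protocol: icmp
        - protocol: tcp
        - protocol: udp

  ######################################################################
  #
  # software configs.  these are components that are combined into
  # a multipart MIME user-data archive.
  #

  write_heat_params:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config:
        str_replace:
          template: {get_file: fragments/write-heat-params.yaml}
          params:
            "$KUBERNETES_SERVER_URL": {get_param: kubernetes_server_url}
            "$KUBERNETES_SALT_URL": {get_param: kubernetes_salt_url}
            "$MASTER_IP": {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}

  proxy_config:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config:
        str_replace:
          template: {get_file: fragments/configure-proxy.sh}
          params:
            "$ENABLE_PROXY": {get_param: enable_proxy}
            "$FTP_PROXY": {get_param: ftp_proxy}
            "$HTTP_PROXY": {get_param: http_proxy}
            "$HTTPS_PROXY": {get_param: https_proxy}
            "$SOCKS_PROXY": {get_param: socks_proxy}
            "$NO_PROXY": {get_param: no_proxy}

  hostname_hack:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config: {get_file: fragments/hostname-hack.yaml}

  hostname_hack_script:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config: {get_file: fragments/hostname-hack.sh}

  kube_user:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config: {get_file: fragments/kube-user.yaml}

  provision_network_master:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config: {get_file: fragments/provision-network-master.sh}

  # Credentials are substituted into the fragment as plain text; the
  # rendered user-data is readable by anyone who can read the server's
  # metadata, so treat the instance metadata service as sensitive.
  deploy_kube_auth_files_master:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config:
        str_replace:
          template: {get_file: fragments/deploy-kube-auth-files-master.yaml}
          params:
            "$apiserver_user": {get_param: apiserver_user}
            "$apiserver_password": {get_param: apiserver_password}
            "$token_kubelet": {get_param: token_kubelet}
            "$token_kube_proxy": {get_param: token_kube_proxy}

  # The OpenStack credentials (including os_password) are written into the
  # master's salt configuration by this fragment.
  configure_salt_master:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config:
        str_replace:
          template: {get_file: fragments/configure-salt.yaml}
          params:
            "$MASTER_IP": {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}
            "$OS_AUTH_URL": {get_param: os_auth_url}
            "$OS_USERNAME": {get_param: os_username}
            "$OS_PASSWORD": {get_param: os_password}
            "$OS_REGION_NAME": {get_param: os_region_name}
            "$OS_TENANT_NAME": {get_param: os_tenant_name}
            "$OS_USER_DOMAIN_NAME": {get_param: os_user_domain_name}
            "$LBAAS_VERSION": {get_param: lbaas_version}
            "$SUBNET_ID": {get_resource: fixed_subnet}
            "$FLOATING_NETWORK_ID": {get_attr: [kube_master_floating, floating_network_id]}
            "$role": "kubernetes-master"
            "$router_id": {get_resource: extrouter}
            "$cluster_cidr": {get_param: cluster_cidr}
            "$MASTER_IP_RANGE": {get_param: master_pod_cidr}

  run_salt:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config:
        str_replace:
          template: {get_file: fragments/run-salt.sh}
          params:
            "$$wc_notify": {get_attr: [master_wait_handle, curl_cli]}

  # Order matters: the fragments run in sequence on first boot.
  kube_master_init:
    type: OS::Heat::MultipartMime
    properties:
      parts:
        - config: {get_resource: write_heat_params}
        - config: {get_resource: proxy_config}
        - config: {get_resource: hostname_hack}
        - config: {get_resource: hostname_hack_script}
        - config: {get_resource: kube_user}
        - config: {get_resource: provision_network_master}
        - config: {get_resource: deploy_kube_auth_files_master}
        - config: {get_resource: configure_salt_master}
        - config: {get_resource: run_salt}

  ######################################################################
  #
  # kubernetes master server.
  #

  kube_master:
    type: OS::Nova::Server
    depends_on:
      - extrouter_inside
    properties:
      image: {get_param: server_image}
      flavor: {get_param: master_flavor}
      key_name: {get_param: ssh_key_name}
      user_data_format: RAW
      user_data: {get_resource: kube_master_init}
      networks:
        - port: {get_resource: kube_master_eth0}
      name:
        list_join: ["-", [{get_param: "OS::stack_name"}, master]]

  kube_master_eth0:
    type: OS::Neutron::Port
    properties:
      network: {get_resource: fixed_network}
      security_groups:
        - {get_resource: secgroup_base}
        - {get_resource: secgroup_master}
      fixed_ips:
        - subnet: {get_resource: fixed_subnet}
      # NOTE(review): hard-coded and not derived from cluster_cidr or
      # master_pod_cidr; confirm it matches the range the master actually
      # sources pod traffic from, otherwise port security drops it.
      allowed_address_pairs:
        - ip_address: 10.246.0.0/16
      replacement_policy: AUTO

  kube_master_floating:
    type: OS::Neutron::FloatingIP
    properties:
      floating_network: {get_param: external_network}
      port_id: {get_resource: kube_master_eth0}

  ######################################################################
  #
  # kubernetes minions.  This is an autoscaling group that initially
  # creates number_of_minions minions and is bounded by
  # max_number_of_minions.  No OS::Heat::ScalingPolicy is defined in this
  # template, so any scaling beyond the initial size is driven externally.
  #

  kube_minions:
    type: OS::Heat::AutoScalingGroup
    depends_on:
      - extrouter_inside
      - master_wait_condition
    properties:
      resource:
        type: kubeminion.yaml
        properties:
          kubernetes_server_url: {get_param: kubernetes_server_url}
          kubernetes_salt_url: {get_param: kubernetes_salt_url}
          ssh_key_name: {get_param: ssh_key_name}
          server_image: {get_param: server_image}
          minion_flavor: {get_param: minion_flavor}
          token_kubelet: {get_param: token_kubelet}
          token_kube_proxy: {get_param: token_kube_proxy}
          fixed_network: {get_resource: fixed_network}
          fixed_subnet: {get_resource: fixed_subnet}
          cluster_cidr: {get_param: cluster_cidr}
          kube_master_ip: {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}
          external_network: {get_param: external_network}
          wait_condition_timeout: {get_param: wait_condition_timeout}
          metadata: {"metering.stack": {get_param: "OS::stack_id"}}
          cluster_name: {get_param: "OS::stack_name"}
          secgroup_base: {get_resource: secgroup_base}
          secgroup_node: {get_resource: secgroup_node}
          os_auth_url: {get_param: os_auth_url}
          os_username: {get_param: os_username}
          os_password: {get_param: os_password}
          os_region_name: {get_param: os_region_name}
          os_tenant_name: {get_param: os_tenant_name}
          os_user_domain_name: {get_param: os_user_domain_name}
          enable_proxy: {get_param: enable_proxy}
          ftp_proxy: {get_param: ftp_proxy}
          http_proxy: {get_param: http_proxy}
          https_proxy: {get_param: https_proxy}
          socks_proxy: {get_param: socks_proxy}
          no_proxy: {get_param: no_proxy}
          assign_floating_ip: {get_param: assign_floating_ip}
      min_size: {get_param: number_of_minions}
      desired_capacity: {get_param: number_of_minions}
      max_size: {get_param: max_number_of_minions}

outputs:

  kube_master:
    value: {get_attr: [kube_master_floating, floating_ip_address]}
    description: >
      This is the "public" IP address of the Kubernetes master node.  Use this IP address
      to log in to the Kubernetes master via ssh or to access the Kubernetes API
      from outside the cluster.

  kube_minions:
    value: {get_attr: [kube_minions, outputs_list, kube_minion_ip]}
    description: >
      Here is the list of the "private" addresses of all Kubernetes worker nodes.

  kube_minions_external:
    value: {get_attr: [kube_minions, outputs_list, kube_minion_external_ip]}
    description: >
      Here is the list of the "public" addresses of all Kubernetes worker nodes.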