Merge pull request #73 from Sashwat-K/hpvs-icic-example

feat: add terraform example to provision HPCR RHVS on ICIC

Author: sandeep-at-ibm

terraform-hpcr-rhvs/README.md

@@ -0,0 +1,40 @@
+## IBM Hyper Protect Container Runtime for Red Hat Virtualization Services for On Prem Examples
+
+## Preparation
+
+1. Make sure to have the [OpenSSL](https://www.openssl.org/) binary installed (see [details](#openssl)).
+2. Install the [terraform CLI](https://learn.hashicorp.com/tutorials/terraform/install-cli) for your environment.
+3. Make sure you have valid API Key for push logs to IBM Cloud Logs.
+4. Follow the description for [HPCR](https://cloud.ibm.com/docs/vpc?topic=vpc-about-se#hpcr_setup_logging) to setup a logging instance.
+5. Set either environment variables or fill the template file according to the example README.
+
+## Examples
+
+Follow the README in the subdirectory of the examples for further instructions:
+
+- [IBM Cloud Infrastructure Center](hello-world/README.md) - An Example to bring up nginx through ICIC
+  
+
+## OpenSSL
+
+The [terraform provider](https://registry.terraform.io/providers/ibm-hyper-protect/hpcr/) leverages the [OpenSSL](https://www.openssl.org/) binary for all cryptographic operations in favour of the [golang crypto](https://pkg.go.dev/crypto) packages. This is because the golang libraries are not [FIPS](https://en.wikipedia.org/wiki/FIPS_140-2) certified whereas there exist certified OpenSSL binaries a customer can select. 
+
+Make sure to have the binaries installed for your platform. **Note:** on some platforms the default binary is actually a [LibreSSL](https://www.libressl.org/) installation, which is **not** compatible.
+
+Verify your installation via running:
+
+```bash
+openssl version
+```
+
+this should give an output similar to the following:
+
+```text
+OpenSSL 1.1.1q  5 Jul 2022
+```
+
+In case you cannot change the OpenSSL binary in the path, you may override the version used by the [terraform provider](https://registry.terraform.io/providers/ibm-hyper-protect/hpcr/) by setting the `OPENSSL_BIN` environment variable to the absolute path of the correct binary, e.g. 
+
+```cmd
+OPENSSL_BIN="C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
+```

terraform-hpcr-rhvs/ibm-cloud-infrastructure-center/README.md

@@ -0,0 +1,86 @@
+## Deploy Hyper Protect Container Runtime with RedHat Virtualization Services (HPCR RHVS) on IBM Cloud Infrastructure Center (ICIC)
+
+### Preparation
+
+1. Setup ICIC Management node and compute nodes [see details](https://www.ibm.com/products/cloud-infrastructure-center) and make sure to have details like username, password, tenant name, authentication URL and domain name.
+2. Prepare your environment according to [these steps](../README.md)
+
+### Provision on ICIC
+
+Initialize terraform:
+
+```bash
+terraform init
+```
+
+Deploy the example:
+
+```bash
+terraform apply
+```
+
+### Settings
+
+Use one of the following options to set your settings:
+
+#### Template file
+
+1. Copy contents of `my-settings.auto.tfvars-template` to `my-settings.auto.tfvars`.
+    ```bash
+    cp my-settings.auto.tfvars-template my-settings.auto.tfvars
+    ```
+2. Update `my-settings.auto.tfvars` to appropriate values.
+
+#### Environment variables
+
+Set the following environment variables:
+
+```text
+TF_VAR_icic_username="ICIC username"
+TF_VAR_icic_password="ICIC password"
+TF_VAR_icic_tenant_name="ICIC tenant name"
+TF_VAR_icic_auth_url="ICIC authentication URL"
+TF_VAR_icic_domain_name="ICIC domain name"
+
+TF_VAR_prefix = "prefix for names"
+TF_VAR_hpcr_rhvs_image_path = "path to HPCR RHVS qcow2"
+TF_VAR_icic_network_name = "ICIC network name"
+TF_VAR_icic_target_compute_node = "Target compute node to bring up instance"
+
+TF_VAR_icl_iam_apikey="Your IBM Cloud Logs IAM API Key"
+TF_VAR_icl_hostname="Your IBM Cloud Logs Hostname"
+
+TF_VAR_hpcr_rhvs_image_cert_path = "HPCR RHVS encryption certificate path"
+```
+
+### Run the Example
+
+Initialize terraform:
+
+```bash
+terraform init
+```
+
+Deploy the example:
+
+```bash
+terraform apply
+```
+
+#### Test if the example works
+
+Use your browser to access:
+
+```text
+http://<IP>
+```
+
+This will show a screen like this:
+
+![nginx](images/nginx.png)
+
+Destroy the created resources:
+
+```bash
+terraform destroy
+```

terraform-hpcr-rhvs/ibm-cloud-infrastructure-center/images/nginx.png

@@ -0,0 +1,15 @@
+icic_username="ICIC username"
+icic_password="ICIC password"
+icic_tenant_name="ICIC tenant name"
+icic_auth_url="ICIC authentication URL"
+icic_domain_name="ICIC domain name"
+
+prefix = "prefix for names"
+hpcr_rhvs_image_path = "path to HPCR RHVS qcow2"
+icic_network_name = "ICIC network name"
+icic_target_compute_node = "Target compute node to bring up instance"
+
+icl_iam_apikey="Your IBM Cloud Logs IAM API Key"
+icl_hostname="Your IBM Cloud Logs Hostname"
+
+hpcr_rhvs_image_cert_path = "HPCR RHVS encryption certificate path"

terraform-hpcr-rhvs/ibm-cloud-infrastructure-center/my-settings.auto.tfvars-template

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginxdemos
+spec:
+  containers:
+  - name: nginxdemos
+    image: docker.io/nginxdemos/hello@sha256:dedfbe85183df66f3fdc99accf53e1b2171908dffd4d6556603ba4810b1fce6e
+    ports:
+    - containerPort: 80
+      hostPort: 80
+  restartpolicy: Always

terraform-hpcr-rhvs/ibm-cloud-infrastructure-center/pods/pods.yaml

@@ -0,0 +1,124 @@
+terraform {
+  required_providers {
+    openstack = {
+      source  = "terraform-provider-openstack/openstack"
+      version = ">= 2.1.0"
+    }
+    hpcr = {
+      source  = "ibm-hyper-protect/hpcr"
+      version = ">= 0.1.4"
+    }
+  }
+}
+
+# Initialise openstack
+provider "openstack" {
+  user_name   = var.icic_username
+  password    = var.icic_password
+  tenant_name = var.icic_tenant_name
+  auth_url    = var.icic_auth_url
+  domain_name = var.icic_domain_name
+  insecure    = true
+}
+
+# Create HPCR RHVS Image on ICIC
+resource "openstack_images_image_v2" "icic_hpcr_rhvs_image" {
+  name             = "${var.prefix}-image"
+  local_file_path  = var.hpcr_rhvs_image_path
+  container_format = "bare"
+  disk_format      = "qcow2"
+  properties = {
+    os_name          = "Linux"
+    os_distro        = "Rhel9"
+    architecture     = "s390x"
+    disk_type        = "SCSI"
+    secure_execution = "True"
+    hypervisor_type  = "kvm"
+  }
+}
+
+# Create flavour to define resource requirements for HPCR-RHVS
+resource "openstack_compute_flavor_v2" "icic_hpcr_rhvs_flavor" {
+  name  = "${var.prefix}-flavor"
+  ram   = "4096"
+  vcpus = "2"
+  disk  = "10"
+}
+
+# Create security group
+resource "openstack_networking_secgroup_v2" "icic_hpcr_rhvs_sg" {
+  name        = "${var.prefix}-sg"
+  description = "HPCR RHVS ICIC security group"
+}
+
+# Allow inbound HTTP (port 80)
+resource "openstack_networking_secgroup_rule_v2" "icic_hpcr_rhvs_sg_rule_http" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 80
+  port_range_max    = 80
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = openstack_networking_secgroup_v2.icic_hpcr_rhvs_sg.id
+}
+
+# Allow all outbound traffic
+resource "openstack_networking_secgroup_rule_v2" "icic_hpcr_rhvs_rule_all_outbound" {
+  direction         = "egress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 1
+  port_range_max    = 65535
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = openstack_networking_secgroup_v2.icic_hpcr_rhvs_sg.id
+}
+
+# Generates base64 of archive of pods.yaml
+resource "hpcr_tgz" "contract" {
+  folder = "pods"
+}
+
+locals {
+  # contract in clear text
+  contract = yamlencode({
+    "env" : {
+      "type" : "env",
+      "logging" : {
+        "logRouter" : {
+          "iamApiKey" : var.icl_iam_apikey,
+          "hostname" : var.icl_hostname,
+        }
+      }
+    },
+    "workload" : {
+      "type" : "workload",
+      "play" : {
+        "archive" : hpcr_tgz.contract.rendered
+      }
+    }
+  })
+}
+
+# Generates encrypted contract
+resource "hpcr_contract_encrypted" "contract" {
+  contract = local.contract
+  cert = file(var.hpcr_rhvs_image_cert_path)
+}
+
+# Provision HPCR RHVS instance
+resource "openstack_compute_instance_v2" "icic_hpcr_rhvs_instance" {
+  name      = "${var.prefix}-instance"
+  image_id  = openstack_images_image_v2.icic_hpcr_rhvs_image.id
+  flavor_id = openstack_compute_flavor_v2.icic_hpcr_rhvs_flavor.id
+  
+  network {
+    name = var.icic_network_name
+  }
+
+  scheduler_hints {
+    query = ["==", "hypervisor_hostname", var.icic_target_compute_node]
+  }
+
+  security_groups = [ openstack_networking_secgroup_v2.icic_hpcr_rhvs_sg.name ]
+  user_data = hpcr_contract_encrypted.contract.rendered
+}

terraform-hpcr-rhvs/ibm-cloud-infrastructure-center/terraform.tf

@@ -0,0 +1,64 @@
+variable "icic_username" {
+  type        = string
+  default     = "root"
+  description = "Username to access ICIC"
+}
+
+variable "icic_password" {
+  type        = string
+  description = "Password to access ICIC"
+}
+
+variable "icic_tenant_name" {
+  type        = string
+  default     = "ibm-default"
+  description = "Tenant name for ICIC account"
+}
+
+variable "icic_auth_url" {
+  type        = string
+  description = "ICIC authentication URL"
+}
+
+variable "prefix" {
+  type = string
+  description = "name prefix"
+  default = "hpcr-rhvs"
+}
+
+variable "icic_domain_name" {
+  type        = string
+  default     = "default"
+  description = "ICIC domain name"
+}
+
+variable "hpcr_rhvs_image_path" {
+  type = string
+  description = "Path to HPCR RHVS image"
+}
+
+variable "icic_network_name" {
+  type = string
+  description = "ICIC network name"
+}
+
+variable "icic_target_compute_node" {
+  type = string
+  description = "Target compute node"
+}
+
+variable "icl_iam_apikey" {
+  type        = string
+  sensitive   = true
+  description = "IAM Key of IBM Cloud Logs"
+}
+
+variable "icl_hostname" {
+  type        = string
+  description = "Hostname of IBM Cloud Logs"
+}
+
+variable "hpcr_rhvs_image_cert_path" {
+  type = string
+  description = "Path to your HPCR image certificate"
+}