feat: added support to specify the operating system for OCP cluster workers using new input operating_system (#848)

Co-authored-by: Khuzaima-Shakeel <Khuzaima.Shakeel@ibm.com>
Co-authored-by: Conall Ó Cofaigh <ocofaigh@ie.ibm.com>

Author: 3 people

README.md

@@ -908,7 +908,7 @@ module "cluster_pattern" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_appid"></a> [appid](#input\_appid) | The App ID instance to be used for the teleport vsi deployments | <pre>object({<br>    name           = optional(string)<br>    resource_group = optional(string)<br>    use_data       = optional(bool)<br>    keys           = optional(list(string))<br>    use_appid      = bool<br>  })</pre> | <pre>{<br>  "use_appid": false<br>}</pre> | no |
 | <a name="input_atracker"></a> [atracker](#input\_atracker) | atracker variables | <pre>object({<br>    resource_group        = string<br>    receive_global_events = bool<br>    collector_bucket_name = string<br>    add_route             = bool<br>  })</pre> | n/a | yes |
-| <a name="input_clusters"></a> [clusters](#input\_clusters) | A list describing clusters workloads to create | <pre>list(<br>    object({<br>      name                                = string           # Name of Cluster<br>      vpc_name                            = string           # Name of VPC<br>      subnet_names                        = list(string)     # List of vpc subnets for cluster<br>      workers_per_subnet                  = number           # Worker nodes per subnet.<br>      machine_type                        = string           # Worker node flavor<br>      kube_type                           = string           # iks or openshift<br>      kube_version                        = optional(string) # Can be a version from `ibmcloud ks versions` or `default`<br>      entitlement                         = optional(string) # entitlement option for openshift<br>      secondary_storage                   = optional(string) # Secondary storage type<br>      pod_subnet                          = optional(string) # Portable subnet for pods<br>      service_subnet                      = optional(string) # Portable subnet for services<br>      resource_group                      = string           # Resource Group used for cluster<br>      cos_name                            = optional(string) # Name of COS instance Required only for OpenShift clusters<br>      access_tags                         = optional(list(string), [])<br>      boot_volume_crk_name                = optional(string)      # Boot volume encryption key name<br>      disable_public_endpoint             = optional(bool, true)  # disable cluster public, leaving only private endpoint<br>      disable_outbound_traffic_protection = optional(bool, false) # public outbound access from the cluster workers<br>      cluster_force_delete_storage        = optional(bool, false) # force the removal of persistent storage associated with the cluster during cluster deletion<br>      kms_wait_for_apply                  = optional(bool, true)  # make terraform wait until KMS is applied to master and it is ready and deployed<br>      addons = optional(object({                                  # Map of OCP cluster add-on versions to install<br>        debug-tool                = optional(string)<br>        image-key-synchronizer    = optional(string)<br>        openshift-data-foundation = optional(string)<br>        vpc-file-csi-driver       = optional(string)<br>        static-route              = optional(string)<br>        cluster-autoscaler        = optional(string)<br>        vpc-block-csi-driver      = optional(string)<br>        ibm-storage-operator      = optional(string)<br>      }), {})<br>      manage_all_addons = optional(bool, false) # Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module will destroy any addons that were installed by other sources.<br>      kms_config = optional(<br>        object({<br>          crk_name         = string         # Name of key<br>          private_endpoint = optional(bool) # Private endpoint<br>        })<br>      )<br>      worker_pools = optional(<br>        list(<br>          object({<br>            name                 = string           # Worker pool name<br>            vpc_name             = string           # VPC name<br>            workers_per_subnet   = number           # Worker nodes per subnet<br>            flavor               = string           # Worker node flavor<br>            subnet_names         = list(string)     # List of vpc subnets for worker pool<br>            entitlement          = optional(string) # entitlement option for openshift<br>            secondary_storage    = optional(string) # Secondary storage type<br>            boot_volume_crk_name = optional(string) # Boot volume encryption key name<br>          })<br>        )<br>      )<br>    })<br>  )</pre> | n/a | yes |
+| <a name="input_clusters"></a> [clusters](#input\_clusters) | A list describing clusters workloads to create | <pre>list(<br>    object({<br>      name                                = string           # Name of Cluster<br>      vpc_name                            = string           # Name of VPC<br>      subnet_names                        = list(string)     # List of vpc subnets for cluster<br>      workers_per_subnet                  = number           # Worker nodes per subnet.<br>      machine_type                        = string           # Worker node flavor<br>      kube_type                           = string           # iks or openshift<br>      kube_version                        = optional(string) # Can be a version from `ibmcloud ks versions` or `default`<br>      entitlement                         = optional(string) # entitlement option for openshift<br>      secondary_storage                   = optional(string) # Secondary storage type<br>      pod_subnet                          = optional(string) # Portable subnet for pods<br>      service_subnet                      = optional(string) # Portable subnet for services<br>      resource_group                      = string           # Resource Group used for cluster<br>      cos_name                            = optional(string) # Name of COS instance Required only for OpenShift clusters<br>      access_tags                         = optional(list(string), [])<br>      boot_volume_crk_name                = optional(string)       # Boot volume encryption key name<br>      disable_public_endpoint             = optional(bool, true)   # disable cluster public, leaving only private endpoint<br>      disable_outbound_traffic_protection = optional(bool, false)  # public outbound access from the cluster workers<br>      cluster_force_delete_storage        = optional(bool, false)  # force the removal of persistent storage associated with the cluster during cluster deletion<br>      operating_system                    = optional(string, null) #The operating system of the workers in the default worker pool. If no value is specified, the current default version OS will be used. See https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions#openshift_versions_available .<br>      kms_wait_for_apply                  = optional(bool, true)   # make terraform wait until KMS is applied to master and it is ready and deployed<br>      addons = optional(object({                                   # Map of OCP cluster add-on versions to install<br>        debug-tool                = optional(string)<br>        image-key-synchronizer    = optional(string)<br>        openshift-data-foundation = optional(string)<br>        vpc-file-csi-driver       = optional(string)<br>        static-route              = optional(string)<br>        cluster-autoscaler        = optional(string)<br>        vpc-block-csi-driver      = optional(string)<br>        ibm-storage-operator      = optional(string)<br>      }), {})<br>      manage_all_addons = optional(bool, false) # Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module will destroy any addons that were installed by other sources.<br>      kms_config = optional(<br>        object({<br>          crk_name         = string         # Name of key<br>          private_endpoint = optional(bool) # Private endpoint<br>        })<br>      )<br><br>      worker_pools = optional(<br>        list(<br>          object({<br>            name                 = string           # Worker pool name<br>            vpc_name             = string           # VPC name<br>            workers_per_subnet   = number           # Worker nodes per subnet<br>            flavor               = string           # Worker node flavor<br>            subnet_names         = list(string)     # List of vpc subnets for worker pool<br>            entitlement          = optional(string) # entitlement option for openshift<br>            secondary_storage    = optional(string) # Secondary storage type<br>            boot_volume_crk_name = optional(string) # Boot volume encryption key name<br>            operating_system     = optional(string) # The operating system of the workers in the default worker pool. If no value is specified, the current default version OS will be used. See https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions#openshift_versions_available .<br>          })<br>        )<br>      )<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_cos"></a> [cos](#input\_cos) | Object describing the cloud object storage instance, buckets, and keys. Set `use_data` to false to create instance | <pre>list(<br>    object({<br>      name           = string<br>      use_data       = optional(bool)<br>      resource_group = string<br>      plan           = optional(string)<br>      random_suffix  = optional(bool) # Use a random suffix for COS instance<br>      access_tags    = optional(list(string), [])<br>      buckets = list(object({<br>        name                  = string<br>        storage_class         = string<br>        endpoint_type         = string<br>        force_delete          = bool<br>        single_site_location  = optional(string)<br>        region_location       = optional(string)<br>        cross_region_location = optional(string)<br>        kms_key               = optional(string)<br>        access_tags           = optional(list(string), [])<br>        allowed_ip            = optional(list(string), [])<br>        hard_quota            = optional(number)<br>        archive_rule = optional(object({<br>          days    = number<br>          enable  = bool<br>          rule_id = optional(string)<br>          type    = string<br>        }))<br>        expire_rule = optional(object({<br>          days                         = optional(number)<br>          date                         = optional(string)<br>          enable                       = bool<br>          expired_object_delete_marker = optional(string)<br>          prefix                       = optional(string)<br>          rule_id                      = optional(string)<br>        }))<br>        activity_tracking = optional(object({<br>          activity_tracker_crn = string<br>          read_data_events     = bool<br>          write_data_events    = bool<br>        }))<br>        metrics_monitoring = optional(object({<br>          metrics_monitoring_crn  = string<br>          request_metrics_enabled = optional(bool)<br>          usage_metrics_enabled   = optional(bool)<br>        }))<br>      }))<br>      keys = optional(<br>        list(object({<br>          name        = string<br>          role        = string<br>          enable_HMAC = bool<br>        }))<br>      )<br><br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_enable_transit_gateway"></a> [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Create transit gateway | `bool` | `true` | no |
 | <a name="input_f5_template_data"></a> [f5\_template\_data](#input\_f5\_template\_data) | Data for all f5 templates | <pre>object({<br>    tmos_admin_password     = optional(string)<br>    license_type            = optional(string)<br>    byol_license_basekey    = optional(string)<br>    license_host            = optional(string)<br>    license_username        = optional(string)<br>    license_password        = optional(string)<br>    license_pool            = optional(string)<br>    license_sku_keyword_1   = optional(string)<br>    license_sku_keyword_2   = optional(string)<br>    license_unit_of_measure = optional(string)<br>    do_declaration_url      = optional(string)<br>    as3_declaration_url     = optional(string)<br>    ts_declaration_url      = optional(string)<br>    phone_home_url          = optional(string)<br>    template_source         = optional(string)<br>    template_version        = optional(string)<br>    app_id                  = optional(string)<br>    tgactive_url            = optional(string)<br>    tgstandby_url           = optional(string)<br>    tgrefresh_url           = optional(string)<br>  })</pre> | <pre>{<br>  "license_type": "none"<br>}</pre> | no |

cluster.tf

@@ -59,6 +59,7 @@ resource "ibm_container_vpc_cluster" "cluster" {
   # if kube_version is older than 4.15, default this value to null, otherwise provider will fail
   disable_outbound_traffic_protection = startswith((lookup(each.value, "kube_version", null) == "default" || lookup(each.value, "kube_version", null) == null ? local.default_kube_version[each.value.kube_type] : each.value.kube_version), "4.12") || startswith((lookup(each.value, "kube_version", null) == "default" || lookup(each.value, "kube_version", null) == null ? local.default_kube_version[each.value.kube_type] : each.value.kube_version), "4.13") || startswith((lookup(each.value, "kube_version", null) == "default" || lookup(each.value, "kube_version", null) == null ? local.default_kube_version[each.value.kube_type] : each.value.kube_version), "4.14") ? null : each.value.disable_outbound_traffic_protection
   force_delete_storage                = each.value.cluster_force_delete_storage
+  operating_system                    = each.value.operating_system
   crk                                 = each.value.boot_volume_crk_name == null ? null : regex("key:(.*)", module.key_management.key_map[each.value.boot_volume_crk_name].crn)[0]
   kms_instance_id                     = each.value.boot_volume_crk_name == null ? null : regex(".*:(.*):key:.*", module.key_management.key_map[each.value.boot_volume_crk_name].crn)[0]
   kms_account_id                      = each.value.boot_volume_crk_name == null ? null : regex("a/([a-f0-9]{32})", module.key_management.key_map[each.value.boot_volume_crk_name].crn)[0] == data.ibm_iam_account_settings.iam_account_settings.account_id ? null : regex("a/([a-f0-9]{32})", module.key_management.key_map[each.value.boot_volume_crk_name].crn)[0]

patterns/roks-quickstart/main.tf

@@ -39,6 +39,7 @@ locals {
          "resource_group": "workload-rg",
          "disable_outbound_traffic_protection": true,
          "cluster_force_delete_storage": true,
+         "operating_system": null,
          "kms_wait_for_apply": true,
          "kms_config": {
             "crk_name": "roks-key",

patterns/roks/main.tf

@@ -52,6 +52,7 @@ module "roks_landing_zone" {
   license_username                       = var.license_username
   disable_outbound_traffic_protection    = var.disable_outbound_traffic_protection
   cluster_force_delete_storage           = var.cluster_force_delete_storage
+  operating_system                       = var.operating_system
   license_password                       = var.license_password
   license_pool                           = var.license_pool
   license_sku_keyword_1                  = var.license_sku_keyword_1

patterns/roks/module/config.tf

@@ -92,6 +92,7 @@ locals {
         boot_volume_crk_name                = "${var.prefix}-roks-key"
         disable_outbound_traffic_protection = var.disable_outbound_traffic_protection
         cluster_force_delete_storage        = var.cluster_force_delete_storage
+        operating_system                    = var.operating_system
         kms_wait_for_apply                  = var.kms_wait_for_apply
         # By default, create dedicated pool for logging
         worker_pools = [

patterns/roks/module/variables.tf

@@ -202,6 +202,16 @@ variable "cluster_force_delete_storage" {
   default     = false
 }
 
+variable "operating_system" {
+  type        = string
+  description = "The operating system of the workers in the default worker pool. If no value is specified, the current default version OS will be used. See https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions#openshift_versions_available ."
+  default     = null
+  validation {
+    error_message = "RHEL 8 (REDHAT_8_64) or Red Hat Enterprise Linux CoreOS (RHCOS) are the allowed OS values. RHCOS requires VPC clusters created from 4.15 onwards. Upgraded clusters from 4.14 cannot use RHCOS."
+    condition     = var.operating_system == null || var.operating_system == "REDHAT_8_64" || var.operating_system == "RHCOS"
+  }
+}
+
 ##############################################################################
 
 

patterns/roks/override.json

@@ -16,6 +16,7 @@
             "resource_group": "slz-management-rg",
             "disable_outbound_traffic_protection": false,
             "cluster_force_delete_storage": false,
+            "operating_system": null,
             "kms_wait_for_apply": true,
             "kms_config": {
                 "crk_name": "slz-roks-key",

patterns/roks/variables.tf

@@ -211,6 +211,16 @@ variable "cluster_force_delete_storage" {
   default     = false
 }
 
+variable "operating_system" {
+  type        = string
+  description = "The operating system of the workers in the default worker pool. If no value is specified, the current default version OS will be used. See https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions#openshift_versions_available ."
+  default     = null
+  validation {
+    error_message = "RHEL 8 (REDHAT_8_64) or Red Hat Enterprise Linux CoreOS (RHCOS) are the allowed OS values. RHCOS requires VPC clusters created from 4.15 onwards. Upgraded clusters from 4.14 cannot use RHCOS."
+    condition     = var.operating_system == null || var.operating_system == "REDHAT_8_64" || var.operating_system == "RHCOS"
+  }
+}
+
 ##############################################################################