feat: public ingress option (#181)

Author: in-1911

modules/roks-ingress/main.tf

@@ -0,0 +1,225 @@
+locals {
+
+  prefix_used = var.prefix != "" && var.prefix != null ? "${var.prefix}-" : ""
+  # First entry in NLB DNS is the cluster's private ingress
+  ingress_alb_hostname = data.ibm_container_nlb_dns.cluster_nlb_dns.nlb_config[0].lb_hostname
+
+  workload_nlb_dns_data = jsondecode(restapi_object.workload_nlb_dns.create_response)
+
+  # NLB DNS API returns different structures in create and read operations
+  ingress_subdomain   = can(local.workload_nlb_dns_data.Nlb) ? local.workload_nlb_dns_data.Nlb.nlbSubdomain : local.workload_nlb_dns_data.nlbSubdomain
+  cluster_id          = can(local.workload_nlb_dns_data.Nlb) ? local.workload_nlb_dns_data.Nlb.cluster : local.workload_nlb_dns_data.cluster
+  ingress_secret_name = split(".", local.ingress_subdomain)[0]
+
+  cluster_workload_ingress_alb_hostname = data.kubernetes_service.ingress_router_service.status[0].load_balancer[0].ingress[0].hostname
+
+  nlb_dns_data = jsonencode({
+    cluster      = var.cluster_name
+    dnsType      = "public"
+    nlbSubdomain = local.ingress_subdomain
+    lbHostname   = local.cluster_workload_ingress_alb_hostname # new ALB provisioned by the ingress controller
+    #checkov:skip=CKV_SECRET_6:This is a designated namespace for igress TLS certificate
+    secretNamespace = "openshift-ingress"
+    type            = "public"
+  })
+
+  # Pick the first "Deny all" rule in the ACL to place new rules before that
+  cluster_acl_deny_rule = [for rule in data.ibm_is_network_acl_rules.alb_acl_rules.rules : rule.rule_id if rule.action == "deny"][0]
+}
+
+data "ibm_container_nlb_dns" "cluster_nlb_dns" {
+  cluster = var.cluster_name
+}
+
+# First create an NLB DNS entry - it will pick the next NLB DNS index for the name like
+# <cluster name>-<guid>-<NLB DNS index>.<region>.containers.appdomain.cloud
+# Initially the NLB DNS will point to the cluster's default load balancer
+# Once the ingress controller provisions new public ALB, this NLB DNS entry will be updated
+resource "restapi_object" "workload_nlb_dns" {
+  path          = "/v2/nlb-dns/getNlbDetails"
+  read_path     = "/v2/nlb-dns/getNlbDetails?cluster=${var.cluster_name}&nlbSubdomain={id}"
+  read_method   = "GET"
+  create_path   = "/v2/nlb-dns/vpc/createNlbDNS"
+  create_method = "POST"
+  data = jsonencode({
+    cluster         = var.cluster_name
+    dnsType         = "public"
+    lbHostname      = local.ingress_alb_hostname
+    secretNamespace = "openshift-ingress"
+    type            = "public"
+  })
+  id_attribute = "nlbSubdomain"
+  # The destruction cannot be handled in this resources because the {id} needs to be in the request body
+  # and the create and read API data structures do not match so copy_keys are not working as intended
+  # This is just a stub to avoid API errors, the actual remove operation will be done in the "patch/cleanup" resource
+  destroy_method = "GET"
+  destroy_path   = "/v2/nlb-dns/getNlbDetails?cluster=${var.cluster_name}&nlbSubdomain={id}"
+  # Update is also a stub - it needs the {id} (nlbSubdomain in the request body)
+  update_method = "GET"
+  update_path   = "/v2/nlb-dns/getNlbDetails?cluster=${var.cluster_name}&nlbSubdomain={id}"
+}
+
+# ALB private IPs take some time to get available - needed for ACL update
+resource "time_sleep" "wait_for_alb_provisioning" {
+  depends_on = [restapi_object.workload_nlb_dns]
+
+  destroy_duration = "5s"
+  create_duration  = "10m"
+}
+
+# Public ingress controller will result in provisioning a public load balancer in the cluster's VPC
+# assigned to worker nodes subnets
+resource "kubernetes_manifest" "workload_ingress" {
+  manifest = {
+    apiVersion = "operator.openshift.io/v1"
+    kind       = "IngressController"
+    metadata = {
+      name      = "${local.prefix_used}${var.public_ingress_controller_name}"
+      namespace = "openshift-ingress-operator"
+    }
+    spec = {
+      replicas = 2
+      domain   = local.ingress_subdomain
+      defaultCertificate = {
+        name = local.ingress_secret_name
+      }
+      routeSelector = {
+        matchLabels = {
+          ingress = var.public_ingress_selector_label
+        }
+      }
+      endpointPublishingStrategy = {
+        type = "LoadBalancerService"
+        loadBalancer = {
+          dnsManagementPolicy = "Managed"
+          scope               = "External"
+        }
+      }
+    }
+  }
+  wait {
+    # Wait until the ingress controller is fully available
+    # This requires a TLS secret to be created
+    # and will give time for the ALB to finish provisioning (private IPs are available)
+    condition {
+      type   = "Available"
+      status = "True"
+    }
+  }
+}
+
+data "kubernetes_service" "ingress_router_service" {
+  metadata {
+    name      = "router-${kubernetes_manifest.workload_ingress.object.metadata.name}"
+    namespace = "openshift-ingress"
+  }
+}
+
+# The "patch" resource is needed to update the ALB hostname in the NLB DNS entry
+# to point to the new ALB created by the ingress controller
+# It will update the resource created by restapi_object" "workload_nlb_dns
+# and on destry will delete the TLS secret
+resource "restapi_object" "workload_nlb_dns_patch" {
+  path         = "/v2/nlb-dns/getNlbDetails"
+  query_string = "cluster=${var.cluster_name}&nlbSubdomain=${local.ingress_subdomain}"
+  read_path    = "/v2/nlb-dns/getNlbDetails"
+  read_method  = "GET"
+  # Update existing entry with new ALB hostname instead of creating a new one
+  create_path    = "/v2/nlb-dns/vpc/replaceLBHostname"
+  create_method  = "POST"
+  data           = local.nlb_dns_data
+  object_id      = local.ingress_subdomain
+  destroy_method = "POST"
+  destroy_path   = "/v2/nlb-dns/deleteSecret"
+  # Delete ingress secret, the NLB DNS is removed by the resource creating it
+  destroy_data = jsonencode({
+    cluster   = var.cluster_name
+    subdomain = local.ingress_subdomain
+  })
+  update_method = "POST"
+  update_path   = "/v2/nlb-dns/vpc/replaceLBHostname"
+  update_data   = local.nlb_dns_data
+}
+
+# This resource is just to implement the destroy operation because it cannot be done
+# in the resource that creates the NLB DNS entry (see comment on restapi_object.workload_nlb_dns)
+resource "restapi_object" "workload_nlb_dns_cleanup" {
+  path         = "/v2/nlb-dns/getNlbDetails"
+  query_string = "cluster=${var.cluster_name}&nlbSubdomain=${local.ingress_subdomain}"
+  read_path    = "/v2/nlb-dns/getNlbDetails"
+  read_method  = "GET"
+  # Update existing entry with new ALB hostname instead of creating a new one
+  create_path   = "/v2/nlb-dns/vpc/replaceLBHostname"
+  create_method = "POST"
+  data          = local.nlb_dns_data
+  object_id     = local.ingress_subdomain
+  # Delete the ALB assignment from the NLB DNS, needs to use ingress/v2/dns API, otherwise the NLB DNS entry is not deleted
+  destroy_method = "POST"
+  destroy_path   = "/ingress/v2/dns/deleteDomain"
+  destroy_data = jsonencode({
+    cluster   = var.cluster_name
+    subdomain = local.ingress_subdomain
+  })
+  update_method = "POST"
+  update_path   = "/v2/nlb-dns/vpc/replaceLBHostname"
+  update_data   = local.nlb_dns_data
+  depends_on    = [restapi_object.workload_nlb_dns_patch]
+}
+
+# Need to get private IPs (private_ips) of the ALB to include in ACL
+data "ibm_is_lb" "ingress_vpc_alb" {
+  name       = "kube-${local.cluster_id}-${replace(data.kubernetes_service.ingress_router_service.metadata[0].uid, "-", "")}"
+  depends_on = [time_sleep.wait_for_alb_provisioning]
+}
+
+# Assuming all SLZ zones for the ALB subnet will have the same ACL
+data "ibm_is_subnet" "cluster_subnet" {
+  identifier = tolist(data.ibm_is_lb.ingress_vpc_alb.subnets)[0]
+}
+
+data "ibm_is_network_acl" "alb_acl" {
+  network_acl = data.ibm_is_subnet.cluster_subnet.network_acl
+}
+data "ibm_is_network_acl_rules" "alb_acl_rules" {
+  network_acl = data.ibm_is_network_acl.alb_acl.id
+}
+
+# Add ACL rules to allow HTTPS requests from the outside to the new public load balancer
+resource "ibm_is_network_acl_rule" "alb_https_req" {
+  count       = var.cluster_zone_count
+  network_acl = data.ibm_is_network_acl.alb_acl.id
+  before      = local.cluster_acl_deny_rule
+  name        = "${local.prefix_used}public-ingress-lba-zone${count.index + 1}-https-req"
+  action      = "allow"
+  source      = "0.0.0.0/0"
+  destination = "${data.ibm_is_lb.ingress_vpc_alb.private_ips[count.index]}/32"
+  direction   = "inbound"
+  tcp {
+    port_max        = 443
+    port_min        = 443
+    source_port_max = 65535
+    source_port_min = 1024
+  }
+  lifecycle {
+    ignore_changes = [before]
+  }
+}
+resource "ibm_is_network_acl_rule" "alb_https_resp" {
+  count       = var.cluster_zone_count
+  network_acl = data.ibm_is_network_acl.alb_acl.id
+  before      = local.cluster_acl_deny_rule
+  name        = "${local.prefix_used}public-ingress-lba-zone${count.index + 1}-https-resp"
+  action      = "allow"
+  source      = "${data.ibm_is_lb.ingress_vpc_alb.private_ips[count.index]}/32"
+  destination = "0.0.0.0/0"
+  direction   = "outbound"
+  tcp {
+    port_max        = 65535
+    port_min        = 1024
+    source_port_max = 443
+    source_port_min = 443
+  }
+  lifecycle {
+    ignore_changes = [before]
+  }
+}

modules/roks-ingress/outputs.tf

@@ -0,0 +1,24 @@
+output "cluster_workload_ingress_subdomain" {
+  description = "Public ingress subdomain"
+  value       = local.ingress_subdomain
+}
+
+output "cluster_workload_ingress_controller" {
+  description = "Ingress controller attributes"
+  value       = kubernetes_manifest.workload_ingress
+}
+
+output "cluster_workload_ingress_service" {
+  description = "Ingress controller service attributes"
+  value       = data.kubernetes_service.ingress_router_service
+}
+
+output "vpc_public_load_balancer" {
+  description = "Public ALB attributes "
+  value       = data.ibm_is_lb.ingress_vpc_alb
+}
+
+output "vpc_alb_acl" {
+  description = "ACL attributes for public ALB"
+  value       = data.ibm_is_network_acl.alb_acl
+}

modules/roks-ingress/variables.tf

@@ -0,0 +1,28 @@
+variable "prefix" {
+  description = "Prefix for resources to be created"
+  type        = string
+}
+
+variable "cluster_name" {
+  description = "Cluster name"
+  type        = string
+}
+
+# Need to have the count of zones to determine how many rules to add to the ACL for public ingress
+variable "cluster_zone_count" {
+  description = "Number of zones the cluster nodes are deployed in"
+  type        = number
+  default     = 2
+}
+
+variable "public_ingress_controller_name" {
+  description = "Name for the ingress controller to be created"
+  type        = string
+  default     = "ingress-public"
+}
+
+variable "public_ingress_selector_label" {
+  description = "Value for ingress label to select routes admitted to public ingress"
+  type        = string
+  default     = "ingress-public"
+}

modules/roks-ingress/version.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = ">= 1.67.1"
+    }
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = ">= 1.19.1"
+    }
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.9.1"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.32.0"
+    }
+  }
+  required_version = ">= 1.3.0"
+}

solutions/banking/main.tf

@@ -106,6 +106,21 @@ resource "ibm_resource_instance" "cd_instance" {
   resource_group_id = data.ibm_resource_group.toolchain_resource_group_id.id
 }
 
+# ----------------------- Cluster deployment options
+module "cluster_ingress" {
+  providers = {
+    restapi = restapi.oc_api
+    ibm     = ibm.ibm_resources
+  }
+  count              = var.cluster_name != null && var.provision_public_ingress ? 1 : 0
+  source             = "../../modules/roks-ingress"
+  prefix             = var.prefix
+  cluster_name       = var.cluster_name
+  cluster_zone_count = var.cluster_zone_count
+}
+
+
+# ----------------------- Watson services configuration
 module "configure_wml_project" {
   providers = {
     ibm                           = ibm.ibm_resources
@@ -270,6 +285,28 @@ resource "ibm_cd_tekton_pipeline_property" "watsonx_assistant_integration_id_pip
   value       = module.configure_watson_assistant.watsonx_assistant_integration_id
 }
 
+# Update CI pipeline with public ingress subdomain
+resource "ibm_cd_tekton_pipeline_property" "cluster_public_ingress_subdomain_pipeline_property_ci" {
+  count       = var.cluster_name != null && var.provision_public_ingress ? 1 : 0
+  provider    = ibm.ibm_resources
+  depends_on  = [local.cd_instance]
+  name        = "cluster_public_ingress_subdomain"
+  pipeline_id = var.ci_pipeline_id
+  type        = "text"
+  value       = module.cluster_ingress[0].cluster_workload_ingress_subdomain
+}
+
+# Update CD pipeline with public ingress subdomain
+resource "ibm_cd_tekton_pipeline_property" "cluster_public_ingress_subdomain_pipeline_property_cd" {
+  count       = var.cluster_name != null && var.provision_public_ingress ? 1 : 0
+  provider    = ibm.ibm_resources
+  depends_on  = [local.cd_instance]
+  name        = "cluster_public_ingress_subdomain"
+  pipeline_id = var.cd_pipeline_id
+  type        = "text"
+  value       = module.cluster_ingress[0].cluster_workload_ingress_subdomain
+}
+
 # Random string for webhook token
 resource "random_string" "webhook_secret" {
   length  = 48

solutions/banking/outputs.tf

@@ -47,3 +47,13 @@ output "elastic_collection_count" {
   description = "Count of sample data items uplaoded to elastic index"
   value       = local.use_elastic_index ? module.configure_elastic_index[0].elastic_upload_count : 0
 }
+
+output "cluster_workload_ingress_subdomain" {
+  description = "Subdomain of the cluster's public ingress"
+  value       = var.cluster_name != null && var.provision_public_ingress ? module.cluster_ingress[0].cluster_workload_ingress_subdomain : null
+}
+
+output "sample_app_public_url" {
+  description = "URL of the public route of the sample app deployed on ROKS cluster"
+  value       = var.cluster_name != null && var.provision_public_ingress ? "https://gen-ai-rag-sample-app-tls-dev.${module.cluster_ingress[0].cluster_workload_ingress_subdomain}" : null
+}