Add terraform for provisioning s390x build cluster on ibmcloud

[sudharshanibm]

Add terraform for provisioning s390x build cluster on ibmcloud

• k8s-s390x-infra-setup: Terraform resources to set up the necessary infrastructure in an IBM Cloud account, which will serve as prerequisites for the k8s-s390x-build-cluster automation.
• k8s-s390x-build-cluster: Terraform resources to provision the s390x Build Cluster infrastructure in IBM Cloud.

[k8s-ci-robot]

Welcome @sudharshanibm!

It looks like this is your first PR to kubernetes/k8s.io 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/k8s.io has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @sudharshanibm. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sudharshanibm
Once this PR has been reviewed and has the lgtm label, please assign upodroid for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• infra/ibmcloud/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bryantbiggs]

this is not very declarative - is this truly required or can the verification be run as a one-off by someone? do we expect things to not be setup correct via Terraform (i.e. - verification here fails) periodically or at all? (if so - that seems problematic and who or what is intended to fix that 😅 )

[sudharshanibm]

The bastion instance’s initial setup and networking configuration are handled through a cloud-init script in user_data. Runtime verification of the bastion’s internal state is treated as an operational concern, and can be performed outside of Terraform via automation/manual checks.

[bryantbiggs]

can we use an improved alternate terminology? main, primary, control-plane?

[sudharshanibm]

updated all occurrences of master to control-plane

[bryantbiggs]

the use of k8s-* throughout the file names, resource names, etc. seems to be redundant (i.e. - its defined in a K8s repo/org so its assumed to be for K8s, no need to re-state that in the names)

[sudharshanibm]

Hi @bryantbiggs , thanks for pointing that out
I followed the same naming convention since the existing s390x setup is already connected to ArgoCD with k8s-* prefixed names (ref: #8332 ).

[bryantbiggs]

the names should be viewed as a hierarchy level just below the resource type, but read together. so ibm_is_lb.k8s_load_balancer is essentially IBM load balancer - Kubernetes load balancer

what about something shorter and more descriptive public (ibm_is.lb.public)?

[sudharshanibm]

Updated k8s_load_balancer to public

[bryantbiggs]

again, the name is very redundant. Its in a K8s repo, is this infrastructure deployed in an account that hosts resources for things outside of K8s? If yes = fine, keep the k8s, if not, drop it. Also, the resource is a load balancer so no need to add that to the name (my name is Bryant Biggs not Bryant Biggs human 😅 ). Lastly, I assume this is only for testing on s390x platforms so is that adding anything to the name? Maybe it is, maybe it isn't - I don't have enough context to say. But what about something more descriptive as to its intent and aligned with resources already defined in the repo

k8s.io/infra/aws/terraform/kops-infra-ci/locals.tf

Line 19 in 384da9f

kops-infra-ci-name = "kops-infra-ci"

what about s390x-ci? or if you desire the full name k8s-s390x-ci?

[bryantbiggs]

Note: this same thinking above applies throughout the change set

[sudharshanibm]

updated k8s-s390x-lb to k8s-s390x-ci

[bryantbiggs]

6443 appears in a number of places - good chance it should be a local variable to avoid mis-matches

[sudharshanibm]

refactored to use a variable api_server_port (default 6443)

[bryantbiggs]

Suggested change

	data "ibm_is_security_group" "bastion_sg" {
	data "ibm_is_security_group" "bastion" {

Security group is already in the resource type - don't repeat in the resource name

[sudharshanibm]

I already have resource ibm_is_instance bastion defined in bastion.tf, so reusing bastion here would cause a naming conflict

[bryantbiggs]

no - thats a different resource from this data source so no conflict

[sudharshanibm]

renamed bastion_sg --> bastion

[bryantbiggs]

this should be a for_each so that we avoid amplifying disruptions

[sudharshanibm]

updated the control-plane to use for_each in nodes.tf

[bryantbiggs]

should this be a variable?

[sudharshanibm]

Removed the variable, Thanks!

[bryantbiggs]

should this be a variable?

[sudharshanibm]

bastion now generated in locals

[bryantbiggs]

should this be a variable?

[sudharshanibm]

control-plane now generated in locals

[bryantbiggs]

should this be a variable?

[sudharshanibm]

compute now generated in locals

[bryantbiggs]

variables are mostly used in modules - I would argue, are these required? Should they be local variables instead (if they are used in multiple places but not intended to be configured dynamically outside of whats stored in git)?

[sudharshanibm]

In this case, these values are intended to be configurable by automation (Ansible playbooks) rather than hard-coded in the repo

[bryantbiggs]

ansible to deploy Terraform - why?

[sudharshanibm]

Thanks for circling back on this. I realize my earlier explanation may have caused some confusion. What I meant is that while we do have downstream automation that consumes certain outputs for cluster setup, that doesn’t mean all of the Terraform configuration itself needs to be exposed as variables.

After revisiting your feedback, I’ve updated the code so that only true external inputs like API key, region, secrets manager ID, counts, profiles, etc., remain as variables. The structured definitions for bastion, control-plane, and compute nodes are now generated in locals, which keeps the interface cleaner and avoids over-exposing internal implementation details

[bryantbiggs]

I still don't grok why most of these variables need to exist (ignoring the API key for now). for example, we can't simply change the region nor do I believe we intended on doing so. if we need to set the name of the region in multiple locations, thats what a local variable is good for.

variables are public inputs for a public interface
local variables are a private implementation detail

[bryantbiggs]

likewise, use for_each

[sudharshanibm]

updated the compute to use for_each in nodes.tf

[bryantbiggs]

this doesn't appear to be doing anything - can it be removed?

[bryantbiggs]

outputs are intended to be consumed elsewhere - are all of these intended to be consumed somewhere else?

[sudharshanibm]

Yes, these outputs are consumed in our Ansible automation for installing Kubernetes. Specifically, the IPs and load balancer hostname are passed into the Ansible playbook ansible-playbook -v -i examples/k8s-build-cluster/hosts.yml install-k8s-ha.yaml -e @group_vars/bastion_configuration --extra-vars @group_vars/all to configure the bastion, control-plane, and worker nodes.

[bryantbiggs]

hmm, I don't know I fully follow this. so the plan would be to write these outputs to file or? how do you bridge the gap between an output in Terraform and said output landing in a file on disk that ansible then uses? Is that ansible definition going to live in this repo as well? Should we store these values somewhere that Ansible can readily retrieve - S3/SSM/etc?

[sudharshanibm]

Hi @bryantbiggs
Hope you're doing well! I wanted to follow up on this PR. I’ve addressed all the review comments you provided earlier, and the PR is ready for your re-review whenever you get a chance.
Thanks so much for your time! 🙂

[bryantbiggs]

IAM roles and short lived/ephemeral credentials should be used in place of static access and secret keys

[bryantbiggs]

who or what is intended to modify these variables? variables are only warranted on re-usable artifacts like modules. otherwise things should be declared statically or with local variables if the value needs to be kept in sync in various locations

[bryantbiggs]

we really need to think long and hard about how secrets are handled - I don't think any of these options (nit: why are there options?) are sufficient

[bryantbiggs]

seems a bit like YAGNI - usually one bastion host is sufficient

[bryantbiggs]

all of these names throughout this file are redundant

if you have to reference a 2nd resource group or a 2nd vpc, what will the data source name be? "resource_group_2"/"vpc2"? use the value provided to name is usually a safe route

Suggested change

	data "ibm_resource_group" "resource_group" {
	data "ibm_resource_group" "build_cluster" {

[bryantbiggs]

avoid the redundant naming where possible

Suggested change

	resource "ibm_is_lb_pool" "k8s_api_pool" {
	resource "ibm_is_lb_pool" "k8s_api_server" {

[bryantbiggs]

Suggested change

	resource "ibm_is_lb_listener" "k8s_api_listener" {
	resource "ibm_is_lb_listener" "k8s_api_server" {

[bryantbiggs]

Suggested change

	resource "ibm_is_lb_pool_member" "k8s_api_members" {
	resource "ibm_is_lb_pool_member" "k8s_api_server" {

[bryantbiggs]

this is the same as count #8413 (comment) FYI

I am not familiar with IBM cloud but this feels like they should be instance groups similar to an AWS autoscaling group instead of iterating over individual instances in Terraform. Do you agree? (cattle vs pets)

[bryantbiggs]

this is a redundant validation - simply drop the default = "" and you achieve the same outcome without needing to specify the validation block

[bryantbiggs]

redundant naming

Suggested change

	resource "ibm_resource_group" "build_resource_group" {
	resource "ibm_resource_group" "build_cluster" {

[bryantbiggs]

this appears to only be used in one place so just use the value directly; no need for local variable

[bryantbiggs]

this doesn't appear to be used anywhere - should we remove it?

[bryantbiggs]

description, type, and default (if there is one)

[bryantbiggs]

https://github.com/kubernetes/k8s.io/pull/8413/files#r2346779469

[bryantbiggs]

again, all of these are redundant names. since this is a module, the convention is typically to just call this this for the resource names and only use distinct names where 2 or more resources of the same time are utilized

[bryantbiggs]

drop the redundant resource name from the naming scheme throughout

• remove -vpc here

[bryantbiggs]

Suggested change

	name = "k8s-s390x-public-gw"
	name = "k8s-s390x"

[bryantbiggs]

most likely you can create a local variable of

locals {
  name = "k8s-s390x"
}

and for all these resource names, just simple update to use

  name = local.name

Don't add the -gw or -sg or -vpc, etc.

[bryantbiggs]

this would become

Suggested change

	name = "k8s-vpc-s390x-bastion-sg"
	name = "${local.name}-bastion"

[bryantbiggs]

https://github.com/kubernetes/k8s.io/pull/8413/files#r2491389305

[bryantbiggs]

FYI - I don't have approval authority on changes such as these in this repo; these are just my suggestions based on working with Terraform in various capacities over the years

the sig-k8s-infra-leads are the final approving authority