diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 472cde195425dd77b603a4f928a1d04f30b246e0..85a87c72a0e04030e1bfd32bceb577f61ce2b086 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -277,7 +277,7 @@ Breaking changes ├── state/ # Auto-generated files that need to be preserved. MUST be checked into version control │ ├── wireguard/ │ │ └── ipam.toml # WireGuard IP address management - │ ├── terraform/ # Terraform specific state files + │ ├── terraform/ # OpenTofu specific state files ┊ ┊ @@ -304,7 +304,7 @@ Breaking changes The migration script will point out these cases. _ (`!1265 `_) -- The following Terraform resources are deprecated and have been updated: +- The following OpenTofu resources are deprecated and have been updated: - ``openstack_compute_floatingip_associate_v2`` replaced by ``openstack_networking_floatingip_associate_v2`` @@ -432,7 +432,7 @@ Changed functionality _ (`!1456 `_) - Most options from the terraform configuration section have moved into one of two new sections, either ``openstack`` for OpenStack specific options or ``infra`` for options used by all clusters. Have a look at the deprecation warnings during Nix evaluation. (`!1466 `_) - ``vault.cluster_name`` now defaults to ``infra.cluster_name`` (`!1466 `_) -- Cloud&Heat specific default have been removed from the Terraform module. (`!1504 `_) +- Cloud&Heat specific default have been removed from the OpenTofu module. (`!1504 `_) - Depending on the IP version enabled, node address autodetection is explicitly set to ``{}``. (`!1529 `_) - Additional testing in the CI pipeline has been added that verifies that :doc:`Kubernetes certificate signing ` is functional. (`!1543 `_) - The default blackbox-exporter version has been bumped to v9.1.0. (`!1575 `_) 
@@ -477,7 +477,7 @@ Bugfixes - Thanos compactor is now restarted on failure. Previously it just stopped operation but never exited (see `issue #724 `_). (`!1592 `_) -- The YAOOK/K8s Terraform module does not fail anymore +- The YAOOK/K8s OpenTofu module does not fail anymore if there are multiple Openstack images with the same name but simply selects the most recent one. (`!1598 `_) - A bug has been fixed which caused Kubernetes upgrades to fail if :ref:`configuration-options.yk8s.kubernetes.controller_manager.enable_signing_requests` is enabled. (`!1608 `_, `!1675 `_) @@ -498,7 +498,7 @@ Changes in the Documentation - A short description about ``tools/vault/update.sh`` has been added. (`!1599 `_) - A user facing :doc:`tutorial ` has been created, which describes how to upgrade to a new YAOOK/K8s release. (`!1602 `_, `!1660 `_) -- The Terraform developer reference documentation has been dropped in favor of :ref:`configuration-options.yk8s.terraform`. (`!1611 `_) +- The OpenTofu developer reference documentation has been dropped in favor of :ref:`configuration-options.yk8s.terraform`. (`!1611 `_) - Some typos have been fixed (`!1615 `_) - Minor fixes in the docs. (`!1642 `_) @@ -720,12 +720,12 @@ v8.0.0 (2024-08-28) Breaking changes ~~~~~~~~~~~~~~~~ -- The YAOOK/K8s Terraform module now allows worker nodes +- The YAOOK/K8s OpenTofu module now allows worker nodes to be joined into individual anti affinity groups. .. attention:: Action required - You must migrate your Terraform state + You must migrate your OpenTofu state by running the migration script. .. code:: shell 
@@ -733,10 +733,10 @@ Breaking changes ./managed-k8s/actions/migrate-to-release.sh _ (`!1317 `_) -- The YAOOK/K8s Terraform module +- The YAOOK/K8s OpenTofu module does not build a default set of nodes (3 masters + 4 workers) anymore when no nodes are given. (`!1317 `_) -- The automatic just-in-time migration of Terraform resources +- The automatic just-in-time migration of OpenTofu resources from ``count`` to ``for_each`` introduced in July 2022 was removed in favor of a once-and-for-all migration. @@ -745,7 +745,7 @@ Breaking changes ./managed-k8s/actions/migrate-to-release.sh _ (`!1317 `_) -- YAOOK/K8s Terraform does not implicitly assign +- YAOOK/K8s OpenTofu does not implicitly assign nodes to availability zones anymore if actually none was configured for a node. @@ -761,9 +761,9 @@ Breaking changes .. attention:: Action required - To prevent Terraform from unneccessarily rebuilding master and worker nodes, + To prevent OpenTofu from unneccessarily rebuilding master and worker nodes, you must run the migration script. - This will determine each nodes' availability zone in the Terraform state + This will determine each nodes' availability zone in the OpenTofu state to set in the config for you. .. code:: @@ -773,10 +773,10 @@ Breaking changes _ (`!1317 `_) - The format of the ``[terraform]`` config section changed significantly. - Terraform nodes are now to be configured as blocks of values + OpenTofu nodes are now to be configured as blocks of values rather than across separate lists for each type of value. - Furthermore you now have control over the whole name of Terraform nodes, + Furthermore you now have control over the whole name of OpenTofu nodes, see :ref:`the documentation ` for further details. @@ -874,7 +874,7 @@ Breaking changes .. attention:: Action required - To prevent Terraform from unnecessarily rebuilding gateway nodes, + To prevent OpenTofu from unnecessarily rebuilding gateway nodes, you must run the migration script. .. code:: shell 
@@ -887,8 +887,8 @@ Breaking changes New Features ~~~~~~~~~~~~ -- Terraform: Anti affinity group settings are now configurable per worker node. (`!1317 `_) -- Terraform: The amount of gateway nodes created is not dependent +- OpenTofu: Anti affinity group settings are now configurable per worker node. (`!1317 `_) +- OpenTofu: The amount of gateway nodes created is not dependent on the amount of availability zones anymore and can be set with ``[terraform].gateway_count``. The setting's default yields the previous behavior @@ -905,7 +905,7 @@ New Features Changed functionality ~~~~~~~~~~~~~~~~~~~~~ -- The minimum Terraform version is increased to 1.3 (`!1317 `_) +- The minimum OpenTofu version is increased to 1.3 (`!1317 `_) Bugfixes @@ -917,7 +917,7 @@ Bugfixes Other Tasks ~~~~~~~~~~~ -- The Terraform code responsible for generating the instance resources +- The OpenTofu code responsible for generating the instance resources was streamlined. (`!1317 `_) - `!1441 `_, `!1442 `_, `!1444 `_, `!1445 `_ @@ -959,7 +959,7 @@ Breaking changes -dualstack_support = false +ipv6_enabled = false - Existing clusters running on OpenStack must execute the Terraform stage once: + Existing clusters running on OpenStack must execute the OpenTofu stage once: .. code:: console @@ -1005,7 +1005,7 @@ Changes in the Documentation in the :doc:`Release and Versioning Policy ` (`!1376 `_) - The documentation now links to the latest version of the Calico docs instead of a specific version (where possible). (`!1408 `_) -- The generated Terraform docs was updated. (`!1434 `_) +- The generated OpenTofu docs was updated. (`!1434 `_) Deprecations and Removals 
@@ -1291,14 +1291,14 @@ Breaking changes If you have ``[terraform].create_root_disk_on_volume = true`` set in your config, you must migrate the ``openstack_blockstorage_volume_v2`` resources - in your Terraform state to the v3 resource type + in your OpenTofu state to the v3 resource type in order to prevent rebuilds of all servers and their volumes. .. code:: shell # Execute the lines produced by the following script # This will import all v2 volumes as v3 volumes - # and remove the v2 volume resources from the Terraform state. + # and remove the v2 volume resources from the OpenTofu state. terraform_module="managed-k8s/terraform" terraform_config="../../terraform/config.tfvars.json" @@ -1455,7 +1455,7 @@ Bugfixes Changes in the Documentation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- Terraform references updated (`!1189 `_) +- OpenTofu references updated (`!1189 `_) - A guide on how to simulate a self-managed bare metal cluster on top of OpenStack has been added to the :doc:`documentation `. (`!1231 `_) - Instructions to install Vault have been added to the installation guide (`!1247 `_) @@ -1515,7 +1515,7 @@ Breaking changes ``[terraform].prevent_disruption`` has been added in the config to allow the environment variable to be overridden - when Terraform is used (``TF_USAGE=true``). + when OpenTofu is used (``TF_USAGE=true``). It is set to ``true`` by default. Ultimately this prevents unintended destruction of the harbour infrastructure @@ -1758,7 +1758,7 @@ Bugfixes - Fix & generalize scheduling_key usage for managed K8s services (`!1088 `_) - Fix vault import for non-OpenStack clusters (`!1090 `_) - Don't create Flux PodMonitos if monitoring is disabled (`!1092 `_) -- Fix a bug which prevented nuking a cluster if Gitlab is used as Terraform backend (`!1093 `_) +- Fix a bug which prevented nuking a cluster if Gitlab is used as OpenTofu backend (`!1093 `_) - Fix tool ``tools/assemble_cephcluster_storage_nodes_yaml.py`` to produce valid yaml. 
@@ -1854,7 +1854,7 @@ Deprecations and Removals Other Tasks ~~~~~~~~~~~ -- Update flake dependencies and allow unfree license for Terraform (`!929 `_) +- Update flake dependencies and allow unfree license for OpenTofu (`!929 `_) Misc @@ -1942,7 +1942,7 @@ New Features - Add option to allow snippet annotations for NGINX Ingress controller (`!906 `_) - Add configuration option for persistent storage for Prometheus (`!917 `_) - Add optional configuration options for soft and hard disk pressure eviction to the ``config.toml``. (`!948 `_) -- Additionally pull a local copy of the Terraform state for disaster recovery purposes if Gitlab is configured as backend. (`!968 `_) +- Additionally pull a local copy of the OpenTofu state for disaster recovery purposes if Gitlab is configured as backend. (`!968 `_) Changed functionality @@ -2011,7 +2011,7 @@ Bugfixes makes it less likely that two backup nodes attempt to become primary at the same time, avoiding race conditions and flappiness. (`!841 `_) - Fix Thanos v1 cleanup tasks during migration to prevent accidental double deletion of resources (`!849 `_) -- Fixed incorrect templating of Thanos secrets for buckets managed by Terraform and clusters with custom names (`!854 `_) +- Fixed incorrect templating of Thanos secrets for buckets managed by OpenTofu and clusters with custom names (`!854 `_) - Rename rook_on_openstack field in config.toml to on_openstack (`!888 `_) - (`!889 `_, `!910 `_) - Fixed configuration of host network mode for rook/ceph (`!899 `_) 
@@ -2030,7 +2030,7 @@ Bugfixes - It is ensured that the values passed to the cloud-config secret are proper strings. (`!980 `_) - Fix configuration of Grafana resource limits & requests (`!982 `_) - Bump to latest K8s patch releases (`!994 `_) -- Fix the behaviour of the Terraform backend +- Fix the behaviour of the OpenTofu backend when multiple users are maintaining the same cluster, especially when migrating the backend from local to http. (`!998 `_) - Constrain kubernetes-validate pip package on Kubernetes nodes (`!1004 `_) @@ -2048,7 +2048,7 @@ Changes in the Documentation - The repo link to the prometheus blackbox exporter changed (`!840 `_) - (`!851 `_, `!853 `_, `!908 `_, `!979 `_) - Added clarification in initialization for the different ``.envrc`` used. (`!852 `_) -- Update and convert Terraform documentation to restructured Text (`!904 `_) +- Update and convert OpenTofu documentation to restructured Text (`!904 `_) - rook-ceph: Clarify role of mon_volume_storage_class (`!955 `_) diff --git a/actions/apply-all.sh b/actions/apply-all.sh index 9f5fbc5c75bd73dd44d404047d8f558765351f36..dfccf05d9fd586b13fba47b032c264ebf5f78a55 100755 --- a/actions/apply-all.sh +++ b/actions/apply-all.sh @@ -14,7 +14,7 @@ check_venv set_kubeconfig -# Invoke Terraform, if configured +# Invoke OpenTofu, if configured if [ "${tf_usage:-true}" == 'true' ]; then run "$actions_dir/apply-terraform.sh" fi diff --git a/actions/apply-terraform.sh b/actions/apply-terraform.sh index 66063f6658c5b529af390ff2348ff430daa3211b..f2a7856f0a8457a2716244010139876a7eafbe93 100755 --- a/actions/apply-terraform.sh +++ b/actions/apply-terraform.sh @@ -13,7 +13,7 @@ load_conf_vars check_venv if [ "$("$actions_dir/helpers/semver2.sh" "$(terraform -v -json | jq -r '.terraform_version')" "$terraform_min_version")" -lt 0 ]; then - errorf 'Please upgrade Terraform to at least v'"$terraform_min_version" + errorf 'Please upgrade OpenTofu to at least v'"$terraform_min_version" exit 5 fi 
@@ -49,7 +49,7 @@ fi run terraform -chdir="$terraform_module" apply "$terraform_plan" if [ "$(jq -r .backend.type "$terraform_state_dir/.terraform/terraform.tfstate")" == 'http' ]; then - notef 'Pulling latest Terraform state from Gitlab for disaster recovery purposes.' + notef 'Pulling latest OpenTofu state from Gitlab for disaster recovery purposes.' # don't use the "run" function here as it would print the token curl -s -o "$terraform_state_dir/disaster-recovery.tfstate.bak" \ --header "Private-Token: $TF_HTTP_PASSWORD" "$backend_address" diff --git a/actions/destroy.sh b/actions/destroy.sh index fe734c78c714babfe700882ca454431a9fa1254c..6007fcb6e5d5ca583d6021f2f0ddc6fcd041fb63 100755 --- a/actions/destroy.sh +++ b/actions/destroy.sh @@ -16,7 +16,7 @@ require_harbour_disruption require_ansible_disruption if [ "$("$actions_dir/helpers/semver2.sh" "$(terraform -v -json | jq -r '.terraform_version')" "$terraform_min_version")" -lt 0 ]; then - errorf 'Please upgrade Terraform to at least v'"$terraform_min_version" + errorf 'Please upgrade OpenTofu to at least v'"$terraform_min_version" exit 5 fi diff --git a/actions/lib.sh b/actions/lib.sh index 51fa0f454cab361ccd5a7c2fcc10e32f246bb739..d529ef335b696c8f1d4dd121cf32440f6425df0a 100644 --- a/actions/lib.sh +++ b/actions/lib.sh @@ -106,7 +106,7 @@ function harbour_disruption_allowed() { load_conf_vars [ "${MANAGED_K8S_DISRUPT_THE_HARBOUR:-}" = 'true' ] \ && [ "${tf_usage:-true}+${terraform_prevent_disruption:-true}" != 'true+true' ] - # when Terraform is used also factor in its config + # when OpenTofu is used also factor in its config } function require_ansible_disruption() { @@ -352,7 +352,7 @@ function tf_init() { if all_gitlab_vars_are_set; then if tf_state_present_on_gitlab && [ -f "$terraform_state_dir/terraform.tfstate" ]; then - errorf "Several Terraform statefiles were found: locally and on GitLab." + errorf "Several OpenTofu statefiles were found: locally and on GitLab." exit 1 fi fi 
@@ -389,7 +389,7 @@ EOF else if ! all_gitlab_vars_are_set && ! all_gitlab_vars_are_unset; then errorf "'gitlab_backend=false' but some GitLab variables are provided." - errorf "(1) If you want to migrate the Terraform backend method from 'http' to 'local'," + errorf "(1) If you want to migrate the OpenTofu backend method from 'http' to 'local'," errorf "you should provide all the GitLab variables" errorf "(2) If you want to init a cluster with local backend," errorf "make sure that all the following GitLab variables are unset:" @@ -402,18 +402,18 @@ EOF if all_gitlab_vars_are_set; then if tf_state_present_on_gitlab; then rm -f "$OVERRIDE_FILE" - notef "Terraform statefile on GitLab found. Migration from http to local." + notef "OpenTofu statefile on GitLab found. Migration from http to local." if tf_init_local_migrate; then # delete tf_statefile from GitLab GITLAB_RESPONSE=$(curl -Is --header "Private-Token: $TF_HTTP_PASSWORD" -o "/dev/null" -w "%{http_code}" --request DELETE "$backend_address") check_return_code "$GITLAB_RESPONSE" else - warningf "Terraform init was not successful. The Terraform state on GitLab was not deleted." + warningf "OpenTofu init was not successful. The OpenTofu state on GitLab was not deleted." fi else errorf "'gitlab_backend=false', all GitLab variables are provided," errorf "but the Terrafrom state file could not be found on GitLab in order to migrate from 'http' to 'local'." - errorf "(1) If you want to migrate, make sure the Terraform state file exists on GitLab." + errorf "(1) If you want to migrate, make sure the OpenTofu state file exists on GitLab." errorf "(2) If you want to init a cluster with local backend," errorf "make sure that all the following GitLab variables are unset:" for var in "${all_gitlab_vars[@]}"; do diff --git a/docs/developer/guide/coding-guide.rst b/docs/developer/guide/coding-guide.rst index b6cd1c4af71a5343509b3dcf8c4ba30ffd8fc6ab..811ca4d9c617269b31ff5041fabdb637522ace26 100644 
--- a/docs/developer/guide/coding-guide.rst +++ b/docs/developer/guide/coding-guide.rst @@ -311,7 +311,7 @@ Use ``to_json`` in templates when writing YAML or JSON effects or syntax errors can occur. ``to_json`` will properly encode the data. -Terraform Styleguide +OpenTofu Styleguide -------------------- Use jsonencode in templates when writing YAML diff --git a/docs/developer/guide/simulate-bm.rst b/docs/developer/guide/simulate-bm.rst index 87f0bcaccf08b1ea8f900df5a8806f27df240c94..9840f100029bba8d04fca89eed1a521a3f2dd8b6 100644 --- a/docs/developer/guide/simulate-bm.rst +++ b/docs/developer/guide/simulate-bm.rst @@ -6,7 +6,7 @@ can be simulated with OpenStack resources. That's useful if you want to verify this use case without having spare hardware available to do so. -The general approach is to utilize the Terraform stage +The general approach is to utilize the OpenTofu stage to create the harbour infrastructure but then disable and remove everything in the environment that is specific to the Openstack based setup path @@ -21,7 +21,7 @@ Cluster repository initialization Follow the cluster :doc:`initialization documentation`. Disable Wireguard, -but enable Terraform because we want to use it to create +but enable OpenTofu because we want to use it to create OpenStack resources, and configure the infrastructure layer. @@ -99,7 +99,7 @@ Reconfigure the inventory ``inventory/yaook-k8s/hosts``: Also remove the ``[gateways]`` section from ``config/hosts`` and replace ``gateways`` with ``masters`` in the ``[frontend:children]`` section. -We can now disable Terraform: +We can now disable OpenTofu: .. code:: nix 
@@ -138,13 +138,13 @@ Creating and attaching a floating ip to the jump host: The jump host should be accessible via the attached floating IP now. We still want to harden it though. For the LCM to work, we have to adjust the hosts file -which has been created previously by Terraform +which has been created previously by OpenTofu ``config/hosts``. * Set ``openstack.enabled`` to ``false`` -* Set ``networking_fixed_ip`` to the networking fixed ip created by Terraform +* Set ``networking_fixed_ip`` to the networking fixed ip created by OpenTofu * Check out the following vars-file: ``inventory/yaook-k8s/group_vars/all/terraform_networking-trampoline.yaml`` -* Set ``subnet_cidr`` to the subnet cidr created by Terraform (and configured above) +* Set ``subnet_cidr`` to the subnet cidr created by OpenTofu (and configured above) * Check out the following vars-file: ``inventory/yaook-k8s/group_vars/all/terraform_networking-trampoline.yaml`` * Add the jump host as target diff --git a/docs/user/explanation/dualstack.rst b/docs/user/explanation/dualstack.rst index bf15afa9ceb395eb50a124117463fd4228cd7007..e5b2e7170e02ec7e5765174e7dc11907ed437950 100644 --- a/docs/user/explanation/dualstack.rst +++ b/docs/user/explanation/dualstack.rst @@ -42,7 +42,7 @@ Prerequisites - Calico ``v3.11`` or later - For managed YAOOK/K8s on OpenStack clusters: - - Terraform ``v0.12`` or later + - OpenTofu ``v0.12`` or later - `ch-k8s-lbaas `__ ``v0.3.3`` or later @@ -58,7 +58,7 @@ Adjust your config to meet the following statements: - specify ``terraform.subnet_v6_cidr`` - - this is the IPv6 subnet that will be created via Terraform + - this is the IPv6 subnet that will be created via OpenTofu - e.g.: - ``terraform.subnet_v6_cidr = "fd00::/120"`` 
@@ -87,12 +87,12 @@ DualStack-Support in OpenStack A Kubernetes cluster with DualStack support requires IPv4 and IPv6 connectivity between the cluster nodes. As we are deploying on top of -OpenStack, we need to adjust Terraform to fulfill the prerequisites. +OpenStack, we need to adjust OpenTofu to fulfill the prerequisites. In order for pods to be reachable from the outside world over IPv6 the cluster nodes must provide this IPv6 connectivity. This is enabled with the dual stack support option -and rolled out on the underlying OpenStack nodes via Terraform. +and rolled out on the underlying OpenStack nodes via OpenTofu. `Enabling a DualStack network `__ in OpenStack requires: @@ -154,7 +154,7 @@ DualStack support for the K8s control plane The ``controlPlaneEndpoint`` either has to be *one* IP address or a domain name. Because using a domain name would lead to the DNS resolution overhead, we decided to let the control plane be IPv4-only -for now. However, a VIPv6 is created via Terraform and configured in +for now. However, a VIPv6 is created via OpenTofu and configured in HAProxy such that it can be used to connect to the control plane. IPv6 load-balanced services diff --git a/docs/user/guide/monitoring/prometheus-stack.rst b/docs/user/guide/monitoring/prometheus-stack.rst index 8145a9d7e2cf30c8d09839c9d822d8e9bbef0019..d2af8a61aa40fcd5865a7143ee1d597f808895cb 100644 --- a/docs/user/guide/monitoring/prometheus-stack.rst +++ b/docs/user/guide/monitoring/prometheus-stack.rst @@ -217,7 +217,7 @@ Automated bucket management is created on top of OpenStack and a valid OpenStack RC file is sourced. This method is enabled by default. -This will let Terraform create an object storage container +This will let OpenTofu create an object storage container inside your OpenStack project and automatically configures Thanos to use that container as primary storage. 
diff --git a/docs/user/reference/actions-references.rst b/docs/user/reference/actions-references.rst index ca85f95c331d2fece4b2759d06dcc39cd00f7356..e1c542447f822cda9f874837216813cfd2538311 100644 --- a/docs/user/reference/actions-references.rst +++ b/docs/user/reference/actions-references.rst @@ -220,7 +220,7 @@ of the gateway nodes in front of the Kubernetes cluster. .. figure:: /img/apply-terraform.svg :scale: 80% - :alt: Apply Terraform Script Visualization + :alt: Apply OpenTofu Script Visualization :align: center | @@ -369,8 +369,8 @@ For further information on Ansible meta information take a look ``manual-terraform.sh`` ----------------------- -This is a thin wrapper around Terraform. The arguments are passed on to -Terraform, and the environment for it is set to use the same module and +This is a thin wrapper around OpenTofu. The arguments are passed on to +OpenTofu, and the environment for it is set to use the same module and state as when run from ``apply-terraform.sh``. This is useful for operational interventions, debugging and development diff --git a/docs/user/reference/cluster-configuration.rst b/docs/user/reference/cluster-configuration.rst index 65bd018d1bebbdc22305df351e87a4b319236334..9cf0ef3c51a32770cd407e77889b127e1fafc1f3 100644 --- a/docs/user/reference/cluster-configuration.rst +++ b/docs/user/reference/cluster-configuration.rst @@ -25,7 +25,7 @@ The cluster repository layout ├── state/ # Auto-generated files that need to be preserved. MUST be checked into version control │ ├── wireguard/ │ │ └── ipam.toml # WireGuard IP address management - │ ├── terraform/ # Terraform specific state files + │ ├── terraform/ # OpenTofu specific state files ┊ ┊ The ``./config`` directory is completely handled by the user. diff --git a/docs/user/reference/cluster-repository.rst b/docs/user/reference/cluster-repository.rst index b4bff0cbcfb6780d5093cb1b0065c94708c4f89e..3a9aacdbd30a5402acaf112428f4aa1f58ba1842 100644 
--- a/docs/user/reference/cluster-repository.rst +++ b/docs/user/reference/cluster-repository.rst @@ -7,7 +7,7 @@ consists of: - The version of the LCM code to deploy the cluster - The version of the WireGuard user information -- State of Terraform +- State of OpenTofu - State of the WireGuard IP address management (IPAM) - Secrets and credentials obtained while deploying the cluster - A :doc:`configuration ` file which @@ -40,13 +40,13 @@ will most certainly have more files than these. ├── state/ # Place for state files │ ├── wireguard/ │ | └── ipam.toml # WireGuard IPAM - │ ├── terraform/ # Terraform specific state files + │ ├── terraform/ # OpenTofu specific state files │ | ├── .terraform/ │ | │ └── plugins/ │ | │ └── linux_amd64/ - │ | │ └── lock.json # Terraform plugin version lock - │ | ├── terraform.tfstate # Terraform state - │ | └── terraform.tfstate.backup # Terraform state backup + │ | │ └── lock.json # OpenTofu plugin version lock + │ | ├── terraform.tfstate # OpenTofu state + │ | └── terraform.tfstate.backup # OpenTofu state backup ├── vault/ # Local vault data ├── .envrc # direnv (environment variables) configuration ├── .gitattributes diff --git a/docs/user/reference/environmental-variables.rst b/docs/user/reference/environmental-variables.rst index be62b2316cb94259011ca362102367a22688ad44..51df78ae652d77c4c01b1c4d69722b23da9bd7ac 100644 --- a/docs/user/reference/environmental-variables.rst +++ b/docs/user/reference/environmental-variables.rst @@ -99,7 +99,7 @@ provide. - These **MUST** be set if you want to deploy on OpenStack. -- These variables are used by Terraform to create, maintain and destroy +- These variables are used by OpenTofu to create, maintain and destroy the underlying harbour infrastructure layer. They are also needed by the `Cloud Controller Manager `__ when applying the k8s-base layer. 
@@ -167,9 +167,9 @@ Environment Variable Default ``MANAGED_K8S_GIT_BRANCH`` If set and ``MANAGED_K8S_LATEST_RELEASE`` set to ``false``, the specified branch will be checked out by ``init-cluster-repo.sh``. -``TERRAFORM_MODULE_PATH`` ``../terraform`` Path to the Terraform root module to +``TERRAFORM_MODULE_PATH`` ``../terraform`` Path to the OpenTofu root module to change the working directory for the - execution of the Terraform commands. + execution of the OpenTofu commands. ======================================= ======================================================================= =================================================== .. _environment-variables.secret-management: 
@@ -265,7 +265,7 @@ operations. Environment Variable Default Description =========================================== =========== =================== ``MANAGED_K8S_RELEASE_THE_KRAKEN`` ``false`` Boolean value which defaults to false. If set to ``true``, this allows the LCM to perform disruptive actions with Ansible. See the documentation on Disruption actions for details. By default, Ansible will avoid to perform any actions which could cause a loss of data or loss of availability to the customer. This comes at the cost of not performing certain operations or refusing to continue at some places. -``MANAGED_K8S_DISRUPT_THE_HARBOUR`` ``false`` Boolean value which defaults to false. If set to ``true``, this allows the LCM to perform disruptive actions to the harbour infrastructure (with Terraform). +``MANAGED_K8S_DISRUPT_THE_HARBOUR`` ``false`` Boolean value which defaults to false. If set to ``true``, this allows the LCM to perform disruptive actions to the harbour infrastructure (with OpenTofu). ``MANAGED_K8S_NUKE_FROM_ORBIT`` ``false`` Boolean value which defaults to false. If set to ``true``, it will delete all Thanos monitoring data from the object store before destruction. ``MANAGED_K8S_IGNORE_WIREGUARD_ROUTE`` By default, ``wg-up.sh`` will check if an explicit route for the cluster network exists on your machine. If such a route exists and does not belong to the wireguard interface set via ``wg_conf_name``, the script will abort with an error. The reason for that is that it is unlikely that you’ll be able to connect to the cluster this way and that weird stuff is bound to happen. If you know what you’re doing (I certainly don’t), you can set to any non-empty value to override this check. ``AFLAGS`` This allows to pass additional flags to Ansible. The variable is interpolated into the ansible call without further quoting, so it can be used to do all kinds of fun stuff. 
A primary use is to force diff output or only execute some tags: ``AFLAGS="--diff -t some-tag"``. diff --git a/docs/user/reference/options/yk8s.infra.rst b/docs/user/reference/options/yk8s.infra.rst index 9df8bc8dcb1f3110b39d2c10a391ad073433225a..7330ddae1ecf97fc587f00b199a1280fbaab6e65 100644 --- a/docs/user/reference/options/yk8s.infra.rst +++ b/docs/user/reference/options/yk8s.infra.rst @@ -10,7 +10,7 @@ Infra Configuration ^^^^^^^^^^^^^^^^^^^ This section contains various configuration options necessary for all -cluster types, Terraform and bare-metal based. +cluster types, OpenTofu and bare-metal based. .. _configuration-options.yk8s.infra.cluster_name: diff --git a/docs/user/reference/options/yk8s.openstack.rst b/docs/user/reference/options/yk8s.openstack.rst index 89260a83a0039d2a018b0281c83da1f02d0ab99b..3bca1dc2cf552539ba6f9dcc05d27703cc33fdc1 100644 --- a/docs/user/reference/options/yk8s.openstack.rst +++ b/docs/user/reference/options/yk8s.openstack.rst @@ -14,14 +14,14 @@ yk8s.openstack It defaults to the number of elements in the ``azs`` array when ``spread_gateways_across_azs=true`` and 3 otherwise. -.. [1] Caveat: Changing the role of a Terraform node +.. [1] Caveat: Changing the role of a OpenTofu node will completely rebuild the node. .. attention:: You must configure at least one master node. -You can add and delete Terraform nodes simply +You can add and delete OpenTofu nodes simply by adding and removing their entries to/from the config or tuning ``gateway_count`` for gateway nodes. Consider the following example: diff --git a/docs/user/reference/options/yk8s.terraform.rst b/docs/user/reference/options/yk8s.terraform.rst index e7e4a43bdf6a9d9e288207215b62a9564840ddec..d42ee6d66adac106beced6ea4580bf7d4b2e12cc 100644 --- a/docs/user/reference/options/yk8s.terraform.rst +++ b/docs/user/reference/options/yk8s.terraform.rst 
@@ -4,11 +4,11 @@ yk8s.terraform ^^^^^^^^^^^^^^ -Gitlab Terraform backend +Gitlab OpenTofu backend """""""""""""""""""""""" -To activate automatic backend of Terraform statefiles to Gitlab, -adapt the Terraform section of your config: +To activate automatic backend of OpenTofu statefiles to Gitlab, +adapt the OpenTofu section of your config: set `gitlab_backend` to True, set the URL of the Gitlab project and the name of the Gitlab state object. @@ -30,20 +30,20 @@ read/write access to the API. Please see GitLab documentation for creating a `personal access token `__. -To successful migrate from the "local" to "http" Terraform backend method, +To successful migrate from the "local" to "http" OpenTofu backend method, ensure that `gitlab_backend` is set to `true` and all other required variables are set correctly. Incorrect data entry may result in an HTTP error respond, such as a HTTP/401 error for incorrect credentials. Assuming correct credentials in the case of an HTTP/404 error, -Terraform is executed and the state is migrated to Gitlab. +OpenTofu is executed and the state is migrated to Gitlab. -To migrate from the "http" to "local" Terraform backend method, +To migrate from the "http" to "local" OpenTofu backend method, set `gitlab_backend=false`, `MANAGED_K8S_NUKE_FROM_ORBIT=true`, and assume that all variables above are properly set -and the Terraform state exists on GitLab. +and the OpenTofu state exists on GitLab. Once the migration is successful, unset the variables above to continue using the "local" backend method. 
@@ -79,8 +79,8 @@ https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix ``yk8s.terraform.gitlab_backend`` ################################# -Whether to enable GitLab-managed Terraform backend -If true, the Terraform state will be stored inside the provided gitlab project. +Whether to enable GitLab-managed OpenTofu backend +If true, the OpenTofu state will be stored inside the provided gitlab project. If set, the environment `TF_HTTP_USERNAME` and `TF_HTTP_PASSWO = mkOptionD` must be configured in a separate file `~/.config/yaook-k8s/env`. . @@ -158,7 +158,7 @@ https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix ``yk8s.terraform.gitlab_state_name`` #################################### -The name of the Gitlab state object in which to store the Terraform state, e.g. 'tf-state' +The name of the Gitlab state object in which to store the OpenTofu state, e.g. 'tf-state' **Type:**:: @@ -185,7 +185,7 @@ https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix ``yk8s.terraform.prevent_disruption`` ##################################### -If true, prevent Terraform from performing disruptive action +If true, prevent OpenTofu from performing disruptive action defaults to true if unset diff --git a/flake.lock b/flake.lock index 3363574deb275045b2e6b428a42b687ae03d61d5..61883560bad6f8bb6e01c6de54c7342190d2a2b2 100644 --- a/flake.lock +++ b/flake.lock @@ -49,22 +49,6 @@ "type": "github" } }, - "nixpkgs-terraform157": { - "locked": { - "lastModified": 1694118906, - "narHash": "sha256-XN5GagDT6y+5/+ztPzCn2h0HyWEsyJPZwJrMhmnRPmM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "39ed4b64ba5929e8e9221d06b719a758915e619b", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "39ed4b64ba5929e8e9221d06b719a758915e619b", - "type": "github" - } - }, "nixpkgs-vault1148": { "locked": { "lastModified": 1701876149, 
@@ -85,7 +69,6 @@ "inputs": { "flake-parts": "flake-parts", "nixpkgs": "nixpkgs", - "nixpkgs-terraform157": "nixpkgs-terraform157", "nixpkgs-vault1148": "nixpkgs-vault1148" } } diff --git a/flake.nix b/flake.nix index 1c438401725cb36a95733362cd298e5a52e24014..fbdd142d4b6e193e42781026b16054045610b2a7 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,5 @@ { inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; - inputs.nixpkgs-terraform157.url = "github:NixOS/nixpkgs/39ed4b64ba5929e8e9221d06b719a758915e619b"; inputs.nixpkgs-vault1148.url = "github:NixOS/nixpkgs/7cf8d6878561e8b2e4b1186f79f1c0e66963bdac"; inputs.flake-parts.url = "github:hercules-ci/flake-parts"; diff --git a/nix/dependencies.nix b/nix/dependencies.nix index 5c4d29698cec308bb877b8539bec3471558b8cfe..0239b51332d7fbdaf84bce1abf5ccc6b8a08f4c0 100644 --- a/nix/dependencies.nix +++ b/nix/dependencies.nix @@ -35,8 +35,13 @@ moreutils openssh openssl + opentofu + # provide a wrapper to ensure backwards compatibility + (writeScriptBin "terraform" '' + #!/usr/bin/env bash + exec tofu $@ + '') pre-commit - inputs'.nixpkgs-terraform157.legacyPackages.terraform util-linux # for uuidgen ]; pythonPackages = ps: diff --git a/nix/yk8s/infra.nix b/nix/yk8s/infra.nix index ad5a73afedb7097e85f698e5709a2fa762ee1fd1..d49beeff189ac29e40770f5f6730a88ec0c53c60 100644 --- a/nix/yk8s/infra.nix +++ b/nix/yk8s/infra.nix @@ -21,7 +21,7 @@ in { ^^^^^^^^^^^^^^^^^^^ This section contains various configuration options necessary for all - cluster types, Terraform and bare-metal based. + cluster types, OpenTofu and bare-metal based. ''; cluster_name = mkOption { diff --git a/nix/yk8s/node-scheduling.nix b/nix/yk8s/node-scheduling.nix index 23fddb008204ad7270e90375649aa3544fa93ba5..4dd4dac248d9f9950391f8ce2391f50794da6b05 100644 --- a/nix/yk8s/node-scheduling.nix +++ b/nix/yk8s/node-scheduling.nix 
@@ -48,7 +48,7 @@ in { builtins.seq (builtins.all (e: if config.yk8s.terraform.enabled -> builtins.elem e nodeNames then true - else throw "(node-scheduling) Label defined for ${e}, but node not found in Terraform config") (builtins.attrNames v)) + else throw "(node-scheduling) Label defined for ${e}, but node not found in OpenTofu config") (builtins.attrNames v)) v; }; taints = mkOption { @@ -66,7 +66,7 @@ in { builtins.seq (builtins.all (e: if config.yk8s.terraform.enabled -> builtins.elem e nodeNames then true - else throw "(node-scheduling) Taint defined for ${e}, but node not found in Terraform config") (builtins.attrNames v)) + else throw "(node-scheduling) Taint defined for ${e}, but node not found in OpenTofu config") (builtins.attrNames v)) v; }; }; diff --git a/nix/yk8s/openstack.nix b/nix/yk8s/openstack.nix index 11378334e9f31531caeb5f6cbfb07a24885749a5..1c7b7f7c484eed9ac14ebfa40bff5df642c8f303 100644 --- a/nix/yk8s/openstack.nix +++ b/nix/yk8s/openstack.nix @@ -39,7 +39,7 @@ }; }; # NOTE: Some options are not used by Ansible but other parts of the LCM, - # such as Terraform. Therefore they are filtered out. + # such as OpenTofu. Therefore they are filtered out. nonAnsibleOptions = [ "public_network" "keypair" @@ -70,14 +70,14 @@ in { It defaults to the number of elements in the ``azs`` array when ``spread_gateways_across_azs=true`` and 3 otherwise. - .. [1] Caveat: Changing the role of a Terraform node + .. [1] Caveat: Changing the role of a OpenTofu node will completely rebuild the node. .. attention:: You must configure at least one master node. - You can add and delete Terraform nodes simply + You can add and delete OpenTofu nodes simply by adding and removing their entries to/from the config or tuning ``gateway_count`` for gateway nodes. Consider the following example: 
@@ -328,7 +328,7 @@ in { } { assertion = config.yk8s.infra.ipv4_enabled; - message = "YAOOK/k8s Terraform does not yet support IPv6-only, see #685"; + message = "YAOOK/k8s OpenTofu does not yet support IPv6-only, see #685"; } (let current_config_file = diff --git a/nix/yk8s/terraform.nix b/nix/yk8s/terraform.nix index 5ded0a574b55d354b0e6f602ad96d1224abb2590..46f37c9b2ffe686a2437458d48903fd09cb25e23 100644 --- a/nix/yk8s/terraform.nix +++ b/nix/yk8s/terraform.nix @@ -17,7 +17,7 @@ inherit (builtins) fromJSON readFile pathExists length; tfvars_file_path = "terraform/config.tfvars.json"; - openstackTerraformOptions = [ + openstackOpenTofuOptions = [ "public_network" "keypair" "azs" @@ -33,7 +33,7 @@ "worker_defaults" "nodes" ]; - infraTerraformOptions = [ + infraOpenTofuOptions = [ "cluster_name" "ipv4_enabled" "ipv6_enabled" @@ -67,11 +67,11 @@ in { options.yk8s.terraform = mkTopSection { _docs.order = 1; _docs.preface = '' - Gitlab Terraform backend + Gitlab OpenTofu backend """""""""""""""""""""""" - To activate automatic backend of Terraform statefiles to Gitlab, - adapt the Terraform section of your config: + To activate automatic backend of OpenTofu statefiles to Gitlab, + adapt the OpenTofu section of your config: set `gitlab_backend` to True, set the URL of the Gitlab project and the name of the Gitlab state object. 
@@ -93,20 +93,20 @@ in { Please see GitLab documentation for creating a `personal access token `__. - To successful migrate from the "local" to "http" Terraform backend method, + To successful migrate from the "local" to "http" OpenTofu backend method, ensure that `gitlab_backend` is set to `true` and all other required variables are set correctly. Incorrect data entry may result in an HTTP error respond, such as a HTTP/401 error for incorrect credentials. Assuming correct credentials in the case of an HTTP/404 error, - Terraform is executed and the state is migrated to Gitlab. + OpenTofu is executed and the state is migrated to Gitlab. - To migrate from the "http" to "local" Terraform backend method, + To migrate from the "http" to "local" OpenTofu backend method, set `gitlab_backend=false`, `MANAGED_K8S_NUKE_FROM_ORBIT=true`, and assume that all variables above are properly set - and the Terraform state exists on GitLab. + and the OpenTofu state exists on GitLab. Once the migration is successful, unset the variables above to continue using the "local" backend method. @@ -123,7 +123,7 @@ in { prevent_disruption = mkOption { description = '' - If true, prevent Terraform from performing disruptive action + If true, prevent OpenTofu from performing disruptive action defaults to true if unset ''; type = types.bool; @@ -136,8 +136,8 @@ in { }; gitlab_backend = mkEnableOption '' - GitLab-managed Terraform backend - If true, the Terraform state will be stored inside the provided gitlab project. + GitLab-managed OpenTofu backend + If true, the OpenTofu state will be stored inside the provided gitlab project. If set, the environment `TF_HTTP_USERNAME` and `TF_HTTP_PASSWO = mkOptionD` must be configured in a separate file `~/.config/yaook-k8s/env`. ''; 
@@ -169,7 +169,7 @@ in { gitlab_state_name = mkOption { description = '' - The name of the Gitlab state object in which to store the Terraform state, e.g. 'tf-state' + The name of the Gitlab state object in which to store the OpenTofu state, e.g. 'tf-state' ''; type = with types; nullOr nonEmptyStr; default = null; @@ -190,7 +190,7 @@ in { if config.yk8s.state_directory != null && builtins.pathExists "${config.yk8s.state_directory}/${source}" then [(linkToPath "${config.yk8s.state_directory}/${source}" target)] else - builtins.trace "INFO: ${config.yk8s._state_base_path}/${source} does not yet exist. Terraform stage needs to be run first." + builtins.trace "INFO: ${config.yk8s._state_base_path}/${source} does not yet exist. OpenTofu stage needs to be run first." []; in (linkTfstateIfExists "terraform/rendered/hosts" "hosts") @@ -200,12 +200,12 @@ in { _state_packages = [ ( let - filteredTerraformCfg = yk8s-lib.removeAttrsByPath config.yk8s.terraform [["enabled"] ["prevent_disruption"]]; - filteredInfraCfg = lib.attrsets.getAttrs infraTerraformOptions config.yk8s.infra; - filteredOpenstackCfg = lib.attrsets.getAttrs openstackTerraformOptions config.yk8s.openstack; + filteredOpenTofuCfg = yk8s-lib.removeAttrsByPath config.yk8s.terraform [["enabled"] ["prevent_disruption"]]; + filteredInfraCfg = lib.attrsets.getAttrs infraOpenTofuOptions config.yk8s.infra; + filteredOpenstackCfg = lib.attrsets.getAttrs openstackOpenTofuOptions config.yk8s.openstack; mergedCfg = builtins.foldl' (acc: e: lib.attrsets.recursiveUpdate acc (removeObsoleteOptions e)) {} - [filteredTerraformCfg filteredInfraCfg filteredOpenstackCfg]; + [filteredOpenTofuCfg filteredInfraCfg filteredOpenstackCfg]; transformations = [filterInternal filterNull]; varsFile = mkJson "tfvars.json" (pipe mergedCfg transformations); in (pkgs.runCommandLocal "tfvars.json" {} '' 
diff --git a/templates/yaook-k8s-env.template.sh b/templates/yaook-k8s-env.template.sh index 789083ad4dabe952630ffe16e298e8f7359277da..8056a502e3cc052f95a4d7ed314d87007a81af28 100644 --- a/templates/yaook-k8s-env.template.sh +++ b/templates/yaook-k8s-env.template.sh @@ -33,7 +33,7 @@ export TF_VAR_keypair='firstnamelastname-hostname-gendate' # Set to true if you are using rootless docker or podman #VAULT_IN_DOCKER_USE_ROOTLESS=true -# Terraform backup on Gitlab: To store the state remotely in a gitlab repo, +# OpenTofu backup on Gitlab: To store the state remotely in a gitlab repo, # Gitlab username and Gitlab token must be configured here. # The token needs API scope and at least maintainer permissions. #export TF_HTTP_USERNAME=""
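Review bot: the `+` lines of the `@@ -30,20 +30,20 @@` hunk in the terraform reference page are being rewritten anyway, so fix the grammar in the same pass: `To successful migrate` should read `To successfully migrate`, `an HTTP error respond` should be `an HTTP error response`, and `such as a HTTP/401 error` should be `such as an HTTP/401 error`. The identical sentences sit in the `_docs.preface` of nix/yk8s/terraform.nix (`@@ -93,20 +93,20 @@`), which the reference page is rendered from, so the fix belongs in both places or the regenerated page will reintroduce the typos.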
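Review bot: the `terraform` compatibility wrapper added in nix/dependencies.nix expands its arguments unquoted (`exec tofu $@`), so any argument containing whitespace or shell glob characters (for example `-var 'keypair=my key'`) is word-split and glob-expanded before OpenTofu sees it; use `exec tofu "$@"`. Since `writeScriptBin` only adds the shebang you give it, `#!/usr/bin/env bash` resolves to whatever bash is first in PATH at run time; `writeShellScriptBin "terraform" ''exec tofu "$@"''` would use the nixpkgs bash and is the idiomatic form for a one-line wrapper.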
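Review bot: removing the `nixpkgs-terraform157` input from flake.nix and flake.lock drops the explicit revision pin (`39ed4b64ba5929e8e9221d06b719a758915e619b`) that the old `terraform` package came from, while the replacement `opentofu` in nix/dependencies.nix is taken from the plain `nixpkgs` input on `nixos-24.11`, so its version now moves whenever that input is bumped. Because a state file written by a newer OpenTofu is not accepted by an older one, please either record the shipped OpenTofu version in the documentation or keep a dedicated pinned input for it, as is still done for `nixpkgs-vault1148`.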
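Review bot: in the `@@ -70,14 +70,14 @@` hunk of nix/yk8s/openstack.nix the footnote now reads `Changing the role of a OpenTofu node`; it should be `an OpenTofu node`.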
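Review bot: the context line directly below the changed `mkEnableOption` text in the `@@ -136,8 +136,8 @@` hunk of nix/yk8s/terraform.nix reads `` `TF_HTTP_PASSWO = mkOptionD` ``, which looks like a mangled edit of `TF_HTTP_PASSWORD` (the HTTP backend's password variable that pairs with the `TF_HTTP_USERNAME` named on the same line and in templates/yaook-k8s-env.template.sh). The same broken string is reproduced verbatim in the generated reference page (`@@ -79,8 +79,8 @@`), so users reading the docs get a non-existent variable name. As the adjacent lines are touched here anyway, restore `TF_HTTP_PASSWORD` in the option description and regenerate the page.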
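Review bot: in both hunks of nix/yk8s/node-scheduling.nix the error message now says `node not found in OpenTofu config`, but the check is gated on `config.yk8s.terraform.enabled` and the option section that defines the nodes keeps its `yk8s.terraform` path. A user hunting for the referenced config will search for an "OpenTofu" section that does not exist; name the option path in the message, e.g. `node not found in yk8s.terraform (OpenTofu) config`.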
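Review bot: the comment in templates/yaook-k8s-env.template.sh now says `OpenTofu backup on Gitlab`, whereas the option docs in this same patch call the feature the GitLab `backend`; use one term. The same comment documents that the token needs API scope and at least maintainer permissions, i.e. it is a write-capable credential, and the `gitlab_backend` option text says `TF_HTTP_USERNAME` and the password must live in `~/.config/yaook-k8s/env`; the template comment should point there as well so the token does not end up in a file alongside the rest of the cluster configuration.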