From 3da3b33ec19f2f12650be82a18885b5cc9b53e63 Mon Sep 17 00:00:00 2001 From: Silvio Ankermann Date: Thu, 26 Oct 2023 13:50:57 +0200 Subject: [PATCH 1/2] flake: replace terraform with opentofu --- flake.lock | 17 ----------------- flake.nix | 1 - nix/dependencies.nix | 2 +- 3 files changed, 1 insertion(+), 19 deletions(-) diff --git a/flake.lock b/flake.lock index 3363574de..61883560b 100644 --- a/flake.lock +++ b/flake.lock @@ -49,22 +49,6 @@ "type": "github" } }, - "nixpkgs-terraform157": { - "locked": { - "lastModified": 1694118906, - "narHash": "sha256-XN5GagDT6y+5/+ztPzCn2h0HyWEsyJPZwJrMhmnRPmM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "39ed4b64ba5929e8e9221d06b719a758915e619b", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "39ed4b64ba5929e8e9221d06b719a758915e619b", - "type": "github" - } - }, "nixpkgs-vault1148": { "locked": { "lastModified": 1701876149, @@ -85,7 +69,6 @@ "inputs": { "flake-parts": "flake-parts", "nixpkgs": "nixpkgs", - "nixpkgs-terraform157": "nixpkgs-terraform157", "nixpkgs-vault1148": "nixpkgs-vault1148" } } diff --git a/flake.nix b/flake.nix index 1c4384017..fbdd142d4 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,5 @@ { inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; - inputs.nixpkgs-terraform157.url = "github:NixOS/nixpkgs/39ed4b64ba5929e8e9221d06b719a758915e619b"; inputs.nixpkgs-vault1148.url = "github:NixOS/nixpkgs/7cf8d6878561e8b2e4b1186f79f1c0e66963bdac"; inputs.flake-parts.url = "github:hercules-ci/flake-parts"; diff --git a/nix/dependencies.nix b/nix/dependencies.nix index 5c4d29698..29d3556a7 100644 --- a/nix/dependencies.nix +++ b/nix/dependencies.nix @@ -35,8 +35,8 @@ moreutils openssh openssl + opentofu pre-commit - inputs'.nixpkgs-terraform157.legacyPackages.terraform util-linux # for uuidgen ]; pythonPackages = ps: -- GitLab From 89a34ca022674cdfc58864dfdc72d5385faf7c23 Mon Sep 17 00:00:00 2001 
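Review bot: Replacing `terraform` with `opentofu` in the `nix/dependencies.nix` list of this patch leaves no `terraform` binary on PATH, yet the action scripts still call it by that name (the `terraform -v -json` version gate and `run terraform -chdir=...` are visible as context lines in patch 2/2), so a checkout at this commit alone has broken `apply-terraform.sh`/`destroy.sh` and the series is not bisectable here. The compatibility wrapper that patch 2/2 adds belongs in this commit, or the two patches should be squashed. Whether anything else in the repository shells out to `terraform` cannot be seen from this hunk.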
From: Steve Starke Date: Thu, 26 Oct 2023 12:47:47 +0200 Subject: [PATCH 2/2] Use OpenTofu as in-place replacement for Terraform As HashiCorp changed the license of Terraform from MPL to BUSL, we're switching to the community-driven in-place replacement fork OpenTofu to avoid legal risks. This commit replaces all mentions of Terraform in the documentation with OpenTofu, replaces terraform with opentofu in the dependencies and adds a wrapper script to ensure backwards compatibility. Addresses: #601 https://opentofu.org/ --- CHANGELOG.rst | 62 +++++++++---------- actions/apply-all.sh | 2 +- actions/apply-terraform.sh | 4 +- actions/destroy.sh | 2 +- actions/lib.sh | 12 ++-- docs/developer/guide/coding-guide.rst | 2 +- docs/developer/guide/simulate-bm.rst | 12 ++-- docs/user/explanation/dualstack.rst | 10 +-- .../guide/monitoring/prometheus-stack.rst | 2 +- docs/user/reference/actions-references.rst | 6 +- docs/user/reference/cluster-configuration.rst | 2 +- docs/user/reference/cluster-repository.rst | 10 +-- .../reference/environmental-variables.rst | 8 +-- docs/user/reference/options/yk8s.infra.rst | 2 +- .../user/reference/options/yk8s.openstack.rst | 4 +- .../user/reference/options/yk8s.terraform.rst | 22 +++---- nix/dependencies.nix | 5 ++ nix/yk8s/infra.nix | 2 +- nix/yk8s/node-scheduling.nix | 4 +- nix/yk8s/openstack.nix | 8 +-- nix/yk8s/terraform.nix | 36 +++++------ templates/yaook-k8s-env.template.sh | 2 +- 22 files changed, 112 insertions(+), 107 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 472cde195..85a87c72a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -277,7 +277,7 @@ Breaking changes ├── state/ # Auto-generated files that need to be preserved. MUST be checked into version control │ ├── wireguard/ │ │ └── ipam.toml # WireGuard IP address management - │ ├── terraform/ # Terraform specific state files + │ ├── terraform/ # OpenTofu specific state files ┊ ┊ 
@@ -304,7 +304,7 @@ Breaking changes The migration script will point out these cases. _ (`!1265 `_) -- The following Terraform resources are deprecated and have been updated: +- The following OpenTofu resources are deprecated and have been updated: - ``openstack_compute_floatingip_associate_v2`` replaced by ``openstack_networking_floatingip_associate_v2`` @@ -432,7 +432,7 @@ Changed functionality _ (`!1456 `_) - Most options from the terraform configuration section have moved into one of two new sections, either ``openstack`` for OpenStack specific options or ``infra`` for options used by all clusters. Have a look at the deprecation warnings during Nix evaluation. (`!1466 `_) - ``vault.cluster_name`` now defaults to ``infra.cluster_name`` (`!1466 `_) -- Cloud&Heat specific default have been removed from the Terraform module. (`!1504 `_) +- Cloud&Heat specific default have been removed from the OpenTofu module. (`!1504 `_) - Depending on the IP version enabled, node address autodetection is explicitly set to ``{}``. (`!1529 `_) - Additional testing in the CI pipeline has been added that verifies that :doc:`Kubernetes certificate signing ` is functional. (`!1543 `_) - The default blackbox-exporter version has been bumped to v9.1.0. (`!1575 `_) @@ -477,7 +477,7 @@ Bugfixes - Thanos compactor is now restarted on failure. Previously it just stopped operation but never exited (see `issue #724 `_). (`!1592 `_) -- The YAOOK/K8s Terraform module does not fail anymore +- The YAOOK/K8s OpenTofu module does not fail anymore if there are multiple Openstack images with the same name but simply selects the most recent one. (`!1598 `_) - A bug has been fixed which caused Kubernetes upgrades to fail if :ref:`configuration-options.yk8s.kubernetes.controller_manager.enable_signing_requests` is enabled. (`!1608 `_, `!1675 `_) 
@@ -498,7 +498,7 @@ Changes in the Documentation - A short description about ``tools/vault/update.sh`` has been added. (`!1599 `_) - A user facing :doc:`tutorial ` has been created, which describes how to upgrade to a new YAOOK/K8s release. (`!1602 `_, `!1660 `_) -- The Terraform developer reference documentation has been dropped in favor of :ref:`configuration-options.yk8s.terraform`. (`!1611 `_) +- The OpenTofu developer reference documentation has been dropped in favor of :ref:`configuration-options.yk8s.terraform`. (`!1611 `_) - Some typos have been fixed (`!1615 `_) - Minor fixes in the docs. (`!1642 `_) @@ -720,12 +720,12 @@ v8.0.0 (2024-08-28) Breaking changes ~~~~~~~~~~~~~~~~ -- The YAOOK/K8s Terraform module now allows worker nodes +- The YAOOK/K8s OpenTofu module now allows worker nodes to be joined into individual anti affinity groups. .. attention:: Action required - You must migrate your Terraform state + You must migrate your OpenTofu state by running the migration script. .. code:: shell @@ -733,10 +733,10 @@ Breaking changes ./managed-k8s/actions/migrate-to-release.sh _ (`!1317 `_) -- The YAOOK/K8s Terraform module +- The YAOOK/K8s OpenTofu module does not build a default set of nodes (3 masters + 4 workers) anymore when no nodes are given. (`!1317 `_) -- The automatic just-in-time migration of Terraform resources +- The automatic just-in-time migration of OpenTofu resources from ``count`` to ``for_each`` introduced in July 2022 was removed in favor of a once-and-for-all migration. @@ -745,7 +745,7 @@ Breaking changes ./managed-k8s/actions/migrate-to-release.sh _ (`!1317 `_) -- YAOOK/K8s Terraform does not implicitly assign +- YAOOK/K8s OpenTofu does not implicitly assign nodes to availability zones anymore if actually none was configured for a node. 
@@ -761,9 +761,9 @@ Breaking changes .. attention:: Action required - To prevent Terraform from unneccessarily rebuilding master and worker nodes, + To prevent OpenTofu from unneccessarily rebuilding master and worker nodes, you must run the migration script. - This will determine each nodes' availability zone in the Terraform state + This will determine each nodes' availability zone in the OpenTofu state to set in the config for you. .. code:: @@ -773,10 +773,10 @@ Breaking changes _ (`!1317 `_) - The format of the ``[terraform]`` config section changed significantly. - Terraform nodes are now to be configured as blocks of values + OpenTofu nodes are now to be configured as blocks of values rather than across separate lists for each type of value. - Furthermore you now have control over the whole name of Terraform nodes, + Furthermore you now have control over the whole name of OpenTofu nodes, see :ref:`the documentation ` for further details. @@ -874,7 +874,7 @@ Breaking changes .. attention:: Action required - To prevent Terraform from unnecessarily rebuilding gateway nodes, + To prevent OpenTofu from unnecessarily rebuilding gateway nodes, you must run the migration script. .. code:: shell @@ -887,8 +887,8 @@ Breaking changes New Features ~~~~~~~~~~~~ -- Terraform: Anti affinity group settings are now configurable per worker node. (`!1317 `_) -- Terraform: The amount of gateway nodes created is not dependent +- OpenTofu: Anti affinity group settings are now configurable per worker node. (`!1317 `_) +- OpenTofu: The amount of gateway nodes created is not dependent on the amount of availability zones anymore and can be set with ``[terraform].gateway_count``. The setting's default yields the previous behavior @@ -905,7 +905,7 @@ New Features Changed functionality ~~~~~~~~~~~~~~~~~~~~~ -- The minimum Terraform version is increased to 1.3 (`!1317 `_) +- The minimum OpenTofu version is increased to 1.3 (`!1317 `_) Bugfixes 
@@ -917,7 +917,7 @@ Bugfixes Other Tasks ~~~~~~~~~~~ -- The Terraform code responsible for generating the instance resources +- The OpenTofu code responsible for generating the instance resources was streamlined. (`!1317 `_) - `!1441 `_, `!1442 `_, `!1444 `_, `!1445 `_ @@ -959,7 +959,7 @@ Breaking changes -dualstack_support = false +ipv6_enabled = false - Existing clusters running on OpenStack must execute the Terraform stage once: + Existing clusters running on OpenStack must execute the OpenTofu stage once: .. code:: console @@ -1005,7 +1005,7 @@ Changes in the Documentation in the :doc:`Release and Versioning Policy ` (`!1376 `_) - The documentation now links to the latest version of the Calico docs instead of a specific version (where possible). (`!1408 `_) -- The generated Terraform docs was updated. (`!1434 `_) +- The generated OpenTofu docs was updated. (`!1434 `_) Deprecations and Removals @@ -1291,14 +1291,14 @@ Breaking changes If you have ``[terraform].create_root_disk_on_volume = true`` set in your config, you must migrate the ``openstack_blockstorage_volume_v2`` resources - in your Terraform state to the v3 resource type + in your OpenTofu state to the v3 resource type in order to prevent rebuilds of all servers and their volumes. .. code:: shell # Execute the lines produced by the following script # This will import all v2 volumes as v3 volumes - # and remove the v2 volume resources from the Terraform state. + # and remove the v2 volume resources from the OpenTofu state. terraform_module="managed-k8s/terraform" terraform_config="../../terraform/config.tfvars.json" 
@@ -1455,7 +1455,7 @@ Bugfixes Changes in the Documentation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- Terraform references updated (`!1189 `_) +- OpenTofu references updated (`!1189 `_) - A guide on how to simulate a self-managed bare metal cluster on top of OpenStack has been added to the :doc:`documentation `. (`!1231 `_) - Instructions to install Vault have been added to the installation guide (`!1247 `_) @@ -1515,7 +1515,7 @@ Breaking changes ``[terraform].prevent_disruption`` has been added in the config to allow the environment variable to be overridden - when Terraform is used (``TF_USAGE=true``). + when OpenTofu is used (``TF_USAGE=true``). It is set to ``true`` by default. Ultimately this prevents unintended destruction of the harbour infrastructure @@ -1758,7 +1758,7 @@ Bugfixes - Fix & generalize scheduling_key usage for managed K8s services (`!1088 `_) - Fix vault import for non-OpenStack clusters (`!1090 `_) - Don't create Flux PodMonitos if monitoring is disabled (`!1092 `_) -- Fix a bug which prevented nuking a cluster if Gitlab is used as Terraform backend (`!1093 `_) +- Fix a bug which prevented nuking a cluster if Gitlab is used as OpenTofu backend (`!1093 `_) - Fix tool ``tools/assemble_cephcluster_storage_nodes_yaml.py`` to produce valid yaml. @@ -1854,7 +1854,7 @@ Deprecations and Removals Other Tasks ~~~~~~~~~~~ -- Update flake dependencies and allow unfree license for Terraform (`!929 `_) +- Update flake dependencies and allow unfree license for OpenTofu (`!929 `_) Misc 
@@ -1942,7 +1942,7 @@ New Features - Add option to allow snippet annotations for NGINX Ingress controller (`!906 `_) - Add configuration option for persistent storage for Prometheus (`!917 `_) - Add optional configuration options for soft and hard disk pressure eviction to the ``config.toml``. (`!948 `_) -- Additionally pull a local copy of the Terraform state for disaster recovery purposes if Gitlab is configured as backend. (`!968 `_) +- Additionally pull a local copy of the OpenTofu state for disaster recovery purposes if Gitlab is configured as backend. (`!968 `_) Changed functionality @@ -2011,7 +2011,7 @@ Bugfixes makes it less likely that two backup nodes attempt to become primary at the same time, avoiding race conditions and flappiness. (`!841 `_) - Fix Thanos v1 cleanup tasks during migration to prevent accidental double deletion of resources (`!849 `_) -- Fixed incorrect templating of Thanos secrets for buckets managed by Terraform and clusters with custom names (`!854 `_) +- Fixed incorrect templating of Thanos secrets for buckets managed by OpenTofu and clusters with custom names (`!854 `_) - Rename rook_on_openstack field in config.toml to on_openstack (`!888 `_) - (`!889 `_, `!910 `_) - Fixed configuration of host network mode for rook/ceph (`!899 `_) @@ -2030,7 +2030,7 @@ Bugfixes - It is ensured that the values passed to the cloud-config secret are proper strings. (`!980 `_) - Fix configuration of Grafana resource limits & requests (`!982 `_) - Bump to latest K8s patch releases (`!994 `_) -- Fix the behaviour of the Terraform backend +- Fix the behaviour of the OpenTofu backend when multiple users are maintaining the same cluster, especially when migrating the backend from local to http. (`!998 `_) - Constrain kubernetes-validate pip package on Kubernetes nodes (`!1004 `_) 
@@ -2048,7 +2048,7 @@ Changes in the Documentation - The repo link to the prometheus blackbox exporter changed (`!840 `_) - (`!851 `_, `!853 `_, `!908 `_, `!979 `_) - Added clarification in initialization for the different ``.envrc`` used. (`!852 `_) -- Update and convert Terraform documentation to restructured Text (`!904 `_) +- Update and convert OpenTofu documentation to restructured Text (`!904 `_) - rook-ceph: Clarify role of mon_volume_storage_class (`!955 `_) diff --git a/actions/apply-all.sh b/actions/apply-all.sh index 9f5fbc5c7..dfccf05d9 100755 --- a/actions/apply-all.sh +++ b/actions/apply-all.sh @@ -14,7 +14,7 @@ check_venv set_kubeconfig -# Invoke Terraform, if configured +# Invoke OpenTofu, if configured if [ "${tf_usage:-true}" == 'true' ]; then run "$actions_dir/apply-terraform.sh" fi diff --git a/actions/apply-terraform.sh b/actions/apply-terraform.sh index 66063f665..f2a7856f0 100755 --- a/actions/apply-terraform.sh +++ b/actions/apply-terraform.sh @@ -13,7 +13,7 @@ load_conf_vars check_venv if [ "$("$actions_dir/helpers/semver2.sh" "$(terraform -v -json | jq -r '.terraform_version')" "$terraform_min_version")" -lt 0 ]; then - errorf 'Please upgrade Terraform to at least v'"$terraform_min_version" + errorf 'Please upgrade OpenTofu to at least v'"$terraform_min_version" exit 5 fi @@ -49,7 +49,7 @@ fi run terraform -chdir="$terraform_module" apply "$terraform_plan" if [ "$(jq -r .backend.type "$terraform_state_dir/.terraform/terraform.tfstate")" == 'http' ]; then - notef 'Pulling latest Terraform state from Gitlab for disaster recovery purposes.' + notef 'Pulling latest OpenTofu state from Gitlab for disaster recovery purposes.' # don't use the "run" function here as it would print the token curl -s -o "$terraform_state_dir/disaster-recovery.tfstate.bak" \ --header "Private-Token: $TF_HTTP_PASSWORD" "$backend_address" diff --git a/actions/destroy.sh b/actions/destroy.sh index fe734c78c..6007fcb6e 100755 --- a/actions/destroy.sh 
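Review bot: The version gate on the `if` line of the first `apply-terraform.sh` hunk still runs `terraform -v -json | jq -r '.terraform_version'` and compares it with `$terraform_min_version`; only the `errorf` text was changed, so the check now relies on the `terraform` wrapper resolving to `tofu` and on OpenTofu keeping the `terraform_version` key in its JSON output (it does so for compatibility as far as I know, but this is worth confirming against the pinned opentofu release, since a missing key yields `null` and an unclear semver2.sh result rather than a clean error). `terraform_min_version` is defined outside this hunk and should also be reviewed against OpenTofu's own numbering, which starts at 1.6. The same gate appears in `actions/destroy.sh` in the next hunk.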
+++ b/actions/destroy.sh @@ -16,7 +16,7 @@ require_harbour_disruption require_ansible_disruption if [ "$("$actions_dir/helpers/semver2.sh" "$(terraform -v -json | jq -r '.terraform_version')" "$terraform_min_version")" -lt 0 ]; then - errorf 'Please upgrade Terraform to at least v'"$terraform_min_version" + errorf 'Please upgrade OpenTofu to at least v'"$terraform_min_version" exit 5 fi diff --git a/actions/lib.sh b/actions/lib.sh index 51fa0f454..d529ef335 100644 --- a/actions/lib.sh +++ b/actions/lib.sh @@ -106,7 +106,7 @@ function harbour_disruption_allowed() { load_conf_vars [ "${MANAGED_K8S_DISRUPT_THE_HARBOUR:-}" = 'true' ] \ && [ "${tf_usage:-true}+${terraform_prevent_disruption:-true}" != 'true+true' ] - # when Terraform is used also factor in its config + # when OpenTofu is used also factor in its config } function require_ansible_disruption() { @@ -352,7 +352,7 @@ function tf_init() { if all_gitlab_vars_are_set; then if tf_state_present_on_gitlab && [ -f "$terraform_state_dir/terraform.tfstate" ]; then - errorf "Several Terraform statefiles were found: locally and on GitLab." + errorf "Several OpenTofu statefiles were found: locally and on GitLab." exit 1 fi fi @@ -389,7 +389,7 @@ EOF else if ! all_gitlab_vars_are_set && ! all_gitlab_vars_are_unset; then errorf "'gitlab_backend=false' but some GitLab variables are provided." - errorf "(1) If you want to migrate the Terraform backend method from 'http' to 'local'," + errorf "(1) If you want to migrate the OpenTofu backend method from 'http' to 'local'," errorf "you should provide all the GitLab variables" errorf "(2) If you want to init a cluster with local backend," errorf "make sure that all the following GitLab variables are unset:" 
@@ -402,18 +402,18 @@ EOF if all_gitlab_vars_are_set; then if tf_state_present_on_gitlab; then rm -f "$OVERRIDE_FILE" - notef "Terraform statefile on GitLab found. Migration from http to local." + notef "OpenTofu statefile on GitLab found. Migration from http to local." if tf_init_local_migrate; then # delete tf_statefile from GitLab GITLAB_RESPONSE=$(curl -Is --header "Private-Token: $TF_HTTP_PASSWORD" -o "/dev/null" -w "%{http_code}" --request DELETE "$backend_address") check_return_code "$GITLAB_RESPONSE" else - warningf "Terraform init was not successful. The Terraform state on GitLab was not deleted." + warningf "OpenTofu init was not successful. The OpenTofu state on GitLab was not deleted." fi else errorf "'gitlab_backend=false', all GitLab variables are provided," errorf "but the Terrafrom state file could not be found on GitLab in order to migrate from 'http' to 'local'." - errorf "(1) If you want to migrate, make sure the Terraform state file exists on GitLab." + errorf "(1) If you want to migrate, make sure the OpenTofu state file exists on GitLab." errorf "(2) If you want to init a cluster with local backend," errorf "make sure that all the following GitLab variables are unset:" for var in "${all_gitlab_vars[@]}"; do diff --git a/docs/developer/guide/coding-guide.rst b/docs/developer/guide/coding-guide.rst index b6cd1c4af..811ca4d9c 100644 --- a/docs/developer/guide/coding-guide.rst +++ b/docs/developer/guide/coding-guide.rst @@ -311,7 +311,7 @@ Use ``to_json`` in templates when writing YAML or JSON effects or syntax errors can occur. ``to_json`` will properly encode the data. -Terraform Styleguide +OpenTofu Styleguide -------------------- Use jsonencode in templates when writing YAML diff --git a/docs/developer/guide/simulate-bm.rst b/docs/developer/guide/simulate-bm.rst index 87f0bcacc..9840f1000 100644 --- a/docs/developer/guide/simulate-bm.rst +++ b/docs/developer/guide/simulate-bm.rst 
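Review bot: The context line `errorf "but the Terrafrom state file could not be found on GitLab in order to migrate from 'http' to 'local'."` in the `tf_init` hunk was skipped by the rename, presumably because of the misspelling, so the commit's stated goal of replacing all Terraform mentions is incomplete here; change it to `errorf "but the OpenTofu state file could not be found on GitLab in order to migrate from 'http' to 'local'."`. The body of `tf_init` starts and ends outside this hunk.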
@@ -6,7 +6,7 @@ can be simulated with OpenStack resources. That's useful if you want to verify this use case without having spare hardware available to do so. -The general approach is to utilize the Terraform stage +The general approach is to utilize the OpenTofu stage to create the harbour infrastructure but then disable and remove everything in the environment that is specific to the Openstack based setup path @@ -21,7 +21,7 @@ Cluster repository initialization Follow the cluster :doc:`initialization documentation`. Disable Wireguard, -but enable Terraform because we want to use it to create +but enable OpenTofu because we want to use it to create OpenStack resources, and configure the infrastructure layer. @@ -99,7 +99,7 @@ Reconfigure the inventory ``inventory/yaook-k8s/hosts``: Also remove the ``[gateways]`` section from ``config/hosts`` and replace ``gateways`` with ``masters`` in the ``[frontend:children]`` section. -We can now disable Terraform: +We can now disable OpenTofu: .. code:: nix @@ -138,13 +138,13 @@ Creating and attaching a floating ip to the jump host: The jump host should be accessible via the attached floating IP now. We still want to harden it though. For the LCM to work, we have to adjust the hosts file -which has been created previously by Terraform +which has been created previously by OpenTofu ``config/hosts``. * Set ``openstack.enabled`` to ``false`` -* Set ``networking_fixed_ip`` to the networking fixed ip created by Terraform +* Set ``networking_fixed_ip`` to the networking fixed ip created by OpenTofu * Check out the following vars-file: ``inventory/yaook-k8s/group_vars/all/terraform_networking-trampoline.yaml`` -* Set ``subnet_cidr`` to the subnet cidr created by Terraform (and configured above) +* Set ``subnet_cidr`` to the subnet cidr created by OpenTofu (and configured above) * Check out the following vars-file: ``inventory/yaook-k8s/group_vars/all/terraform_networking-trampoline.yaml`` * Add the jump host as target 
diff --git a/docs/user/explanation/dualstack.rst b/docs/user/explanation/dualstack.rst index bf15afa9c..e5b2e7170 100644 --- a/docs/user/explanation/dualstack.rst +++ b/docs/user/explanation/dualstack.rst @@ -42,7 +42,7 @@ Prerequisites - Calico ``v3.11`` or later - For managed YAOOK/K8s on OpenStack clusters: - - Terraform ``v0.12`` or later + - OpenTofu ``v0.12`` or later - `ch-k8s-lbaas `__ ``v0.3.3`` or later @@ -58,7 +58,7 @@ Adjust your config to meet the following statements: - specify ``terraform.subnet_v6_cidr`` - - this is the IPv6 subnet that will be created via Terraform + - this is the IPv6 subnet that will be created via OpenTofu - e.g.: - ``terraform.subnet_v6_cidr = "fd00::/120"`` @@ -87,12 +87,12 @@ DualStack-Support in OpenStack A Kubernetes cluster with DualStack support requires IPv4 and IPv6 connectivity between the cluster nodes. As we are deploying on top of -OpenStack, we need to adjust Terraform to fulfill the prerequisites. +OpenStack, we need to adjust OpenTofu to fulfill the prerequisites. In order for pods to be reachable from the outside world over IPv6 the cluster nodes must provide this IPv6 connectivity. This is enabled with the dual stack support option -and rolled out on the underlying OpenStack nodes via Terraform. +and rolled out on the underlying OpenStack nodes via OpenTofu. `Enabling a DualStack network `__ in OpenStack requires: @@ -154,7 +154,7 @@ DualStack support for the K8s control plane The ``controlPlaneEndpoint`` either has to be *one* IP address or a domain name. Because using a domain name would lead to the DNS resolution overhead, we decided to let the control plane be IPv4-only -for now. However, a VIPv6 is created via Terraform and configured in +for now. However, a VIPv6 is created via OpenTofu and configured in HAProxy such that it can be used to connect to the control plane. IPv6 load-balanced services 
diff --git a/docs/user/guide/monitoring/prometheus-stack.rst b/docs/user/guide/monitoring/prometheus-stack.rst index 8145a9d7e..d2af8a61a 100644 --- a/docs/user/guide/monitoring/prometheus-stack.rst +++ b/docs/user/guide/monitoring/prometheus-stack.rst @@ -217,7 +217,7 @@ Automated bucket management is created on top of OpenStack and a valid OpenStack RC file is sourced. This method is enabled by default. -This will let Terraform create an object storage container +This will let OpenTofu create an object storage container inside your OpenStack project and automatically configures Thanos to use that container as primary storage. diff --git a/docs/user/reference/actions-references.rst b/docs/user/reference/actions-references.rst index ca85f95c3..e1c542447 100644 --- a/docs/user/reference/actions-references.rst +++ b/docs/user/reference/actions-references.rst @@ -220,7 +220,7 @@ of the gateway nodes in front of the Kubernetes cluster. .. figure:: /img/apply-terraform.svg :scale: 80% - :alt: Apply Terraform Script Visualization + :alt: Apply OpenTofu Script Visualization :align: center | @@ -369,8 +369,8 @@ For further information on Ansible meta information take a look ``manual-terraform.sh`` ----------------------- -This is a thin wrapper around Terraform. The arguments are passed on to -Terraform, and the environment for it is set to use the same module and +This is a thin wrapper around OpenTofu. The arguments are passed on to +OpenTofu, and the environment for it is set to use the same module and state as when run from ``apply-terraform.sh``. This is useful for operational interventions, debugging and development diff --git a/docs/user/reference/cluster-configuration.rst b/docs/user/reference/cluster-configuration.rst index 65bd018d1..9cf0ef3c5 100644 --- a/docs/user/reference/cluster-configuration.rst +++ b/docs/user/reference/cluster-configuration.rst 
@@ -25,7 +25,7 @@ The cluster repository layout ├── state/ # Auto-generated files that need to be preserved. MUST be checked into version control │ ├── wireguard/ │ │ └── ipam.toml # WireGuard IP address management - │ ├── terraform/ # Terraform specific state files + │ ├── terraform/ # OpenTofu specific state files ┊ ┊ The ``./config`` directory is completely handled by the user. diff --git a/docs/user/reference/cluster-repository.rst b/docs/user/reference/cluster-repository.rst index b4bff0cbc..3a9aacdbd 100644 --- a/docs/user/reference/cluster-repository.rst +++ b/docs/user/reference/cluster-repository.rst @@ -7,7 +7,7 @@ consists of: - The version of the LCM code to deploy the cluster - The version of the WireGuard user information -- State of Terraform +- State of OpenTofu - State of the WireGuard IP address management (IPAM) - Secrets and credentials obtained while deploying the cluster - A :doc:`configuration ` file which @@ -40,13 +40,13 @@ will most certainly have more files than these. ├── state/ # Place for state files │ ├── wireguard/ │ | └── ipam.toml # WireGuard IPAM - │ ├── terraform/ # Terraform specific state files + │ ├── terraform/ # OpenTofu specific state files │ | ├── .terraform/ │ | │ └── plugins/ │ | │ └── linux_amd64/ - │ | │ └── lock.json # Terraform plugin version lock - │ | ├── terraform.tfstate # Terraform state - │ | └── terraform.tfstate.backup # Terraform state backup + │ | │ └── lock.json # OpenTofu plugin version lock + │ | ├── terraform.tfstate # OpenTofu state + │ | └── terraform.tfstate.backup # OpenTofu state backup ├── vault/ # Local vault data ├── .envrc # direnv (environment variables) configuration ├── .gitattributes diff --git a/docs/user/reference/environmental-variables.rst b/docs/user/reference/environmental-variables.rst index be62b2316..51df78ae6 100644 --- a/docs/user/reference/environmental-variables.rst +++ b/docs/user/reference/environmental-variables.rst 
@@ -99,7 +99,7 @@ provide. - These **MUST** be set if you want to deploy on OpenStack. -- These variables are used by Terraform to create, maintain and destroy +- These variables are used by OpenTofu to create, maintain and destroy the underlying harbour infrastructure layer. They are also needed by the `Cloud Controller Manager `__ when applying the k8s-base layer. @@ -167,9 +167,9 @@ Environment Variable Default ``MANAGED_K8S_GIT_BRANCH`` If set and ``MANAGED_K8S_LATEST_RELEASE`` set to ``false``, the specified branch will be checked out by ``init-cluster-repo.sh``. -``TERRAFORM_MODULE_PATH`` ``../terraform`` Path to the Terraform root module to +``TERRAFORM_MODULE_PATH`` ``../terraform`` Path to the OpenTofu root module to change the working directory for the - execution of the Terraform commands. + execution of the OpenTofu commands. ======================================= ======================================================================= =================================================== .. _environment-variables.secret-management: 
@@ -265,7 +265,7 @@ operations. Environment Variable Default Description =========================================== =========== =================== ``MANAGED_K8S_RELEASE_THE_KRAKEN`` ``false`` Boolean value which defaults to false. If set to ``true``, this allows the LCM to perform disruptive actions with Ansible. See the documentation on Disruption actions for details. By default, Ansible will avoid to perform any actions which could cause a loss of data or loss of availability to the customer. This comes at the cost of not performing certain operations or refusing to continue at some places. -``MANAGED_K8S_DISRUPT_THE_HARBOUR`` ``false`` Boolean value which defaults to false. If set to ``true``, this allows the LCM to perform disruptive actions to the harbour infrastructure (with Terraform). +``MANAGED_K8S_DISRUPT_THE_HARBOUR`` ``false`` Boolean value which defaults to false. If set to ``true``, this allows the LCM to perform disruptive actions to the harbour infrastructure (with OpenTofu). ``MANAGED_K8S_NUKE_FROM_ORBIT`` ``false`` Boolean value which defaults to false. If set to ``true``, it will delete all Thanos monitoring data from the object store before destruction. ``MANAGED_K8S_IGNORE_WIREGUARD_ROUTE`` By default, ``wg-up.sh`` will check if an explicit route for the cluster network exists on your machine. If such a route exists and does not belong to the wireguard interface set via ``wg_conf_name``, the script will abort with an error. The reason for that is that it is unlikely that you’ll be able to connect to the cluster this way and that weird stuff is bound to happen. If you know what you’re doing (I certainly don’t), you can set to any non-empty value to override this check. ``AFLAGS`` This allows to pass additional flags to Ansible. The variable is interpolated into the ansible call without further quoting, so it can be used to do all kinds of fun stuff. 
A primary use is to force diff output or only execute some tags: ``AFLAGS="--diff -t some-tag"``. diff --git a/docs/user/reference/options/yk8s.infra.rst b/docs/user/reference/options/yk8s.infra.rst index 9df8bc8dc..7330ddae1 100644 --- a/docs/user/reference/options/yk8s.infra.rst +++ b/docs/user/reference/options/yk8s.infra.rst @@ -10,7 +10,7 @@ Infra Configuration ^^^^^^^^^^^^^^^^^^^ This section contains various configuration options necessary for all -cluster types, Terraform and bare-metal based. +cluster types, OpenTofu and bare-metal based. .. _configuration-options.yk8s.infra.cluster_name: diff --git a/docs/user/reference/options/yk8s.openstack.rst b/docs/user/reference/options/yk8s.openstack.rst index 89260a83a..3bca1dc2c 100644 --- a/docs/user/reference/options/yk8s.openstack.rst +++ b/docs/user/reference/options/yk8s.openstack.rst @@ -14,14 +14,14 @@ yk8s.openstack It defaults to the number of elements in the ``azs`` array when ``spread_gateways_across_azs=true`` and 3 otherwise. -.. [1] Caveat: Changing the role of a Terraform node +.. [1] Caveat: Changing the role of a OpenTofu node will completely rebuild the node. .. attention:: You must configure at least one master node. -You can add and delete Terraform nodes simply +You can add and delete OpenTofu nodes simply by adding and removing their entries to/from the config or tuning ``gateway_count`` for gateway nodes. Consider the following example: diff --git a/docs/user/reference/options/yk8s.terraform.rst b/docs/user/reference/options/yk8s.terraform.rst index e7e4a43bd..d42ee6d66 100644 --- a/docs/user/reference/options/yk8s.terraform.rst +++ b/docs/user/reference/options/yk8s.terraform.rst 
@@ -4,11 +4,11 @@ yk8s.terraform
 ^^^^^^^^^^^^^^
-Gitlab Terraform backend
+Gitlab OpenTofu backend
 """"""""""""""""""""""""
-To activate automatic backend of Terraform statefiles to Gitlab,
-adapt the Terraform section of your config:
+To activate automatic backend of OpenTofu statefiles to Gitlab,
+adapt the OpenTofu section of your config:
 set `gitlab_backend` to True, set the URL of the Gitlab project and the name of the Gitlab state object.
@@ -30,20 +30,20 @@ read/write access to the API.
 Please see GitLab documentation for creating a `personal access token `__.
-To successful migrate from the "local" to "http" Terraform backend method,
+To successful migrate from the "local" to "http" OpenTofu backend method,
 ensure that `gitlab_backend` is set to `true` and all other required variables are set correctly. Incorrect data entry may result in an HTTP error respond, such as a HTTP/401 error for incorrect credentials. Assuming correct credentials in the case of an HTTP/404 error,
-Terraform is executed and the state is migrated to Gitlab.
+OpenTofu is executed and the state is migrated to Gitlab.
-To migrate from the "http" to "local" Terraform backend method,
+To migrate from the "http" to "local" OpenTofu backend method,
 set `gitlab_backend=false`, `MANAGED_K8S_NUKE_FROM_ORBIT=true`, and assume that all variables above are properly set
-and the Terraform state exists on GitLab.
+and the OpenTofu state exists on GitLab.
 Once the migration is successful, unset the variables above to continue using the "local" backend method.
@@ -79,8 +79,8 @@ https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix
 ``yk8s.terraform.gitlab_backend``
 #################################
-Whether to enable GitLab-managed Terraform backend
-If true, the Terraform state will be stored inside the provided gitlab project.
+Whether to enable GitLab-managed OpenTofu backend
+If true, the OpenTofu state will be stored inside the provided gitlab project.
 If set, the environment `TF_HTTP_USERNAME` and `TF_HTTP_PASSWO = mkOptionD` must be configured in a separate file `~/.config/yaook-k8s/env`. .
@@ -158,7 +158,7 @@ https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix
 ``yk8s.terraform.gitlab_state_name``
 ####################################
-The name of the Gitlab state object in which to store the Terraform state, e.g. 'tf-state'
+The name of the Gitlab state object in which to store the OpenTofu state, e.g. 'tf-state'
 **Type:**::
@@ -185,7 +185,7 @@ https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix
 ``yk8s.terraform.prevent_disruption``
 #####################################
-If true, prevent Terraform from performing disruptive action
+If true, prevent OpenTofu from performing disruptive action
 defaults to true if unset
diff --git a/nix/dependencies.nix b/nix/dependencies.nix
index 29d3556a7..0239b5133 100644
--- a/nix/dependencies.nix
+++ b/nix/dependencies.nix
@@ -36,6 +36,11 @@
 openssh
 openssl
 opentofu
+# provide a wrapper to ensure backwards compatibility
+(writeScriptBin "terraform" ''
+#!/usr/bin/env bash
+exec tofu $@
+'')
 pre-commit
 util-linux # for uuidgen
 ];
diff --git a/nix/yk8s/infra.nix b/nix/yk8s/infra.nix
index ad5a73afe..d49beeff1 100644
--- a/nix/yk8s/infra.nix
+++ b/nix/yk8s/infra.nix
@@ -21,7 +21,7 @@ in {
 ^^^^^^^^^^^^^^^^^^^
 This section contains various configuration options necessary for all
-cluster types, Terraform and bare-metal based.
+cluster types, OpenTofu and bare-metal based.
 '';
 cluster_name = mkOption {
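Review bot: The `terraform` wrapper added in nix/dependencies.nix forwards its arguments unquoted (`exec tofu $@`), so any argument containing whitespace or glob characters — a `-var='key=some value'`, or a path with spaces — is word-split and glob-expanded by bash before it reaches tofu, silently changing the invocation; it should read `exec tofu "$@"`. The script also resolves `tofu` through the caller's PATH at run time instead of the package it sits next to in this list; since `opentofu` is in scope here, `exec ${opentofu}/bin/tofu "$@"` would pin it (assuming the package installs its binary as bin/tofu, which the current `exec tofu` line implies). `writeShellScriptBin` in place of `writeScriptBin` would additionally use the nixpkgs shell as interpreter and syntax-check the script at build time, replacing the hand-written `#!/usr/bin/env bash`. The enclosing list starts before the hunk.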
diff --git a/nix/yk8s/node-scheduling.nix b/nix/yk8s/node-scheduling.nix
index 23fddb008..4dd4dac24 100644
--- a/nix/yk8s/node-scheduling.nix
+++ b/nix/yk8s/node-scheduling.nix
@@ -48,7 +48,7 @@ in {
 builtins.seq (builtins.all (e: if config.yk8s.terraform.enabled -> builtins.elem e nodeNames then true
-else throw "(node-scheduling) Label defined for ${e}, but node not found in Terraform config") (builtins.attrNames v))
+else throw "(node-scheduling) Label defined for ${e}, but node not found in OpenTofu config") (builtins.attrNames v))
 v;
 };
 taints = mkOption {
@@ -66,7 +66,7 @@ in {
 builtins.seq (builtins.all (e: if config.yk8s.terraform.enabled -> builtins.elem e nodeNames then true
-else throw "(node-scheduling) Taint defined for ${e}, but node not found in Terraform config") (builtins.attrNames v))
+else throw "(node-scheduling) Taint defined for ${e}, but node not found in OpenTofu config") (builtins.attrNames v))
 v;
 };
 };
diff --git a/nix/yk8s/openstack.nix b/nix/yk8s/openstack.nix
index 11378334e..1c7b7f7c4 100644
--- a/nix/yk8s/openstack.nix
+++ b/nix/yk8s/openstack.nix
@@ -39,7 +39,7 @@
 };
 };
 # NOTE: Some options are not used by Ansible but other parts of the LCM,
-# such as Terraform. Therefore they are filtered out.
+# such as OpenTofu. Therefore they are filtered out.
 nonAnsibleOptions = [
 "public_network"
 "keypair"
@@ -70,14 +70,14 @@ in {
 It defaults to the number of elements in the ``azs`` array when ``spread_gateways_across_azs=true`` and 3 otherwise.
-.. [1] Caveat: Changing the role of a Terraform node
+.. [1] Caveat: Changing the role of a OpenTofu node
 will completely rebuild the node.
 .. attention::
 You must configure at least one master node.
-You can add and delete Terraform nodes simply
+You can add and delete OpenTofu nodes simply
 by adding and removing their entries to/from the config or tuning ``gateway_count`` for gateway nodes. Consider the following example:
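Review bot: The reworded throw messages in both node-scheduling.nix hunks (`... but node not found in OpenTofu config`) now point users at a configuration section that does not exist under that name: the guard on the line above still reads `config.yk8s.terraform.enabled`, and the options section keeps the name `yk8s.terraform` throughout this commit. Naming the real option path is more actionable for someone reading the error, e.g. `... but node not found in yk8s.terraform config`. Both hunks sit inside option definitions that start before the hunk.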
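Review bot: The rewritten description text in the openstack.nix hunk reads `a OpenTofu node`; the article should be `an` since the name starts with a vowel sound: `.. [1] Caveat: Changing the role of an OpenTofu node`. The same wording appears in the docs/user/reference/options/yk8s.openstack.rst hunk, which presumably is rendered from this description, so fixing it here is the place to do it.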
@@ -328,7 +328,7 @@ in {
 }
 {
 assertion = config.yk8s.infra.ipv4_enabled;
-message = "YAOOK/k8s Terraform does not yet support IPv6-only, see #685";
+message = "YAOOK/k8s OpenTofu does not yet support IPv6-only, see #685";
 }
 (let
 current_config_file =
diff --git a/nix/yk8s/terraform.nix b/nix/yk8s/terraform.nix
index 5ded0a574..46f37c9b2 100644
--- a/nix/yk8s/terraform.nix
+++ b/nix/yk8s/terraform.nix
@@ -17,7 +17,7 @@
 inherit (builtins) fromJSON readFile pathExists length;
 tfvars_file_path = "terraform/config.tfvars.json";
-openstackTerraformOptions = [
+openstackOpenTofuOptions = [
 "public_network"
 "keypair"
 "azs"
@@ -33,7 +33,7 @@
 "worker_defaults"
 "nodes"
 ];
-infraTerraformOptions = [
+infraOpenTofuOptions = [
 "cluster_name"
 "ipv4_enabled"
 "ipv6_enabled"
@@ -67,11 +67,11 @@ in {
 options.yk8s.terraform = mkTopSection {
 _docs.order = 1;
 _docs.preface = ''
-Gitlab Terraform backend
+Gitlab OpenTofu backend
 """"""""""""""""""""""""
-To activate automatic backend of Terraform statefiles to Gitlab,
-adapt the Terraform section of your config:
+To activate automatic backend of OpenTofu statefiles to Gitlab,
+adapt the OpenTofu section of your config:
 set `gitlab_backend` to True, set the URL of the Gitlab project and the name of the Gitlab state object.
@@ -93,20 +93,20 @@ in {
 Please see GitLab documentation for creating a `personal access token `__.
-To successful migrate from the "local" to "http" Terraform backend method,
+To successful migrate from the "local" to "http" OpenTofu backend method,
 ensure that `gitlab_backend` is set to `true` and all other required variables are set correctly. Incorrect data entry may result in an HTTP error respond, such as a HTTP/401 error for incorrect credentials. Assuming correct credentials in the case of an HTTP/404 error,
-Terraform is executed and the state is migrated to Gitlab.
+OpenTofu is executed and the state is migrated to Gitlab.
-To migrate from the "http" to "local" Terraform backend method,
+To migrate from the "http" to "local" OpenTofu backend method,
 set `gitlab_backend=false`, `MANAGED_K8S_NUKE_FROM_ORBIT=true`, and assume that all variables above are properly set
-and the Terraform state exists on GitLab.
+and the OpenTofu state exists on GitLab.
 Once the migration is successful, unset the variables above to continue using the "local" backend method.
@@ -123,7 +123,7 @@ in {
 prevent_disruption = mkOption {
 description = ''
-If true, prevent Terraform from performing disruptive action
+If true, prevent OpenTofu from performing disruptive action
 defaults to true if unset
 '';
 type = types.bool;
@@ -136,8 +136,8 @@ in {
 };
 gitlab_backend = mkEnableOption ''
-GitLab-managed Terraform backend
-If true, the Terraform state will be stored inside the provided gitlab project.
+GitLab-managed OpenTofu backend
+If true, the OpenTofu state will be stored inside the provided gitlab project.
 If set, the environment `TF_HTTP_USERNAME` and `TF_HTTP_PASSWO = mkOptionD` must be configured in a separate file `~/.config/yaook-k8s/env`.
 '';
@@ -169,7 +169,7 @@ in {
 gitlab_state_name = mkOption {
 description = ''
-The name of the Gitlab state object in which to store the Terraform state, e.g. 'tf-state'
+The name of the Gitlab state object in which to store the OpenTofu state, e.g. 'tf-state'
 '';
 type = with types; nullOr nonEmptyStr;
 default = null;
@@ -190,7 +190,7 @@ in {
 if config.yk8s.state_directory != null && builtins.pathExists "${config.yk8s.state_directory}/${source}" then [(linkToPath "${config.yk8s.state_directory}/${source}" target)] else
-builtins.trace "INFO: ${config.yk8s._state_base_path}/${source} does not yet exist. Terraform stage needs to be run first."
+builtins.trace "INFO: ${config.yk8s._state_base_path}/${source} does not yet exist. OpenTofu stage needs to be run first."
 [];
 in (linkTfstateIfExists "terraform/rendered/hosts" "hosts")
@@ -200,12 +200,12 @@ in {
 _state_packages = [
 (
 let
-filteredTerraformCfg = yk8s-lib.removeAttrsByPath config.yk8s.terraform [["enabled"] ["prevent_disruption"]];
-filteredInfraCfg = lib.attrsets.getAttrs infraTerraformOptions config.yk8s.infra;
-filteredOpenstackCfg = lib.attrsets.getAttrs openstackTerraformOptions config.yk8s.openstack;
+filteredOpenTofuCfg = yk8s-lib.removeAttrsByPath config.yk8s.terraform [["enabled"] ["prevent_disruption"]];
+filteredInfraCfg = lib.attrsets.getAttrs infraOpenTofuOptions config.yk8s.infra;
+filteredOpenstackCfg = lib.attrsets.getAttrs openstackOpenTofuOptions config.yk8s.openstack;
 mergedCfg = builtins.foldl' (acc: e: lib.attrsets.recursiveUpdate acc (removeObsoleteOptions e)) {}
-[filteredTerraformCfg filteredInfraCfg filteredOpenstackCfg];
+[filteredOpenTofuCfg filteredInfraCfg filteredOpenstackCfg];
 transformations = [filterInternal filterNull];
 varsFile = mkJson "tfvars.json" (pipe mergedCfg transformations);
 in (pkgs.runCommandLocal "tfvars.json" {} ''
diff --git a/templates/yaook-k8s-env.template.sh b/templates/yaook-k8s-env.template.sh
index 789083ad4..8056a502e 100644
--- a/templates/yaook-k8s-env.template.sh
+++ b/templates/yaook-k8s-env.template.sh
@@ -33,7 +33,7 @@ export TF_VAR_keypair='firstnamelastname-hostname-gendate'
 # Set to true if you are using rootless docker or podman
 #VAULT_IN_DOCKER_USE_ROOTLESS=true
-# Terraform backup on Gitlab: To store the state remotely in a gitlab repo,
+# OpenTofu backup on Gitlab: To store the state remotely in a gitlab repo,
 # Gitlab username and Gitlab token must be configured here.
 # The token needs API scope and at least maintainer permissions.
 #export TF_HTTP_USERNAME=""
-- 
GitLab