Add terraform for provisioning s390x build cluster on ibmcloud

Signed-off-by: Sudharshan Muralidharan <[email protected]>

Author: sudharshanibm

infra/ibmcloud/terraform/k8s-s390x-build-cluster/bastion.tf

@@ -0,0 +1,129 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+resource "ibm_is_instance" "bastion" {
+  count          = var.bastion.count
+  name           = "bastion-s390x-${count.index + 1}"
+  vpc            = data.ibm_is_vpc.vpc.id
+  zone           = var.zone
+  profile        = var.bastion.profile
+  image          = var.image_id
+  keys           = [ibm_is_ssh_key.k8s_ssh_key.id]
+  resource_group = data.ibm_resource_group.resource_group.id
+  primary_network_interface {
+    name            = "public-nic"
+    subnet          = data.ibm_is_subnet.subnet.id
+    security_groups = [data.ibm_is_security_group.bastion_sg.id]
+  }
+
+  boot_volume {
+    name = "boot-vol-bastion-${count.index}"
+    size = var.bastion.boot_volume.size
+  }
+
+  user_data = <<-EOF
+              #cloud-config
+              package_update: true
+              package_upgrade: true
+              packages:
+                - tcpdump
+                - net-tools
+                - iptables-persistent
+              write_files:
+                - path: /etc/ssh/sshd_config.d/99-bastion.conf
+                  content: |
+                    AllowTcpForwarding yes
+                    GatewayPorts yes
+                    PermitTunnel yes
+                    PermitRootLogin prohibit-password
+                    PasswordAuthentication no
+                    ClientAliveInterval 120
+                    ClientAliveCountMax 3
+                    MaxSessions 50
+                    MaxStartups 50:30:100
+                - path: /etc/systemd/network/10-eth1.network
+                  content: |
+                    [Match]
+                    Name=eth1
+                    [Network]
+                    Address=${data.ibm_is_subnet.subnet.ipv4_cidr_block}
+                    DNS=8.8.8.8
+                    DNS=8.8.4.4
+              runcmd:
+                - [sysctl, -w, net.ipv4.ip_forward=1]
+                - [echo, "net.ipv4.ip_forward = 1", ">>", /etc/sysctl.conf]
+                - [iptables, -t, nat, -A, POSTROUTING, -o, eth0, -j, MASQUERADE]
+                - [iptables, -A, FORWARD, -i, eth1, -o, eth0, -j, ACCEPT]
+                - [iptables, -A, FORWARD, -i, eth0, -o, eth1, -m, state, --state, RELATED,ESTABLISHED, -j, ACCEPT]
+                - [netfilter-persistent, save]
+                - [systemctl, restart, systemd-networkd]
+                - [systemctl, restart, sshd]
+                - [hostnamectl, set-hostname, "bastion-s390x-${count.index + 1}.s390x-vpc.cloud.ibm.com"]
+                - [echo, "bastion-s390x-${count.index + 1}.s390x-vpc.cloud.ibm.com", ">", /etc/hostname]
+                - [sed, -i, "s/^127.0.1.1.*/127.0.1.1\tbastion-s390x-${count.index + 1}.s390x-vpc.cloud.ibm.com/", /etc/hosts]
+              EOF
+}
+
+resource "ibm_is_floating_ip" "bastion_fip" {
+  count          = var.bastion.count
+  name           = "bastion-fip-${count.index}"
+  target         = ibm_is_instance.bastion[count.index].primary_network_interface[0].id
+  resource_group = data.ibm_resource_group.resource_group.id
+}
+
+resource "time_sleep" "wait_for_bastion" {
+  count      = var.bastion.count
+  depends_on = [ibm_is_floating_ip.bastion_fip]
+
+  create_duration = "180s" # Wait 3 minutes for full initialization
+}
+
+resource "null_resource" "bastion_setup" {
+  count      = var.bastion.count
+  depends_on = [time_sleep.wait_for_bastion]
+
+  connection {
+    type        = "ssh"
+    user        = "root"
+    host        = ibm_is_floating_ip.bastion_fip[count.index].address
+    private_key = data.ibm_sm_arbitrary_secret.ssh_private_key.payload
+    timeout     = "5m"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      # Network verification
+      "echo '=== Network Interfaces ==='",
+      "ip -4 addr show",
+      "echo '=== Routing Table ==='",
+      "ip route",
+      "echo '=== NAT Configuration ==='",
+      "iptables -t nat -L -n -v",
+      "echo '=== IP Forwarding ==='",
+      "sysctl net.ipv4.ip_forward",
+
+      # Hostname verification
+      "echo '=== Hostname ==='",
+      "hostname",
+      "hostnamectl",
+      "cat /etc/hostname",
+
+      # Final security updates
+      "command -v apt-get >/dev/null && apt-get update -y && apt-get upgrade -y --security || true",
+      "command -v yum >/dev/null && yum update -y --security || true",
+      "command -v dnf >/dev/null && dnf update -y --security || true"
+    ]
+  }
+}

infra/ibmcloud/terraform/k8s-s390x-build-cluster/data.tf

@@ -0,0 +1,55 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+data "ibm_resource_group" "resource_group" {
+  name = "rg-build-cluster"
+}
+
+data "ibm_is_vpc" "vpc" {
+  name = "k8s-s390x-vpc"
+}
+
+data "ibm_is_subnet" "subnet" {
+  name = "k8s-s390x-subnet"
+}
+
+data "ibm_is_security_group" "bastion_sg" {
+  name = "k8s-vpc-s390x-bastion-sg"
+  vpc  = data.ibm_is_vpc.vpc.id
+}
+
+data "ibm_is_security_group" "master_sg" {
+  name = "k8s-vpc-s390x-master-sg"
+  vpc  = data.ibm_is_vpc.vpc.id
+}
+
+data "ibm_is_security_group" "worker_sg" {
+  name = "k8s-vpc-s390x-worker-sg"
+  vpc  = data.ibm_is_vpc.vpc.id
+}
+
+data "ibm_sm_arbitrary_secret" "ssh_private_key" {
+  instance_id       = var.secrets_manager_id
+  region            = var.region
+  name              = "zvsi-ssh-private-key"
+  secret_group_name = "default"
+}
+
+data "ibm_sm_arbitrary_secret" "ssh_public_key" {
+  instance_id       = var.secrets_manager_id
+  region            = var.region
+  name              = "zvsi-ssh-public-key"
+  secret_group_name = "default"
+}

infra/ibmcloud/terraform/k8s-s390x-build-cluster/load_balancer.tf

@@ -0,0 +1,50 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+resource "ibm_is_lb" "k8s_load_balancer" {
+  name            = "k8s-s390x-lb"
+  type            = "public"
+  subnets         = [data.ibm_is_subnet.subnet.id]
+  resource_group  = data.ibm_resource_group.resource_group.id
+  security_groups = [data.ibm_is_security_group.master_sg.id]
+}
+
+resource "ibm_is_lb_pool" "k8s_api_pool" {
+  name                = "k8s-api-server-pool"
+  lb                  = ibm_is_lb.k8s_load_balancer.id
+  protocol            = "tcp"
+  algorithm           = "round_robin"
+  health_delay        = 5
+  health_retries      = 2
+  health_timeout      = 2
+  health_type         = "tcp"
+  health_monitor_url  = "/"
+  health_monitor_port = 6443
+}
+
+resource "ibm_is_lb_listener" "k8s_api_listener" {
+  lb           = ibm_is_lb.k8s_load_balancer.id
+  protocol     = "tcp"
+  port         = 6443
+  default_pool = ibm_is_lb_pool.k8s_api_pool.pool_id
+}
+
+resource "ibm_is_lb_pool_member" "k8s_api_members" {
+  count          = var.control_plane.count
+  lb             = ibm_is_lb.k8s_load_balancer.id
+  pool           = ibm_is_lb_pool.k8s_api_pool.pool_id
+  port           = 6443
+  target_address = ibm_is_instance.control_plane[count.index].primary_network_interface[0].primary_ipv4_address
+}

infra/ibmcloud/terraform/k8s-s390x-build-cluster/nodes.tf

@@ -0,0 +1,84 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+resource "ibm_is_ssh_key" "k8s_ssh_key" {
+  name           = "k8s-s390x-ssh-key"
+  public_key     = data.ibm_sm_arbitrary_secret.ssh_public_key.payload
+  resource_group = data.ibm_resource_group.resource_group.id
+}
+
+resource "ibm_is_instance" "control_plane" {
+  count          = var.control_plane.count
+  name           = "master-s390x-${count.index + 1}"
+  vpc            = data.ibm_is_vpc.vpc.id
+  zone           = var.zone
+  profile        = var.control_plane.profile
+  image          = var.image_id
+  keys           = [ibm_is_ssh_key.k8s_ssh_key.id]
+  resource_group = data.ibm_resource_group.resource_group.id
+
+  primary_network_interface {
+    subnet          = data.ibm_is_subnet.subnet.id
+    security_groups = [data.ibm_is_security_group.master_sg.id]
+  }
+
+  boot_volume {
+    name = "boot-vol-master-${count.index + 1}"
+    size = var.control_plane.boot_volume.size
+  }
+}
+
+resource "ibm_is_instance" "compute" {
+  count          = var.compute.count
+  name           = "worker-s390x-${count.index + 1}"
+  vpc            = data.ibm_is_vpc.vpc.id
+  zone           = var.zone
+  profile        = var.compute.profile
+  image          = var.image_id
+  keys           = [ibm_is_ssh_key.k8s_ssh_key.id]
+  resource_group = data.ibm_resource_group.resource_group.id
+
+  primary_network_interface {
+    subnet          = data.ibm_is_subnet.subnet.id
+    security_groups = [data.ibm_is_security_group.worker_sg.id]
+  }
+
+  boot_volume {
+    name = "boot-vol-worker-${count.index + 1}"
+    size = var.compute.boot_volume.size
+  }
+}
+
+resource "null_resource" "node_setup" {
+  for_each = merge(
+    { for idx, instance in ibm_is_instance.control_plane : "master-${idx}" => instance },
+    { for idx, instance in ibm_is_instance.compute : "worker-${idx}" => instance }
+  )
+  depends_on = [time_sleep.wait_for_bastion]
+  triggers = {
+    instance_id = each.value.id
+    retry_count = 0
+  }
+  connection {
+    type         = "ssh"
+    user         = "root"
+    host         = each.value.primary_network_interface[0].primary_ipv4_address
+    private_key  = data.ibm_sm_arbitrary_secret.ssh_private_key.payload
+    bastion_host = ibm_is_floating_ip.bastion_fip[0].address
+    timeout      = "5m"
+    agent        = false
+
+  }
+}

infra/ibmcloud/terraform/k8s-s390x-build-cluster/outputs.tf

@@ -0,0 +1,43 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+output "bastion_public_ips" {
+  description = "Public Floating IP(s) assigned to the bastion"
+  value       = ibm_is_floating_ip.bastion_fip[*].address
+}
+
+output "bastion_private_ips" {
+  description = "Private IP address(es) of the bastion host(s)"
+  value       = ibm_is_instance.bastion[*].primary_network_interface[0].primary_ipv4_address
+}
+
+output "master_node_ips" {
+  description = "Private IP addresses of control plane nodes"
+  value       = ibm_is_instance.control_plane[*].primary_network_interface[0].primary_ipv4_address
+}
+
+output "worker_node_ips" {
+  description = "Private IP addresses of worker nodes"
+  value       = ibm_is_instance.compute[*].primary_network_interface[0].primary_ipv4_address
+}
+
+output "api_load_balancer_hostname" {
+  description = "Hostname of the Kubernetes API load balancer"
+  value       = ibm_is_lb.k8s_load_balancer.hostname
+}
+output "subnet_cidr" {
+  description = "CIDR block of the public subnet"
+  value       = data.ibm_is_subnet.subnet.ipv4_cidr_block
+}

infra/ibmcloud/terraform/k8s-s390x-build-cluster/providers.tf

@@ -0,0 +1,32 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+locals {
+  key    = var.ibmcloud_api_key
+  region = "eu-de"
+  zone   = "eu-de-1"
+}
+
+provider "ibm" {
+  ibmcloud_api_key = local.key
+  region           = local.region
+  zone             = local.zone
+}
+
+provider "ibm" {
+  alias            = "vpc"
+  ibmcloud_api_key = local.key
+  region           = "eu-de"
+}