From 2a81c11c8aae57f6a76d00e0a9830a05167c58a4 Mon Sep 17 00:00:00 2001 From: Mauritz Uphoff Date: Wed, 11 Jun 2025 15:07:19 +0200 Subject: [PATCH] cleanup repository --- 00-provider.tf | 4 +- 01-config.tf | 52 ++----------------- 03-network.tf | 9 ---- 04-master.tf | 11 +--- 05-backup.tf | 11 +--- 06-ha.tf | 20 -------- README.md | 71 +++++--------------------- STACKIT-CLI-GUIDE.md | 118 +++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 139 insertions(+), 157 deletions(-) create mode 100644 STACKIT-CLI-GUIDE.md diff --git a/00-provider.tf b/00-provider.tf index 723accf..f508563 100644 --- a/00-provider.tf +++ b/00-provider.tf @@ -13,13 +13,13 @@ terraform { required_providers { stackit = { source = "stackitcloud/stackit" - version = "0.47.0" + version = "0.55.0" } } } # Configure the STACKIT Provider provider "stackit" { - region = "eu01" + default_region = "eu01" service_account_token = var.STACKIT_SERVICE_ACCOUNT_TOKEN } diff --git a/01-config.tf b/01-config.tf index 77c0406..fca8df6 100644 --- a/01-config.tf +++ b/01-config.tf @@ -1,43 +1,3 @@ -/* -Copyright 2023 Schwarz IT KG -Copyright 2024-2025 STACKIT GmbH & Co. KG - -Use of this source code is governed by an MIT-style -license that can be found in the LICENSE file or at -https://opensource.org/licenses/MIT. -*/ - -# -# Custom User Settings -# - -# STACKIT Availability Zone -variable "zone" { - type = string - description = "" - default = "eu01-m" -} - -# STACKIT VM Flavor -variable "flavor" { - type = string - description = "" - default = "c1.2" -} - -# Local VPC Subnet to create STACKIT Network -variable "LOCAL_SUBNET" { - type = string - description = "" - default = "10.0.0.0/24" -} - -############################################ - -# -# System Settings (do not edit) -# - # STACKIT Service Account Token variable "STACKIT_SERVICE_ACCOUNT_TOKEN" { type = string 
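Review bot: The static `service_account_token` is still the only credential in the `provider "stackit"` block of 00-provider.tf, and the move from 0.47.0 to 0.55.0 would be a natural point to replace it. The STACKIT provider also offers a key-based flow (`service_account_key_path`), which avoids passing a long-lived bearer token through a Terraform variable and any tfvars or CI environment it is stored in. If the token stays, the `STACKIT_SERVICE_ACCOUNT_TOKEN` variable should carry `sensitive = true`; its declaration in 01-config.tf is only partly visible in this patch, so that may already be the case.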
@@ -54,13 +14,7 @@ variable "debian_image" { default = "b641bf53-4dd4-4ba9-a1ff-9739920fbe73" } -resource "random_shuffle" "az" { - input = ["eu01-1", "eu01-2", "eu01-3"] - result_count = 1 -} - -# SSH Key Pair -resource "stackit_key_pair" "admin-keypair" { - name = "brunsch-keypair" - public_key = "ssh-rsa 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" +resource "stackit_key_pair" "admin_keypair" { + name = "admin-keypair" + public_key = file("~/.ssh/id_rsa.pub") } diff --git a/03-network.tf b/03-network.tf index 06e05f8..168b8b5 100644 --- a/03-network.tf +++ b/03-network.tf @@ -1,12 +1,3 @@ -/* -Copyright 2023 Schwarz IT KG -Copyright 2024-2025 STACKIT GmbH & Co. KG - -Use of this source code is governed by an MIT-style -license that can be found in the LICENSE file or at -https://opensource.org/licenses/MIT. -*/ - # Create vNET Network resource "stackit_network" "default" { project_id = var.STACKIT_PROJECT_ID diff --git a/04-master.tf b/04-master.tf index 3fbf1b6..7e34a78 100644 --- a/04-master.tf +++ b/04-master.tf @@ -1,12 +1,3 @@ -/* -Copyright 2023 Schwarz IT KG -Copyright 2024-2025 STACKIT GmbH & Co. KG - -Use of this source code is governed by an MIT-style -license that can be found in the LICENSE file or at -https://opensource.org/licenses/MIT. -*/ - # Create virtual Server resource "stackit_server" "example01" { project_id = var.STACKIT_PROJECT_ID @@ -20,7 +11,7 @@ resource "stackit_server" "example01" { } machine_type = "c1.4" availability_zone = "eu01-1" - keypair_name = stackit_key_pair.admin-keypair.name + keypair_name = stackit_key_pair.admin_keypair.name depends_on = [stackit_network_interface.example01] } diff --git a/05-backup.tf b/05-backup.tf index 5fca48c..a1445aa 100644 --- a/05-backup.tf +++ b/05-backup.tf 
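Review bot: `public_key = file("~/.ssh/id_rsa.pub")` in 01-config.tf ties the admin key to whatever default RSA key exists in the home directory of the account running `terraform apply`, so a CI runner or a second operator would register a different key (or fail) for both servers. Taking the path from a variable, for example `public_key = file(var.admin_public_key_path)`, makes the key that receives admin access an explicit, reviewable input. Separately, changing the resource address from `admin-keypair` to `admin_keypair` and the name from `brunsch-keypair` to `admin-keypair` will plan a destroy/create of the key pair on existing state. A `moved` block covers the address change, and the plan should be checked for whether the new `keypair_name` forces replacement of `stackit_server.example01` and `example02`.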
@@ -1,12 +1,3 @@ -/* -Copyright 2023 Schwarz IT KG -Copyright 2024-2025 STACKIT GmbH & Co. KG - -Use of this source code is governed by an MIT-style -license that can be found in the LICENSE file or at -https://opensource.org/licenses/MIT. -*/ - # Create virtual Server resource "stackit_server" "example02" { project_id = var.STACKIT_PROJECT_ID @@ -20,7 +11,7 @@ resource "stackit_server" "example02" { } machine_type = "c1.4" availability_zone = "eu01-2" - keypair_name = stackit_key_pair.admin-keypair.name + keypair_name = stackit_key_pair.admin_keypair.name depends_on = [stackit_network_interface.example02] } diff --git a/06-ha.tf b/06-ha.tf index 11d0bc6..9c30e2d 100644 --- a/06-ha.tf +++ b/06-ha.tf @@ -1,23 +1,3 @@ -/* -Copyright 2023 Schwarz IT KG -Copyright 2024-2025 STACKIT GmbH & Co. KG - -Use of this source code is governed by an MIT-style -license that can be found in the LICENSE file or at -https://opensource.org/licenses/MIT. -*/ - -# Create VIP Port -#resource "terraform_data" "spoke-local-1" { -# provisioner "local-exec" { -# command = "curl --location 'https://iaas.api.eu01.stackit.cloud/v1alpha1/projects/${var.STACKIT_PROJECT_ID}/networks/${stackit_network.default.network_id}/virtual-ips' --header 'Content-Type: application/json' --header 'Authorization: Bearer ${var.STACKIT_SERVICE_ACCOUNT_TOKEN}' --data '{\"ip\":\"10.1.2.10\",\"labels\":{\"key\":\"sap\"},\"members\":[\"${stackit_network_interface.example01.network_interface_id}\",\"${stackit_network_interface.example02.network_interface_id}\"],\"name\":\"vip01\"}'" -# } -# depends_on = [ -# stackit_network_interface.example01, -# stackit_network_interface.example02 -# ] -#} - resource "stackit_network_interface" "vip01" { project_id = var.STACKIT_PROJECT_ID network_id = stackit_network.default.network_id diff --git a/README.md b/README.md index 73cc0cb..1ba25a9 100644 --- a/README.md +++ b/README.md 
@@ -1,67 +1,24 @@ -# Basic HA Setup (VRRP) +# Basic High Availability (HA) Setup Using VRRP -Documentation on how to set up an active passive VRRP Cluster -All the needed Commands use the STACKIT Cli. +This guide provides step-by-step instructions for setting up a basic active/passive Virtual Router Redundancy Protocol (VRRP) high availability (HA) cluster using the STACKIT CLI. This configuration ensures one virtual machine (VM) acts as the active primary node while the other remains on standby as a failover. -Overview core components: +All operations below are performed using the STACKIT CLI. -VRRP Sync between two Virtual Machines including Security Groups and Port Security setup (additional adresses) -![](docs/ha.svg) +## Overview of Core Components -![](docs/vip.svg) +- Two virtual machines in an active/passive configuration. +- VRRP synchronization between the nodes. +- Security group rules for VRRP and ICMP traffic. +- A dedicated internal virtual IP (vIP) bound to a shared NIC port. +- Public IP binding for external access to HA endpoint. -## Basic Network Config -Creation of a STACKIT Network where the VMs and NIC adapters will be placed. -```bash -NETWORKID=$(stackit network create --name demo --ipv4-dns-name-servers "1.1.1.1,8.8.8.8,9.9.9.9" --ipv4-prefix "10.1.2.0/24" -y -o json | jq -r .networkId) -``` +Diagrams: -## Security Groups +- HA Traffic Flow: -Basic Security Group to allow VRRP & ICMP Traffic for failover + ![](docs/ha.svg) -**Create the Security Group**: -```bash -SECGROUPID=$(stackit security-group create --name VRRP -y -o json | jq -r .id) -``` +- vIP Binding Concept: -**Create the Security Rules**: -Allow VRRP & ICMP for testing only -```bash -stackit security-group rule create --security-group-id $SECGROUPID --direction ingress --protocol-name icmp -stackit security-group rule create --security-group-id $SECGROUPID --direction ingress --protocol-name vrrp -``` + ![](docs/vip.svg) -## Network Adapters - -We need three network interfaces. 
-One for each server an the third for registering the internal vip address. - -**Network Interface for the VIP**: -```bash -VIPNICID=$(stackit network-interface create --network-id $NETWORKID --name vipPort -y -o json | jq -r .id) -``` - -**Get the (v)IP of the NIC**: -```bash -VIPIP=$(stackit network-interface describe $VIPNICID --network-id $NETWORKID -o json | jq -r .ipv4) -``` - -**Network Interface for the VMs**: -```bash -NICID=$(stackit network-interface create --network-id $NETWORKID --allowed-addresses $VIPIP --name --security-groups $SECGROUPID, -y -o json | jq -r .id) -``` - -## Set up the virtual Machines - -Create two VMs with a Debian 12 as OS. - -```bash -stackit server create --boot-volume-performance-class storage_premium_perf4 --boot-volume-size 32 --boot-volume-source-type image --boot-volume-source-id 03e19c6a-d73a-4ba9-96af-4bd03cf905d3 --keypair-name --availability-zone eu01-1 --machine-type c1.2 --name --network-interface-ids $NICID -``` - -## External floating Addresses (HA) -To access the HA cluster from the Internet bind a Public IP to our vIP NIC adapter so the WAN ip is always pointed to the active replica. -```bash -stackit public-ip create --associated-resource-id $VIPNICID -``` \ No newline at end of file diff --git a/STACKIT-CLI-GUIDE.md b/STACKIT-CLI-GUIDE.md new file mode 100644 index 0000000..cfa6927 --- /dev/null +++ b/STACKIT-CLI-GUIDE.md 
@@ -0,0 +1,118 @@ +## Step 1: Create a STACKIT Network + +Create a new network where the VMs and network interfaces will be deployed. + +```bash +NETWORKID=$(stackit network create \ + --name demo \ + --ipv4-dns-name-servers "1.1.1.1,8.8.8.8,9.9.9.9" \ + --ipv4-prefix "10.1.2.0/24" \ + -y -o json | jq -r .networkId) +``` + +--- + +## Step 2: Configure Security Groups + +Create a security group allowing VRRP and ICMP traffic between the two VMs. + +Create the security group: + +```bash +SECGROUPID=$(stackit security-group create \ + --name VRRP \ + -y -o json | jq -r .id) +``` + +Add security rules: + +```bash +# Allow ICMP (for ping and monitoring) +stackit security-group rule create \ + --security-group-id $SECGROUPID \ + --direction ingress \ + --protocol-name icmp + +# Allow VRRP protocol (protocol number 112) +stackit security-group rule create \ + --security-group-id $SECGROUPID \ + --direction ingress \ + --protocol-name vrrp +``` + +Note: Restrict these rules further in production environments by specifying source CIDRs or specific IPs. + +--- + +## Step 3: Create Network Interfaces + +We will create: + +- A shared VIP interface (to bind the internal HA IP) +- One interface for each VM with access to the VIP + +Create a shared network adapter for the virtual IP: + +```bash +VIPNICID=$(stackit network-interface create \ + --network-id $NETWORKID \ + --name vipPort \ + -y -o json | jq -r .id) +``` + +Fetch the vIP address: + +```bash +VIPIP=$(stackit network-interface describe $VIPNICID \ + --network-id $NETWORKID \ + -o json | jq -r .ipv4) +``` + +Create network interfaces for the VMs (replace and accordingly): + +```bash +NICID=$(stackit network-interface create \ + --network-id $NETWORKID \ + --allowed-addresses $VIPIP \ + --name \ + --security-groups $SECGROUPID, \ + -y -o json | jq -r .id) +``` + +Repeat the step above to create a second NIC for the second VM. 
+ +--- + +## Step 4: Create the Virtual Machines + +Provision two virtual machines with attached network interfaces and required configuration. + +Sample command to create a VM (replace placeholders accordingly): + +```bash +stackit server create \ + --boot-volume-performance-class storage_premium_perf4 \ + --boot-volume-size 32 \ + --boot-volume-source-type image \ + --boot-volume-source-id 03e19c6a-d73a-4ba9-96af-4bd03cf905d3 \ # Debian 12 image ID + --keypair-name \ + --availability-zone eu01-1 \ + --machine-type c1.2 \ + --name \ + --network-interface-ids $NICID +``` + +Repeat the process to create the second VM with a different serverName and NIC ID. + +--- + +## Step 5: Bind a Public IP (Optional — for external access) + +To allow access to your HA cluster from outside the private network, bind a public IP address to the shared VIP NIC. + +```bash +stackit public-ip create \ + --associated-resource-id $VIPNICID +``` + +This ensures that regardless of which VM is active, the public IP always routes to the current primary node via the shared virtual IP. \ No newline at end of file