From 53e3bf3cd91437df958b77572c5cd769418e3fc8 Mon Sep 17 00:00:00 2001
From: trown <trown@redhat.com>
Date: Fri, 3 May 2019 15:42:43 -0400
Subject: [PATCH] openstack: Remove the Service VM

The experimental OpenStack backend used to create an extra server
running DNS and load balancer services that the cluster needed.
OpenStack does not always come with DNSaaS or LBaaS so we had to provide
the functionality the OpenShift cluster depends on (e.g. the etcd SRV
records, the api-int records & load balancing, etc.).

This approach is undesirable for two reasons: first, it adds an extra
node that the other IPI platforms do not need. Second, this node is a
single point of failure.

The Baremetal platform has faced the same issues and they have solved
them with a few virtual IP addresses managed by keepalived in
combination with coredns static pod running on every node using the mDNS
protocol to update records as new nodes are added or removed and a
similar static pod haproxy to load balance the control plane internally.

The VIPs are defined here in the installer and they use the
PlatformStatus field to be passed to the necessary
machine-config-operator fields:

https://github.com/openshift/api/pull/374

The Bare Metal IPI Networking Infrastructure document is broadly
applicable here as well:

https://github.com/openshift/installer/blob/master/docs/design/baremetal/networking-infrastructure.md

Notable differences in OpenStack:

* We only use the API and DNS VIPs right now
* Instead of Baremetal's Ingress VIP (which is attached to the OpenShift
  routers) our haproxy static pods balance the 80 & 443 pods to the
  worker nodes
* We do not run coredns on the bootstrap node. Instead, bootstrap itself
  uses one of the masters for DNS.

These differences are not fundamental to OpenStack and we will be
looking at aligning more closely with the Baremetal provider in the
future.

There is also a great oportunity to share some of the configuration
files and scripts here.

This change needs several other pull requests:

Keepalived plus the coredns & haproxy static pods in the MCO:
openshift/machine-config-operator/pull/740

Passing the API and DNS VIPs through the installer:
https://github.com/openshift/installer/pull/1998

Vendoring the OpenStack PlatformStatus changes in the MCO:
https://github.com/openshift/machine-config-operator/pull/978

Allowing to use PlatformStatus in the MCO templates:
https://github.com/openshift/machine-config-operator/pull/943

Co-authored-by: Emilio Garcia <egarcia@redhat.com>
Co-authored-by: John Trowbridge <trown@redhat.com>
Co-authored-by: Martin Andre <m.andre@redhat.com>
Co-authored-by: Tomas Sedovic <tsedovic@redhat.com>

Massive thanks to the Bare Metal and oVirt people!
---
 .../files/usr/local/bin/bootkube.sh.template  |   2 +
 .../files/etc/keepalived/keepalived.conf.tmpl |  25 ++
 .../openstack/files/usr/local/bin/fletcher8   |  10 +
 .../files/usr/local/bin/get_vip_subnet_cidr   |  24 ++
 .../usr/local/bin/keepalived.sh.template      |  48 +++
 .../systemd/units/keepalived.service          |  18 +
 data/data/openstack/bootstrap/main.tf         |  62 +++-
 data/data/openstack/bootstrap/variables.tf    |   5 +-
 data/data/openstack/main.tf                   |  59 ++--
 data/data/openstack/masters/main.tf           |   4 +-
 data/data/openstack/masters/variables.tf      |   8 -
 data/data/openstack/service/main.tf           | 320 ------------------
 data/data/openstack/service/variables.tf      |  57 ----
 data/data/openstack/topology/outputs.tf       |  16 -
 .../openstack/topology/private-network.tf     |  65 ++--
 data/data/openstack/topology/sg-lb.tf         |  85 -----
 data/data/openstack/topology/sg-master.tf     |  35 +-
 data/data/openstack/topology/variables.tf     |   5 +
 data/data/openstack/variables-openstack.tf    |   2 +-
 pkg/asset/ignition/bootstrap/bootstrap.go     |   2 +
 pkg/asset/ignition/machine/node.go            |   5 +-
 pkg/asset/manifests/infrastructure.go         |   4 +
 22 files changed, 277 insertions(+), 584 deletions(-)
 create mode 100644 data/data/bootstrap/openstack/files/etc/keepalived/keepalived.conf.tmpl
 create mode 100755 data/data/bootstrap/openstack/files/usr/local/bin/fletcher8
 create mode 100755 data/data/bootstrap/openstack/files/usr/local/bin/get_vip_subnet_cidr
 create mode 100755 data/data/bootstrap/openstack/files/usr/local/bin/keepalived.sh.template
 create mode 100644 data/data/bootstrap/openstack/systemd/units/keepalived.service
 delete mode 100644 data/data/openstack/service/main.tf
 delete mode 100644 data/data/openstack/service/variables.tf
 delete mode 100644 data/data/openstack/topology/sg-lb.tf

diff --git a/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
index f78c925ba30..b07f1cffcdd 100755
--- a/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
+++ b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
@@ -19,6 +19,8 @@ fi
 MACHINE_CONFIG_OPERATOR_IMAGE=$(podman run --quiet --rm ${release} image machine-config-operator)
 MACHINE_CONFIG_OSCONTENT=$(podman run --quiet --rm ${release} image machine-os-content)
 MACHINE_CONFIG_ETCD_IMAGE=$(podman run --quiet --rm ${release} image etcd)
+# FIXME(shadower): without this, the etcd containers later on keep failing with our custom MCO. Investigate what's goin on.
+podman pull --quiet $MACHINE_CONFIG_ETCD_IMAGE
 MACHINE_CONFIG_KUBE_CLIENT_AGENT_IMAGE=$(podman run --quiet --rm ${release} image kube-client-agent)
 MACHINE_CONFIG_INFRA_IMAGE=$(podman run --quiet --rm ${release} image pod)
 
diff --git a/data/data/bootstrap/openstack/files/etc/keepalived/keepalived.conf.tmpl b/data/data/bootstrap/openstack/files/etc/keepalived/keepalived.conf.tmpl
new file mode 100644
index 00000000000..4f188baf74c
--- /dev/null
+++ b/data/data/bootstrap/openstack/files/etc/keepalived/keepalived.conf.tmpl
@@ -0,0 +1,25 @@
+vrrp_script chk_ocp {
+    # NOTE(mandre) the fake kube-api server doesn't responds to the
+    # https://0:6443/readyz URL, we need to find another check
+    script "ss -tnl | grep 6443"
+    interval 1
+    weight 50
+}
+
+vrrp_instance ${CLUSTER_NAME}_API {
+    state BACKUP
+    interface ${INTERFACE}
+    virtual_router_id ${API_VRID}
+    priority 50
+    advert_int 1
+    authentication {
+        auth_type PASS
+        auth_pass ${CLUSTER_NAME}_api_vip
+    }
+    virtual_ipaddress {
+        ${API_VIP}/${NET_MASK}
+    }
+    track_script {
+        chk_ocp
+    }
+}
diff --git a/data/data/bootstrap/openstack/files/usr/local/bin/fletcher8 b/data/data/bootstrap/openstack/files/usr/local/bin/fletcher8
new file mode 100755
index 00000000000..901544f3675
--- /dev/null
+++ b/data/data/bootstrap/openstack/files/usr/local/bin/fletcher8
@@ -0,0 +1,10 @@
+#!/usr/libexec/platform-python
+import sys
+
+data = map(ord, sys.argv[1])
+ckA = ckB = 0
+
+for b in data:
+    ckA = (ckA + b) & 0xf
+    ckB = (ckB + ckA) & 0xf
+print((ckB << 4) | ckA )
diff --git a/data/data/bootstrap/openstack/files/usr/local/bin/get_vip_subnet_cidr b/data/data/bootstrap/openstack/files/usr/local/bin/get_vip_subnet_cidr
new file mode 100755
index 00000000000..4868cca81ac
--- /dev/null
+++ b/data/data/bootstrap/openstack/files/usr/local/bin/get_vip_subnet_cidr
@@ -0,0 +1,24 @@
+#!/usr/libexec/platform-python
+import sys
+import socket
+import struct
+
+vip = sys.argv[1]
+iface_cidrs = sys.argv[2].split()
+vip_int = struct.unpack("!I", socket.inet_aton(vip))[0]
+
+for iface_cidr in iface_cidrs:
+    ip, prefix = iface_cidr.split('/')
+    ip_int = struct.unpack("!I", socket.inet_aton(ip))[0]
+    prefix_int = int(prefix)
+    mask = int('1' * prefix_int + '0' * (32 - prefix_int), 2)
+    subnet_ip_int_min = ip_int & mask
+    subnet_ip = socket.inet_ntoa(struct.pack("!I", subnet_ip_int_min))
+    subnet_ip_int_max = subnet_ip_int_min | int('1' * (32 - prefix_int), 2)
+    subnet_ip_max = socket.inet_ntoa(struct.pack("!I", subnet_ip_int_max))
+    sys.stderr.write('Is %s between %s and %s\n' % (vip, subnet_ip, subnet_ip_max))
+    if subnet_ip_int_min < vip_int < subnet_ip_int_max:
+        subnet_ip = socket.inet_ntoa(struct.pack("!I", subnet_ip_int_min))
+        print('%s/%s' % (subnet_ip, prefix))
+        sys.exit(0)
+sys.exit(1)
diff --git a/data/data/bootstrap/openstack/files/usr/local/bin/keepalived.sh.template b/data/data/bootstrap/openstack/files/usr/local/bin/keepalived.sh.template
new file mode 100755
index 00000000000..55addacdce2
--- /dev/null
+++ b/data/data/bootstrap/openstack/files/usr/local/bin/keepalived.sh.template
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -e
+
+mkdir --parents /etc/keepalived
+
+# TODO(shadower): switch to the keepalived image from the release:
+# https://github.com/openshift/installer/pull/2025/files#diff-ce82c1d8a44f7dfc41dfc024085ccfeeR24
+KEEPALIVED_IMAGE=quay.io/celebdor/keepalived:latest
+if ! podman inspect "$KEEPALIVED_IMAGE" &>/dev/null; then
+    echo "Pulling release image..."
+    podman pull "$KEEPALIVED_IMAGE"
+fi
+
+# TODO(shadower): at least some of these can be passed into this
+# template rather than discovered at runtime:
+API_DNS="$(sudo awk -F[/:] '/apiServerURL/ {print $5}' /opt/openshift/manifests/cluster-infrastructure-02-config.yml)"
+CLUSTER_NAME="$(awk -F. '{print $2}' <<< "$API_DNS")"
+API_VIP="{{ .InstallConfig.Platform.OpenStack.APIVIP }}"
+IFACE_CIDRS="$(ip addr show | grep -v "scope host" | grep -Po 'inet \K[\d.]+/[\d.]+' | xargs)"
+SUBNET_CIDR="$(/usr/local/bin/get_vip_subnet_cidr "$API_VIP" "$IFACE_CIDRS")"
+NET_MASK="$(echo "$SUBNET_CIDR" | cut -d "/" -f 2)"
+INTERFACE="$(ip -o addr show to "$SUBNET_CIDR" | head -n 1 | awk '{print $2}')"
+CLUSTER_DOMAIN="${API_DNS#*.}"
+
+# Virtual Router IDs. They must be different and 8 bit in length
+API_VRID=$(/usr/local/bin/fletcher8 "$CLUSTER_NAME-api")
+DNS_VRID=$(/usr/local/bin/fletcher8 "$CLUSTER_NAME-dns")
+
+export API_VIP
+export CLUSTER_NAME
+export INTERFACE
+export API_VRID
+export NET_MASK
+envsubst < /etc/keepalived/keepalived.conf.tmpl | sudo tee /etc/keepalived/keepalived.conf
+
+MATCHES="$(sudo podman ps -a --format "{{`{{.Names}}`}}" | awk '/keepalived$/ {print $0}')"
+if [[ -z "$MATCHES" ]]; then
+    # TODO(bnemec): Figure out how to run with less perms
+    podman create \
+            --name keepalived \
+            --volume /etc/keepalived:/etc/keepalived:z \
+            --network=host \
+            --privileged \
+            --cap-add=ALL \
+            "${KEEPALIVED_IMAGE}" \
+            /usr/sbin/keepalived -f /etc/keepalived/keepalived.conf \
+                --dont-fork -D -l -P
+fi
diff --git a/data/data/bootstrap/openstack/systemd/units/keepalived.service b/data/data/bootstrap/openstack/systemd/units/keepalived.service
new file mode 100644
index 00000000000..ea9ee29d419
--- /dev/null
+++ b/data/data/bootstrap/openstack/systemd/units/keepalived.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Manage node VIPs with keepalived
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+WorkingDirectory=/etc/keepalived
+ExecStartPre=/usr/local/bin/keepalived.sh
+ExecStart=/usr/bin/podman start -a keepalived
+ExecStop=/usr/bin/podman stop -t 10 keepalived
+ConditionPathExists=!/etc/pivot/image-pullspec
+
+Restart=on-failure
+RestartSec=5
+TimeoutStartSec=600
+
+[Install]
+WantedBy=multi-user.target
diff --git a/data/data/openstack/bootstrap/main.tf b/data/data/openstack/bootstrap/main.tf
index 7c456c2a1fe..59c1dfcdf66 100644
--- a/data/data/openstack/bootstrap/main.tf
+++ b/data/data/openstack/bootstrap/main.tf
@@ -18,40 +18,73 @@ data "ignition_config" "redirect" {
 
   files = [
     data.ignition_file.hostname.id,
-    data.ignition_file.bootstrap_ifcfg.id,
+    data.ignition_file.dns_conf.id,
+    data.ignition_file.dhcp_conf.id,
+    data.ignition_file.hosts.id,
   ]
 }
 
-data "ignition_file" "bootstrap_ifcfg" {
+data "ignition_file" "dhcp_conf" {
   filesystem = "root"
-  mode       = "420" // 0644
-  path       = "/etc/sysconfig/network-scripts/ifcfg-eth0"
+  mode       = "420"
+  path       = "/etc/NetworkManager/conf.d/dhcp-client.conf"
 
   content {
     content = <<EOF
-DEVICE="eth0"
-BOOTPROTO="dhcp"
-ONBOOT="yes"
-TYPE="Ethernet"
-PERSISTENT_DHCLIENT="yes"
-DNS1="${var.service_vm_fixed_ip}"
-PEERDNS="no"
-NM_CONTROLLED="yes"
+[main]
+dhcp=dhclient
 EOF
+  }
+}
 
+data "ignition_file" "dns_conf" {
+  filesystem = "root"
+  mode = "420"
+  path = "/etc/dhcp/dhclient.conf"
+
+  # FIXME(mandre) this will likely cause delay with bootstrap node networking
+  # until the master come up and are able to serve DNS queries.  Not sure the
+  # bootstrap is trying to resolve anything it doesn't have in its hosts
+  # file...
+  # BareMetal solved this by running coredns on the bootstrap node
+  #
+  # NOTE(shadower) bootstrap's waiting for the etcd cluster seems to
+  # always fail the first time because of this. The second attempt
+  # succeeds, but we should probably run the core dns there too so
+  # that:
+  # 1. We don't show spurious errors in the logs
+  # 2. Align better with what the baremetal platfrorm is doing
+  content {
+    content = <<EOF
+send dhcp-client-identifier = hardware;
+prepend domain-name-servers ${var.node_dns_ip};
+EOF
   }
 }
 
 data "ignition_file" "hostname" {
   filesystem = "root"
-  mode = "420" // 0644
-  path = "/etc/hostname"
+  mode       = "420" // 0644
+  path       = "/etc/hostname"
 
   content {
     content = <<EOF
 ${var.cluster_id}-bootstrap
 EOF
+  }
+}
+
+data "ignition_file" "hosts" {
+  filesystem = "root"
+  mode = "420" // 0644
+  path = "/etc/hosts"
 
+  content {
+    content = <<EOF
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+${var.api_int_ip} api-int.${var.cluster_domain} api.${var.cluster_domain}
+EOF
   }
 }
 
@@ -81,4 +114,3 @@ resource "openstack_compute_instance_v2" "bootstrap" {
     openshiftClusterID = var.cluster_id
   }
 }
-
diff --git a/data/data/openstack/bootstrap/variables.tf b/data/data/openstack/bootstrap/variables.tf
index 1e8c96a4fb5..2fcd12a3673 100644
--- a/data/data/openstack/bootstrap/variables.tf
+++ b/data/data/openstack/bootstrap/variables.tf
@@ -33,7 +33,10 @@ variable "bootstrap_port_id" {
   description = "The subnet ID for the bootstrap node."
 }
 
-variable "service_vm_fixed_ip" {
+variable "api_int_ip" {
   type = string
 }
 
+variable "node_dns_ip" {
+  type = string
+}
diff --git a/data/data/openstack/main.tf b/data/data/openstack/main.tf
index 62dc76a0f2d..ad4870e8486 100644
--- a/data/data/openstack/main.tf
+++ b/data/data/openstack/main.tf
@@ -22,8 +22,8 @@ provider "openstack" {
   user_name           = var.openstack_credentials_user_name
 }
 
-module "service" {
-  source = "./service"
+module "bootstrap" {
+  source = "./bootstrap"
 
   swift_container   = openstack_objectstorage_container_v1.container.name
   cluster_id        = var.cluster_id
@@ -31,57 +31,38 @@ module "service" {
   image_name        = var.openstack_base_image
   flavor_name       = var.openstack_master_flavor_name
   ignition          = var.ignition_bootstrap
-  lb_floating_ip    = var.openstack_lb_floating_ip
-  service_port_id   = module.topology.service_port_id
-  service_port_ip   = module.topology.service_port_ip
-  master_ips        = module.topology.master_ips
-  master_port_names = module.topology.master_port_names
-  bootstrap_ip      = module.topology.bootstrap_port_ip
-}
-
-module "bootstrap" {
-  source = "./bootstrap"
-
-  swift_container     = openstack_objectstorage_container_v1.container.name
-  cluster_id          = var.cluster_id
-  cluster_domain      = var.cluster_domain
-  image_name          = var.openstack_base_image
-  flavor_name         = var.openstack_master_flavor_name
-  ignition            = var.ignition_bootstrap
-  bootstrap_port_id   = module.topology.bootstrap_port_id
-  service_vm_fixed_ip = module.topology.service_vm_fixed_ip
+  bootstrap_port_id = module.topology.bootstrap_port_id
+  api_int_ip        = var.openstack_api_int_ip
+  node_dns_ip       = var.openstack_node_dns_ip
 }
 
 module "masters" {
   source = "./masters"
 
-  base_image          = var.openstack_base_image
-  bootstrap_ip        = module.topology.bootstrap_port_ip
-  cluster_id          = var.cluster_id
-  cluster_domain      = var.cluster_domain
-  flavor_name         = var.openstack_master_flavor_name
-  instance_count      = var.master_count
-  lb_floating_ip      = var.openstack_lb_floating_ip
-  master_ips          = module.topology.master_ips
-  master_port_ids     = module.topology.master_port_ids
-  master_port_names   = module.topology.master_port_names
-  user_data_ign       = var.ignition_master
-  service_vm_fixed_ip = module.topology.service_vm_fixed_ip
-  api_int_ip          = var.openstack_api_int_ip
-  node_dns_ip         = var.openstack_node_dns_ip
+  base_image      = var.openstack_base_image
+  bootstrap_ip    = module.topology.bootstrap_port_ip
+  cluster_id      = var.cluster_id
+  cluster_domain  = var.cluster_domain
+  flavor_name     = var.openstack_master_flavor_name
+  instance_count  = var.master_count
+  lb_floating_ip  = var.openstack_lb_floating_ip
+  master_ips      = module.topology.master_ips
+  master_port_ids = module.topology.master_port_ids
+  user_data_ign   = var.ignition_master
+  api_int_ip      = var.openstack_api_int_ip
+  node_dns_ip     = var.openstack_node_dns_ip
   master_sg_ids = concat(
     var.openstack_master_extra_sg_ids,
     [module.topology.master_sg_id],
   )
 }
 
-# TODO(shadower) add a dns module here
-
 module "topology" {
   source = "./topology"
 
   cidr_block          = var.machine_cidr
   cluster_id          = var.cluster_id
+  cluster_domain      = var.cluster_domain
   external_network    = var.openstack_external_network
   external_network_id = var.openstack_external_network_id
   masters_count       = var.master_count
@@ -98,9 +79,11 @@ resource "openstack_objectstorage_container_v1" "container" {
   # "kubernetes.io/cluster/${var.cluster_id}" = "owned"
   metadata = merge(
     {
-      "Name"               = "${var.cluster_id}-ignition-master"
+      "Name"               = "${var.cluster_id}-ignition"
       "openshiftClusterID" = var.cluster_id
     },
+    # FIXME(mandre) the openstack_extra_tags should be applied to all resources
+    # created
     var.openstack_extra_tags,
   )
 }
diff --git a/data/data/openstack/masters/main.tf b/data/data/openstack/masters/main.tf
index 85ca44a707f..7689ca0b017 100644
--- a/data/data/openstack/masters/main.tf
+++ b/data/data/openstack/masters/main.tf
@@ -17,7 +17,6 @@ data "ignition_file" "hostname" {
     content = <<EOF
 ${var.cluster_id}-master-${count.index}
 EOF
-
   }
 }
 
@@ -30,9 +29,7 @@ data "ignition_file" "clustervars" {
     content = <<EOF
 export API_VIP=${var.api_int_ip}
 export DNS_VIP=${var.node_dns_ip}
-export FLOATING_IP=${var.lb_floating_ip}
 export BOOTSTRAP_IP=${var.bootstrap_ip}
-${replace(join("\n", formatlist("export MASTER_FIXED_IPS_%s=%s", var.master_port_names, var.master_ips)), "${var.cluster_id}-master-port-", "")}
 EOF
   }
 }
@@ -67,6 +64,7 @@ resource "openstack_compute_instance_v2" "master_conf" {
   }
 
   metadata = {
+    # FIXME(mandre) shouldn't it be "${var.cluster_id}-master-${count.index}" ?
     Name = "${var.cluster_id}-master"
     # "kubernetes.io/cluster/${var.cluster_id}" = "owned"
     openshiftClusterID = var.cluster_id
diff --git a/data/data/openstack/masters/variables.tf b/data/data/openstack/masters/variables.tf
index e0249b456a9..2d225edec1e 100644
--- a/data/data/openstack/masters/variables.tf
+++ b/data/data/openstack/masters/variables.tf
@@ -43,10 +43,6 @@ variable "master_port_ids" {
   description = "List of port ids for the master nodes"
 }
 
-variable "master_port_names" {
-  type = list(string)
-}
-
 variable "user_data_ign" {
   type = string
 }
@@ -58,7 +54,3 @@ variable "api_int_ip" {
 variable "node_dns_ip" {
   type = string
 }
-
-variable "service_vm_fixed_ip" {
-  type = string
-}
diff --git a/data/data/openstack/service/main.tf b/data/data/openstack/service/main.tf
deleted file mode 100644
index 367a9d8d556..00000000000
--- a/data/data/openstack/service/main.tf
+++ /dev/null
@@ -1,320 +0,0 @@
-data "openstack_images_image_v2" "bootstrap_image" {
-  name        = var.image_name
-  most_recent = true
-}
-
-data "openstack_compute_flavor_v2" "bootstrap_flavor" {
-  name = var.flavor_name
-}
-
-data "ignition_systemd_unit" "haproxy_unit" {
-  name    = "haproxy.service"
-  enabled = true
-
-  content = <<EOF
-[Unit]
-Description=Load balancer for the OpenShift services
-
-[Service]
-ExecStartPre=/sbin/setenforce 0
-ExecStartPre=/bin/systemctl disable --now bootkube kubelet progress openshift
-ExecStart=/bin/podman run --rm -ti --net=host -v /etc/haproxy:/usr/local/etc/haproxy:ro docker.io/library/haproxy:1.7
-ExecStop=/bin/podman stop -t 10 haproxy
-Restart=always
-RestartSec=10
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-}
-
-data "ignition_systemd_unit" "haproxy_unit_watcher" {
-  name = "haproxy-watcher.service"
-  enabled = true
-
-  content = <<EOF
-[Unit]
-Description=HAproxy config updater
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/bin/haproxy-watcher.sh
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-}
-
-data "ignition_systemd_unit" "haproxy_timer_watcher" {
-  name    = "haproxy-watcher.timer"
-  enabled = true
-
-  content = <<EOF
-[Timer]
-OnCalendar=*:0/2
-
-[Install]
-WantedBy=timers.target
-EOF
-
-}
-
-data "ignition_file" "haproxy_watcher_script" {
-  filesystem = "root"
-  mode = "489" // 0755
-  path = "/usr/local/bin/haproxy-watcher.sh"
-
-  content {
-    content = <<TFEOF
-#!/bin/bash
-
-set -x
-
-# NOTE(flaper87): We're doing this here for now
-# because our current vendored verison for terraform
-# doesn't support appending to an ignition_file. This
-# is coming in 2.3
-grep -qxF "127.0.0.1 api.${var.cluster_domain}" /etc/hosts || echo "127.0.0.1 api.${var.cluster_domain}" | sudo tee -a /etc/hosts
-
-mkdir -p /etc/haproxy
-export KUBECONFIG=/opt/openshift/auth/kubeconfig
-TEMPLATE="{{range .items}}{{\$addresses:=.status.addresses}}{{range .status.conditions}}{{if eq .type \"Ready\"}}{{if eq .status \"True\" }}{{range \$addresses}}{{if eq .type \"InternalIP\"}}{{.address}}{{end}}{{end}}{{end}}{{end}}{{end}} {{end}}"
-MASTERS=$(oc get nodes -l node-role.kubernetes.io/master -ogo-template="$TEMPLATE")
-WORKERS=$(oc get nodes -l node-role.kubernetes.io/worker -ogo-template="$TEMPLATE")
-
-update_cfg_and_restart() {
-    CHANGED=$(diff /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.new)
-
-    if [[ ! -f /etc/haproxy/haproxy.cfg ]] || [[ ! -z "$CHANGED" ]];
-    then
-        cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.backup || true
-        cp /etc/haproxy/haproxy.cfg.new /etc/haproxy/haproxy.cfg
-        systemctl restart haproxy
-    fi
-}
-
-if [[ -z "$MASTERS" ]];
-then
-cat > /etc/haproxy/haproxy.cfg.new << EOF
-listen ${var.cluster_id}-api-masters
-    bind 0.0.0.0:6443
-    bind 0.0.0.0:22623
-    mode tcp
-    balance roundrobin
-    server bootstrap-22623 ${var.bootstrap_ip} check port 22623
-    server bootstrap-6443 ${var.bootstrap_ip} check port 6443
-    ${replace(join("\n    ", formatlist("server master-%s %s check port 6443", var.master_port_names, var.master_ips)), "master-port-", "")}
-EOF
-    update_cfg_and_restart
-    exit 0
-fi
-
-for master in $MASTERS;
-do
-    MASTER_LINES="$MASTER_LINES
-    server $master $master check port 6443"
-done
-
-for worker in $WORKERS;
-do
-    WORKER_LINES="$WORKER_LINES
-    server $worker $worker check port 443"
-done
-
-cat > /etc/haproxy/haproxy.cfg.new << EOF
-listen ${var.cluster_id}-api-masters
-    bind 0.0.0.0:6443
-    bind 0.0.0.0:22623
-    mode tcp
-    balance roundrobin$MASTER_LINES
-
-listen ${var.cluster_id}-api-workers
-    bind 0.0.0.0:80
-    bind 0.0.0.0:443
-    mode tcp
-    balance roundrobin$WORKER_LINES
-EOF
-
-update_cfg_and_restart
-TFEOF
-
-}
-}
-
-data "ignition_file" "corefile" {
-  filesystem = "root"
-  mode       = "420" // 0644
-  path       = "/etc/coredns/Corefile"
-
-  content {
-    content = <<EOF
-. {
-    log
-    errors
-    reload 10s
-
-${length(var.lb_floating_ip) == 0 ? "" : "    file /etc/coredns/db.${var.cluster_domain} api.${var.cluster_domain} {\n    }\n"}
-
-    hosts {
-        ${replace(join("\n", formatlist("%s %s", var.master_ips, var.master_port_names)), "port-", "")}
-        fallthrough
-    }
-
-
-    file /etc/coredns/db.${var.cluster_domain} _etcd-server-ssl._tcp.${var.cluster_domain} {
-    }
-
-    file /etc/coredns/db.${var.cluster_domain} bootstrap.${var.cluster_domain} {
-        upstream /etc/resolv.conf
-    }
-
-${replace(join("\n", formatlist("    file /etc/coredns/db.${var.cluster_domain} master-%s.${var.cluster_domain} {\n    upstream /etc/resolv.conf\n    }\n", var.master_port_names)), "${var.cluster_id}-master-port-", "")}
-
-${replace(join("\n", formatlist("    file /etc/coredns/db.${var.cluster_domain} etcd-%s.${var.cluster_domain} {\n    upstream /etc/resolv.conf\n    }\n", var.master_port_names)), "${var.cluster_id}-master-port-", "")}
-
-
-    forward . /etc/resolv.conf {
-    }
-}
-
-${var.cluster_domain} {
-    log
-    errors
-    reload 10s
-
-    file /etc/coredns/db.${var.cluster_domain} {
-        upstream /etc/resolv.conf
-    }
-}
-
-EOF
-
-  }
-}
-
-data "ignition_file" "coredb" {
-  filesystem = "root"
-  mode = "420" // 0644
-  path = "/etc/coredns/db.${var.cluster_domain}"
-
-  content {
-    content = <<EOF
-$ORIGIN ${var.cluster_domain}.
-@    3600 IN SOA host.${var.cluster_domain}. hostmaster (
-                                2017042752 ; serial
-                                7200       ; refresh (2 hours)
-                                3600       ; retry (1 hour)
-                                1209600    ; expire (2 weeks)
-                                3600       ; minimum (1 hour)
-                                )
-
-${length(var.lb_floating_ip) == 0 ? "api  IN  A  ${var.service_port_ip}" : "api  IN  A  ${var.lb_floating_ip}"}
-${length(var.lb_floating_ip) == 0 ? "*.apps  IN  A  ${var.service_port_ip}" : "*.apps  IN  A  ${var.lb_floating_ip}"}
-
-api-int  IN  A  ${var.service_port_ip}
-
-bootstrap.${var.cluster_domain}  IN  A  ${var.bootstrap_ip}
-${replace(join("\n", formatlist("%s  IN  A %s", var.master_port_names, var.master_ips)), "port-", "")}
-${replace(join("\n", formatlist("master-%s  IN  A %s", var.master_port_names, var.master_ips)), "${var.cluster_id}-master-port-", "")}
-
-${replace(join("\n", formatlist("etcd-%s  IN  A  %s", var.master_port_names, var.master_ips)), "${var.cluster_id}-master-port-", "")}
-${replace(join("\n", formatlist("_etcd-server-ssl._tcp  8640  IN  SRV  0  10  2380   etcd-%s.${var.cluster_domain}.", var.master_port_names)), "${var.cluster_id}-master-port-", "")}
-
-EOF
-
-  }
-}
-
-data "ignition_systemd_unit" "local_dns" {
-  name = "local-dns.service"
-
-  content = <<EOF
-[Unit]
-Description=Internal DNS serving the required OpenShift records
-
-[Service]
-ExecStart=/bin/podman run --rm -i -t -m 128m --net host --cap-add=NET_ADMIN -v /etc/coredns:/etc/coredns:Z quay.io/openshift/origin-coredns:v4.0 -conf /etc/coredns/Corefile
-Restart=always
-RestartSec=10
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-}
-
-data "ignition_file" "hostname" {
-  filesystem = "root"
-  mode = "420" // 0644
-  path = "/etc/hostname"
-
-  content {
-    content = <<EOF
-${var.cluster_id}-api
-EOF
-
-  }
-}
-
-data "ignition_user" "core" {
-  name = "core"
-}
-
-resource "openstack_objectstorage_object_v1" "service_ignition" {
-  container_name = var.swift_container
-  name           = "load-balancer.ign"
-  content        = var.ignition
-}
-
-resource "openstack_objectstorage_tempurl_v1" "service_ignition_tmpurl" {
-  container = var.swift_container
-  method    = "get"
-  object    = openstack_objectstorage_object_v1.service_ignition.name
-  ttl       = 3600
-}
-
-data "ignition_config" "service_redirect" {
-  append {
-    source = openstack_objectstorage_tempurl_v1.service_ignition_tmpurl.url
-  }
-
-  files = [
-    data.ignition_file.hostname.id,
-    data.ignition_file.haproxy_watcher_script.id,
-    data.ignition_file.corefile.id,
-    data.ignition_file.coredb.id,
-  ]
-
-  systemd = [
-    data.ignition_systemd_unit.haproxy_unit.id,
-    data.ignition_systemd_unit.haproxy_unit_watcher.id,
-    data.ignition_systemd_unit.haproxy_timer_watcher.id,
-    data.ignition_systemd_unit.local_dns.id,
-  ]
-
-  users = [
-    data.ignition_user.core.id,
-  ]
-}
-
-resource "openstack_compute_instance_v2" "load_balancer" {
-  name      = "${var.cluster_id}-api"
-  flavor_id = data.openstack_compute_flavor_v2.bootstrap_flavor.id
-  image_id  = data.openstack_images_image_v2.bootstrap_image.id
-
-  user_data = data.ignition_config.service_redirect.rendered
-
-  network {
-    port = var.service_port_id
-  }
-
-  metadata = {
-    Name     = "${var.cluster_id}-api"
-    Hostname = "${var.cluster_id}-api.${var.cluster_domain}"
-    # "kubernetes.io/cluster/${var.cluster_id}" = "owned"
-    openshiftClusterID = var.cluster_id
-  }
-}
-
diff --git a/data/data/openstack/service/variables.tf b/data/data/openstack/service/variables.tf
deleted file mode 100644
index f33a4bee006..00000000000
--- a/data/data/openstack/service/variables.tf
+++ /dev/null
@@ -1,57 +0,0 @@
-variable "image_name" {
-  type        = string
-  description = "The name of the Glance image for the bootstrap node."
-}
-
-variable "swift_container" {
-  type        = string
-  description = "The Swift container name for bootstrap ignition file."
-}
-
-variable "cluster_id" {
-  type        = string
-  description = "The identifier for the cluster."
-}
-
-variable "cluster_domain" {
-  type        = string
-  description = "The domain name of the cluster. All DNS records must be under this domain."
-}
-
-variable "ignition" {
-  type        = string
-  description = "The content of the bootstrap ignition file."
-}
-
-variable "flavor_name" {
-  type        = string
-  default     = "m1.medium"
-  description = "The Nova flavor for the bootstrap node."
-}
-
-variable "service_port_id" {
-  type        = string
-  description = "The subnet ID for the service node."
-}
-
-variable "service_port_ip" {
-  type        = string
-  description = "The subnet IP for the service node."
-}
-
-variable "master_ips" {
-  type = list(string)
-}
-
-variable "master_port_names" {
-  type = list(string)
-}
-
-variable "bootstrap_ip" {
-  type = string
-}
-
-variable "lb_floating_ip" {
-  type = string
-}
-
diff --git a/data/data/openstack/topology/outputs.tf b/data/data/openstack/topology/outputs.tf
index 017fa597be8..f1de3aa6cf9 100644
--- a/data/data/openstack/topology/outputs.tf
+++ b/data/data/openstack/topology/outputs.tf
@@ -1,11 +1,3 @@
-output "service_port_id" {
-  value = openstack_networking_port_v2.service_port.id
-}
-
-output "service_port_ip" {
-  value = openstack_networking_port_v2.service_port.all_fixed_ips[0]
-}
-
 output "bootstrap_port_id" {
   value = openstack_networking_port_v2.bootstrap_port.id
 }
@@ -18,14 +10,6 @@ output "master_ips" {
   value = flatten(openstack_networking_port_v2.masters.*.all_fixed_ips)
 }
 
-output "master_port_names" {
-  value = openstack_networking_port_v2.masters.*.name
-}
-
-output "service_vm_fixed_ip" {
-  value = openstack_networking_port_v2.service_port.all_fixed_ips[0]
-}
-
 output "master_sg_id" {
   value = openstack_networking_secgroup_v2.master.id
 }
diff --git a/data/data/openstack/topology/private-network.tf b/data/data/openstack/topology/private-network.tf
index 6002a892695..994908ae580 100644
--- a/data/data/openstack/topology/private-network.tf
+++ b/data/data/openstack/topology/private-network.tf
@@ -1,6 +1,5 @@
 locals {
-  nodes_cidr_block   = cidrsubnet(var.cidr_block, 1, 0)
-  service_cidr_block = cidrsubnet(var.cidr_block, 1, 1)
+  nodes_cidr_block = var.cidr_block
 }
 
 data "openstack_networking_network_v2" "external_network" {
@@ -15,21 +14,12 @@ resource "openstack_networking_network_v2" "openshift-private" {
   tags           = ["openshiftClusterID=${var.cluster_id}"]
 }
 
-resource "openstack_networking_subnet_v2" "service" {
-  name       = "${var.cluster_id}-service"
-  cidr       = local.service_cidr_block
+resource "openstack_networking_subnet_v2" "nodes" {
+  name       = "${var.cluster_id}-nodes"
+  cidr       = local.nodes_cidr_block
   ip_version = 4
   network_id = openstack_networking_network_v2.openshift-private.id
   tags       = ["openshiftClusterID=${var.cluster_id}"]
-}
-
-resource "openstack_networking_subnet_v2" "nodes" {
-  name            = "${var.cluster_id}-nodes"
-  cidr            = local.nodes_cidr_block
-  ip_version      = 4
-  network_id      = openstack_networking_network_v2.openshift-private.id
-  tags            = ["openshiftClusterID=${var.cluster_id}"]
-  dns_nameservers = [openstack_networking_port_v2.service_port.all_fixed_ips[0]]
 
   # We reserve some space at the beginning of the CIDR to use for the VIPs
   # It would be good to make this more dynamic by calculating the number of
@@ -49,6 +39,11 @@ resource "openstack_networking_port_v2" "masters" {
   security_group_ids = [openstack_networking_secgroup_v2.master.id]
   tags               = ["openshiftClusterID=${var.cluster_id}"]
 
+  extra_dhcp_option {
+    name  = "domain-search"
+    value = var.cluster_domain
+  }
+
   fixed_ip {
     subnet_id = openstack_networking_subnet_v2.nodes.id
   }
@@ -78,28 +73,39 @@ resource "openstack_networking_port_v2" "bootstrap_port" {
   network_id         = openstack_networking_network_v2.openshift-private.id
   security_group_ids = [openstack_networking_secgroup_v2.master.id]
   tags               = ["openshiftClusterID=${var.cluster_id}"]
+  extra_dhcp_option {
+    name  = "domain-search"
+    value = var.cluster_domain
+  }
 
   fixed_ip {
     subnet_id = openstack_networking_subnet_v2.nodes.id
   }
-}
 
-resource "openstack_networking_port_v2" "service_port" {
-  name = "${var.cluster_id}-service-port"
-
-  admin_state_up     = "true"
-  network_id         = openstack_networking_network_v2.openshift-private.id
-  security_group_ids = [openstack_networking_secgroup_v2.api.id]
-  tags               = ["openshiftClusterID=${var.cluster_id}"]
-
-  fixed_ip {
-    subnet_id = openstack_networking_subnet_v2.service.id
+  allowed_address_pairs {
+    ip_address = var.api_int_ip
   }
 }
 
-resource "openstack_networking_floatingip_associate_v2" "service_fip" {
+// Assign the floating IP to one of the masters.
+//
+// Strictly speaking, this is not required to finish the installation. We
+// support environments without floating IPs. However, since the installer
+// is running outside of the nodes subnet (often outside of the OpenStack
+// cluster itself), it needs a floating IP to monitor the progress.
+//
+// This IP address is not expected to be the final solution for providing HA.
+// It is only here to let the installer finish without any errors. Configuring
+// a load balancer and providing external connectivity is a post-installation
+// step that can't always be automated (we need to support OpenStack clusters)
+// that do not have or do not want to use Octavia.
+//
+// If the floating IP is not provided, the installer will time out waiting for
+// bootstrapping to complete, but the OpenShift cluster itself should come up
+// as expected.
+resource "openstack_networking_floatingip_associate_v2" "api_fip" {
   count       = length(var.lb_floating_ip) == 0 ? 0 : 1
-  port_id     = openstack_networking_port_v2.service_port.id
+  port_id     = openstack_networking_port_v2.masters[0].id
   floating_ip = var.lb_floating_ip
 }
 
@@ -110,11 +116,6 @@ resource "openstack_networking_router_v2" "openshift-external-router" {
   tags                = ["openshiftClusterID=${var.cluster_id}"]
 }
 
-resource "openstack_networking_router_interface_v2" "service_router_interface" {
-  router_id = openstack_networking_router_v2.openshift-external-router.id
-  subnet_id = openstack_networking_subnet_v2.service.id
-}
-
 resource "openstack_networking_router_interface_v2" "nodes_router_interface" {
   router_id = openstack_networking_router_v2.openshift-external-router.id
   subnet_id = openstack_networking_subnet_v2.nodes.id
diff --git a/data/data/openstack/topology/sg-lb.tf b/data/data/openstack/topology/sg-lb.tf
deleted file mode 100644
index 67b98337459..00000000000
--- a/data/data/openstack/topology/sg-lb.tf
+++ /dev/null
@@ -1,85 +0,0 @@
-resource "openstack_networking_secgroup_v2" "api" {
-  name = "${var.cluster_id}-api"
-  tags = ["openshiftClusterID=${var.cluster_id}"]
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_mcs" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 22623
-  port_range_max    = 22623
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_https" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 6443
-  port_range_max    = 6443
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "router_http" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 80
-  port_range_max    = 80
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "router_https" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 443
-  port_range_max    = 443
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_ingress_dns_udp" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "udp"
-  port_range_min    = 53
-  port_range_max    = 53
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_ingress_dns_tcp" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 53
-  port_range_max    = 53
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_ingress_ssh_tcp" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 22
-  port_range_max    = 22
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_ingress_icmp" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "icmp"
-  port_range_min    = 0
-  port_range_max    = 0
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
diff --git a/data/data/openstack/topology/sg-master.tf b/data/data/openstack/topology/sg-master.tf
index 7159db7bfed..1f6ca608e2c 100644
--- a/data/data/openstack/topology/sg-master.tf
+++ b/data/data/openstack/topology/sg-master.tf
@@ -9,7 +9,7 @@ resource "openstack_networking_secgroup_rule_v2" "master_mcs" {
   protocol          = "tcp"
   port_range_min    = 22623
   port_range_max    = 22623
-  remote_ip_prefix  = var.cidr_block
+  remote_ip_prefix  = "0.0.0.0/0"
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
@@ -19,7 +19,7 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_icmp" {
   protocol          = "icmp"
   port_range_min    = 0
   port_range_max    = 0
-  remote_ip_prefix  = var.cidr_block
+  remote_ip_prefix  = "0.0.0.0/0"
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
@@ -33,6 +33,26 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_ssh" {
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_tcp" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 53
+  port_range_max    = 53
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = "${openstack_networking_secgroup_v2.master.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_udp" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "udp"
+  port_range_min    = 53
+  port_range_max    = 53
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = "${openstack_networking_secgroup_v2.master.id}"
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_mdns_udp" {
   direction         = "ingress"
   ethertype         = "IPv4"
@@ -49,7 +69,7 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_http" {
   protocol          = "tcp"
   port_range_min    = 80
   port_range_max    = 80
-  remote_ip_prefix  = var.cidr_block
+  remote_ip_prefix  = "0.0.0.0/0"
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
@@ -59,7 +79,7 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_https" {
   protocol          = "tcp"
   port_range_min    = 6443
   port_range_max    = 6445
-  remote_ip_prefix  = var.cidr_block
+  remote_ip_prefix  = "0.0.0.0/0"
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
@@ -242,3 +262,10 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_services" {
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_vrrp" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = 112
+  security_group_id = openstack_networking_secgroup_v2.master.id
+}
+
diff --git a/data/data/openstack/topology/variables.tf b/data/data/openstack/topology/variables.tf
index b1f36b9b88a..fad1ae945f9 100644
--- a/data/data/openstack/topology/variables.tf
+++ b/data/data/openstack/topology/variables.tf
@@ -6,6 +6,11 @@ variable "cluster_id" {
   type = string
 }
 
+variable "cluster_domain" {
+  type        = string
+  description = "The domain name of the cluster. All DNS records must be under this domain."
+}
+
 variable "external_network" {
   description = "Name of the external network providing Floating IP addresses."
   type        = string
diff --git a/data/data/openstack/variables-openstack.tf b/data/data/openstack/variables-openstack.tf
index 373f753a0db..e11bc1a1ac3 100644
--- a/data/data/openstack/variables-openstack.tf
+++ b/data/data/openstack/variables-openstack.tf
@@ -240,7 +240,7 @@ variable "openstack_extra_tags" {
   default = {}
 
   description = <<EOF
-(optional) Extra AWS tags to be applied to created resources.
+(optional) Extra tags to be applied to created resources.
 
 Example: `{ "key" = "value", "foo" = "bar" }`
 EOF
diff --git a/pkg/asset/ignition/bootstrap/bootstrap.go b/pkg/asset/ignition/bootstrap/bootstrap.go
index dd420e2740e..bc8489cfaf6 100644
--- a/pkg/asset/ignition/bootstrap/bootstrap.go
+++ b/pkg/asset/ignition/bootstrap/bootstrap.go
@@ -45,6 +45,7 @@ type bootstrapTemplateData struct {
 	ReleaseImage string
 	Proxy        *configv1.ProxyStatus
 	Registries   []sysregistriesv2.Registry
+	InstallConfig     *types.InstallConfig
 }
 
 // Bootstrap is an asset that generates the ignition config for bootstrap nodes.
@@ -217,6 +218,7 @@ func (a *Bootstrap) getTemplateData(installConfig *types.InstallConfig, releaseI
 
 	return &bootstrapTemplateData{
 		PullSecret:   installConfig.PullSecret,
+		InstallConfig:     installConfig,
 		ReleaseImage: releaseImage,
 		EtcdCluster:  strings.Join(etcdEndpoints, ","),
 		Proxy:        &proxy.Status,
diff --git a/pkg/asset/ignition/machine/node.go b/pkg/asset/ignition/machine/node.go
index 681851c5c40..571ed87fef5 100644
--- a/pkg/asset/ignition/machine/node.go
+++ b/pkg/asset/ignition/machine/node.go
@@ -22,10 +22,7 @@ func pointerIgnitionConfig(installConfig *types.InstallConfig, rootCA []byte, ro
 		// way to configure DNS before Ignition runs.
 		ignitionHost = fmt.Sprintf("%s:22623", installConfig.BareMetal.APIVIP)
 	case openstacktypes.Name:
-		// We can't actually set this to the VIP until we have keepalived patches
-		// merged to machine-config-operator
-		// ignitionHost = fmt.Sprintf("%s:22623", installConfig.Config.OpenStack.APIVIP)
-		ignitionHost = fmt.Sprintf("api-int.%s:22623", installConfig.ClusterDomain())
+		ignitionHost = fmt.Sprintf("%s:22623", installConfig.OpenStack.APIVIP)
 	default:
 		ignitionHost = fmt.Sprintf("api-int.%s:22623", installConfig.ClusterDomain())
 	}
diff --git a/pkg/asset/manifests/infrastructure.go b/pkg/asset/manifests/infrastructure.go
index 129e935975f..092f4b5f439 100644
--- a/pkg/asset/manifests/infrastructure.go
+++ b/pkg/asset/manifests/infrastructure.go
@@ -115,6 +115,10 @@ func (i *Infrastructure) Generate(dependencies asset.Parents) error {
 		config.Status.PlatformStatus.Type = configv1.NonePlatformType
 	case openstack.Name:
 		config.Status.PlatformStatus.Type = configv1.OpenStackPlatformType
+		config.Status.PlatformStatus.OpenStack = &configv1.OpenStackPlatformStatus{
+			APIServerInternalIP: installConfig.Config.Platform.OpenStack.APIVIP,
+			NodeDNSIP: installConfig.Config.Platform.OpenStack.DNSVIP,
+		}
 	case vsphere.Name:
 		config.Status.PlatformStatus.Type = configv1.VSpherePlatformType
 	default: