From 0c1768dff7ffaefdde79fd03d71fdc5745f5d417 Mon Sep 17 00:00:00 2001
From: trown <trown@redhat.com>
Date: Fri, 12 Jul 2019 11:05:22 -0400
Subject: [PATCH] openstack: Remove the Service VM

The experimental OpenStack backend used to create an extra server
running DNS and load balancer services that the cluster needed.
OpenStack does not always come with DNSaaS or LBaaS so we had to provide
the functionality the OpenShift cluster depends on (e.g. the etcd SRV
records, the api-int records & load balancing, etc.).

This approach is undesirable for two reasons: first, it adds an extra
node that the other IPI platforms do not need. Second, this node is a
single point of failure.

The Baremetal platform has faced the same issues and they have solved
them with a few virtual IP addresses managed by keepalived in
combination with coredns static pod running on every node using the mDNS
protocol to update records as new nodes are added or removed and a
similar static pod haproxy to load balance the control plane internally.

The VIPs are defined here in the installer and they use the
PlatformStatus field to be passed to the necessary
machine-config-operator fields:

https://github.com/openshift/api/pull/374

The Bare Metal IPI Networking Infrastructure document is applicable here as
well:

https://github.com/openshift/installer/blob/master/docs/design/baremetal/networking-infrastructure.md

There is also a great opportunity to share some of the configuration
files and scripts here.

This change needs several other pull requests:

Keepalived plus the coredns & haproxy static pods in the MCO:
https://github.com/openshift/machine-config-operator/pull/740

Co-authored-by: Emilio Garcia <egarcia@redhat.com>
Co-authored-by: John Trowbridge <trown@redhat.com>
Co-authored-by: Martin Andre <m.andre@redhat.com>
Co-authored-by: Tomas Sedovic <tsedovic@redhat.com>

Massive thanks to the Bare Metal and oVirt people!
---
 .../files/usr/local/bin/bootkube.sh.template  |   4 +
 data/data/openstack/bootstrap/main.tf         |  43 +--
 data/data/openstack/bootstrap/variables.tf    |  10 -
 data/data/openstack/main.tf                   |  53 +--
 data/data/openstack/masters/main.tf           |  25 +-
 data/data/openstack/masters/variables.tf      |  25 --
 data/data/openstack/service/main.tf           | 320 ------------------
 data/data/openstack/service/variables.tf      |  57 ----
 data/data/openstack/topology/outputs.tf       |  24 --
 .../openstack/topology/private-network.tf     | 117 +++++--
 data/data/openstack/topology/sg-lb.tf         |  85 -----
 data/data/openstack/topology/sg-master.tf     |  35 +-
 data/data/openstack/topology/sg-worker.tf     |   6 +
 data/data/openstack/topology/variables.tf     |  17 +
 data/data/openstack/variables-openstack.tf    |  17 +-
 pkg/asset/cluster/tfvars.go                   |  16 +
 pkg/asset/ignition/bootstrap/bootstrap.go     |   2 +-
 pkg/asset/ignition/machine/node.go            |   9 +
 pkg/asset/manifests/infrastructure.go         |  18 +
 pkg/asset/tls/mcscertkey.go                   |   9 +
 pkg/tfvars/openstack/openstack.go             |   8 +-
 pkg/types/openstack/defaults/platform.go      |  30 ++
 pkg/types/openstack/validation/platform.go    |   4 +-
 .../openstack/validation/platform_test.go     |   2 +-
 pkg/types/validation/installconfig.go         |   2 +-
 pkg/types/validation/installconfig_test.go    |  19 +-
 26 files changed, 313 insertions(+), 644 deletions(-)
 delete mode 100644 data/data/openstack/service/main.tf
 delete mode 100644 data/data/openstack/service/variables.tf
 delete mode 100644 data/data/openstack/topology/sg-lb.tf

diff --git a/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
index d4656230224..fa7e1201fa2 100755
--- a/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
+++ b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
@@ -219,6 +219,10 @@ then
             cp mco-bootstrap/baremetal/manifests/* /etc/kubernetes/manifests/
             cp --recursive mco-bootstrap/baremetal/static-pod-resources/* /etc/kubernetes/static-pod-resources/
         fi
+	if [ -d mco-bootstrap/openstack/manifests ]; then
+		cp mco-bootstrap/openstack/manifests/* /etc/kubernetes/manifests/
+		cp --recursive mco-bootstrap/openstack/static-pod-resources/* /etc/kubernetes/static-pod-resources/
+	fi
 	cp mco-bootstrap/manifests/* manifests/
 
 	# /etc/ssl/mcs/tls.{crt, key} are locations for MachineConfigServer's tls assets.
diff --git a/data/data/openstack/bootstrap/main.tf b/data/data/openstack/bootstrap/main.tf
index 7c456c2a1fe..b4a430f4a0a 100644
--- a/data/data/openstack/bootstrap/main.tf
+++ b/data/data/openstack/bootstrap/main.tf
@@ -18,45 +18,51 @@ data "ignition_config" "redirect" {
 
   files = [
     data.ignition_file.hostname.id,
-    data.ignition_file.bootstrap_ifcfg.id,
+    data.ignition_file.dns_conf.id,
+    data.ignition_file.dhcp_conf.id,
   ]
 }
 
-data "ignition_file" "bootstrap_ifcfg" {
+data "ignition_file" "dhcp_conf" {
   filesystem = "root"
-  mode       = "420" // 0644
-  path       = "/etc/sysconfig/network-scripts/ifcfg-eth0"
+  mode       = "420"
+  path       = "/etc/NetworkManager/conf.d/dhcp-client.conf"
 
   content {
     content = <<EOF
-DEVICE="eth0"
-BOOTPROTO="dhcp"
-ONBOOT="yes"
-TYPE="Ethernet"
-PERSISTENT_DHCLIENT="yes"
-DNS1="${var.service_vm_fixed_ip}"
-PEERDNS="no"
-NM_CONTROLLED="yes"
+[main]
+dhcp=dhclient
 EOF
+  }
+}
 
+data "ignition_file" "dns_conf" {
+  filesystem = "root"
+  mode = "420"
+  path = "/etc/dhcp/dhclient.conf"
+
+  content {
+    content = <<EOF
+send dhcp-client-identifier = hardware;
+prepend domain-name-servers 127.0.0.1;
+EOF
   }
 }
 
 data "ignition_file" "hostname" {
   filesystem = "root"
-  mode = "420" // 0644
-  path = "/etc/hostname"
+  mode       = "420" // 0644
+  path       = "/etc/hostname"
 
   content {
     content = <<EOF
 ${var.cluster_id}-bootstrap
 EOF
-
   }
 }
 
 data "openstack_images_image_v2" "bootstrap_image" {
-  name        = var.image_name
+  name = var.image_name
   most_recent = true
 }
 
@@ -65,9 +71,9 @@ data "openstack_compute_flavor_v2" "bootstrap_flavor" {
 }
 
 resource "openstack_compute_instance_v2" "bootstrap" {
-  name      = "${var.cluster_id}-bootstrap"
+  name = "${var.cluster_id}-bootstrap"
   flavor_id = data.openstack_compute_flavor_v2.bootstrap_flavor.id
-  image_id  = data.openstack_images_image_v2.bootstrap_image.id
+  image_id = data.openstack_images_image_v2.bootstrap_image.id
 
   user_data = data.ignition_config.redirect.rendered
 
@@ -81,4 +87,3 @@ resource "openstack_compute_instance_v2" "bootstrap" {
     openshiftClusterID = var.cluster_id
   }
 }
-
diff --git a/data/data/openstack/bootstrap/variables.tf b/data/data/openstack/bootstrap/variables.tf
index 1e8c96a4fb5..769703f2a48 100644
--- a/data/data/openstack/bootstrap/variables.tf
+++ b/data/data/openstack/bootstrap/variables.tf
@@ -13,11 +13,6 @@ variable "cluster_id" {
   description = "The identifier for the cluster."
 }
 
-variable "cluster_domain" {
-  type        = string
-  description = "The domain name of the cluster. All DNS records must be under this domain."
-}
-
 variable "ignition" {
   type        = string
   description = "The content of the bootstrap ignition file."
@@ -32,8 +27,3 @@ variable "bootstrap_port_id" {
   type        = string
   description = "The subnet ID for the bootstrap node."
 }
-
-variable "service_vm_fixed_ip" {
-  type = string
-}
-
diff --git a/data/data/openstack/main.tf b/data/data/openstack/main.tf
index b37df363264..49c0c9ac907 100644
--- a/data/data/openstack/main.tf
+++ b/data/data/openstack/main.tf
@@ -22,68 +22,45 @@ provider "openstack" {
   user_name           = var.openstack_credentials_user_name
 }
 
-module "service" {
-  source = "./service"
+module "bootstrap" {
+  source = "./bootstrap"
 
   swift_container   = openstack_objectstorage_container_v1.container.name
   cluster_id        = var.cluster_id
-  cluster_domain    = var.cluster_domain
   image_name        = var.openstack_base_image
   flavor_name       = var.openstack_master_flavor_name
   ignition          = var.ignition_bootstrap
-  lb_floating_ip    = var.openstack_lb_floating_ip
-  service_port_id   = module.topology.service_port_id
-  service_port_ip   = module.topology.service_port_ip
-  master_ips        = module.topology.master_ips
-  master_port_names = module.topology.master_port_names
-  bootstrap_ip      = module.topology.bootstrap_port_ip
-}
-
-module "bootstrap" {
-  source = "./bootstrap"
-
-  swift_container     = openstack_objectstorage_container_v1.container.name
-  cluster_id          = var.cluster_id
-  cluster_domain      = var.cluster_domain
-  image_name          = var.openstack_base_image
-  flavor_name         = var.openstack_master_flavor_name
-  ignition            = var.ignition_bootstrap
-  bootstrap_port_id   = module.topology.bootstrap_port_id
-  service_vm_fixed_ip = module.topology.service_vm_fixed_ip
+  bootstrap_port_id = module.topology.bootstrap_port_id
 }
 
 module "masters" {
   source = "./masters"
 
-  base_image          = var.openstack_base_image
-  bootstrap_ip        = module.topology.bootstrap_port_ip
-  cluster_id          = var.cluster_id
-  cluster_domain      = var.cluster_domain
-  flavor_name         = var.openstack_master_flavor_name
-  instance_count      = var.master_count
-  lb_floating_ip      = var.openstack_lb_floating_ip
-  master_ips          = module.topology.master_ips
-  master_port_ids     = module.topology.master_port_ids
-  master_port_names   = module.topology.master_port_names
-  user_data_ign       = var.ignition_master
-  service_vm_fixed_ip = module.topology.service_vm_fixed_ip
+  base_image      = var.openstack_base_image
+  cluster_id      = var.cluster_id
+  flavor_name     = var.openstack_master_flavor_name
+  instance_count  = var.master_count
+  master_port_ids = module.topology.master_port_ids
+  user_data_ign   = var.ignition_master
   master_sg_ids = concat(
     var.openstack_master_extra_sg_ids,
     [module.topology.master_sg_id],
   )
 }
 
-# TODO(shadower) add a dns module here
-
 module "topology" {
   source = "./topology"
 
   cidr_block          = var.machine_cidr
   cluster_id          = var.cluster_id
+  cluster_domain      = var.cluster_domain
   external_network    = var.openstack_external_network
   external_network_id = var.openstack_external_network_id
   masters_count       = var.master_count
   lb_floating_ip      = var.openstack_lb_floating_ip
+  api_int_ip          = var.openstack_api_int_ip
+  node_dns_ip         = var.openstack_node_dns_ip
+  ingress_ip          = var.openstack_ingress_ip
   trunk_support       = var.openstack_trunk_support
   octavia_support     = var.openstack_octavia_support
 }
@@ -94,9 +71,11 @@ resource "openstack_objectstorage_container_v1" "container" {
   # "kubernetes.io/cluster/${var.cluster_id}" = "owned"
   metadata = merge(
     {
-      "Name"               = "${var.cluster_id}-ignition-master"
+      "Name"               = "${var.cluster_id}-ignition"
       "openshiftClusterID" = var.cluster_id
     },
+    # FIXME(mandre) the openstack_extra_tags should be applied to all resources
+    # created
     var.openstack_extra_tags,
   )
 }
diff --git a/data/data/openstack/masters/main.tf b/data/data/openstack/masters/main.tf
index 624ec41ee45..748bcfa459e 100644
--- a/data/data/openstack/masters/main.tf
+++ b/data/data/openstack/masters/main.tf
@@ -16,21 +16,6 @@ data "ignition_file" "hostname" {
   content {
     content = <<EOF
 ${var.cluster_id}-master-${count.index}
-EOF
-
-  }
-}
-
-data "ignition_file" "clustervars" {
-  filesystem = "root"
-  mode = "420" // 0644
-  path = "/etc/kubernetes/static-pod-resources/clustervars"
-
-  content {
-    content = <<EOF
-export FLOATING_IP=${var.lb_floating_ip}
-export BOOTSTRAP_IP=${var.bootstrap_ip}
-${replace(join("\n", formatlist("export MASTER_FIXED_IPS_%s=%s", var.master_port_names, var.master_ips)), "${var.cluster_id}-master-port-", "")}
 EOF
   }
 }
@@ -43,17 +28,16 @@ data "ignition_config" "master_ignition_config" {
   }
 
   files = [
-    element(data.ignition_file.hostname.*.id, count.index),
-    data.ignition_file.clustervars.id,
+    element(data.ignition_file.hostname.*.id, count.index)
   ]
 }
 
 resource "openstack_compute_instance_v2" "master_conf" {
-  name  = "${var.cluster_id}-master-${count.index}"
+  name = "${var.cluster_id}-master-${count.index}"
   count = var.instance_count
 
-  flavor_id       = data.openstack_compute_flavor_v2.masters_flavor.id
-  image_id        = data.openstack_images_image_v2.masters_img.id
+  flavor_id = data.openstack_compute_flavor_v2.masters_flavor.id
+  image_id = data.openstack_images_image_v2.masters_img.id
   security_groups = var.master_sg_ids
   user_data = element(
     data.ignition_config.master_ignition_config.*.rendered,
@@ -65,6 +49,7 @@ resource "openstack_compute_instance_v2" "master_conf" {
   }
 
   metadata = {
+    # FIXME(mandre) shouldn't it be "${var.cluster_id}-master-${count.index}" ?
     Name = "${var.cluster_id}-master"
     # "kubernetes.io/cluster/${var.cluster_id}" = "owned"
     openshiftClusterID = var.cluster_id
diff --git a/data/data/openstack/masters/variables.tf b/data/data/openstack/masters/variables.tf
index c2fb2a3f88a..7e73d627d3c 100644
--- a/data/data/openstack/masters/variables.tf
+++ b/data/data/openstack/masters/variables.tf
@@ -2,20 +2,11 @@ variable "base_image" {
   type = string
 }
 
-variable "bootstrap_ip" {
-  type = string
-}
-
 variable "cluster_id" {
   type        = string
   description = "The identifier for the cluster."
 }
 
-variable "cluster_domain" {
-  type        = string
-  description = "The domain name of the cluster. All DNS records must be under this domain."
-}
-
 variable "flavor_name" {
   type = string
 }
@@ -24,14 +15,6 @@ variable "instance_count" {
   type = string
 }
 
-variable "lb_floating_ip" {
-  type = string
-}
-
-variable "master_ips" {
-  type = list(string)
-}
-
 variable "master_sg_ids" {
   type        = list(string)
   default     = ["default"]
@@ -43,14 +26,6 @@ variable "master_port_ids" {
   description = "List of port ids for the master nodes"
 }
 
-variable "master_port_names" {
-  type = list(string)
-}
-
 variable "user_data_ign" {
   type = string
 }
-
-variable "service_vm_fixed_ip" {
-  type = string
-}
diff --git a/data/data/openstack/service/main.tf b/data/data/openstack/service/main.tf
deleted file mode 100644
index 367a9d8d556..00000000000
--- a/data/data/openstack/service/main.tf
+++ /dev/null
@@ -1,320 +0,0 @@
-data "openstack_images_image_v2" "bootstrap_image" {
-  name        = var.image_name
-  most_recent = true
-}
-
-data "openstack_compute_flavor_v2" "bootstrap_flavor" {
-  name = var.flavor_name
-}
-
-data "ignition_systemd_unit" "haproxy_unit" {
-  name    = "haproxy.service"
-  enabled = true
-
-  content = <<EOF
-[Unit]
-Description=Load balancer for the OpenShift services
-
-[Service]
-ExecStartPre=/sbin/setenforce 0
-ExecStartPre=/bin/systemctl disable --now bootkube kubelet progress openshift
-ExecStart=/bin/podman run --rm -ti --net=host -v /etc/haproxy:/usr/local/etc/haproxy:ro docker.io/library/haproxy:1.7
-ExecStop=/bin/podman stop -t 10 haproxy
-Restart=always
-RestartSec=10
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-}
-
-data "ignition_systemd_unit" "haproxy_unit_watcher" {
-  name = "haproxy-watcher.service"
-  enabled = true
-
-  content = <<EOF
-[Unit]
-Description=HAproxy config updater
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/bin/haproxy-watcher.sh
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-}
-
-data "ignition_systemd_unit" "haproxy_timer_watcher" {
-  name    = "haproxy-watcher.timer"
-  enabled = true
-
-  content = <<EOF
-[Timer]
-OnCalendar=*:0/2
-
-[Install]
-WantedBy=timers.target
-EOF
-
-}
-
-data "ignition_file" "haproxy_watcher_script" {
-  filesystem = "root"
-  mode = "489" // 0755
-  path = "/usr/local/bin/haproxy-watcher.sh"
-
-  content {
-    content = <<TFEOF
-#!/bin/bash
-
-set -x
-
-# NOTE(flaper87): We're doing this here for now
-# because our current vendored verison for terraform
-# doesn't support appending to an ignition_file. This
-# is coming in 2.3
-grep -qxF "127.0.0.1 api.${var.cluster_domain}" /etc/hosts || echo "127.0.0.1 api.${var.cluster_domain}" | sudo tee -a /etc/hosts
-
-mkdir -p /etc/haproxy
-export KUBECONFIG=/opt/openshift/auth/kubeconfig
-TEMPLATE="{{range .items}}{{\$addresses:=.status.addresses}}{{range .status.conditions}}{{if eq .type \"Ready\"}}{{if eq .status \"True\" }}{{range \$addresses}}{{if eq .type \"InternalIP\"}}{{.address}}{{end}}{{end}}{{end}}{{end}}{{end}} {{end}}"
-MASTERS=$(oc get nodes -l node-role.kubernetes.io/master -ogo-template="$TEMPLATE")
-WORKERS=$(oc get nodes -l node-role.kubernetes.io/worker -ogo-template="$TEMPLATE")
-
-update_cfg_and_restart() {
-    CHANGED=$(diff /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.new)
-
-    if [[ ! -f /etc/haproxy/haproxy.cfg ]] || [[ ! -z "$CHANGED" ]];
-    then
-        cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.backup || true
-        cp /etc/haproxy/haproxy.cfg.new /etc/haproxy/haproxy.cfg
-        systemctl restart haproxy
-    fi
-}
-
-if [[ -z "$MASTERS" ]];
-then
-cat > /etc/haproxy/haproxy.cfg.new << EOF
-listen ${var.cluster_id}-api-masters
-    bind 0.0.0.0:6443
-    bind 0.0.0.0:22623
-    mode tcp
-    balance roundrobin
-    server bootstrap-22623 ${var.bootstrap_ip} check port 22623
-    server bootstrap-6443 ${var.bootstrap_ip} check port 6443
-    ${replace(join("\n    ", formatlist("server master-%s %s check port 6443", var.master_port_names, var.master_ips)), "master-port-", "")}
-EOF
-    update_cfg_and_restart
-    exit 0
-fi
-
-for master in $MASTERS;
-do
-    MASTER_LINES="$MASTER_LINES
-    server $master $master check port 6443"
-done
-
-for worker in $WORKERS;
-do
-    WORKER_LINES="$WORKER_LINES
-    server $worker $worker check port 443"
-done
-
-cat > /etc/haproxy/haproxy.cfg.new << EOF
-listen ${var.cluster_id}-api-masters
-    bind 0.0.0.0:6443
-    bind 0.0.0.0:22623
-    mode tcp
-    balance roundrobin$MASTER_LINES
-
-listen ${var.cluster_id}-api-workers
-    bind 0.0.0.0:80
-    bind 0.0.0.0:443
-    mode tcp
-    balance roundrobin$WORKER_LINES
-EOF
-
-update_cfg_and_restart
-TFEOF
-
-}
-}
-
-data "ignition_file" "corefile" {
-  filesystem = "root"
-  mode       = "420" // 0644
-  path       = "/etc/coredns/Corefile"
-
-  content {
-    content = <<EOF
-. {
-    log
-    errors
-    reload 10s
-
-${length(var.lb_floating_ip) == 0 ? "" : "    file /etc/coredns/db.${var.cluster_domain} api.${var.cluster_domain} {\n    }\n"}
-
-    hosts {
-        ${replace(join("\n", formatlist("%s %s", var.master_ips, var.master_port_names)), "port-", "")}
-        fallthrough
-    }
-
-
-    file /etc/coredns/db.${var.cluster_domain} _etcd-server-ssl._tcp.${var.cluster_domain} {
-    }
-
-    file /etc/coredns/db.${var.cluster_domain} bootstrap.${var.cluster_domain} {
-        upstream /etc/resolv.conf
-    }
-
-${replace(join("\n", formatlist("    file /etc/coredns/db.${var.cluster_domain} master-%s.${var.cluster_domain} {\n    upstream /etc/resolv.conf\n    }\n", var.master_port_names)), "${var.cluster_id}-master-port-", "")}
-
-${replace(join("\n", formatlist("    file /etc/coredns/db.${var.cluster_domain} etcd-%s.${var.cluster_domain} {\n    upstream /etc/resolv.conf\n    }\n", var.master_port_names)), "${var.cluster_id}-master-port-", "")}
-
-
-    forward . /etc/resolv.conf {
-    }
-}
-
-${var.cluster_domain} {
-    log
-    errors
-    reload 10s
-
-    file /etc/coredns/db.${var.cluster_domain} {
-        upstream /etc/resolv.conf
-    }
-}
-
-EOF
-
-  }
-}
-
-data "ignition_file" "coredb" {
-  filesystem = "root"
-  mode = "420" // 0644
-  path = "/etc/coredns/db.${var.cluster_domain}"
-
-  content {
-    content = <<EOF
-$ORIGIN ${var.cluster_domain}.
-@    3600 IN SOA host.${var.cluster_domain}. hostmaster (
-                                2017042752 ; serial
-                                7200       ; refresh (2 hours)
-                                3600       ; retry (1 hour)
-                                1209600    ; expire (2 weeks)
-                                3600       ; minimum (1 hour)
-                                )
-
-${length(var.lb_floating_ip) == 0 ? "api  IN  A  ${var.service_port_ip}" : "api  IN  A  ${var.lb_floating_ip}"}
-${length(var.lb_floating_ip) == 0 ? "*.apps  IN  A  ${var.service_port_ip}" : "*.apps  IN  A  ${var.lb_floating_ip}"}
-
-api-int  IN  A  ${var.service_port_ip}
-
-bootstrap.${var.cluster_domain}  IN  A  ${var.bootstrap_ip}
-${replace(join("\n", formatlist("%s  IN  A %s", var.master_port_names, var.master_ips)), "port-", "")}
-${replace(join("\n", formatlist("master-%s  IN  A %s", var.master_port_names, var.master_ips)), "${var.cluster_id}-master-port-", "")}
-
-${replace(join("\n", formatlist("etcd-%s  IN  A  %s", var.master_port_names, var.master_ips)), "${var.cluster_id}-master-port-", "")}
-${replace(join("\n", formatlist("_etcd-server-ssl._tcp  8640  IN  SRV  0  10  2380   etcd-%s.${var.cluster_domain}.", var.master_port_names)), "${var.cluster_id}-master-port-", "")}
-
-EOF
-
-  }
-}
-
-data "ignition_systemd_unit" "local_dns" {
-  name = "local-dns.service"
-
-  content = <<EOF
-[Unit]
-Description=Internal DNS serving the required OpenShift records
-
-[Service]
-ExecStart=/bin/podman run --rm -i -t -m 128m --net host --cap-add=NET_ADMIN -v /etc/coredns:/etc/coredns:Z quay.io/openshift/origin-coredns:v4.0 -conf /etc/coredns/Corefile
-Restart=always
-RestartSec=10
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-}
-
-data "ignition_file" "hostname" {
-  filesystem = "root"
-  mode = "420" // 0644
-  path = "/etc/hostname"
-
-  content {
-    content = <<EOF
-${var.cluster_id}-api
-EOF
-
-  }
-}
-
-data "ignition_user" "core" {
-  name = "core"
-}
-
-resource "openstack_objectstorage_object_v1" "service_ignition" {
-  container_name = var.swift_container
-  name           = "load-balancer.ign"
-  content        = var.ignition
-}
-
-resource "openstack_objectstorage_tempurl_v1" "service_ignition_tmpurl" {
-  container = var.swift_container
-  method    = "get"
-  object    = openstack_objectstorage_object_v1.service_ignition.name
-  ttl       = 3600
-}
-
-data "ignition_config" "service_redirect" {
-  append {
-    source = openstack_objectstorage_tempurl_v1.service_ignition_tmpurl.url
-  }
-
-  files = [
-    data.ignition_file.hostname.id,
-    data.ignition_file.haproxy_watcher_script.id,
-    data.ignition_file.corefile.id,
-    data.ignition_file.coredb.id,
-  ]
-
-  systemd = [
-    data.ignition_systemd_unit.haproxy_unit.id,
-    data.ignition_systemd_unit.haproxy_unit_watcher.id,
-    data.ignition_systemd_unit.haproxy_timer_watcher.id,
-    data.ignition_systemd_unit.local_dns.id,
-  ]
-
-  users = [
-    data.ignition_user.core.id,
-  ]
-}
-
-resource "openstack_compute_instance_v2" "load_balancer" {
-  name      = "${var.cluster_id}-api"
-  flavor_id = data.openstack_compute_flavor_v2.bootstrap_flavor.id
-  image_id  = data.openstack_images_image_v2.bootstrap_image.id
-
-  user_data = data.ignition_config.service_redirect.rendered
-
-  network {
-    port = var.service_port_id
-  }
-
-  metadata = {
-    Name     = "${var.cluster_id}-api"
-    Hostname = "${var.cluster_id}-api.${var.cluster_domain}"
-    # "kubernetes.io/cluster/${var.cluster_id}" = "owned"
-    openshiftClusterID = var.cluster_id
-  }
-}
-
diff --git a/data/data/openstack/service/variables.tf b/data/data/openstack/service/variables.tf
deleted file mode 100644
index f33a4bee006..00000000000
--- a/data/data/openstack/service/variables.tf
+++ /dev/null
@@ -1,57 +0,0 @@
-variable "image_name" {
-  type        = string
-  description = "The name of the Glance image for the bootstrap node."
-}
-
-variable "swift_container" {
-  type        = string
-  description = "The Swift container name for bootstrap ignition file."
-}
-
-variable "cluster_id" {
-  type        = string
-  description = "The identifier for the cluster."
-}
-
-variable "cluster_domain" {
-  type        = string
-  description = "The domain name of the cluster. All DNS records must be under this domain."
-}
-
-variable "ignition" {
-  type        = string
-  description = "The content of the bootstrap ignition file."
-}
-
-variable "flavor_name" {
-  type        = string
-  default     = "m1.medium"
-  description = "The Nova flavor for the bootstrap node."
-}
-
-variable "service_port_id" {
-  type        = string
-  description = "The subnet ID for the service node."
-}
-
-variable "service_port_ip" {
-  type        = string
-  description = "The subnet IP for the service node."
-}
-
-variable "master_ips" {
-  type = list(string)
-}
-
-variable "master_port_names" {
-  type = list(string)
-}
-
-variable "bootstrap_ip" {
-  type = string
-}
-
-variable "lb_floating_ip" {
-  type = string
-}
-
diff --git a/data/data/openstack/topology/outputs.tf b/data/data/openstack/topology/outputs.tf
index 017fa597be8..0e1cef91fe6 100644
--- a/data/data/openstack/topology/outputs.tf
+++ b/data/data/openstack/topology/outputs.tf
@@ -1,31 +1,7 @@
-output "service_port_id" {
-  value = openstack_networking_port_v2.service_port.id
-}
-
-output "service_port_ip" {
-  value = openstack_networking_port_v2.service_port.all_fixed_ips[0]
-}
-
 output "bootstrap_port_id" {
   value = openstack_networking_port_v2.bootstrap_port.id
 }
 
-output "bootstrap_port_ip" {
-  value = openstack_networking_port_v2.bootstrap_port.all_fixed_ips[0]
-}
-
-output "master_ips" {
-  value = flatten(openstack_networking_port_v2.masters.*.all_fixed_ips)
-}
-
-output "master_port_names" {
-  value = openstack_networking_port_v2.masters.*.name
-}
-
-output "service_vm_fixed_ip" {
-  value = openstack_networking_port_v2.service_port.all_fixed_ips[0]
-}
-
 output "master_sg_id" {
   value = openstack_networking_secgroup_v2.master.id
 }
diff --git a/data/data/openstack/topology/private-network.tf b/data/data/openstack/topology/private-network.tf
index ea2551fabdb..1e3e1af7122 100644
--- a/data/data/openstack/topology/private-network.tf
+++ b/data/data/openstack/topology/private-network.tf
@@ -1,6 +1,5 @@
 locals {
-  nodes_cidr_block   = cidrsubnet(var.cidr_block, 1, 0)
-  service_cidr_block = cidrsubnet(var.cidr_block, 1, 1)
+  nodes_cidr_block = var.cidr_block
 }
 
 data "openstack_networking_network_v2" "external_network" {
@@ -15,21 +14,22 @@ resource "openstack_networking_network_v2" "openshift-private" {
   tags           = ["openshiftClusterID=${var.cluster_id}"]
 }
 
-resource "openstack_networking_subnet_v2" "service" {
-  name       = "${var.cluster_id}-service"
-  cidr       = local.service_cidr_block
+resource "openstack_networking_subnet_v2" "nodes" {
+  name       = "${var.cluster_id}-nodes"
+  cidr       = local.nodes_cidr_block
   ip_version = 4
   network_id = openstack_networking_network_v2.openshift-private.id
   tags       = ["openshiftClusterID=${var.cluster_id}"]
-}
 
-resource "openstack_networking_subnet_v2" "nodes" {
-  name            = "${var.cluster_id}-nodes"
-  cidr            = local.nodes_cidr_block
-  ip_version      = 4
-  network_id      = openstack_networking_network_v2.openshift-private.id
-  tags            = ["openshiftClusterID=${var.cluster_id}"]
-  dns_nameservers = [openstack_networking_port_v2.service_port.all_fixed_ips[0]]
+  # We reserve some space at the beginning of the CIDR to use for the VIPs
+  # It would be good to make this more dynamic by calculating the number of
+  # addresses in the provided CIDR. This currently assumes at least a /18.
+  # FIXME(mandre) if we let the ports pick up VIPs automatically, we don't have
+  # to do any of this.
+  allocation_pool {
+    start = cidrhost(local.nodes_cidr_block, 10)
+    end   = cidrhost(local.nodes_cidr_block, 16000)
+  }
 }
 
 resource "openstack_networking_port_v2" "masters" {
@@ -41,8 +41,55 @@ resource "openstack_networking_port_v2" "masters" {
   security_group_ids = [openstack_networking_secgroup_v2.master.id]
   tags               = ["openshiftClusterID=${var.cluster_id}"]
 
+  extra_dhcp_option {
+    name  = "domain-search"
+    value = var.cluster_domain
+  }
+
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.nodes.id
+  }
+
+  allowed_address_pairs {
+    ip_address = var.api_int_ip
+  }
+
+  allowed_address_pairs {
+    ip_address = var.node_dns_ip
+  }
+
+  allowed_address_pairs {
+    ip_address = var.ingress_ip
+  }
+}
+
+resource "openstack_networking_port_v2" "api_port" {
+  name = "${var.cluster_id}-api-port"
+
+  admin_state_up     = "true"
+  network_id         = openstack_networking_network_v2.openshift-private.id
+  security_group_ids = [openstack_networking_secgroup_v2.master.id]
+  tags               = ["openshiftClusterID=${var.cluster_id}"]
+
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.nodes.id
+    # FIXME(mandre) we could let the installer automatically pick up the address
+    ip_address = var.api_int_ip
+  }
+}
+
+resource "openstack_networking_port_v2" "ingress_port" {
+  name = "${var.cluster_id}-ingress-port"
+
+  admin_state_up     = "true"
+  network_id         = openstack_networking_network_v2.openshift-private.id
+  security_group_ids = [openstack_networking_secgroup_v2.worker.id]
+  tags               = ["openshiftClusterID=${var.cluster_id}"]
+
   fixed_ip {
     subnet_id = openstack_networking_subnet_v2.nodes.id
+    # FIXME(mandre) we could let the installer automatically pick up the address
+    ip_address = var.ingress_ip
   }
 }
 
@@ -62,28 +109,43 @@ resource "openstack_networking_port_v2" "bootstrap_port" {
   network_id         = openstack_networking_network_v2.openshift-private.id
   security_group_ids = [openstack_networking_secgroup_v2.master.id]
   tags               = ["openshiftClusterID=${var.cluster_id}"]
+  extra_dhcp_option {
+    name  = "domain-search"
+    value = var.cluster_domain
+  }
 
   fixed_ip {
     subnet_id = openstack_networking_subnet_v2.nodes.id
   }
-}
-
-resource "openstack_networking_port_v2" "service_port" {
-  name = "${var.cluster_id}-service-port"
 
-  admin_state_up     = "true"
-  network_id         = openstack_networking_network_v2.openshift-private.id
-  security_group_ids = [openstack_networking_secgroup_v2.api.id]
-  tags               = ["openshiftClusterID=${var.cluster_id}"]
+  allowed_address_pairs {
+    ip_address = var.api_int_ip
+  }
 
-  fixed_ip {
-    subnet_id = openstack_networking_subnet_v2.service.id
+  allowed_address_pairs {
+    ip_address = var.node_dns_ip
   }
 }
 
-resource "openstack_networking_floatingip_associate_v2" "service_fip" {
+// Assign the floating IP to one of the masters.
+//
+// Strictly speaking, this is not required to finish the installation. We
+// support environments without floating IPs. However, since the installer
+// is running outside of the nodes subnet (often outside of the OpenStack
+// cluster itself), it needs a floating IP to monitor the progress.
+//
+// This IP address is not expected to be the final solution for providing HA.
+// It is only here to let the installer finish without any errors. Configuring
+// a load balancer and providing external connectivity is a post-installation
+// step that can't always be automated (we need to support OpenStack clusters)
+// that do not have or do not want to use Octavia.
+//
+// If the floating IP is not provided, the installer will time out waiting for
+// bootstrapping to complete, but the OpenShift cluster itself should come up
+// as expected.
+resource "openstack_networking_floatingip_associate_v2" "api_fip" {
   count       = length(var.lb_floating_ip) == 0 ? 0 : 1
-  port_id     = openstack_networking_port_v2.service_port.id
+  port_id     = openstack_networking_port_v2.api_port.id
   floating_ip = var.lb_floating_ip
 }
 
@@ -102,11 +164,6 @@ resource "openstack_networking_router_v2" "openshift-external-router" {
   tags                = ["openshiftClusterID=${var.cluster_id}"]
 }
 
-resource "openstack_networking_router_interface_v2" "service_router_interface" {
-  router_id = openstack_networking_router_v2.openshift-external-router.id
-  subnet_id = openstack_networking_subnet_v2.service.id
-}
-
 resource "openstack_networking_router_interface_v2" "nodes_router_interface" {
   router_id = openstack_networking_router_v2.openshift-external-router.id
   subnet_id = openstack_networking_subnet_v2.nodes.id
diff --git a/data/data/openstack/topology/sg-lb.tf b/data/data/openstack/topology/sg-lb.tf
deleted file mode 100644
index 67b98337459..00000000000
--- a/data/data/openstack/topology/sg-lb.tf
+++ /dev/null
@@ -1,85 +0,0 @@
-resource "openstack_networking_secgroup_v2" "api" {
-  name = "${var.cluster_id}-api"
-  tags = ["openshiftClusterID=${var.cluster_id}"]
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_mcs" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 22623
-  port_range_max    = 22623
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_https" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 6443
-  port_range_max    = 6443
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "router_http" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 80
-  port_range_max    = 80
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "router_https" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 443
-  port_range_max    = 443
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_ingress_dns_udp" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "udp"
-  port_range_min    = 53
-  port_range_max    = 53
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_ingress_dns_tcp" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 53
-  port_range_max    = 53
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_ingress_ssh_tcp" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 22
-  port_range_max    = 22
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "api_ingress_icmp" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "icmp"
-  port_range_min    = 0
-  port_range_max    = 0
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = openstack_networking_secgroup_v2.api.id
-}
-
diff --git a/data/data/openstack/topology/sg-master.tf b/data/data/openstack/topology/sg-master.tf
index 7159db7bfed..1f6ca608e2c 100644
--- a/data/data/openstack/topology/sg-master.tf
+++ b/data/data/openstack/topology/sg-master.tf
@@ -9,7 +9,7 @@ resource "openstack_networking_secgroup_rule_v2" "master_mcs" {
   protocol          = "tcp"
   port_range_min    = 22623
   port_range_max    = 22623
-  remote_ip_prefix  = var.cidr_block
+  remote_ip_prefix  = "0.0.0.0/0"
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
@@ -19,7 +19,7 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_icmp" {
   protocol          = "icmp"
   port_range_min    = 0
   port_range_max    = 0
-  remote_ip_prefix  = var.cidr_block
+  remote_ip_prefix  = "0.0.0.0/0"
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
@@ -33,6 +33,26 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_ssh" {
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_tcp" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 53
+  port_range_max    = 53
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = "${openstack_networking_secgroup_v2.master.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_udp" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "udp"
+  port_range_min    = 53
+  port_range_max    = 53
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = "${openstack_networking_secgroup_v2.master.id}"
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_mdns_udp" {
   direction         = "ingress"
   ethertype         = "IPv4"
@@ -49,7 +69,7 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_http" {
   protocol          = "tcp"
   port_range_min    = 80
   port_range_max    = 80
-  remote_ip_prefix  = var.cidr_block
+  remote_ip_prefix  = "0.0.0.0/0"
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
@@ -59,7 +79,7 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_https" {
   protocol          = "tcp"
   port_range_min    = 6443
   port_range_max    = 6445
-  remote_ip_prefix  = var.cidr_block
+  remote_ip_prefix  = "0.0.0.0/0"
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
@@ -242,3 +262,10 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_services" {
   security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_vrrp" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = 112
+  security_group_id = openstack_networking_secgroup_v2.master.id
+}
+
diff --git a/data/data/openstack/topology/sg-worker.tf b/data/data/openstack/topology/sg-worker.tf
index 9d6ef9decde..17ecbaf28f8 100644
--- a/data/data/openstack/topology/sg-worker.tf
+++ b/data/data/openstack/topology/sg-worker.tf
@@ -147,3 +147,9 @@ resource "openstack_networking_secgroup_rule_v2" "worker_ingress_services" {
   security_group_id = openstack_networking_secgroup_v2.worker.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "worker_ingress_vrrp" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = 112
+  security_group_id = openstack_networking_secgroup_v2.worker.id
+}
diff --git a/data/data/openstack/topology/variables.tf b/data/data/openstack/topology/variables.tf
index daaf794b35e..2d2679ba415 100644
--- a/data/data/openstack/topology/variables.tf
+++ b/data/data/openstack/topology/variables.tf
@@ -6,6 +6,11 @@ variable "cluster_id" {
   type = string
 }
 
+variable "cluster_domain" {
+  type        = string
+  description = "The domain name of the cluster. All DNS records must be under this domain."
+}
+
 variable "external_network" {
   description = "Name of the external network providing Floating IP addresses."
   type        = string
@@ -34,6 +39,18 @@ variable "masters_count" {
   type = string
 }
 
+variable "api_int_ip" {
+  type = string
+}
+
+variable "node_dns_ip" {
+  type = string
+}
+
+variable "ingress_ip" {
+  type = string
+}
+
 variable "trunk_support" {
   type = string
 }
diff --git a/data/data/openstack/variables-openstack.tf b/data/data/openstack/variables-openstack.tf
index c4e105b2ae6..43e6efcc991 100644
--- a/data/data/openstack/variables-openstack.tf
+++ b/data/data/openstack/variables-openstack.tf
@@ -240,7 +240,7 @@ variable "openstack_extra_tags" {
   default = {}
 
   description = <<EOF
-(optional) Extra AWS tags to be applied to created resources.
+(optional) Extra tags to be applied to created resources.
 
 Example: `{ "key" = "value", "foo" = "bar" }`
 EOF
@@ -269,6 +269,21 @@ EOF
 
 }
 
+variable "openstack_api_int_ip" {
+  type        = string
+  description = "IP on the node subnet reserved for api-int VIP."
+}
+
+variable "openstack_node_dns_ip" {
+  type        = string
+  description = "IP on the nodes subnet reserved for node dns VIP."
+}
+
+variable "openstack_ingress_ip" {
+  type        = string
+  description = "IP on the nodes subnet reserved for the ingress VIP."
+}
+
 variable "openstack_master_flavor_name" {
   type        = string
   description = "Instance size for the master node(s). Example: `m1.medium`."
diff --git a/pkg/asset/cluster/tfvars.go b/pkg/asset/cluster/tfvars.go
index ec108e73411..0da5ccc5d2c 100644
--- a/pkg/asset/cluster/tfvars.go
+++ b/pkg/asset/cluster/tfvars.go
@@ -38,6 +38,7 @@ import (
 	"github.com/openshift/installer/pkg/types/libvirt"
 	"github.com/openshift/installer/pkg/types/none"
 	"github.com/openshift/installer/pkg/types/openstack"
+	openstackdefaults "github.com/openshift/installer/pkg/types/openstack/defaults"
 	"github.com/openshift/installer/pkg/types/vsphere"
 	"github.com/openshift/installer/pkg/version"
 )
@@ -246,11 +247,26 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 		if err != nil {
 			return err
 		}
+		apiVIP, err := openstackdefaults.APIVIP(installConfig.Config.Networking)
+		if err != nil {
+			return err
+		}
+		dnsVIP, err := openstackdefaults.DNSVIP(installConfig.Config.Networking)
+		if err != nil {
+			return err
+		}
+		ingressVIP, err := openstackdefaults.IngressVIP(installConfig.Config.Networking)
+		if err != nil {
+			return err
+		}
 		data, err = openstacktfvars.TFVars(
 			masters[0].Spec.ProviderSpec.Value.Object.(*openstackprovider.OpenstackProviderSpec),
 			installConfig.Config.Platform.OpenStack.Region,
 			installConfig.Config.Platform.OpenStack.ExternalNetwork,
 			installConfig.Config.Platform.OpenStack.LbFloatingIP,
+			apiVIP.String(),
+			dnsVIP.String(),
+			ingressVIP.String(),
 			installConfig.Config.Platform.OpenStack.TrunkSupport,
 			installConfig.Config.Platform.OpenStack.OctaviaSupport,
 		)
diff --git a/pkg/asset/ignition/bootstrap/bootstrap.go b/pkg/asset/ignition/bootstrap/bootstrap.go
index cf5c040a7d5..bbb47891c0b 100644
--- a/pkg/asset/ignition/bootstrap/bootstrap.go
+++ b/pkg/asset/ignition/bootstrap/bootstrap.go
@@ -290,7 +290,7 @@ func (a *Bootstrap) addSystemdUnits(uri string, templateData *bootstrapTemplateD
 		"chown-gatewayd-key.service":      {},
 		"systemd-journal-gatewayd.socket": {},
 		"approve-csr.service":             {},
-		// baremetal platform services
+		// baremetal & openstack platform services
 		"keepalived.service": {},
 		"coredns.service":    {},
 	}
diff --git a/pkg/asset/ignition/machine/node.go b/pkg/asset/ignition/machine/node.go
index d1930d25559..8d46fa0b608 100644
--- a/pkg/asset/ignition/machine/node.go
+++ b/pkg/asset/ignition/machine/node.go
@@ -9,6 +9,8 @@ import (
 
 	"github.com/openshift/installer/pkg/types"
 	baremetaltypes "github.com/openshift/installer/pkg/types/baremetal"
+	openstacktypes "github.com/openshift/installer/pkg/types/openstack"
+	openstackdefaults "github.com/openshift/installer/pkg/types/openstack/defaults"
 )
 
 // pointerIgnitionConfig generates a config which references the remote config
@@ -20,6 +22,13 @@ func pointerIgnitionConfig(installConfig *types.InstallConfig, rootCA []byte, ro
 		// Baremetal needs to point directly at the VIP because we don't have a
 		// way to configure DNS before Ignition runs.
 		ignitionHost = fmt.Sprintf("%s:22623", installConfig.BareMetal.APIVIP)
+	case openstacktypes.Name:
+		apiVIP, err := openstackdefaults.APIVIP(installConfig.Networking)
+		if err == nil {
+			ignitionHost = fmt.Sprintf("%s:22623", apiVIP.String())
+		} else {
+			ignitionHost = fmt.Sprintf("api-int.%s:22623", installConfig.ClusterDomain())
+		}
 	default:
 		ignitionHost = fmt.Sprintf("api-int.%s:22623", installConfig.ClusterDomain())
 	}
diff --git a/pkg/asset/manifests/infrastructure.go b/pkg/asset/manifests/infrastructure.go
index 5f38001b01f..a49cb2da995 100644
--- a/pkg/asset/manifests/infrastructure.go
+++ b/pkg/asset/manifests/infrastructure.go
@@ -20,6 +20,7 @@ import (
 	"github.com/openshift/installer/pkg/types/libvirt"
 	"github.com/openshift/installer/pkg/types/none"
 	"github.com/openshift/installer/pkg/types/openstack"
+	openstackdefaults "github.com/openshift/installer/pkg/types/openstack/defaults"
 	"github.com/openshift/installer/pkg/types/vsphere"
 )
 
@@ -117,6 +118,23 @@ func (i *Infrastructure) Generate(dependencies asset.Parents) error {
 		config.Status.PlatformStatus.Type = configv1.NonePlatformType
 	case openstack.Name:
 		config.Status.PlatformStatus.Type = configv1.OpenStackPlatformType
+		apiVIP, err := openstackdefaults.APIVIP(installConfig.Config.Networking)
+		if err != nil {
+			return err
+		}
+		dnsVIP, err := openstackdefaults.DNSVIP(installConfig.Config.Networking)
+		if err != nil {
+			return err
+		}
+		ingressVIP, err := openstackdefaults.IngressVIP(installConfig.Config.Networking)
+		if err != nil {
+			return err
+		}
+		config.Status.PlatformStatus.OpenStack = &configv1.OpenStackPlatformStatus{
+			APIServerInternalIP: apiVIP.String(),
+			NodeDNSIP:           dnsVIP.String(),
+			IngressIP:           ingressVIP.String(),
+		}
 	case vsphere.Name:
 		config.Status.PlatformStatus.Type = configv1.VSpherePlatformType
 	default:
diff --git a/pkg/asset/tls/mcscertkey.go b/pkg/asset/tls/mcscertkey.go
index cd0a5c79b9f..9377c4d2d80 100644
--- a/pkg/asset/tls/mcscertkey.go
+++ b/pkg/asset/tls/mcscertkey.go
@@ -8,6 +8,8 @@ import (
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/installconfig"
 	baremetaltypes "github.com/openshift/installer/pkg/types/baremetal"
+	openstacktypes "github.com/openshift/installer/pkg/types/openstack"
+	openstackdefaults "github.com/openshift/installer/pkg/types/openstack/defaults"
 )
 
 // MCSCertKey is the asset that generates the MCS key/cert pair.
@@ -45,6 +47,13 @@ func (a *MCSCertKey) Generate(dependencies asset.Parents) error {
 	case baremetaltypes.Name:
 		cfg.IPAddresses = []net.IP{net.ParseIP(installConfig.Config.BareMetal.APIVIP)}
 		cfg.DNSNames = []string{hostname, installConfig.Config.BareMetal.APIVIP}
+	case openstacktypes.Name:
+		apiVIP, err := openstackdefaults.APIVIP(installConfig.Config.Networking)
+		if err != nil {
+			return err
+		}
+		cfg.IPAddresses = []net.IP{apiVIP}
+		cfg.DNSNames = []string{hostname, apiVIP.String()}
 	default:
 		cfg.DNSNames = []string{hostname}
 	}
diff --git a/pkg/tfvars/openstack/openstack.go b/pkg/tfvars/openstack/openstack.go
index d1a76b6eb02..409f503cba4 100644
--- a/pkg/tfvars/openstack/openstack.go
+++ b/pkg/tfvars/openstack/openstack.go
@@ -14,12 +14,15 @@ type config struct {
 	Cloud           string `json:"openstack_credentials_cloud,omitempty"`
 	FlavorName      string `json:"openstack_master_flavor_name,omitempty"`
 	LbFloatingIP    string `json:"openstack_lb_floating_ip,omitempty"`
+	APIVIP          string `json:"openstack_api_int_ip,omitempty"`
+	DNSVIP          string `json:"openstack_node_dns_ip,omitempty"`
+	IngressVIP      string `json:"openstack_ingress_ip,omitempty"`
 	TrunkSupport    string `json:"openstack_trunk_support,omitempty"`
 	OctaviaSupport  string `json:"openstack_octavia_support,omitempty"`
 }
 
 // TFVars generates OpenStack-specific Terraform variables.
-func TFVars(masterConfig *v1alpha1.OpenstackProviderSpec, region string, externalNetwork string, lbFloatingIP string, trunkSupport string, octaviaSupport string) ([]byte, error) {
+func TFVars(masterConfig *v1alpha1.OpenstackProviderSpec, region string, externalNetwork string, lbFloatingIP string, apiVIP string, dnsVIP string, ingressVIP string, trunkSupport string, octaviaSupport string) ([]byte, error) {
 	cfg := &config{
 		Region:          region,
 		BaseImage:       masterConfig.Image,
@@ -27,6 +30,9 @@ func TFVars(masterConfig *v1alpha1.OpenstackProviderSpec, region string, externa
 		Cloud:           masterConfig.CloudName,
 		FlavorName:      masterConfig.Flavor,
 		LbFloatingIP:    lbFloatingIP,
+		APIVIP:          apiVIP,
+		DNSVIP:          dnsVIP,
+		IngressVIP:      ingressVIP,
 		TrunkSupport:    trunkSupport,
 		OctaviaSupport:  octaviaSupport,
 	}
diff --git a/pkg/types/openstack/defaults/platform.go b/pkg/types/openstack/defaults/platform.go
index b7817671302..7dc1547ca70 100644
--- a/pkg/types/openstack/defaults/platform.go
+++ b/pkg/types/openstack/defaults/platform.go
@@ -1,9 +1,39 @@
 package defaults
 
 import (
+	"net"
+
+	"github.com/apparentlymart/go-cidr/cidr"
+
+	"github.com/openshift/installer/pkg/types"
 	"github.com/openshift/installer/pkg/types/openstack"
 )
 
 // SetPlatformDefaults sets the defaults for the platform.
 func SetPlatformDefaults(p *openstack.Platform) {
 }
+
+// APIVIP returns the internal virtual IP address (VIP) put in front
+// of the Kubernetes API server for use by components inside the
+// cluster. The DNS static pods running on the nodes resolve the
+// api-int record to APIVIP.
+func APIVIP(networking *types.Networking) (net.IP, error) {
+	return cidr.Host(&networking.MachineCIDR.IPNet, 5)
+}
+
+// DNSVIP returns the internal virtual IP address (VIP) put in front
+// of the DNS static pods running on the nodes. Unlike the DNS
+// operator these services provide name resolution for the nodes
+// themselves.
+func DNSVIP(networking *types.Networking) (net.IP, error) {
+	return cidr.Host(&networking.MachineCIDR.IPNet, 6)
+}
+
+// IngressVIP returns the internal virtual IP address (VIP) put in
+// front of the OpenShift router pods. This provides the internal
+// accessibility to the internal pods running on the worker nodes,
+// e.g. `console`. The DNS static pods running on the nodes resolve
+// the wildcard apps record to IngressVIP.
+func IngressVIP(networking *types.Networking) (net.IP, error) {
+	return cidr.Host(&networking.MachineCIDR.IPNet, 7)
+}
diff --git a/pkg/types/openstack/validation/platform.go b/pkg/types/openstack/validation/platform.go
index c5be6eb1abf..e99fcc3cbf5 100644
--- a/pkg/types/openstack/validation/platform.go
+++ b/pkg/types/openstack/validation/platform.go
@@ -5,11 +5,12 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/validation/field"
 
+	"github.com/openshift/installer/pkg/types"
 	"github.com/openshift/installer/pkg/types/openstack"
 )
 
 // ValidatePlatform checks that the specified platform is valid.
-func ValidatePlatform(p *openstack.Platform, fldPath *field.Path, fetcher ValidValuesFetcher) field.ErrorList {
+func ValidatePlatform(p *openstack.Platform, n *types.Networking, fldPath *field.Path, fetcher ValidValuesFetcher) field.ErrorList {
 	allErrs := field.ErrorList{}
 	validClouds, err := fetcher.GetCloudNames()
 	if err != nil {
@@ -59,6 +60,7 @@ func ValidatePlatform(p *openstack.Platform, fldPath *field.Path, fetcher ValidV
 	if p.DefaultMachinePlatform != nil {
 		allErrs = append(allErrs, ValidateMachinePool(p.DefaultMachinePlatform, fldPath.Child("defaultMachinePlatform"))...)
 	}
+
 	return allErrs
 }
 
diff --git a/pkg/types/openstack/validation/platform_test.go b/pkg/types/openstack/validation/platform_test.go
index 8dc44054304..552874739c9 100644
--- a/pkg/types/openstack/validation/platform_test.go
+++ b/pkg/types/openstack/validation/platform_test.go
@@ -170,7 +170,7 @@ func TestValidatePlatform(t *testing.T) {
 					MaxTimes(1)
 			}
 
-			err := ValidatePlatform(tc.platform, field.NewPath("test-path"), fetcher).ToAggregate()
+			err := ValidatePlatform(tc.platform, nil, field.NewPath("test-path"), fetcher).ToAggregate()
 			if tc.valid {
 				assert.NoError(t, err)
 			} else {
diff --git a/pkg/types/validation/installconfig.go b/pkg/types/validation/installconfig.go
index 2f19c5ebac2..6411094c306 100644
--- a/pkg/types/validation/installconfig.go
+++ b/pkg/types/validation/installconfig.go
@@ -232,7 +232,7 @@ func validatePlatform(platform *types.Platform, fldPath *field.Path, openStackVa
 	}
 	if platform.OpenStack != nil {
 		validate(openstack.Name, platform.OpenStack, func(f *field.Path) field.ErrorList {
-			return openstackvalidation.ValidatePlatform(platform.OpenStack, f, openStackValidValuesFetcher)
+			return openstackvalidation.ValidatePlatform(platform.OpenStack, network, f, openStackValidValuesFetcher)
 		})
 	}
 	if platform.VSphere != nil {
diff --git a/pkg/types/validation/installconfig_test.go b/pkg/types/validation/installconfig_test.go
index 3d29261bdbc..19544c4e6eb 100644
--- a/pkg/types/validation/installconfig_test.go
+++ b/pkg/types/validation/installconfig_test.go
@@ -104,6 +104,15 @@ func validBareMetalPlatform() *baremetal.Platform {
 	}
 }
 
+func validOpenStackPlatform() *openstack.Platform {
+	return &openstack.Platform{
+		Region:          "test-region",
+		Cloud:           "test-cloud",
+		ExternalNetwork: "test-network",
+		FlavorName:      "test-flavor",
+	}
+}
+
 func TestValidateInstallConfig(t *testing.T) {
 	cases := []struct {
 		name          string
@@ -439,12 +448,7 @@ func TestValidateInstallConfig(t *testing.T) {
 			installConfig: func() *types.InstallConfig {
 				c := validInstallConfig()
 				c.Platform = types.Platform{
-					OpenStack: &openstack.Platform{
-						Region:          "test-region",
-						Cloud:           "test-cloud",
-						ExternalNetwork: "test-network",
-						FlavorName:      "test-flavor",
-					},
+					OpenStack: validOpenStackPlatform(),
 				}
 				return c
 			}(),
@@ -454,8 +458,9 @@ func TestValidateInstallConfig(t *testing.T) {
 			installConfig: func() *types.InstallConfig {
 				c := validInstallConfig()
 				c.Platform = types.Platform{
-					OpenStack: &openstack.Platform{},
+					OpenStack: validOpenStackPlatform(),
 				}
+				c.Platform.OpenStack.Cloud = ""
 				return c
 			}(),
 			expectedError: `^platform\.openstack\.cloud: Unsupported value: "": supported values: "test-cloud"$`,