Added kubernetes cluster

clank_kustomization_backup.yaml

@@ -0,0 +1,50 @@
+"apiVersion": "kustomize.config.k8s.io/v1beta1"
+"kind": "Kustomization"
+"patchesStrategicMerge":
+- |
+  apiVersion: apps/v1
+  kind: DaemonSet
+  metadata:
+    name: kured
+    namespace: kube-system
+  spec:
+    selector:
+      matchLabels:
+        name: kured
+    template:
+      metadata:
+        labels:
+          name: kured
+      spec:
+        serviceAccountName: kured
+        containers:
+          - name: kured
+            command:
+              - /usr/bin/kured
+              - --reboot-command=/usr/bin/systemctl reboot
+- |
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: system-upgrade-controller
+    namespace: system-upgrade
+  spec:
+    template:
+      spec:
+        containers:
+          - name: system-upgrade-controller
+            volumeMounts:
+              - name: ca-certificates
+                mountPath: /var/lib/ca-certificates
+        volumes:
+          - name: ca-certificates
+            hostPath:
+              path: /var/lib/ca-certificates
+              type: Directory
+- "ccm.yaml"
+"resources":
+- "https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/v1.12.1/ccm-networks.yaml"
+- "https://github.com/weaveworks/kured/releases/download/1.9.2/kured-1.9.2-dockerhub.yaml"
+- "https://raw.githubusercontent.com/rancher/system-upgrade-controller/master/manifests/system-upgrade-controller.yaml"
+- "https://raw.githubusercontent.com/hetznercloud/csi-driver/v1.6.0/deploy/kubernetes/hcloud-csi.yml"
+- "traefik_config.yaml"

main.tf

@@ -1,10 +1,28 @@
+terraform {
+  required_version = ">= 1.2.0"
+  required_providers {
+    hcloud = {
+      source  = "hetznercloud/hcloud"
+      version = ">= 1.0.0"
+    }
+  }
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
+
 module "kube-hetzner" {
+  providers = {
+    hcloud = hcloud
+  }
+
   source = "kube-hetzner/kube-hetzner/hcloud"
 
   hcloud_token = var.hcloud_token
 
-  public_key  = ".keys/id_ed25519.pub"
+  ssh_public_key  = file(".keys/id_ed25519.pub")
-  private_key = ".keys/id_ed25519"
+  ssh_private_key = file(".keys/id_ed25519")
 
   network_region = "eu-central" # change to `us-east` if location is ash
   control_plane_nodepools = [
@@ -49,7 +67,7 @@ module "kube-hetzner" {
       location    = "nbg1",
       labels      = [],
       taints      = [],
-      count       = 1
+      count       = 0
     },
     {
       name        = "storage1",
@@ -61,13 +79,14 @@ module "kube-hetzner" {
       taints = [
         "server-usage=storage:NoSchedule"
       ],
-      count = 2
+      count = 1
     }
   ]
 
   load_balancer_type            = "lb11"
   load_balancer_location        = "fsn1"
   traefik_enabled               = true
+  traefik_additional_options = ["--log.level=DEBUG", "--tracing=true"]
   metrics_server_enabled        = true
   automatically_upgrade_k3s     = true
   initial_k3s_channel           = "stable"
@@ -95,10 +114,7 @@ module "kube-hetzner" {
     }
   ]
 
-  # If you want to configure additional Arguments for traefik, enter them here as a list and in the form of traefik CLI arguments; see https://doc.traefik.io/traefik/reference/static-configuration/cli/
+  enable_cert_manager        = false
-  # Example: traefik_additional_options = ["--log.level=DEBUG", "--tracing=true"]
-  traefik_additional_options = ["--tracing=true"]
-  enable_cert_manager        = true
 }
 
 module "dns" {
@@ -121,13 +137,13 @@ module "dns" {
   ]
 }
 
-module "flux" {
+#module "flux" {
-  source    = "./modules/flux"
+#  source    = "./modules/flux"
-  path      = "clank"
+#  path      = "clank"
-  namespace = "flux-system"
+#  namespace = "flux-system"
-  url       = "ssh://git@git.front.kjuulh.io/clank/kubernetes-state.git"
+#  url       = "ssh://git@git.front.kjuulh.io/clank/kubernetes-state.git"
-  branch    = "main"
+#  branch    = "main"
-
+#
-  ssh_private_key_pem = file(".keys/id_clank")
+#  ssh_private_key_pem = file(".keys/id_clank")
-  ssh_public_key_pem = file(".keys/id_clank.pub")
+#  ssh_public_key_pem = file(".keys/id_clank.pub")
-}
+#}

modules/flux/main.tf

@@ -1,116 +1,128 @@
 # Install
 
-data "flux_install" "main" {
+#data "flux_install" "main" {
-  target_path    = var.path
+#  target_path    = var.path
-  network_policy = false
+#  network_policy = false
-  version        = "latest"
+#  version        = "latest"
-}
+#}
-
+#
-resource "kubernetes_namespace" "flux_system" {
+#resource "kubernetes_namespace" "flux_system" {
-  metadata {
+#  metadata {
-    name = var.namespace
+#    name = var.namespace
-  }
+#  }
-
+#
-  lifecycle {
+#  lifecycle {
-    ignore_changes = [
+#    ignore_changes = [
-      metadata[0].labels,
+#      metadata[0].labels,
-    ]
+#    ]
-  }
+#  }
-}
+#}
-
+#
-resource "kubernetes_namespace" "prod" {
+#resource "kubernetes_namespace" "prod" {
-  metadata {
+#  metadata {
-    name = "prod"
+#    name = "prod"
-  }
+#  }
-
+#
-  lifecycle {
+#  lifecycle {
-    ignore_changes = [
+#    ignore_changes = [
-      metadata[0].labels,
+#      metadata[0].labels,
-    ]
+#    ]
-  }
+#  }
-}
+#}
-
+#
-data "kubectl_file_documents" "apply" {
+#resource "kubernetes_namespace" "platform" {
-  content = data.flux_install.main.content
+#  metadata {
-}
+#    name = "platform"
-
+#  }
-# Convert documents list to include parsed yaml data
+#
-locals {
+#  lifecycle {
-  apply = [for v in data.kubectl_file_documents.apply.documents : {
+#    ignore_changes = [
-    data : yamldecode(v)
+#      metadata[0].labels,
-    content : v
+#    ]
-    }
+#  }
-  ]
+#}
-}
+#
-
+#data "kubectl_file_documents" "apply" {
-# Apply manifests on the cluster
+#  content = data.flux_install.main.content
-resource "kubectl_manifest" "apply" {
+#}
-  for_each   = { for v in local.apply : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content }
+#
-  depends_on = [kubernetes_namespace.flux_system]
+## Convert documents list to include parsed yaml data
-  yaml_body  = each.value
+#locals {
-}
+#  apply = [for v in data.kubectl_file_documents.apply.documents : {
-
+#    data : yamldecode(v)
-# Sync
+#    content : v
-
+#    }
-data "flux_sync" "main" {
+#  ]
-  target_path = var.path
+#}
-  url         = var.url
+#
-  branch      = var.branch
+## Apply manifests on the cluster
-}
+#resource "kubectl_manifest" "apply" {
-
+#  for_each   = { for v in local.apply : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content }
-# Split multi-doc YAML with
+#  depends_on = [kubernetes_namespace.flux_system]
-# https://registry.terraform.io/providers/gavinbunney/kubectl/latest
+#  yaml_body  = each.value
-data "kubectl_file_documents" "sync" {
+#}
-  content = data.flux_sync.main.content
+#
-}
+## Sync
-
+#
-# Convert documents list to include parsed yaml data
+#data "flux_sync" "main" {
-locals {
+#  target_path = var.path
-  sync = [for v in data.kubectl_file_documents.sync.documents : {
+#  url         = var.url
-    data : yamldecode(v)
+#  branch      = var.branch
-    content : v
+#}
-    }
+#
-  ]
+## Split multi-doc YAML with
-}
+## https://registry.terraform.io/providers/gavinbunney/kubectl/latest
-
+#data "kubectl_file_documents" "sync" {
-# Apply manifests on the cluster
+#  content = data.flux_sync.main.content
-resource "kubectl_manifest" "sync" {
+#}
-  for_each   = { for v in local.sync : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content }
+#
-  depends_on = [kubernetes_namespace.flux_system]
+## Convert documents list to include parsed yaml data
-  yaml_body  = each.value
+#locals {
-}
+#  sync = [for v in data.kubectl_file_documents.sync.documents : {
-
+#    data : yamldecode(v)
-locals {
+#    content : v
-  known_hosts = <<EOT
+#    }
-git.front.kjuulh.io ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJdO0Tw0e/Fa78g1Xszc4oKaOPbTwl7RTAaGQb0TrV8
+#  ]
-git.front.kjuulh.io ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO61xoa0ON2Y8rpIB6R9PFxg9HUxMym8Z5I4vYUC+/UnzaDx9YUEGo3Vig9wBo6Hc2lAp0BIwH/d5d6uBBEIj/Y=
+#}
-EOT
+#
-}
+## Apply manifests on the cluster
-
+#resource "kubectl_manifest" "sync" {
-# Generate a Kubernetes secret with the Git credentials
+#  for_each   = { for v in local.sync : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content }
-resource "kubernetes_secret" "main" {
+#  depends_on = [kubernetes_namespace.flux_system]
-  depends_on = [kubectl_manifest.apply]
+#  yaml_body  = each.value
-
+#}
-  metadata {
+#
-    name      = data.flux_sync.main.secret
+#locals {
-    namespace = data.flux_sync.main.namespace
+#  known_hosts = <<EOT
-  }
+#git.front.kjuulh.io ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJdO0Tw0e/Fa78g1Xszc4oKaOPbTwl7RTAaGQb0TrV8
-
+#git.front.kjuulh.io ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO61xoa0ON2Y8rpIB6R9PFxg9HUxMym8Z5I4vYUC+/UnzaDx9YUEGo3Vig9wBo6Hc2lAp0BIwH/d5d6uBBEIj/Y=
-  data = {
+#EOT
-    identity = var.ssh_private_key_pem
+#}
-    "identity.pub" = var.ssh_public_key_pem
+#
-    #    identity       = <<EOT
+## Generate a Kubernetes secret with the Git credentials
-    #-----BEGIN OPENSSH PRIVATE KEY-----
+#resource "kubernetes_secret" "main" {
-    #b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+#  depends_on = [kubectl_manifest.apply]
-    #QyNTUxOQAAACBYZYPLAjLRZhUHfk4yTLmiQTDmdWPIgZTI+dGLgpY/GAAAAJgGvLdRBry3
+#
-    #UQAAAAtzc2gtZWQyNTUxOQAAACBYZYPLAjLRZhUHfk4yTLmiQTDmdWPIgZTI+dGLgpY/GA
+#  metadata {
-    #AAAEBmqJkdSt8H6HIVzV6Na8ukBOj4Bywd970sQVPWAz8Ug1hlg8sCMtFmFQd+TjJMuaJB
+#    name      = data.flux_sync.main.secret
-    #MOZ1Y8iBlMj50YuClj8YAAAAEWNvbnRhY3RAa2p1dWxoLmlvAQIDBA==
+#    namespace = data.flux_sync.main.namespace
-    #-----END OPENSSH PRIVATE KEY-----
+#  }
-    #EOT
+#
-    #    "identity.pub" = <<EOT
+#  data = {
-    #ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhlg8sCMtFmFQd+TjJMuaJBMOZ1Y8iBlMj50YuClj8Y contact@kjuulh.io
+#    identity = var.ssh_private_key_pem
-    #EOT
+#    "identity.pub" = var.ssh_public_key_pem
-    known_hosts    = local.known_hosts
+#    #    identity       = <<EOT
-  }
+#    #-----BEGIN OPENSSH PRIVATE KEY-----
-}
+#    #b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+#    #QyNTUxOQAAACBYZYPLAjLRZhUHfk4yTLmiQTDmdWPIgZTI+dGLgpY/GAAAAJgGvLdRBry3
+#    #UQAAAAtzc2gtZWQyNTUxOQAAACBYZYPLAjLRZhUHfk4yTLmiQTDmdWPIgZTI+dGLgpY/GA
+#    #AAAEBmqJkdSt8H6HIVzV6Na8ukBOj4Bywd970sQVPWAz8Ug1hlg8sCMtFmFQd+TjJMuaJB
+#    #MOZ1Y8iBlMj50YuClj8YAAAAEWNvbnRhY3RAa2p1dWxoLmlvAQIDBA==
+#    #-----END OPENSSH PRIVATE KEY-----
+#    #EOT
+#    #    "identity.pub" = <<EOT
+#    #ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhlg8sCMtFmFQd+TjJMuaJBMOZ1Y8iBlMj50YuClj8Y contact@kjuulh.io
+#    #EOT
+#    known_hosts    = local.known_hosts
+#  }
+#}