terraform-hcloud-kube-hetzner/main.tf

resource "random_password" "k3s_token" {
  length  = 48
  special = false
}

resource "hcloud_ssh_key" "k3s" {
  name       = "k3s"
  public_key = local.ssh_public_key
}

resource "hcloud_network" "k3s" {
  name     = "k3s"
  ip_range = var.network_ip_range
}

resource "hcloud_network_subnet" "subnet" {
  for_each     = var.network_subnets
  network_id   = hcloud_network.k3s.id
  type         = "cloud"
  network_zone = var.network_region
  ip_range     = each.value
}

resource "hcloud_firewall" "k3s" {
  name = "k3s"

  # Allowing internal cluster traffic and Hetzner metadata service and cloud API IPs
  rule {
    direction = "in"
    protocol  = "tcp"
    port      = "any"
    source_ips = [
      var.network_ip_range,
      "127.0.0.1/32",
      "169.254.169.254/32",
      "213.239.246.1/32"
    ]
  }
  rule {
    direction = "in"
    protocol  = "udp"
    port      = "any"
    source_ips = [
      var.network_ip_range,
      "127.0.0.1/32",
      "169.254.169.254/32",
      "213.239.246.1/32"
    ]
  }
  rule {
    direction = "in"
    protocol  = "icmp"
    source_ips = [
      var.network_ip_range,
      "127.0.0.1/32",
      "169.254.169.254/32",
      "213.239.246.1/32"
    ]
  }

  # Allow all traffic to the kube api server
  rule {
    direction = "in"
    protocol  = "tcp"
    port      = "6443"
    source_ips = [
      "0.0.0.0/0"
    ]
  }

  # Allow all traffic to the ssh port
  rule {
    direction = "in"
    protocol  = "tcp"
    port      = "22"
    source_ips = [
      "0.0.0.0/0"
    ]
  }

  # Allow ping on ipv4
  rule {
    direction = "in"
    protocol  = "icmp"
    source_ips = [
      "0.0.0.0/0"
    ]
  }

  # Allow basic out traffic
  # ICMP to ping outside services
  rule {
    direction = "out"
    protocol  = "icmp"
    destination_ips = [
      "0.0.0.0/0"
    ]
  }

  # DNS
  rule {
    direction = "out"
    protocol  = "tcp"
    port      = "53"
    destination_ips = [
      "0.0.0.0/0"
    ]
  }
  rule {
    direction = "out"
    protocol  = "udp"
    port      = "53"
    destination_ips = [
      "0.0.0.0/0"
    ]
  }

  # HTTP(s)
  rule {
    direction = "out"
    protocol  = "tcp"
    port      = "80"
    destination_ips = [
      "0.0.0.0/0"
    ]
  }
  rule {
    direction = "out"
    protocol  = "tcp"
    port      = "443"
    destination_ips = [
      "0.0.0.0/0"
    ]
  }

  #NTP
  rule {
    direction = "out"
    protocol  = "udp"
    port      = "123"
    destination_ips = [
      "0.0.0.0/0"
    ]
  }

}

resource "hcloud_placement_group" "k3s" {
  name = "k3s"
  type = "spread"
  labels = {
    "provisioner" = "terraform",
    "engine"      = "k3s"
  }
}

data "hcloud_load_balancer" "traefik" {
  name = "traefik"

  depends_on = [null_resource.kustomization]
}

resource "null_resource" "destroy_traefik_loadbalancer" {
  # this only gets triggered before total destruction of the cluster, but when the necessary elements to run the commands are still available
  triggers = {
    kustomization_id = null_resource.kustomization.id
  }

  # Important when issuing terraform destroy, otherwise the LB will not let the network get deleted
  provisioner "local-exec" {
    when       = destroy
    command    = <<-EOT
      kubectl -n kube-system delete service traefik --kubeconfig ${path.module}/kubeconfig.yaml
    EOT
    on_failure = continue
  }

  depends_on = [
    local_file.kubeconfig,
    null_resource.control_planes[0],
    hcloud_network_subnet.subnet,
    hcloud_network.k3s,
    hcloud_firewall.k3s,
    hcloud_placement_group.k3s,
    hcloud_ssh_key.k3s
  ]
}
k3os master ok 2021-11-30 23:09:34 +01:00			`resource "random_password" "k3s_token" {`
initial commit 2021-07-30 10:12:37 +02:00			`length = 48`
			`special = false`
			`}`

microOS prep 2022-02-05 00:02:25 +01:00			`resource "hcloud_ssh_key" "k3s" {`
			`name = "k3s"`
k3os master ok 2021-11-30 23:09:34 +01:00			`public_key = local.ssh_public_key`
initial commit 2021-07-30 10:12:37 +02:00			`}`

			`resource "hcloud_network" "k3s" {`
microOS prep 2022-02-05 00:02:25 +01:00			`name = "k3s"`
add specific subnet for nodepool 2022-02-25 19:16:38 +01:00			`ip_range = var.network_ip_range`
initial commit 2021-07-30 10:12:37 +02:00			`}`

add specific subnet for nodepool 2022-02-25 19:16:38 +01:00			`resource "hcloud_network_subnet" "subnet" {`
			`for_each = var.network_subnets`
initial commit 2021-07-30 10:12:37 +02:00			`network_id = hcloud_network.k3s.id`
			`type = "cloud"`
Use a variable for `network_region` ..instead of hardcoding it to `eu-central` 2022-01-29 20:21:30 +01:00			`network_zone = var.network_region`
add specific subnet for nodepool 2022-02-25 19:16:38 +01:00			`ip_range = each.value`
initial commit 2021-07-30 10:12:37 +02:00			`}`

Added Hetzner firewall and fixed addresses 2021-09-01 00:37:11 +02:00			`resource "hcloud_firewall" "k3s" {`
microOS prep 2022-02-05 00:02:25 +01:00			`name = "k3s"`
Added Hetzner firewall and fixed addresses 2021-09-01 00:37:11 +02:00
fixed comment 2021-12-10 00:48:45 +01:00			`# Allowing internal cluster traffic and Hetzner metadata service and cloud API IPs`
Added Hetzner firewall and fixed addresses 2021-09-01 00:37:11 +02:00			`rule {`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "any"`
			`source_ips = [`
add specific subnet for nodepool 2022-02-25 19:16:38 +01:00			`var.network_ip_range,`
Added Hetzner firewall and fixed addresses 2021-09-01 00:37:11 +02:00			`"127.0.0.1/32",`
			`"169.254.169.254/32",`
			`"213.239.246.1/32"`
			`]`
			`}`
			`rule {`
			`direction = "in"`
			`protocol = "udp"`
			`port = "any"`
			`source_ips = [`
add specific subnet for nodepool 2022-02-25 19:16:38 +01:00			`var.network_ip_range,`
Added Hetzner firewall and fixed addresses 2021-09-01 00:37:11 +02:00			`"127.0.0.1/32",`
			`"169.254.169.254/32",`
			`"213.239.246.1/32"`
			`]`
			`}`
			`rule {`
			`direction = "in"`
			`protocol = "icmp"`
			`source_ips = [`
add specific subnet for nodepool 2022-02-25 19:16:38 +01:00			`var.network_ip_range,`
Added Hetzner firewall and fixed addresses 2021-09-01 00:37:11 +02:00			`"127.0.0.1/32",`
			`"169.254.169.254/32",`
			`"213.239.246.1/32"`
			`]`
			`}`

			`# Allow all traffic to the kube api server`
			`rule {`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "6443"`
			`source_ips = [`
			`"0.0.0.0/0"`
			`]`
			`}`

			`# Allow all traffic to the ssh port`
			`rule {`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "22"`
			`source_ips = [`
			`"0.0.0.0/0"`
			`]`
			`}`
initial commit 2021-07-30 10:12:37 +02:00
k3os master ok 2021-11-30 23:09:34 +01:00			`# Allow ping on ipv4`
			`rule {`
			`direction = "in"`
			`protocol = "icmp"`
			`source_ips = [`
			`"0.0.0.0/0"`
			`]`
initial commit 2021-07-30 10:12:37 +02:00			`}`
added traefik 2022-01-05 15:04:22 +01:00
			`# Allow basic out traffic`
			`# ICMP to ping outside services`
			`rule {`
			`direction = "out"`
			`protocol = "icmp"`
			`destination_ips = [`
			`"0.0.0.0/0"`
			`]`
			`}`

			`# DNS`
			`rule {`
			`direction = "out"`
			`protocol = "tcp"`
			`port = "53"`
			`destination_ips = [`
			`"0.0.0.0/0"`
			`]`
			`}`
			`rule {`
			`direction = "out"`
			`protocol = "udp"`
			`port = "53"`
			`destination_ips = [`
			`"0.0.0.0/0"`
			`]`
			`}`

			`# HTTP(s)`
			`rule {`
			`direction = "out"`
			`protocol = "tcp"`
			`port = "80"`
			`destination_ips = [`
			`"0.0.0.0/0"`
			`]`
			`}`
			`rule {`
			`direction = "out"`
			`protocol = "tcp"`
			`port = "443"`
			`destination_ips = [`
			`"0.0.0.0/0"`
			`]`
			`}`

			`#NTP`
			`rule {`
			`direction = "out"`
			`protocol = "udp"`
			`port = "123"`
			`destination_ips = [`
			`"0.0.0.0/0"`
			`]`
			`}`

initial commit 2021-07-30 10:12:37 +02:00			`}`

pre master 2022-02-10 03:01:40 +01:00			`resource "hcloud_placement_group" "k3s" {`
			`name = "k3s"`
Add Hetzner placement group and link servers to it 2022-01-29 21:15:23 +01:00			`type = "spread"`
			`labels = {`
			`"provisioner" = "terraform",`
			`"engine" = "k3s"`
			`}`
			`}`
Expose load balancer ip in outputs 2022-02-14 00:24:08 +01:00
			`data "hcloud_load_balancer" "traefik" {`
			`name = "traefik"`
load balancer ip depends on deployed CCM... ...so a finished first control plane, more or less 2022-02-14 11:14:14 +01:00
First control plane node is not special anymore The first control plane node is now identical to any other server node. The cluster initialization happens once in two steps: first, make sure that the k3s cluster is initialized and then apply our configurations while the other nodes join. This change makes the initialization more resilient and even faster than before. 2022-02-22 08:50:54 +01:00			`depends_on = [null_resource.kustomization]`
Expose load balancer ip in outputs 2022-02-14 00:24:08 +01:00			`}`
added null ressouce to destroy lb 2022-02-24 01:44:56 +01:00
traefik deletes successfully 2022-02-25 00:21:28 +01:00			`resource "null_resource" "destroy_traefik_loadbalancer" {`
			`# this only gets triggered before total destruction of the cluster, but when the necessary elements to run the commands are still available`
added null ressouce to destroy lb 2022-02-24 01:44:56 +01:00			`triggers = {`
traefik deletes successfully 2022-02-25 00:21:28 +01:00			`kustomization_id = null_resource.kustomization.id`
added null ressouce to destroy lb 2022-02-24 01:44:56 +01:00			`}`

			`# Important when issuing terraform destroy, otherwise the LB will not let the network get deleted`
			`provisioner "local-exec" {`
traefik deletes successfully 2022-02-25 00:21:28 +01:00			`when = destroy`
			`command = <<-EOT`
			`kubectl -n kube-system delete service traefik --kubeconfig ${path.module}/kubeconfig.yaml`
added null ressouce to destroy lb 2022-02-24 01:44:56 +01:00			`EOT`
			`on_failure = continue`
			`}`
traefik deletes successfully 2022-02-25 00:21:28 +01:00
			`depends_on = [`
			`local_file.kubeconfig,`
			`null_resource.control_planes[0],`
fix missing reference 2022-02-25 20:36:20 +01:00			`hcloud_network_subnet.subnet,`
traefik deletes successfully 2022-02-25 00:21:28 +01:00			`hcloud_network.k3s,`
			`hcloud_firewall.k3s,`
			`hcloud_placement_group.k3s,`
			`hcloud_ssh_key.k3s`
			`]`
added null ressouce to destroy lb 2022-02-24 01:44:56 +01:00			`}`