terraform-hcloud-kube-hetzner/master.tf

resource "hcloud_server" "first_control_plane" {
  name = "k3s-control-plane-0"

  image              = data.hcloud_image.linux.name
  rescue             = "linux64"
  server_type        = var.control_plane_server_type
  location           = var.location
  ssh_keys           = [hcloud_ssh_key.k3s.id]
  firewall_ids       = [hcloud_firewall.k3s.id]
  placement_group_id = hcloud_placement_group.k3s.id

  labels = {
    "provisioner" = "terraform",
    "engine"      = "k3s"
  }

  connection {
    user           = "root"
    private_key    = local.ssh_private_key
    agent_identity = local.ssh_identity
    host           = self.ipv4_address
  }

  provisioner "file" {
    content = templatefile("${path.module}/templates/config.ign.tpl", {
      name           = self.name
      ssh_public_key = local.ssh_public_key
    })
    destination = "/root/config.ign"
  }

  # Install MicroOS
  provisioner "remote-exec" {
    inline = local.MicroOS_install_commands
  }

  # Issue a reboot command
  provisioner "local-exec" {
    command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"
  }

  # Wait for MicroOS to reboot and be ready
  provisioner "local-exec" {
    command = <<-EOT
      until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${self.ipv4_address} true 2> /dev/null
      do
        echo "Waiting for MicroOS to reboot and become available..."
        sleep 2
      done
    EOT
  }

  # Generating k3s master config file
  provisioner "file" {
    content = yamlencode({
      node-name                = self.name
      cluster-init             = true
      disable-cloud-controller = true
      disable                  = ["servicelb", "local-storage"]
      flannel-iface            = "eth1"
      kubelet-arg              = "cloud-provider=external"
      node-ip                  = local.first_control_plane_network_ip
      advertise-address        = local.first_control_plane_network_ip
      token                    = random_password.k3s_token.result
      node-taint               = var.allow_scheduling_on_control_plane ? [] : ["node-role.kubernetes.io/master:NoSchedule"]
    })
    destination = "/etc/rancher/k3s/config.yaml"
  }

  # Run the first control plane
  provisioner "remote-exec" {
    inline = [
      # set the hostname in a persistent fashion
      "hostnamectl set-hostname ${self.name}",
      # first we disable automatic reboot (after transactional updates), and configure the reboot method as kured
      "rebootmgrctl set-strategy off && echo 'REBOOT_METHOD=kured' > /etc/transactional-update.conf",
      # then we initiate the cluster
      "systemctl enable k3s-server",
      # prepare a directory for our post-installation kustomizations
      "mkdir -p /tmp/post_install",
      # start k3s and wait for the cluster to be ready
      <<-EOT
        until systemctl status k3s-server > /dev/null
        do
          systemctl start k3s-server
          echo "Initiating the cluster..."
          sleep 2
        done
        timeout 120 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%%{http_code}'' curl -k https://localhost:6443/readyz)" != "200" ]]; do echo "Waiting for cluster to become ready" ; sleep 1; done'
      EOT
    ]
  }

  # Upload kustomization.yaml, containing Hetzner CSI & CSM, as well as kured.
  provisioner "file" {
    content     = local.post_install_kustomization
    destination = "/tmp/post_install/kustomization.yaml"
  }

  # Upload traefik config
  provisioner "file" {
    content     = local.traefik_config
    destination = "/tmp/post_install/traefik.yaml"
  }

  provisioner "remote-exec" {
    inline = [
      "kubectl -n kube-system create secret generic hcloud --from-literal=token=${var.hcloud_token} --from-literal=network=${hcloud_network.k3s.name}",
      "kubectl -n kube-system create secret generic hcloud-csi --from-literal=token=${var.hcloud_token}",
      "kubectl apply -k /tmp/post_install",
      "rm -rf /tmp/post_install"
    ]
  }

  network {
    network_id = hcloud_network.k3s.id
    ip         = local.first_control_plane_network_ip
  }

  depends_on = [
    hcloud_network_subnet.k3s,
    hcloud_firewall.k3s
  ]
}
initial commit 2021-07-30 10:12:37 +02:00			`resource "hcloud_server" "first_control_plane" {`
k3os ok 2021-12-03 02:11:52 +01:00			`name = "k3s-control-plane-0"`
initial commit 2021-07-30 10:12:37 +02:00
Add Hetzner placement group and link servers to it 2022-01-29 21:15:23 +01:00			`image = data.hcloud_image.linux.name`
			`rescue = "linux64"`
			`server_type = var.control_plane_server_type`
			`location = var.location`
microOS prep 2022-02-05 00:02:25 +01:00			`ssh_keys = [hcloud_ssh_key.k3s.id]`
Add Hetzner placement group and link servers to it 2022-01-29 21:15:23 +01:00			`firewall_ids = [hcloud_firewall.k3s.id]`
pre master 2022-02-10 03:01:40 +01:00			`placement_group_id = hcloud_placement_group.k3s.id`
initial commit 2021-07-30 10:12:37 +02:00
			`labels = {`
Added Hetzner firewall and fixed addresses 2021-09-01 00:37:11 +02:00			`"provisioner" = "terraform",`
k3os master ok 2021-11-30 23:09:34 +01:00			`"engine" = "k3s"`
initial commit 2021-07-30 10:12:37 +02:00			`}`

use resource-level connection blocks... this is now possible, since all our provisioners are using the same settings. And it saves a bunch of lines 2022-02-11 16:00:19 +01:00			`connection {`
			`user = "root"`
			`private_key = local.ssh_private_key`
			`agent_identity = local.ssh_identity`
			`host = self.ipv4_address`
			`}`

k3os master ok 2021-11-30 23:09:34 +01:00			`provisioner "file" {`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`content = templatefile("${path.module}/templates/config.ign.tpl", {`
k3os ok 2021-12-03 02:11:52 +01:00			`name = self.name`
			`ssh_public_key = local.ssh_public_key`
			`})`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`destination = "/root/config.ign"`
			`}`

			`# Install MicroOS`
			`provisioner "remote-exec" {`
			`inline = local.MicroOS_install_commands`
initial commit 2021-07-30 10:12:37 +02:00			`}`

Reduce reboot time 2022-02-07 09:11:07 +01:00			`# Issue a reboot command`
			`provisioner "local-exec" {`
remove root from ssh_args... because scp does not take the username via -l, so we just re-add it to the commands themselves. 2022-02-07 13:19:06 +01:00			`command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"`
Reduce reboot time 2022-02-07 09:11:07 +01:00			`}`

initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`# Wait for MicroOS to reboot and be ready`
			`provisioner "local-exec" {`
Avoid connection timeout errors while waiting for reboot 2022-02-07 22:50:44 +01:00			`command = <<-EOT`
			`until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${self.ipv4_address} true 2> /dev/null`
			`do`
pre master 2022-02-10 03:31:20 +01:00			`echo "Waiting for MicroOS to reboot and become available..."`
Avoid connection timeout errors while waiting for reboot 2022-02-07 22:50:44 +01:00			`sleep 2`
			`done`
			`EOT`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`}`

			`# Generating k3s master config file`
microOS eth1 still down 2022-02-05 01:22:35 +01:00			`provisioner "file" {`
use yamlencode for k3s configs... ...and remove the now, hopefully unneeded workaround for agent.conf, all values are in config.yaml now 2022-02-07 12:56:13 +01:00			`content = yamlencode({`
			`node-name = self.name`
			`cluster-init = true`
			`disable-cloud-controller = true`
Use yaml list for disabled k3s features Co-authored-by: Marco Nenciarini <mnencia@kcore.it> 2022-02-08 14:14:23 +01:00			`disable = ["servicelb", "local-storage"]`
use yamlencode for k3s configs... ...and remove the now, hopefully unneeded workaround for agent.conf, all values are in config.yaml now 2022-02-07 12:56:13 +01:00			`flannel-iface = "eth1"`
			`kubelet-arg = "cloud-provider=external"`
			`node-ip = local.first_control_plane_network_ip`
			`advertise-address = local.first_control_plane_network_ip`
			`token = random_password.k3s_token.result`
terraform fmt 2022-02-08 09:12:16 +01:00			`node-taint = var.allow_scheduling_on_control_plane ? [] : ["node-role.kubernetes.io/master:NoSchedule"]`
microOS eth1 still down 2022-02-05 01:22:35 +01:00			`})`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`destination = "/etc/rancher/k3s/config.yaml"`
microOS eth1 still down 2022-02-05 01:22:35 +01:00			`}`
pre master 2022-02-10 03:31:20 +01:00
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`# Run the first control plane`
initial commit 2021-07-30 10:12:37 +02:00			`provisioner "remote-exec" {`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`inline = [`
pre master 2022-02-10 03:01:40 +01:00			`# set the hostname in a persistent fashion`
			`"hostnamectl set-hostname ${self.name}",`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`# first we disable automatic reboot (after transactional updates), and configure the reboot method as kured`
			`"rebootmgrctl set-strategy off && echo 'REBOOT_METHOD=kured' > /etc/transactional-update.conf",`
			`# then we initiate the cluster`
pre master 2022-02-10 03:01:40 +01:00			`"systemctl enable k3s-server",`
fix /tmp/post_install... ...without an explicit mkdir before, it just writes the latest file to /tmp/post_install (which is a file, not a directory) 2022-02-11 23:11:20 +01:00			`# prepare a directory for our post-installation kustomizations`
			`"mkdir -p /tmp/post_install",`
			`# start k3s and wait for the cluster to be ready`
pre master 2022-02-10 03:01:40 +01:00			`<<-EOT`
			`until systemctl status k3s-server > /dev/null`
			`do`
			`systemctl start k3s-server`
			`echo "Initiating the cluster..."`
			`sleep 2`
			`done`
fix /tmp/post_install... ...without an explicit mkdir before, it just writes the latest file to /tmp/post_install (which is a file, not a directory) 2022-02-11 23:11:20 +01:00			`timeout 120 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%%{http_code}'' curl -k https://localhost:6443/readyz)" != "200" ]]; do echo "Waiting for cluster to become ready" ; sleep 1; done'`
pre master 2022-02-10 03:01:40 +01:00			`EOT`
cleanup first control plane provisioning... * move yaml to subdirectory of /tmp * reformat loop waiting for /readyz endpoint * add logging message * split provisioner because sensitive var.hcloud_token prohibits log output 2022-02-11 22:47:57 +01:00			`]`
			`}`

fix /tmp/post_install... ...without an explicit mkdir before, it just writes the latest file to /tmp/post_install (which is a file, not a directory) 2022-02-11 23:11:20 +01:00			`# Upload kustomization.yaml, containing Hetzner CSI & CSM, as well as kured.`
			`provisioner "file" {`
			`content = local.post_install_kustomization`
			`destination = "/tmp/post_install/kustomization.yaml"`
			`}`

			`# Upload traefik config`
			`provisioner "file" {`
			`content = local.traefik_config`
			`destination = "/tmp/post_install/traefik.yaml"`
			`}`

cleanup first control plane provisioning... * move yaml to subdirectory of /tmp * reformat loop waiting for /readyz endpoint * add logging message * split provisioner because sensitive var.hcloud_token prohibits log output 2022-02-11 22:47:57 +01:00			`provisioner "remote-exec" {`
			`inline = [`
			`"kubectl -n kube-system create secret generic hcloud --from-literal=token=${var.hcloud_token} --from-literal=network=${hcloud_network.k3s.name}",`
Expose kubeconfig in outputs... * To do so, we need to ensure that the generated kubeconfig is part of terraforms dependency graph. This has the additional benefit of not depending on local files anymore which should enable multi-user setups. * This also means that we can't deploy CCM, CSI & Traefik from our local host, because we don't have kubeconfig.yaml locally while provisioning the control plane, only afterwards. * So we just run kubectl apply on the control plane itself, after k3s is ready. * To do so, we need to deploy all manifests. I've merged the patches into a single kustomization.yaml file, because that makes the deployment of those files to the control-plane server easier. * we could also put the traefik config into the same kustomization file, which would save us one of the file provisioner blocks. I didn't want this PR to get any bigger, and will consider merging this config later on. kustomization.yaml is small enough that we could yamlencode() for it and store the patches in separate files again, not as inline-strings which is kind of ugly. 2022-02-11 12:45:03 +01:00			`"kubectl -n kube-system create secret generic hcloud-csi --from-literal=token=${var.hcloud_token}",`
cleanup first control plane provisioning... * move yaml to subdirectory of /tmp * reformat loop waiting for /readyz endpoint * add logging message * split provisioner because sensitive var.hcloud_token prohibits log output 2022-02-11 22:47:57 +01:00			`"kubectl apply -k /tmp/post_install",`
			`"rm -rf /tmp/post_install"`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`]`
initial commit 2021-07-30 10:12:37 +02:00			`}`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00
initial commit 2021-07-30 10:12:37 +02:00			`network {`
			`network_id = hcloud_network.k3s.id`
Added Hetzner firewall and fixed addresses 2021-09-01 00:37:11 +02:00			`ip = local.first_control_plane_network_ip`
initial commit 2021-07-30 10:12:37 +02:00			`}`

			`depends_on = [`
Added Hetzner firewall and fixed addresses 2021-09-01 00:37:11 +02:00			`hcloud_network_subnet.k3s,`
			`hcloud_firewall.k3s`
initial commit 2021-07-30 10:12:37 +02:00			`]`
			`}`