terraform-hcloud-kube-hetzner/master.tf

resource "hcloud_server" "first_control_plane" {
  name = "k3s-control-plane-0"

  image              = data.hcloud_image.linux.name
  rescue             = "linux64"
  server_type        = var.control_plane_server_type
  location           = var.location
  ssh_keys           = [hcloud_ssh_key.k3s.id]
  firewall_ids       = [hcloud_firewall.k3s.id]
  placement_group_id = hcloud_placement_group.k3s.id

  labels = {
    "provisioner" = "terraform",
    "engine"      = "k3s"
  }

  connection {
    user           = "root"
    private_key    = local.ssh_private_key
    agent_identity = local.ssh_identity
    host           = self.ipv4_address
  }

  provisioner "file" {
    content = templatefile("${path.module}/templates/config.ign.tpl", {
      name           = self.name
      ssh_public_key = local.ssh_public_key
    })
    destination = "/root/config.ign"
  }

  # Install MicroOS
  provisioner "remote-exec" {
    inline = local.microOS_install_commands
  }

  # Issue a reboot command and wait for the node to reboot
  provisioner "local-exec" {
    command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"
  }
  provisioner "local-exec" {
    command = <<-EOT
      until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${self.ipv4_address} true 2> /dev/null
      do
        echo "Waiting for MicroOS to reboot and become available..."
        sleep 2
      done
    EOT
  }

  # Generating k3s master config file
  provisioner "file" {
    content = yamlencode({
      node-name                = self.name
      cluster-init             = true
      disable-cloud-controller = true
      disable                  = ["servicelb", "local-storage"]
      flannel-iface            = "eth1"
      kubelet-arg              = "cloud-provider=external"
      node-ip                  = local.first_control_plane_network_ip
      advertise-address        = local.first_control_plane_network_ip
      token                    = random_password.k3s_token.result
      node-taint               = var.allow_scheduling_on_control_plane ? [] : ["node-role.kubernetes.io/master:NoSchedule"]
      node-label               = var.automatically_upgrade_k3s ? ["k3s_upgrade=true"] : []
    })
    destination = "/tmp/config.yaml"
  }


  # Install k3s server
  provisioner "remote-exec" {
    inline = local.install_k3s_server
  }

  # Issue a reboot command and wait for the node to reboot
  provisioner "local-exec" {
    command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"
  }
  provisioner "local-exec" {
    command = <<-EOT
      until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${self.ipv4_address} true 2> /dev/null
      do
        echo "Waiting for MicroOS to reboot and become available..."
        sleep 2
      done
    EOT
  }

  # Upon reboot verify that the k3s server is starts, and wait for k3s to be ready to receive commands
  provisioner "remote-exec" {
    inline = [
      # prepare the post_install directory
      "mkdir -p /tmp/post_install",
      # wait for k3s to become ready
      <<-EOT
      timeout 120 bash <<EOF
        until systemctl status k3s > /dev/null; do
          echo "Waiting for the k3s server to start..."
          sleep 1
        done
        until [ -e /etc/rancher/k3s/k3s.yaml ]; do
          echo "Waiting for kubectl config..."
          sleep 1
        done
        until [[ "\$(kubectl get --raw='/readyz' 2> /dev/null)" == "ok" ]]; do
          echo "Waiting for the cluster to become ready..."
          sleep 1
        done
      EOF
      EOT
    ]
  }

  # Upload kustomization.yaml, containing Hetzner CSI & CSM, as well as kured.
  provisioner "file" {
    content = yamlencode({
      apiVersion = "kustomize.config.k8s.io/v1beta1"
      kind       = "Kustomization"
      resources = [
        "https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/${local.ccm_version}/ccm-networks.yaml",
        "https://raw.githubusercontent.com/hetznercloud/csi-driver/${local.csi_version}/deploy/kubernetes/hcloud-csi.yml",
        "https://github.com/weaveworks/kured/releases/download/${local.kured_version}/kured-${local.kured_version}-dockerhub.yaml",
        "https://raw.githubusercontent.com/rancher/system-upgrade-controller/master/manifests/system-upgrade-controller.yaml",
        "./traefik.yaml",
      ]
      patchesStrategicMerge = [
        file("${path.module}/patches/kured.yaml"),
        file("${path.module}/patches/ccm.yaml")
      ]
    })
    destination = "/tmp/post_install/kustomization.yaml"
  }

  # Upload traefik config
  provisioner "file" {
    content = templatefile(
      "${path.module}/templates/traefik_config.yaml.tpl",
      {
        lb_disable_ipv6    = var.lb_disable_ipv6
        lb_server_type     = var.lb_server_type
        location           = var.location
        traefik_acme_tls   = var.traefik_acme_tls
        traefik_acme_email = var.traefik_acme_email
    })
    destination = "/tmp/post_install/traefik.yaml"
  }

  # Upload the system upgrade controller plans config
  provisioner "file" {
    content = templatefile(
      "${path.module}/templates/plans.yaml.tpl",
      {
        channel = var.k3s_upgrade_channel
    })
    destination = "/tmp/post_install/plans.yaml"
  }

  # Deploy secrets, logging is automatically disabled due to sensitive variables
  provisioner "remote-exec" {
    inline = [
      "set -ex",
      "kubectl -n kube-system create secret generic hcloud --from-literal=token=${var.hcloud_token} --from-literal=network=${hcloud_network.k3s.name}",
      "kubectl -n kube-system create secret generic hcloud-csi --from-literal=token=${var.hcloud_token}",
    ]
  }

  # Deploy our post-installation kustomization
  provisioner "remote-exec" {
    inline = [
      "set -ex",
      # This ugly hack is here, because terraform serializes the
      # embedded yaml files with "- |2", when there is more than
      # one yamldocument in the embedded file. Kustomize does not understand
      # that syntax and tries to parse the blocks content as a file, resulting
      # in weird errors. so gnu sed with funny escaping is used to
      # replace lines like "- |3" by "- |" (yaml block syntax).
      # due to indendation this should not changes the embedded
      # manifests themselves
      "sed -i 's/^- |[0-9]\\+$/- |/g' /tmp/post_install/kustomization.yaml",
      "kubectl apply -k /tmp/post_install",
      "echo 'Waiting for the system-upgrade-controller deployment to become available...' && kubectl -n system-upgrade wait --for=condition=available --timeout=300s deployment/system-upgrade-controller",
      "kubectl apply -f /tmp/post_install/plans.yaml"
    ]
  }

  network {
    network_id = hcloud_network.k3s.id
    ip         = local.first_control_plane_network_ip
  }

  depends_on = [
    hcloud_network_subnet.k3s,
    hcloud_firewall.k3s
  ]
}
initial commit 2021-07-30 10:12:37 +02:00			`resource "hcloud_server" "first_control_plane" {`
k3os ok 2021-12-03 02:11:52 +01:00			`name = "k3s-control-plane-0"`
initial commit 2021-07-30 10:12:37 +02:00
Add Hetzner placement group and link servers to it 2022-01-29 21:15:23 +01:00			`image = data.hcloud_image.linux.name`
			`rescue = "linux64"`
			`server_type = var.control_plane_server_type`
			`location = var.location`
microOS prep 2022-02-05 00:02:25 +01:00			`ssh_keys = [hcloud_ssh_key.k3s.id]`
Add Hetzner placement group and link servers to it 2022-01-29 21:15:23 +01:00			`firewall_ids = [hcloud_firewall.k3s.id]`
pre master 2022-02-10 03:01:40 +01:00			`placement_group_id = hcloud_placement_group.k3s.id`
initial commit 2021-07-30 10:12:37 +02:00
			`labels = {`
Added Hetzner firewall and fixed addresses 2021-09-01 00:37:11 +02:00			`"provisioner" = "terraform",`
k3os master ok 2021-11-30 23:09:34 +01:00			`"engine" = "k3s"`
initial commit 2021-07-30 10:12:37 +02:00			`}`

use resource-level connection blocks... this is now possible, since all our provisioners are using the same settings. And it saves a bunch of lines 2022-02-11 16:00:19 +01:00			`connection {`
			`user = "root"`
			`private_key = local.ssh_private_key`
			`agent_identity = local.ssh_identity`
			`host = self.ipv4_address`
			`}`

k3os master ok 2021-11-30 23:09:34 +01:00			`provisioner "file" {`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`content = templatefile("${path.module}/templates/config.ign.tpl", {`
k3os ok 2021-12-03 02:11:52 +01:00			`name = self.name`
			`ssh_public_key = local.ssh_public_key`
			`})`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`destination = "/root/config.ign"`
			`}`

			`# Install MicroOS`
			`provisioner "remote-exec" {`
k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`inline = local.microOS_install_commands`
initial commit 2021-07-30 10:12:37 +02:00			`}`

k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`# Issue a reboot command and wait for the node to reboot`
Reduce reboot time 2022-02-07 09:11:07 +01:00			`provisioner "local-exec" {`
remove root from ssh_args... because scp does not take the username via -l, so we just re-add it to the commands themselves. 2022-02-07 13:19:06 +01:00			`command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"`
Reduce reboot time 2022-02-07 09:11:07 +01:00			`}`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`provisioner "local-exec" {`
Avoid connection timeout errors while waiting for reboot 2022-02-07 22:50:44 +01:00			`command = <<-EOT`
			`until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${self.ipv4_address} true 2> /dev/null`
			`do`
pre master 2022-02-10 03:31:20 +01:00			`echo "Waiting for MicroOS to reboot and become available..."`
Avoid connection timeout errors while waiting for reboot 2022-02-07 22:50:44 +01:00			`sleep 2`
			`done`
			`EOT`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`}`

			`# Generating k3s master config file`
microOS eth1 still down 2022-02-05 01:22:35 +01:00			`provisioner "file" {`
use yamlencode for k3s configs... ...and remove the now, hopefully unneeded workaround for agent.conf, all values are in config.yaml now 2022-02-07 12:56:13 +01:00			`content = yamlencode({`
			`node-name = self.name`
			`cluster-init = true`
			`disable-cloud-controller = true`
Use yaml list for disabled k3s features Co-authored-by: Marco Nenciarini <mnencia@kcore.it> 2022-02-08 14:14:23 +01:00			`disable = ["servicelb", "local-storage"]`
use yamlencode for k3s configs... ...and remove the now, hopefully unneeded workaround for agent.conf, all values are in config.yaml now 2022-02-07 12:56:13 +01:00			`flannel-iface = "eth1"`
			`kubelet-arg = "cloud-provider=external"`
			`node-ip = local.first_control_plane_network_ip`
			`advertise-address = local.first_control_plane_network_ip`
			`token = random_password.k3s_token.result`
terraform fmt 2022-02-08 09:12:16 +01:00			`node-taint = var.allow_scheduling_on_control_plane ? [] : ["node-role.kubernetes.io/master:NoSchedule"]`
k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`node-label = var.automatically_upgrade_k3s ? ["k3s_upgrade=true"] : []`
microOS eth1 still down 2022-02-05 01:22:35 +01:00			`})`
k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`destination = "/tmp/config.yaml"`
			`}`



			`# Install k3s server`
			`provisioner "remote-exec" {`
			`inline = local.install_k3s_server`
			`}`

			`# Issue a reboot command and wait for the node to reboot`
			`provisioner "local-exec" {`
			`command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"`
			`}`
			`provisioner "local-exec" {`
			`command = <<-EOT`
			`until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${self.ipv4_address} true 2> /dev/null`
			`do`
			`echo "Waiting for MicroOS to reboot and become available..."`
			`sleep 2`
			`done`
			`EOT`
microOS eth1 still down 2022-02-05 01:22:35 +01:00			`}`
pre master 2022-02-10 03:31:20 +01:00
k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`# Upon reboot verify that the k3s server is starts, and wait for k3s to be ready to receive commands`
initial commit 2021-07-30 10:12:37 +02:00			`provisioner "remote-exec" {`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`inline = [`
k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`# prepare the post_install directory`
fix /tmp/post_install... ...without an explicit mkdir before, it just writes the latest file to /tmp/post_install (which is a file, not a directory) 2022-02-11 23:11:20 +01:00			`"mkdir -p /tmp/post_install",`
k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`# wait for k3s to become ready`
pre master 2022-02-10 03:01:40 +01:00			`<<-EOT`
(hopefully) simplify wait for cluster ready 2022-02-11 23:49:16 +01:00			`timeout 120 bash <<EOF`
k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`until systemctl status k3s > /dev/null; do`
			`echo "Waiting for the k3s server to start..."`
fix waiting for the cluster once again 2022-02-11 23:57:18 +01:00			`sleep 1`
			`done`
(hopefully) simplify wait for cluster ready 2022-02-11 23:49:16 +01:00			`until [ -e /etc/rancher/k3s/k3s.yaml ]; do`
fix waiting for the cluster once again 2022-02-11 23:57:18 +01:00			`echo "Waiting for kubectl config..."`
(hopefully) simplify wait for cluster ready 2022-02-11 23:49:16 +01:00			`sleep 1`
			`done`
fix for error messages 2022-02-12 01:45:25 +01:00			`until [[ "\$(kubectl get --raw='/readyz' 2> /dev/null)" == "ok" ]]; do`
fix typo 2022-02-12 01:49:33 +01:00			`echo "Waiting for the cluster to become ready..."`
(hopefully) simplify wait for cluster ready 2022-02-11 23:49:16 +01:00			`sleep 1`
pre master 2022-02-10 03:01:40 +01:00			`done`
(hopefully) simplify wait for cluster ready 2022-02-11 23:49:16 +01:00			`EOF`
pre master 2022-02-10 03:01:40 +01:00			`EOT`
cleanup first control plane provisioning... * move yaml to subdirectory of /tmp * reformat loop waiting for /readyz endpoint * add logging message * split provisioner because sensitive var.hcloud_token prohibits log output 2022-02-11 22:47:57 +01:00			`]`
			`}`

fix /tmp/post_install... ...without an explicit mkdir before, it just writes the latest file to /tmp/post_install (which is a file, not a directory) 2022-02-11 23:11:20 +01:00			`# Upload kustomization.yaml, containing Hetzner CSI & CSM, as well as kured.`
			`provisioner "file" {`
replace kustomization.yaml.tpl with yamlencode benefit is replacing inline strings in yaml with proper files locally while still just deploying a single file to the remote host. 2022-02-11 23:49:54 +01:00			`content = yamlencode({`
			`apiVersion = "kustomize.config.k8s.io/v1beta1"`
			`kind = "Kustomization"`
			`resources = [`
			`"https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/${local.ccm_version}/ccm-networks.yaml",`
			`"https://raw.githubusercontent.com/hetznercloud/csi-driver/${local.csi_version}/deploy/kubernetes/hcloud-csi.yml",`
			`"https://github.com/weaveworks/kured/releases/download/${local.kured_version}/kured-${local.kured_version}-dockerhub.yaml",`
k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`"https://raw.githubusercontent.com/rancher/system-upgrade-controller/master/manifests/system-upgrade-controller.yaml",`
			`"./traefik.yaml",`
replace kustomization.yaml.tpl with yamlencode benefit is replacing inline strings in yaml with proper files locally while still just deploying a single file to the remote host. 2022-02-11 23:49:54 +01:00			`]`
			`patchesStrategicMerge = [`
			`file("${path.module}/patches/kured.yaml"),`
removed latest csi and latest ccm containers option, as it was causing problems over time 2022-02-15 22:33:22 +01:00			`file("${path.module}/patches/ccm.yaml")`
replace kustomization.yaml.tpl with yamlencode benefit is replacing inline strings in yaml with proper files locally while still just deploying a single file to the remote host. 2022-02-11 23:49:54 +01:00			`]`
			`})`
fix /tmp/post_install... ...without an explicit mkdir before, it just writes the latest file to /tmp/post_install (which is a file, not a directory) 2022-02-11 23:11:20 +01:00			`destination = "/tmp/post_install/kustomization.yaml"`
			`}`

			`# Upload traefik config`
			`provisioner "file" {`
replace kustomization.yaml.tpl with yamlencode benefit is replacing inline strings in yaml with proper files locally while still just deploying a single file to the remote host. 2022-02-11 23:49:54 +01:00			`content = templatefile(`
			`"${path.module}/templates/traefik_config.yaml.tpl",`
			`{`
			`lb_disable_ipv6 = var.lb_disable_ipv6`
			`lb_server_type = var.lb_server_type`
			`location = var.location`
			`traefik_acme_tls = var.traefik_acme_tls`
			`traefik_acme_email = var.traefik_acme_email`
			`})`
fix /tmp/post_install... ...without an explicit mkdir before, it just writes the latest file to /tmp/post_install (which is a file, not a directory) 2022-02-11 23:11:20 +01:00			`destination = "/tmp/post_install/traefik.yaml"`
			`}`

k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`# Upload the system upgrade controller plans config`
			`provisioner "file" {`
			`content = templatefile(`
			`"${path.module}/templates/plans.yaml.tpl",`
			`{`
			`channel = var.k3s_upgrade_channel`
			`})`
			`destination = "/tmp/post_install/plans.yaml"`
			`}`

split provisioning for better logging 2022-02-12 00:32:11 +01:00			`# Deploy secrets, logging is automatically disabled due to sensitive variables`
cleanup first control plane provisioning... * move yaml to subdirectory of /tmp * reformat loop waiting for /readyz endpoint * add logging message * split provisioner because sensitive var.hcloud_token prohibits log output 2022-02-11 22:47:57 +01:00			`provisioner "remote-exec" {`
			`inline = [`
k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`"set -ex",`
cleanup first control plane provisioning... * move yaml to subdirectory of /tmp * reformat loop waiting for /readyz endpoint * add logging message * split provisioner because sensitive var.hcloud_token prohibits log output 2022-02-11 22:47:57 +01:00			`"kubectl -n kube-system create secret generic hcloud --from-literal=token=${var.hcloud_token} --from-literal=network=${hcloud_network.k3s.name}",`
Expose kubeconfig in outputs... * To do so, we need to ensure that the generated kubeconfig is part of terraforms dependency graph. This has the additional benefit of not depending on local files anymore which should enable multi-user setups. * This also means that we can't deploy CCM, CSI & Traefik from our local host, because we don't have kubeconfig.yaml locally while provisioning the control plane, only afterwards. * So we just run kubectl apply on the control plane itself, after k3s is ready. * To do so, we need to deploy all manifests. I've merged the patches into a single kustomization.yaml file, because that makes the deployment of those files to the control-plane server easier. * we could also put the traefik config into the same kustomization file, which would save us one of the file provisioner blocks. I didn't want this PR to get any bigger, and will consider merging this config later on. kustomization.yaml is small enough that we could yamlencode() for it and store the patches in separate files again, not as inline-strings which is kind of ugly. 2022-02-11 12:45:03 +01:00			`"kubectl -n kube-system create secret generic hcloud-csi --from-literal=token=${var.hcloud_token}",`
split provisioning for better logging 2022-02-12 00:32:11 +01:00			`]`
			`}`

			`# Deploy our post-installation kustomization`
			`provisioner "remote-exec" {`
			`inline = [`
k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`"set -ex",`
fix post-install kustomization, keep file... this risks exposing secrets from the deployed manifests, but those are currently deployed beforehand so we should be good as long as kustomization.yaml does not contain any. 2022-02-12 00:52:13 +01:00			`# This ugly hack is here, because terraform serializes the`
			`# embedded yaml files with "- \|2", when there is more than`
			`# one yamldocument in the embedded file. Kustomize does not understand`
			`# that syntax and tries to parse the blocks content as a file, resulting`
			`# in weird errors. so gnu sed with funny escaping is used to`
			`# replace lines like "- \|3" by "- \|" (yaml block syntax).`
			`# due to indendation this should not changes the embedded`
			`# manifests themselves`
			`"sed -i 's/^- \|[0-9]\\+$/- \|/g' /tmp/post_install/kustomization.yaml",`
cleanup first control plane provisioning... * move yaml to subdirectory of /tmp * reformat loop waiting for /readyz endpoint * add logging message * split provisioner because sensitive var.hcloud_token prohibits log output 2022-02-11 22:47:57 +01:00			`"kubectl apply -k /tmp/post_install",`
k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`"echo 'Waiting for the system-upgrade-controller deployment to become available...' && kubectl -n system-upgrade wait --for=condition=available --timeout=300s deployment/system-upgrade-controller",`
			`"kubectl apply -f /tmp/post_install/plans.yaml"`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00			`]`
k3s-install ready for testing 2022-02-16 03:18:40 +01:00			`}`
initial k3s on MicroOS on Hetzner ok 2022-02-06 08:40:51 +01:00
initial commit 2021-07-30 10:12:37 +02:00			`network {`
			`network_id = hcloud_network.k3s.id`
Added Hetzner firewall and fixed addresses 2021-09-01 00:37:11 +02:00			`ip = local.first_control_plane_network_ip`
initial commit 2021-07-30 10:12:37 +02:00			`}`

			`depends_on = [`
Added Hetzner firewall and fixed addresses 2021-09-01 00:37:11 +02:00			`hcloud_network_subnet.k3s,`
			`hcloud_firewall.k3s`
initial commit 2021-07-30 10:12:37 +02:00			`]`
			`}`