From fb9d563d57a6230df9a12ee51e0c6e02446ec91a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Apr 2022 07:30:39 +0000
Subject: [PATCH 1/5] Bump hashicorp/setup-terraform from 1 to 2

Bumps [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) from 1 to 2.
- [Release notes](https://github.com/hashicorp/setup-terraform/releases)
- [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/setup-terraform/compare/v1...v2)

---
updated-dependencies:
- dependency-name: hashicorp/setup-terraform
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/validate-terraform.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/validate-terraform.yaml b/.github/workflows/validate-terraform.yaml
index f258ebc..270a5d9 100644
--- a/.github/workflows/validate-terraform.yaml
+++ b/.github/workflows/validate-terraform.yaml
@@ -15,7 +15,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v3
 - name: Setup Terraform
- uses: hashicorp/setup-terraform@v1
+ uses: hashicorp/setup-terraform@v2
 - name: Terraform Format
 run: terraform fmt -check -diff
 - name: Terraform Init

From a356122b2d1713741986f92c884d5cb1e3bd631f Mon Sep 17 00:00:00 2001
From: Karim Naufal
Date: Sun, 24 Apr 2022 19:13:25 +0200
Subject: [PATCH 2/5] tweaked tfvars.example

---
 terraform.tfvars.example | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index 888bb8a..3e30c7c 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
@@ -8,14 +8,14 @@
 # * Your Hetzner project API token
 hcloud_token = "xxxxxxxxxxxxxxxxxxYYYYYYYYYYYYYYYYYYYzzzzzzzzzzzzzzzzzzzzz"
 # * Your public key
-public_key = "/home/username/.ssh/id_ed25519.pub"
+public_key = "/home/username/.ssh/id_ed25519.pub"
 # * Your private key must be "private_key = null" when you want to use ssh-agent for a Yubikey-like device authentification or an SSH key-pair with a passphrase.
 # For more details on SSH see https://github.com/kube-hetzner/kube-hetzner/blob/master/docs/ssh.md
-private_key = "/home/username/.ssh/id_ed25519"
+private_key = "/home/username/.ssh/id_ed25519"
 
 # These can be customized, or left with the default values
 # * For Hetzner locations see https://docs.hetzner.com/general/others/data-centers-and-connection/
-network_region = "eu-central" # change to `us-east` if location is ash
+network_region = "eu-central" # change to `us-east` if location is ash
 
 # For the control planes, at least three nodes are the minimum for HA. Otherwise, you need to turn off the automatic upgrade (see ReadMe).
 # As per rancher docs, it must always be an odd number, never even! See https://rancher.com/docs/k3s/latest/en/installation/ha-embedded/
@@ -137,25 +137,24 @@ load_balancer_location = "fsn1"
 # use_cluster_name_in_node_name = false
 
 # Adding extra firewall rules, like opening a port
-# In this example, we allow port TCP 5432 for a Postgres service that we will open via a node port and also allow outgoing SMTP traffic on port TCP 465
 # More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall
 # extra_firewall_rules = [
+# # For Postgres
 # {
-# direction = "in"
-# protocol = "tcp"
-# port = "5432"
-# source_ips = [
-# "0.0.0.0/0"
-# ]
+# direction = "in"
+# protocol = "tcp"
+# port = "5432"
+# source_ips = ["0.0.0.0/0", "::/0"]
+# destination_ips = [] # Won't be used for this rule
 # },
+# # To Allow ArgoCD access to resources via SSH
 # {
-# direction = "out"
-# protocol = "tcp"
-# port = "465"
-# destination_ips = [
-# "0.0.0.0/0"
-# ]
-# },
+# direction = "out"
+# protocol = "tcp"
+# port = "22"
+# source_ips = [] # Won't be used for this rule
+# destination_ips = ["0.0.0.0/0", "::/0"]
+# }
 # ]
 
 # If you want to configure additional Arguments for traefik, enter them here as a list and in the form of traefik CLI arguments; see https://doc.traefik.io/traefik/reference/static-configuration/cli/
@@ -174,4 +173,4 @@ load_balancer_location = "fsn1"
 
 # If you want to disable the automatic use of placement group "spread". See https://docs.hetzner.com/cloud/placement-groups/overview/
 # That may be useful if you need to deploy more than 500 nodes! The default is "false".
-# placement_group_disable = true
\ No newline at end of file
+# placement_group_disable = true

From 136cdb5ecdb7246ae85763c54252bf3bd137ae76 Mon Sep 17 00:00:00 2001
From: Karim Naufal
Date: Wed, 27 Apr 2022 09:27:57 +0200
Subject: [PATCH 3/5] tweaked readme

---
 README.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/README.md b/README.md
index 6415be5..7e87f03 100644
--- a/README.md
+++ b/README.md
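Review bot: The inbound rule in the new example (`source_ips = ["0.0.0.0/0", "::/0"]` on port 5432) publishes a Postgres node port to the whole internet on both address families, and the commit also removes the sentence that explained what the example was doing, so a user copying the block gets a wide-open database rule with no hint that the source range is a placeholder. Because this file is what users start from, the example should use a narrower placeholder and say so, e.g. `# source_ips = ["203.0.113.0/24"] # example range; 0.0.0.0/0 and ::/0 would expose the node port to everyone`. The outbound rule has the same shape: `destination_ips = ["0.0.0.0/0", "::/0"]` on port 22 allows SSH to any host, which is broader than the `# To Allow ArgoCD access to resources via SSH` comment suggests, so naming the intended destinations in that comment would help. The second rule's closing `}` also lost the trailing comma the first rule keeps (`},`); HCL tolerates either, but the two should match.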
@@ -137,6 +137,13 @@ _To turn off k3s upgrades, you can either remove the `k3s_upgrade=true` label or kubectl -n system-upgrade label node k3s_upgrade- ``` +Alternatively, you can disable the k3s automatic upgrade without individually editing the labels on the nodes. Instead you can just delete the two system controller upgrade plans with: + +```sh +kubectl delete plan k3s-agent -n system-upgrade +kubectl delete plan k3s-server -n system-upgrade +``` + ### Individual Components Upgrade Rarely needed, but can be handy in the long run. During the installation, we automatically download a backup of the kustomization to a `kustomization_backup.yaml` file. You will find it next to your `kubeconfig.yaml` at the root of your project. @@ -212,6 +219,14 @@ module "kube-hetzner" { +
+ +Use in Terraform cloud + +To use Kube-Hetzner on Terraform cloud, use as a Terraform module as mentioned above, but also change the "execution-mode" from "remote" to "local". + +
+ ## Debugging First and foremost, it depends, but it's always good to have a quick look into Hetzner quickly without logging in to the UI. That is where the `hcloud` cli comes in. From bfdca599b9aab9c981fe50392f706a76046f3061 Mon Sep 17 00:00:00 2001 From: Karim Naufal Date: Wed, 27 Apr 2022 09:29:58 +0200 Subject: [PATCH 4/5] tweaked readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7e87f03..0b0229f 100644 --- a/README.md +++ b/README.md @@ -223,7 +223,7 @@ module "kube-hetzner" { Use in Terraform cloud -To use Kube-Hetzner on Terraform cloud, use as a Terraform module as mentioned above, but also change the "execution-mode" from "remote" to "local". +To use Kube-Hetzner on Terraform cloud, use as a Terraform module as mentioned above, but also change the execution mode from `remote` to `local`. From bbe66ee977837d584c168bb3c1138a8cd274e14e Mon Sep 17 00:00:00 2001 From: Karim Naufal Date: Wed, 4 May 2022 02:27:24 +0200 Subject: [PATCH 5/5] fixed k3s selinux failed update --- modules/host/locals.tf | 7 +++++++ modules/host/main.tf | 20 ++++++++++++++++---- modules/host/templates/userdata.yaml.tpl | 11 +++++++++++ modules/host/variables.tf | 6 ++++++ 4 files changed, 40 insertions(+), 4 deletions(-) diff --git a/modules/host/locals.tf b/modules/host/locals.tf index 4edc40e..3ffa723 100644 --- a/modules/host/locals.tf +++ b/modules/host/locals.tf 
@@ -1,16 +1,23 @@ locals { + # ssh public key ssh_public_key = trimspace(file(var.public_key)) # ssh_private_key is either the contents of var.private_key or null to use a ssh agent. ssh_private_key = var.private_key == null ? null : trimspace(file(var.private_key)) + # ssh_identity is not set if the private key is passed directly, but if ssh agent is used, the public key tells ssh agent which private key to use. # For terraforms provisioner.connection.agent_identity, we need the public key as a string. ssh_identity = var.private_key == null ? local.ssh_public_key : null + # ssh_identity_file is used for ssh "-i" flag, its the private key if that is set, or a public key file # if an ssh agent is used. ssh_identity_file = var.private_key == null ? var.public_key : var.private_key + # shared flags for ssh to ignore host keys, to use our ssh identity file for all connections during provisioning. ssh_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${local.ssh_identity_file}" + # Final list of packages to install + needed_packages = join(" ", concat(["k3s-selinux"], var.packages_to_install)) + # the hosts name with its unique suffix attached name = "${var.name}-${random_string.server.id}" } diff --git a/modules/host/main.tf b/modules/host/main.tf index be7637d..be8e0be 100644 --- a/modules/host/main.tf +++ b/modules/host/main.tf @@ -65,11 +65,12 @@ resource "hcloud_server" "server" { EOT } - # Install k3s-selinux (compatible version) + # Install k3s-selinux (compatible version) and open-iscsi provisioner "remote-exec" { - inline = [ - "set -ex", - "transactional-update shell <<< 'rpm --import https://rpm.rancher.io/public.key;zypper install -y https://github.com/k3s-io/k3s-selinux/releases/download/v0.5.stable.1/k3s-selinux-0.5-1.sle.noarch.rpm'" + inline = [<<-EOT + set -ex + transactional-update shell <<< "zypper --gpg-auto-import-keys install -y ${local.needed_packages}" + EOT ] } 
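Review bot: `needed_packages` joins `var.packages_to_install` straight into a string that the main.tf hunk below interpolates into `transactional-update shell <<< "zypper --gpg-auto-import-keys install -y ${local.needed_packages}"`, so any element containing a quote, `;`, `$(` or whitespace becomes part of a command executed on the node by the provisioner (presumably as root, since transactional-update needs it); the variable is declared in this same patch (variables.tf) as `type = list(string)` with no constraint on its contents. The right place for the check is the variable declaration: a `validation` block whose condition is `alltrue([for p in var.packages_to_install : can(regex("^[A-Za-z0-9._+-]+$", p))])` rejects anything that is not a plain package name before it reaches the shell, and that point is not repeated on the variables.tf hunk. Separately, this replaces the explicitly pinned `k3s-selinux-0.5-1` RPM from the removed main.tf line with an unpinned `k3s-selinux`, so the installed version now follows whatever the rancher stable repository serves; the comment should record that, e.g. `# Final list of packages to install; k3s-selinux is unpinned and tracks the rancher stable repo added in userdata.yaml.tpl`.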
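Review bot: `zypper --gpg-auto-import-keys install` imports whatever signing key the repository advertises without asking, and the userdata template in this patch sets `repo_gpgcheck=0`, so trust in the k3s-selinux package now rests entirely on the TLS connection to rpm.rancher.io rather than on a key the module controls; the removed line had the same TLS trust but at least named the key explicitly with `rpm --import https://rpm.rancher.io/public.key`. If pinning the key (importing a vendored copy and dropping `--gpg-auto-import-keys`) is not an option, record the decision above the provisioner, e.g. `# --gpg-auto-import-keys: trusts the key advertised by the rancher repo over HTTPS; repo metadata is not signature-checked (repo_gpgcheck=0 in userdata.yaml.tpl)`. The new comment `# Install k3s-selinux (compatible version) and open-iscsi` is ahead of the code: the command installs `k3s-selinux` plus `var.packages_to_install`, whose default in this patch is `[]`, so open-iscsi is only installed when the caller passes it — presumably the root module does, but the comment should name the variable rather than the package. The enclosing `resource "hcloud_server" "server"` block starts and ends outside this hunk.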
@@ -84,6 +85,17 @@ resource "hcloud_server" "server" {
 done
 EOT
 }
+
+ # Enable open-iscsi
+ provisioner "remote-exec" {
+ inline = [<<-EOT
+ set -ex
+ if [[ $(systemctl list-units --all -t service --full --no-legend "iscsid.service" | sed 's/^\s*//g' | cut -f1 -d' ') == iscsid.service ]]; then
+ systemctl enable --now iscsid
+ fi
+ EOT
+ ]
+ }
 }
 
 resource "hcloud_server_network" "server" {
diff --git a/modules/host/templates/userdata.yaml.tpl b/modules/host/templates/userdata.yaml.tpl
index 51ff107..297f3ed 100644
--- a/modules/host/templates/userdata.yaml.tpl
+++ b/modules/host/templates/userdata.yaml.tpl
@@ -23,6 +23,17 @@ write_files:
 REBOOT_METHOD=kured
 path: /etc/transactional-update.conf
 
+# Create Rancher repo config
+- content: |
+ [rancher-k3s-common-stable]
+ name=Rancher K3s Common (stable)
+ baseurl=https://rpm.rancher.io/k3s/stable/common/microos/noarch
+ enabled=1
+ gpgcheck=1
+ repo_gpgcheck=0
+ gpgkey=https://rpm.rancher.io/public.key
+ path: /etc/zypp/repos.d/rancher-k3s-common.repo
+
 # Add ssh authorized keys
 ssh_authorized_keys:
 %{ for key in sshAuthorizedKeys ~}
diff --git a/modules/host/variables.tf b/modules/host/variables.tf
index a8a454e..c6ab0ea 100644
--- a/modules/host/variables.tf
+++ b/modules/host/variables.tf
@@ -62,3 +62,9 @@ variable "server_type" {
 description = "The server type"
 type = string
 }
+
+variable "packages_to_install" {
+ description = "Packages to install"
+ type = list(string)
+ default = []
+}
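Review bot: The `[[ … ]]` test with `==` in the new provisioner is bash syntax, but remote-exec uploads the inline commands as a script that runs under `/bin/sh` unless a shebang is supplied; on openSUSE MicroOS `/bin/sh` is bash, so it presumably works there, but the check is more fragile than it needs to be. `systemctl` can answer the question directly, so the pipeline could become `if systemctl cat iscsid.service >/dev/null 2>&1; then`, which is POSIX and exits non-zero when the unit does not exist. A one-line comment above the `if` explaining why the unit may be absent (`# iscsid only exists when open-iscsi was passed via packages_to_install`) would also help, since `open-iscsi` is not in this module's defaults (variables.tf sets `default = []`). The enclosing resource block starts before this hunk.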
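Review bot: `repo_gpgcheck=0` switches off signature verification of the repository metadata while `gpgcheck=1` keeps it for packages, and the added block gives no reason, so someone hardening the image later cannot tell whether this was a deliberate trade-off (the repository may not sign its metadata — I cannot confirm that from here) or an oversight. Add the rationale next to the setting, e.g. `# repo_gpgcheck=0: repository metadata is not signed upstream (verify); packages are still checked via gpgcheck=1 against gpgkey`. Because `enabled=1` leaves the repository active on the node, later transactional-update runs will presumably also pull from it, which seems to be the intent of "fixed k3s selinux failed update" but deserves a sentence in the `# Create Rancher repo config` comment.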
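Review bot: `description = "Packages to install"` does not tell the caller where the list ends up: the locals.tf hunk in this patch joins it with `k3s-selinux` and main.tf feeds the result to `zypper install -y` inside `transactional-update shell` on every host, so the description should say that and state the expected element format, e.g. `description = "Additional zypper packages to install on each host through transactional-update, on top of k3s-selinux; plain package names only"`. The input-validation point for this variable is raised on the locals.tf hunk and is not repeated here.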