merging staging changes to pr 173
commit
22585f6210
2
.github/workflows/validate-terraform.yaml
vendored
2
.github/workflows/validate-terraform.yaml
vendored
@ -15,7 +15,7 @@ jobs:
|
|||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@v3
|
||||||
- name: Setup Terraform
|
- name: Setup Terraform
|
||||||
uses: hashicorp/setup-terraform@v1
|
uses: hashicorp/setup-terraform@v2
|
||||||
- name: Terraform Format
|
- name: Terraform Format
|
||||||
run: terraform fmt -check -diff
|
run: terraform fmt -check -diff
|
||||||
- name: Terraform Init
|
- name: Terraform Init
|
||||||
|
15
README.md
15
README.md
@ -137,6 +137,13 @@ _To turn off k3s upgrades, you can either remove the `k3s_upgrade=true` label or
|
|||||||
kubectl -n system-upgrade label node <node-name> k3s_upgrade-
|
kubectl -n system-upgrade label node <node-name> k3s_upgrade-
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Alternatively, you can disable the k3s automatic upgrade without individually editing the labels on the nodes. Instead you can just delete the two system controller upgrade plans with:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
kubectl delete plan k3s-agent -n system-upgrade
|
||||||
|
kubectl delete plan k3s-server -n system-upgrade
|
||||||
|
```
|
||||||
|
|
||||||
### Individual Components Upgrade
|
### Individual Components Upgrade
|
||||||
|
|
||||||
Rarely needed, but can be handy in the long run. During the installation, we automatically download a backup of the kustomization to a `kustomization_backup.yaml` file. You will find it next to your `kubeconfig.yaml` at the root of your project.
|
Rarely needed, but can be handy in the long run. During the installation, we automatically download a backup of the kustomization to a `kustomization_backup.yaml` file. You will find it next to your `kubeconfig.yaml` at the root of your project.
|
||||||
@ -212,6 +219,14 @@ module "kube-hetzner" {
|
|||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary>Use in Terraform cloud</summary>
|
||||||
|
|
||||||
|
To use Kube-Hetzner on Terraform cloud, use as a Terraform module as mentioned above, but also change the execution mode from `remote` to `local`.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
## Debugging
|
## Debugging
|
||||||
|
|
||||||
First and foremost, it depends, but it's always good to have a quick look into Hetzner quickly without logging in to the UI. That is where the `hcloud` cli comes in.
|
First and foremost, it depends, but it's always good to have a quick look into Hetzner quickly without logging in to the UI. That is where the `hcloud` cli comes in.
|
||||||
|
@ -1,16 +1,23 @@
|
|||||||
locals {
|
locals {
|
||||||
|
# ssh public key
|
||||||
ssh_public_key = trimspace(file(var.public_key))
|
ssh_public_key = trimspace(file(var.public_key))
|
||||||
# ssh_private_key is either the contents of var.private_key or null to use a ssh agent.
|
# ssh_private_key is either the contents of var.private_key or null to use a ssh agent.
|
||||||
ssh_private_key = var.private_key == null ? null : trimspace(file(var.private_key))
|
ssh_private_key = var.private_key == null ? null : trimspace(file(var.private_key))
|
||||||
|
|
||||||
# ssh_identity is not set if the private key is passed directly, but if ssh agent is used, the public key tells ssh agent which private key to use.
|
# ssh_identity is not set if the private key is passed directly, but if ssh agent is used, the public key tells ssh agent which private key to use.
|
||||||
# For terraforms provisioner.connection.agent_identity, we need the public key as a string.
|
# For terraforms provisioner.connection.agent_identity, we need the public key as a string.
|
||||||
ssh_identity = var.private_key == null ? local.ssh_public_key : null
|
ssh_identity = var.private_key == null ? local.ssh_public_key : null
|
||||||
|
|
||||||
# ssh_identity_file is used for ssh "-i" flag, its the private key if that is set, or a public key file
|
# ssh_identity_file is used for ssh "-i" flag, its the private key if that is set, or a public key file
|
||||||
# if an ssh agent is used.
|
# if an ssh agent is used.
|
||||||
ssh_identity_file = var.private_key == null ? var.public_key : var.private_key
|
ssh_identity_file = var.private_key == null ? var.public_key : var.private_key
|
||||||
|
|
||||||
# shared flags for ssh to ignore host keys, to use our ssh identity file for all connections during provisioning.
|
# shared flags for ssh to ignore host keys, to use our ssh identity file for all connections during provisioning.
|
||||||
ssh_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${local.ssh_identity_file}"
|
ssh_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${local.ssh_identity_file}"
|
||||||
|
|
||||||
|
# Final list of packages to install
|
||||||
|
needed_packages = join(" ", concat(["k3s-selinux"], var.packages_to_install))
|
||||||
|
|
||||||
# the hosts name with its unique suffix attached
|
# the hosts name with its unique suffix attached
|
||||||
name = "${var.name}-${random_string.server.id}"
|
name = "${var.name}-${random_string.server.id}"
|
||||||
}
|
}
|
||||||
|
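Review bot: The new `needed_packages = join(" ", concat(["k3s-selinux"], var.packages_to_install))` local is later interpolated unquoted into a `zypper --gpg-auto-import-keys install -y ${local.needed_packages}` here-string in the `@ -65,11 +65,12` provisioner hunk, so any entry of `var.packages_to_install` that carries quotes or shell metacharacters alters the command instead of naming a package. The variable introduced in the `variable "packages_to_install"` hunk has no `validation` block; adding one there whose condition is `alltrue([for p in var.packages_to_install : can(regex("^[A-Za-z0-9._+=-]+$", p))])` with an error_message such as `"packages_to_install entries must be plain zypper package names."` keeps the join safe without changing the module interface. Alternatively the join itself could single-quote each element, but a validation rule fails early with a readable message. The `locals` block is shown in full within this hunk.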
@ -65,11 +65,12 @@ resource "hcloud_server" "server" {
|
|||||||
EOT
|
EOT
|
||||||
}
|
}
|
||||||
|
|
||||||
# Install k3s-selinux (compatible version)
|
# Install k3s-selinux (compatible version) and open-iscsi
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
inline = [
|
inline = [<<-EOT
|
||||||
"set -ex",
|
set -ex
|
||||||
"transactional-update shell <<< 'rpm --import https://rpm.rancher.io/public.key; zypper install -y open-iscsi https://github.com/k3s-io/k3s-selinux/releases/download/v0.5.stable.1/k3s-selinux-0.5-1.sle.noarch.rpm'"
|
transactional-update shell <<< "zypper --gpg-auto-import-keys install -y ${local.needed_packages}"
|
||||||
|
EOT
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
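Review bot: The comment `# Install k3s-selinux (compatible version) and open-iscsi` no longer describes the command beneath it: `open-iscsi` was dropped from the install line and is now only installed when the caller lists it in `var.packages_to_install` (default `[]`), and `k3s-selinux` is taken from the repo's stable channel rather than the pinned `v0.5.stable.1` release that the removed line used. Suggest `# Install k3s-selinux (current stable from the Rancher repo, no longer a pinned release) plus var.packages_to_install, e.g. open-iscsi`. `--gpg-auto-import-keys` accepts the repository's signing key on first contact; that is the same trust basis as the removed explicit `rpm --import` of `public.key`, so a short note beside it would stop a later reader from assuming signature checking was loosened here. The enclosing `resource "hcloud_server" "server"` block starts before this hunk and continues after it.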
@ -87,9 +88,12 @@ resource "hcloud_server" "server" {
|
|||||||
|
|
||||||
# Enable open-iscsi
|
# Enable open-iscsi
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
inline = [
|
inline = [<<-EOT
|
||||||
"set -ex",
|
set -ex
|
||||||
"systemctl enable --now iscsid"
|
if [[ $(systemctl list-units --all -t service --full --no-legend "iscsid.service" | sed 's/^\s*//g' | cut -f1 -d' ') == iscsid.service ]]; then
|
||||||
|
systemctl enable --now iscsid
|
||||||
|
fi
|
||||||
|
EOT
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
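Review bot: The guard `if [[ $(systemctl list-units --all -t service --full --no-legend "iscsid.service" | sed 's/^\s*//g' | cut -f1 -d' ') == iscsid.service ]]; then` is a three-process pipeline that depends on `systemctl`'s tabular output layout, and `[[ ]]` assumes the remote login shell is bash (plausible on MicroOS, but not stated on the page). A direct unit lookup is shorter and fails cleanly when the unit is absent: `if systemctl cat iscsid.service >/dev/null 2>&1; then`. Note also that although the heredoc runs under `set -ex`, a failure of the command inside `$( )` within `[[ ]]` is not fatal, so the current form silently treats any `systemctl` error as "iscsid not installed". The enclosing `resource "hcloud_server" "server"` block starts before this hunk; its closing `}` is the last context line here.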
@ -23,6 +23,17 @@ write_files:
|
|||||||
REBOOT_METHOD=kured
|
REBOOT_METHOD=kured
|
||||||
path: /etc/transactional-update.conf
|
path: /etc/transactional-update.conf
|
||||||
|
|
||||||
|
# Create Rancher repo config
|
||||||
|
- content: |
|
||||||
|
[rancher-k3s-common-stable]
|
||||||
|
name=Rancher K3s Common (stable)
|
||||||
|
baseurl=https://rpm.rancher.io/k3s/stable/common/microos/noarch
|
||||||
|
enabled=1
|
||||||
|
gpgcheck=1
|
||||||
|
repo_gpgcheck=0
|
||||||
|
gpgkey=https://rpm.rancher.io/public.key
|
||||||
|
path: /etc/zypp/repos.d/rancher-k3s-common.repo
|
||||||
|
|
||||||
# Add ssh authorized keys
|
# Add ssh authorized keys
|
||||||
ssh_authorized_keys:
|
ssh_authorized_keys:
|
||||||
%{ for key in sshAuthorizedKeys ~}
|
%{ for key in sshAuthorizedKeys ~}
|
||||||
|
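Review bot: The new repo definition sets `gpgcheck=1` together with `repo_gpgcheck=0`, so individual packages are signature-checked while the repository metadata is not, and nothing in the hunk records whether that is deliberate or left over from experimentation. Suggest extending the `# Create Rancher repo config` comment above the entry to `# Create Rancher repo config (gpgcheck=1 verifies packages; repo_gpgcheck=0 leaves repo metadata unverified — confirm this is intended)`. The key named in `gpgkey=https://rpm.rancher.io/public.key` is fetched over HTTPS on first use by the `--gpg-auto-import-keys` call in the provisioner hunk, which is worth mentioning in the same comment so the two files are read together. The `write_files:` list this entry belongs to starts before the hunk.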
@ -62,3 +62,9 @@ variable "server_type" {
|
|||||||
description = "The server type"
|
description = "The server type"
|
||||||
type = string
|
type = string
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "packages_to_install" {
|
||||||
|
description = "Packages to install"
|
||||||
|
type = list(string)
|
||||||
|
default = []
|
||||||
|
}
|
||||||
|
@ -146,25 +146,24 @@ load_balancer_location = "fsn1"
|
|||||||
# use_cluster_name_in_node_name = false
|
# use_cluster_name_in_node_name = false
|
||||||
|
|
||||||
# Adding extra firewall rules, like opening a port
|
# Adding extra firewall rules, like opening a port
|
||||||
# In this example, we allow port TCP 5432 for a Postgres service that we will open via a node port and also allow outgoing SMTP traffic on port TCP 465
|
|
||||||
# More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall
|
# More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall
|
||||||
# extra_firewall_rules = [
|
# extra_firewall_rules = [
|
||||||
|
# # For Postgres
|
||||||
# {
|
# {
|
||||||
# direction = "in"
|
# direction = "in"
|
||||||
# protocol = "tcp"
|
# protocol = "tcp"
|
||||||
# port = "5432"
|
# port = "5432"
|
||||||
# source_ips = [
|
# source_ips = ["0.0.0.0/0", "::/0"]
|
||||||
# "0.0.0.0/0"
|
# destination_ips = [] # Won't be used for this rule
|
||||||
# ]
|
|
||||||
# },
|
# },
|
||||||
|
# # To Allow ArgoCD access to resources via SSH
|
||||||
# {
|
# {
|
||||||
# direction = "out"
|
# direction = "out"
|
||||||
# protocol = "tcp"
|
# protocol = "tcp"
|
||||||
# port = "465"
|
# port = "22"
|
||||||
# destination_ips = [
|
# source_ips = [] # Won't be used for this rule
|
||||||
# "0.0.0.0/0"
|
# destination_ips = ["0.0.0.0/0", "::/0"]
|
||||||
# ]
|
# }
|
||||||
# },
|
|
||||||
# ]
|
# ]
|
||||||
|
|
||||||
# If you want to configure additional Arguments for traefik, enter them here as a list and in the form of traefik CLI arguments; see https://doc.traefik.io/traefik/reference/static-configuration/cli/
|
# If you want to configure additional Arguments for traefik, enter them here as a list and in the form of traefik CLI arguments; see https://doc.traefik.io/traefik/reference/static-configuration/cli/
|
||||||
|
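Review bot: The Postgres example now opens `port = "5432"` inbound from `source_ips = ["0.0.0.0/0", "::/0"]`, i.e. every IPv4 and IPv6 address, and the sentence that previously explained the example (`# In this example, we allow port TCP 5432 ...`) was removed without a replacement, so the commented block reads like a recommended configuration rather than an illustration. Suggest restoring a line above `# extra_firewall_rules = [` such as `# Example rules: expose a Postgres node port (narrow source_ips to the CIDRs that actually need it) and allow outbound SSH for ArgoCD`. The outbound rule's `destination_ips = ["0.0.0.0/0", "::/0"]` deserves the same qualifier, though open egress is a more common default. The commented list is complete within this hunk.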