merging staging changes to pr 173

This commit is contained in:
Karim Naufal 2022-05-04 02:33:42 +02:00
commit 22585f6210
No known key found for this signature in database
GPG Key ID: 9CB4A7C28C139CA5
7 changed files with 67 additions and 25 deletions

View File

@ -15,7 +15,7 @@ jobs:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@v3
- name: Setup Terraform - name: Setup Terraform
uses: hashicorp/setup-terraform@v1 uses: hashicorp/setup-terraform@v2
- name: Terraform Format - name: Terraform Format
run: terraform fmt -check -diff run: terraform fmt -check -diff
- name: Terraform Init - name: Terraform Init

View File

@ -137,6 +137,13 @@ _To turn off k3s upgrades, you can either remove the `k3s_upgrade=true` label or
kubectl -n system-upgrade label node <node-name> k3s_upgrade- kubectl -n system-upgrade label node <node-name> k3s_upgrade-
``` ```
Alternatively, you can disable the k3s automatic upgrade without individually editing the labels on the nodes. Instead you can just delete the two system controller upgrade plans with:
```sh
kubectl delete plan k3s-agent -n system-upgrade
kubectl delete plan k3s-server -n system-upgrade
```
### Individual Components Upgrade ### Individual Components Upgrade
Rarely needed, but can be handy in the long run. During the installation, we automatically download a backup of the kustomization to a `kustomization_backup.yaml` file. You will find it next to your `kubeconfig.yaml` at the root of your project. Rarely needed, but can be handy in the long run. During the installation, we automatically download a backup of the kustomization to a `kustomization_backup.yaml` file. You will find it next to your `kubeconfig.yaml` at the root of your project.
@ -212,6 +219,14 @@ module "kube-hetzner" {
</details> </details>
<details>
<summary>Use in Terraform cloud</summary>
To use Kube-Hetzner on Terraform cloud, use as a Terraform module as mentioned above, but also change the execution mode from `remote` to `local`.
</details>
## Debugging ## Debugging
First and foremost, it depends, but it's always good to have a quick look into Hetzner quickly without logging in to the UI. That is where the `hcloud` cli comes in. First and foremost, it depends, but it's always good to have a quick look into Hetzner quickly without logging in to the UI. That is where the `hcloud` cli comes in.

View File

@ -1,16 +1,23 @@
locals { locals {
# ssh public key
ssh_public_key = trimspace(file(var.public_key)) ssh_public_key = trimspace(file(var.public_key))
# ssh_private_key is either the contents of var.private_key or null to use a ssh agent. # ssh_private_key is either the contents of var.private_key or null to use a ssh agent.
ssh_private_key = var.private_key == null ? null : trimspace(file(var.private_key)) ssh_private_key = var.private_key == null ? null : trimspace(file(var.private_key))
# ssh_identity is not set if the private key is passed directly, but if ssh agent is used, the public key tells ssh agent which private key to use. # ssh_identity is not set if the private key is passed directly, but if ssh agent is used, the public key tells ssh agent which private key to use.
# For terraforms provisioner.connection.agent_identity, we need the public key as a string. # For terraforms provisioner.connection.agent_identity, we need the public key as a string.
ssh_identity = var.private_key == null ? local.ssh_public_key : null ssh_identity = var.private_key == null ? local.ssh_public_key : null
# ssh_identity_file is used for ssh "-i" flag, its the private key if that is set, or a public key file # ssh_identity_file is used for ssh "-i" flag, its the private key if that is set, or a public key file
# if an ssh agent is used. # if an ssh agent is used.
ssh_identity_file = var.private_key == null ? var.public_key : var.private_key ssh_identity_file = var.private_key == null ? var.public_key : var.private_key
# shared flags for ssh to ignore host keys, to use our ssh identity file for all connections during provisioning. # shared flags for ssh to ignore host keys, to use our ssh identity file for all connections during provisioning.
ssh_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${local.ssh_identity_file}" ssh_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${local.ssh_identity_file}"
# Final list of packages to install
needed_packages = join(" ", concat(["k3s-selinux"], var.packages_to_install))
# the hosts name with its unique suffix attached # the hosts name with its unique suffix attached
name = "${var.name}-${random_string.server.id}" name = "${var.name}-${random_string.server.id}"
} }

View File

@ -65,11 +65,12 @@ resource "hcloud_server" "server" {
EOT EOT
} }
# Install k3s-selinux (compatible version) # Install k3s-selinux (compatible version) and open-iscsi
provisioner "remote-exec" { provisioner "remote-exec" {
inline = [ inline = [<<-EOT
"set -ex", set -ex
"transactional-update shell <<< 'rpm --import https://rpm.rancher.io/public.key; zypper install -y open-iscsi https://github.com/k3s-io/k3s-selinux/releases/download/v0.5.stable.1/k3s-selinux-0.5-1.sle.noarch.rpm'" transactional-update shell <<< "zypper --gpg-auto-import-keys install -y ${local.needed_packages}"
EOT
] ]
} }
@ -87,9 +88,12 @@ resource "hcloud_server" "server" {
# Enable open-iscsi # Enable open-iscsi
provisioner "remote-exec" { provisioner "remote-exec" {
inline = [ inline = [<<-EOT
"set -ex", set -ex
"systemctl enable --now iscsid" if [[ $(systemctl list-units --all -t service --full --no-legend "iscsid.service" | sed 's/^\s*//g' | cut -f1 -d' ') == iscsid.service ]]; then
systemctl enable --now iscsid
fi
EOT
] ]
} }
} }

View File

@ -23,6 +23,17 @@ write_files:
REBOOT_METHOD=kured REBOOT_METHOD=kured
path: /etc/transactional-update.conf path: /etc/transactional-update.conf
# Create Rancher repo config
- content: |
[rancher-k3s-common-stable]
name=Rancher K3s Common (stable)
baseurl=https://rpm.rancher.io/k3s/stable/common/microos/noarch
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://rpm.rancher.io/public.key
path: /etc/zypp/repos.d/rancher-k3s-common.repo
# Add ssh authorized keys # Add ssh authorized keys
ssh_authorized_keys: ssh_authorized_keys:
%{ for key in sshAuthorizedKeys ~} %{ for key in sshAuthorizedKeys ~}

View File

@ -62,3 +62,9 @@ variable "server_type" {
description = "The server type" description = "The server type"
type = string type = string
} }
variable "packages_to_install" {
description = "Packages to install"
type = list(string)
default = []
}

View File

@ -146,25 +146,24 @@ load_balancer_location = "fsn1"
# use_cluster_name_in_node_name = false # use_cluster_name_in_node_name = false
# Adding extra firewall rules, like opening a port # Adding extra firewall rules, like opening a port
# In this example, we allow port TCP 5432 for a Postgres service that we will open via a node port and also allow outgoing SMTP traffic on port TCP 465
# More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall # More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall
# extra_firewall_rules = [ # extra_firewall_rules = [
# # For Postgres
# { # {
# direction = "in" # direction = "in"
# protocol = "tcp" # protocol = "tcp"
# port = "5432" # port = "5432"
# source_ips = [ # source_ips = ["0.0.0.0/0", "::/0"]
# "0.0.0.0/0" # destination_ips = [] # Won't be used for this rule
# ]
# }, # },
# # To Allow ArgoCD access to resources via SSH
# { # {
# direction = "out" # direction = "out"
# protocol = "tcp" # protocol = "tcp"
# port = "465" # port = "22"
# destination_ips = [ # source_ips = [] # Won't be used for this rule
# "0.0.0.0/0" # destination_ips = ["0.0.0.0/0", "::/0"]
# ] # }
# },
# ] # ]
# If you want to configure additional Arguments for traefik, enter them here as a list and in the form of traefik CLI arguments; see https://doc.traefik.io/traefik/reference/static-configuration/cli/ # If you want to configure additional Arguments for traefik, enter them here as a list and in the form of traefik CLI arguments; see https://doc.traefik.io/traefik/reference/static-configuration/cli/