merging staging changes to pr 173

.github/workflows/validate-terraform.yaml

@@ -15,7 +15,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v1
+        uses: hashicorp/setup-terraform@v2
       - name: Terraform Format
         run: terraform fmt -check -diff
       - name: Terraform Init

README.md

@@ -137,6 +137,13 @@ _To turn off k3s upgrades, you can either remove the `k3s_upgrade=true` label or
 kubectl -n system-upgrade label node <node-name> k3s_upgrade-
 ```
 
+Alternatively, you can disable the k3s automatic upgrade without individually editing the labels on the nodes. Instead you can just delete the two system controller upgrade plans with:
+
+```sh
+kubectl delete plan k3s-agent -n system-upgrade
+kubectl delete plan k3s-server -n system-upgrade
+```
+
 ### Individual Components Upgrade
 
 Rarely needed, but can be handy in the long run. During the installation, we automatically download a backup of the kustomization to a `kustomization_backup.yaml` file. You will find it next to your `kubeconfig.yaml` at the root of your project.
@@ -212,6 +219,14 @@ module "kube-hetzner" {
 
 </details>
 
+<details>
+
+<summary>Use in Terraform cloud</summary>
+
+To use Kube-Hetzner on Terraform cloud, use as a Terraform module as mentioned above, but also change the execution mode from `remote` to `local`.
+
+</details>
+
 ## Debugging
 
 First and foremost, it depends, but it's always good to have a quick look into Hetzner quickly without logging in to the UI. That is where the `hcloud` cli comes in.

modules/host/locals.tf

@@ -1,16 +1,23 @@
 locals {
+  # ssh public key
   ssh_public_key = trimspace(file(var.public_key))
   # ssh_private_key is either the contents of var.private_key or null to use a ssh agent.
   ssh_private_key = var.private_key == null ? null : trimspace(file(var.private_key))
+
   # ssh_identity is not set if the private key is passed directly, but if ssh agent is used, the public key tells ssh agent which private key to use.
   # For terraforms provisioner.connection.agent_identity, we need the public key as a string.
   ssh_identity = var.private_key == null ? local.ssh_public_key : null
+
   # ssh_identity_file is used for ssh "-i" flag, its the private key if that is set, or a public key file
   # if an ssh agent is used.
   ssh_identity_file = var.private_key == null ? var.public_key : var.private_key
+
   # shared flags for ssh to ignore host keys, to use our ssh identity file for all connections during provisioning.
   ssh_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${local.ssh_identity_file}"
 
+  # Final list of packages to install
+  needed_packages = join(" ", concat(["k3s-selinux"], var.packages_to_install))
+
   # the hosts name with its unique suffix attached
   name = "${var.name}-${random_string.server.id}"
 }

modules/host/main.tf

@@ -65,11 +65,12 @@ resource "hcloud_server" "server" {
     EOT
   }
 
-  # Install k3s-selinux (compatible version)
+  # Install k3s-selinux (compatible version) and open-iscsi
   provisioner "remote-exec" {
-    inline = [
+    inline = [<<-EOT
-      "set -ex",
+      set -ex
-      "transactional-update shell <<< 'rpm --import https://rpm.rancher.io/public.key; zypper install -y open-iscsi https://github.com/k3s-io/k3s-selinux/releases/download/v0.5.stable.1/k3s-selinux-0.5-1.sle.noarch.rpm'"
+      transactional-update shell <<< "zypper --gpg-auto-import-keys install -y ${local.needed_packages}"
+      EOT
     ]
   }
 
@@ -87,9 +88,12 @@ resource "hcloud_server" "server" {
 
   # Enable open-iscsi
   provisioner "remote-exec" {
-    inline = [
+    inline = [<<-EOT
-      "set -ex",
+      set -ex
-      "systemctl enable --now iscsid"
+      if [[ $(systemctl list-units --all -t service --full --no-legend "iscsid.service" | sed 's/^\s*//g' | cut -f1 -d' ') == iscsid.service ]]; then
+        systemctl enable --now iscsid
+      fi
+      EOT
     ]
   }
 }

modules/host/templates/userdata.yaml.tpl

@@ -23,6 +23,17 @@ write_files:
     REBOOT_METHOD=kured
   path: /etc/transactional-update.conf
 
+# Create Rancher repo config
+- content: |
+    [rancher-k3s-common-stable]
+    name=Rancher K3s Common (stable)
+    baseurl=https://rpm.rancher.io/k3s/stable/common/microos/noarch
+    enabled=1
+    gpgcheck=1
+    repo_gpgcheck=0
+    gpgkey=https://rpm.rancher.io/public.key
+  path: /etc/zypp/repos.d/rancher-k3s-common.repo
+
 # Add ssh authorized keys
 ssh_authorized_keys:
 %{ for key in sshAuthorizedKeys ~}

modules/host/variables.tf

@@ -62,3 +62,9 @@ variable "server_type" {
   description = "The server type"
   type        = string
 }
+
+variable "packages_to_install" {
+  description = "Packages to install"
+  type        = list(string)
+  default     = []
+}

terraform.tfvars.example

@@ -8,14 +8,14 @@
 # * Your Hetzner project API token
 hcloud_token = "xxxxxxxxxxxxxxxxxxYYYYYYYYYYYYYYYYYYYzzzzzzzzzzzzzzzzzzzzz"
 # * Your public key
-public_key   = "/home/username/.ssh/id_ed25519.pub"
+public_key = "/home/username/.ssh/id_ed25519.pub"
 # * Your private key must be "private_key = null" when you want to use ssh-agent for a Yubikey-like device authentification or an SSH key-pair with a passphrase.
 # For more details on SSH see https://github.com/kube-hetzner/kube-hetzner/blob/master/docs/ssh.md
-private_key  = "/home/username/.ssh/id_ed25519"
+private_key = "/home/username/.ssh/id_ed25519"
 
 # These can be customized, or left with the default values
 # * For Hetzner locations see https://docs.hetzner.com/general/others/data-centers-and-connection/
-network_region   = "eu-central" # change to `us-east` if location is ash
+network_region = "eu-central" # change to `us-east` if location is ash
 
 # For the control planes, at least three nodes are the minimum for HA. Otherwise, you need to turn off the automatic upgrade (see ReadMe).
 # As per rancher docs, it must always be an odd number, never even! See https://rancher.com/docs/k3s/latest/en/installation/ha-embedded/
@@ -146,25 +146,24 @@ load_balancer_location = "fsn1"
 # use_cluster_name_in_node_name = false
 
 # Adding extra firewall rules, like opening a port
-# In this example, we allow port TCP 5432 for a Postgres service that we will open via a node port and also allow outgoing SMTP traffic on port TCP 465
 # More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall
 # extra_firewall_rules = [
+#   # For Postgres
 #   {
-#     direction = "in"
+#     direction       = "in"
-#     protocol  = "tcp"
+#     protocol        = "tcp"
-#     port      = "5432"
+#     port            = "5432"
-#     source_ips = [
+#     source_ips      = ["0.0.0.0/0", "::/0"]
-#       "0.0.0.0/0"
+#     destination_ips = [] # Won't be used for this rule 
-#     ]
 #   },
+#   # To Allow ArgoCD access to resources via SSH
 #   {
-#     direction = "out"
+#     direction       = "out"
-#     protocol  = "tcp"
+#     protocol        = "tcp"
-#     port      = "465"
+#     port            = "22"
-#     destination_ips = [
+#     source_ips      = [] # Won't be used for this rule 
-#       "0.0.0.0/0"
+#     destination_ips = ["0.0.0.0/0", "::/0"]
-#     ]
+#   }
-#   },
 # ]
 
 # If you want to configure additional Arguments for traefik, enter them here as a list and in the form of traefik CLI arguments; see https://doc.traefik.io/traefik/reference/static-configuration/cli/