rancher install ok

init.tf

@@ -88,9 +88,11 @@ resource "null_resource" "kustomization" {
           "https://raw.githubusercontent.com/rancher/system-upgrade-controller/master/manifests/system-upgrade-controller.yaml",
         ],
         var.disable_hetzner_csi ? [] : ["https://raw.githubusercontent.com/hetznercloud/csi-driver/${local.csi_version}/deploy/kubernetes/hcloud-csi.yml"],
-        var.enable_longhorn ? ["longhorn.yaml"] : [],
         local.is_single_node_cluster ? [] : var.traefik_enabled ? ["traefik_config.yaml"] : [],
-        var.cni_plugin == "calico" ? ["https://projectcalico.docs.tigera.io/manifests/calico.yaml"] : []
+        var.cni_plugin == "calico" ? ["https://projectcalico.docs.tigera.io/manifests/calico.yaml"] : [],
+        var.enable_longhorn ? ["longhorn.yaml"] : [],
+        var.enable_cert_manager || var.enable_rancher ? ["cert-manager.yaml"] : [],
+        var.enable_rancher ? ["rancher.yaml"] : [],
       ),
       patchesStrategicMerge = concat(
         [
@@ -160,6 +162,26 @@ resource "null_resource" "kustomization" {
     destination = "/var/post_install/longhorn.yaml"
   }
 
+  # Upload the cert-manager config
+  provisioner "file" {
+    content = templatefile(
+      "${path.module}/templates/cert-manager.yaml.tpl",
+    {})
+    destination = "/var/post_install/cert-manager.yaml"
+  }
+
+  # Upload the rancher config
+  provisioner "file" {
+    content = templatefile(
+      "${path.module}/templates/rancher.yaml.tpl",
+      {
+        rancher_install_channel    = var.rancher_install_channel
+        rancher_hostname           = var.rancher_hostname
+        number_control_plane_nodes = length(local.control_plane_nodes)
+    })
+    destination = "/var/post_install/rancher.yaml"
+  }
+
   # Deploy secrets, logging is automatically disabled due to sensitive variables
   provisioner "remote-exec" {
     inline = [

templates/cert-manager.yaml.tpl

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: cert-manager
+  namespace: kube-system
+spec:
+  chart: cert-manager
+  repo: https://charts.jetstack.io
+  targetNamespace: cert-manager
+  valuesContent: |-
+    installCRDs: true

templates/rancher.yaml.tpl

@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cattle-system
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: rancher
+  namespace: kube-system
+spec:
+  chart: rancher
+  repo: https://releases.rancher.com/server-charts/${rancher_install_channel}
+  targetNamespace: cattle-system
+  valuesContent: |-
+    ingress:
+      tls:
+        source: rancher
+    hostname: ${rancher_hostname}
+    replicas: ${number_control_plane_nodes}

terraform.tfvars.example

@@ -183,3 +183,23 @@ load_balancer_location = "fsn1"
 # If you want to disable the automatic use of placement group "spread". See https://docs.hetzner.com/cloud/placement-groups/overview/
 # That may be useful if you need to deploy more than 500 nodes! The default is "false".
 # placement_group_disable = true
+
+# You can enable cert-manager (installed by Helm behind the scenes) with the following flag, the default is "false".
+# enable_cert_manager = true
+
+# You can enable rancher (installed by Helm behind the scenes) with the following flag, the default is "false".
+# When rancher is enabled, it automatically installs cert-manager too, and it uses rancher's own certificates.
+# As for the number of replicas, it is set to the numbe of control plane nodes.
+# You can customized all of the above by creating and applying a HelmChartConfig to pass the helm chart values of your choice. 
+# See https://rancher.com/docs/k3s/latest/en/helm/ 
+# and https://rancher.com/docs/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/
+# enable_rancher = true
+
+# When rancher is deployed, by default is uses the "stable" channel. But this can be customized.
+# The allowed values are "stable", "latest", and "alpha".
+# rancher_install_channel = "latest"
+
+# Set your rancher hostname, the default is "rancher.example.com".
+# It is a required value when using rancher, but up to you to point the DNS to it or not. 
+# You can also not point the DNS, and just port-forward locally via kubectl to get access to the dashboard.
+# rancher_hostname = "rancher.xyz.dev"

variables.tf

@@ -107,7 +107,7 @@ variable "initial_k3s_channel" {
   description = "Allows you to specify an initial k3s channel"
 
   validation {
-    condition     = contains(["stable", "latest", "testing", "v1.16", "v1.17", "v1.18", "v1.19", "v1.20", "v1.21", "v1.22", "v1.23"], var.initial_k3s_channel)
+    condition     = contains(["stable", "latest", "testing", "v1.16", "v1.17", "v1.18", "v1.19", "v1.20", "v1.21", "v1.22", "v1.23", "v1.24"], var.initial_k3s_channel)
     error_message = "The initial k3s channel must be one of stable, latest or testing."
   }
 }
@@ -175,3 +175,32 @@ variable "disable_hetzner_csi" {
   default     = false
   description = "Disable hetzner csi driver"
 }
+
+variable "enable_cert_manager" {
+  type        = bool
+  default     = false
+  description = "Enable cert manager"
+}
+
+variable "enable_rancher" {
+  type        = bool
+  default     = false
+  description = "Enable rancher"
+}
+
+variable "rancher_install_channel" {
+  type        = string
+  default     = "stable"
+  description = "Rancher install channel"
+
+  validation {
+    condition     = contains(["stable", "latest", "alpha"], var.rancher_install_channel)
+    error_message = "The allowed values for the rancher install channel are stable, latest, or alpha."
+  }
+}
+
+variable "rancher_hostname" {
+  type        = string
+  default     = "rancher.example.com"
+  description = "Enable rancher"
+}