From 9b7375e42472e49582bc58da31c14d0dc62559db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wa=C3=ABl=20Ammar?= Date: Sat, 29 Jan 2022 21:15:23 +0100 Subject: [PATCH 1/4] Add Hetzner placement group and link servers to it --- agents.tf | 13 +++++++------ main.tf | 10 ++++++++++ master.tf | 13 +++++++------ servers.tf | 13 +++++++------ 4 files changed, 31 insertions(+), 18 deletions(-) diff --git a/agents.tf b/agents.tf index 3ec7d14..f128556 100644 --- a/agents.tf +++ b/agents.tf @@ -2,12 +2,13 @@ resource "hcloud_server" "agents" { count = var.agents_num name = "k3s-agent-${count.index}" - image = data.hcloud_image.linux.name - rescue = "linux64" - server_type = var.agent_server_type - location = var.location - ssh_keys = [hcloud_ssh_key.default.id] - firewall_ids = [hcloud_firewall.k3s.id] + image = data.hcloud_image.linux.name + rescue = "linux64" + server_type = var.agent_server_type + location = var.location + ssh_keys = [hcloud_ssh_key.default.id] + firewall_ids = [hcloud_firewall.k3s.id] + placement_group_id = hcloud_placement_group.k3s_placement_group.id labels = { diff --git a/main.tf b/main.tf index ed3591e..7e31d1d 100644 --- a/main.tf +++ b/main.tf @@ -174,3 +174,13 @@ resource "local_file" "traefik_config" { file_permission = "0644" directory_permission = "0755" } + + +resource "hcloud_placement_group" "k3s_placement_group" { + name = "k3s-placement-group" + type = "spread" + labels = { + "provisioner" = "terraform", + "engine" = "k3s" + } +} diff --git a/master.tf b/master.tf index 561e1ab..506e5bd 100644 --- a/master.tf +++ b/master.tf 
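Review bot: The spread placement group created in main.tf receives every control-plane and agent server, but Hetzner's documentation caps the number of members of a spread group (10 at the time of writing, as far as I recall), so a deployment with `servers_num + agents_num` above that cap fails on the last `hcloud_server` at apply time rather than at plan time. The hunk should at least say so, e.g. a comment above the resource: `# Hetzner limits how many servers a spread placement group may hold; servers_num + agents_num must stay within that limit.`, and ideally a `validation` on the count variables. The `hcloud_server` bodies in agents.tf and master.tf continue outside their hunks.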
@@ -1,12 +1,13 @@ resource "hcloud_server" "first_control_plane" { name = "k3s-control-plane-0" - image = data.hcloud_image.linux.name - rescue = "linux64" - server_type = var.control_plane_server_type - location = var.location - ssh_keys = [hcloud_ssh_key.default.id] - firewall_ids = [hcloud_firewall.k3s.id] + image = data.hcloud_image.linux.name + rescue = "linux64" + server_type = var.control_plane_server_type + location = var.location + ssh_keys = [hcloud_ssh_key.default.id] + firewall_ids = [hcloud_firewall.k3s.id] + placement_group_id = hcloud_placement_group.k3s_placement_group.id labels = { "provisioner" = "terraform", diff --git a/servers.tf b/servers.tf index ba31ff3..2e4ef39 100644 --- a/servers.tf +++ b/servers.tf @@ -2,12 +2,13 @@ resource "hcloud_server" "control_planes" { count = var.servers_num - 1 name = "k3s-control-plane-${count.index + 1}" - image = data.hcloud_image.linux.name - rescue = "linux64" - server_type = var.control_plane_server_type - location = var.location - ssh_keys = [hcloud_ssh_key.default.id] - firewall_ids = [hcloud_firewall.k3s.id] + image = data.hcloud_image.linux.name + rescue = "linux64" + server_type = var.control_plane_server_type + location = var.location + ssh_keys = [hcloud_ssh_key.default.id] + firewall_ids = [hcloud_firewall.k3s.id] + placement_group_id = hcloud_placement_group.k3s_placement_group.id labels = { "provisioner" = "terraform", From 538464386695694f4b7326495b66b55648a4fda2 Mon Sep 17 00:00:00 2001 From: Karim Naufal Date: Sun, 30 Jan 2022 01:20:43 +0100 Subject: [PATCH 2/4] tweaked readme --- README.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/README.md b/README.md index 02b1396..8c40b7e 100644 --- a/README.md +++ b/README.md 
@@ -155,14 +155,6 @@ Any contributions you make are **greatly appreciated**. 4. Push to the Branch (`git push origin AmazingFeature`) 5. Open a Pull Request - - -## Contributors - -- Karim Naufal - [@mysticaltech](https://github.com/mysticaltech) -- Dennis Hoppe - [@dhoppe](https://github.com/dhoppe) -- Paul Härle - [@phaer](https://github.com/phaer) - ## Acknowledgements From 285e115475c9aeb41362b73963f727b0edd40906 Mon Sep 17 00:00:00 2001 From: Olivier Wenger Date: Tue, 1 Feb 2022 23:32:10 +0100 Subject: [PATCH 3/4] added letsencrypt configuration for traefik --- main.tf | 8 +++++--- templates/traefik_config.yaml.tpl | 6 ++++++ terraform.tfvars.example | 4 ++++ variables.tf | 13 +++++++++++++ 4 files changed, 28 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 7e31d1d..bfd468e 100644 --- a/main.tf +++ b/main.tf @@ -166,9 +166,11 @@ resource "local_file" "hetzner_csi_config" { resource "local_file" "traefik_config" { content = templatefile("${path.module}/templates/traefik_config.yaml.tpl", { - lb_disable_ipv6 = var.lb_disable_ipv6 - lb_server_type = var.lb_server_type - location = var.location + lb_disable_ipv6 = var.lb_disable_ipv6 + lb_server_type = var.lb_server_type + location = var.location + traefik_acme_tls = var.traefik_acme_tls + traefik_acme_email = var.traefik_acme_email }) filename = "${path.module}/templates/rendered/traefik_config.yaml" file_permission = "0644" diff --git a/templates/traefik_config.yaml.tpl b/templates/traefik_config.yaml.tpl index 4b03c7a..4ccf29b 100644 --- a/templates/traefik_config.yaml.tpl +++ b/templates/traefik_config.yaml.tpl 
@@ -24,3 +24,9 @@ spec:
  - "--entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
  - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
  - "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
+%{ if traefik_acme_tls ~}
+ - "--certificatesresolvers.le.acme.httpchallenge=true"
+ - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
+ - "--certificatesresolvers.le.acme.email=${traefik_acme_email}"
+ - "--certificatesresolvers.le.acme.storage=/data/acme.json"
+%{ endif ~}
\ No newline at end of file
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index 6cf5b54..15d500b 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
@@ -25,3 +25,7 @@ agents_num = 2
 # that is probably the more "vanilla" option to keep these components always updated.
 # hetzner_ccm_containers_latest = true
 # hetzner_csi_containers_latest = true
+
+# If you want to use letsencrypt with tls Challenge, the email address is used to send you certificates expiration notices
+# traefik_acme_tls = true
+# traefik_acme_email = "mail@example.com"
diff --git a/variables.tf b/variables.tf
index 51dc3bd..3aa4598 100644
--- a/variables.tf
+++ b/variables.tf
@@ -78,3 +78,16 @@ variable "hetzner_csi_containers_latest" {
   default = false
   description = "Whether to kustomize the Hetzner CSI manifest with the latest or canary tags for containers"
 }
+
+variable "traefik_acme_tls" {
+  type = bool
+  default = false
+  description = "Wheter to include the TLS configuration with the Traefik configuration"
+}
+
+variable "traefik_acme_email" {
+  type = string
+  default = false
+  description = "Email used to recieved expiration notice for certificate"
+}
+
From 23d17382ac48d91aa2456edeca7cd4eed30d1290 Mon Sep 17 00:00:00 2001
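Review bot: `--certificatesresolvers.le.acme.storage=/data/acme.json` points at a path that nothing in this hunk backs with persistent storage, so unless the Traefik chart values elsewhere mount a volume at /data, the ACME account key and issued certificates vanish on every pod restart, each restart re-registers and re-issues with Let's Encrypt, and the production rate limits are reached quickly. A comment on that line such as `# acme.json must be on a persistent volume; losing it re-issues every certificate on restart` plus a check that the chart's persistence is enabled would prevent that. Separately, as far as I recall HCL's `~}` strips all whitespace following the directive, including the next line's indentation, which would leave the first `- "--certificatesresolvers…"` item at column 0 in the rendered YAML — verify the rendered file, and if so use `%{~ if traefik_acme_tls }` / `%{~ endif }` so the list keeps its indent. The `spec:` block these arguments belong to starts outside the hunk.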
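Review bot: `variable "traefik_acme_email"` declares `type = string` with `default = false`; Terraform converts that to the string `"false"`, so enabling `traefik_acme_tls` without setting an email registers the ACME account with the literal address `false` instead of failing at plan time. Use `default = ""` and guard at the use site (a `validation` block cannot reference `traefik_acme_tls`, so the check belongs where the value is consumed). The two descriptions also carry typos: `Wheter` → `Whether`, `recieved` → `receive`.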
From: Olivier Wenger
Date: Wed, 2 Feb 2022 23:44:46 +0100
Subject: [PATCH 4/4] Replaced httpChallenge with tlsChallenge

Co-authored-by: Marco Nenciarini
---
 templates/traefik_config.yaml.tpl | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/templates/traefik_config.yaml.tpl b/templates/traefik_config.yaml.tpl
index 4ccf29b..62e9c26 100644
--- a/templates/traefik_config.yaml.tpl
+++ b/templates/traefik_config.yaml.tpl
@@ -25,8 +25,7 @@ spec:
  - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
  - "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
 %{ if traefik_acme_tls ~}
- - "--certificatesresolvers.le.acme.httpchallenge=true"
- - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
+ - "--certificatesresolvers.le.acme.tlschallenge=true"
  - "--certificatesresolvers.le.acme.email=${traefik_acme_email}"
  - "--certificatesresolvers.le.acme.storage=/data/acme.json"
 %{ endif ~}
\ No newline at end of file
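Review bot: Switching to the TLS-ALPN-01 challenge means Let's Encrypt must reach the `websecure` entrypoint on port 443 through the Hetzner load balancer for the hostname being issued, and nothing in this hunk says so; `hcloud_firewall.k3s` and the LB configuration are outside this patch, so a comment next to `--certificatesresolvers.le.acme.tlschallenge=true` such as `# TLS-ALPN-01: port 443 must be reachable from the internet via the LB for every hostname issued` would stop users from enabling it behind a closed firewall. Also, declaring the `le` resolver alone issues nothing — each Ingress still has to opt in, e.g. with the annotation `traefik.ingress.kubernetes.io/router.tls.certresolver: le`, and neither this template nor the tfvars comment from the previous commit mentions that, so enabling the flag looks like a silent no-op. The `spec:` block enclosing these arguments starts outside the hunk.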