From 5f7d47783b894db66e8625b3847e614e76eba178 Mon Sep 17 00:00:00 2001
From: Marco Nenciarini
Date: Wed, 23 Feb 2022 19:36:03 +0100
Subject: [PATCH 1/2] Switch to cloud-init for host initialization
---
 locals.tf | 4 +-
 modules/host/locals.tf | 55 +-----------------------
 modules/host/main.tf | 55 ++++++++++++++++++------
 modules/host/templates/boothook.sh.tpl | 5 +++
 modules/host/templates/userdata.yaml.tpl | 35 +++++++++++++++
 modules/host/versions.tf | 4 ++
 6 files changed, 88 insertions(+), 70 deletions(-)
 create mode 100644 modules/host/templates/boothook.sh.tpl
 create mode 100644 modules/host/templates/userdata.yaml.tpl
diff --git a/locals.tf b/locals.tf
index 0fe2a8c..d4fec46 100644
--- a/locals.tf
+++ b/locals.tf
@@ -145,9 +145,9 @@ locals {
 "[ -e /etc/rancher/k3s/k3s.yaml ] && exit 0",
 ]
- install_k3s_server = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_SELINUX_RPM=true INSTALL_K3S_SKIP_START=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=server sh -"])
+ install_k3s_server = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=server sh -"])
- install_k3s_agent = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_SELINUX_RPM=true INSTALL_K3S_SKIP_START=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=agent sh -"])
+ install_k3s_agent = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=agent sh -"])
 agent_nodepools = merge([ for nodepool_name, nodepool_obj in var.agent_nodepools : {
diff --git a/modules/host/locals.tf b/modules/host/locals.tf
index 08306d6..2da653d 100644
--- a/modules/host/locals.tf
+++ b/modules/host/locals.tf
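Review bot: Dropping `INSTALL_K3S_SKIP_SELINUX_RPM=true` from both `install_k3s_server` and `install_k3s_agent` is a behaviour change that the commit message (cloud-init switch) does not mention, so it reads as accidental. A one-line comment above `install_k3s_server` stating why the k3s-selinux RPM is now wanted — presumably because the new OpenStack-Cloud image is expected to ship SELinux support, but that is not visible here — would make the intent explicit and help whoever debugs a failed install later. The enclosing `locals` block starts and ends outside the hunk.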
@@ -15,60 +15,7 @@ locals { "set -ex", "apt-get update", "apt-get install -y aria2", - "aria2c --follow-metalink=mem https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2.meta4", + "aria2c --follow-metalink=mem https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-OpenStack-Cloud.qcow2.meta4", "qemu-img convert -p -f qcow2 -O host_device $(ls -a | grep -ie '^opensuse.*microos.*qcow2$') /dev/sda", - "sgdisk -e /dev/sda", - "parted -s /dev/sda resizepart 4 99%", - "parted -s /dev/sda mkpart primary ext2 99% 100%", - "partprobe /dev/sda && udevadm settle && fdisk -l /dev/sda", - "mount /dev/sda4 /mnt/ && btrfs filesystem resize max /mnt && umount /mnt", - "mke2fs -L ignition /dev/sda5", - "mount /dev/sda5 /mnt", - "mkdir /mnt/ignition", - "cp /root/config.ign /mnt/ignition/config.ign", - "mkdir /mnt/combustion", - "cp /root/script /mnt/combustion/script", - "umount /mnt" ] - - ignition_config = jsonencode({ - ignition = { - version = "3.0.0" - } - passwd = { - users = [{ - name = "root" - sshAuthorizedKeys = concat([local.ssh_public_key], var.additional_public_keys) - }] - } - storage = { - files = [ - { - path = "/etc/sysconfig/network/ifcfg-eth1" - mode = 420 - overwrite = true - contents = { "source" = "data:,BOOTPROTO%3D%27dhcp%27%0ASTARTMODE%3D%27auto%27" } - }, - { - path = "/etc/ssh/sshd_config.d/kube-hetzner.conf" - mode = 420 - overwrite = true - contents = { "source" = "data:,PasswordAuthentication%20no%0AX11Forwarding%20no%0AMaxAuthTries%202%0AAllowTcpForwarding%20no%0AAllowAgentForwarding%20no%0AAuthorizedKeysFile%20.ssh%2Fauthorized_keys" } - } - ] - } - }) - - combustion_script = < /etc/transactional-update.conf", - # set the hostname - "hostnamectl set-hostname ${self.name}" ] } } 
@@ -68,3 +65,33 @@ resource "hcloud_server_network" "server" {
 server_id = hcloud_server.server.id
 subnet_id = var.ipv4_subnet_id
 }
+
+data "template_cloudinit_config" "config" {
+ gzip = true
+ base64_encode = true
+
+ # Main cloud-config configuration file.
+ part {
+ filename = "init.cfg"
+ content_type = "text/cloud-config"
+ content = templatefile(
+ "${path.module}/templates/userdata.yaml.tpl",
+ {
+ hostname = var.name
+ sshAuthorizedKeys = concat([local.ssh_public_key], var.additional_public_keys)
+ }
+ )
+ }
+
+ # Initialization script (runs at every reboot)
+ part {
+ content_type = "text/cloud-boothook"
+ filename = "boothook.sh"
+ content = templatefile(
+ "${path.module}/templates/boothook.sh.tpl",
+ {
+ hostname = var.name
+ }
+ )
+ }
+}
diff --git a/modules/host/templates/boothook.sh.tpl b/modules/host/templates/boothook.sh.tpl
new file mode 100644
index 0000000..0b1f461
--- /dev/null
+++ b/modules/host/templates/boothook.sh.tpl
@@ -0,0 +1,5 @@
+#!/bin/sh
+#cloud-boothook
+
+# Fix hostname after reboot
+hostnamectl hostname "${hostname}"
diff --git a/modules/host/templates/userdata.yaml.tpl b/modules/host/templates/userdata.yaml.tpl
new file mode 100644
index 0000000..0e4ef50
--- /dev/null
+++ b/modules/host/templates/userdata.yaml.tpl
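Review bot: `data "template_cloudinit_config" "config"` ties the module to the `hashicorp/template` provider, which is archived and deprecated upstream, so the `~> 2.2.0` pin added in the versions.tf hunk is its final release and no future fixes (or builds for new platforms) will arrive. The maintained replacement accepts the same `gzip`, `base64_encode` and `part` arguments, so this is a two-line change: `data "cloudinit_config" "config" {` here, and `cloudinit = { source = "hashicorp/cloudinit", version = "~> 2.2" }` in place of the `template` entry in required_providers. Pinning an unmaintained provider is a supply-chain liability worth removing while the data source is still new. The `hcloud_server` resource that presumably consumes `.rendered` as user_data is outside this hunk, so I could not check that reference.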
@@ -0,0 +1,35 @@
+#cloud-config
+write_files:
+
+# Configure private network
+- content: |
+ BOOTPROTO='dhcp'
+ STARTMODE='auto'
+ path: /etc/sysconfig/network/ifcfg-eth1
+
+# Disable ssh password authentication
+- content: |
+ PasswordAuthentication no
+ X11Forwarding no
+ MaxAuthTries 2
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ AuthorizedKeysFile .ssh/authorized_keys
+ path: /etc/ssh/sshd_config.d/kube-hetzner.conf
+
+# Add ssh authorized keys
+ssh_authorized_keys:
+%{ for key in sshAuthorizedKeys ~}
+ - ${key}
+%{ endfor ~}
+
+runcmd:
+
+# Activate the private network
+- systemctl reload network
+
+# Activate ssh configuration
+- systemctl reload sshd
+
+# Fix hostname (during first boot)
+- hostnamectl hostname ${hostname}
diff --git a/modules/host/versions.tf b/modules/host/versions.tf
index fe79022..7c8da9d 100644
--- a/modules/host/versions.tf
+++ b/modules/host/versions.tf
@@ -12,5 +12,9 @@ terraform {
 source = "tenstad/remote"
 version = "~> 0.0.23"
 }
+ template = {
+ source = "hashicorp/template"
+ version = "~> 2.2.0"
+ }
 }
 }
From c70571a5757c214db85965a93f10ca26a70f9ea5 Mon Sep 17 00:00:00 2001
From: Marco Nenciarini
Date: Mon, 28 Feb 2022 10:56:40 +0100
Subject: [PATCH 2/2] Add missing variables in terraform.tfvars.example
---
 terraform.tfvars.example | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index f6e7334..fbbcf2f 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
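Review bot: Under `ssh_authorized_keys` each key is rendered as a bare scalar with `- ${key}`, and the list is built from `var.additional_public_keys`, i.e. operator-supplied text; a key whose comment field contains `: ` or ` #` turns the item into a mapping or truncates it, so cloud-init either rejects the whole user-data (no network, no sshd hardening, no keys) or installs a mangled key. Rendering it as `- ${jsonencode(key)}` produces a double-quoted YAML scalar that survives any such characters unchanged. The same quoting gap exists in `- hostnamectl hostname ${hostname}` under `runcmd`, which is unquoted here while the boothook template quotes the same value; `- hostnamectl hostname ${jsonencode(hostname)}` keeps the two consistent for the hostnames the provider accepts. The removed Ignition config added the keys to `root` explicitly, whereas top-level `ssh_authorized_keys` targets the image's cloud.cfg default user; that this is root on the new OpenStack-Cloud image is not visible from the patch and worth confirming.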
@@ -15,13 +15,19 @@ network_region = "eu-central" # change to `us-east` if location is ash # You can have up to as many subnets as you want (preferably if the form of 10.X.0.0/16), # their primary use is to logically separate the nodes. +# The control_plane network is mandatory. network_ipv4_subnets = { control_plane = "10.1.0.0/16" agent_big = "10.2.0.0/16" agent_small = "10.3.0.0/16" } -# As for the agent nodepools, below is just an example, if you do not want nodepools, just use one, +# At least 3 server nodes is recommended for HA, otherwise you need to turn off automatic upgrade (see ReadMe). +control_plane_count = 3 +control_plane_server_type = "cpx11" +load_balancer_type = "lb11" + +# As for the agent nodepools, below is just an example, if you do not want nodepools, just use one, # and change the name to what you want, it need not be "agent-big" or "agent-small", also give them the subnet prefer. agent_nodepools = { agent-big = {