feat: upgrade K8s to 1.29

- replace Hetzner DNS with CloudFlare
Peter 2024-03-22 11:28:40 +01:00
parent b1c0e83887
commit 9bd3f45172
Signed by: prskr
GPG key ID: F56BED6903BC5E37
9 changed files with 115 additions and 177 deletions


@ -1,91 +1,46 @@
resource "hetznerdns_zone" "icb4dc0de" {
name = "icb4dc0.de"
ttl = 86400
resource "cloudflare_zone" "icb4dc0de" {
account_id = var.cloudflare_account_id
zone = "icb4dc0.de"
lifecycle {
ignore_changes = [ account_id ]
}
}
resource "hetznerdns_record" "ns_primary" {
zone_id = hetznerdns_zone.icb4dc0de.id
name = "@"
type = "NS"
value = "helium.ns.hetzner.de."
resource "cloudflare_record" "mx_primary" {
zone_id = cloudflare_zone.icb4dc0de.id
name = "@"
type = "MX"
value = "mx01.mail.icloud.com"
priority = 10
}
resource "hetznerdns_record" "ns_secondary" {
zone_id = hetznerdns_zone.icb4dc0de.id
name = "@"
type = "NS"
value = "oxygen.ns.hetzner.com."
resource "cloudflare_record" "mx_secondary" {
zone_id = cloudflare_zone.icb4dc0de.id
name = "@"
type = "MX"
value = "mx02.mail.icloud.com"
priority = 10
}
resource "hetznerdns_record" "ns_ternary" {
zone_id = hetznerdns_zone.icb4dc0de.id
name = "@"
type = "NS"
value = "hydrogen.ns.hetzner.com."
resource "cloudflare_record" "apple_proof" {
zone_id = cloudflare_zone.icb4dc0de.id
name = "@"
type = "TXT"
value = "apple-domain=chwbVvzH8hWIgg1l"
}
resource "hetznerdns_record" "soa" {
zone_id = hetznerdns_zone.icb4dc0de.id
name = "@"
type = "SOA"
value = "hydrogen.ns.hetzner.com. dns.hetzner.com. 2023120305 86400 10800 3600000 3600"
resource "cloudflare_record" "apple_spf" {
zone_id = cloudflare_zone.icb4dc0de.id
name = "@"
type = "TXT"
value = "\"v=spf1 include:icloud.com ~all\""
}
resource "hetznerdns_record" "mx_primary" {
zone_id = hetznerdns_zone.icb4dc0de.id
name = "@"
type = "MX"
value = "10 mx01.mail.icloud.com."
}
resource "hetznerdns_record" "mx_secondary" {
zone_id = hetznerdns_zone.icb4dc0de.id
name = "@"
type = "MX"
value = "10 mx02.mail.icloud.com."
}
resource "hetznerdns_record" "apple_proof" {
zone_id = hetznerdns_zone.icb4dc0de.id
name = "@"
type = "TXT"
value = "apple-domain=chwbVvzH8hWIgg1l"
}
resource "hetznerdns_record" "apple_spf" {
zone_id = hetznerdns_zone.icb4dc0de.id
name = "@"
type = "TXT"
value = "\"v=spf1 include:icloud.com ~all\""
}
resource "hetznerdns_record" "apple_sig_domainkey" {
zone_id = hetznerdns_zone.icb4dc0de.id
name = "sig1._domainkey"
type = "CNAME"
value = "sig1.dkim.icb4dc0.de.at.icloudmailadmin.com."
}
resource "hetznerdns_record" "wildcard_ipv4" {
zone_id = hetznerdns_zone.icb4dc0de.id
name = "*"
type = "A"
value = "65.109.42.5"
ttl = 300
}
resource "hetznerdns_record" "wildcard_ipv6" {
zone_id = hetznerdns_zone.icb4dc0de.id
name = "*"
type = "AAAA"
value = "2a01:4f9:c01d:4f1::1"
ttl = 300
}
resource "hetznerdns_record" "k8s" {
zone_id = hetznerdns_zone.icb4dc0de.id
name = "k8s"
type = "AAAA"
value = "2a01:4f9:c012:7d4b::1"
ttl = 60
resource "cloudflare_record" "apple_sig_domainkey" {
zone_id = cloudflare_zone.icb4dc0de.id
name = "sig1._domainkey"
type = "CNAME"
value = "sig1.dkim.icb4dc0.de.at.icloudmailadmin.com"
}
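Review bot: The wildcard `*` A/AAAA records (65.109.42.5 and 2a01:4f9:c01d:4f1::1) and the `k8s` AAAA record are removed together with the hetznerdns resources but get no `cloudflare_record` counterpart in this hunk, so anything resolved through `*.icb4dc0.de` or `k8s.icb4dc0.de` stops resolving once this is applied; the only replacement visible elsewhere in the commit is the per-node `<name>.k8s` records, and if that is intended a one-line comment on `cloudflare_zone.icb4dc0de` saying so would save the next reader the search. The SPF record keeps the hetznerdns-style escaped quotes, `value = "\"v=spf1 include:icloud.com ~all\""`; as far as I know Cloudflare takes TXT content unquoted and adds its own quoting, so it is worth checking that the published record is not double-quoted and that `tofu plan` stays clean after the first apply. While the mail records are being recreated anyway, the zone still publishes SPF with `~all` and no `_dmarc` TXT record; that is unchanged from before, but it is in scope for this migration.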


@ -1,3 +1,9 @@
resource "null_resource" "cp-config" {
triggers = {
version = var.control_plane_k3s_version
}
}
resource "hcloud_server" "control-plane" {
for_each = var.k3s_control_plane
name = each.key
@ -7,6 +13,10 @@ resource "hcloud_server" "control-plane" {
backups = false
lifecycle {
replace_triggered_by = [ null_resource.cp-config ]
}
ssh_keys = [
hcloud_ssh_key.provisioning_key.id,
hcloud_ssh_key.default.id
@ -25,7 +35,7 @@ resource "hcloud_server" "control-plane" {
public_net {
ipv4_enabled = true
ipv6_enabled = false
ipv6_enabled = true
}
# boot into rescue OS
@ -34,7 +44,7 @@ resource "hcloud_server" "control-plane" {
connection {
host = self.ipv4_address
private_key = tls_private_key.provisioning.private_key_pem
timeout = "2m"
timeout = "5m"
}
provisioner "file" {
@ -68,6 +78,28 @@ resource "hcloud_server" "control-plane" {
}
}
resource "cloudflare_record" "cp-host-ipv4" {
for_each = var.k3s_control_plane
depends_on = [ hcloud_server.control-plane ]
zone_id = cloudflare_zone.icb4dc0de.id
name = "${each.key}.k8s"
type = "A"
value = hcloud_server.control-plane[each.key].ipv4_address
}
resource "cloudflare_record" "cp-host-ipv6" {
for_each = var.k3s_control_plane
depends_on = [ hcloud_server.control-plane ]
zone_id = cloudflare_zone.icb4dc0de.id
name = "${each.key}.k8s"
type = "AAAA"
value = hcloud_server.control-plane[each.key].ipv6_address
}
data "ct_config" "machine-ignitions-cp" {
for_each = var.k3s_control_plane
strict = true
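Review bot: `replace_triggered_by = [ null_resource.cp-config ]` turns every change of `var.control_plane_k3s_version` into a destroy-and-recreate of each `hcloud_server.control-plane` instance in the same apply, and with no `create_before_destroy` every control-plane node goes down at once; if the cluster datastore lives on these nodes (not visible here) a version bump is a cluster rebuild rather than an upgrade, so the `lifecycle` block should carry a comment stating that this is intended, or the README should describe a per-node targeted apply. The same pattern is introduced for workers in the next file via `null_resource.worker-config`. In the two new `cloudflare_record` resources, `depends_on = [ hcloud_server.control-plane ]` is redundant because `value` already references `hcloud_server.control-plane[each.key].ipv4_address` / `ipv6_address`, and the explicit form additionally makes every record wait for all servers. Those records publish each control-plane node's public IPv4 and, now that `ipv6_enabled = true`, its IPv6 address under `<name>.k8s`, so the ports reachable on those addresses (in particular the k3s API) should be limited by the hcloud firewall rules, which are outside this hunk. `hcloud_server.control-plane` starts before the hunk and its body ends after it.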


@ -1,3 +1,9 @@
resource "null_resource" "worker-config" {
triggers = {
version = var.worker_k3s_version
}
}
resource "tls_private_key" "provisioning" {
algorithm = "RSA"
rsa_bits = 4096
@ -31,6 +37,10 @@ resource "hcloud_server" "machine" {
backups = false
lifecycle {
replace_triggered_by = [ null_resource.worker-config ]
}
ssh_keys = [
hcloud_ssh_key.provisioning_key.id,
hcloud_ssh_key.default.id
@ -57,7 +67,7 @@ resource "hcloud_server" "machine" {
connection {
host = self.ipv4_address
private_key = tls_private_key.provisioning.private_key_pem
timeout = "2m"
timeout = "5m"
}
provisioner "file" {


@ -1,79 +0,0 @@
resource "hcloud_load_balancer" "k8s_lb" {
name = "k8s-lb"
load_balancer_type = "lb11"
location = "hel1"
}
resource "hcloud_load_balancer_network" "k8s_lb_net" {
load_balancer_id = hcloud_load_balancer.k8s_lb.id
network_id = hcloud_network.k8s_net.id
ip = "172.23.2.5"
}
resource "hcloud_load_balancer_target" "k8s_lb_target" {
type = "label_selector"
label_selector = "node_type=worker"
load_balancer_id = hcloud_load_balancer.k8s_lb.id
use_private_ip = true
}
resource "hcloud_managed_certificate" "icb4dc0de_20230613_001" {
name = "icb4dc0de_20230613_001"
domain_names = [
"icb4dc0.de",
"*.icb4dc0.de",
"*.inetmock.icb4dc0.de",
"*.buildr.icb4dc0.de",
"*.prskr.icb4dc0.de",
"*.fider.icb4dc0.de",
"*.ide.icb4dc0.de",
]
labels = {
}
}
resource "hcloud_load_balancer_service" "k8s_lb_svc_https" {
load_balancer_id = hcloud_load_balancer.k8s_lb.id
protocol = "https"
destination_port = 32080
health_check {
protocol = "tcp"
port = 32080
interval = 5
timeout = 3
retries = 3
http {
domain = "code.icb4dc0.de"
path = "/"
tls = false
status_codes = [
"2??",
"3??"
]
}
}
http {
redirect_http = true
certificates = [
hcloud_managed_certificate.icb4dc0de_20230613_001.id
]
}
}
resource "hcloud_load_balancer_service" "k8s_lb_svc_ssh" {
load_balancer_id = hcloud_load_balancer.k8s_lb.id
protocol = "tcp"
destination_port = 32022
listen_port = 22
health_check {
protocol = "tcp"
port = 32022
interval = 5
timeout = 3
retries = 3
}
}


@ -1,3 +1,7 @@
provider "hcloud" {
token = var.hcloud_token
}
provider "cloudflare" {
api_token = var.cloudflare_api_token
}


@ -1,12 +1,14 @@
#!/usr/bin/env bash
export AWS_ACCESS_KEY=$(rbw get --raw "CloudFlare TFState" | jq -r ".data.username")
export AWS_SECRET_KEY=$(rbw get --raw "CloudFlare TFState" | jq -r ".data.password")
export HETZNER_DNS_API_TOKEN=$(rbw get --raw "Hetzner DNS" | jq -r '.fields[0].value')
export AWS_ACCESS_KEY=$(rbw get -f username "CloudFlare TFState")
export AWS_SECRET_KEY=$(rbw get "CloudFlare TFState")
export HETZNER_DNS_API_TOKEN=$(rbw get -f "API Token" "Hetzner DNS")
export TF_VAR_hcloud_token="$(rbw get "HCloud API")"
export TF_VAR_k3s_token="$(rbw get "K3s Token")"
export TF_VAR_litestream_access_key="$(rbw get --raw "Litestream" | jq -r ".data.username")"
export TF_VAR_litestream_access_key="$(rbw get -f username "Litestream")"
export TF_VAR_litestream_secret_key="$(rbw get "Litestream")"
export TF_VAR_litestream_endpoint="$(rbw get --raw "Litestream" | jq -r ".fields[0].value")"
export TF_VAR_litestream_endpoint="$(rbw get -f Endpoint "Litestream")"
export TF_VAR_cloudflare_api_token="$(rbw get -f "DNS API Token" "CloudFlare")"
export TF_VAR_cloudflare_account_id="$(rbw get -f "Account ID" "CloudFlare")"
tofu $@
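Review bot: `export HETZNER_DNS_API_TOKEN=$(rbw get -f "API Token" "Hetzner DNS")` is still fetched and exported although this commit removes the hetznerdns provider, so a credential nothing consumes is placed in the environment of every `tofu` run; drop the line. None of the lookups is checked, and because `export VAR=$(...)` masks the substitution's exit status even under `set -e`, a locked vault or a renamed entry (several were renamed here) silently exports an empty value and `tofu` runs with blank credentials; assign first, e.g. `TF_VAR_cloudflare_api_token="$(rbw get -f "DNS API Token" "CloudFlare")"` under `set -euo pipefail`, then `export TF_VAR_cloudflare_api_token`, or reject empty values before calling tofu. The final `tofu $@` should be `tofu "$@"` so arguments containing spaces reach tofu intact.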


@ -1,8 +1,20 @@
variable "hcloud_token" {
type = string
sensitive = true
}
variable "cloudflare_api_token" {
type = string
sensitive = true
}
variable "cloudflare_account_id" {
type = string
sensitive = true
}
variable "k3s_token" {
type = string
sensitive = true
}
@ -27,12 +39,12 @@ variable "litestream_version" {
variable "control_plane_k3s_version" {
type = string
default = "v1.28.4+k3s2"
default = "v1.29.2+k3s1"
}
variable "worker_k3s_version" {
type = string
default = "v1.28.4+k3s2"
default = "v1.29.2+k3s1"
}
variable "k3s_sans" {


@ -17,12 +17,14 @@ terraform {
required_providers {
hcloud = {
source = "hetznercloud/hcloud"
version = "1.44.1"
version = "1.45.0"
}
hetznerdns = {
source = "timohirt/hetznerdns"
version = "2.2.0"
cloudflare = {
source = "cloudflare/cloudflare"
version = "4.26.0"
}
ct = {
source = "poseidon/ct"
version = "0.13.0"


@ -1,5 +1,5 @@
k3s_control_plane = {
"cp1-cax11-hel1-gen3" = {
"cp1-cax11-hel1-gen4" = {
server_type = "cax11",
private_ip = "172.23.2.10"
location = "hel1"
@ -14,19 +14,19 @@ k3s_sans = [
]
k3s_workers = {
"w1-cx21-hel1-gen1" = {
"w1-cx21-hel1-gen2" = {
server_type = "cx21"
private_ip = "172.23.2.20"
location = "hel1"
}
"w2-cax21-hel1-gen6" = {
"w2-cax21-hel1-gen7" = {
server_type = "cax21"
private_ip = "172.23.2.21"
location = "hel1"
}
"w3-cax21-hel1-gen6" = {
"w3-cax21-hel1-gen7" = {
server_type = "cax21"
private_ip = "172.23.2.22"
location = "hel1"