feat: upgrade K8s to 1.29
- replace Hetzner DNS with CloudFlare
This commit is contained in:
parent
b1c0e83887
commit
9bd3f45172
9 changed files with 115 additions and 177 deletions
|
@ -1,91 +1,46 @@
|
||||||
resource "hetznerdns_zone" "icb4dc0de" {
|
resource "cloudflare_zone" "icb4dc0de" {
|
||||||
name = "icb4dc0.de"
|
account_id = var.cloudflare_account_id
|
||||||
ttl = 86400
|
zone = "icb4dc0.de"
|
||||||
|
|
||||||
|
lifecycle {
|
||||||
|
ignore_changes = [ account_id ]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "hetznerdns_record" "ns_primary" {
|
resource "cloudflare_record" "mx_primary" {
|
||||||
zone_id = hetznerdns_zone.icb4dc0de.id
|
zone_id = cloudflare_zone.icb4dc0de.id
|
||||||
name = "@"
|
name = "@"
|
||||||
type = "NS"
|
type = "MX"
|
||||||
value = "helium.ns.hetzner.de."
|
value = "mx01.mail.icloud.com"
|
||||||
|
priority = 10
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "hetznerdns_record" "ns_secondary" {
|
|
||||||
zone_id = hetznerdns_zone.icb4dc0de.id
|
resource "cloudflare_record" "mx_secondary" {
|
||||||
name = "@"
|
zone_id = cloudflare_zone.icb4dc0de.id
|
||||||
type = "NS"
|
name = "@"
|
||||||
value = "oxygen.ns.hetzner.com."
|
type = "MX"
|
||||||
|
value = "mx02.mail.icloud.com"
|
||||||
|
priority = 10
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "hetznerdns_record" "ns_ternary" {
|
resource "cloudflare_record" "apple_proof" {
|
||||||
zone_id = hetznerdns_zone.icb4dc0de.id
|
zone_id = cloudflare_zone.icb4dc0de.id
|
||||||
name = "@"
|
name = "@"
|
||||||
type = "NS"
|
type = "TXT"
|
||||||
value = "hydrogen.ns.hetzner.com."
|
value = "apple-domain=chwbVvzH8hWIgg1l"
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "hetznerdns_record" "soa" {
|
resource "cloudflare_record" "apple_spf" {
|
||||||
zone_id = hetznerdns_zone.icb4dc0de.id
|
zone_id = cloudflare_zone.icb4dc0de.id
|
||||||
name = "@"
|
name = "@"
|
||||||
type = "SOA"
|
type = "TXT"
|
||||||
value = "hydrogen.ns.hetzner.com. dns.hetzner.com. 2023120305 86400 10800 3600000 3600"
|
value = "\"v=spf1 include:icloud.com ~all\""
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "hetznerdns_record" "mx_primary" {
|
resource "cloudflare_record" "apple_sig_domainkey" {
|
||||||
zone_id = hetznerdns_zone.icb4dc0de.id
|
zone_id = cloudflare_zone.icb4dc0de.id
|
||||||
name = "@"
|
name = "sig1._domainkey"
|
||||||
type = "MX"
|
type = "CNAME"
|
||||||
value = "10 mx01.mail.icloud.com."
|
value = "sig1.dkim.icb4dc0.de.at.icloudmailadmin.com"
|
||||||
}
|
|
||||||
|
|
||||||
resource "hetznerdns_record" "mx_secondary" {
|
|
||||||
zone_id = hetznerdns_zone.icb4dc0de.id
|
|
||||||
name = "@"
|
|
||||||
type = "MX"
|
|
||||||
value = "10 mx02.mail.icloud.com."
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "hetznerdns_record" "apple_proof" {
|
|
||||||
zone_id = hetznerdns_zone.icb4dc0de.id
|
|
||||||
name = "@"
|
|
||||||
type = "TXT"
|
|
||||||
value = "apple-domain=chwbVvzH8hWIgg1l"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "hetznerdns_record" "apple_spf" {
|
|
||||||
zone_id = hetznerdns_zone.icb4dc0de.id
|
|
||||||
name = "@"
|
|
||||||
type = "TXT"
|
|
||||||
value = "\"v=spf1 include:icloud.com ~all\""
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "hetznerdns_record" "apple_sig_domainkey" {
|
|
||||||
zone_id = hetznerdns_zone.icb4dc0de.id
|
|
||||||
name = "sig1._domainkey"
|
|
||||||
type = "CNAME"
|
|
||||||
value = "sig1.dkim.icb4dc0.de.at.icloudmailadmin.com."
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "hetznerdns_record" "wildcard_ipv4" {
|
|
||||||
zone_id = hetznerdns_zone.icb4dc0de.id
|
|
||||||
name = "*"
|
|
||||||
type = "A"
|
|
||||||
value = "65.109.42.5"
|
|
||||||
ttl = 300
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "hetznerdns_record" "wildcard_ipv6" {
|
|
||||||
zone_id = hetznerdns_zone.icb4dc0de.id
|
|
||||||
name = "*"
|
|
||||||
type = "AAAA"
|
|
||||||
value = "2a01:4f9:c01d:4f1::1"
|
|
||||||
ttl = 300
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "hetznerdns_record" "k8s" {
|
|
||||||
zone_id = hetznerdns_zone.icb4dc0de.id
|
|
||||||
name = "k8s"
|
|
||||||
type = "AAAA"
|
|
||||||
value = "2a01:4f9:c012:7d4b::1"
|
|
||||||
ttl = 60
|
|
||||||
}
|
}
|
|
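Review bot: The two TXT records in this hunk disagree on quoting — `apple_proof` passes `apple-domain=…` bare while `apple_spf` keeps the Hetzner-style escaped quotes, `value = "\"v=spf1 include:icloud.com ~all\""`. The Cloudflare provider hands TXT content to the API as given, so depending on how the API normalises it the published string may carry literal quote characters, in which case no receiver sees a valid `v=spf1` prefix and the domain silently loses SPF; after apply, `dig TXT icb4dc0.de` should show exactly `"v=spf1 include:icloud.com ~all"`, and if it does not the value should become `value = "v=spf1 include:icloud.com ~all"`. Also worth noting that `lifecycle { ignore_changes = [ account_id ] }` on the zone hides a change of owning account from plan, so a zone moved to another account would not be flagged, and the zone still publishes no `_dmarc` TXT record, the usual companion to the SPF and DKIM records this hunk migrates.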
@ -1,3 +1,9 @@
|
||||||
|
resource "null_resource" "cp-config" {
|
||||||
|
triggers = {
|
||||||
|
version = var.control_plane_k3s_version
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "hcloud_server" "control-plane" {
|
resource "hcloud_server" "control-plane" {
|
||||||
for_each = var.k3s_control_plane
|
for_each = var.k3s_control_plane
|
||||||
name = each.key
|
name = each.key
|
||||||
|
@ -7,6 +13,10 @@ resource "hcloud_server" "control-plane" {
|
||||||
|
|
||||||
backups = false
|
backups = false
|
||||||
|
|
||||||
|
lifecycle {
|
||||||
|
replace_triggered_by = [ null_resource.cp-config ]
|
||||||
|
}
|
||||||
|
|
||||||
ssh_keys = [
|
ssh_keys = [
|
||||||
hcloud_ssh_key.provisioning_key.id,
|
hcloud_ssh_key.provisioning_key.id,
|
||||||
hcloud_ssh_key.default.id
|
hcloud_ssh_key.default.id
|
||||||
|
@ -25,7 +35,7 @@ resource "hcloud_server" "control-plane" {
|
||||||
|
|
||||||
public_net {
|
public_net {
|
||||||
ipv4_enabled = true
|
ipv4_enabled = true
|
||||||
ipv6_enabled = false
|
ipv6_enabled = true
|
||||||
}
|
}
|
||||||
|
|
||||||
# boot into rescue OS
|
# boot into rescue OS
|
||||||
|
@ -34,7 +44,7 @@ resource "hcloud_server" "control-plane" {
|
||||||
connection {
|
connection {
|
||||||
host = self.ipv4_address
|
host = self.ipv4_address
|
||||||
private_key = tls_private_key.provisioning.private_key_pem
|
private_key = tls_private_key.provisioning.private_key_pem
|
||||||
timeout = "2m"
|
timeout = "5m"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
|
@ -68,6 +78,28 @@ resource "hcloud_server" "control-plane" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "cloudflare_record" "cp-host-ipv4" {
|
||||||
|
for_each = var.k3s_control_plane
|
||||||
|
|
||||||
|
depends_on = [ hcloud_server.control-plane ]
|
||||||
|
|
||||||
|
zone_id = cloudflare_zone.icb4dc0de.id
|
||||||
|
name = "${each.key}.k8s"
|
||||||
|
type = "A"
|
||||||
|
value = hcloud_server.control-plane[each.key].ipv4_address
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "cloudflare_record" "cp-host-ipv6" {
|
||||||
|
for_each = var.k3s_control_plane
|
||||||
|
|
||||||
|
depends_on = [ hcloud_server.control-plane ]
|
||||||
|
|
||||||
|
zone_id = cloudflare_zone.icb4dc0de.id
|
||||||
|
name = "${each.key}.k8s"
|
||||||
|
type = "AAAA"
|
||||||
|
value = hcloud_server.control-plane[each.key].ipv6_address
|
||||||
|
}
|
||||||
|
|
||||||
data "ct_config" "machine-ignitions-cp" {
|
data "ct_config" "machine-ignitions-cp" {
|
||||||
for_each = var.k3s_control_plane
|
for_each = var.k3s_control_plane
|
||||||
strict = true
|
strict = true
|
||||||
|
|
|
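Review bot: `lifecycle { replace_triggered_by = [ null_resource.cp-config ] }` turns every bump of `var.control_plane_k3s_version` (which this commit does, v1.28.4 → v1.29.2) into a destroy-and-recreate of all control-plane servers in a single apply, with no `create_before_destroy` ordering, so whatever cluster state lives on the node is gone unless the provisioning outside this hunk restores it (the Litestream variables suggest that, but it is not visible here). A comment on the lifecycle block should spell that out, e.g. `# version bump => full control-plane replacement; assumes datastore restore on boot`, or the trigger should be gated on an explicit variable rather than the version default. `ipv6_enabled = true` together with the new `cp-host-ipv6` record now publishes a public AAAA for each control-plane node, so any firewall rules guarding the API server and SSH on v4 need matching v6 entries, which are not part of this change. The `depends_on = [ hcloud_server.control-plane ]` in both record resources is redundant, since `value` already references the server and the dependency is derived from it.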
@ -1,3 +1,9 @@
|
||||||
|
resource "null_resource" "worker-config" {
|
||||||
|
triggers = {
|
||||||
|
version = var.worker_k3s_version
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "tls_private_key" "provisioning" {
|
resource "tls_private_key" "provisioning" {
|
||||||
algorithm = "RSA"
|
algorithm = "RSA"
|
||||||
rsa_bits = 4096
|
rsa_bits = 4096
|
||||||
|
@ -31,6 +37,10 @@ resource "hcloud_server" "machine" {
|
||||||
|
|
||||||
backups = false
|
backups = false
|
||||||
|
|
||||||
|
lifecycle {
|
||||||
|
replace_triggered_by = [ null_resource.worker-config ]
|
||||||
|
}
|
||||||
|
|
||||||
ssh_keys = [
|
ssh_keys = [
|
||||||
hcloud_ssh_key.provisioning_key.id,
|
hcloud_ssh_key.provisioning_key.id,
|
||||||
hcloud_ssh_key.default.id
|
hcloud_ssh_key.default.id
|
||||||
|
@ -57,7 +67,7 @@ resource "hcloud_server" "machine" {
|
||||||
connection {
|
connection {
|
||||||
host = self.ipv4_address
|
host = self.ipv4_address
|
||||||
private_key = tls_private_key.provisioning.private_key_pem
|
private_key = tls_private_key.provisioning.private_key_pem
|
||||||
timeout = "2m"
|
timeout = "5m"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
|
|
|
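Review bot: The same `replace_triggered_by = [ null_resource.worker-config ]` pattern here replaces every worker at once when `var.worker_k3s_version` changes, and the shared trigger gives no way to roll one node at a time or drain it first, so all workloads on the cluster go down together during an upgrade. If that is acceptable for this cluster a comment should say so, e.g. `# version bump replaces all workers simultaneously (no drain)`; otherwise a per-node version field in `var.k3s_workers` would let the trigger be bumped node by node. The `hcloud_server.machine` resource starts and ends outside the visible hunks.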
@ -1,79 +0,0 @@
|
||||||
resource "hcloud_load_balancer" "k8s_lb" {
|
|
||||||
name = "k8s-lb"
|
|
||||||
load_balancer_type = "lb11"
|
|
||||||
location = "hel1"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "hcloud_load_balancer_network" "k8s_lb_net" {
|
|
||||||
load_balancer_id = hcloud_load_balancer.k8s_lb.id
|
|
||||||
network_id = hcloud_network.k8s_net.id
|
|
||||||
ip = "172.23.2.5"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "hcloud_load_balancer_target" "k8s_lb_target" {
|
|
||||||
type = "label_selector"
|
|
||||||
label_selector = "node_type=worker"
|
|
||||||
load_balancer_id = hcloud_load_balancer.k8s_lb.id
|
|
||||||
use_private_ip = true
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "hcloud_managed_certificate" "icb4dc0de_20230613_001" {
|
|
||||||
name = "icb4dc0de_20230613_001"
|
|
||||||
domain_names = [
|
|
||||||
"icb4dc0.de",
|
|
||||||
"*.icb4dc0.de",
|
|
||||||
"*.inetmock.icb4dc0.de",
|
|
||||||
"*.buildr.icb4dc0.de",
|
|
||||||
"*.prskr.icb4dc0.de",
|
|
||||||
"*.fider.icb4dc0.de",
|
|
||||||
"*.ide.icb4dc0.de",
|
|
||||||
]
|
|
||||||
labels = {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "hcloud_load_balancer_service" "k8s_lb_svc_https" {
|
|
||||||
load_balancer_id = hcloud_load_balancer.k8s_lb.id
|
|
||||||
protocol = "https"
|
|
||||||
destination_port = 32080
|
|
||||||
|
|
||||||
health_check {
|
|
||||||
protocol = "tcp"
|
|
||||||
port = 32080
|
|
||||||
interval = 5
|
|
||||||
timeout = 3
|
|
||||||
retries = 3
|
|
||||||
|
|
||||||
http {
|
|
||||||
domain = "code.icb4dc0.de"
|
|
||||||
path = "/"
|
|
||||||
tls = false
|
|
||||||
status_codes = [
|
|
||||||
"2??",
|
|
||||||
"3??"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
redirect_http = true
|
|
||||||
certificates = [
|
|
||||||
hcloud_managed_certificate.icb4dc0de_20230613_001.id
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "hcloud_load_balancer_service" "k8s_lb_svc_ssh" {
|
|
||||||
load_balancer_id = hcloud_load_balancer.k8s_lb.id
|
|
||||||
protocol = "tcp"
|
|
||||||
destination_port = 32022
|
|
||||||
listen_port = 22
|
|
||||||
|
|
||||||
health_check {
|
|
||||||
protocol = "tcp"
|
|
||||||
port = 32022
|
|
||||||
interval = 5
|
|
||||||
timeout = 3
|
|
||||||
retries = 3
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,3 +1,7 @@
|
||||||
provider "hcloud" {
|
provider "hcloud" {
|
||||||
token = var.hcloud_token
|
token = var.hcloud_token
|
||||||
}
|
}
|
||||||
|
|
||||||
|
provider "cloudflare" {
|
||||||
|
api_token = var.cloudflare_api_token
|
||||||
|
}
|
|
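Review bot: Because the configuration manages `cloudflare_zone` as a resource, the token passed in `api_token = var.cloudflare_api_token` has to carry account-level zone-create rights, which is considerably broader than the DNS record edits this module actually performs. If the zone already exists it could be read through a `data "cloudflare_zone"` lookup instead, letting the token be scoped to `Zone:DNS:Edit` plus `Zone:Zone:Read` on icb4dc0.de only; either way the required scope should be recorded next to the provider block, e.g. `# token scope: Zone:DNS:Edit + Zone:Zone:Read on icb4dc0.de`.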
@ -1,12 +1,14 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
export AWS_ACCESS_KEY=$(rbw get --raw "CloudFlare TFState" | jq -r ".data.username")
|
export AWS_ACCESS_KEY=$(rbw get -f username "CloudFlare TFState")
|
||||||
export AWS_SECRET_KEY=$(rbw get --raw "CloudFlare TFState" | jq -r ".data.password")
|
export AWS_SECRET_KEY=$(rbw get "CloudFlare TFState")
|
||||||
export HETZNER_DNS_API_TOKEN=$(rbw get --raw "Hetzner DNS" | jq -r '.fields[0].value')
|
export HETZNER_DNS_API_TOKEN=$(rbw get -f "API Token" "Hetzner DNS")
|
||||||
export TF_VAR_hcloud_token="$(rbw get "HCloud API")"
|
export TF_VAR_hcloud_token="$(rbw get "HCloud API")"
|
||||||
export TF_VAR_k3s_token="$(rbw get "K3s Token")"
|
export TF_VAR_k3s_token="$(rbw get "K3s Token")"
|
||||||
export TF_VAR_litestream_access_key="$(rbw get --raw "Litestream" | jq -r ".data.username")"
|
export TF_VAR_litestream_access_key="$(rbw get -f username "Litestream")"
|
||||||
export TF_VAR_litestream_secret_key="$(rbw get "Litestream")"
|
export TF_VAR_litestream_secret_key="$(rbw get "Litestream")"
|
||||||
export TF_VAR_litestream_endpoint="$(rbw get --raw "Litestream" | jq -r ".fields[0].value")"
|
export TF_VAR_litestream_endpoint="$(rbw get -f Endpoint "Litestream")"
|
||||||
|
export TF_VAR_cloudflare_api_token="$(rbw get -f "DNS API Token" "CloudFlare")"
|
||||||
|
export TF_VAR_cloudflare_account_id="$(rbw get -f "Account ID" "CloudFlare")"
|
||||||
|
|
||||||
tofu $@
|
tofu $@
|
|
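Review bot: `export HETZNER_DNS_API_TOKEN=$(rbw get -f "API Token" "Hetzner DNS")` is kept even though the hetznerdns provider is dropped elsewhere in this commit, so a credential nothing consumes is still pulled from the vault and placed in the environment of `tofu` and every process it spawns; the line should be deleted. The script also runs without `set -euo pipefail`, so a failing `rbw get` (locked vault, renamed entry) exports an empty token and the run carries on until a provider rejects it — and because `export VAR=$(cmd)` reports export's status rather than the command's, the fix is to assign first and export second, e.g. `cf_token="$(rbw get -f "DNS API Token" "CloudFlare")"` followed by `export TF_VAR_cloudflare_api_token="$cf_token"`. Finally `tofu $@` should be `tofu "$@"` so arguments containing spaces survive word splitting.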
@ -1,8 +1,20 @@
|
||||||
variable "hcloud_token" {
|
variable "hcloud_token" {
|
||||||
|
type = string
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "cloudflare_api_token" {
|
||||||
|
type = string
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "cloudflare_account_id" {
|
||||||
|
type = string
|
||||||
sensitive = true
|
sensitive = true
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "k3s_token" {
|
variable "k3s_token" {
|
||||||
|
type = string
|
||||||
sensitive = true
|
sensitive = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -27,12 +39,12 @@ variable "litestream_version" {
|
||||||
|
|
||||||
variable "control_plane_k3s_version" {
|
variable "control_plane_k3s_version" {
|
||||||
type = string
|
type = string
|
||||||
default = "v1.28.4+k3s2"
|
default = "v1.29.2+k3s1"
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "worker_k3s_version" {
|
variable "worker_k3s_version" {
|
||||||
type = string
|
type = string
|
||||||
default = "v1.28.4+k3s2"
|
default = "v1.29.2+k3s1"
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "k3s_sans" {
|
variable "k3s_sans" {
|
||||||
|
|
|
@ -17,12 +17,14 @@ terraform {
|
||||||
required_providers {
|
required_providers {
|
||||||
hcloud = {
|
hcloud = {
|
||||||
source = "hetznercloud/hcloud"
|
source = "hetznercloud/hcloud"
|
||||||
version = "1.44.1"
|
version = "1.45.0"
|
||||||
}
|
}
|
||||||
hetznerdns = {
|
|
||||||
source = "timohirt/hetznerdns"
|
cloudflare = {
|
||||||
version = "2.2.0"
|
source = "cloudflare/cloudflare"
|
||||||
|
version = "4.26.0"
|
||||||
}
|
}
|
||||||
|
|
||||||
ct = {
|
ct = {
|
||||||
source = "poseidon/ct"
|
source = "poseidon/ct"
|
||||||
version = "0.13.0"
|
version = "0.13.0"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
k3s_control_plane = {
|
k3s_control_plane = {
|
||||||
"cp1-cax11-hel1-gen3" = {
|
"cp1-cax11-hel1-gen4" = {
|
||||||
server_type = "cax11",
|
server_type = "cax11",
|
||||||
private_ip = "172.23.2.10"
|
private_ip = "172.23.2.10"
|
||||||
location = "hel1"
|
location = "hel1"
|
||||||
|
@ -14,19 +14,19 @@ k3s_sans = [
|
||||||
]
|
]
|
||||||
|
|
||||||
k3s_workers = {
|
k3s_workers = {
|
||||||
"w1-cx21-hel1-gen1" = {
|
"w1-cx21-hel1-gen2" = {
|
||||||
server_type = "cx21"
|
server_type = "cx21"
|
||||||
private_ip = "172.23.2.20"
|
private_ip = "172.23.2.20"
|
||||||
location = "hel1"
|
location = "hel1"
|
||||||
}
|
}
|
||||||
|
|
||||||
"w2-cax21-hel1-gen6" = {
|
"w2-cax21-hel1-gen7" = {
|
||||||
server_type = "cax21"
|
server_type = "cax21"
|
||||||
private_ip = "172.23.2.21"
|
private_ip = "172.23.2.21"
|
||||||
location = "hel1"
|
location = "hel1"
|
||||||
}
|
}
|
||||||
|
|
||||||
"w3-cax21-hel1-gen6" = {
|
"w3-cax21-hel1-gen7" = {
|
||||||
server_type = "cax21"
|
server_type = "cax21"
|
||||||
private_ip = "172.23.2.22"
|
private_ip = "172.23.2.22"
|
||||||
location = "hel1"
|
location = "hel1"
|
||||||
|
|