Define a basic but working complete k3s-kubernetes setup

2025-03-10 01:21:02 +01:00
parent 2d93766c09
commit 1eb2ce341a
11 changed files with 404 additions and 32 deletions
--- a/modules/hetzner/kubernetes/agent-init.yaml.tftpl
+++ b/modules/hetzner/kubernetes/agent-init.yaml.tftpl
@@ -0,0 +1,25 @@
+#cloud-config
+packages:
+- curl
+users:
+- name: cluster
+  shell: /bin/bash
+runcmd:
+# configure correct routing via NAT
+- ip route add default via ${network_gateway}
+- NIC=$(ifconfig | grep -q enp7s0 && echo enp7s0 || echo ens10)
+- echo "[Match]" > /etc/systemd/network/10-$NIC.network
+- echo "Name=$NIC" >> /etc/systemd/network/10-$NIC.network
+- echo "[Network]" >> /etc/systemd/network/10-$NIC.network
+- echo "DHCP=yes" >> /etc/systemd/network/10-$NIC.network
+- echo "Gateway=${network_gateway}" >> /etc/systemd/network/10-$NIC.network
+- sed -e "s/#DNS=/DNS=${dns_servers}/" -i /etc/systemd/resolved.conf
+- systemctl restart systemd-resolved
+# update system dependency-lists
+- apt-get update -y
+# install k3s but do not start yet
+- curl -sfL https://get.k3s.io | tee install-k3s | INSTALL_K3S_SKIP_ENABLE=true sh -s -
+# wait for the server node to be ready by trying to connect to it
+- until curl -k https://${server_ip}:6443; do sleep 5; done
+# Enable and start k3s-agent
+- cat install-k3s | K3S_TOKEN=${k3s_token} sh -s - agent --server https://${server_ip}:6443
--- a/modules/hetzner/kubernetes/main.tf
+++ b/modules/hetzner/kubernetes/main.tf
@@ -0,0 +1,141 @@
+locals {
+  network           = "10.0.0.0/16"
+  subnet_eu_central = "10.0.0.0/24"
+  servers = {
+    for idx, config in var.servers : "${var.name}-server-${idx + 1}" => merge(
+      config,
+      {
+        ip       = cidrhost(local.subnet_eu_central, idx + 2)
+        first_ip = idx == 0 ? "" : cidrhost(local.subnet_eu_central, 2)
+      }
+    )
+  }
+  agents = merge([
+    for idx, config in var.agents : {
+      for n in range(0, config.count) : "${var.name}-agent-${idx + 1}-${n + 1}" => merge(
+        config,
+        { ip = cidrhost(local.subnet_eu_central, 255 - (idx * 20) - n - 1) }
+      )
+    }
+  ]...)
+}
+
+resource "hcloud_network" "this" {
+  name     = var.name
+  ip_range = local.network
+}
+
+resource "hcloud_network_subnet" "this" {
+  type         = "cloud"
+  network_id   = hcloud_network.this.id
+  network_zone = "eu-central"
+  ip_range     = local.subnet_eu_central
+}
+
+resource "hcloud_network_route" "this" {
+  network_id  = hcloud_network.this.id
+  destination = "0.0.0.0/0"
+  gateway     = cidrhost(local.subnet_eu_central, 2)
+}
+
+resource "random_string" "k3s_token" {
+  length  = 100
+  special = false
+}
+
+resource "hcloud_firewall" "this" {
+  name = var.name
+  rule {
+    direction = "in"
+    protocol = "icmp"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+  rule {
+    direction = "in"
+    protocol = "tcp"
+    port = "22"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+  rule {
+    direction = "in"
+    protocol = "tcp"
+    port = "80"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+  rule {
+    direction = "in"
+    protocol = "tcp"
+    port = "443"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+  rule {
+    direction = "in"
+    protocol = "tcp"
+    port = "6443"
+    source_ips = concat([local.network], var.development_ips)
+  }
+  dynamic "rule" {
+    for_each = length(var.development_ips) == 0 ? {} : { ips = 1 }
+    content {
+      direction = "in"
+      protocol = "tcp"
+      port = "1022"
+      source_ips = var.development_ips
+    }
+  }
+}
+
+resource "hcloud_server" "server" {
+  depends_on  = [hcloud_network_subnet.this]
+  for_each    = local.servers
+  name        = each.key
+  image       = "ubuntu-24.04"
+  server_type = each.value.type
+  location    = each.value.location
+  ssh_keys    = var.ssh_keys
+  public_net {
+    ipv4 = each.value.ipv4_id
+    ipv6 = each.value.ipv6_id
+  }
+  network {
+    network_id = hcloud_network.this.id
+    ip         = each.value.ip
+  }
+  user_data = templatefile(
+    "${path.module}/server-init.yaml.tftpl",
+    {
+      network_ip_range = local.network
+      k3s_token        = random_string.k3s_token.result
+      first_ip         = each.value.first_ip
+    }
+  )
+  firewall_ids = [hcloud_firewall.this.id]
+}
+
+resource "hcloud_server" "agent" {
+  depends_on = [hcloud_server.server]
+  for_each   = local.agents
+
+  name        = each.key
+  image       = "ubuntu-24.04"
+  server_type = each.value.type
+  location    = each.value.location
+  ssh_keys    = var.ssh_keys
+  public_net {
+    ipv4_enabled = false
+    ipv6_enabled = false
+  }
+  network {
+    network_id = hcloud_network.this.id
+    ip         = each.value.ip
+  }
+  user_data = templatefile(
+    "${path.module}/agent-init.yaml.tftpl",
+    {
+      server_ip       = cidrhost(local.subnet_eu_central, 2)
+      network_gateway = cidrhost(local.subnet_eu_central, 1)
+      dns_servers     = "8.8.8.8 8.8.4.4"
+      k3s_token       = random_string.k3s_token.result
+    }
+  )
+}
--- a/modules/hetzner/kubernetes/outputs.tf
+++ b/modules/hetzner/kubernetes/outputs.tf
--- a/modules/hetzner/kubernetes/server-init.yaml.tftpl
+++ b/modules/hetzner/kubernetes/server-init.yaml.tftpl
@@ -0,0 +1,29 @@
+#cloud-config
+packages:
+- curl
+users:
+- name: cluster
+  shell: /bin/bash
+runcmd:
+# update system dependency-lists
+- apt-get update -y
+# configure NAT
+- echo '#!/bin/bash' > /etc/networkd-dispatcher/routable.d/10-eth0-post-up
+- echo 'echo 1 > /proc/sys/net/ipv4/ip_forward' >> /etc/networkd-dispatcher/routable.d/10-eth0-post-up
+- echo 'iptables -t nat -A POSTROUTING -s ${network_ip_range} -o eth0 -j MASQUERADE' >> /etc/networkd-dispatcher/routable.d/10-eth0-post-up
+- chmod +x /etc/networkd-dispatcher/routable.d/10-eth0-post-up
+- /etc/networkd-dispatcher/routable.d/10-eth0-post-up
+# install k3s but do not start yet
+- curl -sfL https://get.k3s.io | tee install-k3s | INSTALL_K3S_SKIP_ENABLE=true sh -s -
+%{ if first_ip != "" ~}
+- until curl -k https://${first_ip}:6443; do sleep 5; done
+%{ endif ~}
+# Enable and start k3s-server
+%{ if first_ip == "" ~}
+- cat install-k3s | K3S_TOKEN=${k3s_token} sh -s - server --cluster-init
+%{~ else ~}
+- cat install-k3s | INSTALL_K3S_SKIP_DOWNLOAD=true K3S_TOKEN=${k3s_token} sh -s - server --server https://${first_ip}:6443
+%{~ endif }
+- chown cluster:cluster /etc/rancher/k3s/k3s.yaml
+- chown cluster:cluster /var/lib/rancher/k3s/server
+- chown cluster:cluster /var/lib/rancher/k3s/server/node-token
--- a/modules/hetzner/kubernetes/variables.tf
+++ b/modules/hetzner/kubernetes/variables.tf
@@ -0,0 +1,29 @@
+variable "name" {
+  type = string
+}
+
+variable "ssh_keys" {
+  type = list(string)
+}
+
+variable "servers" {
+  type = list(object({
+    ipv4_id  = number
+    ipv6_id  = number
+    type     = string
+    location = string
+  }))
+}
+
+variable "agents" {
+  type = list(object({
+    count    = optional(number, 1)
+    type     = string
+    location = string
+  }))
+}
+
+variable "development_ips" {
+  type    = list(string)
+  default = []
+}
--- a/modules/hetzner/kubernetes/versions.tf
+++ b/modules/hetzner/kubernetes/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    hcloud = {
+      source = "hetznercloud/hcloud"
+      version = "1.50.0"
+    }
+    random = {
+      source = "hashicorp/random"
+      version = "3.7.1"
+    }
+  }
+}
+
+