Applying this change gives the Kubernetes cluster a Gitea server. Note that I use a custom image, which I still have to automate. The customization is necessary because I use AsciiDoc very often and the default Gitea image doesn't render these files, which makes reading them on the web cumbersome.
Hetzer Infra
This repository is meant to set up my Kubernetes cluster on Hetzner Cloud. The setup is split into two dedicated parts:
- Create the necessary machines in Hetzner Cloud via terraform.
- Install/upgrade the Kubernetes cluster and other software via ansible.
TL;DR
terraform init
terraform apply
sleep 300 # Wait 5 minutes, since the machines sometimes start slowly
ansible-galaxy install -r requirements.yml
ansible-playbook site.yml
Preparation
- Ensure terraform is installed
- Ensure ansible is installed
Setup
The project is split into different steps, each responsible for a different task.
terraform
I use terraform to provision the infrastructure required to run a Kubernetes cluster.
Make sure config.auto.tfvars with all the needed configuration secrets is present, otherwise the module cannot be applied!
The file is kept safely in the password manager rather than in the repository.
terraform init (1)
terraform apply (2)
(1) Initialize the terraform modules if necessary
(2) Set up the infrastructure and create/update inventory.ini
The setup takes longer than the terraform apply itself: terraform returns as soon as the machines have been provisioned, but at that point they have not finished booting yet.
As a rule of thumb, wait about 5 minutes after the apply before doing any further work.
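The gap between terraform apply and the ansible run is a readiness problem, not a fixed delay, so instead of the blind sleep 300 from the TL;DR a script can poll the hosts that terraform wrote into inventory.ini until their SSH port accepts connections. The script below is an added example and not part of the repository; it assumes inventory.ini is INI-style with one host per line carrying ansible_host=... and optionally ansible_port=... (the exact layout terraform writes is not shown here), and it defaults the SSH port to 1022, the non-standard port mentioned in the Responsibilities section.

```shell
#!/bin/sh
# Added example, not part of the repository: replace the blind `sleep 300` between
# `terraform apply` and `ansible-playbook` with a readiness check that waits until
# every host in inventory.ini accepts TCP connections on its SSH port.
# Assumptions: inventory.ini is INI-style with one host per line carrying
# ansible_host=... and optionally ansible_port=... (layout assumed, not taken from
# the README), and the default SSH port is 1022.
set -eu

# Print "host port" for every host line in an inventory file.
# $1 = inventory file, $2 = default SSH port (1022 if omitted).
inventory_hosts() {
  awk -v dp="${2:-1022}" '
    /^\[/               { next }   # group headers like [server]
    /^[[:space:]]*$/    { next }   # blank lines
    /^[[:space:]]*[#;]/ { next }   # comments
    {
      host = ""; port = dp
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "ansible_host") host = kv[2]
        if (kv[1] == "ansible_port") port = kv[2]
      }
      if (host != "") print host, port
    }' "$1"
}

# Return 0 as soon as a TCP connect to $1:$2 succeeds; give up after $3 tries
# spaced $4 seconds apart (defaults: 60 tries, 5 s). Uses bash's /dev/tcp so no
# netcat is required; `timeout` bounds a connect that hangs on a filtered port.
wait_for_tcp() {
  host="$1"; port="$2"; max_tries="${3:-60}"; delay="${4:-5}"
  i=0
  while [ "$i" -lt "$max_tries" ]; do
    if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# Wait for every host in the inventory; fail loudly instead of running ansible
# against a machine that is still booting.
wait_for_inventory() {
  while read -r host port; do
    [ -n "$host" ] || continue
    echo "waiting for $host:$port ..."
    wait_for_tcp "$host" "$port" || { echo "timeout waiting for $host:$port" >&2; return 1; }
  done <<EOF
$(inventory_hosts "$1")
EOF
}

# Usage: ./wait-and-deploy.sh inventory.ini
if [ -n "${1:-}" ]; then
  wait_for_inventory "$1" && ansible-playbook site.yml
fi
```

The check only proves that sshd answers on the port, which is exactly what ansible needs; it deliberately does not try to authenticate, so it works before any SSH key exchange and does not add known_hosts entries on its own. With the default 60 tries at 5 seconds it gives up after the same 5 minutes the README suggests, but returns immediately once the machines are up.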
ansible
Use ansible to set up a k3s installation and provide a set of foundational services in the cluster. The provided services are:
- cert-manager: allows issuing TLS certificates. The certificates are issued via Let's Encrypt, against either its staging or its production environment.
- minio: lets me store data in an object storage. TODO: Not set up yet!
- concourse-ci: a powerful CI service which I like to use to automate all kinds of workloads. TODO: Not set up yet!
- gitea: my personal favourite git server. TODO: Not set up yet!
- snappass: a secure and reliable tool to share passwords. TODO: Not set up yet!
The k3s setup requires an inventory.ini, which is created automatically by terraform.
So make sure to apply the infra at least once before running these playbooks.
ansible-galaxy install -r requirements.yml (1)
ansible-playbook site.yml (2)
(1) Install the ansible collections required to create a k3s cluster (can be omitted in subsequent runs)
(2) Install k3s and download the kube config to .kube/config
Warning: the second step overwrites any existing kube config, which may destroy existing settings! Back up ~/.kube/config first if you use it for other clusters.
To apply the playbook you may need to install additional packages:
Configured tags
The affected scope of the ansible-playbook can be limited with tags (--tags tag1,tag2):
- init: everything needed for the initial setup
- add-server: everything needed to add a new server to the cluster
- add-agent: everything needed to add a new agent to the cluster
- update: everything needed to update the cluster
- config: everything needed to update the local kube config
- k8s: everything needed to provide the foundational services
Enlarge / Reduce size of cluster
- Increase
  - Adjust the number of agents/servers in your infra/config.auto.tfvars and apply the change with terraform (this regenerates inventory.ini).
  - Then run the k3s ansible playbook again (the add-server / add-agent tags cover exactly this).
- Decrease
  If you want to shrink the cluster, DO NOT reduce the agent count directly, since terraform would destroy a node that still runs workloads! Instead proceed as follows:
  - Open k9s and go to :nodes
  - Select the highest agent and press r to drain it
  - After the drain succeeded, delete the node with Ctrl-d
  - Finally reduce the number of agents in terraform and apply the change
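The same drain-then-delete procedure with kubectl instead of k9s, as an added example that is not part of the repository. It assumes agent nodes are named agent-<n> (a naming convention assumed here, not stated above) and that terraform destroys the highest index when the count is reduced, so that is the node to evict first; note that a plain sort would rank agent-9 above agent-10, which is why the suffix is compared numerically.

```shell
#!/bin/sh
# Added example, not part of the repository: drain and delete the agent that
# terraform will destroy next, using kubectl instead of k9s.
# Assumptions: agent nodes are named agent-<n> (assumed naming, not from the
# README) and terraform removes the highest index when the count is lowered.
set -eu

# Given node names on stdin, print the agent with the highest numeric suffix.
# `sort` on the whole name would put agent-9 after agent-10, so sort on the
# number after the dash instead.
highest_agent() {
  grep '^agent-[0-9][0-9]*$' | sort -t- -k2,2n | tail -n 1
}

# Cordon, drain and delete one node. drain blocks until the pods are evicted;
# --ignore-daemonsets is needed because DaemonSet pods cannot be evicted, and
# --delete-emptydir-data accepts losing emptyDir scratch data on that node.
remove_node() {
  node="$1"
  kubectl cordon "$node"
  kubectl drain "$node" --ignore-daemonsets --delete-emptydir-data --timeout=300s
  kubectl delete node "$node"
}

# Usage: ./shrink.sh --run
# Afterwards lower the agent count in infra/config.auto.tfvars and run terraform apply.
if [ "${1:-}" = "--run" ]; then
  node=$(kubectl get nodes -o name | sed 's#^node/##' | highest_agent)
  [ -n "$node" ] || { echo "no agent-* node found" >&2; exit 1; }
  remove_node "$node"
fi
```

Run it once per node you want to remove, then reduce the count in terraform; removing the node object from Kubernetes before terraform destroys the VM keeps the cluster from reporting a NotReady node that no longer exists.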
Responsibilities
- terraform
  - Creation of the network for the Kubernetes cluster
    - A public subnet exposed to the internet for the Kubernetes servers
    - A private subnet for the Kubernetes agents
  - Routing between the networks
  - Firewall rules that block all inbound traffic to the servers except:
    - ping (protocol icmp)
    - the Kubernetes API (usually port 6443)
    - ssh (I prefer a non-standard port, usually port 1022)
    - public services, e.g. http and https (ports 80 and 443), but also git-ssh (port 22)
  - Creating the machines for the Kubernetes servers in the public subnet
  - Creating the machines for the Kubernetes agents in the private subnet
  - Creating DNS records in Hetzner Cloud
- ansible
  - Setting up SSH connections
  - Setting up routing on all servers
  - Installing k3s
  - Keeping the software up to date
  - Adding the foundational services to the cluster
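The firewall allow-list above, written as an hcloud_firewall resource. This is an added example, not the repository's own terraform: it assumes the hcloud provider is configured elsewhere, that the server machines carry a label role=server, and it introduces a variable admin_cidrs so that SSH and the Kubernetes API can be restricted to known addresses while the public services stay open to everyone.

```hcl
# Added example (not the repository's own terraform): an hcloud_firewall that
# allow-lists exactly the inbound traffic listed under Responsibilities.
# Assumptions: hcloud provider configured elsewhere; server VMs labelled
# role=server; var.admin_cidrs is introduced here and not part of the repo.

variable "admin_cidrs" {
  description = "Addresses allowed to reach SSH and the Kubernetes API. Narrow this to your own networks where possible."
  type        = list(string)
  default     = ["0.0.0.0/0", "::/0"]
}

locals {
  anywhere = ["0.0.0.0/0", "::/0"]
}

resource "hcloud_firewall" "servers" {
  name = "k8s-servers"

  # Once attached, a Hetzner Cloud firewall drops all inbound traffic that no
  # rule permits, so the rules below are the complete list of reachable ports.

  # ping
  rule {
    direction  = "in"
    protocol   = "icmp"
    source_ips = local.anywhere
  }

  # kubernetes api
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "6443"
    source_ips = var.admin_cidrs
  }

  # ssh on the non-standard port
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "1022"
    source_ips = var.admin_cidrs
  }

  # http
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "80"
    source_ips = local.anywhere
  }

  # https
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "443"
    source_ips = local.anywhere
  }

  # git-ssh served by gitea
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = local.anywhere
  }

  apply_to {
    label_selector = "role=server"
  }
}
```

Two things to check after applying: Hetzner Cloud firewalls only filter the public interface, so traffic between servers and agents on the private subnet is not covered by these rules and relies on the private network being unreachable from outside; and because sshd listens on 1022 while port 22 is open for git-ssh, make sure the host's sshd really is bound to 1022 only, otherwise the firewall exposes the admin SSH service on the port intended for Gitea.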