# Copyright 2024, identinet GmbH. All rights reserved.
# SPDX-License-Identifier: MIT
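locals {
  # Packages installed on every node before k3s is set up: haproxy fronts the
  # control plane locally (local.k8s_ha_host:local.k8s_ha_port), fail2ban backs
  # the world-reachable SSH port opened in security_setup, unattended-upgrades
  # keeps the base OS patched, jq/ca-certificates support the helper scripts.
  # See https://linuxopsys.com/topics/ubuntu-automatic-updates
  base_packages = [
    "ca-certificates",
    "fail2ban",
    "haproxy",
    "jq",
    "unattended-upgrades",
  ]
  # Pod and service CIDRs carved out of var.network_cidr.
  # NOTE(review): the "- 8" assumes var.network_cidr has a /8 prefix; for any
  # other prefix length the newbits argument is off — confirm in variables.tf.
  cluster_cidr_network = cidrsubnet(var.network_cidr, var.cluster_cidr_network_bits - 8, var.cluster_cidr_network_offset)
  service_cidr_network = cidrsubnet(var.network_cidr, var.service_cidr_network_bits - 8, var.service_cidr_network_offset)
  # cmd_node_external_ip = "$(ip -4 -j a s dev eth0 | jq '.[0].addr_info[0].local' -r),$(ip -6 -j a s dev eth0 | jq '.[0].addr_info[0].local' -r)"
  # Every node advertises the gateway's public IPv4 as its external address
  # (passed via --node-external-ip in common_arguments below).
  cmd_node_external_ip = hcloud_server.gateway.ipv4_address
  # kube-apiserver OIDC flags, only rendered when var.oidc_enabled is true.
  # NOTE(review): neither oidc-username-prefix nor oidc-groups-prefix is set,
  # so user and group names are taken verbatim from the token claims; an IdP
  # group literally named "system:masters" would then map onto the built-in
  # cluster-admin group. Consider adding prefixes before binding RBAC to IdP
  # groups.
  kube-apiserver-args = var.oidc_enabled ? {
    oidc-username-claim = "email"
    oidc-groups-claim   = "groups"
    oidc-issuer-url     = var.oidc_issuer_url
    oidc-client-id      = var.oidc_client_id
  } : {}
  # First host of the private network (the gateway's private address).
  default_gateway = cidrhost(var.network_cidr, 1)
  # Installs nushell (used by the haproxy-k8s unit, defined outside this file)
  # and points haproxy at the haproxy.d drop-in directory. Shell snippet that
  # is rendered onto the node by the caller.
  haproxy_setup = <<-EOT
    export NU_VERSION="${var.nu_version}"
    # -f makes curl fail on an HTTP error instead of saving the error page as
    # the tarball. NOTE(review): the release asset is not verified against a
    # checksum or signature; pinning NU_VERSION alone does not detect a
    # tampered or replaced asset.
    curl -fLo /tmp/nu.tar.gz "https://github.com/nushell/nushell/releases/download/$NU_VERSION/nu-$NU_VERSION-x86_64-unknown-linux-gnu.tar.gz"
    tar xvzfC /tmp/nu.tar.gz /tmp "nu-$NU_VERSION-x86_64-unknown-linux-gnu/nu"
    mv "/tmp/nu-$NU_VERSION-x86_64-unknown-linux-gnu/nu" /usr/local/bin
    mkdir -p /etc/haproxy/haproxy.d
    echo 'EXTRAOPTS="-f /etc/haproxy/haproxy.d"' >> /etc/default/haproxy
    systemctl restart haproxy
    systemctl enable --now haproxy-k8s.timer
    systemctl start haproxy-k8s
  EOT
  # Node hardening: drop Hetzner's hc-utils, key-only SSH, default-deny
  # inbound firewall. Runs under "set -eu", so any failing step aborts.
  security_setup = <<-EOT
    set -eu
    # Remove hc-utils package due to the conflict it causes between dhcpd and systemd-networkd https://github.com/identiops/terraform-hcloud-k3s/issues/27
    dpkg -r hc-utils
    # SSH: root only with a key, no password logins at all.
    # NOTE(review): on images whose sshd_config starts with
    # "Include /etc/ssh/sshd_config.d/*.conf", a directive in a drop-in
    # (e.g. one written by cloud-init) takes precedence over these edits.
    # Verify the effective values with "sshd -T" on a deployed node.
    sed -i -e 's/^#*PermitRootLogin .*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
    sed -i -e 's/^#*PasswordAuthentication .*/PasswordAuthentication no/g' /etc/ssh/sshd_config
    # Validate the edited config first so a bad edit aborts the setup
    # (set -e) instead of leaving sshd down after the restart.
    /usr/sbin/sshd -t
    systemctl restart ssh
    # Firewall - all other ports are opened automatically by kubernetes
    # NOTE(review): SSH is allowed from any source. Key-only auth and fail2ban
    # mitigate this; restricting the source to an admin range would be
    # stronger should the module ever expose such a variable.
    ufw allow proto tcp from any to any port 22
    ufw default deny incoming
    ufw default allow outgoing
    ufw --force enable
    systemctl restart systemd-networkd.service
  EOT
  # Required open ports, see https://kubernetes.io/docs/reference/networking/ports-and-protocols/
  # + 4244 for Cilium hubble https://docs.cilium.io/en/stable/observability/hubble/setup/
  # NOTE(review): all of these rules allow from "any". That is only acceptable
  # if the nodes have no public interface of their own (they appear to sit
  # behind the gateway, cf. cmd_node_external_ip); etcd (2379-2380) and the
  # kubelet (10250) must never be reachable from outside the cluster network.
  control_plane_k8s_security_setup = <<-EOT
    ufw allow proto tcp from any to any port 2379:2380,6443,10257,10259
  EOT
  k8s_security_setup = <<-EOT
    ufw allow proto tcp from any to any port 4244
    ufw allow proto tcp from any to any port 10250
    ufw allow proto tcp from any to any port 30000:32767
    # Audit log directory, if required. See https://docs.k3s.io/security/hardening-guide
    # (only the directory is created here; the audit-log apiserver flags are
    # not set in this file)
    mkdir -p -m 700 /var/lib/rancher/k3s/server/logs
    sysctl --system
  EOT
  # Base package installation (base_packages plus var.additional_packages).
  # NOTE(review): "killall apt-get" forcibly stops a concurrent apt run
  # (typically unattended-upgrades on first boot) and can leave dpkg
  # half-configured; waiting for the apt lock instead would be safer.
  package_updates = <<-EOT
    killall apt-get || true
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get install -y ${join(" ", concat(local.base_packages, var.additional_packages))}
  EOT
  dist_upgrade = <<-EOT
    DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y
  EOT
  # k3s talks to the API through the node-local haproxy frontend rather than
  # a single control-plane address.
  k8s_ha_host = "127.0.0.1"
  k8s_ha_port = 16443
  k3s_url = <<-EOT
    export K3S_URL='https://${local.k8s_ha_host}:${local.k8s_ha_port}'
    # Wait (up to 600 s) until the HA endpoint serves the cluster CA before
    # joining. check-cluster-readiness is provided outside this file.
    check-cluster-readiness 600 "$K3S_URL/cacerts"
  EOT
  # k3s installer invocation. The trailing "| \" is presumably continued by
  # the argument snippets below when the caller assembles the script, so
  # nothing may follow the wget line inside this heredoc.
  # NOTE(review): the cluster join token is embedded in this script (and thus
  # in whatever user-data/cloud-init carries it), and the installer is piped
  # from get.k3s.io unverified at every node boot; INSTALL_K3S_VERSION pins
  # the k3s release but not the installer script itself.
  k3s_install = <<-EOT
    export INSTALL_K3S_CHANNEL="${var.k3s_channel}"
    export INSTALL_K3S_VERSION="${var.k3s_version}"
    export K3S_TOKEN="${random_string.k3s_token.result}"
    wget -qO- https://get.k3s.io | \
  EOT
  # Arguments shared by server and agent installs. Every line ends with a
  # backslash because these are spliced into one install command line, so no
  # comment lines may be placed inside the heredoc.
  common_arguments = <<-EOT
    --node-external-ip="${local.cmd_node_external_ip}" \
    --kubelet-arg 'cloud-provider=external' \
  EOT
  # Server-only arguments: the bundled CNI, kube-proxy, network-policy
  # controller, cloud controller, helm controller and add-ons are disabled —
  # an external CNI (Cilium, cf. the hubble port above) and cloud controller
  # are expected to be installed separately. The gateway's private IP is added
  # as a TLS SAN, presumably so clients reaching the API via that address pass
  # certificate validation. "~" strips the trailing newline after the spliced
  # common_arguments.
  control_plane_arguments = <<-EOT
    --tls-san="${hcloud_server_network.gateway.ip}" \
    --flannel-backend=none \
    --disable-kube-proxy \
    --disable-network-policy \
    --disable-cloud-controller \
    --disable-helm-controller \
    --egress-selector-mode disabled \
    --cluster-cidr="${local.cluster_cidr_network}" \
    --service-cidr="${local.service_cidr_network}" \
    --disable local-storage \
    --disable metrics-server \
    --disable servicelb \
    --disable traefik \
    ${local.common_arguments~}
  EOT
  # Hetzner price list (see data.http.prices) and the monthly net/gross price
  # of the gateway server type at var.default_location. Both [0] lookups fail
  # at plan time with an index error when the server type or location is not
  # in the price list, which surfaces a typo early.
  prices = jsondecode(data.http.prices.response_body).pricing
  costs_gateway = [for server_type in local.prices.server_types :
    [for price in server_type.prices :
      { net = tonumber(price.price_monthly.net), gross = tonumber(price.price_monthly.gross) } if price.location == var.default_location
    ][0] if server_type.name == var.gateway_server_type][0]
}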
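# Hetzner Cloud price list, used to estimate the gateway's monthly cost
# (local.costs_gateway). A read-only token is sufficient for this endpoint.
data "http" "prices" {
  url = "https://api.hetzner.cloud/v1/pricing"
  request_headers = {
    Accept = "application/json"
    # NOTE(review): the token travels over TLS but is still recorded with
    # this data source in the state file; a sensitive marking (if the http
    # provider version in use applies one to request_headers) only redacts
    # CLI/plan output, so the state backend must be protected accordingly.
    Authorization = "Bearer ${var.hcloud_token_read_only}"
  }
  lifecycle {
    # Fail the plan if the price list could not be fetched, otherwise
    # jsondecode() on an error body would produce a confusing downstream
    # error in local.prices. Postconditions require Terraform >= 1.2, which
    # also allows the interpolation in error_message.
    postcondition {
      condition = self.status_code == 200
      # Report the actual status so an expired/revoked token (401/403) is
      # distinguishable from an API outage (5xx) without a debug run.
      error_message = "Hetzner pricing API returned HTTP ${self.status_code}, expected 200"
    }
  }
}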