feat: enable rancher helm chart values (rancher#105)

Signed-off-by: matttrach <matt.trachier@suse.com>

Author: matttrach

examples/three/README.md

@@ -0,0 +1,11 @@
+# Three
+
+This module was developed working closely with specific customer feedback.
+
+## Goals
+
+- three node HA Rancher cluster where each node has all Kubernetes roles
+- the ability to specify a helm repo for the Rancher install (specifically the prime repo)
+- the ability to specify custom values for Rancher helm chart
+- the ability to use a remote backend, updating the infrastructure using a CI tool
+

examples/three/main.tf

@@ -24,8 +24,8 @@ provider "rancher2" {
 
 terraform {
   backend "s3" {
-    # This needs to be set in the backend configs on the command line.
-    # bucket = local.identifier
+    # This needs to be set in the backend configs on the command line or somewhere that your identifier can be set.
+    # terraform init -reconfigure -backend-config="bucket=<identifier>"
     # https://developer.hashicorp.com/terraform/language/backend/s3
     # https://developer.hashicorp.com/terraform/language/backend#partial-configuration
     key = "tfstate"
@@ -62,10 +62,25 @@ locals {
   acme_server_url      = "https://acme-v02.api.letsencrypt.org"
   owner                = var.owner
   rke2_version         = var.rke2_version
+  rancher_helm_repo    = "https://releases.rancher.com/server-charts"
+  rancher_helm_channel = "stable"
+  helm_chart_strategy  = "provide"
+  # These options use the Let's Encrypt cert that the module generates for you when you deploy the VPC and Domain.
+  # WARNING! "hostname" must be an fqdn
+  helm_chart_values = {
+    "hostname"               = "${local.domain}.${local.zone}"
+    "replicas"               = "2"
+    "bootstrapPassword"      = "admin"
+    "ingress.enabled"        = "true"
+    "ingress.tls.source"     = "secret"
+    "ingress.tls.secretName" = "tls-rancher-ingress"
+    "privateCA"              = "true"
+    "agentTLSMode"           = "system-store"
+  }
   local_file_path      = var.file_path
   runner_ip            = chomp(data.http.myip.response_body) # "runner" is the server running Terraform
   rancher_version      = var.rancher_version
-  cert_manager_version = "1.16.3" # "1.13.1"
+  cert_manager_version = "1.18.1" #"1.16.3"
   os                   = "sle-micro-61"
 }
 
@@ -115,8 +130,13 @@ module "rancher" {
     }
   }
   # rancher
-  cert_manager_version = local.cert_manager_version
-  rancher_version      = local.rancher_version
+  cert_manager_version            = local.cert_manager_version
+  configure_cert_manager          = false # use the cert generated at the project level
+  rancher_version                 = local.rancher_version
+  rancher_helm_repo               = local.rancher_helm_repo
+  rancher_helm_channel            = local.rancher_helm_channel
+  rancher_helm_chart_use_strategy = local.helm_chart_strategy
+  rancher_helm_chart_values       = local.helm_chart_values
 }
 
 data "rancher2_cluster" "local" {

flake.lock

@@ -28,14 +28,19 @@ locals {
   cni                = var.cni
   node_configuration = var.node_configuration
   # rancher
-  cert_manager_version = var.cert_manager_version
-  rancher_version      = var.rancher_version
-  ip_family            = "ipv4"
-  # ingress_controller   = "nginx"
-  bootstrap_rancher      = var.bootstrap_rancher
-  install_cert_manager   = var.install_cert_manager
-  configure_cert_manager = var.configure_cert_manager
-  cert_manager_config    = var.cert_manager_configuration
+  cert_name                       = (var.tls_cert_name != "" ? var.tls_cert_name : module.cluster.cert.name)
+  cert_key                        = (var.tls_cert_key != "" ? var.tls_cert_key : module.cluster.cert.key_id)
+  cert_manager_version            = var.cert_manager_version
+  rancher_version                 = var.rancher_version
+  rancher_helm_repo               = var.rancher_helm_repo
+  rancher_helm_channel            = var.rancher_helm_channel
+  ip_family                       = "ipv4"
+  rancher_helm_chart_values       = var.rancher_helm_chart_values
+  rancher_helm_chart_use_strategy = var.rancher_helm_chart_use_strategy
+  bootstrap_rancher               = var.bootstrap_rancher
+  install_cert_manager            = var.install_cert_manager
+  configure_cert_manager          = var.configure_cert_manager
+  cert_manager_config             = var.cert_manager_configuration
 }
 
 data "aws_route53_zone" "zone" {
@@ -59,7 +64,6 @@ module "cluster" {
   cni                = local.cni
   node_configuration = local.node_configuration
   ip_family          = local.ip_family
-  # ingress_controller = local.ingress_controller
   skip_cert_creation = local.skip_cert
 }
 
@@ -72,8 +76,8 @@ module "install_cert_manager" {
   project_domain             = local.fqdn
   zone                       = local.zone
   zone_id                    = data.aws_route53_zone.zone.zone_id
-  project_cert_name          = module.cluster.cert.name
-  project_cert_key_id        = module.cluster.cert.key_id
+  project_cert_name          = local.cert_name
+  project_cert_key_id        = local.cert_key
   path                       = local.local_file_path
   cert_manager_version       = local.cert_manager_version
   configure_cert_manager     = local.configure_cert_manager
@@ -85,15 +89,19 @@ module "rancher_bootstrap" {
     module.cluster,
     module.install_cert_manager,
   ]
-  count                = (local.bootstrap_rancher ? 1 : 0)
-  source               = "./modules/rancher_bootstrap"
-  path                 = local.local_file_path
-  project_domain       = local.fqdn
-  zone_id              = data.aws_route53_zone.zone.zone_id
-  region               = local.cert_manager_config.aws_region
-  email                = local.cert_manager_config.acme_email
-  acme_server_url      = local.cert_manager_config.acme_server_url
-  rancher_version      = local.rancher_version
-  cert_manager_version = local.cert_manager_version
-  externalTLS          = (local.configure_cert_manager ? false : true)
+  count                           = (local.bootstrap_rancher ? 1 : 0)
+  source                          = "./modules/rancher_bootstrap"
+  path                            = local.local_file_path
+  project_domain                  = local.fqdn
+  zone_id                         = data.aws_route53_zone.zone.zone_id
+  region                          = local.cert_manager_config.aws_region
+  email                           = local.cert_manager_config.acme_email
+  acme_server_url                 = local.cert_manager_config.acme_server_url
+  rancher_version                 = local.rancher_version
+  rancher_helm_repo               = local.rancher_helm_repo
+  rancher_helm_channel            = local.rancher_helm_channel
+  cert_manager_version            = local.cert_manager_version
+  externalTLS                     = (local.configure_cert_manager ? false : true)
+  rancher_helm_chart_values       = local.rancher_helm_chart_values
+  rancher_helm_chart_use_strategy = local.rancher_helm_chart_use_strategy
 }

main.tf

@@ -25,11 +25,6 @@ locals {
     var.file_path != "" ? (var.file_path == path.root ? "${path.root}/rke2" : var.file_path) :
     "${path.root}/rke2"
   )
-  # # tflint-ignore: terraform_unused_declarations
-  # local_file_path_validate = (can(regex(
-  #     "^\\.",
-  #     local.local_file_path
-  # )) ? false : one([local.local_file_path, "local_file_path_must_be_relative"])) # used like this we can validate local variables
 
   install_method       = var.install_method
   download             = (local.install_method == "tar" ? "download" : "skip")
@@ -182,8 +177,7 @@ module "deploy_initial_node" {
   user_workfolder          = strcontains(each.value.os, "cis") ? "/var/tmp" : "/home/${local.username}"
   timeout                  = 10
 }))}"
-    server_domain_name       = "${substr("${local.project_name}-${md5(each.key)}", 0, 25)}"
-    server_domain_zone       = "${local.zone}"
+    server_add_domain        = false
     install_use_strategy     = "${local.install_method}"
     local_file_use_strategy  = "${local.download}"
     local_file_path          = "${each.value.deploy_path}/configs"
@@ -227,7 +221,7 @@ strcontains(each.value.type, "database") ? local.database_config :
 }
 
 # There are many ways to orchestrate Terraform configurations with the goal of breaking it down
-# In this example I am using Terraform resources to orchestrate Terraform
+# In this module I am using Terraform resources to orchestrate Terraform
 #   I felt this was the best way to accomplish the goal without incurring additional dependencies
 module "deploy_additional_nodes" {
   source = "../deploy"
@@ -271,8 +265,7 @@ module "deploy_additional_nodes" {
   user_workfolder          = strcontains(each.value.os, "cis") ? "/var/tmp" : "/home/${local.username}"
   timeout                  = 10
 }))}"
-    server_domain_name       = "${substr("${local.project_name}-${md5(each.key)}", 0, 25)}"
-    server_domain_zone       = "${local.zone}"
+    server_add_domain        = false
     install_use_strategy     = "${local.install_method}"
     local_file_use_strategy  = "${local.download}"
     local_file_path          = "${each.value.deploy_path}/configs"
@@ -318,7 +311,7 @@ strcontains(each.value.type, "database") ? local.database_config :
   EOT
 }
 
-resource "local_file" "kubeconfig" {
+resource "local_sensitive_file" "kubeconfig" {
   depends_on = [
     module.deploy_initial_node,
     module.deploy_additional_nodes,

modules/cluster/main.tf

@@ -28,7 +28,7 @@ variable "zone" {
 # access
 variable "key_name" {
   type        = string
-  description = "The name of an ssh key that already exists in AWS of that you want to create."
+  description = "The name of an ssh key that already exists in AWS."
 }
 variable "key" {
   type        = string
@@ -112,10 +112,6 @@ variable "ip_family" {
   type        = string
   description = "The IP family to use. Must be 'ipv4', 'ipv6', or 'dualstack'."
 }
-# variable "ingress_controller" {
-#   type        = string
-#   description = "The ingress controller to use. Must be 'nginx' or 'traefik'. Currently only supports 'nginx'."
-# }
 variable "skip_cert_creation" {
   type        = bool
   description = "Skip the generation of a certificate, useful when configuring cert manager."

modules/cluster/variables.tf

@@ -3,7 +3,6 @@ variable "cert_manager_version" {
   description = <<-EOT
     The version of cert manager to install.
   EOT
-  default     = "v1.13.1"
 }
 variable "cert_manager_configuration" {
   type = object({
@@ -18,13 +17,7 @@ variable "cert_manager_configuration" {
     https://cert-manager.io/docs/configuration/acme/dns01/route53/#ambient-credentials
     https://docs.aws.amazon.com/sdkref/latest/guide/environment-variables.html
   EOT
-  default = {
-    aws_region            = ""
-    aws_session_token     = ""
-    aws_access_key_id     = ""
-    aws_secret_access_key = ""
-  }
-  sensitive = true
+  sensitive   = true
 }
 variable "zone" {
   type        = string

modules/install_cert_manager/configured/variables.tf

@@ -30,13 +30,12 @@ module "deploy_cert_manager" {
     KUBECONFIG       = "${abspath(local.path)}/kubeconfig"
   }
   inputs = <<-EOT
+    cert_manager_version       = "${local.cert_manager_version}"
+    project_cert_name          = "${local.project_cert_name}"
+    project_cert_key_id        = "${local.project_cert_key_id}"
     project_domain             = "${local.rancher_domain}"
     zone                       = "${local.zone}"
     zone_id                    = "${local.zone_id}"
-    project_cert_name          = "${local.project_cert_name}"
-    project_cert_key_id        = "${local.project_cert_key_id}"
-    cert_manager_version       = "${local.cert_manager_version}"
-    configure_cert_manager     = "${local.configure_cert_manager}"
     cert_manager_configuration = {
       aws_region            = "${local.cert_manager_config.aws_region}"
       aws_session_token     = "${local.cert_manager_config.aws_session_token}"

modules/install_cert_manager/main.tf

@@ -3,19 +3,16 @@ variable "cert_manager_version" {
   description = <<-EOT
     The version of cert manager to install.
   EOT
-  default     = "v1.13.1"
 }
 variable "project_cert_key_id" {
   type        = string
   description = <<-EOT
     The key name to retrieve the project's cert's private key from AWS
   EOT
-  default     = ""
 }
 variable "project_cert_name" {
   type        = string
   description = <<-EOT
     The project's cert name
   EOT
-  default     = ""
 }

modules/install_cert_manager/unconfigured/variables.tf

@@ -45,7 +45,6 @@ variable "cert_manager_version" {
   description = <<-EOT
     The version of cert manager to install.
   EOT
-  default     = "v1.13.1"
 }
 variable "configure_cert_manager" {
   type        = bool
@@ -75,14 +74,3 @@ variable "cert_manager_configuration" {
   }
   sensitive = true
 }
-# variable "backend_file" {
-#   type        = string
-#   description = <<-EOT
-#     Path to a .tfbackend file.
-#     This allows the user to pass a backend file.
-#     The backend file will be added to the terraform run and will allow state data to be saved remotely.
-#     Please note that this is a separate state file, and this backend should be independent of the main module's state and any other submodules' states.
-#     See https://developer.hashicorp.com/terraform/language/backend#file for more information.
-#   EOT
-#   default     = ""
-# }