Refresh Terraform examples and docs

* Update Terraform examples to use Terraform v0.13
* Refresh examples to show Fedora CoreOS and Flatcar Linux
* Remove the etcd3 example, not worth it to maintain
Dalton Hubble
2020-10-13 23:29:35 -07:00
parent da0df01763
commit 04f1c32ba2
32 changed files with 284 additions and 623 deletions

View File

@@ -8,7 +8,7 @@ Notable changes between releases.
* Publish Matchbox images from internal infra to Quay (`quay.io/poseidon/matchbox`)
* Update Go version from v1.13.4 to v1.14.9
* Update base image from `alpine:3.10` to `alpine:3.12` ([#784](https://github.com/poseidon/matchbox/pull/784))
* Refresh docs and examples for Fedora CoreOS and Flatcar Linux ([#815](https://github.com/poseidon/matchbox/pull/815))
* Refresh docs and examples for Fedora CoreOS and Flatcar Linux ([#815](https://github.com/poseidon/matchbox/pull/815), [#816](https://github.com/poseidon/matchbox/pull/816))
* Update Kubernetes manifest examples ([#791](https://github.com/poseidon/matchbox/pull/791))
* Include `contrib/k8s` in release tarballs ([#788](https://github.com/poseidon/matchbox/pull/788))
* Remove RPM spec file (Copr publishing stopped in v0.6)
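Review bot: the changed entry only appends #816 to the existing "Refresh docs and examples" bullet, but this commit also moves the Terraform examples to v0.13 (the `required_providers` blocks with a `source` attribute are not accepted by v0.11 or v0.12) and deletes the etcd3 example together with the `examples/terraform/modules` tree; both are user-visible changes that deserve their own bullet, e.g. `* Update Terraform examples to Terraform v0.13 and remove the etcd3 example and profiles module`.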

View File

@@ -23,14 +23,14 @@ Matchbox can be installed from a binary or a container image.
## Tutorials
[Getting started](docs/getting-started.md) provisioning machines with Fedora CoreOS or Flatcar Linux.
Start provisioning machines with Fedora CoreOS or Flatcar Linux.
* [Terraform Usage](docs/getting-started.md)
* Fedora CoreOS (PXE install to disk)
* Flatcar Linux (PXE install to disk)
* [Local QEMU/KVM](docs/getting-started-docker.md)
* Fedora CoreOS (live PXE or PXE install to disk)
* Flatcar Linux (live PXE or PXE install to disk)
* Clusters
* [etcd3](docs/getting-started-docker.md) - Install a 3-node etcd3 cluster
* [etcd3](https://github.com/poseidon/matchbox/tree/master/examples/terraform/etcd3-install) - Install a 3-node etcd3 cluster (terraform-based)
## Contrib

View File

@@ -8,10 +8,9 @@ This guide walks through deploying the `matchbox` service on a Linux host (as a
Choose one of the supported installation options:
* [CoreOS Container Linux](#coreos-container-linux)
* [Generic Linux (binary)](#generic-linux)
* [With docker](#docker)
* [Kubernetes Service](#kubernetes)
* [With docker](#docker)
## Download
@@ -118,7 +117,7 @@ Export `SAN` to set the Subject Alt Names which should be used in certificates.
```sh
# DNS or IP Subject Alt Names where matchbox runs
$ export SAN=DNS.1:matchbox.example.com,IP.1:172.18.0.2
$ export SAN=DNS.1:matchbox.example.com,IP.1:172.17.0.2
```
Generate a `ca.crt`, `server.crt`, `server.key`, `client.crt`, and `client.key`.
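Review bot: the new example `IP.1:172.17.0.2` is the first address on Docker's default bridge, which fits the docker deployment path, but the comment above the `export` still reads as if this were a fixed value. Clients verify the server certificate against exactly these names, so the comment should say the SAN list must contain the DNS name or IP that clients actually use to reach `matchbox`; a mismatch makes TLS verification fail, and the usual reaction is to turn verification off.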

View File

@@ -1,6 +1,6 @@
# Getting started
In this tutorial, we'll use `matchbox` with Terraform to provision Container Linux machines.
In this tutorial, we'll use `matchbox` with Terraform to provision Fedora CoreOS or Flatcar Linux machines.
We'll install the `matchbox` service, setup a PXE network boot environment, and use Terraform configs to declare infrastructure and apply resources on `matchbox`.
@@ -8,7 +8,7 @@ We'll install the `matchbox` service, setup a PXE network boot environment, and
Install `matchbox` on a host server or Kubernetes cluster. Generate TLS credentials and enable the gRPC API as directed. Save the `ca.crt`, `client.crt`, and `client.key` on your local machine (e.g. `~/.matchbox`).
* Installing on [Container Linux / other distros](deployment.md)
* Installing on a [Linux distro](deployment.md)
* Installing on [Kubernetes](deployment.md#kubernetes)
* Running with [docker](deployment.md#docker)
@@ -30,115 +30,139 @@ $ openssl s_client -connect matchbox.example.com:8081 \
## Terraform
Install [Terraform][terraform-dl] v0.11+ on your system.
Install [Terraform][https://www.terraform.io/downloads.html] v0.13+ on your system.
```sh
$ terraform version
Terraform v0.11.13
Terraform v0.13.3
```
Add the [terraform-provider-matchbox](https://github.com/poseidon/terraform-provider-matchbox) plugin binary for your system to `~/.terraform.d/plugins/`, noting the final name.
### Examples
```sh
wget https://github.com/poseidon/terraform-provider-matchbox/releases/download/v0.2.3/terraform-provider-matchbox-v0.2.3-linux-amd64.tar.gz
tar xzf terraform-provider-matchbox-v0.2.3-linux-amd64.tar.gz
mv terraform-provider-matchbox-v0.2.3-linux-amd64/terraform-provider-matchbox ~/.terraform.d/plugins/terraform-provider-matchbox_v0.2.3
```
```sh
$ wget https://github.com/poseidon/terraform-provider-matchbox/releases/download/v0.2.3/terraform-provider-matchbox-v0.2.3-linux-amd64.tar.gz
$ tar xzf terraform-provider-matchbox-v0.2.3-linux-amd64.tar.gz
```
## First cluster
Clone the matchbox source and take a look at the Terraform examples.
Clone the matchbox source.
```sh
$ git clone https://github.com/poseidon/matchbox.git
$ cd matchbox/examples/terraform
```
Let's start with the `simple-install` example. With `simple-install`, any machines which PXE boot from matchbox will install Container Linux to `dev/sda`, reboot, and have your SSH key set. Its not much of a cluster, but we'll get to that later.
Select from the Terraform [examples](https://github.com/poseidon/matchbox/tree/master/examples/terraform). For example,
* `fedora-coreos-install` - PXE boot, install Fedora CoreOS to disk, reboot, and machines come up with your SSH authorized key set
* `flatcar-install` - PXE boot, install Flatcar Linux to disk, reboot, and machines come up with your SSH authorized key set
These aren't exactly full clusters, but they show declarations and network provisioning.
```sh
$ cd simple-install
$ cd fedora-coreos-install # or flatcar-install
```
Configure the variables in `variables.tf` by creating a `terraform.tfvars` file.
!!! note
Fedora CoreOS images are only served via HTTPS, so your iPXE firmware must be compiled to support HTTPS downloads.
```hcl
Let's review the terraform config and learn a bit about Matchbox.
### Provider
Matchbox is configured as a provider platform for bare-metal resources.
```tf
// Configure the matchbox provider
provider "matchbox" {
endpoint = var.matchbox_rpc_endpoint
client_cert = file("~/.matchbox/client.crt")
client_key = file("~/.matchbox/client.key")
ca = file("~/.matchbox/ca.crt")
}
terraform {
required_providers {
ct = {
source = "poseidon/ct"
version = "0.6.1"
}
matchbox = {
source = "poseidon/matchbox"
version = "0.4.1"
}
}
}
```
### Profiles
Machine profiles specify the kernel, initrd, kernel args, Ignition Config, and other configs (e.g. templated Container Linux Config, Cloud-config, generic) used to network boot and provision a bare-metal machine. The profile below would PXE boot machines using a Fedora CoreOS kernel and initrd (see [assets](api-http.md#assets) to learn about caching for speed), perform a disk install, reboot (first boot from disk), and use a [Fedora CoreOS Config](https://github.com/coreos/fcct/blob/master/docs/configuration-v1_1.md) to generate an Ignition config to provision.
```tf
// Fedora CoreOS profile
resource "matchbox_profile" "fedora-coreos-install" {
name = "worker"
kernel = "https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-kernel-x86_64"
initrd = [
"https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-initramfs.x86_64.img",
"https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-rootfs.x86_64.img"
]
args = [
"rd.neednet=1",
"coreos.inst.install_dev=/dev/sda",
"coreos.inst.ignition_url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}",
"coreos.inst.image_url=https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-metal.x86_64.raw.xz",
"console=tty0",
"console=ttyS0",
]
raw_ignition = data.ct_config.worker-ignition.rendered
}
data "ct_config" "worker-ignition" {
content = data.template_file.worker-config.rendered
strict = true
}
data "template_file" "worker-config" {
template = file("fcc/fedora-coreos.yaml")
vars = {
ssh_authorized_key = var.ssh_authorized_key
}
}
```
### Groups
Matcher groups match machines based on labels like MAC, UUID, etc. to different profiles and templates in machine-specific values. The group below does not have a `selector` block, so any machines which network boot from Matchbox will match this group and be provisioned using the `fedora-coreos-install` profile. Machines are matched to the most specific matching group.
```tf
// Default matcher group for machines
resource "matchbox_group" "default" {
name = "default"
profile = matchbox_profile.fedora-coreos-install.name
}
```
### Variables
Some Terraform [variables](https://www.terraform.io/docs/configuration/variables.html) are used in the examples. A quick way to set their value is by creating a `terraform.tfvars` file.
```
cp terraform.tfvars.example terraform.tfvars
```
```tf
matchbox_http_endpoint = "http://matchbox.example.com:8080"
matchbox_rpc_endpoint = "matchbox.example.com:8081"
ssh_authorized_key = "YOUR_SSH_KEY"
```
Terraform can now interact with the matchbox service and create resources.
```sh
$ terraform plan
Plan: 4 to add, 0 to change, 0 to destroy.
```
Let's review the terraform config and learn a bit about matchbox.
#### Provider
Matchbox is configured as a provider platform for bare-metal resources.
```hcl
// Configure the matchbox provider
provider "matchbox" {
endpoint = "${var.matchbox_rpc_endpoint}"
client_cert = "${file("~/.matchbox/client.crt")}"
client_key = "${file("~/.matchbox/client.key")}"
ca = "${file("~/.matchbox/ca.crt")}"
}
```
#### Profiles
Machine profiles specify the kernel, initrd, kernel args, Container Linux Config, Cloud-config, or other configs used to network boot and provision a bare-metal machine. This profile will PXE boot machines using the current stable Container Linux kernel and initrd (see [assets](api-http.md#assets) to learn about caching for speed) and supply a Container Linux Config specifying that a disk install and reboot should be performed. Learn more about [Container Linux configs](https://coreos.com/os/docs/latest/configuration.html).
```hcl
// Create a CoreOS-install profile
resource "matchbox_profile" "coreos-install" {
name = "coreos-install"
kernel = "https://stable.release.core-os.net/amd64-usr/current/coreos_production_pxe.vmlinuz"
initrd = [
"https://stable.release.core-os.net/amd64-usr/current/coreos_production_pxe_image.cpio.gz"
]
args = [
"coreos.config.url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}",
"coreos.first_boot=yes",
"console=tty0",
"console=ttyS0",
]
container_linux_config = "${file("./cl/coreos-install.yaml.tmpl")}"
}
```
#### Groups
Matcher groups match machines based on labels like MAC, UUID, etc. to different profiles and templates in machine-specific values. This group does not have a `selector` block, so any machines which network boot from matchbox will match this group and be provisioned using the `coreos-install` profile. Machines are matched to the most specific matching group.
```hcl
resource "matchbox_group" "default" {
name = "default"
profile = "${matchbox_profile.coreos-install.name}"
# no selector means all machines can be matched
metadata {
ignition_endpoint = "${var.matchbox_http_endpoint}/ignition"
ssh_authorized_key = "${var.ssh_authorized_key}"
}
}
```
### Apply
Apply the terraform configuration.
Initialize the Terraform workspace. Then plan and apply the resources.
```sh
```
terraform init
```
```
$ terraform apply
Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
```
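Review bot: `Install [Terraform][https://www.terraform.io/downloads.html] v0.13+` mixes reference-link and inline-link syntax and will not render as a link; use `[Terraform](https://www.terraform.io/downloads.html)` or keep `[Terraform][terraform-dl]`, since the `[terraform-dl]` definition is still at the end of the file. Two more things in this hunk: the expected `Plan: 4 to add` and `Resources: 4 added` lines no longer match the config shown above them, which declares two managed resources (`matchbox_profile.fedora-coreos-install` and `matchbox_group.default`; `data` blocks are not counted in the plan), so they should say 2 or be made generic; and `coreos.inst.install_dev=/dev/sda` is hardcoded in the profile args while the deleted etcd3 example exposed the target disk as an `install_disk` variable, which is worth keeping so readers do not have to edit the profile to install to a different device.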
@@ -148,13 +172,12 @@ Matchbox serves configs to machines and respects query parameters, if you're int
* iPXE default - [/ipxe](http://matchbox.example.com:8080/ipxe)
* Ignition default - [/ignition](http://matchbox.example.com:8080/ignition)
* Ignition post-install - [/ignition?os=installed](http://matchbox.example.com:8080/ignition?os=installed)
* GRUB default - [/grub](http://matchbox.example.com:8080/grub)
## Network
Matchbox can integrate with many on-premise network setups. It does not seek to be the DHCP server, TFTP server, or DNS server for the network. Instead, matchbox serves iPXE scripts and GRUB configs as the entrypoint for provisioning network booted machines. PXE clients are supported by chainloading iPXE firmware.
Matchbox can integrate with many on-premise network setups. It does not seek to be the DHCP server, TFTP server, or DNS server for the network. Instead, matchbox serves iPXE scripts as the entrypoint for provisioning network booted machines. PXE clients are supported by chainloading iPXE firmware.
In the simplest case, an iPXE-enabled network can chain to matchbox,
In the simplest case, an iPXE-enabled network can chain to Matchbox,
```
# /var/www/html/ipxe/default.ipxe
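Review bot: this hunk drops the `GRUB default - /grub` bullet and the words `and GRUB configs` from the Network section. If the `/grub` endpoint is still served by matchbox, removing it from the list only makes it undocumented, so at least a pointer should stay; if the endpoint itself has been removed, that is a behaviour change that belongs in the CHANGELOG.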
@@ -179,20 +202,19 @@ $ ipmitool -H node1.example.com -U USER -P PASS chassis bootdev pxe
$ ipmitool -H node1.example.com -U USER -P PASS power on
```
Each machine should chainload iPXE, delegate to `matchbox`, receive its iPXE config (or other supported configs) and begin the provisioning process. The `simple-install` example assumes your machines are configured to boot from disk first and PXE only when requested, but you can write profiles for different cases.
Each machine should chainload iPXE, delegate to Matchbox, receive its iPXE config (or other supported configs) and begin the provisioning process. The examples assume machines are configured to boot from disk first and PXE only when requested, but you can write profiles for different cases.
Once the Container Linux install completes and the machine reboots you can SSH,
Once the install completes and the machine reboots, you can SSH.
```ssh
$ ssh core@node1.example.com
```
To re-provision the machine for another purpose, run `terraform apply` and PXE boot it again.
To re-provision the machine for another purpose, run `terraform apply` and PXE boot machines again.
## Going Further
Matchbox can be used to provision multi-node Container Linux clusters at one or many on-premise sites if deployed in an HA way. Machines can be matched individually by MAC address, UUID, region, or other labels you choose. Installs can be made much faster by caching images in the built-in HTTP [assets](api-http.md#assets) server.
Matchbox can be used to provision multi-node Fedora CoreOS or Flatcar Linux clusters at one or many on-premise sites if deployed in an HA way. Machines can be matched individually by MAC address, UUID, region, or other labels you choose. Installs can be made much faster by caching images in the built-in HTTP [assets](api-http.md#assets) server.
[Container Linux configs](https://coreos.com/os/docs/latest/configuration.html) can be used to partition disks and filesystems, write systemd units, write networkd configs or regular files, and create users. Container Linux nodes can be provisioned into a system that meets your needs. Checkout the examples which create a 3 node [etcd](../examples/terraform/etcd3-install) cluster or a 3 node [Kubernetes](../examples/terraform/bootkube-install) cluster.
[Ignition](https://github.com/coreos/ignition) can be used to partition disks and filesystems, write systemd units, write networkd configs or regular files, and create users. Nodes can be network provisioned into a complete cluster system that meets your needs. For example, see [Typhoon](https://typhoon.psdn.io/fedora-coreos/bare-metal/).
[terraform-dl]: https://www.terraform.io/downloads.html
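Review bot: the `[terraform-dl]: https://www.terraform.io/downloads.html` reference definition is kept at the bottom of the file, but with the Terraform install line rewritten in this commit to spell out the URL, nothing references it any more; either delete the definition or keep `[Terraform][terraform-dl]` at the top. Also, the fence before `$ ssh core@node1.example.com` is tagged `ssh`, which is not a language; `sh` matches the other blocks in the file.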

View File

@@ -17,14 +17,14 @@ Matchbox can be installed from a binary or a container image.
## Tutorials
[Getting started](getting-started.md) provisioning machines with Fedora CoreOS or Flatcar Linux.
Start provisioning machines with Fedora CoreOS or Flatcar Linux.
* [Terraform Usage](getting-started.md)
* Fedora CoreOS (live PXE or PXE install to disk)
* Flatcar Linux (live PXE or PXE install to disk)
* [Local QEMU/KVM](getting-started-docker.md)
* Fedora CoreOS (live PXE or PXE install to disk)
* Flatcar Linux (live PXE or PXE install to disk)
* Clusters
* [etcd3](getting-started-docker.md) - Install a 3-node etcd3 cluster
* [etcd3](https://github.com/poseidon/matchbox/tree/master/examples/terraform/etcd3-install) - Install a 3-node etcd3 cluster (terraform-based)
## Related
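Review bot: the Terraform Usage sub-bullets here say `(live PXE or PXE install to disk)` for both Fedora CoreOS and Flatcar Linux, while the same list added to the top-level README in this commit says `(PXE install to disk)` for the Terraform entries. The Terraform examples in the getting-started doc only do disk installs (`coreos.inst.install_dev=/dev/sda` and `flatcar-install -d /dev/sda`), so the README wording is the accurate one and this list should match it; only the Local QEMU/KVM entries cover live PXE.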

View File

@@ -1,6 +1,6 @@
# Examples
Matchbox automates network booting and provisioning of clusters. These examples show how to use matchbox on-premise or locally with [QEMU/KVM](scripts/README.md#libvirt).
Matchbox automates network booting and provisioning of clusters. These examples show how to use Matchbox on-premise or locally with QEMU/KVM.
## Terraform Examples
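Review bot: the rewritten sentence drops the link to `scripts/README.md#libvirt`. The text still tells readers the examples can be run locally with QEMU/KVM, so keep a link to where those scripts and their README live; otherwise the reader has no way to find the `devnet` and `libvirt` helpers from this page.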
@@ -8,12 +8,12 @@ These examples use [Terraform](https://www.terraform.io/intro/) as a client to M
| Name | Description |
|-------------------------------|-------------------------------|
| [simple-install](terraform/simple-install/) | Install Container Linux with an SSH key |
| [etcd3-install](terraform/etcd3-install/) | Install a 3-node etcd3 cluster |
| [fedora-coreos-install](terraform/fedora-coreos-install) | Fedora CoreOS disk install |
| [flatcar-install](terraform/flatcar-install) | Flatcar Linux disk install |
### Customization
Look through the examples and Terraform modules and use them as a starting point. Learn more about [matchbox](../docs/matchbox.md) and [Container Linux configs](../docs/container-linux-config.md).
Look through the examples and Terraform modules and use them as a starting point. Learn more about [matchbox](../docs/matchbox.md).
## Manual Examples
@@ -30,7 +30,7 @@ These examples mount raw Matchbox objects into a Matchbox server's `/var/lib/mat
For Fedora CoreOS, add an SSH authorized key to Fedora CoreOS Config (`ignition/fedora-coreos.yaml`) and regenerate the Ignition Config.
```
```yaml
variant: fcos
version: 1.1.0
passwd:
@@ -44,10 +44,9 @@ passwd:
podman run -i --rm quay.io/coreos/fcct:release --pretty --strict < fedora-coreos.yaml > fedora-coreos.ign
```
For Flatcar Linux, add a Matchbox variable to a Group to set the SSH authorized key (or directly update the Container Linux Config).
For Flatcar Linux, add a Matchbox variable to a Group (`groups/flatcar-install/flatcar.json`) to set the SSH authorized key (or directly update the Container Linux Config).
```
# groups/flatcar-install/flatcar.json
```json
{
"id": "stage-1",
"name": "Flatcar Linux",
@@ -60,4 +59,3 @@ For Flatcar Linux, add a Matchbox variable to a Group to set the SSH authorized
}
}
```

View File

@@ -1,103 +0,0 @@
# etcd3
The `etcd3-install` example shows how to use matchbox to network boot and provision 3-node etcd3 cluster on bare-metal in an automated way.
## Requirements
Follow the getting started [tutorial](../../../docs/getting-started.md) to learn about matchbox and set up an environment that meets the requirements:
* Matchbox v0.6+ [installation](../../../docs/deployment.md) with gRPC API enabled
* Matchbox provider credentials `client.crt`, `client.key`, and `ca.crt`
* PXE [network boot](../../../docs/network-setup.md) environment
* Terraform v0.9+ and [terraform-provider-matchbox](https://github.com/poseidon/terraform-provider-matchbox) installed locally on your system
* 3 machines with known DNS names and MAC addresses
If you prefer to provision QEMU/KVM VMs on your local Linux machine, set up the matchbox [development environment](../../../docs/getting-started-docker.md).
```sh
sudo ./scripts/devnet create
```
## Usage
Clone the [matchbox](https://github.com/poseidon/matchbox) project and take a look at the cluster examples.
```sh
$ git clone https://github.com/poseidon/matchbox.git
$ cd matchbox/examples/terraform/etcd3-install
```
Copy the `terraform.tfvars.example` file to `terraform.tfvars`. Ensure `provider.tf` references your matchbox credentials.
```hcl
matchbox_http_endpoint = "http://matchbox.example.com:8080"
matchbox_rpc_endpoint = "matchbox.example.com:8081"
ssh_authorized_key = "ADD ME"
```
Configs in `etcd3-install` configure the matchbox provider, define profiles (e.g. `cached-container-linux-install`, `etcd3`), and define 3 groups which match machines by MAC address to a profile. These resources declare that the machines should PXE boot, install Container Linux to disk, and provision themselves into peers in a 3-node etcd3 cluster.
Note: The `cached-container-linux-install` profile will PXE boot and install Container Linux from matchbox [assets](https://github.com/poseidon/matchbox/blob/master/docs/api.md#assets). If you have not populated the assets cache, use the `container-linux-install` profile to use public images (slower).
### Optional
You may set certain optional variables to override defaults.
```hcl
# install_disk = "/dev/sda"
# container_linux_oem = ""
```
## Apply
Fetch the [profiles](../README.md#modules) Terraform [module](https://www.terraform.io/docs/modules/index.html) which let's you use common machine profiles maintained in the matchbox repo (like `etcd3`).
```sh
$ terraform get
```
Plan and apply to create the resoures on Matchbox.
```sh
$ terraform plan
Plan: 10 to add, 0 to change, 0 to destroy.
$ terraform apply
Apply complete! Resources: 10 added, 0 changed, 0 destroyed.
```
## Machines
Power on each machine (with PXE boot device on next boot). Machines should network boot, install Container Linux to disk, reboot, and provision themselves as a 3-node etcd3 cluster.
```sh
$ ipmitool -H node1.example.com -U USER -P PASS chassis bootdev pxe
$ ipmitool -H node1.example.com -U USER -P PASS power on
```
For local QEMU/KVM development, create the QEMU/KVM VMs.
```sh
$ sudo ./scripts/libvirt create
$ sudo ./scripts/libvirt [start|reboot|shutdown|poweroff|destroy]
```
## Verify
Verify each node is running etcd3 (i.e. etcd-member.service).
```sh
$ ssh core@node1.example.com
$ systemctl status etcd-member
```
Verify that etcd3 peers are healthy and communicating.
```sh
$ etcdctl cluster-health
$ etcdctl set /message hello
$ etcdctl get /message
```
## Going Further
Learn more about [matchbox](../../../docs/matchbox.md) or explore the other [example](../) clusters.

View File

@@ -1,74 +0,0 @@
// Create popular profiles (convenience module)
module "profiles" {
source = "../modules/profiles"
matchbox_http_endpoint = "${var.matchbox_http_endpoint}"
container_linux_version = "1967.3.0"
container_linux_channel = "stable"
install_disk = "${var.install_disk}"
container_linux_oem = "${var.container_linux_oem}"
}
// Install Container Linux to disk before provisioning
resource "matchbox_group" "default" {
name = "default"
profile = "${module.profiles.cached-container-linux-install}"
// No selector, matches all nodes
metadata {
ssh_authorized_key = "${var.ssh_authorized_key}"
}
}
// Create matcher groups for 3 machines
resource "matchbox_group" "node1" {
name = "node1"
profile = "${module.profiles.etcd3}"
selector {
mac = "52:54:00:a1:9c:ae"
os = "installed"
}
metadata {
domain_name = "node1.example.com"
etcd_name = "node1"
etcd_initial_cluster = "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
ssh_authorized_key = "${var.ssh_authorized_key}"
}
}
resource "matchbox_group" "node2" {
name = "node2"
profile = "${module.profiles.etcd3}"
selector {
mac = "52:54:00:b2:2f:86"
os = "installed"
}
metadata {
domain_name = "node2.example.com"
etcd_name = "node2"
etcd_initial_cluster = "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
ssh_authorized_key = "${var.ssh_authorized_key}"
}
}
resource "matchbox_group" "node3" {
name = "node3"
profile = "${module.profiles.etcd3}"
selector {
mac = "52:54:00:c3:61:77"
os = "installed"
}
metadata {
domain_name = "node3.example.com"
etcd_name = "node3"
etcd_initial_cluster = "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
ssh_authorized_key = "${var.ssh_authorized_key}"
}
}

View File

@@ -1,7 +0,0 @@
// Configure the matchbox provider
provider "matchbox" {
endpoint = "${var.matchbox_rpc_endpoint}"
client_cert = "${file("~/.matchbox/client.crt")}"
client_key = "${file("~/.matchbox/client.key")}"
ca = "${file("~/.matchbox/ca.crt")}"
}

View File

@@ -1,28 +0,0 @@
variable "matchbox_http_endpoint" {
type = "string"
description = "Matchbox HTTP read-only endpoint (e.g. http://matchbox.example.com:8080)"
}
variable "matchbox_rpc_endpoint" {
type = "string"
description = "Matchbox gRPC API endpoint, without the protocol (e.g. matchbox.example.com:8081)"
}
variable "ssh_authorized_key" {
type = "string"
description = "SSH public key to set as an authorized_key on machines"
}
# optional
variable "install_disk" {
type = "string"
default = "/dev/sda"
description = "Disk device to which the install profiles should install Container Linux (e.g. /dev/sda)"
}
variable "container_linux_oem" {
type = "string"
default = ""
description = "Specify an OEM image id to use as base for the installation (e.g. ami, vmware_raw, xen) or leave blank for the default image"
}

View File

@@ -0,0 +1,7 @@
variant: fcos
version: 1.1.0
passwd:
users:
- name: core
ssh_authorized_keys:
- ${ssh_authorized_key}

View File

@@ -0,0 +1,6 @@
// Default matcher group for machines
resource "matchbox_group" "default" {
name = "default"
profile = matchbox_profile.fedora-coreos-install.name
}

View File

@@ -0,0 +1,34 @@
// Fedora CoreOS profile
resource "matchbox_profile" "fedora-coreos-install" {
name = "worker"
kernel = "https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-kernel-x86_64"
initrd = [
"https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-initramfs.x86_64.img",
"https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-rootfs.x86_64.img"
]
args = [
"rd.neednet=1",
"coreos.inst.install_dev=/dev/sda",
"coreos.inst.ignition_url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}",
"coreos.inst.image_url=https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-metal.x86_64.raw.xz",
"console=tty0",
"console=ttyS0",
]
raw_ignition = data.ct_config.worker-ignition.rendered
}
data "ct_config" "worker-ignition" {
content = data.template_file.worker-config.rendered
strict = true
}
data "template_file" "worker-config" {
template = file("fcc/fedora-coreos.yaml")
vars = {
ssh_authorized_key = var.ssh_authorized_key
}
}
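Review bot: the resource is named `fedora-coreos-install` but sets `name = "worker"`, so the profile appears in Matchbox under a different name than in the Terraform config, and the Flatcar example in this commit uses `worker` for a different, post-install profile; `name = "fedora-coreos-install"` would avoid the confusion. Separately, `data "template_file"` pulls in the hashicorp/template provider, which is not pinned in the `required_providers` block in `provider.tf`; since Terraform 0.12 the built-in `templatefile("fcc/fedora-coreos.yaml", { ssh_authorized_key = var.ssh_authorized_key })` function does the same job without an extra provider, and `ct_config.content` can take its result directly.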

View File

@@ -0,0 +1,20 @@
// Configure the matchbox provider
provider "matchbox" {
endpoint = var.matchbox_rpc_endpoint
client_cert = file("~/.matchbox/client.crt")
client_key = file("~/.matchbox/client.key")
ca = file("~/.matchbox/ca.crt")
}
terraform {
required_providers {
ct = {
source = "poseidon/ct"
version = "0.6.1"
}
matchbox = {
source = "poseidon/matchbox"
version = "0.4.1"
}
}
}

View File

@@ -1,7 +1,4 @@
matchbox_http_endpoint = "http://matchbox.example.com:8080"
matchbox_rpc_endpoint = "matchbox.example.com:8081"
# ssh_authorized_key = "ADD ME"
# Optional (defaults)
# install_disk = "/dev/sda"
# container_linux_oem = ""
os_version = "32.20200923.3.0"
ssh_authorized_key = "YOUR_SSH_KEY"
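Review bot: `ssh_authorized_key = "YOUR_SSH_KEY"` is now an active assignment, where the previous file had `# ssh_authorized_key = "ADD ME"` commented out. A user who copies the example file without editing it gets a successful `terraform apply` and machines provisioned with an unusable authorized key; with the variable left unset Terraform prompts for it, which is the better guard. Keep the placeholder commented out, or at least make the placeholder obviously invalid in the comment.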

View File

@@ -0,0 +1,26 @@
variable "matchbox_http_endpoint" {
type = string
description = "Matchbox HTTP read-only endpoint (e.g. http://matchbox.example.com:8080)"
}
variable "matchbox_rpc_endpoint" {
type = string
description = "Matchbox gRPC API endpoint, without the protocol (e.g. matchbox.example.com:8081)"
}
variable "os_stream" {
type = string
description = "Fedora CoreOS release stream (e.g. testing, stable)"
default = "stable"
}
variable "os_version" {
type = string
description = "Fedora CoreOS version to PXE and install (e.g. 32.20200923.3.0)"
}
variable "ssh_authorized_key" {
type = string
description = "SSH public key to set as an authorized_key on machines"
}

View File

@@ -21,7 +21,12 @@ storage:
inline: |
#!/bin/bash -ex
curl --retry 10 "{{.ignition_endpoint}}?{{.request.raw_query}}&os=installed" -o ignition.json
coreos-install -d /dev/sda -C stable -V current -i ignition.json {{if index . "baseurl"}}-b {{.baseurl}}{{end}}
flatcar-install \
-d /dev/sda \
-C stable \
-V current \
{{- if index . "baseurl"}}-b {{.baseurl}} \{{end}}
-i ignition.json
udevadm settle
systemctl reboot
passwd:
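Review bot: the `{{- if index . "baseurl"}}-b {{.baseurl}} \{{end}}` line works only by a quirk. The `{{-` trims the newline after `-V current \`, so when `baseurl` is set the rendered script reads `-V current \-b http://... \` and bash treats `\-` as an escaped dash rather than a line continuation; when `baseurl` is absent the trim leaves the `\` as a real continuation. Both cases happen to run, but the script is easier to reason about if the conditional sits inside a line that always ends in a continuation, e.g. `-V current {{if index . "baseurl"}}-b {{.baseurl}} {{end}}\`.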

View File

@@ -1,25 +1,25 @@
// Default matcher group for machines
resource "matchbox_group" "default" {
name = "default"
profile = "${matchbox_profile.coreos-install.name}"
profile = matchbox_profile.flatcar-install.name
# no selector means all machines can be matched
metadata = {
ignition_endpoint = "${var.matchbox_http_endpoint}/ignition"
ssh_authorized_key = "${var.ssh_authorized_key}"
ssh_authorized_key = var.ssh_authorized_key
}
}
// Match machines which have CoreOS Container Linux installed
resource "matchbox_group" "node1" {
name = "node1"
profile = "${matchbox_profile.simple.name}"
profile = matchbox_profile.worker.name
selector = {
os = "installed"
}
metadata = {
ssh_authorized_key = "${var.ssh_authorized_key}"
ssh_authorized_key = var.ssh_authorized_key
}
}
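Review bot: the comment `// Match machines which have CoreOS Container Linux installed` should now say Flatcar Linux, and the group named `node1` has no `mac` selector, only `os = "installed"`, so it matches every machine that has finished installing rather than one node; a name like `installed` or `workers` would describe what it does, and a comment saying that a `mac` selector is how to pin it to one machine would help readers who come from the deleted etcd3 example.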

View File

@@ -0,0 +1,24 @@
// Create a flatcar-install profile
resource "matchbox_profile" "flatcar-install" {
name = "flatcar-install"
kernel = "http://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_pxe.vmlinuz"
initrd = [
"http://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_pxe_image.cpio.gz",
]
args = [
"initrd=flatcar_production_pxe_image.cpio.gz",
"flatcar.config.url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}",
"flatcar.first_boot=yes",
"console=tty0",
"console=ttyS0",
]
container_linux_config = file("./clc/flatcar-install.yaml")
}
// Profile to set an SSH authorized key on first boot from disk
resource "matchbox_profile" "worker" {
name = "worker"
container_linux_config = file("./clc/flatcar.yaml")
}
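Review bot: the kernel and initrd URLs use `http://stable.release.flatcar-linux.net/...`, so the boot artifacts are fetched over plain HTTP with no integrity check, while the Fedora CoreOS profile in this commit is HTTPS-only and the docs now tell users to build iPXE with HTTPS support. Switching these to `https://` keeps the two examples at the same level; for deployments whose iPXE cannot do HTTPS, pointing the profile at the matchbox assets cache is the documented alternative.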

View File

@@ -0,0 +1,16 @@
// Configure the matchbox provider
provider "matchbox" {
endpoint = var.matchbox_rpc_endpoint
client_cert = file("~/.matchbox/client.crt")
client_key = file("~/.matchbox/client.key")
ca = file("~/.matchbox/ca.crt")
}
terraform {
required_providers {
matchbox = {
source = "poseidon/matchbox"
version = "0.4.1"
}
}
}

View File

@@ -1,3 +1,3 @@
matchbox_http_endpoint = "http://matchbox.example.com:8080"
matchbox_rpc_endpoint = "matchbox.example.com:8081"
ssh_authorized_key = "ssh-rsa you-contents"
ssh_authorized_key = "YOUR_SSH_KEY"

View File

@@ -1,14 +1,14 @@
variable "matchbox_http_endpoint" {
type = "string"
type = string
description = "Matchbox HTTP read-only endpoint (e.g. http://matchbox.example.com:8080)"
}
variable "matchbox_rpc_endpoint" {
type = "string"
type = string
description = "Matchbox gRPC API endpoint, without the protocol (e.g. matchbox.example.com:8081)"
}
variable "ssh_authorized_key" {
type = "string"
type = string
description = "SSH public key to set as an authorized_key on machines"
}

View File

@@ -1,33 +0,0 @@
# Terraform Modules
Matchbox provides Terraform [modules](https://www.terraform.io/docs/modules/usage.html) you can re-use directly within your own Terraform configs. Modules are updated regularly so it is **recommended** that you pin the module version (e.g. `ref=sha`) to keep your configs deterministic.
```hcl
module "profiles" {
source = "git::https://github.com/poseidon/matchbox.git//examples/terraform/modules/profiles?ref=08f4e9908b167fba608e60169ec6a803df9db37f"
matchbox_http_endpoint = "${var.matchbox_http_endpoint}"
container_linux_version = "${var.container_linux_version}"
container_linux_channel = "${var.container_linux_channel}"
}
```
Download referenced Terraform modules.
```sh
$ terraform get # does not check for updates
$ terraform get --update # checks for updates
```
Available modules:
| Module | Includes | Description |
|----------|-----------|-------------|
| profiles | * | Creates machine profiles you can reference in matcher groups |
| | container-linux-install | Install Container Linux to disk from core-os.net |
| | cached-container-linux-install | Install Container Linux to disk from matchbox assets cache |
| | etcd3 | Provision an etcd3 peer node |
| | etcd3-gateway | Provision an etcd3 gateway node |
## Customization
You are encouraged to look through the examples and modules. Implement your own profiles or package them as modules to meet your needs. We've just provided a starting point. Learn more about [matchbox](../../docs/matchbox.md) and [Container Linux configs](../../docs/container-linux-config.md).
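Review bot: deleting this README also removes the guidance about pinning the module source (`ref=sha`) to keep configs deterministic, plus the links to `../../docs/matchbox.md` and `../../docs/container-linux-config.md`; check that no remaining doc still links to `examples/terraform/modules` or the `profiles` module table, and that the pin-to-a-ref advice survives in the refreshed getting-started doc, since it applies equally to copying the new examples.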

View File

@@ -1,38 +0,0 @@
---
systemd:
units:
- name: installer.service
enable: true
contents: |
[Unit]
Requires=network-online.target
After=network-online.target
[Service]
Type=simple
ExecStart=/opt/installer
[Install]
WantedBy=multi-user.target
storage:
files:
- path: /opt/installer
filesystem: root
mode: 0500
contents:
inline: |
#!/bin/bash -ex
curl --retry 10 "${ignition_endpoint}?{{.request.raw_query}}&os=installed" -o ignition.json
coreos-install \
-d ${install_disk} \
-C ${container_linux_channel} \
-V ${container_linux_version} \
-o "${container_linux_oem}" \
${baseurl_flag} \
-i ignition.json
udevadm settle
systemctl reboot
passwd:
users:
- name: core
ssh_authorized_keys:
- {{.ssh_authorized_key}}

View File

@@ -1,25 +0,0 @@
---
systemd:
units:
- name: etcd-member.service
enable: true
dropins:
- name: 40-etcd-cluster.conf
contents: |
[Service]
Environment="ETCD_IMAGE_TAG=v3.2.0"
ExecStart=
ExecStart=/usr/lib/coreos/etcd-wrapper gateway start \
--listen-addr=127.0.0.1:2379 \
--endpoints={{.etcd_endpoints}}
- name: locksmithd.service
dropins:
- name: 40-etcd-lock.conf
contents: |
[Service]
Environment="REBOOT_STRATEGY=etcd-lock"
passwd:
users:
- name: core
ssh_authorized_keys:
- {{.ssh_authorized_key}}

View File

@@ -1,28 +0,0 @@
---
systemd:
units:
- name: etcd-member.service
enable: true
dropins:
- name: 40-etcd-cluster.conf
contents: |
[Service]
Environment="ETCD_IMAGE_TAG=v3.2.0"
Environment="ETCD_NAME={{.etcd_name}}"
Environment="ETCD_ADVERTISE_CLIENT_URLS=http://{{.domain_name}}:2379"
Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=http://{{.domain_name}}:2380"
Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379"
Environment="ETCD_LISTEN_PEER_URLS=http://0.0.0.0:2380"
Environment="ETCD_INITIAL_CLUSTER={{.etcd_initial_cluster}}"
Environment="ETCD_STRICT_RECONFIG_CHECK=true"
- name: locksmithd.service
dropins:
- name: 40-etcd-lock.conf
contents: |
[Service]
Environment="REBOOT_STRATEGY=etcd-lock"
passwd:
users:
- name: core
ssh_authorized_keys:
- {{.ssh_authorized_key}}
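Review bot: nothing should copy this deleted template forward as a reference configuration: it advertised client and peer URLs over plain `http://` (`ETCD_ADVERTISE_CLIENT_URLS=http://{{.domain_name}}:2379`, `ETCD_LISTEN_PEER_URLS=http://0.0.0.0:2380`) with no client or peer TLS, and pinned `ETCD_IMAGE_TAG=v3.2.0`; dropping it along with the etcd3 example, as the commit message states, is the right call.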

View File

@@ -1,15 +0,0 @@
output "container-linux-install" {
value = "${matchbox_profile.container-linux-install.name}"
}
output "cached-container-linux-install" {
value = "${matchbox_profile.cached-container-linux-install.name}"
}
output "etcd3" {
value = "${matchbox_profile.etcd3.name}"
}
output "etcd3-gateway" {
value = "${matchbox_profile.etcd3-gateway.name}"
}

View File

@@ -1,82 +0,0 @@
// Container Linux Install profile (from release.core-os.net)
resource "matchbox_profile" "container-linux-install" {
name = "container-linux-install"
kernel = "http://${var.container_linux_channel}.release.core-os.net/amd64-usr/${var.container_linux_version}/coreos_production_pxe.vmlinuz"
initrd = [
"http://${var.container_linux_channel}.release.core-os.net/amd64-usr/${var.container_linux_version}/coreos_production_pxe_image.cpio.gz",
]
args = [
"initrd=coreos_production_pxe_image.cpio.gz",
"coreos.config.url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}",
"coreos.first_boot=yes",
"console=tty0",
"console=ttyS0",
]
container_linux_config = "${data.template_file.container-linux-install-config.rendered}"
}
data "template_file" "container-linux-install-config" {
template = "${file("${path.module}/cl/container-linux-install.yaml.tmpl")}"
vars {
container_linux_channel = "${var.container_linux_channel}"
container_linux_version = "${var.container_linux_version}"
ignition_endpoint = "${format("%s/ignition", var.matchbox_http_endpoint)}"
install_disk = "${var.install_disk}"
container_linux_oem = "${var.container_linux_oem}"
# only cached-container-linux profile adds -b baseurl
baseurl_flag = ""
}
}
// Container Linux Install profile (from matchbox /assets cache)
// Note: Admin must have downloaded container_linux_version into matchbox assets.
resource "matchbox_profile" "cached-container-linux-install" {
name = "cached-container-linux-install"
kernel = "/assets/coreos/${var.container_linux_version}/coreos_production_pxe.vmlinuz"
initrd = [
"/assets/coreos/${var.container_linux_version}/coreos_production_pxe_image.cpio.gz",
]
args = [
"initrd=coreos_production_pxe_image.cpio.gz",
"coreos.config.url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}",
"coreos.first_boot=yes",
"console=tty0",
"console=ttyS0",
]
container_linux_config = "${data.template_file.cached-container-linux-install-config.rendered}"
}
data "template_file" "cached-container-linux-install-config" {
template = "${file("${path.module}/cl/container-linux-install.yaml.tmpl")}"
vars {
container_linux_channel = "${var.container_linux_channel}"
container_linux_version = "${var.container_linux_version}"
ignition_endpoint = "${format("%s/ignition", var.matchbox_http_endpoint)}"
install_disk = "${var.install_disk}"
container_linux_oem = "${var.container_linux_oem}"
# profile uses -b baseurl to install from matchbox cache
baseurl_flag = "-b ${var.matchbox_http_endpoint}/assets/coreos"
}
}
// etcd3 profile
resource "matchbox_profile" "etcd3" {
name = "etcd3"
container_linux_config = "${file("${path.module}/cl/etcd3.yaml.tmpl")}"
}
// etcd3 Gateway profile
resource "matchbox_profile" "etcd3-gateway" {
name = "etcd3-gateway"
container_linux_config = "${file("${path.module}/cl/etcd3-gateway.yaml.tmpl")}"
}
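Review bot: this file was the only visible consumer of the `template_file` data source (`data "template_file" "container-linux-install-config"`), which requires the `template` provider; with the file gone, confirm no remaining example or doc still references that provider, so that `terraform init` on the refreshed examples only needs `poseidon/matchbox` as declared in the new `required_providers` block. Note also that the `coreos.config.url` arguments here used `$${uuid}` and `$${mac:hexhyp}` escaping for the matchbox templating; whatever replaces these profiles for Flatcar must keep that escaping or Terraform will try to interpolate them.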

View File

@@ -1,28 +0,0 @@
variable "matchbox_http_endpoint" {
type = "string"
description = "Matchbox HTTP read-only endpoint (e.g. http://matchbox.example.com:8080)"
}
variable "container_linux_version" {
type = "string"
description = "Container Linux version of the kernel/initrd to PXE or the image to install"
}
variable "container_linux_channel" {
type = "string"
description = "Container Linux channel corresponding to the container_linux_version"
}
# optional
variable "install_disk" {
type = "string"
default = "/dev/sda"
description = "Disk device to which the install profiles should install Container Linux (e.g. /dev/sda)"
}
variable "container_linux_oem" {
type = "string"
default = ""
description = "Specify an OEM image id to use as base for the installation (e.g. ami, vmware_raw, xen) or leave blank for the default image"
}

View File

@@ -1,25 +0,0 @@
// Create a CoreOS-install profile
resource "matchbox_profile" "coreos-install" {
name = "coreos-install"
kernel = "http://stable.release.core-os.net/amd64-usr/current/coreos_production_pxe.vmlinuz"
initrd = [
"http://stable.release.core-os.net/amd64-usr/current/coreos_production_pxe_image.cpio.gz",
]
args = [
"initrd=coreos_production_pxe_image.cpio.gz",
"coreos.config.url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}",
"coreos.first_boot=yes",
"console=tty0",
"console=ttyS0",
]
container_linux_config = "${file("./cl/coreos-install.yaml.tmpl")}"
}
// Create a simple profile which just sets an SSH authorized_key
resource "matchbox_profile" "simple" {
name = "simple"
container_linux_config = "${file("./cl/simple.yaml.tmpl")}"
}

View File

@@ -1,7 +0,0 @@
// Configure the matchbox provider
provider "matchbox" {
endpoint = "${var.matchbox_rpc_endpoint}"
client_cert = "${file("~/.matchbox/client.crt")}"
client_key = "${file("~/.matchbox/client.key")}"
ca = "${file("~/.matchbox/ca.crt")}"
}
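Review bot: this 0.11-style provider block (`"${var.matchbox_rpc_endpoint}"` interpolation-only strings, no `required_providers`) is correctly superseded by the new providers.tf with `source = "poseidon/matchbox"`; make sure the getting-started `terraform init` step is updated to say the provider is now fetched from the registry rather than installed manually as a plugin binary.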