sync setup

2025-11-02 19:28:35 +00:00 · 2024-08-16 17:57:31 +03:00
parent 4797ae6210
commit 4934aebeff
16 changed files with 253 additions and 108 deletions
--- a/oracle/images/Makefile
+++ b/oracle/images/Makefile
@@ -0,0 +1,39 @@
 #
 REGISTRY ?= ghcr.io/siderolabs
 TAG ?= 1.6.7
 clean:
 	rm -rf .terraform.lock.hcl .terraform/
 	rm -f oracle-*.qcow2
 	rm -f oracle-*.oci
 	rm -f image_metadata.json
 init:
 	terraform init -upgrade
 images: clean
 	docker run --rm -i -v /dev:/dev --privileged $(REGISTRY)/imager:v$(TAG) oracle \
 		--extra-kernel-arg talos.dashboard.disabled=1 --platform oracle --arch amd64 --tar-to-stdout | tar xz
 	xz -d oracle-amd64.qcow2.xz
 	cp image_metadata_amd64.json image_metadata.json
 	tar zcf oracle-amd64.oci oracle-amd64.qcow2 image_metadata.json
 	docker run --rm -i -v /dev:/dev --privileged $(REGISTRY)/imager:v$(TAG) oracle \
 		--extra-kernel-arg talos.dashboard.disabled=1 --platform oracle --arch arm64 --tar-to-stdout | tar xz
 	xz -d oracle-arm64.qcow2.xz
 	cp image_metadata_arm64.json image_metadata.json
 	tar zcf oracle-arm64.oci oracle-arm64.qcow2 image_metadata.json
 images-factory: clean
 	wget -O oracle-amd64.qcow2.xz https://factory.talos.dev/image/6d423353cba6ef7d56d5a818fff27caf23f32b90cf271eada90f706141a84ec0/v$(TAG)/oracle-amd64.qcow2.xz
 	xz -d oracle-amd64.qcow2.xz
 	cp image_metadata_amd64.json image_metadata.json
 	tar zcf oracle-amd64.oci oracle-amd64.qcow2 image_metadata.json
 	wget -O oracle-arm64.qcow2.xz https://factory.talos.dev/image/6d423353cba6ef7d56d5a818fff27caf23f32b90cf271eada90f706141a84ec0/v$(TAG)/oracle-arm64.qcow2.xz
 	xz -d oracle-arm64.qcow2.xz
 	cp image_metadata_arm64.json image_metadata.json
 	tar zcf oracle-arm64.oci oracle-arm64.qcow2 image_metadata.json
 images-update:
 	terraform apply -var="release=v$(TAG)"
--- a/oracle/images/auth.tf
+++ b/oracle/images/auth.tf
@@ -8,5 +8,5 @@ provider "oci" {
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint
  private_key_path = var.key_file
-  region           = var.region
+  region           = local.region
 }
--- a/oracle/images/images.tf
+++ b/oracle/images/images.tf
@@ -1,55 +1,38 @@
-resource "oci_objectstorage_object" "talos_amd64" {
+resource "oci_objectstorage_object" "talos" {
  for_each = toset(var.arch)
  bucket      = oci_objectstorage_bucket.images.name
  namespace   = data.oci_objectstorage_namespace.ns.namespace
-  object      = "talos-amd64.oci"
+  object      = "talos-${lower(each.key)}.oci"
-  source      = "oracle-amd64.oci"
+  source      = "oracle-${lower(each.key)}.oci"
-  content_md5 = filemd5("oracle-amd64.oci")
+  content_md5 = filemd5("oracle-${lower(each.key)}.oci")
 }
-resource "oci_objectstorage_object" "talos_arm64" {
+resource "oci_core_image" "talos" {
-  bucket      = oci_objectstorage_bucket.images.name
+  for_each       = toset(var.arch)
  namespace   = data.oci_objectstorage_namespace.ns.namespace
  object      = "talos-arm64.oci"
  source      = "oracle-arm64.oci"
  content_md5 = filemd5("oracle-arm64.oci")
 }
 resource "oci_core_image" "talos_amd64" {
  compartment_id = var.compartment_ocid
-  display_name   = "Talos-amd64"
+  display_name   = "Talos-${lower(each.key)}"
  defined_tags   = local.tags
  freeform_tags  = { "OS" : "Talos", "Arch" : lower(each.key) }
  launch_mode    = "PARAVIRTUALIZED"
  image_source_details {
    source_type    = "objectStorageTuple"
    namespace_name = oci_objectstorage_bucket.images.namespace
    bucket_name    = oci_objectstorage_bucket.images.name
-    object_name    = oci_objectstorage_object.talos_amd64.object
+    object_name    = oci_objectstorage_object.talos[each.key].object
    operating_system         = "Talos"
-    operating_system_version = "1.3.0"
+    operating_system_version = var.release
    source_image_type        = "QCOW2"
  }
-  timeouts {
+  lifecycle {
-    create = "30m"
+    ignore_changes = [
-  }
+      defined_tags,
-}
+    ]
-
+    replace_triggered_by = [oci_objectstorage_object.talos[each.key].content_md5]
 resource "oci_core_image" "talos_arm64" {
  compartment_id = var.compartment_ocid
  display_name   = "Talos-arm64"
  launch_mode    = "PARAVIRTUALIZED"
  image_source_details {
    source_type    = "objectStorageTuple"
    namespace_name = oci_objectstorage_bucket.images.namespace
    bucket_name    = oci_objectstorage_bucket.images.name
    object_name    = oci_objectstorage_object.talos_arm64.object
    operating_system         = "Talos"
    operating_system_version = "1.3.0"
    source_image_type        = "QCOW2"
  }
  timeouts {
--- a/oracle/images/variables.tf
+++ b/oracle/images/variables.tf
@@ -1,14 +1,40 @@
-variable "compartment_ocid" {}
+variable "compartment_ocid" {
-variable "tenancy_ocid" {}
+  description = "The OCID of the compartment"
  type        = string
  default     = "ocid1.compartment.oc1.."
 }
 variable "tenancy_ocid" {
  description = "The OCID of the tenancy"
  type        = string
  default     = "ocid1.tenancy.oc1.."
 }
 variable "user_ocid" {}
 variable "fingerprint" {}
 variable "key_file" {
  default = "~/.oci/oci_main_terraform.pem"
 }
-variable "region" {
+data "terraform_remote_state" "init" {
-  description = "the OCI region where resources will be created"
+  backend = "local"
-  type        = string
+  config = {
-  default     = null
+    path = "${path.module}/../prepare/terraform.tfstate"
  }
 }
 locals {
  region = data.terraform_remote_state.init.outputs.region
  tags   = data.terraform_remote_state.init.outputs.tags
 }
 variable "release" {
  description = "The image name"
  type        = string
  default     = "1.6.7"
 }
 variable "arch" {
  description = "The Talos architecture list"
  type        = list(string)
  default     = ["amd64", "arm64"]
 }
--- a/oracle/images/versions.tf
+++ b/oracle/images/versions.tf
@@ -2,9 +2,23 @@
 terraform {
  required_providers {
    oci = {
-      source  = "hashicorp/oci"
+      source  = "oracle/oci"
-      version = "4.108.0"
+      version = "5.38.0"
    }
  }
-  required_version = ">= 1.2"
+  required_version = ">= 1.5"
 }
 # terraform {
 #   backend "s3" {
 #     bucket                      = "YYY"
 #     key                         = "images/terraform.tfstate"
 #     region                      = local.region
 #     endpoint                    = "https://XXX.compat.objectstorage.${local.region}.oraclecloud.com"
 #     shared_credentials_file     = "../terraform.tfstate.credentials"
 #     skip_region_validation      = true
 #     skip_credentials_validation = true
 #     skip_metadata_api_check     = true
 #     force_path_style            = true
 #   }
 # }
--- a/oracle/prepare/Makefile
+++ b/oracle/prepare/Makefile
@@ -0,0 +1,7 @@
 init:
 	terraform init -upgrade
 apply:
 	terraform apply -target=oci_core_vcn.main
 	terraform apply
--- a/oracle/prepare/common.tf
+++ b/oracle/prepare/common.tf
@@ -14,3 +14,11 @@ data "oci_core_services" "object_store" {
    regex  = true
  }
 }
 data "oci_core_services" "all_services" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
 }
--- a/oracle/prepare/variables.tf
+++ b/oracle/prepare/variables.tf
@@ -26,25 +26,6 @@ variable "tags" {
  }
 }
 variable "kubernetes" {
  type = map(string)
  default = {
    podSubnets     = "10.32.0.0/12,fd40:10:32::/102"
    serviceSubnets = "10.200.0.0/22,fd40:10:200::/112"
    nodeSubnets    = "192.168.0.0/16"
    domain         = "cluster.local"
    apiDomain      = "api.cluster.local"
    clusterName    = "talos-k8s-oracle"
    clusterID      = ""
    clusterSecret  = ""
    tokenMachine   = ""
    caMachine      = ""
    token          = ""
    ca             = ""
  }
  sensitive = true
 }
 variable "vpc_main_cidr" {
  description = "Local subnet rfc1918"
  type        = string
--- a/oracle/prepare/versions.tf
+++ b/oracle/prepare/versions.tf
@@ -2,9 +2,9 @@
 terraform {
  required_providers {
    oci = {
-      source  = "hashicorp/oci"
+      source  = "oracle/oci"
-      version = "4.108.0"
+      version = "5.38.0"
    }
  }
-  required_version = ">= 1.2"
+  required_version = ">= 1.5"
 }
--- a/oracle/scripts/download
+++ b/oracle/scripts/download
@@ -1,16 +0,0 @@
 #!/bin/bash 
 dest="./images"
 version="1.5.5"
 url=https://github.com/siderolabs/talos/releases/download/v${version}/
 for arch in amd64 arm64
 do
  file=oracle-${arch}.qcow2.xz
  echo "Downloading ${file} to ${dest}/${file}"
  curl -L ${url}/${file} -o ${dest}/${file}
  echo "Extracting: ${dest}/${file}"
  xz -df ${dest}/${file}
  echo
 done
--- a/oracle/services/auth.tf
+++ b/oracle/services/auth.tf
@@ -1,13 +1,8 @@
 # openssl genrsa -out ~/.oci/oci_api_key.pem 2048
 # chmod go-rwx ~/.oci/oci_api_key.pem
 # openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem
 provider "oci" {
  tenancy_ocid     = var.tenancy_ocid
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint
-  private_key_path = "~/.oci/oci_api_key.pem"
+  private_key_path = var.key_file
-
+  region           = local.region
  region = var.region
 }
--- a/oracle/services/backet-backup.tf
+++ b/oracle/services/backet-backup.tf
@@ -0,0 +1,52 @@
 resource "random_string" "backup" {
  length  = 16
  numeric = false
  special = false
  upper   = false
 }
 data "oci_objectstorage_namespace" "namespace" {
  compartment_id = var.compartment_ocid
 }
 resource "oci_objectstorage_bucket" "backup" {
  compartment_id = var.compartment_ocid
  name           = random_string.registry.result
  namespace      = data.oci_objectstorage_namespace.namespace.namespace
  defined_tags   = merge(local.tags, { "Kubernetes.Type" = "project", "Kubernetes.Role" = "backup" })
  access_type  = "NoPublicAccess"
  auto_tiering = "Disabled"
  storage_tier = "Standard"
  versioning   = "Disabled"
  lifecycle {
    ignore_changes = [
      defined_tags,
    ]
  }
 }
 resource "oci_objectstorage_object_lifecycle_policy" "test_object_lifecycle_policy" {
  bucket    = oci_objectstorage_bucket.backup.name
  namespace = data.oci_objectstorage_namespace.namespace.namespace
  rules {
    action      = "DELETE"
    is_enabled  = "true"
    name        = "Clean all objects"
    time_amount = "30"
    time_unit   = "DAYS"
    target      = "objects"
  }
  rules {
    action      = "ABORT"
    is_enabled  = "true"
    name        = "Abort incomplete multipart uploads"
    time_amount = "2"
    time_unit   = "DAYS"
    target      = "multipart-uploads"
  }
 }
--- a/oracle/services/output.tf
+++ b/oracle/services/output.tf
@@ -1,5 +1,16 @@
-output "registry" {
+output "registries" {
  description = "Registry name"
-  value       = "https://${var.region}.ocir.io/${data.oci_artifacts_container_configuration.registry.namespace}/${oci_artifacts_container_repository.registry.display_name}"
+  value = [for repo in oci_artifacts_container_repository.registry :
    try("${local.region}.ocir.io/${data.oci_artifacts_container_configuration.registry.namespace}/${repo.display_name}", "")
  ]
 }
 output "backup" {
  description = "Backup bucket name"
  value = {
    bucket   = oci_objectstorage_bucket.backup.name,
    region   = local.region,
    endpoint = "https://${data.oci_objectstorage_namespace.namespace.namespace}.compat.objectstorage.${local.region}.oraclecloud.com",
  }
 }
--- a/oracle/services/registry.tf
+++ b/oracle/services/registry.tf
@@ -1,6 +1,9 @@
-resource "random_id" "registry" {
+resource "random_string" "registry" {
-  byte_length = 8
+  length  = 16
  numeric = false
  special = false
  upper   = false
 }
 data "oci_artifacts_container_configuration" "registry" {
@@ -8,13 +11,21 @@ data "oci_artifacts_container_configuration" "registry" {
 }
 resource "oci_artifacts_container_repository" "registry" {
  for_each       = toset(var.repos)
  compartment_id = var.compartment_ocid
-  display_name   = "registry-${random_id.registry.hex}"
+  display_name   = "${random_string.registry.result}/${each.value}"
  defined_tags   = merge(local.tags, { "Kubernetes.Type" = "infra" })
  is_immutable   = false
  is_public      = false
  readme {
-    content = "Container registry for ${var.project}"
+    content = "Container mirror of ${each.value}"
    format  = "text/plain"
  }
  lifecycle {
    ignore_changes = [
      defined_tags,
    ]
  }
 }
--- a/oracle/services/variables.tf
+++ b/oracle/services/variables.tf
@@ -1,16 +1,35 @@
-variable "compartment_ocid" {}
+variable "compartment_ocid" {
-variable "tenancy_ocid" {}
+  description = "The OCID of the compartment"
  type        = string
  default     = "ocid1.compartment.oc1.."
 }
 variable "tenancy_ocid" {
  description = "The OCID of the tenancy"
  type        = string
  default     = "ocid1.tenancy.oc1.."
 }
 variable "user_ocid" {}
 variable "fingerprint" {}
-
+variable "key_file" {
-variable "project" {
+  default = "~/.oci/oci_production_terraform.pem"
  type    = string
  default = "main"
 }
-variable "region" {
+data "terraform_remote_state" "prepare" {
-  description = "the OCI region where resources will be created"
+  backend = "local"
-  type        = string
+  config = {
-  default     = null
+    path = "${path.module}/../prepare/terraform.tfstate"
  }
 }
 locals {
  project = data.terraform_remote_state.prepare.outputs.project
  region  = data.terraform_remote_state.prepare.outputs.region
  tags    = data.terraform_remote_state.prepare.outputs.tags
 }
 variable "repos" {
  default = [
    "kubelet",
  ]
 }
--- a/oracle/services/versions.tf
+++ b/oracle/services/versions.tf
@@ -2,8 +2,23 @@
 terraform {
  required_providers {
    oci = {
-      source  = "hashicorp/oci"
+      source  = "oracle/oci"
-      version = "4.108.0"
+      version = "5.38.0"
    }
  }
  required_version = ">= 1.5"
 }
 # terraform {
 #   backend "s3" {
 #     bucket                      = "YYY"
 #     key                         = "services/terraform.tfstate"
 #     region                      = local.region
 #     endpoint                    = "https://fracoo9ea64h.compat.objectstorage.${local.region}.oraclecloud.com"
 #     shared_credentials_file     = "../terraform.tfstate.credentials"
 #     skip_region_validation      = true
 #     skip_credentials_validation = true
 #     skip_metadata_api_check     = true
 #     force_path_style            = true
 #   }
 # }