Add controlplane template

2025-10-29 17:42:47 +00:00 · 2021-05-31 00:09:31 +03:00
parent 9b7048abbc
commit 6973802fde
7 changed files with 108 additions and 6 deletions
--- a/README.md
+++ b/README.md
@@ -1,2 +1,22 @@
 # terraform-talos
+
 Terraform examples to run Talos
+
+* terraform
+* talosctl
+* kubectl
+* yq
+
+## Talos on Hetzner Cloud
+
+```bash
+cd hetzner
+
+# create the cluster configuration
+talosctl gen config --output-dir _cfgs --with-docs=false --with-examples=false talos-k8s-hezner https://127.0.0.1:6443
+yq ea -P '. as $item ireduce ({}; . * $item )' _cfgs/controlplane.yaml templates/controlplane.yaml.tpl > templates/controlplane.yaml
+```
+
+```bash
+kubectl -n kube-system create secret generic hcloud --from-literal=network= --from-literal=token=
+```
--- a/hetzner/.gitignore
+++ b/hetzner/.gitignore
@@ -1 +1,3 @@
-controlplane-*.yaml
+_cfgs/
+controlplane-*.yaml
+templates/controlplane.yaml
--- a/hetzner/instances-master.tf
+++ b/hetzner/instances-master.tf
@@ -17,6 +17,7 @@ resource "hcloud_server" "controlplane" {

  lifecycle {
    ignore_changes = [
+      server_type,
      user_data,
      ssh_keys,
    ]
@@ -32,9 +33,10 @@ resource "hcloud_load_balancer_target" "api" {

 resource "local_file" "controlplane" {
  count = lookup(var.controlplane, "count", 0)
-  content = templatefile("${path.module}/templates/api.yaml.tpl",
+  content = templatefile("${path.module}/templates/controlplane.yaml",
    merge(var.kubernetes, {
      name       = "kube-api-${count.index + 1}"
+      type       = count.index == 0 ? "init" : "controlplane"
      ipv4_local = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
      ipv4       = hcloud_server.controlplane[count.index].ipv4_address
      ipv6       = hcloud_server.controlplane[count.index].ipv6_address
--- a/hetzner/modules/templates/worker.yaml.tpl
+++ b/hetzner/modules/templates/worker.yaml.tpl
@@ -8,6 +8,8 @@ machine:
  kubelet:
    extraArgs:
      node-ip: "${ipv4}"
+      cloud-provider: external
+      rotate-server-certificates: true
  network:
    hostname: "${name}"
    interfaces:
--- a/hetzner/network-secgroup.tf
+++ b/hetzner/network-secgroup.tf
@@ -34,6 +34,13 @@ resource "hcloud_firewall" "controlplane" {
    port       = "50001"
    source_ips = [var.vpc_main_cidr]
  }
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "2380"
+    source_ips = ["0.0.0.0/0"]
+    # source_ips = var.whitelist_admins
+  }
  rule {
    direction  = "in"
    protocol   = "tcp"
--- a/hetzner/templates/controlplane.yaml.tpl
+++ b/hetzner/templates/controlplane.yaml.tpl
@@ -0,0 +1,69 @@
+version: v1alpha1
+debug: false
+persist: true
+machine:
+  type: ${type}
+  certSANs:
+    - "${lbv4}"
+    - "${lbv6}"
+    - "${lbv4_local}"
+    - "${ipv4}"
+    - "${ipv6}"
+  kubelet:
+    extraArgs:
+      node-ip: "${ipv4_local}"
+      rotate-server-certificates: true
+  network:
+    hostname: "${name}"
+    interfaces:
+      - interface: eth0
+        dhcp: true
+      - interface: eth0
+        cidr: "${ipv6}/64"
+      - interface: eth1
+        dhcp: true
+      - interface: dummy0
+        cidr: "169.254.2.53/32"
+      - interface: dummy0
+        cidr: "fd00::169:254:2:53/128"
+  sysctls:
+    net.core.somaxconn: 65535
+    net.core.netdev_max_backlog: 4096
+  install:
+    disk: /dev/sda
+    extraKernelArgs:
+      - elevator=noop
+    bootloader: true
+    wipe: false
+  systemDiskEncryption:
+    ephemeral:
+      provider: luks2
+      keys:
+        - nodeID: {}
+          slot: 0
+cluster:
+  controlPlane:
+    endpoint: https://${lbv4}:6443
+  network:
+    dnsDomain: ${domain}
+    podSubnets:
+    - ${podSubnets}
+    serviceSubnets:
+    - ${serviceSubnets}
+  proxy:
+    mode: ipvs
+  apiServer:
+    certSANs:
+      - "${lbv4_local}"
+      - "${lbv4}"
+      - "${lbv6}"
+      - "${ipv4}"
+  controllerManager: {}
+  scheduler: {}
+  etcd: {}
+  externalCloudProvider:
+    enabled: true
+    manifests:
+      - https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/latest/download/ccm.yaml
+      - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
+      - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
--- a/hetzner/variables.tf
+++ b/hetzner/variables.tf
@@ -40,8 +40,8 @@ variable "controlplane" {
  description = "Count of controlplanes"
  type        = map(any)
  default = {
-    count = 1,
-    type  = "cx11"
+    count = 0,
+    type  = "cpx11"
  }
 }

@@ -62,9 +62,9 @@ variable "instances" {
      worker_instance_type = "cx11",
    }
    "hel1" = {
-      web_count            = 1,
+      web_count            = 0,
      web_instance_type    = "cx11",
-      worker_count         = 1,
+      worker_count         = 0,
      worker_instance_type = "cx11",
    }
  }