Deploy web and worker nodes

2025-11-01 18:58:39 +00:00 · 2021-05-30 20:43:59 +03:00
parent 457eafc557
commit 9b7048abbc
12 changed files with 245 additions and 18 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,7 @@ override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
+
+#
+talosctl
+talosconfig
--- a/hetzner/instances-common.tf
+++ b/hetzner/instances-common.tf
@@ -3,6 +3,10 @@ data "hcloud_image" "talos" {
  with_selector = "type=infra"
 }

+data "hcloud_ssh_key" "infra" {
+  with_selector = "type=infra"
+}
+
 # resource "talos_cluster_config" "talos_config" {
 #   cluster_name = var.cluster_name
 #   endpoint     = "https://${hcloud_load_balancer.api.ip}:6443"
--- a/hetzner/instances-master.tf
+++ b/hetzner/instances-master.tf
@@ -5,6 +5,7 @@ resource "hcloud_server" "controlplane" {
  name        = "kube-api-${count.index + 1}"
  image       = data.hcloud_image.talos.id
  server_type = lookup(var.controlplane, "type", "cpx11")
+  ssh_keys    = [data.hcloud_ssh_key.infra.id]
  keep_disk   = true
  labels      = merge(var.tags, { type = "infra", label = "master" })

@@ -29,14 +30,15 @@ resource "hcloud_load_balancer_target" "api" {
  server_id        = hcloud_server.controlplane[count.index].id
 }

-resource "local_file" "init" {
+resource "local_file" "controlplane" {
  count = lookup(var.controlplane, "count", 0)
  content = templatefile("${path.module}/templates/api.yaml.tpl",
-    merge(var.vm_params, {
+    merge(var.kubernetes, {
      name       = "kube-api-${count.index + 1}"
+      ipv4_local = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
      ipv4       = hcloud_server.controlplane[count.index].ipv4_address
      ipv6       = hcloud_server.controlplane[count.index].ipv6_address
-      lbv4_local = cidrhost(hcloud_network_subnet.core.ip_range, 5)
+      lbv4_local = hcloud_load_balancer_network.api.ip
      lbv4       = hcloud_load_balancer.api.ipv4
      lbv6       = hcloud_load_balancer.api.ipv6
    })
@@ -46,3 +48,11 @@ resource "local_file" "init" {

  depends_on = [hcloud_server.controlplane]
 }
+
+resource "null_resource" "controlplane_apply" {
+  count = lookup(var.controlplane, "count", 0)
+  provisioner "local-exec" {
+    command = "sleep 60 && ./talosctl apply-config --insecure --nodes ${hcloud_server.controlplane[count.index].ipv4_address} --file controlplane-${count.index + 1}.yaml"
+  }
+  depends_on = [local_file.controlplane]
+}
--- a/hetzner/instances-web.tf
+++ b/hetzner/instances-web.tf
@@ -0,0 +1,21 @@
+
+module "web" {
+  source = "./modules/worker"
+
+  for_each = var.instances
+  location = each.key
+  labels   = merge(var.tags, { label = "web" })
+  network  = hcloud_network.main.id
+  subnet   = hcloud_network_subnet.core.ip_range
+
+  vm_name           = "web-${each.key}-"
+  vm_items          = lookup(each.value, "web_count", 0)
+  vm_type           = lookup(each.value, "web_instance_type", "cx11")
+  vm_image          = data.hcloud_image.talos.id
+  vm_ip_start       = (3 + index(var.regions, each.key)) * 10
+  vm_security_group = [hcloud_firewall.web.id]
+
+  vm_params = merge(var.kubernetes, {
+    lbv4 = hcloud_load_balancer_network.api.ip
+  })
+}
--- a/hetzner/instances-workers.tf
+++ b/hetzner/instances-workers.tf
@@ -0,0 +1,21 @@
+
+module "worker" {
+  source = "./modules/worker"
+
+  for_each = var.instances
+  location = each.key
+  labels   = merge(var.tags, { label = "worker" })
+  network  = hcloud_network.main.id
+  subnet   = hcloud_network_subnet.core.ip_range
+
+  vm_name           = "worker-${each.key}-"
+  vm_items          = lookup(each.value, "worker_count", 0)
+  vm_type           = lookup(each.value, "worker_instance_type", "cx11")
+  vm_image          = data.hcloud_image.talos.id
+  vm_ip_start       = (6 + index(var.regions, each.key)) * 10
+  vm_security_group = [hcloud_firewall.worker.id]
+
+  vm_params = merge(var.kubernetes, {
+    lbv4 = hcloud_load_balancer_network.api.ip
+  })
+}
--- a/hetzner/modules/templates/worker.yaml.tpl
+++ b/hetzner/modules/templates/worker.yaml.tpl
@@ -0,0 +1,49 @@
+version: v1alpha1
+debug: false
+persist: true
+machine:
+  type: worker
+  token: ${tokenmachine}
+  certSANs: []
+  kubelet:
+    extraArgs:
+      node-ip: "${ipv4}"
+  network:
+    hostname: "${name}"
+    interfaces:
+      - interface: eth0
+        dhcp: true
+      - interface: eth1
+        dhcp: true
+      - interface: dummy0
+        cidr: "169.254.2.53/32"
+      - interface: dummy0
+        cidr: "fd00::169:254:2:53/128"
+  sysctls:
+    net.core.somaxconn: 65535
+    net.core.netdev_max_backlog: 4096
+  install:
+    disk: /dev/sda
+    extraKernelArgs:
+      - elevator=noop
+    image: ghcr.io/talos-systems/installer:v0.10.3
+    bootloader: true
+    wipe: true
+  systemDiskEncryption:
+    ephemeral:
+      provider: luks2
+      keys:
+        - nodeID: {}
+          slot: 0
+cluster:
+  controlPlane:
+    endpoint: https://${lbv4}:6443
+  clusterName: ${cluster_name}
+  network:
+    dnsDomain: ${domain}
+  proxy:
+    mode: ipvs
+  token: ${token}
+  ca:
+    crt: ${ca}
+    key: ""
--- a/hetzner/modules/worker/main.tf
+++ b/hetzner/modules/worker/main.tf
@@ -0,0 +1,45 @@
+
+resource "hcloud_server" "worker" {
+  count       = var.vm_items
+  location    = var.location
+  name        = "${var.vm_name}${count.index + 1}"
+  image       = var.vm_image
+  server_type = var.vm_type
+  ssh_keys    = []
+  keep_disk   = true
+  labels      = var.labels
+
+  user_data = templatefile("${path.module}/../templates/worker.yaml.tpl",
+    merge(var.vm_params, {
+      name = "${var.vm_name}${count.index + 1}"
+      ipv4 = cidrhost(var.subnet, var.vm_ip_start + count.index)
+    })
+  )
+
+  firewall_ids = var.vm_security_group
+  network {
+    network_id = var.network
+    ip         = cidrhost(var.subnet, var.vm_ip_start + count.index)
+  }
+
+  lifecycle {
+    ignore_changes = [
+      user_data,
+      ssh_keys,
+    ]
+  }
+}
+
+# resource "local_file" "worker" {
+#   count = var.vm_items
+#   content = templatefile("${path.module}/../templates/worker.yaml.tpl",
+#     merge(var.vm_params, {
+#       name = "${var.vm_name}${count.index + 1}"
+#       ipv4 = cidrhost(var.subnet, var.vm_ip_start + count.index)
+#     })
+#   )
+#   filename        = "${var.vm_name}${count.index + 1}.yaml"
+#   file_permission = "0640"
+
+#   depends_on = [hcloud_server.worker]
+# }
--- a/hetzner/modules/worker/outputs.tf
+++ b/hetzner/modules/worker/outputs.tf
@@ -0,0 +1,4 @@
+
+output "vms" {
+  value = hcloud_server.worker
+}
--- a/hetzner/modules/worker/variables.tf
+++ b/hetzner/modules/worker/variables.tf
@@ -0,0 +1,52 @@
+
+variable "location" {
+  type    = string
+  default = "nbg1"
+}
+
+variable "labels" {
+  type        = map(string)
+  description = "Tags of resources"
+}
+
+variable "network" {
+  type        = string
+  description = "Network id"
+}
+
+variable "subnet" {
+  type        = string
+  description = "Subnet cidr"
+}
+
+variable "vm_name" {
+  type    = string
+  default = "worker-"
+}
+
+variable "vm_items" {
+  type    = number
+  default = 0
+}
+
+variable "vm_type" {
+  type    = string
+  default = "cx11"
+}
+
+variable "vm_image" {
+  type = string
+}
+
+variable "vm_security_group" {
+  type = list(string)
+}
+
+variable "vm_ip_start" {
+  type    = number
+  default = 61
+}
+
+variable "vm_params" {
+  type = map(string)
+}
--- a/hetzner/modules/worker/versions.tf
+++ b/hetzner/modules/worker/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    hcloud = {
+      source  = "hetznercloud/hcloud"
+      version = "~> 1.26.2"
+    }
+  }
+  required_version = ">= 0.15"
+}
--- a/hetzner/network-secgroup.tf
+++ b/hetzner/network-secgroup.tf
@@ -24,22 +24,28 @@ resource "hcloud_firewall" "controlplane" {
  rule {
    direction  = "in"
    protocol   = "tcp"
-    port       = 50000
+    port       = "50000"
    source_ips = ["0.0.0.0/0", "::/0"]
    # source_ips = var.whitelist_admins
  }
  rule {
    direction  = "in"
    protocol   = "tcp"
-    port       = 6443
+    port       = "50001"
+    source_ips = [var.vpc_main_cidr]
+  }
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "6443"
    source_ips = ["0.0.0.0/0", "::/0"]
    # source_ips = var.whitelist_admins
  }
 }

-resource "hcloud_firewall" "ingress" {
+resource "hcloud_firewall" "web" {
  name   = "web"
-  labels = merge(var.tags, { type = "infra", label = "ingress" })
+  labels = merge(var.tags, { type = "infra", label = "web" })

  rule {
    direction  = "in"
--- a/hetzner/variables.tf
+++ b/hetzner/variables.tf
@@ -11,14 +11,16 @@ variable "regions" {
  default     = ["nbg1", "fsn1", "hel1"]
 }

-variable "vm_params" {
+variable "kubernetes" {
  type = map(string)
  default = {
    podSubnets     = "10.32.0.0/12"
    serviceSubnets = "10.200.0.0/22"
-    token          = "wq93rz.dsvn0aw5erdwp78f"
    domain         = "cluster.local"
    cluster_name   = "talos-k8s-hezner"
+    tokenmachine   = "4g8t1y.u3xw5r11fzyfuj8y"
+    token          = "wq93rz.dsvn0aw5erdwp78f"
+    ca             = ""
  }
 }

@@ -38,7 +40,7 @@ variable "controlplane" {
  description = "Count of controlplanes"
  type        = map(any)
  default = {
-    count = 0,
+    count = 1,
    type  = "cx11"
  }
 }
@@ -49,21 +51,21 @@ variable "instances" {
  default = {
    "nbg1" = {
      web_count            = 0,
-      web_instance_type    = "",
+      web_instance_type    = "cx11",
      worker_count         = 0,
-      worker_instance_type = "",
+      worker_instance_type = "cx11",
    },
    "fsn1" = {
      web_count            = 0,
-      web_instance_type    = "",
+      web_instance_type    = "cx11",
      worker_count         = 0,
-      worker_instance_type = "",
+      worker_instance_type = "cx11",
    }
    "hel1" = {
-      web_count            = 0,
-      web_instance_type    = "",
-      worker_count         = 0,
-      worker_instance_type = "",
+      web_count            = 1,
+      web_instance_type    = "cx11",
+      worker_count         = 1,
+      worker_instance_type = "cx11",
    }
  }
 }