feat: update

This commit is contained in:
Tine 2024-07-23 20:42:22 +02:00
parent dd21e589d6
commit b0fc017586
Signed by: mentos1386
SSH key fingerprint: SHA256:MNtTsLbihYaWF8j1fkOHfkKNlnN1JQfxEU/rBU8nCGw
8 changed files with 106 additions and 60 deletions


@ -17,4 +17,5 @@ modules-cluster-manifests:
k8s-apply: modules-cluster-manifests
tofu -chdir={{justfile_directory()}}/k8s.tjo.cloud init
tofu -chdir={{justfile_directory()}}/k8s.tjo.cloud apply -target module.cluster
tofu -chdir={{justfile_directory()}}/k8s.tjo.cloud apply -target module.cluster-core
tofu -chdir={{justfile_directory()}}/k8s.tjo.cloud apply
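Review bot: The three-step apply (`-target module.cluster`, then the new `-target module.cluster-core`, then a full apply) encodes an ordering that nothing in the recipe explains, so a later reader cannot tell whether the middle step is required or may be dropped. Add a comment above the new line stating the reason, presumably something like `# cluster-core installs the Helm charts whose CRDs must exist before cluster-components' manifests can be planned` — confirm that this is the actual dependency before committing to the wording. Keep in mind that tofu treats `-target` as an exceptional operation and warns on each such apply, so the recipe is the right place to record why it is used routinely here.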


@ -60,7 +60,11 @@ resource "local_file" "kubeconfig" {
filename = "${path.module}/kubeconfig"
}
module "cluster_components" {
module "cluster-core" {
source = "../modules/cluster-core"
}
module "cluster-components" {
source = "../modules/cluster-components"
oidc_issuer_url = var.oidc_issuer_url
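Review bot: The new `module "cluster-core"` block and the renamed `module "cluster-components"` have no explicit ordering between them, yet the justfile in this same commit applies cluster-core first by `-target`, which suggests cluster-components needs resources (CRDs from the Helm releases) that cluster-core creates. Without `depends_on = [module.cluster-core]` on cluster-components, a plain `tofu apply` on a fresh cluster is likely to fail planning the `kubernetes_manifest` resources while the CRDs are still absent; if that is the intended dependency, add the line and a one-line comment saying why. The `module "cluster-components"` block continues outside the hunk.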


@ -40,6 +40,50 @@ resource "kubernetes_manifest" "tjo-cloud-issuer" {
}
}
resource "kubernetes_manifest" "gateway_class_config" {
manifest = {
apiVersion = "gateway.envoyproxy.io/v1alpha1"
kind = "EnvoyProxy"
metadata = {
name = "daemonset"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
}
spec = {
provider = {
type = "Kubernetes"
kubernetes = {
envoyDaemonSet = {
patch : {
type : "StrategicMerge"
value : {
spec : {
template : {
spec : {
hostNetwork : true
dnsPolicy : "ClusterFirstWithHostNet"
}
}
}
}
}
pod = {
nodeSelector = {
"node-role.kubernetes.io/control-plane" = ""
}
tolerations = [
{
key = "node-role.kubernetes.io/control-plane"
effect = "NoSchedule"
}
]
}
}
}
}
}
}
}
resource "kubernetes_manifest" "gateway_class" {
manifest = {
apiVersion = "gateway.networking.k8s.io/v1"
@ -49,6 +93,12 @@ resource "kubernetes_manifest" "gateway_class" {
}
spec = {
controllerName : "gateway.envoyproxy.io/gatewayclass-controller"
parametersRef : {
group : "gateway.envoyproxy.io"
kind : "EnvoyProxy"
name : kubernetes_manifest.gateway_class_config.object.metadata.name
namespace : kubernetes_manifest.gateway_class_config.object.metadata.namespace
}
}
}
}
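Review bot: The `hostNetwork : true` patch in the new `gateway_class_config` resource puts the Envoy data-plane pods in the host network namespace of the control-plane nodes they are pinned to, so the proxy's listeners bind directly on node IPs, NetworkPolicy no longer governs its traffic, and the container can reach node-local endpoints such as the API server and kubelet ports; the hunk records none of this. Add a comment on the patch, e.g. `# hostNetwork: expose the gateway on control-plane node IPs without a LoadBalancer; bypasses NetworkPolicy, keep listeners minimal`, and consider a restrictive pod securityContext in the same EnvoyProxy spec if the CRD's pod section supports it. As a style point, the patch object mixes `:` (lines inside `patch`) with the `=` used everywhere else in the same `manifest` literal; pick one form.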


@ -0,0 +1,28 @@
resource "helm_release" "cert-manager" {
name = "cert-manager"
chart = "cert-manager"
repository = "https://charts.jetstack.io"
version = "v1.15.1"
namespace = "kube-system"
atomic = true
cleanup_on_fail = true
values = [<<-EOF
crds:
enabled: true
extraArgs:
- --enable-gateway-api
EOF
]
}
resource "helm_release" "envoy" {
name = "envoy"
chart = "gateway-helm"
repository = "oci://docker.io/envoyproxy"
version = "v1.1.0"
namespace = "kube-system"
atomic = true
cleanup_on_fail = true
}
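Review bot: `helm_release.cert-manager` is started with `--enable-gateway-api` but has no `depends_on` toward `helm_release.envoy`, which is the release that ships the Gateway API CRDs here as far as I can tell; if cert-manager's controller requires those CRDs at startup, a fresh install can race and the atomic release will roll back. If that is the case, add `depends_on = [helm_release.envoy]` to the cert-manager release and a short comment naming the CRD dependency. Both charts are pinned by tag only (`v1.15.1`, `v1.1.0`) from external registries, which is reasonable, but a comment noting that tags on `oci://docker.io/envoyproxy` are not digest-verified by this provider would tell the next maintainer what the pin does and does not guarantee.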


@ -0,0 +1 @@


@ -0,0 +1,8 @@
terraform {
required_providers {
helm = {
source = "hashicorp/helm"
version = "2.14.0"
}
}
}


@ -12,20 +12,19 @@ data "helm_template" "cilium" {
values = [<<-EOF
ipam:
mode: "kubernetes"
nodeIPAM:
enabled: true
bpf:
masquerade: true
#routingMode: native
#ipv4NativeRoutingCIDR: pod and service cidrs?
enableIPv4Masquerade: true
ipv4:
enabled: true
#enableIPv6Masquerade: true
ipv6:
enabled: false
nodeIPAM:
enabled: true
#ipv6:
# enabled: true
kubeProxyReplacement: "true"
securityContext:
@ -152,44 +151,3 @@ data "helm_template" "talos-ccm" {
kube_version = var.talos.kubernetes
}
data "helm_template" "cert-manager" {
provider = helm.template
name = "cert-manager"
chart = "cert-manager"
repository = "https://charts.jetstack.io"
version = "v1.15.1"
namespace = "kube-system"
kube_version = var.talos.kubernetes
api_versions = [
"gateway.networking.k8s.io/v1/GatewayClass",
]
include_crds = true
values = [<<-EOF
crds:
enabled: true
extraArgs:
- --enable-gateway-api
EOF
]
}
data "helm_template" "envoy" {
provider = helm.template
name = "envoy"
chart = "gateway-helm"
repository = "oci://docker.io/envoyproxy"
version = "v1.1.0-rc.1"
namespace = "kube-system"
kube_version = var.talos.kubernetes
api_versions = [
"gateway.networking.k8s.io/v1/GatewayClass",
]
include_crds = true
}
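Review bot: The Cilium values in the first hunk of this section still carry commented-out settings with an open question in them (`#routingMode: native`, `#ipv4NativeRoutingCIDR: pod and service cidrs?`, `#enableIPv6Masquerade: true`, `#ipv6:`), and the hunk adds `ipv6: enabled: false` next to them without resolving the question. Either drop the dead lines or replace them with one comment that states the decision, e.g. `# IPv6 and native routing intentionally off for now; tunnel mode with IPv4 masquerade`, hedged to whatever was actually decided. The second hunk only removes the `cert-manager` and `envoy` helm_template data sources that this commit moves into the cluster-core module, which needs no further comment; the `data "helm_template" "cilium"` block starts and ends outside the hunk.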


@ -75,14 +75,6 @@ locals {
name : "cilium"
contents : data.helm_template.cilium.manifest
},
#{
# name : "envoy"
# contents : data.helm_template.envoy.manifest
#},
#{
# name : "cert-manager"
# contents : data.helm_template.cert-manager.manifest
#},
{
name : "oidc-admins"
contents : <<-EOF
@ -153,6 +145,10 @@ locals {
"k8s.tjo.cloud/host" = node.host
"k8s.tjo.cloud/proxmox" = var.proxmox.name
}
sysctls = {
"net.ipv4.ip_forward" = "1"
"net.ipv6.conf.all.forwarding" = "1"
}
}
}),
yamlencode(
@ -163,8 +159,8 @@ locals {
environment : [
"TS_AUTHKEY=${var.tailscale_authkey}",
"TS_HOSTNAME=${node.name}",
# IPV6: https://github.com/siderolabs/extensions/issues/432
"TS_ROUTES=${local.podSubnets[0]},${local.serviceSubnets[0]}"
"TS_ROUTES=${join(",", local.podSubnets)},${join(",", local.serviceSubnets)}",
"TS_EXTRA_ARGS=--accept-routes --snat-subnet-routes",
]
})
]
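Review bot: `--accept-routes` in the new `TS_EXTRA_ARGS` line makes every node install any subnet route approved in the tailnet, not only the ones these nodes advertise, and with `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` now set to `"1"` in the preceding hunk each node will forward between those routes and the pod/service networks; the commit does not say which peer routes are expected. If the intent is only that nodes reach each other's pod and service subnets, document it on the line, e.g. `# --accept-routes: install peer nodes' pod/service routes; any other approved tailnet subnet route lands on the node too`, and keep the set of approved routes in the tailnet limited to the cluster subnets. The `# IPV6:` comment now sits on the context line above a `TS_ROUTES` value that joins every entry of `local.podSubnets` and `local.serviceSubnets`, including IPv6 ones if present, while Cilium in this commit has `ipv6: enabled: false`, so the comment and the advertised routes may have drifted apart. The enclosing `locals` block starts and ends outside the hunk.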