feat: lint

This commit is contained in:
Tine 2024-07-25 17:42:08 +02:00
parent b0fc017586
commit e744c3898a
Signed by: mentos1386
SSH key fingerprint: SHA256:MNtTsLbihYaWF8j1fkOHfkKNlnN1JQfxEU/rBU8nCGw
13 changed files with 180 additions and 124 deletions


@ -0,0 +1,17 @@
on:
push:
branches:
- main
pull_request:
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install devbox
uses: jetify-com/devbox-install-action@v0.11.0
with:
enable-cache: true
- run: devbox run -- just lint
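Review bot: Both third-party actions, `uses: actions/checkout@v4` and `uses: jetify-com/devbox-install-action@v0.11.0`, are pinned to mutable tags, so the job's supply chain trusts whoever can move those tags; pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: jetify-com/devbox-install-action@<commit-sha-placeholder> # v0.11.0`, makes the run reproducible and tamper-evident. The workflow also declares no `permissions:` block, so the lint job runs with the repository's default GITHUB_TOKEN scope although it only needs to read the checkout; a top-level `permissions:` with `contents: read` under it applies least privilege. The `pull_request:` trigger is unfiltered, which is fine for a lint-only recipe but worth revisiting if `just lint` ever gains steps that need secrets.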


@ -6,7 +6,8 @@
"cilium-cli@latest",
"kubelogin-oidc@latest",
"talosctl@latest",
"kubernetes-helm@latest"
"kubernetes-helm@latest",
"tflint@latest"
],
"shell": {
"init_hook": [


@ -324,6 +324,54 @@
"store_path": "/nix/store/63slizc3fnqigbbn8lwpdwwz9ccx13qa-talosctl-1.7.5"
}
}
},
"tflint@latest": {
"last_modified": "2024-07-19T15:40:08Z",
"resolved": "github:NixOS/nixpkgs/ad0111043c09f7d0f6b9f039882cbf350d4f7d49#tflint",
"source": "devbox-search",
"version": "0.52.0",
"systems": {
"aarch64-darwin": {
"outputs": [
{
"name": "out",
"path": "/nix/store/0r44l4z5bd367npzgbgmpg5zba862wml-tflint-0.52.0",
"default": true
}
],
"store_path": "/nix/store/0r44l4z5bd367npzgbgmpg5zba862wml-tflint-0.52.0"
},
"aarch64-linux": {
"outputs": [
{
"name": "out",
"path": "/nix/store/hn8cflv9xa7l9yqqnzf9yxxy8gp71483-tflint-0.52.0",
"default": true
}
],
"store_path": "/nix/store/hn8cflv9xa7l9yqqnzf9yxxy8gp71483-tflint-0.52.0"
},
"x86_64-darwin": {
"outputs": [
{
"name": "out",
"path": "/nix/store/jlhmb4ka96dw5zayp993zn9zisd24s2v-tflint-0.52.0",
"default": true
}
],
"store_path": "/nix/store/jlhmb4ka96dw5zayp993zn9zisd24s2v-tflint-0.52.0"
},
"x86_64-linux": {
"outputs": [
{
"name": "out",
"path": "/nix/store/vwwkk3ph9rx68ngdg4mxm0zm4p0sqwa7-tflint-0.52.0",
"default": true
}
],
"store_path": "/nix/store/vwwkk3ph9rx68ngdg4mxm0zm4p0sqwa7-tflint-0.52.0"
}
}
}
}
}


@ -3,6 +3,10 @@ set shell := ["devbox", "run"]
# Load dotenv
set dotenv-load
lint:
@tofu fmt -check -recursive .
@tflint --recursive
GATEWAY_API_VERSION := "v1.1.0"
METRICS_SERVER_VERSION := "v0.7.1"
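Review bot: `@tflint --recursive` runs without a preceding `tflint --init`, so if the repository carries a `.tflint.hcl` that declares plugin rulesets (none is visible in this commit), tflint would either fail or lint with the bundled rules only, and the CI job that calls `devbox run -- just lint` would behave differently from a developer who ran init locally; adding `@tflint --init` as the first line of the recipe keeps both runs equivalent. The recipe checks formatting with `tofu fmt -check -recursive .` but does not run `tofu validate`, which may be intentional but is worth a one-line comment above `lint:` stating what the recipe is meant to catch. The `set shell` line the recipe depends on is outside the hunk.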


@ -1,26 +0,0 @@
apiVersion: v1
kind: Config
clusters:
- name: tjo-cloud
cluster:
server: https://api.k8s.tjo.cloud:6443
certificate-authority-data: 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
contexts:
- name: oidc@tjo-cloud
context:
cluster: tjo-cloud
namespace: default
user: oidc
current-context: oidc@tjo-cloud
users:
- name: oidc
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
command: kubectl
args:
- oidc-login
- get-token
- --oidc-issuer-url=https://id.tjo.space/application/o/k8stjocloud/
- --oidc-client-id=HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg
- --oidc-extra-scope=profile


@ -29,6 +29,8 @@ terraform {
version = "2.31.0"
}
}
required_version = "~> 1.7.3"
}
provider "proxmox" {


@ -53,14 +53,14 @@ resource "kubernetes_manifest" "gateway_class_config" {
type = "Kubernetes"
kubernetes = {
envoyDaemonSet = {
patch : {
type : "StrategicMerge"
value : {
spec : {
template : {
spec : {
hostNetwork : true
dnsPolicy : "ClusterFirstWithHostNet"
patch = {
type = "StrategicMerge"
value = {
spec = {
template = {
spec = {
hostNetwork = true
dnsPolicy = "ClusterFirstWithHostNet"
}
}
}
@ -92,12 +92,12 @@ resource "kubernetes_manifest" "gateway_class" {
name = "envoy"
}
spec = {
controllerName : "gateway.envoyproxy.io/gatewayclass-controller"
parametersRef : {
group : "gateway.envoyproxy.io"
kind : "EnvoyProxy"
name : kubernetes_manifest.gateway_class_config.object.metadata.name
namespace : kubernetes_manifest.gateway_class_config.object.metadata.namespace
controllerName = "gateway.envoyproxy.io/gatewayclass-controller"
parametersRef = {
group = "gateway.envoyproxy.io"
kind = "EnvoyProxy"
name = kubernetes_manifest.gateway_class_config.object.metadata.name
namespace = kubernetes_manifest.gateway_class_config.object.metadata.namespace
}
}
}
@ -111,27 +111,27 @@ resource "kubernetes_manifest" "gateway" {
name = "gateway"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
annotations = {
"cert-manager.io/issuer" : "tjo-cloud"
"cert-manager.io/issuer" = "tjo-cloud"
}
}
spec = {
gatewayClassName = kubernetes_manifest.gateway_class.object.metadata.name
listeners = [
{
name : "http"
hostname : "*.${var.cluster_name}.${var.cluster_domain}"
protocol : "HTTPS"
port : 443
allowedRoutes : {
namespaces : {
from : "Same"
name = "http"
hostname = "*.${var.cluster_name}.${var.cluster_domain}"
protocol = "HTTPS"
port = 443
allowedRoutes = {
namespaces = {
from = "Same"
}
}
tls : {
mode : "Terminate"
certificateRefs : [
tls = {
mode = "Terminate"
certificateRefs = [
{
name : "tjo-cloud-tls"
name = "tjo-cloud-tls"
}
]
}


@ -1,4 +1,6 @@
terraform {
required_version = ">= 1.0"
required_providers {
digitalocean = {
source = "digitalocean/digitalocean"


@ -1,4 +1,6 @@
terraform {
required_version = ">= 1.0"
required_providers {
helm = {
source = "hashicorp/helm"


@ -22,9 +22,9 @@ data "helm_template" "cilium" {
ipv4:
enabled: true
#enableIPv6Masquerade: true
#ipv6:
# enabled: true
enableIPv6Masquerade: true
ipv6:
enabled: true
kubeProxyReplacement: "true"
securityContext:
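Review bot: Turning on `ipv6:` / `enabled: true` makes Cilium allocate IPv6 pod addresses, and under Cilium's default `ipam.mode: cluster-pool` those come from Cilium's own default IPv6 cluster pool rather than from the Talos `podSubnets`; unless `ipam.operator.clusterPoolIPv6PodCIDRList` (with `clusterPoolIPv6MaskSize`) or `ipam.mode: kubernetes` is set earlier in these values, which is outside the hunk, pods may receive addresses outside the `fd9b:5314:fc70::/56` range advertised elsewhere in this commit. `enableIPv6Masquerade: true` is consistent with the existing IPv4 masquerade on a ULA range, but it means egress IPv6 flows are SNATed to node addresses, so network policy and audit logs will show node IPs rather than pod IPs. The helm values block begins before and continues after this hunk.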


@ -4,11 +4,11 @@ locals {
podSubnets = [
"10.200.0.0/16",
#"fd9b:5314:fc70::/64",
"fd9b:5314:fc70::/56",
]
serviceSubnets = [
"10.201.0.0/16",
#"fd9b:5314:fc71::/108",
"fd9b:5314:fc71::/112",
]
# Nodes will use IPs from this subnets
@ -19,65 +19,65 @@ locals {
]
talos_controlplane_config = {
machine : {
features : {
rbac : true
apidCheckExtKeyUsage : true
kubernetesTalosAPIAccess : {
enabled : true
allowedRoles : [
machine = {
features = {
rbac = true
apidCheckExtKeyUsage = true
kubernetesTalosAPIAccess = {
enabled = true
allowedRoles = [
"os:reader"
]
allowedKubernetesNamespaces : [
allowedKubernetesNamespaces = [
"kube-system"
]
}
}
}
cluster : {
etcd : {
advertisedSubnets : local.tailscaleSubnets
listenSubnets : local.tailscaleSubnets
cluster = {
etcd = {
advertisedSubnets = local.tailscaleSubnets
listenSubnets = local.tailscaleSubnets
}
allowSchedulingOnControlPlanes : var.allow_scheduling_on_control_planes,
apiServer : {
extraArgs : {
"oidc-issuer-url" : "https://id.tjo.space/application/o/k8stjocloud/",
"oidc-client-id" : "HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg",
"oidc-username-claim" : "sub",
"oidc-username-prefix" : "oidc:",
"oidc-groups-claim" : "groups",
"oidc-groups-prefix" : "oidc:groups:",
allowSchedulingOnControlPlanes = var.allow_scheduling_on_control_planes,
apiServer = {
extraArgs = {
"oidc-issuer-url" = "https://id.tjo.space/application/o/k8stjocloud/",
"oidc-client-id" = "HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg",
"oidc-username-claim" = "sub",
"oidc-username-prefix" = "oidc:",
"oidc-groups-claim" = "groups",
"oidc-groups-prefix" = "oidc:groups:",
}
}
inlineManifests : [
inlineManifests = [
{
name : "proxmox-cloud-controller-manager"
contents : data.helm_template.proxmox-ccm.manifest
name = "proxmox-cloud-controller-manager"
contents = data.helm_template.proxmox-ccm.manifest
},
{
name : "talos-cloud-controller-manager"
contents : data.helm_template.talos-ccm.manifest
name = "talos-cloud-controller-manager"
contents = data.helm_template.talos-ccm.manifest
},
{
name : "promxmox-csi-plugin"
contents : data.helm_template.proxmox-csi.manifest
name = "promxmox-csi-plugin"
contents = data.helm_template.proxmox-csi.manifest
},
{
name : "gateway-api-crds"
contents : file("${path.module}/manifests/gateway-api.crds.yaml")
name = "gateway-api-crds"
contents = file("${path.module}/manifests/gateway-api.crds.yaml")
},
{
name : "metrics-server"
contents : file("${path.module}/manifests/metrics-server.yaml")
name = "metrics-server"
contents = file("${path.module}/manifests/metrics-server.yaml")
},
{
name : "cilium"
contents : data.helm_template.cilium.manifest
name = "cilium"
contents = data.helm_template.cilium.manifest
},
{
name : "oidc-admins"
contents : <<-EOF
name = "oidc-admins"
contents = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@ -97,33 +97,33 @@ locals {
}
talos_worker_config = {
cluster : {
externalCloudProvider : {
enabled : true
cluster = {
externalCloudProvider = {
enabled = true
}
controlPlane : {
endpoint : local.cluster_endpoint
localAPIServerPort : var.cluster.api.port
controlPlane = {
endpoint = local.cluster_endpoint
localAPIServerPort = var.cluster.api.port
}
network : {
cni : {
name : "none"
network = {
cni = {
name = "none"
}
podSubnets : local.podSubnets
serviceSubnets : local.serviceSubnets
podSubnets = local.podSubnets
serviceSubnets = local.serviceSubnets
}
proxy : {
disabled : true
proxy = {
disabled = true
}
}
machine = {
kubelet = {
nodeIP : {
validSubnets : local.tailscaleSubnets
nodeIP = {
validSubnets = local.tailscaleSubnets
}
extraArgs : {
rotate-server-certificates : true
cloud-provider : "external"
extraArgs = {
rotate-server-certificates = true
cloud-provider = "external"
}
}
install = {
@ -139,6 +139,9 @@ locals {
machine = {
network = {
hostname = node.name
kubespan = {
enabled = false
}
}
nodeLabels = {
"k8s.tjo.cloud/public" = node.public ? "true" : "false"
@ -153,14 +156,14 @@ locals {
}),
yamlencode(
{
apiVersion : "v1alpha1"
kind : "ExtensionServiceConfig"
name : "tailscale"
environment : [
apiVersion = "v1alpha1"
kind = "ExtensionServiceConfig"
name = "tailscale"
environment = [
"TS_AUTHKEY=${var.tailscale_authkey}",
"TS_HOSTNAME=${node.name}",
"TS_ROUTES=${join(",", local.podSubnets)},${join(",", local.serviceSubnets)}",
"TS_EXTRA_ARGS=--accept-routes --snat-subnet-routes",
#"TS_EXTRA_ARGS=--accept-routes --snat-subnet-routes",
]
})
]
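Review bot: In the last hunk the `TS_EXTRA_ARGS=--accept-routes --snat-subnet-routes` entry appears to be commented out on the new side while `TS_ROUTES` still advertises both pod and service subnets; if that reading is right, nodes will no longer accept each other's advertised routes and subnet traffic will no longer be SNATed, which changes both reachability and the source address peers see, so the line deserves a comment stating the intended routing model, e.g. `# TS_EXTRA_ARGS dropped: routes are accepted/SNATed by <mechanism-placeholder>`, rather than a bare commented-out value. The same hunk keeps `"TS_AUTHKEY=${var.tailscale_authkey}"` as a plain-text environment entry in the rendered machine config, which predates this commit but is worth noting alongside the routing change. Separately, `name = "promxmox-csi-plugin"` carries a misspelling over from the old side; correcting it to `proxmox-csi-plugin` is safe only if nothing else references that inline-manifest name. The `locals` block starts before the first hunk and ends after this one.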


@ -18,13 +18,14 @@ variable "talos" {
kubernetes = optional(string, "v1.30.0")
# Default is:
# customization:
# systemExtensions:
# officialExtensions:
# - siderolabs/kata-containers
# - siderolabs/qemu-guest-agent
# - siderolabs/tailscale
schematic_id = optional(string, "a3f29a65dfd32b73c76f14eef96ef7588cf08c7d737d24fae9b8216d1ffa5c3d")
# customization:
# systemExtensions:
# officialExtensions:
# - siderolabs/kata-containers
# - siderolabs/qemu-guest-agent
# - siderolabs/tailscale
# - siderolabs/wasmedge
schematic_id = optional(string, "a125b6d6becb63df5543edfae1231e351723dd6e4d551ba73e0f30229ad6ff59")
})
}


@ -1,4 +1,6 @@
terraform {
required_version = ">= 1.0"
required_providers {
proxmox = {
source = "bpg/proxmox"