From e744c3898a99540cfb5894dabb060e18fe9f294c Mon Sep 17 00:00:00 2001
From: Tine
Date: Thu, 25 Jul 2024 17:42:08 +0200
Subject: [PATCH] feat: lint
---
 .forgejo/workflows/lint.yaml | 17 ++++
 devbox.json | 3 +-
 devbox.lock | 48 ++++++++++
 justfile | 4 +
 k8s.tjo.cloud/kubeconfig | 26 -----
 k8s.tjo.cloud/terraform.tf | 2 +
 modules/cluster-components/gateway.tf | 52 +++++-----
 modules/cluster-components/versions.tf | 2 +
 modules/cluster-core/versions.tf | 2 +
 modules/cluster/components.tf | 6 +-
 modules/cluster/main.tf | 125 +++++++++++++------------
 modules/cluster/variables.tf | 15 +-
 modules/cluster/versions.tf | 2 +
 13 files changed, 180 insertions(+), 124 deletions(-)
 create mode 100644 .forgejo/workflows/lint.yaml
 delete mode 100755 k8s.tjo.cloud/kubeconfig
diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml
new file mode 100644
index 0000000..dd65735
--- /dev/null
+++ b/.forgejo/workflows/lint.yaml
@@ -0,0 +1,17 @@
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install devbox
+ uses: jetify-com/devbox-install-action@v0.11.0
+ with:
+ enable-cache: true
+
+ - run: devbox run -- just lint
diff --git a/devbox.json b/devbox.json
index b2fdb20..7af2efd 100644
--- a/devbox.json
+++ b/devbox.json
@@ -6,7 +6,8 @@
 "cilium-cli@latest",
 "kubelogin-oidc@latest",
 "talosctl@latest",
- "kubernetes-helm@latest"
+ "kubernetes-helm@latest",
+ "tflint@latest"
 ],
 "shell": {
 "init_hook": [
diff --git a/devbox.lock b/devbox.lock
index a1f668d..e4d9d2e 100644
--- a/devbox.lock
+++ b/devbox.lock
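Review bot: Both third-party actions in the new workflow are referenced by mutable tags (`uses: actions/checkout@v4`, `uses: jetify-com/devbox-install-action@v0.11.0`), so whoever can move those tags decides what runs in this repository's CI without any change landing here. Pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and let a dependency bot refresh the pins. As with any `pull_request:` job, the step `devbox run -- just lint` executes the `justfile` and `devbox.json` from the contribution under test, which is acceptable for a lint-only job that holds no secrets — worth a comment so the job is not later extended with publishing steps.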
@@ -324,6 +324,54 @@ "store_path": "/nix/store/63slizc3fnqigbbn8lwpdwwz9ccx13qa-talosctl-1.7.5" } } + }, + "tflint@latest": { + "last_modified": "2024-07-19T15:40:08Z", + "resolved": "github:NixOS/nixpkgs/ad0111043c09f7d0f6b9f039882cbf350d4f7d49#tflint", + "source": "devbox-search", + "version": "0.52.0", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/0r44l4z5bd367npzgbgmpg5zba862wml-tflint-0.52.0", + "default": true + } + ], + "store_path": "/nix/store/0r44l4z5bd367npzgbgmpg5zba862wml-tflint-0.52.0" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/hn8cflv9xa7l9yqqnzf9yxxy8gp71483-tflint-0.52.0", + "default": true + } + ], + "store_path": "/nix/store/hn8cflv9xa7l9yqqnzf9yxxy8gp71483-tflint-0.52.0" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/jlhmb4ka96dw5zayp993zn9zisd24s2v-tflint-0.52.0", + "default": true + } + ], + "store_path": "/nix/store/jlhmb4ka96dw5zayp993zn9zisd24s2v-tflint-0.52.0" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/vwwkk3ph9rx68ngdg4mxm0zm4p0sqwa7-tflint-0.52.0", + "default": true + } + ], + "store_path": "/nix/store/vwwkk3ph9rx68ngdg4mxm0zm4p0sqwa7-tflint-0.52.0" + } + } } } }
diff --git a/justfile b/justfile
index 54ea676..fccc278 100644
--- a/justfile
+++ b/justfile
@@ -3,6 +3,10 @@ set shell := ["devbox", "run"]
 # Load dotenv
 set dotenv-load
+lint:
+ @tofu fmt -check -recursive .
+ @tflint --recursive
+
 GATEWAY_API_VERSION := "v1.1.0"
 METRICS_SERVER_VERSION := "v0.7.1"
diff --git a/k8s.tjo.cloud/kubeconfig b/k8s.tjo.cloud/kubeconfig
deleted file mode 100755
index 6343db2..0000000
--- a/k8s.tjo.cloud/kubeconfig
+++ /dev/null
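Review bot: The `lint` recipe in the justfile hunk runs `tflint --recursive` without a preceding `tflint --init`, so any ruleset plugins declared in a `.tflint.hcl` (none is visible in this patch — confirm) would be absent on a fresh CI runner and the step would fail there while passing on a developer machine that already has them. Adding `@tflint --init --recursive` as the first line of the recipe makes the job self-contained either way. For the format check, `@tofu fmt -check -diff -recursive .` prints the offending lines, so a CI failure is actionable from the log alone.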
@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Config
-clusters:
-- name: tjo-cloud
- cluster:
- server: https://api.k8s.tjo.cloud:6443
- certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVMrZ0F3SUJBZ0lRZXNQaHZSS20xbHlhdTU2RndIbDZMekFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUUtFd3ByZFdKbGNtNWxkR1Z6TUI0WERUSTBNRGN5TWpJd01UVXhOMW9YRFRNME1EY3lNREl3TVRVeApOMW93RlRFVE1CRUdBMVVFQ2hNS2EzVmlaWEp1WlhSbGN6QlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VICkEwSUFCTnVNUnl0K1lQUncxN094TFNRUDlJdngzZVk1am1pS1FSL2tEeTFENFI2ZVI4WUpqTlVDOXZGNmxzZFcKaWV3M09wekZybFl4eHl3Ym9vZVdDN3R1dlkyallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWRCZ05WSFNVRQpGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFCkZnUVU2TUhBdEhTZEJuUTZBbTRjeFVMOVc3b1Y2UFl3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQUpobVdzRXgKVjVnRW5na25uMURndjBBaVNjZTBHVUtrZWdBNStDK1VyOXlWQWlFQTVzQituQmFGVUl3R2JsYkcrSWEvOXFsZApFZEh0dXNkbDRRaHVmT0R5K1d3PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-contexts:
-- name: oidc@tjo-cloud
- context:
- cluster: tjo-cloud
- namespace: default
- user: oidc
-current-context: oidc@tjo-cloud
-users:
-- name: oidc
- user:
- exec:
- apiVersion: client.authentication.k8s.io/v1beta1
- command: kubectl
- args:
- - oidc-login
- - get-token
- - --oidc-issuer-url=https://id.tjo.space/application/o/k8stjocloud/
- - --oidc-client-id=HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg
- - --oidc-extra-scope=profile
diff --git a/k8s.tjo.cloud/terraform.tf b/k8s.tjo.cloud/terraform.tf
index 2a67ef6..09338ea 100644
--- a/k8s.tjo.cloud/terraform.tf
+++ b/k8s.tjo.cloud/terraform.tf
@@ -29,6 +29,8 @@ terraform {
 version = "2.31.0"
 }
 }
+
+ required_version = "~> 1.7.3"
 }
 provider "proxmox" {
diff --git a/modules/cluster-components/gateway.tf b/modules/cluster-components/gateway.tf
index e3ab61e..41a783b 100644
--- a/modules/cluster-components/gateway.tf
+++ b/modules/cluster-components/gateway.tf
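Review bot: The root configuration in the terraform.tf hunk pins `required_version = "~> 1.7.3"` while the three module `versions.tf` hunks in this patch use `>= 1.0`; since the justfile drives `tofu`, this constraint applies to the OpenTofu binary, and `~> 1.7.3` will refuse every 1.8.x release until someone edits this line. If the intent is only to rule out older releases, `required_version = ">= 1.7.3"` expresses that without blocking upgrades. Note also that the new lint job never runs `tofu init` or `tofu validate`, so none of these constraints are exercised in CI; the enclosing `terraform` block begins before the hunk.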
@@ -53,14 +53,14 @@ resource "kubernetes_manifest" "gateway_class_config" {
 type = "Kubernetes"
 kubernetes = {
 envoyDaemonSet = {
- patch : {
- type : "StrategicMerge"
- value : {
- spec : {
- template : {
- spec : {
- hostNetwork : true
- dnsPolicy : "ClusterFirstWithHostNet"
+ patch = {
+ type = "StrategicMerge"
+ value = {
+ spec = {
+ template = {
+ spec = {
+ hostNetwork = true
+ dnsPolicy = "ClusterFirstWithHostNet"
 }
 }
 }
@@ -92,12 +92,12 @@ resource "kubernetes_manifest" "gateway_class" {
 name = "envoy"
 }
 spec = {
- controllerName : "gateway.envoyproxy.io/gatewayclass-controller"
- parametersRef : {
- group : "gateway.envoyproxy.io"
- kind : "EnvoyProxy"
- name : kubernetes_manifest.gateway_class_config.object.metadata.name
- namespace : kubernetes_manifest.gateway_class_config.object.metadata.namespace
+ controllerName = "gateway.envoyproxy.io/gatewayclass-controller"
+ parametersRef = {
+ group = "gateway.envoyproxy.io"
+ kind = "EnvoyProxy"
+ name = kubernetes_manifest.gateway_class_config.object.metadata.name
+ namespace = kubernetes_manifest.gateway_class_config.object.metadata.namespace
 }
 }
 }
@@ -111,27 +111,27 @@ resource "kubernetes_manifest" "gateway" {
 name = "gateway"
 namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
 annotations = {
- "cert-manager.io/issuer" : "tjo-cloud"
+ "cert-manager.io/issuer" = "tjo-cloud"
 }
 }
 spec = {
 gatewayClassName = kubernetes_manifest.gateway_class.object.metadata.name
 listeners = [
 {
- name : "http"
- hostname : "*.${var.cluster_name}.${var.cluster_domain}"
- protocol : "HTTPS"
- port : 443
- allowedRoutes : {
- namespaces : {
- from : "Same"
+ name = "http"
+ hostname = "*.${var.cluster_name}.${var.cluster_domain}"
+ protocol = "HTTPS"
+ port = 443
+ allowedRoutes = {
+ namespaces = {
+ from = "Same"
 }
 }
- tls : {
- mode : "Terminate"
- certificateRefs : [
+ tls = {
+ mode = "Terminate"
+ certificateRefs = [
 {
- name : "tjo-cloud-tls"
+ name = "tjo-cloud-tls"
 }
 ]
 }
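Review bot: In the last gateway.tf hunk the sole listener is still called `name = "http"` although it serves `protocol = "HTTPS"` on `port = 443` with `mode = "Terminate"`; the restyle rewrites every one of these lines, so it is the natural moment to make the name match the protocol, `name = "https"`. Any HTTPRoute that attaches with a `sectionName` of `http` would need the same rename — presumably none exists in this module, confirm before changing. The three hunks are otherwise a pure `:`→`=` restyle, and each `kubernetes_manifest` resource extends beyond its hunk.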
diff --git a/modules/cluster-components/versions.tf b/modules/cluster-components/versions.tf
index 5930c2b..906eb48 100644
--- a/modules/cluster-components/versions.tf
+++ b/modules/cluster-components/versions.tf
@@ -1,4 +1,6 @@
 terraform {
+ required_version = ">= 1.0"
+
 required_providers {
 digitalocean = {
 source = "digitalocean/digitalocean"
diff --git a/modules/cluster-core/versions.tf b/modules/cluster-core/versions.tf
index 34ccf41..9654c4f 100644
--- a/modules/cluster-core/versions.tf
+++ b/modules/cluster-core/versions.tf
@@ -1,4 +1,6 @@
 terraform {
+ required_version = ">= 1.0"
+
 required_providers {
 helm = {
 source = "hashicorp/helm"
diff --git a/modules/cluster/components.tf b/modules/cluster/components.tf
index 7af75ca..a3f3755 100644
--- a/modules/cluster/components.tf
+++ b/modules/cluster/components.tf
@@ -22,9 +22,9 @@ data "helm_template" "cilium" {
 ipv4:
 enabled: true
- #enableIPv6Masquerade: true
- #ipv6:
- # enabled: true
+ enableIPv6Masquerade: true
+ ipv6:
+ enabled: true
 kubeProxyReplacement: "true"
 securityContext:
diff --git a/modules/cluster/main.tf b/modules/cluster/main.tf
index e84ff1b..c32bb3c 100644
--- a/modules/cluster/main.tf
+++ b/modules/cluster/main.tf
@@ -4,11 +4,11 @@ locals {
 podSubnets = [
 "10.200.0.0/16",
- #"fd9b:5314:fc70::/64",
+ "fd9b:5314:fc70::/56",
 ]
 serviceSubnets = [
 "10.201.0.0/16",
- #"fd9b:5314:fc71::/108",
+ "fd9b:5314:fc71::/112",
 ]
 # Nodes will use IPs from this subnets
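Review bot: The main.tf hunk activates the IPv6 ranges with prefix lengths that differ from the previously commented values (`/56` instead of `/64` for pods, `/112` instead of `/108` for services) and nothing records why. Kubernetes' default service allocator rejects an IPv6 service CIDR wider than /108 and kube-controller-manager carves per-node /64 pod CIDRs out of the cluster pod range, so the choices look deliberate — annotate them, e.g. `"fd9b:5314:fc70::/56", # /56 leaves room for per-node /64 pod CIDRs` and `"fd9b:5314:fc71::/112", # service CIDR must be /108 or narrower`. The components.tf hunk enables `ipv6` in Cilium in the same patch; unless Cilium's `ipam.mode` is `kubernetes` (not visible here), its cluster-pool allocator uses its own `ipam.operator.clusterPoolIPv6PodCIDRList` default rather than this Talos `podSubnets` value, so confirm the two agree. The `locals` block continues beyond the hunk.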
@@ -19,65 +19,65 @@ locals {
 ]
 talos_controlplane_config = {
- machine : {
- features : {
- rbac : true
- apidCheckExtKeyUsage : true
- kubernetesTalosAPIAccess : {
- enabled : true
- allowedRoles : [
+ machine = {
+ features = {
+ rbac = true
+ apidCheckExtKeyUsage = true
+ kubernetesTalosAPIAccess = {
+ enabled = true
+ allowedRoles = [
 "os:reader"
 ]
- allowedKubernetesNamespaces : [
+ allowedKubernetesNamespaces = [
 "kube-system"
 ]
 }
 }
 }
- cluster : {
- etcd : {
- advertisedSubnets : local.tailscaleSubnets
- listenSubnets : local.tailscaleSubnets
+ cluster = {
+ etcd = {
+ advertisedSubnets = local.tailscaleSubnets
+ listenSubnets = local.tailscaleSubnets
 }
- allowSchedulingOnControlPlanes : var.allow_scheduling_on_control_planes,
- apiServer : {
- extraArgs : {
- "oidc-issuer-url" : "https://id.tjo.space/application/o/k8stjocloud/",
- "oidc-client-id" : "HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg",
- "oidc-username-claim" : "sub",
- "oidc-username-prefix" : "oidc:",
- "oidc-groups-claim" : "groups",
- "oidc-groups-prefix" : "oidc:groups:",
+ allowSchedulingOnControlPlanes = var.allow_scheduling_on_control_planes,
+ apiServer = {
+ extraArgs = {
+ "oidc-issuer-url" = "https://id.tjo.space/application/o/k8stjocloud/",
+ "oidc-client-id" = "HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg",
+ "oidc-username-claim" = "sub",
+ "oidc-username-prefix" = "oidc:",
+ "oidc-groups-claim" = "groups",
+ "oidc-groups-prefix" = "oidc:groups:",
 }
 }
- inlineManifests : [
+ inlineManifests = [
 {
- name : "proxmox-cloud-controller-manager"
- contents : data.helm_template.proxmox-ccm.manifest
+ name = "proxmox-cloud-controller-manager"
+ contents = data.helm_template.proxmox-ccm.manifest
 },
 {
- name : "talos-cloud-controller-manager"
- contents : data.helm_template.talos-ccm.manifest
+ name = "talos-cloud-controller-manager"
+ contents = data.helm_template.talos-ccm.manifest
 },
 {
- name : "promxmox-csi-plugin"
- contents : data.helm_template.proxmox-csi.manifest
+ name = 
"promxmox-csi-plugin"
+ contents = data.helm_template.proxmox-csi.manifest
 },
 {
- name : "gateway-api-crds"
- contents : file("${path.module}/manifests/gateway-api.crds.yaml")
+ name = "gateway-api-crds"
+ contents = file("${path.module}/manifests/gateway-api.crds.yaml")
 },
 {
- name : "metrics-server"
- contents : file("${path.module}/manifests/metrics-server.yaml")
+ name = "metrics-server"
+ contents = file("${path.module}/manifests/metrics-server.yaml")
 },
 {
- name : "cilium"
- contents : data.helm_template.cilium.manifest
+ name = "cilium"
+ contents = data.helm_template.cilium.manifest
 },
 {
- name : "oidc-admins"
- contents : <<-EOF
+ name = "oidc-admins"
+ contents = <<-EOF
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -97,33 +97,33 @@ locals {
 }
 talos_worker_config = {
- cluster : {
- externalCloudProvider : {
- enabled : true
+ cluster = {
+ externalCloudProvider = {
+ enabled = true
 }
- controlPlane : {
- endpoint : local.cluster_endpoint
- localAPIServerPort : var.cluster.api.port
+ controlPlane = {
+ endpoint = local.cluster_endpoint
+ localAPIServerPort = var.cluster.api.port
 }
- network : {
- cni : {
- name : "none"
+ network = {
+ cni = {
+ name = "none"
 }
- podSubnets : local.podSubnets
- serviceSubnets : local.serviceSubnets
+ podSubnets = local.podSubnets
+ serviceSubnets = local.serviceSubnets
 }
- proxy : {
- disabled : true
+ proxy = {
+ disabled = true
 }
 }
 machine = {
 kubelet = {
- nodeIP : {
- validSubnets : local.tailscaleSubnets
+ nodeIP = {
+ validSubnets = local.tailscaleSubnets
 }
- extraArgs : {
- rotate-server-certificates : true
- cloud-provider : "external"
+ extraArgs = {
+ rotate-server-certificates = true
+ cloud-provider = "external"
 }
 }
 install = {
@@ -139,6 +139,9 @@ locals {
 machine = {
 network = {
 hostname = node.name
+ kubespan = {
+ enabled = false
+ }
 }
 nodeLabels = {
 "k8s.tjo.cloud/public" = node.public ? "true" : "false"
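Review bot: The restyled inline-manifest entry `name = "promxmox-csi-plugin"` (the `+ name =` line that the extraction split across this and the previous source line) keeps a typo in the manifest name; since the `@@ -19,65` hunk already rewrites that line, `name = "proxmox-csi-plugin"` is the moment to fix it, bearing in mind that Talos presumably identifies inline manifests by name, so the rename may register as a new manifest rather than an update — confirm on a test node. A smaller style point in the same hunk: `allowSchedulingOnControlPlanes = var.allow_scheduling_on_control_planes,` and the six `extraArgs` entries keep trailing commas while every neighbouring attribute is newline-separated; `tofu fmt` accepts both, so the new lint will not normalise this, and one convention should be chosen. The `locals` block this hunk belongs to starts before and ends after it.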
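Review bot: `kubespan = { enabled = false }` in the `@@ -139,6` hunk is added without a reason, and disabled is already Talos's default for KubeSpan, so a later reader may take the block for a leftover and remove it or flip it. The tailscale `ExtensionServiceConfig` in the following hunk suggests Tailscale provides the node mesh that KubeSpan would otherwise — presumably, confirm — so record that above the block: `# KubeSpan stays off: node-to-node connectivity is provided by the tailscale extension`. The enclosing `locals` block continues beyond this hunk.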
@@ -153,14 +156,14 @@ locals {
 }),
 yamlencode(
 {
- apiVersion : "v1alpha1"
- kind : "ExtensionServiceConfig"
- name : "tailscale"
- environment : [
+ apiVersion = "v1alpha1"
+ kind = "ExtensionServiceConfig"
+ name = "tailscale"
+ environment = [
 "TS_AUTHKEY=${var.tailscale_authkey}",
 "TS_HOSTNAME=${node.name}",
 "TS_ROUTES=${join(",", local.podSubnets)},${join(",", local.serviceSubnets)}",
- "TS_EXTRA_ARGS=--accept-routes --snat-subnet-routes",
+ #"TS_EXTRA_ARGS=--accept-routes --snat-subnet-routes",
 ]
 })
 ]
diff --git a/modules/cluster/variables.tf b/modules/cluster/variables.tf
index c808967..74eec42 100644
--- a/modules/cluster/variables.tf
+++ b/modules/cluster/variables.tf
@@ -18,13 +18,14 @@ variable "talos" {
 kubernetes = optional(string, "v1.30.0")
 # Default is:
- # customization:
- # systemExtensions:
- # officialExtensions:
- # - siderolabs/kata-containers
- # - siderolabs/qemu-guest-agent
- # - siderolabs/tailscale
- schematic_id = optional(string, "a3f29a65dfd32b73c76f14eef96ef7588cf08c7d737d24fae9b8216d1ffa5c3d")
+ # customization:
+ # systemExtensions:
+ # officialExtensions:
+ # - siderolabs/kata-containers
+ # - siderolabs/qemu-guest-agent
+ # - siderolabs/tailscale
+ # - siderolabs/wasmedge
+ schematic_id = optional(string, "a125b6d6becb63df5543edfae1231e351723dd6e4d551ba73e0f30229ad6ff59")
 })
 }
diff --git a/modules/cluster/versions.tf b/modules/cluster/versions.tf
index 660b870..689f191 100644
--- a/modules/cluster/versions.tf
+++ b/modules/cluster/versions.tf
@@ -1,4 +1,6 @@
 terraform {
+ required_version = ">= 1.0"
+
 required_providers {
 proxmox = {
 source = "bpg/proxmox"
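Review bot: The `@@ -153,14` hunk disables `--accept-routes --snat-subnet-routes` by commenting the string out (`#"TS_EXTRA_ARGS=--accept-routes --snat-subnet-routes",`), which leaves dead configuration inside the `environment` list and no record of why the nodes should stop installing peer-advertised routes; either delete the line or keep it with a one-line comment stating the reason. If the extension runs `tailscale up` on every boot against existing node state, dropping a previously set non-default flag may be rejected until the stored preference is reset — verify the rollout on an already-enrolled node rather than only on a fresh one. The `locals` block continues beyond the hunk.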