feat: lint

2024-07-25 17:42:08 +02:00 · 2024-07-25 17:42:08 +02:00 · e744c3898a
commit e744c3898a
parent b0fc017586
13 changed files with 180 additions and 124 deletions
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@ -0,0 +1,17 @@
 on:
  push:
    branches:
      - main
  pull_request:
 jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install devbox
        uses: jetify-com/devbox-install-action@v0.11.0
        with:
          enable-cache: true
      - run: devbox run -- just lint
--- a/devbox.json
+++ b/devbox.json
@ -6,7 +6,8 @@
    "cilium-cli@latest",
    "kubelogin-oidc@latest",
    "talosctl@latest",
-    "kubernetes-helm@latest"
+    "kubernetes-helm@latest",
    "tflint@latest"
  ],
  "shell": {
    "init_hook": [
--- a/devbox.lock
+++ b/devbox.lock
@ -324,6 +324,54 @@
          "store_path": "/nix/store/63slizc3fnqigbbn8lwpdwwz9ccx13qa-talosctl-1.7.5"
        }
      }
    },
    "tflint@latest": {
      "last_modified": "2024-07-19T15:40:08Z",
      "resolved": "github:NixOS/nixpkgs/ad0111043c09f7d0f6b9f039882cbf350d4f7d49#tflint",
      "source": "devbox-search",
      "version": "0.52.0",
      "systems": {
        "aarch64-darwin": {
          "outputs": [
            {
              "name": "out",
              "path": "/nix/store/0r44l4z5bd367npzgbgmpg5zba862wml-tflint-0.52.0",
              "default": true
            }
          ],
          "store_path": "/nix/store/0r44l4z5bd367npzgbgmpg5zba862wml-tflint-0.52.0"
        },
        "aarch64-linux": {
          "outputs": [
            {
              "name": "out",
              "path": "/nix/store/hn8cflv9xa7l9yqqnzf9yxxy8gp71483-tflint-0.52.0",
              "default": true
            }
          ],
          "store_path": "/nix/store/hn8cflv9xa7l9yqqnzf9yxxy8gp71483-tflint-0.52.0"
        },
        "x86_64-darwin": {
          "outputs": [
            {
              "name": "out",
              "path": "/nix/store/jlhmb4ka96dw5zayp993zn9zisd24s2v-tflint-0.52.0",
              "default": true
            }
          ],
          "store_path": "/nix/store/jlhmb4ka96dw5zayp993zn9zisd24s2v-tflint-0.52.0"
        },
        "x86_64-linux": {
          "outputs": [
            {
              "name": "out",
              "path": "/nix/store/vwwkk3ph9rx68ngdg4mxm0zm4p0sqwa7-tflint-0.52.0",
              "default": true
            }
          ],
          "store_path": "/nix/store/vwwkk3ph9rx68ngdg4mxm0zm4p0sqwa7-tflint-0.52.0"
        }
      }
    }
  }
 }
--- a/4
+++ b/4
@ -3,6 +3,10 @@ set shell := ["devbox", "run"]
 # Load dotenv
 set dotenv-load
 lint:
  @tofu fmt -check -recursive .
  @tflint --recursive
 GATEWAY_API_VERSION := "v1.1.0"
 METRICS_SERVER_VERSION := "v0.7.1"
--- a/k8s.tjo.cloud/kubeconfig
+++ b/k8s.tjo.cloud/kubeconfig
@ -1,26 +0,0 @@
 apiVersion: v1
 kind: Config
 clusters:
 - name: tjo-cloud
  cluster:
    server: https://api.k8s.tjo.cloud:6443
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVMrZ0F3SUJBZ0lRZXNQaHZSS20xbHlhdTU2RndIbDZMekFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUUtFd3ByZFdKbGNtNWxkR1Z6TUI0WERUSTBNRGN5TWpJd01UVXhOMW9YRFRNME1EY3lNREl3TVRVeApOMW93RlRFVE1CRUdBMVVFQ2hNS2EzVmlaWEp1WlhSbGN6QlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VICkEwSUFCTnVNUnl0K1lQUncxN094TFNRUDlJdngzZVk1am1pS1FSL2tEeTFENFI2ZVI4WUpqTlVDOXZGNmxzZFcKaWV3M09wekZybFl4eHl3Ym9vZVdDN3R1dlkyallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWRCZ05WSFNVRQpGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFCkZnUVU2TUhBdEhTZEJuUTZBbTRjeFVMOVc3b1Y2UFl3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQUpobVdzRXgKVjVnRW5na25uMURndjBBaVNjZTBHVUtrZWdBNStDK1VyOXlWQWlFQTVzQituQmFGVUl3R2JsYkcrSWEvOXFsZApFZEh0dXNkbDRRaHVmT0R5K1d3PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
 contexts:
 - name: oidc@tjo-cloud
  context:
    cluster: tjo-cloud
    namespace: default
    user: oidc
 current-context: oidc@tjo-cloud
 users:
 - name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://id.tjo.space/application/o/k8stjocloud/
      - --oidc-client-id=HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg
      - --oidc-extra-scope=profile
--- a/k8s.tjo.cloud/terraform.tf
+++ b/k8s.tjo.cloud/terraform.tf
@ -29,6 +29,8 @@ terraform {
      version = "2.31.0"
    }
  }
  required_version = "~> 1.7.3"
 }
 provider "proxmox" {
--- a/modules/cluster-components/gateway.tf
+++ b/modules/cluster-components/gateway.tf
@ -53,14 +53,14 @@ resource "kubernetes_manifest" "gateway_class_config" {
        type = "Kubernetes"
        kubernetes = {
          envoyDaemonSet = {
-            patch : {
+            patch = {
-              type : "StrategicMerge"
+              type = "StrategicMerge"
-              value : {
+              value = {
-                spec : {
+                spec = {
-                  template : {
+                  template = {
-                    spec : {
+                    spec = {
-                      hostNetwork : true
+                      hostNetwork = true
-                      dnsPolicy : "ClusterFirstWithHostNet"
+                      dnsPolicy   = "ClusterFirstWithHostNet"
                    }
                  }
                }
@ -92,12 +92,12 @@ resource "kubernetes_manifest" "gateway_class" {
      name = "envoy"
    }
    spec = {
-      controllerName : "gateway.envoyproxy.io/gatewayclass-controller"
+      controllerName = "gateway.envoyproxy.io/gatewayclass-controller"
-      parametersRef : {
+      parametersRef = {
-        group : "gateway.envoyproxy.io"
+        group     = "gateway.envoyproxy.io"
-        kind : "EnvoyProxy"
+        kind      = "EnvoyProxy"
-        name : kubernetes_manifest.gateway_class_config.object.metadata.name
+        name      = kubernetes_manifest.gateway_class_config.object.metadata.name
-        namespace : kubernetes_manifest.gateway_class_config.object.metadata.namespace
+        namespace = kubernetes_manifest.gateway_class_config.object.metadata.namespace
      }
    }
  }
@ -111,27 +111,27 @@ resource "kubernetes_manifest" "gateway" {
      name      = "gateway"
      namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
      annotations = {
-        "cert-manager.io/issuer" : "tjo-cloud"
+        "cert-manager.io/issuer" = "tjo-cloud"
      }
    }
    spec = {
      gatewayClassName = kubernetes_manifest.gateway_class.object.metadata.name
      listeners = [
        {
-          name : "http"
+          name     = "http"
-          hostname : "*.${var.cluster_name}.${var.cluster_domain}"
+          hostname = "*.${var.cluster_name}.${var.cluster_domain}"
-          protocol : "HTTPS"
+          protocol = "HTTPS"
-          port : 443
+          port     = 443
-          allowedRoutes : {
+          allowedRoutes = {
-            namespaces : {
+            namespaces = {
-              from : "Same"
+              from = "Same"
            }
          }
-          tls : {
+          tls = {
-            mode : "Terminate"
+            mode = "Terminate"
-            certificateRefs : [
+            certificateRefs = [
              {
-                name : "tjo-cloud-tls"
+                name = "tjo-cloud-tls"
              }
            ]
          }
--- a/modules/cluster-components/versions.tf
+++ b/modules/cluster-components/versions.tf
@ -1,4 +1,6 @@
 terraform {
  required_version = ">= 1.0"
  required_providers {
    digitalocean = {
      source  = "digitalocean/digitalocean"
--- a/modules/cluster-core/versions.tf
+++ b/modules/cluster-core/versions.tf
@ -1,4 +1,6 @@
 terraform {
  required_version = ">= 1.0"
  required_providers {
    helm = {
      source  = "hashicorp/helm"
--- a/modules/cluster/components.tf
+++ b/modules/cluster/components.tf
@ -22,9 +22,9 @@ data "helm_template" "cilium" {
    ipv4:
      enabled: true
-    #enableIPv6Masquerade: true
+    enableIPv6Masquerade: true
-    #ipv6:
+    ipv6:
-    #  enabled: true
+      enabled: true
    kubeProxyReplacement: "true"
    securityContext:
--- a/modules/cluster/main.tf
+++ b/modules/cluster/main.tf
@ -4,11 +4,11 @@ locals {
  podSubnets = [
    "10.200.0.0/16",
-    #"fd9b:5314:fc70::/64",
+    "fd9b:5314:fc70::/56",
  ]
  serviceSubnets = [
    "10.201.0.0/16",
-    #"fd9b:5314:fc71::/108",
+    "fd9b:5314:fc71::/112",
  ]
  # Nodes will use IPs from this subnets
@ -19,65 +19,65 @@ locals {
  ]
  talos_controlplane_config = {
-    machine : {
+    machine = {
-      features : {
+      features = {
-        rbac : true
+        rbac                 = true
-        apidCheckExtKeyUsage : true
+        apidCheckExtKeyUsage = true
-        kubernetesTalosAPIAccess : {
+        kubernetesTalosAPIAccess = {
-          enabled : true
+          enabled = true
-          allowedRoles : [
+          allowedRoles = [
            "os:reader"
          ]
-          allowedKubernetesNamespaces : [
+          allowedKubernetesNamespaces = [
            "kube-system"
          ]
        }
      }
    }
-    cluster : {
+    cluster = {
-      etcd : {
+      etcd = {
-        advertisedSubnets : local.tailscaleSubnets
+        advertisedSubnets = local.tailscaleSubnets
-        listenSubnets : local.tailscaleSubnets
+        listenSubnets     = local.tailscaleSubnets
      }
-      allowSchedulingOnControlPlanes : var.allow_scheduling_on_control_planes,
+      allowSchedulingOnControlPlanes = var.allow_scheduling_on_control_planes,
-      apiServer : {
+      apiServer = {
-        extraArgs : {
+        extraArgs = {
-          "oidc-issuer-url" : "https://id.tjo.space/application/o/k8stjocloud/",
+          "oidc-issuer-url"      = "https://id.tjo.space/application/o/k8stjocloud/",
-          "oidc-client-id" : "HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg",
+          "oidc-client-id"       = "HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg",
-          "oidc-username-claim" : "sub",
+          "oidc-username-claim"  = "sub",
-          "oidc-username-prefix" : "oidc:",
+          "oidc-username-prefix" = "oidc:",
-          "oidc-groups-claim" : "groups",
+          "oidc-groups-claim"    = "groups",
-          "oidc-groups-prefix" : "oidc:groups:",
+          "oidc-groups-prefix"   = "oidc:groups:",
        }
      }
-      inlineManifests : [
+      inlineManifests = [
        {
-          name : "proxmox-cloud-controller-manager"
+          name     = "proxmox-cloud-controller-manager"
-          contents : data.helm_template.proxmox-ccm.manifest
+          contents = data.helm_template.proxmox-ccm.manifest
        },
        {
-          name : "talos-cloud-controller-manager"
+          name     = "talos-cloud-controller-manager"
-          contents : data.helm_template.talos-ccm.manifest
+          contents = data.helm_template.talos-ccm.manifest
        },
        {
-          name : "promxmox-csi-plugin"
+          name     = "promxmox-csi-plugin"
-          contents : data.helm_template.proxmox-csi.manifest
+          contents = data.helm_template.proxmox-csi.manifest
        },
        {
-          name : "gateway-api-crds"
+          name     = "gateway-api-crds"
-          contents : file("${path.module}/manifests/gateway-api.crds.yaml")
+          contents = file("${path.module}/manifests/gateway-api.crds.yaml")
        },
        {
-          name : "metrics-server"
+          name     = "metrics-server"
-          contents : file("${path.module}/manifests/metrics-server.yaml")
+          contents = file("${path.module}/manifests/metrics-server.yaml")
        },
        {
-          name : "cilium"
+          name     = "cilium"
-          contents : data.helm_template.cilium.manifest
+          contents = data.helm_template.cilium.manifest
        },
        {
-          name : "oidc-admins"
+          name     = "oidc-admins"
-          contents : <<-EOF
+          contents = <<-EOF
            apiVersion: rbac.authorization.k8s.io/v1
            kind: ClusterRoleBinding
            metadata:
@ -97,33 +97,33 @@ locals {
  }
  talos_worker_config = {
-    cluster : {
+    cluster = {
-      externalCloudProvider : {
+      externalCloudProvider = {
-        enabled : true
+        enabled = true
      }
-      controlPlane : {
+      controlPlane = {
-        endpoint : local.cluster_endpoint
+        endpoint           = local.cluster_endpoint
-        localAPIServerPort : var.cluster.api.port
+        localAPIServerPort = var.cluster.api.port
      }
-      network : {
+      network = {
-        cni : {
+        cni = {
-          name : "none"
+          name = "none"
        }
-        podSubnets : local.podSubnets
+        podSubnets     = local.podSubnets
-        serviceSubnets : local.serviceSubnets
+        serviceSubnets = local.serviceSubnets
      }
-      proxy : {
+      proxy = {
-        disabled : true
+        disabled = true
      }
    }
    machine = {
      kubelet = {
-        nodeIP : {
+        nodeIP = {
-          validSubnets : local.tailscaleSubnets
+          validSubnets = local.tailscaleSubnets
        }
-        extraArgs : {
+        extraArgs = {
-          rotate-server-certificates : true
+          rotate-server-certificates = true
-          cloud-provider : "external"
+          cloud-provider             = "external"
        }
      }
      install = {
@ -139,6 +139,9 @@ locals {
        machine = {
          network = {
            hostname = node.name
            kubespan = {
              enabled = false
            }
          }
          nodeLabels = {
            "k8s.tjo.cloud/public"  = node.public ? "true" : "false"
@ -153,14 +156,14 @@ locals {
      }),
      yamlencode(
        {
-          apiVersion : "v1alpha1"
+          apiVersion = "v1alpha1"
-          kind : "ExtensionServiceConfig"
+          kind       = "ExtensionServiceConfig"
-          name : "tailscale"
+          name       = "tailscale"
-          environment : [
+          environment = [
            "TS_AUTHKEY=${var.tailscale_authkey}",
            "TS_HOSTNAME=${node.name}",
            "TS_ROUTES=${join(",", local.podSubnets)},${join(",", local.serviceSubnets)}",
-            "TS_EXTRA_ARGS=--accept-routes --snat-subnet-routes",
+            #"TS_EXTRA_ARGS=--accept-routes --snat-subnet-routes",
          ]
      })
    ]
--- a/modules/cluster/variables.tf
+++ b/modules/cluster/variables.tf
@ -24,7 +24,8 @@ variable "talos" {
    #         - siderolabs/kata-containers
    #         - siderolabs/qemu-guest-agent
    #         - siderolabs/tailscale
-    schematic_id = optional(string, "a3f29a65dfd32b73c76f14eef96ef7588cf08c7d737d24fae9b8216d1ffa5c3d")
+    #         - siderolabs/wasmedge
    schematic_id = optional(string, "a125b6d6becb63df5543edfae1231e351723dd6e4d551ba73e0f30229ad6ff59")
  })
 }
--- a/modules/cluster/versions.tf
+++ b/modules/cluster/versions.tf
@ -1,4 +1,6 @@
 terraform {
  required_version = ">= 1.0"
  required_providers {
    proxmox = {
      source  = "bpg/proxmox"