feat: lint

This commit is contained in:
Tine 2024-07-25 17:42:08 +02:00
parent b0fc017586
commit e744c3898a
Signed by: mentos1386
SSH key fingerprint: SHA256:MNtTsLbihYaWF8j1fkOHfkKNlnN1JQfxEU/rBU8nCGw
13 changed files with 180 additions and 124 deletions


@ -0,0 +1,17 @@
on:
push:
branches:
- main
pull_request:
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install devbox
uses: jetify-com/devbox-install-action@v0.11.0
with:
enable-cache: true
- run: devbox run -- just lint
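Review bot: The workflow declares no `permissions:` block, so the job token keeps the repository's default scope even though this lint job only needs to read the checkout; on a GitHub-style runner adding `permissions:` / `  contents: read` at the top level (above `jobs:`) is the least-privilege default, and if this forge ignores the key it is harmless. Both `actions/checkout@v4` and the third-party `jetify-com/devbox-install-action@v0.11.0` are pinned by tag, which a moved tag can silently change; pinning to the full commit SHA with the tag kept in a trailing comment is the usual hardening for a job that runs on every pull request. The rendering has dropped indentation, so the nesting above is inferred from the key order.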


@ -6,7 +6,8 @@
"cilium-cli@latest", "cilium-cli@latest",
"kubelogin-oidc@latest", "kubelogin-oidc@latest",
"talosctl@latest", "talosctl@latest",
"kubernetes-helm@latest" "kubernetes-helm@latest",
"tflint@latest"
], ],
"shell": { "shell": {
"init_hook": [ "init_hook": [


@ -324,6 +324,54 @@
"store_path": "/nix/store/63slizc3fnqigbbn8lwpdwwz9ccx13qa-talosctl-1.7.5" "store_path": "/nix/store/63slizc3fnqigbbn8lwpdwwz9ccx13qa-talosctl-1.7.5"
} }
} }
},
"tflint@latest": {
"last_modified": "2024-07-19T15:40:08Z",
"resolved": "github:NixOS/nixpkgs/ad0111043c09f7d0f6b9f039882cbf350d4f7d49#tflint",
"source": "devbox-search",
"version": "0.52.0",
"systems": {
"aarch64-darwin": {
"outputs": [
{
"name": "out",
"path": "/nix/store/0r44l4z5bd367npzgbgmpg5zba862wml-tflint-0.52.0",
"default": true
}
],
"store_path": "/nix/store/0r44l4z5bd367npzgbgmpg5zba862wml-tflint-0.52.0"
},
"aarch64-linux": {
"outputs": [
{
"name": "out",
"path": "/nix/store/hn8cflv9xa7l9yqqnzf9yxxy8gp71483-tflint-0.52.0",
"default": true
}
],
"store_path": "/nix/store/hn8cflv9xa7l9yqqnzf9yxxy8gp71483-tflint-0.52.0"
},
"x86_64-darwin": {
"outputs": [
{
"name": "out",
"path": "/nix/store/jlhmb4ka96dw5zayp993zn9zisd24s2v-tflint-0.52.0",
"default": true
}
],
"store_path": "/nix/store/jlhmb4ka96dw5zayp993zn9zisd24s2v-tflint-0.52.0"
},
"x86_64-linux": {
"outputs": [
{
"name": "out",
"path": "/nix/store/vwwkk3ph9rx68ngdg4mxm0zm4p0sqwa7-tflint-0.52.0",
"default": true
}
],
"store_path": "/nix/store/vwwkk3ph9rx68ngdg4mxm0zm4p0sqwa7-tflint-0.52.0"
}
}
} }
} }
} }


@ -3,6 +3,10 @@ set shell := ["devbox", "run"]
# Load dotenv # Load dotenv
set dotenv-load set dotenv-load
lint:
@tofu fmt -check -recursive .
@tflint --recursive
GATEWAY_API_VERSION := "v1.1.0" GATEWAY_API_VERSION := "v1.1.0"
METRICS_SERVER_VERSION := "v0.7.1" METRICS_SERVER_VERSION := "v0.7.1"
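Review bot: `tofu fmt -check` exits non-zero without showing what is wrong, so a failed lint run in CI gives no actionable output; `@tofu fmt -check -diff -recursive .` prints the offending hunks instead. `tflint --recursive` also assumes any plugins declared in a `.tflint.hcl` are already installed; if such a file exists, an `@tflint --init` line belongs before it, otherwise the precondition should be stated in a comment above the recipe. Inserting the recipe between the `set` directives and the `*_VERSION` variables breaks the file's settings-then-variables ordering; placing it after the variables would read better.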


@ -1,26 +0,0 @@
apiVersion: v1
kind: Config
clusters:
- name: tjo-cloud
cluster:
server: https://api.k8s.tjo.cloud:6443
certificate-authority-data: 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
contexts:
- name: oidc@tjo-cloud
context:
cluster: tjo-cloud
namespace: default
user: oidc
current-context: oidc@tjo-cloud
users:
- name: oidc
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
command: kubectl
args:
- oidc-login
- get-token
- --oidc-issuer-url=https://id.tjo.space/application/o/k8stjocloud/
- --oidc-client-id=HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg
- --oidc-extra-scope=profile


@ -29,6 +29,8 @@ terraform {
version = "2.31.0" version = "2.31.0"
} }
} }
required_version = "~> 1.7.3"
} }
provider "proxmox" { provider "proxmox" {
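Review bot: `required_version = "~> 1.7.3"` limits this module to the 1.7.x line, while the same commit adds `required_version = ">= 1.0"` to the other three modules (L214, L223, L395), so the modules now disagree on which tool versions they accept. Because the lint recipe in this commit runs `tofu`, the constraint is presumably meant against OpenTofu's release line rather than Terraform's, which the bare number does not say; a comment such as `# OpenTofu 1.7.x (the version tflint/tofu fmt run against in CI)` and one consistent constraint across the modules would avoid a surprise on the next upgrade. The enclosing `terraform` block starts outside the hunk.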


@ -53,14 +53,14 @@ resource "kubernetes_manifest" "gateway_class_config" {
type = "Kubernetes" type = "Kubernetes"
kubernetes = { kubernetes = {
envoyDaemonSet = { envoyDaemonSet = {
patch : { patch = {
type : "StrategicMerge" type = "StrategicMerge"
value : { value = {
spec : { spec = {
template : { template = {
spec : { spec = {
hostNetwork : true hostNetwork = true
dnsPolicy : "ClusterFirstWithHostNet" dnsPolicy = "ClusterFirstWithHostNet"
} }
} }
} }
@ -92,12 +92,12 @@ resource "kubernetes_manifest" "gateway_class" {
name = "envoy" name = "envoy"
} }
spec = { spec = {
controllerName : "gateway.envoyproxy.io/gatewayclass-controller" controllerName = "gateway.envoyproxy.io/gatewayclass-controller"
parametersRef : { parametersRef = {
group : "gateway.envoyproxy.io" group = "gateway.envoyproxy.io"
kind : "EnvoyProxy" kind = "EnvoyProxy"
name : kubernetes_manifest.gateway_class_config.object.metadata.name name = kubernetes_manifest.gateway_class_config.object.metadata.name
namespace : kubernetes_manifest.gateway_class_config.object.metadata.namespace namespace = kubernetes_manifest.gateway_class_config.object.metadata.namespace
} }
} }
} }
@ -111,27 +111,27 @@ resource "kubernetes_manifest" "gateway" {
name = "gateway" name = "gateway"
namespace = kubernetes_namespace.tjo-cloud.metadata[0].name namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
annotations = { annotations = {
"cert-manager.io/issuer" : "tjo-cloud" "cert-manager.io/issuer" = "tjo-cloud"
} }
} }
spec = { spec = {
gatewayClassName = kubernetes_manifest.gateway_class.object.metadata.name gatewayClassName = kubernetes_manifest.gateway_class.object.metadata.name
listeners = [ listeners = [
{ {
name : "http" name = "http"
hostname : "*.${var.cluster_name}.${var.cluster_domain}" hostname = "*.${var.cluster_name}.${var.cluster_domain}"
protocol : "HTTPS" protocol = "HTTPS"
port : 443 port = 443
allowedRoutes : { allowedRoutes = {
namespaces : { namespaces = {
from : "Same" from = "Same"
} }
} }
tls : { tls = {
mode : "Terminate" mode = "Terminate"
certificateRefs : [ certificateRefs = [
{ {
name : "tjo-cloud-tls" name = "tjo-cloud-tls"
} }
] ]
} }


@ -1,4 +1,6 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
digitalocean = { digitalocean = {
source = "digitalocean/digitalocean" source = "digitalocean/digitalocean"


@ -1,4 +1,6 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
helm = { helm = {
source = "hashicorp/helm" source = "hashicorp/helm"


@ -22,9 +22,9 @@ data "helm_template" "cilium" {
ipv4: ipv4:
enabled: true enabled: true
#enableIPv6Masquerade: true enableIPv6Masquerade: true
#ipv6: ipv6:
# enabled: true enabled: true
kubeProxyReplacement: "true" kubeProxyReplacement: "true"
securityContext: securityContext:
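Review bot: Uncommenting `enableIPv6Masquerade: true` and `ipv6: enabled: true` turns on dual-stack networking in Cilium, which is a behaviour change rather than a lint fix, and it lands under a commit titled "feat: lint" together with the IPv6 pod and service subnet change in the locals section (L244, L248). The rest of the Cilium values (IPAM mode, any IPv6 native-routing CIDR) is outside the hunk, so whether the new `fd9b:5314:fc70::/56` pod range actually reaches Cilium's allocator cannot be confirmed from here and is worth checking before this is merged. A comment on the `ipv6:` key naming where the v6 ranges come from, e.g. `# dual-stack: v6 pod/service ranges are set in the Talos cluster network locals`, would tie the two changes together; splitting the network change into its own commit would make it reviewable on its own.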


@ -4,11 +4,11 @@ locals {
podSubnets = [ podSubnets = [
"10.200.0.0/16", "10.200.0.0/16",
#"fd9b:5314:fc70::/64", "fd9b:5314:fc70::/56",
] ]
serviceSubnets = [ serviceSubnets = [
"10.201.0.0/16", "10.201.0.0/16",
#"fd9b:5314:fc71::/108", "fd9b:5314:fc71::/112",
] ]
# Nodes will use IPs from this subnets # Nodes will use IPs from this subnets
@ -19,65 +19,65 @@ locals {
] ]
talos_controlplane_config = { talos_controlplane_config = {
machine : { machine = {
features : { features = {
rbac : true rbac = true
apidCheckExtKeyUsage : true apidCheckExtKeyUsage = true
kubernetesTalosAPIAccess : { kubernetesTalosAPIAccess = {
enabled : true enabled = true
allowedRoles : [ allowedRoles = [
"os:reader" "os:reader"
] ]
allowedKubernetesNamespaces : [ allowedKubernetesNamespaces = [
"kube-system" "kube-system"
] ]
} }
} }
} }
cluster : { cluster = {
etcd : { etcd = {
advertisedSubnets : local.tailscaleSubnets advertisedSubnets = local.tailscaleSubnets
listenSubnets : local.tailscaleSubnets listenSubnets = local.tailscaleSubnets
} }
allowSchedulingOnControlPlanes : var.allow_scheduling_on_control_planes, allowSchedulingOnControlPlanes = var.allow_scheduling_on_control_planes,
apiServer : { apiServer = {
extraArgs : { extraArgs = {
"oidc-issuer-url" : "https://id.tjo.space/application/o/k8stjocloud/", "oidc-issuer-url" = "https://id.tjo.space/application/o/k8stjocloud/",
"oidc-client-id" : "HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg", "oidc-client-id" = "HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg",
"oidc-username-claim" : "sub", "oidc-username-claim" = "sub",
"oidc-username-prefix" : "oidc:", "oidc-username-prefix" = "oidc:",
"oidc-groups-claim" : "groups", "oidc-groups-claim" = "groups",
"oidc-groups-prefix" : "oidc:groups:", "oidc-groups-prefix" = "oidc:groups:",
} }
} }
inlineManifests : [ inlineManifests = [
{ {
name : "proxmox-cloud-controller-manager" name = "proxmox-cloud-controller-manager"
contents : data.helm_template.proxmox-ccm.manifest contents = data.helm_template.proxmox-ccm.manifest
}, },
{ {
name : "talos-cloud-controller-manager" name = "talos-cloud-controller-manager"
contents : data.helm_template.talos-ccm.manifest contents = data.helm_template.talos-ccm.manifest
}, },
{ {
name : "promxmox-csi-plugin" name = "promxmox-csi-plugin"
contents : data.helm_template.proxmox-csi.manifest contents = data.helm_template.proxmox-csi.manifest
}, },
{ {
name : "gateway-api-crds" name = "gateway-api-crds"
contents : file("${path.module}/manifests/gateway-api.crds.yaml") contents = file("${path.module}/manifests/gateway-api.crds.yaml")
}, },
{ {
name : "metrics-server" name = "metrics-server"
contents : file("${path.module}/manifests/metrics-server.yaml") contents = file("${path.module}/manifests/metrics-server.yaml")
}, },
{ {
name : "cilium" name = "cilium"
contents : data.helm_template.cilium.manifest contents = data.helm_template.cilium.manifest
}, },
{ {
name : "oidc-admins" name = "oidc-admins"
contents : <<-EOF contents = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
@ -97,33 +97,33 @@ locals {
} }
talos_worker_config = { talos_worker_config = {
cluster : { cluster = {
externalCloudProvider : { externalCloudProvider = {
enabled : true enabled = true
} }
controlPlane : { controlPlane = {
endpoint : local.cluster_endpoint endpoint = local.cluster_endpoint
localAPIServerPort : var.cluster.api.port localAPIServerPort = var.cluster.api.port
} }
network : { network = {
cni : { cni = {
name : "none" name = "none"
} }
podSubnets : local.podSubnets podSubnets = local.podSubnets
serviceSubnets : local.serviceSubnets serviceSubnets = local.serviceSubnets
} }
proxy : { proxy = {
disabled : true disabled = true
} }
} }
machine = { machine = {
kubelet = { kubelet = {
nodeIP : { nodeIP = {
validSubnets : local.tailscaleSubnets validSubnets = local.tailscaleSubnets
} }
extraArgs : { extraArgs = {
rotate-server-certificates : true rotate-server-certificates = true
cloud-provider : "external" cloud-provider = "external"
} }
} }
install = { install = {
@ -139,6 +139,9 @@ locals {
machine = { machine = {
network = { network = {
hostname = node.name hostname = node.name
kubespan = {
enabled = false
}
} }
nodeLabels = { nodeLabels = {
"k8s.tjo.cloud/public" = node.public ? "true" : "false" "k8s.tjo.cloud/public" = node.public ? "true" : "false"
@ -153,14 +156,14 @@ locals {
}), }),
yamlencode( yamlencode(
{ {
apiVersion : "v1alpha1" apiVersion = "v1alpha1"
kind : "ExtensionServiceConfig" kind = "ExtensionServiceConfig"
name : "tailscale" name = "tailscale"
environment : [ environment = [
"TS_AUTHKEY=${var.tailscale_authkey}", "TS_AUTHKEY=${var.tailscale_authkey}",
"TS_HOSTNAME=${node.name}", "TS_HOSTNAME=${node.name}",
"TS_ROUTES=${join(",", local.podSubnets)},${join(",", local.serviceSubnets)}", "TS_ROUTES=${join(",", local.podSubnets)},${join(",", local.serviceSubnets)}",
"TS_EXTRA_ARGS=--accept-routes --snat-subnet-routes", #"TS_EXTRA_ARGS=--accept-routes --snat-subnet-routes",
] ]
}) })
] ]
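Review bot: Commenting out `"TS_EXTRA_ARGS=--accept-routes --snat-subnet-routes"` changes what the tailscale extension does on every node — the pod and service subnets are still advertised through `TS_ROUTES`, but without `--accept-routes` Linux nodes do not accept the routes the other nodes advertise — while the commit is titled as a lint change and the line carries no explanation. If the flags are meant to stay disabled, a comment above the line stating why and what now provides cross-node reachability (the hunk above also sets `kubespan.enabled = false` at L353-L355) would keep the next reader from re-enabling them; if they are gone for good, deleting the line is cleaner than a commented-out value inside a generated environment list. The enclosing `locals` block continues outside the hunk.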


@ -18,13 +18,14 @@ variable "talos" {
kubernetes = optional(string, "v1.30.0") kubernetes = optional(string, "v1.30.0")
# Default is: # Default is:
# customization: # customization:
# systemExtensions: # systemExtensions:
# officialExtensions: # officialExtensions:
# - siderolabs/kata-containers # - siderolabs/kata-containers
# - siderolabs/qemu-guest-agent # - siderolabs/qemu-guest-agent
# - siderolabs/tailscale # - siderolabs/tailscale
schematic_id = optional(string, "a3f29a65dfd32b73c76f14eef96ef7588cf08c7d737d24fae9b8216d1ffa5c3d") # - siderolabs/wasmedge
schematic_id = optional(string, "a125b6d6becb63df5543edfae1231e351723dd6e4d551ba73e0f30229ad6ff59")
}) })
} }


@ -1,4 +1,6 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
proxmox = { proxmox = {
source = "bpg/proxmox" source = "bpg/proxmox"