locals { public_domain = "${var.cluster.api.public.subdomain}.${var.cluster.api.public.domain}" internal_domain = "${var.cluster.api.internal.subdomain}.${var.cluster.api.internal.domain}" cluster_internal_endpoint = "https://${local.internal_domain}:${var.cluster.api.internal.port}" cluster_public_endpoint = "https://${local.public_domain}:${var.cluster.api.public.port}" talos_controlplane_config = { machine = { kubelet = { extraArgs = { rotate-server-certificates = true } } features = { rbac = true apidCheckExtKeyUsage = true kubernetesTalosAPIAccess = { enabled = true allowedRoles = [ "os:reader" ] allowedKubernetesNamespaces = [ "kube-system" ] } } } cluster = { apiServer = { certSANs = [ local.public_domain, local.internal_domain, "localhost:7445", ] extraArgs = { "oidc-issuer-url" = "https://id.tjo.space/application/o/k8stjocloud/", "oidc-client-id" = "HAI6rW0EWtgmSPGKAJ3XXzubQTUut2GMeTRS2spg", "oidc-username-claim" = "sub", "oidc-username-prefix" = "oidc:", "oidc-groups-claim" = "groups", "oidc-groups-prefix" = "oidc:groups:", } } inlineManifests = concat([ { name = "proxmox-cloud-controller-manager" contents = data.helm_template.proxmox-ccm.manifest }, { name = "talos-cloud-controller-manager" contents = data.helm_template.talos-ccm.manifest }, { name = "promxmox-csi-plugin" contents = data.helm_template.proxmox-csi.manifest }, { name = "gateway-api-crds" contents = file("${path.module}/manifests/gateway-api.crds.yaml") }, { name = "oidc-admins" contents = <<-EOF apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: id-tjo-space:admins subjects: - kind: Group name: oidc:groups:k8s.tjo.cloud admin apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.io EOF }, { name = "cilium" contents = data.helm_template.cilium.manifest }, { name = "cilium-bgp-advertisement" contents = <<-EOF apiVersion: cilium.io/v2alpha1 kind: CiliumBGPAdvertisement metadata: name: pods-and-services labels: k8s.tjo.cloud/default: "true" spec: advertisements: - advertisementType: "PodCIDR" - advertisementType: "Service" service: addresses: - ExternalIP - LoadBalancerIP selector: matchExpressions: - {key: somekey, operator: NotIn, values: ['never-used-value']} # match all services EOF }, { name = "cilium-bgp-peer-config" contents = <<-EOF apiVersion: cilium.io/v2alpha1 kind: CiliumBGPPeerConfig metadata: name: default spec: families: - afi: ipv4 safi: unicast advertisements: matchLabels: k8s.tjo.cloud/default: "true" - afi: ipv6 safi: unicast advertisements: matchLabels: k8s.tjo.cloud/default: "true" EOF }, { name = "cilium-load-balancer-ip-pool" contents = <<-EOF apiVersion: cilium.io/v2alpha1 kind: CiliumLoadBalancerIPPool metadata: name: default spec: blocks: - cidr: "${var.cluster.load_balancer_cidr.ipv4}" - cidr: "${var.cluster.load_balancer_cidr.ipv6}" EOF }, ], [for name, attributes in var.hosts : { name = "cilium-bgp-node-config-override-${name}" contents = <<-EOF apiVersion: cilium.io/v2alpha1 kind: CiliumBGPClusterConfig metadata: name: ${name} spec: gracefulRestart: enabled: true restartTimeSeconds: 15 nodeSelector: matchLabels: k8s.tjo.cloud/bgp: "true" k8s.tjo.cloud/host: ${name} k8s.tjo.cloud/proxmox: ${var.proxmox.name} bgpInstances: - name: "${name}" localASN: ${attributes.asn} peers: - name: "local-router-vip" peerASN: ${attributes.asn} peerAddress: "10.0.0.1" peerConfigRef: name: "default" EOF } ] ) } } talos_worker_config = { cluster = { network = { cni = { name = "none" } podSubnets = [ var.cluster.pod_cidr.ipv4, var.cluster.pod_cidr.ipv6 ] serviceSubnets = [ var.cluster.service_cidr.ipv4, var.cluster.service_cidr.ipv6 ] } proxy = { disabled = true } } machine = { kubelet = { extraArgs = { rotate-server-certificates = true cloud-provider = "external" } } install = { image = "factory.talos.dev/installer/${var.talos.schematic_id}:${var.talos.version}" disk = "/dev/vda" } features = { hostDNS = { enabled = false resolveMemberNames = false forwardKubeDNSToHost = false } } } } talos_node_config = { for k, node in local.nodes_with_address : k => [ yamlencode({ machine = { network = { hostname = node.name } nodeLabels = { "k8s.tjo.cloud/bgp" = "true" "k8s.tjo.cloud/host" = node.host "k8s.tjo.cloud/proxmox" = var.proxmox.name } } }), ] } } resource "talos_machine_secrets" "this" { talos_version = var.talos.version } data "talos_machine_configuration" "controlplane" { cluster_name = var.cluster.name machine_type = "controlplane" cluster_endpoint = local.cluster_internal_endpoint machine_secrets = talos_machine_secrets.this.machine_secrets talos_version = var.talos.version kubernetes_version = var.talos.kubernetes } data "talos_machine_configuration" "worker" { cluster_name = var.cluster.name machine_type = "worker" cluster_endpoint = local.cluster_internal_endpoint machine_secrets = talos_machine_secrets.this.machine_secrets talos_version = var.talos.version kubernetes_version = var.talos.kubernetes } resource "talos_machine_configuration_apply" "controlplane" { for_each = { for k, v in local.nodes_with_address : k => v if v.type == "controlplane" } client_configuration = talos_machine_secrets.this.client_configuration machine_configuration_input = data.talos_machine_configuration.controlplane.machine_configuration node = each.value.name endpoint = each.value.ipv4 config_patches = sensitive(concat( [ yamlencode(local.talos_worker_config), yamlencode(local.talos_controlplane_config) ], local.talos_node_config[each.key] )) timeouts = { create = "1m" update = "1m" } } resource "talos_machine_configuration_apply" "worker" { for_each = { for k, v in local.nodes_with_address : k => v if v.type == "worker" } client_configuration = talos_machine_secrets.this.client_configuration machine_configuration_input = data.talos_machine_configuration.worker.machine_configuration node = each.value.name endpoint = each.value.ipv4 config_patches = sensitive(concat( [ yamlencode(local.talos_worker_config) ], local.talos_node_config[each.key] )) timeouts = { create = "1m" update = "1m" } } resource "talos_machine_bootstrap" "this" { depends_on = [ talos_machine_configuration_apply.controlplane, talos_machine_configuration_apply.worker ] node = local.first_controlplane_node.name endpoint = local.first_controlplane_node.ipv4 client_configuration = talos_machine_secrets.this.client_configuration } resource "talos_cluster_kubeconfig" "this" { depends_on = [ talos_machine_bootstrap.this ] client_configuration = talos_machine_secrets.this.client_configuration node = local.first_controlplane_node.ipv4 } resource "local_file" "kubeconfig" { content = talos_cluster_kubeconfig.this.kubeconfig_raw filename = "${path.root}/admin.kubeconfig" lifecycle { ignore_changes = [content] } } data "talos_client_configuration" "this" { count = length(values({ for k, v in local.nodes_with_address : k => v if v.type == "controlplane" })) > 0 ? 1 : 0 cluster_name = var.cluster.name client_configuration = talos_machine_secrets.this.client_configuration endpoints = values({ for k, v in local.nodes_with_address : k => v if v.type == "controlplane" })[*].ipv4 } resource "local_file" "talosconfig" { count = length(values({ for k, v in local.nodes : k => v if v.type == "controlplane" })) > 0 ? 1 : 0 content = nonsensitive(data.talos_client_configuration.this[0].talos_config) filename = "${path.root}/admin.talosconfig" } resource "dnsimple_zone_record" "api-internal-ipv4" { for_each = { for k, v in local.nodes_with_address : k => v if v.type == "controlplane" } zone_name = var.cluster.api.internal.domain type = "A" name = var.cluster.api.internal.subdomain value = each.value.ipv4 ttl = 30 } resource "dnsimple_zone_record" "api-internal-ipv6" { for_each = { for k, v in local.nodes_with_address : k => v if v.type == "controlplane" } zone_name = var.cluster.api.internal.domain type = "AAAA" name = var.cluster.api.internal.subdomain value = each.value.ipv6 ttl = 30 }