locals {
  # Name shared by every per-cluster object in this file: the Rancher cluster,
  # the Vault KV mount, the namespace, Service, Endpoints, Ingress and TLS secret.
  cluster_name = format("%s-%s", var.prefix, var.name)

  # Address list for the hand-managed Endpoints object further down. The hcloud
  # module may report no IPs at all (null) before the nodes exist, so fall back
  # to an empty list instead of iterating over null.
  cluster_addresses = module.cluster-hcloud.ips == null ? [] : [
    for node_ip in module.cluster-hcloud.ips : { ip = node_ip }
  ]
}
# MinIO credentials for this cluster, read from the KV v2 mount that is named
# after the cluster. NOTE(review): the returned `data` map is written to the
# Terraform state in plaintext (sensitivity only affects plan output), so the
# state backend must be access-controlled and encrypted.
data "vault_kv_secret_v2" "minio" {
  name  = "minio"
  mount = local.cluster_name
}
# SSH key pair for the Hetzner nodes. Terraform generates it, so the private
# half (private_key_pem, handed to the management module below) is stored in
# state; rotating it means tainting/replacing this resource.
# NOTE(review): 2048-bit RSA is still acceptable, but ed25519 would be smaller
# and faster if every consumer of the key (Hetzner, the management module's
# SSH client) accepts it — confirm before switching.
resource "tls_private_key" "cluster" {
  rsa_bits  = 2048
  algorithm = "RSA"
}
# Downstream cluster record in Rancher. Nodes join it through the registration
# token that the hcloud module consumes; its kubeconfig feeds the management
# module. Created with the admin-aliased Rancher provider.
resource "rancher2_cluster_v2" "cluster" {
  provider = rancher2.admin

  kubernetes_version = var.kubernetes_version
  name               = local.cluster_name

  # NOTE(review): depends_on is normally a list of resource/module references.
  # Passing an input variable here only orders creation after whatever the
  # caller wired into var.wait_on — confirm the Terraform version in use
  # accepts this form and that the intended dependency is actually expressed.
  depends_on = [var.wait_on]
}
# Registers the generated public key with Hetzner so the hcloud module can
# attach it (by id) to every server it creates.
resource "hcloud_ssh_key" "cluster" {
  public_key = tls_private_key.cluster.public_key_openssh
  name       = "${local.cluster_name}-ssh-key"

  lifecycle {
    # NOTE(review): ignoring public_key means that if tls_private_key.cluster
    # is ever regenerated, Hetzner keeps the OLD public key while the
    # management module receives the NEW private key, and SSH to freshly
    # created nodes breaks silently. Presumably this avoids a forced
    # replacement of a key that running servers reference — confirm, and
    # document the rotation procedure (replace both resources together).
    ignore_changes = [public_key]
  }
}
// Management module: receives the Rancher-generated kubeconfig for the new cluster, the MinIO credentials read from Vault, the generated SSH key pair and the Vault token.
# Management tooling for the downstream cluster. Apart from cluster,
# minio_server and vault_server every input below is secret-bearing and
# therefore ends up in Terraform state.
module "cluster-management" {
  source = "./management"

  cluster = local.cluster_name
  # Kubeconfig that Rancher generated for the downstream cluster — not the
  # management cluster's var.k8s_config_yaml used by the other modules here.
  k8s_config_yaml = rancher2_cluster_v2.cluster.kube_config

  # Object-storage credentials come from Vault, not from input variables.
  minio_server     = var.minio_server
  minio_access_key = data.vault_kv_secret_v2.minio.data["access_key"]
  minio_secret_key = data.vault_kv_secret_v2.minio.data["secret_key"]

  # Key pair generated above; the module receives the private half as well.
  ssh_public_key  = tls_private_key.cluster.public_key_openssh
  ssh_private_key = tls_private_key.cluster.private_key_pem

  # NOTE(review): var.vault_token should be declared `sensitive = true` where
  # it is defined (not visible here) so it is redacted from plan output, and
  # ideally be a short-lived token scoped to the `local.cluster_name` mount.
  vault_server = var.vault_server
  vault_token  = var.vault_token
}
# DevOps tooling. Note that, unlike cluster-management, this module is handed
# var.k8s_config_yaml (the kubeconfig the caller supplied, presumably the
# management cluster's) rather than the new cluster's kube_config — confirm
# that is the intended target cluster.
module "devops" {
  source = "./devops"

  cluster         = local.cluster_name
  k8s_config_yaml = var.k8s_config_yaml

  # Same Vault-sourced MinIO credentials as the management module.
  minio_server     = var.minio_server
  minio_access_key = data.vault_kv_secret_v2.minio.data["access_key"]
  minio_secret_key = data.vault_kv_secret_v2.minio.data["secret_key"]
}
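# Hetzner nodes that register themselves into the Rancher cluster above.
module "cluster-hcloud" {
  source = "./hcloud"

  prefix = var.prefix
  name   = var.name

  node_count    = var.node_count
  instance_type = var.node_instance_type

  hcloud_token      = var.hcloud_token
  hcloud_network_id = var.hcloud_network_id
  ssh_key_id        = hcloud_ssh_key.cluster.id

  # Registration script the nodes pipe into a root shell. Use the
  # TLS-verifying variant: `insecure_node_command` fetches the install script
  # with `curl --insecure`, so anyone who can intercept the node -> Rancher
  # connection could hand the node an arbitrary script to run as root.
  # `node_command` requires the Rancher server certificate to chain to a CA
  # the node image trusts; if Rancher is fronted by a private CA, bake that CA
  # into the image rather than falling back to the insecure command.
  cluster_registration_command = rancher2_cluster_v2.cluster.cluster_registration_token[0].node_command
}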
# Namespace on the cluster the kubernetes provider points at; holds the
# Service, Endpoints, Ingress and TLS secret for this downstream cluster.
resource "kubernetes_namespace" "cluster" {
  lifecycle {
    # Labels/annotations added out-of-band (e.g. by Rancher or policy
    # controllers) must not be reverted on the next apply.
    ignore_changes = [metadata]
  }

  metadata {
    name = local.cluster_name
  }
}
# TLS material for the published hosts, installed into the cluster namespace
# using the caller-supplied kubeconfig. The Ingress below waits on its
# `installed` output.
module "cluster-tls" {
  source = "./tls"

  k8s_config_yaml = var.k8s_config_yaml
  namespace       = kubernetes_namespace.cluster.metadata[0].name
  name            = local.cluster_name
  hosts           = var.hosts
}
# Hand-managed Endpoints that point the selector-less Service below at the
# Hetzner node IPs, so Traefik on this cluster can proxy to the downstream one.
# The backend is plain HTTP on port 80: if module.cluster-hcloud.ips are public
# addresses, ingress -> node traffic crosses the internet unencrypted. Confirm
# they are private-network addresses (var.hcloud_network_id) or restrict port
# 80 at the Hetzner firewall to this cluster's egress.
resource "kubernetes_manifest" "cluster-endpoints" {
  manifest = {
    apiVersion = "v1"
    kind       = "Endpoints"

    metadata = {
      namespace = kubernetes_namespace.cluster.metadata[0].name
      name      = local.cluster_name
    }

    # With no node IPs yet, local.cluster_addresses is [] and the subset simply
    # has no ready addresses.
    subsets = [{
      addresses = local.cluster_addresses
      ports     = [{ port = 80 }]
    }]
  }
}
# Selector-less ClusterIP Service: it has no pods behind it and is backed only
# by the Endpoints object of the same name, hence the explicit depends_on.
resource "kubernetes_manifest" "cluster-service" {
  depends_on = [kubernetes_manifest.cluster-endpoints]

  manifest = {
    apiVersion = "v1"
    kind       = "Service"

    metadata = {
      namespace = kubernetes_namespace.cluster.metadata[0].name
      name      = local.cluster_name
    }

    spec = {
      type = "ClusterIP"
      # Port 80 in, port 80 out — matches the Endpoints port above.
      ports = [{
        protocol   = "TCP"
        port       = 80
        targetPort = 80
      }]
    }
  }
}
# Public entry point for the downstream cluster via this cluster's Traefik:
# TLS is terminated here (cert-manager, `letsencrypt` ClusterIssuer), then
# traffic continues as plain HTTP to the Service/Endpoints above.
resource "kubernetes_manifest" "application_ingress" {
  depends_on = [
    module.cluster-tls.installed,
    kubernetes_manifest.cluster-service,
    kubernetes_manifest.cluster-endpoints,
  ]

  manifest = {
    apiVersion = "networking.k8s.io/v1"
    kind       = "Ingress"

    metadata = {
      namespace = kubernetes_namespace.cluster.metadata[0].name
      name      = local.cluster_name

      annotations = {
        # Legacy class annotation, kept alongside spec.ingressClassName.
        "kubernetes.io/ingress.class"    = "traefik"
        "cert-manager.io/cluster-issuer" = "letsencrypt"

        # Listens on both entrypoints; the redirect middleware bounces plain
        # HTTP clients to HTTPS. Both Middleware objects are expected to exist
        # in the `default` namespace — they are not created in this file.
        "traefik.ingress.kubernetes.io/router.entrypoints" = "web,websecure"
        "traefik.ingress.kubernetes.io/router.middlewares" = "default-redirect-to-https@kubernetescrd,default-preserve-host-headers@kubernetescrd"

        # Backend hop is unencrypted HTTP to the node IPs (see cluster-endpoints).
        "traefik.ingress.kubernetes.io/service.backend.loadbalancer.server.scheme"        = "http"
        "traefik.ingress.kubernetes.io/service.backend.loadbalancer.healthcheck.path"     = "/healthz"
        "traefik.ingress.kubernetes.io/service.backend.loadbalancer.healthcheck.interval" = "10s"
        "traefik.ingress.kubernetes.io/service.backend.loadbalancer.healthcheck.timeout"  = "3s"

        # Sticky-session annotations left disabled (commented out):
        #"traefik.ingress.kubernetes.io/service.backend.loadbalancer.sticky.cookie"      = "true"
        #"traefik.ingress.kubernetes.io/service.backend.loadbalancer.sticky.cookie.name" = "platform_sticky"
      }
    }

    spec = {
      ingressClassName = "traefik"

      # One catch-all ("/" prefix) rule per host; no hosts means no rules.
      rules = var.hosts == null ? [] : [
        for vhost in var.hosts : {
          host = vhost
          http = {
            paths = [{
              path     = "/"
              pathType = "Prefix"
              backend = {
                service = {
                  name = kubernetes_manifest.cluster-service.manifest.metadata.name
                  port = { number = 80 }
                }
              }
            }]
          }
        }
      ]

      # NOTE(review): unlike `rules`, this entry is emitted even when var.hosts
      # is null (it then carries hosts = null). The secret name is derived from
      # the same name/namespace that module.cluster-tls receives; if that module
      # also writes a certificate into "<cluster>-tls", the cert-manager
      # ingress-shim annotation above competes with it for the secret — confirm
      # which one is meant to own it.
      tls = [{
        hosts      = var.hosts
        secretName = "${local.cluster_name}-tls"
      }]
      // TODO: Optional extra TLS from external secret
    }
  }
}