From 174389cb0bb3bdd46bfad5e9c65cabd5e8ca0dc9 Mon Sep 17 00:00:00 2001 From: Caleb Woodbine Date: Fri, 23 Aug 2024 10:57:43 +1200 Subject: [PATCH 1/7] feat: add terraform for oci oke terraform to provision an OKE cluster on OCI --- terraform/oci-oke-cluster/data.tf | 18 +++++ terraform/oci-oke-cluster/locals.tf | 5 ++ terraform/oci-oke-cluster/main.tf | 82 +++++++++++++++++++ terraform/oci-oke-cluster/network.tf | 108 +++++++++++++++++++++++++ terraform/oci-oke-cluster/output.tf | 4 + terraform/oci-oke-cluster/variables.tf | 70 ++++++++++++++++ terraform/oci-oke-cluster/versions.tf | 17 ++++ 7 files changed, 304 insertions(+) create mode 100644 terraform/oci-oke-cluster/data.tf create mode 100644 terraform/oci-oke-cluster/locals.tf create mode 100644 terraform/oci-oke-cluster/main.tf create mode 100644 terraform/oci-oke-cluster/network.tf create mode 100644 terraform/oci-oke-cluster/output.tf create mode 100644 terraform/oci-oke-cluster/variables.tf create mode 100644 terraform/oci-oke-cluster/versions.tf diff --git a/terraform/oci-oke-cluster/data.tf b/terraform/oci-oke-cluster/data.tf new file mode 100644 index 0000000..d68c038 --- /dev/null +++ b/terraform/oci-oke-cluster/data.tf @@ -0,0 +1,18 @@ +data "oci_identity_availability_domains" "availability_domains" { + #Required + compartment_id = var.tenancy_ocid +} + +data "oci_core_images" "node_pool_images" { + compartment_id = var.compartment_ocid + operating_system = "Oracle Linux" + operating_system_version = "8" + shape = var.node_shape + sort_by = "TIMECREATED" + sort_order = "DESC" +} + +data "oci_containerengine_cluster_kube_config" "cluster_kube_config" { + #Required + cluster_id = oci_containerengine_cluster.cluster.id +} diff --git a/terraform/oci-oke-cluster/locals.tf b/terraform/oci-oke-cluster/locals.tf new file mode 100644 index 0000000..7e7373c --- /dev/null +++ b/terraform/oci-oke-cluster/locals.tf @@ -0,0 +1,5 @@ +locals { + common_labels = { + "TalosCluster" = var.cluster_name + } +} 
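Review bot: `data "oci_core_images" "node_pool_images"` resolves to the newest matching image at every plan (`sort_by = "TIMECREATED"`, `sort_order = "DESC"`), and main.tf consumes `images[0]` in `node_source_details`, so the worker image is never pinned and can change between runs with no change to the configuration. For reproducible, auditable node builds, add an optional `variable "node_image_id"` (default `null`) and select the image with `image_id = coalesce(var.node_image_id, data.oci_core_images.node_pool_images.images[0].id)`, recording the OCID that was actually applied. The lookup also fails with an index error rather than a readable message if no Oracle Linux 8 image exists for `var.node_shape`; since `required_version` is `>= 1.2`, a `lifecycle { postcondition { condition = length(self.images) > 0 ... } }` on the data source would report that case clearly.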
diff --git a/terraform/oci-oke-cluster/main.tf b/terraform/oci-oke-cluster/main.tf new file mode 100644 index 0000000..fa6a503 --- /dev/null +++ b/terraform/oci-oke-cluster/main.tf 
@@ -0,0 +1,82 @@ +resource "oci_containerengine_cluster" "cluster" { + #Required + compartment_id = var.compartment_ocid + kubernetes_version = var.cluster_kubernetes_version + name = var.cluster_name + vcn_id = oci_core_vcn.vcn.id + + endpoint_config { + + #Optional + is_public_ip_enabled = true + nsg_ids = [oci_core_network_security_group.network_security_group.id] + subnet_id = oci_core_subnet.subnet.id + } + options { + + #Optional + add_ons { + + #Optional + is_kubernetes_dashboard_enabled = false + is_tiller_enabled = false + } + admission_controller_options { + + #Optional + is_pod_security_policy_enabled = false + } + kubernetes_network_config { + + #Optional + pods_cidr = var.pod_subnet_block + services_cidr = var.service_subnet_block + } + persistent_volume_config { + + #Optional + freeform_tags = local.common_labels + } + service_lb_config { + + #Optional + freeform_tags = local.common_labels + } + service_lb_subnet_ids = [oci_core_subnet.subnet.id] + } + type = "ENHANCED_CLUSTER" +} + +resource "oci_containerengine_node_pool" "node_pool" { + #Required + cluster_id = oci_containerengine_cluster.cluster.id + compartment_id = var.compartment_ocid + name = "${var.cluster_name}-primary" + node_shape = var.node_shape + + #Optional + freeform_tags = local.common_labels + kubernetes_version = var.cluster_kubernetes_version + node_config_details { + #Required + placement_configs { + #Required + availability_domain = data.oci_identity_availability_domains.availability_domains.availability_domains[0].name + subnet_id = oci_core_subnet.node_subnet.id + } + size = var.node_pool_count + + freeform_tags = local.common_labels + nsg_ids = [oci_core_network_security_group.network_security_group.id] + } + node_shape_config { + #Optional + memory_in_gbs = var.node_memory_in_gbs + ocpus = var.node_ocpus + } + node_source_details { + #Required + image_id = data.oci_core_images.node_pool_images.images[0].id + source_type = "IMAGE" + } +} 
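Review bot: `endpoint_config` publishes the Kubernetes API on a public IP (`is_public_ip_enabled = true`) and attaches an NSG that, in network.tf, carries only an egress rule, so inbound reachability of the API port is decided entirely by the subnet's security list, which admits all ingress from `0.0.0.0/0`. If a public endpoint is intended, add an explicit ingress rule on the NSG limited to TCP/6443 from an administrative CIDR list (for example `var.api_allowed_cidrs`) and narrow the security list; otherwise set `is_public_ip_enabled = false` and reach the endpoint over a private path. Two smaller points: the `oci_containerengine_cluster` resource itself carries no `freeform_tags = local.common_labels` although every network resource and the node pool do, and `placement_configs` pins all nodes to `availability_domains[0]`, which deserves a comment if single-AD placement is deliberate.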
diff --git a/terraform/oci-oke-cluster/network.tf b/terraform/oci-oke-cluster/network.tf new file mode 100644 index 0000000..32a82d3 --- /dev/null +++ b/terraform/oci-oke-cluster/network.tf 
@@ -0,0 +1,108 @@ +resource "oci_core_vcn" "vcn" { + #Required + compartment_id = var.compartment_ocid + + #Optional + cidr_blocks = var.cidr_blocks + display_name = "${var.cluster_name}-vcn" + freeform_tags = local.common_labels + is_ipv6enabled = true +} +resource "oci_core_subnet" "subnet" { + #Required + cidr_block = var.subnet_block + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.vcn.id + prohibit_internet_ingress = false + prohibit_public_ip_on_vnic = false + + #Optional + display_name = "${var.cluster_name}-subnet" + freeform_tags = local.common_labels + security_list_ids = [oci_core_security_list.security_list.id] + route_table_id = oci_core_route_table.route_table.id +} +resource "oci_core_subnet" "node_subnet" { + #Required + cidr_block = var.node_subnet_block + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.vcn.id + prohibit_internet_ingress = false + prohibit_public_ip_on_vnic = false + + #Optional + display_name = "${var.cluster_name}-subnet" + freeform_tags = local.common_labels + security_list_ids = [oci_core_security_list.security_list.id] + route_table_id = oci_core_route_table.route_table.id +} +resource "oci_core_route_table" "route_table" { + #Required + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.vcn.id + + #Optional + display_name = "${var.cluster_name}-route-table" + freeform_tags = local.common_labels + route_rules { + #Required + network_entity_id = oci_core_internet_gateway.internet_gateway.id + + #Optional + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + } +} + +resource "oci_core_internet_gateway" "internet_gateway" { + #Required + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.vcn.id + + #Optional + enabled = true + display_name = "${var.cluster_name}-internet-gateway" + freeform_tags = local.common_labels +} + +resource "oci_core_network_security_group" "network_security_group" { + #Required + compartment_id = var.compartment_ocid + vcn_id = 
oci_core_vcn.vcn.id + + #Optional + display_name = "${var.cluster_name}-security-group" + freeform_tags = local.common_labels +} +resource "oci_core_network_security_group_security_rule" "allow_all" { + network_security_group_id = oci_core_network_security_group.network_security_group.id + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + protocol = "all" + direction = "EGRESS" + stateless = false +} + +resource "oci_core_security_list" "security_list" { + #Required + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.vcn.id + + #Optional + display_name = "${var.cluster_name}-security-list" + egress_security_rules { + #Required + destination = "0.0.0.0/0" + protocol = "all" + + stateless = true + } + freeform_tags = local.common_labels + ingress_security_rules { + #Required + source = "0.0.0.0/0" + protocol = "all" + + stateless = true + } +} diff --git a/terraform/oci-oke-cluster/output.tf b/terraform/oci-oke-cluster/output.tf new file mode 100644 index 0000000..f2f2ae2 --- /dev/null +++ b/terraform/oci-oke-cluster/output.tf @@ -0,0 +1,4 @@ +output "kubeconfig" { + value = data.oci_containerengine_cluster_kube_config.cluster_kube_config.content + sensitive = true +} diff --git a/terraform/oci-oke-cluster/variables.tf b/terraform/oci-oke-cluster/variables.tf new file mode 100644 index 0000000..1d77298 --- /dev/null +++ b/terraform/oci-oke-cluster/variables.tf 
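Review bot: `oci_core_security_list.security_list` admits every protocol from `0.0.0.0/0` (stateless) and is attached to both `subnet` and `node_subnet`, which also set `prohibit_public_ip_on_vnic = false` and route `0.0.0.0/0` to the internet gateway, so each worker node is internet-reachable on every port; OCI applies security lists and NSGs as a union, so the NSG having no ingress rule does not narrow this. Replace the blanket ingress with the specific rules OKE needs (worker and control-plane traffic within the VCN CIDRs, plus load-balancer health-check ports), keep egress as required, and consider `prohibit_public_ip_on_vnic = true` on `node_subnet` with a NAT gateway for outbound traffic. Separately, `node_subnet` copies `display_name = "${var.cluster_name}-subnet"` from `subnet`; it should read `display_name = "${var.cluster_name}-node-subnet"`. The NSG rule named `allow_all` is egress-only, so `allow_all_egress` would describe it accurately.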
@@ -0,0 +1,70 @@ +variable "compartment_ocid" { + type = string + sensitive = true +} +variable "tenancy_ocid" { + type = string + sensitive = true +} +variable "user_ocid" { + type = string + sensitive = true +} +variable "fingerprint" { + type = string + sensitive = true +} +variable "private_key_path" { + type = string + default = "~/.oci/oci_main_terraform.pem" + sensitive = true +} +variable "region" { + description = "the OCI region where resources will be created" + type = string + default = null +} +variable "cluster_name" { + type = string + default = "cncfoke" +} +variable "cluster_kubernetes_version" { + type = string + default = "v1.30.1" +} +variable "cidr_blocks" { + type = set(string) + default = ["10.0.0.0/16"] +} +variable "subnet_block" { + type = string + default = "10.0.0.0/24" +} +variable "pod_subnet_block" { + type = string + default = "10.32.0.0/12" +} +variable "service_subnet_block" { + type = string + default = "10.200.0.0/21" +} +variable "node_subnet_block" { + type = string + default = "10.0.7.0/24" +} +variable "node_shape" { + type = string + default = "VM.Standard.A1.Flex" +} +variable "node_memory_in_gbs" { + type = number + default = 128 +} +variable "node_ocpus" { + type = number + default = 8 +} +variable "node_pool_count" { + type = number + default = 3 +} diff --git a/terraform/oci-oke-cluster/versions.tf b/terraform/oci-oke-cluster/versions.tf new file mode 100644 index 0000000..c056b79 --- /dev/null +++ b/terraform/oci-oke-cluster/versions.tf @@ -0,0 +1,17 @@ +terraform { + required_providers { + oci = { + source = "oracle/oci" + version = "6.7.0" # TODO include version in project root providers + } + } + required_version = ">= 1.2" +} + +provider "oci" { + tenancy_ocid = var.tenancy_ocid + user_ocid = var.user_ocid + private_key_path = var.private_key_path + fingerprint = var.fingerprint + region = var.region +} From 59a87a868c6899d30538ff6c3e636eae84cfe26f Mon Sep 17 00:00:00 2001 
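Review bot: Only `region` carries a `description`; the other sixteen variables, including the credential-shaped `*_ocid`, `fingerprint` and `private_key_path` inputs and the four CIDR inputs, are undocumented, so a caller cannot tell where a value comes from or which ranges must not overlap. Add a one-line `description` to each, for example `description = "OCID of the compartment that will own the cluster and its network"` on `compartment_ocid` and `description = "CIDR for OKE pods; must not overlap the VCN, subnet or service CIDRs"` on `pod_subnet_block`. A `validation` block such as `condition = can(cidrhost(var.subnet_block, 0))` on each CIDR variable would turn a malformed range into a plan-time error instead of a provider-side failure.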
From: Caleb Woodbine Date: Mon, 9 Sep 2024 10:43:21 +1200 Subject: [PATCH 2/7] feat: integrate into main and start from scratch - use oke module in main - remove currently not used terraform (reintroduce when needed) --- authentik.tf | 20 --- coder_dns.tf | 22 +-- main.tf | 97 ++------------ outputs.tf | 33 ----- providers.tf | 117 ---------------- terraform/oci-oke-cluster/locals.tf | 2 +- terraform/oci-oke-cluster/versions.tf | 11 +- variables.tf | 184 +++----------------------- versions.tf | 16 +++ 9 files changed, 47 insertions(+), 455 deletions(-) delete mode 100644 providers.tf create mode 100644 versions.tf diff --git a/authentik.tf b/authentik.tf index 6854dd1..8b13789 100644 --- a/authentik.tf +++ b/authentik.tf @@ -1,21 +1 @@ -module "cluster-authentik-config" { - source = "./terraform/authentik-config" - github_oauth_app_id = var.authentik_github_oauth_app_id - github_oauth_app_secret = var.authentik_github_oauth_app_secret - authentik_coder_oidc_client_id = module.cluster-manifests.authentik_coder_oidc_client_id - authentik_coder_oidc_client_secret = module.cluster-manifests.authentik_coder_oidc_client_secret - authentik_bootstrap_token = module.cluster-manifests.authentik_bootstrap_token - domain = var.domain - # repo = var.github_repository - # # repo = "${var.github_org}/${var.github_repository}" - # domain = "${var.domain}" - # secret = module.cluster-manifests.flux_receiver_token - providers = { - authentik = authentik - flux = flux - kubernetes = kubernetes.cluster - } - - depends_on = [module.cluster-manifests] -} diff --git a/coder_dns.tf b/coder_dns.tf index 0e721fd..8b13789 100644 --- a/coder_dns.tf +++ b/coder_dns.tf 
@@ -1,21 +1 @@ -resource "powerdns_zone" "coder" { - name = "coder.${var.domain}." - kind = "Native" - nameservers = ["ns1.sharing.io.", "ns2.sharing.io."] -} -resource "powerdns_record" "coder-A" { - zone = "coder.${var.domain}." - name = "coder.${var.domain}." - type = "A" - ttl = 300 - records = [module.cluster.cluster_ingress_ip] - depends_on = [powerdns_zone.coder] -} -resource "powerdns_record" "coder-WILDCARD" { - zone = "coder.${var.domain}." - name = "*.coder.${var.domain}." - type = "A" - ttl = 300 - records = [module.cluster.cluster_ingress_ip] - depends_on = [powerdns_zone.coder] -} + diff --git a/main.tf b/main.tf index ebfe601..0f0b6a1 100644 --- a/main.tf +++ b/main.tf 
@@ -1,94 +1,13 @@ -module "cluster" { - source = "./terraform/equinix-metal-talos-cluster" - - talos_version = var.talos_version - kubernetes_version = var.kubernetes_version - kubernetes_apiserver_fqdn = "k8s.${var.domain}" - controlplane_nodes = var.kubernetes_control_plane_nodes - cluster_name = var.github_org - domain = var.domain - equinix_metal_project_id = var.equinix_metal_project_id - equinix_metal_metro = var.equinix_metal_metro - equinix_metal_auth_token = var.equinix_metal_auth_token - equinix_metal_plan = var.equinix_metal_plan - talos_install_disk = var.talos_install_disk - longhorn_disk = var.longhorn_disk +module "cluster-sharingio-oke" { + source = "./terraform/oci-oke-cluster" providers = { - talos = talos - helm = helm - equinix = equinix - dns = dns - http = http + oci = oci } -} -resource "local_sensitive_file" "cluster-kubeconfig" { - content = module.cluster.kubeconfig.kubeconfig_raw - filename = "./tmp/cluster-kubeconfig" - - lifecycle { - ignore_changes = all - } -} -module "cluster-manifests" { - source = "./terraform/manifests" - - equinix_metal_project_id = var.equinix_metal_project_id - equinix_metal_metro = var.equinix_metal_metro - equinix_metal_auth_token = var.equinix_metal_auth_token - ingress_ip = module.cluster.cluster_ingress_ip - dns_ip = module.cluster.cluster_dns_ip - wg_ip = module.cluster.cluster_wireguard_ip - acme_email_address = var.acme_email_address - rfc2136_nameserver = var.rfc2136_nameserver - rfc2136_tsig_keyname = var.rfc2136_tsig_keyname - rfc2136_tsig_algorithm = var.rfc2136_tsig_algorithm - rfc2136_tsig_key = var.rfc2136_tsig_key - domain = var.domain - pdns_host = var.pdns_host - pdns_api_key = var.pdns_api_key - # for coder to directly authenticate via github - coder_version = var.coder_version - coder_oauth2_github_client_id = var.coder_oauth2_github_client_id - coder_oauth2_github_client_secret = var.coder_oauth2_github_client_secret - # for coder to create gh tokens for rw within workspaces - 
coder_gitauth_0_client_id = var.coder_gitauth_0_client_id - coder_gitauth_0_client_secret = var.coder_gitauth_0_client_secret - providers = { - kubernetes = kubernetes.cluster - random = random - } - authentik_version = var.authentik_version - depends_on = [local_sensitive_file.cluster-kubeconfig, module.cluster] -} -module "cluster-flux-bootstrap" { - source = "./terraform/flux-bootstrap" - - github_org = var.github_org - github_repository = var.github_repository - kubeconfig = module.cluster.kubeconfig.kubeconfig_raw - - providers = { - github = github - flux = flux.cluster - } - depends_on = [local_sensitive_file.cluster-kubeconfig, module.cluster-manifests] + compartment_ocid = var.compartment_ocid + tenancy_ocid = var.tenancy_ocid + user_ocid = var.user_ocid + private_key_path = var.private_key_path + fingerprint = var.fingerprint } - -# module "cluster-flux-github-webhook" { -# source = "./terraform/flux-github-webhook" - -# repo = var.github_repository -# # repo = "${var.github_org}/${var.github_repository}" -# domain = var.domain -# secret = module.cluster-manifests.flux_receiver_token - -# providers = { -# github = github -# kubernetes = kubernetes.cluster -# } - -# depends_on = [local_sensitive_file.cluster-kubeconfig, module.cluster-manifests, module.cluster-flux-bootstrap] -# } - diff --git a/outputs.tf b/outputs.tf index 7a76889..8b13789 100644 --- a/outputs.tf +++ b/outputs.tf 
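Review bot: The new `module "cluster-sharingio-oke"` call forwards `user_ocid`, `private_key_path` and `fingerprint`, but this same commit removes the module's `provider "oci"` block (terraform/oci-oke-cluster/versions.tf hunk), and nothing else in the module reads those variables or `region`, so the module now receives credential-shaped inputs it cannot use. Drop the three arguments from the call and delete the matching `variable` blocks (and `region`) from the module's variables.tf so the sensitive values stay confined to the root provider configuration. The `providers = { oci = oci }` mapping duplicates default provider inheritance; it is harmless but could go as well.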
@@ -1,34 +1 @@ -output "talosconfig" { - value = module.cluster.talosconfig - sensitive = true -} -output "kubeconfig" { - value = module.cluster.kubeconfig.kubeconfig_raw - sensitive = true -} - -output "akadmin-password" { - value = module.cluster-manifests.authentik_bootstrap_password - sensitive = true -} - -output "akadmin-token" { - value = module.cluster-manifests.authentik_bootstrap_token - sensitive = true -} - -output "cluster-apiserver-ip" { - value = module.cluster.cluster_apiserver_ip -} - -output "cluster-ingress-ip" { - value = module.cluster.cluster_ingress_ip -} -output "coder_admin_email" { - value = module.cluster-manifests.coder_admin_email -} -output "coder_admin_password" { - value = module.cluster-manifests.coder_admin_password - sensitive = true -} diff --git a/providers.tf b/providers.tf deleted file mode 100644 index bc0af7d..0000000 --- a/providers.tf +++ /dev/null 
@@ -1,117 +0,0 @@ -terraform { - required_providers { - talos = { - source = "siderolabs/talos" - version = "0.4.0" - } - helm = { - source = "hashicorp/helm" - version = "2.9.0" - } - equinix = { - source = "equinix/equinix" - version = "1.13.0" - } - dns = { - source = "hashicorp/dns" - version = "3.4.0" - } - flux = { - source = "fluxcd/flux" - version = "1.2.3" - } - github = { - source = "integrations/github" - version = "6.0.1" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = "2.27.0" - } - authentik = { - source = "goauthentik/authentik" - version = "2024.4.0" - } - random = { - source = "hashicorp/random" - version = "3.6.0" - } - powerdns = { - source = "pan-net/powerdns" - version = "1.5.0" - } - http = { - source = "hashicorp/http" - version = "3.4.2" - } - } - backend "kubernetes" { - secret_suffix = "cluster-state" - namespace = "hh" - } -} -provider "talos" { - alias = "talos" - # Configuration options -} -provider "helm" { - alias = "helm" - # Configuration options -} -provider "equinix" { - alias = "equinix" - # Configuration options - token = var.equinix_metal_auth_token -} -provider "github" { - owner = var.github_org - token = var.github_token -} -provider "dns" { - update { - server = var.rfc2136_nameserver - key_name = var.rfc2136_tsig_keyname - key_secret = var.rfc2136_tsig_key - key_algorithm = "hmac-sha256" - } -} -provider "kubernetes" { - alias = "cluster" - # config_path = "./tmp/cluster-kubeconfig" - # config_path = "./tmp/kubeconfig" - # host = "https://${module.cluster.kubeconfig.node}:6443" - # We use an IP here to speed things up, the first nome name might work as well - host = "https://${module.cluster.cluster_node0_ip}:6443" - client_certificate = base64decode(module.cluster.kubeconfig.kubernetes_client_configuration.client_certificate) - client_key = base64decode(module.cluster.kubeconfig.kubernetes_client_configuration.client_key) - cluster_ca_certificate = 
base64decode(module.cluster.kubeconfig.kubernetes_client_configuration.ca_certificate) -} -provider "flux" { - alias = "cluster" - kubernetes = { - # config_path = "./tmp/cluster-kubeconfig" - # host = "https://${module.cluster.kubeconfig.node}:6443" - # We use an IP here to speed things up, the first nome name might work as well - host = "https://${module.cluster.cluster_node0_ip}:6443" - client_certificate = base64decode(module.cluster.kubeconfig.kubernetes_client_configuration.client_certificate) - client_key = base64decode(module.cluster.kubeconfig.kubernetes_client_configuration.client_key) - cluster_ca_certificate = base64decode(module.cluster.kubeconfig.kubernetes_client_configuration.ca_certificate) - } - git = { - url = "ssh://git@github.com/${var.github_org}/${var.github_repository}.git" - ssh = { - username = "git" - private_key = module.cluster-flux-bootstrap.github_repository_deploy_key - } - } -} -provider "authentik" { - url = "https://sso.${var.domain}" - token = module.cluster-manifests.authentik_bootstrap_token - # Optionally set insecure to ignore TLS Certificates - # insecure = true -} -provider "powerdns" { - api_key = var.pdns_api_key - server_url = var.pdns_host -} diff --git a/terraform/oci-oke-cluster/locals.tf b/terraform/oci-oke-cluster/locals.tf index 7e7373c..893e494 100644 --- a/terraform/oci-oke-cluster/locals.tf +++ b/terraform/oci-oke-cluster/locals.tf @@ -1,5 +1,5 @@ locals { common_labels = { - "TalosCluster" = var.cluster_name + "okeCluster" = var.cluster_name } } diff --git a/terraform/oci-oke-cluster/versions.tf b/terraform/oci-oke-cluster/versions.tf index c056b79..4284080 100644 --- a/terraform/oci-oke-cluster/versions.tf +++ b/terraform/oci-oke-cluster/versions.tf 
@@ -1,17 +1,8 @@ terraform { required_providers { oci = { - source = "oracle/oci" - version = "6.7.0" # TODO include version in project root providers + source = "oracle/oci" } } required_version = ">= 1.2" } - -provider "oci" { - tenancy_ocid = var.tenancy_ocid - user_ocid = var.user_ocid - private_key_path = var.private_key_path - fingerprint = var.fingerprint - region = var.region -} diff --git a/variables.tf b/variables.tf index 3346506..66fe4d3 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1,165 +1,21 @@ -variable "kubernetes_version" { - type = string - default = "v1.30.0" - description = "the version of Kubernetes to deploy" -} - -variable "kubernetes_control_plane_nodes" { - type = number - default = 3 - description = "the number of control plane nodes to deploy" -} - -variable "talos_version" { - type = string - default = "v1.7.1" - description = "the version of Talos to deploy" -} - -variable "talos_install_disk" { - type = string - default = "/dev/sda" - description = "the disk for Talos to completely claim" -} - -variable "longhorn_disk" { - type = string - default = "/dev/sdb" - description = "the disk for Longhorn to completely claim" -} - -variable "ceph_disk" { - type = string - default = "/dev/X" - description = "the disk for Rook/CEPH to completely claim" -} - -variable "equinix_metal_project_id" { - description = "the project ID for the Equinix Metal project" - type = string - default = "" -} - -variable "equinix_metal_auth_token" { - description = "the api auth for the Equinix Metal, for virtual ip assignment" - type = string - default = "" -} - -variable "equinix_metal_metro" { - description = "the metro" - type = string - default = "sv" -} - -variable "equinix_metal_plan" { - description = "the plan" - type = string - default = "c3.medium.x86" -} - -variable "domain" { - description = "the root DNS zone for this cluster" - type = string - default = "" -} - -variable "rfc2136_nameserver" { - description = "the DNS server for nsupdates" - type = string - default = "" -} - -variable "rfc2136_tsig_keyname" { - description = "the tsig key name for talking to a RFC2136 compliant DNS server" - type = string - default = "" -} - -variable "rfc2136_tsig_algorithm" { - description = "the tsig algorithm for talking to a RFC2136 compliant DNS server" - type = string - default = "HMACSHA256" -} - -variable "rfc2136_tsig_key" { - description = "the tsig key for talking to a RFC2136 compliant DNS server" - type = string - default = "" -} - 
-variable "github_token" { - sensitive = true - type = string - description = "a PAT for GitHub auth" -} - -variable "github_org" { - type = string - description = "the org for the Flux repo (ii)" - default = "sharingio" -} - -variable "github_repository" { - type = string - description = "the Flux repo name (infra)" - default = "infra" -} - -variable "pdns_api_key" { - description = "the API key for PowerDNS" - type = string - default = "" -} -variable "pdns_host" { - description = "the host address for PowerDNS" - type = string - default = "" -} -variable "acme_email_address" { - description = "the email address for LetsEncrypt" - type = string - default = "" -} -variable "authentik_github_oauth_app_id" { - description = "Github OAUTH app id" - type = string - default = "" -} -variable "authentik_github_oauth_app_secret" { - description = "Github OAUTH app secrets" - type = string - default = "" -} -variable "coder_oauth2_github_client_id" { - description = "Authenticating Coder directly to github (bypassing authentik)" - type = string - default = "" -} -variable "coder_oauth2_github_client_secret" { - description = "Authenticating Coder directly to github (bypassing authentik)" - type = string - default = "" -} -variable "coder_gitauth_0_client_id" { - description = "Retrieving a RW token to save prs / commits etc in workspaces" - type = string - default = "" -} -variable "coder_gitauth_0_client_secret" { - description = "Retrieving a RW token to save prs / commits etc in workspaces" - type = string - default = "" -} -variable "coder_version" { - description = "Version of coder" - type = string - default = "v2.10.2" - # https://github.com/coder/coder/releases/tag/v2.10.2 -} -variable "authentik_version" { - description = "Version of authentik" - type = string - default = "2024.4.1" - # https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.3 +variable "compartment_ocid" { + type = string + sensitive = true +} +variable "tenancy_ocid" { + type = 
string + sensitive = true +} +variable "user_ocid" { + type = string + sensitive = true +} +variable "fingerprint" { + type = string + sensitive = true +} +variable "private_key_path" { + type = string + default = "~/.oci/oci_main_terraform.pem" + sensitive = true } diff --git a/versions.tf b/versions.tf new file mode 100644 index 0000000..a8618cd --- /dev/null +++ b/versions.tf @@ -0,0 +1,16 @@ +terraform { + required_providers { + oci = { + source = "oracle/oci" + version = "6.7.0" + } + } + required_version = ">= 1.2" +} + +provider "oci" { + tenancy_ocid = var.tenancy_ocid + user_ocid = var.user_ocid + private_key_path = var.private_key_path + fingerprint = var.fingerprint +} From 0c214e39567a8a25188c899d618ba22d80f79a5d Mon Sep 17 00:00:00 2001 From: Caleb Woodbine Date: Mon, 9 Sep 2024 10:45:31 +1200 Subject: [PATCH 3/7] chore: add kubeconfig output for oke cluster adds output to get kubeconfig --- outputs.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/outputs.tf b/outputs.tf index 8b13789..c14e9df 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1 +1,4 @@ - +output "cluster-sharingio-oke-kubeconfig" { + value = module.cluster-sharingio-oke.kubeconfig + sensitive = true +} From bd8ff14d3f00d4c4eb94167f1de312a904089e22 Mon Sep 17 00:00:00 2001 From: Caleb Woodbine Date: Mon, 9 Sep 2024 10:56:57 +1200 Subject: [PATCH 4/7] feat: update docs use latest info --- README.org | 56 ++++++++++++++++++------------------------------------ 1 file changed, 19 insertions(+), 37 deletions(-) diff --git a/README.org b/README.org index 69295b9..729abc5 100644 --- a/README.org +++ b/README.org @@ -4,13 +4,6 @@ a Flux + Terraform infrastructure repo #+end_quote -* Todo - -- [x] add Flux for cluster repo -- [x] get talosconfig -- [ ] access Kubernetes APIServer -- [ ] verify Ceph disk allocation - * Prerequisites Install OpenTofu 
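Review bot: None of the five new root variables declares a `description`, and no `region` variable is declared at all, while the root `provider "oci"` added in the same commit sets no `region` either, so the target region is taken only from ambient OCI configuration or environment variables and a `region = ...` entry in a tfvars file would only raise an undeclared-variable warning. Add `variable "region" { type = string }` with a description and set `region = var.region` on the provider, and give each OCID/credential variable a one-line description naming where the value is obtained. Marking `compartment_ocid` and `tenancy_ocid` as `sensitive` hides them from plan output but not from state; that is reasonable, but a short comment would keep the flag from being mistaken for secrecy.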
@@ -21,59 +14,48 @@ brew install opentofu #+RESULTS: +Create a .tfvars file + +#+begin_src hcl +tenancy_ocid = "TENANCY OCID : https://cloud.oracle.com/tenancy" +user_ocid = "YOUR USER OCID : https://cloud.oracle.com/identity/domains/my-profile" +private_key_path = "YOUR PRIVATE KEY PATH : https://cloud.oracle.com/identity/domains/my-profile/api-keys" +fingerprint = "THE FINGERPRINT FOR YOUR PRIVATE KEY : ^^" +region = "us-sanjose-1" +compartment_ocid = "YOUR COMPARTMENT OCID : https://cloud.oracle.com/identity/compartments # cloudnative.coop" +#+end_src + * Usage -You'll need .tfvar files, currently we create those via org files. +init -#+begin_src tmux :session ":tofu" -cd ~/infra -mkdir -p ./tmp/ -touch ./tmp/cluster-kubeconfig -tofu init -var-file=./config.tfvars -var-file=./secrets.tfvars -var github_token="$(gh auth token)" --upgrade +#+begin_src shell +tofu init --var-file=./.tfvars #+end_src + plan #+begin_src tmux :session ":tofu" -tofu plan -var-file=./config.tfvars -var-file=./secrets.tfvars -var github_token="$(gh auth token)" +tofu plan --var-file=./.tfvars #+end_src apply #+begin_src tmux :session ":tofu" -tofu apply -var-file=./config.tfvars -var-file=./secrets.tfvars -var github_token="$(gh auth token)" -#+end_src - -get talosconfig - -#+begin_src tmux :session ":talos" -mkdir -p ~/.talos -tofu output -raw talosconfig > ~/.talos/config +tofu apply --var-file=./.tfvars #+end_src get kubeconfig #+begin_src tmux mkdir -p ~/.kube -tofu output -raw kubeconfig > ~/.kube/config -#+end_src - -* Flux usage - -force a reconciliation - -#+begin_src tmux -CLUSTER_NAME=cloudnative-coop -flux --kubeconfig ~/.kube/config-"$CLUSTER_NAME" reconcile source git flux-system +tofu output -raw cluster-sharingio-oke-kubeconfig > ~/.kube/config #+end_src * Force tear down #+begin_src tmux :session ":tofu" tofu state list | grep -E 'talos|flux|manifests|kubernetes_manifest' | xargs -I{} tofu state rm {} -tofu destroy -var-file=./config.tfvars -var-file=./secrets.tfvars -var 
github_token="$(gh auth token)" +tofu destroy -var-file=./.tfvars #+end_src - -* Notes - -- Equinix Metal Cloud Provider 401 error regarding IP allocation and assigning From 51b96a9f6f680ecb79da7bdc114540637acd593a Mon Sep 17 00:00:00 2001 From: Caleb Woodbine Date: Mon, 9 Sep 2024 11:15:25 +1200 Subject: [PATCH 5/7] chore: use kubernetes tfstate backend use an endpoint which everyone can access --- versions.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/versions.tf b/versions.tf index a8618cd..50972ec 100644 --- a/versions.tf +++ b/versions.tf @@ -6,6 +6,11 @@ terraform { } } required_version = ">= 1.2" + backend "kubernetes" { + secret_suffix = "cluster-state" + namespace = "tfstate" + config_path = "~/.kube/config-fop" + } } provider "oci" { From 7444bf1eb2b0ef703d98d51b9c6b3a128dded7e8 Mon Sep 17 00:00:00 2001 From: Caleb Woodbine Date: Mon, 9 Sep 2024 11:45:28 +1200 Subject: [PATCH 6/7] chore: update docs add auth and tfstate info --- README.org | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/README.org b/README.org index 729abc5..9a85ac4 100644 --- a/README.org +++ b/README.org @@ -9,7 +9,7 @@ a Flux + Terraform infrastructure repo Install OpenTofu #+begin_src tmux :session ":tofu " -brew install opentofu +brew install opentofu oci-cli #+end_src #+RESULTS: @@ -25,6 +25,14 @@ region = "us-sanjose-1" compartment_ocid = "YOUR COMPARTMENT OCID : https://cloud.oracle.com/identity/compartments # cloudnative.coop" #+end_src +Log into ~oci-cli~, using the links provided in the hcl file above to get keys and other data. + +#+begin_src shell +oci setup bootstrap +#+end_src + +A kubeconfig must be at ~~/.kube/config-fop~ for using shared tfstate. + * Usage init From 30aafe476ccf1027762d2a21f5f8e7ba97cd5462 Mon Sep 17 00:00:00 2001 From: Caleb Woodbine Date: Mon, 9 Sep 2024 12:03:43 +1200 Subject: [PATCH 7/7] chore: update formatting change expression --- README.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
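Review bot: The `backend "kubernetes"` block stores the state, which includes the `sensitive` kubeconfig output of the OKE module and the tenancy/compartment OCIDs, as a Secret in namespace `tfstate` of whatever cluster `~/.kube/config-fop` points at; `sensitive = true` only affects CLI output, not state contents, so read access to that namespace is equivalent to admin access to the new cluster. Document this beside the block (`# state holds the OKE kubeconfig in plaintext; restrict Secret reads in 'tfstate' and use etcd encryption at rest`) and confirm RBAC on the namespace is limited to the operators who run `tofu apply`. The hard-coded `config_path = "~/.kube/config-fop"` also ties every operator to one filename; the backend honours `KUBE_CONFIG_PATH` from the environment, so the attribute could be dropped in favour of that, or at least the expectation documented in the README.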
diff --git a/README.org b/README.org index 9a85ac4..9b6b3a3 100644 --- a/README.org +++ b/README.org @@ -31,7 +31,7 @@ Log into ~oci-cli~, using the links provided in the hcl file above to get keys a oci setup bootstrap #+end_src -A kubeconfig must be at ~~/.kube/config-fop~ for using shared tfstate. +A kubeconfig must be at =~/.kube/config-fop= for using shared tfstate. * Usage