Provision cluster and bootstrap flux #6

f631183
Provision cluster with OpenTofu
rossf7 Nov 3, 2023
1327b86
feat: Remove ansible and add worker node
rossf7 Nov 12, 2023
03f35ff
Wip opentofu spike k3s (#3)
dipankardas011 Nov 28, 2023
12ec03a
added workflow check whether k3s service is up
dipankardas011 Nov 28, 2023
b200d83
Rename github action
rossf7 Nov 28, 2023
91a7b53
Added cilium script
dipankardas011 Dec 4, 2023
f1e5ff5
fix: added $$ as excape sequence for env vars
dipankardas011 Dec 9, 2023
f92ece7
Use var for cilium version
rossf7 Dec 12, 2023
773d51f
Add flux bootstrap step
rossf7 Dec 17, 2023
30a91d0
added flux based helm install of kepler
dipankardas011 Dec 14, 2023
75daea4
Remove tf lock file
rossf7 Jan 6, 2024
b593db3
Improve tofu logic and upgrade versions
rossf7 Jan 6, 2024
b0777de
Fix flux branch and use tofu var
rossf7 Jan 9, 2024
c3621ef
Delete extra flux init
nikimanoledaki Jan 12, 2024
021938b
added initial setup
dipankardas011 Jan 12, 2024
1e7f1b1
updated the kepler grafana dashboard
dipankardas011 Jan 12, 2024
9a9b1e8
refactoring and specifying namespace for kepler grafana dashboard
dipankardas011 Jan 12, 2024
3f60d02
trying to solve the signed commit problem
AntonioDiTuri Jan 16, 2024
593039b
Kepler docs edits
rossf7 Jan 15, 2024
1ba9248
Use kube-prometheus-stack chart
rossf7 Jan 16, 2024
68637ce
Switch branch for testing
rossf7 Jan 16, 2024
75ffcb4
Add dependsOn and create namespace settings
rossf7 Jan 16, 2024
1b1c1e0
Fix naming
rossf7 Jan 16, 2024
ebd5dd5
Revert wip branch
rossf7 Jan 16, 2024
0018306
Switch branch back
rossf7 Jan 16, 2024
0d95bb0
Revert branch watched by Flux to 'main'
nikimanoledaki Jan 17, 2024
e853f7f
Create falco namespace
nikimanoledaki Jan 17, 2024
b0456a5
Move kepler and prometheus to clusters/base
nikimanoledaki Jan 17, 2024
6456f56
Rename apps to projects
nikimanoledaki Jan 17, 2024
00d81d6
Add path filter to action
rossf7 Jan 19, 2024
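--- /dev/null
+++ b/.github/workflows/tofu.yaml
@@ -0,0 +1,45 @@
+name: OpenTofu
+
+on:
+  push:
+    branches:
+      - main
+
+defaults:
+  run:
+    working-directory: infrastructure/equinix-metal
+
+jobs:
+  tofu:
+    name: OpenTofu
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      TF_VAR_equinix_auth_token: ${{ secrets.EQUINIX_AUTH_TOKEN }}
+      TF_VAR_github_token: ${{ secrets.GITHUB_TOKEN }}
+      TF_VAR_k3s_agent_token: ${{ secrets.K3S_AGENT_TOKEN }}
+      TF_VAR_project_id: ${{ secrets.PROJECT_ID }}
+      TF_VAR_ssh_public_key: ${{ secrets.SSH_PUBLIC_KEY }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: opentofu/setup-opentofu@v1
+
+      - name: Add SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-agent -a $SSH_AUTH_SOCK > /dev/null
+          ssh-add ~/.ssh/id_rsa
+        env:
+          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+
+      - name: tofu init
+        run: tofu init -upgrade
+
+      - name: tofu plan
+        run: tofu plan
+
+      - name: tofu apply
+        run: tofu apply -auto-approve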
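Review bot: The job env sets `TF_VAR_github_token`, but the variables file in this PR declares the Flux token as `flux_github_token` with no default and main.tf reads `var.flux_github_token`, so in non-interactive CI the `tofu plan` and `tofu apply` steps should fail on a missing required variable; the entry should read `TF_VAR_flux_github_token: ${{ secrets.FLUX_GITHUB_TOKEN }}`. `secrets.GITHUB_TOKEN` is also the job-scoped workflow token, which expires when the job ends and, as far as I can tell, is not granted the repository administration permission `flux bootstrap github` needs to register a deploy key, so a dedicated PAT stored as its own secret is the safer choice. `tofu apply -auto-approve` runs on every push to `main` with nothing gating it on the preceding plan; consider running plan on pull requests and applying only after review, and add a top-level `permissions: contents: read` so the default token is not writable if a step is ever compromised. Writing the private key with `echo "${{ secrets.SSH_PRIVATE_KEY }}"` inlines the secret into the shell script; passing it through `env:` and `printf '%s' "$SSH_PRIVATE_KEY"` avoids expression injection and keeps the key out of the script text.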
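--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+infrastructure/equinix-metal/.terraform/
+infrastructure/equinix-metal/terraform.tfvars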
58 changes: 58 additions & 0 deletions infrastructure/equinix-metal/.terraform.lock.hcl
rossf7 marked this conversation as resolved.


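--- /dev/null
+++ b/infrastructure/equinix-metal/main.tf
@@ -0,0 +1,123 @@
+terraform {
+  required_providers {
+    equinix = {
+      source = "equinix/equinix"
+      version = "1.13.0"
+    }
+    null = {
+      source = "hashicorp/null"
+      version = "3.2.2"
+    }
+  }
+
+  backend "s3" {
+    bucket = "green-reviews-state-bucket"
+    key = "opentofu/terraform.tfstate"
+    region = "eu-central-1"
+    encrypt = true
+  }
+}
+
+provider "equinix" {
+  auth_token = var.equinix_auth_token
+}
+
+resource "equinix_metal_project_ssh_key" "ssh_key" {
+  name = var.cluster_name
+  project_id = var.project_id
+  public_key = var.ssh_public_key
+}
+
+resource "equinix_metal_device" "control_plane" {
+  hostname = "${var.cluster_name}-control-plane"
+  plan = var.device_plan
+  metro = var.device_metro
+  operating_system = var.device_os
+  billing_cycle = var.billing_cycle
+  project_id = var.project_id
+  depends_on = [equinix_metal_project_ssh_key.ssh_key]
+  project_ssh_key_ids = [equinix_metal_project_ssh_key.ssh_key.id]
+
+  connection {
+    user = "root"
+    private_key = file(var.ssh_private_key_path)
+    host = self.access_public_ipv4
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=${var.k3s_version} K3S_TOKEN=${var.k3s_agent_token} sh -s - server --node-taint CriticalAddonsOnly=true:NoExecute --flannel-backend=none --disable-network-policy",
+      "systemctl is-active --quiet k3s.service",
+    ]
+  }
+}
+
+// NOTE: to extract KUBECONFIG we need to copy kubeconfig in controlplane:/etc/rancher/k3s/k3s.yaml
+
+resource "equinix_metal_device" "worker" {
+  for_each = toset(var.worker_nodes)
+  hostname = "${var.cluster_name}-${each.value}"
+  plan = var.device_plan
+  metro = var.device_metro
+  operating_system = var.device_os
+  billing_cycle = var.billing_cycle
+  project_id = var.project_id
+  project_ssh_key_ids = [equinix_metal_project_ssh_key.ssh_key.id]
+  depends_on = [equinix_metal_device.control_plane]
+  user_data = <<EOF
+#!/bin/bash
+curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL="${var.k3s_version}" sh -s - agent --token "${var.k3s_agent_token}" --server "https://${equinix_metal_device.control_plane.access_private_ipv4}:6443"
+EOF
+
+  behavior {
+    allow_changes = [
+      "user_data"
+    ]
+  }
+}
+
+resource "null_resource" "install_cilium_cni" {
+  depends_on = [equinix_metal_device.control_plane]
+
+  connection {
+    user = "root"
+    private_key = file(var.ssh_private_key_path)
+    host = equinix_metal_device.control_plane.access_public_ipv4
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "echo '@@@@@@ Installing Cilium @@@@@@'",
+      "CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)",
+      "CLI_ARCH=amd64",
+      "curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/$${CILIUM_CLI_VERSION}/cilium-linux-$${CLI_ARCH}.tar.gz{,.sha256sum}",
+      "sha256sum --check cilium-linux-$${CLI_ARCH}.tar.gz.sha256sum",
+      "sudo tar xzvfC cilium-linux-$${CLI_ARCH}.tar.gz /usr/local/bin",
+      "rm cilium-linux-$${CLI_ARCH}.tar.gz{,.sha256sum}",
+      "echo '@@@@@@ Installed Cilium @@@@@@'",
+      "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml",
+      "echo '@@@@@@ Adding Cilium CNI to cluster @@@@@@'",
+      "cilium install --version ${var.cilium_version}",
+      "cilium status --wait"
+    ]
+  }
+}
+
+resource "null_resource" "bootstrap_flux" {
+  depends_on = [null_resource.install_cilium_cni]
+
+  connection {
+    user = "root"
+    private_key = file(var.ssh_private_key_path)
+    host = equinix_metal_device.control_plane.access_public_ipv4
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "curl -s https://fluxcd.io/install.sh | sudo FLUX_VERSION=${var.flux_version} bash",
+      "export GITHUB_TOKEN=${var.flux_github_token}",
+      "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml",
+      "flux bootstrap github --owner=${var.flux_github_user} --repository=green-reviews-tooling --path=clusters"
+    ]
+  }
+}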
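Review bot: `CILIUM_CLI_VERSION` in `install_cilium_cni` is resolved at provisioning time from `stable.txt` on the cilium-cli `main` branch, so the CLI that lands in `/usr/local/bin` is whatever upstream points at the day the provisioner runs, and the `.sha256sum` fetched from the same release only proves the download was not corrupted, not that it is the version anyone reviewed; pin it the way `cilium_version` already is, e.g. `"CILIUM_CLI_VERSION=${var.cilium_cli_version}"` backed by a new variable with a default. The k3s and Flux installers (`curl -sfL https://get.k3s.io | ... sh -s -` and `curl -s https://fluxcd.io/install.sh | sudo ... bash`) are likewise piped straight into a root shell with nothing verified; at minimum fetch a tagged release and check a checksum before executing. The cluster token is interpolated in clear text into the worker `user_data` and into the remote-exec scripts OpenTofu copies to the control plane, and `flux_github_token` goes into the bootstrap script the same way, so both are readable on the hosts (on Equinix Metal user_data is presumably also retrievable from the metadata service); if that is acceptable for this cluster, say so with a comment such as `// NOTE: k3s_agent_token and flux_github_token are written to device user_data / remote-exec scripts; rotate them if a node is compromised`. The control-plane API is addressed via `access_public_ipv4` and nothing in this file restricts port 6443, so it appears reachable from the internet — confirm that is intended or front it with a firewall rule.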
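--- /dev/null
+++ b/infrastructure/equinix-metal/variables.tf
@@ -0,0 +1,96 @@
+variable "billing_cycle" {
+  description = "Billing cycle for the Equinix Metal device"
+  type = string
+  default = "hourly"
+}
+
+variable "cilium_version" {
+  description = "cilium version for the cluster"
+  type = string
+  default = "1.14.4"
+}
+
+variable "cluster_name" {
+  description = "Name of the cluster"
+  type = string
+  default = "green-reviews"
+}
+
+variable "device_metro" {
+  description = "Metro location for the Equinix Metal device"
+  type = string
+  default = "pa"
+}
+
+variable "device_os" {
+  description = "Operating system for the Equinix Metal device"
+  type = string
+  default = "ubuntu_22_04"
+}
+
+variable "device_plan" {
+  description = "Plan type for the Equinix Metal device"
+  type = string
+  default = "m3.small.x86"
+}
+
+variable "flux_github_token" {
+  description = "GitHub token for Flux"
+  type = string
+  sensitive = true
+}
+
+variable "flux_github_user" {
+  description = "GitHub user for Flux"
+  type = string
+  default = "cncf-tags"
+}
+
+variable "flux_version" {
+  description = "Flux cli version"
+  type = string
+  default = "2.1.2"
+}
+
+variable "k3s_version" {
+  description = "k3s version for the cluster"
+  type = string
+  default = "v1.28.3+k3s2"
+}
+
+variable "k3s_agent_token" {
+  description = "agent token for joining workernodes with the controlplane"
+  type = string
+  sensitive = true
+}
+
+variable "equinix_auth_token" {
+  description = "Authentication token for Equinix Metal"
+  type = string
+  sensitive = true
+}
+
+variable "project_id" {
+  description = "Project ID for the Equinix Metal resources"
+  type = string
+  sensitive = true
+}
+
+variable "ssh_public_key" {
+  description = "SSH public key for the Equinix Metal device"
+  type = string
+  sensitive = true
+}
+
+
+variable "ssh_private_key_path" {
+  description = "SSH private key path for the Equinix Metal device"
+  type = string
+  default = "~/.ssh/id_rsa"
+}
+
+variable "worker_nodes" {
+  description = "List of worker node names"
+  type = list(string)
+  default = ["worker1"]
+}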
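Review bot: The description of `k3s_agent_token` understates what the value is: main.tf passes it as `K3S_TOKEN` to the k3s server on the control plane and as `--token` to every agent, so it is the cluster join secret rather than an agent-only token; change it to `description = "k3s cluster token (K3S_TOKEN) shared by the server and all agents; anyone holding it can join nodes to the cluster"`. `ssh_public_key` is marked `sensitive = true` while `ssh_private_key_path`, the value that actually names a private key, is not, which reads as inverted — the public key can be plain, and `ssh_private_key_path` deserves a comment such as `# Read with file() by the connection blocks in main.tf; must exist on the machine running tofu` so it is clear the key is consumed locally by the provisioners. The name `flux_github_token` also does not match the `TF_VAR_github_token` env entry in the workflow, so one of the two should be renamed. Consider `validation` blocks on the token variables so an empty string fails at plan time instead of during remote-exec.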