diff --git a/bootstrap/scripts/validation.py b/bootstrap/scripts/validation.py index ef3e0bb6c17..98cf22b26fe 100644 --- a/bootstrap/scripts/validation.py +++ b/bootstrap/scripts/validation.py @@ -1,34 +1,38 @@ from functools import wraps from shutil import which -from typing import Callable +from typing import Callable, cast from zoneinfo import available_timezones import netaddr import sys DISTRIBUTIONS = ["k3s", "talos"] -GLOBAL_CLI_TOOLS = ["age", "cloudflared", "flux", "helmfile", "sops", "jq", "kubeconform", "kustomize"] +GLOBAL_CLI_TOOLS = ["age", "flux", "helmfile", "sops", "jq", "kubeconform", "kustomize"] TALOS_CLI_TOOLS = ["talosctl", "talhelper"] +CLOUDFLARE_TOOLS = ["cloudflared"] + def required(*keys: str): def wrapper_outter(func: Callable): @wraps(func) - def wrapper(data: dict, *args, **kwargs) -> None: + def wrapper(data: dict, *_, **kwargs) -> None: for key in keys: if data.get(key) is None: raise ValueError(f"Missing required key {key}") return func(*[data[key] for key in keys], **kwargs) + return wrapper + return wrapper_outter def validate_python_version() -> None: required_version = (3, 11, 0) if sys.version_info < required_version: - raise ValueError(f"Python version is below 3.11. Please upgrade.") + raise ValueError(f"Python {sys.version_info} is below 3.11. Please upgrade.") -@required("bootstrap_distribution") -def validate_cli_tools(distribution: dict, **_) -> None: +@required("bootstrap_distribution", "bootstrap_cloudflare") +def validate_cli_tools(distribution: str, cloudflare: dict, **_) -> None: if distribution not in DISTRIBUTIONS: raise ValueError(f"Invalid distribution {distribution}") for tool in GLOBAL_CLI_TOOLS: @@ -37,10 +41,18 @@ def validate_cli_tools(distribution: dict, **_) -> None: for tool in TALOS_CLI_TOOLS if distribution in ["talos"] else []: if not which(tool): raise ValueError(f"Missing required CLI tool {tool}") + for tool in ( + CLOUDFLARE_TOOLS + if cloudflare.get("enabled", False) + and cast(dict, cloudflare.get("tunnel", {})).get("token", "") == "" + else [] + ): + if not which(tool): + raise ValueError(f"Missing required CLI tool {tool}") @required("bootstrap_distribution") -def validate_distribution(distribution: dict, **_) -> None: +def validate_distribution(distribution: str, **_) -> None: if distribution not in DISTRIBUTIONS: raise ValueError(f"Invalid distribution {distribution}") diff --git a/bootstrap/templates/kubernetes/apps/network/cloudflared/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/cloudflared/app/helmrelease.yaml.j2 index 785fc81855a..b30636e8a1e 100644 --- a/bootstrap/templates/kubernetes/apps/network/cloudflared/app/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/cloudflared/app/helmrelease.yaml.j2 @@ -44,6 +44,11 @@ spec: secretKeyRef: name: cloudflared-secret key: TUNNEL_ID + TUNNEL_TOKEN: + valueFrom: + secretKeyRef: + name: cloudflared-secret + key: TUNNEL_TOKEN args: - tunnel - --config diff --git a/bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2 index 67d169ed7c3..cf97b857b36 100644 --- a/bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2 @@ -5,6 +5,7 @@ metadata: name: cloudflared-secret stringData: TUNNEL_ID: "#{ bootstrap_cloudflare.tunnel.id }#" + TUNNEL_TOKEN: "#{ bootstrap_cloudflare.tunnel.token }#" credentials.json: | { "AccountTag": "#{ bootstrap_cloudflare.tunnel.account_id }#", diff --git a/config.sample.yaml b/config.sample.yaml index ef071daed60..516f701804d 100644 --- a/config.sample.yaml +++ b/config.sample.yaml @@ -184,18 +184,23 @@ bootstrap_cloudflare: # in your nodes host network that is NOT being used. This is announced over L2. gateway_vip: "" # (Required) Options for Cloudflare Tunnel - # 1. Authenticate cloudflared to your domain - # > cloudflared tunnel login - # 2. Create the tunnel - # > cloudflared tunnel create k8s - # 3. Copy the AccountTag, TunnelID, and TunnelSecret from the tunnel configuration file and paste them below + # For a locally-managed (aka CLI) tunnel: + # 1. Authenticate cloudflared to your domain + # > cloudflared tunnel login + # 2. Create the tunnel + # > cloudflared tunnel create k8s + # 3. Copy the AccountTag, TunnelID, and TunnelSecret from the tunnel configuration file and paste them below + # For a remotely-managed (aka dashboard) tunnel: https://one.dash.cloudflare.com/ tunnel: - # (Required) Cloudflare Account ID (cat ~/.cloudflared/*.json | jq -r .AccountTag) - account_id: "" - # (Required) Cloudflared Tunnel ID (cat ~/.cloudflared/*.json | jq -r .TunnelID) + # (Required) Cloudflared Tunnel ID + # If using CLI tunnel: (cat ~/.cloudflared/*.json | jq -r .TunnelID) id: "" - # (Required) Cloudflared Tunnel Secret (cat ~/.cloudflared/*.json | jq -r .TunnelSecret) + # (Required: CLI) Cloudflare Account ID (cat ~/.cloudflared/*.json | jq -r .AccountTag) + account_id: "" + # (Required: CLI) Cloudflared Tunnel Secret (cat ~/.cloudflared/*.json | jq -r .TunnelSecret) secret: "" + # (Required: dashboard) Cloudflared Tunnel Token + token: "" # (Required) Provide WAN access to the cluster ingresses for external ingress classes # The Load balancer IP for external ingress, choose an available IP # in your nodes host network that is NOT being used. This is announced over L2.