richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7379 Commits
33 Branches
82 Tags
152 MiB
Tree: 6b1188e3dc
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6b1188e3dc'
${ noResults }
kubespray/contrib/terraform/exoscale/README.md

152 lines
5.5 KiB
Raw Normal View History

Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform
4 years ago
add pre-commit hook to facilitate local testing (#9158) * add pre-commit hook configuration * add tmp.md to .gitignore * describe the use of pre-commit hook in CONTRIBUTING.md * fix docs/integration.md errors identified by markdownlint * fix docs/<file>.md errors identified by markdownlint * docs/azure-csi.md * docs/azure.md * docs/bootstrap-os.md * docs/calico.md * docs/debian.md * docs/fcos.md * docs/vagrant.md * docs/gcp-lb.md * docs/kubernetes-apps/registry.md * docs/setting-up-your-first-cluster.md * docs/vagrant.md * docs/vars.md * fix contrib/<file>.md errors identified by markdownlint
2 years ago
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform
4 years ago
contrib/terraform/exoscale: Rework SSH public keys (#7242) * contrib/terraform/exoscale: Rework SSH public keys Exoscale has a few limitations with `exoscale_ssh_keypair` resources. Creating several clusters with these scripts may lead to an error like: ``` Error: API error ParamError 431 (InvalidParameterValueException 4350): The key pair "lj-sc-ssh-key" already has this fingerprint ``` This patch reworks handling of SSH public keys. Specifically, we rely on the more cloud-agnostic way of configuring SSH public keys via `cloud-init`. * contrib/terraform/exoscale: terraform fmt * contrib/terraform/exoscale: Add terraform validate * contrib/terraform/exoscale: Inline public SSH keys The Terraform scripts need to install some SSH key, so that Kubespray (i.e., the "Ansible part") can take over. Initially, we pointed the Terraform scripts to `~/.ssh/id_rsa.pub`. This proved to be suboptimal: Operators sharing responbility for a cluster risk unnecessarily replacing resources. Therefore, it has been determined that it's best to inline the public SSH keys. The chosen variable `ssh_public_keys` provides some uniformity with `contrib/azurerm`. * Fix Terraform Exoscale test * Fix Terraform 0.14 test
4 years ago
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform
4 years ago
contrib/terraform/exoscale: Rework SSH public keys (#7242) * contrib/terraform/exoscale: Rework SSH public keys Exoscale has a few limitations with `exoscale_ssh_keypair` resources. Creating several clusters with these scripts may lead to an error like: ``` Error: API error ParamError 431 (InvalidParameterValueException 4350): The key pair "lj-sc-ssh-key" already has this fingerprint ``` This patch reworks handling of SSH public keys. Specifically, we rely on the more cloud-agnostic way of configuring SSH public keys via `cloud-init`. * contrib/terraform/exoscale: terraform fmt * contrib/terraform/exoscale: Add terraform validate * contrib/terraform/exoscale: Inline public SSH keys The Terraform scripts need to install some SSH key, so that Kubespray (i.e., the "Ansible part") can take over. Initially, we pointed the Terraform scripts to `~/.ssh/id_rsa.pub`. This proved to be suboptimal: Operators sharing responbility for a cluster risk unnecessarily replacing resources. Therefore, it has been determined that it's best to inline the public SSH keys. The chosen variable `ssh_public_keys` provides some uniformity with `contrib/azurerm`. * Fix Terraform Exoscale test * Fix Terraform 0.14 test
4 years ago
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform
4 years ago
  1. # Kubernetes on Exoscale with Terraform
  3. Provision a Kubernetes cluster on [Exoscale](https://www.exoscale.com/) using Terraform and Kubespray
  5. ## Overview
  7. The setup looks like following
  9. ```text
  10. Kubernetes cluster
  11. +-----------------------+
  12. +---------------+ | +--------------+ |
  13. | | | | +--------------+ |
  14. | API server LB +---------> | | | |
  15. | | | | | Master/etcd | |
  16. +---------------+ | | | node(s) | |
  17. | +-+ | |
  18. | +--------------+ |
  19. | ^ |
  20. | | |
  21. | v |
  22. +---------------+ | +--------------+ |
  23. | | | | +--------------+ |
  24. | Ingress LB +---------> | | | |
  25. | | | | | Worker | |
  26. +---------------+ | | | node(s) | |
  27. | +-+ | |
  28. | +--------------+ |
  29. +-----------------------+
  30. ```
  32. ## Requirements
  34. * Terraform 0.13.0 or newer (0.12 also works if you modify the provider block to include version and remove all `versions.tf` files)
  36. ## Quickstart
  38. NOTE: *Assumes you are at the root of the kubespray repo*
  40. Copy the sample inventory for your cluster and copy the default terraform variables.
  42. ```bash
  43. CLUSTER=my-exoscale-cluster
  44. cp -r inventory/sample inventory/$CLUSTER
  45. cp contrib/terraform/exoscale/default.tfvars inventory/$CLUSTER/
  46. cd inventory/$CLUSTER
  47. ```
  49. Edit `default.tfvars` to match your setup. You MUST, at the very least, change `ssh_public_keys`.
  51. ```bash
  52. # Ensure $EDITOR points to your favorite editor, e.g., vim, emacs, VS Code, etc.
  53. $EDITOR default.tfvars
  54. ```
  56. For authentication you can use the credentials file `~/.cloudstack.ini` or `./cloudstack.ini`.
  57. The file should look like something like this:
  59. ```ini
  60. [cloudstack]
  61. key = <API key>
  62. secret = <API secret>
  63. ```
  65. Follow the [Exoscale IAM Quick-start](https://community.exoscale.com/documentation/iam/quick-start/) to learn how to generate API keys.
  67. ### Encrypted credentials
  69. To have the credentials encrypted at rest, you can use [sops](https://github.com/mozilla/sops) and only decrypt the credentials at runtime.
  71. ```bash
  72. cat << EOF > cloudstack.ini
  73. [cloudstack]
  74. key =
  75. secret =
  76. EOF
  77. sops --encrypt --in-place --pgp <PGP key fingerprint> cloudstack.ini
  78. sops cloudstack.ini
  79. ```
  81. Run terraform to create the infrastructure
  83. ```bash
  84. terraform init ../../contrib/terraform/exoscale
  85. terraform apply -var-file default.tfvars ../../contrib/terraform/exoscale
  86. ```
  88. If your cloudstack credentials file is encrypted using sops, run the following:
  90. ```bash
  91. terraform init ../../contrib/terraform/exoscale
  92. sops exec-file -no-fifo cloudstack.ini 'CLOUDSTACK_CONFIG={} terraform apply -var-file default.tfvars ../../contrib/terraform/exoscale'
  93. ```
  95. You should now have a inventory file named `inventory.ini` that you can use with kubespray.
  96. You can now copy your inventory file and use it with kubespray to set up a cluster.
  97. You can type `terraform output` to find out the IP addresses of the nodes, as well as control-plane and data-plane load-balancer.
  99. It is a good idea to check that you have basic SSH connectivity to the nodes. You can do that by:
  101. ```bash
  102. ansible -i inventory.ini -m ping all
  103. ```
  105. Example to use this with the default sample inventory:
  107. ```bash
  108. ansible-playbook -i inventory.ini ../../cluster.yml -b -v
  109. ```
  111. ## Teardown
  113. The Kubernetes cluster cannot create any load-balancers or disks, hence, teardown is as simple as Terraform destroy:
  115. ```bash
  116. terraform destroy -var-file default.tfvars ../../contrib/terraform/exoscale
  117. ```
  119. ## Variables
  121. ### Required
  123. * `ssh_public_keys`: List of public SSH keys to install on all machines
  124. * `zone`: The zone where to run the cluster
  125. * `machines`: Machines to provision. Key of this object will be used as the name of the machine
  126. * `node_type`: The role of this node *(master|worker)*
  127. * `size`: The size to use
  128. * `boot_disk`: The boot disk to use
  129. * `image_name`: Name of the image
  130. * `root_partition_size`: Size *(in GB)* for the root partition
  131. * `ceph_partition_size`: Size *(in GB)* for the partition for rook to use as ceph storage. *(Set to 0 to disable)*
  132. * `node_local_partition_size`: Size *(in GB)* for the partition for node-local-storage. *(Set to 0 to disable)*
  133. * `ssh_whitelist`: List of IP ranges (CIDR) that will be allowed to ssh to the nodes
  134. * `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
  135. * `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
  137. ### Optional
  139. * `prefix`: Prefix to use for all resources, required to be unique for all clusters in the same project *(Defaults to `default`)*
  141. An example variables file can be found `default.tfvars`
  143. ## Known limitations
  145. ### Only single disk
  147. Since Exoscale doesn't support additional disks to be mounted onto an instance, this script has the ability to create partitions for [Rook](https://rook.io/) and [node-local-storage](https://kubernetes.io/docs/concepts/storage/volumes/#local).
  149. ### No Kubernetes API
  151. The current solution doesn't use the [Exoscale Kubernetes cloud controller](https://github.com/exoscale/exoscale-cloud-controller-manager).
  152. This means that we need to set up a HTTP(S) loadbalancer in front of all workers and set the Ingress controller to DaemonSet mode.