homelab/terraform-rancher-clusters
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added first implementation

Browse Source
This commit is contained in:
Matthias Hinrichs
2025-07-17 01:11:17 +02:00
commit 817adf98c3
9 changed files with 385 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitignore
+40
View File
@@ -0,0 +1,40 @@
# Terraform Dateien
*.tfstate
*.tfstate.*
**/.terraform/*
*.tfvars
.terraform.lock.hcl
# Ausnahme für Beispiel-Variablendateien im cluster-configs Verzeichnis
!cluster-configs/*.tfvars
# Kubeconfig Dateien
*kubeconfig*
# Crash Log Dateien
crash.log
crash.*.log
# Lokale Override-Dateien
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# CLI Konfigurationsdateien
.terraformrc
terraform.rc
# Secrets und Keys
*.pem
*.key
.env
*.env
secrets.yaml
*secret*
# Systemdateien
.DS_Store
.directory
*-kubeconfig
README.md
+162
View File
@@ -0,0 +1,162 @@
# Kubernetes Cluster Management mit Terraform
Dieses Modul erstellt und verwaltet Kubernetes Cluster auf Harvester mit den folgenden Features:
- Cilium CNI (von Rancher)
- Aktiviertes KubeProxyReplacement
- Gateway API Support
## Voraussetzungen
Folgende Tools werden benötigt:
- Terraform v1.5.0 oder höher
- [Infisical CLI](https://infisical.com/docs/cli/overview) (für Secrets Management)
- Rancher CLI (für Kubeconfig-Erstellung)
- kubectl (optional)
Vor der ersten Verwendung muss eine kubeconfig-Datei erstellt werden:
```bash
./scripts/create_kubeconfig.sh <cluster-name> <umgebung>
```
## Cluster Management mit Workspaces
Das Modul verwendet Terraform Workspaces für die Verwaltung verschiedener Cluster-Umgebungen. Jeder Workspace hat seinen eigenen State und spezifische Konfigurationen.
### 1. Workspace Verwaltung
Verfügbare Workspace-Befehle:
```bash
# Workspace erstellen
terraform workspace new [dev|test|prod]
# Workspace auswählen
terraform workspace select [dev|test|prod]
# Alle Workspaces anzeigen
terraform workspace list
# Aktuellen Workspace anzeigen
terraform workspace show
```
### 2. Cluster Deployment
Cluster erstellen oder aktualisieren:
```bash
# Workspace auswählen
terraform workspace select [dev|test|prod]
# Konfiguration prüfen
terraform plan -var-file="cluster-configs/${terraform.workspace}.tfvars"
# Cluster erstellen/aktualisieren
terraform apply -var-file="cluster-configs/${terraform.workspace}.tfvars"
```
### 3. Cluster Entfernen
Zum Löschen eines Clusters:
```bash
# Workspace auswählen
terraform workspace select [dev|test|prod]
# Cluster löschen
terraform destroy -var-file="cluster-configs/${terraform.workspace}.tfvars"
```
### 4. State Management
Jeder Workspace verwaltet seinen eigenen State in einem separaten Verzeichnis:
```
terraform.tfstate.d/
├── dev/
│ └── terraform.tfstate
├── test/
│ └── terraform.tfstate
└── prod/
└── terraform.tfstate
```
## Cluster Konfigurationen
Die Cluster werden je nach Workspace unterschiedlich konfiguriert:
| Workspace | Beschreibung | Nodes |
|-----------|----------------------|--------------------------------------------------------------|
| dev | Entwicklungsumgebung | 1 All-in-One Node (4 CPU, 16GB RAM) |
| test | Testumgebung | 1 Control-Plane (2 CPU, 4GB RAM) + 1 Worker (4 CPU, 8GB RAM) |
| prod | Produktionsumgebung | 3 Control-Plane (2 CPU, 4GB RAM) + 2 Worker (4 CPU, 8GB RAM) |
## Nach dem Deployment
Nach erfolgreicher Cluster-Erstellung:
1. Kubeconfig generieren:
```bash
./scripts/create_kubeconfig.sh ${terraform.workspace}
```
Die Kubeconfig wird als `hnrx-${terraform.workspace}-kubeconfig` gespeichert.
2. Gateway API CRDs installieren:
```bash
# Kubeconfig verwenden
export KUBECONFIG=hnrx-${terraform.workspace}-kubeconfig
# Gateway API CRDs installieren
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml
```
---
# Terraform Module Description
<!-- BEGIN_TF_DOCS -->
## Requirements
| Name | Version |
|---------------------------------------------------------------------------|----------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_infisical"></a> [infisical](#requirement\_infisical) | 0.15.21 |
| <a name="requirement_rancher2"></a> [rancher2](#requirement\_rancher2) | 7.3.2 |
## Providers
No providers.
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_rancher_cluster"></a> [rancher\_cluster](#module\_rancher\_cluster) | git::https://git.hnrx.net/terraform-modules/rancher-cluster.git | main |
## Resources
No resources.
## Inputs
| Name | Description | Type | Default | Required |
|----------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|----------|-------------------------------|:--------:|
| <a name="input_cluster_kubernetes_version"></a> [cluster\_kubernetes\_version](#input\_cluster\_kubernetes\_version) | Kubernetes Version für die Cluster | `string` | `"v1.32.5+rke2r1"` | no |
| <a name="input_cluster_vm_image"></a> [cluster\_vm\_image](#input\_cluster\_vm\_image) | Image für die VMs | `string` | `"default/image-62xch"` | no |
| <a name="input_cluster_vm_network"></a> [cluster\_vm\_network](#input\_cluster\_vm\_network) | Netzwerk für die VMs | `string` | `"default/vmnetwork"` | no |
| <a name="input_harvester_cluster_name"></a> [harvester\_cluster\_name](#input\_harvester\_cluster\_name) | Name des Harvester Clusters | `string` | `"c-g8zlv"` | no |
| <a name="input_infisical_api_url"></a> [infisical\_api\_url](#input\_infisical\_api\_url) | Infisical API URL | `string` | `"https://app.infisical.com"` | no |
| <a name="input_infisical_client_id"></a> [infisical\_client\_id](#input\_infisical\_client\_id) | Infisical Client ID für die Authentifizierung | `string` | n/a | yes |
| <a name="input_infisical_client_secret"></a> [infisical\_client\_secret](#input\_infisical\_client\_secret) | Infisical Client Secret für die Authentifizierung | `string` | n/a | yes |
| <a name="input_infisical_environment"></a> [infisical\_environment](#input\_infisical\_environment) | Infisical Umgebung (z.B. dev, test, prod) | `string` | `"dev"` | no |
| <a name="input_infisical_project_id"></a> [infisical\_project\_id](#input\_infisical\_project\_id) | Infisical Projekt ID | `string` | n/a | yes |
| <a name="input_rancher2_api_url"></a> [rancher2\_api\_url](#input\_rancher2\_api\_url) | Rancher API URL | `string` | n/a | yes |
| <a name="input_rancher2_insecure"></a> [rancher2\_insecure](#input\_rancher2\_insecure) | SSL-Verifizierung für Rancher API überspringen | `bool` | `false` | no |
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_cluster"></a> [cluster](#output\_cluster) | Details des Clusters |
<!-- END_TF_DOCS -->
cluster-configs/dev.tfvars
+7
View File
@@ -0,0 +1,7 @@
# Dev Cluster Konfiguration
cluster_name = "hnrx"
cluster_environment = "dev"
cluster_kubernetes_version = "v1.32.5+rke2r1"
cluster_vm_network = "default/vmnetwork"
cluster_vm_image = "default/image-62xch"
harvester_cluster_name = "c-g8zlv"
cluster-configs/prod.tfvars
+8
View File
@@ -0,0 +1,8 @@
# Prod Cluster Konfiguration
cluster_name = "hnrx"
cluster_environment = "prod"
cluster_kubernetes_version = "v1.32.5+rke2r1"
cluster_vm_namespace = "hnrx-prod-cluster"
cluster_vm_network = "default/vmnetwork"
cluster_vm_image = "default/image-62xch"
harvester_cluster_name = "c-g8zlv"
cluster-configs/test.tfvars
+7
View File
@@ -0,0 +1,7 @@
# Test Cluster Konfiguration
cluster_name = "hnrx"
cluster_environment = "test"
cluster_kubernetes_version = "v1.32.5+rke2r1"
cluster_vm_network = "default/vmnetwork"
cluster_vm_image = "default/image-62xch"
harvester_cluster_name = "c-g8zlv"
main.tf
+64
View File
@@ -0,0 +1,64 @@
# Gemeinsame Variablen
variable "cluster_kubernetes_version" {
description = "Kubernetes Version für die Cluster"
type = string
default = "v1.32.5+rke2r1"
}
variable "harvester_cluster_name" {
description = "Name des Harvester Clusters"
type = string
default = "c-g8zlv"
}
variable "cluster_vm_network" {
description = "Netzwerk für die VMs"
type = string
default = "default/vmnetwork"
}
variable "cluster_vm_image" {
description = "Image für die VMs"
type = string
default = "default/image-62xch"
}
variable "cluster_name" {
description = "Name des zu erstellenden Clusters"
type = string
default = "hnrx"
}
variable "cluster_environment" {
description = "Umgebung des zu erstellenden Clusters"
type = string
default = "hnrx"
}
# Rancher Cluster Modul
module "rancher_cluster" {
source = "git::https://git.hnrx.net/terraform-modules/rancher-cluster.git?ref=main"
# Cluster Konfiguration aus Workspace
cluster_name = var.cluster_name
cluster_environment = terraform.workspace
cluster_kubernetes_version = var.cluster_kubernetes_version
# Harvester Konfiguration
harvester_cluster_name = var.harvester_cluster_name
cluster_vm_namespace = "hnrx-${var.cluster_environment}-cluster"
cluster_vm_network = var.cluster_vm_network
cluster_vm_image = var.cluster_vm_image
}
# Outputs
output "cluster" {
description = "Details des Clusters"
value = {
id = module.rancher_cluster.cluster_id
name = module.rancher_cluster.cluster_name
kube_config = module.rancher_cluster.kube_config
}
sensitive = true
}
providers.tf
+50
View File
@@ -0,0 +1,50 @@
terraform {
required_providers {
infisical = {
source = "infisical/infisical"
version = "0.15.21"
}
rancher2 = {
source = "rancher/rancher2"
version = "7.3.2"
}
}
}
# Infisical Provider & Secrets
provider "infisical" {
host = var.infisical_api_url
auth = {
universal = {
client_id = var.infisical_client_id
client_secret = var.infisical_client_secret
}
}
}
ephemeral "infisical_secret" "rancher2_access_key" {
name = "RANCHER2_ACCESS_KEY"
env_slug = var.infisical_environment
workspace_id = var.infisical_project_id
folder_path = "/"
}
ephemeral "infisical_secret" "rancher2_secret_key" {
name = "RANCHER2_SECRET_KEY"
env_slug = var.infisical_environment
workspace_id = var.infisical_project_id
folder_path = "/"
}
# Rancher Provider
provider "rancher2" {
api_url = var.rancher2_api_url
access_key = ephemeral.infisical_secret.rancher2_access_key.value
secret_key = ephemeral.infisical_secret.rancher2_secret_key.value
insecure = var.rancher2_insecure
}
variables.tf
+40
View File
@@ -0,0 +1,40 @@
# Infisical Konfiguration
variable "infisical_api_url" {
description = "Infisical API URL"
type = string
default = "https://app.infisical.com"
}
variable "infisical_client_id" {
description = "Infisical Client ID für die Authentifizierung"
type = string
}
variable "infisical_client_secret" {
description = "Infisical Client Secret für die Authentifizierung"
type = string
sensitive = true
}
variable "infisical_project_id" {
description = "Infisical Projekt ID"
type = string
}
variable "infisical_environment" {
description = "Infisical Umgebung (z.B. dev, test, prod)"
type = string
default = "dev"
}
# Rancher Provider Konfiguration
variable "rancher2_api_url" {
description = "Rancher API URL"
type = string
}
variable "rancher2_insecure" {
description = "SSL-Verifizierung für Rancher API überspringen"
type = bool
default = false
}
versions.tf
+7
View File
@@ -0,0 +1,7 @@
terraform {
required_version = ">= 1.0.0"
backend "local" {
workspace_dir = "terraform.tfstate.d"
}
}