Kubernetes on UpCloud with Terraform
Provision a Kubernetes cluster on UpCloud using Terraform and Kubespray
Overview
The setup looks like the following:
```text
   Kubernetes cluster
+----------------------------+
|      +--------------+      |
|      | +--------------+    |
| -->  | |              |    |
|      | | Master/etcd  |    |
|      | | node(s)      |    |
|      +-+              |    |
|        +--------------+    |
|               ^            |
|               |            |
|               v            |
|      +--------------+      |
|      | +--------------+    |
| -->  | |              |    |
|      | | Worker       |    |
|      | | node(s)      |    |
|      +-+              |    |
|        +--------------+    |
+----------------------------+
```
The nodes use a private network for node-to-node communication and a public interface for all external communication.
Requirements
- Terraform 0.13.0 or newer
Quickstart
NOTE: Assumes you are at the root of the kubespray repo.
For authentication against the UpCloud API you can use environment variables; Terraform reads any `TF_VAR_<name>` variable as the Terraform input variable `<name>`:

```bash
export TF_VAR_UPCLOUD_USERNAME=username
export TF_VAR_UPCLOUD_PASSWORD=password
```

To allow API access to your UpCloud account, you need to allow API connections by visiting the Account page in your UpCloud Hub. These are the credentials of the account itself, so keep them out of shell history and version control (for example, source them from a file with restricted permissions instead of typing them on the command line).
Copy the cluster configuration file.

```bash
CLUSTER=my-upcloud-cluster
cp -r inventory/sample inventory/$CLUSTER
cp contrib/terraform/upcloud/cluster-settings.tfvars inventory/$CLUSTER/
export ANSIBLE_CONFIG=ansible.cfg
cd inventory/$CLUSTER
```

Edit `cluster-settings.tfvars` to match your requirements.
Run Terraform to create the infrastructure.

```bash
terraform init ../../contrib/terraform/upcloud
terraform apply --var-file cluster-settings.tfvars \
  -state=tfstate-$CLUSTER.tfstate \
  ../../contrib/terraform/upcloud/
```

You should now have an inventory file named `inventory.ini` that you can use with Kubespray. The state file `tfstate-$CLUSTER.tfstate` is written next to it; it records every provisioned resource and is required for `terraform destroy` later, so keep it, and keep it out of version control.
It is a good idea to check that you have basic SSH connectivity to the nodes. You can do that by:

```bash
ansible -i inventory.ini -m ping all
```

You can set up Kubernetes with Kubespray using the generated inventory:

```bash
ansible-playbook -i inventory.ini ../../cluster.yml -b -v
```
Teardown
You can tear down your infrastructure using the following Terraform command (it needs the same state file that `terraform apply` wrote):

```bash
terraform destroy --var-file cluster-settings.tfvars \
  -state=tfstate-$CLUSTER.tfstate \
  ../../contrib/terraform/upcloud/
```
Variables
- `prefix`: Prefix to add to all resources; if set to "" no prefix is added
- `template_name`: The name or UUID of a base image
- `username`: A user to access the nodes, defaults to "ubuntu"
- `private_network_cidr`: CIDR to use for the private network, defaults to "172.16.0.0/24"
- `ssh_public_keys`: List of public SSH keys to install on all machines
- `zone`: The zone where to run the cluster
- `machines`: Machines to provision. The key of this object will be used as the name of the machine
  - `node_type`: The role of this node (master|worker)
  - `plan`: Preconfigured cpu/mem plan to use (disables the `cpu` and `mem` attributes below)
  - `cpu`: Number of cpu cores
  - `mem`: Memory size in MB
  - `disk_size`: The size of the storage in GB
  - `additional_disks`: Additional disks to attach to the node
    - `size`: The size of the additional disk in GB
    - `tier`: The tier of disk to use (`maxiops` is the only one you can choose at the moment)
- `firewall_enabled`: Enable firewall rules
- `firewall_default_deny_in`: Set the firewall to deny inbound traffic by default. Automatically adds allow rules for the UpCloud DNS servers and the NTP port
- `firewall_default_deny_out`: Set the firewall to deny outbound traffic by default
- `master_allowed_remote_ips`: List of IP ranges that should be allowed to access the API of the masters
  - `start_address`: Start of address range to allow
  - `end_address`: End of address range to allow
- `k8s_allowed_remote_ips`: List of IP ranges that should be allowed SSH access to all nodes
  - `start_address`: Start of address range to allow
  - `end_address`: End of address range to allow
- `master_allowed_ports`: List of port ranges that should be allowed to access the masters
  - `protocol`: Protocol (tcp|udp|icmp)
  - `port_range_min`: Start of port range to allow
  - `port_range_max`: End of port range to allow
  - `start_address`: Start of address range to allow
  - `end_address`: End of address range to allow
- `worker_allowed_ports`: List of port ranges that should be allowed to access the workers
  - `protocol`: Protocol (tcp|udp|icmp)
  - `port_range_min`: Start of port range to allow
  - `port_range_max`: End of port range to allow
  - `start_address`: Start of address range to allow
  - `end_address`: End of address range to allow
- `loadbalancer_enabled`: Enable managed load balancer
- `loadbalancer_plan`: Plan to use for load balancer (development|production-small)
- `loadbalancers`: Ports to load balance and which machines to forward to. The key of this object will be used as the name of the load balancer frontends/backends
  - `port`: Port to load balance
  - `backend_servers`: List of servers that traffic to the port should be forwarded to
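As an added example for the "Edit cluster-settings.tfvars" step and the variables above (this is not the project's shipped `cluster-settings.tfvars`; the zone, plan name, image name, SSH key and all addresses are placeholder values chosen for illustration), here is a `cluster-settings.tfvars` that enables the firewall, denies inbound traffic by default, and restricts both the Kubernetes API and SSH allowlists to a single operator range instead of the whole IPv4 space:

```hcl
# Placeholder zone, image and key: replace with values from your own account.
zone          = "fi-hel1"
username      = "ubuntu"
prefix        = "kubespray-prod"                        # prefixed onto every resource name
template_name = "Ubuntu Server 20.04 LTS (Focal Fossa)" # assumed base image name

private_network_cidr = "172.16.0.0/24"

ssh_public_keys = [
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyForIllustrationOnly operator@example", # placeholder
]

machines = {
  "master-0" : {
    "node_type"        : "master",
    "plan"             : "2xCPU-4GB", # assumed plan name; a plan disables cpu/mem below
    "disk_size"        : 50,
    "additional_disks" : {},
  },
  "worker-0" : {
    "node_type" : "worker",
    "cpu"       : "4",
    "mem"       : "8192",
    "disk_size" : 100,
    "additional_disks" : {
      "data" : {
        "size" : 200,
        "tier" : "maxiops",
      },
    },
  },
}

# Default-deny inbound on every node. UpCloud DNS and NTP are allowlisted
# automatically by the module, so name resolution and time sync keep working.
firewall_enabled          = true
firewall_default_deny_in  = true
firewall_default_deny_out = false

# Kubernetes API on the masters: only the operator's range (placeholder
# documentation addresses), not 0.0.0.0 - 255.255.255.255.
master_allowed_remote_ips = [
  {
    "start_address" : "203.0.113.10",
    "end_address"   : "203.0.113.20",
  },
]

# SSH to all nodes: the same operator range.
k8s_allowed_remote_ips = [
  {
    "start_address" : "203.0.113.10",
    "end_address"   : "203.0.113.20",
  },
]

# No extra inbound ports beyond the API and SSH rules above.
master_allowed_ports = []
worker_allowed_ports = []

# Managed load balancer left off here; if you enable it, the forwarded port
# must also be reachable on the workers (assumption: add a matching
# worker_allowed_ports rule for it).
loadbalancer_enabled = false
loadbalancer_plan    = "development"
loadbalancers = {
  "http" : {
    "port"            : 80,
    "backend_servers" : ["worker-0"],
  },
}
```

With `firewall_default_deny_in = true`, anything not listed in the `*_allowed_remote_ips` and `*_allowed_ports` variables is dropped at the UpCloud firewall before it reaches a node, so widening access later is a deliberate edit to this file rather than an accident of a permissive default.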