c12s-kubespray/contrib/terraform/upcloud
Fredrik Liv 07ad5ecfce
[upcloud] Fixed issue where DNS would be blocked while using allowlist (#9510)
* [upcloud] Fixed issue where DNS would be blocked while using allowlist

* Missed one NTP rule
2022-11-30 21:36:26 -08:00

Kubernetes on UpCloud with Terraform

Provision a Kubernetes cluster on UpCloud using Terraform and Kubespray

Overview

The setup looks like the following:

   Kubernetes cluster
+--------------------------+
|      +--------------+    |
|      | +--------------+  |
| -->  | |              |  |
|      | | Master/etcd  |  |
|      | | node(s)      |  |
|      +-+              |  |
|        +--------------+  |
|              ^           |
|              |           |
|              v           |
|      +--------------+    |
|      | +--------------+  |
| -->  | |              |  |
|      | |    Worker    |  |
|      | |    node(s)   |  |
|      +-+              |  |
|        +--------------+  |
+--------------------------+

The nodes use a private network for node-to-node communication and a public interface for all external communication.

Requirements

  • Terraform 0.13.0 or newer

Quickstart

NOTE: Assumes you are at the root of the kubespray repo.

For authentication against your UpCloud account you can use the following environment variables:

export TF_VAR_UPCLOUD_USERNAME=username
export TF_VAR_UPCLOUD_PASSWORD=password

To allow API access to your UpCloud account, you need to enable API connections on the Account page in your UpCloud Hub.

Copy the sample inventory and the cluster configuration file:

CLUSTER=my-upcloud-cluster
cp -r inventory/sample inventory/$CLUSTER
cp contrib/terraform/upcloud/cluster-settings.tfvars inventory/$CLUSTER/
export ANSIBLE_CONFIG=ansible.cfg
cd inventory/$CLUSTER

Edit cluster-settings.tfvars to match your requirements.

Run Terraform to create the infrastructure:

terraform init ../../contrib/terraform/upcloud
terraform apply --var-file cluster-settings.tfvars \
    -state=tfstate-$CLUSTER.tfstate \
     ../../contrib/terraform/upcloud/

You should now have an inventory file named inventory.ini that you can use with kubespray to set up the cluster.

It is a good idea to check that you have basic SSH connectivity to the nodes. You can do that with:

ansible -i inventory.ini -m ping all

You can set up Kubernetes with kubespray using the generated inventory:

ansible-playbook -i inventory.ini ../../cluster.yml -b -v

Teardown

You can tear down your infrastructure using the following Terraform command:

terraform destroy --var-file cluster-settings.tfvars \
      -state=tfstate-$CLUSTER.tfstate \
      ../../contrib/terraform/upcloud/

Variables

  • prefix: Prefix to add to all resources; if set to "", no prefix is used
  • template_name: The name or UUID of a base image
  • username: a user to access the nodes, defaults to "ubuntu"
  • private_network_cidr: CIDR to use for the private network, defaults to "172.16.0.0/24"
  • ssh_public_keys: List of public SSH keys to install on all machines
  • zone: The zone where to run the cluster
  • machines: Machines to provision. Key of this object will be used as the name of the machine
    • node_type: The role of this node (master|worker)
    • plan: Preconfigured cpu/mem plan to use (disables cpu and mem attributes below)
    • cpu: number of cpu cores
    • mem: memory size in MB
    • disk_size: The size of the storage in GB
    • additional_disks: Additional disks to attach to the node.
      • size: The size of the additional disk in GB
      • tier: The tier of disk to use (maxiops is currently the only option)
  • firewall_enabled: Enable firewall rules
  • firewall_default_deny_in: Set the firewall to deny inbound traffic by default. Allowlist rules for the UpCloud DNS servers and for NTP are added automatically, so name resolution and time sync keep working under default deny.
  • firewall_default_deny_out: Set the firewall to deny outbound traffic by default.
  • master_allowed_remote_ips: List of IP ranges that should be allowed to access API of masters
    • start_address: Start of address range to allow
    • end_address: End of address range to allow
  • k8s_allowed_remote_ips: List of IP ranges that should be allowed SSH access to all nodes
    • start_address: Start of address range to allow
    • end_address: End of address range to allow
  • master_allowed_ports: List of port ranges that should be allowed to access the masters
    • protocol: Protocol (tcp|udp|icmp)
    • port_range_min: Start of port range to allow
    • port_range_max: End of port range to allow
    • start_address: Start of address range to allow
    • end_address: End of address range to allow
  • worker_allowed_ports: List of port ranges that should be allowed to access the workers
    • protocol: Protocol (tcp|udp|icmp)
    • port_range_min: Start of port range to allow
    • port_range_max: End of port range to allow
    • start_address: Start of address range to allow
    • end_address: End of address range to allow
  • loadbalancer_enabled: Enable managed load balancer
  • loadbalancer_plan: Plan to use for load balancer (development|production-small)
  • loadbalancers: Ports to load balance and which machines to forward to. Key of this object will be used as the name of the load balancer frontends/backends
    • port: Port to load balance.
    • backend_servers: List of servers that traffic to the port should be forwarded to.
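A cluster-settings.tfvars fragment that wires these variables together with the firewall in default-deny mode, so that only an admin range reaches the API and SSH while the workers expose a single ingress port. This is an added example, not the sample file shipped in this directory; the zone, template name, plan handling (null here, sized by cpu/mem), SSH key and IP ranges are placeholders you must replace.

```hcl
prefix               = "kubespray-"                 # "" disables the prefix
zone                 = "fi-hel1"                    # assumed UpCloud zone
template_name        = "Ubuntu Server 20.04 LTS (Focal Fossa)"  # assumed base image
username             = "ubuntu"
private_network_cidr = "172.16.0.0/24"
ssh_public_keys      = ["ssh-ed25519 AAAA...placeholder admin@example.com"]  # placeholder key

machines = {
  "master-0" : {
    "node_type" : "master",
    "plan" : null,            # assumed: null means size by cpu/mem below, not a named plan
    "cpu" : "2",
    "mem" : "4096",
    "disk_size" : 50,
    "additional_disks" : {}
  },
  "worker-0" : {
    "node_type" : "worker",
    "plan" : null,
    "cpu" : "4",
    "mem" : "8192",
    "disk_size" : 50,
    "additional_disks" : {
      "data" : { "size" : 100, "tier" : "maxiops" }
    }
  }
}

# Deny inbound by default; DNS and NTP allowlisting is added by the module itself
firewall_enabled          = true
firewall_default_deny_in  = true
firewall_default_deny_out = false

# Placeholder admin range (203.0.113.0/24 is a documentation range): API and SSH only from here
master_allowed_remote_ips = [{ "start_address" : "203.0.113.10", "end_address" : "203.0.113.20" }]
k8s_allowed_remote_ips    = [{ "start_address" : "203.0.113.10", "end_address" : "203.0.113.20" }]
master_allowed_ports      = []

# Workers: only HTTPS from anywhere, for the ingress behind the load balancer
worker_allowed_ports = [{
  "protocol" : "tcp", "port_range_min" : 443, "port_range_max" : 443,
  "start_address" : "0.0.0.0", "end_address" : "255.255.255.255"
}]

loadbalancer_enabled = true
loadbalancer_plan    = "development"
loadbalancers = {
  "https" : { "port" : 443, "backend_servers" : ["worker-0"] }
}
```

Every other inbound port is dropped by the default-deny rule, so anything not listed in master_allowed_ports or worker_allowed_ports must be added explicitly before it is reachable from outside.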