diff --git a/kayak.tf b/kayak.tf
new file mode 100644
index 0000000..8bdb0cf
--- /dev/null
+++ b/kayak.tf
@@ -0,0 +1,31 @@
+// Points to the local working directory instead of
+// the published version
+module "kayak" {
+ source = "../terraform-digitalocean-kayak"
+ cert_path = "${path.root}/secrets/kayak"
+ domain = "kayak.${var.root-domain}"
+ ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD0Getey8585AqdgIl9mqQ3SH9w6z7NZUW4HXdOqZwC7sYEaDrLOBV014gtFS8h8ymm4dcw6xEGUkaavcHC8W9ChTLKBMK4N1/sUS/umLy+Wi/K//g13y0VHSdvcc+gMQ27b9n/DwDY4ZKkaf6t+4HWyFWNh6gp0cT1WCyLNlsER55KUdy+C1lCOpv1SMepOaYc7uyBlC9FfgewJho/OfxnoTztQV6QeSGfr2Xr94Ip1FUPoLoBLLilh4ZbCe6F6bqn0kNgVBTkrVwWJv5Z0jCJpUjER69cqjASRao9KCHkyPtybzKKhCLZIlB3QMggEv0xnlHMpeeuDWcGrBVPKI8V"
+
+ asset_dir = "${path.root}/k8s"
+
+ providers {
+ docker = "docker.kayak"
+ }
+}
+
+provider "docker" {
+ host = "tcp://${cloudflare_record.kayak-docker.hostname}:2376"
+ version = "~> 2.0.0"
+ alias = "kayak"
+ ca_material = "${module.kayak.docker_ca_cert}"
+ cert_material = "${module.kayak.docker_client_cert}"
+ key_material = "${module.kayak.docker_client_key}"
+}
+
+resource "cloudflare_record" "kayak-docker" {
+ name = "docker.kayak"
+ value = "${module.kayak.droplet_ipv4}"
+ domain = "${var.root-domain}"
+ type = "A"
+ ttl = 3600
+}
diff --git a/kubernetes.tf b/kubernetes.tf
deleted file mode 100644
index 1a7cf98..0000000
--- a/kubernetes.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-module "k8s" {
- source = "modules/k8s"
- cluster_name = "k8s.${var.root-domain}"
- etcd_domain = "etcd.${var.root-domain}"
- etcd_data_dir = "/mnt/disk/etcd"
- asset_dir = "${path.root}/k8s2"
- host_ip = "${var.ips["dovpn"]}"
-
- providers = {
- docker = "docker.sydney"
- }
-}
diff --git a/modules/bootkube/main.tf b/modules/bootkube/main.tf
deleted file mode 100644
index 188a0ec..0000000
--- a/modules/bootkube/main.tf
+++ /dev/null
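Review bot: The module source on `source = "../terraform-digitalocean-kayak"` is an unpinned path outside this repository, so what gets applied is whatever happens to be checked out there on the operator's machine; the header comment admits it is a stand-in for the published version, so either restore the published source with a version constraint before merging or extend the comment to name the revision the local checkout is expected to match. The `provider "docker"` block below feeds `module.kayak.docker_client_key` (together with the CA and client cert) into provider configuration, and since module outputs are recorded in Terraform state, the client key that authenticates to the Docker API on port 2376 ends up in plaintext in the state file; a comment such as `// docker_client_key is persisted in state - keep the state backend private` would make that visible to the next maintainer, and a private, encrypted-at-rest state backend is the real mitigation. The `providers { docker = "docker.kayak" }` form also differs from the `providers = { ... }` assignment used in the removed kubernetes.tf; the `=` form is the documented one for this Terraform generation if I read it right, so I would keep one form across the repository.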
@@ -1,221 +0,0 @@ -resource "docker_container" "bootkube" { - image = "${docker_image.image.latest}" - name = "bootkube" - - volumes { - container_path = "/etc/kubernetes" - host_path = "/etc/kubernetes" - } - - # bootstrap manifests - - upload { - content = "${file("${var.asset-dir}/bootstrap-manifests/bootstrap-apiserver.yaml")}" - file = "/home/.bootkube/bootstrap-manifests/bootstrap-apiserver.yaml" - } - upload { - content = "${file("${var.asset-dir}/bootstrap-manifests/bootstrap-controller-manager.yaml")}" - file = "/home/.bootkube/bootstrap-manifests/bootstrap-controller-manager.yaml" - } - upload { - content = "${file("${var.asset-dir}/bootstrap-manifests/bootstrap-scheduler.yaml")}" - file = "/home/.bootkube/bootstrap-manifests/bootstrap-scheduler.yaml" - } - # etcd secrets - # - upload { - file = "/home/.bootkube/tls/etcd-client-ca.crt" - content = "${file("${var.asset-dir}/tls/etcd-client-ca.crt")}" - } - upload { - file = "/home/.bootkube/tls/etcd-client.crt" - content = "${file("${var.asset-dir}/tls/etcd-client.crt")}" - } - upload { - file = "/home/.bootkube/tls/etcd-client.key" - content = "${file("${var.asset-dir}/tls/etcd-client.key")}" - } - # Cluster Networking - upload { - content = "${file("${var.asset-dir}/manifests-networking/cluster-role-binding.yaml")}" - file = "/home/.bootkube/manifests/networking-cluster-role-binding.yaml" - } - upload { - content = "${file("${var.asset-dir}/manifests-networking/cluster-role.yaml")}" - file = "/home/.bootkube/manifests/networking-cluster-role.yaml" - } - upload { - content = "${file("${var.asset-dir}/manifests-networking/config.yaml")}" - file = "/home/.bootkube/manifests/networking-config.yaml" - } - upload { - content = "${file("${var.asset-dir}/manifests-networking/daemonset.yaml")}" - file = "/home/.bootkube/manifests/networking-daemonset.yaml" - } - upload { - content = "${file("${var.asset-dir}/manifests-networking/service-account.yaml")}" - file = 
"/home/.bootkube/manifests/networking-service-account.yaml" - } - # TLS - upload { - file = "/home/.bootkube/tls/service-account.pub" - content = "${file("${var.asset-dir}/tls/service-account.pub")}" - } - upload { - file = "/home/.bootkube/tls/service-account.key" - content = "${file("${var.asset-dir}/tls/service-account.key")}" - } - upload { - content = "${file("${var.asset-dir}/tls/ca.key")}" - file = "/home/.bootkube/tls/ca.key" - } - upload { - content = "${file("${var.asset-dir}/tls/ca.crt")}" - file = "/home/.bootkube/tls/ca.crt" - } - upload { - content = "${file("${var.asset-dir}/tls/apiserver.key")}" - file = "/home/.bootkube/tls/apiserver.key" - } - upload { - content = "${file("${var.asset-dir}/tls/apiserver.crt")}" - file = "/home/.bootkube/tls/apiserver.crt" - } - upload { - content = "${var.assets["kubelet_cert"]}" - file = "/home/.bootkube/tls/kubelet.crt" - } - upload { - content = "${var.assets["kubelet_key"]}" - file = "/home/.bootkube/tls/kubelet.key" - } - # auth/kubeconfig-kubelet - upload { - content = "${var.assets["kubeconfig-kubelet"]}" - file = "/home/.bootkube/auth/kubeconfig-kubelet" - } - # TODO: Move to a module read instead of file - # auth/kubeconfig - upload { - file = "/home/.bootkube/auth/kubeconfig" - content = "${file("${var.asset-dir}/auth/kubeconfig")}" - } - # Manifests Directory - upload { - file = "/home/.bootkube/manifests/kube-apiserver-role-binding.yaml" - content = "${file("${var.asset-dir}/manifests/kube-apiserver-role-binding.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-apiserver-sa.yaml" - content = "${file("${var.asset-dir}/manifests/kube-apiserver-sa.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-apiserver-secret.yaml" - content = "${file("${var.asset-dir}/manifests/kube-apiserver-secret.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-apiserver.yaml" - content = "${file("${var.asset-dir}/manifests/kube-apiserver.yaml")}" - } - upload { - file = 
"/home/.bootkube/manifests/kubeconfig-in-cluster.yaml" - content = "${file("${var.asset-dir}/manifests/kubeconfig-in-cluster.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-controller-manager-disruption.yaml" - content = "${file("${var.asset-dir}/manifests/kube-controller-manager-disruption.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-controller-manager-role-binding.yaml" - content = "${file("${var.asset-dir}/manifests/kube-controller-manager-role-binding.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-controller-manager-sa.yaml" - content = "${file("${var.asset-dir}/manifests/kube-controller-manager-sa.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-controller-manager-secret.yaml" - content = "${file("${var.asset-dir}/manifests/kube-controller-manager-secret.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-controller-manager.yaml" - content = "${file("${var.asset-dir}/manifests/kube-controller-manager.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kubelet-nodes-cluster-role-binding.yaml" - content = "${file("${var.asset-dir}/manifests/kubelet-nodes-cluster-role-binding.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-proxy-role-binding.yaml" - content = "${file("${var.asset-dir}/manifests/kube-proxy-role-binding.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-proxy-sa.yaml" - content = "${file("${var.asset-dir}/manifests/kube-proxy-sa.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-proxy.yaml" - content = "${file("${var.asset-dir}/manifests/kube-proxy.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-scheduler-disruption.yaml" - content = "${file("${var.asset-dir}/manifests/kube-scheduler-disruption.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-scheduler-role-binding.yaml" - content = "${file("${var.asset-dir}/manifests/kube-scheduler-role-binding.yaml")}" - } - upload { - file = 
"/home/.bootkube/manifests/kube-scheduler-sa.yaml" - content = "${file("${var.asset-dir}/manifests/kube-scheduler-sa.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-scheduler-volume-scheduler-role-binding.yaml" - content = "${file("${var.asset-dir}/manifests/kube-scheduler-volume-scheduler-role-binding.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/kube-scheduler.yaml" - content = "${file("${var.asset-dir}/manifests/kube-scheduler.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/pod-checkpointer-cluster-role-binding.yaml" - content = "${file("${var.asset-dir}/manifests/pod-checkpointer-cluster-role-binding.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/pod-checkpointer-cluster-role.yaml" - content = "${file("${var.asset-dir}/manifests/pod-checkpointer-cluster-role.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/pod-checkpointer-role-binding.yaml" - content = "${file("${var.asset-dir}/manifests/pod-checkpointer-role-binding.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/pod-checkpointer-role.yaml" - content = "${file("${var.asset-dir}/manifests/pod-checkpointer-role.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/pod-checkpointer-sa.yaml" - content = "${file("${var.asset-dir}/manifests/pod-checkpointer-sa.yaml")}" - } - upload { - file = "/home/.bootkube/manifests/pod-checkpointer.yaml" - content = "${file("${var.asset-dir}/manifests/pod-checkpointer.yaml")}" - } - command = [ - "/bootkube", - "start", - "--asset-dir=/home/.bootkube", - ] - network_mode = "host" - restart = "on-failure" - max_retry_count = 5 -} - -data "docker_registry_image" "image" { - name = "quay.io/coreos/bootkube:v${var.version}" -} - -resource "docker_image" "image" { - name = "${data.docker_registry_image.image.name}" - pull_triggers = ["${data.docker_registry_image.image.sha256_digest}"] -} 
diff --git a/modules/bootkube/outputs.tf b/modules/bootkube/outputs.tf
deleted file mode 100644
index acc0ef3..0000000
--- a/modules/bootkube/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "image" {
- value = "${docker_image.image.latest}"
-}
diff --git a/modules/bootkube/variables.tf b/modules/bootkube/variables.tf
deleted file mode 100644
index 45f8246..0000000
--- a/modules/bootkube/variables.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-// Based on https://github.com/v1k0d3n/dockerfiles/tree/master/bootkube
-
-variable "k8s_host" {
- description = "kubenetes hostname"
-}
-
-variable "host_port" {
- default = "8443"
-}
-
-variable "network_provider" {
- default = "flannel"
-}
-
-variable "host_ip" {}
-
-variable "pod_cidr" {
- default = "10.25.0.0/16"
-}
-
-variable "service_cidr" {
- default = "10.96.0.0/16"
-}
-
-variable "version" {
- default = "0.14.0"
-}
-
-variable "depends_on" {
- default = []
-
- type = "list"
-}
-
-variable "assets" {
- type = "map"
-}
-
-variable "asset-dir" {}
diff --git a/modules/etcd/main.tf b/modules/etcd/main.tf
deleted file mode 100644
index 6001622..0000000
--- a/modules/etcd/main.tf
+++ /dev/null
@@ -1,79 +0,0 @@
-resource "docker_container" "etcd" {
- name = "etcd"
- image = "${docker_image.image.latest}"
-
- volumes {
- host_path = "${var.data_dir}"
- container_path = "/etcd-data"
- }
-
- ports {
- internal = 2379
- external = 2379
- ip = "${var.host_bind_ip}"
- }
-
- ports {
- internal = 2380
- external = 2380
- ip = "${var.host_bind_ip}"
- }
-
- upload {
- content = "${var.pki["ca_cert"]}"
- file = "/etc/ssl/ca_cert.pem"
- }
-
- upload {
- content = "${var.pki["server_cert"]}"
- file = "/etc/ssl/server_cert.pem"
- }
-
- upload {
- content = "${var.pki["server_key"]}"
- file = "/etc/ssl/server_key.pem"
- }
-
- upload {
- content = "${var.pki["peer_cert"]}"
- file = "/etc/ssl/peer_cert.pem"
- }
-
- upload {
- content = "${var.pki["peer_key"]}"
- file = "/etc/ssl/peer_key.pem"
- }
-
- env = [
- "ETCD_NAME=${var.node_name}",
- "ETCD_DATA_DIR=/etcd-data",
- "ETCD_ADVERTISE_CLIENT_URLS=https://${var.domain}:2379",
- "ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${var.domain}:2380",
- "ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379",
- "ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380",
- "ETCD_LISTEN_METRICS_URLS=http://0.0.0.0:2381",
- "ETCD_CLIENT_CERT_AUTH=true",
- "ETCD_INITIAL_CLUSTER=${var.node_name}=https://${var.domain}:2380",
- "ETCD_STRICT_RECONFIG_CHECK=true",
- "ETCD_CERT_FILE=/etc/ssl/server_cert.pem",
- "ETCD_KEY_FILE=/etc/ssl/server_key.pem",
- "ETCD_TRUSTED_CA_FILE=/etc/ssl/ca_cert.pem",
- "ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/ca_cert.pem",
- "ETCD_PEER_CERT_FILE=/etc/ssl/peer_cert.pem",
- "ETCD_PEER_KEY_FILE=/etc/ssl/peer_key.pem",
- "ETCD_PEER_CLIENT_CERT_AUTH=true",
- ]
-
- command = [
- "/usr/local/bin/etcd",
- ]
-}
-
-data "docker_registry_image" "image" {
- name = "quay.io/coreos/etcd:v${var.version}"
-}
-
-resource "docker_image" "image" {
- name = "${data.docker_registry_image.image.name}"
- pull_triggers = ["${data.docker_registry_image.image.sha256_digest}"]
-}
diff --git a/modules/etcd/variables.tf b/modules/etcd/variables.tf
deleted file mode 100644
index 6b8c90a..0000000
--- a/modules/etcd/variables.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-variable "domain" {
- description = "Host name to advertise"
- type = "string"
-}
-
-variable "data_dir" {
- description = "Directory on host to mount to /etcd-data"
- type = "string"
-}
-
-variable "node_name" {
- description = "name of the etcd node"
- default = "controller"
-}
-
-variable "depends_on" {
- default = []
-
- type = "list"
-}
-
-variable "pki" {
- type = "map"
-}
-
-variable "version" {
- description = "etcd version"
- default = "3.3.11"
-}
-
-variable "host_bind_ip" {
- description = "IP address to expose the ports on host"
- default = "0.0.0.0"
-}
diff --git a/modules/kubelet/main.tf b/modules/kubelet/main.tf
deleted file mode 100644
index 6903f4b..0000000
--- a/modules/kubelet/main.tf
+++ /dev/null
@@ -1,143 +0,0 @@ -// This is primarily based on https://github.com/coreos/coreos-overlay/blob/master/app-admin/kubelet-wrapper/files/kubelet-wrapper -resource "docker_container" "kubelet" { - image = "${docker_image.image.latest}" - name = "kubelet" - - upload { - file = "/etc/kubeconfig" - content = "${var.assets["kubeconfig"]}" - } - - upload { - file = "/etc/kubeca.crt" - content = "${var.assets["ca_cert"]}" - } - - volumes { - container_path = "/etc/ssl/certs" - host_path = "/etc/ssl/certs" - read_only = true - } - - volumes { - container_path = "/sys" - host_path = "/sys" - read_only = true - } - - volumes { - container_path = "/dev" - host_path = "/dev" - } - - volumes { - container_path = "/usr/share/ca-certificates" - host_path = "/usr/share/ca-certificates" - read_only = true - } - - volumes { - container_path = "/var/lib/docker" - host_path = "/var/lib/docker" - } - - volumes { - container_path = "/etc/kubernetes" - host_path = "/etc/kubernetes" - } - - // See https://github.com/kubernetes/kubernetes/issues/4869#issuecomment-193316593 - volumes { - container_path = "/var/lib/kubelet" - host_path = "/var/lib/kubelet" - shared = true - } - - volumes { - container_path = "/var/log" - host_path = "/var/log" - } - - volumes { - container_path = "/run" - host_path = "/run" - } - - volumes { - container_path = "/var/run" - host_path = "/var/run" - } - - volumes { - container_path = "/lib/modules" - host_path = "/lib/modules" - read_only = true - } - - volumes { - container_path = "/etc/os-release" - host_path = "/usr/lib/os-release" - read_only = true - } - - volumes { - container_path = "/etc/machine-id" - host_path = "/etc/machine-id" - read_only = true - } - - // Deviates from kubelet-wrapper - - volumes { - container_path = "/opt/cni/bin" - host_path = "/opt/cni/bin" - } - volumes { - container_path = "/etc/cni/net.d" - host_path = "/etc/kubernetes/cni/net.d" - } - # - # "There is no war within the container. Here we are safe. Here we are free." 
- # - Docker Li agent brainwashing the author - # - command = [ - "kubelet", - "--address=${var.host_ip}", - "--allow-privileged", - "--anonymous-auth=false", - "--authentication-token-webhook", - "--authorization-mode=Webhook", - "--client-ca-file=/etc/kubeca.crt", - "--cluster_dns=${var.dns_ip}", - "--cluster_domain=${var.k8s_host}", - "--exit-on-lock-contention=true", - "--hostname-override=${var.host_ip}", - "--kubeconfig=/etc/kubeconfig", - "--lock-file=/var/run/lock/kubelet.lock", - "--minimum-container-ttl-duration=10m0s", - "--network-plugin=cni", - "--node-labels=${var.node_label}", - "--pod-manifest-path=/etc/kubernetes/manifests", - "--read-only-port=0", - "--register-with-taints=${var.node_taints}", - "--rotate-certificates", - ] - host { - host = "${var.k8s_host}" - ip = "${var.host_ip}" - } - network_mode = "host" - pid_mode = "host" - privileged = true - restart = "no" - must_run = false -} - -data "docker_registry_image" "image" { - name = "gcr.io/google_containers/hyperkube:v${var.version}" -} - -resource "docker_image" "image" { - name = "${data.docker_registry_image.image.name}" - pull_triggers = ["${data.docker_registry_image.image.sha256_digest}"] -} diff --git a/modules/kubelet/variables.tf b/modules/kubelet/variables.tf deleted file mode 100644 index 24e643f..0000000 --- a/modules/kubelet/variables.tf +++ /dev/null @@ -1,38 +0,0 @@ -variable "version" { - description = "kubelet version" - default = "1.13.2" -} - -variable "node_label" { - description = "kubelet version" - default = "node-role.kubernetes.io/master" -} - -variable "node_taints" { - description = "node taints" - default = "node-role.kubernetes.io/master=:NoSchedule" -} - -variable "depends_on" { - default = [] - - type = "list" -} - -variable "asset_dir_volume_name" { - default = "k8s-assets" -} - -variable "host_ip" {} - -variable "dns_ip" { - default = "10.25.0.10" -} - -variable "k8s_host" { - description = "kubenetes hostname" -} - -variable "assets" { - type = "map" -} 
diff --git a/providers.tf b/providers.tf
index e4d7417..c9eedb8 100644
--- a/providers.tf
+++ b/providers.tf
@@ -4,20 +4,6 @@ provider "docker" {
 version = "~> 2.0.0"
 }
 
-provider "docker" {
- host = "tcp://docker.dovpn.bb8.fun:2376"
- cert_path = "./secrets/sydney"
- alias = "sydney"
- version = "~> 2.0.0"
-}
-
-provider "docker" {
- host = "tcp://docker.captnemo.in:4243"
- cert_path = "./secrets/nautilus"
- alias = "nautilus"
- version = "~> 2.0.0"
-}
-
 provider "kubernetes" {
 version = "1.3.0-custom"
 host = "https://k8s.bb8.fun:6443"