
refactor(infra): move cluster into a Terraform module

+89 -51
+3 -24
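--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 .POSIX:
-.PHONY: default compose infra cluster system platform apps secrets edit-secrets test update
+.PHONY: default compose infra apps test update
 
 env ?= local
 # TODO multiple clusters
@@ -16,39 +16,18 @@
 		--task-queue cloudlab \
 		--type Infra \
 		--input '{ "url": "https://github.com/khuedoan/cloudlab", "revision": "infra-rewrite", "oldRevision": "790763a8166e306f34559870c60e818505117e6b", "stack": "local" }'
-
-cluster:
-	cd cluster && ansible-playbook \
-		--inventory inventory.yml \
-		--ask-vault-pass \
-		main.yml
-
-system:
-	kubectl apply --server-side=true --namespace argocd --filename system/
-
-platform:
-	kubectl apply --server-side=true --namespace argocd --filename platform/
 
 apps:
+	# TODO auto bootstrap
 	kubectl apply --server-side=true --namespace argocd --filename apps/
 
-secrets:
-	cd cluster && ansible-playbook \
-		--inventory inventory.yml \
-		--ask-vault-pass \
-		--tags secrets \
-		main.yml
-
-edit-secrets:
-	ansible-vault edit ./cluster/roles/secrets/vars/main.yml
-
 test:
 	cd controller && go test ./...
 	cd test/e2e && go test
 
 fmt:
 	yamlfmt \
-		--exclude cluster/roles/secrets/vars/main.yml \
+		--exclude infra/modules/cluster/roles/secrets/vars/main.yml \
 		--exclude infra/*/secrets.yaml \
 		.
 	terragrunt hcl format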
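Review bot: The `edit-secrets` target is removed while the vault-encrypted file it edited still exists (the `fmt` exclude now points at `infra/modules/cluster/roles/secrets/vars/main.yml`), so the repository no longer records how that file is edited, and with the playbook now run via `--vault-password-file` the interactive `--ask-vault-pass` flow no longer matches how the password is supplied. Consider keeping a target along the lines of `edit-secrets:` / `ansible-vault edit --vault-password-file <path-to-vault_password-file> infra/modules/cluster/roles/secrets/vars/main.yml` and listing it in `.PHONY` again. The `# TODO auto bootstrap` line sits inside the `apps` recipe; if it is tab-indented (indentation is not recoverable from this rendering) make passes it to the shell and echoes it on every run, so placing it above `apps:` keeps it a make comment.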
-1
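--- a/cluster/.gitignore
+++ b/cluster/.gitignore
@@ -1 +0,0 @@
-inventory.yml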
cluster/group_vars/all.yml infra/modules/cluster/group_vars/all.yml
cluster/main.yml infra/modules/cluster/main.yml
cluster/roles/bootstrap/defaults/main.yml infra/modules/cluster/roles/bootstrap/defaults/main.yml
cluster/roles/bootstrap/tasks/main.yml infra/modules/cluster/roles/bootstrap/tasks/main.yml
cluster/roles/data/tasks/main.yml infra/modules/cluster/roles/data/tasks/main.yml
cluster/roles/k3s/defaults/main.yml infra/modules/cluster/roles/k3s/defaults/main.yml
cluster/roles/k3s/tasks/main.yml infra/modules/cluster/roles/k3s/tasks/main.yml
cluster/roles/k3s/templates/config.yaml.j2 infra/modules/cluster/roles/k3s/templates/config.yaml.j2
cluster/roles/k3s/templates/k3s.service.j2 infra/modules/cluster/roles/k3s/templates/k3s.service.j2
cluster/roles/k3s/templates/registries.yaml.j2 infra/modules/cluster/roles/k3s/templates/registries.yaml.j2
cluster/roles/prerequisites/tasks/main.yml infra/modules/cluster/roles/prerequisites/tasks/main.yml
cluster/roles/secrets/tasks/main.yml infra/modules/cluster/roles/secrets/tasks/main.yml
cluster/roles/secrets/vars/main.yml infra/modules/cluster/roles/secrets/vars/main.yml
+37
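--- a/infra/modules/cluster/main.tf
+++ b/infra/modules/cluster/main.tf
@@ -0,0 +1,37 @@
+resource "local_file" "vault_password" {
+  content = var.vault_password
+  filename = "${path.root}/vault_password"
+  file_permission = "0600"
+}
+
+resource "local_file" "ssh_private_key" {
+  content = var.ssh_private_key
+  filename = "${path.root}/private.pem"
+  file_permission = "0600"
+}
+
+resource "local_file" "inventory" {
+  filename = "${path.root}/inventory.yml"
+  file_permission = "0644"
+  content = yamlencode({
+    k3s = {
+      hosts = {
+        "${var.instance_public_ip}" = {
+          ansible_user = "ubuntu"
+          ansible_ssh_private_key_file = abspath(local_file.ssh_private_key.filename)
+        }
+      }
+    }
+  })
+}
+
+resource "null_resource" "cluster" {
+  triggers = {
+    inventory = local_file.inventory.content_md5
+  }
+
+  provisioner "local-exec" {
+    working_dir = path.root
+    command = "ansible-playbook --inventory ${local_file.inventory.filename} --vault-password-file ${local_file.vault_password.filename} ${path.module}/main.yml"
+  }
+}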
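Review bot: `local_file.vault_password` and `local_file.ssh_private_key` write secret material through plain `local_file`, whose `content` is shown unredacted in plan output and kept in state; the `hashicorp/local` provider's `local_sensitive_file` takes the same `content`/`filename`/`file_permission` arguments and marks the content sensitive, so `resource "local_sensitive_file" "vault_password" {` (and likewise for the key) is the better fit here. The deleted `cluster/.gitignore` covered `inventory.yml`, and nothing in this commit ignores `vault_password`, `private.pem` or `inventory.yml` at their new location under `path.root` — confirm an existing ignore rule there or add one, since the vault password and private key are now materialised on disk next to the root module. `null_resource.cluster` triggers only on `local_file.inventory.content_md5`, so changes to `${path.module}/main.yml`, its roles, or a rotated vault password will not re-run the playbook; adding e.g. `playbook = filemd5("${path.module}/main.yml")` to `triggers` covers at least the playbook file.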
+13
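--- a/infra/modules/cluster/variables.tf
+++ b/infra/modules/cluster/variables.tf
@@ -0,0 +1,13 @@
+variable "vault_password" {
+  type = string
+  sensitive = true
+}
+
+variable "instance_public_ip" {
+  type = string
+  sensitive = true
+}
+
+variable "ssh_private_key" {
+  type = string
+}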
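Review bot: `ssh_private_key` is the input that actually carries a secret (the caller in `infra/modules/legacy/main.tf` passes `tls_private_key.ssh.private_key_openssh`), yet it is the only one of the three without `sensitive = true`, while `instance_public_ip` — a public address — is marked sensitive; add `sensitive = true` to `ssh_private_key` so the key is redacted in plan output. None of the three variables has a `description`, unlike the root-module `vault_password` added in `infra/modules/legacy/variables.tf`; e.g. `description = "Ansible Vault password, written to path.root/vault_password for --vault-password-file"` and `description = "OpenSSH private key used by Ansible to reach the k3s host"` would document the contract the module's `main.tf` relies on.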
+6 -19
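--- a/infra/modules/legacy/main.tf
+++ b/infra/modules/legacy/main.tf
@@ -14,12 +14,6 @@
   algorithm = "ED25519"
 }
 
-resource "local_file" "ssh_private_key" {
-  content = tls_private_key.ssh.private_key_openssh
-  filename = "${path.root}/private.pem"
-  file_permission = "0600"
-}
-
 module "instance" {
   source = "../instance"
   compartment_id = module.base.compartment_id
@@ -35,17 +29,10 @@
   }
 }
 
-resource "local_file" "inventory" {
-  filename = "${path.root}/inventory.yml"
-  file_permission = "0644"
-  content = yamlencode({
-    k3s = {
-      hosts = {
-        "${module.instance.public_ip}" = {
-          ansible_user = "ubuntu"
-          ansible_ssh_private_key_file = abspath(local_file.ssh_private_key.filename)
-        }
-      }
-    }
-  })
+module "cluster" {
+  source = "../cluster"
+
+  vault_password = var.vault_password
+  instance_public_ip = module.instance.public_ip
+  ssh_private_key = tls_private_key.ssh.private_key_openssh
 }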
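Review bot: `local_file.ssh_private_key` and `local_file.inventory` are relocated into `module.cluster` with identical filenames and content, but without `moved` blocks the next apply will plan them as a destroy of the root-level resources and a create under the module addresses rather than a no-op; the legacy root runs on OpenTofu per its lockfile, which supports `moved`. Adding the two blocks below to this file keeps the existing state entries attached to the new addresses (the hunks cut the file, so place them wherever top-level blocks live). The removed `output "instance_public_ip"` is a separate, presumably intentional loss of the host address from `tofu output`; if anything consumed it, the module call is where it would need to be re-exposed.
```terraform
// … unchanged: tls_private_key, module "instance", module "cluster" …
moved {
  from = local_file.ssh_private_key
  to   = module.cluster.local_file.ssh_private_key
}

moved {
  from = local_file.inventory
  to   = module.cluster.local_file.inventory
}
```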
-3
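--- a/infra/modules/legacy/outputs.tf
+++ b/infra/modules/legacy/outputs.tf
@@ -1,3 +0,0 @@
-output "instance_public_ip" {
-  value = module.instance.public_ip
-}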
+6
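--- a/infra/modules/legacy/variables.tf
+++ b/infra/modules/legacy/variables.tf
@@ -14,3 +14,9 @@
   type = string
   default = "Cloudlab Project"
 }
+
+variable "vault_password" {
+  description = "Ansible Vault password"
+  type = string
+  sensitive = true
+}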
+17
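--- a/infra/production/oracle/legacy/.terraform.lock.hcl
+++ b/infra/production/oracle/legacy/.terraform.lock.hcl
@@ -35,6 +35,23 @@
   ]
 }
 
+provider "registry.opentofu.org/hashicorp/null" {
+  version = "3.2.4"
+  hashes = [
+    "h1:i+WKhUHL2REY5EGmiHjfUljJB8UKZ9QdhdM5uTeUhC4=",
+    "zh:1769783386610bed8bb1e861a119fe25058be41895e3996d9216dd6bb8a7aee3",
+    "zh:32c62a9387ad0b861b5262b41c5e9ed6e940eda729c2a0e58100e6629af27ddb",
+    "zh:339bf8c2f9733fce068eb6d5612701144c752425cebeafab36563a16be460fb2",
+    "zh:36731f23343aee12a7e078067a98644c0126714c4fe9ac930eecb0f2361788c4",
+    "zh:3d106c7e32a929e2843f732625a582e562ff09120021e510a51a6f5d01175b8d",
+    "zh:74bcb3567708171ad83b234b92c9d63ab441ef882b770b0210c2b14fdbe3b1b6",
+    "zh:90b55bdbffa35df9204282251059e62c178b0ac7035958b93a647839643c0072",
+    "zh:ae24c0e5adc692b8f94cb23a000f91a316070fdc19418578dcf2134ff57cf447",
+    "zh:b5c10d4ad860c4c21273203d1de6d2f0286845edf1c64319fa2362df526b5f58",
+    "zh:e05bbd88e82e1d6234988c85db62fd66f11502645838fff594a2ec25352ecd80",
+  ]
+}
+
 provider "registry.opentofu.org/hashicorp/oci" {
   version = "6.37.0"
   constraints = "~> 6.0"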
+3 -2
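--- a/infra/production/oracle/legacy/terragrunt.hcl
+++ b/infra/production/oracle/legacy/terragrunt.hcl
@@ -1,4 +1,4 @@
 include "root" {
-  path = find_in_parent_folders("root.hcl")
+  path = find_in_parent_folders("root.hcl")
   expose = true
 }
@@ -8,5 +8,6 @@
 }
 
 inputs = {
-  tenancy_ocid = include.root.locals.secrets.oracle_tenancy_ocid
+  tenancy_ocid = include.root.locals.secrets.oracle_tenancy_ocid
+  vault_password = include.root.locals.secrets.vault_password
 }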
+1
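--- a/infra/production/oracle/root.hcl
+++ b/infra/production/oracle/root.hcl
@@ -2,6 +2,7 @@
   secrets = yamldecode(sops_decrypt_file(find_in_parent_folders("secrets.yaml")))
 }
 
+# TODO split into multiple modules, and use a more flexible state backend
 generate "backend" {
   path = "backend.tf"
   if_exists = "overwrite_terragrunt"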
+3 -2
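--- a/infra/production/secrets.yaml
+++ b/infra/production/secrets.yaml
@@ -3,6 +3,7 @@
 oracle_fingerprint: ENC[AES256_GCM,data:HL7NqWBTJ0f9hXfA9HyyMDErLMDbmK5QsyMKr2Kg+w8Qo9h1891+KuhGpe7K+SQ=,iv:vBak+FMghPYeuDbtfzMyEeEPfdQtbvpUXEVJGfzqslY=,tag:C057JRlVzWhbOoVUee82aw==,type:str]
 oracle_private_key: ENC[AES256_GCM,data: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,iv:rzCVfuRUc+IV6Oww25g0162gtYUsmrHZerLsUATxYzk=,tag:iRMIkyUWgNVY4c9ZVvtvrQ==,type:str]
 oracle_region: ENC[AES256_GCM,data:Dz1UpFhrPNBDatU=,iv:vR9uUF7hOz/u5ICjm9H0fNF6GooBeOtXCTVmQZi0M7s=,tag:939nIJTpkL5gj3WEFRFb3g==,type:str]
+vault_password: ENC[AES256_GCM,data:FY3I6WBPJluAuy0n8xgO4gSedeaK7+FWz3KmZsPk,iv:zefeS6Tol+j8ukOqmuY4Ne1gqEMmgZuqenaTjbc/wkE=,tag:Y7yGXJMVoJsUGMZ+14Klzw==,type:str]
 sops:
   age:
     - recipient: age15c5rpksj0u27sp667525zqh8dhtd70rwrlv7xq2hqhsfaempcdwqu3unel
@@ -14,7 +15,7 @@
         bzdTeVZWYVIwM1VyUm5UM0pQZW5KYlUKWw7Fq17anbkfY6U3HCr00OKEfffRL/TM
         zvtvDaWLg2ZilP7kWM7YbqyTi4XqjLXKldOblwIcF7qA5E/OfbbzXw==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-06-12T09:56:14Z"
-  mac: ENC[AES256_GCM,data:FGXolVu+F0xsqpMU2V3OWcyMCGiqkJlUI96jfgQM8O0T92A9v/TYKbH3Tuk0h1jlvV8fKt+5nXlFmJm+DH5DFC6NQn1KMpwWAJpjmf/8gZiDTyYeGV5CbfROpfyRCapZbhi/zaWEoO8Gg2T4Z7EHZf1tct3+0aMg6V6e8ciD36Y=,iv:dch5dsqDL7QxWErSPRjgiWQWhIydbmlqGqcUyUDbR+0=,tag:6PpFJx01dJELtGK1VeoqQg==,type:str]
+  lastmodified: "2025-06-12T10:24:24Z"
+  mac: ENC[AES256_GCM,data:5v7fpxak56kw+PUmvJZnMfzNzVn7pBLHJWqGr7RGg3tTF7k2HW9SAUAnLr3n/tB1QrE7N9ljZ8YoUOSn6qbcrj0FyF+SmWgUH+/M+SHzBPqROSn8VyqMX4lv+4p3KDJOCGa9l3LUUBzwKs6uu42FG5nHrB7iG/YHz44PqoL5ldE=,iv:5OZGUwKslfqM7i1XDMYh12uttuqzlgHNVO1r2hsn+fg=,tag:IiZawvODPvTzgTfwbZT4vw==,type:str]
   unencrypted_suffix: _unencrypted
   version: 3.10.2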