Configure truenas k3s instance

MacroPower · Dec 31, 2023 · dd07b2b · dd07b2b
1 parent c945623
commit dd07b2b
Show file tree

Hide file tree

Showing 21 changed files with 193 additions and 26 deletions.
diff --git a/applications/base/argocd/application.libsonnet b/applications/base/argocd/application.libsonnet
@@ -7,7 +7,7 @@ app.new(
 ).withChart(
   name='argo-cd',
   repoURL='https://argoproj.github.io/argo-helm',
-  targetRevision='5.51.6',
+  targetRevision='5.52.0',
   releaseName='argocd',
   values='values.yaml'
 )
diff --git a/...ents/store01/argocd/application.libsonnet → ...nments/nas01/argocd/application.libsonnet b/...ents/store01/argocd/application.libsonnet → ...nments/nas01/argocd/application.libsonnet
diff --git a/applications/environments/nas01/cert-manager/application.libsonnet b/applications/environments/nas01/cert-manager/application.libsonnet
@@ -0,0 +1 @@
+import '../../../base/cert-manager/application.libsonnet'
diff --git a/applications/environments/nas01/external-secrets/application.libsonnet b/applications/environments/nas01/external-secrets/application.libsonnet
@@ -0,0 +1 @@
+import '../../../base/external-secrets/application.libsonnet'
diff --git a/applications/environments/nas01/imports.libsonnet b/applications/environments/nas01/imports.libsonnet
@@ -0,0 +1,8 @@
+[
+  import 'argocd/application.libsonnet',
+  import 'external-secrets/application.libsonnet',
+  import 'cert-manager/application.libsonnet',
+  import 'prometheus/application.libsonnet',
+  import 'tailscale-operator/application.libsonnet',
+  import 'traefik/application.libsonnet',
+]
diff --git a/applications/environments/nas01/main.jsonnet b/applications/environments/nas01/main.jsonnet
@@ -0,0 +1,19 @@
+local apps = import 'imports.libsonnet';
+
+[
+  app
+  .withAppNamespace('argocd')
+  .withDestinationServer('https://kubernetes.default.svc')
+  .withExtVars({
+    ingressHost: '%s-.nas01.home.macro.network' % app.metadata.name,
+    ingressSuffix: '.nas01.home.macro.network',
+    ingressAnnotations: |||
+      'traefik.ingress.kubernetes.io/router.entrypoints': 'websecure'
+    |||,
+  })
+  .withBase(
+    repoURL='https://github.com/MacroPower/homelab',
+    targetRevision='main',
+  )
+  for app in apps
+]
diff --git a/applications/environments/nas01/prometheus/application.libsonnet b/applications/environments/nas01/prometheus/application.libsonnet
@@ -0,0 +1 @@
+import '../../../base/prometheus/application.libsonnet'
diff --git a/.../tailscale-operator/application.libsonnet → .../tailscale-operator/application.libsonnet b/.../tailscale-operator/application.libsonnet → .../tailscale-operator/application.libsonnet
@@ -1,5 +1,5 @@
 local app = import '../../../base/tailscale-operator/application.libsonnet';
 
 app.withChartParams({
-  'operatorConfig.hostname': 'tailscale-operator-store01.home.macro.network',
+  'operatorConfig.hostname': 'tailscale-operator.nas01.home.macro.network',
 })
diff --git a/applications/environments/nas01/traefik/application.libsonnet b/applications/environments/nas01/traefik/application.libsonnet
@@ -0,0 +1,22 @@
+local app = import '../../../base/traefik/application.libsonnet';
+
+app.withBasePath('applications/environments/nas01/traefik').withChartParams({
+  'tlsOptions.default.clientAuth': 'null',
+}).withChartValues(|||
+  image:
+    tag: v3.0.0-beta4
+
+  tracing:
+    openTelemetry:
+      address: main-collector.opentelemetry.svc:4317
+      grpc: true
+      insecure: true
+
+  env:
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: TRAEFIK_TRACING_OPENTELEMETRY_ADDRESS
+      value: "$(HOST_IP):4317"
+|||)
diff --git a/applications/environments/nas01/traefik/issuer.yaml b/applications/environments/nas01/traefik/issuer.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: traefik-selfsigned-issuer
+spec:
+  selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: traefik-cert
+spec:
+  secretName: traefik-cert
+  issuerRef:
+    kind: Issuer
+    name: traefik-selfsigned-issuer
+  dnsNames:
+    - "*.home.macro.network"
diff --git a/applications/environments/nas01/traefik/main.jsonnet b/applications/environments/nas01/traefik/main.jsonnet
@@ -0,0 +1,5 @@
+local dashboard_ingresss = import '../../../base/traefik/dashboard_ingress.libsonnet';
+local ns = import '../../../base/traefik/namespace.libsonnet';
+local issuer = std.parseYaml(importstr 'issuer.yaml');
+
+[ns] + issuer + dashboard_ingresss
diff --git a/hack/extra/argocd/kustomization.yaml b/hack/extra/argocd/kustomization.yaml
@@ -4,7 +4,7 @@ kind: Kustomization
 helmCharts:
   - name: argo-cd
     repo: https://argoproj.github.io/argo-helm
-    version: 5.51.6
+    version: 5.52.0
     releaseName: argocd
     namespace: argocd
     valuesFile: values.yaml

diff --git a/terraform/home/.auto.tfvars.tpl b/terraform/home/.auto.tfvars.tpl
@@ -1,9 +1,9 @@
 truenas_devices = {
-  store01 = {
-    name = "store01.home.macro.network"
-    ipv4 = "10.0.3.2"
-    ssh_password = "${STORE01_SSH_PASSWORD}"
-    apikey = "${STORE01_APIKEY}"
+  nas01 = {
+    fqdn         = "nas01.home.macro.network"
+    ipv4         = "10.10.1.1"
+    ssh_password = "${NAS01_SSH_PASSWORD}"
+    apikey       = "${NAS01_APIKEY}"
   }
 }
 
@@ -17,4 +17,4 @@ unifi_sites = {
   }
 }
 
-doppler_token = "${STORE01_DOPPLER_TOKEN}"
+doppler_token = "${NAS01_DOPPLER_TOKEN}"
diff --git a/terraform/home/.terraform.lock.hcl b/terraform/home/.terraform.lock.hcl
diff --git a/terraform/home/README.md b/terraform/home/README.md
@@ -17,12 +17,16 @@ terraform apply -target=module.mikrotik_agg_api
 
 ### TrueNAS
 
-1. Network -> Global Configuration -> Settings
+1. DEL (Enter BIOS)
+    - Set time to UTC
+2. Network -> Global Configuration -> Settings
     - Set hostname
     - Check "Inherit domain from DHCP"
-2. System Settings -> Services -> SSH
+3. System Settings -> Services -> SSH
     - Check "Log in as Root with Password"
     - Check "Allow Password Authentication"
     - Uncheck Start Automatically
     - Start the SSH service
     - Once provisioning is complete, SSH can be disabled
+4. Apps
+    - Choose a pool for Apps
diff --git a/terraform/home/get_kubeconfig.sh b/terraform/home/get_kubeconfig.sh
@@ -0,0 +1,3 @@
+terraform output -raw kubeconfig > kubeconfig.yaml
+
+KUBECONFIG=kubeconfig.yaml:~/.kube/config kubectl config view --flatten > ~/.kube/config
diff --git a/terraform/home/main.tf b/terraform/home/main.tf
@@ -9,20 +9,25 @@ terraform {
   }
 }
 
-# module "truenas_store01_k3s" {
-#   source = "./modules/truenas-k3s"
+module "nas01_k3s" {
+  source = "./modules/truenas-k3s"
 
-#   name = var.truenas_devices.store01.name
-#   ipv4 = var.truenas_devices.store01.ipv4
+  fqdn = var.truenas_devices.nas01.fqdn
+  ipv4 = var.truenas_devices.nas01.ipv4
 
-#   ssh_password = var.truenas_devices.store01.ssh_password
+  ssh_password = var.truenas_devices.nas01.ssh_password
 
-#   argocd_kustomization      = abspath("../../hack/extra/argocd")
-#   argocd_apps_kustomization = abspath("../../hack/extra/argocd-apps")
-#   doppler_kustomization     = abspath("../../hack/extra/doppler")
+  argocd_kustomization      = abspath("../../hack/extra/argocd")
+  argocd_apps_kustomization = abspath("../../hack/extra/argocd-apps")
+  doppler_kustomization     = abspath("../../hack/extra/doppler")
 
-#   doppler_secrets_tpl_doppler_token = var.doppler_token
-# }
+  doppler_secrets_tpl_doppler_token = var.doppler_token
+}
+
+output "kubeconfig" {
+  sensitive = true
+  value     = module.nas01_k3s.kubeconfig
+}
 
 module "unifi" {
   source = "./modules/unifi"

diff --git a/terraform/home/modules/truenas-k3s/main.tf b/terraform/home/modules/truenas-k3s/main.tf
@@ -4,13 +4,31 @@ locals {
   argocd_apps_dir = "${local.manifests_dir}/argocd-apps/"
   doppler_dir     = "${local.manifests_dir}/doppler/"
 
+  environment_name = split(".", var.fqdn)[0]
+
   argocd_apps_apps_tpl_base_filename = "apps.yaml"
   doppler_secrets_tpl_base_filename  = "secrets.yaml"
 
   k_cmd = "k3s kubectl"
 }
 
-resource "null_resource" "truenas_k3s_init" {
+resource "null_resource" "truenas_k3s_firewall" {
+  connection {
+    type     = "ssh"
+    host     = var.ipv4
+    port     = 22
+    user     = "root"
+    password = var.ssh_password
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "iptables -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment \"iX Custom Rule to allow connection requests to k8s cluster from all external sources\" -j ACCEPT"
+    ]
+  }
+}
+
+resource "null_resource" "truenas_k3s_bootstrap" {
   connection {
     type     = "ssh"
     host     = var.ipv4
@@ -43,7 +61,7 @@ resource "null_resource" "truenas_k3s_init" {
 
   provisioner "file" {
     content = templatefile("${var.argocd_apps_kustomization}/${local.argocd_apps_apps_tpl_base_filename}.tpl", {
-      environment_name = split(".", var.name)[0]
+      environment_name = local.environment_name
     })
     destination = "${local.argocd_apps_dir}${local.argocd_apps_apps_tpl_base_filename}"
   }
@@ -64,3 +82,18 @@ resource "null_resource" "truenas_k3s_init" {
     ]
   }
 }
+
+data "remote_file" "kubeconfig" {
+  conn {
+    host     = var.ipv4
+    port     = 22
+    user     = "root"
+    password = var.ssh_password
+  }
+  path = "/etc/rancher/k3s/k3s.yaml"
+}
+
+output "kubeconfig" {
+  sensitive = true
+  value     = replace(replace(data.remote_file.kubeconfig.content, "127.0.0.1", var.fqdn), "/: default\\n/", ": ${local.environment_name}\n")
+}
diff --git a/terraform/home/modules/truenas-k3s/providers.tf b/terraform/home/modules/truenas-k3s/providers.tf
@@ -1,3 +1,8 @@
 terraform {
-  required_providers {}
+  required_providers {
+    remote = {
+      source  = "tenstad/remote"
+      version = "0.1.2"
+    }
+  }
 }
diff --git a/terraform/home/modules/truenas-k3s/variables.tf b/terraform/home/modules/truenas-k3s/variables.tf
@@ -1,4 +1,4 @@
-variable "name" {
+variable "fqdn" {
   type = string
 }
 

diff --git a/terraform/home/variables.tf b/terraform/home/variables.tf
@@ -1,6 +1,6 @@
 variable "truenas_devices" {
   type = map(object({
-    name         = string
+    fqdn         = string
     ipv4         = string
     ssh_password = string
     apikey       = string