Terraform resources for Harvester VM and LBs

Author: vulkoingim

.pre-commit-config.yaml

@@ -52,4 +52,11 @@ repos:
  language: system
  pass_filenames: false
 
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.75.0
+ hooks:
+ - id: terraform_fmt
+ args:
+ - --args=-diff
+
 exclude: ^install/installer/.*/.*\.golden$

dev/preview/.gitignore

@@ -3,3 +3,4 @@
 *.tfstate
 *.tfstate.backup
 *.plan
+*.tfvars

dev/preview/infrastructure/harvester/cloudinit.yaml

@@ -0,0 +1,104 @@
+#cloud-config
+users:
+- name: ubuntu
+ sudo: "ALL=(ALL) NOPASSWD: ALL"
+ ssh_authorized_keys:
+ - ${ssh_authorized_keys}
+chpasswd:
+ list: |
+ ubuntu:ubuntu
+ expire: False
+write_files:
+ - path: /etc/disable-services.sh
+ permissions: '0755'
+ content: |
+ #!/bin/bash
+ systemctl disable google-guest-agent &
+ systemctl disable google-startup-scripts &
+ systemctl disable google-osconfig-agent &
+ systemctl disable google-oslogin-cache.timer &
+ systemctl disable google-shutdown-scripts &
+ systemctl stop google-guest-agent &
+ systemctl stop google-startup-scripts &
+ systemctl stop google-osconfig-agent &
+ systemctl stop google-oslogin-cache.timer &
+ systemctl stop google-shutdown-scripts &
+ - path: /etc/ssh/sshd_config.d/101-change-ssh-port.conf
+ permissions: '0644'
+ owner: root
+ content: 'Port 2200'
+
+ - path: /usr/local/bin/bootstrap-k3s.sh
+ permissions: '0744'
+ owner: root
+ content: |
+ #!/bin/bash
+
+ set -eo pipefail
+
+ cat <<EOF >> /etc/containerd/config.toml
+ [plugins."io.containerd.grpc.v1.cri".registry.configs."registry-1.docker.io".auth]
+ username = "${dockerhub_user}"
+ password = "${dockerhub_passwd}"
+ EOF
+ sudo systemctl restart containerd.service
+
+ # inspired by https://github.com/gitpod-io/ops/blob/main/deploy/workspace/templates/bootstrap.sh
+
+ # Install k3s
+ export INSTALL_K3S_SKIP_DOWNLOAD=true
+
+ /usr/local/bin/install-k3s.sh \
+ --token "1234" \
+ --node-ip "$(hostname -I | cut -d ' ' -f1)" \
+ --node-label "cloud.google.com/gke-nodepool=control-plane-pool" \
+ --container-runtime-endpoint=/var/run/containerd/containerd.sock \
+ --write-kubeconfig-mode 444 \
+ --disable traefik \
+ --disable metrics-server \
+ --flannel-backend=none \
+ --kubelet-arg config=/etc/kubernetes/kubelet-config.json \
+ --kubelet-arg cgroup-driver=systemd \
+ --kubelet-arg feature-gates=LocalStorageCapacityIsolation=true \
+ --kubelet-arg feature-gates=LocalStorageCapacityIsolationFSQuotaMonitoring=true \
+ --kube-apiserver-arg feature-gates=LocalStorageCapacityIsolation=true \
+ --kube-apiserver-arg feature-gates=LocalStorageCapacityIsolationFSQuotaMonitoring=true \
+ --cluster-init
+
+ # Seems like this is a bit flaky now, with k3s not always being ready, and the labeling
+ # failing occasionally. Sleeping for a bit solves it.
+ sleep 10
+
+ kubectl label nodes ${vm_name} \
+ gitpod.io/workload_meta=true \
+ gitpod.io/workload_ide=true \
+ gitpod.io/workload_workspace_services=true \
+ gitpod.io/workload_workspace_regular=true \
+ gitpod.io/workload_workspace_headless=true \
+ gitpod.io/workspace_0=true \
+ gitpod.io/workspace_1=true \
+ gitpod.io/workspace_2=true
+
+ # apply fix from https://github.com/k3s-io/klipper-lb/issues/6 so we can use the klipper servicelb
+ # this can be removed if https://github.com/gitpod-io/gitpod-packer-gcp-image/pull/20 gets merged
+ cat /var/lib/gitpod/manifests/calico.yaml | sed s/__KUBERNETES_NODE_NAME__\"\,/__KUBERNETES_NODE_NAME__\",\ \"container_settings\"\:\ \{\ \"allow_ip_forwarding\"\:\ true\ \}\,/ > /var/lib/gitpod/manifests/calico2.yaml
+
+ sed -i 's/docker.io/quay.io/g' /var/lib/gitpod/manifests/calico2.yaml
+ sed -i 's/interface=ens/interface=en/g' /var/lib/gitpod/manifests/calico2.yaml
+ sed -i 's/\$CLUSTER_IP_RANGE/10.20.0.0\/16/g' /var/lib/gitpod/manifests/calico2.yaml
+
+ kubectl apply -f /var/lib/gitpod/manifests/calico2.yaml
+
+ kubectl apply -f /var/lib/gitpod/manifests/cert-manager.yaml
+ kubectl apply -f /var/lib/gitpod/manifests/metrics-server.yaml
+
+ # install CSI snapshotter CRDs and snapshot controller
+ kubectl apply -f /var/lib/gitpod/manifests/csi-driver.yaml || true
+ kubectl apply -f /var/lib/gitpod/manifests/csi-config.yaml || true
+
+ cat <<EOF >> /etc/bash.bashrc
+ export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+ EOF
+runcmd:
+ - bash /etc/disable-services.sh
+ - bash /usr/local/bin/bootstrap-k3s.sh

dev/preview/infrastructure/harvester/lb.tf

@@ -0,0 +1,65 @@
+resource "kubernetes_deployment" "dev-loadbalancer" {
+ provider = k8s.dev
+
+ metadata {
+ name = "lb-${var.preview_name}"
+ namespace = "loadbalancers"
+ labels = {
+ "gitpod.io/lbName" = var.preview_name
+ }
+ }
+
+ spec {
+ replicas = 1
+
+ selector {
+ match_labels = {
+ "gitpod.io/lbName" = var.preview_name
+ }
+ }
+
+ template {
+ metadata {
+ name = "lb"
+ labels = {
+ "gitpod.io/lbName" = var.preview_name
+ }
+ }
+
+ spec {
+ service_account_name = "proxy"
+ enable_service_links = false
+
+ volume {
+ name = "kubeconfig"
+ secret {
+ secret_name = "harvester-kubeconfig"
+ }
+ }
+
+ container {
+ image = "bitnami/kubectl:1.25.2"
+ name = "kubectl"
+ args = [
+ "port-forward",
+ "--kubeconfig",
+ "/mnt/kubeconfig/harvester-kubeconfig.yml",
+ "-n",
+ kubernetes_namespace.preview_namespace.metadata[0].name,
+ "--address=0.0.0.0",
+ "--pod-running-timeout=2m",
+ "svc/proxy",
+ "4430:443",
+ "2200:22",
+ ]
+
+ volume_mount {
+ mount_path = "/mnt/kubeconfig/"
+ name = "kubeconfig"
+ read_only = true
+ }
+ }
+ }
+ }
+ }
+}

dev/preview/infrastructure/harvester/namespace.tf

@@ -1,4 +1,4 @@
-resource "kubernetes_namespace" "example" {
+resource "kubernetes_namespace" "preview_namespace" {
  provider = k8s.harvester
  metadata {
  name = "preview-${var.preview_name}"

dev/preview/infrastructure/harvester/svc.tf

@@ -0,0 +1,86 @@
+# Load balancer in the DEV cluster
+resource "kubernetes_service" "dev-svc" {
+ provider = k8s.dev
+ metadata {
+ name = "lb-${var.preview_name}"
+ namespace = "loadbalancers"
+ }
+ spec {
+ port {
+ name = "ssh-gateway"
+ protocol = "TCP"
+ port = 22
+ target_port = 2200
+ }
+ port {
+ name = "https"
+ protocol = "TCP"
+ port = 443
+ target_port = 4430
+ }
+ selector = {
+ "gitpod.io/lbName" = var.preview_name
+ }
+ type = "LoadBalancer"
+ }
+}
+
+# Proxy service in the HARVESTER cluster, same namespace
+resource "kubernetes_service" "harvester-svc" {
+ provider = k8s.harvester
+ metadata {
+ name = "proxy"
+ namespace = kubernetes_namespace.preview_namespace.metadata[0].name
+ }
+
+ spec {
+ port {
+ name = "ssh-gateway"
+ protocol = "TCP"
+ port = 22
+ target_port = 22
+ }
+ port {
+ name = "vm-ssh"
+ protocol = "TCP"
+ port = 2200
+ target_port = 2200
+ }
+ port {
+ name = "http"
+ protocol = "TCP"
+ port = 80
+ target_port = 80
+ }
+ port {
+ name = "https"
+ protocol = "TCP"
+ port = 443
+ target_port = 4430
+ }
+ port {
+ name = "kube-api"
+ protocol = "TCP"
+ port = 6443
+ target_port = 6443
+ }
+ port {
+ name = "prometheus"
+ protocol = "TCP"
+ port = 9090
+ target_port = 32001
+ }
+ port {
+ name = "grafana"
+ protocol = "TCP"
+ port = 3000
+ target_port = 32000
+ }
+
+ selector = {
+ "harvesterhci.io/vmName" = var.preview_name
+ }
+
+ type = "ClusterIP"
+ }
+}

dev/preview/infrastructure/harvester/variables.tf

@@ -14,3 +14,37 @@ variable "dev_kube_path" {
  description = "The path to the Dev Cluster kubeconfig"
  default = "~/.kube/dev"
 }
+
+variable "vm_memory" {
+ type = string
+ default = "2Gi"
+ description = "Memory for the VM"
+}
+
+variable "vm_cpu" {
+ type = number
+ default = 2
+ description = "CPU for the VM"
+}
+
+variable "vm_image" {
+ type = string
+ default = "default/gitpod-k3s-202209251218"
+ description = "The image name"
+}
+
+variable "dockerhub_user" {
+ type = string
+ description = "The dockerhub user used to pull images in k3s"
+}
+
+variable "dockerhub_password" {
+ type = string
+ description = "The password for the dockerhub user used to pull images in k3s"
+}
+
+variable "vm_storage_class" {
+ type = string
+ default = "longhorn-gitpod-k3s-202209251218-onereplica"
+ description = "The storage class for the VM"
+}