
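#cloud-config
# First (and only) k3s server node. {{PUBLIC_IPV4}} / {{PRIVATE_IPV4}} are
# placeholders substituted by the provisioning tooling before this file is
# handed to the instance; nothing here expands them at runtime.
package_update: true
package_upgrade: true
packages:
  - ca-certificates
  - curl
  - gnupg
  - jq
  - nfs-common
  - open-iscsi
  - apt-transport-https
  - software-properties-common
  - unattended-upgrades
  - ufw

write_files:
  # Kernel tunables for a single-node cluster; loaded by `sysctl --system` in runcmd.
  - path: /etc/sysctl.d/90-k3s-single-node.conf
    permissions: '0644'
    owner: root:root
    content: |
      vm.max_map_count=1048575
      fs.inotify.max_user_instances=8192
      fs.inotify.max_user_watches=1048576
      fs.file-max=1048576
      net.core.somaxconn=65535
      net.ipv4.ip_local_port_range=1024 65535
      net.ipv4.tcp_tw_reuse=1

  # k3s server configuration, read by the installer below. Mode 0600 because
  # server config can carry secrets (tokens) even if this one does not yet.
  - path: /etc/rancher/k3s/config.yaml
    permissions: '0600'
    owner: root:root
    content: |
      write-kubeconfig-mode: "0640"
      kube-apiserver-arg:
        - anonymous-auth=false
      protect-kernel-defaults: true
      disable:
        - traefik

  # Post-install wiring run as the last runcmd step, once k3s is installed.
  - path: /usr/local/bin/post-k3s-bootstrap.sh
    permissions: '0755'
    owner: root:root
    content: |
      #!/usr/bin/env bash
      # Waits for the kubeconfig that k3s writes on first start, prepares local
      # storage directories, installs Helm, records bootstrap metadata, and
      # publishes private-IP kubeconfigs for automation and (if present) the
      # ubuntu account. Exits non-zero if k3s never produces a kubeconfig.
      set -euo pipefail

      K3S_KUBECONFIG_SRC=/etc/rancher/k3s/k3s.yaml

      # Copy the k3s admin kubeconfig to $1 (owner $2, group $3, mode $4) and
      # point its server URL at the private IP so it is usable off-box over
      # the private network. Assumes the private IP is covered by the API
      # server's TLS SANs (k3s adds --node-ip/--advertise-address) — confirm.
      publish_kubeconfig() {
        local dest="$1" owner="$2" group="$3" mode="$4"
        install -o "$owner" -g "$group" -m "$mode" "$K3S_KUBECONFIG_SRC" "$dest"
        sed -i 's/127\.0\.0\.1/{{PRIVATE_IPV4}}/' "$dest"
      }

      # The k3s installer returns once systemd has started the unit; the
      # kubeconfig appears shortly after, so wait for it (bounded) rather
      # than racing the copies below.
      for _ in $(seq 1 60); do
        [ -s "$K3S_KUBECONFIG_SRC" ] && break
        sleep 5
      done
      if [ ! -s "$K3S_KUBECONFIG_SRC" ]; then
        echo "timed out waiting for $K3S_KUBECONFIG_SRC" >&2
        exit 1
      fi

      install -d -m 0755 /var/lib/redpanda/data /var/lib/unrip/executor-state
      chown root:root /var/lib/redpanda/data /var/lib/unrip/executor-state
      systemctl enable --now iscsid || true

      export KUBECONFIG="$K3S_KUBECONFIG_SRC"
      # Unpinned upstream installer piped to bash; pin with
      # DESIRED_VERSION=<helm-version> and/or verify the script against a
      # known checksum so a change upstream cannot alter this node silently.
      curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

      install -d -m 0755 /usr/local/share/unrip
      cat >/usr/local/share/unrip/bootstrap-metadata.env <<'EOF'
      BOOTSTRAP_MODE=k3s-single-node
      BOOTSTRAP_PROJECT_NAME=unrip
      BOOTSTRAP_PROJECT_NAMESPACE=unrip
      K3S_KUBECONFIG=/opt/bootstrap/kubeconfig-internal.yaml
      BOOTSTRAP_MANIFEST_SOURCE=operator-workstation
      GITOPS_HANDOFF=seed-self-hosted-git-and-runner
      EOF
      chmod 0644 /usr/local/share/unrip/bootstrap-metadata.env

      # Admin-level credentials: readable only by root and the k3s-readers group.
      install -d -m 0755 /opt/bootstrap
      publish_kubeconfig /opt/bootstrap/kubeconfig-internal.yaml root k3s-readers 0640
      cat >/opt/bootstrap/README.txt <<'EOF'
      This node was provisioned by Terraform + cloud-init.
      Use /opt/bootstrap/kubeconfig-internal.yaml for automation.
      Bootstrap metadata lives at /usr/local/share/unrip/bootstrap-metadata.env.
      Kubernetes bootstrap assets are applied from the operator workstation after provisioning.
      EOF
      chmod 0644 /opt/bootstrap/README.txt
      if command -v kubectl >/dev/null 2>&1; then
        kubectl get nodes -o wide >/opt/bootstrap/kubectl-get-nodes.txt
      fi

      # The ubuntu account may not exist on this image; only wire it up when it does.
      if id ubuntu >/dev/null 2>&1; then
        usermod -aG k3s-readers ubuntu || true
        install -d -o ubuntu -g ubuntu -m 0700 /home/ubuntu/.kube
        publish_kubeconfig /home/ubuntu/.kube/config ubuntu ubuntu 0600
      fi

runcmd:
  - sysctl --system
  - systemctl enable unattended-upgrades
  - systemctl enable --now ufw
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow 22/tcp
  # Kubernetes API exposed on the public IP; prefer restricting it to the
  # operator/CI source ranges (`ufw allow from <CIDR> to any port 6443 proto tcp`).
  - ufw allow 6443/tcp
  - ufw allow 80/tcp
  - ufw allow 443/tcp
  # Pod and service traffic must pass the firewall. These are the k3s default
  # cluster-cidr and service-cidr; config.yaml above does not override them.
  - ufw allow from 10.42.0.0/16 to any
  - ufw allow from 10.43.0.0/16 to any
  # `systemctl enable --now ufw` alone leaves ENABLED=no in /etc/ufw/ufw.conf,
  # so the rules above would be stored but not enforced. --force skips the
  # interactive confirmation, which would otherwise abort under cloud-init.
  - ufw --force enable
  - groupadd --system k3s-readers || true
  - mkdir -p /etc/rancher/k3s
  # Unpinned upstream installer; pin with INSTALL_K3S_VERSION=<k3s-version>
  # (and verify the script) so a new release cannot change this node unnoticed.
  - >-
    curl -sfL https://get.k3s.io |
    INSTALL_K3S_EXEC='server --cluster-init --tls-san {{PUBLIC_IPV4}}
    --node-ip {{PRIVATE_IPV4}} --advertise-address {{PRIVATE_IPV4}}
    --flannel-backend vxlan --disable servicelb' sh -
  # Do not call `cloud-init status --wait` here: runcmd runs in cloud-init's
  # final stage, so the wait would block on the very stage executing this
  # list. The script below waits for k3s readiness itself.
  - /usr/local/bin/post-k3s-bootstrap.sh

final_message: "cloud-init finished: k3s first node bootstrapped"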