@koboltmarky
Last active July 14, 2021 15:53
rancher2_cluster definition
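# Custom RKE cluster managed through Rancher. Nodes come from var.nodes (one
# entry per node with address / role / hostname_override); images are pulled
# from a private registry, and the services section carries kubelet /
# controller / API-server hardening flags. The nodes themselves are joined by
# null_resource.init_cluster, not by this resource.
resource "rancher2_cluster" "rancher-cluster" {
  provider    = rancher2
  name        = var.rancher_cluster_name
  description = var.rancher_cluster_description

  rke_config {
    kubernetes_version = var.kubernetes_version

    # The registry password is written to Terraform state (and to the cluster
    # config Rancher keeps); declare var.docker_registry_password as
    # sensitive where the variable is defined.
    private_registries {
      url        = var.docker_registry_url
      user       = var.docker_registry_user
      password   = var.docker_registry_password
      is_default = true
    }

    ssh_key_path = var.ssh_key_file_name

    # One nodes block per entry of var.nodes; every node uses var.node_username.
    dynamic "nodes" {
      iterator = node
      for_each = var.nodes
      content {
        address           = node.value["address"]
        user              = var.node_username
        role              = node.value["role"]
        hostname_override = node.value["hostname_override"]
      }
    }

    # Extra SANs for the kube-apiserver certificate. "x.x.x.x" looks like a
    # placeholder and has to be replaced with the real VIP / load-balancer
    # address the kubeconfig will point at.
    authentication {
      sans = [
        "x.x.x.x"
      ]
    }

    services {
      # etcd runs under a fixed non-root uid/gid; data and WAL directories are
      # host paths bind-mounted into the container. Snapshots every 6 hours,
      # 24 kept (roughly six days).
      etcd {
        gid = "52034"
        uid = "52034"
        extra_args = {
          "data-dir" = "/var/lib/rancher/etcd/data/"
          "wal-dir"  = "/var/lib/rancher/etcd/wal/wal_dir"
        }
        extra_binds = [
          "/var/lib/etcd/data:/var/lib/rancher/etcd/data",
          "/var/lib/etcd/wal:/var/lib/rancher/etcd/wal",
        ]
        backup_config {
          interval_hours = 6
          retention      = 24
        }
      }

      kubelet {
        extra_args = {
          "feature-gates"                     = "VolumeSnapshotDataSource=true,CSIDriverRegistry=true,RotateKubeletServerCertificate=true",
          # No unauthenticated access to the kubelet API.
          "anonymous-auth"                    = "false",
          "make-iptables-util-chains"         = "true",
          "protect-kernel-defaults"           = "true",
          "streaming-connection-idle-timeout" = "1800s",
          # NOTE(review): the two trailing TLS_RSA_* suites use static RSA key
          # exchange and give no forward secrecy. kube-apiserver, the kubelet's
          # TLS client, negotiates the ECDHE suites listed first, so the RSA
          # ones can likely be dropped — confirm no other client needs them.
          "tls-cipher-suites"                 = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256",
        }
        # Kubelet starts even when swap is enabled on the host.
        fail_swap_on                 = false
        # Serving certificate issued by the cluster CA instead of self-signed.
        generate_serving_certificate = true
        cluster_domain               = var.cluster_domain
      }

      kube_controller {
        extra_args = {
          # Keep the controller-manager's plain HTTP port on loopback only and
          # disable the /debug/pprof profiling endpoint.
          "address"                     = "127.0.0.1",
          "feature-gates"               = "RotateKubeletServerCertificate=true",
          "profiling"                   = "false",
          "terminated-pod-gc-threshold" = "1000",
        }
      }

      scheduler {
        extra_args = {
          # Same loopback-only / no-profiling posture as kube_controller.
          "address"   = "127.0.0.1",
          "profiling" = "false",
        }
      }

      kube_api {
        extra_args = {
          "feature-gates" = "VolumeSnapshotDataSource=true,CSIDriverRegistry=true",
        }
        # Secrets are encrypted at rest in etcd.
        secrets_encryption_config {
          enabled = true
        }
        event_rate_limit {
          enabled = true
        }
        # NOTE(review): PodSecurityPolicy (policy/v1beta1) was deprecated in
        # Kubernetes 1.21 and removed in 1.25. This flag, the restricted-psp
        # addon below and default_pod_security_policy_template_id only take
        # effect on older versions; newer clusters need Pod Security Admission
        # or an external policy engine instead.
        pod_security_policy = true
        audit_log {
          enabled = true
        }
      }
    }

    cloud_provider {
      name = "external"
    }

    # Baseline PSP applied as a cluster addon: no privileged pods, no
    # privilege escalation, non-root UID, NET_RAW dropped, restricted volume
    # types (no hostPath). Indentation is significant here — the manifest
    # is applied verbatim as YAML.
    addons = <<EOL
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
spec:
  requiredDropCapabilities:
    - NET_RAW
  privileged: false
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - emptyDir
    - secret
    - persistentVolumeClaim
    - downwardAPI
    - configMap
    - projected
EOL
  }

  enable_network_policy                   = true
  default_pod_security_policy_template_id = "restricted"
  enable_cluster_monitoring               = false

  # Authorized cluster endpoint: kubeconfigs can reach the API server directly
  # at var.fqdn instead of only through the Rancher server proxy. The
  # certificate presented there must cover that name (see sans above).
  cluster_auth_endpoint {
    enabled = true
    fqdn    = var.fqdn
  }
}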
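# Joins every node in var.nodes to the cluster over SSH once the Rancher
# cluster object exists. Instances are keyed by node address, so adding or
# removing a node only re-runs the provisioner for that node.
resource "null_resource" "init_cluster" {
  depends_on = [
    rancher2_cluster.rancher-cluster,
  ]
  for_each = { for node in var.nodes : node.address => node }

  connection {
    host        = each.value.address
    user        = var.node_username
    private_key = file(var.ssh_key_file_name)
  }

  provisioner "remote-exec" {
    # Bootstrap script called with private_ip of each node in the cluster.
    # The inline commands interpolate the registry password and the cluster
    # registration token, so both appear in plan/apply output and in state;
    # declare var.docker_registry_password as sensitive where it is defined.
    inline = [
      # --password-stdin keeps the credential out of the docker process's
      # argv on the node (and avoids the CLI's "--password is insecure"
      # warning). The single-quoted interpolation assumes the password and
      # user contain no single quote — same constraint as before.
      "printf '%s' '${var.docker_registry_password}' | docker login -u '${var.docker_registry_user}' --password-stdin ${var.docker_registry_url}",
      #"sleep ${each.value.sleep}",
      # node_command is run without its first five characters — presumably
      # the leading "sudo " prefix (confirm against the provider output) —
      # with this node's role flags appended.
      "${substr(rancher2_cluster.rancher-cluster.cluster_registration_token.0.node_command, 5, length(rancher2_cluster.rancher-cluster.cluster_registration_token.0.node_command))} ${each.value.register_rancher_role}",
      # Drop the registry credential from the node again once the agent
      # image has been pulled.
      "docker logout ${var.docker_registry_url}",
    ]
  }
}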
# Blocks until the cluster reports Active after the nodes have been joined by
# null_resource.init_cluster. Only the cluster state itself is awaited; the
# alerting, catalog and monitoring readiness checks the provider offers are
# switched off.
resource "rancher2_cluster_sync" "wait-for-cluster-is-ready" {
  cluster_id = rancher2_cluster.rancher-cluster.id

  depends_on = [
    null_resource.init_cluster,
  ]

  # The Active state has to be observed this many times (provider re-checks)
  # before the sync is considered complete.
  state_confirm = 2

  wait_alerting   = false
  wait_catalogs   = false
  wait_monitoring = false
}