Upgrade to Ubuntu 22.04 and Kubernetes 1.26, replace obsolete Terrafo…

…rm `template_file` resource (#82)
hobby-kube · Jan 24, 2023 · 17eeb23 · 17eeb23
1 parent 296864e
commit 17eeb23
Show file tree

Hide file tree

Showing 13 changed files with 155 additions and 169 deletions.
diff --git a/README.md b/README.md
@@ -47,7 +47,7 @@ export TF_VAR_hcloud_ssh_keys='["<description-key1>", "<description-key2>"]'
 # Defaults:
 # export TF_VAR_hcloud_location="nbg1"
 # export TF_VAR_hcloud_type="cx11"
-# export TF_VAR_hcloud_image="ubuntu-20.04"
+# export TF_VAR_hcloud_image="ubuntu-22.04"
 ```
 
 SSH keys are referenced by their description. Visit the Hetzner Cloud console at
@@ -62,7 +62,7 @@ export TF_VAR_scaleway_secret_key=<secret_key>
 # Defaults:
 # export TF_VAR_scaleway_zone="nl-ams-1"
 # export TF_VAR_scaleway_type="DEV1-S"
-# export TF_VAR_scaleway_image="Ubuntu 20.04 Focal Fossa"
+# export TF_VAR_scaleway_image="Ubuntu 22.04 Jammy Jellyfish"
 
 ```
 
@@ -75,7 +75,7 @@ export TF_VAR_digitalocean_ssh_keys='["<id-key1>", "<id-key2>"]'
 # Defaults:
 # export TF_VAR_digitalocean_region="fra1"
 # export TF_VAR_digitalocean_size="1gb"
-# export TF_VAR_digitalocean_image="ubuntu-20-04-x64"
+# export TF_VAR_digitalocean_image="ubuntu-22-04-x64"
 ```
 
 You can get SSH key IDs using [this API](https://developers.digitalocean.com/documentation/v2/#list-all-keys).
@@ -88,7 +88,7 @@ export TF_VAR_packet_project_id=<uuid>
 # Defaults:
 # export TF_VAR_packet_facility="sjc1"
 # export TF_VAR_packet_plan="c1.small.x86"
-# export TF_VAR_packet_operating_system="ubuntu_20_04"
+# export TF_VAR_packet_operating_system="ubuntu_22_04"
 ```
 
 #### Using vSphere as provider
@@ -119,7 +119,7 @@ export TF_VAR_upcloud_ssh_keys='["<PUBLIC KEY HERE>"]'
 # Defaults:
 # export TF_VAR_upcloud_zone="de-fra1"
 # export TF_VAR_upcloud_plan="1xCPU-2GB"
-# export TF_VAR_upcloud_disk_template="Ubuntu Server 20.04 LTS (Focal Fossa)"
+# export TF_VAR_upcloud_disk_template="Ubuntu Server 22.04 LTS (Jammy Jellyfish)"
 ```
 
 You will need API credentials to use the UpCloud terraform provider, see https://upcloud.com/community/tutorials/getting-started-upcloud-api/ for more info.

diff --git a/provider/hcloud/main.tf b/provider/hcloud/main.tf
@@ -21,15 +21,15 @@ variable "image" {
 }
 
 variable "ssh_keys" {
-  type = list
+  type = list(string)
 }
 
 provider "hcloud" {
   token = var.token
 }
 
 variable "apt_packages" {
-  type    = list
+  type    = list(string)
   default = []
 }
 
@@ -68,15 +68,15 @@ resource "hcloud_server" "host" {
 # }
 
 output "hostnames" {
-  value = "${hcloud_server.host.*.name}"
+  value = hcloud_server.host.*.name
 }
 
 output "public_ips" {
-  value = "${hcloud_server.host.*.ipv4_address}"
+  value = hcloud_server.host.*.ipv4_address
 }
 
 output "private_ips" {
-  value = "${hcloud_server.host.*.ipv4_address}"
+  value = hcloud_server.host.*.ipv4_address
 }
 
 output "private_network_interface" {

diff --git a/security/ufw/main.tf b/security/ufw/main.tf
@@ -1,7 +1,7 @@
 variable "node_count" {}
 
 variable "connections" {
-  type = list
+  type = list(any)
 }
 
 variable "private_interface" {
@@ -29,7 +29,7 @@ resource "null_resource" "firewall" {
   count = var.node_count
 
   triggers = {
-    template = data.template_file.ufw.rendered
+    template = data.null_data_source.ufw.outputs.content
   }
 
   connection {
@@ -40,20 +40,19 @@ resource "null_resource" "firewall" {
 
   provisioner "remote-exec" {
     inline = [
-      data.template_file.ufw.rendered
+      data.null_data_source.ufw.outputs.content
     ]
-
   }
 }
 
-data "template_file" "ufw" {
-  template = file("${path.module}/scripts/ufw.sh")
-
-  vars = {
-    private_interface    = var.private_interface
-    kubernetes_interface = var.kubernetes_interface
-    vpn_interface        = var.vpn_interface
-    vpn_port             = var.vpn_port
-    additional_rules     = join("\nufw ", flatten(["", var.additional_rules]))
+data "null_data_source" "ufw" {
+  inputs = {
+    content = templatefile("${path.module}/scripts/ufw.sh", {
+      private_interface    = var.private_interface
+      kubernetes_interface = var.kubernetes_interface
+      vpn_interface        = var.vpn_interface
+      vpn_port             = var.vpn_port
+      additional_rules     = join("\nufw ", flatten(["", var.additional_rules]))
+    })
   }
 }
diff --git a/security/wireguard/main.tf b/security/wireguard/main.tf
@@ -1,11 +1,11 @@
 variable "node_count" {}
 
 variable "connections" {
-  type = list
+  type = list(any)
 }
 
 variable "private_ips" {
-  type = list
+  type = list(any)
 }
 
 variable "vpn_interface" {
@@ -17,7 +17,7 @@ variable "vpn_port" {
 }
 
 variable "hostnames" {
-  type = list
+  type = list(any)
 }
 
 variable "overlay_cidr" {
@@ -44,6 +44,11 @@ resource "null_resource" "wireguard" {
   provisioner "remote-exec" {
     inline = [
       "echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf",
+
+      "echo br_netfilter > /etc/modules-load.d/kubernetes.conf",
+      "modprobe br_netfilter",
+      "echo net.bridge.bridge-nf-call-iptables=1 >> /etc/sysctl.conf",
+
       "sysctl -p",
     ]
   }
@@ -56,7 +61,18 @@ resource "null_resource" "wireguard" {
   }
 
   provisioner "file" {
-    content     = element(data.template_file.interface-conf.*.rendered, count.index)
+    content = templatefile("${path.module}/templates/interface.conf", {
+      address     = element(local.vpn_ips, count.index)
+      port        = var.vpn_port
+      private_key = element(data.external.keys.*.result.private_key, count.index)
+      peers = templatefile("${path.module}/templates/peer.conf", {
+        exclude_index = count.index
+        endpoints     = var.private_ips
+        port          = var.vpn_port
+        public_keys   = data.external.keys.*.result.public_key
+        allowed_ips = local.vpn_ips
+      })
+    })
     destination = "/etc/wireguard/${var.vpn_interface}.conf"
   }
 
@@ -68,15 +84,18 @@ resource "null_resource" "wireguard" {
 
   provisioner "remote-exec" {
     inline = [
-      "${join("\n", formatlist("echo '%s %s' >> /etc/hosts", data.template_file.vpn_ips.*.rendered, var.hostnames))}",
+      "${join("\n", formatlist("echo '%s %s' >> /etc/hosts", local.vpn_ips, var.hostnames))}",
       "systemctl is-enabled wg-quick@${var.vpn_interface} || systemctl enable wg-quick@${var.vpn_interface}",
       "systemctl daemon-reload",
       "systemctl restart wg-quick@${var.vpn_interface}",
     ]
   }
 
   provisioner "file" {
-    content     = element(data.template_file.overlay-route-service.*.rendered, count.index)
+    content = templatefile("${path.module}/templates/overlay-route.service", {
+      address      = element(local.vpn_ips, count.index)
+      overlay_cidr = var.overlay_cidr
+    })
     destination = "/etc/systemd/system/overlay-route.service"
   }
 
@@ -89,58 +108,22 @@ resource "null_resource" "wireguard" {
   }
 }
 
-data "template_file" "interface-conf" {
-  count    = var.node_count
-  template = file("${path.module}/templates/interface.conf")
-
-  vars = {
-    address     = element(data.template_file.vpn_ips.*.rendered, count.index)
-    port        = var.vpn_port
-    private_key = element(data.external.keys.*.result.private_key, count.index)
-    peers       = "${replace(join("\n", data.template_file.peer-conf.*.rendered), element(data.template_file.peer-conf.*.rendered, count.index), "")}"
-  }
-}
-
-data "template_file" "peer-conf" {
-  count    = var.node_count
-  template = file("${path.module}/templates/peer.conf")
-
-  vars = {
-    endpoint    = element(var.private_ips, count.index)
-    port        = var.vpn_port
-    public_key  = element(data.external.keys.*.result.public_key, count.index)
-    allowed_ips = "${element(data.template_file.vpn_ips.*.rendered, count.index)}/32"
-  }
-}
-
-data "template_file" "overlay-route-service" {
-  count    = var.node_count
-  template = file("${path.module}/templates/overlay-route.service")
-
-  vars = {
-    address      = element(data.template_file.vpn_ips.*.rendered, count.index)
-    overlay_cidr = var.overlay_cidr
-  }
-}
-
 data "external" "keys" {
   count = var.node_count
 
   program = ["sh", "${path.module}/scripts/gen_keys.sh"]
 }
 
-data "template_file" "vpn_ips" {
-  count    = var.node_count
-  template = "$${ip}"
-
-  vars = {
-    ip = cidrhost(var.vpn_iprange, count.index + 1)
-  }
+locals {
+  vpn_ips = [
+    for n in range(var.node_count) :
+    cidrhost(var.vpn_iprange, n + 1)
+  ]
 }
 
 output "vpn_ips" {
   depends_on = [null_resource.wireguard]
-  value      = "${data.template_file.vpn_ips.*.rendered}"
+  value      = local.vpn_ips
 }
 
 output "vpn_unit" {
@@ -149,13 +132,13 @@ output "vpn_unit" {
 }
 
 output "vpn_interface" {
-  value = "${var.vpn_interface}"
+  value = var.vpn_interface
 }
 
 output "vpn_port" {
-  value = "${var.vpn_port}"
+  value = var.vpn_port
 }
 
 output "overlay_cidr" {
-  value = "${var.overlay_cidr}"
+  value = var.overlay_cidr
 }
diff --git a/security/wireguard/templates/peer.conf b/security/wireguard/templates/peer.conf
@@ -1,4 +1,9 @@
+%{ for n in range(length(endpoints)) ~}
+%{ if n != exclude_index ~}
 [Peer]
-PublicKey = ${public_key}
-AllowedIps = ${allowed_ips}
-Endpoint = ${endpoint}:${port}
+PublicKey = ${element(public_keys, n)}
+AllowedIps = ${element(allowed_ips, n)}/32
+Endpoint = ${element(endpoints, n)}:${port}
+
+%{ endif ~}
+%{ endfor ~}