├── modules
    ├── k3s_worker_profile
    │   ├── variables.tf
    │   ├── outputs.tf
    │   └── main.tf
    ├── k3s_master
    │   ├── outputs.tf
    │   ├── variables.tf
    │   ├── vpc.tf
    │   ├── master_role.tf
    │   └── master_instance.tf
    ├── k3s_workers
    │   ├── variables.tf
    │   └── main.tf
    ├── ocean_workers
    │   ├── variables.tf
    │   └── main.tf
    ├── k3s_aws
    │   └── main.tf
    └── ocean_k3s_aws
    │   └── main.tf
├── .gitignore
├── manifests
    ├── echo_server.yaml
    ├── echo_server-local.yaml
    ├── echo_server-hpa.yaml
    └── cloud-provider-aws.yaml
└── README.md


/modules/k3s_worker_profile/variables.tf:
--------------------------------------------------------------------------------
1 | variable "cluster_name" {
2 |   type     = string
3 | }
4 | 


--------------------------------------------------------------------------------
/modules/k3s_worker_profile/outputs.tf:
--------------------------------------------------------------------------------
1 | output "worker_profile_id" {
2 |   value = "${aws_iam_instance_profile.k3s_worker_profile.id}"
3 | }
4 | 


--------------------------------------------------------------------------------
/modules/k3s_master/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "security_group_id" {
 2 |   value = "${module.sg.this_security_group_id}"
 3 | }
 4 | 
 5 | output "subnet_ids" {
 6 |   value = module.vpc.public_subnets
 7 | }
 8 | 
 9 | output "master_dns_name" {
10 |   value = "${module.k3s_master.private_dns[0]}"
11 | }
12 | 
13 | output "master_token" {
14 |   value = "${random_uuid.token.result}"
15 | }
16 | 
17 | 


--------------------------------------------------------------------------------
/modules/k3s_master/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "cluster_name" {
 2 |   type    = string
 3 |   default = "ocean"
 4 | }
 5 | 
 6 | variable "ssh_key_name" {
 7 |   type    = string
 8 | }
 9 | 
10 | variable "region" {
11 |   type    = string
12 | }
13 | 
14 | variable "install_ocean_controller" {
15 |   default = false
16 | }
17 | 
18 | variable "ocean_controller_token" {
19 |   type    = string
20 |   default = ""
21 | }
22 | 
23 | variable "ocean_account" {
24 |   type    = string
25 |   default = ""
26 | }
27 | 


--------------------------------------------------------------------------------
/modules/k3s_workers/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "worker_count" {
 2 |   type    = number
 3 |   default = 1
 4 | }
 5 | 
 6 | variable "cluster_name" {
 7 |   type    = string
 8 | }
 9 | 
10 | variable "ssh_key_name" {
11 |   type    = string
12 | }
13 | 
14 | variable "security_group_id" {
15 |   type    = string
16 | }
17 | 
18 | variable "subnet_ids" {
19 |   type    = list(string)
20 | }
21 | 
22 | variable "master_dns_name" {
23 |   type    = string
24 | }
25 | 
26 | variable "master_token" {
27 |   type    = string
28 | }
29 | 
30 | variable "region" {
31 |   type    = string
32 | }
33 | 


--------------------------------------------------------------------------------
/modules/ocean_workers/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "cluster_name" {
 2 |   type        = string
 3 |   default     = "k3s_ocean"
 4 |   description = "Name for the k3s cluster"
 5 | }
 6 | 
 7 | variable "ssh_key_name" {
 8 |   type        = string
 9 |   description = "Name of the AWS SSH Key to use"
10 | }
11 | 
12 | variable "security_group_id" {
13 |   type        = string
14 |   description = "AWS SecurityGroup the workers will be associated with"
15 | }
16 | 
17 | variable "subnet_ids" {
18 |   type        = list(string)
19 |   description = "AWS Subnet IDs the workers will be launched in"
20 | }
21 | 
22 | variable "master_dns_name" {
23 |   type        = string
24 |   description = "The k3s master DNS name"
25 | }
26 | 
27 | variable "master_token" {
28 |   type        = string
29 |   description = "k3s master token"
30 | }
31 | 
32 | variable "region" {
33 |   type        = string
34 |   description = "AWS Region"
35 | }
36 | 
37 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Local .terraform directories
 2 | **/.terraform/*
 3 | 
 4 | # .tfstate files
 5 | *.tfstate
 6 | *.tfstate.*
 7 | 
 8 | # Crash log files
 9 | crash.log
10 | 
11 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most
12 | # .tfvars files are managed as part of configuration and so should be included in
13 | # version control.
14 | #
15 | # example.tfvars
16 | 
17 | # Ignore override files as they are usually used to override resources locally and so
18 | # are not checked in
19 | override.tf
20 | override.tf.json
21 | *_override.tf
22 | *_override.tf.json
23 | 
24 | # Include override files you do wish to add to version control using negated pattern
25 | #
26 | # !example_override.tf
27 | 
28 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
29 | # example: *tfplan*
30 | 
31 | # Ignore CLI configuration files
32 | .terraformrc
33 | terraform.rc
34 | 


--------------------------------------------------------------------------------
/modules/k3s_aws/main.tf:
--------------------------------------------------------------------------------
 1 | variable "cluster_name" {
 2 |   type    = string
 3 |   default = "aws"
 4 | }
 5 | 
 6 | variable "ssh_key_name" {
 7 |   type    = string
 8 | }
 9 | 
10 | variable "worker_count" {
11 |   type    = number
12 | }
13 | 
14 | variable "region" {
15 |   type    = string
16 | }
17 | 
18 | module "k3s_master" {
19 |   source = "../k3s_master"
20 | 
21 |   region       = var.region
22 |   cluster_name = var.cluster_name
23 |   ssh_key_name = var.ssh_key_name
24 | }
25 | 
26 | module "k3s_workers" {
27 |   source = "../k3s_workers"
28 | 
29 |   region       = var.region
30 |   cluster_name = var.cluster_name
31 |   ssh_key_name = var.ssh_key_name
32 | 
33 |   worker_count      = var.worker_count
34 |   security_group_id = module.k3s_master.security_group_id
35 |   subnet_ids        = module.k3s_master.subnet_ids
36 |   master_dns_name   = module.k3s_master.master_dns_name
37 |   master_token      = module.k3s_master.master_token
38 | 
39 | }
40 | 
41 | 


--------------------------------------------------------------------------------
/manifests/echo_server.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: echo-server
 5 | spec:
 6 |   replicas: 9
 7 |   selector:
 8 |     matchLabels:
 9 |       app: echo-server
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: echo-server
14 |     spec:
15 |       containers:
16 |         - name: echo-server
17 |           image: jmalloc/echo-server
18 |           ports:
19 |             - name: http-port
20 |               containerPort: 8080
21 |           resources:
22 |             limits:
23 |               cpu: "1"
24 |             requests:
25 |               cpu: "0.5"
26 |       dnsConfig:
27 |         options:
28 |           - name: ndots
29 |             value: "1"
30 | ---
31 | apiVersion: v1
32 | kind: Service
33 | metadata:
34 |   name: echo-server
35 | spec:
36 |   ports:
37 |     - name: http-port
38 |       port: 80
39 |       targetPort: http-port
40 |       protocol: TCP
41 |   selector:
42 |     app: echo-server
43 |   type: LoadBalancer
44 | 


--------------------------------------------------------------------------------
/manifests/echo_server-local.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: echo-server
 5 | spec:
 6 |   replicas: 9
 7 |   selector:
 8 |     matchLabels:
 9 |       app: echo-server
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: echo-server
14 |     spec:
15 |       containers:
16 |         - name: echo-server
17 |           image: jmalloc/echo-server
18 |           ports:
19 |             - name: http-port
20 |               containerPort: 8080
21 |           resources:
22 |             limits:
23 |               cpu: "1"
24 |             requests:
25 |               cpu: "0.5"
26 |       dnsConfig:
27 |         options:
28 |           - name: ndots
29 |             value: "1"
30 | ---
31 | apiVersion: v1
32 | kind: Service
33 | metadata:
34 |   name: echo-server
35 | spec:
36 |   ports:
37 |     - name: http-port
38 |       port: 80
39 |       targetPort: http-port
40 |       protocol: TCP
41 |   selector:
42 |     app: echo-server
43 |   externalTrafficPolicy: Local
44 |   type: LoadBalancer
45 | 


--------------------------------------------------------------------------------
/modules/ocean_k3s_aws/main.tf:
--------------------------------------------------------------------------------
 1 | variable "cluster_name" {
 2 |   type    = string
 3 |   default = "ocean"
 4 | }
 5 | 
 6 | variable "ssh_key_name" {
 7 |   type    = string
 8 | }
 9 | 
10 | variable "region" {
11 |   type    = string
12 | }
13 | 
14 | variable "ocean_controller_token" {
15 |   type    = string
16 | }
17 | 
18 | variable "ocean_account" {
19 |   type    = string
20 | }
21 | 
22 | module "k3s_master" {
23 |   source = "../k3s_master"
24 | 
25 |   region       = var.region
26 |   cluster_name = var.cluster_name
27 |   ssh_key_name = var.ssh_key_name
28 |   install_ocean_controller = true
29 |   ocean_controller_token = var.ocean_controller_token
30 |   ocean_account = var.ocean_account
31 | }
32 | 
33 | module "k3s_workers" {
34 |   source = "../ocean_workers"
35 | 
36 |   cluster_name = var.cluster_name
37 |   ssh_key_name = var.ssh_key_name
38 | 
39 |   region            = var.region
40 |   security_group_id = module.k3s_master.security_group_id
41 |   subnet_ids        = module.k3s_master.subnet_ids
42 |   master_dns_name   = module.k3s_master.master_dns_name
43 |   master_token      = module.k3s_master.master_token
44 | 
45 | }
46 | 
47 | 


--------------------------------------------------------------------------------
/manifests/echo_server-hpa.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: echo-server
 5 | spec:
 6 |   replicas: 1
 7 |   selector:
 8 |     matchLabels:
 9 |       app: echo-server
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: echo-server
14 |     spec:
15 |       containers:
16 |         - name: echo-server
17 |           image: jmalloc/echo-server
18 |           ports:
19 |             - name: http-port
20 |               containerPort: 8080
21 |           resources:
22 |             limits:
23 |               cpu: 250m
24 |             requests:
25 |               cpu: 100m
26 | ---
27 | apiVersion: v1
28 | kind: Service
29 | metadata:
30 |   name: echo-server
31 | spec:
32 |   ports:
33 |     - name: http-port
34 |       port: 80
35 |       targetPort: http-port
36 |       protocol: TCP
37 |   selector:
38 |     app: echo-server
39 |   externalTrafficPolicy: Local
40 |   type: LoadBalancer
41 | ---
42 | apiVersion: autoscaling/v1
43 | kind: HorizontalPodAutoscaler
44 | metadata:
45 |   name: echo-server
46 |   namespace: default
47 | spec:
48 |   scaleTargetRef:
49 |     apiVersion: apps/v1
50 |     kind: Deployment
51 |     name: echo-server
52 |   minReplicas: 1
53 |   maxReplicas: 100
54 |   targetCPUUtilizationPercentage: 10
55 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # k3s-terraform-modules
 2 | 
 3 | Modules for testing and development of k3s with Ocean by Spot
 4 | 
 5 | 
 6 | ## Ocean k3s
 7 | 
 8 | * VPC with 2 subnets in region of choice
 9 | * k3s master
10 | * [AWS k8s Cloud Provider][cloud-provider-aws-url]
11 | * [AWS EBS CSI Driver][ebs-csi-driver-url]
12 | * Ocean by Spot worker nodes
13 | 
14 | Provision master and Ocean workers
15 | 
16 | ```
17 | module "ocean_k3s_aws" {
18 |   source = "github.com/kmcgrath/k3s-terraform-modules//modules/ocean_k3s_aws"
19 | 
20 |   ocean_account               = "act-XXXXXX"
21 |   ocean_controller_token      = "SECRET"
22 |   region                      = "us-east-1"
23 |   ssh_key_name                = "my-key"
24 |   cluster_name                = "ocean-k3s"
25 | }
26 | ```
27 | 
28 | 
29 | ## k3s only
30 | 
31 | * VPC with 2 subnets in region of choice
32 | * k3s master
33 | * [AWS k8s Cloud Provider][cloud-provider-aws-url]
34 | * [AWS EBS CSI Driver][ebs-csi-driver-url]
35 | * Worker nodes
36 | 
37 | Provision master and Ocean workers
38 | 
39 | ```
40 | module "k3s_aws" {
41 |   source = "github.com/kmcgrath/k3s-terraform-modules//modules/k3s_aws"
42 | 
43 |   region                      = "us-east-1"
44 |   ssh_key_name                = "my-key"
45 |   worker_count                = 1
46 | }
47 | ```
48 | 
49 | 
50 | [cloud-provider-aws-url]: https://github.com/kubernetes/cloud-provider-aws
51 | [ebs-csi-driver-url]: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
52 | 


--------------------------------------------------------------------------------
/modules/k3s_workers/main.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |   region = var.region
 3 | }
 4 | 
 5 | data "aws_ami" "latest_amzn" {
 6 |   most_recent = true
 7 |   owners = ["amazon"]
 8 | 
 9 |   filter {
10 |       name   = "name"
11 |       values = ["amzn2-ami-hvm-2.0.????????.?-x86_64-gp2"]
12 |   }
13 | 
14 |   filter {
15 |       name   = "state"
16 |       values = ["available"]
17 |   }
18 | }
19 | 
20 | 
21 | module "k3s_worker_profile" {
22 |   source = "../k3s_worker_profile"
23 | 
24 |   cluster_name = "${var.cluster_name}"
25 | }
26 | 
27 | module "k3s_workers" {
28 |   source = "terraform-aws-modules/ec2-instance/aws"
29 | 
30 |   name           = "k3s-worker-${var.cluster_name}"
31 |   instance_count = "${var.worker_count}"
32 | 
33 |   ami                    = data.aws_ami.latest_amzn.id
34 |   instance_type          = "t2.medium"
35 |   key_name               = "${var.ssh_key_name}"
36 |   vpc_security_group_ids = ["${var.security_group_id}"]
37 |   subnet_id              = var.subnet_ids[0]
38 |   user_data              = "${local.worker_userdata}"
39 |   iam_instance_profile   = "${module.k3s_worker_profile.worker_profile_id}"
40 |   associate_public_ip_address = true
41 | 
42 |   tags = {
43 |     KubernetesCluster = "${var.cluster_name}"
44 |   }
45 | }
46 | 
47 | 
48 | 
49 | locals {
50 | 
51 |   worker_userdata = <<EOF
52 | #!/usr/bin/bash
53 | 
54 | curl -sfL https://get.k3s.io | sh -s agent --server https://${var.master_dns_name}:6443 \
55 |   --token "${var.master_token}"  \
56 |   --kubelet-arg="cloud-provider=external" \
57 |   --kubelet-arg="provider-id=aws:///$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone)/$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
58 | 
59 | EOF
60 | }
61 | 


--------------------------------------------------------------------------------
/modules/ocean_workers/main.tf:
--------------------------------------------------------------------------------
 1 | provider "spotinst" { }
 2 | 
 3 | provider "aws" {
 4 |   region = var.region
 5 | }
 6 | 
 7 | 
 8 | module "k3s_worker_profile" {
 9 |   source = "../k3s_worker_profile"
10 | 
11 |   cluster_name = var.cluster_name
12 | }
13 | 
14 | data "aws_ami" "latest_amzn" {
15 |   most_recent = true
16 |   owners = ["amazon"] 
17 | 
18 |   filter {
19 |       name   = "name"
20 |       values = ["amzn2-ami-hvm-2.0.????????.?-x86_64-gp2"]
21 |   }
22 | 
23 |   filter {
24 |       name   = "state"
25 |       values = ["available"]
26 |   }
27 | }
28 | 
29 | 
30 | 
31 | resource "spotinst_ocean_aws" "example" {
32 |   name = var.cluster_name
33 |   controller_id = var.cluster_name
34 |   region = var.region
35 | 
36 |   max_size         = 100
37 |   min_size         = 0
38 |   desired_capacity = 1
39 | 
40 |   subnet_ids = var.subnet_ids
41 | 
42 |   // --- LAUNCH CONFIGURATION --------------
43 |   image_id             = data.aws_ami.latest_amzn.id
44 |   security_groups      = ["${var.security_group_id}"]
45 |   key_name             = var.ssh_key_name
46 |   user_data            = local.worker_userdata
47 |   iam_instance_profile = module.k3s_worker_profile.worker_profile_id
48 |   root_volume_size     = 20
49 | 
50 |   associate_public_ip_address = true
51 | 
52 |   tags {
53 |     key   = "KubernetesCluster"
54 |     value = var.cluster_name
55 |   }
56 | 
57 |   lifecycle {
58 |     ignore_changes = [
59 |       desired_capacity
60 |     ]
61 |   }
62 | 
63 | }
64 | 
65 | locals {
66 | 
67 |   worker_userdata = <<EOF
68 | #!/usr/bin/bash
69 | 
70 | curl -sfL https://get.k3s.io | sh -s agent --server https://${var.master_dns_name}:6443 \
71 |   --token "${var.master_token}"  \
72 |   --kubelet-arg="cloud-provider=external" \
73 |   --kubelet-arg="provider-id=aws:///$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone)/$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
74 | 
75 | EOF
76 | }
77 | 


--------------------------------------------------------------------------------
/modules/k3s_master/vpc.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |   region = var.region
 3 | }
 4 | 
 5 | data "aws_availability_zones" "available" {
 6 |   state = "available"
 7 | }
 8 | 
 9 | module "vpc" {
10 |   source = "terraform-aws-modules/vpc/aws"
11 | 
12 |   name = "k3s-${var.cluster_name}"
13 |   cidr = "10.0.0.0/16"
14 | 
15 |   azs             = ["${data.aws_availability_zones.available.names[0]}", "${data.aws_availability_zones.available.names[0]}"]
16 |   public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
17 | 
18 |   enable_dns_hostnames = true
19 |   enable_dns_support   = true
20 | 
21 |   tags = {
22 |     KubernetesCluster = var.cluster_name
23 |   }
24 | }
25 | 
26 | 
27 | module "sg" {
28 |   source = "terraform-aws-modules/security-group/aws"
29 | 
30 |   name        = "k3s-${var.cluster_name}-sg"
31 |   description = "Security group wth custom ports open within VPC"
32 |   vpc_id      = module.vpc.vpc_id
33 | 
34 |   egress_cidr_blocks       = ["10.0.0.0/16"]
35 |   egress_with_cidr_blocks  = [
36 |     {
37 |       from_port   = 0
38 |       to_port     = 65535
39 |       protocol    = "tcp"
40 |       description = "outbound"
41 |       cidr_blocks = "0.0.0.0/0"
42 |     }
43 |   ]
44 | 
45 | 
46 |   ingress_cidr_blocks      = ["10.0.0.0/16"]
47 |   ingress_with_cidr_blocks = [
48 |     {
49 |       from_port   = 6443
50 |       to_port     = 6443
51 |       protocol    = "tcp"
52 |       description = "Kubernetes API"
53 |       cidr_blocks = "10.0.0.0/16"
54 |     },
55 |     {
56 |       from_port   = 10250
57 |       to_port     = 10250
58 |       protocol    = "tcp"
59 |       description = "kubelet"
60 |       cidr_blocks = "10.0.0.0/16"
61 |     },
62 |     {
63 |       from_port   = 8472
64 |       to_port     = 8472
65 |       protocol    = "udp"
66 |       description = "VXLAN"
67 |       cidr_blocks = "10.0.0.0/16"
68 |     },
69 |     {
70 |       from_port   = 22
71 |       to_port     = 22
72 |       protocol    = "tcp"
73 |       description = "ssh"
74 |       cidr_blocks = "0.0.0.0/0"
75 |     },
76 |   ]
77 | }
78 | 
79 | 


--------------------------------------------------------------------------------
/modules/k3s_worker_profile/main.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_instance_profile" "k3s_worker_profile" {
 2 |   name = "k3s_worker_instance_profile-${var.cluster_name}"
 3 |   role = aws_iam_role.k3s_worker_role.name
 4 | }
 5 | 
 6 | resource "aws_iam_role_policy" "k3s_worker_policy" {
 7 |   name = "k3s_worker_policy-${var.cluster_name}"
 8 |   role = aws_iam_role.k3s_worker_role.id
 9 | 
10 |   policy = <<-EOF
11 |   {
12 |     "Version": "2012-10-17",
13 |     "Statement": [
14 |           {
15 |               "Effect": "Allow",
16 |               "Action": [
17 |                   "ec2:DescribeInstances",
18 |                   "ec2:DescribeRegions",
19 |                   "ecr:GetAuthorizationToken",
20 |                   "ecr:BatchCheckLayerAvailability",
21 |                   "ecr:GetDownloadUrlForLayer",
22 |                   "ecr:GetRepositoryPolicy",
23 |                   "ecr:DescribeRepositories",
24 |                   "ecr:ListImages",
25 |                   "ecr:BatchGetImage"
26 |               ],
27 |               "Resource": "*"
28 |           },
29 |           {
30 |       "Effect": "Allow",
31 |       "Action": [
32 |         "ec2:AttachVolume",
33 |         "ec2:CreateSnapshot",
34 |         "ec2:CreateTags",
35 |         "ec2:CreateVolume",
36 |         "ec2:DeleteSnapshot",
37 |         "ec2:DeleteTags",
38 |         "ec2:DeleteVolume",
39 |         "ec2:DescribeInstances",
40 |         "ec2:DescribeSnapshots",
41 |         "ec2:DescribeTags",
42 |         "ec2:DescribeVolumes",
43 |         "ec2:DetachVolume",
44 |         "ec2:ModifyVolume"
45 |       ],
46 |       "Resource": "*"
47 |     }
48 |     ]
49 |   }
50 |   EOF
51 | }
52 | 
53 | resource "aws_iam_role" "k3s_worker_role" {
54 |   name = "k3s_worker_role-${var.cluster_name}"
55 |   path = "/"
56 | 
57 |   assume_role_policy = <<EOF
58 | {
59 |     "Version": "2012-10-17",
60 |     "Statement": [
61 |         {
62 |             "Action": "sts:AssumeRole",
63 |             "Principal": {
64 |                "Service": "ec2.amazonaws.com"
65 |             },
66 |             "Effect": "Allow",
67 |             "Sid": ""
68 |         }
69 |     ]
70 | }
71 | EOF
72 | }
73 | 
74 | 
75 | 


--------------------------------------------------------------------------------
/modules/k3s_master/master_role.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_iam_instance_profile" "k3s_master_profile" {
  2 |   name = "k3s_master_instance_profile-${var.cluster_name}"
  3 |   role = aws_iam_role.k3s_master_role.name
  4 | }
  5 | 
  6 | resource "aws_iam_role_policy" "k3s_master_policy" {
  7 |   name = "k3s_master_policy-${var.cluster_name}"
  8 |   role = aws_iam_role.k3s_master_role.id
  9 | 
 10 |   policy = <<-EOF
 11 |   {
 12 |     "Version": "2012-10-17",
 13 |     "Statement": [
 14 |       {
 15 |       "Effect": "Allow",
 16 |       "Action": [
 17 |         "autoscaling:DescribeAutoScalingGroups",
 18 |         "autoscaling:DescribeLaunchConfigurations",
 19 |         "autoscaling:DescribeTags",
 20 |         "ec2:DescribeInstances",
 21 |         "ec2:DescribeRegions",
 22 |         "ec2:DescribeRouteTables",
 23 |         "ec2:DescribeSecurityGroups",
 24 |         "ec2:DescribeSubnets",
 25 |         "ec2:DescribeVolumes",
 26 |         "ec2:CreateSecurityGroup",
 27 |         "ec2:CreateTags",
 28 |         "ec2:CreateVolume",
 29 |         "ec2:ModifyInstanceAttribute",
 30 |         "ec2:ModifyVolume",
 31 |         "ec2:AttachVolume",
 32 |         "ec2:AuthorizeSecurityGroupIngress",
 33 |         "ec2:CreateRoute",
 34 |         "ec2:DeleteRoute",
 35 |         "ec2:DeleteSecurityGroup",
 36 |         "ec2:DeleteVolume",
 37 |         "ec2:DetachVolume",
 38 |         "ec2:RevokeSecurityGroupIngress",
 39 |         "ec2:DescribeVpcs",
 40 |         "elasticloadbalancing:AddTags",
 41 |         "elasticloadbalancing:AttachLoadBalancerToSubnets",
 42 |         "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 43 |         "elasticloadbalancing:CreateLoadBalancer",
 44 |         "elasticloadbalancing:CreateLoadBalancerPolicy",
 45 |         "elasticloadbalancing:CreateLoadBalancerListeners",
 46 |         "elasticloadbalancing:ConfigureHealthCheck",
 47 |         "elasticloadbalancing:DeleteLoadBalancer",
 48 |         "elasticloadbalancing:DeleteLoadBalancerListeners",
 49 |         "elasticloadbalancing:DescribeLoadBalancers",
 50 |         "elasticloadbalancing:DescribeLoadBalancerAttributes",
 51 |         "elasticloadbalancing:DetachLoadBalancerFromSubnets",
 52 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
 53 |         "elasticloadbalancing:ModifyLoadBalancerAttributes",
 54 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
 55 |         "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
 56 |         "elasticloadbalancing:AddTags",
 57 |         "elasticloadbalancing:CreateListener",
 58 |         "elasticloadbalancing:CreateTargetGroup",
 59 |         "elasticloadbalancing:DeleteListener",
 60 |         "elasticloadbalancing:DeleteTargetGroup",
 61 |         "elasticloadbalancing:DescribeListeners",
 62 |         "elasticloadbalancing:DescribeLoadBalancerPolicies",
 63 |         "elasticloadbalancing:DescribeTargetGroups",
 64 |         "elasticloadbalancing:DescribeTargetHealth",
 65 |         "elasticloadbalancing:ModifyListener",
 66 |         "elasticloadbalancing:ModifyTargetGroup",
 67 |         "elasticloadbalancing:RegisterTargets",
 68 |         "elasticloadbalancing:DeregisterTargets",
 69 |         "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
 70 |         "iam:CreateServiceLinkedRole",
 71 |         "kms:DescribeKey"
 72 |       ],
 73 |       "Resource": [
 74 |         "*"
 75 |       ]
 76 |     }
 77 |     ]
 78 |   }
 79 |   EOF
 80 | }
 81 | 
 82 | resource "aws_iam_role" "k3s_master_role" {
 83 |   name = "k3s_master_role-${var.cluster_name}"
 84 |   path = "/"
 85 | 
 86 |   assume_role_policy = <<EOF
 87 | {
 88 |     "Version": "2012-10-17",
 89 |     "Statement": [
 90 |         {
 91 |             "Action": "sts:AssumeRole",
 92 |             "Principal": {
 93 |                "Service": "ec2.amazonaws.com"
 94 |             },
 95 |             "Effect": "Allow",
 96 |             "Sid": ""
 97 |         }
 98 |     ]
 99 | }
100 | EOF
101 | }
102 | 
103 | 
104 | 


--------------------------------------------------------------------------------
/manifests/cloud-provider-aws.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | apiVersion: v1
  3 | kind: ServiceAccount
  4 | metadata:
  5 |   name: cloud-controller-manager
  6 |   namespace: kube-system
  7 | ---
  8 | apiVersion: rbac.authorization.k8s.io/v1beta1
  9 | kind: ClusterRole
 10 | metadata:
 11 |   name: system:cloud-controller-manager
 12 |   labels:
 13 |     kubernetes.io/cluster-service: "true"
 14 | rules:
 15 | - apiGroups:
 16 |   - ""
 17 |   resources:
 18 |   - nodes
 19 |   verbs:
 20 |   - '*'
 21 | 
 22 | - apiGroups:
 23 |   - ""
 24 |   resources:
 25 |   - nodes/status
 26 |   verbs:
 27 |   - patch
 28 | 
 29 | - apiGroups:
 30 |   - ""
 31 |   resources:
 32 |   - services
 33 |   verbs:
 34 |   - list
 35 |   - watch
 36 |   - patch
 37 | 
 38 | - apiGroups:
 39 |   - ""
 40 |   resources:
 41 |   - services/status
 42 |   verbs:
 43 |   - update
 44 |   - patch
 45 | 
 46 | - apiGroups:
 47 |   - ""
 48 |   resources:
 49 |   - events
 50 |   verbs:
 51 |   - create
 52 |   - patch
 53 |   - update
 54 | 
 55 | # For leader election
 56 | - apiGroups:
 57 |   - ""
 58 |   resources:
 59 |   - endpoints
 60 |   verbs:
 61 |   - create
 62 | 
 63 | - apiGroups:
 64 |   - ""
 65 |   resources:
 66 |   - endpoints
 67 |   resourceNames:
 68 |   - "cloud-controller-manager"
 69 |   verbs:
 70 |   - get
 71 |   - list
 72 |   - watch
 73 |   - update
 74 | 
 75 | - apiGroups:
 76 |   - ""
 77 |   resources:
 78 |   - configmaps
 79 |   verbs:
 80 |   - create
 81 | 
 82 | - apiGroups:
 83 |   - ""
 84 |   resources:
 85 |   - configmaps
 86 |   resourceNames:
 87 |   - "cloud-controller-manager"
 88 |   verbs:
 89 |   - get
 90 |   - update
 91 | 
 92 | - apiGroups:
 93 |   - ""
 94 |   resources:
 95 |   - serviceaccounts
 96 |   verbs:
 97 |   - create
 98 | - apiGroups:
 99 |   - ""
100 |   resources:
101 |   - secrets
102 |   verbs:
103 |   - get
104 |   - list
105 | 
106 | - apiGroups:
107 |   - "coordination.k8s.io"
108 |   resources:
109 |   - leases
110 |   verbs:
111 |   - get
112 |   - create
113 |   - update
114 |   - list
115 | 
116 | 
117 | # For the PVL
118 | - apiGroups:
119 |   - ""
120 |   resources:
121 |   - persistentvolumes
122 |   verbs:
123 |   - list
124 |   - watch
125 |   - patch
126 | 
127 | ---
128 | kind: ClusterRoleBinding
129 | apiVersion: rbac.authorization.k8s.io/v1beta1
130 | metadata:
131 |   name: aws-cloud-controller-manager
132 | roleRef:
133 |   apiGroup: rbac.authorization.k8s.io
134 |   kind: ClusterRole
135 |   name: system:cloud-controller-manager
136 | subjects:
137 | - kind: ServiceAccount
138 |   name: cloud-controller-manager
139 |   namespace: kube-system
140 | ---
141 | kind: RoleBinding
142 | apiVersion: rbac.authorization.k8s.io/v1
143 | metadata:
144 |   name: aws-cloud-controller-manager-ext
145 |   namespace: kube-system
146 | roleRef:
147 |   apiGroup: rbac.authorization.k8s.io
148 |   kind: Role
149 |   name: extension-apiserver-authentication-reader
150 | subjects:
151 | - kind: ServiceAccount
152 |   name: cloud-controller-manager
153 |   namespace: kube-system
154 | ---
155 | apiVersion: apps/v1
156 | kind: DaemonSet
157 | metadata:
158 |   name: aws-cloud-controller-manager
159 |   namespace: kube-system
160 |   labels:
161 |     k8s-app: aws-cloud-controller-manager
162 | spec:
163 |   selector:
164 |     matchLabels:
165 |       component: aws-cloud-controller-manager
166 |       tier: control-plane
167 |   updateStrategy:
168 |     type: RollingUpdate
169 |   template:
170 |     metadata:
171 |       labels:
172 |         component: aws-cloud-controller-manager
173 |         tier: control-plane
174 |     spec:
175 |       serviceAccountName: cloud-controller-manager
176 |       hostNetwork: true
177 |       nodeSelector:
178 |         node-role.kubernetes.io/master: "true"
179 |       tolerations:
180 |       - key: node.cloudprovider.kubernetes.io/uninitialized
181 |         value: "true"
182 |         effect: NoSchedule
183 |       - key: node-role.kubernetes.io/master
184 |         operator: Exists
185 |         effect: NoSchedule
186 |       containers:
187 |         - name: aws-cloud-controller-manager
188 |           image: kmcgrath/cloud-provider-aws:latest
189 | 


--------------------------------------------------------------------------------
/modules/k3s_master/master_instance.tf:
--------------------------------------------------------------------------------
  1 | resource "random_uuid" "token" { }
  2 | 
  3 | data "aws_ami" "latest_amzn" {
  4 |   most_recent = true
  5 |   owners = ["amazon"]
  6 | 
  7 |   filter {
  8 |       name   = "name"
  9 |       values = ["amzn2-ami-hvm-2.0.????????.?-x86_64-gp2"]
 10 |   }
 11 | 
 12 |   filter {
 13 |       name   = "state"
 14 |       values = ["available"]
 15 |   }
 16 | }
 17 | 
 18 | module "k3s_master" {
 19 |   source = "terraform-aws-modules/ec2-instance/aws"
 20 | 
 21 |   name           = "k3s-master-${var.cluster_name}"
 22 |   instance_count = 1
 23 | 
 24 |   ami                    = data.aws_ami.latest_amzn.id
 25 |   instance_type          = "t2.medium"
 26 |   key_name               = var.ssh_key_name
 27 |   vpc_security_group_ids = ["${module.sg.this_security_group_id}"]
 28 |   subnet_id              = module.vpc.public_subnets[0]
 29 |   user_data              = local.master_userdata
 30 |   iam_instance_profile   = aws_iam_instance_profile.k3s_master_profile.id
 31 |   associate_public_ip_address = true
 32 | 
 33 |   tags = {
 34 |     KubernetesCluster = var.cluster_name
 35 |   }
 36 | }
 37 | 
 38 | locals {
 39 |   master_userdata = <<EOF
 40 | #cloud-config
 41 | write_files:
 42 | -   content: |
 43 |       ---
 44 |       apiVersion: v1
 45 |       kind: ServiceAccount
 46 |       metadata:
 47 |         name: cloud-controller-manager
 48 |         namespace: kube-system
 49 |       ---
 50 |       apiVersion: rbac.authorization.k8s.io/v1beta1
 51 |       kind: ClusterRole
 52 |       metadata:
 53 |         name: system:cloud-controller-manager
 54 |         labels:
 55 |           kubernetes.io/cluster-service: "true"
 56 |       rules:
 57 |       - apiGroups:
 58 |         - ""
 59 |         resources:
 60 |         - nodes
 61 |         verbs:
 62 |         - '*'
 63 |       - apiGroups:
 64 |         - ""
 65 |         resources:
 66 |         - nodes/status
 67 |         verbs:
 68 |         - patch
 69 |       - apiGroups:
 70 |         - ""
 71 |         resources:
 72 |         - services
 73 |         verbs:
 74 |         - list
 75 |         - watch
 76 |         - patch
 77 |       - apiGroups:
 78 |         - ""
 79 |         resources:
 80 |         - services/status
 81 |         verbs:
 82 |         - update
 83 |         - patch
 84 |       - apiGroups:
 85 |         - ""
 86 |         resources:
 87 |         - events
 88 |         verbs:
 89 |         - create
 90 |         - patch
 91 |         - update
 92 |       # For leader election
 93 |       - apiGroups:
 94 |         - ""
 95 |         resources:
 96 |         - endpoints
 97 |         verbs:
 98 |         - create
 99 |       - apiGroups:
100 |         - ""
101 |         resources:
102 |         - endpoints
103 |         resourceNames:
104 |         - "cloud-controller-manager"
105 |         verbs:
106 |         - get
107 |         - list
108 |         - watch
109 |         - update
110 |       - apiGroups:
111 |         - ""
112 |         resources:
113 |         - configmaps
114 |         verbs:
115 |         - create
116 |       - apiGroups:
117 |         - ""
118 |         resources:
119 |         - configmaps
120 |         resourceNames:
121 |         - "cloud-controller-manager"
122 |         verbs:
123 |         - get
124 |         - update
125 |       - apiGroups:
126 |         - ""
127 |         resources:
128 |         - serviceaccounts
129 |         verbs:
130 |         - create
131 |       - apiGroups:
132 |         - ""
133 |         resources:
134 |         - secrets
135 |         verbs:
136 |         - get
137 |         - list
138 |       - apiGroups:
139 |         - "coordination.k8s.io"
140 |         resources:
141 |         - leases
142 |         verbs:
143 |         - get
144 |         - create
145 |         - update
146 |         - list
147 |       # For the PVL
148 |       - apiGroups:
149 |         - ""
150 |         resources:
151 |         - persistentvolumes
152 |         verbs:
153 |         - list
154 |         - watch
155 |         - patch
156 |       ---
157 |       kind: ClusterRoleBinding
158 |       apiVersion: rbac.authorization.k8s.io/v1beta1
159 |       metadata:
160 |         name: aws-cloud-controller-manager
161 |       roleRef:
162 |         apiGroup: rbac.authorization.k8s.io
163 |         kind: ClusterRole
164 |         name: system:cloud-controller-manager
165 |       subjects:
166 |       - kind: ServiceAccount
167 |         name: cloud-controller-manager
168 |         namespace: kube-system
169 |       ---
170 |       kind: RoleBinding
171 |       apiVersion: rbac.authorization.k8s.io/v1
172 |       metadata:
173 |         name: aws-cloud-controller-manager-ext
174 |         namespace: kube-system
175 |       roleRef:
176 |         apiGroup: rbac.authorization.k8s.io
177 |         kind: Role
178 |         name: extension-apiserver-authentication-reader
179 |       subjects:
180 |       - kind: ServiceAccount
181 |         name: cloud-controller-manager
182 |         namespace: kube-system
183 |       ---
184 |       apiVersion: apps/v1
185 |       kind: DaemonSet
186 |       metadata:
187 |         name: aws-cloud-controller-manager
188 |         namespace: kube-system
189 |         labels:
190 |           k8s-app: aws-cloud-controller-manager
191 |       spec:
192 |         selector:
193 |           matchLabels:
194 |             component: aws-cloud-controller-manager
195 |             tier: control-plane
196 |         updateStrategy:
197 |           type: RollingUpdate
198 |         template:
199 |           metadata:
200 |             labels:
201 |               component: aws-cloud-controller-manager
202 |               tier: control-plane
203 |           spec:
204 |             serviceAccountName: cloud-controller-manager
205 |             hostNetwork: true
206 |             nodeSelector:
207 |               node-role.kubernetes.io/master: "true"
208 |             tolerations:
209 |             - key: node.cloudprovider.kubernetes.io/uninitialized
210 |               value: "true"
211 |               effect: NoSchedule
212 |             - key: node-role.kubernetes.io/master
213 |               operator: Exists
214 |               effect: NoSchedule
215 |             containers:
216 |               - name: aws-cloud-controller-manager
217 |                 image: kmcgrath/cloud-provider-aws:latest
218 |     path: /k8s_yaml/cloud_provider_aws.yaml
219 | 
220 | runcmd:
221 |  - |
222 |     curl -sfL https://get.k3s.io | INSTALL_K3S_NAME=${var.cluster_name} sh -s server --disable-cloud-controller \
223 |       --token "${random_uuid.token.result}" \
224 |       --disable servicelb \
225 |       --disable local-storage \
226 |       --disable traefik \
227 |       --kubelet-arg="cloud-provider=external" \
228 |       --kubelet-arg="provider-id=aws:///$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone)/$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
229 |  - [kubectl, apply, -f, /k8s_yaml/cloud_provider_aws.yaml]
230 |  - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
231 |  -
232 |    - helm
233 |    - --kubeconfig
234 |    - /etc/rancher/k3s/k3s.yaml
235 |    - install
236 |    - aws-ebs-csi-driver
237 |    - --set
238 |    - enableVolumeScheduling=true
239 |    - --set
240 |    - enableVolumeResizing=true
241 |    - --set
242 |    - enableVolumeSnapshot=true
243 |    - --set
244 |    - cloud-provider=external
245 |    - https://github.com/kubernetes-sigs/aws-ebs-csi-driver/releases/download/v0.5.0/helm-chart.tgz
246 |  - %{ if var.install_ocean_controller == true }curl -fsSL http://spotinst-public.s3.amazonaws.com/integrations/kubernetes/cluster-controller/scripts/init.sh | SPOTINST_TOKEN=${var.ocean_controller_token} SPOTINST_ACCOUNT=${var.ocean_account} SPOTINST_CLUSTER_IDENTIFIER=${var.cluster_name} bash %{ else }sleep 10%{ endif }
247 |  - [sleep, 90]
248 |  - kubectl patch node $(hostname) -p '{"spec":{"unschedulable":true}}}']
249 | 
250 | EOF
251 | 
252 | }
253 | 


--------------------------------------------------------------------------------