feat: add talos and k8s setup

.gitignore

@@ -7,6 +7,7 @@
 *.tfstate.*
 **/.terraform/*
 /test
+config/
 override.tf
 override.tf.json
 registry.terraform.io/

main.tf

@@ -1,6 +1,20 @@
-module "cloudflare" {
-  source = "./modules/cloudflare"
+# module "cloudflare" {
+#   source = "./modules/cloudflare"
 
-  apple_domain_verification_code = var.apple_domain_verification_code
-  cloudflare_api_token           = var.cloudflare_api_token
+#   apple_domain_verification_code = var.apple_domain_verification_code
+#   cloudflare_api_token           = var.cloudflare_api_token
+# }
+
+module "kubernetes" {
+  source = "./modules/kubernetes"
+}
+
+module "talos" {
+  source = "./modules/talos"
+
+  talos_endpoint  = var.talos_endpoint
+  talos_name      = var.talos_name
+  talos_node_data = var.talos_node_data
 }
+
+

modules/kubernetes/README.md

@@ -0,0 +1,10 @@
+# Kubernetes
+
+In this module Im installing the essential services and resources to my cluster, which was deployed with talos
+
+Things Im deploying here:
+
+- ArgoCD: This is being set up here. It is observing another Repo which has all the applications which it is deploying
+- Cilium: This im deploying because I want to use Gateway API to manage the traffic of my cluster
+
+talosctl -n 192.168.172.20 get machineconfig -o yaml > controlplane-recovered.yaml

modules/kubernetes/argo.tf

@@ -0,0 +1,13 @@
+resource "helm_release" "argocd" {
+  name       = "argocd"
+  repository = "https://argoproj.github.io/argo-helm"
+  chart      = "argo-cd"
+  version    = "9.1.3"
+
+  namespace        = "argocd"
+  create_namespace = true
+
+  values = [
+    file("${path.module}/values/argocd.yaml"),
+  ]
+}

modules/kubernetes/istio.tf

@@ -0,0 +1,45 @@
+# resource "kubectl_manifest" "gateway_api" {
+#   yaml_body = file("${path.module}/crd/gateway-api-standard-install.yaml")
+# }
+
+# resource "helm_release" "istio_base" {
+#   chart            = "base"
+#   create_namespace = true
+#   name             = "istio-base"
+#   namespace        = "istio-system"
+#   repository       = "https://istio-release.storage.googleapis.com/charts"
+#   version          = "1.28.0"
+
+#   set = [{
+#     name  = "defaultRevision",
+#     value = "default"
+#   }]
+
+#   depends_on = [kubectl_manifest.gateway_api]
+# }
+
+# resource "helm_release" "istiod" {
+#   chart      = "istiod"
+#   create_namespace = true
+#   name       = "istiod"
+#   namespace  = "istio-system"
+#   repository = "https://istio-release.storage.googleapis.com/charts"
+#   version    = "1.28.0"
+
+#   depends_on = [helm_release.istio_base]
+# }
+
+# resource "helm_release" "istio_ingress" {
+#   chart            = "gateway"
+#   create_namespace = true
+#   name             = "istio-ingress"
+#   namespace        = "istio-ingress"
+#   repository       = "https://istio-release.storage.googleapis.com/charts"
+#   version          = "1.28.0"
+
+#   wait           = true
+#   wait_for_jobs  = true
+#   timeout        = 600  # 10 minutes
+
+#   depends_on = [helm_release.istiod]
+# }

modules/kubernetes/values/argocd.yaml

@@ -0,0 +1,68 @@
+---
+global:
+  domain: argo.barnes.biz
+
+server:
+  ingress:
+    enabled: false
+
+  service:
+    type: ClusterIP
+    ports:
+      http: 80
+      https: 443
+
+  # TLS is terminated at the Gateway and HTTP is sent to Argo
+  extraArgs:
+    - --insecure
+
+  resources:
+    limits:
+      cpu: 250m
+      memory: 512Mi
+    requests:
+      cpu: 125m
+      memory: 256Mi
+
+configs:
+  cm:
+    application.instanceLabelKey: argo.argoproj.io/instance
+    timeout.reconciliation: 180s
+  rbac:
+    policy.csv: |
+      g, system:authenticated, role:admin
+    policy.default: role:readonly
+
+  secret:
+    createSecret: true
+
+controller:
+  resources:
+    limits:
+      cpu: 250m
+      memory: 512Mi
+    requests:
+      cpu: 125m
+      memory: 256Mi
+
+repoServer:
+  resources:
+    limits:
+      cpu: 250m
+      memory: 512Mi
+    requests:
+      cpu: 125m
+      memory: 256Mi
+
+applicationSet:
+  enabled: true
+
+dex:
+  enabled: true
+
+redis:
+  resources:
+    limits:
+      memory: 256Mi
+    requests:
+      memory: 128Mi

modules/kubernetes/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "1.19.0"
+    }
+  }
+  required_version = ">= 1.13.5"
+}

modules/talos/README.md

@@ -0,0 +1,50 @@
+# talos
+
+[Talos Linux](https://www.talos.dev/) is a secure, immutable, and minimal operating system purpose-built for running Kubernetes.
+It eliminates configuration drift by enforcing an Infrastructure-as-Code (IaC) model for system management.
+
+Because of its API-driven architecture, Talos integrates seamlessly with IaC tools such as [OpenTofu](https://opentofu.org/),
+enabling fully automated provisioning and lifecycle management of clusters.
+
+In this module, the Kubernetes cluster `barnes-lab` is initialized,
+and additional nodes are joined to it using declarative configuration.
+
+## How to generate machine configurations
+
+```bash
+talosctl gen config \
+    barnes-lab https://192.168.178.20:6443 \
+    --config-patch @patches/disable-flannel.yaml \
+    --config-patch @patches/disable-kube-proxy.yaml \
+    -o ./config
+```
+
+## How to apply patches to talos nodes
+
+### Control planes
+
+```bash
+talosctl apply-config \
+  --nodes 192.168.178.20 \
+  --file ./config/controlplane.yaml \
+  --mode=auto
+```
+
+### Worker
+
+```bash
+talosctl apply-config \
+  --nodes 192.168.178.XX \
+  --file ./config/worker.yaml \
+  --mode=auto
+```
+
+## How to upgrade talos nodes
+
+```bash
+talosctl upgrade \
+  --nodes 192.168.178.20 \
+  --image ghcr.io/siderolabs/installer:v1.11.5 \
+  --preserve \
+  --wait=true
+```

modules/talos/cluster.tf

@@ -0,0 +1,12 @@
+locals {
+  controlplane_ips = sort(keys(var.talos_node_data.controlplanes))
+  bootstrap_node   = local.controlplane_ips[0]
+}
+
+resource "talos_cluster_kubeconfig" "barnes-lab" {
+  depends_on                   = [talos_machine_bootstrap.node]
+  client_configuration         = talos_machine_secrets.node.client_configuration
+  node                         = local.bootstrap_node
+  endpoint                     = local.bootstrap_node
+  certificate_renewal_duration = "720h"
+}

modules/talos/files/cp-scheduling.yaml

@@ -0,0 +1,3 @@
+---
+cluster:
+  allowSchedulingOnControlPlanes: true

modules/talos/machine.tf

@@ -0,0 +1,32 @@
+resource "talos_machine_bootstrap" "node" {
+  depends_on           = [talos_machine_configuration_apply.controlplane]
+  client_configuration = talos_machine_secrets.node.client_configuration
+  node                 = [for k, v in var.talos_node_data.controlplanes : k][0]
+}
+
+resource "talos_machine_configuration_apply" "controlplane" {
+  client_configuration        = talos_machine_secrets.node.client_configuration
+  machine_configuration_input = data.talos_machine_configuration.controlplane.machine_configuration
+
+  for_each   = var.talos_node_data.controlplanes
+  node       = each.key
+  endpoint   = each.key
+  apply_mode = "auto"
+
+  config_patches = [
+    templatefile("${path.module}/templates/install-disk-and-hostname.yaml.tmpl", {
+      hostname     = coalesce(each.value.hostname, format("%s-cp-%s", var.talos_name, index(sort(keys(var.talos_node_data.controlplanes)), each.key)))
+      install_disk = each.value.install_disk
+    }),
+    file("${path.module}/files/cp-scheduling.yaml"),
+  ]
+}
+
+data "talos_machine_configuration" "controlplane" {
+  cluster_name     = var.talos_name
+  cluster_endpoint = var.talos_endpoint
+  machine_type     = "controlplane"
+  machine_secrets  = talos_machine_secrets.node.machine_secrets
+}
+
+resource "talos_machine_secrets" "node" {}

modules/talos/outputs.tf

@@ -0,0 +1,19 @@
+output "talosconfig" {
+  value     = talos_cluster_kubeconfig.barnes-lab.kubeconfig_raw
+  sensitive = true
+}
+
+output "kubeconfig" {
+  value     = talos_cluster_kubeconfig.barnes-lab.kubernetes_client_configuration
+  sensitive = true
+}
+
+output "machine_secrets_yaml" {
+  value     = talos_machine_secrets.node.machine_secrets
+  sensitive = true
+}
+
+output "controlplane_machine_config" {
+  value     = data.talos_machine_configuration.controlplane.machine_configuration
+  sensitive = true
+}

modules/talos/patches/disable-flannel.yaml

@@ -0,0 +1,6 @@
+# This patch is required when installing Cilium
+---
+cluster:
+  network:
+    cni:
+      name: none

modules/talos/patches/disable-kube-proxy.yaml

@@ -0,0 +1,5 @@
+# This patch is required to use Cilium
+---
+cluster:
+  proxy:
+    disabled: true

modules/talos/templates/install-disk-and-hostname.yaml.tmpl

@@ -0,0 +1,10 @@
+machine:
+  install:
+    disk: ${install_disk}
+  network:
+    hostname: ${hostname}
+    interfaces:
+      - interface: eth0
+        addresses: ["192.168.178.20/24"]
+        dhcp: false
+    nameservers: ["192.168.178.1"]

modules/talos/variables.tf

@@ -0,0 +1,32 @@
+variable "talos_name" {
+  description = "Talos cluster name"
+  type        = string
+  default     = "barnes-lab-1"
+}
+
+variable "talos_endpoint" {
+  description = "Talos cluster endpoint"
+  type        = string
+}
+
+variable "talos_node_data" {
+  description = "A map of node data"
+  type = object({
+    controlplanes = map(object({
+      install_disk = string
+      hostname     = optional(string)
+    }))
+    workers = map(object({
+      install_disk = string
+      hostname     = optional(string)
+    }))
+  })
+  default = {
+    controlplanes = {
+      "192.168.178.20" = {
+        install_disk = "/dev/sda"
+      }
+    }
+    workers = {}
+  }
+}

modules/talos/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    talos = {
+      source  = "siderolabs/talos"
+      version = "0.9.0"
+    }
+  }
+  required_version = ">= 1.13.4"
+}

outputs.tf

@@ -0,0 +1,19 @@
+output "talos_config" {
+  value     = module.talos.talosconfig
+  sensitive = true
+}
+
+output "talos_kubeconfig" {
+  value     = module.talos.kubeconfig
+  sensitive = true
+}
+
+output "talos_machine_secrets_yaml" {
+  value     = module.talos.machine_secrets_yaml
+  sensitive = true
+}
+
+output "talos_controlplane_machine_config" {
+  value     = module.talos.controlplane_machine_config
+  sensitive = true
+}