calico.yaml

2025-07-31 14:50:51 +00:00
parent 68b889c591
commit d676962a6e
6 changed files with 5319 additions and 118 deletions
--- a/terraform/control-plane1.bu
+++ b/terraform/control-plane1.bu
@@ -7,140 +7,157 @@ passwd:
      ssh_authorized_keys:
        - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHEAlPo3v4U67Y3411pTjIMkQxwlFWdXrBJkSzXenDH flatcar@undercloud"

+networkd:
+  units:
+    - name: eth0.network
+      contents: |
+        [Match]
+        Name=eth0
+        
+        [Network]
+        Address=fd00:0:0:2::91/64
+        Gateway=fd00:0:0:2::3
+        DNS=fd00:0:0:3::1
+        Address=10.0.2.91/24
+        Gateway=10.0.2.3
+        DNS=10.0.3.1
+        Domains=undercloud.local
+
 storage:
  files:
-    # --- Hostname
    - path: /etc/hostname
      mode: 0644
      contents:
-        inline: "control-plane1"
-    # --- hosts
+        inline: |
+          control-plane1
+
    - path: /etc/hosts
+      mode: 0644
      overwrite: true
-      mode: 0644
      contents:
        inline: |
-          127.0.0.1		localhost
-          ::1           	localhost
-          10.0.2.91     	control-plane1.undercloud.local control-plane1
-          fd00:0:0:2::91	control-plane1.undercloud.local control-plane1
-          10.0.2.92		control-plane2.undercloud.local control-plane2
-          fd00:0:0:2::92	control-plane2.undercloud.local control-plane2
-          10.0.2.93		control-plane3.undercloud.local control-plane3
-          fd00:0:0:2::93        control-plane3.undercloud.local control-plane3
-          10.0.2.101		worker1.undercloud.local worker1
-          fd00:0:0:2::101	worker1.undercloud.local worker1
-          10.0.2.102		worker2.undercloud.local worker2
-          fd00:0:0:2::102	worker2.undercloud.local worker2
-          10.0.2.103		worker3.undercloud.local worker3
-          fd00:0:0:2::103	worker3.undercloud.local worker3
-    # --- Kubernetes sysctl tweaks ---
-    - path: /etc/sysctl.d/99-kubernetes-cri.conf
-      mode: 0644
-      contents:
-        inline: |
-          net.bridge.bridge-nf-call-iptables  = 1
-          net.bridge.bridge-nf-call-ip6tables = 1
-          net.ipv4.ip_forward                 = 1
+          127.0.0.1   localhost
+          ::1         localhost ip6-localhost ip6-loopback
+          fd00:0:0:2::91 control-plane1.undercloud.local control-plane1
+          fd00:0:0:2::92 control-plane2.undercloud.local control-plane2
+          fd00:0:0:2::93 control-plane3.undercloud.local control-plane3
+          fd00:0:0:2::101 worker1.undercloud.local worker1
+          fd00:0:0:2::102 worker2.undercloud.local worker2
+          fd00:0:0:2::103 worker3.undercloud.local worker3
+          10.0.2.91   control-plane1.undercloud.local control-plane1
+          10.0.2.92   control-plane2.undercloud.local control-plane2
+          10.0.2.93   control-plane3.undercloud.local control-plane3
+          10.0.2.101  worker1.undercloud.local worker1
+          10.0.2.102  worker2.undercloud.local worker2
+          10.0.2.103  worker3.undercloud.local worker3

-    # --- Netzwerkkonfiguration eth0 ---
-    - path: /etc/systemd/network/10-eth0.network
-      mode: 0644
-      contents:
-        inline: |
-          [Match]
-          Name=eth0
-
-          [Network]
-          Address=10.0.2.91/24
-          Gateway=10.0.2.3
-          Address=fd00:0:0:2::91/64
-          Gateway=fd00:0:0:2::3
-          DNS=10.0.3.1
-          DNS=fd00:0:0:3::1
-          Domains=undercloud.local.
-
-    # --- Message of the day ---
    - path: /etc/motd
+      mode: 0644
      overwrite: true
+      contents:
+        inline: |
+          *******************************************************************
+          *                        AUTHORIZED ACCESS ONLY                  *
+          *                                                                 *
+          *  This system is part of a secured infrastructure.               *
+          *  All activities are monitored and logged.                       *
+          *  Unauthorized access or misuse is strictly prohibited and       *
+          *  may result in disciplinary and legal action.                   *
+          *******************************************************************
+
+    - path: /etc/sysctl.d/99-k8s.conf
      mode: 0644
      contents:
        inline: |
-           =========== Welcome to control-plane1 ============
-           --------------------------------------------------
-           this is a System of Undercloud!
-           --------------------------------------------------
+          net.ipv4.ip_forward=1
+          net.ipv6.conf.all.forwarding=1
+          net.bridge.bridge-nf-call-iptables=1
+          net.bridge.bridge-nf-call-ip6tables=1
+          net.ipv4.conf.all.rp_filter=0
+          net.ipv6.conf.all.disable_ipv6=0
+          vm.overcommit_memory=1
+          fs.inotify.max_user_watches=524288
+          fs.inotify.max_user_instances=512
+          kernel.panic=10
+          kernel.panic_on_oops=1

-           --------------------------------------------------
-           kubernetes control-plane node
-           
-           manage via:
-           kubectl (kubectl)
-           calico (calicoctl)
-           argocd (https...)
-           --------------------------------------------------
-
-    # --- Kubernetes Binaries (aus deinem Gitea) ---
-    - path: /opt/bin/kubelet
+    - path: /opt/kubernetes/bin/kubeadm
      mode: 0755
      contents:
-        source: http://build-node.undercloud.local:3000/admin/undercloud-infrastructure/raw/branch/main/k8s-binaries/kubelet
-
-    - path: /opt/bin/kubeadm
+        source: "http://build-node.undercloud.local:3000/admin/undercloud-infrastructure/raw/branch/main/k8s-binaries/kubeadm"
+    - path: /opt/kubernetes/bin/kubelet
      mode: 0755
      contents:
-        source: http://build-node.undercloud.local:3000/admin/undercloud-infrastructure/raw/branch/main/k8s-binaries/kubeadm
-
-    - path: /opt/bin/kubectl
+        source: "http://build-node.undercloud.local:3000/admin/undercloud-infrastructure/raw/branch/main/k8s-binaries/kubelet"
+    - path: /opt/kubernetes/bin/kubectl
      mode: 0755
      contents:
-        source: http://build-node.undercloud.local:3000/admin/undercloud-infrastructure/raw/branch/main/k8s-binaries/kubectl
-
-    # --- Containerd Config (Minimal) ---
-    - path: /etc/containerd/config.toml
+        source: "http://build-node.undercloud.local:3000/admin/undercloud-infrastructure/raw/branch/main/k8s-binaries/kubectl"
+    - path: /opt/kubernetes/bin/calicoctl
+      mode: 0755
+      contents:
+        source: "http://build-node.undercloud.local:3000/admin/undercloud-infrastructure/raw/branch/main/k8s-binaries/calicoctl"
+    - path: /etc/kubernetes/kubeadm-init.yaml
      mode: 0644
      contents:
        inline: |
-          version = 2
-          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
-            runtime_type = "io.containerd.runc.v2"
-          [plugins."io.containerd.grpc.v1.cri".cni]
-            bin_dir = "/opt/cni/bin"
-            conf_dir = "/etc/cni/net.d"
+          apiVersion: kubeadm.k8s.io/v1beta3
+          kind: InitConfiguration
+          nodeRegistration:
+            name: control-plane1
+            criSocket: /run/containerd/containerd.sock
+          bootstrapTokens:
+            - token: "abcdef.0123456789abcdef"
+              description: "default kubeadm bootstrap token"
+              ttl: 0
+          ---
+          apiVersion: kubeadm.k8s.io/v1beta3
+          kind: ClusterConfiguration
+          kubernetesVersion: v1.29.0
+          controlPlaneEndpoint: "[fd00:0:0:2::100]:6443"
+          networking:
+            podSubnet: "fd00:10:244::/56,10.244.0.0/16"
+            serviceSubnet: "fd00:10:96::/112,10.96.0.0/12"
+            dnsDomain: "k8s.undercloud.local"
+          ---
+          apiVersion: kubelet.config.k8s.io/v1beta1
+          kind: KubeletConfiguration
+          volumePluginDir: /opt/libexec/kubernetes/kubelet-plugins/volume/exec
+
+    - path: /etc/kubernetes/calico.yaml
+      mode: 0644
+      contents:
+        source: "http://build-node.undercloud.local:3000/admin/undercloud-infrastructure/raw/branch/main/k8s-binaries/calico.yaml"

 systemd:
  units:
-    # --- timezone
-    - name: set-timezone.service
+    - name: modules-load.service
      enabled: true
      contents: |
        [Unit]
-        Description=Set Timezone
-        After=network-online.target
-        Wants=network-online.target
+        Description=Load necessary kernel modules
+        Before=containerd.service kubeadm-init.service

        [Service]
-        StandardOutput=journal+console
-        StandardError=journal+console
        Type=oneshot
-        Restart=on-failure
-        ExecStart=/usr/bin/timedatectl set-timezone Europe/Berlin
-        ExecStart=/usr/bin/timedatectl set-ntp true
+        ExecStart=/usr/bin/modprobe br_netfilter
+        ExecStart=/usr/bin/modprobe overlay
+        RemainAfterExit=yes

        [Install]
        WantedBy=multi-user.target
-    # --- containerd service aktivieren ---
+
+    - name: systemd-networkd-wait-online.service
+      enabled: true
+
    - name: containerd.service
      enabled: true
      contents: |
        [Unit]
        Description=containerd container runtime
-        Documentation=https://containerd.io
-        After=network.target
+        After=network.target modules-load.service

        [Service]
-        ExecStartPre=/sbin/modprobe overlay
-        ExecStartPre=/sbin/modprobe br_netfilter
        ExecStart=/usr/bin/containerd
        Restart=always
        RestartSec=5
@@ -151,16 +168,22 @@ systemd:
        [Install]
        WantedBy=multi-user.target

-    # --- sysctl Settings aktivieren ---
-    - name: systemd-sysctl.service
+    - name: kubeadm-init.service
      enabled: true
+      contents: |
+        [Unit]
+        Description=Kubeadm Init Cluster
+        After=network-online.target containerd.service
+        Wants=network-online.target

-    # --- networkd & resolved aktivieren ---
-    - name: systemd-networkd.service
-      enabled: true
-    - name: systemd-resolved.service
-      enabled: true
+        [Service]
+        Type=oneshot
+        ExecStart=/opt/kubernetes/bin/kubeadm init --config=/etc/kubernetes/kubeadm-init.yaml
+        ExecStartPost=/usr/bin/mkdir -p /home/core/.kube
+        ExecStartPost=/usr/bin/cp -i /etc/kubernetes/admin.conf /home/core/.kube/config
+        ExecStartPost=/usr/bin/chown core:core /home/core/.kube/config
+        ExecStartPost=/opt/kubernetes/bin/kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f /etc/kubernetes/calico.yaml
+        RemainAfterExit=yes

-    # kubelet wird erst nach kubeadm init gestartet
-    - name: kubelet.service
-      enabled: false
+        [Install]
+        WantedBy=multi-user.target
--- a/terraform/flatcar.tf
+++ b/terraform/flatcar.tf
@@ -34,7 +34,7 @@ resource "proxmox_virtual_environment_download_file" "flatcar_image" {
 # --- Butane zu Ignition ---
 data "ct_config" "control_plane1_ignition" {
  content       = file("${path.module}/control-plane1.bu")
-  strict        = true
+  strict        = false
  pretty_print  = true
 }
 data "ct_config" "control_plane2_ignition" {
--- a/terraform/terraform.tfstate
+++ b/terraform/terraform.tfstate
--- a/terraform/terraform.tfstate.backup
+++ b/terraform/terraform.tfstate.backup