Merge pull request #1128 from kube-hetzner/staging

Deploy staging

Author: mysticaltech

docs/terraform.md

@@ -180,6 +180,7 @@
 | <a name="input_network_ipv4_cidr"></a> [network\_ipv4\_cidr](#input\_network\_ipv4\_cidr) | The main network cidr that all subnets will be created upon. | `string` | `"10.0.0.0/8"` | no |
 | <a name="input_network_region"></a> [network\_region](#input\_network\_region) | Default region for network. | `string` | `"eu-central"` | no |
 | <a name="input_nginx_values"></a> [nginx\_values](#input\_nginx\_values) | Additional helm values file to pass to nginx as 'valuesContent' at the HelmChart. | `string` | `""` | no |
+| <a name="input_nginx_version"></a> [nginx\_version](#input\_nginx\_version) | Version of Nginx helm chart. | `string` | `""` | no |
 | <a name="input_placement_group_disable"></a> [placement\_group\_disable](#input\_placement\_group\_disable) | Whether to disable placement groups. | `bool` | `false` | no |
 | <a name="input_postinstall_exec"></a> [postinstall\_exec](#input\_postinstall\_exec) | Additional to execute after the install calls, for example restoring a backup. | `list(string)` | `[]` | no |
 | <a name="input_preinstall_exec"></a> [preinstall\_exec](#input\_preinstall\_exec) | Additional to execute before the install calls, for example fetching and installing certs. | `list(string)` | `[]` | no |
@@ -200,10 +201,12 @@
 | <a name="input_traefik_additional_ports"></a> [traefik\_additional\_ports](#input\_traefik\_additional\_ports) | Additional ports to pass to Traefik. These are the ones that go into the ports section of the Traefik helm values file. | <pre>list(object({<br>    name        = string<br>    port        = number<br>    exposedPort = number<br>  }))</pre> | `[]` | no |
 | <a name="input_traefik_additional_trusted_ips"></a> [traefik\_additional\_trusted\_ips](#input\_traefik\_additional\_trusted\_ips) | Additional Trusted IPs to pass to Traefik. These are the ones that go into the trustedIPs section of the Traefik helm values file. | `list(string)` | `[]` | no |
 | <a name="input_traefik_autoscaling"></a> [traefik\_autoscaling](#input\_traefik\_autoscaling) | Should traefik enable Horizontal Pod Autoscaler. | `bool` | `true` | no |
+| <a name="input_traefik_image_tag"></a> [traefik\_image\_tag](#input\_traefik\_image\_tag) | Traefik image tag. Useful to use the beta version for new features. Example: v3.0.0-beta5 | `string` | `""` | no |
 | <a name="input_traefik_pod_disruption_budget"></a> [traefik\_pod\_disruption\_budget](#input\_traefik\_pod\_disruption\_budget) | Should traefik enable pod disruption budget. Default values are maxUnavailable: 33% and minAvailable: 1. | `bool` | `true` | no |
 | <a name="input_traefik_redirect_to_https"></a> [traefik\_redirect\_to\_https](#input\_traefik\_redirect\_to\_https) | Should traefik redirect http traffic to https. | `bool` | `true` | no |
 | <a name="input_traefik_resource_limits"></a> [traefik\_resource\_limits](#input\_traefik\_resource\_limits) | Should traefik enable default resource requests and limits. Default values are requests: 100m & 50Mi and limits: 300m & 150Mi. | `bool` | `true` | no |
 | <a name="input_traefik_values"></a> [traefik\_values](#input\_traefik\_values) | Additional helm values file to pass to Traefik as 'valuesContent' at the HelmChart. | `string` | `""` | no |
+| <a name="input_traefik_version"></a> [traefik\_version](#input\_traefik\_version) | Version of Traefik helm chart. | `string` | `""` | no |
 | <a name="input_use_cluster_name_in_node_name"></a> [use\_cluster\_name\_in\_node\_name](#input\_use\_cluster\_name\_in\_node\_name) | Whether to use the cluster name in the node name. | `bool` | `true` | no |
 | <a name="input_use_control_plane_lb"></a> [use\_control\_plane\_lb](#input\_use\_control\_plane\_lb) | When this is enabled, rather than the first node, all external traffic will be routed via a control-plane loadbalancer, allowing for high availability. | `bool` | `false` | no |
 

init.tf

@@ -131,9 +131,11 @@ resource "null_resource" "kustomization" {
       coalesce(var.kured_version, "N/A"),
       coalesce(var.calico_version, "N/A"),
       coalesce(var.cilium_version, "N/A"),
+      coalesce(var.traefik_version, "N/A"),
+      coalesce(var.nginx_version, "N/A"),
     ])
     options = join("\n", [
-      for option, value in var.kured_options : "${option}=${value}"
+      for option, value in local.kured_options : "${option}=${value}"
     ])
   }
 
@@ -156,6 +158,7 @@ resource "null_resource" "kustomization" {
     content = templatefile(
       "${path.module}/templates/traefik_ingress.yaml.tpl",
       {
+        version          = var.traefik_version
         values           = indent(4, trimspace(local.traefik_values))
         target_namespace = local.ingress_target_namespace
     })
@@ -167,6 +170,7 @@ resource "null_resource" "kustomization" {
     content = templatefile(
       "${path.module}/templates/nginx_ingress.yaml.tpl",
       {
+        version          = var.nginx_version
         values           = indent(4, trimspace(local.nginx_values))
         target_namespace = local.ingress_target_namespace
     })

kube.tf.example

@@ -430,6 +430,10 @@ module "kube-hetzner" {
   # Example:
   # traefik_additional_options = ["--log.level=DEBUG", "--tracing=true"]
 
+  # By default traefik image tag is an empty string which uses latest image tag.
+  # The default is "".
+  # traefik_image_tag = "v3.0.0-beta5"
+
   # By default traefik is configured to redirect http traffic to https, you can set this to "false" to disable the redirection.
   # The default is true.
   # traefik_redirect_to_https = false
@@ -833,6 +837,9 @@ persistence:
   defaultClass: true
   EOT */
 
+  # If you want to use a specific Traefik helm chart version, set it below; otherwise, leave them as-is for the latest versions.
+  # traefik_version = ""
+
   # Traefik, all Traefik helm values can be found at https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml
   # The following is an example, please note that the current indentation inside the EOT is important.
   /*   traefik_values = <<EOT
@@ -875,6 +882,9 @@ ports:
         - 10.0.0.0/8
   EOT */
 
+  # If you want to use a specific Nginx helm chart version, set it below; otherwise, leave them as-is for the latest versions.
+  # nginx_version = ""
+
   # Nginx, all Nginx helm values can be found at https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml
   # You can also have a look at https://kubernetes.github.io/ingress-nginx/, to understand how it works, and all the options at your disposal.
   # The following is an example, please note that the current indentation inside the EOT is important.

locals.tf

@@ -79,9 +79,7 @@ locals {
         "https://github.com/kubereboot/kured/releases/download/${local.kured_version}/kured-${local.kured_version}-dockerhub.yaml",
         "https://raw.githubusercontent.com/rancher/system-upgrade-controller/master/manifests/system-upgrade-controller.yaml",
       ],
-      var.disable_hetzner_csi ? [] : [
-        "hcloud-csi.yml"
-      ],
+      var.disable_hetzner_csi ? [] : ["hcloud-csi.yml"],
       lookup(local.ingress_controller_install_resources, local.ingress_controller, []),
       lookup(local.cni_install_resources, var.cni_plugin, []),
       var.enable_longhorn ? ["longhorn.yaml"] : [],
@@ -90,14 +88,24 @@ locals {
       var.enable_rancher ? ["rancher.yaml"] : [],
       var.rancher_registration_manifest_url != "" ? [var.rancher_registration_manifest_url] : []
     ),
-    patchesStrategicMerge = concat(
-      [
-        file("${path.module}/kustomize/system-upgrade-controller.yaml"),
-        "kured.yaml",
-        "ccm.yaml",
-      ],
-      lookup(local.cni_install_resource_patches, var.cni_plugin, [])
-    )
+    patches = [
+      {
+        target = {
+          group     = "apps"
+          version   = "v1"
+          kind      = "Deployment"
+          name      = "system-upgrade-controller"
+          namespace = "system-upgrade"
+        }
+        patch = file("${path.module}/kustomize/system-upgrade-controller.yaml")
+      },
+      {
+        path = "kured.yaml"
+      },
+      {
+        path = "ccm.yaml"
+      }
+    ]
   })
 
   apply_k3s_selinux = ["/sbin/semodule -v -i /usr/share/selinux/packages/k3s.pp"]
@@ -484,6 +492,8 @@ controller:
   EOT
 
   traefik_values = var.traefik_values != "" ? var.traefik_values : <<EOT
+image:
+  tag: ${var.traefik_image_tag}
 deployment:
   replicas: ${local.ingress_replica_count}
 globalArguments: []
@@ -618,6 +628,7 @@ installCRDs: true
     "pre-reboot-node-labels" : "kured=rebooting",
     "post-reboot-node-labels" : "kured=done",
     "period" : "5m",
+    "lock-ttl" : "30m"
   }, var.kured_options)
 
   k3s_registries_update_script = <<EOF

templates/nginx_ingress.yaml.tpl

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: nginx
+  name: ${target_namespace}
 ---
 apiVersion: helm.cattle.io/v1
 kind: HelmChart
@@ -11,6 +11,7 @@ metadata:
   namespace: kube-system
 spec:
   chart: ingress-nginx
+  version: "${version}"
   repo: https://kubernetes.github.io/ingress-nginx
   targetNamespace: ${target_namespace}
   bootstrap: true

templates/traefik_ingress.yaml.tpl

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: traefik
+  name: ${target_namespace}
 ---
 apiVersion: helm.cattle.io/v1
 kind: HelmChart
@@ -11,6 +11,7 @@ metadata:
   namespace: kube-system
 spec:
   chart: traefik
+  version: "${version}"
   repo: https://traefik.github.io/charts
   targetNamespace: ${target_namespace}
   bootstrap: true

variables.tf

@@ -358,6 +358,12 @@ variable "ingress_max_replica_count" {
   }
 }
 
+variable "traefik_image_tag" {
+  type        = string
+  default     = ""
+  description = "Traefik image tag. Useful to use the beta version for new features. Example: v3.0.0-beta5"
+}
+
 variable "traefik_autoscaling" {
   type        = bool
   default     = true
@@ -404,12 +410,24 @@ variable "traefik_additional_trusted_ips" {
   description = "Additional Trusted IPs to pass to Traefik. These are the ones that go into the trustedIPs section of the Traefik helm values file."
 }
 
+variable "traefik_version" {
+  type        = string
+  default     = ""
+  description = "Version of Traefik helm chart."
+}
+
 variable "traefik_values" {
   type        = string
   default     = ""
   description = "Additional helm values file to pass to Traefik as 'valuesContent' at the HelmChart."
 }
 
+variable "nginx_version" {
+  type        = string
+  default     = ""
+  description = "Version of Nginx helm chart."
+}
+
 variable "nginx_values" {
   type        = string
   default     = ""