Merge pull request #176 from kube-hetzner/rancher

Rancher addon

Author: mysticaltech

README.md

@@ -229,6 +229,29 @@ To use Kube-Hetzner on Terraform cloud, use as a Terraform module as mentioned a
 
 </details>
 
+<details>
+
+<summary>Configure add-ons with HelmChartConfig</summary>
+
+For instance, to customize the Rancher install, if you choose to enable it, you can create and apply the following `HelmChartConfig`:
+
+```yaml
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: rancher
+  namespace: kube-system
+spec:
+  valuesContent: |-
+    **values.yaml content you want to customize**
+```
+
+The helm options for Rancher can be seen here <https://github.com/rancher/rancher/blob/release/v2.6/chart/values.yaml>.
+
+Same goes for all add-ons, like Longhorn, Cert-manager, and Traefik.
+
+</details>
+
 ## Debugging
 
 First and foremost, it depends, but it's always good to have a quick look into Hetzner quickly without logging in to the UI. That is where the `hcloud` cli comes in.

init.tf

@@ -88,9 +88,11 @@ resource "null_resource" "kustomization" {
           "https://raw.githubusercontent.com/rancher/system-upgrade-controller/master/manifests/system-upgrade-controller.yaml",
         ],
         var.disable_hetzner_csi ? [] : ["https://raw.githubusercontent.com/hetznercloud/csi-driver/${local.csi_version}/deploy/kubernetes/hcloud-csi.yml"],
-        var.enable_longhorn ? ["longhorn.yaml"] : [],
         local.is_single_node_cluster ? [] : var.traefik_enabled ? ["traefik_config.yaml"] : [],
-        var.cni_plugin == "calico" ? ["https://projectcalico.docs.tigera.io/manifests/calico.yaml"] : []
+        var.cni_plugin == "calico" ? ["https://projectcalico.docs.tigera.io/manifests/calico.yaml"] : [],
+        var.enable_longhorn ? ["longhorn.yaml"] : [],
+        var.enable_cert_manager || var.enable_rancher ? ["cert-manager.yaml"] : [],
+        var.enable_rancher ? ["rancher.yaml"] : [],
       ),
       patchesStrategicMerge = concat(
         [
@@ -160,6 +162,26 @@ resource "null_resource" "kustomization" {
     destination = "/var/post_install/longhorn.yaml"
   }
 
+  # Upload the cert-manager config
+  provisioner "file" {
+    content = templatefile(
+      "${path.module}/templates/cert-manager.yaml.tpl",
+    {})
+    destination = "/var/post_install/cert-manager.yaml"
+  }
+
+  # Upload the Rancher config
+  provisioner "file" {
+    content = templatefile(
+      "${path.module}/templates/rancher.yaml.tpl",
+      {
+        rancher_install_channel    = var.rancher_install_channel
+        rancher_hostname           = var.rancher_hostname
+        number_control_plane_nodes = length(local.control_plane_nodes)
+    })
+    destination = "/var/post_install/rancher.yaml"
+  }
+
   # Deploy secrets, logging is automatically disabled due to sensitive variables
   provisioner "remote-exec" {
     inline = [

templates/cert-manager.yaml.tpl

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: cert-manager
+  namespace: kube-system
+spec:
+  chart: cert-manager
+  repo: https://charts.jetstack.io
+  targetNamespace: cert-manager
+  valuesContent: |-
+    installCRDs: true

templates/rancher.yaml.tpl

@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cattle-system
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: rancher
+  namespace: kube-system
+spec:
+  chart: rancher
+  repo: https://releases.rancher.com/server-charts/${rancher_install_channel}
+  targetNamespace: cattle-system
+  valuesContent: |-
+    ingress:
+      tls:
+        source: rancher
+    hostname: ${rancher_hostname}
+    replicas: ${number_control_plane_nodes}

terraform.tfvars.example

@@ -18,7 +18,7 @@ private_key = "/home/username/.ssh/id_ed25519"
 network_region = "eu-central" # change to `us-east` if location is ash
 
 # For the control planes, at least three nodes are the minimum for HA. Otherwise, you need to turn off the automatic upgrade (see ReadMe).
-# As per rancher docs, it must always be an odd number, never even! See https://rancher.com/docs/k3s/latest/en/installation/ha-embedded/
+# As per Rancher docs, it must always be an odd number, never even! See https://rancher.com/docs/k3s/latest/en/installation/ha-embedded/
 # For instance, one is ok (non-HA), two is not ok, and three is ok (becomes HA). It does not matter if they are in the same nodepool or not! So they can be in different locations and of various types.
 
 # Of course, you can choose any number of nodepools you want, with the location you want. The only constraint on the location is that you need to stay in the same network region, Europe, or the US.
@@ -183,3 +183,23 @@ load_balancer_location = "fsn1"
 # If you want to disable the automatic use of placement group "spread". See https://docs.hetzner.com/cloud/placement-groups/overview/
 # That may be useful if you need to deploy more than 500 nodes! The default is "false".
 # placement_group_disable = true
+
+# You can enable cert-manager (installed by Helm behind the scenes) with the following flag, the default is "false".
+# enable_cert_manager = true
+
+# You can enable Rancher (installed by Helm behind the scenes) with the following flag, the default is "false".
+# When Rancher is enabled, it automatically installs cert-manager too, and it uses rancher's own certificates.
+# As for the number of replicas, it is set to the numbe of control plane nodes.
+# You can customized all of the above by creating and applying a HelmChartConfig to pass the helm chart values of your choice. 
+# See https://rancher.com/docs/k3s/latest/en/helm/ 
+# and https://rancher.com/docs/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/
+# enable_rancher = true
+
+# When Rancher is deployed, by default is uses the "stable" channel. But this can be customized.
+# The allowed values are "stable", "latest", and "alpha".
+# rancher_install_channel = "latest"
+
+# Set your Rancher hostname, the default is "rancher.example.com".
+# It is a required value when using rancher, but up to you to point the DNS to it or not. 
+# You can also not point the DNS, and just port-forward locally via kubectl to get access to the dashboard.
+# rancher_hostname = "rancher.xyz.dev"

variables.tf

@@ -107,7 +107,7 @@ variable "initial_k3s_channel" {
   description = "Allows you to specify an initial k3s channel"
 
   validation {
-    condition     = contains(["stable", "latest", "testing", "v1.16", "v1.17", "v1.18", "v1.19", "v1.20", "v1.21", "v1.22", "v1.23"], var.initial_k3s_channel)
+    condition     = contains(["stable", "latest", "testing", "v1.16", "v1.17", "v1.18", "v1.19", "v1.20", "v1.21", "v1.22", "v1.23", "v1.24"], var.initial_k3s_channel)
     error_message = "The initial k3s channel must be one of stable, latest or testing."
   }
 }
@@ -175,3 +175,32 @@ variable "disable_hetzner_csi" {
   default     = false
   description = "Disable hetzner csi driver"
 }
+
+variable "enable_cert_manager" {
+  type        = bool
+  default     = false
+  description = "Enable cert manager"
+}
+
+variable "enable_rancher" {
+  type        = bool
+  default     = false
+  description = "Enable rancher"
+}
+
+variable "rancher_install_channel" {
+  type        = string
+  default     = "stable"
+  description = "Rancher install channel"
+
+  validation {
+    condition     = contains(["stable", "latest", "alpha"], var.rancher_install_channel)
+    error_message = "The allowed values for the Rancher install channel are stable, latest, or alpha."
+  }
+}
+
+variable "rancher_hostname" {
+  type        = string
+  default     = "rancher.example.com"
+  description = "Enable rancher"
+}