Project K3s on Proxmox VE
# main.tf
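# Control-plane VM for the K3s cluster, created on Proxmox node "pve-02".
# The system disk is imported from the image fetched by
# proxmox_virtual_environment_download_file.ubuntu, and first-boot
# configuration comes from the proxmox_virtual_environment_file.pve-cp snippet.
resource "proxmox_virtual_environment_vm" "k3s-cp-01" {
  provider    = proxmox
  node_name   = "pve-02"
  vm_id       = 1001
  name        = "k3s-cp-01"
  description = "K3s-cp-01"
  tags        = ["k3s", "control-plane"]
  on_boot     = true

  # UEFI firmware on a q35 machine type.
  machine       = "q35"
  bios          = "ovmf"
  scsi_hardware = "virtio-scsi-single"

  cpu {
    cores = 2
    type  = "x86-64-v2-AES"
  }

  memory {
    dedicated = 4096
  }

  network_device {
    bridge = "vmbr0"
  }

  efi_disk {
    datastore_id = "local-zfs"
    # NOTE(review): the original comment here read "To support qcow2 format",
    # but the value actually set is "raw" - confirm which was intended.
    file_format = "raw"
    type        = "4m"
  }

  disk {
    datastore_id = "local-zfs"
    file_id      = proxmox_virtual_environment_download_file.ubuntu.id
    interface    = "scsi0"
    size         = 32
    cache        = "writethrough"
    discard      = "on"
    ssd          = true
  }

  boot_order = ["scsi0"]

  # Enable the QEMU guest agent. The agent package itself is installed by the
  # cloud-init snippet's "packages" list, so it is only present once that
  # snippet has actually been applied inside the guest.
  agent {
    enabled = true
  }

  operating_system {
    type = "l26" # Linux Kernel 2.6 - 6.X.
  }

  initialization {
    datastore_id = "local-zfs"

    # The pve-cp snippet starts with "#cloud-config" and defines users,
    # packages and a hostname, i.e. it is cloud-init *user data*. It was
    # attached through meta_data_file_id before; cloud-init does not act on
    # those keys in the meta-data document, so the admin account and its SSH
    # key would not be provisioned. Attach it as user data instead.
    user_data_file_id = proxmox_virtual_environment_file.pve-cp.id

    ip_config {
      ipv4 {
        address = "192.168.1.151/24"
        # NOTE(review): 192.168.0.1 lies outside 192.168.1.0/24 as written.
        # Confirm the prefix length (e.g. a wider LAN) or the gateway address.
        gateway = "192.168.0.1"
      }
    }
  }
}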
# bootstrap-cp.tf
# Ubuntu 24.04 cloud image, downloaded by node "pve-02" into the "local"
# datastore and used as the source of the VM's scsi0 disk.
resource "proxmox_virtual_environment_download_file" "ubuntu" {
  provider  = proxmox
  node_name = "pve-02"

  datastore_id = "local"
  content_type = "iso"
  file_name    = "ubuntu-24.04-server-cloudimg-amd64.img"

  # The URL points at a dated release directory and the SHA-256 below pins the
  # exact artifact, so a replaced or tampered image fails the download instead
  # of being booted. Update both together when moving to a newer build, taking
  # the digest from the publisher's SHA256SUMS file.
  # NOTE(review): the path contains "releases/releases" - verify it resolves.
  url                = "https://cloud-images.ubuntu.com/releases/releases/24.04/release-20250516/ubuntu-24.04-server-cloudimg-amd64.img"
  checksum_algorithm = "sha256"
  checksum           = "8d6161defd323d24d66f85dda40e64e2b9021aefa4ca879dcbc4ec775ad1bbc5"
}
# cloud-init document for the control-plane VM, uploaded as a snippet to the
# "local" datastore on node "pve-02".
#
# Security notes for whoever maintains this:
# - var.vm_password is interpolated into the document, so its value is stored
#   in the rendered snippet on the Proxmox datastore and in Terraform state;
#   "sensitive" only hides it from CLI output. cloud-init's "passwd" key
#   expects a password hash, not cleartext - confirm the variable holds a hash.
# - "lock_passwd: false" leaves password login enabled for an account in the
#   sudo group. The sshd hardening drop-in below is commented out, so sshd's
#   password policy is whatever the image ships with.
# - Terraform still interpolates ${...} on the commented-out YAML lines, which
#   is why var.cilium_cli_version must be set even though runcmd is disabled.
# - The disabled runcmd pipes a remote installer into a shell and unpacks a
#   release tarball without an integrity check. If it is re-enabled, pin the
#   K3s version and verify the downloads against published checksums first.
resource "proxmox_virtual_environment_file" "pve-cp" {
  provider     = proxmox
  node_name    = "pve-02"
  datastore_id = "local"
  content_type = "snippets"

  source_raw {
    file_name = "pve-cp.yaml"
    data      = <<-EOF
    #cloud-config
    users:
      - name: ${var.vm_username}
        passwd: ${var.vm_password}
        lock_passwd: false
        groups: [ sudo ]
        shell: /usr/bin/bash
        ssh_authorized_keys:
          - ${var.host_public_key}
    hostname: ${var.vm_hostname}
    package_update: true
    package_upgrade: true
    timezone: Europe/Berlin
    # write_files:
    #   - path: /etc/ssh/sshd_config.d/01-ssh-hardening.conf
    #     content: |
    #       PermitRootLogin no
    #       PasswordAuthentication no
    #       ChallengeResponseAuthentication no
    #       UsePAM no
    packages:
      - qemu-guest-agent
      - curl
      - net-tools
      - vim
      - ca-certificates
      - jq
    # power_state:
    #   delay: now
    #   mode: reboot
    #   message: "Rebooting after cloud-init has finished applying its configuration."
    #   condition: true
    # runcmd:
    #   - systemctl enable qemu-guest-agent
    #   - localectl set-locale LANG=en_US.UTF-8
    #   - curl -sfL https://get.k3s.io | sh -s - \
    #       --flannel-backend=none \
    #       --disable-kube-proxy \
    #       --disable servicelb \
    #       --disable-network-policy \
    #       --disable traefik \
    #       --write-kubeconfig-mode 600 \
    #       --cluster-init
    #   - mkdir -p $HOME/.kube
    #   - sudo cp -i /etc/rancher/k3s/k3s.yaml $HOME/.kube/config
    #   - sudo chown $(id -u):$(id -g) $HOME/.kube/config
    #   - echo "export KUBECONFIG=$HOME/.kube/config" >> $HOME/.bashrc
    #   - source $HOME/.bashrc
    #   - curl -sfLO https://github.com/cilium/cilium-cli/releases/download/v${var.cilium_cli_version}/cilium-linux-amd64.tar.gz
    #   - tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
    #   - rm cilium-linux-amd64.tar.gz
    #   - cilium install --version 1.17.4 \
    #       --set operator.replicas=1 \
    #       --set kubeProxyReplacement=true \
    #       --set ipam.mode=kubernetes \
    #       --set gatewayAPI.enabled=true \
    #       --set l2announcements.enabled=true \
    #       --set hubble.relay.enabled=true \
    #       --set hubble.ui.enabled=true \
    #       --set k8sClientRateLimit.qps=5 \
    #       --set k8sClientRateLimit.burst=10 \
    #       --set multiPoolPreAllocation=null
    EOF
  }
}
# versions.tf
# Provider requirements. "~> 0.78.0" accepts 0.78.x patch releases only.
# Committing the generated .terraform.lock.hcl additionally pins the provider
# package hashes, so a changed upstream artifact is rejected at init time.
terraform {
  required_providers {
    proxmox = {
      version = "~> 0.78.0"
      source  = "bpg/proxmox"
    }
  }
}
# Connection settings for the bpg/proxmox provider.
# No credential attribute is set in this block and var.proxmox_api_token is
# not referenced here - presumably the token reaches the provider through its
# environment variable; confirm.
provider "proxmox" {
  endpoint = "https://192.168.0.102:8006"

  # NOTE(review): insecure = true turns off TLS certificate verification for
  # the API endpoint, so the API credential is sent to a peer whose identity
  # is never checked. Prefer trusting the Proxmox CA (or installing a
  # certificate the workstation already trusts) and setting this to false.
  insecure = true

  # Operations that need SSH log in to the node as root, authenticating with
  # keys held by the local ssh-agent. A dedicated, less privileged account is
  # worth considering where the provider's requirements allow it.
  ssh {
    username = "root"
    agent    = true
  }
}
# variables.tf
# variable "proxmox" {
# description = "Proxmox provider configuration"
# type = object({
# node_name = string
# endpoint = string
# insecure = bool
# username = string
# password = string
# })
# }
# API token for Proxmox. Marked sensitive so Terraform redacts it in plan and
# apply output. Not referenced by any block shown in this gist.
variable "proxmox_api_token" {
  type        = string
  sensitive   = true
  description = "Proxmox API token"
}
# Hostname written into the cloud-init document ("hostname:" key).
variable "vm_hostname" {
  type        = string
  description = "VM hostname"
}
# Login name of the account that cloud-init creates in the guest.
variable "vm_username" {
  type        = string
  description = "VM username"
}
# Value placed in the cloud-init "passwd" field of the guest account.
# "sensitive" only redacts CLI output: the value is still written to Terraform
# state and to the rendered snippet on the Proxmox datastore, so protect both.
# cloud-init expects a password hash in "passwd" - supply a hash, not cleartext.
variable "vm_password" {
  type        = string
  sensitive   = true
  description = "VM password"
}
# variable "username" {
# description = "PVE API username"
# type = string
# }
# variable "password" {
# description = "PVE API password"
# type = string
# sensitive = true
# }
# SSH public key added to the guest account's ssh_authorized_keys list.
variable "host_public_key" {
  type        = string
  description = "Host public key"
}
# cilium-cli release used in the (currently commented-out) download URL inside
# the cloud-init document. Terraform still interpolates it there.
variable "cilium_cli_version" {
  type        = string
  description = "Cilium CLI version"
}
# terraform.tfvars
# Non-secret inputs only. vm_password, proxmox_api_token and host_public_key
# are deliberately absent and must be supplied another way (for example
# TF_VAR_* environment variables), which keeps secrets out of this file.
vm_hostname        = "k3s-cp-01"
vm_username        = "k3s-admin"
cilium_cli_version = "0.18.3"