# Private network (VPC) that the cluster droplets are attached to.
# Both the name and the region come from the caller's variables; only the
# description is fixed here.
resource "digitalocean_vpc" "keep-secrets-vpc" {
  description = "VPC for keep-secrets"
  name        = var.cluster_name
  region      = var.region
}
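# Firewall rules shared by every node (applied via both node tags).
# Rules keyed on source_tags only accept traffic from other droplets carrying
# that tag; rules keyed on source_addresses are reachable from the addresses
# listed, which for "0.0.0.0/0" / "::/0" means the whole internet.
resource "digitalocean_firewall" "rules" {
  name = var.cluster_name
  tags = [
    digitalocean_tag.controllers.name,
    digitalocean_tag.workers.name
  ]

  # ICMP between cluster nodes only. No port_range: ICMP has no ports.
  inbound_rule {
    protocol    = "icmp"
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }

  # SSH. As written this is reachable from any IPv4 or IPv6 address.
  # NOTE(review): narrow source_addresses to operator/bastion CIDRs where
  # the deployment allows it; this is the only world-reachable rule in this
  # block.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # IANA vxlan (flannel, calico) - overlay traffic between cluster nodes.
  inbound_rule {
    protocol    = "udp"
    port_range  = "4789"
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }

  # node-exporter metrics, scraped by Prometheus running on workers.
  inbound_rule {
    protocol    = "tcp"
    port_range  = "9100"
    source_tags = [digitalocean_tag.workers.name]
  }

  # kube-proxy metrics, scraped by Prometheus running on workers.
  inbound_rule {
    protocol    = "tcp"
    port_range  = "10249"
    source_tags = [digitalocean_tag.workers.name]
  }

  # Kubelet API, from any cluster node (controllers and workers).
  inbound_rule {
    protocol    = "tcp"
    port_range  = "10250"
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }

  # Egress is unrestricted for TCP, UDP and ICMP to any address.
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "icmp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}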
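# Firewall rules that apply to controller droplets only, in addition to the
# shared "rules" firewall. Everything here is tag-scoped (cluster-internal)
# except the kube-apiserver rule.
resource "digitalocean_firewall" "controllers" {
  name = "${var.cluster_name}-controllers"
  tags = [digitalocean_tag.controllers.name]

  # etcd client (2379) and peer (2380) traffic, controllers only.
  inbound_rule {
    protocol    = "tcp"
    port_range  = "2379-2380"
    source_tags = [digitalocean_tag.controllers.name]
  }

  # etcd metrics endpoint, scraped from workers.
  inbound_rule {
    protocol    = "tcp"
    port_range  = "2381"
    source_tags = [digitalocean_tag.workers.name]
  }

  # kube-apiserver. As written this is reachable from any IPv4 or IPv6
  # address, so the API server's own authentication is the only gate.
  # NOTE(review): if clients only come from known networks, restrict
  # source_addresses accordingly.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "6443"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # kube-scheduler / kube-controller-manager metrics, scraped from workers.
  inbound_rule {
    protocol    = "tcp"
    port_range  = "10257-10259"
    source_tags = [digitalocean_tag.workers.name]
  }
}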
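# Firewall rules that apply to worker droplets only, in addition to the
# shared "rules" firewall. All three rules below are world-reachable.
resource "digitalocean_firewall" "workers" {
  name = "${var.cluster_name}-workers"
  tags = [digitalocean_tag.workers.name]

  # HTTP/HTTPS ingress from anywhere (IPv4 and IPv6).
  inbound_rule {
    protocol         = "tcp"
    port_range       = "80"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  inbound_rule {
    protocol         = "tcp"
    port_range       = "443"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Port 10254 - presumably the ingress controller's health-check/metrics
  # port; confirm against the ingress manifests. Unlike 80/443 above it is
  # opened for IPv4 only. NOTE(review): if it only needs to be reachable by
  # a load balancer or by Prometheus, restrict source_addresses/source_tags
  # rather than exposing it to the internet.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "10254"
    source_addresses = ["0.0.0.0/0"]
  }
}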
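# DigitalOcean provider. The API token is read from a file outside the
# repository so the credential never appears in the configuration. Keep that
# file readable only by the user running Terraform. Alternatively leave
# `token` unset and supply it through the DIGITALOCEAN_TOKEN environment
# variable.
provider "digitalocean" {
  # Terraform 0.12+ expression syntax: the legacy "${...}" wrapper around a
  # single function call only produced an "interpolation-only expression"
  # deprecation warning. chomp() strips the trailing newline from the file.
  token = chomp(file("~/.config-bla-bla/bla-bla-bla/digital-ocean-token"))
}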
# Required. Names the VPC and firewalls and is prepended to dns_zone.
variable "cluster_name" {
  description = "Unique cluster name (prepended to dns_zone)"
  type        = string
}
# --- Digital Ocean placement ---

# Required. Region slug the VPC and droplets are created in.
variable "region" {
  description = "Digital Ocean region (e.g. nyc1, sfo2, fra1, tor1)"
  type        = string
}
# Required. DigitalOcean-managed domain used as the cluster's DNS zone.
variable "dns_zone" {
  description = "Digital Ocean domain (i.e. DNS zone) (e.g. do.example.com)"
  type        = string
}
# --- instances ---

# Optional. Number of controller (master) droplets; defaults to a single node.
variable "controller_count" {
  description = "Number of controllers (i.e. masters)"
  type        = number
  default     = 1
}
# Optional. Number of worker droplets; defaults to a single node.
variable "worker_count" {
  description = "Number of workers"
  type        = number
  default     = 1
}
# Optional. Droplet size slug for controllers.
variable "controller_type" {
  description = "Droplet type for controllers (e.g. s-2vcpu-2gb, s-2vcpu-4gb, s-4vcpu-8gb)."
  type        = string
  default     = "s-2vcpu-2gb"
}
# Optional. Droplet size slug for workers.
variable "worker_type" {
  description = "Droplet type for workers (e.g. s-1vcpu-2gb, s-2vcpu-2gb)"
  type        = string
  default     = "s-1vcpu-2gb"
}
# Required. Custom image id to boot every droplet from.
variable "os_image" {
  description = "Flatcar Linux image for instances (e.g. custom-image-id)"
  type        = string
}
# Optional. Extra Container Linux Config snippets merged into controllers;
# empty by default.
variable "controller_snippets" {
  description = "Controller Container Linux Config snippets"
  type        = list(string)
  default     = []
}
# Optional. Extra Container Linux Config snippets merged into workers;
# empty by default.
variable "worker_snippets" {
  description = "Worker Container Linux Config snippets"
  type        = list(string)
  default     = []
}
# --- configuration ---

# Required. MD5 fingerprints of the SSH public keys already registered with
# DigitalOcean; these are the keys that will be able to log in over the
# world-reachable SSH rule.
variable "ssh_fingerprints" {
  description = "SSH public key fingerprints. (e.g. see `ssh-add -l -E md5`)"
  type        = list(string)
}