Add environments/production/k8s-cluster.tf
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
This commit is contained in:
parent
c26947696e
commit
d78a78004e
84
environments/production/k8s-cluster.tf
Normal file
84
environments/production/k8s-cluster.tf
Normal file
@ -0,0 +1,84 @@
|
||||
# Kubernetes PoC cluster — Phase 6
|
||||
# 2 VMs on NAT bridge vmbr0 (10.10.10.200-201)
|
||||
# kubeadm + containerd + Calico
|
||||
#
|
||||
# Access: DNAT 6443 from bare_srv_1 public IP → k8s-master
|
||||
# Firewall: Proxmox FW on node level restricts 6443 to control plane IP
|
||||
#
|
||||
# Cloud image dependency: proxmox_virtual_environment_download_file.ubuntu_2404_cloud (in main.tf)
|
||||
|
||||
locals {
|
||||
k8s_nodes = {
|
||||
"k8s-master" = {
|
||||
vm_id = 300
|
||||
ip_address = "10.10.10.200"
|
||||
}
|
||||
"k8s-worker-01" = {
|
||||
vm_id = 301
|
||||
ip_address = "10.10.10.201"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "k8s_node" {
|
||||
source = "../../modules/k8s-node"
|
||||
for_each = local.k8s_nodes
|
||||
|
||||
name = each.key
|
||||
vm_id = each.value.vm_id
|
||||
ip_address = each.value.ip_address
|
||||
|
||||
depends_on = [proxmox_virtual_environment_download_file.ubuntu_2404_cloud]
|
||||
}
|
||||
|
||||
# ─── Proxmox node-level FW — allow K8s API + ArgoCD from control plane ──────
|
||||
|
||||
resource "proxmox_virtual_environment_firewall_rules" "k8s_api_access" {
|
||||
node_name = "georgeops"
|
||||
|
||||
rule {
|
||||
type = "in"
|
||||
action = "ACCEPT"
|
||||
proto = "tcp"
|
||||
dport = "6443"
|
||||
source = "78.109.17.180"
|
||||
comment = "K8s API from control plane (DNAT to k8s-master)"
|
||||
}
|
||||
|
||||
rule {
|
||||
type = "in"
|
||||
action = "ACCEPT"
|
||||
proto = "tcp"
|
||||
dport = "30443"
|
||||
source = "78.109.17.180"
|
||||
comment = "ArgoCD UI from control plane (DNAT to k8s-master)"
|
||||
}
|
||||
|
||||
rule {
|
||||
type = "in"
|
||||
action = "ACCEPT"
|
||||
proto = "tcp"
|
||||
dport = "9200"
|
||||
source = "78.109.17.180"
|
||||
comment = "k8s-master node_exporter (DNAT)"
|
||||
}
|
||||
|
||||
rule {
|
||||
type = "in"
|
||||
action = "ACCEPT"
|
||||
proto = "tcp"
|
||||
dport = "9201"
|
||||
source = "78.109.17.180"
|
||||
comment = "k8s-worker-01 node_exporter (DNAT)"
|
||||
}
|
||||
}
|
||||
|
||||
output "k8s_nodes" {
|
||||
description = "K8s cluster nodes"
|
||||
value = {
|
||||
for name, node in module.k8s_node : name => {
|
||||
vm_id = node.vm_id
|
||||
ip_address = node.ip_address
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
x
Reference in New Issue
Block a user