claude/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
infrastructure/modules/k8s-node/cloud-init.yaml.tftpl
root 9bacf44e76
Some checks failed
0/1 projects planned successfully.
AI Review / AI Code Review (pull_request) Successful in 2s
Details
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 11s
Details
Security Scan / Security Scan (pull_request) Successful in 15s
Details
fix: persist gitea hosts entry + containerd registry mirror in cloud-init 
manage_etc_hosts: true rewrites /etc/hosts on every VM boot, removing
the manually-added gitea entry. This broke image pulls after bare_srv_1
reboot because containerd couldn't resolve the Gitea auth token URL.

Changes:
- Add bootcmd to ensure 10.10.10.1 gitea in /etc/hosts on every boot
- Add containerd registry mirror config in write_files (was only in bootstrap)
- Add registry config_path to containerd config.toml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 17:41:19 +01:00

117 lines
3.9 KiB
Plaintext
Raw Blame History

#cloud-config
# K8s node cloud-init — installs containerd + kubeadm + node_exporter
# kubeadm init/join is NOT run here — done manually after boot
hostname: ${hostname}
manage_etc_hosts: true
disable_root: false
# Runs BEFORE runcmd, on every boot — survives manage_etc_hosts rewrite
bootcmd:
- grep -q '10.10.10.1 gitea' /etc/hosts || echo '10.10.10.1 gitea' >> /etc/hosts
users:
- name: root
ssh_authorized_keys:
- ${ssh_key}
shell: /bin/bash
package_update: true
packages:
- apt-transport-https
- ca-certificates
- curl
- gnupg
- conntrack
write_files:
# Kernel modules for K8s networking
- path: /etc/modules-load.d/k8s.conf
content: |
overlay
br_netfilter
# Sysctl for K8s networking
- path: /etc/sysctl.d/99-kubernetes.conf
content: |
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
# containerd config — systemd cgroup driver + registry mirror path
- path: /etc/containerd/config.toml
content: |
version = 2
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
# containerd registry mirror for Gitea (10.10.10.1:3000 via loki-tunnel)
- path: /etc/containerd/certs.d/10.10.10.1:3000/hosts.toml
content: |
server = "http://10.10.10.1:3000"
[host."http://10.10.10.1:3000"]
capabilities = ["pull", "resolve", "push"]
skip_verify = true
# node_exporter systemd unit
- path: /etc/systemd/system/node_exporter.service
content: |
[Unit]
Description=Prometheus Node Exporter
After=network.target
[Service]
User=node_exporter
ExecStart=/usr/local/bin/node_exporter
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
runcmd:
# ── Kernel modules ──
- modprobe overlay
- modprobe br_netfilter
- sysctl --system
# ── Disable swap (required for K8s) ──
- swapoff -a
- sed -i '/swap/d' /etc/fstab
# ── Install containerd from Docker repo ──
- install -m 0755 -d /etc/apt/keyrings
- curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
- chmod a+r /etc/apt/keyrings/docker.asc
- echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo $VERSION_CODENAME) stable" > /etc/apt/sources.list.d/docker.list
- apt-get update
- apt-get install -y containerd.io
- mkdir -p /etc/containerd
- systemctl restart containerd
- systemctl enable containerd
# ── Install kubeadm, kubelet, kubectl (v1.31) ──
- curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.31/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
- echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.31/deb/ /" > /etc/apt/sources.list.d/kubernetes.list
- apt-get update
- apt-get install -y kubelet kubeadm kubectl
- apt-mark hold kubelet kubeadm kubectl
# ── Install node_exporter for monitoring ──
- useradd --no-create-home --shell /bin/false node_exporter
- curl -fsSL https://github.com/prometheus/node_exporter/releases/download/v1.10.2/node_exporter-1.10.2.linux-amd64.tar.gz -o /tmp/node_exporter.tar.gz
- tar xzf /tmp/node_exporter.tar.gz -C /tmp
- cp /tmp/node_exporter-1.10.2.linux-amd64/node_exporter /usr/local/bin/
- chown node_exporter:node_exporter /usr/local/bin/node_exporter
- rm -rf /tmp/node_exporter*
- systemctl daemon-reload
- systemctl enable --now node_exporter
# ── Signal cloud-init completion ──
- touch /var/lib/cloud/instance/k8s-ready
Reference in New Issue View Git Blame Copy Permalink