Terraform module which creates a k3s cluster, with multi-server and annotations/labels/taints management features.
```hcl
module "k3s" {
  source      = "xunleii/k3s/module"
  k3s_version = "v1.0.0"
  name        = "my.k3s.local"
  cidr = {
    pods     = "10.0.0.0/16"
    services = "10.1.0.0/16"
  }
  drain_timeout  = "30s"
  managed_fields = ["label", "taint"]
  global_flags = [
    "--tls-san k3s.my.domain.com"
  ]
  servers = {
    # The node name will be automatically provided by
    # the module using the field name... any usage of
    # --node-name in additional_flags will be ignored
    server-one = {
      ip = "10.123.45.67" // internal node IP
      connection = {
        host = "203.123.45.67" // public node IP
        user = "ubuntu"
      }
      flags  = ["--flannel-backend=none"]
      labels = {"node.kubernetes.io/type" = "master"}
      taints = {"node.k3s.io/type" = "server:NoSchedule"}
    }
    server-two = {
      ip = "10.123.45.68"
      connection = {
        host = "203.123.45.68" // bastion node
        user = "ubuntu"
      }
      flags  = ["--flannel-backend=none"]
      labels = {"node.kubernetes.io/type" = "master"}
      taints = {"node.k3s.io/type" = "server:NoSchedule"}
    }
    server-three = {
      ip = "10.123.45.69"
      connection = {
        host = "203.123.45.69" // bastion node
        user = "ubuntu"
      }
      flags  = ["--flannel-backend=none"]
      labels = {"node.kubernetes.io/type" = "master"}
      taints = {"node.k3s.io/type" = "server:NoSchedule"}
    }
  }
  agents = {
    # The node name will be automatically provided by
    # the module using the field name... any usage of
    # --node-name in additional_flags will be ignored
    agent-one = {
      ip = "10.123.45.70"
      connection = {
        user         = "root"
        bastion_host = "203.123.45.67" // server_one node used as bastion
        bastion_user = "ubuntu"
      }
      labels = {"node.kubernetes.io/pool" = "service-pool"}
    },
    agent-two = {
      ip = "10.123.45.71"
      connection = {
        user         = "root"
        bastion_host = "203.123.45.67"
        bastion_user = "ubuntu"
      }
      labels = {"node.kubernetes.io/pool" = "service-pool"}
    },
    agent-three = {
      name = "gpu-agent-one"
      ip   = "10.123.45.72"
      connection = {
        user         = "root"
        bastion_host = "203.123.45.67"
        bastion_user = "ubuntu"
      }
      labels = {"node.kubernetes.io/pool" = "gpu-pool"}
      taints = {dedicated = "gpu:NoSchedule"}
    },
  }
}
```
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
servers | K3s server nodes definition. The key is used as node name if no name is provided. | `map(any)` | n/a | yes |
agents | K3s agent nodes definition. The key is used as node name if no name is provided. | `map(any)` | `{}` | no |
cidr | K3s network CIDRs (see https://rancher.com/docs/k3s/latest/en/installation/install-options/). | `object({` | `{` | no |
cluster_domain | K3s cluster domain name (see https://rancher.com/docs/k3s/latest/en/installation/install-options/). | `string` | `"cluster.local"` | no |
depends_on_ | Resource dependency of this module. | `any` | `null` | no |
drain_timeout | The length of time to wait before giving up on draining a node. Infinite by default. | `string` | `"0s"` | no |
generate_ca_certificates | If true, this module will generate the CA certificates (see k3s-io/k3s#1868 (comment)). Otherwise rancher will generate them. This is required to generate the kubeconfig. | `bool` | `true` | no |
global_flags | Additional installation flags, used by all nodes (see https://rancher.com/docs/k3s/latest/en/installation/install-options/). | `list(string)` | `[]` | no |
k3s_version | Specify the k3s version. You can choose from the release channels or pin the version directly. | `string` | `"latest"` | no |
kubernetes_certificates | A list of maps of certificate-name.[crt/key] : certificate-value to be copied to /var/lib/rancher/k3s/server/tls. If this option is used, generate_ca_certificates will be treated as false. | `list(` | `[]` | no |
managed_fields | List of fields which must be managed by this module (can be annotation, label and/or taint). | `list(string)` | `[` | no |
name | K3s cluster domain name (see https://rancher.com/docs/k3s/latest/en/installation/install-options/). This input is deprecated and will be removed in the next major release. Use cluster_domain instead. | `string` | `"cluster.local"` | no |
separator | Separator used between node name and field name (used to manage annotations, labels and taints). | `string` | `"\|"` | |
use_sudo | Whether or not to use kubectl with sudo during cluster setup. | `bool` | `false` | no |
NOTES:
- servers must have an odd number of nodes
- use the first server node to configure the cluster
- if name is not specified, the key in the map will be used as name
- only one taint can be applied per taint name and per node
Outputs:

Name | Description |
---|---|
kube_config | Generated kubeconfig. |
kubernetes | Authentication credentials of Kubernetes (full administrator). |
kubernetes_ready | Dependency endpoint to synchronize k3s installation and provisioning. |
summary | Current state of k3s (version & nodes). |
kubernetes_cluster_secret | Secret token used to join nodes to the cluster. |
Requirements:

Name | Version |
---|---|
terraform | ~> 1.0 |
http | ~> 1.2 |
null | ~> 2.1 |
random | ~> 2.2 |
Because using external references in a destroy provisioner is deprecated by Terraform, storing information inside each resource is mandatory in order to manage several features such as auto-draining nodes and fields management. As a result, several fields, such as the connection block, will be present in your Terraform state. This means that any password or private key used will be readable in clear text in that state. Please do not use this module if you need to pass a private key or password in the connection block, even if your TF state is securely stored.
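As an added illustration of this warning (not part of the module or its documentation), the script below walks a state document and reports where connection-block credentials ended up, so a state file can be audited before it is committed or shared. The state layout it scans (a `null_resource` whose triggers hold a `jsonencode()`'d connection block) is a constructed sample and an assumption, not the module's actual schema; the attribute names it looks for are Terraform's documented connection-block credential attributes.

```python
import json
import re
from typing import Any, List, Tuple

# Credential attributes of a Terraform connection block (Terraform's documented names).
SENSITIVE_KEYS = {"password", "private_key", "bastion_password", "bastion_private_key"}
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_secrets(node: Any, path: str = "$") -> List[Tuple[str, str]]:
    """Walk a decoded state document; return (json_path, reason) for each credential found.
    Strings are re-parsed as JSON because modules often persist a connection block as a
    jsonencode()'d value inside resource triggers or attributes. Values are never returned."""
    hits: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS and value not in (None, ""):
                hits.append((child, f"connection attribute '{key}' stored in state"))
                continue  # already flagged; do not report the same value twice
            hits.extend(find_secrets(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_secrets(value, f"{path}[{i}]"))
    elif isinstance(node, str):
        if PEM_RE.search(node):
            hits.append((path, "PEM private key material"))
        elif node.lstrip().startswith(("{", "[")):
            try:
                hits.extend(find_secrets(json.loads(node), path + "<json>"))
            except ValueError:
                pass  # an ordinary string that merely starts with a bracket
    return hits


def scan_state(text: str) -> List[Tuple[str, str]]:
    """Scan the text of a terraform.tfstate (or `terraform show -json`) document."""
    return find_secrets(json.loads(text))


# Constructed sample state (not a real state file; the layout is an assumption): one
# null_resource whose triggers hold a jsonencode()'d connection block and a bastion key.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [{
    "type": "null_resource", "name": "servers_install", "instances": [{"attributes": {
        "triggers": {
            "connection_json": json.dumps({"host": "203.0.113.10", "user": "ubuntu",
                                           "password": "example-password"}),
            "bastion_private_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n-----END OPENSSH PRIVATE KEY-----",
        }}}]}]})

if __name__ == "__main__":
    for json_path, reason in scan_state(SAMPLE_STATE):  # prints locations only, never values
        print(f"{json_path}: {reason}")
```

Run it against a real `terraform.tfstate` by passing the file's contents to `scan_state`; a non-empty result means the state must be treated as a credential store, regardless of where it is kept.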
terraform-module-k3s is released under the MIT License. See the bundled LICENSE file for details.
Generated with ❤️ by terraform-docs