Kube deploy in Yandex cloud

variable "k8s_global_vars" {
  description = "module:K8S-GLOBAL VARS"
  type        = any
  default     = {}
}

locals {

  k8s-addresses = {
    local_api_address           = format("%s.1",  join(".", slice(split(".",local.k8s_network.service_cidr), 0, 3)) )
    dns_address                 = format("%s.10", join(".", slice(split(".",local.k8s_network.service_cidr), 0, 3)) )

    idp_provider_fqdn           = format("auth.%s"          , local.cluster_metadata.base_domain)
    base_cluster_fqdn           = format("%s.%s"            , local.cluster_metadata.cluster_name, local.cluster_metadata.base_domain)
    wildcard_base_cluster_fqdn  = format("%s.%s.%s", "*"    , local.cluster_metadata.cluster_name, local.cluster_metadata.base_domain)
    etcd_server_lb_fqdn         = format("%s.%s.%s", "etcd" , local.cluster_metadata.cluster_name, local.cluster_metadata.base_domain)
  }
}

output "k8s-addresses" {
  value = local.k8s-addresses
}

fraimctl.conf
- apiVersion: fraima.io/v1alpha
  kind: Containerd
  spec:

    service:
      extraArgs:
        # This document provides the description of the CRI plugin configuration. 
        # The CRI plugin config is part of the containerd config
        # Default: /etc/containerd/config.toml
        config: /etc/kubernetes/containerd/config.toml

    configuration:
      extraArgs:
        version: 2
        plugins:
          io.containerd.grpc.v1.cri:
            containerd:
              runtimes:
                runc:
                  # Runtime v2 introduces a first class shim API for runtime authors to integrate with containerd. 
                  # The shim API is minimal and scoped to the execution lifecycle of a container.
                  runtime_type: "io.containerd.runc.v2"
                  options:
                    # While containerd and Kubernetes use the legacy cgroupfs driver for managing cgroups by default, 
                    # it is recommended to use the systemd driver on systemd-based hosts for compliance of the "single-writer" rule of cgroups. 
                    # To configure containerd to use the systemd driver, set the following option:
                    SystemdCgroup: true

    downloading:
      - name: containerd
        src: https://github.com/containerd/containerd/releases/download/v1.6.6/containerd-1.6.6-linux-amd64.tar.gz
        checkSum:
          src: https://github.com/containerd/containerd/releases/download/v1.6.6/containerd-1.6.6-linux-amd64.tar.gz.sha256sum
          type: "sha256"
        path: /usr/bin/
        owner: root:root
        permission: 0645
        unzip:
          status: true
          files: 
            - bin/containerd
            - bin/containerd-shim
            - bin/containerd-shim-runc-v1
            - bin/containerd-shim-runc-v2
            - bin/containerd-stress
            - bin/ctr

      - name: runc
        src: https://github.com/opencontainers/runc/releases/download/v1.1.3/runc.amd64
        path: /usr/bin/
        owner: root:root
        permission: 0645

    starting:
      - systemctl enable containerd
      - systemctl start containerd

fraimctl.conf
- apiVersion: fraima.io/v1alpha
  kind: Sysctl
  spec:
    configuration:
      extraArgs:
        net.ipv4.ip_forward: 1
    starting:
      - sudo sysctl --system

- apiVersion: fraima.io/v1alpha
  kind: Modprob
  spec:
    configuration:
      extraArgs:
      - br_netfilter
      - overlay
    starting:
      - sudo modprobe overlay
      - sudo modprobe br_netfilter
      - sudo sysctl --system

kubectl get no -o wide

root@master-2-cluster-2:/home/dkot# kubectl get nodes -o wide
NAME                 STATUS   ROLES                  AGE     VERSION    INTERNAL-IP   EXTERNAL-IP     OS-IMAGE             KERNEL-VERSION      CONTAINER-RUNTIME
master-1-cluster-2   Ready    control-plane,master   2m50s   v1.23.12   10.1.0.11     51.250.66.122   Ubuntu 20.04.4 LTS   5.4.0-124-generic   containerd://1.6.8
master-2-cluster-2   Ready    control-plane,master   2m53s   v1.23.12   10.2.0.33     84.201.139.95   Ubuntu 20.04.4 LTS   5.4.0-124-generic   containerd://1.6.8
master-3-cluster-2   Ready    control-plane,master   2m55s   v1.23.12   10.3.0.21     51.250.40.244   Ubuntu 20.04.4 LTS   5.4.0-124-generic   containerd://1.6.8

root@master-2-cluster-2:/home/dkot# kubectl get nodes -o wide
NAME                 STATUS   ROLES                  AGE   VERSION    INTERNAL-IP   EXTERNAL-IP     OS-IMAGE                       KERNEL-VERSION    CONTAINER-RUNTIME
master-1-cluster-2   Ready    control-plane,master   37s   v1.23.12   10.1.0.12     62.84.119.244   Debian GNU/Linux 10 (buster)   4.19.0-18-amd64   containerd://1.6.8
master-2-cluster-2   Ready    control-plane,master   12m   v1.23.12   10.2.0.16     51.250.27.187   Debian GNU/Linux 10 (buster)   4.19.0-18-amd64   containerd://1.6.8
master-3-cluster-2   Ready    control-plane,master   12m   v1.23.12   10.3.0.13     51.250.45.49    Debian GNU/Linux 10 (buster)   4.19.0-18-amd64   containerd://1.6.8

environments
export TF_VAR_YC_CLOUD_ID=""
export TF_VAR_YC_FOLDER_ID=""
export TF_VAR_YC_TOKEN=""
export TF_VAR_YC_ZONE=""
export TF_VAR_VAULT_TOKEN=""
export TF_VAR_VAULT_ADDR=""
export TF_VAR_KEYCLOAK_REALM=""
export TF_VAR_KEYCLOAK_CLIENT_ID=""
export TF_VAR_KEYCLOAK_USER=""
export TF_VAR_KEYCLOAK_PASSWORD=""
export TF_VAR_KEYCLOAK_URL=""
Этот подход позволяет использовать Terraform в контейнере через инструмент CI/CD, не указывая реальные значения переменных в провайдерах.

terraform workspace new example

terraform plan    -var-file vars/example.tfvars
terraform apply   -var-file vars/example.tfvars
terraform destroy -var-file vars/example.tfvars

vars/${cluster_name}.tf
global_vars = {
    cluster_name    = "example"
    pod_cidr        = "10.102.0.0/16"

    serviceaccount_k8s_controllers_name = "yandex-k8s-controllers"

    kube_apiserver_flags = {
        oidc-issuer-url         = "https://auth.dobry-kot.ru/auth/realms/master"
        oidc-client-id          = "kubernetes-clusters"
        oidc-username-claim     = "sub"
        oidc-groups-claim       = "groups"
        oidc-username-prefix    = "-"
    }

    kube_controller_manager_flags = {
        cluster-name = "kubernetes"
    }

    kube_scheduler_flags = {
        
    }

    addons = {
        cilium = {
            enabled = true
            extra_values = {
                cluster = {
                    name = "example"
                    id = 12
                }
            }
        }

        vault-issuer = {
            enabled = true
            extra_values = {}
        }

        coredns = {
            enabled = true
            extra_values = {}
        }

        gatekeeper = {
            enabled = true
            extra_values = {}
        }

        certmanager = {
            enabled = true
            extra_values = {}
        }

        machine-controller-manager = {
            enabled = true
            extra_values = {}
        }

        yandex-cloud-controller = {
            enabled = true
            extra_values = {}
        }

        yandex-csi-controller = {
            enabled = true
            extra_values = {}
        }

        compute-instance = {
            enabled = true
            custom_values = {
                subnet_id   = "e9bndv0b3c5asheadg09"
                zone        = "ru-central1-a"
                image_id    = "fd8ingbofbh3j5h7i8ll"
                replicas    = 1
            }
            extra_values = {
                metadata = {
                    nodeLabels = {
                        "node-role.kubernetes.io/worker" = ""
                        "provider" = "yandex"    
                    }
                    cloudLabels = {
                        tair = "critical"
                    }
                }
            }
        }
    }

}

cloud_metadata = {
    cloud_name  = "cloud-uid-vf465ie7"
    folder_name = "example"
}

master_group = {
    name                = "master"
    count               = 3

    default_subnet      = "10.0.0.0/24"
    default_zone        = "ru-central1-a"

    metadata = {
        # user_data_template = "fraima-hbf"
        user_data_template = "fraima"
    }
}

time terraform apply -var-file vars/example.tfvars  -auto-approve

Apply complete! Resources: 86 added, 0 changed, 0 destroyed.

Outputs:

LB-IP = "kubectl config set-cluster  cluster --server=https://158.160.63.64:443 --insecure-skip-tls-verify"

real    6m4,698s
user    0m24,182s
sys     0m1,582s

dk@dobry-kot-system:~/workspace/fraima/kubernetes/k8s-yandex-cluster-naked$ kubectl get nodes -o wide
NAME                STATUS   ROLES                  AGE     VERSION    INTERNAL-IP   EXTERNAL-IP      OS-IMAGE             KERNEL-VERSION      CONTAINER-RUNTIME
master-50d858e0-1   Ready    control-plane,master   9m34s   v1.23.12   10.0.0.12     158.160.51.95    Ubuntu 20.04.4 LTS   5.4.0-124-generic   containerd://1.6.6
master-50d858e0-2   Ready    control-plane,master   9m33s   v1.23.12   10.0.0.6      158.160.38.139   Ubuntu 20.04.4 LTS   5.4.0-124-generic   containerd://1.6.6
master-50d858e0-3   Ready    control-plane,master   9m34s   v1.23.12   10.0.0.19     158.160.42.200   Ubuntu 20.04.4 LTS   5.4.0-124-generic   containerd://1.6.6

kubeconfig
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://158.160.63.64:443
  name: cluster
contexts:
- context:
    cluster: cluster
    namespace: kube-fraima-machine-controller-manager
    user: cluster
  name: cluster
current-context: cluster
kind: Config
preferences: {}
users:
- name: cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://$KEYCLOAK-SERVER/auth/realms/master
      - --oidc-client-id=kubernetes-clusters
      - --oidc-client-secret=kube-client-secret
      - --certificate-authority=/usr/local/share/ca-certificates/oidc-ca.pem
      - --skip-open-browser
      - --grant-type=password
      - --username=$USERNAME
      - --password=$PASSWORD
      command: kubectl
      env:
      - name: context
        value: $(kubectl config current-context)
      interactiveMode: IfAvailable
      provideClusterInfo: false

NAME                                     STATUS   AGE
default                                  Active   11m
kube-fraima-certmanager                  Active   8m48s # CERTMANAGER
kube-fraima-dns                          Active   9m57s # COREDNS
kube-fraima-machine-controller-manager   Active   8m55s
kube-fraima-opa                          Active   9m44s # GATEKEEPER
kube-fraima-sdn                          Active   10m   # CILIUM
kube-fraima-yandex-cloud-controller      Active   11m
kube-fraima-yandex-csi-controller        Active   9m54s
kube-node-lease                          Active   11m
kube-public                              Active   11m
kube-system                              Active   11m

dk@dobry-kot-system:~/Downloads$ kubectl get csr
NAME                                                   AGE     SIGNERNAME                                    REQUESTOR                       REQUESTEDDURATION   CONDITION
csr-52cx7                                              12m     kubernetes.io/kubelet-serving                 system:node:master-50d858e0-3   <none>              Pending
csr-lbhqf                                              12m     kubernetes.io/kubelet-serving                 system:node:master-50d858e0-1   <none>              Pending
csr-n27p4                                              12m     kubernetes.io/kubelet-serving                 system:node:master-50d858e0-2   <none>              Pending
node-csr-3l5VT-i7YinQWaTvbCY467d27GQLnSqnT_BYgk_PFII   8m17s   clusterissuers.cert-manager.io/vault-issuer   system:bootstrap:663273         <none>              Pending

kubectl certificate approve node-csr-3l5VT-i7YinQWaTvbCY467d27GQLnSqnT_BYgk_PFII

dk@dobry-kot-system:~/Downloads$ kubectl get no -o wide
NAME                                         STATUS   ROLES                  AGE   VERSION    INTERNAL-IP   EXTERNAL-IP      OS-IMAGE             KERNEL-VERSION      CONTAINER-RUNTIME
master-50d858e0-1                            Ready    control-plane,master   24m   v1.23.12   10.0.0.12     158.160.51.95    Ubuntu 20.04.4 LTS   5.4.0-124-generic   containerd://1.6.6
master-50d858e0-2                            Ready    control-plane,master   24m   v1.23.12   10.0.0.6      158.160.38.139   Ubuntu 20.04.4 LTS   5.4.0-124-generic   containerd://1.6.6
master-50d858e0-3                            Ready    control-plane,master   24m   v1.23.12   10.0.0.19     158.160.42.200   Ubuntu 20.04.4 LTS   5.4.0-124-generic   containerd://1.6.6
worker-yandex-compute-instance-68ffc-f2sd2   Ready    worker                 11m   v1.23.12   10.154.0.11   51.250.72.216    Ubuntu 22.04.1 LTS   5.15.0-46-generic   containerd://1.6.6