feat: reuse loadbalancer for ingress

k3s_cluster_v2/agents.tf

@@ -20,3 +20,11 @@ resource "hcloud_server_network" "agents_network" {
   subnet_id = hcloud_network_subnet.k3s_nodes.id
   ip        = cidrhost(hcloud_network_subnet.k3s_nodes.ip_range, 1 + var.control_count + count.index)
 }
+
+resource "hcloud_load_balancer_target" "ingress" {
+  count            = var.compute_count
+  type             = "server"
+  load_balancer_id = hcloud_load_balancer.k3s.id
+  server_id        = hcloud_server.agents[count.index].id
+  use_private_ip   = true
+}

k3s_cluster_v2/flux.tf

@@ -92,6 +92,18 @@ resource "kubernetes_secret" "main" {
   }
 }
 
+resource "kubernetes_secret" "github_notifications" {
+  metadata {
+    name      = "github"
+    namespace = data.flux_sync.main.namespace
+  }
+
+  data = {
+    token = var.github_token_flux_notifications
+  }
+}
+
+
 # GitHub
 resource "github_repository" "main" {
   name       = var.repository_name

k3s_cluster_v2/k3s.tf

@@ -25,7 +25,12 @@ module "k3s" {
 
         agent = true
       }
-      flags       = ["--disable-cloud-controller", "--tls-san ${var.domain}"]
+      flags = [
+        "--disable-cloud-controller",
+        "--tls-san ${var.domain}",
+        # We need to modify the helm release to work with one loadbalancer for api+ingress
+        "--disable traefik"
+      ]
       annotations = { "server_id" : i } // theses annotations will not be managed by this module
     }
   }

k3s_cluster_v2/main.tf

@@ -44,3 +44,19 @@ resource "hcloud_rdns" "k3s" {
   ip_address       = hcloud_load_balancer.k3s.ipv4
   dns_ptr          = var.domain
 }
+
+### LB Ingress
+
+resource "hcloud_load_balancer_service" "ingress_https" {
+  load_balancer_id = hcloud_load_balancer.k3s.id
+  protocol         = "tcp"
+  listen_port      = 443
+  destination_port = 32443
+}
+
+resource "hcloud_load_balancer_service" "ingress_http" {
+  load_balancer_id = hcloud_load_balancer.k3s.id
+  protocol         = "tcp"
+  listen_port      = 80
+  destination_port = 32080
+}

k3s_cluster_v2/server.tf

@@ -35,4 +35,5 @@ resource "hcloud_load_balancer_target" "api" {
   type             = "server"
   load_balancer_id = hcloud_load_balancer.k3s.id
   server_id        = hcloud_server.control_planes[count.index].id
+  use_private_ip   = true
 }

k3s_cluster_v2/variables.tf

@@ -67,6 +67,11 @@ variable "github_token" {
   sensitive = true
 }
 
+variable "github_token_flux_notifications" {
+  type      = string
+  sensitive = true
+}
+
 variable "repository_name" {
   type = string
 }

main.tf

@@ -39,13 +39,14 @@ module "k3s_cluster_v2" {
   hcloud_ccm_token    = var.hcloud_ccm_token
 
   ## Flux
-  github_owner          = "apricote"
+  github_owner                    = "apricote"
-  github_token          = var.github_token
+  github_token                    = var.github_token
-  repository_name       = "home-cloud-flux-v2"
+  github_token_flux_notifications = var.github_token_flux_notifications
-  branch                = "main"
+  repository_name                 = "home-cloud-flux-v2"
-  repository_visibility = "private"
+  branch                          = "main"
-  target_path           = ""
+  repository_visibility           = "private"
-  flux_version          = "v0.24.0"
+  target_path                     = ""
+  flux_version                    = "v0.24.0"
 
 
 

variables.tf

@@ -9,6 +9,13 @@ variable "hcloud_ccm_token" {
 }
 
 variable "github_token" {
-  type      = string
+  description = "Github Personal Access Token that is used by Terraform"
-  sensitive = true
+  type        = string
+  sensitive   = true
+}
+
+variable "github_token_flux_notifications" {
+  description = "GH PAT used by flux for notifications"
+  type        = string
+  sensitive   = true
 }