K8s Digitalocean Terraform Save

Deploy latest Kubernetes cluster on DigitalOcean using Terraform

Project README

k8s-digitalocean-terraform

Deploy your Kubernetes cluster on DigitalOcean using Terraform with one click.

fork from kubernetes-digitalocean-terraform :)

Different from the original source, we use kubeadm to install k8s components, and we choose Ubuntu system, install ingress-controller by default.

Requirements

On Mac

With brew installed, all tools can be installed with

brew install terraform cfssl kubectl

Do all the following steps from a development machine. It does not matter where it is, as long as it is connected to the internet. This one will be subsequently used to access the cluster via kubectl.

Generate private / public keys

ssh-keygen -t rsa -b 4096

The system will prompt you for a file path to save the key, we will go with ~/.ssh/id_rsa in this tutorial.

Add your public key in the DigitalOcean control panel

Do it here. Name it and paste the public key just below Add SSH Key.

Add this key to your SSH agent

eval `ssh-agent -s`
ssh-add ~/.ssh/id_rsa

Invoke Terraform

We put our DigitalOcean token in the file ./secrets/DO_TOKEN (this directory is mentioned in .gitignore, of course, so we don't leak it)

Then we setup the environment variables (step into this repository root). Note that the first variable sets up the number of workers

export TF_VAR_number_of_workers=3
export TF_VAR_do_token=$(cat ./secrets/DO_TOKEN)
export TF_VAR_ssh_fingerprint=$(ssh-keygen -E MD5 -lf ~/.ssh/id_rsa.pub | awk '{print $2}' | sed 's/MD5://g')

If you are using an older version of OpenSSH (<6.9), replace the last line with

export TF_VAR_ssh_fingerprint=$(ssh-keygen -lf ~/.ssh/id_rsa.pub | awk '{print $2}')

There is a convenience script for you in ./setup_terraform.sh. Invoke it as

./setup_terraform.sh

Optionally, you can customize the datacenter region via:

export TF_VAR_do_region=fra1

The default region is nyc3. You can find a list of available regions from DigitalOcean.

After setup, call terraform apply

terraform apply

That should do! kubectl is configured, so you can just check the nodes (get no) and the pods (get po).

$ kubectl get no
NAME          LABELS                               STATUS
X.X.X.X   kubernetes.io/hostname=X.X.X.X   Ready     2m
Y.Y.Y.Y   kubernetes.io/hostname=Y.Y.Y.Y   Ready     2m

$ kubectl --namespace=kube-system get po
NAME                                   READY     STATUS    RESTARTS   AGE
kube-apiserver-X.X.X.X                    1/1       Running   0          13m
kube-controller-manager-X.X.X.X           1/1       Running   0          12m
kube-proxy-X.X.X.X                        1/1       Running   0          12m
kube-proxy-X.X.X.X                        1/1       Running   0          11m
kube-proxy-X.X.X.X                        1/1       Running   0          12m
kube-scheduler-X.X.X.X                    1/1       Running   0          13m

You are good to go. Now, we can keep on reading to dive into the specifics.

Deploy details

We use kubeadm.

K8s master

The cluster master, running:

  • flanneld
  • kubelet
  • kube-proxy
  • kube-apiserver
  • kube-controller-manager
  • kube-scheduler

Cloud config

See the template 00-master.yaml.

Provisions

Once we create this droplet (and get its IP), the TLS assets will be created locally (i.e. on the development machine from which we run terraform), and put into the directory secrets (which, again, is mentioned in .gitignore). The TLS assets consist of a server key and certificate for the API server, as well as a client key and certificate to authenticate flanneld and the API server to etcd2.

The TLS assets are copied to appropriate directories on the K8s master using Terraform file and remote-exec provisioners.

Lastly, we start and enable both kubelet and flanneld, and finally create the kube-system namespace.

K8s workers

Cluster worker nodes, each running:

  • flanneld
  • kubelet
  • kube-proxy
  • docker

Cloud config

See the template 01-worker.yaml.

Provisions

For each droplet created, a TLS client key and certificate will be created locally (i.e. on the development machine from which we run terraform), and put into the directory secrets (which, again, is mentioned in .gitignore).

The TLS assets are then copied to appropriate directories on the worker using Terraform file and remote-exec provisioners.

Finally, we start and enable kubelet and flanneld.

Setup kubectl

Use

export KUBECONFIG=/path/to/your/k8s-digitalocean-terraform/secrets/admin.conf

to configure kubectl.

Test your brand new cluster

kubectl get nodes

You should get something similar to

$ kubectl get nodes
NAME          LABELS                               STATUS
X.X.X.X       kubernetes.io/hostname=X.X.X.X       Ready

Thanks

LICENSE

MIT

Open Source Agenda is not affiliated with "K8s Digitalocean Terraform" Project. README Source: knarfeh/k8s-digitalocean-terraform
Stars
43
Open Issues
0
Last Commit
4 years ago
Repository
knarfeh/k8s-digitalocean-terraform
License
MIT
Tags
Cluster Coredns Devops Digitalocean Install Ipvs Ipvsadm K8s Kubeadm Kubernetes Kubernetes Cluster Kubernetes Digitalocean Terraform Terraform

Open Source Agenda Badge

Open Source Agenda Rating
Submit Review Review Your Favorite Project
Submit Resource Articles, Courses, Videos
Submit Article Submit a post to our blog

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?