Terraform is an infrastructure-as-code tool that lets you build, change, and version cloud and on-premises resources safely and efficiently.
Through its various providers, resources can be managed in a simple way; here we use the Rancher2 provider.
Environment:
- Rancher v2.8.5-ent
- Downstream cluster: RKE2 v1.28.15+rke2r1
- Terraform v1.11.4
- Rancher2 provider v4.1.0
The provider version must be chosen to match the Rancher version; see the compatibility matrix: https://github.com/rancher/terraform-provider-rancher2/blob/master/docs/compatibility-matrix.md
Reference (installing Terraform): https://developer.hashicorp.com/terraform/install
```bash
wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform
```
Prepare the configuration file
Reference: https://registry.terraform.io/providers/rancher/rancher2
```bash
cat <<EOF > main.tf
terraform {
  required_providers {
    rancher2 = {
      source  = "rancher/rancher2"
      version = "4.1.0"
    }
  }
}

provider "rancher2" {
  api_url    = "https://172.16.16.102"
  access_key = "xxx"
  secret_key = "yyy"
  # Recommended: create a Rancher admin API key (ak/sk) with no cluster scope; otherwise using this parameter reports a 401 error
  insecure   = true
}
EOF
```
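The provider block above embeds the API key pair as literals in main.tf and disables TLS verification with `insecure = true`. The following is an added example (not from the original post or the rancher2 project) of the same provider configuration with the credentials moved into sensitive input variables supplied at run time, and TLS verification kept on by trusting the Rancher server's CA; the variable names and the `rancher-ca.pem` path are assumptions.

```hcl
terraform {
  required_providers {
    rancher2 = {
      source  = "rancher/rancher2"
      version = "4.1.0"
    }
  }
}

# Credentials are declared as sensitive input variables instead of string
# literals, so they are not committed with the configuration and Terraform
# redacts them in plan/apply output. Supply them at run time, for example:
#   export TF_VAR_rancher_access_key=...   (variable names are assumptions)
#   export TF_VAR_rancher_secret_key=...
variable "rancher_access_key" {
  type      = string
  sensitive = true
}

variable "rancher_secret_key" {
  type      = string
  sensitive = true
}

provider "rancher2" {
  api_url    = "https://172.16.16.102"
  access_key = var.rancher_access_key
  secret_key = var.rancher_secret_key
  # Trust the Rancher server's CA bundle instead of turning verification off.
  # rancher-ca.pem is an assumed path to the CA certificate exported from Rancher.
  ca_certs   = file("rancher-ca.pem")
  insecure   = false
}
```

Sensitive variables are still written in plaintext to terraform.tfstate wherever they end up in resource attributes, so the state backend needs the same access control as the API key itself.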
Initialize the Terraform working directory:
Install NeuVector with the rancher2_app_v2 resource
Add the following to the configuration file:
```hcl
resource "rancher2_app_v2" "neuvector" {
  cluster_id    = "c-xxx"
  name          = "neuvector"
  namespace     = "cattle-neuvector-system"
  repo_name     = "rancher-charts"
  chart_name    = "neuvector"
  chart_version = "103.0.9+up2.8.5"
  values        = file("values.yaml")
}
```
Run the installation (apply the configuration):
Check the app status:
```console
root@test-1:~# terraform state list
rancher2_app_v2.neuvector
root@test-1:~# terraform state show rancher2_app_v2.neuvector
...
```
```console
root@test-1:~# helm -n cattle-neuvector-system ls
NAME          NAMESPACE                REVISION  UPDATED                                  STATUS    CHART                          APP VERSION
neuvector     cattle-neuvector-system  1         2025-05-02 11:04:37.784743727 +0000 UTC  deployed  neuvector-103.0.9+up2.8.5      5.4.3
neuvector-crd cattle-neuvector-system  1         2025-05-02 11:04:37.069967094 +0000 UTC  deployed  neuvector-crd-103.0.9+up2.8.5  5.4.3
root@test-1:~# kubectl -n cattle-neuvector-system get pod
NAME                                        READY   STATUS      RESTARTS   AGE
neuvector-cert-upgrader-job-l57fz           0/1     Completed   0          39m
neuvector-controller-pod-5577d69fcf-5vndq   1/1     Running     0          39m
neuvector-controller-pod-5577d69fcf-6rtkh   1/1     Running     0          39m
neuvector-controller-pod-5577d69fcf-kw7qj   1/1     Running     0          39m
neuvector-enforcer-pod-scm7g                1/1     Running     0          39m
neuvector-manager-pod-d8859f9bb-mxjpz       1/1     Running     0          39m
neuvector-scanner-pod-7d64b669cc-978ht      1/1     Running     0          39m
neuvector-scanner-pod-7d64b669cc-dltdd      1/1     Running     0          39m
neuvector-scanner-pod-7d64b669cc-xg9d2      1/1     Running     0          39m
```