Terraform is an infrastructure-as-code tool for building, changing and versioning cloud and on-premises resources safely and efficiently.
Resources are managed through providers; this post uses the Rancher2 provider.
Environment:
- Rancher v2.8.5-ent
- Downstream cluster: RKE2 v1.28.15+rke2r1
- Terraform v1.11.4
- Rancher2 provider v4.1.0
The provider version must be chosen to match the Rancher version; see the compatibility matrix: https://github.com/rancher/terraform-provider-rancher2/blob/master/docs/compatibility-matrix.md
Reference: https://developer.hashicorp.com/terraform/install
```bash
wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform
```
Prepare the configuration file
Reference: https://registry.terraform.io/providers/rancher/rancher2
```bash
cat <<EOF > main.tf
terraform {
  required_providers {
    rancher2 = {
      source  = "rancher/rancher2"
      version = "4.1.0"
    }
  }
}

provider "rancher2" {
  api_url    = "https://172.16.16.102"
  access_key = "xxx"
  secret_key = "yyy" # Recommended: create a Rancher admin API key that is not scoped to a cluster; a cluster-scoped key returns a 401 error here
  insecure   = true
}
EOF
```
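The provider block above writes the access key and secret key into main.tf in clear text and sets `insecure = true`, which disables TLS verification of the Rancher API endpoint. The following is an added example, not code from the original post, showing the same provider configured with the credentials moved into sensitive input variables and the Rancher server CA pinned instead of trusting any certificate. The variable names and the `rancher-ca.pem` path are assumptions for the example; `ca_certs`, `insecure` and the sensitive-variable mechanism are real provider and Terraform features.

```hcl
terraform {
  required_providers {
    rancher2 = {
      source  = "rancher/rancher2"
      version = "4.1.0"
    }
  }
}

# Assumed variable names for this example. Marking them sensitive keeps the
# values out of plan/apply output; they are supplied via TF_VAR_* environment
# variables or a tfvars file that stays out of version control.
variable "rancher_api_url" {
  type        = string
  description = "Rancher API URL, e.g. https://172.16.16.102"
}

variable "rancher_access_key" {
  type      = string
  sensitive = true
}

variable "rancher_secret_key" {
  type      = string
  sensitive = true
}

provider "rancher2" {
  api_url    = var.rancher_api_url
  access_key = var.rancher_access_key
  secret_key = var.rancher_secret_key

  # Pin the CA that signed the Rancher server certificate (assumed path) so the
  # API connection is verified; no need for insecure = true even with a
  # self-signed Rancher certificate.
  ca_certs = file("${path.module}/rancher-ca.pem")
  insecure = false
}
```

Supply the values with `export TF_VAR_rancher_access_key=...` and `export TF_VAR_rancher_secret_key=...` before running `terraform init` and `terraform plan`. Note that `sensitive = true` only redacts CLI output: the values are still stored in the state file, so the state backend needs the same access controls as the credentials themselves.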
Initialize:
Install NeuVector with rancher2_app_v2
Add the following to the configuration file:
```hcl
resource "rancher2_app_v2" "neuvector" {
  cluster_id    = "c-xxx"
  name          = "neuvector"
  namespace     = "cattle-neuvector-system"
  repo_name     = "rancher-charts"
  chart_name    = "neuvector"
  chart_version = "103.0.9+up2.8.5"
  values        = file("values.yaml")
}
```
Run the installation:
```bash
terraform plan
terraform apply
```
Check the app status:
```
root@test-1:~# terraform state list
rancher2_app_v2.neuvector
root@test-1:~# terraform state show rancher2_app_v2.neuvector
...
```
```
root@test-1:~# helm -n cattle-neuvector-system ls
NAME          NAMESPACE               REVISION UPDATED                                 STATUS   CHART                         APP VERSION
neuvector     cattle-neuvector-system 1        2025-05-02 11:04:37.784743727 +0000 UTC deployed neuvector-103.0.9+up2.8.5     5.4.3
neuvector-crd cattle-neuvector-system 1        2025-05-02 11:04:37.069967094 +0000 UTC deployed neuvector-crd-103.0.9+up2.8.5 5.4.3
root@test-1:~# kubectl -n cattle-neuvector-system get pod
NAME                                       READY   STATUS      RESTARTS   AGE
neuvector-cert-upgrader-job-l57fz          0/1     Completed   0          39m
neuvector-controller-pod-5577d69fcf-5vndq  1/1     Running     0          39m
neuvector-controller-pod-5577d69fcf-6rtkh  1/1     Running     0          39m
neuvector-controller-pod-5577d69fcf-kw7qj  1/1     Running     0          39m
neuvector-enforcer-pod-scm7g               1/1     Running     0          39m
neuvector-manager-pod-d8859f9bb-mxjpz      1/1     Running     0          39m
neuvector-scanner-pod-7d64b669cc-978ht     1/1     Running     0          39m
neuvector-scanner-pod-7d64b669cc-dltdd     1/1     Running     0          39m
neuvector-scanner-pod-7d64b669cc-xg9d2     1/1     Running     0          39m
```
Build an Elemental RKE2 cluster with rancher2_cluster_v2
Once the Elemental nodes are ready, create the MachineInventorySelectorTemplate objects:
```bash
# Pipe the manifests into kubectl (the original used ">" here, which would have
# written them to a file named "kubectl" instead of applying them).
cat <<EOF | kubectl apply -f -
apiVersion: elemental.cattle.io/v1beta1
kind: MachineInventorySelectorTemplate
metadata:
  name: pool-1
  namespace: fleet-default
spec:
  template:
    spec:
      selector:
        matchExpressions:
          - key: machineUUID
            operator: In
            values:
              - xxx
---
apiVersion: elemental.cattle.io/v1beta1
kind: MachineInventorySelectorTemplate
metadata:
  name: pool-2
  namespace: fleet-default
spec:
  template:
    spec:
      selector:
        matchExpressions:
          - key: machineUUID
            operator: In
            values:
              - yyy
---
apiVersion: elemental.cattle.io/v1beta1
kind: MachineInventorySelectorTemplate
metadata:
  name: pool-3
  namespace: fleet-default
spec:
  template:
    spec:
      selector:
        matchExpressions:
          - key: machineUUID
            operator: In
            values:
              - zzz
EOF
```
Add the following to the configuration file:
```hcl
locals {
  machine_pools = {
    all = {
      etcd_role           = true
      control_plane_role  = true
      worker_role         = true
      quantity            = 1
      machine_config_name = "pool-1"
    }
    dev = {
      etcd_role           = false
      control_plane_role  = false
      worker_role         = true
      quantity            = 1
      machine_config_name = "pool-2"
    }
    test = {
      etcd_role           = false
      control_plane_role  = false
      worker_role         = true
      quantity            = 1
      machine_config_name = "pool-3"
    }
  }
}

resource "rancher2_cluster_v2" "foo" {
  name               = "foo"
  kubernetes_version = "v1.30.13+rke2r1"

  rke_config {
    registries {
      configs {
        hostname                = "harbor.warnerchen.com"
        auth_config_secret_name = "registryconfig-auth-xxx"
        insecure                = "true"
        tls_secret_name         = ""
        ca_bundle               = ""
      }
    }

    dynamic "machine_pools" {
      for_each = local.machine_pools
      content {
        name               = machine_pools.key
        etcd_role          = machine_pools.value.etcd_role
        control_plane_role = machine_pools.value.control_plane_role
        worker_role        = machine_pools.value.worker_role
        quantity           = machine_pools.value.quantity

        machine_config {
          api_version = "elemental.cattle.io/v1beta1"
          kind        = "MachineInventorySelectorTemplate"
          name        = machine_pools.value.machine_config_name
        }
      }
    }
  }
}
```
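The `locals` map above is convenient, but nothing stops a typo from producing a cluster with no etcd/control-plane pool or an even etcd member count, and the registry entry disables TLS verification with `insecure = "true"`. The following is an added example, not code from the original post, that moves the pool map into an input variable with `validation` blocks and keeps the registry verified. The variable name `machine_pools`, the error messages and the choice to drop `insecure` are assumptions for the example; the resource and block names are those used on this page.

```hcl
# Assumed variable name for the example: the same map shape as local.machine_pools.
variable "machine_pools" {
  type = map(object({
    etcd_role           = bool
    control_plane_role  = bool
    worker_role         = bool
    quantity            = number
    machine_config_name = string
  }))

  # Refuse a layout in which no pool carries both the etcd and control plane roles.
  validation {
    condition     = anytrue([for p in values(var.machine_pools) : p.etcd_role && p.control_plane_role])
    error_message = "At least one machine pool must set both etcd_role and control_plane_role."
  }

  # etcd keeps quorum only with an odd member count. concat([0], ...) keeps sum()
  # from failing on an empty map; the first validation already rejects that case.
  validation {
    condition     = sum(concat([0], [for p in values(var.machine_pools) : p.etcd_role ? p.quantity : 0])) % 2 == 1
    error_message = "The total quantity across etcd pools must be odd (1, 3, 5, ...)."
  }

  validation {
    condition     = alltrue([for p in values(var.machine_pools) : p.quantity >= 1])
    error_message = "Every machine pool needs quantity >= 1."
  }
}

resource "rancher2_cluster_v2" "foo" {
  name               = "foo"
  kubernetes_version = "v1.30.13+rke2r1"

  rke_config {
    registries {
      configs {
        hostname                = "harbor.warnerchen.com"
        auth_config_secret_name = "registryconfig-auth-xxx"
        # Leave TLS verification on; the registry certificate must chain to a
        # CA the nodes trust. Only set insecure = true for a lab registry.
        insecure = false
      }
    }

    dynamic "machine_pools" {
      for_each = var.machine_pools
      content {
        name               = machine_pools.key
        etcd_role          = machine_pools.value.etcd_role
        control_plane_role = machine_pools.value.control_plane_role
        worker_role        = machine_pools.value.worker_role
        quantity           = machine_pools.value.quantity

        machine_config {
          api_version = "elemental.cattle.io/v1beta1"
          kind        = "MachineInventorySelectorTemplate"
          name        = machine_pools.value.machine_config_name
        }
      }
    }
  }
}
```

The pool map then lives in `terraform.tfvars` (the same `all`/`dev`/`test` entries as in the `locals` block), and `terraform plan` fails at validation time, before anything is sent to Rancher, if the layout would leave the cluster without a control plane or with an even etcd count.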
Rotate RKE2 cluster certificates with rancher2_cluster_v2
Add the following to the configuration file:
```hcl
resource "rancher2_cluster_v2" "foo" {
  name               = "foo"
  kubernetes_version = "v1.30.13+rke2r1"

  rke_config {
    ...
    rotate_certificates {
      generation = 1
    }
    ...
  }
}
```
Create/restore etcd snapshots for an RKE2 cluster with rancher2_cluster_v2
Create a snapshot:
```hcl
resource "rancher2_cluster_v2" "foo" {
  name               = "foo"
  kubernetes_version = "v1.30.13+rke2r1"

  rke_config {
    ...
    etcd_snapshot_create {
      generation = 1
    }
    ...
  }
}
```
Restore a snapshot:
```hcl
resource "rancher2_cluster_v2" "foo" {
  name               = "foo"
  kubernetes_version = "v1.30.13+rke2r1"

  rke_config {
    ...
    etcd_snapshot_restore {
      name       = "on-demand-m-029d6c9d-9024-4f9b-92de-58334a7aa6b7-1750757634"
      generation = 1
    }
    ...
  }
}
```
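The certificate rotation, snapshot creation and snapshot restore blocks above are all one-shot actions that the operator edits directly into main.tf, which means the restore block (with its snapshot name) tends to stay in the configuration long after the restore is done. As an added example covering both the rotation and the snapshot sections, and not code from the original post, the same `rancher2_cluster_v2` resource below emits each of those blocks only when a corresponding variable is set, so an action is requested with `-var` and the block disappears again when the variable is unset. The variable names are assumptions for the example; the block names and `generation`/`name` arguments are those shown on this page.

```hcl
# Assumed variable names. null means "do not emit the block at all".
variable "cert_rotation_generation" {
  type        = number
  default     = null
  description = "Set to a new value to request a certificate rotation; unset afterwards."
}

variable "etcd_snapshot_generation" {
  type        = number
  default     = null
  description = "Set to a new value to request an on-demand etcd snapshot; unset afterwards."
}

variable "etcd_restore" {
  type = object({
    name       = string
    generation = number
  })
  default     = null
  description = "Snapshot to restore, set only for the duration of the restore."
}

resource "rancher2_cluster_v2" "foo" {
  name               = "foo"
  kubernetes_version = "v1.30.13+rke2r1"

  rke_config {
    # machine_pools, registries and other settings from the earlier section go here.

    # for_each over a zero- or one-element list yields the block at most once.
    dynamic "rotate_certificates" {
      for_each = var.cert_rotation_generation == null ? [] : [var.cert_rotation_generation]
      content {
        generation = rotate_certificates.value
      }
    }

    dynamic "etcd_snapshot_create" {
      for_each = var.etcd_snapshot_generation == null ? [] : [var.etcd_snapshot_generation]
      content {
        generation = etcd_snapshot_create.value
      }
    }

    # The restore block, and the snapshot name inside it, exists only while
    # var.etcd_restore is set, so a stale restore request cannot linger in the config.
    dynamic "etcd_snapshot_restore" {
      for_each = var.etcd_restore == null ? [] : [var.etcd_restore]
      content {
        name       = etcd_snapshot_restore.value.name
        generation = etcd_snapshot_restore.value.generation
      }
    }
  }
}
```

A restore is then run as `terraform apply -var='etcd_restore={name="on-demand-...",generation=1}'` and, once the cluster is healthy again, a plain `terraform apply` removes the block; the `...` in the snapshot name stands for the full name from the snapshot list, as in the section above.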