Move manifests to old/ and init Terraform configuration for silver-hand

homelab/silver-hand/certmanager.tf

@@ -0,0 +1,60 @@
+resource "kubernetes_namespace" "certmanager" {
+    metadata {
+        name = "certmanager"
+    }
+}
+
+resource "helm_release" "certmanager" {
+    depends_on = [
+        kubernetes_namespace.certmanager
+    ]
+    name = "certmanager"
+    namespace = "certmanager"
+    repository = "https://charts.jetstack.io"
+    chart = "cert-manager"
+    version = "v1.15.2"
+    lint = true
+    set {
+        name  = "installCRDs"
+        value = "true"
+    }    
+}
+
+resource "time_sleep" "wait_for_certmanager" {
+    depends_on = [
+        helm_release.certmanager
+    ]
+    create_duration = "10s"
+}
+
+resource "kubectl_manifest" "cloudflare_prod" {
+    depends_on = [
+        time_sleep.wait_for_certmanager
+    ]
+    yaml_body = <<YAML
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: cloudflare-prod
+spec:
+  acme:
+    email: jafner425@gmail.com
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: cloudflare-prod-account-key
+    solvers:
+    - dns01:
+        cloudflare:
+          email: jafner425@gmail.com
+          apiKeySecretRef:
+            name: cloudflare-api-key-secret
+            key: api-key
+YAML
+}
+
+resource "time_sleep" "wait_for_clusterissuer" {
+    depends_on = [
+        kubectl_manifest.cloudflare_prod
+    ]
+    create_duration = "30s"
+} 

homelab/silver-hand/cloudflare.tf

@@ -0,0 +1,13 @@
+resource "kubernetes_secret" "cloudflare_api_key_secret" {
+    depends_on = [
+        kubernetes_namespace.certmanager
+    ]
+    metadata {
+        name = "cloudflare-api-key-secret"
+        namespace = "certmanager"
+    }
+    data = {
+        api-key = var.cloudflare_token
+    }
+    type = "Opaque"
+}

homelab/silver-hand/jafner-dev/jafner-dev.yml

@@ -1,62 +0,0 @@
-
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: jafner-dev
-
----
-
-apiVersion: datashim.io/v1alpha1
-kind: Dataset
-metadata:
-  namespace: jafner-dev
-  name: jafner-dev
-spec:
-  local:
-    type: "COS"
-    secret-name: jafner-dev-aws-credentials
-    endpoint: "https://s3.us-west-2.amazonaws.com"
-    bucket: "jafner-dev"
-    region: "us-west-2"
-
----
-apiVersion: v1
-kind: Pod
-metadata:
-  namespace: jafner-dev
-  name: nginx
-  labels:
-    app: jafner-dev
-    dataset.0.id: "jafner-dev"
-    dataset.0.useas: "mount"
-spec:
-  containers:
-    - name: nginx
-      image: nginx
-      volumeMounts:
-        - mountPath: "/usr/share/nginx/html"
-          name: "jafner-dev"
-  volumes:
-  - name: "jafner-dev"
-    persistentVolumeClaim:
-      claimName: "jafner-dev"
-
----
-apiVersion: v1
-kind: Service
-metadata: 
-  namespace: jafner-dev
-  name: nginx-service
-spec:
-  type: LoadBalancer
-  selector:
-    app: jafner-dev
-  ports:
-  - port: 8080
-    targetPort: 80
-
-# Access at: 
-#   - http://192.168.1.31:8080
-#   - http://192.168.1.32:8080
-#   - http://192.168.1.33:8080

homelab/silver-hand/nginx-test.tf

@@ -0,0 +1,120 @@
+resource "kubernetes_namespace" "nginx1" {
+    metadata {
+        name = "nginx1"
+    }
+}
+
+resource "kubernetes_deployment" "nginx1" {
+    depends_on = [
+        kubernetes_namespace.nginx1
+    ]
+    metadata {
+        name = "nginx1"
+        namespace = "nginx1"
+        labels = {
+            app = "nginx1"
+        }
+    }
+    spec {
+        replicas = 1
+        selector {
+            match_labels = {
+                app = "nginx1"
+            }
+        }
+        template {
+            metadata {
+                labels = {
+                    app = "nginx1"
+                }
+            }
+            spec {
+                container {
+                    image = "nginx:latest"
+                    name  = "nginx"
+
+                    port {
+                        container_port = 80
+                    }
+                }
+            }
+        }
+    }
+}
+
+
+resource "kubernetes_service" "nginx1" {
+    depends_on = [
+        kubernetes_namespace.nginx1
+    ]
+    metadata {
+        name = "nginx1"
+        namespace = "nginx1"
+    }
+    spec {
+        selector = {
+            app = "nginx1"
+        }
+        port {
+            port = 80
+        }
+        type = "ClusterIP"
+    }
+}
+
+resource "kubectl_manifest" "nginx1-certificate" {
+    depends_on = [kubernetes_namespace.nginx1, time_sleep.wait_for_clusterissuer]
+    yaml_body = <<YAML
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nginx1
+  namespace: nginx1
+spec:
+  secretName: nginx1
+  issuerRef:
+    name: cloudflare-prod
+    kind: ClusterIssuer
+  dnsNames:
+  - 'nginx1.jafner.dev'   
+    YAML
+}
+
+resource "kubernetes_ingress_v1" "nginx1" {
+    depends_on = [kubernetes_namespace.nginx1]
+    metadata {
+        name = "nginx1"
+        namespace = "nginx1"
+    }
+    spec {
+        rule {
+            host = "nginx1.jafner.dev"
+            http {
+                path {
+                    path = "/"
+                    backend {
+                        service {
+                            name = "nginx1"
+                            port {
+                                number = 80
+                            }
+                        }
+                    }
+
+                }
+            }
+        }
+        tls {
+          secret_name = "nginx1"
+          hosts = ["nginx1.jafner.dev"]
+        }
+    }
+}
+
+resource "cloudflare_record" "nginx1-k3s-jafner-dev" {
+    zone_id = "b6f3735cd87078e4c5d4a17c95cd979f"
+    name = "nginx1.jafner.dev"
+    content =  data.dns_a_record_set.jafner-net.addrs[0] # Not a typo. We assume jafner.net is pointing at the homelab, and jafner.dev is pointed elsewhere
+    type = "A"
+    proxied = false
+}

homelab/silver-hand/old/cert-manager/cert-manager.issuer.yml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-issuer
+spec:
+  acme:
+    email: jafner425@gmail.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-issuer-account-key
+    solvers:
+      - selector: {}
+        dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-token
+              key: token

homelab/silver-hand/old/helm/README.md

@@ -0,0 +1,26 @@
+# Helm
+This directory contains documentation and files related to configuring Helm for the Silver Hand cluster. 
+
+### Repositories Used
+- [kubernetes-dashboard](https://kubernetes.github.io/dashboard/) to provide [Kubernetes Dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/).
+
+### Steps Taken So Far
+```
+helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
+helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard
+```
+
+```
+helm repo add traefik https://traefik.github.io/charts
+helm install traefik traefik/traefik --version 30.0.2
+```
+
+```
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.2/cert-manager.crds.yaml
+helm repo add jetstack https://charts.jetstack.io --force-update
+helm install cert-manager --namespace cert-manager --version v1.15.2 jetstack/cert-manager
+
+```
+
+#### Sources:
+[Deploy and Access the Kubernetes Dashboard - Kubernetes.io](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/)

homelab/silver-hand/old/jafner-dev/jafner-dev.dataset.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: datashim.io/v1alpha1
+kind: Dataset
+metadata:
+  namespace: jafner-dev
+  name: jafner-dev
+spec:
+  local:
+    type: "COS"
+    secret-name: jafner-dev-aws-credentials
+    endpoint: "https://s3.us-west-2.amazonaws.com"
+    bucket: "jafner-dev"
+    region: "us-west-2"

homelab/silver-hand/old/jafner-dev/jafner-dev.ingress.yml

@@ -0,0 +1,21 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: jafner-dev
+  name: jafner-dev
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  ingressClassName: jafner-dev
+  rules:
+  - host: "jafner-dev.k3s.jafner.net"
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend: 
+          service: 
+            name: jafner-dev-service
+            port:
+              number: 80

homelab/silver-hand/old/jafner-dev/jafner-dev.namespace.yml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: jafner-dev

homelab/silver-hand/old/jafner-dev/jafner-dev.pod.yml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  namespace: jafner-dev
+  name: nginx
+  labels:
+    app: jafner-dev
+    dataset.0.id: "jafner-dev"
+    dataset.0.useas: "mount"
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    ports:
+    - containerPort: 80
+      name: http
+    volumeMounts:
+    - mountPath: "/usr/share/nginx/html"
+      name: "jafner-dev"
+  volumes:
+  - name: "jafner-dev"
+    persistentVolumeClaim:
+      claimName: "jafner-dev"

homelab/silver-hand/old/jafner-dev/jafner-dev.service.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata: 
+  namespace: jafner-dev
+  name: jafner-dev-service
+spec:
+  type: LoadBalancer
+  selector:
+    app: jafner-dev
+  ports:
+  - port: 80
+    targetPort: 80

homelab/silver-hand/old/traefik/traefik-custom-values.yml

@@ -0,0 +1,90 @@
+certResolvers:
+  cloudflare:
+    dnsChallenge:
+      provider: cloudflare
+    storage: /ssl-certs/acme-cloudflare.json
+
+env:
+  - name: CF_DNS_API_TOKEN
+    valueFrom:
+      secretKeyRef:
+        key: token
+        name: cloudflare-token-jafner-net-dns-edit
+
+logs:
+  general:
+    level: error
+
+ports:
+  web:
+    redirectTo: 
+      port: websecure
+  websecure:
+    tls:
+      enabled: true
+      certResolver: cloudflare
+
+ingressRoute: 
+  dashboard:
+    enabled: true
+
+additionalArguments:
+- "--api.insecure=true"
+
+tlsStore:
+  default:
+    defaultCertificate:
+      secretName: traefik-k3s-jafner-net
+
+persistence:
+  enabled: true
+  name: ssl-certs
+  size: 1Gi
+  path: /ssl-certs
+  storageClass: local-path
+
+deployment:
+  initContainers:
+    - name: volume-permissions
+      image: busybox:1.36.1
+      command: ["sh", "-c", "touch /ssl-certs/acme-cloudflare.json; chmod -v 600 /ssl-certs/acme-cloudflare.json"]
+      volumeMounts:
+        - name: ssl-certs
+          mountPath: /ssl-certs
+
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+
+extraObjects:
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      name: traefik-dashboard
+    spec:
+      selector:
+        app.kubernetes.io/name: traefik
+        app.kubernetes.io/instance: traefik-traefik
+      ports:
+      - port: 8080
+        name: traefik
+        targetPort: 9000
+        protocol: TCP
+  - apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+      name: traefik-dashboard
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    spec:
+      rules:
+      - host: traefik.k3s.jafner.net
+        http:
+          paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service: 
+                name: traefik-dashboard
+                port:
+                  name: traefik

homelab/silver-hand/old/traefik/traefik-dashboard.yml

@@ -0,0 +1,90 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cloudflare
+  namespace: traefik
+spec:
+  acme: 
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: jafner425@gmail.com
+    privateKeySecretRef:
+      name: cloudflare-key
+    solvers:
+      - dns01: 
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-token-jafner-net-dns-edit
+              key: token
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: traefik-k3s-jafner-net
+  namespace: traefik
+spec: 
+  secretName: traefik-k3s-jafner-net
+  dnsNames:
+    - "traefik.k3s.jafner.net"
+  issuerRef:
+    name: cloudflare
+    kind: Issuer
+
+
+# ---
+# apiVersion: traefik.containo.us/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: traefik-dashboard
+#   namespace: traefik
+# spec: 
+#   entryPoints: ["websecure"]
+#   routes:
+#   tls:
+#     certResolver: cloudflare
+
+# ---
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   name: traefik-dashboard
+#   namespace: traefik
+# spec:
+#   selector:
+#     app.kubernetes.io/name: traefik
+#   type: ClusterIP
+#   ports:
+#   - name: http
+#     port: 80
+#     targetPort: 9000
+
+# ---
+# apiVersion: networking.k8s.io/v1
+# kind: Ingress
+# metadata:
+#   name: traefik-dashboard
+#   namespace: traefik
+# spec:
+#   tls:
+#   - hosts:
+#       - traefik.k3s.jafner.net
+#     secretName: cloudflare-token-jafner-net-dns-edit
+#   rules:
+#   - host: traefik.k3s.jafner.net
+#     http:
+#       paths:
+#       - path: /
+#         pathType: Prefix
+#         backend:
+#           service:
+#             name: traefik-dashboard
+#             port:
+#               number: 80
+

homelab/silver-hand/silver-hand.tf

@@ -0,0 +1,72 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source = "hashicorp/kubernetes"
+      version = "2.31.0"
+    }
+    helm = {
+      source = "hashicorp/helm"
+      version = "2.14.1"
+    }
+    kubectl = {
+      source = "gavinbunney/kubectl"
+      version = "1.14.0"
+    }
+    cloudflare = {
+      source = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
+    dns = {
+      source = "hashicorp/dns"
+      version = "3.4.1"
+    }
+  }
+}
+
+provider "kubernetes" {
+    config_path = "~/.kube/config"
+    config_context = "default"
+}
+
+provider "helm" {
+  kubernetes {
+    config_path = "~/.kube/config"
+  }
+}
+
+provider "kubectl" { 
+}
+
+provider "cloudflare" {
+  api_token = var.cloudflare_token
+}
+
+variable "cloudflare_token" {
+  type = string
+}
+
+# Below allows us to reference public IP of TF execution environment 
+# with `data.http.myip.body`
+data "http" "myip" {
+  url = "https://ipv4.icanhazip.com"
+}
+
+# Below allows us to reference DNS A-records for the listed domains 
+# with `data.dns_a_record_set.<data-object-name>.addrs`
+data "dns_a_record_set" "jafner-net" {
+  host = "jafner.net"
+}
+data "dns_a_record_set" "jafner-dev" {
+  host = "jafner.dev"
+}
+data "dns_a_record_set" "jafner-chat" {
+  host = "jafner.chat"
+}
+
+## Look into how to implement a wait-for timer like this for self-hosted k3s.
+#resource "time_sleep" "wait_for_kubernetes" {
+#    depends_on = [
+#        civo_kubernetes_cluster.k8s_demo_1
+#    ]
+#    create_duration = "20s"
+#}

homelab/silver-hand/traefik.tf

@@ -0,0 +1,49 @@
+resource "kubernetes_namespace" "traefik" {
+    metadata {
+        name = "traefik"
+    }
+}
+
+resource "helm_release" "traefik" {
+    depends_on = [
+        kubernetes_namespace.traefik
+    ]
+    name = "traefik"
+    namespace = "traefik"
+    repository = "https://traefik.github.io/charts"
+    chart = "traefik"
+    version = "30.0.2"
+    lint = true
+    cleanup_on_fail = true
+    create_namespace = true
+    dependency_update = true
+    replace = true
+    set {
+        name  = "ingressClass.enabled"
+        value = "true"
+    }
+    set {
+        name  = "ingressClass.isDefaultClass"
+        value = "true"
+    }
+    set {
+        name  = "ports.web.redirectTo.port"
+        value = "websecure"
+    }
+    set {
+        name  = "ports.websecure.tls.enabled"
+        value = "true"
+    }
+
+    # In my local k3s environment, we need to give the Traefik service at least one external IP
+    # Else it will be stuck <pending> and terraform will fail to apply.
+    set_list { 
+        name = "service.externalIPs"
+        value = [
+            "192.168.1.31",
+            "192.168.1.32",
+            "192.168.1.33"
+        ]
+    }
+}
+