This repository contains:
-
the minimum
Terraform
scaffolding necessary to spin up aKubernetes
cluster onLinode
. -
a
Makefile
with a suite of commands for creating, and tearing down, aKubernetes
cluster on Linode via these.tf
files on a local machine. -
a Github Action Workflow which runs
terraform apply
on this repository's.tf
files when a newRelease
is published, thus either creating a new or updating a pre-existingKubernetes
cluster onLinode
with thatRelease
's changes.
The Makefile
must be paired with an .env
file containing all necessary credentials, which are:
VAULT_ADDR
VAULT_NAMESPACE
VAULT_TOKEN
CONSUL_HTTP_TOKEN
TF_VAR_LINODE_KUBERNETES_API_TOKEN
KUBECONFIG
GH_TOKEN
init
runsterraform init
terraform_fmt
runsterraform fmt
plan_destroy
runsterraform plan -destroy
destroy
runsterraform destroy
get_kube_config
gets the kubeconfig file for a newly createdKubernetes
clusterplan
runsterraform plan
apply
runsterraform apply
generate_new_vault_token_for_github
generates a newVAULT_TOKEN
list_releases
lists all GithubRelease
s for this repocreate_release
creates a new publishedRelease
on github, taking two arguments:tag='v0.0.0'
- the version number for the release in Semverdescription='text'
- the description string for theRelease
main.tf
is configured to use Consul
as a backend state store and Linode
as its sole Provider
.
When triggered by a published release, the GitHub action Workflow reaches out to a Vault
server to retrieve credentials for both Consul
nd Linode
and then runs terraform fmt
, terraform plan
and terraform apply
.
This is the relevant part of the Workflow which must be configured with a Vault
endpoint url and API token as well as the precise paths of the secrets to be fetched:
- uses: hashicorp/[email protected]
with:
url: ${{ env.vault_endpoint}}
tlsSkipVerify: true
method: token
namespace: admin/yoyodynecorp
token: ${{ secrets.VAULT_API_TOKEN }}
secrets: |
secret/data/github_action_linode_terraform LINODE_KUBERNETES_API_TOKEN ;
secret/data/github_action_linode_terraform CONSUL_API_TOKEN
Else on all pull requests, terraform fmt
and terraform plan
are run to verify correctness.