This repository enables easy deployment of Kubernetes clusters on Hetzner Cloud using Talos OS and Terraform. Benefit from a scalable, automated setup built on infrastructure-as-code principles for efficient management. Simplify Kubernetes deployment and focus on your applications with confidence.
| Terminology | Meaning |
|---|---|
| CPN | Control Plane Node |
| WKN | Worker Kubernetes Node |
```sh
brew install age
brew install terraform
curl -sL https://talos.dev/install | sh
brew install kubectl
```
```sh
# change the values below before running the command
cat << EOF > terraform/terraform.tfvars
hcloud_token = "YOUR_TOKEN_FROM_HETZNER"
hcloud_image = 1234567890
wkn_count = 0
EOF
```
```sh
age-keygen -o age.agekey &&
age_pubkey=$(awk '/^# public key:/{print $NF}' age.agekey) &&
echo "
creation_rules:
  - path_regex: .*.ya?ml
    encrypted_regex: ^(data|stringData)$
    age: $age_pubkey" > .sops.yaml
```
Next, you'll need to include .sops.yaml
in your repository. This step is crucial to allow other project contributors
to encrypt their secrets using the public key. Remember, keep the age.agekey
private key secure.
Before running the commands below, you need to prepare a Talos snapshot in Hetzner Cloud. For this, you can follow the official instructions. The ID of your Talos image snapshot is the value of the variable "hcloud_image".
## Create Talos OS snapshot
Prerequisites:
- Create an x86 instance with any Linux distro
- Enable "Rescue" mode in Hetzner (go to the instance, then open the "Rescue" tab)
- Manually reboot the instance (only once)
- When you connect via ssh, you can see that the instance has booted in rescue mode
- Execute the commands below
```sh
# fulfill the prerequisites, then run:
cd /tmp
wget -O /tmp/talos.raw.xz https://factory.talos.dev/image/1c924f0d41b37542e63612149946f0a62094ea88e1e0e3ae93a15246625e6775/v1.9.3/hcloud-amd64.raw.xz
xz -d -c /tmp/talos.raw.xz | dd of=/dev/sda && sync
shutdown -h now
```
```sh
terraform init
terraform apply
# Warning! These commands overwrite your existing configuration files (if they exist)
terraform output -raw talosconfig > ~/.talos/config
terraform output -raw kubeconfig > ~/.kube/config
# you can check the cluster status via `kubectl get nodes`.
# The output will look something like this:
```

```
(base) user@host terraform % kubectl get nodes
NAME     STATUS   ROLES           AGE   VERSION
cpn-00   Ready    control-plane   25m   v1.28.1
cpn-01   Ready    control-plane   25m   v1.28.1
cpn-02   Ready    control-plane   25m   v1.28.1
```
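The two `terraform output` redirections above replace whatever is already in `~/.talos/config` and `~/.kube/config`. The script below is an added example, not part of this repository: it installs the config that Terraform prints, keeps a timestamped backup of any existing file, and writes the new file atomically with owner-only (0600) permissions, since both files carry cluster-admin credentials. The file name `install_config.py` and the pipe-based usage are assumptions.

```python
"""Added example (not part of this repository): install the talosconfig/kubeconfig that
`terraform output -raw ...` prints without silently clobbering an existing file, and with
owner-only permissions, since both files carry cluster-admin credentials.
Assumed usage: terraform output -raw talosconfig | python3 install_config.py ~/.talos/config
"""
import os
import pathlib
import shutil
import sys
import time


def install_config(dest, content):
    """Back up a non-empty existing file, then write `content` atomically with mode
    0600. Returns the backup path, or None when there was nothing to back up."""
    dest = pathlib.Path(dest).expanduser()
    dest.parent.mkdir(parents=True, exist_ok=True)
    backup = None
    if dest.is_file() and dest.stat().st_size > 0:
        stamp = time.strftime("%Y%m%d%H%M%S")
        backup = dest.with_name(f"{dest.name}.bak.{stamp}")
        shutil.copy2(dest, backup)
    # Write to a sibling temp file created with 0600, then rename it over the target,
    # so a concurrent reader never sees a half-written config.
    tmp = dest.with_name(dest.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(tmp, 0o600)  # the mode passed to os.open is masked by umask; make it exact
    os.replace(tmp, dest)
    return backup


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: install_config.py <destination path>  (config is read from stdin)")
    previous = install_config(sys.argv[1], sys.stdin.read())
    if previous is not None:
        print(f"previous config saved to {previous}", file=sys.stderr)
```

Run it once per output (`terraform output -raw kubeconfig | python3 install_config.py ~/.kube/config`); the backup name carries the timestamp, so repeated applies never overwrite an earlier backup.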
## SOPS Example
```yaml
# db-auth.yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-auth
  namespace: default
type: Opaque
data:
  DB_NAME: cG9zdGdyZXM=
  DB_HOST: MTI3LjAuMC4x
  DB_PORT: NTQzMg==
  DB_USERNAME: cG9zdGdyZXM=
  DB_PASSWORD: c3VwZXJTZWNyZXRQYXNzb3dyZA==
```
```sh
# You can encrypt any file that matches the rules in .sops.yaml.
sops -e -i db-auth.yaml
# You can decrypt it only if you have the age.agekey file.
export SOPS_AGE_KEY_FILE=age.agekey
sops -i -d db-auth.yaml
```
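The `.sops.yaml` rule created earlier and the encrypt/decrypt steps above only protect a Secret if nobody commits it before running `sops -e`. The guard below is an added example, not code from this repository or from SOPS: it reuses the same `path_regex` and `encrypted_regex`, flags any `data`/`stringData` value that is not an `ENC[...]` value, refuses a file whose values look encrypted but lack the `sops:` metadata block, and shows what a plaintext Secret actually exposes (base64 is an encoding, not encryption). Its minimal manifest parser, the `ENCRYPTED_SECRET` sample (a hand-written imitation of sops output, not real output) and the pre-commit usage are assumptions.

```python
"""Added example (not part of this repository): a pre-commit style guard that refuses
plaintext Kubernetes Secrets in a repo that keeps them SOPS-encrypted with age. It mirrors
this README's .sops.yaml rule; the tiny parser only handles flat manifests like db-auth.yaml."""
import base64
import re
import sys

PATH_REGEX = re.compile(r".*.ya?ml")                  # same as the creation rule above
ENCRYPTED_REGEX = re.compile(r"^(data|stringData)$")  # same as the creation rule above
# Shape of a string value after `sops -e -i` has encrypted it in place.
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$")


def parse_flat_manifest(text):
    """Top-level scalars plus one-level mappings ("data:" then indented "K: V"). Deeper
    nesting (the sops: block) is collected loosely; enough for the presence check."""
    doc, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if raw[0] not in " \t":            # top-level key
            doc[key], current = (value, None) if value else ({}, key)
        elif current is not None:          # indented line under the open mapping
            doc[current][key] = value
    return doc


def audit_secret(text):
    """Return (verdict, details): 'not-a-secret', 'encrypted', or 'plaintext' plus the
    keys whose values are still readable."""
    doc = parse_flat_manifest(text)
    if doc.get("kind") != "Secret":
        return "not-a-secret", []
    exposed = [f"{section}.{key}"
               for section, values in doc.items()
               if ENCRYPTED_REGEX.match(section) and isinstance(values, dict)
               for key, value in values.items() if not ENC_VALUE.match(value)]
    if exposed:
        return "plaintext", exposed
    if "sops" not in doc:  # ENC[...] values without the metadata can never be decrypted
        return "plaintext", ["sops metadata block missing"]
    return "encrypted", []


def exposed_values(text):
    """What anyone with read access to the repo learns from a plaintext Secret:
    base64 is an encoding, not encryption, so data: values decode directly."""
    doc = parse_flat_manifest(text)
    data = doc.get("data") if isinstance(doc.get("data"), dict) else {}
    out = {k: base64.b64decode(v).decode("utf-8", "replace") for k, v in data.items()}
    if isinstance(doc.get("stringData"), dict):
        out.update(doc["stringData"])
    return out


def check_files(files):
    """Driver over (path, content) pairs; one problem line per offending file."""
    problems = []
    for path, content in files:
        if PATH_REGEX.match(path):
            verdict, details = audit_secret(content)
            if verdict == "plaintext":
                problems.append(f"{path}: plaintext Secret ({', '.join(details)})")
    return problems


# Constructed samples: the README's db-auth.yaml as-is, and a hand-written imitation of
# what sops leaves behind (ENC[...] values plus a sops: block), not real sops output.
PLAINTEXT_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-auth
  namespace: default
type: Opaque
data:
  DB_NAME: cG9zdGdyZXM=
  DB_HOST: MTI3LjAuMC4x
  DB_PORT: NTQzMg==
  DB_USERNAME: cG9zdGdyZXM=
  DB_PASSWORD: c3VwZXJTZWNyZXRQYXNzb3dyZA==
"""
ENCRYPTED_SECRET = """\
apiVersion: v1
kind: Secret
type: Opaque
data:
  DB_USERNAME: ENC[AES256_GCM,data:UExBQ0VIT0xERVI=,iv:UExBQ0VIT0xERVI=,tag:UExBQ0VIT0xERVI=,type:str]
  DB_PASSWORD: ENC[AES256_GCM,data:UExBQ0VIT0xERVI=,iv:UExBQ0VIT0xERVI=,tag:UExBQ0VIT0xERVI=,type:str]
sops:
  age:
    - recipient: age1PLACEHOLDERRECIPIENT
      enc: PLACEHOLDER
  encrypted_regex: ^(data|stringData)$
"""

if __name__ == "__main__":  # pre-commit passes the staged file names as arguments
    found = check_files([(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]])
    print("\n".join(found) or "no plaintext Secrets found")
    sys.exit(1 if found else 0)
```

Wire it up as a local hook in `.pre-commit-config.yaml` over staged YAML files, or run `python3 check_secrets.py kubernetes/**/*.yaml` before pushing; a non-zero exit blocks the commit. The parser is intentionally limited to the flat shape of the manifests shown here; for arbitrary manifests swap in a real YAML library and keep the same `audit_secret` logic.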
## FluxCD Example
```sh
export GITHUB_TOKEN=ghp-xyz
flux bootstrap github --owner=ownerName --repository=mbrc --path=kubernetes/flux
```

```sh
export GITLAB_TOKEN=glpat-xyz
flux bootstrap gitlab --owner=groupName --repository=mbrc --path=kubernetes/flux
```