Cluster Repository
The cluster repository is a git repository. It holds all information that defines the (intended) state of a cluster. This information consists of:
The version of the LCM code to deploy the cluster
The version of the WireGuard user information
State of Terraform
State of the WireGuard IP address management (IPAM)
Secrets and credentials obtained while deploying the cluster
A configuration file which defines the platform layout and other properties of the cluster
A user checks out the cluster repository and uses it to interact with the yk8s cluster. Because the repository carries Terraform state and credentials generated during deployment, read access to it should be treated as equivalent to administrative access to the cluster.
Cluster Repository Structure
The following schema shows all non-generated files. A local checkout will most certainly have more files than these.
your_cluster_repo
├── config/
│   ├── config.toml              # Cluster configuration
│   └── wireguard_ipam.toml      # WireGuard IPAM
├── etc/                         # Cluster-specific files
├── inventory/                   # Ansible inventory
│   └── yaook-k8s/               # Variables passed to Ansible
│       └── hosts                # Ansible hosts file
├── k8s-custom/                  # Custom Stage
│   ├── roles/                   # Place to dump in personal Ansible roles
│   └── main.yaml                # Customization playbook
├── managed-k8s/                 # Submodule with the LCM code
├── submodules/                  # Place for additional git submodules
├── terraform/                   # Place for Terraform specific files
│   ├── .terraform/
│   │   └── plugins/
│   │       └── linux_amd64/
│   │           └── lock.json    # Terraform plugin version lock
│   ├── terraform.tfstate        # Terraform state
│   └── terraform.tfstate.backup # Terraform state backup
├── vault/                       # Local vault data
├── .envrc                       # direnv (environment variables) configuration
├── .gitattributes
└── .gitignore
Detailed explanation:

config/config.toml
holds the configuration variables of the cluster. A template for this file can be found in the templates/ directory. Note that the initialization script init.sh will bootstrap your configuration from that template.

config/wireguard_ipam.toml
contains the WireGuard IP address management. This file is only of interest if you want to protect your cluster with gateway nodes. It is managed by the update_inventory.py script, which automatically assigns IP addresses to your configured peers.

inventory/
holds your layer-specific Ansible variables. These variables are managed by the update_inventory.py script.

etc/
holds credentials and cluster-specific files generated during creation of the cluster. Note, however, that nearly all credentials are managed by an instance of HashiCorp Vault.

k8s-custom/
is an optional directory representing the custom layer. It is the basic skeleton to enable custom Ansible plays. If you want to use this feature, you'll need to enable it in your environment variables.

managed-k8s/
is a git submodule which refers to this (the yaook/k8s) repository. By using a submodule, we pin an exact commit and record the hash of that commit inside the cluster repository. This allows us to reproducibly roll out the cluster in the same state again, without changes, even if the branch of managed-k8s has advanced in the meantime.

terraform/
is a state-only directory for Terraform. You should not need to operate manually in that directory at all. The Terraform state is managed by the apply-terraform.sh script.

Optional:

submodules/
is a directory which holds optional git submodules. You can add your submodules to this directory and e.g. use them in the custom layer/stage. Since this project is largely managed by C&H and partners, we have taken the liberty of enabling and integrating company-specific submodules directly in the source code. If you're managing your WireGuard peers or SSH users via git repositories, these should be added here.
is a directory which holds optional git submodules. You can add your submodules to this directory and e.g. use them in the custom layer/stage. Since this project is largely managed by C&H and partners, we have taken the privilege to be able to enable and integrate company specific submodules directly in the source code.If you’re managing your wireguard peers or SSH users via git repositories, these should be added here.