Terraform Standalone Use Case: Testing

[matttrach]

This tracks progress on satisfying a QA RKE2 use case.

We will need different install types (air-gapped and not) We will need to ensure IPv4 and IPv6 We will need Elastic IPs We will need external load balancing for control plane nodes We will need DNS addressing

[matttrach]

We will need private registry and system-default-registry installs

[matttrach]

Different install types complete: https://github.com/rancher/terraform-null-rke2-install/pull/43

[matttrach]

Need to be able to set the AZ for HA clusters: https://github.com/rancher/terraform-aws-server/pull/16

[matttrach]

Rhel9 and CIS: https://github.com/rancher/terraform-aws-server/pull/20 Need to propagate this change to the install and rke2 modules, then add examples for injecting the selinux policy installation

[matttrach]

Propagate CIS to install module with example cis configuration: https://github.com/rancher/terraform-null-rke2-install/pull/51

[matttrach]

rke2 selinux policy is installed by default on rke2 installs with type rpm now

[matttrach]

Status

• [x] IPv4
• [x] IPv6
• [x] Dual IP
• [x] Elastic IPs
• [x] External load balancing for control plane nodes
• [x] DNS addressing
• [x] Air-gapped install
• [x] Rpm install
• [ ] Private image registry https://docs.rke2.io/install/airgap?_highlight=air&_highlight=gap#private-registry-method
• [ ] System default registry system-default-registry option to configure custom image repo
• [ ] Private RPM repo
• [ ] Local RPM repo
• [x] SLE Micro
• [x] Rhel8
• [x] Rhel9
• [x] Ubuntu
• [x] CIS profile enabled
• [x] Fips Enabled (selinux enforcing)
• [x] Cilium configured
• [x] HA cluster
• [x] Split role cluster
• [x] surface startup errors

[matttrach]

This is the current living example of what I have working: https://github.com/rancher/terraform-aws-rke2-live-example This generates an RKE2 node with immutable infrastructure paradigms fully operated by CI workflows.

[matttrach]

Progress and Plans:

• Ubuntu and SLE Micro testing can be added to the aws-rke2 module.
• Local and Private RPM repos should exist in their own module.
  • Using the local rpm repo for the node is going to take generating a build server and packaging up the repo for addition to the rke2 node.
  • Generating an rpm mirror to use as a private repo is itself a project
• Using the system default registry to store the images in the rke2 node is a configuration that will need to happen after the node is generated, I think a module could handle this fairly easily, but I don't think it should be part of the normal install process. I just think it is out of scope for the RKE2 install mod.
  • in its own module this could be added to any rke2 node, independent of how it was created
  • this could be a series of "config" mods that allow users to pick addons to their node by implementing modules
• Generating a private registry server (eg Harbor) is its own project so it should be an independent module
• External load balancing can be added to the access mod
• DNS addressing can be added to the server mod
• I need to research dual IP more, but it seems like something that should be easily put in the server mod

[matttrach]

Prioritizing by difficulty/time consumption:

• [x] Ubuntu and SLE Micro testing can be added to the aws-rke2 module.
• [x] External load balancing can be added to the access mod
• [x] DNS addressing can be added to the server mod
• [x] Dual IP addressing can be added to the server mod
• [ ] Config mod for local RPM repo
• [ ] Config mod for local image repo
• [ ] Private RPM repo mod
• [ ] Private Image repo mod

[matttrach]

I need to split this issue to set realistic timelines.

These items can be done relatively quickly:

• Ubuntu and SLE Micro testing can be added to the aws-rke2 module.
• External load balancing can be added to the access mod
• DNS addressing can be added to the server mod
• Dual IP addressing can be added to the server mod

These items will take longer:

• Config mod for local RPM repo
• Config mod for local image repo
• Private RPM repo mod
• Private Image repo mod

[matttrach]

This ticket will remain for the "quick" items above, and I will create another for the "longer" items to place in our backlog.

[matttrach]

With version 2.0.0 of the access mod, load balancing, dns, and multiple availability zones are covered.

[matttrach]

Moving back to next up for the next phases of this.

• [x] Dualstack will need to be enabled on both the access and server mods.
• [ ] Embedded image registry will need to be added to the install mod.
• [ ] Local RPM repo, or something to manage an airgapped RPM install still needs to be figured out
• [x] Ubuntu and SLE Micro need to be tested in the rke2 module

[matttrach]

I am currently working on updating the server mod, its next release will include SLE micro as an image type.

[matttrach]

Next challenge is implementing the embedded image registry