diff --git a/.tofu/platforms/upc/modules/cluster/main.tf b/.tofu/platforms/upc/modules/cluster/main.tf
index ee71b32..7eda0b7 100644
--- a/.tofu/platforms/upc/modules/cluster/main.tf
+++ b/.tofu/platforms/upc/modules/cluster/main.tf
@@ -47,6 +47,14 @@ resource "upcloud_kubernetes_node_group" "workers" {
 node_count = var.node_count
 plan = var.node_plan
 anti_affinity = var.node_count > 1
+
+ dynamic "cloud_native_plan" {
+ for_each = var.storage_size != null ? [1] : []
+ content {
+ storage_size = var.storage_size
+ }
+ }
+
 labels = {
 prefix = var.prefix
 cluster = var.cluster_name
diff --git a/.tofu/platforms/upc/modules/cluster/variables.tf b/.tofu/platforms/upc/modules/cluster/variables.tf
index f18651d..5fb0cc3 100644
--- a/.tofu/platforms/upc/modules/cluster/variables.tf
+++ b/.tofu/platforms/upc/modules/cluster/variables.tf
@@ -38,6 +38,12 @@ variable "control_plane_ip_filter" {
 default = ["0.0.0.0/0"]
 }
 
+variable "storage_size" {
+ description = "Storage size in GB for worker nodes (overrides plan default via cloud_native_plan block)"
+ type = number
+ default = null
+}
+
 variable "tags" {
 description = "Labels to apply to resources"
 type = map(string)
diff --git a/.tofu/platforms/upc/prod/main.tf b/.tofu/platforms/upc/prod/main.tf
index b12b651..195dbed 100644
--- a/.tofu/platforms/upc/prod/main.tf
+++ b/.tofu/platforms/upc/prod/main.tf
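Review bot: Nothing in the node group ties `storage_size` to the plan family: if a caller sets it together with a non-cloud-native `node_plan`, the `cloud_native_plan` block at the top of this hunk is still emitted and, presumably, only the provider or the API rejects it at apply time. A `lifecycle` precondition on the resource would surface the mismatch at plan time instead; the `CLOUDNATIVE-` prefix is the one the prod environment in this same commit uses, so confirm it against the provider's plan names before relying on it. The `workers` resource starts and ends outside the hunk.
```hcl
  # … unchanged: labels block …

  lifecycle {
    precondition {
      condition     = var.storage_size == null || startswith(var.node_plan, "CLOUDNATIVE-")
      error_message = "storage_size requires a CLOUDNATIVE-* node_plan."
    }
  }
```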
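Review bot: `storage_size` accepts any number, including zero and negatives, so a typo only fails at apply time; a `validation` block on the variable catches it at plan time. The description also says the value overrides the plan default, which the module only does when the value is non-null — worth stating so callers know `null` means "keep the plan default". Something like the following, with the bound adjusted to whatever the provider actually accepts:
```hcl
variable "storage_size" {
  description = "Storage size in GB for worker nodes; null keeps the plan default, otherwise emitted via the cloud_native_plan block"
  type        = number
  default     = null

  validation {
    condition     = var.storage_size == null || var.storage_size > 0
    error_message = "storage_size must be null or a positive number of GB."
  }
}
```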
@@ -1,10 +1,72 @@ +# ============================================================================= +# UpCloud Workload Cluster +# ============================================================================= +# A lean UCS cluster for running application workloads. No managed data +# services — those live on the platform cluster. ArgoCD (on the platform +# cluster) deploys apps to this cluster via the app-of-apps pattern. +# +# Platform components deployed by deploy-workload.sh: +# nginx-ingress, cert-manager, external-dns, external-secrets, alloy +# +# Usage: +# tofu init && tofu plan && tofu apply +# ./sync-tofu-outputs.sh --env upcloud-workload +# ./deploy-workload.sh --env upcloud-workload +# ============================================================================= + +variable "prefix" { + description = "Prefix for resource names" + type = string + default = "clst-workload" +} + +variable "zone" { + description = "UpCloud zone" + type = string + default = "no-svg1" +} + +variable "node_plan" { + description = "UpCloud server plan for worker nodes" + type = string + default = "2xCPU-4GB" +} + +variable "node_count" { + description = "Number of worker nodes" + type = number + default = 2 +} + +variable "network_cidr" { + description = "CIDR block for the private network" + type = string + default = "10.110.0.0/24" +} + +variable "control_plane_ip_filter" { + description = "CIDRs allowed to access the K8s API" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "tags" { + description = "Labels to apply to resources" + type = map(string) + default = { + Environment = "workload" + ManagedBy = "tofu" + } +} + module "cluster" { source = "../modules/cluster" - prefix = "clst" - zone = "de-fra1" - node_plan = "4xCPU-8GB" - node_count = 3 + prefix = "clst-prod" + zone = "no-svg1" + node_plan = "CLOUDNATIVE-4xCPU-8GB" + node_count = 4 + storage_size = 30 network_cidr = "10.100.0.0/24" control_plane_ip_filter = ["0.0.0.0/0"] # TODO: restrict to known CIDRs 
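Review bot: The variables declared in this hunk are not consumed by the `module "cluster"` call at its bottom, which hard-codes `prefix = "clst-prod"`, `zone = "no-svg1"` and keeps `network_cidr = "10.100.0.0/24"`, while the variable defaults (`clst-workload`, `10.110.0.0/24`, `Environment = "workload"`) and the whole header comment describe the workload environment — this looks copied from workload/main.tf. Either wire the module to them (`prefix = var.prefix`, `zone = var.zone`, `network_cidr = var.network_cidr`, and likewise for node_plan, node_count and tags) with prod-specific defaults, or drop the declarations and the header. The new `control_plane_ip_filter` default of `["0.0.0.0/0"]` also carries the open-API TODO from the context line into a second place; a prod tier's default should be the restricted list, with the wide-open value supplied explicitly only where it is really intended. The module block continues past the end of the hunk, and the REFERENCE.md hunk in this commit still lists prod as 4xCPU-8GB with 3 nodes.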
@@ -14,3 +76,45 @@ module "cluster" {
 ManagedBy = "tofu"
 }
 }
+
+ # ─── Networking ───────────────────────────────────────────────────────
+
+ resource "upcloud_router" "kubernetes" {
+ name = "${var.prefix}-workload-router"
+ }
+
+ resource "upcloud_gateway" "kubernetes" {
+ name = "${var.prefix}-workload-gateway"
+ zone = var.zone
+ features = ["nat"]
+ router {
+ id = upcloud_router.kubernetes.id
+ }
+}
+
+resource "upcloud_network" "kubernetes" {
+ name = "${var.prefix}-workload-network"
+ zone = var.zone
+ router = upcloud_router.kubernetes.id
+
+ ip_network {
+ address = var.network_cidr
+ dhcp = true
+ dhcp_default_route = true
+ family = "IPv4"
+ gateway = cidrhost(var.network_cidr, 1)
+ }
+
+ depends_on = [upcloud_gateway.kubernetes]
+}
+
+ # ─── Kubernetes Cluster ───────────────────────────────────────────────
+
+ resource "upcloud_kubernetes_cluster" "main-prod" {
+ name = "${var.prefix}-workload"
+ zone = var.zone
+ network = upcloud_network.kubernetes.id
+ control_plane_ip_filter = var.control_plane_ip_filter
+
+ private_node_groups = true
+}
diff --git a/.tofu/platforms/upc/workload/main.tf b/.tofu/platforms/upc/workload/main.tf
index 8b87e10..87c5a25 100644
--- a/.tofu/platforms/upc/workload/main.tf
+++ b/.tofu/platforms/upc/workload/main.tf
@@ -23,7 +23,7 @@ variable "prefix" {
 variable "zone" {
 description = "UpCloud zone"
 type = string
- default = "fi-hel1"
+ default = "no-svg1"
 }
 
 variable "node_plan" {
diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md
index 04750af..227eb54 100644
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
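Review bot: `upcloud_network.kubernetes` is built from `var.network_cidr` (default `10.110.0.0/24`) and the new `upcloud_kubernetes_cluster "main-prod"` is named from `var.prefix` (default `clst-workload`), so in the prod directory these produce a `clst-workload-workload` cluster on a different network than the `10.100.0.0/24` the module call in the previous hunk is given. The module's node group references `var.cluster_name`, so it presumably creates its own cluster as well, leaving prod with two clusters and two networks unless that is intended; if the standalone resources are meant to replace the module, the module call should go, and if not, they should be removed or share the module's inputs. `control_plane_ip_filter = var.control_plane_ip_filter` inherits the `0.0.0.0/0` default, so the new control plane is reachable from any address until that list is tightened.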
@@ -333,8 +333,8 @@ Each platform defines three environment tiers: | `upcloud_kubernetes_node_group` | Anti-affinity if node_count > 1 | **Dev**: DEV-1xCPU-2GB, 2 nodes, no-svg1 -**Prod**: 4xCPU-8GB, 3 nodes, de-fra1 -**Workload**: 2xCPU-4GB, 2 nodes, fi-hel1, CIDR `10.110.0.0/24` +**Prod**: 4xCPU-8GB, 3 nodes, no-svg1 +**Workload**: 2xCPU-4GB, 2 nodes, no-svg1, CIDR `10.110.0.0/24` > **Note**: UpCloud has no native workload identity — external-DNS integration not available.