tofu config and docs

2026-05-31 20:48:25 +02:00
parent 24c59256c9
commit 428de7af78
5 changed files with 125 additions and 7 deletions
--- a/.tofu/platforms/upc/modules/cluster/main.tf
+++ b/.tofu/platforms/upc/modules/cluster/main.tf
@@ -47,6 +47,14 @@ resource "upcloud_kubernetes_node_group" "workers" {
  node_count    = var.node_count
  plan          = var.node_plan
  anti_affinity = var.node_count > 1
+
+  dynamic "cloud_native_plan" {
+    for_each = var.storage_size != null ? [1] : []
+    content {
+      storage_size = var.storage_size
+    }
+  }
+
  labels = {
    prefix  = var.prefix
    cluster = var.cluster_name
--- a/.tofu/platforms/upc/modules/cluster/variables.tf
+++ b/.tofu/platforms/upc/modules/cluster/variables.tf
@@ -38,6 +38,12 @@ variable "control_plane_ip_filter" {
  default     = ["0.0.0.0/0"]
 }

+variable "storage_size" {
+  description = "Storage size in GB for worker nodes (overrides plan default via cloud_native_plan block)"
+  type        = number
+  default     = null
+}
+
 variable "tags" {
  description = "Labels to apply to resources"
  type        = map(string)
--- a/.tofu/platforms/upc/prod/main.tf
+++ b/.tofu/platforms/upc/prod/main.tf
@@ -1,10 +1,72 @@
+# =============================================================================
+# UpCloud Workload Cluster
+# =============================================================================
+# A lean UCS cluster for running application workloads. No managed data
+# services — those live on the platform cluster. ArgoCD (on the platform
+# cluster) deploys apps to this cluster via the app-of-apps pattern.
+#
+# Platform components deployed by deploy-workload.sh:
+#   nginx-ingress, cert-manager, external-dns, external-secrets, alloy
+#
+# Usage:
+#   tofu init && tofu plan && tofu apply
+#   ./sync-tofu-outputs.sh --env upcloud-workload
+#   ./deploy-workload.sh --env upcloud-workload
+# =============================================================================
+
+variable "prefix" {
+  description = "Prefix for resource names"
+  type        = string
+  default     = "clst-workload"
+}
+
+variable "zone" {
+  description = "UpCloud zone"
+  type        = string
+  default     = "no-svg1"
+}
+
+variable "node_plan" {
+  description = "UpCloud server plan for worker nodes"
+  type        = string
+  default     = "2xCPU-4GB"
+}
+
+variable "node_count" {
+  description = "Number of worker nodes"
+  type        = number
+  default     = 2
+}
+
+variable "network_cidr" {
+  description = "CIDR block for the private network"
+  type        = string
+  default     = "10.110.0.0/24"
+}
+
+variable "control_plane_ip_filter" {
+  description = "CIDRs allowed to access the K8s API"
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
+variable "tags" {
+  description = "Labels to apply to resources"
+  type        = map(string)
+  default = {
+    Environment = "workload"
+    ManagedBy   = "tofu"
+  }
+}
+
 module "cluster" {
  source = "../modules/cluster"

-  prefix       = "clst"
-  zone         = "de-fra1"
-  node_plan    = "4xCPU-8GB"
-  node_count   = 3
+  prefix       = "clst-prod"
+  zone         = "no-svg1"
+  node_plan    = "CLOUDNATIVE-4xCPU-8GB"
+  node_count   = 4
+  storage_size = 30
  network_cidr = "10.100.0.0/24"

  control_plane_ip_filter = ["0.0.0.0/0"] # TODO: restrict to known CIDRs
@@ -14,3 +76,45 @@ module "cluster" {
    ManagedBy   = "tofu"
  }
 }
+
+# ─── Networking ───────────────────────────────────────────────────────
+
+resource "upcloud_router" "kubernetes" {
+  name = "${var.prefix}-workload-router"
+}
+
+resource "upcloud_gateway" "kubernetes" {
+  name     = "${var.prefix}-workload-gateway"
+  zone     = var.zone
+  features = ["nat"]
+  router {
+    id = upcloud_router.kubernetes.id
+  }
+}
+
+resource "upcloud_network" "kubernetes" {
+  name   = "${var.prefix}-workload-network"
+  zone   = var.zone
+  router = upcloud_router.kubernetes.id
+
+  ip_network {
+    address            = var.network_cidr
+    dhcp               = true
+    dhcp_default_route = true
+    family             = "IPv4"
+    gateway            = cidrhost(var.network_cidr, 1)
+  }
+
+  depends_on = [upcloud_gateway.kubernetes]
+}
+
+# ─── Kubernetes Cluster ───────────────────────────────────────────────
+
+resource "upcloud_kubernetes_cluster" "main-prod" {
+  name                    = "${var.prefix}-workload"
+  zone                    = var.zone
+  network                 = upcloud_network.kubernetes.id
+  control_plane_ip_filter = var.control_plane_ip_filter
+
+  private_node_groups = true
+}
--- a/.tofu/platforms/upc/workload/main.tf
+++ b/.tofu/platforms/upc/workload/main.tf
@@ -23,7 +23,7 @@ variable "prefix" {
 variable "zone" {
  description = "UpCloud zone"
  type        = string
-  default     = "fi-hel1"
+  default     = "no-svg1"
 }

 variable "node_plan" {