fix ssh tunnel enable/disable

Author: git-ival

tofu/modules/generic/k3s/install_k3s.sh

@@ -2,11 +2,6 @@
 
 set -xe
 
-# HACK: work around https://github.com/k3s-io/k3s/issues/7000
-# can be removed as of v1.27.2+k3s1 and later
-sleep ${sleep_time}
-
-sudo -s <<SUDO
 # use data disk if available (see mount_ephemeral.sh)
 if [ -d /data ]; then
   mkdir -p /data/rancher
@@ -71,4 +66,3 @@ export INSTALL_K3S_VERSION=${distro_version}
 export INSTALL_K3S_EXEC=${exec}
 
 curl -sfL https://get.k3s.io | sh -
-SUDO

tofu/modules/generic/k3s/main.tf

@@ -13,14 +13,15 @@ module "server_nodes" {
   name                 = "${var.name}-server-${count.index}"
   ssh_private_key_path = var.ssh_private_key_path
   ssh_user             = var.ssh_user
-  ssh_tunnels = count.index == 0 ? [
+  ssh_tunnels = count.index == 0 && var.create_tunnels ? [
     [var.local_kubernetes_api_port, 6443],
     [var.tunnel_app_http_port, 80],
     [var.tunnel_app_https_port, 443],
   ] : []
   node_module           = var.node_module
   node_module_variables = var.node_module_variables
   network_config        = var.network_config
+  public                = var.public
 }
 
 module "agent_nodes" {
@@ -61,7 +62,6 @@ resource "ssh_sensitive_resource" "first_server_installation" {
       server_ca_cert         = tls_self_signed_cert.server_ca_cert.cert_pem
       request_header_ca_key  = tls_private_key.request_header_ca_key.private_key_pem
       request_header_ca_cert = tls_self_signed_cert.request_header_ca_cert.cert_pem
-      sleep_time             = 0
       max_pods               = var.max_pods
       node_cidr_mask_size    = var.node_cidr_mask_size
       datastore_endpoint     = var.datastore_endpoint
@@ -111,7 +111,6 @@ resource "ssh_resource" "additional_server_installation" {
       server_ca_cert         = tls_self_signed_cert.server_ca_cert.cert_pem
       request_header_ca_key  = tls_private_key.request_header_ca_key.private_key_pem
       request_header_ca_cert = tls_self_signed_cert.request_header_ca_cert.cert_pem
-      sleep_time             = count.index * 60
       max_pods               = var.max_pods
       node_cidr_mask_size    = var.node_cidr_mask_size
       datastore_endpoint     = var.datastore_endpoint
@@ -157,7 +156,6 @@ resource "ssh_resource" "agent_installation" {
       server_ca_cert         = tls_self_signed_cert.server_ca_cert.cert_pem
       request_header_ca_key  = tls_private_key.request_header_ca_key.private_key_pem
       request_header_ca_cert = tls_self_signed_cert.request_header_ca_cert.cert_pem
-      sleep_time             = 0
       max_pods               = var.max_pods
       node_cidr_mask_size    = var.node_cidr_mask_size
       datastore_endpoint     = var.datastore_endpoint

tofu/modules/generic/k3s/outputs.tf

@@ -29,7 +29,7 @@ output "config" {
         name       = "${var.name}.local.gd"
         http_port  = var.tunnel_app_http_port
         https_port = var.tunnel_app_https_port
-      } : {}
+      } : null
     }
 
     node_access_commands = merge({

tofu/modules/generic/k3s/variables.tf

@@ -94,6 +94,11 @@ variable "datastore_endpoint" {
   default     = null
 }
 
+variable "public" {
+  description = "Whether the node is publicly accessible"
+  default     = false
+}
+
 variable "node_module" {
   description = "Non-generic module to create nodes"
   type        = string

tofu/modules/generic/rke2/install_rke2.sh

@@ -2,10 +2,6 @@
 
 set -xe
 
-# HACK: work around https://github.com/k3s-io/k3s/issues/2306
-sleep ${sleep_time}
-
-sudo -s <<SUDO
 # use data disk if available (see mount_ephemeral.sh)
 if [ -d /data ]; then
   mkdir -p /data/rancher
@@ -90,4 +86,3 @@ export INSTALL_RKE2_TYPE=${type}
 curl -sfL https://get.rke2.io | sh -
 systemctl enable rke2-${type}.service
 systemctl restart rke2-${type}.service
-SUDO

tofu/modules/generic/rke2/main.tf

@@ -14,14 +14,15 @@ module "server_nodes" {
   name                 = "${var.name}-server-${count.index}"
   ssh_private_key_path = var.ssh_private_key_path
   ssh_user             = var.ssh_user
-  ssh_tunnels = count.index == 0 ? [
+  ssh_tunnels = count.index == 0 && var.create_tunnels ? [
     [var.local_kubernetes_api_port, 6443],
     [var.tunnel_app_http_port, 80],
     [var.tunnel_app_https_port, 443],
   ] : []
   node_module           = var.node_module
   node_module_variables = var.node_module_variables
   network_config        = var.network_config
+  public                = var.public
 }
 
 module "agent_nodes" {
@@ -61,7 +62,6 @@ resource "ssh_sensitive_resource" "first_server_installation" {
       server_ca_cert         = tls_self_signed_cert.server_ca_cert.cert_pem
       request_header_ca_key  = tls_private_key.request_header_ca_key.private_key_pem
       request_header_ca_cert = tls_self_signed_cert.request_header_ca_cert.cert_pem
-      sleep_time             = 0
       max_pods               = var.max_pods
       node_cidr_mask_size    = var.node_cidr_mask_size
     })
@@ -109,7 +109,6 @@ resource "ssh_resource" "additional_server_installation" {
       server_ca_cert         = tls_self_signed_cert.server_ca_cert.cert_pem
       request_header_ca_key  = tls_private_key.request_header_ca_key.private_key_pem
       request_header_ca_cert = tls_self_signed_cert.request_header_ca_cert.cert_pem
-      sleep_time             = count.index * 60
       max_pods               = var.max_pods
       node_cidr_mask_size    = var.node_cidr_mask_size
     })
@@ -153,7 +152,6 @@ resource "ssh_resource" "agent_installation" {
       server_ca_cert         = tls_self_signed_cert.server_ca_cert.cert_pem
       request_header_ca_key  = tls_private_key.request_header_ca_key.private_key_pem
       request_header_ca_cert = tls_self_signed_cert.request_header_ca_cert.cert_pem
-      sleep_time             = 0
       max_pods               = var.max_pods
       node_cidr_mask_size    = var.node_cidr_mask_size
     })

tofu/modules/generic/rke2/outputs.tf

@@ -29,7 +29,7 @@ output "config" {
         name       = "${var.name}.local.gd"
         http_port  = var.tunnel_app_http_port
         https_port = var.tunnel_app_https_port
-      } : {}
+      } : null
     }
 
     node_access_commands = merge({

tofu/modules/generic/rke2/variables.tf

@@ -89,6 +89,11 @@ variable "enable_audit_log" {
   default     = false
 }
 
+variable "public" {
+  description = "Whether the node is publicly accessible"
+  default     = false
+}
+
 variable "node_module" {
   description = "Non-generic module to create nodes"
   type        = string

tofu/modules/generic/test_environment/main.tf

@@ -26,6 +26,7 @@ module "upstream_cluster" {
   reserve_node_for_monitoring = var.upstream_cluster.reserve_node_for_monitoring
   enable_audit_log            = var.upstream_cluster.enable_audit_log
   create_tunnels              = var.upstream_cluster.create_tunnels
+  public                      = var.upstream_cluster.public_ip
 
   sans                      = ["upstream.local.gd"]
   local_kubernetes_api_port = var.first_kubernetes_api_port
@@ -49,6 +50,7 @@ module "tester_cluster" {
   reserve_node_for_monitoring = var.tester_cluster.reserve_node_for_monitoring
   enable_audit_log            = var.tester_cluster.enable_audit_log
   create_tunnels              = var.tester_cluster.create_tunnels
+  public                      = var.tester_cluster.public_ip
 
   sans                      = ["tester.local.gd"]
   local_kubernetes_api_port = var.first_kubernetes_api_port + 1
@@ -72,6 +74,8 @@ module "downstream_clusters" {
   reserve_node_for_monitoring = local.downstream_clusters[count.index].reserve_node_for_monitoring
   enable_audit_log            = local.downstream_clusters[count.index].enable_audit_log
   create_tunnels              = local.downstream_clusters[count.index].create_tunnels
+  public                      = local.downstream_clusters[count.index].public_ip
+
   sans                        = ["${local.downstream_clusters[count.index].name}.local.gd"]
   local_kubernetes_api_port   = var.first_kubernetes_api_port + 2 + count.index
   tunnel_app_http_port        = var.first_app_http_port + 2 + count.index
@@ -84,7 +88,6 @@ module "downstream_clusters" {
 }
 
 module "nodes" {
-  # for_each = {for node in local.nodes: node.name => node}
   count = length(local.nodes)
   source = "../node"
   project_name          = var.project_name