Releases: csning1998/on-premise-gitlab-deployment

Release v1.0.0: Stable Release with Full HashiCorp Vault Integration

07 Sep 21:41
45c4ca9

Release v1.0.0: Summary

This is a landmark release, representing a fundamental architectural shift for the project. The entire virtualization backend has been migrated from VMware Workstation to an open-source QEMU/KVM stack managed by Libvirt. Furthermore, HashiCorp Vault is now fully integrated as a containerized service managed by Podman Compose, establishing a secure, automated, and consistent secrets management backend for the entire IaC workflow.

This release completes the vision of a fully automated, self-contained system for deploying Kubernetes clusters on-premise, with a strong focus on open-source tooling and my best effort to align with modern on-premise DevOps practices.

BREAKING CHANGES

  • Hypervisor Support: This version exclusively supports QEMU/KVM managed by Libvirt. The VMware Workstation support has been moved to the legacy-workstation-on-ubuntu branch.
  • Secrets Management: The project is no longer functional without a running HashiCorp Vault instance. All secret variables previously defined in *.tfvars and *.pkrvars.hcl files must be populated in Vault.
  • Container Engine: The containerized workflow now requires podman and podman-compose instead of Docker.

Key Architectural Changes

  • Migration to QEMU/KVM with Libvirt:

    • The virtualization provider has been completely migrated from VMware Workstation to QEMU/KVM, managed via the dmacvicar/libvirt Terraform provider. This aligns the project with open-source hypervisor standards.
    • The Packer build process now produces a qcow2 golden image specifically for KVM environments.
    • Terraform now manages libvirt resources such as networks, storage pools, volumes, and domains, providing a more declarative approach to infrastructure management compared to the previous vmrun CLI-based method.
  • Full Integration of Containerized Vault Server:

    • HashiCorp Vault is now a first-class citizen, running as a managed iac-vault-server container within the project's compose.yml. You can also start the Vault server directly on the host using the vault server ... command. Note that the container and the host-based server cannot run at the same time, because both bind the same port and the second one to start will fail with a port conflict.
    • The entire workflow now relies on Vault for secrets. Both Packer and Terraform fetch credentials directly from the Vault API, completely removing secrets from local files.
    • The Vault server is configured with TLS for secure communication, and the entry.sh script provides helpers for certificate generation, initialization, and unsealing.
    • mlock is enabled (disable_mlock = false) so that the Vault process memory is locked and secrets cannot be swapped to disk, aligning with production security practices.
  • Shift from Docker to Podman:

    • The containerized environment has been migrated from Docker to Podman. The Containerfile and compose.yml have been updated accordingly, reflecting a preference for daemonless and rootless container workflows.
  • Refined Host Environment Setup:

    • The README.md and setup scripts now include a detailed, robust guide for configuring non-root user access to the Libvirt daemon on RHEL-based systems, including the necessary systemd socket override configurations.

Pull Requests

  • refactor(core): Standardize on QEMU/KVM and Podman, removing VMware/Docker support by @csning1998 in #8
  • feat(HashiCorp Vault): Integration with Self-Managed Vault on both Host and Container Environment by @csning1998 in #9

Full Changelog: v0.3.0...v1.0.0

Version v0.3.0: HA Cluster Deployment & Containerized Environment on Type-II Hypervisor

07 Sep 10:00
ee2d8de

Summary

This release introduces the capability to deploy a multi-master, High Availability (HA) Kubernetes cluster and containerizes the entire IaC execution environment for improved portability. The Ansible roles and Terraform configurations have been significantly refactored to support conditional logic for both single-master and HA deployments, laying the groundwork for more advanced configurations.


Key Features & Enhancements

  • High Availability (HA) Cluster Deployment:

    • The deployment logic can now create a multi-master HA Kubernetes cluster by simply defining multiple IPs in the master_ip_list variable.
    • Ansible playbooks now automatically configure keepalived and HAProxy for creating a stable virtual IP (controlPlaneEndpoint) before initializing the cluster.
    • A validation rule was added to Terraform to ensure the number of master nodes is odd, mitigating etcd split-brain risks.
  • Containerized Execution Environment:

    • The entire toolchain (Packer, Terraform, Ansible) is now containerized using Docker, allowing for consistent execution across different host systems.
    • The entry.sh script provides a seamless way to switch between native and docker execution strategies.
  • Upgraded Kubernetes Version:

    • The target Kubernetes version for kubeadm, kubelet, and kubectl has been upgraded to v1.32.

Refactoring and Fixes

  • Ansible Structure Overhaul:

    • The Ansible directory structure was reorganized, separating playbooks and roles for better clarity.
    • Roles for cluster provisioning were broken down into modular stages (11-ha-loadbalancer, 12-kubeadm-init-primary, etc.) for a more logical execution flow.
    • All Kubernetes network parameters are now passed from Terraform via a template, creating a single source of truth in the generated inventory.yaml.
  • Robust Network & SSH Configuration:

    • Terraform's remote-exec provisioner was improved to dynamically detect network interface names on the guest VMs instead of assuming a fixed name like ens33, making the configuration more resilient.
    • The SSH verification process in entry.sh now includes retries to handle potential race conditions where a VM is not immediately ready for connection.
  • Lifecycle and Dependency Management:

    • The entry.sh script was updated to use docker compose exec instead of run, ensuring that commands are sent to a persistent controller container, correctly managing the VM lifecycle.
    • Ansible Vault has been deprecated in preparation for the future integration of HashiCorp Vault.

Version v0.2.0: Unattended SSH & Terraform Refactoring

18 Aug 10:58
028f81c

Summary

Version v0.2.0 modifies the project to use a key-based SSH workflow for unattended deployments and centralizes Terraform's variable management. This release removes the previous dependency on password-based authentication. The IaC process for image creation and cluster provisioning is now managed through a single SSH key pair and a centralized variable structure in locals.tf.

Changes

Added

  • Implemented a key-based SSH authentication system. The public key is now written into the Packer image, allowing for passwordless provisioning.
  • Added a generate_ssh_key helper to entry.sh for users to create SSH keys with custom or default names.
  • Added a check_ssh_key_exists prerequisite check before executing build or deployment tasks.
  • Implemented a netcat-based port polling mechanism in bootstrap_ssh_known_hosts to wait for the SSH service on new VMs to be ready before scanning host keys.

Changed

  • Terraform Architecture: All complex variable composition logic (e.g., node paths, keys) is now centralized into the root locals.tf. Child modules (vm, ansible) now accept pre-composed objects, removing duplicated code in module outputs.
  • SSH Configuration: Terraform now generates project-specific SSH files (~/.ssh/k8s_cluster_config, ~/.ssh/k8s_cluster_known_hosts) and integrates them via an Include directive, isolating them from the user's global SSH settings.
  • Ansible Inventory: The inventory generation now relies on the centralized SSH config file for connection parameters, removing connection variables from the inventory template.
  • SSH Alias Naming: VM aliases now use descriptive hostnames (e.g., k8s-master-0) instead of generic names (e.g., vm200).
  • Shell Scripts: All SSH-related functions were moved to a dedicated scripts/ssh_utils.sh. Function names were renamed for clarity (e.g., prepare_ansible_known_hosts to bootstrap_ssh_known_hosts).
  • Terraform Workflow: Removed the unnecessary VM stop/restart cycle during the provisioning process.

Fixed

  • Idempotency: Use of an isolated known_hosts file resolves the SSH host key mismatch ("REMOTE HOST IDENTIFICATION HAS CHANGED", i.e. suspected man-in-the-middle) errors on subsequent apply runs, where recreated VMs present new host keys under the same addresses.
  • Automation: Corrected local-exec scripts and Ansible inventory generation to prevent UNREACHABLE errors.
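
The SSH isolation described in this release (the Include directive, the project-specific known_hosts file, port polling before the host key scan, and stale-key removal for recreated VMs), as an added example that is not the project's own entry.sh or scripts/ssh_utils.sh. It assumes SSH_DIR as the directory to manage and polls the port with bash's /dev/tcp as a stand-in for the netcat check the notes mention; host key checking stays strict rather than being disabled.

```bash
#!/usr/bin/env bash
# Added example, not from the project. SSH_DIR defaults to ~/.ssh and can be
# overridden (e.g. to a temp dir) so the functions can be exercised safely.
set -eu
SSH_DIR="${SSH_DIR:-$HOME/.ssh}"

# Prepend "Include <project config>" to ~/.ssh/config exactly once, keeping the
# user's own entries intact (Include must precede the first Host block).
ensure_ssh_include() {
  local cfg="$SSH_DIR/config" line="Include $SSH_DIR/k8s_cluster_config"
  mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR"
  touch "$cfg" && chmod 600 "$cfg"
  grep -qxF "$line" "$cfg" && return 0          # already present: idempotent
  { printf '%s\n' "$line"; cat "$cfg"; } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Append one Host stanza to the project config. Args: alias ip user identity.
# The stanza pins the isolated known_hosts file and keeps checking strict.
add_cluster_host() {
  local cfg="$SSH_DIR/k8s_cluster_config"
  cat >> "$cfg" <<EOF
Host $1
  HostName $2
  User $3
  IdentityFile $4
  UserKnownHostsFile $SSH_DIR/k8s_cluster_known_hosts
  StrictHostKeyChecking yes
EOF
  chmod 600 "$cfg"
}

# Poll until TCP port accepts connections. Args: host port timeout_seconds.
# Returns 1 on timeout so callers never scan keys from a VM that is not up.
wait_for_ssh() {
  local host=$1 port=$2 deadline=$(( $(date +%s) + $3 ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then return 0; fi
    sleep 1
  done
  return 1
}

# Drop any stale key for a recreated VM, then record its current host key in
# the isolated file (hashed), leaving the user's global known_hosts untouched.
bootstrap_ssh_known_hosts() {
  local kh="$SSH_DIR/k8s_cluster_known_hosts"
  wait_for_ssh "$1" 22 "${2:-120}" || return 1
  touch "$kh" && chmod 600 "$kh"
  ssh-keygen -R "$1" -f "$kh" >/dev/null 2>&1 || true
  ssh-keyscan -H "$1" >> "$kh" 2>/dev/null
}
```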

Included Pull Request

  • feat: Refactor SSH Workflow and Terraform Variable Management by @csning1998 in #5

Full Changelog: v0.1.0-beta.1...v0.2.0

Version 0.1.0-beta.1: Basic Kubernetes Cluster Deployment with kubeadm

16 Aug 17:33
250430a

Summary

This beta release establishes a foundational, end-to-end workflow for deploying a Kubernetes cluster using a combination of Packer, Terraform, and Ansible. Key improvements include migrating the virtualization platform to VMware Workstation, refactoring the entire Ansible configuration into a role-based structure for better scalability, and resolving a critical networking issue where cloned VMs would receive duplicate IP addresses. The base Kubernetes components are now pre-baked into the Packer image, significantly speeding up the VM cloning and provisioning stages.

Changes

Added

  • Implemented a complete automation script (entry.sh) to provision a basic Kubernetes cluster with kubeadm.
  • Added VM lifecycle management commands (status, start, stop, delete) for easier control.

Changed

  • Platform Migration: Migrated the virtualization platform from VirtualBox to VMware Workstation to improve performance and automation stability.
  • Ansible Refactoring: All Ansible playbooks were refactored into a standardized, role-based structure for better maintainability and scalability.

Fixed

  • Networking: Resolved a critical issue where cloned VMs would receive duplicate NAT IP addresses by implementing a script to reset the machine-id during provisioning.
  • Configuration: Improved SSH configuration management to prevent ~/.ssh/config from being overwritten or deleted during terraform destroy.
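
The machine-id reset behind the networking fix above, as an added example rather than the project's own provisioning script. It assumes ROOT is the image filesystem root ("/" when run from a Packer shell provisioner) and that DHCP clients such as systemd-networkd derive their client identifier (DUID) from /etc/machine-id, which is why clones sharing one id can be handed the same lease.

```bash
#!/usr/bin/env bash
# Added example, not from the project. Run inside the golden image before it is
# sealed; a parameterised root lets the functions be checked on a scratch tree.
set -eu

# Empty /etc/machine-id (present but zero bytes) so systemd generates a fresh id
# on first boot of every clone; also re-point the D-Bus copy at it so the two
# can never diverge, and drop cached DHCP leases tied to the old identity.
reset_machine_id() {
  local root="${1:-/}"
  local id_file="$root/etc/machine-id" dbus_file="$root/var/lib/dbus/machine-id"
  mkdir -p "$root/etc" "$root/var/lib/dbus"
  : > "$id_file"
  rm -f "$dbus_file"
  ln -s /etc/machine-id "$dbus_file"     # absolute target is correct in-image
  # Lease caches for dhclient (RHEL/Debian paths) and NetworkManager.
  rm -f "$root"/var/lib/dhclient/*.leases "$root"/var/lib/dhcp/*.leases \
        "$root"/var/lib/NetworkManager/*.lease
}

# Returns 0 when the image is safe to clone: id file exists but is empty and the
# D-Bus copy is a symlink rather than a stale duplicate.
machine_id_is_clean() {
  local root="${1:-/}"
  [ -f "$root/etc/machine-id" ] && [ ! -s "$root/etc/machine-id" ] \
    && [ -L "$root/var/lib/dbus/machine-id" ]
}
```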

Included Pull Requests

  • Refactor (infra): Overhaul and Stabilize the VBox VM Automation Workflow by @csning1998 in #1
  • Refactored: Migrated from Oracle VirtualBox to VMware Workstation by @csning1998 in #2
  • Experimental: Terraform to Ansible without using Provider by @csning1998 in #3
  • Basic Kubernetes Cluster Deployment with kubeadm by @csning1998 in #4

Full Changelog: https://github.com/csning1998/iac-kubeadm-deployment/commits/v0.1.0-beta.1