Release v1.0.0: Summary
This is a landmark release that represents a fundamental architectural shift for the project. The entire virtualization backend has been migrated from VMware Workstation to an open-source QEMU/KVM stack managed by Libvirt. In addition, HashiCorp Vault is now fully integrated as a containerized service managed by Podman Compose, providing a secure, automated, and consistent secrets-management backend for the whole IaC workflow.
This release completes the vision of a fully automated, self-contained system for deploying Kubernetes clusters on-premise, built on open-source tooling and aligned, as far as possible, with modern on-premise DevOps practices.

BREAKING CHANGES
- Hypervisor Support: This version exclusively supports QEMU/KVM managed by Libvirt. VMware Workstation support has been moved to the `legacy-workstation-on-ubuntu` branch.
- Secrets Management: The project no longer works without a running HashiCorp Vault instance. All secret variables previously defined in `*.tfvars` and `*.pkrvars.hcl` files must now be stored in Vault.
- Container Engine: The containerized workflow now requires `podman` and `podman-compose` instead of Docker.
Key Architectural Changes
- Migration to QEMU/KVM with Libvirt:
  - The virtualization provider has been completely migrated from VMware Workstation to QEMU/KVM, managed via the `dmacvicar/libvirt` Terraform provider. This aligns the project with open-source hypervisor standards.
  - The Packer build process now produces a `qcow2` golden image specifically for KVM environments.
  - Terraform now manages `libvirt` resources such as networks, storage pools, volumes, and domains, providing a more declarative approach to infrastructure management than the previous `vmrun` CLI-based method.
- Full Integration of Containerized Vault Server:
  - HashiCorp Vault is now a first-class citizen, running as a managed `iac-vault-server` container defined in the project's `compose.yml`. Alternatively, the Vault server can be started directly on the host with the `vault server ...` command. Note that the container and a host-native server cannot run at the same time, because both bind the same port.
  - The entire workflow now relies on Vault for secrets. Both Packer and Terraform fetch credentials directly from the Vault API, so secrets are no longer kept in local files.
  - The Vault server is configured with TLS for secure communication, and the `entry.sh` script provides helpers for certificate generation, initialization, and unsealing. `mlock` is enabled (`disable_mlock = false`) so that unsealed key material in Vault's memory cannot be swapped to disk, in line with production security practices.
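As an added illustration of the TLS and `mlock` settings described above (this is example configuration written for these notes, not the project's own `compose.yml` or `entry.sh` output), a minimal Vault server config in the shape the containerized `iac-vault-server` would consume. The certificate paths, the raft node name and the storage path are assumptions:

```hcl
# Added example: minimal server config for a containerized Vault instance.
# File paths, the raft node_id and the cluster port are illustrative assumptions.

ui = true

# Keep mlock enabled (disable_mlock = false is also Vault's default) so the
# process can lock its memory and unsealed key material is never paged to swap.
# Inside a container this requires the IPC_LOCK capability
# (podman run --cap-add=IPC_LOCK); without it Vault fails at startup with a
# memory-lock error rather than silently running unlocked.
disable_mlock = false

# TLS on the API listener. The cert/key pair is the one produced by the
# project's certificate-generation helper (paths assumed here).
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_disable     = false
  tls_cert_file   = "/vault/tls/vault.crt"
  tls_key_file    = "/vault/tls/vault.key"
  tls_min_version = "tls12"
}

# Integrated (raft) storage keeps the whole backend inside one container
# volume, so no external storage service is needed for a single-node lab.
storage "raft" {
  path    = "/vault/data"
  node_id = "iac-vault-1"
}

api_addr     = "https://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
```

Clients that verify the self-signed certificate need the CA (or the server cert itself) passed via `VAULT_CACERT`; pointing `VAULT_SKIP_VERIFY` at the server instead silently discards the protection the TLS listener was added for. Because the listener binds port 8200, this is also the port that collides when a host-native `vault server` and the container are started together.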
-
- Shift from Docker to Podman:
  - The containerized environment has been migrated from Docker to Podman. The `Containerfile` and `compose.yml` have been updated accordingly, reflecting a preference for daemonless and rootless container workflows.
-
- Refined Host Environment Setup:
  - The `README.md` and setup scripts now include a detailed, robust guide for configuring non-root user access to the Libvirt daemon on RHEL-based systems, including the necessary `systemd` socket override configurations.
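To show how the two architectural changes above fit together in practice, here is an added Terraform example (written for these notes, not taken from the project's repository) in which Terraform reads a node credential from Vault at plan time and injects it into a Libvirt domain through cloud-init, so nothing secret appears in `*.tfvars`. The KV mount and secret path, the key name `ssh_public_key`, the storage pool, the golden-image name and the VM sizing are all assumptions:

```hcl
# Added example: Vault-backed secrets feeding a libvirt domain via cloud-init.
# Secret layout, pool and image names are illustrative assumptions.

terraform {
  required_providers {
    libvirt = { source = "dmacvicar/libvirt" }
    vault   = { source = "hashicorp/vault" }
  }
}

# Address, token and CA certificate are taken from VAULT_ADDR, VAULT_TOKEN and
# VAULT_CACERT in the environment, so the provider block carries no secrets.
provider "vault" {}

provider "libvirt" {
  uri = "qemu:///system"
}

# KV v2 secret at secret/kubernetes/nodes (assumed) holding the SSH public key
# for the node user. Reading it requires a token with "read" on
# secret/data/kubernetes/nodes.
data "vault_kv_secret_v2" "nodes" {
  mount = "secret"
  name  = "kubernetes/nodes"
}

# cloud-init user data rendered from the Vault secret. Values from
# vault_kv_secret_v2 are sensitive, so Terraform redacts them in plan output.
resource "libvirt_cloudinit_disk" "node" {
  name      = "k8s-node-cloudinit.iso"
  pool      = "default"
  user_data = <<-EOT
    #cloud-config
    users:
      - name: kube
        sudo: ALL=(ALL) NOPASSWD:ALL
        shell: /bin/bash
        ssh_authorized_keys:
          - ${data.vault_kv_secret_v2.nodes.data["ssh_public_key"]}
  EOT
}

# Copy-on-write volume layered on the Packer-built qcow2 golden image, so the
# image itself is never modified by a running domain.
resource "libvirt_volume" "node" {
  name             = "k8s-node.qcow2"
  pool             = "default"
  base_volume_name = "golden.qcow2"
  format           = "qcow2"
}

resource "libvirt_domain" "node" {
  name      = "k8s-node"
  memory    = 4096
  vcpu      = 2
  cloudinit = libvirt_cloudinit_disk.node.id

  disk {
    volume_id = libvirt_volume.node.id
  }

  network_interface {
    network_name   = "default"
    wait_for_lease = true
  }
}
```

Two caveats worth keeping in mind with this pattern. Moving secrets out of `*.tfvars` does not remove them from Terraform state: the rendered `user_data` is stored there in plaintext, so the state file needs the same protection the Vault data had. And because the secret is a data source, every `terraform plan` re-reads it, which is the behaviour you want (rotation in Vault propagates) but also means the planning environment must always be able to reach Vault with a valid, unexpired token. The Packer side of the same workflow uses Packer's built-in `vault()` function, for example `vault("secret/data/kubernetes/nodes", "ssh_public_key")`, against the same KV v2 path.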
Pull Requests
- refactor(core): Standardize on QEMU/KVM and Podman, removing VMware/Docker support by @csning1998 in #8
- feat(HashiCorp Vault): Integration with Self-Managed Vault on both Host and Container Environment by @csning1998 in #9
Full Changelog: v0.3.0...v1.0.0