|
| 1 | +# CLAUDE.md |
| 2 | + |
| 3 | +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. |
| 4 | + |
| 5 | +## Project Overview |
| 6 | + |
| 7 | +This is a Terraform module that creates production-ready Kubernetes clusters using Talos OS on Hetzner Cloud infrastructure. It deploys secure, immutable clusters with comprehensive networking, security, and high availability features. |
| 8 | + |
| 9 | +## Architecture |
| 10 | + |
| 11 | +### Core Components |
| 12 | +- **Control Plane**: 1, 3, or 5 control plane nodes (odd numbers only) running Talos OS |
| 13 | +- **Worker Nodes**: Configurable number of worker nodes |
| 14 | +- **Networking**: Private Hetzner Cloud networks with public API access via firewall rules |
| 15 | +- **CNI**: Cilium for advanced networking and security features |
| 16 | +- **Cloud Integration**: Hetzner Cloud Controller Manager for native cloud features |
| 17 | + |
| 18 | +### Key Files Structure |
| 19 | +- `terraform.tf` - Provider configurations (Hetzner Cloud, Talos, Helm, kubectl) |
| 20 | +- `variables.tf` - Comprehensive variable definitions (13k+ lines) |
| 21 | +- `server.tf` - Server provisioning for control plane and worker nodes |
| 22 | +- `network.tf` - VPC, subnets, floating IPs setup |
| 23 | +- `firewall.tf` - Security rules and firewall configuration |
| 24 | +- `talos.tf` - Talos OS configuration and bootstrapping |
| 25 | +- `talos_patch_*.tf` - Node-specific Talos configurations |
| 26 | +- `manifest_*.tf` - Kubernetes manifests for Cilium and Hcloud CCM |
| 27 | + |
| 28 | +## Development Commands |
| 29 | + |
| 30 | +### Essential Commands |
| 31 | +```bash |
| 32 | +# Format Terraform code |
| 33 | +terraform fmt -recursive |
| 34 | + |
| 35 | +# Validate configuration |
| 36 | +terraform init |
| 37 | +terraform validate |
| 38 | + |
| 39 | +# Build Talos images (required before first deployment) |
| 40 | +./_packer/create.sh |
| 41 | + |
| 42 | +# Install and run pre-commit hooks |
| 43 | +pre-commit install |
| 44 | +pre-commit run --all-files |
| 45 | +``` |
| 46 | + |
| 47 | +### Packer Image Building |
| 48 | +Located in `_packer/` directory. Must be run before first Terraform deployment: |
| 49 | +```bash |
| 50 | +# Build Talos OS images for both ARM64 and x86_64 |
| 51 | +./_packer/create.sh |
| 52 | +``` |
| 53 | + |
| 54 | +### Testing and Quality Assurance |
| 55 | +- **Terraform Validation**: `terraform init && terraform validate` |
| 56 | +- **Security Scanning**: Checkov runs in CI, can be run locally if installed |
| 57 | +- **Code Formatting**: `terraform fmt -recursive` and Prettier |
| 58 | +- **Pre-commit Hooks**: Run automatically on commit, manually with `pre-commit run --all-files` |
| 59 | + |
| 60 | +## Configuration Management |
| 61 | + |
| 62 | +### Version Compatibility |
| 63 | +Critical version alignments required: |
| 64 | +- `talos_version` must match between Packer build and Terraform deployment |
| 65 | +- `kubernetes_version` must be compatible with `talos_version` |
| 66 | +- `cilium_version` must be compatible with `kubernetes_version` |
| 67 | + |
| 68 | +### Network Configuration |
| 69 | +All network CIDRs are customizable: |
| 70 | +- `network_ipv4_cidr` - Main network CIDR |
| 71 | +- `node_ipv4_cidr` - Node subnet CIDR |
| 72 | +- `pod_ipv4_cidr` - Pod network CIDR |
| 73 | +- `service_ipv4_cidr` - Service network CIDR |
| 74 | + |
| 75 | +### Security Configuration |
| 76 | +- Firewall rules restrict API access to specific IPs |
| 77 | +- `firewall_use_current_ip = true` automatically uses current public IP |
| 78 | +- Manual IP specification via `firewall_kube_api_source` and `firewall_talos_api_source` |
| 79 | + |
| 80 | +## Deployment Workflow |
| 81 | + |
| 82 | +1. **Image Building**: Run `_packer/create.sh` to build Talos OS images |
| 83 | +2. **Configuration**: Set required variables (hcloud_token, cluster_name, etc.) |
| 84 | +3. **Deployment**: Run `terraform plan` and `terraform apply` |
| 85 | +4. **Config Export**: Extract kubeconfig and talosconfig from Terraform outputs |
| 86 | +5. **Access**: Use kubectl and talosctl with exported configurations |
| 87 | + |
| 88 | +## CI/CD Integration |
| 89 | + |
| 90 | +### GitHub Actions Workflows |
| 91 | +- **dev-experience.yml**: Terraform validation on multiple versions (1.8.x, 1.9.x) |
| 92 | +- **checkov.yml**: Security scanning with SARIF output |
| 93 | +- **release.yml**: Automated semantic releases |
| 94 | + |
| 95 | +### Code Quality Tools |
| 96 | +- **Pre-commit hooks**: terraform_fmt, terraform_docs, terraform_tflint, terraform_checkov |
| 97 | +- **Conventional Commits**: Enforced via commitlint |
| 98 | +- **Semantic Release**: Automated versioning based on commit messages |
| 99 | + |
| 100 | +## Important Notes |
| 101 | + |
| 102 | +### Cluster Upgrades |
| 103 | +- Kubernetes upgrades must be performed using `talosctl upgrade-k8s`, not by changing Terraform variables |
| 104 | +- Changes to `user_data` or `image` require node recreation |
| 105 | +- Always use publicly accessible endpoints when running talosctl from outside the cluster |
| 106 | + |
| 107 | +### Known Limitations |
| 108 | +- IPv6 dual stack not yet supported by Talos |
| 109 | +- KubeSpan may prevent cluster ready state in some configurations |
| 110 | +- Rate limiting issues with registry.k8s.io from some Hetzner IP ranges |
| 111 | + |
| 112 | +### Multi-Architecture Support |
| 113 | +- Supports both ARM64 and x86_64 server types |
| 114 | +- Separate Packer builds create images for both architectures |
| 115 | +- Server type selection determines architecture (e.g., "cax11" for ARM64, "cx11" for x86_64) |
0 commit comments