preparation for k3s

terraform/data.tf

@@ -10,7 +10,8 @@ data "vault_generic_secret" "opnsense" {
   path  = "secret/infrastructure/opnsense"
 }
 
-data "vault_generic_secret" "vm_creds" {
+data "vault_kv_secret_v2" "vm_creds" {
   count = var.use_vault ? 1 : 0
-  path  = "secret/infrastructure/vm-credentials"
+  mount = "secret"
+  name  = "infrastructure/vm-credentials"
 }

terraform/locals.tf

@@ -1,10 +1,10 @@
 locals {
   # SSH Public Key for Provisioning
-  ssh_key = var.use_vault ? data.vault_generic_secret.vm_creds[0].data["ssh_public_key"] : var.ssh_public_key
+  ssh_key = var.use_vault ? data.vault_kv_secret_v2.vm_creds[0].data["ssh_public_key"] : var.ssh_public_key
   
   # CI Credentials
-  ci_user     = var.use_vault ? data.vault_generic_secret.vm_creds[0].data["ci_user"] : var.ci_user
-  ci_password = var.use_vault ? data.vault_generic_secret.vm_creds[0].data["ci_password"] : var.ci_password
+  ci_user     = var.use_vault ? data.vault_kv_secret_v2.vm_creds[0].data["ci_user"] : var.ci_user
+  ci_password = var.use_vault ? data.vault_kv_secret_v2.vm_creds[0].data["ci_password"] : var.ci_password
 
   vms = {
     # VLAN 30: Docker
@@ -12,14 +12,19 @@ locals {
     "vm-docker-apps-301"    = { id = 301, cores = 2, memory = 4096, vlan = 30, tags = "docker,apps",    ip = "10.100.30.11", gw = "10.100.30.1" }
     "vm-docker-traefik-302" = { id = 302, cores = 1, memory = 2048, vlan = 30, tags = "docker,ingress", ip = "10.100.30.12", gw = "10.100.30.1" }
 
-    # VLAN 40: K3s
+    # VLAN 40: K3s (HA Control Plane)
     "vm-k3s-master-400"     = { id = 400, cores = 2, memory = 4096, vlan = 40, tags = "k3s,master",     ip = "10.100.40.10", gw = "10.100.40.1" }
-    "vm-k3s-worker-401"     = { id = 401, cores = 2, memory = 4096, vlan = 40, tags = "k3s,worker",     ip = "10.100.40.11", gw = "10.100.40.1" }
-    "vm-k3s-worker-402"     = { id = 402, cores = 2, memory = 4096, vlan = 40, tags = "k3s,worker",     ip = "10.100.40.12", gw = "10.100.40.1" }
-    "vm-k3s-worker-403"     = { id = 403, cores = 2, memory = 4096, vlan = 40, tags = "k3s,worker",     ip = "10.100.40.13", gw = "10.100.40.1" }
+    "vm-k3s-master-401"     = { id = 401, cores = 2, memory = 4096, vlan = 40, tags = "k3s,master",     ip = "10.100.40.11", gw = "10.100.40.1" }
+    "vm-k3s-master-402"     = { id = 402, cores = 2, memory = 4096, vlan = 40, tags = "k3s,master",     ip = "10.100.40.12", gw = "10.100.40.1" }
 
     # VLAN 90: Bastion
     "vm-bastion-900"        = { id = 900, cores = 1, memory = 2048, vlan = 90, tags = "bastion",        ip = "10.100.90.10", gw = "10.100.90.1" }
     "vm-bastion-901"        = { id = 901, cores = 1, memory = 2048, vlan = 90, tags = "bastion",        ip = "10.100.90.11", gw = "10.100.90.1" }
   }
+
+  # Extra DNS entries for VIPs (Virtual IPs)
+  extra_dns = {
+    "k3s-api"     = { ip = "10.100.40.5", tags = "k3s,vip,api" }
+    "k3s-ingress" = { ip = "10.100.40.6", tags = "k3s,vip,ingress" }
+  }
 }

terraform/main.tf

@@ -64,12 +64,20 @@ resource "proxmox_vm_qemu" "vm_deployment" {
   tags = each.value.tags
 
   lifecycle {
-    ignore_changes = [ network ]
+    ignore_changes = [ 
+      network, 
+      sshkeys,
+      ciuser,
+      cipassword
+    ]
   }
 }
 
 resource "opnsense_unbound_host_override" "dns_entries" {
-  for_each = local.vms
+  for_each = merge(
+    { for k, v in local.vms : k => { ip = v.ip, tags = v.tags } },
+    local.extra_dns
+  )
 
   enabled     = true
   hostname    = each.key
@@ -77,3 +85,12 @@ resource "opnsense_unbound_host_override" "dns_entries" {
   description = "Managed by Terraform: ${each.value.tags}"
   server      = each.value.ip
 }
+
+# Wildcard DNS record for K3s Ingress
+resource "opnsense_unbound_host_override" "dns_wildcard_k3s" {
+  enabled     = true
+  hostname    = "*"
+  domain      = "k3s.stabify.de"
+  description = "Managed by Terraform: Wildcard for K3s Ingress VIP"
+  server      = local.extra_dns["k3s-ingress"].ip
+}