Merge pull request #155 from kubermatic/example/kubermatic-virtualization

add kubermatic-virtualization example

Author: toschneck

README.md

@@ -31,8 +31,8 @@ Dedicated components for customer purposes.
 | [vmware-exporter](components/vmware-exporter)                                                             | Helm chart for VMware Exporter and Dashboard for Prometheus and Grafana for monitoring of vSphere environments in the KKP MLA stack.                                                                                                                         |
 | [nutanix-exporter](components/nutanix-exporter)                                                           | Helm chart for [nutanix-exporter](https://github.com/claranet/nutnix-exporter) - exporter for Prometheus that can be used for monitoring of Nutanix-based environments.                                                                                      |
 | [user-cluster-alertmanager-alerts](components/user-cluster-alertmanager-alerts)                           | Set of user-cluster alert rules for usage with User-Cluster MLA. See cluster-mamangement-by-api to deploy Alertrules programatically.                                                                                                                        |
-| [user-cluster-grafana-dashboards](components/user-cluster-grafana-dashboards)                             | Set of user-cluster grafana dashboards for usage with User-Cluster MLA.                                                                                                                     | 
-[kubevirt](components/kubevirt)                                                                                                                           | Help Components for e.g. installing kvm quemu packages on baremetal.                                      |
+| [user-cluster-grafana-dashboards](components/user-cluster-grafana-dashboards)                             | Set of user-cluster grafana dashboards for usage with User-Cluster MLA.                                                                                                                                                                                      | 
+| [kubevirt](components/kubevirt)                                                                           | Help Components for e.g. installing kvm quemu packages on baremetal.                                                                                                                                                                                         |
 
 ## Kubermatic Example Setups
 
@@ -43,6 +43,7 @@ Dedicated components for customer purposes.
 | [Bare Metal - KubeOne Static Hosts](./examples/baremetal/kubeone/vsphere-static-machines) | Example how to managed static bare metal workers. The "bare metal" workers are simulated with vSphere by terraform automation                                                                                                                                            |
 | [Bare Metal - KKP and kubeadm join implementation examples](examples/baremetal/kkp)       | Example how to use [kubeadm](https://kubernetes.io/docs/setup/independent/install-kubeadm/) to join the KKP managed controlplan: [1 Manual Example](examples/baremetal/kkp/kubadm-manual), [2 SSH Multi Client join script](examples/baremetal/kkp/kubeadm-multi-client) |
 | [Baremetal node provisioning with OSM](examples/baremetal/kkp/kubeadm-osm/README.md)      | This method allows you to provision a baremetal machine as a Kubernetes node, using the provisioning logic of OSM as provided by the specific OSP.                                                                                                                       |
+| [Kubermatic Virtualization](examples/kubermatic-virtualization/README.md)                 | Example config to run Kubermatic Virtualization setup with dedicated (protected) tooling container                                                                                                                                                                       |
 
 ## Kubermatic Addons
 

examples/kubermatic-virtualization/.env

@@ -0,0 +1,8 @@
+# KubeOne Offline Bootstrap Environment Configuration
+#
+# This file contains the environment variables needed to configure and run the bootstrap environment.
+# Copy this file to .env and fill in the appropriate values for your setup.
+
+# --- Kubermatic Virtualization Settings ---
+DOCKER_REPO=quay.io/toschneck/kubermatic-virtualization-tooling
+TOOLING_CONTAINER_TAG=kubev-d12dc16_kkp-v2.29.4-2026-02-24

examples/kubermatic-virtualization/.gitignore

@@ -0,0 +1,2 @@
+*-kubeconfig
+*-kubeconfig.crypt.yaml

examples/kubermatic-virtualization/Justfile

@@ -0,0 +1,60 @@
+
+_default:
+    @just --list
+set shell := ["bash", "-uc"]
+
+KUBEV_FOLDER := source_directory()/"kubev"
+KUBEV_KUBECONFIG := KUBEV_FOLDER/"kubev-kubeconfig.crypt.yaml"
+
+#### Local KubeV Tooling
+KUBEV_SSH_KEY := source_directory()/"../git-submodules/secrets/ssh/id_rsa"
+KUBEV_TF_INFRA := source_directory()/"./keepalived-lb-tf-infra"
+DOCKER_EXTRA_FLAG := "--detach"
+CONTAINER_NAME := "kubev"
+ENV_FILE := source_directory()/".env"
+
+local-kubev-tooling-start:
+    #!/usr/bin/env bash
+    source "{{ ENV_FILE }}"
+    docker pull --platform linux/amd64 ${DOCKER_REPO}:${TOOLING_CONTAINER_TAG}
+    docker run -it --platform linux/amd64 --user 0 --rm \
+        --name {{ CONTAINER_NAME }} {{ DOCKER_EXTRA_FLAG }} \
+        -v {{ source_directory() }}/../../../:/data \
+        ${DOCKER_REPO}:${TOOLING_CONTAINER_TAG} bash
+    just local-kubev-tooling-exec
+
+local-kubev-tooling-rm:
+    docker rm -f {{ CONTAINER_NAME }}
+
+local-kubev-tooling-exec:
+    docker exec -w /data -it {{ CONTAINER_NAME }} bash
+
+load-env:
+    @test -f {{ KUBEV_SSH_KEY }} && chmod 600 {{ KUBEV_SSH_KEY }} && ssh-add {{ KUBEV_SSH_KEY }} && echo "[ok] "|| (echo "ERROR: ssh key permission ..." && exit 2)
+
+#### #### KubeV Cluster Management
+#### Terraform (K8s API LB)
+
+kubev-lb-tf-init: load-env
+    cd {{ KUBEV_TF_INFRA }} && terraform init
+
+kubev-lb-tf-apply: load-env
+    cd {{ KUBEV_TF_INFRA }} && terraform apply
+
+kubev-lb-output: load-env
+    cd {{ KUBEV_TF_INFRA }} && terraform output
+
+kubev-apply:
+    kubermatic-virtualization version > {{ KUBEV_FOLDER }}/kubermatic-virtualization.version.txt
+    kubermatic-virtualization apply --verbose -f {{ KUBEV_FOLDER }}/kubev.yaml
+    cp ./*-kubeconfig {{ KUBEV_KUBECONFIG }}
+    just untaint-cp-nodes
+    just kubev-apply-services
+
+kubev-apply-services:
+	cd {{ KUBEV_FOLDER }} && KUBECONFIG={{ KUBEV_KUBECONFIG }} helmfile sync
+
+#### Kubernetes Helpers
+untaint-cp-nodes:
+	kubectl --kubeconfig {{ KUBEV_KUBECONFIG }} taint nodes --all node-role.kubernetes.io/master- || echo "... untainted"
+	kubectl --kubeconfig {{ KUBEV_KUBECONFIG }} taint nodes --all node-role.kubernetes.io/control-plane- || echo "... untainted"

examples/kubermatic-virtualization/README.md

@@ -0,0 +1,90 @@
+# KubeV Cluster Setup
+
+This directory contains an example `Justfile` for managing a Kubermatic Virtualization (KubeV) cluster (example: `kubev`).
+
+## Requirements
+
+Before starting, verify your infrastructure meets the hardware and software requirements:
+- [KubeV Requirements](https://docs.kubermatic.com/kubermatic-virtualization/main/architecture/requirements/)
+
+## Prepare Configuration
+
+### Print Full Config Template
+
+Generate a full example configuration to understand all available options:
+
+```bash
+kubermatic-virtualization config print --full
+```
+
+See [Declarative Installation Docs](https://docs.kubermatic.com/kubermatic-virtualization/main/installation/declarative-installation/) for details.
+
+Edit your cluster config at `kubev/kubev.yaml`.
+
+### Interactive Installation (alternative)
+
+Alternatively, use the interactive installer to generate a config:
+
+```bash
+kubermatic-virtualization install
+```
+
+See [Interactive Installation Docs](https://docs.kubermatic.com/kubermatic-virtualization/main/installation/interactive-installation/).
+
+## Setup Steps
+
+### 1. Start Local KubeV Tooling Container
+
+```bash
+just local-kubev-tooling-start
+```
+
+Re-attach to a running container:
+
+```bash
+just local-kubev-tooling-exec
+```
+
+Remove the container:
+
+```bash
+just local-kubev-tooling-rm
+```
+
+### 2. Load SSH Key & Environment
+
+```bash
+just load-env
+```
+
+### 3. Provision Load Balancer (Terraform)
+
+```bash
+just kubev-lb-tf-init
+just kubev-lb-tf-apply
+just kubev-lb-output
+```
+
+### 4. Apply KubeV Cluster
+
+Runs `kubermatic-virtualization apply`, copies the kubeconfig, untaints control-plane nodes, and syncs Helm releases:
+
+```bash
+just kubev-apply
+```
+
+Individual steps:
+
+```bash
+just untaint-cp-nodes       # remove control-plane taints
+just kubev-apply-services   # helmfile sync
+```
+
+## Key Files
+
+| Path | Description |
+|---|---|
+| `kubev/kubev.yaml` | KubeV cluster configuration |
+| `kubev/kubev-kubeconfig.crypt.yaml` | Encrypted kubeconfig (written after apply) |
+| `../00_config-generator/.env` | Environment variables (Docker registry, tags, etc.) |
+| `../git-submodules/secrets/ssh/id_rsa` | SSH key for cluster access |

examples/kubermatic-virtualization/keepalived-lb-tf-infra/README.md

@@ -0,0 +1,170 @@
+# Keepalived Load Balancer for KubeV Control Plane
+
+This Terraform module deploys keepalived on KubeV control plane nodes to provide a Virtual IP (VIP) for Kubernetes API high availability.
+
+## Overview
+
+Keepalived uses VRRP (Virtual Router Redundancy Protocol) to manage a floating Virtual IP address across multiple control plane nodes. When the master node fails, the VIP automatically moves to a backup node, ensuring continuous API server availability.
+
+## Use Cases
+
+This module is recommended for:
+- **On-premise / bare-metal deployments** where cloud load balancers are not available
+- **VMware vSphere** environments
+- **Private data centers** with direct L2 network connectivity
+
+> **Note**: For GCP test deployments, use the [GCP Internal Load Balancer](../../infra-machines/gce/README.md) instead, as keepalived VIPs are not easily accessible from outside the VPC and GCP does not support multicast.
+
+## Prerequisites
+
+- Control plane nodes must be provisioned and accessible via SSH
+- All control plane nodes must be on the same L2 network segment
+- The VIP address must be unused and within the same subnet as control plane nodes
+- SSH key-based authentication configured
+
+## Usage
+
+### 1. Create terraform.tfvars
+
+```hcl
+cluster_name = "kubev-cluster"
+
+# Virtual IP for the Kubernetes API
+api_vip = "10.0.2.100"
+
+# Control plane node IPs
+control_plane_hosts = [
+  "10.0.2.10",
+  "10.0.2.11",
+  "10.0.2.12"
+]
+
+# SSH configuration
+ssh_username         = "ubuntu"
+ssh_private_key_file = "~/.ssh/id_rsa"
+
+# Network interface for VRRP (check with: ip link show)
+vrrp_interface = "ens192"
+
+# VRRP router ID (must be unique in your network, 1-255)
+vrrp_router_id = 42
+
+# Optional: Bastion host for SSH jump
+# bastion_host     = "bastion.example.com"
+# bastion_port     = 22
+# bastion_username = "ubuntu"
+```
+
+### 2. Initialize and Apply
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+### 3. Verify Installation
+
+SSH into any control plane node and check:
+
+```bash
+# Check keepalived status
+sudo systemctl status keepalived
+
+# Check which node holds the VIP
+ip addr show | grep <VIP>
+
+# Test API server via VIP
+curl -k https://<VIP>:6443/healthz
+```
+
+## Configuration Variables
+
+| Variable | Description | Default | Required |
+|----------|-------------|---------|:--------:|
+| `cluster_name` | Name of the cluster | - | yes |
+| `api_vip` | Virtual IP address for Kubernetes API | - | yes |
+| `control_plane_hosts` | List of control plane node IPs | - | yes |
+| `ssh_username` | SSH user for provisioning | `root` | no |
+| `ssh_private_key_file` | Path to SSH private key | - | yes |
+| `vrrp_interface` | Network interface for VRRP | `ens192` | no |
+| `vrrp_router_id` | VRRP router ID (1-255, must be unique) | `42` | no |
+| `bastion_host` | SSH bastion/jump host | `""` | no |
+| `bastion_port` | SSH bastion port | `22` | no |
+| `bastion_username` | SSH bastion user | `""` | no |
+
+## Outputs
+
+| Output | Description |
+|--------|-------------|
+| `kubev_api` | API endpoint configuration with VIP |
+| `kubev_hosts` | Control plane host information |
+
+## How It Works
+
+1. **Installation**: The module installs keepalived on all control plane nodes
+2. **Configuration**: Each node is configured with VRRP:
+   - First node becomes MASTER (priority 101)
+   - Other nodes become BACKUP (priority 100)
+3. **Health Check**: A script checks the local API server every 3 seconds
+4. **Failover**: If the master fails the health check, the VIP moves to a backup node
+
+## Architecture
+
+```
+                    ┌─────────────────┐
+                    │   VIP: api_vip  │
+                    │   (Floating IP) │
+                    └────────┬────────┘
+                             │
+           ┌─────────────────┼─────────────────┐
+           │                 │                 │
+           ▼                 ▼                 ▼
+    ┌──────────────┐  ┌──────────────┐  ┌──────────────┐
+    │   CP Node 1  │  │   CP Node 2  │  │   CP Node 3  │
+    │   (MASTER)   │  │   (BACKUP)   │  │   (BACKUP)   │
+    │  Priority:101│  │  Priority:100│  │  Priority:100│
+    │  kube-api:6443│  │  kube-api:6443│  │  kube-api:6443│
+    └──────────────┘  └──────────────┘  └──────────────┘
+```
+
+## Troubleshooting
+
+### Check keepalived logs
+```bash
+sudo journalctl -u keepalived -f
+```
+
+### Verify VRRP communication
+```bash
+sudo tcpdump -i <interface> vrrp
+```
+
+### Manual failover test
+```bash
+# On master node, stop keepalived
+sudo systemctl stop keepalived
+
+# Check VIP moved to another node
+ip addr show | grep <VIP>
+```
+
+### Common issues
+
+1. **VIP not assigned**: Check firewall allows VRRP protocol (IP protocol 112)
+2. **Split-brain**: Ensure all nodes can communicate via VRRP
+3. **Health check failing**: Verify API server is running on localhost:6443
+
+## Integration with KubeV
+
+When using this module with KubeV, configure the cluster to use the VIP as the API endpoint:
+
+```yaml
+# kubev.yaml
+apiVersion: kubermatic.k8c.io/v1
+kind: KubevCluster
+spec:
+  controlPlaneEndpoint:
+    host: "<api_vip>"
+    port: 6443
+```

examples/kubermatic-virtualization/keepalived-lb-tf-infra/etc_keepalived_check_apiserver_sh.tpl

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+errorExit() {
+    echo "*** $*" 1>&2
+    exit 1
+}
+
+curl --silent --max-time 2 --insecure https://localhost:6443/healthz -o /dev/null || errorExit "Error GET https://localhost:6443/healthz"
+if ip addr | grep -q ${APISERVER_VIP}; then
+    curl --silent --max-time 2 --insecure https://${APISERVER_VIP}:6443/healthz -o /dev/null || errorExit "Error GET https://${APISERVER_VIP}:6443/healthz"
+fi

examples/kubermatic-virtualization/keepalived-lb-tf-infra/etc_keepalived_keepalived_conf.tpl

@@ -0,0 +1,27 @@
+global_defs {
+    router_id LVS_DEVEL
+}
+vrrp_script check_apiserver {
+  script "/etc/keepalived/check_apiserver.sh"
+  interval 3
+  weight -2
+  fall 10
+  rise 2
+}
+
+vrrp_instance VI_1 {
+    state ${STATE}
+    interface ${INTERFACE}
+    virtual_router_id ${ROUTER_ID}
+    priority ${PRIORITY}
+    authentication {
+        auth_type PASS
+        auth_pass ${AUTH_PASS}
+    }
+    virtual_ipaddress {
+        ${APISERVER_VIP}
+    }
+    track_script {
+        check_apiserver
+    }
+}