
Commit 8e6bc57

Authored by cmyui and claude
Use self-hosted runner for Terraform workflow (#36)
* Use self-hosted runner for Terraform workflow

  Switch both terraform-plan and terraform-apply jobs to use the self-hosted VPC runner for consistency with the Grafana workflow and to ensure K8s API access works with the new firewall restrictions.

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Fix helm-diff plugin installation on self-hosted runner

  Check if the plugin exists before installing to avoid "plugin already exists" error on the persistent self-hosted runner.

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Make GitHub runner ephemeral

  Ephemeral runners exit after one job and restart fresh, avoiding state accumulation issues (helm plugins, directories, etc.). This reverts the helm-diff workaround since it's no longer needed.

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Trigger CI with ephemeral runner

* Document K8s API access and certificate regeneration

  Added Cluster Access section with:
  - Network access table (VPC, Tailscale, public)
  - Instructions for local and CI/CD access
  - Certificate regeneration procedure for adding new SANs

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
1 parent 273f905 commit 8e6bc57

2 files changed

+33
-1
lines changed

README.md

Lines changed: 31 additions & 1 deletion
@@ -73,11 +73,41 @@ ssh k8s-worker01
7373
ssh k8s-worker02
7474
```
7575

76+
## Cluster Access
77+
78+
The K8s API (port 6443) is restricted to VPC and Tailscale networks only.
79+
80+
| Network | IP | Use case |
81+
|-----------|----------------|-----------------------------|
82+
| Public | 159.203.62.14 | Blocked by firewall |
83+
| VPC | 10.118.0.2 | CI/CD (GitHub runner) |
84+
| Tailscale | 100.78.124.92 | Admin access (local kubectl)|
85+
86+
**Local access**: Connect via Tailscale, then use `kubectl` with server `https://100.78.124.92:6443`.
87+
88+
**CI/CD access**: The self-hosted runner in the VPC uses `https://10.118.0.2:6443`.
89+
90+
### Regenerating API Server Certificate
91+
92+
If you need to add new IPs to the K8s API certificate (e.g., new Tailscale IP):
93+
94+
```bash
95+
ssh k8s-master01
96+
97+
# Backup and regenerate
98+
sudo cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak
99+
sudo rm /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.key
100+
sudo kubeadm init phase certs apiserver --apiserver-cert-extra-sans=10.118.0.2,100.78.124.92
101+
102+
# Restart API server
103+
sudo crictl pods --name kube-apiserver -q | xargs sudo crictl stopp
104+
```
105+
76106
## CI/CD
77107

78108
- **Grafana workflow**: Deploys k8s-monitoring stack on push to master
79109
- **Terraform CI**: Validates and applies infrastructure changes
80-
- **Self-hosted runner**: Runs in VPC for secure K8s API access (see `k8s/github-runner/`)
110+
- **Self-hosted runner**: Ephemeral runner in VPC for secure K8s API access (see `k8s/github-runner/`)
81111

82112
## Related Repositories
83113

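Review bot: The "Regenerating API Server Certificate" procedure passes the new SANs only on the command line (`--apiserver-cert-extra-sans=10.118.0.2,100.78.124.92`), so they are not recorded in the cluster's stored kubeadm ClusterConfiguration; a later `kubeadm certs renew apiserver` or a kubeadm upgrade regenerates the certificate from that stored config and would silently drop the VPC and Tailscale SANs, locking out both the CI runner and admin kubectl. Suggest documenting that `apiServer.certSANs` in the `kubeadm-config` ConfigMap (kube-system) must be updated with the same IPs, and adding a verification step after the restart, e.g. `openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -ext subjectAltName`, so the reader confirms the SANs actually landed before removing `/etc/kubernetes/pki.bak` (which holds the CA private key and should not be left around longer than needed).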
k8s/github-runner/templates/deployment.yaml

Lines changed: 2 additions & 0 deletions
@@ -26,6 +26,8 @@ spec:
2626
value: {{ .Values.labels | quote }}
2727
- name: RUNNER_WORKDIR
2828
value: "/tmp/runner"
29+
- name: EPHEMERAL
30+
value: "true"
2931
- name: ACCESS_TOKEN
3032
valueFrom:
3133
secretKeyRef:
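Review bot: `EPHEMERAL` is hardcoded to `"true"` rather than templated from values like the neighbouring `labels` entry, and the "restart fresh" property the commit message relies on depends on the container being recreated with no volume backing `RUNNER_WORKDIR` (`/tmp/runner`) or the runner's home; this hunk does not show the volume section, so it is worth a comment in the template (or a `values.yaml` toggle) stating that these paths must stay on the container's ephemeral filesystem, since an `emptyDir` there would survive container restarts within the same pod and reintroduce the helm-plugin state accumulation this change is meant to remove. Also note that with ephemeral mode the runner re-registers on every restart using `ACCESS_TOKEN`, so the secret must remain valid and its scope should be documented alongside this setting.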
