CSCfi · mmatthiesencsc · Dec 4, 2025 · Nov 24, 2025 · Nov 24, 2025 · Dec 3, 2025
diff --git a/.git-crypt/keys/default/0/AA8C701A045FAFF2771DC98B37BCF93FD33995BC.gpg b/.git-crypt/keys/default/0/AA8C701A045FAFF2771DC98B37BCF93FD33995BC.gpg
diff --git a/terraform/cloud-config.yaml b/terraform/cloud-config.yaml
@@ -7,9 +7,6 @@ apt:
     docker.list:
       source: deb [arch=amd64] https://download.docker.com/linux/ubuntu $RELEASE stable
       keyid: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
-    helm.list:
-      source: deb [arch=amd64] https://baltocdn.com/helm/stable/debian/ all main
-      keyid: 81BF832E2F19CD2AA0471959294AC4827C1A168A # https://baltocdn.com/helm/signing.asc
 packages:
 - ca-certificates
 - containerd.io
@@ -60,6 +57,8 @@ ssh_keys:
 runcmd:
 - systemctl disable --now docker.service docker.socket
 - rm -f /var/run/docker.sock
+- sysctl -p /etc/sysctl.d/unprivileged_port_start.conf
+- tar -xzf /tmp/helm.tar.gz -C /tmp && mv /tmp/linux-amd64/helm /usr/bin/helm && chmod 755 /usr/bin/helm
 - loginctl enable-linger ubuntu
 - chown ubuntu:root /home/ubuntu # in some versions docker setup has problems without it
 - su - ubuntu -c '/usr/local/sbin/setup.sh'
@@ -95,6 +94,11 @@ write_files:
   owner: root:root
   path: /usr/bin/kubectl
   permissions: '0755'
+- source:
+    uri: https://get.helm.sh/helm-v3.16.3-linux-amd64.tar.gz
+  owner: root:root
+  path: /tmp/helm.tar.gz
+  permissions: '0755'
 fs_setup:
 - label: data
   filesystem: 'ext4'

diff --git a/terraform/secrets/ssh_host_ed25519_key b/terraform/secrets/ssh_host_ed25519_key
diff --git a/terraform/secrets/ssh_host_ed25519_key.pub b/terraform/secrets/ssh_host_ed25519_key.pub
diff --git a/terraform/server.tf b/terraform/server.tf
@@ -22,7 +22,7 @@
 
 # Define required providers
 terraform {
-  required_version = ">= 1.1.5"
+  required_version = ">= 1.1.5, < 1.7.0"
   required_providers {
     openstack = {
       source  = "terraform-provider-openstack/openstack"
@@ -31,10 +31,14 @@ terraform {
   }
   backend "s3" {
     # Pouta/Swift specifics
-    region                      = "regionOne"
+#    region                      = "regionOne"
+    region                      = "1"
     skip_region_validation      = true
     skip_credentials_validation = true
-    endpoint                    = "a3s.fi"
+    skip_requesting_account_id  = true
+    skip_metadata_api_check     = true
+    skip_s3_checksum            = true
+    endpoint                    = "https://a3s.fi"
   }
 }
 
@@ -270,6 +274,24 @@ resource "openstack_networking_secgroup_rule_v2" "k8s-api-in-pa-vpn" {
   remote_ip_prefix  = "193.166.83.0/24"
   security_group_id = openstack_networking_secgroup_v2.security_group.id
 }
+resource "openstack_networking_secgroup_rule_v2" "k8s-api-in-espoo-office-02" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 6444
+  port_range_max    = 6444
+  remote_ip_prefix  = "193.166.2.0/24"
+  security_group_id = openstack_networking_secgroup_v2.security_group.id
+}
+resource "openstack_networking_secgroup_rule_v2" "k8s-api-in-espoo-office-01" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 6444
+  port_range_max    = 6444
+  remote_ip_prefix  = "193.166.1.0/24"
+  security_group_id = openstack_networking_secgroup_v2.security_group.id
+}
 resource "openstack_networking_secgroup_rule_v2" "aux-k8s-portsp-in" {
   direction         = "ingress"
   ethertype         = "IPv4"