
PatrykQuantumNomad/kps-basic-package


Kubert Security

This repository contains Terraform code to deploy a basic security package for Kubernetes (Kubert), focusing on essential security tools. The primary goal is to establish a secure foundation for Kubernetes environments by deploying and configuring key components like:

  • HashiCorp Vault: A centralized secret management and PKI platform for secure credential and certificate lifecycle management.
  • Linkerd: A service mesh to provide observability, security, and reliability for microservices within the Kubernetes cluster.
  • External Secrets Operator (ESO): Automates the management of sensitive data by synchronizing secrets from external secret stores (like Vault) into Kubernetes.
  • Reloader: A utility to automatically trigger pod restarts when ConfigMaps or Secrets are updated, essential for dynamic configurations.
  • PostgreSQL: A robust open-source relational database, configured for secure access and integrated with Vault for credential management. Used with Keycloak.
  • Keycloak: An open-source identity and access management solution for authentication and authorization within the Kubert environment.

This basic security package is designed to be modular and extensible, allowing for customization and integration with other Kubert components and services.
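As an added illustration of how the components above fit together (assumed manifests, not code from this repository): an ESO ClusterSecretStore that authenticates to Vault with Kubernetes auth, an ExternalSecret that syncs the PostgreSQL credentials for Keycloak into a Kubernetes Secret, and a Reloader annotation so Keycloak pods restart when that Secret rotates. The Vault address, KV path, role, namespaces and names are assumptions.

```yaml
# Assumed: Vault KV v2 mounted at "secret", Kubernetes auth role "keycloak"
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-kv
spec:
  provider:
    vault:
      server: "https://vault.vault.svc:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "keycloak"          # Vault role bound to ESO's service account
          serviceAccountRef: {name: external-secrets, namespace: external-secrets}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: keycloak-db
  namespace: keycloak
spec:
  refreshInterval: 1h             # poll Vault so rotated credentials propagate
  secretStoreRef: {name: vault-kv, kind: ClusterSecretStore}
  target:
    name: keycloak-db             # Kubernetes Secret ESO creates and keeps in sync
  data:
    - secretKey: KC_DB_USERNAME   # env var names Keycloak reads for its database
      remoteRef: {key: keycloak/postgres, property: username}  # assumed KV path
    - secretKey: KC_DB_PASSWORD
      remoteRef: {key: keycloak/postgres, property: password}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: keycloak
  annotations:
    secret.reloader.stakater.com/reload: "keycloak-db"   # Reloader restarts pods on rotation
spec:
  selector: {matchLabels: {app: keycloak}}
  template:
    metadata: {labels: {app: keycloak}}
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:<version>      # placeholder tag
          envFrom:
            - secretRef: {name: keycloak-db}
```

With this chain no database password is committed to Git or written by hand into the cluster: Vault holds it, ESO copies it, and Reloader makes rotation take effect without a manual rollout.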

GitOps Workflow with Atlantis

This repository is configured for a GitOps workflow using Atlantis to automate Terraform operations. To contribute or modify the infrastructure, please follow this GitOps process:

  1. Fork the Repository: Start by forking the main repository containing your Kubert Security infrastructure code.
  2. Create a Feature Branch: Create a new branch in your forked repository for the changes you want to implement. For example, if you're adjusting resource limits, you might name your branch adjust-vault-resources.
    git checkout -b adjust-vault-resources
  3. Make Code Changes: Modify the Terraform configuration files within your feature branch to implement the desired changes (e.g., in vault/environments/prod/terragrunt.hcl or vault/infra/variables.tf).
  4. Commit and Push Changes: Commit your changes and push your feature branch to your forked repository.
    git add .
    git commit -m "Adjust Vault resource limits"
    git push origin adjust-vault-resources
  5. Create a Pull Request (PR): Open a pull request (PR) from your feature branch to the master branch of the main repository.
  6. Atlantis Plan: Atlantis, configured to monitor your repository, will automatically detect the new pull request. It will then execute terragrunt plan (or terraform plan if you're not using Terragrunt) for the relevant module based on the changed files in your PR. Atlantis will comment back on the PR with the plan output, showing you the proposed infrastructure changes.
  7. Review and Approve Plan: Review the Atlantis plan output in the pull request comments. Ensure that the planned changes are correct and as expected. If necessary, iterate on your code and push updates to your branch, which will trigger Atlantis to re-plan.
  8. Merge Pull Request: Once you are satisfied with the plan, and after any required approvals from your team, merge the pull request to the master branch.
  9. Atlantis Apply: Upon merging the pull request to master, Atlantis will automatically trigger terragrunt apply (or terraform apply) for the relevant module. Atlantis will again comment on the PR (now merged) with the apply output, confirming the infrastructure changes have been applied to your environment.
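An example Atlantis repo config (assumed, not the repository's own atlantis.yaml) wiring the workflow above to the vault module: it autoplans when vault/environments/prod/terragrunt.hcl or the vault/infra/*.tf files it sources change, and refuses to apply until the PR is approved and mergeable. The project name and the assumption that the environment directory sources ../../infra are mine.

```yaml
# Assumed layout: vault/environments/prod/terragrunt.hcl sources vault/infra/*.tf
version: 3
projects:
  - name: vault-prod
    dir: vault/environments/prod
    workflow: terragrunt
    autoplan:
      enabled: true
      # Plan when the environment config or the module it sources changes
      when_modified: ["*.hcl", "../../infra/*.tf"]
    # Apply only after review approval and once the branch is mergeable into master
    apply_requirements: [approved, mergeable]
workflows:
  terragrunt:
    plan:
      steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - run: terragrunt plan -input=false -out=$PLANFILE
    apply:
      steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - run: terragrunt apply -input=false $PLANFILE
```

Applying the saved $PLANFILE rather than re-planning guarantees that what was reviewed in the PR comment is exactly what reaches the cluster.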

Benefits of this GitOps Workflow:

  • Version Control: All infrastructure changes are tracked in Git, providing a complete history of modifications.
  • Collaboration and Review: Pull requests enable code review and collaboration before changes are applied to the infrastructure, reducing errors and improving consistency.
  • Automation: Atlantis automates the planning and applying of infrastructure changes, streamlining the deployment process and reducing manual effort.
  • Auditability: Every change is auditable through Git history and pull request logs, enhancing transparency and compliance.
  • Disaster Recovery and Rollback: Infrastructure can be easily rolled back to previous versions by reverting commits in Git, simplifying disaster recovery.

Developer Tools

For local development and testing, a Docker-based developer environment is provided. To enter the developer container:

make docker_run

This command starts a Docker container with all necessary tools (Terraform, Terragrunt, Kubectl, gcloud CLI, etc.) pre-installed and configured. Inside the container, you can:

  • Execute Terraform and Terragrunt commands (terragrunt plan, terragrunt apply).
  • Interact with your GKE cluster using kubectl.
  • Manage GCP resources using gcloud.
  • Generate documentation using make docker_generate_docs.

To authenticate with GCP from within the container, run:

gcloud auth application-default login --no-launch-browser --project <your-gcp-project-id>

Replace <your-gcp-project-id> with your actual GCP project ID.
