Merge pull request #91 from JoshVanL/eks-demo

Enable manifests apply to multiple arbitrary clusters

Author: jetstack-bot

demo/Makefile

@@ -37,6 +37,7 @@ terraform_apply: ## Applies terraform infrastructure
 	echo 'google_project = "$(GOOGLE_PROJECT)"' > infrastructure/$(CLOUD)/terraform.tfvars
 	echo 'ca_crt_file = "$(CA_CRT_FILE)"' >> infrastructure/$(CLOUD)/terraform.tfvars
 	echo 'ca_key_file = "$(CA_KEY_FILE)"' >> infrastructure/$(CLOUD)/terraform.tfvars
+	echo 'cloud = "$(CLOUD)"' >> infrastructure/$(CLOUD)/terraform.tfvars
 	cd infrastructure/$(CLOUD) && terraform init && terraform apply
 	cd infrastructure/$(CLOUD) && terraform output config > ../../manifests/$(CLOUD)-config.json
 	$(shell cd infrastructure/$(CLOUD) && terraform output kubeconfig_command)
@@ -53,7 +54,7 @@ manifests_apply: depend manifests/$(CLOUD)-config.json ## Use kubecfg to apply m
 	# apply all CRDs
 	$(BINDIR)/kubecfg $(EXT_VARS) show config.jsonnet --format json | sed 's#^---$$##' | jq 'select(.kind == "CustomResourceDefinition")' | kubectl apply -f -
 	# apply everything
-	$(BINDIR)/kubecfg $(EXT_VARS) show config.jsonnet | kubectl apply -f -
+	$(BINDIR)/kubecfg $(EXT_VARS) show config.jsonnet | kubectl apply -f - --validate=false
 
 .PHONY: manifests_validate
 manifests_validate: depend manifests/$(CLOUD)-config.json ## Use kubecfg to validate manifests

demo/config.dist.jsonnet

@@ -5,10 +5,30 @@ function(cloud='google') main {
   // this will only run the google cluster
   clouds: {
     google: main.clouds.google,
+    amazon: main.clouds.amazon,
+    digitalocean: main.clouds.digitalocean,
   },
   base_domain: '.kubernetes.example.net',
   cert_manager+: {
     letsencrypt_contact_email:: 'certificates@example.net',
+    solvers+: [
+      //{
+      //  http01: {
+      //    ingress: {},
+      //  },
+      //},
+      {
+        dns01: {
+          clouddns: {
+            project: $.config.cert_manager.project,
+            serviceAccountSecretRef: {
+              name: $.cert_manager.google_secret.metadata.name,
+              key: 'credentials.json',
+            },
+          },
+        },
+      },
+    ],
   },
   dex+: if $.master then {
     users: [

demo/infrastructure/amazon/outputs.tf

@@ -11,7 +11,7 @@ output "config" {
 }
 
 output "kubeconfig_command" {
-  value = "cp infrastructure/amazon/kubeconfig_cluster-${random_id.suffix.hex} $$KUBECONFIG"
+  value = "cp infrastructure/${var.cloud}/kubeconfig_cluster-${random_id.suffix.hex} $KUBECONFIG"
 }
 
 output "kubeconfig" {

demo/infrastructure/amazon/providers.tf

@@ -2,8 +2,12 @@ variable "aws_region" {
   default = "eu-west-1"
 }
 
+variable "cloud" {
+  default = "amazon"
+}
+
 variable "cluster_version" {
-  default = "1.12"
+  default = "1.14"
 }
 
 provider "aws" {

demo/infrastructure/modules/amazon-cluster/cluster.tf

@@ -5,36 +5,11 @@ data "aws_availability_zones" "available" {}
 
 locals {
   cluster_name    = "cluster-${var.suffix}"
-
-  worker_groups = [
-    {
-      instance_type        = "t2.large"
-      subnets              = "${join(",", module.vpc.private_subnets)}"
-      asg_desired_capacity = "2"
-    },
-  ]
-  tags = {
-    Workspace   = "${terraform.workspace}"
-  }
-  worker_groups_launch_template = [
-    {
-      # This will launch an autoscaling group with only Spot Fleet instances
-      instance_type                            = "t2.small"
-      additional_userdata                      = "echo foo bar"
-      subnets                                  = "${join(",", module.vpc.private_subnets)}"
-      additional_security_group_ids            = "${aws_security_group.worker_group_mgmt_one.id},${aws_security_group.worker_group_mgmt_two.id}"
-      override_instance_type                   = "t3.small"
-      asg_desired_capacity                     = "2"
-      spot_instance_pools                      = 10
-      on_demand_percentage_above_base_capacity = "0"
-    },
-  ]
 }
 
 resource "aws_security_group" "worker_group_mgmt_one" {
   name_prefix = "worker_group_mgmt_one"
-  description = "SG to be applied to all *nix machines"
-  vpc_id      = "${module.vpc.vpc_id}"
+  vpc_id      = module.vpc.vpc_id
 
   ingress {
     from_port = 22
@@ -49,7 +24,7 @@ resource "aws_security_group" "worker_group_mgmt_one" {
 
 resource "aws_security_group" "worker_group_mgmt_two" {
   name_prefix = "worker_group_mgmt_two"
-  vpc_id      = "${module.vpc.vpc_id}"
+  vpc_id      = module.vpc.vpc_id
 
   ingress {
     from_port = 22
@@ -64,7 +39,7 @@ resource "aws_security_group" "worker_group_mgmt_two" {
 
 resource "aws_security_group" "all_worker_mgmt" {
   name_prefix = "all_worker_management"
-  vpc_id      = "${module.vpc.vpc_id}"
+  vpc_id      = module.vpc.vpc_id
 
   ingress {
     from_port = 22
@@ -80,28 +55,63 @@ resource "aws_security_group" "all_worker_mgmt" {
 }
 
 module "vpc" {
-  source             = "terraform-aws-modules/vpc/aws"
-  version            = "1.60.0"
-  name               = "test-vpc"
-  cidr               = "10.0.0.0/16"
-  azs                = ["${data.aws_availability_zones.available.names[0]}", "${data.aws_availability_zones.available.names[1]}", "${data.aws_availability_zones.available.names[2]}"]
-  private_subnets    = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-  public_subnets     = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
-  enable_nat_gateway = true
-  single_nat_gateway = true
-  tags               = "${merge(local.tags, map("kubernetes.io/cluster/${local.cluster_name}", "shared"))}"
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "2.6.0"
+
+  name                 = "test-vpc"
+  cidr                 = "10.0.0.0/16"
+  azs                  = "${data.aws_availability_zones.available.names}"
+  private_subnets      = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets       = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
+  enable_dns_hostnames = true
+
+  tags = {
+    "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+  }
+
+  public_subnet_tags = {
+    "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+    "kubernetes.io/role/elb"                      = "1"
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+    "kubernetes.io/role/internal-elb"             = "1"
+  }
 }
 
 module "eks" {
-  source                               = "terraform-aws-modules/eks/aws"
-  cluster_name                         = "${local.cluster_name}"
-  cluster_version                      = "${var.cluster_version}"
-  subnets                              = ["${module.vpc.private_subnets}"]
-  tags                                 = "${local.tags}"
-  vpc_id                               = "${module.vpc.vpc_id}"
-  worker_groups                        = "${local.worker_groups}"
-  worker_groups_launch_template        = "${local.worker_groups_launch_template}"
-  worker_group_count                   = "1"
-  worker_group_launch_template_count   = "1"
+  #source       = "terraform-aws-modules/eks/aws"
+  source       = "git@github.com:terraform-aws-modules/terraform-aws-eks.git?ref=6c3e4ec510f658f53508623a6192df064e7a4786"
+  cluster_name = "${local.cluster_name}"
+  subnets      = "${module.vpc.private_subnets}"
+
+  tags = {
+    Environment = "test"
+    GithubRepo  = "terraform-aws-eks"
+    GithubOrg   = "terraform-aws-modules"
+  }
+
+  vpc_id = "${module.vpc.vpc_id}"
+
+  worker_groups = [
+    {
+      name                          = "worker-group-1"
+      instance_type                 = "t2.small"
+      additional_userdata           = "echo foo bar"
+      asg_desired_capacity          = 2
+      additional_security_group_ids = ["${aws_security_group.worker_group_mgmt_one.id}"]
+    },
+    {
+      name                          = "worker-group-2"
+      instance_type                 = "t2.medium"
+      additional_userdata           = "echo foo bar"
+      additional_security_group_ids = ["${aws_security_group.worker_group_mgmt_two.id}"]
+      asg_desired_capacity          = 1
+    },
+  ]
+
   worker_additional_security_group_ids = ["${aws_security_group.all_worker_mgmt.id}"]
 }

demo/manifests/components/cert-manager.jsonnet

@@ -1,30 +1,21 @@
-local upstream_cert_manager = import '../vendor/kube-prod-runtime/components/cert-manager.jsonnet';
 local kube = import '../vendor/kube-prod-runtime/lib/kube.libsonnet';
+local cert_manager_manifests = import './cert-manager/cert-manager.json';
 
 local CERT_MANAGER_IMAGE = '';
 
-local add_acme_spec(issuer, obj) =
-  if std.objectHas(issuer.spec, 'acme') then
-    obj {
-      spec+: {
-        acme: {
-          config: [{
-            dns01: {
-              provider: issuer.spec.acme.dns01.providers[0].name,
-            },
-            domains: obj.spec.dnsNames,
-          }],
-        },
-      },
-    }
-  else
-    obj;
-
-upstream_cert_manager {
+{
   ca_secret_name:: 'ca-key-pair',
 
+  p:: '',
+  metadata:: {
+    metadata+: {
+      namespace: 'kubeprod',
+    },
+  },
+  letsencrypt_contact_email:: error 'Letsencrypt contact e-mail is undefined',
+
   // create simple to use certificate resource
-  Certificate(namespace, name, issuer, domains):: add_acme_spec(issuer, kube._Object($.certCRD.spec.group + '/' + $.certCRD.spec.version, $.certCRD.spec.names.kind, name) + {
+  Certificate(namespace, name, issuer, solver, domains):: kube._Object($.certCRD.spec.group + '/' + $.certCRD.spec.version, $.certCRD.spec.names.kind, name) + {
     metadata+: {
       namespace: namespace,
       name: name,
@@ -37,7 +28,48 @@ upstream_cert_manager {
         kind: issuer.kind,
       },
     },
-  }),
+  },
+
+  // Letsencrypt environments
+  letsencrypt_environments:: {
+    prod: $.letsencryptProd.metadata.name,
+    staging: $.letsencryptStaging.metadata.name,
+  },
+  // Letsencrypt environment (defaults to the production one)
+  letsencrypt_environment:: 'prod',
+
+  Issuer(name):: kube._Object('certmanager.k8s.io/v1alpha1', 'Issuer', name) {
+  },
+
+  ClusterIssuer(name):: kube._Object('certmanager.k8s.io/v1alpha1', 'ClusterIssuer', name) {
+  },
+
+  certCRD: kube.CustomResourceDefinition('certmanager.k8s.io', 'v1alpha1', 'Certificate') {
+    spec+: { names+: { shortNames+: ['cert', 'certs'] } },
+  },
+
+  deploy: cert_manager_manifests,
+
+  letsencryptStaging: $.ClusterIssuer($.p + 'letsencrypt-staging') {
+    local this = self,
+    spec+: {
+      acme+: {
+        server: 'https://acme-staging-v02.api.letsencrypt.org/directory',
+        email: $.letsencrypt_contact_email,
+        privateKeySecretRef: { name: this.metadata.name },
+        http01: {},
+      },
+    },
+  },
+
+  letsencryptProd: $.letsencryptStaging {
+    metadata+: { name: $.p + 'letsencrypt-prod' },
+    spec+: {
+      acme+: {
+        server: 'https://acme-v02.api.letsencrypt.org/directory',
+      },
+    },
+  },
 
-  // TODO: use upstream images for cert-manager
+  solvers+:: [],
 }