diff --git a/.gitignore b/.gitignore index 92e9b68e..9e7b4cef 100644 --- a/.gitignore +++ b/.gitignore @@ -33,9 +33,10 @@ override.tf.json .terraformrc terraform.rc -test/helm-values - # IDE .idea/ -**/values.secret.yaml \ No newline at end of file +**/values.secret.yaml + +# Temporary files used during bootstrap +temp/ diff --git a/README.md b/README.md index 951cece2..33fb0712 100644 --- a/README.md +++ b/README.md @@ -22,11 +22,9 @@ Our defaults are meant to be tweaked, feel free to reference the documentation o A plural installation repo will have a folder structure like this: ``` -helm-values/ # git-crypted helm values to be used to bootstrap your setup. Avoid editing unless necessary +helm/ # helm values files - ${app}.yaml # value overrides - ${app}-defaults.yaml # default values we generate on install - -helm/ # helm values files that are meant to be user-editable, used for setup of many common components - *.yaml{.liquid} # `.liquid` extension signifies the helm values file can be templated bootstrap/ # setup for apps within your cluster fleet, this is the root service-of-services that bootstraps everything recursively @@ -40,6 +38,8 @@ terraform/ - - clusters - - - {cloud} # we've crafted some reusable modules for setting up clusters on most major clouds, feel free to use these in stacks or wherever - ${app}/ - submodule for individual app's terraform + +temp/ # a temp folder used during bootstrap that is gitignored ``` You're free to extend this as you'd like, although if you use the plural marketplace that structure will be expected. You can also deploy services w/ manifests in other repos, this is meant to serve as a base to define the core infrastructure and get you started in a sane way. @@ -113,7 +113,7 @@ spec: namespace: infra git: ref: main - folder: helm-values # or wherever else you want to store the helm values + folder: helm # or wherever else you want to store the helm values helm: version: 6.31.4 chart: externaldns 
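Review bot: Only `temp/` is added to the ignore list, while the new `templates/setup/config-secrets.tf` opens with `# This file should not be commited to repository.` and renders `{{ .Config.Token }}` and `{{ .Acme.HmacKey }}` as plain HCL string literals, so keeping the rendered copy out of git rests on operator discipline alone. If the rendered file lands at a fixed path, add an ignore entry for it next to `temp/` (the destination is not visible in this diff, so use whatever path the CLI writes to, e.g. `<rendered-dir>/config-secrets.tf`). Note also that `helm-values/`, which the old README line described as git-crypted, is replaced by the gitignored `temp/helm` only for the generated `console.yaml`/`runtime.yaml`, while `helm/certmanager.yaml` and `helm/flux.yaml` are now read by `local_sensitive_file` from the committed `helm/` tree; confirm those carry no secrets or keep them under git-crypt.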
diff --git a/charts/runtime/values.yaml.liquid.tpl b/charts/runtime/values.yaml.liquid.tpl
new file mode 100644
index 00000000..eda1b7ca
--- /dev/null
+++ b/charts/runtime/values.yaml.liquid.tpl
@@ -0,0 +1,78 @@
+ownerEmail: {{ "{{ configuration.ownerEmail }}" }}
+
+{{ if not .Cloud }}
+external-dns:
+ extraArgs:
+ plural-cluster: {{ .Cluster }}
+ plural-provider: {{ .Provider }}
+ domainFilters:
+ - {{ .Subdomain }}
+
+dnsSolver:
+ webhook:
+ groupName: acme.plural.sh
+ solverName: plural-solver
+ config:
+ cluster: {{ .Cluster }}
+ provider: {{ .Provider }}
+
+pluralToken: {{ "{{ configuration.pluralToken }}" }}
+
+acmeEAB:
+ kid: {{ "{{ configuration.acmeEABKid }}" }}
+ secret: {{ "{{ configuration.acmeEABSecret }}" }}
+{{ end }}
+
+{{ if .Cloud }}
+external-dns:
+ enabled: false
+
+plural-certmanager-webhook:
+ enabled: false
+
+operator:
+ enabled: false
+
+application:
+ enabled: false
+
+plural:
+ enabled: false
+
+ingress-nginx:
+ enabled: false
+ingress-nginx-private:
+ enabled: false
+{{ end }}
+
+{{ if and (eq .Provider "aws") (not .Cloud) }}
+ingress-nginx:
+ controller:
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+ service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+ service.beta.kubernetes.io/aws-load-balancer-type: external
+ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+ service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+ service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+ config:
+ compute-full-forwarded-for: 'true'
+ use-forwarded-headers: 'true'
+ use-proxy-protocol: 'true'
+ingress-nginx-private:
+ controller:
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+ service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+ service.beta.kubernetes.io/aws-load-balancer-type: external
+ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+ service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+ 
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' + config: + compute-full-forwarded-for: 'true' + use-forwarded-headers: 'true' + use-proxy-protocol: 'true' +{{ end }} \ No newline at end of file diff --git a/charts/runtime/values.yaml.tpl b/charts/runtime/values.yaml.tpl index 0c9c9927..bca045b7 100644 --- a/charts/runtime/values.yaml.tpl +++ b/charts/runtime/values.yaml.tpl @@ -1,3 +1,5 @@ +ownerEmail: {{ .Config.Email }} + {{ if not .Cloud }} external-dns: extraArgs: @@ -14,7 +16,6 @@ dnsSolver: cluster: {{ .Cluster }} provider: {{ .Provider }} -ownerEmail: {{ .Config.Email }} pluralToken: {{ .Config.Token }} acmeEAB: @@ -23,10 +24,6 @@ acmeEAB: {{ end }} {{ if .Cloud }} - -ownerEmail: {{ .Config.Email }} - - external-dns: enabled: false diff --git a/helm/runtime.yaml b/helm/runtime.yaml deleted file mode 100644 index 2c48e706..00000000 --- a/helm/runtime.yaml +++ /dev/null 
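Review bot: `pluralToken: {{ "{{ configuration.pluralToken }}" }}` and the two `acmeEAB` entries emit the secret value into YAML as an unquoted scalar, so a value containing `:`, ` #` or a leading indicator character would change or break the parse; wrapping the liquid expression in quotes, `pluralToken: "{{ "{{ configuration.pluralToken }}" }}"`, keeps the scalar intact (assuming the values contain no `"` or `\`, which a token or base64url HMAC key normally do not). The deleted `helm/runtime.yaml` also carried the commented hints for the external-dns service-account annotations (cloud IAM role / workload identity) and `txtOwnerId`; the new template sets none of those, so AWS/Azure users lose that pointer unless the chart defaults cover it, which is worth a comment in the template or the README. The file also ends without a trailing newline.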
@@ -1,74 +0,0 @@ -cert-manager: - enabled: false - -ownerEmail: notifications@plural.sh # change this to whatever email you want to receive cert notifs - -plural: - enabled: false - -operator: - enabled: false - -flux2: - enabled: false - -flux: - enabled: false - -external-dns: - enabled: true - serviceAccount: - name: externaldns - annotations: - plural.sh/dummy: ignore - # eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT-ID:role/plrl-console-eks-certmanager-extdns" # uncomment and update for aws - # azure.workload.identity/client-id: XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX # uncomment and update for azure - - podLabels: - azure.workload.identity/use: "true" - - txtOwnerId: plrl - - provider: azure # <- change to the provider you actually wish to use - - domainFilters: - - az.plural.sh # <- you need to change this - -# For azure -# azure: -# useWorkloadIdentityExtension: true -# resourceGroup: -# tenantId: -# subscriptionId: - -# For aws -# ingress-nginx: -# controller: -# service: -# annotations: -# service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing -# service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp -# service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' -# service.beta.kubernetes.io/aws-load-balancer-type: external -# service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip -# service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" -# service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' -# config: -# compute-full-forwarded-for: 'true' -# use-forwarded-headers: 'true' -# use-proxy-protocol: 'true' - -# ingress-nginx-private: -# controller: -# service: -# annotations: -# service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp -# service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' -# service.beta.kubernetes.io/aws-load-balancer-type: external -# service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip -# 
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" -# service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' -# config: -# compute-full-forwarded-for: 'true' -# use-forwarded-headers: 'true' -# use-proxy-protocol: 'true' \ No newline at end of file diff --git a/setup/cert-manager.yaml b/setup/cert-manager.yaml index 4eef912f..15543311 100644 --- a/setup/cert-manager.yaml +++ b/setup/cert-manager.yaml @@ -6,7 +6,7 @@ metadata: spec: namespace: cert-manager git: - folder: helm-values + folder: helm ref: [[ or .Context.Branch "main" ]] repositoryRef: kind: GitRepository diff --git a/setup/console.yaml b/setup/console.yaml index 8ef0ce14..073ed074 100644 --- a/setup/console.yaml +++ b/setup/console.yaml @@ -6,18 +6,21 @@ metadata: spec: namespace: plrl-console git: - folder: helm-values + folder: helm ref: [[ or .Context.Branch "main" ]] repositoryRef: kind: GitRepository name: infra namespace: infra + configurationRef: + name: console-config + namespace: infra helm: version: "0.x.x" chart: console url: https://pluralsh.github.io/console valuesFiles: - - console.yaml + - console.yaml.liquid clusterRef: kind: Cluster name: mgmt diff --git a/setup/runtime.yaml b/setup/runtime.yaml index 2cadac6f..f2faaff1 100644 --- a/setup/runtime.yaml +++ b/setup/runtime.yaml @@ -6,18 +6,21 @@ metadata: spec: namespace: plural-runtime git: - folder: helm-values + folder: helm ref: [[ or .Context.Branch "main" ]] repositoryRef: kind: GitRepository name: infra namespace: infra + configurationRef: + name: runtime-config + namespace: infra helm: version: "0.x.x" chart: runtime url: https://pluralsh.github.io/bootstrap valuesFiles: - - runtime.yaml + - runtime.yaml.liquid clusterRef: kind: Cluster name: mgmt diff --git a/templates/setup/config-secrets.tf b/templates/setup/config-secrets.tf new file mode 100644 index 00000000..2b7407ae --- /dev/null +++ b/templates/setup/config-secrets.tf 
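Review bot: `valuesFiles` now points at `console.yaml.liquid`, but no `helm/console.yaml.liquid` is added or generated anywhere in this diff, and `console.yaml` is still what `null_resource.console` writes (into `temp/helm`, which is gitignored), so unless the liquid file is produced by another step the service will reference a values file that does not exist under `helm/`. The same applies to `runtime.yaml.liquid` in the `setup/runtime.yaml` hunk, where `charts/runtime/values.yaml.liquid.tpl` is the likely source but the rendering step is not visible here. The `configurationRef` secrets `console-config` and `runtime-config` are created by Terraform in the `infra` namespace, so a comment next to `configurationRef` would help, e.g. `# populated by templates/setup/config-secrets.tf during bootstrap; must exist before this service syncs`.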
@@ -0,0 +1,69 @@
+# This file should not be commited to repository.
+
+locals {
+ console_values = yamldecode(data.local_sensitive_file.console.content)
+}
+
+resource "kubernetes_namespace" "infra" {
+ metadata {
+ name = "infra"
+ }
+
+ depends_on = [module.mgmt.cluster, module.mgmt.ready]
+}
+
+resource "kubernetes_secret" "console_config" {
+ metadata {
+ name = "console-config"
+ namespace = kubernetes_namespace.infra.metadata[0].name
+ }
+
+ type = "Opaque"
+
+ data = {
+ consoleDns = tostring(try(local.console_values.ingress.console_dns, ""))
+ kasDns = tostring(try(local.console_values.ingress.kas_dns, ""))
+
+ clusterIssuer = "plural"
+
+ provider = tostring(try(local.console_values.provider, ""))
+
+ jwt = tostring(try(local.console_values.secrets.jwt, ""))
+ erlang = tostring(try(local.console_values.secrets.erlang, ""))
+ aesKey = tostring(try(local.console_values.secrets.aes_key, ""))
+ key = tostring(try(local.console_values.secrets.key, ""))
+ identity = tostring(try(local.console_values.secrets.identity, ""))
+ pluralClientId = tostring(try(local.console_values.secrets.plural_client_id, ""))
+ pluralClientSecret = tostring(try(local.console_values.secrets.plural_client_secret, ""))
+ adminName = tostring(try(local.console_values.secrets.admin_name, ""))
+ adminEmail = tostring(try(local.console_values.secrets.admin_email, ""))
+ adminPassword = tostring(try(local.console_values.secrets.admin_password, ""))
+ clusterName = tostring(try(local.console_values.secrets.cluster_name, ""))
+
+ pluralToken = tostring(try(local.console_values.extraSecretEnv.PLURAL_TOKEN, ""))
+ kasApi = tostring(try(local.console_values.extraSecretEnv.KAS_API_SECRET, ""))
+ kasPrivateApi = tostring(try(local.console_values.extraSecretEnv.KAS_PRIVATE_API_SECRET, ""))
+ kasRedis = tostring(try(local.console_values.extraSecretEnv.KAS_REDIS_SECRET, ""))
+ postgresUrl = tostring(try(local.console_values.extraSecretEnv.POSTGRES_URL, ""))
+ }
+
+ depends_on = 
[kubernetes_namespace.infra, module.mgmt.cluster, module.mgmt.ready] +} + +resource "kubernetes_secret" "runtime_config" { + metadata { + name = "runtime-config" + namespace = kubernetes_namespace.infra.metadata[0].name + } + + type = "Opaque" + + data = { + ownerEmail = "{{ .Config.Email }}" + pluralToken = "{{ .Config.Token }}" + acmeEABKid = "{{ .Acme.KeyId }}" + acmeEABSecret = "{{ .Acme.HmacKey }}" + } + + depends_on = [kubernetes_namespace.infra, module.mgmt.cluster, module.mgmt.ready] +} diff --git a/templates/setup/console.tf b/templates/setup/console.tf index 5d7094dc..49a1a0d1 100644 --- a/templates/setup/console.tf +++ b/templates/setup/console.tf @@ -2,24 +2,24 @@ resource "null_resource" "console" { provisioner "local-exec" { command = "plural cd control-plane-values --name {{ .Cluster }} --dsn \"${module.mgmt.db_url}\" --domain {{ .Subdomain }} --file console.yaml" - working_dir = "${path.module}/../../helm-values" + working_dir = "${path.module}/../../temp/helm" } } data "local_sensitive_file" "certmanager" { - filename = "${path.module}/../../helm-values/certmanager.yaml" + filename = "${path.module}/../../helm/certmanager.yaml" } data "local_sensitive_file" "flux" { - filename = "${path.module}/../../helm-values/flux.yaml" + filename = "${path.module}/../../helm/flux.yaml" } data "local_sensitive_file" "runtime" { - filename = "${path.module}/../../helm-values/runtime.yaml" + filename = "${path.module}/../../temp/helm/runtime.yaml" } data "local_sensitive_file" "console" { - filename = "${path.module}/../../helm-values/console.yaml" + filename = "${path.module}/../../temp/helm/console.yaml" depends_on = [null_resource.console] } @@ -76,7 +76,7 @@ resource "helm_release" "console" { namespace = "plrl-console" chart = "console" repository = "https://pluralsh.github.io/console" - version = "0.3.125" + version = "0.3.139" create_namespace = true timeout = 600 wait = true
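Review bot: Every console secret is read as `tostring(try(local.console_values.secrets.<key>, ""))`, so a missing or misspelled key in `console.yaml` silently yields an empty `jwt`, `erlang`, `aesKey`, `key` or `adminPassword` in the `console-config` Secret instead of failing the plan; for the values the console cannot run without, drop the `try()` default or add a `precondition` so a broken values file fails at `terraform plan`. `runtime_config` embeds `{{ .Config.Token }}` and `{{ .Acme.HmacKey }}` as string literals, and every `kubernetes_secret.data` value is also persisted in Terraform state, so both the rendered file and the state backend hold these credentials in plaintext; the header comment should say so, e.g. `# Rendered copy holds the Plural token and ACME EAB key in plaintext: keep it and the Terraform state out of git.` (and fix the typo `commited`). `clusterIssuer = "plural"` is the only hard-coded entry in `console_config`; a one-line comment on why it is constant would help the next reader.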
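Review bot: `data "local_sensitive_file" "runtime"` now reads `temp/helm/runtime.yaml`, but nothing in this diff writes that file (the committed `helm/runtime.yaml` is deleted and the new template is `values.yaml.liquid.tpl`), and `null_resource.console` switches `working_dir` to `temp/helm` without anything visible creating that directory first, which makes a `local-exec` provisioner fail. If another bootstrap step populates `temp/helm`, add a comment on the data source, e.g. `# written by the plural CLI into the gitignored temp/ dir before terraform runs`; otherwise add a `depends_on` to whatever resource creates it. The enclosing `null_resource "console"` block starts in the hunk header context, and the `@@ -76` hunk is only the chart version bump.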