feat: Refactor plural up to no longer use git crypt

.gitignore

@@ -33,9 +33,10 @@ override.tf.json
 .terraformrc
 terraform.rc
 
-test/helm-values
-
 # IDE
 .idea/
 
-**/values.secret.yaml
+**/values.secret.yaml
+
+# Temporary files used during bootstrap
+temp/

README.md

@@ -22,11 +22,9 @@ Our defaults are meant to be tweaked, feel free to reference the documentation o
 A plural installation repo will have a folder structure like this:
 
 ```
-helm-values/ # git-crypted helm values to be used to bootstrap your setup.  Avoid editing unless necessary
+helm/ # helm values files
 - ${app}.yaml # value overrides
 - ${app}-defaults.yaml # default values we generate on install
-
-helm/ # helm values files that are meant to be user-editable, used for setup of many common components
 - *.yaml{.liquid} # `.liquid` extension signifies the helm values file can be templated
 
 bootstrap/ # setup for apps within your cluster fleet, this is the root service-of-services that bootstraps everything recursively
@@ -40,6 +38,8 @@ terraform/
   - - clusters
   - - - {cloud} # we've crafted some reusable modules for setting up clusters on most major clouds, feel free to use these in stacks or wherever
   - ${app}/ - submodule for individual app's terraform
+
+temp/ # a temp folder used during bootstrap that is gitignored
 ```
 
 You're free to extend this as you'd like, although if you use the plural marketplace that structure will be expected.  You can also deploy services w/ manifests in other repos, this is meant to serve as a base to define the core infrastructure and get you started in a sane way.
@@ -113,7 +113,7 @@ spec:
       namespace: infra
     git:
       ref: main
-      folder: helm-values # or wherever else you want to store the helm values
+      folder: helm # or wherever else you want to store the helm values
     helm:
       version: 6.31.4
       chart: externaldns

charts/runtime/values.yaml.liquid.tpl

@@ -0,0 +1,78 @@
+ownerEmail: {{ "{{ configuration.ownerEmail }}" }}
+
+{{ if not .Cloud }}
+external-dns:
+  extraArgs:
+    plural-cluster: {{ .Cluster }}
+    plural-provider: {{ .Provider }}
+  domainFilters:
+  - {{ .Subdomain }}
+
+dnsSolver: 
+  webhook:
+    groupName: acme.plural.sh
+    solverName: plural-solver
+    config:
+      cluster: {{ .Cluster }}
+      provider: {{ .Provider }}
+
+pluralToken: {{ "{{ configuration.pluralToken }}" }}
+
+acmeEAB:
+  kid: {{ "{{ configuration.acmeEABKid }}" }}
+  secret: {{ "{{ configuration.acmeEABSecret }}" }}
+{{ end }}
+
+{{ if .Cloud }}
+external-dns:
+  enabled: false
+
+plural-certmanager-webhook:
+  enabled: false
+
+operator:
+  enabled: false
+
+application:
+  enabled: false
+
+plural:
+  enabled: false
+
+ingress-nginx:
+  enabled: false
+ingress-nginx-private:
+  enabled: false
+{{ end }}
+
+{{ if and (eq .Provider "aws") (not .Cloud) }}
+ingress-nginx:
+  controller:
+    service:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+        service.beta.kubernetes.io/aws-load-balancer-type: external
+        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+    config:
+      compute-full-forwarded-for: 'true'
+      use-forwarded-headers: 'true'
+      use-proxy-protocol: 'true'
+ingress-nginx-private:
+  controller:
+    service:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+        service.beta.kubernetes.io/aws-load-balancer-type: external
+        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+    config:
+      compute-full-forwarded-for: 'true'
+      use-forwarded-headers: 'true'
+      use-proxy-protocol: 'true'
+{{ end }}

charts/runtime/values.yaml.tpl

@@ -1,3 +1,5 @@
+ownerEmail: {{ .Config.Email }}
+
 {{ if not .Cloud }}
 external-dns:
   extraArgs:
@@ -14,7 +16,6 @@ dnsSolver:
       cluster: {{ .Cluster }}
       provider: {{ .Provider }}
 
-ownerEmail: {{ .Config.Email }}
 pluralToken: {{ .Config.Token }}
 
 acmeEAB:
@@ -23,10 +24,6 @@ acmeEAB:
 {{ end }}
 
 {{ if .Cloud }}
-
-ownerEmail: {{ .Config.Email }}
-
-
 external-dns:
   enabled: false
 

setup/cert-manager.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   namespace: cert-manager
   git:
-    folder: helm-values
+    folder: helm
     ref: [[ or .Context.Branch "main" ]]
   repositoryRef:
     kind: GitRepository

setup/console.yaml

@@ -6,18 +6,21 @@ metadata:
 spec:
   namespace: plrl-console
   git:
-    folder: helm-values
+    folder: helm
     ref: [[ or .Context.Branch "main" ]]
   repositoryRef:
     kind: GitRepository
     name: infra
     namespace: infra
+  configurationRef:
+    name: console-config
+    namespace: infra
   helm:
     version: "0.x.x"
     chart: console
     url: https://pluralsh.github.io/console
     valuesFiles:
-    - console.yaml
+    - console.yaml.liquid
   clusterRef:
     kind: Cluster
     name: mgmt

setup/runtime.yaml

@@ -6,18 +6,21 @@ metadata:
 spec:
   namespace: plural-runtime
   git:
-    folder: helm-values
+    folder: helm
     ref: [[ or .Context.Branch "main" ]]
   repositoryRef:
     kind: GitRepository
     name: infra
     namespace: infra
+  configurationRef:
+    name: runtime-config
+    namespace: infra
   helm:
     version: "0.x.x"
     chart: runtime
     url: https://pluralsh.github.io/bootstrap
     valuesFiles:
-    - runtime.yaml
+    - runtime.yaml.liquid
   clusterRef:
     kind: Cluster
     name: mgmt

templates/setup/config-secrets.tf

@@ -0,0 +1,69 @@
+# This file should not be commited to repository.
+
+locals {
+  console_values = yamldecode(data.local_sensitive_file.console.content)
+}
+
+resource "kubernetes_namespace" "infra" {
+  metadata {
+    name = "infra"
+  }
+
+  depends_on = [module.mgmt.cluster, module.mgmt.ready]
+}
+
+resource "kubernetes_secret" "console_config" {
+  metadata {
+    name      = "console-config"
+    namespace = kubernetes_namespace.infra.metadata[0].name
+  }
+
+  type = "Opaque"
+
+  data = {
+    consoleDns = tostring(try(local.console_values.ingress.console_dns, ""))
+    kasDns     = tostring(try(local.console_values.ingress.kas_dns, ""))
+
+    clusterIssuer = "plural"
+
+    provider = tostring(try(local.console_values.provider, ""))
+
+    jwt                = tostring(try(local.console_values.secrets.jwt, ""))
+    erlang             = tostring(try(local.console_values.secrets.erlang, ""))
+    aesKey             = tostring(try(local.console_values.secrets.aes_key, ""))
+    key                = tostring(try(local.console_values.secrets.key, ""))
+    identity           = tostring(try(local.console_values.secrets.identity, ""))
+    pluralClientId     = tostring(try(local.console_values.secrets.plural_client_id, ""))
+    pluralClientSecret = tostring(try(local.console_values.secrets.plural_client_secret, ""))
+    adminName          = tostring(try(local.console_values.secrets.admin_name, ""))
+    adminEmail         = tostring(try(local.console_values.secrets.admin_email, ""))
+    adminPassword      = tostring(try(local.console_values.secrets.admin_password, ""))
+    clusterName        = tostring(try(local.console_values.secrets.cluster_name, ""))
+
+    pluralToken   = tostring(try(local.console_values.extraSecretEnv.PLURAL_TOKEN, ""))
+    kasApi        = tostring(try(local.console_values.extraSecretEnv.KAS_API_SECRET, ""))
+    kasPrivateApi = tostring(try(local.console_values.extraSecretEnv.KAS_PRIVATE_API_SECRET, ""))
+    kasRedis      = tostring(try(local.console_values.extraSecretEnv.KAS_REDIS_SECRET, ""))
+    postgresUrl   = tostring(try(local.console_values.extraSecretEnv.POSTGRES_URL, ""))
+  }
+
+  depends_on = [kubernetes_namespace.infra, module.mgmt.cluster, module.mgmt.ready]
+}
+
+resource "kubernetes_secret" "runtime_config" {
+  metadata {
+    name      = "runtime-config"
+    namespace = kubernetes_namespace.infra.metadata[0].name
+  }
+
+  type = "Opaque"
+
+  data = {
+    ownerEmail    = "{{ .Config.Email }}"
+    pluralToken   = "{{ .Config.Token }}"
+    acmeEABKid    = "{{ .Acme.KeyId }}"
+    acmeEABSecret = "{{ .Acme.HmacKey }}"
+  }
+
+  depends_on = [kubernetes_namespace.infra, module.mgmt.cluster, module.mgmt.ready]
+}

templates/setup/console.tf

@@ -2,24 +2,24 @@
 resource "null_resource" "console" {
   provisioner "local-exec" {
     command     = "plural cd control-plane-values --name {{ .Cluster }} --dsn \"${module.mgmt.db_url}\" --domain {{ .Subdomain }} --file console.yaml"
-    working_dir = "${path.module}/../../helm-values"
+    working_dir = "${path.module}/../../temp/helm"
   }
 }
 
 data "local_sensitive_file" "certmanager" {
-  filename = "${path.module}/../../helm-values/certmanager.yaml"
+  filename = "${path.module}/../../helm/certmanager.yaml"
 }
 
 data "local_sensitive_file" "flux" {
-  filename = "${path.module}/../../helm-values/flux.yaml"
+  filename = "${path.module}/../../helm/flux.yaml"
 }
 
 data "local_sensitive_file" "runtime" {
-  filename = "${path.module}/../../helm-values/runtime.yaml"
+  filename = "${path.module}/../../temp/helm/runtime.yaml"
 }
 
 data "local_sensitive_file" "console" {
-  filename   = "${path.module}/../../helm-values/console.yaml"
+  filename   = "${path.module}/../../temp/helm/console.yaml"
   depends_on = [null_resource.console]
 }
 
@@ -76,7 +76,7 @@ resource "helm_release" "console" {
   namespace        = "plrl-console"
   chart            = "console"
   repository       = "https://pluralsh.github.io/console"
-  version          = "0.3.125"
+  version          = "0.3.139"
   create_namespace = true
   timeout          = 600
   wait             = true