initial push

kuptan · Jul 9, 2021 · c189261 · c189261
commit c189261
Show file tree

Hide file tree

Showing 13 changed files with 1,225 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,25 @@
+bin/*
+**/*.tfstate*
+**/*.tfstate.backup
+**/.terraform/*
+**/.terraform.lock.*
+**/*.test.tfvars
+
+.DS_Store
+builds/*
+crash.log
+.idea
+*.iml
+*.exe
+*.ovpn
+debug.test
+linux-amd64/*
+temp/*
+.env
+kubeconfig_*
+
+**/config/generated/*
+**/config/demo.yaml
+**/config/lab.yaml
+
+known_hosts
diff --git a/LICENSE b/LICENSE
diff --git a/README.md b/README.md
@@ -0,0 +1,12 @@
+# Terraform K8s ArgoCD Bootstrap
+A terraform module that will bootstrap a Kubernetes cluster with ArgoCD and Sealed Secrets.
+
+## Usage
+Below are few examples on how to use this module
+
+
+## Module Info
+See the module info here [here](./TERRAFORM.md)
+
+## Contributing
+See contributing docs [here](./docs/CONTRIBUTING.md)
diff --git a/TERRAFORM.md b/TERRAFORM.md
@@ -0,0 +1,59 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| kubernetes | >= 1.13.3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+| helm | n/a |
+| kubernetes | >= 1.13.3 |
+| template | n/a |
+| tls | n/a |
+
+## Modules
+
+No Modules.
+
+## Resources
+
+| Name |
+|------|
+| [aws_eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) |
+| [aws_eks_cluster_auth](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) |
+| [helm_release](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) |
+| [kubernetes_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) |
+| [kubernetes_secret](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) |
+| [template_file](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) |
+| [tls_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) |
+| [tls_self_signed_cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| argocd\_git\_repo\_url | The ArgoCD git config | `string` | n/a | yes |
+| target\_cluster\_name | The cluster name where the ArgoCD will be installed | `string` | n/a | yes |
+| argocd\_additional\_applications | Additional applications to be added to ArgoCD | `list(any)` | `[]` | no |
+| argocd\_additional\_projects | Additional projeccts to be added to ArgoCD | `list(any)` | `[]` | no |
+| argocd\_chart\_version | The ArgoCD chart version | `string` | `"3.7.1"` | no |
+| argocd\_image\_tag | The image tag for the ArgoCD image | `string` | `"v2.0.4"` | no |
+| managed\_clusters\_names | A list of clusters that will be managed by ArgoCD | `list(string)` | `[]` | no |
+| namespace | The namespace name that will be created for argo and sealed secret | `string` | `"argo-system"` | no |
+| namespace\_labels | labels to be added to the namespace | `map(string)` | `{}` | no |
+| sealed\_secrets\_chart | The chart version and docker image version. | <pre>object({<br>    repository : string<br>    chart_version : string<br>    docker_image_tag : string<br>  })</pre> | <pre>{<br>  "chart_version": "1.16.1",<br>  "docker_image_tag": "v0.16.0",<br>  "repository": "https://bitnami-labs.github.io/sealed-secrets"<br>}</pre> | no |
+| sealed\_secrets\_chart\_values | A list of values.yaml files to be added to the chart installation. | `list(string)` | `[]` | no |
+| sealed\_secrets\_chart\_values\_overrides | A map of key/value to override the chart values. The key must be the path/name of the chart value, e.g: `path.to.chart.key` | `map(string)` | `{}` | no |
+| sealed\_secrets\_key\_cert | The key/cert config for sealed secrets. If `auto_generate_key_cert` is false and no custom key/cert is provided, no custom key/cert will be generated | <pre>object({<br>    auto_generate_key_cert : bool,<br>    private_key : string<br>    private_cert : string<br>  })</pre> | <pre>{<br>  "auto_generate_key_cert": true,<br>  "private_cert": "",<br>  "private_key": ""<br>}</pre> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| argocd\_git\_private\_key | n/a |
+| argocd\_git\_public\_key | n/a |
+| sealed\_secrets\_generated\_cert | n/a |
+| sealed\_secrets\_generated\_private\_key | n/a |
diff --git a/argo.tf b/argo.tf
@@ -0,0 +1,89 @@
+locals {
+  cluster_credentials = {
+    configs = {
+      clusterCredentials = [
+        for c in var.managed_clusters_names : {
+          name       = c
+          server     = data.aws_eks_cluster.creds[c].endpoint
+          namespaces = "default,argo-system"
+          config = {
+            bearerToken = data.aws_eks_cluster_auth.creds[c].token
+            tlsClientConfig = {
+              insecure = false
+              caData   = data.aws_eks_cluster.creds[c].certificate_authority.0.data
+            }
+          }
+        }
+      ]
+    }
+  }
+
+  argocd_config = {
+    server = {
+      additionalApplications = var.argocd_additional_applications
+      additionalProjects     = var.argocd_additional_projects
+    }
+  }
+
+  gitSSHSecretKey = "sshPrivateKey"
+}
+
+data "aws_eks_cluster" "creds" {
+  for_each = toset(var.managed_clusters_names)
+
+  name = each.value
+}
+
+data "aws_eks_cluster_auth" "creds" {
+  for_each = toset(var.managed_clusters_names)
+
+  name = each.value
+}
+
+data "template_file" "git" {
+  template = file("${path.module}/templates/git-config.tmpl")
+  vars = {
+    GIT_URL     = var.argocd_git_repo_url
+    SECRET_NAME = kubernetes_secret.git.metadata.0.name
+    SECRET_KEY  = local.gitSSHSecretKey
+  }
+}
+
+resource "tls_private_key" "git" {
+  algorithm = "RSA"
+  rsa_bits  = "4096"
+}
+
+resource "kubernetes_secret" "git" {
+  metadata {
+    name      = "argocd-git-ssh-credentials"
+    namespace = kubernetes_namespace.argo.metadata.0.name
+    labels    = {}
+  }
+
+  data = {
+    "${local.gitSSHSecretKey}" = tls_private_key.git.private_key_pem
+  }
+
+  type = "Opaque"
+}
+
+resource "helm_release" "argo" {
+  name      = "argo-cd"
+  namespace = kubernetes_namespace.argo.metadata.0.name
+
+  repository = "https://argoproj.github.io/argo-helm"
+  chart      = "argo-cd"
+  version    = var.argocd_chart_version
+
+  values = [
+    yamlencode(local.cluster_credentials),
+    yamlencode(local.argocd_config),
+    data.template_file.git.rendered
+  ]
+
+  set {
+    name  = "global.image.tag"
+    value = var.argocd_image_tag
+  }
+}
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
@@ -0,0 +1,72 @@
+# Contributing
+This project accepts contributions via GitHub pull requests. This document outlines the process to help get your contribution accepted
+
+## Sign Your Work
+
+The sign-off is a simple line at the end of the explanation for a commit. All
+commits needs to be signed. Your signature certifies that you wrote the patch or
+otherwise have the right to contribute the material. The rules are pretty simple,
+if you can certify the below (from [developercertificate.org](http://developercertificate.org/)):
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+1 Letterman Drive
+Suite D4700
+San Francisco, CA, 94129
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+Then you just add a line to every git commit message:
+
+    Signed-off-by: Joe Smith <joe.smith@example.com>
+
+Use your real name (sorry, no pseudonyms or anonymous contributions.)
+
+If you set your `user.name` and `user.email` git configs, you can sign your
+commit automatically with `git commit -s`.
+
+Note: If your git config information is set properly then viewing the
+ `git log` information for your commit will look something like this:
+
+```
+Author: Joe Smith <joe.smith@example.com>
+Date:   Thu Feb 2 11:41:15 2018 -0800
+
+    Update README
+
+    Signed-off-by: Joe Smith <joe.smith@example.com>
+```
+
+Notice the `Author` and `Signed-off-by` lines match. If they don't
+your PR will be rejected by the automated DCO check.
diff --git a/main.tf b/main.tf
@@ -0,0 +1,34 @@
+data "aws_eks_cluster" "target" {
+  name = var.target_cluster_name
+}
+
+data "aws_eks_cluster_auth" "target" {
+  name = var.target_cluster_name
+}
+
+provider "helm" {
+  kubernetes {
+    host                   = data.aws_eks_cluster.target.endpoint
+    cluster_ca_certificate = base64decode(data.aws_eks_cluster.target.certificate_authority.0.data)
+    token                  = data.aws_eks_cluster_auth.target.token
+  }
+}
+
+provider "kubernetes" {
+  host                   = data.aws_eks_cluster.target.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.target.certificate_authority.0.data)
+  token                  = data.aws_eks_cluster_auth.target.token
+}
+
+resource "kubernetes_namespace" "argo" {
+  metadata {
+    name   = var.namespace
+    labels = var.namespace_labels
+  }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].labels,
+    ]
+  }
+}
diff --git a/output.tf b/output.tf
@@ -0,0 +1,18 @@
+output "argocd_git_public_key" {
+  value = tls_private_key.git.public_key_openssh
+}
+
+output "argocd_git_private_key" {
+  sensitive = true
+  value     = tls_private_key.git.private_key_pem
+}
+
+output "sealed_secrets_generated_private_key" {
+  sensitive = true
+  value     = var.sealed_secrets_key_cert.auto_generate_key_cert ? tls_private_key.sealed_secret_key.0.private_key_pem : ""
+}
+
+output "sealed_secrets_generated_cert" {
+  sensitive = true
+  value     = var.sealed_secrets_key_cert.auto_generate_key_cert ? tls_self_signed_cert.sealed_secret_cert.0.cert_pem : ""
+}
diff --git a/provider.tf b/provider.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 1.13.3"
+    }
+  }
+}