Commit c189261 (0 parents)
Showing 13 changed files with 1,225 additions and 0 deletions.
@@ -0,0 +1,25 @@ | ||
bin/* | ||
**/*.tfstate* | ||
**/*.tfstate.backup | ||
**/.terraform/* | ||
**/.terraform.lock.* | ||
**/*.test.tfvars | ||
|
||
.DS_Store | ||
builds/* | ||
crash.log | ||
.idea | ||
*.iml | ||
*.exe | ||
*.ovpn | ||
debug.test | ||
linux-amd64/* | ||
temp/* | ||
.env | ||
kubeconfig_* | ||
|
||
**/config/generated/* | ||
**/config/demo.yaml | ||
**/config/lab.yaml | ||
|
||
known_hosts |
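Review bot: the ignore rules cover `**/*.test.tfvars` but not other `*.tfvars` files, so a `terraform.tfvars` carrying `sealed_secrets_key_cert.private_key` or a real `argocd_git_repo_url` would still be committed; consider ignoring `*.tfvars` and `*.auto.tfvars` outright and allow-listing any example file explicitly. Ignoring `known_hosts` also looks accidental: a pinned host key is normally something you want under version control rather than regenerated on every checkout.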
Large diffs are not rendered by default.
@@ -0,0 +1,12 @@ | ||
# Terraform K8s ArgoCD Bootstrap | ||
A terraform module that will bootstrap a Kubernetes cluster with ArgoCD and Sealed Secrets. | ||
|
||
## Usage | ||
Below are few examples on how to use this module | ||
|
||
|
||
## Module Info | ||
See the module info here [here](./TERRAFORM.md) | ||
|
||
## Contributing | ||
See contributing docs [here](./docs/CONTRIBUTING.md) |
@@ -0,0 +1,59 @@ | ||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| kubernetes | >= 1.13.3 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| aws | n/a | | ||
| helm | n/a | | ||
| kubernetes | >= 1.13.3 | | ||
| template | n/a | | ||
| tls | n/a | | ||
|
||
## Modules | ||
|
||
No Modules. | ||
|
||
## Resources | ||
|
||
| Name | | ||
|------| | ||
| [aws_eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | | ||
| [aws_eks_cluster_auth](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | | ||
| [helm_release](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | | ||
| [kubernetes_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | | ||
| [kubernetes_secret](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | | ||
| [template_file](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | | ||
| [tls_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | | ||
| [tls_self_signed_cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| argocd\_git\_repo\_url | The ArgoCD git config | `string` | n/a | yes | | ||
| target\_cluster\_name | The cluster name where the ArgoCD will be installed | `string` | n/a | yes | | ||
| argocd\_additional\_applications | Additional applications to be added to ArgoCD | `list(any)` | `[]` | no | | ||
| argocd\_additional\_projects | Additional projeccts to be added to ArgoCD | `list(any)` | `[]` | no | | ||
| argocd\_chart\_version | The ArgoCD chart version | `string` | `"3.7.1"` | no | | ||
| argocd\_image\_tag | The image tag for the ArgoCD image | `string` | `"v2.0.4"` | no | | ||
| managed\_clusters\_names | A list of clusters that will be managed by ArgoCD | `list(string)` | `[]` | no | | ||
| namespace | The namespace name that will be created for argo and sealed secret | `string` | `"argo-system"` | no | | ||
| namespace\_labels | labels to be added to the namespace | `map(string)` | `{}` | no | | ||
| sealed\_secrets\_chart | The chart version and docker image version. | <pre>object({<br> repository : string<br> chart_version : string<br> docker_image_tag : string<br> })</pre> | <pre>{<br> "chart_version": "1.16.1",<br> "docker_image_tag": "v0.16.0",<br> "repository": "https://bitnami-labs.github.io/sealed-secrets"<br>}</pre> | no | | ||
| sealed\_secrets\_chart\_values | A list of values.yaml files to be added to the chart installation. | `list(string)` | `[]` | no | | ||
| sealed\_secrets\_chart\_values\_overrides | A map of key/value to override the chart values. The key must be the path/name of the chart value, e.g: `path.to.chart.key` | `map(string)` | `{}` | no | | ||
| sealed\_secrets\_key\_cert | The key/cert config for sealed secrets. If `auto_generate_key_cert` is false and no custom key/cert is provided, no custom key/cert will be generated | <pre>object({<br> auto_generate_key_cert : bool,<br> private_key : string<br> private_cert : string<br> })</pre> | <pre>{<br> "auto_generate_key_cert": true,<br> "private_cert": "",<br> "private_key": ""<br>}</pre> | no | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| argocd\_git\_private\_key | n/a | | ||
| argocd\_git\_public\_key | n/a | | ||
| sealed\_secrets\_generated\_cert | n/a | | ||
| sealed\_secrets\_generated\_private\_key | n/a | |
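Review bot: the `sealed_secrets_key_cert` description is self-contradictory: "If `auto_generate_key_cert` is false and no custom key/cert is provided, no custom key/cert will be generated" describes a no-op rather than the actual behaviour (presumably the chart then generates its own key), so state what happens in each of the three cases (auto-generate, caller-supplied key/cert, neither). Also: typo "projeccts" in `argocd_additional_projects`; the `argocd_git_repo_url` description "The ArgoCD git config" does not say it is an SSH repository URL; and all four outputs have "n/a" descriptions, which matters most for `argocd_git_private_key` and `sealed_secrets_generated_private_key`, since they hand key material to the caller.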
@@ -0,0 +1,89 @@ | ||
locals { | ||
cluster_credentials = { | ||
configs = { | ||
clusterCredentials = [ | ||
for c in var.managed_clusters_names : { | ||
name = c | ||
server = data.aws_eks_cluster.creds[c].endpoint | ||
namespaces = "default,argo-system" | ||
config = { | ||
bearerToken = data.aws_eks_cluster_auth.creds[c].token | ||
tlsClientConfig = { | ||
insecure = false | ||
caData = data.aws_eks_cluster.creds[c].certificate_authority.0.data | ||
} | ||
} | ||
} | ||
] | ||
} | ||
} | ||
|
||
argocd_config = { | ||
server = { | ||
additionalApplications = var.argocd_additional_applications | ||
additionalProjects = var.argocd_additional_projects | ||
} | ||
} | ||
|
||
gitSSHSecretKey = "sshPrivateKey" | ||
} | ||
|
||
data "aws_eks_cluster" "creds" { | ||
for_each = toset(var.managed_clusters_names) | ||
|
||
name = each.value | ||
} | ||
|
||
data "aws_eks_cluster_auth" "creds" { | ||
for_each = toset(var.managed_clusters_names) | ||
|
||
name = each.value | ||
} | ||
|
||
data "template_file" "git" { | ||
template = file("${path.module}/templates/git-config.tmpl") | ||
vars = { | ||
GIT_URL = var.argocd_git_repo_url | ||
SECRET_NAME = kubernetes_secret.git.metadata.0.name | ||
SECRET_KEY = local.gitSSHSecretKey | ||
} | ||
} | ||
|
||
resource "tls_private_key" "git" { | ||
algorithm = "RSA" | ||
rsa_bits = "4096" | ||
} | ||
|
||
resource "kubernetes_secret" "git" { | ||
metadata { | ||
name = "argocd-git-ssh-credentials" | ||
namespace = kubernetes_namespace.argo.metadata.0.name | ||
labels = {} | ||
} | ||
|
||
data = { | ||
"${local.gitSSHSecretKey}" = tls_private_key.git.private_key_pem | ||
} | ||
|
||
type = "Opaque" | ||
} | ||
|
||
resource "helm_release" "argo" { | ||
name = "argo-cd" | ||
namespace = kubernetes_namespace.argo.metadata.0.name | ||
|
||
repository = "https://argoproj.github.io/argo-helm" | ||
chart = "argo-cd" | ||
version = var.argocd_chart_version | ||
|
||
values = [ | ||
yamlencode(local.cluster_credentials), | ||
yamlencode(local.argocd_config), | ||
data.template_file.git.rendered | ||
] | ||
|
||
set { | ||
name = "global.image.tag" | ||
value = var.argocd_image_tag | ||
} | ||
} |
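Review bot: `clusterCredentials[*].config.bearerToken` is populated from `data.aws_eks_cluster_auth.creds[c].token`, which is a short-lived EKS authentication token minted from the caller's AWS credentials at plan time, so the credentials ArgoCD receives for each managed cluster stop working shortly after apply, and the token is also written in clear into the Terraform state and the Helm release values; for durable access use a service-account token or an `awsAuthConfig` entry in the cluster secret instead. Smaller points: `namespaces = "default,argo-system"` hard-codes the namespace while the target namespace is `var.namespace`; `rsa_bits = "4096"` should be a number, not a string; and `data "template_file"` relies on the deprecated template provider, which `templatefile("${path.module}/templates/git-config.tmpl", { ... })` replaces without an extra provider.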
@@ -0,0 +1,72 @@ | ||
# Contributing | ||
This project accepts contributions via GitHub pull requests. This document outlines the process to help get your contribution accepted | ||
|
||
## Sign Your Work | ||
|
||
The sign-off is a simple line at the end of the explanation for a commit. All | ||
commits needs to be signed. Your signature certifies that you wrote the patch or | ||
otherwise have the right to contribute the material. The rules are pretty simple, | ||
if you can certify the below (from [developercertificate.org](http://developercertificate.org/)): | ||
|
||
``` | ||
Developer Certificate of Origin | ||
Version 1.1 | ||
Copyright (C) 2004, 2006 The Linux Foundation and its contributors. | ||
1 Letterman Drive | ||
Suite D4700 | ||
San Francisco, CA, 94129 | ||
Everyone is permitted to copy and distribute verbatim copies of this | ||
license document, but changing it is not allowed. | ||
Developer's Certificate of Origin 1.1 | ||
By making a contribution to this project, I certify that: | ||
(a) The contribution was created in whole or in part by me and I | ||
have the right to submit it under the open source license | ||
indicated in the file; or | ||
(b) The contribution is based upon previous work that, to the best | ||
of my knowledge, is covered under an appropriate open source | ||
license and I have the right under that license to submit that | ||
work with modifications, whether created in whole or in part | ||
by me, under the same open source license (unless I am | ||
permitted to submit under a different license), as indicated | ||
in the file; or | ||
(c) The contribution was provided directly to me by some other | ||
person who certified (a), (b) or (c) and I have not modified | ||
it. | ||
(d) I understand and agree that this project and the contribution | ||
are public and that a record of the contribution (including all | ||
personal information I submit with it, including my sign-off) is | ||
maintained indefinitely and may be redistributed consistent with | ||
this project or the open source license(s) involved. | ||
``` | ||
|
||
Then you just add a line to every git commit message: | ||
|
||
Signed-off-by: Joe Smith <joe.smith@example.com> | ||
|
||
Use your real name (sorry, no pseudonyms or anonymous contributions.) | ||
|
||
If you set your `user.name` and `user.email` git configs, you can sign your | ||
commit automatically with `git commit -s`. | ||
|
||
Note: If your git config information is set properly then viewing the | ||
`git log` information for your commit will look something like this: | ||
|
||
``` | ||
Author: Joe Smith <joe.smith@example.com> | ||
Date: Thu Feb 2 11:41:15 2018 -0800 | ||
Update README | ||
Signed-off-by: Joe Smith <joe.smith@example.com> | ||
``` | ||
|
||
Notice the `Author` and `Signed-off-by` lines match. If they don't | ||
your PR will be rejected by the automated DCO check. |
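Review bot: grammar nits in the Sign Your Work text: "All commits needs to be signed" should read "All commits need to be signed", the opening sentence of the document is missing its final period, and "If they don't your PR will be rejected" needs a comma after "don't". The `git log` sample also omits the `commit <hash>` line that a real log prints above `Author:`.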
@@ -0,0 +1,34 @@ | ||
data "aws_eks_cluster" "target" { | ||
name = var.target_cluster_name | ||
} | ||
|
||
data "aws_eks_cluster_auth" "target" { | ||
name = var.target_cluster_name | ||
} | ||
|
||
provider "helm" { | ||
kubernetes { | ||
host = data.aws_eks_cluster.target.endpoint | ||
cluster_ca_certificate = base64decode(data.aws_eks_cluster.target.certificate_authority.0.data) | ||
token = data.aws_eks_cluster_auth.target.token | ||
} | ||
} | ||
|
||
provider "kubernetes" { | ||
host = data.aws_eks_cluster.target.endpoint | ||
cluster_ca_certificate = base64decode(data.aws_eks_cluster.target.certificate_authority.0.data) | ||
token = data.aws_eks_cluster_auth.target.token | ||
} | ||
|
||
resource "kubernetes_namespace" "argo" { | ||
metadata { | ||
name = var.namespace | ||
labels = var.namespace_labels | ||
} | ||
|
||
lifecycle { | ||
ignore_changes = [ | ||
metadata[0].labels, | ||
] | ||
} | ||
} |
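Review bot: `lifecycle { ignore_changes = [metadata[0].labels] }` on `kubernetes_namespace.argo` means a later change to `var.namespace_labels` is silently never applied, which contradicts the input's description ("labels to be added to the namespace"); either drop the ignore or document that labels are only set at creation. Two further points: declaring `provider "helm"` and `provider "kubernetes"` inside the module prevents callers from using `count`/`for_each` on it and complicates destroy, so consider moving the provider blocks to the root module and passing them in; and the provider `token` from `data.aws_eks_cluster_auth.target.token` is short-lived, which is fine for the apply itself but means it is re-read on every run and lands in state.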
@@ -0,0 +1,18 @@ | ||
output "argocd_git_public_key" { | ||
value = tls_private_key.git.public_key_openssh | ||
} | ||
|
||
output "argocd_git_private_key" { | ||
sensitive = true | ||
value = tls_private_key.git.private_key_pem | ||
} | ||
|
||
output "sealed_secrets_generated_private_key" { | ||
sensitive = true | ||
value = var.sealed_secrets_key_cert.auto_generate_key_cert ? tls_private_key.sealed_secret_key.0.private_key_pem : "" | ||
} | ||
|
||
output "sealed_secrets_generated_cert" { | ||
sensitive = true | ||
value = var.sealed_secrets_key_cert.auto_generate_key_cert ? tls_self_signed_cert.sealed_secret_cert.0.cert_pem : "" | ||
} |
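Review bot: `tls_private_key.sealed_secret_key` and `tls_self_signed_cert.sealed_secret_cert` are referenced with `.0` indexing but are not declared in any file rendered in this commit, so they must live in the file whose diff is not rendered; confirm both are declared with a count driven by `var.sealed_secrets_key_cert.auto_generate_key_cert`, and prefer `join("", tls_private_key.sealed_secret_key.*.private_key_pem)` (or `one()`) over the ternary-plus-index form, which is brittle when the count is zero. Marking `sealed_secrets_generated_cert` as `sensitive` is harmless but unnecessary for a public certificate, while `argocd_git_public_key` correctly stays non-sensitive.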
@@ -0,0 +1,8 @@ | ||
terraform { | ||
required_providers { | ||
kubernetes = { | ||
source = "hashicorp/kubernetes" | ||
version = ">= 1.13.3" | ||
} | ||
} | ||
} |
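Review bot: only the kubernetes provider gets a version constraint here, while the aws, helm, tls and template providers the module uses are left unconstrained (the Providers table in TERRAFORM.md lists them as n/a), so a fresh `terraform init` can pull a new major version with breaking changes; add `source`/`version` entries for aws, helm and tls, add a `required_version` for Terraform itself, and drop template once `templatefile()` replaces `data "template_file"`.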