diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f556c06 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +tmp/** \ No newline at end of file diff --git a/argocd-apps/external-dns.yaml b/argocd-apps/external-dns.yaml deleted file mode 100644 index b107953..0000000 --- a/argocd-apps/external-dns.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: external-dns - namespace: argocd - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - project: default - source: - repoURL: https://charts.bitnami.com/bitnami - chart: external-dns - targetRevision: 6.1.0 - helm: - values: | - aws: - region: {{ .variables.region }} - zoneType: "public" - policy: upsert-only - serviceAccount: - create: true - metrics: - enabled: true - logLevel: debug - destination: - server: https://kubernetes.default.svc - namespace: external-dns - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - Validate=true - - CreateNamespace=true \ No newline at end of file diff --git a/aws-k3s.yaml b/aws-k3s.yaml index 426de9e..d787f6d 100644 --- a/aws-k3s.yaml +++ b/aws-k3s.yaml @@ -11,10 +11,9 @@ _p: &provider_aws - aws: region: {{ .variables.region }} - name: aws-k3s kind: StackTemplate -cliVersion: ">=0.6.1" +cliVersion: ">=v0.8.0" units: - name: aws_key_pair @@ -25,6 +24,7 @@ units: create_key_pair: true public_key: {{ .variables.public_key }} key_name: {{ .variables.public_key_name }} + {{- if .variables.domain }} - name: route53 type: tfmodule @@ -34,6 +34,7 @@ units: cluster_name: {{ .variables.cluster_name }} cluster_domain: {{ .variables.domain }} zone_delegation: {{ if eq .variables.domain "cluster.dev" }}true{{ else }}false{{ end }} + {{- end }} {{- if not .variables.vpc_id }} - name: vpc 
@@ -73,23 +74,17 @@ units: "kubernetes.io/role/internal-lb": 1 azs: {{ insertYAML $azs }} {{- end }} - - - name: ext-dns-iam - type: tfmodule - source: ./ext-dns-iam - providers: *provider_aws - inputs: - name: {{ .variables.cluster_name }}-test - domain: {{ remoteState "this.route53.zone_id" }} - name: k3s type: tfmodule - source: github.com/shalb/terraform-aws-k3s?ref=v0.4.2 + source: github.com/shalb/terraform-aws-k3s?ref=v0.5.0 inputs: cluster_name: {{ .variables.cluster_name }} extra_args: - "--disable traefik" + {{ if .variables.domain }} domain: {{ remoteState "this.route53.domain" }} + {{ end }} k3s_version: {{ .variables.k3s_version }} {{- if .variables.vpc_id }} public_subnets: {{ insertYAML .variables.public_subnets }} 
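Review bot: The new `{{ if .variables.domain }}` and `{{ end }}` around `domain:` in the k3s unit omit the `-` trim marker that every other guard in this file uses, so the rendered YAML gains two whitespace-only lines inside the `inputs` mapping; the parser tolerates that, but for consistency with the other guards write them as `{{- if .variables.domain }}` and `{{- end }}`. The source bump to `github.com/shalb/terraform-aws-k3s?ref=v0.5.0` pins a tag rather than a commit; a tag can be moved, so if this template is meant to give reproducible builds, a commit SHA in `ref` is the immutable choice, otherwise a comment stating that tag pinning is intentional would settle it.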
@@ -102,23 +97,70 @@ units: master_node_count: {{ .variables.master_node_count }} worker_node_groups: {{ insertYAML .variables.worker_node_groups }} master_iam_policies: - - {{ remoteState "this.ext-dns-iam.arn" }} - worker_iam_policies: - - {{ remoteState "this.ext-dns-iam.arn" }} + - {{ remoteState "this.iam-policy-external-dns.arn" }} enable_asg_rolling_auto_update: true - name: kubeconfig - type: shell + type: tfmodule force_apply: true depends_on: this.k3s - apply: - commands: - - aws s3 cp s3://{{ .variables.bucket }}/{{ .variables.cluster_name }}/kubeconfig /tmp/kubeconfig_{{ .variables.cluster_name }} - - echo "kubeconfig_base64=$(cat /tmp/kubeconfig_{{ .variables.cluster_name }} | base64 -w 0)" - - echo "kubeconfig_path=/tmp/kubeconfig_{{ .variables.cluster_name }}" - outputs: - type: separator - separator: "=" + source: github.com/shalb/terraform-modules//local-file?ref=0.0.1 + inputs: + filename: /tmp/kubeconfig_{{ .variables.cluster_name }} + source_s3: + bucket: {{ .variables.bucket }} + key: {{ .variables.cluster_name }}/kubeconfig + file_permission: "0600" + {{- if .variables.domain }} + - + name: iam-policy-external-dns + type: tfmodule + source: "terraform-aws-modules/iam/aws//modules/iam-policy" + version: "5.30.0" + providers: *provider_aws + inputs: + name: AllowRoute53ZoneManagement-{{ .variables.cluster_name }} + policy: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:GetChange" + ], + "Resource": [ + "arn:aws:route53:::hostedzone/{{ .variables.domain }}", + "arn:aws:route53:::change/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "route53:ListHostedZones", + "route53:ListResourceRecordSets", + "route53:ListHostedZonesByName" + ], + "Resource": [ + "*" + ] + } + ] + } + - + name: external-dns + type: helm + source: + repository: "https://charts.bitnami.com/bitnami" + chart: "external-dns" + version: "6.26.3" + kubeconfig: {{ remoteState 
"this.kubeconfig.path" }} + additional_options: + namespace: "external-dns" + create_namespace: true + values: + - file: ./values/external-dns.yaml - name: cert-manager type: helm @@ -126,7 +168,7 @@ units: repository: "https://charts.jetstack.io" chart: "cert-manager" version: "v1.6.1" - kubeconfig: {{ output "this.kubeconfig.kubeconfig_path" }} + kubeconfig: {{ output "this.kubeconfig.path" }} additional_options: namespace: "cert-manager" create_namespace: true 
@@ -140,82 +182,33 @@ units: serviceAccount.create: true - name: cert-manager-issuer - type: k8s-manifest - path: ./cert-manager/issuer.yaml - kubeconfig: {{ output "this.kubeconfig.kubeconfig_path" }} + type: kubernetes depends_on: this.cert-manager + source: ./cert-manager/issuer.yaml + kubeconfig: {{ remoteState "this.kubeconfig.path" }} + {{- end }} - name: ingress-nginx type: helm source: repository: "https://kubernetes.github.io/ingress-nginx" chart: "ingress-nginx" - version: "4.0.13" - kubeconfig: {{ output "this.kubeconfig.kubeconfig_path" }} + version: "4.7.3" + kubeconfig: {{ output "this.kubeconfig.path" }} additional_options: namespace: "ingress-nginx" create_namespace: true + timeout: 60 inputs: service.type: LoadBalancer controller.admissionWebhooks.enabled: false service.externalTrafficPolicy: Local controller.ingressClassResource.default: true - - - name: csi - type: helm - source: - repository: "https://kubernetes-sigs.github.io/aws-ebs-csi-driver" - chart: "aws-ebs-csi-driver" - version: "2.6.9" - kubeconfig: {{ output "this.kubeconfig.kubeconfig_path" }} - additional_options: - namespace: "kube-system" - values: - - file: ./csi/values.yaml - apply_template: false - - - name: argocd - type: helm - source: - repository: "https://argoproj.github.io/argo-helm" - chart: "argo-cd" - version: "4.5.7" - kubeconfig: {{ output "this.kubeconfig.kubeconfig_path" }} - depends_on: this.cert-manager-issuer - additional_options: - namespace: "argocd" - create_namespace: true - inputs: - service.type: LoadBalancer - server.certificate.domain: argocd.{{ .variables.cluster_name }}.{{ .variables.domain }} - server.certificate.enabled: true - server.certificate.issuer.name: letsencrypt-prod - server.certificate.issuer.kind: ClusterIssuer - server.ingress.enabled: true - server.ingress.tls[0].secretName: argocd-secret - server.ingress.hosts[0]: argocd.{{ .variables.cluster_name }}.{{ .variables.domain }} - server.ingress.tls[0].hosts[0]: argocd.{{ 
.variables.cluster_name }}.{{ .variables.domain }} - server.ingress.annotations.cert-manager\.io/cluster-issuer: letsencrypt-prod - server.ingress.annotations.kubernetes\.io/ingress.class: nginx - server.ingress.annotations.kubernetes\.io/tls-acme: "true" - server.ingress.annotations.nginx\.ingress\.kubernetes\.io/ssl-passthrough: "true" - server.ingress.annotations.nginx\.ingress\.kubernetes\.io/backend-protocol: "HTTPS" - server.config.url: https://argocd.{{ .variables.cluster_name }}.{{ .variables.domain }} - configs.secret.argocdServerAdminPassword: {{ .variables.argocdServerAdminPassword }} - configs.secret.argocdServerAdminPasswordMtime: "2021-01-01T00:00:00Z" - - - name: argocd_apps - type: k8s-manifest - path: ./argocd-apps/ - kubeconfig: {{ output "this.kubeconfig.kubeconfig_path" }} - depends_on: this.argocd - name: outputs type: printer - depends_on: this.argocd_apps outputs: cluster_name: {{ .variables.cluster_name }} region: {{ .variables.region }} - kubeconfig: {{ output "this.kubeconfig.kubeconfig_path" }} + kubeconfig: {{ output "this.kubeconfig.path" }} k3s_version: {{ .variables.k3s_version }} - argocd_url: https://argocd.{{ .variables.cluster_name }}.{{ .variables.domain }} diff --git a/csi/values.yaml b/csi/values.yaml deleted file mode 100644 index 0da732f..0000000 --- a/csi/values.yaml +++ /dev/null 
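Review bot: `timeout: 60` added under ingress-nginx's `additional_options` has no unit; if cdev passes it straight to Helm's `--timeout`, which expects a duration, confirm that a bare integer is accepted and that 60 seconds is long enough for a LoadBalancer-backed controller to become ready, or write it in the form the helm unit documents. The `{{- end }}` added after cert-manager-issuer closes the `.variables.domain` guard opened before `iam-policy-external-dns`, roughly fifty lines earlier and also enclosing cert-manager; a template comment (`{{/* … */}}`) next to this `{{- end }}` naming the condition it closes would spare the next reader the search.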
@@ -1,35 +0,0 @@ -enableVolumeResizing: true -enableVolumeSnapshot: false - -tolerateAllTaints: true - -tolerations: - - operator: Exists - -affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - ebs-csi-controller - topologyKey: "kubernetes.io/hostname" - -# If set, add pv/pvc metadata to plugin create requests as parameters. -extraCreateMetadata: false - -node: - nodeSelector: {} - podAnnotations: - iam.amazonaws.com/role: k8s_ebs_csi_driver - tolerateAllTaints: true - tolerations: [] - -serviceAccount: - controller: - annotations: {} - snapshot: - annotations: {} - \ No newline at end of file diff --git a/examples/README.md b/examples/README.md deleted file mode 100644 index 477140d..0000000 --- a/examples/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# Example infrastructure with k3s and demo app - -1. [Configure access to AWS](https://docs.cluster.dev/examples-aws-eks/#authentication) and export required variables. -2. Copy all example files to empty dir. -As an alternative you can use cdev generator to create project from this repo: - - ```bash - cdev project create https://github.com/shalb/cdev-aws-k3s - ``` - -3. Edit variables in the example's files, if necessary. -4. Run `cdev plan` -5. Run `cdev apply` diff --git a/examples/backend.yaml b/examples/backend.yaml old mode 100644 new mode 100755 diff --git a/examples/demo-app.yaml b/examples/demo-app.yaml old mode 100644 new mode 100755 index 98e11ee..b52e7e9 --- a/examples/demo-app.yaml +++ b/examples/demo-app.yaml @@ -4,5 +4,5 @@ kind: Stack backend: aws-backend variables: replicas: 3 - domain: {{ output "k3s-demo.outputs.cluster_name" }}.{{ .project.variables.domain }} - kubeconfig: {{ output "k3s-demo.kubeconfig.kubeconfig_path" }} + domain: {{ remoteState "k3s-demo.outputs.cluster_name" }}.{{ .project.variables.domain }} + kubeconfig: {{ output "k3s-demo.kubeconfig.path" }} 
diff --git a/examples/demo-infra.yaml b/examples/demo-infra.yaml old mode 100644 new mode 100755 index 74cdd57..b6c154d --- a/examples/demo-infra.yaml +++ b/examples/demo-infra.yaml @@ -1,24 +1,16 @@ name: k3s-demo -template: https://github.com/shalb/cdev-aws-k3s?ref=main +template: ../ kind: Stack backend: aws-backend variables: - cluster_name: k3s-demo-boston + cluster_name: demo-k3s bucket: {{ .project.variables.state_bucket_name }} region: {{ .project.variables.region }} organization: {{ .project.variables.organization }} domain: {{ .project.variables.domain }} instance_type: "t3.medium" - k3s_version: "1.25.11+k3s1" - # Uncomment lines below if you need to specify the VPC - #vpc_id: "vpc-5ecf1234" - #public_subnets: - # - "subnet-d775f0bd" - # - "subnet-6696651a" + k3s_version: "v1.28.2+k3s1" env: "demo" - azs: - - "{{ .project.variables.region }}a" - - "{{ .project.variables.region }}b" public_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCi6UIVruH0CfKewYlSjA7oR6gjahZrkJ+k/0cj46nvYrORVcds2cijZPT34ACWkvXV8oYvXGWmvlGXV5H1sD0356zpjhRnGo6j4UZVS6KYX5HwObdZ6H/i+A9knEyXxOCyo6p4VeJIYGhVYcQT4GDAkxb8WXHVP0Ax/kUqrKx0a2tK9JjGkuLbufQc3yWhqcfZSVRU2a+M8f8EUmGLOc2VEi2mGoxVgikrelJ0uIGjLn63L6trrsbvasoBuILeXOAO1xICwtYFek/MexQ179NKqQ1Wx/+9Yx4Xc63MB0vR7kde6wxx2Auzp7CjJBFcSTz0TXSRsvF3mnUUoUrclNkr demo" # Change this. public_key_name: demo master_node_count: 1 @@ -27,4 +19,3 @@ variables: min_size: 2 max_size: 3 instance_type: "t3.medium" - argocdServerAdminPassword: "$2a$10$1buVsK9yv0Al1oJlLmABeeRxYsArdlT2QPdNRqaZwiuYztj9JUDmu" # Bcrypted "password" diff --git a/examples/project.yaml b/examples/project.yaml old mode 100644 new mode 100755 index 1edbad0..178b8cf --- a/examples/project.yaml +++ b/examples/project.yaml 
@@ -1,10 +1,10 @@ -name: demo +name: cdev-example kind: Project backend: aws-backend variables: - organization: shalb # sample global variable + organization: my-organization region: eu-central-1 - state_bucket_name: cdev-k3s-arti # create and set your s3 bucket here + state_bucket_name: cdev-state domain: cluster.dev # exports: # AWS_PROFILE: cluster-dev # optional set the AWS profile to use during apply diff --git a/examples/sample-application-template/kuard.yaml b/examples/sample-application-template/kuard.yaml old mode 100644 new mode 100755 index 00ff7f5..814f39f --- a/examples/sample-application-template/kuard.yaml +++ b/examples/sample-application-template/kuard.yaml @@ -3,10 +3,9 @@ kind: StackTemplate units: - name: kuard - type: k8s-manifest + type: kubernetes namespace: default - path: ./manifests/ - apply_template: true + source: ./manifests/ kubeconfig: {{ .variables.kubeconfig }} kubectl_opts: "--wait=true" inputs: diff --git a/examples/sample-application-template/manifests/kuard.yaml b/examples/sample-application-template/manifests/kuard.yaml old mode 100644 new mode 100755 index 05d6459..3f96b28 --- a/examples/sample-application-template/manifests/kuard.yaml +++ b/examples/sample-application-template/manifests/kuard.yaml @@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: kuard-deployment + namespace: default labels: app: kuard spec: @@ -31,6 +32,7 @@ apiVersion: v1 kind: Service metadata: name: kuard + namespace: default spec: ports: - port: 80 @@ -49,6 +51,7 @@ metadata: labels: app: kuard name: kuard + namespace: default spec: rules: - host: kuard.{{ .variables.domain }} diff --git a/ext-dns-iam/main.tf b/ext-dns-iam/main.tf deleted file mode 100644 index 231f6ac..0000000 --- a/ext-dns-iam/main.tf +++ /dev/null @@ -1,54 +0,0 @@ -resource random_pet "iam" {} - -resource aws_iam_policy "ext_dns" { - name = substr("${var.name}-ext-dns-${random_pet.iam.id}", 0, 32) - policy = <
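Review bot: In examples/sample-application-template/kuard.yaml the switch to `type: kubernetes` drops `apply_template: true` while the manifest under `./manifests/` still contains template expressions (`- host: kuard.{{ .variables.domain }}` is visible in the following hunk); if the `kubernetes` unit does not render `source` as a template by default, that host is applied literally. Confirm the unit's templating default and, if rendering is not implicit, re-add the equivalent option. The manifests' new `namespace: default` lines duplicate the unit-level `namespace: default`; a comment on the unit noting that the manifests set their namespace explicitly would mark the redundancy as intentional.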