initial commit

shalb · Apr 5, 2021 · 0553ae9 · 0553ae9
1 parent 8a52c6a
commit 0553ae9
Show file tree

Hide file tree

Showing 5 changed files with 304 additions and 0 deletions.
diff --git a/argocd-apps/external-dns.yaml b/argocd-apps/external-dns.yaml
@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-dns
+  namespace: argocd
+  argocd.argoproj.io/sync-wave: "0"
+spec:
+  project: default
+  source:
+    repoURL: https://charts.bitnami.com/bitnami
+    chart: external-dns
+    targetRevision: 4.4.3
+    helm:
+      values: |
+        aws:
+          region: {{ .variables.region }}
+          zoneType: "public"
+        policy: upsert-only
+        serviceAccount:
+          create: true
+        metrics:
+          enabled: true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: external-dns
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - Validate=true
+      - CreateNamespace=true
diff --git a/argocd-apps/ingress-nginx.yaml b/argocd-apps/ingress-nginx.yaml
@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ingress-nginx
+  namespace: argocd
+  argocd.argoproj.io/sync-wave: "0"
+spec:
+  project: default
+  source:
+    repoURL: https://kubernetes.github.io/ingress-nginx
+    chart: ingress-nginx
+    targetRevision: 3.21.0
+    helm:
+      values: |
+        service:
+          type: LoadBalancer
+          externalTrafficPolicy: Local
+        controller:
+          admissionWebhooks:
+            enabled: false
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: ingress-nginx
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - Validate=true
+      - CreateNamespace=true
diff --git a/aws-k3s.yaml b/aws-k3s.yaml
@@ -0,0 +1,174 @@
+{{- $createVpcCIDR := "10.8.0.0/18" -}}
+{{- $azs_count := len .variables.azs -}}
+_: &getKubeconfig "export KUBECONFIG=./kubeconfig_{{ .name }} && aws s3 cp s3://{{ .variables.bucket }}/{{ .name }}/kubeconfig ./kubeconfig_{{ .name }}"
+_p: &provider_aws
+- aws:
+    region: {{ .variables.region }}
+
+
+name: aws-k3s
+kind: InfraTemplate
+modules:
+  - 
+    name: aws_key_pair
+    type: terraform
+    source: github.com/terraform-aws-modules/terraform-aws-key-pair?ref=v0.6.0
+    providers: *provider_aws
+    inputs:
+      create_key_pair: true
+      public_key: {{ .variables.public_key }}
+      key_name: {{ .variables.public_key_name }}
+  - 
+    name: route53
+    type: terraform
+    source: github.com/shalb/cluster.dev-domain?ref=0.1.0
+    inputs:
+      region: {{ .variables.region }}
+      cluster_name: {{ .name }}
+      cluster_domain: {{ .variables.domain }}
+      zone_delegation: {{ if eq .variables.domain "cluster.dev" }}true{{ else }}false{{ end }}
+  {{- if .variables.vpc.create }}
+  - 
+    name: vpc
+    type: terraform
+    providers: *provider_aws
+    source: terraform-aws-modules/vpc/aws
+    version: "2.70.0"
+    inputs:
+      name: {{ .name }}
+      cidr: {{ $createVpcCIDR }}
+      public_subnets:
+      {{- range $index, $_ := .variables.azs }}
+       - {{ cidrSubnet $createVpcCIDR 4 $index }}
+      {{- end }}
+      private_subnets:
+      {{- range $index, $_ := .variables.azs }}
+       - {{ cidrSubnet $createVpcCIDR 4 (add $index $azs_count ) }}
+      {{- end }}
+      azs: {{ insertYAML .variables.azs }}
+  {{- end }}
+  - 
+    name: ext-dns-iam
+    type: terraform
+    source: ./ext-dns-iam
+    providers: *provider_aws
+    inputs:
+      name: {{ .name }}-test
+      domain: {{ remoteState "this.route53.zone_id" }}
+  - 
+    name: k3s
+    type: terraform
+    source: github.com/shalb/terraform-aws-k3s?ref=v0.2.0_rc2
+    pre_hook:
+      command: *getKubeconfig
+      on_apply: false
+    inputs:
+      cluster_name: {{ .name }}
+      extra_args:
+        - "--disable traefik"
+      domain: {{ remoteState "this.route53.domain" }}
+      k3s_version: {{ .variables.k3s_version }}
+      {{- if .variables.vpc.create }}
+      public_subnets: {{ remoteState "this.vpc.public_subnets" }}
+      {{- else }}
+      public_subnets: {{ insertYAML .variables.public_subnets }}
+      {{- end }}
+      key_name: {{ remoteState "this.aws_key_pair.this_key_pair_key_name" }}
+      region: {{ .variables.region }}
+      s3_bucket: {{ .variables.bucket }}
+      master_node_count: {{ .variables.master_node_count }}
+      worker_node_groups: {{ insertYAML .variables.worker_node_groups  }}
+      master_iam_policies: 
+        - {{ remoteState "this.ext-dns-iam.arn" }}
+      worker_iam_policies: 
+        - {{ remoteState "this.ext-dns-iam.arn" }}
+      enable_asg_rolling_auto_update: true
+  - 
+    name: cert-manager
+    type: helm
+    source:
+      repository: "https://charts.jetstack.io"
+      chart: "cert-manager"
+      version: "v1.2.0"
+    kubeconfig: ./kubeconfig_{{ .name }}
+    depends_on: this.k3s
+    additional_options:
+      namespace: "cert-manager"
+      create_namespace: true
+    pre_hook:
+      command: *getKubeconfig
+      on_destroy: true
+      on_plan: true
+    inputs:
+      installCRDs: true
+      webhook.enabled: false
+      ingressShim.defaultIssuerName: letsencrypt-prod
+      ingressShim.defaultIssuerKind: ClusterIssuer
+      ingressShim.defaultACMEChallengeType: dns01
+      securityContext.enabled: false
+      serviceAccount.create: true
+  - 
+    name: cert-manager-issuer
+    type: kubernetes
+    source: ./cert-manager/
+    provider_version: "0.2.1"
+    kubeconfig: ./kubeconfig_{{ .name }}
+    depends_on: this.cert-manager
+    pre_hook:
+      command: *getKubeconfig
+      on_destroy: true
+      on_plan: true
+  - 
+    name: argocd
+    type: helm
+    source:
+      repository: "https://argoproj.github.io/argo-helm"
+      chart: "argo-cd"
+      version: "2.11.0"
+    pre_hook:
+      command: *getKubeconfig
+      on_destroy: true
+    kubeconfig: ./kubeconfig_{{ .name }}
+    depends_on: this.cert-manager-issuer
+    additional_options:
+      namespace: "argocd"
+      create_namespace: true
+    inputs:
+      global.image.tag: v1.8.3
+      service.type: LoadBalancer
+      server.certificate.domain: argocd.{{ .name }}.{{ .variables.domain }}
+      server.certificate.enabled: true
+      server.certificate.issuer.name: letsencrypt-prod
+      server.certificate.issuer.kind: ClusterIssuer
+      server.ingress.enabled: true
+      server.ingress.tls[0].secretName: argocd-secret
+      server.ingress.hosts[0]: argocd.{{ .name }}.{{ .variables.domain }}
+      server.ingress.tls[0].hosts[0]: argocd.{{ .name }}.{{ .variables.domain }}
+      server.ingress.annotations.cert-manager\.io/cluster-issuer: letsencrypt-prod
+      server.ingress.annotations.kubernetes\.io/ingress.class: nginx
+      server.ingress.annotations.kubernetes\.io/tls-acme: "true"
+      server.ingress.annotations.nginx\.ingress\.kubernetes\.io/ssl-passthrough: "true"
+      server.ingress.annotations.nginx\.ingress\.kubernetes\.io/backend-protocol: "HTTPS"
+      server.config.url: https://argocd.{{ .name }}.{{ .variables.domain }}
+      configs.secret.argocdServerAdminPassword: {{ .variables.argocdServerAdminPassword }}
+  - 
+    name: argocd_apps
+    type: kubernetes
+    provider_version: "0.2.1"
+    source: ./argocd-apps/
+    pre_hook:
+      command: *getKubeconfig
+      on_destroy: true
+      on_plan: true
+    kubeconfig: ./kubeconfig_{{ .name }}
+    depends_on: this.argocd
+  - 
+    name: print_outputs
+    type: printer
+    depends_on: this.argocd_apps
+    inputs:
+      cluster_name: {{ .name }}
+      region: {{ .variables.region }}
+      kubeconfig: *getKubeconfig
+      k3s_version: {{ .variables.k3s_version }}
+      argocd_url: https://argocd.{{ .name }}.{{ .variables.domain }}
diff --git a/cert-manager/issuer.yaml b/cert-manager/issuer.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+    - dns01:
+        route53:
+          region: {{ .variables.region }}
diff --git a/ext-dns-iam/main.tf b/ext-dns-iam/main.tf
@@ -0,0 +1,54 @@
+resource random_pet "iam" {}
+
+resource aws_iam_policy "ext_dns" {
+  name   = substr("${var.name}-ext-dns-${random_pet.iam.id}", 0, 32)
+  policy =  <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+    {
+        "Effect": "Allow",
+        "Action": [
+        "route53:ChangeResourceRecordSets",
+        "route53:GetChange"
+        ],
+        "Resource": [
+        "arn:aws:route53:::hostedzone/${var.domain}",
+        "arn:aws:route53:::change/*"
+        ]
+    },
+    {
+        "Effect": "Allow",
+        "Action": [
+        "route53:ListHostedZones",
+        "route53:ListResourceRecordSets",
+        "route53:ListHostedZonesByName"
+        ],
+        "Resource": [
+        "*"
+        ]
+    }
+    ]
+}
+EOF
+}
+
+variable "domain" {
+  type = string
+}
+
+variable "name" {
+  type = string
+}
+
+output "id" {
+    value = aws_iam_policy.ext_dns.id
+}
+
+output "arn" {
+    value = aws_iam_policy.ext_dns.arn
+}
+
+output "name" {
+    value = aws_iam_policy.ext_dns.name
+}