Merge pull request #1 from utilitywarehouse/manifests

add kustomize base and example

manifests/base/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - terraform-applier.yaml

manifests/base/terraform-applier.yaml

@@ -0,0 +1,87 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: terraform-applier
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/path: /__/metrics
+    prometheus.io/port: "8080"
+  name: terraform-applier
+  labels:
+    app: terraform-applier
+spec:
+  ports:
+    - name: web
+      protocol: TCP
+      port: 80
+      targetPort: 8080
+  selector:
+    app: terraform-applier
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: terraform-applier
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: terraform-applier
+  template:
+    metadata:
+      labels:
+        app: terraform-applier
+    spec:
+      serviceAccountName: terraform-applier
+      containers:
+        - name: git-sync
+          image: k8s.gcr.io/git-sync:v3.1.2
+          securityContext:
+            runAsUser: 65533 # git-sync user
+            runAsGroup: 0 # root group to read mounted Secrets
+          env:
+            - name: GIT_SYNC_DEST
+              value: "modules"
+            - name: GIT_SYNC_SSH
+              value: "true"
+            - name: GIT_SYNC_MAX_SYNC_FAILURES
+              value: "5"
+          volumeMounts:
+            - name: git-repo
+              mountPath: /tmp/git
+            - name: git-secret
+              mountPath: /etc/git-secret
+          resources:
+            requests:
+              cpu: 40m
+              memory: 48Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
+        - name: terraform-applier
+          image: quay.io/utilitywarehouse/terraform-applier:0.1.0
+          env:
+          volumeMounts:
+            - name: git-repo
+              mountPath: /src
+              readOnly: true
+          resources:
+            requests:
+              cpu: 10m
+              memory: 25Mi
+            limits:
+              cpu: 500m
+              memory: 200Mi
+          ports:
+            - containerPort: 8080
+      volumes:
+        - name: git-repo
+          emptyDir: {}
+        - name: git-secret
+          secret:
+            secretName: ssh
+            defaultMode: 0440

manifests/example/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+  - ../base/
+  #  - github.com/utilitywarehouse/terraform-applier//manifests/base?ref=0.1.0
+resources:
+  - terraform-applier-ingress.yaml
+patchesStrategicMerge:
+  - terraform-applier-patch.yaml
+secretGenerator:
+  # aws secret access key
+  - name: aws
+    type: Opaque
+    files:
+      - aws-secret-access-key=secrets/aws-secret-access-key
+  # ssh key to clone the "root" terraform modules repository, used by git-sync
+  - name: ssh
+    type: Opaque
+    files:
+      - ssh=secrets/ssh
+      - known_hosts=resources/known_hosts

manifests/example/resources/known_hosts

@@ -0,0 +1 @@
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

manifests/example/secrets/aws-secret-access-key

@@ -0,0 +1 @@
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

manifests/example/secrets/ssh

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+-----END OPENSSH PRIVATE KEY-----

manifests/example/terraform-applier-ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: terraform-applier
+  labels:
+    kubernetes.io/ingress.class: private-example
+  annotations:
+    external-dns.alpha.kubernetes.io/target: example.com
+spec:
+  rules:
+    - host: example.com
+      http:
+        paths:
+          - path: /
+            backend:
+              serviceName: terraform-applier
+              servicePort: 80

manifests/example/terraform-applier-patch.yaml

@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: terraform-applier
+spec:
+  template:
+    spec:
+      containers:
+        - name: terraform-applier
+          env:
+            # AWS credentials for use by an S3 backend/AWS provider. Substitute the configuration for your particular
+            # backends and providers.
+            - name: AWS_ACCESS_KEY_ID
+              value: AAAAAAAAAAAAAAAAAAAA
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: aws
+                  key: aws-secret-access-key
+            - name: REPO_PATH
+              value: "/src/modules/example-env"
+            - name: REPO_PATH_FILTERS
+              value: "my-module-1,my-module-2,env-*"
+            - name: DIFF_URL_FORMAT
+              value: "https://github.com/org/repo/commit/%s"
+        - name: git-sync
+          env:
+            - name: GIT_SYNC_REPO
+              value: "[email protected]:org/repo.git"