From f2387682c126ad9ac12403df01214ea2e9ccefe9 Mon Sep 17 00:00:00 2001
From: Rob Best
Date: Thu, 10 Oct 2019 15:43:29 +0100
Subject: [PATCH 1/3] add kustomize base and example
---
manifests/base/kustomization.yaml | 4 +
manifests/base/terraform-applier.yaml | 93 +++++++++++++++++++
manifests/example/kustomization.yaml | 21 +++++
manifests/example/resources/known_hosts | 1 +
.../example/secrets/aws-secret-access-key | 1 +
manifests/example/secrets/ssh | 7 ++
.../example/terraform-applier-ingress.yaml | 17 ++++
.../example/terraform-applier-patch.yaml | 29 ++++++
8 files changed, 173 insertions(+)
create mode 100644 manifests/base/kustomization.yaml
create mode 100644 manifests/base/terraform-applier.yaml
create mode 100644 manifests/example/kustomization.yaml
create mode 100644 manifests/example/resources/known_hosts
create mode 100644 manifests/example/secrets/aws-secret-access-key
create mode 100644 manifests/example/secrets/ssh
create mode 100644 manifests/example/terraform-applier-ingress.yaml
create mode 100644 manifests/example/terraform-applier-patch.yaml
diff --git a/manifests/base/kustomization.yaml b/manifests/base/kustomization.yaml
new file mode 100644
index 00000000..f0c2e337
--- /dev/null
+++ b/manifests/base/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - terraform-applier.yaml
diff --git a/manifests/base/terraform-applier.yaml b/manifests/base/terraform-applier.yaml
new file mode 100644
index 00000000..3377660f
--- /dev/null
+++ b/manifests/base/terraform-applier.yaml
@@ -0,0 +1,93 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: terraform-applier
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/path: /__/metrics
+ prometheus.io/port: "8080"
+ name: terraform-applier
+ labels:
+ app: terraform-applier
+spec:
+ ports:
+ - name: web
+ protocol: TCP
+ port: 80
+ targetPort: 8080
+ selector:
+ app: terraform-applier
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: terraform-applier
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: terraform-applier
+ template:
+ metadata:
+ labels:
+ app: terraform-applier
+ spec:
+ serviceAccountName: terraform-applier
+ containers:
+ - name: git-sync
+ image: k8s.gcr.io/git-sync:v3.1.2
+ securityContext:
+ runAsUser: 65533 # git-sync user
+ runAsGroup: 0 # root group to read mounted Secrets
+ env:
+ - name: GIT_SYNC_REPO
+ value: "git@github.com:org/repo.git"
+ - name: GIT_SYNC_DEST
+ value: "modules"
+ - name: GIT_SYNC_SSH
+ value: "true"
+ - name: GIT_SYNC_MAX_SYNC_FAILURES
+ value: "5"
+ volumeMounts:
+ - name: git-repo
+ mountPath: /tmp/git
+ - name: git-secret
+ mountPath: /etc/git-secret
+ resources:
+ requests:
+ cpu: 40m
+ memory: 48Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ - name: terraform-applier
+ image: quay.io/utilitywarehouse/terraform-applier:v0.1.0
+ env:
+ - name: DIFF_URL_FORMAT
+ value: "https://github.com/org/repo/commit/%s"
+ - name: REPO_PATH
+ value: "/src/modules/exp-1-aws"
+ volumeMounts:
+ - name: git-repo
+ mountPath: /src
+ readOnly: true
+ resources:
+ requests:
+ cpu: 10m
+ memory: 25Mi
+ limits:
+ cpu: 500m
+ memory: 200Mi
+ ports:
+ - containerPort: 8080
+ volumes:
+ - name: git-repo
+ emptyDir: {}
+ - name: git-secret
+ secret:
+ secretName: ssh
+ defaultMode: 0440
diff --git a/manifests/example/kustomization.yaml b/manifests/example/kustomization.yaml
new file mode 100644
index 00000000..d8ed5098
--- /dev/null
+++ b/manifests/example/kustomization.yaml
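Review bot: `runAsGroup: 0` on the git-sync container exists only so that uid 65533 can read the `ssh` Secret mounted at /etc/git-secret with `defaultMode: 0440`; a pod-level `securityContext: {fsGroup: 65533}` makes the projected Secret group-readable by git-sync's own gid, so the container does not need root group membership at all. Neither container sets `allowPrivilegeEscalation: false` or `readOnlyRootFilesystem: true`, which a base meant to be reused across deployments is the right place for. The Deployment relies on the default RollingUpdate strategy, so a rollout briefly runs two applier pods against the same modules; if the applier runs terraform unattended, `strategy: {type: Recreate}` avoids overlapping applies. `defaultMode: 0440` is only read as octal under YAML 1.1 rules; decimal `288  # 0440` is parser-independent.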
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+ - ../base/
+ # - github.com/utilitywarehouse/terraform-applier//manifests/base?ref=0.1.0
+resources:
+ - terraform-applier-ingress.yaml
+patchesStrategicMerge:
+ - terraform-applier-patch.yaml
+secretGenerator:
+ # aws secret access key
+ - name: aws
+ type: Opaque
+ files:
+ - aws-secret-access-key=secrets/aws-secret-access-key
+ # ssh key to clone the "root" terraform modules repository, used by git-sync
+ - name: ssh
+ type: Opaque
+ files:
+ - ssh=secrets/ssh
+ - known_hosts=resources/known_hosts
diff --git a/manifests/example/resources/known_hosts b/manifests/example/resources/known_hosts
new file mode 100644
index 00000000..1bae52b8
--- /dev/null
+++ b/manifests/example/resources/known_hosts
@@ -0,0 +1 @@
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
diff --git a/manifests/example/secrets/aws-secret-access-key b/manifests/example/secrets/aws-secret-access-key
new file mode 100644
index 00000000..a3ea2516
--- /dev/null
+++ b/manifests/example/secrets/aws-secret-access-key
@@ -0,0 +1 @@
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
diff --git a/manifests/example/secrets/ssh b/manifests/example/secrets/ssh
new file mode 100644
index 00000000..d7d0b4c6
--- /dev/null
+++ b/manifests/example/secrets/ssh
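Review bot: `secretGenerator` reads `secrets/aws-secret-access-key` and `secrets/ssh` from files inside the example tree, and this commit checks in placeholder contents for both (the `aws-secret-access-key` and `ssh` hunks); anyone who copies the example and fills in real values will commit a live AWS secret key and SSH private key next to the manifests. A comment above `secretGenerator` such as `# placeholder files: supply real values out of band and keep secrets/ out of version control`, together with a `.gitignore` entry for the example's `secrets/` directory, would make that intent explicit. `known_hosts` is correctly kept under `resources/` since it is not secret, but it is loaded into the same `ssh` Secret, presumably because git-sync reads both files from /etc/git-secret; a one-line comment saying so would save the next reader a lookup.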
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+-----END OPENSSH PRIVATE KEY-----
\ No newline at end of file
diff --git a/manifests/example/terraform-applier-ingress.yaml b/manifests/example/terraform-applier-ingress.yaml
new file mode 100644
index 00000000..49e1937d
--- /dev/null
+++ b/manifests/example/terraform-applier-ingress.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ name: terraform-applier
+ labels:
+ kubernetes.io/ingress.class: private-example
+ annotations:
+ external-dns.alpha.kubernetes.io/target: example.com
+spec:
+ rules:
+ - host: example.com
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: terraform-applier
+ servicePort: 80
diff --git a/manifests/example/terraform-applier-patch.yaml b/manifests/example/terraform-applier-patch.yaml
new file mode 100644
index 00000000..52e849ec
--- /dev/null
+++ b/manifests/example/terraform-applier-patch.yaml
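Review bot: `kubernetes.io/ingress.class: private-example` is placed under `metadata.labels`, whereas most ingress controllers select on that key as an annotation; if the target controller is configured with a label selector this is deliberate and deserves a comment (`# selected by label, not annotation`), otherwise it belongs under `annotations` next to `external-dns.alpha.kubernetes.io/target`. The Ingress publishes whatever the applier serves on port 8080 (at least the `/__/metrics` endpoint annotated on the Service) at `example.com` with no authentication visible in the manifest, so a comment stating what the `private-example` class is expected to enforce would help readers who copy the example into their own cluster.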
@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: terraform-applier
+spec:
+ template:
+ spec:
+ containers:
+ - name: terraform-applier
+ env:
+ # AWS credentials for use by an S3 backend/AWS provider. Substitute the configuration for your particular
+ # backends and providers.
+ - name: AWS_ACCESS_KEY_ID
+ value: AAAAAAAAAAAAAAAAAAAA
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: aws
+ key: aws-secret-access-key
+ - name: REPO_PATH
+ value: "/src/modules/example-env"
+ - name: REPO_PATH_FILTERS
+ value: "my-module-1,my-module-2,env-*"
+ - name: DIFF_URL_FORMAT
+ value: "https://github.com/org/repo/commit/%s"
+ - name: git-sync
+ env:
+ - name: GIT_SYNC_REPO
+ value: "git@github.com:org/repo.git"
From b55203b141acf8f95ee1e88228b323295a245265 Mon Sep 17 00:00:00 2001
From: Rob Best
Date: Thu, 10 Oct 2019 16:29:41 +0100
Subject: [PATCH 2/3] remove placeholder env vars from base
GIT_SYNC_REPO, DIFF_URL_FORMAT and REPO_PATH are completely specific to a given deployment, so just ommit them, rather than using a bogus value
---
manifests/base/terraform-applier.yaml | 6 ------
1 file changed, 6 deletions(-)
diff --git a/manifests/base/terraform-applier.yaml b/manifests/base/terraform-applier.yaml
index 3377660f..a7924a92 100644
--- a/manifests/base/terraform-applier.yaml
+++ b/manifests/base/terraform-applier.yaml
@@ -44,8 +44,6 @@ spec:
 runAsUser: 65533 # git-sync user
 runAsGroup: 0 # root group to read mounted Secrets
 env:
- - name: GIT_SYNC_REPO
- value: "git@github.com:org/repo.git"
 - name: GIT_SYNC_DEST
 value: "modules"
 - name: GIT_SYNC_SSH
@@ -67,10 +65,6 @@ spec:
 - name: terraform-applier
 image: quay.io/utilitywarehouse/terraform-applier:v0.1.0
 env:
- - name: DIFF_URL_FORMAT
- value: "https://github.com/org/repo/commit/%s"
- - name: REPO_PATH
- value: "/src/modules/exp-1-aws"
 volumeMounts:
 - name: git-repo
 mountPath: /src
From e42bf1028f138fd179b357b01290f007081dcb92 Mon Sep 17 00:00:00 2001
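Review bot: `AWS_ACCESS_KEY_ID` is written as a literal `value: AAAAAAAAAAAAAAAAAAAA` while `AWS_SECRET_ACCESS_KEY` comes from the `aws` Secret; sourcing the id from the same Secret (a second generator file entry, e.g. `aws-access-key-id=secrets/aws-access-key-id`, referenced via `secretKeyRef`) keeps the credential pair together and out of the rendered manifest, and the comment could point users to a pod identity mechanism instead of static keys where the cluster offers one. The first line of the comment above the AWS entries runs well past 120 columns and is cheap to rewrap. Because this is a strategic merge patch, `env` entries merge by `name`, which is why the `git-sync` stanza can add only `GIT_SYNC_REPO` without restating the base's variables; a short comment such as `# merged into the base container's env by name` would help readers unfamiliar with kustomize patch semantics.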
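Review bot: Removing `DIFF_URL_FORMAT` and `REPO_PATH` in the `@@ -67,10 +65,6 @@` hunk leaves the terraform-applier container with a bare `env:` key and no entries, which YAML parses as `null`; the API server and kustomize appear to tolerate a null list, but yamllint's `empty-values` rule flags it and a reader may take it for an unfinished edit. Either drop the `env:` line from the base (the example's strategic merge patch supplies the list) or write `env: []`. The preceding hunk is fine because git-sync still has entries under `env:`. The container spec continues outside the hunk.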
From: Rob Best
Date: Thu, 10 Oct 2019 16:33:04 +0100
Subject: [PATCH 3/3] remove v from image tag
---
manifests/base/terraform-applier.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/base/terraform-applier.yaml b/manifests/base/terraform-applier.yaml
index a7924a92..e69b8f7d 100644
--- a/manifests/base/terraform-applier.yaml
+++ b/manifests/base/terraform-applier.yaml
@@ -63,7 +63,7 @@ spec:
 cpu: 500m
 memory: 512Mi
 - name: terraform-applier
- image: quay.io/utilitywarehouse/terraform-applier:v0.1.0
+ image: quay.io/utilitywarehouse/terraform-applier:0.1.0
 env:
 volumeMounts:
 - name: git-repo