Merge pull request #10 from Smana/refacto/private_gateway

refactor(gapi): private gateway

clusters/mycluster-0/flux-config.yaml

@@ -15,11 +15,8 @@ spec:
     substitute:
       domain_name: "cloud.ogenki.io"
     substituteFrom:
-      - kind: ConfigMap
-        name: eks-mycluster-0-vars
       - kind: Secret
         name: eks-mycluster-0-vars
-        optional: true
   dependsOn:
     - name: crds
   healthChecks:

clusters/mycluster-0/infrastructure.yaml

@@ -13,11 +13,8 @@ spec:
     name: flux-system
   postBuild:
     substituteFrom:
-      - kind: ConfigMap
-        name: eks-mycluster-0-vars
       - kind: Secret
         name: eks-mycluster-0-vars
-        optional: true
   healthChecks:
     - apiVersion: helm.toolkit.fluxcd.io/v1beta1
       kind: HelmRelease
@@ -40,11 +37,8 @@ spec:
     name: flux-system
   postBuild:
     substituteFrom:
-      - kind: ConfigMap
-        name: eks-mycluster-0-vars
       - kind: Secret
         name: eks-mycluster-0-vars
-        optional: true
   dependsOn:
     - name: crossplane-controller
 ---
@@ -62,11 +56,8 @@ spec:
     name: flux-system
   postBuild:
     substituteFrom:
-      - kind: ConfigMap
-        name: eks-mycluster-0-vars
       - kind: Secret
         name: eks-mycluster-0-vars
-        optional: true
   dependsOn:
     - name: crossplane-providers
 ---
@@ -84,11 +75,8 @@ spec:
     substitute:
       domain_name: "cloud.ogenki.io"
     substituteFrom:
-      - kind: ConfigMap
-        name: eks-mycluster-0-vars
       - kind: Secret
         name: eks-mycluster-0-vars
-        optional: true
   sourceRef:
     kind: GitRepository
     name: flux-system

clusters/mycluster-0/observability.yaml

@@ -15,13 +15,11 @@ spec:
     substitute:
       domain_name: "cloud.ogenki.io"
     substituteFrom:
-      - kind: ConfigMap
-        name: eks-mycluster-0-vars
       - kind: Secret
         name: eks-mycluster-0-vars
-        optional: true
   dependsOn:
     - name: crds
+    - name: security
   healthChecks:
     - apiVersion: helm.toolkit.fluxcd.io/v1beta1
       kind: HelmRelease
@@ -31,3 +29,7 @@ spec:
       kind: HelmRelease
       name: loki
       namespace: observability
+    - apiVersion: helm.toolkit.fluxcd.io/v1beta1
+      kind: HelmRelease
+      name: vector-agent
+      namespace: observability

clusters/mycluster-0/security.yaml

@@ -14,11 +14,8 @@ spec:
     substitute:
       domain_name: "cloud.ogenki.io"
     substituteFrom:
-      - kind: ConfigMap
-        name: eks-mycluster-0-vars
       - kind: Secret
         name: eks-mycluster-0-vars
-        optional: true
   dependsOn:
     - name: crds
   healthChecks:

flux-config/base/weave-gitops/httproute.yaml

@@ -4,7 +4,7 @@ metadata:
   name: weave-gitops
 spec:
   parentRefs:
-    - name: platform
+    - name: platform-private
       namespace: infrastructure
   hostnames:
     - "gitops-${cluster_name}.priv.${domain_name}"

infrastructure/base/crossplane/controller/release.yaml

@@ -11,7 +11,7 @@ spec:
         kind: HelmRepository
         name: crossplane
         namespace: crossplane-system
-      version: "1.13.2"
+      version: "1.14.0"
   interval: 10m0s
   install:
     remediation:

infrastructure/base/crossplane/providers/provider-iam.yaml

@@ -3,6 +3,6 @@ kind: Provider
 metadata:
   name: provider-aws-iam
 spec:
-  package: xpkg.upbound.io/upbound/provider-aws-iam:v0.42.0
+  package: xpkg.upbound.io/upbound/provider-aws-iam:v0.43.1
   controllerConfigRef:
     name: aws-config

infrastructure/base/crossplane/providers/provider-s3.yaml

@@ -3,6 +3,6 @@ kind: Provider
 metadata:
   name: provider-aws-s3
 spec:
-  package: xpkg.upbound.io/upbound/provider-aws-s3:v0.42.0
+  package: xpkg.upbound.io/upbound/provider-aws-s3:v0.43.1
   controllerConfigRef:
     name: aws-config

infrastructure/base/gapi/kustomization.yaml

@@ -3,4 +3,5 @@ kind: Kustomization
 namespace: infrastructure
 
 resources:
-  - platform-gateway.yaml
+  - platform-private-gateway.yaml
+  - platform-public-gateway.yaml

infrastructure/base/gapi/platform-gateway.yaml → infrastructure/base/gapi/platform-private-gateway.yaml

@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: Gateway
 metadata:
-  name: platform
+  name: platform-private
   annotations:
     cert-manager.io/cluster-issuer: private-ca
 spec:
@@ -24,4 +24,4 @@ spec:
       tls:
         mode: Terminate
         certificateRefs:
-          - name: platform-tls
+          - name: platform-private-tls

infrastructure/base/gapi/platform-public-gateway.yaml

@@ -0,0 +1,26 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: platform-public
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  gatewayClassName: cilium
+  listeners:
+    - name: http
+      hostname: "*.${domain_name}"
+      port: 443
+      protocol: HTTPS
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - observability
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: platform-public-tls

observability/base/kube-prometheus-stack/grafana-dashboards/kubernetes_logs.json

@@ -137,7 +137,7 @@
             },
             "targets": [
                 {
-                    "expr": "sum(count_over_time({namespace=~\"$namespace\", node_name=~\"$node_name\", pod_owner=~\"$pod_owner\", pod_name=~\"$pod_name\", container_name=~\"$container_name\"} |= \"$query\" [$__interval]))",
+                    "expr": "sum(count_over_time({namespace=~\"$namespace\", node_name=~\"$node_name\", pod_owner=~\"$pod_owner\", pod_name=~\"$pod_name\", container_name=~\"$container_name\", stream=\"$stream\"} |= \"$query\" [$__interval]))",
                     "instant": false,
                     "legendFormat": "Log count",
                     "range": true,
@@ -168,7 +168,7 @@
             },
             "targets": [
                 {
-                    "expr": "{namespace=~\"$namespace\", node_name=~\"$node_name\", pod_owner=~\"$pod_owner\", pod_name=~\"$pod_name\", container_name=~\"$container_name\"} |= \"$query\"",
+                    "expr": "{namespace=~\"$namespace\", node_name=~\"$node_name\", pod_owner=~\"$pod_owner\", pod_name=~\"$pod_name\", container_name=~\"$container_name\", stream=~\"$stream\"} |= \"$query\"",
                     "refId": "A"
                 }
             ],
@@ -330,6 +330,36 @@
                 "skipUrlSync": false,
                 "sort": 1,
                 "type": "query"
+            },
+            {
+                "allValue": ".+",
+                "current": {
+                    "selected": true,
+                    "text": [
+                        "All"
+                    ],
+                    "value": [
+                        "$__all"
+                    ]
+                },
+                "datasource": "${DS_LOKI}",
+                "definition": "",
+                "hide": 0,
+                "includeAll": true,
+                "label": "stream",
+                "multi": false,
+                "name": "stream",
+                "options": [],
+                "query": {
+                    "label": "stream",
+                    "stream": "",
+                    "type": 1
+                },
+                "refresh": 1,
+                "regex": "",
+                "skipUrlSync": false,
+                "sort": 1,
+                "type": "query"
             }
         ]
     },

observability/base/kube-prometheus-stack/helmrelease.yaml

@@ -11,7 +11,7 @@ spec:
         kind: HelmRepository
         name: prometheus-community
         namespace: flux-system
-      version: "51.0.3"
+      version: "52.1.0"
   interval: 10m0s
   timeout: 30m
   install:

observability/base/kube-prometheus-stack/httproute.yaml

@@ -4,7 +4,7 @@ metadata:
   name: grafana
 spec:
   parentRefs:
-    - name: platform
+    - name: platform-private
       namespace: infrastructure
   hostnames:
     - "grafana-${cluster_name}.priv.${domain_name}"

observability/base/loki/helmrelease.yaml

@@ -39,3 +39,8 @@ spec:
           s3ForcePathStyle: true
           insecure: false
           sse_encryption: false
+    # We already use Vector for logs collection
+    monitoring:
+      selfMonitoring:
+        grafanaAgent:
+          installOperator: false

observability/base/vector-agent/helmrelease.yaml

@@ -18,7 +18,6 @@ spec:
     remediation:
       retries: 3
   values:
-    # fullnameOverride -- Override the full name of resources.
     fullnameOverride: "vector-agent"
     role: "Agent"
     customConfig:
@@ -63,6 +62,8 @@ spec:
               {{ print "{{ kubernetes.pod_node_name }}" }}
             container_name: |-
               {{ print "{{ kubernetes.container_name }}" }}
+            stream: |-
+              {{ print "{{ stream }}" }}
             cluster_name: "${cluster_name}"
 
     # Configure a PodMonitor for Vector, requires the PodMonitor CRD to be installed.

security/mycluster-0/kustomization.yaml

@@ -5,4 +5,5 @@ resources:
   - ../base/kyverno
   - ../base/cert-manager
   - external-secrets
-  - platform-gw-clusterpolicy.yaml
+  - platform-public-gw-clusterpolicy.yaml
+  - platform-private-gw-clusterpolicy.yaml

security/mycluster-0/platform-gw-clusterpolicy.yaml → security/mycluster-0/platform-private-gw-clusterpolicy.yaml

@@ -1,12 +1,12 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: mutate-cilium-platform-gateway
+  name: mutate-cilium-platform-private-gateway
   annotations:
-    policies.kyverno.io/title: Mutate shared gateway
+    policies.kyverno.io/title: Mutate private shared gateway
     policies.kyverno.io/severity: medium
     policies.kyverno.io/description: >-
-      We need to mutate the shared gateway service in order to configure the AWS LB.
+      We need to mutate the private shared gateway service in order to configure the AWS LB.
 spec:
   rules:
     - name: mutate-svc-annotations
@@ -17,7 +17,7 @@ spec:
                 - Service
               namespaces:
                 - infrastructure
-              name: cilium-gateway-platform
+              name: cilium-gateway-platform-private
       mutate:
         patchStrategicMerge:
           metadata:

security/mycluster-0/platform-public-gw-clusterpolicy.yaml

@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: mutate-cilium-platform-public-gateway
+  annotations:
+    policies.kyverno.io/title: Mutate Vector Cloudwatch Gateway
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      We need to mutate the public shared gateway service in order to configure the AWS LB.
+spec:
+  rules:
+    - name: mutate-svc-annotations
+      match:
+        any:
+          - resources:
+              kinds:
+                - Service
+              namespaces:
+                - infrastructure
+              name: cilium-gateway-platform-public
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              external-dns.alpha.kubernetes.io/hostname: vector-cloudwatch-${cluster_name}.${domain_name}
+              service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+              service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+          spec:
+            loadBalancerClass: service.k8s.aws/nlb

taskfile.yaml

@@ -18,6 +18,7 @@ tasks:
   pre-commit:
     deps: [clean]
     cmds:
+      - defer: { task: clean }
       - |
         USERID=$(id -u)
         GROUPID=$(id -g)

terraform/eks/data.tf

@@ -1,5 +1,8 @@
 data "aws_caller_identity" "this" {}
 
+# tflint-ignore: terraform_unused_declarations
+data "aws_ecr_authorization_token" "token" {}
+
 data "aws_vpc" "selected" {
   filter {
     name   = "tag:project"

terraform/eks/flux.tf

@@ -19,7 +19,8 @@ resource "flux_bootstrap_git" "this" {
   ]
 }
 
-resource "kubernetes_config_map" "flux_clusters_vars" {
+# Write secret items in order to use them as variables with flux's variables substitions
+resource "kubernetes_secret" "flux_clusters_vars" {
   metadata {
     name      = "eks-${var.cluster_name}-vars"
     namespace = "flux-system"
@@ -37,18 +38,3 @@ resource "kubernetes_config_map" "flux_clusters_vars" {
   }
   depends_on = [flux_bootstrap_git.this]
 }
-
-# Write Github secrets in order to use them as variables with flux's variables substitions
-resource "kubernetes_secret" "flux_github_creds" {
-  metadata {
-    name      = "flux-github-creds"
-    namespace = "flux-system"
-  }
-
-  data = {
-    github_owner      = var.github_owner
-    github_token      = var.github_token
-    github_repository = var.github_repository
-  }
-  depends_on = [flux_bootstrap_git.this]
-}