split cert manager/flux installation from runtime chart

pluralsh · Jan 5, 2024 · 58d920f · 58d920f
1 parent 151e9e7
commit 58d920f
Show file tree

Hide file tree

Showing 10 changed files with 187 additions and 14 deletions.
diff --git a/apps/services/runtime.yaml b/apps/services/runtime.yaml
@@ -1,3 +1,58 @@
+
+apiVersion: deployments.plural.sh/v1alpha1
+kind: ServiceDeployment
+metadata:
+  name: cert-manager
+  namespace: infra
+spec:
+  namespace: cert-manager
+  git:
+    folder: helm-values
+    ref: main
+  repositoryRef:
+    kind: GitRepository
+    name: infra
+    namespace: infra
+  helm:
+    version: "v1.13.3"
+    chart: cert-manager
+    valuesFiles:
+    - certmanager.yaml
+    repository:
+      namespace: plural-runtime
+      name: cert-manager
+  clusterRef:
+    kind: Cluster
+    name: mgmt
+    namespace: infra
+---
+apiVersion: deployments.plural.sh/v1alpha1
+kind: ServiceDeployment
+metadata:
+  name: flux
+  namespace: infra
+spec:
+  namespace: flux
+  git:
+    folder: helm-values
+    ref: main
+  repositoryRef:
+    kind: GitRepository
+    name: infra
+    namespace: infra
+  helm:
+    version: "2.12.2"
+    chart: flux2
+    valuesFiles:
+    - flux.yaml
+    repository:
+      namespace: plural-runtime
+      name: flux
+  clusterRef:
+    kind: Cluster
+    name: mgmt
+    namespace: infra
+---
 apiVersion: deployments.plural.sh/v1alpha1
 kind: ServiceDeployment
 metadata:

diff --git a/charts/runtime/Chart.yaml b/charts/runtime/Chart.yaml
@@ -26,4 +26,5 @@ dependencies:
   condition: ingress-nginx-private.enabled
 - name: flux2
   repository: https://fluxcd-community.github.io/helm-charts
-  version: 2.12.2
+  version: 2.12.2
+  condition: flux2.enabled
diff --git a/charts/runtime/templates/clusterissuers.yaml b/charts/runtime/templates/clusterissuers.yaml
@@ -0,0 +1,50 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: {{ .Values.ownerEmail }}
+    server: {{ .Values.letsencryptServer }}
+    privateKeySecretRef:
+      name: letsencryt-prod-key
+    solvers:
+    - http01:
+        ingress:
+          ingressClassName: nginx
+{{ if and .Values.acmeEAB.kid .Values.dnsSolver }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: plural
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: {{ .Values.ownerEmail }}
+    server: {{ .Values.acmeServer }}
+    {{ if .Values.acmeEAB.kid }}
+    externalAccountBinding:
+      keyID: {{ .Values.acmeEAB.kid }}
+      keySecretRef:
+        name: acme-eab-secret
+        key: eab-secret
+      keyAlgorithm: HS256
+    {{ end }}
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: cert-manager-key
+    # Add a single challenge solver, dns01, configured using the appropriate cloud dns setup
+    solvers:
+    - dns01:
+      {{ .Values.dnsSolver | toYaml | nindent 8 }}
+{{ end }}
diff --git a/charts/runtime/templates/helmrepositories.yaml b/charts/runtime/templates/helmrepositories.yaml
@@ -2,8 +2,6 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
   name: bitnami
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
 spec:
   interval: 5m0s
   type: oci
@@ -13,8 +11,22 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
   name: flagger
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
 spec:
   interval: 5m0s
   url: https://flagger.app
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: cert-manager
+spec:
+  interval: 5m0s
+  url: https://charts.jetstack.io
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: flux
+spec:
+  interval: 5m0s
+  url: https://fluxcd-community.github.io/helm-charts
diff --git a/charts/runtime/templates/operator-cm.yaml b/charts/runtime/templates/operator-cm.yaml
@@ -2,17 +2,13 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: plural-operator-selfsigned-issuer
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
 spec:
   selfSigned: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: plural-operator-serving-cert
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
 spec:
   dnsNames:
   - plural-operator-webhook-service.{{ .Release.Namespace }}.svc

diff --git a/charts/runtime/templates/operator.yaml b/charts/runtime/templates/operator.yaml
@@ -2,8 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: plural-operator
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
   labels:
     control-plane: plural-operator
     {{- include "runtime.labels" . | nindent 4 }}

diff --git a/charts/runtime/values.yaml b/charts/runtime/values.yaml
@@ -45,7 +45,7 @@ dnsSolver:
 acmeEAB: {}
 
 cert-manager:
-  enabled: true
+  enabled: false
   installCRDs: true
   serviceAccount:
     name: cert-manager
@@ -210,6 +210,7 @@ ingress-nginx-private:
         enabled: false
 
 flux2:
+  enabled: false
   helmController:
     create: false
   imageAutomationController:

diff --git a/helm/certmanager.yaml b/helm/certmanager.yaml
@@ -0,0 +1,6 @@
+installCRDs: true
+serviceAccount:
+  name: cert-manager
+securityContext:
+  fsGroup: 1000
+  runAsNonRoot: true
diff --git a/helm/flux.yaml b/helm/flux.yaml
@@ -0,0 +1,14 @@
+helmController:
+  create: false
+imageAutomationController:
+  create: false
+imageReflectionController:
+  create: false
+kustomizeController:
+  create: false
+notificationController:
+  create: false
+sourceController:
+  create: true
+policies:
+  create: false
diff --git a/templates/setup/console.tf b/templates/setup/console.tf
@@ -1,3 +1,43 @@
+data "local_sensitive_file" "certmanager" {
+  filename = "${path.module}/../helm-values/certmanager.yaml"
+}
+
+resource "helm_release" "certmanager" {
+  name             = "cert-manager"
+  namespace        = "cert-manager"
+  chart            = "cert-manager"
+  repository       = "https://charts.jetstack.io"
+  version          = "v1.13.3"
+  create_namespace = true
+  timeout          = 300
+  wait             = true
+  values           = [
+    data.local_sensitive_file.certmanager.content
+  ]
+
+  depends_on = [ module.mgmt.cluster ]
+}
+
+data "local_sensitive_file" "flux" {
+  filename = "${path.module}/../helm-values/flux.yaml"
+}
+
+resource "helm_release" "flux" {
+  name             = "flux"
+  namespace        = "flux"
+  chart            = "flux"
+  repository       = "https://fluxcd-community.github.io/helm-charts"
+  version          = "2.12.2"
+  create_namespace = true
+  timeout          = 300
+  wait             = false
+  values           = [
+    data.local_sensitive_file.flux.content
+  ]
+
+  depends_on = [ module.mgmt.cluster ]
+}
+
 data "local_sensitive_file" "runtime" {
   filename = "${path.module}/../helm-values/runtime.yaml"
 }
@@ -7,15 +47,15 @@ resource "helm_release" "runtime" {
   namespace        = "plural-runtime"
   chart            = "runtime"
   repository       = "https://pluralsh.github.io/bootstrap"
-  version          = "0.1.10"
+  version          = "0.1.11"
   create_namespace = true
   timeout          = 300
   wait             = false
   values           = [
     data.local_sensitive_file.console.content
   ]
 
-  depends_on = [ module.mgmt.cluster ]
+  depends_on = [ module.mgmt.cluster, helm_release.certmanager, helm_release.flux ]
 }
 
 resource "null_resource" "console" {