diff --git a/setup/catalogs.yaml b/setup/catalogs.yaml new file mode 100644 index 0000000..fe9fed3 --- /dev/null +++ b/setup/catalogs.yaml @@ -0,0 +1,18 @@ +apiVersion: deployments.plural.sh/v1alpha1 +kind: ServiceDeployment +metadata: + name: catalogs + namespace: infra +spec: + namespace: catalogs + git: + folder: setup + ref: main + repositoryRef: + kind: GitRepository + namespace: infra + name: scaffolds + clusterRef: + kind: Cluster + name: mgmt + namespace: infra \ No newline at end of file diff --git a/setup/notifications.yaml b/setup/notifications.yaml new file mode 100644 index 0000000..4d6a5f4 --- /dev/null +++ b/setup/notifications.yaml @@ -0,0 +1,22 @@ +apiVersion: deployments.plural.sh/v1alpha1 +kind: NotificationRouter +metadata: + name: deployments +spec: + events: + - stack.run + - pr.create + - pr.close + sinks: + - name: plural + namespace: infra +--- +apiVersion: deployments.plural.sh/v1alpha1 +kind: NotificationSink +metadata: + name: plural +spec: + type: PLURAL + name: plural + bindings: + - groupName: general diff --git a/setup/pr-automation/cluster-creator.yaml b/setup/pr-automation/cluster-creator.yaml index 16420ff..c08078e 100644 --- a/setup/pr-automation/cluster-creator.yaml +++ b/setup/pr-automation/cluster-creator.yaml @@ -18,7 +18,7 @@ spec: destination: "bootstrap/clusters.yaml" external: false scmConnectionRef: - name: github # you'll need to add this ScmConnection manually before this is functional + name: plural # you'll need to add this ScmConnection manually before this is functional title: "Adding {{ context.cloud }} cluster: {{ context.name }}" message: "Adding {{ context.cloud }} cluster {{ context.name }} and registering it with Plural" identifier: [[ .Identifier ]] # REPLACEME with your own repo slug diff --git a/setup/pr-automation/gatekeeper-setup.yaml b/setup/pr-automation/gatekeeper-setup.yaml deleted file mode 100644 index a952611..0000000 --- a/setup/pr-automation/gatekeeper-setup.yaml +++ /dev/null 
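Review bot: The NotificationRouter's `sinks` entry points at `namespace: infra`, but the NotificationSink in the second document of this hunk sets only `metadata.name: plural` with no namespace, so the reference only resolves if the file happens to be applied into `infra`. Add `  namespace: infra` under the sink's `metadata` so the two documents agree however the file is applied. The router subscribes to `stack.run`, `pr.create` and `pr.close` and delivers to the `general` group binding, and nothing says who is expected to be in that group; a comment above `bindings` such as `# members of the "general" group receive every stack.run and PR event routed here` would make the audience of these events explicit.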
@@ -1,28 +0,0 @@ -apiVersion: deployments.plural.sh/v1alpha1 -kind: PrAutomation -metadata: - name: gatekeeper-setup -spec: - name: gatekeeper-setup - documentation: | - Sets up OPA gatekeeper and installs a pre-baked policy bundle - creates: - templates: - - source: resources/policy/services - destination: "bootstrap/policy" - external: false - scmConnectionRef: - name: github # you'll need to add this ScmConnection manually before this is functional - title: "Setup OPA gatekeeper and install the {{ context.bundle }} policy bundle" - message: "Setup OPA gatekeeper and install the {{ context.bundle }} policy bundle" - identifier: [[ .Identifier ]] # REPLACEME with your own repo slug - configuration: - - name: bundle - type: ENUM - values: - - asm-policy-v0.0.1 - - cis-k8s-v1.5.1 - - policy-essentials-v2022 - - psp-v2022 - - pss-baseline-v2022 - documentation: A policy bundle you'd like to install \ No newline at end of file diff --git a/setup/pr-automation/prometheus/prom-agent-creator.yaml b/setup/pr-automation/prometheus/prom-agent-creator.yaml deleted file mode 100644 index eb452c8..0000000 --- a/setup/pr-automation/prometheus/prom-agent-creator.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: deployments.plural.sh/v1alpha1 -kind: PrAutomation -metadata: - name: metrics-agent-creator -spec: - name: metrics-agent-creator - documentation: | - Sets up a victoria metrics agent for shipping metrics, pairs with `prom-creator` - creates: - templates: - - source: resources/monitoring/helm - destination: "helm/monitoring" - external: false - - source: resources/monitoring/mgmt.yaml - destination: "bootstrap/monitoring/mgmt.yaml" - external: false - scmConnectionRef: - name: github # you'll need to add this ScmConnection manually before this is functional - title: "Setup prometheus agent for metrics shipping" - message: "Setup prometheus agent for metrics shipping" - identifier: [[ .Identifier ]] # REPLACEME with your own repo slug - configuration: - - name: cluster - type: STRING - documentation: CRD name for this cluster, use `mgmt` to place it in the management cluster - - name: host - type: STRING - documentation: the FQDN of your victoria metrics prometheus instance - - name: tagName - type: STRING - documentation: The cluster tag name you want to use to control the global service for installation of prometheus agent - - name: tagValue - type: STRING - documentation: The cluster tag value you want to use to control the global service for installation of prometheus agent diff --git a/setup/pr-automation/prometheus/prom-creator.yaml b/setup/pr-automation/prometheus/prom-creator.yaml deleted file mode 100644 index 1dc1533..0000000 --- a/setup/pr-automation/prometheus/prom-creator.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: deployments.plural.sh/v1alpha1 -kind: PrAutomation -metadata: - name: prom-creator -spec: - name: prom-creator - documentation: | - Sets up a victoria metrics prometheus instance for metrics storage, pairs with prom-agent-creator to ship metrics from workload clusters - creates: - templates: - - source: resources/monitoring/helm - destination: "helm/monitoring" - external: false - - source: resources/monitoring/mgmt.yaml - destination: "bootstrap/monitoring/mgmt.yaml" - external: false - scmConnectionRef: - name: github # you'll need to add this ScmConnection manually before this is functional - title: "Setup a prometheus cluster for fleetwide metrics" - message: "Setup a prometheus cluster for fleetwide metrics in {{ context.cluster }}" - identifier: [[ .Identifier ]] # REPLACEME with your own repo slug - configuration: - - name: cluster - type: STRING - documentation: CRD name for this cluster, use `mgmt` to place it in the management cluster - - name: host - type: STRING - documentation: the FQDN you want victoria metrics prometheus to be hosted on, you'll need external-dns and cert manager already configured diff --git a/setup/pr-automation/scm.yaml b/setup/pr-automation/scm.yaml index ed8d5ed..20da15b 100644 --- a/setup/pr-automation/scm.yaml +++ b/setup/pr-automation/scm.yaml @@ -1,8 +1,8 @@ -# You will need to manually create the github scm connection this refers to +# You will need to manually create the SCM connection this refers to in the Plural Console UI # apiVersion: deployments.plural.sh/v1alpha1 # kind: ScmConnection # metadata: -# name: github +# name: plural # spec: -# name: github +# name: plural # type: GITHUB \ No newline at end of file diff --git a/setup/settings.yaml b/setup/settings.yaml index 0427af7..e25bc29 100644 --- a/setup/settings.yaml +++ b/setup/settings.yaml 
@@ -4,6 +4,8 @@ metadata: name: global namespace: plrl-deploy-operator spec: + managementRepo: [[ .Identifier ]] + stacks: jobSpec: namespace: plrl-deploy-operator diff --git a/setup/stacks/core-infra.yaml b/setup/stacks/core-infra.yaml new file mode 100644 index 0000000..84763c9 --- /dev/null +++ b/setup/stacks/core-infra.yaml @@ -0,0 +1,23 @@ +apiVersion: deployments.plural.sh/v1alpha1 +kind: InfrastructureStack +metadata: + name: core-infra +spec: + name: core-infra + detach: false + type: TERRAFORM + approval: true + manageState: true + actor: console@plural.sh + repositoryRef: + name: infra + namespace: infra + clusterRef: + name: mgmt + namespace: infra + variables: + region: [[ .Region ]] + cluster_name: [[ .Cluster ]] + git: + ref: main + folder: terraform/core-infra \ No newline at end of file diff --git a/setup/stacks/mgmt.yaml b/setup/stacks/mgmt.yaml new file mode 100644 index 0000000..b0895e4 --- /dev/null +++ b/setup/stacks/mgmt.yaml @@ -0,0 +1,22 @@ +apiVersion: deployments.plural.sh/v1alpha1 +kind: InfrastructureStack +metadata: + name: mgmt +spec: + name: mgmt + detach: false + type: TERRAFORM + approval: true + manageState: false + actor: console@plural.sh + repositoryRef: + name: infra + namespace: infra + clusterRef: + name: mgmt + namespace: infra + variables: + use_cli: false + git: + ref: main + folder: terraform/mgmt \ No newline at end of file diff --git a/templates/clusters/stack.yaml b/templates/clusters/stack.yaml index fa5a894..cadcd77 100644 --- a/templates/clusters/stack.yaml +++ b/templates/clusters/stack.yaml 
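Review bot: `folder: terraform/core-infra` points this InfrastructureStack at the parent directory, while the Terraform this commit adds lives in the cloud-specific subdirectories `terraform/core-infra/aws`, `terraform/core-infra/azure` and `terraform/core-infra/gcp`; unless something else populates the parent, the stack would run against a folder that holds only a README and no root module. If the subdirectory is meant to be chosen per cloud, the folder needs a template placeholder the way `region: [[ .Region ]]` and `cluster_name: [[ .Cluster ]]` already do; otherwise pin the path to one subdirectory. `approval: true` together with `manageState: true` is a sensible default for the root that creates the `plrl/clusters/mgmt` service context, and a one-line comment above `approval:` recording that shared-infrastructure plans are gated on a human would document the choice.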
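Review bot: `detach: false` on the stack that manages the management cluster itself is the riskiest setting in this file: if, as the field name suggests, a non-detached stack is deleted from the Console when its CR is removed, an accidental `kubectl delete` of this InfrastructureStack could tear down the cluster the Console runs on; please confirm the operator's semantics and consider `detach: true` here, or at least a comment above it recording the decision. `use_cli: false` pairs with `actor: console@plural.sh` and with the `use_cli` variable the bootstrap templates gain in this commit, but that dependency is invisible from this file; a comment such as `# use_cli: false — the plural provider presumably authenticates as the stack actor instead of the local CLI` would link the two. `manageState: false` here versus `manageState: true` in `setup/stacks/core-infra.yaml` is presumably deliberate (bootstrap state already lives in a backend) and also deserves a one-line comment.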
@@ -17,13 +17,10 @@ spec: clusterRef: name: mgmt namespace: infra + variables: + cluster: {{ context.name }} + fleet: {{ context.fleet }} + tier: {{ context.tier }} git: ref: main - folder: terraform/modules/clusters/{{ context.cloud }} - environment: - - name: TF_VAR_cluster - value: {{ context.name }} - - name: TF_VAR_fleet - value: {{ context.fleet }} - - name: TF_VAR_tier - value: {{ context.tier }} \ No newline at end of file + folder: terraform/modules/clusters/{{ context.cloud }} \ No newline at end of file diff --git a/templates/providers/bootstrap/aws.tf b/templates/providers/bootstrap/aws.tf index 8e54639..9adebe4 100644 --- a/templates/providers/bootstrap/aws.tf +++ b/templates/providers/bootstrap/aws.tf @@ -42,13 +42,17 @@ provider "aws" { data "aws_eks_cluster" "cluster" { name = module.mgmt.cluster.cluster_name + # BEGIN REMOVE depends_on = [ module.mgmt.cluster ] + # END REMOVE } data "aws_eks_cluster_auth" "cluster" { name = module.mgmt.cluster.cluster_name + # BEGIN REMOVE depends_on = [ module.mgmt.cluster ] + # END REMOVE } provider "kubernetes" { @@ -66,7 +70,7 @@ provider "helm" { } provider "plural" { - use_cli = true # If you want to have a Plural stack manage your console, comment this out and use the `actor` field + use_cli = var.use_cli # If you want to have a Plural stack manage your console, comment this out and use the `actor` field } ## useful outputs dumped here, can be moved to a separate file post-generate @@ -76,4 +80,9 @@ output "cloudwatch_iam_arn" { output "vpc_id" { value = module.mgmt.vpc.vpc_id +} + +variable "use_cli" { + type = bool + default = true } \ No newline at end of file diff --git a/templates/providers/bootstrap/azure.tf b/templates/providers/bootstrap/azure.tf index 503f66d..99935a8 100644 --- a/templates/providers/bootstrap/azure.tf +++ b/templates/providers/bootstrap/azure.tf 
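Review bot: The three new `variables` values are unquoted template expansions, `cluster: {{ context.name }}`, `fleet: {{ context.fleet }}`, `tier: {{ context.tier }}`, so the rendered text is typed by the YAML parser as whatever it looks like: a tier of `1` becomes an integer, a fleet named `no` or `on` becomes a boolean, and an empty context value becomes `null`. The removed `TF_VAR_*` entries had the same exposure, so this rewrite is a good moment to close it: quote the rendered values, `cluster: "{{ context.name }}"` and likewise for `fleet` and `tier`, so they stay strings regardless of content. The `spec` mapping these keys belong to starts above the hunk.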
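Review bot: The `# BEGIN REMOVE` / `# END REMOVE` markers wrapped around the two `depends_on = [ module.mgmt.cluster ]` lines say nothing about who removes the block or when, so a reader of the rendered `aws.tf` cannot tell whether they are meant for a post-generate script, for the person running the bootstrap, or for the stack that later adopts the file. A short explanation on the first marker, for example `# BEGIN REMOVE -- delete this depends_on after the first apply; it only orders the initial cluster creation`, would make the marker actionable, assuming that is indeed the reason (the hunk does not say). The same marker pair appears in both `data` blocks of this hunk.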
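Review bot: The trailing comment on `use_cli = var.use_cli` is now stale: it still says to "comment this out and use the `actor` field", but after this change the switch is the new `use_cli` variable (declared in the third hunk and set to `false` by `setup/stacks/mgmt.yaml`), and commenting the line out would merely reinstate the provider default. Replace it with `use_cli = var.use_cli # set var.use_cli = false (e.g. from the mgmt stack's variables) when a Plural stack, not the local CLI, manages the console`. The identical stale comment is introduced in `templates/providers/bootstrap/azure.tf`, `gcp.tf` and `linode.tf`. Style-wise, `variable "use_cli"` is appended to the bottom of the providers file after the outputs in all four templates; moving it to the template's variables file, or at least giving it a `description`, keeps the inputs discoverable in one place.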
@@ -69,5 +69,10 @@ provider "helm" { } provider "plural" { - use_cli = true # If you want to have a Plural stack manage your console, comment this out and use the `actor` field + use_cli = var.use_cli # If you want to have a Plural stack manage your console, comment this out and use the `actor` field +} + +variable "use_cli" { + type = bool + default = true } \ No newline at end of file diff --git a/templates/providers/bootstrap/gcp.tf b/templates/providers/bootstrap/gcp.tf index fd04858..57b3864 100644 --- a/templates/providers/bootstrap/gcp.tf +++ b/templates/providers/bootstrap/gcp.tf @@ -43,5 +43,10 @@ provider "helm" { } provider "plural" { - use_cli = true # If you want to have a Plural stack manage your console, comment this out and use the `actor` field + use_cli = var.use_cli # If you want to have a Plural stack manage your console, comment this out and use the `actor` field +} + +variable "use_cli" { + type = bool + default = true } \ No newline at end of file diff --git a/templates/providers/bootstrap/linode.tf b/templates/providers/bootstrap/linode.tf index 3c39178..27c402e 100644 --- a/templates/providers/bootstrap/linode.tf +++ b/templates/providers/bootstrap/linode.tf @@ -52,5 +52,10 @@ provider "helm" { } provider "plural" { - use_cli = true # If you want to have a Plural stack manage your console, comment this out and use the `actor` field + use_cli = var.use_cli # If you want to have a Plural stack manage your console, comment this out and use the `actor` field +} + +variable "use_cli" { + type = bool + default = true } \ No newline at end of file diff --git a/terraform/clouds/aws/eks.tf b/terraform/clouds/aws/eks.tf index 005caf1..8b69523 100644 --- a/terraform/clouds/aws/eks.tf +++ b/terraform/clouds/aws/eks.tf 
@@ -1,6 +1,23 @@ +data "aws_caller_identity" "current" {} + +data "aws_iam_session_context" "current" { + # This data source provides information on the IAM source role of an STS assumed role + # For non-role ARNs, this data source simply passes the ARN through issuer ARN + # Ref https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2327#issuecomment-1355581682 + # Ref https://github.com/hashicorp/terraform-provider-aws/issues/28381 + arn = data.aws_caller_identity.current.arn +} + +data "aws_partition" "current" {} + +locals { + cluster_admin_policy = "arn:${data.aws_partition.current.partition}:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + stacks_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${var.cluster_name}-plrl-stacks" +} + module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.0" + version = "~> 20.0" cluster_name = var.cluster_name cluster_version = var.kubernetes_version @@ -13,6 +30,30 @@ module "eks" { create_kms_key = true + # You'll need to set this to false to allow Plural stacks to manage this cluster + enable_cluster_creator_admin_permissions = true + + access_entries = { + stacks = { + principal_arn = local.stacks_arn + type = "STANDARD" + + policy_associations = { + admin = { + policy_arn = local.cluster_admin_policy + access_scope = { + type = "cluster" + } + } + } + } + } + + kms_key_administrators = concat([ + # UNCOMMENT local.stacks_arn, + data.aws_iam_session_context.current.issuer_arn + ], var.additional_kms_administrators) + # EKS Managed Node Group(s) eks_managed_node_group_defaults = merge(var.node_group_defaults, {ami_release_version = data.aws_ssm_parameter.eks_ami_release_version.value}) diff --git a/terraform/clouds/aws/variables.tf b/terraform/clouds/aws/variables.tf index 4521891..237d223 100644 --- a/terraform/clouds/aws/variables.tf +++ b/terraform/clouds/aws/variables.tf 
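Review bot: `local.stacks_arn` builds the stack-runner role ARN from a naming convention, `role/${var.cluster_name}-plrl-stacks`, and nothing in the hunk creates or validates that role, so the access entry in the second hunk will reference a principal that may not exist yet; a comment naming the Terraform or process that creates the role would tell the reader where the dependency lives, e.g. `# principal the Plural stacks runner assumes; must exist before the access_entries below can be created`. The module constraint moves from `~> 19.0` to `~> 20.0`, a major bump; v20 of terraform-aws-modules/eks reworks how cluster authentication is managed (the access-entry inputs used in the next hunk replace the older aws-auth handling), so clusters already bootstrapped from the v19 template need the module's upgrade path rather than a plain apply, and a note to that effect above `version` would help. `data "aws_iam_session_context"` is well commented; the same standard applied to the `locals` block would be welcome.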
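Review bot: This hunk grants the `*-plrl-stacks` role `AmazonEKSClusterAdminPolicy` at `cluster` scope, i.e. full Kubernetes admin, and the commented `# UNCOMMENT local.stacks_arn,` would additionally make it an administrator of the cluster's KMS key; that is the expected footprint for an automation that runs Terraform against the cluster, but it should be stated, e.g. `# the stacks runner gets cluster-admin plus (once uncommented) KMS admin; narrow access_entries/kms_key_* if those duties are split`. The comment on `enable_cluster_creator_admin_permissions = true` tells the operator to flip it to `false` without saying why or what they lose: once it is `false`, the identity that ran the bootstrap (`data.aws_iam_session_context.current.issuer_arn`) keeps KMS administration via `kms_key_administrators` but loses its cluster access entry, so anyone relying on it should add themselves to `access_entries` first to avoid a lockout; presumably the flip is needed because the module rejects a principal that is both the creator and listed in `access_entries` — confirm and record it in the comment. `# UNCOMMENT local.stacks_arn,` buried inside the `concat([...])` list is easy to miss as an instruction; a line above `kms_key_administrators` such as `# uncomment local.stacks_arn below once the stacks role manages this cluster` is more discoverable.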
@@ -106,4 +106,9 @@ variable "create_cloudwatch_log_group" { variable "monitoring_role" { type = string default = "" +} + +variable "additional_kms_administrators" { + type = list(string) + default = [ ] } \ No newline at end of file diff --git a/terraform/core-infra/aws/README.md b/terraform/core-infra/aws/README.md new file mode 100644 index 0000000..c388335 --- /dev/null +++ b/terraform/core-infra/aws/README.md @@ -0,0 +1,4 @@ +# this can be used for provisioning any base infrastructure for your environment, a couple of common usecases: +# * setting up multi-cluster networks +# * setting up dns zones, subdomains, etc +# * configuring Cloud IAM throughout your environment \ No newline at end of file diff --git a/terraform/core-infra/aws/context.tf b/terraform/core-infra/aws/context.tf new file mode 100644 index 0000000..edf3db9 --- /dev/null +++ b/terraform/core-infra/aws/context.tf @@ -0,0 +1,17 @@ +data "aws_eks_cluster" "mgmt" { + name = var.cluster_name +} + +data "aws_vpc" "mgmt" { + id = one(data.aws_eks_cluster.mgmt.vpc_config).vpc_id +} + +resource "plural_service_context" "mgmt" { + name = "plrl/clusters/mgmt" + configuration = jsonencode({ + cluster_name = var.cluster_name + vpc_id = one(data.aws_eks_cluster.mgmt.vpc_config).vpc_id + subnet_ids = one(data.aws_eks_cluster.mgmt.vpc_config).subnet_ids + vpc_cidr = data.aws_vpc.mgmt.cidr_block + }) +} \ No newline at end of file diff --git a/terraform/core-infra/aws/variables.tf b/terraform/core-infra/aws/variables.tf new file mode 100644 index 0000000..13ae710 --- /dev/null +++ b/terraform/core-infra/aws/variables.tf @@ -0,0 +1,8 @@ +variable "region" { + type = string + default = "us-east-2" +} + +variable "cluster_name" { + type = string +} \ No newline at end of file diff --git a/terraform/core-infra/aws/versions.tf b/terraform/core-infra/aws/versions.tf new file mode 100644 index 0000000..327b76d --- /dev/null +++ b/terraform/core-infra/aws/versions.tf 
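Review bot: `additional_kms_administrators` has no `description`, yet every ARN placed in it becomes an administrator of the EKS secrets-encryption KMS key through `kms_key_administrators` in `terraform/clouds/aws/eks.tf`; a reader scanning the variables should see that, e.g. `description = "Extra IAM principal ARNs granted administrator rights on the cluster's KMS key; each can change the key policy, so keep this list short."`. Minor style: `default = [ ]` with inner spaces is unusual; `default = []` is what `terraform fmt` emits. The existing variables in this file lack descriptions too, but the privilege this one confers justifies starting here.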
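Review bot: `configuration = jsonencode({ ... })` here (and in `terraform/core-infra/gcp/context.tf`) passes a JSON string, while `terraform/modules/clusters/aws/context.tf` and `terraform/modules/clusters/gcp/context.tf` pass a bare object with list-valued members such as `subnet_ids = concat(...)`; unless the `plural_service_context` schema accepts both shapes, one pair of files will fail at plan time. Pick the form the provider documents for `configuration` and use it in all four files. `one(data.aws_eks_cluster.mgmt.vpc_config).vpc_id` is evaluated twice; `data.aws_vpc.mgmt.id` already holds the same value and reusing it in the context makes the dependency on the VPC lookup explicit.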
@@ -0,0 +1,21 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+
+ plural = {
+ source = "pluralsh/plural"
+ version = ">= 0.2.9"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.region
+}
+
+
+provider "plural" { }
\ No newline at end of file
diff --git a/terraform/core-infra/azure/README.md b/terraform/core-infra/azure/README.md
new file mode 100644
index 0000000..c388335
--- /dev/null
+++ b/terraform/core-infra/azure/README.md
@@ -0,0 +1,4 @@
+# this can be used for provisioning any base infrastructure for your environment, a couple of common usecases:
+# * setting up multi-cluster networks
+# * setting up dns zones, subdomains, etc
+# * configuring Cloud IAM throughout your environment
\ No newline at end of file
diff --git a/terraform/core-infra/azure/context.tf b/terraform/core-infra/azure/context.tf
new file mode 100644
index 0000000..e69de29
diff --git a/terraform/core-infra/azure/variables.tf b/terraform/core-infra/azure/variables.tf
new file mode 100644
index 0000000..f0bf816
--- /dev/null
+++ b/terraform/core-infra/azure/variables.tf
@@ -0,0 +1,8 @@
+variable "region" {
+ type = string
+ default = "us-east-2"
+}
+
+variable "cluster_name" {
+ type = string
+}
\ No newline at end of file
diff --git a/terraform/core-infra/azure/versions.tf b/terraform/core-infra/azure/versions.tf
new file mode 100644
index 0000000..903cbe5
--- /dev/null
+++ b/terraform/core-infra/azure/versions.tf
@@ -0,0 +1,24 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">=3.51.0, < 4.0"
+ }
+ plural = {
+ source = "pluralsh/plural"
+ version = ">= 0.2.9"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false
+ }
+ }
+}
+
+provider "plural" { }
\ No newline at end of file
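Review bot: `required_providers.aws` carries no `version` constraint while `plural` is pinned to `>= 0.2.9`, so a fresh `terraform init` in this core-infra root pulls whatever the newest hashicorp/aws release is, including a future major with breaking schema changes; an upper-bounded constraint next to `source`, e.g. `version = "~> 5.0"` (substitute the major the bootstrap templates were tested with), keeps this root on the same provider line as the rest of the repository. `terraform/core-infra/gcp/versions.tf` has the same gap for hashicorp/google; `terraform/core-infra/azure/versions.tf` does bound azurerm. `provider "plural" { }` is empty; a comment stating where its credentials come from (stack environment or local CLI) would save the next reader a trip to the provider docs.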
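Review bot: `variable "region"` defaults to `"us-east-2"`, an AWS region name that is not a valid Azure location, so the default here is a copy of `terraform/core-infra/aws/variables.tf` rather than something this root can use; `terraform/core-infra/gcp/variables.tf` has the same default, and there it feeds `location = var.region` in `data "google_container_cluster"`, which will not resolve. Either drop the default so the stack's `region: [[ .Region ]]` variable must supply it, or use a cloud-appropriate value and add a `description` naming the expected format (Azure location versus GCP region). The Azure `context.tf` added in this commit is an empty file, so this root currently declares `cluster_name` without reading it.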
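Review bot: `prevent_deletion_if_contains_resources = false` switches off the azurerm guard that stops a resource group from being destroyed while it still holds resources, including ones created outside this state, so a `terraform destroy` from this root can remove everything in the group; a setting with that blast radius should be visible and justified. Add a comment above it such as `# allows destroy of resource groups that still contain unmanaged resources; keep the provider default (true) unless this root owns every resource in its groups`, or leave the default and handle the one group that needs it explicitly.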
diff --git a/terraform/core-infra/gcp/README.md b/terraform/core-infra/gcp/README.md
new file mode 100644
index 0000000..c388335
--- /dev/null
+++ b/terraform/core-infra/gcp/README.md
@@ -0,0 +1,4 @@
+# this can be used for provisioning any base infrastructure for your environment, a couple of common usecases:
+# * setting up multi-cluster networks
+# * setting up dns zones, subdomains, etc
+# * configuring Cloud IAM throughout your environment
\ No newline at end of file
diff --git a/terraform/core-infra/gcp/context.tf b/terraform/core-infra/gcp/context.tf
new file mode 100644
index 0000000..dea95cc
--- /dev/null
+++ b/terraform/core-infra/gcp/context.tf
@@ -0,0 +1,22 @@
+data "google_container_cluster" "mgmt" {
+ name = var.cluster_name
+ location = var.region
+}
+
+data "google_compute_network" "network" {
+ name = data.google_container_cluster.mgmt.network
+}
+
+data "google_compute_subnetwork" "subnetwork" {
+ name = data.google_container_cluster.mgmt.subnetwork
+}
+
+resource "plural_service_context" "mgmt" {
+ name = "plrl/clusters/mgmt"
+ configuration = jsonencode({
+ cluster_name = var.cluster_name
+ network = data.google_container_cluster.mgmt.network
+ subnetwork = data.google_container_cluster.mgmt.subnetwork
+ cidr = data.google_compute_subnetwork.ip_cidr_range
+ })
+}
\ No newline at end of file
diff --git a/terraform/core-infra/gcp/variables.tf b/terraform/core-infra/gcp/variables.tf
new file mode 100644
index 0000000..13ae710
--- /dev/null
+++ b/terraform/core-infra/gcp/variables.tf
@@ -0,0 +1,8 @@
+variable "region" {
+ type = string
+ default = "us-east-2"
+}
+
+variable "cluster_name" {
+ type = string
+}
\ No newline at end of file
diff --git a/terraform/core-infra/gcp/versions.tf b/terraform/core-infra/gcp/versions.tf
new file mode 100644
index 0000000..9ce1e08
--- /dev/null
+++ b/terraform/core-infra/gcp/versions.tf
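Review bot: `cidr = data.google_compute_subnetwork.ip_cidr_range` references a data source named `ip_cidr_range` that does not exist; the block above is `data "google_compute_subnetwork" "subnetwork"`, so the line must read `cidr = data.google_compute_subnetwork.subnetwork.ip_cidr_range`, otherwise `terraform plan` fails on an undeclared resource. `data "google_compute_network" "network"` is declared but never read; either drop it or publish something from it in the context. Both lookups take `name` from the cluster's `network`/`subnetwork` attributes, which may come back as full resource paths rather than bare names, and the subnetwork lookup relies on the provider-level `region`; worth confirming against a real cluster before anything depends on this context.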
@@ -0,0 +1,21 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ plural = {
+ source = "pluralsh/plural"
+ version = ">= 0.2.9"
+ }
+ }
+}
+
+provider "google" {
+ region = var.region
+}
+
+data "google_client_config" "default" {}
+
+provider "plural" { }
\ No newline at end of file
diff --git a/terraform/modules/clusters/aws/context.tf b/terraform/modules/clusters/aws/context.tf
new file mode 100644
index 0000000..80c0382
--- /dev/null
+++ b/terraform/modules/clusters/aws/context.tf
@@ -0,0 +1,11 @@
+resource "plural_service_context" "mgmt" {
+ name = "plrl/clusters/${var.cluster_name}"
+ configuration = {
+ cluster_name = var.cluster_name
+ vpc_id = module.vpc.vpc_id
+ subnet_ids = concat(module.vpc.public_subnets, module.vpc.private_subnets)
+ private_subnets = module.vpc.private_subnets
+ public_subnets = module.vpc.public_subnets
+ vpc_cidr = var.vpc_cidr
+ }
+}
\ No newline at end of file
diff --git a/terraform/modules/clusters/gcp/context.tf b/terraform/modules/clusters/gcp/context.tf
new file mode 100644
index 0000000..c11c0b2
--- /dev/null
+++ b/terraform/modules/clusters/gcp/context.tf
@@ -0,0 +1,10 @@
+resource "plural_service_context" "mgmt" {
+ name = "plrl/clusters/${var.cluster_name}"
+
+ configuration = {
+ cluster_name = var.cluster_name
+ network = module.gcp-network.network_name
+ subnetwork = module.gcp-network.subnets_names[0]
+ cidr = var.subnet_cidr
+ }
+}
\ No newline at end of file
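Review bot: `subnetwork = module.gcp-network.subnets_names[0]` hard-codes the first subnet with no comment on why index 0 is the right one or what happens when the network module is configured with several; a comment like `# the network module creates one subnet per cluster; index 0 is that subnet` would pin the assumption, or `one(module.gcp-network.subnets_names)` would fail loudly the day it stops holding. Both new module-level contexts, this file and `terraform/modules/clusters/aws/context.tf`, label the resource `"mgmt"` even though `name = "plrl/clusters/${var.cluster_name}"` is per workload cluster; a label such as `"cluster"` avoids confusing it with the `plrl/clusters/mgmt` context created under `terraform/core-infra`.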