feat- gitlab/github container reg for aws; cloudflare dns for aws (#536)

feat: * cloudflare dns for aws * Flagged aws ecr, so we default to the git provider container registry but allow people to choose ecr fix: Civo creds fix * Cloud flare for aws as well as the secret lifecycle for the cloudflare credentials * significant transformation for bootstrapping aws clusters into the format we use for the other providers --------- Co-authored-by: Claywd <[email protected]>
konstructio · Jul 26, 2023 · 5d7c8a7 · 5d7c8a7
1 parent 4677ef1
commit 5d7c8a7
Show file tree

Hide file tree

Showing 74 changed files with 582 additions and 461 deletions.
diff --git a/aws-github/cluster-types/mgmt/components/argocd/argocd-ui-ingress.yaml b/aws-github/cluster-types/mgmt/components/argocd/argocd-ui-ingress.yaml
@@ -14,17 +14,17 @@ metadata:
     nginx.ingress.kubernetes.io/backend-protocol: 'HTTPS'
 spec:
   rules:
-    - host: argocd.<DOMAIN_NAME>
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: argocd-server
-                port:
-                  name: https
+  - host: argocd.<DOMAIN_NAME>
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              name: https
   tls:
-    - hosts:
-        - argocd.<DOMAIN_NAME>
-      secretName: argocd-secret # do not change, this is provided by Argo CD
+  - hosts:
+    - argocd.<DOMAIN_NAME>
+    secretName: argocd-secret # do not change, this is provided by Argo CD
diff --git a/aws-github/cluster-types/mgmt/components/cert-issuers/clusterissuers.yaml b/aws-github/cluster-types/mgmt/components/cert-issuers/clusterissuers.yaml
@@ -9,9 +9,9 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-staging
     solvers:
-      - http01:
-          ingress:
-            class: nginx
+    - http01:
+        ingress:
+          class: nginx
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
@@ -24,6 +24,6 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-prod
     solvers:
-      - http01:
-          ingress:
-            class: nginx
+    - http01:
+        ingress:
+          class: nginx
diff --git a/aws-github/cluster-types/mgmt/components/development/metaphor/values.yaml b/aws-github/cluster-types/mgmt/components/development/metaphor/values.yaml
@@ -7,14 +7,14 @@ metaphor:
     annotations:
       cert-manager.io/cluster-issuer: 'letsencrypt-prod'
     hosts:
-      - host: metaphor-development.<DOMAIN_NAME>
-        paths:
-          - path: /
-            pathType: Prefix
+    - host: metaphor-development.<DOMAIN_NAME>
+      paths:
+      - path: /
+        pathType: Prefix
     tls:
-      - secretName: metaphor-tls
-        hosts:
-          - metaphor-development.<DOMAIN_NAME>
+    - secretName: metaphor-tls
+      hosts:
+      - metaphor-development.<DOMAIN_NAME>
   metaphor:
     host: https://metaphor-development.<DOMAIN_NAME>/api
     console: https://kubefirst.<DOMAIN_NAME>
diff --git a/aws-github/cluster-types/mgmt/components/external-dns/application.yaml b/aws-github/cluster-types/mgmt/components/external-dns/application.yaml
@@ -13,13 +13,25 @@ spec:
     helm:
       releaseName: external-dns
       values: |
+        image:
+          repository: registry.k8s.io/external-dns/external-dns
+          tag: "v0.13.2"
         serviceAccount:
           create: true
           name: external-dns
           annotations:
             eks.amazonaws.com/role-arn: 'arn:aws:iam::<AWS_ACCOUNT_ID>:role/external-dns-<CLUSTER_NAME>'
+        provider: <EXTERNAL_DNS_PROVIDER_NAME>
+        sources:
+        - ingress
         domainFilters:
           - <DOMAIN_NAME>
+        env:
+        - name: <EXTERNAL_DNS_PROVIDER_TOKEN_ENV_NAME>
+          valueFrom:
+            secretKeyRef:
+              name: <EXTERNAL_DNS_PROVIDER_SECRET_NAME>
+              key: <EXTERNAL_DNS_PROVIDER_SECRET_KEY>
     chart: external-dns
   destination:
     server: https://kubernetes.default.svc

diff --git a/aws-github/cluster-types/mgmt/components/production/metaphor/values.yaml b/aws-github/cluster-types/mgmt/components/production/metaphor/values.yaml
@@ -7,14 +7,14 @@ metaphor:
     annotations:
       cert-manager.io/cluster-issuer: 'letsencrypt-prod'
     hosts:
-      - host: metaphor-production.<DOMAIN_NAME>
-        paths:
-          - path: /
-            pathType: Prefix
+    - host: metaphor-production.<DOMAIN_NAME>
+      paths:
+      - path: /
+        pathType: Prefix
     tls:
-      - secretName: metaphor-tls
-        hosts:
-          - metaphor-production.<DOMAIN_NAME>
+    - secretName: metaphor-tls
+      hosts:
+      - metaphor-production.<DOMAIN_NAME>
   metaphor:
     host: https://metaphor-production.<DOMAIN_NAME>/api
     console: https://kubefirst.<DOMAIN_NAME>

diff --git a/aws-github/cluster-types/mgmt/components/staging/metaphor/values.yaml b/aws-github/cluster-types/mgmt/components/staging/metaphor/values.yaml
@@ -7,14 +7,14 @@ metaphor:
     annotations:
       cert-manager.io/cluster-issuer: 'letsencrypt-prod'
     hosts:
-      - host: metaphor-staging.<DOMAIN_NAME>
-        paths:
-          - path: /
-            pathType: Prefix
+    - host: metaphor-staging.<DOMAIN_NAME>
+      paths:
+      - path: /
+        pathType: Prefix
     tls:
-      - secretName: metaphor-tls
-        hosts:
-          - metaphor-staging.<DOMAIN_NAME>
+    - secretName: metaphor-tls
+      hosts:
+      - metaphor-staging.<DOMAIN_NAME>
   metaphor:
     host: https://metaphor-staging.<DOMAIN_NAME>/api
     console: https://kubefirst.<DOMAIN_NAME>

diff --git a/aws-github/terraform/vault/secrets.tf b/aws-github/terraform/vault/secrets.tf
@@ -98,6 +98,18 @@ resource "vault_generic_secret" "ci_secrets" {
   depends_on = [vault_mount.secret]
 }
 
+resource "vault_generic_secret" "external_dns_secrets" {
+  path = "secret/external-dns"
+
+  data_json = jsonencode(
+    {
+      <EXTERNAL_DNS_PROVIDER_NAME>-token = var.<EXTERNAL_DNS_PROVIDER_NAME>_secret,
+    }
+  )
+
+  depends_on = [vault_mount.secret]
+}
+
 resource "vault_generic_secret" "atlantis_secrets" {
   path = "secret/atlantis"
 

diff --git a/aws-github/terraform/vault/variables.tf b/aws-github/terraform/vault/variables.tf
@@ -2,6 +2,11 @@ locals {
   cluster_name = "<CLUSTER_NAME>"
 }
 
+variable "<EXTERNAL_DNS_PROVIDER_NAME>_secret" {
+  default = ""
+  type = string
+}
+
 variable "b64_docker_auth" {
   type = string
 }

diff --git a/aws-gitlab/cluster-types/mgmt/components/argocd/argocd-ui-ingress.yaml b/aws-gitlab/cluster-types/mgmt/components/argocd/argocd-ui-ingress.yaml
@@ -14,17 +14,17 @@ metadata:
     nginx.ingress.kubernetes.io/backend-protocol: 'HTTPS'
 spec:
   rules:
-    - host: argocd.<DOMAIN_NAME>
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: argocd-server
-                port:
-                  name: https
+  - host: argocd.<DOMAIN_NAME>
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              name: https
   tls:
-    - hosts:
-        - argocd.<DOMAIN_NAME>
-      secretName: argocd-secret # do not change, this is provided by Argo CD
+  - hosts:
+    - argocd.<DOMAIN_NAME>
+    secretName: argocd-secret # do not change, this is provided by Argo CD
diff --git a/aws-gitlab/cluster-types/mgmt/components/cert-issuers/clusterissuers.yaml b/aws-gitlab/cluster-types/mgmt/components/cert-issuers/clusterissuers.yaml
@@ -9,9 +9,9 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-staging
     solvers:
-      - http01:
-          ingress:
-            class: nginx
+    - http01:
+        ingress:
+          class: nginx
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
@@ -24,6 +24,6 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-prod
     solvers:
-      - http01:
-          ingress:
-            class: nginx
+    - http01:
+        ingress:
+          class: nginx
diff --git a/aws-gitlab/cluster-types/mgmt/components/development/metaphor/values.yaml b/aws-gitlab/cluster-types/mgmt/components/development/metaphor/values.yaml
@@ -7,14 +7,14 @@ metaphor:
     annotations:
       cert-manager.io/cluster-issuer: 'letsencrypt-prod'
     hosts:
-      - host: metaphor-development.<DOMAIN_NAME>
-        paths:
-          - path: /
-            pathType: Prefix
+    - host: metaphor-development.<DOMAIN_NAME>
+      paths:
+      - path: /
+        pathType: Prefix
     tls:
-      - secretName: metaphor-tls
-        hosts:
-          - metaphor-development.<DOMAIN_NAME>
+    - secretName: metaphor-tls
+      hosts:
+      - metaphor-development.<DOMAIN_NAME>
   metaphor:
     host: https://metaphor-development.<DOMAIN_NAME>/api
     console: https://kubefirst.<DOMAIN_NAME>
diff --git a/aws-gitlab/cluster-types/mgmt/components/external-dns/application.yaml b/aws-gitlab/cluster-types/mgmt/components/external-dns/application.yaml
@@ -13,13 +13,25 @@ spec:
     helm:
       releaseName: external-dns
       values: |
+        image:
+          repository: registry.k8s.io/external-dns/external-dns
+          tag: "v0.13.2"
         serviceAccount:
           create: true
           name: external-dns
           annotations:
             eks.amazonaws.com/role-arn: 'arn:aws:iam::<AWS_ACCOUNT_ID>:role/external-dns-<CLUSTER_NAME>'
+        provider: <EXTERNAL_DNS_PROVIDER_NAME>
+        sources:
+        - ingress
         domainFilters:
           - <DOMAIN_NAME>
+        env:
+        - name: <EXTERNAL_DNS_PROVIDER_TOKEN_ENV_NAME>
+          valueFrom:
+            secretKeyRef:
+              name: <EXTERNAL_DNS_PROVIDER_SECRET_NAME>
+              key: <EXTERNAL_DNS_PROVIDER_SECRET_KEY>
     chart: external-dns
   destination:
     server: https://kubernetes.default.svc

diff --git a/aws-gitlab/cluster-types/mgmt/components/production/metaphor/values.yaml b/aws-gitlab/cluster-types/mgmt/components/production/metaphor/values.yaml
@@ -7,14 +7,14 @@ metaphor:
     annotations:
       cert-manager.io/cluster-issuer: 'letsencrypt-prod'
     hosts:
-      - host: metaphor-production.<DOMAIN_NAME>
-        paths:
-          - path: /
-            pathType: Prefix
+    - host: metaphor-production.<DOMAIN_NAME>
+      paths:
+      - path: /
+        pathType: Prefix
     tls:
-      - secretName: metaphor-tls
-        hosts:
-          - metaphor-production.<DOMAIN_NAME>
+    - secretName: metaphor-tls
+      hosts:
+      - metaphor-production.<DOMAIN_NAME>
   metaphor:
     host: https://metaphor-production.<DOMAIN_NAME>/api
     console: https://kubefirst.<DOMAIN_NAME>

diff --git a/aws-gitlab/cluster-types/mgmt/components/staging/metaphor/values.yaml b/aws-gitlab/cluster-types/mgmt/components/staging/metaphor/values.yaml
@@ -7,14 +7,14 @@ metaphor:
     annotations:
       cert-manager.io/cluster-issuer: 'letsencrypt-prod'
     hosts:
-      - host: metaphor-staging.<DOMAIN_NAME>
-        paths:
-          - path: /
-            pathType: Prefix
+    - host: metaphor-staging.<DOMAIN_NAME>
+      paths:
+      - path: /
+        pathType: Prefix
     tls:
-      - secretName: metaphor-tls
-        hosts:
-          - metaphor-staging.<DOMAIN_NAME>
+    - secretName: metaphor-tls
+      hosts:
+      - metaphor-staging.<DOMAIN_NAME>
   metaphor:
     host: https://metaphor-staging.<DOMAIN_NAME>/api
     console: https://kubefirst.<DOMAIN_NAME>

diff --git a/aws-gitlab/terraform/vault/secrets.tf b/aws-gitlab/terraform/vault/secrets.tf
@@ -42,6 +42,17 @@ resource "vault_generic_secret" "container_registry_auth" {
   depends_on = [vault_mount.secret]
 }
 
+resource "vault_generic_secret" "external_dns_secrets" {
+  path = "secret/external-dns"
+
+  data_json = jsonencode(
+    {
+<EXTERNAL_DNS_PROVIDER_NAME>-token = var.<EXTERNAL_DNS_PROVIDER_NAME>_secret,    }
+  )
+
+  depends_on = [vault_mount.secret]
+}
+
 resource "vault_generic_secret" "development_metaphor" {
   path = "secret/development/metaphor"
   # note: these secrets are not actually sensitive.

diff --git a/aws-gitlab/terraform/vault/variables.tf b/aws-gitlab/terraform/vault/variables.tf
@@ -2,6 +2,11 @@ locals {
   cluster_name = "<CLUSTER_NAME>"
 }
 
+variable "<EXTERNAL_DNS_PROVIDER_NAME>_secret" {
+  default = ""
+  type = string
+}
+
 variable "b64_docker_auth" {
   type = string
 }
@@ -39,3 +44,8 @@ variable "vault_token" {
   default = ""
   type    = string
 }
+
+variable "container_registry_auth" {
+  default = ""
+  type = string
+}
diff --git a/civo-github/cluster-types/mgmt/components/argocd/argocd-ui-ingress.yaml b/civo-github/cluster-types/mgmt/components/argocd/argocd-ui-ingress.yaml
@@ -14,17 +14,17 @@ metadata:
     nginx.ingress.kubernetes.io/backend-protocol: 'HTTPS'
 spec:
   rules:
-    - host: argocd.<DOMAIN_NAME>
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: argocd-server
-                port:
-                  name: https
+  - host: argocd.<DOMAIN_NAME>
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              name: https
   tls:
-    - hosts:
-        - argocd.<DOMAIN_NAME>
-      secretName: argocd-secret # do not change, this is provided by Argo CD
+  - hosts:
+    - argocd.<DOMAIN_NAME>
+    secretName: argocd-secret # do not change, this is provided by Argo CD