begin working on walkthrough for existing AKS clusters

.gitignore

@@ -37,3 +37,5 @@ test/helm-values
 
 # IDE
 .idea/
+
+**/values.secret.yaml

charts/runtime/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: runtime
 description: Sets up the basic dependencies needed to get a network stack running
 type: application
-version: 0.1.19
+version: 0.1.20
 appVersion: "0.1.0"
 dependencies:
 - name: external-dns

charts/runtime/templates/helmrepositories.yaml

@@ -1,3 +1,4 @@
+{{ if .Values.flux.enabled }}
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
@@ -21,3 +22,4 @@ metadata:
 spec:
   interval: 5m0s
   url: https://fluxcd-community.github.io/helm-charts
+{{ end }}

existing/terraform/azure/externaldns.tf

@@ -0,0 +1,27 @@
+data "azurerm_resource_group" "group" {
+  name = var.resource_group
+}
+
+data "azurerm_dns_zone" "zone" {
+  name = var.dns_zone_name
+  resource_group_name = data.azurerm_resource_group.group.name
+}
+
+resource "azurerm_user_assigned_identity" "externaldns" {
+  resource_group_name = data.azurerm_resource_group.group.name
+  location            = data.azurerm_resource_group.group.location
+
+  name = "${var.cluster_name}-externaldns"
+}
+
+resource "azurerm_role_assignment" "rg-reader" {
+  scope                = data.azurerm_resource_group.group.id
+  role_definition_name = "Reader"
+  principal_id         = azurerm_user_assigned_identity.externaldns.principal_id
+}
+
+resource "azurerm_role_assignment" "dns-contributor" {
+  scope                = data.azurerm_dns_zone.zone.id
+  role_definition_name = "Contributor"
+  principal_id         = azurerm_user_assigned_identity.externaldns.principal_id
+}

existing/terraform/azure/outputs.tf

@@ -0,0 +1,3 @@
+output "externaldns_client_id" {
+    value = azurerm_user_assigned_identity.externaldns.client_id
+}

existing/terraform/azure/variables.tf

@@ -4,4 +4,8 @@ variable "cluster_name" {
 
 variable "resource_group" {
   type = string
+}
+
+variable "dns_zone_name" {
+  type = string
 }

existing/terraform/azure/workload_identity.tf

@@ -0,0 +1,22 @@
+data "azurerm_kubernetes_cluster" "cluster" {
+    name = var.cluster_name
+    resource_group_name = var.resource_group
+}
+
+resource "azurerm_federated_identity_credential" "externaldns" {
+  name                = "fc-externaldns"
+  resource_group_name = var.resource_group
+  audience            = ["api://AzureADTokenExchange"]
+  issuer              = data.azurerm_kubernetes_cluster.cluster.oidc_issuer_url
+  parent_id           = azurerm_user_assigned_identity.externaldns.id
+  subject             = "system:serviceaccount:externaldns:externaldns"
+}
+
+resource "azurerm_federated_identity_credential" "certmanager" {
+  name                = "fc-cert-manager"
+  resource_group_name = var.resource_group
+  audience            = ["api://AzureADTokenExchange"]
+  issuer              = data.azurerm_kubernetes_cluster.cluster.oidc_issuer_url
+  parent_id           = azurerm_user_assigned_identity.externaldns.id
+  subject             = "system:serviceaccount:cert-manager:cert-manager"
+}

existing/test/azure/cluster.tf

@@ -0,0 +1,13 @@
+module "mgmt" {
+  source = "../../../terraform/clouds/azure"
+
+  cluster_name = "plural-existing-test"
+  network_name = "plural-existing-test"
+  location     = "eastus"
+  db_name      = "plural-existing-test" 
+
+  postgres_dns_zone = "plrl-test.postgres.database.azure.com"
+  network_link_name = "plrl-test.postgres.com"
+
+  workload_identity_enabled = true
+}

existing/test/azure/externaldns.tf

@@ -0,0 +1,8 @@
+module "externaldns" {
+    source = "../../terraform/azure"
+    cluster_name = module.mgmt.cluster.aks_name
+    resource_group = "plural"
+    dns_zone_name = "az.plural.sh"
+
+    depends_on = [ module.mgmt.cluster, module.mgmt.db_url ]
+}

existing/test/azure/outputs.tf

@@ -0,0 +1,8 @@
+output "identity_client_id" {
+  value = module.externaldns.externaldns_client_id
+}
+
+output "db_url" {
+  value = module.mgmt.db_url
+  sensitive = true
+}