feat(flux): add github webhook receiver
timtorChen committed Jun 8, 2024
1 parent f1532c6 commit d7e5db0
Showing 10 changed files with 149 additions and 79 deletions.
File renamed without changes.
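--- a/kubernetes/flux-system/app/receiver.yaml
+++ b/kubernetes/flux-system/app/receiver.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+namespace: flux-system
+name: homelab
+spec:
+type: github
+events:
+- "ping"
+- "push"
+secretRef:
+name: webhook-token
+resources:
+- apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+name: homelab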
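Review bot: The `secretRef: name: webhook-token` line has an undocumented ordering dependency — that Secret is not declared anywhere in the repo but is synced from SSM by the SecretProviderClass in app/secret.yaml, and with the Secrets Store CSI driver that sync presumably only happens while a pod (the notification-controller volume mount in app/release.yaml) has the CSI volume mounted. If the HelmRelease fails or the mount is removed, the Receiver silently loses its token and GitHub deliveries start failing signature verification with no hint in this file. A comment above `secretRef:` such as `# synced from SSM /kubernetes/flux-system/webhook-token via app/secret.yaml; exists only while notification-controller mounts the CSI volume (see app/release.yaml)` would make the coupling visible to whoever touches either side.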
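--- a/kubernetes/flux-system/app/release.yaml
+++ b/kubernetes/flux-system/app/release.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+namespace: flux-system
+name: flux2
+spec:
+chart:
+spec:
+sourceRef:
+kind: HelmRepository
+name: fluxcd-community
+chart: flux2
+version: 2.13.0
+install:
+crds: CreateReplace
+upgrade:
+crds: CreateReplace
+interval: 1h
+maxHistory: 1
+timeout: 1m0s
+values:
+installCRDs: true
+policies:
+create: false
+notificationController:
+serviceAccount:
+create: true
+automount: true
+annotations:
+eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-notification-controller
+eks.amazonaws.com/audience: sts.amazonaws.com
+volumes:
+- name: &n webhook-token
+csi:
+driver: secrets-store.csi.k8s.io
+readOnly: true
+volumeAttributes:
+secretProviderClass: *n
+volumeMounts:
+- name: *n
+mountPath: /secret
+readOnly: true
+webhookReceiver:
+ingress:
+create: true
+ingressClassName: nginx
+hosts:
+- host: flux.timtor.dev
+paths:
+- path: /
+pathType: ImplementationSpecific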
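Review bot: The `webhookReceiver.ingress` block publishes the receiver on `flux.timtor.dev` with no `tls:` entry and with `path: /`, so unless the nginx controller or the chart adds TLS elsewhere, GitHub deliveries arrive over plaintext; the HMAC signature still protects integrity, but the hook URL Flux derives from the token travels in the clear. The notification-controller only serves webhooks under `/hook/` as far as I can tell, so narrowing the rule to `path: /hook/` with `pathType: Prefix` and adding a `tls:` entry for the host (certificate secret name to be supplied) limits what is reachable from the internet. If the ingress controller supports it, an allow-list annotation restricting the source to GitHub's published webhook ranges (for ingress-nginx, `nginx.ingress.kubernetes.io/whitelist-source-range`) is a cheap second layer. Separately, the `&n` anchor is the only alias use in these manifests; a descriptive name such as `&webhook_token` reads better than `&n`.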
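--- a/kubernetes/flux-system/app/repo.yaml
+++ b/kubernetes/flux-system/app/repo.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+namespace: flux-system
+name: fluxcd-community
+spec:
+url: https://fluxcd-community.github.io/helm-charts
+interval: 24h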
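--- a/kubernetes/flux-system/app/secret.yaml
+++ b/kubernetes/flux-system/app/secret.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+namespace: flux-system
+name: &name webhook-token
+spec:
+provider: aws
+parameters:
+region: us-west-2
+objects: |
+- objectType: ssmparameter
+objectName: /kubernetes/flux-system/webhook-token
+jmesPath:
+- path: TOKEN
+objectAlias: TOKEN
+secretObjects:
+- secretName: *name
+type: Opaque
+data:
+- key: token
+objectName: TOKEN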
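Review bot: `region: us-west-2` is hard-coded here while the IAM policy in terraform/aws-kubernetes-irsa.tf scopes `ssm:GetParameters` to `arn:aws:ssm:${data.aws_region.main.name}:…`; if the Terraform region ever differs from this value the provider will be denied and the mount fails, which is worth a comment such as `# must match the region the Terraform aws_region data source resolves to`. The `jmesPath` entry implies the SSM parameter value is a JSON object with a `TOKEN` key rather than a bare string — presumably intentional, but a one-line comment on `objects:` stating the expected parameter shape would save the next person a failed mount. Note also that `secretObjects` materialises the token as an `Opaque` Secret in flux-system, so it is readable by anything with `get secrets` in that namespace; that is required by the Receiver's `secretRef`, but `# synced into a K8s Secret because Flux Receiver reads secretRef, not the mounted file` records why the sync exists.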
File renamed without changes.
32 changes: 0 additions & 32 deletions kubernetes/flux-system/flux2.yaml

This file was deleted.

9 changes: 6 additions & 3 deletions kubernetes/flux-system/kustomization.yaml
Expand Up @@ -2,6 +2,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- _namespace.yaml
- flux2.yaml
- boostrap.yaml
- base/ns.yaml
- app/repo.yaml
- app/release.yaml
- app/boostrap.yaml
- app/receiver.yaml
- app/secret.yaml
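Review bot: `app/boostrap.yaml` looks like a misspelling of `bootstrap`, carried over from the old `boostrap.yaml` entry by the rename in this commit; since the file is being moved anyway, renaming it to `app/bootstrap.yaml` here avoids a second rename later. The rest of the list matches the added files, so this is style only.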
44 changes: 0 additions & 44 deletions terraform/aws-iam.tf.template

This file was deleted.

43 changes: 43 additions & 0 deletions terraform/aws-kubernetes-irsa.tf
@@ -1,3 +1,46 @@
resource "aws_iam_role" "notification-controller" {
name = "${local.project}-notification-controller"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Federated" : "${aws_iam_openid_connect_provider.kubernetes-oidc.arn}"
},
"Action" : "sts:AssumeRoleWithWebIdentity",
"Condition" : {
"StringEquals" : {
"${aws_iam_openid_connect_provider.kubernetes-oidc.url}:sub" : "system:serviceaccount:flux-system:notification-controller",
"${aws_iam_openid_connect_provider.kubernetes-oidc.url}:aud" : "sts.amazonaws.com"
}
}
}
]
})
}

resource "aws_iam_policy" "notification-controller" {
name = "${local.project}-notification-controller"
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Action" : "ssm:GetParameters",
"Effect" : "Allow",
"Resource" : [
"arn:aws:ssm:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:parameter/kubernetes/flux-system/webhook-token"
]
}
]
})
}

resource "aws_iam_role_policy_attachment" "notification-controller" {
role = aws_iam_role.notification-controller.name
policy_arn = aws_iam_policy.notification-controller.arn
}

resource "aws_iam_role" "cert-manager" {
name = "${local.project}-cert-manager"
assume_role_policy = jsonencode({
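Review bot: The `StringEquals` condition keys in `aws_iam_role.notification-controller` are built from `aws_iam_openid_connect_provider.kubernetes-oidc.url` verbatim; if that attribute carries the `https://` scheme (as it normally does for an OIDC provider), the resulting key `https://…:sub` will never match and the role cannot be assumed — the usual form is `"${replace(aws_iam_openid_connect_provider.kubernetes-oidc.url, "https://", "")}:sub"`, so please confirm against the provider definition, which is outside this hunk. In `aws_iam_policy.notification-controller`, `ssm:GetParameters` is sufficient for a String or AWS-managed-key SecureString parameter, but a SecureString encrypted with a customer-managed KMS key also needs `kms:Decrypt` on that key; a comment stating which kind `/kubernetes/flux-system/webhook-token` is would pin the assumption. Style: `"Federated" : "${aws_iam_openid_connect_provider.kubernetes-oidc.arn}"` is an interpolation-only string and reads cleaner as `"Federated" : aws_iam_openid_connect_provider.kubernetes-oidc.arn`. The `cert-manager` role at the end of the hunk continues past it.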
