diff --git a/kubernetes/flux-system/boostrap.yaml b/kubernetes/flux-system/app/boostrap.yaml
similarity index 100%
rename from kubernetes/flux-system/boostrap.yaml
rename to kubernetes/flux-system/app/boostrap.yaml
diff --git a/kubernetes/flux-system/app/receiver.yaml b/kubernetes/flux-system/app/receiver.yaml
new file mode 100644
index 00000000..016f5f30
--- /dev/null
+++ b/kubernetes/flux-system/app/receiver.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ namespace: flux-system
+ name: homelab
+spec:
+ type: github
+ events:
+ - "ping"
+ - "push"
+ secretRef:
+ name: webhook-token
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1
+ kind: GitRepository
+ name: homelab
diff --git a/kubernetes/flux-system/app/release.yaml b/kubernetes/flux-system/app/release.yaml
new file mode 100644
index 00000000..6565ea0c
--- /dev/null
+++ b/kubernetes/flux-system/app/release.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ namespace: flux-system
+ name: flux2
+spec:
+ chart:
+ spec:
+ sourceRef:
+ kind: HelmRepository
+ name: fluxcd-community
+ chart: flux2
+ version: 2.13.0
+ install:
+ crds: CreateReplace
+ upgrade:
+ crds: CreateReplace
+ interval: 1h
+ maxHistory: 1
+ timeout: 1m0s
+ values:
+ installCRDs: true
+ policies:
+ create: false
+ notificationController:
+ serviceAccount:
+ create: true
+ automount: true
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-notification-controller
+ eks.amazonaws.com/audience: sts.amazonaws.com
+ volumes:
+ - name: &n webhook-token
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: *n
+ volumeMounts:
+ - name: *n
+ mountPath: /secret
+ readOnly: true
+ webhookReceiver:
+ ingress:
+ create: true
+ ingressClassName: nginx
+ hosts:
+ - host: flux.timtor.dev
+ paths:
+ - path: /
+ pathType: ImplementationSpecific 
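Review bot: `secretRef.name: webhook-token` in receiver.yaml points at a Secret that no manifest in this directory creates directly; it only appears once the secrets-store CSI driver syncs it from the SecretProviderClass of the same name, and that sync is triggered by a pod mounting the matching volume, which here is the notification-controller configured in release.yaml. Until that mount exists the Receiver stays not-ready, which is easy to misread as a bad token. A comment above `secretRef:` along the lines of `# Secret is synced by the CSI driver from the webhook-token SecretProviderClass once notification-controller mounts it` would spare the next reader the chase. For the record, the Receiver reads the `token` key of that Secret, which matches the `key: token` entry under `secretObjects` in secret.yaml.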
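Review bot: The `webhookReceiver.ingress` block in release.yaml publishes the receiver on `flux.timtor.dev` with no `tls` stanza, so unless TLS is terminated in front of ingress-nginx the GitHub payload and its signature header travel in cleartext; if a certificate is attached elsewhere a comment saying so would help, otherwise add `tls:` with a `secretName` for that host. `policies.create: false` also drops the chart's default NetworkPolicies, which leaves the notification-controller's webhook port reachable from any pod rather than only via the ingress — worth a line explaining why that is acceptable here. The `eks.amazonaws.com/role-arn` annotation hard-codes `amethyst-notification-controller` while the Terraform in this same commit derives the role name from `local.project`; a comment tying the two together would prevent silent drift if that local changes. As a style point, the anchor `&n` would read better as something descriptive like `&webhook_token`, matching the `&name` used in secret.yaml.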
diff --git a/kubernetes/flux-system/app/repo.yaml b/kubernetes/flux-system/app/repo.yaml
new file mode 100644
index 00000000..34bf50d5
--- /dev/null
+++ b/kubernetes/flux-system/app/repo.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ namespace: flux-system
+ name: fluxcd-community
+spec:
+ url: https://fluxcd-community.github.io/helm-charts
+ interval: 24h
diff --git a/kubernetes/flux-system/app/secret.yaml b/kubernetes/flux-system/app/secret.yaml
new file mode 100644
index 00000000..1b13a41f
--- /dev/null
+++ b/kubernetes/flux-system/app/secret.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ namespace: flux-system
+ name: &name webhook-token
+spec:
+ provider: aws
+ parameters:
+ region: us-west-2
+ objects: |
+ - objectType: ssmparameter
+ objectName: /kubernetes/flux-system/webhook-token
+ jmesPath:
+ - path: TOKEN
+ objectAlias: TOKEN
+ secretObjects:
+ - secretName: *name
+ type: Opaque
+ data:
+ - key: token
+ objectName: TOKEN
diff --git a/kubernetes/flux-system/_namespace.yaml b/kubernetes/flux-system/base/ns.yaml
similarity index 100%
rename from kubernetes/flux-system/_namespace.yaml
rename to kubernetes/flux-system/base/ns.yaml
diff --git a/kubernetes/flux-system/flux2.yaml b/kubernetes/flux-system/flux2.yaml
deleted file mode 100644
index dd7d73cf..00000000
--- a/kubernetes/flux-system/flux2.yaml
+++ /dev/null 
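Review bot: The `objects: |` block in secret.yaml is YAML carried inside a string, so neither kustomize nor the API server validates it; a typo in `objectType` or `jmesPath` only surfaces later as a volume mount failure on the notification-controller pod. The `jmesPath` entry with `path: TOKEN` also implies that the SSM parameter `/kubernetes/flux-system/webhook-token` holds a JSON document with a `TOKEN` field rather than a bare string, which is not obvious from the manifest; a comment above `objects:` such as `# parameter value is a JSON object; its TOKEN field becomes the token key of the synced Secret` would document that contract. Note that `secretObjects` copies the value into a plain Opaque Secret in flux-system, so from that point its exposure is governed by RBAC on that Secret rather than by the IAM policy alone.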
@@ -1,32 +0,0 @@
-# CRDs and workloads is managed by this manifest
----
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
- namespace: flux-system
- name: flux2
-spec:
- interval: 1m
- url: https://github.com/fluxcd/flux2
- ref:
- tag: v2.3.0
- ignore: |
- /*
- !/manifests/bases/source-controller
- !/manifests/bases/kustomize-controller
- !/manifests/bases/helm-controller
- !/manifests/bases/notification-controller
- !/manifests/rbac
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- namespace: flux-system
- name: flux2
-spec:
- sourceRef:
- kind: GitRepository
- name: flux2
- targetNamespace: flux-system
- interval: 10m0s
- prune: false
diff --git a/kubernetes/flux-system/kustomization.yaml b/kubernetes/flux-system/kustomization.yaml
index 1bf528c2..d15fe70d 100644
--- a/kubernetes/flux-system/kustomization.yaml
+++ b/kubernetes/flux-system/kustomization.yaml
@@ -2,6 +2,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - _namespace.yaml
- - flux2.yaml
- - boostrap.yaml
+ - base/ns.yaml
+ - app/repo.yaml
+ - app/release.yaml
+ - app/boostrap.yaml
+ - app/receiver.yaml
+ - app/secret.yaml
diff --git a/terraform/aws-iam.tf.template b/terraform/aws-iam.tf.template
deleted file mode 100644
index a4132d00..00000000
--- a/terraform/aws-iam.tf.template
+++ /dev/null 
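Review bot: The resource list in kustomization.yaml keeps the misspelled `app/boostrap.yaml`; since the rename hunk earlier in this commit already moves that file into `app/`, correcting it to `app/bootstrap.yaml` at the same time would have cost nothing. Fixing it later means touching both the file and this list again.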
@@ -1,44 +0,0 @@
-# -- IAM role for kubernetes service account
-
-resource "aws_iam_role" "$app" {
- name = "${local.project}-$app"
- assume_role_policy = jsonencode({
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Effect" : "Allow",
- "Principal" : {
- "Federated" : "arn:aws:iam::262264826613:oidc-provider/oidc.timtor.dev/amethyst"
- },
- "Action" : "sts:AssumeRoleWithWebIdentity",
- "Condition" : {
- "StringEquals" : {
- "oidc.timtor.dev/amethyst:sub" : "system:serviceaccount:$namespace:$app",
- "oidc.timtor.dev/amethyst:aud" : "sts.amazonaws.com"
- }
- }
- }
- ]
- })
-}
-
-resource "aws_iam_policy" "$app" {
- name = "${local.project}-$app"
- policy = jsonencode({
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Action" : "ssm:*",
- "Effect" : "Allow",
- "Resource" : [
- "arn:aws:ssm:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:parameter/amethyst/$secret"
- ]
- }
- ]
- })
-}
-
-resource "aws_iam_role_policy_attachment" "$app" {
- role = aws_iam_role.$app.name
- policy_arn = aws_iam_policy.$app.arn
-}
diff --git a/terraform/aws-kubernetes-irsa.tf b/terraform/aws-kubernetes-irsa.tf
index c5d95a0e..e8ef343b 100644
--- a/terraform/aws-kubernetes-irsa.tf
+++ b/terraform/aws-kubernetes-irsa.tf 
@@ -1,3 +1,46 @@
+resource "aws_iam_role" "notification-controller" {
+ name = "${local.project}-notification-controller"
+ assume_role_policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Principal" : {
+ "Federated" : "${aws_iam_openid_connect_provider.kubernetes-oidc.arn}"
+ },
+ "Action" : "sts:AssumeRoleWithWebIdentity",
+ "Condition" : {
+ "StringEquals" : {
+ "${aws_iam_openid_connect_provider.kubernetes-oidc.url}:sub" : "system:serviceaccount:flux-system:notification-controller",
+ "${aws_iam_openid_connect_provider.kubernetes-oidc.url}:aud" : "sts.amazonaws.com"
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_iam_policy" "notification-controller" {
+ name = "${local.project}-notification-controller"
+ policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Action" : "ssm:GetParameters",
+ "Effect" : "Allow",
+ "Resource" : [
+ "arn:aws:ssm:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:parameter/kubernetes/flux-system/webhook-token"
+ ]
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "notification-controller" {
+ role = aws_iam_role.notification-controller.name
+ policy_arn = aws_iam_policy.notification-controller.arn
+}
+
 resource "aws_iam_role" "cert-manager" {
 name = "${local.project}-cert-manager"
 assume_role_policy = jsonencode({
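Review bot: The policy grants only `ssm:GetParameters` on the single parameter `/kubernetes/flux-system/webhook-token`, a clear tightening over the deleted template's `ssm:*`; if that parameter is a SecureString encrypted with a customer-managed KMS key the role will additionally need `kms:Decrypt` on that key, so a comment stating which key type the parameter uses would settle it. The condition keys are built from `aws_iam_openid_connect_provider.kubernetes-oidc.url`, whereas the deleted template used the scheme-less `oidc.timtor.dev/amethyst:sub`; if the `url` attribute ever carries `https://`, the `:sub`/`:aud` match silently fails and the pod cannot assume the role, which the usual `replace(aws_iam_openid_connect_provider.kubernetes-oidc.url, "https://", "")` guards against. Lastly, `"Federated" : "${aws_iam_openid_connect_provider.kubernetes-oidc.arn}"` is an interpolation-only string; the plain reference `aws_iam_openid_connect_provider.kubernetes-oidc.arn` is the idiomatic form. The cert-manager role that follows is cut off at the end of the hunk.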