argocd installed from scratch by terraform

Victor Barba Martin 2021-10-31 16:46:51 +01:00
parent a752513411
commit 67fdfb0822
14 changed files with 313 additions and 1 deletions


@ -12,3 +12,13 @@ spec:
repoURL: 'git@bitbucket.org:jamkazam/video-iac.git' repoURL: 'git@bitbucket.org:jamkazam/video-iac.git'
targetRevision: HEAD targetRevision: HEAD
project: default project: default
syncPolicy:
automated:
prune: true
allowEmpty: false
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m
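Review bot: `prune: true` under `automated` is paired with `targetRevision: HEAD` in this Application, so any push to the default branch of video-iac is applied to the cluster and can delete live resources without a review step; the next two Application sections have the same combination. Tracking a protected branch or a tag instead of `HEAD` would make write access to that ref the explicit deployment gate. `project: default` also places no limits on source repos or destinations unless the default AppProject has been tightened elsewhere, which is not visible here. The policy omits `selfHeal`, so manual changes in the cluster are not reverted; if that is intended, say so in a comment such as `# selfHeal left off on purpose: manual hotfixes must survive until committed`. The `spec:` block starts above the hunk.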


@ -12,3 +12,13 @@ spec:
repoURL: 'git@bitbucket.org:jamkazam/video-iac.git' repoURL: 'git@bitbucket.org:jamkazam/video-iac.git'
targetRevision: HEAD targetRevision: HEAD
project: default project: default
syncPolicy:
automated:
prune: true
allowEmpty: false
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m


@ -15,3 +15,13 @@ spec:
repoURL: 'git@bitbucket.org:jamkazam/video-iac.git' repoURL: 'git@bitbucket.org:jamkazam/video-iac.git'
targetRevision: HEAD targetRevision: HEAD
project: default project: default
syncPolicy:
automated:
prune: true
allowEmpty: false
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m


@ -20,3 +20,13 @@ spec:
values: |- values: |-
prometheus-port: "9105" prometheus-port: "9105"
project: default project: default
syncPolicy:
automated:
prune: true
allowEmpty: false
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m


@ -16,3 +16,13 @@ spec:
targetRevision: 4.0.6 targetRevision: 4.0.6
chart: ingress-nginx chart: ingress-nginx
project: default project: default
syncPolicy:
automated:
prune: true
allowEmpty: false
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m


@ -23,3 +23,13 @@ spec:
kubelet-preferred-address-types: InternalIP kubelet-preferred-address-types: InternalIP
kubelet-insecure-tls: true kubelet-insecure-tls: true
project: default project: default
syncPolicy:
automated:
prune: true
allowEmpty: false
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m


@ -3,5 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: argocd namespace: argocd
resources: resources:
# - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
- ingress.yaml - ingress.yaml
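Review bot: The install manifest is fetched from the mutable `stable` ref on raw.githubusercontent.com (assuming the uncommented entry is the new side), so each `terraform plan` may pull different content and whatever that ref holds is applied with cluster-wide RBAC. Pin the resource to a specific release tag, e.g. `- https://raw.githubusercontent.com/argoproj/argo-cd/<PINNED_TAG>/manifests/install.yaml` (placeholder tag), or vendor the file into the repo so changes to it are reviewed like any other diff. That also makes Argo CD upgrades a deliberate commit rather than a side effect of the next apply.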


@ -90,6 +90,28 @@ provider "registry.terraform.io/hashicorp/local" {
] ]
} }
provider "registry.terraform.io/kbst/kustomization" {
version = "0.6.0"
constraints = "0.6.0"
hashes = [
"h1:abrUi8VhJAz8It7ZJrUMJU8Nf35zCvfCXYizeicYWCs=",
"zh:07ba6c329139d32411ba3b52c1da0af8cf393925f9dec5844853f45bc26d235c",
"zh:08a1885c1c603c39fbec8e74b762ad4002aea5ecb8c57db297fb9e935bada5eb",
"zh:149d1ac2ace6e5539f1abd2186ed470a94d3146639d758db7ecefffc6ea86942",
"zh:30c641789aff263a088944a7765f7c3e104704e15f45c4b828ef5341cf1f87b2",
"zh:5497d55248fa47050000b213dae7bb9c5b3c33e31b4f4c6862dd4a5e46295df1",
"zh:6d6fac9185d34828e6f7d7f92f31590d600064a373e4f38add053c53cf9db5cf",
"zh:7cad5e6b8cdac3eee3654b4777a0ffc1627c9d5712d85e12a6f73e7b9fb112b7",
"zh:8c5e4557e5d70bec0eb00a708e0c71f0ef082f012fe8af3b7d14b3be8454a9b9",
"zh:91b11fead24db03e54bf49ffaf1afaf229d2f4d59331597aeb513ec4f8d1a114",
"zh:ac986c7102f413fbfabea49735c5b0343d34f313e93d772e7d12d504cc7b221d",
"zh:afc046c3ecc121d1c4c35822cad6280db1cff1165b99ed545d15d5cde3e5a464",
"zh:b726fc46c30f4c90cc6e7f3e991b31cb058768ae78596432f39997f3ed3f2085",
"zh:c46b73f037b0fc2dbc4d3a137d2ff17a794ec61c9d185f2d0252a3d7cf688dae",
"zh:d0962c860edc9c6db7bdb261fa9c9a3b11ca5e62f19552232c0b29ff9ca8fe7c",
]
}
provider "registry.terraform.io/linode/linode" { provider "registry.terraform.io/linode/linode" {
version = "1.18.0" version = "1.18.0"
hashes = [ hashes = [


@ -0,0 +1,59 @@
# Repository credentials, for using the same credentials in multiple repositories.
apiVersion: v1
kind: Secret
metadata:
name: argoproj-https-creds
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repo-creds
stringData:
url: https://github.com/argoproj
password: my-password
username: my-username
---
apiVersion: v1
kind: Secret
metadata:
name: argoproj-ssh-creds
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repo-creds
stringData:
url: git@github.com:argoproj-labs
sshPrivateKey: |
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
---
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repo-creds
stringData:
url: https://github.com/argoproj
githubAppID: 1
githubAppInstallationID: 2
githubAppPrivateKey: |
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
---
apiVersion: v1
kind: Secret
metadata:
name: github-enterprise-creds
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repo-creds
stringData:
url: https://github.com/argoproj
githubAppID: 1
githubAppInstallationID: 2
githubAppEnterpriseBaseUrl: https://ghe.example.com/api/v3
githubAppPrivateKey: |
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
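Review bot: This new file holds Secret manifests with sample values (`my-password`, `githubAppID: 1`, elided keys) and carries no marker saying it is a template, so it invites filling in real credentials and committing them; the repository Secret file added in the next section has the same problem. The kustomization shown on this page lists only `install.yaml` and `ingress.yaml`, so these do not appear to be applied, but if they were ever added to `resources:` they would create bogus credential Secrets in `argocd`. I would put a header on both files, such as `# EXAMPLE ONLY - never put real credentials here; repo credentials are created from AWS Secrets Manager by terraform`, or drop the files and link to the upstream documentation instead.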


@ -0,0 +1,54 @@
# Git repositories configure Argo CD with (optional).
# This list is updated when configuring/removing repos from the UI/CLI
# Note: the last example in the list would use a repository credential template, configured under "argocd-repo-creds.yaml".
apiVersion: v1
kind: Secret
metadata:
name: my-private-repo
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
url: https://github.com/argoproj/my-private-repository
password: my-password
username: my-username
sshPrivateKey: |
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
---
apiVersion: v1
kind: Secret
metadata:
name: istio-helm-repo
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
name: istio.io
type: helm
---
apiVersion: v1
kind: Secret
metadata:
name: private-helm-repo
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
url: https://my-private-chart-repo.internal
name: private-repo
type: helm
password: my-password
username: my-username
---
apiVersion: v1
kind: Secret
metadata:
name: private-repo
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
url: https://github.com/argoproj/private-repo


@ -0,0 +1,40 @@
resource "aws_iam_user" "lke-external-dns" {
name = "lke-external-dns"
}
resource "aws_iam_access_key" "lke-external-dns" {
user = aws_iam_user.lke-external-dns.name
}
resource "aws_iam_user_policy" "lke-external-dns" {
name = "route-53"
user = aws_iam_user.lke-external-dns.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/*"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"route53:ListResourceRecordSets"
],
"Resource": [
"*"
]
}
]
}
EOF
}
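Review bot: The first policy statement allows `route53:ChangeResourceRecordSets` on `arn:aws:route53:::hostedzone/*`, so the external-dns user can rewrite records in every hosted zone of the account, not only the one this cluster serves. Scope the resource to the intended zone, e.g. `"arn:aws:route53:::hostedzone/<ZONE_ID>"` (placeholder). `aws_iam_access_key` also creates a long-lived static key with no rotation visible in this file; a comment next to the resource saying how and when it is rotated would help whoever operates this.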

69
terraform/kubernetes.tf Normal file

@ -0,0 +1,69 @@
resource "kubernetes_namespace" "external-dns" {
depends_on = [local_file.kubeconfig]
metadata {
name = "external-dns"
}
}
resource "kubernetes_secret" "aws_user_external_dns" {
depends_on = [kubernetes_namespace.external-dns]
metadata {
name = "aws-user-external-dns"
namespace = "external-dns"
}
data = {
username = aws_iam_access_key.lke-external-dns.id
password = aws_iam_access_key.lke-external-dns.secret
}
type = "kubernetes.io/basic-auth"
}
resource "kubernetes_namespace" "argocd" {
depends_on = [local_file.kubeconfig]
metadata {
name = "argocd"
}
}
data "aws_secretsmanager_secret" "bitbucket_ssh_argocd_key" {
name = "bitbucket-ssh-argocd-key"
}
data "aws_secretsmanager_secret_version" "bitbucket_ssh_argocd_key" {
secret_id = data.aws_secretsmanager_secret.bitbucket_ssh_argocd_key.id
}
resource "kubernetes_secret" "bitbucket_ssh_argocd_key" {
depends_on = [kubernetes_namespace.argocd]
metadata {
name = "bitbucket-ssh-argocd-key"
namespace = "argocd"
labels = {
"argocd.argoproj.io/secret-type" = "repository"
}
}
data = {
url = "git@bitbucket.org:jamkazam/video-iac"
sshPrivateKey = base64decode(jsondecode(data.aws_secretsmanager_secret_version.bitbucket_ssh_argocd_key.secret_string)["private"])
}
}
data "kustomization_build" "argocd" {
path = "../k8s/argocd/overlays/staging"
}
resource "kustomization_resource" "argocd" {
depends_on = [kubernetes_namespace.argocd]
for_each = data.kustomization_build.argocd.ids
manifest = data.kustomization_build.argocd.manifests[each.value]
}
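Review bot: Both `kubernetes_secret` resources copy secret material into Terraform state in plain text: the IAM secret key in `aws_user_external_dns` and the decoded Bitbucket SSH key in `bitbucket_ssh_argocd_key`. Nothing visible here says how that state is protected. I would add a comment above each, such as `# secret value is persisted in Terraform state; the backend must be encrypted and access-restricted`, and confirm the backend configuration actually meets that. The Bitbucket key should be a read-only access key for video-iac, since Argo CD only needs to fetch. `kubernetes.io/basic-auth` with `username`/`password` is an unusual container for an AWS key pair; confirm it matches what the external-dns values expect, or document the mapping in a comment.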


@ -34,6 +34,10 @@ provider "kubernetes" {
config_path = local_file.kubeconfig.filename config_path = local_file.kubeconfig.filename
} }
provider "kustomization" {
kubeconfig_path = local_file.kubeconfig.filename
}
resource "linode_lke_cluster" "prd-video-cluster" { resource "linode_lke_cluster" "prd-video-cluster" {
label = "prd-video-cluster" label = "prd-video-cluster"
k8s_version = "1.21" k8s_version = "1.21"
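Review bot: The new `provider "kustomization"` block reads `kubeconfig_path = local_file.kubeconfig.filename`, which relies on an admin kubeconfig being written to disk by a resource in the same configuration. On a fresh run that file does not exist at plan time, and once it does it stays on the machine that ran Terraform. If the provider version in use supports it, passing the content directly, along the lines of `kubeconfig_raw = base64decode(linode_lke_cluster.prd-video-cluster.kubeconfig)`, avoids the on-disk copy; otherwise make sure the `local_file` resource (not shown in this hunk) sets a restrictive `file_permission` and that the path is git-ignored. The `linode_lke_cluster` resource continues below the hunk.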


@ -11,6 +11,10 @@ terraform {
linode = { linode = {
source = "linode/linode" source = "linode/linode"
} }
kustomization = {
source = "kbst/kustomization"
version = "0.6.0"
}
} }
} }