diff --git a/_sub/compute/k8s-fluxcd/main.tf b/_sub/compute/k8s-fluxcd/main.tf
index 3046c767b..dd2e18a42 100644
--- a/_sub/compute/k8s-fluxcd/main.tf
+++ b/_sub/compute/k8s-fluxcd/main.tf
@@ -35,6 +35,7 @@ resource "flux_bootstrap_git" "this" {
 # --------------------------------------------------
 resource "github_repository_file" "flux_monitoring_config_path" {
+ count = var.enable_monitoring ? 1 : 0
 repository = var.repository_name
 branch = data.github_branch.flux_branch.branch
 file = "${local.cluster_target_path}/${local.app_install_name}.yaml"
@@ -69,4 +70,4 @@ resource "github_repository_file" "custom_folder" {
 file = "platform-apps/${var.cluster_name}/custom/README.md"
 content = local.custom_folder_readme
 overwrite_on_create = var.overwrite_on_create
-}
\ No newline at end of file
+}
diff --git a/_sub/compute/k8s-fluxcd/vars.tf b/_sub/compute/k8s-fluxcd/vars.tf
index cd173d8be..660b6d105 100644
--- a/_sub/compute/k8s-fluxcd/vars.tf
+++ b/_sub/compute/k8s-fluxcd/vars.tf
@@ -62,3 +62,9 @@ variable "token" {
 variable "cluster_ca_certificate" {
 type = string
 }
+
+variable "enable_monitoring" {
+ type = bool
+ default = false
+ description = "Enable monitoring for Flux"
+}
diff --git a/_sub/compute/k8s-shared-manifests/main.tf b/_sub/compute/k8s-shared-manifests/main.tf
new file mode 100644
index 000000000..da2ac089a
--- /dev/null
+++ b/_sub/compute/k8s-shared-manifests/main.tf
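Review bot: Adding `count` to `github_repository_file.flux_monitoring_config_path` turns the resource address into a list, so any reference to it elsewhere in this module (outputs, `depends_on`, other resources) now has to use `[0]` or a splat; no such reference is visible in this diff, so this is a point to confirm rather than a defect. The new `enable_monitoring` variable in vars.tf would read better if its description said what it gates, e.g. `description = "Commit the Flux monitoring config file to the GitOps repository"`. The resource body continues outside the hunk.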
@@ -0,0 +1,29 @@
+# --------------------------------------------------
+# Flux CD in a shared responsibility model with
+# other platform teams
+# --------------------------------------------------
+
+data "github_repository" "main" {
+ full_name = "${var.repo_owner}/${var.repo_name}"
+}
+
+locals {
+ default_repo_branch = data.github_repository.main.default_branch
+ repo_branch = length(var.repo_branch) > 0 ? var.repo_branch : local.default_repo_branch
+ cluster_repo_path = "clusters/${var.cluster_name}"
+}
+
+resource "github_repository_file" "shared_manifests" {
+ repository = var.repo_name
+ branch = local.repo_branch
+ file = "${local.cluster_repo_path}/shared-manifests.yaml"
+ content = templatefile("${path.module}/values/shared-manifests.yaml", {
+ shared_manifests_repo_url = var.shared_manifests_repo_url
+ shared_manifests_repo_branch = var.shared_manifests_repo_branch
+ overlay_folder = var.overlay_folder
+ account_id = var.account_id
+ role_name = var.role_name
+ prune = var.prune
+ })
+ overwrite_on_create = var.overwrite_on_create
+}
diff --git a/_sub/compute/k8s-shared-manifests/values/shared-manifests.yaml b/_sub/compute/k8s-shared-manifests/values/shared-manifests.yaml
new file mode 100644
index 000000000..7dcdd8f3d
--- /dev/null
+++ b/_sub/compute/k8s-shared-manifests/values/shared-manifests.yaml
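Review bot: The fallback in `repo_branch = length(var.repo_branch) > 0 ? var.repo_branch : local.default_repo_branch` is effectively dead, because vars.tf in this same commit gives `repo_branch` a default of `"main"`, so `data.github_repository.main.default_branch` is only consulted when a caller explicitly passes an empty string. If the intent stated in that variable's description ("Override the default branch of the repo (optional)") is to fall back to the repository's real default branch, the variable should be `default = ""`; otherwise the data source and the `default_repo_branch` local can be dropped. A short comment above `content = templatefile(...)` would also help, e.g. `# ${...} in the template is rendered by Terraform at plan time and committed as plain text, not interpolated by Flux`.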
@@ -0,0 +1,73 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ssm-secrets
+ namespace: flux-system
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::${account_id}:role/${role_name}
+ eks.amazonaws.com/sts-regional-endpoints: "true"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+ name: shared-manifests-git
+ namespace: flux-system
+spec:
+ provider:
+ aws:
+ service: ParameterStore
+ region: eu-west-1
+ auth:
+ jwt:
+ serviceAccountRef:
+ name: ssm-secrets
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: shared-manifests-git
+ namespace: flux-system
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: SecretStore
+ name: shared-manifests-git
+ target:
+ name: shared-manifests-git
+ creationPolicy: Owner
+ data:
+ - secretKey: username
+ remoteRef:
+ key: /github/shared-manifests/owner
+ - secretKey: password
+ remoteRef:
+ key: /github/shared-manifests/token
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: shared-manifests-git
+ namespace: flux-system
+spec:
+ interval: 1m0s
+ secretRef:
+ name: shared-manifests-git
+ ref:
+ branch: ${shared_manifests_repo_branch}
+ url: ${shared_manifests_repo_url}
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: shared-manifests
+ namespace: flux-system
+spec:
+ interval: 1m0s
+ dependsOn:
+ - name: flux-system
+ sourceRef:
+ kind: GitRepository
+ name: shared-manifests-git
+ path: ./infrastructure/${overlay_folder}
+ prune: ${prune}
diff --git a/_sub/compute/k8s-shared-manifests/vars.tf b/_sub/compute/k8s-shared-manifests/vars.tf
new file mode 100644
index 000000000..5aba6d9b5
--- /dev/null
+++ b/_sub/compute/k8s-shared-manifests/vars.tf
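Review bot: `region: eu-west-1` in the SecretStore is the one deployment-specific value in this template that is not passed in from Terraform, while `account_id`, `role_name` and the repository URL are; a cluster in another region would look up the parameters in the wrong region. Passing it through as `region: ${region}` with a matching `region` variable on the module keeps the template portable. The parameter paths `/github/shared-manifests/owner` and `/github/shared-manifests/token` are also repeated verbatim in the `shared_manifests_git_owner` and `shared_manifests_git_token` modules in compute/k8s-services/main.tf; rendering them from the same variables would stop the two copies drifting apart. Whether the IAM role named in the ServiceAccount annotation is scoped to just these two parameters is not visible in this diff and is worth confirming, since the `password` key is a GitHub token.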
@@ -0,0 +1,56 @@
+variable "cluster_name" {
+ type = string
+}
+
+variable "overlay_folder" {
+ type = string
+}
+
+variable "repo_owner" {
+ type = string
+ description = "Name of the repo owner (previously: organization)"
+ sensitive = true
+}
+
+variable "repo_name" {
+ type = string
+ description = "Name of the Github repo to store the manifests in"
+}
+
+variable "repo_branch" {
+ type = string
+ description = "Override the default branch of the repo (optional)"
+ default = "main"
+}
+
+variable "overwrite_on_create" {
+ type = bool
+ default = true
+ description = "Enable overwriting existing files"
+}
+
+variable "shared_manifests_repo_url" {
+ type = string
+ default = ""
+ description = "The https url for your GitOps manifests"
+}
+
+variable "shared_manifests_repo_branch" {
+ type = string
+ default = "main"
+ description = "The default branch for your GitOps manifests"
+}
+
+variable "prune" {
+ type = bool
+ default = true
+ description = "Enable Garbage collection"
+}
+
+variable "account_id" {
+ type = string
+}
+
+variable "role_name" {
+ type = string
+}
diff --git a/_sub/compute/k8s-shared-manifests/versions.tf b/_sub/compute/k8s-shared-manifests/versions.tf
new file mode 100644
index 000000000..70e7ba910
--- /dev/null
+++ b/_sub/compute/k8s-shared-manifests/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3.0, < 1.6.0"
+
+ required_providers {
+ github = {
+ source = "integrations/github"
+ version = "~> 6.3.0"
+ }
+ }
+}
diff --git a/_sub/compute/k8s-shared-manifests/versions.tofu b/_sub/compute/k8s-shared-manifests/versions.tofu
new file mode 100644
index 000000000..2c835eac9
--- /dev/null
+++ b/_sub/compute/k8s-shared-manifests/versions.tofu
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.8.0"
+
+ required_providers {
+ github = {
+ source = "integrations/github"
+ version = "~> 6.3.0"
+ }
+ }
+}
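Review bot: `shared_manifests_repo_url` defaults to `""` but is interpolated directly into the GitRepository `url` field of the template, so a caller that omits it gets an invalid manifest committed to the repository instead of a plan-time error. A `validation` block with `condition = length(var.shared_manifests_repo_url) > 0` and an `error_message` fails fast; `account_id`, which ends up inside an IAM role ARN, could likewise be checked with `condition = can(regex("^[0-9]{12}$", var.account_id))`. `account_id` and `role_name` are also the only variables in this file without a `description`, and as both feed the IRSA annotation a one-line description of each would help the caller in compute/k8s-services/main.tf.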
diff --git a/compute/k8s-services/dependencies.tf b/compute/k8s-services/dependencies.tf
index 7c543b6b7..3a0aa5768 100644
--- a/compute/k8s-services/dependencies.tf
+++ b/compute/k8s-services/dependencies.tf
@@ -260,7 +260,8 @@ locals {
 # --------------------------------------------------
 locals {
- fluxcd_apps_repo_url = "${var.fluxcd_apps_git_provider_url}${var.fluxcd_apps_repo_owner}/${var.fluxcd_apps_repo_name}"
+ fluxcd_apps_repo_url = "${var.fluxcd_apps_git_provider_url}${var.fluxcd_apps_repo_owner}/${var.fluxcd_apps_repo_name}"
+ shared_manifests_repo_url = "${var.fluxcd_apps_git_provider_url}${var.shared_manifests_repo_owner}/${var.shared_manifests_repo_name}"
 }
 # --------------------------------------------------
diff --git a/compute/k8s-services/main.tf b/compute/k8s-services/main.tf
index d06096497..e3efcc28d 100644
--- a/compute/k8s-services/main.tf
+++ b/compute/k8s-services/main.tf
@@ -458,6 +458,7 @@ module "platform_fluxcd" {
 endpoint = data.aws_eks_cluster.eks.endpoint
 token = data.aws_eks_cluster_auth.eks.token
 cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority[0].data)
+ enable_monitoring = var.monitoring_kube_prometheus_stack_deploy || var.grafana_deploy ? true : false
 providers = {
 github = github.fluxcd
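Review bot: `enable_monitoring = var.monitoring_kube_prometheus_stack_deploy || var.grafana_deploy ? true : false` wraps a value that is already a bool in a redundant conditional; `enable_monitoring = var.monitoring_kube_prometheus_stack_deploy || var.grafana_deploy` says the same thing and reads like the other bool inputs in this module call. The `module "platform_fluxcd"` block starts and ends outside the hunk.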
@@ -995,3 +996,51 @@ module "github_arc_runners" {
 depends_on = [module.platform_fluxcd, module.github_arc_ss_controller]
 }
+
+# --------------------------------------------------
+# Flux CD in a shared responsibility model with
+# other platform teams
+# --------------------------------------------------
+
+module "shared_manifests_git_owner" {
+ source = "../../_sub/security/ssm-parameter-store"
+ count = var.shared_manifests_deploy ? 1 : 0
+ key_name = "/github/shared-manifests/owner"
+ key_description = "Git owner for the shared Flux manifests"
+ key_value = var.fluxcd_bootstrap_repo_owner
+ tag_createdby = var.ssm_param_createdby != null ? var.ssm_param_createdby : "k8s-services"
+}
+
+module "shared_manifests_git_token" {
+ source = "../../_sub/security/ssm-parameter-store"
+ count = var.shared_manifests_deploy ? 1 : 0
+ key_name = "/github/shared-manifests/token"
+ key_description = "Git owner's token for the shared Flux manifests"
+ key_value = var.fluxcd_bootstrap_repo_owner_token
+ tag_createdby = var.ssm_param_createdby != null ? var.ssm_param_createdby : "k8s-services"
+}
+
+module "shared_manifests" {
+ source = "../../_sub/compute/k8s-shared-manifests"
+ count = var.shared_manifests_deploy ? 1 : 0
+ cluster_name = var.eks_cluster_name
+ overlay_folder = var.shared_manifests_overlay_folder
+ repo_owner = var.fluxcd_bootstrap_repo_owner
+ repo_name = var.fluxcd_bootstrap_repo_name
+ repo_branch = var.fluxcd_bootstrap_repo_branch
+ overwrite_on_create = var.fluxcd_bootstrap_overwrite_on_create
+ shared_manifests_repo_url = local.shared_manifests_repo_url
+ shared_manifests_repo_branch = var.shared_manifests_repo_branch
+ account_id = var.aws_workload_account_id
+ role_name = var.external_secrets_ssm_iam_role_name
+
+ providers = {
+ github = github.fluxcd
+ }
+
+ depends_on = [
+ module.shared_manifests_git_owner,
+ module.shared_manifests_git_token,
+ module.external_secrets_ssm
+ ]
+}
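Review bot: `shared_manifests_git_token` stores `var.fluxcd_bootstrap_repo_owner_token` — the credential that bootstraps Flux and writes to the platform repository — so that the cluster can pull the shared manifests repository, which only needs read access; a dedicated read-only token in its own variable (or a deploy key on the shared repository) would keep the in-cluster `shared-manifests-git` secret scoped to that one repository. Whether the `ssm-parameter-store` module writes a SecureString is not visible in this diff and is worth confirming, since the parameter holds a GitHub token. The two `key_name` values must stay identical to the `remoteRef.key` entries in `_sub/compute/k8s-shared-manifests/values/shared-manifests.yaml`, and nothing enforces that today; a comment such as `# must match remoteRef.key in _sub/compute/k8s-shared-manifests/values/shared-manifests.yaml` above each `key_name`, or passing the paths into the module as variables, would make the coupling explicit.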
diff --git a/compute/k8s-services/vars.tf b/compute/k8s-services/vars.tf
index 69e49cb1c..f7b9bf026 100644
--- a/compute/k8s-services/vars.tf
+++ b/compute/k8s-services/vars.tf
@@ -468,7 +468,6 @@ variable "fluxcd_bootstrap_overwrite_on_create" {
 description = "Enable overwriting existing files"
 }
-
 # --------------------------------------------------
 # GitOps apps used by Flux CD
 # --------------------------------------------------
@@ -1613,3 +1612,48 @@ variable "github_arc_runners_memory_limit" {
 description = "Memory request for the runner pods"
 default = "8Gi"
 }
+
+# --------------------------------------------------
+# Optional
+# --------------------------------------------------
+
+variable "ssm_param_createdby" {
+ type = string
+ description = "The value that will be used for the createdBy key when tagging any SSM parameters"
+ default = null
+}
+
+# --------------------------------------------------
+# Flux CD in a shared responsibility model with
+# other platform teams
+# --------------------------------------------------
+
+variable "shared_manifests_repo_name" {
+ type = string
+ default = ""
+ description = "The repo name for your GitOps manifests"
+}
+
+variable "shared_manifests_repo_branch" {
+ type = string
+ default = "main"
+ description = "The default branch for your GitOps manifests"
+}
+
+variable "shared_manifests_repo_owner" {
+ type = string
+ default = "main"
+ description = "The repo owner for your GitOps manifests"
+}
+
+variable "shared_manifests_deploy" {
+ type = bool
+ description = "Deploy Flux manifests from a shared responsibily repo"
+ default = false
+}
+
+variable "shared_manifests_overlay_folder" {
+ type = string
+ description = "Which overlay folder to deploy"
+ default = "production"
+}
diff --git a/test/integration/eu-west-1/k8s-qa/services/terragrunt.hcl b/test/integration/eu-west-1/k8s-qa/services/terragrunt.hcl
index 650aeb34a..78edc76f9 100644
--- a/test/integration/eu-west-1/k8s-qa/services/terragrunt.hcl
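Review bot: `shared_manifests_repo_owner` defaults to `"main"`, which is a branch name carried over from the variable above it rather than a repository owner; with that default and the empty `shared_manifests_repo_name`, the `shared_manifests_repo_url` local in dependencies.tf renders as the provider URL followed by `main/`, which points at nothing. It should be `default = ""` like `shared_manifests_repo_name`, or have no default so callers who set `shared_manifests_deploy = true` are forced to provide it. The sub-module marks its `repo_owner` input `sensitive = true` while this variable is not, so the two are inconsistent about whether the owner is considered sensitive. The description of `shared_manifests_deploy` also misspells "responsibility" (`responsibily`).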
+++ b/test/integration/eu-west-1/k8s-qa/services/terragrunt.hcl
@@ -291,8 +291,20 @@ inputs = {
 # --------------------------------------------------
 # Github ARC SS Controller
 # --------------------------------------------------
-
+
 github_arc_ss_controller_deploy = true
 github_arc_ss_controller_helm_chart_version = "0.9.3"
+ # --------------------------------------------------
+ # Flux CD in a shared responsibility model with
+ # other platform teams
+ # --------------------------------------------------
+
+ shared_manifests_repo_name = "shared-manifests"
+ shared_manifests_repo_branch = "main"
+ shared_manifests_repo_owner = "dfds"
+
+ shared_manifests_deploy = true
+ shared_manifests_overlay_folder = "qa"
+
 }