👷 Update CI with Pulumi, Helm, Kubernetes, enable AWS Load Balancer, ingress-nginx, HTTPS (#129)

Author: tiangolo

.github/workflows/deploy.yml

@@ -6,6 +6,12 @@ on:
   release:
     types:
       - created
+  workflow_dispatch:
+    inputs:
+      debug_enabled:
+        description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
+        required: false
+        default: 'false'
 
 jobs:
   deploy:
@@ -33,10 +39,22 @@ jobs:
       - run: pip install -r requirements.txt
         working-directory: infra
       - uses: pulumi/actions@v5
+        id: pulumi
         with:
           command: up
           # stack-name: org-name/stack-name # When using an individual account, only use stack-name.
-          stack-name: staging
+          # staging on push, production on release
+          stack-name: ${{ github.event_name == 'release' && 'production' || 'staging' }}
           work-dir: infra
         env:
           PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+      - name: Setup tmate session
+        uses: mxschmitt/action-tmate@v3
+        if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
+        with:
+          limit-access-to-actor: true
+        env:
+          CLUSTER_NAME: ${{ steps.pulumi.outputs.cluster_name }}
+          KUBECONFIG_CONTENT: ${{ steps.pulumi.outputs.kubeconfig }}
+          CLOUDFLARE_API_TOKEN_DNS: ${{ secrets.CLOUDFLARE_API_TOKEN_DNS }}
+          DEPLOYMENT_ENV: ${{ github.event_name == 'release' && 'production' || 'staging' }}

infra/__main__.py

@@ -14,7 +14,9 @@
 eks_node_instance_type = config.get("eksNodeInstanceType", "t3.medium")
 vpc_network_cidr = config.get("vpcNetworkCidr", "10.0.0.0/16")
 
-aws_loadbalancer_name = "aws-load-balancer-controller"
+aws_load_balancer_name = "aws-load-balancer-controller"
+
+### AWS Resources ###
 
 # Role generated automatically by AWS from permission set from AWS IAM Identity Center
 roles = aws.iam.get_roles(name_regex="FastAPILabsPowerUserK8s")
@@ -85,7 +87,7 @@
 # Ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/deploy/installation/
 aws_lb_controller_policy_content = (
     Path(__file__)
-    .parent.joinpath(f"{aws_loadbalancer_name}-config/iam-policy.json")
+    .parent.joinpath(f"{aws_load_balancer_name}-config/iam-policy.json")
     .read_text()
 )
 
@@ -94,13 +96,13 @@
 # Ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
 
 
-service_account_name = f"system:serviceaccount:kube-system:{aws_loadbalancer_name}"
+service_account_name = f"system:serviceaccount:kube-system:{aws_load_balancer_name}"
 oidc_url = eks_cluster.core.apply(lambda x: x.oidc_provider and x.oidc_provider.url)
 oidc_arn = eks_cluster.core.apply(lambda x: x.oidc_provider and x.oidc_provider.arn)
 
 
 aws_lb_controller_role = aws.iam.Role(
-    f"{aws_loadbalancer_name}-role",
+    f"{aws_load_balancer_name}-role",
     assume_role_policy=pulumi.Output.json_dumps(
         {
             "Version": "2012-10-17",
@@ -128,35 +130,66 @@
 )
 
 aws_lb_controller_policy = aws.iam.Policy(
-    f"{aws_loadbalancer_name}-policy",
+    f"{aws_load_balancer_name}-policy",
     policy=aws_lb_controller_policy_content,
 )
 
 # Attach IAM Policy to IAM Role
 aws.iam.PolicyAttachment(
-    f"{aws_loadbalancer_name}-attachment",
+    f"{aws_load_balancer_name}-attachment",
     policy_arn=aws_lb_controller_policy.arn,
     roles=[aws_lb_controller_role.name],
 )
 
+### Kubernetes Resources ###
+
 provider = k8s.Provider("provider", kubeconfig=eks_cluster.kubeconfig)
 
-service_account = k8s.core.v1.ServiceAccount(
-    f"{aws_loadbalancer_name}-sa",
+aws_load_balancer_service_account = k8s.core.v1.ServiceAccount(
+    f"{aws_load_balancer_name}-sa",
     metadata={
-        "name": aws_loadbalancer_name,
+        "name": aws_load_balancer_name,
         "namespace": "kube-system",
         "labels": {
             "app.kubernetes.io/component": "controller",
-            "app.kubernetes.io/name": aws_loadbalancer_name,
+            "app.kubernetes.io/name": aws_load_balancer_name,
         },
         "annotations": {"eks.amazonaws.com/role-arn": aws_lb_controller_role.arn},
     },
+    opts=pulumi.ResourceOptions(provider=provider),
 )
 
+cluster_name = eks_cluster.core.apply(lambda x: x.cluster.name)
+
+# TODO: Fix this
+
+# error: 1 error occurred:
+#         * Helm release "kube-system/aws-load-balancer-controller-bf4de232" was created, but failed to initialize completely. Use Helm CLI to investigate: failed to become available within allocated timeout. Error: Helm Release kube-system/aws-load-balancer-controller-bf4de232: client rate limiter Wait returned an error: context deadline exceeded
+
+# aws_load_balancer_controller = k8s.helm.v3.Release(
+#     aws_load_balancer_name,
+#     k8s.helm.v3.ReleaseArgs(
+#         chart="aws-load-balancer-controller",
+#         version="1.8.1",
+#         repository_opts=k8s.helm.v3.RepositoryOptsArgs(
+#             repo="https://aws.github.io/eks-charts"
+#         ),
+#         namespace="kube-system",
+#         values={
+#             "clusterName": cluster_name,
+#             "serviceAccount": {
+#                 "create": False,
+#                 "name": aws_load_balancer_service_account.metadata["name"],
+#             },
+#         },
+#     ),
+#     opts=pulumi.ResourceOptions(provider=provider),
+# )
+
 
 # Export values to use elsewhere
 pulumi.export("kubeconfig", eks_cluster.kubeconfig)
+pulumi.export("cluster_name", cluster_name)
 pulumi.export("vpc_id", eks_vpc.vpc_id)
 pulumi.export("k8s_role_arn", k8s_role_arn)
 pulumi.export("aws_lb_controller_policy", aws_lb_controller_policy.arn)

infra/deploy-helm.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+set -e
+
+CLUSTER_NAME=${CLUSTER_NAME:?}
+KUBECONFIG_CONTENT=${KUBECONFIG_CONTENT:?}
+AWS_LOAD_BALANCER_CONTROLLER_VERSION="1.8.1"
+CERT_MANAGER_VERSION="1.15.1"
+INGRESS_NGINX_VERSION="4.10.1"
+
+echo "Configure Kubeconfig"
+echo "${KUBECONFIG_CONTENT}" > kubeconfig.json
+chmod 600 kubeconfig.json
+export KUBECONFIG=kubeconfig.json
+
+# Enable debugging
+set -x
+
+echo "Add Helm repo: eks, for AWS Load Balancer Controller"
+helm repo add eks https://aws.github.io/eks-charts --force-update
+
+echo "Add Helm repo: jetstack, for Cert Manager"
+helm repo add jetstack https://charts.jetstack.io --force-update
+
+echo "Add Helm repo: ingress-nginx, for Ingress Controller"
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx --force-update
+
+echo "Update Helm repos"
+helm repo update
+
+echo "Install AWS Load Balancer Controller"
+helm upgrade --install aws-load-balancer-controller eks/aws-load-balancer-controller \
+  --namespace kube-system \
+  --version "${AWS_LOAD_BALANCER_CONTROLLER_VERSION}" \
+  --set clusterName="${CLUSTER_NAME}" \
+  --set serviceAccount.create=false \
+  --set serviceAccount.name=aws-load-balancer-controller
+
+echo "Install Cert Manager"
+helm upgrade --install cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --create-namespace \
+  --version "${CERT_MANAGER_VERSION}" \
+  --set crds.enabled=true
+
+echo "Install Ingress Nginx Controller"
+helm upgrade --install ingress-nginx-external ingress-nginx/ingress-nginx \
+  --namespace ingress-nginx-external \
+  --create-namespace \
+  --version "${INGRESS_NGINX_VERSION}" \
+  -f helm-values/ingress-nginx-external-values.yaml
+
+LOAD_BALANCER_HOSTHAME=$(kubectl -n ingress-nginx-external get service ingress-nginx-external-controller --output jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+
+echo "Add DNS record for Load Balancer before continuing:"
+echo "$LOAD_BALANCER_HOSTHAME"
+
+echo "Remove kubeconfig.json with by running:"
+echo "rm kubeconfig.json"

infra/deploy-kubectl.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+CLOUDFLARE_API_TOKEN_DNS=${CLOUDFLARE_API_TOKEN_DNS:?}
+DEPLOY_ENVIRONMENT=${DEPLOY_ENVIRONMENT:-staging}
+
+echo "Configure Kubeconfig"
+echo "${KUBECONFIG_CONTENT}" > kubeconfig.json
+chmod 600 kubeconfig.json
+export KUBECONFIG=kubeconfig.json
+
+# Enable debugging
+set -x
+
+echo "Add Cloudflare token secret"
+envsubst < k8s/cert-manager-cloudflare-token.yaml | kubectl apply -f -
+
+echo "Add Cert Manager issuer prod"
+kubectl apply -f k8s/cert-manager-issuer-prod.yaml
+
+echo "Add Cert Manager issuer staging"
+kubectl apply -f k8s/cert-manager-issuer-staging.yaml
+
+echo "Add wildcard cert"
+kubectl apply -f "k8s/cert-manager-wildcard-cert-${DEPLOY_ENVIRONMENT}.yaml"
+
+echo "Remove kubeconfig.json with by running:"
+echo "rm kubeconfig.json"

infra/helm-values/ingress-nginx-external-values.yaml

@@ -0,0 +1,11 @@
+controller:
+  ingressClassResource:
+    name: external
+  extraArgs:
+    # Sync with cert-manager-wildcard-cert.yaml
+    default-ssl-certificate: cert-manager/fastapicloud-tls
+  service:
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-type: external
+      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip

infra/k8s/cert-manager-cloudflare-token.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token-secret
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: ${CLOUDFLARE_API_TOKEN_DNS}

infra/k8s/cert-manager-issuer-prod.yaml

@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-prod
+  namespace: cert-manager
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: certs@fastapilabs.com
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the DNS-01 challenge provider with Cloudflare API token
+    solvers:
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token

infra/k8s/cert-manager-issuer-staging.yaml

@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-staging
+  namespace: cert-manager
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: certs@fastapilabs.com
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    # Enable the DNS-01 challenge provider with Cloudflare API token
+    solvers:
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token

infra/k8s/cert-manager-wildcard-cert-production.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: fastapicloud-com
+  namespace: cert-manager
+
+spec:
+  # Sync with ingress-nginx-external-values.yaml
+  secretName: fastapicloud-tls
+  dnsNames:
+    - fastapicloud.com
+    - "*.fastapicloud.com"
+  issuerRef:
+    name: letsencrypt-prod
+    kind: Issuer
+    group: cert-manager.io

infra/k8s/cert-manager-wildcard-cert-staging.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: fastapicloud-work
+  namespace: cert-manager
+
+spec:
+  # Sync with ingress-nginx-external-values.yaml
+  secretName: fastapicloud-tls
+  dnsNames:
+    - fastapicloud.work
+    - "*.fastapicloud.work"
+  issuerRef:
+    name: letsencrypt-prod
+    kind: Issuer
+    group: cert-manager.io