feat(k8s): add kafbat ui

hongbo-miao · Jul 15, 2024 · 4ad1693 · 4ad1693
1 parent 7a9b5c2
commit 4ad1693
Show file tree

Hide file tree

Showing 8 changed files with 240 additions and 0 deletions.
diff --git a/cloud-infrastructure/terraform/environments/production/aws/kubernetes/main.tf b/cloud-infrastructure/terraform/environments/production/aws/kubernetes/main.tf
@@ -556,3 +556,27 @@ module "hm_kubernetes_namespace_hm_redpanda_console" {
     module.hm_amazon_eks_cluster
   ]
 }
+
+# Kafbat UI
+# Kafbat UI - IAM role
+module "hm_kafbat_ui_iam_role" {
+  providers                            = { aws = aws.production }
+  source                               = "../../../../modules/aws/hm_kafbat_ui_iam_role"
+  kafbat_ui_service_account_name       = "hm-kafbat-ui"
+  kafbat_ui_namespace                  = "${var.environment}-hm-kafbat-ui"
+  amazon_eks_cluster_oidc_provider     = module.hm_amazon_eks_cluster.oidc_provider
+  amazon_eks_cluster_oidc_provider_arn = module.hm_amazon_eks_cluster.oidc_provider_arn
+  environment                          = var.environment
+  team                                 = var.team
+}
+# Kafbat UI - Kubernetes namespace
+module "hm_kubernetes_namespace_hm_kafbat_ui" {
+  source               = "../../../../modules/kubernetes/hm_kubernetes_namespace"
+  kubernetes_namespace = "${var.environment}-hm-kafbat-ui"
+  labels = {
+    "goldilocks.fairwinds.com/enabled" = "true"
+  }
+  depends_on = [
+    module.hm_amazon_eks_cluster
+  ]
+}
diff --git a/cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role/main.tf b/cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role/main.tf
@@ -0,0 +1,64 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}
+
+locals {
+  aws_iam_role_name_prefix = "KafbatUIRole"
+}
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user
+resource "aws_iam_role" "hm_kafbat_ui_iam_role" {
+  name = "${local.aws_iam_role_name_prefix}-${var.kafbat_ui_service_account_name}"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = var.amazon_eks_cluster_oidc_provider_arn
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "${var.amazon_eks_cluster_oidc_provider}:aud" = "sts.amazonaws.com",
+            "${var.amazon_eks_cluster_oidc_provider}:sub" = "system:serviceaccount:${var.kafbat_ui_namespace}:${var.kafbat_ui_service_account_name}"
+          }
+        }
+      }
+    ]
+  })
+  tags = {
+    Environment = var.environment
+    Team        = var.team
+    Name        = "${local.aws_iam_role_name_prefix}-${var.kafbat_ui_service_account_name}"
+  }
+}
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy
+resource "aws_iam_role_policy" "hm_kafbat_ui_iam_role_policy" {
+  name = "${local.aws_iam_role_name_prefix}Policy-${var.kafbat_ui_service_account_name}"
+  role = aws_iam_role.hm_kafbat_ui_iam_role.name
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "kafka-cluster:Connect",
+          "kafka-cluster:DescribeCluster",
+          "kafka-cluster:DescribeClusterDynamicConfiguration",
+          "kafka-cluster:DescribeGroup",
+          "kafka-cluster:DescribeTopic",
+          "kafka-cluster:DescribeTopicDynamicConfiguration",
+          "kafka-cluster:DescribeTransactionalId",
+          "kafka-cluster:ReadData"
+        ]
+        Resource = [
+          "*"
+        ]
+      }
+    ]
+  })
+}
diff --git a/cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role/variables.tf b/cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role/variables.tf
@@ -0,0 +1,18 @@
+variable "kafbat_ui_service_account_name" {
+  type = string
+}
+variable "kafbat_ui_namespace" {
+  type = string
+}
+variable "amazon_eks_cluster_oidc_provider" {
+  type = string
+}
+variable "amazon_eks_cluster_oidc_provider_arn" {
+  type = string
+}
+variable "environment" {
+  type = string
+}
+variable "team" {
+  type = string
+}
diff --git a/ops/argo-cd/applications/production-hm/kafbat-ui/Makefile b/ops/argo-cd/applications/production-hm/kafbat-ui/Makefile
@@ -0,0 +1,6 @@
+argo-cd-app-create:
+	argocd app create hm-kafbat-ui --file=manifests/hm-kafbat-ui-application.yaml
+argo-cd-app-update:
+	argocd app create hm-kafbat-ui --file=manifests/hm-kafbat-ui-application.yaml --upsert
+argo-cd-app-delete:
+	argocd app delete hm-kafbat-ui --yes
diff --git a/...o-cd/applications/production-hm/kafbat-ui/argo-cd-manifests/hm-kafbat-ui-application.yaml b/...o-cd/applications/production-hm/kafbat-ui/argo-cd-manifests/hm-kafbat-ui-application.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: hm-kafbat-ui
+  namespace: production-hm-argo-cd
+  labels:
+    app.kubernetes.io/name: hm-kafbat-ui
+spec:
+  project: production-hm
+  sources:
+    - repoURL: https://kafbat.github.io/helm-charts
+      # https://artifacthub.io/packages/helm/kafka-ui/kafka-ui
+      targetRevision: 1.4.2
+      chart: kafka-ui
+      helm:
+        releaseName: hm-kafbat-ui
+        values: |
+          # https://github.com/kafbat/helm-charts/blob/main/charts/kafka-ui/values.yaml
+          ---
+          yamlApplicationConfig:
+            kafka:
+              clusters:
+                - name: yaml
+                  bootstrapServers: b-1.hmkafka.xxxxxx.xx.kafka.us-west-2.amazonaws.com:9098,b-2.hmkafka.xxxxxx.xx.kafka.us-west-2.amazonaws.com:9098,b-3.hmkafka.xxxxxx.xx.kafka.us-west-2.amazonaws.com:9098
+                  properties:
+                    security.protocol: SASL_SSL
+                    sasl.mechanism: AWS_MSK_IAM
+                    sasl.jaas.config: software.amazon.msk.auth.iam.IAMLoginModule required;
+                    sasl.client.callback.handler.class: software.amazon.msk.auth.iam.IAMClientCallbackHandler
+            auth:
+              type: disabled
+            management:
+              health:
+                ldap:
+                  enabled: false
+          serviceAccount:
+            create: true
+            annotations:
+              eks.amazonaws.com/role-arn: arn:aws:iam::272394222652:role/KafbatUIRole-hm-kafbat-ui
+          resources:
+            requests:
+              cpu: 50m
+              memory: 512Mi
+            limits:
+              cpu: 300m
+              memory: 2Gi
+    - repoURL: git@github.com:hongbo-miao/hongbomiao.com.git
+      targetRevision: HEAD
+      path: ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests
+  destination:
+    namespace: production-hm-kafbat-ui
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    syncOptions:
+      - ServerSideApply=true
+    automated:
+      prune: true
diff --git a/...go-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/hm-kafbat-ui-ingress.yaml b/...go-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/hm-kafbat-ui-ingress.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hm-kafbat-ui-ingress
+  namespace: production-hm-kafbat-ui
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    # https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/#on-ingress
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    # https://kubernetes-sigs.github.io/external-dns/latest/annotations/annotations
+    external-dns.alpha.kubernetes.io/hostname: hm-kafbat-ui.internal.hongbomiao.com
+    # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+    cert-manager.io/cluster-issuer: production-lets-encrypt-cluster-issuer
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PostSync
+  labels:
+    app.kubernetes.io/name: hm-kafbat-ui-ingress
+    app.kubernetes.io/part-of: production-hm-kafbat-ui
+spec:
+  rules:
+    - host: hm-kafbat-ui.internal.hongbomiao.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: hm-kafbat-ui-kafka-ui
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - hm-kafbat-ui.internal.hongbomiao.com
+      secretName: production-hm-kafbat-ui-certificate
diff --git a/...ons/production-hm/kafbat-ui/kubernetes-manifests/production-hm-kafbat-ui-certificate.yaml b/...ons/production-hm/kafbat-ui/kubernetes-manifests/production-hm-kafbat-ui-certificate.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: production-hm-kafbat-ui-certificate
+  namespace: production-hm-kafbat-ui
+  annotations:
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PostSync
+spec:
+  commonName: hm-kafbat-ui.internal.hongbomiao.com
+  secretName: production-hm-kafbat-ui-certificate
+  dnsNames:
+    - hm-kafbat-ui.internal.hongbomiao.com
+  issuerRef:
+    kind: ClusterIssuer
+    name: production-lets-encrypt-cluster-issuer
diff --git a/...ations/production-hm/kafbat-ui/kubernetes-manifests/staging-hm-kafbat-ui-certificate.yaml b/...ations/production-hm/kafbat-ui/kubernetes-manifests/staging-hm-kafbat-ui-certificate.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: staging-hm-kafbat-ui-certificate
+  namespace: production-hm-kafbat-ui
+  annotations:
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PostSync
+spec:
+  commonName: hm-kafbat-ui.internal.hongbomiao.com
+  secretName: staging-hm-kafbat-ui-certificate
+  dnsNames:
+    - hm-kafbat-ui.internal.hongbomiao.com
+  issuerRef:
+    kind: ClusterIssuer
+    name: staging-lets-encrypt-cluster-issuer