From 4ad1693f0fa17c5cce230ec022a462d469e4d05e Mon Sep 17 00:00:00 2001
From: Hongbo Miao <3375461+hongbo-miao@users.noreply.github.com>
Date: Sun, 14 Jul 2024 23:22:30 -0700
Subject: [PATCH] feat(k8s): add kafbat ui

---
 .../production/aws/kubernetes/main.tf | 24 +++++++
 .../modules/aws/hm_kafbat_ui_iam_role/main.tf | 64 +++++++++++++++++++
 .../aws/hm_kafbat_ui_iam_role/variables.tf | 18 ++++++
 .../production-hm/kafbat-ui/Makefile | 6 ++
 .../hm-kafbat-ui-application.yaml | 58 +++++++++++++++++
 .../hm-kafbat-ui-ingress.yaml | 36 +++++++++++
 .../production-hm-kafbat-ui-certificate.yaml | 17 +++++
 .../staging-hm-kafbat-ui-certificate.yaml | 17 +++++
 8 files changed, 240 insertions(+)
 create mode 100644 cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role/main.tf
 create mode 100644 cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role/variables.tf
 create mode 100644 ops/argo-cd/applications/production-hm/kafbat-ui/Makefile
 create mode 100644 ops/argo-cd/applications/production-hm/kafbat-ui/argo-cd-manifests/hm-kafbat-ui-application.yaml
 create mode 100644 ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/hm-kafbat-ui-ingress.yaml
 create mode 100644 ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/production-hm-kafbat-ui-certificate.yaml
 create mode 100644 ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/staging-hm-kafbat-ui-certificate.yaml

diff --git a/cloud-infrastructure/terraform/environments/production/aws/kubernetes/main.tf b/cloud-infrastructure/terraform/environments/production/aws/kubernetes/main.tf
index 7fcbe20dd2..d3279b5c4f 100644
--- a/cloud-infrastructure/terraform/environments/production/aws/kubernetes/main.tf
+++ b/cloud-infrastructure/terraform/environments/production/aws/kubernetes/main.tf
@@ -556,3 +556,27 @@ module "hm_kubernetes_namespace_hm_redpanda_console" {
     module.hm_amazon_eks_cluster
   ]
 }
+
+# Kafbat UI
+# Kafbat UI - IAM role
+module "hm_kafbat_ui_iam_role" {
+  providers = { aws = aws.production }
+  source = "../../../../modules/aws/hm_kafbat_ui_iam_role"
+  kafbat_ui_service_account_name = "hm-kafbat-ui"
+  kafbat_ui_namespace = "${var.environment}-hm-kafbat-ui"
+  amazon_eks_cluster_oidc_provider = module.hm_amazon_eks_cluster.oidc_provider
+  amazon_eks_cluster_oidc_provider_arn = module.hm_amazon_eks_cluster.oidc_provider_arn
+  environment = var.environment
+  team = var.team
+}
+# Kafbat UI - Kubernetes namespace
+module "hm_kubernetes_namespace_hm_kafbat_ui" {
+  source = "../../../../modules/kubernetes/hm_kubernetes_namespace"
+  kubernetes_namespace = "${var.environment}-hm-kafbat-ui"
+  labels = {
+    "goldilocks.fairwinds.com/enabled" = "true"
+  }
+  depends_on = [
+    module.hm_amazon_eks_cluster
+  ]
+}
diff --git a/cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role/main.tf b/cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role/main.tf
new file mode 100644
index 0000000000..381b0cf82a
--- /dev/null
+++ b/cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role/main.tf
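Review bot: The namespace string `"${var.environment}-hm-kafbat-ui"` is spelled out twice in this hunk, once as `kafbat_ui_namespace` (which ends up in the IRSA `sub` condition) and once as `kubernetes_namespace`, and role assumption only works while the two stay byte-identical; a later edit to one of them fails at pod start with a generic STS error rather than at plan time. Hoist it into a local, `locals { hm_kafbat_ui_namespace = "${var.environment}-hm-kafbat-ui" }`, and reference it from both modules. The role ARN this module produces is also hand-copied into the Argo CD Application manifest in this commit, and the module has no outputs file in this patch; adding an `output "iam_role_arn"` would give that value a single source of truth.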
@@ -0,0 +1,64 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}
+
+locals {
+  aws_iam_role_name_prefix = "KafbatUIRole"
+}
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user
+resource "aws_iam_role" "hm_kafbat_ui_iam_role" {
+  name = "${local.aws_iam_role_name_prefix}-${var.kafbat_ui_service_account_name}"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = var.amazon_eks_cluster_oidc_provider_arn
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "${var.amazon_eks_cluster_oidc_provider}:aud" = "sts.amazonaws.com",
+            "${var.amazon_eks_cluster_oidc_provider}:sub" = "system:serviceaccount:${var.kafbat_ui_namespace}:${var.kafbat_ui_service_account_name}"
+          }
+        }
+      }
+    ]
+  })
+  tags = {
+    Environment = var.environment
+    Team = var.team
+    Name = "${local.aws_iam_role_name_prefix}-${var.kafbat_ui_service_account_name}"
+  }
+}
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy
+resource "aws_iam_role_policy" "hm_kafbat_ui_iam_role_policy" {
+  name = "${local.aws_iam_role_name_prefix}Policy-${var.kafbat_ui_service_account_name}"
+  role = aws_iam_role.hm_kafbat_ui_iam_role.name
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "kafka-cluster:Connect",
+          "kafka-cluster:DescribeCluster",
+          "kafka-cluster:DescribeClusterDynamicConfiguration",
+          "kafka-cluster:DescribeGroup",
+          "kafka-cluster:DescribeTopic",
+          "kafka-cluster:DescribeTopicDynamicConfiguration",
+          "kafka-cluster:DescribeTransactionalId",
+          "kafka-cluster:ReadData"
+        ]
+        Resource = [
+          "*"
+        ]
+      }
+    ]
+  })
+}
diff --git a/cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role/variables.tf b/cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role/variables.tf
new file mode 100644
index 0000000000..42584f0415
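Review bot: `Resource = ["*"]` on the `kafka-cluster:*` statement lets this role connect to, and `ReadData` from, every topic on every MSK cluster in the account, while the only consumer in this commit is one UI pointed at a single bootstrap-server list. Scope the statement to the cluster the UI actually reads: in MSK IAM that is the cluster ARN for `Connect` / `DescribeCluster*`, and the derived `topic/`, `group/` and `transactional-id/` ARNs for the per-object actions, which a new `amazon_msk_cluster_arn` variable in variables.tf can carry in. The statement is read-only by design, so say so in a comment (`# Read-only browsing: no WriteData, CreateTopic, AlterGroup, etc.`) so a later "just add one action" change trips over the intent. Both doc-link comments in this hunk point at `iam_user` / `iam_user_policy` although the resources are `aws_iam_role` / `aws_iam_role_policy`; update them to `.../resources/iam_role` and `.../resources/iam_role_policy`.

```hcl
# … unchanged: terraform block, locals, aws_iam_role …
resource "aws_iam_role_policy" "hm_kafbat_ui_iam_role_policy" {
  name = "${local.aws_iam_role_name_prefix}Policy-${var.kafbat_ui_service_account_name}"
  role = aws_iam_role.hm_kafbat_ui_iam_role.name
  # Read-only browsing: no WriteData, CreateTopic, AlterGroup, etc.
  # MSK IAM object ARNs are derived from the cluster ARN by swapping the
  # ":cluster/" segment, e.g. arn:aws:kafka:<region>:<account>:topic/<name>/<uuid>/<topic>.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "kafka-cluster:Connect",
          "kafka-cluster:DescribeCluster",
          "kafka-cluster:DescribeClusterDynamicConfiguration"
        ]
        Resource = [
          var.amazon_msk_cluster_arn
        ]
      },
      {
        Effect = "Allow"
        Action = [
          "kafka-cluster:DescribeTopic",
          "kafka-cluster:DescribeTopicDynamicConfiguration",
          "kafka-cluster:ReadData"
        ]
        Resource = [
          "${replace(var.amazon_msk_cluster_arn, ":cluster/", ":topic/")}/*"
        ]
      },
      {
        Effect = "Allow"
        Action = [
          "kafka-cluster:DescribeGroup"
        ]
        Resource = [
          "${replace(var.amazon_msk_cluster_arn, ":cluster/", ":group/")}/*"
        ]
      },
      {
        Effect = "Allow"
        Action = [
          "kafka-cluster:DescribeTransactionalId"
        ]
        Resource = [
          "${replace(var.amazon_msk_cluster_arn, ":cluster/", ":transactional-id/")}/*"
        ]
      }
    ]
  })
}
```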
--- /dev/null
+++ b/cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role/variables.tf
@@ -0,0 +1,18 @@
+variable "kafbat_ui_service_account_name" {
+  type = string
+}
+variable "kafbat_ui_namespace" {
+  type = string
+}
+variable "amazon_eks_cluster_oidc_provider" {
+  type = string
+}
+variable "amazon_eks_cluster_oidc_provider_arn" {
+  type = string
+}
+variable "environment" {
+  type = string
+}
+variable "team" {
+  type = string
+}
diff --git a/ops/argo-cd/applications/production-hm/kafbat-ui/Makefile b/ops/argo-cd/applications/production-hm/kafbat-ui/Makefile
new file mode 100644
index 0000000000..3887c0b90d
--- /dev/null
+++ b/ops/argo-cd/applications/production-hm/kafbat-ui/Makefile
@@ -0,0 +1,6 @@
+argo-cd-app-create:
+	argocd app create hm-kafbat-ui --file=manifests/hm-kafbat-ui-application.yaml
+argo-cd-app-update:
+	argocd app create hm-kafbat-ui --file=manifests/hm-kafbat-ui-application.yaml --upsert
+argo-cd-app-delete:
+	argocd app delete hm-kafbat-ui --yes
diff --git a/ops/argo-cd/applications/production-hm/kafbat-ui/argo-cd-manifests/hm-kafbat-ui-application.yaml b/ops/argo-cd/applications/production-hm/kafbat-ui/argo-cd-manifests/hm-kafbat-ui-application.yaml
new file mode 100644
index 0000000000..4556cf9e64
--- /dev/null
+++ b/ops/argo-cd/applications/production-hm/kafbat-ui/argo-cd-manifests/hm-kafbat-ui-application.yaml
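Review bot: None of the six variables carries a `description`, and two of them are inputs whose values must match something outside this module exactly: `kafbat_ui_namespace` and `kafbat_ui_service_account_name` are concatenated into the IRSA `sub` condition in main.tf, so a typo here produces a role that exists but can never be assumed, with nothing at plan time to catch it. Add a one-line `description` to each, e.g. `description = "Namespace of the Kafbat UI ServiceAccount; must equal the namespace in the IRSA sub claim"` and the equivalent for the service-account name. A `validation` block on `amazon_eks_cluster_oidc_provider_arn` requiring the `arn:aws:iam::` prefix would also make a swapped provider/ARN argument fail at plan time rather than at pod start.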
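Review bot: Both `argocd app create` targets pass `--file=manifests/hm-kafbat-ui-application.yaml`, but this commit places the Application at `argo-cd-manifests/hm-kafbat-ui-application.yaml` (see the file headers in this patch), so `make argo-cd-app-create` and `make argo-cd-app-update` fail on a missing file. Change both lines to `--file=argo-cd-manifests/hm-kafbat-ui-application.yaml`. A one-line comment above `argo-cd-app-create` noting that it is for first bootstrap only, and that reruns should use the `--upsert` target, would save the next person the "already exists" error.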
@@ -0,0 +1,58 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: hm-kafbat-ui
+  namespace: production-hm-argo-cd
+  labels:
+    app.kubernetes.io/name: hm-kafbat-ui
+spec:
+  project: production-hm
+  sources:
+    - repoURL: https://kafbat.github.io/helm-charts
+      # https://artifacthub.io/packages/helm/kafka-ui/kafka-ui
+      targetRevision: 1.4.2
+      chart: kafka-ui
+      helm:
+        releaseName: hm-kafbat-ui
+        values: |
+          # https://github.com/kafbat/helm-charts/blob/main/charts/kafka-ui/values.yaml
+          ---
+          yamlApplicationConfig:
+            kafka:
+              clusters:
+                - name: yaml
+                  bootstrapServers: b-1.hmkafka.xxxxxx.xx.kafka.us-west-2.amazonaws.com:9098,b-2.hmkafka.xxxxxx.xx.kafka.us-west-2.amazonaws.com:9098,b-3.hmkafka.xxxxxx.xx.kafka.us-west-2.amazonaws.com:9098
+                  properties:
+                    security.protocol: SASL_SSL
+                    sasl.mechanism: AWS_MSK_IAM
+                    sasl.jaas.config: software.amazon.msk.auth.iam.IAMLoginModule required;
+                    sasl.client.callback.handler.class: software.amazon.msk.auth.iam.IAMClientCallbackHandler
+            auth:
+              type: disabled
+            management:
+              health:
+                ldap:
+                  enabled: false
+          serviceAccount:
+            create: true
+            annotations:
+              eks.amazonaws.com/role-arn: arn:aws:iam::272394222652:role/KafbatUIRole-hm-kafbat-ui
+          resources:
+            requests:
+              cpu: 50m
+              memory: 512Mi
+            limits:
+              cpu: 300m
+              memory: 2Gi
+    - repoURL: git@github.com:hongbo-miao/hongbomiao.com.git
+      targetRevision: HEAD
+      path: ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests
+  destination:
+    namespace: production-hm-kafbat-ui
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    syncOptions:
+      - ServerSideApply=true
+    automated:
+      prune: true
diff --git a/ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/hm-kafbat-ui-ingress.yaml b/ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/hm-kafbat-ui-ingress.yaml
new file mode 100644
index 0000000000..f7438dbfcb
--- /dev/null
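Review bot: `auth.type: disabled` ships the UI with no login at all, while the same commit binds its ServiceAccount to an IAM role holding `kafka-cluster:ReadData` on `*` and routes a DNS name to it through the Ingress, so anyone who can reach `hm-kafbat-ui.internal.hongbomiao.com` can read every message in every topic. Kafbat UI accepts `auth.type: OAUTH2`, `LDAP` or `LOGIN_FORM` in this same `yamlApplicationConfig` block; switch to one of them, or at least gate the Ingress behind a forward-auth or IP-allowlist middleware, before this is synced to production. The bootstrap servers are committed as `b-1.hmkafka.xxxxxx.xx...`, which reads like a redacted placeholder, so either the real value is injected elsewhere or the chart cannot connect as written; and the account-specific `eks.amazonaws.com/role-arn` is hand-copied from a Terraform module that exposes no output in this patch, so a pointer comment (`# Role is managed by cloud-infrastructure/terraform/modules/aws/hm_kafbat_ui_iam_role`) would at least tell the next reader where it comes from. `targetRevision: HEAD` on the git source together with `automated.prune: true` applies any push to the default branch immediately; naming the branch explicitly is the usual Argo CD practice.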
+++ b/ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/hm-kafbat-ui-ingress.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hm-kafbat-ui-ingress
+  namespace: production-hm-kafbat-ui
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    # https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/#on-ingress
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    # https://kubernetes-sigs.github.io/external-dns/latest/annotations/annotations
+    external-dns.alpha.kubernetes.io/hostname: hm-kafbat-ui.internal.hongbomiao.com
+    # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+    cert-manager.io/cluster-issuer: production-lets-encrypt-cluster-issuer
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PostSync
+  labels:
+    app.kubernetes.io/name: hm-kafbat-ui-ingress
+    app.kubernetes.io/part-of: production-hm-kafbat-ui
+spec:
+  rules:
+    - host: hm-kafbat-ui.internal.hongbomiao.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: hm-kafbat-ui-kafka-ui
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - hm-kafbat-ui.internal.hongbomiao.com
+      secretName: production-hm-kafbat-ui-certificate
diff --git a/ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/production-hm-kafbat-ui-certificate.yaml b/ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/production-hm-kafbat-ui-certificate.yaml
new file mode 100644
index 0000000000..3f15d5fa45
--- /dev/null
+++ b/ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/production-hm-kafbat-ui-certificate.yaml
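Review bot: This Ingress publishes a UI that the Application in this commit configures with `auth.type: disabled`, registers the host in external DNS, and applies no access control on the route. Add a Traefik `Middleware` (an `ipAllowList` or `forwardAuth`) and attach it with `traefik.ingress.kubernetes.io/router.middlewares: <namespace>-<middleware-name>@kubernetescrd`, or keep the host off external DNS until authentication is enabled in the chart values. The `cert-manager.io/cluster-issuer` annotation makes ingress-shim create a Certificate named after `secretName`, i.e. `production-hm-kafbat-ui-certificate`, which is the same name as the explicit Certificate added in this commit; keep one mechanism, and since the explicit resource is the more controllable of the two, drop the annotation. `kubernetes.io/ingress.class` is deprecated in favour of `spec.ingressClassName: traefik`.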
@@ -0,0 +1,17 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: production-hm-kafbat-ui-certificate
+  namespace: production-hm-kafbat-ui
+  annotations:
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PostSync
+spec:
+  commonName: hm-kafbat-ui.internal.hongbomiao.com
+  secretName: production-hm-kafbat-ui-certificate
+  dnsNames:
+    - hm-kafbat-ui.internal.hongbomiao.com
+  issuerRef:
+    kind: ClusterIssuer
+    name: production-lets-encrypt-cluster-issuer
diff --git a/ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/staging-hm-kafbat-ui-certificate.yaml b/ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/staging-hm-kafbat-ui-certificate.yaml
new file mode 100644
index 0000000000..3d6c6737e2
--- /dev/null
+++ b/ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/staging-hm-kafbat-ui-certificate.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: staging-hm-kafbat-ui-certificate
+  namespace: production-hm-kafbat-ui
+  annotations:
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PostSync
+spec:
+  commonName: hm-kafbat-ui.internal.hongbomiao.com
+  secretName: staging-hm-kafbat-ui-certificate
+  dnsNames:
+    - hm-kafbat-ui.internal.hongbomiao.com
+  issuerRef:
+    kind: ClusterIssuer
+    name: staging-lets-encrypt-cluster-issuer
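Review bot: The Certificate does not set `privateKey.rotationPolicy`; on cert-manager releases where the default is `Never`, the same private key is reused at every renewal, so a key that leaks once stays valid for the life of the hostname. Add `privateKey:` / `  rotationPolicy: Always` under `spec` (harmless if the installed release already defaults to Always). The `argocd.argoproj.io/hook: PostSync` annotation turns a long-lived Certificate into a sync-time hook, which looks intentional (to order it after the chart's resources) but is unusual enough to deserve a comment stating that intent, e.g. `# PostSync hook so the Certificate is created after the chart has synced`.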
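Review bot: This Certificate requests a Let's Encrypt staging certificate for the production hostname in the production namespace, but nothing in this commit references its `secretName` (`staging-hm-kafbat-ui-certificate`); the Ingress only uses `production-hm-kafbat-ui-certificate`. As written it adds an extra ACME order and leaves an untrusted certificate in the namespace for no consumer. If it is meant as a rate-limit-safe dry run of the DNS/solver setup, say so in a comment (`# Staging issuer: validates solver setup without spending production rate limits; not referenced by the Ingress`) or remove it once the production certificate is confirmed issued.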