Merge pull request #56 from pluralsh/stacks-support

Work towards adding support for stacks in `plural up`
pluralsh · Jun 30, 2024 · 1fb89d5 · 1fb89d5
2 parents 6debe1d + c40c61e
commit 1fb89d5
Show file tree

Hide file tree

Showing 58 changed files with 923 additions and 220 deletions.
diff --git a/apps/repositories/runtime.yaml b/apps/repositories/runtime.yaml
@@ -5,4 +5,22 @@ metadata:
   namespace: infra
 spec:
   interval: 5m0s
-  url: https://pluralsh.github.io/bootstrap
+  url: https://pluralsh.github.io/bootstrap
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: cert-manager
+  namespace: infra
+spec:
+  interval: 5m0s
+  url: https://charts.jetstack.io
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: flux
+  namespace: infra
+spec:
+  interval: 5m0s
+  url: https://fluxcd-community.github.io/helm-charts
diff --git a/apps/services/pr-automation/cluster-creator.yaml b/apps/services/pr-automation/cluster-creator.yaml
@@ -0,0 +1,44 @@
+apiVersion: deployments.plural.sh/v1alpha1
+kind: PrAutomation
+metadata:
+  name: cluster-creator
+spec:
+  name: cluster-creator
+  documentation: |
+    Sets up a PR to provision a cluster for a fleet + stage
+  creates:
+    templates:
+    - source: templates/clusters/stack.yaml
+      destination: "apps/clusters/{{ context.cloud }}/stacks/{{ context.name }}.yaml"
+      external: false
+    - source: templates/clusters/cluster.yaml
+      destination: "apps/clusters/{{ context.cloud }}/clusters/{{ context.name }}.yaml"
+      external: false
+    - source: templates/clusters/clusters.yaml
+      destination: "apps/services/clusters.yaml"
+      external: false
+  scmConnectionRef:
+    name: github  # you'll need to add this ScmConnection manually before this is functional
+  title: "Adding {{ context.cloud }} cluster: {{ context.name }}"
+  message: "Adding {{ context.cloud }} cluster {{ context.name }} and registering it with Plural"
+  identifier: [[ .Identifier ]] # REPLACEME with your own repo slug
+  configuration:
+  - name: name
+    type: STRING
+    documentation: name for this cluster
+  - name: cloud
+    type: ENUM
+    documentation: the cloud you'll host on
+    values:
+    - aws
+    - gcp
+    - azure
+  - name: fleet
+    type: STRING
+    documentation: a name for the fleet you want this cluster to belong to
+  - name: tier
+    type: ENUM
+    documentation: what tier to place this cluster in
+    values:
+    - dev
+    - prd
diff --git a/apps/services/pr-automation/scm.yaml b/apps/services/pr-automation/scm.yaml
@@ -0,0 +1,8 @@
+# You will need to manually create the github scm connection this refers to
+# apiVersion: deployments.plural.sh/v1alpha1
+# kind: ScmConnection
+# metadata:
+#   name: github
+# spec:
+#   name: github
+#   type: GITHUB
diff --git a/apps/services/runtime.yaml b/apps/services/runtime.yaml
@@ -5,6 +5,7 @@ metadata:
   name: cert-manager
   namespace: infra
 spec:
+  version: 0.0.1
   namespace: cert-manager
   git:
     folder: helm-values
@@ -19,7 +20,7 @@ spec:
     valuesFiles:
     - certmanager.yaml
     repository:
-      namespace: plural-runtime
+      namespace: infra
       name: cert-manager
   clusterRef:
     kind: Cluster
@@ -32,6 +33,7 @@ metadata:
   name: flux
   namespace: infra
 spec:
+  version: 0.0.1
   namespace: flux
   git:
     folder: helm-values
@@ -46,7 +48,7 @@ spec:
     valuesFiles:
     - flux.yaml
     repository:
-      namespace: plural-runtime
+      namespace: infra
       name: flux
   clusterRef:
     kind: Cluster
@@ -59,6 +61,7 @@ metadata:
   name: runtime
   namespace: infra
 spec:
+  version: 0.0.1
   namespace: plural-runtime
   git:
     folder: helm-values

diff --git a/apps/services/settings.yaml b/apps/services/settings.yaml
@@ -0,0 +1,10 @@
+apiVersion: deployments.plural.sh/v1alpha1
+kind: DeploymentSettings
+metadata:
+  name: global
+  namespace: plrl-deploy-operator
+spec:
+  stacks:
+    jobSpec:
+      namespace: plrl-deploy-operator
+      serviceAccount: stacks
diff --git a/apps/services/setup.yaml b/apps/services/setup.yaml
@@ -4,7 +4,7 @@ metadata:
   name: infra
   namespace: infra
 spec:
-  url: {{ configuration.repoUrl }}
+  url: [[ .RepoUrl ]]
 ---
 apiVersion: deployments.plural.sh/v1alpha1
 kind: Cluster

diff --git a/templates/clusters/cluster.yaml b/templates/clusters/cluster.yaml
@@ -0,0 +1,7 @@
+apiVersion: deployments.plural.sh/v1alpha1
+kind: Cluster
+metadata:
+  name: {{ context.name }}
+  namespace: infra
+spec:
+  handle: {{ context.name }}
diff --git a/templates/clusters/clusters.yaml b/templates/clusters/clusters.yaml
@@ -0,0 +1,17 @@
+apiVersion: deployments.plural.sh/v1alpha1
+kind: ServiceDeployment
+metadata:
+  name: clusters
+  namespace: infra
+spec:
+  namespace: infra
+  git:
+    folder: apps/clusters
+    ref: main
+  repositoryRef:
+    kind: GitRepository
+    name: infra
+    namespace: infra
+  clusterRef:
+    name: mgmt
+    namespace: infra
diff --git a/templates/clusters/eks/create.tf.liquid b/templates/clusters/eks/create.tf.liquid
diff --git a/templates/clusters/eks/register.tf.liquid b/templates/clusters/eks/register.tf.liquid
diff --git a/templates/clusters/stack.yaml b/templates/clusters/stack.yaml
@@ -0,0 +1,29 @@
+apiVersion: deployments.plural.sh/v1alpha1
+kind: InfrastructureStack
+metadata:
+  name: cluster-{{ context.name }}
+spec:
+  name: cluster-{{ context.name }}
+  detach: false
+  type: TERRAFORM
+  approval: true
+  manageState: true
+  actor: console@plural.sh
+  configuration:
+    version: '1.8'
+  repositoryRef:
+    name: infra
+    namespace: infra
+  clusterRef:
+    name: mgmt
+    namespace: infra
+  git:
+    ref: main
+    folder: terraform/modules/clusters/{{ context.cloud }}
+  environment:
+  - name: TF_VAR_cluster
+    value: {{ context.name }}
+  - name: TF_VAR_fleet
+    value: {{ context.fleet }}
+  - name: TF_VAR_tier
+    value: {{ context.tier }}
diff --git a/templates/setup/console.tf b/templates/setup/console.tf
@@ -86,3 +86,7 @@ resource "helm_release" "console" {
 
   depends_on = [ module.mgmt.cluster, helm_release.runtime, module.mgmt.db_url ]
 }
+
+output "identity" {
+  value = module.mgmt.identity 
+}
diff --git a/templates/setup/providers/aws.tf b/templates/setup/providers/aws.tf
@@ -1,4 +1,4 @@
 module "mgmt" {
-    source        = "../bootstrap/terraform/clouds/aws"
+    source        = "../terraform/modules/mgmt"
     cluster_name  = "{{ .Cluster }}"
 }
diff --git a/templates/setup/providers/azure.tf b/templates/setup/providers/azure.tf
@@ -1,5 +1,5 @@
 module "mgmt" {
-    source              = "../bootstrap/terraform/clouds/azure"
+    source              = "../terraform/modules/mgmt"
     resource_group_name = "{{ .Project }}"
     cluster_name        = "{{ .Cluster }}"
     location            = "{{ .Region }}"

diff --git a/templates/setup/providers/gcp.tf b/templates/setup/providers/gcp.tf
@@ -1,5 +1,5 @@
 module "mgmt" {
-    source        = "../bootstrap/terraform/clouds/gcp"
+    source        = "../terraform/modules/mgmt"
     project_id    = "{{ .Project }}"
     cluster_name  = "{{ .Cluster }}"
     region        = "{{ .Region }}"

diff --git a/templates/setup/providers/linode.tf b/templates/setup/providers/linode.tf
@@ -1,5 +1,5 @@
 module "mgmt" {
-    source       = "../bootstrap/terraform/clouds/linode"
+    source       = "../terraform/modules/mgmt"
     cluster_name = "{{ .Cluster }}"
     region       = "{{ .Region }}"
 }
diff --git a/templates/setup/stacks/aws.yaml b/templates/setup/stacks/aws.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: stacks
+  namespace: plrl-deploy-operator
+  annotations:
+    eks.amazonaws.com/role-arn: {{ .StacksIdentity }}
diff --git a/templates/setup/stacks/azure.yaml b/templates/setup/stacks/azure.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: stacks
+  namespace: plrl-deploy-operator
+  annotations:
+    azure.workload.identity/client-id: {{ .StacksIdentity }}
diff --git a/templates/setup/stacks/gcp.yaml b/templates/setup/stacks/gcp.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: stacks
+  namespace: plrl-deploy-operator
+  annotations:
+    iam.gke.io/gcp-service-account: {{ .StacksIdentity }}
diff --git a/terraform/clouds/aws/eks.tf b/terraform/clouds/aws/eks.tf
@@ -11,6 +11,8 @@ module "eks" {
   subnet_ids               = module.vpc.private_subnets
   control_plane_subnet_ids = module.vpc.public_subnets
 
+  create_kms_key = false
+
   # EKS Managed Node Group(s)
   eks_managed_node_group_defaults = merge(var.node_group_defaults,
     {ami_release_version = data.aws_ssm_parameter.eks_ami_release_version.value})

diff --git a/terraform/clouds/aws/iam.tf b/terraform/clouds/aws/iam.tf
@@ -0,0 +1,28 @@
+module "assumable_role_stacks" {
+  source           = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version          = "5.39.1"
+  create_role      = true
+  role_name        = "${var.cluster_name}-plrl-stacks"
+  provider_url     = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
+  role_policy_arns = [aws_iam_policy.stacks.arn]
+  oidc_fully_qualified_subjects = [
+    "system:serviceaccount:plrl-deploy-operator:stacks",
+  ]
+}
+
+resource "aws_iam_policy" "stacks" {
+  name_prefix = "stacks"
+  description = "stacks permissions for ${var.cluster_name}"
+  policy      = <<-POLICY
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "*",
+          "Resource": "*"
+        }
+      ]
+    }
+  POLICY
+}
diff --git a/terraform/clouds/aws/locals.tf b/terraform/clouds/aws/locals.tf
@@ -5,5 +5,6 @@ locals {
     cluster = module.eks
     addons = module.eks_blueprints_addons
   }
+  vpc_name = var.vpc_name == "" ? "${var.cluster_name}-vpc" : var.vpc_name
   monitoring_role_name = var.monitoring_role == "" ? "${var.cluster_name}-PluralRDSMonitoringRole" : var.monitoring_role
 }
diff --git a/terraform/clouds/aws/outputs.tf b/terraform/clouds/aws/outputs.tf
@@ -232,4 +232,8 @@ output "db_url" {
 
 output "ready" {
     value = local.cluster_ready
+}
+
+output "identity" {
+  value = module.assumable_role_stacks.iam_role_arn
 }
diff --git a/terraform/clouds/aws/variables.tf b/terraform/clouds/aws/variables.tf
@@ -35,7 +35,7 @@ variable "public" {
 
 variable "vpc_name" {
   type    = string
-  default = "plural"
+  default = ""
 }
 
 variable "vpc_cidr" {

diff --git a/terraform/clouds/azure/iam.tf b/terraform/clouds/azure/iam.tf
@@ -12,4 +12,28 @@ resource "azurerm_role_assignment" "aks-network-identity-ssi" {
   principal_id         = module.aks.cluster_identity.principal_id
 
   depends_on = [module.aks, azurerm_virtual_network.network]
+}
+
+
+
+resource "azurerm_user_assigned_identity" "stacks" {
+  resource_group_name = local.resource_group.name
+  location            = local.resource_group.location
+
+  name = "${var.cluster_name}-plrl-stacks"
+}
+
+resource "azurerm_role_assignment" "stacks-ssi" {
+  scope                = local.rg.id
+  role_definition_name = "Owner"
+  principal_id         = azurerm_user_assigned_identity.stacks.principal_id
+}
+
+resource "azurerm_federated_identity_credential" "stacks" {
+  name                = "${var.cluster_name}-stacks"
+  resource_group_name = local.resource_group.name
+  audience            = ["api://AzureADTokenExchange"]
+  issuer              = module.aks.oidc_issuer_url
+  parent_id           = azurerm_user_assigned_identity.stacks.id
+  subject             = "system:serviceaccount:plrl-deploy-operator:stacks"
 }