add gitattributes with git-crypt

2021-02-13 02:10:39 +00:00 · 2021-02-13 02:10:39 +00:00 · b51d58a389
commit b51d58a389
parent 3c7eee2ca0
5 changed files with 97 additions and 10 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -3,14 +3,13 @@ type: kubernetes
 name: default

 steps:
-  - name: test
+  - name: Get terraform files
    image: alpine
    # environment:
      # kek:
      #   from_secret: tfstate
    commands:
-      - "apk update && apk add jq curl perl"
-      # - "sleep 900"
+      - "apk update && apk add jq curl"
      - |
        curl -k https://kubernetes:6443/api/v1/namespaces/drone/configmaps/tfstate -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.tfstate | base64 -d | gzip -d > /terraform.tfstate
      - |
@ -26,7 +25,14 @@ steps:
  - name: Terraform apply
    image: hashicorp/terraform:latest
    commands:
-      - "terraform init && terraform plan"
+      - "terraform init"
+      - "terraform plan -target=module.kubernetes_cluster"
+
+  - name: Update configmap
+    image: alpine
+    commands:
+      - "apk update && apk add curl"
+      - "head terraform.tfstate"
    # plan: true
    # root_dir: "/data/src"
    # var_files:
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,4 @@
+.gitattributes !filter !diff
+
+*.tfstate filter=git-crypt diff=git-crypt
+*.tfvars filter=git-crypt diff=git-crypt
--- a/.gitignore
+++ b/.gitignore
@ -7,7 +7,7 @@
 **/.terraform/*

 # .tfstate files
-*.tfstate
+#*.tfstate
 *.tfstate.*

 # Crash log files
@ -18,7 +18,7 @@ crash.log
 # version control.
 #
 # example.tfvars
-*.tfvars
+#*.tfvars

 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
--- a/main.tf
+++ b/main.tf
@ -1,3 +1,7 @@
+variable "prod" {
+  type    = bool
+  default = false
+}
 variable "vsphere_password" {}
 variable "vsphere_user" {}
 variable "vsphere_server" {}
@ -26,13 +30,26 @@ variable "ansible_prefix" {
  default     = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup"
  description = "Provisioner command"
 }
+
+data "terraform_remote_state" "foo" {
+  backend = "kubernetes"
+  config = {
+    secret_suffix     = "state"
+    namespace         = "drone"
+    in_cluster_config = var.prod
+    host              = "https://kubernetes:6443"
+    //  load_config_file  = true
+  }
+
+  depends_on = [module.kubernetes_cluster]
+}
 provider "kubernetes" {
-  config_path = "~/.kube/config"
+  # config_path = "~/.kube/config"
 }

 provider "helm" {
  kubernetes {
-    config_path = "~/.kube/config"
+    # config_path = "~/.kube/config"
  }
 }

--- a/modules/kubernetes/drone/main.tf
+++ b/modules/kubernetes/drone/main.tf
@ -28,6 +28,28 @@ module "tls_secret" {
  tls_key         = var.tls_key
 }

+resource "kubernetes_config_map" "tfvars" {
+  metadata {
+    name      = "tfvars"
+    namespace = "drone"
+  }
+
+  data = {
+    "tfvars" = base64gzip(file("${path.root}/terraform.tfvars"))
+  }
+}
+
+resource "kubernetes_config_map" "tfstate" {
+  metadata {
+    name      = "tfstate"
+    namespace = "drone"
+  }
+
+  data = {
+    "tfstate" = base64gzip(file("${path.root}/terraform.tfstate"))
+  }
+}
+
 resource "kubernetes_deployment" "drone_server" {
  metadata {
    name      = "drone-server"
@ -141,6 +163,8 @@ resource "kubernetes_ingress" "drone" {
    namespace = "drone"
    annotations = {
      "kubernetes.io/ingress.class" = "nginx"
+      //"nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
+      //"nginx.ingress.kubernetes.io/auth-tls-secret"        = "default/ca-secret"
    }
  }

@ -169,6 +193,11 @@ resource "kubernetes_cluster_role" "drone" {
  metadata {
    name = "drone"
  }
+  rule {
+    api_groups = [""]
+    resources  = ["configmaps"]
+    verbs      = ["get", "list", "update", "patch"]
+  }
  rule {
    api_groups = [""]
    resources  = ["secrets"]
@ -197,7 +226,8 @@ resource "kubernetes_cluster_role_binding" "drone" {
  }
  role_ref {
    kind = "ClusterRole"
-    name      = "drone"
+    # name      = "drone"
+    name      = "cluster-admin"
    api_group = "rbac.authorization.k8s.io"
  }
 }
@ -240,6 +270,15 @@ resource "kubernetes_deployment" "drone_runner" {
              memory = "1Gi"
            }
          }
+          volume_mount {
+            mount_path = "/terraform.tfvars"
+            name       = "tfvars"
+            sub_path   = "tfvars"
+          }
+          # volume_mount {
+          #   mount_path = "/data/"
+          #   name       = "data"
+          # }
          env {
            name  = "DRONE_RPC_HOST"
            value = var.rpc_host
@ -274,6 +313,22 @@ resource "kubernetes_deployment" "drone_runner" {
            value = "true"
          }
        }
+        volume {
+          name = "tfvars"
+          config_map {
+            name = "tfvars"
+          }
+        }
+        # volume {
+        #   name = "data"
+        #   iscsi {
+        #     target_portal = "iscsi.viktorbarzin.lan:3260"
+        #     fs_type       = "ext4"
+        #     iqn           = "iqn.2020-12.lan.viktorbarzin:storage:drone:tfstate"
+        #     lun           = 0
+        #     read_only     = false
+        #   }
+        # }
      }
    }
  }
@ -321,6 +376,11 @@ resource "kubernetes_deployment" "drone_runner_secret" {
            name  = "KUBERNETES_NAMESPACE"
            value = "drone"
          }
+          // Custom variable to start terraform as prod
+          env {
+            name  = "TF_VAR_prod"
+            value = true
+          }
        }
      }
    }