diff --git a/.drone.yml b/.drone.yml index baa3b426..e7c72402 100644 --- a/.drone.yml +++ b/.drone.yml @@ -3,36 +3,26 @@ type: kubernetes name: default steps: - - name: Get terraform files + - name: PRepare terraform files image: alpine - # environment: - # kek: - # from_secret: tfstate commands: - - "apk update && apk add jq curl" + - "apk update && apk add jq curl git git-crypt" - | - curl -k https://kubernetes:6443/api/v1/namespaces/drone/configmaps/tfstate -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.tfstate | base64 -d | gzip -d > /terraform.tfstate - - | - curl -k https://kubernetes:6443/api/v1/namespaces/drone/configmaps/tfvars -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.tfvars | base64 -d | gzip -d > /terraform.tfvars - - "cp /terraform.tfstate . && cp /terraform.tfvars ." - # - "cat /terraform.tfvars | head" - # - "env | grep kek" - # - 'echo $kek > /terraform.tfstate' - # - "sleep 300" - # volumes: - # - name: tfstate - # path: /terraform.tfstate + curl -k https://kubernetes:6443/api/v1/namespaces/drone/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key + - "git-crypt unlock /tmp/key" - name: Terraform apply image: hashicorp/terraform:latest + environment: + TF_VAR_prod: "true" commands: - "terraform init" - "terraform plan -target=module.kubernetes_cluster" - - name: Update configmap - image: alpine - commands: - - "apk update && apk add curl" - - "head terraform.tfstate" + # - name: Update configmap + # image: alpine + # commands: + # - "apk update && apk add curl" + # - "head terraform.tfstate" # plan: true # root_dir: "/data/src" # var_files: @@ -47,3 +37,8 @@ steps: # get: # path: tfstate-default-state # name: tfstate + +# --- +# kind: secret +# name: tfstate +# data: zQSRlrUlUyY/lJL4AADpjTt+CfLmybuZqI4uHbPKv8kn2Aq4jomsNmseYgvrxbOF 
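Review bot: The new curl call in the `PRepare terraform files` step still passes `-k`, so the runner's service-account token is sent to whatever answers at `kubernetes:6443` without the server certificate being checked. The pod already has the cluster CA, so `curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt https://kubernetes:6443/...` verifies the API server at no extra cost. The decrypted git-crypt key is also left at `/tmp/key` for the rest of the step; `git-crypt unlock /tmp/key && rm -f /tmp/key` drops it once the working tree is unlocked. Separately, the step name typo `PRepare` should read `Prepare`, and the step called `Terraform apply` only runs `terraform plan`, so either the name or the command is misleading.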
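Review bot: The commented-out `kind: secret` block appended at the end of the file carries a `data:` value, so a secret-like payload now sits in a committed pipeline file even though nothing reads it. Whether or not that value is still usable, it should be deleted rather than commented out, and if it was ever a live Drone secret it should be rotated now that it is in history. If the intent is to keep an example of the Drone secret resource, replace the value with a placeholder such as `data: <base64-encoded-secret>`.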
diff --git a/.gitattributes b/.gitattributes index f0fa86e8..ecbe4335 100644 --- a/.gitattributes +++ b/.gitattributes @@ -2,3 +2,4 @@ *.tfstate filter=git-crypt diff=git-crypt *.tfvars filter=git-crypt diff=git-crypt +secrets/** filter=git-crypt diff=git-crypt diff --git a/.gitignore b/.gitignore index c355cccc..7e133df2 100644 --- a/.gitignore +++ b/.gitignore @@ -33,3 +33,4 @@ override.tf.json # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan # example: *tfplan* +git_crypt.key diff --git a/main.tf b/main.tf index bb24fa31..62186ecf 100644 --- a/main.tf +++ b/main.tf @@ -44,12 +44,12 @@ data "terraform_remote_state" "foo" { depends_on = [module.kubernetes_cluster] } provider "kubernetes" { - # config_path = "~/.kube/config" + config_path = var.prod ? "" : "~/.kube/config" } provider "helm" { kubernetes { - # config_path = "~/.kube/config" + config_path = var.prod ? "" : "~/.kube/config" } } diff --git a/modules/kubernetes/drone/main.tf b/modules/kubernetes/drone/main.tf index b7325b24..91c5b08c 100644 --- a/modules/kubernetes/drone/main.tf +++ b/modules/kubernetes/drone/main.tf @@ -28,25 +28,14 @@ module "tls_secret" { tls_key = var.tls_key } -resource "kubernetes_config_map" "tfvars" { +resource "kubernetes_config_map" "git_crypt_key" { metadata { - name = "tfvars" + name = "git-crypt-key" namespace = "drone" } data = { - "tfvars" = base64gzip(file("${path.root}/terraform.tfvars")) - } -} - -resource "kubernetes_config_map" "tfstate" { - metadata { - name = "tfstate" - namespace = "drone" - } - - data = { - "tfstate" = base64gzip(file("${path.root}/terraform.tfstate")) + "key" = filebase64("${path.root}/.git/git-crypt/keys/default") } } 
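Review bot: The new `secrets/**` pattern only applies to files staged after the attribute exists; anything under `secrets/` committed earlier stays plaintext in history, and `git-crypt status -e` lists which tracked files are actually encrypted. A comment above the line, `# encrypt everything under secrets/; verify with git-crypt status -e`, would make the expectation explicit for the next person adding a file there.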
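Review bot: Both provider blocks now read `config_path = var.prod ? "" : "~/.kube/config"`, but `var.prod` is not declared in this hunk and the pipeline feeds it as the string `TF_VAR_prod: "true"`, so an untyped variable would rely on Terraform's implicit string-to-bool conversion in the conditional. Declaring `prod` with `type = bool` and `default = false` makes the intent explicit and rejects anything other than true/false. Using `null` rather than `""` for the production branch, `config_path = var.prod ? null : "~/.kube/config"`, is the conventional way to leave a provider argument unset; whether these providers treat `""` identically should be confirmed against their documentation. The same applies to the `helm` provider's nested `kubernetes` block in the second `main.tf` hunk.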
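Review bot: `kubernetes_config_map.git_crypt_key` places the repository's git-crypt symmetric key, read straight from `${path.root}/.git/git-crypt/keys/default`, into a ConfigMap, which is neither gated by `secrets` RBAC nor covered by at-rest Secret encryption where a cluster enables it, and the pipeline fetches it with the runner's service-account token. A `kubernetes_secret` resource with `binary_data = { key = filebase64("${path.root}/.git/git-crypt/keys/default") }` keeps the same consumer path (`.data.key`, base64) while letting access to the key be scoped like other secrets. The key also lands in `terraform.tfstate`, which this commit starts committing under git-crypt protection using that very key; a comment on the resource such as `# git-crypt key handed to the Drone runner; also present in state, so state must stay encrypted` would record that dependency.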
@@ -270,15 +259,6 @@ resource "kubernetes_deployment" "drone_runner" { memory = "1Gi" } } - volume_mount { - mount_path = "/terraform.tfvars" - name = "tfvars" - sub_path = "tfvars" - } - # volume_mount { - # mount_path = "/data/" - # name = "data" - # } env { name = "DRONE_RPC_HOST" value = var.rpc_host @@ -300,8 +280,7 @@ resource "kubernetes_deployment" "drone_runner" { value = var.rpc_secret } env { - name = "DRONE_SECRET_PLUGIN_ENDPOINT" - # value = "http://localhost:3000" + name = "DRONE_SECRET_PLUGIN_ENDPOINT" value = "http://drone-runner-secret.drone.svc.cluster.local:3000" } env { @@ -313,12 +292,12 @@ resource "kubernetes_deployment" "drone_runner" { value = "true" } } - volume { - name = "tfvars" - config_map { - name = "tfvars" - } - } + # volume { + # name = "tfvars" + # config_map { + # name = "tfvars" + # } + # } # volume { # name = "data" # iscsi { diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index 3d309ce9..ead8bbbb 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -155,6 +155,13 @@ module privatebin { depends_on = [null_resource.core_services] } +module vault { + source = "./vault" + tls_secret_name = var.tls_secret_name + tls_crt = var.tls_crt + tls_key = var.tls_key +} + module webhook_handler { source = "./webhook_handler" tls_secret_name = var.tls_secret_name diff --git a/modules/kubernetes/vault/chart_values.tpl b/modules/kubernetes/vault/chart_values.tpl new file mode 100644 index 00000000..79d54847 --- /dev/null +++ b/modules/kubernetes/vault/chart_values.tpl 
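Review bot: The new `module vault` block omits the `depends_on = [null_resource.core_services]` that the adjacent `privatebin` module declares; if vault's ingress and TLS secret rely on the same core services (the ingress controller, for instance), the module will race them on a fresh apply. If that dependency is intended, add `depends_on = [null_resource.core_services]` to the block; if it is deliberately absent, a one-line comment saying why would stop the next reader from "fixing" it.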
@@ -0,0 +1,24 @@ +injector: + metrics: + enabled: true +server: + enabled: true + volumes: + - name: data + emptyDir: {} + ingress: + enabled: true + annotations: + "kubernetes.io/ingress.class": "nginx" + "nginx.ingress.kubernetes.io/auth-tls-verify-client": "on" + "nginx.ingress.kubernetes.io/auth-tls-secret": "default/ca-secret" + hosts: + - host: "${host}" + paths: + - / + tls: + - secretName: ${tls_secret_name} + hosts: + - "${host}" +ui: + enabled: true diff --git a/modules/kubernetes/vault/main.tf b/modules/kubernetes/vault/main.tf new file mode 100644 index 00000000..39e25425 --- /dev/null +++ b/modules/kubernetes/vault/main.tf @@ -0,0 +1,51 @@ +variable "tls_secret_name" {} +variable "tls_crt" {} +variable "tls_key" {} +variable "host" { + default = "vault.viktorbarzin.me" +} + +resource "kubernetes_namespace" "vault" { + metadata { + name = "vault" + } +} + +module "tls_secret" { + source = "../setup_tls_secret" + namespace = "vault" + tls_secret_name = var.tls_secret_name + tls_crt = var.tls_crt + tls_key = var.tls_key +} + +resource "kubernetes_persistent_volume" "vault_data" { + metadata { + name = "vauld-data-pv" + } + spec { + capacity = { + "storage" = "10Gi" + } + access_modes = ["ReadWriteOnce"] + persistent_volume_source { + iscsi { + target_portal = "iscsi.viktorbarzin.lan:3260" + iqn = "iqn.2020-12.lan.viktorbarzin:storage:vault" + lun = 0 + fs_type = "ext4" + } + } + } +} + +resource "helm_release" "prometheus" { + namespace = "vault" + create_namespace = true + name = "vault" + + repository = "https://helm.releases.hashicorp.com" + chart = "vault" + + values = [templatefile("${path.module}/chart_values.tpl", { host = var.host, tls_secret_name = var.tls_secret_name })] +} diff --git a/terraform.tfstate b/terraform.tfstate new file mode 100644 index 00000000..fbabc601 Binary files /dev/null and b/terraform.tfstate differ 
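Review bot: `${tls_secret_name}` is interpolated unquoted in the `tls` list while `${host}` is quoted everywhere else; write `- secretName: "${tls_secret_name}"` so a name that happens to look like a number or boolean is not retyped by the YAML parser. The `server.volumes` entry mounts `data` as `emptyDir: {}`, which makes Vault's data ephemeral across pod restarts, while `vault/main.tf` in the next hunk creates an iSCSI persistent volume that nothing claims; if the PV is meant to back Vault, it should be bound through the chart's persistent-storage values rather than an emptyDir. The `auth-tls-verify-client: "on"` annotation enforces client certificates at the ingress, which is good, but a comment naming the CA secret's origin (`default/ca-secret`) would help whoever rotates it.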
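Review bot: `module "tls_secret"` and `helm_release` both use the literal `namespace = "vault"` with no dependency on `kubernetes_namespace.vault`, so on a fresh apply they can be created before the namespace exists; `namespace = kubernetes_namespace.vault.metadata[0].name` expresses the ordering without a `depends_on`. With the namespace managed as a resource, `create_namespace = true` on the release is redundant and worth removing to keep one owner. The release is named `"prometheus"` but installs the `vault` chart, and the PV name `vauld-data-pv` looks like a typo for `vault-data-pv`; both will be confusing in state and plan output. If the Terraform version in use supports it, `tls_crt` and `tls_key` should be declared with `sensitive = true` so their values are redacted from plan output.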
diff --git a/terraform.tfvars b/terraform.tfvars
new file mode 100644
index 00000000..d48292de
Binary files /dev/null and b/terraform.tfvars differ