TG-598 Add route metrics and healthz paths (#197)

* TG-598 Add route metrics and healthz paths

* TG-598 Refactor routing metrics paths

Co-authored-by: Filippo Morelli <filippo@20tab.com>

Author: trottomv

{{cookiecutter.project_dirname}}/terraform/environment/digitalocean-k8s/main.tf

@@ -184,6 +184,23 @@ module "routing" {
   monitoring_subdomain = var.monitoring_subdomain
 }
 
+
+/* Routing Metrics */
+
+module "metrics" {
+  count = var.stack_slug == "main" ? 1 : 0
+
+  source = "../modules/kubernetes/metrics"
+
+  project_domain = var.project_domain
+
+  basic_auth_enabled  = var.basic_auth_enabled
+  basic_auth_username = var.basic_auth_username
+  basic_auth_password = var.basic_auth_password
+
+  tls_secret_name = module.routing.tls_secret_name
+}
+
 /* Secrets */
 
 resource "kubernetes_secret_v1" "regcred" {

{{cookiecutter.project_dirname}}/terraform/environment/modules/kubernetes/metrics/main.tf

@@ -0,0 +1,102 @@
+locals {
+  basic_auth_ready = alltrue(
+    [
+      var.basic_auth_enabled,
+      var.basic_auth_username != "",
+      var.basic_auth_password != ""
+    ]
+  )
+}
+
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.9.0"
+    }
+  }
+}
+
+/* Metrics Ingress Route */
+
+resource "kubernetes_secret_v1" "metrics_basic_auth" {
+  count = local.basic_auth_ready ? 1 : 0
+
+  metadata {
+    name      = "metrics-basic-auth"
+    namespace = "kube-system"
+  }
+
+  data = {
+    username = var.basic_auth_username
+    password = var.basic_auth_password
+  }
+
+  type = "kubernetes.io/basic-auth"
+}
+
+resource "kubernetes_manifest" "metrics_basic_auth_middleware" {
+  count = local.basic_auth_ready ? 1 : 0
+
+  manifest = {
+    apiVersion = "traefik.containo.us/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "metrics-basic-auth-middleware"
+      namespace = "kube-system"
+    }
+    spec = {
+      basicAuth = {
+        removeHeader = true
+        secret       = kubernetes_secret_v1.metrics_basic_auth[0].metadata[0].name
+      }
+    }
+  }
+}
+
+resource "kubernetes_manifest" "metrics_ingress_route" {
+
+  manifest = {
+    apiVersion = "traefik.containo.us/v1alpha1"
+    kind       = "IngressRoute"
+    metadata = {
+      name      = "metrics-ingress-route"
+      namespace = "kube-system"
+    }
+    spec = merge(
+      {
+        entryPoints = var.tls_secret_name != "" ? ["websecure"] : ["web"]
+        routes = concat(
+          local.basic_auth_ready ? [
+            {
+              kind        = "Rule"
+              match       = "Host(`${var.project_domain}`) && PathPrefix(`/metrics`)"
+              middlewares = [{ "name" : "metrics-basic-auth-middleware" }]
+              services = [
+                {
+                  name = "kube-state-metrics"
+                  port = 8080
+                }
+              ]
+          }] : [],
+          [{
+            kind        = "Rule"
+            match       = "Host(`${var.project_domain}`) && PathPrefix(`/healthz`)"
+            middlewares = []
+            services = [
+              {
+                name = "kube-state-metrics"
+                port = 8080
+              }
+            ]
+            }
+        ])
+      },
+      var.tls_secret_name != "" ? {
+        tls = {
+          secretName = var.tls_secret_name
+        }
+      } : {}
+    )
+  }
+}

{{cookiecutter.project_dirname}}/terraform/environment/modules/kubernetes/metrics/variables.tf

@@ -0,0 +1,23 @@
+variable "basic_auth_password" {
+  description = "The basic_auth password."
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "basic_auth_username" {
+  description = "The basic_auth username."
+  type        = string
+  default     = ""
+}
+
+variable "project_domain" {
+  description = "The project domain."
+  type        = string
+}
+
+variable "tls_secret_name" {
+  description = "The tls secret name"
+  type        = string
+  default     = ""
+}

{{cookiecutter.project_dirname}}/terraform/environment/modules/kubernetes/routing/main.tf

@@ -1,5 +1,5 @@
 locals {
-  basic_auth_enabled = alltrue(
+  basic_auth_ready = alltrue(
     [
       var.basic_auth_enabled,
       var.basic_auth_username != "",
@@ -12,11 +12,13 @@ locals {
 
   traefik_hosts = join(", ", [for i in local.domains : "`${i}`"])
 
-  base_middlewares = local.basic_auth_enabled ? [{ "name" : "traefik-basic-auth-middleware" }] : []
+  base_middlewares = local.basic_auth_ready ? [{ "name" : "traefik-basic-auth-middleware" }] : []
 
   letsencrypt_enabled        = var.letsencrypt_certificate_email != ""
   manual_certificate_enabled = var.tls_certificate_crt != "" && var.tls_certificate_key != ""
   tls_enabled                = local.manual_certificate_enabled || local.letsencrypt_enabled
+
+  tls_secret_name = local.tls_enabled ? "tls-certificate" : ""
 }
 
 terraform {
@@ -31,7 +33,7 @@ terraform {
 /* Basic Auth */
 
 resource "kubernetes_secret_v1" "traefik_basic_auth" {
-  count = local.basic_auth_enabled ? 1 : 0
+  count = local.basic_auth_ready ? 1 : 0
 
   metadata {
     name      = "basic-auth"
@@ -47,7 +49,7 @@ resource "kubernetes_secret_v1" "traefik_basic_auth" {
 }
 
 resource "kubernetes_manifest" "traefik_basic_auth_middleware" {
-  count = local.basic_auth_enabled ? 1 : 0
+  count = local.basic_auth_ready ? 1 : 0
 
   manifest = {
     "apiVersion" = "traefik.containo.us/v1alpha1"
@@ -92,7 +94,7 @@ resource "kubernetes_secret_v1" "tls" {
   count = local.manual_certificate_enabled ? 1 : 0
 
   metadata {
-    name      = "tls-certificate"
+    name      = local.tls_secret_name
     namespace = var.namespace
   }
 
@@ -148,7 +150,7 @@ resource "kubernetes_manifest" "certificate" {
       namespace = var.namespace
     }
     spec = {
-      secretName = "tls-certificate"
+      secretName = local.tls_secret_name
       issuerRef = {
         name = "letsencrypt"
         kind = "Issuer"
@@ -225,7 +227,7 @@ resource "kubernetes_manifest" "traefik_ingress_route" {
       },
       local.tls_enabled ? {
         tls = {
-          secretName = "tls-certificate"
+          secretName = local.tls_secret_name
         }
       } : {}
     )

{{cookiecutter.project_dirname}}/terraform/environment/modules/kubernetes/routing/outputs.tf

@@ -0,0 +1,4 @@
+output "tls_secret_name" {
+  description = "The name of the TLS certificate Kubernetes secret."
+  value       = local.tls_secret_name
+}

{{cookiecutter.project_dirname}}/terraform/environment/other-k8s/main.tf

@@ -114,6 +114,20 @@ module "routing" {
   monitoring_subdomain = var.monitoring_subdomain
 }
 
+/* Metrics */
+
+module "metrics" {
+  count = var.stack_slug == "main" ? 1 : 0
+
+  source = "../modules/kubernetes/metrics"
+
+  project_domain = var.project_domain
+
+  basic_auth_enabled  = var.basic_auth_enabled
+  basic_auth_username = var.basic_auth_username
+  basic_auth_password = var.basic_auth_password
+}
+
 /* Secrets */
 
 resource "kubernetes_secret_v1" "regcred" {

{{cookiecutter.project_dirname}}/terraform/environment/vars/.tfvars

@@ -1,5 +1,6 @@
 {% if "environment" in cookiecutter.tfvars %}{% for item in cookiecutter.tfvars.environment|sort %}{{ item }}
 {% endfor %}{% endif %}# database_connection_pool_size=1
 # database_dumps_enabled=true
+# basic_auth_enabled=false
 # backend_service_extra_traefik_middlewares=[]
 # frontend_service_extra_traefik_middlewares=[]