Enable manifests apply to multiple arbitrary clusters

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

demo/Makefile

@@ -37,6 +37,7 @@ terraform_apply: ## Applies terraform infrastructure
 	echo 'google_project = "$(GOOGLE_PROJECT)"' > infrastructure/$(CLOUD)/terraform.tfvars
 	echo 'ca_crt_file = "$(CA_CRT_FILE)"' >> infrastructure/$(CLOUD)/terraform.tfvars
 	echo 'ca_key_file = "$(CA_KEY_FILE)"' >> infrastructure/$(CLOUD)/terraform.tfvars
+	echo 'cloud = "$(CLOUD)"' >> infrastructure/$(CLOUD)/terraform.tfvars
 	cd infrastructure/$(CLOUD) && terraform init && terraform apply
 	cd infrastructure/$(CLOUD) && terraform output config > ../../manifests/$(CLOUD)-config.json
 	$(shell cd infrastructure/$(CLOUD) && terraform output kubeconfig_command)
@@ -53,7 +54,7 @@ manifests_apply: depend manifests/$(CLOUD)-config.json ## Use kubecfg to apply m
 	# apply all CRDs
 	$(BINDIR)/kubecfg $(EXT_VARS) show config.jsonnet --format json | sed 's#^---$$##' | jq 'select(.kind == "CustomResourceDefinition")' | kubectl apply -f -
 	# apply everything
-	$(BINDIR)/kubecfg $(EXT_VARS) show config.jsonnet | kubectl apply -f -
+	$(BINDIR)/kubecfg $(EXT_VARS) show config.jsonnet | kubectl apply -f - --validate=false
 
 .PHONY: manifests_validate
 manifests_validate: depend manifests/$(CLOUD)-config.json ## Use kubecfg to validate manifests

demo/config.dist.jsonnet

@@ -5,10 +5,30 @@ function(cloud='google') main {
   // this will only run the google cluster
   clouds: {
     google: main.clouds.google,
+    amazon: null,
+    digitalocean: null,
   },
   base_domain: '.kubernetes.example.net',
   cert_manager+: {
     letsencrypt_contact_email:: '[email protected]',
+    solvers+: [
+      //{
+      //  http01: {
+      //    ingress: {},
+      //  },
+      //},
+      {
+        dns01: {
+          clouddns: {
+            project: $.config.cert_manager.project,
+            serviceAccountSecretRef: {
+              name: $.cert_manager.google_secret.metadata.name,
+              key: 'credentials.json',
+            },
+          },
+        },
+      },
+    ],
   },
   dex+: if $.master then {
     users: [

demo/infrastructure/amazon/outputs.tf

@@ -11,7 +11,7 @@ output "config" {
 }
 
 output "kubeconfig_command" {
-  value = "cp infrastructure/amazon/kubeconfig_cluster-${random_id.suffix.hex} $$KUBECONFIG"
+  value = "cp infrastructure/${var.cloud}/kubeconfig_cluster-${random_id.suffix.hex} $KUBECONFIG"
 }
 
 output "kubeconfig" {

demo/infrastructure/amazon/providers.tf

@@ -2,8 +2,12 @@ variable "aws_region" {
   default = "eu-west-1"
 }
 
+variable "cloud" {
+  default = "amazon"
+}
+
 variable "cluster_version" {
-  default = "1.12"
+  default = "1.14"
 }
 
 provider "aws" {

demo/infrastructure/modules/amazon-cluster/cluster.tf

@@ -5,36 +5,11 @@ data "aws_availability_zones" "available" {}
 
 locals {
   cluster_name    = "cluster-${var.suffix}"
-
-  worker_groups = [
-    {
-      instance_type        = "t2.large"
-      subnets              = "${join(",", module.vpc.private_subnets)}"
-      asg_desired_capacity = "2"
-    },
-  ]
-  tags = {
-    Workspace   = "${terraform.workspace}"
-  }
-  worker_groups_launch_template = [
-    {
-      # This will launch an autoscaling group with only Spot Fleet instances
-      instance_type                            = "t2.small"
-      additional_userdata                      = "echo foo bar"
-      subnets                                  = "${join(",", module.vpc.private_subnets)}"
-      additional_security_group_ids            = "${aws_security_group.worker_group_mgmt_one.id},${aws_security_group.worker_group_mgmt_two.id}"
-      override_instance_type                   = "t3.small"
-      asg_desired_capacity                     = "2"
-      spot_instance_pools                      = 10
-      on_demand_percentage_above_base_capacity = "0"
-    },
-  ]
 }
 
 resource "aws_security_group" "worker_group_mgmt_one" {
   name_prefix = "worker_group_mgmt_one"
-  description = "SG to be applied to all *nix machines"
-  vpc_id      = "${module.vpc.vpc_id}"
+  vpc_id      = module.vpc.vpc_id
 
   ingress {
     from_port = 22
@@ -49,7 +24,7 @@ resource "aws_security_group" "worker_group_mgmt_one" {
 
 resource "aws_security_group" "worker_group_mgmt_two" {
   name_prefix = "worker_group_mgmt_two"
-  vpc_id      = "${module.vpc.vpc_id}"
+  vpc_id      = module.vpc.vpc_id
 
   ingress {
     from_port = 22
@@ -64,7 +39,7 @@ resource "aws_security_group" "worker_group_mgmt_two" {
 
 resource "aws_security_group" "all_worker_mgmt" {
   name_prefix = "all_worker_management"
-  vpc_id      = "${module.vpc.vpc_id}"
+  vpc_id      = module.vpc.vpc_id
 
   ingress {
     from_port = 22
@@ -80,28 +55,63 @@ resource "aws_security_group" "all_worker_mgmt" {
 }
 
 module "vpc" {
-  source             = "terraform-aws-modules/vpc/aws"
-  version            = "1.60.0"
-  name               = "test-vpc"
-  cidr               = "10.0.0.0/16"
-  azs                = ["${data.aws_availability_zones.available.names[0]}", "${data.aws_availability_zones.available.names[1]}", "${data.aws_availability_zones.available.names[2]}"]
-  private_subnets    = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-  public_subnets     = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
-  enable_nat_gateway = true
-  single_nat_gateway = true
-  tags               = "${merge(local.tags, map("kubernetes.io/cluster/${local.cluster_name}", "shared"))}"
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "2.6.0"
+
+  name                 = "test-vpc"
+  cidr                 = "10.0.0.0/16"
+  azs                  = "${data.aws_availability_zones.available.names}"
+  private_subnets      = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets       = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
+  enable_dns_hostnames = true
+
+  tags = {
+    "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+  }
+
+  public_subnet_tags = {
+    "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+    "kubernetes.io/role/elb"                      = "1"
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+    "kubernetes.io/role/internal-elb"             = "1"
+  }
 }
 
 module "eks" {
-  source                               = "terraform-aws-modules/eks/aws"
-  cluster_name                         = "${local.cluster_name}"
-  cluster_version                      = "${var.cluster_version}"
-  subnets                              = ["${module.vpc.private_subnets}"]
-  tags                                 = "${local.tags}"
-  vpc_id                               = "${module.vpc.vpc_id}"
-  worker_groups                        = "${local.worker_groups}"
-  worker_groups_launch_template        = "${local.worker_groups_launch_template}"
-  worker_group_count                   = "1"
-  worker_group_launch_template_count   = "1"
+  #source       = "terraform-aws-modules/eks/aws"
+  source       = "[email protected]:terraform-aws-modules/terraform-aws-eks.git?ref=6c3e4ec510f658f53508623a6192df064e7a4786"
+  cluster_name = "${local.cluster_name}"
+  subnets      = "${module.vpc.private_subnets}"
+
+  tags = {
+    Environment = "test"
+    GithubRepo  = "terraform-aws-eks"
+    GithubOrg   = "terraform-aws-modules"
+  }
+
+  vpc_id = "${module.vpc.vpc_id}"
+
+  worker_groups = [
+    {
+      name                          = "worker-group-1"
+      instance_type                 = "t2.small"
+      additional_userdata           = "echo foo bar"
+      asg_desired_capacity          = 2
+      additional_security_group_ids = ["${aws_security_group.worker_group_mgmt_one.id}"]
+    },
+    {
+      name                          = "worker-group-2"
+      instance_type                 = "t2.medium"
+      additional_userdata           = "echo foo bar"
+      additional_security_group_ids = ["${aws_security_group.worker_group_mgmt_two.id}"]
+      asg_desired_capacity          = 1
+    },
+  ]
+
   worker_additional_security_group_ids = ["${aws_security_group.all_worker_mgmt.id}"]
 }

demo/manifests/components/cert-manager.jsonnet

@@ -3,28 +3,11 @@ local kube = import '../vendor/kube-prod-runtime/lib/kube.libsonnet';
 
 local CERT_MANAGER_IMAGE = '';
 
-local add_acme_spec(issuer, obj) =
-  if std.objectHas(issuer.spec, 'acme') then
-    obj {
-      spec+: {
-        acme: {
-          config: [{
-            dns01: {
-              provider: issuer.spec.acme.dns01.providers[0].name,
-            },
-            domains: obj.spec.dnsNames,
-          }],
-        },
-      },
-    }
-  else
-    obj;
-
 upstream_cert_manager {
   ca_secret_name:: 'ca-key-pair',
 
   // create simple to use certificate resource
-  Certificate(namespace, name, issuer, domains):: add_acme_spec(issuer, kube._Object($.certCRD.spec.group + '/' + $.certCRD.spec.version, $.certCRD.spec.names.kind, name) + {
+  Certificate(namespace, name, issuer, solver, domains):: kube._Object($.certCRD.spec.group + '/' + $.certCRD.spec.version, $.certCRD.spec.names.kind, name) + {
     metadata+: {
       namespace: namespace,
       name: name,
@@ -37,7 +20,5 @@ upstream_cert_manager {
         kind: issuer.kind,
       },
     },
-  }),
-
-  // TODO: use upstream images for cert-manager
+  },
 }

demo/manifests/components/landingpage.jsonnet

@@ -114,7 +114,7 @@ local HTTP_PORT = 80;
           width: 56,
           height: 56,
           alt: cloud,
-          src: cloud + '.svg',
+          src: std.split(cloud, '_')[0] + '.svg',
         },
       ],
     ],

demo/manifests/main.jsonnet

@@ -136,19 +136,7 @@ local apply_ca_issuer(ca_crt, ca_key, obj) =
     letsencryptStaging+: {
       spec+: {
         acme+: {
-          http01: null,
-          dns01: {
-            providers: [{
-              name: 'clouddns',
-              clouddns: {
-                project: $.config.cert_manager.project,
-                serviceAccountSecretRef: {
-                  name: $.cert_manager.google_secret.metadata.name,
-                  key: 'credentials.json',
-                },
-              },
-            }],
-          },
+          solvers: $.cert_manager.solvers,
         },
       },
     },
@@ -251,6 +239,7 @@ local apply_ca_issuer(ca_crt, ca_key, obj) =
         $.namespace,
         this.name,
         $.cert_manager.letsencryptProd,
+        $.cert_manager.solver,
         [this.domain]
       ),
       ingressRoute: IngressRouteTLSPassthrough($.namespace, this.name, this.domain, this.name, 5556),
@@ -267,7 +256,7 @@ local apply_ca_issuer(ca_crt, ca_key, obj) =
                'https://gangway' + v.domain_part + $.base_domain + '/callback',
              ],
            }),
-        $.clouds
+        std.prune($.clouds)
       ),
     }
   else
@@ -328,6 +317,7 @@ local apply_ca_issuer(ca_crt, ca_key, obj) =
       $.namespace,
       this.name,
       $.cert_manager.letsencryptProd,
+      $.cert_manager.solver,
       [this.domain]
     ),
     ingressRoute: IngressRouteTLSPassthrough($.namespace, this.name, this.domain, this.name, 8080),
@@ -371,6 +361,7 @@ local apply_ca_issuer(ca_crt, ca_key, obj) =
       $.namespace,
       this.name,
       if $.ca_crt != '' && $.ca_key != '' then $.cert_manager.ca_issuer.issuer else $.cert_manager.letsencryptProd,
+      $.cert_manager.solver,
       [this.domain]
     ),
     ingressRoute: IngressRouteTLSPassthrough($.namespace, this.name, this.domain, this.name, 443),
@@ -399,6 +390,7 @@ local apply_ca_issuer(ca_crt, ca_key, obj) =
       $.namespace,
       this.name,
       $.cert_manager.letsencryptProd,
+      $.cert_manager.solver,
       [this.domain]
     ),
 
@@ -408,7 +400,7 @@ local apply_ca_issuer(ca_crt, ca_key, obj) =
          'https://gangway' + $.clouds[c].domain_part + $.base_domain,
          'Gangway ' + c,
        )),
-      std.objectFields($.clouds)
+      std.objectFields(std.prune($.clouds))
     )),
   },
 }