feat: each helm release has its own namespace (#164)

Author: mglotov

docs/FAQ.md

@@ -152,3 +152,60 @@ module "test_namespace" {
 }
 ```
 
+## How to add more restrictions for Gitlab-Runner
+By default Gitlab-Runner can deploy into any namespaces. If you want to allow Gitlab-Runner to deploy only into specific namespaces, then do these:
+* Create new Service Account:
+```
+resource "kubernetes_service_account" "gitlab_runner" {
+  metadata {
+    name      = "my-gitlab-runners-sa"
+    namespace = module.gitlab_runner_namespace.name
+    annotations = {
+      "eks.amazonaws.com/role-arn" = module.aws_iam_gitlab_runner.role_arn
+    }
+  }
+  automount_service_account_token = true
+}
+```
+* Create a new Kubernetes Role and RoleBinding. For example, these role and rolebinding will allow to deploy into dev namespace only:
+```
+resource "kubernetes_role" "dev" {
+  metadata {
+    name      = "${local.name}-dev"
+    namespace = "dev"
+  }
+
+  rule {
+    api_groups = ["", "apps", "extensions", "batch", "networking.k8s.io", "kubernetes-client.io"]
+    resources  = ["*"]
+    verbs      = ["*"]
+  }
+}
+
+resource "kubernetes_role_binding" "dev" {
+  metadata {
+    name      = "${local.name}-dev"
+    namespace = "dev"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "Role"
+    name      = kubernetes_role.dev.metadata.0.name
+  }
+
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.gitlab_runner.metadata.0.name
+    namespace = module.gitlab_runner_namespace.name
+  }
+}
+```
+* Set the name of a new created account in layer2-k8s/templates/gitlab-runner-values.yaml
+```
+...
+runners:
+  serviceAccountName: my-gitlab-runners-sa
+  image: ubuntu:18.04
+...
+```

terraform/layer2-k8s/eks-aws-loadbalancer-controller.tf

@@ -13,14 +13,19 @@ locals {
   })
 }
 
+module "aws_load_balancer_controller_namespace" {
+  source = "../modules/kubernetes-namespace"
+  name   = "aws-load-balancer-controller"
+}
+
 resource "helm_release" "aws_loadbalancer_controller" {
   count = var.aws_loadbalancer_controller_enable ? 1 : 0
 
   name        = "aws-load-balancer-controller"
   chart       = local.aws-load-balancer-controller.chart
   repository  = local.aws-load-balancer-controller.repository
   version     = local.aws-load-balancer-controller.chart_version
-  namespace   = module.ing_namespace.name
+  namespace   = module.aws_load_balancer_controller_namespace.name
   max_history = var.helm_release_history_size
 
   values = [

terraform/layer2-k8s/eks-aws-node-termination-handler.tf

@@ -6,12 +6,17 @@ locals {
   }
 }
 
+module "aws_node_termination_handler_namespace" {
+  source = "../modules/kubernetes-namespace"
+  name   = "aws-node-termination-handler"
+}
+
 resource "helm_release" "aws_node_termination_handler" {
   name        = "aws-node-termination-handler"
   chart       = local.aws-node-termination-handler.chart
   repository  = local.aws-node-termination-handler.repository
   version     = local.aws-node-termination-handler.chart_version
-  namespace   = module.sys_namespace.name
+  namespace   = module.aws_node_termination_handler_namespace.name
   wait        = false
   max_history = var.helm_release_history_size
 

terraform/layer2-k8s/eks-cert-manager-certificate.tf

@@ -20,7 +20,7 @@ resource "helm_release" "certificate" {
   chart       = local.cert-mananger-certificate.chart
   repository  = local.cert-mananger-certificate.repository
   version     = local.cert-mananger-certificate.chart_version
-  namespace   = module.ing_namespace.name
+  namespace   = module.ingress_nginx_namespace.name
   wait        = false
   max_history = var.helm_release_history_size
 

terraform/layer2-k8s/eks-cluster-autoscaler.tf

@@ -17,12 +17,17 @@ data "template_file" "cluster_autoscaler" {
   }
 }
 
+module "cluster_autoscaler_namespace" {
+  source = "../modules/kubernetes-namespace"
+  name   = "cluster-autoscaler"
+}
+
 resource "helm_release" "cluster_autoscaler" {
   name        = "cluster-autoscaler"
   chart       = local.cluster-autoscaler.chart
   repository  = local.cluster-autoscaler.repository
   version     = local.cluster-autoscaler.chart_version
-  namespace   = module.sys_namespace.name
+  namespace   = module.cluster_autoscaler_namespace.name
   max_history = var.helm_release_history_size
 
   values = [

terraform/layer2-k8s/eks-external-dns.tf

@@ -16,12 +16,17 @@ data "template_file" "external_dns" {
   }
 }
 
+module "external_dns_namespace" {
+  source = "../modules/kubernetes-namespace"
+  name   = "external-dns"
+}
+
 resource "helm_release" "external_dns" {
   name        = "external-dns"
   chart       = local.external-dns.chart
   repository  = local.external-dns.repository
   version     = local.external-dns.chart_version
-  namespace   = module.dns_namespace.name
+  namespace   = module.external_dns_namespace.name
   max_history = var.helm_release_history_size
 
   values = [

terraform/layer2-k8s/eks-external-secrets.tf

@@ -20,25 +20,35 @@ data "template_file" "external_secrets" {
   }
 }
 
+module "external_secrets_namespace" {
+  source = "../modules/kubernetes-namespace"
+  name   = "external-secrets"
+}
+
 resource "helm_release" "external_secrets" {
   name        = "external-secrets"
   chart       = local.external-secrets.chart
   repository  = local.external-secrets.repository
   version     = local.external-secrets.chart_version
-  namespace   = module.sys_namespace.name
+  namespace   = module.external_secrets_namespace.name
   max_history = var.helm_release_history_size
 
   values = [
     data.template_file.external_secrets.rendered,
   ]
 }
 
+module "reloader_namespace" {
+  source = "../modules/kubernetes-namespace"
+  name   = "reloader"
+}
+
 resource "helm_release" "reloader" {
   name        = "reloader"
   chart       = local.reloader.chart
   repository  = local.reloader.repository
   version     = local.reloader.chart_version
-  namespace   = module.sys_namespace.name
+  namespace   = module.reloader_namespace.name
   wait        = false
   max_history = var.helm_release_history_size
 }

terraform/layer2-k8s/eks-kube-prometheus-stack.tf

@@ -26,9 +26,9 @@ locals {
   })
 }
 
-resource "random_string" "grafana_password" {
-  length  = 20
-  special = true
+module "monitoring_namespace" {
+  source = "../modules/kubernetes-namespace"
+  name   = "monitoring"
 }
 
 resource "helm_release" "prometheus_operator" {
@@ -45,6 +45,11 @@ resource "helm_release" "prometheus_operator" {
   ]
 }
 
+resource "random_string" "grafana_password" {
+  length  = 20
+  special = true
+}
+
 module "aws_iam_grafana" {
   source = "../modules/aws-iam-eks-trusted"
 

terraform/layer2-k8s/eks-loki-stack.tf

@@ -16,12 +16,17 @@ locals {
   })
 }
 
+module "loki_namespace" {
+  source = "../modules/kubernetes-namespace"
+  name   = "loki"
+}
+
 resource "helm_release" "loki_stack" {
   name        = "loki-stack"
   chart       = local.loki-stack.chart
   repository  = local.loki-stack.repository
   version     = local.loki-stack.chart_version
-  namespace   = module.monitoring_namespace.name
+  namespace   = module.loki_namespace.name
   wait        = false
   max_history = var.helm_release_history_size
 

terraform/layer2-k8s/eks-namespaces.tf

@@ -1,34 +1,4 @@
-module "dns_namespace" {
-  source = "../modules/kubernetes-namespace"
-  name   = "dns"
-}
-
-module "ing_namespace" {
-  source = "../modules/kubernetes-namespace"
-  name   = "ing"
-}
-
-module "elk_namespace" {
-  source = "../modules/kubernetes-namespace"
-  name   = "elk"
-}
-
 module "fargate_namespace" {
   source = "../modules/kubernetes-namespace"
   name   = "fargate"
 }
-
-module "ci_namespace" {
-  source = "../modules/kubernetes-namespace"
-  name   = "ci"
-}
-
-module "sys_namespace" {
-  source = "../modules/kubernetes-namespace"
-  name   = "sys"
-}
-
-module "monitoring_namespace" {
-  source = "../modules/kubernetes-namespace"
-  name   = "monitoring"
-}