From f3a41c29c96ead5bc713f9ac16b79a71462d0a69 Mon Sep 17 00:00:00 2001
From: mulmuri
Date: Thu, 27 Feb 2025 19:53:05 +0900
Subject: [PATCH 1/7] chore: update cloudflare provider version

---
 modules/cloudflare/dns/main.tf | 2 +-
 modules/cloudflare/dns/provider.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/cloudflare/dns/main.tf b/modules/cloudflare/dns/main.tf
index fca312e..85d5f3a 100644
--- a/modules/cloudflare/dns/main.tf
+++ b/modules/cloudflare/dns/main.tf
@@ -1,4 +1,4 @@
-resource "cloudflare_dns_record" "istio-gateway" {
+resource "cloudflare_dns_record" "istio-dns" {
 zone_id = var.zone_id
 content = var.ip_address
 name = "*.goboolean.io"
diff --git a/modules/cloudflare/dns/provider.tf b/modules/cloudflare/dns/provider.tf
index 9fbb909..c5d96a0 100644
--- a/modules/cloudflare/dns/provider.tf
+++ b/modules/cloudflare/dns/provider.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 cloudflare = {
 source = "cloudflare/cloudflare"
- version = "~> 4.0"
+ version = "~> 5.0"
 }
 }
 }

From 1287762d11af6fac7777cb881937f1b58e299b5a Mon Sep 17 00:00:00 2001
From: mulmuri
Date: Thu, 27 Feb 2025 19:53:41 +0900
Subject: [PATCH 2/7] feat: divide core gcp

---
 modules/gcp/core/gcs.tf | 13 +++++++++++++
 modules/gcp/core/iam.tf | 18 ++++++++++++++++++
 modules/gcp/core/kms.tf | 13 +++++++++++++
 modules/gcp/core/output.tf | 15 +++++++++++++++
 modules/gcp/core/service.tf | 15 +++++++++++++++
 modules/gcp/core/variables.tf | 11 +++++++++++
 6 files changed, 85 insertions(+)
 create mode 100644 modules/gcp/core/gcs.tf
 create mode 100644 modules/gcp/core/iam.tf
 create mode 100644 modules/gcp/core/kms.tf
 create mode 100644 modules/gcp/core/output.tf
 create mode 100644 modules/gcp/core/service.tf
 create mode 100644 modules/gcp/core/variables.tf

diff --git a/modules/gcp/core/gcs.tf b/modules/gcp/core/gcs.tf
new file mode 100644
index 0000000..79b2a24
--- /dev/null
+++ b/modules/gcp/core/gcs.tf
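Review bot: Renaming the resource address from `istio-gateway` to `istio-dns` on the first line of the main.tf hunk makes Terraform plan a destroy of the existing `*.goboolean.io` record followed by a create, so the wildcard name resolves to nothing between the two API calls and stays gone if the create fails. Add a `moved` block beside the resource — `moved {` / `from = cloudflare_dns_record.istio-gateway` / `to = cloudflare_dns_record.istio-dns` / `}` — so the state entry is renamed in place with no API change. The resource block continues past the end of the hunk, so its remaining attributes are not visible here.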
@@ -0,0 +1,13 @@
+resource "google_storage_bucket" "terraform_state" {
+ name = "${var.project_id}-tfstate"
+ location = var.location
+ project = var.project_id
+
+ versioning {
+ enabled = true
+ }
+
+ uniform_bucket_level_access = true
+
+ public_access_prevention = "enforced"
+}
diff --git a/modules/gcp/core/iam.tf b/modules/gcp/core/iam.tf
new file mode 100644
index 0000000..92f63f6
--- /dev/null
+++ b/modules/gcp/core/iam.tf
@@ -0,0 +1,18 @@
+resource "google_service_account" "vault_kms_sa" {
+ project = var.project_id
+ account_id = "vault-kms-sa"
+ display_name = "Vault KMS Service Account"
+}
+
+resource "google_project_iam_custom_role" "vault_kms_custom_role" {
+ role_id = "vaultKmsRole"
+ title = "Vault KMS Custom Role"
+ description = "Custom role for Vault to use KMS for auto-unseal with minimal permissions"
+ project = var.project_id
+
+ permissions = [
+ "cloudkms.cryptoKeyVersions.useToEncrypt",
+ "cloudkms.cryptoKeyVersions.useToDecrypt",
+ "cloudkms.cryptoKeys.get",
+ ]
+}
diff --git a/modules/gcp/core/kms.tf b/modules/gcp/core/kms.tf
new file mode 100644
index 0000000..073a064
--- /dev/null
+++ b/modules/gcp/core/kms.tf
@@ -0,0 +1,13 @@
+resource "google_kms_key_ring" "vault_keyring" {
+ name = "vault-keyring"
+ location = var.region
+ project = var.project_id
+}
+
+resource "google_kms_crypto_key" "vault_crypto_key" {
+ name = "vault-key"
+ key_ring = google_kms_key_ring.vault_keyring.id
+ rotation_period = "7776000s" # 90d
+
+ depends_on = [google_kms_key_ring.vault_keyring]
+}
diff --git a/modules/gcp/core/output.tf b/modules/gcp/core/output.tf
new file mode 100644
index 0000000..6eca211
--- /dev/null
+++ b/modules/gcp/core/output.tf
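Review bot: The state bucket has no `lifecycle { prevent_destroy = true }`, so a `terraform destroy`, or any change to `var.project_id` (which is baked into `name`), plans a bucket deletion and takes the state — which routinely holds credentials and `sensitive` outputs — with it. Add `lifecycle {` / `prevent_destroy = true` / `}` to the resource. Versioning, `uniform_bucket_level_access = true` and `public_access_prevention = "enforced"` are the right defaults for a state bucket; a comment such as `# versioning keeps every historical state object (including ones that held secrets) until a lifecycle rule or manual purge removes it` would make the retention consequence explicit.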
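Review bot: The custom role `vaultKmsRole` and `vault-kms-sa` are created here, but nothing in this module grants the role on the key: the `google_kms_crypto_key_iam_member` that previously did so is deleted from `modules/gcp/iam/main.tf` later in this series and, as far as the series shows, not re-created, so Vault's service account ends up with no KMS permission and auto-unseal cannot succeed. Since the key now lives in this module (`google_kms_crypto_key.vault_crypto_key` in kms.tf), the binding belongs here and can reference the key directly instead of the removed `var.vault_kms_crypto_key_id`. The three permissions appear to be the minimal set the Vault GCP KMS seal needs, so keep the role as is and bind it on the key rather than at project level.

```hcl
# … unchanged: google_service_account.vault_kms_sa and google_project_iam_custom_role.vault_kms_custom_role …

# Grant the custom role on the Vault unseal key only, so the SA can use this one key and nothing else in the project.
resource "google_kms_crypto_key_iam_member" "vault_kms_custom_binding" {
  crypto_key_id = google_kms_crypto_key.vault_crypto_key.id
  role          = "projects/${var.project_id}/roles/${google_project_iam_custom_role.vault_kms_custom_role.role_id}"
  member        = "serviceAccount:${google_service_account.vault_kms_sa.email}"
}
```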
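Review bot: `vault_crypto_key` is the root of Vault's auto-unseal, yet it has no `lifecycle { prevent_destroy = true }`; a rename, a `terraform destroy`, or a change to `key_ring` schedules every key version for destruction and makes everything Vault encrypted under it unrecoverable once the destruction window passes. Add `lifecycle {` / `prevent_destroy = true` / `}` to the crypto key resource. The explicit `depends_on = [google_kms_key_ring.vault_keyring]` is redundant because `key_ring = google_kms_key_ring.vault_keyring.id` already establishes that ordering, so it can be dropped. A short comment on `rotation_period` saying why 90 days was chosen would help the next reader, since the `# 90d` only restates the value.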
@@ -0,0 +1,15 @@
+output "vault_kms_keyring_name" {
+ value = google_kms_key_ring.vault_keyring.name
+ sensitive = true
+}
+
+output "vault_kms_crypto_key_name" {
+ value = google_kms_crypto_key.vault_crypto_key.name
+ sensitive = true
+}
+
+output "vault_kms_crypto_key_id" {
+ value = google_kms_crypto_key.vault_crypto_key.id
+ sensitive = true
+}
+
diff --git a/modules/gcp/core/service.tf b/modules/gcp/core/service.tf
new file mode 100644
index 0000000..d034d0c
--- /dev/null
+++ b/modules/gcp/core/service.tf
@@ -0,0 +1,15 @@
+locals {
+ services = toset([
+ "secretmanager.googleapis.com"
+ ])
+}
+
+resource "google_project_service" "services" {
+ for_each = local.services
+
+ project = var.project_id
+ service = each.key
+
+ disable_dependent_services = true
+ disable_on_destroy = false
+}
diff --git a/modules/gcp/core/variables.tf b/modules/gcp/core/variables.tf
new file mode 100644
index 0000000..5f26342
--- /dev/null
+++ b/modules/gcp/core/variables.tf
@@ -0,0 +1,11 @@
+variable "project_id" {
+ type = string
+}
+
+variable "location" {
+ type = string
+}
+
+variable "region" {
+ type = string
+}

From 071c7738f138d9193c88536d3f086d0d68082445 Mon Sep 17 00:00:00 2001
From: mulmuri
Date: Thu, 27 Feb 2025 19:54:36 +0900
Subject: [PATCH 3/7] feat: divide core gcp & manage gcp

---
 modules/gcp/gke/gke.tf | 4 ----
 modules/gcp/gke/variables.tf | 4 ++--
 modules/gcp/iam/main.tf | 31 +++++--------------------------
 modules/gcp/iam/variables.tf | 12 ++++++++++--
 modules/gcp/service/main.tf | 5 +++--
 5 files changed, 20 insertions(+), 36 deletions(-)

diff --git a/modules/gcp/gke/gke.tf b/modules/gcp/gke/gke.tf
index 439ed49..4c9c546 100644
--- a/modules/gcp/gke/gke.tf
+++ b/modules/gcp/gke/gke.tf
@@ -4,10 +4,6 @@ resource "google_container_cluster" "primary" {
 name = "${var.project_id}-gke"
 location = var.zone
 
- release_channel {
- channel = "REGULAR"
- }
-
 workload_identity_config {
 workload_pool = "${var.project_id}.svc.id.goog"
 }
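Review bot: Marking `vault_kms_keyring_name`, `vault_kms_crypto_key_name` and `vault_kms_crypto_key_id` as `sensitive = true` hides values that are not secrets — KMS resource names and IDs carry no key material and access is governed by IAM, not by secrecy of the path — while making `terraform output` and downstream plan diffs harder to read. Drop `sensitive = true` on these three, or if there is a policy reason to keep resource paths out of logs, say so in a comment on the outputs. The module also creates `google_service_account.vault_kms_sa` but does not export its `email` or `name`; exposing that here would let the IAM module reference it instead of re-looking it up by a hard-coded account id.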
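Review bot: This module creates a KMS key ring, a service account and a custom role, but `local.services` enables only `secretmanager.googleapis.com`; on a project where `cloudkms.googleapis.com` (and `iam.googleapis.com`) are not already enabled out of band, the kms.tf and iam.tf resources fail with an API-not-enabled error. Add `"cloudkms.googleapis.com",` and `"iam.googleapis.com",` to the set and give the key ring a `depends_on = [google_project_service.services]` so enablement is ordered before key creation. `disable_on_destroy = false` also deserves a why-comment, and with it false the service is never disabled on destroy, so `disable_dependent_services = true` has nothing to act on as far as I read the provider's semantics.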
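Review bot: Removing `release_channel { channel = "REGULAR" }` drops the cluster out of GKE's managed upgrade channel, and together with the statically pinned `gke_version` default bumped in the same commit, control-plane security patches now arrive only when someone edits that pin. If pinning is intentional, state the reason and the re-pin cadence in a comment on the resource, e.g. `# No release channel: version is pinned via var.gke_version; bump it regularly so security patches are not missed`. Check that node auto-upgrade or a `maintenance_policy` still covers the node pool — the rest of the `google_container_cluster` body is outside this hunk, so I cannot see whether it does.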
diff --git a/modules/gcp/gke/variables.tf b/modules/gcp/gke/variables.tf
index 96244bc..c4db42e 100644
--- a/modules/gcp/gke/variables.tf
+++ b/modules/gcp/gke/variables.tf
@@ -1,5 +1,5 @@
 variable "gke_num_nodes" {
- default = 3
+ default = 4
 }
 
 variable "gke_machine_type" {
@@ -11,5 +11,5 @@ variable "gke_disk_size_gb" {
 }
 
 variable "gke_version" {
- default = "1.31.4-gke.1372000"
+ default = "1.31.5-gke.1068000"
 }
diff --git a/modules/gcp/iam/main.tf b/modules/gcp/iam/main.tf
index 95d8180..9fa53ad 100644
--- a/modules/gcp/iam/main.tf
+++ b/modules/gcp/iam/main.tf
@@ -62,41 +62,20 @@ resource "google_storage_bucket_iam_member" "terraform_state_access" { */ # for vault -resource "google_service_account" "vault_kms_sa" { - account_id = "vault-kms-sa" - display_name = "Vault KMS Service Account" -} - -resource "google_project_iam_custom_role" "vault_kms_custom_role" { - role_id = "vaultKmsRole" - title = "Vault KMS Custom Role" - description = "Custom role for Vault to use KMS for auto-unseal with minimal permissions" - project = var.project_id - - permissions = [ - "cloudkms.cryptoKeyVersions.useToEncrypt", - "cloudkms.cryptoKeyVersions.useToDecrypt", - "cloudkms.cryptoKeys.get", - ] -} - -resource "google_kms_crypto_key_iam_member" "vault_kms_custom_binding" { - crypto_key_id = var.vault_kms_crypto_key_id - role = "projects/${var.project_id}/roles/${google_project_iam_custom_role.vault_kms_custom_role.role_id}" - member = "serviceAccount:${google_service_account.vault_kms_sa.email}" - - depends_on = [google_service_account.vault_kms_sa, google_project_iam_custom_role.vault_kms_custom_role] +data "google_service_account" "vault_kms_sa" { + account_id = "vault-kms-sa" + project = var.main_project_id } resource "google_service_account_iam_binding" "vault_workload_identity_binding" { - service_account_id = google_service_account.vault_kms_sa.name + service_account_id = data.google_service_account.vault_kms_sa.name role = "roles/iam.workloadIdentityUser" members = [ "serviceAccount:${var.project_id}.svc.id.goog[vault/vault-sa]" ] - depends_on = [google_service_account.vault_kms_sa] + depends_on = [data.google_service_account.vault_kms_sa] } # ƒor loki diff --git a/modules/gcp/iam/variables.tf b/modules/gcp/iam/variables.tf index 77bb29c..8424c1d 100644 --- a/modules/gcp/iam/variables.tf +++ b/modules/gcp/iam/variables.tf 
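Review bot: `data.google_service_account.vault_kms_sa` looks the account up by the hard-coded literal `account_id = "vault-kms-sa"` in `var.main_project_id`, duplicating the same literal from the core module that creates it; there is no link between the two modules, so a rename on either side breaks the `roles/iam.workloadIdentityUser` binding at plan time with nothing pointing at the cause. Pass the service account name or email in as a variable fed from the core module's outputs instead of re-deriving it. The `depends_on = [data.google_service_account.vault_kms_sa]` on the binding is redundant because `service_account_id` already references the data source, so it can be removed. Note too that this hunk deletes the `google_kms_crypto_key_iam_member` binding and nothing in the series re-creates it, so `vault-kms-sa` loses its KMS permission unless that binding is added in the core module.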
@@ -2,10 +2,18 @@ variable "project_id" {
 type = string
 }
 
-variable "region" {
+variable "main_project_id" {
 type = string
 }
 
-variable "vault_kms_crypto_key_id" {
+variable "region" {
 type = string
 }
+
+output "access_key" {
+ value = google_storage_hmac_key.airflow_hmac_key.access_id
+}
+output "secret_key" {
+ value = google_storage_hmac_key.airflow_hmac_key.secret
+ sensitive = true
+}
diff --git a/modules/gcp/service/main.tf b/modules/gcp/service/main.tf
index d9cc4bd..f412ab8 100644
--- a/modules/gcp/service/main.tf
+++ b/modules/gcp/service/main.tf
@@ -5,7 +5,8 @@ locals {
 "serviceusage.googleapis.com",
 "compute.googleapis.com",
 "container.googleapis.com",
- "storage.googleapis.com"
+ "storage.googleapis.com",
+ "secretmanager.googleapis.com"
 ])
 }
 
@@ -16,5 +17,5 @@ resource "google_project_service" "services" {
 service = each.key
 
 disable_dependent_services = true
- disable_on_destroy = true
+ disable_on_destroy = false
 }

From 8cb4715403e68bd7888fdac7f10d6d89fb700fd9 Mon Sep 17 00:00:00 2001
From: mulmuri
Date: Thu, 27 Feb 2025 19:54:59 +0900
Subject: [PATCH 4/7] chore: cert-manager

---
 .../{manifest => issuer}/certificate.yaml | 0
 .../{manifest => issuer}/cluster-issuer.yaml | 0
 .../{manifest/manifest.tf => issuer/main.tf} | 0
 .../{manifest => issuer}/variable.tf | 0
 modules/infra/cert-manager/values.yaml | 1465 +++++++++++++++++
 5 files changed, 1465 insertions(+)
 rename modules/infra/cert-manager/{manifest => issuer}/certificate.yaml (100%)
 rename modules/infra/cert-manager/{manifest => issuer}/cluster-issuer.yaml (100%)
 rename modules/infra/cert-manager/{manifest/manifest.tf => issuer/main.tf} (100%)
 rename modules/infra/cert-manager/{manifest => issuer}/variable.tf (100%)
 create mode 100644 modules/infra/cert-manager/values.yaml
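Review bot: `output "access_key"` and `output "secret_key"` are added to variables.tf; by Terraform convention outputs live in outputs.tf, and a reader looking for this module's outputs will miss them here. `sensitive = true` on `secret_key` only redacts CLI and plan display — the HMAC secret from `google_storage_hmac_key.airflow_hmac_key` (defined outside this hunk) is still stored in plaintext in this module's state and in the state of any root module that consumes the output — so add a comment such as `# sensitive only masks display; the secret is in state, so state-bucket access is the real boundary`. `access_key` is an identifier rather than a secret, so leaving it non-sensitive is fine.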
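Review bot: Flipping `disable_on_destroy` to `false` is a behavior change that needs a why-comment on that line, e.g. `# keep APIs enabled on destroy: disabling compute/container would tear down the cluster with them`, since the presumable motive is not visible in the code. With it false the service is never disabled on destroy, so `disable_dependent_services = true` has nothing to act on as far as I read the provider's semantics; either drop it or note that it is kept for a future flip. Adding `secretmanager.googleapis.com` here as well as in the new core module is fine while the two modules target different projects, but if they ever point at the same project two `google_project_service` resources will manage one service. The `google_project_service` block begins before this hunk, so its earlier arguments are not visible here.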
diff --git a/modules/infra/cert-manager/manifest/certificate.yaml b/modules/infra/cert-manager/issuer/certificate.yaml
similarity index 100%
rename from modules/infra/cert-manager/manifest/certificate.yaml
rename to modules/infra/cert-manager/issuer/certificate.yaml
diff --git a/modules/infra/cert-manager/manifest/cluster-issuer.yaml b/modules/infra/cert-manager/issuer/cluster-issuer.yaml
similarity index 100%
rename from modules/infra/cert-manager/manifest/cluster-issuer.yaml
rename to modules/infra/cert-manager/issuer/cluster-issuer.yaml
diff --git a/modules/infra/cert-manager/manifest/manifest.tf b/modules/infra/cert-manager/issuer/main.tf
similarity index 100%
rename from modules/infra/cert-manager/manifest/manifest.tf
rename to modules/infra/cert-manager/issuer/main.tf
diff --git a/modules/infra/cert-manager/manifest/variable.tf b/modules/infra/cert-manager/issuer/variable.tf
similarity index 100%
rename from modules/infra/cert-manager/manifest/variable.tf
rename to modules/infra/cert-manager/issuer/variable.tf
diff --git a/modules/infra/cert-manager/values.yaml b/modules/infra/cert-manager/values.yaml
new file mode 100644
index 0000000..a8c94f8
--- /dev/null
+++ b/modules/infra/cert-manager/values.yaml
@@ -0,0 +1,1465 @@ +# +docs:section=Global + +# Default values for cert-manager. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +global: + # Reference to one or more secrets to be used when pulling images. + # For more information, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). + # + # For example: + # imagePullSecrets: + # - name: "image-pull-secret" + imagePullSecrets: [] + + # Labels to apply to all resources. + # Please note that this does not add labels to the resources created dynamically by the controllers. + # For these resources, you have to add the labels in the template in the cert-manager custom resource: + # For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress + # For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress). + # For example, secretTemplate in CertificateSpec + # For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec). + commonLabels: {} + + # The number of old ReplicaSets to retain to allow rollback (if not set, the default Kubernetes value is set to 10). + # +docs:property + # revisionHistoryLimit: 1 + + # The optional priority class to be used for the cert-manager pods. + priorityClassName: "" + + rbac: + # Create required ClusterRoles and ClusterRoleBindings for cert-manager. + create: true + # Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) + aggregateClusterRoles: true + + podSecurityPolicy: + # Create PodSecurityPolicy for cert-manager. + # + # Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25. 
+ enabled: false + # Configure the PodSecurityPolicy to use AppArmor. + useAppArmor: true + + # Set the verbosity of cert-manager. A range of 0 - 6, with 6 being the most verbose. + logLevel: 2 + + leaderElection: + # Override the namespace used for the leader election lease. + namespace: "kube-system" + + # The duration that non-leader candidates will wait after observing a + # leadership renewal until attempting to acquire leadership of a led but + # unrenewed leader slot. This is effectively the maximum duration that a + # leader can be stopped before it is replaced by another candidate. + # +docs:property + # leaseDuration: 60s + + # The interval between attempts by the acting master to renew a leadership + # slot before it stops leading. This must be less than or equal to the + # lease duration. + # +docs:property + # renewDeadline: 40s + + # The duration the clients should wait between attempting acquisition and + # renewal of a leadership. + # +docs:property + # retryPeriod: 15s + +# This option is equivalent to setting crds.enabled=true and crds.keep=true. +# Deprecated: use crds.enabled and crds.keep instead. +installCRDs: false + +crds: + # This option decides if the CRDs should be installed + # as part of the Helm installation. + enabled: false + + # This option makes it so that the "helm.sh/resource-policy": keep + # annotation is added to the CRD. This will prevent Helm from uninstalling + # the CRD when the Helm release is uninstalled. + # WARNING: when the CRDs are removed, all cert-manager custom resources + # (Certificates, Issuers, ...) will be removed too by the garbage collector. + keep: true + +# +docs:section=Controller + +# The number of replicas of the cert-manager controller to run. +# +# The default is 1, but in production set this to 2 or 3 to provide high +# availability. +# +# If `replicas > 1`, consider setting `podDisruptionBudget.enabled=true`. 
+# +# Note that cert-manager uses leader election to ensure that there can +# only be a single instance active at a time. +replicaCount: 1 + +# Deployment update strategy for the cert-manager controller deployment. +# For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy). +# +# For example: +# strategy: +# type: RollingUpdate +# rollingUpdate: +# maxSurge: 0 +# maxUnavailable: 1 +strategy: {} + +podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource. + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. + enabled: false + + # This configures the minimum available pods for disruptions. It can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # It cannot be used if `maxUnavailable` is set. + # +docs:property + # +docs:type=unknown + # minAvailable: 1 + + # This configures the maximum unavailable pods for disruptions. It can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # it cannot be used if `minAvailable` is set. + # +docs:property + # +docs:type=unknown + # maxUnavailable: 1 + +# A comma-separated list of feature gates that should be enabled on the +# controller pod. +featureGates: "" + +# The maximum number of challenges that can be scheduled as 'processing' at once. +maxConcurrentChallenges: 60 + +image: + # The container registry to pull the manager image from. + # +docs:property + # registry: quay.io + + # The container image for the cert-manager controller. + # +docs:property + repository: quay.io/jetstack/cert-manager-controller + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion is used. 
+ # +docs:property + # tag: vX.Y.Z + + # Setting a digest will override any tag. + # +docs:property + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + # Kubernetes imagePullPolicy on Deployment. + pullPolicy: IfNotPresent + +# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer +# resources. By default, the same namespace as cert-manager is deployed within is +# used. This namespace will not be automatically created by the Helm chart. +clusterResourceNamespace: "" + +# This namespace allows you to define where the services are installed into. +# If not set then they use the namespace of the release. +# This is helpful when installing cert manager as a chart dependency (sub chart). +namespace: "" + +# Override the "cert-manager.fullname" value. This value is used as part of +# most of the names of the resources created by this Helm chart. +# +docs:property +# fullnameOverride: "my-cert-manager" + +# Override the "cert-manager.name" value, which is used to annotate some of +# the resources that are created by this Chart (using "app.kubernetes.io/name"). +# NOTE: There are some inconsistencies in the Helm chart when it comes to +# these annotations (some resources use eg. "cainjector.name" which resolves +# to the value "cainjector"). +# +docs:property +# nameOverride: "my-cert-manager" + +serviceAccount: + # Specifies whether a service account should be created. + create: true + + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + # +docs:property + # name: "" + + # Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values. + # Example using templating: + # annotations: + # "{{ .Chart.Name }}-helm-chart/version": "{{ .Chart.Version }}" + # +docs:property + # annotations: {} + + # Optional additional labels to add to the controller's Service Account. 
+ # +docs:property + # labels: {} + + # Automount API credentials for a Service Account. + automountServiceAccountToken: true + +# Automounting API credentials for a particular pod. +# +docs:property +# automountServiceAccountToken: true + +# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted. +enableCertificateOwnerRef: false + +# This property is used to configure options for the controller pod. +# This allows setting options that would usually be provided using flags. +# +# If `apiVersion` and `kind` are unspecified they default to the current latest +# version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin +# the version by specifying the `apiVersion` yourself. +# +# For example: +# config: +# apiVersion: controller.config.cert-manager.io/v1alpha1 +# kind: ControllerConfiguration +# logging: +# verbosity: 2 +# format: text +# leaderElectionConfig: +# namespace: kube-system +# kubernetesAPIQPS: 9000 +# kubernetesAPIBurst: 9000 +# numberOfConcurrentWorkers: 200 +# enableGatewayAPI: true +# # Feature gates as of v1.17.0. Listed with their default values. 
+# # See https://cert-manager.io/docs/cli/controller/ +# featureGates: +# AdditionalCertificateOutputFormats: true # BETA - default=true +# AllAlpha: false # ALPHA - default=false +# AllBeta: false # BETA - default=false +# ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false +# ExperimentalGatewayAPISupport: true # BETA - default=true +# LiteralCertificateSubject: true # BETA - default=true +# NameConstraints: true # BETA - default=true +# OtherNames: false # ALPHA - default=false +# SecretsFilteredCaching: true # BETA - default=true +# ServerSideApply: false # ALPHA - default=false +# StableCertificateRequestName: true # BETA - default=true +# UseCertificateRequestBasicConstraints: false # ALPHA - default=false +# UseDomainQualifiedFinalizer: true # BETA - default=false +# ValidateCAA: false # ALPHA - default=false +# # Configure the metrics server for TLS +# # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls +# metricsTLSConfig: +# dynamic: +# secretNamespace: "cert-manager" +# secretName: "cert-manager-metrics-ca" +# dnsNames: +# - cert-manager-metrics +config: {} + +# Setting Nameservers for DNS01 Self Check. +# For more information, see the [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check). + +# A comma-separated string with the host and port of the recursive nameservers cert-manager should query. +dns01RecursiveNameservers: "" + +# Forces cert-manager to use only the recursive nameservers for verification. +# Enabling this option could cause the DNS01 self check to take longer owing to caching performed by the recursive nameservers. +dns01RecursiveNameserversOnly: false + +# Option to disable cert-manager's build-in auto-approver. The auto-approver +# approves all CertificateRequests that reference issuers matching the 'approveSignerNames' +# option. 
This 'disableAutoApproval' option is useful when you want to make all approval decisions +# using a different approver (like approver-policy - https://github.com/cert-manager/approver-policy). +disableAutoApproval: false + +# List of signer names that cert-manager will approve by default. CertificateRequests +# referencing these signer names will be auto-approved by cert-manager. Defaults to just +# approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty +# array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, +# because eg. you are using approver-policy, you can enable 'disableAutoApproval'. +# ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval +# +docs:property +approveSignerNames: +- issuers.cert-manager.io/* +- clusterissuers.cert-manager.io/* + +# Additional command line flags to pass to cert-manager controller binary. +# To see all available flags run `docker run quay.io/jetstack/cert-manager-controller: --help`. +# +# Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificateRequests approver. +# +# For example: +# extraArgs: +# - --controllers=*,-certificaterequests-approver +extraArgs: [] + +# Additional environment variables to pass to cert-manager controller binary. +# For example: +# extraEnv: +# - name: SOME_VAR +# value: 'some value' +extraEnv: [] + +# Resources to provide to the cert-manager controller pod. +# +# For example: +# requests: +# cpu: 10m +# memory: 32Mi +# +# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). +resources: {} + +# Pod Security Context. +# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). 
+# +docs:property +securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + +# Container Security Context to be set on the controller component container. +# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). +# +docs:property +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + +# Additional volumes to add to the cert-manager controller pod. +volumes: [] + +# Additional volume mounts to add to the cert-manager controller container. +volumeMounts: [] + +# Optional additional annotations to add to the controller Deployment. +# +docs:property +# deploymentAnnotations: {} + +# Optional additional annotations to add to the controller Pods. +# +docs:property +# podAnnotations: {} + +# Optional additional labels to add to the controller Pods. +podLabels: {} + +# Optional annotations to add to the controller Service. +# +docs:property +# serviceAnnotations: {} + +# Optional additional labels to add to the controller Service. +# +docs:property +# serviceLabels: {} + +# Optionally set the IP family policy for the controller Service to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services). +# +docs:property +# serviceIPFamilyPolicy: "" + +# Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6. +# +docs:property +# serviceIPFamilies: [] + +# Optional DNS settings. These are useful if you have a public and private DNS zone for +# the same domain on Route 53. The following is an example of ensuring +# cert-manager can access an ingress or DNS TXT records at all times. +# Note that this requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for +# the cluster to work. 
+ +# Pod DNS policy. +# For more information, see [Pod's DNS Policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). +# +docs:property +# podDnsPolicy: "None" + +# Pod DNS configuration. The podDnsConfig field is optional and can work with any podDnsPolicy +# settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. +# For more information, see [Pod's DNS Config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config). +# +docs:property +# podDnsConfig: +# nameservers: +# - "1.1.1.1" +# - "8.8.8.8" + +# Optional hostAliases for cert-manager-controller pods. May be useful when performing ACME DNS-01 self checks. +hostAliases: [] +# - ip: 127.0.0.1 +# hostnames: +# - foo.local +# - bar.local +# - ip: 10.1.2.3 +# hostnames: +# - foo.remote +# - bar.remote + +# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with +# matching labels. +# For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). +# +# This default ensures that Pods are only scheduled to Linux nodes. +# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. +# +docs:property +nodeSelector: + kubernetes.io/os: linux + +# +docs:ignore +ingressShim: {} + + # Optional default issuer to use for ingress resources. + # +docs:property=ingressShim.defaultIssuerName + # defaultIssuerName: "" + + # Optional default issuer kind to use for ingress resources. + # +docs:property=ingressShim.defaultIssuerKind + # defaultIssuerKind: "" + + # Optional default issuer group to use for ingress resources. + # +docs:property=ingressShim.defaultIssuerGroup + # defaultIssuerGroup: "" + +# Use these variables to configure the HTTP_PROXY environment variables. + +# Configures the HTTP_PROXY environment variable where a HTTP proxy is required. 
+# +docs:property +# http_proxy: "http://proxy:8080" + +# Configures the HTTPS_PROXY environment variable where a HTTP proxy is required. +# +docs:property +# https_proxy: "https://proxy:8080" + +# Configures the NO_PROXY environment variable where a HTTP proxy is required, +# but certain domains should be excluded. +# +docs:property +# no_proxy: 127.0.0.1,localhost + + +# A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core). +# +# For example: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: foo.bar.com/role +# operator: In +# values: +# - master +affinity: {} + +# A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core). +# +# For example: +# tolerations: +# - key: foo.bar.com/role +# operator: Equal +# value: master +# effect: NoSchedule +tolerations: [] + +# A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core +# +# For example: +# topologySpreadConstraints: +# - maxSkew: 2 +# topologyKey: topology.kubernetes.io/zone +# whenUnsatisfiable: ScheduleAnyway +# labelSelector: +# matchLabels: +# app.kubernetes.io/instance: cert-manager +# app.kubernetes.io/component: controller +topologySpreadConstraints: [] + +# LivenessProbe settings for the controller container of the controller Pod. +# +# This is enabled by default, in order to enable the clock-skew liveness probe that +# restarts the controller in case of a skew between the system clock and the monotonic clock. +# LivenessProbe durations and thresholds are based on those used for the Kubernetes +# controller-manager. 
For more information see the following on the +# [Kubernetes GitHub repository](https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245) +# +docs:property +livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 8 + +# enableServiceLinks indicates whether information about services should be +# injected into the pod's environment variables, matching the syntax of Docker +# links. +enableServiceLinks: false + +# +docs:section=Prometheus + +prometheus: + # Enable Prometheus monitoring for the cert-manager controller and webhook. + # If you use the Prometheus Operator, set prometheus.podmonitor.enabled or + # prometheus.servicemonitor.enabled, to create a PodMonitor or a + # ServiceMonitor resource. + # Otherwise, 'prometheus.io' annotations are added to the cert-manager and + # cert-manager-webhook Deployments. + # Note that you can not enable both PodMonitor and ServiceMonitor as they are + # mutually exclusive. Enabling both will result in an error. + enabled: true + + servicemonitor: + # Create a ServiceMonitor to add cert-manager to Prometheus. + enabled: false + + # The namespace that the service monitor should live in, defaults + # to the cert-manager namespace. + # +docs:property + # namespace: cert-manager + + # Specifies the `prometheus` label on the created ServiceMonitor. This is + # used when different Prometheus instances have label selectors matching + # different ServiceMonitors. + prometheusInstance: default + + # The target port to set on the ServiceMonitor. This must match the port that the + # cert-manager controller is listening on for metrics. + targetPort: 9402 + + # The path to scrape for metrics. + path: /metrics + + # The interval to scrape metrics. + interval: 60s + + # The timeout before a metrics scrape fails. 
+ scrapeTimeout: 30s + + # Additional labels to add to the ServiceMonitor. + labels: {} + + # Additional annotations to add to the ServiceMonitor. + annotations: {} + + # Keep labels from scraped data, overriding server-side labels. + honorLabels: false + + # EndpointAdditionalProperties allows setting additional properties on the + # endpoint such as relabelings, metricRelabelings etc. + # + # For example: + # endpointAdditionalProperties: + # relabelings: + # - action: replace + # sourceLabels: + # - __meta_kubernetes_pod_node_name + # targetLabel: instance + # + # +docs:property + endpointAdditionalProperties: {} + + # Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error. + podmonitor: + # Create a PodMonitor to add cert-manager to Prometheus. + enabled: false + + # The namespace that the pod monitor should live in, defaults + # to the cert-manager namespace. + # +docs:property + # namespace: cert-manager + + # Specifies the `prometheus` label on the created PodMonitor. This is + # used when different Prometheus instances have label selectors matching + # different PodMonitors. + prometheusInstance: default + + # The path to scrape for metrics. + path: /metrics + + # The interval to scrape metrics. + interval: 60s + + # The timeout before a metrics scrape fails. + scrapeTimeout: 30s + + # Additional labels to add to the PodMonitor. + labels: {} + + # Additional annotations to add to the PodMonitor. + annotations: {} + + # Keep labels from scraped data, overriding server-side labels. + honorLabels: false + + # EndpointAdditionalProperties allows setting additional properties on the + # endpoint such as relabelings, metricRelabelings etc. 
+ # + # For example: + # endpointAdditionalProperties: + # relabelings: + # - action: replace + # sourceLabels: + # - __meta_kubernetes_pod_node_name + # targetLabel: instance + # # Configure the PodMonitor for TLS connections + # # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls + # scheme: https + # tlsConfig: + # serverName: cert-manager-metrics + # ca: + # secret: + # name: cert-manager-metrics-ca + # key: "tls.crt" + # + # +docs:property + endpointAdditionalProperties: {} + +# +docs:section=Webhook + +webhook: + # Number of replicas of the cert-manager webhook to run. + # + # The default is 1, but in production set this to 2 or 3 to provide high + # availability. + # + # If `replicas > 1`, consider setting `webhook.podDisruptionBudget.enabled=true`. + replicaCount: 1 + + # The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. + # The value must be between 1 and 30 seconds. For more information, see + # [Validating webhook configuration v1](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/). + # + # The default is set to the maximum value of 30 seconds as + # users sometimes report that the connection between the K8S API server and + # the cert-manager webhook server times out. + # If *this* timeout is reached, the error message will be "context deadline exceeded", + # which doesn't help the user diagnose what phase of the HTTPS connection timed out. + # For example, it could be during DNS resolution, TCP connection, TLS + # negotiation, HTTP negotiation, or slow HTTP response from the webhook + # server. + # By setting this timeout to its maximum value the underlying timeout error + # message has more chance of being returned to the end user. + timeoutSeconds: 30 + + # This is used to configure options for the webhook pod. + # This allows setting options that would usually be provided using flags. 
+ # + # If `apiVersion` and `kind` are unspecified they default to the current latest + # version (currently `webhook.config.cert-manager.io/v1alpha1`). You can pin + # the version by specifying the `apiVersion` yourself. + # + # For example: + # apiVersion: webhook.config.cert-manager.io/v1alpha1 + # kind: WebhookConfiguration + # # The port that the webhook listens on for requests. + # # In GKE private clusters, by default Kubernetes apiservers are allowed to + # # talk to the cluster nodes only on 443 and 10250. Configuring + # # securePort: 10250 therefore will work out-of-the-box without needing to add firewall + # # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. + # # This should be uncommented and set as a default by the chart once + # # the apiVersion of WebhookConfiguration graduates beyond v1alpha1. + # securePort: 10250 + # # Configure the metrics server for TLS + # # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls + # metricsTLSConfig: + # dynamic: + # secretNamespace: "cert-manager" + # secretName: "cert-manager-metrics-ca" + # dnsNames: + # - cert-manager-metrics + config: {} + + # The update strategy for the cert-manager webhook deployment. + # For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) + # + # For example: + # strategy: + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + strategy: {} + + # Pod Security Context to be set on the webhook component Pod. + # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). + # +docs:property + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + + # Container Security Context to be set on the webhook component container. 
+ # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). + # +docs:property + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + + podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource. + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. + enabled: false + + # This property configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # It cannot be used if `maxUnavailable` is set. + # +docs:property + # +docs:type=unknown + # minAvailable: 1 + + # This property configures the maximum unavailable pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # It cannot be used if `minAvailable` is set. + # +docs:property + # +docs:type=unknown + # maxUnavailable: 1 + + # Optional additional annotations to add to the webhook Deployment. + # +docs:property + # deploymentAnnotations: {} + + # Optional additional annotations to add to the webhook Pods. + # +docs:property + # podAnnotations: {} + + # Optional additional annotations to add to the webhook Service. + # +docs:property + # serviceAnnotations: {} + + # Optional additional annotations to add to the webhook MutatingWebhookConfiguration. + # +docs:property + # mutatingWebhookConfigurationAnnotations: {} + + # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration. + # +docs:property + # validatingWebhookConfigurationAnnotations: {} + + validatingWebhookConfiguration: + # Configure spec.namespaceSelector for validating webhooks. 
+ # +docs:property + namespaceSelector: + matchExpressions: + - key: "cert-manager.io/disable-validation" + operator: "NotIn" + values: + - "true" + + mutatingWebhookConfiguration: + # Configure spec.namespaceSelector for mutating webhooks. + # +docs:property + namespaceSelector: {} + # matchLabels: + # key: value + # matchExpressions: + # - key: kubernetes.io/metadata.name + # operator: NotIn + # values: + # - kube-system + + + # Additional command line flags to pass to cert-manager webhook binary. + # To see all available flags run `docker run quay.io/jetstack/cert-manager-webhook: --help`. + extraArgs: [] + # Path to a file containing a WebhookConfiguration object used to configure the webhook. + # - --config= + + # Additional environment variables to pass to cert-manager webhook binary. + # For example: + # extraEnv: + # - name: SOME_VAR + # value: 'some value' + extraEnv: [] + + # Comma separated list of feature gates that should be enabled on the + # webhook pod. + featureGates: "" + + # Resources to provide to the cert-manager webhook pod. + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + resources: {} + + # Liveness probe values. + # For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + # + # +docs:property + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + + # Readiness probe values. + # For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). 
+ # + # +docs:property + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + # +docs:property + nodeSelector: + kubernetes.io/os: linux + + # A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core). + # + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master + affinity: {} + + # A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core). + # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule + tolerations: [] + + # A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core). + # + # For example: + # topologySpreadConstraints: + # - maxSkew: 2 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: ScheduleAnyway + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: cert-manager + # app.kubernetes.io/component: controller + topologySpreadConstraints: [] + + # Optional additional labels to add to the Webhook Pods. 
+ podLabels: {} + + # Optional additional labels to add to the Webhook Service. + serviceLabels: {} + + # Optionally set the IP family policy for the controller Service to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services). + serviceIPFamilyPolicy: "" + + # Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6. + serviceIPFamilies: [] + + image: + # The container registry to pull the webhook image from. + # +docs:property + # registry: quay.io + + # The container image for the cert-manager webhook + # +docs:property + repository: quay.io/jetstack/cert-manager-webhook + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # +docs:property + # tag: vX.Y.Z + + # Setting a digest will override any tag + # +docs:property + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + # Kubernetes imagePullPolicy on Deployment. + pullPolicy: IfNotPresent + + serviceAccount: + # Specifies whether a service account should be created. + create: true + + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + # +docs:property + # name: "" + + # Optional additional annotations to add to the webhook's Service Account. + # +docs:property + # annotations: {} + + # Optional additional labels to add to the webhook's Service Account. + # +docs:property + # labels: {} + + # Automount API credentials for a Service Account. + automountServiceAccountToken: true + + # Automounting API credentials for a particular pod. + # +docs:property + # automountServiceAccountToken: true + + # The port that the webhook listens on for requests. 
+ # In GKE private clusters, by default Kubernetes apiservers are allowed to + # talk to the cluster nodes only on 443 and 10250. Configuring + # securePort: 10250, therefore will work out-of-the-box without needing to add firewall + # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000. + securePort: 10250 + + # Specifies if the webhook should be started in hostNetwork mode. + # + # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom + # CNI (such as calico), because control-plane managed by AWS cannot communicate + # with pods' IP CIDR and admission webhooks are not working + # + # Since the default port for the webhook conflicts with kubelet on the host + # network, `webhook.securePort` should be changed to an available port if + # running in hostNetwork mode. + hostNetwork: false + + # Specifies how the service should be handled. Useful if you want to expose the + # webhook outside of the cluster. In some cases, the control plane cannot + # reach internal services. + serviceType: ClusterIP + + # Specify the load balancer IP for the created service. + # +docs:property + # loadBalancerIP: "10.10.10.10" + + # Overrides the mutating webhook and validating webhook so they reach the webhook + # service using the `url` field instead of a service. + url: {} + # host: + + # Enables default network policies for webhooks. + networkPolicy: + # Create network policies for the webhooks. + enabled: false + + # Ingress rule for the webhook network policy. By default, it allows all + # inbound traffic. + # +docs:property + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + + # Egress rule for the webhook network policy. By default, it allows all + # outbound traffic to ports 80 and 443, as well as DNS ports. 
+ # +docs:property + egress: + - ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + # On OpenShift and OKD, the Kubernetes API server listens on. + # port 6443. + - port: 6443 + protocol: TCP + to: + - ipBlock: + cidr: 0.0.0.0/0 + + # Additional volumes to add to the cert-manager controller pod. + volumes: [] + + # Additional volume mounts to add to the cert-manager controller container. + volumeMounts: [] + + # enableServiceLinks indicates whether information about services should be + # injected into the pod's environment variables, matching the syntax of Docker + # links. + enableServiceLinks: false + +# +docs:section=CA Injector + +cainjector: + # Create the CA Injector deployment + enabled: true + + # The number of replicas of the cert-manager cainjector to run. + # + # The default is 1, but in production set this to 2 or 3 to provide high + # availability. + # + # If `replicas > 1`, consider setting `cainjector.podDisruptionBudget.enabled=true`. + # + # Note that cert-manager uses leader election to ensure that there can + # only be a single instance active at a time. + replicaCount: 1 + + # This is used to configure options for the cainjector pod. + # It allows setting options that are usually provided via flags. + # + # If `apiVersion` and `kind` are unspecified they default to the current latest + # version (currently `cainjector.config.cert-manager.io/v1alpha1`). You can pin + # the version by specifying the `apiVersion` yourself. 
+ # + # For example: + # apiVersion: cainjector.config.cert-manager.io/v1alpha1 + # kind: CAInjectorConfiguration + # logging: + # verbosity: 2 + # format: text + # leaderElectionConfig: + # namespace: kube-system + # # Configure the metrics server for TLS + # # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls + # metricsTLSConfig: + # dynamic: + # secretNamespace: "cert-manager" + # secretName: "cert-manager-metrics-ca" + # dnsNames: + # - cert-manager-metrics + config: {} + + # Deployment update strategy for the cert-manager cainjector deployment. + # For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy). + # + # For example: + # strategy: + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + strategy: {} + + # Pod Security Context to be set on the cainjector component Pod + # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). + # +docs:property + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + + # Container Security Context to be set on the cainjector component container + # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). + # +docs:property + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + + podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource. + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. + enabled: false + + # `minAvailable` configures the minimum available pods for disruptions. 
It can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. + # +docs:property + # +docs:type=unknown + # minAvailable: 1 + + # `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `minAvailable` is set. + # +docs:property + # +docs:type=unknown + # maxUnavailable: 1 + + # Optional additional annotations to add to the cainjector Deployment. + # +docs:property + # deploymentAnnotations: {} + + # Optional additional annotations to add to the cainjector Pods. + # +docs:property + # podAnnotations: {} + + # Optional additional annotations to add to the cainjector metrics Service. + # +docs:property + # serviceAnnotations: {} + + # Additional command line flags to pass to cert-manager cainjector binary. + # To see all available flags run `docker run quay.io/jetstack/cert-manager-cainjector: --help`. + extraArgs: [] + # Enable profiling for cainjector. + # - --enable-profiling=true + + # Additional environment variables to pass to cert-manager cainjector binary. + # For example: + # extraEnv: + # - name: SOME_VAR + # value: 'some value' + extraEnv: [] + + # Comma separated list of feature gates that should be enabled on the + # cainjector pod. + featureGates: "" + + # Resources to provide to the cert-manager cainjector pod. + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + resources: {} + + + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). + # + # This default ensures that Pods are only scheduled to Linux nodes. 
+ # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + # +docs:property + nodeSelector: + kubernetes.io/os: linux + + # A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core). + # + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master + affinity: {} + + # A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core). + # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule + tolerations: [] + + # A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core). + # + # For example: + # topologySpreadConstraints: + # - maxSkew: 2 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: ScheduleAnyway + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: cert-manager + # app.kubernetes.io/component: controller + topologySpreadConstraints: [] + + # Optional additional labels to add to the CA Injector Pods. + podLabels: {} + + # Optional additional labels to add to the CA Injector metrics Service. + serviceLabels: {} + + image: + # The container registry to pull the cainjector image from. + # +docs:property + # registry: quay.io + + # The container image for the cert-manager cainjector + # +docs:property + repository: quay.io/jetstack/cert-manager-cainjector + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. 
+ # +docs:property + # tag: vX.Y.Z + + # Setting a digest will override any tag. + # +docs:property + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + # Kubernetes imagePullPolicy on Deployment. + pullPolicy: IfNotPresent + + serviceAccount: + # Specifies whether a service account should be created. + create: true + + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # +docs:property + # name: "" + + # Optional additional annotations to add to the cainjector's Service Account. + # +docs:property + # annotations: {} + + # Optional additional labels to add to the cainjector's Service Account. + # +docs:property + # labels: {} + + # Automount API credentials for a Service Account. + automountServiceAccountToken: true + + # Automounting API credentials for a particular pod. + # +docs:property + # automountServiceAccountToken: true + + # Additional volumes to add to the cert-manager controller pod. + volumes: [] + + # Additional volume mounts to add to the cert-manager controller container. + volumeMounts: [] + + # enableServiceLinks indicates whether information about services should be + # injected into the pod's environment variables, matching the syntax of Docker + # links. + enableServiceLinks: false + +# +docs:section=ACME Solver + +acmesolver: + image: + # The container registry to pull the acmesolver image from. + # +docs:property + # registry: quay.io + + # The container image for the cert-manager acmesolver. + # +docs:property + repository: quay.io/jetstack/cert-manager-acmesolver + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion is used. + # +docs:property + # tag: vX.Y.Z + + # Setting a digest will override any tag. + # +docs:property + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + # Kubernetes imagePullPolicy on Deployment. 
+ pullPolicy: IfNotPresent + +# +docs:section=Startup API Check +# This startupapicheck is a Helm post-install hook that waits for the webhook +# endpoints to become available. +# The check is implemented using a Kubernetes Job - if you are injecting mesh +# sidecar proxies into cert-manager pods, ensure that they +# are not injected into this Job's pod. Otherwise, the installation may time out +# owing to the Job never being completed because the sidecar proxy does not exit. +# For more information, see [this note](https://github.com/cert-manager/cert-manager/pull/4414). + +startupapicheck: + # Enables the startup api check. + enabled: true + + # Pod Security Context to be set on the startupapicheck component Pod. + # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). + # +docs:property + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + + # Container Security Context to be set on the controller component container. + # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). + # +docs:property + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + + # Timeout for 'kubectl check api' command. + timeout: 1m + + # Job backoffLimit + backoffLimit: 4 + + # Optional additional annotations to add to the startupapicheck Job. + # +docs:property + jobAnnotations: + helm.sh/hook: post-install + helm.sh/hook-weight: "1" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + + # Optional additional annotations to add to the startupapicheck Pods. + # +docs:property + # podAnnotations: {} + + # Additional command line flags to pass to startupapicheck binary. + # To see all available flags run `docker run quay.io/jetstack/cert-manager-startupapicheck: --help`. 
+ # + # Verbose logging is enabled by default so that if startupapicheck fails, you + # can know what exactly caused the failure. Verbose logs include details of + # the webhook URL, IP address and TCP connect errors for example. + # +docs:property + extraArgs: + - -v + + # Additional environment variables to pass to cert-manager startupapicheck binary. + # For example: + # extraEnv: + # - name: SOME_VAR + # value: 'some value' + extraEnv: [] + + # Resources to provide to the cert-manager controller pod. + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + resources: {} + + + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + # +docs:property + nodeSelector: + kubernetes.io/os: linux + + # A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core). + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master + affinity: {} + + # A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core). 
+ # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule + tolerations: [] + + # Optional additional labels to add to the startupapicheck Pods. + podLabels: {} + + image: + # The container registry to pull the startupapicheck image from. + # +docs:property + # registry: quay.io + + # The container image for the cert-manager startupapicheck. + # +docs:property + repository: quay.io/jetstack/cert-manager-startupapicheck + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion is used. + # +docs:property + # tag: vX.Y.Z + + # Setting a digest will override any tag. + # +docs:property + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + # Kubernetes imagePullPolicy on Deployment. + pullPolicy: IfNotPresent + + rbac: + # annotations for the startup API Check job RBAC and PSP resources. + # +docs:property + annotations: + helm.sh/hook: post-install + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + + # Automounting API credentials for a particular pod. + # +docs:property + # automountServiceAccountToken: true + + serviceAccount: + # Specifies whether a service account should be created. + create: true + + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + # +docs:property + # name: "" + + # Optional additional annotations to add to the Job's Service Account. + # +docs:property + annotations: + helm.sh/hook: post-install + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + + # Automount API credentials for a Service Account. + # +docs:property + automountServiceAccountToken: true + + # Optional additional labels to add to the startupapicheck's Service Account. 
+ # +docs:property + # labels: {} + + # Additional volumes to add to the cert-manager controller pod. + volumes: [] + + # Additional volume mounts to add to the cert-manager controller container. + volumeMounts: [] + + # enableServiceLinks indicates whether information about services should be + # injected into pod's environment variables, matching the syntax of Docker + # links. + enableServiceLinks: false + +# Create dynamic manifests via values. +# +# For example: +# extraObjects: +# - | +# apiVersion: v1 +# kind: ConfigMap +# metadata: +# name: '{{ template "cert-manager.fullname" . }}-extra-configmap' +extraObjects: [] + +# Field used by our release pipeline to produce the static manifests. +# The field defaults to "helm" but is set to "static" when we render +# the static YAML manifests. +# +docs:hidden +creator: "helm" + +# Field that can be used as a condition when cert-manager is a dependency. +# This definition is only here as a placeholder such that it is included in +# the json schema. +# See https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags +# for more info. +# +docs:hidden +enabled: true From cd3f68e5836a9be676e6e437904be32dba0aa91e Mon Sep 17 00:00:00 2001 From: mulmuri Date: Thu, 27 Feb 2025 19:55:12 +0900 Subject: [PATCH 5/7] chore: istio --- modules/infra/istio/gateway/{gateway.tf => main.tf} | 0 modules/infra/istio/main.tf | 10 ++++++++++ 2 files changed, 10 insertions(+) rename modules/infra/istio/gateway/{gateway.tf => main.tf} (100%) diff --git a/modules/infra/istio/gateway/gateway.tf b/modules/infra/istio/gateway/main.tf similarity index 100% rename from modules/infra/istio/gateway/gateway.tf rename to modules/infra/istio/gateway/main.tf diff --git a/modules/infra/istio/main.tf b/modules/infra/istio/main.tf index 0019034..1f5f8ae 100644 --- a/modules/infra/istio/main.tf +++ b/modules/infra/istio/main.tf 
@@ -5,6 +5,16 @@ resource "helm_release" "istio_base" { namespace = "istio-system" version = "1.24.2" + set { + name = "base.enableIstioConfigCRDs" + value = "false" + } + + set { + name = "base.enableCRDTemplates" + value = "false" + } + timeout = 300 } From 34472051b4fe146e76240d593b2fa3f3aa96738d Mon Sep 17 00:00:00 2001 From: mulmuri Date: Thu, 27 Feb 2025 19:55:53 +0900 Subject: [PATCH 6/7] feat: divide chore gcp --- projects/gcp/core/main.tf | 34 ++++ projects/gcp/core/output.tf | 21 +++ projects/gcp/core/provider.tf | 31 ++++ projects/gcp/core/state.tfstate | 210 +++++++++++++++++++++++++ projects/gcp/core/state.tfstate.backup | 142 +++++++++++++++++ projects/gcp/core/variables.tf | 11 ++ projects/gcp/main.tf | 38 +---- projects/gcp/output.tf | 17 +- projects/gcp/terraform.tfvars | 3 +- projects/gcp/variables.tf | 5 +- 10 files changed, 468 insertions(+), 44 deletions(-) create mode 100644 projects/gcp/core/main.tf create mode 100644 projects/gcp/core/output.tf create mode 100644 projects/gcp/core/provider.tf create mode 100644 projects/gcp/core/state.tfstate create mode 100644 projects/gcp/core/state.tfstate.backup create mode 100644 projects/gcp/core/variables.tf diff --git a/projects/gcp/core/main.tf b/projects/gcp/core/main.tf new file mode 100644 index 0000000..db9d92d --- /dev/null +++ b/projects/gcp/core/main.tf 
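Review bot: The two new `set` blocks switch off CRD creation for the istio base release (`base.enableIstioConfigCRDs`, `base.enableCRDTemplates`) without recording where the CRDs are expected to come from instead, so whoever applies this into a fresh cluster will see Istio resources rejected with no hint in the code. Add a comment above the first `set` block naming the mechanism, e.g. `# CRDs are installed by <mechanism>; both flags are off here to avoid Helm ownership conflicts with that install`, with the placeholder replaced by the real one. The `helm_release "istio_base"` block starts before this hunk.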
@@ -0,0 +1,34 @@
+terraform {
+ backend "gcs" {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "450909/gcp/core"
+ }
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "6.20.0"
+ }
+
+ acme = {
+ source = "vancluever/acme"
+ version = "2.29.0"
+ }
+ }
+}
+
+module "core" {
+ source = "../../../modules/gcp/core"
+ project_id = var.project_id
+ location = var.location
+ region = var.region
+}
+
+module "acme" {
+ source = "../../../modules/cloudflare/acme"
+
+ cloudflare_email = local.cloudflare_email
+ cloudflare_api_token = local.cloudflare_api_token
+ cloudflare_zone_id = local.cloudflare_zone_id
+ cloudflare_api_key = local.cloudflare_api_key
+}
diff --git a/projects/gcp/core/output.tf b/projects/gcp/core/output.tf
new file mode 100644
index 0000000..50e3a20
--- /dev/null
+++ b/projects/gcp/core/output.tf
@@ -0,0 +1,21 @@
+output "vault_kms_keyring_name" {
+ value = module.core.vault_kms_keyring_name
+ sensitive = true
+}
+
+output "vault_kms_crypto_key_name" {
+ value = module.core.vault_kms_crypto_key_name
+ sensitive = true
+}
+
+output "cloudflare_api_token" {
+ description = "Cloudflare API token"
+ value = local.cloudflare_api_token
+ sensitive = true
+}
+
+output "cloudflare_zone_id" {
+ description = "Cloudflare zone ID"
+ value = local.cloudflare_zone_id
+ sensitive = true
+}
diff --git a/projects/gcp/core/provider.tf b/projects/gcp/core/provider.tf
new file mode 100644
index 0000000..75f4c48
--- /dev/null
+++ b/projects/gcp/core/provider.tf
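Review bot: The `backend "gcs"` block points at `goboolean-450909-tfstate`, which appears to be the state bucket that `module.core` in this same configuration creates, so a fresh bootstrap cannot initialise the backend before the first apply has run; document the order above the block, e.g. `# bootstrap: apply once with a local backend, then re-run init with -migrate-state once the bucket exists`. Separately, `module "acme"` is given both the scoped `cloudflare_api_token` and the account-wide `cloudflare_api_key`; if the module needs only one authentication method, pass only the scoped token so the broader credential is never read into this root module at all — confirm against the module's declared inputs.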
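Review bot: `output "cloudflare_api_token"` re-exports a Secret Manager value from the root module, and `sensitive = true` only redacts it from CLI output — the plaintext token is still written to the state file, and this same commit adds `projects/gcp/core/state.tfstate` and `state.tfstate.backup` to the repository per its diffstat. Drop the two Cloudflare outputs (consumers can read the secret from Secret Manager under their own IAM grant) and keep state out of version control with a `*.tfstate*` ignore rule; if the state file has already been pushed, treat the token as exposed and rotate it. The `vault_kms_*` outputs are plain resource names, so `sensitive = true` on them buys nothing and only hides them from `terraform output`.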
@@ -0,0 +1,31 @@
+provider "google" {
+ project = var.project_id
+ region = var.region
+}
+
+provider "acme" {
+ server_url = "https://acme-v02.api.letsencrypt.org/directory"
+}
+
+data "google_secret_manager_secret_version" "cloudflare_email" {
+ secret = "cloudflare_email"
+}
+
+data "google_secret_manager_secret_version" "cloudflare_api_token" {
+ secret = "cloudflare_api_token"
+}
+
+data "google_secret_manager_secret_version" "cloudflare_zone_id" {
+ secret = "cloudflare_zone_id"
+}
+
+data "google_secret_manager_secret_version" "cloudflare_api_key" {
+ secret = "cloudflare_api_key"
+}
+
+locals {
+ cloudflare_email = data.google_secret_manager_secret_version.cloudflare_email.secret_data
+ cloudflare_api_token = data.google_secret_manager_secret_version.cloudflare_api_token.secret_data
+ cloudflare_zone_id = data.google_secret_manager_secret_version.cloudflare_zone_id.secret_data
+ cloudflare_api_key = data.google_secret_manager_secret_version.cloudflare_api_key.secret_data
+}
diff --git a/projects/gcp/core/state.tfstate b/projects/gcp/core/state.tfstate
new file mode 100644
index 0000000..dd313bd
--- /dev/null
+++ b/projects/gcp/core/state.tfstate
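Review bot: `provider "acme"` now uses the production Let's Encrypt directory, whereas the `projects/domain/provider.tf` removed in this series used the staging endpoint; production enforces issuance rate limits, so a variable or comment that lets testing fall back to staging (`# production endpoint; use acme-staging-v02 while iterating`) would avoid a lockout. The four `google_secret_manager_secret_version` data sources set no `version`, so each plan reads the latest version and a rotation in Secret Manager silently changes the value on the next run; `# latest version is read on every plan` above them makes that explicit, and the fetched `secret_data` is persisted in this root's state.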
@@ -0,0 +1,210 @@ +{ + "version": 4, + "terraform_version": "1.9.5", + "serial": 8, + "lineage": "cc1737e4-7588-13b5-dd13-f6cf65c6eab0", + "outputs": { + "vault_kms_crypto_key_name": { + "value": "vault-key", + "type": "string", + "sensitive": true + }, + "vault_kms_keyring_name": { + "value": "vault-keyring", + "type": "string", + "sensitive": true + } + }, + "resources": [ + { + "module": "module.core", + "mode": "managed", + "type": "google_kms_crypto_key", + "name": "vault_crypto_key", + "provider": "provider[\"registry.terraform.io/hashicorp/google\"]", + "instances": [ + { + "schema_version": 1, + "attributes": { + "crypto_key_backend": "", + "destroy_scheduled_duration": "2592000s", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "id": "projects/goboolean-450909/locations/asia-northeast3/keyRings/vault-keyring/cryptoKeys/vault-key", + "import_only": false, + "key_ring": "projects/goboolean-450909/locations/asia-northeast3/keyRings/vault-keyring", + "labels": {}, + "name": "vault-key", + "primary": [ + { + "name": "projects/goboolean-450909/locations/asia-northeast3/keyRings/vault-keyring/cryptoKeys/vault-key/cryptoKeyVersions/2", + "state": "ENABLED" + } + ], + "purpose": "ENCRYPT_DECRYPT", + "rotation_period": "7776000s", + "skip_initial_version_creation": false, + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null, + "version_template": [ + { + "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", + "protection_level": "SOFTWARE" + } + ] + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9", + "dependencies": [ + "module.core.google_kms_key_ring.vault_keyring" + ] + } + ] + }, + { + "module": "module.core", + "mode": "managed", + "type": "google_kms_key_ring", + "name": "vault_keyring", + "provider": 
"provider[\"registry.terraform.io/hashicorp/google\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "projects/goboolean-450909/locations/asia-northeast3/keyRings/vault-keyring", + "location": "asia-northeast3", + "name": "vault-keyring", + "project": "goboolean-450909", + "timeouts": null + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjEyMDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjAifQ==" + } + ] + }, + { + "module": "module.core", + "mode": "managed", + "type": "google_project_iam_custom_role", + "name": "vault_kms_custom_role", + "provider": "provider[\"registry.terraform.io/hashicorp/google\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "deleted": false, + "description": "Custom role for Vault to use KMS for auto-unseal with minimal permissions", + "id": "projects/goboolean-450909/roles/vaultKmsRole", + "name": "projects/goboolean-450909/roles/vaultKmsRole", + "permissions": [ + "cloudkms.cryptoKeyVersions.useToDecrypt", + "cloudkms.cryptoKeyVersions.useToEncrypt", + "cloudkms.cryptoKeys.get" + ], + "project": "goboolean-450909", + "role_id": "vaultKmsRole", + "stage": "GA", + "title": "Vault KMS Custom Role" + }, + "sensitive_attributes": [], + "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjAifQ==" + } + ] + }, + { + "module": "module.core", + "mode": "managed", + "type": "google_service_account", + "name": "vault_kms_sa", + "provider": "provider[\"registry.terraform.io/hashicorp/google\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "account_id": "vault-kms-sa", + "create_ignore_already_exists": null, + "description": "", + "disabled": false, + "display_name": "Vault KMS Service Account", + "email": "vault-kms-sa@goboolean-450909.iam.gserviceaccount.com", + "id": "projects/goboolean-450909/serviceAccounts/vault-kms-sa@goboolean-450909.iam.gserviceaccount.com", + "member": 
"serviceAccount:vault-kms-sa@goboolean-450909.iam.gserviceaccount.com", + "name": "projects/goboolean-450909/serviceAccounts/vault-kms-sa@goboolean-450909.iam.gserviceaccount.com", + "project": "goboolean-450909", + "timeouts": null, + "unique_id": "101952005478664320523" + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozMDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjAifQ==" + } + ] + }, + { + "module": "module.core", + "mode": "managed", + "type": "google_storage_bucket", + "name": "terraform_state", + "provider": "provider[\"registry.terraform.io/hashicorp/google\"]", + "instances": [ + { + "schema_version": 3, + "attributes": { + "autoclass": [], + "cors": [], + "custom_placement_config": [], + "default_event_based_hold": false, + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "enable_object_retention": false, + "encryption": [], + "force_destroy": false, + "hierarchical_namespace": [ + { + "enabled": false + } + ], + "id": "goboolean-450909-tfstate", + "labels": null, + "lifecycle_rule": [], + "location": "ASIA-NORTHEAST3", + "logging": [], + "name": "goboolean-450909-tfstate", + "project": "goboolean-450909", + "project_number": 172374252040, + "public_access_prevention": "enforced", + "requester_pays": false, + "retention_policy": [], + "rpo": null, + "self_link": "https://www.googleapis.com/storage/v1/b/goboolean-450909-tfstate", + "soft_delete_policy": [ + { + "effective_time": "2025-02-25T09:33:05.198Z", + "retention_duration_seconds": 604800 + } + ], + "storage_class": "STANDARD", + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null, + "uniform_bucket_level_access": true, + "url": "gs://goboolean-450909-tfstate", + "versioning": [ + { + "enabled": true + } + ], + "website": [] + }, + "sensitive_attributes": [], + "private": 
"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsInJlYWQiOjI0MDAwMDAwMDAwMCwidXBkYXRlIjoyNDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjMifQ==" + } + ] + } + ], + "check_results": null +} diff --git a/projects/gcp/core/state.tfstate.backup b/projects/gcp/core/state.tfstate.backup new file mode 100644 index 0000000..fc16055 --- /dev/null +++ b/projects/gcp/core/state.tfstate.backup 
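Review bot: `projects/gcp/core/state.tfstate` is a Terraform state file committed to the repository although the root configures a GCS backend; state should not be in version control. The `outputs` marked `sensitive` are stored here in clear text, together with the full KMS key path, the service-account email and `unique_id` and the project number, and once the outputs added in projects/gcp/core/output.tf reach a later serial the Cloudflare token would be committed as well. Remove this file and the accompanying `state.tfstate.backup` from the commit, add `*.tfstate` and `*.tfstate.backup` to `.gitignore`, and treat the `lineage`/`serial` here as stale relative to the GCS copy.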
@@ -0,0 +1,142 @@ +{ + "version": 4, + "terraform_version": "1.9.5", + "serial": 5, + "lineage": "cc1737e4-7588-13b5-dd13-f6cf65c6eab0", + "outputs": { + "vault_kms_crypto_key_name": { + "value": "vault-key", + "type": "string", + "sensitive": true + }, + "vault_kms_keyring_name": { + "value": "vault-keyring", + "type": "string", + "sensitive": true + } + }, + "resources": [ + { + "module": "module.core", + "mode": "managed", + "type": "google_kms_crypto_key", + "name": "vault_crypto_key", + "provider": "provider[\"registry.terraform.io/hashicorp/google\"]", + "instances": [ + { + "schema_version": 1, + "attributes": { + "crypto_key_backend": "", + "destroy_scheduled_duration": "2592000s", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "id": "projects/goboolean-450909/locations/asia-northeast3/keyRings/vault-keyring/cryptoKeys/vault-key", + "import_only": false, + "key_ring": "projects/goboolean-450909/locations/asia-northeast3/keyRings/vault-keyring", + "labels": {}, + "name": "vault-key", + "primary": [ + { + "name": "projects/goboolean-450909/locations/asia-northeast3/keyRings/vault-keyring/cryptoKeys/vault-key/cryptoKeyVersions/2", + "state": "ENABLED" + } + ], + "purpose": "ENCRYPT_DECRYPT", + "rotation_period": "7776000s", + "skip_initial_version_creation": false, + "terraform_labels": {}, + "timeouts": null, + "version_template": [ + { + "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", + "protection_level": "SOFTWARE" + } + ] + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9" + } + ] + }, + { + "module": "module.core", + "mode": "managed", + "type": "google_kms_key_ring", + "name": "vault_keyring", + "provider": "provider[\"registry.terraform.io/hashicorp/google\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": 
"projects/goboolean-450909/locations/asia-northeast3/keyRings/vault-keyring", + "location": "asia-northeast3", + "name": "vault-keyring", + "project": "goboolean-450909", + "timeouts": null + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjEyMDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjAifQ==" + } + ] + }, + { + "module": "module.core", + "mode": "managed", + "type": "google_project_iam_custom_role", + "name": "vault_kms_custom_role", + "provider": "provider[\"registry.terraform.io/hashicorp/google\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "deleted": false, + "description": "Custom role for Vault to use KMS for auto-unseal with minimal permissions", + "id": "projects/goboolean-450909/roles/vaultKmsRole", + "name": "projects/goboolean-450909/roles/vaultKmsRole", + "permissions": [ + "cloudkms.cryptoKeyVersions.useToDecrypt", + "cloudkms.cryptoKeyVersions.useToEncrypt", + "cloudkms.cryptoKeys.get" + ], + "project": "goboolean-450909", + "role_id": "vaultKmsRole", + "stage": "GA", + "title": "Vault KMS Custom Role" + }, + "sensitive_attributes": [], + "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjAifQ==" + } + ] + }, + { + "module": "module.core", + "mode": "managed", + "type": "google_service_account", + "name": "vault_kms_sa", + "provider": "provider[\"registry.terraform.io/hashicorp/google\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "account_id": "vault-kms-sa", + "create_ignore_already_exists": null, + "description": "", + "disabled": false, + "display_name": "Vault KMS Service Account", + "email": "vault-kms-sa@goboolean-450909.iam.gserviceaccount.com", + "id": "projects/goboolean-450909/serviceAccounts/vault-kms-sa@goboolean-450909.iam.gserviceaccount.com", + "member": "serviceAccount:vault-kms-sa@goboolean-450909.iam.gserviceaccount.com", + "name": 
"projects/goboolean-450909/serviceAccounts/vault-kms-sa@goboolean-450909.iam.gserviceaccount.com", + "project": "goboolean-450909", + "timeouts": null, + "unique_id": "101952005478664320523" + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozMDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjAifQ==" + } + ] + } + ], + "check_results": null +} diff --git a/projects/gcp/core/variables.tf b/projects/gcp/core/variables.tf new file mode 100644 index 0000000..5f26342 --- /dev/null +++ b/projects/gcp/core/variables.tf @@ -0,0 +1,11 @@ +variable "project_id" { + type = string +} + +variable "location" { + type = string +} + +variable "region" { + type = string +} diff --git a/projects/gcp/main.tf b/projects/gcp/main.tf index 33f138c..efa27d3 100644 --- a/projects/gcp/main.tf +++ b/projects/gcp/main.tf @@ -1,7 +1,7 @@ terraform { backend "gcs" { - bucket = "goboolean-450909-terraform-state" - prefix = "gcp" + bucket = "goboolean-450909-tfstate" + prefix = "452007/gcp" } } 
@@ -27,41 +27,11 @@ module "gke" { depends_on = [module.service] } -resource "google_project_service" "secretmanager_api" { - service = "secretmanager.googleapis.com" - project = var.project_id - disable_on_destroy = false -} - -resource "google_project_service" "kms_api" { - service = "cloudkms.googleapis.com" - project = var.project_id - disable_on_destroy = false -} - -module "kms" { - source = "../../modules/gcp/kms" - project_id = var.project_id - region = var.region - - depends_on = [google_project_service.kms_api] -} - module "iam" { source = "../../modules/gcp/iam" project_id = var.project_id + main_project_id = var.main_project_id region = var.region - vault_kms_crypto_key_id = module.kms.vault_kms_crypto_key_id - - depends_on = [module.gke, module.gcs, module.kms] -} - -module "storageclass" { - source = "../../modules/gcp/gke/storageclass" - depends_on = [module.gke] -} -module "namespace" { - source = "../../modules/gcp/gke/namespace" - depends_on = [module.gke] + depends_on = [module.gke, module.gcs] } diff --git a/projects/gcp/output.tf b/projects/gcp/output.tf index 4c89053..aa0e786 100644 --- a/projects/gcp/output.tf +++ b/projects/gcp/output.tf @@ -1,14 +1,15 @@ -output "vault_kms_keyring_name" { - value = module.kms.vault_kms_keyring_name +output "kubernetes_provider_config" { + value = module.gke.kubernetes_provider_config sensitive = true } -output "vault_kms_crypto_key_name" { - value = module.kms.vault_kms_crypto_key_name - sensitive = true +output "airflow_hmac_access_key" { + description = "HMAC access key for Airflow service account" + value = module.iam.access_key } -output "kubernetes_provider_config" { - value = module.gke.kubernetes_provider_config - sensitive = true +output "airflow_hmac_secret_key" { + description = "HMAC secret key for Airflow service account" + value = module.iam.secret_key + sensitive = true } diff --git a/projects/gcp/terraform.tfvars b/projects/gcp/terraform.tfvars index a93fc8c..253cb1f 100644 
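Review bot: `module "iam"` no longer receives `vault_kms_crypto_key_id` and the `kms` module whose output fed it is deleted, yet nothing visible in this series grants `vault-kms-sa` the `vaultKmsRole` on `vault-key`; the committed core state lists the key ring, key, custom role and service account but no IAM binding. If the binding now depends on `main_project_id` inside modules/gcp/iam, a comment on the `main_project_id = var.main_project_id` line saying so would help; otherwise auto-unseal fails at the first unseal with a KMS permission error. The removed `google_project_service` resources also leave Secret Manager and KMS API enablement unmanaged in this root; confirm it is handled for the project that now owns the key.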
--- a/projects/gcp/terraform.tfvars +++ b/projects/gcp/terraform.tfvars @@ -1,5 +1,6 @@ # Google Cloud Platform -project_id = "goboolean-450909" +project_id = "goboolean-452007" +main_project_id = "goboolean-450909" region = "asia-northeast3" zone = "asia-northeast3-a" location = "ASIA" diff --git a/projects/gcp/variables.tf b/projects/gcp/variables.tf index 15ae5f0..6b4793f 100644 --- a/projects/gcp/variables.tf +++ b/projects/gcp/variables.tf @@ -1,6 +1,9 @@ variable "project_id" { description = "project id" } +variable "main_project_id" { + description = "main project id" +} variable "region" { description = "region" } @@ -9,4 +12,4 @@ variable "zone" { } variable "location" { description = "location" -} \ No newline at end of file +} From c27e094dd4d5a89292043e8049e27b2a53c04617 Mon Sep 17 00:00:00 2001 
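Review bot: `variable "main_project_id"` is declared without a `type`, like its neighbours, while projects/gcp/core/variables.tf in the same series uses `type = string` for each input; adding `type = string` and a description that says what the project is for (presumably the project that owns the KMS key ring and state bucket, given the tfvars value) keeps the roots consistent and rejects a wrong tfvars value at plan time.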
From: mulmuri Date: Thu, 27 Feb 2025 19:57:04 +0900 Subject: [PATCH 7/7] feat: refactor project structure --- projects/domain/main.tf | 32 ------- projects/domain/provider.tf | 89 ------------------- projects/domain/terraform.tfvars | 3 - projects/k8s/base/istio-system.json | 59 ++++++++++++ projects/k8s/base/main.tf | 7 ++ projects/k8s/base/provider.tf | 41 +++++++++ projects/{domain => k8s/base}/variables.tf | 0 projects/k8s/gateway/configs/main.tf | 16 ++++ projects/k8s/gateway/configs/providers.tf | 81 +++++++++++++++++ projects/k8s/gateway/deployments/main.tf | 8 ++ projects/k8s/gateway/deployments/output.tf | 3 + projects/k8s/gateway/deployments/providers.tf | 56 ++++++++++++ projects/k8s/vault/configs/main.tf | 16 ++++ projects/k8s/vault/configs/provider.tf | 73 +++++++++++++++ projects/k8s/vault/configs/variables.tf | 7 ++ projects/k8s/vault/deployments/main.tf | 14 +++ projects/k8s/vault/deployments/provider.tf | 64 +++++++++++++ projects/k8s/vault/deployments/variables.tf | 7 ++ projects/k8s/vault/main.tf | 16 ++++ projects/k8s/vault/provider.tf | 71 +++++++++++++++ projects/k8s/vault/variables.tf | 7 ++ 21 files changed, 546 insertions(+), 124 deletions(-) delete mode 100644 projects/domain/main.tf delete mode 100644 projects/domain/provider.tf delete mode 100644 projects/domain/terraform.tfvars create mode 100644 projects/k8s/base/istio-system.json create mode 100644 projects/k8s/base/main.tf create mode 100644 projects/k8s/base/provider.tf rename projects/{domain => k8s/base}/variables.tf (100%) create mode 100644 projects/k8s/gateway/configs/main.tf create mode 100644 projects/k8s/gateway/configs/providers.tf create mode 100644 projects/k8s/gateway/deployments/main.tf create mode 100644 projects/k8s/gateway/deployments/output.tf create mode 100644 projects/k8s/gateway/deployments/providers.tf create mode 100644 projects/k8s/vault/configs/main.tf create mode 100644 projects/k8s/vault/configs/provider.tf create mode 100644 
projects/k8s/vault/configs/variables.tf create mode 100644 projects/k8s/vault/deployments/main.tf create mode 100644 projects/k8s/vault/deployments/provider.tf create mode 100644 projects/k8s/vault/deployments/variables.tf create mode 100644 projects/k8s/vault/main.tf create mode 100644 projects/k8s/vault/provider.tf create mode 100644 projects/k8s/vault/variables.tf diff --git a/projects/domain/main.tf b/projects/domain/main.tf deleted file mode 100644 index facbbc8..0000000 --- a/projects/domain/main.tf +++ /dev/null @@ -1,32 +0,0 @@ -terraform { - backend "gcs" { - bucket = "goboolean-450909-terraform-state" - prefix = "domain" - } -} - -module "istio" { - source = "../../modules/infra/istio" -} - -module "dns" { - source = "../../modules/cloudflare/dns" - api_token = local.cloudflare_api_token - zone_id = local.cloudflare_zone_id - ip_address = module.istio.istio_gateway_ip - - depends_on = [module.istio] -} - -module "acme" { - source = "../../modules/cloudflare/acme" - - cloudflare_email = local.cloudflare_email - cloudflare_api_token = local.cloudflare_api_token - cloudflare_zone_id = local.cloudflare_zone_id - cloudflare_api_key = local.cloudflare_api_key -} - -module "cert_manager" { - source = "../../modules/infra/cert-manager" -} diff --git a/projects/domain/provider.tf b/projects/domain/provider.tf deleted file mode 100644 index 39e6d9c..0000000 --- a/projects/domain/provider.tf +++ /dev/null 
@@ -1,89 +0,0 @@ -terraform { - required_providers { - google = { - source = "hashicorp/google" - version = "4.84.0" - } - - cloudflare = { - source = "cloudflare/cloudflare" - version = "5.0.0-rc1" - } - - acme = { - source = "vancluever/acme" - version = "2.29.0" - } - } - required_version = ">= 0.14" -} - -# cloudflare secrets -provider "google" { - project = var.project_id - region = var.region -} - -data "google_secret_manager_secret_version" "cloudflare_email" { - secret = "cloudflare_email" -} - -data "google_secret_manager_secret_version" "cloudflare_api_token" { - secret = "cloudflare_api_token" -} - -data "google_secret_manager_secret_version" "cloudflare_zone_id" { - secret = "cloudflare_zone_id" -} - -data "google_secret_manager_secret_version" "cloudflare_api_key" { - secret = "cloudflare_api_key" -} - -locals { - cloudflare_email = data.google_secret_manager_secret_version.cloudflare_email.secret_data - cloudflare_api_token = data.google_secret_manager_secret_version.cloudflare_api_token.secret_data - cloudflare_zone_id = data.google_secret_manager_secret_version.cloudflare_zone_id.secret_data - cloudflare_api_key = data.google_secret_manager_secret_version.cloudflare_api_key.secret_data -} - -# gke secrets -data "terraform_remote_state" "gcp" { - backend = "gcs" - - config = { - bucket = "goboolean-450909-terraform-state" - prefix = "gcp" - } -} - -data "google_client_config" "default" {} - -locals { - gke_host = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.host - gke_token = data.google_client_config.default.access_token - gke_cluster_ca_certificate = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.cluster_ca_certificate -} - -# providers -provider "cloudflare" { - api_token = local.cloudflare_api_token -} - -provider "acme" { - server_url = "https://acme-staging-v02.api.letsencrypt.org/directory" -} - -provider "helm" { - kubernetes { - host = local.gke_host - token = local.gke_token - cluster_ca_certificate 
= local.gke_cluster_ca_certificate - } -} - -provider "kubernetes" { - host = local.gke_host - token = local.gke_token - cluster_ca_certificate = local.gke_cluster_ca_certificate -} diff --git a/projects/domain/terraform.tfvars b/projects/domain/terraform.tfvars deleted file mode 100644 index 9005dae..0000000 --- a/projects/domain/terraform.tfvars +++ /dev/null @@ -1,3 +0,0 @@ -# Google Cloud Platform -project_id = "goboolean-450909" -region = "asia-northeast3" diff --git a/projects/k8s/base/istio-system.json b/projects/k8s/base/istio-system.json new file mode 100644 index 0000000..5ad4111 --- /dev/null +++ b/projects/k8s/base/istio-system.json 
@@ -0,0 +1,59 @@ +{ + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2025-02-25T14:20:09Z", + "deletionTimestamp": "2025-02-26T14:04:39Z", + "labels": { + "kubernetes.io/metadata.name": "istio-system" + }, + "name": "istio-system", + "resourceVersion": "1196581", + "uid": "1706b331-1e53-4df8-a4c6-dd0e34262fb6" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "conditions": [ + { + "lastTransitionTime": "2025-02-26T14:04:46Z", + "message": "All resources successfully discovered", + "reason": "ResourcesDiscovered", + "status": "False", + "type": "NamespaceDeletionDiscoveryFailure" + }, + { + "lastTransitionTime": "2025-02-26T14:04:46Z", + "message": "All legacy kube types successfully parsed", + "reason": "ParsedGroupVersions", + "status": "False", + "type": "NamespaceDeletionGroupVersionParsingFailure" + }, + { + "lastTransitionTime": "2025-02-26T14:04:46Z", + "message": "All content successfully deleted, may be waiting on finalization", + "reason": "ContentDeleted", + "status": "False", + "type": "NamespaceDeletionContentFailure" + }, + { + "lastTransitionTime": "2025-02-26T14:04:46Z", + "message": "Some resources are remaining: challenges.acme.cert-manager.io has 1 resource instances", + "reason": "SomeResourcesRemain", + "status": "True", + "type": "NamespaceContentRemaining" + }, + { + "lastTransitionTime": "2025-02-26T14:04:46Z", + "message": "Some content in the namespace has finalizers remaining: finalizer.acme.cert-manager.io in 1 resource instances", + "reason": "SomeFinalizersRemain", + "status": "True", + "type": "NamespaceFinalizersRemaining" + } + ], + "phase": "Terminating" + } +} diff --git a/projects/k8s/base/main.tf b/projects/k8s/base/main.tf new file mode 100644 index 0000000..246c2bd --- /dev/null +++ b/projects/k8s/base/main.tf 
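Review bot: `projects/k8s/base/istio-system.json` is a live-object dump of a namespace in `Terminating` phase, carrying a `resourceVersion`, `uid` and `deletionTimestamp`, and no configuration in this series references it; it reads as a debugging artifact from a namespace stuck on `finalizer.acme.cert-manager.io`. If it is not intended as input, drop it from the commit; if it is, a README line stating what consumes it is needed, and the status block should be stripped.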
@@ -0,0 +1,7 @@
+module "storageclass" {
+ source = "../../../modules/gcp/gke/storageclass"
+}
+
+module "namespace" {
+ source = "../../../modules/gcp/gke/namespace"
+}
diff --git a/projects/k8s/base/provider.tf b/projects/k8s/base/provider.tf
new file mode 100644
index 0000000..bf13abb
--- /dev/null
+++ b/projects/k8s/base/provider.tf
@@ -0,0 +1,41 @@
+terraform {
+ backend "gcs" {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/k8s/base"
+ }
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "6.20.0"
+ }
+ }
+}
+
+data "terraform_remote_state" "gcp" {
+ backend = "gcs"
+
+ config = {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/gcp"
+ }
+}
+
+data "google_client_config" "default" {}
+
+locals {
+ gke_host = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.host
+ gke_token = data.google_client_config.default.access_token
+ gke_cluster_ca_certificate = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.cluster_ca_certificate
+}
+
+provider "kubernetes" {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+}
+
+provider "google" {
+ project = var.project_id
+ region = var.region
+}
diff --git a/projects/domain/variables.tf b/projects/k8s/base/variables.tf
similarity index 100%
rename from projects/domain/variables.tf
rename to projects/k8s/base/variables.tf
diff --git a/projects/k8s/gateway/configs/main.tf b/projects/k8s/gateway/configs/main.tf
new file mode 100644
index 0000000..3de2ef8
--- /dev/null
+++ b/projects/k8s/gateway/configs/main.tf
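Review bot: `provider "kubernetes"` is configured here but `required_providers` declares only `google`, so the kubernetes provider is resolved implicitly with no version constraint; the same pattern appears for `kubernetes` and `helm` in projects/k8s/gateway/configs/providers.tf, projects/k8s/gateway/deployments/providers.tf, projects/k8s/vault/configs/provider.tf and projects/k8s/vault/deployments/provider.tf. Add an entry such as `kubernetes = { source = "hashicorp/kubernetes", version = "<pinned version>" }` (and `helm` where used). The `google` pin also differs across roots (`6.20.0` here and in projects/gcp/core/main.tf, `4.84.0` in the gateway and vault roots); since they all read the same remote state and use the same `google_client_config` pattern, a single pin avoids divergent provider behaviour.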
@@ -0,0 +1,16 @@
+module "dns" {
+ source = "../../../../modules/cloudflare/dns"
+ api_token = local.cloudflare_api_token
+ zone_id = local.cloudflare_zone_id
+ ip_address = local.istio_gateway_ip
+}
+
+module "cert_manager_issuer" {
+ source = "../../../../modules/infra/cert-manager/issuer"
+ cloudflare_api_token = local.cloudflare_api_token
+}
+
+module "istio_gateway" {
+ source = "../../../../modules/infra/istio/gateway"
+}
+
diff --git a/projects/k8s/gateway/configs/providers.tf b/projects/k8s/gateway/configs/providers.tf
new file mode 100644
index 0000000..511bc80
--- /dev/null
+++ b/projects/k8s/gateway/configs/providers.tf
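Review bot: One Cloudflare token (`local.cloudflare_api_token`) is handed to three consumers here — the `dns` module, the `cert_manager_issuer` module (which presumably stores it in a Kubernetes Secret for the issuer) and, in providers.tf, the `cloudflare` provider itself — so a compromise of any one of them exposes whatever scope that token carries. If the token is broader than DNS:Edit on the single zone, split it into per-consumer, zone-scoped tokens so the in-cluster copy held by cert-manager cannot be used against other zones or account settings. A comment noting the expected token scope above `module "dns"` would also help whoever rotates it.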
@@ -0,0 +1,81 @@
+terraform {
+ backend "gcs" {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/k8s/gateway/configs"
+ }
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "4.84.0"
+ }
+
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.14.0"
+ }
+
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = "5.1.0"
+ }
+ }
+}
+
+data "terraform_remote_state" "gateway" {
+ backend = "gcs"
+
+ config = {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/k8s/gateway/deployments"
+ }
+}
+
+data "terraform_remote_state" "core" {
+ backend = "gcs"
+
+ config = {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "450909/gcp/core"
+ }
+}
+
+data "terraform_remote_state" "gcp" {
+ backend = "gcs"
+
+ config = {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/gcp"
+ }
+}
+
+data "google_client_config" "default" {}
+
+locals {
+ istio_gateway_ip = data.terraform_remote_state.gateway.outputs.istio_gateway_ip
+
+ cloudflare_api_token = data.terraform_remote_state.core.outputs.cloudflare_api_token
+ cloudflare_zone_id = data.terraform_remote_state.core.outputs.cloudflare_zone_id
+
+ gke_host = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.host
+ gke_token = data.google_client_config.default.access_token
+ gke_cluster_ca_certificate = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.cluster_ca_certificate
+}
+
+
+provider "kubernetes" {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+}
+
+provider "kubectl" {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+ load_config_file = false
+}
+
+provider "cloudflare" {
+ api_token = local.cloudflare_api_token
+}
diff --git a/projects/k8s/gateway/deployments/main.tf b/projects/k8s/gateway/deployments/main.tf
new file mode 100644
index 0000000..909ace2
--- /dev/null
+++ b/projects/k8s/gateway/deployments/main.tf
@@ -0,0 +1,8 @@
+module "cert_manager" {
+ source = "../../../../modules/infra/cert-manager"
+}
+
+module "istio" {
+ source = "../../../../modules/infra/istio"
+}
+
diff --git a/projects/k8s/gateway/deployments/output.tf b/projects/k8s/gateway/deployments/output.tf
new file mode 100644
index 0000000..5656f72
--- /dev/null
+++ b/projects/k8s/gateway/deployments/output.tf
@@ -0,0 +1,3 @@
+output "istio_gateway_ip" {
+ value = module.istio.istio_gateway_ip
+}
diff --git a/projects/k8s/gateway/deployments/providers.tf b/projects/k8s/gateway/deployments/providers.tf
new file mode 100644
index 0000000..9de6af5
--- /dev/null
+++ b/projects/k8s/gateway/deployments/providers.tf
@@ -0,0 +1,56 @@
+terraform {
+ backend "gcs" {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/k8s/gateway/deployments"
+ }
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "4.84.0"
+ }
+
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.14.0"
+ }
+ }
+}
+
+data "terraform_remote_state" "gcp" {
+ backend = "gcs"
+
+ config = {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/gcp"
+ }
+}
+
+data "google_client_config" "default" {}
+
+locals {
+ gke_host = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.host
+ gke_token = data.google_client_config.default.access_token
+ gke_cluster_ca_certificate = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.cluster_ca_certificate
+}
+
+provider "helm" {
+ kubernetes {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+ }
+}
+
+provider "kubernetes" {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+}
+
+provider "kubectl" {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+ load_config_file = false
+}
diff --git a/projects/k8s/vault/configs/main.tf b/projects/k8s/vault/configs/main.tf
new file mode 100644
index 0000000..2abff5d
--- /dev/null
+++ b/projects/k8s/vault/configs/main.tf
@@ -0,0 +1,16 @@
+terraform {
+ backend "gcs" {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/k8s/vault/configs"
+ }
+}
+
+module "vault_config" {
+ source = "../../../../modules/infra/vault/config"
+ token_reviewer_jwt = local.token_reviewer_jwt
+ kubernetes_host = local.gke_host
+ kubernetes_ca_cert = local.gke_cluster_ca_certificate
+ providers = {
+ vault = vault
+ }
+}
diff --git a/projects/k8s/vault/configs/provider.tf b/projects/k8s/vault/configs/provider.tf
new file mode 100644
index 0000000..3e0cbaf
--- /dev/null
+++ b/projects/k8s/vault/configs/provider.tf
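Review bot: `token_reviewer_jwt = local.token_reviewer_jwt` is sourced from a `kubernetes_secret` data source (see projects/k8s/vault/configs/provider.tf), so the long-lived service-account token is persisted in clear text in this root's state as both a data-source result and a module input. If Vault runs inside the same cluster, which the deployments root installing it suggests, the kubernetes auth method can use the Vault pod's own service-account token for TokenReview and the argument can be omitted, removing the secret from state and the need for `vault-sa-token`; confirm against modules/infra/vault/config. `providers = { vault = vault }` only restates the default provider mapping and can be dropped.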
@@ -0,0 +1,73 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "4.84.0"
+ }
+ vault = {
+ source = "hashicorp/vault"
+ version = "4.6.0"
+ }
+ }
+ required_version = ">= 0.14"
+}
+
+data "terraform_remote_state" "gcp" {
+ backend = "gcs"
+
+ config = {
+ bucket = "goboolean-450909-terraform-state"
+ prefix = "gcp"
+ }
+}
+
+data "google_client_config" "default" {}
+
+locals {
+ gke_host = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.host
+ gke_token = data.google_client_config.default.access_token
+ gke_cluster_ca_certificate = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.cluster_ca_certificate
+}
+
+provider "kubernetes" {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+}
+
+data "kubernetes_secret" "vault_sa_token" {
+ metadata {
+ name = "vault-sa-token"
+ namespace = "vault"
+ }
+}
+
+locals {
+ token_reviewer_jwt = data.kubernetes_secret.vault_sa_token.data["token"]
+ role_id = data.google_secret_manager_secret_version.vault_role_id.secret_data
+ secret_id = data.google_secret_manager_secret_version.vault_secret_id.secret_data
+}
+
+provider "google" {
+ project = var.project_id
+ region = var.region
+}
+
+data "google_secret_manager_secret_version" "vault_role_id" {
+ secret = "vault_role_id"
+}
+
+data "google_secret_manager_secret_version" "vault_secret_id" {
+ secret = "vault_secret_id"
+}
+
+provider "vault" {
+ address = "https://vault.goboolean.io"
+ auth_login {
+ path = "auth/approle/login"
+ parameters = {
+ role_id = local.role_id
+ secret_id = local.secret_id
+ }
+ }
+}
diff --git a/projects/k8s/vault/configs/variables.tf b/projects/k8s/vault/configs/variables.tf
new file mode 100644
index 0000000..c3aa77c
--- /dev/null
+++ b/projects/k8s/vault/configs/variables.tf
@@ -0,0 +1,7 @@
+variable "project_id" {
+ description = "project id"
+}
+
+variable "region" {
+ description = "region"
+}
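Review bot: `data "terraform_remote_state" "gcp"` still points at `bucket = "goboolean-450909-terraform-state"` / `prefix = "gcp"`, the location this same series moves away from in projects/gcp/main.tf, so this root reads a stale or missing state and `local.gke_host` and the CA certificate come out wrong; change the two lines to `bucket = "goboolean-450909-tfstate"` and `prefix = "452007/gcp"` as the other k8s roots do. Separately, the `google_secret_manager_secret_version` results for `vault_role_id`/`vault_secret_id` and the `kubernetes_secret` token are persisted in this root's state, so the state bucket ACL effectively gates Vault AppRole login; that is expected for this pattern but worth a comment above the second `locals` block.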
diff --git a/projects/k8s/vault/deployments/main.tf b/projects/k8s/vault/deployments/main.tf
new file mode 100644
index 0000000..a0ccf99
--- /dev/null
+++ b/projects/k8s/vault/deployments/main.tf
@@ -0,0 +1,14 @@
+terraform {
+ backend "gcs" {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/k8s/vault/deployments"
+ }
+}
+
+module "vault" {
+ source = "../../../../modules/infra/vault"
+ project_id = var.project_id
+ region = var.region
+ key_ring_name = local.vault_kms_keyring_name
+ crypto_key_name = local.vault_kms_crypto_key_name
+}
diff --git a/projects/k8s/vault/deployments/provider.tf b/projects/k8s/vault/deployments/provider.tf
new file mode 100644
index 0000000..639997f
--- /dev/null
+++ b/projects/k8s/vault/deployments/provider.tf
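Review bot: `module "vault"` receives `project_id = var.project_id` together with `key_ring_name`/`crypto_key_name` taken from the core state, but the committed core state places `vault-keyring` in project `goboolean-450909`, while this root's `452007/...` backend prefix suggests `var.project_id` names the other project; if the module builds the KMS key path from `project_id`, auto-unseal points at a key that does not exist there. Either pass the owning project explicitly (a separate module input such as `kms_project_id`, if the module has one) or have core output the full key ring id instead of bare names. This is inferred from the state file in the series; confirm against modules/infra/vault.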
@@ -0,0 +1,64 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "4.84.0"
+ }
+
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.14.0"
+ }
+ }
+ required_version = ">= 0.14"
+}
+
+provider "helm" {
+ kubernetes {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+ }
+}
+
+data "terraform_remote_state" "core" {
+ backend = "gcs"
+
+ config = {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "450909/gcp/core"
+ }
+}
+
+data "terraform_remote_state" "gcp" {
+ backend = "gcs"
+
+ config = {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/gcp"
+ }
+}
+
+data "google_client_config" "default" {}
+
+locals {
+ vault_kms_keyring_name = data.terraform_remote_state.core.outputs.vault_kms_keyring_name
+ vault_kms_crypto_key_name = data.terraform_remote_state.core.outputs.vault_kms_crypto_key_name
+
+ gke_host = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.host
+ gke_token = data.google_client_config.default.access_token
+ gke_cluster_ca_certificate = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.cluster_ca_certificate
+}
+
+provider "kubectl" {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+ load_config_file = false
+}
+
+provider "kubernetes" {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+}
diff --git a/projects/k8s/vault/deployments/variables.tf b/projects/k8s/vault/deployments/variables.tf
new file mode 100644
index 0000000..c3aa77c
--- /dev/null
+++ b/projects/k8s/vault/deployments/variables.tf
@@ -0,0 +1,7 @@
+variable "project_id" {
+ description = "project id"
+}
+
+variable "region" {
+ description = "region"
+}
diff --git a/projects/k8s/vault/main.tf b/projects/k8s/vault/main.tf
new file mode 100644
index 0000000..f034d44
--- /dev/null
+++ b/projects/k8s/vault/main.tf
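Review bot: `provider "helm"` and `provider "kubernetes"` are configured in this file but only `google` and `kubectl` appear in `required_providers`, so the helm and kubernetes providers resolve to whatever `terraform init` finds in the registry unless a committed lock file pins them. The community `gavinbunney/kubectl` provider is also left open-ended with `version = ">= 1.14.0"`, which allows a future major release to be pulled in without review; constrain it the way `google` is constrained, e.g. `version = "~> 1.14"`, and add `helm` and `kubernetes` entries with explicit constraints. Committing `.terraform.lock.hcl` next to this would make the selected versions and hashes reviewable in later diffs.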
@@ -0,0 +1,16 @@
+terraform {
+ backend "gcs" {
+ bucket = "goboolean-450909-tfstate"
+ prefix = "452007/core/config"
+ }
+}
+
+module "vault_config" {
+ source = "../../../modules/infra/vault/config"
+ token_reviewer_jwt = local.token_reviewer_jwt
+ kubernetes_host = local.gke_host
+ kubernetes_ca_cert = local.gke_cluster_ca_certificate
+ providers = {
+ vault = vault
+ }
+}
diff --git a/projects/k8s/vault/provider.tf b/projects/k8s/vault/provider.tf
new file mode 100644
index 0000000..121da01
--- /dev/null
+++ b/projects/k8s/vault/provider.tf
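Review bot: The backend prefix `452007/core/config` does not follow the path-derived naming the sibling root uses (`452007/k8s/vault/deployments` for projects/k8s/vault/deployments) and reads as if it belonged to a core configuration rather than to projects/k8s/vault; if another root module is ever given the same prefix the two will silently share one state object. Consider `prefix = "452007/k8s/vault"` or a comment explaining why this state is stored under `core/config`. The `local.token_reviewer_jwt`, `local.gke_host` and `local.gke_cluster_ca_certificate` inputs passed to `module "vault_config"` are defined in the provider.tf hunk that follows this one.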
@@ -0,0 +1,71 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "4.84.0"
+ }
+ vault = {
+ source = "hashicorp/vault"
+ version = "4.6.0"
+ }
+ }
+ required_version = ">= 0.14"
+}
+
+data "terraform_remote_state" "gcp" {
+ backend = "gcs"
+
+ config = {
+ bucket = "goboolean-450909-terraform-state"
+ prefix = "gcp"
+ }
+}
+
+data "google_client_config" "default" {}
+
+locals {
+ gke_host = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.host
+ gke_token = data.google_client_config.default.access_token
+ gke_cluster_ca_certificate = data.terraform_remote_state.gcp.outputs.kubernetes_provider_config.cluster_ca_certificate
+}
+
+provider "kubernetes" {
+ host = local.gke_host
+ token = local.gke_token
+ cluster_ca_certificate = local.gke_cluster_ca_certificate
+}
+
+data "kubernetes_secret" "vault_sa_token" {
+ metadata {
+ name = "vault-sa-token"
+ namespace = "vault"
+ }
+}
+
+locals {
+ token_reviewer_jwt = data.kubernetes_secret.vault_sa_token.data["token"]
+}
+
+provider "google" {
+ project = var.project_id
+ region = var.region
+}
+
+data "google_secret_manager_secret_version" "vault_role_id" {
+ secret = "vault_role_id"
+}
+
+data "google_secret_manager_secret_version" "vault_secret_id" {
+ secret = "vault_secret_id"
+}
+
+provider "vault" {
+ address = "https://vault.goboolean.io"
+ auth_login {
+ path = "auth/approle/login"
+ parameters = {
+ role_id = data.google_secret_manager_secret_version.vault_role_id.secret_data
+ secret_id = data.google_secret_manager_secret_version.vault_secret_id.secret_data
+ }
+ }
+}
diff --git a/projects/k8s/vault/variables.tf b/projects/k8s/vault/variables.tf
new file mode 100644
index 0000000..c3aa77c
--- /dev/null
+++ b/projects/k8s/vault/variables.tf
@@ -0,0 +1,7 @@
+variable "project_id" {
+ description = "project id"
+}
+
+variable "region" {
+ description = "region"
+}
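Review bot: `required_providers` here declares `google` and `vault` but not `kubernetes`, even though `provider "kubernetes"` and `data "kubernetes_secret" "vault_sa_token"` depend on it, so that provider is selected unconstrained at `terraform init` time; add a `kubernetes = { source = "hashicorp/kubernetes", version = "<constraint>" }` entry next to the other two, and the same is missing from the 73-line provider hunk earlier in this chunk. This file otherwise duplicates that earlier hunk almost line for line — same remote-state read, same `vault-sa-token` lookup, same AppRole login — so the token-reviewer JWT and the AppRole credentials now land in two separate state objects, and every correction (the `goboolean-450909-terraform-state` bucket reference, provider pinning) has to be made twice. If both root modules are meant to stay, the shared provider wiring is a candidate for a small module; if not, one copy should go.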