Merge pull request #2 from mojaloop/add-k8s-netmaker-network

add functionality to support tenancy vault

mojaloop/iac/playbooks/argok3s_cluster_deploy.yaml

@@ -3,6 +3,7 @@
   roles:
     - mojaloop.iac.bastion_common
     - mojaloop.iac.netclient
+    - mojaloop.iac.haproxy
 
 - hosts: master
   become: true

mojaloop/iac/playbooks/control_center_netmaker_deploy.yaml → mojaloop/iac/playbooks/control_center_post_deploy.yaml

@@ -7,4 +7,9 @@
 - hosts: bastion
   become: true
   roles:
-    - mojaloop.iac.netclient
+    - mojaloop.iac.netclient
+
+- hosts: docker
+  become: true
+  roles:
+    - mojaloop.iac.vault

mojaloop/iac/roles/argocd/defaults/main.yaml

@@ -3,7 +3,11 @@ argocd_lovely_plugin_version: "0.18.0"
 repo_url: "https://localhost/repo.git"
 repo_password: mypassword
 repo_username: user
-external_secrets_version: "0.8.2"
+external_secrets_version: "0.9.0"
 external_secrets_namespace: "external-secrets"
+tenant_vault_token: token
+tenant_vault_server_url: "https://tenantvault"
 kubeconfig_location: "/etc/rancher/k3s/k3s.yaml"
-root_app_path: "infra/app-yamls"
+root_app_path: "infra/app-yamls"
+netmaker_image_version: "0.18.7"
+wireguard_node_port: "31821"

mojaloop/iac/roles/argocd/tasks/main.yaml

@@ -16,7 +16,7 @@
     src: "templates/{{ item }}.yaml.j2"
     dest: "{{ extsectmpvalues.path }}/{{ item }}.yaml"
   with_items:
-    - external-secretstore-gitlab
+    - external-secretstore
 
 - name: Upload argo bootstrap files
   template: 
@@ -40,7 +40,7 @@
     helm --kubeconfig {{ kubeconfig_location }} upgrade --install external-secrets external-secrets/external-secrets --version {{ external_secrets_version }} -n {{ external_secrets_namespace }} --create-namespace --set installCRDs=true
 
 - name: Try clustersecretstore create until successful
-  shell: kubectl --kubeconfig {{ kubeconfig_location }} apply -n {{ external_secrets_namespace }} -f {{ extsectmpvalues.path }}/external-secretstore-gitlab.yaml
+  shell: kubectl --kubeconfig {{ kubeconfig_location }} apply -n {{ external_secrets_namespace }} -f {{ extsectmpvalues.path }}/external-secretstore.yaml
   register: clustersecretstore
   until: clustersecretstore is not failed
   retries: 12

mojaloop/iac/roles/argocd/templates/external-secretstore.yaml.j2

@@ -0,0 +1,63 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitlab-secret
+  namespace: {{ external_secrets_namespace }}
+  labels: 
+    type: gitlab
+type: Opaque 
+stringData:
+  token: "{{ repo_password }}"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-secret
+  namespace: {{ external_secrets_namespace }}
+  labels: 
+    type: vault
+type: Opaque 
+stringData:
+  token: "{{ tenant_vault_token }}"
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: gitlab-secret-store
+spec:
+  provider:
+    # provider type: gitlab
+    gitlab:
+      url: {{ gitlab_server_url }}
+      auth:
+        SecretRef:
+          accessToken:
+            name: gitlab-secret
+            namespace: {{ external_secrets_namespace }}
+            key: token
+      projectID: "{{ gitlab_project_id }}"
+      inheritFromGroups: true
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: tenant-vault-secret-store
+spec:
+  provider:
+    vault:
+      server: {{ tenant_vault_server_url }}
+      path: "secret"
+      # Version is the Vault KV secret engine version.
+      # This can be either "v1" or "v2", defaults to "v2"
+      version: "v2"
+      auth:
+        # points to a secret that contains a vault token
+        # https://www.vaultproject.io/docs/auth/token
+        tokenSecretRef:
+          name: vault-secret
+          namespace: {{ external_secrets_namespace }}
+          key: token

mojaloop/iac/roles/argocd/templates/netclient.yaml.j2

@@ -1,33 +1,24 @@
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: netclient
+  name: netclient-gateway
   labels:
-    app: netclient
+    app: netclient-gateway
 spec:
   selector:
     matchLabels:
-      app: netclient
+      app: netclient-gateway
   template:
     metadata:
       labels:
-        app: netclient
+        app: netclient-gateway
     spec:
       hostNetwork: true
       containers:
       - name: netclient
-        image: gravitl/netclient:v0.18.7
+        image: gravitl/netclient:v{{ netmaker_image_version }}
         env:
-        - name: NETCLIENT_ROAMING
-          value: "no"
-        - name: NETCLIENT_PORT
-          value: "51821"
-        - name: NETCLIENT_IS_STATIC
-          value: "yes"
-        - name: NETCLIENT_ENDPOINT
-          valueFrom:
-            fieldRef:
-              fieldPath: status.hostIP
         - name: TOKEN
           valueFrom:
             secretKeyRef:
@@ -36,19 +27,13 @@ spec:
         volumeMounts:
         - mountPath: /etc/netclient
           name: etc-netclient
-        - mountPath: /usr/bin/wg
-          name: wg
         securityContext:
           privileged: true
       volumes:
       - hostPath:
           path: /etc/netclient
           type: DirectoryOrCreate
         name: etc-netclient
-      - hostPath:
-          path: /usr/bin/wg
-          type: File
-        name: wg
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
@@ -68,4 +53,4 @@ spec:
   data:
     - secretKey: TOKEN # Key given to the secret to be created on the cluster
       remoteRef: 
-        key: NETMAKER_TOKEN
+        key: NETMAKER_OPS_TOKEN

mojaloop/iac/roles/haproxy/defaults/main.yaml

@@ -0,0 +1,8 @@
+haproxy_version: 2.8
+seaweedfs_s3_listening_port: 8333
+nexus_docker_repo_listening_port: 8082
+local_vault_listening_port: 8200
+vault_listening_port: 443
+nexus_fqdn: private_ip
+seaweedfs_fqdn: private_ip
+vault_fqdn: private_ip

mojaloop/iac/roles/haproxy/handlers/main.yaml

@@ -0,0 +1,5 @@
+- name: "restart haproxy"
+  systemd:
+    name: "haproxy"
+    state: restarted
+    force: true

mojaloop/iac/roles/haproxy/tasks/install.yaml

@@ -0,0 +1,38 @@
+- name: Install software-properties-common
+  package:
+    name:
+      - software-properties-common
+    state: present
+
+- name: Update apt cache
+  shell: apt update
+
+- apt_repository:
+    repo: "ppa:vbernat/haproxy-{{ haproxy_version }}"
+    state: present
+
+- name: Update apt cache
+  shell: apt update
+
+- name: Install haproxy
+  package:
+    name:
+      - haproxy
+    state: present
+
+- name: copy haproxy conf
+  template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/haproxy.cfg
+    owner: root
+    group: root
+    mode: '0640'
+  notify: restart haproxy
+
+- name: "set haproxy to auto restart"
+  systemd:
+    enabled: true
+    daemon_reload: true
+    name: "haproxy"
+    state: started
+    force: true

mojaloop/iac/roles/haproxy/tasks/main.yaml

@@ -0,0 +1 @@
+- include_tasks: install.yaml

mojaloop/iac/roles/haproxy/templates/haproxy.cfg.j2

@@ -0,0 +1,26 @@
+defaults
+  timeout connect 5000
+  timeout client 50000
+  timeout server 50000
+frontend seaweed
+  bind :{{ seaweedfs_s3_listening_port }}
+  default_backend seaweed
+
+frontend nexus
+  bind :{{ nexus_docker_repo_listening_port }}
+  default_backend nexus
+
+frontend vault
+  mode tcp
+  bind :{{ local_vault_listening_port }}
+  default_backend vault
+
+backend seaweed
+  server seaweed {{ seaweedfs_fqdn }}:{{ seaweedfs_s3_listening_port }}
+
+backend nexus
+  server nexus {{ nexus_fqdn }}:{{ nexus_docker_repo_listening_port }}
+
+backend vault
+  mode tcp
+  server vault {{ vault_fqdn }}:{{ vault_listening_port }} ssl verify none

mojaloop/iac/roles/netclient/defaults/main.yaml

@@ -1,5 +1,5 @@
 netmaker_root_dir: /root/netmaker-compose
 netmaker_image_version: 0.18.7
-netclient_enrollment_key: cntrlctr-bastion
-netmaker_join_token: null
-enrollment_key_list_file_location: /tmp/keylist.json
+netclient_enrollment_keys: ["cntrlctr-ops"]
+netmaker_join_tokens: []
+netmaker_enrollment_key_list_file_location: /tmp/keylist.json

mojaloop/iac/roles/netclient/tasks/install.yaml

@@ -22,13 +22,15 @@
 
 - name: set token from local file
   vars:
-    query: "[?tags[0]=='{{ netclient_enrollment_key }}'].token"
+    query: "[?tags[0]=='{{ item }}'].token"
   set_fact:
-    netmaker_join_token: "{{ lookup('file', enrollment_key_list_file_location) | from_json | json_query(query) | first }}"
-  when: "netmaker_join_token is none"
+    netmaker_join_tokens: "{{ netmaker_join_tokens + [lookup('file', netmaker_enrollment_key_list_file_location) | from_json | json_query(query) | first] }}"
+  when: "not netmaker_join_tokens"
+  loop: "{{ netclient_enrollment_keys }}"
 
 - name: join netmaker network
-  command: "netclient join -t {{ netmaker_join_token }}"
+  command: "netclient join -t {{ item }}"
+  loop: "{{ netmaker_join_tokens }}"
 
 - name: iptable accept on forward
   iptables:

mojaloop/iac/roles/netmaker/defaults/main.yaml

@@ -6,13 +6,19 @@ netmaker_caddy_image_version: 2.6.2
 netmaker_acme_email: cicd.automation@modusbox.com
 netmaker_mq_pw: crazypassword
 netmaker_master_key: crazypassword
-netmaker_control_network_name: cntrlctr
 netmaker_admin_password: crazypassword
 netmaker_admin_username: nmaker-admin
-netmaker_control_network_address_range: 10.20.30.0/24
 enable_oauth: false
 netmaker_oidc_issuer: https://gitlab.com
 netmaker_oidc_client_id: clientid
 netmaker_oidc_client_secret: crazysecret
-enrollment_key_list: ["bastion"]
-enrollment_key_list_file_location: /tmp/keylist.json
+netmaker_enrollment_key_list_file_location: /tmp/keylist.json
+netmaker_control_network_address_cidr_start: 10.20.30.0/24
+netmaker_networks:
+  - network_name: cntrlctr
+    node_keys: 
+      - ops
+  - network_name: dev
+    node_keys:
+      - k8s
+      - cc-svcs