roleypoly/v3
1
0
Fork 0
mirror of https://github.com/roleypoly/roleypoly.git synced 2025-06-14 16:49:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

initial port to cfworkers i guess

Browse source
This commit is contained in:
41666 2020-12-03 00:32:07 -05:00
parent ab9fe30b42
commit 9eeb946389
37 changed files with 367 additions and 1098 deletions
Download patch file Download diff file Expand all files Collapse all files

56
terraform/app/discord.tf
View file

@ -1,56 +0,0 @@
locals {
discord_labels = {
"app.kubernetes.io/name" = "discord"
"app.kubernetes.io/part-of" = "roleypoly"
"roleypoly/environment" = var.environment_tag
}
}
resource "kubernetes_deployment" "discord" {
metadata {
name = "discord"
namespace = local.ns
labels = local.discord_labels
}
spec {
replicas = 1
selector {
match_labels = local.discord_labels
}
template {
metadata {
labels = local.discord_labels
}
spec {
container {
image = "roleypoly/discord:${local.tags.discord}"
name = "discord"
liveness_probe {
http_get {
path = "/"
port = 16777
}
initial_delay_seconds = 3
period_seconds = 3
}
readiness_probe {
http_get {
path = "/"
port = 16777
}
initial_delay_seconds = 3
period_seconds = 3
}
}
}
}
}
}

26
terraform/app/provision.tf
View file

@ -1,26 +0,0 @@
terraform {
required_version = ">=0.12.6"
backend "remote" {
organization = "Roleypoly"
workspaces {
prefix = "roleypoly-app-"
}
}
}
variable "k8s_endpoint" { type = string }
variable "k8s_token" { type = string }
variable "k8s_cert" { type = string }
variable "k8s_namespace" { type = string }
provider "kubernetes" {
load_config_file = false
token = var.k8s_token
host = var.k8s_endpoint
cluster_ca_certificate = var.k8s_cert
}
locals {
ns = var.k8s_namespace
}

6
terraform/app/tags.auto.tfvars.json
View file

@ -1,6 +0,0 @@
{
"deployment_env": {
"production": {},
"staging": {}
}
}

12
terraform/app/variables.tf
View file

@ -1,12 +0,0 @@
variable "deployment_env" {
type = map(map(string))
}
variable "environment_tag" {
type = string
description = "One of: production, staging, test"
}
locals {
tags = var.deployment_env[var.environment_tag]
}

20
terraform/functions/.terraform.lock.hcl generated
View file

@ -1,20 +0,0 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/google" {
version = "3.49.0"
constraints = ">= 3.49.0"
hashes = [
"h1:MgihBNqO052m2jthWBu00wWYkz+eNrETwLqBfWmvMMY=",
"zh:00ea68b3a3b6e11ea469f47ee949c7f8f5751f935a3366152f9d3c6660c27e9b",
"zh:1ef3efc2e81fa31ceb04e39ae25acd0f061629f104827e127bdb4345e95f37d0",
"zh:6bf00943baa776adef0bbc914886359cf95c505b0494f3936cedac5cd1e01a00",
"zh:7d2cce5a9be476d8eee67435d854d094f82b5814a0e34964d10f28c1e88a2c8f",
"zh:841d074e3fb06f0df7c930bc0c4a9733ce0c5f1a19d6af98632a7931d2ca6a59",
"zh:8920ccd27c8904fcf5d701d71baee4f64d9d6f1383e66c4673909d9c53895057",
"zh:91d4479d2d461ad582d127d47aa7094bd74a1278cc8d78ad36a1c4f31301f4f0",
"zh:a97c19cdb42b5f7e4e297183d60eaa45843ee7b0adde1120e47026c4cae456c1",
"zh:cbd862cc4d21866bb832e3e7fe4e6ed959f5e5363bcf3d74e476b42fec716efe",
"zh:ec3c63ba6db74b353fafff6aedbb30e3eb1a4e5c856b4920c7ffa10d7081cbbd",
]
}

23
terraform/functions/cloud-function.tf
View file

@ -1,23 +0,0 @@
resource "google_cloudfunctions_function" "function" {
name = "roleypoly-test-hello-world"
description = "Roleypoly FaaS: /hello-world"
runtime = "go113"
available_memory_mb = 128
source_repository {
url = "https://source.cloud.google.com/projects/roleypoly/repos/github_roleypoly_roleypoly/moveable-alias/gcf/paths/src/functions/hello-world"
}
trigger_http = true
entry_point = "helloGET"
}
# IAM entry for all users to invoke the function
resource "google_cloudfunctions_function_iam_member" "invoker" {
project = google_cloudfunctions_function.function.project
region = google_cloudfunctions_function.function.region
cloud_function = google_cloudfunctions_function.function.name
role = "roles/cloudfunctions.invoker"
member = "allUsers"
}

26
terraform/functions/provision.tf
View file

@ -1,26 +0,0 @@
terraform {
required_version = ">=0.14"
required_providers {
google = {
source = "hashicorp/google"
version = ">=3.49.0"
}
}
}
/*
Google Cloud
*/
# variable "gcs_token" { type = string }
# variable "gcs_region" { type = string }
# variable "gcs_project" { type = string }
provider "google" {
# project = var.gcs_project
# region = var.gcs_region
# credentials = var.gcs_token
scopes = [
"https://www.googleapis.com/auth/devstorage.full_control",
"https://www.googleapis.com/auth/cloud-platform",
]
}

66
terraform/modules/cloudflare-cluster-dns/main.tf
View file

@ -1,66 +0,0 @@
# Primary cluster hostname
resource "cloudflare_record" "cluster" {
zone_id = var.cloudflare-zone-id
name = var.record-name
value = var.ingress-endpoint
type = "A"
proxied = true
}
# PRD & STG records for direct FQDN usage
# Long term, these will also be CNAME'd to
# - prd == roleypoly.com
# - stg == beta.roleypoly.com
resource "cloudflare_record" "prd" {
zone_id = var.cloudflare-zone-id
name = "prd.${var.record-name}"
value = cloudflare_record.cluster.hostname
type = "CNAME"
proxied = true
}
resource "cloudflare_record" "stg" {
zone_id = var.cloudflare-zone-id
name = "stg.${var.record-name}"
value = cloudflare_record.cluster.hostname
type = "CNAME"
proxied = true
}
# Origin CA Cert
resource "tls_private_key" "origin-ca-key" {
algorithm = "ECDSA"
}
resource "tls_cert_request" "origin-ca-csr" {
key_algorithm = tls_private_key.origin-ca-key.algorithm
private_key_pem = tls_private_key.origin-ca-key.private_key_pem
subject {
common_name = "roleypoly.com"
organization = "Roleypoly"
}
}
resource "cloudflare_origin_ca_certificate" "origin-ca-cert" {
csr = tls_cert_request.origin-ca-csr.cert_request_pem
hostnames = [
cloudflare_record.cluster.hostname,
cloudflare_record.prd.hostname,
cloudflare_record.stg.hostname
]
request_type = "origin-ecc"
requested_validity = 1095 # 3 years
}
resource "kubernetes_secret" "cloudflare-origin" {
type = "kubernetes.io/tls"
metadata {
name = "cloudflare-origin"
namespace = "default"
}
data = {
"tls.crt" = base64encode(cloudflare_origin_ca_certificate.origin-ca-cert.certificate),
"tls.key" = base64encode(tls_private_key.origin-ca-key.private_key_pem)
}
}

19
terraform/modules/cloudflare-cluster-dns/variables.tf
View file

@ -1,19 +0,0 @@
variable "ingress-name" {
type = string
}
variable "ingress-namespace" {
type = string
}
variable "ingress-endpoint" {
type = string
}
variable "cloudflare-zone-id" {
type = string
}
variable "record-name" {
type = string
}

4
terraform/modules/cloudflare-cluster-dns/version.tf
View file

@ -1,4 +0,0 @@
terraform {
required_version = ">=0.12"
}

56
terraform/modules/cluster-environment/main.tf
View file

@ -1,56 +0,0 @@
locals {
ns = "${var.app_name}-${var.environment_tag}"
labels = {
"app.kubernetes.io/name" = var.app_name
"app.kubernetes.io/part-of" = var.app_name
"roleypoly/environment" = var.environment_tag
}
}
resource "kubernetes_namespace" "ns" {
metadata {
name = local.ns
labels = local.labels
}
}
resource "kubernetes_service_account" "sa" {
metadata {
name = "${local.ns}-sa-tf"
namespace = local.ns
labels = local.labels
}
}
resource "kubernetes_secret" "sa-key" {
metadata {
name = "${local.ns}-sa-tf-key"
namespace = local.ns
labels = local.labels
annotations = {
"kubernetes.io/service-account.name" = kubernetes_service_account.sa.metadata.0.name
}
}
type = "kubernetes.io/service-account-token"
}
resource "kubernetes_role_binding" "sa-admin-rb" {
metadata {
name = "${local.ns}-sa-admin-binding"
namespace = local.ns
labels = local.labels
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.sa.metadata.0.name
namespace = local.ns
}
role_ref {
kind = "ClusterRole"
name = "admin"
api_group = "rbac.authorization.k8s.io"
}
}

7
terraform/modules/cluster-environment/output.tf
View file

@ -1,7 +0,0 @@
output "service_account_token" {
value = lookup(kubernetes_secret.sa-key, "data.token", "")
}
output "namespace" {
value = local.ns
}

9
terraform/modules/cluster-environment/variables.tf
View file

@ -1,9 +0,0 @@
variable "environment_tag" {
type = string
default = "main"
}
variable "app_name" {
type = string
}

331
terraform/modules/nginx-ingress-controller/main.tf
View file

@ -1,331 +0,0 @@
locals {
ns = kubernetes_namespace.ns.metadata.0.name
labels = {
"app.kubernetes.io/name" = "ingress-nginx"
"app.kubernetes.io/part-of" = "ingress-nginx"
}
}
resource "kubernetes_namespace" "ns" {
metadata {
name = "ingress-nginx"
labels = local.labels
}
}
resource "kubernetes_config_map" "cm-nginx" {
metadata {
name = "nginx-configuration"
namespace = local.ns
labels = local.labels
}
}
resource "kubernetes_config_map" "cm-tcp" {
metadata {
name = "tcp-services"
namespace = local.ns
labels = local.labels
}
}
resource "kubernetes_config_map" "cm-udp" {
metadata {
name = "udp-services"
namespace = local.ns
labels = local.labels
}
}
resource "kubernetes_service_account" "sa" {
metadata {
name = "nginx-ingress-serviceaccount"
namespace = local.ns
labels = local.labels
}
}
resource "kubernetes_cluster_role" "cr" {
metadata {
name = "nginx-ingress-clusterrole"
labels = local.labels
}
rule {
api_groups = [""]
resources = ["configmaps", "endpoints", "nodes", "pods", "secrets"]
verbs = ["list", "watch"]
}
rule {
api_groups = [""]
resources = ["nodes"]
verbs = ["get"]
}
rule {
api_groups = [""]
resources = ["services"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = [""]
resources = ["events"]
verbs = ["create", "patch"]
}
rule {
api_groups = ["extensions", "networking.k8s.io"]
resources = ["ingresses"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = ["extensions", "networking.k8s.io"]
resources = ["ingresses/status"]
verbs = ["update"]
}
}
resource "kubernetes_role" "role" {
metadata {
name = "nginx-ingress-role"
namespace = local.ns
labels = local.labels
}
rule {
api_groups = [""]
resources = ["configmaps", "pods", "secrets", "namespaces"]
verbs = ["get"]
}
rule {
api_groups = [""]
resources = ["configmaps"]
resource_names = ["ingress-controller-leader-nginx"]
verbs = ["get", "update"]
}
rule {
api_groups = [""]
resources = ["configmaps"]
verbs = ["create"]
}
rule {
api_groups = [""]
resources = ["endpoints"]
verbs = ["get"]
}
}
resource "kubernetes_role_binding" "rb" {
metadata {
name = "nginx-ingress-role-nisa-binding"
namespace = local.ns
labels = local.labels
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "Role"
name = kubernetes_role.role.metadata.0.name
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.sa.metadata.0.name
namespace = local.ns
}
}
resource "kubernetes_cluster_role_binding" "crb" {
metadata {
name = "nginx-ingress-clusterrole-nisa-binding"
labels = local.labels
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = kubernetes_cluster_role.cr.metadata.0.name
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.sa.metadata.0.name
namespace = local.ns
}
}
resource "kubernetes_deployment" "deployment" {
metadata {
name = "nginx-ingress-controller"
namespace = local.ns
labels = local.labels
}
spec {
replicas = 3
selector {
match_labels = local.labels
}
template {
metadata {
labels = local.labels
annotations = {
"prometheus.io/port" = "10254"
"prometheus.io/scrape" = "true"
}
}
spec {
automount_service_account_token = true
termination_grace_period_seconds = 300
service_account_name = kubernetes_service_account.sa.metadata.0.name
node_selector = {
"kubernetes.io/os" = "linux"
node_type = "static"
}
container {
name = "nginx-ingress-controller"
image = "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:${var.nginx-ingress-version}"
args = [
"/nginx-ingress-controller",
"--configmap=${local.ns}/${kubernetes_config_map.cm-nginx.metadata.0.name}",
"--tcp-services-configmap=${local.ns}/${kubernetes_config_map.cm-tcp.metadata.0.name}",
"--udp-services-configmap=${local.ns}/${kubernetes_config_map.cm-udp.metadata.0.name}",
"--publish-service=${local.ns}/ingress-nginx",
"--annotations-prefix=nginx.ingress.kubernetes.io",
]
security_context {
allow_privilege_escalation = true
capabilities {
drop = ["ALL"]
add = ["NET_BIND_SERVICE"]
}
run_as_user = 101
}
env {
name = "POD_NAME"
value_from {
field_ref {
field_path = "metadata.name"
}
}
}
env {
name = "POD_NAMESPACE"
value_from {
field_ref {
field_path = "metadata.namespace"
}
}
}
port {
name = "http"
container_port = 80
protocol = "TCP"
}
port {
name = "https"
container_port = 443
protocol = "TCP"
}
liveness_probe {
http_get {
path = "/healthz"
port = 10254
scheme = "HTTP"
}
failure_threshold = 3
initial_delay_seconds = 10
period_seconds = 10
success_threshold = 1
timeout_seconds = 10
}
readiness_probe {
http_get {
path = "/healthz"
port = 10254
scheme = "HTTP"
}
failure_threshold = 3
initial_delay_seconds = 10
period_seconds = 10
success_threshold = 1
timeout_seconds = 10
}
lifecycle {
pre_stop {
exec {
command = ["/wait-shutdown"]
}
}
}
}
}
}
}
}
resource "kubernetes_limit_range" "lr" {
metadata {
name = "ingress-nginx"
namespace = local.ns
labels = local.labels
}
spec {
limit {
min = {
memory = "90Mi"
cpu = "100m"
}
type = "Container"
}
}
}
# Specific service related to Google Cloud
resource "kubernetes_service" "svc" {
metadata {
name = "ingress-nginx"
namespace = local.ns
labels = local.labels
}
spec {
external_traffic_policy = "Local"
type = "LoadBalancer"
selector = local.labels
port {
name = "http"
port = 80
protocol = "TCP"
target_port = "http"
}
port {
name = "https"
port = 443
protocol = "TCP"
target_port = "https"
}
}
lifecycle {
ignore_changes = [
// We add no annotations, but DO adds some.
metadata[0].annotations,
]
}
}

11
terraform/modules/nginx-ingress-controller/outputs.tf
View file

@ -1,11 +0,0 @@
output "service-name" {
value = kubernetes_service.svc.metadata.0.name
}
output "service-namespace" {
value = kubernetes_service.svc.metadata.0.namespace
}
output "service-endpoint" {
value = kubernetes_service.svc.load_balancer_ingress.0.ip
}

4
terraform/modules/nginx-ingress-controller/variables.tf
View file

@ -1,4 +0,0 @@
variable "nginx-ingress-version" {
type = string
default = "0.30.0"
}

3
terraform/modules/nginx-ingress-controller/version.tf
View file

@ -1,3 +0,0 @@
terraform {
required_version = ">=0.12"
}

57
terraform/modules/tfc-workspace/main.tf
View file

@ -1,57 +0,0 @@
locals {
dependentModulesPathed = formatlist("terraform/modules/%s", var.dependent_modules)
variableDescription = "Terraform-owned variable"
}
resource "tfe_workspace" "ws" {
name = var.workspace-name
organization = var.tfc_org
auto_apply = var.auto_apply
trigger_prefixes = concat([var.directory], local.dependentModulesPathed)
working_directory = var.directory
vcs_repo {
identifier = var.repo
branch = var.branch
oauth_token_id = var.tfc_oauth_token_id
}
}
resource "tfe_notification_configuration" "webhook" {
name = "${var.workspace-name}-webhook"
enabled = true
destination_type = "slack"
triggers = ["run:created", "run:planning", "run:needs_attention", "run:applying", "run:completed", "run:errored"]
url = var.tfc_webhook_url
workspace_id = tfe_workspace.ws.id
}
resource "tfe_variable" "vars" {
for_each = var.vars
key = each.key
value = each.value
category = "terraform"
workspace_id = tfe_workspace.ws.id
sensitive = false
}
resource "tfe_variable" "sensitive" {
for_each = var.secret-vars
key = each.key
value = each.value
category = "terraform"
workspace_id = tfe_workspace.ws.id
sensitive = true
}
resource "tfe_variable" "env" {
for_each = var.env-vars
key = each.key
value = each.value
category = "env"
workspace_id = tfe_workspace.ws.id
sensitive = true
}

3
terraform/modules/tfc-workspace/outputs.tf
View file

@ -1,3 +0,0 @@
output "workspace" {
value = tfe_workspace.ws[*]
}

54
terraform/modules/tfc-workspace/variables.tf
View file

@ -1,54 +0,0 @@
variable "workspace-name" {
type = string
}
variable "secret-vars" {
type = map(string)
default = {}
}
variable "vars" {
type = map(string)
default = {}
}
variable "env-vars" {
type = map(string)
default = {}
}
variable "repo" {
type = string
}
variable "directory" {
type = string
default = "/"
}
variable "branch" {
type = string
default = "master"
}
variable "auto_apply" {
type = bool
default = false
}
variable "dependent_modules" {
type = list(string)
default = []
}
variable "tfc_oauth_token_id" {
type = string
}
variable "tfc_org" {
type = string
}
variable "tfc_webhook_url" {
type = string
}

7
terraform/modules/tfc-workspace/version.tf
View file

@ -1,7 +0,0 @@
terraform {
required_version = ">=0.12.6"
}
provider "tfe" {
version = ">=0.15.0"
}