roleypoly/v3
1
0
Fork 0
mirror of https://github.com/roleypoly/roleypoly.git synced 2025-06-16 09:39:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

temp tf

Browse source
This commit is contained in:
41666 2020-10-09 10:54:55 -04:00
parent a5e2fdc7a7
commit ec505739c8
31 changed files with 1394 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

13
terraform/platform/services/ingress.tf Normal file
View file

@ -0,0 +1,13 @@
module "ingress-controller" {
source = "github.com/roleypoly/devops.git//terraform/modules/nginx-ingress-controller"
nginx-ingress-version = "0.32.0"
}
module "cluster-dns" {
source = "github.com/roleypoly/devops.git//terraform/modules/cloudflare-cluster-dns"
ingress-name = module.ingress-controller.service-name
ingress-namespace = module.ingress-controller.service-namespace
ingress-endpoint = module.ingress-controller.service-endpoint
cloudflare-zone-id = var.cloudflare_zone_id
record-name = "roleypoly-nyc.kc"
}

56
terraform/platform/services/provision.tf Normal file
View file

@ -0,0 +1,56 @@
terraform {
required_version = ">=0.12.6"
backend "remote" {
organization = "Roleypoly"
workspaces {
name = "roleypoly-platform-services"
}
}
}
/*
DigitalOcean
*/
variable "digitalocean_token" { type = string }
provider "digitalocean" {
version = ">=1.16.0"
token = var.digitalocean_token
}
/*
Cloudflare
*/
variable "cloudflare_token" { type = string }
variable "cloudflare_email" { type = string }
variable "cloudflare_zone_id" { type = string }
variable "cloudflare_origin_ca_token" { type = string }
provider "cloudflare" {
version = ">=2.0"
email = var.cloudflare_email
api_token = var.cloudflare_token
api_user_service_key = var.cloudflare_origin_ca_token
}
/*
Kubernetes
*/
variable "k8s_endpoint" { type = string }
variable "k8s_token" { type = string }
variable "k8s_cert" { type = string }
provider "kubernetes" {
load_config_file = false
token = var.k8s_token
host = var.k8s_endpoint
cluster_ca_certificate = var.k8s_cert
}
/*
Others
*/
variable "vault_gcs_token" { type = string }
variable "vault_gcs_url" { type = string }
variable "gcp_project" { type = string }
variable "gcp_region" { type = string }

207
terraform/platform/services/vault.tf Normal file
View file

@ -0,0 +1,207 @@
resource "kubernetes_namespace" "vault" {
metadata {
name = "vault"
}
}
locals {
vaultNs = kubernetes_namespace.vault.metadata.0.name
vaultLabels = {
"app.kubernetes.io/name" = "vault"
"app.kubernetes.io/part-of" = "vault"
}
}
resource "kubernetes_secret" "vault-svcacct" {
metadata {
generate_name = "vault-svcacct"
namespace = local.vaultNs
labels = local.vaultLabels
}
data = {
"vault-service-account.json" = base64decode(var.vault_gcs_token)
}
}
resource "kubernetes_config_map" "vault-cm" {
metadata {
generate_name = "vault-config"
namespace = local.vaultNs
labels = local.vaultLabels
}
data = {
"vault-config.json" = jsonencode({
// Enables UI
ui = true,
// Storage with GCS
storage = {
gcs = {
bucket = "roleypoly-vault",
}
},
// Auto-seal setup with GCPKMS
seal = {
gcpckms = {
credentials = "/vault/mounted-secrets/vault-service-account.json",
project = var.gcp_project
region = "global"
key_ring = "vault-keyring"
crypto_key = "vault-key"
}
},
// TCP
listener = {
tcp = {
address = "0.0.0.0:8200"
}
},
// K8s service registration
service_registration = {
kubernetes = {}
}
})
}
}
resource "kubernetes_deployment" "vault" {
metadata {
name = "vault"
namespace = local.vaultNs
labels = local.vaultLabels
}
spec {
replicas = 1
selector {
match_labels = local.vaultLabels
}
template {
metadata {
labels = local.vaultLabels
}
spec {
service_account_name = kubernetes_service_account.vault-sa.metadata.0.name
automount_service_account_token = true
container {
image = "vault:1.5.0"
name = "vault"
env {
name = "GOOGLE_APPLICATION_CREDENTIALS"
value = "/vault/mounted-secrets/vault-service-account.json"
}
env {
name = "VAULT_K8S_NAMESPACE"
value_from {
field_ref {
field_path = "metadata.namespace"
}
}
}
env {
name = "VAULT_K8S_POD_NAME"
value_from {
field_ref {
field_path = "metadata.name"
}
}
}
volume_mount {
mount_path = "/vault/mounted-secrets"
name = "vault-secrets"
read_only = true
}
volume_mount {
mount_path = "/vault/config/vault-config.json"
name = "vault-config"
sub_path = "vault-config.json"
}
security_context {
capabilities {
add = ["IPC_LOCK"]
}
}
}
node_selector = {
node_type = "static"
}
restart_policy = "Always"
volume {
name = "vault-secrets"
secret {
secret_name = kubernetes_secret.vault-svcacct.metadata.0.name
}
}
volume {
name = "vault-config"
config_map {
name = kubernetes_config_map.vault-cm.metadata.0.name
}
}
}
}
}
}
resource "kubernetes_service_account" "vault-sa" {
metadata {
namespace = local.vaultNs
name = "vault"
labels = local.vaultLabels
}
}
resource "kubernetes_role" "vault-sa-role" {
metadata {
namespace = local.vaultNs
name = "vault"
labels = local.vaultLabels
}
rule {
api_groups = [""]
resources = ["pods"]
verbs = ["get", "update"]
}
}
resource "kubernetes_role_binding" "vault-sa-rb" {
metadata {
namespace = local.vaultNs
name = "vault-rb"
labels = local.vaultLabels
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "Role"
name = kubernetes_role.vault-sa-role.metadata.0.name
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.vault-sa.metadata.0.name
namespace = local.vaultNs
}
}