init

2019-10-07 15:27:05 -05:00 · 2019-10-07 15:27:05 -05:00 · 6aaefd5d90
--- a/cluster-provisioning/README.md
+++ b/cluster-provisioning/README.md
--- a/cluster-provisioning/terraform/flux.tf
+++ b/cluster-provisioning/terraform/flux.tf
@ -0,0 +1,234 @@
+# The cluster will use a GitOps repo for Kubernetes configuration. this file
+# will bootstrap the configuration of Flux such that all the manifests from the
+# repository will be automatically applied when the cluster is created.
+
+locals {
+  k8s-ns = "flux"
+}
+
+resource "kubernetes_namespace" "flux" {
+  metadata {
+    name = "${local.k8s-ns}"
+  }
+
+  depends_on = ["kubernetes_namespace.flux"]
+}
+
+resource "kubernetes_service_account" "flux" {
+  metadata {
+    name      = "flux"
+    namespace = "${local.k8s-ns}"
+
+    labels {
+      name = "flux"
+    }
+  }
+
+  automount_service_account_token = true
+
+  depends_on = ["kubernetes_namespace.flux"]
+}
+
+resource "kubernetes_cluster_role" "flux" {
+  metadata {
+    name = "flux"
+
+    labels {
+      name = "flux"
+    }
+  }
+
+  rule {
+    api_groups = ["*"]
+    resources  = ["*"]
+    verbs      = ["*"]
+  }
+
+  rule {
+    non_resource_urls = ["*"]
+    verbs             = ["*"]
+  }
+
+  depends_on = ["kubernetes_namespace.flux"]
+}
+
+resource "kubernetes_cluster_role_binding" "flux" {
+  metadata {
+    name = "flux"
+
+    labels {
+      name = "flux"
+    }
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "flux"
+  }
+
+  subject {
+    kind      = "ServiceAccount"
+    name      = "flux"
+    namespace = "${local.k8s-ns}"
+    api_group = ""
+  }
+
+  depends_on = [
+    "kubernetes_namespace.flux",
+    "kubernetes_cluster_role.flux",
+    "kubernetes_service_account.flux",
+  ]
+}
+
+resource "kubernetes_deployment" "flux" {
+  metadata {
+    name      = "flux"
+    namespace = "${local.k8s-ns}"
+  }
+
+  spec {
+    selector {
+      match_labels {
+        name = "flux"
+      }
+    }
+
+    strategy {
+      type = "Recreate"
+    }
+
+    template {
+      metadata {
+        labels {
+          name = "flux"
+        }
+      }
+
+      spec {
+        service_account_name = "flux"
+        automount_service_account_token = true
+
+        # See the following GH issue for why we have to do this manually
+        # https://github.com/terraform-providers/terraform-provider-kubernetes/issues/38
+
+        volume {
+          name = "git-key"
+
+          secret {
+            secret_name  = "flux-git-deploy"
+            default_mode = "0400"
+          }
+        }
+
+        volume {
+          name = "git-keygen"
+
+          empty_dir {
+            medium = "Memory"
+          }
+        }
+
+        container {
+          name  = "flux"
+          image = "docker.io/fluxcd/flux:1.14.2"
+
+          volume_mount {
+            name       = "git-key"
+            mount_path = "/etc/fluxd/ssh"
+            read_only  = true
+          }
+
+          volume_mount {
+            name       = "git-keygen"
+            mount_path = "/var/fluxd/keygen"
+          }
+
+          args = [
+            "--memcached-service=memcached",
+            "--ssh-keygen-dir=/var/fluxd/keygen",
+            "--git-url=${data.github_repository.flux-repo.ssh_clone_url}",
+            "--git-branch=master",
+          ]
+        }
+      }
+    }
+  }
+
+  depends_on = [
+    "kubernetes_cluster_role_binding.flux",
+    "kubernetes_secret.flux-git-deploy",
+  ]
+}
+
+resource "kubernetes_secret" "flux-git-deploy" {
+  metadata {
+    name      = "flux-git-deploy"
+    namespace = "${local.k8s-ns}"
+  }
+
+  type = "Opaque"
+
+  data {
+    identity = "${tls_private_key.flux.private_key_pem}"
+  }
+
+  depends_on = ["kubernetes_namespace.flux"]
+}
+
+resource "kubernetes_deployment" "memcached" {
+  metadata {
+    name      = "memcached"
+    namespace = "${local.k8s-ns}"
+  }
+
+  spec {
+    selector {
+      match_labels {
+        name = "memcached"
+      }
+    }
+
+    template {
+      metadata {
+        labels {
+          name = "memcached"
+        }
+      }
+
+      spec {
+        container {
+          name  = "memcached"
+          image = "memcached:1.4.25"
+
+          port {
+            name           = "clients"
+            container_port = 11211
+          }
+        }
+      }
+    }
+  }
+
+  depends_on = ["kubernetes_namespace.flux"]
+}
+
+resource "kubernetes_service" "memcached" {
+  metadata {
+    name      = "memcached"
+    namespace = "${local.k8s-ns}"
+  }
+
+  spec {
+    port {
+      name = "memcached"
+      port = 11211
+    }
+
+    selector {
+      name = "memcached"
+    }
+  }
+
+  depends_on = ["kubernetes_namespace.flux"]
+}
--- a/cluster-provisioning/terraform/github.tf
+++ b/cluster-provisioning/terraform/github.tf
@ -0,0 +1,18 @@
+# Generate a keypair. The private key will go to Flux in-cluster, public key
+# will be added as a deploy key to the Github repo.
+
+resource "tls_private_key" "flux" {
+  algorithm = "RSA"
+  rsa_bits  = 2048
+}
+
+data "github_repository" "flux-repo" {
+  name = "${var.github_repository_name}"
+}
+
+resource "github_repository_deploy_key" "flux" {
+  title      = "Flux deploy key (flux-${var.prefix})"
+  repository = "${data.github_repository.flux-repo.name}"
+  read_only  = false
+  key        = "${tls_private_key.flux.public_key_openssh}"
+}
--- a/cluster-provisioning/terraform/main.tf
+++ b/cluster-provisioning/terraform/main.tf
@ -0,0 +1,86 @@
+resource "azurerm_resource_group" "demo" {
+  name     = "k8-clusters"
+  location = "${var.location}"
+}
+
+resource "azurerm_log_analytics_workspace" "demo" {
+  name                = "${var.prefix}-aks-logs"
+  location            = "${azurerm_resource_group.demo.location}"
+  resource_group_name = "${azurerm_resource_group.demo.name}"
+  sku                 = "PerGB2018"
+}
+
+resource "azurerm_log_analytics_solution" "demo" {
+  solution_name         = "Containers"
+  location              = "${azurerm_resource_group.demo.location}"
+  resource_group_name   = "${azurerm_resource_group.demo.name}"
+  workspace_resource_id = "${azurerm_log_analytics_workspace.demo.id}"
+  workspace_name        = "${azurerm_log_analytics_workspace.demo.name}"
+
+  plan {
+    publisher = "Microsoft"
+    product   = "OMSGallery/Containers"
+  }
+}
+resource "azurerm_virtual_network" "demo" {
+  name                = "${var.prefix}-network"
+  location            = "${azurerm_resource_group.demo.location}"
+  resource_group_name = "${azurerm_resource_group.demo.name}"
+  address_space       = ["${var.address_space}"]
+}
+resource "azurerm_subnet" "demo" {
+  name                 = "internal"
+  resource_group_name  = "${azurerm_resource_group.demo.name}"
+  address_prefix       = "${var.subnet}"
+  virtual_network_name = "${azurerm_virtual_network.demo.name}"
+}
+
+resource "azurerm_kubernetes_cluster" "demo" {
+  name                = "${var.prefix}-aks"
+  location            = "${azurerm_resource_group.demo.location}"
+  dns_prefix          = "${var.prefix}-aks"
+  resource_group_name = "${azurerm_resource_group.demo.name}"
+  kubernetes_version = "${var.kubernetes_version}"
+
+  linux_profile {
+    admin_username = "${var.admin_username}"
+
+    ssh_key {
+      key_data = "${file(var.public_ssh_key_path)}"
+    }
+  }
+
+  agent_pool_profile {
+    name            = "agentpool"
+    count           = "${var.agent_count}"
+    vm_size         = "${var.vm_size}"
+    os_type         = "Linux"
+    os_disk_size_gb = "${var.os_disk_size_gb}"
+
+    # Required for advanced networking
+    vnet_subnet_id = "${azurerm_subnet.demo.id}"
+  }
+
+  service_principal {
+    client_id     = "${var.client_id}"
+    client_secret = "${var.client_secret}"
+  }
+
+  role_based_access_control {
+    enabled = true
+  }
+  addon_profile {
+    oms_agent {
+      enabled                    = true
+      log_analytics_workspace_id = "${azurerm_log_analytics_workspace.demo.id}"
+    }
+  }
+  network_profile {
+    network_plugin = "${var.network_plugin}"
+    network_policy = "${var.network_policy}"
+    service_cidr = "${var.service_cidr}"
+    dns_service_ip = "${var.dns_service_ip}"
+    docker_bridge_cidr = "${var.docker_bridge_cidr}"
+    #pod_cidr = "${var.pod_cidr}"
+  }
+}
--- a/cluster-provisioning/terraform/output.tf
+++ b/cluster-provisioning/terraform/output.tf
@ -0,0 +1,23 @@
+output "id" {
+  value = "${azurerm_kubernetes_cluster.demo.id}"
+}
+
+output "kube_config" {
+  value = "${azurerm_kubernetes_cluster.demo.kube_config_raw}"
+}
+
+output "client_key" {
+  value = "${azurerm_kubernetes_cluster.demo.kube_config.0.client_key}"
+}
+
+output "client_certificate" {
+  value = "${azurerm_kubernetes_cluster.demo.kube_config.0.client_certificate}"
+}
+
+output "cluster_ca_certificate" {
+  value = "${azurerm_kubernetes_cluster.demo.kube_config.0.cluster_ca_certificate}"
+}
+
+output "host" {
+  value = "${azurerm_kubernetes_cluster.demo.kube_config.0.host}"
+}
--- a/cluster-provisioning/terraform/provider.tf
+++ b/cluster-provisioning/terraform/provider.tf
@ -0,0 +1,24 @@
+provider "azurerm" {
+    version = "=1.34.0"
+}
+
+provider "github" {
+  token = "${var.github_token}"
+  organization = "${var.github_organization}"
+  version = "=2.2"
+}
+
+provider "kubernetes" {
+  host                   = "${azurerm_kubernetes_cluster.demo.kube_config.0.host}"
+  client_certificate     = "${base64decode(azurerm_kubernetes_cluster.demo.kube_config.0.client_certificate)}"
+  client_key             = "${base64decode(azurerm_kubernetes_cluster.demo.kube_config.0.client_key)}"
+  cluster_ca_certificate = "${base64decode(azurerm_kubernetes_cluster.demo.kube_config.0.cluster_ca_certificate)}"
+  #version                = "=0.6.0"
+  version                = "=1.9"
+}
+
+provider "tls" {
+    version = "=2.1"
+}
+
+
--- a/cluster-provisioning/terraform/variables.tf
+++ b/cluster-provisioning/terraform/variables.tf
@ -0,0 +1,110 @@
+variable "prefix" {
+  description = "A prefix used for all resources"
+}
+
+variable "location" {
+  default     = "Central US"
+  description = "The Azure Region in which all resources will be provisioned in"
+}
+
+variable "kubernetes_version" {
+  default     = "1.14.6"
+  description = "The version of Kubernetes you want deployed to your cluster. Please reference the command: az aks get-versions --location eastus -o table"
+}
+
+variable "client_id" {
+  description = "The Client ID for the Service Principal to use for this Managed Kubernetes Cluster"
+}
+
+variable "client_secret" {
+  description = "The Client Secret for the Service Principal to use for this Managed Kubernetes Cluster"
+}
+
+variable "public_ssh_key_path" {
+  description = "The Path at which your Public SSH Key is located. Defaults to ~/.ssh/id_rsa.pub"
+  default     = "~/.ssh/id_rsa.pub"
+}
+
+variable "address_space" {
+  default = "172.20.0.0/16"
+  description = "The IP address CIDR block to be assigned to the entride Azure Virtual Network. If connecting to another peer or to you On-Premises netwokr this CIDR block MUST NOT overlap with existing BGP learned routes"
+}
+
+variable "subnet" {
+  default = "172.20.0.0/20"
+  description = "The IP address CIDR block to be assigned to the subnet that AKS nodes and Pods will ge their IP addresses from. This is a subset CIDR of the vnetIPCIDR"
+}
+
+variable "admin_username" {
+  default = "azureuser"
+  description = "The username assigned to the admin user on the OS of the AKS nodes if SSH access is ever needed"
+}
+variable "agent_count" {
+  default = "4"
+  description = "The starting number of Nodes in the AKS cluster"
+}
+
+variable "vm_size" {
+  default = "Standard_E2s_v3"
+  description = "The Node type and size based on Azure VM SKUs Reference: az vm list-sizes --location eastus -o table"
+}
+variable "os_disk_size_gb" {
+  default = 30
+  description = "The Agent Operating System disk size in GB. Changing this forces a new resource to be created."
+  
+}
+
+
+variable "max_pods" {
+  default = 30
+  description = "The maximum number of pods that can run on each agent. Changing this forces a new resource to be created."
+}
+
+variable "pool_type" {
+  default = "VirtualMachineScaleSets"
+  description = "Uses VMSS as the backing scale set"
+  
+}
+
+variable "network_plugin" {
+  default = "azure"
+  description = "Can either be azure or kubenet. azure will use Azure subnet IPs for Pod IPs. Kubenet you need to use the pod-cidr variable below"
+}
+
+variable "network_policy" {
+  default = "calico"
+  description = "Uses calico by default for network policy"
+}
+
+
+variable "pod_cidr" {
+  default = "172.23.0.0/16"
+  description = "Only use if kubenet is assigned as the network plugin. It will be divided into a /24 for each node and will be the space assigned for POD IPs on each node. A Rout Table will be created by Azure, but it must be assigned to the AKS subnet upon completion of deployment to complete install"
+}
+
+variable "service_cidr" {
+  default = "172.21.0.0/16"
+  description = "The IP address CIDR block to be assigned to the service created inside the Kubernetes cluster. If connecting to another peer or to you On-Premises network this CIDR block MUST NOT overlap with existing BGP learned routes"
+}
+
+variable "dns_service_ip" {
+  default = "172.21.0.10"
+  description = "The IP address that will be assigned to the CoreDNS or KubeDNS service inside of Kubernetes for Service Discovery. Must start at the .10 or higher of the svc-cidr range"
+}
+
+variable "docker_bridge_cidr" {
+  default = "172.22.0.1/16"
+  description = "The IP address CIDR block to be assigned to the Docker container bridge on each node. If connecting to another peer or to you On-Premises network this CIDR block SHOULD NOT overlap with existing BGP learned routes"
+}
+variable "github_organization" {
+  description = "Name of the Github Organisation"
+}
+
+variable "github_repository_name" {
+  description = "Name of the Github repository for Flux"
+}
+
+variable "github_token" {
+  description = "github token to authenticate"
+  
+}