From a5ef2550e3c9c1826aeb2f7ffaa8cb9191369c92 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 27 Nov 2020 07:46:01 +0000 Subject: [PATCH 001/121] Added pull request template --- .github/pull_request_template.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/pull_request_template.md diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..7852590 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,22 @@ +## Description + + + +## Acceptance Checklist + +- [ ] Are the source and target branches correct? +- [ ] Has there been a successful build for the latest commit? + +## Release Notes + +### Added + +- ISSUE_NAME. Closed #xxx + +### Changed + +- ISSUE_NAME. Closed #xxx + +### Fixed + +- ISSUE_NAME. Closed #xxx From 643d85136d9ba75e34e2b6ddba023a251730ed8c Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 27 Nov 2020 07:47:41 +0000 Subject: [PATCH 002/121] Bumped app and provider versions --- .github/workflows/build.yml | 2 +- terraform/helm/velero_values.yaml | 21 ++++++++++++++++++++- terraform/providers.tf | 6 +++--- terraform/variables.tf | 8 ++++---- 4 files changed, 28 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 65594a1..786496f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -70,7 +70,7 @@ jobs: build-and-deploy: # always pin versions - # view installed software: https://help.github.com/en/actions/reference/software-installed-on-github-hosted-runners + # view installed software: https://docs.github.com/en/free-pro-team@latest/actions/reference/specifications-for-github-hosted-runners#supported-software runs-on: ubuntu-18.04 # only run if owner triggered action diff --git a/terraform/helm/velero_values.yaml b/terraform/helm/velero_values.yaml index 5f7a0e5..b3b8992 100644 --- a/terraform/helm/velero_values.yaml +++ b/terraform/helm/velero_values.yaml 
@@ -1,4 +1,4 @@ -# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.13.6/charts/velero/values.yaml +# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.14.1/charts/velero/values.yaml ## ## Configuration settings that directly affect the Velero deployment YAML. @@ -32,6 +32,10 @@ podLabels: {} # Resource requests/limits to specify for the Velero deployment. Optional. resources: {} +# Configure the dnsPolicy of the Velero deployment +# See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: ClusterFirst + # Init containers to add to the Velero deployment's pod spec. At least one plugin provider image is required. # https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/releases initContainers: @@ -80,6 +84,11 @@ metrics: # Install CRDs as a templates. Enabled by default. installCRDs: true +# Enable/disable all helm hooks annotations +# You should disable this if using a deploy tool that doesn't support helm hooks, +# such as ArgoCD +enableHelmHooks: true + ## ## End of deployment-related settings. ## @@ -202,6 +211,8 @@ credentials: # credentials. Set to false if, for example, using kube2iam or # kiam to provide IAM credentials for the Velero pod. useSecret: true + # Name of the secret to create if `useSecret` is true and `existingSecret` is empty + name: # Name of a pre-existing secret (if any) in the Velero namespace # that should be used to get IAM account credentials. Optional. existingSecret: velero-credentials 
@@ -211,6 +222,10 @@ credentials: secretContents: {} # additional key/value pairs to be used as environment variables such as "DIGITALOCEAN_TOKEN: ". Values will be stored in the secret. extraEnvVars: {} + # Name of a pre-existing secret (if any) in the Velero namespace + # that will be used to load environment variables into velero and restic. + # Secret should be in format - https://kubernetes.io/docs/concepts/configuration/secret/#use-case-as-container-environment-variables + extraSecretRef: "" # Whether to create backupstoragelocation crd, if false => do not create a default backup location backupsEnabled: true @@ -236,6 +251,10 @@ restic: # Extra volumeMounts for the Restic daemonset. Optional. extraVolumeMounts: [] + # Configure the dnsPolicy of the Restic daemonset + # See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + # SecurityContext to use for the Velero deployment. Optional. # Set fsGroup for `AWS IAM Roles for Service Accounts` # see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html diff --git a/terraform/providers.tf b/terraform/providers.tf index b646423..89c0d89 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -14,10 +14,10 @@ terraform { helm = "1.3.2" # https://github.com/hashicorp/terraform-provider-kubernetes/releases - kubernetes = "1.13.2" + kubernetes = "1.13.3" # https://github.com/terraform-providers/terraform-provider-azuread/releases - azuread = "1.0.0" + azuread = "1.1.1" random = "~> 2.2" # ~> 2.2 = 2.X.Y tls = "~> 2.1" @@ -30,7 +30,7 @@ terraform { # must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { - version = "2.37.0" + version = "2.38.0" features {} } diff --git a/terraform/variables.tf b/terraform/variables.tf index 3db9ff1..7ff6ee6 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -18,19 +18,19 @@ variable "kubernetes_version" { # https://github.com/kubernetes/ingress-nginx/blob/ingress-nginx-3.11.0/charts/ingress-nginx/Chart.yaml#L3 # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "3.11.0" + default = "3.12.0" } # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.0.4" + default = "v1.1.0" } # https://github.com/vmware-tanzu/helm-charts/releases # helm search repo vmware-tanzu/velero variable "velero_chart_version" { - default = "2.13.7" + default = "2.14.1" } # https://hub.docker.com/r/sonatype/nexus3/tags @@ -62,7 +62,7 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "4.0.0" + default = "4.3.1" } #endregion Versions From aeb8859977b5a8e8f14fa7478c54bfb8542c0fff Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 27 Nov 2020 08:07:58 +0000 Subject: [PATCH 003/121] Bumped Pester to v5.1.0 --- scripts/Start-Test.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/Start-Test.ps1 b/scripts/Start-Test.ps1 index cf4961a..10af9f7 100755 --- a/scripts/Start-Test.ps1 +++ b/scripts/Start-Test.ps1 @@ -18,7 +18,7 @@ $taskMessage = "Installing Pester " Write-Verbose "STARTED: $taskMessage..." try { Set-PSRepository -Name "PSGallery" -InstallationPolicy "Trusted" - Install-Module -Name "Pester" -Scope "CurrentUser" -Repository "PSGallery" -Force -RequiredVersion 4.10.1 + Install-Module -Name "Pester" -Scope "CurrentUser" -Repository "PSGallery" -Force -RequiredVersion 5.1.0 Write-Verbose "FINISHED: $taskMessage." } From 4f87f319255b387499a0d4db5a75cc1bc7da5230 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Fri, 27 Nov 2020 08:20:33 +0000 Subject: [PATCH 004/121] Fixed Pester new assertions syntax --- test/integration.tests.ps1 | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/test/integration.tests.ps1 b/test/integration.tests.ps1 index 54f32c3..633ebec 100644 --- a/test/integration.tests.ps1 +++ b/test/integration.tests.ps1 @@ -10,20 +10,20 @@ Describe "Integration Tests" { # [CI Param Option] Trigger failed test on purpose if ($env:FORCE_TEST_FAIL -eq "true") { It "FORCE_TEST_FAIL used on Resource Group [$env:AKS_RG_NAME]" { - "false" | Should be "true" + "false" | Should -Be "true" } } It "Resource Group [$env:TERRAFORM_STORAGE_RG] should exist" { - az group exists --name $env:TERRAFORM_STORAGE_RG | Should be "true" + az group exists --name $env:TERRAFORM_STORAGE_RG | Should -Be "true" } It "Storage Account [$env:TERRAFORM_STORAGE_ACCOUNT] should exist" { - az storage account show --name $env:TERRAFORM_STORAGE_ACCOUNT --query "provisioningState" -o tsv | Should be "Succeeded" + az storage account show --name $env:TERRAFORM_STORAGE_ACCOUNT --query "provisioningState" -o tsv | Should -Be "Succeeded" } It "Storage Blob [terraform.tfstate] in Container [terraform] should exist" { - az storage blob exists --account-name $env:TERRAFORM_STORAGE_ACCOUNT --container-name "terraform" --name "terraform.tfstate" --query "exists" -o tsv | Should be "true" + az storage blob exists --account-name $env:TERRAFORM_STORAGE_ACCOUNT --container-name "terraform" --name "terraform.tfstate" --query "exists" -o tsv | Should -Be "true" } } 
@@ -31,11 +31,11 @@ Describe "Integration Tests" { Context 'When Terraform has provisioned: [AZURE KUBERNETES SERVICE]' { It "Resource Group [$env:AKS_RG_NAME] should exist" { - az group exists --name $env:AKS_RG_NAME | Should be "true" + az group exists --name $env:AKS_RG_NAME | Should -Be "true" } It "Azure Kubernetes Service [$env:AKS_CLUSTER_NAME] should exist" { - az aks show --name $env:AKS_CLUSTER_NAME --resource-group $env:AKS_RG_NAME --query "provisioningState" -o tsv | Should be "Succeeded" + az aks show --name $env:AKS_CLUSTER_NAME --resource-group $env:AKS_RG_NAME --query "provisioningState" -o tsv | Should -Be "Succeeded" } } @@ -63,12 +63,12 @@ Describe "Integration Tests" { # Root domain It "A request to [$testUrl] should return an allowed Status Code: [$($allowedStatusCodes -join ', ')]" { # $responseStatusCode = curl -k -s -o /dev/null -w "%{http_code}" $testUrl - $response.StatusCode | Should BeIn $allowedStatusCodes + $response.StatusCode | Should -BeIn $allowedStatusCodes } It "A request to [$testUrl] should include [$expectedContent] in the returned content" { - # (curl -k -s $testUrl) -match $expectedContent | Should Be $true - $response.Content -match $expectedContent | Should Be $true + # (curl -k -s $testUrl) -match $expectedContent | Should -Be $true + $response.Content -match $expectedContent | Should -Be $true } } @@ -93,7 +93,7 @@ Describe "Integration Tests" { # Tests It "Should have an SSL cert for [$hostname] issued by: [$expectedIssuerName]" { - $certResult.Issuer -like "*$expectedIssuerName*" | Should Be $true + $certResult.Issuer -like "*$expectedIssuerName*" | Should -Be $true } # Do extra supported tests if on Windows OS 
@@ -106,15 +106,15 @@ Describe "Integration Tests" { if ($env:CI_DEBUG -eq "true") { $sslResult | Format-Custom | Out-String | Write-Verbose } It "Should have Signature Algorithm of [sha256RSA]" { - $sslResult.SignatureAlgorithm | Should Be "sha256RSA" + $sslResult.SignatureAlgorithm | Should -Be "sha256RSA" } It "Should support TLS1.2" { - $sslResult.TLS12 | Should Be $True + $sslResult.TLS12 | Should -Be $True } It "Should not expire within [$warningThreshold] days" { - ($sslResult.Certificate.NotAfter -gt (Get-Date).AddDays($warningThreshold)) | Should Be $True + ($sslResult.Certificate.NotAfter -gt (Get-Date).AddDays($warningThreshold)) | Should -Be $True } } } From e80e7156bdc088823308ff975bc3daf3bc2fd23e Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 27 Nov 2020 08:34:55 +0000 Subject: [PATCH 005/121] Added documentation comments --- test/integration.tests.ps1 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/integration.tests.ps1 b/test/integration.tests.ps1 index 633ebec..0ec2729 100644 --- a/test/integration.tests.ps1 +++ b/test/integration.tests.ps1 @@ -1,6 +1,10 @@ # Pester integration tests for provisioned infrastructure # Assumes az cli has already been logged in +# Documentation: +# - https://pester.dev/docs/migrations/v3-to-v4#update-to-the-new-assertions-syntax +# - https://pester.dev/docs/usage/assertions + # Pester tests Describe "Integration Tests" { From c0c810e7b1ebac6d454f21fdb94bf26975bcb651 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 1 Dec 2020 08:09:38 +0000 Subject: [PATCH 006/121] Bumped aad-pod-identity to v2.1.0 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 7ff6ee6..04d92b6 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
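Review bot: The TLS assertions in this hunk only check that TLS 1.2 is offered (`$sslResult.TLS12 | Should -Be $True`); nothing asserts that SSLv3, TLS 1.0 or TLS 1.1 are refused, so an ingress that still accepts downgraded protocols passes this suite. If the helper that builds `$sslResult` exposes the legacy protocols as properties (the hunk does not show it), add `$sslResult.TLS10 | Should -Be $False` and `$sslResult.TLS11 | Should -Be $False` beside the TLS12 check. Note also that the preceding context marks this whole block as Windows-only, while the build job in build.yml runs on `ubuntu-18.04`, so as far as this patch shows none of the certificate assertions execute in CI; a comment stating that would save the next reader from assuming TLS is being verified. The enclosing `Describe`/`Context` blocks open before this hunk.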
@@ -55,7 +55,7 @@ variable "akv2k8s_chart_version" { # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity variable "aad_pod_identity_chart_version" { - default = "2.0.3" + default = "2.1.0" } # https://bitnami.com/stack/external-dns/helm From c5ef5be01f3439284deea5216a8ab5634250d8cb Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 5 Dec 2020 08:36:29 +0000 Subject: [PATCH 007/121] Bumped Nexus to v3.29.0 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 04d92b6..2008709 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -35,7 +35,7 @@ variable "velero_chart_version" { # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.28.1" + default = "3.29.0" } # https://github.com/adamrushuk/charts/releases From 6c3866a4b7d11ef870ca17bee3530071ce527f30 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 5 Dec 2020 08:36:44 +0000 Subject: [PATCH 008/121] Bumped azurerm to v2.39.0 --- terraform/providers.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/providers.tf b/terraform/providers.tf index 89c0d89..b518fe8 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -30,7 +30,7 @@ terraform { # must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { - version = "2.38.0" + version = "2.39.0" features {} } From f7fb4924657ca08b787a99b3bf776d314d43dcc3 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 5 Dec 2020 09:17:27 +0000 Subject: [PATCH 009/121] Added Pester MinimumVersion --- scripts/Start-Test.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/Start-Test.ps1 b/scripts/Start-Test.ps1 index 10af9f7..6b7db6a 100755 --- a/scripts/Start-Test.ps1 +++ b/scripts/Start-Test.ps1 
@@ -18,7 +18,7 @@ $taskMessage = "Installing Pester " Write-Verbose "STARTED: $taskMessage..." try { Set-PSRepository -Name "PSGallery" -InstallationPolicy "Trusted" - Install-Module -Name "Pester" -Scope "CurrentUser" -Repository "PSGallery" -Force -RequiredVersion 5.1.0 + Install-Module -Name "Pester" -Scope "CurrentUser" -Repository "PSGallery" -MinimumVersion 5.1.0 -Verbose Write-Verbose "FINISHED: $taskMessage." } From 8a08484a3d7748bb32e12127c407349476589f47 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 5 Dec 2020 18:53:09 +0000 Subject: [PATCH 010/121] Added kured helm chart --- terraform/helm/kured_values.yaml | 31 ++++++++++++++++++++++++++ terraform/helm_kured.tf | 37 ++++++++++++++++++++++++++++++++ terraform/variables.tf | 11 ++++++++++ 3 files changed, 79 insertions(+) create mode 100644 terraform/helm/kured_values.yaml create mode 100644 terraform/helm_kured.tf diff --git a/terraform/helm/kured_values.yaml b/terraform/helm/kured_values.yaml new file mode 100644 index 0000000..aff139b --- /dev/null +++ b/terraform/helm/kured_values.yaml 
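Review bot: Replacing `-RequiredVersion 5.1.0` with `-MinimumVersion 5.1.0` turns the test dependency into a floating install: every CI run pulls whatever the newest Pester on PSGallery is, from a repository the previous line has just marked `-InstallationPolicy "Trusted"`, so a compromised or breaking release would be executed without review. Keep the exact pin (`-RequiredVersion 5.1.0`), or at least bound it with `-MaximumVersion 5.99.99` and bump deliberately. Dropping `-Force` is probably harmless on the Linux runners this repo uses, but on Windows hosts with the in-box Pester 3.x the install tends to fail the publisher check unless `-SkipPublisherCheck` is added, so a comment about the intended platforms would help. The `try` block continues past the end of this hunk.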
@@ -0,0 +1,31 @@ +configuration: + # alertFilterRegexp: "" # alert names to ignore when checking for active alerts + # blockingPodSelector: [] # label selector identifying pods whose presence should prevent reboots + endTime: "17:00" # only reboot before this time of day (default "23:59") + # lockAnnotation: "" # annotation in which to record locking node (default "weave.works/kured-node-lock") + # lockTtl: 0 # force clean annotation after this ammount of time (default 0, disabled) + # messageTemplateDrain: "" # slack message template when notifying about a node being drained (default "Draining node %s") + # messageTemplateReboot: "" # slack message template when notifying about a node being rebooted (default "Rebooted node %s") + # period: "" # reboot check period (default 1h0m0s) + # prometheusUrl: "" # Prometheus instance to probe for active alerts + rebootDays: [mo,tu,we,th,fr] # only reboot on these days (default [su,mo,tu,we,th,fr,sa]) + # rebootSentinel: "" # path to file whose existence signals need to reboot (default "/var/run/reboot-required") + # slackChannel: "" # slack channel for reboot notfications + # slackHookUrl: "" # slack hook URL for reboot notfications + # slackUsername: "" # slack username for reboot notfications (default "kured") + startTime: "09:00" # only reboot after this time of day (default "0:00") + timeZone: "Europe/London" # time-zone to use (valid zones from "time" golang package) + +nodeSelector: + kubernetes.io/os: Linux + +extraArgs: {} + +extraEnvVars: +# - name: slackHookUrl +# valueFrom: +# secretKeyRef: +# name: secret_name +# key: secret_key +# - name: regularEnvVariable +# value: 123 diff --git a/terraform/helm_kured.tf b/terraform/helm_kured.tf new file mode 100644 index 0000000..ecedfc5 --- /dev/null +++ b/terraform/helm_kured.tf 
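Review bot: `extraEnvVars:` is left as a bare key whose only children are commented out, which YAML parses as `null` rather than an empty list, unlike the neighbouring `extraArgs: {}`; whether the chart tolerates a null here depends on how its template ranges over the value, which this patch does not show. Write `extraEnvVars: []` so the type is explicit and matches the commented example. When the Slack example is eventually enabled, keep it as the `secretKeyRef` form drafted here rather than an inline `value`, since a Slack hook URL is effectively a credential. The `rebootDays: [mo,tu,we,th,fr]` plus `09:00`–`17:00` `Europe/London` window means a reboot-required flag raised on a Friday evening is not acted on until Monday; acceptable for a playground, but worth a one-line comment next to `endTime` stating that trade-off.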
@@ -0,0 +1,37 @@ +# kured helm chart + +# https://www.terraform.io/docs/providers/kubernetes/r/namespace.html +resource "kubernetes_namespace" "kured" { + metadata { + name = "kured" + } + + timeouts { + delete = "15m" + } + + depends_on = [module.aks] +} + +# https://www.terraform.io/docs/providers/helm/r/release.html +resource "helm_release" "kured" { + chart = "kured" + name = "kured" + namespace = kubernetes_namespace.kured.metadata[0].name + repository = "https://weaveworks.github.io/kured" + version = var.kured_chart_version + timeout = 600 + + values = ["${file("helm/kured_values.yaml")}"] + + set { + name = "image.tag" + value = var.kured_image_tag + } + + # increase testing period frequency, when testing with "sudo touch /var/run/reboot-required" + # set { + # name = "configuration.period" + # value = "1m" + # } +} diff --git a/terraform/variables.tf b/terraform/variables.tf index 2008709..5625a2c 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -64,6 +64,17 @@ variable "aad_pod_identity_chart_version" { variable "external_dns_chart_version" { default = "4.3.1" } + +# https://github.com/weaveworks/kured/tree/master/charts/kured +# helm search repo kured/kured +variable "kured_chart_version" { + default = "2.2.1" +} + +# https://github.com/weaveworks/kured#kubernetes--os-compatibility +variable "kured_image_tag" { + default = "1.4.4" +} #endregion Versions From b329ded80876ba6d4e945a9d8e116946fdad1f2d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 5 Dec 2020 19:01:48 +0000 Subject: [PATCH 011/121] Fixed nodeSelector case issue --- terraform/helm/kured_values.yaml | 2 +- terraform/helm_kured.tf | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/helm/kured_values.yaml b/terraform/helm/kured_values.yaml index aff139b..7c96e24 100644 --- a/terraform/helm/kured_values.yaml +++ b/terraform/helm/kured_values.yaml 
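Review bot: `values = ["${file("helm/kured_values.yaml")}"]` wraps an interpolation-only expression in quotes, which Terraform 0.12+ reports as deprecated; `values = [file("helm/kured_values.yaml")]` is equivalent. The path is also relative to the working directory rather than the module, so the release only renders when `terraform` is run from `terraform/`; `file("${path.module}/helm/kured_values.yaml")` removes that dependency, assuming the sibling helm_*.tf files do not rely on the same convention. Pinning both `version` and `image.tag` through variables is the right call: per the values comments kured drains and reboots nodes, so an unpinned chart or `latest` tag would be a direct upgrade path onto every node.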
@@ -17,7 +17,7 @@ configuration: timeZone: "Europe/London" # time-zone to use (valid zones from "time" golang package) nodeSelector: - kubernetes.io/os: Linux + kubernetes.io/os: linux extraArgs: {} diff --git a/terraform/helm_kured.tf b/terraform/helm_kured.tf index ecedfc5..b9a7344 100644 --- a/terraform/helm_kured.tf +++ b/terraform/helm_kured.tf @@ -1,4 +1,5 @@ # kured helm chart +# https://docs.microsoft.com/en-us/azure/aks/node-updates-kured # https://www.terraform.io/docs/providers/kubernetes/r/namespace.html resource "kubernetes_namespace" "kured" { From 1ccd97190ca7314e74fa630c8f33c1a9306321ba Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 6 Dec 2020 08:06:52 +0000 Subject: [PATCH 012/121] Changed azurerm provider back to v2.38.0 --- terraform/providers.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/providers.tf b/terraform/providers.tf index b518fe8..89c0d89 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -30,7 +30,7 @@ terraform { # must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { - version = "2.39.0" + version = "2.38.0" features {} } From 3f9708cdc97875eeee4b5c82602617e2f7a12ad9 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 6 Dec 2020 08:32:41 +0000 Subject: [PATCH 013/121] Added warning comment --- terraform/providers.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/providers.tf b/terraform/providers.tf index 89c0d89..6a481be 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -30,6 +30,7 @@ terraform { # must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { + # ! WARNING: "2.39.0" was a bit flakey, so stay on "2.38.0" for the time being version = "2.38.0" features {} } From 102fd82d98ec8242acf4e1acbfa8bcf3f1a954dd Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Sun, 6 Dec 2020 09:02:24 +0000 Subject: [PATCH 014/121] Changed nexus demo user var names --- .github/workflows/build.yml | 14 +++++++------- ansible/group_vars/all.yml | 4 ++-- ansible/roles/user/defaults/main.yml | 6 +++--- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 786496f..df53411 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,8 +37,6 @@ env: # prod or staging. # "" disables cert-manager annotations (use if you already have an existing TLS secret) CERT_API_ENVIRONMENT: "" - DEMO_USER_USERNAME: demo_user - # DEMO_USER_PASSWORD: ${{ secrets.DEMO_USER_PASSWORD }} DNS_DOMAIN_NAME: nexus.thehypepipe.co.uk DNS_RG_NAME: rg-dns DOCKER_FQDN: docker.thehypepipe.co.uk @@ -46,12 +44,14 @@ env: ENABLE_TLS_INGRESS: true FORCE_TEST_FAIL: false K8S_TLS_SECRET_NAME: tls-secret - KEY_VAULT_NAME: kv-rush-iz6y KEY_VAULT_CERT_NAME: wildcard-thehypepipe-co-uk + KEY_VAULT_NAME: kv-rush-iz6y KEY_VAULT_RESOURCE_GROUP_NAME: rg-keyvault-acmebot LOCATION: uksouth - ROOT_DOMAIN_NAME: thehypepipe.co.uk # NEXUS_ADMIN_PASSWORD: ${{ secrets.NEXUS_ADMIN_PASSWORD }} + # NEXUS_USER_PASSWORD: ${{ secrets.NEXUS_USER_PASSWORD }} + NEXUS_USER_USERNAME: demo_user + ROOT_DOMAIN_NAME: thehypepipe.co.uk # STORAGE_KEY: 'env var set by Get-StorageKey.ps1' VELERO_ENABLED: true WEAVE_SCOPE_ENABLED: false @@ -218,7 +218,7 @@ jobs: run: ./scripts/ansible.sh env: NEXUS_ADMIN_PASSWORD: ${{ secrets.NEXUS_ADMIN_PASSWORD }} - DEMO_USER_PASSWORD: ${{ secrets.DEMO_USER_PASSWORD }} + NEXUS_USER_PASSWORD: ${{ secrets.NEXUS_USER_PASSWORD }} # Docker 
@@ -226,8 +226,8 @@ jobs: uses: Azure/docker-login@v1 with: login-server: ${{ env.DOCKER_FQDN }} - username: ${{ env.DEMO_USER_USERNAME }} - password: ${{ secrets.DEMO_USER_PASSWORD }} + username: ${{ env.NEXUS_USER_USERNAME }} + password: ${{ secrets.NEXUS_USER_PASSWORD }} - name: Push images to Docker repo run: ./scripts/push_docker_images.sh diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 8f61b85..6a516a4 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -7,8 +7,8 @@ api_base_uri: "" api_url: "{{ api_base_uri }}/service/rest" api_user: "admin" autogenerated_admin_password: "{{ lookup('env', 'AUTOGENERATED_ADMIN_PASSWORD') }}" -demo_user_username: "{{ lookup('env', 'DEMO_USER_USERNAME') }}" -demo_user_password: "{{ lookup('env', 'DEMO_USER_PASSWORD') }}" +nexus_user_username: "{{ lookup('env', 'NEXUS_USER_USERNAME') }}" +nexus_user_password: "{{ lookup('env', 'NEXUS_USER_PASSWORD') }}" enable_debug_output: "{{ lookup('env', 'CI_DEBUG') }}" nexus_namespace: "nexus" diff --git a/ansible/roles/user/defaults/main.yml b/ansible/roles/user/defaults/main.yml index 743b3c6..ef6b666 100644 --- a/ansible/roles/user/defaults/main.yml +++ b/ansible/roles/user/defaults/main.yml @@ -1,10 +1,10 @@ user_request_body: - userId: "{{ demo_user_username }}" + userId: "{{ nexus_user_username }}" firstName: "demo" lastName: "user" - emailAddress: "{{ demo_user_username }}@domain.com" + emailAddress: "{{ nexus_user_username }}@domain.com" status: "active" - password: "{{ demo_user_password }}" + password: "{{ nexus_user_password }}" roles: [ "nx-admin" ] From 9d1844898a23337352868a0e20079ae0c751a492 Mon Sep 17 00:00:00 2001 
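Review bot: The renamed user is still created with `roles: [ "nx-admin" ]`, yet the same credential (`NEXUS_USER_PASSWORD`) is what the `docker-login` step in this patch hands to the CI runner for pushing images, so a leak of that secret is a full Nexus administrator compromise rather than write access to one repository. Create the user with a least-privilege role instead, e.g. a custom role holding only the `nx-repository-view-docker-*-*` privileges the push needs, and reserve `nx-admin` for the separate account already configured as `api_user: "admin"`. The hardcoded `emailAddress: "{{ nexus_user_username }}@domain.com"` points at a real third-party domain; `example.com` is reserved for exactly this use. Both points predate the rename but are worth fixing while these variables are being touched.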
From: Adam Rush Date: Sun, 6 Dec 2020 18:22:08 +0000 Subject: [PATCH 015/121] Changed workflow names --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- .github/workflows/start_aks_cluster.yml | 2 +- .github/workflows/stop_aks_cluster.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index df53411..b18ff0a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,5 +1,5 @@ # https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions -name: Build environment +name: build # name of GitHub event that triggers workflow # https://help.github.com/en/actions/reference/events-that-trigger-workflows#watch-event-watch diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 7b37c54..77992a0 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -1,5 +1,5 @@ # https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions -name: Destroy environment +name: destroy # name of GitHub event that triggers workflow # https://help.github.com/en/actions/reference/events-that-trigger-workflows#watch-event-watch diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml index 13a16eb..d1a9ec1 100644 --- a/.github/workflows/start_aks_cluster.yml +++ b/.github/workflows/start_aks_cluster.yml @@ -1,4 +1,4 @@ -name: Start AKS Cluster +name: start_aks_cluster on: repository_dispatch: diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index b7259d7..aba41e2 100644 --- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -1,4 +1,4 @@ -name: Stop AKS Cluster +name: stop_aks_cluster on: repository_dispatch: From 36a2123dbf43585e0183d101f9570f428768226d Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Sun, 6 Dec 2020 18:22:38 +0000 Subject: [PATCH 016/121] Removed old content from README --- README.md | 72 ++++++++++--------------------------------------------- 1 file changed, 12 insertions(+), 60 deletions(-) diff --git a/README.md b/README.md index 7a4819c..22beafc 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,18 @@ -![Build environment](https://github.com/adamrushuk/aks-nexus-velero/workflows/Build%20environment/badge.svg) - + # aks-nexus-velero -Provisions an AKS cluster, deploys Nexus Repository OSS, configures Velero backups. +[![Build environment](https://github.com/adamrushuk/aks-nexus-velero/workflows/build/badge.svg)](https://github.com/adamrushuk/aks-nexus-velero/actions?query=workflow%3A%22build) + +This is the main repo I use to test Kubernetes / DevOps applications, products, and processes. It's basically my playground. + +I started off with a Kubernetes cluster, Nexus Repository OSS, and Velero for backups, but there's loads more being used now. + ## Contents -- [aks-nexus-velero](#aks-nexus-velero) - - [Contents](#contents) - - [Getting Started](#getting-started) - - [Assumptions](#assumptions) - - [Azure Secrets](#azure-secrets) - - [Login to Nexus Console](#login-to-nexus-console) +- [Getting Started](#getting-started) + - [Assumptions](#assumptions) + - [Azure Secrets](#azure-secrets) ## Getting Started @@ -27,13 +28,13 @@ https://www.terraform.io/docs/providers/azuread/guides/service_principal_configu These API permissions are required for your Terraform Service Principle: -**Azure Active Directory Graph** +**Azure Active Directory Graph** Application Permissions: 1. Application.ReadWrite.All - Read and write all applications 1. Directory.Read.All - Read directory data -Delegated Permissions: +Delegated Permissions: 1. User.Read - Sign in and read user profile 
@@ -45,52 +46,3 @@ Delegated Permissions: - `ARM_CLIENT_SECRET` - `ARM_SUBSCRIPTION_ID` - `ARM_TENANT_ID` - -## Login to Nexus Console - -Follow the steps below to update AKS credentials, get the Nexus admin password, then login and update the password: - -1. Import the AKS Cluster credentials: - - ```bash - # Vars - PREFIX="rush" - AKS_CLUSTER_NAME="$PREFIX-aks-001" - AKS_RG_NAME="$PREFIX-rg-aks-dev-001" - - # AKS Cluster credentials - az aks get-credentials --resource-group $AKS_RG_NAME --name $AKS_CLUSTER_NAME --overwrite-existing --admin - - # [OPTIONAL] View AKS Dashboard - az aks browse --resource-group $AKS_RG_NAME --name $AKS_CLUSTER_NAME - ``` - -1. Get the auto-generated admin password from within the Nexus container: - - ```bash - # Get pod name - pod_name=$(kubectl get pod --namespace nexus -l app=nexus -o jsonpath="{.items[0].metadata.name}") - - # Get admin password from pod - admin_password=$(kubectl exec -n ingress -it $pod_name -- cat /nexus-data/admin.password) - echo "$admin_password" - - # [OPTIONAL] Enter pod shell, then output admin password - kubectl exec -n ingress -it $pod_name -- /bin/bash - echo -e "\nadmin password: \n$(cat /nexus-data/admin.password)\n" - ``` - -1. Open the Nexus web console - - ```bash - # Set URL - nexus_host=$(kubectl get ingress -A -o jsonpath="{.items[0].spec.rules[0].host}") - nexus_base_url="https://$nexus_host" - - # Sign in as admin, using auto-generated admin password from prereqs section - echo "$nexus_base_url" - ``` - -1. Click `Sign in` in top right corner, then login using admin password. -1. Update admin password. -1. Enable anonymous access (to avoid using credential during repo testing). From bbb27e4b0a427563efe82852b65ca8c94fdcb787 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 8 Dec 2020 08:32:29 +0000 Subject: [PATCH 017/121] Updated README --- README.md | 47 ++++++++++++++++++++++++----------------------- 1 file changed, 24 insertions(+), 23 deletions(-) 
diff --git a/README.md b/README.md index 22beafc..f4015e2 100644 --- a/README.md +++ b/README.md 
@@ -3,46 +3,47 @@ [![Build environment](https://github.com/adamrushuk/aks-nexus-velero/workflows/build/badge.svg)](https://github.com/adamrushuk/aks-nexus-velero/actions?query=workflow%3A%22build) -This is the main repo I use to test Kubernetes / DevOps applications, products, and processes. It's basically my playground. +This is the main repo I use to test Kubernetes / DevOps applications, products, and processes. It's basically my +playground in Azure. -I started off with a Kubernetes cluster, Nexus Repository OSS, and Velero for backups, but there's loads more being used now. +I started off with a Kubernetes cluster, Nexus Repository OSS, and Velero for backups, but there's *loads* more +being used now. ## Contents - [Getting Started](#getting-started) - - [Assumptions](#assumptions) - - [Azure Secrets](#azure-secrets) + - [Configure Azure Authentication](#configure-azure-authentication) + - [Create Secrets](#create-secrets) + - [Running the Build workflow](#running-the-build-workflow) ## Getting Started -Before you start the `build` GitHub Action workflow, you need to create the following Secrets within -[GitHub Settings](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets): +Before the [`build`](./.github/workflows/build.yml) GitHub Action workflow can be run, authentication needs to be +configured for Azure. -### Assumptions +### Configure Azure Authentication - +1. [Create a Service Principal with a Client Secret](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_client_secret#creating-the-application-and-service-principal). -- Configure Azure Service Principle for Terraform, and grant permission to manage AAD: -https://www.terraform.io/docs/providers/azuread/guides/service_principal_configuration.html#granting-administrator-permissions +1. 
[Grant permissions to manage Azure Active Directory](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_configuration#azure-active-directory-permissions). -These API permissions are required for your Terraform Service Principle: +### Create Secrets -**Azure Active Directory Graph** -Application Permissions: +Once Azure authentication has been configured, the Service Principle credential values can be [passed as environment variables](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_client_secret#configuring-the-service-principal-in-terraform). -1. Application.ReadWrite.All - Read and write all applications -1. Directory.Read.All - Read directory data - -Delegated Permissions: - -1. User.Read - Sign in and read user profile - -### Azure Secrets - - +[Use these instructions](https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository) to create the following secrets for your repository: - `ARM_CLIENT_ID` - `ARM_CLIENT_SECRET` - `ARM_SUBSCRIPTION_ID` - `ARM_TENANT_ID` + +### Running the Build workflow + +Now that Azure authentication has been configured with coresponding secrets, the build workflow is ready to be run: + +1. Navigate to the [build workflow](/actions?query=workflow%3Abuild). +1. Click the `Run workflow` drop-down button. +1. Select the desired branch. +1. Click the `Run workflow` button. From e9527f76c4b685953377d60801977f84c36096dc Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 8 Dec 2020 08:34:00 +0000 Subject: [PATCH 018/121] Fixed README --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f4015e2..f933608 100644 --- a/README.md +++ b/README.md 
@@ -3,10 +3,10 @@ [![Build environment](https://github.com/adamrushuk/aks-nexus-velero/workflows/build/badge.svg)](https://github.com/adamrushuk/aks-nexus-velero/actions?query=workflow%3A%22build) -This is the main repo I use to test Kubernetes / DevOps applications, products, and processes. It's basically my +This is the main repo I use to test Kubernetes / DevOps applications, products, and processes. It's essentially my playground in Azure. -I started off with a Kubernetes cluster, Nexus Repository OSS, and Velero for backups, but there's *loads* more +I started off with a Kubernetes cluster, Nexus Repository OSS, and Velero for backups, but there are *loads* more being used now. @@ -41,7 +41,7 @@ Once Azure authentication has been configured, the Service Principle credential ### Running the Build workflow -Now that Azure authentication has been configured with coresponding secrets, the build workflow is ready to be run: +Now that Azure authentication has been configured with corresponding secrets, the build workflow is ready to be run: 1. Navigate to the [build workflow](/actions?query=workflow%3Abuild). 1. Click the `Run workflow` drop-down button. From b2fdcaaa28f3aa10ca086ba09d6e0d040d1e51e9 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 8 Dec 2020 08:45:46 +0000 Subject: [PATCH 019/121] Changed relative link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f933608..9385d6e 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ Once Azure authentication has been configured, the Service Principle credential Now that Azure authentication has been configured with corresponding secrets, the build workflow is ready to be run: -1. Navigate to the [build workflow](/actions?query=workflow%3Abuild). +1. Navigate to the [build workflow](../../actions?query=workflow%3Abuild). 1. Click the `Run workflow` drop-down button. 1. Select the desired branch. 1. Click the `Run workflow` button. 
From 2b8bb0fe571890340c8f711e363ad45e03097bd1 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 8 Dec 2020 09:10:36 +0000 Subject: [PATCH 020/121] Added Destroy section --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 9385d6e..38efc06 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ being used now. - [Configure Azure Authentication](#configure-azure-authentication) - [Create Secrets](#create-secrets) - [Running the Build workflow](#running-the-build-workflow) + - [Running the Destroy workflow](#running-the-destroy-workflow) ## Getting Started @@ -47,3 +48,13 @@ Now that Azure authentication has been configured with corresponding secrets, th 1. Click the `Run workflow` drop-down button. 1. Select the desired branch. 1. Click the `Run workflow` button. + +### Running the Destroy workflow + +There will be ongoing costs if the environment is left running, so to avoid unexpected bills the destroy workflow +should be run once testing has been completed: + +1. Navigate to the [destroy workflow](../../actions?query=workflow%3Adestroy). +1. Click the `Run workflow` drop-down button. +1. Select the desired branch. +1. Click the `Run workflow` button. From 46bc777bf23cf38ef04dc4f879433edccbe41cd6 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Dec 2020 07:51:14 +0000 Subject: [PATCH 021/121] Debug conditional step --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b18ff0a..25c0a3a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -307,7 +307,7 @@ jobs: # Velero CLI - name: Test Velero CLI - if: ${{ env.VELERO_ENABLED == true }} + if: env.VELERO_ENABLED == true run: | az aks get-credentials --resource-group "${{ env.AKS_RG_NAME }}" --name "${{ env.AKS_CLUSTER_NAME }}" --overwrite-existing --admin From cc12f3d58c88bb562e2bf766d703cbca10b1400d Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Thu, 10 Dec 2020 07:59:28 +0000 Subject: [PATCH 022/121] Debug conditional step --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 25c0a3a..1b9bfb1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -307,7 +307,7 @@ jobs: # Velero CLI - name: Test Velero CLI - if: env.VELERO_ENABLED == true + if: env.VELERO_ENABLED == "true" run: | az aks get-credentials --resource-group "${{ env.AKS_RG_NAME }}" --name "${{ env.AKS_CLUSTER_NAME }}" --overwrite-existing --admin From 77d14683b8fe4898c96484b7e8a8d994551d5ae0 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Dec 2020 08:14:09 +0000 Subject: [PATCH 023/121] Debug conditional step --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1b9bfb1..b3060c8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -307,7 +307,9 @@ jobs: # Velero CLI - name: Test Velero CLI - if: env.VELERO_ENABLED == "true" + # NOTE: Some functions cast values to a string to perform comparisons + # https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions#functions + if: env.VELERO_ENABLED == 'true' run: | az aks get-credentials --resource-group "${{ env.AKS_RG_NAME }}" --name "${{ env.AKS_CLUSTER_NAME }}" --overwrite-existing --admin From dba92c2f8674638a92a898c215d0aa156fd0a4f5 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Dec 2020 08:31:17 +0000 Subject: [PATCH 024/121] Fixed boolean comparison for Windows job --- .github/workflows/build.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b3060c8..f2a1cbd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -291,10 +291,12 @@ jobs: - uses: actions/checkout@v2 # Init tasks - inc Env var concatenation + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#environment-files - name: Init tasks - inc Env var concatenation (Workaround) + # * NOTE: different syntax required for Windows agents run: | - echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV - echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV + echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append + echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append # Login - name: Login to Azure @@ -309,6 +311,7 @@ jobs: - name: Test Velero CLI # NOTE: Some functions cast values to a string to perform comparisons # https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions#functions + # ! WARNING: only single quotes work for boolean comparison if: env.VELERO_ENABLED == 'true' run: | az aks get-credentials --resource-group "${{ env.AKS_RG_NAME }}" --name "${{ env.AKS_CLUSTER_NAME }}" --overwrite-existing --admin From 8000b78b5c7de9afddefef507d47c1c9ee976de8 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Dec 2020 08:45:37 +0000 Subject: [PATCH 025/121] Debug win job --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f2a1cbd..e370d22 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -295,8 +295,8 @@ jobs: - name: Init tasks - inc Env var concatenation (Workaround) # * NOTE: different syntax required for Windows agents run: | - echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append + echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append # Login - name: Login to Azure From a7523fd0ab75bbed1952a23cfea347e9be582985 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Dec 2020 08:52:00 +0000 Subject: [PATCH 026/121] Debug win job --- .github/workflows/build.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e370d22..de5b439 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -295,8 +295,9 @@ jobs: - name: Init tasks - inc Env var concatenation (Workaround) # * NOTE: different syntax required for Windows agents run: | - echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append - echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" + echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" + # Login - name: Login to Azure @@ -314,6 +315,8 @@ jobs: # ! WARNING: only single quotes work for boolean comparison if: env.VELERO_ENABLED == 'true' run: | + ls env: + az aks get-credentials --resource-group "${{ env.AKS_RG_NAME }}" --name "${{ env.AKS_CLUSTER_NAME }}" --overwrite-existing --admin echo "`nVelero version info:" 
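Review bot: `ls env:` added at the top of the Test Velero CLI step writes every environment variable on the runner into the job log. GitHub masks values registered as repository secrets, but not values derived from them or credentials that reached the environment by other routes, and the log is visible to anyone who can read the workflow run. If the aim is to confirm that the Windows env-file workaround took effect, print only the variables under test, `Write-Host "AKS_RG_NAME=$env:AKS_RG_NAME"`, and drop the line before merging. The step's run block continues outside the hunk.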
From 3c6ea78bf54a773b6a729e50c7aa84237e6b5347 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Dec 2020 09:02:16 +0000 Subject: [PATCH 027/121] Debug win job --- .github/workflows/build.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index de5b439..b487e55 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -313,10 +313,8 @@ jobs: # NOTE: Some functions cast values to a string to perform comparisons # https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions#functions # ! WARNING: only single quotes work for boolean comparison - if: env.VELERO_ENABLED == 'true' + if: env.VELERO_ENABLED == 'false' run: | - ls env: - az aks get-credentials --resource-group "${{ env.AKS_RG_NAME }}" --name "${{ env.AKS_CLUSTER_NAME }}" --overwrite-existing --admin echo "`nVelero version info:" From 267abbc29f773ff3a96e56526c4653b9a7eada0f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Dec 2020 09:10:24 +0000 Subject: [PATCH 028/121] Fixed win job --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b487e55..d38880d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -313,7 +313,7 @@ jobs: # NOTE: Some functions cast values to a string to perform comparisons # https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions#functions # ! WARNING: only single quotes work for boolean comparison - if: env.VELERO_ENABLED == 'false' + if: env.VELERO_ENABLED == 'true' run: | az aks get-credentials --resource-group "${{ env.AKS_RG_NAME }}" --name "${{ env.AKS_CLUSTER_NAME }}" --overwrite-existing --admin From 0850e4c0b8e8e1bb8a513f00cffe9b78daf12025 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Thu, 10 Dec 2020 09:14:14 +0000 Subject: [PATCH 029/121] Added fix comment --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d38880d..8e8ed99 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -294,6 +294,7 @@ jobs: # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#environment-files - name: Init tasks - inc Env var concatenation (Workaround) # * NOTE: different syntax required for Windows agents + # ! Docs say to use "$env:GITHUB_PATH", but only "$env:GITHUB_ENV" worked for me run: | echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" From e480ee3329bd60d92bdec567df21246c4c91947b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 12 Dec 2020 12:55:16 +0000 Subject: [PATCH 030/121] Changed node size to Standard_D2_v2 --- terraform/variables.tf | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 5625a2c..752a18e 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -177,8 +177,14 @@ variable "agent_pool_profile_name" { } variable "agent_pool_profile_vm_size" { + # Standard_D2s_v3 + # 2 x CPU, 8GB RAM, 4 x Data Disks # https://docs.microsoft.com/en-us/azure/virtual-machines/dv3-dsv3-series#dsv3-series - default = "Standard_D2s_v3" + + # Standard_DS2_v2 + # 2 x CPU, 7GB RAM, 8 x Data Disks + # https://docs.microsoft.com/en-us/azure/virtual-machines/dv2-dsv2-series?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#dsv2-series + default = "Standard_D2_v2" } variable "agent_pool_profile_os_type" { From f2cacbae5133d460ff87526afaacd8cddbf1c144 Mon Sep 17 00:00:00 2001 
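Review bot: The new comment on the Init tasks step misreads the documentation it links: the environment-files page uses `GITHUB_ENV` for setting environment variables and reserves `GITHUB_PATH` for prepending directories to PATH, so `$env:GITHUB_ENV` working is the documented behaviour rather than a deviation from it. Replace the comment with `# env vars are appended to $env:GITHUB_ENV; $env:GITHUB_PATH only prepends to PATH` so the next reader is not sent looking for a documentation bug. The step's run block continues outside the hunk.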
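Review bot: The comment block added above `default = "Standard_D2_v2"` is headed `Standard_DS2_v2`, which is a different SKU: the `s` suffix marks premium-storage support, so the comment names a size other than the one being deployed. Either set `default = "Standard_DS2_v2"` if the described size is the intended one, or retitle the block `# Standard_D2_v2` and point the link at the Dv2 table rather than the DSv2 one. The variable block is fully inside the hunk.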
From: Adam Rush Date: Sat, 12 Dec 2020 12:55:58 +0000 Subject: [PATCH 031/121] Added max_pods 90 --- terraform/aks.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index b6bdf8c..8b11a39 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -71,8 +71,9 @@ module "aks" { count = var.agent_pool_node_count vm_size = var.agent_pool_profile_vm_size enable_auto_scaling = var.agent_pool_enable_auto_scaling - min_count = var.agent_pool_node_min_count max_count = var.agent_pool_node_max_count + max_pods = 90 + min_count = var.agent_pool_node_min_count os_disk_size_gb = var.agent_pool_profile_disk_size_gb } From ed8eb7937b43aeeac1f002b3aec2a60f0d9c9215 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 12 Dec 2020 18:35:12 +0000 Subject: [PATCH 032/121] Changed vm size to Standard_D4s_v3 --- terraform/variables.tf | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 752a18e..9f87bde 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -177,14 +177,18 @@ variable "agent_pool_profile_name" { } variable "agent_pool_profile_vm_size" { - # Standard_D2s_v3 + # https://azureprice.net/?region=ukwest¤cy=GBP + # Standard_D2s_v3 - £0.086455 per hour # 2 x CPU, 8GB RAM, 4 x Data Disks # https://docs.microsoft.com/en-us/azure/virtual-machines/dv3-dsv3-series#dsv3-series - # Standard_DS2_v2 + # Standard_DS2_v2 - £0.130429 per hour # 2 x CPU, 7GB RAM, 8 x Data Disks # https://docs.microsoft.com/en-us/azure/virtual-machines/dv2-dsv2-series?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#dsv2-series - default = "Standard_D2_v2" + + # Standard_D4s_v3 - £0.172911 per hour + # 4 x CPU, 16GB RAM, 8 x Data Disks + default = "Standard_D4s_v3" } variable "agent_pool_profile_os_type" { From 63e5424d16bbc71f3eb894ca1c68ff8a9e5c7673 Mon Sep 17 00:00:00 2001 
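Review bot: `max_pods = 90` is the only literal in a default_node_pool block whose other settings all come from `var.agent_pool_*`, and nothing records why 90 was chosen. Consider `max_pods = var.agent_pool_max_pods` with a variable defaulting to 90 and a one-line description, which keeps the pool tunable per environment like its siblings. The module block starts and ends outside the hunk.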
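Review bot: The pricing link in the new comment appears as `https://azureprice.net/?region=ukwest¤cy=GBP`: the `&curren` prefix of `&currency` has been decoded as the HTML entity for `¤`, either in the commit or in this rendering, so the URL no longer carries the currency parameter. Check the committed file and write it as `# https://azureprice.net/?region=ukwest&currency=GBP`. The quoted prices are a snapshot, so a `# prices as of Dec 2020` qualifier would stop them reading as current.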
From: Adam Rush Date: Sat, 12 Dec 2020 18:44:55 +0000 Subject: [PATCH 033/121] use one availability zone to reduce volume node affinity conflicts during testing --- terraform/aks.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/aks.tf b/terraform/aks.tf index 8b11a39..d2f00e7 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -69,6 +69,8 @@ module "aks" { default_node_pool = { name = var.agent_pool_profile_name count = var.agent_pool_node_count + # use one availability zone to reduce volume node affinity conflicts during testing + availability_zones = [1] vm_size = var.agent_pool_profile_vm_size enable_auto_scaling = var.agent_pool_enable_auto_scaling max_count = var.agent_pool_node_max_count From 711e9bd9f71fdd4e19346cacea3abee01f9151a4 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 12 Dec 2020 18:45:18 +0000 Subject: [PATCH 034/121] Added comment for Standard_F8s_v2 --- terraform/variables.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/terraform/variables.tf b/terraform/variables.tf index 9f87bde..aab47e7 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -188,6 +188,9 @@ variable "agent_pool_profile_vm_size" { # Standard_D4s_v3 - £0.172911 per hour # 4 x CPU, 16GB RAM, 8 x Data Disks + + # Standard_F8s_v2 - £0.301104 per hour + # 8 x CPU, 16GB RAM, 16 x Data Disks default = "Standard_D4s_v3" } From 51eed7d5a888230b15b65f17a9a497a924126625 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 13 Dec 2020 07:14:53 +0000 Subject: [PATCH 035/121] Changed aks module to v0.4.2 --- terraform/aks.tf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index d2f00e7..70d4eae 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf 
@@ -54,7 +54,7 @@ resource "azurerm_log_analytics_solution" "aks" { # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest module "aks" { source = "adamrushuk/aks/azurerm" - version = "0.4.1" + version = "0.4.2" kubernetes_version = var.kubernetes_version location = azurerm_resource_group.aks.location @@ -69,8 +69,7 @@ module "aks" { default_node_pool = { name = var.agent_pool_profile_name count = var.agent_pool_node_count - # use one availability zone to reduce volume node affinity conflicts during testing - availability_zones = [1] + # availability_zones = null vm_size = var.agent_pool_profile_vm_size enable_auto_scaling = var.agent_pool_enable_auto_scaling max_count = var.agent_pool_node_max_count From 3300433fa41ecc26c03d3a68c5903eb25f5d56b9 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 16 Dec 2020 11:27:40 +0000 Subject: [PATCH 036/121] Added dev container --- .devcontainer/Dockerfile | 63 +++- .devcontainer/devcontainer.json | 48 ++- .devcontainer/library-scripts/README.md | 5 + .devcontainer/library-scripts/azcli-debian.sh | 33 ++ .../library-scripts/common-debian.sh | 341 ++++++++++++++++++ .../library-scripts/docker-debian.sh | 181 ++++++++++ .devcontainer/library-scripts/node-debian.sh | 124 +++++++ .../library-scripts/terraform-debian.sh | 54 +++ 8 files changed, 827 insertions(+), 22 deletions(-) create mode 100644 .devcontainer/library-scripts/README.md create mode 100644 .devcontainer/library-scripts/azcli-debian.sh create mode 100644 .devcontainer/library-scripts/common-debian.sh create mode 100644 .devcontainer/library-scripts/docker-debian.sh create mode 100644 .devcontainer/library-scripts/node-debian.sh create mode 100644 .devcontainer/library-scripts/terraform-debian.sh diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 4abedb2..a736c31 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile 
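Review bot: The second hunk replaces the availability_zones setting with the commented-out line `# availability_zones = null` and no explanation, which reads as dead code rather than a decision. If the 0.4.2 module now defaults this, delete the line; if single-zone placement is still wanted for testing, keep the earlier comment explaining why together with the value that implements it. The module block starts and ends outside the hunk.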
@@ -1,6 +1,59 @@ -# Find the Dockerfile for mcr.microsoft.com/azure-functions/powershell:3.0-powershell${VARIANT}-core-tools at this URL -# https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/powershell +# azure-terraform image +# +# reference: +# https://github.com/microsoft/vscode-dev-containers +# https://hub.docker.com/_/microsoft-vscode-devcontainers +# https://github.com/microsoft/vscode-dev-containers/blob/master/containers/azure-terraform/.devcontainer/Dockerfile -# Update the VARIANT arg in devcontainer.json to pick a supported PowerShell version: 7, 6 -ARG VARIANT=7 -FROM mcr.microsoft.com/azure-functions/powershell:3.0-powershell${VARIANT}-core-tools + +# You can pick any Debian/Ubuntu-based image. 😊 +FROM mcr.microsoft.com/vscode/devcontainers/base:ubuntu-18.04 + +COPY library-scripts/*.sh /tmp/library-scripts/ + +# [Option] Install zsh +ARG INSTALL_ZSH="true" +# [Option] Upgrade OS packages to their latest versions +ARG UPGRADE_PACKAGES="false" + +# Install needed packages and setup non-root user. Use a separate RUN statement to add your own dependencies. 
+ARG USERNAME=vscode +ARG USER_UID=1000 +ARG USER_GID=$USER_UID +RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \ + && bash /tmp/library-scripts/common-debian.sh "${INSTALL_ZSH}" "${USERNAME}" "${USER_UID}" "${USER_GID}" "${UPGRADE_PACKAGES}" \ + && apt-get install -y graphviz \ + && apt-get clean -y && rm -rf /var/lib/apt/lists/* + +# [Option] Install Azure CLI +ARG INSTALL_AZURE_CLI="true" +# [Option] Install Docker CLI +ARG INSTALL_DOCKER="true" +# [Option] Install Node.js +ARG INSTALL_NODE="true" +ARG NODE_VERSION="lts/*" +ENV NVM_DIR=/usr/local/share/nvm +ENV NVM_SYMLINK_CURRENT=true \ + PATH=${NVM_DIR}/current/bin:${PATH} +RUN if [ "${INSTALL_AZURE_CLI}" = "true" ]; then bash /tmp/library-scripts/azcli-debian.sh; fi \ + && if [ "${INSTALL_NODE}" = "true" ]; then bash /tmp/library-scripts/node-debian.sh "${NVM_DIR}" "${NODE_VERSION}" "${USERNAME}"; fi \ + && if [ "${INSTALL_DOCKER}" = "true" ]; then \ + bash /tmp/library-scripts/docker-debian.sh "true" "/var/run/docker-host.sock" "/var/run/docker.sock" "${USERNAME}"; \ + else \ + echo '#!/bin/bash\n"$@"' > /usr/local/share/docker-init.sh && chmod +x /usr/local/share/docker-init.sh; \ + fi \ + && rm -rf /var/lib/apt/lists/* + +# Install Terraform, tflint +ARG TERRAFORM_VERSION=0.12.29 +ARG TFLINT_VERSION=0.18.0 +RUN bash /tmp/library-scripts/terraform-debian.sh "${TERRAFORM_VERSION}" "${TFLINT_VERSION}" \ + && rm -rf /tmp/library-scripts + + +ENTRYPOINT [ "/usr/local/share/docker-init.sh" ] +CMD [ "sleep", "infinity" ] + +# [Optional] Uncomment this section to install additional OS packages. +# RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \ +# && apt-get -y install --no-install-recommends diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index a0f5362..e2470cd 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
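Review bot: `ARG TFLINT_VERSION=0.18.0` defaults to a different tflint release than the `"TFLINT_VERSION": "0.22.0"` build arg in devcontainer.json, so a plain `docker build` of this Dockerfile installs 0.18.0 while VS Code installs 0.22.0; align the default, `ARG TFLINT_VERSION=0.22.0`, or drop one of the two. The azcli-debian.sh step it invokes imports Microsoft's signing key with `apt-key add`, which trusts that key for every apt source rather than only the azure-cli repository; a keyring file referenced with `signed-by=` in the sources entry is the narrower form and worth tracking even though the script is vendored. The trailing commented `apt-get` section is template boilerplate and can be removed.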
@@ -1,31 +1,45 @@ // For format details, see https://aka.ms/vscode-remote/devcontainer.json or this file's README at: -// https://github.com/microsoft/vscode-dev-containers/blob/master/containers/azure-functions-pwsh/README.md +// https://github.com/microsoft/vscode-dev-containers/blob/master/containers/azure-terraform/.devcontainer/devcontainer.json { - "name": "Azure Functions & PowerShell", + "name": "Azure Terraform (Community)", "build": { "dockerfile": "Dockerfile", "args": { - // Update the VARIANT arg to pick a supported PowerShell version: 7, 6 - "VARIANT": "7" + "TERRAFORM_VERSION": "0.12.29", + "TFLINT_VERSION": "0.22.0", + "INSTALL_AZURE_CLI": "true", + "INSTALL_DOCKER": "true", + "INSTALL_NODE": "true" } }, - "forwardPorts": [ 7071 ], - "mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ], - + "mounts": [ + "source=/var/run/docker.sock,target=/var/run/docker-host.sock,type=bind" + ], + "overrideCommand": false, // Set *default* container specific settings.json values on container create. "settings": { - "terminal.integrated.shell.linux": "/usr/bin/pwsh" + "terminal.integrated.shell.linux": "/bin/bash" }, - // Add the IDs of extensions you want installed when the container is created. "extensions": [ - "ms-azuretools.vscode-azurefunctions", - "ms-vscode.powershell" - ] - + "hashicorp.terraform", + "ms-azuretools.vscode-azureterraform", + "ms-vscode.azurecli", + "ms-azuretools.vscode-docker", + "aaron-bond.better-comments", + "coenraads.bracket-pair-colorizer-2", + "eamodio.gitlens", + "ms-kubernetes-tools.vscode-kubernetes-tools", + "yzhang.markdown-all-in-one", + "davidanson.vscode-markdownlint", + "ziyasal.vscode-open-in-github", + "ms-vscode.powershell", + "redhat.vscode-yaml", + ], + // Use 'forwardPorts' to make a list of ports inside the container available locally. + // "forwardPorts": [], // Use 'postCreateCommand' to run commands after the container is created. 
- // "postCreateCommand": "dotnet restore", - - // Uncomment to connect as a non-root user. See https://aka.ms/vscode-remote/containers/non-root. - // "remoteUser": "vscode" + // "postCreateCommand": "terraform --version", + // Comment out connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root. + "remoteUser": "vscode" } diff --git a/.devcontainer/library-scripts/README.md b/.devcontainer/library-scripts/README.md new file mode 100644 index 0000000..ab8a66d --- /dev/null +++ b/.devcontainer/library-scripts/README.md @@ -0,0 +1,5 @@ +# Warning: Folder contents may be replaced + +The contents of this folder will be automatically replaced with a file of the same name in the repository's [script-library folder](https://github.com/microsoft/vscode-dev-containers/tree/master/script-library) whenever the repository is packaged. + +To retain your edits, move the file to a different location. You may also delete the files if they are not needed. diff --git a/.devcontainer/library-scripts/azcli-debian.sh b/.devcontainer/library-scripts/azcli-debian.sh new file mode 100644 index 0000000..b03dcb0 --- /dev/null +++ b/.devcontainer/library-scripts/azcli-debian.sh 
@@ -0,0 +1,33 @@ +#!/usr/bin/env bash +#------------------------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information. +#------------------------------------------------------------------------------------------------------------- +# +# Docs: https://github.com/microsoft/vscode-dev-containers/blob/master/script-library/docs/azcli.md +# +# Syntax: ./azcli-debian.sh + +set -e + +if [ "$(id -u)" -ne 0 ]; then + echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.' + exit 1 +fi + +export DEBIAN_FRONTEND=noninteractive + +# Install curl, apt-transport-https, lsb-release, or gpg if missing +if ! dpkg -s apt-transport-https curl ca-certificates lsb-release > /dev/null 2>&1 || ! type gpg > /dev/null 2>&1; then + if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then + apt-get update + fi + apt-get -y install --no-install-recommends apt-transport-https curl ca-certificates lsb-release gnupg2 +fi + +# Install the Azure CLI +echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/azure-cli.list +curl -sL https://packages.microsoft.com/keys/microsoft.asc | (OUT=$(apt-key add - 2>&1) || echo $OUT) +apt-get update +apt-get install -y azure-cli +echo "Done!" \ No newline at end of file diff --git a/.devcontainer/library-scripts/common-debian.sh b/.devcontainer/library-scripts/common-debian.sh new file mode 100644 index 0000000..f168ca2 --- /dev/null +++ b/.devcontainer/library-scripts/common-debian.sh 
@@ -0,0 +1,341 @@
+#!/usr/bin/env bash
+#-------------------------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
+#-------------------------------------------------------------------------------------------------------------
+#
+# Docs: https://github.com/microsoft/vscode-dev-containers/blob/master/script-library/docs/common.md
+#
+# Syntax: ./common-debian.sh [install zsh flag] [username] [user UID] [user GID] [upgrade packages flag] [install Oh My *! flag]
+
+INSTALL_ZSH=${1:-"true"}
+USERNAME=${2:-"automatic"}
+USER_UID=${3:-"automatic"}
+USER_GID=${4:-"automatic"}
+UPGRADE_PACKAGES=${5:-"true"}
+INSTALL_OH_MYS=${6:-"true"}
+
+set -e
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+ exit 1
+fi
+
+# Ensure that login shells get the correct path if the user updated the PATH using ENV.
+rm -f /etc/profile.d/00-restore-env.sh
+echo "export PATH=${PATH//$(sh -lc 'echo $PATH')/\${PATH}" > /etc/profile.d/00-restore-env.sh
+chmod +x /etc/profile.d/00-restore-env.sh
+
+# If in automatic mode, determine if a user already exists, if not use vscode
+if [ "${USERNAME}" = "auto" ] || [ "${USERNAME}" = "automatic" ]; then
+ USERNAME=""
+ POSSIBLE_USERS=("vscode" "node" "codespace" "$(awk -v val=1000 -F ":" '$3==val{print $1}' /etc/passwd)")
+ for CURRENT_USER in ${POSSIBLE_USERS[@]}; do
+ if id -u ${CURRENT_USER} > /dev/null 2>&1; then
+ USERNAME=${CURRENT_USER}
+ break
+ fi
+ done
+ if [ "${USERNAME}" = "" ]; then
+ USERNAME=vscode
+ fi
+elif [ "${USERNAME}" = "none" ]; then
+ USERNAME=root
+ USER_UID=0
+ USER_GID=0
+fi
+
+# Load markers to see which steps have already run
+MARKER_FILE="/usr/local/etc/vscode-dev-containers/common"
+if [ -f "${MARKER_FILE}" ]; then
+ echo "Marker file found:"
+ cat "${MARKER_FILE}"
+ source "${MARKER_FILE}"
+fi
+
+# Ensure apt is in non-interactive to avoid prompts
+export DEBIAN_FRONTEND=noninteractive
+
+# Function to call apt-get if needed
+apt-get-update-if-needed()
+{
+ if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then
+ echo "Running apt-get update..."
+ apt-get update
+ else
+ echo "Skipping apt-get update."
+ fi +} + +# Run install apt-utils to avoid debconf warning then verify presence of other common developer tools and dependencies +if [ "${PACKAGES_ALREADY_INSTALLED}" != "true" ]; then + apt-get-update-if-needed + + PACKAGE_LIST="apt-utils \ + git \ + openssh-client \ + gnupg2 \ + iproute2 \ + procps \ + lsof \ + htop \ + net-tools \ + psmisc \ + curl \ + wget \ + rsync \ + ca-certificates \ + unzip \ + zip \ + nano \ + vim-tiny \ + less \ + jq \ + lsb-release \ + apt-transport-https \ + dialog \ + libc6 \ + libgcc1 \ + libkrb5-3 \ + libgssapi-krb5-2 \ + libicu[0-9][0-9] \ + liblttng-ust0 \ + libstdc++6 \ + zlib1g \ + locales \ + sudo \ + ncdu \ + man-db \ + strace" + + # Install libssl1.1 if available + if [[ ! -z $(apt-cache --names-only search ^libssl1.1$) ]]; then + PACKAGE_LIST="${PACKAGE_LIST} libssl1.1" + fi + + # Install appropriate version of libssl1.0.x if available + LIBSSL=$(dpkg-query -f '${db:Status-Abbrev}\t${binary:Package}\n' -W 'libssl1\.0\.?' 2>&1 || echo '') + if [ "$(echo "$LIBSSL" | grep -o 'libssl1\.0\.[0-9]:' | uniq | sort | wc -l)" -eq 0 ]; then + if [[ ! -z $(apt-cache --names-only search ^libssl1.0.2$) ]]; then + # Debian 9 + PACKAGE_LIST="${PACKAGE_LIST} libssl1.0.2" + elif [[ ! -z $(apt-cache --names-only search ^libssl1.0.0$) ]]; then + # Ubuntu 18.04, 16.04, earlier + PACKAGE_LIST="${PACKAGE_LIST} libssl1.0.0" + fi + fi + + echo "Packages to verify are installed: ${PACKAGE_LIST}" + apt-get -y install --no-install-recommends ${PACKAGE_LIST} 2> >( grep -v 'debconf: delaying package configuration, since apt-utils is not installed' >&2 ) + + PACKAGES_ALREADY_INSTALLED="true" +fi + +# Get to latest versions of all packages +if [ "${UPGRADE_PACKAGES}" = "true" ]; then + apt-get-update-if-needed + apt-get -y upgrade --no-install-recommends + apt-get autoremove -y +fi + +# Ensure at least the en_US.UTF-8 UTF-8 locale is available. +# Common need for both applications and things like the agnoster ZSH theme. 
+if [ "${LOCALE_ALREADY_SET}" != "true" ] && ! grep -o -E '^\s*en_US.UTF-8\s+UTF-8' /etc/locale.gen > /dev/null; then + echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen + locale-gen + LOCALE_ALREADY_SET="true" +fi + +# Create or update a non-root user to match UID/GID. +if id -u ${USERNAME} > /dev/null 2>&1; then + # User exists, update if needed + if [ "${USER_GID}" != "automatic" ] && [ "$USER_GID" != "$(id -G $USERNAME)" ]; then + groupmod --gid $USER_GID $USERNAME + usermod --gid $USER_GID $USERNAME + fi + if [ "${USER_UID}" != "automatic" ] && [ "$USER_UID" != "$(id -u $USERNAME)" ]; then + usermod --uid $USER_UID $USERNAME + fi +else + # Create user + if [ "${USER_GID}" = "automatic" ]; then + groupadd $USERNAME + else + groupadd --gid $USER_GID $USERNAME + fi + if [ "${USER_UID}" = "automatic" ]; then + useradd -s /bin/bash --gid $USERNAME -m $USERNAME + else + useradd -s /bin/bash --uid $USER_UID --gid $USERNAME -m $USERNAME + fi +fi + +# Add add sudo support for non-root user +if [ "${USERNAME}" != "root" ] && [ "${EXISTING_NON_ROOT_USER}" != "${USERNAME}" ]; then + echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME + chmod 0440 /etc/sudoers.d/$USERNAME + EXISTING_NON_ROOT_USER="${USERNAME}" +fi + +# ** Shell customization section ** +if [ "${USERNAME}" = "root" ]; then + USER_RC_PATH="/root" +else + USER_RC_PATH="/home/${USERNAME}" +fi + +# .bashrc/.zshrc snippet +RC_SNIPPET="$(cat << EOF +export USER=\$(whoami) + +export PATH=\$PATH:\$HOME/.local/bin +EOF +)" + +# code shim, it fallbacks to code-insiders if code is not available +cat << 'EOF' > /usr/local/bin/code +#!/bin/sh + +get_in_path_except_current() { + which -a "$1" | grep -v "$0" | head -1 +} + +code="$(get_in_path_except_current code)" + +if [ -n "$code" ]; then + exec "$code" "$@" +elif [ "$(command -v code-insiders)" ]; then + exec code-insiders "$@" +else + echo "code or code-insiders is not installed" >&2 + exit 127 +fi +EOF +chmod +x /usr/local/bin/code + +# Codespaces themes - 
partly inspired by https://github.com/ohmyzsh/ohmyzsh/blob/master/themes/robbyrussell.zsh-theme +CODESPACES_BASH="$(cat \ +<&1 + echo -e "$(cat "${TEMPLATE}")\nDISABLE_AUTO_UPDATE=true\nDISABLE_UPDATE_PROMPT=true" > ${USER_RC_FILE} + if [ "${OH_MY}" = "bash" ]; then + sed -i -e 's/OSH_THEME=.*/OSH_THEME="codespaces"/g' ${USER_RC_FILE} + mkdir -p ${OH_MY_INSTALL_DIR}/custom/themes/codespaces + echo "${CODESPACES_BASH}" > ${OH_MY_INSTALL_DIR}/custom/themes/codespaces/codespaces.theme.sh + else + sed -i -e 's/ZSH_THEME=.*/ZSH_THEME="codespaces"/g' ${USER_RC_FILE} + mkdir -p ${OH_MY_INSTALL_DIR}/custom/themes + echo "${CODESPACES_ZSH}" > ${OH_MY_INSTALL_DIR}/custom/themes/codespaces.zsh-theme + fi + # Shrink git while still enabling updates + cd ${OH_MY_INSTALL_DIR} + git repack -a -d -f --depth=1 --window=1 + + if [ "${USERNAME}" != "root" ]; then + cp -rf ${USER_RC_FILE} ${OH_MY_INSTALL_DIR} /root + chown -R ${USERNAME}:${USERNAME} ${USER_RC_PATH} + fi +} + +if [ "${RC_SNIPPET_ALREADY_ADDED}" != "true" ]; then + echo "${RC_SNIPPET}" >> /etc/bash.bashrc + RC_SNIPPET_ALREADY_ADDED="true" +fi +install-oh-my bash bashrc.osh-template https://github.com/ohmybash/oh-my-bash + +# Optionally install and configure zsh and Oh My Zsh! +if [ "${INSTALL_ZSH}" = "true" ]; then + if ! type zsh > /dev/null 2>&1; then + apt-get-update-if-needed + apt-get install -y zsh + fi + if [ "${ZSH_ALREADY_INSTALLED}" != "true" ]; then + echo "${RC_SNIPPET}" >> /etc/zsh/zshrc + ZSH_ALREADY_INSTALLED="true" + fi + install-oh-my zsh zshrc.zsh-template https://github.com/ohmyzsh/ohmyzsh +fi + +# Write marker file +mkdir -p "$(dirname "${MARKER_FILE}")" +echo -e "\ + PACKAGES_ALREADY_INSTALLED=${PACKAGES_ALREADY_INSTALLED}\n\ + LOCALE_ALREADY_SET=${LOCALE_ALREADY_SET}\n\ + EXISTING_NON_ROOT_USER=${EXISTING_NON_ROOT_USER}\n\ + RC_SNIPPET_ALREADY_ADDED=${RC_SNIPPET_ALREADY_ADDED}\n\ + ZSH_ALREADY_INSTALLED=${ZSH_ALREADY_INSTALLED}" > "${MARKER_FILE}" + +echo "Done!" 
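Review bot: The sudoers drop-in written by `echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME` grants the auto-detected user unrestricted passwordless root and is written without a syntax check, so a username that sudoers cannot parse (it comes from the script argument or from uid 1000 in /etc/passwd) would break sudo for the whole image rather than just this user. I would write the file to a temporary path, validate it with `visudo -cf "$TMP"` before moving it into place, and state in the header comment that the dev user is root-equivalent so image consumers are not surprised. `source "${MARKER_FILE}"` executes whatever is stored under /usr/local/etc/vscode-dev-containers/common as root; the path is root-owned here, but a comment that the marker file is trusted code rather than data would help the next maintainer. Part of this hunk (the Codespaces theme and install-oh-my section) is garbled in this view, so the git clone steps there are not covered by this note.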
diff --git a/.devcontainer/library-scripts/docker-debian.sh b/.devcontainer/library-scripts/docker-debian.sh
new file mode 100644
index 0000000..d8ad895
--- /dev/null
+++ b/.devcontainer/library-scripts/docker-debian.sh
@@ -0,0 +1,181 @@
+#!/usr/bin/env bash
+#-------------------------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
+#-------------------------------------------------------------------------------------------------------------
+#
+# Docs: https://github.com/microsoft/vscode-dev-containers/blob/master/script-library/docs/docker.md
+#
+# Syntax: ./docker-debian.sh [enable non-root docker socket access flag] [source socket] [target socket] [non-root user] [use moby]
+
+ENABLE_NONROOT_DOCKER=${1:-"true"}
+SOURCE_SOCKET=${2:-"/var/run/docker-host.sock"}
+TARGET_SOCKET=${3:-"/var/run/docker.sock"}
+USERNAME=${4:-"automatic"}
+USE_MOBY=${5:-"true"}
+
+set -e
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+ exit 1
+fi
+
+# Determine the appropriate non-root user
+if [ "${USERNAME}" = "auto" ] || [ "${USERNAME}" = "automatic" ]; then
+ USERNAME=""
+ POSSIBLE_USERS=("vscode" "node" "codespace" "$(awk -v val=1000 -F ":" '$3==val{print $1}' /etc/passwd)")
+ for CURRENT_USER in ${POSSIBLE_USERS[@]}; do
+ if id -u ${CURRENT_USER} > /dev/null 2>&1; then
+ USERNAME=${CURRENT_USER}
+ break
+ fi
+ done
+ if [ "${USERNAME}" = "" ]; then
+ USERNAME=root
+ fi
+elif [ "${USERNAME}" = "none" ] || ! id -u ${USERNAME} > /dev/null 2>&1; then
+ USERNAME=root
+fi
+
+# Function to run apt-get if needed
+apt-get-update-if-needed()
+{
+ if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then
+ echo "Running apt-get update..."
+ apt-get update
+ else
+ echo "Skipping apt-get update."
+ fi
+}
+
+# Ensure apt is in non-interactive to avoid prompts
+export DEBIAN_FRONTEND=noninteractive
+
+# Install apt-transport-https, curl, lsb-release, gpg if missing
+if ! dpkg -s apt-transport-https curl ca-certificates lsb-release > /dev/null 2>&1 || ! type gpg > /dev/null 2>&1; then
+ apt-get-update-if-needed
+ apt-get -y install --no-install-recommends apt-transport-https curl ca-certificates lsb-release gnupg2
+fi
+
+# Install Docker / Moby CLI if not already installed
+if type docker > /dev/null 2>&1; then
+ echo "Docker / Moby CLI already installed."
+else
+ if [ "${USE_MOBY}" = "true" ]; then
+ DISTRO=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
+ CODENAME=$(lsb_release -cs)
+ curl -s https://packages.microsoft.com/keys/microsoft.asc | (OUT=$(apt-key add - 2>&1) || echo $OUT)
+ echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-${DISTRO}-${CODENAME}-prod ${CODENAME} main" > /etc/apt/sources.list.d/microsoft.list
+ apt-get update
+ apt-get -y install --no-install-recommends moby-cli
+ else
+ curl -fsSL https://download.docker.com/linux/$(lsb_release -is | tr '[:upper:]' '[:lower:]')/gpg | (OUT=$(apt-key add - 2>&1) || echo $OUT)
+ echo "deb [arch=amd64] https://download.docker.com/linux/$(lsb_release -is | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list
+ apt-get update
+ apt-get -y install --no-install-recommends docker-ce-cli
+ fi
+fi
+
+# Install Docker Compose if not already installed
+if type docker-compose > /dev/null 2>&1; then
+ echo "Docker Compose already installed."
+else
+ LATEST_COMPOSE_VERSION=$(curl -sSL "https://api.github.com/repos/docker/compose/releases/latest" | grep -o -P '(?<="tag_name": ").+(?=")')
+ curl -sSL "https://github.com/docker/compose/releases/download/${LATEST_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+ chmod +x /usr/local/bin/docker-compose
+fi
+
+# If init file already exists, exit
+if [ -f "/usr/local/share/docker-init.sh" ]; then
+ exit 0
+fi
+
+# By default, make the source and target sockets the same
+if [ "${SOURCE_SOCKET}" != "${TARGET_SOCKET}" ]; then
+ touch "${SOURCE_SOCKET}"
+ ln -s "${SOURCE_SOCKET}" "${TARGET_SOCKET}"
+fi
+
+# Add a stub if not adding non-root user access, user is root
+if [ "${ENABLE_NONROOT_DOCKER}" = "false" ] || [ "${USERNAME}" = "root" ]; then
+ echo '/usr/bin/env bash -c "\$@"' > /usr/local/share/docker-init.sh
+ chmod +x /usr/local/share/docker-init.sh
+ exit 0
+fi
+
+# If enabling non-root access and specified user is found, setup socat and add script
+chown -h "${USERNAME}":root "${TARGET_SOCKET}"
+if ! dpkg -s socat > /dev/null 2>&1; then
+ apt-get-update-if-needed
+ apt-get -y install socat
+fi
+tee /usr/local/share/docker-init.sh > /dev/null \
+<< EOF
+#!/usr/bin/env bash
+#-------------------------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
+#-------------------------------------------------------------------------------------------------------------
+
+set -e
+
+SOCAT_PATH_BASE=/tmp/vscr-dind-socat
+SOCAT_LOG=\${SOCAT_PATH_BASE}.log
+SOCAT_PID=\${SOCAT_PATH_BASE}.pid
+
+# Wrapper function to only use sudo if not already root
+sudoIf()
+{
+ if [ "\$(id -u)" -ne 0 ]; then
+ sudo "\$@"
+ else
+ "\$@"
+ fi
+}
+
+# Log messages
+log()
+{
+ echo -e "[\$(date)] \$@" | sudoIf tee -a \${SOCAT_LOG} > /dev/null
+}
+
+echo -e "\n** \$(date) **" | sudoIf tee -a \${SOCAT_LOG} > /dev/null
+log "Ensuring ${USERNAME} has access to ${SOURCE_SOCKET} via ${TARGET_SOCKET}"
+
+# If enabled, try to add a docker group with the right GID. If the group is root,
+# fall back on using socat to forward the docker socket to another unix socket so
+# that we can set permissions on it without affecting the host.
+if [ "${ENABLE_NONROOT_DOCKER}" = "true" ] && [ "${SOURCE_SOCKET}" != "${TARGET_SOCKET}" ] && [ "${USERNAME}" != "root" ] && [ "${USERNAME}" != "0" ]; then
+ SOCKET_GID=\$(stat -c '%g' ${SOURCE_SOCKET})
+ if [ "\${SOCKET_GID}" != "0" ]; then
+ log "Adding user to group with GID \${SOCKET_GID}."
+ if [ "\$(cat /etc/group | grep :\${SOCKET_GID}:)" = "" ]; then
+ sudoIf groupadd --gid \${SOCKET_GID} docker-host
+ fi
+ # Add user to group if not already in it
+ if [ "\$(id ${USERNAME} | grep -E 'groups=.+\${SOCKET_GID}\(')" = "" ]; then
+ sudoIf usermod -aG \${SOCKET_GID} ${USERNAME}
+ fi
+ else
+ # Enable proxy if not already running
+ if [ ! -f "\${SOCAT_PID}" ] || ! ps -p \$(cat \${SOCAT_PID}) > /dev/null; then
+ log "Enabling socket proxy."
+ log "Proxying ${SOURCE_SOCKET} to ${TARGET_SOCKET} for vscode"
+ sudoIf rm -rf ${TARGET_SOCKET}
+ (sudoIf socat UNIX-LISTEN:${TARGET_SOCKET},fork,mode=660,user=${USERNAME} UNIX-CONNECT:${SOURCE_SOCKET} 2>&1 | sudoIf tee -a \${SOCAT_LOG} > /dev/null & echo "\$!" | sudoIf tee \${SOCAT_PID} > /dev/null)
+ else
+ log "Socket proxy already running."
+ fi
+ fi
+ log "Success"
+fi
+
+# Execute whatever commands were passed in (if any). This allows us
+# to set this script to ENTRYPOINT while still executing the default CMD.
+set +e
+exec "\$@"
+EOF
+chmod +x /usr/local/share/docker-init.sh
+chown ${USERNAME}:root /usr/local/share/docker-init.sh
+echo "Done!"
\ No newline at end of file
diff --git a/.devcontainer/library-scripts/node-debian.sh b/.devcontainer/library-scripts/node-debian.sh
new file mode 100644
index 0000000..4b5b856
--- /dev/null
+++ b/.devcontainer/library-scripts/node-debian.sh
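Review bot: The Docker Compose install in the `else` branch trusts two unverified network results: `LATEST_COMPOSE_VERSION` comes from an unauthenticated GitHub API call that returns an empty string when rate-limited or when the JSON layout differs, and the following `curl -sSL ... -o /usr/local/bin/docker-compose` has no `-f`, so the error body for `releases/download//docker-compose-...` is written to that path and then made executable by `chmod +x`. At minimum use `curl -fsSL` on both calls and abort on an empty version: `[ -n "${LATEST_COMPOSE_VERSION}" ] || { echo "Unable to determine docker-compose version" >&2; exit 1; }`. Pinning the version and comparing the download against the digest published with the release would make the image reproducible and let a tampered or truncated download fail closed. The generated docker-init.sh deliberately gives ${USERNAME} group or socat-proxied access to the host Docker socket, which is root-equivalent on the host; that is the script's documented purpose, but the header comment should state it so consumers of the image understand the trust boundary.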
@@ -0,0 +1,124 @@ +#!/bin/bash +#------------------------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information. +#------------------------------------------------------------------------------------------------------------- +# +# Docs: https://github.com/microsoft/vscode-dev-containers/blob/master/script-library/docs/node.md +# +# Syntax: ./node-debian.sh [directory to install nvm] [node version to install (use "none" to skip)] [non-root user] [Update rc files flag] + +export NVM_DIR=${1:-"/usr/local/share/nvm"} +export NODE_VERSION=${2:-"lts/*"} +USERNAME=${3:-"automatic"} +UPDATE_RC=${4:-"true"} + +set -e + +if [ "$(id -u)" -ne 0 ]; then + echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.' + exit 1 +fi + +# Ensure that login shells get the correct path if the user updated the PATH using ENV. +rm -f /etc/profile.d/00-restore-env.sh +echo "export PATH=${PATH//$(sh -lc 'echo $PATH')/\${PATH}" > /etc/profile.d/00-restore-env.sh +chmod +x /etc/profile.d/00-restore-env.sh + +# Determine the appropriate non-root user +if [ "${USERNAME}" = "auto" ] || [ "${USERNAME}" = "automatic" ]; then + USERNAME="" + POSSIBLE_USERS=("vscode" "node" "codespace" "$(awk -v val=1000 -F ":" '$3==val{print $1}' /etc/passwd)") + for CURRENT_USER in ${POSSIBLE_USERS[@]}; do + if id -u ${CURRENT_USER} > /dev/null 2>&1; then + USERNAME=${CURRENT_USER} + break + fi + done + if [ "${USERNAME}" = "" ]; then + USERNAME=root + fi +elif [ "${USERNAME}" = "none" ] || ! 
id -u ${USERNAME} > /dev/null 2>&1; then + USERNAME=root +fi + +if [ "${NODE_VERSION}" = "none" ]; then + export NODE_VERSION= +fi + +# Ensure apt is in non-interactive to avoid prompts +export DEBIAN_FRONTEND=noninteractive + +# Install curl, apt-transport-https, tar, or gpg if missing +if ! dpkg -s apt-transport-https curl ca-certificates tar > /dev/null 2>&1 || ! type gpg > /dev/null 2>&1; then + if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then + apt-get update + fi + apt-get -y install --no-install-recommends apt-transport-https curl ca-certificates tar gnupg2 +fi + +# Install yarn +if type yarn > /dev/null 2>&1; then + echo "Yarn already installed." +else + curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | (OUT=$(apt-key add - 2>&1) || echo $OUT) + echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list + apt-get update + apt-get -y install --no-install-recommends yarn +fi + +# Install the specified node version if NVM directory already exists, then exit +if [ -d "${NVM_DIR}" ]; then + echo "NVM already installed." + if [ "${NODE_VERSION}" != "" ]; then + su ${USERNAME} -c ". $NVM_DIR/nvm.sh && nvm install ${NODE_VERSION} && nvm clear-cache" + fi + exit 0 +fi + + +# Run NVM installer as non-root if needed +mkdir -p ${NVM_DIR} +chown ${USERNAME} ${NVM_DIR} +su ${USERNAME} -c "$(cat << EOF + set -e + + # Do not update profile - we'll do this manually + export PROFILE=/dev/null + + curl -so- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.3/install.sh | bash + source ${NVM_DIR}/nvm.sh + if [ "${NODE_VERSION}" != "" ]; then + nvm alias default ${NODE_VERSION} + fi + nvm clear-cache +EOF +)" 2>&1 + +if [ "${UPDATE_RC}" = "true" ]; then + echo "Updating /etc/bash.bashrc and /etc/zsh/zshrc with NVM scripts..." +(cat < /dev/null 2>&1; then + echo "Fixing permissions of \"\$NVM_DIR\"..." 
+ sudoIf chown -R ${USERNAME}:root \$NVM_DIR
+ else
+ echo "Warning: NVM directory is not owned by ${USERNAME} and sudo is not installed. Unable to correct permissions."
+ fi
+fi
+[ -s "\$NVM_DIR/nvm.sh" ] && . "\$NVM_DIR/nvm.sh"
+[ -s "\$NVM_DIR/bash_completion" ] && . "\$NVM_DIR/bash_completion"
+EOF
+) | tee -a /etc/bash.bashrc >> /etc/zsh/zshrc
+fi
+
+echo "Done!"
\ No newline at end of file
diff --git a/.devcontainer/library-scripts/terraform-debian.sh b/.devcontainer/library-scripts/terraform-debian.sh
new file mode 100644
index 0000000..dc1f8fb
--- /dev/null
+++ b/.devcontainer/library-scripts/terraform-debian.sh
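Review bot: The nvm install runs `curl -so- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.3/install.sh | bash` as ${USERNAME}: the tag is pinned but git tags are mutable, `-s` without `-f` means an HTTP error body is fed straight to bash, and nothing checks what was fetched before it executes. Running it as the non-root user does confine the blast radius to `${NVM_DIR}`, which is good; I would still add `-f`, and either pin to a commit SHA or download the script to a file and compare a known sha256 before running it. In the rc snippet, `sudoIf chown -R ${USERNAME}:root \$NVM_DIR` performs a recursive chown from every interactive shell whenever ownership drifts, which is a surprising place for that side effect; a comment explaining why it lives in bashrc rather than in this script would help. Part of this hunk is garbled in this view (around the `cat <<EOF` that opens the rc snippet), so the lines between the `su` block and this chown were not reviewed.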
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+#-------------------------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
+#-------------------------------------------------------------------------------------------------------------
+#
+# Docs: https://github.com/microsoft/vscode-dev-containers/blob/master/script-library/docs/terraform.md
+#
+# Syntax: ./terraform-debian.sh [terraform version] [tflint version]
+
+TERRAFORM_VERSION=${1:-"latest"}
+TFLINT_VERSION=${2:-"latest"}
+
+set -e
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+ exit 1
+fi
+
+if [ "${TERRAFORM_VERSION}" = "latest" ] || [ "${TERRAFORM_VERSION}" = "lts" ] || [ "${TERRAFORM_VERSION}" = "current" ]; then
+ TERRAFORM_VERSION=$(curl -sSL https://releases.hashicorp.com/terraform/ | grep -m1 -oE '>terraform_[0-9]+\.[0-9]+\.[0-9]+<' | sed 's/^>terraform_\(.*\)<$/\1/')
+fi
+
+if [ "${TFLINT_VERSION}" = "latest" ] || [ "${TFLINT_VERSION}" = "lts" ] || [ "${TFLINT_VERSION}" = "current" ]; then
+ LATEST_RELEASE=$(curl -sSL -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/terraform-linters/tflint/releases?per_page=1&page=1")
+ TFLINT_VERSION=$(echo ${LATEST_RELEASE} | grep -oE 'tag_name":\s*"v[^"]+' | sed -n '/tag_name":\s*"v/s///p')
+fi
+
+# Install curl, unzip if missing
+if ! dpkg -s curl ca-certificates unzip > /dev/null 2>&1; then
+ export DEBIAN_FRONTEND=noninteractive
+ if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then
+ apt-get update
+ fi
+ apt-get -y install --no-install-recommends curl ca-certificates unzip
+fi
+
+# Install Terraform, tflint
+echo "Downloading terraform..."
+mkdir -p /tmp/tf-downloads
+curl -sSL -o /tmp/tf-downloads/terraform.zip https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip
+unzip /tmp/tf-downloads/terraform.zip
+mv -f terraform /usr/local/bin/
+
+if [ "${TFLINT_VERSION}" != "none" ]; then
+ echo "Downloading tflint..."
+ curl -sSL -o /tmp/tf-downloads/tflint.zip https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/tflint_linux_amd64.zip
+ unzip /tmp/tf-downloads/tflint.zip
+ mv -f tflint /usr/local/bin/
+fi
+
+rm -rf /tmp/tf-downloads
+echo "Done!"
From 1c48f4953219c0d73e40d7f58e2a098082187fb5 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Thu, 17 Dec 2020 17:25:26 +0000
Subject: [PATCH 037/121] Fixed formatting
---
 terraform/aks.tf | 4 ++--
 terraform/function_app.tf | 4 ++--
 terraform/velero_mi_auth.tf | 10 +++++-----
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/terraform/aks.tf b/terraform/aks.tf
index 70d4eae..43d5548 100644
--- a/terraform/aks.tf
+++ b/terraform/aks.tf
@@ -67,8 +67,8 @@ module "aks" { # override defaults default_node_pool = { - name = var.agent_pool_profile_name - count = var.agent_pool_node_count + name = var.agent_pool_profile_name + count = var.agent_pool_node_count # availability_zones = null vm_size = var.agent_pool_profile_vm_size enable_auto_scaling = var.agent_pool_enable_auto_scaling
diff --git a/terraform/function_app.tf b/terraform/function_app.tf
index 9d870f1..4f2c484 100644
--- a/terraform/function_app.tf
+++ b/terraform/function_app.tf
@@ -36,8 +36,8 @@ data "azurerm_storage_account_sas" "func_app" { # expiry = formatdate("YYYY-MM-DD", timeadd(timestamp(), var.func_app_sas_expires_in_hours)) # hardcoded values to stop timestamp() affecting EVERY Terraform Plan - start = "2020-10-25" - expiry = "2022-01-01" + start = "2020-10-25" + expiry = "2022-01-01" resource_types { object = true
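Review bot: The Terraform and tflint binaries are downloaded and moved into /usr/local/bin with no integrity check, and `unzip /tmp/tf-downloads/terraform.zip` extracts into whatever directory the script was started from, which is where `mv -f terraform /usr/local/bin/` then happens to find it. HashiCorp publishes a `terraform_${TERRAFORM_VERSION}_SHA256SUMS` file next to each release zip, so the archive can be verified before installation, and tflint releases ship a checksums file that can be used the same way. Using `unzip -d /tmp/tf-downloads` keeps the temp directory self-contained so the final `rm -rf /tmp/tf-downloads` removes everything. The version scrape at the top yields an empty string if the listing page changes or curl fails silently, after which the download URL is malformed; `curl -fsSL` makes that fail at the download with a clear error instead of at unzip.
```shell
curl -fsSL -o /tmp/tf-downloads/terraform.zip "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip"
curl -fsSL -o /tmp/tf-downloads/terraform_SHA256SUMS "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS"
(cd /tmp/tf-downloads && grep "terraform_${TERRAFORM_VERSION}_linux_amd64.zip" terraform_SHA256SUMS | sha256sum -c -)
unzip -d /tmp/tf-downloads /tmp/tf-downloads/terraform.zip
mv -f /tmp/tf-downloads/terraform /usr/local/bin/
# … unchanged: tflint download block, rm -rf /tmp/tf-downloads, echo "Done!" …
```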
diff --git a/terraform/velero_mi_auth.tf b/terraform/velero_mi_auth.tf
index 4fd7b70..1e2e610 100644
--- a/terraform/velero_mi_auth.tf
+++ b/terraform/velero_mi_auth.tf
@@ -3,15 +3,15 @@ resource "azurerm_user_assigned_identity" "velero" { count = var.velero_enabled ? 1 : 0 resource_group_name = module.aks.node_resource_group location = var.location - name = "mi-velero" + name = "mi-velero" } # assign velero MI contributor rights to velero storage RG resource "azurerm_role_assignment" "velero_mi_velero_storage_rg" { - count = var.velero_enabled ? 1 : 0 - principal_id = azurerm_user_assigned_identity.velero[0].principal_id - role_definition_name = "Contributor" - scope = azurerm_resource_group.velero[0].id + count = var.velero_enabled ? 1 : 0 + principal_id = azurerm_user_assigned_identity.velero[0].principal_id + role_definition_name = "Contributor" + scope = azurerm_resource_group.velero[0].id } # assign velero MI contributor rights to velero storage RG
From a60e55c1bd4accb4e0dcc7f6fc5cb55303dde360 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Thu, 17 Dec 2020 17:36:02 +0000
Subject: [PATCH 038/121] Fixed formatting
---
 function_app/TimerTrigger1/readme.md | 2 +-
 .../Public/Edge/Get-CIEdgeSecurityCheck.ps1 | 32 +++++++++----------
 velero/velero.md | 2 +-
 3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/function_app/TimerTrigger1/readme.md b/function_app/TimerTrigger1/readme.md
index fa4456c..049c48d 100644
--- a/function_app/TimerTrigger1/readme.md
+++ b/function_app/TimerTrigger1/readme.md
@@ -25,7 +25,7 @@ Ensure you have a `local.settings.json` file with the following settings (replac Full instructions here: https://docs.microsoft.com/en-us/azure/azure-functions/functions-develop-vs-code?tabs=csharp#run-functions-locally -Ensure the [Azure Functions Core Tools are installed](https://docs.microsoft.com/en-us/azure/azure-functions/functions-run-local?tabs=windows%2Ccsharp%2Cbash#install-the-azure-functions-core-tools), +Ensure the [Azure Functions Core Tools are installed](https://docs.microsoft.com/en-us/azure/azure-functions/functions-run-local?tabs=windows%2Ccsharp%2Cbash#install-the-azure-functions-core-tools), ```powershell # install prereqs diff --git a/nexus/repositories/nuget/PSvCloud/Public/Edge/Get-CIEdgeSecurityCheck.ps1 b/nexus/repositories/nuget/PSvCloud/Public/Edge/Get-CIEdgeSecurityCheck.ps1 index fddc1f1..6c256bd 100644 --- a/nexus/repositories/nuget/PSvCloud/Public/Edge/Get-CIEdgeSecurityCheck.ps1 +++ b/nexus/repositories/nuget/PSvCloud/Public/Edge/Get-CIEdgeSecurityCheck.ps1 @@ -7,7 +7,7 @@ function Get-CIEdgeSecurityCheck { Retrieves basic vShield edge security information including: - FW enabled (True/False) - FW default action (Allow/Drop) - - Any insecure FW rules + - Any insecure FW rules .PARAMETER Name Specifies the name of the vShield Edge you want to retrieve. @@ -46,7 +46,7 @@ function Get-CIEdgeSecurityCheck { [Parameter(Mandatory = $true, ParameterSetName = "ByName")] [ValidateNotNullOrEmpty()] [String[]]$Name, - + [Parameter(Mandatory = $true, ValueFromPipeline = $true, ParameterSetName = "Standard")] [ValidateNotNullOrEmpty()] $CIEdge @@ -64,9 +64,9 @@ function Get-CIEdgeSecurityCheck { if ($PsCmdlet.ParameterSetName -eq "ByName") { $CIEdge = Get-CIEdge -Name $Name - + } - + # We need this foreach to handle multiple edges returned via 'name' parameter foreach ($Edge in $CIEdge) { # Check Firewall default action 
@@ -86,10 +86,10 @@ function Get-CIEdgeSecurityCheck { } # Check for insecure firewall setups - $AllowedEnabledRules = $Edge.XML.EdgeGateway.Configuration.EdgeGatewayServiceConfiguration.FirewallService.FirewallRule | + $AllowedEnabledRules = $Edge.XML.EdgeGateway.Configuration.EdgeGatewayServiceConfiguration.FirewallService.FirewallRule | Where-Object {$_.IsEnabled -eq $true -and $_.Policy -eq "allow"} - # Initialise array ready for PSCustomObject(s) of firewall rules + # Initialise array ready for PSCustomObject(s) of firewall rules $InSecureFirewallRules = @() foreach ($Rule in $AllowedEnabledRules) { 
@@ -98,42 +98,42 @@ function Get-CIEdgeSecurityCheck { $OffendingRuleCounter = $null switch ($Rule) { - {$Rule.SourceIp -eq "external" -and $Rule.DestinationIp -eq "external" -and $Rule.DestinationPortRange -eq "Any"} { + {$Rule.SourceIp -eq "external" -and $Rule.DestinationIp -eq "external" -and $Rule.DestinationPortRange -eq "Any"} { $OffendingRuleCounter = $true $RuleId = $Rule.Id - $RuleDescription = $Rule.Description + $RuleDescription = $Rule.Description $RuleViolation = "External to External on any port" break } - {$Rule.SourceIp -eq "external" -and $Rule.DestinationIp -eq "any" -and $Rule.DestinationPortRange -eq "Any"} { + {$Rule.SourceIp -eq "external" -and $Rule.DestinationIp -eq "any" -and $Rule.DestinationPortRange -eq "Any"} { $OffendingRuleCounter = $true $RuleId = $Rule.Id - $RuleDescription = $Rule.Description + $RuleDescription = $Rule.Description $RuleViolation = "External to Any on any port" break } - {$Rule.SourceIp -eq "external" -and $Rule.DestinationIp -eq "internal" -and $Rule.DestinationPortRange -eq "Any"} { + {$Rule.SourceIp -eq "external" -and $Rule.DestinationIp -eq "internal" -and $Rule.DestinationPortRange -eq "Any"} { $OffendingRuleCounter = $true $RuleId = $Rule.Id - $RuleDescription = $Rule.Description + $RuleDescription = $Rule.Description $RuleViolation = "External to Internal on any port" break } - {$Rule.SourceIp -eq "any" -and $Rule.DestinationIp -eq "any" -and $Rule.DestinationPortRange -eq "Any"} { + {$Rule.SourceIp -eq "any" -and $Rule.DestinationIp -eq "any" -and $Rule.DestinationPortRange -eq "Any"} { $OffendingRuleCounter = $true $RuleId = $Rule.Id - $RuleDescription = $Rule.Description + $RuleDescription = $Rule.Description $RuleViolation = "Any to Any on any port" break } } - + # Build the offending rule PSCustomObject if ($OffendingRuleCounter) { $InSecureFirewallRules += [PSCustomObject]@{ RuleId = $RuleId RuleDescription = $RuleDescription - RuleViolation = $RuleViolation + RuleViolation = $RuleViolation 
ExtensionData = $Rule } } diff --git a/velero/velero.md b/velero/velero.md index f077bf6..df8e821 100644 --- a/velero/velero.md +++ b/velero/velero.md @@ -59,7 +59,7 @@ az storage account create ` --https-only true ` --kind BlobStorage ` --access-tier Hot - + # Create Blob Container az storage container create -n $blobContainerName --public-access off --account-name $storageAccountName ``` From bd9f75c0a6fb71c2b4cccc3df2176fb4051e51ee Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 17 Dec 2020 17:37:02 +0000 Subject: [PATCH 039/121] Fixed whitespace --- .devcontainer/library-scripts/azcli-debian.sh | 2 +- .../library-scripts/common-debian.sh | 20 +++++++++---------- .../library-scripts/docker-debian.sh | 14 ++++++------- .devcontainer/library-scripts/node-debian.sh | 8 ++++---- 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.devcontainer/library-scripts/azcli-debian.sh b/.devcontainer/library-scripts/azcli-debian.sh index b03dcb0..cde7fd7 100644 --- a/.devcontainer/library-scripts/azcli-debian.sh +++ b/.devcontainer/library-scripts/azcli-debian.sh @@ -22,7 +22,7 @@ if ! dpkg -s apt-transport-https curl ca-certificates lsb-release > /dev/null 2> if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then apt-get update fi - apt-get -y install --no-install-recommends apt-transport-https curl ca-certificates lsb-release gnupg2 + apt-get -y install --no-install-recommends apt-transport-https curl ca-certificates lsb-release gnupg2 fi # Install the Azure CLI diff --git a/.devcontainer/library-scripts/common-debian.sh b/.devcontainer/library-scripts/common-debian.sh index f168ca2..2c8e98d 100644 --- a/.devcontainer/library-scripts/common-debian.sh +++ b/.devcontainer/library-scripts/common-debian.sh 
@@ -113,7 +113,7 @@ if [ "${PACKAGES_ALREADY_INSTALLED}" != "true" ]; then if [[ ! -z $(apt-cache --names-only search ^libssl1.1$) ]]; then PACKAGE_LIST="${PACKAGE_LIST} libssl1.1" fi - + # Install appropriate version of libssl1.0.x if available LIBSSL=$(dpkg-query -f '${db:Status-Abbrev}\t${binary:Package}\n' -W 'libssl1\.0\.?' 2>&1 || echo '') if [ "$(echo "$LIBSSL" | grep -o 'libssl1\.0\.[0-9]:' | uniq | sort | wc -l)" -eq 0 ]; then @@ -128,7 +128,7 @@ if [ "${PACKAGES_ALREADY_INSTALLED}" != "true" ]; then echo "Packages to verify are installed: ${PACKAGE_LIST}" apt-get -y install --no-install-recommends ${PACKAGE_LIST} 2> >( grep -v 'debconf: delaying package configuration, since apt-utils is not installed' >&2 ) - + PACKAGES_ALREADY_INSTALLED="true" fi @@ -142,7 +142,7 @@ fi # Ensure at least the en_US.UTF-8 UTF-8 locale is available. # Common need for both applications and things like the agnoster ZSH theme. if [ "${LOCALE_ALREADY_SET}" != "true" ] && ! grep -o -E '^\s*en_US.UTF-8\s+UTF-8' /etc/locale.gen > /dev/null; then - echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen + echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen locale-gen LOCALE_ALREADY_SET="true" fi @@ -150,11 +150,11 @@ fi # Create or update a non-root user to match UID/GID. if id -u ${USERNAME} > /dev/null 2>&1; then # User exists, update if needed - if [ "${USER_GID}" != "automatic" ] && [ "$USER_GID" != "$(id -G $USERNAME)" ]; then - groupmod --gid $USER_GID $USERNAME + if [ "${USER_GID}" != "automatic" ] && [ "$USER_GID" != "$(id -G $USERNAME)" ]; then + groupmod --gid $USER_GID $USERNAME usermod --gid $USER_GID $USERNAME fi - if [ "${USER_UID}" != "automatic" ] && [ "$USER_UID" != "$(id -u $USERNAME)" ]; then + if [ "${USER_UID}" != "automatic" ] && [ "$USER_UID" != "$(id -u $USERNAME)" ]; then usermod --uid $USER_UID $USERNAME fi else 
@@ -164,7 +164,7 @@ else else groupadd --gid $USER_GID $USERNAME fi - if [ "${USER_UID}" = "automatic" ]; then + if [ "${USER_UID}" = "automatic" ]; then useradd -s /bin/bash --gid $USERNAME -m $USERNAME else useradd -s /bin/bash --uid $USER_UID --gid $USERNAME -m $USERNAME @@ -179,7 +179,7 @@ if [ "${USERNAME}" != "root" ] && [ "${EXISTING_NON_ROOT_USER}" != "${USERNAME}" fi # ** Shell customization section ** -if [ "${USERNAME}" = "root" ]; then +if [ "${USERNAME}" = "root" ]; then USER_RC_PATH="/root" else USER_RC_PATH="/home/${USERNAME}" @@ -231,7 +231,7 @@ prompt() { fi local cwd="\$(pwd | sed "s|^\${HOME}|~|")" PS1="\${green}\${USERNAME} \${arrow_color}➜\${reset_color} \${bold_blue}\${cwd}\${reset_color} \$(scm_prompt_info)\${white}$ \${reset_color}" - + # Prepend Python virtual env version to prompt if [[ -n \$VIRTUAL_ENV ]]; then if [ -z "\${VIRTUAL_ENV_DISABLE_PROMPT:-}" ]; then @@ -301,7 +301,7 @@ install-oh-my() echo "${CODESPACES_ZSH}" > ${OH_MY_INSTALL_DIR}/custom/themes/codespaces.zsh-theme fi # Shrink git while still enabling updates - cd ${OH_MY_INSTALL_DIR} + cd ${OH_MY_INSTALL_DIR} git repack -a -d -f --depth=1 --window=1 if [ "${USERNAME}" != "root" ]; then diff --git a/.devcontainer/library-scripts/docker-debian.sh b/.devcontainer/library-scripts/docker-debian.sh index d8ad895..7ca6d54 100644 --- a/.devcontainer/library-scripts/docker-debian.sh +++ b/.devcontainer/library-scripts/docker-debian.sh @@ -55,7 +55,7 @@ export DEBIAN_FRONTEND=noninteractive # Install apt-transport-https, curl, lsb-release, gpg if missing if ! dpkg -s apt-transport-https curl ca-certificates lsb-release > /dev/null 2>&1 || ! type gpg > /dev/null 2>&1; then apt-get-update-if-needed - apt-get -y install --no-install-recommends apt-transport-https curl ca-certificates lsb-release gnupg2 + apt-get -y install --no-install-recommends apt-transport-https curl ca-certificates lsb-release gnupg2 fi # Install Docker / Moby CLI if not already installed 
@@ -77,7 +77,7 @@ else fi fi -# Install Docker Compose if not already installed +# Install Docker Compose if not already installed if type docker-compose > /dev/null 2>&1; then echo "Docker Compose already installed." else @@ -105,13 +105,13 @@ if [ "${ENABLE_NONROOT_DOCKER}" = "false" ] || [ "${USERNAME}" = "root" ]; then fi # If enabling non-root access and specified user is found, setup socat and add script -chown -h "${USERNAME}":root "${TARGET_SOCKET}" +chown -h "${USERNAME}":root "${TARGET_SOCKET}" if ! dpkg -s socat > /dev/null 2>&1; then apt-get-update-if-needed apt-get -y install socat fi tee /usr/local/share/docker-init.sh > /dev/null \ -<< EOF +<< EOF #!/usr/bin/env bash #------------------------------------------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. @@ -143,8 +143,8 @@ log() echo -e "\n** \$(date) **" | sudoIf tee -a \${SOCAT_LOG} > /dev/null log "Ensuring ${USERNAME} has access to ${SOURCE_SOCKET} via ${TARGET_SOCKET}" -# If enabled, try to add a docker group with the right GID. If the group is root, -# fall back on using socat to forward the docker socket to another unix socket so +# If enabled, try to add a docker group with the right GID. If the group is root, +# fall back on using socat to forward the docker socket to another unix socket so # that we can set permissions on it without affecting the host. if [ "${ENABLE_NONROOT_DOCKER}" = "true" ] && [ "${SOURCE_SOCKET}" != "${TARGET_SOCKET}" ] && [ "${USERNAME}" != "root" ] && [ "${USERNAME}" != "0" ]; then SOCKET_GID=\$(stat -c '%g' ${SOURCE_SOCKET}) @@ -171,7 +171,7 @@ if [ "${ENABLE_NONROOT_DOCKER}" = "true" ] && [ "${SOURCE_SOCKET}" != "${TARGET_ log "Success" fi -# Execute whatever commands were passed in (if any). This allows us +# Execute whatever commands were passed in (if any). This allows us # to set this script to ENTRYPOINT while still executing the default CMD. set +e exec "\$@" 
diff --git a/.devcontainer/library-scripts/node-debian.sh b/.devcontainer/library-scripts/node-debian.sh index 4b5b856..d61046d 100644 --- a/.devcontainer/library-scripts/node-debian.sh +++ b/.devcontainer/library-scripts/node-debian.sh @@ -86,12 +86,12 @@ su ${USERNAME} -c "$(cat << EOF # Do not update profile - we'll do this manually export PROFILE=/dev/null - curl -so- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.3/install.sh | bash + curl -so- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.3/install.sh | bash source ${NVM_DIR}/nvm.sh if [ "${NODE_VERSION}" != "" ]; then nvm alias default ${NODE_VERSION} fi - nvm clear-cache + nvm clear-cache EOF )" 2>&1 @@ -118,7 +118,7 @@ fi [ -s "\$NVM_DIR/nvm.sh" ] && . "\$NVM_DIR/nvm.sh" [ -s "\$NVM_DIR/bash_completion" ] && . "\$NVM_DIR/bash_completion" EOF -) | tee -a /etc/bash.bashrc >> /etc/zsh/zshrc -fi +) | tee -a /etc/bash.bashrc >> /etc/zsh/zshrc +fi echo "Done!" \ No newline at end of file From a8c6186aa676e1d7d0321fead7879588e70458fb Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 17 Dec 2020 17:37:35 +0000 Subject: [PATCH 040/121] Added more docker build scripts --- .devcontainer/devcontainer.json | 2 +- .devcontainer/library-scripts/go-debian.sh | 140 ++++++++++++++++++ .../library-scripts/kubectl-helm-debian.sh | 35 +++++ .../library-scripts/powershell-debian.sh | 35 +++++ .../library-scripts/terraform-pre-commit.sh | 43 ++++++ .../library-scripts/tflint-plugins.sh | 43 ++++++ 6 files changed, 297 insertions(+), 1 deletion(-) create mode 100644 .devcontainer/library-scripts/go-debian.sh create mode 100644 .devcontainer/library-scripts/kubectl-helm-debian.sh create mode 100644 .devcontainer/library-scripts/powershell-debian.sh create mode 100644 .devcontainer/library-scripts/terraform-pre-commit.sh create mode 100644 .devcontainer/library-scripts/tflint-plugins.sh diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index e2470cd..ebb495b 100644 
--- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,7 +1,7 @@ // For format details, see https://aka.ms/vscode-remote/devcontainer.json or this file's README at: // https://github.com/microsoft/vscode-dev-containers/blob/master/containers/azure-terraform/.devcontainer/devcontainer.json { - "name": "Azure Terraform (Community)", + "name": "Azure Terraform", "build": { "dockerfile": "Dockerfile", "args": { diff --git a/.devcontainer/library-scripts/go-debian.sh b/.devcontainer/library-scripts/go-debian.sh new file mode 100644 index 0000000..fdbcc2f --- /dev/null +++ b/.devcontainer/library-scripts/go-debian.sh 
@@ -0,0 +1,140 @@ +#!/usr/bin/env bash +#------------------------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information. +#------------------------------------------------------------------------------------------------------------- +# +# Docs: https://github.com/microsoft/vscode-dev-containers/blob/master/script-library/docs/go.md +# +# Syntax: ./go-debian.sh [Go version] [GOROOT] [GOPATH] [non-root user] [Add GOPATH, GOROOT to rc files flag] [Install tools flag] + +TARGET_GO_VERSION=${1:-"latest"} +TARGET_GOROOT=${2:-"/usr/local/go"} +TARGET_GOPATH=${3:-"/go"} +USERNAME=${4:-"automatic"} +UPDATE_RC=${5:-"true"} +INSTALL_GO_TOOLS=${6:-"true"} + +set -e + +if [ "$(id -u)" -ne 0 ]; then + echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.' + exit 1 +fi + +# Ensure that login shells get the correct path if the user updated the PATH using ENV. +rm -f /etc/profile.d/00-restore-env.sh +echo "export PATH=${PATH//$(sh -lc 'echo $PATH')/\${PATH}" > /etc/profile.d/00-restore-env.sh +chmod +x /etc/profile.d/00-restore-env.sh + +# Determine the appropriate non-root user +if [ "${USERNAME}" = "auto" ] || [ "${USERNAME}" = "automatic" ]; then + USERNAME="" + POSSIBLE_USERS=("vscode" "node" "codespace" "$(awk -v val=1000 -F ":" '$3==val{print $1}' /etc/passwd)") + for CURRENT_USER in ${POSSIBLE_USERS[@]}; do + if id -u ${CURRENT_USER} > /dev/null 2>&1; then + USERNAME=${CURRENT_USER} + break + fi + done + if [ "${USERNAME}" = "" ]; then + USERNAME=root + fi +elif [ "${USERNAME}" = "none" ] || ! id -u ${USERNAME} > /dev/null 2>&1; then + USERNAME=root +fi + +function updaterc() { + if [ "${UPDATE_RC}" = "true" ]; then + echo "Updating /etc/bash.bashrc and /etc/zsh/zshrc..." 
+ echo -e "$1" | tee -a /etc/bash.bashrc >> /etc/zsh/zshrc + fi +} + +export DEBIAN_FRONTEND=noninteractive + +# Install curl, tar, git, other dependencies if missing +if ! dpkg -s curl ca-certificates tar git g++ gcc libc6-dev make pkg-config > /dev/null 2>&1; then + if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then + apt-get update + fi + apt-get -y install --no-install-recommends curl ca-certificates tar git g++ gcc libc6-dev make pkg-config +fi + +# Get latest version number if latest is specified +if [ "${TARGET_GO_VERSION}" = "latest" ] || [ "${TARGET_GO_VERSION}" = "current" ] || [ "${TARGET_GO_VERSION}" = "lts" ]; then + TARGET_GO_VERSION=$(curl -sSL "https://golang.org/VERSION?m=text" | sed -n '/^go/s///p' ) +fi + +# Install Go +GO_INSTALL_SCRIPT="$(cat < /dev/null 2>&1; then + mkdir -p "${TARGET_GOROOT}" "${TARGET_GOPATH}" + chown -R ${USERNAME} "${TARGET_GOROOT}" "${TARGET_GOPATH}" + su ${USERNAME} -c "${GO_INSTALL_SCRIPT}" +else + echo "Go already installed. Skipping." +fi + +# Install Go tools +GO_TOOLS_WITH_MODULES="\ + golang.org/x/tools/gopls \ + honnef.co/go/tools/... \ + golang.org/x/tools/cmd/gorename \ + golang.org/x/tools/cmd/goimports \ + golang.org/x/tools/cmd/guru \ + golang.org/x/lint/golint \ + github.com/mdempsky/gocode \ + github.com/cweill/gotests/... \ + github.com/haya14busa/goplay/cmd/goplay \ + github.com/sqs/goreturns \ + github.com/josharian/impl \ + github.com/davidrjenni/reftools/cmd/fillstruct \ + github.com/uudashr/gopkgs/v2/cmd/gopkgs \ + github.com/ramya-rao-a/go-outline \ + github.com/acroca/go-symbols \ + github.com/godoctor/godoctor \ + github.com/rogpeppe/godef \ + github.com/zmb3/gogetdoc \ + github.com/fatih/gomodifytags \ + github.com/mgechev/revive \ + github.com/go-delve/delve/cmd/dlv" +if [ "${INSTALL_GO_TOOLS}" = "true" ]; then + echo "Installing common Go tools..." 
+ export PATH=${TARGET_GOROOT}/bin:${PATH} + mkdir -p /tmp/gotools + cd /tmp/gotools + export GOPATH=/tmp/gotools + export GOCACHE=/tmp/gotools/cache + + # Go tools w/module support + export GO111MODULE=on + (echo "${GO_TOOLS_WITH_MODULES}" | xargs -n 1 go get -v )2>&1 + + # gocode-gomod + export GO111MODULE=auto + go get -v -d github.com/stamblerre/gocode 2>&1 + go build -o gocode-gomod github.com/stamblerre/gocode + + # golangci-lint + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b ${TARGET_GOPATH}/bin 2>&1 + + # Move Go tools into path and clean up + mv /tmp/gotools/bin/* ${TARGET_GOPATH}/bin/ + mv gocode-gomod ${TARGET_GOPATH}/bin/ + rm -rf /tmp/gotools + chown -R ${USERNAME} "${TARGET_GOPATH}" +fi + +# Add GOPATH variable and bin directory into PATH in bashrc/zshrc files (unless disabled) +updaterc "export GOPATH=\"${TARGET_GOPATH}\"\nexport GOROOT=\"${TARGET_GOROOT}\"\nexport PATH=\"\${GOROOT}/bin:\${GOPATH}/bin:\${PATH}\"" + +echo "Done!" diff --git a/.devcontainer/library-scripts/kubectl-helm-debian.sh b/.devcontainer/library-scripts/kubectl-helm-debian.sh new file mode 100644 index 0000000..00b3409 --- /dev/null +++ b/.devcontainer/library-scripts/kubectl-helm-debian.sh 
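Review bot: golangci-lint is installed by piping the unpinned `master` copy of `install.sh` straight into `sh` as root, so the image depends on whatever that branch contains at build time, and the `xargs -n 1 go get -v` loop above it fetches every entry of `GO_TOOLS_WITH_MODULES` without a version either. The same install script accepts a release tag, so the line can be pinned as `curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/<GOLANGCI_TAG>/install.sh | sh -s -- -b ${TARGET_GOPATH}/bin <GOLANGCI_TAG> 2>&1` (tag is a placeholder), and the list entries can carry `@vX.Y.Z` suffixes since `GO111MODULE=on` is exported just before the loop. The `GO_INSTALL_SCRIPT` heredoc in the middle of this hunk is garbled in this rendering, so the Go tarball download and whatever checksum handling it contains could not be reviewed. The `curl ... golang.org/VERSION` lookup makes the default `latest` resolve differently on each build; a comment such as `# "latest" is resolved at build time; pass an explicit version for reproducible images` above it would make that trade-off visible.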
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+#-------------------------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
+#-------------------------------------------------------------------------------------------------------------
+#
+# Docs: https://github.com/microsoft/vscode-dev-containers/blob/master/script-library/docs/kubectl-helm.md
+#
+# Syntax: ./kubectl-helm-debian.sh
+
+set -e
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+ exit 1
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+
+# Install curl if missing
+if ! dpkg -s curl ca-certificates > /dev/null 2>&1; then
+ if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then
+ apt-get update
+ fi
+ apt-get -y install --no-install-recommends curl ca-certificates
+fi
+
+# Install the kubectl
+echo "Downloading kubectl..."
+curl -sSL -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
+chmod +x /usr/local/bin/kubectl
+# Install Helm
+echo "Installing Helm..."
+curl -s https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash -
+echo "Done!"
diff --git a/.devcontainer/library-scripts/powershell-debian.sh b/.devcontainer/library-scripts/powershell-debian.sh new file mode 100644
index 0000000..a7842ff
--- /dev/null
+++ b/.devcontainer/library-scripts/powershell-debian.sh
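Review bot: kubectl is written directly to `/usr/local/bin` from a version resolved at build time with no integrity check, and Helm is installed by piping the unpinned `master` copy of `get-helm-3` into `bash` as root, so neither tool's version nor provenance is fixed by the image. Kubernetes publishes a `kubectl.sha256` beside each release binary, which lets the download be verified before it is installed, and the Helm script honours a `DESIRED_VERSION` environment variable (`DESIRED_VERSION="<helm version>" bash -`, placeholder), so a tagged copy of that script plus the variable pins Helm. The version lookup also runs inside a command substitution in the URL, so a failed lookup produces an empty path segment and an unhelpful 404 instead of a clear error. The rewrite below (constructed) separates the lookup, verifies the checksum, and leaves the Helm step unchanged apart from the version pin.
```shell
# Install kubectl, verifying the release's published checksum before installing
KUBECTL_VERSION="$(curl -sSL https://storage.googleapis.com/kubernetes-release/release/stable.txt)"
[ -n "${KUBECTL_VERSION}" ] || { echo "Could not resolve kubectl version"; exit 1; }
KUBECTL_BASE="https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64"
curl -sSL -o /tmp/kubectl "${KUBECTL_BASE}/kubectl"
curl -sSL -o /tmp/kubectl.sha256 "${KUBECTL_BASE}/kubectl.sha256"
echo "$(cat /tmp/kubectl.sha256)  /tmp/kubectl" | sha256sum --check --strict
install -m 0755 /tmp/kubectl /usr/local/bin/kubectl
rm -f /tmp/kubectl /tmp/kubectl.sha256
# … unchanged: Helm install, with DESIRED_VERSION set to a pinned release …
```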
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+#-------------------------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
+#-------------------------------------------------------------------------------------------------------------
+#
+# Docs: https://github.com/microsoft/vscode-dev-containers/blob/master/script-library/docs/powershell.md
+#
+# Syntax: ./powershell-debian.sh
+
+set -e
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+ exit 1
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+
+# Install curl, apt-transport-https, lsb-release, or gpg if missing
+if ! dpkg -s apt-transport-https curl ca-certificates lsb-release > /dev/null 2>&1 || ! type gpg > /dev/null 2>&1; then
+ if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then
+ apt-get update
+ fi
+ apt-get -y install --no-install-recommends apt-transport-https curl ca-certificates lsb-release gnupg2
+fi
+
+# Use correct source for distro (Ubuntu/Debian) and Codename (stretch, buster, bionic, focal)
+DISTRO=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
+CODENAME=$(lsb_release -cs)
+curl -s https://packages.microsoft.com/keys/microsoft.asc | (OUT=$(apt-key add - 2>&1) || echo $OUT)
+echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-${DISTRO}-${CODENAME}-prod ${CODENAME} main" > /etc/apt/sources.list.d/microsoft.list
+apt-get update -yq
+apt-get install -yq powershell
+echo "Done!"
diff --git a/.devcontainer/library-scripts/terraform-pre-commit.sh b/.devcontainer/library-scripts/terraform-pre-commit.sh new file mode 100644
index 0000000..b1351d2
--- /dev/null
+++ b/.devcontainer/library-scripts/terraform-pre-commit.sh
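Review bot: The repository key is added with `apt-key add`, which trusts the Microsoft key for every configured apt source rather than only the one written on the next line, and the `(OUT=$(apt-key add - 2>&1) || echo $OUT)` wrapper turns a failed key import into a log line so `set -e` does not stop the script; the failure then only surfaces later as an unsigned-repository error from `apt-get update -yq`. `gnupg2` is already ensured a few lines above, so the key can be scoped to this source with `curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor -o /usr/share/keyrings/microsoft-archive-keyring.gpg` and `deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/repos/microsoft-${DISTRO}-${CODENAME}-prod ${CODENAME} main` in the sources file, with the pipeline left to fail normally. `apt-get install -yq powershell` installs whatever version is current at build time; pinning `powershell=<version>` (placeholder) would keep the image reproducible like the other pinned tools in this series.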
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Installs useful Terraform tools and pre-commit
+
+set -e
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+ exit 1
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+
+# Install curl if missing
+if ! dpkg -s curl ca-certificates > /dev/null 2>&1; then
+ if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then
+ apt-get update
+ fi
+ apt-get -y install --no-install-recommends curl ca-certificates
+fi
+
+# vars
+PRECOMMIT_VERSION=${1:-"2.9.3"}
+TFSEC_VERSION=${2:-"0.36.10"}
+TERRAFORM_DOCS_VERSION=${3:-"0.10.1"}
+
+# workaround for "cannot use path@version syntax in GOPATH mode" error
+export GO111MODULE="on"
+
+# TFSec
+go get -u github.com/tfsec/tfsec/cmd/tfsec@v${TFSEC_VERSION}
+
+# Terraform Docs
+go get github.com/terraform-docs/terraform-docs@v${TERRAFORM_DOCS_VERSION}
+
+# TODO: install TFLint azurerm plugin
+# https://github.com/terraform-linters/tflint-ruleset-azurerm
+
+
+# pre-commit
+sudo apt install -y python3-pip
+python3 -m pip install --upgrade pip
+python3 -m pip install --upgrade pre-commit==${PRECOMMIT_VERSION}
diff --git a/.devcontainer/library-scripts/tflint-plugins.sh b/.devcontainer/library-scripts/tflint-plugins.sh new file mode 100644
index 0000000..edb3076
--- /dev/null
+++ b/.devcontainer/library-scripts/tflint-plugins.sh
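Review bot: `go get -u github.com/tfsec/tfsec/cmd/tfsec@v${TFSEC_VERSION}` pins tfsec itself, but `-u` upgrades all of its dependencies to their newest versions at build time, so the binary is not the tested release and differs between builds; dropping `-u`, as the terraform-docs line below already does, keeps the pin meaningful, and the same `go get -u` line reappears in `terraform-extras.sh` in the later "Debugging dcoker builds" commit. `sudo apt install -y python3-pip` is odd in a script that already exits unless it runs as root: `sudo` may not exist in the base image, and every other library script installs with `apt-get -y install --no-install-recommends`. The script also calls `go` without checking that it is installed or that its `bin` directory is on `PATH`, so a guard such as `command -v go > /dev/null || { echo 'go is required'; exit 1; }` before the first `go get` would make the failure mode explicit.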
@@ -0,0 +1,43 @@
+#! /usr/bin/env bash
+#
+# installs and runs tflint with tflint-ruleset-azurerm plugin
+# https://github.com/terraform-linters/tflint-ruleset-azurerm
+
+set -e
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+ exit 1
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+
+# Install curl if missing
+if ! dpkg -s curl ca-certificates > /dev/null 2>&1; then
+ if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then
+ apt-get update
+ fi
+ apt-get -y install --no-install-recommends curl ca-certificates
+fi
+
+message="Downloading tflint and azurerm plugin"
+echo "STARTED: $message..."
+
+# download tflint-ruleset-azurerm plugin
+curl -L "$(curl -Ls https://api.github.com/repos/terraform-linters/tflint-ruleset-azurerm/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" -o tflint-ruleset-azurerm_linux_amd64.zip && unzip tflint-ruleset-azurerm_linux_amd64.zip && rm tflint-ruleset-azurerm_linux_amd64.zip
+
+# move tflint-ruleset-azurerm plugin to correct path
+install -D -m 777 tflint-ruleset-azurerm ./.tflint.d/plugins/tflint-ruleset-azurerm
+
+echo "FINISHED: $message."
+
+# check versions
+./tflint --version
+
+# create tflint config
+# cat > .tflint.hcl << EOF
+# plugin "azurerm" {
+# enabled = true
+# }
+# EOF
+# cat .tflint.hcl From a54f3bde2bdba6215a5a45360fae7fb3ea5d9e95 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 17 Dec 2020 17:37:52 +0000 Subject: [PATCH 041/121] Added pre-commit example --- .pre-commit-config.yaml | 28 ++++++++++++++++++++++++++++ .tflint.hcl | 3 +++ 2 files changed, 31 insertions(+) create mode 100644 .pre-commit-config.yaml create mode 100644 .tflint.hcl
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644
index 0000000..4e84bb8
--- /dev/null
+++ b/.pre-commit-config.yaml
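Review bot: `install -D -m 777 tflint-ruleset-azurerm ...` leaves the plugin binary world-writable, so any process in the container can replace code that tflint later loads and executes; `-m 0755` is all an executable needs, and the same mode survives into the later "Fixed examples" hunk that only changes the destination path. The download resolves the GitHub `releases/latest` URL at build time and unpacks it with no checksum or signature check, which makes the image non-reproducible and trusts whatever the API returns at that moment; pinning a release tag in the URL and verifying the archive's published checksum before `unzip` addresses both. Separately, the exit status of the inner `$(curl ... | grep ...)` is not seen by `set -e`, so a non-matching `grep` yields a bare `curl -L ""` failure rather than a readable error; assigning the URL to a variable first and guarding it with `[ -n "${url}" ] || { echo "plugin URL not found"; exit 1; }` gives a clear failure.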
@@ -0,0 +1,28 @@
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v3.4.0 # "" gets replaced with latest repo release versions by running "pre-commit autoupdate"
+ hooks:
+ - id: check-merge-conflict
+ # - id: trailing-whitespace # find way to ignore markdown files (.md)
+ # - id: check-yaml
+ - id: check-added-large-files
+ - id: detect-private-key
+
+ - repo: https://github.com/gruntwork-io/pre-commit
+ rev: v0.1.12 # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
+ hooks:
+ - id: tflint
+ args:
+ - "--module"
+ - "--deep"
+ - "--config=.tflint.hcl"
+ # - id: terraform-validate
+ # - id: terraform-fmt
+
+ - repo: https://github.com/antonbabenko/pre-commit-terraform.git
+ rev: v1.45.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ hooks:
+ - id: terraform_tfsec
+ - id: terraform_docs
+ - id: terraform_fmt
+ - id: terraform_validate
diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644
index 0000000..d4e9c23
--- /dev/null
+++ b/.tflint.hcl
@@ -0,0 +1,3 @@
+plugin "azurerm" {
+ enabled = true
+} From 724bde1abcd1e909237cc932c98e9ac737acc75b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 17 Dec 2020 18:58:34 +0000 Subject: [PATCH 042/121] Added TF pre-commit test files --- terraform/README.md | 7 +++++++ terraform/files/function_app.zip | 1 + 2 files changed, 8 insertions(+) create mode 100644 terraform/README.md create mode 100644 terraform/files/function_app.zip
diff --git a/terraform/README.md b/terraform/README.md new file mode 100644
index 0000000..677b337
--- /dev/null
+++ b/terraform/README.md
@@ -0,0 +1,7 @@
+# Test README
+
+some content
+
+
+*auto populated information
+
diff --git a/terraform/files/function_app.zip b/terraform/files/function_app.zip new file mode 100644
index 0000000..c128107
--- /dev/null
+++ b/terraform/files/function_app.zip
@@ -0,0 +1 @@
+# PLACEHOLDER so validate doesnt fail on missing file
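Review bot: `trailing-whitespace` is commented out with a note about markdown files, but that hook already has an option for exactly this case, `args: [--markdown-linebreak-ext=md]`, which keeps two-space Markdown line breaks while still stripping stray whitespace everywhere else; `exclude: '\.md$'` at hook level is the alternative if markdown should be skipped entirely. The `rev:` comment `# "" gets replaced with latest ...` has lost the word between the quotes, presumably `rev`, and reads as empty. The gruntwork `tflint` hook is given `--deep`, which makes tflint call the cloud provider's API from inside the commit hook and therefore needs live credentials on every developer machine; a comment stating that requirement, or dropping the flag for the local hook, would avoid confusing failures for contributors without credentials.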
From 8a6fac1c31e48ac9d70fdf489facf42a83f81012 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 17 Dec 2020 18:59:54 +0000 Subject: [PATCH 043/121] Fixed examples --- .../library-scripts/terraform-pre-commit.sh | 11 ++++---- .../library-scripts/tflint-plugins.sh | 4 +-- .pre-commit-config.yaml | 27 ++++++++++--------- 3 files changed, 22 insertions(+), 20 deletions(-) diff --git a/.devcontainer/library-scripts/terraform-pre-commit.sh b/.devcontainer/library-scripts/terraform-pre-commit.sh index b1351d2..5e047bd 100644 --- a/.devcontainer/library-scripts/terraform-pre-commit.sh +++ b/.devcontainer/library-scripts/terraform-pre-commit.sh @@ -24,6 +24,11 @@ PRECOMMIT_VERSION=${1:-"2.9.3"} TFSEC_VERSION=${2:-"0.36.10"} TERRAFORM_DOCS_VERSION=${3:-"0.10.1"} +# pre-commit +apt install -y python3-pip +python3 -m pip install --upgrade pip +python3 -m pip install --upgrade pre-commit==${PRECOMMIT_VERSION} + # workaround for "cannot use path@version syntax in GOPATH mode" error export GO111MODULE="on" @@ -35,9 +40,3 @@ go get github.com/terraform-docs/terraform-docs@v${TERRAFORM_DOCS_VERSION} # TODO: install TFLint azurerm plugin # https://github.com/terraform-linters/tflint-ruleset-azurerm - - -# pre-commit -sudo apt install -y python3-pip -python3 -m pip install --upgrade pip -python3 -m pip install --upgrade pre-commit==${PRECOMMIT_VERSION} diff --git a/.devcontainer/library-scripts/tflint-plugins.sh b/.devcontainer/library-scripts/tflint-plugins.sh index edb3076..e845bab 100644 --- a/.devcontainer/library-scripts/tflint-plugins.sh +++ b/.devcontainer/library-scripts/tflint-plugins.sh 
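Review bot: `apt install -y python3-pip` in the moved pre-commit block uses the interactive `apt` front-end, whose output and options are not stable for scripts, while every other library script in this series installs with `apt-get -y install --no-install-recommends ...`; `apt-get -y install --no-install-recommends python3-pip` keeps the scripts consistent and avoids pulling recommended packages into the image. The following `python3 -m pip install --upgrade pip` then overwrites the distribution-managed pip system-wide as root, which is a known source of breakage with apt-managed Python on Debian and Ubuntu; installing pre-commit without the pip self-upgrade, or into a dedicated location for `${USERNAME}`, is safer. The enclosing script continues outside the hunk.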
@@ -27,12 +27,12 @@ echo "STARTED: $message..." curl -L "$(curl -Ls https://api.github.com/repos/terraform-linters/tflint-ruleset-azurerm/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" -o tflint-ruleset-azurerm_linux_amd64.zip && unzip tflint-ruleset-azurerm_linux_amd64.zip && rm tflint-ruleset-azurerm_linux_amd64.zip # move tflint-ruleset-azurerm plugin to correct path -install -D -m 777 tflint-ruleset-azurerm ./.tflint.d/plugins/tflint-ruleset-azurerm +install -D -m 777 tflint-ruleset-azurerm /home/vscode/.tflint.d/plugins/tflint-ruleset-azurerm echo "FINISHED: $message." # check versions -./tflint --version +tflint --version # create tflint config # cat > .tflint.hcl << EOF diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4e84bb8..8bddb06 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -8,21 +8,24 @@ repos: - id: check-added-large-files - id: detect-private-key - - repo: https://github.com/gruntwork-io/pre-commit - rev: v0.1.12 # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases - hooks: - - id: tflint - args: - - "--module" - - "--deep" - - "--config=.tflint.hcl" - # - id: terraform-validate - # - id: terraform-fmt - - repo: https://github.com/antonbabenko/pre-commit-terraform.git rev: v1.45.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases hooks: - - id: terraform_tfsec - id: terraform_docs - id: terraform_fmt - id: terraform_validate + - id: terraform_tflint + - id: terraform_tfsec + + # ! WIP: unhandled errors running tflint with pre-commit + # - repo: https://github.com/gruntwork-io/pre-commit + # rev: v0.1.12 # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases + # hooks: + # - id: tflint + # args: + # - "terraform" + # # - "--module" + # # - "--deep" + # - "--config=.tflint.hcl" + # # # - id: terraform-validate + # # # - id: terraform-fmt From dfcca087a79862fe8855c645672a261e7df2eaa7 Mon Sep 17 00:00:00 2001 
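Review bot: The plugin is now installed to the hard-coded `/home/vscode/.tflint.d/plugins/` path, whereas the other library scripts derive the target account from a `USERNAME` argument, and because `install -D` runs as root it creates the `.tflint.d/plugins` tree root-owned inside that user's home directory. Taking the user as a script argument like the sibling scripts and installing with `install -D -m 0755 -o "${USERNAME}" tflint-ruleset-azurerm "/home/${USERNAME}/.tflint.d/plugins/tflint-ruleset-azurerm"` keeps the image consistent with a non-`vscode` user and gives the owner a readable, non-writable-by-others plugin. A one-line comment, `# tflint loads plugins from ~/.tflint.d/plugins of the user that runs it`, would explain why the destination is under the home directory rather than `/usr/local`.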
From: Adam Rush Date: Thu, 17 Dec 2020 19:22:26 +0000 Subject: [PATCH 044/121] Debugging dcoker builds --- .devcontainer/Dockerfile | 14 ++++++- .../library-scripts/terraform-extras.sh | 39 +++++++++++++++++++ .../library-scripts/terraform-pre-commit.sh | 14 ------- 3 files changed, 51 insertions(+), 16 deletions(-) create mode 100644 .devcontainer/library-scripts/terraform-extras.sh diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index a736c31..9cbb523 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -44,12 +44,22 @@ RUN if [ "${INSTALL_AZURE_CLI}" = "true" ]; then bash /tmp/library-scripts/azcli fi \ && rm -rf /var/lib/apt/lists/* -# Install Terraform, tflint +# Install Terraform, tflint, Go, PowerShell +# TODO: move this into main "RUN" layer above ARG TERRAFORM_VERSION=0.12.29 ARG TFLINT_VERSION=0.18.0 RUN bash /tmp/library-scripts/terraform-debian.sh "${TERRAFORM_VERSION}" "${TFLINT_VERSION}" \ - && rm -rf /tmp/library-scripts + && bash /tmp/library-scripts/go-debian.sh \ + && bash /tmp/library-scripts/powershell-debian.sh \ + && bash /tmp/library-scripts/kubectl-helm-debian.sh + # && rm -rf /tmp/library-scripts +# TODO: move this into main "RUN" layer above +# Testing in new layer for faster builds +RUN bash /tmp/library-scripts/terraform-pre-commit.sh +RUN bash /tmp/library-scripts/tflint-plugins.sh +RUN bash /tmp/library-scripts/terraform-extras.sh + # && rm -rf /tmp/library-scripts ENTRYPOINT [ "/usr/local/share/docker-init.sh" ] CMD [ "sleep", "infinity" ] diff --git a/.devcontainer/library-scripts/terraform-extras.sh b/.devcontainer/library-scripts/terraform-extras.sh new file mode 100644 index 0000000..8c4a591 --- /dev/null +++ b/.devcontainer/library-scripts/terraform-extras.sh 
@@ -0,0 +1,39 @@ +#!/usr/bin/env bash + +# Installs useful Terraform tools and pre-commit + +set -e + +if [ "$(id -u)" -ne 0 ]; then + echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.' + exit 1 +fi + +export DEBIAN_FRONTEND=noninteractive + +# Install curl if missing +if ! dpkg -s curl ca-certificates > /dev/null 2>&1; then + if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then + apt-get update + fi + apt-get -y install --no-install-recommends curl ca-certificates +fi + +# vars +TFSEC_VERSION=${2:-"0.36.10"} +TERRAFORM_DOCS_VERSION=${3:-"0.10.1"} + +# workaround for "cannot use path@version syntax in GOPATH mode" error +# export GO111MODULE="on" + +# check +command -v go + +# TFSec +go get -u github.com/tfsec/tfsec/cmd/tfsec@v${TFSEC_VERSION} + +# Terraform Docs +go get github.com/terraform-docs/terraform-docs@v${TERRAFORM_DOCS_VERSION} + +# TODO: install TFLint azurerm plugin +# https://github.com/terraform-linters/tflint-ruleset-azurerm diff --git a/.devcontainer/library-scripts/terraform-pre-commit.sh b/.devcontainer/library-scripts/terraform-pre-commit.sh index 5e047bd..1dd53a6 100644 --- a/.devcontainer/library-scripts/terraform-pre-commit.sh +++ b/.devcontainer/library-scripts/terraform-pre-commit.sh @@ -21,22 +21,8 @@ fi # vars PRECOMMIT_VERSION=${1:-"2.9.3"} -TFSEC_VERSION=${2:-"0.36.10"} -TERRAFORM_DOCS_VERSION=${3:-"0.10.1"} # pre-commit apt install -y python3-pip python3 -m pip install --upgrade pip python3 -m pip install --upgrade pre-commit==${PRECOMMIT_VERSION} - -# workaround for "cannot use path@version syntax in GOPATH mode" error -export GO111MODULE="on" - -# TFSec -go get -u github.com/tfsec/tfsec/cmd/tfsec@v${TFSEC_VERSION} - -# Terraform Docs -go get github.com/terraform-docs/terraform-docs@v${TERRAFORM_DOCS_VERSION} - -# TODO: install TFLint azurerm plugin -# https://github.com/terraform-linters/tflint-ruleset-azurerm 
From 2708b3387f3c3068e8f64e66cffc7050e8060e2a Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 18 Dec 2020 07:21:32 +0000 Subject: [PATCH 045/121] Changed go script with latest library --- .devcontainer/library-scripts/go-debian.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.devcontainer/library-scripts/go-debian.sh b/.devcontainer/library-scripts/go-debian.sh index fdbcc2f..9c7f533 100644 --- a/.devcontainer/library-scripts/go-debian.sh +++ b/.devcontainer/library-scripts/go-debian.sh @@ -24,7 +24,7 @@ fi # Ensure that login shells get the correct path if the user updated the PATH using ENV. rm -f /etc/profile.d/00-restore-env.sh -echo "export PATH=${PATH//$(sh -lc 'echo $PATH')/\${PATH}" > /etc/profile.d/00-restore-env.sh +echo "export PATH=${PATH//$(sh -lc 'echo $PATH')/\$PATH}" > /etc/profile.d/00-restore-env.sh chmod +x /etc/profile.d/00-restore-env.sh # Determine the appropriate non-root user @@ -135,6 +135,12 @@ if [ "${INSTALL_GO_TOOLS}" = "true" ]; then fi # Add GOPATH variable and bin directory into PATH in bashrc/zshrc files (unless disabled) -updaterc "export GOPATH=\"${TARGET_GOPATH}\"\nexport GOROOT=\"${TARGET_GOROOT}\"\nexport PATH=\"\${GOROOT}/bin:\${GOPATH}/bin:\${PATH}\"" +updaterc "$(cat << EOF +export GOPATH="${TARGET_GOPATH}" +if [[ "\${PATH}" != *"\${GOPATH}/bin"* ]]; then export PATH="\${PATH}:\${GOPATH}/bin"; fi +export GOROOT="${TARGET_GOROOT}" +if [[ "\${PATH}" != *"\${GOROOT}/bin"* ]]; then export PATH="\${PATH}:\${GOROOT}/bin"; fi +EOF +)" echo "Done!" From ffc5608a275eee15add71af5918d0bbe1651c36a Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 18 Dec 2020 09:11:33 +0000 Subject: [PATCH 046/121] Changed README --- terraform/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/terraform/README.md b/terraform/README.md index 677b337..7001f0c 100644 --- a/terraform/README.md +++ b/terraform/README.md 
@@ -1,6 +1,8 @@ # Test README -some content +**PRE-COMMIT-TERRAFORM DOCS** content will be automatically created below: + +--- *auto populated information From 71e75829ea957f129bbc022f8d7a2a2dc3fcc121 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 18 Dec 2020 09:13:40 +0000 Subject: [PATCH 047/121] Added tfsec and terraform-docs to main Go script, plus tidy-up --- .devcontainer/Dockerfile | 22 ++++------- .devcontainer/library-scripts/go-debian.sh | 2 + .../library-scripts/terraform-extras.sh | 39 ------------------- .../library-scripts/tflint-plugins.sh | 2 +- 4 files changed, 11 insertions(+), 54 deletions(-) delete mode 100644 .devcontainer/library-scripts/terraform-extras.sh diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 9cbb523..da8a084 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -5,7 +5,6 @@ # https://hub.docker.com/_/microsoft-vscode-devcontainers # https://github.com/microsoft/vscode-dev-containers/blob/master/containers/azure-terraform/.devcontainer/Dockerfile - # You can pick any Debian/Ubuntu-based image. 😊 FROM mcr.microsoft.com/vscode/devcontainers/base:ubuntu-18.04 
@@ -38,28 +37,23 @@ ENV NVM_SYMLINK_CURRENT=true \ RUN if [ "${INSTALL_AZURE_CLI}" = "true" ]; then bash /tmp/library-scripts/azcli-debian.sh; fi \ && if [ "${INSTALL_NODE}" = "true" ]; then bash /tmp/library-scripts/node-debian.sh "${NVM_DIR}" "${NODE_VERSION}" "${USERNAME}"; fi \ && if [ "${INSTALL_DOCKER}" = "true" ]; then \ - bash /tmp/library-scripts/docker-debian.sh "true" "/var/run/docker-host.sock" "/var/run/docker.sock" "${USERNAME}"; \ + bash /tmp/library-scripts/docker-debian.sh "true" "/var/run/docker-host.sock" "/var/run/docker.sock" "${USERNAME}"; \ else \ - echo '#!/bin/bash\n"$@"' > /usr/local/share/docker-init.sh && chmod +x /usr/local/share/docker-init.sh; \ + echo '#!/bin/bash\n"$@"' > /usr/local/share/docker-init.sh && chmod +x /usr/local/share/docker-init.sh; \ fi \ && rm -rf /var/lib/apt/lists/* -# Install Terraform, tflint, Go, PowerShell +# Install Terraform, tflint, Go, PowerShell, and other useful tools # TODO: move this into main "RUN" layer above ARG TERRAFORM_VERSION=0.12.29 ARG TFLINT_VERSION=0.18.0 RUN bash /tmp/library-scripts/terraform-debian.sh "${TERRAFORM_VERSION}" "${TFLINT_VERSION}" \ - && bash /tmp/library-scripts/go-debian.sh \ && bash /tmp/library-scripts/powershell-debian.sh \ - && bash /tmp/library-scripts/kubectl-helm-debian.sh - # && rm -rf /tmp/library-scripts - -# TODO: move this into main "RUN" layer above -# Testing in new layer for faster builds -RUN bash /tmp/library-scripts/terraform-pre-commit.sh -RUN bash /tmp/library-scripts/tflint-plugins.sh -RUN bash /tmp/library-scripts/terraform-extras.sh - # && rm -rf /tmp/library-scripts + && bash /tmp/library-scripts/kubectl-helm-debian.sh \ + && bash /tmp/library-scripts/terraform-pre-commit.sh \ + && bash /tmp/library-scripts/tflint-plugins.sh \ + && bash /tmp/library-scripts/go-debian.sh \ + && rm -rf /tmp/library-scripts ENTRYPOINT [ "/usr/local/share/docker-init.sh" ] CMD [ "sleep", "infinity" ] 
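Review bot: Only Terraform and tflint are reproducible in this RUN via `ARG TERRAFORM_VERSION` / `ARG TFLINT_VERSION`; the other scripts now chained after them fetch whatever is current at build time (tflint-plugins.sh resolves `releases/latest`, and the Go tools list gains entries with no `@version` in the same commit), so two builds of this Dockerfile can produce different tool binaries in a container that is later handed cluster and cloud credentials. Mirror the two existing pins by adding `ARG TFSEC_VERSION=0.36.10` and `ARG TERRAFORM_DOCS_VERSION=0.10.1` (the values the deleted terraform-extras.sh used) and passing them into go-debian.sh like `terraform-debian.sh` receives its versions. Removing `/tmp/library-scripts` in the same layer is the right change; note the `# TODO: move this into main "RUN" layer above` comment still describes this second RUN.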
diff --git a/.devcontainer/library-scripts/go-debian.sh b/.devcontainer/library-scripts/go-debian.sh index 9c7f533..b6b7f9b 100644 --- a/.devcontainer/library-scripts/go-debian.sh +++ b/.devcontainer/library-scripts/go-debian.sh @@ -106,6 +106,8 @@ GO_TOOLS_WITH_MODULES="\ github.com/zmb3/gogetdoc \ github.com/fatih/gomodifytags \ github.com/mgechev/revive \ + github.com/tfsec/tfsec/cmd/tfsec \ + github.com/terraform-docs/terraform-docs \ github.com/go-delve/delve/cmd/dlv" if [ "${INSTALL_GO_TOOLS}" = "true" ]; then echo "Installing common Go tools..." diff --git a/.devcontainer/library-scripts/terraform-extras.sh b/.devcontainer/library-scripts/terraform-extras.sh deleted file mode 100644 index 8c4a591..0000000 --- a/.devcontainer/library-scripts/terraform-extras.sh +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/env bash - -# Installs useful Terraform tools and pre-commit - -set -e - -if [ "$(id -u)" -ne 0 ]; then - echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.' - exit 1 -fi - -export DEBIAN_FRONTEND=noninteractive - -# Install curl if missing -if ! dpkg -s curl ca-certificates > /dev/null 2>&1; then - if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then - apt-get update - fi - apt-get -y install --no-install-recommends curl ca-certificates -fi - -# vars -TFSEC_VERSION=${2:-"0.36.10"} -TERRAFORM_DOCS_VERSION=${3:-"0.10.1"} - -# workaround for "cannot use path@version syntax in GOPATH mode" error -# export GO111MODULE="on" - -# check -command -v go - -# TFSec -go get -u github.com/tfsec/tfsec/cmd/tfsec@v${TFSEC_VERSION} - -# Terraform Docs -go get github.com/terraform-docs/terraform-docs@v${TERRAFORM_DOCS_VERSION} - -# TODO: install TFLint azurerm plugin -# https://github.com/terraform-linters/tflint-ruleset-azurerm diff --git a/.devcontainer/library-scripts/tflint-plugins.sh b/.devcontainer/library-scripts/tflint-plugins.sh index e845bab..501775e 100644 
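Review bot: `github.com/tfsec/tfsec/cmd/tfsec` and `github.com/terraform-docs/terraform-docs` are added to `GO_TOOLS_WITH_MODULES` without a version, while the terraform-extras.sh deleted in this same commit pinned them to `@v${TFSEC_VERSION}` (0.36.10) and `@v${TERRAFORM_DOCS_VERSION}` (0.10.1); unless the install loop below (outside this hunk) appends a version, the build now resolves whichever module version is current, which is both unreproducible and a supply-chain exposure for a tool that runs against the repo's Terraform. If each entry is passed to `go get` in module mode, keep the pins inline: `github.com/tfsec/tfsec/cmd/tfsec@v0.36.10 \` and `github.com/terraform-docs/terraform-docs@v0.10.1 \`, or carry them as variables the way the deleted script did. The deleted script's `# TODO: install TFLint azurerm plugin` is already handled by tflint-plugins.sh, so nothing else is lost by the removal.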
--- a/.devcontainer/library-scripts/tflint-plugins.sh +++ b/.devcontainer/library-scripts/tflint-plugins.sh @@ -24,7 +24,7 @@ message="Downloading tflint and azurerm plugin" echo "STARTED: $message..." # download tflint-ruleset-azurerm plugin -curl -L "$(curl -Ls https://api.github.com/repos/terraform-linters/tflint-ruleset-azurerm/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" -o tflint-ruleset-azurerm_linux_amd64.zip && unzip tflint-ruleset-azurerm_linux_amd64.zip && rm tflint-ruleset-azurerm_linux_amd64.zip +curl -sL "$(curl -Ls https://api.github.com/repos/terraform-linters/tflint-ruleset-azurerm/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" -o tflint-ruleset-azurerm_linux_amd64.zip && unzip tflint-ruleset-azurerm_linux_amd64.zip && rm tflint-ruleset-azurerm_linux_amd64.zip # move tflint-ruleset-azurerm plugin to correct path install -D -m 777 tflint-ruleset-azurerm /home/vscode/.tflint.d/plugins/tflint-ruleset-azurerm From 935683838ca6ad66d88cdfaaf72826a1a03fa833 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 18 Dec 2020 10:52:46 +0000 Subject: [PATCH 048/121] Fixed shellcheck problems --- .devcontainer/library-scripts/go-debian.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.devcontainer/library-scripts/go-debian.sh b/.devcontainer/library-scripts/go-debian.sh index b6b7f9b..e11284e 100644 --- a/.devcontainer/library-scripts/go-debian.sh +++ b/.devcontainer/library-scripts/go-debian.sh @@ -31,9 +31,9 @@ chmod +x /etc/profile.d/00-restore-env.sh if [ "${USERNAME}" = "auto" ] || [ "${USERNAME}" = "automatic" ]; then USERNAME="" POSSIBLE_USERS=("vscode" "node" "codespace" "$(awk -v val=1000 -F ":" '$3==val{print $1}' /etc/passwd)") - for CURRENT_USER in ${POSSIBLE_USERS[@]}; do - if id -u ${CURRENT_USER} > /dev/null 2>&1; then - USERNAME=${CURRENT_USER} + for CURRENT_USER in "${POSSIBLE_USERS[@]}"; do + if id -u "${CURRENT_USER}" > /dev/null 2>&1; then + USERNAME="${CURRENT_USER}" break fi done 
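Review bot: `install -D -m 777 tflint-ruleset-azurerm /home/vscode/.tflint.d/plugins/...` leaves the plugin binary world-writable, so any process running under any user in the container can replace code that tflint later executes with the developer's permissions; `-m 755` is all a plugin needs. The download also resolves `releases/latest` and is unzipped with no checksum or signature check, so the binary that lands in `~/.tflint.d/plugins` changes silently between builds — pin a release tag and compare against a published checksum if the release provides one. Changing `curl -L` to `curl -sL` hides transport errors without adding `-f`, so an HTTP error page would be saved as the zip and only surface later in `unzip`; `curl -fsSL` keeps the quiet output and fails at the right step.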
@@ -127,11 +127,11 @@ if [ "${INSTALL_GO_TOOLS}" = "true" ]; then go build -o gocode-gomod github.com/stamblerre/gocode # golangci-lint - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b ${TARGET_GOPATH}/bin 2>&1 + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${TARGET_GOPATH}/bin" 2>&1 # Move Go tools into path and clean up - mv /tmp/gotools/bin/* ${TARGET_GOPATH}/bin/ - mv gocode-gomod ${TARGET_GOPATH}/bin/ + mv /tmp/gotools/bin/* "${TARGET_GOPATH}/bin/" + mv gocode-gomod "${TARGET_GOPATH}/bin/" rm -rf /tmp/gotools chown -R ${USERNAME} "${TARGET_GOPATH}" fi From 0925aabf56c1bc0a2ff0388c98bec8a16ccaa867 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 22 Dec 2020 08:22:40 +0000 Subject: [PATCH 049/121] Updated README --- README.md | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 38efc06..3fb2828 100644 --- a/README.md +++ b/README.md @@ -6,13 +6,16 @@ This is the main repo I use to test Kubernetes / DevOps applications, products, and processes. It's essentially my playground in Azure. -I started off with a Kubernetes cluster, Nexus Repository OSS, and Velero for backups, but there are *loads* more +I started off with a Kubernetes cluster, Nexus Repository OSS, and Velero for backups, but there are *loads* more being used now. ## Contents - [Getting Started](#getting-started) + - [Prereqs](#prereqs) + - [Configure DNS Zone](#configure-dns-zone) + - [Configure Key Vault / LetsEncrypt TLS Certificate](#configure-key-vault--letsencrypt-tls-certificate) - [Configure Azure Authentication](#configure-azure-authentication) - [Create Secrets](#create-secrets) - [Running the Build workflow](#running-the-build-workflow) 
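Review bot: `curl -sSfL .../golangci-lint/master/install.sh | sh -s -- -b "${TARGET_GOPATH}/bin"` still executes whatever is currently on the `master` branch of a third-party repository, as root, at image build time; the quoting fix does not change that. Pin the script URL to a release tag and, if the installer accepts a version argument as its documentation suggests, pass that version too, ideally downloading to a file and checking a known hash before running it rather than piping into `sh`. The context line at the end of the hunk, `chown -R ${USERNAME} "${TARGET_GOPATH}"`, is still unquoted — the same shellcheck class this commit is fixing — and should become `chown -R "${USERNAME}" "${TARGET_GOPATH}"`. The enclosing `if [ "${INSTALL_GO_TOOLS}" = "true" ]` block starts outside the hunk.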
@@ -20,11 +23,29 @@ being used now. ## Getting Started -Before the [`build`](./.github/workflows/build.yml) GitHub Action workflow can be run, authentication needs to be -configured for Azure. +Follow the sections below to prepare and configure your environment, ready to run your first build: + +### Prereqs + +DNS zones and TLS certs are typically created out-of-band (outside of the main build automation), so we'll create +these only once, and they will exist across multiple builds. + +#### Configure DNS Zone + +Use the [Setting up ExternalDNS for Services on Azure tutorial](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/azure.md) + to create and configure your DNS zone, as we will be using ExternalDNS within the kubernetes cluster to +dynamically update DNS records. + +#### Configure Key Vault / LetsEncrypt TLS Certificate + +Use the [keyvault-acmebot Getting Started guide](https://github.com/shibayan/keyvault-acmebot#getting-started) to +deploy AcmeBot and configure a wildcard certificate for your domain. ### Configure Azure Authentication +Before the [`build`](./.github/workflows/build.yml) GitHub Action workflow can be run, authentication needs to be +configured for Azure. + 1. [Create a Service Principal with a Client Secret](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_client_secret#creating-the-application-and-service-principal). 1. [Grant permissions to manage Azure Active Directory](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_configuration#azure-active-directory-permissions). From c05805ef5d0c9880abd7a5e7252aadcdc45a4396 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 22 Dec 2020 08:23:03 +0000 Subject: [PATCH 050/121] Bumped several chart versions --- terraform/variables.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index aab47e7..a81872e 100644 
--- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -18,7 +18,7 @@ variable "kubernetes_version" { # https://github.com/kubernetes/ingress-nginx/blob/ingress-nginx-3.11.0/charts/ingress-nginx/Chart.yaml#L3 # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "3.12.0" + default = "3.16.1" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -30,7 +30,7 @@ variable "cert_manager_chart_version" { # https://github.com/vmware-tanzu/helm-charts/releases # helm search repo vmware-tanzu/velero variable "velero_chart_version" { - default = "2.14.1" + default = "2.14.4" } # https://hub.docker.com/r/sonatype/nexus3/tags @@ -62,7 +62,7 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "4.3.1" + default = "4.5.0" } # https://github.com/weaveworks/kured/tree/master/charts/kured From 59ea4d84562091a8887e27dfd6257c3cb8f3a0ef Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 23 Dec 2020 07:47:27 +0000 Subject: [PATCH 051/121] Changed location to eastus --- .github/workflows/build.yml | 3 +- .github/workflows/destroy.yml | 3 +- terraform/files/argocd-gitlab.yaml | 24 +++++++++++++ terraform/files/argocd-ingress.yaml | 24 +++++++++++++ terraform/files/argocd-jenkins.yaml | 24 +++++++++++++ terraform/files/argocd-values.yaml | 22 ++++++++++++ terraform/helm_argocd.tf | 52 +++++++++++++++++++++++++++++ 7 files changed, 150 insertions(+), 2 deletions(-) create mode 100644 terraform/files/argocd-gitlab.yaml create mode 100644 terraform/files/argocd-ingress.yaml create mode 100644 terraform/files/argocd-jenkins.yaml create mode 100644 terraform/files/argocd-values.yaml create mode 100644 terraform/helm_argocd.tf diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8e8ed99..7a02fec 100644 --- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml @@ -47,7 +47,8 @@ env: KEY_VAULT_CERT_NAME: wildcard-thehypepipe-co-uk KEY_VAULT_NAME: kv-rush-iz6y KEY_VAULT_RESOURCE_GROUP_NAME: rg-keyvault-acmebot - LOCATION: uksouth + # NOTE: "eastus" is cheaper than "uksouth" + LOCATION: eastus # NEXUS_ADMIN_PASSWORD: ${{ secrets.NEXUS_ADMIN_PASSWORD }} # NEXUS_USER_PASSWORD: ${{ secrets.NEXUS_USER_PASSWORD }} NEXUS_USER_USERNAME: demo_user diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 77992a0..762aa5b 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -41,7 +41,8 @@ env: KEY_VAULT_NAME: kv-rush-iz6y KEY_VAULT_CERT_NAME: wildcard-thehypepipe-co-uk KEY_VAULT_RESOURCE_GROUP_NAME: rg-keyvault-acmebot - LOCATION: uksouth + # NOTE: "eastus" is cheaper than "uksouth" + LOCATION: eastus ROOT_DOMAIN_NAME: thehypepipe.co.uk # STORAGE_KEY: 'env var set by Get-StorageKey.ps1' VELERO_ENABLED: true diff --git a/terraform/files/argocd-gitlab.yaml b/terraform/files/argocd-gitlab.yaml new file mode 100644 index 0000000..ab29106 --- /dev/null +++ b/terraform/files/argocd-gitlab.yaml @@ -0,0 +1,24 @@ +--- +# https://argoproj.github.io/argo-cd/user-guide/helm/ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + # ! MUST match the existing helm release name + name: ar-gitlab + namespace: argocd +spec: + project: default + source: + repoURL: git@github.com:adamrushuk/charts-private.git + targetRevision: main + path: gitlab-https + helm: + # target helm version + version: v3 + # releaseName: ar-gitlab + valueFiles: + - ar-values-dev.yaml + destination: + server: https://kubernetes.default.svc + namespace: gitlab + syncPolicy: {} diff --git a/terraform/files/argocd-ingress.yaml b/terraform/files/argocd-ingress.yaml new file mode 100644 index 0000000..fb6dd0b --- /dev/null +++ b/terraform/files/argocd-ingress.yaml 
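Review bot: `project: default` places the `ar-gitlab` Application in Argo CD's built-in project, which by default allows any source repository and any destination cluster or namespace, so nothing stops a later edit from retargeting this Application at, say, `kube-system`. A dedicated `AppProject` that whitelists `git@github.com:adamrushuk/charts-private.git` and the `gitlab` namespace on `https://kubernetes.default.svc` would make the intended blast radius explicit; `targetRevision: main` likewise follows a mutable branch, which is fine for a lab but worth a comment. The SSH `repoURL` also presumes a repository credential (deploy key) registered in Argo CD, and nothing in this commit creates one, so a note on where it comes from would help the next reader. The same points apply to argocd-jenkins.yaml in this commit.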
@@ -0,0 +1,24 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: argocd-server-ingress + namespace: argocd + annotations: + kubernetes.io/ingress.class: nginx + + # needed for passthru to self-signed cert + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +spec: + rules: + - host: argocd.thehypepipe.co.uk + http: + paths: + - backend: + serviceName: argocd-server + servicePort: https + tls: + - hosts: + - argocd.thehypepipe.co.uk + secretName: aks-ingress-tls diff --git a/terraform/files/argocd-jenkins.yaml b/terraform/files/argocd-jenkins.yaml new file mode 100644 index 0000000..3dfc029 --- /dev/null +++ b/terraform/files/argocd-jenkins.yaml @@ -0,0 +1,24 @@ +--- +# https://argoproj.github.io/argo-cd/user-guide/helm/ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + # ! MUST match the existing helm release name + name: ar-jenkins + namespace: argocd +spec: + project: default + source: + repoURL: git@github.com:adamrushuk/charts-private.git + targetRevision: main + path: jenkins + helm: + # target helm version + version: v3 + # releaseName: ar-jenkins + valueFiles: + - ar-values-dev.yaml + destination: + server: https://kubernetes.default.svc + namespace: jenkins + syncPolicy: {} diff --git a/terraform/files/argocd-values.yaml b/terraform/files/argocd-values.yaml new file mode 100644 index 0000000..ce270c9 --- /dev/null +++ b/terraform/files/argocd-values.yaml 
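Review bot: `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` and a `tls:` block on the same Ingress conflict — with passthrough the controller never terminates TLS, so `aks-ingress-tls` is unused and browsers are shown argocd-server's own certificate, which is exactly the combination the comment in argocd-values.yaml in this same commit warns against; passthrough also requires the controller to run with `--enable-ssl-passthrough`, which nothing here shows. Pick one: drop the `tls:` block (then `backend-protocol: "HTTPS"` and passthrough are consistent), or drop the two passthrough annotations and let the ingress terminate with `aks-ingress-tls`. `apiVersion: extensions/v1beta1` is deprecated in favour of `networking.k8s.io/v1beta1`/`v1` and will be rejected by newer clusters, and nothing in this commit applies this manifest, so if it is a leftover experiment it is safer removed than kept beside the Helm-managed ingress.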
@@ -0,0 +1,22 @@ +installCRDs: false + +server: + # this is required to disable SSL redirection, as ingress handles this + extraArgs: + - --insecure + service: + type: ClusterIP + + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: "nginx" + # (examples in docs are wrong) DO NOT use passthrough if ingress has tls settings + # nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + # nginx.ingress.kubernetes.io/ssl-passthrough: "true" + # hosts: + # - argocd.thehypepipe.co.uk + tls: + - secretName: argocd-ingress-tls + # hosts: + # - argocd.thehypepipe.co.uk diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf new file mode 100644 index 0000000..ef82b68 --- /dev/null +++ b/terraform/helm_argocd.tf 
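Review bot: `--insecure` makes argocd-server listen over plain HTTP, so the hop from the ingress controller to the pod — which carries the Argo CD session cookie and any API tokens — is unencrypted inside the cluster; the comment only says the flag is "required to disable SSL redirection", which understates what it does. Expand it to something like `# --insecure: serve plain HTTP; TLS is terminated at the nginx ingress, so in-cluster traffic to this pod is cleartext (accepted for this lab)`. Because TLS termination then rests entirely on the ingress, keeping `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` active rather than commented out would guarantee plain-HTTP requests to the host are redirected instead of relying on the controller's global default.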
@@ -0,0 +1,52 @@ +# argocd helm chart +# https://argoproj.github.io/argo-cd/ + +# https://www.terraform.io/docs/providers/kubernetes/r/namespace.html +resource "kubernetes_namespace" "argocd" { + metadata { + name = "argocd" + } + + timeouts { + delete = "15m" + } + + depends_on = [module.aks] +} + +# https://www.terraform.io/docs/providers/helm/r/release.html +resource "helm_release" "argocd" { + chart = "argo-cd" + name = "argocd" + namespace = kubernetes_namespace.argocd.metadata[0].name + repository = "https://argoproj.github.io/argo-helm" + version = var.argocd_chart_version + timeout = 600 + values = ["${file("${path.module}/files/argocd-values.yaml")}"] + + set { + name = "global.image.tag" + value = var.argocd_image_tag + } + + # TODO: test this works + # argocd.thehypepipe.co.uk + # ref: + # - https://www.xspdf.com/resolution/53846273.html + # - https://helm.sh/docs/chart_best_practices/values/ + # - https://helm.sh/docs/intro/using_helm/#the-format-and-limitations-of---set + set { + name = "server.ingress.hosts[0]" + value = "argocd.${var.dns_zone_name}" + } + + set { + name = "server.ingress.tls[0].hosts[0]" + value = "argocd.${local.dns_zone_name}" + } + + set { + name = "server.ingress.tls[0].secretName" + value = "argocd-ingress-tls" + } +} From 7c4d0139eb8a8ed86a3f013f62a674f16c360d7d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 23 Dec 2020 08:49:52 +0000 Subject: [PATCH 052/121] Added missing argo vars --- terraform/helm_argocd.tf | 2 +- terraform/variables.tf | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index ef82b68..14a038c 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -42,7 +42,7 @@ resource "helm_release" "argocd" { set { name = "server.ingress.tls[0].hosts[0]" - value = "argocd.${local.dns_zone_name}" + value = "argocd.${var.dns_zone_name}" } set { 
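Review bot: `values = ["${file("${path.module}/files/argocd-values.yaml")}"]` wraps a single expression in interpolation syntax, which Terraform 0.12 (the version pinned in this repo's devcontainer) reports as deprecated; write `values = [file("${path.module}/files/argocd-values.yaml")]`. The `# TODO: test this works` above the `set` blocks should state what is uncertain — presumably whether `server.ingress.hosts[0]` set through the provider merges correctly with the `hosts:` key the values file leaves commented out — so the next reader can actually close it. A one-line comment noting that `argocd-ingress-tls` must match the secret produced for the `argocd` namespace elsewhere in the repo would also prevent the two names drifting apart.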
diff --git a/terraform/variables.tf b/terraform/variables.tf index a81872e..5670fa5 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -75,6 +75,18 @@ variable "kured_chart_version" { variable "kured_image_tag" { default = "1.4.4" } + + +# argo cd +# https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 +variable "argocd_chart_version" { + default = "2.11.0" +} + +# https://hub.docker.com/r/argoproj/argocd/tags +variable "argocd_image_tag" { + default = "v1.8.1" +} #endregion Versions From 48381dc7ab34bee4fc26a3a2afde0e66c4f2f448 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 23 Dec 2020 09:02:10 +0000 Subject: [PATCH 053/121] Added continue-on-error to aks start step --- .github/workflows/destroy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 762aa5b..596bd62 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -100,6 +100,7 @@ jobs: # Ensure AKS cluster is running, else timeouts will occur on k8s Terraform resource destroy tasks - name: Start AKS Cluster + continue-on-error: true run: ./scripts/start_aks_cluster.sh # Prereqs From 06f87610d4f507142f1bbc234af367dc5099e37c Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 23 Dec 2020 09:11:27 +0000 Subject: [PATCH 054/121] Changed prefix --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7a02fec..d6f4136 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,7 +22,7 @@ on: # https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables env: # prefix: used for some globally unique name requirements - PREFIX: rush + PREFIX: rushabc # debug CI_DEBUG: false diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 596bd62..57db1a0 100644 
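Review bot: `continue-on-error: true` on `Start AKS Cluster` lets the job proceed when the start fails, yet the comment directly above says the step exists precisely so the Kubernetes-resource destroys that follow do not hang on timeouts — so a failed start now yields a green step followed by the slow failure the comment warns about. If the intent is to tolerate a cluster that is already stopped or deleted on a re-run (the plausible reason), say so: `# continue-on-error: cluster may already be stopped/deleted on a re-run; later destroy steps will then time out instead of failing fast`. Adding `id: start_aks` would also let a later step branch on `steps.start_aks.outcome` rather than guess. The remaining steps of this job are outside the hunk.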
--- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -18,7 +18,7 @@ on: # https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables env: # prefix: used for some globally unique name requirements - PREFIX: rush + PREFIX: rushabc # debug CI_DEBUG: true From eebf97bbe84ebf37bafe15e6d57edb85bacee7f7 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 23 Dec 2020 09:15:36 +0000 Subject: [PATCH 055/121] Changed prefix --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d6f4136..c921316 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,7 +22,7 @@ on: # https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables env: # prefix: used for some globally unique name requirements - PREFIX: rushabc + PREFIX: arshz # debug CI_DEBUG: false diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 57db1a0..c0ee166 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -18,7 +18,7 @@ on: # https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables env: # prefix: used for some globally unique name requirements - PREFIX: rushabc + PREFIX: arshz # debug CI_DEBUG: true From 9d504e4f0954ea0c9899bb27b6500ceb8486f478 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 23 Dec 2020 11:18:36 +0000 Subject: [PATCH 056/121] Changed prefix --- .github/workflows/start_aks_cluster.yml | 60 ++++++++++++------------- .github/workflows/stop_aks_cluster.yml | 60 ++++++++++++------------- 2 files changed, 60 insertions(+), 60 deletions(-) diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml index d1a9ec1..64b0d89 100644 --- a/.github/workflows/start_aks_cluster.yml 
+++ b/.github/workflows/start_aks_cluster.yml @@ -13,7 +13,7 @@ on: # global environment variables env: # prefix: used for some globally unique name requirements - PREFIX: rush + PREFIX: arshz # debug CI_DEBUG: true 
@@ -32,32 +32,32 @@ jobs: if: github.actor == github.event.repository.owner.login steps: - # Checkout - - uses: actions/checkout@v2 - # specify different branch - # NOT required as I've changed the default branch to develop - # with: - # ref: develop - - # Init tasks - inc env var concatenation - - name: Init tasks - inc Env var concatenation (Workaround) - run: | - chmod -R +x ./scripts/ - echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV - echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV - - # Login - - name: Login to Azure - run: ./scripts/azure_login.sh - - # Start - # Prereqs: https://docs.microsoft.com/en-us/azure/aks/start-stop-cluster - - name: Start AKS Cluster - run: ./scripts/start_aks_cluster.sh - - # Notify - - name: Notify slack - env: - SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Start AKS Cluster complete" + # Checkout + - uses: actions/checkout@v2 + # specify different branch + # NOT required as I've changed the default branch to develop + # with: + # ref: develop + + # Init tasks - inc env var concatenation + - name: Init tasks - inc Env var concatenation (Workaround) + run: | + chmod -R +x ./scripts/ + echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV + echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV + + # Login + - name: Login to Azure + run: ./scripts/azure_login.sh + + # Start + # Prereqs: https://docs.microsoft.com/en-us/azure/aks/start-stop-cluster + - name: Start AKS Cluster + run: ./scripts/start_aks_cluster.sh + + # Notify + - name: Notify slack + env: + SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Start AKS Cluster complete" diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index aba41e2..6672fce 100644 
--- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -13,7 +13,7 @@ on: # global environment variables env: # prefix: used for some globally unique name requirements - PREFIX: rush + PREFIX: arshz # debug CI_DEBUG: true 
@@ -32,32 +32,32 @@ jobs: if: github.actor == github.event.repository.owner.login steps: - # Checkout - - uses: actions/checkout@v2 - # specify different branch - # NOT required as I've changed the default branch to develop - # with: - # ref: develop - - # Init tasks - inc env var concatenation - - name: Init tasks - inc Env var concatenation (Workaround) - run: | - chmod -R +x ./scripts/ - echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV - echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV - - # Login - - name: Login to Azure - run: ./scripts/azure_login.sh - - # Stop - # Prereqs: https://docs.microsoft.com/en-us/azure/aks/start-stop-cluster - - name: Stop AKS Cluster - run: ./scripts/stop_aks_cluster.sh - - # Notify - - name: Notify slack - env: - SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Stop AKS Cluster complete" + # Checkout + - uses: actions/checkout@v2 + # specify different branch + # NOT required as I've changed the default branch to develop + # with: + # ref: develop + + # Init tasks - inc env var concatenation + - name: Init tasks - inc Env var concatenation (Workaround) + run: | + chmod -R +x ./scripts/ + echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV + echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV + + # Login + - name: Login to Azure + run: ./scripts/azure_login.sh + + # Stop + # Prereqs: https://docs.microsoft.com/en-us/azure/aks/start-stop-cluster + - name: Stop AKS Cluster + run: ./scripts/stop_aks_cluster.sh + + # Notify + - name: Notify slack + env: + SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Stop AKS Cluster complete" From bb06502e35a89411363fdc80db2b25d3b53a825b Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Mon, 28 Dec 2020 11:50:34 +0000 Subject: [PATCH 057/121] Changed links after repo rename from aks-nexus-velero --- .github/workflows/build.yml | 4 ++-- .github/workflows/destroy.yml | 2 +- README.md | 2 +- ansible/roles/pypi_repo/files/hello/setup.py | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c921316..90f9be8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,7 +9,7 @@ on: types: [started] # trigger via webhook - # https://github.com/adamrushuk/aks-nexus-velero/blob/master/TriggerCustomAction.ps1#L28 + # https://github.com/adamrushuk/devops-lab/blob/master/TriggerCustomAction.ps1#L28 repository_dispatch: types: [build] @@ -257,7 +257,7 @@ jobs: - name: Unregister NuGet proxy repo run: pwsh -command "Unregister-PSRepository -Name nuget.org-proxy -Verbose" - # Shows at the bottom of a run: https://github.com/adamrushuk/aks-nexus-velero/runs/1035347513?check_suite_focus=true + # Shows at the bottom of a run: https://github.com/adamrushuk/devops-lab/runs/1035347513?check_suite_focus=true - name: Pester report # TODO: remove continue-on-error once bug is fixed continue-on-error: true diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index c0ee166..0d89c49 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -5,7 +5,7 @@ name: destroy # https://help.github.com/en/actions/reference/events-that-trigger-workflows#watch-event-watch on: # trigger via webhook - # https://github.com/adamrushuk/aks-nexus-velero/blob/master/TriggerCustomAction.ps1#L28 + # https://github.com/adamrushuk/devops-lab/blob/master/TriggerCustomAction.ps1#L28 repository_dispatch: types: [destroy] diff --git a/README.md b/README.md index 3fb2828..2f26b02 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # aks-nexus-velero -[![Build environment](https://github.com/adamrushuk/aks-nexus-velero/workflows/build/badge.svg)](https://github.com/adamrushuk/aks-nexus-velero/actions?query=workflow%3A%22build) +[![Build environment](https://github.com/adamrushuk/devops-lab/workflows/build/badge.svg)](https://github.com/adamrushuk/devops-lab/actions?query=workflow%3A%22build) This is the main repo I use to test Kubernetes / DevOps applications, products, and processes. It's essentially my playground in Azure. diff --git a/ansible/roles/pypi_repo/files/hello/setup.py b/ansible/roles/pypi_repo/files/hello/setup.py index 7656d3c..4b2f519 100644 --- a/ansible/roles/pypi_repo/files/hello/setup.py +++ b/ansible/roles/pypi_repo/files/hello/setup.py @@ -14,7 +14,7 @@ long_description_content_type='text/markdown', author='Adam Rush', author_email='adam@example.com', - url='https://github.com/adamrushuk/aks-nexus-velero/tree/develop/ansible/roles/pypi_repo/files/hello/', + url='https://github.com/adamrushuk/devops-lab/tree/develop/ansible/roles/pypi_repo/files/hello/', license='MIT', packages=['helloworld'], zip_safe=False From b564d8abcd3f9626cdaf51cd94d5bbc491fc08e4 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 4 Jan 2021 06:54:14 +0000 Subject: [PATCH 058/121] Changed LA retention_in_days to 30 --- terraform/aks.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index 43d5548..f3465a9 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -25,7 +25,7 @@ resource "azurerm_log_analytics_workspace" "aks" { location = azurerm_resource_group.aks.location resource_group_name = azurerm_resource_group.aks.name sku = "Free" - retention_in_days = 7 + retention_in_days = 30 tags = var.tags lifecycle { From 43696d53de0eac55fe09f2bfadbc446adb809996 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Mon, 4 Jan 2021 07:51:43 +0000 Subject: [PATCH 059/121] Reverted LA retention_in_days to 7 --- terraform/aks.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index f3465a9..43d5548 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -25,7 +25,7 @@ resource "azurerm_log_analytics_workspace" "aks" { location = azurerm_resource_group.aks.location resource_group_name = azurerm_resource_group.aks.name sku = "Free" - retention_in_days = 30 + retention_in_days = 7 tags = var.tags lifecycle { From 0729f1f0d99cedb90d01cb8d0014313a10fca853 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 4 Jan 2021 08:06:49 +0000 Subject: [PATCH 060/121] Added DISABLED_RULES var for tflint --- scripts/tflint.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/tflint.sh b/scripts/tflint.sh index 1378ea8..b49d6f2 100644 --- a/scripts/tflint.sh +++ b/scripts/tflint.sh @@ -6,6 +6,9 @@ set -euo pipefail trap "echo 'error: Script failed: see failed command above'" ERR +# vars +DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days") + message="Downloading tflint and azurerm plugin" echo "STARTED: $message..." @@ -32,4 +35,4 @@ EOF cat .tflint.hcl # run tflint -TFLINT_LOG=debug ./tflint "$TF_WORKING_DIR" +TFLINT_LOG=debug ./tflint "$TF_WORKING_DIR" --disable-rule=$DISABLED_RULES From d9548da0cc30c2b1dd9b1482c073cf2b03bb3854 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 4 Jan 2021 16:10:21 +0000 Subject: [PATCH 061/121] Changed vm size to Standard_B4ms --- terraform/variables.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 5670fa5..df1bf7d 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -198,12 +198,15 @@ variable "agent_pool_profile_vm_size" { # 2 x CPU, 7GB RAM, 8 x Data Disks # https://docs.microsoft.com/en-us/azure/virtual-machines/dv2-dsv2-series?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#dsv2-series + # Standard_B4ms - £0.140863 per hour + # 4 x CPU, 16GB RAM, 8 x Data Disks + # Standard_D4s_v3 - £0.172911 per hour # 4 x CPU, 16GB RAM, 8 x Data Disks # Standard_F8s_v2 - £0.301104 per hour # 8 x CPU, 16GB RAM, 16 x Data Disks - default = "Standard_D4s_v3" + default = "Standard_B4ms" } variable "agent_pool_profile_os_type" { From 7d58d03ba5dd5e5d5d193cd2fb985ec5edd94e3d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 4 Jan 2021 16:47:40 +0000 Subject: [PATCH 062/121] Added continue-on-error for Slack notify steps --- .github/workflows/build.yml | 1 + .github/workflows/destroy.yml | 1 + .github/workflows/start_aks_cluster.yml | 1 + .github/workflows/stop_aks_cluster.yml | 1 + 4 files changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 90f9be8..ca92174 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -271,6 +271,7 @@ jobs: # Notify - name: Notify slack + continue-on-error: true env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 0d89c49..b18aedc 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -132,6 +132,7 @@ jobs: # Notify - name: Notify slack + continue-on-error: true env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml index 64b0d89..20f17a4 100644 --- a/.github/workflows/start_aks_cluster.yml +++ b/.github/workflows/start_aks_cluster.yml 
@@ -57,6 +57,7 @@ jobs: # Notify - name: Notify slack + continue-on-error: true env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index 6672fce..152263c 100644 --- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -57,6 +57,7 @@ jobs: # Notify - name: Notify slack + continue-on-error: true env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} From 553a03362d085bb21f0488eac72343a8f4dafa74 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 4 Jan 2021 18:59:20 +0000 Subject: [PATCH 063/121] Added shellcheck fix comment --- scripts/tflint.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/tflint.sh b/scripts/tflint.sh index b49d6f2..26bfcf6 100644 --- a/scripts/tflint.sh +++ b/scripts/tflint.sh @@ -35,4 +35,5 @@ EOF cat .tflint.hcl # run tflint -TFLINT_LOG=debug ./tflint "$TF_WORKING_DIR" --disable-rule=$DISABLED_RULES +# expand array for disabled rules +TFLINT_LOG=debug ./tflint "$TF_WORKING_DIR" --disable-rule="${DISABLED_RULES[*]}" From c6f0a9b4258680d2ed5d73dacaa6a978d87c9a6d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 4 Jan 2021 18:59:40 +0000 Subject: [PATCH 064/121] Added argocd-certificate-sync --- terraform/files/akvs-certificate-sync.yaml | 25 +++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/terraform/files/akvs-certificate-sync.yaml b/terraform/files/akvs-certificate-sync.yaml index 33b5682..3c04c7c 100644 --- a/terraform/files/akvs-certificate-sync.yaml +++ b/terraform/files/akvs-certificate-sync.yaml 
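Review bot: In the tflint.sh hunk, `--disable-rule="${DISABLED_RULES[*]}"` joins every array element into one space-separated argument, so the moment a second rule is added tflint receives `"rule_a rule_b"` as a single rule name; it only works today because the array (defined earlier in the script, outside this hunk) holds one element. Build one flag per element instead: `TFLINT_ARGS=(); for rule in "${DISABLED_RULES[@]}"; do TFLINT_ARGS+=("--disable-rule=$rule"); done` followed by `TFLINT_LOG=debug ./tflint "$TF_WORKING_DIR" "${TFLINT_ARGS[@]}"`. The shellcheck-motivated quoting is right; it is the `*` versus `@` choice plus the single `--disable-rule=` prefix that breaks for more than one rule.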
@@ -3,15 +3,34 @@ apiVersion: spv.no/v1alpha1 kind: AzureKeyVaultSecret metadata: name: certificate-sync - namespace: nexus + namespace: nexus # cert dest namespace spec: vault: - name: __KEY_VAULT_NAME__ # name of key vault + name: __KEY_VAULT_NAME__ # name of key vault object: name: __KEY_VAULT_CERT_NAME__ # key vault certificate name type: certificate output: secret: name: __K8S_TLS_SECRET_NAME__ # kubernetes secret name - type: kubernetes.io/tls # kubernetes secret type + type: kubernetes.io/tls # kubernetes secret type + chainOrder: ensureserverfirst + +--- + +apiVersion: spv.no/v1alpha1 +kind: AzureKeyVaultSecret +metadata: + name: argocd-certificate-sync + namespace: argocd # cert dest namespace +spec: + vault: + name: __KEY_VAULT_NAME__ # name of key vault + object: + name: __KEY_VAULT_CERT_NAME__ # key vault certificate name + type: certificate + output: + secret: + name: argocd-ingress-tls # kubernetes secret name + type: kubernetes.io/tls # kubernetes secret type chainOrder: ensureserverfirst From 6822a199035aad40192daf55607cc2c6315929b3 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 7 Jan 2021 07:37:16 +0000 Subject: [PATCH 065/121] Removed ingress tls from values --- terraform/files/argocd-values.yaml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/terraform/files/argocd-values.yaml b/terraform/files/argocd-values.yaml index ce270c9..91d952c 100644 --- a/terraform/files/argocd-values.yaml +++ b/terraform/files/argocd-values.yaml @@ -11,12 +11,7 @@ server: enabled: true annotations: kubernetes.io/ingress.class: "nginx" + nginx.org/hsts: "false" # (examples in docs are wrong) DO NOT use passthrough if ingress has tls settings # nginx.ingress.kubernetes.io/force-ssl-redirect: "true" # nginx.ingress.kubernetes.io/ssl-passthrough: "true" - # hosts: - # - argocd.thehypepipe.co.uk - tls: - - secretName: argocd-ingress-tls - # hosts: - # - argocd.thehypepipe.co.uk 
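Review bot: The new `argocd-certificate-sync` document syncs the same Key Vault object (`__KEY_VAULT_CERT_NAME__` appears in both documents) into a second namespace, so the certificate's private key now exists as a `kubernetes.io/tls` Secret in `argocd` as well as `nexus` and is readable by anything granted `get` or `list` on Secrets there; patches 073 and 075 add a third copy in `gitlab`. Nothing in the file records that the key is shared, so a reader of one document cannot tell that rotating or revoking it affects the others. Add a line at the top of each document, e.g. `# shared TLS cert: the same private key is also synced into the nexus and argocd namespaces`, and consider whether TLS can be terminated once at the ingress controller instead of fanning the key out per namespace.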
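Review bot: `nginx.org/hsts: "false"` is an annotation of the NGINX Inc. kubernetes-ingress controller, while the rest of this block (`kubernetes.io/ingress.class: "nginx"`, the commented `nginx.ingress.kubernetes.io/...` lines) and the `nginx_chart_version` variable that points at the ingress-nginx chart indicate the community controller, which does not read it; the line therefore most likely changes nothing while reading as if HSTS were disabled. If HSTS genuinely has to be off for this host, ingress-nginx only supports that controller-wide through its ConfigMap, which weakens every host behind it, so that should be a deliberate decision rather than an annotation; if the line was added while troubleshooting the passthrough/TLS interaction described in the comment above it, drop it. At minimum label it: `# NGINX Inc. controller annotation; ignored by ingress-nginx`.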
From f3a61ae3b6532bc75475eb6f1ccf408539527ae1 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 7 Jan 2021 07:37:33 +0000 Subject: [PATCH 066/121] Added logout url --- terraform/helm_argocd.tf | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 14a038c..47c0a6a 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -29,12 +29,6 @@ resource "helm_release" "argocd" { value = var.argocd_image_tag } - # TODO: test this works - # argocd.thehypepipe.co.uk - # ref: - # - https://www.xspdf.com/resolution/53846273.html - # - https://helm.sh/docs/chart_best_practices/values/ - # - https://helm.sh/docs/intro/using_helm/#the-format-and-limitations-of---set set { name = "server.ingress.hosts[0]" value = "argocd.${var.dns_zone_name}" @@ -49,4 +43,11 @@ resource "helm_release" "argocd" { name = "server.ingress.tls[0].secretName" value = "argocd-ingress-tls" } + + # Argo CD's externally facing base URL + # used for logout destination and when configuring SSO + set { + name = "server.config.url" + value = "https://argocd.${var.dns_zone_name}" + } } From caabfa0a81e22c80b5f511b9fa378b458aa72052 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 8 Jan 2021 08:36:33 +0000 Subject: [PATCH 067/121] Removed old ingress --- terraform/files/argocd-ingress.yaml | 24 ------------------------ 1 file changed, 24 deletions(-) delete mode 100644 terraform/files/argocd-ingress.yaml diff --git a/terraform/files/argocd-ingress.yaml b/terraform/files/argocd-ingress.yaml deleted file mode 100644 index fb6dd0b..0000000 --- a/terraform/files/argocd-ingress.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: argocd-server-ingress - namespace: argocd - annotations: - kubernetes.io/ingress.class: nginx - - # needed for passthru to self-signed cert - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" -spec: - rules: - - host: argocd.thehypepipe.co.uk - http: - paths: - - backend: - serviceName: argocd-server - servicePort: https - tls: - - hosts: - - argocd.thehypepipe.co.uk - secretName: aks-ingress-tls From 785de1bb903ec7bc703e06ebffe3c24745b7a299 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 8 Jan 2021 08:36:55 +0000 Subject: [PATCH 068/121] Changed nexus version to 3.29.2 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index df1bf7d..e80dfbb 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -35,7 +35,7 @@ variable "velero_chart_version" { # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.29.0" + default = "3.29.2" } # https://github.com/adamrushuk/charts/releases From 33728bb996cd386f6812a06a61792179e5cc428f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 9 Jan 2021 07:31:38 +0000 Subject: [PATCH 069/121] Bumped nginx to v3.19.0 --- terraform/variables.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index e80dfbb..619b686 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -18,7 +18,7 @@ variable "kubernetes_version" { # https://github.com/kubernetes/ingress-nginx/blob/ingress-nginx-3.11.0/charts/ingress-nginx/Chart.yaml#L3 # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "3.16.1" + default = "3.19.0" } # https://hub.helm.sh/charts/jetstack/cert-manager 
@@ -79,6 +79,7 @@ variable "kured_image_tag" { # argo cd # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 +# helm search repo argo/argo-cd variable "argocd_chart_version" { default = "2.11.0" } From 6b668d70d38165a86ce99a52821b1033a1f79575 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 9 Jan 2021 08:02:34 +0000 Subject: [PATCH 070/121] Fixed akv2k8s cert sync race condition --- terraform/helm_akv2k8s.tf | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/terraform/helm_akv2k8s.tf b/terraform/helm_akv2k8s.tf index 16b3718..c6e8d08 100644 --- a/terraform/helm_akv2k8s.tf +++ b/terraform/helm_akv2k8s.tf @@ -43,8 +43,7 @@ resource "local_file" "kubeconfig" { resource "null_resource" "akv2k8s_crds" { triggers = { # always_run = "${timestamp()}" - akv2k8s_yaml_contents = filemd5(var.akv2k8s_yaml_path) - cert_sync_yaml_contents = filemd5(var.cert_sync_yaml_path) + akv2k8s_yaml_contents = filemd5(var.akv2k8s_yaml_path) } provisioner "local-exec" { @@ -53,7 +52,6 @@ resource "null_resource" "akv2k8s_crds" { export KUBECONFIG=${var.aks_config_path} # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/ kubectl apply -f ${var.akv2k8s_yaml_path} - kubectl apply -f ${var.cert_sync_yaml_path} EOT } @@ -109,3 +107,24 @@ resource "helm_release" "akv2k8s" { value = "debug" } } + +# https://www.terraform.io/docs/provisioners/local-exec.html +resource "null_resource" "akv2k8s_cert_sync" { + triggers = { + # always_run = "${timestamp()}" + cert_sync_yaml_contents = filemd5(var.cert_sync_yaml_path) + } + + provisioner "local-exec" { + interpreter = ["/bin/bash", "-c"] + command = < Date: Sat, 9 Jan 2021 08:42:31 +0000 Subject: [PATCH 071/121] Added argo app def comments --- terraform/files/argocd-gitlab.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/files/argocd-gitlab.yaml b/terraform/files/argocd-gitlab.yaml index ab29106..668700d 100644 
--- a/terraform/files/argocd-gitlab.yaml +++ b/terraform/files/argocd-gitlab.yaml @@ -1,10 +1,10 @@ ---- # https://argoproj.github.io/argo-cd/user-guide/helm/ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - # ! MUST match the existing helm release name + # ! MUST match the existing helm release name: https://argoproj.github.io/argo-cd/user-guide/helm/#helm-release-name name: ar-gitlab + # namespace of argo cd deployment namespace: argocd spec: project: default @@ -15,7 +15,7 @@ spec: helm: # target helm version version: v3 - # releaseName: ar-gitlab + # values file path is relative from the source.path folder valueFiles: - ar-values-dev.yaml destination: From 0375950d4201db0126683bab5bfe3feaf3f1dccc Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 9 Jan 2021 15:04:09 +0000 Subject: [PATCH 072/121] Added CreateNamespace sync option --- terraform/files/argocd-gitlab.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/terraform/files/argocd-gitlab.yaml b/terraform/files/argocd-gitlab.yaml index 668700d..b5b66dc 100644 --- a/terraform/files/argocd-gitlab.yaml +++ b/terraform/files/argocd-gitlab.yaml @@ -17,8 +17,12 @@ spec: version: v3 # values file path is relative from the source.path folder valueFiles: - - ar-values-dev.yaml + - ar-values-dev.yaml destination: server: https://kubernetes.default.svc namespace: gitlab - syncPolicy: {} + syncPolicy: + # sync options which modifies sync behavior + syncOptions: + # namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster + - CreateNamespace=true From d06c781ba024ebebe7e3e65a7bb67368727c3761 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 9 Jan 2021 15:06:39 +0000 Subject: [PATCH 073/121] Added gitlab cert sync --- terraform/files/akvs-certificate-sync.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
diff --git a/terraform/files/akvs-certificate-sync.yaml b/terraform/files/akvs-certificate-sync.yaml index 3c04c7c..d5ef697 100644 --- a/terraform/files/akvs-certificate-sync.yaml +++ b/terraform/files/akvs-certificate-sync.yaml @@ -34,3 +34,21 @@ spec: name: argocd-ingress-tls # kubernetes secret name type: kubernetes.io/tls # kubernetes secret type chainOrder: ensureserverfirst +--- + +apiVersion: spv.no/v1alpha1 +kind: AzureKeyVaultSecret +metadata: + name: gitlab-certificate-sync + namespace: gitlab # cert dest namespace +spec: + vault: + name: __KEY_VAULT_NAME__ # name of key vault + object: + name: __KEY_VAULT_CERT_NAME__ # key vault certificate name + type: certificate + output: + secret: + name: gitlab-tls # kubernetes secret name + type: kubernetes.io/tls # kubernetes secret type + chainOrder: ensureserverfirst From ccd30e162bc2c76f91b9e153e3a66abcc9c77296 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 07:29:00 +0000 Subject: [PATCH 074/121] Changed terraform to v0.12.30 --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ca92174..ee5d22a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -61,7 +61,7 @@ env: TF_IN_AUTOMATION: "true" TF_INPUT: "false" TF_PLAN: "tfplan" - TF_VERSION: "0.12.29" # "latest" is supported + TF_VERSION: "0.12.30" # "latest" is supported TF_WORKING_DIR: ./terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index b18aedc..b62ad30 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml 
@@ -50,7 +50,7 @@ env: # terraform TF_IN_AUTOMATION: "true" TF_INPUT: "false" - TF_VERSION: "0.12.29" # "latest" is supported + TF_VERSION: "0.12.30" # "latest" is supported TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: From 49a1e86a00a70021f1fb140306ca2110edc9ba54 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 07:55:38 +0000 Subject: [PATCH 075/121] Fixed TLS cert sync for argocd and gitlab --- terraform/files/akvs-certificate-sync.yaml | 37 ------------------- .../files/argocd-akvs-certificate-sync.yaml | 17 +++++++++ .../files/gitlab-akvs-certificate-sync.yaml | 17 +++++++++ terraform/helm_argocd.tf | 22 +++++++++++ terraform/helm_gitlab.tf | 36 ++++++++++++++++++ terraform/variables.tf | 14 +++++++ 6 files changed, 106 insertions(+), 37 deletions(-) create mode 100644 terraform/files/argocd-akvs-certificate-sync.yaml create mode 100644 terraform/files/gitlab-akvs-certificate-sync.yaml create mode 100644 terraform/helm_gitlab.tf diff --git a/terraform/files/akvs-certificate-sync.yaml b/terraform/files/akvs-certificate-sync.yaml index d5ef697..0e93d81 100644 --- a/terraform/files/akvs-certificate-sync.yaml +++ b/terraform/files/akvs-certificate-sync.yaml 
@@ -15,40 +15,3 @@ spec: name: __K8S_TLS_SECRET_NAME__ # kubernetes secret name type: kubernetes.io/tls # kubernetes secret type chainOrder: ensureserverfirst - ---- - -apiVersion: spv.no/v1alpha1 -kind: AzureKeyVaultSecret -metadata: - name: argocd-certificate-sync - namespace: argocd # cert dest namespace -spec: - vault: - name: __KEY_VAULT_NAME__ # name of key vault - object: - name: __KEY_VAULT_CERT_NAME__ # key vault certificate name - type: certificate - output: - secret: - name: argocd-ingress-tls # kubernetes secret name - type: kubernetes.io/tls # kubernetes secret type - chainOrder: ensureserverfirst ---- - -apiVersion: spv.no/v1alpha1 -kind: AzureKeyVaultSecret -metadata: - name: gitlab-certificate-sync - namespace: gitlab # cert dest namespace -spec: - vault: - name: __KEY_VAULT_NAME__ # name of key vault - object: - name: __KEY_VAULT_CERT_NAME__ # key vault certificate name - type: certificate - output: - secret: - name: gitlab-tls # kubernetes secret name - type: kubernetes.io/tls # kubernetes secret type - chainOrder: ensureserverfirst diff --git a/terraform/files/argocd-akvs-certificate-sync.yaml b/terraform/files/argocd-akvs-certificate-sync.yaml new file mode 100644 index 0000000..9d1f2d8 --- /dev/null +++ b/terraform/files/argocd-akvs-certificate-sync.yaml @@ -0,0 +1,17 @@ +# https://akv2k8s.io/tutorials/sync/2-certificate/ +apiVersion: spv.no/v1alpha1 +kind: AzureKeyVaultSecret +metadata: + name: argocd-certificate-sync + namespace: argocd # cert dest namespace +spec: + vault: + name: __KEY_VAULT_NAME__ # name of key vault + object: + name: __KEY_VAULT_CERT_NAME__ # key vault certificate name + type: certificate + output: + secret: + name: argocd-ingress-tls # kubernetes secret name + type: kubernetes.io/tls # kubernetes secret type + chainOrder: ensureserverfirst diff --git a/terraform/files/gitlab-akvs-certificate-sync.yaml b/terraform/files/gitlab-akvs-certificate-sync.yaml new file mode 100644 index 0000000..0dbfcc0 --- /dev/null 
+++ b/terraform/files/gitlab-akvs-certificate-sync.yaml @@ -0,0 +1,17 @@ +# https://akv2k8s.io/tutorials/sync/2-certificate/ +apiVersion: spv.no/v1alpha1 +kind: AzureKeyVaultSecret +metadata: + name: gitlab-certificate-sync + namespace: gitlab # cert dest namespace +spec: + vault: + name: __KEY_VAULT_NAME__ # name of key vault + object: + name: __KEY_VAULT_CERT_NAME__ # key vault certificate name + type: certificate + output: + secret: + name: gitlab-tls # kubernetes secret name + type: kubernetes.io/tls # kubernetes secret type + chainOrder: ensureserverfirst diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 47c0a6a..fe39170 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -14,6 +14,28 @@ resource "kubernetes_namespace" "argocd" { depends_on = [module.aks] } +# https://www.terraform.io/docs/provisioners/local-exec.html +resource "null_resource" "argocd_cert_sync" { + triggers = { + # always_run = "${timestamp()}" + cert_sync_yaml_contents = filemd5(var.argocd_cert_sync_yaml_path) + } + + provisioner "local-exec" { + interpreter = ["/bin/bash", "-c"] + command = < Date: Sun, 10 Jan 2021 08:11:10 +0000 Subject: [PATCH 076/121] Removed namespace auto-creation --- terraform/files/argocd-gitlab.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/files/argocd-gitlab.yaml b/terraform/files/argocd-gitlab.yaml index b5b66dc..c019095 100644 --- a/terraform/files/argocd-gitlab.yaml +++ b/terraform/files/argocd-gitlab.yaml @@ -23,6 +23,6 @@ spec: namespace: gitlab syncPolicy: # sync options which modifies sync behavior - syncOptions: - # namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster - - CreateNamespace=true + syncOptions: {} + # # namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster + # - CreateNamespace=true 
From 64302d9fbf783fed6e5a2989fafdc0fb7ea6f937 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 08:40:35 +0000 Subject: [PATCH 077/121] Improved env vars --- .github/workflows/build.yml | 11 +++++------ .github/workflows/destroy.yml | 6 +++--- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ee5d22a..00939f1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,9 +37,7 @@ env: # prod or staging. # "" disables cert-manager annotations (use if you already have an existing TLS secret) CERT_API_ENVIRONMENT: "" - DNS_DOMAIN_NAME: nexus.thehypepipe.co.uk DNS_RG_NAME: rg-dns - DOCKER_FQDN: docker.thehypepipe.co.uk EMAIL_ADDRESS: certadmin@domain.com ENABLE_TLS_INGRESS: true FORCE_TEST_FAIL: false @@ -49,8 +47,6 @@ env: KEY_VAULT_RESOURCE_GROUP_NAME: rg-keyvault-acmebot # NOTE: "eastus" is cheaper than "uksouth" LOCATION: eastus - # NEXUS_ADMIN_PASSWORD: ${{ secrets.NEXUS_ADMIN_PASSWORD }} - # NEXUS_USER_PASSWORD: ${{ secrets.NEXUS_USER_PASSWORD }} NEXUS_USER_USERNAME: demo_user ROOT_DOMAIN_NAME: thehypepipe.co.uk # STORAGE_KEY: 'env var set by Get-StorageKey.ps1' 
@@ -92,12 +88,14 @@ jobs: - name: Init tasks - inc Env var concatenation (Workaround) run: | chmod -R +x ./scripts/ - echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV + echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV + echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV + echo "DOCKER_FQDN=docker.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV - echo "VELERO_STORAGE_RG=${{ env.PREFIX }}-rg-velero-dev-001" >> $GITHUB_ENV echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV + echo "VELERO_STORAGE_RG=${{ env.PREFIX }}-rg-velero-dev-001" >> $GITHUB_ENV # # Show event info # - name: Show triggered event data @@ -141,6 +139,7 @@ jobs: - name: Replace tokens in Terraform config files run: pwsh -command "./scripts/Replace-Tokens.ps1" env: + ARGOCD_ADMIN_PASSWORD: ${{ secrets.ARGOCD_ADMIN_PASSWORD }} IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }} - name: Create zip file of Function App diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index b62ad30..68e712d 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -32,7 +32,6 @@ env: # other # prod or staging CERT_API_ENVIRONMENT: staging - DNS_DOMAIN_NAME: nexus.thehypepipe.co.uk DNS_RG_NAME: rg-dns EMAIL_ADDRESS: certadmin@domain.com ENABLE_TLS_INGRESS: true 
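Review bot: `ARGOCD_ADMIN_PASSWORD` is handed to Replace-Tokens.ps1, which, judging by the `default = "__HELM_CHART_REPO_DEPLOY_PRIVATE_KEY__"` pattern visible in patch 079, rewrites `__TOKEN__` placeholders inside the Terraform sources, so the admin password ends up as a plaintext variable `default` on disk under `terraform/`, and the saved plan (`TF_PLAN: "tfplan"`) also carries variable values. Passing it at the Terraform steps as `TF_VAR_argocd_admin_password: ${{ secrets.ARGOCD_ADMIN_PASSWORD }}` with no default in variables.tf keeps it out of the rewritten files; the plan file still contains it and should not be uploaded as an artifact. Patch 078 adds `HELM_CHART_REPO_DEPLOY_PRIVATE_KEY` to the same step and the same applies, with the extra problem that a multi-line key does not fit a quoted `default` (the "Fixed multiline error" of patch 079).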
@@ -81,12 +80,13 @@ jobs: - name: Concatenate env vars (Workaround) run: | chmod -R +x ./scripts/ - echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV + echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV + echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV - echo "VELERO_STORAGE_RG=${{ env.PREFIX }}-rg-velero-dev-001" >> $GITHUB_ENV echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV + echo "VELERO_STORAGE_RG=${{ env.PREFIX }}-rg-velero-dev-001" >> $GITHUB_ENV # # Show event info # - name: Show triggered event data From 8ef47d842661516fd92af3c7b0acffe3f95fc294 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 11:07:20 +0000 Subject: [PATCH 078/121] Added argo config script --- .github/workflows/build.yml | 2 ++ .github/workflows/destroy.yml | 1 + terraform/files/scripts/argocd_config.sh | 42 ++++++++++++++++++++++++ terraform/helm_argocd.tf | 29 ++++++++++++++++ terraform/variables.tf | 12 +++++++ 5 files changed, 86 insertions(+) create mode 100644 terraform/files/scripts/argocd_config.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 00939f1..a579e87 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -90,6 +90,7 @@ jobs: chmod -R +x ./scripts/ echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV + echo "ARGO_FQDN=argo.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "DOCKER_FQDN=docker.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV 
@@ -140,6 +141,7 @@ jobs: run: pwsh -command "./scripts/Replace-Tokens.ps1" env: ARGOCD_ADMIN_PASSWORD: ${{ secrets.ARGOCD_ADMIN_PASSWORD }} + HELM_CHART_REPO_DEPLOY_PRIVATE_KEY: ${{ secrets.HELM_CHART_REPO_DEPLOY_PRIVATE_KEY }} IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }} - name: Create zip file of Function App diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 68e712d..95aaaed 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -82,6 +82,7 @@ jobs: chmod -R +x ./scripts/ echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV + echo "ARGO_FQDN=argo.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh new file mode 100644 index 0000000..f9b96db --- /dev/null +++ b/terraform/files/scripts/argocd_config.sh 
@@ -0,0 +1,42 @@
+#!/bin/bash
+#
+# Argo CD configuration
+
+# Ensure strict mode and predictable pipeline failure
+set -euo pipefail
+trap "echo 'error: Script failed: see failed command above'" ERR
+
+# Vars
+ARGOCD_PATH="./argocd"
+REPO_SSH_PRIVATE_KEY_PATH="./id_ed25519_argocd"
+
+# Install
+VERSION=$(curl --silent "https://api.github.com/repos/argoproj/argo-cd/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
+curl -SL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64"
+chmod +x "$ARGOCD_PATH"
+
+# Show version
+"$ARGOCD_PATH" version --grpc-web --server "$ARGOCD_FQDN"
+
+# Get default admin password
+# default password is server pod name, eg: "argocd-server-89c6cd7d4-xxxxx"
+DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2)
+
+# Login
+"$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$DEFAULT_ARGO_ADMIN_PASSWORD"
+
+# Update admin password
+"$ARGOCD_PATH" account update-password --grpc-web --account admin --current-password "$DEFAULT_ARGO_ADMIN_PASSWORD" --new-password "$ARGOCD_ADMIN_PASSWORD"
+
+# Show info
+"$ARGOCD_PATH" account list
+"$ARGOCD_PATH" cluster list
+"$ARGOCD_PATH" app list
+
+# Add SSH repo connection
+# Save repo private key
+echo "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY" > "$REPO_SSH_PRIVATE_KEY_PATH"
+
+# Add a Git repository via SSH using a private key for authentication
+# [OPTIONAL] use "--insecure-ignore-host-key" during testing with self-signed certs
+"$ARGOCD_PATH" repo add "$REPO_URL" --ssh-private-key-path "$REPO_SSH_PRIVATE_KEY_PATH"
diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf
index fe39170..2da9945 100644
--- a/terraform/helm_argocd.tf
+++ b/terraform/helm_argocd.tf
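Review bot: The `# Install` block resolves `releases/latest` at run time and executes the downloaded `argocd-linux-amd64` after nothing more than `chmod +x`, with no version pin and no digest check, so each run installs whatever binary the release endpoint returns that day and a changed or tampered asset would run unnoticed with the admin credentials this script handles. The deploy key is then written with `echo "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY" > "$REPO_SSH_PRIVATE_KEY_PATH"` into the working directory under the default umask (typically 0644) and is never deleted, so it outlives the script on the runner. Pin the version and its expected SHA-256, verify before `chmod +x`, create the key file under `umask 077`, and remove it on `EXIT` alongside the existing `ERR` trap; the fence below sketches this with labelled placeholders for the pinned values. Two smaller points: `DEFAULT_ARGO_ADMIN_PASSWORD` takes the pod name from `kubectl get pods ... -o name`, which yields several lines if argocd-server ever runs more than one replica, and `account update-password` from the default password only succeeds once, so re-running the script after a first success fails under `set -e`.
```shell
# Vars
ARGOCD_PATH="./argocd"
REPO_SSH_PRIVATE_KEY_PATH="./id_ed25519_argocd"
# pinned release and the SHA-256 of its argocd-linux-amd64 asset (placeholders)
ARGOCD_VERSION="<PINNED_ARGOCD_VERSION>"
ARGOCD_SHA256="<EXPECTED_SHA256_OF_argocd-linux-amd64>"

# remove the key file on any exit, success or failure
trap 'rm -f "$REPO_SSH_PRIVATE_KEY_PATH"' EXIT

# Install
curl -SL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$ARGOCD_VERSION/argocd-linux-amd64"
echo "$ARGOCD_SHA256  $ARGOCD_PATH" | sha256sum -c -
chmod +x "$ARGOCD_PATH"

# … unchanged: version, default password, login, update-password, info …

# Save repo private key readable only by the current user
(umask 077 && echo "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY" > "$REPO_SSH_PRIVATE_KEY_PATH")

# … unchanged: repo add …
```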
@@ -72,4 +72,33 @@ resource "helm_release" "argocd" { name = "server.config.url" value = "https://argocd.${var.dns_zone_name}" } + + depends_on = [ + null_resource.argocd_cert_sync + ] +} + +# post-install config +resource "null_resource" "argocd_configure" { + provisioner "local-exec" { + interpreter = ["/bin/bash", "-c"] + environment = { + ARGOCD_ADMIN_PASSWORD = var.argocd_admin_password + ARGOCD_FQDN = var.argo_fqdn + HELM_CHART_REPO_DEPLOY_PRIVATE_KEY = var.helm_chart_repo_deploy_private_key + KUBECONFIG = var.aks_config_path + REPO_URL = "git@github.com:adamrushuk/charts-private.git" + } + + command = < Date: Sun, 10 Jan 2021 11:20:19 +0000 Subject: [PATCH 079/121] Fixed multiline error --- terraform/variables.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 9fd0bae..bf1253a 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -338,7 +338,11 @@ variable "argocd_fqdn" { } variable "helm_chart_repo_deploy_private_key" { - default = "__HELM_CHART_REPO_DEPLOY_PRIVATE_KEY__" + # default = "__HELM_CHART_REPO_DEPLOY_PRIVATE_KEY__" + + default = < Date: Sun, 10 Jan 2021 11:29:14 +0000 Subject: [PATCH 080/121] Debug --- terraform/variables.tf | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index bf1253a..bebe8f8 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -338,11 +338,9 @@ variable "argocd_fqdn" { } variable "helm_chart_repo_deploy_private_key" { - # default = "__HELM_CHART_REPO_DEPLOY_PRIVATE_KEY__" - - default = < Date: Sun, 10 Jan 2021 11:38:12 +0000 Subject: [PATCH 081/121] Fixed tf var typo --- terraform/helm_argocd.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 2da9945..92715b1 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf 
@@ -84,7 +84,7 @@ resource "null_resource" "argocd_configure" { interpreter = ["/bin/bash", "-c"] environment = { ARGOCD_ADMIN_PASSWORD = var.argocd_admin_password - ARGOCD_FQDN = var.argo_fqdn + ARGOCD_FQDN = var.argocd_fqdn HELM_CHART_REPO_DEPLOY_PRIVATE_KEY = var.helm_chart_repo_deploy_private_key KUBECONFIG = var.aks_config_path REPO_URL = "git@github.com:adamrushuk/charts-private.git" From dac82f70b155f1a5b71c7ac861e107b73d15296a Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 11:46:18 +0000 Subject: [PATCH 082/121] Debug --- terraform/helm_argocd.tf | 5 ++++- terraform/variables.tf | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 92715b1..bcc0072 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -90,9 +90,12 @@ resource "null_resource" "argocd_configure" { REPO_URL = "git@github.com:adamrushuk/charts-private.git" } - command = < Date: Sun, 10 Jan 2021 11:51:41 +0000 Subject: [PATCH 083/121] Fixed argo script --- terraform/helm_argocd.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index bcc0072..7bf6821 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -93,10 +93,9 @@ resource "null_resource" "argocd_configure" { command = <<-EOT # export KUBECONFIG=${var.aks_config_path} # kubectl apply -f ${var.argocd_cert_sync_yaml_path} - ls -lah ./files/scripts chmod -R +x ./files/scripts ls -lah ./files/scripts - ./files/scripts/argocd_config.sh" + ./files/scripts/argocd_config.sh EOT } From b3929bb0360dd519c939c5852ea5dfae930a07f0 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 12:06:16 +0000 Subject: [PATCH 084/121] Changed env var name --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a579e87..27f6fda 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -90,7 +90,7 @@ jobs: chmod -R +x ./scripts/ echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV - echo "ARGO_FQDN=argo.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV + echo "ARGOCD_FQDN=argo.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "DOCKER_FQDN=docker.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 95aaaed..894993d 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -82,7 +82,7 @@ jobs: chmod -R +x ./scripts/ echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV - echo "ARGO_FQDN=argo.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV + echo "ARGOCD_FQDN=argo.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV From 455fc857522d264acbca1e39614a557792805304 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 12:15:50 +0000 Subject: [PATCH 085/121] Fixed ARGOCD_FQDN --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 27f6fda..95171cf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -90,7 +90,7 @@ jobs: chmod -R +x ./scripts/ echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV - echo "ARGOCD_FQDN=argo.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV + echo "ARGOCD_FQDN=argocd.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "DOCKER_FQDN=docker.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 894993d..a9c5596 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -82,7 +82,7 @@ jobs: chmod -R +x ./scripts/ echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV - echo "ARGOCD_FQDN=argo.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV + echo "ARGOCD_FQDN=argocd.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV From bd1f0028d55e5c8fbf28d3ef87d73f58b50e645f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 12:37:48 +0000 Subject: [PATCH 086/121] Removed old code --- terraform/helm_argocd.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 7bf6821..60ed5f9 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -91,8 +91,6 @@ resource "null_resource" "argocd_configure" { } command = <<-EOT - # export KUBECONFIG=${var.aks_config_path} - # kubectl apply -f ${var.argocd_cert_sync_yaml_path} chmod -R +x ./files/scripts ls -lah ./files/scripts ./files/scripts/argocd_config.sh 
From 41e663039dad1b1e29d258d4dbb48e0d101f9b61 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 12:38:10 +0000 Subject: [PATCH 087/121] Added logging for debugging --- terraform/files/scripts/argocd_config.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index f9b96db..e63f0cd 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -16,19 +16,24 @@ curl -SL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/downloa chmod +x "$ARGOCD_PATH" # Show version +echo "Showing Argo CD version info..." "$ARGOCD_PATH" version --grpc-web --server "$ARGOCD_FQDN" # Get default admin password # default password is server pod name, eg: "argocd-server-89c6cd7d4-xxxxx" +echo "Getting default admin password..." DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2) # Login +echo "Logging in to Argo CD..." "$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$DEFAULT_ARGO_ADMIN_PASSWORD" # Update admin password +echo "Updating default admin password..." "$ARGOCD_PATH" account update-password --grpc-web --account admin --current-password "$DEFAULT_ARGO_ADMIN_PASSWORD" --new-password "$ARGOCD_ADMIN_PASSWORD" # Show info +echo "Showing Argo CD cluster info..." "$ARGOCD_PATH" account list "$ARGOCD_PATH" cluster list "$ARGOCD_PATH" app list 
@@ -37,6 +42,13 @@ DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl get pods -n argocd -l app.kubernetes.io/na # Save repo private key echo "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY" > "$REPO_SSH_PRIVATE_KEY_PATH" +# ! TODO: Temp debugging, remove and change key once fixed +echo "TEMP DEBUGGING...REMOVE AFTERWARDS!!!!..." +echo "echo HELM_CHART_REPO_DEPLOY_PRIVATE_KEY..." +echo "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY" +echo "cat REPO_SSH_PRIVATE_KEY_PATH..." +cat "$REPO_SSH_PRIVATE_KEY_PATH" + # Add a Git repository via SSH using a private key for authentication # [OPTIONAL] use "--insecure-ignore-host-key" during testing with self-signed certs "$ARGOCD_PATH" repo add "$REPO_URL" --ssh-private-key-path "$REPO_SSH_PRIVATE_KEY_PATH" From f26f7b8358898435642c5d86f33704be9bc03291 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 13:02:57 +0000 Subject: [PATCH 088/121] Change argo ligin to be idempotent --- terraform/files/scripts/argocd_config.sh | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index e63f0cd..4779a38 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh 
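Review bot: The added debug lines `echo "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY"` and `cat "$REPO_SSH_PRIVATE_KEY_PATH"` write the Git deploy private key to stdout, which here is the local-exec output captured in the Terraform run and the CI job log, readable by anyone with access to that run. Removing the lines again in PATCH 093 (the last argocd_config.sh hunk further down this page) does not undo the exposure, so the deploy key should be treated as compromised and rotated, which the TODO itself anticipates. Where a diagnostic is genuinely needed, printing only the fingerprint with `ssh-keygen -lf "$REPO_SSH_PRIVATE_KEY_PATH"` confirms the key was written intact without revealing any secret material.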
@@ -25,12 +25,17 @@ echo "Getting default admin password..." DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2) # Login -echo "Logging in to Argo CD..." -"$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$DEFAULT_ARGO_ADMIN_PASSWORD" - -# Update admin password -echo "Updating default admin password..." -"$ARGOCD_PATH" account update-password --grpc-web --account admin --current-password "$DEFAULT_ARGO_ADMIN_PASSWORD" --new-password "$ARGOCD_ADMIN_PASSWORD" +echo "Logging in to Argo CD with default password..." +if ! "$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$DEFAULT_ARGO_ADMIN_PASSWORD"; then + + # Update admin password + echo "Updating default admin password..." + "$ARGOCD_PATH" account update-password --grpc-web --account admin --current-password "$DEFAULT_ARGO_ADMIN_PASSWORD" --new-password "$ARGOCD_ADMIN_PASSWORD" +else + echo "ERROR: Logging in to Argo CD with default password..." + echo "Attempting login with new admin password..." + "$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$ARGOCD_ADMIN_PASSWORD" +fi # Show info echo "Showing Argo CD cluster info..." From b65eeff68a6e1fd6d404c7ec93f1a94241184131 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 13:14:43 +0000 Subject: [PATCH 089/121] Fixed logic --- terraform/files/scripts/argocd_config.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index 4779a38..6ab8d87 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh 
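Review bot: The fallback `"$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$ARGOCD_ADMIN_PASSWORD"` in the new `else` branch has its exit status ignored, so when neither password works the script continues into `repo add` and the later steps without a session and the real failure is reported far from its cause. Unless the script's header (outside the hunk) sets `set -e`, guard it explicitly: `"$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$ARGOCD_ADMIN_PASSWORD" || { echo "ERROR: Argo CD login failed"; exit 1; }`. The same applies to the reworked form of this branch in PATCH 093 (the second argocd_config.sh hunk of that commit). As a caveat rather than a change request, both passwords are passed via `--password` on the command line and are therefore visible in the process argument list on the host for the duration of each call.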
@@ -26,7 +26,7 @@ DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl get pods -n argocd -l app.kubernetes.io/na # Login echo "Logging in to Argo CD with default password..." -if ! "$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$DEFAULT_ARGO_ADMIN_PASSWORD"; then +if "$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$DEFAULT_ARGO_ADMIN_PASSWORD"; then # Update admin password echo "Updating default admin password..." From d04d56609d27c3f923f7405195ce09a61c2f541b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 13:51:44 +0000 Subject: [PATCH 090/121] Debug --- terraform/files/scripts/argocd_config.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index 6ab8d87..170cd04 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -45,7 +45,11 @@ echo "Showing Argo CD cluster info..." # Add SSH repo connection # Save repo private key -echo "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY" > "$REPO_SSH_PRIVATE_KEY_PATH" +echo -e "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY" > "$REPO_SSH_PRIVATE_KEY_PATH" +ssh-keygen -lf "$REPO_SSH_PRIVATE_KEY_PATH" +ls -lah +chmod 600 "$REPO_SSH_PRIVATE_KEY_PATH" +ssh-keygen -lf "$REPO_SSH_PRIVATE_KEY_PATH" # ! TODO: Temp debugging, remove and change key once fixed echo "TEMP DEBUGGING...REMOVE AFTERWARDS!!!!..." From 4fdc9f0bef81109cb17e9b6d7c1ea4176ef7e42d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 14:11:50 +0000 Subject: [PATCH 091/121] Debug deploy key --- terraform/files/scripts/argocd_config.sh | 3 +-- terraform/variables.tf | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index 170cd04..cb7e005 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh 
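Review bot: In the PATCH 090 hunk the private key is written with `echo -e "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY" > "$REPO_SSH_PRIVATE_KEY_PATH"` and only afterwards `chmod 600`, so the file briefly exists with the default-umask mode, and `echo -e` also rewrites any backslash sequences that happen to occur in the key material. Create it with the restrictive mode from the start and write the value verbatim: `(umask 077; printf '%s\n' "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY" > "$REPO_SSH_PRIVATE_KEY_PATH")`. If `-e` was added because the secret presumably arrives with literal `\n` sequences, that is better corrected where the secret is injected than at the consumer. The bare `ls -lah` of the working directory is debug output that the following commits already trim.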
@@ -46,9 +46,8 @@ echo "Showing Argo CD cluster info..." # Add SSH repo connection # Save repo private key echo -e "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY" > "$REPO_SSH_PRIVATE_KEY_PATH" -ssh-keygen -lf "$REPO_SSH_PRIVATE_KEY_PATH" -ls -lah chmod 600 "$REPO_SSH_PRIVATE_KEY_PATH" +ls -lah "$REPO_SSH_PRIVATE_KEY_PATH" ssh-keygen -lf "$REPO_SSH_PRIVATE_KEY_PATH" # ! TODO: Temp debugging, remove and change key once fixed diff --git a/terraform/variables.tf b/terraform/variables.tf index 9546863..bebe8f8 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -339,8 +339,8 @@ variable "argocd_fqdn" { variable "helm_chart_repo_deploy_private_key" { default = <<-EOT - __HELM_CHART_REPO_DEPLOY_PRIVATE_KEY__ - EOT +__HELM_CHART_REPO_DEPLOY_PRIVATE_KEY__ +EOT } From f695486f78644dbbbaa8e8961d0e0b89615ad022 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 14:38:28 +0000 Subject: [PATCH 092/121] Added DNS_DOMAIN_NAME env var --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 95171cf..55a8be4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -301,6 +301,7 @@ jobs: run: | echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" + echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV # Login From ce671b790f1b949232808e8dd13467c48b2462b5 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 14:38:49 +0000 Subject: [PATCH 093/121] Removed temp debugging code --- terraform/files/scripts/argocd_config.sh | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index cb7e005..cd86e41 100644 --- a/terraform/files/scripts/argocd_config.sh 
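Review bot: In the variables.tf hunk, `variable "helm_chart_repo_deploy_private_key"` holds a private key but is declared without `sensitive = true`, so its value is echoed in plan and apply output whenever it changes (it is in state regardless, since the local-exec environment references it). If the Terraform version in use is 0.14 or newer, add `sensitive = true` to the block. The `__HELM_CHART_REPO_DEPLOY_PRIVATE_KEY__` placeholder also appears to be substituted into `variables.tf` on the runner, which leaves the key in a tracked source file on disk; supplying it from the CI secret via the `TF_VAR_helm_chart_repo_deploy_private_key` environment variable avoids that copy entirely.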
+++ b/terraform/files/scripts/argocd_config.sh @@ -12,7 +12,7 @@ REPO_SSH_PRIVATE_KEY_PATH="./id_ed25519_argocd" # Install VERSION=$(curl --silent "https://api.github.com/repos/argoproj/argo-cd/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/') -curl -SL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" +curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" # Show version @@ -27,12 +27,11 @@ DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl get pods -n argocd -l app.kubernetes.io/na # Login echo "Logging in to Argo CD with default password..." if "$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$DEFAULT_ARGO_ADMIN_PASSWORD"; then - - # Update admin password + # Update default admin password echo "Updating default admin password..." "$ARGOCD_PATH" account update-password --grpc-web --account admin --current-password "$DEFAULT_ARGO_ADMIN_PASSWORD" --new-password "$ARGOCD_ADMIN_PASSWORD" else - echo "ERROR: Logging in to Argo CD with default password..." + echo "WARNING: Failed to log into Argo CD using default password..." echo "Attempting login with new admin password..." "$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$ARGOCD_ADMIN_PASSWORD" fi 
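Review bot: The new `curl -sSL -o "$ARGOCD_PATH" ".../download/$VERSION/argocd-linux-amd64"` in the first hunk still fetches whatever `$VERSION` resolves to from the releases API at run time and executes it with no integrity check, so the binary that holds the admin session and registers the deploy key is both unpinned and unverified. Pin the CLI version (the chart and image are already pinned in `variables.tf`, e.g. `argocd_image_tag`) and verify the download before `chmod +x`, for example `echo "<expected_sha256>  $ARGOCD_PATH" | sha256sum -c -` with the expected value recorded next to the version. Adding `-s` also silences the progress output; `-f` (`--fail`) would additionally turn a 404 for a mistyped version into an error instead of saving an HTML error page as the binary.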
@@ -47,16 +46,9 @@ echo "Showing Argo CD cluster info..." # Save repo private key echo -e "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY" > "$REPO_SSH_PRIVATE_KEY_PATH" chmod 600 "$REPO_SSH_PRIVATE_KEY_PATH" -ls -lah "$REPO_SSH_PRIVATE_KEY_PATH" +echo "Showing public key fingerprint..." ssh-keygen -lf "$REPO_SSH_PRIVATE_KEY_PATH" -# ! TODO: Temp debugging, remove and change key once fixed -echo "TEMP DEBUGGING...REMOVE AFTERWARDS!!!!..." -echo "echo HELM_CHART_REPO_DEPLOY_PRIVATE_KEY..." -echo "$HELM_CHART_REPO_DEPLOY_PRIVATE_KEY" -echo "cat REPO_SSH_PRIVATE_KEY_PATH..." -cat "$REPO_SSH_PRIVATE_KEY_PATH" - # Add a Git repository via SSH using a private key for authentication # [OPTIONAL] use "--insecure-ignore-host-key" during testing with self-signed certs "$ARGOCD_PATH" repo add "$REPO_URL" --ssh-private-key-path "$REPO_SSH_PRIVATE_KEY_PATH" From 3f00462739898a37aa2261a04d808e1cb2ab4507 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 10 Jan 2021 15:08:15 +0000 Subject: [PATCH 094/121] Fixed DNS_DOMAIN_NAME env var test --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 55a8be4..5deabee 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -301,7 +301,7 @@ jobs: run: | echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" - echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV + echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" # Login From f46add0e6ed22072c5683e78222fd7dbfc54acf1 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Sun, 10 Jan 2021 16:10:23 +0000 Subject: [PATCH 095/121] Disable sync policy --- terraform/files/argocd-gitlab.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/terraform/files/argocd-gitlab.yaml b/terraform/files/argocd-gitlab.yaml index c019095..72206fe 100644 --- a/terraform/files/argocd-gitlab.yaml +++ b/terraform/files/argocd-gitlab.yaml @@ -21,8 +21,8 @@ spec: destination: server: https://kubernetes.default.svc namespace: gitlab - syncPolicy: - # sync options which modifies sync behavior - syncOptions: {} - # # namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster - # - CreateNamespace=true + syncPolicy: {} + # # sync options which modifies sync behavior + # syncOptions: + # # namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster + # - CreateNamespace=true From a2382683660c956f913b5d0282b50918777ec5a2 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 11 Jan 2021 09:00:57 +0000 Subject: [PATCH 096/121] Added argo app definitions --- terraform/helm_argocd.tf | 20 +++++++++++++++++++- terraform/variables.tf | 4 ++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 60ed5f9..55098fc 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -23,7 +23,7 @@ resource "null_resource" "argocd_cert_sync" { provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] - command = < Date: Wed, 13 Jan 2021 07:45:29 +0000 Subject: [PATCH 097/121] Bumped helm chart versions --- terraform/variables.tf | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index dda6b8d..9a48aec 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -16,9 +16,11 @@ variable "kubernetes_version" { # https://kubernetes.github.io/ingress-nginx/deploy/#using-helm # https://github.com/kubernetes/ingress-nginx/releases # https://github.com/kubernetes/ingress-nginx/blob/ingress-nginx-3.11.0/charts/ingress-nginx/Chart.yaml#L3 +# +# helm repo update # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "3.19.0" + default = "3.20.0" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -30,7 +32,7 @@ variable "cert_manager_chart_version" { # https://github.com/vmware-tanzu/helm-charts/releases # helm search repo vmware-tanzu/velero variable "velero_chart_version" { - default = "2.14.4" + default = "2.14.5" } # https://hub.docker.com/r/sonatype/nexus3/tags @@ -62,13 +64,13 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "4.5.0" + default = "4.5.1" } # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.2.1" + default = "2.3.1" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility @@ -81,12 +83,12 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "2.11.0" + default = "2.11.1" } # https://hub.docker.com/r/argoproj/argocd/tags variable "argocd_image_tag" { - default = "v1.8.1" + default = "v1.8.2" } #endregion Versions From 4c176caba8fd643aba77a451cd6da5e45ed41b85 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 13 Jan 2021 08:13:41 +0000 Subject: [PATCH 098/121] Changed argocd back to v2.11.0? --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 9a48aec..586ebbe 100644 
--- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -83,7 +83,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "2.11.1" + default = "2.11.0" } # https://hub.docker.com/r/argoproj/argocd/tags From 0883426d0cfd0d099e925f3b6ad1000da2e4136d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 14 Jan 2021 08:08:03 +0000 Subject: [PATCH 099/121] Added latest helm values --- terraform/helm/nginx_default_values.yaml | 730 +++++++++++++++++++++++ terraform/helm/nginx_values.yaml | 15 - terraform/helm/velero_values.yaml | 22 +- terraform/variables.tf | 2 + 4 files changed, 751 insertions(+), 18 deletions(-) create mode 100644 terraform/helm/nginx_default_values.yaml diff --git a/terraform/helm/nginx_default_values.yaml b/terraform/helm/nginx_default_values.yaml new file mode 100644 index 0000000..edb6a05 --- /dev/null +++ b/terraform/helm/nginx_default_values.yaml 
@@ -0,0 +1,730 @@ +# source: https://github.com/kubernetes/ingress-nginx/blob/helm-chart-3.20.0/charts/ingress-nginx/values.yaml + +## nginx configuration +## Ref: https://github.com/kubernetes/ingress-nginx/blob/master/controllers/nginx/configuration.md +## + +## Overrides for generated resource names +# See templates/_helpers.tpl +# nameOverride: +# fullnameOverride: + +controller: + name: controller + image: + repository: k8s.gcr.io/ingress-nginx/controller + tag: "v0.43.0" + digest: sha256:9bba603b99bf25f6d117cf1235b6598c16033ad027b143c90fa5b3cc583c5713 + pullPolicy: IfNotPresent + # www-data -> uid 101 + runAsUser: 101 + allowPrivilegeEscalation: true + + # Configures the ports the nginx-controller listens on + containerPort: + http: 80 + https: 443 + + # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + config: {} + + ## Annotations to be added to the controller config configuration configmap + ## + configAnnotations: {} + + # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers + proxySetHeaders: {} + + # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers + addHeaders: {} + + # Optionally customize the pod dnsConfig. + dnsConfig: {} + + # Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. + # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller + # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. 
+ dnsPolicy: ClusterFirst + + # Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network + # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + reportNodeInternalIp: false + + # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 + # is merged + hostNetwork: false + + ## Use host ports 80 and 443 + ## Disabled by default + ## + hostPort: + enabled: false + ports: + http: 80 + https: 443 + + ## Election ID to use for status update + ## + electionID: ingress-controller-leader + + ## Name of the ingress class to route through this controller + ## + ingressClass: nginx + + # labels to add to the pod container metadata + podLabels: {} + # key: value + + ## Security Context policies for controller pods + ## + podSecurityContext: {} + + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ### + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" + + ## Allows customization of the source of the IP address or FQDN to report + ## in the ingress status field. By default, it reads the information provided + ## by the service. If disable, the status field reports the IP address of the + ## node or nodes where an ingress controller pod is running. 
+ publishService: + enabled: true + ## Allows overriding of the publish service to bind to + ## Must be / + ## + pathOverride: "" + + ## Limit the scope of the controller + ## + scope: + enabled: false + namespace: "" # defaults to .Release.Namespace + + ## Allows customization of the configmap / nginx-configmap namespace + ## + configMapNamespace: "" # defaults to .Release.Namespace + + ## Allows customization of the tcp-services-configmap + ## + tcp: + configMapNamespace: "" # defaults to .Release.Namespace + ## Annotations to be added to the tcp config configmap + annotations: {} + + ## Allows customization of the udp-services-configmap + ## + udp: + configMapNamespace: "" # defaults to .Release.Namespace + ## Annotations to be added to the udp config configmap + annotations: {} + + # Maxmind license key to download GeoLite2 Databases + # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases + maxmindLicenseKey: "" + + ## Additional command line arguments to pass to nginx-ingress-controller + ## E.g. 
to specify the default SSL certificate you can use + ## extraArgs: + ## default-ssl-certificate: "/" + extraArgs: {} + + ## Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + + ## DaemonSet or Deployment + ## + kind: Deployment + + ## Annotations to be added to the controller Deployment or DaemonSet + ## + annotations: {} + # keel.sh/pollSchedule: "@every 60m" + + ## Labels to be added to the controller Deployment or DaemonSet + ## + labels: {} + # keel.sh/policy: patch + # keel.sh/trigger: poll + + + # The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate + + # minReadySeconds to avoid killing pods before we are ready + ## + minReadySeconds: 0 + + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Affinity and anti-affinity + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + # # An example of preferred pod anti-affinity, weight is in the range 1-100 + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 100 + # podAffinityTerm: + # labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: kubernetes.io/hostname + + # # An example of required pod anti-affinity + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # 
matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: "kubernetes.io/hostname" + + ## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: ingress-nginx-internal + + ## terminationGracePeriodSeconds + ## wait up to five minutes for the drain of connections + ## + terminationGracePeriodSeconds: 300 + + ## Node labels for controller pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: + kubernetes.io/os: linux + + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + port: 10254 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + port: 10254 + + # Path of the health check endpoint. All requests received on the port defined by + # the healthz-port parameter are forwarded internally to this path. 
+ healthCheckPath: "/healthz" + + ## Annotations to be added to controller pods + ## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + + # Define requests resources to avoid probe issues due to CPU utilization in busy nodes + # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 + # Ideally, there should be no limits. + # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ + resources: + # limits: + # cpu: 100m + # memory: 90Mi + requests: + cpu: 100m + memory: 90Mi + + # Mutually exclusive with keda autoscaling + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + autoscalingTemplate: [] + # Custom or additional autoscaling metrics + # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics + # - type: Pods + # pods: + # metric: + # name: nginx_ingress_controller_nginx_process_requests_total + # target: + # type: AverageValue + # averageValue: 10000m + + # Mutually exclusive with hpa autoscaling + keda: + apiVersion: "keda.sh/v1alpha1" + # apiVersion changes with keda 1.x vs 2.x + # 2.x = keda.sh/v1alpha1 + # 1.x = keda.k8s.io/v1alpha1 + enabled: false + minReplicas: 1 + maxReplicas: 11 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + ## Enable mimalloc as a drop-in replacement for malloc. 
+ ## ref: https://github.com/microsoft/mimalloc + ## + enableMimalloc: true + + ## Override NGINX template + customTemplate: + configMapName: "" + configMapKey: "" + + service: + enabled: true + + annotations: {} + labels: {} + # clusterIP: "" + + ## List of IP addresses at which the controller services are available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + + enableHttp: true + enableHttps: true + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + # Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + # sessionAffinity: "" + + # specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, + # the service controller allocates a port from your cluster’s NodePort range. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 + + ports: + http: 80 + https: 443 + + targetPorts: + http: http + https: https + + type: LoadBalancer + + # type: NodePort + # nodePorts: + # http: 32080 + # https: 32443 + # tcp: + # 8080: 32808 + nodePorts: + http: "" + https: "" + tcp: {} + udp: {} + + ## Enables an additional internal load balancer (besides the external one). + ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + internal: + enabled: false + annotations: {} + + # loadBalancerIP: "" + + ## Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. 
+ loadBalancerSourceRanges: [] + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + extraContainers: [] + ## Additional containers to be added to the controller pod. + ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. + # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins + + extraVolumeMounts: [] + ## Additional volumeMounts to the controller main container. + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + extraVolumes: [] + ## Additional volumes to the controller pod. + # - name: copy-portal-skins + # emptyDir: {} + + extraInitContainers: [] + ## Containers, which are run before the app containers are started. 
+ # - name: init-myservice + # image: busybox + # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + + admissionWebhooks: + annotations: {} + enabled: true + failurePolicy: Fail + # timeoutSeconds: 10 + port: 8443 + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + namespaceSelector: {} + objectSelector: {} + + service: + annotations: {} + # clusterIP: "" + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 443 + type: ClusterIP + + patch: + enabled: true + image: + repository: docker.io/jettech/kube-webhook-certgen + tag: v1.5.0 + pullPolicy: IfNotPresent + ## Provide a priority class name to the webhook patching job + ## + priorityClassName: "" + podAnnotations: {} + nodeSelector: {} + tolerations: [] + runAsUser: 2000 + + metrics: + port: 10254 + # if this port is changed, change healthz-port: in extraArgs: accordingly + enabled: false + + service: + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "10254" + + # clusterIP: "" + + ## List of IP addresses at which the stats-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9913 + type: ClusterIP + # externalTrafficPolicy: "" + # nodePort: "" + + serviceMonitor: + enabled: false + additionalLabels: {} + namespace: "" + namespaceSelector: {} + # Default: scrape .Release.Namespace only + # To scrape all, use the following: + # namespaceSelector: + # any: true + scrapeInterval: 30s + # honorLabels: true + targetLabels: [] + metricRelabelings: [] + + prometheusRule: + enabled: false + additionalLabels: {} + # namespace: "" + rules: [] + # # These are just examples rules, please adapt them to your needs + # - alert: NGINXConfigFailed + # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 + # for: 1s + # labels: + # 
severity: critical + # annotations: + # description: bad ingress config - nginx config test failed + # summary: uninstall the latest ingress changes to allow config reloads to resume + # - alert: NGINXCertificateExpiry + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: ssl certificate(s) will expire in less then a week + # summary: renew expiring certificates to avoid downtime + # - alert: NGINXTooMany500s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 5XXs + # summary: More than 5% of all requests returned 5XX, this requires your attention + # - alert: NGINXTooMany400s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 4XXs + # summary: More than 5% of all requests returned 4XX, this requires your attention + + ## Improve connection draining when ingress controller pod is deleted using a lifecycle hook: + ## With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds + ## to 300, allowing the draining of connections up to five minutes. + ## If the active connections end before that, the pod will terminate gracefully at that time. + ## To effectively take advantage of this feature, the Configmap feature + ## worker-shutdown-timeout new value is 240s instead of 10s. 
+ ## + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + + priorityClassName: "" + +## Rollback limit +## +revisionHistoryLimit: 10 + +## Default 404 backend +## +defaultBackend: + ## + enabled: false + + name: defaultbackend + image: + repository: k8s.gcr.io/defaultbackend-amd64 + tag: "1.5" + pullPolicy: IfNotPresent + # nobody user -> uid 65534 + runAsUser: 65534 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + + extraArgs: {} + + serviceAccount: + create: true + name: + ## Additional environment variables to set for defaultBackend pods + extraEnvs: [] + + port: 8080 + + ## Readiness and liveness probes for default backend + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 0 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + affinity: {} + + ## Security Context policies for controller pods + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ## + podSecurityContext: {} + + # labels to add to the pod container metadata + podLabels: {} + # key: value + + ## Node labels for default backend pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to default backend pods + ## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # 
memory: 20Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + service: + annotations: {} + + # clusterIP: "" + + ## List of IP addresses at which the default backend service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + type: ClusterIP + + priorityClassName: "" + +## Enable RBAC as per https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 +rbac: + create: true + scope: false + +# If true, create & use Pod Security Policy resources +# https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +podSecurityPolicy: + enabled: false + +serviceAccount: + create: true + name: + +## Optional array of imagePullSecrets containing private registry credentials +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: secretName + +# TCP service key:value pairs +# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tcp +## +tcp: {} +# 8080: "default/example-tcp-svc:9000" + +# UDP service key:value pairs +# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/udp +## +udp: {} +# 53: "kube-system/kube-dns:53" diff --git a/terraform/helm/nginx_values.yaml b/terraform/helm/nginx_values.yaml index 4d7248f..6407621 100644 --- a/terraform/helm/nginx_values.yaml +++ b/terraform/helm/nginx_values.yaml 
@@ -13,20 +13,6 @@ controller: redirect-to-https: "false" ssl-redirect: "false" - ## Annotations to be added to the controller config configuration configmap - ## - configAnnotations: {} - - # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers - proxySetHeaders: {} - - # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers - addHeaders: {} - - # Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network - # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply - reportNodeInternalIp: false - ## Allows customization of the source of the IP address or FQDN to report ## in the ingress status field. By default, it reads the information provided ## by the service. If disable, the status field reports the IP address of the @@ -41,7 +27,6 @@ controller: ## pathOverride: "" - ## Additional command line arguments to pass to nginx-ingress-controller ## E.g. to specify the default SSL certificate you can use ## extraArgs: diff --git a/terraform/helm/velero_values.yaml b/terraform/helm/velero_values.yaml index b3b8992..1a25bd6 100644 --- a/terraform/helm/velero_values.yaml +++ b/terraform/helm/velero_values.yaml @@ -74,6 +74,7 @@ extraVolumeMounts: [] # Settings for Velero's prometheus metrics. Enabled by default. metrics: enabled: true + scrapeInterval: 30s # Pod annotations for Prometheus podAnnotations: 
@@ -81,6 +82,10 @@ metrics: prometheus.io/port: "8085" prometheus.io/path: "/metrics" + serviceMonitor: + enabled: false + additionalLabels: {} + # Install CRDs as a templates. Enabled by default. installCRDs: true @@ -216,10 +221,19 @@ credentials: # Name of a pre-existing secret (if any) in the Velero namespace # that should be used to get IAM account credentials. Optional. existingSecret: velero-credentials - # Data to be stored in the Velero secret, if `useSecret` is - # true and `existingSecret` is empty. This should be the contents - # of your IAM credentials file. + # Data to be stored in the Velero secret, if `useSecret` is true and `existingSecret` is empty. + # As of the current Velero release, Velero only uses one secret key/value at a time. + # The key must be named `cloud`, and the value corresponds to the entire content of your IAM credentials file. + # Note that the format will be different for different providers, please check their documentation. + # Here is a list of documentation for plugins maintained by the Velero team: + # [AWS] https://github.com/vmware-tanzu/velero-plugin-for-aws/blob/main/README.md + # [GCP] https://github.com/vmware-tanzu/velero-plugin-for-gcp/blob/main/README.md + # [Azure] https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/main/README.md secretContents: {} + # cloud: | + # [default] + # aws_access_key_id= + # aws_secret_access_key= # additional key/value pairs to be used as environment variables such as "DIGITALOCEAN_TOKEN: ". Values will be stored in the secret. extraEnvVars: {} # Name of a pre-existing secret (if any) in the Velero namespace @@ -267,6 +281,8 @@ restic: # mybackup: # labels: # myenv: foo +# annotations: +# myenv: foo # schedule: "0 0 * * *" # template: # ttl: "240h" diff --git a/terraform/variables.tf b/terraform/variables.tf index 586ebbe..5c110a5 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
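Review bot: The new comment block around `secretContents: {}` now shows a worked example with `aws_access_key_id=` / `aws_secret_access_key=`, which invites someone to paste live credentials into a values file that is committed alongside the Terraform code. The visible `existingSecret: velero-credentials` means the chart already takes credentials from a pre-created Secret, so `secretContents` should stay empty in this copy. I would add one line directly above it, `# keep empty: credentials come from existingSecret; never commit them to this file`, so a later upstream sync does not turn the example into a real value.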
@@ -19,6 +19,7 @@ variable "kubernetes_version" { # # helm repo update # helm search repo ingress-nginx/ingress-nginx +# * also update terraform/helm/nginx_values.yaml variable "nginx_chart_version" { default = "3.20.0" } @@ -31,6 +32,7 @@ variable "cert_manager_chart_version" { # https://github.com/vmware-tanzu/helm-charts/releases # helm search repo vmware-tanzu/velero +# * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { default = "2.14.5" } From 49b5b107d080929a0d22d8e4879b50a6f3a7f045 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 15 Jan 2021 08:22:41 +0000 Subject: [PATCH 100/121] Added fix for nginx SSL Certificate admission webhook --- terraform/helm_argocd.tf | 3 ++- terraform/helm_nexus.tf | 4 +++- terraform/helm_nginx.tf | 26 ++++++++++++++++++++++++++ 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 55098fc..c53895e 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -74,7 +74,8 @@ resource "helm_release" "argocd" { } depends_on = [ - null_resource.argocd_cert_sync + null_resource.argocd_cert_sync, + null_resource.nginx_ready ] } diff --git a/terraform/helm_nexus.tf b/terraform/helm_nexus.tf index d0e2fe1..3e2b769 100644 --- a/terraform/helm_nexus.tf +++ b/terraform/helm_nexus.tf @@ -53,5 +53,7 @@ resource "helm_release" "nexus" { value = var.nexus_tls_secret_name } - depends_on = [helm_release.nginx] + depends_on = [ + null_resource.nginx_ready + ] } diff --git a/terraform/helm_nginx.tf b/terraform/helm_nginx.tf index 9183f50..8e32045 100644 --- a/terraform/helm_nginx.tf +++ b/terraform/helm_nginx.tf 
@@ -22,3 +22,29 @@ resource "helm_release" "nginx" { timeout = 600 values = ["${file("helm/nginx_values.yaml")}"] } + +# wait /fix for documented warning +# https://kubernetes.github.io/ingress-nginx/deploy/ +# The first time the ingress controller starts, two Jobs create the SSL Certificate used by the admission webhook. +# For this reason, there is an initial delay of up to two minutes until it is possible to create and validate Ingress +# definitions. +resource "null_resource" "nginx_ready" { + provisioner "local-exec" { + interpreter = ["/bin/bash", "-c"] + environment = { + KUBECONFIG = var.aks_config_path + } + + command = < Date: Fri, 15 Jan 2021 09:07:35 +0000 Subject: [PATCH 101/121] Revert "Added fix for nginx SSL Certificate admission webhook" This reverts commit 49b5b107d080929a0d22d8e4879b50a6f3a7f045. --- terraform/helm_argocd.tf | 3 +-- terraform/helm_nexus.tf | 4 +--- terraform/helm_nginx.tf | 26 -------------------------- 3 files changed, 2 insertions(+), 31 deletions(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index c53895e..55098fc 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -74,8 +74,7 @@ resource "helm_release" "argocd" { } depends_on = [ - null_resource.argocd_cert_sync, - null_resource.nginx_ready + null_resource.argocd_cert_sync ] } diff --git a/terraform/helm_nexus.tf b/terraform/helm_nexus.tf index 3e2b769..d0e2fe1 100644 --- a/terraform/helm_nexus.tf +++ b/terraform/helm_nexus.tf @@ -53,7 +53,5 @@ resource "helm_release" "nexus" { value = var.nexus_tls_secret_name } - depends_on = [ - null_resource.nginx_ready - ] + depends_on = [helm_release.nginx] } diff --git a/terraform/helm_nginx.tf b/terraform/helm_nginx.tf index 8e32045..9183f50 100644 --- a/terraform/helm_nginx.tf +++ b/terraform/helm_nginx.tf 
@@ -22,29 +22,3 @@ resource "helm_release" "nginx" { timeout = 600 values = ["${file("helm/nginx_values.yaml")}"] } - -# wait /fix for documented warning -# https://kubernetes.github.io/ingress-nginx/deploy/ -# The first time the ingress controller starts, two Jobs create the SSL Certificate used by the admission webhook. -# For this reason, there is an initial delay of up to two minutes until it is possible to create and validate Ingress -# definitions. -resource "null_resource" "nginx_ready" { - provisioner "local-exec" { - interpreter = ["/bin/bash", "-c"] - environment = { - KUBECONFIG = var.aks_config_path - } - - command = < Date: Fri, 15 Jan 2021 09:14:36 +0000 Subject: [PATCH 102/121] Revert nginx_chart_version to 3.19.0 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 5c110a5..5c294e7 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -21,7 +21,7 @@ variable "kubernetes_version" { # helm search repo ingress-nginx/ingress-nginx # * also update terraform/helm/nginx_values.yaml variable "nginx_chart_version" { - default = "3.20.0" + default = "3.19.0" } # https://hub.helm.sh/charts/jetstack/cert-manager From 6ddbdaa56244550615df80f9d4bf51a7ca97eb1b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 16 Jan 2021 07:43:44 +0000 Subject: [PATCH 103/121] Bumped external_dns and argocd --- terraform/variables.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 5c294e7..955ac9b 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -48,6 +48,7 @@ variable "nexus_chart_version" { default = "0.2.8" } +# https://github.com/SparebankenVest/azure-key-vault-to-kubernetes # https://github.com/SparebankenVest/public-helm-charts/releases # https://github.com/SparebankenVest/helm-charts/tree/gh-pages/akv2k8s # https://github.com/SparebankenVest/public-helm-charts/blob/master/stable/akv2k8s/Chart.yaml#L5 @@ -66,7 +67,7 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "4.5.1" + default = "4.5.3" } # https://github.com/weaveworks/kured/tree/master/charts/kured @@ -85,7 +86,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "2.11.0" + default = "2.11.2" } # https://hub.docker.com/r/argoproj/argocd/tags From b98835f2f06a5fc9114b9c5dbac1f677588ee1ac Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 16 Jan 2021 07:52:04 +0000 Subject: [PATCH 104/121] Bumped TF provider versions --- terraform/providers.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/providers.tf b/terraform/providers.tf index 6a481be..676dcd0 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -11,13 +11,13 @@ terraform { # versioning syntax: https://www.terraform.io/docs/configuration/modules.html#module-versions required_providers { # https://github.com/hashicorp/terraform-provider-helm/releases - helm = "1.3.2" + helm = "2.0.1" # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = "1.13.3" # https://github.com/terraform-providers/terraform-provider-azuread/releases - azuread = "1.1.1" + azuread = "1.2.2" random = "~> 2.2" # ~> 2.2 = 2.X.Y tls = "~> 2.1" 
@@ -31,7 +31,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { # ! WARNING: "2.39.0" was a bit flakey, so stay on "2.38.0" for the time being - version = "2.38.0" + version = "2.43.0" features {} } From 9689f1ab6522b293ee86d4d04463507dc15073e8 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 16 Jan 2021 07:58:25 +0000 Subject: [PATCH 105/121] Removed load_config_file from helm provider --- terraform/providers.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/providers.tf b/terraform/providers.tf index 676dcd0..34c8a62 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -47,7 +47,6 @@ provider "kubernetes" { provider "helm" { kubernetes { - load_config_file = false host = module.aks.full_object.kube_admin_config[0].host client_certificate = base64decode(module.aks.full_object.kube_admin_config[0].client_certificate) client_key = base64decode(module.aks.full_object.kube_admin_config[0].client_key) From 7c9f80fccb13542d3cd4d1f55155e894760829ea Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 16 Jan 2021 09:01:22 +0000 Subject: [PATCH 106/121] Bumped nginx chart to v3.20.1 --- terraform/providers.tf | 1 - terraform/variables.tf | 3 ++- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/providers.tf b/terraform/providers.tf index 34c8a62..1a6cbd9 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -30,7 +30,6 @@ terraform { # must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { - # ! WARNING: "2.39.0" was a bit flakey, so stay on "2.38.0" for the time being version = "2.43.0" features {} } diff --git a/terraform/variables.tf b/terraform/variables.tf index 955ac9b..326d8b2 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -21,7 +21,8 @@ variable "kubernetes_version" { # helm search repo ingress-nginx/ingress-nginx # * also update terraform/helm/nginx_values.yaml variable "nginx_chart_version" { - default = "3.19.0" + # ! "3.19.0" was last stable version + default = "3.20.1" } # https://hub.helm.sh/charts/jetstack/cert-manager From f668b3c436ca12c10ddee4d0c11345bc75cb0030 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 16 Jan 2021 10:30:21 +0000 Subject: [PATCH 107/121] Revert nginx_chart_version to 3.19.0 --- terraform/variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 326d8b2..95257f3 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -21,8 +21,8 @@ variable "kubernetes_version" { # helm search repo ingress-nginx/ingress-nginx # * also update terraform/helm/nginx_values.yaml variable "nginx_chart_version" { - # ! "3.19.0" was last stable version - default = "3.20.1" + # ! > "3.19.0" breaks the build + default = "3.19.0" } # https://hub.helm.sh/charts/jetstack/cert-manager From 5e43d61180e721b16a8640cba2950f582da08466 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 16 Jan 2021 15:00:32 +0000 Subject: [PATCH 108/121] Disabled Container Insights --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 95257f3..09179a9 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -165,7 +165,7 @@ variable "sla_sku" { variable "aks_container_insights_enabled" { description = "Should Container Insights monitoring be enabled" - default = true + default = false } variable "aks_config_path" { From 1fd4df095533d7fab807e531664edae134c9f8b5 Mon Sep 17 00:00:00 2001 
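Review bot: Flipping the `aks_container_insights_enabled` default to `false` switches off the log and metrics collection Container Insights provides, and the hunk records no reason for it. Once disabled, the Log Analytics workspace stops receiving container stdout/stderr and Kubernetes events, so there is no retained record to fall back on for incident response unless another collector exists (none is visible in these patches). If this is a cost or stability workaround for a short-lived dev cluster, state that in the variable itself, e.g. `description = "Should Container Insights monitoring be enabled (off by default to save cost on dev clusters; enable for anything longer-lived)"`, so the weakened default is not inherited silently by other environments.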
From: Adam Rush Date: Sat, 16 Jan 2021 15:56:24 +0000 Subject: [PATCH 109/121] Added fixed argocd cli version and ARGOCD_OPTS --- terraform/files/scripts/argocd_config.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index cd86e41..a51a0a3 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -9,15 +9,16 @@ trap "echo 'error: Script failed: see failed command above'" ERR # Vars ARGOCD_PATH="./argocd" REPO_SSH_PRIVATE_KEY_PATH="./id_ed25519_argocd" +export ARGOCD_OPTS="--grpc-web" # Install -VERSION=$(curl --silent "https://api.github.com/repos/argoproj/argo-cd/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/') +VERSION="v1.8.2" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" # Show version echo "Showing Argo CD version info..." -"$ARGOCD_PATH" version --grpc-web --server "$ARGOCD_FQDN" +"$ARGOCD_PATH" version --server "$ARGOCD_FQDN" # Get default admin password # default password is server pod name, eg: "argocd-server-89c6cd7d4-xxxxx" 
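Review bot: The pinned download is still executed without any integrity check: `curl -sSL -o "$ARGOCD_PATH" ...` followed by `chmod +x` runs whatever the release URL returns, and without `--fail` a 404 page would be written to the binary and only fail at the `version` call. Pinning `VERSION="v1.8.2"` fixes reproducibility, but a tampered or redirected download is not detected. I would change the fetch to `curl -fsSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64"` and add a digest check such as `echo "<expected-sha256>  $ARGOCD_PATH" | sha256sum -c -` before the `chmod +x`, with the expected hash recorded next to `VERSION` so bumping one forces updating the other.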
@@ -26,14 +27,14 @@ DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl get pods -n argocd -l app.kubernetes.io/na # Login echo "Logging in to Argo CD with default password..." -if "$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$DEFAULT_ARGO_ADMIN_PASSWORD"; then +if "$ARGOCD_PATH" login "$ARGOCD_FQDN" --username admin --password "$DEFAULT_ARGO_ADMIN_PASSWORD"; then # Update default admin password echo "Updating default admin password..." - "$ARGOCD_PATH" account update-password --grpc-web --account admin --current-password "$DEFAULT_ARGO_ADMIN_PASSWORD" --new-password "$ARGOCD_ADMIN_PASSWORD" + "$ARGOCD_PATH" account update-password --account admin --current-password "$DEFAULT_ARGO_ADMIN_PASSWORD" --new-password "$ARGOCD_ADMIN_PASSWORD" else echo "WARNING: Failed to log into Argo CD using default password..." echo "Attempting login with new admin password..." - "$ARGOCD_PATH" login "$ARGOCD_FQDN" --grpc-web --username admin --password "$ARGOCD_ADMIN_PASSWORD" + "$ARGOCD_PATH" login "$ARGOCD_FQDN" --username admin --password "$ARGOCD_ADMIN_PASSWORD" fi # Show info From b21d50e5ad4b46a49f2790f25bbfc04e35387e77 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 16 Jan 2021 15:57:04 +0000 Subject: [PATCH 110/121] Revert argocd_chart_version to 2.11.0 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 09179a9..9849726 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -87,7 +87,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "2.11.2" + default = "2.11.0" } # https://hub.docker.com/r/argoproj/argocd/tags From ea4a215c6f8255e4dceee1ca6a908431428e2e59 Mon Sep 17 00:00:00 2001 
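Review bot: Both `login` calls and the `update-password` call still pass the admin password as a command-line argument, so `$DEFAULT_ARGO_ADMIN_PASSWORD` and `$ARGOCD_ADMIN_PASSWORD` are visible in the process table for the duration of each call and would be echoed verbatim if tracing (`set -x`) is ever enabled earlier in the script, which this hunk does not show. Moving `--grpc-web` into `ARGOCD_OPTS` does not change that exposure. If the pinned CLI offers a stdin or environment-variable form for the password, prefer it; otherwise add a comment above the first `login`, e.g. `# NOTE: password is passed via argv (visible to ps); never enable tracing in this script`, so the trade-off is explicit. The default password is derived from the server pod name (context above the hunk) and is low-value, but the new admin password is not.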
From: Adam Rush Date: Sat, 16 Jan 2021 16:35:07 +0000 Subject: [PATCH 111/121] Changed aks node size back to Standard_D4s_v3 --- terraform/variables.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 9849726..76649ac 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -205,6 +205,7 @@ variable "agent_pool_profile_vm_size" { # 2 x CPU, 7GB RAM, 8 x Data Disks # https://docs.microsoft.com/en-us/azure/virtual-machines/dv2-dsv2-series?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#dsv2-series + # ! Standard_B4ms can cause performance issues # Standard_B4ms - £0.140863 per hour # 4 x CPU, 16GB RAM, 8 x Data Disks @@ -213,7 +214,7 @@ variable "agent_pool_profile_vm_size" { # Standard_F8s_v2 - £0.301104 per hour # 8 x CPU, 16GB RAM, 16 x Data Disks - default = "Standard_B4ms" + default = "Standard_D4s_v3" } variable "agent_pool_profile_os_type" { From cc026fd5bf63336ffd75e7458b003d72579293f0 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 16 Jan 2021 16:57:04 +0000 Subject: [PATCH 112/121] Added atomic for helm releases --- terraform/dns.tf | 1 + terraform/helm_aad_pod_identity.tf | 6 ++++-- terraform/helm_akv2k8s.tf | 1 + terraform/helm_argocd.tf | 11 ++++++----- terraform/helm_cert_manager.tf | 1 + terraform/helm_kured.tf | 1 + terraform/helm_nexus.tf | 1 + terraform/helm_nginx.tf | 1 + terraform/velero.tf | 2 +- 9 files changed, 17 insertions(+), 8 deletions(-) diff --git a/terraform/dns.tf b/terraform/dns.tf index 09a0f59..d220320 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -82,6 +82,7 @@ resource "helm_release" "external_dns" { repository = "https://charts.bitnami.com/bitnami" version = var.external_dns_chart_version timeout = 600 + atomic = true # values = [file("helm/NOT_USED.yaml")] set { diff --git a/terraform/helm_aad_pod_identity.tf b/terraform/helm_aad_pod_identity.tf index b4a41e5..9018b63 100644 
--- a/terraform/helm_aad_pod_identity.tf +++ b/terraform/helm_aad_pod_identity.tf @@ -44,21 +44,23 @@ resource "helm_release" "aad_pod_identity" { repository = "https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts" version = var.aad_pod_identity_chart_version timeout = 600 + atomic = true values = [ file("helm/aad_pod_identity_values.yaml"), data.template_file.azureIdentities.rendered ] + # should only be required for helm v2 set { name = "installCRDs" - value = "true" + value = "false" } # allow Kubenet: https://azure.github.io/aad-pod-identity/docs/configure/aad_pod_identity_on_kubenet/ set { name = "nmi.allowNetworkPluginKubenet" - value = "true" + value = "false" } # https://github.com/Azure/aad-pod-identity/wiki/Debugging#increasing-the-verbosity-of-the-logs diff --git a/terraform/helm_akv2k8s.tf b/terraform/helm_akv2k8s.tf index c6e8d08..7e61508 100644 --- a/terraform/helm_akv2k8s.tf +++ b/terraform/helm_akv2k8s.tf @@ -101,6 +101,7 @@ resource "helm_release" "akv2k8s" { repository = "http://charts.spvapi.no" version = var.akv2k8s_chart_version timeout = 600 + atomic = true set { name = "controller.logLevel" diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 55098fc..7206538 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -44,6 +44,7 @@ resource "helm_release" "argocd" { repository = "https://argoproj.github.io/argo-helm" version = var.argocd_chart_version timeout = 600 + atomic = true values = ["${file("${path.module}/files/argocd-values.yaml")}"] set { 
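Review bot: The two value flips in the aad-pod-identity hunk are unrelated to the commit's stated purpose (atomic releases), and the second leaves its comment contradicting the value: the line above `nmi.allowNetworkPluginKubenet` still reads `# allow Kubenet: ...` while the value becomes `"false"`. Upstream documents that flag as an explicit opt-in acknowledging the ARP-spoofing exposure NMI has on kubenet clusters and refuses to run NMI on kubenet without it, so if this AKS cluster uses kubenet (not visible here) the change breaks pod identity, and if it uses Azure CNI the comment is now misleading. I would either split these two settings into their own commit with the reason, or at least rewrite the comment, e.g. `# cluster uses Azure CNI, so NMI's kubenet override stays off (upstream warns of ARP spoofing on kubenet)`. The `helm_release` block continues outside the hunk.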
@@ -83,11 +84,11 @@ resource "null_resource" "argocd_configure" { provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] environment = { - ARGOCD_ADMIN_PASSWORD = var.argocd_admin_password - ARGOCD_FQDN = var.argocd_fqdn + ARGOCD_ADMIN_PASSWORD = var.argocd_admin_password + ARGOCD_FQDN = var.argocd_fqdn HELM_CHART_REPO_DEPLOY_PRIVATE_KEY = var.helm_chart_repo_deploy_private_key - KUBECONFIG = var.aks_config_path - REPO_URL = "git@github.com:adamrushuk/charts-private.git" + KUBECONFIG = var.aks_config_path + REPO_URL = "git@github.com:adamrushuk/charts-private.git" } command = <<-EOT @@ -110,7 +111,7 @@ resource "null_resource" "argocd_apps" { environment = { KUBECONFIG = var.aks_config_path } - command = <<-EOT + command = <<-EOT kubectl apply -f ${var.gitlab_argocd_app_path} EOT } diff --git a/terraform/helm_cert_manager.tf b/terraform/helm_cert_manager.tf index 448ca38..feb0f72 100644 --- a/terraform/helm_cert_manager.tf +++ b/terraform/helm_cert_manager.tf @@ -11,6 +11,7 @@ resource "helm_release" "cert_manager" { repository = "https://charts.jetstack.io" version = var.cert_manager_chart_version timeout = 600 + atomic = true set { name = "global.logLevel" diff --git a/terraform/helm_kured.tf b/terraform/helm_kured.tf index b9a7344..1ce3b27 100644 --- a/terraform/helm_kured.tf +++ b/terraform/helm_kured.tf @@ -22,6 +22,7 @@ resource "helm_release" "kured" { repository = "https://weaveworks.github.io/kured" version = var.kured_chart_version timeout = 600 + atomic = true values = ["${file("helm/kured_values.yaml")}"] diff --git a/terraform/helm_nexus.tf b/terraform/helm_nexus.tf index d0e2fe1..958ab92 100644 --- a/terraform/helm_nexus.tf +++ b/terraform/helm_nexus.tf @@ -20,6 +20,7 @@ resource "helm_release" "nexus" { repository = "https://adamrushuk.github.io/charts/" version = var.nexus_chart_version timeout = 600 + atomic = true values = ["${file("helm/nexus_values.yaml")}"] 
diff --git a/terraform/helm_nginx.tf b/terraform/helm_nginx.tf index 9183f50..03c9146 100644 --- a/terraform/helm_nginx.tf +++ b/terraform/helm_nginx.tf @@ -20,5 +20,6 @@ resource "helm_release" "nginx" { repository = "https://kubernetes.github.io/ingress-nginx" version = var.nginx_chart_version timeout = 600 + atomic = true values = ["${file("helm/nginx_values.yaml")}"] } diff --git a/terraform/velero.tf b/terraform/velero.tf index 6bb1ee3..5678f06 100644 --- a/terraform/velero.tf +++ b/terraform/velero.tf @@ -88,13 +88,13 @@ EOT resource "helm_release" "velero" { count = var.velero_enabled ? 1 : 0 - atomic = true chart = "velero" name = "velero" namespace = kubernetes_namespace.velero[0].metadata[0].name repository = "https://vmware-tanzu.github.io/helm-charts" version = var.velero_chart_version timeout = 600 + atomic = true values = ["${file("helm/velero_values.yaml")}"] From 068425ec52acb0567e89b134398669b16b1ea7d0 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 16 Jan 2021 17:27:21 +0000 Subject: [PATCH 113/121] Removed old comments --- .github/workflows/build.yml | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5deabee..16a6442 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -98,26 +98,6 @@ jobs: echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV echo "VELERO_STORAGE_RG=${{ env.PREFIX }}-rg-velero-dev-001" >> $GITHUB_ENV - # # Show event info - # - name: Show triggered event data - # run: pwsh -command "./scripts/Get-EventData.ps1" - # env: - # GITHUB_CONTEXT: ${{ toJson(github) }} - - # # Linting multiple languages - # - name: Lint Code Base - # uses: github/super-linter@v3 - # env: - # DEFAULT_BRANCH: develop - # # VALIDATE_ALL_CODEBASE: false - # VALIDATE_ANSIBLE: true - # VALIDATE_BASH: true - # VALIDATE_POWERSHELL: true - # VALIDATE_SHELL_SHFMT: true - # VALIDATE_TERRAFORM: true - # VALIDATE_TERRAFORM_TERRASCAN: true - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # Login - name: Login to Azure @@ -297,7 +277,6 @@ jobs: # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#environment-files - name: Init tasks - inc Env var concatenation (Workaround) # * NOTE: different syntax required for Windows agents - # ! Docs say to use "$env:GITHUB_PATH", but only "$env:GITHUB_ENV" worked for me run: | echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" From 31afe9ba55947b3937b971b1145db568e16bc718 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 16 Jan 2021 17:28:42 +0000 Subject: [PATCH 114/121] Disabled nginx admission webhooks --- nginx/default_nginx_values.yaml | 24 +- terraform/helm/nginx_default_values.yaml | 730 ----------------------- terraform/helm_nginx.tf | 5 + terraform/variables.tf | 4 +- 4 files changed, 24 insertions(+), 739 deletions(-) delete mode 100644 terraform/helm/nginx_default_values.yaml diff --git a/nginx/default_nginx_values.yaml b/nginx/default_nginx_values.yaml index 04b6d94..8c60a24 100644 --- a/nginx/default_nginx_values.yaml 
+++ b/nginx/default_nginx_values.yaml @@ -1,13 +1,20 @@ -# source: https://github.com/kubernetes/ingress-nginx/blob/ingress-nginx-3.11.0/charts/ingress-nginx/values.yaml +# source: https://github.com/kubernetes/ingress-nginx/blob/helm-chart-3.20.1/charts/ingress-nginx/values.yaml ## nginx configuration ## Ref: https://github.com/kubernetes/ingress-nginx/blob/master/controllers/nginx/configuration.md ## + +## Overrides for generated resource names +# See templates/_helpers.tpl +# nameOverride: +# fullnameOverride: + controller: + name: controller image: repository: k8s.gcr.io/ingress-nginx/controller - tag: "v0.41.2" - digest: sha256:1f4f402b9c14f3ae92b11ada1dfe9893a88f0faeb0b2f4b903e2c67a0c3bf0de + tag: "v0.43.0" + digest: sha256:9bba603b99bf25f6d117cf1235b6598c16033ad027b143c90fa5b3cc583c5713 pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 @@ -115,6 +122,10 @@ controller: ## Annotations to be added to the udp config configmap annotations: {} + # Maxmind license key to download GeoLite2 Databases + # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases + maxmindLicenseKey: "" + ## Additional command line arguments to pass to nginx-ingress-controller ## E.g. to specify the default SSL certificate you can use ## extraArgs: @@ -398,6 +409,8 @@ controller: enabled: false annotations: {} + # loadBalancerIP: "" + ## Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. loadBalancerSourceRanges: [] @@ -576,16 +589,13 @@ controller: ## revisionHistoryLimit: 10 -# Maxmind license key to download GeoLite2 Databases -# https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases -maxmindLicenseKey: "" - ## Default 404 backend ## defaultBackend: ## enabled: false + name: defaultbackend image: repository: k8s.gcr.io/defaultbackend-amd64 tag: "1.5" 
diff --git a/terraform/helm/nginx_default_values.yaml b/terraform/helm/nginx_default_values.yaml deleted file mode 100644 index edb6a05..0000000 --- a/terraform/helm/nginx_default_values.yaml +++ /dev/null 
@@ -1,730 +0,0 @@ -# source: https://github.com/kubernetes/ingress-nginx/blob/helm-chart-3.20.0/charts/ingress-nginx/values.yaml - -## nginx configuration -## Ref: https://github.com/kubernetes/ingress-nginx/blob/master/controllers/nginx/configuration.md -## - -## Overrides for generated resource names -# See templates/_helpers.tpl -# nameOverride: -# fullnameOverride: - -controller: - name: controller - image: - repository: k8s.gcr.io/ingress-nginx/controller - tag: "v0.43.0" - digest: sha256:9bba603b99bf25f6d117cf1235b6598c16033ad027b143c90fa5b3cc583c5713 - pullPolicy: IfNotPresent - # www-data -> uid 101 - runAsUser: 101 - allowPrivilegeEscalation: true - - # Configures the ports the nginx-controller listens on - containerPort: - http: 80 - https: 443 - - # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ - config: {} - - ## Annotations to be added to the controller config configuration configmap - ## - configAnnotations: {} - - # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers - proxySetHeaders: {} - - # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers - addHeaders: {} - - # Optionally customize the pod dnsConfig. - dnsConfig: {} - - # Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. - # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller - # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. 
- dnsPolicy: ClusterFirst - - # Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network - # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply - reportNodeInternalIp: false - - # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), - # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 - # is merged - hostNetwork: false - - ## Use host ports 80 and 443 - ## Disabled by default - ## - hostPort: - enabled: false - ports: - http: 80 - https: 443 - - ## Election ID to use for status update - ## - electionID: ingress-controller-leader - - ## Name of the ingress class to route through this controller - ## - ingressClass: nginx - - # labels to add to the pod container metadata - podLabels: {} - # key: value - - ## Security Context policies for controller pods - ## - podSecurityContext: {} - - ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - ## notes on enabling and using sysctls - ### - sysctls: {} - # sysctls: - # "net.core.somaxconn": "8192" - - ## Allows customization of the source of the IP address or FQDN to report - ## in the ingress status field. By default, it reads the information provided - ## by the service. If disable, the status field reports the IP address of the - ## node or nodes where an ingress controller pod is running. 
- publishService: - enabled: true - ## Allows overriding of the publish service to bind to - ## Must be / - ## - pathOverride: "" - - ## Limit the scope of the controller - ## - scope: - enabled: false - namespace: "" # defaults to .Release.Namespace - - ## Allows customization of the configmap / nginx-configmap namespace - ## - configMapNamespace: "" # defaults to .Release.Namespace - - ## Allows customization of the tcp-services-configmap - ## - tcp: - configMapNamespace: "" # defaults to .Release.Namespace - ## Annotations to be added to the tcp config configmap - annotations: {} - - ## Allows customization of the udp-services-configmap - ## - udp: - configMapNamespace: "" # defaults to .Release.Namespace - ## Annotations to be added to the udp config configmap - annotations: {} - - # Maxmind license key to download GeoLite2 Databases - # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases - maxmindLicenseKey: "" - - ## Additional command line arguments to pass to nginx-ingress-controller - ## E.g. 
to specify the default SSL certificate you can use - ## extraArgs: - ## default-ssl-certificate: "/" - extraArgs: {} - - ## Additional environment variables to set - extraEnvs: [] - # extraEnvs: - # - name: FOO - # valueFrom: - # secretKeyRef: - # key: FOO - # name: secret-resource - - ## DaemonSet or Deployment - ## - kind: Deployment - - ## Annotations to be added to the controller Deployment or DaemonSet - ## - annotations: {} - # keel.sh/pollSchedule: "@every 60m" - - ## Labels to be added to the controller Deployment or DaemonSet - ## - labels: {} - # keel.sh/policy: patch - # keel.sh/trigger: poll - - - # The update strategy to apply to the Deployment or DaemonSet - ## - updateStrategy: {} - # rollingUpdate: - # maxUnavailable: 1 - # type: RollingUpdate - - # minReadySeconds to avoid killing pods before we are ready - ## - minReadySeconds: 0 - - - ## Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - ## Affinity and anti-affinity - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## - affinity: {} - # # An example of preferred pod anti-affinity, weight is in the range 1-100 - # podAntiAffinity: - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight: 100 - # podAffinityTerm: - # labelSelector: - # matchExpressions: - # - key: app.kubernetes.io/name - # operator: In - # values: - # - ingress-nginx - # - key: app.kubernetes.io/instance - # operator: In - # values: - # - ingress-nginx - # - key: app.kubernetes.io/component - # operator: In - # values: - # - controller - # topologyKey: kubernetes.io/hostname - - # # An example of required pod anti-affinity - # podAntiAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # - labelSelector: - # 
matchExpressions: - # - key: app.kubernetes.io/name - # operator: In - # values: - # - ingress-nginx - # - key: app.kubernetes.io/instance - # operator: In - # values: - # - ingress-nginx - # - key: app.kubernetes.io/component - # operator: In - # values: - # - controller - # topologyKey: "kubernetes.io/hostname" - - ## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: failure-domain.beta.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - # labelSelector: - # matchLabels: - # app.kubernetes.io/instance: ingress-nginx-internal - - ## terminationGracePeriodSeconds - ## wait up to five minutes for the drain of connections - ## - terminationGracePeriodSeconds: 300 - - ## Node labels for controller pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: - kubernetes.io/os: linux - - ## Liveness and readiness probe values - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## - livenessProbe: - failureThreshold: 5 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - port: 10254 - readinessProbe: - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - port: 10254 - - # Path of the health check endpoint. All requests received on the port defined by - # the healthz-port parameter are forwarded internally to this path. 
- healthCheckPath: "/healthz" - - ## Annotations to be added to controller pods - ## - podAnnotations: {} - - replicaCount: 1 - - minAvailable: 1 - - # Define requests resources to avoid probe issues due to CPU utilization in busy nodes - # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 - # Ideally, there should be no limits. - # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ - resources: - # limits: - # cpu: 100m - # memory: 90Mi - requests: - cpu: 100m - memory: 90Mi - - # Mutually exclusive with keda autoscaling - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 11 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - - autoscalingTemplate: [] - # Custom or additional autoscaling metrics - # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics - # - type: Pods - # pods: - # metric: - # name: nginx_ingress_controller_nginx_process_requests_total - # target: - # type: AverageValue - # averageValue: 10000m - - # Mutually exclusive with hpa autoscaling - keda: - apiVersion: "keda.sh/v1alpha1" - # apiVersion changes with keda 1.x vs 2.x - # 2.x = keda.sh/v1alpha1 - # 1.x = keda.k8s.io/v1alpha1 - enabled: false - minReplicas: 1 - maxReplicas: 11 - pollingInterval: 30 - cooldownPeriod: 300 - restoreToOriginalReplicaCount: false - triggers: [] - # - type: prometheus - # metadata: - # serverAddress: http://:9090 - # metricName: http_requests_total - # threshold: '100' - # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) - - behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 - - ## Enable mimalloc as a drop-in replacement for malloc. 
- ## ref: https://github.com/microsoft/mimalloc - ## - enableMimalloc: true - - ## Override NGINX template - customTemplate: - configMapName: "" - configMapKey: "" - - service: - enabled: true - - annotations: {} - labels: {} - # clusterIP: "" - - ## List of IP addresses at which the controller services are available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - - enableHttp: true - enableHttps: true - - ## Set external traffic policy to: "Local" to preserve source IP on - ## providers supporting it - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" - - # Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". - # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - # sessionAffinity: "" - - # specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, - # the service controller allocates a port from your cluster’s NodePort range. - # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - # healthCheckNodePort: 0 - - ports: - http: 80 - https: 443 - - targetPorts: - http: http - https: https - - type: LoadBalancer - - # type: NodePort - # nodePorts: - # http: 32080 - # https: 32443 - # tcp: - # 8080: 32808 - nodePorts: - http: "" - https: "" - tcp: {} - udp: {} - - ## Enables an additional internal load balancer (besides the external one). - ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service. - internal: - enabled: false - annotations: {} - - # loadBalancerIP: "" - - ## Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. 
- loadBalancerSourceRanges: [] - - ## Set external traffic policy to: "Local" to preserve source IP on - ## providers supporting it - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" - - extraContainers: [] - ## Additional containers to be added to the controller pod. - ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. - # - name: my-sidecar - # image: nginx:latest - # - name: lemonldap-ng-controller - # image: lemonldapng/lemonldap-ng-controller:0.2.0 - # args: - # - /lemonldap-ng-controller - # - --alsologtostderr - # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration - # env: - # - name: POD_NAME - # valueFrom: - # fieldRef: - # fieldPath: metadata.name - # - name: POD_NAMESPACE - # valueFrom: - # fieldRef: - # fieldPath: metadata.namespace - # volumeMounts: - # - name: copy-portal-skins - # mountPath: /srv/var/lib/lemonldap-ng/portal/skins - - extraVolumeMounts: [] - ## Additional volumeMounts to the controller main container. - # - name: copy-portal-skins - # mountPath: /var/lib/lemonldap-ng/portal/skins - - extraVolumes: [] - ## Additional volumes to the controller pod. - # - name: copy-portal-skins - # emptyDir: {} - - extraInitContainers: [] - ## Containers, which are run before the app containers are started. 
- # - name: init-myservice - # image: busybox - # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] - - admissionWebhooks: - annotations: {} - enabled: true - failurePolicy: Fail - # timeoutSeconds: 10 - port: 8443 - certificate: "/usr/local/certificates/cert" - key: "/usr/local/certificates/key" - namespaceSelector: {} - objectSelector: {} - - service: - annotations: {} - # clusterIP: "" - externalIPs: [] - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 443 - type: ClusterIP - - patch: - enabled: true - image: - repository: docker.io/jettech/kube-webhook-certgen - tag: v1.5.0 - pullPolicy: IfNotPresent - ## Provide a priority class name to the webhook patching job - ## - priorityClassName: "" - podAnnotations: {} - nodeSelector: {} - tolerations: [] - runAsUser: 2000 - - metrics: - port: 10254 - # if this port is changed, change healthz-port: in extraArgs: accordingly - enabled: false - - service: - annotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: "10254" - - # clusterIP: "" - - ## List of IP addresses at which the stats-exporter service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 9913 - type: ClusterIP - # externalTrafficPolicy: "" - # nodePort: "" - - serviceMonitor: - enabled: false - additionalLabels: {} - namespace: "" - namespaceSelector: {} - # Default: scrape .Release.Namespace only - # To scrape all, use the following: - # namespaceSelector: - # any: true - scrapeInterval: 30s - # honorLabels: true - targetLabels: [] - metricRelabelings: [] - - prometheusRule: - enabled: false - additionalLabels: {} - # namespace: "" - rules: [] - # # These are just examples rules, please adapt them to your needs - # - alert: NGINXConfigFailed - # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 - # for: 1s - # labels: - # 
severity: critical - # annotations: - # description: bad ingress config - nginx config test failed - # summary: uninstall the latest ingress changes to allow config reloads to resume - # - alert: NGINXCertificateExpiry - # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 - # for: 1s - # labels: - # severity: critical - # annotations: - # description: ssl certificate(s) will expire in less then a week - # summary: renew expiring certificates to avoid downtime - # - alert: NGINXTooMany500s - # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 - # for: 1m - # labels: - # severity: warning - # annotations: - # description: Too many 5XXs - # summary: More than 5% of all requests returned 5XX, this requires your attention - # - alert: NGINXTooMany400s - # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 - # for: 1m - # labels: - # severity: warning - # annotations: - # description: Too many 4XXs - # summary: More than 5% of all requests returned 4XX, this requires your attention - - ## Improve connection draining when ingress controller pod is deleted using a lifecycle hook: - ## With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds - ## to 300, allowing the draining of connections up to five minutes. - ## If the active connections end before that, the pod will terminate gracefully at that time. - ## To effectively take advantage of this feature, the Configmap feature - ## worker-shutdown-timeout new value is 240s instead of 10s. 
- ## - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - - priorityClassName: "" - -## Rollback limit -## -revisionHistoryLimit: 10 - -## Default 404 backend -## -defaultBackend: - ## - enabled: false - - name: defaultbackend - image: - repository: k8s.gcr.io/defaultbackend-amd64 - tag: "1.5" - pullPolicy: IfNotPresent - # nobody user -> uid 65534 - runAsUser: 65534 - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - - extraArgs: {} - - serviceAccount: - create: true - name: - ## Additional environment variables to set for defaultBackend pods - extraEnvs: [] - - port: 8080 - - ## Readiness and liveness probes for default backend - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - ## - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - initialDelaySeconds: 0 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 5 - - ## Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - affinity: {} - - ## Security Context policies for controller pods - ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - ## notes on enabling and using sysctls - ## - podSecurityContext: {} - - # labels to add to the pod container metadata - podLabels: {} - # key: value - - ## Node labels for default backend pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - - ## Annotations to be added to default backend pods - ## - podAnnotations: {} - - replicaCount: 1 - - minAvailable: 1 - - resources: {} - # limits: - # cpu: 10m - # memory: 20Mi - # requests: - # cpu: 10m - # 
memory: 20Mi - - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 2 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - - service: - annotations: {} - - # clusterIP: "" - - ## List of IP addresses at which the default backend service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 80 - type: ClusterIP - - priorityClassName: "" - -## Enable RBAC as per https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 -rbac: - create: true - scope: false - -# If true, create & use Pod Security Policy resources -# https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -podSecurityPolicy: - enabled: false - -serviceAccount: - create: true - name: - -## Optional array of imagePullSecrets containing private registry credentials -## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ -imagePullSecrets: [] -# - name: secretName - -# TCP service key:value pairs -# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tcp -## -tcp: {} -# 8080: "default/example-tcp-svc:9000" - -# UDP service key:value pairs -# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/udp -## -udp: {} -# 53: "kube-system/kube-dns:53" diff --git a/terraform/helm_nginx.tf b/terraform/helm_nginx.tf index 03c9146..3a4ac0a 100644 --- a/terraform/helm_nginx.tf +++ b/terraform/helm_nginx.tf @@ -22,4 +22,9 @@ resource "helm_release" "nginx" { timeout = 600 atomic = true values = ["${file("helm/nginx_values.yaml")}"] + + set { + name = "controller.admissionWebhooks.enabled" + value = false + } } diff --git a/terraform/variables.tf b/terraform/variables.tf index 76649ac..ba52c22 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
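Review bot: Setting `controller.admissionWebhooks.enabled` to `false` switches off the validating webhook that the chart enables by default with `failurePolicy: Fail` (visible in the deleted default values above), so Ingress objects are no longer checked against the rendered nginx configuration before they are stored, and one Ingress that renders to an invalid config can break reloads for every host served by this controller. The same commit removes the `# ! > "3.19.0" breaks the build` comment in variables.tf, which suggests the webhook was what broke the build and this `set` block is the workaround; if so, record that next to it, e.g. `# TODO: re-enable; admission webhook disabled because it broke the build on chart 3.20.x`, so the weakened validation is not carried forward silently. Consider also putting the override in helm/nginx_values.yaml with the other values instead of a separate `set` block, so all deviations from the upstream defaults are visible in one place.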
@@ -21,8 +21,7 @@ variable "kubernetes_version" { # helm search repo ingress-nginx/ingress-nginx # * also update terraform/helm/nginx_values.yaml variable "nginx_chart_version" { - # ! > "3.19.0" breaks the build - default = "3.19.0" + default = "3.20.1" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -60,6 +59,7 @@ variable "akv2k8s_chart_version" { # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity +# TODO: change to 3.0.0 variable "aad_pod_identity_chart_version" { default = "2.1.0" } From e544c405f5ad18b70d0fbe8f10111a6bdcebf7f0 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 17 Jan 2021 07:12:47 +0000 Subject: [PATCH 115/121] Added comment --- terraform/files/scripts/argocd_config.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index a51a0a3..c8ddaf6 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -17,7 +17,7 @@ curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/downlo chmod +x "$ARGOCD_PATH" # Show version -echo "Showing Argo CD version info..." +echo "Showing Argo CD version info for [$ARGOCD_FQDN]..." "$ARGOCD_PATH" version --server "$ARGOCD_FQDN" # Get default admin password From 5fba19d3accc29ed56bb4d7b921efc9fb3746c70 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 17 Jan 2021 07:24:01 +0000 Subject: [PATCH 116/121] Changed aad-pod-identity to v3.0.0 (breaking changes) --- aad-pod-identity/default-values.yaml | 195 -------------------- terraform/files/azureIdentities.yaml.tpl | 2 +- terraform/helm/aad_pod_identity_values.yaml | 51 ++++- terraform/variables.tf | 3 +- 4 files changed, 46 insertions(+), 205 deletions(-) delete mode 100644 aad-pod-identity/default-values.yaml 
diff --git a/aad-pod-identity/default-values.yaml b/aad-pod-identity/default-values.yaml deleted file mode 100644 index 4fc2bc9..0000000 --- a/aad-pod-identity/default-values.yaml +++ /dev/null 
@@ -1,195 +0,0 @@ -# Default values for aad-pod-identity-helm. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -nameOverride: "" -fullnameOverride: "" - -image: - repository: mcr.microsoft.com/k8s/aad-pod-identity - imagePullPolicy: Always - -# https://github.com/Azure/aad-pod-identity#4-optional-match-pods-in-the-namespace -# By default, AAD Pod Identity matches pods to identities across namespaces. -# To match only pods in the namespace containing AzureIdentity set this to true. -forceNameSpaced: "false" - -# When NMI runs on a node where MIC is running, then MIC token request call is also -# intercepted by NMI. MIC can't get a valid token as to initialize and then -# assign the identity. Installing an exception for MIC would ensure all token requests -# for MIC pods directly go to IMDS and not go through the pod-identity validation -# https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.app-exception.md -installMICException: "true" - -## If using a separate service principal for aad-pod-identity instead of cluster service principal specify the following -## (The chart will perform the base64 encoding for you for values that are stored in secrets.) -adminsecret: {} -# cloud: -# subscriptionID: -# resourceGroup: -# vmType: <`standard` for normal virtual machine nodes, and `vmss` for cluster deployed with a virtual machine scale set> -# tenantID: -# clientID: -# clientSecret: - -# Operation mode for pod-identity. Default is standard mode that has MIC doing identity assignment -# Allowed values: "standard", "managed" -operationMode: "standard" - -mic: - image: mic - tag: 1.6.2 - - priorityClassName: "" - - # log level. 
Uses V logs (glog) - logVerbosity: 0 - - resources: - limits: - cpu: 200m - memory: 1024Mi - requests: - cpu: 100m - memory: 256Mi - - podAnnotations: {} - - ## Node labels for pod assignment - ## aad-pod-identity is currently only supported on linux - nodeSelector: - kubernetes.io/os: linux - - tolerations: [] - - affinity: {} - - leaderElection: - # Override leader election instance name (default is 'hostname') - instance: "" - # Override the namespace to create leader election objects (default is default namespace) - namespace: "" - # Override leader election name (default is aad-pod-identity-mic) - name: "" - # Override leader election duration (default is 15s) - duration: "" - - # Override http liveliness probe port (default is 8080) - probePort: "" - - # Override interval in seconds at which sync loop should periodically check for errors and reconcile (default is 3600s) - syncRetryDuration: "" - - # Override the defult value of immutable identities. - immutableUserMSIs: [] - # Example of MSIs (should be replaced with the real client ids) - #- "00000000-0000-0000-0000-000000000000" - #- "11111111-1111-1111-1111-111111111111" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#batch-create-delete-flag - # default value is 20 - createDeleteBatch: "" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#client-qps-flag - # default value is 5 - clientQps: "" - - # default value is 8888 - # prometheus port for metrics - prometheusPort: "" - - # cloud configuration used to authenticate with Azure - cloudConfig: "/etc/kubernetes/azure.json" - - # The maximum retry of UpdateUserMSI call. MIC updates all the identities in a batch. If a single identity contains an error - # or is invalid, then the entire operation fails. Configuring this flag will make MIC retry by removing the erroneous identities - # returned in the error - # Default value is 2. 
- updateUserMSIMaxRetry: "" - - # The duration to wait before retrying UpdateUserMSI (batch assigning/un-assigning identity from VM/VMSS) in case of errors - # Default value is 1s - updateUserMSIRetryInterval: "" - -nmi: - image: nmi - tag: 1.6.2 - - priorityClassName: "" - - resources: - limits: - cpu: 200m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - - podAnnotations: {} - - ## Node labels for pod assignment - ## aad-pod-identity is currently only supported on linux - nodeSelector: - kubernetes.io/os: linux - - tolerations: [] - - affinity: {} - - # Override iptables update interval in seconds (default is 60) - ipTableUpdateTimeIntervalInSeconds: "" - - # Override mic namespace to short circuit MIC token requests (default is default namespace) - micNamespace: "" - - # Override http liveliness probe port (default is 8080) - probePort: "8085" - - # Override number of retries in NMI to find assigned identity in CREATED state (default is 16) - retryAttemptsForCreated: "" - - # Override number of retries in NMI to find assigned identity in ASSIGNED state (default is 4) - retryAttemptsForAssigned: "" - - # Override retry interval to find assigned identities in seconds (default is 5) - findIdentityRetryIntervalInSeconds: "" - - # Enable scale features - https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#enable-scale-features-flag - # Accepted values are true/false. Default is false. 
- enableScaleFeatures: "" - - # default value is 9090 - # prometheus port for metrics - prometheusPort: "" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#block-instance-metadata-flag - # default is false - blockInstanceMetadata: "" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#metadata-header-required-flag - # default is false - metadataHeaderRequired: "" - -rbac: - enabled: true - # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity. - # If using only MSI (type: 0) in AzureIdentity, secret get permission can be disabled by setting this to false. - allowAccessToSecrets: true - -# Create azure identities and bindings -azureIdentities: [] - # - name: "azure-identity" - # # if not defined, then the azure identity will be deployed in the same namespace as the chart - # namespace: "" - # # type 0: MSI, type 1: Service Principal - # type: 0 - # # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name - # resourceID: "" - # clientID: "" - # binding: - # name: "azure-identity-binding" - # # The selector will also need to be included in labels for app deployment - # selector: "demo" - -# If true, install necessary custom resources. -installCRDs: false diff --git a/terraform/files/azureIdentities.yaml.tpl b/terraform/files/azureIdentities.yaml.tpl index a37dcce..345dfa9 100644 --- a/terraform/files/azureIdentities.yaml.tpl +++ b/terraform/files/azureIdentities.yaml.tpl @@ -1,5 +1,5 @@ azureIdentities: - - name: "velero" + "velero": # if not defined, then the azure identity will be deployed in the same namespace as the chart namespace: "" # type 0: MSI, type 1: Service Principal diff --git a/terraform/helm/aad_pod_identity_values.yaml b/terraform/helm/aad_pod_identity_values.yaml index 2f5c077..31f16b2 100644 
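Review bot: The context comment `# type 0: MSI, type 1: Service Principal` that now sits under the new `"velero":` map key is out of step with the v3 chart defaults updated in this same commit, which document `# type 0: User-assigned identity, type 1: Service Principal, type 2: Service principal with certificate`; align the template's comment with it so the two files agree. The rest of the `velero` entry lies outside the hunk, so whether its keys still nest under the new map key after the list-to-map change cannot be confirmed from here; a mis-nested entry would render without a YAML error, so check the rendered template once.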
--- a/terraform/helm/aad_pod_identity_values.yaml +++ b/terraform/helm/aad_pod_identity_values.yaml @@ -1,4 +1,5 @@ -# source: https://github.com/Azure/aad-pod-identity/blob/v1.7.0/charts/aad-pod-identity/values.yaml +# source: https://github.com/Azure/aad-pod-identity/blob/v1.7.1/charts/aad-pod-identity/values.yaml + # Default values for aad-pod-identity-helm. # This is a YAML-formatted file. # Declare variables to be passed into your templates. @@ -17,7 +18,13 @@ image: # https://github.com/Azure/aad-pod-identity#4-optional-match-pods-in-the-namespace # By default, AAD Pod Identity matches pods to identities across namespaces. # To match only pods in the namespace containing AzureIdentity set this to true. -forceNameSpaced: "false" +# DEPRECATED - use 'forceNamespaced' instead. +forceNameSpaced: "" + +# https://github.com/Azure/aad-pod-identity#4-optional-match-pods-in-the-namespace +# By default, AAD Pod Identity matches pods to identities across namespaces. +# To match only pods in the namespace containing AzureIdentity set this to true. +forceNamespaced: "false" # When NMI runs on a node where MIC is running, then MIC token request call is also # intercepted by NMI. MIC can't get a valid token as to initialize and then @@ -44,7 +51,7 @@ operationMode: "standard" mic: image: mic - tag: v1.7.0 + tag: v1.7.1 priorityClassName: "" 
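Review bot: `forceNamespaced: "false"` keeps cross-namespace matching, so a pod in any namespace that carries the binding's selector label can be matched to the `velero` identity declared in azureIdentities.yaml.tpl; unless a workload outside velero's namespace genuinely needs that identity, set `forceNamespaced: "true"` and note why in a comment above it. The chart marks `forceNameSpaced` as deprecated, so the now-empty `forceNameSpaced: ""` can be dropped once nothing else reads it. Whether this file is the one passed to the aad-pod-identity helm_release is not visible in the hunk, so confirm the consumer before relying on either setting.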
@@ -71,6 +78,22 @@ mic: affinity: {} + # Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/component: mic + + # Limit the number of concurrent disruptions that your application experiences, + # allowing for higher availability while permitting the cluster administrator to manage the clusters nodes. + # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: {} + # minAvailable: 1 + leaderElection: # Override leader election instance name (default is 'hostname') instance: "" @@ -124,7 +147,7 @@ mic: nmi: image: nmi - tag: v1.7.0 + tag: v1.7.1 priorityClassName: "" @@ -189,6 +212,10 @@ nmi: # default is false allowNetworkPluginKubenet: false + # Path to kubelet default config. + # default is /etc/default/kubelet + kubeletConfig: "/etc/default/kubelet" + rbac: enabled: true # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity. 
@@ -196,15 +223,25 @@ rbac: allowAccessToSecrets: true # Create azure identities and bindings -azureIdentities: [] - # - name: "azure-identity" +# This is a map with the AzureIdentityName being the key and the rest of the blob as value in accordance +# to helm best practices: https://helm.sh/docs/chart_best_practices/values/#consider-how-users-will-use-your-values +azureIdentities: + # "azure-identity": # # if not defined, then the azure identity will be deployed in the same namespace as the chart # namespace: "" - # # type 0: MSI, type 1: Service Principal + # # type 0: User-assigned identity, type 1: Service Principal, type 2: Service principal with certificate # type: 0 # # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name + # # Required for type 0 # resourceID: "" + # # Required for type 0, 1 and 2 # clientID: "" + # # Required for type 1 and 2 + # tenantID: "" + # # Required for type 1 and 2 + # clientPassword: "{\"name\":\"\",\"namespace\":\"\"}" + # # Optional for type 1 and 2 (multi-tenant) + # auxiliaryTenantIDs: [] # binding: # name: "azure-identity-binding" # # The selector will also need to be included in labels for app deployment diff --git a/terraform/variables.tf b/terraform/variables.tf index ba52c22..4c8bedc 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -59,9 +59,8 @@ variable "akv2k8s_chart_version" { # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity -# TODO: change to 3.0.0 variable "aad_pod_identity_chart_version" { - default = "2.1.0" + default = "3.0.0" } # https://bitnami.com/stack/external-dns/helm From d02727913bc7431efd5ab7050d6559cf85608342 Mon Sep 17 00:00:00 2001 
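Review bot: `azureIdentities:` is now a bare key followed only by comment lines, so it parses as `null` rather than an empty map; write `azureIdentities: {}` so the intended type is explicit and does not depend on how the chart template guards a nil value. The list-to-map change is the breaking part of the 2.1.0 to 3.0.0 chart bump in the variables.tf hunk on this line, so any Terraform `set` entries still addressing `azureIdentities[0].…` (not visible here) would need the `azureIdentities.<name>.…` form. The commented `clientPassword` example references a Secret by name and namespace rather than an inline value, which is the pattern to keep when this block is filled in.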
From: Adam Rush Date: Sun, 17 Jan 2021 07:25:48 +0000 Subject: [PATCH 117/121] Changed Terraform version to v0.12.30 --- .devcontainer/Dockerfile | 2 +- terraform/providers.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index da8a084..1550014 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -45,7 +45,7 @@ RUN if [ "${INSTALL_AZURE_CLI}" = "true" ]; then bash /tmp/library-scripts/azcli # Install Terraform, tflint, Go, PowerShell, and other useful tools # TODO: move this into main "RUN" layer above -ARG TERRAFORM_VERSION=0.12.29 +ARG TERRAFORM_VERSION=0.12.30 ARG TFLINT_VERSION=0.18.0 RUN bash /tmp/library-scripts/terraform-debian.sh "${TERRAFORM_VERSION}" "${TFLINT_VERSION}" \ && bash /tmp/library-scripts/powershell-debian.sh \ diff --git a/terraform/providers.tf b/terraform/providers.tf index 1a6cbd9..1205713 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -24,7 +24,7 @@ terraform { } # 0.12.X - required_version = "~> 0.12.29" # https://github.com/hashicorp/terraform/releases + required_version = "~> 0.12.30" # https://github.com/hashicorp/terraform/releases } # must include blank features block From e1ed9d55c5e018c15e47696c90ff9b5008f594d1 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 17 Jan 2021 07:26:26 +0000 Subject: [PATCH 118/121] Changed Terraform version to v0.12.30 --- .devcontainer/Dockerfile | 2 +- .devcontainer/devcontainer.json | 2 +- terraform/providers.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index da8a084..1550014 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile 
@@ -45,7 +45,7 @@ RUN if [ "${INSTALL_AZURE_CLI}" = "true" ]; then bash /tmp/library-scripts/azcli # Install Terraform, tflint, Go, PowerShell, and other useful tools # TODO: move this into main "RUN" layer above -ARG TERRAFORM_VERSION=0.12.29 +ARG TERRAFORM_VERSION=0.12.30 ARG TFLINT_VERSION=0.18.0 RUN bash /tmp/library-scripts/terraform-debian.sh "${TERRAFORM_VERSION}" "${TFLINT_VERSION}" \ && bash /tmp/library-scripts/powershell-debian.sh \ diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index ebb495b..40a933d 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "build": { "dockerfile": "Dockerfile", "args": { - "TERRAFORM_VERSION": "0.12.29", + "TERRAFORM_VERSION": "0.12.30", "TFLINT_VERSION": "0.22.0", "INSTALL_AZURE_CLI": "true", "INSTALL_DOCKER": "true", diff --git a/terraform/providers.tf b/terraform/providers.tf index 1a6cbd9..1205713 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -24,7 +24,7 @@ terraform { } # 0.12.X - required_version = "~> 0.12.29" # https://github.com/hashicorp/terraform/releases + required_version = "~> 0.12.30" # https://github.com/hashicorp/terraform/releases } # must include blank features block From 6dff07b1a62cf99a70fc21dcb89fe25ece15b13d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 17 Jan 2021 08:01:40 +0000 Subject: [PATCH 119/121] Added url health check/wait for argocd script --- terraform/files/scripts/argocd_config.sh | 8 ++++++++ terraform/helm_argocd.tf | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index c8ddaf6..bbfee97 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh 
@@ -10,12 +10,20 @@ trap "echo 'error: Script failed: see failed command above'" ERR ARGOCD_PATH="./argocd" REPO_SSH_PRIVATE_KEY_PATH="./id_ed25519_argocd" export ARGOCD_OPTS="--grpc-web" +ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install VERSION="v1.8.2" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" +# Wait for URL to be responsive +ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" +while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' $ARGOCD_HEALTH_CHECK_URL)" != "200" ]]; do + echo "Checking ArgoCD is ready on [$ARGOCD_HEALTH_CHECK_URL]..." + sleep 10 +done + # Show version echo "Showing Argo CD version info for [$ARGOCD_FQDN]..." "$ARGOCD_PATH" version --server "$ARGOCD_FQDN" diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 7206538..0f373bd 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -94,7 +94,7 @@ resource "null_resource" "argocd_configure" { command = <<-EOT chmod -R +x ./files/scripts ls -lah ./files/scripts - ./files/scripts/argocd_config.sh + timeout 5m ./files/scripts/argocd_config.sh EOT } From 1360e7e7ffef20c1ada6a58aa850f1643b3552c7 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 17 Jan 2021 08:24:54 +0000 Subject: [PATCH 120/121] Cleanup --- terraform/files/scripts/argocd_config.sh | 4 ++-- terraform/helm_argocd.tf | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index bbfee97..aa79fb2 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh 
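Review bot: The readiness loop's `curl` has no `--max-time`, so a connection that accepts but never answers stalls an iteration indefinitely, and the only bound on the whole wait is the caller's `timeout 5m` added in the helm_argocd.tf hunk on this line; the URL is also unquoted, and `-w ''%{http_code}''` is a confusing spelling of `-w '%{http_code}'`. Suggest `while [[ "$(curl -s --max-time 10 -o /dev/null -w '%{http_code}' "$ARGOCD_HEALTH_CHECK_URL")" != "200" ]]; do`. Keep TLS verification enabled as it is now: a certificate that is not yet issued yields `000` and simply extends the wait, which is the intended behaviour. The same loop line is carried over unchanged by the PATCH 120 cleanup hunk on the next line, so the fix applies there too.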
@@ -18,9 +18,9 @@ curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/downlo chmod +x "$ARGOCD_PATH" # Wait for URL to be responsive -ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" +echo "Checking ArgoCD is ready on [$ARGOCD_HEALTH_CHECK_URL]..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' $ARGOCD_HEALTH_CHECK_URL)" != "200" ]]; do - echo "Checking ArgoCD is ready on [$ARGOCD_HEALTH_CHECK_URL]..." + echo "Still waiting for ArgoCD to be ready on [$ARGOCD_HEALTH_CHECK_URL]..." sleep 10 done diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 0f373bd..92f74e3 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -93,7 +93,6 @@ resource "null_resource" "argocd_configure" { command = <<-EOT chmod -R +x ./files/scripts - ls -lah ./files/scripts timeout 5m ./files/scripts/argocd_config.sh EOT } From a0529d3b3447040ce26d9d540fd72d541354553d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 17 Jan 2021 15:51:03 +0000 Subject: [PATCH 121/121] Changed PR template --- .github/pull_request_template.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 7852590..5c61f7c 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,22 +1,22 @@ ## Description - +Recent fixes and features ## Acceptance Checklist - [ ] Are the source and target branches correct? -- [ ] Has there been a successful build for the latest commit? +- [ ] Has there been a successful build and destroy for the latest commit? ## Release Notes ### Added -- ISSUE_NAME. Closed #xxx +- ISSUE_OR_FEATURE_DESCRIPTION. Closed #xxx ### Changed -- ISSUE_NAME. Closed #xxx +- ISSUE_OR_FEATURE_DESCRIPTION. Closed #xxx ### Fixed -- ISSUE_NAME. Closed #xxx +- ISSUE_OR_FEATURE_DESCRIPTION. Closed #xxx