kubeconfig code/doc and misc updates. (#137)

sassoftware · Apr 2, 2021 · bffef6d · bffef6d
1 parent 5e8a515
commit bffef6d
Show file tree

Hide file tree

Showing 19 changed files with 183 additions and 20 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 ARG TERRAFORM_VERSION=0.13.6
-ARG AZURECLI_VERSION=2.19.1
+ARG AZURECLI_VERSION=2.21.0
 
 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform
 FROM mcr.microsoft.com/azure-cli:$AZURECLI_VERSION

diff --git a/container-structure-test.yaml b/container-structure-test.yaml
@@ -26,7 +26,7 @@ commandTests:
       - -c
       - |
         az version -o tsv
-    expectedOutput: ["2.19.1\t2.19.1\t1.0.6"]
+    expectedOutput: ["2.21.0\t2.21.0\t1.0.6"]
 
 metadataTest:
   workdir: "/viya4-iac-azure"

diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
@@ -110,8 +110,9 @@ The default values for the subnets variable are:
 }
 ```
 
-### Use Exisiting
-When desiring to deploy into exising resource group, vnet, subnets, or network security group the varaiables below can be used to define the exsting resources
+### Use Existing
+
+When desiring to deploy into existing resource group, vnet, subnets, or network security group the variables below can be used to define the exiting resources
 
 | Name | Description | Type | Default | Notes |
 | :--- | ---: | ---: | ---: | ---: |
@@ -140,6 +141,7 @@ Ubuntu 18.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu cr
 | Name | Description | Type | Default | Notes |
 | :--- | ---: | ---: | ---: | ---: |
 | partner_id | A GUID that is registered with Microsoft to facilitate partner resource usage attribution | string | "5d27f3ae-e49c-4dea-9aa3-b44e4750cd8c" | Defaults to SAS partner GUID, when you deploy this Terraform configurations, Microsoft can identify the installation of SAS software with the deployed Azure resources. Microsoft can correlate these resources used to support the software. Microsoft collects this information to provide the best experiences with their products and to operate their business. The data is collected and governed by Microsoft's privacy policies, located at https://www.microsoft.com/trustcenter. |
+| create_static_kubeconfig | Allows the user to create a provider / service account based kube config file | bool | false | A value of `false` will default to using the cloud providers mechanism for generating the kubeconfig file. A value of `true` will create a static kubeconfig which utilizes a `Service Account` and `Cluster Role Binding` to provide credentials. |
 | kubernetes_version | The AKS cluster K8S version | string | "1.18.14" | |
 | create_jump_vm | Create bastion host | bool | true | |
 | create_jump_public_ip | Add public ip to jump VM | bool | true | |

diff --git a/cloud-init/jump/cloud-config → files/cloud-init/jump/cloud-config b/cloud-init/jump/cloud-config → files/cloud-init/jump/cloud-config
diff --git a/cloud-init/nfs/cloud-config → files/cloud-init/nfs/cloud-config b/cloud-init/nfs/cloud-config → files/cloud-init/nfs/cloud-config
@@ -35,7 +35,7 @@ runcmd:
   # Update systemctl services
   #
   - systemctl enable nfs-kernel-server
-  - systemctl start nfs-kerneel-server
+  - systemctl start nfs-kernel-server
   - systemctl enable rpc-statd
   - systemctl start rpc-statd
   #

diff --git a/files/sas-iac-buildinfo.yaml.tmpl → files/templates/sas-iac-buildinfo.yaml.tmpl b/files/sas-iac-buildinfo.yaml.tmpl → files/templates/sas-iac-buildinfo.yaml.tmpl
diff --git a/files/iac_git_info.sh → files/tools/iac_git_info.sh b/files/iac_git_info.sh → files/tools/iac_git_info.sh
diff --git a/files/iac_tooling_version.sh → files/tools/iac_tooling_version.sh b/files/iac_tooling_version.sh → files/tools/iac_tooling_version.sh
diff --git a/files/terraform_env_variable_helper.sh → files/tools/terraform_env_variable_helper.sh b/files/terraform_env_variable_helper.sh → files/tools/terraform_env_variable_helper.sh
diff --git a/main.tf b/main.tf
@@ -84,7 +84,7 @@ module "vnet" {
 }
 
 data "template_file" "jump-cloudconfig" {
-  template = file("${path.module}/cloud-init/jump/cloud-config")
+  template = file("${path.module}/files/cloud-init/jump/cloud-config")
   vars = {
     nfs_rwx_filestore_endpoint = var.storage_type == "ha" ? module.netapp.0.netapp_endpoint : module.nfs.0.private_ip_address
     nfs_rwx_filestore_path     = var.storage_type == "ha" ? module.netapp.0.netapp_path : "/export"
@@ -125,7 +125,7 @@ module "jump" {
 }
 
 data "template_file" "nfs-cloudconfig" {
-  template = file("${path.module}/cloud-init/nfs/cloud-config")
+  template = file("${path.module}/files/cloud-init/nfs/cloud-config")
   vars = {
     base_cidr_block = element(module.vnet.address_space, 0)
     vm_admin        = var.nfs_vm_admin
@@ -245,14 +245,30 @@ module "aks" {
   depends_on = [module.vnet]
 }
 
+module "kubeconfig" {
+  source                   = "./modules/kubeconfig"
+  prefix                   = var.prefix
+  create_static_kubeconfig = var.create_static_kubeconfig
+  path                     = local.kubeconfig_path
+  namespace                = "kube-system"
+
+  cluster_name             = module.aks.name
+  endpoint                 = module.aks.host
+  ca_crt                   = module.aks.cluster_ca_certificate
+  client_crt               = module.aks.client_certificate
+  client_key               = module.aks.client_key
+  token                    = module.aks.cluster_password
+
+  depends_on = [ module.aks ]
+}
+
 data "azurerm_public_ip" "aks_public_ip" {
   name                = split("/", module.aks.cluster_slb_ip_id)[8]
   resource_group_name = "MC_${module.resource_group.name}_${module.aks.name}_${module.resource_group.location}"
 
   depends_on = [module.aks, module.node_pools]
 }
 
-
 module "node_pools" {
   source = "./modules/aks_node_pool"
 
@@ -328,19 +344,12 @@ module "netapp" {
   depends_on            = [module.resource_group]
 }
 
-resource "local_file" "kubeconfig" {
-  content  = module.aks.kube_config
-  filename = local.kubeconfig_path
-
-  depends_on = [module.aks]
-}
-
 data "external" "git_hash" {
-  program = ["files/iac_git_info.sh"]
+  program = ["files/tools/iac_git_info.sh"]
 }
 
 data "external" "iac_tooling_version" {
-  program = ["files/iac_tooling_version.sh"]
+  program = ["files/tools/iac_tooling_version.sh"]
 }
 
 resource "kubernetes_config_map" "sas_iac_buildinfo" {

diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf
@@ -54,6 +54,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
     node_count            = var.aks_cluster_node_count
     vnet_subnet_id        = var.aks_vnet_subnet_id
     tags                  = var.aks_cluster_tags
+    orchestrator_version  = var.kubernetes_version
   }
 
   identity {

diff --git a/modules/kubeconfig/main.tf b/modules/kubeconfig/main.tf
@@ -0,0 +1,76 @@
+locals {
+  service_account_name        = "${var.prefix}-cluster-admin-sa"
+  cluster_role_binding_name   = "${var.prefix}-cluster-admin-crb"
+  service_account_secret_name = "${var.prefix}-sa-secret"
+}
+
+# Provider based kube config data/template/resources
+data "template_file" "kubeconfig_provider" {
+  count = var.create_static_kubeconfig ? 0 : 1
+  template = file("${path.module}/templates/kubeconfig-provider.tmpl")
+
+  vars = {
+    cluster_name = var.cluster_name
+    endpoint     = var.endpoint
+    ca_crt       = var.ca_crt
+    client_crt   = var.client_crt
+    client_key   = var.client_key
+    token        = var.token
+  }
+}
+
+# Service Account based kube config data/template/resources
+data "kubernetes_secret" "sa_secret" {
+  count = var.create_static_kubeconfig ? 1 : 0
+  metadata {
+    name      = kubernetes_service_account.kubernetes_sa.0.default_secret_name
+    namespace = var.namespace
+  }
+}
+
+data "template_file" "kubeconfig_sa" {
+  count = var.create_static_kubeconfig ? 1 : 0
+  template = file("${path.module}/templates/kubeconfig-sa.tmpl")
+
+  vars = {
+    cluster_name = var.cluster_name
+    endpoint     = var.endpoint
+    name         = local.service_account_name
+    ca_crt       = base64encode(lookup(data.kubernetes_secret.sa_secret.0.data,"ca.crt", ""))
+    token        = lookup(data.kubernetes_secret.sa_secret.0.data,"token", "")
+    namespace    = var.namespace
+  }
+}
+
+resource "kubernetes_service_account" "kubernetes_sa" {
+  count = var.create_static_kubeconfig ? 1 : 0
+  metadata {
+    name      = local.service_account_name
+    namespace = var.namespace
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "kubernetes_crb" {
+  count = var.create_static_kubeconfig ? 1 : 0
+  metadata {
+    name      = local.cluster_role_binding_name
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "cluster-admin"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = local.service_account_name
+    namespace = var.namespace
+  }
+}
+
+# kube config file generation
+resource "local_file" "kubeconfig" {
+  content              = var.create_static_kubeconfig ? data.template_file.kubeconfig_sa.0.rendered : data.template_file.kubeconfig_provider.0.rendered
+  filename             = var.path
+  file_permission      = "0644"
+  directory_permission = "0755"
+}
diff --git a/modules/kubeconfig/output.tf b/modules/kubeconfig/output.tf
@@ -0,0 +1,3 @@
+output "kube_config" {
+  value = local_file.kubeconfig.content
+}
diff --git a/modules/kubeconfig/templates/kubeconfig-provider.tmpl b/modules/kubeconfig/templates/kubeconfig-provider.tmpl
@@ -0,0 +1,20 @@
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: ${ca_crt}
+    server: '${endpoint}'
+  name: ${cluster_name}
+contexts:
+- context:
+    cluster: ${cluster_name}
+    user: ${cluster_name}
+  name: ${cluster_name}
+current-context: ${cluster_name}
+kind: Config
+preferences: {}
+users:
+- name: ${cluster_name}
+  user:
+    client-certificate-data: ${client_crt}
+    client-key-data: ${client_key}
+    token: ${token}
diff --git a/modules/kubeconfig/templates/kubeconfig-sa.tmpl b/modules/kubeconfig/templates/kubeconfig-sa.tmpl
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Config
+clusters:
+  - name: ${cluster_name}
+    cluster:
+      server: '${endpoint}'
+      certificate-authority-data: >-
+        ${ca_crt}
+users:
+  - name: ${name}
+    user:
+      token: >-
+        ${token}
+contexts:
+  - name: ${cluster_name}    
+    context:
+      user: ${name}
+      cluster: ${cluster_name}
+      namespace: ${namespace}
+current-context: ${cluster_name}
diff --git a/modules/kubeconfig/variables.tf b/modules/kubeconfig/variables.tf
@@ -0,0 +1,26 @@
+variable "prefix" {
+  description = "A prefix used for all Google Cloud resources created by this script"
+  type        = string
+}
+
+variable "namespace" {
+  description = "Namespace that the service account and cluster role binding will placed."
+  type        = string
+  default     = "kube-system"
+}
+
+variable "create_static_kubeconfig" {
+  description = "Allows the user to create a provider / service account based kube config file"
+  type        = bool
+  default     = false
+}
+
+variable "path" {}
+variable "cluster_name" {}
+variable "endpoint" {}
+variable "ca_crt" {}
+variable "client_crt" {}
+variable "client_key" {}
+variable "token" {}
+
+
diff --git a/outputs.tf b/outputs.tf
@@ -8,7 +8,7 @@ output "nat_ip" {
 }
 
 output "kube_config" {
-  value = module.aks.kube_config
+  value = module.kubeconfig.kube_config
 }
 
 output "aks_cluster_node_username" {

diff --git a/variables.tf b/variables.tf
@@ -575,3 +575,9 @@ variable "subnets" {
     }
   }
 }
+
+variable "create_static_kubeconfig" {
+  description = "Allows the user to create a provider / service account based kube config file"
+  type        = bool
+  default     = false
+}
diff --git a/versions.tf b/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "2.47.0"
+      version = "2.49.0"
     }
     azureread = {
       source  = "hashicorp/azuread"
@@ -39,4 +39,4 @@ terraform {
       version = "2.0.2"
     }
   }
-}
+}