diff --git a/CHANGELOG.md b/CHANGELOG.md index df06729739148cdf3c48e8c0e399901a694d0be0..800339432e8acfa5cfeadfe725c2b51ddc1a7946 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,11 +2,52 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -- [Changelog](#changelog) - - [[Unreleased]](#unreleased) - - [Added](#added) +## [1.2.1] -## [Unreleased] +### Changed + +- Moved TLS cert back out of configmap.yaml +- Updated documentation on how to add and update TLS certificates to encrypted secret. +- Fixed Big Bang version mismatch using semver in kustomization +- Fixed flux install instructions to use version rather than master. New versions of flux may not be backwards compatible. +- Cleaned up dev values.yaml + +## [1.2.0] + +### Changed + +- Fix namespace error (istio-system) when deploying wildcard-cert +- Updated expired certificate for *.bigbang.dev +- Added default values for `istio.ingress.tls.*` to workaround Helm error on `nil` values. +- Updated [README.md](./README.md) for TLS cert +- Updated [README.md](./README.md) for sops key creation (Issue #8) +- Updated default BigBang release to 1.12.0 in kustomization. + +## [1.1.1] + +### Changed + +- Security groups between internet facing network load balancer and agent's node ports updated to fix ingress + +## [1.1.0] + +### Added + +- Upload of private SSH to encrypted S3 bucket +- Rename of `default` Kubernetes profile to environment name +- Change permissions of local Kubernetes config file to read/write of owner only + +### Changed + +- Migrated terraform classic load balancer to regular load balancer + +## [1.0.1] + +### Changed + +- Terraform cache S3 bucket created off of name in environment + +## [1.0.0] ### Added 
@@ -28,3 +69,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), - [CHANGELOG.md](CHANGELOG.md) - [CODEOWNERS](CODEOWNERS) - [CONTRIBUTING.md](CONTRIBUTING.md) +- Terraform template for AWS with... + - Multi-environment support + - High-availability (cross-zone) and auto-scaling + - Private and public subnets + - Load balancer + - Bastion server diff --git a/README.md b/README.md index d8799637708de9918b4c042ff361137e4499f967..90708e123140fee65fe1cbc002682a98a21640ff 100644 --- a/README.md +++ b/README.md @@ -86,6 +86,28 @@ sed -i "s/pgp: FALSE_KEY_HERE/pgp: ${fp}/" .sops.yaml ## On MacOS sed -i "" "s/pgp: FALSE_KEY_HERE/pgp: ${fp}/" .sops.yaml + +# Save encrypted secrets into Git +# Configuration changes must be stored in Git to take affect +git add .sops.yaml +git commit -m "chore: update default encryption key" +git push --set-upstream origin template-demo +``` + +### Add TLS Certificates + +The `base/configmap.yaml` is setup to use the domain `bigbang.dev` by default. A demo TLS certificate is provided in `base/bigbang-dev-cert.yaml` to use. Certificates should be encrypted before pushing to Git since they contain both the public and private key. + +```shell +cd base + +# Encrypt the existing certifiate +sops -e bigbang-dev-cert.yaml > secrets.enc.yaml + +# Save encrypted TLS certificate into Git +git add secrets.enc.yaml +git commit -m "chore: add bigbang.dev tls certificates" +git push ``` ### Add Pull Credentials @@ -95,8 +117,7 @@ You will need pull credentials for Iron Bank to retrieve images for Big Bang. > Secrets can be specific to an environment if they are located in that environment's folder (e.g. `prod`, `dev`). Or, they can be shared between environments if located in the `base` directory. ``` shell -# Create a new encrypted secret to contain your pull credentials -cd base +# Edit the same secret holding your TLS certificates to add the pull credentials sops secrets.enc.yaml ``` 
@@ -115,16 +136,17 @@ stringData: - registry: registry1.dso.mil username: replace-with-your-iron-bank-user password: replace-with-your-iron-bank-personal-access-token + istio: + # Leave the TLS certificate info here ``` -When you save the file, it will automatically encrypt your secret using SOPS. +When you save the file, it will automatically re-encrypt your secret using SOPS. ```shell -# Save encrypted secrets into Git -# Configuration changes must be stored in Git to take affect -git add secrets.enc.yaml ../.sops.yaml -git commit -m "chore: added encrypted credentials" -git push --set-upstream origin template-demo +# Save pull credentials into Git +git add secrets.enc.yaml +git commit -m "chore: added iron bank pull credentials" +git push ``` > Your private key to decrypt these secrets is stored in your GPG key ring. You must **NEVER** export this key and commit it to your Git repository since this would comprimise your secrets. @@ -173,7 +195,7 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really) ```shell # The private key is not stored in Git (and should NEVER be stored there). We deploy it manually by exporting the key into a secret. kubectl create namespace bigbang - gpg --export-secret-key --armor ${fp} | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey=/dev/stdin + gpg --export-secret-key --armor ${fp} | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey.asc=/dev/stdin ``` 1. Create imagePullSecrets for Flux @@ -184,6 +206,7 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really) # Adding a space before this command keeps our PAT out of our history kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username= --docker-password= -n flux-system + ``` 1. Create Git credentials for Flux 
@@ -197,7 +220,8 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really) ```shell # Flux is used to sync Git with the the cluster configuration - kustomize build https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base/flux?ref=master | kubectl apply -f - + # If you are using a different version of Big Bang, make sure to update the `?ref=1.12.0` to the correct tag or branch. + kustomize build https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base/flux?ref=1.12.0 | kubectl apply -f - # Wait for flux to complete kubectl get deploy -o name -n flux-system | xargs -n1 -t kubectl rollout status -n flux-system @@ -232,7 +256,7 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really) # If you are deployed on a remote host you will need to point "kiali.bigbang.dev" to your cluster master node via your /etc/hosts file ``` - > If you cannot get to the main page of Kiali, it may be due to an expired certificate. Check the expiration of the certificate in `base/bigbang-dev-cert.yaml`. + > If you cannot get to the main page of Kiali, it may be due to an expired certificate. Check the expiration of the certificate in `base/configmap.yaml`. > For troubleshooting deployment problems, refer to the [Big Bang](https://repo1.dsop.io/platform-one/big-bang/bigbang) documentation. @@ -274,7 +298,7 @@ To minimize the risk of an unexpected deployment of a BigBang release, the BigBa ```yaml bases: - - https://repo1.dsop.io/platform-one/big-bang/bigbang.git/base/?ref=v1.8.0 + - https://repo1.dsop.io/platform-one/big-bang/bigbang.git/base/?ref=v1.12.0 ``` - Reference for the Big Bang helm release: @@ -287,7 +311,7 @@ To minimize the risk of an unexpected deployment of a BigBang release, the BigBa spec: ref: $patch: replace - semver: "1.8.0" + tag: "1.12.0" ``` To update `dev/kustomization.yaml`, you would create a `mergePatch` like the following: 
@@ -303,7 +327,7 @@ patchesStrategicMerge: interval: 1m ref: $patch: replace - semver: "1.9.0" + tag: "1.13.0" ``` > This does not update the kustomize base, but it is unusual for that to change. @@ -312,13 +336,13 @@ Then, commit your change: ```shell git add kustomization.yaml - git commit -m "feat(dev): update bigbang to 1.9.0" + git commit -m "feat(dev): update bigbang to 1.13.0" git push ``` > It may take Big Bang up to 10 minutes to recognize your changes and start to deploy them. This is based on the interval set for polling. You can force Big Bang to recheck by running the [sync.sh](https://repo1.dsop.io/platform-one/big-bang/bigbang/-/blob/master/hack/sync.sh) script. -It is recommended that you track Big Bang releases using the version. However, you can use `tag` or `branch` in place of `semver` if needed. The kustomize base uses [Go-Getter](https://github.com/hashicorp/go-getter)'s syntax for the reference. The helm release (GitRepository) resource uses the [GitRepository CRD](https://toolkit.fluxcd.io/components/source/gitrepositories/#specification)'s syntax. +It is recommended that you track Big Bang releases using the version. However, you can use `branch` in place of `tag` if needed. The kustomize base uses [Go-Getter](https://github.com/hashicorp/go-getter)'s syntax for the reference. The helm release (GitRepository) resource uses the [GitRepository CRD](https://toolkit.fluxcd.io/components/source/gitrepositories/#specification)'s syntax. When you are done testing, you can update the reference in `base` (and delete this setting in `dev`) to update Big Bang in all environments. 
@@ -326,25 +350,36 @@ When you are done testing, you can update the reference in `base` (and delete th ### Update the domain -Big Bang deploys applications to `*.bigbang.dev` by default. You can override the `bigbang.dev` domain to your domain by updating `dev/configmap.yaml` and adding the following: +Big Bang deploys applications to `*.bigbang.dev` by default. You can override the `bigbang.dev` domain to your domain by updating `base/configmap.yaml` and adding the following: ```yaml hostname: insert-your-domain-here ``` -> NOTE: The `dev` template includes several overrides to minimize resource usage and increase polling time in a development environment. They are provided for convenience and are NOT required. - -Commit your change: +In addition, you will need to update the TLS certificates by updating `base/secrets.enc.yaml`. ```shell - git add configmap.yaml - git commit -m "feat(dev): updated domain name" - git push +# Open and edit the encrypted file +sops base/secrets.enc.yaml ``` +After saving the secrets.enc.yaml file, it will be automatically re-encrypted. + +``` shell +# Push changes to Git +git add base/configmap.yaml base/secrets.enc.yaml +git commit -m "chore: updated domain and tls certificates" +git push +``` + +> If you have different certificates for `dev` and `prod`, you can also put the values in `dev/secrets.enc.yaml` or `prod/secrets.enc.yaml` respectively. The name of the secret must be `common-bb` if the secret is in the `base` folder or `environment-bb` if the secret is in the `dev` or `prod` folder. The `environment-bb` values take precedence over the `common-bb` values. +Make sure to add the file to `kustomization.yaml` as a resource if it is not already. + ### Additional Big Bang values -For additional configuration options, refer to the [Big Bang](https://repo1.dsop.io/platform-one/big-bang/bigbang) and [Big Bang Package](https://repo1.dsop.io/platform-one/big-bang/apps) documentation. 
+For additional configuration options, refer to the [Big Bang](https://repo1.dsop.io/platform-one/big-bang/bigbang) and [Big Bang Package](https://repo1.dsop.io/platform-one/big-bang/apps) documentation. Big Bang values can be passed down in the `configmap.yaml` or `secrets.enc.yaml`. See the Kubernetes documentation on [configmaps](https://kubernetes.io/docs/concepts/configuration/configmap/) and [secrets](https://kubernetes.io/docs/concepts/configuration/secret/) for differences between the two. Secrets should always be SOPS encrypted before committing to Git. + +> NOTE: The `dev` template includes several overrides in the `configmap.yaml` to minimize resource usage and increase polling time in a development environment. They are provided for convenience and are NOT required. ### Additional resources diff --git a/base/bigbang-dev-cert.yaml b/base/bigbang-dev-cert.yaml index 4d88697c8194526988729c15fd5848fd6c94cd25..88c64a41daecf2eb4f6f4f90e5d6ea32b86f3ecf 100644 --- a/base/bigbang-dev-cert.yaml +++ b/base/bigbang-dev-cert.yaml 
@@ -1,9 +1,130 @@ apiVersion: v1 kind: Secret metadata: - name: wildcard-cert - namespace: istio-system -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 + name: common-bb +stringData: + # TLS key pair for *.bigbang.dev is used as an example for demo purposes + values.yaml: |- + istio: + ingress: + key: |- + -----BEGIN PRIVATE KEY----- + MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQD1ahjVSH4A+inh + YyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYMU7CzoyPJCL13 + gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR/mc7YwF0IMVp + iApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V9dCEMkodH1tq + +BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTsLLGL/BL7E/Ba + 8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1IozD+bpFfUvUxNH + 1sjPo18JAgMBAAECggEBAJRaQ5LC1LDAiQqfhvE94oEDmR4AmOWFlqQi3f1vZPkb + qTbIq/skxamk2iUoCPm8TT1MZhfheaNwLiCMg76U29CoSXY8Gq17mD08BPOBrcAQ + EpVKpu8b85XpeQ5OMXAnOWbqc/sZWWqa2Nt3ilCVvZAU05KE4gljf20lajLUb0BE + S+EOHgiPgbL9Upgb2HvsYjaBkgy6dMIJhH9ybyQqRJPaLceEbu53Krrv4iuZjzLD + CIdePYRge9DfvIff0UBlAFPVgahrwJNzZoqhEv9KlvSshE51tfaNv7zzMpoEnq7z + XqbisXXq/Pn6MaWiyF/6sYxYZDrAIHI5exmoJAYs4tECgYEA/V9eNpdh70Vzv19l + TkpjEklaAgDzSda68TSb5hYLtINI3m3+vVN+rlth5gZN7n8hKjxIBuUI8yERMY8B + is5g+qgIqK1jDeRHUJTKo7x+fRgM2vCTcYQgxCC4x2czkG86AifsNaGZ6j2P9y2v + lpaozs+ONkADpGwnOu0lsCBxbVUCgYEA9/WaPrhOO/ImKlyFbXnXHZsoRXKuWVKm + DRcs7z8LZmPH7n3ikiMZW7CUbKHB3mreL6Xv5gQ/nait2tjYRPT2OfBA+WTQi/kO + MwHyuq92J1965WCld3hzGYeJHtB12rVjheRQ3TBeBCFFu3pgEVsgqnVV1gqceBL7 + edXnu85KSuUCgYEAxbhURvmfPR7PknmZDp1R7oU7LfEb6XUd8PiC5+wwOi9w/9KK + RagQZXN+VAh7bC/c656a/nZgo4ocZrYYF/+xAil6iFa1w7NuS12xPFDtzCSmc3vl + M2JOR37ZcxH/1ShW9jO9SqTO/VIJNHR8X2E2Xhzt9zvBG+AiRQOms2i92vkCgYEA + pZ2AiZXWg0mIXlDvuaBgouCoNEKV2wlN6X5qP94PAjNxLYUdWNhirpAxgqFD+QfO + IWsm4a5Cw04P2RVu1hf7gdVLwIeql2MhLcaGVlStiTzHu/8iZbqovgt99Xvsy8jN + kXde323XzdBfYAorskv4dIHsdAsgWT7sgoLxxcnSa1UCgYEAh0SDR9xTdNnCRTL8 + 
Fz+YyN8EWm4XaiYv4fDu7mBEiAYJFQjfez/ZammSASwfv+sFcE4rCEMED2InlLin + 73hJO8bDRMI7BEtaYKyEFcCgdNXOyDRfYhLtJllaIiJNbC8m4dW8H7Hq4Av2pTc0 + dbfd2CfWKgXWqJNl2RCGWIoqDIU= + -----END PRIVATE KEY----- + cert: |- + -----BEGIN CERTIFICATE----- + MIIFITCCBAmgAwIBAgISA4QDnwfowfekJU7pBgWPPB3SMA0GCSqGSIb3DQEBCwUA + MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD + EwJSMzAeFw0yMTA2MzAwODQxNDhaFw0yMTA5MjgwODQxNDdaMBgxFjAUBgNVBAMM + DSouYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1 + ahjVSH4A+inhYyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYM + U7CzoyPJCL13gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR + /mc7YwF0IMVpiApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V + 9dCEMkodH1tq+BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTs + LLGL/BL7E/Ba8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1Ioz + D+bpFfUvUxNH1sjPo18JAgMBAAGjggJJMIICRTAOBgNVHQ8BAf8EBAMCBaAwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O + BBYEFLKxa8BVwd6HZjzGXLkyXZLww/DwMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ + QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz + Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv + MBgGA1UdEQQRMA+CDSouYmlnYmFuZy5kZXYwTAYDVR0gBEUwQzAIBgZngQwBAgEw + NwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j + cnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwCUILwejtWNbIhzH4KL + IiwN0dpNXmxPlD1h204vWE2iwgAAAXpcS8iTAAAEAwBIMEYCIQCcXRHwJqXD4XZJ + 69yt9vwm/5d3fV5iEncCsg4XoV8APAIhALuWdIvzfv1qLlS3Yv+DrVf5t2lMGdrL + RilySJivVC0QAHYA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF6 + XEvIqAAABAMARzBFAiEA7mPS3NK7XQQo+GxdVRq0kJX4uV3ELIKbVzPIdpXCmxYC + IHfgadCRBTml5nnTd7xpjwRuvRNr/gsyyyIV0Xjao4DIMA0GCSqGSIb3DQEBCwUA + A4IBAQBbccxKHBf4FOqHSP3U3+pCrU3Z3zhfTjYVaPP/gI7+rus4m6Jnq/pP21ak + RWFJx9Yfp0zYPG33H4b65vvmG2jYzb/sLorHIodSn8O7HD11peWwFzgRLflVQ2Kx + yPYdn/yY1BFIZ5cyz1iQNIUghMZVLc1JfqQbuRuodf2si0x7d2CTMV3k0qUvpll9 + 6KstE/OEjLA0jgRmZAq0JBHZjDeYi65LoQWF1XM6Al1p0GvhGC+x//UyYZr/sBOl + 
3FvnSe9NXeAMqeJ6QIrkFFsogPMUoTpJYs47gjMdEl6eOT2uwgchZsHpqrdHVHG6 + 9xxT5njjSqfC0xOqknR0hhhn5Pbu + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw + TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh + cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw + WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg + RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK + AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP + R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx + sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm + NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg + Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG + /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC + AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB + Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA + FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw + AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw + Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB + gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W + PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl + ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz + CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm + lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 + avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 + yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O + yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids + hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ + HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv + MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX + nLRbwHOoq7hHwg== + -----END 
CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ + MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT + DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow + TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh + cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB + AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC + ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL + wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D + LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK + 4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 + bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y + sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ + Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 + FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc + SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql + PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND + TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw + SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 + c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx + +tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB + ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu + b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E + U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu + MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC + 5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW + 9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG + WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O + he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC + Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 + -----END 
CERTIFICATE----- \ No newline at end of file diff --git a/base/kustomization.yaml b/base/kustomization.yaml index 46c919219adc8c14c7156241a9c427c90115e251..b55b7e3c4b451b7dc65195d4ff29184da8796f57 100644 --- a/base/kustomization.yaml +++ b/base/kustomization.yaml @@ -1,9 +1,7 @@ # When updating the version of BigBang, make sure to update # both the bases reference and the GitRepository reference bases: -- git::https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base?ref=1.8.0 -resources: -- bigbang-dev-cert.yaml +- git::https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base?ref=1.12.0 configMapGenerator: - name: common behavior: merge @@ -19,4 +17,4 @@ patchesStrategicMerge: spec: ref: $patch: replace - semver: "1.8.0" \ No newline at end of file + tag: "1.12.0" \ No newline at end of file diff --git a/dev/configmap.yaml b/dev/configmap.yaml index 0d273581c97a34fbd9b8aa454dc4b462100b13ba..933f7e9ea98d8cf920f14acc27227bef8a9bbeeb 100644 --- a/dev/configmap.yaml +++ b/dev/configmap.yaml @@ -6,7 +6,6 @@ flux: cleanupOnFail: false logging: - enabled: true values: elasticsearch: master: @@ -16,7 +15,6 @@ logging: resources: requests: cpu: .5 - limits: {} data: count: 1 persistence: @@ -24,32 +22,20 @@ logging: resources: requests: cpu: .5 - limits: {} fluentbit: values: securityContext: privileged: true -istio: - enabled: true - values: - kiali: - dashboard: - auth: - strategy: "anonymous" - clusterAuditor: - enabled: true values: resources: requests: cpu: 100m memory: .5Gi - limits: {} monitoring: - enabled: true values: alertmanager: alertmanagerSpec: 
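Review bot: The `key:` block at the top of this hunk commits a plaintext RSA private key for a publicly trusted Let's Encrypt wildcard certificate (`*.bigbang.dev`), so anyone with read access to this repository can impersonate any `bigbang.dev` host; the README in this same change says certificates "should be encrypted before pushing to Git", yet this file ships unencrypted. Either remove the plaintext file and keep only the SOPS-encrypted `secrets.enc.yaml` in-tree, or, if it is deliberately public demo material, say so in the file header, e.g. `# DEMO ONLY: this key pair is public; never reuse it or this domain for anything real`. From the visible validity fields the leaf appears to run 2021-06-30 to 2021-09-28 (a standard 90-day LE certificate), so a rotation note with the expiry date in the comment would save the next person the decoding step — the 1.2.0 changelog shows expiry has already bitten once. The `cert:` value embeds the full chain rather than only the leaf; confirm that is what the Big Bang `istio.ingress.cert` value expects.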
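Review bot: Both references now pin Big Bang by git tag (`?ref=1.12.0` for the kustomize base and `tag: "1.12.0"` in the GitRepository patch), and a tag is mutable upstream, so the pin does not by itself give the "no unexpected deployment" guarantee the README describes. For a stronger supply-chain pin use the commit SHA — `commit: "<sha>"` in the GitRepository ref and `?ref=<sha>` for the base — and keep the tag name in a comment for readability. The `resources:` entry for `bigbang-dev-cert.yaml` is dropped here, but I do not see `secrets.enc.yaml` listed as a resource in the visible lines of `base/kustomization.yaml` even though the README says it must be; confirm it is in the part of the file not shown.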
@@ -57,48 +43,40 @@ monitoring: requests: cpu: 100m memory: 200Mi - limits: {} prometheusOperator: resources: requests: cpu: 250m memory: 400Mi - limits: {} prometheus: prometheusSpec: resources: requests: cpu: 100m memory: 200Mi - limits: {} grafana: resources: requests: cpu: 100m memory: 128Mi - limits: {} kubeStateMetrics: resources: requests: cpu: 10m memory: 32Mi - limits: {} nodeExporter: resources: requests: cpu: 100m memory: 30Mi - limits: {} gatekeeper: - enabled: true values: replicas: 1 resources: requests: cpu: 100m memory: 256Mi - limits: {} twistlock: enabled: false diff --git a/dev/kustomization.yaml b/dev/kustomization.yaml index b1ea80ad8bb65867b9c16a753e07d08b1bff97d7..7964ce9bb4a77c159d2b466b05b0b749fe60295a 100644 --- a/dev/kustomization.yaml +++ b/dev/kustomization.yaml @@ -18,7 +18,7 @@ patchesStrategicMerge: # Use the following three lines to test a new version of Big Bang without affecting other environments # ref: # $patch: replace -# semver: "1.9.0" +# tag: "1.13.0" - |- apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease diff --git a/terraform/modules/elb/main.tf b/terraform/modules/elb/main.tf index c9d515d433aa7d9fc92ca3e870a17f83b56d8e57..e11301e76b7a90ca202ce2a83ec70aba1de7e268 100644 --- a/terraform/modules/elb/main.tf +++ b/terraform/modules/elb/main.tf 
@@ -5,112 +5,149 @@ # - Security group created for other entities to use for ingress from the ELB # - Attaching a pool to the load balancer is done outside of this Terraform -# Security group for load balancer -resource "aws_security_group" "elb" { - name_prefix = "${var.name}-elb-" - description = "${var.name} Elastic Load Balancer" - vpc_id = "${var.vpc_id}" +resource "aws_lb" "public_nlb" { + name = "${var.name}-public-nlb" + internal = false + load_balancer_type = "network" + subnets = var.subnet_ids - # Allow all HTTP traffic - ingress { - description = "HTTP Traffic" - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] + tags = merge({}, var.tags) +} + +resource "aws_lb_target_group" "public_nlb_http" { + name = "${var.name}-public-nlb-http" + port = var.node_port_http + protocol = "TCP" + vpc_id = var.vpc_id + + health_check { + port = var.node_port_health_checks + path = "/healthz/ready" } + lifecycle { + create_before_destroy = true + } + tags = merge({}, var.tags) +} - # Allow all HTTPS traffic - ingress { - description = "HTTPS Traffic" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] +resource "aws_lb_target_group" "public_nlb_https" { + name = "${var.name}-public-nlb-https" + port = var.node_port_https + protocol = "TCP" + vpc_id = var.vpc_id + + health_check { + port = var.node_port_health_checks + path = "/healthz/ready" + } + lifecycle { + create_before_destroy = true } + tags = merge({}, var.tags) +} + +resource "aws_lb_target_group" "public_nlb_sni" { + name = "${var.name}-public-nlb-sni" + port = var.node_port_sni + protocol = "TCP" + vpc_id = var.vpc_id - # Allow all egress - egress { - description = "All traffic out" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + health_check { + port = var.node_port_health_checks + path = "/healthz/ready" + } + lifecycle { + create_before_destroy = true } + tags = merge({}, var.tags) +} - tags = var.tags +resource 
"aws_lb_listener" "public_nlb_http" { + load_balancer_arn = aws_lb.public_nlb.arn + port = "80" + protocol = "TCP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.public_nlb_http.arn + } +} + +resource "aws_lb_listener" "public_nlb_https" { + load_balancer_arn = aws_lb.public_nlb.arn + port = "443" + protocol = "TCP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.public_nlb_https.arn + } +} + +resource "aws_lb_listener" "public_nlb_sni" { + load_balancer_arn = aws_lb.public_nlb.arn + port = "15443" + protocol = "TCP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.public_nlb_sni.arn + } +} + +# Retrieve the IP addresses of the nlb +data "aws_network_interface" "public_nlb" { + for_each = toset(var.subnet_ids) + + filter { + name = "description" + values = ["ELB ${aws_lb.public_nlb.arn_suffix}"] + } + + filter { + name = "subnet-id" + values = [each.value] + } } # Security group for server pool to allow traffic from load balancer -resource "aws_security_group" "elb_pool" { - name_prefix = "${var.name}-elb-pool-" - description = "${var.name} Traffic to Elastic Load Balancer server pool" +resource "aws_security_group" "public_nlb_pool" { + name_prefix = "${var.name}-public-nlb-to-pool-" + description = "${var.name} Traffic from public Network Load Balancer to server pool" vpc_id = "${var.vpc_id}" # Allow all traffic from load balancer ingress { - description = "Allow Load Balancer Traffic" - from_port = 0 - to_port = 0 - protocol = "-1" - security_groups = [aws_security_group.elb.id] + description = "Allow public Network Load Balancer traffic to health check" + from_port = var.node_port_health_checks + to_port = var.node_port_health_checks + protocol = "tcp" + cidr_blocks = formatlist("%s/32", [for eni in data.aws_network_interface.public_nlb : eni.private_ip]) } - tags = var.tags -} + ingress { + description = "Allow internet traffic to HTTP node port" + from_port = 
var.node_port_http + to_port = var.node_port_http + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } -# Create Elastic Load Balancer -module "elb" { - source = "terraform-aws-modules/elb/aws" - version = "~> 3.0" - name = "${var.name}-elb" - subnets = var.subnet_ids - security_groups = [aws_security_group.elb.id] - internal = false - - # Port: Description - # 80: HTTP for applications - # 443: HTTPS for applications - # 15021: Istio Health Checks - # 15443: Istio SNI Routing in multi-cluster environment - listener = [ - { - instance_port = var.node_port_http - instance_protocol = "TCP" - lb_port = 80 - lb_protocol = "tcp" - }, - { - instance_port = var.node_port_https - instance_protocol = "TCP" - lb_port = 443 - lb_protocol = "tcp" - }, - { - instance_port = var.node_port_health_checks - instance_protocol = "TCP" - lb_port = 15021 - lb_protocol = "tcp" - }, - { - instance_port = var.node_port_sni - instance_protocol = "TCP" - lb_port = 15443 - lb_protocol = "tcp" - }, - ] - - health_check = { - target = "TCP:${var.node_port_health_checks}" - interval = 10 - healthy_threshold = 2 - unhealthy_threshold = 6 - timeout = 5 + ingress { + description = "Allow internet traffic to HTTPS node port" + from_port = var.node_port_https + to_port = var.node_port_https + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] } - access_logs = {} + ingress { + description = "Allow internet traffic to SNI node port" + from_port = var.node_port_sni + to_port = var.node_port_sni + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } - tags = merge({ - "kubernetes.io/cluster/${var.name}" = "shared" - }, var.tags) + tags = var.tags } \ No newline at end of file diff --git a/terraform/modules/elb/outputs.tf b/terraform/modules/elb/outputs.tf index 089e6667e7c77c8a3ee9223b7cb59a6399b8c87c..1580a1281ded3e4987a6ada22042aa1f1e5d363b 100644 --- a/terraform/modules/elb/outputs.tf +++ b/terraform/modules/elb/outputs.tf 
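Review bot: The three `health_check` blocks set `path = "/healthz/ready"` but no `protocol`; for a TCP target group the health-check protocol defaults to TCP, where `path` is not honored (some provider versions may reject it outright), so the Istio readiness endpoint is not actually being probed. Add `protocol = "HTTP"` next to `port = var.node_port_health_checks` in each block and verify against your provider version. In `aws_security_group.public_nlb_pool` the health-check rule is correctly limited to the NLB ENI addresses, but the HTTP/HTTPS/SNI rules open the node ports to `0.0.0.0/0` — presumably because NLB instance targets preserve the client IP — so state that in a comment, e.g. `# NLB preserves client IP, so node ports must accept internet sources; nodes must stay in private subnets`, or the next reader will treat it as an accidental exposure. If client-IP preservation is not needed, `preserve_client_ip = false` on the target groups would let those three rules be narrowed to the same ENI list as the health check. The `aws_lb` also sets neither `enable_cross_zone_load_balancing` nor `access_logs`, both of which matter for an internet-facing entry point and which the removed ELB module at least stubbed.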
@@ -1,9 +1,9 @@ -output "elb_id" { - description = "The Elastic Load Balancer (ELB) ID" - value = module.elb.elb_id +output "pool_sg_id" { + description = "The ID of the security group used as an inbound rule for load balancer's back-end server pool" + value = aws_security_group.public_nlb_pool.id } -output "pool_sg_id" { - description = "The ID of the security group used as an inbound rule for load balancer's back-end application instances" - value = aws_security_group.elb_pool.id +output "elb_target_group_arns" { + description = "The load balancer target group ARNs" + value = [aws_lb_target_group.public_nlb_http.arn, aws_lb_target_group.public_nlb_https.arn, aws_lb_target_group.public_nlb_sni.arn] } \ No newline at end of file diff --git a/terraform/modules/elb/variables.tf b/terraform/modules/elb/variables.tf index 848b9cbcaf878059767252aa7567ecc7e29bd285..7d862f3d657e6f8386120cb54785b3c4feffa1fd 100644 --- a/terraform/modules/elb/variables.tf +++ b/terraform/modules/elb/variables.tf @@ -14,28 +14,27 @@ variable "subnet_ids" { type = list(string) } +variable "node_port_health_checks" { + description = "The node port to use for Istio health check traffic" + type = string + default = "30000" +} variable "node_port_http" { description = "The node port to use for HTTP traffic" type = string - default = "30080" + default = "30001" } variable "node_port_https" { description = "The node port to use for HTTPS traffic" type = string - default = "30443" -} - -variable "node_port_health_checks" { - description = "The node port to use for Istio health check traffic" - type = string - default = "32021" + default = "30002" } variable "node_port_sni" { description = "The node port to use for Istio SNI traffic" type = string - default = "32443" + default = "30003" } variable "tags" { diff --git a/terraform/modules/k8s/main.tf b/terraform/modules/k8s/main.tf deleted file mode 100644 index 1924376a510a69fab674ccbc7da2d1ce403e667b..0000000000000000000000000000000000000000 
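Review bot: The default node ports change from 30080/30443/32021/32443 to 30000–30003, but nothing in this diff changes the Istio ingress gateway NodePort values to match, so the NLB target groups and the new security-group rules will point at ports nothing listens on unless those values are set somewhere not visible here. Add a comment on each variable naming the Istio ingress gateway NodePort value it must agree with, e.g. `# Must match the Istio ingress gateway NodePort configured in configmap.yaml`, and mention the new defaults in the CHANGELOG since existing deployments relying on the old values will lose ingress on the next `terraform apply`.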
--- a/terraform/modules/k8s/main.tf +++ /dev/null @@ -1,28 +0,0 @@ -# After the cluster is setup, this script will retrieve the Kubeconfig -# file from S3 storage and merge in the local ~/.kube/config - -# Retrieves kubeconfig -resource "null_resource" "kubeconfig" { - triggers = { - kubeconfig_path = var.kubeconfig_path - } - provisioner "local-exec" { - interpreter = ["bash", "-c"] - command = <<-EOF - # Get kubeconfig from storage - aws s3 cp ${var.kubeconfig_path} ~/.kube/new - - # Merge new config into existing - export KUBECONFIGBAK=$KUBECONFIG - export KUBECONFIG=~/.kube/new:~/.kube/config - # Do not redirect to ~/.kube/config or you may truncate the results - kubectl config view --flatten > ~/.kube/merged - mv -f ~/.kube/merged ~/.kube/config - - # Cleanup - rm -f ~/.kube/new - export KUBECONFIG=$KUBECONFIGBAK - unset KUBECONFIGBAK - EOF - } -} \ No newline at end of file diff --git a/terraform/modules/k8s/variables.tf b/terraform/modules/k8s/variables.tf deleted file mode 100644 index a7c10bf00f65a9b0a94548454f02688696f1d196..0000000000000000000000000000000000000000 --- a/terraform/modules/k8s/variables.tf +++ /dev/null @@ -1,4 +0,0 @@ -variable "kubeconfig_path" { - description = "Remote path to kubeconfig" - type = string -} \ No newline at end of file diff --git a/terraform/modules/pool/main.tf b/terraform/modules/pool/main.tf index 7e656c85b0f5203f4a01b664258267a70338cb43..df0eba50f04d619d2fb1a0023bff3e90fd057cd2 100644 --- a/terraform/modules/pool/main.tf +++ b/terraform/modules/pool/main.tf 
@@ -1,6 +1,9 @@ # Connects an Elastic Load Balancer to a pool of servers +# NOTE: RKE2 already sets the lifecycle of the auto scale group to ignore changes in load balancers and target groups +# See https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform/-/blob/master/modules/nodepool/main.tf#L113 resource "aws_autoscaling_attachment" "pool" { - elb = var.elb_id + for_each = toset(var.elb_target_group_arns) autoscaling_group_name = var.pool_asg_id -} + alb_target_group_arn = each.value +} \ No newline at end of file diff --git a/terraform/modules/pool/variables.tf b/terraform/modules/pool/variables.tf index 1adae132d833c66a6e3ed12889c012131f9219da..ee1ce2a6ffeb13673186ace56cf42a60ce39a814 100644 --- a/terraform/modules/pool/variables.tf +++ b/terraform/modules/pool/variables.tf @@ -1,9 +1,15 @@ -variable "elb_id" { - description = "The load balancer ID to attach the pool" - type = string +variable "name" { + description = "The name to apply to resources" + type = string + default = "bigbang-dev" +} + +variable "elb_target_group_arns" { + description = "The load balancer's target group ARNs to attach to the autoscale group" + type = list(string) } variable "pool_asg_id" { - description = "The autoscale group IDs that make up the pool to attach to the load balancer" + description = "The pool's autoscale group ID" type = string } \ No newline at end of file diff --git a/terraform/modules/s3/main.tf b/terraform/modules/s3/main.tf new file mode 100644 index 0000000000000000000000000000000000000000..10abfdad9bdfe0af7dff4986849a01f0a7f0c16f --- /dev/null +++ b/terraform/modules/s3/main.tf 
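Review bot: The `# See` comment links to `master` with a `#L113` anchor, so the line it points at (the ASG `lifecycle` ignoring load-balancer and target-group changes) will drift as soon as that upstream file is edited, and the behaviour it relies on is version-specific while the environments in this commit pin `ref=v1.1.9`. I would pin the link to that tag and name the attribute, e.g. `# See modules/nodepool/main.tf at tag v1.1.9: the ASG lifecycle has ignore_changes on load_balancers/target_group_arns`, with the tag substituted into the URL. `for_each = toset(var.elb_target_group_arns)` keys each attachment by the full ARN, so a target-group replacement on the ELB side changes the key and destroys/recreates the attachment; a one-line comment saying that is intended would stop someone from "simplifying" it to a `count`.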
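Review bot: The new `name` variable (default `bigbang-dev`) is not referenced anywhere in the visible `pool/main.tf` hunk, and the prod pool `terragrunt.hcl` inputs changed in this same commit do not pass it, so in prod it silently resolves to `bigbang-dev` if anything does consume it. Either drop it, or remove the default so callers must set it, matching how `prod/main/terragrunt.hcl` passes `name = local.env.name` to the s3 module. If it is consumed by code outside this hunk, the description `"The name to apply to resources"` should say which resources.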
@@ -0,0 +1,43 @@ +# After the cluster is setup, these scripts will ... +# - Retrieve the Kuberntes config file from S3 and merge it with the local ~/.kube/config +# - Upload the SSH private key to S3 + +# Retrieves kubeconfig +resource "null_resource" "kubeconfig" { + triggers = { + kubeconfig_path = var.kubeconfig_path + } + provisioner "local-exec" { + interpreter = ["bash", "-c"] + command = <<-EOF + # Get kubeconfig from storage + aws s3 cp ${var.kubeconfig_path} ~/.kube/new + + # Merge new config into existing + export KUBECONFIGBAK=$KUBECONFIG + export KUBECONFIG=~/.kube/new:~/.kube/config + # Replace default with cluster name + sed -ri "s/: default$/: ${var.name}/g" ~/.kube/new + # Update user only with more info + sed -ri "s/(user|- name): ${var.name}$/\1: clusterUser_${var.name}/g" ~/.kube/new + # Do not redirect to ~/.kube/config or you may truncate the results + kubectl config view --flatten > ~/.kube/merged + mv -f ~/.kube/merged ~/.kube/config + chmod 0600 ~/.kube/config + + # Cleanup + rm -f ~/.kube/new + export KUBECONFIG=$KUBECONFIGBAK + unset KUBECONFIGBAK + EOF + } +} + +# Upload SSH private key +resource "aws_s3_bucket_object" "sshkey" { + key = "ssh-private-key.pem" + # Get bucket name in middle of s3:///rke2.yaml + bucket = replace(replace(var.kubeconfig_path, "/\\/[^/]*$/", ""), "/^[^/]*\\/\\//", "") + source = pathexpand("${var.private_key_path}/${var.name}.pem") + server_side_encryption = "aws:kms" +} diff --git a/terraform/modules/s3/variables.tf b/terraform/modules/s3/variables.tf new file mode 100644 index 0000000000000000000000000000000000000000..3f4b4d4ead6443d91e89672dcce6318c63422421 --- /dev/null +++ b/terraform/modules/s3/variables.tf 
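Review bot: `aws_s3_bucket_object.sshkey` uploads the cluster's SSH private key with `server_side_encryption = "aws:kms"` but no `kms_key_id`, so the object falls back to the account's AWS-managed S3 key and any principal with `s3:GetObject` on the bucket can retrieve it; a customer-managed key passed via `kms_key_id` (with a key policy limited to the operators who need the key) is what actually narrows access, and the module should accept it as a variable. The `bucket` expression derives the bucket name from `kubeconfig_path` with two nested `replace` regexes, and the comment above it (`s3:///rke2.yaml`) has lost the bucket segment; I would write `# Derive the bucket from "s3://<bucket>/<key>": strip the object key, then the scheme`. Since only `source` (a path) is tracked, I believe a regenerated `.pem` at the same path is not re-uploaded, which is worth a comment so operators know to taint the resource on key rotation. The header comment also spells `Kuberntes`.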
@@ -0,0 +1,16 @@ +variable "name" { + description = "The name of the SSH key" + type = string + default = "bigbang-dev" +} + +variable "kubeconfig_path" { + description = "Remote path to kubeconfig" + type = string +} + +variable "private_key_path" { + description = "Local path to SSH private key" + type = string + default = "~/.ssh" +} \ No newline at end of file diff --git a/terraform/terragrunt.hcl b/terraform/terragrunt.hcl index 02f406ae486d3f9d45d0c387dc13319b70b2e849..ea218203a017d0d2be03ed0495b118920325f920 100644 --- a/terraform/terragrunt.hcl +++ b/terraform/terragrunt.hcl @@ -21,13 +21,13 @@ remote_state { generate = { path = "backend.tf" - if_exists = "overwrite_terragrunt" + if_exists = "overwrite" } config = { encrypt = true key = format("%s/terraform.tfstate", path_relative_to_include()) - bucket = "p1-bigbang-live-tf-states-${local.env.region}" + bucket = "${local.env.name}-terraform-state" region = local.env.region } } \ No newline at end of file diff --git a/terraform/us-gov-west-1/prod/agent/terragrunt.hcl b/terraform/us-gov-west-1/prod/agent/terragrunt.hcl index b9eb418483efc6a803854a90a723b5ccb4462754..5c9c18c37d8d10418122ba5ffef57e315339fb4e 100644 --- a/terraform/us-gov-west-1/prod/agent/terragrunt.hcl +++ b/terraform/us-gov-west-1/prod/agent/terragrunt.hcl @@ -8,7 +8,7 @@ locals { } terraform { - source = "git::https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//modules/agent-nodepool?ref=v1.1.8" + source = "git::https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//modules/agent-nodepool?ref=v1.1.9" } include { @@ -80,5 +80,4 @@ inputs = { pre_userdata = local.env.cluster.init_script tags = merge(local.env.region_tags, local.env.tags, {}) -} - +} \ No newline at end of file 
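Review bot: The description of `name` (`"The name of the SSH key"`) undersells it: in `s3/main.tf` the same value is also substituted into the downloaded kubeconfig as the context/cluster name and as `clusterUser_<name>`, so a caller who changes it to select a different key file also renames their kubeconfig entries. I would describe it as `description = "Environment name; used as the SSH key file name (<name>.pem) and as the context/user name written into the merged kubeconfig"`. `private_key_path` is read as the directory containing `<name>.pem`, which its description could state directly (`"Directory containing the <name>.pem private key"`).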
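Review bot: Changing `if_exists` from `"overwrite_terragrunt"` to `"overwrite"` makes Terragrunt clobber any `backend.tf` it finds, including one written by hand, whereas `overwrite_terragrunt` only replaces files carrying Terragrunt's own generated-file signature; unless a module in this repo ships its own `backend.tf` that must be replaced, the original value is the safer one, or the commit should say why it was widened. The new bucket name `"${local.env.name}-terraform-state"` is also more likely to collide in S3's global namespace than the previous region-qualified name, and no migration from the old bucket is visible, so existing environments would need a `terraform init -migrate-state` run through Terragrunt (hedged: the old bucket may never have held state for these environments).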
diff --git a/terraform/us-gov-west-1/prod/main/terragrunt.hcl b/terraform/us-gov-west-1/prod/main/terragrunt.hcl index dbcdbe5b933049ac54f19a0350de1d58128bb59c..77c1e2aaa2731dff8bf18be4b0aefb93482a363a 100644 --- a/terraform/us-gov-west-1/prod/main/terragrunt.hcl +++ b/terraform/us-gov-west-1/prod/main/terragrunt.hcl @@ -1,7 +1,13 @@ # This file performs post-cluster actions, like downloading the kubeconfig +locals { + env = merge( + yamldecode(file(find_in_parent_folders("region.yaml"))), + yamldecode(file(find_in_parent_folders("env.yaml"))) + ) +} terraform { - source = "${path_relative_from_include()}//modules/k8s" + source = "${path_relative_from_include()}//modules/s3" } include { @@ -16,5 +22,6 @@ dependency "server" { } inputs = { + name = local.env.name kubeconfig_path = dependency.server.outputs.kubeconfig_path } \ No newline at end of file diff --git a/terraform/us-gov-west-1/prod/pool/terragrunt.hcl b/terraform/us-gov-west-1/prod/pool/terragrunt.hcl index 46c6a03b0fb459eccb49b9590771f501de24f8fb..3a9c68754407087f85f5759e39e4a31a2beaacf0 100644 --- a/terraform/us-gov-west-1/prod/pool/terragrunt.hcl +++ b/terraform/us-gov-west-1/prod/pool/terragrunt.hcl @@ -16,7 +16,7 @@ include { dependency "elb" { config_path = "../elb" mock_outputs = { - elb_id = "mock_elb_id" + elb_target_group_arns = ["mock_elb_id"] } } @@ -28,7 +28,7 @@ dependency "agent" { } inputs = { - elb_id = dependency.elb.outputs.elb_id + elb_target_group_arns = dependency.elb.outputs.elb_target_group_arns pool_asg_id = dependency.agent.outputs.nodepool_id tags = merge(local.env.region_tags, local.env.tags, {}) } \ No newline at end of file diff --git a/terraform/us-gov-west-1/prod/server/terragrunt.hcl b/terraform/us-gov-west-1/prod/server/terragrunt.hcl index 176e007235f2d76f56e4d56f0663199365f62128..164ec80d4a77d7a6bcbd7b43f3d8f94220729110 100644 --- a/terraform/us-gov-west-1/prod/server/terragrunt.hcl +++ b/terraform/us-gov-west-1/prod/server/terragrunt.hcl 
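Review bot: The file comment `# This file performs post-cluster actions, like downloading the kubeconfig` is now incomplete: the module it points at (`modules/s3`) also uploads the SSH private key to S3 and rewrites the kubeconfig context and user names with `local.env.name`, so an operator scanning this file will not see that it handles a secret. I would update it to `# Post-cluster actions: merge the cluster kubeconfig into ~/.kube/config (entries renamed to the env name) and upload the SSH private key to S3`. The new `locals` block repeats the `merge(yamldecode(...region.yaml), yamldecode(...env.yaml))` pattern the sibling terragrunt files presumably already carry; if so it could live in the included parent to avoid drift (hedged, the parent's locals are not in this diff).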
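Review bot: The mock output `elb_target_group_arns = ["mock_elb_id"]` keeps the old name for what is now a list of target group ARNs, and because `pool/main.tf` uses each element both as a `for_each` key and as `alb_target_group_arn`, a mocked plan shows an attachment keyed `"mock_elb_id"` holding a non-ARN value, which misleads anyone reading the plan. A value shaped like what it stands in for, e.g. `elb_target_group_arns = ["mock_target_group_arn"]`, makes mocked plans self-explanatory.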
@@ -8,7 +8,7 @@ locals { } terraform { - source = "git::https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//?ref=v1.1.8" + source = "git::https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//?ref=v1.1.9" } include {