commit 65ab6a1512aba26a69756b9db3d7d3601075c5ae
Author: Tamas Kiss
Date: Fri May 27 16:55:50 2022 +0200
init: copy from lawndale-infra
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..d9052cf
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,85 @@
+---
+kind: pipeline
+type: kubernetes
+name: Terraform root module
+
+environment:
+ TF_IN_AUTOMATION: "1"
+ GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no -i $${PWD}/id_rsa"
+
+trigger:
+ ref:
+ - refs/heads/main
+ - refs/pull/*/head
+
+steps:
+- name: terraform init
+ image: hashicorp/terraform:1.1.8
+ commands:
+ - echo "$${CI_SSH_KEY}" | base64 -d > id_rsa
+ - chmod 600 id_rsa
+ - terraform init
+ environment:
+ CI_SSH_KEY:
+ from_secret: ci-ssh-key
+ AWS_ACCESS_KEY_ID:
+ from_secret: terraform-aws-key-id
+ AWS_SECRET_ACCESS_KEY:
+ from_secret: terraform-aws-secret-access-key
+
+- name: terraform plan
+ image: hashicorp/terraform:1.1.8
+ commands:
+ - terraform plan -out .tfplan
+ environment:
+ AWS_ACCESS_KEY_ID:
+ from_secret: terraform-aws-key-id
+ AWS_SECRET_ACCESS_KEY:
+ from_secret: terraform-aws-secret-access-key
+ KUBE_TOKEN:
+ from_secret: lawndale-k8s-ci-token
+
+- name: terraform apply
+ when:
+ branch:
+ - main
+ event:
+ - push
+ image: hashicorp/terraform:1.1.8
+ commands:
+ - terraform apply .tfplan
+ environment:
+ AWS_ACCESS_KEY_ID:
+ from_secret: terraform-aws-key-id
+ AWS_SECRET_ACCESS_KEY:
+ from_secret: terraform-aws-secret-access-key
+ KUBE_TOKEN:
+ from_secret: lawndale-k8s-ci-token
+
+---
+kind: pipeline
+type: kubernetes
+name: Check docs and format
+
+environment:
+ TF_IN_AUTOMATION: "1"
+
+trigger:
+ ref:
+ - refs/pull/*/head
+
+steps:
+- name: format and generate docs
+ image: hashicorp/terraform:1.1.8
+ commands:
+ - apk add bash wget
+ - wget -q https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz -O - | tar -xz terraform-docs -C /usr/local/bin
+ - terraform fmt
+ - terraform-docs .
+ - git diff --exit-code
+
+---
+kind: signature
+hmac: 368164860598a6980892222216f3b14f9effbe392f5b13616df251115ae82719
+
+...
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9b8a46e
--- /dev/null
+++ b/.gitignore
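Review bot: `GIT_SSH_COMMAND` disables host-key verification (`StrictHostKeyChecking=no`) for the SSH fetch of the `terraform-modules` sources that `terraform init` performs, so a spoofed git host could serve module code that then runs in this pipeline with the AWS keys and `KUBE_TOKEN`. Pin the server key instead, e.g. `GIT_SSH_COMMAND: "ssh -o UserKnownHostsFile=$${PWD}/known_hosts -o StrictHostKeyChecking=yes -i $${PWD}/id_rsa"`, with `known_hosts` committed to the repository or written from a secret next to `id_rsa`. The `format and generate docs` step has the same class of gap: terraform-docs is installed from an unverified download, and saving the tarball and checking it with `sha256sum -c` against a pinned digest before `tar -xz` would close it. The plan step also runs for `refs/pull/*/head` with the AWS and cluster credentials; whether a pull request can actually reach those secrets depends on the Drone secret settings, which are not visible here.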
@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
new file mode 100644
index 0000000..e41c6c7
--- /dev/null
+++ b/.terraform-docs.yml
@@ -0,0 +1,5 @@
+formatter: markdown document
+
+output:
+ mode: inject
+ file: README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d8639f8
--- /dev/null
+++ b/README.md
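Review bot: The `*tfplan*` pattern is left as a commented example even though the pipeline in this same commit runs `terraform plan -out .tfplan`, and a saved plan serialises sensitive values in plaintext (here the generated admin password and the Cognito client secret passed through `set_sensitive` in gitea.tf). A developer who runs the same command locally and then does `git add .` would commit those secrets. Uncommenting the example as `*.tfplan` (or the broader `*tfplan*`) keeps plan files out of the repository; the same could be done for the `id_rsa` file the init step writes into the workspace, although that one only exists in CI.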
@@ -0,0 +1,69 @@
+# Terraform module for Gitea deployment
+[![Build Status](https://drone.thomasklein.me/api/badges/thomasklein/terraform-app-gitea/status.svg)](https://drone.thomasklein.me/thomasklein/terraform-app-gitea)
+
+This module manages the gitea installation on lawndale.
+
+
+
+## Requirements
+
+The following requirements are needed by this module:
+
+- [aws](#requirement\_aws) (~> 4.9.0)
+
+- [helm](#requirement\_helm) (~> 2.5.1)
+
+- [kubernetes](#requirement\_kubernetes) (~> 2.11.0)
+
+## Providers
+
+The following providers are used by this module:
+
+- [aws](#provider\_aws) (~> 4.9.0)
+
+- [helm](#provider\_helm) (~> 2.5.1)
+
+- [kubernetes](#provider\_kubernetes) (~> 2.11.0)
+
+- [random](#provider\_random)
+
+## Modules
+
+The following Modules are called:
+
+### [gitea\_persistance](#module\_gitea\_persistance)
+
+Source: git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume
+
+Version:
+
+### [postgres\_persistance](#module\_postgres\_persistance)
+
+Source: git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume
+
+Version:
+
+## Resources
+
+The following resources are used by this module:
+
+- [aws_cognito_user_pool_client.gitea](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_client) (resource)
+- [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) (resource)
+- [kubernetes_manifest.ingress_tcp_route](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) (resource)
+- [kubernetes_namespace.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) (resource)
+- [random_password.gitea_admin](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) (resource)
+- [aws_cognito_user_pools.thomasklein_infra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cognito_user_pools) (data source)
+- [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) (data source)
+
+## Required Inputs
+
+No required inputs.
+
+## Optional Inputs
+
+No optional inputs.
+
+## Outputs
+
+No outputs.
+
diff --git a/backend.tf b/backend.tf
new file mode 100644
index 0000000..5a5efb1
--- /dev/null
+++ b/backend.tf
@@ -0,0 +1,10 @@
+terraform {
+ backend "s3" {
+ bucket = "thomasklein-global-states"
+ key = "apps/lawndale/gitea"
+ region = "eu-central-1"
+ encrypt = true
+ kms_key_id = "a767a3ce-c505-44c0-9f93-6f53678c69c7"
+ dynamodb_table = "thomasklein-global-state-locks"
+ }
+}
diff --git a/gitea.tf b/gitea.tf
new file mode 100644
index 0000000..d15313a
--- /dev/null
+++ b/gitea.tf
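Review bot: The state stored in this backend will hold the generated Gitea admin password and the Cognito client secret in plaintext, since `set_sensitive` in gitea.tf and the `sensitive` flag on `random_password` only redact plan and apply output, not the state file. `encrypt = true` with the named KMS key covers the bytes at rest, so the effective control is who can read the bucket and use that key; worth confirming that the bucket and key policies are limited to the CI identity behind `terraform-aws-key-id` and to state operators, and that bucket versioning is enabled so a bad apply can be rolled back. A short comment above the block, `# state contains the admin password and OAuth client secret; access to this bucket equals admin on Gitea`, would make that explicit for the next reader.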
@@ -0,0 +1,121 @@
+resource "kubernetes_namespace" "this" {
+ metadata {
+ name = "gitea"
+ }
+}
+
+resource "helm_release" "this" {
+ name = "gitea"
+ namespace = kubernetes_namespace.this.metadata.0.name
+
+ repository = "https://dl.gitea.io/charts/"
+ chart = "gitea"
+ version = "5.0.0"
+
+ create_namespace = false
+
+ values = [
+ jsonencode({
+ ingress = {
+ enabled = true
+ annotations = {
+ "kubernetes.io/ingress.class" = "traefik"
+ "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
+ "traefik.ingress.kubernetes.io/router.tls" = "true"
+ "traefik.ingress.kubernetes.io/router.tls.certresolver" = "acme-thomasklein-me"
+ "traefik.ingress.kubernetes.io/router.tls.domains.0.main" = local.ingress_domain
+ }
+ hosts = [
+ {
+ host = local.ingress_domain
+ paths = [
+ {
+ path = "/"
+ pathType = "Prefix"
+ }
+ ]
+ }
+ ]
+ }
+ }),
+ jsonencode({
+ gitea = {
+ oauth = [
+ {
+ name = "Cognito"
+ provider = "openidConnect"
+ autoDiscoverUrl = "https://cognito-idp.${data.aws_region.current.name}.amazonaws.com/${data.aws_cognito_user_pools.thomasklein_infra.ids[0]}/.well-known/openid-configuration"
+ #useCustomUrls =
+ #customAuthUrl =
+ #customTokenUrl =
+ #customProfileUrl =
+ #customEmailUrl =
+ }
+ ]
+ }
+ }),
+ jsonencode({
+ gitea = {
+ config = {
+ # APP_NAME = ""
+ server = {
+ ROOT_URL = "https://${local.ingress_domain}/"
+ }
+ indexer = {
+ ISSUE_INDEXER_TYPE = "db" # bleve doesn't like 9p filesystems :/
+ }
+ metrics = {
+ ENABLED = false ## the metrics not really worth it
+ }
+ service = {
+ DISABLE_REGISTRATION = true
+ }
+ }
+ admin = {
+ username = "thomasklein"
+ email = "kiss.tamas94@gmail.com"
+ }
+ }
+ }),
+ jsonencode({
+ persistence = {
+ enabled = true
+ existingClaim = module.gitea_persistance.pvc_name
+ }
+ }),
+ jsonencode({
+ postgresql = {
+ enabled = true
+ persistence = {
+ enabled = true
+ existingClaim = module.postgres_persistance.pvc_name
+ }
+ podSecurityContext = {
+ enabled = true
+ }
+ volumePermissions = {
+ enabled = true
+ }
+ }
+ }),
+ ]
+
+ set_sensitive {
+ name = "gitea.oauth[0].key"
+ value = aws_cognito_user_pool_client.gitea.id
+ }
+ set_sensitive {
+ name = "gitea.oauth[0].secret"
+ value = aws_cognito_user_pool_client.gitea.client_secret
+ }
+
+ set_sensitive {
+ name = "gitea.admin.password"
+ value = random_password.gitea_admin.result
+ }
+}
+
+resource "random_password" "gitea_admin" {
+ length = 16
+ special = true
+}
diff --git a/locals.tf b/locals.tf
new file mode 100644
index 0000000..29c40fb
--- /dev/null
+++ b/locals.tf
@@ -0,0 +1,5 @@
+locals {
+ ingress_domain = "git.thomasklein.me"
+}
+
+data "aws_region" "current" {}
diff --git a/oauth.tf b/oauth.tf
new file mode 100644
index 0000000..a0c97a1
--- /dev/null
+++ b/oauth.tf
@@ -0,0 +1,18 @@
+data "aws_cognito_user_pools" "thomasklein_infra" {
+ name = "thomasklein-infra"
+}
+
+resource "aws_cognito_user_pool_client" "gitea" {
+ name = "gitea"
+
+ user_pool_id = data.aws_cognito_user_pools.thomasklein_infra.ids[0]
+
+ allowed_oauth_flows_user_pool_client = true
+ allowed_oauth_flows = ["code"]
+ allowed_oauth_scopes = ["profile", "email", "openid"]
+
+ supported_identity_providers = ["COGNITO"]
+
+ generate_secret = true
+ callback_urls = ["https://${local.ingress_domain}/user/oauth2/Cognito/callback"]
+}
diff --git a/provider.tf b/provider.tf
new file mode 100644
index 0000000..93633a1
--- /dev/null
+++ b/provider.tf
@@ -0,0 +1,28 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.9.0"
+ }
+
+ helm = {
+ source = "hashicorp/helm"
+ version = "~> 2.5.1"
+ }
+
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.11.0"
+ }
+
+ }
+}
+
+provider "aws" {
+ # Configuration options
+ default_tags {
+ tags = {
+ "managed-by" = "terraform"
+ }
+ }
+}
diff --git a/ssh-ingresstcproute.tf b/ssh-ingresstcproute.tf
new file mode 100644
index 0000000..6a5332c
--- /dev/null
+++ b/ssh-ingresstcproute.tf
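Review bot: The bundled database (`postgresql.enabled = true`) gets persistence and a pod security context but no credentials, so whatever the gitea 5.0.0 chart sets as its default PostgreSQL password is used; if that default is a fixed value, anything in the cluster that can reach the postgres service can read repository metadata, users and tokens. A second `random_password` passed with `set_sensitive { name = "postgresql.global.postgresql.postgresqlPassword" ... }` (confirm the exact key against the chart's values) removes the dependency on chart defaults. `random_password.gitea_admin` with `length = 16` is short for an account that can reconfigure the whole instance; `length = 32` costs nothing. It is also worth confirming for this chart version that `gitea.oauth[0].secret` and `gitea.admin.password` end up in a Kubernetes Secret rather than a ConfigMap, since `set_sensitive` only controls Terraform's output.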
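Review bot: `data.aws_cognito_user_pools` looks pools up by name, and Cognito does not require pool names to be unique, so `ids[0]` silently picks one of possibly several results; a second pool named `thomasklein-infra` would point Gitea's login at a different user base with no error. `user_pool_id = one(data.aws_cognito_user_pools.thomasklein_infra.ids)` fails the plan instead when the count is not exactly one (`one()` exists since Terraform 0.15, and the pipeline pins 1.1.8), and the same expression belongs in the `autoDiscoverUrl` built in gitea.tf. On the client itself, `prevent_user_existence_errors = "ENABLED"` would stop the hosted UI from distinguishing unknown usernames from wrong passwords, which the current configuration leaves at the provider default.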
@@ -0,0 +1,26 @@
+resource "kubernetes_manifest" "ingress_tcp_route" {
+ manifest = {
+ apiVersion = "traefik.containo.us/v1alpha1"
+ kind = "IngressRouteTCP"
+ metadata = {
+ name = "gitea-ssh"
+ namespace = kubernetes_namespace.this.metadata.0.name
+ }
+ spec = {
+ entryPoints = [
+ "gitssh",
+ ]
+ routes: [
+ {
+ match = "HostSNI(`*`)"
+ services = [
+ {
+ name = "gitea-ssh"
+ port = 22
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
diff --git a/volume.tf b/volume.tf
new file mode 100644
index 0000000..d59a348
--- /dev/null
+++ b/volume.tf
@@ -0,0 +1,21 @@
+# This is actually a self reference as these modules would only be available IF
+# This lawndale gitea instance is running and available.
+# Here it would be wiser to reference a mirror of this repository
+# TODO: setup repository mirror for terraform-modules
+# TODO: user mirrored repository
+
+module "gitea_persistance" {
+ source = "git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume"
+
+ namespace = kubernetes_namespace.this.metadata.0.name
+ name = "gitea"
+ volume_storage_capacity = "5Gi"
+}
+
+module "postgres_persistance" {
+ source = "git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume"
+
+ namespace = kubernetes_namespace.this.metadata.0.name
+ name = "gitea-postgres"
+ volume_storage_capacity = "5Gi"
+}
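Review bot: `routes: [` uses HCL's colon separator while every other attribute in the `manifest` object uses `=`; both parse, but the mixed form reads like a stray YAML line and `terraform fmt` (run by the docs pipeline) does not appear to normalise it, so `routes = [` keeps the file consistent. The wildcard HostSNI match is unavoidable here because SSH carries no SNI, which means every connection reaching the `gitssh` entrypoint is forwarded to the `gitea-ssh` service on port 22; that is by design, but a comment such as `# SSH has no SNI, so this entrypoint must be dedicated to git traffic` would stop a later reader from tightening the match and breaking clones.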
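Review bot: Both module `source` values point at the default branch of `terraform-modules` with no `?ref=` selector, so every `terraform init` in CI pulls whatever that branch holds at that moment and executes it with the pipeline's AWS and cluster credentials; together with the disabled SSH host-key check in `.drone.yml` this is the weakest link in this module's supply chain. Pinning to a tag or commit, `source = "git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume?ref=<commit>"`, makes the dependency reviewable and reproducible without waiting for the mirror the TODO describes. The header comment already notes the self-reference (the modules live on the Gitea this module deploys), which also means a broken deploy cannot be repaired from CI; a vendored copy of the small `9p-persistent-volume` module would be a cheaper interim fix than the mirror. The last TODO line presumably means "use mirrored repository".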