Merge pull request 'Setting up CI with Drone' (#1) from adding-ci into main

Reviewed-on: #1

.drone.yml

@@ -0,0 +1,97 @@
+---
+kind: pipeline
+type: kubernetes
+name: Terraform root module
+
+environment:
+  TF_IN_AUTOMATION: "1"
+  GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no -i $${PWD}/id_rsa"
+  TF_VAR_lawndale_dns_host: "nat.lawndale"
+  TF_VAR_lawndale_libvirt_uri_transport: ssh
+  TF_VAR_lawndale_libvirt_uri_userhostport: "192.168.253.254:10022"
+
+trigger:
+  ref:
+    - refs/heads/main
+    - refs/pull/*/head
+
+steps:
+- name: terraform init
+  image: hashicorp/terraform:1.1.8
+  commands:
+    - echo "$${CI_SSH_KEY}" | base64 -d > id_rsa
+    - chmod 600 id_rsa
+    - echo 'lawndale_libvirt_uri_extra = {"sshauth"="privkey","keyfile"="'$${PWD}'/id_rsa","no_verify"="1"}' >> ci.tfvars
+    - terraform init
+  environment:
+    CI_SSH_KEY:
+      from_secret: ci-ssh-key
+    AWS_ACCESS_KEY_ID:
+      from_secret: terraform-aws-key-id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: terraform-aws-secret-access-key
+
+- name: terraform plan
+  image: hashicorp/terraform:1.1.8
+  commands:
+    - terraform plan -var-file ci.tfvars -out .tfplan
+  environment:
+    AWS_ACCESS_KEY_ID:
+      from_secret: terraform-aws-key-id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: terraform-aws-secret-access-key
+    KUBE_TOKEN:
+      from_secret: lawndale-k8s-ci-token
+    TF_VAR_lawndale_dns_key_secret:
+      from_secret: lawndale-dns-key-secret
+    TF_VAR_lawndale_dns_key_algorithm:
+      from_secret: lawndale-dns-key-algorithm
+
+- name: terraform apply
+  when:
+    branch:
+    - main
+    event:
+    - push
+  image: hashicorp/terraform:1.1.8
+  commands:
+    - terraform apply -var-file ci.tfvars .tfplan
+  environment:
+    AWS_ACCESS_KEY_ID:
+      from_secret: terraform-aws-key-id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: terraform-aws-secret-access-key
+    KUBE_TOKEN:
+      from_secret: lawndale-k8s-ci-token
+    TF_VAR_lawndale_dns_key_secret:
+      from_secret: lawndale-dns-key-secret
+    TF_VAR_lawndale_dns_key_algorithm:
+      from_secret: lawndale-dns-key-algorithm
+
+---
+kind: pipeline
+type: kubernetes
+name: Check docs and format
+
+environment:
+  TF_IN_AUTOMATION: "1"
+
+trigger:
+  ref:
+    - refs/pull/*/head
+
+steps:
+- name: format and generate docs
+  image: hashicorp/terraform:1.1.8
+  commands:
+    - apk add bash wget 
+    - wget -q https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz -O - | tar -xz terraform-docs -C /usr/local/bin
+    - terraform fmt
+    - terraform-docs .
+    - git diff --exit-code
+
+---
+kind: signature
+hmac: c79a45ff158cd06564765a09933921a2fd9856f6c2063716d45225fc1c45c100
+
+...

README.md

@@ -93,29 +93,27 @@ The following resources are used by this module:
 
 The following input variables are required:
 
-### <a name="input_lawndale_dns_key_secret"></a> [lawndale\_dns\_key\_secret](#input\_lawndale\_dns\_key\_secret)
-
-Description: DNSSEC key to use sigining the NSUPDATE queries for Lawndale
-
-Type: `string`
-
-### <a name="input_lawndale_dns_port"></a> [lawndale\_dns\_port](#input\_lawndale\_dns\_port)
-
-Description: Port where the lawndale internal DNS server listens on
-
-Type: `number`
-
-## Optional Inputs
-
-The following input variables are optional (have default values):
-
 ### <a name="input_lawndale_dns_host"></a> [lawndale\_dns\_host](#input\_lawndale\_dns\_host)
 
 Description: Address to reach lawndale internal DNS server
 
 Type: `string`
 
-Default: `"lawndale-hyper"`
+### <a name="input_lawndale_dns_key_secret"></a> [lawndale\_dns\_key\_secret](#input\_lawndale\_dns\_key\_secret)
+
+Description: DNSSEC key to use sigining the NSUPDATE queries for Lawndale
+
+Type: `string`
+
+### <a name="input_lawndale_libvirt_uri_transport"></a> [lawndale\_libvirt\_uri\_transport](#input\_lawndale\_libvirt\_uri\_transport)
+
+Description: Transport protocol (could be ssh or tls) to dial Lawndale hypervisor
+
+Type: `string`
+
+## Optional Inputs
+
+The following input variables are optional (have default values):
 
 ### <a name="input_lawndale_dns_key_algorithm"></a> [lawndale\_dns\_key\_algorithm](#input\_lawndale\_dns\_key\_algorithm)
 
@@ -125,6 +123,14 @@ Type: `string`
 
 Default: `"hmac-sha256"`
 
+### <a name="input_lawndale_dns_port"></a> [lawndale\_dns\_port](#input\_lawndale\_dns\_port)
+
+Description: Port where the lawndale internal DNS server listens on
+
+Type: `number`
+
+Default: `53`
+
 ### <a name="input_lawndale_dns_transport"></a> [lawndale\_dns\_transport](#input\_lawndale\_dns\_transport)
 
 Description: Port where the lawndale internal DNS server listens on
@@ -133,6 +139,38 @@ Type: `string`
 
 Default: `"udp"`
 
+### <a name="input_lawndale_libvirt_uri"></a> [lawndale\_libvirt\_uri](#input\_lawndale\_libvirt\_uri)
+
+Description: Libvirt URI to use accessing Lawndale hypervisor
+
+Type: `string`
+
+Default: `null`
+
+### <a name="input_lawndale_libvirt_uri_extra"></a> [lawndale\_libvirt\_uri\_extra](#input\_lawndale\_libvirt\_uri\_extra)
+
+Description: Libvirt URI extra parameters [https://libvirt.org/uri.html#transport-configuration](See Libvirt transport configuration)
+
+Type: `map(any)`
+
+Default: `{}`
+
+### <a name="input_lawndale_libvirt_uri_path"></a> [lawndale\_libvirt\_uri\_path](#input\_lawndale\_libvirt\_uri\_path)
+
+Description: Libvirt URI path sent to the libvirt daemon
+
+Type: `string`
+
+Default: `"/system"`
+
+### <a name="input_lawndale_libvirt_uri_userhostport"></a> [lawndale\_libvirt\_uri\_userhostport](#input\_lawndale\_libvirt\_uri\_userhostport)
+
+Description: Libvirt URI username, hostname or ip address, and port to reach lawndale hypervisor, in the format of `[username@]<hostname>[:port]`
+
+Type: `string`
+
+Default: `"lawndale-hyper"`
+
 ## Outputs
 
 No outputs.

ci.tf

@@ -38,35 +38,23 @@ resource "kubernetes_cluster_role" "ci_cd" {
       "persistentvolumeclaims",
       "pods",
       "namespaces",
+      "nodes",
       "secrets",
+      "serviceaccounts",
       "services",
     ]
-    verbs = [
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
-      "create",
-      "delete",
-      "get",
-      "list",
-      "patch",
-      "update",
-      "watch",
-    ]
   }
 
   rule {
     api_groups = ["apps"]
     resources = [
+      "daemonsets",
       "deployments",
       "replicasets", # needed for 'helm upgrade --wait'
+      "statefulsets",
     ]
-    verbs = [
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
-      "create",
-      "delete",
-      "get",
-      "list",
-      "patch",
-      "update",
-      "watch",
-    ]
   }
 
   rule {
@@ -74,45 +62,42 @@ resource "kubernetes_cluster_role" "ci_cd" {
     resources = [
       "horizontalpodautoscalers"
     ]
-    verbs = [
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
-      "create",
-      "delete",
-      "get",
-      "list",
-      "patch",
-      "update",
-      "watch",
-    ]
   }
   rule {
     api_groups = ["networking.k8s.io"]
 
     resources = [
       "ingresses",
-    ]
-    verbs = [
-      "create",
-      "delete",
-      "get",
-      "list",
-      "patch",
-      "update",
-      "watch",
-    ]
-  }
-  rule {
-    api_groups = ["networking.k8s.io"]
-    resources = [
       "networkpolicies"
     ]
-    verbs = [
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
-      "create",
+  }
-      "delete",
+
-      "get",
+  rule {
-      "list",
+    api_groups = ["apiextensions.k8s.io"]
-      "patch",
+    resources = [
-      "update",
+      "customresourcedefinitions"
-      "watch",
     ]
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
+  }
+
+  rule {
+    api_groups = ["rbac.authorization.k8s.io"]
+    resources = [
+      "clusterrolebindings",
+      "clusterroles",
+      "rolebindings",
+      "roles",
+    ]
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
+  }
+
+  rule {
+    api_groups = ["policy"]
+    resources = [
+      "podsecuritypolicies",
+    ]
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
   }
 }

locals.tf

@@ -38,4 +38,13 @@ EehXHhbRmbtSZ7c4DrGeR2J0SZTyBQJfZczSGRvEiKyGNnyZlLVYKTTnV9b+aN3q
 Xw+ilWL3boYsSiqVN6SIUA==
 -----END CERTIFICATE-----
 EOM
+
+
+  lawndale_libvirt_uri_extra = join("&", [for k, v in var.lawndale_libvirt_uri_extra : format("%s=%s", urlencode(k), urlencode(v))])
+  lawndale_libvirt_uri = var.lawndale_libvirt_uri != null ? var.lawndale_libvirt_uri : format("qemu+%s://%s%s?%s",
+    var.lawndale_libvirt_uri_transport,
+    var.lawndale_libvirt_uri_userhostport,
+    var.lawndale_libvirt_uri_path,
+    local.lawndale_libvirt_uri_extra
+  )
 }

providers.tf

@@ -53,7 +53,7 @@ provider "aws" {
 
 provider "libvirt" {
   # no-pty ssh-rsa AAAAB3.....
-  uri = "qemu+ssh://lawndale-hyper.sch.bme.hu:10022/system?sshauth=privkey"
+  uri = local.lawndale_libvirt_uri
 }
 
 provider "dns" {

variables.tf

@@ -1,7 +1,6 @@
 variable "lawndale_dns_host" {
   type        = string
   description = "Address to reach lawndale internal DNS server"
-  default     = "lawndale-hyper"
 }
 
 variable "lawndale_dns_port" {
@@ -32,3 +31,33 @@ variable "lawndale_dns_key_algorithm" {
   description = "DNSSEC key to use sigining the NSUPDATE queries for Lawndale"
   default     = "hmac-sha256"
 }
+
+variable "lawndale_libvirt_uri" {
+  type        = string
+  description = "Libvirt URI to use accessing Lawndale hypervisor"
+  default     = null
+  nullable    = true
+}
+
+variable "lawndale_libvirt_uri_transport" {
+  type        = string
+  description = "Transport protocol (could be ssh or tls) to dial Lawndale hypervisor"
+}
+
+variable "lawndale_libvirt_uri_userhostport" {
+  type        = string
+  description = "Libvirt URI username, hostname or ip address, and port to reach lawndale hypervisor, in the format of `[username@]<hostname>[:port]`"
+  default     = "lawndale-hyper"
+}
+
+variable "lawndale_libvirt_uri_path" {
+  type        = string
+  description = "Libvirt URI path sent to the libvirt daemon"
+  default     = "/system"
+}
+
+variable "lawndale_libvirt_uri_extra" {
+  type        = map(any)
+  description = "Libvirt URI extra parameters [https://libvirt.org/uri.html#transport-configuration](See Libvirt transport configuration)"
+  default     = {}
+}