ci: adding drone.yml

2022-05-27 04:29:00 +02:00
9 changed files with 75 additions and 243 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -6,14 +6,7 @@ name: Terraform root module
 environment:
  TF_IN_AUTOMATION: "1"
  GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no -i $${PWD}/id_rsa"
-  TF_VAR_lawndale_dns_host: "nat.lawndale"
-  TF_VAR_lawndale_libvirt_uri_transport: ssh
-  TF_VAR_lawndale_libvirt_uri_userhostport: "192.168.253.254:10022"
  
-trigger:
-  ref:
-    - refs/heads/main
-    - refs/pull/*/head

 steps:
 - name: terraform init
@@ -21,7 +14,6 @@ steps:
  commands:
    - echo "$${CI_SSH_KEY}" | base64 -d > id_rsa
    - chmod 600 id_rsa
-    - echo 'lawndale_libvirt_uri_extra = {"sshauth"="privkey","keyfile"="'$${PWD}'/id_rsa","no_verify"="1"}' >> ci.tfvars
    - terraform init
  environment:
    CI_SSH_KEY:
@@ -34,7 +26,8 @@ steps:
 - name: terraform plan
  image: hashicorp/terraform:1.1.8
  commands:
-    - terraform plan $([[ $${DRONE_BUILD_EVENT} = cron ]] && echo "-detailed-exitcode") -var-file ci.tfvars -out .tfplan
+    - cp -a id_rsa ~/.ssh/id_rsa
+    - terraform plan -out .tfplan
  environment:
    AWS_ACCESS_KEY_ID:
      from_secret: terraform-aws-key-id
@@ -42,7 +35,7 @@ steps:
      from_secret: terraform-aws-secret-access-key
    KUBE_TOKEN:
      from_secret: lawndale-k8s-ci-token
-    TF_VAR_lawndale_dns_key_secret:
+    TF_VAR_lawdnale_dns_key_secret:
      from_secret: lawndale-dns-key-secret
    TF_VAR_lawndale_dns_key_algorithm:
      from_secret: lawndale-dns-key-algorithm
@@ -55,36 +48,22 @@ steps:
    - push
  image: hashicorp/terraform:1.1.8
  commands:
+    - cp -a id_rsa ~/.ssh/id_rsa
    - terraform apply .tfplan
  environment:
    AWS_ACCESS_KEY_ID:
      from_secret: terraform-aws-key-id
    AWS_SECRET_ACCESS_KEY:
      from_secret: terraform-aws-secret-access-key
---
-kind: pipeline
-type: kubernetes
-name: Check docs and format
-
-environment:
-  TF_IN_AUTOMATION: "1"
-
-trigger:
-  ref:
-    - refs/pull/*/head
-
-steps:
- name: format and generate docs
-  image: hashicorp/terraform:1.1.8
-  commands:
-    - apk add bash wget 
-    - wget -q https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz -O - | tar -xz terraform-docs -C /usr/local/bin
-    - terraform fmt
-    - terraform-docs .
-    - git diff --exit-code
+    KUBE_TOKEN:
+      from_secret: lawndale-k8s-ci-token
+    TF_VAR_lawdnale_dns_key_secret:
+      from_secret: lawndale-dns-key-secret
+    TF_VAR_lawndale_dns_key_algorithm:
+      from_secret: lawndale-dns-key-algorithm

 ---
 kind: signature
-hmac: 95f8db197163e884f2eee4b14af136b9ea1e0f88f626079b4a3b38b43b91c6a8
+hmac: d5b34139e5dd55d395dfbc99a5193220239fa13f1186c4bab7a9f084de190e47

 ...
--- a/README.md
+++ b/README.md
@@ -69,9 +69,7 @@ Version:
 The following resources are used by this module:

 - [helm_release.coredns](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
- [helm_release.kube_state_metrics](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
 - [helm_release.metrics_server](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
- [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
 - [kubernetes_cluster_role.ci_cd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) (resource)
 - [kubernetes_cluster_role.prometheus](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) (resource)
 - [kubernetes_cluster_role_binding.auto_approve_node_csrs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) (resource)
@@ -95,28 +93,30 @@ The following resources are used by this module:

 The following input variables are required:

-### <a name="input_lawndale_dns_host"></a> [lawndale\_dns\_host](#input\_lawndale\_dns\_host)
-
-Description: Address to reach lawndale internal DNS server
-
-Type: `string`
-
 ### <a name="input_lawndale_dns_key_secret"></a> [lawndale\_dns\_key\_secret](#input\_lawndale\_dns\_key\_secret)

 Description: DNSSEC key to use sigining the NSUPDATE queries for Lawndale

 Type: `string`

-### <a name="input_lawndale_libvirt_uri_transport"></a> [lawndale\_libvirt\_uri\_transport](#input\_lawndale\_libvirt\_uri\_transport)
+### <a name="input_lawndale_dns_port"></a> [lawndale\_dns\_port](#input\_lawndale\_dns\_port)

-Description: Transport protocol (could be ssh or tls) to dial Lawndale hypervisor
+Description: Port where the lawndale internal DNS server listens on

-Type: `string`
+Type: `number`

 ## Optional Inputs

 The following input variables are optional (have default values):

+### <a name="input_lawndale_dns_host"></a> [lawndale\_dns\_host](#input\_lawndale\_dns\_host)
+
+Description: Address to reach lawndale internal DNS server
+
+Type: `string`
+
+Default: `"lawndale-hyper"`
+
 ### <a name="input_lawndale_dns_key_algorithm"></a> [lawndale\_dns\_key\_algorithm](#input\_lawndale\_dns\_key\_algorithm)

 Description: DNSSEC key to use sigining the NSUPDATE queries for Lawndale
@@ -125,14 +125,6 @@ Type: `string`

 Default: `"hmac-sha256"`

-### <a name="input_lawndale_dns_port"></a> [lawndale\_dns\_port](#input\_lawndale\_dns\_port)
-
-Description: Port where the lawndale internal DNS server listens on
-
-Type: `number`
-
-Default: `53`
-
 ### <a name="input_lawndale_dns_transport"></a> [lawndale\_dns\_transport](#input\_lawndale\_dns\_transport)

 Description: Port where the lawndale internal DNS server listens on
@@ -141,38 +133,6 @@ Type: `string`

 Default: `"udp"`

-### <a name="input_lawndale_libvirt_uri"></a> [lawndale\_libvirt\_uri](#input\_lawndale\_libvirt\_uri)
-
-Description: Libvirt URI to use accessing Lawndale hypervisor
-
-Type: `string`
-
-Default: `null`
-
-### <a name="input_lawndale_libvirt_uri_extra"></a> [lawndale\_libvirt\_uri\_extra](#input\_lawndale\_libvirt\_uri\_extra)
-
-Description: Libvirt URI extra parameters [https://libvirt.org/uri.html#transport-configuration](See Libvirt transport configuration)
-
-Type: `map(any)`
-
-Default: `{}`
-
-### <a name="input_lawndale_libvirt_uri_path"></a> [lawndale\_libvirt\_uri\_path](#input\_lawndale\_libvirt\_uri\_path)
-
-Description: Libvirt URI path sent to the libvirt daemon
-
-Type: `string`
-
-Default: `"/system"`
-
-### <a name="input_lawndale_libvirt_uri_userhostport"></a> [lawndale\_libvirt\_uri\_userhostport](#input\_lawndale\_libvirt\_uri\_userhostport)
-
-Description: Libvirt URI username, hostname or ip address, and port to reach lawndale hypervisor, in the format of `[username@]<hostname>[:port]`
-
-Type: `string`
-
-Default: `"lawndale-hyper"`
-
 ## Outputs

 No outputs.
--- a/ci.tf
+++ b/ci.tf
@@ -38,23 +38,35 @@ resource "kubernetes_cluster_role" "ci_cd" {
      "persistentvolumeclaims",
      "pods",
      "namespaces",
-      "nodes",
      "secrets",
-      "serviceaccounts",
      "services",
    ]
-    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
+    verbs = [
+      "create",
+      "delete",
+      "get",
+      "list",
+      "patch",
+      "update",
+      "watch",
+    ]
  }

  rule {
    api_groups = ["apps"]
    resources = [
-      "daemonsets",
      "deployments",
      "replicasets", # needed for 'helm upgrade --wait'
-      "statefulsets",
    ]
-    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
+    verbs = [
+      "create",
+      "delete",
+      "get",
+      "list",
+      "patch",
+      "update",
+      "watch",
+    ]
  }

  rule {
@@ -62,58 +74,45 @@ resource "kubernetes_cluster_role" "ci_cd" {
    resources = [
      "horizontalpodautoscalers"
    ]
-    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
+    verbs = [
+      "create",
+      "delete",
+      "get",
+      "list",
+      "patch",
+      "update",
+      "watch",
+    ]
  }
  rule {
    api_groups = ["networking.k8s.io"]

    resources = [
      "ingresses",
+    ]
+    verbs = [
+      "create",
+      "delete",
+      "get",
+      "list",
+      "patch",
+      "update",
+      "watch",
+    ]
+  }
+  rule {
+    api_groups = ["networking.k8s.io"]
+    resources = [
      "networkpolicies"
    ]
-    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
-  }
-
-  rule {
-    api_groups = ["apiextensions.k8s.io"]
-    resources = [
-      "customresourcedefinitions"
+    verbs = [
+      "create",
+      "delete",
+      "get",
+      "list",
+      "patch",
+      "update",
+      "watch",
    ]
-    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
-  }
-
-  rule {
-    api_groups = ["rbac.authorization.k8s.io"]
-    resources = [
-      "clusterrolebindings",
-      "clusterroles",
-      "rolebindings",
-      "roles",
-    ]
-    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
-  }
-
-  rule {
-    api_groups = ["policy"]
-    resources = [
-      "podsecuritypolicies",
-    ]
-    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
-  }
-
-  rule {
-    api_groups = ["traefik.containo.us"]
-    resources = [
-      "ingressroutes",
-      "ingressroutetcps",
-      "ingressrouteudps",
-      "middlewares",
-      "middlewaretcps",
-      "serverstransports",
-      "tlsoptions",
-      "tlsstores",
-      "traefikservices",
-    ]
-    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }
 }
--- a/kube-state-metrics.tf
+++ b/kube-state-metrics.tf
@@ -1,35 +0,0 @@
-resource "helm_release" "kube_state_metrics" {
-  name      = "kube-state-metrics"
-  namespace = "kube-system"
-
-  repository = "https://prometheus-community.github.io/helm-charts"
-  chart      = "kube-state-metrics"
-  version    = "4.13.0"
-
-  values = [
-    jsonencode({
-      rbac = {
-        create         = true
-        useClusterRole = true
-      }
-      serviceAccount = {
-        create = true
-      }
-      podSecurityPolicy = {
-        enabled = false
-      }
-    }),
-    jsonencode({
-      autosharding = {
-        enabled = false
-      }
-    }),
-    jsonencode({
-      customLabels = {
-        "prometheus.io/scrape" = "true"
-        "prometheus.io/port"   = "8080"
-        "prometheus.io/scheme" = "http"
-      }
-    }),
-  ]
-}
--- a/locals.tf
+++ b/locals.tf
@@ -3,7 +3,6 @@ locals {
  kubernetes_server  = "https://nat.lawndale:6443"
  kubernetes_version = "1.23.5"
  cluster_dns        = "10.32.0.10"
-  traefik_namespace  = "traefik"

  bootstrap_token = "${random_password.bootstrap_token_id.result}.${random_password.bootstrap_token_secret.result}"

@@ -39,13 +38,4 @@ EehXHhbRmbtSZ7c4DrGeR2J0SZTyBQJfZczSGRvEiKyGNnyZlLVYKTTnV9b+aN3q
 Xw+ilWL3boYsSiqVN6SIUA==
 -----END CERTIFICATE-----
 EOM
-
-
-  lawndale_libvirt_uri_extra = join("&", [for k, v in var.lawndale_libvirt_uri_extra : format("%s=%s", urlencode(k), urlencode(v))])
-  lawndale_libvirt_uri = var.lawndale_libvirt_uri != null ? var.lawndale_libvirt_uri : format("qemu+%s://%s%s?%s",
-    var.lawndale_libvirt_uri_transport,
-    var.lawndale_libvirt_uri_userhostport,
-    var.lawndale_libvirt_uri_path,
-    local.lawndale_libvirt_uri_extra
-  )
 }
--- a/providers.tf
+++ b/providers.tf
@@ -53,7 +53,7 @@ provider "aws" {

 provider "libvirt" {
  # no-pty ssh-rsa AAAAB3.....
-  uri = local.lawndale_libvirt_uri
+  uri = "qemu+ssh://lawndale-hyper.sch.bme.hu:10022/system?sshauth=privkey"
 }

 provider "dns" {
--- a/traefik.tf
+++ b/traefik.tf
@@ -1,32 +0,0 @@
-resource "helm_release" "traefik" {
-  name             = "traefik"
-  namespace        = local.traefik_namespace
-  create_namespace = true
-
-  repository = "https://helm.traefik.io/traefik"
-  chart      = "traefik"
-
-  values = [
-    jsonencode({
-      rbac = {
-        enabled    = true
-        namespaced = false # traefik works for the whole cluster
-      }
-      podSecurityPolicy = {
-        enabled = false
-      }
-      deployment = {
-        enabled = false
-      }
-      daemonset = {
-        enabled = false
-      }
-      service = {
-        enabled = false
-      }
-      ingressroute = {
-        dashboard = { enabled = false }
-      }
-    })
-  ]
-}
--- a/variables.tf
+++ b/variables.tf
@@ -1,6 +1,7 @@
 variable "lawndale_dns_host" {
  type        = string
  description = "Address to reach lawndale internal DNS server"
+  default     = "lawndale-hyper"
 }

 variable "lawndale_dns_port" {
@@ -31,33 +32,3 @@ variable "lawndale_dns_key_algorithm" {
  description = "DNSSEC key to use sigining the NSUPDATE queries for Lawndale"
  default     = "hmac-sha256"
 }
-
-variable "lawndale_libvirt_uri" {
-  type        = string
-  description = "Libvirt URI to use accessing Lawndale hypervisor"
-  default     = null
-  nullable    = true
-}
-
-variable "lawndale_libvirt_uri_transport" {
-  type        = string
-  description = "Transport protocol (could be ssh or tls) to dial Lawndale hypervisor"
-}
-
-variable "lawndale_libvirt_uri_userhostport" {
-  type        = string
-  description = "Libvirt URI username, hostname or ip address, and port to reach lawndale hypervisor, in the format of `[username@]<hostname>[:port]`"
-  default     = "lawndale-hyper"
-}
-
-variable "lawndale_libvirt_uri_path" {
-  type        = string
-  description = "Libvirt URI path sent to the libvirt daemon"
-  default     = "/system"
-}
-
-variable "lawndale_libvirt_uri_extra" {
-  type        = map(any)
-  description = "Libvirt URI extra parameters [https://libvirt.org/uri.html#transport-configuration](See Libvirt transport configuration)"
-  default     = {}
-}
--- a/worker.tf
+++ b/worker.tf
@@ -1,7 +1,7 @@
 locals {
  pool_name       = "kubernetes-workers"
  worker_id_start = 80
-  worker_count    = 2
+  worker_count    = 1
 }

 resource "libvirt_pool" "kubernetes_workers" {