ci: fixing libvirt connection

2022-05-27 12:47:14 +02:00
8 changed files with 27 additions and 162 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -6,7 +6,6 @@ name: Terraform root module
 environment:
  TF_IN_AUTOMATION: "1"
  GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no -i $${PWD}/id_rsa"
-  TF_VAR_lawndale_dns_host: "nat.lawndale"
  TF_VAR_lawndale_libvirt_uri_transport: ssh
  TF_VAR_lawndale_libvirt_uri_userhostport: "192.168.253.254:10022"

@@ -21,7 +20,7 @@ steps:
  commands:
    - echo "$${CI_SSH_KEY}" | base64 -d > id_rsa
    - chmod 600 id_rsa
-    - echo 'lawndale_libvirt_uri_extra = {"sshauth"="privkey","keyfile"="'$${PWD}'/id_rsa","no_verify"="1"}' >> ci.tfvars
+    - echo 'lawndale_libvirt_uri_extra = {"sshauth"="privkey","keyfile"="'$${PWD}'/id_rsa","no_Verify"="1"}' >> ci.tfvars
    - terraform init
  environment:
    CI_SSH_KEY:
@@ -34,7 +33,9 @@ steps:
 - name: terraform plan
  image: hashicorp/terraform:1.1.8
  commands:
-    - terraform plan $([[ $${DRONE_BUILD_EVENT} = cron ]] && echo "-detailed-exitcode") -var-file ci.tfvars -out .tfplan
+    - mkdir -p ~/.ssh
+    - cp -a id_rsa ~/.ssh/id_rsa
+    - terraform plan -var-file ci.tfvars -out .tfplan
  environment:
    AWS_ACCESS_KEY_ID:
      from_secret: terraform-aws-key-id
@@ -55,36 +56,23 @@ steps:
    - push
  image: hashicorp/terraform:1.1.8
  commands:
-    - terraform apply .tfplan
+    - mkdir -p ~/.ssh
+    - cp -a id_rsa ~/.ssh/id_rsa
+    - terraform apply -var-file ci.tfvars .tfplan
  environment:
    AWS_ACCESS_KEY_ID:
      from_secret: terraform-aws-key-id
    AWS_SECRET_ACCESS_KEY:
      from_secret: terraform-aws-secret-access-key
---
-kind: pipeline
-type: kubernetes
-name: Check docs and format
-
-environment:
-  TF_IN_AUTOMATION: "1"
-
-trigger:
-  ref:
-    - refs/pull/*/head
-
-steps:
- name: format and generate docs
-  image: hashicorp/terraform:1.1.8
-  commands:
-    - apk add bash wget 
-    - wget -q https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz -O - | tar -xz terraform-docs -C /usr/local/bin
-    - terraform fmt
-    - terraform-docs .
-    - git diff --exit-code
+    KUBE_TOKEN:
+      from_secret: lawndale-k8s-ci-token
+    TF_VAR_lawndale_dns_key_secret:
+      from_secret: lawndale-dns-key-secret
+    TF_VAR_lawndale_dns_key_algorithm:
+      from_secret: lawndale-dns-key-algorithm

 ---
 kind: signature
-hmac: 95f8db197163e884f2eee4b14af136b9ea1e0f88f626079b4a3b38b43b91c6a8
+hmac: af59d9cab72f3df02ec380568ca3feaddcd9088f4aef91614e7d75c043772666

 ...
--- a/README.md
+++ b/README.md
@@ -69,9 +69,7 @@ Version:
 The following resources are used by this module:

 - [helm_release.coredns](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
- [helm_release.kube_state_metrics](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
 - [helm_release.metrics_server](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
- [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
 - [kubernetes_cluster_role.ci_cd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) (resource)
 - [kubernetes_cluster_role.prometheus](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) (resource)
 - [kubernetes_cluster_role_binding.auto_approve_node_csrs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) (resource)
@@ -95,28 +93,30 @@ The following resources are used by this module:

 The following input variables are required:

-### <a name="input_lawndale_dns_host"></a> [lawndale\_dns\_host](#input\_lawndale\_dns\_host)
-
-Description: Address to reach lawndale internal DNS server
-
-Type: `string`
-
 ### <a name="input_lawndale_dns_key_secret"></a> [lawndale\_dns\_key\_secret](#input\_lawndale\_dns\_key\_secret)

 Description: DNSSEC key to use sigining the NSUPDATE queries for Lawndale

 Type: `string`

-### <a name="input_lawndale_libvirt_uri_transport"></a> [lawndale\_libvirt\_uri\_transport](#input\_lawndale\_libvirt\_uri\_transport)
+### <a name="input_lawndale_dns_port"></a> [lawndale\_dns\_port](#input\_lawndale\_dns\_port)

-Description: Transport protocol (could be ssh or tls) to dial Lawndale hypervisor
+Description: Port where the lawndale internal DNS server listens on

-Type: `string`
+Type: `number`

 ## Optional Inputs

 The following input variables are optional (have default values):

+### <a name="input_lawndale_dns_host"></a> [lawndale\_dns\_host](#input\_lawndale\_dns\_host)
+
+Description: Address to reach lawndale internal DNS server
+
+Type: `string`
+
+Default: `"lawndale-hyper"`
+
 ### <a name="input_lawndale_dns_key_algorithm"></a> [lawndale\_dns\_key\_algorithm](#input\_lawndale\_dns\_key\_algorithm)

 Description: DNSSEC key to use sigining the NSUPDATE queries for Lawndale
@@ -125,14 +125,6 @@ Type: `string`

 Default: `"hmac-sha256"`

-### <a name="input_lawndale_dns_port"></a> [lawndale\_dns\_port](#input\_lawndale\_dns\_port)
-
-Description: Port where the lawndale internal DNS server listens on
-
-Type: `number`
-
-Default: `53`
-
 ### <a name="input_lawndale_dns_transport"></a> [lawndale\_dns\_transport](#input\_lawndale\_dns\_transport)

 Description: Port where the lawndale internal DNS server listens on
@@ -141,38 +133,6 @@ Type: `string`

 Default: `"udp"`

-### <a name="input_lawndale_libvirt_uri"></a> [lawndale\_libvirt\_uri](#input\_lawndale\_libvirt\_uri)
-
-Description: Libvirt URI to use accessing Lawndale hypervisor
-
-Type: `string`
-
-Default: `null`
-
-### <a name="input_lawndale_libvirt_uri_extra"></a> [lawndale\_libvirt\_uri\_extra](#input\_lawndale\_libvirt\_uri\_extra)
-
-Description: Libvirt URI extra parameters [https://libvirt.org/uri.html#transport-configuration](See Libvirt transport configuration)
-
-Type: `map(any)`
-
-Default: `{}`
-
-### <a name="input_lawndale_libvirt_uri_path"></a> [lawndale\_libvirt\_uri\_path](#input\_lawndale\_libvirt\_uri\_path)
-
-Description: Libvirt URI path sent to the libvirt daemon
-
-Type: `string`
-
-Default: `"/system"`
-
-### <a name="input_lawndale_libvirt_uri_userhostport"></a> [lawndale\_libvirt\_uri\_userhostport](#input\_lawndale\_libvirt\_uri\_userhostport)
-
-Description: Libvirt URI username, hostname or ip address, and port to reach lawndale hypervisor, in the format of `[username@]<hostname>[:port]`
-
-Type: `string`
-
-Default: `"lawndale-hyper"`
-
 ## Outputs

 No outputs.
--- a/ci.tf
+++ b/ci.tf
@@ -100,20 +100,4 @@ resource "kubernetes_cluster_role" "ci_cd" {
    ]
    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }
-
-  rule {
-    api_groups = ["traefik.containo.us"]
-    resources = [
-      "ingressroutes",
-      "ingressroutetcps",
-      "ingressrouteudps",
-      "middlewares",
-      "middlewaretcps",
-      "serverstransports",
-      "tlsoptions",
-      "tlsstores",
-      "traefikservices",
-    ]
-    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
-  }
 }
--- a/kube-state-metrics.tf
+++ b/kube-state-metrics.tf
@@ -1,35 +0,0 @@
-resource "helm_release" "kube_state_metrics" {
-  name      = "kube-state-metrics"
-  namespace = "kube-system"
-
-  repository = "https://prometheus-community.github.io/helm-charts"
-  chart      = "kube-state-metrics"
-  version    = "4.13.0"
-
-  values = [
-    jsonencode({
-      rbac = {
-        create         = true
-        useClusterRole = true
-      }
-      serviceAccount = {
-        create = true
-      }
-      podSecurityPolicy = {
-        enabled = false
-      }
-    }),
-    jsonencode({
-      autosharding = {
-        enabled = false
-      }
-    }),
-    jsonencode({
-      customLabels = {
-        "prometheus.io/scrape" = "true"
-        "prometheus.io/port"   = "8080"
-        "prometheus.io/scheme" = "http"
-      }
-    }),
-  ]
-}
--- a/locals.tf
+++ b/locals.tf
@@ -3,7 +3,6 @@ locals {
  kubernetes_server  = "https://nat.lawndale:6443"
  kubernetes_version = "1.23.5"
  cluster_dns        = "10.32.0.10"
-  traefik_namespace  = "traefik"

  bootstrap_token = "${random_password.bootstrap_token_id.result}.${random_password.bootstrap_token_secret.result}"

--- a/traefik.tf
+++ b/traefik.tf
@@ -1,32 +0,0 @@
-resource "helm_release" "traefik" {
-  name             = "traefik"
-  namespace        = local.traefik_namespace
-  create_namespace = true
-
-  repository = "https://helm.traefik.io/traefik"
-  chart      = "traefik"
-
-  values = [
-    jsonencode({
-      rbac = {
-        enabled    = true
-        namespaced = false # traefik works for the whole cluster
-      }
-      podSecurityPolicy = {
-        enabled = false
-      }
-      deployment = {
-        enabled = false
-      }
-      daemonset = {
-        enabled = false
-      }
-      service = {
-        enabled = false
-      }
-      ingressroute = {
-        dashboard = { enabled = false }
-      }
-    })
-  ]
-}
--- a/variables.tf
+++ b/variables.tf
@@ -1,6 +1,7 @@
 variable "lawndale_dns_host" {
  type        = string
  description = "Address to reach lawndale internal DNS server"
+  default     = "lawndale-hyper"
 }

 variable "lawndale_dns_port" {
--- a/worker.tf
+++ b/worker.tf
@@ -1,7 +1,7 @@
 locals {
  pool_name       = "kubernetes-workers"
  worker_id_start = 80
-  worker_count    = 2
+  worker_count    = 1
 }

 resource "libvirt_pool" "kubernetes_workers" {