From 688c57827afd540df9896162629845abc5bf2b7f Mon Sep 17 00:00:00 2001 From: Tamas Kiss Date: Fri, 27 May 2022 04:18:54 +0200 Subject: [PATCH 01/10] ci: adding drone.yml --- .drone.yml | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .drone.yml diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..7cae839 --- /dev/null +++ b/.drone.yml 
@@ -0,0 +1,71 @@ +--- +kind: pipeline +type: kubernetes +name: Terraform root module + +environment: + TF_IN_AUTOMATION: "1" + GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no -i $${PWD}/id_rsa" + + +steps: +- name: terraform init + image: hashicorp/terraform:1.1.8 + commands: + - echo "$${CI_SSH_KEY}" | base64 -d > id_rsa + - chmod 600 id_rsa + - terraform init + environment: + CI_SSH_KEY: + from_secret: ci-ssh-key + AWS_ACCESS_KEY_ID: + from_secret: terraform-aws-key-id + AWS_SECRET_ACCESS_KEY: + from_secret: terraform-aws-secret-access-key + +- name: terraform plan + image: hashicorp/terraform:1.1.8 + commands: + - mkdir -p ~/.ssh + - cp -a id_rsa ~/.ssh/id_rsa + - terraform plan -out .tfplan + environment: + AWS_ACCESS_KEY_ID: + from_secret: terraform-aws-key-id + AWS_SECRET_ACCESS_KEY: + from_secret: terraform-aws-secret-access-key + KUBE_TOKEN: + from_secret: lawndale-k8s-ci-token + TF_VAR_lawndale_dns_key_secret: + from_secret: lawndale-dns-key-secret + TF_VAR_lawndale_dns_key_algorithm: + from_secret: lawndale-dns-key-algorithm + +- name: terraform apply + when: + branch: + - main + event: + - push + image: hashicorp/terraform:1.1.8 + commands: + - mkdir -p ~/.ssh + - cp -a id_rsa ~/.ssh/id_rsa + - terraform apply .tfplan + environment: + AWS_ACCESS_KEY_ID: + from_secret: terraform-aws-key-id + AWS_SECRET_ACCESS_KEY: + from_secret: terraform-aws-secret-access-key + KUBE_TOKEN: + from_secret: lawndale-k8s-ci-token + TF_VAR_lawndale_dns_key_secret: + from_secret: lawndale-dns-key-secret + TF_VAR_lawndale_dns_key_algorithm: + from_secret: lawndale-dns-key-algorithm + +--- +kind: signature +hmac: 290ac82203ef299b26f3ba19e69857990506229301165b94d420459c32f96af1 + +... -- 2.49.1 From 29065a4df85a7e05e952930da5b1189c296df6c8 Mon Sep 17 00:00:00 2001 
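Review bot: `GIT_SSH_COMMAND` in the top-level `environment` sets `-o StrictHostKeyChecking=no`, so every git-over-ssh fetch that `terraform init` performs accepts whichever host key it is offered, which removes the protection the key-based auth otherwise gives against a spoofed module source. Prefer committing the expected host keys and pointing ssh at them, e.g. `GIT_SSH_COMMAND: "ssh -o UserKnownHostsFile=$${PWD}/known_hosts -o StrictHostKeyChecking=yes -i $${PWD}/id_rsa"`. The same verification is switched off again for the libvirt transport in patch 05, where the generated `ci.tfvars` line sets `"no_verify"="1"`. Note also that the decoded `id_rsa` is written into the shared workspace and never removed, so it stays readable by every later step in the pipeline.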
From: Tamas Kiss Date: Fri, 27 May 2022 11:43:06 +0200 Subject: [PATCH 02/10] perm: give more permission to CI clusterrole --- ci.tf | 80 +++++++++++++++++++++++------------------------------------ 1 file changed, 31 insertions(+), 49 deletions(-) diff --git a/ci.tf b/ci.tf index a70da15..d40ce8d 100644 --- a/ci.tf +++ b/ci.tf @@ -39,17 +39,10 @@ resource "kubernetes_cluster_role" "ci_cd" { "pods", "namespaces", "secrets", + "serviceaccounts", "services", ] - verbs = [ - "create", - "delete", - "get", - "list", - "patch", - "update", - "watch", - ] + verbs = ["create", "delete", "get", "list", "patch", "update", "watch"] } rule { @@ -58,15 +51,7 @@ resource "kubernetes_cluster_role" "ci_cd" { "deployments", "replicasets", # needed for 'helm upgrade --wait' ] - verbs = [ - "create", - "delete", - "get", - "list", - "patch", - "update", - "watch", - ] + verbs = ["create", "delete", "get", "list", "patch", "update", "watch"] } rule { 
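Review bot: The first hunk adds `serviceaccounts` to a cluster-scoped rule that already carries the full verb set on `secrets` and `pods`, so this ClusterRole can read or create any secret and obtain tokens for any service account in every namespace, which in practice leaves little distance from cluster-admin. If the CI job only deploys into a known set of namespaces, a namespaced `kubernetes_role` plus `kubernetes_role_binding` per namespace would bound the blast radius; at minimum `secrets` should not sit in the cluster-wide rule. The second hunk only collapses the verb list onto one line and is fine as written. The enclosing `resource "kubernetes_cluster_role" "ci_cd"` block begins before and continues after these hunks.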
@@ -74,45 +59,42 @@ resource "kubernetes_cluster_role" "ci_cd" { resources = [ "horizontalpodautoscalers" ] - verbs = [ - "create", - "delete", - "get", - "list", - "patch", - "update", - "watch", - ] + verbs = ["create", "delete", "get", "list", "patch", "update", "watch"] } rule { api_groups = ["networking.k8s.io"] resources = [ "ingresses", - ] - verbs = [ - "create", - "delete", - "get", - "list", - "patch", - "update", - "watch", - ] - } - rule { - api_groups = ["networking.k8s.io"] - resources = [ "networkpolicies" ] - verbs = [ - "create", - "delete", - "get", - "list", - "patch", - "update", - "watch", + verbs = ["create", "delete", "get", "list", "patch", "update", "watch"] + } + + rule { + api_groups = ["apiextensions.k8s.io"] + resources = [ + "customresourcedefinitions" ] + verbs = ["create", "delete", "get", "list", "patch", "update", "watch"] + } + + rule { + api_groups = ["rbac.authorization.k8s.io"] + resources = [ + "clusterrolebindings", + "clusterroles", + "rolebindings", + "roles", + ] + verbs = ["create", "delete", "get", "list", "patch", "update", "watch"] + } + + rule { + api_groups = ["policy"] + resources = [ + "podsecuritypolicies", + ] + verbs = ["create", "delete", "get", "list", "patch", "update", "watch"] } } -- 2.49.1 From a53203645732bce34f02ca0295523356f9c44654 Mon Sep 17 00:00:00 2001 From: Tamas Kiss Date: Fri, 27 May 2022 11:47:35 +0200 Subject: [PATCH 03/10] ci: limit triggers to main and PRs --- .drone.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.drone.yml b/.drone.yml index 7cae839..ca3ac6b 100644 --- a/.drone.yml +++ b/.drone.yml @@ -6,7 +6,11 @@ name: Terraform root module environment: TF_IN_AUTOMATION: "1" GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no -i $${PWD}/id_rsa" - + +trigger: + ref: + - refs/heads/main + - refs/pull/*/head steps: - name: terraform init 
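Review bot: The new `rbac.authorization.k8s.io` rule grants `create`/`patch`/`update` on `clusterroles` and `clusterrolebindings` to the CI identity; Kubernetes' escalation check only allows it to grant permissions it already holds, but with the breadth this role now has (secrets, serviceaccounts, pods, CRDs, PSPs, RBAC) that bound excludes very little. Either document that cluster-admin-equivalent access is intended for this pipeline, or restrict the RBAC rule to the namespaced `roles`/`rolebindings` the Helm charts actually create and pin `resource_names` where the chart needs a specific ClusterRole. The `podsecuritypolicies` rule with write verbs deserves the same question, since editing PSPs changes what every other workload may do. The enclosing `resource "kubernetes_cluster_role" "ci_cd"` starts before this hunk.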
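Review bot: The new `trigger` runs the pipeline for `refs/pull/*/head` as well as `main`, and on those PR builds the `terraform plan` step (outside this hunk) still receives the AWS keys, the kube token and the DNS key via `from_secret`. Whether a fork's pull request can reach those secrets depends on each secret's pull-request setting in Drone, which this file cannot show; that setting is worth confirming, because `terraform plan` evaluates provider and data-source code taken from the PR with live credentials. If forks are not expected, a repository-level restriction makes that explicit.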
@@ -66,6 +70,6 @@ steps: --- kind: signature -hmac: 290ac82203ef299b26f3ba19e69857990506229301165b94d420459c32f96af1 +hmac: 698805937fd548b8265f65322cb6e9cd83689faeba99d3387ffb255701d53f5e ... -- 2.49.1 From bf43e01ab2b383bd9dcd143a50ba69cdda581074 Mon Sep 17 00:00:00 2001 From: Tamas Kiss Date: Fri, 27 May 2022 12:42:10 +0200 Subject: [PATCH 04/10] perm: manage nodes and daemonsets with ci --- ci.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci.tf b/ci.tf index d40ce8d..144ebc0 100644 --- a/ci.tf +++ b/ci.tf @@ -38,6 +38,7 @@ resource "kubernetes_cluster_role" "ci_cd" { "persistentvolumeclaims", "pods", "namespaces", + "nodes", "secrets", "serviceaccounts", "services", @@ -48,8 +49,10 @@ resource "kubernetes_cluster_role" "ci_cd" { rule { api_groups = ["apps"] resources = [ + "daemonsets", "deployments", "replicasets", # needed for 'helm upgrade --wait' + "statefulsets", ] verbs = ["create", "delete", "get", "list", "patch", "update", "watch"] } -- 2.49.1 From 119997e273a23daff32a360b24cbde3c45a89afd Mon Sep 17 00:00:00 2001 From: Tamas Kiss Date: Fri, 27 May 2022 12:42:39 +0200 Subject: [PATCH 05/10] ci: fixing libvirt connection --- .drone.yml | 13 ++++++------- locals.tf | 9 +++++++++ providers.tf | 2 +- variables.tf | 30 ++++++++++++++++++++++++++++++ 4 files changed, 46 insertions(+), 8 deletions(-) diff --git a/.drone.yml b/.drone.yml index ca3ac6b..dd6d5e2 100644 --- a/.drone.yml +++ b/.drone.yml @@ -6,6 +6,8 @@ name: Terraform root module environment: TF_IN_AUTOMATION: "1" GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no -i $${PWD}/id_rsa" + TF_VAR_lawndale_libvirt_uri_transport: ssh + TF_VAR_lawndale_libvirt_uri_userhostport: "192.168.253.254:10022" trigger: ref: @@ -18,6 +20,7 @@ steps: commands: - echo "$${CI_SSH_KEY}" | base64 -d > id_rsa - chmod 600 id_rsa + - echo 'lawndale_libvirt_uri_extra = {"sshauth"="privkey","keyfile"="'$${PWD}'/id_rsa","no_verify"="1"}' >> ci.tfvars - terraform init environment: CI_SSH_KEY: 
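Review bot: Adding `nodes` to the core rule hands the CI role `delete`, `patch` and `update` on every node, since the verb list is shared across all resources in that rule; a Terraform apply job rarely needs more than `get`/`list`/`watch` on nodes (labels, readiness), and write access lets it cordon, relabel or remove nodes. If a module really needs writes, moving nodes into its own `rule { ... }` with the narrower verb list keeps the grant explicit. The `daemonsets`/`statefulsets` addition in the next hunk follows the same shared-verb pattern, though those are namespaced and less sensitive. The enclosing resource block starts before these hunks.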
@@ -30,9 +33,7 @@ steps: - name: terraform plan image: hashicorp/terraform:1.1.8 commands: - - mkdir -p ~/.ssh - - cp -a id_rsa ~/.ssh/id_rsa - - terraform plan -out .tfplan + - terraform plan -var-file ci.tfvars -out .tfplan environment: AWS_ACCESS_KEY_ID: from_secret: terraform-aws-key-id @@ -53,9 +54,7 @@ steps: - push image: hashicorp/terraform:1.1.8 commands: - - mkdir -p ~/.ssh - - cp -a id_rsa ~/.ssh/id_rsa - - terraform apply .tfplan + - terraform apply -var-file ci.tfvars .tfplan environment: AWS_ACCESS_KEY_ID: from_secret: terraform-aws-key-id @@ -70,6 +69,6 @@ steps: --- kind: signature -hmac: 698805937fd548b8265f65322cb6e9cd83689faeba99d3387ffb255701d53f5e +hmac: 007cc7fc0dbdc2ae54a59dbc6c673e33e4f94831189eb3b6fd4b0b0f8adf703f ... diff --git a/locals.tf b/locals.tf index 010f0eb..f7be528 100644 --- a/locals.tf +++ b/locals.tf @@ -38,4 +38,13 @@ EehXHhbRmbtSZ7c4DrGeR2J0SZTyBQJfZczSGRvEiKyGNnyZlLVYKTTnV9b+aN3q Xw+ilWL3boYsSiqVN6SIUA== -----END CERTIFICATE----- EOM + + + lawndale_libvirt_uri_extra = join("&", [for k, v in var.lawndale_libvirt_uri_extra : format("%s=%s", urlencode(k), urlencode(v))]) + lawndale_libvirt_uri = var.lawndale_libvirt_uri != null ? var.lawndale_libvirt_uri : format("qemu+%s://%s%s?%s", + var.lawndale_libvirt_uri_transport, + var.lawndale_libvirt_uri_userhostport, + var.lawndale_libvirt_uri_path, + local.lawndale_libvirt_uri_extra + ) } \ No newline at end of file diff --git a/providers.tf b/providers.tf index e490f65..4023b18 100644 --- a/providers.tf +++ b/providers.tf @@ -53,7 +53,7 @@ provider "aws" { provider "libvirt" { # no-pty ssh-rsa AAAAB3..... - uri = "qemu+ssh://lawndale-hyper.sch.bme.hu:10022/system?sshauth=privkey" + uri = local.lawndale_libvirt_uri } provider "dns" { diff --git a/variables.tf b/variables.tf index 5db4a65..131b1f0 100644 --- a/variables.tf +++ b/variables.tf 
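Review bot: `terraform apply -var-file ci.tfvars .tfplan` in the second hunk combines a saved plan with a variables file, and Terraform 1.x refuses that combination because the plan file already records the variable values it was created with (the error is, as I recall, `Can't set variables when applying a saved plan` — confirm against 1.1.8). Keeping `-var-file ci.tfvars` on the plan step and changing the apply line to `terraform apply .tfplan` applies exactly what was planned. The `- name: terraform apply` step starts before this hunk and its `when:` guard is unchanged.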
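Review bot: In the `locals.tf` hunk, `lawndale_libvirt_uri` always appends `?` followed by `local.lawndale_libvirt_uri_extra`, so with the default empty map the computed URI ends in a bare `?` (constructed example: `qemu+ssh://lawndale-hyper/system?`), which libvirt may tolerate but which reads as a mistake in logs and state diffs. Building the query part in its own local, e.g. `lawndale_libvirt_uri_query = length(var.lawndale_libvirt_uri_extra) > 0 ? "?${local.lawndale_libvirt_uri_extra}" : ""`, and using `%s%s%s` in the `format` call avoids it. The `locals` block begins before this hunk.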
@@ -32,3 +32,33 @@ variable "lawndale_dns_key_algorithm" { description = "DNSSEC key to use sigining the NSUPDATE queries for Lawndale" default = "hmac-sha256" } + +variable "lawndale_libvirt_uri" { + type = string + description = "Libvirt URI to use accessing Lawndale hypervisor" + default = null + nullable = true +} + +variable "lawndale_libvirt_uri_transport" { + type = string + description = "Transport protocol (could be ssh or tls) to dial Lawndale hypervisor" +} + +variable "lawndale_libvirt_uri_userhostport" { + type = string + description = "Libvirt URI username, hostname or ip address, and port to reach lawndale hypervisor, in the format of `[username@][:port]`" + default = "lawndale-hyper" +} + +variable "lawndale_libvirt_uri_path" { + type = string + description = "Libvirt URI path sent to the libvirt daemon" + default = "/system" +} + +variable "lawndale_libvirt_uri_extra" { + type = map(any) + description = "Libvirt URI extra parameters [https://libvirt.org/uri.html#transport-configuration](See Libvirt transport configuration)" + default = {} +} -- 2.49.1 From e711cdf83547f8acf5035d99c2c326e957d3dc85 Mon Sep 17 00:00:00 2001 From: Tamas Kiss Date: Fri, 27 May 2022 14:32:55 +0200 Subject: [PATCH 06/10] ci: fix dns host --- .drone.yml | 3 ++- variables.tf | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.drone.yml b/.drone.yml index dd6d5e2..83fb0a5 100644 --- a/.drone.yml +++ b/.drone.yml @@ -6,6 +6,7 @@ name: Terraform root module environment: TF_IN_AUTOMATION: "1" GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no -i $${PWD}/id_rsa" + TF_VAR_lawndale_dns_host: "nat.lawndale" TF_VAR_lawndale_libvirt_uri_transport: ssh TF_VAR_lawndale_libvirt_uri_userhostport: "192.168.253.254:10022" @@ -69,6 +70,6 @@ steps: --- kind: signature -hmac: 007cc7fc0dbdc2ae54a59dbc6c673e33e4f94831189eb3b6fd4b0b0f8adf703f +hmac: e5dd07c87773ffb3b02240744e4bdde91d9338a344d0ba2d393f598aac43cdfd ... 
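Review bot: The description of `lawndale_libvirt_uri_userhostport` gives the format as `[username@][:port]`, which omits the host that the variable's name and its default `lawndale-hyper` imply; `[username@]host[:port]` matches what `locals.tf` splices into the URI. `lawndale_libvirt_uri_extra` is typed `map(any)` but every value is passed through `urlencode`, so `map(string)` would state the contract and reject non-string values at validation time rather than inside the local. The `lawndale_libvirt_uri_transport` variable has no default and so becomes a required input, which the README hunk later reflects; a sentence in its description naming the accepted values would help callers.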
diff --git a/variables.tf b/variables.tf index 131b1f0..b74fc34 100644 --- a/variables.tf +++ b/variables.tf @@ -1,7 +1,6 @@ variable "lawndale_dns_host" { type = string description = "Address to reach lawndale internal DNS server" - default = "lawndale-hyper" } variable "lawndale_dns_port" { -- 2.49.1 From d49e69634013c3a289d1590207bfd916af28b599 Mon Sep 17 00:00:00 2001 From: Tamas Kiss Date: Fri, 27 May 2022 14:49:33 +0200 Subject: [PATCH 07/10] ci: check docs and format --- .drone.yml | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index 83fb0a5..0ad36bf 100644 --- a/.drone.yml +++ b/.drone.yml @@ -68,8 +68,30 @@ steps: TF_VAR_lawndale_dns_key_algorithm: from_secret: lawndale-dns-key-algorithm +--- +kind: pipeline +type: kubernetes +name: Check docs and format + +environment: + TF_IN_AUTOMATION: "1" + +trigger: + ref: + - refs/pull/*/head + +steps: +- name: format and generate docs + image: hashicorp/terraform:1.1.8 + commands: + - apk add bash wget + - wget -q https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz -O - | tar -xz terraform-docs -C /usr/local/bin + - terraform fmt + - terraform-docs . + - git diff-index --name-status HEAD + --- kind: signature -hmac: e5dd07c87773ffb3b02240744e4bdde91d9338a344d0ba2d393f598aac43cdfd +hmac: c6554c5e7fc2c06848178745fbc97f30f1a5c652f9ad93995c901cb8cb7296e1 ... -- 2.49.1 From 0210e38c12a4f3e105895dcb6680214059933850 Mon Sep 17 00:00:00 2001 From: Tamas Kiss Date: Fri, 27 May 2022 14:56:50 +0200 Subject: [PATCH 08/10] ci: fix docs test missing exit-code --- .drone.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.drone.yml b/.drone.yml index 0ad36bf..ef3686a 100644 --- a/.drone.yml +++ b/.drone.yml 
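Review bot: The `format and generate docs` step fetches the terraform-docs tarball with `wget` and pipes it straight into `tar`, extracting into `/usr/local/bin`, so nothing beyond the TLS connection to GitHub checks that the binary is the one the project expects. Downloading to a file, comparing it against a pinned digest and only then extracting closes that gap; the digest has to come from the release you verified yourself, so the value below is a placeholder. The `steps:` list of this new pipeline continues past this hunk with the unchanged `terraform fmt`, `terraform-docs .` and `git diff-index` commands.
```yaml
  commands:
  - apk add bash wget
  - wget -q https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz -O terraform-docs.tar.gz
  - echo "<EXPECTED_SHA256_FROM_RELEASE>  terraform-docs.tar.gz" | sha256sum -c -
  - tar -xz -f terraform-docs.tar.gz -C /usr/local/bin terraform-docs
  # … unchanged: terraform fmt, terraform-docs ., git diff-index …
```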
@@ -88,10 +88,10 @@ steps: - wget -q https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz -O - | tar -xz terraform-docs -C /usr/local/bin - terraform fmt - terraform-docs . - - git diff-index --name-status HEAD + - git diff-index --exit-code --name-status HEAD --- kind: signature -hmac: c6554c5e7fc2c06848178745fbc97f30f1a5c652f9ad93995c901cb8cb7296e1 +hmac: 05ee4e191f657d959752ba19c45bb980530c49140d75dc8eef5602c2e4e80fcc ... -- 2.49.1 From 30b5be510e06c789198bf907ea3b61bec83a3441 Mon Sep 17 00:00:00 2001 From: Tamas Kiss Date: Fri, 27 May 2022 14:57:55 +0200 Subject: [PATCH 09/10] docs: update README.md --- README.md | 72 ++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 55 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index f8710ea..085feb6 100644 --- a/README.md +++ b/README.md 
@@ -93,29 +93,27 @@ The following resources are used by this module: The following input variables are required: -### [lawndale\_dns\_key\_secret](#input\_lawndale\_dns\_key\_secret) - -Description: DNSSEC key to use sigining the NSUPDATE queries for Lawndale - -Type: `string` - -### [lawndale\_dns\_port](#input\_lawndale\_dns\_port) - -Description: Port where the lawndale internal DNS server listens on - -Type: `number` - -## Optional Inputs - -The following input variables are optional (have default values): - ### [lawndale\_dns\_host](#input\_lawndale\_dns\_host) Description: Address to reach lawndale internal DNS server Type: `string` -Default: `"lawndale-hyper"` +### [lawndale\_dns\_key\_secret](#input\_lawndale\_dns\_key\_secret) + +Description: DNSSEC key to use sigining the NSUPDATE queries for Lawndale + +Type: `string` + +### [lawndale\_libvirt\_uri\_transport](#input\_lawndale\_libvirt\_uri\_transport) + +Description: Transport protocol (could be ssh or tls) to dial Lawndale hypervisor + +Type: `string` + +## Optional Inputs + +The following input variables are optional (have default values): ### [lawndale\_dns\_key\_algorithm](#input\_lawndale\_dns\_key\_algorithm) @@ -125,6 +123,14 @@ Type: `string` Default: `"hmac-sha256"` +### [lawndale\_dns\_port](#input\_lawndale\_dns\_port) + +Description: Port where the lawndale internal DNS server listens on + +Type: `number` + +Default: `53` + ### [lawndale\_dns\_transport](#input\_lawndale\_dns\_transport) Description: Port where the lawndale internal DNS server listens on 
@@ -133,6 +139,38 @@ Type: `string` Default: `"udp"` +### [lawndale\_libvirt\_uri](#input\_lawndale\_libvirt\_uri) + +Description: Libvirt URI to use accessing Lawndale hypervisor + +Type: `string` + +Default: `null` + +### [lawndale\_libvirt\_uri\_extra](#input\_lawndale\_libvirt\_uri\_extra) + +Description: Libvirt URI extra parameters [https://libvirt.org/uri.html#transport-configuration](See Libvirt transport configuration) + +Type: `map(any)` + +Default: `{}` + +### [lawndale\_libvirt\_uri\_path](#input\_lawndale\_libvirt\_uri\_path) + +Description: Libvirt URI path sent to the libvirt daemon + +Type: `string` + +Default: `"/system"` + +### [lawndale\_libvirt\_uri\_userhostport](#input\_lawndale\_libvirt\_uri\_userhostport) + +Description: Libvirt URI username, hostname or ip address, and port to reach lawndale hypervisor, in the format of `[username@][:port]` + +Type: `string` + +Default: `"lawndale-hyper"` + ## Outputs No outputs. -- 2.49.1 From 6ff0aa3ff8ce1082c7e0a191c50d1063c0b2f1ea Mon Sep 17 00:00:00 2001 From: Tamas Kiss Date: Fri, 27 May 2022 15:07:20 +0200 Subject: [PATCH 10/10] fixup: drone.yml --- .drone.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.drone.yml b/.drone.yml index ef3686a..16b8d51 100644 --- a/.drone.yml +++ b/.drone.yml @@ -88,10 +88,10 @@ steps: - wget -q https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz -O - | tar -xz terraform-docs -C /usr/local/bin - terraform fmt - terraform-docs . - - git diff-index --exit-code --name-status HEAD + - git diff --exit-code --- kind: signature -hmac: 05ee4e191f657d959752ba19c45bb980530c49140d75dc8eef5602c2e4e80fcc +hmac: c79a45ff158cd06564765a09933921a2fd9856f6c2063716d45225fc1c45c100 ... -- 2.49.1
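Review bot: `git diff --exit-code` in the last hunk only reports modifications to tracked files, so the check still passes if `terraform-docs .` writes a file that is not yet committed, and when it fails the output does not say whether formatting or docs drifted. Running `terraform fmt -check -recursive` as its own command before the docs step gives a separate, clearer failure for formatting, and a `git status --porcelain` check for empty output would also catch untracked files; whether terraform-docs creates new files here depends on its configuration, which is not part of this series.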