feat: Argocd for Diego domain up and running (#135)

* argocd with variable version * argocd with variable version * updated providers version * updated providers version * added workload identity * dirty changes * minor fixs * pre-commit fixs * velero workload identity * add depends_on * setup provider argocd * setup project for argocd * added app for root-diego with provider * argocd updated password loading and configuration * fix app root-diego * pre-commit fixs --------- Co-authored-by: umbcoppolabottazzi <umberto.coppolabottazzi@pagopa.it>
pagopa · Sep 25, 2024 · f9c99d9 · f9c99d9
1 parent fd056b0
commit f9c99d9
Show file tree

Hide file tree

Showing 18 changed files with 234 additions and 393 deletions.
diff --git a/src/aks-platform/.terraform.lock.hcl b/src/aks-platform/.terraform.lock.hcl
diff --git a/src/aks-platform/00_network.tf b/src/aks-platform/00_network.tf
@@ -49,10 +49,10 @@ data "azurerm_public_ip" "pip_aks_outboud" {
 #
 # Dns
 #
-# data "azurerm_private_dns_zone" "storage_account_private_dns_zone" {
-#   name                = "privatelink.blob.core.windows.net"
-#   resource_group_name = data.azurerm_resource_group.vnet_core_rg.name
-# }
+data "azurerm_private_dns_zone" "storage_account_private_dns_zone" {
+  name                = "privatelink.blob.core.windows.net"
+  resource_group_name = data.azurerm_resource_group.vnet_italy_rg.name
+}
 
 data "azurerm_private_dns_zone" "internal" {
   name                = local.internal_dns_zone_name

diff --git a/src/aks-platform/03_aks_middleware.tf b/src/aks-platform/03_aks_middleware.tf
@@ -1,44 +1,46 @@
-# module "velero" {
-#   source                              = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster_velero?ref=v8.34.0"
-#   count                               = var.aks_enabled ? 1 : 0
-#   backup_storage_container_name       = "velero-backup"
-#   subscription_id                     = data.azurerm_subscription.current.subscription_id
-#   tenant_id                           = data.azurerm_subscription.current.tenant_id
-#   resource_group_name                 = azurerm_resource_group.rg_aks_backup.name
-#   prefix                              = "devopla"
-#   aks_cluster_name                    = module.aks[count.index].name
-#   aks_cluster_rg                      = azurerm_resource_group.rg_aks.name
-#   location                            = var.location
-#   use_storage_private_endpoint        = true
-#   private_endpoint_subnet_id          = data.azurerm_subnet.private_endpoint_italy_subnet.id
-#   storage_account_private_dns_zone_id = data.azurerm_private_dns_zone.storage_account_private_dns_zone.id
-#
-#   advanced_threat_protection      = false
-#   enable_low_availability_alert   = false
-#
-#   tags = var.tags
-# }
-#
-# module "aks_namespace_backup" {
-#   source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_velero_backup?ref=v8.34.0"
-#   count  = var.aks_enabled ? 1 : 0
-#   # required
-#   backup_name      = "daily-backup"
-#   namespaces       = ["ALL"]
-#   aks_cluster_name = module.aks[count.index].name
-#   cluster_id       = module.aks[count.index].id
-#   prefix           = "devopslab"
-#   rg_name          = azurerm_resource_group.rg_aks.name
-#   location         = var.location
-#
-#   # optional
-#   ttl             = "72h0m0s"
-#   schedule        = "0 3 * * *" #refers to UTC timezone
-#   volume_snapshot = false
-#
-#   depends_on = [
-#     module.velero
-#   ]
-#
-#   tags = var.tags
-# }
+## Resource Group
+resource "azurerm_resource_group" "rg_velero" {
+  name     = "${local.project}-velero-rg"
+  location = var.location
+  tags     = var.tags
+}
+
+# Workload identity init
+module "velero_workload_identity_init" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init?ref=velero-workload-identity"
+
+  workload_identity_location            = var.location
+  workload_identity_name_prefix         = "velero"
+  workload_identity_resource_group_name = azurerm_resource_group.rg_velero.name
+}
+
+resource "kubernetes_namespace" "velero_namespace" {
+  metadata {
+    name = "velero"
+  }
+}
+
+# Cluster Velero + Workload identity configuration
+module "velero_aks_workload_identity" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster_velero?ref=velero-workload-identity"
+
+  prefix          = var.prefix
+  location        = var.location
+  subscription_id = data.azurerm_client_config.current.subscription_id
+
+  aks_cluster_name                      = local.aks_cluster_name
+  aks_cluster_rg                        = local.aks_rg_name
+  workload_identity_name                = module.velero_workload_identity_init.user_assigned_identity_name
+  workload_identity_resource_group_name = azurerm_resource_group.rg_velero.name
+
+  key_vault_id = data.azurerm_key_vault.kv_core_ita.id
+
+  storage_account_resource_group_name = azurerm_resource_group.rg_velero.name
+  private_endpoint_subnet_id          = azurerm_subnet.user_aks_subnet.id
+  storage_account_private_dns_zone_id = data.azurerm_private_dns_zone.storage_account_private_dns_zone.id
+  tags                                = {}
+
+  depends_on = [
+    kubernetes_namespace.velero_namespace
+  ]
+}
diff --git a/src/aks-platform/05_argocd.tf b/src/aks-platform/05_argocd.tf
@@ -8,6 +8,9 @@ resource "kubernetes_namespace" "namespace_argocd" {
   ]
 }
 
+#
+# Setup ArgoCD
+#
 resource "helm_release" "argocd" {
   name      = "argo"
   chart     = "https://github.com/argoproj/argo-helm/releases/download/argo-cd-${var.argocd_helm_release_version}/argo-cd-${var.argocd_helm_release_version}.tgz"
@@ -23,32 +26,22 @@ resource "helm_release" "argocd" {
   ]
 }
 
-resource "random_password" "argocd_admin_password" {
-  length           = 12
-  special          = true
-  override_special = "_%@"
-
-  depends_on = [helm_release.argocd]
+data "azurerm_key_vault_secret" "argocd_admin_password" {
+  key_vault_id = data.azurerm_key_vault.kv_core_ita.id
+  name         = "argocd-admin-password"
 }
 
 resource "null_resource" "argocd_change_admin_password" {
 
   triggers = {
-    helm_revision   = helm_release.argocd.metadata[0].revision,
-    argocd_password = random_password.argocd_admin_password.result
+    argocd_password = data.azurerm_key_vault_secret.argocd_admin_password.value
   }
 
   provisioner "local-exec" {
-    command = "kubectl -n argocd patch secret argocd-secret -p '{\"stringData\": {\"admin.password\":  \"${bcrypt(random_password.argocd_admin_password.result)}\", \"admin.passwordMtime\": \"'$(date +%FT%T%Z)'\"}}'"
+    command = "kubectl -n argocd patch secret argocd-secret -p '{\"stringData\": {\"admin.password\":  \"${bcrypt(data.azurerm_key_vault_secret.argocd_admin_password.value)}\", \"admin.passwordMtime\": \"'$(date +%FT%T%Z)'\"}}'"
   }
 }
 
-resource "azurerm_key_vault_secret" "argocd_admin_password" {
-  key_vault_id = data.azurerm_key_vault.kv_core_ita.id
-  name         = "argocd-admin-password"
-  value        = random_password.argocd_admin_password.result
-}
-
 resource "azurerm_key_vault_secret" "argocd_admin_username" {
   key_vault_id = data.azurerm_key_vault.kv_core_ita.id
   name         = "argocd-admin-username"

diff --git a/src/aks-platform/README.md b/src/aks-platform/README.md
@@ -49,18 +49,20 @@ Re-enable all the resource, commented before to complete the procedure
 | <a name="module_keda_workload_identity_configuration"></a> [keda\_workload\_identity\_configuration](#module\_keda\_workload\_identity\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration | workload-identity-fix-config |
 | <a name="module_keda_workload_identity_init"></a> [keda\_workload\_identity\_init](#module\_keda\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | v8.42.1 |
 | <a name="module_nginx_ingress"></a> [nginx\_ingress](#module\_nginx\_ingress) | terraform-module/release/helm | 2.7.0 |
+| <a name="module_velero_aks_workload_identity"></a> [velero\_aks\_workload\_identity](#module\_velero\_aks\_workload\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster_velero | velero-workload-identity |
+| <a name="module_velero_workload_identity_init"></a> [velero\_workload\_identity\_init](#module\_velero\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | velero-workload-identity |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [azurerm_key_vault_secret.argocd_admin_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.argocd_admin_username](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_kubernetes_cluster_node_pool.spot_node_pool](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool) | resource |
 | [azurerm_kubernetes_cluster_node_pool.user_nodepool_default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool) | resource |
 | [azurerm_private_dns_a_record.argocd_ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource |
 | [azurerm_resource_group.rg_aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.rg_aks_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.rg_velero](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_role_assignment.aks_to_acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.keda_monitoring_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.managed_identity_operator_vs_aks_managed_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
@@ -81,9 +83,9 @@ Re-enable all the resource, commented before to complete the procedure
 | [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.namespace_argocd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.velero_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [null_resource.argocd_change_admin_password](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.create_vnet_core_aks_link](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [random_password.argocd_admin_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
@@ -94,10 +96,12 @@ Re-enable all the resource, commented before to complete the procedure
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 | [azurerm_container_registry.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/container_registry) | data source |
 | [azurerm_key_vault.kv_core_ita](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
+| [azurerm_key_vault_secret.argocd_admin_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
 | [azurerm_log_analytics_workspace.log_analytics_workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
 | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
 | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
 | [azurerm_private_dns_zone.internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
+| [azurerm_private_dns_zone.storage_account_private_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
 | [azurerm_public_ip.pip_aks_outboud](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/public_ip) | data source |
 | [azurerm_resource_group.rg_monitor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.vnet_core_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |

diff --git a/src/aks-platform/argocd/argocd_application_games.yaml.tpl b/src/aks-platform/argocd/argocd_application_games.yaml.tpl
diff --git a/src/aks-platform/argocd/argocd_helm_setup_values.yaml b/src/aks-platform/argocd/argocd_helm_setup_values.yaml
@@ -30,3 +30,6 @@ repoServer:
   replicas: 1
 applicationSet:
   replicas: 1
+configs:
+  cm:
+    timeout.reconciliation: 30s