From f9c99d9d4c79d2d98aa043ef35bbe8f275863d66 Mon Sep 17 00:00:00 2001 From: Diego Lagos <92735530+diegolagospagopa@users.noreply.github.com> Date: Wed, 25 Sep 2024 15:24:57 +0200 Subject: [PATCH] feat: Argocd for Diego domain up and running (#135) * argocd with variable version * argocd with variable version * updated providers version * updated providers version * added workload identity * dirty changes * minor fixs * pre-commit fixs * velero workload identity * add depends_on * setup provider argocd * setup project for argocd * added app for root-diego with provider * argocd updated password loading and configuration * fix app root-diego * pre-commit fixs --------- Co-authored-by: umbcoppolabottazzi --- src/aks-platform/.terraform.lock.hcl | 28 +--- src/aks-platform/00_network.tf | 8 +- src/aks-platform/03_aks_middleware.tf | 90 +++++----- src/aks-platform/05_argocd.tf | 23 +-- src/aks-platform/README.md | 8 +- .../argocd/argocd_application_games.yaml.tpl | 64 ------- .../argocd/argocd_helm_setup_values.yaml | 3 + .../argocd/argocd_project_games.yaml.tpl | 73 -------- src/aks-platform/terraform.sh | 2 +- src/domains/diego-app/.terraform.lock.hcl | 17 ++ src/domains/diego-app/00_key_vault.tf | 10 ++ src/domains/diego-app/05_argocd.tf | 157 +++++++++++------- src/domains/diego-app/99_main.tf | 13 ++ src/domains/diego-app/99_variables.tf | 7 +- src/domains/diego-app/README.md | 11 +- ...rraform-diego.yaml => root-diego-app.yaml} | 10 +- .../projects/project-terraform-argocd.yaml | 101 ----------- .../diego-app/env/itn-dev/terraform.tfvars | 2 + 18 files changed, 234 insertions(+), 393 deletions(-) delete mode 100644 src/aks-platform/argocd/argocd_application_games.yaml.tpl delete mode 100644 src/aks-platform/argocd/argocd_project_games.yaml.tpl rename src/domains/diego-app/argocd/apps/{apps-terraform-diego.yaml => root-diego-app.yaml} (75%) delete mode 100644 src/domains/diego-app/argocd/projects/project-terraform-argocd.yaml 
diff --git a/src/aks-platform/.terraform.lock.hcl b/src/aks-platform/.terraform.lock.hcl index 65adafc8..ab1e939c 100644 --- a/src/aks-platform/.terraform.lock.hcl +++ b/src/aks-platform/.terraform.lock.hcl @@ -6,6 +6,7 @@ provider "registry.terraform.io/alekc/kubectl" { constraints = "<= 2.0.4" hashes = [ "h1:TUeUq1UdVkHTxcgq7CJWWXBrc8VEQTufmgU18qDmfGE=", + "h1:mCz0lOwNsFCZEcFf7DBSe6b4hZgn5piiy0mZDwRGUIU=", "zh:15c227886bac78c8b8827f85595648212574ec81febc39e1055e1a6bf048fe65", "zh:2211ebeeb0918dbb3587d206e32adca9e1f343a93bbffcd37d8d99bf4d8dea9a", "zh:2303836cdea12ece8dbe39c2d7d30a9378fd06e9c2ebda66cbe5e01cc096ee2e", @@ -27,6 +28,7 @@ provider "registry.terraform.io/hashicorp/azuread" { version = "2.50.0" constraints = "<= 2.50.0" hashes = [ + "h1:/G7xnO8J6f2WvVXBfd111XeKjKsw2t9Oj7WkDLu4Ygc=", "h1:9hS4fOOfMoJ769IJEmRuVbYzBPPo4TNVVCEk04Pqn14=", "zh:0eb91d177d1d868dc50c006f07fb17905318555c5c7ff56ba5a8a623415e9342", "zh:1baabaca448f4cab0cb31cbb1b564d1849a13ca4a6536d1a6f92097b88cd883d", @@ -45,8 +47,9 @@ provider "registry.terraform.io/hashicorp/azuread" { provider "registry.terraform.io/hashicorp/azurerm" { version = "3.114.0" - constraints = "~> 3.30, ~> 3.100, ~> 3.110, <= 3.114.0" + constraints = "~> 3.30, ~> 3.76, != 3.97.0, != 3.97.1, ~> 3.100, ~> 3.110, <= 3.114.0" hashes = [ + "h1:fIM8Lbg5w2m2HbETUx+aAYnTVtktETwOqnKZyVVajIo=", "h1:sP1K3rtDj2pVQqBBn50rOXe+QPFBAKRbI2uExOxnh3M=", "zh:016b6f4662d1cfcddbe968624e899c1a20c6df0ed5014cdeed19c3e945ea80ee", "zh:08448eeaaa9e9e84a2887282f9524faa2bb000fbdfcdac610c088a74e36e6911", @@ -67,6 +70,7 @@ provider "registry.terraform.io/hashicorp/helm" { version = "2.14.0" constraints = ">= 2.0.0, ~> 2.12, <= 2.14.0" hashes = [ + "h1:8Vt9264v3UE6mHLRG8yiteVl5h8ZSTkJXf1xdVLa7GA=", "h1:K8aRZTK4Eq2RacrcCviWaxDlHmeUi+M4vmBFoKAk/O0=", "zh:087a475fda3649e4b6b9aeb5f21704972f5d85c10d0bf334289b0a1b8c1a5575", "zh:1877991d976491d4e2a653a89491bd3b92123a00f442f15aa62caea8902677c7", 
@@ -87,6 +91,7 @@ provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.30.0" constraints = "~> 2.27, ~> 2.30.0, <= 2.31.0" hashes = [ + "h1:+Je5UPTWMmO4eG5ep1WfujkXQI9tDk0OsMU4olU76Bg=", "h1:z0Gy1p59XfS9MawIqCck7m2eeEEhAj6D7n8Ngglu8vE=", "zh:06531333a72fe6d2829f37a328e08a3fc4ed66226344a003b62418a834ac6c69", "zh:34480263939ef5007ce65c9f4945df5cab363f91e5260ae552bcd9f2ffeed444", @@ -108,6 +113,7 @@ provider "registry.terraform.io/hashicorp/local" { constraints = "<= 2.4.0" hashes = [ "h1:Bs7LAkV/iQTLv72j+cTMrvx2U3KyXrcVHaGbdns1NcE=", + "h1:ZUEYUmm2t4vxwzxy1BvN1wL6SDWrDxfH7pxtzX8c6d0=", "zh:53604cd29cb92538668fe09565c739358dc53ca56f9f11312b9d7de81e48fab9", "zh:66a46e9c508716a1c98efbf793092f03d50049fa4a83cd6b2251e9a06aca2acf", "zh:70a6f6a852dd83768d0778ce9817d81d4b3f073fab8fa570bff92dcb0824f732", @@ -127,6 +133,7 @@ provider "registry.terraform.io/hashicorp/null" { version = "3.2.2" constraints = "~> 3.2" hashes = [ + "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=", "h1:vWAsYRd7MjYr3adj8BVKRohVfHpWQdvkIwUQ2Jf5FVM=", "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", 
@@ -142,22 +149,3 @@ provider "registry.terraform.io/hashicorp/null" { "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", ] } - -provider "registry.terraform.io/hashicorp/random" { - version = "3.6.2" - hashes = [ - "h1:R5qdQjKzOU16TziCN1vR3Exr/B+8WGK80glLTT4ZCPk=", - "zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec", - "zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53", - "zh:37c75d15e9514556a5f4ed02e1548aaa95c0ecd6ff9af1119ac905144c70c114", - "zh:4210550a767226976bc7e57d988b9ce48f4411fa8a60cd74a6b246baf7589dad", - "zh:562007382520cd4baa7320f35e1370ffe84e46ed4e2071fdc7e4b1a9b1f8ae9b", - "zh:5efb9da90f665e43f22c2e13e0ce48e86cae2d960aaf1abf721b497f32025916", - "zh:6f71257a6b1218d02a573fc9bff0657410404fb2ef23bc66ae8cd968f98d5ff6", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:9647e18f221380a85f2f0ab387c68fdafd58af6193a932417299cdcae4710150", - "zh:bb6297ce412c3c2fa9fec726114e5e0508dd2638cad6a0cb433194930c97a544", - "zh:f83e925ed73ff8a5ef6e3608ad9225baa5376446349572c2449c0c0b3cf184b7", - "zh:fbef0781cb64de76b1df1ca11078aecba7800d82fd4a956302734999cfd9a4af", - ] -} diff --git a/src/aks-platform/00_network.tf b/src/aks-platform/00_network.tf index 06ab051b..9546ecb4 100644 --- a/src/aks-platform/00_network.tf +++ b/src/aks-platform/00_network.tf @@ -49,10 +49,10 @@ data "azurerm_public_ip" "pip_aks_outboud" { # # Dns # -# data "azurerm_private_dns_zone" "storage_account_private_dns_zone" { -# name = "privatelink.blob.core.windows.net" -# resource_group_name = data.azurerm_resource_group.vnet_core_rg.name -# } +data "azurerm_private_dns_zone" "storage_account_private_dns_zone" { + name = "privatelink.blob.core.windows.net" + resource_group_name = data.azurerm_resource_group.vnet_italy_rg.name +} data "azurerm_private_dns_zone" "internal" { name = local.internal_dns_zone_name 
diff --git a/src/aks-platform/03_aks_middleware.tf b/src/aks-platform/03_aks_middleware.tf
index 87a3190d..ea19e847 100644
--- a/src/aks-platform/03_aks_middleware.tf
+++ b/src/aks-platform/03_aks_middleware.tf
@@ -1,44 +1,46 @@
-# module "velero" {
-# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster_velero?ref=v8.34.0"
-# count = var.aks_enabled ? 1 : 0
-# backup_storage_container_name = "velero-backup"
-# subscription_id = data.azurerm_subscription.current.subscription_id
-# tenant_id = data.azurerm_subscription.current.tenant_id
-# resource_group_name = azurerm_resource_group.rg_aks_backup.name
-# prefix = "devopla"
-# aks_cluster_name = module.aks[count.index].name
-# aks_cluster_rg = azurerm_resource_group.rg_aks.name
-# location = var.location
-# use_storage_private_endpoint = true
-# private_endpoint_subnet_id = data.azurerm_subnet.private_endpoint_italy_subnet.id
-# storage_account_private_dns_zone_id = data.azurerm_private_dns_zone.storage_account_private_dns_zone.id
-#
-# advanced_threat_protection = false
-# enable_low_availability_alert = false
-#
-# tags = var.tags
-# }
-#
-# module "aks_namespace_backup" {
-# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_velero_backup?ref=v8.34.0"
-# count = var.aks_enabled ? 1 : 0
-# # required
-# backup_name = "daily-backup"
-# namespaces = ["ALL"]
-# aks_cluster_name = module.aks[count.index].name
-# cluster_id = module.aks[count.index].id
-# prefix = "devopslab"
-# rg_name = azurerm_resource_group.rg_aks.name
-# location = var.location
-#
-# # optional
-# ttl = "72h0m0s"
-# schedule = "0 3 * * *" #refers to UTC timezone
-# volume_snapshot = false
-#
-# depends_on = [
-# module.velero
-# ]
-#
-# tags = var.tags
-# }
+## Resource Group
+resource "azurerm_resource_group" "rg_velero" {
+ name = "${local.project}-velero-rg"
+ location = var.location
+ tags = var.tags
+}
+
+# Workload identity init
+module "velero_workload_identity_init" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init?ref=velero-workload-identity"
+
+ workload_identity_location = var.location
+ workload_identity_name_prefix = "velero"
+ workload_identity_resource_group_name = azurerm_resource_group.rg_velero.name
+}
+
+resource "kubernetes_namespace" "velero_namespace" {
+ metadata {
+ name = "velero"
+ }
+}
+
+# Cluster Velero + Workload identity configuration
+module "velero_aks_workload_identity" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster_velero?ref=velero-workload-identity"
+
+ prefix = var.prefix
+ location = var.location
+ subscription_id = data.azurerm_client_config.current.subscription_id
+
+ aks_cluster_name = local.aks_cluster_name
+ aks_cluster_rg = local.aks_rg_name
+ workload_identity_name = module.velero_workload_identity_init.user_assigned_identity_name
+ workload_identity_resource_group_name = azurerm_resource_group.rg_velero.name
+
+ key_vault_id = data.azurerm_key_vault.kv_core_ita.id
+
+ storage_account_resource_group_name = azurerm_resource_group.rg_velero.name
+ private_endpoint_subnet_id = azurerm_subnet.user_aks_subnet.id
+ storage_account_private_dns_zone_id = data.azurerm_private_dns_zone.storage_account_private_dns_zone.id
+ tags = {}
+
+ depends_on = [
+ kubernetes_namespace.velero_namespace
+ ]
+}
diff --git a/src/aks-platform/05_argocd.tf b/src/aks-platform/05_argocd.tf
index 2f924b58..a55fadfb 100644
--- a/src/aks-platform/05_argocd.tf
+++ b/src/aks-platform/05_argocd.tf
@@ -8,6 +8,9 @@ resource "kubernetes_namespace" "namespace_argocd" { ] } +# +# Setup ArgoCD +# resource "helm_release" "argocd" { name = "argo" chart = "https://github.com/argoproj/argo-helm/releases/download/argo-cd-${var.argocd_helm_release_version}/argo-cd-${var.argocd_helm_release_version}.tgz"
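Review bot: Both module sources in this hunk pin `?ref=velero-workload-identity`, a branch name rather than the tagged release the removed block used (`?ref=v8.34.0`), so the module code Terraform fetches can change between runs with no diff in this repository; once the branch is merged, pin a tag or commit, e.g. `source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster_velero?ref=<tagged release>"`. `velero_aks_workload_identity` also sets `tags = {}` while `rg_velero` right above it uses `var.tags`, which looks unintentional. The storage private endpoint is now placed in `azurerm_subnet.user_aks_subnet`, whereas the removed configuration used the dedicated `private_endpoint_italy_subnet`; if that subnet still exists, keeping the endpoint there would match the rest of the platform and keep node traffic and private endpoints separated.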
@@ -23,32 +26,22 @@ resource "helm_release" "argocd" { ] } -resource "random_password" "argocd_admin_password" { - length = 12 - special = true - override_special = "_%@" - - depends_on = [helm_release.argocd] +data "azurerm_key_vault_secret" "argocd_admin_password" { + key_vault_id = data.azurerm_key_vault.kv_core_ita.id + name = "argocd-admin-password" } resource "null_resource" "argocd_change_admin_password" { triggers = { - helm_revision = helm_release.argocd.metadata[0].revision, - argocd_password = random_password.argocd_admin_password.result + argocd_password = data.azurerm_key_vault_secret.argocd_admin_password.value } provisioner "local-exec" { - command = "kubectl -n argocd patch secret argocd-secret -p '{\"stringData\": {\"admin.password\": \"${bcrypt(random_password.argocd_admin_password.result)}\", \"admin.passwordMtime\": \"'$(date +%FT%T%Z)'\"}}'" + command = "kubectl -n argocd patch secret argocd-secret -p '{\"stringData\": {\"admin.password\": \"${bcrypt(data.azurerm_key_vault_secret.argocd_admin_password.value)}\", \"admin.passwordMtime\": \"'$(date +%FT%T%Z)'\"}}'" } } -resource "azurerm_key_vault_secret" "argocd_admin_password" { - key_vault_id = data.azurerm_key_vault.kv_core_ita.id - name = "argocd-admin-password" - value = random_password.argocd_admin_password.result -} - resource "azurerm_key_vault_secret" "argocd_admin_username" { key_vault_id = data.azurerm_key_vault.kv_core_ita.id name = "argocd-admin-username" diff --git a/src/aks-platform/README.md b/src/aks-platform/README.md index c43e254d..5bdb3f13 100644 --- a/src/aks-platform/README.md +++ b/src/aks-platform/README.md 
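Review bot: Removing `azurerm_key_vault_secret.argocd_admin_password` and reading the same name back through a data source turns the password into an out-of-band precondition: a plan against a vault where `argocd-admin-password` does not yet exist fails, and nothing in the hunk or the README says who creates it. A comment above the data source such as `# argocd-admin-password is no longer generated here: create it in kv_core_ita before the first apply` would cover that. The `triggers` block also drops `helm_revision`, so a chart upgrade that re-renders `argocd-secret` would no longer re-run the password patch; if the chart can reset that secret, keep both triggers. Note too that the plaintext password still sits in the state file through the data source and the `triggers` map, and the `bcrypt()` hash is passed on the `kubectl` command line — unchanged from before, but worth a line in the README now that the secret is managed by hand.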
@@ -49,18 +49,20 @@ Re-enable all the resource, commented before to complete the procedure | [keda\_workload\_identity\_configuration](#module\_keda\_workload\_identity\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration | workload-identity-fix-config | | [keda\_workload\_identity\_init](#module\_keda\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | v8.42.1 | | [nginx\_ingress](#module\_nginx\_ingress) | terraform-module/release/helm | 2.7.0 | +| [velero\_aks\_workload\_identity](#module\_velero\_aks\_workload\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster_velero | velero-workload-identity | +| [velero\_workload\_identity\_init](#module\_velero\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | velero-workload-identity | ## Resources | Name | Type | |------|------| -| [azurerm_key_vault_secret.argocd_admin_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.argocd_admin_username](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_kubernetes_cluster_node_pool.spot_node_pool](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool) | resource | | [azurerm_kubernetes_cluster_node_pool.user_nodepool_default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool) | resource | | [azurerm_private_dns_a_record.argocd_ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | | 
[azurerm_resource_group.rg_aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.rg_aks_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_resource_group.rg_velero](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_role_assignment.aks_to_acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | [azurerm_role_assignment.keda_monitoring_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | [azurerm_role_assignment.managed_identity_operator_vs_aks_managed_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | 
@@ -81,9 +83,9 @@ Re-enable all the resource, commented before to complete the procedure | [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_namespace.monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_namespace.namespace_argocd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.velero_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [null_resource.argocd_change_admin_password](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [null_resource.create_vnet_core_aks_link](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | -| [random_password.argocd_admin_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | | [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | 
@@ -94,10 +96,12 @@ Re-enable all the resource, commented before to complete the procedure | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | | [azurerm_container_registry.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/container_registry) | data source | | [azurerm_key_vault.kv_core_ita](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | +| [azurerm_key_vault_secret.argocd_admin_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_log_analytics_workspace.log_analytics_workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source | | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | | [azurerm_private_dns_zone.internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | +| [azurerm_private_dns_zone.storage_account_private_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | | [azurerm_public_ip.pip_aks_outboud](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/public_ip) | data source | | [azurerm_resource_group.rg_monitor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | | [azurerm_resource_group.vnet_core_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source 
| diff --git a/src/aks-platform/argocd/argocd_application_games.yaml.tpl b/src/aks-platform/argocd/argocd_application_games.yaml.tpl deleted file mode 100644 index c7e0984d..00000000 --- a/src/aks-platform/argocd/argocd_application_games.yaml.tpl +++ /dev/null 
@@ -1,64 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: games - namespace: argocd - labels: - argo-project: "argo-${namespace}" - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: "${namespace}" - - source: - repoURL: "${deployment_repo_url}" - targetRevision: "${target_revision}" - path: argocd - - helm: - valueFiles: - - values.yaml - parameters: - ### SERVICE - - name: foo - value: "bar" - forceString: true - - - # Destination cluster and namespace to deploy the application - destination: - server: https://kubernetes.default.svc - namespace: "${namespace}" - - # Sync policy - syncPolicy: - automated: # automated sync by default retries failed attempts 5 times with following delays between attempts ( 5s, 10s, 20s, 40s, 80s ); retry controlled using `retry` field. - prune: true # Specifies if resources should be pruned during auto-syncing ( false by default ). - selfHeal: true # Specifies if partial app sync should be executed when resources are changed only in target Kubernetes cluster and no git change detected ( false by default ). - allowEmpty: false # Allows deleting all application resources during automatic syncing ( false by default ). - syncOptions: # Sync options which modifies sync behavior - - Validate=false # disables resource validation (equivalent to 'kubectl apply --validate=false') ( true by default ). - - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster. - - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan. - - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation - # The retry feature is available since v1.7 - retry: - limit: 5 # number of failed sync attempt retries; unlimited number of attempts if less than 0 - backoff: - duration: 5s # the amount to back off. 
Default unit is seconds, but could also be a duration (e.g. "2m", "1h") - factor: 2 # a factor to multiply the base duration after each failed retry - maxDuration: 3m # the maximum amount of time allowed for the backoff strategy - - # Will ignore differences between live and desired states during the diff. Note that these configurations are not - # used during the sync process. - ignoreDifferences: - # for the specified json pointers - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - # for the specified managedFields managers - - group: "*" - kind: "*" - managedFieldsManagers: - - kube-controller-manager diff --git a/src/aks-platform/argocd/argocd_helm_setup_values.yaml b/src/aks-platform/argocd/argocd_helm_setup_values.yaml index 8407f836..8c4ff9e4 100644 --- a/src/aks-platform/argocd/argocd_helm_setup_values.yaml +++ b/src/aks-platform/argocd/argocd_helm_setup_values.yaml @@ -30,3 +30,6 @@ repoServer: replicas: 1 applicationSet: replicas: 1 +configs: + cm: + timeout.reconciliation: 30s diff --git a/src/aks-platform/argocd/argocd_project_games.yaml.tpl b/src/aks-platform/argocd/argocd_project_games.yaml.tpl deleted file mode 100644 index f67916b2..00000000 --- a/src/aks-platform/argocd/argocd_project_games.yaml.tpl +++ /dev/null 
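Review bot: The new `timeout.reconciliation: 30s` in `argocd_helm_setup_values.yaml` shortens the application refresh interval well below the ArgoCD default of 180s without saying why, and every Application on this instance will now poll its repository at that rate. A comment above the key, such as `# refresh apps every 30s instead of the 180s default; revert or add a git webhook if repo-server load or GitHub rate limits become a problem`, would record the intent. Whether 30s is acceptable depends on how many applications the instance will host, which the hunk does not show.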
@@ -1,73 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: "${project_name}" - namespace: argocd - # Finalizer that ensures that project is not deleted until it is not referenced by any application - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - # - description: This project hosts ${project_name} related deployments. - - sourceRepos: - - '${deployment_repo_url}' - - # Only permit applications to deploy to namespaces in the same cluster - destinations: - - server: "https://kubernetes.default.svc" - namespace: "${namespace}" - #needed to install applications - - server: "https://kubernetes.default.svc" - namespace: "argocd" - - clusterResourceWhitelist: - - group: '*' - kind: Namespace - - group: '*' - kind: CustomResourceDefinition - - group: '*' - kind: ClusterRole - - group: '*' - kind: ClusterRoleBinding - - group: '*' - kind: ClusterIssuer - - group: '*' - kind: PersistentVolume - - group: admissionregistration.k8s.io - kind: ValidatingWebhookConfiguration - - # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy - namespaceResourceBlacklist: - - group: '' - kind: ResourceQuota - - group: '' - kind: LimitRange - - group: '' - kind: NetworkPolicy - - # # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet - # namespaceResourceWhitelist: - # - group: 'apps' - # kind: Deployment - # - group: 'apps' - # kind: StatefulSet - - # Enables namespace orphaned resource monitoring. - orphanedResources: - warn: false - - roles: - # A role which provides read-only access to all applications in the project - - name: read-only - description: Read-only privileges to infrastructure - policies: - - p, proj:${project_name}:read-only, applications, get, ${project_name}/*, allow - groups: - - my-oidc-group - - # A role which provides sync privileges to all applications, e.g. 
to provide sync privileges to a CI system - - name: ci-role - description: Sync privileges for infrastructure - policies: - - p, proj:${project_name}:cd-role, applications, sync, ${project_name}/*, allow diff --git a/src/aks-platform/terraform.sh b/src/aks-platform/terraform.sh index 5a66e9ea..165ae703 120000 --- a/src/aks-platform/terraform.sh +++ b/src/aks-platform/terraform.sh @@ -1 +1 @@ -scripts/terraform.sh \ No newline at end of file +../../scripts/terraform.sh \ No newline at end of file diff --git a/src/domains/diego-app/.terraform.lock.hcl b/src/domains/diego-app/.terraform.lock.hcl index 81b4f241..cfac28fc 100644 --- a/src/domains/diego-app/.terraform.lock.hcl +++ b/src/domains/diego-app/.terraform.lock.hcl @@ -119,3 +119,20 @@ provider "registry.terraform.io/hashicorp/null" { "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", ] } + +provider "registry.terraform.io/oboukili/argocd" { + version = "6.1.1" + constraints = "<= 6.1.1" + hashes = [ + "h1:Mt1kOLqObTO7531rGV6kSkILcYS2mgoV3PrVmdb4Vs8=", + "zh:0eeb24ae36d29296e0e4fd0bbaa90bbbb051d6894e1920fe960cb73bf60d68b4", + "zh:4b842983692ff7bc2c40c74feccb902718c59f536fc376ab4d646178ef325b0e", + "zh:576640a6cbba7dfd20ac5399c47b2eb0d25a42c6aa23cf1c00ceb2bc32873a46", + "zh:76a5a1f0c5d2c4b97f51211c14f2abe3bb9ef7e855d44501bf7f661fab31dd55", + "zh:797c14187b2afad3d12a071c002a3ba20366777cecab2e3664cb7cb160658563", + "zh:9f1bb4ee552bc027a54ff99f68b867f76e0567761fe3703d9b7606464ad74276", + "zh:bec504dd356e9b15be2a737a54bdeaebab11c0c23b50d3fc22d01f8d3a4de086", + "zh:c89d3d174b7ef463b0c79e6d5f691a63c9a71973e3e460b8f319e9d6672f15b3", + "zh:d0b410bf208fdb818897109543de7ebcafe479b8de5e7af05a8b0cd5449b4edf", + ] +} diff --git a/src/domains/diego-app/00_key_vault.tf b/src/domains/diego-app/00_key_vault.tf index b3bcd57e..0a77453c 100644 --- a/src/domains/diego-app/00_key_vault.tf +++ b/src/domains/diego-app/00_key_vault.tf 
@@ -2,3 +2,13 @@ data "azurerm_key_vault" "kv_domain" {
 name = local.key_vault_domain_name
 resource_group_name = local.key_vault_domain_resource_group
 }
+
+data "azurerm_key_vault_secret" "argocd_admin_username" {
+ name = "argocd-admin-username"
+ key_vault_id = data.azurerm_key_vault.kv_domain.id
+}
+
+data "azurerm_key_vault_secret" "argocd_admin_password" {
+ name = "argocd-admin-password"
+ key_vault_id = data.azurerm_key_vault.kv_domain.id
+}
diff --git a/src/domains/diego-app/05_argocd.tf b/src/domains/diego-app/05_argocd.tf
index 7b15bf9c..c4adc3e6 100644
--- a/src/domains/diego-app/05_argocd.tf
+++ b/src/domains/diego-app/05_argocd.tf
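Review bot: The two new data sources read `argocd-admin-username` and `argocd-admin-password` from `kv_domain`, while the platform stack in this same commit writes the username to `kv_core_ita` and reads the password from there; unless the two names resolve to the same vault, someone has to copy both secrets into the domain vault and keep them aligned, and neither this hunk nor the domain README records that. A comment on the block, e.g. `# copied by hand from kv_core_ita (see src/aks-platform/05_argocd.tf); rotate both together`, would make the dependency visible. Because these are the instance-wide admin credentials, read access to `kv_domain` now equals full ArgoCD admin, which is worth stating next to the data sources as well.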
@@ -1,72 +1,111 @@ # # Terraform argocd project # -resource "kubernetes_manifest" "argocd_project_terraform" { - manifest = yamldecode(templatefile("${path.module}/argocd/projects/project-terraform-argocd.yaml", {})) - field_manager { - # set the name of the field manager - name = "argocd" - - # force field manager conflicts to be overridden - force_conflicts = true +resource "argocd_project" "project" { + metadata { + name = "${var.domain}-project" + namespace = "argocd" + labels = { + acceptance = "true" + } } -} -# data "kubernetes_secret_v1" "example" { -# metadata { -# name = "example-secret" -# namespace = "argocd" -# } -# binary_data = { -# "keystore.p12" = "" -# another_field = "" -# } -# } -# -# $2a$10$spTFkPoQd.spcen9xT1tq.aMJ4O9fgH6q.r9c2sLLmwYIMWvgRyw. -# -# $(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo) -# -# -# resource "null_resource" "argocd_create_app" { -# provisioner "local-exec" { -# command = "argocd app create guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --directory-recurse -# " -# } -# } + spec { + description = "${var.domain}-project" + source_namespaces = ["argocd"] + source_repos = ["*"] -# -# APPS Diego deploy -# -resource "kubernetes_manifest" "argocd_app_diego" { - manifest = yamldecode(templatefile("${path.module}/argocd/apps/apps-terraform-diego.yaml", { - NAME : "domain-diego-deploy" - ARGOCD_PROJECT_NAME : "terraform-argocd-project" - WORKLOAD_IDENTITY_CLIENT_ID : module.workload_identity.workload_identity_client_id - GIT_REPO_URL : "https://github.com/diegolagospagopa/devopslab-diego-deploy" - GIT_TARGET_REVISION : "init-charts" - HELM_PATH : "helm/dev" - NAMESPACE : var.domain - DOMAIN : var.domain - })) -} + destination { + server = "https://kubernetes.default.svc" + namespace = var.domain + } + destination { + server = "https://kubernetes.default.svc" + 
namespace = "argocd" + } + # cluster_resource_blacklist { + # group = "*" + # kind = "*" + # } -# -# APPS Showcase -# -resource "kubernetes_manifest" "argocd_app_status_standalone" { - count = var.argocd_showcase_enabled ? 1 : 0 - manifest = yamldecode(templatefile("${path.module}/argocd/apps/app-status-standalone.yaml", {})) -} + cluster_resource_whitelist { + group = "*" + kind = "*" + } + + namespace_resource_whitelist { + group = "*" + kind = "*" + } + + orphaned_resources { + warn = true + } -resource "kubernetes_manifest" "argocd_apps_ok" { - count = var.argocd_showcase_enabled ? 1 : 0 - manifest = yamldecode(templatefile("${path.module}/argocd/apps/apps-terraform-ok.yaml", {})) + # role { + # name = "anotherrole" + # policies = [ + # "p, proj:myproject:testrole, applications, get, myproject/*, allow", + # "p, proj:myproject:testrole, applications, sync, myproject/*, deny", + # ] + # } + } } -resource "kubernetes_manifest" "argocd_broken_apps" { - count = var.argocd_showcase_enabled ? 
1 : 0 - manifest = yamldecode(templatefile("${path.module}/argocd/apps/apps-terraform-broken.yaml", {})) +# Helm application +resource "argocd_application" "root_diego_app" { + metadata { + name = "root-${var.domain}-app" + namespace = "argocd" + labels = { + name : "root-${var.domain}-app" + domain : var.domain + } + } + + cascade = true + wait = true + + spec { + project = argocd_project.project.metadata[0].name + destination { + server = "https://kubernetes.default.svc" + namespace = var.domain + } + + source { + repo_url = "https://github.com/diegolagospagopa/devopslab-diego-deploy" + target_revision = "main" + path = "helm/dev" + helm { + values = yamlencode({ + _argocdProjectName : argocd_project.project.metadata[0].name + _argocdProjectName1 : argocd_project.project.metadata[0].name + _azureWorkloadIdentityClientId : module.workload_identity.workload_identity_client_id + _gitRepoUrl : "https://github.com/diegolagospagopa/devopslab-diego-deploy" + _gitTargetRevision : "main" + _helmPath : "helm/dev" + }) + } + } + + sync_policy { + automated { + prune = true + self_heal = false + allow_empty = false + } + + retry { + backoff { + duration = "5s" + factor = "2" + max_duration = "3m0s" + } + limit = "5" + } + } + } } diff --git a/src/domains/diego-app/99_main.tf b/src/domains/diego-app/99_main.tf index 5ed86800..32092f37 100644 --- a/src/domains/diego-app/99_main.tf +++ b/src/domains/diego-app/99_main.tf @@ -23,6 +23,10 @@ terraform { local = { source = "hashicorp/local" } + argocd = { + source = "oboukili/argocd" + version = "<= 6.1.1" + } } backend "azurerm" {} @@ -45,3 +49,12 @@ provider "helm" { config_path = "${var.k8s_kube_config_path_prefix}/config-${local.aks_name}" } } + +provider "argocd" { + server_addr = var.argocd_server_addr + username = data.azurerm_key_vault_secret.argocd_admin_username.value + password = data.azurerm_key_vault_secret.argocd_admin_password.value + kubernetes { + config_context = "config-${local.aks_name}" + } +} 
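Review bot: `argocd_project.project` sets `source_repos = ["*"]` and both `cluster_resource_whitelist` and `namespace_resource_whitelist` to `group = "*"`, `kind = "*"`, so any Application placed in this project may deploy from any repository and create any cluster-scoped object (ClusterRoleBindings, CRDs, webhook configurations), which is as wide as a project can be and drops the guardrail an AppProject exists to provide. The only repository used in this hunk is the one in `argocd_application.root_diego_app`, so `source_repos = ["https://github.com/diegolagospagopa/devopslab-diego-deploy"]` would already close most of that, and the cluster kinds could start from the enumerated list in the deleted `argocd_project_games.yaml.tpl`. `labels = { acceptance = "true" }` on the project and the duplicated `_argocdProjectName1` helm value look like leftovers from provider examples and debugging; dropping them, or noting why they exist, would help the next reader.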
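Review bot: `provider "argocd"` in the second `99_main.tf` hunk authenticates with the instance-wide admin username and password, so this domain's Terraform run (and every principal able to read `kv_domain`) can change any project or application on the ArgoCD server, not just `${var.domain}-project`. A dedicated local account limited by ArgoCD RBAC to this project, passed through the provider's `auth_token` argument instead of `username`/`password`, would bound what a leaked credential can do; a comment explaining why admin is used in this lab environment would be the minimum. The `kubernetes { config_context = ... }` block may be dead configuration here — as far as I recall the provider only consults it in port-forward mode — so either confirm it is needed or drop it.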
diff --git a/src/domains/diego-app/99_variables.tf b/src/domains/diego-app/99_variables.tf index 49074f08..a9e853e2 100644 --- a/src/domains/diego-app/99_variables.tf +++ b/src/domains/diego-app/99_variables.tf @@ -28,7 +28,7 @@ locals { # # ARGOCD # - argocd_url = "argocd.internal.devopslab.pagopa.it" + argocd_server_addr = "argocd.internal.devopslab.pagopa.it" # # KeyVault @@ -205,3 +205,8 @@ variable "argocd_showcase_enabled" { description = "Enable or not app for showcase" default = false } + +variable "argocd_server_addr" { + type = string + description = "ArgoCD hostname" +} diff --git a/src/domains/diego-app/README.md b/src/domains/diego-app/README.md index afb7efd5..b313b01e 100644 --- a/src/domains/diego-app/README.md +++ b/src/domains/diego-app/README.md @@ -4,6 +4,7 @@ | Name | Version | |------|---------| +| [argocd](#requirement\_argocd) | <= 6.1.1 | | [azuread](#requirement\_azuread) | <= 2.47.0 | | [azurerm](#requirement\_azurerm) | ~> 3.110 | | [helm](#requirement\_helm) | <= 2.12.1 | 
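Review bot: The first `99_variables.tf` hunk renames the local to `argocd_server_addr` while the second hunk adds a `variable "argocd_server_addr"` with the same name and purpose, so the hostname now has two sources of truth: `provider "argocd"` reads `var.argocd_server_addr`, and whatever still reads `local.argocd_server_addr` (its consumers are outside these hunks) can drift from it. Either derive one from the other, e.g. `argocd_server_addr = var.argocd_server_addr` inside `locals`, or drop the local. The new variable also has no `default` and no `validation` block, so a missing tfvars entry only surfaces as an interactive prompt or a plan error rather than a clear message.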
@@ -23,17 +24,14 @@ | Name | Type | |------|------| +| [argocd_application.root_diego_app](https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/application) | resource | +| [argocd_project.project](https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/project) | resource | | [azurerm_key_vault_secret.aks_apiserver_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.app_insights_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.azure_devops_sa_cacrt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.azure_devops_sa_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_private_dns_a_record.itn_diego_ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | | [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_manifest.argocd_app_diego](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | -| [kubernetes_manifest.argocd_app_status_standalone](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | -| [kubernetes_manifest.argocd_apps_ok](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | -| [kubernetes_manifest.argocd_broken_apps](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | -| 
[kubernetes_manifest.argocd_project_terraform](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | | [kubernetes_namespace.domain_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_namespace.system_domain_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_role_binding.deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | @@ -47,6 +45,8 @@ | [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | | [azurerm_key_vault.kv_domain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | +| [azurerm_key_vault_secret.argocd_admin_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | +| [azurerm_key_vault_secret.argocd_admin_username](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_kubernetes_cluster.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source | | [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source | | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | 
@@ -64,6 +64,7 @@ |------|-------------|------|---------|:--------:| | [aks\_name](#input\_aks\_name) | AKS cluster name | `string` | n/a | yes | | [aks\_resource\_group\_name](#input\_aks\_resource\_group\_name) | AKS cluster resource name | `string` | n/a | yes | +| [argocd\_server\_addr](#input\_argocd\_server\_addr) | ArgoCD hostname | `string` | n/a | yes | | [argocd\_showcase\_enabled](#input\_argocd\_showcase\_enabled) | Enable or not app for showcase | `bool` | `false` | no | | [cidr\_subnet\_container\_apps](#input\_cidr\_subnet\_container\_apps) | Subnet for container apps in diego domain | `list(string)` | n/a | yes | | [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns subdomain. | `string` | `null` | no | diff --git a/src/domains/diego-app/argocd/apps/apps-terraform-diego.yaml b/src/domains/diego-app/argocd/apps/root-diego-app.yaml similarity index 75% rename from src/domains/diego-app/argocd/apps/apps-terraform-diego.yaml rename to src/domains/diego-app/argocd/apps/root-diego-app.yaml index 08ff3fea..6437fca1 100644 --- a/src/domains/diego-app/argocd/apps/apps-terraform-diego.yaml +++ b/src/domains/diego-app/argocd/apps/root-diego-app.yaml @@ -22,10 +22,12 @@ spec: path: ${HELM_PATH} helm: valuesObject: - azureWorkloadIdentityClientId: ${WORKLOAD_IDENTITY_CLIENT_ID} - gitRepoUrl: ${GIT_REPO_URL} - gitTargetRevision: ${GIT_TARGET_REVISION} - helmPath: ${HELM_PATH} + _argocdProjectName: ${ARGOCD_PROJECT_NAME} + _argocdProjectName1: ${ARGOCD_PROJECT_NAME} + _azureWorkloadIdentityClientId: ${WORKLOAD_IDENTITY_CLIENT_ID} + _gitRepoUrl: ${GIT_REPO_URL} + _gitTargetRevision: ${GIT_TARGET_REVISION} + _helmPath: ${HELM_PATH} ciao: pippo destination: server: 'https://kubernetes.default.svc' diff --git a/src/domains/diego-app/argocd/projects/project-terraform-argocd.yaml b/src/domains/diego-app/argocd/projects/project-terraform-argocd.yaml deleted file mode 100644 index 97386289..00000000 
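Review bot: `_argocdProjectName1: ${ARGOCD_PROJECT_NAME}` duplicates `_argocdProjectName` with the identical value, which reads as a leftover from debugging rather than an intentional second input; the same pair is repeated in the `helm.values` block of the new `argocd_application` resource, so if the chart genuinely needs both keys a comment explaining why should accompany both, otherwise the `1` variant should be dropped. The `ciao: pippo` context line is likewise a placeholder that now ships into the chart's values. Since `05_argocd.tf` now builds the Application directly with `argocd_application`, it is not clear from this diff whether this template is still rendered anywhere — if it isn't, it should be deleted rather than kept in sync by hand with the Terraform copy.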
--- a/src/domains/diego-app/argocd/projects/project-terraform-argocd.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: terraform-argocd-project - namespace: argocd - # Finalizer that ensures that project is not deleted until it is not referenced by any application - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - # Project description - description: terraform-argocd Project - - # Allow manifests to deploy from any Git repos - sourceRepos: - - '*' - - # Only permit applications to deploy to the terraform-argocd namespace in the same cluster - # Destination clusters can be identified by 'server', 'name', or both. - destinations: - - namespace: diego - server: https://kubernetes.default.svc - name: in-cluster - - namespace: argocd - server: https://kubernetes.default.svc - name: in-cluster - -# # Deny all cluster-scoped resources from being created, except for Namespace -# clusterResourceWhitelist: -# - group: '' -# kind: Namespace - - # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy - namespaceResourceBlacklist: - - group: '' - kind: ResourceQuota - - group: '' - kind: LimitRange - - group: 'networking.k8s.io/v1' - kind: NetworkPolicy - -# # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet -# namespaceResourceWhitelist: -# - group: 'apps' -# kind: Deployment -# - group: 'apps' -# kind: StatefulSet - - # Enables namespace orphaned resource monitoring. - orphanedResources: - warn: false - -# roles: -# # A role which provides read-only access to all applications in the project -# - name: read-only -# description: Read-only privileges to terraform-argocd -# policies: -# - p, proj:terraform-argocd:read-only, applications, get, terraform-argocd/*, allow -# groups: -# - my-oidc-group -# -# # A role which provides sync privileges to only the terraform-argocd-dev application, e.g. 
to provide -# # sync privileges to a CI system -# - name: ci-role -# description: Sync privileges for terraform-argocd-dev -# policies: -# - p, proj:terraform-argocd:ci-role, applications, sync, terraform-argocd/terraform-argocd-dev, allow - -# # NOTE: JWT tokens can only be generated by the API server and the token is not persisted -# # anywhere by Argo CD. It can be prematurely revoked by removing the entry from this list. -# jwtTokens: -# - iat: 1535390316 - -# # Sync windows restrict when Applications may be synced. https://argo-cd.readthedocs.io/en/stable/user-guide/sync_windows/ -# syncWindows: -# - kind: allow -# schedule: '10 1 * * *' -# duration: 1h -# applications: -# - '*-prod' -# manualSync: true -# - kind: deny -# schedule: '0 22 * * *' -# duration: 1h -# namespaces: -# - default -# - kind: allow -# schedule: '0 23 * * *' -# duration: 1h -# clusters: -# - in-cluster -# - cluster1 - - # By default, apps may sync to any cluster specified under the `destinations` field, even if they are not - # scoped to this project. Set the following field to `true` to restrict apps in this cluster to only clusters - # scoped to this project. - permitOnlyProjectScopedClusters: false - -# # When using Applications-in-any-namespace, this field determines which namespaces this AppProject permits -# # Applications to reside in. Details: https://argo-cd.readthedocs.io/en/stable/operator-manual/app-any-namespace/ -# sourceNamespaces: -# - "argocd-apps-*" diff --git a/src/domains/diego-app/env/itn-dev/terraform.tfvars b/src/domains/diego-app/env/itn-dev/terraform.tfvars index 0a4e1a50..35154ec3 100644 --- a/src/domains/diego-app/env/itn-dev/terraform.tfvars +++ b/src/domains/diego-app/env/itn-dev/terraform.tfvars @@ -54,3 +54,5 @@ tls_cert_check_helm = { image_name = "ghcr.io/pagopa/infra-ssl-check" image_tag = "v1.2.2@sha256:22f4b53177cc8891bf10cbd0deb39f60e1cd12877021c3048a01e7738f63e0f9" } + +argocd_server_addr = "argocd.internal.devopslab.pagopa.it"