Modifications for keycloak and gatekeeper OIDC

SCT-Engineering · Apr 10, 2025 · f389f8d · f389f8d
1 parent eab33e9
commit f389f8d
Show file tree

Hide file tree

Showing 9 changed files with 254 additions and 29 deletions.
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/cluster.hcl
@@ -1,21 +1,28 @@
-# lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
-
-# Set cluster specific variables. These are automatically pulled in to configure the remote state bucket in the root
-# terragrunt.hcl configuration.
 locals {
+  # Cluster specific configuration
   cluster_endpoint_public_access           = true
   cluster_name                             = "platform-test-z"
-  created_reason                           = "Terragrunt Development for CICD Delivered EKS Platform"
-  creator                                  = "luther.coleman.mcginty@census.gov"
+  cluster_mailing_list                     = "luther.coleman.mcginty@census.gov"
   eks_instance_disk_size                   = 100
   eks_ng_desired_size                      = 3
   eks_ng_max_size                          = 10
   eks_ng_min_size                          = 1
   enable_cluster_creator_admin_permissions = true
-  terraform                                = true
-  terragrunt                               = true
   tags = {
     "slim:schedule" = "8:00-17:00"
     "cluster:size"  = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
   }
+
+  # Common configuration
+  common_retry_args = {
+    commands  = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20m"]
+  }
+
+  common_dependencies = ["../eks", "../eks-config"]
+
+  common_mock_eks = {
+    cluster_name      = "mock-cluster"
+    oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+  }
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-cert-manager/terragrunt.hcl
@@ -33,7 +33,7 @@ inputs = {
   cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
   cert_manager_webhook_tag         = include.root.inputs.cert_manager_webhook_tag
   cluster_issuer_name              = include.root.inputs.cluster_issuer_name
-  cluster_mailing_list             = dependency.eks.inputs.creator
+  cluster_mailing_list             = include.root.inputs.cluster_mailing_list
   cluster_name                     = dependency.eks.outputs.cluster_name
   oidc_provider_arn                = dependency.eks.outputs.oidc_provider_arn
   profile                          = include.root.inputs.aws_profile

diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-gatekeeper/terragrunt.hcl
@@ -30,14 +30,6 @@ dependency "eks_dns" {
   }
 }
 
-# dependency "eks_grafana" {
-#   config_path                             = "../eks-grafana"
-#   mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
-#   mock_outputs = {
-#     public_endpoint = "mock.grafaba.example.com"
-#   }
-# }
-
 dependency "eks_keycloak" {
   config_path                             = "../eks-keycloak"
   mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
@@ -76,14 +68,27 @@ dependency "eks-grafana" {
   }
 }
 
+dependency "eks-kiali" {
+  config_path                             = "../eks-kiali"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    namespace       = "istio-system"
+    internal_endpoint = {
+      hostname = "kiali.telemetry.svc.cluster.local"
+      port_number = 80
+      url = "http://kiali.telemetry.svc.cluster.local:80/"
+    }
+  }
+}
+
 dependencies {
   paths = [
     "../eks",
     "../eks-dns",
     "../eks-keycloak",
     "../eks-k8s-dashboard",
     "../eks-grafana",
-    # "../eks-prometheus",
+    "../eks-kiali",
   ]
 }
 
@@ -111,4 +116,9 @@ inputs = {
   grafana_service_name       = "grafana"
   grafana_ns                 = dependency.eks-grafana.outputs.namespace
   grafana_url                = dependency.eks-grafana.outputs.internal_endpoint.url
+
+  # Kaili Gatekeeper Config 
+  kiali_service_name       = "kiali"
+  kiali_ns                 = dependency.eks-kiali.outputs.namespace
+  kiali_url                = dependency.eks-kiali.outputs.internal_endpoint.url
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-gogatekeeper/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-gogatekeeper/terragrunt.hcl.disable
@@ -0,0 +1,81 @@
+include "root" {
+  path           = find_in_parent_folders("root.hcl")
+  merge_strategy = "deep"
+  expose         = true
+}
+
+terraform {
+  # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=${include.root.inputs.release_version}"
+  source = "../../../../../../../tfmod-gogatekeeper"
+  extra_arguments "retry_lock" {
+    commands  = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20s"]
+  }
+}
+
+dependency "eks" {
+  config_path                             = "../eks"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_name      = "mock-cluster"
+    oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+  }
+}
+
+dependency "eks_dns" {
+  config_path                             = "../eks-dns"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_domain = "mock.example.com"
+  }
+}
+
+dependency "eks_grafana" {
+  config_path                             = "../eks-grafana"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    public_endpoint = "mock.grafaba.example.com"
+  }
+}
+
+dependency "eks_keycloak" {
+  config_path                             = "../eks-keycloak"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    public_endpoint = "mock.keycloak.example.com"
+    discovery_url   = "mock.keycloak.example.com/auth"
+    client_id       = "mock-client-id"
+    client_secret   = "mock-client-secret"
+  }
+}
+
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-dns",
+    "../eks-grafana",
+    "../eks-keycloak",
+    "../eks-prometheus",
+  ]
+}
+
+inputs = {
+  # Base Cluster Config
+  cluster_domain = dependency.eks_dns.outputs.cluster_domain
+  namespace      = include.root.inputs.namespaces["gogatekeeper"]
+  profile        = include.root.inputs.aws_profile
+  region         = include.root.inputs.aws_region
+
+  # Gatekeeper Config
+  gogatekeeper_tag           = include.root.inputs.gogatekeeper_tag
+  gogatekeeper_chart_version = include.root.inputs.gogatekeeper_chart_version
+  keycloak_discovery_url     = dependency.eks_keycloak.outputs.discovery_url
+
+  # Service Behind Gatekeeper Config
+  service_name        = "test-gc"
+  upstream_url        = dependency.eks_grafana.outputs.public_endpoint
+  redirection_url     = dependency.eks_grafana.outputs.public_endpoint
+  client_id           = dependency.eks_keycloak.outputs.client_id
+  client_secret       = dependency.eks_keycloak.outputs.client_secret
+  keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-grafana/terragrunt.hcl
@@ -13,6 +13,15 @@ terraform {
   }
 }
 
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-loki",
+    "../eks-prometheus",
+    "../eks-tempo"
+  ]
+}
+
 dependency "eks" {
   config_path = "../eks"
   mock_outputs = {
@@ -24,19 +33,48 @@ dependency "eks-loki" {
   config_path = "../eks-loki"
   mock_outputs = {
     rwo_storage_class = "gp3-encrypted"
+    gateway_internal_endpoint = {
+      hostname = "loki-gateway.telemetry.svc.cluster.local"
+      portNumber = "80"
+      url = "http://loki-gateway.telemetry.svc.cluster.local:80/"
+    }
+  }
+}
+
+dependency "eks-prometheus" {
+  config_path = "../eks-prometheus"
+  mock_outputs = {
+    prometheus_server_internal_endpoint = {
+      hostname    = "prometheus-server.prometheus.svc.cluster.local"
+      port_number = 9090
+      url         = "http://prometheus-server.prometheus.svc.cluster.local:9090/"
+    }
+  }
+}
+
+dependency "eks-tempo" {
+  config_path = "../eks-tempo"
+  mock_outputs = {
+    tempo_internal_endpoint = {
+      hostname = "tempo.telemetry.svc.cluster.local"
+      port_number = 4317
+      url = "http://tempo.telemetry.svc.cluster.local:4317/"
+    }
   }
 }
 
 inputs = {
   cluster_domain                = dependency.eks.inputs.vpc_domain_name
   cluster_name                  = dependency.eks.outputs.cluster_name
-  download_dashboards_image_tag = include.root.inputs.download_dashboards_image_tag
   grafana_chart_version         = include.root.inputs.grafana_chart_version
   grafana_tag                   = include.root.inputs.grafana_tag
-  init_chown_data_image_tag     = include.root.inputs.init_chown_data_image_tag
+  utilities_tag                 = include.root.inputs.utilities_tag
   profile                       = include.root.inputs.aws_profile
   public_hostname               = include.root.inputs.grafana_hostname
   region                        = include.root.inputs.aws_region
   rwo_storage_class             = dependency.eks-loki.outputs.rwo_storage_class
+  loki_endpoint                 = dependency.eks-loki.outputs.gateway_internal_endpoint.url
+  prometheus_endpoint           = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url
+  tempo_endpoint                = dependency.eks-tempo.outputs.tempo_internal_endpoint.url
   namespace                     = include.root.inputs.namespaces["grafana"]
-}
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-k8s-dashboard/terragrunt.hcl
@@ -21,18 +21,29 @@ dependency "eks" {
   }
 }
 
-dependency "eks-loki" {
-  config_path  = "../eks-loki"
-  skip_outputs = true
+dependency "eks_dns" {
+  config_path                             = "../eks-dns"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_domain = "mock.example.com"
+  }
+}
+
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-dns",
+  ]
 }
 
 inputs = {
   # datasources        = dependency.eks-loki.outputs.gateway_internal_endpoint
-  cluster_domain        = dependency.eks.inputs.vpc_domain_name
+  cluster_domain        = dependency.eks_dns.outputs.cluster_domain
   cluster_name          = dependency.eks.outputs.cluster_name
   k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
   profile               = include.root.inputs.aws_profile
   public_hostname       = include.root.inputs.dashboard_hostname
   region                = include.root.inputs.aws_region
   namespace             = include.root.inputs.namespaces["k8s-dashboard"]
+  service_name          = "dashboard"
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-keycloak/terragrunt.hcl
@@ -0,0 +1,77 @@
+include "root" {
+  path           = find_in_parent_folders("root.hcl")
+  merge_strategy = "deep"
+  expose         = true
+}
+
+terraform {
+  # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}"
+  source = "../../../../../../../tfmod-keycloak"
+  extra_arguments "retry_lock" {
+    commands  = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20s"]
+  }
+}
+
+dependency "eks" {
+  config_path                             = "../eks"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_name      = "mock-cluster"
+    oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+  }
+}
+
+dependency "eks_config" {
+  config_path                             = "../eks-config"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    rwo_storage_class = "gp3-mock"
+  }
+}
+
+dependency "eks_dns" {
+  config_path                             = "../eks-dns"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_domain = "mock.example.com"
+  }
+}
+
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-config",
+    "../eks-dns",
+    "../eks-prometheus",
+  ]
+}
+
+inputs = {
+  cluster_domain = dependency.eks_dns.outputs.cluster_domain
+  cluster_name   = dependency.eks.outputs.cluster_name
+  namespace      = include.root.inputs.namespaces["keycloak"]
+  profile        = include.root.inputs.aws_profile
+  region         = include.root.inputs.aws_region
+
+  # keycloak config
+  default_storage_class  = dependency.eks_config.outputs.rwo_storage_class
+  keycloak_chart_version = include.root.inputs.keycloak_chart_version
+  keycloak_hostname      = include.root.inputs.keycloak_hostname
+  keycloak_tag           = include.root.inputs.keycloak_tag
+  realm_email            = include.root.inputs.cluster_mailing_list
+  realm_name             = "master"
+  realm_password         = include.root.inputs.keycloak_password
+  realm_username         = include.root.inputs.keycloak_username
+  service_name           = "keycloak"
+  telemetry_namespace    = include.root.inputs.telemetry_namespace
+
+  # # Database configuration
+  keycloak_database = include.root.inputs.keycloak_database
+  keycloak_user     = include.root.inputs.keycloak_username
+  keycloak_password = include.root.inputs.keycloak_password
+
+  # Project information
+  project_name = include.root.inputs.project_name
+  tags         = include.root.inputs.tags
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-kiali/terragrunt.hcl
@@ -54,15 +54,15 @@ dependency "eks-grafana" {
       url         = "https://grafana.grafana.svc.cluster.local:80/"
     }
     namespace = "grafana"
-    public_endpoint = "https://grafana.dev.lab.csp2.census.gov:80/"
+    # public_endpoint = "https://grafana.dev.lab.csp2.census.gov:80/"
     secret_name = "grafana"
     tempo_datasource_id = "tempo"
   }
 }
 
 inputs = {
   profile             = include.root.inputs.aws_profile
-  cluster_domain      = dependency.eks.inputs.vpc_domain_name
+  cluster_domain      = "platform-test-z.dev.lab.csp2.census.gov"
   cluster_name        = dependency.eks.outputs.cluster_name
   certificate_issuer  = dependency.eks-cert-manager.outputs.cluster_issuer_name
 
@@ -76,7 +76,8 @@ inputs = {
   grafana_namespace       = dependency.eks-grafana.outputs.namespace
   grafana_secret_name     = dependency.eks-grafana.outputs.secret_name
   grafana_internal_url    = dependency.eks-grafana.outputs.internal_endpoint.url
-  grafana_public_url      = dependency.eks-grafana.outputs.public_endpoint
+  # grafana_public_url      = "https://grafana.dev.lab.csp2.census.gov" internal_endpoint
+  grafana_public_url      = "https://grafana.platform-test-z.dev.lab.csp2.census.gov"
   tempo_datasource_id     = dependency.eks-grafana.outputs.tempo_datasource_id
   tempo_internal_url      = dependency.eks-tempo.outputs.tempo_internal_endpoint.url