From f389f8d7d6fc68e6482af27be5b986a86b9e2d62 Mon Sep 17 00:00:00 2001
From: mcgin314
Date: Thu, 10 Apr 2025 11:20:14 -0400
Subject: [PATCH] Modifications for keycloak and gatekeeper OIDC

---
 .../vpc/platform-test-z/cluster.hcl | 23 ++++-
 .../eks-cert-manager/terragrunt.hcl | 2 +-
 .../eks-gatekeeper/terragrunt.hcl | 28 ++++---
 .../eks-gogatekeeper/terragrunt.hcl.disable | 81 +++++++++++++++++++
 .../eks-grafana/terragrunt.hcl | 44 +++++++++-
 .../eks-k8s-dashboard/terragrunt.hcl | 19 ++++-
 .../eks-keycloak/terragrunt.hcl | 77 ++++++++++++++++++
 .../platform-test-z/eks-kiali/terragrunt.hcl | 7 +-
 .../vpc/platform-test-z/eks/terragrunt.hcl | 2 +-
 9 files changed, 254 insertions(+), 29 deletions(-)
 create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-gogatekeeper/terragrunt.hcl.disable
 create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-keycloak/terragrunt.hcl

diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/cluster.hcl
index 740c1ad9..f6482b19 100644
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/cluster.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-test-z/cluster.hcl
@@ -1,21 +1,28 @@
-# lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
-
-# Set cluster specific variables. These are automatically pulled in to configure the remote state bucket in the root
-# terragrunt.hcl configuration.
 locals {
+  # Cluster specific configuration
   cluster_endpoint_public_access = true
   cluster_name = "platform-test-z"
-  created_reason = "Terragrunt Development for CICD Delivered EKS Platform"
-  creator = "luther.coleman.mcginty@census.gov"
+  cluster_mailing_list = "luther.coleman.mcginty@census.gov"
   eks_instance_disk_size = 100
   eks_ng_desired_size = 3
   eks_ng_max_size = 10
   eks_ng_min_size = 1
   enable_cluster_creator_admin_permissions = true
-  terraform = true
-  terragrunt = true
   tags = {
     "slim:schedule" = "8:00-17:00"
     "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
   }
+
+  # Common configuration
+  common_retry_args = {
+    commands = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20m"]
+  }
+
+  common_dependencies = ["../eks", "../eks-config"]
+
+  common_mock_eks = {
+    cluster_name = "mock-cluster"
+    oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+  }
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-cert-manager/terragrunt.hcl
index 926da7c8..11570cf8 100644
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-cert-manager/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-cert-manager/terragrunt.hcl
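Review bot: The new `common_retry_args`, `common_dependencies` and `common_mock_eks` locals are not consumed by any module config touched in this commit — eks-keycloak and eks-gogatekeeper each declare their own `retry_lock` block with `-lock-timeout=20s` (not the `20m` set here) and repeat the mock `eks` outputs inline. Until something references these (presumably through the root include, which is outside this diff), the cluster-level values are dead and the two lock timeouts silently diverge. Either wire the new modules to these locals or add `# NOTE: not yet consumed; eks-keycloak and eks-gogatekeeper still declare their own retry_lock (20s) and eks mocks` above `# Common configuration` so the next reader does not assume they are in effect.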
@@ -33,7 +33,7 @@ inputs = {
   cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
   cert_manager_webhook_tag = include.root.inputs.cert_manager_webhook_tag
   cluster_issuer_name = include.root.inputs.cluster_issuer_name
-  cluster_mailing_list = dependency.eks.inputs.creator
+  cluster_mailing_list = include.root.inputs.cluster_mailing_list
   cluster_name = dependency.eks.outputs.cluster_name
   oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
   profile = include.root.inputs.aws_profile
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-gatekeeper/terragrunt.hcl
index 1e9606f8..b596a8ff 100644
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-gatekeeper/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-gatekeeper/terragrunt.hcl
@@ -30,14 +30,6 @@ dependency "eks_dns" {
   }
 }
 
-# dependency "eks_grafana" {
-#   config_path = "../eks-grafana"
-#   mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
-#   mock_outputs = {
-#     public_endpoint = "mock.grafaba.example.com"
-#   }
-# }
-
 dependency "eks_keycloak" {
   config_path = "../eks-keycloak"
   mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
@@ -76,6 +68,19 @@ dependency "eks-grafana" {
   }
 }
 
+dependency "eks-kiali" {
+  config_path = "../eks-kiali"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    namespace = "istio-system"
+    internal_endpoint = {
+      hostname = "kiali.telemetry.svc.cluster.local"
+      port_number = 80
+      url = "http://kiali.telemetry.svc.cluster.local:80/"
+    }
+  }
+}
+
 dependencies {
   paths = [
     "../eks",
@@ -83,7 +88,7 @@ dependencies {
     "../eks-keycloak",
     "../eks-k8s-dashboard",
     "../eks-grafana",
-    # "../eks-prometheus",
+    "../eks-kiali",
   ]
 }
 
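Review bot: The new `eks-kiali` mock is internally inconsistent: `namespace = "istio-system"` but the endpoint hostname is `kiali.telemetry.svc.cluster.local`, i.e. the `telemetry` namespace. The gatekeeper inputs feed both `kiali_ns` and `kiali_url` to the module, so a plan against these mocks exercises a namespace/host pair that cannot exist together and would not reveal a mismatch in the real outputs. Align the mock with the actual Kiali deployment — judging by the hostname, `namespace = "telemetry"` — or, if Kiali really lives in `istio-system`, fix the hostname and URL instead; the mock values are the only documentation of the output schema a reader of this file has.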
@@ -111,4 +116,9 @@ inputs = {
   grafana_service_name = "grafana"
   grafana_ns = dependency.eks-grafana.outputs.namespace
   grafana_url = dependency.eks-grafana.outputs.internal_endpoint.url
+
+  # Kaili Gatekeeper Config
+  kiali_service_name = "kiali"
+  kiali_ns = dependency.eks-kiali.outputs.namespace
+  kiali_url = dependency.eks-kiali.outputs.internal_endpoint.url
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-gogatekeeper/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-gogatekeeper/terragrunt.hcl.disable
new file mode 100644
index 00000000..5f859197
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-gogatekeeper/terragrunt.hcl.disable
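Review bot: `kiali_url` hands the gatekeeper a plaintext `http://…:80/` upstream, just as `grafana_url` does above it. That is only acceptable if traffic between the gatekeeper and Kiali is protected by the mesh (Istio is evidently present, but no mTLS/PeerAuthentication policy is visible in this diff) or the namespaces are otherwise isolated; otherwise the OIDC-authenticated session is forwarded in the clear inside the cluster. Record the assumption on the new lines, e.g. `# Kiali Gatekeeper Config — upstream is plain HTTP; relies on in-mesh mTLS between the gatekeeper and the kiali namespace`, which also fixes the "Kaili" typo in the added comment.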
@@ -0,0 +1,81 @@
+include "root" {
+  path = find_in_parent_folders("root.hcl")
+  merge_strategy = "deep"
+  expose = true
+}
+
+terraform {
+  # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=${include.root.inputs.release_version}"
+  source = "../../../../../../../tfmod-gogatekeeper"
+  extra_arguments "retry_lock" {
+    commands = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20s"]
+  }
+}
+
+dependency "eks" {
+  config_path = "../eks"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_name = "mock-cluster"
+    oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+  }
+}
+
+dependency "eks_dns" {
+  config_path = "../eks-dns"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_domain = "mock.example.com"
+  }
+}
+
+dependency "eks_grafana" {
+  config_path = "../eks-grafana"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    public_endpoint = "mock.grafaba.example.com"
+  }
+}
+
+dependency "eks_keycloak" {
+  config_path = "../eks-keycloak"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    public_endpoint = "mock.keycloak.example.com"
+    discovery_url = "mock.keycloak.example.com/auth"
+    client_id = "mock-client-id"
+    client_secret = "mock-client-secret"
+  }
+}
+
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-dns",
+    "../eks-grafana",
+    "../eks-keycloak",
+    "../eks-prometheus",
+  ]
+}
+
+inputs = {
+  # Base Cluster Config
+  cluster_domain = dependency.eks_dns.outputs.cluster_domain
+  namespace = include.root.inputs.namespaces["gogatekeeper"]
+  profile = include.root.inputs.aws_profile
+  region = include.root.inputs.aws_region
+
+  # Gatekeeper Config
+  gogatekeeper_tag = include.root.inputs.gogatekeeper_tag
+  gogatekeeper_chart_version = 
include.root.inputs.gogatekeeper_chart_version
+  keycloak_discovery_url = dependency.eks_keycloak.outputs.discovery_url
+
+  # Service Behind Gatekeeper Config
+  service_name = "test-gc"
+  upstream_url = dependency.eks_grafana.outputs.public_endpoint
+  redirection_url = dependency.eks_grafana.outputs.public_endpoint
+  client_id = dependency.eks_keycloak.outputs.client_id
+  client_secret = dependency.eks_keycloak.outputs.client_secret
+  keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint
+}
\ No newline at end of file
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-grafana/terragrunt.hcl
index cd0b9354..c360a1d7 100644
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-grafana/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-grafana/terragrunt.hcl
@@ -13,6 +13,15 @@ terraform {
   }
 }
 
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-loki",
+    "../eks-prometheus",
+    "../eks-tempo"
+  ]
+}
+
 dependency "eks" {
   config_path = "../eks"
   mock_outputs = {
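Review bot: `upstream_url` and `redirection_url` are both `dependency.eks_grafana.outputs.public_endpoint`, which defeats the proxy: if Grafana's public endpoint is reachable at all, clients can hit it directly without passing the gatekeeper, and with the proxy's OIDC callback URL equal to its own upstream the post-login redirect lands on the unprotected host. The upstream should be Grafana's in-cluster service — `upstream_url = dependency.eks_grafana.outputs.internal_endpoint.url` (eks-gatekeeper already consumes `internal_endpoint.url` from the same module, so the output exists; add it to this file's `eks_grafana` mock too) — with `redirection_url` kept as the externally reachable proxy URL and Grafana's ingress limited to the proxy. Separately, `client_secret = dependency.eks_keycloak.outputs.client_secret` moves the OIDC client secret through Terraform outputs into the state of both modules; confirm the keycloak module marks that output `sensitive = true` and that the remote state backend is encrypted and access-restricted, because state is plaintext otherwise. The pinned git `source` is commented out in favour of the relative path `../../../../../../../tfmod-gogatekeeper`, dropping the `ref=${release_version}` pin, so whatever is checked out locally is what gets applied — tolerable for a `.disable`d lab file, but it should not be re-enabled in this form.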
@@ -24,19 +33,48 @@ dependency "eks-loki" {
   config_path = "../eks-loki"
   mock_outputs = {
     rwo_storage_class = "gp3-encrypted"
+    gateway_internal_endpoint = {
+      hostname = "loki-gateway.telemetry.svc.cluster.local"
+      portNumber = "80"
+      url = "http://loki-gateway.telemetry.svc.cluster.local:80/"
+    }
+  }
+}
+
+dependency "eks-prometheus" {
+  config_path = "../eks-prometheus"
+  mock_outputs = {
+    prometheus_server_internal_endpoint = {
+      hostname = "prometheus-server.prometheus.svc.cluster.local"
+      port_number = 9090
+      url = "http://prometheus-server.prometheus.svc.cluster.local:9090/"
+    }
+  }
+}
+
+dependency "eks-tempo" {
+  config_path = "../eks-tempo"
+  mock_outputs = {
+    tempo_internal_endpoint = {
+      hostname = "tempo.telemetry.svc.cluster.local"
+      port_number = 4317
+      url = "http://tempo.telemetry.svc.cluster.local:4317/"
+    }
   }
 }
 
 inputs = {
   cluster_domain = dependency.eks.inputs.vpc_domain_name
   cluster_name = dependency.eks.outputs.cluster_name
-  download_dashboards_image_tag = include.root.inputs.download_dashboards_image_tag
   grafana_chart_version = include.root.inputs.grafana_chart_version
   grafana_tag = include.root.inputs.grafana_tag
-  init_chown_data_image_tag = include.root.inputs.init_chown_data_image_tag
+  utilities_tag = include.root.inputs.utilities_tag
   profile = include.root.inputs.aws_profile
   public_hostname = include.root.inputs.grafana_hostname
   region = include.root.inputs.aws_region
   rwo_storage_class = dependency.eks-loki.outputs.rwo_storage_class
+  loki_endpoint = dependency.eks-loki.outputs.gateway_internal_endpoint.url
+  prometheus_endpoint = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url
+  tempo_endpoint = dependency.eks-tempo.outputs.tempo_internal_endpoint.url
   namespace = include.root.inputs.namespaces["grafana"]
-}
+}
\ No newline at end of file
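Review bot: The three new mock endpoints disagree on shape: `eks-loki` uses `portNumber = "80"` (camelCase, string) while `eks-prometheus` and `eks-tempo` use `port_number = 9090` / `port_number = 4317` (snake_case, number). Only `.url` is consumed below, so plans pass either way, but the mocks are the only record of the output schema a reader has here, so make them match the real outputs — presumably `port_number = 80`. Also, if the real `tempo_internal_endpoint` mirrors the mock, `4317` is Tempo's OTLP gRPC ingest port rather than its HTTP query API, which is what Grafana needs at `tempo_endpoint`; confirm against the tempo module before relying on it. Note too that `cluster_domain` here still reads `dependency.eks.inputs.vpc_domain_name` while the dashboard config in this same commit switches to `dependency.eks_dns.outputs.cluster_domain`.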
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-k8s-dashboard/terragrunt.hcl
index e56658b8..a2406a1c 100644
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-k8s-dashboard/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-k8s-dashboard/terragrunt.hcl
@@ -21,18 +21,29 @@ dependency "eks" {
   }
 }
 
-dependency "eks-loki" {
-  config_path = "../eks-loki"
-  skip_outputs = true
+dependency "eks_dns" {
+  config_path = "../eks-dns"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_domain = "mock.example.com"
+  }
+}
+
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-dns",
+  ]
 }
 
 inputs = {
   # datasources = dependency.eks-loki.outputs.gateway_internal_endpoint
-  cluster_domain = dependency.eks.inputs.vpc_domain_name
+  cluster_domain = dependency.eks_dns.outputs.cluster_domain
   cluster_name = dependency.eks.outputs.cluster_name
   k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
   profile = include.root.inputs.aws_profile
   public_hostname = include.root.inputs.dashboard_hostname
   region = include.root.inputs.aws_region
   namespace = include.root.inputs.namespaces["k8s-dashboard"]
+  service_name = "dashboard"
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-keycloak/terragrunt.hcl
new file mode 100644
index 00000000..3e0cdb39
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-keycloak/terragrunt.hcl
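Review bot: The context line `# datasources = dependency.eks-loki.outputs.gateway_internal_endpoint` now references a dependency this hunk deletes (`dependency "eks-loki"`), so it is dead and misleading; drop it rather than leave it beside the new `eks_dns` wiring. The new `service_name = "dashboard"` is a literal the gatekeeper presumably has to agree with (eks-gatekeeper lists this module as a dependency, but how it uses the name is outside this diff) — consider exposing it as an output instead of duplicating the string in two configs. Since the dashboard keeps its own `public_hostname`, the OIDC layer is only effective if the dashboard ingress is reachable solely through the gatekeeper; that cannot be confirmed from this file, so it deserves a one-line comment such as `# public_hostname must only be routed via eks-gatekeeper; direct exposure bypasses OIDC`.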
@@ -0,0 +1,77 @@
+include "root" {
+  path = find_in_parent_folders("root.hcl")
+  merge_strategy = "deep"
+  expose = true
+}
+
+terraform {
+  # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}"
+  source = "../../../../../../../tfmod-keycloak"
+  extra_arguments "retry_lock" {
+    commands = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20s"]
+  }
+}
+
+dependency "eks" {
+  config_path = "../eks"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_name = "mock-cluster"
+    oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+  }
+}
+
+dependency "eks_config" {
+  config_path = "../eks-config"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    rwo_storage_class = "gp3-mock"
+  }
+}
+
+dependency "eks_dns" {
+  config_path = "../eks-dns"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_domain = "mock.example.com"
+  }
+}
+
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-config",
+    "../eks-dns",
+    "../eks-prometheus",
+  ]
+}
+
+inputs = {
+  cluster_domain = dependency.eks_dns.outputs.cluster_domain
+  cluster_name = dependency.eks.outputs.cluster_name
+  namespace = include.root.inputs.namespaces["keycloak"]
+  profile = include.root.inputs.aws_profile
+  region = include.root.inputs.aws_region
+
+  # keycloak config
+  default_storage_class = dependency.eks_config.outputs.rwo_storage_class
+  keycloak_chart_version = include.root.inputs.keycloak_chart_version
+  keycloak_hostname = include.root.inputs.keycloak_hostname
+  keycloak_tag = include.root.inputs.keycloak_tag
+  realm_email = include.root.inputs.cluster_mailing_list
+  realm_name = "master"
+  realm_password = include.root.inputs.keycloak_password
+  realm_username = include.root.inputs.keycloak_username
+  service_name = "keycloak"
+  
telemetry_namespace = include.root.inputs.telemetry_namespace
+
+  # # Database configuration
+  keycloak_database = include.root.inputs.keycloak_database
+  keycloak_user = include.root.inputs.keycloak_username
+  keycloak_password = include.root.inputs.keycloak_password
+
+  # Project information
+  project_name = include.root.inputs.project_name
+  tags = include.root.inputs.tags
+}
\ No newline at end of file
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-kiali/terragrunt.hcl
index 040fd99c..f52dd8ec 100644
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-kiali/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-kiali/terragrunt.hcl
@@ -54,7 +54,7 @@ dependency "eks-grafana" {
       url = "https://grafana.grafana.svc.cluster.local:80/"
     }
     namespace = "grafana"
-    public_endpoint = "https://grafana.dev.lab.csp2.census.gov:80/"
+    # public_endpoint = "https://grafana.dev.lab.csp2.census.gov:80/"
     secret_name = "grafana"
     tempo_datasource_id = "tempo"
   }
@@ -62,7 +62,7 @@ dependency "eks-grafana" {
 
 inputs = {
   profile = include.root.inputs.aws_profile
-  cluster_domain = dependency.eks.inputs.vpc_domain_name
+  cluster_domain = "platform-test-z.dev.lab.csp2.census.gov"
   cluster_name = dependency.eks.outputs.cluster_name
 
   certificate_issuer = dependency.eks-cert-manager.outputs.cluster_issuer_name
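Review bot: The realm admin and the database user share one credential: `realm_username`/`realm_password` and `keycloak_user`/`keycloak_password` all resolve to `include.root.inputs.keycloak_username` / `include.root.inputs.keycloak_password`, so a compromise of the database (or of wherever its password is stored) yields Keycloak admin, and rotating one forces rotating the other. Give the database its own root inputs, e.g. `keycloak_user = include.root.inputs.keycloak_db_username` and `keycloak_password = include.root.inputs.keycloak_db_password`, and keep the `realm_*` pair for the admin account only. `realm_name = "master"` binds the application clients to Keycloak's administrative realm; a dedicated realm is the recommended layout so the gatekeeper's client and its users never live alongside the admin console's. Where `keycloak_password` ultimately comes from is not visible here — make sure the root config reads it from a secret store rather than a committed HCL value — and, as in the gogatekeeper file, `source` is a relative local path with the pinned `ref=${release_version}` git source commented out, so the deployed module version is whatever happens to be on disk.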
@@ -76,7 +76,8 @@ inputs = {
   grafana_namespace = dependency.eks-grafana.outputs.namespace
   grafana_secret_name = dependency.eks-grafana.outputs.secret_name
   grafana_internal_url = dependency.eks-grafana.outputs.internal_endpoint.url
-  grafana_public_url = dependency.eks-grafana.outputs.public_endpoint
+  # grafana_public_url = "https://grafana.dev.lab.csp2.census.gov" internal_endpoint
+  grafana_public_url = "https://grafana.platform-test-z.dev.lab.csp2.census.gov"
 
   tempo_datasource_id = dependency.eks-grafana.outputs.tempo_datasource_id
   tempo_internal_url = dependency.eks-tempo.outputs.tempo_internal_endpoint.url
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks/terragrunt.hcl
index cff2547a..df8261ab 100644
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-test-z/eks/terragrunt.hcl
@@ -17,7 +17,7 @@ inputs = {
   cluster_endpoint_public_access = include.root.inputs.cluster_endpoint_public_access
   cluster_name = include.root.inputs.cluster_name
   cluster_version = include.root.inputs.cluster_version
-  creator = include.root.inputs.creator
+  # creator = include.root.inputs.creator
   eks_instance_disk_size = include.root.inputs.eks_instance_disk_size
   eks_ng_desired_size = include.root.inputs.eks_ng_desired_size
   eks_ng_max_size = include.root.inputs.eks_ng_max_size
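Review bot: `grafana_public_url` is now the literal `https://grafana.platform-test-z.dev.lab.csp2.census.gov` instead of the `eks-grafana` dependency output, and the preceding hunk does the same for `cluster_domain` (`"platform-test-z.dev.lab.csp2.census.gov"`), while this same commit moves the dashboard config to `dependency.eks_dns.outputs.cluster_domain`. Hard-coded environment hostnames in a per-cluster config drift as soon as the cluster or domain is renamed and will silently point Kiali at another environment's Grafana. Prefer `cluster_domain = dependency.eks_dns.outputs.cluster_domain` (adding the `eks_dns` dependency block as eks-k8s-dashboard does) and derive the Grafana URL from `include.root.inputs.grafana_hostname`, which eks-grafana already passes as `public_hostname` — whether that value is a bare host or an FQDN is not visible here, so check before composing it. The added comment `# grafana_public_url = "https://grafana.dev.lab.csp2.census.gov" internal_endpoint` also carries a stray `internal_endpoint` token and should be deleted rather than kept as commented-out history.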