From 70d71303120e602fe644290485d8acf114b0605e Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Wed, 26 Feb 2025 18:15:52 -0500
Subject: [PATCH 01/16] add ingress
---
 .github/dependabot.yml | 11 +++
 .github/workflows/terragrunt-cicd.yml | 101 ++++++++++++++++++++++++++
 .tflint.hcl | 26 +++----
 README.md | 7 +-
 main.tf | 81 ++++++++++++++++++---
 5 files changed, 198 insertions(+), 28 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/terragrunt-cicd.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..867570d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: "terraform" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/terragrunt-cicd.yml b/.github/workflows/terragrunt-cicd.yml
new file mode 100644
index 0000000..a78523e
--- /dev/null
+++ b/.github/workflows/terragrunt-cicd.yml
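Review bot: The Dependabot config only registers the `terraform` ecosystem, so the actions that the workflow added in this same commit pins by floating major tag (`actions/checkout@v3`, `hashicorp/setup-terraform@v2`, `actions/create-release@v1`, `actions/setup-python@v4`) never get update pull requests. A second entry, `- package-ecosystem: "github-actions"` with `directory: "/"` and the same `schedule`, brings those under the same review. As far as I know the terraform ecosystem also cannot follow the `?ref=main` git sources used in main.tf, so those modules stay effectively unpinned regardless of this file.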
@@ -0,0 +1,101 @@
+name: 'Terraform Module CI'
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - '**/*.hcl'
+ - '**/*.tf'
+ pull_request:
+ branches:
+ - main
+ paths:
+ - '**/*.hcl'
+ - '**/*.tf'
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ validate:
+ name: 'Validate Module'
+ runs-on: self-hosted
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_version: 1.5.0
+
+ - name: Terraform Init
+ run: |
+ terraform init -backend=false
+
+ - name: Terraform Format
+ run: |
+ terraform fmt -check
+
+ - name: Terraform Validate
+ run: |
+ terraform validate
+
+ - name: Run tflint
+ uses: terraform-linters/setup-tflint@v3
+ if: github.event_name == 'pull_request'
+
+ - name: Lint Terraform
+ if: github.event_name == 'pull_request'
+ run: |
+ tflint --format compact
+
+ release:
+ name: 'Create Release'
+ needs: validate
+ if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+ runs-on: self-hosted
+ permissions:
+ contents: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Setup Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.9'
+
+ - name: Install Commitizen
+ run: |
+ pip install commitizen
+
+ - name: Configure Git
+ run: |
+ git config --local user.email "action@github.com"
+ git config --local user.name "GitHub Action"
+
+ - name: Bump Version and Generate Changelog
+ id: cz
+ run: |
+ cz bump --yes
+ echo "new_version=$(cz version --project)" >> $GITHUB_OUTPUT
+ echo "changelog=$(cz changelog --dry-run)" >> $GITHUB_OUTPUT
+
+ - name: Create Release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag_name: v${{ steps.cz.outputs.new_version }}
+ release_name: Release v${{ steps.cz.outputs.new_version }}
+ draft: false
+ prerelease: false
+ body: ${{ steps.cz.outputs.changelog }}
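Review bot: In the `Bump Version and Generate Changelog` step, `echo "changelog=$(cz changelog --dry-run)" >> $GITHUB_OUTPUT` writes what is normally a multi-line value with the single-line `name=value` form; as far as I know the runner rejects that with an invalid-format error, so the release body is empty or the job fails. Multi-line outputs need the `name<<DELIM` heredoc form, shown below. The same step runs `cz bump --yes`, which commits and tags locally, but nothing pushes, so the version/changelog commit never reaches the repository while `actions/create-release` tags the workflow's own `GITHUB_SHA` instead; a `git push --follow-tags` fixes that provided branch protection on `main` allows the token. Separately, both jobs execute pull-request code on `self-hosted` runners and every action is pinned to a mutable major tag (`actions/create-release@v1` is archived upstream) — pinning to commit SHAs and confirming the runner is isolated if external PRs are accepted would close the supply-chain gap; `pip install commitizen` is likewise unpinned.
```yaml
      - name: Bump Version and Generate Changelog
        id: cz
        run: |
          cz bump --yes
          git push --follow-tags
          echo "new_version=$(cz version --project)" >> "$GITHUB_OUTPUT"
          {
            echo "changelog<<CZ_CHANGELOG_EOF"
            cz changelog --dry-run
            echo "CZ_CHANGELOG_EOF"
          } >> "$GITHUB_OUTPUT"
      # … unchanged: Create Release step …
```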
diff --git a/.tflint.hcl b/.tflint.hcl index 684d807..ab8ea66 100644 --- a/.tflint.hcl +++ b/.tflint.hcl @@ -4,18 +4,18 @@ config { disabled_by_default = false } -rule "aws_instance_invalid_type" { - enabled = true -} +# rule "aws_instance_invalid_type" { +# enabled = true +# } -plugin "aws" { - enabled = true - version = "0.32.0" - source = "github.com/terraform-linters/tflint-ruleset-aws" -} +# plugin "aws" { +# enabled = true +# version = "0.32.0" +# source = "github.com/terraform-linters/tflint-ruleset-aws" +# } -plugin "terraform" { - enabled = true - version = "0.9.0" - source = "github.com/terraform-linters/tflint-ruleset-terraform" -} +# plugin "terraform" { +# enabled = true +# version = "0.9.0" +# source = "github.com/terraform-linters/tflint-ruleset-terraform" +# } diff --git a/README.md b/README.md index 8d49162..bb7c40f 100644 --- a/README.md +++ b/README.md @@ -13,14 +13,15 @@ | Name | Version | |------|---------| -| [helm](#provider\_helm) | 2.16.1 | -| [kubernetes](#provider\_kubernetes) | 2.33.0 | +| [helm](#provider\_helm) | 2.17.0 | +| [kubernetes](#provider\_kubernetes) | 2.36.0 | ## Modules | Name | Source | Version | |------|--------|---------| | [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade | +| [ingress\_resources](#module\_ingress\_resources) | git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git | main | | [preinstall](#module\_preinstall) | git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//config-job | feature-kiali-baseline | | [service\_account](#module\_service\_account) | git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//service-account | n/a | 
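Review bot: Commenting out the `terraform` and `aws` plugin blocks leaves dead configuration rather than a decision: if the AWS ruleset is no longer wanted for a helm/kubernetes-only module, delete the block (history keeps it), and if the terraform ruleset is still wanted, keep its block, since main.tf carries `# tflint-ignore: terraform_module_pinned_source` annotations that only mean something with that ruleset active. As far as I recall, recent tflint bundles the terraform ruleset and enables its recommended preset when no `plugin "terraform"` block is present, so the visible effect here is mostly losing the explicit `version` pin — worth confirming against the tflint version `setup-tflint@v3` installs on the runner. A one-line comment such as `# aws ruleset dropped: this module manages helm/kubernetes resources only` would record the intent.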
@@ -31,7 +32,7 @@ | [helm_release.kiali](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [helm_release.kiali_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/namespace) | data source | +| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | ## Inputs diff --git a/main.tf b/main.tf index b02d609..5755a43 100644 --- a/main.tf +++ b/main.tf @@ -1,8 +1,8 @@ locals { - internal_hostname = format("kiali.%v.svc.cluster.local", var.namespace) + internal_hostname = format("%v.%v.svc.cluster.local", kubernetes_namespace.ns.metadata[0].name, local.service_name) internal_port_number = "20001" - internal_url = format("http://%v:%v/", local.internal_hostname, local.internal_port_number) + internal_url = format("https://%s:%s/", local.internal_hostname, local.internal_port_number) grafana_secret_name = "kiali" grafana_password_key = "grafana_password" 
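Review bot: The new `internal_hostname` puts the namespace before the service name, yielding `<namespace>.<service>.svc.cluster.local`, but in-cluster DNS is `<service>.<namespace>.svc.cluster.local` (the removed line had service first); the arguments should be swapped: `internal_hostname = format("%v.%v.svc.cluster.local", local.service_name, kubernetes_namespace.ns.metadata[0].name)`. The switch of `internal_url` from `http` to `https` is not explained anywhere in the commit — if kiali is not terminating TLS on port 20001, consumers of the `internal_endpoint` output will fail; a comment stating why the scheme changed would help. The enclosing `locals` block continues past this hunk.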
@@ -23,14 +23,43 @@ wait_for_istio_ready() { wait_for_istio_ready ensure_secret ${local.grafana_secret_name} ${local.grafana_password_key} "$(kubectl -n ${var.grafana_namespace} get secret ${var.grafana_secret_name} -o jsonpath='{.data.admin-password}' | base64 -d)" CONFIG + + public_domain = format("%v.%v", var.cluster_name, var.cluster_domain) + service_name = var.namespace +} + +resource "kubernetes_namespace" "operators" { + metadata { + name = var.operators_namespace + labels = { + istio-injection = "enabled" + } + } } +resource "kubernetes_namespace" "ns" { + metadata { + name = var.namespace + labels = { + istio-injection = "enabled" + } + } +} + +# data "kubernetes_namespace" "keycloak" { +# count = local.have_keycloak ? 1 : 0 + +# metadata { +# name = var.keycloak_namespace +# } +# } + module "service_account" { # tflint-ignore: terraform_module_pinned_source source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//service-account" - namespace = var.namespace - read_only_namespaces = [var.grafana_namespace] + namespace = kubernetes_namespace.ns.metadata[0].name + read_only_namespaces = ["grafana"] } module "preinstall" { @@ -38,7 +67,7 @@ module "preinstall" { profile = var.profile cluster_name = var.cluster_name - namespace = var.namespace + namespace = kubernetes_namespace.ns.metadata[0].name service_account_name = module.service_account.service_account_name job_name = "istio-tools-config-job" config_script = local.preinstall_script @@ -49,7 +78,7 @@ resource "helm_release" "kiali_operator" { chart = "kiali-operator" version = var.kiali_operator_version name = "kiali-operator" - namespace = var.namespace + namespace = kubernetes_namespace.operators.metadata[0].name repository = "https://kiali.org/helm-charts" set { @@ -71,7 +100,7 @@ resource "helm_release" "kiali_operator" { } set { name = "watchNamespace" - value = var.namespace + value = kubernetes_namespace.ns.metadata[0].name } set { name = "env[0].name" 
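Review bot: `read_only_namespaces = ["grafana"]` in `module "service_account"` hard-codes a namespace that the preinstall script in the same hunk still reads from `var.grafana_namespace` (`kubectl -n ${var.grafana_namespace} get secret …`); when a caller sets that variable to anything else, the service account is granted read on a namespace it never uses and the script's secret lookup is denied. Restoring `read_only_namespaces = [var.grafana_namespace]` keeps the grant scoped to what the job actually reads. The new `service_name = var.namespace` local is also suspicious: it feeds `local.internal_hostname` and the ingress, so it assumes the kiali service is named after its namespace rather than `kiali`; if that is not true for the chart, an explicit service-name input (as later patches in this series add) is the fix. The `locals` block starts before this hunk.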
@@ -138,9 +167,37 @@ module "ingress_resources" { # tflint-ignore: terraform_module_pinned_source source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git?ref=main" - public_hostname = "kiali" - public_domain = format("%v.%v", var.cluster_name, var.cluster_domain) - service_name = "kiali" - service_namespace = var.namespace - service_port = local.internal_port_number + +# module "kiali_ingress" { +# depends_on = [helm_release.kiali] + +# #source = "git@github.it.census.gov:SOA/tfmod-gogatekeeper.git//>ref=1.0.0" +# source = "git@github.it.census.gov:SOA/tfmod-gogatekeeper.git//" + +# certificate_issuer = var.certificate_issuer + +# namespace = local.ns +# application_name = "kiali" +# public_hostname = "kiali" +# cluster_domain = var.cluster_domain +# upstream_hostname = local.internal_hostname +# upstream_port = local.internal_port_number +# redirection_url = local.public_url +# client_id = var.sso_client_id +# client_secret = var.sso_client_secret +# keycloak_public_url = var.keycloak_public_url +# gogatekeeper_chart_version = var.gogatekeeper_chart_version +# gogatekeeper_registry = var.gogatekeeper_registry +# gogatekeeper_repository = var.gogatekeeper_repository +# gogatekeeper_tag = var.gogatekeeper_tag +# } + +module "ingress_resources" { + # tflint-ignore: terraform_module_pinned_source + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git?ref=main" + public_hostname = local.service_name + public_domain = local.public_domain + service_name = local.service_name + service_namespace = kubernetes_namespace.ns.metadata[0].name + service_port = local.internal_port_number } From 98f4e3c7ebacb5755648b6601609b002f34899bd Mon Sep 17 00:00:00 2001 
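Review bot: The old `module "ingress_resources" {` header with its `# tflint-ignore` and `source` lines is kept as leading context while only the body is removed, so after this commit the file holds an opening brace that is never closed before the new `module "ingress_resources" {` block; `terraform validate` in the workflow added by this same commit should reject it (patch 02 of the series removes the stale header). The 20-line commented `module "kiali_ingress"` block, including its `client_secret = var.sso_client_secret` wiring, is dead code — please delete it rather than comment it, and the same goes for the commented `data "kubernetes_namespace" "keycloak"` block in the previous hunk, the commented `helm_release "kiali"` copy in patch 02, the `jaeger_internal_url` variable in patch 08 and the `grafana_admin`/openid blocks in patch 12. The module source still resolves `?ref=main`, a mutable branch, under a `tflint-ignore`; pinning to a tag or commit is exactly what the suppressed rule asks for.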
From: "Matthew C. Morgan" Date: Wed, 26 Feb 2025 18:32:16 -0500 Subject: [PATCH 02/16] chart consolidation --- README.md | 2 - main.tf | 132 +++++++++++++++++++++++++++++++++++++++++++-------- variables.tf | 10 ++-- 3 files changed, 116 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index bb7c40f..2513c02 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,6 @@ | Name | Type | |------|------| -| [helm_release.kiali](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [helm_release.kiali_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | @@ -52,7 +51,6 @@ | [operators\_namespace](#input\_operators\_namespace) | The namespace into which all operators are to be deployed. | `string` | n/a | yes | | [profile](#input\_profile) | The AWS\_PROFILE to use while running the scripts. | `string` | `""` | no | | [prometheus\_internal\_url](#input\_prometheus\_internal\_url) | The url within the cluster to use to query the prometheus server. | `string` | n/a | yes | -| [public\_hostname](#input\_public\_hostname) | The hostname to use for kiali that will be publicly available | `string` | `"kiali"` | no | ## Outputs diff --git a/main.tf b/main.tf index 5755a43..531c3a7 100644 --- a/main.tf +++ b/main.tf @@ -78,7 +78,7 @@ resource "helm_release" "kiali_operator" { chart = "kiali-operator" version = var.kiali_operator_version name = "kiali-operator" - namespace = kubernetes_namespace.operators.metadata[0].name + namespace = kubernetes_namespace.ns.metadata[0].name repository = "https://kiali.org/helm-charts" set { 
@@ -94,10 +94,6 @@ resource "helm_release" "kiali_operator" { } - set { - name = "cr.create" - value = "false" - } set { name = "watchNamespace" value = kubernetes_namespace.ns.metadata[0].name @@ -114,18 +110,14 @@ resource "helm_release" "kiali_operator" { module.images.images[local.kiali_server_key].tag ) } -} - -resource "helm_release" "kiali" { - depends_on = [ - helm_release.kiali_operator, - module.preinstall, - ] - - chart = "./kiali-server" - name = "kiali" - namespace = var.namespace - + set { + name = "publicHostname" + value = local.service_name + } + set { + name = "publicDomain" + value = local.public_domain + } set { name = "istioNamespace" value = var.istio_namespace 
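Review bot: Dropping `cr.create = "false"` and moving `publicHostname`/`publicDomain` onto the `kiali-operator` release only works if this chart is a customised copy: as far as I know the upstream kiali-operator chart has no `publicHostname`, `publicDomain` or `istioNamespace` top-level values (the Kiali CR is configured under `cr.spec.*`), and `set` blocks for unknown keys are accepted silently, so a mismatch surfaces only as an unconfigured Kiali. A comment on the release naming the values schema these keys belong to, e.g. `# values below target the mirrored kiali-operator chart in module.images, not upstream`, would make this reviewable. The `helm_release "kiali_operator"` block starts and ends outside this hunk.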
@@ -162,10 +154,108 @@ resource "helm_release" "kiali" { } -module "ingress_resources" { - # tflint-ignore: terraform_module_version - # tflint-ignore: terraform_module_pinned_source - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git?ref=main" +# resource "helm_release" "kiali" { +# depends_on = [ +# helm_release.kiali_operator, +# # module.preinstall, +# ] + +# chart = "kiali" +# name = "kiali" +# namespace = kubernetes_namespace.ns.metadata[0].name +# repository = "./charts" +# # repository = "${path.module}/charts" + +# set { +# name = "image_name" +# value = format("%v/%v", +# module.images.images[local.kiali_key].dest_registry, +# module.images.images[local.kiali_key].dest_repository +# ) +# } +# set { +# name = "image_version" +# value = module.images.images[local.kiali_key].tag +# } + +# set { +# name = "publicHostname" +# value = var.public_hostname +# } +# set { +# name = "publicDomain" +# value = var.cluster_domain +# } +# set { +# name = "istioNamespace" +# value = var.istio_namespace +# } +# set { +# name = "prometheusInClusterUrl" +# value = var.prometheus_internal_url +# } +# set { +# name = "jaegerInClusterUrl" +# value = var.jaeger_internal_url +# } +# set { +# name = "grafanaInClusterUrl" +# value = var.grafana_internal_url +# } +# set { +# name = "grafanaPublicUrl" +# value = var.grafana_public_url +# } +# set { +# name = "grafanaUserName" +# value = "YWRtaW4=" +# # value = "admin" +# } +# set { +# name = "grafanaSecretName" +# value = "kiali" +# } +# set { +# name = "grafanaPasswordKey" +# value = "grafana_password" +# } +# } + +# dynamic "set" { +# for_each = local.have_keycloak ? ["openid"] : ["anonymous"] +# content { +# name = "kialiAuthStrategy" +# value = set.value +# } +# } +# dynamic "set" { +# for_each = local.have_keycloak ? [var.sso_client_id] : [] +# content { +# name = "openid.clientId" +# value = set.value +# } +# } +# dynamic "set" { +# for_each = local.have_keycloak ? 
[var.sso_client_secret] : [] +# content { +# name = "openid.secret" +# value = set.value +# } +# } +# dynamic "set" { +# for_each = local.have_keycloak ? [local.keycloak_issuer_uri] : [] +# content { +# name = "openid.issuerUri" +# value = set.value +# } +# } +# dynamic "set" { +# for_each = local.have_keycloak ? ["username_claim"] : [] +# content { +# name = "openid.username_claim" +# value = set.value +# } +# } # module "kiali_ingress" { diff --git a/variables.tf b/variables.tf index e019c65..848ff40 100644 --- a/variables.tf +++ b/variables.tf @@ -61,11 +61,11 @@ variable "tempo_datasource_id" { type = string } -variable "public_hostname" { - description = "The hostname to use for kiali that will be publicly available" - type = string - default = "kiali" -} +# variable "public_hostname" { +# description = "The hostname to use for kiali that will be publicly available" +# type = string +# default = "kiali" +# } # helm repo add kiali https://kiali.org/helm-charts # helm search repo kiali/kiali-operator From 121b21ae6b02e8f0245ecb074ba22f65a4a8ddc9 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 26 Feb 2025 18:33:42 -0500 Subject: [PATCH 03/16] update outputs --- README.md | 2 +- outputs.tf | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 2513c02..7b56809 100644 --- a/README.md +++ b/README.md @@ -59,5 +59,5 @@ | [internal\_endpoint](#output\_internal\_endpoint) | The internal endpoint to use to access kiali | | [module\_name](#output\_module\_name) | The name of this module. | | [module\_version](#output\_module\_version) | The version of this module. | -| [public\_endpoint](#output\_public\_endpoint) | The public endpoint to use to access kiali | +| [public\_endpoint](#output\_public\_endpoint) | The endpoint at which keycloak can be reached from outside the cluster. | diff --git a/outputs.tf b/outputs.tf index d3b64bb..f221287 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -1,7 +1,6 @@ - output "public_endpoint" { - description = "The public endpoint to use to access kiali" - value = module.ingress_resources.service_url + description = "The endpoint at which keycloak can be reached from outside the cluster." + value = module.ingress_resources.service_url } output "internal_endpoint" { From 649c1ad0e0711713ea916c3ef37e3d9ed2a26288 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 26 Feb 2025 18:38:02 -0500 Subject: [PATCH 04/16] watch the operators ns --- README.md | 2 +- main.tf | 7 ++----- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 7b56809..05d2285 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ |------|------| | [helm_release.kiali_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/namespace) | data source | ## Inputs diff --git a/main.tf b/main.tf index 531c3a7..312e0bc 100644 --- a/main.tf +++ b/main.tf @@ -28,12 +28,9 @@ CONFIG service_name = var.namespace } -resource "kubernetes_namespace" "operators" { +data "kubernetes_namespace" "operators" { metadata { name = var.operators_namespace - labels = { - istio-injection = "enabled" - } } } @@ -96,7 +93,7 @@ resource "helm_release" "kiali_operator" { set { name = "watchNamespace" - value = kubernetes_namespace.ns.metadata[0].name + value = data.kubernetes_namespace.operators.metadata[0].name } set { name = "env[0].name" From 7bf03a0ada6874f0fa5273838834b3d958d7c694 Mon Sep 17 00:00:00 2001 
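Review bot: The new description for `public_endpoint`, `The endpoint at which keycloak can be reached from outside the cluster.`, names the wrong service — the value is still `module.ingress_resources.service_url`, i.e. kiali's ingress, and the README row changed in the same commit copies the same text. Suggest `description = "The endpoint at which kiali can be reached from outside the cluster."`.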
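Review bot: `watchNamespace = data.kubernetes_namespace.operators.metadata[0].name` points the operator at the operator namespace while the release itself — and, with `cr.create = "false"` removed in patch 02, the Kiali CR it creates — lives in `kubernetes_namespace.ns`; with upstream chart semantics a CR outside the watched namespace is never reconciled, so please confirm the CR namespace matches or set `watchNamespace` to the namespace the CR lands in. Patch 06 of this series replaces the data source with `var.operator_namespace` but keeps the same mismatch. The `data "kubernetes_namespace"` lookup also makes `terraform plan` fail when the namespace does not exist yet, which is presumably why patch 06 reverts it.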
From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 16:01:48 -0500 Subject: [PATCH 05/16] not plural --- README.md | 2 +- main.tf | 2 +- variables.tf | 5 +++++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 05d2285..f71613d 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ | [kiali\_application\_version](#input\_kiali\_application\_version) | The version of kiali to install | `string` | `"v1.73.0"` | no | | [kiali\_operator\_version](#input\_kiali\_operator\_version) | The version of kiali to install | `string` | `"1.73.0"` | no | | [namespace](#input\_namespace) | The namespace to create and into which the tools are deployed. | `string` | `"istio-tools"` | no | -| [operators\_namespace](#input\_operators\_namespace) | The namespace into which all operators are to be deployed. | `string` | n/a | yes | +| [operator\_namespace](#input\_operator\_namespace) | The namespace into which all operators are to be deployed. | `string` | n/a | yes | | [profile](#input\_profile) | The AWS\_PROFILE to use while running the scripts. | `string` | `""` | no | | [prometheus\_internal\_url](#input\_prometheus\_internal\_url) | The url within the cluster to use to query the prometheus server. | `string` | n/a | yes | diff --git a/main.tf b/main.tf index 312e0bc..231ede6 100644 --- a/main.tf +++ b/main.tf @@ -30,7 +30,7 @@ CONFIG data "kubernetes_namespace" "operators" { metadata { - name = var.operators_namespace + name = var.operator_namespace } } diff --git a/variables.tf b/variables.tf index 848ff40..b509ff2 100644 --- a/variables.tf +++ b/variables.tf @@ -26,6 +26,11 @@ variable "istio_namespace" { default = "istio-system" } +variable "operator_namespace" { + description = "The namespace into which all operators are to be deployed." + type = string +} + variable "grafana_namespace" { description = "The namespace holding the grafana instance, used to look up the grafana password." type = string 
From 23cb90608932ec250c90dbcb51ceeb3155a3d564 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 16:08:56 -0500 Subject: [PATCH 06/16] don't use data item for plan --- README.md | 1 - main.tf | 8 +------- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/README.md b/README.md index f71613d..b6f9c27 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,6 @@ |------|------| | [helm_release.kiali_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/namespace) | data source | ## Inputs diff --git a/main.tf b/main.tf index 231ede6..2b056fc 100644 --- a/main.tf +++ b/main.tf @@ -28,12 +28,6 @@ CONFIG service_name = var.namespace } -data "kubernetes_namespace" "operators" { - metadata { - name = var.operator_namespace - } -} - resource "kubernetes_namespace" "ns" { metadata { name = var.namespace @@ -93,7 +87,7 @@ resource "helm_release" "kiali_operator" { set { name = "watchNamespace" - value = data.kubernetes_namespace.operators.metadata[0].name + value = var.operator_namespace } set { name = "env[0].name" From 2542ebd6a1c821b4219aaa55f3dfde668f00a509 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 17:19:13 -0500 Subject: [PATCH 07/16] data --- README.md | 9 +++---- main.tf | 76 ++++++++++++++++------------------------------------ variables.tf | 13 ++++----- 3 files changed, 34 insertions(+), 64 deletions(-) diff --git a/README.md b/README.md index b6f9c27..3e110ee 100644 --- a/README.md +++ b/README.md 
@@ -22,15 +22,14 @@ |------|--------|---------| | [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade | | [ingress\_resources](#module\_ingress\_resources) | git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git | main | -| [preinstall](#module\_preinstall) | git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//config-job | feature-kiali-baseline | -| [service\_account](#module\_service\_account) | git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//service-account | n/a | ## Resources | Name | Type | |------|------| | [helm_release.kiali_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_secret.kiali_grafana](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [kubernetes_secret.grafana_admin](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/secret) | data source | ## Inputs 
@@ -46,10 +45,10 @@ | [jaeger\_internal\_url](#input\_jaeger\_internal\_url) | The url within the cluster to use to query the jaegertracing. | `string` | n/a | yes | | [kiali\_application\_version](#input\_kiali\_application\_version) | The version of kiali to install | `string` | `"v1.73.0"` | no | | [kiali\_operator\_version](#input\_kiali\_operator\_version) | The version of kiali to install | `string` | `"1.73.0"` | no | -| [namespace](#input\_namespace) | The namespace to create and into which the tools are deployed. | `string` | `"istio-tools"` | no | -| [operator\_namespace](#input\_operator\_namespace) | The namespace into which all operators are to be deployed. | `string` | n/a | yes | +| [namespace](#input\_namespace) | The namespace to create and into which the tools are deployed. | `string` | `"namespace"` | no | | [profile](#input\_profile) | The AWS\_PROFILE to use while running the scripts. | `string` | `""` | no | | [prometheus\_internal\_url](#input\_prometheus\_internal\_url) | The url within the cluster to use to query the prometheus server. | `string` | n/a | yes | +| [service\_name](#input\_service\_name) | The name of the service for Kiali. | `string` | `"kiali"` | no | ## Outputs diff --git a/main.tf b/main.tf index 2b056fc..5b1e7c2 100644 --- a/main.tf +++ b/main.tf @@ -1,42 +1,31 @@ locals { - internal_hostname = format("%v.%v.svc.cluster.local", kubernetes_namespace.ns.metadata[0].name, local.service_name) + internal_hostname = format("%v.%v.svc.cluster.local", var.service_name, var.namespace) internal_port_number = "20001" internal_url = format("https://%s:%s/", local.internal_hostname, local.internal_port_number) - grafana_secret_name = "kiali" - grafana_password_key = "grafana_password" - - preinstall_script = < Date: Thu, 27 Feb 2025 17:25:18 -0500 Subject: [PATCH 08/16] no jaeger --- README.md | 1 - main.tf | 9 ++++----- variables.tf | 13 ++++--------- 3 files changed, 8 insertions(+), 15 deletions(-) 
diff --git a/README.md b/README.md index 3e110ee..0cac009 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,6 @@ | [grafana\_public\_url](#input\_grafana\_public\_url) | The URL incoming traffic from outisde the cluster uses to access grafana. | `string` | n/a | yes | | [grafana\_secret\_name](#input\_grafana\_secret\_name) | The secret in the holding the grafana admin password. | `string` | n/a | yes | | [istio\_namespace](#input\_istio\_namespace) | The namespace where istio has been deployed. | `string` | `"istio-system"` | no | -| [jaeger\_internal\_url](#input\_jaeger\_internal\_url) | The url within the cluster to use to query the jaegertracing. | `string` | n/a | yes | | [kiali\_application\_version](#input\_kiali\_application\_version) | The version of kiali to install | `string` | `"v1.73.0"` | no | | [kiali\_operator\_version](#input\_kiali\_operator\_version) | The version of kiali to install | `string` | `"1.73.0"` | no | | [namespace](#input\_namespace) | The namespace to create and into which the tools are deployed. | `string` | `"namespace"` | no | diff --git a/main.tf b/main.tf index 5b1e7c2..08905e5 100644 --- a/main.tf +++ b/main.tf @@ -25,7 +25,6 @@ resource "kubernetes_secret" "kiali_grafana" { } } - # data "kubernetes_namespace" "keycloak" { # count = local.have_keycloak ? 1 : 0 @@ -87,10 +86,10 @@ resource "helm_release" "kiali_operator" { name = "prometheus.url" value = var.prometheus_internal_url } - set { - name = "grafana.secretName" - value = local.grafana_secret_name - } + # set { + # name = "jaegerInClusterUrl" + # value = var.jaeger_internal_url + # } set { name = "grafana.passwordKey" value = local.grafana_password_key diff --git a/variables.tf b/variables.tf index a22772b..d7f6408 100644 --- a/variables.tf +++ b/variables.tf 
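Review bot: The subject says "no jaeger", but the lines removed from `helm_release "kiali_operator"` are the `grafana.secretName` setting (`value = local.grafana_secret_name`), while the added lines are a commented-out jaeger block; `grafana.passwordKey` survives as context, so after this commit the chart is told which key to read but no longer which secret to read it from. Either restore the `grafana.secretName` set block or remove `grafana.passwordKey` with it, and delete the commented jaeger block instead of keeping it. The resource starts and ends outside this hunk.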
@@ -51,15 +51,10 @@ variable "prometheus_internal_url" { type = string } -variable "tempo_internal_url" { - description = "The url within the cluster to use to query tempo tracing." - type = string -} - -variable "tempo_datasource_id" { - description = "The UID of the created Tempo datasource" - type = string -} +# variable "jaeger_internal_url" { +# description = "The url within the cluster to use to query the jaegertracing." +# type = string +# } # variable "public_hostname" { # description = "The hostname to use for kiali that will be publicly available" From 441d3db91775bb8ea2dbaba705ecf7fb006f6877 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 17:40:22 -0500 Subject: [PATCH 09/16] fix domain --- main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 08905e5..6c3c1ae 100644 --- a/main.tf +++ b/main.tf @@ -4,7 +4,7 @@ locals { internal_port_number = "20001" internal_url = format("https://%s:%s/", local.internal_hostname, local.internal_port_number) - public_domain = format("%v.%v", var.cluster_name, var.cluster_domain) + public_domain = var.cluster_domain } data "kubernetes_secret" "grafana_admin" { @@ -243,6 +243,7 @@ resource "helm_release" "kiali_operator" { # } module "ingress_resources" { + depends_on = [helm_release.kiali_operator] # tflint-ignore: terraform_module_pinned_source source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git?ref=main" public_hostname = var.service_name From dddde5459c856073775dc04c257e9dd3e322e439 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 28 Feb 2025 13:29:58 -0500 Subject: [PATCH 10/16] add lifecycle to kiali_grafana secret --- main.tf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 6c3c1ae..dd89867 100644 --- a/main.tf +++ b/main.tf 
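Review bot: This hunk deletes `variable "tempo_internal_url"` and `variable "tempo_datasource_id"`, but main.tf still references `var.tempo_internal_url` (the `tracing.internalUrl` set, visible as a removed line only in patch 10) and `var.tempo_datasource_id` (`tracing.tempo_config.datasource_uid`, removed only in patch 12), so `terraform validate` fails on undeclared variables at this commit. The commit message names jaeger and the jaeger declaration is what gets commented out, so either the wrong variables were removed here or the tempo settings in main.tf should have gone in the same commit. The commented `jaeger_internal_url` block should be deleted rather than kept.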
@@ -23,6 +23,9 @@ resource "kubernetes_secret" "kiali_grafana" { data = { grafana_password = data.kubernetes_secret.grafana_admin.data["admin-password"] } + lifecycle { + ignore_changes = [metadata] + } } # data "kubernetes_namespace" "keycloak" { @@ -103,8 +106,8 @@ resource "helm_release" "kiali_operator" { value = var.grafana_internal_url } set { - name = "tracing.internalUrl" - value = var.tempo_internal_url + name = "grafanaSecretName" + value = kubernetes_secret.kiali_grafana.metadata[0].name } set { name = "tracing.tempo_config.datasource_uid" From 6863a18a8312d03669d5a2f74538d67caeddadfc Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 28 Feb 2025 13:42:22 -0500 Subject: [PATCH 11/16] ignore changes to data also --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index dd89867..f9da684 100644 --- a/main.tf +++ b/main.tf @@ -24,7 +24,7 @@ resource "kubernetes_secret" "kiali_grafana" { grafana_password = data.kubernetes_secret.grafana_admin.data["admin-password"] } lifecycle { - ignore_changes = [metadata] + ignore_changes = [metadata, data] } } From bfa3383374b9e8f43683d1d34fc824a561c255ce Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 6 Mar 2025 16:55:58 -0500 Subject: [PATCH 12/16] remove secret --- README.md | 4 -- main.tf | 176 +++++++++++++-------------------------------------- variables.tf | 5 -- 3 files changed, 44 insertions(+), 141 deletions(-) diff --git a/README.md b/README.md index 0cac009..271170e 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,6 @@ | Name | Version | |------|---------| | [helm](#provider\_helm) | 2.17.0 | -| [kubernetes](#provider\_kubernetes) | 2.36.0 | ## Modules 
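Review bot: `lifecycle { ignore_changes = [metadata] }` on `kubernetes_secret.kiali_grafana` — widened to `[metadata, data]` by patch 11 on this same line — means that once the secret exists, a rotated grafana admin password in `data.kubernetes_secret.grafana_admin` is never propagated, so kiali keeps a stale credential until someone taints the resource. If the goal is to stop perpetual diffs on cluster-added metadata, ignore only the fields that drift, e.g. `ignore_changes = [metadata[0].annotations, metadata[0].labels]`, and leave `data` managed; a comment naming which field drifted and why would help the next reader. The second hunk passes the copied secret's name as `grafanaSecretName` while the neighbouring keys use the dotted `grafana.passwordKey` form — one of the two spellings is presumably ignored by the chart, worth checking against its values file.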
@@ -28,8 +27,6 @@ | Name | Type | |------|------| | [helm_release.kiali_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_secret.kiali_grafana](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | -| [kubernetes_secret.grafana_admin](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/secret) | data source | ## Inputs @@ -38,7 +35,6 @@ | [cluster\_domain](#input\_cluster\_domain) | The domain name used to reference ingresses for the cluster | `string` | n/a | yes | | [cluster\_name](#input\_cluster\_name) | The name of the cluster into which the tools are deployed. | `string` | n/a | yes | | [grafana\_internal\_url](#input\_grafana\_internal\_url) | The url within the cluster to use to access grafana. | `string` | n/a | yes | -| [grafana\_namespace](#input\_grafana\_namespace) | The namespace holding the grafana instance, used to look up the grafana password. | `string` | n/a | yes | | [grafana\_public\_url](#input\_grafana\_public\_url) | The URL incoming traffic from outisde the cluster uses to access grafana. | `string` | n/a | yes | | [grafana\_secret\_name](#input\_grafana\_secret\_name) | The secret in the holding the grafana admin password. | `string` | n/a | yes | | [istio\_namespace](#input\_istio\_namespace) | The namespace where istio has been deployed. | `string` | `"istio-system"` | no | diff --git a/main.tf b/main.tf index f9da684..7a6845f 100644 --- a/main.tf +++ b/main.tf 
@@ -7,26 +7,12 @@ locals { public_domain = var.cluster_domain } -data "kubernetes_secret" "grafana_admin" { - metadata { - name = var.grafana_secret_name - namespace = var.grafana_namespace - } -} - -resource "kubernetes_secret" "kiali_grafana" { - metadata { - name = "kiali" - namespace = var.namespace - } - - data = { - grafana_password = data.kubernetes_secret.grafana_admin.data["admin-password"] - } - lifecycle { - ignore_changes = [metadata, data] - } -} +# data "kubernetes_secret" "grafana_admin" { +# metadata { +# name = var.grafana_secret_name +# namespace = var.grafana_namespace +# } +# } # data "kubernetes_namespace" "keycloak" { # count = local.have_keycloak ? 1 : 0 
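Review bot: The replacement is commented-out code rather than a deletion: the `# data "kubernetes_secret" "grafana_admin"` block still references `var.grafana_namespace`, which this same patch removes from variables.tf, so it can never be uncommented as written. Dropping the data source is the right call — reading the Grafana admin secret through a data source puts `admin-password` into Terraform state — so delete the block outright (git history keeps it) or replace it with a one-line comment that records why, e.g. `# The Grafana admin secret is intentionally not read here: a data source would copy the password into terraform state. Kiali is pointed at the secret by name instead.`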
@@ -107,120 +93,46 @@ resource "helm_release" "kiali_operator" { } set { name = "grafanaSecretName" - value = kubernetes_secret.kiali_grafana.metadata[0].name - } - set { - name = "tracing.tempo_config.datasource_uid" - value = var.tempo_datasource_id - } - - + value = var.grafana_secret_name + } + + # dynamic "set" { + # for_each = local.have_keycloak ? ["openid"] : ["anonymous"] + # content { + # name = "kialiAuthStrategy" + # value = set.value + # } + # } + # dynamic "set" { + # for_each = local.have_keycloak ? [var.sso_client_id] : [] + # content { + # name = "openid.clientId" + # value = set.value + # } + # } + # dynamic "set" { + # for_each = local.have_keycloak ? [var.sso_client_secret] : [] + # content { + # name = "openid.secret" + # value = set.value + # } + # } + # dynamic "set" { + # for_each = local.have_keycloak ? [local.keycloak_issuer_uri] : [] + # content { + # name = "openid.issuerUri" + # value = set.value + # } + # } + # dynamic "set" { + # for_each = local.have_keycloak ? 
["username_claim"] : [] + # content { + # name = "openid.username_claim" + # value = set.value + # } + # } } -# resource "helm_release" "kiali" { -# depends_on = [ -# helm_release.kiali_operator, -# # module.preinstall, -# ] - -# chart = "kiali" -# name = "kiali" -# namespace = var.namespace -# repository = "./charts" -# # repository = "${path.module}/charts" - -# set { -# name = "image_name" -# value = format("%v/%v", -# module.images.images[local.kiali_key].dest_registry, -# module.images.images[local.kiali_key].dest_repository -# ) -# } -# set { -# name = "image_version" -# value = module.images.images[local.kiali_key].tag -# } - -# set { -# name = "publicHostname" -# value = var.public_hostname -# } -# set { -# name = "publicDomain" -# value = var.cluster_domain -# } -# set { -# name = "istioNamespace" -# value = var.istio_namespace -# } -# set { -# name = "prometheusInClusterUrl" -# value = var.prometheus_internal_url -# } -# set { -# name = "jaegerInClusterUrl" -# value = var.jaeger_internal_url -# } -# set { -# name = "grafanaInClusterUrl" -# value = var.grafana_internal_url -# } -# set { -# name = "grafanaPublicUrl" -# value = var.grafana_public_url -# } -# set { -# name = "grafanaUserName" -# value = "YWRtaW4=" -# # value = "admin" -# } -# set { -# name = "grafanaSecretName" -# value = "kiali" -# } -# set { -# name = "grafanaPasswordKey" -# value = "grafana_password" -# } -# } - -# dynamic "set" { -# for_each = local.have_keycloak ? ["openid"] : ["anonymous"] -# content { -# name = "kialiAuthStrategy" -# value = set.value -# } -# } -# dynamic "set" { -# for_each = local.have_keycloak ? [var.sso_client_id] : [] -# content { -# name = "openid.clientId" -# value = set.value -# } -# } -# dynamic "set" { -# for_each = local.have_keycloak ? [var.sso_client_secret] : [] -# content { -# name = "openid.secret" -# value = set.value -# } -# } -# dynamic "set" { -# for_each = local.have_keycloak ? 
[local.keycloak_issuer_uri] : [] -# content { -# name = "openid.issuerUri" -# value = set.value -# } -# } -# dynamic "set" { -# for_each = local.have_keycloak ? ["username_claim"] : [] -# content { -# name = "openid.username_claim" -# value = set.value -# } -# } - - # module "kiali_ingress" { # depends_on = [helm_release.kiali] diff --git a/variables.tf b/variables.tf index d7f6408..2af2040 100644 --- a/variables.tf +++ b/variables.tf @@ -26,11 +26,6 @@ variable "istio_namespace" { default = "istio-system" } -variable "grafana_namespace" { - description = "The namespace holding the grafana instance, used to look up the grafana password." - type = string -} - variable "grafana_secret_name" { description = "The secret in the holding the grafana admin password." type = string From e7d58e470fb18e8a508a67d2c89aa7011712d78b Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 6 Mar 2025 16:57:31 -0500 Subject: [PATCH 13/16] remove bad depend --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 7a6845f..7e52b02 100644 --- a/main.tf +++ b/main.tf @@ -23,7 +23,7 @@ locals { # } resource "helm_release" "kiali_operator" { - depends_on = [module.images, kubernetes_secret.kiali_grafana] + depends_on = [module.images] chart = "kiali-operator" version = var.kiali_operator_version name = "kiali-operator" From 689a0ed61b385c1e4a5da866955966c1edda2dda Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 17:24:40 -0400 Subject: [PATCH 14/16] testing --- main.tf | 31 ++----------------------------- 1 file changed, 2 insertions(+), 29 deletions(-) diff --git a/main.tf b/main.tf index 7e52b02..6ce326b 100644 --- a/main.tf +++ b/main.tf 
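Review bot: `grafanaSecretName` now names the Grafana admin secret (`var.grafana_secret_name`) directly, while the same patch drops `grafana_namespace` and the `kiali` copy secret that lived in `var.namespace`; unless Kiali can read secrets across namespaces (as far as I know it only reads from its own namespace — confirm), this only works when the admin secret already exists in `var.namespace`, and nothing in the module checks or documents that. Update the variable description to state the requirement, e.g. `description = "Name of a secret in var.namespace holding the Grafana password; Kiali cannot read secrets from other namespaces."`. Handing Kiali the Grafana admin credential is also more privilege than it needs — a dedicated Grafana viewer user or service-account token in that secret would be a better fit. The newly added commented `openid.secret` block passes `var.sso_client_secret` through a plain `set`; if it is ever revived, use `set_sensitive` so the value is redacted from plan output. The enclosing `helm_release.kiali_operator` resource starts before this hunk.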
@@ -1,10 +1,7 @@ locals { - internal_hostname = format("%v.%v.svc.cluster.local", var.service_name, var.namespace) internal_port_number = "20001" internal_url = format("https://%s:%s/", local.internal_hostname, local.internal_port_number) - - public_domain = var.cluster_domain } # data "kubernetes_secret" "grafana_admin" { @@ -65,7 +62,7 @@ resource "helm_release" "kiali_operator" { } set { name = "publicDomain" - value = local.public_domain + value = var.cluster_domain } set { name = "istioNamespace" @@ -133,36 +130,12 @@ resource "helm_release" "kiali_operator" { # } } -# module "kiali_ingress" { -# depends_on = [helm_release.kiali] - -# #source = "git@github.it.census.gov:SOA/tfmod-gogatekeeper.git//>ref=1.0.0" -# source = "git@github.it.census.gov:SOA/tfmod-gogatekeeper.git//" - -# certificate_issuer = var.certificate_issuer - -# namespace = local.ns -# application_name = "kiali" -# public_hostname = "kiali" -# cluster_domain = var.cluster_domain -# upstream_hostname = local.internal_hostname -# upstream_port = local.internal_port_number -# redirection_url = local.public_url -# client_id = var.sso_client_id -# client_secret = var.sso_client_secret -# keycloak_public_url = var.keycloak_public_url -# gogatekeeper_chart_version = var.gogatekeeper_chart_version -# gogatekeeper_registry = var.gogatekeeper_registry -# gogatekeeper_repository = var.gogatekeeper_repository -# gogatekeeper_tag = var.gogatekeeper_tag -# } - module "ingress_resources" { depends_on = [helm_release.kiali_operator] # tflint-ignore: terraform_module_pinned_source source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git?ref=main" public_hostname = var.service_name - public_domain = local.public_domain + public_domain = var.cluster_domain service_name = var.service_name service_namespace = var.namespace service_port = local.internal_port_number From e946d7a85c785bfe88cb325a74ac490a7642d3d7 Mon Sep 17 00:00:00 2001 
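Review bot: `internal_url` two lines below still refers to `local.internal_hostname`, which this hunk deletes, so `terraform validate` should fail with an undeclared local unless `internal_hostname` is declared in another file of the module — the `locals` in copy_images.tf shown later in this series do not declare it. Either keep the local or inline it: `internal_url = format("https://%s.%s.svc.cluster.local:%s/", var.service_name, var.namespace, local.internal_port_number)`. The commit message `testing` suggests this was not meant to land as-is.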
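Review bot: `module "ingress_resources"` is sourced from `tfmod-istio-service-ingress.git?ref=main` with the pinning lint silenced by `# tflint-ignore: terraform_module_pinned_source`; this hunk edits the module block without addressing it, so every init pulls whatever currently sits on that branch and a change there alters the ingress exposed for Kiali without any change in this repository. Pin to a release tag or commit SHA, e.g. `source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git?ref=<tag-or-sha>"`, and drop the ignore comment so the lint can enforce it. The module block continues past the end of the hunk.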
From: "Matthew C. Morgan" Date: Mon, 17 Mar 2025 17:26:49 -0400 Subject: [PATCH 15/16] need test --- copy_images.tf | 4 ++-- main.tf | 58 +------------------------------------------------- 2 files changed, 3 insertions(+), 59 deletions(-) diff --git a/copy_images.tf b/copy_images.tf index 96cc219..acf2a39 100644 --- a/copy_images.tf +++ b/copy_images.tf @@ -1,6 +1,6 @@ locals { - kiali_operator_key = format("%v#%v", "istio-tools/kiali-operator", var.kiali_application_version) - kiali_server_key = format("%v#%v", "istio-tools/kiali", var.kiali_application_version) + kiali_operator_key = format("%v#%v", "istio-tools/kiali-operator", var.kiali_application_version) + kiali_server_key = format("%v#%v", "istio-tools/kiali", var.kiali_application_version) image_config = [ ## Images for Kiali diff --git a/main.tf b/main.tf index 6ce326b..a5a954c 100644 --- a/main.tf +++ b/main.tf @@ -4,21 +4,6 @@ locals { internal_url = format("https://%s:%s/", local.internal_hostname, local.internal_port_number) } -# data "kubernetes_secret" "grafana_admin" { -# metadata { -# name = var.grafana_secret_name -# namespace = var.grafana_namespace -# } -# } - -# data "kubernetes_namespace" "keycloak" { -# count = local.have_keycloak ? 1 : 0 - -# metadata { -# name = var.keycloak_namespace -# } -# } - resource "helm_release" "kiali_operator" { depends_on = [module.images] chart = "kiali-operator" @@ -38,7 +23,6 @@ resource "helm_release" "kiali_operator" { name = "image.tag" value = module.images.images[local.kiali_operator_key].tag } - set { name = "watchNamespace" @@ -49,7 +33,7 @@ resource "helm_release" "kiali_operator" { value = "RELATED_IMAGE_kiali_default" } set { - name = "env[0].value" + name = "env[0].value" value = format("%v/%v:%v", module.images.images[local.kiali_server_key].dest_registry, module.images.images[local.kiali_server_key].dest_repository, 
@@ -72,10 +56,6 @@ resource "helm_release" "kiali_operator" { name = "prometheus.url" value = var.prometheus_internal_url } - # set { - # name = "jaegerInClusterUrl" - # value = var.jaeger_internal_url - # } set { name = "grafana.passwordKey" value = local.grafana_password_key @@ -92,42 +72,6 @@ resource "helm_release" "kiali_operator" { name = "grafanaSecretName" value = var.grafana_secret_name } - - # dynamic "set" { - # for_each = local.have_keycloak ? ["openid"] : ["anonymous"] - # content { - # name = "kialiAuthStrategy" - # value = set.value - # } - # } - # dynamic "set" { - # for_each = local.have_keycloak ? [var.sso_client_id] : [] - # content { - # name = "openid.clientId" - # value = set.value - # } - # } - # dynamic "set" { - # for_each = local.have_keycloak ? [var.sso_client_secret] : [] - # content { - # name = "openid.secret" - # value = set.value - # } - # } - # dynamic "set" { - # for_each = local.have_keycloak ? [local.keycloak_issuer_uri] : [] - # content { - # name = "openid.issuerUri" - # value = set.value - # } - # } - # dynamic "set" { - # for_each = local.have_keycloak ? ["username_claim"] : [] - # content { - # name = "openid.username_claim" - # value = set.value - # } - # } } module "ingress_resources" { From f3bfe7684e10e2fe7af5b59b48d7a2dbfa5b2eee Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 18 Mar 2025 15:45:49 -0400 Subject: [PATCH 16/16] fix from bad merge --- main.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/main.tf b/main.tf index a5a954c..964cd8d 100644 --- a/main.tf +++ b/main.tf @@ -56,10 +56,6 @@ resource "helm_release" "kiali_operator" { name = "prometheus.url" value = var.prometheus_internal_url } - set { - name = "grafana.passwordKey" - value = local.grafana_password_key - } set { name = "grafana.externalUrl" value = var.grafana_public_url