Merge branch 'mcmCluster' into feature-gatekeeper

SCT-Engineering · Apr 17, 2025 · 3f41972 · 3f41972
2 parents ae9ac08 + e3f685b
commit 3f41972
Show file tree

Hide file tree

Showing 7 changed files with 84 additions and 44 deletions.
diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml
@@ -1,42 +1,40 @@
-name: Terraform Validate
+name: Terraform CI/CD
 on:
-  pull_request:
   workflow_dispatch:
-
+  pull_request:
+    types: [closed]
+    branches:
+      - main
 jobs:
-
-  terraform-validate:
-    runs-on: "229685449397"
+  terraform-ci-cd:
+    runs-on: 229685449397
     permissions:
       contents: write
+
     steps:
       - name: Checkout code
         uses: CSVD/gh-actions-checkout@v4
 
-      - name: Setup Terraform
-        uses: CSVD/gh-actions-setup-terraform@v2
+      - name: Setup GITHUB Credentials
+        id: github_credentials
+        uses: CSVD/gh-auth@main
         with:
-          terraform_version: '1.7.3'
-
-      - name: Validate Terraform Configuration
-        id: validate
-        uses: CSVD/terraform-validate@main
+          github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+          github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+          github_app_id: ${{ vars.GH_APP_ID }}
 
-      - name: Check Validation/Test Results
-        if: always()
+      - name: Setup GitHub CLI
         run: |
-          # Set default values if outputs are empty
-          IS_VALID="${{ steps.validate.outputs.is_valid }}"
-          TESTS_PASSED="${{ steps.validate.outputs.tests_passed }}"
+          # Force manual authentication since setup-git might not work with GitHub Enterprise
+          echo "${{ steps.github_credentials.outputs.github_token }}" > /tmp/token.txt
+          gh auth login --with-token --hostname "github.e.it.census.gov" < /tmp/token.txt
+          rm /tmp/token.txt
 
-          # If outputs are empty, set them to false
-          [ -z "$IS_VALID" ] && IS_VALID="false"
-          [ -z "$TESTS_PASSED" ] && TESTS_PASSED="false"
+          # Test GitHub CLI auth status
+          gh auth status || echo "GitHub CLI authentication failed"
 
-          if [[ "$IS_VALID" != "true" || "$TESTS_PASSED" != "true" ]]; then
-            echo "Validation or test errors found:"
-            echo "${{ steps.validate.outputs.stderr }}"
-            exit 1
-          else
-            echo "All validations and tests passed successfully!"
-          fi
+      - name: Run Release Action
+        uses: CSVD/releaser@main
+        with:
+          github-token: ${{ steps.github_credentials.outputs.github_token }}
+          working-directory: '.'
diff --git a/README.md b/README.md
@@ -10,32 +10,38 @@ This module deploys and configures Kiali via its operator and integrates it with
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.14.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.11.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.94.1 |
+| <a name="provider_aws.eecr"></a> [aws.eecr](#provider\_aws.eecr) | 5.94.1 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.17.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_images"></a> [images](#module\_images) | git::https://github.e.it.census.gov/terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade |
-| <a name="module_ingress_resources"></a> [ingress\_resources](#module\_ingress\_resources) | git::https://github.e.it.census.gov/SCT-Engineering/tfmod-istio-service-ingress.git | main |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [helm_release.kiali](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kiali_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [aws_ecr_authorization_token.ecr_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
+| [aws_ecr_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | aws account number | `string` | `""` | no |
 | <a name="input_cluster_domain"></a> [cluster\_domain](#input\_cluster\_domain) | The domain name used to reference ingresses for the cluster | `string` | n/a | yes |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the cluster into which the tools are deployed. | `string` | n/a | yes |
 | <a name="input_grafana_internal_url"></a> [grafana\_internal\_url](#input\_grafana\_internal\_url) | The url within the cluster to use to access grafana. | `string` | n/a | yes |
@@ -47,7 +53,10 @@ This module deploys and configures Kiali via its operator and integrates it with
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | The namespace to create and into which the tools are deployed. | `string` | `"namespace"` | no |
 | <a name="input_profile"></a> [profile](#input\_profile) | The AWS\_PROFILE to use while running the scripts. | `string` | `""` | no |
 | <a name="input_prometheus_internal_url"></a> [prometheus\_internal\_url](#input\_prometheus\_internal\_url) | The url within the cluster to use to query the prometheus server. | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | region name | `string` | `"us-gov-east-1"` | no |
 | <a name="input_service_name"></a> [service\_name](#input\_service\_name) | The name of the service for Kiali. | `string` | `"kiali"` | no |
+| <a name="input_tempo_datasource_id"></a> [tempo\_datasource\_id](#input\_tempo\_datasource\_id) | The UID of the created Tempo datasource | `string` | n/a | yes |
+| <a name="input_tempo_internal_url"></a> [tempo\_internal\_url](#input\_tempo\_internal\_url) | The url within the cluster to use to query tempo tracing. | `string` | n/a | yes |
 
 ## Outputs
 
@@ -56,5 +65,5 @@ This module deploys and configures Kiali via its operator and integrates it with
 | <a name="output_internal_endpoint"></a> [internal\_endpoint](#output\_internal\_endpoint) | The internal endpoint to use to access kiali |
 | <a name="output_module_name"></a> [module\_name](#output\_module\_name) | The name of this module. |
 | <a name="output_module_version"></a> [module\_version](#output\_module\_version) | The version of this module. |
-| <a name="output_public_endpoint"></a> [public\_endpoint](#output\_public\_endpoint) | The endpoint at which keycloak can be reached from outside the cluster. |
+| <a name="output_namespace"></a> [namespace](#output\_namespace) | The namespace in which kiali gets installed in. |
 <!-- END_TF_DOCS -->
diff --git a/copy_images.tf b/copy_images.tf
@@ -1,6 +1,7 @@
 locals {
   kiali_operator_key = format("%v#%v", "istio-tools/kiali-operator", var.kiali_application_version)
   kiali_server_key   = format("%v#%v", "istio-tools/kiali", var.kiali_application_version)
+  # ent_ecr_source     = format("%v.%v.%v.%v", var.account_id, "dkr.ecr", var.region, "amazonaws.com/ent-images")
 
   image_config = [
     ## Images for Kiali
@@ -33,7 +34,23 @@ module "images" {
   image_config     = local.image_config
   tags             = {}
 
-  enable_lifecycle_policy = true
-  lifecycle_policy_all    = true
-  force_delete            = true
+  enable_lifecycle_policy     = true
+  lifecycle_policy_all        = true
+  force_delete                = true
+  lifecycle_policy_keep_count = 5
+
+  source_username = data.aws_ecr_authorization_token.ecr_token.user_name
+  source_password = data.aws_ecr_authorization_token.ecr_token.password
+
+  destination_username = data.aws_ecr_authorization_token.token.user_name
+  destination_password = data.aws_ecr_authorization_token.token.password
+}
+
+data "aws_ecr_authorization_token" "ecr_token" {
+  provider    = aws.eecr
+  registry_id = var.eecr_account_id
+}
+
+data "aws_ecr_authorization_token" "token" {
+  registry_id = var.account_id
 }
diff --git a/kiali-operator/templates/_helpers.tpl b/kiali-operator/templates/_helpers.tpl
@@ -2,7 +2,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "kiali-operator.name" -}}
+{{- define "kiali.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -11,7 +11,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "kiali-operator.fullname" -}}
+{{- define "kiali.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -27,17 +27,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "kiali-operator.chart" -}}
+{{- define "kiali.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "kiali-operator.labels" -}}
-helm.sh/chart: {{ include "kiali-operator.chart" . }}
-app: {{ include "kiali-operator.name" . }}
-{{ include "kiali-operator.selectorLabels" . }}
+{{- define "kiali.labels" -}}
+helm.sh/chart: {{ include "kiali.chart" . }}
+{{ include "kiali.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
@@ -48,8 +47,7 @@ app.kubernetes.io/part-of: "kiali-operator"
 {{/*
 Selector labels
 */}}
-{{- define "kiali-operator.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "kiali-operator.name" . }}
+{{- define "kiali.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kiali.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
-
diff --git a/kiali-server/templates/kiali.yaml b/kiali-server/templates/kiali.yaml
@@ -35,4 +35,4 @@ spec:
       tempo_config:
         org_id: "1"
         datasource_uid: {{ .Values.tracing.tempo_config.datasource_uid }}
-        url_format: "grafana"
+        url_format: "grafana"
diff --git a/requirements.tf b/requirements.tf
@@ -2,6 +2,10 @@ terraform {
   required_version = ">= 0.13"
 
   required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.14.0"
+    }
     helm = {
       source  = "hashicorp/helm"
       version = ">= 2.11.0"

diff --git a/variables.tf b/variables.tf
@@ -78,3 +78,17 @@ variable "service_name" {
   type        = string
   default     = "kiali"
 }
+
+# tflint-ignore: terraform_unused_declarations
+variable "account_id" {
+  description = "aws account number"
+  type        = string
+  default     = ""
+}
+
+# tflint-ignore: terraform_unused_declarations
+variable "region" {
+  description = "region name"
+  type        = string
+  default     = "us-gov-east-1"
+}