add ingress

SCT-Engineering · Mar 17, 2025 · 70d7130 · 70d7130
1 parent 7ca6ecf
commit 70d7130
Show file tree

Hide file tree

Showing 5 changed files with 198 additions and 28 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "terraform" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"
diff --git a/.github/workflows/terragrunt-cicd.yml b/.github/workflows/terragrunt-cicd.yml
@@ -0,0 +1,101 @@
+name: 'Terraform Module CI'
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '**/*.hcl'
+      - '**/*.tf'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - '**/*.hcl'
+      - '**/*.tf'
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  validate:
+    name: 'Validate Module'
+    runs-on: self-hosted
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v2
+      with:
+        terraform_version: 1.5.0
+
+    - name: Terraform Init
+      run: |
+        terraform init -backend=false
+
+    - name: Terraform Format
+      run: |
+        terraform fmt -check
+
+    - name: Terraform Validate
+      run: |
+        terraform validate
+
+    - name: Run tflint
+      uses: terraform-linters/setup-tflint@v3
+      if: github.event_name == 'pull_request'
+
+    - name: Lint Terraform
+      if: github.event_name == 'pull_request'
+      run: |
+        tflint --format compact
+
+  release:
+    name: 'Create Release'
+    needs: validate
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    runs-on: self-hosted
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+
+      - name: Install Commitizen
+        run: |
+          pip install commitizen
+
+      - name: Configure Git
+        run: |
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"
+
+      - name: Bump Version and Generate Changelog
+        id: cz
+        run: |
+          cz bump --yes
+          echo "new_version=$(cz version --project)" >> $GITHUB_OUTPUT
+          echo "changelog=$(cz changelog --dry-run)" >> $GITHUB_OUTPUT
+
+      - name: Create Release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: v${{ steps.cz.outputs.new_version }}
+          release_name: Release v${{ steps.cz.outputs.new_version }}
+          draft: false
+          prerelease: false
+          body: ${{ steps.cz.outputs.changelog }}
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -4,18 +4,18 @@ config {
   disabled_by_default = false
 }
 
-rule "aws_instance_invalid_type" {
-  enabled = true
-}
+# rule "aws_instance_invalid_type" {
+#   enabled = true
+# }
 
-plugin "aws" {
-  enabled = true
-  version = "0.32.0"
-  source  = "github.com/terraform-linters/tflint-ruleset-aws"
-}
+# plugin "aws" {
+#   enabled = true
+#   version = "0.32.0"
+#   source  = "github.com/terraform-linters/tflint-ruleset-aws"
+# }
 
-plugin "terraform" {
-  enabled = true
-  version = "0.9.0"
-  source  = "github.com/terraform-linters/tflint-ruleset-terraform"
-}
+# plugin "terraform" {
+#   enabled = true
+#   version = "0.9.0"
+#   source  = "github.com/terraform-linters/tflint-ruleset-terraform"
+# }
diff --git a/README.md b/README.md
@@ -13,14 +13,15 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.16.1 |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.33.0 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.17.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.36.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_images"></a> [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade |
+| <a name="module_ingress_resources"></a> [ingress\_resources](#module\_ingress\_resources) | git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git | main |
 | <a name="module_preinstall"></a> [preinstall](#module\_preinstall) | git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//config-job | feature-kiali-baseline |
 | <a name="module_service_account"></a> [service\_account](#module\_service\_account) | git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//service-account | n/a |
 
@@ -31,7 +32,7 @@
 | [helm_release.kiali](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kiali_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
-| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/namespace) | data source |
+| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 
 ## Inputs
 

diff --git a/main.tf b/main.tf
@@ -1,8 +1,8 @@
 locals {
 
-  internal_hostname    = format("kiali.%v.svc.cluster.local", var.namespace)
+  internal_hostname    = format("%v.%v.svc.cluster.local", kubernetes_namespace.ns.metadata[0].name, local.service_name)
   internal_port_number = "20001"
-  internal_url         = format("http://%v:%v/", local.internal_hostname, local.internal_port_number)
+  internal_url         = format("https://%s:%s/", local.internal_hostname, local.internal_port_number)
 
   grafana_secret_name  = "kiali"
   grafana_password_key = "grafana_password"
@@ -23,22 +23,51 @@ wait_for_istio_ready() {
 wait_for_istio_ready
 ensure_secret ${local.grafana_secret_name} ${local.grafana_password_key} "$(kubectl -n ${var.grafana_namespace} get secret ${var.grafana_secret_name} -o jsonpath='{.data.admin-password}' | base64 -d)"
 CONFIG
+
+  public_domain = format("%v.%v", var.cluster_name, var.cluster_domain)
+  service_name  = var.namespace
+}
+
+resource "kubernetes_namespace" "operators" {
+  metadata {
+    name = var.operators_namespace
+    labels = {
+      istio-injection = "enabled"
+    }
+  }
 }
 
+resource "kubernetes_namespace" "ns" {
+  metadata {
+    name = var.namespace
+    labels = {
+      istio-injection = "enabled"
+    }
+  }
+}
+
+# data "kubernetes_namespace" "keycloak" {
+#   count = local.have_keycloak ? 1 : 0
+
+#   metadata {
+#     name = var.keycloak_namespace
+#   }
+# }
+
 module "service_account" {
   # tflint-ignore: terraform_module_pinned_source
   source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//service-account"
 
-  namespace            = var.namespace
-  read_only_namespaces = [var.grafana_namespace]
+  namespace            = kubernetes_namespace.ns.metadata[0].name
+  read_only_namespaces = ["grafana"]
 }
 
 module "preinstall" {
   source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//config-job?ref=feature-kiali-baseline"
 
   profile              = var.profile
   cluster_name         = var.cluster_name
-  namespace            = var.namespace
+  namespace            = kubernetes_namespace.ns.metadata[0].name
   service_account_name = module.service_account.service_account_name
   job_name             = "istio-tools-config-job"
   config_script        = local.preinstall_script
@@ -49,7 +78,7 @@ resource "helm_release" "kiali_operator" {
   chart      = "kiali-operator"
   version    = var.kiali_operator_version
   name       = "kiali-operator"
-  namespace  = var.namespace
+  namespace  = kubernetes_namespace.operators.metadata[0].name
   repository = "https://kiali.org/helm-charts"
 
   set {
@@ -71,7 +100,7 @@ resource "helm_release" "kiali_operator" {
   }
   set {
     name  = "watchNamespace"
-    value = var.namespace
+    value = kubernetes_namespace.ns.metadata[0].name
   }
   set {
     name  = "env[0].name"
@@ -138,9 +167,37 @@ module "ingress_resources" {
   # tflint-ignore: terraform_module_pinned_source
   source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git?ref=main"
 
-  public_hostname = "kiali"
-  public_domain = format("%v.%v", var.cluster_name, var.cluster_domain)
-  service_name = "kiali"
-  service_namespace = var.namespace
-  service_port = local.internal_port_number
+
+# module "kiali_ingress" {
+#   depends_on = [helm_release.kiali]
+
+#   #source = "git@github.it.census.gov:SOA/tfmod-gogatekeeper.git//>ref=1.0.0"
+#   source = "git@github.it.census.gov:SOA/tfmod-gogatekeeper.git//"
+
+#   certificate_issuer = var.certificate_issuer
+
+#   namespace                  = local.ns
+#   application_name           = "kiali"
+#   public_hostname            = "kiali"
+#   cluster_domain             = var.cluster_domain
+#   upstream_hostname          = local.internal_hostname
+#   upstream_port              = local.internal_port_number
+#   redirection_url            = local.public_url
+#   client_id                  = var.sso_client_id
+#   client_secret              = var.sso_client_secret
+#   keycloak_public_url        = var.keycloak_public_url
+#   gogatekeeper_chart_version = var.gogatekeeper_chart_version
+#   gogatekeeper_registry      = var.gogatekeeper_registry
+#   gogatekeeper_repository    = var.gogatekeeper_repository
+#   gogatekeeper_tag           = var.gogatekeeper_tag
+# }
+
+module "ingress_resources" {
+  # tflint-ignore: terraform_module_pinned_source
+  source            = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git?ref=main"
+  public_hostname   = local.service_name
+  public_domain     = local.public_domain
+  service_name      = local.service_name
+  service_namespace = kubernetes_namespace.ns.metadata[0].name
+  service_port      = local.internal_port_number
 }