Merge branch 'mcmCluster' into feature-gatekeeper

SCT-Engineering · Apr 16, 2025 · 9484763 · 9484763
2 parents e912f53 + 15b96ba
commit 9484763
Show file tree

Hide file tree

Showing 23 changed files with 903 additions and 148 deletions.
diff --git a/.github/workflows/terraform-release.yaml b/.github/workflows/terraform-release.yaml
@@ -0,0 +1,73 @@
+name: Terraform CI/CD
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+jobs:
+  terraform-ci-cd:
+    runs-on: 229685449397
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout code
+        uses: CSVD/gh-actions-checkout@v4
+
+      - name: Setup Terraform
+        uses: CSVD/gh-actions-setup-terraform@v3
+        with:
+          terraform_version: "1.9.1"
+
+      - name: Setup GITHUB Credentials
+        id: github_credentials
+        uses: CSVD/gh-auth@main
+        with:
+          github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+          github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+          github_app_id: ${{ vars.GH_APP_ID }}
+
+
+      - name: Debug Authentication
+        run: |
+          # Print the GitHub server URL
+          echo "GitHub Server URL: ${{ github.server_url }}"
+
+          # Extract the host from the URL
+          HOST="${{ github.server_url }}"
+          HOST="${HOST#*//}"
+          HOST="${HOST%%/*}"
+          echo "GitHub Host: $HOST"
+
+          # Check if token exists
+          if [[ -n "${{ steps.github_credentials.outputs.github_token }}" ]]; then
+            echo "Token generated successfully"
+            # Test the token with a simple GitHub API call (without exposing the token)
+            STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${{ steps.github_credentials.outputs.github_token }}" "${{ github.server_url }}/api/v3/user")
+            echo "API Test Status Code: $STATUS"
+          else
+            echo "No token was generated!"
+          fi
+
+      - name: Setup GitHub CLI
+        run: |
+          # Force manual authentication since setup-git might not work with GitHub Enterprise
+          echo "${{ steps.github_credentials.outputs.github_token }}" > /tmp/token.txt
+          gh auth login --with-token --hostname "github.e.it.census.gov" < /tmp/token.txt
+          rm /tmp/token.txt
+
+          # Test GitHub CLI auth status
+          gh auth status || echo "GitHub CLI authentication failed"
+
+      - name: AWS Auth
+        id: aws_auth
+        uses: CSVD/aws-auth@main
+        with:
+          ecs: true
+
+      - name: Run Terraform Module Release Action
+        uses: CSVD/terraform-module-release@main
+        with:
+          github-token: ${{ steps.github_credentials.outputs.github_token }}
+          working-directory: '.'
diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml
@@ -0,0 +1,40 @@
+name: Terraform CI/CD
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+jobs:
+  terraform-ci-cd:
+    runs-on: 229685449397
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout code
+        uses: CSVD/gh-actions-checkout@v4
+
+      - name: Setup GITHUB Credentials
+        id: github_credentials
+        uses: CSVD/gh-auth@main
+        with:
+          github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+          github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+          github_app_id: ${{ vars.GH_APP_ID }}
+
+      - name: Setup GitHub CLI
+        run: |
+          # Force manual authentication since setup-git might not work with GitHub Enterprise
+          echo "${{ steps.github_credentials.outputs.github_token }}" > /tmp/token.txt
+          gh auth login --with-token --hostname "github.e.it.census.gov" < /tmp/token.txt
+          rm /tmp/token.txt
+
+          # Test GitHub CLI auth status
+          gh auth status || echo "GitHub CLI authentication failed"
+
+      - name: Run Release Action
+        uses: CSVD/releaser@main
+        with:
+          github-token: ${{ steps.github_credentials.outputs.github_token }}
+          working-directory: '.'
diff --git a/.github/workflows/terragrunt-cicd.yml b/.github/workflows/terragrunt-cicd.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -37,7 +37,7 @@ repos:
 
 # Terraform Hooks
 - repo: https://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.96.1 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+  rev: v1.98.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
   hooks:
     - id: terraform_fmt
       args:
@@ -94,6 +94,6 @@ repos:
     #     - --hook-config=--parallelism-ci-cpu-cores=2
 
 - repo: https://github.com/ljnsn/cz-conventional-gitmoji
-  rev: v0.6.1
+  rev: v0.7.0
   hooks:
     - id: conventional-gitmoji
diff --git a/README.md b/README.md
@@ -19,19 +19,20 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_images"></a> [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade |
-| <a name="module_ingress_resources"></a> [ingress\_resources](#module\_ingress\_resources) | git@github.e.it.census.gov:SCT-Engineering/tfmod-istio-service-ingress.git | main |
+| <a name="module_images"></a> [images](#module\_images) | git::https://github.e.it.census.gov/terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [helm_release.kiali](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kiali_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | aws account number | `string` | `""` | no |
 | <a name="input_cluster_domain"></a> [cluster\_domain](#input\_cluster\_domain) | The domain name used to reference ingresses for the cluster | `string` | n/a | yes |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the cluster into which the tools are deployed. | `string` | n/a | yes |
 | <a name="input_grafana_internal_url"></a> [grafana\_internal\_url](#input\_grafana\_internal\_url) | The url within the cluster to use to access grafana. | `string` | n/a | yes |
@@ -43,7 +44,10 @@
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | The namespace to create and into which the tools are deployed. | `string` | `"namespace"` | no |
 | <a name="input_profile"></a> [profile](#input\_profile) | The AWS\_PROFILE to use while running the scripts. | `string` | `""` | no |
 | <a name="input_prometheus_internal_url"></a> [prometheus\_internal\_url](#input\_prometheus\_internal\_url) | The url within the cluster to use to query the prometheus server. | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | region name | `string` | `"us-gov-east-1"` | no |
 | <a name="input_service_name"></a> [service\_name](#input\_service\_name) | The name of the service for Kiali. | `string` | `"kiali"` | no |
+| <a name="input_tempo_datasource_id"></a> [tempo\_datasource\_id](#input\_tempo\_datasource\_id) | The UID of the created Tempo datasource | `string` | n/a | yes |
+| <a name="input_tempo_internal_url"></a> [tempo\_internal\_url](#input\_tempo\_internal\_url) | The url within the cluster to use to query tempo tracing. | `string` | n/a | yes |
 
 ## Outputs
 
@@ -52,5 +56,5 @@
 | <a name="output_internal_endpoint"></a> [internal\_endpoint](#output\_internal\_endpoint) | The internal endpoint to use to access kiali |
 | <a name="output_module_name"></a> [module\_name](#output\_module\_name) | The name of this module. |
 | <a name="output_module_version"></a> [module\_version](#output\_module\_version) | The version of this module. |
-| <a name="output_public_endpoint"></a> [public\_endpoint](#output\_public\_endpoint) | The endpoint at which keycloak can be reached from outside the cluster. |
+| <a name="output_namespace"></a> [namespace](#output\_namespace) | The namespace in which kiali gets installed in. |
 <!-- END_TF_DOCS -->
diff --git a/copy_images.tf b/copy_images.tf
@@ -1,6 +1,7 @@
 locals {
   kiali_operator_key = format("%v#%v", "istio-tools/kiali-operator", var.kiali_application_version)
   kiali_server_key   = format("%v#%v", "istio-tools/kiali", var.kiali_application_version)
+  # ent_ecr_source     = format("%v.%v.%v.%v", var.account_id, "dkr.ecr", var.region, "amazonaws.com/ent-images")
 
   image_config = [
     ## Images for Kiali
@@ -26,14 +27,29 @@ locals {
 }
 
 module "images" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/?ref=tf-upgrade"
+  source = "git::https://github.e.it.census.gov/terraform-modules/aws-ecr-copy-images.git/?ref=tf-upgrade"
 
   profile          = var.profile
   application_name = var.cluster_name
   image_config     = local.image_config
   tags             = {}
 
-  enable_lifecycle_policy = true
-  lifecycle_policy_all    = true
-  force_delete            = true
+  enable_lifecycle_policy     = true
+  lifecycle_policy_all        = true
+  force_delete                = true
+  lifecycle_policy_keep_count = 5
+
+  # source_username = data.aws_ecr_authorization_token.ecr_token.user_name
+  # source_password = data.aws_ecr_authorization_token.ecr_token.password
+
+  # destination_username = data.aws_ecr_authorization_token.token.user_name
+  # destination_password = data.aws_ecr_authorization_token.token.password
 }
+
+# data "aws_ecr_authorization_token" "ecr_token" {
+#   registry_id = var.account_id
+# }
+
+# data "aws_ecr_authorization_token" "token" {
+#   registry_id = var.account_id
+# }
diff --git a/kiali-operator/Chart.yaml b/kiali-operator/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: v2.7.1
+description: Kiali is an open source project for service mesh observability, refer
+  to https://www.kiali.io for details.
+home: https://github.com/kiali/kiali-operator
+icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg
+keywords:
+- istio
+- kiali
+- operator
+maintainers:
+- email: kiali-users@googlegroups.com
+  name: Kiali
+  url: https://kiali.io
+name: kiali-operator
+sources:
+- https://github.com/kiali/kiali
+- https://github.com/kiali/kiali-operator
+- https://github.com/kiali/helm-charts
+version: 2.7.1
diff --git a/kiali-operator/crds/crds.yaml b/kiali-operator/crds/crds.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: kialis.kiali.io
+spec:
+  group: kiali.io
+  names:
+    kind: Kiali
+    listKind: KialiList
+    plural: kialis
+    singular: kiali
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
+...
diff --git a/kiali-operator/templates/NOTES.txt b/kiali-operator/templates/NOTES.txt
@@ -0,0 +1,30 @@
+Welcome to Kiali! For more details on Kiali, see: https://kiali.io
+
+The Kiali Operator [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon.
+
+{{- if .Values.cr.create }}
+  {{- if or (and (not .Values.watchNamespace) (not .Values.cr.namespace)) (and (.Values.watchNamespace) (eq .Values.watchNamespace .Release.Namespace)) (and (.Values.cr.namespace) (eq .Values.cr.namespace .Release.Namespace)) }}
+You have elected to install a Kiali CR in the same namespace as the operator [{{ .Release.Namespace }}]. You should be able to access Kiali soon.
+
+================================
+PLEASE READ THIS WARNING NOTICE:
+Because the Kiali CR lives in the same namespace as the operator, DO NOT uninstall the operator or delete the operator namespace without first removing the Kiali CR. If you do not follow this advice then the Kiali Operator deletion will hang indefinitely until you remove the finalizer from the Kiali CR, and then you may find your Kubernetes environment still has Kiali Server remnants left behind.
+================================
+  {{- else if .Values.watchNamespace }}
+You have elected to install a Kiali CR in the operator watch namespace [{{ .Values.watchNamespace }}]. You should be able to access Kiali soon.
+  {{- else if .Values.cr.namespace }}
+You have elected to install a Kiali CR in the namespace [{{ .Values.cr.namespace }}]. You should be able to access Kiali soon.
+  {{- else }}
+You have elected to install a Kiali CR. You should be able to access Kiali soon.
+  {{- end }}
+{{- else }}
+  {{- if (not .Values.watchNamespace) }}
+You have elected not to install a Kiali CR. You must first install a Kiali CR before you can access Kiali. The operator is watching all namespaces, so you can create the Kiali CR anywhere.
+  {{- else }}
+You have elected not to install a Kiali CR. You must first install a Kiali CR in the operator watch namespace [{{ .Values.watchNamespace }}] before you can access Kiali.
+  {{- end }}
+{{- end }}
+
+If you ever want to uninstall the Kiali Operator, remember to delete the Kiali CR first before uninstalling the operator to give the operator a chance to uninstall and remove all the Kiali Server resources.
+
+(Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}])