Merge pull request #1 from SCT-Engineering/feature-baseline-mvp

Updated for MVP deployment
SCT-Engineering · Oct 24, 2024 · f9b8dbf · f9b8dbf
2 parents 0524c6f + 0ab913c
commit f9b8dbf
Show file tree

Hide file tree

Showing 9 changed files with 111 additions and 160 deletions.
diff --git a/README.md b/README.md
@@ -21,8 +21,7 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_images"></a> [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade |
-| <a name="module_kiali_ingress"></a> [kiali\_ingress](#module\_kiali\_ingress) | git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git// | n/a |
-| <a name="module_preinstall"></a> [preinstall](#module\_preinstall) | git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//config-job | n/a |
+| <a name="module_preinstall"></a> [preinstall](#module\_preinstall) | git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//config-job | feature-kiali-baseline |
 | <a name="module_service_account"></a> [service\_account](#module\_service\_account) | git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//service-account | n/a |
 
 ## Resources
@@ -38,31 +37,21 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_certificate_issuer"></a> [certificate\_issuer](#input\_certificate\_issuer) | The cluster issuer to use to create the grafana SSL certificate. | `string` | n/a | yes |
 | <a name="input_cluster_domain"></a> [cluster\_domain](#input\_cluster\_domain) | The domain name used to reference ingresses for the cluster | `string` | n/a | yes |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the cluster into which the tools are deployed. | `string` | n/a | yes |
-| <a name="input_gogatekeeper_chart_version"></a> [gogatekeeper\_chart\_version](#input\_gogatekeeper\_chart\_version) | When SSO information is supplied, use this gogatekeeper chart version to protect kiali/jaeger | `string` | `""` | no |
-| <a name="input_gogatekeeper_registry"></a> [gogatekeeper\_registry](#input\_gogatekeeper\_registry) | When SSO information is supplied, use gogatekeeper in this registry to protect kiali/jaeger | `string` | `""` | no |
-| <a name="input_gogatekeeper_repository"></a> [gogatekeeper\_repository](#input\_gogatekeeper\_repository) | When SSO information is supplied, use gogatekeeper in this repository to protect kiali/jaeger | `string` | `""` | no |
-| <a name="input_gogatekeeper_tag"></a> [gogatekeeper\_tag](#input\_gogatekeeper\_tag) | When SSO information is supplied, use gogatekeeper with this tag to protect kiali/jaeger | `string` | `""` | no |
 | <a name="input_grafana_internal_url"></a> [grafana\_internal\_url](#input\_grafana\_internal\_url) | The url within the cluster to use to access grafana. | `string` | n/a | yes |
 | <a name="input_grafana_namespace"></a> [grafana\_namespace](#input\_grafana\_namespace) | The namespace holding the grafana instance, used to look up the grafana password. | `string` | n/a | yes |
 | <a name="input_grafana_public_url"></a> [grafana\_public\_url](#input\_grafana\_public\_url) | The URL incoming traffic from outisde the cluster uses to access grafana. | `string` | n/a | yes |
 | <a name="input_grafana_secret_name"></a> [grafana\_secret\_name](#input\_grafana\_secret\_name) | The secret in the <grafana\_namespace> holding the grafana admin password. | `string` | n/a | yes |
 | <a name="input_istio_namespace"></a> [istio\_namespace](#input\_istio\_namespace) | The namespace where istio has been deployed. | `string` | `"istio-system"` | no |
 | <a name="input_jaeger_internal_url"></a> [jaeger\_internal\_url](#input\_jaeger\_internal\_url) | The url within the cluster to use to query the jaegertracing. | `string` | n/a | yes |
-| <a name="input_keycloak_namespace"></a> [keycloak\_namespace](#input\_keycloak\_namespace) | The namespace holding the keycloak instance. | `string` | `""` | no |
-| <a name="input_keycloak_public_url"></a> [keycloak\_public\_url](#input\_keycloak\_public\_url) | The hostname used with the cluster domain to access keycloak | `string` | `""` | no |
-| <a name="input_keycloak_realm"></a> [keycloak\_realm](#input\_keycloak\_realm) | The existing keycloak realm in which the client should be created | `string` | `""` | no |
 | <a name="input_kiali_application_version"></a> [kiali\_application\_version](#input\_kiali\_application\_version) | The version of kiali to install | `string` | `"v1.73.0"` | no |
 | <a name="input_kiali_operator_version"></a> [kiali\_operator\_version](#input\_kiali\_operator\_version) | The version of kiali to install | `string` | `"1.73.0"` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | The namespace to create and into which the tools are deployed. | `string` | `"istio-tools"` | no |
 | <a name="input_operators_namespace"></a> [operators\_namespace](#input\_operators\_namespace) | The namespace into which all operators are to be deployed. | `string` | n/a | yes |
 | <a name="input_profile"></a> [profile](#input\_profile) | The AWS\_PROFILE to use while running the scripts. | `string` | `""` | no |
 | <a name="input_prometheus_internal_url"></a> [prometheus\_internal\_url](#input\_prometheus\_internal\_url) | The url within the cluster to use to query the prometheus server. | `string` | n/a | yes |
 | <a name="input_public_hostname"></a> [public\_hostname](#input\_public\_hostname) | The hostname to use for kiali that will be publicly available | `string` | `"kiali"` | no |
-| <a name="input_sso_client_id"></a> [sso\_client\_id](#input\_sso\_client\_id) | The client id to use for SSO | `string` | `""` | no |
-| <a name="input_sso_client_secret"></a> [sso\_client\_secret](#input\_sso\_client\_secret) | The secret associated with the sso\_client\_id | `string` | `""` | no |
 
 ## Outputs
 

diff --git a/chart/kiali/.helmignore → charts/kiali/.helmignore b/chart/kiali/.helmignore → charts/kiali/.helmignore
diff --git a/chart/kiali/Chart.yaml → charts/kiali/Chart.yaml b/chart/kiali/Chart.yaml → charts/kiali/Chart.yaml
diff --git a/chart/kiali/templates/_helpers.tpl → charts/kiali/templates/_helpers.tpl b/chart/kiali/templates/_helpers.tpl → charts/kiali/templates/_helpers.tpl
diff --git a/chart/kiali/templates/kiali.yaml → charts/kiali/templates/kiali.yaml b/chart/kiali/templates/kiali.yaml → charts/kiali/templates/kiali.yaml
@@ -10,6 +10,8 @@ spec:
   istio_namespace: {{ .Values.istioNamespace | quote }}
   deployment:
     accessible_namespaces: "**"
+    image_name: {{ .Values.image_name | quote }}
+    # image_version: {{ .Values.image_version | quote }}
   external_services:
     grafana:
       auth:

diff --git a/chart/kiali/templates/secret.yaml → charts/kiali/templates/secret.yaml b/chart/kiali/templates/secret.yaml → charts/kiali/templates/secret.yaml
@@ -3,7 +3,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: kiali
+  name: kiali-o
   labels:
     {{- include "kiali.labels" . | nindent 4 }}
 stringData:

diff --git a/chart/kiali/values.yaml → charts/kiali/values.yaml b/chart/kiali/values.yaml → charts/kiali/values.yaml
@@ -3,11 +3,12 @@ publicHostname: "kiali"
 publicDomain: "cluster.domain"
 
 istioNamespace: "istio-system"
-prometheusInClusterUrl: "http://loki-prometheus-server.logging.svc.cluster.local/"
+prometheusInClusterUrl: "http://loki-prometheus-server.prometheus.svc.cluster.local/"
 jaegerInClusterUrl: "http://istio-jaeger-query.istio-tools.svc.cluster.local:16686/"
-grafanaInClusterUrl: "http://loki-grafana.logging.svc.cluster.local/"
+grafanaInClusterUrl: "http://loki-grafana.grafana.svc.cluster.local/"
 grafanaPublicUrl: "https://grafana.cluster.domain/"
-grafanaUserName: "admin"
+# grafanaUserName: "admin"
+grafanaUserName: "YWRtaW4="
 grafanaSecretName: "kiali"
 grafanaSecretPasswordKey: "grafana_password"
 

diff --git a/main.tf b/main.tf
@@ -1,34 +1,31 @@
 
 locals {
-  have_keycloak = (
-    try(length(var.keycloak_namespace), 0) > 0 &&
-    try(length(var.sso_client_id), 0) > 0 &&
-    try(length(var.sso_client_secret), 0) > 0 &&
-    try(length(var.keycloak_public_url), 0) > 0 &&
-    try(length(var.keycloak_realm), 0) > 0
-  ) ? true : false
 
   internal_hostname    = format("kiali.%v.svc.cluster.local", var.namespace)
   internal_port_number = "20001"
   internal_url         = format("http://%v:%v/", local.internal_hostname, local.internal_port_number)
 
-  # keycloak_issuer_uri = (
-  #   local.have_keycloak ?
-  #   format("%v/realms/%v",
-  #     var.keycloak_public_url,
-  #     var.keycloak_realm
-  #   )
-  # : "")
-  kiali_oidc_secret = local.have_keycloak ? "ensure_secret kiali oidc-secret \"${var.sso_client_secret}\"" : ";"
-
   preinstall_script = <<CONFIG
-${local.kiali_oidc_secret}
+wait_for_istio_ready() {
+  local retries http_code
+  echo "$(timestamp) : Waiting to make sure istio-proxy is in ready state..."
+  retries=30
+  http_code="$(istio_proxy_health)"
+  while [ "$http_code" != "200" ] && [ $retries -gt 0 ]; do
+    sleep 2
+    retries=$(( retries - 1 ))
+    http_code="$(istio_proxy_health)"
+  done
+  echo "wait_for_istio_ready = $http_code"
+}
+wait_for_istio_ready
 ensure_secret kiali grafana_password "$(kubectl -n ${var.grafana_namespace} get secret ${var.grafana_secret_name} -o jsonpath='{.data.admin-password}' | base64 -d)"
 CONFIG
 
   public_hostname    = format("kiali.%v", var.cluster_domain)
   public_port_number = "80"
   public_url         = format("https://%v:%v/", local.public_hostname, local.public_port_number)
+  ns                 = try(kubernetes_namespace.ns[0].metadata[0].name, data.kubernetes_namespace.operators[0].metadata[0].name)
 }
 
 data "kubernetes_namespace" "operators" {
@@ -58,14 +55,16 @@ module "service_account" {
   # tflint-ignore: terraform_module_pinned_source
   source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//service-account"
 
-  namespace = var.namespace
+  namespace            = local.ns
+  read_only_namespaces = ["grafana"]
 }
 
 module "preinstall" {
-  # tflint-ignore: terraform_module_pinned_source
-  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//config-job"
+  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-config-job.git//config-job?ref=feature-kiali-baseline"
 
-  namespace            = var.namespace
+  profile              = var.profile
+  cluster_name         = var.cluster_name
+  namespace            = local.ns
   service_account_name = module.service_account.service_account_name
   job_name             = "istio-tools-config-job"
   config_script        = local.preinstall_script
@@ -98,19 +97,35 @@ resource "helm_release" "kiali_operator" {
     name  = "watchNamespace"
     value = var.namespace
   }
+  set {
+    name  = "allowAdHocKialiImage"
+    value = true
+  }
 }
 
 resource "helm_release" "kiali" {
   depends_on = [
-    module.image,
-    helm_release.kiali_operator,
-    module.preinstall,
+    helm_release.kiali-operator,
+    # module.preinstall,
   ]
 
   chart      = "kiali"
   name       = "kiali"
-  namespace  = var.namespace
-  repository = "${path.module}/charts"
+  namespace  = local.ns
+  repository = "./charts"
+  # repository = "${path.module}/charts"
+
+  set {
+    name = "image_name"
+    value = format("%v/%v",
+      module.images.images[local.kiali_key].dest_registry,
+      module.images.images[local.kiali_key].dest_repository
+    )
+  }
+  set {
+    name  = "image_version"
+    value = module.images.images[local.kiali_key].tag
+  }
 
   set {
     name  = "publicHostname"
@@ -142,7 +157,8 @@ resource "helm_release" "kiali" {
   }
   set {
     name  = "grafanaUserName"
-    value = "admin"
+    value = "YWRtaW4="
+    # value = "admin"
   }
   set {
     name  = "grafanaSecretName"
@@ -152,64 +168,65 @@ resource "helm_release" "kiali" {
     name  = "grafanaPasswordKey"
     value = "grafana_password"
   }
-
-  #  dynamic "set" {
-  #    for_each = local.have_keycloak ? ["openid"] : ["anonymous"]
-  #    content {
-  #      name  = "kialiAuthStrategy"
-  #      value = set.value
-  #    }
-  #  }
-  #  dynamic "set" {
-  #    for_each = local.have_keycloak ? [var.sso_client_id] : []
-  #    content {
-  #      name  = "openid.clientId"
-  #      value = set.value
-  #    }
-  #  }
-  #  dynamic "set" {
-  #    for_each = local.have_keycloak ? [var.sso_client_secret] : []
-  #    content {
-  #      name  = "openid.secret"
-  #      value = set.value
-  #    }
-  #  }
-  #  dynamic "set" {
-  #    for_each = local.have_keycloak ? [local.keycloak_issuer_uri] : []
-  #    content {
-  #      name  = "openid.issuerUri"
-  #      value = set.value
-  #    }
-  #  }
-  #  dynamic "set" {
-  #    for_each = local.have_keycloak ? ["username_claim"] : []
-  #    content {
-  #      name  = "openid.username_claim"
-  #      value = set.value
-  #    }
-  #  }
 }
 
-module "kiali_ingress" {
-  depends_on = [helm_release.kiali]
-
-  # tflint-ignore: terraform_module_pinned_source
-  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git//"
-
-  certificate_issuer = var.certificate_issuer
-
-  namespace                  = var.namespace
-  application_name           = "kiali"
-  public_hostname            = "kiali"
-  cluster_domain             = var.cluster_domain
-  upstream_hostname          = local.internal_hostname
-  upstream_port              = local.internal_port_number
-  redirection_url            = local.public_url
-  client_id                  = var.sso_client_id
-  client_secret              = var.sso_client_secret
-  keycloak_public_url        = var.keycloak_public_url
-  gogatekeeper_chart_version = var.gogatekeeper_chart_version
-  gogatekeeper_registry      = var.gogatekeeper_registry
-  gogatekeeper_repository    = var.gogatekeeper_repository
-  gogatekeeper_tag           = var.gogatekeeper_tag
-}
+#  dynamic "set" {
+#    for_each = local.have_keycloak ? ["openid"] : ["anonymous"]
+#    content {
+#      name  = "kialiAuthStrategy"
+#      value = set.value
+#    }
+#  }
+#  dynamic "set" {
+#    for_each = local.have_keycloak ? [var.sso_client_id] : []
+#    content {
+#      name  = "openid.clientId"
+#      value = set.value
+#    }
+#  }
+#  dynamic "set" {
+#    for_each = local.have_keycloak ? [var.sso_client_secret] : []
+#    content {
+#      name  = "openid.secret"
+#      value = set.value
+#    }
+#  }
+#  dynamic "set" {
+#    for_each = local.have_keycloak ? [local.keycloak_issuer_uri] : []
+#    content {
+#      name  = "openid.issuerUri"
+#      value = set.value
+#    }
+#  }
+#  dynamic "set" {
+#    for_each = local.have_keycloak ? ["username_claim"] : []
+#    content {
+#      name  = "openid.username_claim"
+#      value = set.value
+#    }
+#  }
+
+
+# module "kiali_ingress" {
+#   depends_on = [helm_release.kiali]
+
+#   #source = "git@github.it.census.gov:SOA/tfmod-gogatekeeper.git//>ref=1.0.0"
+#   source = "git@github.it.census.gov:SOA/tfmod-gogatekeeper.git//"
+
+#   certificate_issuer = var.certificate_issuer
+
+#   namespace                  = local.ns
+#   application_name           = "kiali"
+#   public_hostname            = "kiali"
+#   cluster_domain             = var.cluster_domain
+#   upstream_hostname          = local.internal_hostname
+#   upstream_port              = local.internal_port_number
+#   redirection_url            = local.public_url
+#   client_id                  = var.sso_client_id
+#   client_secret              = var.sso_client_secret
+#   keycloak_public_url        = var.keycloak_public_url
+#   gogatekeeper_chart_version = var.gogatekeeper_chart_version
+#   gogatekeeper_registry      = var.gogatekeeper_registry
+#   gogatekeeper_repository    = var.gogatekeeper_repository
+#   gogatekeeper_tag           = var.gogatekeeper_tag
+# }