diff --git a/examples/full-cluster/common-services/ca-cert.tf b/examples/full-cluster/common-services/ca-cert.tf
deleted file mode 100644
index 8e1c01b..0000000
--- a/examples/full-cluster/common-services/ca-cert.tf
+++ /dev/null
@@ -1,119 +0,0 @@ -# tf-apply $(grep ^[rd] ca-cert.tf |awk '{print "-target=" $2 "." $3}' |sed -e 's/"//g') -# terraform taint null_resource.ca_cert[0] -# # (wait for submitted cert to be ready) -# tf-apply $(grep ^[rd] ca-cert.tf |awk '{print "-target=" $2 "." $3}' |sed -e 's/"//g') -# tf-apply $(grep ^[rd] ca-cert.tf |awk '{print "-target=" $2 "." $3}' |sed -e 's/"//g') - -#--- -# ca -#--- -locals { - ca_dns_name = format("pki.%v.%v", var.cluster_name, var.vpc_domain_name) - # ca_ou = format("ou=%v,ou=EKS,ou=%v,ou=PKI",var.cluster_name,var.vpc_full_name) - ca_ou = format("eks-%v-%v-PKI", var.cluster_name, var.vpc_full_name) - ca_cert_download = false - ca_cert_san = [local.ca_dns_name] - - ca_key_filename = format("${path.root}/certs/%v.key", local.ca_dns_name) - ca_key_exists = fileexists(local.ca_key_filename) - ca_cert_filename = format("${path.root}/certs/%v.crt", local.ca_dns_name) - ca_cert_exists = fileexists(local.ca_cert_filename) - ca_root_filename = "${path.root}/certs/ca-root.crt" - ca_root_exists = fileexists(local.ca_root_filename) - ca_bundle_contents = local.ca_cert_exists && local.ca_root_exists ? format("%v%v", file(local.ca_cert_filename), file(local.ca_root_filename)) : "" - ca_bundle_filename = format("${path.root}/certs/%v.bundle.crt", local.ca_dns_name) -} - -resource "tls_private_key" "ca" { - algorithm = "RSA" - rsa_bits = 4096 -} - -resource "tls_cert_request" "ca" { - key_algorithm = "RSA" - private_key_pem = tls_private_key.ca.private_key_pem - - dns_names = local.ca_cert_san - subject { - common_name = local.ca_dns_name - organizational_unit = local.ca_ou - organization = "U.S. 
Census Bureau" - country = "US" - } -} - -resource "null_resource" "ca_root_cert" { - provisioner "local-exec" { - command = "test -d certs || mkdir certs" - } - provisioner "local-exec" { - command = "curl -o ${local.ca_root_filename} http://ca.apps.tco.census.gov/certs/ca" - } -} - -resource "null_resource" "ca_files" { - triggers = { - ca_key_public = sha256(tls_private_key.ca.public_key_pem) - ca_csr = sha256(tls_cert_request.ca.cert_request_pem) - } - - # get key - provisioner "local-exec" { - command = "test -d certs || mkdir certs" - } - provisioner "local-exec" { - command = "echo '${tls_private_key.ca.private_key_pem}' > certs/${local.ca_dns_name}.key" - } - provisioner "local-exec" { - command = "echo '${tls_private_key.ca.public_key_pem}' > certs/${local.ca_dns_name}.public_key" - } - # get csr - provisioner "local-exec" { - command = "echo '${tls_cert_request.ca.cert_request_pem}' > certs/${local.ca_dns_name}.csr" - } - - # detail how to get certs - provisioner "local-exec" { - command = "echo 'add the key file to .gitignore, add it to git-secret, and hide it. Then add the .secret to git'" - } - provisioner "local-exec" { - command = "echo 'now submit file to TCO for signing and return the result as below:\n csr = certs/${local.ca_dns_name}.csr\n cert = certs/${local.ca_dns_name}.crt\n'" - } - provisioner "local-exec" { - command = "echo command = ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730" - } - provisioner "local-exec" { - command = "echo 'curl -O http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'" - } -} - -resource "null_resource" "ca_cert" { - count = local.ca_cert_download ? 
1 : 0 - # get cert - provisioner "local-exec" { - command = "curl -o ${path.root}/certs/${local.ca_dns_name}.crt 'http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'" - } -} - -resource "local_file" "ca_bundle_cert" { - count = local.ca_cert_download && local.ca_cert_exists && local.ca_root_exists && length(local.ca_bundle_contents) > 0 ? 1 : 0 - - content = local.ca_bundle_contents - filename = local.ca_bundle_filename - file_permission = "0644" -} - -#--- -# once the cert is in place, you can use the ACM certificate soemthign like below -#--- -## resource "aws_acm_certificate" "ca" { -## count = local.ca_cert_exists ? 1 : 0 -## private_key = file("${path.root}/certs/${local.ca_dns_name}.key") -## certificate_body = file("${path.root}/certs/${local.ca_dns_name}.crt") -## certificate_chain = file("/etc/pki/tls/certs/cacert.crt") -## -## tags = merge( -## local.common_tags, -## map("Name", local.ca_dns_name), -## ) -## } diff --git a/examples/full-cluster/common-services/cert.tf b/examples/full-cluster/common-services/cert.tf new file mode 100644 index 0000000..05e43ce --- /dev/null +++ b/examples/full-cluster/common-services/cert.tf 
@@ -0,0 +1,125 @@ +# tf-apply $(grep ^[rd] ca-cert.tf |awk '{print "-target=" $2 "." $3}' |sed -e 's/"//g') +# terraform taint null_resource.ca_cert[0] +# # (wait for submitted cert to be ready) +# tf-apply $(grep ^[rd] ca-cert.tf |awk '{print "-target=" $2 "." $3}' |sed -e 's/"//g') +# tf-apply $(grep ^[rd] ca-cert.tf |awk '{print "-target=" $2 "." $3}' |sed -e 's/"//g') + +#--- +# ca +#--- +locals { + ca_dns_name = format("pki.%v.%v", var.cluster_name, var.vpc_domain_name) + # ca_ou = format("ou=%v,ou=EKS,ou=%v,ou=PKI",var.cluster_name,var.vpc_full_name) + ca_ou = format("eks-%v-%v-PKI", var.cluster_name, var.vpc_full_name) + ca_cert_download = false + ca_cert_san = [local.ca_dns_name] + + ca_key_filename = format("${path.root}/certs/%v.key", local.ca_dns_name) + ca_key_exists = fileexists(local.ca_key_filename) + ca_cert_filename = format("${path.root}/certs/%v.crt", local.ca_dns_name) + ca_cert_exists = fileexists(local.ca_cert_filename) + ca_root_filename = "${path.root}/certs/ca-root.crt" + ca_root_exists = fileexists(local.ca_root_filename) + ca_bundle_contents = local.ca_cert_exists && local.ca_root_exists ? format("%v%v", file(local.ca_cert_filename), file(local.ca_root_filename)) : "" + ca_bundle_filename = format("${path.root}/certs/%v.bundle.crt", local.ca_dns_name) +} + +module "cert" { + source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate" + + certificate_cn = local.ca_dns_name + certificate_san = [local.ca_dns_name] + certificate_download = true + enable_acm_certificate = false + certificate_subject_overrides = { ou = local.ca_ou } + certificate_csr_message = < 0 ? 1 : 0 +## +## content = local.ca_bundle_contents +## filename = local.ca_bundle_filename +## file_permission = "0644" +## } diff --git a/examples/full-cluster/common-services/copy_images.tf b/examples/full-cluster/common-services/copy_images.tf index 9d2a2e1..df4fe53 100644 --- a/examples/full-cluster/common-services/copy_images.tf 
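Review bot: The new `module "cert"` block pulls `source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate"` with no `?ref=` pin, so every `terraform init` resolves whatever the module repo's default branch currently points at, and the code that handles this CA's private key and CSR can change underneath the example without any diff here; pin it, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate?ref=<TAG_OR_COMMIT>"` (placeholder). The header comments were copied verbatim from the deleted file and still say `tf-apply $(grep ^[rd] ca-cert.tf ...)` and `terraform taint null_resource.ca_cert[0]`, but `ca-cert.tf` is removed by this commit and `null_resource.ca_cert` no longer exists, so the documented re-run procedure cannot work as written; they should name `cert.tf` and the `module.cert` address instead. The local `ca_cert_download = false` is still declared while the module is passed `certificate_download = true`, which looks like a leftover from the old flow unless it is consumed in the part of the hunk that is not legible here. The hunk text between `certificate_csr_message = <` and `0 ? 1 : 0` appears truncated on this page, so the heredoc and the resources in between could not be reviewed.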
+++ b/examples/full-cluster/common-services/copy_images.tf @@ -5,7 +5,7 @@ locals { repo_parent_name = format("eks/%v", var.cluster_name) account_ecr_registry = format("%v.dkr.ecr.%v.amazonaws.com", local.account_id, var.region) - account_ecr = format("%v/%v", local.account_ecr_registry, local.repo_parent_name) + account_ecr = format("%v/%v", local.account_ecr_registry, local.repo_parent_name) images = [ # cert-manager related images: @@ -60,14 +60,14 @@ locals { }, ] image_repos = { for image in local.images : image.name => format("%v/%v", local.account_ecr, image.name) } - image_map = { for image in local.images : image.name => + image_map = { for image in local.images : image.name => merge( image, tomap( - { "full_path"=local.image_repos[image.name], - "registry"=local.account_ecr_registry, - "repository"=format("%v/%v",local.repo_parent_name,image.name), } - ) ) } + { "full_path" = local.image_repos[image.name], + "registry" = local.account_ecr_registry, + "repository" = format("%v/%v", local.repo_parent_name, image.name), } + )) } } resource "null_resource" "copy_images" { diff --git a/examples/full-cluster/common-services/dns.tf b/examples/full-cluster/common-services/dns.tf index a8fba0c..91a5b35 100644 --- a/examples/full-cluster/common-services/dns.tf +++ b/examples/full-cluster/common-services/dns.tf @@ -21,5 +21,5 @@ resource "aws_route53_record" "istio-ingress" { ttl = 900 zone_id = local.parent_rs.cluster_domain_id - records = [ data.aws_lb.lb[0].dns_name ] + records = [data.aws_lb.lb[0].dns_name] } diff --git a/examples/full-cluster/common-services/locals.tf b/examples/full-cluster/common-services/locals.tf index 3042080..4b9ae5a 100644 --- a/examples/full-cluster/common-services/locals.tf +++ b/examples/full-cluster/common-services/locals.tf 
@@ -12,6 +12,6 @@ locals { subnet_ids = local.parent_rs.cluster_subnet_ids cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id - oidc_provider_url = local.parent_rs.oidc_provider_url - oidc_provider_arn = local.parent_rs.oidc_provider_arn + oidc_provider_url = local.parent_rs.oidc_provider_url + oidc_provider_arn = local.parent_rs.oidc_provider_arn } diff --git a/examples/full-cluster/common-services/main.tf b/examples/full-cluster/common-services/main.tf index dd8c4fa..629d4df 100644 --- a/examples/full-cluster/common-services/main.tf +++ b/examples/full-cluster/common-services/main.tf @@ -45,36 +45,36 @@ resource "helm_release" "metrics-server" { depends_on = [null_resource.copy_images] set { name = "extraArgs.kubelet-preferred-address-types" -# value = "InternalIP,ExternalIP,Hostname" + # value = "InternalIP,ExternalIP,Hostname" value = "InternalIP" } set { - name = "apiService.create" + name = "apiService.create" value = "true" } set { - name = "extraArgs.cert-dir" + name = "extraArgs.cert-dir" value = "/tmp" } set { - name = "extraArgs.kubelet-use-node-status-port" + name = "extraArgs.kubelet-use-node-status-port" value = "" } set { - name = "extraArgs.metric-resolution" + name = "extraArgs.metric-resolution" value = "15s" } -# set { -# name = "extraArgs.kubelet-insecure-tls" -# value = "true" -# } + # set { + # name = "extraArgs.kubelet-insecure-tls" + # value = "true" + # } set { - name = "image.registry" + name = "image.registry" value = local.account_ecr_registry } set { - name = "image.repository" -# value = format("%v/%v", local.repo_parent_name, local.images["metric-server"].name) + name = "image.repository" + # value = format("%v/%v", local.repo_parent_name, local.images["metric-server"].name) value = local.image_map["metrics-server"].repository } 
@@ -87,9 +87,9 @@ resource "helm_release" "metrics-server" { } resource "helm_release" "cluster-autoscaler" { - chart = "cluster-autoscaler" - name = "cluster-autoscaler" - namespace = "kube-system" + chart = "cluster-autoscaler" + name = "cluster-autoscaler" + namespace = "kube-system" repository = "${path.module}/charts/" depends_on = [null_resource.copy_images] set { @@ -101,7 +101,7 @@ resource "helm_release" "cluster-autoscaler" { value = var.cluster_autoscaler_tag } set { - name = "autoDiscovery.clusterName" + name = "autoDiscovery.clusterName" value = var.cluster_name } } diff --git a/examples/full-cluster/common-services/settings.auto.tfvars b/examples/full-cluster/common-services/settings.auto.tfvars deleted file mode 120000 index e397af4..0000000 --- a/examples/full-cluster/common-services/settings.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../settings.auto.tfvars \ No newline at end of file diff --git a/examples/full-cluster/common-services/tf-run.data b/examples/full-cluster/common-services/tf-run.data index d1571ae..41261d6 100644 --- a/examples/full-cluster/common-services/tf-run.data +++ b/examples/full-cluster/common-services/tf-run.data 
@@ -3,18 +3,21 @@ REMOTE-STATE COMMAND tf-directory-setup.py -l none -f COMMAND setup-new-directory.sh COMMAND tf-init -upgrade -tls_private_key.ca tls_cert_request.ca null_resource.ca_root_cert null_resource.ca_files -null_resource.ca_cert -local_file.ca_bundle_cert +# tls_private_key.ca tls_cert_request.ca null_resource.ca_root_cert null_resource.ca_files +# null_resource.ca_cert +# local_file.ca_bundle_cert +module.cert COMMAND tf-directory-setup.py -l s3 COMMENT submit certs/*csr using command ouptut listed in apply to TCO for signing STOP once that is availabile, change cert_download to true -COMMAND terraform taint null_resource.ca_cert -null_resource.ca_root_cert null_resource.ca_files null_resource.ca_cert -COMMENT second run is to complete the steps -null_resource.ca_root_cert null_resource.ca_files null_resource.ca_cert +# COMMAND terraform taint null_resource.ca_cert +# null_resource.ca_root_cert null_resource.ca_files null_resource.ca_cert +# COMMENT second run is to complete the steps +# null_resource.ca_root_cert null_resource.ca_files null_resource.ca_cert +module.cert +module.cert ALL diff --git a/examples/full-cluster/common-services/variables.common-services.tf b/examples/full-cluster/common-services/variables.common-services.tf index 14770e6..17f2009 100644 --- a/examples/full-cluster/common-services/variables.common-services.tf +++ b/examples/full-cluster/common-services/variables.common-services.tf @@ -179,7 +179,7 @@ variable "cert_manager_controller_tag" { variable "cluster_autoscaler_tag" { description = "Image tag of public.ecr.aws/v0g0y9g5/cluster-autoscaler" type = string - default = "v1.21.0" + default = "v1.21.0" } variable "metrics_server_tag" { diff --git a/examples/full-cluster/common-services/variables.vpc.auto.tfvars b/examples/full-cluster/common-services/variables.vpc.auto.tfvars deleted file mode 120000 index cb9b691..0000000 --- a/examples/full-cluster/common-services/variables.vpc.auto.tfvars +++ /dev/null 
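Review bot: The two trailing `+module.cert` entries replace the old two-pass sequence, but the `COMMENT second run is to complete the steps` line that explained why a second pass exists was commented out together with the old targets, so the runbook now applies `module.cert` twice with no stated reason; keep that COMMENT active between the two entries, or drop the duplicate if the module no longer needs a second apply. The untouched `STOP once that is availabile, change cert_download to true` step also no longer matches the new code, where cert.tf sets `certificate_download = true` on the module directly, so an operator following this file has no flag to flip; that line should be updated or removed with this migration.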
@@ -1 +0,0 @@
-../variables.vpc.auto.tfvars
\ No newline at end of file
diff --git a/examples/full-cluster/common-services/variables.vpc.tf b/examples/full-cluster/common-services/variables.vpc.tf
deleted file mode 120000
index f672f33..0000000
--- a/examples/full-cluster/common-services/variables.vpc.tf
+++ /dev/null
@@ -1 +0,0 @@
-../variables.vpc.tf
\ No newline at end of file