First working version with Cilium

.github/workflows/ci.yaml

@@ -0,0 +1,24 @@
+name: pre-commit
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  pre-commit:
+    name: Terraform CI 🛃
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install Task
+        uses: arduino/setup-task@v1
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Terraform checks (pre-commit)
+        run: task pre-commit

.github/workflows/manifests.yaml

@@ -0,0 +1,23 @@
+name: manifests
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches: [ '*' ]
+    tags-ignore: [ '*' ]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup yq
+        uses: fluxcd/pkg/actions/yq@main
+      - name: Setup kubeconform
+        uses: fluxcd/pkg/actions/kubeconform@main
+      - name: Setup kustomize
+        uses: fluxcd/pkg/actions/kustomize@main
+      - name: Validate manifests
+        run: ./scripts/validate.sh

.gitignore

@@ -0,0 +1,47 @@
+## More on https://github.com/github/gitignore
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+**.terraform.lock.hcl
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# TFSec cache
+.tfsec
+
+# VSCode
+.vscode
+
+# Secrets directory
+.secrets

.pre-commit-config.yaml

@@ -0,0 +1,18 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform.git
+    rev: v1.79.1
+    hooks:
+      - id: terraform_docs
+      - id: terraform_fmt
+      - id: terraform_validate
+      - id: terraform_tfsec
+        args:
+          - --args=--config-file=__GIT_WORKING_DIR__/.tfsec.yaml
+      - id: terraform_tflint
+        args:
+          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks.git
+    rev: v4.4.0
+    hooks:
+      - id: check-merge-conflict

.tflint.hcl

@@ -0,0 +1,8 @@
+config {
+  module = true
+}
+plugin "aws" {
+  enabled = true
+  version = "0.17.1"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}

.tfsec.yaml

@@ -0,0 +1,13 @@
+# Ignore rules for the whole repository
+# It is preferable to ignore per resource: https://aquasecurity.github.io/tfsec/v1.28.1/guides/configuration/ignores/
+exclude:
+  # Demo mamagement cluster, need to work on security best-practices for real production
+  - aws-s3-encryption-customer-key
+  - aws-s3-enable-bucket-logging
+  - aws-ec2-no-public-egress-sgr
+  - aws-ec2-no-excessive-port-access
+  - aws-ec2-no-public-ingress-acl
+  - aws-ec2-no-excessive-port-access
+  - aws-ec2-no-public-ip-subnet
+  - aws-ec2-require-vpc-flow-logs-for-all-vpcs
+  - aws-eks-enable-control-plane-logging

Makefile

@@ -0,0 +1,12 @@
+.PHONY: clean pre-commit
+
+# pre-commit variables
+DOCKER_IMG = ghcr.io/antonbabenko/pre-commit-terraform
+DOCKER_TAG = latest
+REPO_NAME = action-terraform-ci
+
+clean:
+	find . -type d -name "*.terraform" -or -name "*.terraform.lock.hcl" | sudo xargs rm -vrf
+
+pre-commit:
+	docker run -e "USERID=$$(id -u):$$(id -g)" -v $$(pwd):/lint -w /lint ${DOCKER_IMG}:${DOCKER_TAG} run -a

clusters/mycluster-0/flux-config.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: flux-config
+  namespace: flux-system
+spec:
+  prune: true
+  interval: 4m0s
+  path: ./flux-config/mycluster-0
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  postBuild:
+    substitute:
+      domain_name: "cloud.ogenki.io"
+    substituteFrom:
+      - kind: ConfigMap
+        name: eks-mycluster-0-vars
+      - kind: Secret
+        name: eks-mycluster-0-vars
+        optional: true
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: weave-gitops
+      namespace: flux-system

clusters/mycluster-0/infrastructure.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure
+  namespace: flux-system
+spec:
+  prune: true
+  interval: 4m0s
+  path: ./infrastructure/mycluster-0
+  postBuild:
+    substitute:
+      domain_name: "cloud.ogenki.io"
+    substituteFrom:
+      - kind: ConfigMap
+        name: eks-mycluster-0-vars
+      - kind: Secret
+        name: eks-mycluster-0-vars
+        optional: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  dependsOn:
+    - name: tf-irsa-mycluster-0
+    - name: tf-custom-resources

clusters/mycluster-0/observability.yaml

@@ -0,0 +1,29 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: observability
+  namespace: flux-system
+spec:
+  interval: 3m0s
+  timeout: 30m0s
+  path: ./observability/mycluster-0
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  postBuild:
+    substitute:
+      domain_name: "cloud.ogenki.io"
+    substituteFrom:
+      - kind: ConfigMap
+        name: eks-mycluster-0-vars
+      - kind: Secret
+        name: eks-mycluster-0-vars
+        optional: true
+  dependsOn:
+    - name: security
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v1beta1
+      kind: HelmRelease
+      name: kube-prometheus-stack
+      namespace: observability

clusters/mycluster-0/security.yaml

@@ -0,0 +1,26 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: security
+  namespace: flux-system
+spec:
+  prune: true
+  interval: 4m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./security/mycluster-0
+  postBuild:
+    substitute:
+      domain_name: "cloud.ogenki.io"
+    substituteFrom:
+      - kind: ConfigMap
+        name: eks-mycluster-0-vars
+      - kind: Secret
+        name: eks-mycluster-0-vars
+        optional: true
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v1beta1
+      kind: HelmRelease
+      name: external-secrets
+      namespace: security

flux-config/base/weave-gitops/helmrelease.yaml

@@ -0,0 +1,36 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  annotations:
+    metadata.weave.works/description:
+      This is the Weave GitOps Dashboard.  It provides
+      a simple way to get insights into your GitOps workloads.
+  name: weave-gitops
+  namespace: flux-system
+spec:
+  chart:
+    spec:
+      chart: weave-gitops
+      sourceRef:
+        kind: HelmRepository
+        name: ww-gitops
+  interval: 1h0m0s
+  values:
+    adminUser:
+      create: true
+      passwordHash: $2a$10$4EnJSNAJ4hJDahA/EH7f/OoPr3w9p1p6XfjTkIQkxeGaZZRkEu5gy
+      username: admin
+    ingress:
+      enabled: true
+      annotations:
+        kubernetes.io/ingress.class: alb
+        alb.ingress.kubernetes.io/target-type: ip
+        alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
+        alb.ingress.kubernetes.io/scheme: internet-facing
+        alb.ingress.kubernetes.io/target-group-attributes: deregistration_delay.timeout_seconds=30
+        external-dns.alpha.kubernetes.io/hostname: gitops-${cluster_name}.${domain_name}
+      hosts:
+        - host: gitops-${cluster_name}.${domain_name}
+          paths:
+            - path: /*
+              pathType: ImplementationSpecific

flux-config/base/weave-gitops/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- helmrelease.yaml
+- source.yaml

flux-config/base/weave-gitops/source.yaml

@@ -0,0 +1,18 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  annotations:
+    metadata.weave.works/description:
+      This is the source location for the Weave GitOps
+      Dashboard's helm chart.
+  labels:
+    app.kubernetes.io/component: ui
+    app.kubernetes.io/created-by: weave-gitops-cli
+    app.kubernetes.io/name: weave-gitops-dashboard
+    app.kubernetes.io/part-of: weave-gitops
+  name: ww-gitops
+  namespace: flux-system
+spec:
+  interval: 1h0m0s
+  type: oci
+  url: oci://ghcr.io/weaveworks/charts

flux-config/mycluster-0/weave-gitops/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base/weave-gitops

infrastructure/base/aws-load-balancer-controller/helmrelease.yaml

@@ -0,0 +1,34 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: aws-load-balancer-controller
+spec:
+  releaseName: aws-load-balancer-controller
+  chart:
+    spec:
+      chart: aws-load-balancer-controller
+      sourceRef:
+        kind: HelmRepository
+        name: eks
+        namespace: kube-system
+      version: "1.5.3"
+  interval: 10m0s
+  install:
+    remediation:
+      retries: 3
+  values:
+    clusterName: ${cluster_name}
+    serviceAccount:
+      # Has to match the policy created using terraform (IRSA)
+      name: load-balancer-controller
+      annotations:
+        eks.amazonaws.com/role-arn: "arn:aws:iam::${aws_account_id}:role/${cluster_name}-load-balancer-controller"
+    defaultTags:
+      environment: ${environment}
+      clusterName: ${cluster_name}
+    replicaCount: 1
+    resources:
+      limits:
+        cpu: 100m
+        memory: 128Mi
+    vpcId: ${vpc_id}

infrastructure/base/aws-load-balancer-controller/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+
+resources:
+  - helmrelease.yaml
+  - source.yaml

infrastructure/base/aws-load-balancer-controller/source.yaml

@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: eks
+spec:
+  interval: 30m
+  url: https://aws.github.io/eks-charts