Merge pull request #8 from smarunich/dev

adding 1.22 related updates

Author: smarunich

.gitignore

@@ -1,5 +1,6 @@
 # Local .terraform directories
 **/.terraform/*
+tests/*
 
 # .tfstate files
 *.tfstate

Makefile

@@ -15,10 +15,11 @@ azure_k8s:
 	terraform apply -auto-approve -target=module.azure_k8s
 tsb_deps:
 	terraform init
-	terraform apply -auto-approve -target=module.cert-manager
+	terraform apply -auto-approve -target=module.cert-manager -var=cluster_id=0
 	terraform apply -auto-approve -target=module.es
 tsb_mp:
 	terraform init
+	terraform apply -auto-approve -target=module.tsb_mp.kubectl_manifest.manifests_certs
 	terraform apply -auto-approve -target=module.tsb_mp
 	terraform apply -auto-approve -target=module.aws_dns
 tsb_fqdn:
@@ -27,6 +28,8 @@ tsb_cp:
 	@echo cluster_id is ${cluster_id} 
 	@echo cloud is ${cloud}
 	terraform init
+	terraform state list | grep "^module.cert-manager" | grep -v data | tr -d ':' | xargs -I '{}' terraform taint {}
+	terraform apply -auto-approve -target=module.cert-manager -var=cluster_id=${cluster_id} 
 	terraform taint -allow-missing "module.tsb_cp.null_resource.jumpbox_tctl"
 	terraform apply -auto-approve -target=module.tsb_cp -var=cluster_id=${cluster_id} -var=cloud=${cloud}
 argocd:
@@ -39,7 +42,7 @@ app_bookinfo:
 	@echo cluster_id is ${cluster_id} 
 	@echo cloud is ${cloud}
 	terraform init
-	terraform taint -allow-missing "module.app_bookinfo"
+	terraform state list | grep "^module.app_bookinfo" | grep -v data | tr -d ':' | xargs -I '{}' terraform taint {}
 	terraform apply -auto-approve -target=module.app_bookinfo -var=cluster_id=${cluster_id} -var=cloud=${cloud}
 azure_oidc:
 	terraform init

main.tf

@@ -64,11 +64,10 @@ module "aws_k8s" {
 
 module "cert-manager" {
   source                     = "./modules/addons/cert-manager"
-  k8s_host                   = module.azure_k8s.0.host
-  k8s_cluster_ca_certificate = module.azure_k8s.0.cluster_ca_certificate
-  k8s_client_certificate     = module.azure_k8s.0.client_certificate
-  k8s_client_key             = module.azure_k8s.0.client_key
-  tsb_fqdn                   = var.tsb_fqdn
+  k8s_host                   = element(module.azure_k8s, var.cluster_id).host
+  k8s_cluster_ca_certificate = element(module.azure_k8s, var.cluster_id).cluster_ca_certificate
+  k8s_client_certificate     = element(module.azure_k8s, var.cluster_id).client_certificate
+  k8s_client_key             = element(module.azure_k8s, var.cluster_id).client_key
 }
 
 module "es" {

modules/addons/cert-manager/main.tf

@@ -27,12 +27,16 @@ resource "helm_release" "cert_manager" {
   version          = "1.7.2"
   create_namespace = true
   namespace        = "cert-manager"
+  timeout          = 900
 
   set {
     name  = "installCRDs"
     value = "true"
   }
-
+  set {
+    name  = "featureGates"
+    value = "ExperimentalCertificateSigningRequestControllers=true"
+  }
 }
 
 resource "time_sleep" "wait_90_seconds" {
@@ -51,16 +55,4 @@ resource "kubectl_manifest" "manifests_selfsigned_ca" {
   depends_on = [time_sleep.wait_90_seconds]
 }
 
-data "kubectl_path_documents" "manifests_certs" {
-  pattern = "${path.module}/manifests/certs.yaml.tmpl"
-  vars = {
-    tsb_fqdn = var.tsb_fqdn
-  }
-}
-
-resource "kubectl_manifest" "manifests_certs" {
-  count      = length(data.kubectl_path_documents.manifests_certs.documents)
-  yaml_body  = element(data.kubectl_path_documents.manifests_certs.documents, count.index)
-  depends_on = [time_sleep.wait_90_seconds]
-}
 

modules/addons/cert-manager/variables.tf

@@ -9,6 +9,3 @@ variable "k8s_client_key" {
 
 variable "k8s_cluster_ca_certificate" {
 }
-
-variable "tsb_fqdn" {
-}

modules/azure/k8s/main.tf

@@ -5,7 +5,7 @@ resource "azurerm_kubernetes_cluster" "k8s" {
 
   dns_prefix = var.cluster_name
 
-  kubernetes_version      = "1.21.9"
+  kubernetes_version      = "1.22.6"
   sku_tier                = "Free"
   private_cluster_enabled = false
 

modules/tsb/cp/manifests/tsb/controlplane-values.yaml.tmpl

@@ -28,5 +28,7 @@ spec:
     gitops:
       enabled: true
       reconcileInterval: 600s
-  meshExpansion: {}
-  
+    internalCertProvider:
+        certManager:
+          managed: EXTERNAL
+  meshExpansion: {}

modules/tsb/mp/main.tf

@@ -22,6 +22,22 @@ provider "kubernetes" {
   client_key             = base64decode(var.k8s_client_key)
 }
 
+resource "time_sleep" "warmup_90_seconds" {
+  create_duration = "90s"
+}
+
+data "kubectl_path_documents" "manifests_certs" {
+  pattern = "${path.module}/manifests/cert-manager/certs.yaml.tmpl"
+  vars = {
+    tsb_fqdn = var.tsb_fqdn
+  }
+}
+
+resource "kubectl_manifest" "manifests_certs" {
+  count     = length(data.kubectl_path_documents.manifests_certs.documents)
+  yaml_body = element(data.kubectl_path_documents.manifests_certs.documents, count.index)
+}
+
 resource "kubernetes_namespace" "tsb" {
   metadata {
     name = "tsb"
@@ -35,20 +51,23 @@ data "kubernetes_secret" "selfsigned_ca" {
     name      = "selfsigned-ca"
     namespace = "cert-manager"
   }
+  depends_on = [time_sleep.warmup_90_seconds]
 }
 
 data "kubernetes_secret" "tsb_server_cert" {
   metadata {
     name      = "tsb-server-cert"
     namespace = "cert-manager"
   }
+  depends_on = [time_sleep.warmup_90_seconds]
 }
 
 data "kubernetes_secret" "istiod_cacerts" {
   metadata {
     name      = "istiod-cacerts"
     namespace = "cert-manager"
   }
+  depends_on = [time_sleep.warmup_90_seconds]
 }
 data "kubernetes_secret" "es_password" {
   metadata {
@@ -133,38 +152,15 @@ resource "helm_release" "managementplane" {
 
 }
 
-resource "time_sleep" "wait_90_seconds" {
+resource "time_sleep" "wait_180_seconds" {
   depends_on      = [helm_release.managementplane]
-  create_duration = "90s"
-}
-
-resource "null_resource" "jumpbox_kubectl" {
-  connection {
-    host        = var.jumpbox_host
-    type        = "ssh"
-    agent       = false
-    user        = var.jumpbox_username
-    private_key = var.jumpbox_pkey
-  }
-
-  provisioner "file" {
-    source      = "${var.cluster_name}-kubeconfig"
-    destination = "${var.cluster_name}-kubeconfig"
-  }
-  provisioner "remote-exec" {
-
-    inline = [
-      "kubectl --kubeconfig ${var.cluster_name}-kubeconfig create job -n tsb teamsync-bootstrap --from=cronjob/teamsync"
-    ]
-  }
-
-  depends_on = [time_sleep.wait_90_seconds]
+  create_duration = "180s"
 }
 
 data "kubernetes_service" "tsb" {
   metadata {
     name      = "envoy"
     namespace = "tsb"
   }
-  depends_on = [time_sleep.wait_90_seconds]
+  depends_on = [time_sleep.wait_180_seconds]
 }

modules/addons/cert-manager/manifests/certs.yaml.tmpl renamed to modules/tsb/mp/manifests/cert-manager/certs.yaml.tmpl

@@ -5,9 +5,6 @@ secrets:
   tsb:
     adminPassword: ${tsb_password}
   xcp: 
-    authModes:
-      jwt: true
-      mtls: false
     autoGenerateCerts: true
     central: 
       additionalDNSNames: 
@@ -18,7 +15,7 @@ secrets:
   ldap:
     binddn: ${ldap_binddn}
     bindpassword: ${ldap_bindpassword}
-  postgres:
+  postgres: 
     username: ${db_username}
     password: ${db_password}
 spec:
@@ -30,4 +27,12 @@ spec:
       port: 9200
       version: 7
       selfSigned: true
-      protocol: https
+      protocol: https
+  components:
+    xcp:
+      centralAuthModes:
+        jwt: true
+    internalCertProvider:
+        certManager:
+          managed: EXTERNAL
+