From a51635cebe7023c0f2c0881caa50014bf9da3515 Mon Sep 17 00:00:00 2001
From: Thomas Rijpstra
Date: Fri, 20 Sep 2024 21:54:37 +0200
Subject: [PATCH] first steps for platform
---
 infra/clusters/platform/bootstrap/minio.tf | 47 -------------------
 infra/clusters/platform/bootstrap/output.tf | 17 -------
 .../clusters/platform/bootstrap/variables.tf | 4 --
 infra/clusters/platform/bootstrap/vault.tf | 34 --------------
 infra/clusters/platform/generate-tf-config.sh | 0
 infra/clusters/platform/hcloud_infra.tf | 39 ---------------
 infra/clusters/platform/helm.tf | 15 ++++++
 infra/clusters/platform/minio.tf | 31 ++++++++++++
 infra/clusters/platform/rancher_cluster.tf | 8 ----
 infra/clusters/platform/variables.tf | 47 +++++++++++++++++++
 infra/clusters/platform/vault.tf | 14 ++++++
 11 files changed, 107 insertions(+), 149 deletions(-)
 delete mode 100644 infra/clusters/platform/bootstrap/minio.tf
 delete mode 100644 infra/clusters/platform/bootstrap/output.tf
 delete mode 100644 infra/clusters/platform/bootstrap/variables.tf
 delete mode 100644 infra/clusters/platform/bootstrap/vault.tf
 create mode 100644 infra/clusters/platform/generate-tf-config.sh
 delete mode 100644 infra/clusters/platform/hcloud_infra.tf
 create mode 100644 infra/clusters/platform/helm.tf
 create mode 100644 infra/clusters/platform/minio.tf
 delete mode 100644 infra/clusters/platform/rancher_cluster.tf
 create mode 100644 infra/clusters/platform/variables.tf
 create mode 100644 infra/clusters/platform/vault.tf
diff --git a/infra/clusters/platform/bootstrap/minio.tf b/infra/clusters/platform/bootstrap/minio.tf
deleted file mode 100644
index eaca998..0000000
--- a/infra/clusters/platform/bootstrap/minio.tf
+++ /dev/null
@@ -1,47 +0,0 @@
-terraform {
- required_providers {
- minio = {
- source = "aminueza/minio"
- version = "~> 2.5.0"
- }
- }
-}
-
-provider "minio" {
- minio_server = "localhost:9123"
- minio_region = "eu-central-1"
- minio_user = data.vault_kv_secret_v2.minio_creds.data["access_key"]
- minio_password = data.vault_kv_secret_v2.minio_creds.data["secret_key"]
-}
-
-resource "minio_s3_bucket" "platform" {
- depends_on = [data.vault_kv_secret_v2.minio_creds]
- bucket = "platform"
- acl = "private"
-}
-
-resource "minio_iam_user" "platform" {
- depends_on = [data.vault_kv_secret_v2.minio_creds]
- name = "platform"
-}
-
-resource "minio_iam_policy" "platform" {
- depends_on = [minio_s3_bucket.platform]
- name = "platform-policy"
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Action = ["s3:GetObject", "s3:PutObject"]
- Resource = ["arn:aws:s3:::platform/*"]
- }
- ]
- })
-}
-
-resource "minio_iam_user_policy_attachment" "policy_attachment" {
- depends_on = [minio_iam_user.platform, minio_iam_policy.platform]
- user_name = minio_iam_user.platform.name
- policy_name = minio_iam_policy.platform.name
-}
diff --git a/infra/clusters/platform/bootstrap/output.tf b/infra/clusters/platform/bootstrap/output.tf
deleted file mode 100644
index 0cc044c..0000000
--- a/infra/clusters/platform/bootstrap/output.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-output "vault_token" {
- value = vault_token.platform.client_token
- sensitive = true
-}
-
-output "minio_user" {
- value = minio_iam_user.platform.id
-}
-
-output "minio_user_status" {
- value = minio_iam_user.platform.status
-}
-
-output "minio_user_secret" {
- value = minio_iam_user.platform.secret
- sensitive = true
-}
diff --git a/infra/clusters/platform/bootstrap/variables.tf b/infra/clusters/platform/bootstrap/variables.tf
deleted file mode 100644
index 4cb800c..0000000
--- a/infra/clusters/platform/bootstrap/variables.tf
+++ /dev/null
@@ -1,4 +0,0 @@ -variable "vault_root_token" { - description = "Vault (root) token to create secrets" - type = string -} diff --git a/infra/clusters/platform/bootstrap/vault.tf b/infra/clusters/platform/bootstrap/vault.tf deleted file mode 100644 index 03904bb..0000000 --- a/infra/clusters/platform/bootstrap/vault.tf +++ /dev/null @@ -1,34 +0,0 @@ -provider "vault" { - address = "http://127.0.0.1:8200" - token = var.vault_root_token -} - -data "vault_kv_secret_v2" "minio_creds" { - mount = "management" - name = "minio" -} - -resource "vault_mount" "platform" { - path = "platform" - type = "kv" - options = { version = "2" } - description = "KV Version 2 secret engine mount for management" -} - -resource "vault_policy" "platform" { - name = "platform" - - policy = < /dev/null", - "echo 'Completed cloud-init!'", - ] - - connection { - type = "ssh" - host = self.ipv4_address - user = local.node_username - private_key = tls_private_key.global_key.private_key_pem - } - } - - depends_on = [ - hcloud_network_subnet.private - ] -} diff --git a/infra/clusters/platform/helm.tf b/infra/clusters/platform/helm.tf new file mode 100644 index 0000000..5399273 --- /dev/null +++ b/infra/clusters/platform/helm.tf 
@@ -0,0 +1,15 @@
+provider "kubernetes" {
+ host = yamldecode(data.minio_s3_object.k8s_yaml.content).clusters[0].cluster.server
+ client_certificate = base64decode(yamldecode(data.minio_s3_object.k8s_yaml.content).users[0].user.client-certificate-data)
+ client_key = base64decode(yamldecode(data.minio_s3_object.k8s_yaml.content).users[0].user.client-key-data)
+ cluster_ca_certificate = base64decode(yamldecode(data.minio_s3_object.k8s_yaml.content).clusters[0].cluster.certificate-authority-data)
+}
+
+provider "helm" {
+ kubernetes {
+ host = yamldecode(data.minio_s3_object.k8s_yaml.content).clusters[0].cluster.server
+ client_certificate = base64decode(yamldecode(data.minio_s3_object.k8s_yaml.content).users[0].user.client-certificate-data)
+ client_key = base64decode(yamldecode(data.minio_s3_object.k8s_yaml.content).users[0].user.client-key-data)
+ cluster_ca_certificate = base64decode(yamldecode(data.minio_s3_object.k8s_yaml.content).clusters[0].cluster.certificate-authority-data)
+ }
+}
\ No newline at end of file
diff --git a/infra/clusters/platform/minio.tf b/infra/clusters/platform/minio.tf
new file mode 100644
index 0000000..b000573
--- /dev/null
+++ b/infra/clusters/platform/minio.tf
@@ -0,0 +1,31 @@
+terraform {
+ required_providers {
+ minio = {
+ source = "aminueza/minio"
+ version = "~> 2.5.0"
+ }
+ }
+}
+
+provider "minio" {
+ minio_server = var.minio_server
+ minio_region = var.region
+ minio_user = var.access_key
+ minio_password = var.secret_key
+ minio_ssl = true
+}
+
+data "minio_s3_object" "k8s_yaml" {
+ bucket_name = var.bucket
+ object_name = "kube_config_server.yaml"
+}
+
+data "minio_s3_object" "id_rsa" {
+ bucket_name = var.bucket
+ object_name = "id_rsa"
+}
+
+data "minio_s3_object" "id_rsa_pub" {
+ bucket_name = var.bucket
+ object_name = "id_rsa.pub"
+}
diff --git a/infra/clusters/platform/rancher_cluster.tf b/infra/clusters/platform/rancher_cluster.tf
deleted file mode 100644
index d01a92e..0000000
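Review bot: The kubeconfig read on the `host` line is re-parsed with `yamldecode(data.minio_s3_object.k8s_yaml.content)` eight times across the two provider blocks, so any change to the object name or to the index into `clusters`/`users` has to be repeated in eight places. Parsing it once into a local removes the duplication and gives one place to wrap the value in `sensitive()` so the client key is not echoed in plan output (the object content is persisted in state either way, since it is a data source attribute). Indexing `clusters[0]` and `users[0]` presumably relies on the uploaded kubeconfig carrying exactly one cluster and one user entry; if that is the intent, a comment on the local stating it would help the next reader. The `provider "helm"` block would take the same substitution.
```hcl
locals {
  # Parsed once for both providers. Assumes the uploaded kubeconfig holds a
  # single cluster/user entry (index 0) -- confirm against whatever uploads it.
  kubeconfig = sensitive(yamldecode(data.minio_s3_object.k8s_yaml.content))
}

provider "kubernetes" {
  host                   = local.kubeconfig.clusters[0].cluster.server
  client_certificate     = base64decode(local.kubeconfig.users[0].user.client-certificate-data)
  client_key             = base64decode(local.kubeconfig.users[0].user.client-key-data)
  cluster_ca_certificate = base64decode(local.kubeconfig.clusters[0].cluster.certificate-authority-data)
}

# … unchanged: provider "helm" block, with the same local.kubeconfig references …
```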
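Review bot: The `id_rsa` data source reads an SSH private key out of the bucket, and, like `k8s_yaml`, its `content` attribute is written to this module's state file in clear text, so the state backend now holds the same secrets as the bucket and needs matching access control; the `vault_kv_secret_v2` data sources added in vault.tf have the same effect for whatever `management/hcloud` and `management/rancher` contain. As far as this diff shows, nothing references `data.minio_s3_object.id_rsa` or `id_rsa_pub` yet, so they could be introduced together with their consumer rather than fetched unconditionally now. A comment on each data block naming its consumer and the persistence would help, e.g. `# Object content is stored in Terraform state; protect the state backend accordingly.`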
--- a/infra/clusters/platform/rancher_cluster.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-
-# Create custom managed cluster for quickstart
-resource "rancher2_cluster_v2" "quickstart_workload" {
- provider = rancher2.admin
-
- name = var.workload_cluster_name
- kubernetes_version = var.workload_kubernetes_version
-}
diff --git a/infra/clusters/platform/variables.tf b/infra/clusters/platform/variables.tf
new file mode 100644
index 0000000..353086f
--- /dev/null
+++ b/infra/clusters/platform/variables.tf
@@ -0,0 +1,47 @@
+variable "endpoints" {
+ type = map(string)
+}
+
+variable "access_key" {
+ type = string
+ sensitive = true
+}
+
+variable "secret_key" {
+ type = string
+ sensitive = true
+}
+
+variable "bucket" {
+ type = string
+}
+
+variable "key" {
+ type = string
+}
+
+variable "region" {
+ type = string
+}
+
+variable "minio_server" {
+ type = string
+}
+
+variable "vault_addr" {
+ type = string
+}
+
+variable "vault_token" {
+ type = string
+ sensitive = true
+}
+
+variable "node_ip" {
+ type = string
+}
+
+variable "node_username" {
+ type = string
+ default = "root"
+}
\ No newline at end of file
diff --git a/infra/clusters/platform/vault.tf b/infra/clusters/platform/vault.tf
new file mode 100644
index 0000000..0765de7
--- /dev/null
+++ b/infra/clusters/platform/vault.tf
@@ -0,0 +1,14 @@
+provider "vault" {
+ address = var.vault_addr
+ token = var.vault_token
+}
+
+data "vault_kv_secret_v2" "hcloud" {
+ mount = "management"
+ name = "hcloud"
+}
+
+data "vault_kv_secret_v2" "rancher" {
+ mount = "management"
+ name = "rancher"
+}
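Review bot: None of the eleven variables in variables.tf carries a `description`, so a reader of `variable "endpoints"` or `variable "key"` cannot tell what they configure or where the value is expected to come from. As far as this diff shows, `endpoints`, `key`, `node_ip` and `node_username` have no consumer in the new helm.tf, minio.tf or vault.tf, so either a description naming the intended use or deferring them until a consumer exists would keep the interface honest. The `sensitive = true` markings on `access_key`, `secret_key` and `vault_token` are right; a description on each of those should still say which system the credential belongs to, e.g. `description = "MinIO access key used by the minio provider to read the platform bucket"`.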
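Review bot: The token passed on the `token` line of `provider "vault"` must be able to read both `management/hcloud` and `management/rancher`, whereas the bootstrap module this commit deletes created a dedicated `platform` mount and `platform` policy (and the removed output.tf exported a `vault_token.platform` client token), so the platform stack now appears to run with a token scoped to the shared `management` mount instead of its own; the deleted policy body is not legible in this patch, so the previous scope is inferred. If that widening is intended, a comment on the provider block stating which Vault policy the supplied token is expected to carry, and that its TTL should be short since the value is supplied per run, would document the decision; if not, the two data sources could read from the `platform` mount. The two data sources are also not referenced anywhere in this diff, so a comment naming their intended consumer would help.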