diff --git a/infra/modules/argocd/main.tf b/infra/modules/argocd/main.tf
index 091ab39..805e029 100644
--- a/infra/modules/argocd/main.tf
+++ b/infra/modules/argocd/main.tf
@@ -59,6 +59,7 @@ resource "helm_release" "argocd" {
 oauth_client_id = var.oauth_client_id,
 oauth_client_secret = var.oauth_client_secret,
 oauth_redirect_uri = var.oauth_redirect_uri
+ tls = var.tls
 })
 ]
 }
diff --git a/infra/modules/argocd/values.yaml b/infra/modules/argocd/values.yaml
index d838682..0041e9f 100644
--- a/infra/modules/argocd/values.yaml
+++ b/infra/modules/argocd/values.yaml
@@ -42,14 +42,27 @@ server:
 hostname: ${ service_uri }
 annotations:
 kubernetes.io/ingress.class: traefik
+ %{ if tls }
 traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
 traefik.ingress.kubernetes.io/router.middlewares: default-redirect-to-https@kubernetescrd,default-preserve-host-headers@kubernetescrd
+ %{ else }
+ traefik.ingress.kubernetes.io/router.entrypoints: web
+ traefik.ingress.kubernetes.io/router.middlewares: default-preserve-host-headers@kubernetescrd
+ %{ endif }
+ %{ if tls }
 extraTls:
 - hosts:
 - ${ service_uri }
 secretName: argocd-tls
+ %{ endif }
 config:
+ rbac: |
+ scopes: '[groups]'
+ "policy.csv": |
+ g, admin, role:admin
+ g, user, role:readonly
+ "policy.default": ''
 %{ if oauth_uri != null }
 dex.config: |
 connectors:
@@ -57,9 +70,9 @@ server:
 id: oidc
 name: OIDC
 config:
- issuer: ${ oauth_issuer }
- clientID: ${ oauth_client_id }
- clientSecret: ${ oauth_client_secret }
+ issuer: "${ oauth_issuer }"
+ clientID: "${ oauth_client_id }"
+ clientSecret: "${ oauth_client_secret }"
 insecureSkipEmailVerified: true
 insecureEnableGroups: true
 scopes:
@@ -67,6 +80,7 @@ server:
 - email
 - openid
 - groups
+ logoutURL: "${ oauth_redirect_uri }"
 claimMapping:
 name: fullName # ArgoCD expects 'name', FusionAuth provides 'fullName'
 preferred_username: email
diff --git a/infra/modules/argocd/variables.tf b/infra/modules/argocd/variables.tf
index 69cc207..4311573 100644
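Review bot: With `tls` defaulting to `false` in variables.tf, the new `%{ else }` branch serves the Argo CD ingress on the plain `web` entrypoint with no HTTPS redirect and no `extraTls`, whereas the context lines show both were previously unconditional; any caller that does not set `tls = true` silently downgrades the OIDC login and the Argo CD session to cleartext on upgrade, so the variable should default to `true` or at least carry a `description` stating the downgrade. In the new `rbac:` block the `|` turns everything nested under it into one literal string rather than a map; if `scopes`, `policy.csv` and `policy.default` are meant as separate keys (indentation is not recoverable here), drop the `|`: `rbac:` / `scopes: '[groups]'` / `"policy.csv": |`. Note also that `g, admin, role:admin` grants full admin to any identity whose IdP `groups` claim contains the literal `admin`, and the pre-existing `insecureSkipEmailVerified: true` admits unverified accounts into that mapping, so the group name deserves a comment marking it as a deployment-specific value to confirm against the IdP.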
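Review bot: `clientSecret: "${ oauth_client_secret }"` still renders the OIDC client secret verbatim into the `dex.config` value that this template feeds into the Argo CD config, so the quoting fixes the YAML but leaves the secret readable by anyone who can read the rendered values or the resulting ConfigMap, and it also lands in the Helm release and Terraform state. Argo CD supports `$<key>` references inside `dex.config` that are resolved from `argocd-secret`, so a safer shape is to store the value there and write `clientSecret: $oidc.clientSecret`. The `dex.config` block this hunk edits starts outside the hunk.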
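Review bot: `logoutURL: "${ oauth_redirect_uri }"` interpolates a variable whose declared default is `null` (variables.tf, further down this diff) into a string, while the surrounding `%{ if oauth_uri != null }` guard only checks `oauth_uri`; `templatefile` rejects a null inside a string template, so a caller that sets `oauth_uri` but leaves `oauth_redirect_uri` unset now fails at plan time. Wrap the line, e.g. `%{ if oauth_redirect_uri != null }` / `logoutURL: "${ oauth_redirect_uri }"` / `%{ endif }`, and add a comment explaining why the redirect URI doubles as the post-logout URL if that reuse is intended. The `dex.config` block continues outside the hunk.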
--- a/infra/modules/argocd/variables.tf
+++ b/infra/modules/argocd/variables.tf
@@ -64,3 +64,8 @@ variable "oauth_redirect_uri" {
 description = "OAuth redirect URI"
 default = null
 }
+
+variable "tls" {
+ type = bool
+ default = false
+}
diff --git a/infra/modules/homepage/values.yaml.tftpl b/infra/modules/homepage/values.yaml.tftpl
index 8c40e6e..9b86d45 100644
--- a/infra/modules/homepage/values.yaml.tftpl
+++ b/infra/modules/homepage/values.yaml.tftpl
@@ -4,21 +4,6 @@ config:
 - Github:
 - abbr: GH
 href: https://github.com/
- services:
- - My First Group:
- - My First Service:
- href: http://localhost/
- description: Homepage is awesome
- - My Second Group:
- - My Second Service:
- href: http://localhost/
- description: Homepage is the best
- - My Third Group:
- - My Third Service:
- href: http://localhost/
- description: Homepage is 😎
 widgets:
 # show the kubernetes widget, with the cluster summary and individual nodes
 - kubernetes:
diff --git a/infra/modules/minio/main.tf b/infra/modules/minio/main.tf
index 4873dd8..cf2be2f 100644
--- a/infra/modules/minio/main.tf
+++ b/infra/modules/minio/main.tf
@@ -58,6 +58,7 @@ resource "helm_release" "minio" {
 admin = var.admin,
 tls = var.mode == "distributed" ? false : var.tls
 ingressClass = var.ingressClass
+ displayOnHomepage = var.displayOnHomepage
 })
 ]
 }
@@ -66,3 +67,13 @@ output "installed" {
 value = true
 depends_on = [helm_release.minio]
 }
+
+output "access_key" {
+ value = random_password.minio_access_key.result
+ sensitive = true
+}
+
+output "secret_key" {
+ value = random_password.minio_secret_key.result
+ sensitive = true
+}
diff --git a/infra/modules/minio/values.yaml.tftpl b/infra/modules/minio/values.yaml.tftpl
index 0fe6965..68568d3 100644
--- a/infra/modules/minio/values.yaml.tftpl
+++ b/infra/modules/minio/values.yaml.tftpl
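Review bot: The new `access_key` and `secret_key` outputs expose what appear, from the resource names `random_password.minio_access_key` and `random_password.minio_secret_key`, to be the MinIO root credentials; `sensitive = true` only redacts plan and apply output, the values still sit in cleartext in the state file and in the state of every root module that consumes them. If consumers only need bucket access, consider provisioning a scoped user or policy inside the module and outputting those credentials instead. At minimum add a `description` to each output naming which identity the key pair belongs to, e.g. `description = "Root access key for the MinIO deployment; grants full administrative access"`.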
@@ -22,6 +22,13 @@ ingress:
 ingress.kubernetes.io/proxy-body-size: "0"
 nginx.ingress.kubernetes.io/proxy-body-size: "0"
 %{ endif }
+ %{ if displayOnHomepage }
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/name: "Minio"
+ gethomepage.dev/description: "S3-Compatible cloud storage"
+ gethomepage.dev/group: "Tools"
+ gethomepage.dev/icon: "minio.png"
+ %{ endif }
 apiIngress:
 enabled: true
diff --git a/infra/modules/minio/variables.tf b/infra/modules/minio/variables.tf
index e4c0dfd..5b72ab1 100644
--- a/infra/modules/minio/variables.tf
+++ b/infra/modules/minio/variables.tf
@@ -61,7 +61,11 @@ variable "ingressClass" {
 }
 variable "storageSize" {
- type = string
+ type = string
 default = "6Gi"
 }
+variable "displayOnHomepage" {
+ type = bool
+ default = false
+}
diff --git a/infra/modules/mongodb/main.tf b/infra/modules/mongodb/main.tf
index 5b16d72..7110384 100644
--- a/infra/modules/mongodb/main.tf
+++ b/infra/modules/mongodb/main.tf
@@ -56,3 +56,16 @@ output "installed" {
 value = true
 depends_on = [helm_release.mongodb]
 }
+
+output "connection_string" {
+ value = format(
+ "mongodb://%s:%s@%s/%s?replicaSet=rs0&authSource=admin",
+ "root",
+ random_password.mongodb_root_password.result,
+ join(",", [
+ for i in range(var.replicas) :format("mongodb-%d.mongodb-headless.mongodb.svc.cluster.local:27017", i)
+ ]),
+ "admin"
+ )
+ sensitive = true
+}
diff --git a/infra/modules/mongodb/values.yaml b/infra/modules/mongodb/values.yaml
index 86acfeb..b0a4614 100644
--- a/infra/modules/mongodb/values.yaml
+++ b/infra/modules/mongodb/values.yaml
@@ -16,14 +16,14 @@ mongodb:
 readinessProbe:
 initialDelaySeconds: 30
 periodSeconds: 10
- timeoutSeconds: 5
+ timeoutSeconds: 15
 failureThreshold: 3
 successThreshold: 1
 livenessProbe:
 initialDelaySeconds: 60
 periodSeconds: 20
- timeoutSeconds: 15
+ timeoutSeconds: 15
 failureThreshold: 6
 # Proper shutdown handling
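Review bot: `random_password.mongodb_root_password.result` is spliced into the `mongodb://` URI without percent-encoding, so a generated password containing `@`, `:`, `/`, `?`, `#` or `%` (the resource's `special` setting is outside this hunk, so whether that can happen is not visible here) produces a URI that drivers parse at the wrong `@` or reject outright; wrap it as `urlencode(random_password.mongodb_root_password.result)`. The same applies to `${random_password.password.result}` in the new `connection_string` output in rabbitmq/main.tf at the end of this diff. The string also hard-wires the `root` account with `authSource=admin`, so every consumer of this output receives cluster-wide admin rather than a per-database user; a `description` stating that, and ideally a per-database variant, would help callers choose the right one.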
@@ -55,3 +55,11 @@ auth:
 - ${ database }
 %{ endfor ~}
 %{ endif }
+
+resources:
+ limits:
+ cpu: 1000m
+ memory: 1.5Gi
+ requests:
+ cpu: 500m
+ memory: 1Gi
diff --git a/infra/modules/postgresql/main.tf b/infra/modules/postgresql/main.tf
index 0e2ef9f..5de514b 100644
--- a/infra/modules/postgresql/main.tf
+++ b/infra/modules/postgresql/main.tf
@@ -1,4 +1,6 @@
 resource "kubernetes_namespace" "postgresql" {
+ count = var.enabled ? 1 : 0
+
 metadata {
 name = var.namespace
 }
@@ -9,21 +11,32 @@ resource "kubernetes_namespace" "postgresql" {
 }
 resource "random_password" "postgresql_user_password" {
- length = 40
- special = true
+ length = 40
+ special = true
+ override_special = "!#$%&*()-_=+[]{}<>:?"
+ min_special = 2
+ min_upper = 2
+ min_lower = 2
+ min_numeric = 2
 }
 resource "random_password" "postgresql_root_password" {
- length = 40
- special = true
+ length = 40
+ special = true
+ override_special = "!#$%&*()-_=+[]{}<>:?"
+ min_special = 2
+ min_upper = 2
+ min_lower = 2
+ min_numeric = 2
 }
 resource "kubernetes_secret" "postgresql_auth" {
- type = "generic"
+ count = var.enabled ? 1 : 0
+ type = "generic"
 depends_on = [var.wait_on]
 metadata {
 name = "postgresql-auth"
- namespace = kubernetes_namespace.postgresql.metadata.0.name
+ namespace = kubernetes_namespace.postgresql[count.index].metadata.0.name
 }
 data = {
@@ -33,11 +46,12 @@ resource "kubernetes_secret" "postgresql_auth" {
 }
 resource "helm_release" "postgresql" {
+ count = var.enabled ? 1 : 0
 depends_on = [var.wait_on, kubernetes_secret.postgresql_auth]
 name = "postgresql"
 repository = "https://charts.bitnami.com/bitnami"
 chart = "postgresql"
- namespace = kubernetes_namespace.postgresql.metadata.0.name
+ namespace = kubernetes_namespace.postgresql[count.index].metadata.0.name
 version = "16.0.5"
 wait = true
diff --git a/infra/modules/postgresql/tenant/main.tf b/infra/modules/postgresql/tenant/main.tf
index d2cad9b..b8b3182 100644
--- a/infra/modules/postgresql/tenant/main.tf
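Review bot: Adding `count` to `kubernetes_namespace.postgresql` (and, in the following two hunks and in tenant/main.tf, to `kubernetes_secret.postgresql_auth`, `helm_release.postgresql` and `kubernetes_job.create-tenant`) changes each resource address to `…[0]`; without `moved` blocks Terraform plans a destroy and recreate of every existing instance, and deleting the namespace removes everything inside it, presumably including the database's persistent volume claim. Add one `moved` block per converted resource so the existing state is migrated in place, and a short comment on the `count` line naming `var.enabled` as the switch it implements.
```hcl
moved {
  from = kubernetes_namespace.postgresql
  to   = kubernetes_namespace.postgresql[0]
}

moved {
  from = kubernetes_secret.postgresql_auth
  to   = kubernetes_secret.postgresql_auth[0]
}

moved {
  from = helm_release.postgresql
  to   = helm_release.postgresql[0]
}
```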
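Review bot: Changing `override_special` and adding the `min_*` arguments on both `random_password` resources presumably forces replacement of the resource, which regenerates both passwords on the next apply; an already-initialised PostgreSQL data volume keeps its old credentials unless the chart re-applies the secret to existing data (not visible here), so this should be called out and tested on an existing deployment before merging. The new set `"!#$%&*()-_=+[]{}<>:?"` also includes characters that are significant in a libpq URI (`%`, `&`, `?`, `#`) and in a shell (`$`, `&`, `*`, `(`, `)`, `<`, `>`, `!`); the `data = {` block that consumes the values continues outside the hunk, so whether they are escaped there cannot be checked. Either narrow the set to punctuation that is safe unescaped, e.g. `override_special = "-_."`, or add a comment above each resource stating that every consumer applies `urlencode()` or proper quoting.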
+++ b/infra/modules/postgresql/tenant/main.tf
@@ -17,6 +17,7 @@ resource "random_password" "tenant" {
 }
 resource "kubernetes_job" "create-tenant" {
+ count = var.enabled ? 1 : 0
 depends_on = [var.wait_on]
 metadata {
@@ -108,5 +109,5 @@ output "username" {
 }
 output "job_name" {
- value = kubernetes_job.create-tenant.metadata[0].name
+ value = var.enabled ? kubernetes_job.create-tenant[0].metadata[0].name : null
 }
diff --git a/infra/modules/postgresql/tenant/variables.tf b/infra/modules/postgresql/tenant/variables.tf
index 46c3a52..bc30f8c 100644
--- a/infra/modules/postgresql/tenant/variables.tf
+++ b/infra/modules/postgresql/tenant/variables.tf
@@ -38,3 +38,8 @@ variable "k8s_config_yaml" {
 description = "Content of k8s config yaml file"
 type = string
 }
+
+variable "enabled" {
+ type = bool
+ default = true
+}
diff --git a/infra/modules/postgresql/variables.tf b/infra/modules/postgresql/variables.tf
index 3c3eb32..1e10dd0 100644
--- a/infra/modules/postgresql/variables.tf
+++ b/infra/modules/postgresql/variables.tf
@@ -16,3 +16,8 @@ variable "namespace" {
 variable "username" {
 type = string
 }
+
+variable "enabled" {
+ type = bool
+ default = true
+}
diff --git a/infra/modules/rabbitmq/main.tf b/infra/modules/rabbitmq/main.tf
index ea2d5e1..36fd0a8 100644
--- a/infra/modules/rabbitmq/main.tf
+++ b/infra/modules/rabbitmq/main.tf
@@ -41,3 +41,8 @@ output "installed" {
 value = true
 depends_on = [helm_release.rabbitmq]
 }
+
+output "connection_string" {
+ value = "rabbitmq://user:${random_password.password.result}@rabbitmq-headless.${var.namespace}.svc.cluster.local:5672/"
+ sensitive = true
+}
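Review bot: `variable "enabled"` is added without a `description` in both tenant/variables.tf and postgresql/variables.tf, and its effect is not obvious from the name: in postgresql/main.tf it gates the namespace, the auth secret and the Helm release via `count`, while the two `random_password` resources there carry no `count` and are still generated when it is false. Suggest `description = "Create the PostgreSQL namespace, auth secret and Helm release; when false nothing is deployed but the passwords are still generated and kept in state"` for the postgresql module, and `description = "Create the tenant provisioning job; when false job_name is null"` for the tenant module.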