Four-Lights
/
devops
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(infra): enhance infrastructure with Zitadel, tenant configs, and improved cluster automation #1

Merged
thomas merged 4 commits from shuttles into main 2025-04-22 16:03:51 +00:00
Conversation 0 Commits 4 Files Changed 67 +107 -29
14 changed files with 107 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 4c4e74ff8d - Show all commits

1
infra/modules/argocd/main.tf
View File

@ -59,6 +59,7 @@ resource "helm_release" "argocd" {
oauth_client_id = var.oauth_client_id, oauth_client_id = var.oauth_client_id,
oauth_client_secret = var.oauth_client_secret, oauth_client_secret = var.oauth_client_secret,
oauth_redirect_uri = var.oauth_redirect_uri oauth_redirect_uri = var.oauth_redirect_uri
tls = var.tls
}) })
] ]
} }

20
infra/modules/argocd/values.yaml
View File

@ -42,14 +42,27 @@ server:
hostname: ${ service_uri } hostname: ${ service_uri }
annotations: annotations:
kubernetes.io/ingress.class: traefik kubernetes.io/ingress.class: traefik
%{ if tls }
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-to-https@kubernetescrd,default-preserve-host-headers@kubernetescrd traefik.ingress.kubernetes.io/router.middlewares: default-redirect-to-https@kubernetescrd,default-preserve-host-headers@kubernetescrd
%{ else }
traefik.ingress.kubernetes.io/router.entrypoints: web
traefik.ingress.kubernetes.io/router.middlewares: default-preserve-host-headers@kubernetescrd
%{ endif }
%{ if tls }
extraTls: extraTls:
- hosts: - hosts:
- ${ service_uri } - ${ service_uri }
secretName: argocd-tls secretName: argocd-tls
%{ endif }
config: config:
rbac: |
scopes: '[groups]'
"policy.csv": |
g, admin, role:admin
g, user, role:readonly
"policy.default": ''
%{ if oauth_uri != null } %{ if oauth_uri != null }
dex.config: | dex.config: |
connectors: connectors:
@ -57,9 +70,9 @@ server:
id: oidc id: oidc
name: OIDC name: OIDC
config: config:
issuer: ${ oauth_issuer } issuer: "${ oauth_issuer }"
clientID: ${ oauth_client_id } clientID: "${ oauth_client_id }"
clientSecret: ${ oauth_client_secret } clientSecret: "${ oauth_client_secret }"
insecureSkipEmailVerified: true insecureSkipEmailVerified: true
insecureEnableGroups: true insecureEnableGroups: true
scopes: scopes:
@ -67,6 +80,7 @@ server:
- email - email
- openid - openid
- groups - groups
logoutURL: "${ oauth_redirect_uri }"
claimMapping: claimMapping:
name: fullName # ArgoCD expects 'name', FusionAuth provides 'fullName' name: fullName # ArgoCD expects 'name', FusionAuth provides 'fullName'
preferred_username: email preferred_username: email

5
infra/modules/argocd/variables.tf
View File

@ -64,3 +64,8 @@ variable "oauth_redirect_uri" {
description = "OAuth redirect URI" description = "OAuth redirect URI"
default = null default = null
} }
variable "tls" {
type = bool
default = false
}

15
infra/modules/homepage/values.yaml.tftpl
View File

@ -4,21 +4,6 @@ config:
- Github: - Github:
- abbr: GH - abbr: GH
href: https://github.com/ href: https://github.com/
services:
- My First Group:
- My First Service:
href: http://localhost/
description: Homepage is awesome
- My Second Group:
- My Second Service:
href: http://localhost/
description: Homepage is the best
- My Third Group:
- My Third Service:
href: http://localhost/
description: Homepage is 😎
widgets: widgets:
# show the kubernetes widget, with the cluster summary and individual nodes # show the kubernetes widget, with the cluster summary and individual nodes
- kubernetes: - kubernetes:

11
infra/modules/minio/main.tf
View File

@ -58,6 +58,7 @@ resource "helm_release" "minio" {
admin = var.admin, admin = var.admin,
tls = var.mode == "distributed" ? false : var.tls tls = var.mode == "distributed" ? false : var.tls
ingressClass = var.ingressClass ingressClass = var.ingressClass
displayOnHomepage = var.displayOnHomepage
}) })
] ]
} }
@ -66,3 +67,13 @@ output "installed" {
value = true value = true
depends_on = [helm_release.minio] depends_on = [helm_release.minio]
} }
output "access_key" {
value = random_password.minio_access_key.result
sensitive = true
}
output "secret_key" {
value = random_password.minio_secret_key.result
sensitive = true
}

7
infra/modules/minio/values.yaml.tftpl
View File

@ -22,6 +22,13 @@ ingress:
ingress.kubernetes.io/proxy-body-size: "0" ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/proxy-body-size: "0"
%{ endif } %{ endif }
%{ if displayOnHomepage }
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Minio"
gethomepage.dev/description: "S3-Compatible cloud storage"
gethomepage.dev/group: "Tools"
gethomepage.dev/icon: "minio.png"
%{ endif }
apiIngress: apiIngress:
enabled: true enabled: true

6
infra/modules/minio/variables.tf
View File

@ -61,7 +61,11 @@ variable "ingressClass" {
} }
variable "storageSize" { variable "storageSize" {
type = string type = string
default = "6Gi" default = "6Gi"
} }
variable "displayOnHomepage" {
type = bool
default = false
}

13
infra/modules/mongodb/main.tf
View File

@ -56,3 +56,16 @@ output "installed" {
value = true value = true
depends_on = [helm_release.mongodb] depends_on = [helm_release.mongodb]
} }
output "connection_string" {
value = format(
"mongodb://%s:%s@%s/%s?replicaSet=rs0&authSource=admin",
"root",
random_password.mongodb_root_password.result,
join(",", [
for i in range(var.replicas) :format("mongodb-%d.mongodb-headless.mongodb.svc.cluster.local:27017", i)
]),
"admin"
)
sensitive = true
}

12
infra/modules/mongodb/values.yaml
View File

@ -16,14 +16,14 @@ mongodb:
readinessProbe: readinessProbe:
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 5 timeoutSeconds: 15
failureThreshold: 3 failureThreshold: 3
successThreshold: 1 successThreshold: 1
livenessProbe: livenessProbe:
initialDelaySeconds: 60 initialDelaySeconds: 60
periodSeconds: 20 periodSeconds: 20
timeoutSeconds: 5 timeoutSeconds: 15
failureThreshold: 6 failureThreshold: 6
# Proper shutdown handling # Proper shutdown handling
@ -55,3 +55,11 @@ auth:
- ${ database } - ${ database }
%{ endfor ~} %{ endfor ~}
%{ endif } %{ endif }
resources:
limits:
cpu: 1000m
memory: 1.5Gi
requests:
cpu: 500m
memory: 1Gi

28
infra/modules/postgresql/main.tf
View File

@ -1,4 +1,6 @@
resource "kubernetes_namespace" "postgresql" { resource "kubernetes_namespace" "postgresql" {
count = var.enabled ? 1 : 0
metadata { metadata {
name = var.namespace name = var.namespace
} }
@ -9,21 +11,32 @@ resource "kubernetes_namespace" "postgresql" {
} }
resource "random_password" "postgresql_user_password" { resource "random_password" "postgresql_user_password" {
length = 40 length = 40
special = true special = true
override_special = "!#$%&*()-_=+[]{}<>:?"
min_special = 2
min_upper = 2
min_lower = 2
min_numeric = 2
} }
resource "random_password" "postgresql_root_password" { resource "random_password" "postgresql_root_password" {
length = 40 length = 40
special = true special = true
override_special = "!#$%&*()-_=+[]{}<>:?"
min_special = 2
min_upper = 2
min_lower = 2
min_numeric = 2
} }
resource "kubernetes_secret" "postgresql_auth" { resource "kubernetes_secret" "postgresql_auth" {
type = "generic" count = var.enabled ? 1 : 0
type = "generic"
depends_on = [var.wait_on] depends_on = [var.wait_on]
metadata { metadata {
name = "postgresql-auth" name = "postgresql-auth"
namespace = kubernetes_namespace.postgresql.metadata.0.name namespace = kubernetes_namespace.postgresql[count.index].metadata.0.name
} }
data = { data = {
@ -33,11 +46,12 @@ resource "kubernetes_secret" "postgresql_auth" {
} }
resource "helm_release" "postgresql" { resource "helm_release" "postgresql" {
count = var.enabled ? 1 : 0
depends_on = [var.wait_on, kubernetes_secret.postgresql_auth] depends_on = [var.wait_on, kubernetes_secret.postgresql_auth]
name = "postgresql" name = "postgresql"
repository = "https://charts.bitnami.com/bitnami" repository = "https://charts.bitnami.com/bitnami"
chart = "postgresql" chart = "postgresql"
namespace = kubernetes_namespace.postgresql.metadata.0.name namespace = kubernetes_namespace.postgresql[count.index].metadata.0.name
version = "16.0.5" version = "16.0.5"
wait = true wait = true

3
infra/modules/postgresql/tenant/main.tf
View File

@ -17,6 +17,7 @@ resource "random_password" "tenant" {
} }
resource "kubernetes_job" "create-tenant" { resource "kubernetes_job" "create-tenant" {
count = var.enabled ? 1 : 0
depends_on = [var.wait_on] depends_on = [var.wait_on]
metadata { metadata {
@ -108,5 +109,5 @@ output "username" {
} }
output "job_name" { output "job_name" {
value = kubernetes_job.create-tenant.metadata[0].name value = var.enabled ? kubernetes_job.create-tenant[0].metadata[0].name : null
} }

5
infra/modules/postgresql/tenant/variables.tf
View File

@ -38,3 +38,8 @@ variable "k8s_config_yaml" {
description = "Content of k8s config yaml file" description = "Content of k8s config yaml file"
type = string type = string
} }
variable "enabled" {
type = bool
default = true
}

5
infra/modules/postgresql/variables.tf
View File

@ -16,3 +16,8 @@ variable "namespace" {
variable "username" { variable "username" {
type = string type = string
} }
variable "enabled" {
type = bool
default = true
}

5
infra/modules/rabbitmq/main.tf
View File

@ -41,3 +41,8 @@ output "installed" {
value = true value = true
depends_on = [helm_release.rabbitmq] depends_on = [helm_release.rabbitmq]
} }
output "connection_string" {
value = "rabbitmq://user:${random_password.password.result}@rabbitmq-headless.${var.namespace}.svc.cluster.local:5672/"
sensitive = true
}