From f9485be95b9e3b42da4b8abe4728b54bff52831d Mon Sep 17 00:00:00 2001 
From: Jordan Acosta Date: Wed, 23 Jul 2025 15:26:38 -0700 Subject: [PATCH 1/6] feat(aks-simple): add app config --- aks-simple/README.md | 3 ++ aks-simple/actions/azure-cli.toml | 48 +++++++++++++++++++ aks-simple/actions/kubectl.toml | 20 ++++++++ aks-simple/actions/test.toml | 20 ++++++++ aks-simple/components/httpbin_helm_chart.toml | 14 ++++++ aks-simple/components/httpbin_image.toml | 8 ++++ aks-simple/components/storage.toml | 14 ++++++ aks-simple/components/values/httpbin.yaml | 5 ++ aks-simple/inputs.toml | 12 +++++ aks-simple/metadata.toml | 5 ++ aks-simple/runner.toml | 6 +++ aks-simple/sandbox.tfvars | 22 +++++++++ aks-simple/sandbox.toml | 22 +++++++++ .../components/httpbin_helm_chart/Chart.yaml | 9 ++++ .../templates/deployment.yaml | 42 ++++++++++++++++ .../httpbin_helm_chart/templates/ingress.yaml | 18 +++++++ .../httpbin_helm_chart/templates/service.yaml | 15 ++++++ aks-simple/src/components/storage/data.tf | 3 ++ aks-simple/src/components/storage/main.tf | 8 ++++ .../src/components/storage/providers.tf | 3 ++ aks-simple/src/components/storage/variable.tf | 7 +++ aks-simple/src/components/storage/versions.tf | 8 ++++ aks-simple/stack.toml | 3 ++ 23 files changed, 315 insertions(+) create mode 100644 aks-simple/README.md create mode 100644 aks-simple/actions/azure-cli.toml create mode 100644 aks-simple/actions/kubectl.toml create mode 100644 aks-simple/actions/test.toml create mode 100644 aks-simple/components/httpbin_helm_chart.toml create mode 100644 aks-simple/components/httpbin_image.toml create mode 100644 aks-simple/components/storage.toml create mode 100644 aks-simple/components/values/httpbin.yaml create mode 100644 aks-simple/inputs.toml create mode 100644 aks-simple/metadata.toml create mode 100644 aks-simple/runner.toml create mode 100644 aks-simple/sandbox.tfvars create mode 100644 aks-simple/sandbox.toml create mode 100644 aks-simple/src/components/httpbin_helm_chart/Chart.yaml create mode 100644 
aks-simple/src/components/httpbin_helm_chart/templates/deployment.yaml create mode 100644 aks-simple/src/components/httpbin_helm_chart/templates/ingress.yaml create mode 100644 aks-simple/src/components/httpbin_helm_chart/templates/service.yaml create mode 100644 aks-simple/src/components/storage/data.tf create mode 100644 aks-simple/src/components/storage/main.tf create mode 100644 aks-simple/src/components/storage/providers.tf create mode 100644 aks-simple/src/components/storage/variable.tf create mode 100644 aks-simple/src/components/storage/versions.tf create mode 100644 aks-simple/stack.toml
diff --git a/aks-simple/README.md b/aks-simple/README.md new file mode 100644
index 0000000..4aee27e
--- /dev/null
+++ b/aks-simple/README.md
@@ -0,0 +1,3 @@
+# Azure EKS Simple
+
+An Azure EKS app that runs a single container.
diff --git a/aks-simple/actions/azure-cli.toml b/aks-simple/actions/azure-cli.toml new file mode 100644
index 0000000..4c61ff4
--- /dev/null
+++ b/aks-simple/actions/azure-cli.toml
@@ -0,0 +1,48 @@
+#:schema https://api.nuon.co/v1/general/config-schema?source=action
+
+name = "azure_cli"
+timeout = "1m"
+
+[[triggers]]
+type = "manual"
+
+[[steps]]
+name = "execute command"
+inline_contents = """
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+echo >&2 "installing azure cli deps..."
+apk add --no-cache --update \
+ python3 \
+ py3-pip \
+ gcc \
+ musl-dev \
+ python3-dev \
+ libffi-dev \
+ openssl-dev \
+ cargo \
+ make
+
+echo >&2 "creating a python virtualenv and installing azure cli..."
+python3 -m venv /opt/venv \
+ && . /opt/venv/bin/activate \
+ && pip install --upgrade pip \
+ && pip install --no-cache-dir azure-cli \
+ && deactivate
+
+echo >&2 "updating PATH to include azure cli..."
+ENV PATH="/opt/venv/bin:$PATH"
+
+echo >&2 "authenticating using the system-assigned managed identity..."
+az login --identity
+
+echo >&2 "executing command..."
+az $CMD
+"""
+[steps.env_vars]
+APP_ID = ""
+CLIENT_SECRET = ""
+TENANT_ID = ""
+CMD = "account show"
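Review bot: `ENV PATH="/opt/venv/bin:$PATH"` is a Dockerfile instruction, not a shell command, so under `set -eo pipefail` the step aborts with "command not found" before `az login --identity` ever runs; it should read `export PATH="/opt/venv/bin:$PATH"`. The `[steps.env_vars]` table also declares `APP_ID`, `CLIENT_SECRET` and `TENANT_ID` that the script never reads (it authenticates with the managed identity), and an empty `CLIENT_SECRET` placeholder in a public example invites someone to fill it in and commit it, so drop the three keys or replace them with a comment stating that credentials must not be placed in this file. Separately, `apk add` and `pip install azure-cli` are unpinned and `az $CMD` is expanded unquoted, so what this manual action runs under the managed identity is decided entirely by the `CMD` value at trigger time; worth a one-line comment such as `# CMD is passed to the shell verbatim; restrict who may trigger this action`.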
diff --git a/aks-simple/actions/kubectl.toml b/aks-simple/actions/kubectl.toml new file mode 100644
index 0000000..c7b6ea4
--- /dev/null
+++ b/aks-simple/actions/kubectl.toml
@@ -0,0 +1,20 @@
+#:schema https://api.nuon.co/v1/general/config-schema?source=action
+
+name = "kubectl_command"
+timeout = "1m"
+
+[[triggers]]
+type = "manual"
+
+[[steps]]
+name = "execute kubectl command"
+inline_contents = """
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+echo >&2 "executing command..."
+kubectl $CMD
+"""
+[steps.env_vars]
+CMD = "ls"
diff --git a/aks-simple/actions/test.toml b/aks-simple/actions/test.toml new file mode 100644
index 0000000..33b1f4d
--- /dev/null
+++ b/aks-simple/actions/test.toml
@@ -0,0 +1,20 @@
+#:schema https://api.nuon.co/v1/general/config-schema?source=action
+
+name = "run_shell_command"
+timeout = "1m"
+
+[[triggers]]
+type = "manual"
+
+[[steps]]
+name = "execute command using bash"
+inline_contents = """
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+echo >&2 "executing command..."
+$CMD
+"""
+[steps.env_vars]
+CMD = "ls"
diff --git a/aks-simple/components/httpbin_helm_chart.toml b/aks-simple/components/httpbin_helm_chart.toml new file mode 100644
index 0000000..f4bca31
--- /dev/null
+++ b/aks-simple/components/httpbin_helm_chart.toml
@@ -0,0 +1,14 @@
+#:schema https://api.nuon.co/v1/general/config-schema?source=helm
+name = "httpbin_helm_chart"
+type = "helm_chart"
+chart_name = "httpbin"
+namespace = "{{.nuon.install.id}}"
+storage_driver = "configmap"
+
+[public_repo]
+repo = "nuonco/example-app-configs"
+directory = "aks-simple/src/components/httpbin_helm_chart"
+branch = "ja/pro-1515-https-cert-component"
+
+[[values_file]]
+contents = "./values/httpbin.yaml"
diff --git a/aks-simple/components/httpbin_image.toml b/aks-simple/components/httpbin_image.toml new file mode 100644
index 0000000..96d7481
--- /dev/null
+++ b/aks-simple/components/httpbin_image.toml
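Review bot: The default `CMD = "ls"` is not a kubectl subcommand, so triggering this action unchanged fails at `kubectl $CMD`; `CMD = "get pods"` would make the shipped default runnable. Because `$CMD` is expanded unquoted and never validated, both this action and `run_shell_command` in test.toml (same physical line) execute whatever the `CMD` environment variable holds at trigger time with the runner's cluster credentials; a comment above `[steps.env_vars]` such as `# CMD is passed to the shell verbatim; restrict who may trigger this action` makes that visible to anyone copying the example.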
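Review bot: `branch = "ja/pro-1515-https-cert-component"` pins the chart source in a public repo to a personal feature branch, a mutable reference that will change or disappear underneath existing installs; storage.toml on the next physical line carries the same pin. Point both at `main`, or better an immutable tag or commit once the branch merges, so the bits an install pulls can be reproduced later.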
@@ -0,0 +1,8 @@
+#:schema https://api.nuon.co/v1/general/config-schema?source=container_image
+
+name = "image_httpbin"
+type = "container_image"
+
+[public]
+image_url = "kennethreitz/httpbin"
+tag = "latest"
diff --git a/aks-simple/components/storage.toml b/aks-simple/components/storage.toml new file mode 100644
index 0000000..778b6de
--- /dev/null
+++ b/aks-simple/components/storage.toml
@@ -0,0 +1,14 @@
+#:schema https://api.nuon.co/v1/general/config-schema?source=terraform_module
+
+name = "storage"
+type = "terraform_module"
+terraform_version = "1.11.3"
+
+[public_repo]
+repo = "nuonco/example-app-configs"
+directory = "aks-simple/src/components/storage"
+branch = "ja/pro-1515-https-cert-component"
+
+[vars]
+name = "jalocalazureaks022"
+resource_group_name = "{{.nuon.install_stack.outputs.resource_group_name}}"
diff --git a/aks-simple/components/values/httpbin.yaml b/aks-simple/components/values/httpbin.yaml new file mode 100644
index 0000000..e87f7f8
--- /dev/null
+++ b/aks-simple/components/values/httpbin.yaml
@@ -0,0 +1,5 @@
+image:
+ repository: "{{ .nuon.sandbox.outputs.acr.login_server}}/{{ .nuon.components.image_httpbin.outputs.image.repository }}"
+ tag: "{{ .nuon.components.image_httpbin.outputs.image.tag }}"
+deployment:
+ namespace: "{{ .nuon.install.id }}"
diff --git a/aks-simple/inputs.toml b/aks-simple/inputs.toml new file mode 100644
index 0000000..3b470b0
--- /dev/null
+++ b/aks-simple/inputs.toml
@@ -0,0 +1,12 @@
+#:schema https://api.nuon.co/v1/general/config-schema?source=inputs
+[[group]]
+name = "dns"
+description = "DNS Configrations"
+display_name = "Configurations for the root domain for Route53"
+
+[[input]]
+name = "root_domain"
+description = "The root domain. Services will be made available at subdomains of this root domain."
+default = "byoc.for.everyone.example.com"
+display_name = "Root Domain"
+group = "dns"
diff --git a/aks-simple/metadata.toml b/aks-simple/metadata.toml new file mode 100644
index 0000000..afb4b6c
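Review bot: `tag = "latest"` on a public image is a mutable reference, so the bits an install deploys change whenever upstream pushes and cannot be reproduced or audited afterwards; pin an immutable version tag or a digest. The same applies to `tag: "latest"` for `traefik/whoami` in components/values/whoami.yaml added by the second patch.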
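Review bot: `name = "jalocalazureaks022"` hard-codes the storage account name, and Azure storage account names are globally unique, so a second install of this app (or whoever claims the name first) makes the component fail on create. Derive it from the install instead, e.g. `name = "st{{.nuon.install.id}}"`, keeping in mind the 3–24 lowercase-letters-and-digits limit may require lowercasing or truncating the id; the `resource_group_name` wiring from the install stack is fine.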
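Review bot: `description = "DNS Configrations"` and `display_name = "Configurations for the root domain for Route53"` look swapped — the short label sits in `description` and the sentence in `display_name` — and Route53 is the AWS DNS service, which does not match an Azure AKS app. `display_name = "DNS Configuration"` with `description = "Configuration for the root domain services are published under."` (or similar, without the Route53 reference) reads correctly; the `example.com` default for `root_domain` is a sensible placeholder since that domain is reserved.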
--- /dev/null
+++ b/aks-simple/metadata.toml
@@ -0,0 +1,5 @@
+version = "v2"
+
+description = "An Azure EKS app that runs a single container."
+display_name = "Azure AKS Simple"
+readme = "./README.md"
diff --git a/aks-simple/runner.toml b/aks-simple/runner.toml new file mode 100644
index 0000000..ea7ca28
--- /dev/null
+++ b/aks-simple/runner.toml
@@ -0,0 +1,6 @@
+#:schema https://api.nuon.co/v1/general/config-schema?source=runner
+runner_type = "azure"
+helm_driver = "configmap"
+
+[env_vars]
+foo = "bar"
diff --git a/aks-simple/sandbox.tfvars b/aks-simple/sandbox.tfvars new file mode 100644
index 0000000..d925ca9
--- /dev/null
+++ b/aks-simple/sandbox.tfvars
@@ -0,0 +1,22 @@
+maintenance_role_eks_access_entry_policy_associations = {
+ eks_admin = {
+ policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
+ access_scope = {
+ type = "cluster"
+ }
+ }
+ eks_view = {
+ policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+ access_scope = {
+ type = "cluster"
+ }
+ }
+}
+
+additional_namespaces = ["whoami"]
+
+maintenance_cluster_role_rules_override = [{
+ "apiGroups" = ["*"]
+ "resources" = ["*"]
+ "verbs" = ["*"]
+}]
diff --git a/aks-simple/sandbox.toml b/aks-simple/sandbox.toml new file mode 100644
index 0000000..7cb9889
--- /dev/null
+++ b/aks-simple/sandbox.toml
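Review bot: `description = "An Azure EKS app that runs a single container."` names EKS, the AWS service, while `display_name` on the next line says AKS; `description = "An Azure AKS app that runs a single container."` matches the rest of the config. The README referenced by `readme` has the same EKS wording in its title and body.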
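Review bot: `[env_vars]` with `foo = "bar"` looks like a placeholder left in; presumably these variables are exported into whatever the runner executes, so a meaningless key in a public example is at best noise and at worst something copied into real configs. Either delete the table or keep it commented as documentation, e.g. `# [env_vars]` / `# KEY = "value"  # exported to runner processes`.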
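Review bot: `maintenance_cluster_role_rules_override` grants `apiGroups`, `resources` and `verbs` of `"*"`, i.e. unrestricted cluster-admin for the maintenance role, which defeats least privilege in a file other installs will copy; scope it to the resources and verbs maintenance tasks actually need, or drop the override and rely on the module default. In the access-entry map the key `eks_view` is bound to `AmazonEKSClusterAdminPolicy`, so the name promises read-only while the policy grants admin — rename it or bind the view policy. More fundamentally, every variable here (`maintenance_role_eks_access_entry_policy_associations`, `arn:aws:eks` ARNs) is AWS EKS vocabulary while sandbox.toml points at `nuonco/terraform-azure-aks-sandbox`; unless that module declares these variables Terraform will reject or ignore the file, so confirm against the module before keeping it.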
@@ -0,0 +1,22 @@
+#:schema https://api.nuon.co/v1/general/config-schema?source=sandbox
+terraform_version = "1.11.3"
+
+[public_repo]
+repo = "nuonco/terraform-azure-aks-sandbox"
+directory = "."
+branch = "main"
+
+[vars]
+cluster_name = "n-{{.nuon.install.id}}"
+enable_nuon_dns = "true"
+public_root_domain = "{{ .nuon.inputs.inputs.root_domain }}"
+internal_root_domain = "internal.{{ .nuon.inputs.inputs.root_domain }}"
+location = "{{.nuon.cloud_account.azure.location}}"
+nuon_id = "{{.nuon.install.id}}"
+vnet_name = "{{.nuon.install_stack.outputs.network_name}}"
+resource_group_name = "{{.nuon.install_stack.outputs.resource_group_name}}"
+private_subnet_names = "{{.nuon.install_stack.outputs.private_subnet_names}}"
+public_subnet_names = "{{.nuon.install_stack.outputs.public_subnet_names}}"
+
+[[var_file]]
+contents = "./sandbox.tfvars"
diff --git a/aks-simple/src/components/httpbin_helm_chart/Chart.yaml b/aks-simple/src/components/httpbin_helm_chart/Chart.yaml new file mode 100644
index 0000000..cd879f2
--- /dev/null
+++ b/aks-simple/src/components/httpbin_helm_chart/Chart.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v2
+name: httpbin
+description: A helm chart to deploy httpbin.
+type: application
+version: v0.0.1
+appVersion: "0.0.1"
+
+dependencies: []
diff --git a/aks-simple/src/components/httpbin_helm_chart/templates/deployment.yaml b/aks-simple/src/components/httpbin_helm_chart/templates/deployment.yaml new file mode 100644
index 0000000..59f0454
--- /dev/null
+++ b/aks-simple/src/components/httpbin_helm_chart/templates/deployment.yaml
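Review bot: `enable_nuon_dns = "true"` and the `*_subnet_names` variables are passed as strings, so whether the sandbox module receives a bool and lists depends on how the platform coerces `[vars]` values; if the module declares `type = bool` / `list(string)`, confirm the templated strings convert rather than failing at plan time. Recording that assumption above `[vars]`, e.g. `# every value is a templated string; the sandbox module coerces types`, would save the next reader the same check.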
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: httpbin
+ namespace: "{{ $.Values.deployment.namespace }}"
+ labels:
+ app: httpbin
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: httpbin
+ template:
+ metadata:
+ labels:
+ app: httpbin
+ spec:
+ containers:
+ - name: httpbin
+ image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}"
+ ports:
+ - containerPort: 80
+ name: http
+ resources:
+ limits:
+ cpu: ".25"
+ memory: "128Mi"
+ requests:
+ cpu: ".1"
+ memory: "64Mi"
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 80
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 80
+ initialDelaySeconds: 5
+ periodSeconds: 5
diff --git a/aks-simple/src/components/httpbin_helm_chart/templates/ingress.yaml b/aks-simple/src/components/httpbin_helm_chart/templates/ingress.yaml new file mode 100644
index 0000000..d464bf5
--- /dev/null
+++ b/aks-simple/src/components/httpbin_helm_chart/templates/ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: httpbin
+ namespace: "{{ $.Values.deployment.namespace }}"
+spec:
+ rules:
+ - host: httpbin.inlloc439c7nwaddbbc3oduuk0.nuon.run
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: httpbin
+ port:
+ number: 80
+ ingressClassName: nginx
diff --git a/aks-simple/src/components/httpbin_helm_chart/templates/service.yaml b/aks-simple/src/components/httpbin_helm_chart/templates/service.yaml new file mode 100644
index 0000000..91d75fe
--- /dev/null
+++ b/aks-simple/src/components/httpbin_helm_chart/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: httpbin
+ namespace: "{{ $.Values.deployment.namespace }}"
+spec:
+ ports:
+ - name: http-httpbin
+ port: 80
+ protocol: TCP
+ targetPort: "http"
+ selector:
+ app: httpbin
+ sessionAffinity: None
+ type: ClusterIP
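Review bot: The `httpbin` container declares no `securityContext`, so it runs with whatever the image defaults to — typically root, a writable root filesystem and the full default capability set — and this chart is the example other installs will copy. Add a container `securityContext` as below and verify the image still starts: it binds port 80, which a non-root process may not be permitted to do, in which case keep `NET_BIND_SERVICE` or move the container to a high port. The image tag is taken from values that resolve to `latest` in components/values/httpbin.yaml, so the deployed digest is not pinned either.
```yaml
      containers:
        - name: httpbin
          # … unchanged: image, ports, resources, livenessProbe, readinessProbe …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```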
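Review bot: `host: httpbin.inlloc439c7nwaddbbc3oduuk0.nuon.run` hard-codes what appears to be one specific install's hostname into a chart template, so every other install either serves on a host it does not own or collides with this one; feed the host from values instead, e.g. a `host` key next to `deployment.namespace` in components/values/httpbin.yaml templated from `{{ .nuon.inputs.inputs.root_domain }}`. There is also no `tls` section, so unless the ingress class terminates TLS on its own this endpoint is plain HTTP — state that in a comment or add a `tls` block. `ingressClassName: nginx` assumes an nginx controller exists in the sandbox, which nothing in this series installs as far as it shows.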
diff --git a/aks-simple/src/components/storage/data.tf b/aks-simple/src/components/storage/data.tf new file mode 100644
index 0000000..812820e
--- /dev/null
+++ b/aks-simple/src/components/storage/data.tf
@@ -0,0 +1,3 @@
+data "azurerm_resource_group" "current" {
+ name = var.resource_group_name
+}
diff --git a/aks-simple/src/components/storage/main.tf b/aks-simple/src/components/storage/main.tf new file mode 100644
index 0000000..52a19d3
--- /dev/null
+++ b/aks-simple/src/components/storage/main.tf
@@ -0,0 +1,8 @@
+resource "azurerm_storage_account" "main" {
+ name = var.name
+ resource_group_name = data.azurerm_resource_group.current.name
+ location = data.azurerm_resource_group.current.location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+}
+
diff --git a/aks-simple/src/components/storage/providers.tf b/aks-simple/src/components/storage/providers.tf new file mode 100644
index 0000000..ab91b24
--- /dev/null
+++ b/aks-simple/src/components/storage/providers.tf
@@ -0,0 +1,3 @@
+provider "azurerm" {
+ features {}
+}
diff --git a/aks-simple/src/components/storage/variable.tf b/aks-simple/src/components/storage/variable.tf new file mode 100644
index 0000000..e95daf0
--- /dev/null
+++ b/aks-simple/src/components/storage/variable.tf
@@ -0,0 +1,7 @@
+variable "name" {
+ type = string
+}
+
+variable "resource_group_name" {
+ type = string
+}
diff --git a/aks-simple/src/components/storage/versions.tf b/aks-simple/src/components/storage/versions.tf new file mode 100644
index 0000000..01abed6
--- /dev/null
+++ b/aks-simple/src/components/storage/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "=4.1.0"
+ }
+ }
+}
diff --git a/aks-simple/stack.toml b/aks-simple/stack.toml new file mode 100644
index 0000000..51a1d67
--- /dev/null
+++ b/aks-simple/stack.toml
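Review bot: `azurerm_storage_account.main` sets only tier and replication and leaves exposure to provider defaults; with the azurerm 4.x pin in versions.tf that means `allow_nested_items_to_be_public` and `public_network_access_enabled` both default to true, so any container created later can be made anonymously readable and the account answers on the public endpoint. Add `allow_nested_items_to_be_public = false`, state `min_tls_version = "TLS1_2"` explicitly even though it is the current default, and decide deliberately on `public_network_access_enabled` with a comment explaining the choice; `shared_access_key_enabled = false` is worth considering once consumers use identity-based access. A trailing blank added line also ends the file with two newlines, which `terraform fmt` will flag.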
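Review bot: `variable "name"` has no description or validation, yet it becomes the storage account name, which Azure restricts to 3–24 lowercase letters and digits; a `validation` block turns the provider's late, confusing error into a clear plan-time message, and a `description` on both variables helps whoever wires them from storage.toml.
```hcl
variable "name" {
  type        = string
  description = "Storage account name: 3-24 lowercase letters and digits, globally unique."
  validation {
    condition     = can(regex("^[a-z0-9]{3,24}$", var.name))
    error_message = "name must be 3-24 lowercase letters and digits."
  }
}
# … unchanged: resource_group_name …
```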
@@ -0,0 +1,3 @@ +type = "azure-bicep" +name = "nuon-azure-aks-simple-{{.nuon.install.id}}" +description = "Install the Nuon runner in an Azure resource group to manage a BYOC deployment of your app." From 597ad40a13012286ecfce5232a52adc20a1a40a3 Mon Sep 17 00:00:00 2001 
From: Jordan Acosta Date: Fri, 25 Jul 2025 10:58:49 -0700 Subject: [PATCH 2/6] feat(aks-simple): update components --- aks-simple/actions/azure-cli.toml | 48 ----------------- aks-simple/actions/kubectl.toml | 20 ------- aks-simple/actions/simple_action.toml | 23 ++++++++ aks-simple/actions/test.toml | 20 ------- aks-simple/components/alb.toml | 21 ++++++++ aks-simple/components/certificate.toml | 16 ++++++ aks-simple/components/httpbin_helm_chart.toml | 14 ----- aks-simple/components/httpbin_image.toml | 8 --- aks-simple/components/storage.toml | 14 ----- aks-simple/components/values/httpbin.yaml | 5 -- aks-simple/components/values/whoami.yaml | 12 +++++ aks-simple/components/whoami.toml | 15 ++++++ aks-simple/inputs.toml | 3 +- aks-simple/metadata.toml | 2 + aks-simple/runner.toml | 3 +- aks-simple/sandbox.toml | 5 +- aks-simple/src/components/alb/Chart.yaml | 9 ++++ aks-simple/src/components/alb/README.md | 50 +++++++++++++++++ .../src/components/alb/templates/alb.tpl | 52 ++++++++++++++++++ .../components/alb/templates/lib/_names.tpl | 9 ++++ aks-simple/src/components/alb/values.yaml | 11 ++++ .../certificate/.terraform.lock.hcl | 25 +++++++++ .../src/components/certificate/README.md | 30 +++++++++++ aks-simple/src/components/certificate/main.tf | 53 +++++++++++++++++++ .../src/components/certificate/outputs.tf | 3 ++ .../{storage => certificate}/providers.tf | 0 .../src/components/certificate/variables.tf | 15 ++++++ .../{storage => certificate}/versions.tf | 2 +- .../templates/deployment.yaml | 42 --------------- .../httpbin_helm_chart/templates/ingress.yaml | 18 ------- .../httpbin_helm_chart/templates/service.yaml | 15 ------ aks-simple/src/components/storage/data.tf | 3 -- aks-simple/src/components/storage/main.tf | 8 --- aks-simple/src/components/storage/variable.tf | 7 --- .../src/components/sync-secrets/Chart.yaml | 9 ++++ .../templates/secret-provider-class.tpl | 25 +++++++++ .../src/components/sync-secrets/values.yaml | 2 + .../{httpbin_helm_chart => 
whoami}/Chart.yaml | 4 +- .../whoami/templates/deployment.yaml | 44 +++++++++++++++ .../components/whoami/templates/service.yaml | 15 ++++++ aks-simple/stack.toml | 2 + 41 files changed, 453 insertions(+), 229 deletions(-) delete mode 100644 aks-simple/actions/azure-cli.toml delete mode 100644 aks-simple/actions/kubectl.toml create mode 100644 aks-simple/actions/simple_action.toml delete mode 100644 aks-simple/actions/test.toml create mode 100644 aks-simple/components/alb.toml create mode 100644 aks-simple/components/certificate.toml delete mode 100644 aks-simple/components/httpbin_helm_chart.toml delete mode 100644 aks-simple/components/httpbin_image.toml delete mode 100644 aks-simple/components/storage.toml delete mode 100644 aks-simple/components/values/httpbin.yaml create mode 100644 aks-simple/components/values/whoami.yaml create mode 100644 aks-simple/components/whoami.toml create mode 100644 aks-simple/src/components/alb/Chart.yaml create mode 100644 aks-simple/src/components/alb/README.md create mode 100644 aks-simple/src/components/alb/templates/alb.tpl create mode 100644 aks-simple/src/components/alb/templates/lib/_names.tpl create mode 100644 aks-simple/src/components/alb/values.yaml create mode 100644 aks-simple/src/components/certificate/.terraform.lock.hcl create mode 100644 aks-simple/src/components/certificate/README.md create mode 100644 aks-simple/src/components/certificate/main.tf create mode 100644 aks-simple/src/components/certificate/outputs.tf rename aks-simple/src/components/{storage => certificate}/providers.tf (100%) create mode 100644 aks-simple/src/components/certificate/variables.tf rename aks-simple/src/components/{storage => certificate}/versions.tf (79%) delete mode 100644 aks-simple/src/components/httpbin_helm_chart/templates/deployment.yaml delete mode 100644 aks-simple/src/components/httpbin_helm_chart/templates/ingress.yaml delete mode 100644 aks-simple/src/components/httpbin_helm_chart/templates/service.yaml delete mode 100644 
aks-simple/src/components/storage/data.tf delete mode 100644 aks-simple/src/components/storage/main.tf delete mode 100644 aks-simple/src/components/storage/variable.tf create mode 100644 aks-simple/src/components/sync-secrets/Chart.yaml create mode 100644 aks-simple/src/components/sync-secrets/templates/secret-provider-class.tpl create mode 100644 aks-simple/src/components/sync-secrets/values.yaml rename aks-simple/src/components/{httpbin_helm_chart => whoami}/Chart.yaml (60%) create mode 100644 aks-simple/src/components/whoami/templates/deployment.yaml create mode 100644 aks-simple/src/components/whoami/templates/service.yaml diff --git a/aks-simple/actions/azure-cli.toml b/aks-simple/actions/azure-cli.toml deleted file mode 100644 index 4c61ff4..0000000 --- a/aks-simple/actions/azure-cli.toml +++ /dev/null @@ -1,48 +0,0 @@ -#:schema https://api.nuon.co/v1/general/config-schema?source=action - -name = "azure_cli" -timeout = "1m" - -[[triggers]] -type = "manual" - -[[steps]] -name = "execute command" -inline_contents = """ -#!/usr/bin/env bash - -set -eo pipefail - -echo >&2 "installing azure cli deps..." -apk add --no-cache --update \ - python3 \ - py3-pip \ - gcc \ - musl-dev \ - python3-dev \ - libffi-dev \ - openssl-dev \ - cargo \ - make - -echo >&2 "creating a python virtualenv and installing azure cli..." -python3 -m venv /opt/venv \ - && . /opt/venv/bin/activate \ - && pip install --upgrade pip \ - && pip install --no-cache-dir azure-cli \ - && deactivate - -echo >&2 "updating PATH to include azure cli..." -ENV PATH="/opt/venv/bin:$PATH" - -echo >&2 "authenticating using the system-assigned managed identity..." -az login --identity - -echo >&2 "executing command..." -az $CMD -""" -[steps.env_vars] -APP_ID = "" -CLIENT_SECRET = "" -TENANT_ID = "" -CMD = "account show" diff --git a/aks-simple/actions/kubectl.toml b/aks-simple/actions/kubectl.toml deleted file mode 100644 index c7b6ea4..0000000 --- a/aks-simple/actions/kubectl.toml +++ /dev/null 
@@ -1,20 +0,0 @@
-#:schema https://api.nuon.co/v1/general/config-schema?source=action
-
-name = "kubectl_command"
-timeout = "1m"
-
-[[triggers]]
-type = "manual"
-
-[[steps]]
-name = "execute kubectl command"
-inline_contents = """
-#!/usr/bin/env bash
-
-set -eo pipefail
-
-echo >&2 "executing command..."
-kubectl $CMD
-"""
-[steps.env_vars]
-CMD = "ls"
diff --git a/aks-simple/actions/simple_action.toml b/aks-simple/actions/simple_action.toml new file mode 100644
index 0000000..b201d8b
--- /dev/null
+++ b/aks-simple/actions/simple_action.toml
@@ -0,0 +1,23 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=action
+
+name = "simple_demonstration"
+timeout = "1m"
+
+[[triggers]]
+type = "post-provision"
+
+[[triggers]]
+type = "manual"
+
+[[steps]]
+name = "create secrets in cluster"
+inline_contents = """
+#!/usr/bin/env sh
+password=`openssl rand -hex 12`
+kubectl create -n whoami secret generic whoami \
+ --save-config \
+ --dry-run=client \
+ --from-literal=value="$password" \
+ -o yaml | kubectl apply -f -
+"""
+
diff --git a/aks-simple/actions/test.toml b/aks-simple/actions/test.toml deleted file mode 100644
index 33b1f4d..0000000
--- a/aks-simple/actions/test.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-#:schema https://api.nuon.co/v1/general/config-schema?source=action
-
-name = "run_shell_command"
-timeout = "1m"
-
-[[triggers]]
-type = "manual"
-
-[[steps]]
-name = "execute command using bash"
-inline_contents = """
-#!/usr/bin/env bash
-
-set -eo pipefail
-
-echo >&2 "executing command..."
-$CMD
-"""
-[steps.env_vars]
-CMD = "ls"
diff --git a/aks-simple/components/alb.toml b/aks-simple/components/alb.toml new file mode 100644
index 0000000..f2aaa19
--- /dev/null
+++ b/aks-simple/components/alb.toml
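Review bot: The secret-creating script runs under `#!/usr/bin/env sh` with no `set -eu`, so if `openssl` is missing or fails, `password` is empty and `kubectl apply` still writes the `whoami` secret with an empty `value`; add `set -eu` after the shebang and `[ -n "$password" ] || exit 1` before the kubectl pipeline. The action also fires on both `post-provision` and `manual`, and `kubectl apply` overwrites the existing secret, so every manual trigger rotates the password for whatever reads it; if that is intended say so with `# re-running this action regenerates the secret`, otherwise guard it with a `kubectl get secret -n whoami whoami` check first. The script assumes the `whoami` namespace already exists, which holds only if the whoami component is provisioned before this action runs.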
@@ -0,0 +1,21 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=helm
+
+name = "application_load_balancer"
+type = "helm_chart"
+chart_name = "application-load-balancer"
+dependencies = ["whoami"]
+
+[public_repo]
+repo = "nuonco/example-app-configs"
+directory = "aks-simple/src/components/alb"
+branch = "main"
+
+[values]
+domain_certificate = "{{.nuon.components.certificate.outputs.public_domain_certificate_arn}}"
+domain = "{{.nuon.inputs.inputs.sub_domain}}.{{.nuon.install.sandbox.outputs.nuon_dns.public_domain.name}}"
+https_port = "443"
+service_name = "whoami"
+service_port = "80"
+install_name = "{{.nuon.install.id}}"
+namespace = "whoami"
+healthcheck_path = "/health"
diff --git a/aks-simple/components/certificate.toml b/aks-simple/components/certificate.toml new file mode 100644
index 0000000..7e747b9
--- /dev/null
+++ b/aks-simple/components/certificate.toml
@@ -0,0 +1,16 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=terraform
+
+name = "certificate"
+type = "terraform_module"
+terraform_version = "1.11.3"
+
+[public_repo]
+repo = "nuonco/example-app-configs"
+directory = "aks-simple/src/components/certificate"
+branch = "main"
+
+[vars]
+install_id = "{{ .nuon.install.id }}"
+region = "{{ .nuon.install_stack.outputs.region }}"
+zone_id = "{{ .nuon.install.sandbox.outputs.nuon_dns.public_domain.zone_id }}"
+domain_name = "*.{{ .nuon.install.sandbox.outputs.nuon_dns.public_domain.name }}"
diff --git a/aks-simple/components/httpbin_helm_chart.toml b/aks-simple/components/httpbin_helm_chart.toml deleted file mode 100644
index f4bca31..0000000
--- a/aks-simple/components/httpbin_helm_chart.toml
+++ /dev/null
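Review bot: `domain` references `{{.nuon.inputs.inputs.sub_domain}}`, but the only input this series defines in inputs.toml is `root_domain`, so the value renders empty or fails at template time; either add a `sub_domain` input or build the host from a fixed label and the sandbox domain. `domain_certificate` is wired to `public_domain_certificate_arn`, an AWS ACM ARN, which the Azure ingress in alb.tpl cannot consume as a TLS secret (see the note on that template). `dependencies = ["whoami"]` is right; `certificate` should presumably be listed as well since its output is consumed here.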
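Review bot: `region = "{{ .nuon.install_stack.outputs.region }}"` and a Route53-style `zone_id` are passed to a module whose lock file pins `hashicorp/aws` and whose README describes an ACM certificate, while stack.toml is `azure-bicep` and the sandbox is AKS; as far as this series shows, the install stack exposes `resource_group_name` and `network_name` rather than `region`, and the runner is never given AWS credentials. Confirm the certificate module is really meant to run against AWS from an Azure install, or swap it for an Azure-native certificate source before this lands as an example. The wildcard `domain_name = "*.…"` also means one key covers every subdomain, which is fine for a demo but deserves a `# wildcard: one key for all subdomains` comment.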
@@ -1,14 +0,0 @@ -#:schema https://api.nuon.co/v1/general/config-schema?source=helm -name = "httpbin_helm_chart" -type = "helm_chart" -chart_name = "httpbin" -namespace = "{{.nuon.install.id}}" -storage_driver = "configmap" - -[public_repo] -repo = "nuonco/example-app-configs" -directory = "aks-simple/src/components/httpbin_helm_chart" -branch = "ja/pro-1515-https-cert-component" - -[[values_file]] -contents = "./values/httpbin.yaml" diff --git a/aks-simple/components/httpbin_image.toml b/aks-simple/components/httpbin_image.toml deleted file mode 100644 index 96d7481..0000000 --- a/aks-simple/components/httpbin_image.toml +++ /dev/null @@ -1,8 +0,0 @@ -#:schema https://api.nuon.co/v1/general/config-schema?source=container_image - -name = "image_httpbin" -type = "container_image" - -[public] -image_url = "kennethreitz/httpbin" -tag = "latest" diff --git a/aks-simple/components/storage.toml b/aks-simple/components/storage.toml deleted file mode 100644 index 778b6de..0000000 --- a/aks-simple/components/storage.toml +++ /dev/null @@ -1,14 +0,0 @@ -#:schema https://api.nuon.co/v1/general/config-schema?source=terraform_module - -name = "storage" -type = "terraform_module" -terraform_version = "1.11.3" - -[public_repo] -repo = "nuonco/example-app-configs" -directory = "aks-simple/src/components/storage" -branch = "ja/pro-1515-https-cert-component" - -[vars] -name = "jalocalazureaks022" -resource_group_name = "{{.nuon.install_stack.outputs.resource_group_name}}" diff --git a/aks-simple/components/values/httpbin.yaml b/aks-simple/components/values/httpbin.yaml deleted file mode 100644 index e87f7f8..0000000 --- a/aks-simple/components/values/httpbin.yaml +++ /dev/null @@ -1,5 +0,0 @@ -image: - repository: "{{ .nuon.sandbox.outputs.acr.login_server}}/{{ .nuon.components.image_httpbin.outputs.image.repository }}" - tag: "{{ .nuon.components.image_httpbin.outputs.image.tag }}" -deployment: - namespace: "{{ .nuon.install.id }}" 
diff --git a/aks-simple/components/values/whoami.yaml b/aks-simple/components/values/whoami.yaml new file mode 100644
index 0000000..f655a44
--- /dev/null
+++ b/aks-simple/components/values/whoami.yaml
@@ -0,0 +1,12 @@
+---
+namespace: "whoami"
+
+image:
+ tag: "latest"
+ repository: "traefik/whoami"
+
+deployment:
+ containerPort: 8000
+
+service:
+ port: 80
diff --git a/aks-simple/components/whoami.toml b/aks-simple/components/whoami.toml new file mode 100644
index 0000000..2ea7ed1
--- /dev/null
+++ b/aks-simple/components/whoami.toml
@@ -0,0 +1,15 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=helm
+
+name = "whoami"
+type = "helm_chart"
+chart_name = "whoami"
+namespace = "whoami"
+storage_driver = "configmap"
+
+[public_repo]
+repo = "nuonco/example-app-configs"
+directory = "aks-simple/src/components/whoami"
+branch = "main"
+
+[[values_file]]
+contents = "./values/whoami.yaml"
diff --git a/aks-simple/inputs.toml b/aks-simple/inputs.toml
index 3b470b0..b042482 100644
--- a/aks-simple/inputs.toml
+++ b/aks-simple/inputs.toml
@@ -1,4 +1,5 @@
-#:schema https://api.nuon.co/v1/general/config-schema?source=inputs
+#:schema https://api.nuon.co/v1/general/config-schema?type=inputs
+
+[[group]]
+name = "dns"
+description = "DNS Configrations"
diff --git a/aks-simple/metadata.toml b/aks-simple/metadata.toml
index afb4b6c..f0cb1e2 100644
--- a/aks-simple/metadata.toml
+++ b/aks-simple/metadata.toml
@@ -1,3 +1,5 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=metadata
+
+version = "v2"
+
+description = "An Azure EKS app that runs a single container."
diff --git a/aks-simple/runner.toml b/aks-simple/runner.toml
index ea7ca28..626a4e4 100644
--- a/aks-simple/runner.toml
+++ b/aks-simple/runner.toml
@@ -1,4 +1,5 @@
-#:schema https://api.nuon.co/v1/general/config-schema?source=runner
+#:schema https://api.nuon.co/v1/general/config-schema?type=runner
+
+runner_type = "azure"
+helm_driver = "configmap"
diff --git a/aks-simple/sandbox.toml b/aks-simple/sandbox.toml
index 7cb9889..12b58eb 100644
--- a/aks-simple/sandbox.toml
+++ b/aks-simple/sandbox.toml
@@ -1,10 +1,11 @@
-#:schema https://api.nuon.co/v1/general/config-schema?source=sandbox
+#:schema https://api.nuon.co/v1/general/config-schema?type=sandbox
+
+terraform_version = "1.11.3"
+
+[public_repo]
+repo = "nuonco/terraform-azure-aks-sandbox"
+directory = "."
-branch = "main"
+branch = "ja/pro-1522-whoami-app-config"
+
+[vars]
+cluster_name = "n-{{.nuon.install.id}}"
diff --git a/aks-simple/src/components/alb/Chart.yaml b/aks-simple/src/components/alb/Chart.yaml new file mode 100644
index 0000000..102c274
--- /dev/null
+++ b/aks-simple/src/components/alb/Chart.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v2
+name: application-load-balancer
+description: A helm chart to create an alb.
+type: application
+version: v0.0.1
+appVersion: "0.0.1"
+
+dependencies: []
diff --git a/aks-simple/src/components/alb/README.md b/aks-simple/src/components/alb/README.md new file mode 100644
index 0000000..070d32e
--- /dev/null
+++ b/aks-simple/src/components/alb/README.md
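Review bot: `branch = "ja/pro-1522-whoami-app-config"` moves the sandbox module source from `main` to a personal feature branch, a mutable reference whose deletion or force-push silently changes the infrastructure every new install provisions; keep `main`, or pin an immutable tag or commit once the branch lands. If the pin has to stay temporarily, say so next to it, e.g. `# TEMP: pinned until <branch> merges`, so it is not copied as the example default.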
@@ -0,0 +1,50 @@ +# ALB + +Component to provision an ingress w/ annotations to make use of an AWS +Certificate Manager SSL Certificate via the +['certificate' component](../certificate). + +## Inputs/Variables + +| Variable | Description | Example | +| -------------------- | ------------------------------------------------------- | ------------------------------------------------------------------------ | +| `install_name` | Typically, the install id. | `{{.nuon.install.id}}` | +| `name` | The name for the ingress. | `service-name`, `api`, `` | +| `domain` | The ID of the zone. Can be sourced from the sandbox. | `{{.nuon.install.sandbox.outputs.public_domain.name}}` | +| `domain_certificate` | AWS Cerficate Manager Certificate ARN. | `{{.nuon.components.certificate.outputs.public_domain_certificate_arn}}` | +| `https_port` | port to use for https. | `443` (default: `443`) | +| `service_name` | The name of the service this ingress routes traffic to. | `api` | +| `service_port` | The port of the service this ingress routes traffic to. | `3000` (default: `3000`) | +| `healthcheck_path` | healthcheck path | `/livez`, `/readyz`, `/health` (default: `/livez`) | + +Notes + +- if no `name` is provided, `{install_name}-pubulic` will be used. +- if no `healtcheck_path` is provided the default `/livez` will be used. + +## Example Configuration + +```toml +name = "application_load_balancer" +type = "helm_chart" +chart_name = "application-load-balancer" + +[public_repo] +repo = "nuonco/components" +directory = "aws/alb" +branch = "main" + +[values] +domain_certificate = "{{.nuon.components.certificate.outputs.public_domain_certificate_arn}}" +domain = "api.{{.nuon.install.sandbox.outputs.public_domain.name}}" +https_port = "443" +service_name = "api" +service_port = "api" +install_name = "{{.nuon.install.id}}" +``` + +## Note + +This component depends on outputs of the +[`certificate` component](../certificate). 
It is important to note, the
+`domain_name` of the certificate component should match the `domain` value here.
diff --git a/aks-simple/src/components/alb/templates/alb.tpl b/aks-simple/src/components/alb/templates/alb.tpl new file mode 100644
index 0000000..9f91f3f
--- /dev/null
+++ b/aks-simple/src/components/alb/templates/alb.tpl
@@ -0,0 +1,52 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "common.name" . }}
+ annotations:
+ kubernetes.io/ingress.class: azure/application-gateway
+spec:
+ tls:
+ - hosts:
+ - {{ .Values.domain }}
+ - secretName:
+ rules:
+ - host: {{ .Values.domain }}
+ http:
+ paths:
+ - backend:
+ serviceName: {{ .Values.service_name }}
+ servicePort: {{ .Values.service_port | default "3000" }}
+
+# ---
+# apiVersion: networking.k8s.io/v1
+# kind: Ingress
+# metadata:
+# name: {{ include "common.name" . }}
+# namespace: {{ .Values.namespace }}
+# labels:
+# app.nuon.co/install: {{ .Values.install_name }}
+# annotations:
+# alb.ingress.kubernetes.io/scheme: internet-facing
+# alb.ingress.kubernetes.io/target-type: ip
+# alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":{{ .Values.https_port | default "443" }}}]'
+# alb.ingress.kubernetes.io/aws-load-balancer-ssl-ports: https
+# alb.ingress.kubernetes.io/healthcheck-path: {{ .Values.healthcheck_path | default "/livez" | quote }}
+# alb.ingress.kubernetes.io/healthcheck-interval-seconds: '5'
+# alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '2'
+# alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
+# alb.ingress.kubernetes.io/healthy-threshold-count: '2'
+# alb.ingress.kubernetes.io/certificate-arn: {{ .Values.domain_certificate }}
+# external-dns.alpha.kubernetes.io/hostname: {{ .Values.domain }}
+# spec:
+# ingressClassName: alb
+# rules:
+# - http:
+# paths:
+# - path: /
+# pathType: Prefix
+# backend:
+# service:
+# name: {{ .Values.service_name }}
+# port:
+# number: {{ .Values.service_port | default "3000" }}
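Review bot: The live Ingress in this template will be rejected by the API server: `apiVersion: networking.k8s.io/v1` requires each path's backend as `service: {name, port}` with a `pathType`, but the hunk uses the old `serviceName`/`servicePort` form and has no `path`/`pathType`. The `tls` entry lists `- secretName:` as a valueless list item instead of a `secretName:` key alongside `hosts`, so no TLS secret is referenced and the ACM ARN passed as `domain_certificate` is never used; `metadata` also lacks `namespace`, although alb.toml sets `namespace = "whoami"` and the backend Service lives there, so the Ingress would land in the release namespace and not resolve the service. The commented-out AWS ALB variant below is dead text and should be deleted rather than kept. The rewritten lines below keep the template's annotation and values; the secret name is a labelled placeholder because an ACM ARN is not a Kubernetes TLS Secret and the real source has to be decided.
```yaml
metadata:
  name: {{ include "common.name" . }}
  namespace: {{ .Values.namespace }}
  # … unchanged: annotations …
spec:
  tls:
    - hosts:
        - {{ .Values.domain }}
      secretName: TLS_SECRET_NAME_PLACEHOLDER  # placeholder: a kubernetes.io/tls Secret in this namespace
  rules:
    - host: {{ .Values.domain }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: {{ .Values.service_name }}
                port:
                  number: {{ .Values.service_port | default "3000" }}
# … removed: commented-out AWS ALB ingress …
```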
diff --git a/aks-simple/src/components/alb/templates/lib/_names.tpl b/aks-simple/src/components/alb/templates/lib/_names.tpl new file mode 100644
index 0000000..c71945d
--- /dev/null
+++ b/aks-simple/src/components/alb/templates/lib/_names.tpl
@@ -0,0 +1,9 @@
+{{- define "common.name" -}}
+
+{{- if .Values.name }}
+{{- .Values.name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-public" .Values.install_name }}
+{{- end }}
+
+{{- end }}
diff --git a/aks-simple/src/components/alb/values.yaml b/aks-simple/src/components/alb/values.yaml new file mode 100644
index 0000000..0ee8723
--- /dev/null
+++ b/aks-simple/src/components/alb/values.yaml
@@ -0,0 +1,11 @@
+install_name: ""
+
+name: ""
+domain: ""
+domain_certificate: ""
+https_port: ""
+service_name: ""
+service_port: ""
+
+healthcheck_path: "/livez"
+namespace: ""
diff --git a/aks-simple/src/components/certificate/.terraform.lock.hcl b/aks-simple/src/components/certificate/.terraform.lock.hcl new file mode 100644
index 0000000..8e71062
--- /dev/null
+++ b/aks-simple/src/components/certificate/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.97.0"
+ constraints = ">= 4.40.0, >= 5.67.0"
+ hashes = [
+ "h1:rUDE0OgA+6IiEA+w0cPp3/QQNH4SpjFjYcQ6p7byKS4=",
+ "zh:02790ad98b767d8f24d28e8be623f348bcb45590205708334d52de2fb14f5a95",
+ "zh:088b4398a161e45762dc28784fcc41c4fa95bd6549cb708b82de577f2d39ffc7",
+ "zh:0c381a457b7af391c43fc0167919443f6105ad2702bde4d02ddea9fd7c9d3539",
+ "zh:1a4b57a5043dcca64d8b8bae8b30ef4f6b98ed2144f792f39c4e816d3f1e2c56",
+ "zh:1bf00a67f39e67664337bde065180d41d952242801ebcd1c777061d4ffaa1cc1",
+ "zh:24c549f53d6bd022af31426d3e78f21264d8a72409821669e7fd41966ae68b2b",
+ "zh:3abda50bbddb35d86081fe39522e995280aea7f004582c4af22112c03ac8b375",
+ "zh:7388ed7f21ce2eb46bd9066626ce5f3e2a5705f67f643acce8ae71972f66eaf6",
+ "zh:96740f2ff94e5df2b2d29a5035a1a1026fe821f61712b2099b224fb2c2277663",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:9f399f8e8683a3a3a6d63a41c7c3a5a5f266eedef40ea69eba75bacf03699879",
+ "zh:bcf2b288d4706ebd198f75d2159663d657535483331107f2cdef381f10688baf",
+ "zh:cc76c8a9fc3bad05a8779c1f80fe8c388734f1ec1dd0affa863343490527b466",
+ "zh:de4359cf1b057bfe7a563be93829ec64bf72e7a2b85a72d075238081ef5eb1db",
+ "zh:e208fa77051a1f9fa1eff6c5c58aabdcab0de1695b97cdea7b8dd81df3e0ed73",
+ ]
+}
diff --git a/aks-simple/src/components/certificate/README.md b/aks-simple/src/components/certificate/README.md
new file mode 100644
index 0000000..16ee742
--- /dev/null
+++ b/aks-simple/src/components/certificate/README.md
@@ -0,0 +1,30 @@
+# Certificate
+
+Component to provision an AWS Certificate Manager SSL Certificate.
+
+## Inputs/Variables
+
+| Variable | Description | Example |
+| ------------- | ---------------------------------------------------- | --------------------------------------------------------- |
+| `zone_id` | The ID of the zone. Can be sourced from the sandbox. | `{{.nuon.install.sandbox.outputs.public_domain.zone_id}}` |
+| `domain_name` | The domain name. Usually provided by the sandbox. | `{{.nuon.install.sandbox.outputs.public_domain.name}}` |
+
+## Example Configuration
+
+```toml
+name = "certificate"
+type = "terraform_module"
+terraform_version = "1.10.4"
+
+[public_repo]
+repo = "nuonco/components"
+directory = "aws/certificate"
+branch = "main"
+
+[vars]
+zone_id = "{{.nuon.install.sandbox.outputs.public_domain.zone_id}}"
+domain_name = "{{.nuon.install.sandbox.outputs.public_domain.name}}"
+# NOTE: it is also possible to use a subdomain or wildcard here.
+# domain_name = "subdomain.{{.nuon.install.sandbox.outputs.public_domain.name}}"
+# domain_name = "*.{{.nuon.install.sandbox.outputs.public_domain.name}}"
+```
diff --git a/aks-simple/src/components/certificate/main.tf b/aks-simple/src/components/certificate/main.tf
new file mode 100644
index 0000000..527f648
--- /dev/null
+++ b/aks-simple/src/components/certificate/main.tf
@@ -0,0 +1,53 @@
+resource "azurerm_key_vault_certificate" "example" {
+ name = "${var.install_id}-cert"
+ key_vault_id = var.key_vault_id
+
+ certificate_policy {
+ issuer_parameters {
+ name = "Self" # or "Unknown" for imported, or the name of a CA
+ }
+
+ key_properties {
+ exportable = true
+ key_size = 2048
+ key_type = "RSA"
+ reuse_key = true
+ }
+
+ lifetime_action {
+ action {
+ action_type = "AutoRenew"
+ }
+
+ trigger {
+ days_before_expiry = 30
+ }
+ }
+
+ secret_properties {
+ content_type = "application/x-pkcs12"
+ }
+
+ x509_certificate_properties {
+ # Server Authentication = 1.3.6.1.5.5.7.3.1
+ # Client Authentication = 1.3.6.1.5.5.7.3.2
+ extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
+
+ key_usage = [
+ "cRLSign",
+ "dataEncipherment",
+ "digitalSignature",
+ "keyAgreement",
+ "keyCertSign",
+ "keyEncipherment",
+ ]
+
+ subject_alternative_names {
+ dns_names = [var.domain_name]
+ }
+
+ subject = "CN=${var.domain_name}"
+ validity_in_months = 12
+ }
+ }
+}
diff --git a/aks-simple/src/components/certificate/outputs.tf b/aks-simple/src/components/certificate/outputs.tf
new file mode 100644
index 0000000..c612898
--- /dev/null
+++ b/aks-simple/src/components/certificate/outputs.tf
@@ -0,0 +1,3 @@
+output "public_domain_certificate_arn" {
+ value = module.certificate.acm_certificate_arn
+}
diff --git a/aks-simple/src/components/storage/providers.tf b/aks-simple/src/components/certificate/providers.tf
similarity index 100%
rename from aks-simple/src/components/storage/providers.tf
rename to aks-simple/src/components/certificate/providers.tf
diff --git a/aks-simple/src/components/certificate/variables.tf b/aks-simple/src/components/certificate/variables.tf
new file mode 100644
index 0000000..d5ec5f1
--- /dev/null
+++ b/aks-simple/src/components/certificate/variables.tf
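Review bot: `key_usage` grants `keyCertSign` and `cRLSign` to what is a leaf server certificate (`extended_key_usage` is serverAuth only); those are CA usages that should not be on an end-entity certificate, so the list should shrink to `key_usage = ["digitalSignature", "keyEncipherment"]` (plus `keyAgreement` only if a key-agreement suite is actually used). `exportable = true` together with `reuse_key = true` means the private key can be pulled out of Key Vault as PKCS#12 and is carried over across every auto-renewal; if the export is needed for the Kubernetes secret sync, a comment saying so would help, and `reuse_key = false` still lets renewals rotate the key. `issuer_parameters.name = "Self"` produces a self-signed certificate for the public domain, which browsers will not trust; if that is intended as a placeholder it deserves a comment such as `# Self-signed placeholder; switch to a CA issuer before production use`.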
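Review bot: `module.certificate.acm_certificate_arn` references a module this component never declares (main.tf in the same commit defines a single `azurerm_key_vault_certificate` resource and no `module` block), so `terraform validate` fails on this output; the export should come from the resource that is actually created, e.g. `value = azurerm_key_vault_certificate.example.secret_id`. The README added alongside also describes an AWS Certificate Manager module with `zone_id` inputs, which does not match the Azure Key Vault code, so it looks copied from another component.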
@@ -0,0 +1,15 @@
+variable "key_vault_id" {
+ type = string
+}
+
+variable "install_id" {
+ type = string
+}
+
+variable "domain_name" {
+ type = string
+}
+
+variable "zone_id" {
+ type = string
+}
diff --git a/aks-simple/src/components/storage/versions.tf b/aks-simple/src/components/certificate/versions.tf
similarity index 79%
rename from aks-simple/src/components/storage/versions.tf
rename to aks-simple/src/components/certificate/versions.tf
index 01abed6..3919de5 100644
--- a/aks-simple/src/components/storage/versions.tf
+++ b/aks-simple/src/components/certificate/versions.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "=4.1.0"
+ version = "=3.0.0"
 }
 }
 }
diff --git a/aks-simple/src/components/httpbin_helm_chart/templates/deployment.yaml b/aks-simple/src/components/httpbin_helm_chart/templates/deployment.yaml
deleted file mode 100644
index 59f0454..0000000
--- a/aks-simple/src/components/httpbin_helm_chart/templates/deployment.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: httpbin
- namespace: "{{ $.Values.deployment.namespace }}"
- labels:
- app: httpbin
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: httpbin
- template:
- metadata:
- labels:
- app: httpbin
- spec:
- containers:
- - name: httpbin
- image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}"
- ports:
- - containerPort: 80
- name: http
- resources:
- limits:
- cpu: ".25"
- memory: "128Mi"
- requests:
- cpu: ".1"
- memory: "64Mi"
- livenessProbe:
- httpGet:
- path: /
- port: 80
- initialDelaySeconds: 5
- periodSeconds: 10
- readinessProbe:
- httpGet:
- path: /
- port: 80
- initialDelaySeconds: 5
- periodSeconds: 5
diff --git a/aks-simple/src/components/httpbin_helm_chart/templates/ingress.yaml b/aks-simple/src/components/httpbin_helm_chart/templates/ingress.yaml
deleted file mode 100644
index d464bf5..0000000
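Review bot: `zone_id` is declared here but nothing in the component's main.tf (same commit) reads it, so the variable is dead and `terraform validate` will not catch a wrong value passed from certificate.toml; either wire it into the resource or drop it with `# zone_id is not used by the Key Vault certificate; kept for interface parity with the AWS component` if the interface must stay.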
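Review bot: The azurerm pin moves from `=4.1.0` to `=3.0.0`, an exact pin to the very first 3.x release, which forgoes every 3.x fix; if a 3.x provider is required, `version = "~> 3.0"` keeps the major and still allows patches, and a one-line comment on why 4.x is avoided would help. The `.terraform.lock.hcl` added in the same commit records only `hashicorp/aws 5.97.0` and no azurerm entry, so it does not correspond to this `required_providers` block and will be rewritten on the first `terraform init`.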
--- a/aks-simple/src/components/httpbin_helm_chart/templates/ingress.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: httpbin
- namespace: "{{ $.Values.deployment.namespace }}"
-spec:
- rules:
- - host: httpbin.inlloc439c7nwaddbbc3oduuk0.nuon.run
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: httpbin
- port:
- number: 80
- ingressClassName: nginx
diff --git a/aks-simple/src/components/httpbin_helm_chart/templates/service.yaml b/aks-simple/src/components/httpbin_helm_chart/templates/service.yaml
deleted file mode 100644
index 91d75fe..0000000
--- a/aks-simple/src/components/httpbin_helm_chart/templates/service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: httpbin
- namespace: "{{ $.Values.deployment.namespace }}"
-spec:
- ports:
- - name: http-httpbin
- port: 80
- protocol: TCP
- targetPort: "http"
- selector:
- app: httpbin
- sessionAffinity: None
- type: ClusterIP
diff --git a/aks-simple/src/components/storage/data.tf b/aks-simple/src/components/storage/data.tf
deleted file mode 100644
index 812820e..0000000
--- a/aks-simple/src/components/storage/data.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-data "azurerm_resource_group" "current" {
- name = var.resource_group_name
-}
diff --git a/aks-simple/src/components/storage/main.tf b/aks-simple/src/components/storage/main.tf
deleted file mode 100644
index 52a19d3..0000000
--- a/aks-simple/src/components/storage/main.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-resource "azurerm_storage_account" "main" {
- name = var.name
- resource_group_name = data.azurerm_resource_group.current.name
- location = data.azurerm_resource_group.current.location
- account_tier = "Standard"
- account_replication_type = "LRS"
-}
-
diff --git a/aks-simple/src/components/storage/variable.tf b/aks-simple/src/components/storage/variable.tf
deleted file mode 100644
index e95daf0..0000000
--- a/aks-simple/src/components/storage/variable.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-variable "name" {
- type = string
-}
-
-variable "resource_group_name" {
- type = string
-}
diff --git a/aks-simple/src/components/sync-secrets/Chart.yaml b/aks-simple/src/components/sync-secrets/Chart.yaml
new file mode 100644
index 0000000..6e1bcd4
--- /dev/null
+++ b/aks-simple/src/components/sync-secrets/Chart.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v2
+name: secrets-sync
+description: A helm chart to sync secrets.
+type: application
+version: v0.0.1
+appVersion: "0.0.1"
+
+dependencies: []
diff --git a/aks-simple/src/components/sync-secrets/templates/secret-provider-class.tpl b/aks-simple/src/components/sync-secrets/templates/secret-provider-class.tpl
new file mode 100644
index 0000000..f576442
--- /dev/null
+++ b/aks-simple/src/components/sync-secrets/templates/secret-provider-class.tpl
@@ -0,0 +1,25 @@
+---
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: azure-kv-sync
+ namespace: default
+spec:
+ provider: azure
+ secretObjects:
+ - secretName: https-cert
+ type: Opaque
+ data:
+ - objectName: https-cert
+ key: username
+ parameters:
+ usePodIdentity: "false"
+ useVMManagedIdentity: "true"
+ userAssignedIdentityID: ""
+ keyvaultName: ""
+ objects: |
+ array:
+ - |
+ objectName: foo
+ objectType: secret
+ tenantId: ""
diff --git a/aks-simple/src/components/sync-secrets/values.yaml b/aks-simple/src/components/sync-secrets/values.yaml
new file mode 100644
index 0000000..82dcada
--- /dev/null
+++ b/aks-simple/src/components/sync-secrets/values.yaml
@@ -0,0 +1,2 @@
+secrets:
+ - cert: "foo"
diff --git a/aks-simple/src/components/httpbin_helm_chart/Chart.yaml b/aks-simple/src/components/whoami/Chart.yaml
similarity index 60%
rename from aks-simple/src/components/httpbin_helm_chart/Chart.yaml
rename to aks-simple/src/components/whoami/Chart.yaml
index cd879f2..78e189f 100644
--- a/aks-simple/src/components/httpbin_helm_chart/Chart.yaml
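Review bot: The synced Kubernetes secret is declared `type: Opaque` with a single data key, but the Ingress in alb.tpl consumes it through `tls.secretName`, which requires a `kubernetes.io/tls` secret carrying `tls.crt` and `tls.key`; the Azure provider produces that when the same Key Vault object is mapped twice under `type: kubernetes.io/tls`, and the `type: Opaque` shape survives the rename to alb/templates/sync-secret.tpl in patch 3, so the fix applies there too. `useVMManagedIdentity: "true"` with an empty `userAssignedIdentityID` means the sync runs under whichever identity the node has, which is broader than a dedicated identity for this vault; patch 3 drops the key rather than filling it, so that remains worth a deliberate choice and a comment. The placeholder `objectName: foo` and `key: username` are replaced in patch 3, so they are not re-raised here.
```yaml
  secretObjects:
    - secretName: https-cert
      type: kubernetes.io/tls
      data:
        - objectName: https-cert
          key: tls.key
        - objectName: https-cert
          key: tls.crt
  # … unchanged: parameters …
```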
+++ b/aks-simple/src/components/whoami/Chart.yaml
@@ -1,7 +1,7 @@
 ---
 apiVersion: v2
-name: httpbin
-description: A helm chart to deploy httpbin.
+name: whoami
+description: A helm chart to deploy whoami.
 type: application
 version: v0.0.1
 appVersion: "0.0.1"
diff --git a/aks-simple/src/components/whoami/templates/deployment.yaml b/aks-simple/src/components/whoami/templates/deployment.yaml
new file mode 100644
index 0000000..e6f2052
--- /dev/null
+++ b/aks-simple/src/components/whoami/templates/deployment.yaml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: whoami
+ namespace: {{ .Values.namespace | default .Release.Namespace | quote }}
+ labels:
+ app: whoami
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: whoami
+ template:
+ metadata:
+ labels:
+ app: whoami
+ spec:
+ containers:
+ - name: whoami
+ image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}"
+ env:
+ - name: "WHOAMI_PORT_NUMBER"
+ value: "{{ .Values.deployment.containerPort }}"
+ ports:
+ - containerPort: {{ .Values.deployment.containerPort }}
+ resources:
+ limits:
+ cpu: ".25"
+ memory: "128Mi"
+ requests:
+ cpu: ".1"
+ memory: "64Mi"
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: {{ .Values.deployment.containerPort }}
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: {{ .Values.deployment.containerPort }}
+ initialDelaySeconds: 5
+ periodSeconds: 5
diff --git a/aks-simple/src/components/whoami/templates/service.yaml b/aks-simple/src/components/whoami/templates/service.yaml
new file mode 100644
index 0000000..5e5b742
--- /dev/null
+++ b/aks-simple/src/components/whoami/templates/service.yaml
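Review bot: The whoami container is published through a public Ingress but carries no `securityContext`, so it inherits whatever the pod security admission level of the namespace allows; a baseline of non-root, no privilege escalation, read-only root filesystem and all capabilities dropped costs nothing for a stateless echo service, assuming the image does not need root or a writable filesystem (worth confirming against the image). `.Values.image.tag` is interpolated with no default, so an unset tag renders `repository:` and fails to pull; `{{ $.Values.image.tag | default "latest" }}` or a values.yaml default avoids that (values.yaml is not in this hunk, so it may already be set).
```yaml
        - name: whoami
          image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}"
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: env, ports, resources, probes …
```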
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: whoami
+ namespace: {{ .Values.namespace | default .Release.Namespace | quote }}
+spec:
+ ports:
+ - name: http-whoami
+ port: 80
+ protocol: TCP
+ targetPort: {{ .Values.deployment.containerPort }}
+ selector:
+ app: whoami
+ sessionAffinity: None
+ type: ClusterIP
diff --git a/aks-simple/stack.toml b/aks-simple/stack.toml
index 51a1d67..d616975 100644
--- a/aks-simple/stack.toml
+++ b/aks-simple/stack.toml
@@ -1,3 +1,5 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=stack
+
 type = "azure-bicep"
 name = "nuon-azure-aks-simple-{{.nuon.install.id}}"
 description = "Install the Nuon runner in an Azure resource group to manage a BYOC deployment of your app."
From 5a52737a998e342d7645f319d9f1a32aaf604b52 Mon Sep 17 00:00:00 2001
From: Jordan Acosta
Date: Sun, 27 Jul 2025 15:29:30 -0700
Subject: [PATCH 3/6] feat(aks-simple): https cert secret
---
 aks-simple/components/alb.toml | 2 +-
 aks-simple/components/certificate.toml | 2 +-
 aks-simple/components/whoami.toml | 2 +-
 aks-simple/sandbox.toml | 2 +-
 aks-simple/src/components/alb/templates/alb.tpl | 2 +-
 .../templates/sync-secret.tpl} | 12 +++++-------
 aks-simple/src/components/alb/values.yaml | 3 +++
 aks-simple/src/components/certificate/main.tf | 3 ++-
 aks-simple/src/components/sync-secrets/Chart.yaml | 9 ---------
 aks-simple/src/components/sync-secrets/values.yaml | 2 --
 10 files changed, 15 insertions(+), 24 deletions(-)
 rename aks-simple/src/components/{sync-secrets/templates/secret-provider-class.tpl => alb/templates/sync-secret.tpl} (62%)
 delete mode 100644 aks-simple/src/components/sync-secrets/Chart.yaml
 delete mode 100644 aks-simple/src/components/sync-secrets/values.yaml
diff --git a/aks-simple/components/alb.toml b/aks-simple/components/alb.toml
index f2aaa19..adc812d 100644
--- a/aks-simple/components/alb.toml
+++ b/aks-simple/components/alb.toml
@@ -8,7 +8,7 @@ dependencies = ["whoami"]
 [public_repo]
 repo = "nuonco/example-app-configs"
 directory = "aks-simple/src/components/alb"
-branch = "main"
+branch = "ja/pro-1515-https-cert-component"
 
 [values]
 domain_certificate = "{{.nuon.components.certificate.outputs.public_domain_certificate_arn}}"
diff --git a/aks-simple/components/certificate.toml b/aks-simple/components/certificate.toml
index 7e747b9..a2345cd 100644
--- a/aks-simple/components/certificate.toml
+++ b/aks-simple/components/certificate.toml
@@ -7,7 +7,7 @@ terraform_version = "1.11.3"
 [public_repo]
 repo = "nuonco/example-app-configs"
 directory = "aks-simple/src/components/certificate"
-branch = "main"
+branch = "ja/pro-1515-https-cert-component"
 
 [vars]
 install_id = "{{ .nuon.install.id }}"
diff --git a/aks-simple/components/whoami.toml b/aks-simple/components/whoami.toml
index 2ea7ed1..ab4ab04 100644
--- a/aks-simple/components/whoami.toml
+++ b/aks-simple/components/whoami.toml
@@ -9,7 +9,7 @@ storage_driver = "configmap"
 [public_repo]
 repo = "nuonco/example-app-configs"
 directory = "aks-simple/src/components/whoami"
-branch = "main"
+branch = "ja/pro-1515-https-cert-component"
 
 [[values_file]]
 contents = "./values/whoami.yaml"
diff --git a/aks-simple/sandbox.toml b/aks-simple/sandbox.toml
index 12b58eb..8a57100 100644
--- a/aks-simple/sandbox.toml
+++ b/aks-simple/sandbox.toml
@@ -5,7 +5,7 @@ terraform_version = "1.11.3"
 [public_repo]
 repo = "nuonco/terraform-azure-aks-sandbox"
 directory = "."
-branch = "ja/pro-1522-whoami-app-config"
+branch = "ja/pro-1534-secrets-syncing"
 
 [vars]
 cluster_name = "n-{{.nuon.install.id}}"
diff --git a/aks-simple/src/components/alb/templates/alb.tpl b/aks-simple/src/components/alb/templates/alb.tpl
index 9f91f3f..a9274f3 100644
--- a/aks-simple/src/components/alb/templates/alb.tpl
+++ b/aks-simple/src/components/alb/templates/alb.tpl
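Review bot: `branch` now points at the personal feature branch `ja/pro-1515-https-cert-component` instead of `main`, and the same change is made in certificate.toml and whoami.toml in this patch, with sandbox.toml moved to `ja/pro-1534-secrets-syncing`; these pins are presumably temporary for testing, but any install created while they are in place keeps pulling component source from branches that can be rebased, force-pushed or deleted, and the source it runs is no longer what a reviewer of `main` sees. Reverting all four to `main` (or to a tag) before merge, or tracking that revert in the PR checklist, avoids shipping them; a trailing `# TEMP: testing branch, revert before merge` on each line would at least flag the intent.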
@@ -9,7 +9,7 @@ spec:
 tls:
 - hosts:
 - {{ .Values.domain }}
- - secretName:
+ - secretName: "https-cert"
 rules:
 - host: {{ .Values.domain }}
 http:
diff --git a/aks-simple/src/components/sync-secrets/templates/secret-provider-class.tpl b/aks-simple/src/components/alb/templates/sync-secret.tpl
similarity index 62%
rename from aks-simple/src/components/sync-secrets/templates/secret-provider-class.tpl
rename to aks-simple/src/components/alb/templates/sync-secret.tpl
index f576442..a9a5026 100644
--- a/aks-simple/src/components/sync-secrets/templates/secret-provider-class.tpl
+++ b/aks-simple/src/components/alb/templates/sync-secret.tpl
@@ -3,7 +3,7 @@ apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
 name: azure-kv-sync
- namespace: default
+ namespace: {{ .Values.namespace }}
 spec:
 provider: azure
 secretObjects:
@@ -11,15 +11,13 @@ spec:
 type: Opaque
 data:
 - objectName: https-cert
- key: username
+ key: https-cert
 parameters:
- usePodIdentity: "false"
 useVMManagedIdentity: "true"
- userAssignedIdentityID: ""
- keyvaultName: ""
+ keyvaultName: {{. Values.key_vault_name }}
 objects: |
 array:
 - |
- objectName: foo
+ objectName: https-cert
 objectType: secret
- tenantId: ""
+ tenantId: {{ .Values.tenant_id }}
diff --git a/aks-simple/src/components/alb/values.yaml b/aks-simple/src/components/alb/values.yaml
index 0ee8723..f3c42ec 100644
--- a/aks-simple/src/components/alb/values.yaml
+++ b/aks-simple/src/components/alb/values.yaml
@@ -1,4 +1,7 @@
 install_name: ""
+install_id: ""
+tenant_id: ""
+key_vault_name: ""
 
 name: ""
 domain: ""
diff --git a/aks-simple/src/components/certificate/main.tf b/aks-simple/src/components/certificate/main.tf
index 527f648..0266ffa 100644
--- a/aks-simple/src/components/certificate/main.tf
+++ b/aks-simple/src/components/certificate/main.tf
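Review bot: `keyvaultName: {{. Values.key_vault_name }}` in the second sync-secret.tpl hunk has the space on the wrong side of the dot: Go templates read `{{. Values.key_vault_name }}` as the dot followed by a call to an undefined function `Values`, so the chart fails to render; it should be `keyvaultName: {{ .Values.key_vault_name }}`. The `namespace: {{ .Values.namespace }}` in the first hunk and `tenantId: {{ .Values.tenant_id }}` render as empty strings when the values are unset (values.yaml defaults them to `""`), which the CSI driver will reject at runtime rather than at template time; `{{ required "tenant_id is required" .Values.tenant_id }}` fails fast instead. The literal `https-cert` now appears as the Ingress `secretName`, the SecretProviderClass `secretName`/`objectName`, and the `name` in certificate/main.tf in this same patch; a single value such as `.Values.certificate_name` would keep the four from drifting. The SecretProviderClass document starts before the first sync-secret.tpl hunk.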
@@ -1,5 +1,6 @@
 resource "azurerm_key_vault_certificate" "example" {
- name = "${var.install_id}-cert"
+ # name = "${var.install_id}-cert"
+ name = "https-cert"
 key_vault_id = var.key_vault_id
 
 certificate_policy {
diff --git a/aks-simple/src/components/sync-secrets/Chart.yaml b/aks-simple/src/components/sync-secrets/Chart.yaml
deleted file mode 100644
index 6e1bcd4..0000000
--- a/aks-simple/src/components/sync-secrets/Chart.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: v2
-name: secrets-sync
-description: A helm chart to sync secrets.
-type: application
-version: v0.0.1
-appVersion: "0.0.1"
-
-dependencies: []
diff --git a/aks-simple/src/components/sync-secrets/values.yaml b/aks-simple/src/components/sync-secrets/values.yaml
deleted file mode 100644
index 82dcada..0000000
--- a/aks-simple/src/components/sync-secrets/values.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-secrets:
- - cert: "foo"
From 971be64a773e9b0e52bffc4a8c1b183937636db4 Mon Sep 17 00:00:00 2001
From: Jordan Acosta
Date: Tue, 29 Jul 2025 15:41:39 -0700
Subject: [PATCH 4/6] fix(aks-simple): use azure sandbox outputs
---
 aks-simple/components/alb.toml | 4 ++--
 aks-simple/components/certificate.toml | 6 +++---
 aks-simple/src/components/certificate/main.tf | 2 +-
 aks-simple/src/components/certificate/outputs.tf | 16 ++++++++++++++--
 4 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/aks-simple/components/alb.toml b/aks-simple/components/alb.toml
index adc812d..a3d2801 100644
--- a/aks-simple/components/alb.toml
+++ b/aks-simple/components/alb.toml
@@ -11,8 +11,8 @@ directory = "aks-simple/src/components/alb"
 branch = "ja/pro-1515-https-cert-component"
 
 [values]
-domain_certificate = "{{.nuon.components.certificate.outputs.public_domain_certificate_arn}}"
-domain = "{{.nuon.inputs.inputs.sub_domain}}.{{.nuon.install.sandbox.outputs.nuon_dns.public_domain.name}}"
+domain = "{{.nuon.inputs.inputs.sub_domain}}.{{.nuon.install.sandbox.outputs.public_domain.name}}"
+domain_certificate_secret_id = "{{.nuon.components.certificate.outputs.secret_id}}"
 https_port = "443"
 service_name = "whoami"
 service_port = "80"
diff --git a/aks-simple/components/certificate.toml b/aks-simple/components/certificate.toml
index a2345cd..1d44bb3 100644
--- a/aks-simple/components/certificate.toml
+++ b/aks-simple/components/certificate.toml
@@ -10,7 +10,7 @@ directory = "aks-simple/src/components/certificate"
 branch = "ja/pro-1515-https-cert-component"
 
 [vars]
+key_vault_id = "/subscriptions/{{ .nuon.install_stack.outputs.subscription_id }}/resourceGroups/{{ .nuon.install.id }}-rg/providers/Microsoft.KeyVault/vaults/{{ .nuon.install.id }}"
 install_id = "{{ .nuon.install.id }}"
-region = "{{ .nuon.install_stack.outputs.region }}"
-zone_id = "{{ .nuon.install.sandbox.outputs.nuon_dns.public_domain.zone_id }}"
-domain_name = "*.{{ .nuon.install.sandbox.outputs.nuon_dns.public_domain.name }}"
+zone_id = "{{ .nuon.install.sandbox.outputs.public_domain.id }}"
+domain_name = "*.{{ .nuon.install.sandbox.outputs.public_domain.name }}"
diff --git a/aks-simple/src/components/certificate/main.tf b/aks-simple/src/components/certificate/main.tf
index 0266ffa..d04b740 100644
--- a/aks-simple/src/components/certificate/main.tf
+++ b/aks-simple/src/components/certificate/main.tf
@@ -1,4 +1,4 @@
-resource "azurerm_key_vault_certificate" "example" {
+resource "azurerm_key_vault_certificate" "main" {
 # name = "${var.install_id}-cert"
 name = "https-cert"
 key_vault_id = var.key_vault_id
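Review bot: The new `domain_certificate_secret_id` value is not read by either alb.tpl or sync-secret.tpl (the templates in patch 3 use `key_vault_name`, `tenant_id` and `namespace`), and none of those three appears in this `[values]` hunk, so unless they are set elsewhere in alb.toml the SecretProviderClass renders with empty vault, tenant and namespace; passing `key_vault_name`/`tenant_id` here, e.g. `key_vault_name = "{{ .nuon.components.certificate.outputs.key_vault_id }}"` is not right either since that output is a full resource id, so a `key_vault_name` output from the certificate component would be the cleaner handoff. The `[values]` table continues beyond this hunk, so this may already be handled outside the view.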
diff --git a/aks-simple/src/components/certificate/outputs.tf b/aks-simple/src/components/certificate/outputs.tf
index c612898..ef17bed 100644
--- a/aks-simple/src/components/certificate/outputs.tf
+++ b/aks-simple/src/components/certificate/outputs.tf
@@ -1,3 +1,15 @@
-output "public_domain_certificate_arn" {
- value = module.certificate.acm_certificate_arn
+output "name" {
+ value = azurerm_key_vault_certificate.main.name
+}
+
+output "key_vault_id" {
+ value = azurerm_key_vault_certificate.main.key_vault_id
+}
+
+output "id" {
+ value = azurerm_key_vault_certificate.main.id
+}
+
+output "secret_id" {
+ value = azurerm_key_vault_certificate.main.secret_id
 }
From 1581db45a51516fcc4987fb6094be2c829fe704c Mon Sep 17 00:00:00 2001
From: Jordan Acosta
Date: Wed, 30 Jul 2025 08:49:39 -0700
Subject: [PATCH 5/6] fix(aks-simple): keyvault names have 24 characters max
---
 aks-simple/components/certificate.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aks-simple/components/certificate.toml b/aks-simple/components/certificate.toml
index 1d44bb3..05f8d0f 100644
--- a/aks-simple/components/certificate.toml
+++ b/aks-simple/components/certificate.toml
@@ -10,7 +10,7 @@ directory = "aks-simple/src/components/certificate"
 branch = "ja/pro-1515-https-cert-component"
 
 [vars]
-key_vault_id = "/subscriptions/{{ .nuon.install_stack.outputs.subscription_id }}/resourceGroups/{{ .nuon.install.id }}-rg/providers/Microsoft.KeyVault/vaults/{{ .nuon.install.id }}"
+key_vault_id = "/subscriptions/{{ .nuon.install_stack.outputs.subscription_id }}/resourceGroups/{{ .nuon.install.id }}-rg/providers/Microsoft.KeyVault/vaults/{{ trunc 24 .nuon.install.id }}"
 install_id = "{{ .nuon.install.id }}"
 zone_id = "{{ .nuon.install.sandbox.outputs.public_domain.id }}"
 domain_name = "*.{{ .nuon.install.sandbox.outputs.public_domain.name }}"
From 2da949300aceb51c9570ec757c65b57237b975af Mon Sep 17 00:00:00 2001
From: Jordan Acosta
Date: Wed, 30 Jul 2025 14:14:24 -0700
Subject: [PATCH 6/6] feat(aks-simple): test permissions
---
 aks-simple/components/certificate.toml | 3 +-
 aks-simple/src/components/certificate/main.tf | 108 +++++++++---------
 .../src/components/certificate/outputs.tf | 30 ++---
 aks-simple/src/components/certificate/test.tf | 28 +++++
 .../src/components/certificate/variables.tf | 6 +-
 5 files changed, 104 insertions(+), 71 deletions(-)
 create mode 100644 aks-simple/src/components/certificate/test.tf
diff --git a/aks-simple/components/certificate.toml b/aks-simple/components/certificate.toml
index 05f8d0f..768c743 100644
--- a/aks-simple/components/certificate.toml
+++ b/aks-simple/components/certificate.toml
@@ -10,7 +10,8 @@ directory = "aks-simple/src/components/certificate"
 branch = "ja/pro-1515-https-cert-component"
 
 [vars]
-key_vault_id = "/subscriptions/{{ .nuon.install_stack.outputs.subscription_id }}/resourceGroups/{{ .nuon.install.id }}-rg/providers/Microsoft.KeyVault/vaults/{{ trunc 24 .nuon.install.id }}"
+key_vault_name = "{{ .nuon.install_stack.outputs.key_vault_name }}"
+resource_group_name = "{{ .nuon.install_stack.outputs.resource_group_name }}"
 install_id = "{{ .nuon.install.id }}"
 zone_id = "{{ .nuon.install.sandbox.outputs.public_domain.id }}"
 domain_name = "*.{{ .nuon.install.sandbox.outputs.public_domain.name }}"
diff --git a/aks-simple/src/components/certificate/main.tf b/aks-simple/src/components/certificate/main.tf
index d04b740..a3a6b79 100644
--- a/aks-simple/src/components/certificate/main.tf
+++ b/aks-simple/src/components/certificate/main.tf
@@ -1,54 +1,54 @@
-resource "azurerm_key_vault_certificate" "main" {
- # name = "${var.install_id}-cert"
- name = "https-cert"
- key_vault_id = var.key_vault_id
-
- certificate_policy {
- issuer_parameters {
- name = "Self" # or "Unknown" for imported, or the name of a CA
- }
-
- key_properties {
- exportable = true
- key_size = 2048
- key_type = "RSA"
- reuse_key = true
- }
-
- lifetime_action {
- action {
- action_type = "AutoRenew"
- }
-
- trigger {
- days_before_expiry = 30
- }
- }
-
- secret_properties {
- content_type = "application/x-pkcs12"
- }
-
- x509_certificate_properties {
- # Server Authentication = 1.3.6.1.5.5.7.3.1
- # Client Authentication = 1.3.6.1.5.5.7.3.2
- extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
-
- key_usage = [
- "cRLSign",
- "dataEncipherment",
- "digitalSignature",
- "keyAgreement",
- "keyCertSign",
- "keyEncipherment",
- ]
-
- subject_alternative_names {
- dns_names = [var.domain_name]
- }
-
- subject = "CN=${var.domain_name}"
- validity_in_months = 12
- }
- }
-}
+# resource "azurerm_key_vault_certificate" "main" {
+# # name = "${var.install_id}-cert"
+# name = "https-cert"
+# key_vault_id = var.key_vault_id
+#
+# certificate_policy {
+# issuer_parameters {
+# name = "Self" # or "Unknown" for imported, or the name of a CA
+# }
+#
+# key_properties {
+# exportable = true
+# key_size = 2048
+# key_type = "RSA"
+# reuse_key = true
+# }
+#
+# lifetime_action {
+# action {
+# action_type = "AutoRenew"
+# }
+#
+# trigger {
+# days_before_expiry = 30
+# }
+# }
+#
+# secret_properties {
+# content_type = "application/x-pkcs12"
+# }
+#
+# x509_certificate_properties {
+# # Server Authentication = 1.3.6.1.5.5.7.3.1
+# # Client Authentication = 1.3.6.1.5.5.7.3.2
+# extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
+#
+# key_usage = [
+# "cRLSign",
+# "dataEncipherment",
+# "digitalSignature",
+# "keyAgreement",
+# "keyCertSign",
+# "keyEncipherment",
+# ]
+#
+# subject_alternative_names {
+# dns_names = [var.domain_name]
+# }
+#
+# subject = 
"CN=${var.domain_name}"
+# validity_in_months = 12
+# }
+# }
+# }
diff --git a/aks-simple/src/components/certificate/outputs.tf b/aks-simple/src/components/certificate/outputs.tf
index ef17bed..95512f6 100644
--- a/aks-simple/src/components/certificate/outputs.tf
+++ b/aks-simple/src/components/certificate/outputs.tf
@@ -1,15 +1,15 @@
-output "name" {
- value = azurerm_key_vault_certificate.main.name
-}
-
-output "key_vault_id" {
- value = azurerm_key_vault_certificate.main.key_vault_id
-}
-
-output "id" {
- value = azurerm_key_vault_certificate.main.id
-}
-
-output "secret_id" {
- value = azurerm_key_vault_certificate.main.secret_id
-}
+# output "name" {
+# value = azurerm_key_vault_certificate.main.name
+# }
+#
+# output "key_vault_id" {
+# value = azurerm_key_vault_certificate.main.key_vault_id
+# }
+#
+# output "id" {
+# value = azurerm_key_vault_certificate.main.id
+# }
+#
+# output "secret_id" {
+# value = azurerm_key_vault_certificate.main.secret_id
+# }
diff --git a/aks-simple/src/components/certificate/test.tf b/aks-simple/src/components/certificate/test.tf
new file mode 100644
index 0000000..0f46440
--- /dev/null
+++ b/aks-simple/src/components/certificate/test.tf
@@ -0,0 +1,28 @@
+data "azurerm_client_config" "current" {}
+
+output "client_object_id" {
+ value = data.azurerm_client_config.current.object_id
+}
+
+output "subscription_id" {
+ value = data.azurerm_client_config.current.subscription_id
+}
+
+output "tenant_id" {
+ value = data.azurerm_client_config.current.tenant_id
+}
+
+data "azurerm_key_vault" "test" {
+ name = var.key_vault_name
+ resource_group_name = var.resource_group_name
+}
+
+output "vault_uri" {
+ value = data.azurerm_key_vault.test.vault_uri
+}
+
+# resource "azurerm_key_vault_secret" "test" {
+# name = "testsecret"
+# value = "sometestvalue"
+# key_vault_id = data.azurerm_key_vault.test.id
+# }
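Review bot: Commenting out the entire `azurerm_key_vault_certificate` resource (and every output in outputs.tf in the same patch) leaves the certificate component producing nothing, while alb.tpl still references a Key Vault object and Kubernetes secret named `https-cert` and alb.toml still reads `certificate.outputs.secret_id`, so an install from this revision breaks at the ALB step; a `count = var.create_certificate ? 1 : 0` guard, or a probe done on a branch the component configs do not reference, would keep the permissions experiment from disabling the component. Fifty lines of `#`-prefixed HCL also go stale quickly; git history keeps the previous version, so deleting is safer than commenting. This hunk starts on the previous line.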
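Review bot: test.tf exports `client_object_id`, `subscription_id` and `tenant_id` of the deploy identity as component outputs, which are not secrets but are also not needed by any consumer and widen what the install exposes; a file named test.tf in the component root is applied on every install, not only during this experiment. The commented-out `azurerm_key_vault_secret` carries a literal `value = "sometestvalue"`; if it is ever uncommented that string is written to Key Vault and kept in Terraform state, so a `# Do not uncomment: writes a plaintext test value into the vault and state; use a throwaway vault instead` comment or outright removal is preferable. If the file stays, a header such as `# Temporary diagnostics to verify the deploy identity can read the vault; remove after verification.` makes the intent clear to the next reader.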
diff --git a/aks-simple/src/components/certificate/variables.tf b/aks-simple/src/components/certificate/variables.tf
index d5ec5f1..deea95a 100644
--- a/aks-simple/src/components/certificate/variables.tf
+++ b/aks-simple/src/components/certificate/variables.tf
@@ -1,4 +1,8 @@
-variable "key_vault_id" {
+variable "key_vault_name" {
+ type = string
+}
+
+variable "resource_group_name" {
 type = string
 }