Ja/pro 1515 https cert component

aks-simple/README.md

@@ -0,0 +1,3 @@
+# Azure EKS Simple
+
+An Azure EKS app that runs a single container.

aks-simple/actions/simple_action.toml

@@ -0,0 +1,23 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=action
+
+name    = "simple_demonstration"
+timeout = "1m"
+
+[[triggers]]
+type = "post-provision"
+
+[[triggers]]
+type = "manual"
+
+[[steps]]
+name    = "create secrets in cluster"
+inline_contents = """
+#!/usr/bin/env sh
+password=`openssl rand -hex 12`
+kubectl create -n whoami secret generic whoami \
+  --save-config    \
+  --dry-run=client \
+  --from-literal=value="$password" \
+  -o yaml | kubectl apply -f -
+"""
+

aks-simple/components/alb.toml

@@ -0,0 +1,21 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=helm
+
+name         = "application_load_balancer"
+type         = "helm_chart"
+chart_name   = "application-load-balancer"
+dependencies = ["whoami"]
+
+[public_repo]
+repo      = "nuonco/example-app-configs"
+directory = "aks-simple/src/components/alb"
+branch    = "ja/pro-1515-https-cert-component"
+
+[values]
+domain             = "{{.nuon.inputs.inputs.sub_domain}}.{{.nuon.install.sandbox.outputs.public_domain.name}}"
+domain_certificate_secret_id = "{{.nuon.components.certificate.outputs.secret_id}}"
+https_port         = "443"
+service_name       = "whoami"
+service_port       = "80"
+install_name       = "{{.nuon.install.id}}"
+namespace          = "whoami"
+healthcheck_path   = "/health"

aks-simple/components/certificate.toml

@@ -0,0 +1,17 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=terraform
+
+name              = "certificate"
+type              = "terraform_module"
+terraform_version = "1.11.3"
+
+[public_repo]
+repo      = "nuonco/example-app-configs"
+directory = "aks-simple/src/components/certificate"
+branch    = "ja/pro-1515-https-cert-component"
+
+[vars]
+key_vault_name = "{{ .nuon.install_stack.outputs.key_vault_name }}"
+resource_group_name = "{{ .nuon.install_stack.outputs.resource_group_name }}"
+install_id  = "{{ .nuon.install.id }}"
+zone_id     = "{{ .nuon.install.sandbox.outputs.public_domain.id }}"
+domain_name = "*.{{ .nuon.install.sandbox.outputs.public_domain.name }}"

aks-simple/components/values/whoami.yaml

@@ -0,0 +1,12 @@
+---
+namespace: "whoami"
+
+image:
+  tag: "latest"
+  repository: "traefik/whoami"
+
+deployment:
+  containerPort: 8000
+
+service:
+  port: 80

aks-simple/components/whoami.toml

@@ -0,0 +1,15 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=helm
+
+name           = "whoami"
+type           = "helm_chart"
+chart_name     = "whoami"
+namespace      = "whoami"
+storage_driver = "configmap"
+
+[public_repo]
+repo      = "nuonco/example-app-configs"
+directory = "aks-simple/src/components/whoami"
+branch    = "ja/pro-1515-https-cert-component"
+
+[[values_file]]
+contents = "./values/whoami.yaml"

aks-simple/inputs.toml

@@ -0,0 +1,13 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=inputs
+
+[[group]]
+name         = "dns"
+description  = "DNS Configrations"
+display_name = "Configurations for the root domain for Route53"
+
+[[input]]
+name         = "root_domain"
+description  = "The root domain. Services will be made available at subdomains of this root domain."
+default      = "byoc.for.everyone.example.com"
+display_name = "Root Domain"
+group        = "dns"

aks-simple/metadata.toml

@@ -0,0 +1,7 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=metadata
+
+version = "v2"
+
+description = "An Azure EKS app that runs a single container."
+display_name = "Azure AKS Simple"
+readme       = "./README.md"

aks-simple/runner.toml

@@ -0,0 +1,7 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=runner
+
+runner_type = "azure"
+helm_driver = "configmap"
+
+[env_vars]
+foo = "bar"

aks-simple/sandbox.tfvars

@@ -0,0 +1,22 @@
+maintenance_role_eks_access_entry_policy_associations = {
+  eks_admin = {
+    policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
+    access_scope = {
+      type = "cluster"
+    }
+  }
+  eks_view = {
+    policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+    access_scope = {
+      type = "cluster"
+    }
+  }
+}
+
+additional_namespaces = ["whoami"]
+
+maintenance_cluster_role_rules_override = [{
+  "apiGroups" = ["*"]
+  "resources" = ["*"]
+  "verbs"     = ["*"]
+}]

aks-simple/sandbox.toml

@@ -0,0 +1,23 @@
+#:schema https://api.nuon.co/v1/general/config-schema?type=sandbox
+
+terraform_version = "1.11.3"
+
+[public_repo]
+repo      = "nuonco/terraform-azure-aks-sandbox"
+directory = "."
+branch    = "ja/pro-1534-secrets-syncing"
+
+[vars]
+cluster_name         = "n-{{.nuon.install.id}}"
+enable_nuon_dns      = "true"
+public_root_domain   = "{{ .nuon.inputs.inputs.root_domain }}"
+internal_root_domain = "internal.{{ .nuon.inputs.inputs.root_domain }}"
+location = "{{.nuon.cloud_account.azure.location}}"
+nuon_id = "{{.nuon.install.id}}"
+vnet_name = "{{.nuon.install_stack.outputs.network_name}}"
+resource_group_name = "{{.nuon.install_stack.outputs.resource_group_name}}"
+private_subnet_names = "{{.nuon.install_stack.outputs.private_subnet_names}}"
+public_subnet_names = "{{.nuon.install_stack.outputs.public_subnet_names}}"
+
+[[var_file]]
+contents = "./sandbox.tfvars"

aks-simple/src/components/alb/Chart.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v2
+name: application-load-balancer
+description: A helm chart to create an alb.
+type: application
+version: v0.0.1
+appVersion: "0.0.1"
+
+dependencies: []

aks-simple/src/components/alb/README.md

@@ -0,0 +1,50 @@
+# ALB
+
+Component to provision an ingress w/ annotations to make use of an AWS
+Certificate Manager SSL Certificate via the
+['certificate' component](../certificate).
+
+## Inputs/Variables
+
+| Variable             | Description                                             | Example                                                                  |
+| -------------------- | ------------------------------------------------------- | ------------------------------------------------------------------------ |
+| `install_name`       | Typically, the install id.                              | `{{.nuon.install.id}}`                                                   |
+| `name`               | The name for the ingress.                               | `service-name`, `api`, ``                                                |
+| `domain`             | The ID of the zone. Can be sourced from the sandbox.    | `{{.nuon.install.sandbox.outputs.public_domain.name}}`                   |
+| `domain_certificate` | AWS Cerficate Manager Certificate ARN.                  | `{{.nuon.components.certificate.outputs.public_domain_certificate_arn}}` |
+| `https_port`         | port to use for https.                                  | `443` (default: `443`)                                                   |
+| `service_name`       | The name of the service this ingress routes traffic to. | `api`                                                                    |
+| `service_port`       | The port of the service this ingress routes traffic to. | `3000` (default: `3000`)                                                 |
+| `healthcheck_path`   | healthcheck path                                        | `/livez`, `/readyz`, `/health` (default: `/livez`)                       |
+
+Notes
+
+- if no `name` is provided, `{install_name}-pubulic` will be used.
+- if no `healtcheck_path` is provided the default `/livez` will be used.
+
+## Example Configuration
+
+```toml
+name       = "application_load_balancer"
+type       = "helm_chart"
+chart_name = "application-load-balancer"
+
+[public_repo]
+repo      = "nuonco/components"
+directory = "aws/alb"
+branch    = "main"
+
+[values]
+domain_certificate = "{{.nuon.components.certificate.outputs.public_domain_certificate_arn}}"
+domain             = "api.{{.nuon.install.sandbox.outputs.public_domain.name}}"
+https_port         = "443"
+service_name       = "api"
+service_port       = "api"
+install_name       = "{{.nuon.install.id}}"
+```
+
+## Note
+
+This component depends on outputs of the
+[`certificate` component](../certificate). It is important to note, the
+`domain_name` of the certificate component should match the `domain` value here.

aks-simple/src/components/alb/templates/alb.tpl

@@ -0,0 +1,52 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "common.name" . }}
+  annotations:
+    kubernetes.io/ingress.class: azure/application-gateway
+spec:
+  tls:
+    - hosts:
+      - {{ .Values.domain }}
+    - secretName: "https-cert"
+  rules:
+  - host: {{ .Values.domain }}
+    http:
+      paths:
+      - backend:
+          serviceName: {{ .Values.service_name }}
+          servicePort: {{ .Values.service_port | default "3000" }}
+
+# ---
+# apiVersion: networking.k8s.io/v1
+# kind: Ingress
+# metadata:
+#   name: {{ include "common.name" . }}
+#   namespace: {{ .Values.namespace }}
+#   labels:
+#     app.nuon.co/install: {{ .Values.install_name }}
+#   annotations:
+#     alb.ingress.kubernetes.io/scheme: internet-facing
+#     alb.ingress.kubernetes.io/target-type: ip
+#     alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":{{ .Values.https_port | default "443" }}}]'
+#     alb.ingress.kubernetes.io/aws-load-balancer-ssl-ports: https
+#     alb.ingress.kubernetes.io/healthcheck-path: {{ .Values.healthcheck_path | default "/livez" | quote }}
+#     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '5'
+#     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '2'
+#     alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
+#     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
+#     alb.ingress.kubernetes.io/certificate-arn: {{ .Values.domain_certificate }}
+#     external-dns.alpha.kubernetes.io/hostname: {{ .Values.domain }}
+# spec:
+#   ingressClassName: alb
+#   rules:
+#     - http:
+#         paths:
+#           - path: /
+#             pathType: Prefix
+#             backend:
+#               service:
+#                 name: {{ .Values.service_name }}
+#                 port:
+#                   number: {{ .Values.service_port | default "3000" }}

aks-simple/src/components/alb/templates/lib/_names.tpl

@@ -0,0 +1,9 @@
+{{- define "common.name" -}}
+
+{{- if .Values.name }}
+{{- .Values.name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-public" .Values.install_name }}
+{{- end }}
+
+{{- end }}

aks-simple/src/components/alb/templates/sync-secret.tpl

@@ -0,0 +1,23 @@
+---
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: azure-kv-sync
+  namespace: {{ .Values.namespace }}
+spec:
+  provider: azure
+  secretObjects:
+  - secretName: https-cert
+    type: Opaque
+    data:
+    - objectName: https-cert
+      key: https-cert
+  parameters:
+    useVMManagedIdentity: "true"
+    keyvaultName: {{. Values.key_vault_name }}
+    objects: |
+      array:
+        - |
+          objectName: https-cert
+          objectType: secret
+  tenantId: {{ .Values.tenant_id }}

aks-simple/src/components/alb/values.yaml

@@ -0,0 +1,14 @@
+install_name: ""
+install_id: ""
+tenant_id: ""
+key_vault_name: ""
+
+name: ""
+domain: ""
+domain_certificate: ""
+https_port: ""
+service_name: ""
+service_port: ""
+
+healthcheck_path: "/livez"
+namespace: ""

aks-simple/src/components/certificate/README.md

@@ -0,0 +1,30 @@
+# Certificate
+
+Component to provision an AWS Certificate Manager SSL Certificate.
+
+## Inputs/Variables
+
+| Variable      | Description                                          | Example                                                   |
+| ------------- | ---------------------------------------------------- | --------------------------------------------------------- |
+| `zone_id`     | The ID of the zone. Can be sourced from the sandbox. | `{{.nuon.install.sandbox.outputs.public_domain.zone_id}}` |
+| `domain_name` | The domain name. Usually provided by the sandbox.    | `{{.nuon.install.sandbox.outputs.public_domain.name}}`    |
+
+## Example Configuration
+
+```toml
+name = "certificate"
+type = "terraform_module"
+terraform_version = "1.10.4"
+
+[public_repo]
+repo      = "nuonco/components"
+directory = "aws/certificate"
+branch    = "main"
+
+[vars]
+zone_id     = "{{.nuon.install.sandbox.outputs.public_domain.zone_id}}"
+domain_name = "{{.nuon.install.sandbox.outputs.public_domain.name}}"
+# NOTE: it is also possible to use a subdomain or wildcard here.
+# domain_name = "subdomain.{{.nuon.install.sandbox.outputs.public_domain.name}}"
+# domain_name = "*.{{.nuon.install.sandbox.outputs.public_domain.name}}"
+```