From bee026ecbf136e2a839af289c560e41d54df8ce0 Mon Sep 17 00:00:00 2001
From: xwrace
Date: Wed, 18 Jan 2023 02:58:22 +0300
Subject: [PATCH 1/2] add root_vault_path_pki and resources
---
 .gitignore | 2 ++
 base/keycloak.tf | 26 ++++++++--------
 base/variables.tf | 5 ++++
 ...vault.certificate.sign.keycloak.approle.tf | 14 ++++-----
 base/vault.core.pki.tf | 2 +-
 k8s/modules.tf | 6 +++-
 k8s/templates/helm/certmanager/values.yaml | 21 +++++++++++++
 k8s/templates/helm/cilium/values.yaml.tftpl | 7 +++++
 .../templates/test.yaml | 3 ++
 .../templates/csi-controller.yaml | 30 +++++++++++++++++++
 .../yandex-csi-driver/templates/csi-node.yaml | 21 +++++++++++++
 k8s/variables.tf | 6 ++++
 modules/k8s-yandex-cluster-infra/main.tf | 1 +
 modules/k8s-yandex-cluster-infra/variables.tf | 5 ++++
 14 files changed, 127 insertions(+), 22 deletions(-)
 create mode 100644 base/variables.tf
diff --git a/.gitignore b/.gitignore
index a8e9bca..0945469 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,5 @@
 base/states/*
 k8s/providers-dev.tf
 base/providers-dev.tf
+k8s/provider-dev.tf
+base/provider-dev.tf
diff --git a/base/keycloak.tf b/base/keycloak.tf
index 40dc14f..ecad224 100644
--- a/base/keycloak.tf
+++ b/base/keycloak.tf
@@ -1,16 +1,16 @@
 # create groups openid client scope
-resource "keycloak_openid_client_scope" "groups" {
- realm_id = local.idp_provider_realm
- name = "groups"
- include_in_token_scope = true
- gui_order = 1
-}
-resource "keycloak_openid_group_membership_protocol_mapper" "groups" {
- realm_id = local.idp_provider_realm
- client_scope_id = keycloak_openid_client_scope.groups.id
- name = "groups"
- claim_name = "groups"
- full_path = false
-}
+#resource "keycloak_openid_client_scope" "groups" {
+# realm_id = local.idp_provider_realm
+# name = "groups"
+# include_in_token_scope = true
+# gui_order = 1
+#}
+#resource "keycloak_openid_group_membership_protocol_mapper" "groups" {
+# realm_id = local.idp_provider_realm
+# client_scope_id = keycloak_openid_client_scope.groups.id
+# name = "groups"
+# claim_name = "groups"
+# full_path = false
+#}
 # create kube openid client
diff --git a/base/variables.tf b/base/variables.tf
new file mode 100644
index 0000000..f6554d5
--- /dev/null
+++ b/base/variables.tf
@@ -0,0 +1,5 @@
+variable "root_vault_path_pki" {
+ description = "pki-root"
+ type = string
+ default = "pki-root"
+}
\ No newline at end of file
diff --git a/base/vault.certificate.sign.keycloak.approle.tf b/base/vault.certificate.sign.keycloak.approle.tf
index 5d78c56..2782a8c 100644
--- a/base/vault.certificate.sign.keycloak.approle.tf
+++ b/base/vault.certificate.sign.keycloak.approle.tf
@@ -1,12 +1,12 @@
 resource "vault_auth_backend" "auth" {
- type = "approle"
- path = "pki-root/approle"
+ type = "approle"
+ path = "${var.root_vault_path_pki}/approle"
 }
 resource "vault_approle_auth_backend_role" "auth" {
- backend = "${vault_auth_backend.auth.path}"
- role_name = "keycloak"
- token_policies = [vault_policy.auth.name]
- secret_id_bound_cidrs = []
- token_bound_cidrs = []
+ backend = "${vault_auth_backend.auth.path}"
+ role_name = "keycloak"
+ token_policies = [vault_policy.auth.name]
+ secret_id_bound_cidrs = []
+ token_bound_cidrs = []
 }
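Review bot: `description = "pki-root"` on the new `root_vault_path_pki` variable only repeats the default and says nothing about what the path controls, although the same value becomes the `vault_mount` path and is spliced into `"${var.root_vault_path_pki}/approle"` in the AppRole file, where a leading, trailing or doubled slash would produce a malformed Vault path. I would write a real description and add a `validation` block that rejects such values (that needs Terraform 0.13+; the required version is not visible here). The same variable is declared again, with the same placeholder description, in k8s/variables.tf later in this series, so the two copies can silently drift apart.

```hcl
variable "root_vault_path_pki" {
  description = "Vault mount path of the root PKI secrets engine; also prefixes the Keycloak AppRole auth mount as \"<path>/approle\"."
  type        = string
  default     = "pki-root"

  validation {
    condition     = can(regex("^[^/]+(/[^/]+)*$", var.root_vault_path_pki))
    error_message = "root_vault_path_pki must be a relative Vault path without leading, trailing or doubled slashes."
  }
}
```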
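Review bot: `secret_id_bound_cidrs = []` and `token_bound_cidrs = []` in the re-indented `vault_approle_auth_backend_role.auth` leave the Keycloak AppRole usable from any source address, and the hunk sets no `token_ttl`, `token_max_ttl` or `secret_id_num_uses`, so a leaked SecretID or token stays valid from anywhere for as long as the provider defaults allow. If Keycloak runs in a known subnet, populate both CIDR lists with it, and consider `secret_id_num_uses = 1` plus a short `token_ttl` so each role login is single-use. Separately, `backend = "${vault_auth_backend.auth.path}"` is a Terraform 0.11-style interpolation-only string that `terraform validate` warns about on 0.12+; `backend = vault_auth_backend.auth.path` is the current form.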
diff --git a/base/vault.core.pki.tf b/base/vault.core.pki.tf
index af75156..ae3c05e 100644
--- a/base/vault.core.pki.tf
+++ b/base/vault.core.pki.tf
@@ -1,5 +1,5 @@
 resource "vault_mount" "core_root_ca" {
- path = "pki-root"
+ path = var.root_vault_path_pki
 type = "pki"
 description = "root infrastruction"
 default_lease_ttl_seconds = 321408000
diff --git a/k8s/modules.tf b/k8s/modules.tf
index 489a751..4e20d2b 100644
--- a/k8s/modules.tf
+++ b/k8s/modules.tf
@@ -12,6 +12,10 @@ module "k8s-yandex-cluster" {
 folder_id = data.yandex_resourcemanager_folder.current.id
 }
+ pki_metadata = {
+ root_vault_path_pki = var.root_vault_path_pki
+ }
+
 master_group = {
 name = "master" # Разрешенный префикс для сертификатов.
 count = 1
@@ -63,7 +67,7 @@ module "k8s-yandex-cluster" {
 metadata = {
 user_data_template = "fraima" # all | packer | fraima
 }
- ssh_username = "dkot"
+ ssh_username = "xwrace"
 ssh_rsa_path = "~/.ssh/id_rsa.pub"
 }
 }
diff --git a/k8s/templates/helm/certmanager/values.yaml b/k8s/templates/helm/certmanager/values.yaml
index 59ba366..a258651 100644
--- a/k8s/templates/helm/certmanager/values.yaml
+++ b/k8s/templates/helm/certmanager/values.yaml
@@ -6,6 +6,13 @@ tolerations:
 - key: node.cloudprovider.kubernetes.io/uninitialized
 value: "true"
 effect: NoSchedule
+resources:
+ limits:
+ cpu: 200m
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
 webhook:
 tolerations:
@@ -16,6 +23,13 @@ webhook:
 - key: node.cloudprovider.kubernetes.io/uninitialized
 value: "true"
 effect: NoSchedule
+ resources:
+ limits:
+ cpu: 200m
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
 cainjector:
 tolerations:
@@ -26,6 +40,13 @@ cainjector:
 - key: node.cloudprovider.kubernetes.io/uninitialized
 value: "true"
 effect: NoSchedule
+ resources:
+ limits:
+ cpu: 200m
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
 startupapicheck:
diff --git a/k8s/templates/helm/cilium/values.yaml.tftpl b/k8s/templates/helm/cilium/values.yaml.tftpl
index 606b6e1..d3c245c 100644
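Review bot: Turning `path` of `vault_mount.core_root_ca` into a variable means any later change to `root_vault_path_pki` is a forced replacement of the mount (the Vault provider cannot rename a mount in place), and unmounting a PKI engine destroys the root CA key and every issued certificate and CRL stored under it. The root mount should refuse to be destroyed by Terraform: add `lifecycle { prevent_destroy = true }` to the resource so a changed variable fails the plan instead of wiping the PKI. The resource body continues past the hunk (`default_lease_ttl_seconds` is its last visible attribute), so the remaining attributes were not reviewed.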
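Review bot: The new `limits.memory: 100Mi` for the cert-manager controller (repeated for `webhook` and `cainjector`) is a tight hard cap: the controller caches every Certificate, CertificateRequest and Secret it watches, so its footprint presumably grows with the cluster, and an OOM-kill loop stalls all certificate renewals at once. I would start the controller at something like `memory: 256Mi` and tighten only after observing its working-set memory in this cluster. `startupapicheck:` at the end of the hunk is not touched by the change; if it also has no `resources:` block, adding one keeps the file consistent.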
--- a/k8s/templates/helm/cilium/values.yaml.tftpl
+++ b/k8s/templates/helm/cilium/values.yaml.tftpl
@@ -141,6 +141,13 @@ clustermesh:
 monitor:
 # -- Enable the cilium-monitor sidecar.
 enabled: true
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Gi
+ requests:
+ cpu: 100m
+ memory: 128Mi
 hubble:
 # -- Enable Hubble (true by default).
diff --git a/k8s/templates/helm/cluster-machine-approver/templates/test.yaml b/k8s/templates/helm/cluster-machine-approver/templates/test.yaml
index ac3ebd6..926b869 100644
--- a/k8s/templates/helm/cluster-machine-approver/templates/test.yaml
+++ b/k8s/templates/helm/cluster-machine-approver/templates/test.yaml
@@ -74,6 +74,9 @@ spec:
 - image: dobrykot/cluster-machine-approver:v1.0.11
 name: cluster-machine-approver
 resources:
+ limits:
+ cpu: 200m
+ memory: 100Mi
 requests:
 cpu: 100m
 memory: 50Mi
diff --git a/k8s/templates/helm/yandex-csi-driver/templates/csi-controller.yaml b/k8s/templates/helm/yandex-csi-driver/templates/csi-controller.yaml
index a3c1d39..b7bff4d 100644
--- a/k8s/templates/helm/yandex-csi-driver/templates/csi-controller.yaml
+++ b/k8s/templates/helm/yandex-csi-driver/templates/csi-controller.yaml
@@ -47,7 +47,12 @@ spec:
 imagePullPolicy: IfNotPresent
 name: csi-provisioner
 resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
 requests:
+ cpu: 100m
+ memory: 128Mi
 ephemeral-storage: 60Mi
 securityContext:
 allowPrivilegeEscalation: false
@@ -76,7 +81,12 @@ spec:
 imagePullPolicy: IfNotPresent
 name: csi-attacher
 resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
 requests:
+ cpu: 100m
+ memory: 128Mi
 ephemeral-storage: 60Mi
 securityContext:
 allowPrivilegeEscalation: false
@@ -105,7 +115,12 @@ spec:
 imagePullPolicy: IfNotPresent
 name: csi-resizer
 resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
 requests:
+ cpu: 100m
+ memory: 128Mi
 ephemeral-storage: 60Mi
 securityContext:
 allowPrivilegeEscalation: false
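Review bot: `memory: 256Gi` under `monitor.resources.limits` looks like a typo for `256Mi`: the paired request is `128Mi`, every other limit added in this series is in Mi, and a 256 GiB cap exceeds any node so the cilium-monitor sidecar effectively runs without a memory limit (Kubernetes accepts a limit above node capacity without complaint). Change it to `memory: 256Mi`. Since the sidecar is enabled (`enabled: true` two lines above), this lands on every cilium agent pod.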
@@ -134,7 +149,12 @@ spec:
 imagePullPolicy: IfNotPresent
 name: csi-snapshotter
 resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
 requests:
+ cpu: 100m
+ memory: 128Mi
 ephemeral-storage: 60Mi
 securityContext:
 allowPrivilegeEscalation: false
@@ -154,7 +174,12 @@ spec:
 imagePullPolicy: IfNotPresent
 name: livenessprobe
 resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
 requests:
+ cpu: 100m
+ memory: 128Mi
 ephemeral-storage: 60Mi
 securityContext:
 allowPrivilegeEscalation: false
@@ -197,7 +222,12 @@ spec:
 timeoutSeconds: 1
 name: csi-controller
 resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
 requests:
+ cpu: 100m
+ memory: 128Mi
 ephemeral-storage: 60Mi
 securityContext:
 allowPrivilegeEscalation: false
diff --git a/k8s/templates/helm/yandex-csi-driver/templates/csi-node.yaml b/k8s/templates/helm/yandex-csi-driver/templates/csi-node.yaml
index d17a232..0105dc5 100644
--- a/k8s/templates/helm/yandex-csi-driver/templates/csi-node.yaml
+++ b/k8s/templates/helm/yandex-csi-driver/templates/csi-node.yaml
@@ -22,6 +22,13 @@ spec:
 - operator: Exists
 containers:
 - name: csi-node-driver-registrar
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
 image: quay.io/k8scsi/csi-node-driver-registrar:v1.3.0
 args:
 - "--v=5"
@@ -38,6 +45,13 @@ spec:
 - name: registration-dir
 mountPath: /registration
 - name: csi-node
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
 securityContext:
 privileged: true
 image: registry.deckhouse.io/yandex-csi-driver/yandex-csi-driver:v0.9.11
@@ -58,6 +72,13 @@ spec:
 name: csi-credentials
 key: service-account-json
 - name: liveness-probe
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
 image: quay.io/k8scsi/livenessprobe:v2.0.0
 args:
 - --csi-address=/csi/csi.sock
diff --git a/k8s/variables.tf b/k8s/variables.tf
index 85ef60b..37ba2c2 100644
--- a/k8s/variables.tf
+++ b/k8s/variables.tf
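Review bot: The identical `limits`/`requests` block is pasted into all six containers of the csi-controller pod (and again into the three csi-node containers below), so `livenessprobe` and the `csi-resizer`/`csi-snapshotter` sidecars each reserve `cpu: 100m` and `memory: 128Mi` — the controller pod alone now requests 600m CPU and 768Mi of memory, most of it for sidecars that typically idle far below that. Consider per-container values sourced from the chart's values file so the driver and its sidecars can be sized separately without editing the templates. If the uniform numbers are intentional, a short comment above the first `resources:` block saying so would stop the next reader from "fixing" them.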
@@ -25,6 +25,12 @@ variable "yandex_folder_name" {
 default = "example"
 }
+variable "root_vault_path_pki" {
+ description = "pki-root"
+ type = string
+ default = "pki-root"
+}
+
 variable "master_availability_zones"{
 type = object({
 ru-central1-a = string
diff --git a/modules/k8s-yandex-cluster-infra/main.tf b/modules/k8s-yandex-cluster-infra/main.tf
index b61dc8d..03596be 100644
--- a/modules/k8s-yandex-cluster-infra/main.tf
+++ b/modules/k8s-yandex-cluster-infra/main.tf
@@ -9,6 +9,7 @@ module "k8s-global-vars" {
 ssh_rsa_path = var.master_group.ssh_rsa_path
 pod_cidr = var.pod_cidr
 node_cidr_mask = var.node_cidr_mask
+ root_vault_path_pki = var.pki_metadata.root_vault_path_pki
 }
 module "k8s-vault" {
diff --git a/modules/k8s-yandex-cluster-infra/variables.tf b/modules/k8s-yandex-cluster-infra/variables.tf
index f417b26..501e200 100644
--- a/modules/k8s-yandex-cluster-infra/variables.tf
+++ b/modules/k8s-yandex-cluster-infra/variables.tf
@@ -37,6 +37,11 @@ variable "cloud_metadata" {
 }
 }
+variable "pki_metadata" {
+ type = any
+ default = {}
+}
+
 variable "master_group"{
 type = object({
 name = string
From bd2657e43ddb7476458214203b6da8fed7bb9a03 Mon Sep 17 00:00:00 2001
From: xwrace
Date: Wed, 18 Jan 2023 03:07:07 +0300
Subject: [PATCH 2/2] add root_vault_path_pki and resources
---
 base/keycloak.tf | 26 +++++++++++++-------------
 k8s/modules.tf | 2 +-
 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/base/keycloak.tf b/base/keycloak.tf
index ecad224..40dc14f 100644
--- a/base/keycloak.tf
+++ b/base/keycloak.tf
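Review bot: `description = "pki-root"` again restates the default instead of explaining the variable, and this is now the second independent declaration of `root_vault_path_pki` (the first is base/variables.tf in patch 1); nothing ties the two defaults together, so overriding one makes the mount created by the base layer and the path the k8s layer expects diverge silently. If the k8s layer cannot read the base layer's state or outputs, at least document the coupling: `description = "Vault mount path of the root PKI engine; must match root_vault_path_pki in base/variables.tf."`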
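Review bot: `variable "pki_metadata"` is declared as `type = any` with `default = {}`, but main.tf in the same patch reads `var.pki_metadata.root_vault_path_pki`; with the default in effect that is an attribute lookup on an empty object, which Terraform rejects at plan time, so the default is unusable and `any` tells callers nothing about the expected keys. Declare the object shape and give the attribute a real default so the module works without the argument, matching how the neighbouring `master_group` variable already uses `type = object({...})`.

```hcl
variable "pki_metadata" {
  description = "Vault PKI settings forwarded to the k8s-global-vars module."
  type = object({
    root_vault_path_pki = string
  })
  default = {
    root_vault_path_pki = "pki-root"
  }
}
```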
@@ -1,16 +1,16 @@
 # create groups openid client scope
-#resource "keycloak_openid_client_scope" "groups" {
-# realm_id = local.idp_provider_realm
-# name = "groups"
-# include_in_token_scope = true
-# gui_order = 1
-#}
-#resource "keycloak_openid_group_membership_protocol_mapper" "groups" {
-# realm_id = local.idp_provider_realm
-# client_scope_id = keycloak_openid_client_scope.groups.id
-# name = "groups"
-# claim_name = "groups"
-# full_path = false
-#}
+resource "keycloak_openid_client_scope" "groups" {
+ realm_id = local.idp_provider_realm
+ name = "groups"
+ include_in_token_scope = true
+ gui_order = 1
+}
+resource "keycloak_openid_group_membership_protocol_mapper" "groups" {
+ realm_id = local.idp_provider_realm
+ client_scope_id = keycloak_openid_client_scope.groups.id
+ name = "groups"
+ claim_name = "groups"
+ full_path = false
+}
 # create kube openid client
diff --git a/k8s/modules.tf b/k8s/modules.tf
index 4e20d2b..052532e 100644
--- a/k8s/modules.tf
+++ b/k8s/modules.tf
@@ -67,7 +67,7 @@ module "k8s-yandex-cluster" {
 metadata = {
 user_data_template = "fraima" # all | packer | fraima
 }
- ssh_username = "xwrace"
+ ssh_username = "dkot"
 ssh_rsa_path = "~/.ssh/id_rsa.pub"
 }
 }
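Review bot: `full_path = false` on the restored `keycloak_openid_group_membership_protocol_mapper.groups` puts only leaf group names into the `groups` claim, so `/admins` and `/team-a/admins` both surface as `admins`; if the kube client's RBAC is bound to these names, any group created anywhere in the realm tree with a matching leaf name inherits that access. Unless group names are guaranteed unique across the realm, use `full_path = true` and bind RBAC on the full group paths. This hunk also undoes the previous commit of the series line for line; squashing the two would keep the resources out of the history churn.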