Merge pull request #5 from swisscom/develop

integrate OIDC
swisscom · Aug 2, 2023 · 5761576 · 5761576
2 parents 60522c2 + 03e24e6
commit 5761576
Show file tree

Hide file tree

Showing 31 changed files with 906 additions and 393 deletions.
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
@@ -23,16 +23,14 @@ jobs:
       if: github.ref == 'refs/heads/master'
       env:
         TF_OVERRIDE: ${{ secrets.TF_OVERRIDE }}
-        TF_TFVARS: ${{ secrets.TF_TFVARS }}
         TF_CREDENTIALS: ${{ secrets.TF_CREDENTIALS }}
-        CREDENTIALS: ${{ secrets.CREDENTIALS }}
+        CONFIG: ${{ secrets.CONFIG }}
         SSHKEY: ${{ secrets.SSHKEY }}
       run: |
         mkdir -p ~/.terraform.d || true
         echo "${TF_CREDENTIALS}" > ~/.terraform.d/credentials.tfrc.json
         echo "${TF_OVERRIDE}" > terraform/override.tf
-        echo "${TF_TFVARS}" > terraform/terraform.tfvars
-        echo "${CREDENTIALS}" > credentials.yaml
+        echo "${CONFIG}" > config.yaml
         echo "${SSHKEY}" > ssh_key_id_rsa
         chmod 600 ssh_key_id_rsa
         ssh-keygen -f ssh_key_id_rsa -y > ssh_key_id_rsa.pub
@@ -49,6 +47,10 @@ jobs:
         make install-tools
         sudo mv -f ~/bin/* /usr/local/bin/
 
+    - name: Run Config generation
+      if: github.ref == 'refs/heads/master'
+      run: make config
+
     - name: Run Terraform
       if: github.ref == 'refs/heads/master'
       run: make terraform
@@ -64,6 +66,7 @@ jobs:
     - name: Cleanup
       if: ${{ always() }}
       run: |
+        rm -f config.yaml || true
         rm -f kubeone-kubeconfig || true
         rm -f credentials.yaml || true
         rm -f terraform/terraform.tfvars || true
@@ -144,3 +147,4 @@ jobs:
       run: |
         rm -f kubeone-kubeconfig || true
         rm -f config.yml || true
+        rm -f config.yaml || true
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -45,3 +45,4 @@ jobs:
       run: |
         rm -f kubeconfig || true
         rm -f config.yml || true
+        rm -f config.yaml || true
diff --git a/.gitignore b/.gitignore
@@ -1,14 +1,47 @@
-# Temporary directories/files
-/tmp
+# ======================================================================================================================
+# modify lines below as necessary, but make sure you are using a private git repository !!!
+# remove/add configuration files, secrets, credentials, keys, etc..
+# ======================================================================================================================
+
+# all configuration files
+/config.yaml
+/credentials.yaml
+/kubeone.yaml
+/terraform/terraform.tfvars
+
+# generated kubeconfigs for cluster-admin
+/kubeone-kubeconfig
+/kubeone-*-kubeconfig
+/kubeconfig
 
-# Local .terraform directories
-**/.terraform/*
+# SSH keys
+/ssh_key_id_rsa
+/ssh_key_id_rsa.pub
 
 # .tfstate files
 *.tfstate
 *.tfstate.*
 state_backend.tf
 
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+
+# ======================================================================================================================
+# do not modify any lines below here anymore !!!
+# ======================================================================================================================
+
+# Temporary directories/files
+/tmp
+*.tmp
+
+# Local .terraform directories
+**/.terraform/*
+
 # .tfstate directories
 .tfstate/
 
@@ -21,19 +54,9 @@ go-vcloud-director.log
 # other log files
 *.log
 
-# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
-# .tfvars files are managed as part of configuration and so should be included in
-# version control.
-#
-# example.tfvars
-terraform.tfvars
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
+# trivy scan results
+/trivy.json
+/trivy.out
 
 # Include override files you do wish to add to version control using negated pattern
 #
@@ -45,24 +68,12 @@ override.tf.json
 # unused kubeone config file
 /terraform/kubeone.yaml
 
-# credentials
-credentials.yaml
+# helm temporary values files
+/deployments/*.yaml
 
 # OS images
 *.ova
-
-# SSH keys
-ssh_key_id_rsa
-ssh_key_id_rsa.pub
+*.ovf
 
 # kubeone tarballs
 *.tar.gz
-
-# kubeconfig
-/kubeone-kubeconfig
-/kubeone-demo-kubeconfig
-/kubeone-dev-kubeconfig
-/kubeconfig
-
-# helm temporary values files
-/deployments/*.yaml
diff --git a/Makefile b/Makefile
@@ -34,13 +34,19 @@ check-env:
 	@which kubeone 1>/dev/null || (echo '[kubeone] is missing! Get it from https://github.com/kubermatic/kubeone/ ...' && exit 1)
 	@which helm 1>/dev/null || (echo '[helm] is missing! Get it from https://helm.sh/ ...' && exit 1)
 	@which jq 1>/dev/null || (echo '[jq] is missing! Get it from https://stedolan.github.io/jq/ ...' && exit 1)
+	@which yq 1>/dev/null || (echo '[yq] is missing! Get it from https://github.com/mikefarah/yq/ ...' && exit 1)
 	@which curl 1>/dev/null || (echo '[curl] is missing! Get it from https://curl.se/ ...' && exit 1)
 	@test -f "${SSH_KEY}" || ssh-keygen -t rsa -b 4096 -f "${SSH_KEY}" -N ''
 	@chmod 640 "${SSH_PUB_KEY}" && chmod 600 "${SSH_KEY}"
 	@ssh-add "${SSH_KEY}" || true
 	@kubeone version > ${ROOT_DIR}/kubeone.version.json
 	@test -f "${TERRAFORM_DIR}/main.tf" || kubeone init --provider vmware-cloud-director --terraform --path ${TERRAFORM_DIR} --cluster-name ${CLUSTER_NAME} -c ${CREDENTIALS_FILE}
 
+.PHONY: config
+## config: (re)generate all configuration files
+config: check-env
+	@tools/config.sh
+
 .PHONY: install-tools
 ## install-tools: download and install all required CLI tools into ~/bin
 install-tools:
@@ -97,13 +103,14 @@ kubeone: check-env kubeone-apply kubeone-kubeconfig kubeone-generate-workers kub
 .PHONY: kubeone-apply
 ## kubeone-apply: run KubeOne to deploy Kubernetes
 kubeone-apply:
-	kubeone apply -c ${CREDENTIALS_FILE} -m ${CONFIG_FILE} -t ${TERRAFORM_OUTPUT} --create-machine-deployments=false --auto-approve # --verbose  # --upgrade-machine-deployments
+	kubeone apply -c ${CREDENTIALS_FILE} -m ${CONFIG_FILE} -t ${TERRAFORM_OUTPUT} --create-machine-deployments=false --auto-approve # --force-upgrade --verbose # --upgrade-machine-deployments
 
 .PHONY: kubeone-kubeconfig
 ## kubeone-kubeconfig: write kubeconfig file
 kubeone-kubeconfig:
 	kubeone kubeconfig -c ${CREDENTIALS_FILE} -m ${CONFIG_FILE} -t ${TERRAFORM_OUTPUT} > ${KUBECONFIG_FILE}
-	chmod 600 ${KUBECONFIG_FILE}
+	@chmod 600 kubeconfig 2>/dev/null || true
+	@chmod 600 ${KUBECONFIG_FILE}
 
 .PHONY: kubeone-generate-workers
 ## kubeone-generate-workers: generate a machinedeployments manifest for the cluster
@@ -124,7 +131,7 @@ kubeone-addons:
 # ======================================================================================================================
 .PHONY: deployments
 ## deployments: install all deployments on Kubernetes
-deployments: check-env deploy-longhorn deploy-ingress-nginx deploy-cert-manager deploy-kubernetes-dashboard deploy-prometheus deploy-loki deploy-promtail deploy-grafana deploy-opencost
+deployments: check-env deploy-longhorn deploy-ingress-nginx deploy-cert-manager deploy-dex deploy-oauth2-proxy deploy-kubernetes-dashboard deploy-hubble deploy-prometheus deploy-loki deploy-promtail deploy-grafana deploy-opencost
 
 .PHONY: deploy-longhorn
 ## deploy-longhorn: deploy/update Longhorn storage
@@ -141,6 +148,16 @@ deploy-ingress-nginx:
 deploy-cert-manager:
 	KUBECONFIG=${KUBECONFIG_FILE} deployments/cert-manager.sh
 
+.PHONY: deploy-dex
+## deploy-dex: deploy/update Dex
+deploy-dex:
+	KUBECONFIG=${KUBECONFIG_FILE} deployments/dex.sh
+
+.PHONY: deploy-oauth2-proxy
+## deploy-oauth2-proxy: deploy/update oauth2-proxy
+deploy-oauth2-proxy:
+	KUBECONFIG=${KUBECONFIG_FILE} deployments/oauth2-proxy.sh
+
 .PHONY: deploy-kubernetes-dashboard
 ## deploy-kubernetes-dashboard: deploy/update Kubernetes dashboard
 deploy-kubernetes-dashboard:
@@ -151,6 +168,11 @@ deploy-kubernetes-dashboard:
 dashboard-token:
 	KUBECONFIG=${KUBECONFIG_FILE} kubectl -n kubernetes-dashboard create token kubernetes-dashboard --duration "60m"
 
+.PHONY: deploy-hubble
+## deploy-hubble: deploy/update Hubble UI access
+deploy-hubble:
+	KUBECONFIG=${KUBECONFIG_FILE} deployments/hubble.sh
+
 .PHONY: deploy-prometheus
 ## deploy-prometheus: deploy/update Prometheus
 deploy-prometheus:
@@ -181,3 +203,25 @@ grafana-password:
 deploy-opencost:
 	KUBECONFIG=${KUBECONFIG_FILE} deployments/opencost.sh
 # ======================================================================================================================
+
+# ======================================================================================================================
+.PHONY: oidc-setup
+## oidc-setup: setup OIDC for the Kubernetes cluster (install Dex first!)
+oidc-setup:
+	KUBECONFIG=${KUBECONFIG_FILE} tools/oidc_setup.sh
+
+.PHONY: ssh
+## ssh: login to bastion host
+ssh: check-env
+	@tools/ssh.sh
+
+.PHONY: ssh-control-plane
+## ssh-control-plane: login to all control plane nodes (requires TMUX)
+ssh-control-plane: check-env
+	@tools/ssh_control_plane.sh
+
+.PHONY: trivy-scan
+## trivy-scan: run a Kubernetes cluster scan with Trivy
+trivy-scan: check-env
+	@tools/trivy.sh
+# ======================================================================================================================