added self-serve-infrastructure/k8s-services-openshift

Author: rberlind

self-serve-infrastructure/k8s-services-openshift/README.md

@@ -0,0 +1,35 @@
+# OpenShift Pods and Services
+Terraform configuration for deploying OpenShift pods and services to existing OpenShift clusters.
+
+## Introduction
+This Terraform configuration deploys two pods exposed as services. It is meant to be used in Terraform Enterprise (TFE). The first runs a python application called "cats-and-dogs-frontend" that lets users vote for their favorite type of pet. It stores data in the second, "cats-and-dogs-backend", which runs a redis database. The Terraform configuration replicates what a user could do with the [Kubernetes CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/), `kubectl`.
+
+It uses the kubernetes_pod and kubernetes_service resources of Terraform's Kubernetes Provider to deploy the pods and services into an OpenShift cluster previously provisioned by Terraform. It also uses the terraform_remote_state data source to copy the outputs of the targeted cluster's TFE workspace directly into the Kubernetes Provider block, avoiding the need to manually copy the outputs into variables of the TFE services workspace. It also uses the vault_addr, vault_user, and vault_k8s_auth_backend outputs from the cluster workspace. Note that it also uses a remote-exec provisioner to create an OpenShift project (namespace) called "cats-and-dogs" and a Kubernetes service account called "cats-and-dogs" which the pods use. After doing that, it uses additional provisioners to retrieve the JWT token of the cats-and-dogs service account from OpenShift.
+
+Another important aspect of this configuration is that both the frontend application and the redis database get the redis password from a Vault server after using the Kubernetes JWT token of the cats-and-dogs service account to authenticate against Vault's [Kubernetes Auth Method](https://www.vaultproject.io/docs/auth/kubernetes.html). This has the benefits that the redis password is not stored in the Terraform code and that neither the application developers nor the DBAs managing Redis will actually know what the redis password is. Only the security team that stores the password in Vault will know. The redis_db password is stored in the Vault server under "secret/<vault_user>/kubernetes/cats-and-dogs" where \<vault_user\> is the Vault username.
+
+## Deployment Prerequisites
+
+1. First deploy an OpenShift cluster with Terraform by using the Terraform code in the [k8s-cluster-openshift-aws](../../infrastructure-as-code/k8s-cluster-openshift-aws) directory of this repository and pointing a TFE workspace against it.  
+1. We assume that you have already satisfied all the prerequisites for deploying an OpenShift cluster described by the above link.
+1. We also assume that you have already forked this repository and cloned your fork to your laptop.
+
+## Deployment Steps
+Execute the following commands to deploy the pods and services to your OpenShift cluster:
+
+1. Create a new TFE workspace called k8s-services-openshift.
+1. Configure your workspace to connect to the fork of this repository in your own GitHub account.
+1. Set the Terraform Working Directory to "self-serve-infrastructure/k8s-services-openshift"
+1. Set the tfe-organization variable in your workspace to the name of the TFE organization containing your OpenShift cluster workspace.
+1. Set the k8s-cluster-workspace variable in your workspace to the name of the workspace you used to deploy your OpenShift cluster.
+1. Queue a plan for the services workspace in TFE.
+1. Confirm that you want to apply the plan.
+1. Finally, enter the cats_and_dogs_dns output in a browser. You should see the "Pets Voting App" page.
+1. Vote for your favorite pets.
+
+## Cleanup
+Execute the following steps to delete the cats-and-dogs pods and services from your OpenShift cluster.
+
+1. Define an environment variable CONFIRM_DESTROY with value 1 on the Variables tab of your services workspace.
+1. Queue a Destroy plan in T:FE from the Settings tab of your services workspace.
+1. On the Latest Run tab of your services workspace, make sure that the Plan was successful and then click the "Confirm and Apply" button to actually remove the cats-and-dogs pods and services.

self-serve-infrastructure/k8s-services-openshift/cats-and-dogs-token

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cats-and-dogs
+  namespace: cats-and-dogs

self-serve-infrastructure/k8s-services-openshift/cats-and-dogs.yaml

@@ -0,0 +1,216 @@
+terraform {
+  required_version = ">= 0.11.5"
+}
+
+data "terraform_remote_state" "k8s_cluster" {
+  backend = "atlas"
+  config {
+    name = "${var.tfe_organization}/${var.k8s_cluster_workspace}"
+  }
+}
+
+provider "kubernetes" {
+  host = "${data.terraform_remote_state.k8s_cluster.k8s_endpoint}"
+  client_certificate = "${base64decode(data.terraform_remote_state.k8s_cluster.k8s_master_auth_client_certificate)}"
+  client_key = "${base64decode(data.terraform_remote_state.k8s_cluster.k8s_master_auth_client_key)}"
+  cluster_ca_certificate = "${base64decode(data.terraform_remote_state.k8s_cluster.k8s_master_auth_cluster_ca_certificate)}"
+}
+
+resource "null_resource" "service_account" {
+
+  provisioner "file" {
+    source = "cats-and-dogs.yaml"
+    destination = "~/cats-and-dogs.yaml"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "oc new-project cats-and-dogs --description=\"cats and dogs project\" --display-name=\"cats-and-dogs\"",
+      "kubectl create -f cats-and-dogs.yaml",
+      "kubectl get serviceaccount cats-and-dogs -o yaml > cats-and-dogs-service.yaml",
+      "kubectl get secret $(grep \"cats-and-dogs-token\" cats-and-dogs-service.yaml | cut -d ':' -f 2 | sed 's/ //') -o yaml > cats-and-dogs-secret.yaml",
+      "sed -n 6,6p cats-and-dogs-secret.yaml | cut -d ':' -f 2 | sed 's/ //' | base64 -d > cats-and-dogs-token"
+    ]
+  }
+
+  connection {
+    host = "${data.terraform_remote_state.k8s_cluster.master_public_dns}"
+    type = "ssh"
+    agent = false
+    user = "ec2-user"
+    private_key = "${var.private_key_data}"
+    bastion_host = "${data.terraform_remote_state.k8s_cluster.bastion_public_dns}"
+  }
+}
+
+resource "null_resource" "get_service_account_token" {
+  provisioner "remote-exec" {
+    inline = [
+      "scp -o StrictHostKeyChecking=no -i ~/.ssh/private-key.pem ec2-user@${data.terraform_remote_state.k8s_cluster.master_public_dns}:~/cats-and-dogs-token cats-and-dogs-token"
+    ]
+
+    connection {
+      host = "${data.terraform_remote_state.k8s_cluster.bastion_public_dns}"
+      type = "ssh"
+      agent = false
+      user = "ec2-user"
+      private_key = "${var.private_key_data}"
+    }
+  }
+
+  provisioner "local-exec" {
+    command = "echo \"${var.private_key_data}\" > private-key.pem"
+  }
+
+  provisioner "local-exec" {
+    command = "chmod 400 private-key.pem"
+  }
+
+  provisioner "local-exec" {
+    command = "scp -o StrictHostKeyChecking=no -i private-key.pem  ec2-user@${data.terraform_remote_state.k8s_cluster.bastion_public_dns}:~/cats-and-dogs-token cats-and-dogs-token"
+  }
+
+  depends_on = ["null_resource.service_account"]
+}
+
+data "null_data_source" "retrieve_token_from_file" {
+  inputs = {
+    cats_and_dogs_token = "${file("cats-and-dogs-token")}"
+  }
+  depends_on = ["null_resource.get_service_account_token"]
+}
+
+resource "kubernetes_pod" "cats-and-dogs-backend" {
+  metadata {
+    name = "cats-and-dogs-backend"
+    namespace = "cats-and-dogs"
+    labels {
+      App = "cats-and-dogs-backend"
+    }
+  }
+  spec {
+    service_account_name = "cats-and-dogs"
+    container {
+      image = "rberlind/cats-and-dogs-backend:k8s-auth"
+      image_pull_policy = "Always"
+      name  = "cats-and-dogs-backend"
+      command = ["/app/start_redis.sh"]
+      env = {
+        name = "VAULT_ADDR"
+        value = "${data.terraform_remote_state.k8s_cluster.vault_addr}"
+      }
+      env = {
+        name = "VAULT_K8S_BACKEND"
+        value = "${data.terraform_remote_state.k8s_cluster.vault_k8s_auth_backend}"
+      }
+      env = {
+        name = "VAULT_USER"
+        value = "${data.terraform_remote_state.k8s_cluster.vault_user}"
+      }
+      env = {
+        name = "K8S_TOKEN"
+        value = "${data.null_data_source.retrieve_token_from_file.outputs["cats_and_dogs_token"]}"
+      }
+      port {
+        container_port = 6379
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "cats-and-dogs-backend" {
+  metadata {
+    name = "cats-and-dogs-backend"
+    namespace = "cats-and-dogs"
+  }
+  spec {
+    selector {
+      App = "${kubernetes_pod.cats-and-dogs-backend.metadata.0.labels.App}"
+    }
+    port {
+      port = 6379
+      target_port = 6379
+    }
+  }
+}
+
+resource "kubernetes_pod" "cats-and-dogs-frontend" {
+  metadata {
+    name = "cats-and-dogs-frontend"
+    namespace = "cats-and-dogs"
+    labels {
+      App = "cats-and-dogs-frontend"
+    }
+  }
+  spec {
+    service_account_name = "cats-and-dogs"
+    container {
+      image = "rberlind/cats-and-dogs-frontend:k8s-auth"
+      image_pull_policy = "Always"
+      name  = "cats-and-dogs-frontend"
+      env = {
+        name = "REDIS"
+        value = "cats-and-dogs-backend"
+      }
+      env = {
+        name = "VAULT_ADDR"
+        value = "${data.terraform_remote_state.k8s_cluster.vault_addr}"
+      }
+      env = {
+        name = "VAULT_K8S_BACKEND"
+        value = "${data.terraform_remote_state.k8s_cluster.vault_k8s_auth_backend}"
+      }
+      env = {
+        name = "VAULT_USER"
+        value = "${data.terraform_remote_state.k8s_cluster.vault_user}"
+      }
+      env = {
+        name = "K8S_TOKEN"
+        value = "${data.null_data_source.retrieve_token_from_file.outputs["cats_and_dogs_token"]}"
+      }
+      port {
+        container_port = 80
+      }
+    }
+  }
+
+  depends_on = ["kubernetes_service.cats-and-dogs-backend"]
+}
+
+resource "kubernetes_service" "cats-and-dogs-frontend" {
+  metadata {
+    name = "cats-and-dogs-frontend"
+    namespace = "cats-and-dogs"
+  }
+  spec {
+    selector {
+      App = "${kubernetes_pod.cats-and-dogs-frontend.metadata.0.labels.App}"
+    }
+    port {
+      port = 80
+      target_port = 80
+    }
+    type = "LoadBalancer"
+  }
+}
+
+resource "null_resource" "expose_route" {
+
+  provisioner "remote-exec" {
+    inline = [
+      "oc expose service cats-and-dogs-frontend --hostname=cats-and-dogs-frontend.${data.terraform_remote_state.k8s_cluster.master_public_ip}.xip.io"
+    ]
+  }
+
+  connection {
+    host = "${data.terraform_remote_state.k8s_cluster.master_public_dns}"
+    type = "ssh"
+    agent = false
+    user = "ec2-user"
+    private_key = "${var.private_key_data}"
+    bastion_host = "${data.terraform_remote_state.k8s_cluster.bastion_public_dns}"
+  }
+
+  depends_on = ["kubernetes_service.cats-and-dogs-frontend"]
+
+}

self-serve-infrastructure/k8s-services-openshift/main.tf

@@ -0,0 +1,7 @@
+output "cats_and_dogs_dns" {
+  value = "http://cats-and-dogs-frontend.${data.terraform_remote_state.k8s_cluster.master_public_ip}.xip.io"
+}
+
+output "cats_and_dogs_token" {
+  value = "${data.null_data_source.retrieve_token_from_file.outputs["cats_and_dogs_token"]}"
+}

self-serve-infrastructure/k8s-services-openshift/outputs.tf

@@ -0,0 +1,12 @@
+variable "tfe_organization" {
+  description = "TFE organization"
+  default = "RogerBerlind"
+}
+
+variable "k8s_cluster_workspace" {
+  description = "workspace to use for the k8s cluster"
+}
+
+variable "private_key_data" {
+  description = "contents of the private key"
+} 

self-serve-infrastructure/k8s-services-openshift/variables.tf

@@ -6,7 +6,7 @@ This Terraform configuration deploys two pods exposed as services. It is meant t
 
 It uses the kubernetes_pod and kubernetes_service resources of Terraform's Kubernetes Provider to deploy the pods and services into a Kubernetes cluster previously provisioned by Terraform. It also uses the terraform_remote_state data source to copy the outputs of the targeted cluster's TFE workspace directly into the Kubernetes Provider block, avoiding the need to manually copy the outputs into variables of the TFE services workspace. It also uses the vault_addr, vault_user, and vault_k8s_auth_backend outputs from the cluster workspace. Note that it also creates a Kubernetes service account called "cats-and-dogs" which the pods use.
 
-Another important aspect of this configuration is that both the frontend application and the redis database get the redis password from a Vault server after using the Kubernetes JWT token of the cats-and-dogs service account to authenticate against Vault's Kubernetes auth backend. This has the benefits that the redis password is not stored in the Terraform code and that neither the application developers nor the DBAs managing Redis need to know what the redis password is. Only the security team that stores the password in Vault know it. The redis_db password is stored in the Vault server under "secret/<vault_user>/kubernetes/cats-and-dogs" where \<vault_user\> is the Vault username.
+Another important aspect of this configuration is that both the frontend application and the redis database get the redis password from a Vault server after using the Kubernetes JWT token of the cats-and-dogs service account to authenticate against Vault's Kubernetes auth method. This has the benefits that the redis password is not stored in the Terraform code and that neither the application developers nor the DBAs managing Redis need to know what the redis password is. Only the security team that stores the password in Vault know it. The redis_db password is stored in the Vault server under "secret/<vault_user>/kubernetes/cats-and-dogs" where \<vault_user\> is the Vault username.
 
 ## Deployment Prerequisites