Merge pull request #6 from lonelyCZ/pr-add-cm-vault

Add initial cert-manager and Vault installation scripts

.gitignore

@@ -0,0 +1,25 @@
+.vscode/
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# misc
+*.terraform.lock.hcl

README.md

@@ -27,3 +27,76 @@ Terraform is an IT infrastructure automation orchestration tool.
 ### [Install Terragrunt](https://terragrunt.gruntwork.io/docs/getting-started/install/)
 
 Terragrunt is a thin wrapper that provides extra tools for keeping your configurations DRY, working with multiple Terraform modules, and managing remote state.
+
+### Configure Terraform Plugin Cache.
+
+The configuration directory of each dependence can share the cache to improve the execution speed.
+
+```
+$ mkdir -p $HOME/.terraform.d/plugin-cache
+$ export TF_PLUGIN_CACHE_DIR="$HOME/.terraform.d/plugin-cache" 
+```
+
+## Usage Steps
+
+Take Vault as a example.
+
+### 1. Go to the installation directory of specific dependency.
+
+```
+cd cm-vault
+```
+
+### 2. Execute `terragrunt run-all init`
+```
+$ terragrunt run-all init
+INFO[0000] The stack at /root/lonelyCZ/testing-addons/cm-vault will be processed in the following order for command init:
+Group 1
+- Module /root/lonelyCZ/testing-addons/cm-vault/cm-install
+- Module /root/lonelyCZ/testing-addons/cm-vault/vault-install
+
+Group 2
+- Module /root/lonelyCZ/testing-addons/cm-vault/vault-config
+
+Group 3
+- Module /root/lonelyCZ/testing-addons/cm-vault/cm-config
+
+
+Initializing the backend...
+```
+
+### 3. Execute `terragrunt run-all apply`
+
+```
+$ terragrunt run-all apply
+INFO[0000] The stack at /root/lonelyCZ/testing-addons/cm-vault will be processed in the following order for command apply:
+Group 1
+- Module /root/lonelyCZ/testing-addons/cm-vault/cm-install
+- Module /root/lonelyCZ/testing-addons/cm-vault/vault-install
+
+Group 2
+- Module /root/lonelyCZ/testing-addons/cm-vault/vault-config
+
+Group 3
+- Module /root/lonelyCZ/testing-addons/cm-vault/cm-config
+
+Are you sure you want to run 'terragrunt apply' in each folder of the stack described above? (y/n) y
+```
+
+### 4. Destroy Test Environment.
+
+```
+$ terragrunt run-all destroy
+INFO[0000] The stack at /root/lonelyCZ/testing-addons/cm-vault will be processed in the following order for command destroy:
+Group 1
+- Module /root/lonelyCZ/testing-addons/cm-vault/cm-config
+
+Group 2
+- Module /root/lonelyCZ/testing-addons/cm-vault/cm-install
+- Module /root/lonelyCZ/testing-addons/cm-vault/vault-config
+
+Group 3
+- Module /root/lonelyCZ/testing-addons/cm-vault/vault-install
+
+WARNING: Are you sure you want to run `terragrunt destroy` in each folder of the stack described above? There is no undo! (y/n) y
+```

cm-vault/README.md

@@ -0,0 +1,59 @@
+# Deploy and Setup Cert-manager and Vault
+
+## Goals
+
+This Terragrunt workflow deploys and configures cert-manager, Hashicorp Vault and a cert-manager Vault `ClusterIssuer` to an existing Kubernetes cluster.
+
+Vault will be deployed in the insecure dev mode with a [PKI Secrets Engine](https://www.vaultproject.io/docs/secrets/pki) configured for issuing certs for `cert-manager.io` subdomains.
+
+A `ClusterIssuer` named `vault-issuer` will be created that can issue certs from this PKI using Vault's dev root token.
+
+A `Certificate` named `demo-app-vault-cert` will be created that issued by `vault-issuer`.
+
+> Note: The allowed DNS names are restricted to subdomains of `cert-manager.io`.
+
+## Dependencies Graph
+
+Terragrunt is used to ensure the correct order of dependency installation, i.e that cert-manager `ClusterIssuer` is not created before installing cert-manager. See dependency graph below:
+
+![image](graph.svg)
+
+### cm-install
+
+To use [Helm Provider](https://registry.terraform.io/providers/hashicorp/helm/latest/docs) to install Cert-Manager into Kubernetes, you need to set `kubeconfig_path` that default is `~/.kube/config`.
+
+### vault-install
+
+To use Helm Provider to install Vault into Kubernetes. By default, it is a single unsealed Vault server in the insecure dev mode with a memory storage backend.
+
+### vault-config
+
+To use Vault Provider to configure Vault. By default, it setup a [PKI Secrets Engine](https://www.vaultproject.io/docs/secrets/pki) configured for issuing certs for `cert-manager.io` subdomains.
+
+### cm-config
+
+To use Kubernetes Provider to configure Cert-Manager. By default, it create a `ClusterIssuer` named `vault-issuer` that can issue certs from this PKI using Vault's dev root token and a `Certificate` named `demo-app-vault-cert` that issued by `vault-issuer`.
+
+
+## Usage Steps
+
+Execute `terragrunt run-all init` to init providers of all modules.
+
+Execute `terragrunt run-all apply` to deploy all modules.
+
+Execute `terragrunt run-all destroy` to clean test environment.
+
+### Note
+If you want to run it in [Kind](https://kind.sigs.k8s.io/) cluster, you need to [create extra port mappings](https://kind.sigs.k8s.io/docs/user/configuration/#extra-port-mappings) to `vault-install` module to port forward.
+
+To use this config, place the contents in a file `config.yaml` and then run `kind create cluster --config=config.yaml` from the same directory.
+
+```
+apiVersion: kind.x-k8s.io/v1alpha4
+kind: Cluster
+nodes:
+- role: control-plane
+  extraPortMappings:
+  - containerPort: 30200
+    hostPort: 30200
+```

cm-vault/cm-config/main.tf

@@ -0,0 +1,66 @@
+terraform {
+  required_providers {
+    kubernetes = {
+        source  = "hashicorp/kubernetes"
+        version = "~> 2.11.0"
+    }
+  }
+}
+
+provider "kubernetes" {
+  config_path = var.kubeconfig_path
+}
+
+// vault-token is used to connect vault
+resource "kubernetes_secret_v1" "vault-token" {
+  metadata {
+    name = "vault-token"
+    namespace = "cert-manager"
+  }
+  data = {
+    token = "root"
+  }
+  type = "opaque"
+}
+
+resource "kubernetes_manifest" "vault-issuer" {
+  manifest = {
+    "apiVersion" = "cert-manager.io/v1"
+    "kind"       = "ClusterIssuer"
+    "metadata" = {
+      "name" = "vault-issuer"
+    }
+    "spec" = {
+      "vault" = {
+        "auth" = {
+          "tokenSecretRef" = {
+            "key"  = "token"
+            "name" = "${kubernetes_secret_v1.vault-token.metadata[0].name}"
+          }
+        }
+        "path"   = "pki/sign/cert-manager-io"
+        "server" = "http://vault.vault.svc:8200"
+      }
+    }
+  }
+}
+
+resource "kubernetes_manifest" "demo-app-vault-cert" {
+  manifest = {
+    "apiVersion" = "cert-manager.io/v1"
+    "kind" = "Certificate"
+    metadata = {
+      "name" = "demo-app-vault-cert"
+      "namespace" = "default"
+    }
+    "spec" = {
+      "commonName" = "demo-app.cert-manager.io"
+      "secretName" = "demo-app-tls"
+      "dnsNames" = ["demo-app.cert-manager.io"]
+      "issuerRef" = {
+        "name" = kubernetes_manifest.vault-issuer.manifest.metadata.name
+        "kind" = kubernetes_manifest.vault-issuer.manifest.kind
+      }
+    }
+  }
+}

cm-vault/cm-config/terragrunt.hcl

@@ -0,0 +1,18 @@
+dependency "vault-install" {
+    config_path = "../vault-install"
+
+    skip_outputs = "true"
+}
+
+dependency "cm-install" {
+    config_path = "../cm-install"
+
+    skip_outputs = "true"
+}
+
+
+dependency "vault-config" {
+    config_path = "../vault-config"
+
+    skip_outputs = "true"
+}

cm-vault/cm-config/variables.tf

@@ -0,0 +1,4 @@
+variable "kubeconfig_path" {
+  type    = string
+  default = "~/.kube/config"
+}

cm-vault/cm-install/main.tf

@@ -0,0 +1,29 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.5.1"
+    }
+  }
+}
+
+provider "helm" {
+  kubernetes {
+    config_path = var.kubeconfig_path
+  }
+}
+
+# deploy cert-manager
+resource "helm_release" "cert-manager" {
+  name             = "cert-manager"
+  repository       = "https://charts.jetstack.io"
+  chart            = "cert-manager"
+  namespace        = "cert-manager"
+  create_namespace = true
+  version          = "v1.8.0"
+
+  set {
+    name  = "installCRDs"
+    value = "true"
+  }
+}

cm-vault/cm-install/variables.tf

@@ -0,0 +1,4 @@
+variable "kubeconfig_path" {
+  type    = string
+  default = "~/.kube/config"
+}

cm-vault/vault-config/main.tf

@@ -0,0 +1,43 @@
+terraform {
+  required_providers {
+    vault = {
+      source = "hashicorp/vault"
+      version = "~> 3.5.0"
+    }
+  }
+}
+
+provider "vault" {
+  address = "http://127.0.0.1:30200"
+  token   = "root"
+}
+
+resource "vault_mount" "pki" {
+  path                      = "pki"
+  type                      = "pki"
+  max_lease_ttl_seconds     = 31536000 # 1 year
+}
+
+resource "vault_pki_secret_backend_role" "role" {
+  backend          = vault_mount.pki.path
+  name             = "cert-manager-io"
+  ttl              = 31536000 # 1 year
+  allow_ip_sans    = true
+  key_type         = "rsa"
+  key_bits         = 2048
+  allowed_domains  = ["cert-manager.io"]
+  allow_subdomains = true
+}
+
+resource "vault_pki_secret_backend_root_cert" "ca" {
+  depends_on           = [vault_mount.pki]
+  backend              = vault_mount.pki.path
+  type                 = "internal"
+  common_name          = "cert-manager.io"
+  ttl                  = "31536000" # 1 year
+  format               = "pem"
+  private_key_format   = "der"
+  key_type             = "rsa"
+  key_bits             = 2048
+  exclude_cn_from_sans = true
+}

cm-vault/vault-config/terragrunt.hcl

@@ -0,0 +1,5 @@
+dependency "vault-install" {
+    config_path = "../vault-install"
+
+    skip_outputs = "true"
+}