# HashiCorp Terraform Demo for Flexible Deployment Options (FDO) - Deploy Terraform Enterprise (TFE) on Kubernetes (K8s)

This is still WIP.  Not fully working.

This demo shows how the new TFE FDO (introduced in v202309-1) can be used to deploy a 3-node TFE setup in External Services mode.   This means that the TFE data is stored externally of the TFE nodes.  This includes:
- PostgreSQL database (for storing metadata)
- S3-compatible blob storage (for storing terraform state files, configurations)
- Redis (cache for running transactions)

Ref:
- https://developer.hashicorp.com/terraform/enterprise/replicated/install/operation-modes#operational-modes
- https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/kubernetes/requirements
- https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/kubernetes/install
- https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/configuration
- https://github.com/hashicorp/terraform-enterprise-helm/blob/main/values.yaml


The diagram below is a visual representation of this configuration.
<br>
<br>

<img src="">

## Setup of the Demo

This setup is tested on MacOS and is meant to simulate a distributed setup.  The components used in this demo are:
- Vault Enterprise installed on docker (to simulate an external Vault).  This will be used for PKI certificate generation.
- PostgreSQL installed on docker (to simulate an external PostgreSQL database for the TFE setup)
- MinIO installed on docker (to simulate the external S3-compatible blob storage)
- Minikube (to simulate a K8s cluster)

Note that we will be using the docker and minikube routing to the host machine for communication between the docker postgres/minio pods and the Kubernetes cluster.  The host machine will function as a network bridge for communication.

## Requirements to Run This Demo
You will need Visual Studio Code to be installed with the Jupyter plugin.  To run this notebook in VS Code, chose the Jupyter kernel and then Bash.
- To run the current cell, use Ctrl + Enter.
- To run the current cell and advance to the next, use Shift+Enter.

# Setup Pre-requisites (One-time)

Assumes you have docker installed and brew installed

- https://docs.docker.com/desktop/install/mac-install/
- https://brew.sh/

In [None]:
# Install kind
#brew install kind

In [None]:
# Install minikube
brew install minikube

In [None]:
# Install Kubectl CLI
brew install kubernetes-cli

In [None]:
# Install Helm CLI.  This is used to install the VSO helm chart.
brew install helm

In [None]:
# Install K9s.  This is a nice console GUI for K8s.  https://k9scli.io/
brew install K9s

In [None]:
# Install latest MinIO client
brew install minio/stable/mc

In [None]:
# Install AWS CLI
brew install awscli

# Setting Up the Vault, PostgreSQL servers and K8s cluster
## Setup Vault for PKI certificate services

In [None]:
# For this demo, we will be simulating a Vault server that is hosted external from the K8s cluster.  i.e. in Docker.
export VAULT_PORT=8200
export VAULT_ADDR="http://127.0.0.1:${VAULT_PORT}"
export VAULT_TOKEN="root"

# Change the path to your license file
export VAULT_LICENSE=$(cat $HOME/vault-enterprise/vault_local/data/vault.hclic)

# Refresh Vault docker image with latest version
#docker pull hashicorp/vault-enterprise

# Optional: To pull latest image
#docker pull hashicorp/vault-enterprise:latest

# Run Vault in docker in Dev mode with Enterprise license.
# We have set VAULT_LOG_LEVEL to trace for troubleshooting purposes.  This will allow you to view detailed information as you test.
docker run -d --rm --name vault-enterprise --cap-add=IPC_LOCK \
-e "VAULT_DEV_ROOT_TOKEN_ID=${VAULT_TOKEN}" \
-e "VAULT_DEV_LISTEN_ADDRESS=:${VAULT_PORT}" \
-e "VAULT_LICENSE=${VAULT_LICENSE}" \
-e "VAULT_LOG_LEVEL=trace" \
-p ${VAULT_PORT}:${VAULT_PORT} hashicorp/vault-enterprise:latest

In [None]:
# Optional: You can enable file audit device for more information
docker exec -it vault-enterprise /bin/sh -c "mkdir /var/log/vault.d"
docker exec -it vault-enterprise /bin/sh -c "touch /var/log/vault.d/vault_audit.log"
docker exec -it vault-enterprise /bin/sh -c "chown -R vault:vault /var/log/vault.d"
vault audit enable file file_path=/var/log/vault.d/vault_audit.log

# You can run the following command in the container terminal to follow the logs
# tail -f /var/log/vault.d/vault_audit.log
# Or you can run it from outside on your host machine
# docker exec -it vault-enterprise /bin/sh -c "tail -f /var/log/vault.d/vault_audit.log"
# Use Ctrl + C to break

In [None]:
vault audit disable file

## Setup TFE External Services

TFE External Services covers:
- PostgreSQL
- Blob Storage
- Redis

Ref: https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/requirements/data-storage/postgres-requirements

In [None]:
# Run a PostgreSQL database for TFE storage
# Make sure it is a supported version.
# Ref: https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/requirements/data-storage/postgres-requirements
export PGUSER=root
export PGPASSWORD=mypassword
export PGPORT=5432

# Optional: To pull latest image
#docker pull postgres:15

# Run latest 15.x version
docker run --name postgres \
     -p $PGPORT:$PGPORT \
     --rm \
     -e POSTGRES_USER=$PGUSER \
     -e POSTGRES_PASSWORD=$PGPASSWORD \
     -d postgres:15

In [None]:
# Run a MinIO container for the S3 compatible blob storage
# Ref: https://min.io/docs/minio/container/index.html
export MINIO_ROOT_USER=root
export MINIO_ROOT_PASSWORD=mypassword
export MINIO_API_PORT=9080 # I switched from default 9000 to 9080 as there is a Mac app that is running on that port after my Mac update
export MINIO_CONSOLE_PORT=9090

#docker stop minio
#rm -r ${HOME}/minio
# Create a path for the blob storage external to the container
mkdir -p ${HOME}/minio/data

# Optional: To pull latest image
#docker pull quay.io/minio/minio

docker run \
    -p $MINIO_API_PORT:$MINIO_API_PORT \
    -p $MINIO_CONSOLE_PORT:$MINIO_CONSOLE_PORT \
    --name minio \
    --rm \
    -v ${HOME}/minio/data:/data \
    --user $(id -u):$(id -g) \
    -e "MINIO_ROOT_USER=$MINIO_ROOT_USER" \
    -e "MINIO_ROOT_PASSWORD=$MINIO_ROOT_PASSWORD" \
    -d quay.io/minio/minio server /data --address ":$MINIO_API_PORT" --console-address ":$MINIO_CONSOLE_PORT"
# You can configure MinIO to use TLS
#  --certs-dir value, -S value  path to certs directory (default: "${HOME}/.minio/certs")
# Ref: https://min.io/docs/minio/container/operations/network-encryption.html


In [None]:
# Run a redis container for the TFE cache
# Make sure it is a supported version.
# Ref: https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/requirements/data-storage/operational-mode-requirements#active-active-mode
export REDIS_PASSWORD=mypassword
export REDIS_PORT=6379

# Optional: To pull latest image
#docker pull redis:7

# We will be using Redis v7
docker run \
    -p $REDIS_PORT:$REDIS_PORT \
    --name redis \
    --rm \
    -e "MINIO_ROOT_USER=$MINIO_ROOT_USER" \
    -e "MINIO_ROOT_PASSWORD=$MINIO_ROOT_PASSWORD" \
    -d redis:7 redis-server --requirepass $REDIS_PASSWORD


In [None]:
# kind delete cluster --name $TFE_K8S_CLUSTER_NAME

In [None]:
# Start a kind cluster with 3 node (3 nodes for the TFE cluster)
# We will be doing a NodePort on port 30000 so kind needs to configure the extraPortMappings to expose port 30000 to the host.
# export TFE_K8S_CLUSTER_NAME=tfe

# kind create cluster --name $TFE_K8S_CLUSTER_NAME --image kindest/node:v1.28.0 --config - <<EOF
# kind: Cluster
# apiVersion: kind.x-k8s.io/v1alpha4
# nodes:
# - role: control-plane
#   extraPortMappings:
#   - containerPort: 30000
#     hostPort: 30000
#     listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
#     protocol: tcp # Optional, defaults to tcp
# - role: worker
# - role: worker
# - role: worker
# EOF

In [None]:
# Verify that the K8s setup is working
kubectl get pods -A

In [None]:
kubectl get svc -A

In [None]:
# Optional: Add metrics-server to be able to view CPU and memory usage
# helm repo add metrics-server https://kubernetes-sigs.github.io/metrics-server/
# helm repo update
# helm upgrade --install --set args={--kubelet-insecure-tls} metrics-server metrics-server/metrics-server --namespace kube-system

In [None]:
# stop minikube
# minikube delete

In [None]:
# Start minikube with 3 nodes
minikube start --nodes 1

In [None]:
# Optional: Enable metrics on minikube
minikube addons enable metrics-server

In [None]:
kubectl top pods
kubectl top nodes

In [None]:
# Verify minikube, Redis, MinIO, PostgreSQL, and Vault containers are running
docker ps

In [None]:
# Verify that PostgreSQL is running properly

# Setup psql alias to the container to make it easier to do CLI commands to the postgresql pod
alias psql="docker exec -it postgres psql"

# Check connection info
psql -c '\conninfo'

In [None]:
# Verify that MinIO is running properly
# Setup your MinIO client to point to your new MinIO setup with an alias called "myminio"
export MINIO_ALIAS=myminio
export MINIO_API_ADDR=http://127.0.0.1:$MINIO_API_PORT

echo "Connecting to $MINIO_API_ADDR"
echo "MinIO User: $MINIO_ROOT_USER"
echo "MinIO Password: $MINIO_ROOT_PASSWORD"
mc alias set $MINIO_ALIAS $MINIO_API_ADDR $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD
mc admin info $MINIO_ALIAS

# For minio health checks, you can use this endpoint to check for 200 code.
#curl -I http://127.0.0.1:$MINIO_API_PORT/minio/health/live

In [None]:
# Optional: Verify Redis is running properly
# Authenticate, set and get a value.
curl telnet://127.0.0.1:$REDIS_PORT << EOF
AUTH $REDIS_PASSWORD
SET TEST1 VALUE1
GET TEST1
DEL TEST1
GET TEST1
QUIT
EOF

# Configure PostgreSQL database

This requires creating a new database for TFE to install in.

In [None]:
export TFE_DB_NAME=tfedb
psql -c "CREATE DATABASE $TFE_DB_NAME;"

# Verify that the tfedb is created
psql -P pager=off -c "\l"

# Configure a S3 bucket for TFE Object Storage

In [None]:
# Generate a bucket name
export TFE_BUCKET_NAME="tfe-$(date +%s)"
# Set the S3 bucket region to the Minio default.
export TFE_BUCKET_REGION="us-east-1"

In [None]:
# Create a S3 bucket on MinIO for storing TFE objects.
# Region on MinIO defaults to 'us-east-1'

# Generate a unique bucket name using prefix and unix epoch time
# Follow bucket naming conventions - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
echo "MinIO User: $MINIO_ROOT_USER"
echo "MinIO Password: $MINIO_ROOT_PASSWORD"
# Remove the bucket if it exists
#mc rb $MINIO_ALIAS/$TFE_BUCKET_NAME
echo "Creating S3 bucket on MinIO: $TFE_BUCKET_NAME"
mc mb --region $TFE_BUCKET_REGION $MINIO_ALIAS/$TFE_BUCKET_NAME

In [None]:
# Setup a S3 policy for TFE to use
tee pol-tfe-svc.json <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::$TFE_BUCKET_NAME",
                "arn:aws:s3:::$TFE_BUCKET_NAME/*"
            ]
        }
    ]
}
EOF
# Additional permissions are needed by TFE to be able decrypt the bucket if S3 encryption is turned on
# MinIO Key Encryption Service (KES) supports S3 encryption with different KMS including HashiCorp Vault.
# Ref: https://min.io/docs/minio/linux/administration/server-side-encryption/server-side-encryption-sse-kms.html
# Ref: https://min.io/docs/minio/linux/operations/server-side-encryption/configure-minio-kes-hashicorp.html#minio-sse-vault
#     "Effect": "Allow",
#     "Action": [
#         "kms:Decrypt",
#         "kms:Encrypt",
#         "kms:DescribeKey",
#         "kms:ReEncrypt*",
#         "kms:GenerateDataKey*"
#     ],
#     "Resource": [
#         "<KMS_KEY_ARN>"
#     ]

mc admin policy create $MINIO_ALIAS pol-tfe-svc pol-tfe-svc.json
rm pol-tfe-svc.json

In [None]:
# Verify that the new pol-tfe-svc S3 policy is created
mc admin policy list $MINIO_ALIAS

In [None]:
# Create a new IAM programmatic credentials in MinIO with the created policy
export AWS_ACCESS_KEY_ID=$(openssl rand -base64 20 | tr -dc 'a-zA-Z0-9') # Generate random string of length 20
export AWS_SECRET_ACCESS_KEY=$(openssl rand -base64 20 | tr -dc 'a-zA-Z0-9')
mc admin user add $MINIO_ALIAS $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY
mc admin policy attach $MINIO_ALIAS pol-tfe-svc --user $AWS_ACCESS_KEY_ID

In [None]:
# Optional.  You can log into minio to view the create bucket, user, and policy.
echo "MinIO User: $MINIO_ROOT_USER"
echo "MinIO Password: $MINIO_ROOT_PASSWORD"
open http://127.0.0.1:9090

In [None]:
# Verify that you can connect to the S3 bucket using the AWS CLI
echo "AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID"
echo "AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY"
echo "S3 endpoint: $MINIO_API_ADDR"

# unset the AWS_SESSION_TOKEN if it is set, otherwise there will be an error
unset AWS_SESSION_TOKEN

# Verify that the new credentials can see the TFE S3 bucket
echo
echo "Listing buckets:"
aws --region $TFE_BUCKET_REGION --endpoint-url $MINIO_API_ADDR s3 ls
# Write a test file
echo "hello world" | aws --region $TFE_BUCKET_REGION --endpoint-url $MINIO_API_ADDR s3 cp - s3://$TFE_BUCKET_NAME/hello.txt
# List S3 bucket contents.  You should see the test file listed.
echo
echo "Listing bucket $TFE_BUCKET_NAME contents:"
aws --region $TFE_BUCKET_REGION --endpoint-url $MINIO_API_ADDR s3 ls s3://$TFE_BUCKET_NAME
# Remove test file
aws --region $TFE_BUCKET_REGION --endpoint-url $MINIO_API_ADDR s3 rm s3://$TFE_BUCKET_NAME/hello.txt

In [None]:
aws --region $TFE_BUCKET_REGION --endpoint-url $MINIO_API_ADDR s3 ls s3://$TFE_BUCKET_NAME

# Generate PKI certificates for your TFE cluster

We will be using Vault's PKI engine to generate private TLS certificates for use by this TFE cluster.

In [None]:
# Enable PKI engine at the default mount path
vault secrets enable pki

In [None]:
# configure max lease ttl on certificates - 8760h or 365 days
vault secrets tune -max-lease-ttl=8760h pki

In [None]:
# Create the CA, the private key is kept inside Vault.
# Alternatively, generate an intermediate CA and sign with your root CA.
# CA cert is valid for 8760h or 365 days
vault write pki/root/generate/internal \
    common_name=my-org.com \
    ttl=8760h

In [None]:
# configure Vault with the URL's for CRL
vault write pki/config/urls \
    issuing_certificates="$VAULT_ADDR/v1/pki/ca,host.minikube.internal:$VAULT_PORT" \
    crl_distribution_points="$VAULT_ADDR/v1/pki/crl,host.minikube.internal:$VAULT_PORT"

In [None]:
# Store the CA certificate to import into your keychain.  Using keychain app to import in.

# Create folder to store certs
mkdir certs

# Export CA certificate
curl http://127.0.0.1:8200/v1/pki/ca_chain > certs/ca.crt
open certs/ca.crt

In [None]:
# Note: To avoid cert warnings, open keychain app and configure CA cert for my-org.com to Always Trust in the properties
open -a "keychain Access.app"

<img src="images/trust-ca-cert.png">

In [None]:
# Create the certs for the TFE setup
# For now, using "localhost" to avoid DNS setup
export TFE_CLUSTER_NAME=localhost

vault write pki/roles/tfe-web-role \
    allowed_domains=$TFE_CLUSTER_NAME \
    allow_subdomains=true \
    max_ttl=8760h

In [None]:
# Generate the web cert and place it in the nginx folder
vault write -format=json pki/issue/tfe-web-role \
    common_name=$TFE_CLUSTER_NAME > cert.json
jq -r .data.certificate < cert.json > certs/cert.pem
jq -r .data.private_key < cert.json > certs/cert.key

# Setup TFE Cluster with Helm

As we have prepared our external storage services and certificates, we can now proceed to setup TFE on the K8s cluster.

Ref: https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/kubernetes/install

In [None]:
# Log into the TFE FDO repo with your license and pull the TFE docker image
# Update the location of your license file as required
export TFE_LICENSE=$(cat $HOME/tfe-fdo-enterprise/terraform.hclic)
#export TFE_VERSION=$(curl -s https://images.releases.hashicorp.com/v2/hashicorp/terraform-enterprise/tags/list -u terraform:$TFE_LICENSE | jq -r '[.tags[] | select (. | startswith("v"))] | sort_by(".") | reverse | .[0]')
export TFE_VERSION=$(curl -s https://images.releases.hashicorp.com/v2/hashicorp/terraform-enterprise/tags/list -u terraform:$TFE_LICENSE | jq -r '[.tags[] | select (. | startswith("v"))] | sort_by(".") | .[0]')
echo "Latest TFE version: $TFE_VERSION"

# Verify that you are able to log in and pull the docker image from your machine
echo $TFE_LICENSE |  docker login --username terraform images.releases.hashicorp.com --password-stdin
docker pull images.releases.hashicorp.com/hashicorp/terraform-enterprise:$TFE_VERSION

In [None]:
# Load the TFE docker image into the minikube nodes
minikube image load images.releases.hashicorp.com/hashicorp/terraform-enterprise:$TFE_VERSION

In [None]:
# Verify the TFE image is loaded in minikube
minikube image list

In [None]:
# Load the TFE docker image into the kind nodes
#kind load docker-image images.releases.hashicorp.com/hashicorp/terraform-enterprise:$TFE_VERSION -n $TFE_K8S_CLUSTER_NAME

In [None]:
# Create a K8s namespace for your TFE cluster
export TFE_NAMESPACE=tfe-ns

kubectl create ns $TFE_NAMESPACE

In [None]:
# Note that because I have loaded the TFE image earlier, this step is not required for the demo.

# Create an image pull secret in <TFE_NAMESPACE> to fetch the terraform-enterprise container from the <DOCKER_REGISTRY_URL>.
# This URL can be images.releases.hashicorp.com, or your internal container registry.  e.g. airgap setups.
# This step is important otherwise you will get an ImagePullErr on your TFE pod when running the helm installation
kubectl create secret docker-registry terraform-enterprise --docker-server=images.releases.hashicorp.com \
    --docker-username=terraform --docker-password=$TFE_LICENSE  -n $TFE_NAMESPACE

In [None]:
# Add the HashiCorp repo (Only required for the first time)
helm repo add hashicorp https://helm.releases.hashicorp.com

In [None]:
# Optional.  Update the repo (Only required when new versions are released)
helm repo update

In [None]:
minikube addons enable ingress

In [None]:
# Verify that the ingress controller pods are running in the ingress-nginx namespace
kubectl get pods -n ingress-nginx

In [None]:
helm delete terraform-enterprise -n $TFE_NAMESPACE

In [None]:
# Ref: https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/kubernetes/requirements
# As we are using MinIO for the S3 compatible storage, TFE_OBJECT_STORAGE_S3_USE_INSTANCE_PROFILE will be set to false.
echo "Installing in K8s namespace: $TFE_NAMESPACE"
echo "TFE Cluster name: $TFE_CLUSTER_NAME"
echo "TFE Database name: $TFE_DB_NAME"
echo "PostgreSQL Username: $PGUSER"
echo "PostgreSQL Username: $PGPASSWORD"
echo "PostgreSQL Port Number: $PGPORT"
echo "Redis Port Number: $REDIS_PORT"
echo "Redis Password: $REDIS_PASSWORD"
echo "S3 endpoint: $MINIO_API_ADDR"
echo "S3 Bucket name: $TFE_BUCKET_NAME"
echo "AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID"
echo "AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY"
rm values.yaml
# Set TFE encryption password
export TFE_ENCRYPTION_PASSWORD=encryptme
# For full list of parameters, see this.
# Ref: https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/configuration
# See helm chart default values
# Ref: https://github.com/hashicorp/terraform-enterprise-helm/blob/main/values.yaml
tee values.yaml <<EOF
replicaCount: 1
ingress:
  enabled: true
service:
  type: LoadBalancer
  port: 443
  targetPort: 443
  nodePort: 32443
tls:
  certData: $(cat certs/cert.pem | base64)
  keyData: $(cat certs/cert.key | base64)
  caCertData: $(cat certs/ca.crt | base64)
image:
  repository: images.releases.hashicorp.com
  name: hashicorp/terraform-enterprise
  tag: $TFE_VERSION
env:
  variables:
    TFE_HOSTNAME: $TFE_CLUSTER_NAME
    TFE_IACT_SUBNETS: 0.0.0.0/0
    TFE_DATABASE_HOST: host.minikube.internal:$PGPORT
    TFE_DATABASE_NAME: $TFE_DB_NAME
    TFE_DATABASE_PARAMETERS: sslmode=disable
    TFE_DATABASE_USER: $PGUSER
    TFE_REDIS_HOST: host.minikube.internal:$REDIS_PORT
    TFE_REDIS_USE_TLS: false
    TFE_REDIS_USE_AUTH: true
    TFE_OBJECT_STORAGE_TYPE: s3
    TFE_OBJECT_STORAGE_S3_USE_INSTANCE_PROFILE: false
    TFE_OBJECT_STORAGE_S3_BUCKET: $TFE_BUCKET_NAME
    TFE_OBJECT_STORAGE_S3_ENDPOINT: http://host.minikube.internal:$MINIO_API_PORT
    TFE_OBJECT_STORAGE_S3_REGION: $TFE_BUCKET_REGION
    TFE_CAPACITY_CONCURRENCY: 10
  secrets:
    TFE_DATABASE_PASSWORD: $PGPASSWORD
    TFE_OBJECT_STORAGE_S3_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
    TFE_OBJECT_STORAGE_S3_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
    TFE_REDIS_PASSWORD: $REDIS_PASSWORD
    TFE_LICENSE: $TFE_LICENSE
    TFE_ENCRYPTION_PASSWORD: $TFE_ENCRYPTION_PASSWORD
EOF
#    TFE_HTTP_PORT: 80
#    TFE_HTTPS_PORT: 443

# Render the terraform-enterprise chart with your custom values file
#helm template terraform-enterprise hashicorp/terraform-enterprise --values values.yaml -n $TFE_NAMESPACE 
# Install TFE with helm using the configuration values
helm install terraform-enterprise hashicorp/terraform-enterprise --values values.yaml -n $TFE_NAMESPACE 

In [None]:
kubectl get deployments -A

In [None]:
kubectl expose deployment terraform-enterprise -n tfe-ns --type=NodePort --port=8443

In [None]:
# This should have been configured by the helm chart
kubectl expose deployment web --type=NodePort --port=8080

In [None]:
kubectl get service -A

In [None]:
# To view listening ports in the TFE container.  Use K9s and type 's' to get a shell to the container
ss -tuln

In [None]:
# We will be exposing the vault nodes using a NodePort on port 30000
# vault-active: "true" is commented out.  If included, it will only route to the leader node
kubectl apply -n $TFE_NAMESPACE  -f - <<EOF
kind: Service
apiVersion: v1
metadata:
  name: port-tfe-svc
spec:
  type: NodePort 
  selector:
    app: terraform-enterprise
  ports:
    - name: http
      nodePort: 30080
      port: 8080
      targetPort: 8080
    - name: https
      nodePort: 30443
      port: 8443
      targetPort: 8443
EOF

In [None]:
kubectl get ingress -A

In [None]:
#minikube service terraform-enterprise --url -n tfe-ns
minikube service port-tfe-svc --url -n tfe-ns

In [None]:
minikube ip

In [None]:
# For troubleshooting, if the TFE pod is running you can use K9s to open a shell into the TFE pod to check the individual logs 
# Ref: https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/troubleshooting
open /opt/homebrew/bin/k9s
# Type '0' to view all namespaces
# Select the TFE pod and type 's' to open a shell
# Run this command to check the status of all TFE services.  All services should be running except postgres and redis.
# supervisorctl status
# All the logs for each component is here.  Check each log for errors.
# cd /var/log/terraform-enterprise
# Grep for all errors in the current folder for the word 'error' (case insensitive option)
# grep -r -i . -e 'error'
# Check for listening ports
# ss -tuln

In [None]:
# We will be exposing the TFE nodes using a NodePort on port 30000
# vault-active: "true" is commented out.  If included, it will only route to the leader node
kubectl apply -n $TFE_NAMESPACE -f - <<EOF
kind: Service
apiVersion: v1
metadata:
  name: port-tfe-svc
spec:
  type: NodePort 
  selector:
    app: terraform-enterprise
  ports:
    - nodePort: 30000
      port: 443
      targetPort: 443
EOF

In [None]:
open http://localhost:30000

In [None]:
kubectl delete svc port-tfe-svc -n $TFE_NAMESPACE

In [None]:
kubectl expose deployment terraform-enterprise --type=NodePort --port=8080 -n $TFE_NAMESPACE

In [None]:
kubectl expose deployment terraform-enterprise --type=NodePort --port=8443 -n $TFE_NAMESPACE

In [None]:

kubectl get service terraform-enterprise --output='jsonpath="{.spec.ports[0].nodePort}"' -n $TFE_NAMESPACE

In [None]:
kubectl get pods -o wide -n $TFE_NAMESPACE  

# End of Demo

# Cleanup

In [None]:
# Cleanup

# Delete TFE
helm delete terraform-enterprise -n $TFE_NAMESPACE

# stop vault
docker stop vault-enterprise

# stop postgres
docker stop postgres

# stop redis
docker stop redis

# stop minio and clean up data folder
docker stop minio
rm -r ${HOME}/minio/data

# Clear up generated certs
rm -r certs

# Remove temp files
rm cert.json
rm values.yaml

# stop minikube
minikube delete

# Delete kind cluster
kind delete cluster --name $TFE_K8S_CLUSTER_NAME


In [None]:
# Manual Cleanup step
open -a "keychain Access.app"
# Remove the my-org.com certificate

# Appendix - Other Useful Commands

In [None]:
# For debugging, for testing the K8s API
echo "JWT Token: $JWT_TOKEN_DEFAULT_DEMONS"
echo "K8s API Internal URL: $KUBE_INT_API"
curl $KUBE_INT_API/apis/apps/v1/ \
  --cacert ~/.minikube/ca.crt  \
  --header "Authorization: Bearer $JWT_TOKEN_DEFAULT_DEMONS"

In [None]:
# For testing connectivity.  Bash shell to a temporary pod and do curl commands
kubectl run my-shell --rm -i --tty --image ubuntu -- bash
apt update
apt install curl
curl http://host.minikube.internal:8200 

In [None]:
# View all K8s pod details - wide format
kubectl get pod -o wide -A

# Getting K8s secrets sample
kubectl get secrets -n $KUBENAMESPACE  --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name'

In [None]:
# Delete previous deployment example
kubectl delete deployment -n $KUBENAMESPACE vso-db-demo

In [None]:
# Docker network commands
# Internal host name - host.docker.internal
docker network ls
docker network connect <network> <container>
docker network create --driver bridge vso-connect

# Get IP address of Vault pod
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' vault-enterprise


In [None]:
# Optional for troubleshooting common issues

# docker ps -a
# docker exec -it tfe-worker sh

# Image pull issues
# SSH into minikube.  Verify that you can pull the docker image.
echo "Run this command to log into an SSH shell on minikube"
echo
echo "minikube ssh -n minikube"
echo
echo "Run these commands in the minikube SSH shell to verify that you can login to the private repo and pull the image properly"
echo
echo "docker login --username terraform images.releases.hashicorp.com"
echo "docker pull images.releases.hashicorp.com/hashicorp/terraform-enterprise:$TFE_VERSION"
echo
echo "Enter this password when prompted:"
echo
echo $TFE_LICENSE

In [None]:
# Follow minikube logs
new minikube logs -f

In [None]:
# Launch K8s dashboard
minikube dashboard

In [None]:
export TFE_HOSTNAME=localhost
open "https://${TFE_HOSTNAME}:30000/admin/account/new?token=$(docker exec terraform-enterprise-tfe-1 /usr/local/bin/retrieve-iact)"


In [None]:
kubectl get pods -n $TFE_NAMESPACE

In [None]:
export TFE_ADMIN_TOKEN=$(kubectl exec -n $TFE_NAMESPACE -it terraform-enterprise-5878656ffd-mdv2z -- tfectl admin token)
echo "TFE Admin Token: $TFE_ADMIN_TOKEN"

In [None]:
open "https://${TFE_HOSTNAME}:30000/admin/account/new?token=$TFE_ADMIN_TOKEN"

In [None]:
https://localhost:30000/admin/account/new?token=c35aa1b467d3da5dd475aa885375d0cd11e6fd2814d66af23ee9271c5d84d405

In [None]:
# Reclaim space used by docker if you get a "no space left on device" error
docker system prune --all --force --volumes