kbst · pst · Jun 27, 2019 · Jun 28, 2019 · Jun 28, 2019 · Jul 12, 2019
diff --git a/aws/_modules/eks/pipeline.tf b/aws/_modules/eks/pipeline.tf
@@ -0,0 +1,28 @@
+resource "kubernetes_namespace" "pipeline" {
+  provider = kubernetes.eks
+
+  metadata {
+    name = "kbst-pipeline"
+  }
+
+  # namespace metadata may change through the manifests
+  # hence ignoring this for the terraform lifecycle
+  lifecycle {
+    ignore_changes = [metadata]
+  }
+
+  depends_on = [module.node_pool]
+}
+
+resource "kubernetes_service_account" "pipeline" {
+  provider = kubernetes.eks
+
+  metadata {
+    name      = "kbst-pipeline"
+    namespace = kubernetes_namespace.pipeline.metadata[0].name
+  }
+
+  secret {
+    name = "ssh-auth"
+  }
+}
diff --git a/cloudbuild-cleanup.yaml b/cloudbuild-cleanup.yaml
@@ -1,6 +1,7 @@
 substitutions:
     _HOME: /workspace/tests/.user
     _TF_IN_AUTOMATION: "1"
+    _CLUSTER_PAIR: cp_eks_zero
 
 steps:
 - id: docker build
@@ -14,7 +15,7 @@ steps:
 
 - id: terraform init
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
@@ -25,7 +26,7 @@ steps:
 
 - id: terraform workspace
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
@@ -37,7 +38,7 @@ steps:
 
 - id: terraform destroy
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION

diff --git a/cloudbuild-test.yaml b/cloudbuild-test.yaml
@@ -1,6 +1,7 @@
 substitutions:
     _HOME: /workspace/tests/.user
     _TF_IN_AUTOMATION: "1"
+    _CLUSTER_PAIR: cp_eks_zero
 
 steps:
 - id: docker build
@@ -12,9 +13,12 @@ steps:
   - kbst-infra-automation:bootstrap
   - ci-cd/
 
+#
+#
+# Bootstrap cluster
 - id: terraform init
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
@@ -25,7 +29,7 @@ steps:
 
 - id: terraform workspace
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
@@ -37,7 +41,7 @@ steps:
 
 - id: terraform plan
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
@@ -49,7 +53,46 @@ steps:
 
 - id: terraform apply
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
+  env:
+  - HOME=$_HOME
+  - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
+  args:
+  - terraform
+  - apply
+  - --input=false
+  - tfplan
+
+#
+#
+# Bootstrap pipeline
+- id: add pipeline base
+  name: 'kbst-infra-automation:bootstrap'
+  dir: tests/manifests/overlays/common
+  env:
+  - HOME=$_HOME
+  args:
+  - kustomize
+  - edit
+  - add
+  - base
+  - ../../bases/pipeline/base
+
+- id: terraform plan pipeline
+  name: 'kbst-infra-automation:bootstrap'
+  dir: tests/$_CLUSTER_PAIR
+  env:
+  - HOME=$_HOME
+  - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
+  args:
+  - terraform
+  - plan
+  - --input=false
+  - --out=tfplan
+
+- id: terraform apply pipeline
+  name: 'kbst-infra-automation:bootstrap'
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION

diff --git a/common/cluster_services/locals.tf b/common/cluster_services/locals.tf
@@ -5,10 +5,9 @@ locals {
 
   workspace_label = "${var.label_namespace}cluster_workspace"
   workspace       = var.metadata_labels[local.workspace_label]
-  build_path      = "manifests/overlays/${var.cluster_type}/${local.workspace}"
+  build_path      = "../manifests/overlays/${var.cluster_type}/${local.workspace}"
 
   output_file = "cluster_services.yaml"
 
   kubeconfig_path = "${local.cluster_dir}/kubeconfig"
 }
-
diff --git a/google/_modules/gke/cluster.tf b/google/_modules/gke/cluster.tf
@@ -1,4 +1,6 @@
 resource "google_container_cluster" "current" {
+  provider = "google-beta"
+
   project = var.project
   name    = var.metadata_name
 
@@ -21,6 +23,10 @@ resource "google_container_cluster" "current" {
     }
   }
 
+  workload_identity_config {
+    identity_namespace = "${var.project}.svc.id.goog"
+  }
+
   network = google_compute_network.current.self_link
 
   #
@@ -54,4 +60,3 @@ resource "google_container_cluster" "current" {
     }
   }
 }
-
diff --git a/google/_modules/gke/node_pool/main.tf b/google/_modules/gke/node_pool/main.tf
@@ -1,4 +1,6 @@
 resource "google_container_node_pool" "current" {
+  provider = "google-beta"
+
   name     = var.pool_name
   project  = var.project
   cluster  = var.metadata_name
@@ -29,11 +31,14 @@ resource "google_container_node_pool" "current" {
     labels = var.metadata_labels
 
     tags = var.metadata_tags
+
+    workload_metadata_config {
+      node_metadata = "GKE_METADATA_SERVER"
+    }
   }
 
   management {
     auto_repair  = var.auto_repair
     auto_upgrade = var.auto_upgrade
   }
 }
-
diff --git a/google/_modules/gke/outputs.tf b/google/_modules/gke/outputs.tf
@@ -2,4 +2,3 @@ output "ingress_zone_name_servers" {
   value       = google_dns_managed_zone.current.name_servers
   description = "Nameservers of the cluster's managed zone."
 }
-
diff --git a/google/_modules/gke/pipeline.tf b/google/_modules/gke/pipeline.tf
@@ -0,0 +1,58 @@
+locals {
+  k8s_sa_email = "${var.project}.svc.id.goog[${kubernetes_namespace.pipeline.metadata[0].name}/${kubernetes_service_account.pipeline.metadata[0].name}]"
+}
+
+resource "google_service_account" "pipeline" {
+  account_id = "${var.metadata_name}-pl"
+  project    = var.project
+}
+
+resource "google_project_iam_member" "container_admin" {
+  project = var.project
+  role    = "roles/container.admin"
+  member  = "serviceAccount:${google_service_account.pipeline.email}"
+}
+
+resource "google_project_iam_member" "editor" {
+  project = var.project
+  role    = "roles/editor"
+  member  = "serviceAccount:${google_service_account.pipeline.email}"
+}
+
+resource "google_project_iam_member" "workload_identity_user" {
+  project = var.project
+  role    = "roles/iam.workloadIdentityUser"
+  member  = "serviceAccount:${local.k8s_sa_email}"
+}
+
+resource "kubernetes_namespace" "pipeline" {
+  provider = kubernetes.gke
+
+  metadata {
+    name = "kbst-pipeline"
+  }
+
+  # namespace metadata may change through the manifests
+  # hence ignoring this for the terraform lifecycle
+  lifecycle {
+    ignore_changes = [metadata]
+  }
+
+  depends_on = [module.node_pool]
+}
+
+resource "kubernetes_service_account" "pipeline" {
+  provider = kubernetes.gke
+
+  metadata {
+    name      = "kbst-pipeline"
+    namespace = kubernetes_namespace.pipeline.metadata[0].name
+    annotations = {
+      "iam.gke.io/gcp-service-account" = google_service_account.pipeline.email
+    }
+  }
+
+  secret {
+    name = "ssh-auth"
+  }
+}
diff --git a/google/cluster/providers.tf b/google/cluster/providers.tf
@@ -3,7 +3,11 @@ provider "external" {
 }
 
 provider "google" {
-  version = "~> 2.8"
+  version = "~> 2.9"
+}
+
+provider "google-beta" {
+  version = "~> 2.9"
 }
 
 provider "kubernetes" {
@@ -17,4 +21,3 @@ provider "null" {
 provider "template" {
   version = "~> 2.1"
 }
-
diff --git a/pipeline/base/cm_env.yaml b/pipeline/base/cm_env.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+data:
+  TF_IN_AUTOMATION: "true"
+kind: ConfigMap
+metadata:
+  name: env
diff --git a/pipeline/base/kustomization.yaml b/pipeline/base/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonAnnotations:
+  catalog.kubestack.com/variant: base
+  app.kubernetes.io/version: v0.1.0
+
+commonLabels:
+  app.kubernetes.io/component: tektoncd
+  app.kubernetes.io/managed-by: kubestack
+  app.kubernetes.io/name: pipeline
+
+namespace: kbst-pipeline
+
+resources:
+- namespace.yaml
+- cm_env.yaml
+- pipeline.yaml
+- task_terraform_run.yaml
diff --git a/pipeline/base/namespace.yaml b/pipeline/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kbst-pipeline
diff --git a/pipeline/base/pipeline.yaml b/pipeline/base/pipeline.yaml
@@ -0,0 +1,23 @@
+apiVersion: tekton.dev/v1alpha1
+kind: Pipeline
+metadata:
+  name: kubestack-cd
+spec:
+  params:
+  - name: ops_or_apps
+    type: string
+    default: ops
+  resources:
+    - name: source_repo
+      type: git
+  tasks:
+  - name: terraform-run
+    taskRef:
+      name: terraform-run
+    resources:
+      inputs:
+      - name: workspace
+        resource: source_repo
+    params:
+    - name: ops_or_apps
+      value: "$(params.ops_or_apps)"
diff --git a/pipeline/base/task_terraform_run.yaml b/pipeline/base/task_terraform_run.yaml
@@ -0,0 +1,50 @@
+apiVersion: tekton.dev/v1alpha1
+kind: Task
+metadata:
+  name: terraform-run
+spec:
+  inputs:
+    resources:
+    - name: workspace
+      type: git
+      targetPath: infra
+    params:
+    - name: ops_or_apps
+      type: string
+      description: Use ops- or apps terraform workspace.
+  stepTemplate:
+    workingDir: /workspace/infra
+    envFrom:
+    - configMapRef:
+        name: env
+  steps:
+  - name: init
+    image: kubestack/cd:dev-1
+    command:
+    - terraform
+    args:
+    - init
+  - name: workspace
+    image: kubestack/cd:dev-1
+    command:
+    - terraform
+    args:
+    - workspace
+    - select
+    - "$(inputs.params.ops_or_apps)"
+  - name: plan
+    image: kubestack/cd:dev-1
+    command:
+    - terraform
+    args:
+    - plan
+    - --input=false
+    - --out=tfplan
+  - name: apply
+    image: kubestack/cd:dev-1
+    command:
+    - terraform
+    args:
+    - apply
+    - --input=false
+    - tfplan