Add TektonCD pipeline

aws/_modules/eks/pipeline.tf

@@ -0,0 +1,28 @@
+resource "kubernetes_namespace" "pipeline" {
+  provider = kubernetes.eks
+
+  metadata {
+    name = "kbst-pipeline"
+  }
+
+  # namespace metadata may change through the manifests
+  # hence ignoring this for the terraform lifecycle
+  lifecycle {
+    ignore_changes = [metadata]
+  }
+
+  depends_on = [module.node_pool]
+}
+
+resource "kubernetes_service_account" "pipeline" {
+  provider = kubernetes.eks
+
+  metadata {
+    name      = "kbst-pipeline"
+    namespace = kubernetes_namespace.pipeline.metadata[0].name
+  }
+
+  secret {
+    name = "ssh-auth"
+  }
+}

cloudbuild-cleanup.yaml

@@ -1,6 +1,7 @@
 substitutions:
     _HOME: /workspace/tests/.user
     _TF_IN_AUTOMATION: "1"
+    _CLUSTER_PAIR: cp_eks_zero
 
 steps:
 - id: docker build
@@ -14,7 +15,7 @@ steps:
 
 - id: terraform init
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
@@ -25,7 +26,7 @@ steps:
 
 - id: terraform workspace
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
@@ -37,7 +38,7 @@ steps:
 
 - id: terraform destroy
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION

cloudbuild-test.yaml

@@ -1,6 +1,7 @@
 substitutions:
     _HOME: /workspace/tests/.user
     _TF_IN_AUTOMATION: "1"
+    _CLUSTER_PAIR: cp_eks_zero
 
 steps:
 - id: docker build
@@ -14,7 +15,7 @@ steps:
 
 - id: terraform init
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
@@ -25,7 +26,7 @@ steps:
 
 - id: terraform workspace
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
@@ -37,7 +38,7 @@ steps:
 
 - id: terraform plan
   name: 'kbst-infra-automation:bootstrap'
-  dir: tests
+  dir: tests/$_CLUSTER_PAIR
   env:
   - HOME=$_HOME
   - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
@@ -47,14 +48,15 @@ steps:
   - --input=false
   - --out=tfplan
 
-- id: terraform apply
-  name: 'kbst-infra-automation:bootstrap'
-  dir: tests
-  env:
-  - HOME=$_HOME
-  - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
-  args:
-  - terraform
-  - apply
-  - --input=false
-  - tfplan
+#- id: terraform apply
+#  name: 'kbst-infra-automation:bootstrap'
+#  dir: tests/$_CLUSTER_PAIR
+#  env:
+#  - HOME=$_HOME
+#  - TF_IN_AUTOMATION=$_TF_IN_AUTOMATION
+#  args:
+#  - terraform
+#  - apply
+#  - --input=false
+#  - tfplan
+#

common/cluster_services/locals.tf

@@ -5,10 +5,9 @@ locals {
 
   workspace_label = "${var.label_namespace}cluster_workspace"
   workspace       = var.metadata_labels[local.workspace_label]
-  build_path      = "manifests/overlays/${var.cluster_type}/${local.workspace}"
+  build_path      = "../manifests/overlays/${var.cluster_type}/${local.workspace}"
 
   output_file = "cluster_services.yaml"
 
   kubeconfig_path = "${local.cluster_dir}/kubeconfig"
 }
-

google/_modules/gke/cluster.tf

@@ -1,4 +1,6 @@
 resource "google_container_cluster" "current" {
+  provider = "google-beta"
+
   project = var.project
   name    = var.metadata_name
 
@@ -21,6 +23,10 @@ resource "google_container_cluster" "current" {
     }
   }
 
+  workload_identity_config {
+    identity_namespace = "${var.project}.svc.id.goog"
+  }
+
   network = google_compute_network.current.self_link
 
   #
@@ -54,4 +60,3 @@ resource "google_container_cluster" "current" {
     }
   }
 }
-

google/_modules/gke/node_pool/main.tf

@@ -1,4 +1,6 @@
 resource "google_container_node_pool" "current" {
+  provider = "google-beta"
+
   name     = var.pool_name
   project  = var.project
   cluster  = var.metadata_name
@@ -29,11 +31,14 @@ resource "google_container_node_pool" "current" {
     labels = var.metadata_labels
 
     tags = var.metadata_tags
+
+    workload_metadata_config {
+      node_metadata = "GKE_METADATA_SERVER"
+    }
   }
 
   management {
     auto_repair  = var.auto_repair
     auto_upgrade = var.auto_upgrade
   }
 }
-

google/_modules/gke/outputs.tf

@@ -2,4 +2,3 @@ output "ingress_zone_name_servers" {
   value       = google_dns_managed_zone.current.name_servers
   description = "Nameservers of the cluster's managed zone."
 }
-

google/_modules/gke/pipeline.tf

@@ -0,0 +1,58 @@
+locals {
+  k8s_sa_email = "${var.project}.svc.id.goog[${kubernetes_namespace.pipeline.metadata[0].name}/${kubernetes_service_account.pipeline.metadata[0].name}]"
+}
+
+resource "google_service_account" "pipeline" {
+  account_id = "${var.metadata_name}-pl"
+  project    = var.project
+}
+
+resource "google_project_iam_member" "container_admin" {
+  project = var.project
+  role    = "roles/container.admin"
+  member  = "serviceAccount:${google_service_account.pipeline.email}"
+}
+
+resource "google_project_iam_member" "editor" {
+  project = var.project
+  role    = "roles/editor"
+  member  = "serviceAccount:${google_service_account.pipeline.email}"
+}
+
+resource "google_project_iam_member" "workload_identity_user" {
+  project = var.project
+  role    = "roles/iam.workloadIdentityUser"
+  member  = "serviceAccount:${local.k8s_sa_email}"
+}
+
+resource "kubernetes_namespace" "pipeline" {
+  provider = kubernetes.gke
+
+  metadata {
+    name = "kbst-pipeline"
+  }
+
+  # namespace metadata may change through the manifests
+  # hence ignoring this for the terraform lifecycle
+  lifecycle {
+    ignore_changes = [metadata]
+  }
+
+  depends_on = [module.node_pool]
+}
+
+resource "kubernetes_service_account" "pipeline" {
+  provider = kubernetes.gke
+
+  metadata {
+    name      = "kbst-pipeline"
+    namespace = kubernetes_namespace.pipeline.metadata[0].name
+    annotations = {
+      "iam.gke.io/gcp-service-account" = google_service_account.pipeline.email
+    }
+  }
+
+  secret {
+    name = "ssh-auth"
+  }
+}

google/cluster/providers.tf

@@ -3,7 +3,11 @@ provider "external" {
 }
 
 provider "google" {
-  version = "~> 2.8"
+  version = "~> 2.9"
+}
+
+provider "google-beta" {
+  version = "~> 2.9"
 }
 
 provider "kubernetes" {
@@ -17,4 +21,3 @@ provider "null" {
 provider "template" {
   version = "~> 2.1"
 }
-

pipeline/base/cm_env.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+data:
+  TF_IN_AUTOMATION: "true"
+kind: ConfigMap
+metadata:
+  name: env

pipeline/base/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonAnnotations:
+  catalog.kubestack.com/variant: base
+  app.kubernetes.io/version: v0.1.0
+
+commonLabels:
+  app.kubernetes.io/component: tektoncd
+  app.kubernetes.io/managed-by: kubestack
+  app.kubernetes.io/name: pipeline
+
+namespace: kbst-pipeline
+
+resources:
+- namespace.yaml
+- cm_env.yaml
+- pipeline.yaml
+- task_terraform_run.yaml

pipeline/base/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kbst-pipeline

pipeline/base/pipeline.yaml

@@ -0,0 +1,23 @@
+apiVersion: tekton.dev/v1alpha1
+kind: Pipeline
+metadata:
+  name: kubestack-cd
+spec:
+  params:
+  - name: ops_or_apps
+    type: string
+    default: ops
+  resources:
+    - name: source_repo
+      type: git
+  tasks:
+  - name: terraform-run
+    taskRef:
+      name: terraform-run
+    resources:
+      inputs:
+      - name: workspace
+        resource: source_repo
+    params:
+    - name: ops_or_apps
+      value: "$(params.ops_or_apps)"

pipeline/base/task_terraform_run.yaml

@@ -0,0 +1,50 @@
+apiVersion: tekton.dev/v1alpha1
+kind: Task
+metadata:
+  name: terraform-run
+spec:
+  inputs:
+    resources:
+    - name: workspace
+      type: git
+      targetPath: infra
+    params:
+    - name: ops_or_apps
+      type: string
+      description: Use ops- or apps terraform workspace.
+  stepTemplate:
+    workingDir: /workspace/infra
+    envFrom:
+    - configMapRef:
+        name: env
+  steps:
+  - name: init
+    image: kubestack/cd:dev-1
+    command:
+    - terraform
+    args:
+    - init
+  - name: workspace
+    image: kubestack/cd:dev-1
+    command:
+    - terraform
+    args:
+    - workspace
+    - select
+    - "$(inputs.params.ops_or_apps)"
+  - name: plan
+    image: kubestack/cd:dev-1
+    command:
+    - terraform
+    args:
+    - plan
+    - --input=false
+    - --out=tfplan
+  - name: apply
+    image: kubestack/cd:dev-1
+    command:
+    - terraform
+    args:
+    - apply
+    - --input=false
+    - tfplan

quickstart/src/ci-cd/Dockerfile

@@ -15,7 +15,7 @@ RUN mkdir -p /opt/bin
 # Default versions
 ARG KUBECTL_VERSION=v1.14.0
 ARG KUSTOMIZE_VERSION=2.0.3
-ARG TERRAFORM_VERSION=0.12.2
+ARG TERRAFORM_VERSION=0.12.6
 ARG AWS_IAM_AUTHENTICATOR_VERSION=0.3.0
 ARG GOOGLE_CLOUD_SDK_VERSION=239.0.0
 ARG AZURE_CLI_VERSION=2.0.63

quickstart/src/manifests/bases/pipeline

@@ -0,0 +1 @@
+../../../../pipeline

quickstart/src/manifests/bases/tektoncd/base/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonAnnotations:
+  app.kubernetes.io/version: v0.6.0
+  catalog.kubestack.com/heritage: kubestack.com/catalog/tektoncd
+  catalog.kubestack.com/variant: base
+commonLabels:
+  app.kubernetes.io/component: controller
+  app.kubernetes.io/managed-by: kubestack
+  app.kubernetes.io/name: tektoncd
+resources:
+- release.yaml