[TOOLS-133] Add: influxdb in main Helmfile with secrets

2025-10-28 17:42:24 +00:00 · 2021-05-27 17:20:47 +03:00
parent c838b75d42
commit 7f2452bb02
5 changed files with 128 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -42,3 +42,7 @@ tip-wlan
 id_rsa*
 *.pem
 .envrc
+*swp
+
+# Ignore Helm secrets decrypted files
+*.dec
--- a/helmfile/cloud-sdk/README.md
+++ b/helmfile/cloud-sdk/README.md
@@ -0,0 +1,58 @@
+# Helmfile
+
+This directory contains all things required for TIP EKS infrastructure setup. It uses [Helmfile](https://github.com/roboll/helmfile) for one-command installation
+
+## Requirements
+
+Following tools are required to be installed on your local machine to fully utilize this Helmfile:
+
+1. [Helmfile](https://github.com/roboll/helmfile)
+2. [Helm 3](https://helm.sh/docs/intro/install/)
+3. [Helm diff](https://github.com/databus23/helm-diff) - used during deployments by default for a better changes transparency
+4. [Helm secrets](https://github.com/jkroepke/helm-secrets)
+5. [sops](https://github.com/mozilla/sops)
+
+### Helm secrets
+
+**Helm secrets** is a tool that may be used to store secrets in Git repository in ecrypted form. **sops** is a tool that Helm secrets uses for encryption/decryption operations.
+
+Currently all secrets are stored in [secrets](./secrets) directory, where you can find all encrypted files and `.sops.yaml` file that defines that all new secrets should be encrypted with AWS KMS key.
+
+To work with secret, you need to have your AWS credentials set with administrator role in wifi account, then you would be able to make operations with files (for example to edit secret use `helm secrets edit $SECRET_FILE`).
+
+If you need to encrypt new file, you simply need to write it in plaintext, then run `helm secrets enc $PLAINTEXT_SECRET_FILE` - helm secrets will automatically use encryption key defined in `.sops.yaml`
+
+You can use secrets in Helmfile the same way as values:
+
+1. Add secrets in environment
+2. Use `{{ .Environment.Values... }}` where you need it in releases definition
+
+For example, if we have secret `secrets/example.yaml`
+
+```
+example:
+  secretKey: "topSecret"
+```
+
+usage of it will look like this:
+
+```
+environments:
+  example:
+    secrets:
+      - secrets/example.yaml
+
+releases:
+- name: example
+  values:
+  - secretKey: {{ .Environment.Values.example.secretKey }}
+```
+
+## Usage
+
+1. Set credentials that are required to connect to Kubernetes cluster
+2. (optional) If you are going to use environment with secrets, make sure that you also have credentials required for access to AWS KMS key
+3. Run `helmfile --environment $ENVIRONMENT diff` to see changes that would be applied
+4. If everything is correct, run `helmfile --environment $ENVIRONMENT apply` to see changes that would be applied
+
+If you would like to limit releasae that you would like to affect, you may use labels. For example, if you want to see changes that would be done only to **influxdb** release in **amazon-cicd** environment, you may run `helmfile --environment amazon-cicd --selector app=influxdb diff`
--- a/helmfile/cloud-sdk/helmfile.yaml
+++ b/helmfile/cloud-sdk/helmfile.yaml
@@ -13,6 +13,8 @@ repositories:
  url: https://kubernetes.github.io/dashboard/
 - name: bitnami
  url: https://charts.bitnami.com/bitnami
+- name: influxdata
+  url: https://helm.influxdata.com

 environments:
  azure:
@@ -35,6 +37,8 @@ environments:
        enabled: true

  amazon-cicd:
+    secrets:
+      - secrets/influxdb.yaml
    values:
    - eks:
        clusterName: tip-wlan-main
@@ -69,6 +73,8 @@ environments:
        enabled: true
    - node-termination-handler:
        enabled: true
+    - influxdb:
+        enabled: true

 helmDefaults:
  force: false
@@ -538,3 +544,42 @@ releases:
  values:
    - deleteLocalData: true
    - podTerminationGracePeriod: -1 # use values defined in Pod
+
+- name: influxdb
+  namespace: test-bss
+  chart: influxdata/influxdb2
+  version: 2.0.1
+  condition: influxdb.enabled
+  labels:
+    role: setup
+    group: load-testing
+    app: influxdb
+    task: tools-133
+  values:
+    - image:
+        tag: 2.0.6-alpine
+    - adminUser:
+        organization: tip
+        bucket: tip-cicd
+        user: tip
+        password: {{ .Environment.Values.influxdb.adminUser.password }}
+        token: {{ .Environment.Values.influxdb.adminUser.token }}
+        retention_policy: "0s"
+    - persistence:
+        storageClass: gp2
+        size: 10Gi
+    - service:
+        type: NodePort
+    - ingress:
+        enabled: true
+        annotations:
+          kubernetes.io/ingress.class: alb
+          alb.ingress.kubernetes.io/scheme: internet-facing
+          alb.ingress.kubernetes.io/group.name: test-bss-load-testing
+          alb.ingress.kubernetes.io/certificate-arn: {{ .Environment.Values.eks.certificateARN }}
+          alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+          alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
+          alb.ingress.kubernetes.io/healthcheck-path: /health
+          external-dns.alpha.kubernetes.io/hostname: influx.cicd.{{ .Environment.Values.domain }}
+        hostname: influx.cicd.{{ .Environment.Values.domain }}
+        path: "/*"
--- a/helmfile/cloud-sdk/secrets/.sops.yaml
+++ b/helmfile/cloud-sdk/secrets/.sops.yaml
@@ -0,0 +1,2 @@
+creation_rules:
+- kms: 'arn:aws:kms:us-east-2:289708231103:alias/helm-secrets'
--- a/helmfile/cloud-sdk/secrets/influxdb.yaml
+++ b/helmfile/cloud-sdk/secrets/influxdb.yaml
@@ -0,0 +1,19 @@
+influxdb:
+    adminUser:
+        password: ENC[AES256_GCM,data:uuKbZnTC7BD45Nca8sPNn70C2+Y07zNT1NsVSlH0,iv:25HaI8Ch4u4q7DYGJzQ3tCx7wie1bOCnG1To19SK4K4=,tag:/QlNSyIOmNbNIGgnNMsVNg==,type:str]
+        token: ENC[AES256_GCM,data:i5Rr2mMWLvP9PVccXFqRGLWlEevrK/jmq8m4tOt2o8o=,iv:T82J7hduw08/VPp0EzRgPX/7++JvqdUJ5vWvJUt/y+E=,tag:b+YVnS1uLYNmT8c+Dlrlkw==,type:str]
+sops:
+    kms:
+        - arn: arn:aws:kms:us-east-2:289708231103:alias/helm-secrets
+          created_at: "2021-05-27T13:52:29Z"
+          enc: AQICAHiG/4CitJjM31GdYxTw9OLz/Zs5oK+DCq0cU2fAjtAA3AEj78TGeiGCq11D91ptibJyAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMZmMl+aeSkQmID4mJAgEQgDvL9rRW2+MWDpvbOX7tsD5PGuJb9g+vWpkYiV4nPK9AkLN2/qPxfz9jGLOmaaCNnW08dkaL2lrt469mRQ==
+          aws_profile: ""
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-05-27T13:52:30Z"
+    mac: ENC[AES256_GCM,data:ooavBXhcrj8uwSxp8W9YbirO4PWJq7PROhsPSSfG6fBo+S7oPPZ3F7eM/o1wjONJF2jrbe+grQ5uZeS2ousAImE977VYG5CIfL1zidPINAXJqPP1cUDVD0a6OqLRssNIAL5NFdhcyW6ysiyg6xb6dlJCsZc+iJeoWu34Cbz5mkw=,iv:a0tbTrKt9xS5o1eWlXq/+wY01obtth9YpF/3ML7qGjE=,tag:UWYveV1lUDpYqvB8phpQ9g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.0