From 7f2452bb027cdad324b240a986664f0eacc97924 Mon Sep 17 00:00:00 2001
From: Dmitry Dunaev
Date: Thu, 27 May 2021 17:20:47 +0300
Subject: [PATCH] [TOOLS-133] Add: influxdb in main Helmfile with secrets
---
 .gitignore | 4 ++
 helmfile/cloud-sdk/README.md | 58 ++++++++++++++++++++++++
 helmfile/cloud-sdk/helmfile.yaml | 45 ++++++++++++++++++
 helmfile/cloud-sdk/secrets/.sops.yaml | 2 +
 helmfile/cloud-sdk/secrets/influxdb.yaml | 19 ++++++++
 5 files changed, 128 insertions(+)
 create mode 100644 helmfile/cloud-sdk/README.md
 create mode 100644 helmfile/cloud-sdk/secrets/.sops.yaml
 create mode 100644 helmfile/cloud-sdk/secrets/influxdb.yaml
diff --git a/.gitignore b/.gitignore
index dc02ce5..ef0b6d4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,3 +42,7 @@ tip-wlan
 id_rsa*
 *.pem
 .envrc
+*swp
+
+# Ignore Helm secrets decrypted files
+*.dec
diff --git a/helmfile/cloud-sdk/README.md b/helmfile/cloud-sdk/README.md
new file mode 100644
index 0000000..5ef19e4
--- /dev/null
+++ b/helmfile/cloud-sdk/README.md
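Review bot: `+*swp` ignores any path whose name merely ends in the letters swp, not only editor swap files; `*.swp` is the intended pattern and still matches hidden `.name.swp` files. The `*.dec` entry is a useful safety net for `helm secrets dec` output, but it only catches that exact suffix, so the README's workflow of writing a new secret in plaintext before running `helm secrets enc` remains the step where an unencrypted file can be committed; a comment next to the pattern, e.g. `# plaintext files written before 'helm secrets enc' are not covered`, makes that limit explicit.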
@@ -0,0 +1,58 @@
+# Helmfile
+
+This directory contains all things required for TIP EKS infrastructure setup. It uses [Helmfile](https://github.com/roboll/helmfile) for one-command installation
+
+## Requirements
+
+Following tools are required to be installed on your local machine to fully utilize this Helmfile:
+
+1. [Helmfile](https://github.com/roboll/helmfile)
+2. [Helm 3](https://helm.sh/docs/intro/install/)
+3. [Helm diff](https://github.com/databus23/helm-diff) - used during deployments by default for a better changes transparency
+4. [Helm secrets](https://github.com/jkroepke/helm-secrets)
+5. [sops](https://github.com/mozilla/sops)
+
+### Helm secrets
+
+**Helm secrets** is a tool that may be used to store secrets in Git repository in ecrypted form. **sops** is a tool that Helm secrets uses for encryption/decryption operations.
+
+Currently all secrets are stored in [secrets](./secrets) directory, where you can find all encrypted files and `.sops.yaml` file that defines that all new secrets should be encrypted with AWS KMS key.
+
+To work with secret, you need to have your AWS credentials set with administrator role in wifi account, then you would be able to make operations with files (for example to edit secret use `helm secrets edit $SECRET_FILE`).
+
+If you need to encrypt new file, you simply need to write it in plaintext, then run `helm secrets enc $PLAINTEXT_SECRET_FILE` - helm secrets will automatically use encryption key defined in `.sops.yaml`
+
+You can use secrets in Helmfile the same way as values:
+
+1. Add secrets in environment
+2. Use `{{ .Environment.Values... }}` where you need it in releases definition
+
+For example, if we have secret `secrets/example.yaml`
+
+```
+example:
+ secretKey: "topSecret"
+```
+
+usage of it will look like this:
+
+```
+environments:
+ example:
+ secrets:
+ - secrets/example.yaml
+
+releases:
+- name: example
+ values:
+ - secretKey: {{ .Environment.Values.example.secretKey }}
+```
+
+## Usage
+
+1. Set credentials that are required to connect to Kubernetes cluster
+2. (optional) If you are going to use environment with secrets, make sure that you also have credentials required for access to AWS KMS key
+3. Run `helmfile --environment $ENVIRONMENT diff` to see changes that would be applied
+4. If everything is correct, run `helmfile --environment $ENVIRONMENT apply` to see changes that would be applied
+
+If you would like to limit releasae that you would like to affect, you may use labels. For example, if you want to see changes that would be done only to **influxdb** release in **amazon-cicd** environment, you may run `helmfile --environment amazon-cicd --selector app=influxdb diff`
diff --git a/helmfile/cloud-sdk/helmfile.yaml b/helmfile/cloud-sdk/helmfile.yaml
index 0fe239f..ede6125 100644
--- a/helmfile/cloud-sdk/helmfile.yaml
+++ b/helmfile/cloud-sdk/helmfile.yaml
@@ -13,6 +13,8 @@ repositories:
 url: https://kubernetes.github.io/dashboard/
 - name: bitnami
 url: https://charts.bitnami.com/bitnami
+- name: influxdata
+ url: https://helm.influxdata.com
 
 environments:
 azure:
@@ -35,6 +37,8 @@ environments:
 enabled: true
 
 amazon-cicd:
+ secrets:
+ - secrets/influxdb.yaml
 values:
 - eks:
 clusterName: tip-wlan-main
@@ -69,6 +73,8 @@ environments:
 enabled: true
 - node-termination-handler:
 enabled: true
+- influxdb:
+ enabled: true
 
 helmDefaults:
 force: false
@@ -538,3 +544,42 @@ releases:
 values:
 - deleteLocalData: true
 - podTerminationGracePeriod: -1 # use values defined in Pod
+
+- name: influxdb
+ namespace: test-bss
+ chart: influxdata/influxdb2
+ version: 2.0.1
+ condition: influxdb.enabled
+ labels:
+ role: setup
+ group: load-testing
+ app: influxdb
+ task: tools-133
+ values:
+ - image:
+ tag: 2.0.6-alpine
+ - adminUser:
+ organization: tip
+ bucket: tip-cicd
+ user: tip
+ password: {{ .Environment.Values.influxdb.adminUser.password }}
+ token: {{ .Environment.Values.influxdb.adminUser.token }}
+ retention_policy: "0s"
+ - persistence:
+ storageClass: gp2
+ size: 10Gi
+ - service:
+ type: NodePort
+ - ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: alb
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/group.name: test-bss-load-testing
+ alb.ingress.kubernetes.io/certificate-arn: {{ .Environment.Values.eks.certificateARN }}
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ external-dns.alpha.kubernetes.io/hostname: influx.cicd.{{ .Environment.Values.domain }}
+ hostname: influx.cicd.{{ .Environment.Values.domain }}
+ path: "/*"
diff --git a/helmfile/cloud-sdk/secrets/.sops.yaml b/helmfile/cloud-sdk/secrets/.sops.yaml
new file mode 100644
index 0000000..fcaa26c
--- /dev/null
+++ b/helmfile/cloud-sdk/secrets/.sops.yaml
@@ -0,0 +1,2 @@
+creation_rules:
+- kms: 'arn:aws:kms:us-east-2:289708231103:alias/helm-secrets'
diff --git a/helmfile/cloud-sdk/secrets/influxdb.yaml b/helmfile/cloud-sdk/secrets/influxdb.yaml
new file mode 100644
index 0000000..7dbaa2f
--- /dev/null
+++ b/helmfile/cloud-sdk/secrets/influxdb.yaml
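Review bot: In the influxdb release, `password:`, `token:` and `alb.ingress.kubernetes.io/certificate-arn:` splice the environment values in as bare template output, so a secret that contains `: ` or ` #`, starts with `*`, `&` or `{`, or happens to look like a number or boolean either breaks the rendered YAML or reaches the chart retyped; pipe them through `quote`, e.g. `password: {{ .Environment.Values.influxdb.adminUser.password | quote }}` and `token: {{ .Environment.Values.influxdb.adminUser.token | quote }}`. Because these values come from `secrets/influxdb.yaml`, the `helmfile diff` run the README recommends prints the admin password and token in clear unless it is invoked with `--suppress-secrets`, which is worth stating in a comment above `- adminUser:` so CI logs do not capture them. The `actions.ssl-redirect` annotation only declares an action; whether the chart's Ingress template actually routes `/*` through it before the backend is not visible here, so the `internet-facing` listener on port 80 may serve the InfluxDB API over plain HTTP — confirm against the rendered Ingress. The `releases:` list this entry belongs to begins above the hunk.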
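Review bot: The single creation rule carries no `path_regex`, so it applies to every file sops creates under `secrets/`, and it names the key by alias rather than key id, so re-pointing `alias/helm-secrets` changes which key new files are encrypted with while existing files remain encrypted to the old key; a comment stating this is worth adding, e.g. `# applies to every file in this directory; encryption goes through whichever key is currently behind alias/helm-secrets`. Who can decrypt these files is governed by that key's policy, and sops needs only `kms:Encrypt` and `kms:Decrypt` on it, so a dedicated role with those two permissions is a tighter fit than the administrator role the README asks for.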
@@ -0,0 +1,19 @@
+influxdb:
+ adminUser:
+ password: ENC[AES256_GCM,data:uuKbZnTC7BD45Nca8sPNn70C2+Y07zNT1NsVSlH0,iv:25HaI8Ch4u4q7DYGJzQ3tCx7wie1bOCnG1To19SK4K4=,tag:/QlNSyIOmNbNIGgnNMsVNg==,type:str]
+ token: ENC[AES256_GCM,data:i5Rr2mMWLvP9PVccXFqRGLWlEevrK/jmq8m4tOt2o8o=,iv:T82J7hduw08/VPp0EzRgPX/7++JvqdUJ5vWvJUt/y+E=,tag:b+YVnS1uLYNmT8c+Dlrlkw==,type:str]
+sops:
+ kms:
+ - arn: arn:aws:kms:us-east-2:289708231103:alias/helm-secrets
+ created_at: "2021-05-27T13:52:29Z"
+ enc: AQICAHiG/4CitJjM31GdYxTw9OLz/Zs5oK+DCq0cU2fAjtAA3AEj78TGeiGCq11D91ptibJyAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMZmMl+aeSkQmID4mJAgEQgDvL9rRW2+MWDpvbOX7tsD5PGuJb9g+vWpkYiV4nPK9AkLN2/qPxfz9jGLOmaaCNnW08dkaL2lrt469mRQ==
+ aws_profile: ""
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2021-05-27T13:52:30Z"
+ mac: ENC[AES256_GCM,data:ooavBXhcrj8uwSxp8W9YbirO4PWJq7PROhsPSSfG6fBo+S7oPPZ3F7eM/o1wjONJF2jrbe+grQ5uZeS2ousAImE977VYG5CIfL1zidPINAXJqPP1cUDVD0a6OqLRssNIAL5NFdhcyW6ysiyg6xb6dlJCsZc+iJeoWu34Cbz5mkw=,iv:a0tbTrKt9xS5o1eWlXq/+wY01obtth9YpF/3ML7qGjE=,tag:UWYveV1lUDpYqvB8phpQ9g==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.0