Skip to content

Commit

Permalink
doc: Update documentation related to secrets (#217)
Browse files Browse the repository at this point in the history
  • Loading branch information
mglotov authored Nov 19, 2021
1 parent ac2b6b7 commit a8ea83a
Show file tree
Hide file tree
Showing 6 changed files with 89 additions and 50 deletions.
5 changes: 4 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ You can find more about this project in Anton Babenko stream:

## FAQ: Frequently Asked Questions

[FAQ](docs/FAQ.md): Frequently Asked Questions
[FAQ](docs/FAQ.md): Frequently Asked Questions and **HOW TO**

## Architecture diagram

Expand Down Expand Up @@ -444,6 +444,9 @@ This boiler installs all basic and necessary components. However, we also provid
* layer1-aws: search `***_enable` variables and set them to **true**
* layer2-k8s: check `helm-releases.yaml` file and set **enabled: true** or **enabled:false** for components that you want to **deploy** or to **unistall**
Notes:
* [Gitlab-runner](docs/FAQ.md#gitlab-runner)
## TFSEC
[TFSEC](docs/TFSEC.md): Notes related to tfsec ignores
Expand Down
39 changes: 36 additions & 3 deletions docs/FAQ.md
Original file line number Diff line number Diff line change
Expand Up @@ -155,7 +155,12 @@ module "test_namespace" {
}
```

## How to add more restrictions for Gitlab-Runner
## Gitlab-runner
Gitlab-runner installation requieres `registration token`.
* How to generate token see [here](https://docs.gitlab.com/runner/register/#requirements).
* Set `gitlab_runner_registration_token` variable in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.

### How to add more restrictions for Gitlab-Runner
By default Gitlab-Runner can deploy into any namespaces. If you want to allow Gitlab-Runner to deploy only into specific namespaces, then do these:
* Create new Service Account:
```
Expand Down Expand Up @@ -220,5 +225,33 @@ By default we install Grafana without integrating it with GitHub or Gitlab and u
* See [this instruction](https://grafana.com/docs/grafana/latest/auth/gitlab/#gitlab-oauth2-authentication) and generate necessary tokens.
* Set `grafana_gitlab_client_id`, `grafana_gitlab_client_secret`, `grafana_gitlab_group` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.
3. **GitHub**:
* See [this instruction](https://grafana.com/docs/grafana/latest/auth/github/#github-oauth2-authentication)
* Set `grafana_github_client_id`, `grafana_github_client_secret`, `grafana_github_team_ids`, `grafana_github_allowed_organizations` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.
* See [this instruction](https://grafana.com/docs/grafana/latest/auth/github/#github-oauth2-authentication) and generate necessary tokens.
* Set `grafana_github_client_id`, `grafana_github_client_secret`, `grafana_github_team_ids`, `grafana_github_allowed_organizations` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.

## Alertmanager
Alertmanager is disabled in default installation. If you want to enable it, then do next:
1. Open file layer2-k8s/eks-kube-prometheus-stack.tf and change :
```yaml
locals {
....
kube_prometheus_stack_alertmanager_values = <<VALUES
# Alertmanager parameters
alertmanager:
enabled: false
....
}

to

locals {
....
kube_prometheus_stack_alertmanager_values = <<VALUES
# Alertmanager parameters
alertmanager:
enabled: true
....
}
```
### If you want to receive alerts **via Slack**, then do next:
* See [this instruction](https://slack.com/help/articles/115005265063-Incoming-webhooks-for-Slack) and generate Slack Incoming Webhook
* Set `alertmanager_slack_webhook`, `alertmanager_slack_channel` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.
34 changes: 11 additions & 23 deletions terraform/layer2-k8s/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,6 @@
| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.4.1 |
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.6.1 |
| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |
| <a name="provider_template"></a> [template](#provider\_template) | 2.2.0 |
| <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
| <a name="provider_time"></a> [time](#provider\_time) | 0.7.2 |

Expand Down Expand Up @@ -139,38 +138,27 @@
| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/eks_cluster_auth) | data source |
| [aws_secretsmanager_secret.infra](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/secretsmanager_secret) | data source |
| [aws_secretsmanager_secret_version.infra](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/secretsmanager_secret_version) | data source |
| [template_file.cert_manager](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
| [template_file.certificate](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
| [template_file.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
| [template_file.cluster_issuer](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
| [template_file.elk](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
| [template_file.external_dns](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
| [template_file.external_secrets](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
| [template_file.ingress_nginx](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
| [terraform_remote_state.layer1-aws](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |

## Inputs

| Name | Description | Type | Default | Required |
| ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | ----------- | -------------- | :------: |
| <a name="input_additional_allowed_ips"></a> [additional\_allowed\_ips](#input\_additional\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no |
| <a name="input_allowed_account_ids"></a> [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no |
| <a name="input_aws_loadbalancer_controller_enable"></a> [aws\_loadbalancer\_controller\_enable](#input\_aws\_loadbalancer\_controller\_enable) | Disable or Enable aws-loadbalancer-controller. You need to enable it if you want to use Fargate | `bool` | `false` | no |
| <a name="input_cluster_autoscaler_version"></a> [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version) | Version of cluster autoscaler | `string` | `"v1.21.0"` | no |
| <a name="input_elk_index_retention_days"></a> [elk\_index\_retention\_days](#input\_elk\_index\_retention\_days) | Days before remove index from system elasticsearch | `number` | `14` | no |
| <a name="input_elk_snapshot_retention_days"></a> [elk\_snapshot\_retention\_days](#input\_elk\_snapshot\_retention\_days) | Days to capture index in snapshot | `number` | `90` | no |
| <a name="input_helm_release_history_size"></a> [helm\_release\_history\_size](#input\_helm\_release\_history\_size) | How much helm releases to store | `number` | `5` | no |
| <a name="input_nginx_ingress_ssl_terminator"></a> [nginx\_ingress\_ssl\_terminator](#input\_nginx\_ingress\_ssl\_terminator) | Select SSL termination type | `string` | `"lb"` | no |
| <a name="input_region"></a> [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no |
| <a name="input_remote_state_bucket"></a> [remote\_state\_bucket](#input\_remote\_state\_bucket) | Name of the bucket for terraform state | `string` | n/a | yes |
| <a name="input_remote_state_key"></a> [remote\_state\_key](#input\_remote\_state\_key) | Key of the remote state for terraform\_remote\_state | `string` | `"layer1-aws"` | no |
| Name | Description | Type | Default | Required |
| ---------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | ----------- | -------------- | :------: |
| <a name="input_additional_allowed_ips"></a> [additional\_allowed\_ips](#input\_additional\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no |
| <a name="input_allowed_account_ids"></a> [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no |
| <a name="input_cluster_autoscaler_version"></a> [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version) | Version of cluster autoscaler | `string` | `"v1.21.0"` | no |
| <a name="input_helm_release_history_size"></a> [helm\_release\_history\_size](#input\_helm\_release\_history\_size) | How much helm releases to store | `number` | `5` | no |
| <a name="input_nginx_ingress_ssl_terminator"></a> [nginx\_ingress\_ssl\_terminator](#input\_nginx\_ingress\_ssl\_terminator) | Select SSL termination type | `string` | `"lb"` | no |
| <a name="input_region"></a> [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no |
| <a name="input_remote_state_bucket"></a> [remote\_state\_bucket](#input\_remote\_state\_bucket) | Name of the bucket for terraform state | `string` | n/a | yes |
| <a name="input_remote_state_key"></a> [remote\_state\_key](#input\_remote\_state\_key) | Key of the remote state for terraform\_remote\_state | `string` | `"layer1-aws"` | no |

## Outputs

| Name | Description |
| ----------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- |
| <a name="output_alertmanager_domain_name"></a> [alertmanager\_domain\_name](#output\_alertmanager\_domain\_name) | Alertmanager ui address |
| <a name="output_apm_domain_name"></a> [apm\_domain\_name](#output\_apm\_domain\_name) | n/a |
| <a name="output_apm_domain_name"></a> [apm\_domain\_name](#output\_apm\_domain\_name) | APM domain name |
| <a name="output_elastic_stack_bucket_name"></a> [elastic\_stack\_bucket\_name](#output\_elastic\_stack\_bucket\_name) | Name of the bucket for ELKS snapshots |
| <a name="output_elasticsearch_elastic_password"></a> [elasticsearch\_elastic\_password](#output\_elasticsearch\_elastic\_password) | Password of the superuser 'elastic' |
| <a name="output_get_grafana_admin_password"></a> [get\_grafana\_admin\_password](#output\_get\_grafana\_admin\_password) | Command which gets admin password from kubernetes secret |
Expand Down
9 changes: 0 additions & 9 deletions terraform/layer2-k8s/aws-sm-secrets.tf
Original file line number Diff line number Diff line change
@@ -1,12 +1,3 @@
locals {
kibana_gitlab_client_id = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "kibana_gitlab_client_id", "mock_value")
kibana_gitlab_client_secret = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "kibana_gitlab_client_secret", "mock_value")
kibana_gitlab_group = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "kibana_gitlab_group", "mock_value")
gitlab_registration_token = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "gitlab_registration_token", "mock_value")
alertmanager_slack_url = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "alertmanager_slack_url", "mock_value")
alertmanager_slack_channel = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "alertmanager_slack_channel", "mock_value")
}

data "aws_secretsmanager_secret" "infra" {
name = "/${local.name_wo_region}/infra/layer2-k8s"
}
Expand Down
5 changes: 3 additions & 2 deletions terraform/layer2-k8s/eks-gitlab-runner.tf
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,10 @@ locals {
chart_version = local.helm_releases[index(local.helm_releases.*.id, "gitlab-runner")].chart_version
namespace = local.helm_releases[index(local.helm_releases.*.id, "gitlab-runner")].namespace
}
gitlab_runner_values = <<VALUES
gitlab_runner_registration_token = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "gitlab_runner_registration_token", "")
gitlab_runner_values = <<VALUES
gitlabUrl: "https://gitlab.com/"
runnerRegistrationToken: "${local.gitlab_registration_token}"
runnerRegistrationToken: "${local.gitlab_runner_registration_token}"
concurrent: 4
checkInterval: 30
Expand Down
47 changes: 35 additions & 12 deletions terraform/layer2-k8s/eks-kube-prometheus-stack.tf
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ locals {
grafana_github_client_secret = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_client_secret", "")
grafana_github_team_ids = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_team_ids", "")
grafana_github_allowed_organizations = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_allowed_organizations", "")
alertmanager_slack_webhook = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "alertmanager_slack_webhook", "")
alertmanager_slack_channel = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "alertmanager_slack_channel", "")
grafana_domain_name = "grafana-${local.domain_suffix}"
prometheus_domain_name = "prometheus-${local.domain_suffix}"
alertmanager_domain_name = "alertmanager-${local.domain_suffix}"
Expand Down Expand Up @@ -221,16 +223,46 @@ alertmanager:
resources:
requests:
storage: 10Gi
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
config:
global:
resolve_timeout: 5m
slack_api_url: ${local.alertmanager_slack_url}
route:
group_by: ['job']
group_wait: 30s
group_interval: 5m
repeat_interval: 12h
receiver: 'null'
routes:
- match:
alertname: Watchdog
receiver: 'null'
receivers:
- name: 'null'
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: eks.amazonaws.com/capacityType
operator: In
values:
- ON_DEMAND
VALUES
kube_prometheus_stack_alertmanager_slack_values = <<VALUES
# Alertmanager parameters
alertmanager:
config:
global:
slack_api_url: ${local.alertmanager_slack_webhook}
route:
routes:
- match:
alertname: Watchdog
Expand All @@ -257,16 +289,6 @@ alertmanager:
{{ end }}
{{ end }}
icon_emoji: '{{ template "slack.default.iconemoji" . }}'
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: eks.amazonaws.com/capacityType
operator: In
values:
- ON_DEMAND
VALUES
}

Expand Down Expand Up @@ -422,7 +444,8 @@ resource "helm_release" "prometheus_operator" {
local.kube_prometheus_stack_grafana_values,
local.grafana_oauth_type == "gitlab" ? local.kube_prometheus_stack_grafana_gitlab_oauth_values : null,
local.grafana_oauth_type == "github" ? local.kube_prometheus_stack_grafana_github_oauth_values : null,
local.kube_prometheus_stack_alertmanager_values
local.kube_prometheus_stack_alertmanager_values,
local.alertmanager_slack_webhook != "" ? local.kube_prometheus_stack_alertmanager_slack_values : null
])

}
Expand Down

0 comments on commit a8ea83a

Please sign in to comment.