feat: add privatek8s cluster (#214)

* feat: add privatek8s cluster * fix tfsec errors * add dns zone, record and public IP * fix A record and default node pool tags * add automatic kubernetes patch versions upgrades * custom node resource group name, applied to the public IP address * fix availability zones * use default node resource group name * dual stack comment * AAD RBAC managed true * role assignment * fix 'PublicIPAndLBSkuDoNotMatch' error when deploying public-nginx-ingress * LGTM * comment out api_server_authorized_ip_ranges * fix missing var. and data subscription * Ignore tfsec error
4 months ago · 2e2437e283
parent 651994b369
commit 2e2437e283
6 changed files with 143 additions and 1 deletions
--- a/dns.tf
+++ b/dns.tf
@ -0,0 +1,7 @@
+data "azurerm_resource_group" "proddns_jenkinsio" {
+  name = "proddns_jenkinsio"
+}
+
+data "azurerm_dns_zone" "jenkinsio" {
+  name = "jenkins.io"
+}
--- a/locals.tf
+++ b/locals.tf
@ -33,4 +33,9 @@ locals {
      }
    }
  }
+
+  default_tags = {
+    scope      = "terraform-managed"
+    repository = "jenkins-infra/azure"
+  }
 }
--- a/privatek8s.tf
+++ b/privatek8s.tf
@ -0,0 +1,122 @@
+data "azurerm_subscription" "jenkins" {
+}
+
+resource "azurerm_resource_group" "privatek8s" {
+  name     = "privatek8s"
+  location = var.location
+  tags     = local.default_tags
+}
+
+resource "random_pet" "suffix_privatek8s" {
+  # You want to taint this resource in order to get a new pet
+}
+
+resource "azurerm_subnet" "privatek8s_tier" {
+  name                 = "privatek8s-tier"
+  resource_group_name  = data.azurerm_resource_group.private_prod.name
+  virtual_network_name = data.azurerm_virtual_network.private_prod.name
+  address_prefixes     = ["10.242.0.0/16"]
+}
+
+#tfsec:ignore:azure-container-logging #tfsec:ignore:azure-container-limit-authorized-ips
+resource "azurerm_kubernetes_cluster" "privatek8s" {
+  name                              = "privatek8s-${random_pet.suffix_privatek8s.id}"
+  location                          = azurerm_resource_group.privatek8s.location
+  resource_group_name               = azurerm_resource_group.privatek8s.name
+  kubernetes_version                = var.kubernetes_version
+  dns_prefix                        = "privatek8s-${random_pet.suffix_privatek8s.id}"
+  role_based_access_control_enabled = true # default value, added to please tfsec
+  # api_server_authorized_ip_ranges   = ["176.185.227.180/32"] # TODO: set correct value
+
+  network_profile {
+    network_plugin = "azure"
+    network_policy = "azure"
+    ## https://learn.microsoft.com/en-gb/azure/aks/configure-kubenet-dual-stack
+    # ip_versions = ["IPv4", "IPv6"]
+  }
+
+  default_node_pool {
+    name           = "systempool"
+    vm_size        = "Standard_D2as_v4"
+    node_count     = 1
+    vnet_subnet_id = azurerm_subnet.privatek8s_tier.id
+    tags           = local.default_tags
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  tags = local.default_tags
+}
+
+resource "azurerm_kubernetes_cluster_node_pool" "linuxpool" {
+  name                  = "linuxpool"
+  vm_size               = "Standard_D4s_v3"
+  kubernetes_cluster_id = azurerm_kubernetes_cluster.privatek8s.id
+  enable_auto_scaling   = true
+  min_count             = 0
+  max_count             = 3
+  zones                 = [1, 2, 3]
+  vnet_subnet_id        = azurerm_subnet.privatek8s_tier.id
+  tags                  = local.default_tags
+}
+
+resource "azurerm_kubernetes_cluster_node_pool" "infracipool" {
+  name                  = "infracipool"
+  vm_size               = "Standard_D4s_v3"
+  kubernetes_cluster_id = azurerm_kubernetes_cluster.privatek8s.id
+  enable_auto_scaling   = true
+  min_count             = 0
+  max_count             = 2
+  zones                 = [1, 2, 3]
+  vnet_subnet_id        = azurerm_subnet.privatek8s_tier.id
+
+  # Spot instances
+  priority        = "Spot"
+  eviction_policy = "Delete"
+  spot_max_price  = "-1" # in $, -1 = On demand pricing
+  # Note: label and taint added automatically when in "Spot" priority, putting it here to explicit them
+  node_labels = {
+    "kubernetes.azure.com/scalesetpriority" = "spot"
+  }
+  node_taints = [
+    "kubernetes.azure.com/scalesetpriority=spot:NoSchedule"
+  ]
+
+  tags = local.default_tags
+}
+
+resource "azurerm_public_ip" "public_privatek8s" {
+  name                = "public-privatek8s"
+  resource_group_name = azurerm_kubernetes_cluster.privatek8s.node_resource_group
+  location            = var.location
+  allocation_method   = "Static"
+  sku                 = "Standard" # Needed to fix the error "PublicIPAndLBSkuDoNotMatch"
+  tags                = local.default_tags
+}
+
+resource "azurerm_dns_a_record" "public_privatek8s" {
+  name                = "public.privatek8s"
+  zone_name           = data.azurerm_dns_zone.jenkinsio.name
+  resource_group_name = data.azurerm_resource_group.proddns_jenkinsio.name
+  ttl                 = 300
+  records             = [azurerm_public_ip.public_privatek8s.ip_address]
+  tags                = local.default_tags
+}
+
+resource "azurerm_role_assignment" "privatek8s_networkcontributor" {
+  scope                            = "${data.azurerm_subscription.jenkins.id}/resourceGroups/${data.azurerm_resource_group.private_prod.name}/providers/Microsoft.Network/virtualNetworks/${data.azurerm_virtual_network.private_prod.name}/subnets/${azurerm_subnet.privatek8s_tier.name}" # azurerm_subnet.privatek8s_tier.name
+  role_definition_name             = "Network Contributor"
+  principal_id                     = azurerm_kubernetes_cluster.privatek8s.identity[0].principal_id
+  skip_service_principal_aad_check = true
+}
+
+output "privatek8s_kube_config" {
+  value     = azurerm_kubernetes_cluster.privatek8s.kube_config_raw
+  sensitive = true
+}
+
+output "privatek8s_public_ip_address" {
+  value = azurerm_public_ip.public_privatek8s.ip_address
+}
--- a/providers.tf
+++ b/providers.tf
@ -10,7 +10,7 @@ provider "postgresql" {
    * Don't forget to also check the network security group rules
  - If running locally, ensure that:
    * your /etc/hosts defines an entry with <azurerm_postgresql_flexible_server.public.fqdn> to 127.0.0.1
-    * you've opened an SSH tunnel such as `-L 5432:<azurerm_postgresql_flexible_server.public.fqdn>:5432` through a machine of the private network
+    * you've opened an SSH tunnel such as `ssh -L 5432:<azurerm_postgresql_flexible_server.public.fqdn>:5432` through a machine of the private network
  **/
  host      = azurerm_postgresql_flexible_server.public.fqdn
  username  = local.public_pgsql_admin_login
--- a/variables.tf
+++ b/variables.tf
@ -2,3 +2,8 @@ variable "location" {
  type    = string
  default = "East US 2"
 }
+
+variable "kubernetes_version" {
+  type    = string
+  default = "1.23.12"
+}
--- a/vnets.tf
+++ b/vnets.tf
@ -21,6 +21,9 @@
 #                        |                |
 #                        +----------------+
 #
+#
+# See also https://github.com/jenkins-infra/azure/blob/legacy-tf/plans/vnets.tf
+
 ## RESOURCE GROUPS
 ################################################################################
 data "azurerm_resource_group" "public_prod" {