Start Putting together the pieces for NaaS along with bugfixes (#33)

* bump kind version Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * cleaning up some files Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * clean up files Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * revert the version bump as for some reason .22 caused huge spikes of CPU locally Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * fix metadata Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * add kyverno-policies and PSS baseline to the Hub cluster Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * start adding in custom kyverno policy repo Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * keep building up the BYOP Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * start adding in custome policy repositories in backstage Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * update to simplify Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * keep trucking away at adding in custom policy repo Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * Delete .DS_Store * update the composition so it already includes the new app in argo Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * update kube versions Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * update kube versions Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * rename hostcluster to hub for clarity Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * forgot to rename the yaml file Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * make sure we output the right things regardless of the cluster type Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * add awscli to the install packages for porter bundle Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * add AWS credentials extraction so we can use AWS kubeconfig Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * dont forget about non EKS... Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> * pass in the right path.... Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com> --------- Signed-off-by: Boris Kurktchiev <kurktchiev@gmail.com>
back-stack · Mar 1, 2024 · f130024 · f130024
1 parent 83c52fb
commit f130024
Show file tree

Hide file tree

Showing 17 changed files with 120 additions and 27 deletions.
diff --git a/argocd/.gitkeep b/argocd/.gitkeep
diff --git a/backstage/app-config.yaml b/backstage/app-config.yaml
@@ -3,7 +3,7 @@ app:
   baseUrl: http://localhost:3000
 
 organization:
-  name: My Company
+  name: The BACK Stack
 
 backend:
   # Used for enabling authentication, secret is shared by all backend plugins

diff --git a/backstage/catalog/components/kyverno-repo.yaml b/backstage/catalog/components/kyverno-repo.yaml
@@ -0,0 +1,10 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: kyverno-policy-repository
+  description: Bring your own Policies
+spec:
+  type: service
+  lifecycle: production
+  owner: infrastructure
+  system: back-stack
diff --git a/backstage/catalog/resources.yaml b/backstage/catalog/resources.yaml
@@ -5,4 +5,4 @@ metadata:
   description: A collection of all resources
 spec:
   targets:
-    - ./resources/hostcluster.yaml
+    - ./resources/hub.yaml
diff --git a/backstage/catalog/resources/hostcluster.yaml → backstage/catalog/resources/hub.yaml b/backstage/catalog/resources/hostcluster.yaml → backstage/catalog/resources/hub.yaml
@@ -1,7 +1,7 @@
 apiVersion: backstage.io/v1alpha1
 kind: Resource
 metadata:
-  name: hostcluster
+  name: hub
   annotations:
     kubernetes.io/api-server: https://kubernetes.default.svc
     kubernetes.io/api-server-certificate-authority: ''
@@ -10,4 +10,4 @@ metadata:
 spec:
   type: kubernetes-cluster
   system: back-stack
-  owner: infrastructure
+  owner: infrastructure
diff --git a/backstage/catalog/templates/application/template.yaml b/backstage/catalog/templates/application/template.yaml
@@ -25,6 +25,10 @@ spec:
           title: Application Source
           type: string
           description: The source repository of the application to deploy
+        custom_kyverno_policies:
+          title: Custom Policy Repository Location
+          type: string
+          description: The source repository of the custome Kyverno policies specific to the application
         application_source_path:
           title: Path
           type: string
@@ -71,16 +75,16 @@ spec:
       action: publish:github:pull-request
       input:
         allowedHosts: ['github.com']
-        title: Request for new application deployment 
+        title: Request for new application deployment
         description: |
           Application Source: ${{ parameters.application_source }}
           Cluster ID: ${{ parameters.cluster_id }}
-        repoUrl: ${{ parameters.repo_url }} 
+        repoUrl: ${{ parameters.repo_url }}
         branchName: ${{ parameters.pull_request_branch_name }}
   output:
     text:
       - title: Accept Pull Request
         content: |
           Your New Application Request has been published to GitHub
 
-           To finish deploying the application, review and accept the [pull request](${{ steps['publish'].output.remoteUrl }}) 
+           To finish deploying the application, review and accept the [pull request](${{ steps['publish'].output.remoteUrl }})
diff --git a/backstage/catalog/templates/cluster/aks/template.yaml b/backstage/catalog/templates/cluster/aks/template.yaml
@@ -43,6 +43,10 @@ spec:
           type: string
           description: Instance type associated with the Node Group.
           default: Standard_B2s
+        custom_kyverno_policies:
+          title: Custom Policy Repository Location
+          type: string
+          description: The source repository of the custome Kyverno policies specific to the cluster
     - title: Destination
       required:
         - repo_url
@@ -76,18 +80,18 @@ spec:
       action: publish:github:pull-request
       input:
         allowedHosts: ['github.com']
-        title: Request for new cluster 
+        title: Request for new cluster
         description: |
           Cluster ID: ${{ parameters.cluster_id }}
           Region:     ${{ parameters.region }}
           Version:    ${{ parameters.version }}
           Nodes:      ${{ parameters.nodes_instance_type }} (${{ parameters.nodes_count }})
-        repoUrl: ${{ parameters.repo_url }} 
+        repoUrl: ${{ parameters.repo_url }}
         branchName: ${{ parameters.pull_request_branch_name }}
   output:
     text:
       - title: Accept Pull Request
         content: |
           Your New Cluster Request has been published to GitHub.
 
-          To finish creating the cluster, review and accept the [pull request](${{ steps['publish'].output.remoteUrl }}) 
+          To finish creating the cluster, review and accept the [pull request](${{ steps['publish'].output.remoteUrl }})
diff --git a/backstage/catalog/templates/cluster/eks/template.yaml b/backstage/catalog/templates/cluster/eks/template.yaml
@@ -34,6 +34,7 @@ spec:
           description: Kubernetes version of the Cluster
           default: "1.28"
           enum:
+            - "1.29"
             - "1.28"
             - "1.27"
             - "1.26"
@@ -49,6 +50,10 @@ spec:
           type: string
           description: Instance type associated with the Node Group.
           default: t3.small
+        custom_kyverno_policies:
+          title: Custom Policy Repository Location
+          type: string
+          description: The source repository of the custome Kyverno policies specific to the cluster
     - title: Destination
       required:
         - repo_url
@@ -83,18 +88,18 @@ spec:
       action: publish:github:pull-request
       input:
         allowedHosts: ['github.com']
-        title: Request for new cluster 
+        title: Request for new cluster
         description: |
           Cluster ID: ${{ parameters.cluster_id }}
           Region:     ${{ parameters.region }}
           Version:    ${{ parameters.version }}
           Nodes:      ${{ parameters.nodes_instance_type }} (${{ parameters.nodes_count }})
-        repoUrl: ${{ parameters.repo_url }} 
+        repoUrl: ${{ parameters.repo_url }}
         branchName: ${{ parameters.pull_request_branch_name }}
   output:
     text:
       - title: Accept Pull Request
         content: |
           Your New Cluster Request has been published to GitHub.
 
-          To finish creating the cluster, review and accept the [pull request](${{ steps['publish'].output.remoteUrl }}) 
+          To finish creating the cluster, review and accept the [pull request](${{ steps['publish'].output.remoteUrl }})
diff --git a/bundle/.gitignore b/bundle/.gitignore
diff --git a/bundle/helpers.sh b/bundle/helpers.sh
@@ -124,7 +124,21 @@ ensure_kubernetes() {
     KIND_DIND_IP=$(docker inspect -f "{{ .NetworkSettings.Networks.kind.IPAddress }}" ${CLUSTER_NAME}-control-plane)
     sed -i -e "s@server: .*@server: https://${KIND_DIND_IP}:6443@" ${K8S_CFG_INTERNAL}
   fi
-  kubectl get ns >/dev/null
+  elif [ "$CLUSTER_TYPE" = "eks" ]; then
+    if [ ! -d "~/.aws" ]; then
+      mkdir ~/.aws
+    fi
+    # Drop in AWS credentials so we can run aws-cli
+    echo -n "$AWS_CREDENTIALS" > ~/.aws/credentials
+    # there is no difference between internal and external
+    # when we are dealing with anything other than KinD
+    cp ${K8S_CFG_INTERNAL} ${K8S_CFG_EXTERNAL}
+    kubectl get ns >/dev/null
+  fi
+  else
+    cp ${K8S_CFG_INTERNAL} ${K8S_CFG_EXTERNAL}
+    kubectl get ns >/dev/null
+  fi
 }
 
 return_argo_initial_pass() {

diff --git a/bundle/template.Dockerfile b/bundle/template.Dockerfile
@@ -18,7 +18,7 @@ FROM --platform=linux/amd64 debian:stable-slim
 
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
-    apt-get update && apt-get install -y ca-certificates curl
+    apt-get update && apt-get install -y ca-certificates curl awscli
 
 # Install KinD
 RUN curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64 && \

diff --git a/crossplane/apis/cluster/aks/definition.yaml b/crossplane/apis/cluster/aks/definition.yaml
@@ -30,6 +30,9 @@ spec:
                   id:
                     type: string
                     description: ID of this Cluster that other objects will use to refer to it.
+                  custom_kyverno_policies:
+                    type: string
+                    description: The source repository of the custom Kyverno policies specific to the application
                   region:
                     type: string
                     description: Region is the region you'd like your resource to be created in.

diff --git a/crossplane/apis/cluster/eks/definition.yaml b/crossplane/apis/cluster/eks/definition.yaml
@@ -30,6 +30,9 @@ spec:
                   id:
                     type: string
                     description: ID of this Cluster that other objects will use to refer to it.
+                  custom_kyverno_policies:
+                    type: string
+                    description: The source repository of the custom Kyverno policies specific to the application
                   region:
                     type: string
                     description: Region is the region you'd like your resource to be created in.
@@ -50,12 +53,13 @@ spec:
                     type: string
                     description: Kubernetes version of the Cluster
                     enum:
+                    - "1.29"
                     - "1.28"
                     - "1.27"
                     - "1.26"
                     - "1.25"
                     - "1.24"
-                    default: "1.28"
+                    default: "1.29"
                   nodes:
                     type: object
                     description: Cluster node configuration parameters.

diff --git a/crossplane/apis/hub/composition.yaml b/crossplane/apis/hub/composition.yaml
@@ -131,6 +131,32 @@ spec:
             string:
               type: Format
               fmt: "%s-argocd"
+      - name: argocd-applications-application
+        base:
+          apiVersion: kubernetes.crossplane.io/v1alpha1
+          kind: Object
+          spec:
+            forProvider:
+              manifest:
+                apiVersion: argoproj.io/v1alpha1
+                kind: Application
+                metadata:
+                  name: clusters
+                  namespace: argocd
+                spec:
+                  project: default
+                  source:
+                    repoURL: repository # patched
+                    path: demo/applications
+                    targetRevision: HEAD
+                  destination:
+                    name: hub
+                    namespace: default
+        patches:
+        - type: PatchSet
+          patchSetName: target-cluster
+        - fromFieldPath: spec.parameters.repository
+          toFieldPath: spec.forProvider.manifest.spec.source.repoURL
       - name: argocd-clusters-application
         base:
           apiVersion: kubernetes.crossplane.io/v1alpha1
@@ -150,7 +176,7 @@ spec:
                     path: demo/clusters
                     targetRevision: HEAD
                   destination:
-                    name: hostcluster
+                    name: hub
                     namespace: default
         patches:
         - type: PatchSet
@@ -258,7 +284,7 @@ spec:
         patches:
         - type: PatchSet
           patchSetName: target-cluster
-      - name: argocd-hostcluster-secret
+      - name: argocd-hub-secret
         base:
           apiVersion: kubernetes.crossplane.io/v1alpha1
           kind: Object
@@ -270,10 +296,10 @@ spec:
                 metadata:
                   labels:
                     argocd.argoproj.io/secret-type: cluster
-                  name: hostcluster
+                  name: hub
                   namespace: argocd
                 data:
-                  name: aG9zdGNsdXN0ZXI= # hostcluster
+                  name: aHViCg== # hub
                   server: aHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3Zj # https://kubernetes.default.svc
                   config: eyJ0bHNDbGllbnRDb25maWciOnsiaW5zZWN1cmUiOmZhbHNlfX0= #'{"tlsClientConfig":{"insecure":false}}'
         patches:
@@ -509,6 +535,29 @@ spec:
             string:
               type: Format
               fmt: "%s-kyverno"
+      - name: kyverno-policies
+        base:
+          apiVersion: helm.crossplane.io/v1beta1
+          kind: Release
+          metadata:
+            annotations:
+              crossplane.io/external-name: kyverno-policies
+          spec:
+            forProvider:
+              namespace: kyverno
+              chart:
+                name: kyverno-policies
+                repository: https://kyverno.github.io/kyverno
+        patches:
+        - type: PatchSet
+          patchSetName: target-cluster
+        - fromFieldPath: metadata.name
+          toFieldPath: metadata.name
+          transforms:
+          - type: string
+            string:
+              type: Format
+              fmt: "%s-kyverno-policies"
       - name: kyverno-argocd-cluster-generation-clusterpolicy
         base:
           apiVersion: kubernetes.crossplane.io/v1alpha1
@@ -525,7 +574,7 @@ spec:
                     policies.kyverno.io/category: Argo
                     policies.kyverno.io/severity: medium
                     policies.kyverno.io/subject: Secret
-                    kyverno.io/kyverno-version: 1.7.1
+                    kyverno.io/kyverno-version: 1.11.0
                     policies.kyverno.io/minversion: 1.7.0
                     policies.kyverno.io/description: >-
                       This policy generates and synchronizes Argo CD cluster secrets from Kubeconfig secrets.
@@ -655,7 +704,7 @@ spec:
               type: Format
               fmt: "%s-vault"
       - name: vault-poststart-script
-        base: 
+        base:
           apiVersion: kubernetes.crossplane.io/v1alpha1
           kind: Object
           spec:
@@ -668,7 +717,7 @@ spec:
                   namespace: vault
                 data:
                   run.sh: |
-                    sleep 4 
+                    sleep 4
                     vault auth enable kubernetes
                     vault write auth/kubernetes/config token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
                     vault policy write crossplane - <<EOF

diff --git a/crossplane/apis/hub/definition.yaml b/crossplane/apis/hub/definition.yaml
@@ -33,6 +33,10 @@ spec:
                   repository:
                     type: string
                     description: The URL of the git repository where claims will be synchronized
+                  kyverno-policy-repository:
+                    type: string
+                    # TODO: describe what format the repository is expected to be in
+                    description: The URL of the git repository where custom kyverno policies are stored
                   backstage:
                     type: object
                     description: Configuration for the Backstage deployment

diff --git a/imgs/arch.svg b/imgs/arch.svg
diff --git a/kyverno/.gitkeep b/kyverno/.gitkeep