Merge pull request #11 from robertchoi80/main

add sealed-secrets setup workflow

deploy_apps/tks-lma-federation-wftpl.yaml

@@ -9,8 +9,7 @@ spec:
     parameters:
     - name: site_name
       value: "hanu-reference"
-    # TODO: This should be renamed to app_group_name
-    - name: app_name
+    - name: app_group
       value: "lma"
     # Replace these urls properly for your env #
     - name: site_repo_url
@@ -88,7 +87,7 @@ spec:
           - name: cluster_name
             value: "{{item.name}}"
           - name: app_group
-            value: "{{workflow.parameters.app_name}}"
+            value: "{{workflow.parameters.app_group}}"
           - name: chart
             value: "thanos"
           - name: kv_map_str 
@@ -108,7 +107,7 @@ spec:
           - name: cluster_name
             value: "{{steps.collectThanosScEndpoints.outputs.parameters.cur_cluster_name}}"
           - name: app_group
-            value: "{{workflow.parameters.app_name}}"
+            value: "{{workflow.parameters.app_group}}"
           - name: chart
             value: "thanos"
           - name: kv_map_str

deploy_apps/tks-remove-servicemesh-wftpl.yaml

@@ -26,7 +26,7 @@ spec:
             template: delete-argocd-app
             arguments:
               parameters:
-                - name: app_name
+                - name: app_group
                   value: service-mesh
                 - name: site_name
                   value: "{{workflow.parameters.site_name}}"
@@ -71,7 +71,7 @@ spec:
     - name: delete-argocd-app
       inputs:
         parameters:
-          - name: app_name
+          - name: app_group
           - name: site_name
       container:
         name: delete-argocd-app
@@ -98,7 +98,7 @@ spec:
               name: decapod-argocd-config
         env:
           - name: APP_NAME
-            value: "{{inputs.parameters.app_name}}"
+            value: "{{inputs.parameters.app_group}}"
           - name: SITE_NAME
             value: '{{inputs.parameters.site_name}}'
       activeDeadlineSeconds: 900

deploy_apps/tks-service-mesh-wftpl.yaml

@@ -9,7 +9,7 @@ spec:
     parameters:
       - name: site_name
         value: hanu-reference
-      - name: app_name
+      - name: app_group
         value: service-mesh
       - name: manifest_repo_url
         value: 'https://github.com/openinfradev/decapod-manifests'

sealed_secrets/README.md

@@ -0,0 +1,5 @@
+## Install kubeseal binary
+```
+$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/kubeseal-linux-amd64 -O kubeseal
+$ sudo install -m 755 kubeseal-linux-amd64 /usr/local/bin/kubeseal
+```

sealed_secrets/deploy-secrets.yaml

@@ -0,0 +1,69 @@
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+  name: deploy-secrets
+  namespace: argo
+spec:
+  templates:
+  - name: deploySecretsToUserCluster
+    activeDeadlineSeconds: 120
+    inputs:
+      parameters:
+      - name: repo_url   # Eg, "tks-management/011b88fa-4d53-439f-9336-67845f994051/25db54c6-d6cb-459b-9148-1b02ac545753"
+      - name: secret_path  # Eg, "sealed-cert/secret.yaml"
+      - name: kubeconfig_secret_name  # Eg, "25db54c6-d6cb-459b-9148-1b02ac545753-kubeconfig"
+    container:
+      image: k8s.gcr.io/hyperkube:v1.18.8
+      imagePullPolicy: IfNotPresent
+      command:
+      - /bin/bash
+      - -c
+      - |
+  
+        cat <<< "$KUBE_CONFIG" > /etc/kubeconfig
+
+        git clone https://$(echo -n $gittoken)@$repo_url
+        repo_name=$(basename $repo_url)
+
+        kubectl apply --kubeconfig=/etc/kubeconfig -f $repo_name/"{{inputs.parameters.secret_path}}"
+
+        # TODO: need to add logic to check if the secret was successfully created?
+
+      envFrom:
+        - secretRef:
+            name: "gittoken"
+      env:
+        - name: repo_url
+          value: "{{ inputs.parameters.repo_url }}"
+        - name: KUBE_CONFIG
+          valueFrom:
+            secretKeyRef:
+              name: "{{ inputs.parameters.kubeconfig_secret_name }}"
+              key: value
+
+  - name: deploySecretsToAdminCluster
+    activeDeadlineSeconds: 120
+    inputs:
+      parameters:
+      - name: repo_url   # Eg, "openinfradev/tks-admin-site"
+      - name: secret_path  # Eg, "directory/secret.yaml"
+    container:
+      image: k8s.gcr.io/hyperkube:v1.18.8
+      imagePullPolicy: IfNotPresent
+      command:
+      - /bin/bash
+      - -c
+      - |
+
+        git clone https://$(echo -n $gittoken)@$repo_url
+        repo_name=$(basename $repo_url)
+
+        kubectl apply -f $repo_name/"{{inputs.parameters.secret_path}}"
+
+        # TODO: need to add logic to check if the secret was successfully created?
+      env:
+        - name: repo_url
+          value: "{{ inputs.parameters.repo_url }}"
+      envFrom:
+        - secretRef:
+            name: "gittoken"

sealed_secrets/setup-sealed-secrets-on-admincluster.yaml

@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+  name: setup-sealed-secrets-on-admincluster
+  namespace: argo
+spec:
+  entrypoint: process
+  arguments:
+    parameters:
+    # For create-application task #
+    - name: manifest_repo_url
+      value: "https://github.com/openinfradev/decapod-manifests"
+    - name: site_name
+      value: "hanu-reference"
+    - name: app_group
+      value: "sealed-secrets"
+    - name: revision
+      value: "main"
+## Uncomment following lines and customize to fetch any secrets you want ##
+#    - name: master_key_repo_url
+#      value: "github.com/openinfradev/tks-admin-site"
+#    - name: master_key_secret_name
+#      value: "github.com/openinfradev/tks-admin-site"
+#    - name: sealed_secrets_repo_url
+#      value: "github.com/openinfradev/tks-admin-site"
+#      ...
+###########################################################################
+  templates:
+  - name: process
+    steps:
+    - - name: deployMasterKey
+        templateRef:
+          name: deploy-secrets
+          template: deploySecretsToAdminCluster
+        arguments:
+          parameters:
+          # In case of user cluster, repo url should be constructed from parameters
+          # such as git_account, contract id & cluster id.
+          - name: repo_url
+            value: "github.com/openinfradev/tks-admin-site"
+          - name: secret_path
+            value: "sealed-secret-key/master-key-secret.yaml"
+
+    - - name: installControllers
+        templateRef:
+          name: create-application
+          template: installApps
+        arguments:
+          parameters:
+          - name: list
+            value: |
+              [
+                 { "path": "sealed-secrets-controller", "namespace": "kube-system" },
+                 { "path": "kubed", "namespace": "kube-system" }
+              ]
+
+    - - name: deploySealedSecret
+        templateRef:
+          name: deploy-secrets
+          template: deploySecretsToAdminCluster
+        arguments:
+          parameters:
+          - name: repo_url
+            value: "github.com/openinfradev/tks-admin-site"
+          - name: secret_path
+            value: "sealed-certificates/taco-cat-tls-sealed.yaml"

sealed_secrets/setup-sealed-secrets-on-usercluster.yaml

@@ -0,0 +1,67 @@
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+  name: setup-sealed-secrets-on-usercluster
+  namespace: argo
+spec:
+  entrypoint: process
+  arguments:
+    parameters:
+    - name: git_account
+      value: "tks-management"
+    - name: contract_id
+      value: "011b88fa-4d53-439f-9336-67845f994051"
+    - name: cluster_id
+      value: ""
+    - name: app_group
+      value: "sealed-secrets"
+    - name: revision
+      value: "main"
+  templates:
+  - name: process
+    steps:
+    - - name: deployMasterKey
+        templateRef:
+          name: deploy-secrets
+          template: deploySecretsToUserCluster
+        arguments:
+          parameters:
+          - name: repo_url
+            value: "github.com/openinfradev/tks-admin-site"
+          - name: secret_path
+            value: "sealed-secret-key/master-key-secret.yaml"
+          - name: kubeconfig_secret_name
+            value: "{{workflow.parameters.cluster_id}}-kubeconfig"
+
+    - - name: installControllers
+        templateRef:
+          name: tks-create-application-new
+          template: installApps
+        arguments:
+          parameters:
+          - name: list
+            value: |
+              [
+                 { "path": "sealed-secrets-controller", "namespace": "kube-system" },
+                 { "path": "kubed", "namespace": "kube-system" }
+              ]
+
+    - - name: deploySealedSecret
+        templateRef:
+          name: deploy-secrets
+          template: deploySecretsToUserCluster
+        arguments:
+          parameters:
+          ##########################################################################
+          # For real use case example 
+          #- name: repo_url
+          #  value: "github.com/tks-management/{{workflow.parameters.contract_id}}"
+          #- name: secret_path
+          #  value: "sealed-certificates/user-cat-tls-sealed.yaml"
+          ##########################################################################
+          - name: repo_url
+            value: "github.com/openinfradev/tks-admin-site"
+          - name: secret_path
+            value: "sealed-certificates/taco-cat-tls-sealed.yaml"
+          - name: kubeconfig_secret_name
+            value: "{{workflow.parameters.cluster_id}}-kubeconfig"

tks-cluster/create-usercluster-wftpl.yaml

@@ -17,50 +17,45 @@ spec:
       value: main
     - name: tks_admin
       value: "tks-admin"
-    - name: app_name
+    - name: app_group
       value: "tks-cluster"
 
   templates:
   - name: deploy
-    dag:
-      tasks:
-      - name: tks-create-cluster-site
+    steps:
+    - - name: tks-create-cluster-site
         template: new-cluster-site
-        dependencies: []
 
-      - name: k8s-by-capi
+    - - name: k8s-by-capi
         templateRef:
-          name: tks-create-application
-          template: AppGroupOnAdmin
+          name: tks-create-application-new
+          template: installAppsOnAdmin
         arguments:
           parameters: 
           - name: list
             value: |
               [
                 { "path": "cluster-api-aws", "namespace": "argo" }
               ]
-        dependencies: [tks-create-cluster-site]
 
-      - name: wait-for-clster-is-registered
-        template: wait-template
-        dependencies: [k8s-by-capi]
+    - - name: wait-for-clster-to-be-registered
+        template: wait-for-cluster-registration
 
-      - name: ready-for-cni-and-csi
+      # TODO: What does this name mean? Wait for CNI?
+    - - name: ready-for-cni-and-csi
         templateRef:
-          name: tks-create-application
-          template: AppGroup
+          name: tks-create-application-new
+          template: installApps
         arguments:
           parameters: 
           - name: list
             value: |
               [
                 { "path": "ingress-nginx", "namespace": "taco-system" },
-                { "path": "kubed", "namespace": "taco-system" },
                 { "path": "kubernetes-addons", "namespace": "taco-system" }
               ]
-        dependencies: [k8s-by-capi, wait-for-clster-is-registered ]
 
-  - name: wait-template
+  - name: wait-for-cluster-registration
     activeDeadlineSeconds: 1800
     container:
       image: ghcr.io/openinfradev/argocd-cli:v2.0.1
@@ -71,7 +66,7 @@ spec:
         yes | ./argocd login --insecure $ARGO_SERVER --username $ARGO_USERNAME --password $ARGO_PASSWORD
 
         while [ $(./argocd cluster list | grep \ $target\ | wc -l ) == 0 ]; do
-            echo "> Wait for cluster is registered"
+            echo "> Wait for cluster to be registered"
             sleep 30
         done
       envFrom: