From ef10c42254ee0dd7baa668706f4be828175dea46 Mon Sep 17 00:00:00 2001 From: gar Date: Tue, 25 Jan 2022 18:22:20 -0800 Subject: [PATCH 01/19] Kubernetes - Github Runner --- .../aws/kubernetes/github_runner/README.md | 3 + .../github_runner/helm_values.tpl.yaml | 1 + .../aws/kubernetes/github_runner/main.tf | 63 ++++++++++++++++ .../aws/kubernetes/github_runner/variables.tf | 73 +++++++++++++++++++ 4 files changed, 140 insertions(+) create mode 100644 terraform-modules/aws/kubernetes/github_runner/README.md create mode 100644 terraform-modules/aws/kubernetes/github_runner/helm_values.tpl.yaml create mode 100644 terraform-modules/aws/kubernetes/github_runner/main.tf create mode 100644 terraform-modules/aws/kubernetes/github_runner/variables.tf diff --git a/terraform-modules/aws/kubernetes/github_runner/README.md b/terraform-modules/aws/kubernetes/github_runner/README.md new file mode 100644 index 000000000..9de2f3b73 --- /dev/null +++ b/terraform-modules/aws/kubernetes/github_runner/README.md @@ -0,0 +1,3 @@ +# Github Runner + +Source: https://github.com/actions-runner-controller/actions-runner-controller diff --git a/terraform-modules/aws/kubernetes/github_runner/helm_values.tpl.yaml b/terraform-modules/aws/kubernetes/github_runner/helm_values.tpl.yaml new file mode 100644 index 000000000..ed97d539c --- /dev/null +++ b/terraform-modules/aws/kubernetes/github_runner/helm_values.tpl.yaml @@ -0,0 +1 @@ +--- diff --git a/terraform-modules/aws/kubernetes/github_runner/main.tf b/terraform-modules/aws/kubernetes/github_runner/main.tf new file mode 100644 index 000000000..83e06c9c9 --- /dev/null +++ b/terraform-modules/aws/kubernetes/github_runner/main.tf 
@@ -0,0 +1,63 @@ +locals { + helm_repository = "https://actions-runner-controller.github.io/actions-runner-controller" + official_chart_name = "actions-runner-controller" +} + +# +# Helm values +# +data "template_file" "helm_values" { + template = file("${path.module}/helm_values.tpl.yaml") + vars = { + # awsAccountID = data.aws_caller_identity.current.account_id + # clusterName = var.cluster_name + # serviceAccountName = local.official_chart_name + # chartName = local.official_chart_name + } +} + +module "helm_generic" { + source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/helm_generic?ref=v1.0.27" + + repository = local.helm_repository + official_chart_name = local.official_chart_name + user_chart_name = var.user_chart_name + helm_version = var.helm_chart_version + namespace = var.k8s_namespace + helm_values = data.template_file.helm_values.rendered + helm_values_2 = var.helm_values_2 + + depends_on = [ + module.iam_assumable_role_admin + ] +} + +# +# kubernetes-external-secret +# +resource "kubernetes_manifest" "kube_secret_crd" { + count = var.enable_kubernetes_external_secret ? 1 : 0 + + manifest = { + apiVersion = "kubernetes-client.io/v1" + kind = "ExternalSecret" + + metadata = { + name = var.kubernetes_external_secret_name + namespace = var.k8s_namespace + } + + spec = { + backendType = "secretsManager" + + data = [ + { + # AWS Secrets name + key = var.aws_secret_name + # The name in the k8s secret + name = var.k8s_secret_key_name + }, + ] + } + } +} diff --git a/terraform-modules/aws/kubernetes/github_runner/variables.tf b/terraform-modules/aws/kubernetes/github_runner/variables.tf new file mode 100644 index 000000000..113443804 --- /dev/null +++ b/terraform-modules/aws/kubernetes/github_runner/variables.tf 
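Review bot: `data "template_file" "helm_values"` pulls the separate hashicorp/template provider into this module for a template that receives no variables at all (every entry in `vars` is commented out), while the same line already relies on the built-in `file()`; the built-in `templatefile("${path.module}/helm_values.tpl.yaml", {})` renders the same file without the extra provider, and `module.helm_generic` would then read `helm_values = templatefile(...)` directly. The ExternalSecret block copies an AWS Secrets Manager entry into a Kubernetes secret in the same namespace as the controller, but nothing in the hunk says what `var.aws_secret_name` is expected to hold or which workload consumes `var.k8s_secret_key_name`; a one-line comment above `resource "kubernetes_manifest" "kube_secret_crd"` naming the consumer would help, since this is the module's only handling of a credential.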
@@ -0,0 +1,73 @@ +# variable "aws_region" { +# type = string +# default = "us-east-1" +# description = "AWS region" +# } + +# variable "cluster_name" { +# type = string +# default = "cluster" +# description = "EKS cluster name" +# } + +# variable "eks_cluster_id" { +# type = string +# default = "" +# description = "EKS cluster ID" +# } + +# variable "eks_cluster_oidc_issuer_url" { +# type = string +# default = "" +# description = "EKS cluster oidc issuer url" +# } + +variable "user_chart_name" { + default = "actions-runner-controller" + description = "The Helm name to install this chart under" +} + +variable "helm_chart_version" { + default = "1.2.0" + description = "The version of this helm chart to use" +} + +variable "k8s_namespace" { + default = "actions-runner-controller" +} + +variable "helm_values_2" { + type = string + default = "" + description = "Helm values that will overwrite the helm chart defaults and this modules default for further user customization" +} + +# variable "route53_hosted_zones" { +# type = string +# default = "*" +# description = "The hosted zone permissions granted to: arn:aws:route53:::hostedzone/ Date: Tue, 25 Jan 2022 18:26:53 -0800 Subject: [PATCH 02/19] removing iam resource --- terraform-modules/aws/kubernetes/github_runner/main.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/terraform-modules/aws/kubernetes/github_runner/main.tf b/terraform-modules/aws/kubernetes/github_runner/main.tf index 83e06c9c9..ed100e89b 100644 --- a/terraform-modules/aws/kubernetes/github_runner/main.tf +++ b/terraform-modules/aws/kubernetes/github_runner/main.tf @@ -27,9 +27,6 @@ module "helm_generic" { helm_values = data.template_file.helm_values.rendered helm_values_2 = var.helm_values_2 - depends_on = [ - module.iam_assumable_role_admin - ] } # From 3fff9e9c600528b727bd13a7fa81c3aee5911a1b Mon Sep 17 00:00:00 2001 
From: gar Date: Tue, 25 Jan 2022 19:38:23 -0800 Subject: [PATCH 03/19] Adding generate-cert module --- .../github_runner/README.md | 5 + .../github_runner/helm_values.tpl.yaml | 0 .../github_runner/main.tf | 27 ++++++ .../github_runner/variables.tf | 32 +------ terraform-modules/generate-cert/README.md | 8 ++ terraform-modules/generate-cert/main.tf | 72 +++++++++++++++ terraform-modules/generate-cert/outputs.tf | 11 +++ terraform-modules/generate-cert/variables.tf | 92 +++++++++++++++++++ 8 files changed, 216 insertions(+), 31 deletions(-) rename terraform-modules/aws/{kubernetes => helm}/github_runner/README.md (57%) rename terraform-modules/aws/{kubernetes => helm}/github_runner/helm_values.tpl.yaml (100%) rename terraform-modules/aws/{kubernetes => helm}/github_runner/main.tf (71%) rename terraform-modules/aws/{kubernetes => helm}/github_runner/variables.tf (65%) create mode 100644 terraform-modules/generate-cert/README.md create mode 100644 terraform-modules/generate-cert/main.tf create mode 100644 terraform-modules/generate-cert/outputs.tf create mode 100644 terraform-modules/generate-cert/variables.tf diff --git a/terraform-modules/aws/kubernetes/github_runner/README.md b/terraform-modules/aws/helm/github_runner/README.md similarity index 57% rename from terraform-modules/aws/kubernetes/github_runner/README.md rename to terraform-modules/aws/helm/github_runner/README.md index 9de2f3b73..13a99d177 100644 --- a/terraform-modules/aws/kubernetes/github_runner/README.md +++ b/terraform-modules/aws/helm/github_runner/README.md @@ -1,3 +1,8 @@ # Github Runner Source: https://github.com/actions-runner-controller/actions-runner-controller + + +Requirements: +* cert-manager +* kubernetes-external-secrets (optional) 
diff --git a/terraform-modules/aws/kubernetes/github_runner/helm_values.tpl.yaml b/terraform-modules/aws/helm/github_runner/helm_values.tpl.yaml similarity index 100% rename from terraform-modules/aws/kubernetes/github_runner/helm_values.tpl.yaml rename to terraform-modules/aws/helm/github_runner/helm_values.tpl.yaml diff --git a/terraform-modules/aws/kubernetes/github_runner/main.tf b/terraform-modules/aws/helm/github_runner/main.tf similarity index 71% rename from terraform-modules/aws/kubernetes/github_runner/main.tf rename to terraform-modules/aws/helm/github_runner/main.tf index ed100e89b..891ba8fac 100644 --- a/terraform-modules/aws/kubernetes/github_runner/main.tf +++ b/terraform-modules/aws/helm/github_runner/main.tf @@ -3,6 +3,15 @@ locals { official_chart_name = "actions-runner-controller" } +# +# create namespace +# +module "namespace" { + source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/kubernetes/namespace?ref=v1.0.50" + + name = var.k8s_namespace +} + # # Helm values # @@ -27,6 +36,9 @@ module "helm_generic" { helm_values = data.template_file.helm_values.rendered helm_values_2 = var.helm_values_2 + depends_on = [ + module.namespace + ] } # @@ -57,4 +69,19 @@ resource "kubernetes_manifest" "kube_secret_crd" { ] } } + + depends_on = [ + module.namespace + ] } + +# +# Generate self signed certs for use with the runner: +# doc: https://github.com/actions-runner-controller/actions-runner-controller#using-without-cert-manager +# Even the cert-manager is configured to generate a self signed cert +# +module "cert" { + source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/generate-cert?ref=github-runner" + + name = var.k8s_namespace +} \ No newline at end of file 
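Review bot: `module "cert"` in the last hunk is sourced with `?ref=github-runner`, a branch name, whereas `module "namespace"` in the first hunk of this file pins `?ref=v1.0.50`; a branch ref is mutable, so the code that generates the webhook CA and key can change underneath every consumer without any diff in this module, and it should become `source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/generate-cert?ref=<release-tag>"` once the branch merges. The header comment `Even the cert-manager is configured to generate a self signed cert` is hard to parse next to the README hunk in this same commit, which lists cert-manager as a requirement; if this block replaces cert-manager for the webhook certificate, the comment should say so (`# Replaces cert-manager for the admission webhook certificate`) and the README requirement presumably goes.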
diff --git a/terraform-modules/aws/kubernetes/github_runner/variables.tf b/terraform-modules/aws/helm/github_runner/variables.tf similarity index 65% rename from terraform-modules/aws/kubernetes/github_runner/variables.tf rename to terraform-modules/aws/helm/github_runner/variables.tf index 113443804..ea782adf2 100644 --- a/terraform-modules/aws/kubernetes/github_runner/variables.tf +++ b/terraform-modules/aws/helm/github_runner/variables.tf @@ -1,34 +1,10 @@ -# variable "aws_region" { -# type = string -# default = "us-east-1" -# description = "AWS region" -# } - -# variable "cluster_name" { -# type = string -# default = "cluster" -# description = "EKS cluster name" -# } - -# variable "eks_cluster_id" { -# type = string -# default = "" -# description = "EKS cluster ID" -# } - -# variable "eks_cluster_oidc_issuer_url" { -# type = string -# default = "" -# description = "EKS cluster oidc issuer url" -# } - variable "user_chart_name" { default = "actions-runner-controller" description = "The Helm name to install this chart under" } variable "helm_chart_version" { - default = "1.2.0" + default = "0.15.1" description = "The version of this helm chart to use" } @@ -42,12 +18,6 @@ variable "helm_values_2" { description = "Helm values that will overwrite the helm chart defaults and this modules default for further user customization" } -# variable "route53_hosted_zones" { -# type = string -# default = "*" -# description = "The hosted zone permissions granted to: arn:aws:route53:::hostedzone/ Date: Tue, 25 Jan 2022 19:43:15 -0800 Subject: [PATCH 04/19] Updating intput type --- terraform-modules/aws/helm/github_runner/main.tf | 5 ++++- terraform-modules/generate-cert/variables.tf | 8 ++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/terraform-modules/aws/helm/github_runner/main.tf b/terraform-modules/aws/helm/github_runner/main.tf index 891ba8fac..410cfb948 100644 --- a/terraform-modules/aws/helm/github_runner/main.tf 
+++ b/terraform-modules/aws/helm/github_runner/main.tf @@ -83,5 +83,8 @@ resource "kubernetes_manifest" "kube_secret_crd" { module "cert" { source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/generate-cert?ref=github-runner" - name = var.k8s_namespace + dns_names = [ + "webhook-service.actions-runner-system.svc", + "webhook-service.actions-runner-system.svc.cluster.local", + ] } \ No newline at end of file diff --git a/terraform-modules/generate-cert/variables.tf b/terraform-modules/generate-cert/variables.tf index d32e495fc..7364b0ccd 100644 --- a/terraform-modules/generate-cert/variables.tf +++ b/terraform-modules/generate-cert/variables.tf @@ -33,12 +33,12 @@ variable "common_name" { variable "dns_names" { description = "List of DNS names for which the certificate will be valid (e.g. foo.example.com)." - type = "list" + type = list(string) } variable "ip_addresses" { description = "List of IP addresses for which the certificate will be valid (e.g. 127.0.0.1)." - type = "list" + type = list(string) } variable "validity_period_hours" { @@ -52,7 +52,7 @@ variable "validity_period_hours" { variable "ca_allowed_uses" { description = "List of keywords from RFC5280 describing a use that is permitted for the CA certificate. For more info and the list of keywords, see https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html#allowed_uses." - type = "list" + type = list(string) default = [ "cert_signing", @@ -63,7 +63,7 @@ variable "ca_allowed_uses" { variable "allowed_uses" { description = "List of keywords from RFC5280 describing a use that is permitted for the issued certificate. For more info and the list of keywords, see https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html#allowed_uses." - type = "list" + type = list(string) default = [ "key_encipherment", From 0e000207f3f6b2a65c697dc642e54ab914fd3db7 Mon Sep 17 00:00:00 2001 
From: gar Date: Tue, 25 Jan 2022 19:56:01 -0800 Subject: [PATCH 05/19] Updating var usage --- terraform-modules/aws/helm/github_runner/main.tf | 14 ++++++++++++-- terraform-modules/generate-cert/main.tf | 2 +- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/terraform-modules/aws/helm/github_runner/main.tf b/terraform-modules/aws/helm/github_runner/main.tf index 410cfb948..2ed4b2505 100644 --- a/terraform-modules/aws/helm/github_runner/main.tf +++ b/terraform-modules/aws/helm/github_runner/main.tf @@ -83,8 +83,18 @@ resource "kubernetes_manifest" "kube_secret_crd" { module "cert" { source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/generate-cert?ref=github-runner" + ca_public_key_file_path = "/tmp/ca_public_key_file" + public_key_file_path = "/tmp/public_key_file" + private_key_file_path = "/tmp/private_key_file" + owner = "k8s" + ca_common_name = "k8s" + common_name = "k8s" + ip_addresses = [] + validity_period_hours = 43830 + organization_name = "k8s" + dns_names = [ - "webhook-service.actions-runner-system.svc", - "webhook-service.actions-runner-system.svc.cluster.local", + "webhook-service.${var.k8s_namespace}.svc", + "webhook-service.${var.k8s_namespace}.svc.cluster.local", ] } \ No newline at end of file diff --git a/terraform-modules/generate-cert/main.tf b/terraform-modules/generate-cert/main.tf index 46f45710d..351665360 100644 --- a/terraform-modules/generate-cert/main.tf +++ b/terraform-modules/generate-cert/main.tf @@ -14,7 +14,7 @@ resource "tls_self_signed_cert" "ca" { is_ca_certificate = true validity_period_hours = "${var.validity_period_hours}" - allowed_uses = ["${var.ca_allowed_uses}"] + allowed_uses = var.ca_allowed_uses subject { common_name = "${var.ca_common_name}" From 9fdd6cd691d28b3497aed371a51417eda1ddb557 Mon Sep 17 00:00:00 2001 
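Review bot: `validity_period_hours = 43830` gives both the self-signed CA and the webhook serving certificate a five-year lifetime with nothing in the module to rotate them, and because the material comes from `tls_private_key`/`tls_self_signed_cert` the private keys are stored in plaintext in Terraform state, so any root using this module needs an encrypted, access-restricted state backend; that is worth stating in the README. The `ca_public_key_file_path`, `public_key_file_path` and `private_key_file_path` values are fixed `/tmp/...` paths, and at this commit the generate-cert module's `local-exec` provisioners write the PEMs, including the private key, to those predictable shared locations on whatever host runs `terraform apply`; if file output is needed at all the paths should be caller-supplied and outside `/tmp`. `owner = "k8s"` feeds a `chown`, which presumably fails on hosts without such a user.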
From: gar Date: Tue, 25 Jan 2022 19:57:41 -0800 Subject: [PATCH 06/19] Updating var usage --- terraform-modules/generate-cert/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform-modules/generate-cert/main.tf b/terraform-modules/generate-cert/main.tf index 351665360..063fb4c15 100644 --- a/terraform-modules/generate-cert/main.tf +++ b/terraform-modules/generate-cert/main.tf @@ -46,8 +46,8 @@ resource "tls_cert_request" "cert" { key_algorithm = "${tls_private_key.cert.algorithm}" private_key_pem = "${tls_private_key.cert.private_key_pem}" - dns_names = ["${var.dns_names}"] - ip_addresses = ["${var.ip_addresses}"] + dns_names = var.dns_names + ip_addresses = var.ip_addresses subject { common_name = "${var.common_name}" From 1c75c1b8828d7d2c219e4b8c0392e1b3b4299805 Mon Sep 17 00:00:00 2001 From: gar Date: Tue, 25 Jan 2022 20:00:39 -0800 Subject: [PATCH 07/19] Updating var usage --- terraform-modules/generate-cert/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform-modules/generate-cert/main.tf b/terraform-modules/generate-cert/main.tf index 063fb4c15..a5bbaa7b0 100644 --- a/terraform-modules/generate-cert/main.tf +++ b/terraform-modules/generate-cert/main.tf @@ -63,7 +63,7 @@ resource "tls_locally_signed_cert" "cert" { ca_cert_pem = "${tls_self_signed_cert.ca.cert_pem}" validity_period_hours = "${var.validity_period_hours}" - allowed_uses = ["${var.allowed_uses}"] + allowed_uses = var.allowed_uses # Store the certificate's public key in a file. provisioner "local-exec" { From bfb5ddc4d9059e3f3ff511e5a76488dde3a170a6 Mon Sep 17 00:00:00 2001 From: gar Date: Tue, 25 Jan 2022 20:16:14 -0800 Subject: [PATCH 08/19] Updating var usage --- terraform-modules/generate-cert/main.tf | 18 +++++++++--------- terraform-modules/generate-cert/outputs.tf | 12 ++++++------ 2 files changed, 15 insertions(+), 15 deletions(-) 
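Review bot: The hunk correctly drops the `["${var.dns_names}"]` wrapping, which in Terraform 0.12+ is an error (a list cannot be interpolated into a string), but leaves the adjacent `key_algorithm = "${tls_private_key.cert.algorithm}"`, `private_key_pem = "${tls_private_key.cert.private_key_pem}"` and `common_name = "${var.common_name}"` context lines in the same legacy interpolation-only form. For consistency within the resource these should become bare references, e.g. `key_algorithm = tls_private_key.cert.algorithm`; the patch 07 hunk on this line has the same mix around `allowed_uses`.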
diff --git a/terraform-modules/generate-cert/main.tf b/terraform-modules/generate-cert/main.tf index a5bbaa7b0..ec6c31c32 100644 --- a/terraform-modules/generate-cert/main.tf +++ b/terraform-modules/generate-cert/main.tf @@ -22,9 +22,9 @@ resource "tls_self_signed_cert" "ca" { } # Store the CA public key in a file. - provisioner "local-exec" { - command = "echo '${tls_self_signed_cert.ca.cert_pem}' > '${var.ca_public_key_file_path}' && chmod ${var.permissions} '${var.ca_public_key_file_path}' && chown ${var.owner} '${var.ca_public_key_file_path}'" - } + # provisioner "local-exec" { + # command = "echo '${tls_self_signed_cert.ca.cert_pem}' > '${var.ca_public_key_file_path}' && chmod ${var.permissions} '${var.ca_public_key_file_path}' && chown ${var.owner} '${var.ca_public_key_file_path}'" + # } } # --------------------------------------------------------------------------------------------------------------------- @@ -37,9 +37,9 @@ resource "tls_private_key" "cert" { rsa_bits = "${var.private_key_rsa_bits}" # Store the certificate's private key in a file. - provisioner "local-exec" { - command = "echo '${tls_private_key.cert.private_key_pem}' > '${var.private_key_file_path}' && chmod ${var.permissions} '${var.private_key_file_path}' && chown ${var.owner} '${var.private_key_file_path}'" - } + # provisioner "local-exec" { + # command = "echo '${tls_private_key.cert.private_key_pem}' > '${var.private_key_file_path}' && chmod ${var.permissions} '${var.private_key_file_path}' && chown ${var.owner} '${var.private_key_file_path}'" + # } } resource "tls_cert_request" "cert" { 
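Review bot: The provisioner blocks in both hunks are commented out rather than deleted, so the dead commands, each of which would pass a PEM (in the second hunk the private key) through a shell command line where it is visible in process listings and Terraform's provisioner logging, stay in the file alongside the now-unread `ca_public_key_file_path`, `public_key_file_path`, `private_key_file_path`, `permissions` and `owner` inputs. Deleting the three blocks and those variables (or at least marking the variables deprecated in their descriptions) states the module's new contract plainly: material is returned through outputs and nothing is written to disk. The third hunk of this file, on the next line, has the same leftover.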
@@ -66,7 +66,7 @@ resource "tls_locally_signed_cert" "cert" { allowed_uses = var.allowed_uses # Store the certificate's public key in a file. - provisioner "local-exec" { - command = "echo '${tls_locally_signed_cert.cert.cert_pem}' > '${var.public_key_file_path}' && chmod ${var.permissions} '${var.public_key_file_path}' && chown ${var.owner} '${var.public_key_file_path}'" - } + # provisioner "local-exec" { + # command = "echo '${tls_locally_signed_cert.cert.cert_pem}' > '${var.public_key_file_path}' && chmod ${var.permissions} '${var.public_key_file_path}' && chown ${var.owner} '${var.public_key_file_path}'" + # } } diff --git a/terraform-modules/generate-cert/outputs.tf b/terraform-modules/generate-cert/outputs.tf index 89dd1daea..c054d70d7 100644 --- a/terraform-modules/generate-cert/outputs.tf +++ b/terraform-modules/generate-cert/outputs.tf @@ -1,11 +1,11 @@ -output "ca_public_key_file_path" { - value = "${var.ca_public_key_file_path}" +output "ca_public_key" { + value = tls_self_signed_cert.ca.cert_pem } -output "public_key_file_path" { - value = "${var.public_key_file_path}" +output "public_key" { + value = tls_locally_signed_cert.cert.cert_pem } -output "private_key_file_path" { - value = "${var.private_key_file_path}" +output "private_key" { + value = tls_private_key.cert.private_key_pem } From 70e0fd5b2c26631ff71fc09b5780976dd8c0f310 Mon Sep 17 00:00:00 2001 From: gar Date: Tue, 25 Jan 2022 20:47:03 -0800 Subject: [PATCH 09/19] Updating var usage --- .../helm/github_runner/helm_values.tpl.yaml | 5 ++++ .../aws/helm/github_runner/main.tf | 26 +++++++++++++++++-- terraform-modules/generate-cert/outputs.tf | 4 +-- 3 files changed, 31 insertions(+), 4 deletions(-) diff --git a/terraform-modules/aws/helm/github_runner/helm_values.tpl.yaml b/terraform-modules/aws/helm/github_runner/helm_values.tpl.yaml index ed97d539c..d43c1eb19 100644 --- a/terraform-modules/aws/helm/github_runner/helm_values.tpl.yaml 
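Review bot: `output "private_key"` in the outputs.tf hunk exposes `tls_private_key.cert.private_key_pem` without `sensitive = true`, so the PEM is printed in `terraform apply` output and by `terraform output` in every root that consumes this module; add `sensitive = true` to that output block (the rename to `client_private_key` in the later patch 09 hunk carries the same gap). The two certificate outputs are public material and can stay as they are. Marking the output sensitive only suppresses display; the key is still in state, which the README should say.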
+++ b/terraform-modules/aws/helm/github_runner/helm_values.tpl.yaml @@ -1 +1,6 @@ --- +# Using our own self signed cert +# https://github.com/actions-runner-controller/actions-runner-controller#using-without-cert-manager +certManagerEnabled: false +admissionWebHooks: + caBundle: ${ca_public_key} diff --git a/terraform-modules/aws/helm/github_runner/main.tf b/terraform-modules/aws/helm/github_runner/main.tf index 2ed4b2505..c2ae07cdc 100644 --- a/terraform-modules/aws/helm/github_runner/main.tf +++ b/terraform-modules/aws/helm/github_runner/main.tf @@ -18,6 +18,7 @@ module "namespace" { data "template_file" "helm_values" { template = file("${path.module}/helm_values.tpl.yaml") vars = { + ca_public_key = module.cert.ca_public_key # awsAccountID = data.aws_caller_identity.current.account_id # clusterName = var.cluster_name # serviceAccountName = local.official_chart_name @@ -37,7 +38,9 @@ module "helm_generic" { helm_values_2 = var.helm_values_2 depends_on = [ - module.namespace + module.cert, + kubernetes_secret_v1.this, + module.namespace, ] } @@ -97,4 +100,23 @@ module "cert" { "webhook-service.${var.k8s_namespace}.svc", "webhook-service.${var.k8s_namespace}.svc.cluster.local", ] -} \ No newline at end of file +} + +resource "kubernetes_secret_v1" "this" { + metadata { + name = "webhook-server-cert" + namespace = var.k8s_namespace + } + + data = { + "tls.crt" = module.cert.client_cert + "tls.key" = module.cert.client_private_key + } + + type = "kubernetes.io/tls" + + depends_on = [ + module.cert, + module.namespace, + ] +} diff --git a/terraform-modules/generate-cert/outputs.tf b/terraform-modules/generate-cert/outputs.tf index c054d70d7..e1ab9cb5b 100644 --- a/terraform-modules/generate-cert/outputs.tf +++ b/terraform-modules/generate-cert/outputs.tf 
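Review bot: In the `kubernetes_secret_v1.this` block of the last hunk, the `module.cert` entry in `depends_on` is redundant because `data` already references `module.cert.client_cert` and `module.cert.client_private_key`; the `module.namespace` entry is the one that matters, since the namespace is referenced only by name. The secret's `name = "webhook-server-cert"` must coincide with the name the chart's webhook deployment mounts, and nothing records that constraint; a comment such as `# Must match the serving-cert secret name the chart mounts for the admission webhook` above `metadata` would prevent the name from being changed casually. With this hunk the webhook's private key now sits in Terraform state twice, via the module outputs and via this resource's `data`, so the state backend for any consumer needs encryption and restricted access.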
@@ -2,10 +2,10 @@ output "ca_public_key" { value = tls_self_signed_cert.ca.cert_pem } -output "public_key" { +output "client_cert" { value = tls_locally_signed_cert.cert.cert_pem } -output "private_key" { +output "client_private_key" { value = tls_private_key.cert.private_key_pem } From 6e2cd432b7c792cef8c25d05df48a5dd04b3859b Mon Sep 17 00:00:00 2001 From: gar Date: Wed, 26 Jan 2022 10:22:33 -0800 Subject: [PATCH 10/19] Updating cert secrets --- terraform-modules/aws/helm/github_runner/main.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform-modules/aws/helm/github_runner/main.tf b/terraform-modules/aws/helm/github_runner/main.tf index c2ae07cdc..eb57f08e7 100644 --- a/terraform-modules/aws/helm/github_runner/main.tf +++ b/terraform-modules/aws/helm/github_runner/main.tf @@ -18,11 +18,7 @@ module "namespace" { data "template_file" "helm_values" { template = file("${path.module}/helm_values.tpl.yaml") vars = { - ca_public_key = module.cert.ca_public_key - # awsAccountID = data.aws_caller_identity.current.account_id - # clusterName = var.cluster_name - # serviceAccountName = local.official_chart_name - # chartName = local.official_chart_name + ca_public_key = base64encode(module.cert.ca_public_key) } } @@ -47,6 +43,9 @@ module "helm_generic" { # # kubernetes-external-secret # +# Using the Github PAT method +# doc: https://github.com/actions-runner-controller/actions-runner-controller#deploying-using-pat-authentication +# This is the secret referencing the PAT token in AWS Secret resource "kubernetes_manifest" "kube_secret_crd" { count = var.enable_kubernetes_external_secret ? 1 : 0 @@ -104,7 +103,8 @@ module "cert" { resource "kubernetes_secret_v1" "this" { metadata { - name = "webhook-server-cert" + name = "actions-runner-controller-serving-cert" + # name = "webhook-server-cert" namespace = var.k8s_namespace } From f12253f523c682ec8c03b627824ba518dd77aa80 Mon Sep 17 00:00:00 2001 
From: gar Date: Wed, 26 Jan 2022 11:06:20 -0800 Subject: [PATCH 11/19] Fixing vars --- .../aws/helm/github_runner/main.tf | 38 ++++++++++++++++++- .../aws/helm/github_runner/variables.tf | 6 +++ 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/terraform-modules/aws/helm/github_runner/main.tf b/terraform-modules/aws/helm/github_runner/main.tf index eb57f08e7..d690daa5c 100644 --- a/terraform-modules/aws/helm/github_runner/main.tf +++ b/terraform-modules/aws/helm/github_runner/main.tf @@ -98,12 +98,14 @@ module "cert" { dns_names = [ "webhook-service.${var.k8s_namespace}.svc", "webhook-service.${var.k8s_namespace}.svc.cluster.local", + "${var.k8s_namespace}-webhook.${var.k8s_namespace}.svc", + "${var.k8s_namespace}-webhook.${var.k8s_namespace}.svc", ] } resource "kubernetes_secret_v1" "this" { metadata { - name = "actions-runner-controller-serving-cert" + name = "${var.k8s_namespace}-serving-cert" # name = "webhook-server-cert" namespace = var.k8s_namespace } @@ -120,3 +122,37 @@ resource "kubernetes_secret_v1" "this" { module.namespace, ] } + +# +# Github Action Runner deployments +# +# The above deploys the control nodes. This deploys the actual Github Action runners +# where the jobs will run in. This creates the "RunnerDeployment" CRD which will +# Create the runner deployments. +# +# Docs: https://github.com/actions-runner-controller/actions-runner-controller#runnerdeployments +# +# To view the runner: github.com -> settings -> Actions -> Runners +# +resource "kubernetes_manifest" "runnerDeployment" { + manifest = { + apiVersion = "actions.summerwind.dev/v1alpha1" + kind = "RunnerDeployment" + + metadata = { + name = "runnerdeploy" + namespace = var.k8s_namespace + } + + spec = { + replicas = 2 + + template ={ + spec = { + repository = "ManagedKube/kubernetes-ops" + env = [] + } + } + } + } +} diff --git a/terraform-modules/aws/helm/github_runner/variables.tf b/terraform-modules/aws/helm/github_runner/variables.tf index ea782adf2..3c0fbef7d 100644 
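Review bot: The two `dns_names` entries added in the first hunk are identical (`"${var.k8s_namespace}-webhook.${var.k8s_namespace}.svc"` twice); the second was presumably meant to be `"${var.k8s_namespace}-webhook.${var.k8s_namespace}.svc.cluster.local"`, so the certificate covers one name fewer than intended. Both that service name and the secret name `"${var.k8s_namespace}-serving-cert"` are built from the namespace, but as far as I can tell from the chart these names are derived from the Helm release name (`var.user_chart_name` here), not the namespace; the two coincide only because both default to `actions-runner-controller`, and a caller overriding either variable gets a serving cert whose SAN and secret name no longer match what the controller looks for. Deriving both from `var.user_chart_name`, with a comment stating that they must track the release name, makes the coupling explicit.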
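Review bot: The RunnerDeployment in the second hunk registers repository-scoped runners for `ManagedKube/kubernetes-ops`, which means any workflow that repository triggers executes inside these pods in the cluster; the header comment explains what the CRD does but not that consequence, and a line such as `# Repository-scoped: every workflow this repository triggers runs inside these pods; keep fork-PR approval enabled if the repo is public` belongs there. `replicas = 2` and the repository name are hardcoded while `var.runner_repository_name` is introduced in the variables.tf hunk of this same commit and never read. `template ={` is missing the space before `=`, which `terraform fmt` will reformat.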
--- a/terraform-modules/aws/helm/github_runner/variables.tf +++ b/terraform-modules/aws/helm/github_runner/variables.tf @@ -41,3 +41,9 @@ variable "k8s_secret_key_name" { description = "The key name in the k8s secret. enable_kubernetes_external_secret must be set to true" default = "github_token" } + +variable "runner_repository_name" { + type = string + description = "Runner config. The repository name to associate this runner to" + default = null +} From 68916ea19ebd1b4da8fc1311134317ddada30db4 Mon Sep 17 00:00:00 2001 From: gar Date: Wed, 26 Jan 2022 11:12:50 -0800 Subject: [PATCH 12/19] Adding test gha workflow --- .../github-self-hosted-runner-testing.yaml | 36 +++++++++++++++++++ .../aws/helm/github_runner/main.tf | 6 ++++ 2 files changed, 42 insertions(+) create mode 100644 .github/workflows/github-self-hosted-runner-testing.yaml diff --git a/.github/workflows/github-self-hosted-runner-testing.yaml b/.github/workflows/github-self-hosted-runner-testing.yaml new file mode 100644 index 000000000..1edd94534 --- /dev/null +++ b/.github/workflows/github-self-hosted-runner-testing.yaml 
@@ -0,0 +1,36 @@ +# The name of the pipeline. Must be unique. +name: "Terraform - AWS" + +on: + push: + # only run when files in this path changes + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-positive-and-negative-patterns-1 + paths: + - 'terraform-modules/aws/helm/github_runner/**' + branches: + - main + pull_request: + # only run when files in this path changes + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-positive-and-negative-patterns-1 + paths: + - 'terraform-modules/aws/helm/github_runner/**' + +jobs: + ## This generates a matrix of changed directory to run Terraform on + generate_matrix: + #runs-on: ubuntu-latest + runs-on: custom-runner + env: + # The path that you want to construct the matrix on. Only files in this + # path that has changed will be included in. + TERRAFORM_CHECK_PATH: terraform-environments/aws/dev + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 2 + + - name: get parent directory and set matrix + id: set-matrix + run: | + echo hi diff --git a/terraform-modules/aws/helm/github_runner/main.tf b/terraform-modules/aws/helm/github_runner/main.tf index d690daa5c..2db59a771 100644 --- a/terraform-modules/aws/helm/github_runner/main.tf +++ b/terraform-modules/aws/helm/github_runner/main.tf @@ -151,6 +151,12 @@ resource "kubernetes_manifest" "runnerDeployment" { spec = { repository = "ManagedKube/kubernetes-ops" env = [] + + # The labels on how to target this runner from the GHA's workflow files + # Doc: https://github.com/actions-runner-controller/actions-runner-controller#runner-labels + labels = [ + "custom-runner" + ] } } } From 2f3f01943326d5225b0da08b2aefd5e7cac04d4e Mon Sep 17 00:00:00 2001 
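Review bot: The job runs on the self-hosted `custom-runner` label on `pull_request`, so if this repository is public a pull request from a fork can execute arbitrary commands inside a runner pod in the cluster; GitHub recommends self-hosted runners only for private repositories, and at minimum the repository's approval setting for outside-contributor workflows should be required and noted in a comment next to `runs-on: custom-runner`. `actions/checkout@v2` is a mutable tag; pinning to a commit SHA is the usual hardening for actions that run on infrastructure you own. The `generate_matrix` job name, the `TERRAFORM_CHECK_PATH` env and `fetch-depth: 2` are leftovers from the matrix workflow this file was copied from and nothing in the job uses them.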
From: gar Date: Wed, 26 Jan 2022 11:17:10 -0800 Subject: [PATCH 13/19] Adding test gha workflow --- .github/workflows/github-self-hosted-runner-testing.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/github-self-hosted-runner-testing.yaml b/.github/workflows/github-self-hosted-runner-testing.yaml index 1edd94534..72e5992b2 100644 --- a/.github/workflows/github-self-hosted-runner-testing.yaml +++ b/.github/workflows/github-self-hosted-runner-testing.yaml @@ -17,7 +17,7 @@ on: jobs: ## This generates a matrix of changed directory to run Terraform on - generate_matrix: + self_hosted_runner: #runs-on: ubuntu-latest runs-on: custom-runner env: @@ -30,7 +30,7 @@ jobs: with: fetch-depth: 2 - - name: get parent directory and set matrix - id: set-matrix + - name: Runing on self hosted runner run: | echo hi + ifconfig From d85ca151c4e3d6244978796d934b06af3396cf99 Mon Sep 17 00:00:00 2001 From: gar Date: Wed, 26 Jan 2022 11:22:38 -0800 Subject: [PATCH 14/19] Updating workflow --- .github/workflows/github-self-hosted-runner-testing.yaml | 3 ++- terraform-modules/aws/helm/github_runner/main.tf | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/github-self-hosted-runner-testing.yaml b/.github/workflows/github-self-hosted-runner-testing.yaml index 72e5992b2..9cf29002a 100644 --- a/.github/workflows/github-self-hosted-runner-testing.yaml +++ b/.github/workflows/github-self-hosted-runner-testing.yaml @@ -19,6 +19,7 @@ jobs: ## This generates a matrix of changed directory to run Terraform on self_hosted_runner: #runs-on: ubuntu-latest + # Label from the CRD deployment: https://github.com/actions-runner-controller/actions-runner-controller#runner-labels runs-on: custom-runner env: # The path that you want to construct the matrix on. Only files in this @@ -33,4 +34,4 @@ jobs: - name: Runing on self hosted runner run: | echo hi - ifconfig + ps aux 
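Review bot: The renamed step in the patch 13 hunk is spelled `Runing on self hosted runner`; it should be `- name: Running on self hosted runner`, and the typo survives the patch 14 hunk on this same line. `ifconfig` is absent from many minimal runner images, so as a smoke test the step may fail on that command rather than prove the runner works.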
diff --git a/terraform-modules/aws/helm/github_runner/main.tf b/terraform-modules/aws/helm/github_runner/main.tf index 2db59a771..f1e764983 100644 --- a/terraform-modules/aws/helm/github_runner/main.tf +++ b/terraform-modules/aws/helm/github_runner/main.tf @@ -145,7 +145,7 @@ resource "kubernetes_manifest" "runnerDeployment" { } spec = { - replicas = 2 + replicas = 1 template ={ spec = { From 8a9673859e23ee4f753b5eab8237d875d569966d Mon Sep 17 00:00:00 2001 From: gar Date: Wed, 26 Jan 2022 11:25:26 -0800 Subject: [PATCH 15/19] Updating workflow --- .github/workflows/github-self-hosted-runner-testing.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/github-self-hosted-runner-testing.yaml b/.github/workflows/github-self-hosted-runner-testing.yaml index 9cf29002a..705d4386b 100644 --- a/.github/workflows/github-self-hosted-runner-testing.yaml +++ b/.github/workflows/github-self-hosted-runner-testing.yaml @@ -35,3 +35,4 @@ jobs: run: | echo hi ps aux + curl -v https://651D35E97B291CC344F098C47028D880.gr7.us-west-2.eks.amazonaws.com -k From 3b7983ede3437c608d0bc08494614db4bd870a14 Mon Sep 17 00:00:00 2001 From: gar Date: Wed, 26 Jan 2022 11:30:22 -0800 Subject: [PATCH 16/19] Parameterizing the runners creation fields --- terraform-modules/aws/helm/github_runner/main.tf | 6 +++--- .../aws/helm/github_runner/variables.tf | 12 ++++++++++++ 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/terraform-modules/aws/helm/github_runner/main.tf b/terraform-modules/aws/helm/github_runner/main.tf index f1e764983..2c33b5df4 100644 --- a/terraform-modules/aws/helm/github_runner/main.tf +++ b/terraform-modules/aws/helm/github_runner/main.tf @@ -140,7 +140,7 @@ resource "kubernetes_manifest" "runnerDeployment" { kind = "RunnerDeployment" metadata = { - name = "runnerdeploy" + name = var.runner_deployment_name namespace = var.k8s_namespace } 
@@ -149,13 +149,13 @@ resource "kubernetes_manifest" "runnerDeployment" { template ={ spec = { - repository = "ManagedKube/kubernetes-ops" + repository = var.runner_repository_name env = [] # The labels on how to target this runner from the GHA's workflow files # Doc: https://github.com/actions-runner-controller/actions-runner-controller#runner-labels labels = [ - "custom-runner" + var.runner_label ] } } diff --git a/terraform-modules/aws/helm/github_runner/variables.tf b/terraform-modules/aws/helm/github_runner/variables.tf index 3c0fbef7d..194af0d04 100644 --- a/terraform-modules/aws/helm/github_runner/variables.tf +++ b/terraform-modules/aws/helm/github_runner/variables.tf @@ -47,3 +47,15 @@ variable "runner_repository_name" { description = "Runner config. The repository name to associate this runner to" default = null } + +variable "runner_label" { + type = string + description = "Runner config. The label to place onto the runner and the label to use on the runs-on field in the GHA workflow file." + default = "self-hosted" +} + +variable "runner_deployment_name" { + type = string + description = "Runner config. The runner CRD deployment name." + default = "runnerdeploy" +} From 1feb72704ddb2660b7dcab080073e80098f12d65 Mon Sep 17 00:00:00 2001 From: gar Date: Wed, 26 Jan 2022 11:36:30 -0800 Subject: [PATCH 17/19] Parameterizing the replica field --- terraform-modules/aws/helm/github_runner/main.tf | 2 +- terraform-modules/aws/helm/github_runner/variables.tf | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/terraform-modules/aws/helm/github_runner/main.tf b/terraform-modules/aws/helm/github_runner/main.tf index 2c33b5df4..9b322a945 100644 --- a/terraform-modules/aws/helm/github_runner/main.tf +++ b/terraform-modules/aws/helm/github_runner/main.tf @@ -145,7 +145,7 @@ resource "kubernetes_manifest" "runnerDeployment" { } spec = { - replicas = 1 + replicas = var.runner_number_of_replicas template ={ spec = { 
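Review bot: `repository = var.runner_repository_name` now reads a variable whose default is `null` (visible in the variables.tf hunk of the same commit), and nothing validates that a value was supplied, so the module will render a RunnerDeployment with no target repository; as far as I know the ARC controller requires one of repository/organization/enterprise, so that mistake surfaces only at apply time. Drop the default so the variable is required, or add a `validation` block whose condition is `var.runner_repository_name != null`. Relatedly, `labels = [var.runner_label]` can only ever emit one label; typing the variable as `list(string)` and assigning `labels = var.runner_labels` would let callers use the multi-label targeting the linked ARC docs describe. The kubernetes_manifest resource begins above this hunk.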
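Review bot: The default `runner_label = "self-hosted"` is not a distinguishing label: GitHub attaches `self-hosted` to every self-hosted runner automatically, so a workflow written against the default (`runs-on: self-hosted`) matches any runner registered to the repository, not specifically the ARC pods this module creates — and the example workflow in this series targets `custom-runner` rather than the default anyway. Pick a module-specific default such as `"arc-runner"`, or leave the variable without a default so callers must choose, and say so in the description: `description = "Runner config. Extra label placed on the runner and used in the workflow's runs-on field; choose something more specific than the automatic self-hosted label."`.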
diff --git a/terraform-modules/aws/helm/github_runner/variables.tf b/terraform-modules/aws/helm/github_runner/variables.tf index 194af0d04..c0d5b6872 100644 --- a/terraform-modules/aws/helm/github_runner/variables.tf +++ b/terraform-modules/aws/helm/github_runner/variables.tf @@ -59,3 +59,9 @@ variable "runner_deployment_name" { description = "Runner config. The runner CRD deployment name." default = "runnerdeploy" } + +variable "runner_number_of_replicas" { + type = number + description = "Runner config. The number of runner replicas to create" + default = 1 +} From 2e865f6c7eeb1ee651cd704edf9c23710121b930 Mon Sep 17 00:00:00 2001 From: gar Date: Wed, 26 Jan 2022 11:42:50 -0800 Subject: [PATCH 18/19] Removing unused env input --- terraform-modules/aws/helm/github_runner/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform-modules/aws/helm/github_runner/main.tf b/terraform-modules/aws/helm/github_runner/main.tf index 9b322a945..2a0df4c0f 100644 --- a/terraform-modules/aws/helm/github_runner/main.tf +++ b/terraform-modules/aws/helm/github_runner/main.tf @@ -150,7 +150,7 @@ resource "kubernetes_manifest" "runnerDeployment" { template ={ spec = { repository = var.runner_repository_name - env = [] + # env = [] # The labels on how to target this runner from the GHA's workflow files # Doc: https://github.com/actions-runner-controller/actions-runner-controller#runner-labels From 2107de553cca99126f04dd100d2eaa6335947d28 Mon Sep 17 00:00:00 2001 From: gar Date: Wed, 26 Jan 2022 11:45:30 -0800 Subject: [PATCH 19/19] Updating readme --- terraform-modules/aws/helm/github_runner/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform-modules/aws/helm/github_runner/README.md b/terraform-modules/aws/helm/github_runner/README.md index 13a99d177..32736fe87 100644 --- a/terraform-modules/aws/helm/github_runner/README.md +++ b/terraform-modules/aws/helm/github_runner/README.md 
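Review bot: `runner_number_of_replicas` is typed `number` with no validation, so a negative or fractional value passes `terraform validate` and only fails when the RunnerDeployment is submitted to the API server. Add a `validation` block on the variable with the condition `var.runner_number_of_replicas >= 0 && floor(var.runner_number_of_replicas) == var.runner_number_of_replicas` and an error message stating that the replica count must be a non-negative integer.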
@@ -6,3 +6,7 @@ Source: https://github.com/actions-runner-controller/actions-runner-controller Requirements: * cert-manager * kubernetes-external-secrets (optional) + +# Runner type support + +Currently this module only supports the PAT runner type.