├── user-cluster
    ├── versions.tf
    ├── output.tf
    ├── provider.tf
    ├── main.tf
    ├── ssh.tf
    ├── cluster-ha.tf
    ├── files
    │   └── cloud-config.yaml
    ├── data.tf
    ├── infra.tf
    └── iam.tf
├── .pre-commit-config.yaml
├── install-app
    ├── provider.tf
    ├── data.tf
    └── main.tf
├── .gitignore
├── charts
    └── rio
    │   └── 0.0.1
    │       ├── templates
    │           ├── service-account.yaml
    │           ├── cluster-role-binding.yaml
    │           ├── _helpers.tpl
    │           ├── deployment.yaml
    │           └── cluster-role.yaml
    │       ├── Chart.yaml
    │       ├── app-readme.md
    │       ├── values.yaml
    │       └── questions.yml
└── Readme.MD


/user-cluster/versions.tf:
--------------------------------------------------------------------------------
1 | 
2 | terraform {
3 |   required_version = ">= 0.12"
4 | }
5 | 


--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
1 | - repo: git://github.com/antonbabenko/pre-commit-terraform
2 |   rev: v1.19.0
3 |   hooks:
4 |     - id: terraform_fmt
5 |     - id: terraform_docs
6 | 


--------------------------------------------------------------------------------
/install-app/provider.tf:
--------------------------------------------------------------------------------
1 | provider "rancher2" {
2 |   api_url   = data.terraform_remote_state.server.outputs.rancher_url
3 |   token_key = data.terraform_remote_state.server.outputs.rancher_token
4 | }
5 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | *.swp
 2 | *.tfstate*
 3 | **/.terraform
 4 | **/*.plan
 5 | **/secret_files
 6 | **/*.tfenvs
 7 | **/aws_accounts/iam
 8 | .DS_Store
 9 | outputs/
10 | terraform.d/
11 | **/terraform.tfvars
12 | 


--------------------------------------------------------------------------------
/charts/rio/0.0.1/templates/service-account.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: ServiceAccount
4 | metadata:
5 |   name: {{ template "rio.serviceAccountName" . }}
6 |   namespace: {{ .Release.Namespace }}
7 | 


--------------------------------------------------------------------------------
/charts/rio/0.0.1/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | appVersion: 0.0.1
3 | description: Deploys Rio
4 | icon: https://github.com/rancher/ui/blob/master/public/assets/images/logos/welcome-cow.svg
5 | name: rio
6 | version: 0.0.1
7 | 


--------------------------------------------------------------------------------
/charts/rio/0.0.1/app-readme.md:
--------------------------------------------------------------------------------
1 | # Rio
2 | This catalog entry is for Rio.
3 | 
4 | [Rio](https://github.com/rancher/rio) is a microPaaS for Kubernetes.
5 | 
6 | Hopefully nobody reads this during the demo... I don't have a ton to say here in the example text.
7 | 


--------------------------------------------------------------------------------
/user-cluster/output.tf:
--------------------------------------------------------------------------------
 1 | output "master_addresses" {
 2 |   value = aws_instance.cluster-master.*.public_ip
 3 | }
 4 | 
 5 | output "worker_addresses" {
 6 |   value = aws_instance.cluster-worker.*.public_ip
 7 | }
 8 | 
 9 | output "cluster_id" {
10 |   value = rancher2_cluster.user-cluster.id
11 | }
12 | 


--------------------------------------------------------------------------------
/user-cluster/provider.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |   region = "us-west-2"
 3 |   # profile = "rancher-eng"
 4 | }
 5 | 
 6 | provider "rancher2" {
 7 |   api_url   = data.terraform_remote_state.server.outputs.rancher_url
 8 |   token_key = data.terraform_remote_state.server.outputs.rancher_token
 9 | }
10 | 


--------------------------------------------------------------------------------
/user-cluster/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   backend "remote" {
 3 |     organization = "drpebcak"
 4 |     workspaces {
 5 |       name = "rancher-as-code_user-cluster"
 6 |     }
 7 |   }
 8 | }
 9 | 
10 | locals {
11 |   name              = "cluster-demo"
12 |   rancher_version   = "v2.2.8"
13 |   instance_type     = "t3.large"
14 |   master_node_count = 3
15 |   worker_node_count = 3
16 | }
17 | 


--------------------------------------------------------------------------------
/charts/rio/0.0.1/templates/cluster-role-binding.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: ClusterRoleBinding
 4 | metadata:
 5 |   name: rio-controller-binding
 6 | roleRef:
 7 |   apiGroup: rbac.authorization.k8s.io
 8 |   kind: ClusterRole
 9 |   name: rio-cluster-admin
10 | subjects:
11 | - kind: ServiceAccount
12 |   name: {{ template "rio.serviceAccountName" . }}
13 |   namespace: {{ .Release.Namespace }}
14 | 


--------------------------------------------------------------------------------
/install-app/data.tf:
--------------------------------------------------------------------------------
 1 | data "terraform_remote_state" "server" {
 2 |   backend = "remote"
 3 | 
 4 |   config = {
 5 |     organization = "drpebcak"
 6 |     workspaces = {
 7 |       name = "rancher-as-code_rancher-server"
 8 |     }
 9 |   }
10 | }
11 | 
12 | data "terraform_remote_state" "cluster" {
13 |   backend = "remote"
14 | 
15 |   config = {
16 |     organization = "drpebcak"
17 |     workspaces = {
18 |       name = "rancher-as-code_user-cluster"
19 |     }
20 |   }
21 | }
22 | 


--------------------------------------------------------------------------------
/charts/rio/0.0.1/values.yaml:
--------------------------------------------------------------------------------
 1 | replicas: 1
 2 | image:
 3 |   repository: "rancher/rio-controller"
 4 |   tag: "v0.5.0-alpha.5"
 5 |   pullPolicy: IfNotPresent
 6 | serviceAccount:
 7 |   create: true
 8 |   name:
 9 | rio:
10 |   httpsPort: 443
11 |   httpPort: 80
12 |   serviceCidr: "10.43.0.1/16"
13 |   installMode: "ingress"
14 |   # Service Mesh Mode
15 |   smMode: "linkerd"
16 |   env:
17 |   # - name: RIO_DEBUG
18 |   #   value: "false"
19 |   # - name: IP_ADDRESSES
20 |   #   value: ""
21 |   # - name: DISABLE_FEATURES
22 |   #   value: ""
23 |   # - name: HTTP_PROXY
24 |   #   value: ""
25 |   # - name: INSTALL_MODE
26 |   #   value: ""
27 | 


--------------------------------------------------------------------------------
/user-cluster/ssh.tf:
--------------------------------------------------------------------------------
 1 | resource "tls_private_key" "ssh" {
 2 |   algorithm = "RSA"
 3 |   rsa_bits  = 4096
 4 | }
 5 | 
 6 | resource "local_file" "private_key" {
 7 |   sensitive_content = tls_private_key.ssh.private_key_pem
 8 |   filename          = "${path.module}/outputs/id_rsa"
 9 | 
10 |   provisioner "local-exec" {
11 |     command = "chmod 0600 ${path.module}/outputs/id_rsa"
12 |   }
13 | }
14 | 
15 | resource "local_file" "public_key" {
16 |   content  = tls_private_key.ssh.public_key_openssh
17 |   filename = "${path.module}/outputs/id_rsa.pub"
18 | }
19 | 
20 | resource "aws_key_pair" "ssh" {
21 |   key_name_prefix = local.name
22 |   public_key      = tls_private_key.ssh.public_key_openssh
23 | }
24 | 


--------------------------------------------------------------------------------
/user-cluster/cluster-ha.tf:
--------------------------------------------------------------------------------
 1 | resource "rancher2_cluster" "user-cluster" {
 2 |   name        = "${local.name}"
 3 |   description = "Terraform managed RKE cluster"
 4 | 
 5 |   rke_config {
 6 |     # Shows how easy it is to update
 7 |     # kubernetes_version = "v1.13.9-rancher1-2"
 8 |     kubernetes_version = "v1.14.5-rancher1-1"
 9 |     cloud_provider {
10 |       name = "aws"
11 |     }
12 | 
13 |     services {
14 |       etcd {
15 |         backup_config {
16 |           enabled        = true
17 |           interval_hours = 6
18 |           retention      = 12
19 | 
20 |           s3_backup_config {
21 |             access_key  = data.terraform_remote_state.server.outputs.etcd_backup_user_key
22 |             bucket_name = data.terraform_remote_state.server.outputs.etcd_backup_s3_bucket_id
23 |             endpoint    = "s3.us-west-2.amazonaws.com"
24 |             region      = "us-west-2"
25 |             folder      = local.name
26 |             secret_key  = data.terraform_remote_state.server.outputs.etcd_backup_user_secret
27 |           }
28 |         }
29 |       }
30 |     }
31 |   }
32 | }
33 | 


--------------------------------------------------------------------------------
/user-cluster/files/cloud-config.yaml:
--------------------------------------------------------------------------------
 1 | #cloud-config
 2 | ssh_authorized_keys:
 3 | - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC06Qvs+Y9JiyOTeYNGAN/Ukq7SmeCTr7EreD1K8Lwu5VuOmo+SBZh685tNTEGV044HgFvGEOBVreDlO2ArYuwHjUBGnpQGV8/abjoeLrmZBdREAUzBQ1h2GFE/WssKUfum81cnigRK1J3tWP7emq/Y2h/Zw5F09yiCIlXMBX2auKWUCXqwG3xKTi1NVSF9N6BGyFolrAR0LZJ6k7UBXPRc/QDTclI427gSJNbnmn8LVym6YxacV/V9Y7s23iR5zYbhLPe9VJWYNk1brVvfUVb3mILVVYz76KGEq8SHdWlPQPCOp+fSJ+PezDRklnex/MmvhNrBOmMSNcpj7wSLA3hD wmaxwell@wmaxwell-laptop
 4 | - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5O7k6gRYCU7YPkCH6dyXVW10izMAkDAQtQxNxdRE22 drpebcak
 5 | runcmd:
 6 | - apt-get update
 7 | - apt-get install -y apt-transport-https jq software-properties-common curl
 8 | - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
 9 | - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
10 | - apt-get update
11 | - apt-get -y install docker-ce=5:18.09.2~3-0~ubuntu-bionic
12 | - usermod -G docker -a ubuntu
13 | - ${registration_command} --internal-address $(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
14 | 


--------------------------------------------------------------------------------
/install-app/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   backend "remote" {
 3 |     organization = "drpebcak"
 4 |     workspaces {
 5 |       name = "rancher-as-code_install-app"
 6 |     }
 7 |   }
 8 | }
 9 | 
10 | resource "rancher2_catalog" "demo" {
11 |   name        = "rio-catalog"
12 |   url         = "https://github.com/drpebcak/rancher-as-code.git"
13 |   branch      = "master"
14 |   description = "Rancher-style helm repository with charts for installing Rio"
15 | }
16 | 
17 | data "rancher2_project" "system" {
18 |   cluster_id = data.terraform_remote_state.cluster.outputs.cluster_id
19 |   name       = "System"
20 | }
21 | 
22 | resource "rancher2_namespace" "rio-system" {
23 |   name        = "rio-system"
24 |   description = "Namespace for Rio components"
25 |   project_id  = data.rancher2_project.system.id
26 | }
27 | 
28 | resource "rancher2_app" "rio" {
29 |   catalog_name     = "rio-catalog"
30 |   name             = "rio"
31 |   project_id       = data.rancher2_project.system.id
32 |   target_namespace = rancher2_namespace.rio-system.name
33 |   template_name    = "rio"
34 |   template_version = "0.0.1"
35 |   depends_on       = [rancher2_catalog.demo]
36 |   values_yaml      = <<EOF
37 | rio:
38 |   env:
39 |   - name: IP_ADDRESSES
40 |     value: ${join(",", data.terraform_remote_state.cluster.outputs.worker_addresses)}
41 | EOF
42 | }
43 | 
44 | 
45 | 


--------------------------------------------------------------------------------
/charts/rio/0.0.1/questions.yml:
--------------------------------------------------------------------------------
 1 | minimum_rancher_version: v2.2.8
 2 | questions:
 3 | - variable: defaultImage
 4 |   default: true
 5 |   description: "Use default Docker image"
 6 |   label: Use Default Image
 7 |   type: boolean
 8 |   show_subquestion_if: false
 9 |   group: "Container Images"
10 |   subquestions:
11 |   - variable: image.repository
12 |     default: "strongmonkey1992/rio-controller"
13 |     description: "rio-controller Docker Image Name"
14 |     type: string
15 |     label: rio-controller Docker Image Name
16 |   - variable: image.tag
17 |     default: "dev"
18 |     description: "rio-controller Docker Image Tag"
19 |     type: string
20 |     label: rio-controller Docker Image Tag
21 | - variable: rio.installMode
22 |   default: "ingress"
23 |   description: "Install mode to expose gateway"
24 |   label: Install mode
25 |   type: enum
26 |   required: true
27 |   options:
28 |     - "ingress"
29 |     - "svclb"
30 |     - "hostport"
31 | - variable: rio.httpPort
32 |   default: 80
33 |   description: "Http port service mesh gateway will listen to"
34 |   label: http port
35 |   type: int
36 |   min: 1
37 |   max: 65535
38 |   required: true
39 | - variable: rio.serviceCidr
40 |   default: "10.43.0.1/16"
41 |   description: "Cidr for service network"
42 |   label: service network cidr
43 |   type: string
44 |   required: true
45 | - variable: rio.tag
46 |   default: "dev"
47 |   description: "rio-controller Docker Image Tag"
48 |   type: string
49 |   label: rio-controller Docker Image Tag
50 | 


--------------------------------------------------------------------------------
/charts/rio/0.0.1/templates/_helpers.tpl:
--------------------------------------------------------------------------------
 1 | {{/* vim: set filetype=mustache: */}}
 2 | {{/*
 3 | Expand the name of the chart.
 4 | */}}
 5 | {{- define "rio.name" -}}
 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 7 | {{- end -}}
 8 | 
 9 | {{/*
10 | Create a default fully qualified app name.
11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
12 | If release name contains chart name it will be used as a full name.
13 | */}}
14 | {{- define "rio.fullname" -}}
15 | {{- if .Values.fullnameOverride -}}
16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
17 | {{- else -}}
18 | {{- $name := default .Chart.Name .Values.nameOverride -}}
19 | {{- if contains $name .Release.Name -}}
20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
21 | {{- else -}}
22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
23 | {{- end -}}
24 | {{- end -}}
25 | {{- end -}}
26 | 
27 | {{/*
28 | Create chart name and version as used by the chart label.
29 | */}}
30 | {{- define "rio.chart" -}}
31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
32 | {{- end -}}
33 | 
34 | {{/*
35 | Create the name of the service account
36 | */}}
37 | {{- define "rio.serviceAccountName" -}}
38 | {{- if .Values.serviceAccount.create -}}
39 |     {{ default (include "rio.fullname" .) .Values.serviceAccount.name }}
40 | {{- else -}}
41 |     {{ default "default" .Values.serviceAccount.name }}
42 | {{- end -}}
43 | {{- end -}}
44 | 


--------------------------------------------------------------------------------
/user-cluster/data.tf:
--------------------------------------------------------------------------------
 1 | data "terraform_remote_state" "server" {
 2 |   backend = "remote"
 3 | 
 4 |   config = {
 5 |     organization = "drpebcak"
 6 |     workspaces = {
 7 |       name = "rancher-as-code_rancher-server"
 8 |     }
 9 |   }
10 | }
11 | 
12 | data "aws_vpc" "default" {
13 |   default = true
14 | }
15 | 
16 | data "aws_subnet_ids" "available" {
17 |   vpc_id = data.aws_vpc.default.id
18 | }
19 | 
20 | data "aws_ami" "ubuntu" {
21 |   most_recent = true
22 |   owners      = ["099720109477"]
23 | 
24 |   filter {
25 |     name   = "name"
26 |     values = ["ubuntu-minimal/images/*/ubuntu-bionic-18.04-*"]
27 |   }
28 | 
29 |   filter {
30 |     name   = "virtualization-type"
31 |     values = ["hvm"]
32 |   }
33 | 
34 |   filter {
35 |     name   = "root-device-type"
36 |     values = ["ebs"]
37 |   }
38 | 
39 |   filter {
40 |     name   = "architecture"
41 |     values = ["x86_64"]
42 |   }
43 | }
44 | 
45 | data "template_file" "worker-user_data" {
46 |   template = file("${path.module}/files/cloud-config.yaml")
47 |   vars = {
48 |     registration_command = "${rancher2_cluster.user-cluster.cluster_registration_token[0]["node_command"]} --worker"
49 |   }
50 |   depends_on = [rancher2_cluster.user-cluster]
51 | }
52 | 
53 | data "template_file" "master-user_data" {
54 |   template = file("${path.module}/files/cloud-config.yaml")
55 |   vars = {
56 |     registration_command = "${rancher2_cluster.user-cluster.cluster_registration_token[0]["node_command"]} --etcd --controlplane"
57 |   }
58 |   depends_on = [rancher2_cluster.user-cluster]
59 | }
60 | 


--------------------------------------------------------------------------------
/charts/rio/0.0.1/templates/deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: extensions/v1beta1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: rio-controller
 5 |   labels:
 6 |     app: {{ template "rio.name" . }}
 7 |     chart: {{ template "rio.chart" . }}
 8 |     release: {{ .Release.Name }}
 9 |     heritage: {{ .Release.Service }}
10 | spec:
11 |   replicas: {{ .Values.replicas }}
12 |   selector:
13 |     matchLabels:
14 |       rio-controller: "true"
15 |   template:
16 |     metadata:
17 |       labels:
18 |         rio-controller: "true"
19 |     spec:
20 |       containers:
21 |       - args:
22 |         - rio-controller
23 |         env:
24 |         - name: RIO_NAMESPACE
25 |           value: {{ .Release.Namespace }}
26 |         - name: HTTPS_PORT
27 |           value: "{{ .Values.rio.httpsPort }}"
28 |         - name: HTTP_PORT
29 |           value: "{{ .Values.rio.httpPort }}"
30 |         - name: SERVICE_CIDR
31 |           value: "{{ .Values.rio.serviceCidr }}"
32 |         - name: INSTALL_MODE
33 |           value: "{{ .Values.rio.installMode }}"
34 |         - name: SM_MODE
35 |           value: "{{ .Values.rio.smMode }}"
36 |         {{- if .Values.rio.env }}
37 |         {{ range $k, $v := .Values.rio.env -}}
38 |         - name: {{ $v.name }}
39 |           value: "{{ $v.value }}"
40 |         {{ end }}
41 |         {{- end }}
42 |         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
43 |         imagePullPolicy: {{ .Values.image.pullPolicy }}
44 |         name: rio-controller
45 |       serviceAccount: {{ template "rio.serviceAccountName" . }}
46 |       serviceAccountName: {{ template "rio.serviceAccountName" . }}
47 | 


--------------------------------------------------------------------------------
/Readme.MD:
--------------------------------------------------------------------------------
 1 | # Rancher as Code
 2 | 
 3 | ### The contents of this repository are currently being rewritten into discreet modules. Expect some breakage while this is happening! The original work can be found here: https://github.com/drpebcak/rancher-as-code/tree/infra-as-code-demo
 4 | 
 5 | This repository contains:
 6 | 
 7 | 1. ~~An example on how to set up rancher server in an HA configuration using terraform.~~ This is now a separate module that can be found at https://github.com/drpebcak/terraform-rancher-server
 8 | 2. How to provision a cluster for workloads and attach that to rancher using terraform
 9 | 3. How to manage a provisioned cluster using rancher and terraform
10 | 4. How to deploy applications into the cluster using terraform
11 | 
12 | ## Usage
13 | This example uses the terraform RKE provider - https://github.com/yamamoto-febc/terraform-provider-rke. To use this, you need to follow the [installation instructions](https://github.com/yamamoto-febc/terraform-provider-rke#installation). Please note that it relies on a feature which has been merged but not released, so currently the best way to use this is to build `terraform-provider-rke` on your system rather than download from a release.
14 | 
15 | 1. Go into the `rancher-server` directory
16 | * This directory contains terraform that uses RKE to set up a kubernetes cluster, configures helm, installs cert-manager, and then installs rancher.
17 | 2. Run terraform
18 | ```
19 | terraform init
20 | terraform apply
21 | ```
22 | * You will probably want to modify some of the locals for your environment
23 | 
24 | 3. Go into the `user-cluster` directory
25 | * This directory contains terraform that uses the rancher2 provider to create a custom cluster that is managed by rancher.
26 | 4. Run terraform
27 | ```
28 | terraform init
29 | terraform apply
30 | ```
31 | * You will probably want to modify some of the locals for your environment
32 | 
33 | 5. Go to the `install-app` directory
34 | * This directory contains terraform that uses the rancher2 provider to add a custom catalog and install a helm chart.
35 | 4. Run terraform
36 | ```
37 | terraform init
38 | terraform apply
39 | ```
40 | 
41 | ### Notes
42 | If you don't work at rancher, you will probably need to modify some of this configuration. The `aws` provider assumes you want to use a specific `profile` for access to AWS. Feel free to modify this in `rancher-server` and `user-cluster`. We also sort of assume that you want a domain name for `rancher-server` based on `${local.name}.${local.domain}` - you should probably change those as well. Finally, we are assuming that you use Route53 for your DNS. In `rancher-server/infra.tf` we make a DNS record for your rancher server.  If you do not use Route53, you should change this to reference whatever DNS provider you would like to use instead.
43 | 


--------------------------------------------------------------------------------
/user-cluster/infra.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group" "user-cluster" {
 2 |   name   = "${local.name}-user-cluster"
 3 |   vpc_id = data.aws_vpc.default.id
 4 | 
 5 |   ingress {
 6 |     from_port = 0
 7 |     to_port   = 0
 8 |     protocol  = "-1"
 9 |     self      = true
10 |   }
11 | 
12 |   ingress {
13 |     from_port   = 80
14 |     to_port     = 80
15 |     protocol    = "TCP"
16 |     cidr_blocks = ["0.0.0.0/0"]
17 |   }
18 | 
19 |   ingress {
20 |     from_port   = 443
21 |     to_port     = 443
22 |     protocol    = "TCP"
23 |     cidr_blocks = ["0.0.0.0/0"]
24 |   }
25 | 
26 |   egress {
27 |     from_port   = 0
28 |     to_port     = 0
29 |     protocol    = "-1"
30 |     cidr_blocks = ["0.0.0.0/0"]
31 |   }
32 | }
33 | 
34 | #############################
35 | ### Create Nodes
36 | #############################
37 | resource "aws_instance" "cluster-master" {
38 |   count                       = local.master_node_count
39 |   ami                         = data.aws_ami.ubuntu.id
40 |   instance_type               = local.instance_type
41 |   key_name                    = aws_key_pair.ssh.id
42 |   user_data                   = data.template_file.master-user_data.rendered
43 |   iam_instance_profile        = aws_iam_instance_profile.cloud_provider.name
44 |   vpc_security_group_ids      = [aws_security_group.user-cluster.id]
45 |   subnet_id                   = element(tolist(data.aws_subnet_ids.available.ids), 0)
46 |   associate_public_ip_address = true
47 | 
48 |   root_block_device {
49 |     volume_type = "gp2"
50 |     volume_size = "50"
51 |   }
52 | 
53 |   tags = {
54 |     Name                                  = "${local.name}-master-${count.index}"
55 |     DoNotDelete                           = "true"
56 |     Owner                                 = "EIO_Demo"
57 |     "kubernetes.io/cluster/${local.name}" = "true"
58 |   }
59 |   lifecycle {
60 |     ignore_changes = [user_data]
61 |   }
62 | }
63 | 
64 | resource "aws_instance" "cluster-worker" {
65 |   count                       = local.worker_node_count
66 |   ami                         = data.aws_ami.ubuntu.id
67 |   instance_type               = local.instance_type
68 |   key_name                    = aws_key_pair.ssh.id
69 |   user_data                   = data.template_file.worker-user_data.rendered
70 |   iam_instance_profile        = aws_iam_instance_profile.cloud_provider.name
71 |   vpc_security_group_ids      = [aws_security_group.user-cluster.id]
72 |   subnet_id                   = element(tolist(data.aws_subnet_ids.available.ids), 0)
73 |   associate_public_ip_address = true
74 | 
75 |   root_block_device {
76 |     volume_type = "gp2"
77 |     volume_size = "50"
78 |   }
79 | 
80 |   tags = {
81 |     Name                                  = "${local.name}-user-cluster-${count.index}"
82 |     DoNotDelete                           = "true"
83 |     Owner                                 = "EIO_Demo"
84 |     "kubernetes.io/cluster/${local.name}" = "true"
85 |   }
86 |   lifecycle {
87 |     ignore_changes = [user_data]
88 |   }
89 | }
90 | 


--------------------------------------------------------------------------------
/user-cluster/iam.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_iam_instance_profile" "cloud_provider" {
  2 |   name_prefix = "${local.name}"
  3 |   role        = aws_iam_role.cloud_provider.name
  4 | 
  5 |   lifecycle {
  6 |     create_before_destroy = true
  7 |   }
  8 | }
  9 | 
 10 | resource "aws_iam_role" "cloud_provider" {
 11 |   name_prefix = "${local.name}"
 12 | 
 13 |   assume_role_policy = <<EOF
 14 | {
 15 |   "Version": "2012-10-17",
 16 |   "Statement": [
 17 |     {
 18 |       "Action": "sts:AssumeRole",
 19 |       "Principal": {
 20 |         "Service": "ec2.amazonaws.com"
 21 |       },
 22 |       "Effect": "Allow",
 23 |       "Sid": ""
 24 |     }
 25 |   ]
 26 | }
 27 | EOF
 28 | 
 29 | 
 30 |   lifecycle {
 31 |     create_before_destroy = true
 32 |   }
 33 | }
 34 | 
 35 | resource "aws_iam_role_policy" "cloud_provider" {
 36 |   name_prefix = "${local.name}"
 37 |   role        = aws_iam_role.cloud_provider.id
 38 | 
 39 |   policy = <<EOF
 40 | {
 41 |   "Version": "2012-10-17",
 42 |   "Statement": [
 43 |     {
 44 |       "Effect": "Allow",
 45 |       "Action": [
 46 |         "autoscaling:DescribeAutoScalingGroups",
 47 |         "autoscaling:DescribeLaunchConfigurations",
 48 |         "autoscaling:DescribeTags",
 49 |         "ec2:DescribeInstances",
 50 |         "ec2:DescribeRegions",
 51 |         "ec2:DescribeRouteTables",
 52 |         "ec2:DescribeSecurityGroups",
 53 |         "ec2:DescribeSubnets",
 54 |         "ec2:DescribeVolumes",
 55 |         "ec2:CreateSecurityGroup",
 56 |         "ec2:CreateTags",
 57 |         "ec2:CreateVolume",
 58 |         "ec2:ModifyInstanceAttribute",
 59 |         "ec2:ModifyVolume",
 60 |         "ec2:AttachVolume",
 61 |         "ec2:AuthorizeSecurityGroupIngress",
 62 |         "ec2:CreateRoute",
 63 |         "ec2:DeleteRoute",
 64 |         "ec2:DeleteSecurityGroup",
 65 |         "ec2:DeleteVolume",
 66 |         "ec2:DetachVolume",
 67 |         "ec2:RevokeSecurityGroupIngress",
 68 |         "ec2:DescribeVpcs",
 69 |         "elasticloadbalancing:AddTags",
 70 |         "elasticloadbalancing:AttachLoadBalancerToSubnets",
 71 |         "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 72 |         "elasticloadbalancing:CreateLoadBalancer",
 73 |         "elasticloadbalancing:CreateLoadBalancerPolicy",
 74 |         "elasticloadbalancing:CreateLoadBalancerListeners",
 75 |         "elasticloadbalancing:ConfigureHealthCheck",
 76 |         "elasticloadbalancing:DeleteLoadBalancer",
 77 |         "elasticloadbalancing:DeleteLoadBalancerListeners",
 78 |         "elasticloadbalancing:DescribeLoadBalancers",
 79 |         "elasticloadbalancing:DescribeLoadBalancerAttributes",
 80 |         "elasticloadbalancing:DetachLoadBalancerFromSubnets",
 81 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
 82 |         "elasticloadbalancing:ModifyLoadBalancerAttributes",
 83 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
 84 |         "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
 85 |         "elasticloadbalancing:AddTags",
 86 |         "elasticloadbalancing:CreateListener",
 87 |         "elasticloadbalancing:CreateTargetGroup",
 88 |         "elasticloadbalancing:DeleteListener",
 89 |         "elasticloadbalancing:DeleteTargetGroup",
 90 |         "elasticloadbalancing:DescribeListeners",
 91 |         "elasticloadbalancing:DescribeLoadBalancerPolicies",
 92 |         "elasticloadbalancing:DescribeTargetGroups",
 93 |         "elasticloadbalancing:DescribeTargetHealth",
 94 |         "elasticloadbalancing:ModifyListener",
 95 |         "elasticloadbalancing:ModifyTargetGroup",
 96 |         "elasticloadbalancing:RegisterTargets",
 97 |         "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
 98 |         "iam:CreateServiceLinkedRole",
 99 |         "kms:DescribeKey"
100 |       ],
101 |       "Resource": [
102 |         "*"
103 |       ],
104 |       "Condition": {
105 |          "StringEquals": {
106 |             "aws:RequestedRegion": "us-west-2"
107 |          }
108 |       }
109 |     }
110 |   ]
111 | }
112 | EOF
113 | 
114 | }
115 | 


--------------------------------------------------------------------------------
/charts/rio/0.0.1/templates/cluster-role.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | apiVersion: rbac.authorization.k8s.io/v1
  3 | kind: ClusterRole
  4 | metadata:
  5 |   name: rio-cluster-admin
  6 | rules:
  7 | - apiGroups:
  8 |   - ""
  9 |   resources:
 10 |   - '*'
 11 |   verbs:
 12 |   - '*'
 13 | - nonResourceURLs:
 14 |   - '*'
 15 |   verbs:
 16 |   - '*'
 17 | - apiGroups:
 18 |   - apiregistration.k8s.io
 19 |   resources:
 20 |   - apiservices
 21 |   verbs:
 22 |   - '*'
 23 | - apiGroups:
 24 |   - admissionregistration.k8s.io
 25 |   resources:
 26 |   - mutatingwebhookconfigurations
 27 |   - validatingwebhookconfigurations
 28 |   verbs:
 29 |   - '*'
 30 | - apiGroups:
 31 |   - extensions
 32 |   - apps
 33 |   resources:
 34 |   - replicasets
 35 |   - deployments
 36 |   - daemonsets
 37 |   verbs:
 38 |   - '*'
 39 | - apiGroups:
 40 |   - autoscale.rio.cattle.io
 41 |   resources:
 42 |   - '*'
 43 |   verbs:
 44 |   - '*'
 45 | - apiGroups:
 46 |   - build.knative.dev
 47 |   - caching.internal.knative.dev
 48 |   resources:
 49 |   - '*'
 50 |   verbs:
 51 |   - '*'
 52 | - apiGroups:
 53 |   - certmanager.k8s.io
 54 |   resources:
 55 |   - '*'
 56 |   verbs:
 57 |   - '*'
 58 | - apiGroups:
 59 |   - networking.k8s.io
 60 |   resources:
 61 |   - ingresses
 62 |   - ingresses/status
 63 |   verbs:
 64 |   - '*'
 65 | - apiGroups:
 66 |   - batch
 67 |   resources:
 68 |   - '*'
 69 |   verbs:
 70 |   - '*'
 71 | - apiGroups:
 72 |   - autoscaling
 73 |   resources:
 74 |   - '*'
 75 |   verbs:
 76 |   - '*'
 77 | - apiGroups:
 78 |   - rbac.authorization.k8s.io
 79 |   resources:
 80 |   - '*'
 81 |   verbs:
 82 |   - '*'
 83 | - apiGroups:
 84 |   - admin.rio.cattle.io
 85 |   resources:
 86 |   - '*'
 87 |   verbs:
 88 |   - '*'
 89 | - apiGroups:
 90 |   - rio.cattle.io
 91 |   resources:
 92 |   - '*'
 93 |   verbs:
 94 |   - '*'
 95 | - apiGroups:
 96 |   - gitwatcher.cattle.io
 97 |   resources:
 98 |   - '*'
 99 |   verbs:
100 |   - '*'
101 | - apiGroups:
102 |   - linkerd.io
103 |   resources:
104 |   - serviceprofiles
105 |   verbs:
106 |   - '*'
107 | - apiGroups:
108 |   - apiextensions.k8s.io
109 |   resources:
110 |   - customresourcedefinitions
111 |   verbs:
112 |   - '*'
113 | - apiGroups:
114 |   - authentication.istio.io
115 |   resources:
116 |   - '*'
117 |   verbs:
118 |   - '*'
119 | - apiGroups:
120 |   - networking.istio.io
121 |   resources:
122 |   - '*'
123 |   verbs:
124 |   - '*'
125 | - apiGroups:
126 |   - config.istio.io
127 |   resources:
128 |   - '*'
129 |   verbs:
130 |   - '*'
131 | - apiGroups:
132 |   - policy
133 |   resources:
134 |   - podsecuritypolicies
135 |   verbs:
136 |   - '*'
137 | - apiGroups:
138 |   - rbac.istio.io
139 |   resources:
140 |   - '*'
141 |   verbs:
142 |   - get
143 |   - watch
144 |   - list
145 | - apiGroups:
146 |   - autoscaling.internal.knative.dev
147 |   resources:
148 |   - '*'
149 |   verbs:
150 |   - '*'
151 | - apiGroups:
152 |   - split.smi-spec.io
153 |   resources:
154 |   - trafficsplits
155 |   verbs:
156 |   - '*'
157 | - apiGroups:
158 |   - serving.knative.dev
159 |   - autoscaling.internal.knative.dev
160 |   - networking.internal.knative.dev
161 |   resources:
162 |   - '*'
163 |   - '*/status'
164 |   - '*/finalizers'
165 |   verbs:
166 |   - get
167 |   - list
168 |   - create
169 |   - update
170 |   - delete
171 |   - deletecollection
172 |   - patch
173 |   - watch
174 | - apiGroups:
175 |   - tekton.dev
176 |   resources:
177 |   - tasks
178 |   - clustertasks
179 |   - taskruns
180 |   - pipelines
181 |   - pipelineruns
182 |   - pipelineresources
183 |   verbs:
184 |   - get
185 |   - list
186 |   - create
187 |   - update
188 |   - delete
189 |   - patch
190 |   - watch
191 | - apiGroups:
192 |   - tekton.dev
193 |   resources:
194 |   - taskruns/finalizers
195 |   - pipelineruns/finalizers
196 |   verbs:
197 |   - get
198 |   - list
199 |   - create
200 |   - update
201 |   - delete
202 |   - patch
203 |   - watch
204 | - apiGroups:
205 |   - tekton.dev
206 |   resources:
207 |   - tasks/status
208 |   - clustertasks/status
209 |   - taskruns/status
210 |   - pipelines/status
211 |   - pipelineruns/status
212 |   - pipelineresources/status
213 |   verbs:
214 |   - get
215 |   - list
216 |   - create
217 |   - update
218 |   - delete
219 |   - patch
220 |   - watch
221 | - apiGroups:
222 |   - policy
223 |   resourceNames:
224 |   - tekton-pipelines
225 |   resources:
226 |   - podsecuritypolicies
227 |   verbs:
228 |   - use
229 | 


--------------------------------------------------------------------------------