diff --git a/infra/terraform/.gitignore b/infra/terraform/.gitignore index 2e5cea7..6d8887a 100644 --- a/infra/terraform/.gitignore +++ b/infra/terraform/.gitignore @@ -1,5 +1,6 @@ .env -.terraform/ -.terraform.lock.hcl -terraform.tfstate -terraform.tfstate.backup +**/.env +**/.terraform/ +**/.terraform.lock.hcl +**/terraform.tfstate +**/terraform.tfstate.backup diff --git a/infra/terraform/README.md b/infra/terraform/README.md index 3509de2..c11501a 100644 --- a/infra/terraform/README.md +++ b/infra/terraform/README.md @@ -35,3 +35,5 @@ tofu init tofu plan tofu apply ``` + +## Kubernetes and Helm diff --git a/infra/terraform/kubernetes/backend.tf b/infra/terraform/kubernetes/backend.tf new file mode 100644 index 0000000..dbe613a --- /dev/null +++ b/infra/terraform/kubernetes/backend.tf @@ -0,0 +1,14 @@ +terraform { + backend "s3" { + bucket = "terraform-state" # Name of the MinIO bucket + key = "proxmox/terraform.tfstate" # Path to the state file in the bucket + endpoint = var.minio_endpoint # MinIO API endpoint + access_key = var.minio_access_key # MinIO access key + secret_key = var.minio_secret_key # MinIO secret key + region = "us-east-1" # Arbitrary region (MinIO ignores this) + skip_credentials_validation = true # Skip AWS-specific credential checks + skip_metadata_api_check = true # Skip AWS metadata API checks + skip_region_validation = true # Skip AWS region validation + use_path_style = true # Use path-style URLs[](http:///) + } +} \ No newline at end of file diff --git a/infra/terraform/kubernetes/main.tf b/infra/terraform/kubernetes/main.tf new file mode 100644 index 0000000..6e889a2 --- /dev/null +++ b/infra/terraform/kubernetes/main.tf @@ -0,0 +1,22 @@ +terraform { + required_providers { + kubernetes = { + source = "hashicorp/kubernetes" + version = "2.37.1" + } + helm = { + source = "hashicorp/helm" + version = "3.0.2" + } + } +} + +provider "kubernetes" { + config_path = "~/.kube/config" +} + +provider "helm" { + kubernetes { + config_path = "~/.kube/config" + } +} \ No newline at end of file diff --git a/infra/terraform/kubernetes/portfolio.tf b/infra/terraform/kubernetes/portfolio.tf new file mode 100644 index 0000000..42a8d2d --- /dev/null +++ b/infra/terraform/kubernetes/portfolio.tf @@ -0,0 +1,50 @@ +resource "kubernetes_namespace" "portfolio" { + metadata { + name = "my-portfolio" + } +} + +resource "kubernetes_secret" "docker_secret" { + metadata { + name = "docker-registry-credentials" + namespace = "my-portfolio" + } + + type = "kubernetes.io/dockerconfigjson" + + data = { + ".dockerconfigjson" = jsonencode({ + auths = { + "${var.docker_registry_host}" = { + username = var.docker_username + password = var.docker_password + auth = base64encode("${var.docker_username}:${var.docker_password}") + } + } + }) + } + + depends_on = [kubernetes_namespace.portfolio] +} + +locals { + # Read and process the YAML file with placeholders + manifest_content = templatefile("../../../kubernetes/my-portfolio/portfolioManifest.yaml", { + PORTFOLIO_HOST = var.portfolio_host + DOCKER_REGISTRY_HOST = var.docker_registry_host + }) + # Split into individual documents + manifest_documents = split("---", replace(local.manifest_content, "/\\n\\s*\\n/", "---")) +} + +resource "kubernetes_manifest" "portfolio_manifest" { + for_each = { for i, doc in local.manifest_documents : i => doc if trimspace(doc) != "" } + + manifest = yamldecode(each.value) + + field_manager { + force_conflicts = true + } + + depends_on = [kubernetes_namespace.portfolio] +} \ No newline at end of file diff --git a/infra/terraform/kubernetes/variables.tf b/infra/terraform/kubernetes/variables.tf new file mode 100644 index 0000000..d1b65ec --- /dev/null +++ b/infra/terraform/kubernetes/variables.tf @@ -0,0 +1,35 @@ +# variables for minio backend configuration +variable "minio_access_key" { + description = "MinIO access key" + type = string +} + +variable "minio_secret_key" { + description = "MinIO secret key" + type = string +} + +variable "minio_endpoint" { + description = "MinIO API endpoint" + type = string +} + +variable "portfolio_host" { + description = "Host for the portfolio application" + type = string +} + +variable "docker_registry_host" { + description = "Host for the Docker registry" + type = string +} + +variable "docker_username" { + description = "Docker registry username" + type = string +} + +variable "docker_password" { + description = "Docker registry password" + type = string +} \ No newline at end of file diff --git a/kubernetes/README.md b/kubernetes/README.md index d940938..aa6caaf 100644 --- a/kubernetes/README.md +++ b/kubernetes/README.md @@ -213,7 +213,7 @@ registry. kubectl create namespace my-portfolio source .env -kubectl create secret docker-registry my-registry-secret \ +kubectl create secret docker-registry docker-registry-credentials \ --docker-server="$DOCKER_REGISTRY_HOST" \ --docker-username="$DOCKER_USER" \ --docker-password="$DOCKER_PASSWORD" \ @@ -611,9 +611,10 @@ envsubst < gitea/configMap.yaml | kubectl apply -n gitea -f - helm upgrade --install gitea gitea-charts/gitea -f gitea/values.yaml \ --namespace gitea \ + --version 10.0.0 \ --atomic \ --set ingress.hosts[0].host=$GITEA_HOST \ - --set ingress.tls[0].hosts[0]=$DNSNAME \ + --set ingress.tls[0].hosts[0]=$GITEA_HOST \ --set gitea.admin.username=$GITEA_USER \ --set gitea.admin.password=$GITEA_PASSWORD \ --set gitea.admin.email=$GITEA_EMAIL \ diff --git a/kubernetes/gitea/values.yaml b/kubernetes/gitea/values.yaml index de3df8b..0ced4eb 100644 --- a/kubernetes/gitea/values.yaml +++ b/kubernetes/gitea/values.yaml @@ -15,6 +15,7 @@ gitea: email: email image: + registry: ghcr.io repository: gitea tag: 1.23.7 @@ -45,13 +46,17 @@ resources: ingress: enabled: true + annotations: + kubernetes.io/ingress.class: traefik + traefik.ingress.kubernetes.io/router.entrypoints: websecure + cert-manager.io/cluster-issuer: "acme-issuer" hosts: - host: git.example.com paths: - path: / pathType: Prefix tls: - - secretName: wildcard-cert-secret + - secretName: gitea-tls-cert hosts: - "*.example.com" diff --git a/kubernetes/my-portfolio/portfolioManifest.yaml b/kubernetes/my-portfolio/portfolioManifest.yaml index f322fcf..cabada6 100644 --- a/kubernetes/my-portfolio/portfolioManifest.yaml +++ b/kubernetes/my-portfolio/portfolioManifest.yaml @@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: portfolio-app + namespace: my-portfolio labels: app: portfolio-app spec: @@ -15,7 +16,7 @@ spec: app: portfolio-app spec: imagePullSecrets: - - name: my-registry-secret + - name: docker-registry-credentials containers: - name: portfolio-app image: "${DOCKER_REGISTRY_HOST}/taqi/portfolio/my-portfolio-app:latest" @@ -29,6 +30,7 @@ apiVersion: v1 kind: Service metadata: name: portfolio-app-svc + namespace: my-portfolio spec: type: ClusterIP ports: @@ -42,6 +44,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: portfolio + namespace: my-portfolio annotations: traefik.ingress.kubernetes.io/router.entrypoints: websecure cert-manager.io/cluster-issuer: "acme-issuer"