From c3fbbb7f9cbb964e34c866ab52495f9cdbeeff1e Mon Sep 17 00:00:00 2001 From: "Masih H. Derkani" Date: Fri, 24 Jun 2022 16:41:52 +0100 Subject: [PATCH] Onboard `index-provider` as a tenant of `dev` cluster * Create a KMS key to encrypt index-provider application secrets. * Create an ECR repository to which containers will be published. * Authorize GitHub actions to accept ECR publication from index-provider repo. * Create a namespace and set up Flux CD pipeline for the index-provider. Relates to: - https://github.com/filecoin-project/index-provider/issues/246 --- deploy/infrastructure/common/ecr.tf | 1 + .../infrastructure/common/github_actions.tf | 1 + deploy/infrastructure/dev/us-east-2/eks.tf | 2 +- .../dev/us-east-2/index-provider.tf | 71 +++++++++++++++ deploy/infrastructure/dev/us-east-2/kms.tf | 2 +- .../infrastructure/dev/us-east-2/outputs.tf | 4 + .../cluster/index-provider/.sops.yaml | 6 ++ .../cluster/index-provider/flux-cd.yaml | 91 +++++++++++++++++++ .../cluster/index-provider/flux-rbac.yaml | 26 ++++++ .../cluster/index-provider/github-auth.yaml | 24 +++++ .../cluster/index-provider/kustomization.yaml | 13 +++ .../cluster/index-provider/namespace.yaml | 5 + .../dev/us-east-2/cluster/kustomization.yaml | 1 + 13 files changed, 245 insertions(+), 2 deletions(-) create mode 100644 deploy/infrastructure/dev/us-east-2/index-provider.tf create mode 100644 deploy/manifests/dev/us-east-2/cluster/index-provider/.sops.yaml create mode 100644 deploy/manifests/dev/us-east-2/cluster/index-provider/flux-cd.yaml create mode 100644 deploy/manifests/dev/us-east-2/cluster/index-provider/flux-rbac.yaml create mode 100644 deploy/manifests/dev/us-east-2/cluster/index-provider/github-auth.yaml create mode 100644 deploy/manifests/dev/us-east-2/cluster/index-provider/kustomization.yaml create mode 100644 deploy/manifests/dev/us-east-2/cluster/index-provider/namespace.yaml 
diff --git a/deploy/infrastructure/common/ecr.tf b/deploy/infrastructure/common/ecr.tf
index cabb0a4da..48722148e 100644
--- a/deploy/infrastructure/common/ecr.tf
+++ b/deploy/infrastructure/common/ecr.tf
@@ -5,6 +5,7 @@ module "ecr_ue2" {
 "storetheindex/storetheindex",
 "index-observer/index-observer",
 "autoretrieve/autoretrieve",
+ "index-provider/index-provider",
 ]
 tags = local.tags
 }
diff --git a/deploy/infrastructure/common/github_actions.tf b/deploy/infrastructure/common/github_actions.tf
index 660604cf0..6a779a780 100644
--- a/deploy/infrastructure/common/github_actions.tf
+++ b/deploy/infrastructure/common/github_actions.tf
@@ -49,6 +49,7 @@ module "github_actions_role" {
 oidc_subjects_with_wildcards = [
 "repo:filecoin-project/storetheindex:*",
+ "repo:filecoin-project/index-provider:*",
 "repo:filecoin-shipyard/index-observer:*",
 "repo:application-research/autoretrieve:*"
 ]
diff --git a/deploy/infrastructure/dev/us-east-2/eks.tf b/deploy/infrastructure/dev/us-east-2/eks.tf
index 092503693..864c8c561 100644
--- a/deploy/infrastructure/dev/us-east-2/eks.tf
+++ b/deploy/infrastructure/dev/us-east-2/eks.tf
@@ -38,7 +38,7 @@ module "eks" {
 max_size = 3
 desired_size = 3
 instance_types = ["r5b.xlarge"]
- taints = {
+ taints = {
 dedicated = {
 key = "dedicated"
 value = "r5b"
diff --git a/deploy/infrastructure/dev/us-east-2/index-provider.tf b/deploy/infrastructure/dev/us-east-2/index-provider.tf
new file mode 100644
index 000000000..3f23c4de2
--- /dev/null
+++ b/deploy/infrastructure/dev/us-east-2/index-provider.tf
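Review bot: The new subject `repo:filecoin-project/index-provider:*` lets a workflow running on any ref of that repository assume the ECR publishing role, which covers feature branches as well as pull-request-triggered runs (their subject is `repo:<owner>/<repo>:pull_request`); the existing entries in `oidc_subjects_with_wildcards` have the same shape, so this is consistent, but it is worth deciding whether pushes to `index-provider/index-provider` should only come from the branch that releases. A narrower claim such as `repo:filecoin-project/index-provider:ref:refs/heads/main` (or an `environment:` claim) ties the role to that branch; if the module only takes wildcarded subjects here, its exact-subject input, if it has one, is the place for it. The enclosing `module "github_actions_role"` block starts and ends outside the hunk.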
@@ -0,0 +1,71 @@
+resource "aws_kms_alias" "kms_index_provider" {
+ target_key_id = aws_kms_key.kms_index_provider.key_id
+ name = "alias${local.iam_path}index_provider"
+}
+
+resource "aws_kms_key" "kms_index_provider" {
+ description = "Key used to encrypt index_provider tenant secrets"
+ policy = data.aws_iam_policy_document.kms_index_provider.json
+ is_enabled = true
+
+ tags = local.tags
+}
+
+data "aws_iam_policy_document" "kms_index_provider" {
+ statement {
+ sid = "Enable IAM User Permissions"
+
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::407967248065:root"]
+ }
+
+ actions = ["kms:*"]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "Allow access for Devs via sops"
+
+ principals {
+ type = "AWS"
+
+ identifiers = [
+ "arn:aws:iam::407967248065:user/masih",
+ "arn:aws:iam::407967248065:user/marco",
+ "arn:aws:iam::407967248065:user/gammazero",
+ "arn:aws:iam::407967248065:user/will.scott",
+ "arn:aws:iam::407967248065:user/kylehuntsman",
+ "arn:aws:iam::407967248065:user/steveFraser",
+ "arn:aws:iam::407967248065:user/cmharden",
+ ]
+ }
+
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+
+ resources = ["*"]
+ }
+
+
+ statement {
+ sid = "Allow Flux to decrypt"
+
+ principals {
+ type = "AWS"
+
+ identifiers = [
+ module.kustomize_controller_role.iam_role_arn
+ ]
+ }
+ actions = [
+ "kms:Decrypt",
+ "kms:DescribeKey",
+ ]
+ }
+}
diff --git a/deploy/infrastructure/dev/us-east-2/kms.tf b/deploy/infrastructure/dev/us-east-2/kms.tf
index e4c1c356f..1ec891565 100644
--- a/deploy/infrastructure/dev/us-east-2/kms.tf
+++ b/deploy/infrastructure/dev/us-east-2/kms.tf
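Review bot: The `Allow Flux to decrypt` statement has no `resources` block, unlike the two statements above it that set `resources = ["*"]`; a KMS key policy statement is expected to carry a Resource element, and AWS rejects the policy document as malformed without one, so add `resources = ["*"]` after that statement's `actions` list (the kms.tf change grants the identity-side permission, but the key policy still has to be valid for the controller to decrypt). Separately, `aws_kms_key` leaves rotation off unless asked; if this key is meant to live as long as the tenant, `enable_key_rotation = true` next to `is_enabled = true` is cheap and matches the usual CMK baseline. The dev statement hard-codes seven user ARNs, which presumably mirrors the other tenant keys; since key policies cannot name IAM groups, a single role principal that devs assume would keep this document from changing with every staffing change.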
@@ -79,7 +79,7 @@ data "aws_iam_policy_document" "kust_ctrlr" {
 "kms:DescribeKey",
 ]
- resources = [aws_kms_key.kms_sti.arn, aws_kms_key.kms_cluster.arn, aws_kms_key.kms_autoretrieve.arn]
+ resources = [aws_kms_key.kms_sti.arn, aws_kms_key.kms_cluster.arn, aws_kms_key.kms_autoretrieve.arn, aws_kms_key.kms_index_provider.arn]
 }
 }
diff --git a/deploy/infrastructure/dev/us-east-2/outputs.tf b/deploy/infrastructure/dev/us-east-2/outputs.tf
index c896751cf..220a6cb51 100644
--- a/deploy/infrastructure/dev/us-east-2/outputs.tf
+++ b/deploy/infrastructure/dev/us-east-2/outputs.tf
@@ -10,6 +10,10 @@ output "kms_autoretrieve_alias_arn" {
 value = aws_kms_alias.kms_autoretrieve.arn
 }
 
+output "kms_index_provider_alias_arn" {
+ value = aws_kms_alias.kms_index_provider.arn
+}
+
 output "kustomize_controller_role_arn" {
 value = module.kustomize_controller_role.iam_role_arn
 }
diff --git a/deploy/manifests/dev/us-east-2/cluster/index-provider/.sops.yaml b/deploy/manifests/dev/us-east-2/cluster/index-provider/.sops.yaml
new file mode 100644
index 000000000..647e6f35f
--- /dev/null
+++ b/deploy/manifests/dev/us-east-2/cluster/index-provider/.sops.yaml
@@ -0,0 +1,6 @@
+creation_rules:
+ - path_regex: '.+\.env'
+ kms: 'arn:aws:kms:us-east-2:407967248065:alias/dev/us-east-2/cluster'
+ - path_regex: '.+\.y(a)?ml'
+ encrypted_regex: '^(data|stringData)$'
+ kms: 'arn:aws:kms:us-east-2:407967248065:alias/dev/us-east-2/cluster'
diff --git a/deploy/manifests/dev/us-east-2/cluster/index-provider/flux-cd.yaml b/deploy/manifests/dev/us-east-2/cluster/index-provider/flux-cd.yaml
new file mode 100644
index 000000000..830ff4822
--- /dev/null
+++ b/deploy/manifests/dev/us-east-2/cluster/index-provider/flux-cd.yaml
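Review bot: Both `creation_rules` in the new .sops.yaml point at the shared `alias/dev/us-east-2/cluster` key rather than the tenant key this commit creates (`alias${local.iam_path}index_provider` in index-provider.tf), so anything encrypted under this directory — currently the GitHub credential in github-auth.yaml — is readable by every principal the shared cluster key trusts, not only the index-provider dev list. If that is the intended split (cluster-side tenant plumbing on the shared key, application secrets on the tenant key via the new `kms_index_provider_alias_arn` output), a one-line comment at the top of the file saying so would save the next reader the same question: `# cluster-side secrets use the shared cluster key; application secrets in the index-provider repo use the index_provider key (see kms_index_provider_alias_arn).` If it is not intended, the `kms:` on both rules should be the tenant key's alias ARN.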
@@ -0,0 +1,91 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: GitRepository
+metadata:
+ name: index-provider
+spec:
+ interval: 5m
+ url: https://github.com/filecoin-project/index-provider.git
+ ref:
+ branch: main
+ secretRef:
+ name: github-auth
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: index-provider
+spec:
+ serviceAccountName: flux
+ decryption:
+ provider: sops
+ interval: 5m
+ path: "./deploy/manifests/dev/us-east-2"
+ sourceRef:
+ kind: GitRepository
+ name: index-provider
+ prune: true
+
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageRepository
+metadata:
+ name: index-provider
+spec:
+ interval: 5m
+ image: 407967248065.dkr.ecr.us-east-2.amazonaws.com/index-provider/index-provider
+
+---
+apiVersion: image.toolkit.fluxcd.io/v1alpha1
+kind: ImagePolicy
+metadata:
+ name: index-provider
+spec:
+ filterTags:
+ pattern: '^(?P\d+)-.+$'
+ extract: '$timestamp'
+ policy:
+ numerical:
+ order: asc
+ imageRepositoryRef:
+ name: index-provider
+
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageUpdateAutomation
+metadata:
+ name: index-provider
+spec:
+ interval: 5m
+ sourceRef:
+ kind: GitRepository
+ name: index-provider
+ git:
+ checkout:
+ ref:
+ branch: main
+ commit:
+ author:
+ name: sti-bot
+ email: sti-bot@protocol.ai
+ messageTemplate: |
+ Update {{ .AutomationObject.Namespace }}/{{ .AutomationObject.Name }} in `dev` environment
+
+ Files:
+ {{ range $filename, $_ := .Updated.Files -}}
+ - {{ $filename }}
+ {{ end -}}
+
+ Objects:
+ {{ range $resource, $_ := .Updated.Objects -}}
+ - {{ $resource.Kind }} {{ $resource.Name }}
+ {{ end -}}
+
+ Images:
+ {{ range .Updated.Images -}}
+ - {{.}}
+ {{ end -}}
+ push:
+ branch: 'cd/dev'
+ update:
+ strategy: Setters
+ path: "./deploy/manifests/dev/us-east-2"
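Review bot: As rendered, the ImagePolicy `pattern: '^(?P\d+)-.+$'` contains no named capture group, yet `extract: '$timestamp'` refers to one; `(?P\d+)` is not valid RE2, so the policy would fail to compile and never select a tag. This looks like the group name `<timestamp>` was dropped in rendering (`^(?P<timestamp>\d+)-.+$`), so please confirm the committed file still carries it. Separately, ImagePolicy is declared as `image.toolkit.fluxcd.io/v1alpha1` while ImageRepository and ImageUpdateAutomation in the same file use `v1beta1`; ImagePolicy is served at `v1beta1` by current image-reflector-controller releases, so aligning on `apiVersion: image.toolkit.fluxcd.io/v1beta1` avoids depending on a deprecated alpha API. Note that the Kustomization applies `./deploy/manifests/dev/us-east-2` from the tenant repository's `main` with `prune: true` under the `flux` service account, so whatever that branch contains is what governs the namespace.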
diff --git a/deploy/manifests/dev/us-east-2/cluster/index-provider/flux-rbac.yaml b/deploy/manifests/dev/us-east-2/cluster/index-provider/flux-rbac.yaml
new file mode 100644
index 000000000..428aa9d74
--- /dev/null
+++ b/deploy/manifests/dev/us-east-2/cluster/index-provider/flux-rbac.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: flux
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: flux
+rules:
+ - apiGroups: [ '*' ]
+ resources: [ '*' ]
+ verbs: [ '*' ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: flux
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: flux
+subjects:
+ - kind: ServiceAccount
+ name: flux
+ namespace: index-provider
diff --git a/deploy/manifests/dev/us-east-2/cluster/index-provider/github-auth.yaml b/deploy/manifests/dev/us-east-2/cluster/index-provider/github-auth.yaml
new file mode 100644
index 000000000..49dedbca7
--- /dev/null
+++ b/deploy/manifests/dev/us-east-2/cluster/index-provider/github-auth.yaml
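Review bot: The `flux` Role grants `'*'` on every API group, resource and verb, which makes whatever the tenant repository's `main` branch contains (applied through the Kustomization in flux-cd.yaml) namespace-admin for `index-provider`, including creating further Roles and RoleBindings and reading every Secret in the namespace. A Role cannot grant anything outside its namespace, so the blast radius is bounded, but if the tenant only deploys workloads, Services and ConfigMaps, a rule listing those kinds would be the least-privilege shape; at minimum a comment on the Role recording that the wildcard is deliberate for tenant self-service (`# tenant admin: index-provider owns everything in its namespace; cross-namespace access is not granted`) keeps the decision from looking accidental. The RoleBinding subject repeats `namespace: index-provider` although kustomization.yaml sets `namespace:`; that is harmless and keeps the file meaningful on its own.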
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: github-auth
+ namespace: index-provider
+type: Opaque
+stringData:
+ username: ENC[AES256_GCM,data:ksmDR6jmsw==,iv:OmjzLpU++L1vsuraWh84wzj0pIKgHS9LsgHOF6ijwtQ=,tag:/mFjfeygxlgN/82APndG9Q==,type:str]
+ password: ENC[AES256_GCM,data:Tobrq901GrlW2nMsgA3XpofF48+SYV4IBg1lyqCn6+bv7F6npyg/xA==,iv:ikKjumEXc5xkK6E6DAfO2pi1LcAwnNZAT27mou6Ysh4=,tag:QKh2xKqwLeB0daHV+EK88w==,type:str]
+sops:
+ kms:
+ - arn: arn:aws:kms:us-east-2:407967248065:alias/dev/us-east-2/cluster
+ created_at: "2022-06-24T15:36:27Z"
+ enc: AQICAHjPLKH8p/5QB+TsPnURNgsbMMOlVWn14S9WvEpahS2p4wEy4eYH3r9Xm26EGTu/Q95uAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMH6pJH61KX4EC35ECAgEQgDutf0FfoDdajEl46V/VyF7y2q14sdgTJQdjmzKl8oNxKv1uA/zMG4xf1hoB816uAFSj1EuIlNYeCuEh6Q==
+ aws_profile: ""
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2022-06-24T15:36:28Z"
+ mac: ENC[AES256_GCM,data:5y14En7OrfMhEc08dwzJYBv/5AFoGFgdmQFtTUgxscbcFvoRr2k3w0h26UKXDPZzZEqkX194B4KJIyrtTf4hDllTWHMwR6yc9+DBnucngX2xiU4dxhcQIV/FZu+Vk78INGIXbpEr9RkSEoSMAgtgeVWpSS/qRLzjpOWYxGzs4mc=,iv:A5NOhbr1GLyT2K9FnKV4xXwGn1XRXsMf1kelJ2VjXq0=,tag:mNiuN6u2Ux6+YETiI0MYTA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.2
diff --git a/deploy/manifests/dev/us-east-2/cluster/index-provider/kustomization.yaml b/deploy/manifests/dev/us-east-2/cluster/index-provider/kustomization.yaml
new file mode 100644
index 000000000..b8dc0ebfd
--- /dev/null
+++ b/deploy/manifests/dev/us-east-2/cluster/index-provider/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: index-provider
+
+commonLabels:
+ toolkit.fluxcd.io/tenant: index-provider
+
+resources:
+ - namespace.yaml
+ - flux-cd.yaml
+ - flux-rbac.yaml
+ - github-auth.yaml
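Review bot: This Secret is used both by the GitRepository clone (`secretRef: github-auth`) and by the ImageUpdateAutomation push to `cd/dev` in flux-cd.yaml, so the `password` value has to carry write access to the index-provider repository, but nothing in the file says what kind of credential it is or how far it reaches. A comment above `stringData` naming the credential type and scope would tell the next person who rotates it what to mint, e.g. `# <credential type> for <account>, limited to filecoin-project/index-provider: read for clone, push to cd/dev`. Because `encrypted_regex` only covers `data|stringData`, `metadata` and the `sops` block stay in the clear, which is expected; `created_at`/`lastmodified` double as a rotation marker, so note the intended rotation interval in the same comment if there is one.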
diff --git a/deploy/manifests/dev/us-east-2/cluster/index-provider/namespace.yaml b/deploy/manifests/dev/us-east-2/cluster/index-provider/namespace.yaml
new file mode 100644
index 000000000..6ff533c47
--- /dev/null
+++ b/deploy/manifests/dev/us-east-2/cluster/index-provider/namespace.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+
+metadata:
+ name: index-provider
diff --git a/deploy/manifests/dev/us-east-2/cluster/kustomization.yaml b/deploy/manifests/dev/us-east-2/cluster/kustomization.yaml
index 055ef8b1a..a6f5a5b61 100644
--- a/deploy/manifests/dev/us-east-2/cluster/kustomization.yaml
+++ b/deploy/manifests/dev/us-east-2/cluster/kustomization.yaml
@@ -14,3 +14,4 @@ resources:
 - promtail
 - index-observer
 - autoretrieve
+ - index-provider