Merge pull request #1 from AymenSegni/develop

Develop

Author: AymenSegni

README.md

@@ -1,3 +1,64 @@
 # deploy-linkerd-terraform-helm
+
 Deploy Linkerd2 using Terraform Helm Provider. 
-Linkerd: Ultra light, ultra simple, ultra powerful. Linkerd adds security, observability, and reliability to Kubernetes, without the complexity. CNCF-hosted and 100% open source.
+Linkerd: Ultra light, ultra simple and ultra powerfu service mesh
+Linkerd adds security, observability, and reliability to Kubernetes, without the complexity. CNCF-hosted and 100% open source.
+
+## Terraform Linkerd Module
+
+This module handles Linkerd creation and configuration HA mode and Trusted Anhcor Certificate.
+The resources creation that this module will create/trigger are:
+- Create a Linkerd control plan with the provided addons
+- Setting High-Availability on demande for production cluster using a file values-ha.yaml that overrides some default values as to set things up under a high-availability scenario, analogous to the `--ha` option in linkerd install. Values such as higher number of replicas, higher memory/cpu limits and affinities are specified in that file.
+- Create trusted Anchor identity  certificate using the ECDSA P-256 algorithm
+
+## Compatibility
+
+This module is meant for use with Terraform 0.12. If you haven't
+[upgraded][terraform-0.12-upgrade] and need a Terraform
+0.11.x-compatible version of this module, the last released version
+intended for Terraform 0.11.x is [3.0.0].
+
+## Usage
+
+There are multiple usage examples but simple usage is as follows:
+
+```hcl
+
+# kubernetes and Helm provider must be explicitly specified like the following.
+
+// aks cluster
+
+data "azurerm_kubernetes_cluster" "dev_aks_cluster" {
+  name                = "dev"
+  resource_group_name = "aks_dev_resource_group"
+}
+
+// Helm provider 
+
+provider "helm" {
+  kubernetes {
+    host                   = data.azurerm_kubernetes_cluster.dev_aks_cluster.kube_admin_config.0.host
+    client_certificate     = base64decode(data.azurerm_kubernetes_cluster.dev_aks_cluster.kube_admin_config.0.client_certificate)
+    client_key             = base64decode(data.azurerm_kubernetes_cluster.dev_aks_cluster.kube_admin_config.0.client_key)
+    cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.dev_aks_cluster.kube_admin_config.0.cluster_ca_certificate)
+  }
+  alias = "aks-dev"
+}
+
+// Deploy Linkerd on DEV cluster with disabling HA Mode
+
+module "dev_linkerd" {
+  source            = "AymenSegni/deploy-linkerd-terraform-hel"
+  enable_linkerd_ha = false 
+  providers = {
+    helm = helm.aks-dev
+  }
+}
+```
+Then perform the following commands on the root folder:
+
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

anchor-cert.tf

@@ -0,0 +1,54 @@
+// Create trusted Anchor Certificate
+
+resource "tls_private_key" "trustanchor_key" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}
+
+resource "tls_self_signed_cert" "trustanchor_cert" {
+  key_algorithm         = tls_private_key.trustanchor_key.algorithm
+  private_key_pem       = tls_private_key.trustanchor_key.private_key_pem
+  validity_period_hours = 87600
+  is_ca_certificate     = true
+
+  subject {
+    common_name = "identity.linkerd.cluster.local"
+  }
+
+  allowed_uses = [
+    "crl_signing",
+    "cert_signing",
+    "server_auth",
+    "client_auth"
+  ]
+}
+
+resource "tls_private_key" "issuer_key" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}
+
+resource "tls_cert_request" "issuer_req" {
+  key_algorithm   = tls_private_key.issuer_key.algorithm
+  private_key_pem = tls_private_key.issuer_key.private_key_pem
+
+  subject {
+    common_name = "identity.linkerd.cluster.local"
+  }
+}
+
+resource "tls_locally_signed_cert" "issuer_cert" {
+  cert_request_pem      = tls_cert_request.issuer_req.cert_request_pem
+  ca_key_algorithm      = tls_private_key.trustanchor_key.algorithm
+  ca_private_key_pem    = tls_private_key.trustanchor_key.private_key_pem
+  ca_cert_pem           = tls_self_signed_cert.trustanchor_cert.cert_pem
+  validity_period_hours = 8760
+  is_ca_certificate     = true
+
+  allowed_uses = [
+    "crl_signing",
+    "cert_signing",
+    "server_auth",
+    "client_auth"
+  ]
+}

install.tf

@@ -0,0 +1,58 @@
+// Enable HA Mode
+
+resource "helm_release" "linkerd_ha" {
+  count      = var.enable_linkerd_ha == true ? 1 : 0
+  name       = "linkerd"
+  repository = "https://helm.linkerd.io/stable"
+  chart      = "linkerd2"
+  values = [
+    file("${path.module}/values-ha.yaml")
+  ]
+  set_sensitive {
+    name  = "global.identityTrustAnchorsPEM"
+    value = tls_self_signed_cert.trustanchor_cert.cert_pem
+  }
+
+  set_sensitive {
+    name  = "identity.issuer.crtExpiry"
+    value = tls_locally_signed_cert.issuer_cert.validity_end_time
+  }
+
+  set_sensitive {
+    name  = "identity.issuer.tls.crtPEM"
+    value = tls_locally_signed_cert.issuer_cert.cert_pem
+  }
+
+  set_sensitive {
+    name  = "identity.issuer.tls.keyPEM"
+    value = tls_private_key.issuer_key.private_key_pem
+  }
+}
+
+// Disable HA Mode 
+
+resource "helm_release" "linkerd_dev" {
+  count      = var.enable_linkerd_ha == false ? 1 : 0
+  name       = "linkerd"
+  repository = "https://helm.linkerd.io/stable"
+  chart      = "linkerd2"
+  set_sensitive {
+    name  = "global.identityTrustAnchorsPEM"
+    value = tls_self_signed_cert.trustanchor_cert.cert_pem
+  }
+
+  set_sensitive {
+    name  = "identity.issuer.crtExpiry"
+    value = tls_locally_signed_cert.issuer_cert.validity_end_time
+  }
+
+  set_sensitive {
+    name  = "identity.issuer.tls.crtPEM"
+    value = tls_locally_signed_cert.issuer_cert.cert_pem
+  }
+
+  set_sensitive {
+    name  = "identity.issuer.tls.keyPEM"
+    value = tls_private_key.issuer_key.private_key_pem
+  }
+}

values-ha.yaml

@@ -0,0 +1,68 @@
+# This values.yaml file contains the values needed to enable HA mode.
+# Usage:
+#   helm install -f values.yaml -f values-ha.yaml
+
+enablePodAntiAffinity: true
+
+global:
+  # proxy configuration
+  proxy:
+    resources:
+      cpu:
+        limit: "1"
+        request: 100m
+      memory:
+        limit: 250Mi
+        request: 20Mi
+
+# controller configuration
+controllerReplicas: 3
+controllerResources: &controller_resources
+  cpu: &controller_resources_cpu
+    limit: "1"
+    request: 100m
+  memory:
+    limit: 250Mi
+    request: 50Mi
+destinationResources: *controller_resources
+publicAPIResources: *controller_resources
+
+# identity configuration
+identityResources:
+  cpu: *controller_resources_cpu
+  memory:
+    limit: 250Mi
+    request: 10Mi
+
+# grafana configuration
+grafana:
+  resources:
+    cpu: *controller_resources_cpu
+    memory:
+      limit: 1024Mi
+      request: 50Mi
+
+# heartbeat configuration
+heartbeatResources: *controller_resources
+
+# prometheus configuration
+prometheusResources:
+  cpu:
+    limit: "1"
+    request: 300m
+  memory:
+    limit: 4096Mi
+    request: 300Mi
+
+# proxy injector configuration
+proxyInjectorResources: *controller_resources
+webhookFailurePolicy: Fail
+
+# service profile validator configuration
+spValidatorResources: *controller_resources
+
+# tap configuration
+tapResources: *controller_resources
+
+# web configuration
+webResources: *controller_resources

variables.tf

@@ -0,0 +1,5 @@
+variable "enable_linkerd_ha" {
+  description = "Enable Linkerd HA Mode for production cluster if true"
+  type        = bool
+  default     = false
+}