From ddf908ce5862164f30d3cef3c2551085b08da87d Mon Sep 17 00:00:00 2001 
From: Adam Engebretson Date: Wed, 21 Oct 2020 14:30:15 -0500 Subject: [PATCH] Starting spin-kz bootstrap template --- .gitignore | 1 + .../spin-kz/.terraform-version | 1 + .../spin-kz/.truss-manifest.yaml | 22 +++++ bootstrap-templates/spin-kz/README.md | 23 +++++ bootstrap-templates/spin-kz/common.tf | 32 +++++++ bootstrap-templates/spin-kz/config.tf | 25 ++++++ .../edge/cmh/deployment/kustomization.yaml | 17 ++++ .../spin-kz/edge/cmh/kustomization.yaml | 24 +++++ bootstrap-templates/spin-kz/edge/cmh/main.tf | 27 ++++++ .../edge/cmh/postdeploy/kustomization.yaml | 17 ++++ .../edge/cmh/predeploy/kustomization.yaml | 17 ++++ .../kustomize/deployment/deployment.yaml | 65 ++++++++++++++ .../kustomize/deployment/kustomization.yaml | 2 + .../kustomize/horizontalPodAutoscaler.yaml | 44 +++++++++ .../kustomize/kustomization.yaml | 33 +++++++ .../kustomize/podDisruptionBudget.yaml | 10 +++ .../kustomize/postdeploy/job.yaml | 38 ++++++++ .../kustomize/postdeploy/kustomization.yaml | 2 + .../kustomize/predeploy/job.yaml | 38 ++++++++ .../kustomize/predeploy/kustomization.yaml | 2 + .../kustomize/service.yaml | 16 ++++ .../kustomize/virtualService.yaml | 17 ++++ .../providers.tf | 34 +++++++ .../spinnaker.tf | 89 +++++++++++++++++++ .../variables.tf | 23 +++++ .../prod/cmh/deployment/kustomization.yaml | 24 +++++ .../spin-kz/prod/cmh/kustomization.yaml | 24 +++++ bootstrap-templates/spin-kz/prod/cmh/main.tf | 27 ++++++ .../prod/cmh/postdeploy/kustomization.yaml | 17 ++++ .../prod/cmh/predeploy/kustomization.yaml | 17 ++++ .../prod/dub/deployment/kustomization.yaml | 24 +++++ .../spin-kz/prod/dub/kustomization.yaml | 24 +++++ bootstrap-templates/spin-kz/prod/dub/main.tf | 27 ++++++ .../prod/dub/postdeploy/kustomization.yaml | 17 ++++ .../prod/dub/predeploy/kustomization.yaml | 17 ++++ .../prod/syd/deployment/kustomization.yaml | 24 +++++ .../spin-kz/prod/syd/kustomization.yaml | 24 +++++ bootstrap-templates/spin-kz/prod/syd/main.tf | 27 ++++++ 
.../prod/syd/postdeploy/kustomization.yaml | 17 ++++ .../prod/syd/predeploy/kustomization.yaml | 17 ++++ .../staging/cmh/deployment/kustomization.yaml | 17 ++++ .../spin-kz/staging/cmh/kustomization.yaml | 24 +++++ .../spin-kz/staging/cmh/main.tf | 27 ++++++ .../staging/cmh/postdeploy/kustomization.yaml | 17 ++++ .../staging/cmh/predeploy/kustomization.yaml | 17 ++++ .../staging/dub/deployment/kustomization.yaml | 17 ++++ .../spin-kz/staging/dub/kustomization.yaml | 24 +++++ .../spin-kz/staging/dub/main.tf | 27 ++++++ .../staging/dub/postdeploy/kustomization.yaml | 17 ++++ .../staging/dub/predeploy/kustomization.yaml | 17 ++++ .../staging/syd/deployment/kustomization.yaml | 17 ++++ .../spin-kz/staging/syd/kustomization.yaml | 24 +++++ .../spin-kz/staging/syd/main.tf | 27 ++++++ .../staging/syd/postdeploy/kustomization.yaml | 17 ++++ .../staging/syd/predeploy/kustomization.yaml | 17 ++++ 55 files changed, 1252 insertions(+) create mode 100644 bootstrap-templates/spin-kz/.terraform-version create mode 100644 bootstrap-templates/spin-kz/.truss-manifest.yaml create mode 100644 bootstrap-templates/spin-kz/README.md create mode 100644 bootstrap-templates/spin-kz/common.tf create mode 100644 bootstrap-templates/spin-kz/config.tf create mode 100644 bootstrap-templates/spin-kz/edge/cmh/deployment/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/edge/cmh/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/edge/cmh/main.tf create mode 100644 bootstrap-templates/spin-kz/edge/cmh/postdeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/edge/cmh/predeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment/deployment.yaml create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role 
}}/kustomize/horizontalPodAutoscaler.yaml create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/podDisruptionBudget.yaml create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy/job.yaml create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy/job.yaml create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/service.yaml create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/virtualService.yaml create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/providers.tf create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/spinnaker.tf create mode 100644 bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/variables.tf create mode 100644 bootstrap-templates/spin-kz/prod/cmh/deployment/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/prod/cmh/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/prod/cmh/main.tf create mode 100644 bootstrap-templates/spin-kz/prod/cmh/postdeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/prod/cmh/predeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/prod/dub/deployment/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/prod/dub/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/prod/dub/main.tf create mode 100644 
bootstrap-templates/spin-kz/prod/dub/postdeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/prod/dub/predeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/prod/syd/deployment/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/prod/syd/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/prod/syd/main.tf create mode 100644 bootstrap-templates/spin-kz/prod/syd/postdeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/prod/syd/predeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/staging/cmh/deployment/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/staging/cmh/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/staging/cmh/main.tf create mode 100644 bootstrap-templates/spin-kz/staging/cmh/postdeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/staging/cmh/predeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/staging/dub/deployment/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/staging/dub/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/staging/dub/main.tf create mode 100644 bootstrap-templates/spin-kz/staging/dub/postdeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/staging/dub/predeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/staging/syd/deployment/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/staging/syd/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/staging/syd/main.tf create mode 100644 bootstrap-templates/spin-kz/staging/syd/postdeploy/kustomization.yaml create mode 100644 bootstrap-templates/spin-kz/staging/syd/predeploy/kustomization.yaml diff --git a/.gitignore b/.gitignore index 99049af..ec36006 100644 --- a/.gitignore +++ b/.gitignore @@ -29,3 +29,4 @@ secrets.yaml # vscode .vscode/ +.truss/ \ No newline at end of file 
diff --git a/bootstrap-templates/spin-kz/.terraform-version b/bootstrap-templates/spin-kz/.terraform-version new file mode 100644 index 0000000..a477b5a --- /dev/null +++ b/bootstrap-templates/spin-kz/.terraform-version @@ -0,0 +1 @@ +0.12.29 \ No newline at end of file diff --git a/bootstrap-templates/spin-kz/.truss-manifest.yaml b/bootstrap-templates/spin-kz/.truss-manifest.yaml new file mode 100644 index 0000000..7208fd2 --- /dev/null +++ b/bootstrap-templates/spin-kz/.truss-manifest.yaml @@ -0,0 +1,22 @@ +name: spin-kz +description: Deploy your application using Spinnaker and Kustomize +version: 0.1.0 +params: + - name: name + type: string + prompt: What's the name of your app? + - name: role + type: string + prompt: What's the role of your service? (i.e. api, web) + - name: httpPort + type: string + prompt: What is your app's HTTP port? + - name: githubRepo + type: string + prompt: Full https URL of your GitHub Repo + - name: image + type: string + prompt: What is the name of your Docker image? Don't include any tags + - name: smoketestImage + type: string + prompt: What is the name of your Smoketest Docker image? Don't include any tags \ No newline at end of file diff --git a/bootstrap-templates/spin-kz/README.md b/bootstrap-templates/spin-kz/README.md new file mode 100644 index 0000000..8c754ab --- /dev/null +++ b/bootstrap-templates/spin-kz/README.md 
@@ -0,0 +1,23 @@ +# Deploying {{ .Params.name }} + +This is how you deploy {{ .Params.name }} on Truss! Spinnaker pipelins are available at https://prod.spinnaker.bridgeops.sh/#/applications/{{ .Params.name }}/executions + +## Directory Structure + +- `{{ .TrussDir }}/` - Holds your tenant configuration and Spinnaker Application + - `/modules/{{ .Params.name }}-{{ .Params.role }}` - Holds the deployment configuration for a single instance of {{ .Params.name }} + - `/kustomize` - Kubernetes manifests for {{ .Params.name }}'s common infrastructure components + - `/deployment` - Base config for deployment + - `/postdeploy` - Base config for post-deploy job + - `/predeploy` - Base config for pre-deploy job + - `/{edge|staging|prod}/{cmh|dub|syd}/` - Holds deployment configuration for a given environment/region of {{ .Params.name }} + - `/kustomize` - Environment-specific infra overrides + - `/deployment` - Environment-speicifc deployment overrides + - `/postdeploy` - Environment-specific post-deploy overrides + - `/predeploy` - Environment-specific pre-deploy overrides + +## Runbook + +- Provision your tenant: `cd {{ .TrussDir }} && terraform init && terraform apply` +- Provision a given environment (i.e. edge-cmh): `cd {{ .TrussDir }}/edge/cmh && terraform init && terraform apply` +- Retrieve realtime logs (i.e. edge-cmh): `truss wrap -e cmh-edge -- kubectl -n {{ .Params.name }}-edge logs -c {{ .Params.name }}-{{ .Params.role }} deployment/{{ .Params.name }}-{{ .Params.role }}` \ No newline at end of file diff --git a/bootstrap-templates/spin-kz/common.tf b/bootstrap-templates/spin-kz/common.tf new file mode 100644 index 0000000..20aa943 --- /dev/null +++ b/bootstrap-templates/spin-kz/common.tf 
@@ -0,0 +1,32 @@ +module "truss-tenant" { + source = "git::ssh://git@github.com/instructure/truss//modules/truss-tenant" + name = "{{ .Params.name }}" + istio = true + apps = [{ + name = "{{ .Params.role }}" + vault = [{ + path = "secret/data/bridge/{env}/{region}/shared/*" + capabilities = ["read", "list"] + }, { + path = "secret/data/bridge/{env}/{region}/{{ .Params.name }}/*" + capabilities = ["read", "list"] + }] + }] + # iamStatements = [{ + # Effect = "Allow" + # Resource = ["arn:aws:s3:::*"] + # Action = ["s3:*"] + # }] +} + +resource "spinnaker_application" "application" { + name = "{{ .Params.name }}" + email = "bridge-eng@instructure.com" + instance_port = {{ .Params.httpPort }} + + permissions { + read = ["bridge-engineering-all"] + write = ["bridge-engineering-all"] + execute = ["bridge-engineering-all"] + } +} \ No newline at end of file diff --git a/bootstrap-templates/spin-kz/config.tf b/bootstrap-templates/spin-kz/config.tf new file mode 100644 index 0000000..5e16262 --- /dev/null +++ b/bootstrap-templates/spin-kz/config.tf @@ -0,0 +1,25 @@ +terraform { + backend "s3" { + bucket = "bridge-shared-terraform-us-east-2" + key = "{{ .Params.name }}/{{ .TrussDir }}/terraform.tfstate" + region = "us-east-2" + acl = "bucket-owner-full-control" + encrypt = true + role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin" + } +} + +provider "aws" { + region = "us-east-2" + allowed_account_ids = ["127178877223"] + + assume_role { + role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin" + } +} + +provider "spinnaker" { + address = "https://api-prod.spinnaker.bridgeops.sh" + cert_path = "~/.spin/shared-prod/spinnaker-client.crt" + key_path = "~/.spin/shared-prod/spinnaker-client.key" +} \ No newline at end of file diff --git a/bootstrap-templates/spin-kz/edge/cmh/deployment/kustomization.yaml b/bootstrap-templates/spin-kz/edge/cmh/deployment/kustomization.yaml new file mode 100644 index 0000000..9f8d392 --- /dev/null 
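Review bot: The `permissions` block of `spinnaker_application.application` hands `read`, `write` and `execute` to the same single group, `bridge-engineering-all`, so everyone in it can both edit and run this application's pipelines, including the prod pipelines this template also provisions, and the prod manual gate in spinnaker.tf is approved by that same group. If prod deploys are meant to be narrower, give `write`/`execute` a smaller group, or at least state the intent next to the block, e.g. `# team-wide read/write/execute; prod is guarded only by the manual gate in spinnaker.tf`. The `vault` policy also grants every tenant `read`/`list` on `secret/data/bridge/{env}/{region}/shared/*`; presumably intentional, but a one-line comment naming what is expected under `shared/` would stop tenants from assuming it is private.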
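Review bot: Both the S3 backend and the `aws` provider in config.tf assume `arn:aws:iam::127178877223:role/xacct/ops-admin`, so every application bootstrapped from this template runs its tenant Terraform with what its name suggests is an admin-level role, although the tenant only needs to manage its own namespace/Vault policy and its own state key. If a narrower role exists or can be added, use it for `role_arn` in both places and scope its state access to `{{ .Params.name }}/*`; the same pair is copied into every environment `main.tf` below, so fixing it here is the cheapest moment. Separately, the state `key` embeds `{{ .TrussDir }}`, so a later directory rename orphans the state; a comment like `# state key is tied to the directory name; migrate state before renaming` would save a surprise.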
+++ b/bootstrap-templates/spin-kz/edge/cmh/deployment/kustomization.yaml @@ -0,0 +1,17 @@ +namespace: "{{ .Params.name }}-edge" +bases: + - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment + +patchesStrategicMerge: + - |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: {{ .Params.name }}-{{ .Params.role }} + spec: + template: + metadata: + annotations: + vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-edge-{{ .Params.role }} + spec: + serviceAccountName: {{ .Params.name }}-edge-{{ .Params.role }} diff --git a/bootstrap-templates/spin-kz/edge/cmh/kustomization.yaml b/bootstrap-templates/spin-kz/edge/cmh/kustomization.yaml new file mode 100644 index 0000000..1cec7fd --- /dev/null +++ b/bootstrap-templates/spin-kz/edge/cmh/kustomization.yaml @@ -0,0 +1,24 @@ +namespace: {{ .Params.name }}-edge +bases: + - ../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize + +commonLabels: + env: edge + region: cmh + +configMapGenerator: + - name: {{ .Params.name }}-{{ .Params.role }} + behavior: merge + literals: + - AWS_REGION=us-east-2 + - INST_DOG_TAGS='{"project":"{{ .Params.name }}","environment":"edge","region":"us-east-2"}' + +patchesStrategicMerge: + - |- + apiVersion: networking.istio.io/v1alpha3 + kind: VirtualService + metadata: + name: {{ .Params.name }}-{{ .Params.role }} + spec: + hosts: + - {{ .Params.name }}-edge.nonprod-cmh.truss.bridgeops.sh diff --git a/bootstrap-templates/spin-kz/edge/cmh/main.tf b/bootstrap-templates/spin-kz/edge/cmh/main.tf new file mode 100644 index 0000000..886b8a5 --- /dev/null +++ b/bootstrap-templates/spin-kz/edge/cmh/main.tf 
@@ -0,0 +1,27 @@ +terraform { + backend "s3" { + bucket = "bridge-shared-terraform-us-east-2" + key = "{{ .Params.name }}/{{ .TrussDir }}/edge/cmh/terraform.tfstate" + region = "us-east-2" + acl = "bucket-owner-full-control" + encrypt = true + role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin" + } +} + +provider "aws" { + region = "us-east-2" + allowed_account_ids = ["127178877223"] + + assume_role { + role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin" + } +} + +module "app" { + source = "../../modules/{{ .Params.name }}-{{ .Params.role }}" + + truss_env = "nonprod" + app_env = "edge" + region_code = "cmh" +} diff --git a/bootstrap-templates/spin-kz/edge/cmh/postdeploy/kustomization.yaml b/bootstrap-templates/spin-kz/edge/cmh/postdeploy/kustomization.yaml new file mode 100644 index 0000000..dea116d --- /dev/null +++ b/bootstrap-templates/spin-kz/edge/cmh/postdeploy/kustomization.yaml @@ -0,0 +1,17 @@ +namespace: "{{ .Params.name }}-edge" +bases: + - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy + +patchesStrategicMerge: + - |- + apiVersion: batch/v1 + kind: Job + metadata: + name: "{{ .Params.name }}-{{ .Params.role }}-postdeploy-${trigger['parameters']['sha']}" + spec: + template: + metadata: + annotations: + vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-edge-{{ .Params.role }} + spec: + serviceAccountName: {{ .Params.name }}-edge-{{ .Params.role }} diff --git a/bootstrap-templates/spin-kz/edge/cmh/predeploy/kustomization.yaml b/bootstrap-templates/spin-kz/edge/cmh/predeploy/kustomization.yaml new file mode 100644 index 0000000..097fc7b --- /dev/null +++ b/bootstrap-templates/spin-kz/edge/cmh/predeploy/kustomization.yaml 
@@ -0,0 +1,17 @@ +namespace: "{{ .Params.name }}-edge" +bases: + - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy + +patchesStrategicMerge: + - |- + apiVersion: batch/v1 + kind: Job + metadata: + name: "{{ .Params.name }}-{{ .Params.role }}-predeploy-${trigger['parameters']['sha']}" + spec: + template: + metadata: + annotations: + vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-edge-{{ .Params.role }} + spec: + serviceAccountName: {{ .Params.name }}-edge-{{ .Params.role }} diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment/deployment.yaml b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment/deployment.yaml new file mode 100644 index 0000000..ef66c7c --- /dev/null +++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment/deployment.yaml 
@@ -0,0 +1,65 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ .Params.name }}-{{ .Params.role }}" + annotations: + traffic.spinnaker.io/load-balancers: '["service {{ .Params.name }}-{{ .Params.role }}"]' + labels: + version: "${trigger['parameters']['sha']}" +spec: + replicas: 2 + revisionHistoryLimit: 2 + selector: + matchLabels: + service-role: "{{ .Params.role }}" + template: + metadata: + labels: + version: "${trigger['parameters']['sha']}" + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.security.banzaicloud.io/vault-addr: "https://vault.vault.svc.cluster.local:8200" + vault.security.banzaicloud.io/vault-path: kubernetes + vault.security.banzaicloud.io/vault-skip-verify: "true" + # ad.datadoghq.com/{{ .Params.name }}-{{ .Params.role }}.check_names: '["openmetrics"]' + # ad.datadoghq.com/{{ .Params.name }}-{{ .Params.role }}.init_configs: "[{}]" + # ad.datadoghq.com/{{ .Params.name }}-{{ .Params.role }}.instances: "[{}]" + spec: + containers: + - envFrom: + - configMapRef: + name: "{{ .Params.name }}-{{ .Params.role }}" + name: "{{ .Params.name }}-{{ .Params.role }}" + image: "{{ .Params.image }}:${trigger['parameters']['sha']}" + imagePullPolicy: Always + ports: + - containerPort: {{ .Params.httpPort }} + name: http + protocol: TCP + + livenessProbe: + failureThreshold: 3 + httpGet: + httpHeaders: [] + path: /health-check + port: http + initialDelaySeconds: 60 + periodSeconds: 15 + readinessProbe: + failureThreshold: 3 + httpGet: + httpHeaders: [] + path: /health-check + port: http + initialDelaySeconds: 60 + periodSeconds: 15 + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + imagePullSecrets: + - name: starlord 
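Review bot: The pod annotations set `vault.security.banzaicloud.io/vault-skip-verify: "true"` while `traffic.sidecar.istio.io/excludeOutboundPorts: "8200"` takes the Vault connection out of the Istio sidecar, so the Vault login, which presents the pod's service-account token and receives the application's secrets, runs over TLS with neither certificate verification nor mesh mTLS. That is an in-cluster spoofing exposure baked into every new service; prefer trusting the Vault CA, e.g. `vault.security.banzaicloud.io/vault-tls-secret: <secret-with-vault-ca>` in place of the skip-verify line, if the webhook in this cluster supports it. The container also has no `securityContext`; for a template that every service copies, `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and, where the image permits, `readOnlyRootFilesystem: true` are cheap defaults. The same skip-verify annotation is repeated in the pre- and post-deploy Jobs.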
diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment/kustomization.yaml b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment/kustomization.yaml new file mode 100644 index 0000000..ff6d7ee --- /dev/null +++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - deployment.yaml \ No newline at end of file diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/horizontalPodAutoscaler.yaml b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/horizontalPodAutoscaler.yaml new file mode 100644 index 0000000..84ee2ba --- /dev/null +++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/horizontalPodAutoscaler.yaml @@ -0,0 +1,44 @@ +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + name: hpa +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ .Params.name }}-{{ .Params.role }} + + # Configure your scaling parameters + minReplicas: 2 + maxReplicas: 10 + metrics: + # Uncomment the following lines to scale by CPU + # - type: Resource + # resource: + # name: cpu + # target: + # type: Utilization + # averageUtilization: 80 + + # Uncomment the following lines to scale by Memory + # - type: Resource + # resource: + # name: memory + # target: + # type: Utilization + # averageUtilization: 80 + + # Uncomment the following lines to scale by Datadog metrics + # - type: External + # external: + # metric: + # name: sidekiq.queue_latency + # selector: + # matchLabels: + # # These matchLabels refer to Datadog tags, adjust as necessary + # region: cmh + # env: prod + # queuename: myqueue + # target: + # type: Value + # Value: "60" \ No newline at end of file 
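Review bot: In the commented Datadog example at the end of horizontalPodAutoscaler.yaml the target key is written `Value: "60"`, but the `autoscaling/v2beta2` field is lowercase `value`, so the first person to uncomment it gets a validation rejection or, without validation, a silently ignored target; change it to `value: "60"`. The resource is also named plainly `hpa` (and the sibling PDB `pdb`) while the namespace is per app and environment, not per role, so a second role for the same app would overwrite the first's HPA; a comment such as `# name must be unique per namespace; change it if this app has more than one role` or a `{{ .Params.role }}`-qualified name would avoid that.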
diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/kustomization.yaml b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/kustomization.yaml new file mode 100644 index 0000000..09f2a06 --- /dev/null +++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/kustomization.yaml @@ -0,0 +1,33 @@ +--- +# Use this to add labels to all of your deployment's resources +commonLabels: + app: {{ .Params.name }} + role: {{ .Params.role }} + +# Use this to add annotations to all of your deployment's resources +commonAnnotations: {} + +# Resources to include in the deployment +resources: + - service.yaml + - podDisruptionBudget.yaml + - virtualService.yaml + # Uncomment this line to enable autoscaling. You'll need to add `app_resources` + # in ../spinnaker.tf for this to work. Lastly, customize your scaling in + # `./horizontalPodAutoscaler.yaml`. See https://truss.bridgeops.sh/#/howto/autoscaling + # - horizontalPodAutoscaler.yaml + +# Generate config maps for your deployment. This should be overridden in an +# environment-specific kustomization.yaml. Defaults go here. +configMapGenerator: + - name: {{ .Params.name }}-{{ .Params.role }} + literals: + - RAILS_ENV=production + - INST_DOG_TAGS='{}' + - INST_STATSD_HOST="datadog" + - INST_STATSD_APPEND_HOSTNAME="false" + +# Since we're using Spinnaker to create the Deployment, we need to disable this +# fancy Kustomize feature. +generatorOptions: + disableNameSuffixHash: true \ No newline at end of file diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/podDisruptionBudget.yaml b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/podDisruptionBudget.yaml new file mode 100644 index 0000000..4a5bcbe --- /dev/null +++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/podDisruptionBudget.yaml 
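Review bot: The `configMapGenerator` literals `INST_STATSD_HOST="datadog"` and `INST_STATSD_APPEND_HOSTNAME="false"` are YAML plain scalars, so the double quotes become part of the value Kustomize writes into the ConfigMap, and the same goes for the single quotes in `INST_DOG_TAGS='{}'` and in the edge/cmh override. Unless the consuming library strips surrounding quotes, the app will see a quoted host name and a JSON string wrapped in `'…'`; write them as `- INST_STATSD_HOST=datadog` and `- INST_DOG_TAGS={}` (quoting the whole YAML item if the JSON needs it) and check the output of `kustomize build`. A comment next to `disableNameSuffixHash: true` that ConfigMap edits therefore do not roll the Deployment on their own, and that this is acceptable only because Spinnaker presumably redeploys on every run, would help the next reader.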
@@ -0,0 +1,10 @@ +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: pdb +spec: + # How many pods can Kubernetes make unavailable during cluster upgrades? + maxUnavailable: 1 + selector: + matchLabels: {} diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy/job.yaml b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy/job.yaml new file mode 100644 index 0000000..b2f34bb --- /dev/null +++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy/job.yaml @@ -0,0 +1,38 @@ +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + ttl: 4 days + name: "{{ .Params.name }}-{{ .Params.role }}-postdeploy-${trigger['parameters']['sha']}" + labels: + version: "${trigger['parameters']['sha']}" +spec: + backoffLimit: 3 + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + vault.security.banzaicloud.io/vault-addr: "https://vault.vault.svc.cluster.local:8200" + vault.security.banzaicloud.io/vault-path: kubernetes + vault.security.banzaicloud.io/vault-skip-verify: "true" + labels: + version: "${trigger['parameters']['sha']}" + spec: + containers: + - name: "{{ .Params.name }}-{{ .Params.role }}-postdeploy" + image: "{{ .Params.image }}:${trigger['parameters']['sha']}" + imagePullPolicy: Always + envFrom: + - configMapRef: + name: "{{ .Params.name }}-{{ .Params.role }}" + # args: + # - --pre-deploy + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + restartPolicy: Never + ttlSecondsAfterFinished: 86400 diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy/kustomization.yaml b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy/kustomization.yaml new file mode 100644 index 0000000..ceefc6b --- /dev/null 
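Review bot: The post-deploy Job still carries the pre-deploy template's commented `# args: - --pre-deploy`, so whoever enables it will run the pre-deploy step after the rollout; change the example to the post-deploy flag the app's entrypoint actually expects, e.g. `# - --post-deploy`, and say so in the comment. In the same Job the `ttl: 4 days` annotation disagrees with `ttlSecondsAfterFinished: 86400` (one day); pick one value and note which controller honours the annotation, since `ttlSecondsAfterFinished` is the field the API server acts on. The predeploy job.yaml has the same mismatch.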
+++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - job.yaml diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy/job.yaml b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy/job.yaml new file mode 100644 index 0000000..70b9d96 --- /dev/null +++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy/job.yaml @@ -0,0 +1,38 @@ +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + ttl: 4 days + name: "{{ .Params.name }}-{{ .Params.role }}-predeploy-${trigger['parameters']['sha']}" + labels: + version: "${trigger['parameters']['sha']}" +spec: + backoffLimit: 3 + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + vault.security.banzaicloud.io/vault-addr: "https://vault.vault.svc.cluster.local:8200" + vault.security.banzaicloud.io/vault-path: kubernetes + vault.security.banzaicloud.io/vault-skip-verify: "true" + labels: + version: "${trigger['parameters']['sha']}" + spec: + containers: + - name: "{{ .Params.name }}-{{ .Params.role }}-predeploy" + image: "{{ .Params.image }}:${trigger['parameters']['sha']}" + imagePullPolicy: Always + envFrom: + - configMapRef: + name: "{{ .Params.name }}-{{ .Params.role }}" + # args: + # - --pre-deploy + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + restartPolicy: Never + ttlSecondsAfterFinished: 86400 diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy/kustomization.yaml b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy/kustomization.yaml new file mode 100644 index 0000000..ceefc6b --- /dev/null +++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy/kustomization.yaml 
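Review bot: The Job name `{{ .Params.name }}-{{ .Params.role }}-predeploy-${trigger['parameters']['sha']}` is name+role+52 characters with a full 40-hex SHA, and Kubernetes copies a Job's name into the `job-name` label of its pods, whose values are capped at 63 characters, so any app/role pair longer than about 11 characters combined yields a Job whose pods fail label validation and are never created. Use a short SHA in the name, e.g. `name: "{{ .Params.name }}-{{ .Params.role }}-predeploy-${trigger['parameters']['sha'].substring(0, 7)}"`, and mirror it in the environment overlays that patch the same name (edge/cmh/predeploy/kustomization.yaml) and in the postdeploy Job. The full SHA can stay in the `version` label, which fits the limit on its own.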
@@ -0,0 +1,2 @@ +resources: + - job.yaml diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/service.yaml b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/service.yaml new file mode 100644 index 0000000..47cd983 --- /dev/null +++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Params.name }}-{{ .Params.role }} + labels: {} # populated by Kustomize + annotations: + moniker.spinnaker.io/application: {{ .Params.name }} + moniker.spinnaker.io/cluster: service {{ .Params.name }}-{{ .Params.role }} +spec: + selector: + service-role: "{{ .Params.role }}" + ports: + - name: http + protocol: TCP + port: 80 + targetPort: {{ .Params.httpPort }} diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/virtualService.yaml b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/virtualService.yaml new file mode 100644 index 0000000..dfa0033 --- /dev/null +++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/virtualService.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Params.name }}-{{ .Params.role }} +spec: + gateways: + - default-gateway.istio-system + hosts: [] # Patch with Kustomize! + http: + - route: + - destination: + port: + number: 80 + host: {{ .Params.name }}-{{ .Params.role }} + match: + - uri: + prefix: "/" diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/providers.tf b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/providers.tf new file mode 100644 index 0000000..b866c0e --- /dev/null +++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/providers.tf 
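Review bot: The Service selector `service-role: "{{ .Params.role }}"` (plus the `app`/`role`/`env`/`region` labels that Kustomize `commonLabels` adds to `spec.selector`) does not appear on the Deployment's pod template, which only sets `version`; the pairing appears to rely on the Deployment's `traffic.spinnaker.io/load-balancers` annotation making Spinnaker stamp the Service's selector labels onto the pods at deploy time. That is invisible to anyone reading service.yaml and breaks silently if the Deployment is ever applied with plain `kubectl`, so add a comment such as `# selector labels are attached to pods by Spinnaker via the Deployment's traffic.spinnaker.io/load-balancers annotation; do not apply with kubectl alone`. The `labels: {} # populated by Kustomize` comment could also mention that `commonLabels` rewrites the selector too, which is what scopes the Service to one env/region.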
@@ -0,0 +1,34 @@ +provider "aws" { + region = module.bridge_lookups.region_lookup[var.region_code] + allowed_account_ids = ["127178877223"] + + assume_role { + role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin" + } +} + +provider "spinnaker" { + address = "https://api-prod.spinnaker.bridgeops.sh" + cert_path = "~/.spin/shared-prod/spinnaker-client.crt" + key_path = "~/.spin/shared-prod/spinnaker-client.key" +} + +module "bridge_lookups" { + source = "git@github.com:instructure/truss.git//modules/lookups" +} + +# provider "aws" { +# alias = "cmh" +# region = "us-east-2" +# allowed_account_ids = ["127178877223"] + +# assume_role { +# role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin" +# } +# } + +# data "aws_s3_bucket_object" "kubeconfig" { +# bucket = "truss-kubeconfig-us-east-2" +# key = "kubeconfig-truss-${var.truss_env}-${var.region_code}" +# provider = aws.cmh +# } diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/spinnaker.tf b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/spinnaker.tf new file mode 100644 index 0000000..6c10434 --- /dev/null +++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/spinnaker.tf 
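Review bot: `module "bridge_lookups"` pulls `git@github.com:instructure/truss.git//modules/lookups` with no `?ref=`, so every `terraform init` tracks the default branch head; the same holds for `truss-tenant` in common.tf and for the Gerrit-hosted `bridge-spinnaker-eks-pipeline` module in spinnaker.tf, which generates the pipeline that deploys to prod. Pin each to a tag or commit, e.g. `source = "git@github.com:instructure/truss.git//modules/lookups?ref=<tag>"`, so a push to those repositories cannot change every tenant's infrastructure on its next apply. The commented-out `aws.cmh` alias and `kubeconfig` data source at the bottom are dead code in a template others will copy; delete them or add a line saying why they are kept.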
@@ -0,0 +1,89 @@
+module "deploy-pipeline" {
+ source = "git::ssh://gerrit.instructure.com:29418/bridge-terraform-modules//bridge-spinnaker-eks-pipeline"
+
+ service = "{{ .Params.name }}"
+ role = "{{ .Params.role }}"
+ environment = var.app_env
+ region = var.region_code
+
+ version_id = var.app_env == "prod" ? local.prod_version_id : local.nonprod_version_id
+ commit_message = var.app_env == "prod" ? local.prod_commit_message : local.nonprod_commit_message
+ committer_name = var.app_env == "prod" ? local.prod_committer_name : local.nonprod_committer_name
+ committer_email = var.app_env == "prod" ? local.prod_committer_email : local.nonprod_committer_email
+
+ parameters = {
+ sha = {
+ default = null
+ description = "Git commit SHA"
+ label = null
+ required = true
+ }
+ message = {
+ default = null
+ description = "Git commit message"
+ label = null
+ required = true
+ }
+ committer_name = {
+ default = null
+ description = "Git committer name"
+ label = null
+ required = true
+ }
+ committer_email = {
+ default = null
+ description = "Git committer email"
+ label = null
+ required = true
+ }
+ }
+
+ infra_kustomize = {
+ artifact_account = "inst-bridge-github"
+ github_repo = "{{ .Params.githubRepo }}"
+ github_branch = "master"
+ checkout_subpath = "{{ .TrussDir }}"
+ kustomize_file_path = "{{ .TrussDir }}/${var.app_env}/${var.region_code}/kustomization.yaml"
+ }
+
+ # predeploy_kustomize = {
+ # artifact_account = "inst-bridge-github"
+ # github_repo = "{{ .Params.githubRepo }}"
+ # github_branch = "master"
+ # checkout_subpath = "{{ .TrussDir }}"
+ # kustomize_file_path = "{{ .TrussDir }}/${var.app_env}/${var.region_code}/predeploy/kustomization.yaml"
+ # }
+
+ deploy_kustomize = {
+ artifact_account = "inst-bridge-github"
+ github_repo = "{{ .Params.githubRepo }}"
+ github_branch = "master"
+ checkout_subpath = "{{ .TrussDir }}"
+ kustomize_file_path = "{{ .TrussDir }}/${var.app_env}/${var.region_code}/deployment/kustomization.yaml"
+ }
+
+ # 
postdeploy_kustomize = {
+ # artifact_account = "inst-bridge-github"
+ # github_repo = "{{ .Params.githubRepo }}"
+ # github_branch = "master"
+ # checkout_subpath = "{{ .TrussDir }}"
+ # kustomize_file_path = "{{ .TrussDir }}/${var.app_env}/${var.region_code}/postdeploy/kustomization.yaml"
+ # }
+
+ smoketest_image = "{{ .Params.smoketestImage }}"
+
+ # slack_channel = "#bridge_noisy"
+ enable_manual_gate = var.app_env == "prod"
+}
+
+
+locals {
+ nonprod_version_id = "$${trigger['parameters']['sha']}"
+ nonprod_commit_message = "$${trigger['parameters']['message']}"
+ nonprod_committer_name = "$${trigger['parameters']['committer_name']}"
+ nonprod_committer_email = "$${trigger['parameters']['committer_email']}"
+ prod_version_id = "$${trigger['parentExecution']['trigger']['parameters']['sha']}"
+ prod_commit_message = "$${trigger['parentExecution']['trigger']['parameters']['message']}"
+ prod_committer_name = "$${trigger['parentExecution']['trigger']['parameters']['committer_name']}"
+ prod_committer_email = "$${trigger['parentExecution']['trigger']['parameters']['committer_email']}"
+}
diff --git a/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/variables.tf b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/variables.tf
new file mode 100644
index 0000000..fba7638
--- /dev/null
+++ b/bootstrap-templates/spin-kz/modules/{{ .Params.name }}-{{ .Params.role }}/variables.tf
@@ -0,0 +1,23 @@
+locals {
+ app = "{{ .Params.name }}"
+}
+
+variable "truss_env" {
+ type = string
+ description = "Truss environment, i.e. nonprod, prod, dev"
+}
+
+variable "app_env" {
+ type = string
+ description = "App environment, i.e. edge, staging, perf, prod"
+}
+
+variable "region_code" {
+ type = string
+ description = "Short region code, i.e. cmh, iad, syd, dub"
+}
+
+variable "account" {
+ type = string
+ default = "bridge-shared"
+}
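Review bot: `infra_kustomize` and `deploy_kustomize` fetch the kustomization from `github_branch = "master"` at pipeline run time, so the manifests applied to prod are whatever master holds at that moment rather than the revision named by the `sha` parameter the pipeline is given; if the pipeline module can take the sha as the checkout ref that would make a deploy reproducible, otherwise a comment on these blocks stating that manifests always track master is the minimum. The `deploy-pipeline` block starts in the previous hunk. The commented `predeploy_kustomize`/`postdeploy_kustomize` blocks are inert while this same commit ships `predeploy/` and `postdeploy/` kustomizations for every environment, so as written those Jobs are never run by the pipeline. A short comment above `locals` explaining why prod reads its parameters from `trigger['parentExecution']` (presumably a prod execution is started by its nonprod parent) would help the next reader.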
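Review bot: `variable "account"` carries no `description`, unlike the three variables above it, and nothing in this module's hunks reads it or `local.app`; add `description = "<what the bridge-shared default denotes>"` or drop both until they are used. The description of `truss_env` lists `nonprod, prod, dev`, yet every environment `main.tf` in this commit passes `"nonprod"`, including the prod ones, and the only reference to the variable in this chunk is in commented-out code; a sentence in the description saying what the value is expected to select would make that discrepancy reviewable.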
diff --git a/bootstrap-templates/spin-kz/prod/cmh/deployment/kustomization.yaml b/bootstrap-templates/spin-kz/prod/cmh/deployment/kustomization.yaml
new file mode 100644
index 0000000..58557ce
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/cmh/deployment/kustomization.yaml
@@ -0,0 +1,24 @@
+namespace: "{{ .Params.name }}-prod"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: {{ .Params.name }}-{{ .Params.role }}
+ labels:
+ version: "${trigger['parentExecution']['trigger']['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ labels:
+ version: "${trigger['parentExecution']['trigger']['parameters']['sha']}"
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-prod-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-prod-{{ .Params.role }}
+ containers:
+ - name: "{{ .Params.name }}-{{ .Params.role }}"
+ image: "{{ .Params.image }}:${trigger['parentExecution']['trigger']['parameters']['sha']}"
\ No newline at end of file
diff --git a/bootstrap-templates/spin-kz/prod/cmh/kustomization.yaml b/bootstrap-templates/spin-kz/prod/cmh/kustomization.yaml
new file mode 100644
index 0000000..9ee17fc
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/cmh/kustomization.yaml
@@ -0,0 +1,24 @@
+namespace: {{ .Params.name }}-prod
+bases:
+ - ../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize
+
+commonLabels:
+ env: prod
+ region: cmh
+
+configMapGenerator:
+ - name: {{ .Params.name }}-{{ .Params.role }}
+ behavior: merge
+ literals:
+ - AWS_REGION=us-east-2
+ - INST_DOG_TAGS='{"project":"{{ .Params.name }}","environment":"prod","region":"us-east-2"}'
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: networking.istio.io/v1alpha3
+ kind: VirtualService
+ metadata:
+ name: {{ .Params.name }}-{{ .Params.role }}
+ spec:
+ hosts:
+ - {{ .Params.name }}.prod-cmh.truss.bridgeops.sh
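Review bot: The prod Deployment patch pins the container image by tag, `image: "{{ .Params.image }}:${trigger['parentExecution']['trigger']['parameters']['sha']}"`, and a tag is mutable: anyone with push access to the registry can change what a given sha resolves to after the manual gate, and a redeploy of the same sha may pull different bytes. If the pipeline can resolve the tag to a digest, deploying `{{ .Params.image }}@sha256:<digest>` closes that gap; failing that, a comment here stating that the registry enforces tag immutability records the assumption. The same patch is repeated for prod/dub and prod/syd, and all three files end without a trailing newline.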
diff --git a/bootstrap-templates/spin-kz/prod/cmh/main.tf b/bootstrap-templates/spin-kz/prod/cmh/main.tf
new file mode 100644
index 0000000..4a9a4f6
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/cmh/main.tf
@@ -0,0 +1,27 @@
+terraform {
+ backend "s3" {
+ bucket = "bridge-shared-terraform-us-east-2"
+ key = "{{ .Params.name }}/{{ .TrussDir }}/prod/cmh/terraform.tfstate"
+ region = "us-east-2"
+ acl = "bucket-owner-full-control"
+ encrypt = true
+ role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin"
+ }
+}
+
+provider "aws" {
+ region = "us-east-2"
+ allowed_account_ids = ["127178877223"]
+
+ assume_role {
+ role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin"
+ }
+}
+
+module "app" {
+ source = "../../modules/{{ .Params.name }}-{{ .Params.role }}"
+
+ truss_env = "nonprod"
+ app_env = "prod"
+ region_code = "cmh"
+}
diff --git a/bootstrap-templates/spin-kz/prod/cmh/postdeploy/kustomization.yaml b/bootstrap-templates/spin-kz/prod/cmh/postdeploy/kustomization.yaml
new file mode 100644
index 0000000..e17357f
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/cmh/postdeploy/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-prod"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "{{ .Params.name }}-{{ .Params.role }}-postdeploy-${trigger['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-prod-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-prod-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/prod/cmh/predeploy/kustomization.yaml b/bootstrap-templates/spin-kz/prod/cmh/predeploy/kustomization.yaml
new file mode 100644
index 0000000..36e51fe
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/cmh/predeploy/kustomization.yaml
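Review bot: `module "app"` passes `truss_env = "nonprod"` next to `app_env = "prod"`, and the prod/dub and prod/syd main.tf files in later hunks do the same, while the prod Istio hosts use the `prod-<region>.truss.bridgeops.sh` domain and staging uses `nonprod-<region>`; this reads like a copy of the staging template rather than a deliberate placement of prod on the nonprod Truss environment. As far as this chunk shows the variable is only consumed by commented-out code, so the value is currently inert, which is exactly when such a mistake survives until someone uncomments that code. If it is intentional, `truss_env = "nonprod" # prod app runs on the nonprod Truss cluster` says so; otherwise `truss_env = "prod"`. The S3 backend also sets no `dynamodb_table`, so state for this key has no lock and two concurrent applies can corrupt it.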
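Review bot: The prod Job name is built from `${trigger['parameters']['sha']}`, but the prod locals in spinnaker.tf and the prod Deployment patch both read the sha from `trigger['parentExecution']['trigger']['parameters']['sha']`; if prod executions are started by a parent pipeline, as those locals imply, the plain parameter is presumably absent here and every run produces the same name ending in `-postdeploy-`, so the second Job collides with the first. The same expression is used in prod/cmh/predeploy, prod/dub/{predeploy,postdeploy} and prod/syd/{predeploy,postdeploy}; the nonprod form matches the staging locals and is correct there. Independently of environment, the Job's name is copied into the `job-name` label of its pods and label values are capped at 63 characters, so `<name>-<role>-postdeploy-` plus a 40-character sha can exceed the limit for longer app names; truncating to the first 12 characters of the sha, or noting the constraint in a comment on `name:`, would avoid a deploy-time failure in prod and staging alike.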
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-prod"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "{{ .Params.name }}-{{ .Params.role }}-predeploy-${trigger['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-prod-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-prod-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/prod/dub/deployment/kustomization.yaml b/bootstrap-templates/spin-kz/prod/dub/deployment/kustomization.yaml
new file mode 100644
index 0000000..58557ce
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/dub/deployment/kustomization.yaml
@@ -0,0 +1,24 @@
+namespace: "{{ .Params.name }}-prod"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: {{ .Params.name }}-{{ .Params.role }}
+ labels:
+ version: "${trigger['parentExecution']['trigger']['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ labels:
+ version: "${trigger['parentExecution']['trigger']['parameters']['sha']}"
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-prod-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-prod-{{ .Params.role }}
+ containers:
+ - name: "{{ .Params.name }}-{{ .Params.role }}"
+ image: "{{ .Params.image }}:${trigger['parentExecution']['trigger']['parameters']['sha']}"
\ No newline at end of file
diff --git a/bootstrap-templates/spin-kz/prod/dub/kustomization.yaml b/bootstrap-templates/spin-kz/prod/dub/kustomization.yaml
new file mode 100644
index 0000000..1b407bb
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/dub/kustomization.yaml
@@ -0,0 +1,24 @@
+namespace: {{ .Params.name }}-prod
+bases:
+ - ../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize
+
+commonLabels:
+ env: prod
+ region: dub
+
+configMapGenerator:
+ - name: {{ .Params.name }}-{{ .Params.role }}
+ behavior: merge
+ literals:
+ - AWS_REGION=us-east-2
+ - INST_DOG_TAGS='{"project":"{{ .Params.name }}","environment":"prod","region":"eu-west-1"}'
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: networking.istio.io/v1alpha3
+ kind: VirtualService
+ metadata:
+ name: {{ .Params.name }}-{{ .Params.role }}
+ spec:
+ hosts:
+ - {{ .Params.name }}.prod-dub.truss.bridgeops.sh
diff --git a/bootstrap-templates/spin-kz/prod/dub/main.tf b/bootstrap-templates/spin-kz/prod/dub/main.tf
new file mode 100644
index 0000000..8501658
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/dub/main.tf
@@ -0,0 +1,27 @@
+terraform {
+ backend "s3" {
+ bucket = "bridge-shared-terraform-us-east-2"
+ key = "{{ .Params.name }}/{{ .TrussDir }}/prod/dub/terraform.tfstate"
+ region = "us-east-2"
+ acl = "bucket-owner-full-control"
+ encrypt = true
+ role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin"
+ }
+}
+
+provider "aws" {
+ region = "us-east-2"
+ allowed_account_ids = ["127178877223"]
+
+ assume_role {
+ role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin"
+ }
+}
+
+module "app" {
+ source = "../../modules/{{ .Params.name }}-{{ .Params.role }}"
+
+ truss_env = "nonprod"
+ app_env = "prod"
+ region_code = "dub"
+}
diff --git a/bootstrap-templates/spin-kz/prod/dub/postdeploy/kustomization.yaml b/bootstrap-templates/spin-kz/prod/dub/postdeploy/kustomization.yaml
new file mode 100644
index 0000000..e17357f
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/dub/postdeploy/kustomization.yaml
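Review bot: The ConfigMap literal sets `AWS_REGION=us-east-2` for the Dublin environment while `INST_DOG_TAGS` tags the same deployment with `"region":"eu-west-1"`; either the app is meant to reach us-east-2 resources from dub, in which case the metrics tag misreports where it runs, or one of the two values was carried over from cmh. The same mismatch appears in prod/syd (`ap-southeast-2`), staging/dub and staging/syd. If the cross-region `AWS_REGION` is intentional — the state backend and provider in every main.tf here are also pinned to us-east-2 — a comment on the literal such as `# app resources live in us-east-2 regardless of cluster region` would keep the next reader from "correcting" it.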
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-prod"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "{{ .Params.name }}-{{ .Params.role }}-postdeploy-${trigger['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-prod-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-prod-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/prod/dub/predeploy/kustomization.yaml b/bootstrap-templates/spin-kz/prod/dub/predeploy/kustomization.yaml
new file mode 100644
index 0000000..36e51fe
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/dub/predeploy/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-prod"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "{{ .Params.name }}-{{ .Params.role }}-predeploy-${trigger['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-prod-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-prod-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/prod/syd/deployment/kustomization.yaml b/bootstrap-templates/spin-kz/prod/syd/deployment/kustomization.yaml
new file mode 100644
index 0000000..58557ce
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/syd/deployment/kustomization.yaml
@@ -0,0 +1,24 @@
+namespace: "{{ .Params.name }}-prod"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: {{ .Params.name }}-{{ .Params.role }}
+ labels:
+ version: "${trigger['parentExecution']['trigger']['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ labels:
+ version: "${trigger['parentExecution']['trigger']['parameters']['sha']}"
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-prod-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-prod-{{ .Params.role }}
+ containers:
+ - name: "{{ .Params.name }}-{{ .Params.role }}"
+ image: "{{ .Params.image }}:${trigger['parentExecution']['trigger']['parameters']['sha']}"
\ No newline at end of file
diff --git a/bootstrap-templates/spin-kz/prod/syd/kustomization.yaml b/bootstrap-templates/spin-kz/prod/syd/kustomization.yaml
new file mode 100644
index 0000000..acdc0df
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/syd/kustomization.yaml
@@ -0,0 +1,24 @@
+namespace: {{ .Params.name }}-prod
+bases:
+ - ../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize
+
+commonLabels:
+ env: prod
+ region: syd
+
+configMapGenerator:
+ - name: {{ .Params.name }}-{{ .Params.role }}
+ behavior: merge
+ literals:
+ - AWS_REGION=us-east-2
+ - INST_DOG_TAGS='{"project":"{{ .Params.name }}","environment":"prod","region":"ap-southeast-2"}'
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: networking.istio.io/v1alpha3
+ kind: VirtualService
+ metadata:
+ name: {{ .Params.name }}-{{ .Params.role }}
+ spec:
+ hosts:
+ - {{ .Params.name }}.prod-syd.truss.bridgeops.sh
diff --git a/bootstrap-templates/spin-kz/prod/syd/main.tf b/bootstrap-templates/spin-kz/prod/syd/main.tf
new file mode 100644
index 0000000..28059c1
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/syd/main.tf
@@ -0,0 +1,27 @@
+terraform {
+ backend "s3" {
+ bucket = "bridge-shared-terraform-us-east-2"
+ key = "{{ .Params.name }}/{{ .TrussDir }}/prod/syd/terraform.tfstate"
+ region = "us-east-2"
+ acl = "bucket-owner-full-control"
+ encrypt = true
+ role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin"
+ }
+}
+
+provider "aws" {
+ region = "us-east-2"
+ allowed_account_ids = ["127178877223"]
+
+ assume_role {
+ role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin"
+ }
+}
+
+module "app" {
+ source = "../../modules/{{ .Params.name }}-{{ .Params.role }}"
+
+ truss_env = "nonprod"
+ app_env = "prod"
+ region_code = "syd"
+}
diff --git a/bootstrap-templates/spin-kz/prod/syd/postdeploy/kustomization.yaml b/bootstrap-templates/spin-kz/prod/syd/postdeploy/kustomization.yaml
new file mode 100644
index 0000000..e17357f
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/syd/postdeploy/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-prod"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "{{ .Params.name }}-{{ .Params.role }}-postdeploy-${trigger['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-prod-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-prod-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/prod/syd/predeploy/kustomization.yaml b/bootstrap-templates/spin-kz/prod/syd/predeploy/kustomization.yaml
new file mode 100644
index 0000000..36e51fe
--- /dev/null
+++ b/bootstrap-templates/spin-kz/prod/syd/predeploy/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-prod"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "{{ .Params.name }}-{{ .Params.role }}-predeploy-${trigger['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-prod-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-prod-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/staging/cmh/deployment/kustomization.yaml b/bootstrap-templates/spin-kz/staging/cmh/deployment/kustomization.yaml
new file mode 100644
index 0000000..03a98ce
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/cmh/deployment/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-staging"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: {{ .Params.name }}-{{ .Params.role }}
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-staging-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-staging-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/staging/cmh/kustomization.yaml b/bootstrap-templates/spin-kz/staging/cmh/kustomization.yaml
new file mode 100644
index 0000000..aecab7a
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/cmh/kustomization.yaml
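Review bot: Unlike the prod patches, the staging Deployment patch sets neither a `version` label nor an `image:` override, so staging rolls out whatever image and tag the module's base deployment.yaml (not in this chunk) declares, and the `sha` parameter the pipeline requires is not visibly tied to the staging rollout even though the staging pre/postdeploy Jobs are named after it. If the base already templates the sha into the image, a one-line comment under `patchesStrategicMerge:` saying so is enough; if not, staging is deploying a fixed image while reporting a per-commit Job. The same shape is repeated in staging/dub and staging/syd.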
@@ -0,0 +1,24 @@
+namespace: {{ .Params.name }}-staging
+bases:
+ - ../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize
+
+commonLabels:
+ env: staging
+ region: cmh
+
+configMapGenerator:
+ - name: {{ .Params.name }}-{{ .Params.role }}
+ behavior: merge
+ literals:
+ - AWS_REGION=us-east-2
+ - INST_DOG_TAGS='{"project":"{{ .Params.name }}","environment":"staging","region":"us-east-2"}'
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: networking.istio.io/v1alpha3
+ kind: VirtualService
+ metadata:
+ name: {{ .Params.name }}-{{ .Params.role }}
+ spec:
+ hosts:
+ - {{ .Params.name }}-staging.nonprod-cmh.truss.bridgeops.sh
diff --git a/bootstrap-templates/spin-kz/staging/cmh/main.tf b/bootstrap-templates/spin-kz/staging/cmh/main.tf
new file mode 100644
index 0000000..fcc10ce
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/cmh/main.tf
@@ -0,0 +1,27 @@
+terraform {
+ backend "s3" {
+ bucket = "bridge-shared-terraform-us-east-2"
+ key = "{{ .Params.name }}/{{ .TrussDir }}/staging/cmh/terraform.tfstate"
+ region = "us-east-2"
+ acl = "bucket-owner-full-control"
+ encrypt = true
+ role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin"
+ }
+}
+
+provider "aws" {
+ region = "us-east-2"
+ allowed_account_ids = ["127178877223"]
+
+ assume_role {
+ role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin"
+ }
+}
+
+module "app" {
+ source = "../../modules/{{ .Params.name }}-{{ .Params.role }}"
+
+ truss_env = "nonprod"
+ app_env = "staging"
+ region_code = "cmh"
+}
diff --git a/bootstrap-templates/spin-kz/staging/cmh/postdeploy/kustomization.yaml b/bootstrap-templates/spin-kz/staging/cmh/postdeploy/kustomization.yaml
new file mode 100644
index 0000000..32842f5
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/cmh/postdeploy/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-staging"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "{{ .Params.name }}-{{ .Params.role }}-postdeploy-${trigger['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-staging-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-staging-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/staging/cmh/predeploy/kustomization.yaml b/bootstrap-templates/spin-kz/staging/cmh/predeploy/kustomization.yaml
new file mode 100644
index 0000000..f5e223a
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/cmh/predeploy/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-staging"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "{{ .Params.name }}-{{ .Params.role }}-predeploy-${trigger['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-staging-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-staging-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/staging/dub/deployment/kustomization.yaml b/bootstrap-templates/spin-kz/staging/dub/deployment/kustomization.yaml
new file mode 100644
index 0000000..03a98ce
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/dub/deployment/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-staging"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: {{ .Params.name }}-{{ .Params.role }}
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-staging-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-staging-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/staging/dub/kustomization.yaml b/bootstrap-templates/spin-kz/staging/dub/kustomization.yaml
new file mode 100644
index 0000000..ae4c775
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/dub/kustomization.yaml
@@ -0,0 +1,24 @@
+namespace: {{ .Params.name }}-staging
+bases:
+ - ../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize
+
+commonLabels:
+ env: staging
+ region: dub
+
+configMapGenerator:
+ - name: {{ .Params.name }}-{{ .Params.role }}
+ behavior: merge
+ literals:
+ - AWS_REGION=us-east-2
+ - INST_DOG_TAGS='{"project":"{{ .Params.name }}","environment":"staging","region":"eu-west-1"}'
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: networking.istio.io/v1alpha3
+ kind: VirtualService
+ metadata:
+ name: {{ .Params.name }}-{{ .Params.role }}
+ spec:
+ hosts:
+ - {{ .Params.name }}-staging.nonprod-dub.truss.bridgeops.sh
diff --git a/bootstrap-templates/spin-kz/staging/dub/main.tf b/bootstrap-templates/spin-kz/staging/dub/main.tf
new file mode 100644
index 0000000..f311357
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/dub/main.tf
@@ -0,0 +1,27 @@
+terraform {
+ backend "s3" {
+ bucket = "bridge-shared-terraform-us-east-2"
+ key = "{{ .Params.name }}/{{ .TrussDir }}/staging/dub/terraform.tfstate"
+ region = "us-east-2"
+ acl = "bucket-owner-full-control"
+ encrypt = true
+ role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin"
+ }
+}
+
+provider "aws" {
+ region = "us-east-2"
+ allowed_account_ids = ["127178877223"]
+
+ assume_role {
+ role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin"
+ }
+}
+
+module "app" {
+ source = "../../modules/{{ .Params.name }}-{{ .Params.role }}"
+
+ truss_env = "nonprod"
+ app_env = "staging"
+ region_code = "dub"
+}
diff --git a/bootstrap-templates/spin-kz/staging/dub/postdeploy/kustomization.yaml b/bootstrap-templates/spin-kz/staging/dub/postdeploy/kustomization.yaml
new file mode 100644
index 0000000..32842f5
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/dub/postdeploy/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-staging"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "{{ .Params.name }}-{{ .Params.role }}-postdeploy-${trigger['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-staging-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-staging-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/staging/dub/predeploy/kustomization.yaml b/bootstrap-templates/spin-kz/staging/dub/predeploy/kustomization.yaml
new file mode 100644
index 0000000..f5e223a
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/dub/predeploy/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-staging"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "{{ .Params.name }}-{{ .Params.role }}-predeploy-${trigger['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-staging-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-staging-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/staging/syd/deployment/kustomization.yaml b/bootstrap-templates/spin-kz/staging/syd/deployment/kustomization.yaml
new file mode 100644
index 0000000..03a98ce
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/syd/deployment/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-staging"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/deployment
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: {{ .Params.name }}-{{ .Params.role }}
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-staging-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-staging-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/staging/syd/kustomization.yaml b/bootstrap-templates/spin-kz/staging/syd/kustomization.yaml
new file mode 100644
index 0000000..73b922f
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/syd/kustomization.yaml
@@ -0,0 +1,24 @@
+namespace: {{ .Params.name }}-staging
+bases:
+ - ../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize
+
+commonLabels:
+ env: staging
+ region: syd
+
+configMapGenerator:
+ - name: {{ .Params.name }}-{{ .Params.role }}
+ behavior: merge
+ literals:
+ - AWS_REGION=us-east-2
+ - INST_DOG_TAGS='{"project":"{{ .Params.name }}","environment":"staging","region":"ap-southeast-2"}'
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: networking.istio.io/v1alpha3
+ kind: VirtualService
+ metadata:
+ name: {{ .Params.name }}-{{ .Params.role }}
+ spec:
+ hosts:
+ - {{ .Params.name }}-staging.nonprod-syd.truss.bridgeops.sh
diff --git a/bootstrap-templates/spin-kz/staging/syd/main.tf b/bootstrap-templates/spin-kz/staging/syd/main.tf
new file mode 100644
index 0000000..4562a1b
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/syd/main.tf
@@ -0,0 +1,27 @@
+terraform {
+ backend "s3" {
+ bucket = "bridge-shared-terraform-us-east-2"
+ key = "{{ .Params.name }}/{{ .TrussDir }}/staging/syd/terraform.tfstate"
+ region = "us-east-2"
+ acl = "bucket-owner-full-control"
+ encrypt = true
+ role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin"
+ }
+}
+
+provider "aws" {
+ region = "us-east-2"
+ allowed_account_ids = ["127178877223"]
+
+ assume_role {
+ role_arn = "arn:aws:iam::127178877223:role/xacct/ops-admin"
+ }
+}
+
+module "app" {
+ source = "../../modules/{{ .Params.name }}-{{ .Params.role }}"
+
+ truss_env = "nonprod"
+ app_env = "staging"
+ region_code = "syd"
+}
diff --git a/bootstrap-templates/spin-kz/staging/syd/postdeploy/kustomization.yaml b/bootstrap-templates/spin-kz/staging/syd/postdeploy/kustomization.yaml
new file mode 100644
index 0000000..32842f5
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/syd/postdeploy/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-staging"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/postdeploy
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "{{ .Params.name }}-{{ .Params.role }}-postdeploy-${trigger['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-staging-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-staging-{{ .Params.role }}
diff --git a/bootstrap-templates/spin-kz/staging/syd/predeploy/kustomization.yaml b/bootstrap-templates/spin-kz/staging/syd/predeploy/kustomization.yaml
new file mode 100644
index 0000000..f5e223a
--- /dev/null
+++ b/bootstrap-templates/spin-kz/staging/syd/predeploy/kustomization.yaml
@@ -0,0 +1,17 @@
+namespace: "{{ .Params.name }}-staging"
+bases:
+ - ../../../modules/{{ .Params.name }}-{{ .Params.role }}/kustomize/predeploy
+
+patchesStrategicMerge:
+ - |-
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "{{ .Params.name }}-{{ .Params.role }}-predeploy-${trigger['parameters']['sha']}"
+ spec:
+ template:
+ metadata:
+ annotations:
+ vault.security.banzaicloud.io/vault-role: {{ .Params.name }}-staging-{{ .Params.role }}
+ spec:
+ serviceAccountName: {{ .Params.name }}-staging-{{ .Params.role }}