Forem: Mickaël Canévet The latest articles on Forem by Mickaël Canévet (@mcanevet). https://forem.com/mcanevet https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F376124%2Fcd04fcc7-0412-4576-99e0-e44b2b664531.jpeg Forem: Mickaël Canévet https://forem.com/mcanevet en Terraform Project Design — A parallel with Puppet Mickaël Canévet Mon, 03 May 2021 11:57:38 +0000 https://forem.com/camptocamp-ops/terraform-project-design-a-parallel-with-puppet-1f8o https://forem.com/camptocamp-ops/terraform-project-design-a-parallel-with-puppet-1f8o <h1> Introduction </h1> <p>Like Puppet, Terraform provides low-level objects written in a programming language that allows you to manage individual resources.</p> <p>With <em>Puppet</em>, these low-level objects, the <a href="https://puppet.com/docs/puppet/7.6/cheatsheet_core_types.html" rel="noopener noreferrer">Puppet Types and Providers</a>, written in Ruby, allow you to apply the CRUD paradigm to resources located on managed nodes.</p> <p>With <em>Terraform</em>, these low-level objects, the <a href="https://www.terraform.io/docs/language/resources/index.html" rel="noopener noreferrer">Terraform Resources</a>, written in Go, allow you to apply the CRUD paradigm to resources in an API.</p> <p>On top of this, both solutions provide a DSL: the <a href="https://puppet.com/docs/puppet/7.6/puppet_language.html" rel="noopener noreferrer">Puppet DSL</a> for Puppet and the <a href="https://www.terraform.io/docs/language/syntax/configuration.html" rel="noopener noreferrer">HashiCorp Configuration Language (HCL)</a> for Terraform. They are both declarative languages, allowing you to organize your code for higher re-usability and maintainability.</p> <h1> It's all about abstraction and convergence </h1> <p>As in Puppet, HCL is only a wrapper around the low-level resources, the only objects that actually impact your infrastructure.</p> <p>These resources ensure the convergence of your infrastructure. All other objects only allow you to organize your code in multiple abstraction layers: <a href="https://puppet.com/docs/puppet/7.6/lang_classes.html" rel="noopener noreferrer">classes</a> and <a href="https://puppet.com/docs/puppet/7.6/lang_defined_types.html" rel="noopener noreferrer">defined types</a> in Puppet; <a href="https://www.terraform.io/docs/language/modules/syntax.html" rel="noopener noreferrer">modules</a> in Terraform.</p> <p>In Puppet, you could do something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight puppet"><code><span class="k">node</span> <span class="s1">'mynode'</span> <span class="p">{</span> <span class="n">user</span> <span class="p">{</span> <span class="s1">'foo'</span><span class="p">:</span> <span class="py">ensure</span> <span class="p">=&gt;</span> <span class="n">present</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>However, if you want code re-usability and ease maintenance, you should add abstraction layers in between the node and the <code>user</code> resource.</p> <p>Since 2012 and <a href="http://craigdunn.org/2012/05/239/" rel="noopener noreferrer">Craig Dunn's famous blog post about Designing Puppet</a>, the most described (and probably used) pattern in Puppet code is to use public modules from the Puppet forge, then add 2 levels of abstraction on top of it with <a href="https://puppet.com/docs/pe/2019.8/osp/the_roles_and_profiles_method.html" rel="noopener noreferrer">Roles and Profiles</a>.</p> <p>In Terraform, you could also do very simple things without any level of abstraction:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"ubuntu"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"virtualization-type"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"hvm"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"099720109477"</span><span class="p">]</span> <span class="c1"># Canonical</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ami</span><span class="p">.</span><span class="nx">ubuntu</span><span class="p">.</span><span class="nx">id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.micro"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"HelloWorld"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>However, if you want to maximize re-usability, you probably want to add some abstraction layers, similar to the Roles and Profiles in Puppet. Terraform allows you to group your resources into <em>modules</em> that can than be instantiated multiple times in your code.</p> <p>The Roles and Profiles pattern in Puppet usually implements the following layers:</p> <blockquote> <p>node → role → profiles → component module → resources</p> </blockquote> <p>In Terraform, we do not manage <em>nodes</em>, so the abstraction stack starts with the <em>workspace</em> instead:</p> <blockquote> <p>workspace → root module → composition module → resource module → resource</p> </blockquote> <h1> Analogies </h1> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0kkplwxlayjo8hpf9f0e.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0kkplwxlayjo8hpf9f0e.png" alt="Puppet vs Terraform abstractions"></a></p> <h3> Puppet Types vs Terraform Resources </h3> <p><em>Terraform</em> resources are like <em>Puppet</em> Types: they are the only low-level objects that really do something in your API (or on your Puppet node).</p> <h3> Puppet nodes vs Terraform workspaces </h3> <p>With <em>Puppet</em>, the entry point of your code is the <code>node</code> object which automatically includes the <code>Main</code> class.</p> <p><em>Terraform</em> implicitly creates a <code>default</code> workspace for your stack, which instantiates the <em>root module</em> where you can declare your infrastructure.</p> <h3> Puppet Roles vs Terraform root modules </h3> <p>The Roles and Profiles design pattern in <em>Puppet</em> suggests to assign one and only one Role class to your node.</p> <p>In <em>Terraform</em>, you don't really have the choice because you automatically have one and only one root module per workspace.</p> <h3> Puppet Profiles vs Terraform composition modules </h3> <p>In <em>Puppet</em>, you would code your business logic into Profile classes so that you can reuse it, probably with different parameters, in your various Roles.</p> <p>In <em>Terraform</em>, you could code your business logic into <strong>composition modules</strong> that you will instantiate in your root module.</p> <h3> Puppet Forge vs Terraform registry </h3> <p>Just like <em>Puppet</em> has its <a href="https://forge.puppet.com" rel="noopener noreferrer">Forge</a>, Terraform provides a <a href="https://registry.terraform.io" rel="noopener noreferrer">registry</a> for anyone to share their resource modules, which represent the first level of abstraction.</p> <h1> Examples </h1> <h2> Puppet </h2> <p>Let's provision a node running a Docker engine and a Traefik reverse proxy. The role will include both classes.</p> <h3> Code Entry Point </h3> <p>The code entry point in Puppet is the <code>manifests/site.pp</code> file. There are multiple ways to achieve node classification in Puppet, one of which is to store the node's role in its certificate. It will then be exposed as a <a href="https://puppet.com/docs/puppet/7.6/lang_facts_and_builtin_vars.html" rel="noopener noreferrer">trusted fact</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight puppet"><code><span class="c"># manifests/site.pp </span><span class="nv">$role</span> <span class="o">=</span> <span class="nv">$trusted</span><span class="p">[</span><span class="s1">'extensions'</span><span class="p">][</span><span class="s1">'pp_role'</span><span class="p">]</span> <span class="k">node</span> <span class="k">default</span> <span class="p">{</span> <span class="n">include</span> <span class="s2">"roles::</span><span class="nv">${role}</span><span class="s2">"</span> <span class="p">}</span> </code></pre> </div> <h3> Role class </h3> <div class="highlight js-code-highlight"> <pre class="highlight puppet"><code><span class="c"># modules/roles/manifests/docker_traefik_dev.pp </span><span class="k">class</span> <span class="s1">'roles::docker_traefik_dev'</span> <span class="p">{</span> <span class="k">include</span> <span class="nc">profiles::docker</span> <span class="k">include</span> <span class="nc">profiles::traefik</span> <span class="p">}</span> </code></pre> </div> <h3> Profile classes </h3> <div class="highlight js-code-highlight"> <pre class="highlight puppet"><code><span class="c"># modules/profiles/manifests/docker.pp </span><span class="k">class</span> <span class="s1">'profiles::docker'</span> <span class="p">{</span> <span class="k">class</span> <span class="p">{</span> <span class="s1">'docker'</span><span class="p">:</span> <span class="p">}</span> <span class="k">class</span> <span class="p">{</span> <span class="s1">'docker-compose'</span><span class="p">:</span> <span class="p">}</span> <span class="p">}</span> <span class="c"># modules/profiles/manifests/traefik.pp </span><span class="k">class</span> <span class="s1">'profiles::traefik'</span><span class="p">(</span> <span class="nc">Boolean</span> <span class="nv">$enable_docker</span> <span class="o">=</span> <span class="kc">true</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="k">class</span> <span class="p">{</span> <span class="s1">'traefik'</span><span class="p">:</span> <span class="py">enable_docker</span> <span class="p">=&gt;</span> <span class="nv">$enable_docker</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Component modules </h3> <p>Here, we are using 3 component modules that could be published on the Puppet Forge:</p> <ul> <li>docker</li> <li>docker-compose</li> <li>traefik</li> </ul> <h2> Terraform </h2> <p>In this Terraform example, we create an AWS VPC and an EKS cluster.</p> <h3> Root module </h3> <p>The Terraform root module is the entry point of your code, which declares your stack. Here, it only includes a composition module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">module</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">src</span> <span class="p">=</span> <span class="s2">"registry.example.com/example-corp/k8s-cluster/aws"</span> <span class="nx">vpc</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-vpc"</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">azs</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eu-west-1a"</span><span class="p">,</span> <span class="s2">"eu-west-1b"</span><span class="p">,</span> <span class="s2">"eu-west-1c"</span><span class="p">]</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.1.0/24"</span><span class="p">,</span> <span class="s2">"10.0.2.0/24"</span><span class="p">,</span> <span class="s2">"10.0.3.0/24"</span><span class="p">]</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.101.0/24"</span><span class="p">,</span> <span class="s2">"10.0.102.0/24"</span><span class="p">,</span> <span class="s2">"10.0.103.0/24"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">eks</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"my-cluster"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.18"</span> <span class="nx">worker_groups</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"m5a.large"</span> <span class="nx">asg_max_size</span> <span class="p">=</span> <span class="mi">5</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Composition module </h3> <p>The composition module is a reusable piece of code that contains your business logic. Here, it creates a VPC and deploys an EKS cluster on every instantiation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">azs</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}))</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">worker_groups</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">any</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># main.tf`</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">name</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">cidr</span> <span class="nx">azs</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">azs</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">one_nat_gateway_per_az</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">private_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="nx">public_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_eks_cluster"</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">cluster_id</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_eks_cluster_auth"</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">cluster_id</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">endpoint</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">certificate_authority</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_eks_cluster_auth</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">token</span> <span class="nx">load_config_file</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 1.9"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_version</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">worker_groups</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">worker_groups</span> <span class="p">}</span> </code></pre> </div> <p>You probably want maximum testing of this composition module, such as linting, syntax validation, integration tests…</p> <h3> Resource Module </h3> <p>Here, we are using two public modules available on the Terraform registry (but of course you could load any module from any supported source):</p> <ul> <li><a href="https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest" rel="noopener noreferrer">terraform-aws-modules/vpc/aws</a></li> <li><a href="https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest" rel="noopener noreferrer">terraform-aws-modules/eks/aws</a></li> </ul> <h1> Rules </h1> <p>Common rules for the Puppet's <em>Roles and Profiles</em> design pattern are:</p> <ul> <li>A <strong>node</strong> includes <strong>one role</strong>, and one only,</li> <li>A <strong>role</strong> includes <strong>one or more profiles</strong> to define the type of server,</li> <li>A <strong>profile</strong> includes and manages <strong>component modules</strong> to define a logical technical stack,</li> <li> <strong>Component modules</strong> manage low-level resources,</li> <li>Modules should only be responsible for managing aspects of the component they are written for.</li> </ul> <p>In Terraform, we could also do some analogies regarding this rules:</p> <ul> <li>A <strong>workspace</strong> includes <strong>one root module</strong>, and one only. Here you don't really have the choice because Terraform imposes this to you.</li> <li>A <strong>root module</strong> includes <strong>one or more composition modules</strong> to define the type of infrastructure,</li> <li>A <strong>composition module</strong> includes and manages <strong>resource modules</strong> to define a logical technical stack,</li> <li> <strong>Resource modules</strong> manage low-level resources,</li> <li>Modules should only be responsible for managing aspects of the component they are written for.</li> </ul> <h1> Conclusion </h1> <p>Even though Puppet and Terraform have different purposes, they share similarities and can benefit from the same architecture best practices.</p> terraform puppet architecture devops Easily deploy an SKS cluster on Exoscale with Terraform Mickaël Canévet Thu, 25 Feb 2021 09:26:01 +0000 https://forem.com/camptocamp-ops/easily-deploy-an-sks-cluster-on-exoscale-with-terraform-3c3o https://forem.com/camptocamp-ops/easily-deploy-an-sks-cluster-on-exoscale-with-terraform-3c3o <p>Following the <a href="https://www.exoscale.com/syslog/introducing-scalable-kubernetes-service/">recent announcement of Exoscale's managed Kubernetes service</a>, we gave it a test run to deploy our standard stack of tools. As usual, we wanted to do it "as Code", so we chose Terraform for the task.</p> <p>Since the release of Exoscale's Terraform provider v0.22.0, it is now possible to create SKS clusters as code.</p> <p>To deploy a cluster you'll need to create all these resources:</p> <ul> <li>An <code>exoscale_sks_cluster</code>,</li> <li>One or more <code>exoscale_sks_nodepools</code>,</li> <li>An <code>exoscale_affinity</code> per node pool to ensure that all nodes in a pools are in the same anti-affinity group in case of outage in an hypervisor,</li> <li>An <code>exoscale_security_group</code> for your node pools,</li> <li>An <code>exoscale_security_group_rule</code> to allow Calico traffic behind your nodes,</li> <li>An <code>exoscale_security_group_rule</code> to allow <code>nodePorts</code> access from everywhere,</li> <li>An <code>exoscale_security_group_rule</code> to allow access to logs and exec.</li> </ul> <p>To ease the deployment of all these resources, we decided to write a <a href="https://registry.terraform.io/providers/exoscale/exoscale/latest">Terraform module</a> that we published <a href="https://registry.terraform.io/modules/camptocamp/sks/exoscale/latest">on the Terraform registry</a>.</p> <p>In order to use it, simply copy this HCL code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"sks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"camptocamp/sks/exoscale"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"0.3.1"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"test"</span> <span class="nx">zone</span> <span class="p">=</span> <span class="s2">"de-fra-1"</span> <span class="nx">nodepools</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"router"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"medium"</span> <span class="nx">size</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span><span class="err">,</span> <span class="s2">"compute"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"small"</span> <span class="nx">size</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">}</span><span class="err">,</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"kubeconfig"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">sks</span><span class="err">.</span><span class="nx">kubeconfig</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>Export your API keys:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">export </span><span class="nv">EXOSCALE_API_KEY</span><span class="o">=</span>... <span class="nv">$ </span><span class="nb">export </span><span class="nv">EXOSCALE_API_SECRET</span><span class="o">=</span>... </code></pre> </div> <p>Then run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>terraform apply </code></pre> </div> <p>This will deploy an SKS cluster with 2 nodepools (one that we'll dedicate for our Ingress Controller and one to host our applications), one anti-affinity group per nodepool and a security group with proper rules so that everything runs properly (you'll still have to open access to http and https ports if needed).</p> <p>You can retrieve the kubeconfig for the kube-admin user using this command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>terraform output <span class="nt">-json</span> kubeconfig | jq <span class="nt">-r</span> <span class="nb">.</span> <span class="o">&gt;</span> ~/.kube/config </code></pre> </div> <p><small>NOTE: make sure to not overwrite a previous cluster configuration or prefer working with environment variables with <code>KUBECONFIG=~/path/to/sks-config</code></small></p> <p>You should then be able to connect to the cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get pods <span class="nt">--all-namespaces</span> </code></pre> </div> <p>And voilà.</p> kubernetes devops terraform showdev 4 ways to inject secrets into an application Mickaël Canévet Mon, 24 Aug 2020 14:27:40 +0000 https://forem.com/camptocamp-ops/4-ways-to-inject-secrets-into-an-application-cem https://forem.com/camptocamp-ops/4-ways-to-inject-secrets-into-an-application-cem <p>Most applications require secrets, for example to connect to a database, communicate with another application using tokens or certificates, define an admin password…</p> <p>Dealing with this is often a headache. Even when you have a proper secret management tool, it's sometimes a nightmare to inject the secrets into the application where it needs to be used.</p> <h1> The 4 ways </h1> <h2> First way: build time </h2> <p>This is probably the worst way to do it.</p> <p>Examples:</p> <ul> <li>Build a WAR file, or a Docker image or any artifact with a configuration file that contains the secret in plain text.</li> </ul> <p>Pros:</p> <ul> <li>Your deployment tool does not need permissions to decrypt the secrets.</li> </ul> <p>Cons:</p> <ul> <li>Your whole artifact becomes a secret;</li> <li>You have to rebuild and redeploy when you want to renew a secret.</li> </ul> <h2> Second way: deploy time </h2> <p>Examples:</p> <ul> <li>Give a Continuous Deployment pipeline access to a secrets store an let it inject the secrets in the application's configuration files;</li> <li>Give a Continuous Deployment tool, like ArgoCD, access to a secrets store an let it inject the secrets in the application's configuration files.</li> </ul> <p>Pros:</p> <ul> <li>You don't have to rebuild when you want to renew a secret.</li> </ul> <p>Cons:</p> <ul> <li>Your deployment tool needs permissions to retrieve and decrypt the secrets;</li> <li>You have to redeploy when you want to renew a secret.</li> </ul> <h2> Third way: start time </h2> <p>Examples:</p> <ul> <li>Use Kubernetes <a href="https://github.com/kubernetes-sigs/secrets-store-csi-driver">Secret Store CSI drivers</a> to inject secrets as volumes or secrets;</li> <li>Use HashiCorp <a href="https://www.vaultproject.io/">Vault</a> as a secret store and <a href="https://www.vaultproject.io/docs/platform/k8s/injector">Vault Agent Injector</a> as an <em>init</em> container to create configuration files before the application starts.</li> </ul> <p>Pros:</p> <ul> <li>Your deployment tool does not need permissions to decrypt the secrets;</li> <li>You don't have to redeploy when you want to renew a secret.</li> </ul> <p>Cons:</p> <ul> <li>You need to restart your application when you want to renew a secret.</li> </ul> <h2> Forth way: run time </h2> <p>Examples:</p> <ul> <li>AWS instance profiles;</li> <li>HashiCorp Vault as secret store and Vault Agent Injector in <em>sidecar</em> mode.</li> </ul> <p>Pros:</p> <ul> <li>You can renew your secret without even having to restart your application, allowing a dynamic secrets mechanism.</li> </ul> <p>Cons:</p> <ul> <li>You probably need to adapt your application (or not if you already use an SDK that supports it).</li> </ul> <h1> Conclusion </h1> <p>Do you know any more ways to inject secrets in your applications? Let me know in the comments!</p> devops kubernetes security secrets Use Kustomize to post-render Helm charts in ArgoCD Mickaël Canévet Tue, 18 Aug 2020 13:50:18 +0000 https://forem.com/camptocamp-ops/use-kustomize-to-post-render-helm-charts-in-argocd-2ml6 https://forem.com/camptocamp-ops/use-kustomize-to-post-render-helm-charts-in-argocd-2ml6 <p>In an ideal world you wouldn't have to perform multiple steps for the rendering, but unfortunately we don't live in an ideal world...</p> <h1> Kustomize </h1> <p>Nowadays, most applications that are meant to be deployed in Kubernetes provide a Helm chart to ease deployment. Unfortunately, sometimes the Helm chart is not flexible enough to do what you want to do, so you have to fork and contribute and hope that your contribution is quickly merged upstream so that you don't have to maintain your fork.</p> <p>Instead of pointing to your fork, you could use <a href="https://kustomize.io/">Kustomize</a> to apply some post-rendering to your templatized Helm release. This is possible natively since Helm 3.1 using the <a href="https://helm.sh/docs/topics/advanced/"><code>--post-process</code> flag</a>.</p> <h1> Integration in ArgoCD </h1> <p>At Camptocamp, we use <a href="https://argoproj.github.io/argo-cd/">ArgoCD</a> to manage the deployment of our objects into Kubernetes. Let's see how we can use Kustomize to do post-rendering of Helm charts in ArgoCD:</p> <p>At first, declare a new config management plugin into your <code>argocd-cm</code> configMap (the way to do it depends on the way you deployed ArgoCD):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-cm</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">data</span><span class="pi">:</span> <span class="na">configManagementPlugins</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- name: kustomized-helm</span> <span class="s">init:</span> <span class="s">command: ["/bin/sh", "-c"]</span> <span class="s">args: ["helm dependency build || true"]</span> <span class="s">generate:</span> <span class="s">command: ["/bin/sh", "-c"]</span> <span class="s">args: ["helm template . --name-template $ARGOCD_APP_NAME --namespace $ARGOCD_APP_NAMESPACE --include-crds &gt; all.yaml &amp;&amp; kustomize build"]</span> </code></pre> </div> <p>Then add a <code>kustomization.yaml</code> file next to your application's <code>Chart.yaml</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">all.yaml</span> <span class="na">patchesJson6902</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">target</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">apps</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapplication</span> <span class="na">patch</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">- op: remove</span> <span class="s">path: /spec/template/spec/securityContext</span> </code></pre> </div> <p>Now configure your <code>Applications</code> object to use this plugin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapplication</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">myproject</span> <span class="na">source</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">myapplication</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.spec.source.repoURL</span> <span class="pi">}}</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.spec.source.targetRevision</span> <span class="pi">}}</span> <span class="na">plugin</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kustomized-helm</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">myproject</span> <span class="na">server</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.spec.destination.server</span> <span class="pi">}}</span> </code></pre> </div> <p>And... voilà!</p> <h1> Integration in App of Apps </h1> <p>One thing that I often do is to use <code>spec.source.helm</code> in my <code>Application</code> object to pass some values that comes from my <a href="https://argoproj.github.io/argo-cd/operator-manual/cluster-bootstrapping/">app of apps</a>. This is not possible using a configuration plugin as the keys <code>helm</code> and <code>plugin</code> are mutually exclusive.</p> <p>The workaround I found is to use plugin's envs. You have to change your config management plugin configuration to (note the <code>$HELM_ARGS</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-cm</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">data</span><span class="pi">:</span> <span class="na">configManagementPlugins</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- name: kustomized-helm</span> <span class="s">init:</span> <span class="s">command: ["/bin/sh", "-c"]</span> <span class="s">args: ["helm dependency build || true"]</span> <span class="s">generate:</span> <span class="s">command: ["/bin/sh", "-c"]</span> <span class="s">args: ["echo \"$HELM_VALUES\" | helm template . --name-template $ARGOCD_APP_NAME --namespace $ARGOCD_APP_NAMESPACE $HELM_ARGS -f - --include-crds &gt; all.yaml &amp;&amp; kustomize build"]</span> </code></pre> </div> <p>You'll then be able to use this in your <code>Application</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapplication</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">myproject</span> <span class="na">source</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">myapplication</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.spec.source.repoURL</span> <span class="pi">}}</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.spec.source.targetRevision</span> <span class="pi">}}</span> <span class="na">plugin</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kustomized-helm</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">HELM_ARGS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">--set</span><span class="nv"> </span><span class="s">targetRevision={{</span><span class="nv"> </span><span class="s">.Values.spec.source.targetRevision</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">myproject</span> <span class="na">server</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.spec.destination.server</span> <span class="pi">}}</span> </code></pre> </div> <p>Or<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapplication</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">myproject</span> <span class="na">source</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">myapplication</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.spec.source.repoURL</span> <span class="pi">}}</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.spec.source.targetRevision</span> <span class="pi">}}</span> <span class="na">plugin</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kustomized-helm</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">HELM_VALUES</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">targetRevision: {{ .Values.spec.source.targetRevision }}</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">myproject</span> <span class="na">server</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.spec.destination.server</span> <span class="pi">}}</span> </code></pre> </div> kubernetes devops tutorial argocd