devonfw · isandesh1986 · Jun 29, 2022 · Jun 29, 2022 · Jun 29, 2022 · Jul 7, 2022
diff --git a/documentation/github/setup-eks-provisioning-pipeline.asciidoc b/documentation/github/setup-eks-provisioning-pipeline.asciidoc
@@ -0,0 +1,100 @@
+:toc: macro
+toc::[]
+:idprefix:
+:idseparator: -
+
+= Setting up the AWS EKS provisioning workflow
+In this section we will create a workflow which will provision an AWS EKS cluster. This workflow will be configured to be manually triggered by the user. As part of EKS cluster provisioning, a NGINX Ingress controller is deployed and a .env file with the name `eks-variables` is created in .github folder, which contains, among others, the DNS name of the Ingress controller, that you you will need to add as CNAME record on the domains used in your application Ingress manifest files. Refer to the appendix to retrieve the DNS name of the Ingress controller independently. 
+
+The creation of the workflow will follow the project workflow, so a new branch named `feature/eks-provisioning` will be created, the YAML file for the workflow and the terraform files for creating the cluster will be pushed to it.
+
+Then, a Pull Request (PR) will be created in order to merge the new branch into the appropriate branch (provided in `-b` flag). The PR will be automatically merged if the repository policies are met. If the merge is not possible, either the PR URL will be shown as output, or it will be opened in your web browser if using `-w` flag.
+
+The script located at `/scripts/pipelines/github/pipeline_generator.sh` will automatically create this new branch, create the EKS provisioning workflow based on the YAML template, create the Pull Request and, if it is possible, merge this new branch into the specified branch.
+
+=== Prerequisites
+
+* Add AWS credentials as https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository[Github Secrets] in your repository.
+
+* A S3 Bucket. You can use an existing one or https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-commands.html#using-s3-commands-managing-buckets-creating[create a new one] with the following command:
+```
+aws s3 mb <bucket name>
+# Example: aws s3 mb s3://terraformStateBucket
+```
+
+* An AWS IAM user with https://github.com/devonfw/hangar/blob/master/documentation/aws/setup-aws-account-iam-for-eks.asciidoc#check-iam-user-permissions[required permissions] to provision the EKS cluster.
+
+* This script will commit and push the corresponding YAML template into your repository, so please be sure your local repository is up-to-date (i.e you have pulled the latest changes with `git pull`).
+
+== Creating the workflow using provided script
+
+Before executing the workflow generator, you will need to customize some input variables about the environment. Also, you may want to use existing VPC and subnets instead of creating new ones. To do so, you can either edit `terraform.tfvars` file or take advantage of the `set-terraform-variables.sh` script located at `/scripts/environment-provisioning/aws/eks`, which allows you to create or update values for the required variables, passing them as flags.
+
+Example: creating a new VPC on cluster creation:
+
+```
+./set-terraform-variables.sh --region <region name> --instance_type <workers instance type> --vpc_name <vpc name> --vpc_cidr_block <vpc cidr block>
+```
+Example: reusing existing VPC and subnets:
+```
+./set-terraform-variables.sh --region <region name> --instance_type <workers instance type> --existing_vpc_id <vpc id> --existing_vpc_private_subnets <array of subnet ids>
+```
+* Rancher is installed by default on the cluster after provisioning. If you wish to change this, please update `eks-pipeline.cfg` accordingly.
+
+=== Usage
+```
+pipeline_generator.sh \
+  -c <config file path> \
+  -n <pipeline name> \
+  -d <project local path> \
+  --cluster-name <cluster name> \  
+  --s3-bucket <s3 bucket name> \
+  --s3-key-path <s3 key path> \
+  [-b <branch>] \
+  [-w]
+```
+
+NOTE: The config file for the EKS provisioning workflow is located at `/scripts/pipelines/github/templates/eks/eks-pipeline.cfg`.
+
+=== Flags
+```
+-c, --config-file        [Required] Configuration file containing workflow definition.
+-n, --pipeline-name      [Required] Name that will be set to the workflow.
+-d, --local-directory    [Required] Local directory of your project (the path should always be using '/' and not '\').
+    --cluster-name       [Required] Name for the cluster."
+    --s3-bucket          [Required] Name of the S3 bucket where the Terraform state of the cluster will be stored.
+    --s3-key-path        [Required] Path within the S3 bucket where the Terraform state of the cluster will be stored.
+-b, --target-branch                 Name of the branch to which the Pull Request will target. PR is not created if the flag is not provided.
+-w                                  Open the Pull Request on the web browser if it cannot be automatically merged. Requires -b flag.
+```
+
+=== Example
+
+```
+./pipeline_generator.sh -c ./templates/eks/eks-pipeline.cfg -n eks-provisioning -d C:/Users/$USERNAME/Desktop/quarkus-project --cluster-name hangar-eks-cluster --s3-bucket terraformStateBucket --s3-key-path eks/state -b develop -w
+```
+
+== Appendix: Interacting with the cluster
+
+First, generate a `kubeconfig` file for accessing the AWS EKS cluster:
+
+```
+aws eks update-kubeconfig --name <cluster name> --region <aws region>
+```
+Now you can use `kubectl` tool to communicate with the cluster.
+
+To enable an IAM user to connect to the EKS cluster, please refer https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html[here].
+
+To get the DNS name of the NGINX Ingress controller on the EKS cluster, run the below command:
+```
+kubectl get svc --namespace nginx-ingress nginx-ingress-nginx-ingress-controller -o jsonpath={.status.loadBalancer.ingress[0].hostname}
+```
+
+Rancher will be available on `https://<ingress controller domain>/dashboard`.
+
+== Appendix: Rancher resources
+
+* https://rancher.com/docs/rancher/v2.6/en/cluster-admin/cluster-access/kubectl/[Downloading `kubeconfig`].
+* https://rancher.com/docs/rancher/v2.6/en/admin-settings/rbac/[RBAC]
+* https://rancher.com/docs/rancher/v2.6/en/monitoring-alerting/[Monitoring]
+* https://rancher.com/docs/rancher/v2.6/en/logging/[Logging]
diff --git a/scripts/pipelines/github/templates/common/install-ingress-controller.sh b/scripts/pipelines/github/templates/common/install-ingress-controller.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+helm repo add bitnami "https://charts.bitnami.com/bitnami"
+helm repo update
+helm upgrade --install nginx-ingress "nginx-ingress-controller" --set ingressClassResource.default=true --set containerSecurityContext.allowPrivilegeEscalation=false --repo "https://charts.bitnami.com/bitnami" --namespace nginx-ingress --create-namespace
diff --git a/scripts/pipelines/github/templates/eks/eks-pipeline.cfg b/scripts/pipelines/github/templates/eks/eks-pipeline.cfg
@@ -0,0 +1,60 @@
+# Mandatory flags.
+mandatoryFlags="$pipelineName,$configFile,$localDirectory,$s3Bucket,$s3KeyPath,$clusterName,"
+# Path to the templates.
+templatesPath="scripts/pipelines/github/templates/eks"
+# YAML file name.
+yamlFile="eks-provisioning.yml"
+# Script name.
+scriptFile=""
+# Source branch.
+sourceBranch="feature/eks-provisioning"
+# Path to terraform templates.
+terraformTemplatesPath="scripts/environment-provisioning/aws/eks"
+# Path to terraform scripts.
+terraformPath=".terraform/eks"
+# Installs Rancher on EKS cluster if set to true
+if test -z ${installRancher}
+    installRancher=false
+fi
+# AWS Region where to provision resources.
+region=eu-west-1
+
+# Function that copies the script to test the application.
+function copyScript {
+    # Create .terraform/eks folder if it does not exist.
+    mkdir -p "${localDirectory}/${terraformPath}"
+
+    # Copy the terraform files.
+    cd "${hangarPath}/${terraformTemplatesPath}"
+    cp * "${localDirectory}/${terraformPath}"
+
+    # Copy the script for the DNS name into the directory.
+    cp "${hangarPath}/${commonTemplatesPath}/install-ingress-controller.sh" "${localDirectory}/${scriptFilePath}/install-ingress-controller.sh"
+
+    # Copy the script to install rancher into the directory.
+    cp "${hangarPath}/${templatesPath}/install-rancher.sh" "${localDirectory}/${scriptFilePath}/install-rancher.sh"
+
+    # Copy the script for the DNS name into the directory.
+    cp "${hangarPath}/${templatesPath}/obtain-dns.sh" "${localDirectory}/${scriptFilePath}/obtain-dns.sh"    
+
+}
+
+function addPipelineVariables {
+    export installRancher="$installRancher"
+    export region="$region"
+    envsubst '${pipelineName} ${clusterName} ${s3Bucket} ${s3KeyPath} ${installRancher} ${region}' < "${hangarPath}/${templatesPath}/${yamlFile}.template" > "${localDirectory}/${pipelinePath}/${yamlFile}"
+}
+
+
+function commitFiles {
+    # Add the terraform files.
+    git add .terraform -f
+
+    # Changing all files to be executable.
+    find .terraform -type f -name '*.sh' -exec git update-index --chmod=+x {} \;
+
+    # Git commit and push it into the repository.
+    git commit -m "Adding the terraform files"
+    git push -u origin ${sourceBranch}
+}
+
diff --git a/scripts/pipelines/github/templates/eks/eks-provisioning.yml.template b/scripts/pipelines/github/templates/eks/eks-provisioning.yml.template
@@ -0,0 +1,126 @@
+name: $pipelineName
+
+on: 
+  workflow_dispatch:
+    inputs:
+      cluster_name:
+        description: 'Name for the cluster.'
+        required: true
+        type: string
+        default: $clusterName
+      s3_bucket:
+        description: 'Name of the S3 bucket where the Terraform state of the cluster will be stored.'
+        required: true
+        type: string
+        default: $s3Bucket
+      s3_keypath:
+        description: 'Path within the S3 bucket where the Terraform state of the cluster will be stored.'
+        required: true
+        type: string
+        default: $s3KeyPath
+      aws_region:
+        description: 'AWS Region where to provision resources.'
+        required: true
+        type: string
+        default: $region
+      install_rancher:
+        description: 'Installs Rancher on EKS when set to true.'
+        required: true
+        type: string
+        default: $installRancher 
+      cluster_operation:
+        description: 'Operation to be performed on EKS Cluster. create or destroy'
+        required: false
+        type: string
+        default: 'create'           
+
+env:
+  TERRAFORM_WORKING_DIRECTORY: ".terraform/eks"
+
+jobs:
+  terraform-actions:
+    name: Provisioning EKS
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@master
+
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: ${{ github.event.inputs.aws_region }}
+
+    - name: Uninstall Helm charts
+      if: ${{ github.event.inputs.cluster_operation == 'destroy' }}     
+      id: uninstallhelmcharts
+      run: |
+        aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws eks update-kubeconfig --name ${{ github.event.inputs.cluster_name }} --region eu-west-1
+        helm list --all-namespaces
+        helm ls -a --all-namespaces | awk 'NR > 1 { print  "-n "$2, $1}' | xargs -L1 helm delete
+        echo 'LIST OF RELEASES AFTER HELM UNINSTALL..'
+        helm list --all-namespaces
+
+    - name: Terraform Init
+      if:     
+      id: init
+      working-directory: ${{ env.TERRAFORM_WORKING_DIRECTORY }}
+      run: terraform init -backend-config=bucket=${{ github.event.inputs.s3_bucket }} -backend-config=key=${{ github.event.inputs.s3_keypath }} -backend-config=region=${{ github.event.inputs.aws_region }}
+      continue-on-error: false
+
+    - name: Terraform Apply
+      if: ${{ github.event.inputs.cluster_operation == 'create' }}    
+      id: apply
+      working-directory: ${{ env.TERRAFORM_WORKING_DIRECTORY }}
+      run: terraform apply -var 'cluster_name=${{ github.event.inputs.cluster_name }}' --auto-approve
+      continue-on-error: false
+
+    - name: Terraform Destroy
+      if: ${{ github.event.inputs.cluster_operation == 'destroy' }}        
+      id: destroy
+      working-directory: ${{ env.TERRAFORM_WORKING_DIRECTORY }}
+      run: terraform apply -destroy -var 'cluster_name=${{ github.event.inputs.cluster_name }}' --auto-approve
+      continue-on-error: false
+
+    - name: Install NGINX Ingress controller
+      if: ${{ github.event.inputs.cluster_operation == 'create' }}    
+      id: installnginx
+      run: |      
+        aws eks update-kubeconfig --name ${{ github.event.inputs.cluster_name }} --region ${{ github.event.inputs.aws_region }}        
+        ../common/install-ingress-controller.sh
+
+    - name: Obtain Ingress Controller domain name
+      if: ${{ github.event.inputs.cluster_operation == 'create' }}    
+      id: obtaindns
+      run: | 
+       aws eks update-kubeconfig --name ${{ github.event.inputs.cluster_name }} --region ${{ github.event.inputs.aws_region }}
+       dnsname=$(./scripts/obtain-dns.sh)
+       echo "::set-output name=dnsname::$dnsname"
+
+    - name: Publish Ingress Controller domain name
+      if: ${{ github.event.inputs.cluster_operation == 'create' }}    
+      id: publishdns
+      run: |
+        cd .github
+        mkdir vars
+        cd vars
+        touch "eks_variables.env"
+        echo "cluster_name=${{ github.event.inputs.cluster_name }}" >> eks_variables.env
+        echo "dns_name=${{ steps.obtaindns.outputs.dnsname }}" >> eks_variables.env
+
+    - name: Push EKS variables
+      if: ${{ github.event.inputs.cluster_operation == 'create' }}
+      uses: EndBug/add-and-commit@v7
+      with:
+        default_author: github_actions
+        cwd: '.github/vars/'
+
+    - name: Install Rancher
+      id: installrancher
+      if: ${{ github.event.inputs.install_rancher == 'true' && github.event.inputs.cluster_operation == 'create'}}
+      run: |
+        ./scripts/install-rancher.sh ${{ steps.obtaindns.outputs.dnsname }}
+
diff --git a/scripts/pipelines/github/templates/eks/install-rancher.sh b/scripts/pipelines/github/templates/eks/install-rancher.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+helm repo add rancher-latest "https://releases.rancher.com/server-charts/latest"
+
+kubectl create namespace cattle-system
+
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.1/cert-manager.crds.yaml
+
+helm repo add jetstack https://charts.jetstack.io
+
+helm repo update
+
+# Install the cert-manager Helm chart
+helm install cert-manager "jetstack/cert-manager"  --namespace cert-manager --create-namespace --version v1.5.1
+
+helm install rancher "rancher-latest/rancher" --namespace cattle-system --set hostname="$1" --set replicas=3
diff --git a/scripts/pipelines/github/templates/eks/obtain-dns.sh b/scripts/pipelines/github/templates/eks/obtain-dns.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+dnsName=$(kubectl get svc --namespace nginx-ingress nginx-ingress-nginx-ingress-controller -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+while test -z "$dnsName"
+do
+    sleep 5s
+    dnsName=$(kubectl get svc --namespace nginx-ingress nginx-ingress-nginx-ingress-controller -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+done
+echo $dnsName