PLAT-9091 - Updated rke, rancher, tools

.circleci/config.yml

@@ -0,0 +1,55 @@
+# CircleCI 2.1 configuration file
+# Check https://circleci.com/docs/2.0/sample-config/ for more details
+#
+version: 2.1
+
+orbs:
+  terraform: circleci/terraform@3.6.0
+
+executors:
+  trivy:
+    docker:
+      - image: aquasec/trivy:0.60.0
+    environment:
+      ENV_FILE: /tmp/workspace/.env
+      WORKSPACE: /tmp/workspace
+
+jobs:
+  terraform_fmt:
+    description: Check terraform format
+    executor: terraform/default
+    working_directory: /tmp/workspace
+    steps:
+      - checkout
+      - terraform/init:
+          path: .
+      - terraform/validate:
+          path: .
+      - terraform/fmt:
+          path: .
+  scan:
+    executor: trivy
+    steps:
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Install trivy
+          command: |
+            apk add --update-cache --upgrade curl
+            curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+      - run:
+          name: Scan filesystem
+          command: |
+            trivy fs --include-non-failures --misconfig-scanners terraform \
+            --exit-code 0 --no-progress \
+            --scanners vuln,secret,config --severity CRITICAL,HIGH,MEDIUM,LOW \
+            --output "trivy-results.json" --format json --ignore-unfixed .
+      - store_artifacts:
+          path: trivy-results.json
+          destination: trivy_output
+
+workflows:
+  Lint and Scan:
+    jobs:
+    - terraform_fmt
+    - scan

.pre-commit-config.yaml

@@ -0,0 +1,27 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+      - id: no-commit-to-branch
+      - id: check-case-conflict
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.97.4
+    hooks:
+      - id: terraform_validate
+        args:
+          - '--hook-config=--retry-once-with-cleanup=true'
+      - id: terraform_providers_lock
+        args:
+          - --tf-init-args=-upgrade
+      - id: terraform_docs
+        args:
+          - '--args=--lockfile=false'
+          - '--hook-config=--path-to-file=README.md'
+          - '--hook-config=--add-to-existing-file=true'
+          - '--hook-config=--create-file-if-not-exist=true'
+      - id: terraform_fmt
+      - id: terraform_tflint
+        args:
+          - '--args=--config=__GIT_WORKING_DIR__/.tflint.hcl'

.tflint.hcl

@@ -0,0 +1,6 @@
+plugin "aws" {
+  enabled = true
+  deep_check = false
+  version = "0.38.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}

README.md

@@ -1,5 +1,7 @@
 # terraform-aws-rancher
 
+**Note:** This module provisions Rancher clusters using RKE2 and containerd (not RKE1 or Docker).
+
 Terraform module which creates an HA deployment of Rancher inside AWS using [RanchHand](https://github.com/dominodatalab/ranchhand).
 
 ## Usage
@@ -64,4 +66,5 @@ module "rancher" {
 ```
 
 ## Development
+
 Please submit any feature enhancements, bug fixes, or ideas via pull requests or issues.

cloud-init/rke2-agent.yaml

@@ -0,0 +1,16 @@
+#cloud-config
+package_update: true
+
+write_files:
+  - path: /etc/rancher/rke2/config.yaml
+    content: |
+      server: ${server_url}
+      token: ${rke2_token}
+      node-label:
+        - "node-type=worker"
+    permissions: '0600'
+
+runcmd:
+  - curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE="agent" sh -
+  - systemctl enable rke2-agent.service
+  - systemctl start rke2-agent.service

cloud-init/rke2-server.yaml

@@ -0,0 +1,29 @@
+#cloud-config
+package_update: true
+
+packages:
+  - curl
+  - wget
+
+write_files:
+  - path: /etc/rancher/rke2/config.yaml
+    content: |
+      token: ${rke2_token}
+      %{ if server_url != "" }server: ${server_url}%{ endif }
+      tls-san:
+        - ${server_url}
+      node-taint:
+        - "${node_taint}"
+      cni: ${cni}
+      cluster-cidr: ${cluster_cidr}
+      service-cidr: ${service_cidr}
+      etcd-expose-metrics: true
+    permissions: '0600'
+
+runcmd:
+  - curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE="server" sh -
+  - systemctl enable rke2-server.service
+  - systemctl start rke2-server.service
+  - mkdir -p /home/ubuntu/.kube
+  - cp /etc/rancher/rke2/rke2.yaml /home/ubuntu/.kube/config
+  - chown ubuntu:ubuntu /home/ubuntu/.kube/config

cortex.yaml

@@ -0,0 +1,18 @@
+openapi: 3.0.1
+info:
+  title: terraform-aws-rancher
+  description: Terraform module to deploy Rancher on AWS
+  x-cortex-tag: terraform-aws-rancher
+  x-cortex-type: service
+  x-cortex-git:
+    github:
+      alias: cortex
+      repository: dominodatalab/terraform-aws-rancher
+  x-cortex-owners:
+    - name: eng-distributions
+      type: group
+      provider: OKTA
+      description: Updated by eng-devprod
+  x-cortex-circle-ci:
+    projects:
+      - projectSlug: github/dominodatalab/terraform-aws-rancher

data.tf

@@ -0,0 +1,42 @@
+data "template_file" "rke2_server_userdata" {
+  template = file("${path.module}/cloud-init/rke2-server.yaml")
+  vars = {
+    cluster_cidr = local.cluster_cidr
+    cni          = var.cni_plugin
+    node_taint   = var.node_taint
+    rke2_token   = var.rke2_token
+    server_url   = var.rke2_server_url # Only for additional servers
+    service_cidr = local.service_cidr
+  }
+}
+
+data "template_file" "rke2_agent_userdata" {
+  template = file("${path.module}/cloud-init/rke2-agent.yaml")
+  vars = {
+    cluster_cidr = local.cluster_cidr
+    cni          = var.cni_plugin
+    node_taint   = var.node_taint
+    rke2_token   = var.rke2_token
+    server_url   = var.rke2_server_url # Only for additional servers
+    service_cidr = local.service_cidr
+  }
+}
+
+data "aws_ami" "ubuntu" {
+  most_recent = true
+  owners      = ["099720109477"] # Canonical
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/${var.node_os_version}-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+}
+
+data "aws_vpc" "this" {
+  id = var.vpc_id
+}

locals.tf

@@ -0,0 +1,19 @@
+locals {
+  vpc_cidrs = data.aws_vpc.this.cidr_block_associations[*].cidr_block
+  vpc_id    = data.aws_vpc.this.id
+
+  ami_id = var.ami != "" ? var.ami : data.aws_ami.ubuntu.id
+
+  # Per https://docs.rke2.io/reference/https://docs.rke2.io/reference/server_config
+  # these values must be the same on all servers in the cluster
+  agent_token              = var.rke2_token != "" ? var.rke2_token : random_string.rke2_token.result
+  cluster_cidr             = var.cluster_cidr != "" ? var.cluster_cidr : "10.42.0.0/16"
+  cluster_dns              = var.cluster_dns != "" ? var.cluster_dns : "10.43.0.10"
+  cluster_domain           = var.cluster_domain
+  disable_cloud_controller = false
+  disable_kube_proxy       = false
+  egress_selector_mode     = "agent"
+  service_cidr             = var.service_cidr != "" ? var.service_cidr : "10.43.0.0/16"
+
+  tags = merge(var.tags)
+}