Add Spegel to AKS and EKS (#936)

XenitAB · Feb 14, 2023 · ea6c5ee · ea6c5ee
1 parent 770d2c1
commit ea6c5ee
Show file tree

Hide file tree

Showing 13 changed files with 129 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,8 +9,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
 
 - [#934](https://github.com/XenitAB/terraform-modules/pull/934) Add certificate permissions for resource group AAD group.
-
 - [#906](https://github.com/XenitAB/terraform-modules/pull/906) Add support for kubernetes 1.25 in Azure.
+- [#936](https://github.com/XenitAB/terraform-modules/pull/936) Add Spegel to AKS and EKS.
 
 ### Changed
 

diff --git a/modules/kubernetes/README.md b/modules/kubernetes/README.md
@@ -34,6 +34,7 @@ This directory contains all the Kubernetes Terraform modules.
 - [`control-plane-logs`](control-plane-logs/README.md)
 - [`helm-crd`](helm-crd/README.md)
 - [`helm-crd-oci`](helm-crd-oci/README.md)
+- [`spegel`](spegel/README.md)
 
 ## Style Guide
 

diff --git a/modules/kubernetes/aks-core/README.md b/modules/kubernetes/aks-core/README.md
@@ -58,6 +58,7 @@ This module is used to create AKS clusters.
 | <a name="module_prometheus_crd"></a> [prometheus\_crd](#module\_prometheus\_crd) | ../../kubernetes/helm-crd | n/a |
 | <a name="module_promtail"></a> [promtail](#module\_promtail) | ../../kubernetes/promtail | n/a |
 | <a name="module_reloader"></a> [reloader](#module\_reloader) | ../../kubernetes/reloader | n/a |
+| <a name="module_spegel"></a> [spegel](#module\_spegel) | ../../kubernetes/spegel | n/a |
 | <a name="module_trivy"></a> [trivy](#module\_trivy) | ../../kubernetes/trivy | n/a |
 | <a name="module_trivy_crd"></a> [trivy\_crd](#module\_trivy\_crd) | ../../kubernetes/helm-crd | n/a |
 | <a name="module_velero"></a> [velero](#module\_velero) | ../../kubernetes/velero | n/a |
@@ -151,6 +152,7 @@ This module is used to create AKS clusters.
 | <a name="input_promtail_config"></a> [promtail\_config](#input\_promtail\_config) | Configuration for promtail | <pre>object({<br>    azure_key_vault_name = string<br>    identity = object({<br>      client_id   = string<br>      resource_id = string<br>      tenant_id   = string<br>    })<br>    loki_address        = string<br>    excluded_namespaces = list(string)<br>  })</pre> | <pre>{<br>  "azure_key_vault_name": "",<br>  "excluded_namespaces": [],<br>  "identity": {<br>    "client_id": "",<br>    "resource_id": "",<br>    "tenant_id": ""<br>  },<br>  "loki_address": ""<br>}</pre> | no |
 | <a name="input_promtail_enabled"></a> [promtail\_enabled](#input\_promtail\_enabled) | Should promtail be enabled | `bool` | `false` | no |
 | <a name="input_reloader_enabled"></a> [reloader\_enabled](#input\_reloader\_enabled) | Should Reloader be enabled | `bool` | `true` | no |
+| <a name="input_spegel_enabled"></a> [spegel\_enabled](#input\_spegel\_enabled) | Should Spegel be enabled | `bool` | `true` | no |
 | <a name="input_subscription_name"></a> [subscription\_name](#input\_subscription\_name) | The commonName for the subscription | `string` | n/a | yes |
 | <a name="input_trivy_config"></a> [trivy\_config](#input\_trivy\_config) | Configuration for trivy | <pre>object({<br>    client_id   = string<br>    resource_id = string<br>  })</pre> | n/a | yes |
 | <a name="input_trivy_enabled"></a> [trivy\_enabled](#input\_trivy\_enabled) | Should trivy be enabled | `bool` | `true` | no |

diff --git a/modules/kubernetes/aks-core/modules.tf b/modules/kubernetes/aks-core/modules.tf
@@ -21,6 +21,7 @@ locals {
     "grafana-agent",
     "promtail",
     "prometheus",
+    "spegel",
   ]
 }
 
@@ -650,3 +651,15 @@ module "node_ttl" {
 
   status_config_map_namespace = "kube-system"
 }
+
+module "spegel" {
+  depends_on = [module.opa_gatekeeper]
+
+  for_each = {
+    for s in ["spegel"] :
+    s => s
+    if var.spegel_enabled
+  }
+
+  source = "../../kubernetes/spegel"
+}
diff --git a/modules/kubernetes/aks-core/variables.tf b/modules/kubernetes/aks-core/variables.tf
@@ -506,6 +506,11 @@ variable "node_ttl_enabled" {
   default     = true
 }
 
+variable "spegel_enabled" {
+  description = "Should Spegel be enabled"
+  type        = bool
+  default     = true
+}
 
 variable "control_plane_logs_enabled" {
   description = "Should Control plan be enabled"

diff --git a/modules/kubernetes/eks-core/README.md b/modules/kubernetes/eks-core/README.md
@@ -51,6 +51,7 @@ This module is used to configure EKS clusters.
 | <a name="module_prometheus_crd"></a> [prometheus\_crd](#module\_prometheus\_crd) | ../../kubernetes/helm-crd | n/a |
 | <a name="module_promtail"></a> [promtail](#module\_promtail) | ../../kubernetes/promtail | n/a |
 | <a name="module_reloader"></a> [reloader](#module\_reloader) | ../../kubernetes/reloader | n/a |
+| <a name="module_spegel"></a> [spegel](#module\_spegel) | ../../kubernetes/spegel | n/a |
 | <a name="module_trivy"></a> [trivy](#module\_trivy) | ../../kubernetes/trivy | n/a |
 | <a name="module_trivy_crd"></a> [trivy\_crd](#module\_trivy\_crd) | ../../kubernetes/helm-crd | n/a |
 | <a name="module_velero"></a> [velero](#module\_velero) | ../../kubernetes/velero | n/a |
@@ -131,6 +132,7 @@ This module is used to configure EKS clusters.
 | <a name="input_promtail_config"></a> [promtail\_config](#input\_promtail\_config) | Configuration for promtail | <pre>object({<br>    role_arn            = string<br>    loki_address        = string<br>    excluded_namespaces = list(string)<br>  })</pre> | <pre>{<br>  "excluded_namespaces": [],<br>  "loki_address": "",<br>  "role_arn": ""<br>}</pre> | no |
 | <a name="input_promtail_enabled"></a> [promtail\_enabled](#input\_promtail\_enabled) | Should promtail be enabled | `bool` | `false` | no |
 | <a name="input_reloader_enabled"></a> [reloader\_enabled](#input\_reloader\_enabled) | Should Reloader be enabled | `bool` | `true` | no |
+| <a name="input_spegel_enabled"></a> [spegel\_enabled](#input\_spegel\_enabled) | Should Spegel be enabled | `bool` | `true` | no |
 | <a name="input_subscription_name"></a> [subscription\_name](#input\_subscription\_name) | The commonName for the subscription | `string` | n/a | yes |
 | <a name="input_trivy_config"></a> [trivy\_config](#input\_trivy\_config) | Configuration for trivy-operator & trivy | <pre>object({<br>    trivy_operator_role_arn = string<br>    trivy_role_arn          = string<br>  })</pre> | n/a | yes |
 | <a name="input_trivy_enabled"></a> [trivy\_enabled](#input\_trivy\_enabled) | Should trivy be enabled | `bool` | `false` | no |

diff --git a/modules/kubernetes/eks-core/modules.tf b/modules/kubernetes/eks-core/modules.tf
@@ -13,7 +13,8 @@ locals {
     "prometheus",
     "reloader",
     "velero",
-    "promtail"
+    "promtail",
+    "spegel"
   ]
   dns_zone = {
     for dns in data.aws_route53_zone.this :
@@ -525,3 +526,15 @@ module "node_ttl" {
 
   status_config_map_namespace = "cluster-autoscaler"
 }
+
+module "spegel" {
+  depends_on = [module.opa_gatekeeper]
+
+  for_each = {
+    for s in ["spegel"] :
+    s => s
+    if var.spegel_enabled
+  }
+
+  source = "../../kubernetes/spegel"
+}
diff --git a/modules/kubernetes/eks-core/variables.tf b/modules/kubernetes/eks-core/variables.tf
@@ -397,3 +397,9 @@ variable "node_ttl_enabled" {
   type        = bool
   default     = true
 }
+
+variable "spegel_enabled" {
+  description = "Should Spegel be enabled"
+  type        = bool
+  default     = true
+}
diff --git a/modules/kubernetes/spegel/README.md b/modules/kubernetes/spegel/README.md
@@ -0,0 +1,37 @@
+# Spegel
+
+This module is used to add [spegel](https://github.com/XenitAB/spegel) to Kubernetes clusters.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | 2.6.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | 2.13.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.6.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.13.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
+| [kubernetes_namespace.this](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/namespace) | resource |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/modules/kubernetes/spegel/main.tf b/modules/kubernetes/spegel/main.tf
@@ -0,0 +1,38 @@
+/**
+  * # Spegel
+  *
+  * This module is used to add [spegel](https://github.com/XenitAB/spegel) to Kubernetes clusters.
+  */
+
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.13.1"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "2.6.0"
+    }
+  }
+}
+
+resource "kubernetes_namespace" "this" {
+  metadata {
+    name = "sepgel"
+    labels = {
+      name                = "spegel"
+      "xkf.xenit.io/kind" = "platform"
+    }
+  }
+}
+
+resource "helm_release" "this" {
+  chart       = "oci://ghcr.io/xenitab/helm-charts/spegel"
+  name        = "spegel"
+  namespace   = kubernetes_namespace.this.metadata[0].name
+  version     = "v0.0.3"
+  max_history = 3
+}
diff --git a/modules/kubernetes/spegel/outputs.tf b/modules/kubernetes/spegel/outputs.tf
diff --git a/modules/kubernetes/spegel/variables.tf b/modules/kubernetes/spegel/variables.tf
@@ -0,0 +1 @@
+
diff --git a/validation/kubernetes/spegel/main.tf b/validation/kubernetes/spegel/main.tf
@@ -0,0 +1,9 @@
+terraform {}
+
+provider "kubernetes" {}
+
+provider "helm" {}
+
+module "spegel" {
+  source = "../../../modules/kubernetes/spegel"
+}