Migrate k8s-namespace and k8s-service-account modules

Author: yorinasub17

.circleci/config.yml

@@ -0,0 +1,151 @@
+defaults: &defaults
+  machine: true
+  environment:
+    GRUNTWORK_INSTALLER_VERSION: v0.0.21
+    TERRATEST_LOG_PARSER_VERSION: v0.13.13
+    KUBERGRUNT_VERSION: v0.1.4
+    MODULE_CI_VERSION: v0.13.3
+    TERRAFORM_VERSION: 0.11.8
+    TERRAGRUNT_VERSION: NONE
+    PACKER_VERSION: NONE
+    GOLANG_VERSION: 1.11.2
+    K8S_VERSION: v1.10.0  # Same as EKS
+    KUBECONFIG: /home/circleci/.kube/config
+    MINIKUBE_VERSION: v0.28.2  # See https://github.com/kubernetes/minikube/issues/2704
+    MINIKUBE_WANTUPDATENOTIFICATION: "false"
+    MINIKUBE_WANTREPORTERRORPROMPT: "false"
+    MINIKUBE_HOME: /home/circleci
+    CHANGE_MINIKUBE_NONE_USER: "true"
+
+# Install and setup minikube
+# https://github.com/kubernetes/minikube#linux-continuous-integration-without-vm-support
+setup_minikube: &setup_minikube
+  name: install kubectl and minikube
+  command: |
+    # install kubectl
+    curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/kubectl
+    chmod +x kubectl
+    sudo mv kubectl /usr/local/bin/
+    mkdir -p ${HOME}/.kube
+    touch ${HOME}/.kube/config
+
+    # Install minikube
+    curl -Lo minikube https://github.com/kubernetes/minikube/releases/download/${MINIKUBE_VERSION}/minikube-linux-amd64
+    chmod +x minikube
+    sudo mv minikube /usr/local/bin/
+
+    # start minikube and wait for it
+    # Ignore warnings on minikube start command, as it will log a warning due to using deprecated localkube
+    # bootstrapper. However, the localkube bootstrapper is necessary to run on CircleCI which doesn't have
+    # systemd.
+    sudo -E minikube start --vm-driver=none --kubernetes-version=${K8S_VERSION} --bootstrapper=localkube
+    # this for loop waits until kubectl can access the api server that Minikube has created
+    $(
+      for i in {1..150}; do # timeout for 5 minutes
+        kubectl get po &> /dev/null
+        if [ $? -ne 1 ]; then
+          break
+        fi
+        sleep 2
+      done
+      true
+    )
+
+install_gruntwork_utils: &install_gruntwork_utils
+  name: install gruntwork utils
+  command: |
+    curl -Ls https://raw.githubusercontent.com/gruntwork-io/gruntwork-installer/master/bootstrap-gruntwork-installer.sh | bash /dev/stdin --version "${GRUNTWORK_INSTALLER_VERSION}"
+    gruntwork-install --module-name "gruntwork-module-circleci-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "${MODULE_CI_VERSION}"
+    gruntwork-install --binary-name "terratest_log_parser" --repo "https://github.com/gruntwork-io/terratest" --tag "${TERRATEST_LOG_PARSER_VERSION}"
+    configure-environment-for-gruntwork-module \
+      --circle-ci-2-machine-executor \
+      --terraform-version ${TERRAFORM_VERSION} \
+      --terragrunt-version ${TERRAGRUNT_VERSION} \
+      --packer-version ${PACKER_VERSION} \
+      --use-go-dep \
+      --go-version ${GOLANG_VERSION} \
+      --go-src-path test \
+
+
+version: 2
+jobs:
+  setup:
+    <<: *defaults
+    steps:
+      - checkout
+      - restore_cache:
+          keys:
+          - dep-{{ checksum "test/Gopkg.lock" }}
+
+      # Install gruntwork utilities
+      - run:
+          <<: *install_gruntwork_utils
+
+      - save_cache:
+          key: dep-{{ checksum "test/Gopkg.lock" }}
+          paths:
+          - ./test/vendor
+
+      # Fail the build if the pre-commit hooks don't pass. Note: if you run pre-commit install locally, these hooks will
+      # execute automatically every time before you commit, ensuring the build never fails at this step!
+      - run: pip install pre-commit==1.11.2
+      - run: pre-commit install
+      - run: pre-commit run --all-files
+
+      - persist_to_workspace:
+          root: /home/circleci
+          paths:
+            - project
+            - terraform
+            - packer
+
+  integration_tests:
+    <<: *defaults
+    steps:
+      - attach_workspace:
+          at: /home/circleci
+
+      # The weird way you have to set PATH in Circle 2.0
+      - run: echo 'export PATH=$HOME/terraform:$HOME/packer:$PATH' >> $BASH_ENV
+
+      - run:
+          <<: *install_gruntwork_utils
+
+      - run:
+          <<: *setup_minikube
+
+      - run: 
+          name: Install kubergrunt
+          command: gruntwork-install --binary-name "kubergrunt" --repo "https://github.com/gruntwork-io/kubergrunt" --tag "${KUBERGRUNT_VERSION}"
+
+      # Execute main terratests
+      - run:
+          name: run integration tests
+          command: |
+            mkdir -p /tmp/logs
+            run-go-tests --path test --timeout 60m | tee /tmp/logs/all.log
+          no_output_timeout: 3600s
+
+      - run:
+          command: terratest_log_parser --testlog /tmp/logs/all.log --outputdir /tmp/logs
+          when: always
+      - store_artifacts:
+          path: /tmp/logs
+      - store_test_results:
+          path: /tmp/logs
+
+workflows:
+  version: 2
+  test-and-deploy:
+    jobs:
+    - setup:
+        filters:
+          tags:
+            only: /^v.*/
+
+    - integration_tests:
+        requires:
+          - setup
+        filters:
+          tags:
+            only: /^v.*/

examples/k8s-namespace-with-service-account/README.md

@@ -0,0 +1,22 @@
+# K8S Namespace with Service Account
+
+This folder shows an example of how to create a new namespace using the [`k8s-namespace`](/modules/k8s-namespace) module, and create two new `ServiceAccounts`:
+
+- One bound to `namespace-access-all` role
+- One bound to `namespace-access-read-only` role
+
+After this example you should have a new namespace with RBAC roles that can be used to grant read-write or read-only
+access to the namespace, and two `ServiceAccounts` that are bound to each of the roles.
+
+<!-- Maintainer's note: This example is primarily used for unit testing the underlying module -->
+
+## How do you run this example?
+
+To run this example, apply the Terraform templates:
+
+1. Install [Terraform](https://www.terraform.io/), minimum version: `0.9.7`.
+1. Install [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/).
+1. Open `variables.tf`, set the environment variables specified at the top of the file, and fill in any other variables
+   that don't have a default.
+1. Run `terraform init`.
+1. Run `terraform apply`.

examples/k8s-namespace-with-service-account/main.tf

@@ -0,0 +1,69 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# CREATE A NAMESPACE WITH DEFAULT RBAC ROLES AND SERVICE ACCOUNTS BOUND TO THE ROLES
+# These templates show an example of how to create a Kubernetes namespace with a set of default RBAC roles, and
+# ServiceAccounts that are bound to each default role.
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# CONFIGURE OUR KUBERNETES CONNECTIONS
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+provider "kubernetes" {
+  config_context = "${var.kubectl_config_context_name}"
+  config_path    = "${var.kubectl_config_path}"
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# CREATE THE NAMESPACE WITH RBAC ROLES
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+module "namespace" {
+  # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
+  # to a specific version of the modules, such as the following example:
+  # source = "git::git@github.com:gruntwork-io/package-k8s.git//modules/k8s-namespace?ref=v0.1.0"
+  source = "../../modules/k8s-namespace"
+
+  kubectl_config_context_name = "${var.kubectl_config_context_name}"
+  kubectl_config_path         = "${var.kubectl_config_path}"
+  name                        = "${var.name}"
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# CREATE THE SERVICE ACCOUNTS
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+module "service_account_access_all" {
+  # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
+  # to a specific version of the modules, such as the following example:
+  # source = "git::git@github.com:gruntwork-io/package-k8s.git//modules/k8s-service-account?ref=v0.1.0"
+  source = "../../modules/k8s-service-account"
+
+  kubectl_config_context_name = "${var.kubectl_config_context_name}"
+  kubectl_config_path         = "${var.kubectl_config_path}"
+  name                        = "${var.name}-admin"
+  namespace                   = "${module.namespace.name}"
+  rbac_roles                  = ["${module.namespace.rbac_access_all_role}"]
+
+  # How to tag the service account with a label
+  labels = {
+    role = "admin"
+  }
+}
+
+module "service_account_access_read_only" {
+  # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
+  # to a specific version of the modules, such as the following example:
+  # source = "git::git@github.com:gruntwork-io/package-k8s.git//modules/k8s-service-account?ref=v0.1.0"
+  source = "../../modules/k8s-service-account"
+
+  kubectl_config_context_name = "${var.kubectl_config_context_name}"
+  kubectl_config_path         = "${var.kubectl_config_path}"
+  name                        = "${var.name}-read-only"
+  namespace                   = "${module.namespace.name}"
+  rbac_roles                  = ["${module.namespace.rbac_access_read_only_role}"]
+
+  # How to tag the service account with a label
+  labels = {
+    role = "monitor"
+  }
+}

examples/k8s-namespace-with-service-account/outputs.tf

@@ -0,0 +1,24 @@
+output "name" {
+  description = "Name of the created namespace"
+  value       = "${module.namespace.name}"
+}
+
+output "rbac_access_all_role" {
+  description = "The name of the RBAC role that grants admin level permissions on the namespace."
+  value       = "${module.namespace.rbac_access_all_role}"
+}
+
+output "rbac_access_read_only_role" {
+  description = "The name of the RBAC role that grants read only permissions on the namespace."
+  value       = "${module.namespace.rbac_access_read_only_role}"
+}
+
+output "service_account_access_all" {
+  description = "The name of the ServiceAccount that has admin level permissions."
+  value       = "${module.service_account_access_all.name}"
+}
+
+output "service_account_access_read_only" {
+  description = "The name of the ServiceAccount that has read only level permissions."
+  value       = "${module.service_account_access_read_only.name}"
+}

examples/k8s-namespace-with-service-account/variables.tf

@@ -0,0 +1,18 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These variables are expected to be passed in by the operator
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "name" {
+  description = "Name of the namespace to be created"
+}
+
+variable "kubectl_config_context_name" {
+  description = "The config context to use when authenticating to the Kubernetes cluster. If empty, defaults to the current context specified in the kubeconfig file."
+  default     = ""
+}
+
+variable "kubectl_config_path" {
+  description = "The path to the config file to use for kubectl. If empty, defaults to $HOME/.kube/config"
+  default     = "~/.kube/config"
+}

modules/k8s-namespace/README.md

@@ -0,0 +1,103 @@
+# K8S Namespace Module
+
+This Terraform Module manages Kubernetes
+[`Namespaces`](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/). In addition to creating
+namespaces, this module will create a set of default RBAC roles restricted to that namespace. The following roles will
+be provided by this module:
+
+- `namespace-access-all`: Admin level permissions in the namespace. Ability to read, write, and delete all resources in
+  the namespace.
+- `namespace-access-read-only`: Read only permissions to all resources in the namespace.
+
+
+## How do you use this module?
+
+* See the [root README](/README.md) for instructions on using Terraform modules.
+* This module uses [the `kubernetes` provider](https://www.terraform.io/docs/providers/kubernetes/index.html).
+* See the [examples](/examples) folder for example usage.
+* See [variables.tf](./variables.tf) for all the variables you can set on this module.
+* See [outputs.tf](./outputs.tf) for all the variables that are outputed by this module.
+
+
+## What is a Namespace?
+
+A `Namespace` is a Kubernetes resource that can be used to create a virtual environment in your cluster to separate 
+resources. It allows you to scope resources in your cluster to provide finer grained permission control and resource
+quotas.
+
+For example, suppose that you have two different teams managing separate services independently, such that the team
+should not be allowed to update or modify the other teams' services. In such a scenario, you would use namespaces to
+separate the resources between each team, and implement RBAC roles that only grant access to the namespace if you reside
+in the team that manages it.
+
+To illustrate this, let's assume that we have a team that manages
+the application services related to the core product (named `core`) and another team managing analytics services (named
+`analytics`). Let's also assume that we have already created RBAC groups for each team, named `core-group` and
+`analytics-group`.
+
+We create the namespaces using this module:
+
+```
+module "core_namespace" {
+  source = "git::git@github.com:gruntwork-io/package-k8s.git//modules/k8s-namespace?ref=v0.1.0"
+  name = "core"
+}
+
+module "analytics_namespace" {
+  source = "git::git@github.com:gruntwork-io/package-k8s.git//modules/k8s-namespace?ref=v0.1.0"
+  name = "analytics"
+}
+```
+
+In addition to creating namespaces, this will also create a set of RBAC roles that can then be bound to user and group
+entities to explicitly grant permissions to access that namespace.
+
+We can then use `kubectl` to bind the roles to the groups:
+```
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: core-role-binding
+  namespace: core
+subjects:
+- kind: Group
+  name: core
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: core-access-all
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: analytics-role-binding
+  namespace: analytics
+subjects:
+- kind: Group
+  name: analytics
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: analytics-access-all
+  apiGroup: rbac.authorization.k8s.io
+```
+
+When we apply this config with `kubectl`, users that are associated with the `core` RBAC group can now create and access
+resources deployed in the `core` namespace, and the `analytics` group can access resources in the `analytics` namespace.
+However, members of the `core` team can not access resources in the `analytics` namespace and vice versa.
+
+To summarize, use namespaces to:
+
+- Implement finer grained access control over deployed resources.
+- Implement [resource quotas](https://kubernetes.io/docs/concepts/policy/resource-quotas/) to restrict how much of the
+  cluster can be utilized by each team.
+
+
+## Why is this a Terraform Module and not a Helm Chart?
+
+This module uses Terraform to manage the `Namespace` and RBAC role resources instead of using Helm to support the use case of
+setting up Helm. When setting up the Helm server, you will want to setup a `Namespace` and `ServiceAccount` for the Helm
+server to be deployed with. This leads to a chicken and egg problem, where the `Namespace` and `ServiceAccount` needs to
+be created before Helm is available for use. As such, we rely on Terraform to set these core resources up.