diff --git a/deploy b/deploy
index fa20bef..9a5dbe1 100755
--- a/deploy
+++ b/deploy
@@ -5,8 +5,8 @@ set -o pipefail
-DEPLOY_MODE="flux"
-readonly DEPLOY_MODE
+FLUX_MANIFEST_PATH="clusters/minikube"
+readonly FLUX_MANIFEST_PATH
 APP_NAMESPACE="app"
 readonly APP_NAMESPACE
 SECSCAN_NAMESPACE="security-scan"
@@ -26,71 +26,66 @@ readonly PROM_STACK_CHART_VERSION TRIVY_CHART_VERSION="0.18.4" readonly TRIVY_CHART_VERSION +mkdir -p "${FLUX_MANIFEST_PATH}" + # Create namespaces kubectl create namespace "${APP_NAMESPACE}" kubectl create namespace "${MONITORING_NAMESPACE}" kubectl create namespace "${SECSCAN_NAMESPACE}" -# Add Deployments / Helm Charts either via fluxcd or Helm -if [ "flux" == $DEPLOY_MODE ]; then - # Add Helm Charts via Flux HelmRelease CRD - printf "Using flux to create HelmRelease\n" - # App - # Add a git repository as source for Helm Charts - ./flux create source git e2m \ - --url=https://git.e2m.io/mue/obch \ - --branch dev \ - --namespace "${APP_NAMESPACE}" - # Add a Helm OCI repository as source for Helm Charts - ./flux create source helm bitnami \ - --url=oci://registry-1.docker.io/bitnamicharts \ - --namespace "${APP_NAMESPACE}" - ./flux create helmrelease pgsql-ha \ - --chart postgresql-ha \ - --chart-version "${PGSQLHA_CHART_VERSION}" \ - --source HelmRepository/bitnami \ - --namespace "${APP_NAMESPACE}" - ./flux create helmrelease gtfso-import \ - --chart charts/gtfso-import \ - --namespace ${APP_NAMESPACE} \ - --source GitRepository/e2m - ./flux create helmrelease gtfso-vbb \ - --chart charts/gtfso-vbb \ - --namespace ${APP_NAMESPACE} \ - --source GitRepository/e2m - # Monitoring - ./flux create source helm prometheus-community \ - --url=https://prometheus-community.github.io/helm-charts \ - --namespace "${MONITORING_NAMESPACE}" - ./flux create helmrelease prometheus \ - --chart kube-prometheus-stack \ - --chart-version "${PROM_STACK_CHART_VERSION}" \ - --namespace "${MONITORING_NAMESPACE}" \ - --source=HelmRepository/prometheus-community - # Vulnerability Scan - ./flux create source helm aqua \ - --url https://aquasecurity.github.io/helm-charts/ \ - --namespace "${SECSCAN_NAMESPACE}" - ./flux create helmrelease trivy \ - --chart trivy-operator \ - --chart-version "${TRIVY_CHART_VERSION}" \ - --namespace "${SECSCAN_NAMESPACE}" \ - 
--source=HelmRepository/aqua -elif [ "helm" == $DEPLOY_MODE ]; then - # Add Helm Charts via Helm - printf "Using Helm to install Charts\n" - # App - helm install pgsql-ha "${PGSQLHA_OCI_URL}" \ - --version "${PGSQLHA_CHART_VERSION}" \ - --namespace "${APP_NAMESPACE}" - helm install gtfso-import charts/gtfso-import \ - --version "${GTFSO_IMPORT_CHART_VERSION}" \ - --namespace "${APP_NAMESPACE}" - helm install gtfso-vbb charts/gtfso-vbb \ - --version "${GTFSO_VBB_CHART_VERSION}" \ - --namespace "${APP_NAMESPACE}" - # Monitoring - helm repo add prometheus-community https://prometheus-community.github.io/helm-charts - helm repo update - helm install prometheus prometheus-community/kube-prometheus-stack -fi +# Add Deployments / Helm Charts via fluxcd +# Add Helm Charts via Flux HelmRelease CRD +printf "Using flux to create Sources and HelmReleases\n" +# App +# Add a git repository as source for Helm Charts +./flux create source git e2m \ + --url=https://git.e2m.io/mue/obch \ + --branch dev \ + --namespace "${APP_NAMESPACE}" \ + --export > "${FLUX_MANIFEST_PATH}/source_e2m.yaml" + +# Add a Helm OCI repository as source for Helm Charts +./flux create source helm bitnami \ + --url=oci://registry-1.docker.io/bitnamicharts \ + --namespace "${APP_NAMESPACE}" \ + --export > "${FLUX_MANIFEST_PATH}/source_bitnami.yaml" +./flux create helmrelease pgsql-ha \ + --chart postgresql-ha \ + --chart-version "${PGSQLHA_CHART_VERSION}" \ + --source HelmRepository/bitnami \ + --namespace "${APP_NAMESPACE}" \ + --export > "${FLUX_MANIFEST_PATH}/pgsql-ha.yaml" +./flux create helmrelease gtfso-import \ + --chart charts/gtfso-import \ + --namespace ${APP_NAMESPACE} \ + --source GitRepository/e2m \ + --export > "${FLUX_MANIFEST_PATH}/gtfso-import.yaml" +./flux create helmrelease gtfso-vbb \ + --chart charts/gtfso-vbb \ + --namespace ${APP_NAMESPACE} \ + --source GitRepository/e2m \ + --export > "${FLUX_MANIFEST_PATH}/gtfso-vbb.yaml" + +# Monitoring +./flux create source helm 
prometheus-community \ + --url=https://prometheus-community.github.io/helm-charts \ + --namespace "${MONITORING_NAMESPACE}" \ + --export > "${FLUX_MANIFEST_PATH}"/source_prometheus.yaml +./flux create helmrelease prometheus \ + --chart kube-prometheus-stack \ + --chart-version "${PROM_STACK_CHART_VERSION}" \ + --namespace "${MONITORING_NAMESPACE}" \ + --source=HelmRepository/prometheus-community \ + --export > "${FLUX_MANIFEST_PATH}/prometheus-stack.yaml" + +# Vulnerability Scan +./flux create source helm aqua \ + --url https://aquasecurity.github.io/helm-charts/ \ + --namespace "${SECSCAN_NAMESPACE}" \ + --export > "${FLUX_MANIFEST_PATH}/source_trivy.yaml" +./flux create helmrelease trivy \ + --chart trivy-operator \ + --chart-version "${TRIVY_CHART_VERSION}" \ + --namespace "${SECSCAN_NAMESPACE}" \ + --source=HelmRepository/aqua \ + --export > "${FLUX_MANIFEST_PATH}/trivy.yaml" diff --git a/setup-cluster b/setup-cluster index b0e8274..76f8447 100755 --- a/setup-cluster +++ b/setup-cluster @@ -1,6 +1,6 @@ #!/usr/bin/env bash # -# Setup a local minikube cluster +# Setup a local k8s minikube cluster # with k8s dashboard and flux # @@ -39,14 +39,15 @@ readonly VERBOSE minikube_driver="podman" +# We prefer podman but Ubuntu's podman is too old if [[ $(grep '^ID=' /etc/os-release | awk -F'=' '{print $2}') == "ubuntu" ]]; then minikube_driver="docker" fi # Start minikube -if ! $(minikube status) or $(minikube status | grep Nonexistent\|Stopped); then +if ! $(minikube status | grep Nonexistent\|Stopped); then printf 'minikube is not running\nStarting minikube..' - if (( 0=="${VERBOSE}" )); then + if [[ 0 == "${VERBOSE}" ]]; then minikube start --driver="${minikube_driver}" else minikube start --driver="${minikube_driver}" --alsologtostderr -v=7 
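Review bot: Every `--export > "${FLUX_MANIFEST_PATH}/….yaml"` redirection in this hunk truncates the target before `./flux create` runs, so a failing flux invocation leaves an empty manifest behind, and unless `set -e` is enabled above the hunk (only `pipefail` is visible in the first hunk) the script carries on and whatever later consumes `clusters/minikube` presumably gets those empty files. Guard each command, e.g. `./flux create helmrelease trivy … --export > "${FLUX_MANIFEST_PATH}/trivy.yaml" || exit 1`, or write to a temp file and `mv` it into place on success. The GitRepository source pins only `--branch dev` while every Helm source carries a `--chart-version`, so any push to `dev` silently changes the deployed `gtfso-import`/`gtfso-vbb` charts; `--tag` or `--commit` on `flux create source git` would make the exported manifest reproducible. The two `--namespace ${APP_NAMESPACE}` lines (gtfso-import, gtfso-vbb) and `"${FLUX_MANIFEST_PATH}"/source_prometheus.yaml` quote differently from the rest of the hunk; use `--namespace "${APP_NAMESPACE}"` and `"${FLUX_MANIFEST_PATH}/source_prometheus.yaml"` for consistency. The aqua HelmRepository is exported to `source_trivy.yaml`, which breaks the `source_<name>.yaml` pattern used for e2m, bitnami and prometheus — `source_aqua.yaml` would keep the convention.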
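Review bot: `if ! $(minikube status | grep Nonexistent\|Stopped); then` still executes grep's output as a command, and because the unquoted `\|` reaches grep as a literal `|` (not BRE alternation) the pattern cannot match, so the `if` is decided by the failed substitution's exit status and the start branch is taken on every run. The added `!` also inverts the intent: a match on Stopped/Nonexistent is exactly the case in which minikube should be started. `minikube status` already exits non-zero when the profile is stopped or missing, so `if ! minikube status >/dev/null 2>&1; then` expresses the check without parsing output and behaves correctly under `pipefail`. The `if` block's closing `fi` lies outside the hunk.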
@@ -62,26 +63,25 @@ kubectl cluster-info # Deploy k8s dashboard if [[ $(kubectl get pods -A -o wide | grep kubernetes-dashboard | grep Running) ]]; then printf "Installing k8s dashboard\n" - minikube addons enable metrics-server + # The metrics server collides with kube-prometheus-stack + #minikube addons enable metrics-server minikube dashboard & else printf 'k8s dashboard is already running\n' fi -# Install terraform if not in PATH -# or local version enforced -if ! $(which terraform) or 1=="$TF_FORCE_LOCAL"; then +# Install flux if local version enforced +if [[ "$TF_FORCE_LOCAL" = 1 ]]; then printf "Fetching terraform archive..\n" curl -LO "${TF_URL}" - unzip -o "${TF_ARCHIVE}" + unzip "${TF_ARCHIVE}" TF_CMD="./terraform" else TF_CMD="terraform" fi -# Install flux if not in PATH -# or local version enforced -if ! $(which flux) ] or 1=="$FLUX_FORCE_LOCAL"; then +# Install flux if local version enforced +if [[ "$FLUX_FORCE_LOCAL" = 1 ]]; then printf "Fetching flux archive..\n" curl -LO "${FLUX_URL}" tar xf "${FLUX_ARCHIVE}"
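Review bot: The comment on the first rewritten block reads `# Install flux if local version enforced` but the block fetches terraform and sets `TF_CMD`; it should read `# Install terraform if local version enforced`. Dropping `-o` from `unzip "${TF_ARCHIVE}"` makes a second run prompt interactively when `terraform` already exists in the working directory (or fail when stdin is not a terminal), so keep `unzip -o "${TF_ARCHIVE}"`. Both download paths run `curl -LO` and unpack straight into the working directory without checking the archive against the publisher's release checksums, and without `curl -f` an HTTP error body would be saved and unpacked as the archive; verify the SHA-256 before `unzip`/`tar xf`, since the unpacked binaries are what `TF_CMD` and the `./flux` calls in deploy presumably execute. The old `which terraform`/`which flux` fallback is gone, so with `TF_FORCE_LOCAL`/`FLUX_FORCE_LOCAL` unset and the tool absent from PATH the script proceeds with `TF_CMD="terraform"` and fails later; if that fallback is still wanted, `if [[ "${TF_FORCE_LOCAL:-0}" = 1 ]] || ! command -v terraform >/dev/null 2>&1; then` restores it and also tolerates `set -u`.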