Flux service account : Kustomize Controller / Sops (#176)

* Update: Flux kustomize-controller for Sops Signed-off-by: Nicolas Lamirault <[email protected]> * Add manifests * Update: Flux kustomize-controller for Sops Signed-off-by: Nicolas Lamirault <[email protected]> * Add: KMS Encrypt/Decrypt for Terraform service account Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: kms and sops data Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: kms and sops data Signed-off-by: Nicolas Lamirault <[email protected]> * Update: rename Flux kustomize-controller service account for Sops Signed-off-by: Nicolas Lamirault <[email protected]> * Update: GKE Regular channel and machine type Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Flux version Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Sops configuration Signed-off-by: Nicolas Lamirault <[email protected]> Co-authored-by: flux <[email protected]>
portefaix · Mar 14, 2021 · 2f57da8 · 2f57da8
1 parent 97ccc78
commit 2f57da8
Show file tree

Hide file tree

Showing 19 changed files with 66 additions and 74 deletions.
diff --git a/.secrets/gcp/prod/kube-prometheus-stack/object-store.yaml b/.secrets/gcp/prod/kube-prometheus-stack/object-store.yaml
diff --git a/.secrets/gcp/prod/thanos/object-store.yaml b/.secrets/gcp/prod/thanos/object-store.yaml
diff --git a/clusters/gcp/prod/flux-system/gotk-sync.yaml b/clusters/gcp/prod/flux-system/gotk-sync.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
   interval: 1m0s
   ref:
-    branch: master
+    branch: feat/flux-service-account
   secretRef:
     name: flux-system
   url: ssh://[email protected]/nlamirault/portefaix

diff --git a/hack/gcp.mk b/hack/gcp.mk
@@ -101,6 +101,8 @@ gcp-terraform-sa: guard-ENV ## Create service account for Terraform (ENV=xxx)
 		--member serviceAccount:$(TF_SA_EMAIL) --role="roles/secretmanager.admin"
 	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) \
 		--member serviceAccount:$(TF_SA_EMAIL) --role="roles/cloudkms.admin"
+	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) \
+		--member serviceAccount:$(TF_SA_EMAIL) --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"
 	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) \
 		--member serviceAccount:$(TF_SA_EMAIL) --role="roles/dns.admin"
 

diff --git a/hack/gcp.prod.mk b/hack/gcp.prod.mk
@@ -21,4 +21,4 @@ CLUSTER_prod = portefaix-prod-cluster-gke
 KUBE_CONTEXT_prod = gke_portefaix-prod_europe-west1-c_portefaix-prod-cluster-gke
 
 SOPS_PROVIDER_prod = gcp-kms
-SOPS_KEY_prod = projects/portefaix-prod/locations/europe-west1/keyRings/portefaix-prod-sops/cryptoKeys/portefaix-prod-sops
+SOPS_KEY_prod = projects/portefaix-prod/locations/europe-west1/keyRings/portefaix-prod-sops/cryptoKeys/portefaix-prod-sops
diff --git a/hack/scripts/bootstrap.sh b/hack/scripts/bootstrap.sh
@@ -19,7 +19,7 @@ ERROR_COLOR="\e[31m"
 WARN_COLOR="\e[35m"
 
 # FLUX_VERSION=latest
-FLUX_VERSION=v0.4.3
+FLUX_VERSION=v0.7.6
 REPOSITORY=portefaix
 
 DEFAULT_BRANCH=master
@@ -36,13 +36,6 @@ echo "Branch used: ${BRANCH}"
 flux check --pre
 [[ $? -ne 0 ]] && echo "Prerequisites were not satisfied" && exit 1
 
-# if [[ -f .secrets/k8s-secret-sealed-secret-private-key.yaml ]]; then
-# 	echo "Deleting existing sealed-secret key"
-# 	kubectl delete secrets sealed-secrets-keyps54x -n kube-system
-# 	echo "Applying existing sealed-secret key"
-# 	kubectl apply -f .secrets/k8s-secret-sealed-secret-private-key.yaml
-# fi
-
 flux bootstrap github \
 		--components=source-controller,kustomize-controller,helm-controller,notification-controller \
 		--path=${ENV}/ \

diff --git a/iac/gcp/gke/terraform/.terraform.lock.hcl b/iac/gcp/gke/terraform/.terraform.lock.hcl
diff --git a/iac/gcp/gke/terraform/tfvars/prod.tfvars b/iac/gcp/gke/terraform/tfvars/prod.tfvars
@@ -100,10 +100,10 @@ auto_repair  = true
 node_pools = [
   {
     name                    = "core"
-    node_count              = 1
+    node_count              = 2
     min_node_count          = 0
     max_node_count          = 3
-    machine_type            = "n2d-standard-4"
+    machine_type            = "n2d-standard-8"
     disk_size_gb            = 100
     max_pods_per_node       = 110
     preemptible             = true

diff --git a/iac/gcp/sops/terraform/.terraform.lock.hcl b/iac/gcp/sops/terraform/.terraform.lock.hcl
diff --git a/iac/gcp/sops/terraform/tfvars/prod.tfvars b/iac/gcp/sops/terraform/tfvars/prod.tfvars
@@ -27,4 +27,4 @@ keyring_location = "europe-west1"
 # Workload Identity
 
 namespace       = "flux-system"
-service_account = "default"
+service_account = "kustomize-controller"
diff --git a/kubernetes/overlays/dev/flux-system/sops/service-account.yaml b/kubernetes/overlays/dev/flux-system/sops/service-account.yaml
@@ -2,7 +2,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  # annotations:
-  #   iam.gke.io/gcp-service-account: [email protected]
-  name: default
+  name: kustomize-controller
   namespace: flux-system
diff --git a/kubernetes/overlays/prod/dns/external-dns/secret.yaml b/kubernetes/overlays/prod/dns/external-dns/secret.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 data:
-    values.yaml: ENC[AES256_GCM,data:Ix8c6jh0xZ740W2JBy/KFa4piylCUnYg6hGObozPf8WKkbYy1u+6U2DaYLmof0N2VjbOSAEjc4iPFlUBUgPmU3J9Gi81Ew/ISmx8mFWsYl/F5QH3KAWtjxL/2E0/NHVAINZsfS4Ig9ivcis4zGZHeGJTGRqykJ91+qO9qjDosasPeddhy6eafuud3cBUdvm//MiBbWsZKq60Bofe13ubri1wXye1PLpyF83W8dk/edPWHQknLWRZVpKvdlM9LQPmqpm2fsfcW/H7NTT+0FJDwuRp/QfmOZuCHXz61FttDTk=,iv:G61p22AVrDvc2b25vrzrzJsqXHcz8hEGncORxh2tI6E=,tag:NDYbvysAGWhZlWy31qe6JQ==,type:str]
+    values.yaml: ENC[AES256_GCM,data:hmRDM4MGl3+VBoliCu4ymZrqI9MHAte7+dqdNfMpH7eO0dOHtbp8+DXOFzq2zEzQfHFzcU/BO1PUASV/5jgFedw1+jXH8S1BwuVkC7QEsn5Qi1OqVWdgAeb6R1dSj+odjcg1Nh8Hw0b4Kfr4LsWiMsdNAqu30pWljjY/LAAb6vTws23bj1kCAkkE49pYJ0YqBGn99qJvj2KZAEQpmZepJslf9LJAvDUlld4yX7/n76jZTRwTJ61VFL64KcVQ8K988wV1iAf9qdLiwFdm2ECRVCcZYKchDI60Qgh12UonxpY=,iv:qi+mHjt5uWMrYi9nBB2gFD7OID1Pu9nMOdtLd0S6aaU=,tag:V240EF2V3kuMjiBo0uJrEw==,type:str]
 kind: Secret
 metadata:
     creationTimestamp: null
@@ -10,12 +10,12 @@ sops:
     kms: []
     gcp_kms:
     -   resource_id: projects/portefaix-prod/locations/europe-west1/keyRings/portefaix-prod-sops/cryptoKeys/portefaix-prod-sops
-        created_at: '2020-12-06T09:42:40Z'
-        enc: CiQAq0sbAzB62dnmNaDWawOD3P8mJ3LJlN2cVyHbv8tC6FDy/oQSSQDwFPyUX9nyIAtC88fWKKe8xHMoo0yLVZnTpSSZfJufFAQDn5hi0EGF3XV/Rir3U9MT4xEuK3zmghoDkow9cFB2zUSA1IINNAE=
+        created_at: '2021-02-03T19:48:36Z'
+        enc: CiUAq0sbA6N/4x83v+Ve+Lc4IjCU1XaV600lXLpSJsN41R6+TgD7EkkA82zAKlhtnIvufTqOFRjBGe6XktqZJFHT56r14NiSroQYGZ2QakZfmfSi70Es9i0qOpUBd2oZ3v528vfh6wThd/G6i2U3xarq
     azure_kv: []
     hc_vault: []
-    lastmodified: '2020-12-06T09:42:41Z'
-    mac: ENC[AES256_GCM,data:a/+Zdq+MWMwJ47GnHKEttRCVXnpnPD3OjZDyN+n3qF+4zgKvxgKEfS0YP4pfPHYaHUsyw2kvegwm0fixQ9T2Dx2Wetyz3PKdglarJ3ba9qiJKsS6j5zkWI1nCWmksePLU21Gqa4sCt9vLbS6IXJRkHvTYtroRLItIyvkjAUuKVQ=,iv:H8FaunBTwJwNtDzft7ebwaVyNitM1KgIHSECa9BJbrM=,tag:KzPtzon7VZqKA8mtpNsn1A==,type:str]
+    lastmodified: '2021-02-03T19:48:36Z'
+    mac: ENC[AES256_GCM,data:S13BODajG5ukkLpthyKixQK/pPXDTCRpxis8J3TL30oQ4CpDzQ+5oRbpS12zKJ6JtZCwPv3Et55nniBAPZwgFYF804mRr0Ltreki0NXKlezGQJcMa1pljph74J5Fsj3Q81AoqGoAkhAJ74agKWSNy+qGda5kmU48dP9f0jLYf8Q=,iv:Cj+oLICIl9vdDRneugILcfxRjpUtNLjBU2QN6q1Ra/I=,tag:dvWl1BdphjuU9Ppzw/iLvQ==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)
     version: 3.6.1
diff --git a/kubernetes/overlays/prod/flux-system/sops/service-account.yaml b/kubernetes/overlays/prod/flux-system/sops/service-account.yaml
@@ -4,5 +4,5 @@ kind: ServiceAccount
 metadata:
   annotations:
     iam.gke.io/gcp-service-account: [email protected]
-  name: default
+  name: kustomize-controller
   namespace: flux-system