Merge pull request #2 from kaizentm/eedorenko/pr-to-caf

Eedorenko/pr to caf
Azure · Apr 12, 2021 · 0aefeb0 · 0aefeb0
2 parents 57f91bc + 8efdc95
commit 0aefeb0
Show file tree

Hide file tree

Showing 11 changed files with 27 additions and 82 deletions.
diff --git a/caf b/caf
diff --git a/enterprise_scale/construction_sets/aks/flux.tf b/enterprise_scale/construction_sets/aks/flux.tf
@@ -1,17 +1,17 @@
 provider "flux" {}
 
 provider "kubectl" {
- host                   = module.caf.aks_clusters == null ? null : module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host
- client_key             = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key)
- client_certificate     = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate)
- cluster_ca_certificate = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate)  
+ host                   = try(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host, null)
+ client_key             = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key), null)
+ client_certificate     = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate), null)
+ cluster_ca_certificate = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate), null)  
 }
 
 provider "kubernetes" {
- host                   = module.caf.aks_clusters == null ? null : module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host
- client_key             = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key)
- client_certificate     = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate)
- cluster_ca_certificate = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate)  
+ host                   = try(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host, null)
+ client_key             = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key), null)
+ client_certificate     = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate), null)
+ cluster_ca_certificate = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate), null)  
 }
 
 provider "github"  {

diff --git a/...ruction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/README.md b/...ruction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/README.md
@@ -10,6 +10,7 @@ This is the root of the GitOps configuration directory. These Kubernetes object
 * Kubernetes RBAC Role Assignments to Azure AD Principals
 * [Kured](#kured)
 * Ingress Network Policy
+* Flux (self-managing)
 * Azure Monitor Prometheus Scraping
 * Azure KeyVault Secret Store CSI Provider
 * Azure AD Pod Identity

diff --git a/...ction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/aad-pod-identity.yaml b/...ction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/aad-pod-identity.yaml
@@ -251,6 +251,7 @@ spec:
             memory: 256Mi
       nodeSelector:
         kubernetes.io/os: linux
+        agentpool: npuser01
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -315,6 +316,7 @@ spec:
           path: /etc/kubernetes/azure.json
       nodeSelector:
         kubernetes.io/os: linux
+        agentpool: npuser01
 ---
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzurePodIdentityException
@@ -361,4 +363,5 @@ metadata:
   namespace: kube-system
 spec:
   podLabels:
-    rsName: omsagent-rs
+    rsName: omsagent-rs
+
diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars
@@ -17,7 +17,7 @@ aks_clusters = {
       type = "SystemAssigned"
     }
 
-    kubernetes_version = "1.19.6"
+    kubernetes_version = "1.19.9"
     vnet_key           = "vnet_aks_re1"
 
     network_profile = {
@@ -67,7 +67,7 @@ aks_clusters = {
       node_count            = 3
       os_disk_type          = "Ephemeral"
       os_disk_size_gb       = 80
-      orchestrator_version  = "1.19.6"
+      orchestrator_version  = "1.19.9"
       tags = {
         "project" = "system services"
       }
@@ -86,7 +86,7 @@ aks_clusters = {
         os_disk_type          = "Ephemeral"
         enable_auto_scaling  = false
         os_disk_size_gb      = 120
-        orchestrator_version = "1.19.6"
+        orchestrator_version = "1.19.9"
         tags = {
           "project" = "user services"
         }

diff --git a/...ale/construction_sets/aks/online/aks_secure_baseline/configuration/resource_groups.tfvars b/...ale/construction_sets/aks/online/aks_secure_baseline/configuration/resource_groups.tfvars
@@ -1,36 +1,36 @@
 resource_groups = {
   aks_re1 = {
-    name   = "ef-aks-re1"
+    name   = "aks-re1"
     region = "region1"
   }
 
   agw_re1 = {
-    name   = "ef-agw-re1"
+    name   = "agw-re1"
     region = "region1"
   }
 
   vnet_hub_re1 = {
-    name   = "ef-vnet-hub-re1"
+    name   = "vnet-hub-re1"
     region = "region1"
   }
 
   aks_spoke_re1 = {
-    name   = "ef-aks_spoke_re1"
+    name   = "aks_spoke_re1"
     region = "region1"
   }
 
   ops_re1 = {
-    name   = "ef-ops_re1"
+    name   = "ops_re1"
     region = "region1"
   }
 
   devops_re1 = {
-    name   = "ef-devops_re1"
+    name   = "devops_re1"
     region = "region1"
   }
 
   jumpbox_re1 = {
-    name   = "ef-jumpbox_re1"
+    name   = "jumpbox_re1"
     region = "region1"
   }
 }
diff --git a/enterprise_scale/construction_sets/aks/scripts/launchpad.sh b/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
@@ -4,7 +4,7 @@ storage_name=$(az storage account list --query "[?tags.tfstate=='level0' && tags
 
 if [ "${storage_name}" = "null" ]; then 
     git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/public
-    /tf/rover/rover.sh -lz /tf/caf/public/landingzones/caf_launchpad -a apply -launchpad -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/launchpad
+    /tf/rover/rover.sh -lz /tf/caf/public/caf_launchpad -a apply -launchpad -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/launchpad
     storage_name=$(az storage account list --query "[?tags.tfstate=='level0' && tags.launchpad=='launchpad']" -o json | jq -r .[0].name)    
 fi  
 

diff --git a/enterprise_scale/construction_sets/aks/test/level1_foundation/ExpectedValues.yml b/enterprise_scale/construction_sets/aks/test/level1_foundation/ExpectedValues.yml
@@ -1,2 +1,2 @@
 keyVaultName: "kv-secrets"
-keyVaultResourceGroupName: "rg-ef-aks-re1"
+keyVaultResourceGroupName: "rg-aks-re1"
diff --git a/enterprise_scale/construction_sets/aks/test/level2_shared_services/ExpectedValues.yml b/enterprise_scale/construction_sets/aks/test/level2_shared_services/ExpectedValues.yml
@@ -1,2 +1,2 @@
 logWorkspaceName: "log-logs"
-logResourceGroupName: "rg-ef-ops_re1"
+logResourceGroupName: "rg-ops_re1"
diff --git a/enterprise_scale/construction_sets/aks/test/level3_aks/ExpectedValues.yml b/enterprise_scale/construction_sets/aks/test/level3_aks/ExpectedValues.yml
@@ -1,5 +1,5 @@
 ClusterName: "aks-akscluster-re1-001"
-ResourceGroupName: "rg-ef-aks-re1"
+ResourceGroupName: "rg-aks-re1"
 DefaultNodePoolName: "sharedsvc"
 UserNodepoolName: "npuser01"
 AgentCount: 3

diff --git a/test b/test