From 11329e0f350d34955906f0dce9647d59de8f679d Mon Sep 17 00:00:00 2001 
From: jackstockley89 Date: Wed, 5 Feb 2025 14:39:53 +0000 Subject: [PATCH] feat: New Namespace testing (DO NOT MERGE) --- .../jacksapp-test/00-namespace.yaml | 16 ++++++ .../jacksapp-test/01-rbac.yaml | 13 +++++ .../jacksapp-test/02-limitrange.yaml | 14 +++++ .../jacksapp-test/03-resourcequota.yaml | 8 +++ .../jacksapp-test/04-networkpolicy.yaml | 27 ++++++++++ .../jacksapp-test/resources/ecr.tf | 38 +++++++++++++ .../jacksapp-test/resources/main.tf | 23 ++++++++ .../jacksapp-test/resources/route53.tf | 25 +++++++++ .../jacksapp-test/resources/serviceaccount.tf | 10 ++++ .../jacksapp-test/resources/variables.tf | 54 +++++++++++++++++++ .../jacksapp-test/resources/versions.tf | 17 ++++++ 11 files changed, 245 insertions(+) create mode 100644 namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/00-namespace.yaml create mode 100644 namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/01-rbac.yaml create mode 100644 namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/02-limitrange.yaml create mode 100644 namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/03-resourcequota.yaml create mode 100644 namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/04-networkpolicy.yaml create mode 100644 namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/ecr.tf create mode 100644 namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/main.tf create mode 100644 namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/route53.tf create mode 100644 namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/serviceaccount.tf create mode 100644 namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/variables.tf create mode 100644 namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/versions.tf 
diff --git a/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/00-namespace.yaml b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/00-namespace.yaml
new file mode 100644
index 00000000000..99c0acc16b4
--- /dev/null
+++ b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/00-namespace.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: jacksapp-test
+ labels:
+ cloud-platform.justice.gov.uk/is-production: "false"
+ cloud-platform.justice.gov.uk/environment-name: "test"
+ pod-security.kubernetes.io/enforce: restricted
+ annotations:
+ cloud-platform.justice.gov.uk/business-unit: "Platforms"
+ cloud-platform.justice.gov.uk/slack-channel: "cloud-platform"
+ cloud-platform.justice.gov.uk/application: "jack kube learning"
+ cloud-platform.justice.gov.uk/owner: "Cloud Platform: platforms@digital.justice.gov.uk"
+ cloud-platform.justice.gov.uk/source-code: "https://github.com/ministryofjustice/cloud-platform-helloworld-ruby-app"
+ cloud-platform.justice.gov.uk/team-name: "webops"
+ cloud-platform.justice.gov.uk/review-after: "2022-06-15"
diff --git a/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/01-rbac.yaml b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/01-rbac.yaml
new file mode 100644
index 00000000000..a21927fbf6a
--- /dev/null
+++ b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/01-rbac.yaml
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: jacksapp-dev-admin
+ namespace: jacksapp-test
+subjects:
+ - kind: Group
+ name: "github:webops"
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: admin
+ apiGroup: rbac.authorization.k8s.io
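Review bot: The `cloud-platform.justice.gov.uk/review-after: "2022-06-15"` annotation at the end of 00-namespace.yaml is already more than two years in the past relative to the commit date, so the namespace would be flagged for review the moment it lands; set it to a date after creation, e.g. `cloud-platform.justice.gov.uk/review-after: "<YYYY-MM-DD, constructed>"`. The `environment-name: "test"` label also disagrees with the `environment` variable default of "development" in variables.tf and the "jacksapp-devs" zone name in route53.tf, so tags on the AWS resources will not match the namespace labels; pick one environment name and use it in all three places. The `pod-security.kubernetes.io/enforce: restricted` label is the right baseline for a new namespace and worth keeping as-is.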
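Review bot: The RoleBinding in 01-rbac.yaml is named `jacksapp-dev-admin` while it lives in, and grants access to, namespace `jacksapp-test`; renaming it `jacksapp-test-admin` keeps the object name in step with the namespace and the other manifests in this directory. Binding `github:webops` to the `admin` ClusterRole also lets every member of that group read all Secrets in the namespace, which after this commit includes the ECR access key pair written by ecr.tf, so the group membership is effectively the access list for those credentials; a one-line comment stating that, `# admin grants read access to all Secrets in this namespace, including the ECR keys from resources/ecr.tf`, would make the review intent explicit.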
diff --git a/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/02-limitrange.yaml b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/02-limitrange.yaml
new file mode 100644
index 00000000000..801b50403c0
--- /dev/null
+++ b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/02-limitrange.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: limitrange
+ namespace: jacksapp-test
+spec:
+ limits:
+ - default:
+ cpu: 1000m
+ memory: 1000Mi
+ defaultRequest:
+ cpu: 10m
+ memory: 100Mi
+ type: Container
diff --git a/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/03-resourcequota.yaml b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/03-resourcequota.yaml
new file mode 100644
index 00000000000..4ade4895be3
--- /dev/null
+++ b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/03-resourcequota.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: namespace-quota
+ namespace: jacksapp-test
+spec:
+ hard:
+ pods: "50"
diff --git a/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/04-networkpolicy.yaml b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/04-networkpolicy.yaml
new file mode 100644
index 00000000000..c915d7fe9f2
--- /dev/null
+++ b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/04-networkpolicy.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default
+ namespace: jacksapp-test
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector: {}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-ingress-controllers
+ namespace: jacksapp-test
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ component: ingress-controllers
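Review bot: Both NetworkPolicy objects in 04-networkpolicy.yaml list only `Ingress` under `policyTypes`, so nothing in this commit constrains outbound traffic from the namespace, while the pods in it will hold the ECR access keys and Route 53 zone id that the Terraform writes into Secrets. If unrestricted egress is the platform default for a test namespace, a short comment on the `default` policy saying so, `# Ingress only: egress is intentionally left open in this namespace`, would stop the next reader from assuming it was overlooked; otherwise add an `Egress` entry with an explicit allow list. The `default` policy's `from: - podSelector: {}` admits traffic from any pod in this namespace only, which reads as intended.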
diff --git a/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/ecr.tf b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/ecr.tf
new file mode 100644
index 00000000000..1a73bcba6b0
--- /dev/null
+++ b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/ecr.tf
@@ -0,0 +1,38 @@
+/*
+ * Make sure that you use the latest version of the module by changing the
+ * `ref=` value in the `source` attribute to the latest version listed on the
+ * releases page of this repository.
+ *
+ */
+module "ecr_credentials" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=5.1.1"
+ team_name = var.team_name
+ repo_name = "${var.namespace}-live-2-ecr"
+
+ /*
+ By default scan_on_push is set to true. When this is enabled then all images pushed to the repo are scanned for any security
+ / software vulnerabilities in your image and the results can be viewed in the console. For further details, please see:
+ https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
+ To disable 'scan_on_push', set it to false as below:
+ scan_on_push = "false"
+ */
+
+ # Uncomment and provide repository names to create github actions secrets
+ # containing the ECR name, AWS access key, and AWS secret key, for use in
+ # github actions CI/CD pipelines
+ # github_repositories = ["my-repo"]
+}
+
+resource "kubernetes_secret" "ecr_credentials" {
+ metadata {
+ name = "ecr-repo-${var.namespace}-live-2"
+ namespace = var.namespace
+ }
+
+ data = {
+ access_key_id = module.ecr_credentials.access_key_id
+ secret_access_key = module.ecr_credentials.secret_access_key
+ repo_arn = module.ecr_credentials.repo_arn
+ repo_url = module.ecr_credentials.repo_url
+ }
+}
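Review bot: The `kubernetes_secret.ecr_credentials` resource at the bottom of ecr.tf copies a static `access_key_id`/`secret_access_key` pair into a namespace Secret, so the key's lifetime is tied to the namespace and every principal with Secret read access in `jacksapp-test` (the `admin` binding in 01-rbac.yaml) can retrieve it. If the `cloud-platform-terraform-ecr-credentials` module at the pinned `ref=5.1.1` offers a keyless or OIDC-based alternative that is the safer choice for a learning namespace; if not, add a comment above the resource recording who rotates the key and how often, since nothing in this commit documents that. The in-module comment block describes `scan_on_push` as defaulting to true but shows the override as the string `"false"`; if the module input is a bool, the example should read `scan_on_push = false` so a copy-paste does not rely on implicit conversion.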
diff --git a/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/main.tf b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/main.tf
new file mode 100644
index 00000000000..8c3fa83f6d0
--- /dev/null
+++ b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/main.tf
@@ -0,0 +1,23 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+provider "aws" {
+ region = "eu-west-2"
+}
+
+provider "aws" {
+ alias = "london"
+ region = "eu-west-2"
+}
+
+provider "aws" {
+ alias = "ireland"
+ region = "eu-west-1"
+}
+
+provider "github" {
+ token = var.github_token
+ owner = var.github_owner
+}
diff --git a/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/route53.tf b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/route53.tf
new file mode 100644
index 00000000000..5f1d3899a1b
--- /dev/null
+++ b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/route53.tf
@@ -0,0 +1,25 @@
+resource "aws_route53_zone" "route53_zone" {
+ name = "jacksapp-devs.service.justice.gov.uk"
+
+ tags = {
+ team_name = var.team_name
+ business-unit = var.business_unit
+ application = var.application
+ is-production = var.is_production
+ environment-name = var.environment
+ owner = var.team_name
+ infrastructure-support = var.infrastructure_support
+ namespace = var.namespace
+ }
+}
+
+resource "kubernetes_secret" "route53_zone_sec" {
+ metadata {
+ name = "jacksapp-route53-zone-output"
+ namespace = var.namespace
+ }
+
+ data = {
+ zone_id = aws_route53_zone.route53_zone.zone_id
+ }
+}
diff --git a/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/serviceaccount.tf b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/serviceaccount.tf
new file mode 100644
index 00000000000..1f875b2a692
--- /dev/null
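Review bot: The hosted zone in route53.tf is named `jacksapp-devs.service.justice.gov.uk` while the namespace, the Secret names and every other identifier in this commit use `jacksapp-test`, so the zone will be hard to trace back to its namespace from the AWS side; unless "devs" is a deliberate shared zone, `name = "jacksapp-test.service.justice.gov.uk"` keeps the naming consistent. In the same resource the `owner` tag is set to `var.team_name`, duplicating the `team_name` tag, whereas the namespace annotation in 00-namespace.yaml records an owner contact address; tagging `owner = var.infrastructure_support` would carry the same contact through to the AWS resource. The `tags` key style is also mixed (`team_name` with an underscore, the rest hyphenated), which is worth normalising before this template is copied again.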
+++ b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/serviceaccount.tf
@@ -0,0 +1,10 @@
+module "serviceaccount" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-serviceaccount?ref=1.0.0"
+
+ namespace = var.namespace
+ kubernetes_cluster = var.kubernetes_cluster
+
+ # Uncomment and provide repository names to create github actions secrets
+ # containing the ca.crt and token for use in github actions CI/CD pipelines
+ # github_repositories = [""]
+}
diff --git a/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/variables.tf b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/variables.tf
new file mode 100644
index 00000000000..31851d50a64
--- /dev/null
+++ b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/variables.tf
@@ -0,0 +1,54 @@
+variable "vpc_name" {
+}
+
+
+variable "kubernetes_cluster" {
+}
+
+variable "application" {
+ description = "Name of Application you are deploying"
+ default = "jack kube learning"
+}
+
+variable "namespace" {
+ default = "jacksapp-test"
+}
+
+variable "business_unit" {
+ description = "Area of the MOJ responsible for the service."
+ default = "Platforms"
+}
+
+variable "team_name" {
+ description = "The name of your development team"
+ default = "webops"
+}
+
+variable "environment" {
+ description = "The type of environment you're deploying to."
+ default = "development"
+}
+
+variable "infrastructure_support" {
+ description = "The team responsible for managing the infrastructure. Should be of the form team-email."
+ default = "platforms@digital.justice.gov.uk"
+}
+
+variable "is_production" {
+ default = "false"
+}
+
+variable "slack_channel" {
+ description = "Team slack channel to use if we need to contact your team"
+ default = "cloud-platform"
+}
+
+variable "github_owner" {
+ description = "The GitHub organization or individual user account containing the app's code repo. Used by the Github Terraform provider. See: https://user-guide.cloud-platform.service.justice.gov.uk/documentation/getting-started/ecr-setup.html#accessing-the-credentials"
+ default = "ministryofjustice"
+}
+
+variable "github_token" {
+ description = "Required by the Github Terraform provider"
+ default = ""
+}
diff --git a/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/versions.tf b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/versions.tf
new file mode 100644
index 00000000000..6db1f5e71e3
--- /dev/null
+++ b/namespaces/live-2.cloud-platform.service.justice.gov.uk/jacksapp-test/resources/versions.tf
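Review bot: `variable "github_token"` at the end of variables.tf holds the credential that main.tf passes to the github provider, but it is not marked sensitive, so its value is printed in plan and apply output and in any error that echoes the variable; since versions.tf requires Terraform >= 1.2.5 the attribute is available, so add `sensitive = true` inside that block. The first two variables, `vpc_name` and `kubernetes_cluster`, have neither a description nor a default, unlike every other variable here; a one-line description on each, such as `description = "Name of the VPC the namespace runs in (supplied by the pipeline)"`, would tell the next reader where the value is expected to come from. `is_production` defaults to the string `"false"` and `environment` to `"development"`, which do not match the `is-production: "false"` / `environment-name: "test"` labels in 00-namespace.yaml; align the environment value and consider declaring `is_production` with `type = bool` if the consuming tags accept it.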
@@ -0,0 +1,17 @@
+terraform {
+ required_version = ">= 1.2.5"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.27.0"
+ }
+ github = {
+ source = "integrations/github"
+ version = "~> 5.17.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.18.0"
+ }
+ }
+}
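Review bot: versions.tf pins each provider with a `~>` patch-level constraint, but the diffstat for this commit lists eleven files and no `.terraform.lock.hcl`, so the provider checksums that would make these constraints reproducible are not recorded here; unless the repository deliberately keeps lock files out of namespace directories, the lock file generated by `terraform init` belongs in the same commit. `required_version = ">= 1.2.5"` has no upper bound, which is fine for a test namespace but means a future major Terraform release will be accepted without review; `">= 1.2.5, < 2.0.0"` states the tested range explicitly.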