feat: Ephemeral cluster

packages/kyverno/enforce/exceptions/ephemeral-cluster.yaml

@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: ephemeral-cluster-operation
+  namespace: kyverno
+spec:
+  exceptions:
+    - policyName: disallow-privilege-escalation
+      ruleNames:
+        - privilege-escalation
+        - autogen-privilege-escalation
+    - policyName: disallow-capabilities-strict
+      ruleNames:
+        - require-drop-all
+        - autogen-require-drop-all
+    - policyName: require-run-as-nonroot
+      ruleNames:
+        - run-as-non-root
+        - autogen-run-as-non-root
+    - policyName: restrict-seccomp-strict
+      ruleNames:
+        - check-seccomp-strict
+        - autogen-check-seccomp-strict
+  match:
+    any:
+      - resources:
+          kinds:
+            - Pod
+            - Deployment
+            - ReplicaSet
+            - StatefulSet
+          namespaces:
+            - ephemeral-cluster
+          names: 
+            - "*"

platform/backstage/templates/catalog-info.yaml

@@ -26,6 +26,8 @@ spec:
     - ./stepfunctions-bedrock-terraform/template-stepfunctions-bedrock-terraform.yaml
     - ./apigw-sqs-terraform/template-apigw-sqs-terraform.yaml
     - ./eventbridge-to-lambda-terraform/template-eventbridge-to-lambda-terraform.yaml
+    - ./ephemeral-cluster/template-ephemeral-cluster.yaml
+
 ---
 apiVersion: backstage.io/v1alpha1
 kind: System
@@ -34,4 +36,4 @@ metadata:
   description: Holds system information i.e, hostname, IP, OS, etc
 spec:
   owner: guest
-  hostname: HOSTNAME
+  hostname: modern-engg-591204cb6d7471ff.elb.us-west-2.amazonaws.com #HOSTNAME

platform/backstage/templates/ephemeral-cluster/template-ephemeral-cluster.yaml

@@ -0,0 +1,78 @@
+apiVersion: scaffolder.backstage.io/v1beta3
+kind: Template
+metadata:
+  description: Create a ephemeral kubernetes cluster
+  name: ephemeral-cluster
+  title: Ephemeral Kubernetes Cluster
+spec:
+  owner: guest
+  type: service
+  parameters:
+    - properties:
+        tfVars:
+          title: Terraform variables
+          properties:
+            name:
+              title: Name of the ephemeral cluster
+              type: string
+            aws_region:
+              description: AWS Region
+              type: string
+          required:
+            - name
+            - aws_region
+          type: object
+        adminRoleName:
+          description: Name of the role to give the administrative rights
+          title: Admin role name
+          type: string
+        namespace:
+          default: flux-system
+          title: Existing namespace to create this resource
+          type: string
+      title: Configuration options
+  steps:
+    - id: fetchSystem
+      name: Fetch System
+      action: catalog:fetch
+      input:
+        entityRef: system:default/system-info
+    - action: fetch:template
+      id: fetch-base
+      input:
+        url: ./template-ephemeral-cluster/
+        values:
+          adminRoleName: ${{parameters.adminRoleName}}
+          name: ${{parameters.tfVars.name}}
+          namespace: ${{parameters.namespace}}
+          tfVars: ${{parameters.tfVars}}
+      name: Fetch Base
+    - id: publish
+      name: Publishing to a gitea git repository
+      action: publish:gitea
+      input:
+        description: Example of ephemeral cluster
+        repoUrl: ${{ steps['fetchSystem'].output.entity.spec.hostname }}/gitea?repo=${{parameters.tfVars.name}}
+        defaultBranch: main
+    - id: create-argocd-app
+      name: Create ArgoCD App
+      action: cnoe:create-argocd-app
+      input:
+        appName: ${{parameters.tfVars.name}}
+        appNamespace: ${{parameters.namespace}}
+        argoInstance: in-cluster
+        projectName: default
+        # necessary until we generate our own cert
+        repoUrl: http://my-gitea-http.gitea.svc.cluster.local:3000/giteaAdmin/${{parameters.tfVars.name}}
+        path: "manifests"
+    - id: register
+      name: Register
+      action: catalog:register
+      input:
+        repoContentsUrl: ${{ steps['publish'].output.repoContentsUrl }}
+        catalogInfoPath: 'catalog-info.yaml'
+  output:
+    links:
+      - title: Open in catalog
+        icon: catalog
+        entityRef: ${{ steps['register'].output.entityRef }}

platform/backstage/templates/ephemeral-cluster/template-ephemeral-cluster/catalog-info.yaml

@@ -0,0 +1,12 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: ephemeral-cluster-${{values.name}}
+  annotations:
+    backstage.io/kubernetes-namespace: ${{values.namespace}}
+    backstage.io/kubernetes-id: ephemeral-cluster-${{values.name}}
+    argocd/app-name: ${{values.name | dump}}
+spec:
+  type: service
+  lifecycle: experimental
+  owner: guest

platform/backstage/templates/ephemeral-cluster/template-ephemeral-cluster/manifests/application-ephemeral-cluster.yaml

@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ${{values.name}}-ephemeral-cluster
+  namespace: argocd
+  labels:
+    cnoe.io/stackName: ${{values.name}}-ephemeral-cluster
+    cnoe.io/applicationName: ${{values.name}}-ephemeral-cluster-helm
+spec:
+  project: default
+  source:
+    chart: vcluster
+    repoURL: https://charts.loft.sh
+    targetRevision: 0.24.0
+    helm:
+      valuesObject:
+        sync:
+          fromHost:
+            nodes:
+              enabled: true
+            storageClasses:
+              enabled: true
+        controlPlane:
+          advanced:
+            virtualScheduler:
+              enabled: true
+          statefulSet:
+            persistence:
+              volumeClaim:
+                storageClass: "gp3"
+            scheduling:
+              podManagementPolicy: OrderedReady
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: ${{values.name}}-ephemeral-cluster
+  syncPolicy:
+    automated: {}
+    syncOptions:
+    - CreateNamespace=true

platform/infra/terraform/argo-examples/dev-argoconnect.tf

@@ -5,11 +5,11 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0.0"
+      version = "~> 5.0"
     }
     kubectl = {
       source  = "alekc/kubectl"
-      version = ">= 2.0.0"
+      version = "~> 2.0"
     }
   }
 }

platform/infra/terraform/bootstrap/main.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0.0"
+      version = "~> 5.0"
     }
   }
 }
@@ -100,4 +100,4 @@ module "managed_grafana" {
   saml_idp_metadata_url   = var.grafana_keycloak_idp_url
 
   tags = local.tags
-}
+}

platform/infra/terraform/dev/main.tf

@@ -6,12 +6,17 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0.0"
+      version = "~> 5.0"
     }
     kubectl = {
       source  = "alekc/kubectl"
-      version = ">= 2.0.0"
+      version = "~> 2.0"
     }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.9"
+    }
+
   }
 }
 

platform/infra/terraform/mgmt/terraform/mgmt-cluster/day2-ops/versions.tf

@@ -4,23 +4,23 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.17"
+      version = "~> 5.17"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = ">= 2.23"
+      version = "~> 2.23"
     }
     random = {
       source  = "hashicorp/random"
-      version = ">= 3.5.1"
+      version = "~> 3.5"
     }
     kubectl = {
       source  = "alekc/kubectl"
-      version = ">= 2.0.0"
+      version = "~> 2.0"
     }
     http = {
       source  = "hashicorp/http"
-      version = ">= 3.4.4"
+      version = "~> 3.4"
     }
   }
 }

platform/infra/terraform/mgmt/terraform/mgmt-cluster/main.tf

@@ -4,11 +4,11 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.34"
+      version = "~> 5.34"
     }
     helm = {
       source  = "hashicorp/helm"
-      version = ">= 2.9"
+      version = "~> 2.9"
     }
   }
 }
@@ -81,4 +81,4 @@ resource "aws_cloudformation_stack" "usage_tracking" {
       }
     }
   })
-}
+}

platform/infra/terraform/mgmt/terraform/versions.tf

@@ -4,23 +4,23 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.17"
+      version = "~> 5.17"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = ">= 2.23"
+      version = "~> 2.23"
     }
     random = {
       source  = "hashicorp/random"
-      version = ">= 3.5.1"
+      version = "~> 3.5"
     }
     kubectl = {
       source  = "alekc/kubectl"
-      version = ">= 2.0.0"
+      version = "~> 2.0"
     }
     http = {
       source  = "hashicorp/http"
-      version = ">= 3.4.4"
+      version = "~> 3.4"
     }
   }
 }

platform/infra/terraform/post-deploy/dev-argoconnect.tf

@@ -6,11 +6,11 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0.0"
+      version = "~> 5.0"
     }
     kubectl = {
       source  = "alekc/kubectl"
-      version = ">= 2.0.0"
+      version = "~> 2.0"
     }
   }
 }

platform/infra/terraform/prod/main.tf

@@ -6,11 +6,15 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0.0"
+      version = "~> 5.0"
     }
     kubectl = {
       source  = "alekc/kubectl"
-      version = ">= 2.0.0"
+      version = "~> 2.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.9"
     }
   }
 }