Skip to content

Refactor workshop to make deployment simpler #316

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 126 commits into
base: riv25
Choose a base branch
from
Open

Refactor workshop to make deployment simpler #316

wants to merge 126 commits into from
+4,357 −890

Conversation

punkwalker
Copy link

Issue #, if available:
N/A
Description of changes:

Overview

This PR introduces a comprehensive refactoring of workshop infrastructure, focusing on improved deployment
automation, enhanced security configurations, and streamlined cluster management.

Key Changes

🏗️ Infrastructure Refactoring

Separated cluster creation from bootstrap process for better modularity
Added dedicated cluster deployment scripts (platform/infra/terraform/cluster/)
Enhanced Terraform configuration with improved locals, variables, and provider management
Consolidated GitLab infrastructure deployment with dedicated terraform module

🔧 Script Improvements

Refactored deployment scripts with improved error handling and logging
Added comprehensive utility functions (scripts/utils.sh, argocd-utils.sh, backstage-utils.sh)
Enhanced initialization process with 0-init.sh and improved URL generation

🔐 Security & Authentication

Enhanced Keycloak configuration with improved client management and role assignments
Improved external secrets management with better secret store configurations
Added pod identity management with comprehensive IAM role configurations
Enhanced ArgoCD security with PKCE configuration and improved secret handling

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@shapirov103
Copy link
Contributor

added @allamand and @hmuthusamy for review as they had a lot of changes as well.
@punkwalker please resolve the conflicts in this PR

hmuthusamy
hmuthusamy reviewed Oct 1, 2025
View reviewed changes
gitops/addons/charts/keycloak/templates/secret-gen.yaml
name: keycloak-config
creationPolicy: Owner
deletionPolicy: Retain
deletionPolicy: Retain
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to keep the secret after the external secret is deleted?

Copy link
Author

@punkwalker punkwalker Oct 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was being retained in riv25, so did not change it but if we agree that it should be removed, we can change the deletionPolicy

hmuthusamy
hmuthusamy reviewed Oct 1, 2025
View reviewed changes
allamand
allamand reviewed Oct 1, 2025
View reviewed changes
gitops/fleet/members/fleet-spoke-dev/values.yaml Outdated
# tenant: tenant1
# fleet_member: dev
# #TODO I think this is not used here, but already stored in the secret
# enable_cert_manager: "true"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok so this file is enabled by default now. How we defines the addons to install on spoke cluster ?

Copy link
Author

@punkwalker punkwalker Oct 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now generating this file during init. However, enabling the addon comes from spoke cluster secret directly. The values in secret are managed from platform/infra/terraform/hub-config.yaml

@punkwalker
enable ack IAM:
cb9902b 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
wip decouple the deployment
5ab723e 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
make gitlab nlb private and use vpc origin
eda5af0 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
combine resource creation in terraform
6d3d1cc 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
enable keycloak argocd and eso for hub
a7c58d4 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
reset default addons.yaml
46d03ee 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
fix ack workload roles
c36f56c 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
configure argocd for PKCE
034d9ae 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
fix keycloak-config job
9a97fe2 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
fix keycloak-config job
89e69e4 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
fix keycloak-config job cluster-name
12cbe8e 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
remove refresh interval from keycloak-config externalsecret
b093029 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
fix keycloak-config job json payload
2f3a47f 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
make argocd keycloak client public
a768f78 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
try refreshPolicy: OnChange for keycloak externalsecret
f267b19 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
try spec.refreshPolicy: OnChange for keycloak externalsecret
ecaecf3 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
bum external secret to 0.19.2
9aaef2b 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
disable external-secrets
d5ff9e1 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
enable external-secrets
c8f1e45 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
bump external secret resources to v1
6f681a9 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
remove CAProvider.namespace from SecretStore
945182d 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
make keycloak admin and db password predictable
4a3398b 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
remove refreshPolicy: OnChange from keycloak external secrets
b3cfd71 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
try PushSecret for keycloak-clients
a909d4e 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
fix delete_argocd_apps
f93b514
@punkwalker
add cleanup logic
1c9b379 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
add webhook cleanup logic
8a65709 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
fix destroy.sh of boostrap
996094b 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
fix destroy.sh of boostrap
881ffcd 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
refactor scripts
2a46c8a 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
refactor scripts
8d77840 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
refactor scripts
dfa28dd 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
refactor scripts
2f66322 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
address review comments
4f2de57 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
generate spoke cluster secrets during bootstrap
fc9ccfd 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
Restore gitops/fleet/members folder that was deleted during cherry-pick
2cf8fd9
@punkwalker
Keep gitops/fleet/members as empty folders with .gitkeep files
9969577
@punkwalker
generate spoke cluster secrets during bootstrap
a036abc 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
address review comments
5a82b25 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
revert rebase values
1e9c979 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
revert rebase outputs
a6f4462 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
unused code cleanup
4a059eb 
Signed-off-by: Pankaj Walke <[email protected]>
@punkwalker
unused code cleanup
22ef85b 
Signed-off-by: Pankaj Walke <[email protected]>
hmuthusamy
hmuthusamy approved these changes Oct 2, 2025
View reviewed changes
Copy link
Collaborator

@hmuthusamy hmuthusamy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Lets cleanup once merged

platform/infra/terraform/common/gitlab_infra/versions.tf
# Backend configuration provided via CLI parameters
backend "s3" {
# bucket and provided via -backend-config
key = "gitlabinfra/terraform.tfstate"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be a var?

platform/infra/terraform/common/secrets.tf
# Store both hash and key in a single file to avoid regenerating on each run
locals {
# Update password_expiry for password and key rotation
password_expiry = "2025-12-31"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we make it indefinite post RIV?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@allamand allamand allamand left review comments

@hmuthusamy hmuthusamy hmuthusamy approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@punkwalker @shapirov103 @allamand @hmuthusamy