Working protoype

Author: yorinasub17

.gitignore

@@ -21,6 +21,9 @@ build/
 */build/
 out/
 
+# Module artifacts
+os.txt
+
 # Go best practices dictate that libraries should not include the vendor directory
 vendor
 

README.md

@@ -39,16 +39,26 @@ This repo provides a Gruntwork IaC Package and has the following folder structur
   all the security best practices.
 * [modules](/modules): This folder contains the main implementation code for this Module, broken down into multiple
   standalone Submodules.
+
+  The primary module is:
+
+    * [k8s-tiller](/modules/k8s-tiller): Deploy Tiller with all the security features turned on. This includes using
+      `Secrets` for storing state and enabling TLS verification.
+
+    The deployed Tiller requires TLS certificate key pairs to operate. Additionally, clients will each need to their
+    own TLS certificate key pairs to authenticate to the deployed Tiller instance. This is based on [kubergrunt model of
+    deploying helm](https://github.com/gruntwork-io/kubergrunt/blob/master/HELM_GUIDE.md).
+
+    There are also several supporting modules that help with setting up the deployment:
+
+    * [k8s-namespace](/modules/k8s-namespace): Provision a Kubernetes `Namespace` with a default set of RBAC roles.
+    * [k8s-namespace-roles](/modules/k8s-namespace-roles): Provision a default set of RBAC roles to use in a `Namespace`.
+    * [k8s-service-account](/modules/k8s-service-account): Provision a Kubernetes `ServiceAccount`.
+
 * [examples](/examples): This folder contains examples of how to use the Submodules. The [example root
   README](/examples/README.md) provides a quickstart guide on how to use the Submodules in this Module.
 * [test](/test): Automated tests for the Submodules and examples.
 
-The following submodules are available in this module:
-
-- [k8s-namespace](/modules/k8s-namespace): Provision a Kubernetes `Namespace` with a default set of RBAC roles.
-- [k8s-namespace-roles](/modules/k8s-namespace-roles): Provision a default set of RBAC roles to use in a `Namespace`.
-- [k8s-service-account](/modules/k8s-service-account): Provision a Kubernetes `ServiceAccount`.
-
 
 ## What is Kubernetes?
 

examples/k8s-tiller-minikube/README.md

@@ -204,16 +204,21 @@ to implementing the functionalities using pure Terraform providers. This approac
   `destroy`.
 
 That said, we decided to use this approach because of limitations in the existing providers to implement the
-functionalities here in pure Terraform code:
+functionalities here in pure Terraform code.
+
+`kubergrunt` fulfills the role of generating and managing TLS certificate key pairs using Kubernetes `Secrets` as a
+database. This allows us to deploy Tiller with TLS verification enabled. We could instead use the `tls` and `kubernetes`
+providers in Terraform, but this has a few drawbacks:
 
-- The Helm provider does not have [a resource that manages
-  Tiller](https://github.com/terraform-providers/terraform-provider-helm/issues/134).
 - The [TLS provider](https://www.terraform.io/docs/providers/tls/index.html) stores the certificate key pairs in plain
   text into the Terraform state.
 - The Kubernetes Secret resource in the provider [also stores the value in plain text in the Terraform
   state](https://www.terraform.io/docs/providers/kubernetes/r/secret.html).
 - The grant and configure workflows are better suited as CLI tools than in Terraform.
 
-Note that [we intend to implement a pure Terraform version of this when the Helm provider is
-updated](https://github.com/gruntwork-io/terraform-kubernetes-helm/issues/13), but we plan to continue to maintain the
+`kubergrunt` works around this by generating the TLS certs and storing them in Kubernetes `Secrets` directly. In this
+way, the generated TLS certs never leak into the Terraform state as they are referenced by name when deploying Tiller as
+opposed to by value.
+
+Note that we intend to implement a pure Terraform version of this functionality, but we plan to continue to maintain the
 `kubergrunt` approach for folks who are wary of leaking secrets into Terraform state.

main.tf

@@ -22,7 +22,7 @@ provider "kubernetes" {
 module "tiller_namespace" {
   # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
   # to a specific version of the modules, such as the following example:
-  # source = "git::[email protected]:gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-namespace?ref=v0.1.0"
+  # source = "git::[email protected]:gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-namespace?ref=v0.3.0"
   source = "./modules/k8s-namespace"
 
   name = "${var.tiller_namespace}"
@@ -31,7 +31,7 @@ module "tiller_namespace" {
 module "resource_namespace" {
   # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
   # to a specific version of the modules, such as the following example:
-  # source = "git::[email protected]:gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-namespace?ref=v0.1.0"
+  # source = "git::[email protected]:gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-namespace?ref=v0.3.0"
   source = "./modules/k8s-namespace"
 
   name = "${var.resource_namespace}"
@@ -40,7 +40,7 @@ module "resource_namespace" {
 module "tiller_service_account" {
   # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
   # to a specific version of the modules, such as the following example:
-  # source = "git::[email protected]:gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-service-account?ref=v0.1.0"
+  # source = "git::[email protected]:gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-service-account?ref=v0.3.0"
   source = "./modules/k8s-service-account"
 
   name           = "${var.service_account_name}"
@@ -64,24 +64,31 @@ module "tiller_service_account" {
 }
 
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# DEPLOY TILLER
+# GENERATE TLS CERTIFICATES FOR USE WITH TILLER
+# This will use kubergrunt to generate TLS certificates, and upload them as Kubernetes Secrets that can then be used by
+# Tiller.
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-resource "null_resource" "tiller_tls_ca_certs" {
-  provisioner "local-exec" {
-    command = "kubergrunt tls gen --ca --namespace kube-system --secret-name ${local.tls_ca_secret_name} --secret-label gruntwork.io/tiller-namespace=${var.tiller_namespace} --secret-label gruntwork.io/tiller-credentials=true --secret-label gruntwork.io/tiller-credentials-type=ca --tls-subject-json '${jsonencode(var.tls_subject)}' --tls-private-key-algorithm ${var.private_key_algorithm} ${local.tls_algorithm_config} ${local.kubectl_config_options}"
-  }
-}
-
 resource "null_resource" "tiller_tls_certs" {
   provisioner "local-exec" {
-    command = "kubergrunt tls gen --namespace ${module.tiller_namespace.name} --ca-secret-name ${local.tls_ca_secret_name} --ca-namespace kube-system --secret-name ${local.tls_secret_name} --secret-label gruntwork.io/tiller-namespace=${var.tiller_namespace} --secret-label gruntwork.io/tiller-credentials=true --secret-label gruntwork.io/tiller-credentials-type=server --tls-subject-json '${jsonencode(var.tls_subject)}' --tls-private-key-algorithm ${var.private_key_algorithm} ${local.tls_algorithm_config} ${local.kubectl_config_options}"
-  }
+    command = <<-EOF
+    # Generate CA TLS certs
+    kubergrunt tls gen --ca --namespace kube-system --secret-name ${local.tls_ca_secret_name} --secret-label gruntwork.io/tiller-namespace=${var.tiller_namespace} --secret-label gruntwork.io/tiller-credentials=true --secret-label gruntwork.io/tiller-credentials-type=ca --tls-subject-json '${jsonencode(var.tls_subject)}' --tls-private-key-algorithm ${var.private_key_algorithm} ${local.tls_algorithm_config} ${local.kubectl_config_options}
 
-  depends_on = ["null_resource.tiller_tls_ca_certs"]
+    # Then use that CA to generate server TLS certs
+    kubergrunt tls gen --namespace ${module.tiller_namespace.name} --ca-secret-name ${local.tls_ca_secret_name} --ca-namespace kube-system --secret-name ${local.tls_secret_name} --secret-label gruntwork.io/tiller-namespace=${var.tiller_namespace} --secret-label gruntwork.io/tiller-credentials=true --secret-label gruntwork.io/tiller-credentials-type=server --tls-subject-json '${jsonencode(var.tls_subject)}' --tls-private-key-algorithm ${var.private_key_algorithm} ${local.tls_algorithm_config} ${local.kubectl_config_options}
+    EOF
+  }
 }
 
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# DEPLOY TILLER
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
 module "tiller" {
+  # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
+  # to a specific version of the modules, such as the following example:
+  # source = "git::[email protected]:gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-tiller?ref=v0.3.0"
   source = "./modules/k8s-tiller"
 
   tiller_service_account_name              = "${module.tiller_service_account.name}"
@@ -93,22 +100,50 @@ module "tiller" {
   # Kubergrunt will store the private key under tls.pem
   tiller_tls_key_file_name = "tls.pem"
 
-  dependencies = [
-    "${null_resource.tiller_tls_ca_certs.id}",
-    "${null_resource.tiller_tls_certs.id}",
-  ]
+  dependencies = ["${null_resource.tiller_tls_certs.id}"]
 }
 
-locals {
-  helm_home_with_default = "${var.helm_home == "" ? pathexpand("~/.helm") : var.helm_home}"
+# We use kubergrunt to wait for Tiller to be deployed. Any resources that depend on this can assume Tiller is
+# successfully deployed and up at that point.
+resource "null_resource" "wait_for_tiller" {
+  provisioner "local-exec" {
+    command = "kubergrunt helm wait-for-tiller --tiller-namespace ${module.tiller_namespace.name} --tiller-deployment-name ${module.tiller.deployment_name} --expected-tiller-version ${var.tiller_version}"
+  }
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# CONFIGURE OPERATOR HELM CLIENT
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+resource "null_resource" "grant_and_configure_helm" {
+  count = "${var.configure_helm}"
+
+  provisioner "local-exec" {
+    command = <<-EOF
+    kubergrunt helm grant --tiller-namespace ${module.tiller_namespace.name} ${local.kubectl_config_options} --tls-subject-json '${jsonencode(var.client_tls_subject)}' ${local.configure_args}
+
+    kubergrunt helm configure --helm-home ${local.helm_home_with_default} --tiller-namespace ${module.tiller_namespace.name} --resource-namespace ${module.resource_namespace.name} ${local.kubectl_config_options} ${local.configure_args}
+    EOF
+  }
 
+  depends_on = ["null_resource.wait_for_tiller"]
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# COMPUTATIONS
+# These locals compute various useful information used throughout this Terraform module.
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+locals {
   kubectl_config_options = "${var.kubectl_config_context_name != "" ? "--kubectl-context-name ${var.kubectl_config_context_name}" : ""} ${var.kubectl_config_path != "" ? "--kubeconfig ${var.kubectl_config_path}" : ""}"
 
   tls_ca_secret_name = "${var.tiller_namespace}-namespace-tiller-ca-certs"
   tls_secret_name    = "tiller-certs"
 
   tls_algorithm_config = "${var.private_key_algorithm == "ECDSA" ? "--tls-private-key-ecdsa-curve ${var.private_key_ecdsa_curve}" : "--tls-private-key-rsa-bits ${var.private_key_rsa_bits}"}"
 
+  helm_home_with_default = "${var.helm_home == "" ? pathexpand("~/.helm") : var.helm_home}"
+
   configure_args = "${
     var.helm_client_rbac_user != "" ? "--rbac-user ${var.helm_client_rbac_user}"
       : var.helm_client_rbac_group != "" ? "--rbac-group ${var.helm_client_rbac_group}"

modules/k8s-tiller/main.tf

@@ -15,6 +15,8 @@ resource "null_resource" "dependency_getter" {
 # Adapted from Tiller installer in helm client. See:
 # https://github.com/helm/helm/blob/master/cmd/helm/installer/install.go#L200
 resource "kubernetes_deployment" "tiller" {
+  depends_on = ["null_resource.dependency_getter"]
+
   metadata {
     namespace   = "${var.namespace}"
     name        = "${var.deployment_name}"
@@ -173,14 +175,14 @@ resource "kubernetes_deployment" "tiller" {
     # end spec
   }
 
-  depends_on = ["null_resource.dependency_getter"]
-
   # end deployment
 }
 
 # Adapted from Tiller installer in helm client. See:
 # https://github.com/helm/helm/blob/master/cmd/helm/installer/install.go#L332
 resource "kubernetes_service" "tiller" {
+  depends_on = ["null_resource.dependency_getter"]
+
   metadata {
     namespace   = "${var.namespace}"
     name        = "${var.service_name}"
@@ -211,8 +213,6 @@ resource "kubernetes_service" "tiller" {
       deployment = "${var.deployment_name}"
     }
   }
-
-  depends_on = ["null_resource.dependency_getter"]
 }
 
 # Global constants

modules/k8s-tiller/outputs.tf

@@ -0,0 +1,9 @@
+output "deployment_name" {
+  description = "The name of the Deployment resource that manages the Tiller Pods."
+  value       = "${kubernetes_deployment.tiller.metadata.0.name}"
+}
+
+output "service_name" {
+  description = "The name of the Service resource that fronts the Tiller Pods."
+  value       = "${kubernetes_service.tiller.metadata.0.name}"
+}

outputs.tf

@@ -0,0 +1,9 @@
+output "tiller_namespace" {
+  description = "The name of the namespace that houses Tiller."
+  value       = "${module.tiller_namespace.name}"
+}
+
+output "resource_namespace" {
+  description = "The name of the namespace where Tiller will deploy resources into."
+  value       = "${module.resource_namespace.name}"
+}

variables.tf

@@ -70,18 +70,6 @@ variable "private_key_rsa_bits" {
   default     = "2048"
 }
 
-# Undeploy options
-
-variable "force_undeploy" {
-  description = "If true, will remove the Tiller server resources even if there are releases deployed."
-  default     = false
-}
-
-variable "undeploy_releases" {
-  description = "If true, will delete deployed releases from the Tiller instance before undeploying Tiller."
-  default     = false
-}
-
 # Kubectl options
 
 variable "kubectl_config_context_name" {
@@ -96,6 +84,11 @@ variable "kubectl_config_path" {
 
 # Helm client config options
 
+variable "configure_helm" {
+  description = "Whether or not to configure the local helm client to authenticate to the deployed Tiller instance."
+  default     = true
+}
+
 variable "helm_home" {
   description = "The path to the home directory for helm that you wish to use for this deployment."
   default     = ""