Merge pull request #33 from walkline/irsa

Replace Secrets Store + Secrets Manager with IRSA

.header.md

@@ -83,8 +83,8 @@ Before you can provision your Mendix environments on Amazon EKS, you must instal
     domain_name                  = "project-name-example.com"
     certificate_expiration_email = "[email protected]"
     s3_bucket_name               = "project-name"
-    cluster_id                   = ""
-    cluster_secret               = ""
+    namespace_id                 = ""
+    namespace_secret             = ""
     environments_internal_names  = ["app1", "app2", "app3"]
     ```
 
@@ -117,11 +117,7 @@ The internal name must match the name that you specify in the `environments_inte
 
 4. Depending on your provider, update **External Domain Name Registrar** or **Route53 registered domain** with the *aws_route53_zone_name_servers* values. For more information, refer to [Configuring Amazon Route 53 as your DNS service](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring.html).
 
-5. In the developer portal, choose **Cluster Manager**, then choose the **Customization** tab. Enable **External Secrets Store**.
-
-![Customization tab](https://raw.githubusercontent.com/aws-ia/terraform-aws-mendix-private-cloud/main/doc/deployment_guide/images/secrets-store.png)
-
-6. If you're deploying more than three apps, change the default instance type of the `eks_node_instance_type` variable. By default, the instance type for the Kubernetes nodes is optimized to support up to three apps. Deploying more than three apps with the default instance type may affect the performance of your applications. For more information, refer to [Choosing an Amazon EC2 instance type](https://docs.aws.amazon.com/eks/latest/userguide/choosing-instance-type.html) in the Amazon EKS User Guide.
+5. If you're deploying more than three apps, change the default instance type of the `eks_node_instance_type` variable. By default, the instance type for the Kubernetes nodes is optimized to support up to three apps. Deploying more than three apps with the default instance type may affect the performance of your applications. For more information, refer to [Choosing an Amazon EC2 instance type](https://docs.aws.amazon.com/eks/latest/userguide/choosing-instance-type.html) in the Amazon EKS User Guide.
 
 ## Security
 
@@ -206,6 +202,9 @@ In the Mendix Private Cloud portal, in the Cluster Manager, the status of your c
 
 ## Cleanup
 
+Before cleaning up, make sure that you have deleted Mendix App environments. 
+Otherwise, you will need to manually remove some finalizers in the namespace and detach some roles from policies in AWS IAM.
+
 To clean up your environment, run the following commands:
 
 ```

README.md

@@ -84,8 +84,8 @@ Before you can provision your Mendix environments on Amazon EKS, you must instal
     domain_name                  = "project-name-example.com"
     certificate_expiration_email = "[email protected]"
     s3_bucket_name               = "project-name"
-    cluster_id                   = ""
-    cluster_secret               = ""
+    namespace_id                 = ""
+    namespace_secret             = ""
     environments_internal_names  = ["app1", "app2", "app3"]
     ```
 
@@ -118,11 +118,7 @@ The internal name must match the name that you specify in the `environments_inte
 
 4. Depending on your provider, update **External Domain Name Registrar** or **Route53 registered domain** with the *aws\_route53\_zone\_name\_servers* values. For more information, refer to [Configuring Amazon Route 53 as your DNS service](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring.html).
 
-5. In the developer portal, choose **Cluster Manager**, then choose the **Customization** tab. Enable **External Secrets Store**.
-
-![Customization tab](https://raw.githubusercontent.com/aws-ia/terraform-aws-mendix-private-cloud/main/doc/deployment_guide/images/secrets-store.png)
-
-6. If you're deploying more than three apps, change the default instance type of the `eks_node_instance_type` variable. By default, the instance type for the Kubernetes nodes is optimized to support up to three apps. Deploying more than three apps with the default instance type may affect the performance of your applications. For more information, refer to [Choosing an Amazon EC2 instance type](https://docs.aws.amazon.com/eks/latest/userguide/choosing-instance-type.html) in the Amazon EKS User Guide.
+5. If you're deploying more than three apps, change the default instance type of the `eks_node_instance_type` variable. By default, the instance type for the Kubernetes nodes is optimized to support up to three apps. Deploying more than three apps with the default instance type may affect the performance of your applications. For more information, refer to [Choosing an Amazon EC2 instance type](https://docs.aws.amazon.com/eks/latest/userguide/choosing-instance-type.html) in the Amazon EKS User Guide.
 
 ## Security
 
@@ -207,6 +203,9 @@ In the Mendix Private Cloud portal, in the Cluster Manager, the status of your c
 
 ## Cleanup
 
+Before cleaning up, make sure that you have deleted Mendix App environments.
+Otherwise, you will need to manually remove some finalizers in the namespace and detach some roles from policies in AWS IAM.
+
 To clean up your environment, run the following commands:
 
 ```
@@ -231,7 +230,7 @@ After you deploy this Partner Solution, confirm that your resources and services
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.10 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.7.1 |
 | <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | >= 1.14 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.16.1 |
@@ -242,18 +241,19 @@ After you deploy this Partner Solution, confirm that your resources and services
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.10 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | >= 2.7.1 |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.16.1 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.4.3 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_container_registry"></a> [container\_registry](#module\_container\_registry) | ./modules/container-registry | n/a |
 | <a name="module_databases"></a> [databases](#module\_databases) | ./modules/databases | n/a |
-| <a name="module_eks_blueprints"></a> [eks\_blueprints](#module\_eks\_blueprints) | github.com/aws-ia/terraform-aws-eks-blueprints | v4.28.0 |
-| <a name="module_eks_blueprints_kubernetes_addons"></a> [eks\_blueprints\_kubernetes\_addons](#module\_eks\_blueprints\_kubernetes\_addons) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons | v4.28.0 |
+| <a name="module_eks_blueprints"></a> [eks\_blueprints](#module\_eks\_blueprints) | github.com/aws-ia/terraform-aws-eks-blueprints | v4.32.1 |
+| <a name="module_eks_blueprints_kubernetes_addons"></a> [eks\_blueprints\_kubernetes\_addons](#module\_eks\_blueprints\_kubernetes\_addons) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons | v4.32.1 |
 | <a name="module_file_storage"></a> [file\_storage](#module\_file\_storage) | ./modules/file-storage | n/a |
 | <a name="module_monitoring"></a> [monitoring](#module\_monitoring) | ./modules/monitoring | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | ./modules/vpc | n/a |
@@ -263,9 +263,13 @@ After you deploy this Partner Solution, confirm that your resources and services
 | Name | Type |
 |------|------|
 | [aws_ebs_encryption_by_default.ebs_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource |
+| [aws_iam_policy.environment_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.provisioner_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.storage_provisioner_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_route53_zone.cluster_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
 | [helm_release.mendix_installer](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_namespace.mendix](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [random_string.random_eks_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
 
@@ -275,14 +279,16 @@ After you deploy this Partner Solution, confirm that your resources and services
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS Region name | `string` | n/a | yes |
 | <a name="input_certificate_expiration_email"></a> [certificate\_expiration\_email](#input\_certificate\_expiration\_email) | Let's Encrypt certificate expiration email | `string` | n/a | yes |
-| <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | Mendix Private Cloud Cluster ID | `string` | n/a | yes |
-| <a name="input_cluster_secret"></a> [cluster\_secret](#input\_cluster\_secret) | Mendix Private Cloud Cluster Secret | `string` | n/a | yes |
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | Domain name | `string` | n/a | yes |
+| <a name="input_namespace_id"></a> [namespace\_id](#input\_namespace\_id) | Mendix Private Cloud Namespace ID | `string` | n/a | yes |
+| <a name="input_namespace_secret"></a> [namespace\_secret](#input\_namespace\_secret) | Mendix Private Cloud Namespace Secret | `string` | n/a | yes |
 | <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | S3 bucket name | `string` | n/a | yes |
 | <a name="input_allowed_ips"></a> [allowed\_ips](#input\_allowed\_ips) | List of IP adresses allowed to access EKS cluster endpoint | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_eks_cluster_name_prefix"></a> [eks\_cluster\_name\_prefix](#input\_eks\_cluster\_name\_prefix) | EKS name prefix for the new cluster | `string` | `"mendix-eks"` | no |
 | <a name="input_eks_node_instance_type"></a> [eks\_node\_instance\_type](#input\_eks\_node\_instance\_type) | EKS instance type | `string` | `"t3.medium"` | no |
 | <a name="input_environments_internal_names"></a> [environments\_internal\_names](#input\_environments\_internal\_names) | List of internal environments names | `list(string)` | <pre>[<br>  "app1"<br>]</pre> | no |
-| <a name="input_mendix_operator_version"></a> [mendix\_operator\_version](#input\_mendix\_operator\_version) | Mendix Private Cloud Operator version | `string` | `"2.10.0"` | no |
+| <a name="input_mendix_operator_version"></a> [mendix\_operator\_version](#input\_mendix\_operator\_version) | Mendix Private Cloud Operator version | `string` | `"2.12.0"` | no |
+| <a name="input_postgres_version"></a> [postgres\_version](#input\_postgres\_version) | The version of Postgres that terraform would create. | `string` | `"14.8"` | no |
 
 ## Outputs
 

charts/mendix-installer/templates/mendix-installer-configmap.yaml

@@ -6,10 +6,28 @@ metadata:
 data:
   mxpc-cli-installer-script: | 
     #/bin/sh
+    
     wget https://cdn.mendix.com/mendix-for-private-cloud/mxpc-cli/mxpc-cli-{{ .Values.mendixOperatorVersion }}-linux-amd64.tar.gz
     tar xvf mxpc-cli-{{ .Values.mendixOperatorVersion }}-linux-amd64.tar.gz
-    ./mxpc-cli base-install --namespace mendix -i {{ .Values.clusterID }} -s {{ .Values.clusterSecret }} --clusterMode connected --clusterType generic
-    ./mxpc-cli apply-config -i {{ .Values.clusterID }} -s {{ .Values.clusterSecret }} --file mendix-installer-config-file/mendix-installer-config-file
+    ./mxpc-cli base-install --namespace mendix -i {{ .Values.namespaceID }} -s {{ .Values.namespaceSecret }} --clusterMode connected --clusterType generic --clusterTag="aws-reference-deployment"
+    
+    wget --output-document=custom.crt https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
+    kubectl -n mendix create secret generic mendix-custom-tls --from-file=custom.crt=custom.crt
+    
+    ./mxpc-cli apply-config -i {{ .Values.namespaceID }} -s {{ .Values.namespaceSecret }} --file mendix-installer-config-file/mendix-installer-config-file
+
+{{- range $.Values.database_plans }}
+    ./mxpc-cli apply-config -i {{ $.Values.namespaceID }} -s {{ $.Values.namespaceSecret }} --file mendix-installer-config-db-{{ .name }}/mendix-installer-config-file
+
+    export PGUSER={{ .user }}
+    export PGHOST={{ .host }}
+    export PGPASSWORD=$(cat mendix-rds-master-pass-{{ .name }}/rds-password)
+
+    psql -c 'GRANT rds_iam TO {{ .user }};'
+
+    kubectl -n mendix delete secret mendix-rds-master-pass-{{ .name }}
+{{- end }}
+
     kubectl -n mendix patch OperatorConfiguration mendix-operator-configuration --type merge --patch '{"spec":{"endpoint":{"ingress":{"annotations":{"cert-manager.io/cluster-issuer":"letsencrypt-prod"}}}}}'
     kubectl -n mendix patch OperatorConfiguration mendix-operator-configuration --type merge --patch '{"spec":{"endpoint":{"ingress":{"tlsSecretName":"tls-{{ .Values.appName }}"}}}}'
     kubectl -n mendix patch OperatorConfiguration mendix-operator-configuration --type merge --patch '{"spec":{"runtimeAutomountServiceAccountToken":true,"runtimeDeploymentPodAnnotations":{"linkerd.io/inject":"enabled","prometheus.io/path":"/metrics","prometheus.io/port":"8900","prometheus.io/scrape":"true"}}}'

charts/mendix-installer/templates/mendix-installer-job.yaml

@@ -10,14 +10,22 @@ spec:
       containers:
         - name: mxpc-cli-installer
           image: alpine
-          command: ["/bin/sh", "-c", "wget https://dl.k8s.io/release/v1.25.0/bin/linux/amd64/kubectl; mv kubectl /usr/bin/kubectl; chmod +x /usr/bin/kubectl; /mxpc-cli-installer-script;"]
+          command: ["/bin/sh", "-c", "apk --update add postgresql-client; wget https://dl.k8s.io/release/v1.25.0/bin/linux/amd64/kubectl; mv kubectl /usr/bin/kubectl; chmod +x /usr/bin/kubectl; /mxpc-cli-installer-script;"]
           volumeMounts:
             - name: mxpc-cli-installer-script
               mountPath: /mxpc-cli-installer-script
               subPath: mxpc-cli-installer-script
             - name: mendix-installer-config-file
               mountPath: mendix-installer-config-file
               readOnly: true
+{{- range $.Values.database_plans }}
+            - name: "mendix-installer-config-db-{{ .name }}"
+              mountPath: "mendix-installer-config-db-{{ .name }}"
+              readOnly: true
+            - name: "mendix-rds-master-pass-{{ .name }}"
+              mountPath: "mendix-rds-master-pass-{{ .name }}"
+              readOnly: true
+{{- end }}
       volumes:
         - name: mxpc-cli-installer-script
           configMap:
@@ -26,4 +34,12 @@ spec:
         - name: mendix-installer-config-file
           secret:
             secretName: mendix-installer-config-file
+{{- range $.Values.database_plans }}
+        - name: "mendix-installer-config-db-{{ .name }}"
+          secret:
+            secretName: "mendix-installer-config-db-{{ .name }}"
+        - name: "mendix-rds-master-pass-{{ .name }}"
+          secret:
+            secretName: "mendix-rds-master-pass-{{ .name }}"
+{{- end }}
       restartPolicy: Never

charts/mendix-installer/templates/mendix-installer-secret.yaml

@@ -10,11 +10,11 @@ stringData:
     cluster_mode: connected
     mask:
       database_plan: false
-      storage_plan: false
+      storage_plan: true
       ingress: true
       registry: true
       proxy: false
-      custom_tls: false
+      custom_tls: true
     ingress:
       type: kubernetes-ingress
       enable_tls: true
@@ -34,3 +34,64 @@ stringData:
         is_static_credential: false
         aws_iam_role: "{{ .Values.registry.iamRole }}"
         kubernetes_service_account: "mendix-builder"
+    storage_plan:
+      name: s3
+      type: amazon-s3
+      s3:
+        irsa_authentication: true
+        create_bucket: false
+        create_user: false
+        create_inline_policy: false
+        existing_bucket: "{{ .Values.storage_plan.existing_bucket }}"
+        existing_policy: "{{ .Values.storage_plan.existing_policy }}"
+        bucket_autogen_prefix: true
+        region: "{{ .Values.awsRegion }}"
+        admin_iam_role: "{{ .Values.storage_plan.admin_iam_role }}"
+        kubernetes_service_account: "{{ .Values.storage_plan.kubernetes_service_account }}"
+        oidc_url: "{{ .Values.storage_plan.oidc_url }}"
+    custom_tls:
+      ca_certificates_secret_name: mendix-custom-tls
+
+{{- range $.Values.database_plans }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "mendix-installer-config-db-{{ .name }}"
+  namespace: mendix
+type: Opaque
+stringData:
+  mendix-installer-config-file: |
+    namespace: mendix
+    cluster_mode: connected
+    mask:
+      database_plan: true
+      storage_plan: false
+      ingress: false
+      registry: false
+      proxy: false
+      custom_tls: false
+    database_plan:
+      name: "{{ .name }}"
+      type: postgres
+      postgres:
+          databaseprops:
+              host: "{{ .host }}"
+              port: {{ .port }}
+              user: "{{ .user }}"
+              password: ""
+              strict_tls: true
+          db_name: "{{ .db_name }}"
+          authentication_mode: aws-iam
+          aws_iam_role: "{{ .aws_iam_role }}"
+          kubernetes_service_account: "{{ .kubernetes_service_account }}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "mendix-rds-master-pass-{{ .name }}"
+  namespace: mendix
+type: Opaque
+stringData:
+  rds-password: "{{ .master_password }}"
+{{- end }}