🚧 The second part is being written and will be soon available ....
This repository is dedicated to showcasing the Flux Opentofu Controller, a tool designed to bridge the gap between Kubernetes and cloud resource management. By leveraging the power and the flexibility of Opentofu modules, the Flux Controller enables seamless management of cloud infrastructure directly from within a Kubernetes cluster. Set within an Amazon EKS cluster, this demonstration provides a hands-on example of deploying the tofu-controller and configuring it to manage resources effectively. The core configurations and examples reside in infrastructure/controlplane-0/tofu-controller.
graph TD;
Namespaces-->CRDs;
CRDs-->Observability;
CRDs-->CloudResources;
CloudResources-->Security;
Security-->Applications;
This diagram can be hard to understand so these are the key information:
- Namespaces are the first resources to be created, all other resources may be namespace scoped
- CRDs that allow to extend Kubernetes capabilities must be present in order to use them in all other applications when needed (Including Tofu controller CRDs)
- Cloud resources may be required by applications. For instance the EPI give permissions to AWS services.
- Security defines
external-secretsthat are needed by some applications in order to start.
Due to a known issue with Tailscale and Terraform integration as outlined in Tailscale issue #182, the Access Control Lists (ACLs) must be imported manually before proceeding with the Terraform apply. This step ensures that the ACLs are properly recognized by Terraform's state management, avoiding conflicts or errors during the infrastructure deployment process.
First, navigate to the terragrunt/network directory where the Terraform network configuration is located. Use the following command to import the existing Tailscale ACLs into your Terraform state.
cd terragrunt/network
terragrunt import --var-file variables.tfvars tailscale_acl.this aclOnce the ACLs are imported, you can proceed with deploying your infrastructure. The deployment includes three main modules as visualized below:
graph LR;
Network-->EKS;
EKS-->TofuAWS["Tofu controller AWS requirements"];
-
Network: This module sets up the Virtual Private Cloud (VPC), subnets, and the Tailscale subnet router necessary for private connections within the infrastructure. For more information on configuring Tailscale in a VPC environment, refer to my previous blog post on Tailscale.
-
EKS: This module deploys an Elastic Kubernetes Service (EKS) cluster, configures Karpenter for efficient node provisioning, and bootstraps Flux for GitOps-based cluster management.
-
Tofu Controller AWS Requirements: Sets up the required IAM permissions for the Tofu controller to manage AWS Cloud resources. It also involves the creation of a secret used by the "Branch Planner".
To deploy all modules and apply the configuration changes, use the following Terragrunt command:
cd terragrunt/tofu-controller
terragrunt run-all apply2 things are checked
- The Opentofu code quality, conformance and security using pre-commit-terraform.
- The kustomize and Kubernetes conformance using kubeconform and building the kustomize configuration.
In order to run the CI checks locally just run the following command
ℹ️ It requires task to be installed
task checkThe same tasks are run in Github Actions.