initial config based of jenkins-x/jenkins-x-boot-config with ref v1.0.82

This commit is contained in:
jenkins-x-bot
2020-04-15 12:37:41 +02:00
commit 9434645ce5
106 changed files with 2971 additions and 0 deletions


@@ -0,0 +1 @@
# Jenkins X Boot configuration for EKS


@@ -0,0 +1,53 @@
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: {{ .Requirements.cluster.clusterName }}
region: {{ .Requirements.cluster.region }}
iam:
withOIDC: true
serviceAccounts:
{{- if .IAM.TektonBotPolicy }}
- metadata:
name: tekton-bot
namespace: jx
labels: {aws-usage: "jenkins-x"}
attachPolicyARNs:
- {{.IAM.TektonBotPolicy | quote}}
{{- end }}
{{- if .IAM.ExternalDNSPolicy }}
- metadata:
name: exdns-external-dns
namespace: jx
labels: {aws-usage: "jenkins-x"}
attachPolicyARNs:
- {{.IAM.ExternalDNSPolicy | quote}}
{{- end }}
{{- if .IAM.CertManagerPolicy }}
- metadata:
name: cm-cert-manager
namespace: cert-manager
labels: {aws-usage: "jenkins-x"}
attachPolicyARNs:
- {{.IAM.CertManagerPolicy | quote}}
- metadata:
name: cm-cainjector
namespace: cert-manager
labels: {aws-usage: "jenkins-x"}
attachPolicyARNs:
- {{.IAM.CertManagerPolicy | quote}}
{{- end }}
- metadata:
name: jenkins-x-controllerbuild
namespace: jx
labels: {aws-usage: "jenkins-x"}
attachPolicyARNs:
- "arn:aws:iam::aws:policy/AmazonS3FullAccess"
- metadata:
name: jxui
namespace: jx
labels: {aws-usage: "jenkins-x"}
attachPolicyARNs:
- "arn:aws:iam::aws:policy/AmazonS3FullAccess"
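Review bot: The `jenkins-x-controllerbuild` and `jxui` service accounts (the two `AmazonS3FullAccess` entries that close this file) receive `s3:*` on every bucket in the account, while the Vault template in this same commit shows the scoped pattern of PutObject/GetObject on a bucket ARN plus ListBucket on the bucket itself. Consider adding a `ManagedPolicy` for the log/artifact bucket alongside the other CFN policies and attaching it here through a templated `attachPolicyARNs` entry like the ones above, so these two pods cannot read or delete the Vault bucket. It is also worth a comment above the `cm-cainjector` block, since it attaches the Route53 policy and that component likely only needs Kubernetes API access — confirm against cert-manager's own documentation, e.g. `# cainjector attaches CertManagerPolicy only to share the policy with cert-manager; it may not need Route53 — TODO confirm`.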


@@ -0,0 +1,81 @@
Description: 'Template to generate the necessary IAM Policies for Jenkins-X EKS support '
Resources:
CFNJenkinsXPolicies:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Join [ "-", [ CFNTektonBotPolicy, Ref: PoliciesSuffixParameter] ]
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- cloudformation:ListStacks
- cloudformation:DescribeStacks
- cloudformation:CreateStack
- cloudformation:DeleteStack
- eks:*
- s3:*
- iam:DetachRolePolicy
- iam:GetPolicy
- iam:CreatePolicy
- iam:DeleteRole
- iam:GetOpenIDConnectProvider
Resource: "*"
CFNExternalDNSPolicies:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Join [ "-", [ CFNExternalDNSPolicy, Ref: PoliciesSuffixParameter] ]
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- route53:ChangeResourceRecordSets
Resource: "arn:aws:route53:::hostedzone/*"
- Effect: Allow
Action:
- route53:ListHostedZones
- route53:ListResourceRecordSets
Resource: "*"
CFNCertManagerPolicies:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Join [ "-", [ CFNCertManagerPolicy, Ref: PoliciesSuffixParameter] ]
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- route53:GetChange
Resource: "arn:aws:route53:::change/*"
- Effect: Allow
Action:
- route53:ChangeResourceRecordSets
Resource: "arn:aws:route53:::hostedzone/*"
- Effect: Allow
Action:
- route53:ListHostedZonesByName
Resource: "*"
Parameters:
PoliciesSuffixParameter:
Type: String
Description: A suffix so we can create different policies on each execution
Outputs:
CFNTektonBotPolicy:
Value:
Ref: CFNJenkinsXPolicies
Description: The ARN of the created policy
Export:
Name: !Join [ "-", [ TektonBotPolicy, Ref: PoliciesSuffixParameter] ]
CFNExternalDNSPolicy:
Value:
Ref: CFNExternalDNSPolicies
Description: The ARN of the created policy
Export:
Name: !Join [ "-", [ ExternalDNSPolicy, Ref: PoliciesSuffixParameter] ]
CFNCertManagerPolicy:
Value:
Ref: CFNCertManagerPolicies
Description: The ARN of the created policy
Export:
Name: !Join [ "-", [ CertManagerPolicy, Ref: PoliciesSuffixParameter] ]
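Review bot: `CFNJenkinsXPolicies` grants `eks:*`, `s3:*`, `iam:CreatePolicy`, `iam:DeleteRole` and `iam:DetachRolePolicy` on `Resource: "*"`, and the eksctl config in this commit attaches it to the `tekton-bot` service account — i.e. to every pipeline pod in the `jx` namespace, so a compromised build step could detach policies from any role or delete any role in the account. At minimum the IAM actions should be restricted with a `Resource` pattern for the roles and policies this stack creates, and `s3:*`/`eks:*` split into their own statements with a comment per action naming the feature that needs it, e.g. `# cloudformation:* — jx boot creates/deletes the vault and IAM stacks`. The resource name `CFNJenkinsXPolicies` is also the only one that does not match its output (`CFNTektonBotPolicy`); renaming it to `CFNTektonBotPolicies` keeps the three resource/output pairs parallel.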


@@ -0,0 +1,133 @@
Resources:
AWSDynamoDBTable:
Properties:
AttributeDefinitions:
- AttributeName: Path
AttributeType: S
- AttributeName: Key
AttributeType: S
KeySchema:
- AttributeName: Path
KeyType: HASH
- AttributeName: Key
KeyType: RANGE
ProvisionedThroughput:
ReadCapacityUnits: 2
WriteCapacityUnits: 2
TableName: !Join [ "_", [ Ref: DynamoDBTableName, Ref: ResourcesSuffixParameter ] ]
Tags:
- Key: Name
Value: vault-dynamo-db-table
Type: AWS::DynamoDB::Table
AWSKMSKey:
Properties:
Description: KMS Key for bank vault unseal
KeyPolicy:
Statement:
- Action: kms:*
Effect: Allow
Principal:
AWS:
- Fn::Sub: arn:aws:iam::${AWS::AccountId}:root
- Fn::Sub: arn:aws:iam::${AWS::AccountId}:user/${IAMUser}
Resource: "*"
Sid: Enable IAM User Permissions
Version: '2012-10-17'
Type: AWS::KMS::Key
AWSS3Bucket:
Properties:
AccessControl: Private
BucketName: !Join [ "-", [ Ref: S3BucketName, Ref: ResourcesSuffixParameter ] ]
VersioningConfiguration:
Status: Suspended
Type: AWS::S3::Bucket
AWSIAMPolicy:
DependsOn:
- AWSDynamoDBTable
- AWSS3Bucket
- AWSKMSKey
Properties:
PolicyDocument:
Statement:
- Action:
- dynamodb:DescribeLimits
- dynamodb:DescribeTimeToLive
- dynamodb:ListTagsOfResource
- dynamodb:DescribeReservedCapacityOfferings
- dynamodb:DescribeReservedCapacity
- dynamodb:ListTables
- dynamodb:BatchGetItem
- dynamodb:BatchWriteItem
- dynamodb:CreateTable
- dynamodb:DeleteItem
- dynamodb:GetItem
- dynamodb:GetRecords
- dynamodb:PutItem
- dynamodb:Query
- dynamodb:UpdateItem
- dynamodb:Scan
- dynamodb:DescribeTable
Effect: Allow
Resource:
Fn::Sub: "${AWSDynamoDBTable.Arn}"
Sid: DynamoDB
- Action:
- s3:PutObject
- s3:GetObject
Effect: Allow
Resource:
Fn::Sub: "${AWSS3Bucket.Arn}/*"
Sid: S3
- Action:
- s3:ListBucket
Effect: Allow
Resource:
Fn::Sub: "${AWSS3Bucket.Arn}"
Sid: S3List
- Action:
- kms:Encrypt
- kms:Decrypt
Effect: Allow
Resource:
Fn::Sub: "${AWSKMSKey.Arn}"
Sid: KMS
Version: '2012-10-17'
ManagedPolicyName: !Sub
- "vault_${AWS::StackName}-${AWS::Region}-${Suffix}"
- { Suffix: !Ref ResourcesSuffixParameter }
Users:
- !Ref IAMUser
Type: AWS::IAM::ManagedPolicy
Parameters:
ResourcesSuffixParameter:
Type: String
Description: A suffix so we can create different resources on each execution
S3BucketName:
Type: String
Description: The name of the S3 bucket to use for Vault
DynamoDBTableName:
Type: String
Description: The name of the DynamoDB table to use for VAult
IAMUser:
Type: String
Description: The name of the IAM user to use for Vault
Outputs:
AWSS3Bucket:
Value:
Ref: AWSS3Bucket
Description: The ARN of the created bucket
Export:
Name: !Sub "${AWS::StackName}-AWSS3Bucket"
AWSKMSKey:
Value:
Ref: AWSKMSKey
Description: The ARN of the created KMS Key
Export:
Name: !Sub "${AWS::StackName}-AWSKMSKey"
AWSDynamoDBTable:
Value:
Ref: AWSDynamoDBTable
Description: The ARN of the created DynamoDB table
Export:
Name: !Sub "${AWS::StackName}-AWSDynamoDBTable"
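Review bot: `AWSS3Bucket` holds Vault's storage backend yet declares no `BucketEncryption` and no `PublicAccessBlockConfiguration`, and versioning is explicitly `Suspended`; `AccessControl: Private` only sets the bucket ACL and does not block a later public bucket policy. The KMS key policy is similarly broader than intended: the `${IAMUser}` principal gets `kms:*` (including key administration) even though `AWSIAMPolicy` below deliberately limits that user to `kms:Encrypt`/`kms:Decrypt`; since the account root is already a principal, IAM policies govern the user and the user entry can be dropped or trimmed to those two actions plus `kms:DescribeKey`. I believe the account-level DynamoDB actions in that policy (`DescribeLimits`, `ListTables`, `DescribeReservedCapacity*`) are only evaluated against `Resource: "*"` and will be denied when scoped to the table ARN — confirm, and move them to a separate statement if so. The description on line `DynamoDBTableName` also has a typo (`VAult`). Proposed bucket properties, keeping SSE-S3 so no extra KMS permission is needed by the Vault user:
```yaml
  AWSS3Bucket:
    Properties:
      AccessControl: Private
      BucketName: !Join [ "-", [ Ref: S3BucketName, Ref: ResourcesSuffixParameter ] ]
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Suspended  # consider Enabled for Vault state recovery
    Type: AWS::S3::Bucket
    # … unchanged: AWSIAMPolicy, Parameters, Outputs …
```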


@@ -0,0 +1,18 @@
# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml
jenkins-x-platform:
PipelineSecrets:
# lets enable ECR docker builds
DockerConfig: |-
{
{{- if .Requirements.cluster.registry }}
"credHelpers": {
"{{ .Requirements.cluster.registry }}": "ecr-login"
}
{{- else }}
"credsStore": "ecr-login"
{{- end }}
}
docker-registry:
enabled: false
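Review bot: The `DockerConfig` block scalar renders a Docker `config.json`, but the comment `# lets enable ECR docker builds` does not explain the two branches, which differ in scope: `credHelpers` routes only the configured `.Requirements.cluster.registry` host through the `ecr-login` helper, whereas the fallback `credsStore` makes `ecr-login` the credential store for every registry the pipeline pods touch. Suggested replacement comment: `# Rendered as a Docker config.json for pipeline pods. With a cluster registry configured only that host uses the ecr-login helper; without one, ecr-login becomes the credential store for all registries, so the helper must be present on the build image.` The `{{- ...}}` trims inside the `|-` scalar are what keep the output valid JSON; a one-line note saying so (`# the "{{-" chomping keeps the rendered JSON free of blank lines`) would save the next editor from breaking it.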