Start Basic Pulumi Typescript Implementation (#39)

* Start Basic Pulumi Typescript Implementation

Signed-off-by: Blake Romano <[email protected]>

* Update README.md (#40)

Signed-off-by: Blake Romano <[email protected]>

* update crossplane pattern (#44)

* update crossplane

---------

Signed-off-by: Carlos Santana <[email protected]>
Signed-off-by: Blake Romano <[email protected]>

* update gitops-bridge refernce from git to terraform registry (#46)

Signed-off-by: Carlos Santana <[email protected]>
Signed-off-by: Blake Romano <[email protected]>

* add argo workflow

Signed-off-by: Carlos Santana <[email protected]>
Signed-off-by: Blake Romano <[email protected]>

* Argo workflows ingress (#47)

* initial work argo-workflows

Signed-off-by: Carlos Santana <[email protected]>

Signed-off-by: Blake Romano <[email protected]>

* Update README.md (#48)

Signed-off-by: Blake Romano <[email protected]>

* update argo workflows (#49)

Signed-off-by: Carlos Santana <[email protected]>
Signed-off-by: Blake Romano <[email protected]>

* Karpenter pattern (#50)

* update argo workflows

Signed-off-by: Carlos Santana <[email protected]>

* add karpenter pattern

Signed-off-by: Carlos Santana <[email protected]>

* make eks 1.29

Signed-off-by: Carlos Santana <[email protected]>

---------

Signed-off-by: Carlos Santana <[email protected]>
Signed-off-by: Blake Romano <[email protected]>

* Update README.md (#51)

Signed-off-by: Blake Romano <[email protected]>

* Update Pulumi Implementation Details to be more specific, add bootstrap command.

Signed-off-by: Blake Romano <[email protected]>

---------

Signed-off-by: Blake Romano <[email protected]>
Signed-off-by: Carlos Santana <[email protected]>
Co-authored-by: Carlos Santana <[email protected]>

Author: blakeromano

argocd/iac/pulumi/eks/typescript/.gitignore

@@ -0,0 +1,2 @@
+/bin/
+/node_modules/

argocd/iac/pulumi/eks/typescript/Pulumi.dev.yaml

@@ -0,0 +1,11 @@
+config:
+  aws:region: us-east-1
+  cidrBlock: 10.0.0.0/16
+  awsAccountId: "54321"
+  clusterType: "spoke"
+  hubStackName: "hub"
+  githubOrg: "gitops-bridge"
+  githubRepo: "repoName"
+  secretPath: "foo/bar/spoke.yaml"
+  implementationType: "github"
+  clusterComponents: {}

argocd/iac/pulumi/eks/typescript/Pulumi.hub.yaml

@@ -0,0 +1,10 @@
+config:
+  aws:region: us-east-1
+  awsAccountId: "1234"
+  cidrBlock: 10.0.0.0/16
+  githubOrg: "gitops-bridge"
+  githubRepo: "repoName"
+  secretPath: "hub.yaml"
+  clusterType: "hub"
+  implementationType: "github"
+  clusterComponents: {}

argocd/iac/pulumi/eks/typescript/Pulumi.yaml

@@ -0,0 +1,3 @@
+name: gitops-bridge-ts
+runtime: nodejs
+description: GitOps Bridge Implementation with Pulumi Typescript

argocd/iac/pulumi/eks/typescript/README.md

@@ -0,0 +1,28 @@
+# Pulumi Typescript GitOps Bridge
+
+### How to Start Your Hub Cluster:
+
+1. Create applicable stack files you need - The `Pulumi.dev.yaml` and `Pulumi.hub.yaml` each correspond to one stack for your hub cluster and one stack for a development environment spoke cluster
+2. Create a GitOps Repo - Add a README.md and stub out the files you will be adding the ArgoCD Cluster secrets to. 
+3. Update configuration values as you need - You will want to update Stack Files with configuration for Github Repo/Org, as well as AWS Account ID, CIDRs, etc;
+4. Add any extra resources you may need in your given environment
+5. Add an Environment Variable for `GITHUB_TOKEN` in your deployment env (local, Github Actions, AWS Code Pipeline, etc;)
+6. `pulumi up --stack hub`
+7. Wait for the Resources to create like VPC, EKS Cluster, and IAM permissions
+8. Run `./bootstrap.sh`
+
+
+### How to Add Spoke Clusters:
+
+1. Add any extra resources you may need in your given environment
+2. Add an Environment Variable for `GITHUB_TOKEN` in your deployment env (local, Github Actions, AWS Code Pipeline, etc;)
+3. Run Pulumi Up for the Spoke Cluster's Stack `pulumi up --stack dev`
+4. Wait for the Resources to create like VPC, EKS Cluster, and IAM permissions
+5. Apply the Secret resource that was added to the GitOps Repository
+
+### Productionizing your Implementation
+
+* Add Authentication for ArgoCD to be able to grab from your Organization's private repository
+* Add ApplicationSets to your configuration by looking at the GitOps Bridge Control Plane Template for resources you need
+* Create an ArgoCD Application that manages deployment of your Cluster Secret
+* Move your EKS Cluster to be a private access endpoint

argocd/iac/pulumi/eks/typescript/bootstrap.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+export AWS_PROFILE=default
+
+# Load config from YAML
+get_value() {
+    yq eval ".config.$1" Pulumi.hub.yaml
+}
+
+# Load config from YAML
+githubOrg=$(get_value "githubOrg")
+githubRepo=$(get_value "githubRepo")
+secretPath=$(get_value "secretPath")
+
+# Clone the GitHub repo
+git clone "https://github.com/$githubOrg/$githubRepo.git"
+
+# Add EKS cluster to kubeconfig
+aws eks --region us-east-1 update-kubeconfig --name hub-cluster --alias hub-cluster
+
+# Install ArgoCD
+kubectl create namespace argocd --context hub-cluster
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml --context hub-cluster
+
+kubectl apply -f "$githubRepo/$secretPath"
+
+# Echo command to port forward ArgoCD and get admin password
+echo "To port forward ArgoCD run: kubectl -n argocd port-forward svc/argocd-server 8080:443 &"
+echo "Password can be retrieved by running: kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d"

argocd/iac/pulumi/eks/typescript/github.ts

@@ -0,0 +1,98 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as github from "@pulumi/github";
+import * as yaml from 'js-yaml';
+import { getValue } from "./utils"
+import { env } from "process";
+
+export class GitOpsClusterConfig {
+  private config: pulumi.Config;
+  private outputs: {[key: string]: pulumi.Output<any>};
+
+  constructor(outputs: {[key: string]: pulumi.Output<any>}, config: pulumi.Config, clusterAuthority: pulumi.Output<string>) {
+    this.config = config
+    this.outputs = outputs
+    const annotations = this.generateAnnotations(pulumi.getStack())
+    const serverConfig = this.generateConfig(clusterAuthority)
+    getValue(pulumi.all([annotations, serverConfig]).apply(([annotations, serverConfig]) => {
+      return {
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: {
+          labels: this.generateLabels(),
+          annotations: annotations,
+          name: `${pulumi.getStack()}-cluster-secret`,
+          namespace: "argocd",
+        },
+        type: "Opaque",
+        stringData: {
+          name: pulumi.getStack(),
+          server: config.require("clusterType") === "hub" ? "https://kubernetes.default.svc" : `https://${annotations.k8s_service_host}`
+        },
+        data: {
+          config: Buffer.from(serverConfig).toString("base64"),
+        },
+      }
+    })).then(fileContents => {
+      const provider = new github.Provider("github", {
+        token: env.GITHUB_TOKEN,
+        owner: config.require("githubOrg"),
+      })
+      new github.RepositoryFile("argo-cluster-secret.yaml", {
+        repository: config.require("githubRepo"),
+        file: config.require("secretPath"),
+        content: yaml.dump(fileContents),
+        branch: "main",
+        commitMessage: `Update Argo Config Secret for ${pulumi.getStack()}`,
+        overwriteOnCreate: true,
+      }, {provider: provider});
+    })
+    .catch(err => console.log(err))
+  }
+
+  private generateConfig(clusterAuthority: pulumi.Output<string>) {
+    if (this.config.require("clusterType") !== "hub") {
+      return pulumi.all([this.outputs.argoRoleArn, clusterAuthority]).apply(([argoRoleArn, clusterAuthority]) => `{
+  "awsAuthConfig": {
+    "clusterName": "${this.config.require("name")}-cluster",
+    "roleARN": "${argoRoleArn}"
+  },
+  "tlsClientConfig": {
+    "insecure": false,
+    "caData": "${clusterAuthority}"
+  }
+}
+`)
+  }
+  return `{
+  "tlsClientConfig": {
+    "insecure": false
+  }
+}
+`
+  }
+
+  private generateAnnotations(name: string) {
+    // Add More Outputs as needed to output to cluster secret
+    const outputs = pulumi.all([
+      this.outputs.clusterName,
+      this.outputs.clusterApiEndpoint,
+    ])
+    const annotations = outputs.apply(([
+      clusterName,
+      clusterApiEndpoint,
+    ]) => {
+      return {
+        "aws_cluster_name": clusterName,
+        "k8s_service_host": clusterApiEndpoint.split("://")[1],
+      }
+    })
+    return annotations
+  }
+
+  private generateLabels() {
+    return {
+      "argocd.argoproj.io/secret-type": "cluster",
+      ...this.config.requireObject<Object>("clusterComponents"),
+    }
+  }
+}

argocd/iac/pulumi/eks/typescript/iam.ts

@@ -0,0 +1,77 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as aws from "@pulumi/aws";
+
+export function createArgoRole(
+  awsAccountId: string, 
+  oidcProviderUrl: pulumi.Output<any>, 
+  config: pulumi.Config,
+  ) {
+  if (config.require("clusterType") === "spoke") {
+    const hubStack = new pulumi.StackReference("hub-argorole-ref", {
+      name: config.require("hubStackName")
+    })
+    const outputs = hubStack.getOutput("outputs") as pulumi.Output<{[key: string]: string}>
+    const policy = outputs.apply((outputs) => JSON.stringify({
+      Version: "2012-10-17",
+      Statement: [
+        {
+          Effect: "Allow",
+          Principal: {
+            AWS: outputs.argoRoleArn
+          },
+          Action: "sts:AssumeRole"
+        }
+      ]
+    }))
+    return new aws.iam.Role("argo-role", {
+      assumeRolePolicy: policy
+    })
+  }
+  return new aws.iam.Role("argo-role", {
+    inlinePolicies: [
+      {
+        name: "Argo",
+        policy: JSON.stringify({
+          Version: "2012-10-17",
+          Statement: [
+            {
+              Sid: "ArgoSecrets",
+              Action: [
+                "secretsmanager:List*",
+                "secretsmanager:Read*"
+              ],
+              Resource: "*",
+              Effect: "Allow",
+            },
+            {
+              Sid: "AssumeRoles",
+              Action: [
+                "sts:AssumeRole"
+              ],
+              Resource: "*",
+              Effect: "Allow"
+            },
+          ],
+        })
+      }
+    ],
+    assumeRolePolicy: oidcProviderUrl.apply(v => JSON.stringify({
+      Version: "2012-10-17",
+      Statement: [
+        {
+          Effect: "Allow",
+          Principal: {
+            Federated: `arn:aws:iam::${awsAccountId}:oidc-provider/${v}`
+          },
+          Action: "sts:AssumeRoleWithWebIdentity",
+          Condition: {
+            StringLike: {
+              [`${v}:sub`]: ["system:serviceaccount:argocd:argocd-application-controller", "system:serviceaccount:argocd:argocd-server"],
+              [`${v}:aud`]: "sts.amazonaws.com"
+            }
+          }
+        }
+      ]
+    }))
+  })
+}

argocd/iac/pulumi/eks/typescript/index.ts

@@ -0,0 +1,101 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as awsx from "@pulumi/awsx";
+import * as eks from "@pulumi/eks";
+import { createArgoRole } from "./iam"
+import { GitOpsClusterConfig } from "./github"
+
+const stackName = pulumi.getStack()
+const config = new pulumi.Config()
+let roleMappings: eks.RoleMapping[] = []
+
+export const outputs: {[key: string]: any} = {
+  "stackName": stackName,
+}
+
+// VPC Config
+const vpc = new awsx.ec2.Vpc("vpc", {
+  cidrBlock: config.require("cidrBlock"),
+  numberOfAvailabilityZones: 3,
+  enableDnsHostnames: true,
+  enableDnsSupport: true,
+  subnetSpecs: [
+    {
+      type: awsx.ec2.SubnetType.Private,
+      tags: {
+        "karpenter.sh/discovery": `${stackName}-cluster`,
+        [`kubernetes.io/cluster/${stackName}-cluster`]: "owned",
+        "kubernetes.io/role/internal-elb": "1",
+      },
+    },
+    {
+      type: awsx.ec2.SubnetType.Isolated,
+      name: "tgw-attachment-subnet",
+      cidrMask: 27,
+    },
+    {
+      type: awsx.ec2.SubnetType.Public,
+      tags: {
+        [`kubernetes.io/cluster/${stackName}-cluster`]: "owned",
+        "kubernetes.io/role/elb": "1",
+      },
+    },
+  ],
+})
+
+// If we are creating a spoke cluster we need to create argoRole first, ensure it
+// gets added to auth mapping for the cluster with the correct permissions
+if (config.require("clusterType") === "spoke") {
+  const argoRole = createArgoRole(config.require("awsAccountId"), pulumi.output(""), config)
+  roleMappings.push({
+    roleArn: argoRole.arn,
+    username: argoRole.arn,
+    groups: ["system:masters"],
+  })
+  outputs.argoRoleArn = argoRole.arn
+}
+
+// Create EKS Cluster with a default node group
+const eksCluster = new eks.Cluster(`${stackName}-cluster`, {
+  name: `${stackName}-cluster`,
+  vpcId: vpc.vpcId,
+  version: "1.29",
+  publicSubnetIds: vpc.publicSubnetIds,
+  privateSubnetIds: vpc.privateSubnetIds,
+  roleMappings: roleMappings,
+  nodeSecurityGroupTags: {
+    "karpenter.sh/discovery": `${stackName}-cluster`
+  },
+  createOidcProvider: true,
+  clusterTags: {
+    "karpenter.sh/discovery": `${stackName}-cluster`,
+  },
+  nodeGroupOptions: {
+    nodeSubnetIds: vpc.privateSubnetIds,
+    nodeRootVolumeEncrypted: true,
+    nodeRootVolumeType: "gp3",
+    minSize: 1,
+    maxSize: 50,
+    desiredCapacity: 10,
+  },
+})
+
+outputs.clusterName = eksCluster.eksCluster.name
+outputs.clusterApiEndpoint = eksCluster.core.endpoint
+
+const oidcProviderUrl = eksCluster.core.oidcProvider?.url as pulumi.Output<string>
+
+// If we are creating the hub cluster we need pods in eks cluster to be able to assume
+// so we need cluster created first
+if (config.require("clusterType") === "hub") {
+  const argoRole = createArgoRole(config.require("awsAccountId"), oidcProviderUrl, config)
+  outputs.argoRoleArn = argoRole.arn
+}
+
+// Create the GitOps Configuration for the given cluster, one method being to upload
+// a file to be added to Github Repo which GitOps Controller could manage or 
+// we can create secret object and directly apply that to the cluster
+if (config.require("implementationType") === "github") {
+  new GitOpsClusterConfig(outputs, config, eksCluster.eksCluster.certificateAuthority.data)
+} else if (config.require("implementationType") === "secret") {
+  // TODO Implement
+}

argocd/iac/pulumi/eks/typescript/package.json

@@ -0,0 +1,16 @@
+{
+    "name": "gitops-bridge-ts",
+    "main": "index.ts",
+    "devDependencies": {
+        "@types/js-yaml": "^4.0.9",
+        "@types/node": "^16.18.61"
+    },
+    "dependencies": {
+        "@pulumi/aws": "^5.0.0",
+        "@pulumi/awsx": "^1.0.0",
+        "@pulumi/eks": "^2.0.0",
+        "@pulumi/github": "^5.22.0",
+        "@pulumi/pulumi": "^3.0.0",
+        "process": "^0.11.10"
+    }
+}