Infrastructure

.github/scripts/eksctl-install.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+ARCH=amd64
+PLATFORM=$(uname -s)_$ARCH
+
+curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
+
+# (Optional) Verify checksum
+curl -sL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep $PLATFORM | sha256sum --check
+
+tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz
+
+sudo mv /tmp/eksctl /usr/local/bin

.github/scripts/gpg-agent.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+echo ${GPG_TRUST_OWNERS} | base64 --decode > trust-file
+gpg --import-ownertrust < trust-file
+echo ${GPG_PUBLIC_KEY} | base64 --decode | gpg --import
+echo ${GPG_PRIVATE_KEY} | base64 --decode | gpg --import --batch
+echo "use-agent" >> ${HOME}/.gnupg/gpg.conf
+echo "pinentry-mode loopback" >> ${HOME}/.gnupg/gpg.conf
+touch ${HOME}/.gnupg/gpg-agent.conf
+echo "allow-loopback-pinentry" >> ${HOME}/.gnupg/gpg-agent.conf

.github/scripts/gpg-install.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sudo apt-get install gnupg

.github/scripts/kubectl-install.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+
+echo "Validate the instalation"
+
+curl -LO "https://dl.k8s.io/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"
+
+echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
+
+if [ $? -eq 0 ]; then
+    echo "Previous command was successful"
+else
+    echo "Previous command failed"
+fi

.github/workflows/cv-infrastructure.yml

@@ -0,0 +1,101 @@
+name: Create AWS infrastructure
+on:
+  push:
+    branches:
+      - infrastructure
+jobs:
+  setup_roles_and_policies:
+    runs-on: ubuntu-latest
+    environment:
+      name: develop
+    env:
+      CLUSTER_ROLE_NAME: ${{ vars.CLUSTER_ROLE_NAME }}
+      CLUSTER_POLICY_NAME: ${{ vars.CLUSTER_POLICY_NAME }}
+      NODEGROUP_ROLE_NAME: ${{ vars.NODEGROUP_ROLE_NAME }}
+      NODEGROUP_POLICY_NAME: ${{ vars.NODEGROUP_POLICY_NAME }}
+      CODEPIPELINE_ROLE_NAME: ${{ vars.CODEPIPELINE_ROLE_NAME }}
+      CODEPIPELINE_POLICY_NAME: ${{ vars.CODEPIPELINE_POLICY_NAME }}
+      CODEBUILD_ROLE_NAME: ${{ vars.CODEBUILD_ROLE_NAME }}
+      CODEBUILD_POLICY_NAME: ${{ vars.CODEBUILD_POLICY_NAME }}
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Setup AWS CLI
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Creates the role that will assume the trust policy to deal with the cluster
+        run: aws iam create-role --role-name ${CLUSTER_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json
+
+      - name: Attaches the policy to the cluster role
+        run: aws iam put-role-policy --role-name ${CLUSTER_ROLE_NAME} --policy-name ${CLUSTER_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-policy.json
+
+      - name: Creates the role that will assume the trust policy to deal with the node-group
+        run: aws iam create-role --role-name ${NODEGROUP_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-nodegroup-trust-policy.json
+
+      - name: Attaches the policy for the node-group role
+        run: aws iam put-role-policy --role-name ${NODEGROUP_ROLE_NAME} --policy-name ${NODEGROUP_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-nodegroup-policy.json
+
+      - name: Create the role that will assume the trust policy to deal with the codepipeline service
+        run: aws iam create-role --role-name ${CODEPIPELINE_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/codepipeline-trust-policy.json
+
+      - name: Attaches the policy for the codepipeline role
+        run: aws iam put-role-policy --role-name ${CODEPIPELINE_ROLE_NAME} --policy-name ${CODEPIPELINE_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/codepipeline-policy.json
+
+      - name: Create the role that will assume the trust policy to deal with the codebuild service
+        run: aws iam create-role --role-name ${CODEBUILD_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/codebuild-trust-policy.json
+
+      - name: Attaches the policy for the codebuild role
+        run: aws iam put-role-policy --role-name ${CODEBUILD_ROLE_NAME} --policy-name ${CODEBUILD_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/codebuild-policy.json
+
+  create_the_cluster:
+    runs-on: ubuntu-latest
+    needs: setup_roles_and_policies
+    environment:
+      name: develop
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
+      GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+      GPG_TRUST_OWNERS: ${{ secrets.GPG_TRUST_OWNERS }}
+      RECIPIENT_ID: ${{ secrets.RECIPIENT_ID }}
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Setup the runner
+        run: |
+          sh ${GITHUB_WORKSPACE}/.github/scripts/eksctl-install.sh
+          sh ${GITHUB_WORKSPACE}/.github/scripts/gpg-install.sh
+
+      - name: Setup the keys used to create the k8s cluster
+        run: |
+          mkdir ${HOME}/.ssh/
+          echo ${SSH_PRIVATE_KEY} > ${HOME}/.ssh/k8s
+          echo ${SSH_PUBLIC_KEY} > ${HOME}/.ssh/k8s.pub
+
+      - name: Import the gpg components
+        run: |
+          echo ${GPG_TRUST_OWNERS} | base64 --decode > trust-file
+          gpg --import-ownertrust < trust-file
+          echo ${GPG_PUBLIC_KEY} | base64 --decode | gpg --import
+          echo ${GPG_PRIVATE_KEY} | base64 --decode | gpg --import --batch
+
+      - name: Creates the k8s cluster using eksctl
+        run: eksctl create cluster -f ${GITHUB_WORKSPACE}/eksk8s/cluster-config.yaml
+
+      - name: Encrypts the kubeconfig file
+        run: gpg --encrypt -r ${RECIPIENT_ID} --output kube_config.gpg ${HOME}/.kube/config
+
+      - name: Pushes kubeconfig artifact
+        uses: actions/[email protected]
+        with:
+          name: kube_config.gpg
+          path: ${{ github.workspace }}

.github/workflows/deployment.yml

@@ -0,0 +1,45 @@
+name: Deploy app to AWS
+on:
+  push:
+    branches:
+      - develop
+jobs:
+  get_k8s_config:
+    runs-on: ubuntu-latest
+    environment:
+      name: develop
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      CLUSTER_ROLE_NAME: cv-eks-cluster-role
+      CLUSTER_POLICY_NAME: cv-eks-cluster-policy
+      NODEGROUP_ROLE_NAME: cv-eks-nodegroup-role
+      NODEGROUP_POLICY_NAME: cv-eks-nodegroup-policy
+      PASSPHRASE: ${{ secrets.PASSPHRASE }}
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Setup the runner
+        run: sh $GITHUB_WORKSPACE/.github/scripts/kubectl-install.sh
+
+      - name: Setup AWS credentials
+        run: |
+          aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID}
+          aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY}
+          aws configure set default.region us-west-1
+
+      - name: Download Artifact
+        uses: dawidd6/[email protected]
+        with:
+          workflow: cv-infrastructure.yml
+          name: kube_config.enc
+
+      - name: Restore the kubeconfig file
+        run: |
+          mkdir $HOME/.kube/
+          openssl enc -d -aes-256-cbc -in kube_config.enc -out $HOME/.kube/config -k ${PASSPHRASE}
+          cat $HOME/.kube/config
+
+      - name: Get awsauth config map
+        run: kubectl get -n kube-system configmap/aws-auth -o yaml > aws-auth-patch.yml

.github/workflows/manual.yml

@@ -25,22 +25,3 @@ jobs:
         JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
         JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
         JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
-
-    - name: Create NEW JIRA ticket
-      id: create
-      uses: atlassian/gajira-create@master
-      with:
-        project: CONUPDATE
-        issuetype: Task
-        summary: |
-          Github PR - nd0044 - Full Stack Nanodegree C4 | Repo: ${{ github.repository }}  | PR# ${{github.event.number}}
-        description: |
-           Repo link: https://github.com/${{ github.repository }}   
-           PR no. ${{ github.event.pull_request.number }} 
-           PR title: ${{ github.event.pull_request.title }}  
-           PR description: ${{ github.event.pull_request.description }}  
-           In addition, please resolve other issues, if any. 
-        fields: '{"components": [{"name":"nd0044 - Full Stack Nanodegree"}], "customfield_16449":"https://classroom.udacity.com/nanodegrees/nd0044/dashboard/overview", "customfield_16450":"Resolve the PR", "labels": ["github"], "priority":{"id": "4"}}'
-
-    - name: Log created issue
-      run: echo "Issue ${{ steps.create.outputs.issue }} was created"

.github/workflows/secrets.yml

@@ -0,0 +1,128 @@
+name: Create AWS infrastructure
+on:
+  push:
+    branches:
+      - infrastructure
+jobs:
+  setup_roles_and_policies:
+    if: false
+    runs-on: ubuntu-latest
+    environment:
+      name: develop
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      CLUSTER_ROLE_NAME: cv-eks-cluster-role
+      CLUSTER_POLICY_NAME: cv-eks-cluster-policy
+      NODEGROUP_ROLE_NAME: cv-eks-nodegroup-role
+      NODEGROUP_POLICY_NAME: cv-eks-nodegroup-policy
+      CODEPIPELINE_ROLE_NAME: cv-codepipeline-role
+      CODEPIPELINE_POLICY_NAME: cv-codepipeline-policy
+      CODEBUILD_ROLE_NAME: cv-codebuild-role
+      CODEBUILD_POLICY_NAME: cv-codebuild-policy
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Setup AWS credentials
+        run: |
+          aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID}
+          aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY}
+          aws configure set default.region us-west-1
+
+      - name: Creates the role that will assume the trust policy to deal with the cluster
+        run: aws iam create-role --role-name ${CLUSTER_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json
+
+      - name: Attaches the policy to the cluster role
+        run: aws iam put-role-policy --role-name ${CLUSTER_ROLE_NAME} --policy-name ${CLUSTER_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-policy.json
+
+      - name: Creates the role that will assume the trust policy to deal with the node-group
+        run: aws iam create-role --role-name ${NODEGROUP_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-nodegroup-trust-policy.json
+
+      - name: Attaches the policy for the node-group role
+        run: aws iam put-role-policy --role-name ${NODEGROUP_ROLE_NAME} --policy-name ${NODEGROUP_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-nodegroup-policy.json
+
+      - name: Create the role that will assume the trust policy to deal with the codepipeline service
+        run: aws iam create-role --role-name ${CODEPIPELINE_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/codepipeline-trust-policy.json
+
+      - name: Attaches the policy for the codepipeline role
+        run: aws iam put-role-policy --role-name ${CODEPIPELINE_ROLE_NAME} --policy-name ${CODEPIPELINE_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/codepipeline-policy.json
+
+      - name: Create the role that will assume the trust policy to deal with the codebuild service
+        run: aws iam create-role --role-name ${CODEBUILD_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/codebuild-trust-policy.json
+
+      - name: Attaches the policy for the codebuild role
+        run: aws iam put-role-policy --role-name ${CODEBUILD_ROLE_NAME} --policy-name ${CODEBUILD_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/codebuild-policy.json
+
+  create_the_cluster:
+    if: false
+    runs-on: ubuntu-latest
+    # needs: setup_roles_and_policies
+    environment:
+      name: develop
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
+      GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+      GPG_TRUST_OWNERS: ${{ secrets.GPG_TRUST_OWNERS }}
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Setup the runner
+        run: |
+          sh ${GITHUB_WORKSPACE}/.github/scripts/eksctl-install.sh
+          sh ${GITHUB_WORKSPACE}/.github/scripts/gpg-install.sh
+
+      - name: Setup the keys used to create the k8s cluster
+        if: false
+        run: |
+          mkdir ${HOME}/.ssh/
+          echo ${SSH_PRIVATE_KEY} > ${HOME}/.ssh/k8s
+          echo ${SSH_PUBLIC_KEY} > ${HOME}/.ssh/k8s.pub
+
+      - name: Creates the k8s cluster using eksctl
+        if: false
+        run: eksctl create cluster -f ${GITHUB_WORKSPACE}/eksk8s/cluster-config.yaml
+
+      - name: Import the gpg components
+        run: |
+          echo ${GPG_TRUST_OWNERS} | base64 --decode > trust-file
+          gpg --import-ownertrust < trust-file
+          echo ${GPG_PUBLIC_KEY} | base64 --decode | gpg --import
+          echo ${GPG_PRIVATE_KEY} | base64 --decode | gpg --import --batch
+
+      - name: Creates fake kubeconfig file
+        run: |
+          mkdir ${HOME}/.kube/
+          cat << EOF > ${HOME}/.kube/config
+          Line1
+          EOF
+
+      - name: Encrypts the kubeconfig file
+        run: gpg --encrypt -r [email protected] --output kube_config.gpg ${HOME}/.kube/config
+
+      - name: Pushes kubeconfig artifact
+        uses: actions/[email protected]
+        with:
+          name: kube_config.gpg
+          path: ${{ github.workspace }}
+
+  manages_aws_secrets:
+    runs-on: ubuntu-latest
+    needs: create_the_cluster
+    if: false
+    environment:
+      name: develop
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      CODEPIPELINE_ROLE_NAME: cv-codepipeline-role
+      CODEPIPELINE_POLICY_NAME: cv-codepipeline-policy
+    steps:
+      - name: Stores the GH_TOKEN in AWS Systems Manager Parameter Store
+        run: aws ssm put-parameter --name "MySecureStringParameter" --value "MySuperSecretValue" --type "SecureString" --key-id "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

.gitignore

@@ -28,4 +28,3 @@ htmlcov/
 .envrc
 .direnv
 
-.github/**

eksk8s/README.MD

@@ -0,0 +1,38 @@
+With regard to the file eks-cluster-policy.json:
+
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+              "eks:CreateCluster",
+              "eks:DescribeCluster",
+              "eks:UpdateClusterConfig",
+              "eks:UpdateClusterVersion",
+              "ssm:GetParameters"
+            ],
+            "Resource": "*" // * means that the already defined actions could be applied to any EKS cluster in the account
+        }
+    ]
+}
+
+In the file eksk8s/cluster-config.yaml the key nodeGroups.iam.instanceRoleARN has the value=arn:aws:iam::62132xxxx821:role/cv-eks-nodegroup-role. In a real project this file should be created using jinja/cookicutter in a previous step. This file should never have hard-coded values. However, for educational purposes/save time these values are hardcoded in the file.
+
+This key pair was created in aws console. It is possible to do it using the command to create it. This step involves pushing (uploading) the keys to aws via aws cli or somehow.
+
+The subnets were also created by hand in the aws console.
+
+The command `eksctl create cluster -f <file_name>` creates the file `$HOME/.kube/config` This file is the one that has the context to connect to the remote cluster. Then to store this file securely, the file should be encrypted and published in the artifacts list of the github repo. Then, in a linux terminal generate the gpg key with the command `gpg --full-generate-key`. For educational purposes I have not included a passphrase nor expiration date for this gpg key set. After, get the ID of the just created `gpg` with the command: `gpg --list-keys` Then, using the commands: `gpg --export -a KEY_ID | base64 -w 0 > public.asc` and `gpg --export-secret-keys -a KEY_ID | base64 -w 0  > private.asc` export the gpg keys that will be stored as secrets in GitHub actions. After, in the workflow import the gpg key to encrypt the file and then upload as artifact to GitHub actions repo.
+
+#### Note:
+For reference on how to deal with base64 and gpg keys use this link: https://dev.to/epam_india_python/how-we-set-up-gpg-keys-as-environment-variables-2f26
+
+In order to sort out the problem: `Fixing GPG "Inappropriate ioctl for device" errors`  I run these commands:
+`echo "use-agent" >> ${HOME}/.gnupg/gpg.conf
+ echo "pinentry-mode loopback" >> ${HOME}/.gnupg/gpg.conf
+ touch ${HOME}/.gnupg/gpg-agent.conf
+ echo "allow-loopback-pinentry" >> ${HOME}/.gnupg/gpg-agent.conf`
+
+This command: `echo ${GPG_PASSPHRASE} | gpg --batch --yes --passphrase-fd 0 --output ${HOME}/.kube/config --decrypt ${GITHUB_WORKSPACE}/artifacts/kube_config.gpg` sorts out these errors: `gpg: cannot open '/dev/tty': No such device or address` The command avoids the interaction with the command line. In this scenario, Github Actions does not have an interactive environment.
+