doc: Update documentation related to secrets (#217)

mglotov · web-flow · commit a8ea83ad9c1e · 2021-11-19T16:39:39.000+06:00
diff --git a/README.md b/README.md
@@ -79,7 +79,7 @@ You can find more about this project in Anton Babenko stream:
 
 ## FAQ: Frequently Asked Questions
 
-[FAQ](docs/FAQ.md): Frequently Asked Questions
+[FAQ](docs/FAQ.md): Frequently Asked Questions and **HOW TO**
 
 ## Architecture diagram
 
@@ -444,6 +444,9 @@ This boiler installs all basic and necessary components. However, we also provid
 * layer1-aws: search `***_enable` variables and set them to **true**
 * layer2-k8s: check `helm-releases.yaml` file and set **enabled: true** or **enabled:false** for components that you want to **deploy** or to **unistall**
 
+Notes:
+* [Gitlab-runner](docs/FAQ.md#gitlab-runner)
+
 ## TFSEC
 
 [TFSEC](docs/TFSEC.md): Notes related to tfsec ignores
diff --git a/docs/FAQ.md b/docs/FAQ.md
@@ -155,7 +155,12 @@ module "test_namespace" {
 }
 ```
 
-## How to add more restrictions for Gitlab-Runner
+## Gitlab-runner
+Gitlab-runner installation requieres `registration token`. 
+* How to generate token see [here](https://docs.gitlab.com/runner/register/#requirements). 
+* Set `gitlab_runner_registration_token` variable in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.
+
+### How to add more restrictions for Gitlab-Runner
 By default Gitlab-Runner can deploy into any namespaces. If you want to allow Gitlab-Runner to deploy only into specific namespaces, then do these:
 * Create new Service Account:
 ```
@@ -220,5 +225,33 @@ By default we install Grafana without integrating it with GitHub or Gitlab and u
    * See [this instruction](https://grafana.com/docs/grafana/latest/auth/gitlab/#gitlab-oauth2-authentication) and generate necessary tokens.
    * Set `grafana_gitlab_client_id`, `grafana_gitlab_client_secret`, `grafana_gitlab_group` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.
 3. **GitHub**:
-   * See [this instruction](https://grafana.com/docs/grafana/latest/auth/github/#github-oauth2-authentication)
-   * Set `grafana_github_client_id`, `grafana_github_client_secret`, `grafana_github_team_ids`, `grafana_github_allowed_organizations` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.
+   * See [this instruction](https://grafana.com/docs/grafana/latest/auth/github/#github-oauth2-authentication) and generate necessary tokens.
+   * Set `grafana_github_client_id`, `grafana_github_client_secret`, `grafana_github_team_ids`, `grafana_github_allowed_organizations` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.
+
+## Alertmanager
+Alertmanager is disabled in default installation. If you want to enable it, then do next:
+1. Open file layer2-k8s/eks-kube-prometheus-stack.tf and change :
+```yaml
+locals {
+....
+  kube_prometheus_stack_alertmanager_values         = <<VALUES
+# Alertmanager parameters
+alertmanager:
+  enabled: false
+....
+}
+
+to
+
+locals {
+....
+  kube_prometheus_stack_alertmanager_values         = <<VALUES
+# Alertmanager parameters
+alertmanager:
+  enabled: true
+....
+}
+```
+### If you want to receive alerts **via Slack**, then do next:
+* See [this instruction](https://slack.com/help/articles/115005265063-Incoming-webhooks-for-Slack) and generate Slack Incoming Webhook 
+* Set `alertmanager_slack_webhook`, `alertmanager_slack_channel` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.
diff --git a/terraform/layer2-k8s/README.md b/terraform/layer2-k8s/README.md
@@ -62,7 +62,6 @@
 | <a name="provider_helm"></a> [helm](#provider\_helm)                   | 2.4.1   |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.6.1   |
 | <a name="provider_random"></a> [random](#provider\_random)             | 3.1.0   |
-| <a name="provider_template"></a> [template](#provider\_template)       | 2.2.0   |
 | <a name="provider_terraform"></a> [terraform](#provider\_terraform)    | n/a     |
 | <a name="provider_time"></a> [time](#provider\_time)                   | 0.7.2   |
 
@@ -139,38 +138,27 @@
 | [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/eks_cluster_auth)                                                           | data source |
 | [aws_secretsmanager_secret.infra](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/secretsmanager_secret)                                                | data source |
 | [aws_secretsmanager_secret_version.infra](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/secretsmanager_secret_version)                                | data source |
-| [template_file.cert_manager](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file)                                                       | data source |
-| [template_file.certificate](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file)                                                        | data source |
-| [template_file.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file)                                                 | data source |
-| [template_file.cluster_issuer](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file)                                                     | data source |
-| [template_file.elk](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file)                                                                | data source |
-| [template_file.external_dns](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file)                                                       | data source |
-| [template_file.external_secrets](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file)                                                   | data source |
-| [template_file.ingress_nginx](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file)                                                      | data source |
 | [terraform_remote_state.layer1-aws](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state)                                       | data source |
 
 ## Inputs
 
-| Name                                                                                                                                           | Description                                                                                     | Type        | Default        | Required |
-| ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | ----------- | -------------- | :------: |
-| <a name="input_additional_allowed_ips"></a> [additional\_allowed\_ips](#input\_additional\_allowed\_ips)                                       | IP addresses allowed to connect to private resources                                            | `list(any)` | `[]`           |    no    |
-| <a name="input_allowed_account_ids"></a> [allowed\_account\_ids](#input\_allowed\_account\_ids)                                                | List of allowed AWS account IDs                                                                 | `list`      | `[]`           |    no    |
-| <a name="input_aws_loadbalancer_controller_enable"></a> [aws\_loadbalancer\_controller\_enable](#input\_aws\_loadbalancer\_controller\_enable) | Disable or Enable aws-loadbalancer-controller. You need to enable it if you want to use Fargate | `bool`      | `false`        |    no    |
-| <a name="input_cluster_autoscaler_version"></a> [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version)                           | Version of cluster autoscaler                                                                   | `string`    | `"v1.21.0"`    |    no    |
-| <a name="input_elk_index_retention_days"></a> [elk\_index\_retention\_days](#input\_elk\_index\_retention\_days)                               | Days before remove index from system elasticsearch                                              | `number`    | `14`           |    no    |
-| <a name="input_elk_snapshot_retention_days"></a> [elk\_snapshot\_retention\_days](#input\_elk\_snapshot\_retention\_days)                      | Days to capture index in snapshot                                                               | `number`    | `90`           |    no    |
-| <a name="input_helm_release_history_size"></a> [helm\_release\_history\_size](#input\_helm\_release\_history\_size)                            | How much helm releases to store                                                                 | `number`    | `5`            |    no    |
-| <a name="input_nginx_ingress_ssl_terminator"></a> [nginx\_ingress\_ssl\_terminator](#input\_nginx\_ingress\_ssl\_terminator)                   | Select SSL termination type                                                                     | `string`    | `"lb"`         |    no    |
-| <a name="input_region"></a> [region](#input\_region)                                                                                           | Default infrastructure region                                                                   | `string`    | `"us-east-1"`  |    no    |
-| <a name="input_remote_state_bucket"></a> [remote\_state\_bucket](#input\_remote\_state\_bucket)                                                | Name of the bucket for terraform state                                                          | `string`    | n/a            |   yes    |
-| <a name="input_remote_state_key"></a> [remote\_state\_key](#input\_remote\_state\_key)                                                         | Key of the remote state for terraform\_remote\_state                                            | `string`    | `"layer1-aws"` |    no    |
+| Name                                                                                                                         | Description                                          | Type        | Default        | Required |
+| ---------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | ----------- | -------------- | :------: |
+| <a name="input_additional_allowed_ips"></a> [additional\_allowed\_ips](#input\_additional\_allowed\_ips)                     | IP addresses allowed to connect to private resources | `list(any)` | `[]`           |    no    |
+| <a name="input_allowed_account_ids"></a> [allowed\_account\_ids](#input\_allowed\_account\_ids)                              | List of allowed AWS account IDs                      | `list`      | `[]`           |    no    |
+| <a name="input_cluster_autoscaler_version"></a> [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version)         | Version of cluster autoscaler                        | `string`    | `"v1.21.0"`    |    no    |
+| <a name="input_helm_release_history_size"></a> [helm\_release\_history\_size](#input\_helm\_release\_history\_size)          | How much helm releases to store                      | `number`    | `5`            |    no    |
+| <a name="input_nginx_ingress_ssl_terminator"></a> [nginx\_ingress\_ssl\_terminator](#input\_nginx\_ingress\_ssl\_terminator) | Select SSL termination type                          | `string`    | `"lb"`         |    no    |
+| <a name="input_region"></a> [region](#input\_region)                                                                         | Default infrastructure region                        | `string`    | `"us-east-1"`  |    no    |
+| <a name="input_remote_state_bucket"></a> [remote\_state\_bucket](#input\_remote\_state\_bucket)                              | Name of the bucket for terraform state               | `string`    | n/a            |   yes    |
+| <a name="input_remote_state_key"></a> [remote\_state\_key](#input\_remote\_state\_key)                                       | Key of the remote state for terraform\_remote\_state | `string`    | `"layer1-aws"` |    no    |
 
 ## Outputs
 
 | Name                                                                                                                                      | Description                                              |
 | ----------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- |
 | <a name="output_alertmanager_domain_name"></a> [alertmanager\_domain\_name](#output\_alertmanager\_domain\_name)                          | Alertmanager ui address                                  |
-| <a name="output_apm_domain_name"></a> [apm\_domain\_name](#output\_apm\_domain\_name)                                                     | n/a                                                      |
+| <a name="output_apm_domain_name"></a> [apm\_domain\_name](#output\_apm\_domain\_name)                                                     | APM domain name                                          |
 | <a name="output_elastic_stack_bucket_name"></a> [elastic\_stack\_bucket\_name](#output\_elastic\_stack\_bucket\_name)                     | Name of the bucket for ELKS snapshots                    |
 | <a name="output_elasticsearch_elastic_password"></a> [elasticsearch\_elastic\_password](#output\_elasticsearch\_elastic\_password)        | Password of the superuser 'elastic'                      |
 | <a name="output_get_grafana_admin_password"></a> [get\_grafana\_admin\_password](#output\_get\_grafana\_admin\_password)                  | Command which gets admin password from kubernetes secret |
diff --git a/terraform/layer2-k8s/aws-sm-secrets.tf b/terraform/layer2-k8s/aws-sm-secrets.tf
@@ -1,12 +1,3 @@
-locals {
-  kibana_gitlab_client_id     = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "kibana_gitlab_client_id", "mock_value")
-  kibana_gitlab_client_secret = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "kibana_gitlab_client_secret", "mock_value")
-  kibana_gitlab_group         = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "kibana_gitlab_group", "mock_value")
-  gitlab_registration_token   = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "gitlab_registration_token", "mock_value")
-  alertmanager_slack_url      = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "alertmanager_slack_url", "mock_value")
-  alertmanager_slack_channel  = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "alertmanager_slack_channel", "mock_value")
-}
-
 data "aws_secretsmanager_secret" "infra" {
   name = "/${local.name_wo_region}/infra/layer2-k8s"
 }
diff --git a/terraform/layer2-k8s/eks-gitlab-runner.tf b/terraform/layer2-k8s/eks-gitlab-runner.tf
@@ -7,9 +7,10 @@ locals {
     chart_version = local.helm_releases[index(local.helm_releases.*.id, "gitlab-runner")].chart_version
     namespace     = local.helm_releases[index(local.helm_releases.*.id, "gitlab-runner")].namespace
   }
-  gitlab_runner_values = <<VALUES
+  gitlab_runner_registration_token = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "gitlab_runner_registration_token", "")
+  gitlab_runner_values             = <<VALUES
 gitlabUrl: "https://gitlab.com/"
-runnerRegistrationToken: "${local.gitlab_registration_token}"
+runnerRegistrationToken: "${local.gitlab_runner_registration_token}"
 concurrent: 4
 checkInterval: 30
 
diff --git a/terraform/layer2-k8s/eks-kube-prometheus-stack.tf b/terraform/layer2-k8s/eks-kube-prometheus-stack.tf
@@ -16,6 +16,8 @@ locals {
   grafana_github_client_secret         = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_client_secret", "")
   grafana_github_team_ids              = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_team_ids", "")
   grafana_github_allowed_organizations = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_allowed_organizations", "")
+  alertmanager_slack_webhook           = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "alertmanager_slack_webhook", "")
+  alertmanager_slack_channel           = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "alertmanager_slack_channel", "")
   grafana_domain_name                  = "grafana-${local.domain_suffix}"
   prometheus_domain_name               = "prometheus-${local.domain_suffix}"
   alertmanager_domain_name             = "alertmanager-${local.domain_suffix}"
@@ -221,16 +223,46 @@ alertmanager:
           resources:
             requests:
               storage: 10Gi
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 200m
+        memory: 256Mi
   config:
     global:
       resolve_timeout: 5m
-      slack_api_url: ${local.alertmanager_slack_url}
     route:
       group_by: ['job']
       group_wait: 30s
       group_interval: 5m
       repeat_interval: 12h
       receiver: 'null'
+      routes:
+        - match:
+            alertname: Watchdog
+          receiver: 'null'
+    receivers:
+    - name: 'null'
+
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+          - matchExpressions:
+              - key: eks.amazonaws.com/capacityType
+                operator: In
+                values:
+                  - ON_DEMAND
+VALUES
+  kube_prometheus_stack_alertmanager_slack_values   = <<VALUES
+# Alertmanager parameters
+alertmanager:
+  config:
+    global:
+      slack_api_url: ${local.alertmanager_slack_webhook}
+    route:
       routes:
         - match:
             alertname: Watchdog
@@ -257,16 +289,6 @@ alertmanager:
             {{ end }}
             {{ end }}
           icon_emoji: '{{ template "slack.default.iconemoji" . }}'
-
-  affinity:
-    nodeAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        nodeSelectorTerms:
-          - matchExpressions:
-              - key: eks.amazonaws.com/capacityType
-                operator: In
-                values:
-                  - ON_DEMAND
 VALUES
 }
 
@@ -422,7 +444,8 @@ resource "helm_release" "prometheus_operator" {
     local.kube_prometheus_stack_grafana_values,
     local.grafana_oauth_type == "gitlab" ? local.kube_prometheus_stack_grafana_gitlab_oauth_values : null,
     local.grafana_oauth_type == "github" ? local.kube_prometheus_stack_grafana_github_oauth_values : null,
-    local.kube_prometheus_stack_alertmanager_values
+    local.kube_prometheus_stack_alertmanager_values,
+    local.alertmanager_slack_webhook != "" ? local.kube_prometheus_stack_alertmanager_slack_values : null
   ])
 
 }
