spike - how cluster bootstrapping could happen via terraform

[enekofb]

At the back of weaveworks/weave-gitops-private#101

We would like to discover whether cluster bootstrapping could happen via terraform and its limitations/tradeoffs

AC

We have discovered whether it is feasible to bootstrap a cluster with the following capabilities

• a set of compliance and security runtime capabilities = policy agent and secrets management
• a set of compliance and security runtime resources = policy library, secrets for flux to access a git repo, and secrets for flux to sync a profile from a private helm repo
• we are able to deliver changes to this layer by upgrading secrets management or a secret in particular
• the solution works with CAPI or Terraform provisioned infrastructure

[serboctor]

Relates to #2170

[enekofb]

Board https://miro.com/app/board/uXjVPzq4lPE=/?share_link_id=115903226257

[enekofb]

provisioned environment on https://github.com/weaveworks/clusters-config/tree/cluster-wge2205

kubeconfig

aws eks --region eu-north-1 update-kubeconfig --name wge2205

ui http://wge2205.eng-sandbox.weave.works/

tf-controller weaveworks/clusters-config@7255e46

flux-system                         policy-agent-65c9dcc968-bh2bd                                     1/1     Running   0             5m13s
flux-system                         source-controller-6849d5845f-5pzbq                                1/1     Running   0             6m26s
flux-system                         tf-controller-5f4cb65659-xclzd                                    1/1     Running   0             5m57s
flux-system                         weave-gitops-enterprise-cluster-controller-74d7557b67-69flz       2/2     Running   0             3m18s

configuration repo https://github.com/weaveworks/clusters-config/tree/cluster-wge2205/eksctl-clusters/clusters/wge2205

[enekofb]

Secrets runtime provisioned via
https://github.com/weaveworks/clusters-config/blob/cluster-wge2205/eksctl-clusters/clusters/wge2205/external-secrets-kustomization.yaml
https://github.com/weaveworks/clusters-config/tree/cluster-wge2205/eksctl-clusters/terraform/external-secrets

Syncing secrets via
https://github.com/weaveworks/clusters-config/blob/cluster-wge2205/eksctl-clusters/clusters/wge2205/sync-secrets-kustomization.yaml
https://github.com/weaveworks/clusters-config/tree/cluster-wge2205/eksctl-clusters/terraform/sync-secrets

Remote Syncing secrets via
https://github.com/weaveworks/clusters-config/blob/cluster-wge2205/eksctl-clusters/terraform/sync-secrets-remote/main.tf#L17-L22

Issues found

• troubleshooting while developing for gitops delivery
• authz

[enekofb]

✅ provision flux into a leaf cluster

using this module

https://github.com/weaveworks/clusters-config/blob/cluster-wge-2205/eksctl-clusters/terraform/flux/main.tf
https://github.com/weaveworks/clusters-config/blob/cluster-wge-2205/eksctl-clusters/apps/flux-leaf/flux-leaf.yaml

kubectl_manifest.install["apiextensions.k8s.io/v1/customresourcedefinition/receivers.notification.toolkit.fluxcd.io"]: Creation complete after 0s [id=/apis/apiextensions.k8s.io/v1/customresourcedefinitions/receivers.notification.toolkit.fluxcd.io]
kubectl_manifest.install["apps/v1/deployment/flux-system-leaf/source-controller"]: Creation complete after 9s [id=/apis/apps/v1/namespaces/flux-system-leaf/deployments/source-controller]
kubectl_manifest.install["apps/v1/deployment/flux-system-leaf/notification-controller"]: Creation complete after 8s [id=/apis/apps/v1/namespaces/flux-system-leaf/deployments/notification-controller]
kubectl_manifest.install["apps/v1/deployment/flux-system-leaf/kustomize-controller"]: Creation complete after 8s [id=/apis/apps/v1/namespaces/flux-system-leaf/deployments/kustomize-controller]
kubectl_manifest.install["apps/v1/deployment/flux-system-leaf/helm-controller"]: Still creating... [10s elapsed]
kubectl_manifest.install["apps/v1/deployment/flux-system-leaf/helm-controller"]: Creation complete after 16s [id=/apis/apps/v1/namespaces/flux-system-leaf/deployments/helm-controller]
kubernetes_secret.main: Creating...
kubernetes_secret.main: Creation complete after 0s [id=flux-system-leaf/flux-system]

https://wge-2205.eng-sandbox.weave.works/terraform/object/details?clusterName=management&name=flux-leaf&namespace=flux-system

flux-system-leaf                    helm-controller-85cccfdd85-f5fz4                                  1/1     Running   0              12s
flux-system-leaf                    kustomize-controller-696cdb77d9-8j4q8                             1/1     Running   0              12s
flux-system-leaf                    notification-controller-7b665fb8bd-x9tbp                          1/1     Running   0              12s
flux-system-leaf                    source-controller-64c85f9fc4-jz6jn                                1/1     Running   0              12s
f