chore: Initial commit (#1)

* Initial commit * Add direnv
fluencelabs · Nov 4, 2024 · 7b92515 · 7b92515
1 parent 7efa32d
commit 7b92515
Show file tree

Hide file tree

Showing 30 changed files with 910 additions and 0 deletions.
diff --git a/.envrc b/.envrc
@@ -0,0 +1,2 @@
+use flake
+nix_direnv_manual_reload
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
@@ -0,0 +1,14 @@
+name: cleanup
+
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  destroy:
+    uses: ./.github/workflows/terraform.yml
+    with:
+      command: "destroy"
+      branch: ${{ github.event.pull_request.head.ref }}
+    secrets:
+      PAT: ${{ secrets.FLUENCEBOT_RELEASE_PLEASE_PAT }}
diff --git a/.github/workflows/create-command.yml b/.github/workflows/create-command.yml
@@ -0,0 +1,15 @@
+name: create-command
+
+on:
+  repository_dispatch:
+    types: [create-command]
+
+jobs:
+  create:
+    uses: ./.github/workflows/terraform.yml
+    with:
+      command: ${{ github.event.client_payload.slash_command.command }}
+      branch: ${{ github.event.client_payload.pull_request.head.ref }}
+      sha: ${{ github.event.client_payload.pull_request.head.sha }}
+    secrets:
+      PAT: ${{ secrets.FLUENCEBOT_RELEASE_PLEASE_PAT }}
diff --git a/.github/workflows/destroy-command.yml b/.github/workflows/destroy-command.yml
@@ -0,0 +1,15 @@
+name: destroy-command
+
+on:
+  repository_dispatch:
+    types: [destroy-command]
+
+jobs:
+  destroy:
+    uses: ./.github/workflows/terraform.yml
+    with:
+      command: ${{ github.event.client_payload.slash_command.command }}
+      branch: ${{ github.event.client_payload.pull_request.head.ref }}
+      sha: ${{ github.event.client_payload.pull_request.head.sha }}
+    secrets:
+      PAT: ${{ secrets.FLUENCEBOT_RELEASE_PLEASE_PAT }}
diff --git a/.github/workflows/help-command.yml b/.github/workflows/help-command.yml
@@ -0,0 +1,23 @@
+name: help-command
+
+on:
+  repository_dispatch:
+    types: [help-command]
+
+jobs:
+  help:
+    runs-on: linux-amd64-t-small
+    steps:
+      - name: Update comment
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+          comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
+          body: |
+            > Command | Description
+            > --- | ---
+            > /help | List available commands
+            > /create | Create and bootstrap talos cluster
+            > /destroy | Destroy talos cluster and all resources
+            > /reset | Recreate talos cluster (destroy && create)
diff --git a/.github/workflows/reset-command.yml b/.github/workflows/reset-command.yml
@@ -0,0 +1,15 @@
+name: reset-command
+
+on:
+  repository_dispatch:
+    types: [reset-command]
+
+jobs:
+  reset:
+    uses: ./.github/workflows/terraform.yml
+    with:
+      command: ${{ github.event.client_payload.slash_command.command }}
+      branch: ${{ github.event.client_payload.pull_request.head.ref }}
+      sha: ${{ github.event.client_payload.pull_request.head.sha }}
+    secrets:
+      PAT: ${{ secrets.FLUENCEBOT_RELEASE_PLEASE_PAT }}
diff --git a/.github/workflows/slash.yml b/.github/workflows/slash.yml
@@ -0,0 +1,20 @@
+name: slash command
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  command:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Slash Command Dispatch
+        uses: peter-evans/slash-command-dispatch@v4
+        with:
+          token: ${{ secrets.FLUENCEBOT_RELEASE_PLEASE_PAT }}
+          issue-type: pull-request
+          commands: |
+            create
+            reset
+            destroy
+            help
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -0,0 +1,120 @@
+name: terraform
+
+on:
+  workflow_call:
+    inputs:
+      command:
+        description: "The terraform command to run (create, destroy, reset)"
+        required: true
+        type: string
+      branch:
+        description: "Branch to checkout to"
+        required: true
+        type: string
+      sha:
+        description: "Last commit in the branch"
+        required: false
+        type: string
+    secrets:
+      PAT:
+        description: "Used in Flux to clone the repo"
+        required: true
+
+jobs:
+  terraform:
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        working-directory: terraform
+
+    permissions:
+      contents: read
+      id-token: write
+
+    env:
+      TF_VAR_github_branch: ${{ inputs.branch }}
+
+    steps:
+      - name: Set latest commit status as pending
+        if: inputs.sha
+        uses: myrotvorets/[email protected]
+        with:
+          sha: ${{ inputs.sha }}
+          token: ${{ secrets.PAT }}
+          status: pending
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.command == 'destroy' && 'main' || inputs.branch }}
+
+      - name: Get Vault token
+        uses: hashicorp/[email protected]
+        with:
+          url: "https://vault.fluence.dev"
+          path: jwt/github
+          role: ci-spectrum
+          method: jwt
+          jwtGithubAudience: "https://github.com/fluencelabs"
+          jwtTtl: 300
+          exportToken: false
+          secrets: |
+            kv/digitalocean/gitops token | DIGITALOCEAN_TOKEN ;
+            kv/cloudflare/gitops token | CLOUDFLARE_API_TOKEN ;
+            kv/ci/spectrum-ci id | AWS_ACCESS_KEY_ID ;
+            kv/ci/spectrum-ci secret | AWS_SECRET_ACCESS_KEY ;
+
+      - name: Sanitize branch name
+        id: sanitize
+        run: |
+          BRANCH="${{ inputs.branch }}"
+          # Sanitize branch name for DNS compatibility
+          BRANCH="${BRANCH//[^a-zA-Z0-9-]/-}"
+          BRANCH="${BRANCH//+(-)/-}"
+          BRANCH="${BRANCH,,}" # Convert to lowercase
+          echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
+
+      - name: Setup terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: terraform init
+        run: terraform init
+
+      - name: terraform workspace
+        run: |
+          terraform workspace select -or-create=true ${{ steps.sanitize.outputs.branch }}
+
+      - name: Run terraform command
+        run: |
+          case ${{ inputs.command }} in
+          create)
+            terraform apply -auto-approve ;;
+          destroy)
+            terraform destroy -auto-approve ;;
+          reset)
+            terraform destroy -auto-approve
+            terraform apply -auto-approve
+          ;;
+          *)
+            echo "No such command ${{ inputs.command }}"
+            exit 1
+          ;;
+          esac
+
+      - name: Upload Artifacts
+        if: inputs.command == 'create' || inputs.command == 'reset'
+        uses: actions/upload-artifact@v4
+        with:
+          name: configs
+          path: |
+            terraform/kubeconfig
+            terraform/talosconfig
+
+      - name: Set latest commit status as ${{ job.status }}
+        uses: myrotvorets/set-commit-status-action@master
+        if: inputs.sha && always()
+        with:
+          sha: ${{ inputs.sha }}
+          token: ${{ secrets.PAT }}
+          status: ${{ job.status }}
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,7 @@
+.tfstate*
+.terraform/
+**lock.hcl
+**.pyc
+.direnv
+kubeconfig
+talosconfig
diff --git a/Justfile b/Justfile
@@ -0,0 +1,4 @@
+download:
+  rm -f kubeconfig talosconfig
+  gh run download -n configs
+  nix-direnv-reload
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -0,0 +1,47 @@
+{
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+  inputs.systems.url = "github:nix-systems/default";
+  inputs.flake-utils = {
+    url = "github:numtide/flake-utils";
+    inputs.systems.follows = "systems";
+  };
+
+  outputs =
+    { nixpkgs, flake-utils, ... }:
+    flake-utils.lib.eachDefaultSystem (
+      system:
+      let
+        pkgs = import nixpkgs {
+          system = "${system}";
+          config.allowUnfree = true;
+        };
+      in
+      {
+        formatter = pkgs.nixfmt-rfc-style;
+        devShells.default = pkgs.mkShell {
+          name = "spectrum";
+
+          packages = [
+            pkgs.bashInteractive
+            pkgs.nixfmt-rfc-style
+            pkgs.just
+	    pkgs.gh
+
+            pkgs.talosctl
+            pkgs.kubectl
+            pkgs.kubernetes-helm
+            pkgs.kubevirt
+            pkgs.cilium-cli
+            pkgs.flux
+            pkgs.terraform
+          ];
+
+          shellHook = ''
+          [[ -f $FLUENCE_SECRETS ]] && source $FLUENCE_SECRETS
+          [[ -f ./kubeconfig ]] && export KUBECONFIG=$(realpath ./kubeconfig)
+          [[ -f ./talosconfig ]] && export TALOSCONFIG=$(realpath ./talosconfig)
+          '';
+        };
+      }
+    );
+}
diff --git a/flux/dev/ingress-nginx/helm-release.yml b/flux/dev/ingress-nginx/helm-release.yml
@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ingress-nginx
+  namespace: ingress-nginx
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: ingress-nginx
+      version: "4.11.3"
+      sourceRef:
+        kind: HelmRepository
+        name: ingress-nginx
+        namespace: ingress-nginx
+      interval: 12h
+  values:
+    controller:
+      kind: DaemonSet
+      service:
+        type: LoadBalancer
+        nodePorts:
+          http: 30100
+          https: 30101
+        externalTrafficPolicy: Local
diff --git a/flux/dev/ingress-nginx/helm-repository.yml b/flux/dev/ingress-nginx/helm-repository.yml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: ingress-nginx
+  namespace: ingress-nginx
+spec:
+  interval: 24h
+  url: https://kubernetes.github.io/ingress-nginx