From 2a8417d4ae79d6a703711557d2821c34c6a327d6 Mon Sep 17 00:00:00 2001
From: sundowndev
Date: Mon, 11 Oct 2021 14:46:37 +0200
Subject: [PATCH 1/2] docs: kubernetes scheduling

---
 docs/ci_cd/guides/kubernetes.mdx | 220 +++++++++++++++++++++++++++++++
 sidebars.js | 3 +-
 2 files changed, 222 insertions(+), 1 deletion(-)
 create mode 100644 docs/ci_cd/guides/kubernetes.mdx

diff --git a/docs/ci_cd/guides/kubernetes.mdx b/docs/ci_cd/guides/kubernetes.mdx
new file mode 100644
index 0000000000..b926624856
--- /dev/null
+++ b/docs/ci_cd/guides/kubernetes.mdx
@@ -0,0 +1,220 @@ +--- +id: kubernetes +title: Kubernetes +--- + +As demonstrated with continuous integration systems, driftctl can be scheduled to be run on a regular basis. Kubernetes also has a dedicated resource for this called [`CronJob`](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/). In this example, we will perform a scan against a AWS account. + +## Basic example + +### Prerequisites + +- Kubernetes 1.20+ + +If you use Kubernetes below v1.20, you can still use the CronJob resource definition but should tweak the specs according to the documentation since this feature became stable as of v1.20. Check the [Kubernetes website](https://kubernetes.io/docs/home/) for more information. + +### Create a dedicated namespace + +You may want to create driftctl-related resources under a dedicated namespace. Here we will simply name our namespace `driftctl`. + +```shell +$ kubectl apply -f - <" + AWS_SECRET_ACCESS_KEY: "" + type: Opaque +EOF +``` + +You may want to use a driftignore file to ignore some resources. 
We can mount a .driftignore file using a config map : + +```shell +$ kubectl apply -f - <" + - name: DCTL_FROM + value: "tfstate+s3:///terraform.tfstate" + - name: DCTL_TO + value: "aws+tf" + - name: DCTL_TF_PROVIDER_VERSION + value: "3.62.0" + - name: DCTL_DRIFTIGNORE + value: "/app/.driftignore" + - name: DCTL_OUTPUT + value: "console:///dev/stdout" + restartPolicy: Never + volumes: + - name: driftctl-files + configMap: + name: driftctl-cron-files-cm + items: + - key: ".driftignore" + path: ".driftignore" +EOF +``` + +### Full example + +Here's what we obtain if we gather all definitions together in a single file : + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: driftctl +--- +apiVersion: v1 +kind: Secret +metadata: + name: driftctl-cron-secret + namespace: driftctl +data: + AWS_ACCESS_KEY_ID: "" + AWS_SECRET_ACCESS_KEY: "" +type: Opaque +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: driftctl-cron-files-cm + namespace: driftctl +data: + .driftignore: | + * + !aws_s3_bucket.* +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: driftctl-cron + namespace: driftctl +spec: + schedule: "0 */1 * * *" + concurrencyPolicy: Replace + failedJobsHistoryLimit: 3 + successfulJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + spec: + containers: + - name: driftctl + image: cloudskiff/driftctl:v0.15.0 + imagePullPolicy: IfNotPresent + command: + - driftctl + - scan + volumeMounts: + - mountPath: /app + name: driftctl-files + envFrom: + - secretRef: + name: driftctl-cron-secret + env: + - name: LOG_LEVEL + value: DEBUG + - name: AWS_REGION + value: us-east-1 + - name: AWS_ROLE_ARN + value: "" + - name: DCTL_FROM + value: "tfstate+s3:///terraform.tfstate" + - name: DCTL_TO + value: "aws+tf" + - name: DCTL_TF_PROVIDER_VERSION + value: "3.62.0" + - name: DCTL_DRIFTIGNORE + value: "/app/.driftignore" + - name: DCTL_OUTPUT + value: "console:///dev/stdout" + restartPolicy: Never + volumes: + - name: driftctl-files + configMap: + name: 
driftctl-cron-files-cm + items: + - key: ".driftignore" + path: ".driftignore" +``` + +Put this in a new YAML file and apply it using kubectl : + +```shell +cat driftctl.yaml | kubectl apply -f - +``` + +## Generating HTML reports + +When a scan succeed, you may want to store the report somewhere permanently for human reading. In this example we will create an HTML report out of a driftctl scan and upload it to a remote S3 bucket using the AWS CLI. + +... \ No newline at end of file diff --git a/sidebars.js b/sidebars.js index b61a26b19f..d81d07c09e 100644 --- a/sidebars.js +++ b/sidebars.js @@ -47,7 +47,8 @@ module.exports = { "ci_cd/guides/circleci", "ci_cd/guides/ghaction", "ci_cd/guides/gitlabci", - "ci_cd/guides/jenkins" + "ci_cd/guides/jenkins", + "ci_cd/guides/kubernetes" ] } ], From e947c559679e909b6655d24a8581ec61c7342e5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl?= Date: Thu, 14 Oct 2021 12:17:59 +0200 Subject: [PATCH 2/2] docs: kubernetes --- docs/ci_cd/guides/kubernetes.mdx | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/docs/ci_cd/guides/kubernetes.mdx b/docs/ci_cd/guides/kubernetes.mdx index b926624856..afec7c76a0 100644 --- a/docs/ci_cd/guides/kubernetes.mdx +++ b/docs/ci_cd/guides/kubernetes.mdx 
@@ -28,7 +28,15 @@ EOF ### Secrets and config maps -The simpliest way to handle cloud credentials is to store them base64 encoded in a Secret. +The simpliest way to handle cloud credentials is to store them into a Secret. In order to do that you must encode the values in base64. You can that from the command line like so : + +```shell +# Flag -n ensures no trailing newline is added to the output +$ echo -n "" | base64 +PHZhbHVlPg== +``` + +Then create your secret : ```shell $ kubectl apply -f - <" AWS_SECRET_ACCESS_KEY: "" + AWS_ROLE_ARN: "" type: Opaque EOF ``` -You may want to use a driftignore file to ignore some resources. We can mount a .driftignore file using a config map : +You may also want to use a driftignore file to ignore some resources. We can mount a .driftignore file using a config map : ```shell $ kubectl apply -f - <" - name: DCTL_FROM value: "tfstate+s3:///terraform.tfstate" - name: DCTL_TO @@ -141,6 +148,7 @@ metadata: data: AWS_ACCESS_KEY_ID: "" AWS_SECRET_ACCESS_KEY: "" + AWS_ROLE_ARN: "" type: Opaque --- apiVersion: v1 @@ -181,12 +189,8 @@ spec: - secretRef: name: driftctl-cron-secret env: - - name: LOG_LEVEL - value: DEBUG - name: AWS_REGION value: us-east-1 - - name: AWS_ROLE_ARN - value: "" - name: DCTL_FROM value: "tfstate+s3:///terraform.tfstate" - name: DCTL_TO 
@@ -213,8 +217,11 @@ Put this in a new YAML file and apply it using kubectl :
 cat driftctl.yaml | kubectl apply -f -
 ```
 
-## Generating HTML reports
+A job will then be triggered once per hour.
+
+## What's next ?
 
-When a scan succeed, you may want to store the report somewhere permanently for human reading. In this example we will create an HTML report out of a driftctl scan and upload it to a remote S3 bucket using the AWS CLI.
+Here's what you can do next to improve your worklow :
 
-...
\ No newline at end of file
+- Add a container that will upload the scan result somewhere for later human reading
+- Run an homemade application that will take the scan result and alert you when your infrastructure is not in sync