A "quickstart" tutorial environment powered by Terraform & Tencent Cloud which helps you build & learn a CI/CD pipeline quickly.
😄 This project is in progress; we would appreciate your precious ideas & suggestions to make it better.
You may incur some charges by setting up this pipeline, proceed with caution should you have any concerns. 🙏
If any content in this project infringes upon your rights or intellectual property, please notify us immediately. We are committed to respecting all legal rights and will promptly remove any infringing material upon verification. Please contact us with the relevant details, and we will address the issue as soon as possible.
Ingress HTTPS powered by cert-manager, Let's Encrypt & Cloudflare and sealed-secrets.
- Currently only Harbor supports HTTPS.
- Let's Encrypt allows at most 5 certificates to be issued per exact same set of hostnames every 7 days. See more in Limit. So please don't tear down & re-create your pipeline frequently, or switch to Harbor HTTP, which is the default.
- Currently we do not support terraform{}.cloud for HCP Terraform & Terraform Enterprise.
Host:
- Windows11 v23H2
- WSL2 Ubuntu-22.04
- Docker Desktop v4.28.0
Note: some of these are not necessary but you would need them anyway while you are going through the entire workflow.
Export env for Tencent Cloud access credentials.
It's recommended to add them into your shell configuration file, for example ~/.zshrc.
```bash
export TF_VAR_secret_id="..."
export TF_VAR_secret_key="..."
```

Create a file named terraform.tfvars locally to store your sensitive data.

```bash
cd iac
touch terraform.tfvars
```

```hcl
# terraform.tfvars

# cloudflare
# free domain in https://register.us.kg/
domain = "..."
# https://dash.cloudflare.com/
# https://developers.cloudflare.com/fundamentals/api/get-started/create-token/
# Permission: Zone/Zone/Read, Zone/DNS/Edit
# Zone Resources: Include/All zones
cloudflare_api_token = "..."

# github
github_username = "..."
# https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens
github_pat = "..."
```

Note: feel free to customize any variables in variables.tf and/or files under the module/ directory to build your own Terraform project.
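A pre-flight check for the terraform.tfvars file described above, as an added example that is not part of this project: it reports keys that are missing or still set to the "..." placeholder, group- or world-readable permissions, and a file that git does not ignore. The function name check_tfvars and the expectation of mode 600 are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for iac/terraform.tfvars.
# check_tfvars is a hypothetical helper, not part of the project.

# Keys the terraform.tfvars template expects to be filled in.
REQUIRED_KEYS="domain cloudflare_api_token github_username github_pat"

# Print one finding per line for the given file; return 1 if any were found.
check_tfvars() {
  file="$1"
  findings=0
  if [ ! -f "$file" ]; then
    echo "missing: $file"
    return 1
  fi
  # The file holds API tokens, so group and others should have no access.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    *00) ;;
    *) echo "permissions: $file is mode $mode, remove group/other access (chmod 600)"
       findings=1 ;;
  esac
  for key in $REQUIRED_KEYS; do
    # Value between the first pair of double quotes on the key's line.
    value=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1)
    if [ -z "$value" ] || [ "$value" = "..." ]; then
      echo "unset: $key"
      findings=1
    fi
  done
  # Inside a git work tree the file must be ignored so it is never committed.
  dir=$(dirname "$file")
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
     ! git -C "$dir" check-ignore -q "$(basename "$file")"; then
    echo "git: $file is not ignored"
    findings=1
  fi
  return "$findings"
}
```

Source the script and run `check_tfvars iac/terraform.tfvars` before `terraform apply`; a non-zero return means at least one finding was printed.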
To enable Harbor HTTPS, modify helm_harbor.tf, then un-comment helm_cert_manager.tf & helm_sealed_secret.tf.

```hcl
resource "helm_release" "harbor" {
  name             = "harbor"
  repository       = "https://helm.goharbor.io"
  chart            = "harbor"
  namespace        = "harbor"
  version          = "v1.16.0"
  create_namespace = true

  # render the HTTPS values template instead of the default HTTP one
  values = [
    templatefile(
      "./helm_harbor/https-values.yaml.tpl",
      {
        prefix     = var.prefix
        domain     = var.domain
        harbor_pwd = var.harbor_pwd
      }
    )
  ]

  depends_on = [helm_release.ingress-nginx]
}
```

```bash
# need approval
terraform apply
# or auto
terraform apply --auto-approve
```

```bash
# export env in a single terminal
export KUBECONFIG=./config.yaml
# list namespaces
kubectl get ns
```

```bash
# get urls
terraform output
```

```bash
# remove the Helm releases and the k3s module from state, then destroy the rest
terraform state rm helm_release.cert-manager
terraform state rm helm_release.harbor
terraform state rm helm_release.ingress-nginx
terraform state rm helm_release.sealed-secrets
terraform state rm helm_release.jenkins
terraform state rm helm_release.sonarqube
terraform state rm helm_release.argo-cd
terraform state rm "module.k3s"
terraform destroy --auto-approve
```

Tutorial 👈🤓
Why not merge all helm_*.tf & helm_*/ into a single file & directory?
Simply to modularize them and make them easy to manage rather than stuffing everything into a single room. If you don't need one of the modules, simply comment out all lines in its helm_*.tf file.
Why not use a one-line helm command instead of helm_release?
To be honest, the helm command is much simpler than helm_release; we could even put everything into an init script & run it during the cloud VM boot-up phase. However, we'd like to stick to the "IaC" mindset, where each resource is managed as a single unit. Anyway, it varies from person to person, no matter which practice.
Geekbang DevOps Camp - lyzhang1999

