Additional fixes
danmanners committed Dec 2, 2023
1 parent 6559bcd commit 28f05a7
Showing 4 changed files with 44 additions and 29 deletions.
29 changes: 19 additions & 10 deletions iac/cloud/pulumi/modules/bastion.ts
Expand Up @@ -80,26 +80,35 @@ export function createBastion(
{
Sid: "VisualEditor0",
Effect: "Allow",
Action: "ecr:GetAuthorizationToken",
Resource: "*",
},
{
Sid: "VisualEditor1",
Effect: "Allow",
Action: [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"ecr:ListImages",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
],
Resource: [
"arn:aws:kms:us-east-1:977656673179:key/7e829b85-6fed-4598-b675-8ebeea105c4c",
"arn:aws:ecr:us-east-1:977656673179:repository/homelab-provisioning",
],
},
{
Sid: "VisualEditor1",
Sid: "VisualEditor2",
Effect: "Allow",
Action: "ecr:GetAuthorizationToken",
Resource: "*",
Action: [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey",
],
Resource: [
"arn:aws:kms:us-east-1:977656673179:key/7e829b85-6fed-4598-b675-8ebeea105c4c",
],
},
],
}),
Expand Down Expand Up @@ -166,7 +175,7 @@ export function createBastion(
// Instance Metadata
metadataOptions: {
httpPutResponseHopLimit: 4,
httpEndpoint: "enabled",
httpEndpoint: "enabled",
},

// Tags
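Review bot: The new `VisualEditor2` statement grants `kms:Encrypt`, `kms:ReEncrypt*`, `kms:GenerateDataKey` and `kms:GenerateDataKeyWithoutPlaintext` on the SOPS key, while the only use of that key visible in this commit is `sops -d` in bootstrapping.sh, which needs `kms:Decrypt` and at most `kms:DescribeKey`; unless something else on the bastion encrypts with this key, trim it to `Action: ["kms:Decrypt", "kms:DescribeKey"]`. The account ID and key ID are inlined as literals in both `Resource` lists, so a copied stack silently keeps pointing at this account; sourcing them from stack config or `aws.getCallerIdentity` avoids that. In the second hunk `httpPutResponseHopLimit: 4` lets the IMDSv2 token cross several hops, which the containerised bootstrapper presumably needs, but it only stays safe if `httpTokens: "required"` is also set (not visible here) — worth a comment such as `// hop limit > 1 so the bootstrapping container can reach IMDS; keep httpTokens: "required"`. `createBastion` begins before and ends after both hunks.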
2 changes: 2 additions & 0 deletions iac/cloud/talos/talconfig.yaml
Expand Up @@ -66,6 +66,7 @@ nodes:
gateway: 10.4.0.1

controlPlane:
schematic: {}
patches:
- |-
cluster:
Expand Down Expand Up @@ -109,6 +110,7 @@ controlPlane:
- 169.254.169.123
worker:
schematic: {}
patches:
- |-
cluster:
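Review bot: The `schematic: {}` added under both `controlPlane` and `worker` carries no explanation, and an empty mapping reads like a placeholder. If I read talhelper's schema correctly this key feeds the Image Factory schematic, so an empty one means a stock Talos image with no system extensions or extra kernel args; a one-line comment such as `# intentionally empty: stock Talos image, no system extensions` on each would make that deliberate. Both `patches` lists continue outside the hunks.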
4 changes: 2 additions & 2 deletions iac/cloud/talos_bootstrapping/Dockerfile
Expand Up @@ -3,7 +3,7 @@
# Set Args
ARG ALPINE_VERSION=3.18
ARG TALOS_VERSION=v1.5.5
ARG TALHELPER_VERSION=v1.15.0
ARG TALHELPER_VERSION=v1.16.1
ARG SOPS_VERSION=v3.8.1
ARG KUBECTL_VERSION=v1.28.4
ARG KUSTOMIZE_VERSION=v5.2.1
Expand All @@ -28,7 +28,7 @@ RUN apk add --no-cache wget tar upx && \
wget -qO /opt/init/talosctl https://github.com/siderolabs/talos/releases/download/${TALOS_VERSION}/talosctl-linux-${ARCH} && \
chmod +x /opt/init/talosctl && \
# Download the talhelper binary and make it executable
echo "Installing talhelper version ${TALOS_VERSION}" && \
echo "Installing talhelper version ${TALHELPER_VERSION}" && \
wget -qO- https://github.com/budimanjojo/talhelper/releases/download/${TALHELPER_VERSION}/talhelper_linux_${ARCH}.tar.gz | \
tar -xz -C /opt/init talhelper && \
# Download the sops binary and make it executable
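Review bot: The talhelper tarball on the `wget -qO- … | tar -xz` line (and talosctl a few lines above) is extracted straight from the network with no integrity check, so a substituted release asset would land in `/opt/init` unnoticed — bumping to `v1.16.1` pins a tag, not content. Download to a file and verify it against a digest held in an `ARG` (value taken from the release's checksum file, if one is published) before extracting: `wget -qO /tmp/talhelper.tar.gz https://github.com/budimanjojo/talhelper/releases/download/${TALHELPER_VERSION}/talhelper_linux_${ARCH}.tar.gz && \`, `echo "${TALHELPER_SHA256}  /tmp/talhelper.tar.gz" | sha256sum -c - && \`, `tar -xz -C /opt/init -f /tmp/talhelper.tar.gz talhelper && \`, and do the same for sops, kubectl and kustomize. The echo-message fix from `TALOS_VERSION` to `TALHELPER_VERSION` is correct. The enclosing `RUN` starts before and ends after the hunk.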
38 changes: 21 additions & 17 deletions iac/cloud/talos_bootstrapping/bootstrapping.sh
@@ -1,30 +1,34 @@
# Fetch the AWS Credentials Token
export TOKEN=$(curl -XPUT \
"http://169.254.169.254/latest/api/token" \
-H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# # Set the URL we'll hit twice
# export url="http://169.254.169.254/latest/meta-data/iam/security-credentials"

# Use the token to fetch the AWS Credentials
curl -vH "X-aws-ec2-metadata-token: $TOKEN" \
http://169.254.169.254/latest/meta-data/iam/security-credentials/sops-decrypt >/tmp/creds.json
# # Generate the Token
# export TOKEN=$(curl -sXPUT \
# "http://169.254.169.254/latest/api/token" \
# -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Configure our AWS Credentials
mkdir -p ~/.aws/
cat <<EOF >~/.aws/config
[default]
aws_access_key_id=$(cat /tmp/creds.json | jq -r '.AccessKeyId')
aws_secret_access_key=$(cat /tmp/creds.json | jq -r '.SecretAccessKey')
region=us-east-1
EOF
# # Generate our AWS Credentials
# curl -sH "X-aws-ec2-metadata-token: $TOKEN" ${url}/$(curl -s ${url}) >/tmp/creds.json

# # Configure our AWS Credentials
# mkdir -p ~/.aws/
# cat <<EOF >~/.aws/credentials
# [default]
# aws_access_key_id=$(cat /tmp/creds.json | jq -r '.AccessKeyId')
# aws_secret_access_key=$(cat /tmp/creds.json | jq -r '.SecretAccessKey')
# region=us-east-1
# EOF

# Clone the homelab repo
git clone \
--depth 1 \
--branch feature/restructure \
https://github.com/danmanners/homelab-kube-cluster.git \
/tmp/homelab-kube-cluster

# Change to the repo directory and Build the Talos Configs
cd /tmp/homelab-kube-cluster/cloud/talos &&
talhelper genconfig
cd /tmp/homelab-kube-cluster/iac/cloud/talos
sops -d -i talsecret.sops.yaml
talhelper genconfig

# Check if the cluster has already been deployed
if $(talosctl --talosconfig clusterconfig/talosconfig kubeconfig /tmp/kubeconfig); then
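Review bot: The credentials block written to `~/.aws/config` omits the session token: the instance-role credentials returned by `…/iam/security-credentials/sops-decrypt` are temporary and only valid together with the `Token` field of that JSON, so `sops -d` will be refused with the key id and secret alone — add `aws_session_token=$(jq -r '.Token' /tmp/creds.json)`. `curl -v` on the fetch prints the request headers, including the IMDS token, into the bootstrap log, and `/tmp/creds.json` is left behind with default permissions after the script finishes; drop `-v`, create the files under `umask 077`, and remove the JSON once it has been read. AWS SDKs look for keys in `~/.aws/credentials` rather than `~/.aws/config` (the commented-out version used that path), so I would keep the keys there and leave only `region` in `config`. The `cd` before `sops -d -i` and `talhelper genconfig` is unchecked, so a failed clone runs the decrypt in whatever directory the script started in; `set -euo pipefail` at the top (outside this hunk) would catch that. The `if` at the end of the hunk continues outside it.
```shell
# Use the token to fetch the AWS Credentials (temporary: key id, secret AND session token)
curl -sH "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/iam/security-credentials/sops-decrypt >/tmp/creds.json

# Configure our AWS Credentials; umask 077 keeps the directory and files owner-only
(
  umask 077
  mkdir -p ~/.aws/
  cat <<EOF >~/.aws/credentials
[default]
aws_access_key_id=$(jq -r '.AccessKeyId' /tmp/creds.json)
aws_secret_access_key=$(jq -r '.SecretAccessKey' /tmp/creds.json)
aws_session_token=$(jq -r '.Token' /tmp/creds.json)
EOF
  cat <<EOF >~/.aws/config
[default]
region=us-east-1
EOF
)
rm -f /tmp/creds.json

# … unchanged: git clone, cd, sops -d, talhelper genconfig …
```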
