Update main.tf #18

Merged
merged 1 commit into from
Sep 25, 2024

g1raffi (Contributor) commented Sep 25, 2024

No description provided.

Terraform Format and Style 🖌 success

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.

Terraform Plan 📖 success

module.training-cluster.random_password.student-passwords[2]: Refreshing state... [id=none]
module.training-cluster.random_password.student-passwords[7]: Refreshing state... [id=none]
module.training-cluster.random_password.rke2_cluster_secret: Refreshing state... [id=none]
module.training-cluster.random_password.argocd-admin-password: Refreshing state... [id=none]
module.training-cluster.random_password.student-passwords[9]: Refreshing state... [id=none]
module.training-cluster.random_password.student-passwords[0]: Refreshing state... [id=none]
module.training-cluster.random_password.student-passwords[6]: Refreshing state... [id=none]
module.training-cluster.random_password.student-passwords[10]: Refreshing state... [id=none]
module.training-cluster.random_password.student-passwords[14]: Refreshing state... [id=none]
module.training-cluster.random_password.student-passwords[13]: Refreshing state... [id=none]
module.training-cluster.random_password.student-passwords[11]: Refreshing state... [id=none]
module.training-cluster.random_password.student-passwords[8]: Refreshing state... [id=none]
module.training-cluster.random_password.student-passwords[5]: Refreshing state... [id=none]
module.training-cluster.random_password.student-passwords[4]: Refreshing state... [id=none]
module.training-cluster.random_password.student-passwords[3]: Refreshing state... [id=none]
module.training-cluster.hcloud_placement_group.controlplane: Refreshing state... [id=367506]
module.training-cluster.random_password.student-passwords[1]: Refreshing state... [id=none]
module.training-cluster.hcloud_network.network: Refreshing state... [id=4461562]
module.training-cluster.random_password.student-passwords[12]: Refreshing state... [id=none]
module.training-cluster.hcloud_load_balancer.lb: Refreshing state... [id=1961409]
module.training-cluster.tls_private_key.terraform: Refreshing state... [id=7ef141b5b659f9f934c609830a849647d49e0518]
module.training-cluster.hcloud_ssh_key.terraform: Refreshing state... [id=22226408]
module.training-cluster.hcloud_network_subnet.subnet: Refreshing state... [id=4461562-10.0.0.0/24]
module.training-cluster.hcloud_load_balancer_network.lb: Refreshing state... [id=1961409-4461562]
module.training-cluster.hcloud_load_balancer_service.api: Refreshing state... [id=1961409__6443]
module.training-cluster.hcloud_load_balancer_service.rke2: Refreshing state... [id=1961409__9345]
module.training-cluster.module.api-aaaa-record.restapi_object.aaaa-record[0]: Refreshing state... [id=3183609]
module.training-cluster.module.api-a-record.restapi_object.a-record[0]: Refreshing state... [id=3183610]
module.training-cluster.hcloud_server.worker[2]: Refreshing state... [id=50826089]
module.training-cluster.hcloud_load_balancer_target.controlplane: Refreshing state... [id=lb-label-selector-tgt-28ad2ff0dac499e2dc5a0d327c5a84fa206b6f31e5813b70c1978ece66225a11-1961409]
module.training-cluster.hcloud_server.worker[1]: Refreshing state... [id=50826088]
module.training-cluster.hcloud_server.worker[0]: Refreshing state... [id=50826090]
module.training-cluster.hcloud_server_network.worker[1]: Refreshing state... [id=50826088-4461562]
module.training-cluster.hcloud_server_network.worker[2]: Refreshing state... [id=50826089-4461562]
module.training-cluster.hcloud_server_network.worker[0]: Refreshing state... [id=50826090-4461562]
module.training-cluster.hcloud_server.controlplane[2]: Refreshing state... [id=50826093]
module.training-cluster.hcloud_server.controlplane[0]: Refreshing state... [id=50826094]
module.training-cluster.hcloud_server.controlplane[1]: Refreshing state... [id=50826092]
module.training-cluster.hcloud_server_network.controlplane[0]: Refreshing state... [id=50826094-4461562]
module.training-cluster.hcloud_server_network.controlplane[1]: Refreshing state... [id=50826092-4461562]
module.training-cluster.hcloud_server_network.controlplane[2]: Refreshing state... [id=50826093-4461562]
module.training-cluster.hcloud_firewall.firewall: Refreshing state... [id=1516800]
module.training-cluster.null_resource.wait_for_k8s_api: Refreshing state... [id=3852136770949360995]
module.training-cluster.ssh_resource.getkubeconfig: Refreshing state... [id=4061873619372015873]
module.training-cluster.null_resource.cleanup-node-before-destroy[2]: Refreshing state... [id=310791739432520100]
module.training-cluster.kubernetes_secret.secretstore-secret: Refreshing state... [id=external-secrets/credentials-training.cluster.acend.ch]
module.training-cluster.null_resource.cleanup-node-before-destroy[1]: Refreshing state... [id=7882756700842965043]
module.training-cluster.null_resource.cleanup-node-before-destroy[0]: Refreshing state... [id=6241904446467040702]
module.training-cluster.kubernetes_namespace.argocd: Refreshing state... [id=argocd]
module.training-cluster.helm_release.argocd: Refreshing state... [id=argocd]
module.training-cluster.time_sleep.wait_for_argocd-cleanup: Refreshing state... [id=2024-07-24T11:36:18Z]
module.training-cluster.helm_release.appset-trainee-env[0]: Refreshing state... [id=trainee-env]
module.training-cluster.helm_release.appset-trainee-webshell[0]: Refreshing state... [id=trainee-webshell]
module.training-cluster.null_resource.cleanup-before-destroy: Refreshing state... [id=7255524688986308852]
module.training-cluster.kubernetes_manifest.external-secrets-secretstore["cert-manager"]: Refreshing state...
module.training-cluster.kubernetes_manifest.external-secrets-secretstore["kube-system"]: Refreshing state...
module.training-cluster.kubernetes_secret.argocd-cluster: Refreshing state... [id=argocd/training]
module.training-cluster.time_sleep.wait_for_bootstrap: Refreshing state... [id=2024-07-24T11:36:48Z]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # module.training-cluster.helm_release.appset-trainee-env[0] will be updated in-place
  ~ resource "helm_release" "appset-trainee-env" {
        id                         = "trainee-env"
      ~ metadata                   = [
          - {
              - app_version    = ""
              - chart          = "argocd-apps"
              - first_deployed = 1724575594
              - last_deployed  = 1727250708
              - name           = "trainee-env"
              - namespace      = "argocd"
              - notes          = ""
              - revision       = 9
              - values         = jsonencode(
                    {
                      - applicationsets = {
                          - trainee-env = {
                              - generators = [
                                  - {
                                      - list = {
                                          - elements = [
                                              - {
                                                  - cluster_admin   = "true"
                                                  - password        = "wV8LI6kqrE0sLFpc"
                                                  - password_bcrypt = "$2a$10$KblIxi0pIDxTtTDJuDuw9ecWGWVdfCUL/GGoBPyfPcNOKpZrk1h3i"
                                                  - traineename     = "user1"
                                                },
                                              - {
                                                  - cluster_admin   = "true"
                                                  - password        = "s1WaFkX-qqslK2mg"
                                                  - password_bcrypt = "$2a$10$kyE/VY11x0VFbJK9poat3u1R6rAvm5h4Zy3Uz3wWEOLGlt.8wuF7m"
                                                  - traineename     = "user2"
                                                },
                                              - {
                                                  - cluster_admin   = "true"
                                                  - password        = "2a0iJ_gt14v62lw1"
                                                  - password_bcrypt = "$2a$10$7FE8sH90fuEo2iQyfRQvA.lzcFnaXVtW01k9HRhqFXT2h7uw8O7cq"
                                                  - traineename     = "user3"
                                                },
                                              - {
                                                  - cluster_admin   = "false"
                                                  - password        = "lfhc4IkHSFi2ZIBx"
                                                  - password_bcrypt = "$2a$10$ysrRPl3ZRadNEn0eLilP0.wTjwUa0bvAppGbli9saqSMxO4tGgNpS"
                                                  - traineename     = "user4"
                                                },
                                              - {
                                                  - cluster_admin   = "false"
                                                  - password        = "ytz0L5iBz50DB4GP"
                                                  - password_bcrypt = "$2a$10$6Gma9jF6q9B6YTUg/yoRZOYfJIyacFG4RZFtRDy5SV.pcXIy6Z1EG"
                                                  - traineename     = "user5"
                                                },
                                              - {
                                                  - cluster_admin   = "false"
                                                  - password        = "YdWs7mXBoQhi-nf0"
                                                  - password_bcrypt = "$2a$10$pdPt0Uqq96JvpAesEykLm.6Jr9GUR/.SVzZcpQbvYTvsny..8uHpy"
                                                  - traineename     = "user6"
                                                },
                                              - {
                                                  - cluster_admin   = "false"
                                                  - password        = "5t.GtJkTZpZOtHkh"
                                                  - password_bcrypt = "$2a$10$3MTPK4FdD2cOLD/ZaPFoXu8LWU5IFbae9bM9Wav4lZHATz65CJgRu"
                                                  - traineename     = "user7"
                                                },
                                              - {
                                                  - cluster_admin   = "false"
                                                  - password        = "sEh26KGV0WXQg_qE"
                                                  - password_bcrypt = "$2a$10$YTx2xWxqvQEOq7tnVKOBcebldrAXxUiiwPmGU9useRAehENwNBuGG"
                                                  - traineename     = "user8"
                                                },
                                              - {
                                                  - cluster_admin   = "false"
                                                  - password        = "aDP6LUNoeAqxv5Dq"
                                                  - password_bcrypt = "$2a$10$Ycv1LAQmpUik/GDFur6DS.5m3wsE0PxMkBeAfmbiLVFbPm1YBbr4S"
                                                  - traineename     = "user9"
                                                },
                                              - {
                                                  - cluster_admin   = "false"
                                                  - password        = "vsZoOzkhgCTMG22H"
                                                  - password_bcrypt = "$2a$10$AekFl7rZmyeSkUvGSof6YOggpEqL2IsQwiFLlLDEMnVvrVcmetqBC"
                                                  - traineename     = "user10"
                                                },
                                              - {
                                                  - cluster_admin   = "false"
                                                  - password        = "a06VU3xyRwT_jgiR"
                                                  - password_bcrypt = "$2a$10$A1Sa8dQlIe51JMEzGFXGv.yBwaabpgPPC0OvoBFhMuMkGxo0qZc9e"
                                                  - traineename     = "user11"
                                                },
                                              - {
                                                  - cluster_admin   = "false"
                                                  - password        = "epGyP8tN1KAnV2Ka"
                                                  - password_bcrypt = "$2a$10$H/6IakT6mBtW8raimQMRwuqyyHmU3UiPDadOXbeG68VbRhB876wAm"
                                                  - traineename     = "user12"
                                                },
                                              - {
                                                  - cluster_admin   = "false"
                                                  - password        = "CXYO0B9gBHcVac1E"
                                                  - password_bcrypt = "$2a$10$QRXmid4QW3yFe5mPjgby9.SgcabHt.PdQw/k/Ep24vLTdOri1cuU2"
                                                  - traineename     = "user13"
                                                },
                                              - {
                                                  - cluster_admin   = "false"
                                                  - password        = "AA6FHy8n3DaEt85K"
                                                  - password_bcrypt = "$2a$10$x08pouUGI7r3M56uE2hg/eyYRiyBpNiF1hS2m8Wac9xRTnxLJhzna"
                                                  - traineename     = "user14"
                                                },
                                              - {
                                                  - cluster_admin   = "false"
                                                  - password        = ".163ogbMMVJX5CSS"
                                                  - password_bcrypt = "$2a$10$Wsabx2R/8xj7UCs4NqqJaOW0yxhdLkzngZDx/X9uHKuFKd1SChjtO"
                                                  - traineename     = "user15"
                                                },
                                            ]
                                        }
                                    },
                                ]
                              - namespace  = "argocd"
                              - template   = {
                                  - metadata = {
                                      - name = "{{traineename}}-env"
                                    }
                                  - spec     = {
                                      - destination = {
                                          - server = "https://kubernetes.default.svc"
                                        }
                                      - project     = "trainee-environment"
                                      - source      = {
                                          - helm           = {
                                              - releaseName = "{{traineename}}-env"
                                              - values      = <<-EOT
                                                    user: {{traineename}}
                                                    password: {{password}}
                                                    password_bcrypt: {{password_bcrypt}}
                                                    cluster_name: training
                                                    cluster_domain: cluster.acend.ch
                                                    cluster_admin: {{cluster_admin}}
                                                EOT
                                            }
                                          - path           = "charts/user-env"
                                          - repoURL        = "https://github.com/acend/terraform-k8s-cluster-lab"
                                          - targetRevision = "HEAD"
                                        }
                                      - syncPolicy  = {
                                          - automated = {
                                              - prune    = true
                                              - selfHeal = true
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                )
              - version        = "2.0.1"
            },
        ] -> (known after apply)
        name                       = "trainee-env"
      ~ values                     = [
          - (sensitive value),
          + (sensitive value),
        ]
        # (26 unchanged attributes hidden)
    }

  # module.training-cluster.helm_release.appset-trainee-webshell[0] will be updated in-place
  ~ resource "helm_release" "appset-trainee-webshell" {
        id                         = "trainee-webshell"
      ~ metadata                   = [
          - {
              - app_version    = ""
              - chart          = "argocd-apps"
              - first_deployed = 1724575596
              - last_deployed  = 1727250708
              - name           = "trainee-webshell"
              - namespace      = "argocd"
              - notes          = ""
              - revision       = 9
              - values         = jsonencode(
                    {
                      - applicationsets = {
                          - trainee-webshell = {
                              - generators = [
                                  - {
                                      - list = {
                                          - elements = [
                                              - {
                                                  - password    = "$2a$10$KblIxi0pIDxTtTDJuDuw9ecWGWVdfCUL/GGoBPyfPcNOKpZrk1h3i"
                                                  - traineename = "user1"
                                                },
                                              - {
                                                  - password    = "$2a$10$kyE/VY11x0VFbJK9poat3u1R6rAvm5h4Zy3Uz3wWEOLGlt.8wuF7m"
                                                  - traineename = "user2"
                                                },
                                              - {
                                                  - password    = "$2a$10$7FE8sH90fuEo2iQyfRQvA.lzcFnaXVtW01k9HRhqFXT2h7uw8O7cq"
                                                  - traineename = "user3"
                                                },
                                              - {
                                                  - password    = "$2a$10$ysrRPl3ZRadNEn0eLilP0.wTjwUa0bvAppGbli9saqSMxO4tGgNpS"
                                                  - traineename = "user4"
                                                },
                                              - {
                                                  - password    = "$2a$10$6Gma9jF6q9B6YTUg/yoRZOYfJIyacFG4RZFtRDy5SV.pcXIy6Z1EG"
                                                  - traineename = "user5"
                                                },
                                              - {
                                                  - password    = "$2a$10$pdPt0Uqq96JvpAesEykLm.6Jr9GUR/.SVzZcpQbvYTvsny..8uHpy"
                                                  - traineename = "user6"
                                                },
                                              - {
                                                  - password    = "$2a$10$3MTPK4FdD2cOLD/ZaPFoXu8LWU5IFbae9bM9Wav4lZHATz65CJgRu"
                                                  - traineename = "user7"
                                                },
                                              - {
                                                  - password    = "$2a$10$YTx2xWxqvQEOq7tnVKOBcebldrAXxUiiwPmGU9useRAehENwNBuGG"
                                                  - traineename = "user8"
                                                },
                                              - {
                                                  - password    = "$2a$10$Ycv1LAQmpUik/GDFur6DS.5m3wsE0PxMkBeAfmbiLVFbPm1YBbr4S"
                                                  - traineename = "user9"
                                                },
                                              - {
                                                  - password    = "$2a$10$AekFl7rZmyeSkUvGSof6YOggpEqL2IsQwiFLlLDEMnVvrVcmetqBC"
                                                  - traineename = "user10"
                                                },
                                              - {
                                                  - password    = "$2a$10$A1Sa8dQlIe51JMEzGFXGv.yBwaabpgPPC0OvoBFhMuMkGxo0qZc9e"
                                                  - traineename = "user11"
                                                },
                                              - {
                                                  - password    = "$2a$10$H/6IakT6mBtW8raimQMRwuqyyHmU3UiPDadOXbeG68VbRhB876wAm"
                                                  - traineename = "user12"
                                                },
                                              - {
                                                  - password    = "$2a$10$QRXmid4QW3yFe5mPjgby9.SgcabHt.PdQw/k/Ep24vLTdOri1cuU2"
                                                  - traineename = "user13"
                                                },
                                              - {
                                                  - password    = "$2a$10$x08pouUGI7r3M56uE2hg/eyYRiyBpNiF1hS2m8Wac9xRTnxLJhzna"
                                                  - traineename = "user14"
                                                },
                                              - {
                                                  - password    = "$2a$10$Wsabx2R/8xj7UCs4NqqJaOW0yxhdLkzngZDx/X9uHKuFKd1SChjtO"
                                                  - traineename = "user15"
                                                },
                                            ]
                                        }
                                    },
                                ]
                              - namespace  = "argocd"
                              - template   = {
                                  - metadata = {
                                      - name = "{{traineename}}-webshell"
                                    }
                                  - spec     = {
                                      - destination = {
                                          - namespace = "{{traineename}}"
                                          - server    = "https://kubernetes.default.svc"
                                        }
                                      - project     = "trainee-environment"
                                      - source      = {
                                          - chart          = "webshell"
                                          - helm           = {
                                              - releaseName = "{{traineename}}-webshell"
                                              - values      = <<-EOT
                                                    user: {{traineename}}
                                                    password: {{password}}
                                                    cluster_k8s_api_host: api.training.cluster.acend.ch
                                                    ingress:
                                                      enabled: true
                                                      className: haproxy
                                                      annotations:
                                                        ingress.kubernetes.io/auth-realm: acend Webshell
                                                        ingress.kubernetes.io/auth-secret: webshell-basic-auth
                                                        ingress.kubernetes.io/auth-type: basic
                                                      hosts:
                                                      - host: {{traineename}}.training.cluster.acend.ch
                                                        paths:
                                                        - path: /
                                                          pathType: ImplementationSpecific
                                                      - host: {{traineename}}-webview.training.cluster.acend.ch
                                                        paths:
                                                        - path: /
                                                          pathType: ImplementationSpecific
                                                      tls:
                                                      - hosts:
                                                        - {{traineename}}.training.cluster.acend.ch
                                                        - {{traineename}}-webview.training.cluster.acend.ch
                                                        secretName: acend-wildcard
                                                    theia:
                                                      webview_url: {{traineename}}-webview.training.cluster.acend.ch
                                                      persistence:
                                                        enabled: true
                                                        storageclass: longhorn
                                                      resources: {"limits":null,"requests":{"cpu":"500m","memory":"1Gi"}}
                                                    dind:
                                                      persistence:
                                                        enabled: true
                                                        storageclass: longhorn
                                                        pvcsize: 10Gi
                                                      resources: {"limits":{"cpu":"2","memory":"1Gi"},"requests":{"cpu":"50m","memory":"100Mi"}}
                                                    podSecurityContext:
                                                      fsGroup: 1001
                                                    updateStrategy:
                                                      type: Recreate
                                                    rbac:
                                                      create: true   
                                                    init:
                                                      command:
                                                      - sh
                                                      - -c
                                                      - echo Welcome to the acend theia ide > /home/project/welcome
                                                EOT
                                            }
                                          - repoURL        = "https://acend.github.io/webshell-env/"
                                          - targetRevision = "0.5.12"
                                        }
                                      - syncPolicy  = {
                                          - automated = {
                                              - prune    = true
                                              - selfHeal = true
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                )
              - version        = "2.0.1"
            },
        ] -> (known after apply)
        name                       = "trainee-webshell"
      ~ values                     = [
          - (sensitive value),
          + (sensitive value),
        ]
        # (26 unchanged attributes hidden)
    }

  # module.training-cluster.helm_release.argocd will be updated in-place
  ~ resource "helm_release" "argocd" {
        id                         = "argocd"
      ~ metadata                   = [
          - {
              - app_version    = "v2.12.3"
              - chart          = "argo-cd"
              - first_deployed = 1721820908
              - last_deployed  = 1727250615
              - name           = "argocd"
              - namespace      = "argocd"
              - notes          = <<-EOT
                    In order to access the server UI you have the following options:
                    
                    1. kubectl port-forward service/argocd-server -n argocd 8080:443
                    
                        and then open the browser on http://localhost:8080 and accept the certificate
                    
                    2. enable ingress in the values file `server.ingress.enabled` and either
                          - Add the annotation for ssl passthrough: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough
                          - Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
                    
                    
                    After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running:
                    
                    kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
                    
                    (You should delete the initial secret afterwards as suggested by the Getting Started Guide: https://argo-cd.readthedocs.io/en/stable/getting_started/#4-login-using-the-cli)
                EOT
              - revision       = 22
              - values         = jsonencode(
                    {
                      - configs    = {
                          - cm     = {
                              - "accounts.user1"         = "apiKey, login"
                              - "accounts.user10"        = "apiKey, login"
                              - "accounts.user11"        = "apiKey, login"
                              - "accounts.user12"        = "apiKey, login"
                              - "accounts.user13"        = "apiKey, login"
                              - "accounts.user14"        = "apiKey, login"
                              - "accounts.user15"        = "apiKey, login"
                              - "accounts.user2"         = "apiKey, login"
                              - "accounts.user3"         = "apiKey, login"
                              - "accounts.user4"         = "apiKey, login"
                              - "accounts.user5"         = "apiKey, login"
                              - "accounts.user6"         = "apiKey, login"
                              - "accounts.user7"         = "apiKey, login"
                              - "accounts.user8"         = "apiKey, login"
                              - "accounts.user9"         = "apiKey, login"
                              - create                   = true
                              - "dex.config"             = <<-EOT
                                    connectors:
                                      - type: gitea
                                        id: gitea
                                        name: Gitea
                                        config:
                                          clientID: $gitea-oauthclient-argocd:client_id
                                          clientSecret: $gitea-oauthclient-argocd:client_secret
                                          redirectURI: https://argocd.training.cluster.acend.ch/api/dex/callback
                                          baseURL: https://gitea.training.cluster.acend.ch
                                          loadAllGroups: true
                                EOT
                              - "kustomize.buildOptions" = "--enable-helm"
                              - "resource.exclusions"    = <<-EOT
                                    - kinds:
                                      - "CiliumIdentity"
                                      - "ciliumidentities"
                                      - "CiliumEndpoint"
                                      - "ciliumendpoints"
                                      - "CiliumNode"
                                      - "ciliumnodes"
                                EOT
                            }
                          - params = {
                              - "application.namespaces" = "user*"
                              - "server.insecure"        = true
                            }
                          - rbac   = {
                              - "policy.csv" = <<-EOT
                                    p, role:student, applications, *, */*, allow
                                    
                                    p, role:student, applications, *, infra/*, deny
                                    p, role:student, applications, *, trainee-environment/*, deny
                                    
                                    p, role:student, clusters, get, *, allow
                                    p, role:student, clusters, update, *, allow
                                    p, role:student, repositories, get, *, allow
                                    p, role:student, repositories, create, *, allow
                                    p, role:student, repositories, update, *, allow
                                    p, role:student, repositories, delete, *, allow
                                    
                                    p, role:student, projects, get, *, allow
                                    p, role:student, projects, create, *, allow
                                    p, role:student, projects, update, *, allow
                                    p, role:student, projects, delete, *, allow
                                    
                                    p, role:student, projects, *, infra, deny
                                    p, role:student, projects, *, trainee-environment, deny
                                    
                                    g, acend:trainees, role:student
                                    
                                    g, user1, role:student
                                    g, user2, role:student
                                    g, user3, role:student
                                    g, user4, role:student
                                    g, user5, role:student
                                    g, user6, role:student
                                    g, user7, role:student
                                    g, user8, role:student
                                    g, user9, role:student
                                    g, user10, role:student
                                    g, user11, role:student
                                    g, user12, role:student
                                    g, user13, role:student
                                    g, user14, role:student
                                    g, user15, role:student
                                    
                                    g, acend:admins, role:admin
                                EOT
                            }
                          - secret = {
                              - argocdServerAdminPassword = "$2a$10$zN6GmNBMcRJanXd2uX/Eu.UZYEfoWkEQKdXtqxhbMJauVAaZDZ5tC"
                              - extra                     = {
                                  - "accounts.user1.password"       = "$2a$10$KblIxi0pIDxTtTDJuDuw9ecWGWVdfCUL/GGoBPyfPcNOKpZrk1h3i"
                                  - "accounts.user1.passwordMtime"  = "2024-09-25T07:50:12Z"
                                  - "accounts.user10.password"      = "$2a$10$AekFl7rZmyeSkUvGSof6YOggpEqL2IsQwiFLlLDEMnVvrVcmetqBC"
                                  - "accounts.user10.passwordMtime" = "2024-09-25T07:50:12Z"
                                  - "accounts.user11.password"      = "$2a$10$A1Sa8dQlIe51JMEzGFXGv.yBwaabpgPPC0OvoBFhMuMkGxo0qZc9e"
                                  - "accounts.user11.passwordMtime" = "2024-09-25T07:50:12Z"
                                  - "accounts.user12.password"      = "$2a$10$H/6IakT6mBtW8raimQMRwuqyyHmU3UiPDadOXbeG68VbRhB876wAm"
                                  - "accounts.user12.passwordMtime" = "2024-09-25T07:50:12Z"
                                  - "accounts.user13.password"      = "$2a$10$QRXmid4QW3yFe5mPjgby9.SgcabHt.PdQw/k/Ep24vLTdOri1cuU2"
                                  - "accounts.user13.passwordMtime" = "2024-09-25T07:50:12Z"
                                  - "accounts.user14.password"      = "$2a$10$x08pouUGI7r3M56uE2hg/eyYRiyBpNiF1hS2m8Wac9xRTnxLJhzna"
                                  - "accounts.user14.passwordMtime" = "2024-09-25T07:50:12Z"
                                  - "accounts.user15.password"      = "$2a$10$Wsabx2R/8xj7UCs4NqqJaOW0yxhdLkzngZDx/X9uHKuFKd1SChjtO"
                                  - "accounts.user15.passwordMtime" = "2024-09-25T07:50:12Z"
                                  - "accounts.user2.password"       = "$2a$10$kyE/VY11x0VFbJK9poat3u1R6rAvm5h4Zy3Uz3wWEOLGlt.8wuF7m"
                                  - "accounts.user2.passwordMtime"  = "2024-09-25T07:50:12Z"
                                  - "accounts.user3.password"       = "$2a$10$7FE8sH90fuEo2iQyfRQvA.lzcFnaXVtW01k9HRhqFXT2h7uw8O7cq"
                                  - "accounts.user3.passwordMtime"  = "2024-09-25T07:50:12Z"
                                  - "accounts.user4.password"       = "$2a$10$ysrRPl3ZRadNEn0eLilP0.wTjwUa0bvAppGbli9saqSMxO4tGgNpS"
                                  - "accounts.user4.passwordMtime"  = "2024-09-25T07:50:12Z"
                                  - "accounts.user5.password"       = "$2a$10$6Gma9jF6q9B6YTUg/yoRZOYfJIyacFG4RZFtRDy5SV.pcXIy6Z1EG"
                                  - "accounts.user5.passwordMtime"  = "2024-09-25T07:50:12Z"
                                  - "accounts.user6.password"       = "$2a$10$pdPt0Uqq96JvpAesEykLm.6Jr9GUR/.SVzZcpQbvYTvsny..8uHpy"
                                  - "accounts.user6.passwordMtime"  = "2024-09-25T07:50:12Z"
                                  - "accounts.user7.password"       = "$2a$10$3MTPK4FdD2cOLD/ZaPFoXu8LWU5IFbae9bM9Wav4lZHATz65CJgRu"
                                  - "accounts.user7.passwordMtime"  = "2024-09-25T07:50:12Z"
                                  - "accounts.user8.password"       = "$2a$10$YTx2xWxqvQEOq7tnVKOBcebldrAXxUiiwPmGU9useRAehENwNBuGG"
                                  - "accounts.user8.passwordMtime"  = "2024-09-25T07:50:12Z"
                                  - "accounts.user9.password"       = "$2a$10$Ycv1LAQmpUik/GDFur6DS.5m3wsE0PxMkBeAfmbiLVFbPm1YBbr4S"
                                  - "accounts.user9.passwordMtime"  = "2024-09-25T07:50:12Z"
                                }
                            }
                        }
                      - controller = {
                          - metrics = {
                              - enabled = true
                            }
                        }
                      - global     = {
                          - domain       = "argocd.training.cluster.acend.ch"
                          - nodeSelector = {
                              - "node-role.kubernetes.io/control-plane" = "true"
                            }
                          - tolerations  = [
                              - {
                                  - effect   = "NoSchedule"
                                  - key      = "node-role.kubernetes.io/control-plane"
                                  - operator = "Equal"
                                  - value    = "true"
                                },
                            ]
                        }
                      - server     = {
                          - ingress     = {
                              - enabled          = true
                              - extraTls         = [
                                  - {
                                      - hosts      = [
                                          - "argocd.training.cluster.acend.ch",
                                        ]
                                      - secretName = "acend-wildcard"
                                    },
                                ]
                              - hostname         = "argocd.training.cluster.acend.ch"
                              - ingressClassName = "haproxy"
                            }
                          - ingressGrpc = {
                              - enabled          = true
                              - extraTls         = [
                                  - {
                                      - hosts      = [
                                          - "argocd-grpc.training.cluster.acend.ch",
                                        ]
                                      - secretName = "acend-wildcard"
                                    },
                                ]
                              - hostname         = "argocd-grpc.training.cluster.acend.ch"
                              - ingressClassName = "haproxy"
                            }
                        }
                    }
                )
              - version        = "7.5.2"
            },
        ] -> (known after apply)
        name                       = "argocd"
      ~ values                     = [
          - (sensitive value),
          - <<-EOT
                configs:
                  rbac: 
                    policy.csv: |
                      p, role:student, applications, *, */*, allow
                
                      p, role:student, applications, *, infra/*, deny
                      p, role:student, applications, *, trainee-environment/*, deny
                
                      p, role:student, clusters, get, *, allow
                      p, role:student, clusters, update, *, allow
                      p, role:student, repositories, get, *, allow
                      p, role:student, repositories, create, *, allow
                      p, role:student, repositories, update, *, allow
                      p, role:student, repositories, delete, *, allow
                
                      p, role:student, projects, get, *, allow
                      p, role:student, projects, create, *, allow
                      p, role:student, projects, update, *, allow
                      p, role:student, projects, delete, *, allow
                
                      p, role:student, projects, *, infra, deny
                      p, role:student, projects, *, trainee-environment, deny
                
                      g, acend:trainees, role:student
                
                      g, user1, role:student
                      g, user2, role:student
                      g, user3, role:student
                      g, user4, role:student
                      g, user5, role:student
                      g, user6, role:student
                      g, user7, role:student
                      g, user8, role:student
                      g, user9, role:student
                      g, user10, role:student
                      g, user11, role:student
                      g, user12, role:student
                      g, user13, role:student
                      g, user14, role:student
                      g, user15, role:student
                
                      g, acend:admins, role:admin
            EOT,
          - <<-EOT
                global:
                  nodeSelector:
                    node-role.kubernetes.io/control-plane: "true"
                  tolerations:
                  - key: node-role.kubernetes.io/control-plane
                    operator: Equal
                    value: "true"
                    effect: "NoSchedule"
                
                controller:
                  metrics:
                    enabled: true
                
                configs:
                  cm:
                    create: true
                    kustomize.buildOptions: "--enable-helm"
                    resource.exclusions: |
                      - kinds:
                        - "CiliumIdentity"
                        - "ciliumidentities"
                        - "CiliumEndpoint"
                        - "ciliumendpoints"
                        - "CiliumNode"
                        - "ciliumnodes"
                    dex.config: |
                      connectors:
                        - type: gitea
                          id: gitea
                          name: Gitea
                          config:
                            clientID: $gitea-oauthclient-argocd:client_id
                            clientSecret: $gitea-oauthclient-argocd:client_secret
                            redirectURI: https://argocd.training.cluster.acend.ch/api/dex/callback
                            baseURL: https://gitea.training.cluster.acend.ch
                            loadAllGroups: true
                  params:
                    server.insecure: true
                    application.namespaces: user*
                
                server:
                  ingress:
                    enabled: true
                    ingressClassName: haproxy
                    extraTls:
                    - secretName: acend-wildcard
                  ingressGrpc:
                    enabled: true
                    ingressClassName: haproxy
                    extraTls:
                    - secretName: acend-wildcard
            EOT,
        ] -> (known after apply)
        # (26 unchanged attributes hidden)

        # (6 unchanged blocks hidden)
    }

  # module.training-cluster.random_password.student-passwords[5] will be destroyed
  # (because index [5] is out of range for count)
  - resource "random_password" "student-passwords" {
      - bcrypt_hash      = (sensitive value) -> null
      - id               = "none" -> null
      - length           = 16 -> null
      - lower            = true -> null
      - min_lower        = 0 -> null
      - min_numeric      = 0 -> null
      - min_special      = 0 -> null
      - min_upper        = 0 -> null
      - number           = true -> null
      - numeric          = true -> null
      - override_special = ".-_" -> null
      - result           = (sensitive value) -> null
      - special          = true -> null
      - upper            = true -> null
    }

  # module.training-cluster.random_password.student-passwords[6] will be destroyed
  # (because index [6] is out of range for count)
  - resource "random_password" "student-passwords" {
      - bcrypt_hash      = (sensitive value) -> null
      - id               = "none" -> null
      - length           = 16 -> null
      - lower            = true -> null
      - min_lower        = 0 -> null
      - min_numeric      = 0 -> null
      - min_special      = 0 -> null
      - min_upper        = 0 -> null
      - number           = true -> null
      - numeric          = true -> null
      - override_special = ".-_" -> null
      - result           = (sensitive value) -> null
      - special          = true -> null
      - upper            = true -> null
    }

  # module.training-cluster.random_password.student-passwords[7] will be destroyed
  # (because index [7] is out of range for count)
  - resource "random_password" "student-passwords" {
      - bcrypt_hash      = (sensitive value) -> null
      - id               = "none" -> null
      - length           = 16 -> null
      - lower            = true -> null
      - min_lower        = 0 -> null
      - min_numeric      = 0 -> null
      - min_special      = 0 -> null
      - min_upper        = 0 -> null
      - number           = true -> null
      - numeric          = true -> null
      - override_special = ".-_" -> null
      - result           = (sensitive value) -> null
      - special          = true -> null
      - upper            = true -> null
    }

  # module.training-cluster.random_password.student-passwords[8] will be destroyed
  # (because index [8] is out of range for count)
  - resource "random_password" "student-passwords" {
      - bcrypt_hash      = (sensitive value) -> null
      - id               = "none" -> null
      - length           = 16 -> null
      - lower            = true -> null
      - min_lower        = 0 -> null
      - min_numeric      = 0 -> null
      - min_special      = 0 -> null
      - min_upper        = 0 -> null
      - number           = true -> null
      - numeric          = true -> null
      - override_special = ".-_" -> null
      - result           = (sensitive value) -> null
      - special          = true -> null
      - upper            = true -> null
    }

  # module.training-cluster.random_password.student-passwords[9] will be destroyed
  # (because index [9] is out of range for count)
  - resource "random_password" "student-passwords" {
      - bcrypt_hash      = (sensitive value) -> null
      - id               = "none" -> null
      - length           = 16 -> null
      - lower            = true -> null
      - min_lower        = 0 -> null
      - min_numeric      = 0 -> null
      - min_special      = 0 -> null
      - min_upper        = 0 -> null
      - number           = true -> null
      - numeric          = true -> null
      - override_special = ".-_" -> null
      - result           = (sensitive value) -> null
      - special          = true -> null
      - upper            = true -> null
    }

  # module.training-cluster.random_password.student-passwords[10] will be destroyed
  # (because index [10] is out of range for count)
  - resource "random_password" "student-passwords" {
      - bcrypt_hash      = (sensitive value) -> null
      - id               = "none" -> null
      - length           = 16 -> null
      - lower            = true -> null
      - min_lower        = 0 -> null
      - min_numeric      = 0 -> null
      - min_special      = 0 -> null
      - min_upper        = 0 -> null
      - number           = true -> null
      - numeric          = true -> null
      - override_special = ".-_" -> null
      - result           = (sensitive value) -> null
      - special          = true -> null
      - upper            = true -> null
    }

  # module.training-cluster.random_password.student-passwords[11] will be destroyed
  # (because index [11] is out of range for count)
  - resource "random_password" "student-passwords" {
      - bcrypt_hash      = (sensitive value) -> null
      - id               = "none" -> null
      - length           = 16 -> null
      - lower            = true -> null
      - min_lower        = 0 -> null
      - min_numeric      = 0 -> null
      - min_special      = 0 -> null
      - min_upper        = 0 -> null
      - number           = true -> null
      - numeric          = true -> null
      - override_special = ".-_" -> null
      - result           = (sensitive value) -> null
      - special          = true -> null
      - upper            = true -> null
    }

  # module.training-cluster.random_password.student-passwords[12] will be destroyed
  # (because index [12] is out of range for count)
  - resource "random_password" "student-passwords" {
      - bcrypt_hash      = (sensitive value) -> null
      - id               = "none" -> null
      - length           = 16 -> null
      - lower            = true -> null
      - min_lower        = 0 -> null
      - min_numeric      = 0 -> null
      - min_special      = 0 -> null
      - min_upper        = 0 -> null
      - number           = true -> null
      - numeric          = true -> null
      - override_special = ".-_" -> null
      - result           = (sensitive value) -> null
      - special          = true -> null
      - upper            = true -> null
    }

  # module.training-cluster.random_password.student-passwords[13] will be destroyed
  # (because index [13] is out of range for count)
  - resource "random_password" "student-passwords" {
      - bcrypt_hash      = (sensitive value) -> null
      - id               = "none" -> null
      - length           = 16 -> null
      - lower            = true -> null
      - min_lower        = 0 -> null
      - min_numeric      = 0 -> null
      - min_special      = 0 -> null
      - min_upper        = 0 -> null
      - number           = true -> null
      - numeric          = true -> null
      - override_special = ".-_" -> null
      - result           = (sensitive value) -> null
      - special          = true -> null
      - upper            = true -> null
    }

  # module.training-cluster.random_password.student-passwords[14] will be destroyed
  # (because index [14] is out of range for count)
  - resource "random_password" "student-passwords" {
      - bcrypt_hash      = (sensitive value) -> null
      - id               = "none" -> null
      - length           = 16 -> null
      - lower            = true -> null
      - min_lower        = 0 -> null
      - min_numeric      = 0 -> null
      - min_special      = 0 -> null
      - min_upper        = 0 -> null
      - number           = true -> null
      - numeric          = true -> null
      - override_special = ".-_" -> null
      - result           = (sensitive value) -> null
      - special          = true -> null
      - upper            = true -> null
    }

Plan: 0 to add, 3 to change, 10 to destroy.

Changes to Outputs:
  ~ count-students        = 15 -> 5
  ~ student-passwords     = (sensitive value)

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pusher: @g1raffi, Workflow: Deploy

@g1raffi g1raffi merged commit e000493 into main Sep 25, 2024
1 check passed