feat: add SKE Starter Kit

.pre-commit-config.yaml

@@ -0,0 +1,18 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.105.0
+    hooks:
+      - id: terraform_fmt
+      - id: terragrunt_fmt
+      - id: terragrunt_providers_lock
+        stages:
+          - manual # note: this step is very expensive, so you need to invoke it explicitly via `--hook-stage manual`
+        args:
+          - --args=-platform=darwin_arm64
+          - --args=-platform=darwin_amd64
+          - --args=-platform=linux_amd64
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: trailing-whitespace

foundations/meshstack-trial/platforms/azure/bootstrap/users.tf

@@ -7,7 +7,7 @@ resource "azuread_invitation" "users" {
 
   message {
     body = <<EOT
-You have been invited to join the Microsoft Entra ID tenant for the meshStack trial environment. 
+You have been invited to join the Microsoft Entra ID tenant for the meshStack trial environment.
 Please accept this invitation to gain access as a Global Administrator.
 EOT
   }

foundations/meshstack-trial/platforms/azure/entra-apps/meshstack-sso/outputs.tf

@@ -23,7 +23,7 @@ output "oidc_discovery_url" {
     The /common/ endpoint accepts both organisational and personal Microsoft accounts,
     matching the AzureADandPersonalMicrosoftAccount sign_in_audience set on the app.
   EOT
-  value = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration"
+  value       = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration"
 }
 
 output "secret_expiry" {

foundations/meshstack-trial/platforms/ske/.gitignore

@@ -0,0 +1,2 @@
+provider.tf
+plan.tfplan

foundations/meshstack-trial/platforms/ske/README.md

@@ -0,0 +1,39 @@
+# STACKIT Kubernetes Engine
+
+This contains all resources required to set up STACKIT Kubernetes Engine (SKE).
+
+## State Backend
+
+Existing GCS bucket `meshcloud-tf-states`, prefix `path/to/<module>`. Configured in [tfstate.hcl](tfstate.hcl).
+
+## Apply
+
+Requires a Vault port-forward to `localhost:8200`. Load credentials with `source setup.sh`, then apply:
+
+```bash
+terragrunt run --all apply
+```
+
+Terragrunt resolves the dependency order automatically. To target a single module: `cd <module> && terragrunt apply`, e.g. `cd kubernetes && terragrunt apply`.
+Use the graph in section [Module Dependencies](#module-dependencies) to know which modules need to be applied first.
+
+## Terragrunt Dependencies
+
+* `meshstack/platform` separate from `meshstack` as it needs `kubernetes`.
+* `kubernetes/addons/certmanager` exists as adding the `ClusterIssuer` custom resource needs the CRD from `kubernetes/addons/certmanager.tf`.
+
+![dependency graph](dep.png)
+
+Helps in knowing order of execution (arrow = depends on).
+Generate the graph with: `terragrunt dag graph | dot -Tpng > dep.png`
+
+## Access Kubernetes cluster
+
+To access the cluster, use the `stackit` CLI tool. Run:
+
+```bash
+stackit auth login
+
+stackit config set --project-id 47787660-94b9-4fb6-8bf7-53a90c41b26a
+stackit ske kubeconfig create starterkit --login
+```

foundations/meshstack-trial/platforms/ske/dns/backend.tf

@@ -0,0 +1,7 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+terraform {
+  backend "gcs" {
+    bucket = "meshcloud-tf-states"
+    prefix = "trial-cloudfoundation/foundations/meshstack-trial/platforms/ske/dns"
+  }
+}

foundations/meshstack-trial/platforms/ske/dns/dns.tf

@@ -0,0 +1,39 @@
+variable "dns_name" {
+  type = string
+}
+
+variable "stackit_project_id" {
+  type = string
+}
+
+variable "haproxy_lb_ip" {
+  type = string
+}
+
+
+resource "stackit_dns_zone" "this" {
+  project_id    = var.stackit_project_id
+  name          = "${var.dns_name}-ske-starterkit"
+  dns_name      = "${var.dns_name}.stackit.run"
+  contact_email = "support@meshcloud.io"
+  type          = "primary"
+  default_ttl   = 300
+}
+
+resource "stackit_dns_record_set" "A" {
+  project_id = var.stackit_project_id
+  zone_id    = stackit_dns_zone.this.zone_id
+  name       = "*.${var.dns_name}.stackit.run"
+  type       = "A"
+  records    = [var.haproxy_lb_ip]
+  comment    = "Wildcard app routing to HAProxy ingress load balancer"
+}
+
+moved {
+  from = stackit_dns_zone.idp
+  to   = stackit_dns_zone.this
+}
+
+output "zone_name" {
+  value = stackit_dns_zone.this.dns_name
+}

foundations/meshstack-trial/platforms/ske/dns/terragrunt.hcl

@@ -0,0 +1,35 @@
+include "common" {
+  path = find_in_parent_folders("common.hcl")
+}
+
+dependency "meshstack" {
+  config_path = "../meshstack"
+  mock_outputs = {
+    stackit_project_id = "00000000-0000-0000-0000-000000000000"
+  }
+}
+
+dependency "addons" {
+  config_path = "../kubernetes/addons"
+  mock_outputs = {
+    haproxy_lb_ip = "127.0.0.1"
+  }
+}
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite"
+  contents  = <<EOF
+provider "stackit" {
+  default_region        = "eu01"
+  service_account_key   = ${jsonencode(get_env("STACKIT_SKE_PROJECT_SERVICE_ACCOUNT_KEY"))}
+  enable_beta_resources = true
+}
+EOF
+}
+
+inputs = {
+  stackit_project_id = dependency.meshstack.outputs.stackit_project_id
+  dns_name           = "try-meshstack"
+  haproxy_lb_ip      = dependency.addons.outputs.haproxy_lb_ip
+}

foundations/meshstack-trial/platforms/ske/dns/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "~> 0.83"
+    }
+  }
+}

foundations/meshstack-trial/platforms/ske/git/backend.tf

@@ -0,0 +1,7 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+terraform {
+  backend "gcs" {
+    bucket = "meshcloud-tf-states"
+    prefix = "trial-cloudfoundation/foundations/meshstack-trial/platforms/ske/git"
+  }
+}

foundations/meshstack-trial/platforms/ske/git/git.tf

@@ -0,0 +1,56 @@
+variable "stackit_project_id" {
+  description = "STACKIT project UUID"
+  type        = string
+}
+
+variable "forgejo_organization" {
+  description = "Forgejo organization that should exist in the STACKIT Git instance"
+  type        = string
+}
+
+resource "stackit_git" "this" {
+  project_id = var.stackit_project_id
+  name       = var.forgejo_organization
+}
+
+moved {
+  from = stackit_git.git
+  to   = stackit_git.this
+}
+
+import {
+  to = stackit_git.this
+  id = "${var.stackit_project_id},bddcefe5-004c-4a7a-b40e-decc66d3649c"
+}
+
+# this direct input to output mapping looks funny, but reflects the manual step when bootstrapping a stackit_git instance
+# which requires creating a Personal Access Token for a Bot Account (shared platform engineering account)
+# At least we can use it here to create the Org within the (shared) Forgejo Instance
+variable "forgejo_token" {
+  type      = string
+  sensitive = true
+}
+
+
+provider "forgejo" {
+  host      = stackit_git.this.url
+  api_token = var.forgejo_token
+}
+
+resource "forgejo_organization" "this" {
+  name       = var.forgejo_organization
+  visibility = "private"
+}
+
+output "forgejo_token" {
+  value     = var.forgejo_token
+  sensitive = true
+}
+
+output "forgejo_base_url" {
+  value = stackit_git.this.url
+}
+
+output "forgejo_organization" {
+  value = forgejo_organization.this.name
+}

foundations/meshstack-trial/platforms/ske/git/terragrunt.hcl

@@ -0,0 +1,29 @@
+include "common" {
+  path = find_in_parent_folders("common.hcl")
+}
+
+dependency "meshstack" {
+  config_path = "../meshstack"
+  mock_outputs = {
+    stackit_project_id = "00000000-0000-0000-0000-000000000000"
+  }
+}
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite"
+  contents  = <<EOF
+provider "stackit" {
+  default_region        = "eu01"
+  service_account_key   = ${jsonencode(get_env("STACKIT_SKE_PROJECT_SERVICE_ACCOUNT_KEY"))}
+  enable_beta_resources = true # required for stackit_git resource
+}
+EOF
+}
+
+inputs = {
+  stackit_project_id   = dependency.meshstack.outputs.stackit_project_id
+  forgejo_organization = "try-meshstack"
+  # TODO: This is a workaround that we need to create a PAT for the created STACKIT git instance
+  forgejo_token = get_env("STACKIT_GIT_FORGEJO_TOKEN", "invalid-bootstrap")
+}

foundations/meshstack-trial/platforms/ske/git/versions.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "~> 0.83"
+    }
+    forgejo = {
+      source  = "svalabs/forgejo"
+      version = "~> 1.3.0"
+    }
+  }
+}