demo

Author: akashdan90

arcadia/data.tf

@@ -1,21 +1,33 @@
-data "tfe_outputs" "infra" {
-  organization = var.tf_cloud_organization
-  workspace = "infra"
+# Read infra state from S3
+data "terraform_remote_state" "infra" {
+  backend = "s3"
+  config = {
+    bucket = "akash-terraform-state-bucket"  # Your S3 bucket name
+    key    = "infra/terraform.tfstate"       # Path to infra's state file
+    region = "us-east-1"                     # AWS region
+  }
 }
-data "tfe_outputs" "eks" {
-  organization = var.tf_cloud_organization
-  workspace = "eks"
+
+
+data "terraform_remote_state" "nap" {
+  backend = "s3"
+  config = {
+    bucket = "akash-terraform-state-bucket"  # Your S3 bucket name
+    key    = "nap/terraform.tfstate"         # Path to NAP state file
+    region = "us-east-1"                     # AWS region
+  }
 }
-data "tfe_outputs" "nap" {
-  count = data.tfe_outputs.infra.values.nap ? 1 : 0
-  organization = var.tf_cloud_organization
-  workspace = "nap"
-}
-data "tfe_outputs" "nic" {
-  count = data.tfe_outputs.infra.values.nic ? 1 : 0
-  organization = var.tf_cloud_organization
-  workspace = "nic"
+
+data "terraform_remote_state" "eks" {
+  backend = "s3"
+  config = {
+    bucket = "akash-terraform-state-bucket"  # Your S3 bucket name
+    key    = "eks-cluster/terraform.tfstate"  # Path to EKS state file
+    region = "us-east-1"                     # AWS region
+  }
 }
+
+# Get EKS cluster auth using S3 state
 data "aws_eks_cluster_auth" "auth" {
-  name = data.tfe_outputs.eks.values.cluster_name
-}
+  name = data.terraform_remote_state.eks.outputs.cluster_name
+}

arcadia/locals.tf

@@ -1,9 +1,8 @@
 locals {
-  project_prefix = data.tfe_outputs.infra.values.project_prefix
-  #external_name = try(data.tfe_outputs.nap.values.external_name, data.tfe_outputs.nic.values.external_name, "arcadia-cd-demo.sr.f5-cloud-demo.com")
-  external_name = try(data.tfe_outputs.nap[0].values.external_name, data.tfe_outputs.nic[0].values.external_name)
-  aws_region = data.tfe_outputs.infra.values.aws_region
-  host = data.tfe_outputs.eks.values.cluster_endpoint
-  cluster_ca_certificate = data.tfe_outputs.eks.values.kubeconfig-certificate-authority-data
-  cluster_name = data.tfe_outputs.eks.values.cluster_name
-} 
+  project_prefix          = data.terraform_remote_state.infra.outputs.project_prefix
+  aws_region             = data.terraform_remote_state.infra.outputs.aws_region
+  external_name          = try(data.terraform_remote_state.nap.outputs.external_name, "arcadia-cd-demo.sr.f5-cloud-demo.com")
+  host                   = data.terraform_remote_state.eks.outputs.cluster_endpoint
+  cluster_ca_certificate = data.terraform_remote_state.eks.outputs.kubeconfig-certificate-authority-data
+  cluster_name           = data.terraform_remote_state.eks.outputs.cluster_name
+}

arcadia/versions.tf

@@ -1,14 +1,29 @@
 terraform {
-  required_version = ">= 0.14.0"
+  required_version = ">= 1.6.0"
+
   required_providers {
-    aws = ">= 4"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0.0"
+    }
     kubernetes = {
-      source = "hashicorp/kubernetes"
-      version = "2.16.1"
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.23.0"
     }
     helm = {
       source  = "hashicorp/helm"
-      version = ">=2.7.0"
+      version = ">= 2.12.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.15.0"
     }
   }
-}
+  backend "s3" {
+    bucket         = "akash-terraform-state-bucket"  # Your S3 bucket name
+    key            = "arcadia/terraform.tfstate"       # Path to state file
+    region         = "us-east-1"                     # AWS region
+    dynamodb_table = "terraform-lock-table"          # DynamoDB table for state locking
+    encrypt        = true                            # Encrypt state file at rest
+  }
+}

arcadia/virtual.tf

@@ -0,0 +1,70 @@
+resource "kubernetes_manifest" "arcadia_virtualserver" {
+  manifest = {
+    apiVersion = "k8s.nginx.org/v1"
+    kind       = "VirtualServer"
+    metadata = {
+      name      = "arcadia-virtualserver"
+      namespace = "default"
+    }
+    spec = {
+      host = try(data.terraform_remote_state.nap.outputs.external_name, "arcadia-cd-demo.sr.f5-cloud-demo.com")
+      
+      # Reference the WAF policy
+      policies = [
+        {
+          name      = "waf-policy"  # Name of the WAF policy
+          namespace = "default"     # Namespace where the WAF policy is deployed
+        }
+      ]
+
+      upstreams = [
+        {
+          name    = "main-upstream"
+          service = kubernetes_service.main.metadata[0].name
+          port    = 80
+        },
+        {
+          name    = "backend-upstream"
+          service = kubernetes_service.backend.metadata[0].name
+          port    = 80
+        },
+        {
+          name    = "app2-upstream"
+          service = kubernetes_service.app_2.metadata[0].name
+          port    = 80
+        },
+        {
+          name    = "app3-upstream"
+          service = kubernetes_service.app_3.metadata[0].name
+          port    = 80
+        }
+      ]
+      routes = [
+        {
+          path = "/"
+          action = {
+            pass = "main-upstream"
+          }
+        },
+        {
+          path = "/files"
+          action = {
+            pass = "backend-upstream"
+          }
+        },
+        {
+          path = "/api"
+          action = {
+            pass = "app2-upstream"
+          }
+        },
+        {
+          path = "/app3"
+          action = {
+            pass = "app3-upstream"
+          }
+        }
+      ]
+    }
+  }
+}

arcadia/wafpolicy.tf

@@ -0,0 +1,16 @@
+resource "kubernetes_manifest" "waf_policy" {
+  manifest = {
+    apiVersion = "k8s.nginx.org/v1"
+    kind       = "Policy"
+    metadata = {
+      name      = "waf-policy"
+      namespace = "default"  # Replace with your desired namespace
+    }
+    spec = {
+      waf = {
+        enable   = true
+        apBundle = "compiled_policy.tgz"
+      }
+    }
+  }
+}

nap/charts/nginx-app-protect/values.yaml

@@ -1,69 +1,60 @@
 ---
 controller:
+  name: controller
+  kind: deployment
+  nginxplus: true
+  mgmt:
+    licenseTokenSecretName: "license-token"
+    sslVerify: false
+  nginxReloadTimeout: 60000
   appprotect:
     enable: true
     v5: true
-    volumes:
-      - name: app-protect-bd-config
-        emptyDir: {}
-      - name: app-protect-config
-        emptyDir: {}
-      - name: app-protect-bundles
-        emptyDir: {}
-        
-    volumeMounts:
-      - name: app-protect-bd-config
-        mountPath: /etc/app_protect/bd-config
-      - name: app-protect-config
-        mountPath: /etc/app_protect/config
-      - name: app-protect-bundles
-        mountPath: /etc/app_protect/bundles
-     ## Configuration for App Protect WAF v5 Enforcer
     enforcer:
-      # Host that the App Protect WAF v5 Enforcer runs on.
-      # This will normally be "127.0.0.1" as the Enforcer container
-      # will run in the same pod as the Ingress Controller container.
       host: "127.0.0.1"
-      # Port that the App Protect WAF v5 Enforcer runs on.
-      port: 50000 
+      port: 50000
       image:
-        ## The image repository of the App Protect WAF v5 Enforcer.
-        repository:  private-registry.nginx.com/nap/waf-enforcer
-        tag: "3.6.1"
-        ## The pull policy for the App Protect WAF v5 Enforcer image.
+        repository: private-registry.nginx.com/nap/waf-enforcer
+        tag: "5.4.0"
         pullPolicy: IfNotPresent
-      securityContext: 
-        readOnlyRootFilesystem: true
+      securityContext:
+        readOnlyRootFilesystem: false  # Temporarily disabled for debugging
+        allowPrivilegeEscalation: true
+        runAsNonRoot: false
     configManager:
       image:
-        ## The image repository of the App Protect WAF v5 Configuration Manager.
         repository: private-registry.nginx.com/nap/waf-config-mgr
-        ## The tag of the App Protect WAF v5 Configuration Manager image.
-        tag: "3.6.1"
-        ## The pull policy for the App Protect WAF v5 Configuration Manager image.
+        tag: "5.4.0"
         pullPolicy: IfNotPresent
       securityContext:
-        readOnlyRootFilesystem: true
-        allowPrivilegeEscalation: false
-        runAsUser: 101 #nginx
-        runAsNonRoot: true
+        readOnlyRootFilesystem: false  # Temporarily disabled for debugging
+        allowPrivilegeEscalation: true
+        runAsNonRoot: false
         capabilities:
           drop:
             - all
-  appprotectdos:
-    enable: true
+      volumeMounts:
+        - name: app-protect-bd-config
+          mountPath: /opt/app_protect/bd_config
+        - name: app-protect-config
+          mountPath: /opt/app_protect/config
+        - name: app-protect-bundles
+          mountPath: /etc/app_protect/bundles
   enableSnippets: true
   image:
-    repository: private-registry.nginx.com/nginx-ic-dos/nginx-plus-ingress
-    tag: "3.6.1"
-    pullPolicy: Always
-  nginxplus: true
+    repository: private-registry.nginx.com/nginx-ic-nap-v5/nginx-plus-ingress
+    tag: "4.0.1"
+    pullPolicy: IfNotPresent
+  securityContext:
+    readOnlyRootFilesystem: false  # Temporarily disabled for debugging
+    allowPrivilegeEscalation: true
+  logLevel: "debug"  # Increased for debugging
   nginxStatus:
-    allowCidrs: 0.0.0.0/0
+    allowCidrs: "0.0.0.0/0"
     port: 9000
   readyStatus:
     initialDelaySeconds: 30
   serviceAccount:
-    imagePullSecretName: regcred 
+    imagePullSecretName: regcred
 prometheus:
-  create: true
+  create: true

nap/charts/prometheus/values.yaml

@@ -1,4 +1,11 @@
 ---
 prometheus:
   pushgateway:
-    enabled: false
+    enabled: false
+  server:
+    persistentVolume:
+      enabled: true  
+  alertmanager:
+    persistentVolume:
+      enabled: true  
+