Source record: https://github.com/cloudon-one/kubelaunch-essentials (GitHub; default branch `main`; primary language HCL; MIT license; topics: kubernetes, platform-engineering, terraform, terragrunt). Repository description: "A preconfigured Kubernetes environment with Terragrunt-based automation, service mesh, and observability baked in—ready to deploy in minutes." Homepage: https://cloudon.work. Created 2025-01-12, last pushed 2025-01-21; 0 stars, 0 forks, 0 open issues and no tags or releases when indexed (2026-05-16). The index found a `README.md` and `LICENSE` but no `SECURITY.md`, `CODEOWNERS`, threat-model or audit file.

<p align="center">
  <img src="https://img.shields.io/badge/Terraform-%3E%3D1.12.0-844FBA?logo=terraform" alt="Terraform">
  <img src="https://img.shields.io/badge/Terragrunt-%3E%3D1.0.0-5C4EE5?logo=terragrunt" alt="Terragrunt">
  <img src="https://img.shields.io/badge/AWS-EKS-FF9900?logo=amazon-aws" alt="AWS EKS">
  <img src="https://img.shields.io/badge/Kubernetes-Platform-326CE5?logo=kubernetes&logoColor=white" alt="Kubernetes">
  <img src="https://img.shields.io/badge/Security-Hardened-green?logo=shield" alt="Security">
  <img src="https://img.shields.io/badge/License-MIT-blue" alt="License">
</p>

# KubeLaunch Essentials

Production-ready Kubernetes platform on AWS EKS with integrated security controls, GitOps automation, service mesh, and observability — deployed entirely via Infrastructure as Code.

---

## Table of Contents

- [Architecture](#architecture)
- [Component Matrix](#component-matrix)
- [Repository Structure](#repository-structure)
- [Quick Start](#quick-start)
- [Configuration](#configuration)
- [Security Hardening](#security-hardening)
- [CI/CD Integration](#cicd-integration)
- [Operations](#operations)
- [Troubleshooting](#troubleshooting)
- [Documentation](#documentation)
- [Contributing](#contributing)

---

## Architecture

```mermaid
graph TB
    subgraph AWS["AWS Infrastructure"]
        OIDC["GitHub OIDC"] --> S3["S3 State Backend<br/>KMS + DynamoDB"]
        Lambda["Secrets Rotation<br/>Lambda"] --> SM["Secrets Manager"]
        Audit["Security Audit<br/>CloudWatch"]
    end

    subgraph Core["1. Core Platform"]
        Karpenter["Karpenter"] & ExDNS["External DNS"] & CertMgr["Cert Manager"] & ExtSec["External Secrets"]
    end

    subgraph Mesh["2. Service Mesh"]
        Istio["Istio mTLS"] & Kong["Kong Gateway"] & Jaeger["Jaeger"]
    end

    subgraph Sec["3. Security"]
        Kyverno["Kyverno"] & Falco["Falco"] & Velero["Velero"]
    end

    subgraph Obs["4. Observability"]
        Loki["Loki Stack"] & Kubecost["Kubecost"] & Compliance["CIS Scanner"]
    end

    subgraph Tools["5. Platform Tools"]
        ArgoCD["ArgoCD"] & Atlantis["Atlantis"] & Vault["Vault"] & Airflow["Airflow"]
    end

    SM --> ExtSec
    ExtSec --> ArgoCD & Vault
    Kyverno -.->|Policy| Tools & Mesh
    Falco -.->|Monitor| Core
    Velero -.->|Backup| Tools
```

**Deployment order**: Core Platform -> Service Mesh -> Security -> Observability -> Platform Tools. Destroy in reverse.

---

## Component Matrix

| Layer | Component | Pinned version | Purpose |
|-------|-----------|----------------|---------|
| **Core Platform** | Karpenter | v1.10.0 | Node auto-provisioning |
| | External DNS | - | DNS automation |
| | Cert Manager | v1.20.0 | Certificate lifecycle |
| | External Secrets | v2.2.0 | AWS Secrets sync |
| **Service Mesh** | Istio | v1.29.1 | mTLS, traffic management |
| | Kong Gateway | v3.9.1 | API gateway |
| | Jaeger | v2.16.0 | Distributed tracing |
| **Security** | Kyverno | v3.7.1 | Admission control (4 policies) |
| | Falco | v8.0.1 | Runtime threat detection (eBPF) |
| | Velero | v12.0.0 | Backup & disaster recovery |
| **Observability** | Loki Stack | v3.7.1 | Log aggregation |
| | Kubecost | v3.0.3 | FinOps / cost monitoring |
| | Compliance Scanner | v1.2.0 | CIS 1.8 benchmark scanning |
| **Platform Tools** | ArgoCD | v3.3.6 | GitOps deployment |
| | Atlantis | - | Terraform PR automation |
| | Vault | v1.21.4 | Secrets management |
| | Airflow | v3.1.8 | Workflow orchestration |
| **AWS Infra** | State Backend | - | S3 + DynamoDB + KMS |
| | GitHub OIDC | - | Federated CI/CD auth |
| | Secrets Rotation | - | Lambda auto-rotation |
| | Security Audit | - | CloudWatch monitoring |

Versions are the ones pinned in this repository. For Kyverno, Falco and Velero the figure is the Helm chart version, not the application version, so check the chart's `appVersion` when matching a CVE advisory.

---

## Repository Structure

```
.
├── aws-infrastructure/              # AWS foundation (Terraform, local modules)
│   ├── state-backend/               # S3 + DynamoDB + KMS for state
│   ├── github-oidc/                 # GitHub Actions OIDC federation
│   ├── external-secrets-iam/        # IRSA roles for External Secrets
│   ├── secrets-rotation-lambda/     # Automated secrets rotation
│   └── security-audit-automation/   # CloudWatch security monitoring
│
├── k8s-platform-tools/              # Kubernetes platform (Terragrunt, remote modules)
│   ├── core-platform/               # Karpenter, External DNS, Cert Manager, External Secrets
│   ├── service-mesh/                # Istio, Kong, Jaeger
│   ├── security/                    # Kyverno, Falco, Velero
│   ├── observability/               # Loki, Kubecost, Compliance Scanner
│   ├── platform-tools/              # ArgoCD, Atlantis, Vault, Airflow
│   ├── ci-cd-templates/             # Reusable GitHub Actions workflows
│   ├── github-actions-templates/    # Language-specific test coverage actions
│   ├── common.hcl                   # Shared Terragrunt config (state, provider, versions)
│   └── platform_vars.yaml           # Single source of truth for all config
│
└── .github/workflows/               # OIDC-based CI/CD pipeline
```

---

## Quick Start

### Prerequisites

| Tool | Version | Purpose |
|------|---------|---------|
| Terraform | >= 1.12.2 | Infrastructure provisioning |
| Terragrunt | >= 1.0.0 | Configuration orchestration |
| AWS CLI | v2 | AWS authentication |
| kubectl | >= 1.28 | Cluster access |
| Helm | v3.x | Chart management |

### Deploy

```bash
# 1. Configure platform variables
cd k8s-platform-tools
cp platform_vars.yaml.example platform_vars.yaml  # Edit with your values

# 2. Bootstrap AWS infrastructure
cd ../aws-infrastructure/state-backend && terraform init && terraform apply
cd ../github-oidc && terragrunt apply
cd ../external-secrets-iam && terragrunt apply

# 3. Deploy platform layers (in order)
cd ../../k8s-platform-tools/core-platform && terragrunt run -a -- apply
cd ../service-mesh && terragrunt run -a -- apply
cd ../security && terragrunt run -a -- apply
cd ../observability && terragrunt run -a -- apply
cd ../platform-tools && terragrunt run -a -- apply

# 4. Deploy operational security
cd ../../aws-infrastructure/security-audit-automation && terragrunt apply
cd ../secrets-rotation-lambda && terragrunt apply
```

### Destroy (reverse order)

Tear down the two operational-security stacks under `aws-infrastructure/` (step 4 above) first, then remove the platform layers in the reverse of their deployment order:

```bash
cd k8s-platform-tools
terragrunt run -a --working-dir platform-tools -- destroy
terragrunt run -a --working-dir observability -- destroy
terragrunt run -a --working-dir security -- destroy
terragrunt run -a --working-dir service-mesh -- destroy
terragrunt run -a --working-dir core-platform -- destroy
```

---

## Configuration

All platform configuration lives in **`k8s-platform-tools/platform_vars.yaml`**: three component sections plus a shared `common` block.

| YAML Path | Components |
|-----------|------------|
| `Platform.Tools.<name>.inputs` | Core platform, service mesh, platform tools |
| `Platform.Security.<name>.inputs` | Kyverno, Falco, Velero |
| `Platform.Observability.<name>.inputs` | Compliance Scanner |
| `common.*` | Shared values (region, VPC, EKS, tags) |

**Key convention**: the component directory name must match the YAML key exactly (resolved via `basename(get_terragrunt_dir())`). A directory whose name matches no key receives no component-specific inputs and fails silently rather than loudly.

### Environment Selection

```bash
ENV=dev terragrunt apply    # default
ENV=prod terragrunt apply   # production
```

### Secrets Management

All sensitive values are stored in AWS Secrets Manager and referenced as:
```yaml
admin_password: "aws-secretsmanager:///dev/argocd/admin-password"
```

Secrets are synced to Kubernetes via External Secrets Operator with IRSA, so no secret value is committed to this repository or written into `platform_vars.yaml`.

---

## Security Hardening

### Phase 1: Foundation

| Control | Implementation |
|---------|---------------|
| State encryption | S3 KMS + DynamoDB KMS with key rotation |
| State locking | DynamoDB with prevent_destroy lifecycle |
| CI/CD auth | GitHub OIDC federation (no long-lived keys) |
| Secrets access | IRSA least-privilege per component |

### Phase 2: Runtime

| Control | Implementation |
|---------|---------------|
| Admission control | Kyverno: approved registries, no `latest` tag, resource limits, security contexts |
| Threat detection | Falco eBPF: privileged containers, sensitive file access, C2 connections |
| Backup & DR | Velero: daily full, hourly critical, weekly maintenance with S3+KMS |
| Network policies | Default-deny with explicit allow for DNS, k8s API |

### Phase 3: Operational

| Control | Implementation |
|---------|---------------|
| Secrets rotation | Lambda-based monthly rotation with SNS notifications |
| Compliance scanning | Weekly CIS 1.8 benchmarks with S3 reports |
| Security monitoring | CloudWatch alarms: failed auth (>10/5min), privilege escalation, policy violations |
| Security dashboard | Centralized CloudWatch dashboard |

---

## CI/CD Integration

### Main Workflow (`.github/workflows/terragrunt-plan-apply-oidc.yaml`)

OIDC-authenticated pipeline with manual dispatch:

```
Workflow Dispatch → OIDC Auth → Init → Validate → Plan → [Approval] → Apply
```

| Feature | Detail |
|---------|--------|
| Authentication | AWS OIDC (no static credentials) |
| Environments | dev, qa, prod (selectable) |
| Approval | Required before apply via GitHub Issues |
| Artifacts | Plan output stored 30 days |
| Tools | Terraform 1.12.2, Terragrunt 1.0.0 |

### Reusable Templates (`k8s-platform-tools/ci-cd-templates/`)

| Template | Purpose |
|----------|---------|
| `terragrunt-plan-apply.yaml` | Full pipeline: TFSEC, Checkov, Infracost, drift detection |
| `reusable-docker-build.yaml` | Multi-platform Docker builds with Trivy scanning |
| `terragrunt-fmt-commit.yaml` | Auto-format with TFLint, PR creation |
| `get-env-func.yaml` | Branch-to-environment mapping |

---

## Operations

### Monitoring

```bash
# Security dashboard
cd aws-infrastructure/security-audit-automation && terragrunt output dashboard_url

# Compliance reports
aws s3 ls s3://<owner>-<env>-compliance-reports/

# Falco alerts (Falco prints priorities as e.g. "Critical", so match case-insensitively)
kubectl logs -n falco -l app.kubernetes.io/name=falco | grep -i critical

# Kyverno policy reports
kubectl get clusterpolicyreport -o yaml

# Velero backup status
velero backup get
```

### State Management

```bash
terragrunt state list                     # List resources
terragrunt state pull > backup.tfstate    # Backup state (contains secrets in plaintext; protect the file)
terragrunt force-unlock <LOCK_ID>         # Unlock stuck state
```

---

## Troubleshooting

| Problem | Solution |
|---------|----------|
| State locked | `terragrunt force-unlock <LOCK_ID>`, only after the lock info (operator, timestamp) confirms no other run is still in progress |
| Config not applied | Verify directory name matches `platform_vars.yaml` key |
| Module fetch fails | Check git access to `github.com/cloudon-one/k8s-platform-modules`, verify `ref=dev` exists. A branch ref is mutable; pin releases to a tag or commit SHA |
| OIDC auth fails | `aws iam list-open-id-connect-providers` and check role trust policy |
| Policy blocks deploy | Temporarily set Kyverno to Audit: `kubectl patch clusterpolicy <name> -p '{"spec":{"validationFailureAction":"Audit"}}'`. This relaxes the policy for every namespace it covers; fix the workload, then restore `Enforce` |
| Secrets not syncing | `kubectl describe externalsecret <name> -n <namespace>` |
| Dependency errors | Verify parent layer is deployed; check deployment order |

---

## Documentation

| Document | Description |
|----------|-------------|
| [Security Review](./SECURITY_REVIEW.md) | Initial security audit findings |
| [Security Implementation Plan](./SECURITY_IMPLEMENTATION_PLAN.md) | Complete security roadmap |
| [Phase 1 Deployment](./PHASE1_FOUNDATION_SECURITY_DEPLOYMENT.md) | Foundation security guide |
| [Phase 2 Deployment](./PHASE2_SECURITY_DEPLOYMENT.md) | Runtime security guide |
| [Phase 3 Deployment](./PHASE3_OPERATIONAL_SECURITY_DEPLOYMENT.md) | Operational security guide |
| [IaC Summary](./INFRASTRUCTURE_AS_CODE_SUMMARY.md) | Infrastructure as Code overview |

---

## Contributing

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/my-feature`)
3. Follow existing Terragrunt/Terraform patterns
4. Update `platform_vars.yaml` for configuration changes
5. Open a Pull Request

---

## License

MIT License - see [LICENSE](LICENSE) for details.

---

<p align="center"><b>Built for production Kubernetes deployments</b></p>