Skip to content

Commit

Permalink
chore: Sync changes from Blueprints examples refactoring (ALB control…
Browse files Browse the repository at this point in the history
…ler + Fargate FluentBit) (#163)
  • Loading branch information
bryantbiggs authored May 25, 2023
1 parent a4ef628 commit b625dd0
Show file tree
Hide file tree
Showing 19 changed files with 1,116 additions and 167 deletions.
52 changes: 52 additions & 0 deletions .github/workflows/publish-docs.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
name: Publish docs via GitHub Pages
on:
push:
branches:
- main
paths:
- "docs/**"
- "mkdocs.yml"
- README.md

release:
types:
- published

env:
PYTHON_VERSION: 3.x

jobs:
build:
name: Deploy docs
runs-on: ubuntu-latest
steps:
- name: Checkout main
uses: actions/checkout@v3
with:
fetch-depth: 0

- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v3
with:
python-version: ${{ env.PYTHON_VERSION }}

- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install mike=1.1.2 mkdocs-material==9.1.4 mkdocs-include-markdown-plugin==4.0.4
- name: git config
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
- name: mike deploy main
if: contains(github.ref, 'refs/heads/main')
run: |
mike deploy --push main
- name: mike deploy new version
if: contains(github.ref, 'refs/tags/v') && !github.event.release.prerelease
run: |
VERSION=${GITHUB_REF/refs\/tags\//}
mike deploy --rebase --push --update-aliases "${VERSION}" latest
8 changes: 6 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
# EKS Blueprints Addons Terraform Module
# AWS EKS Blueprints Addons

Terraform module to deploy Kubernetes addons on AWS EKS clusters.

### 🚧 Currently under development 🚧

Expand Down Expand Up @@ -69,6 +71,7 @@ Please note: not all addons will be supported as they are today in the main EKS
| [aws_cloudwatch_log_group.fargate_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
| [aws_iam_instance_profile.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
| [aws_iam_policy.fargate_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
Expand All @@ -87,6 +90,7 @@ Please note: not all addons will be supported as they are today in the main EKS
| [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.fargate_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.karpenter_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
Expand Down Expand Up @@ -189,7 +193,7 @@ Please note: not all addons will be supported as they are today in the main EKS
| <a name="output_eks_addons"></a> [eks\_addons](#output\_eks\_addons) | Map of attributes for each EKS addons enabled |
| <a name="output_external_dns"></a> [external\_dns](#output\_external\_dns) | Map of attributes of the Helm release and IRSA created |
| <a name="output_external_secrets"></a> [external\_secrets](#output\_external\_secrets) | Map of attributes of the Helm release and IRSA created |
| <a name="output_fargate_fluentbit"></a> [fargate\_fluentbit](#output\_fargate\_fluentbit) | Map of attributes of the Helm release and IRSA created |
| <a name="output_fargate_fluentbit"></a> [fargate\_fluentbit](#output\_fargate\_fluentbit) | Map of attributes of the configmap and IAM policy created |
| <a name="output_gatekeeper"></a> [gatekeeper](#output\_gatekeeper) | Map of attributes of the Helm release and IRSA created |
| <a name="output_ingress_nginx"></a> [ingress\_nginx](#output\_ingress\_nginx) | Map of attributes of the Helm release and IRSA created |
| <a name="output_karpenter"></a> [karpenter](#output\_karpenter) | Map of attributes of the Helm release and IRSA created |
Expand Down
30 changes: 30 additions & 0 deletions docs/aws-cloudwatch-metrics.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# AWS CloudWatch Metrics

Use CloudWatch Container Insights to collect, aggregate, and summarize metrics and logs from your containerized applications and microservices. CloudWatch automatically collects metrics for many resources, such as CPU, memory, disk, and network. Container Insights also provides diagnostic information, such as container restart failures, to help you isolate issues and resolve them quickly. You can also set CloudWatch alarms on metrics that Container Insights collects.

Container Insights collects data as performance log events using embedded metric format. These performance log events are entries that use a structured JSON schema that enables high-cardinality data to be ingested and stored at scale. From this data, CloudWatch creates aggregated metrics at the cluster, node, pod, task, and service level as CloudWatch metrics. The metrics that Container Insights collects are available in CloudWatch automatic dashboards, and also viewable in the Metrics section of the CloudWatch console.

## Usage

[aws-cloudwatch-metrics](https://github.com/aws-ia/terraform-aws-eks-blueprints/tree/main/modules/kubernetes-addons/aws-cloudwatch-metrics) can be deployed by enabling the add-on via the following.

```hcl
enable_aws_cloudwatch_metrics = true
```

You can also customize the Helm chart that deploys `aws-cloudwatch-metrics` via the following configuration:


```hcl
enable_aws_cloudwatch_metrics = true
aws_cloudwatch_metrics_irsa_policies = ["IAM Policies"]
aws_cloudwatch_metrics = {
role_policies = ["IAM Policies"] # extra policies in addition of CloudWatchAgentServerPolicy
name = "aws-cloudwatch-metrics"
repository = "https://aws.github.io/eks-charts"
chart_version = "0.0.9"
namespace = "amazon-cloudwatch"
values = [templatefile("${path.module}/values.yaml", {})] # The value `clusterName` is already set to the EKS cluster name, no need to specify here
}
```
42 changes: 42 additions & 0 deletions docs/aws-efs-csi-driver.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# AWS EFS CSI Driver

This add-on deploys the [AWS EFS CSI driver](https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html) into an EKS cluster.

## Usage

The [AWS EFS CSI driver](https://github.com/aws-ia/terraform-aws-eks-blueprints/tree/main/modules/kubernetes-addons/aws-efs-csi-driver) can be deployed by enabling the add-on via the following. Check out the full [example](https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/examples/stateful/main.tf) to deploy an EKS Cluster with EFS backing the dynamic provisioning of persistent volumes.

```hcl
enable_aws_efs_csi_driver = true
```

Once deployed, you will be able to see a number of supporting resources in the `kube-system` namespace.

```sh
$ kubectl get deployment efs-csi-controller -n kube-system

NAME READY UP-TO-DATE AVAILABLE AGE
efs-csi-controller 2/2 2 2 4m29s
```

```sh
$ kubectl get daemonset efs-csi-node -n kube-system

NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
efs-csi-node 3 3 3 3 3 beta.kubernetes.io/os=linux 4m32s
```

You can optionally customize the Helm chart that deploys the driver via the following configuration.

```hcl
enable_aws_efs_csi_driver = true
# Optional aws_efs_csi_driver_helm_config
aws_efs_csi_driver = {
repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
chart_version = "2.4.1"
}
aws_efs_csi_driver {
role_policies = ["<ADDITIONAL_IAM_POLICY_ARN>"]
}
```
86 changes: 86 additions & 0 deletions docs/aws-load-balancer-controller.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
# AWS Load Balancer Controller.

[AWS Load Balancer Controller ](https://kubernetes-sigs.github.io/aws-load-balancer-controller/) is a controller to help manage Elastic Load Balancers for a Kubernetes cluster. This Add-on deploys this controller in an Amazon EKS Cluster.

## Usage

In order to deploy the AWS Load Balancer Controller Addon via [EKS Blueprints Addons](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons), reference the following parameters under the `module.eks_blueprints_addons`.

```hcl
module "eks_blueprints_addons" {
enable_aws_load_balancer_controller = true
aws_load_balancer_controller = {
set = [
{
name = "vpcId"
value = module.vpc.vpc_id
},
{
name = "podDisruptionBudget.maxUnavailable"
value = 1
},
]
}
```
### Helm Chart customization

It's possible to customize your deployment using the Helm Chart parameters inside the `aws_load_balancer_controller` configuration block:

```hcl
aws_load_balancer_controller = {
set = [
{
name = "vpcId"
value = module.vpc.vpc_id
},
{
name = "podDisruptionBudget.maxUnavailable"
value = 1
},
{
name = "resources.requests.cpu"
value = 100m
},
{
name = "resources.requests.memory"
value = 128Mi
},
]
}
}
```

You can find all available Helm Chart parameter values [here](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/helm/aws-load-balancer-controller/values.yaml).


## Validate

1. To validate the deployment, check if the `aws-load-balancer-controller` Pods were created in the `kube-system` Namespace, as the following example.

```sh
kubectl -n kube-system get pods | grep aws-load-balancer-controller
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system aws-load-balancer-controller-6cbdb58654-fvskt 1/1 Running 0 26m
kube-system aws-load-balancer-controller-6cbdb58654-sc7dk 1/1 Running 0 26m
```

2. Create a Kubernetes Ingress, using the `alb` IngressClass, pointing to an existing Service. In this example we'll use a Service called `example-svc`.

```sh
kubectl create ingress example-ingress --class alb --rule="/*=example-svc:80" \
--annotation alb.ingress.kubernetes.io/scheme=internet-facing \
--annotation alb.ingress.kubernetes.io/target-type=ip
```

```sh
kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
example-ingress alb * k8s-example-ingress-7e0d6f03e7-1234567890.us-west-2.elb.amazonaws.com 80 4m9s
```

## Resources

[GitHub Repo](https://github.com/kubernetes-sigs/aws-load-balancer-controller/)
[Helm Chart](https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller)
[AWS Docs](https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html)
65 changes: 65 additions & 0 deletions docs/aws-private-ca-issuer.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
# AWS Private CA (PCA) Issuer

[AWS Private CA](https://aws.amazon.com/private-ca/) is an AWS service that can setup and manage private CAs, as well as issue private certifiates. This Add-on deployes the AWS Private CA Issuer as an [external issuer](https://cert-manager.io/docs/configuration/external/) to **cert-manager** that signs off certificate requests using AWS Private CA in an Amazon EKS Cluster.

## Usage

### Pre-requisites

To deploy the AWS PCA, you need to install cert-manager first, refer to this [documentation](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/docs/cert-manager.md) to do it through EKS Blueprints Addons.

### Deployment

With **cert-manager** deployed in place, you can deploy the AWS Private CA Issuer Add-on via [EKS Blueprints Addons](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons), reference the following parameters under the `module.eks_blueprints_addons`.

```hcl
module "eks_blueprints_addons" {
enable_cert_manager = true
enable_aws_privateca_issuer = true
aws_privateca_issuer = {
acmca_arn = aws_acmpca_certificate_authority.this.arn
}
}
```

### Helm Chart customization

It's possible to customize your deployment using the Helm Chart parameters inside the `aws_load_balancer_controller` configuration block:

```hcl
aws_privateca_issuer = {
acmca_arn = aws_acmpca_certificate_authority.this.arn
namespace = "aws-privateca-issuer"
create_namespace = true
}
```

You can find all available Helm Chart parameter values [here](https://github.com/cert-manager/aws-privateca-issuer/blob/main/charts/aws-pca-issuer/values.yaml).

## Validation

1. List all the pods running in `aws-privateca-issuer` and `cert-manager` Namespace.

```sh
kubectl get pods -n aws-privateca-issuer
kubectl get pods -n cert-manager
```

2. Check the `certificate` status in it should be in `Ready` state, and be pointing to a `secret` created in the same Namespace.

```sh
kubectl get certificate -o wide
NAME READY SECRET ISSUER STATUS AGE
example True example-clusterissuer tls-with-aws-pca-issuer Certificate is up to date and has not expired 41m

kubectl get secret example-clusterissuer
NAME TYPE DATA AGE
example-clusterissuer kubernetes.io/tls 3 43m
```

## Resources

[GitHub Repo](https://github.com/cert-manager/aws-privateca-issuer)
[Helm Chart](https://github.com/cert-manager/aws-privateca-issuer/tree/main/charts/aws-pca-issuer)
[AWS Docs](https://docs.aws.amazon.com/privateca/latest/userguide/PcaKubernetes.html)
Loading

0 comments on commit b625dd0

Please sign in to comment.