From c8413cd35fd7265767b381a71601a59136959e4f Mon Sep 17 00:00:00 2001 From: Yuvraj Singh Date: Fri, 30 Jun 2023 17:01:41 +0530 Subject: [PATCH 01/14] added IPv6 support for add on --- .../aws-load-balancer-controller/locals.tf | 2 +- .../internal_nginx_ingress/ingress_ipv6.yaml | 76 +++++++++++++++++++ addons/nginx_ingress/nginx_ingress_ip6.yaml | 59 ++++++++++++++ examples/complete/main.tf | 1 + main.tf | 4 +- 5 files changed, 139 insertions(+), 3 deletions(-) create mode 100644 addons/internal_nginx_ingress/ingress_ipv6.yaml create mode 100644 addons/nginx_ingress/nginx_ingress_ip6.yaml diff --git a/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/locals.tf b/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/locals.tf index 8be2238..2430ec3 100644 --- a/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/locals.tf +++ b/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/locals.tf @@ -7,7 +7,7 @@ locals { name = local.name chart = local.name repository = "https://aws.github.io/eks-charts" - version = "1.4.5" + version = "1.5.4" namespace = "kube-system" values = local.default_helm_values description = "aws-load-balancer-controller Helm Chart for ingress resources" diff --git a/addons/internal_nginx_ingress/ingress_ipv6.yaml b/addons/internal_nginx_ingress/ingress_ipv6.yaml new file mode 100644 index 0000000..cbd7c0e --- /dev/null +++ b/addons/internal_nginx_ingress/ingress_ipv6.yaml 
@@ -0,0 +1,76 @@ +controller: + kind: Deployment + service: + enabled: true + annotations: + service.beta.kubernetes.io/aws-load-balancer-type: nlb + service.beta.kubernetes.io/aws-load-balancer-internal: "true" + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip + service.beta.kubernetes.io/aws-load-balancer-ip-address-type: dualstack + externalTrafficPolicy: Cluster + ipFamilies: + - IPv6 + ipFamilyPolicy: PreferDualStack + internal: + enabled: false + annotations: + service.beta.kubernetes.io/aws-load-balancer-type: nlb + service.beta.kubernetes.io/aws-load-balancer-internal: "true" + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip + service.beta.kubernetes.io/aws-load-balancer-ip-address-type: dualstack + ingressClass: internal-nginx + ingressClassResource: + enabled: true + name: internal-nginx + ingressClass: internal-nginx + + + resources: + limits: + cpu: 500m + memory: 750Mi + requests: + cpu: 50m + memory: 200Mi + autoscaling: + enabled: true + minReplicas: 2 + maxReplicas: 10 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 80 + podAnnotations: + co.elastic.logs/enabled: "true" + co.elastic.logs/module: nginx + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - ingress-nginx + - key: app.kubernetes.io/instance + operator: In + values: + - ingress-nginx + - key: app.kubernetes.io/component + operator: In + values: + - controller + topologyKey: "kubernetes.io/hostname" + + + + + +## Enabling metrics for prometheus monitoring + + metrics: + enabled: ${enable_service_monitor} + serviceMonitor: + enabled: true + additionalLabels: + release: "prometheus-operator" 
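Review bot: The internal Service's `service.beta.kubernetes.io/aws-load-balancer-internal: "true"` is the legacy in-tree annotation; the AWS Load Balancer Controller treats it as deprecated in favour of `service.beta.kubernetes.io/aws-load-balancer-scheme: internal` (which wins if both are present), and the public variant added in the same series already uses the `-scheme` form, so this file should too. The `controller.service.internal` block is `enabled: false` yet repeats the full annotation set, which is dead configuration that will drift from the live block; either remove it or mark it with `# disabled: kept only as a reference copy of the annotations above`. Also, with `nlb-target-type: ip` the NLB sends traffic straight to the pods, so whether nginx sees the real client address is decided by the target group's client-IP-preservation attribute rather than by `externalTrafficPolicy: Cluster`; if `whitelist-source-range` or rate limiting is expected on this internal ingress, set `service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true` (or enable proxy protocol) and verify it, because the default for IP targets is not established by anything visible here.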
diff --git a/addons/nginx_ingress/nginx_ingress_ip6.yaml b/addons/nginx_ingress/nginx_ingress_ip6.yaml new file mode 100644 index 0000000..5fa0852 --- /dev/null +++ b/addons/nginx_ingress/nginx_ingress_ip6.yaml @@ -0,0 +1,59 @@ +## Set kind to DaemonSet so no affinity is assigned to it + +controller: + kind: Deployment + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-type: nlb + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip + service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing + service.beta.kubernetes.io/aws-load-balancer-ip-address-type: dualstack + externalTrafficPolicy: Cluster + ipFamilies: + - IPv6 + ipFamilyPolicy: PreferDualStack + resources: + limits: + cpu: 500m + memory: 750Mi + requests: + cpu: 50m + memory: 200Mi + autoscaling: + enabled: true + minReplicas: 2 + maxReplicas: 10 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 80 + podAnnotations: + co.elastic.logs/enabled: "true" + co.elastic.logs/module: nginx + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - ingress-nginx + - key: app.kubernetes.io/instance + operator: In + values: + - ingress-nginx + - key: app.kubernetes.io/component + operator: In + values: + - controller + topologyKey: "kubernetes.io/hostname" + + + +## Enabling metrics for prometheus monitoring + + metrics: + enabled: ${enable_service_monitor} + serviceMonitor: + enabled: true + additionalLabels: + release: "prometheus-operator" diff --git a/examples/complete/main.tf b/examples/complete/main.tf index f7d4ac9..c3e0998 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
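Review bot: The header comment `## Set kind to DaemonSet so no affinity is assigned to it` contradicts the file it heads, which sets `kind: Deployment` and then attaches a required `podAntiAffinity`; replace it with `## Deployment with required pod anti-affinity: at most one controller replica per node`. This is an internet-facing dualstack NLB with `nlb-target-type: ip`, so any abuse control configured in nginx (rate limiting, `whitelist-source-range`) only works if the target group preserves the client address; that is a target-group attribute, not `externalTrafficPolicy`, and nothing here sets it. If such controls are expected, add `service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true` (or enable proxy protocol) and confirm the controller's default for IP targets, since it is not visible in this change.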
@@ -37,6 +37,7 @@ module "eks_bootstrap" { cluster_autoscaler_enabled = true service_monitor_crd_enabled = true karpenter_provisioner_enabled = false + enable_aws_load_balancer_controller = true karpenter_provisioner_config = { private_subnet_name = "private-subnet-name" instance_capacity_type = ["on-demand"] diff --git a/main.tf b/main.tf index c1464f0..6bc3a62 100644 --- a/main.tf +++ b/main.tf @@ -55,7 +55,7 @@ module "k8s_addons" { ingress_nginx_helm_config = { version = var.ingress_nginx_version values = [ - templatefile("${path.module}/addons/nginx_ingress/nginx_ingress.yaml", { + templatefile("${path.module}/addons/nginx_ingress/${data.aws_eks_cluster.eks.kubernetes_network_config[0].ip_family == "ipv4" ? "nginx_ingress.yaml" : "nginx_ingress_ipv6.yaml" }", { enable_service_monitor = var.service_monitor_crd_enabled }) @@ -225,7 +225,7 @@ resource "helm_release" "internal_nginx" { namespace = "internal-ingress-nginx" repository = "https://kubernetes.github.io/ingress-nginx" values = [ - templatefile("${path.module}/addons/internal_nginx_ingress/ingress.yaml", { + templatefile("${path.module}/addons/internal_nginx_ingress/${data.aws_eks_cluster.eks.kubernetes_network_config[0].ip_family == "ipv4" ? "ingress.yaml" : "ingress_ipv6.yaml"}", { enable_service_monitor = var.service_monitor_crd_enabled }) ] From 4dad73bb0623da9543c681f19c2b67a1d4154ad8 Mon Sep 17 00:00:00 2001 From: Yuvraj Singh Date: Fri, 30 Jun 2023 23:08:31 +0530 Subject: [PATCH 02/14] updated file name --- .../{nginx_ingress_ip6.yaml => nginx_ingress_ipv6.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename addons/nginx_ingress/{nginx_ingress_ip6.yaml => nginx_ingress_ipv6.yaml} (100%) diff --git a/addons/nginx_ingress/nginx_ingress_ip6.yaml b/addons/nginx_ingress/nginx_ingress_ipv6.yaml similarity index 100% rename from addons/nginx_ingress/nginx_ingress_ip6.yaml rename to addons/nginx_ingress/nginx_ingress_ipv6.yaml 
From a05c0865a926d544a0b2f0db6cb0a54d2784815e Mon Sep 17 00:00:00 2001 From: Yuvraj Singh Date: Tue, 4 Jul 2023 14:25:52 +0530 Subject: [PATCH 03/14] updated nginx ingress --- .../kubernetes-addons/aws-load-balancer-controller/data.tf | 5 +++++ addons/internal_nginx_ingress/ingress_ipv6.yaml | 2 +- addons/nginx_ingress/nginx_ingress_ipv6.yaml | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/data.tf b/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/data.tf index 8686476..51952ec 100644 --- a/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/data.tf +++ b/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/data.tf @@ -145,6 +145,11 @@ data "aws_iam_policy_document" "aws_lb" { variable = "aws:ResourceTag/ingress.k8s.aws/cluster" values = ["false"] } + condition { + test = "StringEquals" + variable = "elasticloadbalancing:CreateAction" + values = ["CreateTargetGroup", "CreateLoadBalancer"] + } } statement { diff --git a/addons/internal_nginx_ingress/ingress_ipv6.yaml b/addons/internal_nginx_ingress/ingress_ipv6.yaml index cbd7c0e..775598b 100644 --- a/addons/internal_nginx_ingress/ingress_ipv6.yaml +++ b/addons/internal_nginx_ingress/ingress_ipv6.yaml @@ -3,7 +3,7 @@ controller: service: enabled: true annotations: - service.beta.kubernetes.io/aws-load-balancer-type: nlb + service.beta.kubernetes.io/aws-load-balancer-type: external service.beta.kubernetes.io/aws-load-balancer-internal: "true" service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip diff --git a/addons/nginx_ingress/nginx_ingress_ipv6.yaml b/addons/nginx_ingress/nginx_ingress_ipv6.yaml index 5fa0852..25e0e71 100644 --- a/addons/nginx_ingress/nginx_ingress_ipv6.yaml +++ b/addons/nginx_ingress/nginx_ingress_ipv6.yaml 
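Review bot: The new `elasticloadbalancing:CreateAction` condition is ANDed with the existing `Null aws:ResourceTag/ingress.k8s.aws/cluster = false` condition in the same statement, and a load balancer or target group that is still being created has no resource tags yet, so if this statement is the tag-on-create grant for `elasticloadbalancing:AddTags` the pair can never be satisfied and the controller's create path will be denied. The upstream controller policy pairs `CreateAction` with `Null aws:RequestTag/elbv2.k8s.aws/cluster = false` (the tag in the request, not on the resource) and keeps the `aws:ResourceTag` guard in a separate statement for mutations of existing resources. The statement's `actions` and `resources` start above the hunk, so confirm which grant this is before changing the line to `variable = "aws:RequestTag/elbv2.k8s.aws/cluster"`.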
@@ -4,7 +4,7 @@ controller: kind: Deployment service: annotations: - service.beta.kubernetes.io/aws-load-balancer-type: nlb + service.beta.kubernetes.io/aws-load-balancer-type: external service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing service.beta.kubernetes.io/aws-load-balancer-ip-address-type: dualstack From 0f3dbf3fb50a8479236efd1f3b7de0bb385bd151 Mon Sep 17 00:00:00 2001 From: Yuvraj Singh Date: Tue, 4 Jul 2023 16:22:40 +0530 Subject: [PATCH 04/14] added cluster name inside load balancer helm --- .../kubernetes-addons/aws-load-balancer-controller/locals.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/locals.tf b/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/locals.tf index 2430ec3..b02a9c7 100644 --- a/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/locals.tf +++ b/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/locals.tf @@ -33,6 +33,10 @@ locals { { name = "serviceAccount.create" value = false + }, + { + name = "clusterName" + value = var.addon_context.eks_cluster_id } ], try(var.helm_config.set_values, []) From 91ff84ca06f78580d809776ff86a1acfe328eb64 Mon Sep 17 00:00:00 2001 From: Yuvraj Singh Date: Wed, 5 Jul 2023 23:14:51 +0530 Subject: [PATCH 05/14] updated policy for load balancer controller --- .../kubernetes-addons/aws-load-balancer-controller/data.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/data.tf b/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/data.tf index 51952ec..a59d94d 100644 --- a/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/data.tf +++ b/EKS-Blueprint/modules/kubernetes-addons/aws-load-balancer-controller/data.tf 
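Review bot: Switching to `service.beta.kubernetes.io/aws-load-balancer-type: external` hands this Service to the AWS Load Balancer Controller and stops the in-tree cloud provider from reconciling it, so on a cluster where the controller add-on is not enabled the Service sits at `<pending>` with no load balancer and the failure only surfaces at runtime. Nothing visible in this series couples the IPv6 ingress path to that add-on: the example enables `enable_aws_load_balancer_controller = true` by hand, but the module itself does not check it. A plan-time guard, e.g. a `lifecycle { precondition { ... } }` on `data.aws_eks_cluster.eks` with `condition = kubernetes_network_config[0].ip_family != "ipv6" || !var.ingress_nginx_enabled || var.enable_aws_load_balancer_controller`, would fail early instead; the controller flag's variable name is inferred from the example and should be confirmed.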
@@ -142,7 +142,7 @@ data "aws_iam_policy_document" "aws_lb" { condition { test = "Null" - variable = "aws:ResourceTag/ingress.k8s.aws/cluster" + variable = "aws:ResourceTag/elbv2.k8s.aws/cluster" values = ["false"] } condition { From 148f643b2765e63f4ee5ec586d42f70d73149527 Mon Sep 17 00:00:00 2001 From: "yuvraj.singh" Date: Wed, 19 Jul 2023 16:32:14 +0530 Subject: [PATCH 06/14] added IPv6 support for karpenter provisioner --- .../karpenter-provisioner/templates/provisioner.yaml | 5 +++++ addons/karpenter_provisioner/main.tf | 12 ++++++++++-- addons/karpenter_provisioner/variable.tf | 12 ++++++++++++ main.tf | 2 ++ variables.tf | 1 + 5 files changed, 30 insertions(+), 2 deletions(-) diff --git a/addons/karpenter_provisioner/karpenter-provisioner/templates/provisioner.yaml b/addons/karpenter_provisioner/karpenter-provisioner/templates/provisioner.yaml index 8e54fa5..888d53c 100644 --- a/addons/karpenter_provisioner/karpenter-provisioner/templates/provisioner.yaml +++ b/addons/karpenter_provisioner/karpenter-provisioner/templates/provisioner.yaml @@ -12,6 +12,11 @@ spec: - key: karpenter.k8s.aws/instance-size operator: NotIn values: {{ .Values.karpenter_ec2_instance_type }} + {{- if .Values.karpenter_instance_hypervisor }} + - key: "karpenter.k8s.aws/instance-hypervisor" + operator: In + values: {{ .Values.karpenter_instance_hypervisor }} + {{- end }} providerRef: # optional, recommended to use instead of `provider` name: karpenter-node-template ttlSecondsAfterEmpty: 300 # optional, but never scales down if not set diff --git a/addons/karpenter_provisioner/main.tf b/addons/karpenter_provisioner/main.tf index 588fe12..33224f5 100644 --- a/addons/karpenter_provisioner/main.tf +++ b/addons/karpenter_provisioner/main.tf 
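Review bot: The `{{- if .Values.karpenter_instance_hypervisor }}` guard tests Go-template truthiness of a string, and the value is built in Terraform as `"[${join(",", var.instance_hypervisor)}]"`, so the sub-module default `[""]` arrives as the non-empty string `[]`, passes the guard and renders `values: []` — an `In` requirement with no permitted values, which either fails CRD validation or matches no instance type for the IPv6 Provisioner. Guard the rendered form explicitly, `{{- if and .Values.karpenter_instance_hypervisor (ne .Values.karpenter_instance_hypervisor "[]") }}`, or better, normalise the empty case in Terraform before templating. A comment above the block such as `# hypervisor pin is only supplied on IPv6 clusters (see ipv6-values.yaml)` would explain why this requirement is conditional. The enclosing `requirements:` list starts above the hunk.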
@@ -2,8 +2,16 @@ resource "helm_release" "karpenter_provisioner" { name = "karpenter-provisioner" chart = "${path.module}/karpenter-provisioner/" timeout = 600 - values = [ - templatefile("${path.module}/karpenter-provisioner/values.yaml", { + values = var.ipv6_enabled == true ? [ + templatefile("${path.module}/karpenter-provisioner/ipv6-values.yaml", { + subnet_selector_name = var.subnet_selector_name, + sg_selector_name = var.sg_selector_name, + karpenter_ec2_capacity_type = "[${join(",", [for s in var.karpenter_ec2_capacity_type : format("%s", s)])}]", + excluded_karpenter_ec2_instance_type = "[${join(",", var.excluded_karpenter_ec2_instance_type)}]" + instance_hypervisor = "[${join(",", var.instance_hypervisor)}]" + }) + ] : [ + templatefile("${path.module}/karpenter-provisioner/ipv4-values.yaml", { subnet_selector_name = var.subnet_selector_name, sg_selector_name = var.sg_selector_name, karpenter_ec2_capacity_type = "[${join(",", [for s in var.karpenter_ec2_capacity_type : format("%s", s)])}]", diff --git a/addons/karpenter_provisioner/variable.tf b/addons/karpenter_provisioner/variable.tf index c0631ba..4b957fa 100644 --- a/addons/karpenter_provisioner/variable.tf +++ b/addons/karpenter_provisioner/variable.tf @@ -21,3 +21,15 @@ variable "excluded_karpenter_ec2_instance_type" { type = list(string) default = [""] } + +variable "instance_hypervisor" { + description = "List of instance hypervisor that can be used by Karpenter" + type = list(string) + default = [""] +} + +variable "ipv6_enabled" { + description = "whether IPv6 enabled or not" + type = bool + default = false +} \ No newline at end of file diff --git a/main.tf b/main.tf index 6bc3a62..ea13012 100644 --- a/main.tf +++ b/main.tf 
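Review bot: `var.ipv6_enabled == true ?` compares a `bool` to `true`; the idiomatic form is `values = var.ipv6_enabled ? [ ... ] : [ ... ]`. The new `instance_hypervisor = "[${join(",", var.instance_hypervisor)}]"` line (copying the pre-existing capacity-type pattern) splices raw list entries into a YAML flow sequence without quoting, so an entry containing `,`, `]`, `:` or `#` changes the structure of the rendered Provisioner instead of being rejected, and the sub-module default `[""]` renders as the bare string `[]`; a `validation` block on the variable that restricts entries to Karpenter's known hypervisor labels is the cleanest guard. The two branches differ by a single template key, so a comment on the IPv6 branch, `# IPv6 clusters additionally pin the hypervisor; the README implies Nitro is required — confirm`, would record why the branch exists.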
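Review bot: `instance_hypervisor` accepts any string and defaults to `[""]`, but its value is interpolated verbatim into a YAML flow sequence in the Provisioner template, so there is no check that entries are values Karpenter's `karpenter.k8s.aws/instance-hypervisor` label can match (`nitro` or `xen`, mirroring EC2's hypervisor field) and a stray character alters the rendered manifest rather than failing the plan. A `validation` block keeps the default acceptable while rejecting anything else, and the description should say the list is only consulted when `ipv6_enabled` is true, which is what `main.tf` does. The last line of the hunk is also missing a trailing newline (`\ No newline at end of file`), which later whitespace-only commits in this series then have to fix.

```hcl
variable "instance_hypervisor" {
  description = "Hypervisor(s) Karpenter may schedule on (karpenter.k8s.aws/instance-hypervisor); only used when ipv6_enabled is true"
  type        = list(string)
  default     = [""]
  validation {
    condition     = alltrue([for h in var.instance_hypervisor : contains(["", "nitro", "xen"], h)])
    error_message = "instance_hypervisor entries must be \"nitro\" or \"xen\"."
  }
}
# … unchanged: ipv6_enabled variable …
```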
@@ -203,10 +203,12 @@ module "karpenter_provisioner" { depends_on = [module.k8s_addons] source = "./addons/karpenter_provisioner" count = var.karpenter_provisioner_enabled ? 1 : 0 + ipv6_enabled = var.ipv6_enabled sg_selector_name = var.eks_cluster_name subnet_selector_name = var.karpenter_provisioner_config.private_subnet_name karpenter_ec2_capacity_type = var.karpenter_provisioner_config.instance_capacity_type excluded_karpenter_ec2_instance_type = var.karpenter_provisioner_config.excluded_instance_type + instance_hypervisor = var.karpenter_provisioner_config.instance_hypervisor } resource "kubernetes_namespace" "internal_nginx" { diff --git a/variables.tf b/variables.tf index fe19eb6..768c97f 100644 --- a/variables.tf +++ b/variables.tf @@ -233,6 +233,7 @@ variable "karpenter_provisioner_config" { private_subnet_name = "" instance_capacity_type = ["spot"] excluded_instance_type = ["nano", "micro", "small"] + instance_hypervisor = ["nitro"] } type = any } From e476fcdd207b817d6e1c129d691f3e69654660ac Mon Sep 17 00:00:00 2001 From: "yuvraj.singh" Date: Wed, 19 Jul 2023 17:07:51 +0530 Subject: [PATCH 07/14] added configuration for IPv6 --- .../karpenter-provisioner/ipv4-values.yaml | 5 +++++ .../karpenter-provisioner/ipv6-values.yaml | 6 ++++++ 2 files changed, 11 insertions(+) create mode 100644 addons/karpenter_provisioner/karpenter-provisioner/ipv4-values.yaml create mode 100644 addons/karpenter_provisioner/karpenter-provisioner/ipv6-values.yaml diff --git a/addons/karpenter_provisioner/karpenter-provisioner/ipv4-values.yaml b/addons/karpenter_provisioner/karpenter-provisioner/ipv4-values.yaml new file mode 100644 index 0000000..be21c46 --- /dev/null +++ b/addons/karpenter_provisioner/karpenter-provisioner/ipv4-values.yaml 
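Review bot: `instance_hypervisor = var.karpenter_provisioner_config.instance_hypervisor` reads a key from a `type = any` variable, and Terraform does not merge the declared default into a caller-supplied object, so an existing caller that passes `karpenter_provisioner_config` without `instance_hypervisor` — as the visible portion of `examples/complete/main.tf` appears to — gets an unsupported-attribute error once the provisioner is enabled instead of `["nitro"]`; use `instance_hypervisor = try(var.karpenter_provisioner_config.instance_hypervisor, ["nitro"])`. Separately, `ipv6_enabled = var.ipv6_enabled` introduces a second source of truth: the nginx templates earlier in this same file choose IPv4/IPv6 from `data.aws_eks_cluster.eks.kubernetes_network_config[0].ip_family`, so a caller who sets `ipv6_enabled = true` on an IPv4 cluster (or omits it on an IPv6 one) gets a Karpenter Provisioner that disagrees with the ingress configuration. Deriving it once, `ipv6_enabled = data.aws_eks_cluster.eks.kubernetes_network_config[0].ip_family == "ipv6"`, or adding a precondition that the two agree, removes the mismatch.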
@@ -0,0 +1,5 @@ +subnet_selector_name: "${subnet_selector_name}" +sg_selector_name: "${sg_selector_name}" +karpenter_ec2_capacity_type: "${karpenter_ec2_capacity_type}" +excluded_karpenter_ec2_instance_type: "${excluded_karpenter_ec2_instance_type}" + diff --git a/addons/karpenter_provisioner/karpenter-provisioner/ipv6-values.yaml b/addons/karpenter_provisioner/karpenter-provisioner/ipv6-values.yaml new file mode 100644 index 0000000..68ad72c --- /dev/null +++ b/addons/karpenter_provisioner/karpenter-provisioner/ipv6-values.yaml @@ -0,0 +1,6 @@ +subnet_selector_name: "${subnet_selector_name}" +sg_selector_name: "${sg_selector_name}" +karpenter_ec2_capacity_type: "${karpenter_ec2_capacity_type}" +excluded_karpenter_ec2_instance_type: "${excluded_karpenter_ec2_instance_type}" +karpenter_instance_hypervisor: "${instance_hypervisor}" + From 851f7a5b3f6cb5758e102835b37e7307cda4a41f Mon Sep 17 00:00:00 2001 From: "yuvraj.singh" Date: Wed, 19 Jul 2023 17:22:28 +0530 Subject: [PATCH 08/14] added configuration for IPv6 --- variables.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/variables.tf b/variables.tf index 768c97f..798841b 100644 --- a/variables.tf +++ b/variables.tf @@ -285,3 +285,9 @@ variable "cluster_issuer" { default = "letsencrypt-prod" type = string } + +variable "ipv6_enabled" { + description = "Whether enable IPv6 or not" + default = false + type = bool +} \ No newline at end of file From af45c227a9a08becd289fb79c42e77ea91a9a5cd Mon Sep 17 00:00:00 2001 From: "yuvraj.singh" Date: Thu, 20 Jul 2023 12:03:03 +0530 Subject: [PATCH 09/14] updated README --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 0b04816..f500a19 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,7 @@ module "eks_bootstrap" { name = "skaf" vpc_id = "vpc-06e37f0786b7eskaf" environment = "production" + ipv6_enabled = true kms_key_arn = "arn:aws:kms:region:222222222222:key/kms_key_arn" keda_enabled = true istio_enabled = false 
@@ -40,6 +41,7 @@ module "eks_bootstrap" { private_subnet_name = "private_subnet_name" instance_capacity_type = ["spot"] excluded_instance_type = ["nano", "micro", "small"] + instance_hypervisor = ["nitro"] ## Instance hypervisor is picked up only if IPv6 enable is chosen } cert_manager_letsencrypt_email = "email@example.com" internal_ingress_nginx_enabled = true @@ -74,6 +76,7 @@ module "eks_bootstrap" { | Release 2.0.0 | ✔ | ✔ | ✔ | ✗ | | Release 2.1.0 | ✔ | ✔ | ✔ | ✗ | | Release 3.0.0 | ✔ | ✔ | ✔ | ✔ | +| Release 3.1.0 | ✔ | ✔ | ✔ | ✔ | ## IAM Permissions The required IAM permissions to create resources from this module can be found [here](https://github.com/squareops/terraform-aws-eks-bootstrap/blob/main/IAM.md) From 7c5109394bf563eec1ec374b435f46a861c40b86 Mon Sep 17 00:00:00 2001 From: "yuvraj.singh" Date: Thu, 20 Jul 2023 15:37:01 +0530 Subject: [PATCH 10/14] added changes for Ipv6 --- .../modules/kubernetes-addons/README.md | 2 +- README.md | 9 ++-- addons/karpenter_provisioner/README.md | 2 + .../karpenter-provisioner/ipv4-values.yaml | 1 - .../karpenter-provisioner/ipv6-values.yaml | 1 - addons/karpenter_provisioner/main.tf | 4 +- addons/karpenter_provisioner/variable.tf | 6 +-- examples/complete/main.tf | 54 +++++++++---------- main.tf | 6 +-- variables.tf | 8 +-- 10 files changed, 47 insertions(+), 46 deletions(-) diff --git a/EKS-Blueprint/modules/kubernetes-addons/README.md b/EKS-Blueprint/modules/kubernetes-addons/README.md index 3950d83..e668891 100644 --- a/EKS-Blueprint/modules/kubernetes-addons/README.md +++ b/EKS-Blueprint/modules/kubernetes-addons/README.md 
@@ -214,7 +214,6 @@ | [enable\_karpenter](#input\_enable\_karpenter) | Enable Karpenter autoscaler add-on | `bool` | `false` | no | | [enable\_keda](#input\_enable\_keda) | Enable KEDA Event-based autoscaler add-on | `bool` | `false` | no | | [enable\_kube\_prometheus\_stack](#input\_enable\_kube\_prometheus\_stack) | Enable Community kube-prometheus-stack add-on | `bool` | `false` | no | -| [enable\_kubecost](#input\_enable\_kubecost) | Enable Kubecost add-on | `bool` | `false` | no | | [enable\_kuberay\_operator](#input\_enable\_kuberay\_operator) | Enable KubeRay Operator add-on | `bool` | `false` | no | | [enable\_kubernetes\_dashboard](#input\_enable\_kubernetes\_dashboard) | Enable Kubernetes Dashboard add-on | `bool` | `false` | no | | [enable\_kyverno](#input\_enable\_kyverno) | Enable Kyverno add-on | `bool` | `false` | no | @@ -265,6 +264,7 @@ | [keda\_helm\_config](#input\_keda\_helm\_config) | KEDA Event-based autoscaler add-on config | `any` | `{}` | no | | [keda\_irsa\_policies](#input\_keda\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no | | [kube\_prometheus\_stack\_helm\_config](#input\_kube\_prometheus\_stack\_helm\_config) | Community kube-prometheus-stack Helm Chart config | `any` | `{}` | no | +| [kubecost\_enabled](#input\_kubecost\_enabled) | Enable Kubecost add-on | `bool` | `false` | no | | [kubecost\_helm\_config](#input\_kubecost\_helm\_config) | Kubecost Helm Chart config | `any` | `{}` | no | | [kuberay\_operator\_helm\_config](#input\_kuberay\_operator\_helm\_config) | KubeRay Operator Helm Chart config | `any` | `{}` | no | | [kubernetes\_dashboard\_helm\_config](#input\_kubernetes\_dashboard\_helm\_config) | Kubernetes Dashboard Helm Chart config | `any` | `null` | no | diff --git a/README.md b/README.md index f500a19..2c2396e 100644 --- a/README.md +++ b/README.md 
@@ -183,7 +183,7 @@ Velero is designed to work with cloud native environments, making it a popular c ## Notes -Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make sure to subscribe to the **Kubecost - Amazon EKS cost monitoring** license. +Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make sure to subscribe to the **Kubecost - Amazon EKS cost monitoring** license. ## Requirements @@ -250,7 +250,7 @@ Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make | [cert\_manager\_install\_letsencrypt\_http\_issuers](#input\_cert\_manager\_install\_letsencrypt\_http\_issuers) | Enable or disable the HTTP issuer for cert-manager | `bool` | `false` | no | | [cert\_manager\_install\_letsencrypt\_r53\_issuers](#input\_cert\_manager\_install\_letsencrypt\_r53\_issuers) | Enable or disable the creation of Route53 issuer while installing cert manager. | `bool` | `false` | no | | [cert\_manager\_letsencrypt\_email](#input\_cert\_manager\_letsencrypt\_email) | Specifies the email address to be used by cert-manager to request Let's Encrypt certificates | `string` | `""` | no | -| [cluster\_autoscaler\_chart\_version](#input\_cluster\_autoscaler\_chart\_version) | Version of the cluster autoscaler helm chart | `string` | `"9.19.1"` | no | +| [cluster\_autoscaler\_chart\_version](#input\_cluster\_autoscaler\_chart\_version) | Version of the cluster autoscaler helm chart | `string` | `"9.29.0"` | no | | [cluster\_autoscaler\_enabled](#input\_cluster\_autoscaler\_enabled) | Whether to enable the Cluster Autoscaler add-on or not. | `bool` | `false` | no | | [cluster\_issuer](#input\_cluster\_issuer) | Specify the letsecrypt cluster-issuer for ingress tls. | `string` | `"letsencrypt-prod"` | no | | [cluster\_propotional\_autoscaler\_enabled](#input\_cluster\_propotional\_autoscaler\_enabled) | Enable or disable Cluster propotional autoscaler add-on | `bool` | `false` | no | 
@@ -260,11 +260,12 @@ Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make | [environment](#input\_environment) | Environment identifier for the Amazon Elastic Kubernetes Service (EKS) cluster. | `string` | `""` | no | | [external\_secrets\_enabled](#input\_external\_secrets\_enabled) | Enable or disable External Secrets operator add-on for managing external secrets. | `bool` | `false` | no | | [ingress\_nginx\_enabled](#input\_ingress\_nginx\_enabled) | Enable or disable Nginx Ingress Controller add-on for routing external traffic to Kubernetes services. | `bool` | `false` | no | -| [ingress\_nginx\_version](#input\_ingress\_nginx\_version) | Specify the version of the NGINX Ingress Controller | `string` | `"4.1.4"` | no | +| [ingress\_nginx\_version](#input\_ingress\_nginx\_version) | Specify the version of the NGINX Ingress Controller | `string` | `"4.7.0"` | no | | [internal\_ingress\_nginx\_enabled](#input\_internal\_ingress\_nginx\_enabled) | Enable or disable the deployment of an internal ingress controller for Kubernetes. | `bool` | `false` | no | +| [ipv6\_enabled](#input\_ipv6\_enabled) | Whether enable IPv6 or not | `bool` | `false` | no | | [istio\_enabled](#input\_istio\_enabled) | Enable istio for service mesh. | `bool` | `false` | no | | [karpenter\_enabled](#input\_karpenter\_enabled) | Enable or disable Karpenter, a Kubernetes-native, multi-tenant, and auto-scaling solution for containerized workloads on Kubernetes. | `bool` | `false` | no | -| [karpenter\_provisioner\_config](#input\_karpenter\_provisioner\_config) | Configuration to provide settings for Karpenter, including which private subnet to use, instance capacity types, and excluded instance types. | `any` |
{
"excluded_instance_type": [
"nano",
"micro",
"small"
],
"instance_capacity_type": [
"spot"
],
"private_subnet_name": ""
}
| no | +| [karpenter\_provisioner\_config](#input\_karpenter\_provisioner\_config) | Configuration to provide settings for Karpenter, including which private subnet to use, instance capacity types, and excluded instance types. | `any` |
{
"excluded_instance_type": [
"nano",
"micro",
"small"
],
"instance_capacity_type": [
"spot"
],
"instance_hypervisor": [
"nitro"
],
"private_subnet_name": ""
}
| no | | [karpenter\_provisioner\_enabled](#input\_karpenter\_provisioner\_enabled) | Enable or disable the installation of Karpenter, which is a Kubernetes cluster autoscaler. | `bool` | `false` | no | | [keda\_enabled](#input\_keda\_enabled) | Enable or disable Kubernetes Event-driven Autoscaling (KEDA) add-on for autoscaling workloads. | `bool` | `false` | no | | [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of the KMS key used to encrypt AWS resources in the EKS cluster. | `string` | `""` | no | diff --git a/addons/karpenter_provisioner/README.md b/addons/karpenter_provisioner/README.md index 892f371..a2c701a 100644 --- a/addons/karpenter_provisioner/README.md +++ b/addons/karpenter_provisioner/README.md @@ -26,6 +26,8 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [excluded\_karpenter\_ec2\_instance\_type](#input\_excluded\_karpenter\_ec2\_instance\_type) | List of instance types that can be used by Karpenter | `list(string)` |
[
""
]
| no | +| [instance\_hypervisor](#input\_instance\_hypervisor) | List of instance hypervisor that can be used by Karpenter | `list(string)` |
[
""
]
| no | +| [ipv6\_enabled](#input\_ipv6\_enabled) | whether IPv6 enabled or not | `bool` | `false` | no | | [karpenter\_ec2\_capacity\_type](#input\_karpenter\_ec2\_capacity\_type) | EC2 provisioning capacity type | `list(string)` |
[
""
]
| no | | [sg\_selector\_name](#input\_sg\_selector\_name) | Name of security group selector for karpenter provisioner. | `string` | `""` | no | | [subnet\_selector\_name](#input\_subnet\_selector\_name) | Name of subnet selector for karpenter provisioner. | `string` | `""` | no | diff --git a/addons/karpenter_provisioner/karpenter-provisioner/ipv4-values.yaml b/addons/karpenter_provisioner/karpenter-provisioner/ipv4-values.yaml index be21c46..6d879a6 100644 --- a/addons/karpenter_provisioner/karpenter-provisioner/ipv4-values.yaml +++ b/addons/karpenter_provisioner/karpenter-provisioner/ipv4-values.yaml @@ -2,4 +2,3 @@ subnet_selector_name: "${subnet_selector_name}" sg_selector_name: "${sg_selector_name}" karpenter_ec2_capacity_type: "${karpenter_ec2_capacity_type}" excluded_karpenter_ec2_instance_type: "${excluded_karpenter_ec2_instance_type}" - diff --git a/addons/karpenter_provisioner/karpenter-provisioner/ipv6-values.yaml b/addons/karpenter_provisioner/karpenter-provisioner/ipv6-values.yaml index 68ad72c..4682312 100644 --- a/addons/karpenter_provisioner/karpenter-provisioner/ipv6-values.yaml +++ b/addons/karpenter_provisioner/karpenter-provisioner/ipv6-values.yaml @@ -3,4 +3,3 @@ sg_selector_name: "${sg_selector_name}" karpenter_ec2_capacity_type: "${karpenter_ec2_capacity_type}" excluded_karpenter_ec2_instance_type: "${excluded_karpenter_ec2_instance_type}" karpenter_instance_hypervisor: "${instance_hypervisor}" - diff --git a/addons/karpenter_provisioner/main.tf b/addons/karpenter_provisioner/main.tf index 33224f5..321046a 100644 --- a/addons/karpenter_provisioner/main.tf +++ b/addons/karpenter_provisioner/main.tf 
@@ -8,9 +8,9 @@ resource "helm_release" "karpenter_provisioner" { sg_selector_name = var.sg_selector_name, karpenter_ec2_capacity_type = "[${join(",", [for s in var.karpenter_ec2_capacity_type : format("%s", s)])}]", excluded_karpenter_ec2_instance_type = "[${join(",", var.excluded_karpenter_ec2_instance_type)}]" - instance_hypervisor = "[${join(",", var.instance_hypervisor)}]" + instance_hypervisor = "[${join(",", var.instance_hypervisor)}]" }) - ] : [ + ] : [ templatefile("${path.module}/karpenter-provisioner/ipv4-values.yaml", { subnet_selector_name = var.subnet_selector_name, sg_selector_name = var.sg_selector_name, diff --git a/addons/karpenter_provisioner/variable.tf b/addons/karpenter_provisioner/variable.tf index 4b957fa..903d7ff 100644 --- a/addons/karpenter_provisioner/variable.tf +++ b/addons/karpenter_provisioner/variable.tf @@ -30,6 +30,6 @@ variable "instance_hypervisor" { variable "ipv6_enabled" { description = "whether IPv6 enabled or not" - type = bool - default = false -} \ No newline at end of file + type = bool + default = false +} diff --git a/examples/complete/main.tf b/examples/complete/main.tf index c3e0998..2904848 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -10,33 +10,33 @@ locals { } module "eks_bootstrap" { - source = "squareops/eks-bootstrap/aws" - name = local.name - vpc_id = "" - environment = local.environment - kms_key_arn = "" - keda_enabled = true - istio_enabled = false - kms_policy_arn = "" ## eks module will create kms_policy_arn - eks_cluster_name = "" - reloader_enabled = true - karpenter_enabled = true - private_subnet_ids = [""] - single_az_sc_config = [{ name = "infra-service-sc", zone = "us-east-2a" }] - kubeclarity_enabled = false - kubeclarity_hostname = "" - kubecost_enabled = false - kubecost_hostname = "" - cert_manager_enabled = true - worker_iam_role_name = "" - worker_iam_role_arn = "" - ingress_nginx_enabled = true - metrics_server_enabled = false - external_secrets_enabled = true - amazon_eks_vpc_cni_enabled = true - cluster_autoscaler_enabled = true - service_monitor_crd_enabled = true - karpenter_provisioner_enabled = false + source = "squareops/eks-bootstrap/aws" + name = local.name + vpc_id = "" + environment = local.environment + kms_key_arn = "" + keda_enabled = true + istio_enabled = false + kms_policy_arn = "" ## eks module will create kms_policy_arn + eks_cluster_name = "" + reloader_enabled = true + karpenter_enabled = true + private_subnet_ids = [""] + single_az_sc_config = [{ name = "infra-service-sc", zone = "us-east-2a" }] + kubeclarity_enabled = false + kubeclarity_hostname = "" + kubecost_enabled = false + kubecost_hostname = "" + cert_manager_enabled = true + worker_iam_role_name = "" + worker_iam_role_arn = "" + ingress_nginx_enabled = true + metrics_server_enabled = false + external_secrets_enabled = true + amazon_eks_vpc_cni_enabled = true + cluster_autoscaler_enabled = true + service_monitor_crd_enabled = true + karpenter_provisioner_enabled = false enable_aws_load_balancer_controller = true karpenter_provisioner_config = { private_subnet_name = "private-subnet-name" diff --git a/main.tf b/main.tf index ea13012..6091a07 100644 --- a/main.tf +++ b/main.tf 
@@ -5,7 +5,7 @@ data "aws_eks_cluster" "eks" { } module "service_monitor_crd" { - count = var.service_monitor_crd_enabled ? 1: 0 + count = var.service_monitor_crd_enabled ? 1 : 0 source = "./addons/service_monitor_crd" } @@ -55,7 +55,7 @@ module "k8s_addons" { ingress_nginx_helm_config = { version = var.ingress_nginx_version values = [ - templatefile("${path.module}/addons/nginx_ingress/${data.aws_eks_cluster.eks.kubernetes_network_config[0].ip_family == "ipv4" ? "nginx_ingress.yaml" : "nginx_ingress_ipv6.yaml" }", { + templatefile("${path.module}/addons/nginx_ingress/${data.aws_eks_cluster.eks.kubernetes_network_config[0].ip_family == "ipv4" ? "nginx_ingress.yaml" : "nginx_ingress_ipv6.yaml"}", { enable_service_monitor = var.service_monitor_crd_enabled }) @@ -208,7 +208,7 @@ module "karpenter_provisioner" { subnet_selector_name = var.karpenter_provisioner_config.private_subnet_name karpenter_ec2_capacity_type = var.karpenter_provisioner_config.instance_capacity_type excluded_karpenter_ec2_instance_type = var.karpenter_provisioner_config.excluded_instance_type - instance_hypervisor = var.karpenter_provisioner_config.instance_hypervisor + instance_hypervisor = var.karpenter_provisioner_config.instance_hypervisor } resource "kubernetes_namespace" "internal_nginx" { diff --git a/variables.tf b/variables.tf index 798841b..c1dd0a1 100644 --- a/variables.tf +++ b/variables.tf @@ -233,7 +233,7 @@ variable "karpenter_provisioner_config" { private_subnet_name = "" instance_capacity_type = ["spot"] excluded_instance_type = ["nano", "micro", "small"] - instance_hypervisor = ["nitro"] + instance_hypervisor = ["nitro"] } type = any } @@ -288,6 +288,6 @@ variable "cluster_issuer" { variable "ipv6_enabled" { description = "Whether enable IPv6 or not" - default = false - type = bool -} \ No newline at end of file + default = false + type = bool +} From a06a825f304459286ed9673ccb6633ecb7b1a260 Mon Sep 17 00:00:00 2001 
From: "yuvraj.singh" Date: Thu, 20 Jul 2023 16:00:23 +0530 Subject: [PATCH 11/14] resolve merge conflict --- addons/core_dns_hpa/Chart.yaml | 5 + addons/core_dns_hpa/templates/hpa.yaml | 35 + addons/core_dns_hpa/values.yaml | 5 + addons/external_secrets/README.md | 77 --- addons/external_secrets/main.tf | 41 -- .../secrets_manager_policy.tf | 64 -- .../external_secrets/session_manager_plocy.tf | 53 -- addons/external_secrets/values.yaml | 200 ------ addons/external_secrets/variables.tf | 34 - addons/external_secrets/versions.tf | 16 - addons/metrics_server/metrics_server.yaml | 2 + addons/metrics_server_vpa/Chart.yaml | 5 + addons/metrics_server_vpa/templates/vpa.yaml | 22 + addons/metrics_server_vpa/values.yaml | 5 + addons/velero/delete-snapshot.zip | Bin 615 -> 0 bytes addons/velero/main.tf | 35 +- addons/vpa_crds/values.yaml | 627 ++++++++++++++++++ main.tf | 63 +- variables.tf | 27 + 19 files changed, 819 insertions(+), 497 deletions(-) create mode 100644 addons/core_dns_hpa/Chart.yaml create mode 100644 addons/core_dns_hpa/templates/hpa.yaml create mode 100644 addons/core_dns_hpa/values.yaml delete mode 100644 addons/external_secrets/README.md delete mode 100644 addons/external_secrets/main.tf delete mode 100644 addons/external_secrets/secrets_manager_policy.tf delete mode 100644 addons/external_secrets/session_manager_plocy.tf delete mode 100644 addons/external_secrets/values.yaml delete mode 100644 addons/external_secrets/variables.tf delete mode 100644 addons/external_secrets/versions.tf create mode 100644 addons/metrics_server_vpa/Chart.yaml create mode 100644 addons/metrics_server_vpa/templates/vpa.yaml create mode 100644 addons/metrics_server_vpa/values.yaml delete mode 100644 addons/velero/delete-snapshot.zip create mode 100644 addons/vpa_crds/values.yaml diff --git a/addons/core_dns_hpa/Chart.yaml b/addons/core_dns_hpa/Chart.yaml new file mode 100644 index 0000000..632a60c --- /dev/null +++ b/addons/core_dns_hpa/Chart.yaml 
@@ -0,0 +1,5 @@ +apiVersion: v2 +appVersion: "1.0" +description: A Helm chart add hpa on coredns +name: corednshpa +version: 1.0.0 \ No newline at end of file diff --git a/addons/core_dns_hpa/templates/hpa.yaml b/addons/core_dns_hpa/templates/hpa.yaml new file mode 100644 index 0000000..b1b0bc0 --- /dev/null +++ b/addons/core_dns_hpa/templates/hpa.yaml @@ -0,0 +1,35 @@ +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: core-dns-hpa-cpu + namespace: kube-system +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ .Values.corednsdeploymentname}} + minReplicas: {{ .Values.minReplicas}} + maxReplicas: {{ .Values.maxReplicas}} + targetCPUUtilizationPercentage: {{ .Values.targetCPUUtilizationPercentage}} + +--- +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: core-dns-hpa-memory + namespace: kube-system +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: coredns + minReplicas: {{ .Values.minReplicas}} + maxReplicas: {{ .Values.maxReplicas}} + metrics: + - type: Resource + resource: + name: memory + target: + type: Utilization + averageValue: {{ .Values.targetMemoryUtilizationPercentage}} \ No newline at end of file diff --git a/addons/core_dns_hpa/values.yaml b/addons/core_dns_hpa/values.yaml new file mode 100644 index 0000000..22667f1 --- /dev/null +++ b/addons/core_dns_hpa/values.yaml @@ -0,0 +1,5 @@ +corednsdeploymentname: ${corednsdeploymentname} +minReplicas: ${minReplicas} +maxReplicas: ${maxReplicas} +targetCPUUtilizationPercentage: ${targetCPUUtilizationPercentage} +targetMemoryUtilizationPercentage: ${targetMemoryUtilizationPercentage} \ No newline at end of file diff --git a/addons/external_secrets/README.md b/addons/external_secrets/README.md deleted file mode 100644 index 450d11f..0000000 --- a/addons/external_secrets/README.md +++ /dev/null 
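Review bot: In templates/hpa.yaml the memory HPA's target combines `type: Utilization` with `averageValue`, which API validation rejects — a Utilization target takes `averageUtilization: {{ .Values.targetMemoryUtilizationPercentage }}` (`averageValue` belongs to the `AverageValue` target type). Two HPAs whose `scaleTargetRef` both point at the CoreDNS Deployment will also fight over the replica count, and the second one hardcodes `name: coredns` while the first takes `{{ .Values.corednsdeploymentname}}` from values. Both problems disappear if the two objects are collapsed into a single `autoscaling/v2` HPA carrying a cpu and a memory metric, as in the fence; the duplicated `---` separator goes away with it. The object name in the fence is a suggestion, not something the chart references elsewhere.
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: core-dns-hpa
  namespace: kube-system
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ .Values.corednsdeploymentname }}
  minReplicas: {{ .Values.minReplicas }}
  maxReplicas: {{ .Values.maxReplicas }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.targetMemoryUtilizationPercentage }}
```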
@@ -1,77 +0,0 @@ - -## Requirements - -| Name | Version | -|------|---------| -| [aws](#requirement\_aws) | >= 3.43.0 | -| [helm](#requirement\_helm) | >= 2.0.2 | -| [kubernetes](#requirement\_kubernetes) | >= 2.0.2 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.43.0 | -| [helm](#provider\_helm) | >= 2.0.2 | -| [kubernetes](#provider\_kubernetes) | >= 2.0.2 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [iam\_assume\_role\_oidc](#module\_iam\_assume\_role\_oidc) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 3.9.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_iam_policy.secrets_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.session_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [helm_release.external_secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_namespace.external_secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [cluster\_id](#input\_cluster\_id) | Fetch ID of the cluster | `string` | `""` | no | -| [enable\_service\_monitor](#input\_enable\_service\_monitor) | (optional) describe your variable | `bool` | `false` | no | -| [environment](#input\_environment) | Environment identifier for the EKS cluster | `string` | `""` | no | -| [name](#input\_name) | Specify the name of the resource | `string` | `""` | no | -| [provider\_url](#input\_provider\_url) | n/a | `string` | `""` | no | -| [region](#input\_region) | AWS region for the EKS cluster | `string` | `""` | no | - -## Outputs - -No outputs. 
- - -## IAM permissions - - -The Policy required is: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "iam:CreatePolicy", - "iam:DeletePolicy", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:ListPolicyVersions" - ], - "Resource": [ - "*" - ] - } - ] -} - - -``` - diff --git a/addons/external_secrets/main.tf b/addons/external_secrets/main.tf deleted file mode 100644 index df3aa56..0000000 --- a/addons/external_secrets/main.tf +++ /dev/null @@ -1,41 +0,0 @@ -resource "kubernetes_namespace" "external_secrets" { - - metadata { - name = "secrets" - } -} -module "iam_assume_role_oidc" { - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" - version = "3.9.0" - create_role = true - role_name = format("%s-%s-external-secrets-role", var.environment, var.name) - provider_url = var.provider_url - role_policy_arns = [join("", aws_iam_policy.secrets_manager_policy.*.arn), join("", aws_iam_policy.session_manager_policy.*.arn)] -} - -resource "helm_release" "external_secrets" { - depends_on = [kubernetes_namespace.external_secrets] - - name = "external-secrets" - repository = "https://external-secrets.github.io/kubernetes-external-secrets/" - chart = "kubernetes-external-secrets" - namespace = "secrets" - timeout = 600 - version = "8.5.5" - - values = [ - templatefile("${path.module}/values.yaml", { - enable_service_monitor = var.enable_service_monitor - }) - ] - - set { - name = "env.AWS_REGION" - value = var.region - } - - set { - name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" - value = module.iam_assume_role_oidc.this_iam_role_arn - } -} diff --git a/addons/external_secrets/secrets_manager_policy.tf b/addons/external_secrets/secrets_manager_policy.tf deleted file mode 100644 index cac10f4..0000000 --- a/addons/external_secrets/secrets_manager_policy.tf +++ /dev/null 
@@ -1,64 +0,0 @@ -resource "aws_iam_policy" "secrets_manager_policy" { - name = format("%s-%s-%s", var.environment, var.name, "secrets-manager-cluster") - path = "/" - description = "SECRETS MANAGER POLICY FOR CLUSTER." - policy = <<-EOF -{ - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "secretsmanager:*", - "cloudformation:CreateChangeSet", - "cloudformation:DescribeChangeSet", - "cloudformation:DescribeStackResource", - "cloudformation:DescribeStacks", - "cloudformation:ExecuteChangeSet", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "kms:DescribeKey", - "kms:ListAliases", - "kms:ListKeys", - "lambda:ListFunctions", - "rds:DescribeDBClusters", - "rds:DescribeDBInstances", - "redshift:DescribeClusters", - "tag:GetResources" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "lambda:AddPermission", - "lambda:CreateFunction", - "lambda:GetFunction", - "lambda:InvokeFunction", - "lambda:UpdateFunctionConfiguration" - ], - "Effect": "Allow", - "Resource": "arn:aws:lambda:*:*:function:SecretsManager*" - }, - { - "Action": [ - "serverlessrepo:CreateCloudFormationChangeSet", - "serverlessrepo:GetApplication" - ], - "Effect": "Allow", - "Resource": "arn:aws:serverlessrepo:*:*:applications/SecretsManager*" - }, - { - "Action": [ - "s3:GetObject" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::awsserverlessrepo-changesets*", - "arn:aws:s3:::secrets-manager-rotation-apps-*/*" - ] - } - ] -} -EOF -} diff --git a/addons/external_secrets/session_manager_plocy.tf b/addons/external_secrets/session_manager_plocy.tf deleted file mode 100644 index 9009120..0000000 --- a/addons/external_secrets/session_manager_plocy.tf +++ /dev/null 
@@ -1,53 +0,0 @@ -resource "aws_iam_policy" "session_manager_policy" { - name = format("%s-%s-%s", var.environment, var.name, "session-manager-cluster") - path = "/" - description = "SESSION MANAGER POLICY FOR CLUSTER." - policy = <<-EOF -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "cloudwatch:PutMetricData", - "ds:CreateComputer", - "ds:DescribeDirectories", - "ec2:DescribeInstanceStatus", - "logs:*", - "ssm:*", - "ec2messages:*" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM*", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "ssm.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "iam:DeleteServiceLinkedRole", - "iam:GetServiceLinkedRoleDeletionStatus" - ], - "Resource": "arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM*" - }, - { - "Effect": "Allow", - "Action": [ - "ssmmessages:CreateControlChannel", - "ssmmessages:CreateDataChannel", - "ssmmessages:OpenControlChannel", - "ssmmessages:OpenDataChannel" - ], - "Resource": "*" - } - ] -} -EOF -} diff --git a/addons/external_secrets/values.yaml b/addons/external_secrets/values.yaml deleted file mode 100644 index 36676f3..0000000 --- a/addons/external_secrets/values.yaml +++ /dev/null 
@@ -1,200 +0,0 @@ -# Default values for kubernetes-external-secrets. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Environment variables to set on deployment pod -env: - AWS_REGION: - POLLER_INTERVAL_MILLISECONDS: 10000 # Caution, setting this frequency may incur additional charges on some platforms - WATCH_TIMEOUT: 60000 - WATCHED_NAMESPACES: "" # Comma separated list of namespaces, empty or unset means ALL namespaces. - LOG_LEVEL: info - LOG_MESSAGE_KEY: "msg" - - #Akeyless rest-v2 endpoint - AKEYLESS_API_ENDPOINT: https://api.akeyless.io - AKEYLESS_ACCESS_ID: - #AKEYLESS_ACCESS_TYPE can be one of the following: aws_iam/azure_ad/gcp/access_key - AKEYLESS_ACCESS_TYPE: - #AKEYLESS_ACCESS_TYPE_PARAM can be one of the following: gcp-audience/azure-obj-id/access-key - #AKEYLESS_ACCESS_TYPE_PARAM: - - - # Print logs level as string ("info") rather than integer (30) - # USE_HUMAN_READABLE_LOG_LEVELS: true - METRICS_PORT: 3001 - VAULT_ADDR: http://127.0.0.1:8200 - # Set a role to be used when assuming roles specified in external secret (AWS only) - # AWS_INTERMEDIATE_ROLE_ARN: - # GOOGLE_APPLICATION_CREDENTIALS: /app/gcp-creds/gcp-creds.json - # Use custom endpoints for FIPS compliance - # AWS_STS_ENDPOINT: https://sts-fips.us-east-1.amazonaws.com - # AWS_SSM_ENDPOINT: http://ssm-fips.us-east-1.amazonaws.com - # AWS_SM_ENDPOINT: http://secretsmanager-fips.us-east-1.amazonaws.com - -# Create environment variables from existing k8s secrets -envVarsFromSecret: {} -# AWS_ACCESS_KEY_ID: -# secretKeyRef: aws-credentials -# key: id -# AWS_SECRET_ACCESS_KEY: -# secretKeyRef: aws-credentials -# key: key -# ALICLOUD_ENDPOINT: -# secretKeyRef: alicloud-credentials -# key: endpoint -# ALICLOUD_ACCESS_KEY_ID: -# secretKeyRef: alicloud-credentials -# key: id -# ALICLOUD_ACCESS_KEY_SECRET: -# secretKeyRef: alicloud-credentials -# key: secret -# AZURE_TENANT_ID: -# secretKeyRef: azure-credentials -# key: tenantid -# AZURE_CLIENT_ID: -# 
secretKeyRef: azure-credentials -# key: clientid -# AZURE_CLIENT_SECRET: -# secretKeyRef: azure-credentials -# key: clientsecret - -# Create environment variables from existing k8s secrets -envVarsFromConfigMap: {} -# AWS_ACCESS_KEY_ID: -# configMapKeyRef: aws-credentials -# key: id -# AWS_SECRET_ACCESS_KEY: -# configMapKeyRef: aws-credentials -# key: key -# ALICLOUD_ENDPOINT: -# configMapKeyRef: alicloud-credentials -# key: endpoint -# ALICLOUD_ACCESS_KEY_ID: -# configMapKeyRef: alicloud-credentials -# key: id -# ALICLOUD_ACCESS_KEY_SECRET: -# configMapKeyRef: alicloud-credentials -# key: secret -# AZURE_TENANT_ID: -# configMapKeyRef: azure-credentials -# key: tenantid -# AZURE_CLIENT_ID: -# configMapKeyRef: azure-credentials -# key: clientid -# AZURE_CLIENT_SECRET: -# configMapKeyRef: azure-credentials -# key: clientsecret - - -# List of sources to populate environment variables in the container. -# The keys defined within a source must be a C_IDENTIFIER. All invalid keys -# will be reported as an event when the container is starting. When a key -# exists in multiple sources, the value associated with the last source will -# take precedence. Values defined by an Env with a duplicate key will take precedence. -# https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables -envFrom: {} -# - configMapRef: -# name: special-config -# - secretRef: -# name: special-config - - -# Create files from existing k8s secrets -# filesFromSecret: -# gcp-creds: -# secret: gcp-creds -# mountPath: /app/gcp-creds - -rbac: - # Specifies whether RBAC resources should be created - create: true - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Specifies annotations for this service account - annotations: - eks.amazonaws.com/role-arn: - # The name of the service account to use. 
- # If not set and create is true, a name is generated using the fullname template - name: - -# Using multiple replicas is not recommended as there is no coordination between replicas. -# Replicas will try to create and update secrets concurrently which might lead to race conditions. -replicaCount: 1 - -image: - repository: ghcr.io/external-secrets/kubernetes-external-secrets - tag: 8.3.0 - pullPolicy: IfNotPresent - -imagePullSecrets: [] - -nameOverride: "" -fullnameOverride: "" - -# All label values must be strings -deploymentLabels: {} - -podAnnotations: - co.elastic.logs/enabled: "true" - -podLabels: {} - -priorityClassName: "" - -dnsConfig: {} - -securityContext: - runAsNonRoot: true - # Required for use of IRSA, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html - fsGroup: 65534 - -# A security context defines privilege and access control settings for a Pod or Container. -# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -containerSecurityContext: - allowPrivilegeEscalation: true - privileged: true - -resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -podDisruptionBudget: {} - -serviceMonitor: - enabled: ${enable_service_monitor} - interval: "30s" - namespace: - -deploymentInitContainers: {} - -# Add in additional named volumes and volume mounts to the deployment -# -extraVolumes: [] -# - name: namedVolume -# emptyDir: {} -# -extraVolumeMounts: [] -# - name: namedVolume -# mountPath: /usr/path -# readOnly: false - -# Add additional RBAC rules to the ClusterRole granted to the service account -customClusterRoles: {} diff --git a/addons/external_secrets/variables.tf b/addons/external_secrets/variables.tf deleted file mode 100644 index 61d10b4..0000000 --- a/addons/external_secrets/variables.tf +++ /dev/null @@ -1,34 +0,0 @@ -variable "cluster_id" { - default = "" - type = string - description = "Fetch ID of the cluster" -} - -variable "environment" { - default = "" - type = string - description = "Environment identifier for the EKS cluster" -} - -variable "name" { - default = "" - type = string - description = "Specify the name of the resource" -} - -variable "provider_url" { - default = "" - type = string -} - -variable "region" { - default = "" - type = string - description = "AWS region for the EKS cluster" -} - -variable "enable_service_monitor" { - type = bool - default = false - description = "(optional) describe your variable" -} diff --git a/addons/external_secrets/versions.tf b/addons/external_secrets/versions.tf deleted file mode 100644 index a4eea35..0000000 --- a/addons/external_secrets/versions.tf +++ /dev/null @@ -1,16 +0,0 @@ -terraform { - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 3.43.0" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.0.2" - } - helm = { - source = "hashicorp/helm" - version = ">= 2.0.2" - } - } -} 
diff --git a/addons/metrics_server/metrics_server.yaml b/addons/metrics_server/metrics_server.yaml index 375084e..dc0a883 100644 --- a/addons/metrics_server/metrics_server.yaml +++ b/addons/metrics_server/metrics_server.yaml @@ -31,3 +31,5 @@ resources: podAnnotations: co.elastic.logs/enabled: "true" + +replicas: 2 \ No newline at end of file diff --git a/addons/metrics_server_vpa/Chart.yaml b/addons/metrics_server_vpa/Chart.yaml new file mode 100644 index 0000000..cc738de --- /dev/null +++ b/addons/metrics_server_vpa/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v2 +appVersion: "1.0" +description: A Helm chart add vpa on metrics-server +name: metricsservervpa +version: 1.0.0 \ No newline at end of file diff --git a/addons/metrics_server_vpa/templates/vpa.yaml b/addons/metrics_server_vpa/templates/vpa.yaml new file mode 100644 index 0000000..ee691dc --- /dev/null +++ b/addons/metrics_server_vpa/templates/vpa.yaml @@ -0,0 +1,22 @@ +apiVersion: "autoscaling.k8s.io/v1" +kind: VerticalPodAutoscaler +metadata: + name: metrics-server-vpa + namespace: kube-system +spec: + targetRef: + apiVersion: "apps/v1" + kind: Deployment + name: {{ .Values.metricsServerDeploymentName}} + updatePolicy: + updateMode: "Auto" + resourcePolicy: + containerPolicies: + - containerName: '*' + minAllowed: + cpu: {{ .Values.minCPU}} + memory: {{ .Values.minMemory}} + maxAllowed: + cpu: {{ .Values.maxCPU}} + memory: {{ .Values.maxMemory}} + controlledResources: ["cpu", "memory"] diff --git a/addons/metrics_server_vpa/values.yaml b/addons/metrics_server_vpa/values.yaml new file mode 100644 index 0000000..0e2371a --- /dev/null +++ b/addons/metrics_server_vpa/values.yaml @@ -0,0 +1,5 @@ +metricsServerDeploymentName: ${metricsServerDeploymentName} +minCPU: ${minCPU} +minMemory: ${minMemory} +maxCPU: ${maxCPU} +maxMemory: ${maxMemory} \ No newline at end of file 
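Review bot: In templates/vpa.yaml, `updateMode: "Auto"` lets the VPA updater evict metrics-server pods to apply new requests, yet metrics-server is the component the VPA recommender reads usage data from, so each eviction cycle briefly blinds the autoscaler that triggered it. The `replicas: 2` added to metrics_server.yaml in this same commit is what makes the Deployment eligible for eviction at all (the updater by default leaves single-replica workloads alone), and no PodDisruptionBudget or anti-affinity for metrics-server is visible in the commit. Either pair this VPA with a PodDisruptionBudget for metrics-server (`minAvailable: 1`) or start with `updateMode: "Initial"` so requests are only applied when a pod is created, and state the chosen trade-off in a comment above `updatePolicy:`. The `minAllowed`/`maxAllowed` quantities are rendered unquoted from `${minCPU}` and friends; `{{ .Values.minCPU | quote }}` keeps them strings regardless of what the caller passes.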
diff --git a/addons/velero/delete-snapshot.zip b/addons/velero/delete-snapshot.zip deleted file mode 100644 index c38e5b807197349e5faa9e3bbab265885a71c7ce..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 615 zcmWIWW@Zs#-~d7f2E{HQ0S7`rR!VA4YDubYab99UaYlZLUO{EfB>(Q)1_DRl{}SnM zn8@4d{XdrJ-BRy`)Azm!(oke^l{%i4bJAn-j)h-#i>n7dnzHxgWAprbe^hRNwKJ%5 zeShTZp0980m+`;7J315zxBN|7x!*-n0P2~F8e~JmzM&r9L&oUp8G2KvE{QLY0=9B zR*U{Sk$!bzjMJuDy5CAB6`zn_Wg9TXd(D%HQC$1B{JR_W^6$dwulIj8!l7w^J{ZG-mkrV*Lriu!i~EQE>J2_IGXZ6c9Vs3o6XC2 zefN7~&a0<}HOA+<7sZM&nLk!P+QOC3b)Tic)$*->-Qq8&9{s<6{ph4D9m%ZD%w#>r zPe+OxSH8Gqez7k!+P4CXVtCqn#P=XqfL*UF^5<$mI-kruuJ(b7TrD zyPr#*RNB9|mcfkCt}ICUrQ)&EDou+OT`%0bT2{`HqLx|HduEQYViiw|Z6N>Y=id8H zb~*jwW?=aLKfs%v!!+vU`HPGU42PH*7y`T*nM9ZoNdj38lq6u_ZzG6>nLq-(S=m4` Nj6moBqy?EkJOJNm1ycY3 diff --git a/addons/velero/main.tf b/addons/velero/main.tf index bd7c4ae..cf63c10 100644 --- a/addons/velero/main.tf +++ b/addons/velero/main.tf 
@@ -55,7 +55,40 @@ resource "aws_iam_policy" "velero_iam_policy" { "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", - "s3:ListBucket" + "s3:ListBucket", + "ec2:CreateSnapshot", + "ec2:DeleteSnapshot", + "ec2:DescribeTags", + "ec2:ModifySnapshotAttribute", + "ec2:GetTags", + "iam:CreateServiceLinkedRole", + "iam:GetRole", + "iam:AttachRolePolicy", + "ec2:DescribeVolumeAttribute", + "ec2:ModifyVolumeAttribute", + "s3:GetBucketLocation", + "s3:CreateBucket", + "s3:DeleteBucket", + "s3:GetBucketPolicy", + "s3:PutBucketPolicy", + "s3:ListBucketMultipartUploads", + "s3:GetObjectVersion", + "s3:ListObjects", + "s3:ListBucketVersions", + "sts:AssumeRole" , + "autoscaling:CreateAutoScalingGroup", + "autoscaling:DeleteAutoScalingGroup", + "autoscaling:UpdateAutoScalingGroup", + "ec2:DescribeInstanceTypeOfferings", + "ec2:DescribeInstanceTypes", + "ec2:DescribeSpotPriceHistory", + "ec2:RequestSpotInstances", + "ec2:TerminateInstances", + "ec2:CreateLaunchTemplateVersion", + "ec2:DeleteLaunchTemplateVersions", + "ec2:CreateLaunchTemplate", + "ec2:DeleteLaunchTemplate", + "iam:PassRole" ], "Resource": "*" } diff --git a/addons/vpa_crds/values.yaml b/addons/vpa_crds/values.yaml new file mode 100644 index 0000000..aa971da --- /dev/null +++ b/addons/vpa_crds/values.yaml 
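Review bot: `iam:PassRole`, `iam:AttachRolePolicy`, `iam:CreateServiceLinkedRole` and `sts:AssumeRole` are added to a statement whose `Resource` is `"*"`, so anything that can assume the Velero role can attach any managed policy to any role in the account — an escalation path to account-wide admin that a backup tool never needs. The autoscaling, spot-instance, launch-template and `ec2:TerminateInstances` actions read like a node-provisioner's permission set rather than Velero's snapshot/backup flow, and `s3:CreateBucket`, `s3:DeleteBucket` and `s3:PutBucketPolicy` on every bucket far exceed writing backups into one bucket. Keep the EBS snapshot and volume actions on `"*"` (EC2 Describe calls do not support resource-level scoping), drop the rest, and move the S3 actions — the object-level ones already in this statement's context lines included — into their own statements scoped to the backup bucket as in the fence, with the bucket ARN taken from the module's bucket input (placeholder below). Style: `"sts:AssumeRole" ,` has a stray space before the comma. The `aws_iam_policy.velero_iam_policy` resource and its statement list start before the hunk and continue after it.
```hcl
      # … unchanged: statement header and the actions that precede the hunk …
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DescribeTags",
        "ec2:ModifySnapshotAttribute",
        "ec2:DescribeVolumeAttribute",
        "ec2:ModifyVolumeAttribute"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:GetObjectVersion"
      ],
      "Resource": "<VELERO_BACKUP_BUCKET_ARN placeholder>/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Resource": "<VELERO_BACKUP_BUCKET_ARN placeholder>"
    }
```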
@@ -0,0 +1,627 @@ +# Default values for vertical-pod-autoscaler. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + # Global Docker image registry + imageRegistry: "" + + # Global Docker registry secret names as an array + imagePullSecrets: [] + +# Override Kubernetes version +kubeVersion: "" + +nameOverride: "" +fullnameOverride: "" + +# Annotations to add to all deployed objects +commonAnnotations: {} + +# Labels to add to all deployed objects +commonLabels: {} + +# Array of extra objects to deploy with the release +extraDeploy: [] + +admissionController: + # Enable the component + enabled: true + + replicaCount: 1 + + image: + # Image registry + registry: registry.k8s.io + + # Image repository + repository: autoscaling/vpa-admission-controller + + # Image tag + tag: 0.14.0 + + # Image digest + digest: "" + + # Image pull policy + pullPolicy: IfNotPresent + + pdb: + # Specifies whether a pod disruption budget should be created + create: false + + # Minimum number/percentage of pods that should remain scheduled + minAvailable: 1 + + # Maximum number/percentage of pods that may be made unavailable + # maxUnavailable: 1 + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: + + # Additional pod annotations + podAnnotations: {} + + # Additional pod labels + podLabels: {} + + podSecurityContext: + # fsGroup: 2000 + runAsNonRoot: true + runAsUser: 65534 + + # Priority class name + # priorityClassName : high-priority + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + livenessProbe: + # Enable liveness probe + enabled: true + + # Delay before the liveness probe is initiated + initialDelaySeconds: 0 + + # How often to perform the liveness probe + periodSeconds: 10 + + # When the liveness probe times out + timeoutSeconds: 1 + + # Minimum consecutive failures for the liveness probe to be considered failed after having succeeded + failureThreshold: 3 + + # Minimum consecutive successes for the liveness probe to be considered successful after having failed + successThreshold: 1 + + readinessProbe: + # Enable readiness probe + enabled: true + + # Delay before the readiness probe is initiated + initialDelaySeconds: 0 + + # How often to perform the readiness probe + periodSeconds: 10 + + # When the readiness probe times out + timeoutSeconds: 1 + + # Minimum consecutive failures for the readiness probe to be considered failed after having succeeded + failureThreshold: 3 + + # Minimum consecutive successes for the readiness probe to be considered successful after having failed + successThreshold: 1 + + service: + # Service annotations + annotations: {} + + # Service type + type: ClusterIP + + # Static cluster IP address or None for headless service when service type is ClusterIP + # clusterIP: 10.43.0.100 + + # Service port + # port: 8000 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. 
If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 200m + # memory: 512Mi + # requests: + # cpu: 50m + # memory: 256Mi + + nodeSelector: {} + + tolerations: [] + + affinity: {} + + extraArgs: + # kube-api-burst: 10 + # kube-api-qps: 5 + v: 2 + # vpa-object-namespace: "" + # webhook-timeout-seconds: 30 + + # Additional container environment variables + extraEnvVars: [] + # - name: MY-NAME + # value: "MY-VALUE" + + # Name of existing ConfigMap containing additional container environment variables + extraEnvVarsCM: + + # Name of existing Secret containing additional container environment variables + extraEnvVarsSecret: + + metrics: + service: + # Metrics service annotations + annotations: {} + + # Metrics service type + type: ClusterIP + + # Metrics static cluster IP address or None for headless service when service type is ClusterIP + # clusterIP: 10.43.0.100 + + # Metrics service port + port: 8944 + + serviceMonitor: + # Specifies whether a service monitor should be created + enabled: false + # Extra annotations for the ServiceMonitor + annotations: {} + # Extra labels for the ServiceMonitor + labels: {} + # The name of the label on the target service to use as the job name in Prometheus + jobLabel: "" + # How frequently to scrape metrics + interval: "" + # Timeout after which the scrape is ended + scrapeTimeout: "" + # Specify additional relabeling of metrics + metricRelabelings: [] + # Specify general relabeling + relabelings: [] + + tls: + caCert: "" + cert: "" + key: "" + existingSecret: "" + +recommender: + replicaCount: 1 + + image: + # Image registry + registry: registry.k8s.io + + # Image repository + repository: autoscaling/vpa-recommender + + # Image tag + tag: 0.14.0 + + # Image digest + digest: "" + + # Image pull policy + pullPolicy: IfNotPresent + + pdb: + # Specifies whether a pod disruption budget should be created + create: false + + # 
Minimum number/percentage of pods that should remain scheduled + minAvailable: 1 + + # Maximum number/percentage of pods that may be made unavailable + # maxUnavailable: 1 + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + + # Additional pod annotations + podAnnotations: {} + + # Additional pod labels + podLabels: {} + + podSecurityContext: + # fsGroup: 2000 + runAsNonRoot: true + runAsUser: 65534 + + # Priority class name + # priorityClassName : high-priority + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + livenessProbe: + # Enable liveness probe + enabled: true + + # Delay before the liveness probe is initiated + initialDelaySeconds: 0 + + # How often to perform the liveness probe + periodSeconds: 10 + + # When the liveness probe times out + timeoutSeconds: 1 + + # Minimum consecutive failures for the liveness probe to be considered failed after having succeeded + failureThreshold: 3 + + # Minimum consecutive successes for the liveness probe to be considered successful after having failed + successThreshold: 1 + + readinessProbe: + # Enable readiness probe + enabled: true + + # Delay before the readiness probe is initiated + initialDelaySeconds: 0 + + # How often to perform the readiness probe + periodSeconds: 10 + + # When the readiness probe times out + timeoutSeconds: 1 + + # Minimum consecutive failures for the readiness probe to be considered failed after having succeeded + failureThreshold: 3 + + # Minimum consecutive successes for the readiness probe to be considered successful after having failed + successThreshold: 1 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious 
+ # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 200m + # memory: 1024Mi + # requests: + # cpu: 50m + # memory: 512Mi + + nodeSelector: {} + + tolerations: [] + + affinity: {} + + extraArgs: + # checkpoints-gc-interval: 10m0s + # checkpoints-timeout: 1m0s + # container-name-label: name + # container-namespace-label: namespace + # container-pod-name-label: pod_name + # cpu-histogram-decay-half-life: 24h0m0s + # cpu-integer-post-processor-enabled: false + # history-length: 8d + # history-resolution: 1h + # kube-api-burst: 10 + # kube-api-qps: 5 + # memory-aggregation-interval: 24h0m0s + # memory-aggregation-interval-count: 8 + # memory-histogram-decay-half-life: 24h0m0s + # memory-saver: false + # metric-for-pod-labels: up{job="kubernetes-pods"} + # min-checkpoints: 10 + # oom-bump-up-ratio: 1.2 + # oom-min-bump-up-bytes: 104857600 + # pod-label-prefix: pod_label_ + # pod-name-label: kubernetes_pod_name + # pod-namespace-label: kubernetes_namespace + # pod-recommendation-min-cpu-millicores: 25 + # pod-recommendation-min-memory-mb: 250 + # prometheus-address: "" + # prometheus-cadvisor-job-name: kubernetes-cadvisor + # prometheus-query-timeout: 5m + # recommendation-margin-fraction: 0.15 + # recommender-interval: 1m0s + # recommender-name: default + # storage: checkpoint + # target-cpu-percentile: 0.9 + v: 2 + # vpa-object-namespace: "" + + # Additional container environment variables + extraEnvVars: [] + # - name: MY-NAME + # value: "MY-VALUE" + + # Name of existing ConfigMap containing additional container environment variables + extraEnvVarsCM: + + # Name of existing Secret containing additional container environment variables + extraEnvVarsSecret: + + metrics: + service: + # Metrics service annotations + annotations: {} + + # 
Metrics service type + type: ClusterIP + + # Metrics static cluster IP address or None for headless service when service type is ClusterIP + # clusterIP: 10.43.0.100 + + # Metrics service port + port: 8942 + + serviceMonitor: + # Specifies whether a service monitor should be created + enabled: false + # Extra annotations for the ServiceMonitor + annotations: {} + # Extra labels for the ServiceMonitor + labels: {} + # The name of the label on the target service to use as the job name in Prometheus + jobLabel: "" + # How frequently to scrape metrics + interval: "" + # Timeout after which the scrape is ended + scrapeTimeout: "" + # Specify additional relabeling of metrics + metricRelabelings: [] + # Specify general relabeling + relabelings: [] + +updater: + # Enable the component + enabled: true + + replicaCount: 1 + + image: + # Image registry + registry: registry.k8s.io + + # Image repository + repository: autoscaling/vpa-updater + + # Image tag + tag: 0.14.0 + + # Image digest + digest: "" + + # Image pull policy + pullPolicy: IfNotPresent + + pdb: + # Specifies whether a pod disruption budget should be created + create: false + + # Minimum number/percentage of pods that should remain scheduled + minAvailable: 1 + + # Maximum number/percentage of pods that may be made unavailable + # maxUnavailable: 1 + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: + + # Additional pod annotations + podAnnotations: {} + + # Additional pod labels + podLabels: {} + + podSecurityContext: + # fsGroup: 2000 + runAsNonRoot: true + runAsUser: 65534 + + # Priority class name + # priorityClassName : high-priority + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + livenessProbe: + # Enable liveness probe + enabled: true + + # Delay before the liveness probe is initiated + initialDelaySeconds: 0 + + # How often to perform the liveness probe + periodSeconds: 10 + + # When the liveness probe times out + timeoutSeconds: 1 + + # Minimum consecutive failures for the liveness probe to be considered failed after having succeeded + failureThreshold: 3 + + # Minimum consecutive successes for the liveness probe to be considered successful after having failed + successThreshold: 1 + + readinessProbe: + # Enable readiness probe + enabled: true + + # Delay before the readiness probe is initiated + initialDelaySeconds: 0 + + # How often to perform the readiness probe + periodSeconds: 10 + + # When the readiness probe times out + timeoutSeconds: 1 + + # Minimum consecutive failures for the readiness probe to be considered failed after having succeeded + failureThreshold: 3 + + # Minimum consecutive successes for the readiness probe to be considered successful after having failed + successThreshold: 1 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 200m + # memory: 1024Mi + # requests: + # cpu: 50m + # memory: 512Mi + + nodeSelector: {} + + tolerations: [] + + affinity: {} + + extraArgs: + # evict-after-oom-threshold: 10m0s + # eviction-rate-burst: 1 + # eviction-rate-limit: -1 + # eviction-tolerance: 0.5 + # in-recommendation-bounds-eviction-lifetime-threshold: 12h0m0s + # kube-api-burst: 10 + # kube-api-qps: 5 + # min-replicas: 2 + # pod-update-threshold: 0.1 + # updater-interval: 1m0s + # use-admission-controller-status: true + v: 2 + # vpa-object-namespace: "" + + # Additional container environment variables + extraEnvVars: [] + # - name: MY-NAME + # value: "MY-VALUE" + + # Name of existing ConfigMap containing additional container environment variables + extraEnvVarsCM: + + # Name of existing Secret containing additional container environment variables + extraEnvVarsSecret: + + metrics: + service: + # Metrics service annotations + annotations: {} + + # Metrics service type + type: ClusterIP + + # Metrics static cluster IP address or None for headless service when service type is ClusterIP + # clusterIP: 10.43.0.100 + + # Metrics service port + port: 8943 + serviceMonitor: + # Specifies whether a service monitor should be created + enabled: false + # Extra annotations for the ServiceMonitor + annotations: {} + # Extra labels for the ServiceMonitor + labels: {} + # The name of the label on the target service to use as the job name in Prometheus + jobLabel: "" + # How frequently to scrape metrics + interval: "" + # Timeout after which the scrape is ended + scrapeTimeout: "" + # Specify additional relabeling of metrics + metricRelabelings: [] + # Specify general relabeling + relabelings: [] + +crds: + image: + # Image registry + registry: docker.io + + # Image repository + repository: bitnami/kubectl + + # Image tag + tag: 1.26.3 + + # Image digest + digest: "" + + # Image pull policy + pullPolicy: IfNotPresent + + # Additional pod annotations + podAnnotations: {} + + nodeSelector: {} + 
+ tolerations: [] + + affinity: {} + +tests: + image: + # Image registry + registry: ghcr.io + + # Image repository + repository: cowboysysop/pytest + + # Image tag + tag: 1.0.35 + + # Image digest + digest: "" + + # Image pull policy + pullPolicy: IfNotPresent diff --git a/main.tf b/main.tf index 6091a07..65e2e54 100644 --- a/main.tf +++ b/main.tf @@ -124,6 +124,10 @@ module "k8s_addons" { enable_amazon_eks_vpc_cni = var.amazon_eks_vpc_cni_enabled enable_aws_efs_csi_driver = var.efs_storage_class_enabled aws_efs_csi_driver_irsa_policies = [var.kms_policy_arn] + + # External Secrets + enable_external_secrets = var.external_secrets_enabled + } resource "helm_release" "cert_manager_le_http" { @@ -149,17 +153,6 @@ module "single_az_sc" { single_az_ebs_gp3_storage_class_name = each.value.name } -module "external_secrets" { - depends_on = [module.service_monitor_crd] - source = "./addons/external_secrets" - count = var.external_secrets_enabled ? 1 : 0 - name = var.name - region = data.aws_region.current.name - cluster_id = var.eks_cluster_name - environment = var.environment - provider_url = data.aws_eks_cluster.eks.identity[0].oidc[0].issuer - enable_service_monitor = var.service_monitor_crd_enabled -} ### EFS module "efs" { 
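Review bot: Swapping the local `module "external_secrets"` for `enable_external_secrets = var.external_secrets_enabled` changes which code provisions the add-on's IRSA role and its Prometheus wiring, and this hunk passes nothing to replace the `provider_url`, `enable_service_monitor` and `depends_on = [module.service_monitor_crd]` the removed block carried. Unless the blueprints module derives the OIDC issuer itself and ships a ServiceMonitor by default, the external-secrets metrics scrape is silently dropped and the IAM policy attached to the operator is now whatever the upstream add-on defaults to rather than what the removed module configured; worth confirming before merge since this operator holds the credentials to read secrets. A one-line comment at the new line, such as `# IRSA role and policy now come from the blueprints add-on; confirm they match the former addons/external_secrets module`, would record that decision, and if the add-on exposes a helm-config or IRSA-policies input (as `aws_efs_csi_driver_irsa_policies` does two lines above), the ServiceMonitor values and a least-privilege policy should be passed there. The `module "k8s_addons"` block continues outside the hunk.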
@@ -362,3 +355,51 @@ resource "kubernetes_ingress_v1" "kubecost" { } } } + +#hpa-coredns +resource "helm_release" "coredns-hpa" { + name = "corednshpa" + namespace = "kube-system" + chart = "${path.module}/addons/core_dns_hpa/" + timeout = 600 + values = [ + templatefile("${path.module}/addons/core_dns_hpa/values.yaml", { + minReplicas = var.core_dns_hpa_config.minReplicas, + maxReplicas = var.core_dns_hpa_config.maxReplicas, + corednsdeploymentname = var.core_dns_hpa_config.corednsdeploymentname, + targetCPUUtilizationPercentage = var.core_dns_hpa_config.targetCPUUtilizationPercentage, + targetMemoryUtilizationPercentage = var.core_dns_hpa_config.targetMemoryUtilizationPercentage + }) + ] +} + +resource "helm_release" "vpa-crds" { + count = var.metrics_server_enabled ? 1 : 0 + name = "vertical-pod-autoscaler" + namespace = "kube-system" + repository = "https://cowboysysop.github.io/charts/" + chart = "vertical-pod-autoscaler" + version = "7.2.0" + timeout = 600 + values = [ + file("${path.module}/addons/vpa_crds/values.yaml") + ] +} + +resource "helm_release" "metrics-server-vpa" { + count = var.metrics_server_enabled ? 1 : 0 + depends_on = ["helm_release.vpa-crds"] + name = "metricsservervpa" + namespace = "kube-system" + chart = "${path.module}/addons/metrics_server_vpa/" + timeout = 600 + values = [ + templatefile("${path.module}/addons/metrics_server_vpa/values.yaml", { + minCPU = var.metrics_server_vpa_config.minCPU, + minMemory = var.metrics_server_vpa_config.minMemory, + maxCPU = var.metrics_server_vpa_config.maxCPU, + maxMemory = var.metrics_server_vpa_config.maxMemory, + metricsServerDeploymentName = var.metrics_server_vpa_config.metricsServerDeploymentName + }) + ] +} diff --git a/variables.tf b/variables.tf index c1dd0a1..f999ef3 100644 --- a/variables.tf +++ b/variables.tf 
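Review bot: `depends_on = ["helm_release.vpa-crds"]` in `resource "helm_release" "metrics-server-vpa"` uses a quoted string where Terraform requires a bare resource reference; this form was deprecated in 0.12 and is rejected as an invalid expression on newer releases, so the explicit ordering this release relies on will not apply. Change it to `depends_on = [helm_release.vpa-crds]`, which is valid even though the target carries `count`. Separately, the resource named `vpa-crds` installs the whole `vertical-pod-autoscaler` chart (its values file configures recommender, updater and admission components), gated on `var.metrics_server_enabled`; a short comment such as `# installs the full VPA stack, not only CRDs; gated on metrics-server because VPA needs its metrics` would stop a reader from assuming only CRDs are applied. The third-party chart is version-pinned, which is good; the image tags in its values file are not digest-pinned, which is worth a follow-up if supply-chain integrity matters for this cluster.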
@@ -291,3 +291,30 @@ variable "ipv6_enabled" { default = false type = bool } + +#core-dns-hpa +variable "core_dns_hpa_config" { + description = "Configuration to provide settings of hpa over core dns" + default = { + minReplicas = 2 + maxReplicas = 10 + corednsdeploymentname = "coredns" + targetCPUUtilizationPercentage = 80 + targetMemoryUtilizationPercentage = "150Mi" + } + type = any +} + +#metrics-server-vpa +variable "metrics_server_vpa_config" { + description = "Configuration to provide settings of vpa over metrics server" + default = { + + minCPU = "25m" + maxCPU = "100m" + minMemory = "150Mi" + maxMemory = "500Mi" + metricsServerDeploymentName = "metrics-server" + } + type = any +} From 72eda4d159d4196be7f2ad4470aff85cf22af18b Mon Sep 17 00:00:00 2001 From: "yuvraj.singh" Date: Thu, 20 Jul 2023 16:12:22 +0530 Subject: [PATCH 12/14] resolve merge conflict --- variables.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/variables.tf b/variables.tf index ea48551..3ec3320 100644 --- a/variables.tf +++ b/variables.tf @@ -313,3 +313,8 @@ variable "metrics_server_vpa_config" { type = anyAD } +variable "ipv6_enabled" { + description = "whether IPv6 enabled or not" + type = bool + default = false +} \ No newline at end of file From 07a302b00d8bd0beaa245b41e874682d72b1750b Mon Sep 17 00:00:00 2001 From: "yuvraj.singh" Date: Thu, 20 Jul 2023 16:20:03 +0530 Subject: [PATCH 13/14] resolve merge conflict --- examples/complete/main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 2904848..2c41c68 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -7,6 +7,7 @@ locals { Expires = "Never" Department = "Engineering" } + ipv6_enabled = false } module "eks_bootstrap" { @@ -14,6 +15,7 @@ module "eks_bootstrap" { name = local.name vpc_id = "" environment = local.environment + ipv6_enabled = local.ipv6_enabled kms_key_arn = "" keda_enabled = true istio_enabled = false 
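Review bot: `targetMemoryUtilizationPercentage = "150Mi"` in the `core_dns_hpa_config` default is a memory quantity in a field whose name, and whose sibling `targetCPUUtilizationPercentage = 80`, indicate an integer percentage; if the chart template feeds it into an HPA `averageUtilization`, the API server will reject the object, so the default should be `targetMemoryUtilizationPercentage = 80` (or whatever percentage is intended). Both new variables use `type = any`, which means a misspelled key or a string in a numeric field is not caught at plan time; declaring each as `object({...})` with the five keys and their types (`number` for the percentages and replica counts, `string` for the names and the `minCPU`/`maxMemory` quantities) would catch exactly this class of mistake. A comment on `metrics_server_vpa_config` stating that the `min*`/`max*` values are Kubernetes resource quantities (e.g. `# Kubernetes resource quantities, e.g. "25m", "150Mi"`) would also help, since the type does not say so.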
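Review bot: This hunk appends a second `variable "ipv6_enabled"` to variables.tf, but the previous hunk in the same series shows `variable "ipv6_enabled" { default = false type = bool }` already present at line 291 of the same file as context; Terraform refuses duplicate variable declarations, so the file will fail to validate after this "merge conflict" resolution. Drop the added block and keep the existing declaration. The context line `type = anyAD` immediately above the insertion point is also not valid HCL (presumably a mangled `type = any` introduced while resolving the conflict), and the file ends without a trailing newline; both are worth fixing in the same commit.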
From 3808f8437fe4c38aa06e4d28c3fceff5c0c6d8e5 Mon Sep 17 00:00:00 2001 From: "yuvraj.singh" Date: Thu, 20 Jul 2023 16:20:44 +0530 Subject: [PATCH 14/14] resolve merge conflict --- examples/complete/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 2c41c68..1309e13 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -44,6 +44,7 @@ module "eks_bootstrap" { private_subnet_name = "private-subnet-name" instance_capacity_type = ["on-demand"] excluded_instance_type = ["nano", "micro", "small"] + instance_hypervisor = ["nitro"] } cert_manager_letsencrypt_email = "email@email.com" internal_ingress_nginx_enabled = true