Add example for IRSA and cluster-autoscaler

[max-rocket-internet]

PR o'clock

Description

Many people have requested an example using IRSA (IAM Roles for Service Accounts). So here I am adding an example for the cluster-autoscaler.

Checklist

• Change added to CHANGELOG.md. All changes must be added and breaking changes and highlighted
• CI tests are passing
• README.md has been updated after any changes to variables and outputs. See https://github.com/terraform-aws-modules/terraform-aws-eks/#doc-generation

[dpiddockcmp]

👏 ❤️
Comments suggesting things to delete to remove distractions 😄

[dpiddockcmp]

Please please can fresh examples use Helm 3? No more tiller!

[barryib]

Maybe we can omit tiller installation. And add note that we must have a working helm installation. Because, it's not relevant here.

I personally use terraform with helm provider to perform cluster-autoscaler installation during my cluster setup. But it doen't matter how we install it. What we need for the serviceaccount is here https://github.com/terraform-aws-modules/terraform-aws-eks/pull/710/files#diff-5d3e96c50e09c013f8553243cb0be4d6R3-R6

[max-rocket-internet]

I agree 100%. I just haven't used Helm 3 yet 😢

I'll redo next week with Helm 3. I need to it this anyway!

[max-rocket-internet]

Maybe we can omit tiller installation.

OK good input. I'll remove that part. But I'll keep the helm install command for the chart. Is it same for Helm 3?

[barryib]

yep.

[max-rocket-internet]

@barryib do you know why the terraform_docs check is failing? I don't get it...

[barryib]

@barryib do you know why the terraform_docs check is failing? I don't get it...

Nope. But even the terraform fmt is failing.

[barryib]

@max-rocket-internet terraform-doc 0.8.0 is now in stable. We should probably update terraform pre-commit antonbabenko/pre-commit-terraform#85.

pre-commit autoupdate would probably help.

[max-rocket-internet]

We should probably update terraform pre-commit antonbabenko/pre-commit-terraform#85.

OK cool. Next week I'll have a look.

I think we should also remove the autoscaling_enabled = true option from workers and remove the autoscaling policies from the module. In a a separate PR. People can do this outside the module now and IRSA is one way to do it.

[TBeijen]

If I'm not mistaken, using IRSA on cluster-autoscaler, it would be good to add these flags to the cluster variables:

# module no longer needs to manage autoscaling policy since this is moved to the service-account IAM role
manage_worker_autoscaling_policy = false
attach_worker_autoscaling_policy = false

[max-rocket-internet]

You are not mistake but I think we just remove the autoscaling policy stuff completely and let users manage that themselves.

[TBeijen]

May I suggest: Leave the policy stuff in but change default enabled to false in next release (and ofc. mention in release notes). Then remove in subsequent release.

This would allow users to somewhat seamlessly transition to IRSA, without needing to temporary bolt on additional policies.

[max-rocket-internet]

@TBeijen actually we already have var.attach_worker_autoscaling_policy/var.manage_worker_autoscaling_policy. I'll just make a PR to set these to default of false.

[barryib]

@max-rocket-internet please change args into args: ["--args=--with-aggregate-type-defaults", "--args=--no-escape"]

[max-rocket-internet]

OK I have:

• Switched to use the public module terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc for the IAM part, it's a little bit simpler and also pushes the focus away from this module a bit 😃
• Removed helm init stuff
• Removed autoscaling_enabled = true and just added the required tag directly to the node group. This way it's clear how it works and the example won't change when we remove the policy.
• Simplified the example further by removing NAT gateways and private subnets

Please re-review @barryib @dpiddockcmp @TBeijen 🚀

[barryib]

Can you please update your branch and upgrade to terraform-docs 0.8.1 ?

[dpiddockcmp]

This looks good to me

[dpiddockcmp]

Is this resource used anywhere?

[max-rocket-internet]

Thanks. I've removed it.

[max-rocket-internet]

@barryib done rebase. Thanks for fixing the pre-commit stuff

[TBeijen]

Looks fine. As mentioned in the other PR: Makes sense also to not have 2 releases with breaking changes, so unlike what I suggested, ditching all references to manage autoscaling looks good.

[ankushagarwal]

@max-rocket-internet : Curious as to what is the reason to use worker_groups instead of node_groups in module "eks". I am not sure what the difference between them is. The managed_node_groups/main.tf example uses node_groups in module "eks"

[morganchristiansson]

worker_groups is the classic unmanaged way of doing things and allows you to use spot instances and provide kubelet args.

I believe either will work with irsa.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.