* Remove asg_node_group * Remove all add-on related code - ready for karpenter + gitops * Remove no longer required scripts * Update terraform providers * Update terraform / kubectl in CI container * Karpenter fargate role Allow pods in the karpenter namespace to run on fargate * Fixup tests * Remove unused examples * Remove local tests * fmt * Add helm to CI image * Allow cluster IAM role to be specified The design here is that new clusters all have a new IAM role per cluster. But to avoid recreating legacy clusters on upgrade, we need a way to use an externally managed IAM role. * Add fargate profile for flux-system namespace * Fix * Bring addons back * Fix addon config * Also adds fargate profile for `kube-system` or some addons will fail. * whitespace * Run coredns on fargate so addon install doesn't fail @ bootstrap
Showing
65 changed files
with
730 additions
and
2,623 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
1.2.7 | ||
1.4.6 |
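--- /dev/null
+++ b/[path not shown on page: EKS addons file]
@@ -0,0 +1,38 @@
+resource "aws_eks_addon" "vpc-cni" {
+  cluster_name = aws_eks_cluster.control_plane.name
+  addon_name = "vpc-cni"
+  addon_version = local.versions.vpc_cni
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
+  configuration_values = var.vpc_cni_configuration_values
+}
+
+resource "aws_eks_addon" "kube-proxy" {
+  cluster_name = aws_eks_cluster.control_plane.name
+  addon_name = "kube-proxy"
+  addon_version = local.versions.kube_proxy
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
+  configuration_values = var.kube_proxy_configuration_values
+}
+
+resource "aws_eks_addon" "coredns" {
+  cluster_name = aws_eks_cluster.control_plane.name
+  addon_name = "coredns"
+  addon_version = local.versions.coredns
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
+  configuration_values = var.coredns_configuration_values
+  depends_on = [aws_eks_fargate_profile.critical_pods]
+}
+
+resource "aws_eks_addon" "ebs-csi" {
+  cluster_name = aws_eks_cluster.control_plane.name
+  addon_name = "aws-ebs-csi-driver"
+  addon_version = local.versions.aws_ebs_csi_driver
+  service_account_role_arn = aws_iam_role.aws_ebs_csi_driver.arn
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
+  configuration_values = var.ebs_csi_configuration_values
+  depends_on = [aws_eks_fargate_profile.critical_pods]
+}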
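Review bot: The vpc-cni addon at the top of the hunk is installed without a `service_account_role_arn`, unlike the ebs-csi addon at the bottom, so the CNI runs with whatever permissions the node role carries; if that node role (outside this hunk) holds AmazonEKS_CNI_Policy, any pod that can reach the instance metadata endpoint inherits ENI and IP management rights. Consider giving the CNI its own IRSA role built on the same OIDC trust pattern the ebs-csi role uses (`system:serviceaccount:kube-system:aws-node` as the `:sub` value) and passing it as `service_account_role_arn`, which then lets the CNI policy be dropped from the node role. A short comment on the two `depends_on` lines would also help, e.g. `# coredns and ebs-csi pods are scheduled on Fargate, so the profile must exist before the addon is applied`.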
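--- /dev/null
+++ b/[path not shown on page: EBS CSI IAM role file]
@@ -0,0 +1,34 @@
+resource "aws_iam_role" "aws_ebs_csi_driver" {
+  name = "${var.iam_role_name_prefix}EksEBSCSIDriver-${var.name}"
+  assume_role_policy = data.aws_iam_policy_document.aws_ebs_csi_driver_assume_role_policy.json
+  description = "EKS CSI driver role for ${var.name} cluster"
+}
+
+data "aws_iam_policy_document" "aws_ebs_csi_driver_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect = "Allow"
+
+    condition {
+      test = "StringEquals"
+      variable = "${replace(aws_iam_openid_connect_provider.cluster_oidc.url, "https://", "")}:sub"
+      values = ["system:serviceaccount:kube-system:ebs-csi-controller-sa", "system:serviceaccount:kube-system:ebs-snapshot-controller"]
+    }
+
+    condition {
+      test = "StringEquals"
+      variable = "${replace(aws_iam_openid_connect_provider.cluster_oidc.url, "https://", "")}:aud"
+      values = ["sts.amazonaws.com"]
+    }
+
+    principals {
+      identifiers = [aws_iam_openid_connect_provider.cluster_oidc.arn]
+      type = "Federated"
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "aws_ebs_csi_driver" {
+  role = aws_iam_role.aws_ebs_csi_driver.id
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+}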
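Review bot: The managed policy ARN on the last line hard-codes the `aws` partition even though this commit adds `data "aws_partition" "current"` in another file, so the attachment fails in GovCloud or China partitions; use `policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"`. The same hard-coded partition appears on the AmazonEKSClusterPolicy attachment in the cluster-role file. Separately, the `:sub` condition trusts `ebs-snapshot-controller` alongside the CSI controller service account, but nothing in this hunk installs a snapshot controller; a comment saying which workload uses that identity, e.g. `# ebs-snapshot-controller is trusted for the external snapshotter deployed outside this module — confirm still needed`, would let a later reviewer decide whether that trust can be narrowed.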
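--- /dev/null
+++ b/[path not shown on page: EKS cluster IAM role file]
@@ -0,0 +1,44 @@
+locals {
+  eks_cluster_role_arn = length(var.cluster_role_arn) == 0 ? aws_iam_role.eks_cluster_role[0].arn : var.cluster_role_arn
+}
+
+resource "aws_iam_role" "eks_cluster_role" {
+  count = length(var.cluster_role_arn) == 0 ? 1 : 0
+  name = "${var.iam_role_name_prefix}EksCluster-${var.name}"
+  assume_role_policy = data.aws_iam_policy_document.eks_assume_role_policy.json
+
+  # Resources running on the cluster are still generating logs when destroying the module resources
+  # which results in the log group being re-created even after Terraform destroys it. Removing the
+  # ability for the cluster role to create the log group prevents this log group from being re-created
+  # outside of Terraform due to services still generating logs during destroy process
+  inline_policy {
+    name = "DenyLogGroupCreation"
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Action = ["logs:CreateLogGroup"]
+          Effect = "Deny"
+          Resource = "*"
+        },
+      ]
+    })
+  }
+}
+
+data "aws_iam_policy_document" "eks_assume_role_policy" {
+  statement {
+    principals {
+      type = "Service"
+      identifiers = ["eks.amazonaws.com"]
+    }
+    actions = ["sts:AssumeRole"]
+    effect = "Allow"
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
+  count = length(var.cluster_role_arn) == 0 ? 1 : 0
+  role = aws_iam_role.eks_cluster_role[0].name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+}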
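Review bot: When an external `cluster_role_arn` is supplied, the `DenyLogGroupCreation` inline policy is never applied to that role, so legacy clusters keep exactly the destroy-time log-group re-creation the comment says the deny exists to prevent; document that at the `locals` block, e.g. `# An externally supplied role is used as-is: the DenyLogGroupCreation guard below only covers the module-managed role.`, or in the `cluster_role_arn` variable description (outside this hunk). The `length(var.cluster_role_arn) == 0` test used in the local and both `count` expressions errors if the variable is null rather than an empty string; if its declared default is null, `var.cluster_role_arn == null || var.cluster_role_arn == ""` (or `try(length(var.cluster_role_arn), 0) == 0`) is the safer form. The `inline_policy` block is deprecated in recent AWS provider releases in favour of a standalone `aws_iam_role_policy`; the provider version this commit pins is not visible here, so check before relying on it.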
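--- /dev/null
+++ b/[path not shown on page: data sources file]
@@ -0,0 +1,3 @@
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}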