15 changes: 15 additions & 0 deletions terraform/modules/aws-eks/main.tf
Expand Up @@ -25,6 +25,12 @@ module "eks" {
service_account_role_arn = module.vpc_cni_irsa.iam_role_arn
configuration_values = jsonencode({
enableNetworkPolicy = "true"
env = {
ENABLE_PREFIX_DELEGATION = "true"
WARM_PREFIX_TARGET = "1"
WARM_IP_TARGET = "5"
MINIMUM_IP_TARGET = "2"
}
})
}
aws-ebs-csi-driver = {
Expand All @@ -51,6 +57,14 @@ module "eks" {
type = "ingress"
self = true
}
ingress_allow_all_traffic_cluster_api = {
description = "Allow all traffic from Cluster API"
protocol = "all"
from_port = 0
to_port = 0
type = "ingress"
source_security_group_id = module.eks.cluster_security_group_id
}
}

self_managed_node_group_defaults = {
Expand Down Expand Up @@ -96,6 +110,7 @@ module "eks" {
spec:
kubelet:
config:
maxPods: 110
shutdownGracePeriod: 30s
featureGates:
DisableKubeletCloudCredentialProviders: true
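Review bot: The new `ingress_allow_all_traffic_cluster_api` rule in the second hunk opens every protocol and port (`protocol = "all"`, `from_port = 0`, `to_port = 0`) from the cluster security group to the nodes, which is much broader than the `self`-scoped rule right above it and wider than what admission webhooks or metrics endpoints normally need. If the rule exists so the control plane can reach webhook-style callbacks on the nodes, scope it to `protocol = "tcp"` and the port range those components actually listen on, and say which component in `description` instead of "Allow all traffic from Cluster API" so the next reader can judge whether it is still required. The `maxPods: 110` in the third hunk and the prefix-delegation `env` in the first hunk presumably go together with the karpenter change in this same PR; a comment on the `env` block such as `# prefix delegation: keep maxPods here and in k8s-karpenter in sync` would tie the settings together. The enclosing `module "eks"` block starts and ends outside the hunks.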
Expand Up @@ -99,7 +99,7 @@ module "aws_iam_aws_loadbalancer_controller" {
count = local.aws_load_balancer_controller.enabled ? 1 : 0

source = "../aws-iam-eks-trusted"
name = "${local.name}-aws-lb-controller"
name = "${local.name}-aws-lb-control"
region = local.region
oidc_provider_arn = local.eks_oidc_provider_arn
policy = jsonencode({
Expand Down Expand Up @@ -450,6 +450,7 @@ resource "kubernetes_ingress_v1" "default" {
namespace = module.ingress_nginx_namespace[count.index].name
}
spec {
# ingress_class_name = "nginx"
rule {
http {
path {
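Review bot: Shortening the role name to `"${local.name}-aws-lb-control"` in the first hunk looks like a move to stay under the 64-character IAM role name limit, but nothing records that, and if `../aws-iam-eks-trusted` passes `name` through to `aws_iam_role`, the change replaces the role, so the controller's `eks.amazonaws.com/role-arn` annotation and anything that pinned the old role ARN must be reconciled in the same apply. A one-line comment, `# kept short: IAM role names are limited to 64 characters`, would preserve the reason. In the second hunk, `# ingress_class_name = "nginx"` is commented-out configuration rather than a comment; either drop the line or note why the default class is relied on, since an Ingress with no class is only picked up by a controller marked as the cluster default. This file's header is not visible in the rendered page, and both enclosing blocks start and end outside the hunks.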
106 changes: 98 additions & 8 deletions terraform/modules/k8s-addons/eks-istio.tf
@@ -1,11 +1,12 @@
locals {
istio = {
name = local.helm_releases[index(local.helm_releases.*.id, "istio")].id
enabled = local.helm_releases[index(local.helm_releases.*.id, "istio")].enabled
chart = local.helm_releases[index(local.helm_releases.*.id, "istio")].chart
repository = local.helm_releases[index(local.helm_releases.*.id, "istio")].repository
chart_version = local.helm_releases[index(local.helm_releases.*.id, "istio")].chart_version
namespace = local.helm_releases[index(local.helm_releases.*.id, "istio")].namespace
name = local.helm_releases[index(local.helm_releases.*.id, "istio")].id
enabled = local.helm_releases[index(local.helm_releases.*.id, "istio")].enabled
chart = local.helm_releases[index(local.helm_releases.*.id, "istio")].chart
repository = local.helm_releases[index(local.helm_releases.*.id, "istio")].repository
chart_version = local.helm_releases[index(local.helm_releases.*.id, "istio")].chart_version
namespace = local.helm_releases[index(local.helm_releases.*.id, "istio")].namespace
egress_gateway_enabled = local.helm_releases[index(local.helm_releases.*.id, "istio")].egress_gateway_enabled
}
kiali_server = {
name = local.helm_releases[index(local.helm_releases.*.id, "kiali")].id
Expand All @@ -19,8 +20,8 @@ locals {
pilot:
resources:
requests:
cpu: "500m"
memory: "2Gi"
cpu: "100m"
memory: "500Mi"
limits:
cpu: "500m"
memory: "2Gi"
Expand All @@ -32,6 +33,10 @@ global:
autoInject: enabled
excludeIPRanges: "169.254.169.254/32"
holdApplicationUntilProxyStarts: true
meshConfig:
outboundTrafficPolicy:
mode: REGISTRY_ONLY # Deny traffic to outside hosts by default(Only hosts defined by Istio crds)
accessLogFile: /dev/stdout # Add trace logs to istiod components(istiod pod, sidecar)
VALUES
kiali_server_prometheus_endpoint = local.victoria_metrics_k8s_stack.enabled ? "http://vmsingle-${local.victoria_metrics_k8s_stack.name}.${local.victoria_metrics_k8s_stack.namespace}:8429" : "http://${local.kube_prometheus_stack.name}-prometheus.${local.kube_prometheus_stack.namespace}:9090"
kiali_server_grafana_endpoint = local.victoria_metrics_k8s_stack.enabled ? "http://${local.victoria_metrics_k8s_stack.name}-grafana.${local.victoria_metrics_k8s_stack.namespace}" : "http://${local.kube_prometheus_stack.name}-grafana.${local.kube_prometheus_stack.namespace}"
Expand Down Expand Up @@ -93,6 +98,37 @@ spec:
- path: /stats/prometheus
targetPort: http-envoy-prom
interval: 15s
VALUES
istio_egress_gateway_values = <<VALUES
defaults:
service:
type: ClusterIP
labels:
istio: egressgateway
VALUES
istio_egress_gateway_manifest = <<VALUES
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
name: istio-egressgateway
spec:
selector:
istio: egressgateway
servers:
- hosts:
- "*"
port:
name: http-port
number: 80
protocol: HTTP
- hosts:
- "*"
port:
name: https-port
number: 443
protocol: HTTPS
tls:
mode: PASSTHROUGH
VALUES
}

Expand Down Expand Up @@ -219,6 +255,36 @@ module "istio_system_namespace" {
}
]
}
},
{
name = "allow-ingress-egress-gateway"
policy_types = ["Ingress"]
pod_selector = {
match_expressions = {
key = "istio"
operator = "In"
values = ["egressgateway"]
}
}
ingress = {
ports = [
{
port = "80"
protocol = "TCP"
},
{
port = "443"
protocol = "TCP"
}
]
from = [
{
ip_block = {
cidr = "0.0.0.0/0"
}
}
]
}
}
], local.kiali_server.enabled ? [{
name = "allow-kiali-namespace"
Expand Down Expand Up @@ -352,6 +418,23 @@ resource "helm_release" "istiod" {
depends_on = [helm_release.istio_base, kubectl_manifest.kube_prometheus_stack_operator_crds]
}

resource "helm_release" "istio-egressgateway" {
count = local.istio.egress_gateway_enabled && local.istio.enabled ? 1 : 0

name = "istio-egressgateway"
chart = "gateway"
repository = local.istio.repository
version = local.istio.chart_version
namespace = module.istio_system_namespace[count.index].name
max_history = var.helm_release_history_size

values = [
local.istio_egress_gateway_values
]

depends_on = [helm_release.istiod]
}

resource "kubectl_manifest" "istio_prometheus_service_monitor_cp" {
count = local.istio.enabled ? 1 : 0
yaml_body = local.istio_prometheus_service_monitor_cp_manifest
Expand All @@ -366,6 +449,13 @@ resource "kubectl_manifest" "istio_prometheus_service_monitor_dp" {
depends_on = [helm_release.istiod]
}

resource "kubectl_manifest" "istio_egress_gateway" {
count = local.istio.egress_gateway_enabled && local.istio.enabled ? 1 : 0
yaml_body = local.istio_egress_gateway_manifest
override_namespace = module.istio_system_namespace[count.index].name
depends_on = [helm_release.istio_base, helm_release.istiod, helm_release.istio-egressgateway]
}

resource "helm_release" "kiali" {
count = local.kiali_server.enabled ? 1 : 0

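Review bot: The `allow-ingress-egress-gateway` policy added to `module "istio_system_namespace"` admits traffic from `cidr = "0.0.0.0/0"` on 80 and 443 to the egress-gateway pods, which in NetworkPolicy terms is every source, inside or outside the cluster, and is wider than the namespace-scoped rules this list otherwise uses. The gateway Service is `ClusterIP`, so the practical exposure is cluster-internal, but any pod in any namespace can then send to a gateway whose `Gateway` resource accepts `hosts: "*"` on both ports with `PASSTHROUGH` TLS; if the namespace module supports a `namespace_selector` or `pod_selector` in `from`, restrict it to the namespaces that are meant to egress, otherwise at least to the cluster's pod CIDR. The `REGISTRY_ONLY` outbound policy in the `meshConfig` hunk is the right default, though the neighbouring comment on `accessLogFile` describes Envoy access logs, not trace logs. `helm_release.istio-egressgateway` uses a hyphen where the other resources visible in this diff use underscores; `istio_egressgateway` would match the file's convention and the `kubectl_manifest.istio_egress_gateway` that depends on it.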
10 changes: 9 additions & 1 deletion terraform/modules/k8s-addons/eks-kube-prometheus-stack.tf
Expand Up @@ -66,7 +66,7 @@ prometheus:
storage: 30Gi
resources:
requests:
cpu: 200m
cpu: 100m
memory: 1024Mi
limits:
cpu: 400m
Expand Down Expand Up @@ -121,6 +121,14 @@ grafana:
datasources:
enabled: true

resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi

datasources:
datasources.yaml:
apiVersion: 1
11 changes: 9 additions & 2 deletions terraform/modules/k8s-addons/eks-loki-stack.tf
Expand Up @@ -18,8 +18,8 @@ loki:
cpu: 1
memory: 1Gi
requests:
cpu: 500m
memory: 1Gi
cpu: 100m
memory: 500Mi
config:
limits_config:
enforce_metric_name: false
Expand Down Expand Up @@ -51,6 +51,13 @@ promtail:
tolerations:
- effect: NoSchedule
operator: Exists
resources:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 100m
memory: 128Mi

fluent-bit:
enabled: false
9 changes: 5 additions & 4 deletions terraform/modules/k8s-addons/helm-releases.yaml
Expand Up @@ -36,7 +36,7 @@ releases:
chart_version: 1.14.4
namespace: external-dns
- id: external-secrets
enabled: true
enabled: false
chart: external-secrets
repository: https://charts.external-secrets.io
chart_version: 0.10.0
Expand All @@ -54,19 +54,20 @@ releases:
chart_version: 4.10.1
namespace: ingress-nginx
- id: istio
enabled: false
enabled: true
chart:
repository: https://istio-release.storage.googleapis.com/charts
chart_version: 1.22.0
namespace: istio-system
egress_gateway_enabled: true
- id: keda
enabled: false
chart: keda
repository: https://kedacore.github.io/charts
chart_version: 2.14.2
namespace: keda
- id: kiali
enabled: false
enabled: true
chart: kiali-server
repository: https://kiali.org/helm-charts
chart_version: 1.84.0
Expand All @@ -84,7 +85,7 @@ releases:
chart_version: 2.10.2
namespace: loki
- id: reloader
enabled: true
enabled: false
chart: reloader
repository: https://stakater.github.io/stakater-charts
chart_version: 1.0.97
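Review bot: Besides turning `istio` and `kiali` on, this file also flips `external-secrets` and `reloader` to `enabled: false`, which is unrelated to the egress-gateway work and is not explained anywhere in the diff. If `ExternalSecret` objects exist in the cluster, removing the operator presumably leaves the Secrets it manages in place but no longer refreshed, which is easy to miss later, so the PR description should state why these two are disabled or the toggles should move to their own change. The new `egress_gateway_enabled` key is read only for the `istio` entry in eks-istio.tf, so a comment on that line such as `# read by eks-istio.tf; only meaningful for the istio release` would stop it being copied to the other releases.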
21 changes: 13 additions & 8 deletions terraform/modules/k8s-karpenter/main.tf
@@ -1,12 +1,13 @@
locals {
eks_cluster_endpoint = data.aws_eks_cluster.main.endpoint
karpenter = {
name = try(var.helm.release_name, "karpenter")
enabled = true
chart = try(var.helm.chart_name, "karpenter")
repository = try(var.helm.repository, "oci://public.ecr.aws/karpenter")
chart_version = try(var.helm.chart_version, "1.0.6")
namespace = try(var.helm.namespace, "karpenter")
name = try(var.helm.release_name, "karpenter")
enabled = true
chart = try(var.helm.chart_name, "karpenter")
repository = try(var.helm.repository, "oci://public.ecr.aws/karpenter")
chart_version = try(var.helm.chart_version, "1.0.6")
namespace = try(var.helm.namespace, "karpenter")
allocatable_pod_ips = try(var.helm.allocatable_pod_ips, 110)
}

karpenter_values = <<VALUES
Expand Down Expand Up @@ -80,6 +81,8 @@ spec:
securityGroupSelectorTerms:
- tags:
karpenter.sh/discovery: ${var.name}
kubelet:
maxPods: ${local.karpenter.allocatable_pod_ips}
tags:
karpenter.sh/discovery: ${var.name}
blockDeviceMappings:
Expand Down Expand Up @@ -112,6 +115,8 @@ spec:
securityGroupSelectorTerms:
- tags:
karpenter.sh/discovery: ${var.eks_cluster_id}
kubelet:
maxPods: ${local.karpenter.allocatable_pod_ips}
tags:
karpenter.sh/discovery: ${var.eks_cluster_id}
blockDeviceMappings:
Expand Down Expand Up @@ -143,8 +148,8 @@ resource "helm_release" "this" {
namespace = module.namespace[count.index].name
max_history = 3

repository_username = data.aws_ecrpublic_authorization_token.token.user_name
repository_password = data.aws_ecrpublic_authorization_token.token.password
# repository_username = data.aws_ecrpublic_authorization_token.token.user_name
# repository_password = data.aws_ecrpublic_authorization_token.token.password

values = [
local.karpenter_values
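Review bot: Commenting out `repository_username` and `repository_password` in the last hunk leaves dead configuration in the resource and, presumably, an unused `data.aws_ecrpublic_authorization_token.token` elsewhere in the module; if anonymous pulls from `oci://public.ecr.aws/karpenter` are the intent, delete the two lines and the data source, and be aware that unauthenticated public ECR pulls are rate-limited more tightly than authenticated ones. The `allocatable_pod_ips` default of 110 duplicates the hard-coded `maxPods: 110` added to terraform/modules/aws-eks/main.tf in this same PR, so a comment on the new local such as `# must match maxPods in aws-eks/main.tf (prefix delegation)` would keep the two values from drifting. `resource "helm_release" "this"` starts and ends outside the hunk.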
2 changes: 1 addition & 1 deletion terragrunt/.terragrunt-version
@@ -1 +1 @@
0.58.5
0.70.0
