
Refactor terraform to support 0.12, and bump k8s to v1.14.6 #33

Merged
merged 12 commits into from
Nov 27, 2019
34 changes: 24 additions & 10 deletions README.md
@@ -76,10 +76,10 @@ minutes...
~$ kubectl get node

NAME STATUS ROLES AGE VERSION
ip-10-0-48-247.ec2.internal Ready spot 2m v1.12.7
ip-10-0-66-127.ec2.internal Ready spot 2m v1.12.7
ip-10-0-71-121.ec2.internal Ready on-demand 22s v1.12.7
ip-10-0-86-182.ec2.internal Ready on-demand 2m v1.12.7
ip-10-0-48-247.ec2.internal Ready spot 2m v1.14.6
ip-10-0-66-127.ec2.internal Ready spot 2m v1.14.6
ip-10-0-71-121.ec2.internal Ready on-demand 22s v1.14.6
ip-10-0-86-182.ec2.internal Ready on-demand 2m v1.14.6
```

### ElastiKube (Self-Hosted)
@@ -120,12 +120,12 @@ minutes...
~$ kubectl get node

NAME STATUS ROLES AGE VERSION
ip-10-0-48-247.ec2.internal Ready master 9m v1.13.4
ip-10-0-48-117.ec2.internal Ready master 9m v1.13.4
ip-10-0-66-127.ec2.internal Ready on-demand 5m v1.13.4
ip-10-0-66-127.ec2.internal Ready on-demand 6m v1.13.4
ip-10-0-71-121.ec2.internal Ready spot 3m v1.13.4
ip-10-0-86-182.ec2.internal Ready spot 4m v1.13.4
ip-10-0-48-247.ec2.internal Ready master 9m v1.14.6
ip-10-0-48-117.ec2.internal Ready master 9m v1.14.6
ip-10-0-66-127.ec2.internal Ready on-demand 5m v1.14.6
ip-10-0-66-127.ec2.internal Ready on-demand 6m v1.14.6
ip-10-0-71-121.ec2.internal Ready spot 3m v1.14.6
ip-10-0-86-182.ec2.internal Ready spot 4m v1.14.6
```

## What’s Going On?
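Review bot: the sample output in this hunk lists `ip-10-0-66-127.ec2.internal` twice (once at 5m, once at 6m) in both the old and the new block, which cannot happen for a single node name in `kubectl get node`; since the hunk is already touching these lines for the version bump, replace the duplicate with a distinct hostname so the example reflects real output.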
@@ -148,6 +148,20 @@ Create a AWS auto-scaling group with CoreOS container linux and leverage ignitio

Due to using AWS launch template, hence, it's up to user to choose spot or on demand instance type by changing the variable, refer [**aws/eks-worker**](VARIABLES.md#aws/eks-worker) and [**aws/kube-worker**](VARIABLES.md#aws/kube-worker) for the detail variable inputs

## Known Issues

### Ignition Provider Issue
This module leverage provider ignition to provision instance (etcd, master and worker node),after upgrading Terraform 0.12,there is issue about the ignition provider, althrough community already merge the [**PR**](https://github.com/terraform-providers/terraform-provider-ignition/pull/56) into master branch, but don't know why not bump a new version yet, hence, there is something need to do for workaround this issue (The following steps are running in MacOS, it needs to make some change for running in other platform)

Build the ignition provider from official GitHub master branch

```
~$ cd $GOPATH/src/github.com/terraform-providers/terraform-provider-ignition
$ make build

~$ mkdir -p ~/.terraform.d/plugins/darwin_amd64
~$ cp $GOPATH/bin/terraform-provider-ignition ~/.terraform.d/plugins/darwin_amd64/terraform-provider-ignition_v1.1.0_x4
```

## Contributing

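Review bot: the workaround in the "Ignition Provider Issue" block builds the provider from an unpinned master branch and then installs it as `terraform-provider-ignition_v1.1.0_x4`, so a binary of unknown content is labelled as a released version and Terraform's lock-in to that version number gives no guarantee about what was built; document the exact commit to check out (a `git checkout <commit-sha>` step before `make build`) and the expected binary checksum so the workaround is reproducible. Minor points in the same block: the text has "althrough" and "This module leverage" (should be "although" and "This module leverages"), the second prompt `$ make build` is inconsistent with the `~$` prompts around it, and the first `cd` assumes the repository is already cloned into `$GOPATH`, so a `git clone` step is missing.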
41 changes: 0 additions & 41 deletions examples/aws-iam-authenticator/aws-iam-auth-master.tf

This file was deleted.

39 changes: 0 additions & 39 deletions examples/aws-iam-authenticator/variables.tf

This file was deleted.

38 changes: 38 additions & 0 deletions examples/aws-iam/certs.tf
@@ -0,0 +1,38 @@
module "pod_identity_webhook_root_ca" {
source = "../../modules/tls/certificate-authority"

cert_config = {
common_name = local.cluster_name
organization = local.cluster_name
validity_period_hours = var.certs_validity_period_hours
}

rsa_bits = 2048
self_signed = true
}

module "pod_identity_webhook_cert" {
source = "../../modules/tls/certificate"

ca_config = {
algorithm = module.pod_identity_webhook_root_ca.algorithm
key_pem = module.pod_identity_webhook_root_ca.private_key_pem
cert_pem = module.pod_identity_webhook_root_ca.cert_pem
}

cert_config = {
common_name = "pod-identity-webhook"
organization = local.cluster_name
validity_period_hours = var.certs_validity_period_hours
}

cert_hostnames = ["${var.pod_identity_webhook_service_name}.${var.pod_identity_webhook_service_namespace}.svc"]

cert_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
]

self_signed = true
}
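Review bot: `self_signed = true` on `pod_identity_webhook_cert` looks inconsistent with the `ca_config` block passed just above it; if the certificate module honours `self_signed`, the webhook serving cert will not chain to `pod_identity_webhook_root_ca`, and a webhook configuration whose `caBundle` carries the root CA will fail TLS verification from the API server. Confirm the module ignores `self_signed` when `ca_config` is set, or drop the flag here. Also consider a separate validity variable for the CA: both the CA and the leaf use `var.certs_validity_period_hours`, so the CA expires at the same moment as the certificate it signs, leaving no window to rotate the leaf under the existing CA.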
37 changes: 37 additions & 0 deletions examples/aws-iam/ign-authenticator.tf
@@ -0,0 +1,37 @@
module "ignition_aws_iam_authenticator" {
source = "../../modules/ignitions/aws-iam-auth-master"

webhook_kubeconfig_ca = module.kubernetes.certificate_authority
webhook_kubeconfig_path = var.auth_webhook_path
}

data "aws_s3_bucket" "kubernetes" {
bucket = module.kubernetes.s3_bucket
}

data "template_file" "kubeconfig_iam" {

template = file("${path.module}/resources/kubeconfig.iam")

vars = {
api_server_endpoint = module.kubernetes.endpoint
cluster_name = local.cluster_name
cluster_ca = module.kubernetes.certificate_authority
}
}

resource "aws_s3_bucket_object" "kubeconfig_iam" {
bucket = data.aws_s3_bucket.kubernetes.id

key = "kubeconfig.iam"
content = data.template_file.kubeconfig_iam.rendered
acl = "private"

server_side_encryption = "AES256"
content_type = "text/plain"

tags = merge(map(
"Name", "kubeconfig.iam",
"kubernetes.io/cluster/${local.cluster_name}", "owned",
), var.extra_tags)
}
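Review bot: since this PR is the 0.12 migration, `data "template_file"` with a `vars` map can be replaced by the built-in `templatefile("${path.module}/resources/kubeconfig.iam", { api_server_endpoint = ..., cluster_name = ..., cluster_ca = ... })`, which removes the template provider dependency; likewise `merge(map("Name", ..., ...), var.extra_tags)` in the `tags` argument can become `merge({ Name = "kubeconfig.iam", ... }, var.extra_tags)`, as `map()` is deprecated in 0.12. The object itself is written with `acl = "private"` and `server_side_encryption = "AES256"`, which is the right default for a kubeconfig even though this one only embeds the cluster CA and endpoint.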
110 changes: 110 additions & 0 deletions examples/aws-iam/main.tf
@@ -0,0 +1,110 @@
locals {
cluster_name = "${var.phase}-${var.project}"
}



# ---------------------------------------------------------------------------------------------------------------------
# Network
# ---------------------------------------------------------------------------------------------------------------------

module "network" {
source = "../../modules/aws/network"
bastion_key_name = var.key_pair_name
project = var.project
phase = var.phase
extra_tags = var.extra_tags
}

# ---------------------------------------------------------------------------------------------------------------------
# ElastiKube
# ---------------------------------------------------------------------------------------------------------------------

module "kubernetes" {
source = "../../modules/aws/elastikube"

name = local.cluster_name
kubernetes_version = var.kubernetes_version
service_cidr = var.service_cidr
cluster_cidr = var.cluster_cidr

etcd_config = {
instance_count = "1"
ec2_type = "t3.medium"
root_volume_iops = "0"
root_volume_size = "100"
root_volume_type = "gp2"
}

master_config = {
instance_count = "1"
ec2_type_1 = "t3.medium"
ec2_type_2 = "t2.medium"
root_volume_iops = "100"
root_volume_size = "256"
root_volume_type = "gp2"

on_demand_base_capacity = 0
on_demand_percentage_above_base_capacity = 100
spot_instance_pools = 1
}

oidc_issuer_confg = {
issuer = "https://s3-${var.aws_region}.amazonaws.com/${aws_s3_bucket.oidc.id}"
api_audiences = var.oidc_api_audiences
}

extra_ignition_file_ids = "${module.ignition_aws_iam_authenticator.files}"
extra_ignition_systemd_unit_ids = "${module.ignition_aws_iam_authenticator.systemd_units}"

hostzone = "${var.project}.cluster"
endpoint_public_access = var.endpoint_public_access
private_subnet_ids = module.network.private_subnet_ids
public_subnet_ids = module.network.public_subnet_ids
ssh_key = var.key_pair_name
reboot_strategy = "off"
auth_webhook_path = var.auth_webhook_path


extra_tags = merge(map(
"Phase", var.phase,
"Project", var.project,
), var.extra_tags)
}

# ---------------------------------------------------------------------------------------------------------------------
# Worker Node (On Spot Instance)
# ---------------------------------------------------------------------------------------------------------------------

module "worker_spot" {
source = "../../modules/aws/kube-worker"

cluster_name = local.cluster_name
kubernetes_version = var.kubernetes_version
kube_service_cidr = var.service_cidr

security_group_ids = module.kubernetes.worker_sg_ids
subnet_ids = module.network.private_subnet_ids

worker_config = {
name = "spot"
instance_count = "1"
ec2_type_1 = "m5.large"
ec2_type_2 = "m4.large"
root_volume_iops = "0"
root_volume_size = "40"
root_volume_type = "gp2"

on_demand_base_capacity = 0
on_demand_percentage_above_base_capacity = 0
spot_instance_pools = 1
}

s3_bucket = module.kubernetes.s3_bucket
ssh_key = var.key_pair_name

extra_tags = merge(map(
"Phase", var.phase,
"Project", var.project,
), var.extra_tags)
}
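Review bot: the argument name `oidc_issuer_confg` in `module "kubernetes"` is misspelled; if the module declares the input as `oidc_issuer_config`, `terraform validate` will reject this with an unsupported-argument error, so check the spelling against the elastikube module's variables. Two 0.12 style points in the same hunk: `extra_ignition_file_ids = "${module.ignition_aws_iam_authenticator.files}"` and the `systemd_units` line below it use the legacy interpolation-only form that 0.12 warns about and should be plain `module.ignition_aws_iam_authenticator.files`, and the `merge(map(...), var.extra_tags)` tag construction can use an object literal instead of the deprecated `map()`.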
29 changes: 29 additions & 0 deletions examples/aws-iam/oidc.tf
@@ -0,0 +1,29 @@
resource "aws_s3_bucket" "oidc" {
bucket = "${local.cluster_name}-oidc-${md5("${local.cluster_name}-oidc")}"
acl = "public-read"

tags = merge(map(
"Name", "${local.cluster_name}-oidc-${md5("${local.cluster_name}-oidc")}",
"Phase", var.phase,
"Project", var.project,
), var.extra_tags)
}

resource "null_resource" "oidc_thumbprint" {
provisioner "local-exec" {
command = "openssl s_client -connect s3-${var.aws_region}.amazonaws.com:443 -servername s3-${var.aws_region}.amazonaws.com -showcerts < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin -sha1 -noout -fingerprint | cut -d '=' -f 2 | tr -d ':' > ${path.module}/.terraform/oidc_thumbprint"
}
}

data "local_file" "oidc_thumbprint" {
filename = "${path.module}/.terraform/oidc_thumbprint"
depends_on = [null_resource.oidc_thumbprint]
}

resource "aws_iam_openid_connect_provider" "irsa" {
url = "https://s3-${var.aws_region}.amazonaws.com/${aws_s3_bucket.oidc.id}"

client_id_list = [ var.oidc_api_audiences ]

thumbprint_list = [ chomp(data.local_file.oidc_thumbprint.content) ]
}
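Review bot: the `local-exec` command computes the thumbprint from the first certificate that `openssl s_client -showcerts` prints, which is the S3 endpoint's leaf certificate; IAM expects the thumbprint of the CA certificate that issued the endpoint's certificate, and because leaf certificates rotate, a leaf thumbprint will silently stop validating while `null_resource.oidc_thumbprint` never re-runs. The pipeline also sends stderr to `/dev/null` with no `pipefail`, so a failed connection writes an empty file and `chomp(data.local_file.oidc_thumbprint.content)` becomes an empty thumbprint; fail the command on an empty result instead of passing it through. Separately, `acl = "public-read"` grants anonymous read on the whole bucket rather than on just the OIDC discovery document and JWKS objects that STS needs to fetch; prefer a bucket policy scoped to those object keys so nothing else written to the bucket becomes world-readable.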
23 changes: 23 additions & 0 deletions examples/aws-iam/outputs.tf
@@ -0,0 +1,23 @@
output "bastion_public_ip" {
value = module.network.bastion_public_ip
}

output "ignition_s3_bucket" {
value = module.kubernetes.s3_bucket
}

output "oidc_s3_bucket" {
value = aws_s3_bucket.oidc.id
}

output "oidc_issuer_pub" {
value = module.kubernetes.oidc_issuer_pubkey
}

output "tls_crt" {
value = module.pod_identity_webhook_cert.cert_pem
}

output "tls_key" {
value = module.pod_identity_webhook_cert.private_key_pem
}
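Review bot: `output "tls_key"` exposes the webhook's private key, so it will be printed in full on every `terraform apply` and by `terraform output`; mark it `sensitive = true` so it is redacted from CLI output (it still lands in the state file, which should already be treated as secret). The `tls_crt` and `oidc_issuer_pub` outputs are public material and are fine as they are.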