Merge tag '0.2.3' into fl/merge-0.2.3

aneoconsulting · Feb 12, 2024 · 867261b · 867261b
2 parents eb33756 + 112b773
commit 867261b
Show file tree

Hide file tree

Showing 18 changed files with 530 additions and 9 deletions.
diff --git a/kubernetes/aws/eks/README.md b/kubernetes/aws/eks/README.md
@@ -6,6 +6,7 @@
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.3.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.10.1 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.13.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.5.1 |
 
@@ -15,6 +16,7 @@
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.3.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | >= 2.10.1 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.13.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 3.2.1 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.5.1 |
 
@@ -34,11 +36,17 @@
 | [aws_cloudwatch_event_rule.aws_node_termination_handler_asg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.aws_node_termination_handler_spot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_iam_policy.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.worker_autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy_attachment.workers_autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [aws_iam_role.efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [helm_release.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.efs_csi](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.eni_config](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_service_account.efs_csi_driver_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
+| [kubernetes_service_account.efs_csi_driver_node](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
 | [null_resource.change_cni_label](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.patch_coredns](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.update_kubeconfig](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
@@ -47,6 +55,7 @@
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.worker_autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 

diff --git a/kubernetes/aws/eks/efs-csi.tf b/kubernetes/aws/eks/efs-csi.tf
@@ -0,0 +1,221 @@
+locals {
+  # EFS CSI
+  efs_csi_name                          = coalesce(var.efs_csi_name, "efs-csi-driver")
+  oidc_arn                              = module.eks.oidc_provider_arn
+  oidc_url                              = trimprefix(module.eks.cluster_oidc_issuer_url, "https://")
+  efs_csi_namespace                     = coalesce(var.efs_csi_namespace, "kube-system")
+  kubernetes_service_account_controller = "efs-csi-controller-sa"
+  kubernetes_service_account_node       = "efs-csi-node-sa"
+  efs_csi_tolerations = [
+    for index in range(0, length(local.node_selector_keys)) : {
+      key      = local.node_selector_keys[index]
+      operator = "Equal"
+      value    = local.node_selector_values[index]
+      effect   = "NoSchedule"
+    }
+  ]
+  controller = {
+    controller = {
+      create                   = true
+      logLevel                 = 2
+      extraCreateMetadata      = true
+      tags                     = {}
+      deleteAccessPointRootDir = false
+      volMetricsOptIn          = false
+      podAnnotations           = {}
+      resources                = {}
+      nodeSelector             = var.node_selector
+      tolerations              = local.efs_csi_tolerations
+      affinity                 = {}
+      serviceAccount = {
+        create      = false
+        name        = kubernetes_service_account.efs_csi_driver_controller.metadata[0].name
+        annotations = {}
+      }
+      healthPort           = 9909
+      regionalStsEndpoints = false
+    }
+  }
+}
+
+# Allow EKS and the driver to interact with EFS
+data "aws_iam_policy_document" "efs_csi_driver" {
+  statement {
+    sid = "Describe"
+    actions = [
+      "elasticfilesystem:DescribeAccessPoints",
+      "elasticfilesystem:DescribeFileSystems",
+      "elasticfilesystem:DescribeMountTargets",
+      "ec2:DescribeAvailabilityZones"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+  statement {
+    sid = "Create"
+    actions = [
+      "elasticfilesystem:CreateAccessPoint"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      values   = [true]
+      variable = "aws:RequestTag/efs.csi.aws.com/cluster"
+    }
+  }
+  statement {
+    sid = "Delete"
+    actions = [
+      "elasticfilesystem:DeleteAccessPoint"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      values   = [true]
+      variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+    }
+  }
+  statement {
+    sid = "TagResource"
+    actions = [
+      "elasticfilesystem:TagResource"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      values   = [true]
+      variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+    }
+  }
+  statement {
+    sid = "Mount"
+    actions = [
+      "elasticfilesystem:ClientRootAccess",
+      "elasticfilesystem:ClientWrite",
+      "elasticfilesystem:ClientMount"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "efs_csi_driver" {
+  name_prefix = local.efs_csi_name
+  description = "Policy to allow EKS and the driver to interact with EFS"
+  policy      = data.aws_iam_policy_document.efs_csi_driver.json
+  tags        = local.tags
+}
+
+resource "aws_iam_role" "efs_csi_driver" {
+  name = local.efs_csi_name
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = local.oidc_arn
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "${local.oidc_url}:aud" = "sts.amazonaws.com"
+            "${local.oidc_url}:sub" = [
+              "system:serviceaccount:${local.efs_csi_namespace}:${local.kubernetes_service_account_controller}",
+              "system:serviceaccount:${local.efs_csi_namespace}:${local.kubernetes_service_account_node}"
+            ]
+          }
+        }
+      }
+    ]
+  })
+  tags = local.tags
+}
+
+resource "aws_iam_role_policy_attachment" "efs_csi_driver" {
+  policy_arn = aws_iam_policy.efs_csi_driver.arn
+  role       = aws_iam_role.efs_csi_driver.name
+}
+
+resource "kubernetes_service_account" "efs_csi_driver_controller" {
+  metadata {
+    name = local.kubernetes_service_account_controller
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.efs_csi_driver.arn
+    }
+    namespace = local.efs_csi_namespace
+  }
+}
+
+resource "kubernetes_service_account" "efs_csi_driver_node" {
+  metadata {
+    name = local.kubernetes_service_account_node
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.efs_csi_driver.arn
+    }
+    namespace = local.efs_csi_namespace
+  }
+}
+
+resource "helm_release" "efs_csi" {
+  name       = "efs-csi"
+  namespace  = kubernetes_service_account.efs_csi_driver_controller.metadata[0].namespace
+  chart      = "aws-efs-csi-driver"
+  repository = var.efs_csi_repository
+  version    = var.efs_csi_version
+
+  set {
+    name  = "image.repository"
+    value = var.efs_csi_image
+  }
+  set {
+    name  = "image.tag"
+    value = var.efs_csi_tag
+  }
+  set {
+    name  = "sidecars.livenessProbe.image.repository"
+    value = var.efs_csi_liveness_probe_image
+  }
+  set {
+    name  = "sidecars.livenessProbe.image.tag"
+    value = var.efs_csi_liveness_probe_tag
+  }
+  set {
+    name  = "sidecars.nodeDriverRegistrar.image.repository"
+    value = var.efs_csi_node_driver_registrar_image
+  }
+  set {
+    name  = "sidecars.nodeDriverRegistrar.image.tag"
+    value = var.efs_csi_node_driver_registrar_tag
+  }
+  set {
+    name  = "sidecars.csiProvisioner.image.repository"
+    value = var.efs_csi_external_provisioner_image
+  }
+  set {
+    name  = "sidecars.csiProvisioner.image.tag"
+    value = var.efs_csi_external_provisioner_tag
+  }
+  set {
+    name  = "imagePullSecrets"
+    value = var.efs_csi_image_pull_secrets
+  }
+  set {
+    name  = "node.serviceAccount.create"
+    value = false
+  }
+  set {
+    name  = "node.serviceAccount.name"
+    value = kubernetes_service_account.efs_csi_driver_node.metadata[0].name
+  }
+  values = [
+    yamlencode(local.controller)
+  ]
+  depends_on = [
+    kubernetes_service_account.efs_csi_driver_controller,
+    kubernetes_service_account.efs_csi_driver_node
+  ]
+}
diff --git a/kubernetes/aws/eks/examples/complete/main.tf b/kubernetes/aws/eks/examples/complete/main.tf
@@ -68,6 +68,18 @@ module "eks" {
   vpc_id                                                   = data.aws_vpc.default.id
   vpc_pods_subnet_ids                                      = data.aws_subnets.subnets.ids
   vpc_private_subnet_ids                                   = data.aws_subnets.subnets.ids
+
+  efs_csi_image                       = "amazon/aws-efs-csi-driver"
+  efs_csi_tag                         = "v1.5.1"
+  efs_csi_liveness_probe_image        = "public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe"
+  efs_csi_liveness_probe_tag          = "v2.9.0-eks-1-22-19"
+  efs_csi_node_driver_registrar_image = "public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar"
+  efs_csi_node_driver_registrar_tag   = "v2.7.0-eks-1-22-19"
+  efs_csi_external_provisioner_image  = "public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner"
+  efs_csi_external_provisioner_tag    = "v3.4.0-eks-1-22-19"
+  efs_csi_repository                  = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
+  efs_csi_version                     = "2.3.0"
+
   eks_managed_node_groups = {
     test = {
       name                        = "workers"

diff --git a/kubernetes/aws/eks/examples/simple/main.tf b/kubernetes/aws/eks/examples/simple/main.tf
@@ -69,6 +69,17 @@ module "eks" {
   vpc_pods_subnet_ids                                      = data.aws_subnets.subnets.ids
   vpc_private_subnet_ids                                   = data.aws_subnets.subnets.ids
 
+  efs_csi_image                       = "amazon/aws-efs-csi-driver"
+  efs_csi_tag                         = "v1.5.1"
+  efs_csi_liveness_probe_image        = "public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe"
+  efs_csi_liveness_probe_tag          = "v2.9.0-eks-1-22-19"
+  efs_csi_node_driver_registrar_image = "public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar"
+  efs_csi_node_driver_registrar_tag   = "v2.7.0-eks-1-22-19"
+  efs_csi_external_provisioner_image  = "public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner"
+  efs_csi_external_provisioner_tag    = "v3.4.0-eks-1-22-19"
+  efs_csi_repository                  = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
+  efs_csi_version                     = "2.3.0"
+
   eks_managed_node_groups = {
     test = {
       name                        = "workers"

diff --git a/kubernetes/aws/eks/variables.tf b/kubernetes/aws/eks/variables.tf
@@ -235,6 +235,64 @@ variable "eks_managed_node_groups" {
   default     = null
 }
 
+# EFS
+variable "efs_csi_image" {
+  description = "EFS CSI image name"
+  type        = string
+}
+variable "efs_csi_tag" {
+  description = "EFS CSI image tag"
+  type        = string
+}
+variable "efs_csi_liveness_probe_image" {
+  description = "EFS CSI liveness probe image name"
+  type        = string
+}
+variable "efs_csi_liveness_probe_tag" {
+  description = "EFS CSI liveness probe image tag"
+  type        = string
+}
+variable "efs_csi_node_driver_registrar_image" {
+  description = "EFS CSI node driver registrar image name"
+  type        = string
+}
+variable "efs_csi_node_driver_registrar_tag" {
+  description = "EFS CSI node driver registrar image tag"
+  type        = string
+}
+variable "efs_csi_external_provisioner_image" {
+  description = "EFS CSI external provisioner image name"
+  type        = string
+}
+variable "efs_csi_external_provisioner_tag" {
+  description = "EFS CSI external provisioner image tag"
+  type        = string
+}
+
+variable "efs_csi_name" {
+  description = "EFS CSI name"
+  type        = string
+  default     = null
+}
+variable "efs_csi_namespace" {
+  description = "EFS CSI namespace"
+  type        = string
+  default     = null
+}
+variable "efs_csi_image_pull_secrets" {
+  description = "Image pull secret used to pull EFS CSI images"
+  type        = string
+  default     = null
+}
+variable "efs_csi_repository" {
+  description = "EFS CSI helm repository"
+  type        = string
+}
+variable "efs_csi_version" {
+  description = "EFS CSI helm version"
+  type        = string
+}
+
 # Encryption keys
 variable "cluster_log_kms_key_id" {
   description = "KMS id to encrypt/decrypt the cluster's logs"

diff --git a/kubernetes/aws/eks/versions.tf b/kubernetes/aws/eks/versions.tf
@@ -5,6 +5,10 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 5.3.0"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.13.0"
+    }
     helm = {
       source  = "hashicorp/helm"
       version = ">= 2.10.1"

diff --git a/monitoring/onpremise/grafana/README.md b/monitoring/onpremise/grafana/README.md
@@ -27,7 +27,9 @@ No modules.
 | [kubernetes_config_map.datasources_config](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
 | [kubernetes_config_map.grafana_ini](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
 | [kubernetes_deployment.grafana](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment) | resource |
+| [kubernetes_persistent_volume_claim.grafana](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/persistent_volume_claim) | resource |
 | [kubernetes_service.grafana](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service) | resource |
+| [kubernetes_storage_class.grafana](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [local_file.dashboards_config_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.datasources_config_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 
@@ -39,8 +41,10 @@ No modules.
 | <a name="input_docker_image"></a> [docker\_image](#input\_docker\_image) | Docker image for Grafana | <pre>object({<br>    image              = string<br>    tag                = string<br>    image_pull_secrets = string<br>  })</pre> | n/a | yes |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace of ArmoniK monitoring | `string` | n/a | yes |
 | <a name="input_node_selector"></a> [node\_selector](#input\_node\_selector) | Node selector for Grafana | `any` | `{}` | no |
+| <a name="input_persistent_volume"></a> [persistent\_volume](#input\_persistent\_volume) | Persistent volume info | <pre>object({<br>    storage_provisioner = string<br>    volume_binding_mode = string<br>    parameters          = map(string)<br>    # Resources for PVC<br>    resources = object({<br>      limits = object({<br>        storage = string<br>      })<br>      requests = object({<br>        storage = string<br>      })<br>    })<br>  })</pre> | n/a | yes |
 | <a name="input_port"></a> [port](#input\_port) | Port for Grafana service | `string` | n/a | yes |
 | <a name="input_prometheus_url"></a> [prometheus\_url](#input\_prometheus\_url) | Prometheus URL | `string` | n/a | yes |
+| <a name="input_security_context"></a> [security\_context](#input\_security\_context) | security context for MongoDB pods | <pre>object({<br>    run_as_user = number<br>    fs_group    = number<br>  })</pre> | n/a | yes |
 | <a name="input_service_type"></a> [service\_type](#input\_service\_type) | Service type which can be: ClusterIP, NodePort or LoadBalancer | `string` | n/a | yes |
 
 ## Outputs