fix: AWS EFS as Kubernetes PV #117

Merged
merged 34 commits into from
Jan 15, 2024
34 commits
4d380e1
Add PV for Grafana and Prometheus
lzianekhodja-aneo Jan 8, 2024
382b71c
Add PVC for grafana and prometheus
lzianekhodja-aneo Jan 9, 2024
0240f79
Update PVC for EFS
lzianekhodja-aneo Jan 9, 2024
df293ab
Update the retrieving of oidc arn of EKS for EFS CSI
lzianekhodja-aneo Jan 9, 2024
520ffaa
Add dependency between EFS CSI deployment and kubernetes service acco…
lzianekhodja-aneo Jan 9, 2024
8c172cd
Reformat
lzianekhodja-aneo Jan 9, 2024
c2d75c3
Fix node selector and tolerations for efs csi
lzianekhodja-aneo Jan 9, 2024
9028db9
Update docker images for addons
lzianekhodja-aneo Jan 9, 2024
f876f2a
Add parameter volume_binding_mode in PV for mongodb
lzianekhodja-aneo Jan 10, 2024
cebf9f7
Add parameter volume_binding_mode in PV for grafana and prometheus
lzianekhodja-aneo Jan 10, 2024
19b251c
Fix efs csi
lzianekhodja-aneo Jan 11, 2024
ce62db3
remove node selector for efs csi
lzianekhodja-aneo Jan 11, 2024
fad832e
remove node selector for efs csi
lzianekhodja-aneo Jan 11, 2024
aa7090d
Add implicit dependency in PVC
lzianekhodja-aneo Jan 11, 2024
0725aae
update prometheus and grafana
lzianekhodja-aneo Jan 11, 2024
27ab185
update prometheus and grafana
lzianekhodja-aneo Jan 11, 2024
5cd1a41
change security context of prometheus
lzianekhodja-aneo Jan 11, 2024
6af0144
fix security context of prometheus
lzianekhodja-aneo Jan 11, 2024
263dbed
fix security context of prometheus (1)
lzianekhodja-aneo Jan 11, 2024
b6b7d42
variablize security context for mongodb, prometheus, grafana
lzianekhodja-aneo Jan 11, 2024
9d74583
Update count in storage class of mongodb
lzianekhodja-aneo Jan 11, 2024
cb5ff43
Update count in storage class of grafana and prometheus
lzianekhodja-aneo Jan 11, 2024
2a46f5c
Update EFS CSI deployment
lzianekhodja-aneo Jan 11, 2024
4b1c7a8
Update EFS CSI deployment
lzianekhodja-aneo Jan 11, 2024
1fd9d4a
clean EFS CSI deployment
lzianekhodja-aneo Jan 11, 2024
1482a73
test static PV
lzianekhodja-aneo Jan 12, 2024
3fcb927
fix test static PV
lzianekhodja-aneo Jan 12, 2024
21434a8
use dynamic PV
lzianekhodja-aneo Jan 12, 2024
f45ff4a
use dynamic PV with security context
lzianekhodja-aneo Jan 12, 2024
a2bb99f
update role of efs csi
lzianekhodja-aneo Jan 12, 2024
c8c50c7
update role of efs csi
lzianekhodja-aneo Jan 12, 2024
aa58419
update role of efs csi
lzianekhodja-aneo Jan 12, 2024
98f88f6
update path of PVC
lzianekhodja-aneo Jan 12, 2024
a8ec1d5
terraform-docs: automated action
github-actions[bot] Jan 15, 2024
11 changes: 10 additions & 1 deletion kubernetes/aws/eks/README.md
Expand Up @@ -6,6 +6,7 @@
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.3.0 |
| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.10.1 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.13.0 |
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.5.1 |

Expand All @@ -15,6 +16,7 @@
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.3.0 |
| <a name="provider_helm"></a> [helm](#provider\_helm) | >= 2.10.1 |
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.13.0 |
| <a name="provider_null"></a> [null](#provider\_null) | >= 3.2.1 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 3.5.1 |

Expand All @@ -34,11 +36,17 @@
| [aws_cloudwatch_event_rule.aws_node_termination_handler_asg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
| [aws_cloudwatch_event_rule.aws_node_termination_handler_spot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
| [aws_iam_policy.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.worker_autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy_attachment.workers_autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
| [aws_iam_role.efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [helm_release.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.efs_csi](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.eni_config](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubernetes_service_account.efs_csi_driver_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
| [kubernetes_service_account.efs_csi_driver_node](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
| [null_resource.change_cni_label](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.patch_coredns](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.trigger_custom_cni](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
Expand All @@ -48,6 +56,7 @@
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.worker_autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

Expand All @@ -59,7 +68,7 @@
| <a name="input_chart_namespace"></a> [chart\_namespace](#input\_chart\_namespace) | Version for chart | `string` | `"default"` | no |
| <a name="input_chart_repository"></a> [chart\_repository](#input\_chart\_repository) | Path to the charts repository | `string` | `"../../../charts"` | no |
| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | Version for chart | `string` | `"0.1.0"` | no |
| <a name="input_eks"></a> [eks](#input\_eks) | Parameters of AWS EKS | <pre>object({<br> cluster_version = string<br> cluster_endpoint_private_access = bool<br> cluster_endpoint_private_access_cidrs = list(string)<br> cluster_endpoint_private_access_sg = list(string)<br> cluster_endpoint_public_access = bool<br> cluster_endpoint_public_access_cidrs = list(string)<br> cluster_log_retention_in_days = number<br> docker_images = object({<br> cluster_autoscaler = object({<br> image = string<br> tag = string<br> })<br> instance_refresh = object({<br> image = string<br> tag = string<br> })<br> })<br> cluster_autoscaler = object({<br> expander = string<br> scale_down_enabled = bool<br> min_replica_count = number<br> scale_down_utilization_threshold = number<br> scale_down_non_empty_candidates_count = number<br> max_node_provision_time = string<br> scan_interval = string<br> scale_down_delay_after_add = string<br> scale_down_delay_after_delete = string<br> scale_down_delay_after_failure = string<br> scale_down_unneeded_time = string<br> skip_nodes_with_system_pods = bool<br> version = string<br> repository = string<br> namespace = string<br> })<br> instance_refresh = object({<br> namespace = string<br> repository = string<br> version = string<br> })<br> encryption_keys = object({<br> cluster_log_kms_key_id = string<br> cluster_encryption_config = string<br> ebs_kms_key_id = string<br> })<br> map_roles = list(object({<br> rolearn = string<br> username = string<br> groups = list(string)<br> }))<br> map_users = list(object({<br> userarn = string<br> username = string<br> groups = list(string)<br> }))<br> })</pre> | n/a | yes |
| <a name="input_eks"></a> [eks](#input\_eks) | Parameters of AWS EKS | <pre>object({<br> cluster_version = string<br> cluster_endpoint_private_access = bool<br> cluster_endpoint_private_access_cidrs = list(string)<br> cluster_endpoint_private_access_sg = list(string)<br> cluster_endpoint_public_access = bool<br> cluster_endpoint_public_access_cidrs = list(string)<br> cluster_log_retention_in_days = number<br> docker_images = object({<br> cluster_autoscaler = object({<br> image = string<br> tag = string<br> })<br> instance_refresh = object({<br> image = string<br> tag = string<br> })<br> efs_csi = object({<br> image = string<br> tag = string<br> })<br> livenessprobe = object({<br> image = string<br> tag = string<br> })<br> node_driver_registrar = object({<br> image = string<br> tag = string<br> })<br> external_provisioner = object({<br> image = string<br> tag = string<br> })<br> })<br> cluster_autoscaler = object({<br> expander = string<br> scale_down_enabled = bool<br> min_replica_count = number<br> scale_down_utilization_threshold = number<br> scale_down_non_empty_candidates_count = number<br> max_node_provision_time = string<br> scan_interval = string<br> scale_down_delay_after_add = string<br> scale_down_delay_after_delete = string<br> scale_down_delay_after_failure = string<br> scale_down_unneeded_time = string<br> skip_nodes_with_system_pods = bool<br> version = string<br> repository = string<br> namespace = string<br> })<br> instance_refresh = object({<br> namespace = string<br> repository = string<br> version = string<br> })<br> efs_csi = object({<br> name = string<br> namespace = string<br> image_pull_secrets = string<br> repository = string<br> version = string<br> })<br> encryption_keys = object({<br> cluster_log_kms_key_id = string<br> cluster_encryption_config = string<br> ebs_kms_key_id = string<br> })<br> map_roles = list(object({<br> rolearn = string<br> username = string<br> groups = list(string)<br> }))<br> map_users = list(object({<br> userarn = 
string<br> username = string<br> groups = list(string)<br> }))<br> })</pre> | n/a | yes |
| <a name="input_eks_managed_node_groups"></a> [eks\_managed\_node\_groups](#input\_eks\_managed\_node\_groups) | List of EKS managed node groups | `any` | `null` | no |
| <a name="input_fargate_profiles"></a> [fargate\_profiles](#input\_fargate\_profiles) | List of fargate profiles | `any` | `null` | no |
| <a name="input_kubeconfig_file"></a> [kubeconfig\_file](#input\_kubeconfig\_file) | Kubeconfig file path | `string` | n/a | yes |
178 changes: 178 additions & 0 deletions kubernetes/aws/eks/efs-csi.tf
@@ -0,0 +1,178 @@
# Allow EKS and the driver to interact with EFS
data "aws_iam_policy_document" "efs_csi_driver" {
statement {
sid = "Describe"
actions = [
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"ec2:DescribeAvailabilityZones"
]
effect = "Allow"
resources = ["*"]
}
statement {
sid = "Create"
actions = [
"elasticfilesystem:CreateAccessPoint"
]
effect = "Allow"
resources = ["*"]
condition {
test = "StringLike"
values = [true]
variable = "aws:RequestTag/efs.csi.aws.com/cluster"
}
}
statement {
sid = "Delete"
actions = [
"elasticfilesystem:DeleteAccessPoint"
]
effect = "Allow"
resources = ["*"]
condition {
test = "StringEquals"
values = [true]
variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
}
}
statement {
sid = "TagResource"
actions = [
"elasticfilesystem:TagResource"
]
effect = "Allow"
resources = ["*"]
condition {
test = "StringLike"
values = [true]
variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
}
}
statement {
sid = "Mount"
actions = [
"elasticfilesystem:ClientRootAccess",
"elasticfilesystem:ClientWrite",
"elasticfilesystem:ClientMount"
]
effect = "Allow"
resources = ["*"]
}
}

resource "aws_iam_policy" "efs_csi_driver" {
name_prefix = local.efs_csi_name
description = "Policy to allow EKS and the driver to interact with EFS"
policy = data.aws_iam_policy_document.efs_csi_driver.json
tags = local.tags
}

resource "aws_iam_role" "efs_csi_driver" {
name = local.efs_csi_name
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Principal = {
Federated = local.oidc_arn
}
Action = "sts:AssumeRoleWithWebIdentity"
Condition = {
StringEquals = {
"${local.oidc_url}:aud" = "sts.amazonaws.com"
"${local.oidc_url}:sub" = "system:serviceaccount:${local.efs_csi_namespace}:efs-csi-controller-sa"
}
}
}
]
})
tags = local.tags
}

resource "aws_iam_role_policy_attachment" "efs_csi_driver" {
policy_arn = aws_iam_policy.efs_csi_driver.arn
role = aws_iam_role.efs_csi_driver.name
}

resource "kubernetes_service_account" "efs_csi_driver_controller" {
metadata {
name = "efs-csi-controller-sa"
annotations = {
"eks.amazonaws.com/role-arn" = aws_iam_role.efs_csi_driver.arn
}
namespace = local.efs_csi_namespace
}
}

resource "kubernetes_service_account" "efs_csi_driver_node" {
metadata {
name = "efs-csi-node-sa"
annotations = {
"eks.amazonaws.com/role-arn" = aws_iam_role.efs_csi_driver.arn
}
namespace = local.efs_csi_namespace
}
}

resource "helm_release" "efs_csi" {
name = "efs-csi"
namespace = kubernetes_service_account.efs_csi_driver_controller.metadata[0].namespace
chart = "aws-efs-csi-driver"
repository = var.eks.efs_csi.repository
version = var.eks.efs_csi.version

set {
name = "image.repository"
value = var.eks.docker_images.efs_csi.image
}
set {
name = "image.tag"
value = var.eks.docker_images.efs_csi.tag
}
set {
name = "sidecars.livenessProbe.image.repository"
value = var.eks.docker_images.livenessprobe.image
}
set {
name = "sidecars.livenessProbe.image.tag"
value = var.eks.docker_images.livenessprobe.tag
}
set {
name = "sidecars.nodeDriverRegistrar.image.repository"
value = var.eks.docker_images.node_driver_registrar.image
}
set {
name = "sidecars.nodeDriverRegistrar.image.tag"
value = var.eks.docker_images.node_driver_registrar.tag
}
set {
name = "sidecars.csiProvisioner.image.repository"
value = var.eks.docker_images.external_provisioner.image
}
set {
name = "sidecars.csiProvisioner.image.tag"
value = var.eks.docker_images.external_provisioner.tag
}
set {
name = "imagePullSecrets"
value = var.eks.efs_csi.image_pull_secrets
}
set {
name = "node.serviceAccount.create"
value = false
}
set {
name = "node.serviceAccount.name"
value = kubernetes_service_account.efs_csi_driver_node.metadata[0].name
}
values = [
yamlencode(local.controller)
]
depends_on = [
kubernetes_service_account.efs_csi_driver_controller,
kubernetes_service_account.efs_csi_driver_node
]
}
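Review bot: the trust policy of `aws_iam_role.efs_csi_driver` only admits `system:serviceaccount:${local.efs_csi_namespace}:efs-csi-controller-sa` through its `:sub` condition, yet `kubernetes_service_account.efs_csi_driver_node` is annotated with the same role ARN, so any pod running as `efs-csi-node-sa` that tries to assume the role will be refused by STS. Either add the node service account to the trust condition (for example a `StringLike` on `"${local.oidc_url}:sub"` with both `...:efs-csi-controller-sa` and `...:efs-csi-node-sa`), or drop the annotation from the node service account if it is not meant to use IRSA. Separately, the `Mount` statement grants `elasticfilesystem:ClientRootAccess`, `ClientWrite` and `ClientMount` on `resources = ["*"]`; scoping it to the ARN(s) of the file system(s) this cluster uses keeps a compromised controller from mounting every EFS in the account as root. Minor: `values = [true]` in the tag conditions is a bool that Terraform stringifies to `"true"`; writing `["true"]` states the intent directly.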
58 changes: 47 additions & 11 deletions kubernetes/aws/eks/locals.tf
Expand Up @@ -24,17 +24,6 @@ locals {
aws_node_termination_handler_spot_name = "${var.name}-spot-termination"
kubeconfig_output_path = coalesce(var.kubeconfig_file, "${path.root}/generated/kubeconfig")

# Custom ENI
subnets = {
subnets = [
for index, id in var.vpc.pods_subnet_ids : {
subnet_id = id
az_name = element(data.aws_availability_zones.available.names, index)
security_group_ids = [module.eks.node_security_group_id]
}
]
}

# Node selector
node_selector_keys = keys(var.node_selector)
node_selector_values = values(var.node_selector)
Expand All @@ -52,6 +41,53 @@ locals {
]
}

# EFS CSI
efs_csi_name = try(var.eks.efs_csi.name, "efs-csi-driver")
oidc_arn = module.eks.oidc_provider_arn
oidc_url = trimprefix(module.eks.cluster_oidc_issuer_url, "https://")
efs_csi_namespace = try(var.eks.efs_csi.namespace, "kube-system")
efs_csi_tolerations = [
for index in range(0, length(local.node_selector_keys)) : {
key = local.node_selector_keys[index]
operator = "Equal"
value = local.node_selector_values[index]
effect = "NoSchedule"
}
]
controller = {
controller = {
create = true
logLevel = 2
extraCreateMetadata = true
tags = {}
deleteAccessPointRootDir = false
volMetricsOptIn = false
podAnnotations = {}
resources = {}
nodeSelector = var.node_selector
tolerations = local.efs_csi_tolerations
affinity = {}
serviceAccount = {
create = false
name = kubernetes_service_account.efs_csi_driver_controller.metadata[0].name
annotations = {}
}
healthPort = 9909
regionalStsEndpoints = false
}
}

# Custom ENI
subnets = {
subnets = [
for index, id in var.vpc.pods_subnet_ids : {
subnet_id = id
az_name = element(data.aws_availability_zones.available.names, index)
security_group_ids = [module.eks.node_security_group_id]
}
]
}

# Patch coredns
patch_coredns_spec = {
spec = {
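Review bot: `try(var.eks.efs_csi.name, "efs-csi-driver")` and `try(var.eks.efs_csi.namespace, "kube-system")` never fall back to their defaults, because `efs_csi` is declared in variables.tf as an `object` whose `name` and `namespace` attributes are plain `string`; Terraform rejects a configuration that omits them before this local is evaluated. If the defaults are wanted, declare the attributes as `optional(string, "efs-csi-driver")` and `optional(string, "kube-system")` (Terraform 1.3+) and drop the `try()`. Also `deleteAccessPointRootDir = false` is hardcoded in `controller`, so deleting a PVC leaves its access-point directory and data on the file system; that retention choice deserves a comment or a variable so operators make it explicitly.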
23 changes: 23 additions & 0 deletions kubernetes/aws/eks/variables.tf
Expand Up @@ -89,6 +89,22 @@ variable "eks" {
image = string
tag = string
})
efs_csi = object({
image = string
tag = string
})
livenessprobe = object({
image = string
tag = string
})
node_driver_registrar = object({
image = string
tag = string
})
external_provisioner = object({
image = string
tag = string
})
})
cluster_autoscaler = object({
expander = string
Expand All @@ -112,6 +128,13 @@ variable "eks" {
repository = string
version = string
})
efs_csi = object({
name = string
namespace = string
image_pull_secrets = string
repository = string
version = string
})
encryption_keys = object({
cluster_log_kms_key_id = string
cluster_encryption_config = string
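Review bot: `image_pull_secrets = string` is passed in efs-csi.tf as a scalar via `set { name = "imagePullSecrets" }`; Helm charts commonly define `imagePullSecrets` as a list of `{ name = ... }` entries, so check the chart's values.yaml and, if it is a list there, type this attribute as `list(string)` and pass it through the `values` yamlencode block (or `set_list`) instead of a single `set`.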
4 changes: 4 additions & 0 deletions kubernetes/aws/eks/versions.tf
Expand Up @@ -5,6 +5,10 @@ terraform {
source = "hashicorp/aws"
version = ">= 5.3.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = ">= 2.13.0"
}
helm = {
source = "hashicorp/helm"
version = ">= 2.10.1"