From 37d66f00513ceb0fa2e6a2907e3aebf63dabf7ef Mon Sep 17 00:00:00 2001 From: Luong Vo Date: Sat, 3 Feb 2024 01:22:08 +0700 Subject: [PATCH] feat: Support elasticache controller (#50) Signed-off-by: sharkymcdongles Signed-off-by: Luong Vo Co-authored-by: sharkymcdongles --- README.md | 3 + examples/complete/README.md | 2 + examples/complete/sample-app/elasticache.yaml | 82 ++++++++++++++++ main.tf | 98 +++++++++++++++++++ outputs.tf | 6 ++ variables.tf | 16 +++ 6 files changed, 207 insertions(+) create mode 100644 examples/complete/sample-app/elasticache.yaml diff --git a/README.md b/README.md index 80832f4..7630ada 100644 --- a/README.md +++ b/README.md @@ -61,6 +61,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws |------|--------|---------| | [apigatewayv2](#module\_apigatewayv2) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [dynamodb](#module\_dynamodb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | +| [elasticache](#module\_elasticache) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [emrcontainers](#module\_emrcontainers) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [eventbridge](#module\_eventbridge) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [prometheusservice](#module\_prometheusservice) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 
@@ -92,9 +93,11 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [dynamodb](#input\_dynamodb) | ACK dynamodb Helm Chart config | `any` | `{}` | no | | [ecrpublic\_token](#input\_ecrpublic\_token) | Password decoded from the authorization token for accessing public ECR | `string` | `""` | no | | [ecrpublic\_username](#input\_ecrpublic\_username) | User name decoded from the authorization token for accessing public ECR | `string` | `""` | no | +| [elasticache](#input\_elasticache) | ACK elasticache Helm Chart config | `any` | `{}` | no | | [emrcontainers](#input\_emrcontainers) | ACK EMR container Helm Chart config | `any` | `{}` | no | | [enable\_apigatewayv2](#input\_enable\_apigatewayv2) | Enable ACK API gateway v2 add-on | `bool` | `false` | no | | [enable\_dynamodb](#input\_enable\_dynamodb) | Enable ACK dynamodb add-on | `bool` | `false` | no | +| [enable\_elasticache](#input\_enable\_elasticache) | Enable ACK elasticache add-on | `bool` | `false` | no | | [enable\_emrcontainers](#input\_enable\_emrcontainers) | Enable ACK EMR container add-on | `bool` | `false` | no | | [enable\_eventbridge](#input\_enable\_eventbridge) | Enable ACK EventBridge add-on | `bool` | `false` | no | | [enable\_prometheusservice](#input\_enable\_prometheusservice) | Enable ACK prometheusservice add-on | `bool` | `false` | no | diff --git a/examples/complete/README.md b/examples/complete/README.md index 7256353..a1948f6 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -6,6 +6,7 @@ Configuration in this directory creates an AWS EKS cluster with the following AC - ACK DynamoDB controller - ACK RDS controller - ACK S3 controller +- ACK Elasticache controller In addition, this example provisions a sample application which demonstrates using the ACK controllers for resource provisioning. The arhchitecture looks like this:
@@ -48,6 +49,7 @@ kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE ack-api-gateway ack-api-gateway-75499bfcfd-d5627 1/1 Running 0 26s ack-dynamodb ack-dynamodb-76fdf5cf77-jpwd9 1/1 Running 0 26s +ack-elasticache ack-elasticache-45eeg7dv12-m5asf 1/1 Running 0 26s ack-rds ack-rds-85c7ccdbf6-tkpvz 1/1 Running 0 26s ack-s3 ack-s3-7f4c79cbc8-g4tgl 1/1 Running 0 26s kube-system aws-load-balancer-controller-596d8cb765-wwmzt 1/1 Running 0 26s diff --git a/examples/complete/sample-app/elasticache.yaml b/examples/complete/sample-app/elasticache.yaml new file mode 100644 index 0000000..bf83e44 --- /dev/null +++ b/examples/complete/sample-app/elasticache.yaml 
@@ -0,0 +1,82 @@ +--- +# https://aws-controllers-k8s.github.io/community/reference/elasticache/v1alpha1/cacheparametergroup/ +apiVersion: elasticache.services.k8s.aws/v1alpha1 +kind: CacheParameterGroup +metadata: + name: # cache parameter group name +spec: + cacheParameterGroupName: # cache parameter group name + cacheParameterGroupFamily: # cache parameter group family + description: # cache parameter group description + parameterNameValues: + # below is an example + - parameterName: "TIMEOUT" # parameter name + parameterValue: "100" # parameter value + # Add more parameter name and value pairs as needed + +--- + +# https://aws-controllers-k8s.github.io/community/reference/ec2/v1alpha1/securitygroup/ +apiVersion: ec2.services.k8s.aws/v1alpha1 +kind: SecurityGroup +metadata: + name: # security group name +spec: + description: # security group description + ingressRules: + - fromPort: 6379 # allow redis port + toPort: 6379 # allow redis port + ipProtocol: tcp + ipRanges: + - cidrIP: # allow traffic from the same VPC ... 
+ description: + egressRules: + - fromPort: 0 + toPort: 65535 + ipProtocol: tcp +--- + +# https://aws-controllers-k8s.github.io/community/reference/elasticache/v1alpha1/cachesubnetgroup/ +apiVersion: elasticache.services.k8s.aws/v1alpha1 +kind: CacheSubnetGroup +metadata: + name: # cache subnet group name +spec: + cacheSubnetGroupName: # cache subnet group name + cacheSubnetGroupDescription: # cache subnet group description + description: # cache subnet group description + subnetIDs: + - # subnet ID 1 + - # subnet ID 2 + - # subnet ID 3 + # Add more subnet IDs as needed + +--- + +# https://aws-controllers-k8s.github.io/community/reference/elasticache/v1alpha1/replicationgroup/ +apiVersion: elasticache.services.k8s.aws/v1alpha1 +kind: ReplicationGroup +metadata: + name: # resource name +spec: + engine: redis + engineVersion: 7.1 # or 6.x, check https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/supported-engine-versions.html + replicationGroupID: # replication group id + replicationGroupDescription: # replication group description + automaticFailoverEnabled: true # or false + cacheNodeType: cache.t2.micro # check https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheNodes.SupportedTypes.html + numNodeGroups: 1 # depending on your usage + replicasPerNodeGroup: 1 # depending on your usage + multiAZEnabled: false # or true + atRestEncryptionEnabled: false # or true + port: 6379 # or 6379 + snapshotRetentionLimit: 0 # or any number + cacheParameterGroupRef: + from: + name: # cache parameter group name + cacheSubnetGroupRef: + from: + name: # cache subnet group name + securityGroupRefs: + from: + name: # security group name diff --git a/main.tf b/main.tf index c892f18..ad67971 100644 --- a/main.tf +++ b/main.tf 
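Review bot: The sample ReplicationGroup ships with `atRestEncryptionEnabled: false` and sets no `transitEncryptionEnabled` at all, so anyone copying this example gets a Redis cluster that is unencrypted both at rest and on the wire; for a reference manifest the safer lines are `atRestEncryptionEnabled: true # or false` and `transitEncryptionEnabled: true # or false`, both of which are fields of the ACK ReplicationGroup spec linked in the comment above. The EC2 SecurityGroup in the same file allows egress on every TCP port (`fromPort: 0` / `toPort: 65535`) with no `ipRanges` stated, while the ingress `cidrIP:` is left blank under a comment promising "same VPC" traffic — either give the placeholder a hint such as `# e.g. the VPC CIDR` or narrow the egress rule, otherwise the example documents a looser network policy than the comment suggests. That SecurityGroup is an `ec2.services.k8s.aws` resource, which needs the ACK EC2 controller; the example README's controller list in this commit does not mention it, so the sample will not reconcile unless that controller is enabled somewhere outside this diff — worth a comment on the resource. `securityGroupRefs` appears to be a list of references in the ACK schema, so the trailing block should likely be `securityGroupRefs:` / `  - from:` / `      name: # security group name` rather than a bare `from:` mapping; please confirm against the reference. Lastly `engineVersion: 7.1` is parsed as a YAML number where the spec expects a string, so quote it (`engineVersion: "7.1"`), and `port: 6379 # or 6379` offers no alternative and could just say `# default redis port`.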
@@ -328,6 +328,104 @@ module "s3" { tags = var.tags } +################################################################################ +# elasticache +################################################################################ + +locals { + elasticache_name = "ack-elasticache" +} + +module "elasticache" { + source = "aws-ia/eks-blueprints-addon/aws" + version = "1.1.1" + + create = var.enable_elasticache + + # Disable helm release + create_release = var.create_kubernetes_resources + + # public.ecr.aws/aws-controllers-k8s/elasticache-chart:0.0.27 + name = try(var.elasticache.name, local.elasticache_name) + description = try(var.elasticache.description, "Helm Chart for elasticache controller for ACK") + namespace = try(var.elasticache.namespace, local.elasticache_name) + create_namespace = try(var.elasticache.create_namespace, true) + chart = "elasticache-chart" + chart_version = try(var.elasticache.chart_version, "0.0.27") + repository = try(var.elasticache.repository, "oci://public.ecr.aws/aws-controllers-k8s") + values = try(var.elasticache.values, []) + + timeout = try(var.elasticache.timeout, null) + repository_key_file = try(var.elasticache.repository_key_file, null) + repository_cert_file = try(var.elasticache.repository_cert_file, null) + repository_ca_file = try(var.elasticache.repository_ca_file, null) + repository_username = try(var.apigatewayv2.repository_username, local.repository_username) + repository_password = try(var.apigatewayv2.repository_password, local.repository_password) + devel = try(var.elasticache.devel, null) + verify = try(var.elasticache.verify, null) + keyring = try(var.elasticache.keyring, null) + disable_webhooks = try(var.elasticache.disable_webhooks, null) + reuse_values = try(var.elasticache.reuse_values, null) + reset_values = try(var.elasticache.reset_values, null) + force_update = try(var.elasticache.force_update, null) + recreate_pods = try(var.elasticache.recreate_pods, null) + cleanup_on_fail = 
try(var.elasticache.cleanup_on_fail, null) + max_history = try(var.elasticache.max_history, null) + atomic = try(var.elasticache.atomic, null) + skip_crds = try(var.elasticache.skip_crds, null) + render_subchart_notes = try(var.elasticache.render_subchart_notes, null) + disable_openapi_validation = try(var.elasticache.disable_openapi_validation, null) + wait = try(var.elasticache.wait, false) + wait_for_jobs = try(var.elasticache.wait_for_jobs, null) + dependency_update = try(var.elasticache.dependency_update, null) + replace = try(var.elasticache.replace, null) + lint = try(var.elasticache.lint, null) + + postrender = try(var.elasticache.postrender, []) + + set = concat([ + { + # shortens pod name from `ack-elasticache-elasticache-chart-xxxxxxxxxxxxx` to `ack-elasticache-xxxxxxxxxxxxx` + name = "nameOverride" + value = "ack-elasticache" + }, + { + name = "aws.region" + value = local.region + }, + { + name = "serviceAccount.name" + value = local.elasticache_name + }], + try(var.elasticache.set, []) + ) + set_sensitive = try(var.elasticache.set_sensitive, []) + + + # IAM role for service account (IRSA) + set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"] + create_role = try(var.elasticache.create_role, true) + role_name = try(var.elasticache.role_name, "ack-elasticache") + role_name_use_prefix = try(var.elasticache.role_name_use_prefix, true) + role_path = try(var.elasticache.role_path, "/") + role_permissions_boundary_arn = lookup(var.elasticache, "role_permissions_boundary_arn", null) + role_description = try(var.elasticache.role_description, "IRSA for elasticache controller for ACK") + role_policies = lookup(var.elasticache, "role_policies", { + AmazonElastiCacheFullAccess = "${local.iam_role_policy_prefix}/AmazonElastiCacheFullAccess" + }) + create_policy = try(var.elasticache.create_policy, false) + + oidc_providers = { + this = { + provider_arn = local.oidc_provider_arn + # namespace is inherited from chart + service_account = 
local.elasticache_name + } + } + + tags = var.tags +} + ################################################################################ # RDS ################################################################################ diff --git a/outputs.tf b/outputs.tf index 8270ac9..1c270f9 100644 --- a/outputs.tf +++ b/outputs.tf @@ -58,6 +58,12 @@ output "gitops_metadata" { namespace = try(var.eventbridge.namespace, local.eventbridge_name) service_account = local.eventbridge_name } : "ack_eventbridge_${k}" => v if var.enable_eventbridge + }, + { for k, v in { + iam_role_arn = module.elasticache.iam_role_arn + namespace = try(var.elasticache.namespace, local.elasticache_name) + service_account = local.elasticache_name + } : "ack_elasticache_${k}" => v if var.enable_elasticache } ) } diff --git a/variables.tf b/variables.tf index eca6f69..966934f 100644 --- a/variables.tf +++ b/variables.tf @@ -91,6 +91,22 @@ variable "s3" { default = {} } +################################################################################ +# S3 +################################################################################ + +variable "enable_elasticache" { + description = "Enable ACK elasticache add-on" + type = bool + default = false +} + +variable "elasticache" { + description = "ACK elasticache Helm Chart config" + type = any + default = {} +} + ################################################################################ # RDS ################################################################################
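Review bot: `repository_username` and `repository_password` in the new `module "elasticache"` block read `var.apigatewayv2.repository_username` / `var.apigatewayv2.repository_password` instead of the elasticache config, so registry credentials passed in `var.elasticache` are silently ignored and the apigatewayv2 ones (or the shared local fallback) are used; this looks like a copy-paste slip from the apigatewayv2 module. The two lines should read `repository_username = try(var.elasticache.repository_username, local.repository_username)` and `repository_password = try(var.elasticache.repository_password, local.repository_password)`. The default `role_policies` attaches the managed `AmazonElastiCacheFullAccess` policy to the controller's IRSA role; that presumably mirrors the sibling controller modules, but a short comment such as `# Broad managed policy; override role_policies to scope the controller's IAM permissions down` would make the override path visible to operators reading only this block.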
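Review bot: The section banner introduced above the new `enable_elasticache` variable reads `# S3`, copied from the block above it, so the variables file now has two S3 sections and no elasticache one; it should read `# elasticache`, matching the banner used for the module in main.tf. The `elasticache` variable's `type = any` with `default = {}` leaves the accepted keys undocumented, which is consistent with the neighbouring `s3` variable, but pointing readers at the module inputs in the description (for example `"ACK elasticache Helm Chart config; keys mirror the module.elasticache inputs in main.tf"`) would help without changing the interface.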