aws-ia · vara-bonthu · Apr 18, 2021 · Apr 18, 2021 · Apr 18, 2021
@@ -0,0 +1,133 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: MIT-0
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this
+ * software and associated documentation files (the "Software"), to deal in the Software
+ * without restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+#---------------------------------------------------------#
+# EKS CLUSTER CORE VARIABLES
+#---------------------------------------------------------#
+#Following fields used in tagging resources and building the name of the cluster
+#e.g., eks cluster name will be {tenant}-{environment}-{zone}-{resource}
+#---------------------------------------------------------#
+org               = "aws"     # Organization Name. Used to tag resources
+tenant            = "aws001"  # AWS account name or unique id for tenant
+environment       = "preprod" # Environment area eg., preprod or prod
+zone              = "dev"     # Environment with in one sub_tenant or business unit
+terraform_version = "Terraform v0.14.9"
+#---------------------------------------------------------#
+# VPC and PRIVATE SUBNET DETAILS for EKS Cluster
+#---------------------------------------------------------#
+#This provides two options Option1 and Option2. You should choose either of one to provide VPC details to the EKS cluster
+#Option1: Creates a new VPC, private Subnets and VPC Endpoints by taking the inputs of vpc_cidr_block and private_subnets_cidr. VPC Endpoints are S3, SSM , EC2, ECR API, ECR DKR, KMS, CloudWatch Logs, STS, Elastic Load Balancing, Autoscaling
+#Option2: Provide an existing vpc_id and private_subnet_ids
+
+#---------------------------------------------------------#
+# OPTION 1
+#---------------------------------------------------------#
+create_vpc            = true
+vpc_cidr_block        = "10.1.0.0/18"
+private_subnets_cidr  = ["10.1.0.0/22", "10.1.4.0/22", "10.1.8.0/22"]
+enable_public_subnets = true
+public_subnets_cidr   = ["10.1.12.0/22", "10.1.16.0/22", "10.1.20.0/22"]
+
+#---------------------------------------------------------#
+# OPTION 2
+#---------------------------------------------------------#
+//create_vpc = false
+//vpc_id = "xxxxxx"
+//private_subnet_ids = ['xxxxxx','xxxxxx','xxxxxx']
+
+#---------------------------------------------------------#
+# EKS CONTROL PLANE VARIABLES
+#---------------------------------------------------------#
+kubernetes_version      = "1.19"
+endpoint_private_access = true
+endpoint_public_access  = true
+enable_irsa             = true
+
+enabled_cluster_log_types    = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+cluster_log_retention_period = 7
+
+#---------------------------------------------------------#
+# MANAGED WORKER NODE INPUT VARIABLES FOR ON DEMAND INSTANCES - Worker Group1
+#---------------------------------------------------------#
+on_demand_node_group_name = "mg-m5-on-demand"
+on_demand_ami_type        = "AL2_x86_64"
+on_demand_disk_size       = 50
+on_demand_instance_type   = ["m5.xlarge"]
+on_demand_desired_size    = 3
+on_demand_max_size        = 3
+on_demand_min_size        = 3
+
+#---------------------------------------------------------#
+# BOTTLEROCKET - Worker Group3
+#---------------------------------------------------------#
+# Amazon EKS optimized Bottlerocket AMI ID for a region and Kubernetes version.
+bottlerocket_node_group_name = "mg-m5-bottlerocket"
+bottlerocket_ami        = "ami-0326716ad575410ab"
+bottlerocket_disk_size       = 50
+bottlerocket_instance_type   = ["m5.large"]
+bottlerocket_desired_size    = 3
+bottlerocket_max_size        = 3
+bottlerocket_min_size        = 3
+#---------------------------------------------------------#
+# MANAGED WORKER NODE INPUT VARIABLES FOR SPOT INSTANCES - Worker Group2
+#---------------------------------------------------------#
+spot_node_group_name = "mg-m5-spot"
+spot_instance_type   = ["m5.large", "m5a.large"]
+spot_ami_type        = "AL2_x86_64"
+spot_desired_size    = 3
+spot_max_size        = 6
+spot_min_size        = 3
+
+#---------------------------------------------------------#
+# Creates a Fargate profile for default namespace
+#---------------------------------------------------------#
+fargate_profile_namespace = "default"
+
+#---------------------------------------------------------#
+# ENABLE HELM MODULES
+# Please note that you may need to download the docker images for each
+#          helm module and push it to ECR if you create fully private EKS Clusters with no access to internet to fetch docker images.
+#          README with instructions available in each HELM module under helm/
+#---------------------------------------------------------#
+# Enable this if worker Node groups has access to internet to download the docker images
+
+public_docker_repo = true
+
+#---------------------------------------------------------#
+# ENABLE METRICS SERVER
+#---------------------------------------------------------#
+metrics_server_enable = true
+
+#---------------------------------------------------------#
+# ENABLE CLUSTER AUTOSCALER
+#---------------------------------------------------------#
+cluster_autoscaler_enable = true
+
+
+//---------------------------------------------------------//
+// ENABLE ALB INGRESS CONTROLLER
+//---------------------------------------------------------//
+lb_ingress_controller_enable = true
+
+#---------------------------------------------------------#
+# ENABLE AWS_FLUENT-BIT
+#---------------------------------------------------------#
+aws_for_fluent_bit_enable = true
+fargate_fluent_bit_enable = true
+
+ekslog_retention_in_days = 1
@@ -0,0 +1,81 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bottlerocket-app1-nginx-deployment
+  labels:
+    app: bottlerocket-app1-nginx
+    WorkerType: ON_DEMAND_BOTTLEROCKET
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: bottlerocket-app1-nginx
+  template:
+    metadata:
+      labels:
+        app: bottlerocket-app1-nginx
+        WorkerType: ON_DEMAND_BOTTLEROCKET
+    spec:
+      containers:
+        - name: app1-nginx
+          image: stacksimplify/kube-nginxapp1:1.0.0
+          #          image: 958351136353.dkr.ecr.eu-west-1.amazonaws.com/stacksimplify/kube-nginxapp:1.0.0
+          ports:
+            - containerPort: 80
+      nodeSelector:
+        WorkerType: ON_DEMAND_BOTTLEROCKET
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bottlerocket-app1-nginx-nodeport-service
+  labels:
+    app: bottlerocket-app1-nginx
+    WorkerType: ON_DEMAND_BOTTLEROCKET
+  annotations:
+    #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
+    alb.ingress.kubernetes.io/healthcheck-path: /app1/index.html
+spec:
+  type: NodePort
+  selector:
+    app: bottlerocket-app1-nginx
+    WorkerType: ON_DEMAND_BOTTLEROCKET
+  ports:
+    - port: 80
+      targetPort: 80
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-nginx-path-based
+  labels:
+    app: ingress-nginx-path-based
+  annotations:
+    # Ingress Core Settings
+    kubernetes.io/ingress.class: "alb"
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    # Health Check Settings
+    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
+    #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
+    #alb.ingress.kubernetes.io/healthcheck-path: /usermgmt/health-status
+    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
+    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
+    alb.ingress.kubernetes.io/success-codes: '200'
+    alb.ingress.kubernetes.io/healthy-threshold-count: '2'
+    alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
+    # This is required for bottlerocket
+    alb.ingress.kubernetes.io/target-type: ip
+spec:
+  rules:
+    - http:
+        paths:
+          - path: /app1/*
+            pathType: Prefix
+            backend:
+              service:
+                name: bottlerocket-app1-nginx-nodeport-service
+                port:
+                  number: 80
@@ -0,0 +1,63 @@
+
+# This service can be accessed using NLB DNS e.g., http://<NLB DNS name>>:8000/bottlerocket-greeting
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bottlerocket-greeting-service
+  namespace: default
+spec:
+  selector:
+    app: bottlerocket-greeting-pod
+  ports:
+    - name: web
+      port: 8000
+      targetPort: 8080
+  #type: NodePort
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bottlerocket-greeting
+  namespace: default
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: bottlerocket-greeting-pod
+  template:
+    metadata:
+      labels:
+        app: bottlerocket-greeting-pod
+    spec:
+      containers:
+        - name: bottlerocket-greeting-pod
+          # NOTE: If you are deploying this to private cluster without Internet access then pull the docker image locally and push it to ECR. refer ECR image location below
+#          image: 439595162109.dkr.ecr.eu-west-1.amazonaws.com/bottlerocket-greeting:latest
+          image: pahud/greeting
+          ports:
+            - containerPort: 8080
+      nodeSelector:
+        WorkerType: ON_DEMAND_BOTTLEROCKET
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bottlerocket-greeting-ingress
+  namespace: default
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: web
+    traefik.ingress.kubernetes.io/router.pathmatcher: PathPrefix
+spec:
+  rules:
+    - http:
+        paths:
+          - path: "/bottlerocket-greeting"
+            pathType: Prefix
+            backend:
+              service:
+                name: bottlerocket-greeting-service
+                port:
+                  number: 8000
+
@@ -72,6 +72,17 @@ on_demand_desired_size    = 3
 on_demand_max_size        = 3
 on_demand_min_size        = 3
 
+#---------------------------------------------------------#
+# BOTTLEROCKET - Worker Group3
+#---------------------------------------------------------#
+# Amazon EKS optimized Bottlerocket AMI ID for a region and Kubernetes version.
+bottlerocket_node_group_name = "mg-m5-bottlerocket"
+bottlerocket_ami        = "ami-0326716ad575410ab"
+bottlerocket_disk_size       = 50
+bottlerocket_instance_type   = ["m5.large"]
+bottlerocket_desired_size    = 3
+bottlerocket_max_size        = 3
+bottlerocket_min_size        = 3
 #---------------------------------------------------------#
 # MANAGED WORKER NODE INPUT VARIABLES FOR SPOT INSTANCES - Worker Group2
 #---------------------------------------------------------#
@@ -120,7 +131,3 @@ aws_for_fluent_bit_enable = true
 fargate_fluent_bit_enable = true
 
 ekslog_retention_in_days = 1
-
-
-
-
@@ -20,6 +20,15 @@ data "template_file" "launch_template_userdata" {
   template = file("${path.module}/templates/userdata.sh.tpl")
 }
 
+data "template_file" "launch_template_bottle_rocket_userdata" {
+  template = file("${path.module}/templates/bottlerocket-userdata.sh.tpl")
+  vars = {
+    cluster_endpoint = var.cluster_endpoint
+    cluster_auth_base64 = var.cluster_auth_base64
+    cluster_name = var.cluster_name
+  }
+}
+
 resource "aws_launch_template" "default" {
   name_prefix            = "${var.cluster_name}-${var.node_group_name}"
   description            = "Launch Template for EKS Managed clusters"
@@ -37,7 +46,7 @@ resource "aws_launch_template" "default" {
 
   ebs_optimized = true
 
-  //  image_id      = var.eks_optimized_ami
+  image_id      = var.self_managed ? var.bottlerocket_ami : ""
   //  instance_type = var.instance_type
 
   monitoring {
@@ -55,8 +64,10 @@ resource "aws_launch_template" "default" {
     security_groups             = [var.worker_security_group_id]
   }
 
-  user_data = base64encode(
-    data.template_file.launch_template_userdata.rendered,
+  user_data = var.self_managed ? base64encode(
+    data.template_file.launch_template_bottle_rocket_userdata.rendered,
+  ) : base64encode(
+  data.template_file.launch_template_userdata.rendered,
   )
 
   lifecycle {

@@ -0,0 +1,4 @@
+[settings.kubernetes]
+api-server = "${cluster_endpoint}"
+cluster-certificate = "${cluster_auth_base64}"
+cluster-name = "${cluster_name}"
@@ -16,11 +16,24 @@
  * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 
-variable "cluster_name" {}
+variable "cluster_auth_base64" {
+}
+variable "cluster_endpoint" {
+}
+variable "cluster_name" {
+}
 variable "node_group_name" {}
 //variable "instance_type" {}
 variable "volume_size" {
   default = "50"
 }
 variable "tags" {}
-variable "worker_security_group_id" {}
+variable "worker_security_group_id" {}
+variable "bottlerocket_ami" {
+  type        = string
+  default     = "ami-0326716ad575410ab"
+  description = "/aws/service/bottlerocket/aws-k8s-1.19/x86_64/latest/image_id"
+}
+variable "self_managed" {
+  default = false
+}