Implement ingress-nginx helm release as module (#160)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
dspace-group · Sep 30, 2024 · f4d1766 · f4d1766
1 parent 3c81ead
commit f4d1766
Show file tree

Hide file tree

Showing 16 changed files with 132 additions and 29 deletions.
diff --git a/.github/workflows/qualitygate.yml b/.github/workflows/qualitygate.yml
@@ -20,7 +20,7 @@ jobs:
         #   # The API token for a Terraform Cloud/Enterprise instance to place within the credentials block of the Terraform CLI configuration file.
         #   cli_config_credentials_token: # optional
         #   # The version of Terraform CLI to install. Instead of full version string you can also specify constraint string starting with "<" (for example `<1.13.0`) to install the latest version satisfying the constraint. A value of `latest` will install the latest version of Terraform CLI. Defaults to `latest`.
-          terraform_version: 1.2.9 # optional, default is latest
+          terraform_version: 1.3.0 # optional, default is latest
         #   # Whether or not to install a wrapper to wrap subsequent calls of the `terraform` binary and expose its STDOUT, STDERR, and exit code as outputs named `stdout`, `stderr`, and `exitcode` respectively. Defaults to `true`.
         #   terraform_wrapper: # optional, default is true
 

diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## v0.3.0
+- replaced terraform-aws-eks-blueprint addon ingress-nginx with module `modules/k8s_eks_addons/ingress-nginx.tf`
+
 ## v0.2.0
 
 - added option to use preconfigured VPC and subnets, in case of customers who

diff --git a/MAINTENANCE.md b/MAINTENANCE.md
@@ -48,3 +48,25 @@ To update your CA certificate by applying maintenance:
 2. In the navigation pane, choose Certificate update. The Databases requiring certificate update page appears.
 3. Choose the DB instance that you want to update. You can schedule the certificate rotation for your next maintenance window by choosing Schedule. Apply the rotation immediately by choosing Apply now.
 4. You are prompted to confirm the CA certificate rotation. Pick rds-ca-rsa2048-g1 and click Schedule/Confirm.
+
+# Migrate ingress-nginx addon to the module
+To migrate from terraform-aws-eks-blueprint addon ingress-nginx to custom module `modules/k8s_eks_addons/ingress-nginx.tf` follow steps:
+
+1. Enable ingress-nginx in terraform.tfvars
+2. create 'move.tf' in repository root
+3. Add following code:
+```
+moved {
+  from = module.eks-addons.module.ingress_nginx[0].module.helm_addon.helm_release.helm_addon[0]
+  to   = module.k8s_eks_addons.helm_release.ingress_nginx[0]
+}
+moved {
+  from = module.eks-addons.module.ingress_nginx[0].kubernetes_namespace_v1.this[0]
+  to   = module.k8s_eks_addons.kubernetes_namespace_v1.ingress_nginx[0]
+}
+```
+4. Run command:
+```
+terraform apply
+```
+5. Remove `move.tf` file
diff --git a/README.md b/README.md
@@ -454,7 +454,7 @@ Encryption is enabled at all AWS resources that are created by Terraform:
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1.7 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | = 5.37.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.4.1 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
@@ -474,6 +474,7 @@ Encryption is enabled at all AWS resources that are created by Terraform:
 |------|--------|---------|
 | <a name="module_eks"></a> [eks](#module\_eks) | git::https://github.com/aws-ia/terraform-aws-eks-blueprints.git | v4.32.1 |
 | <a name="module_eks-addons"></a> [eks-addons](#module\_eks-addons) | git::https://github.com/aws-ia/terraform-aws-eks-blueprints.git//modules/kubernetes-addons | v4.32.1 |
+| <a name="module_k8s_eks_addons"></a> [k8s\_eks\_addons](#module\_k8s\_eks\_addons) | ./modules/k8s_eks_addons | n/a |
 | <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_security_group_license_server"></a> [security\_group\_license\_server](#module\_security\_group\_license\_server) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_simphera_instance"></a> [simphera\_instance](#module\_simphera\_instance) | ./modules/simphera_aws_instance | n/a |
@@ -551,7 +552,6 @@ Encryption is enabled at all AWS resources that are created by Terraform:
 | <a name="input_codemeter"></a> [codemeter](#input\_codemeter) | Download link for codemeter rpm package. | `string` | `"https://www.wibu.com/support/user/user-software/file/download/13346.html?tx_wibudownloads_downloadlist%5BdirectDownload%5D=directDownload&tx_wibudownloads_downloadlist%5BuseAwsS3%5D=0&cHash=8dba7ab094dec6267346f04fce2a2bcd"` | no |
 | <a name="input_ecr_pullthrough_cache_rule_config"></a> [ecr\_pullthrough\_cache\_rule\_config](#input\_ecr\_pullthrough\_cache\_rule\_config) | Specifies if ECR pull through cache rule and accompanying resources will be created. Key 'enable' indicates whether pull through cache rule needs to be enabled for the cluster. When 'enable' is set to 'true', key 'exist' indicates whether pull through cache rule already exists for region's private ECR. If key 'enable' is set to 'true', IAM policy will be attached to the cluster's nodes. Additionally, if 'exist' is set to 'false', credentials for upstream registry and pull through cache rule will be created | <pre>object({<br>    enable = bool<br>    exist  = bool<br>  })</pre> | <pre>{<br>  "enable": false,<br>  "exist": false<br>}</pre> | no |
 | <a name="input_enable_aws_for_fluentbit"></a> [enable\_aws\_for\_fluentbit](#input\_enable\_aws\_for\_fluentbit) | Install FluentBit to send container logs to CloudWatch. | `bool` | `false` | no |
-| <a name="input_enable_ingress_nginx"></a> [enable\_ingress\_nginx](#input\_enable\_ingress\_nginx) | Enable Ingress Nginx add-on | `bool` | `false` | no |
 | <a name="input_enable_ivs"></a> [enable\_ivs](#input\_enable\_ivs) | n/a | `bool` | `false` | no |
 | <a name="input_enable_patching"></a> [enable\_patching](#input\_enable\_patching) | Scans license server EC2 instance and EKS nodes for updates. Installs patches on license server automatically. EKS nodes need to be updated manually. | `bool` | `false` | no |
 | <a name="input_gpuNodeCountMax"></a> [gpuNodeCountMax](#input\_gpuNodeCountMax) | The maximum number of nodes for gpu job execution | `number` | `12` | no |
@@ -561,6 +561,7 @@ Encryption is enabled at all AWS resources that are created by Terraform:
 | <a name="input_gpuNodeSize"></a> [gpuNodeSize](#input\_gpuNodeSize) | The machine size of the nodes for the gpu job execution | `list(string)` | <pre>[<br>  "g5.2xlarge"<br>]</pre> | no |
 | <a name="input_gpuNvidiaDriverVersion"></a> [gpuNvidiaDriverVersion](#input\_gpuNvidiaDriverVersion) | The NVIDIA driver version for GPU node group. | `string` | `"535.54.03"` | no |
 | <a name="input_infrastructurename"></a> [infrastructurename](#input\_infrastructurename) | The name of the infrastructure. e.g. simphera-infra | `string` | `"simphera"` | no |
+| <a name="input_ingress_nginx_config"></a> [ingress\_nginx\_config](#input\_ingress\_nginx\_config) | Input configuration for ingress-nginx service deployed with helm release. By setting key 'enable' to 'true', ingress-nginx service will be deployed. 'helm\_repository' is an URL for the repository of ingress-nginx helm chart, where 'helm\_version' is its respective version of a chart. 'chart\_values' is used for changing default values.yaml of an ingress-nginx chart. | <pre>object({<br>    enable          = bool<br>    helm_repository = optional(string, "https://kubernetes.github.io/ingress-nginx")<br>    helm_version    = optional(string, "4.1.4")<br>    chart_values = optional(string, <<-YAML<br>controller:<br>  images:<br>    registry: "registry.k8s.io"<br>  service:<br>    annotations:<br>      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing<br>YAML<br>    )<br>  })</pre> | <pre>{<br>  "enable": false<br>}</pre> | no |
 | <a name="input_install_schedule"></a> [install\_schedule](#input\_install\_schedule) | 6-field Cron expression describing the install maintenance schedule. Must not overlap with variable scan\_schedule. | `string` | `"cron(0 3 * * ? *)"` | no |
 | <a name="input_ivsGpuNodeCountMax"></a> [ivsGpuNodeCountMax](#input\_ivsGpuNodeCountMax) | The maximum number of GPU nodes nodes for IVS jobs | `number` | `2` | no |
 | <a name="input_ivsGpuNodeCountMin"></a> [ivsGpuNodeCountMin](#input\_ivsGpuNodeCountMin) | The minimum number of GPU nodes nodes for IVS jobs | `number` | `0` | no |

diff --git a/k8s-eks-addons.tf b/k8s-eks-addons.tf
@@ -0,0 +1,7 @@
+module "k8s_eks_addons" {
+  source = "./modules/k8s_eks_addons"
+
+  ingress_nginx_config = merge(var.ingress_nginx_config, { subnets_ids = local.public_subnets })
+
+  depends_on = [module.eks.eks_cluster_arn]
+}
diff --git a/k8s.tf b/k8s.tf
@@ -28,7 +28,6 @@ module "eks-addons" {
   enable_aws_load_balancer_controller  = false
   enable_cluster_autoscaler            = true
   enable_aws_for_fluentbit             = var.enable_aws_for_fluentbit
-  enable_ingress_nginx                 = var.enable_ingress_nginx
   tags                                 = var.tags
   aws_for_fluentbit_helm_config = {
     values = [templatefile("${path.module}/templates/fluentbit_values.yaml", {
@@ -39,17 +38,6 @@ module "eks-addons" {
     dependency_update = true
   }
 
-  ingress_nginx_helm_config = {
-    values = [templatefile("${path.module}/templates/nginx_values.yaml", {
-      internal       = "false",
-      scheme         = "internet-facing",
-      public_subnets = join(", ", local.public_subnets)
-    })]
-    namespace         = "nginx",
-    create_namespace  = true
-    dependency_update = true
-  }
-
   cluster_autoscaler_helm_config = var.cluster_autoscaler_helm_config
   #depends_on                     = [module.eks.managed_node_groups]
 }

diff --git a/modules/k8s_eks_addons/ingress-nginx.tf b/modules/k8s_eks_addons/ingress-nginx.tf
@@ -0,0 +1,26 @@
+resource "kubernetes_namespace_v1" "ingress_nginx" {
+  count = var.ingress_nginx_config.enable ? 1 : 0
+
+  metadata {
+    name = "nginx"
+  }
+}
+
+resource "helm_release" "ingress_nginx" {
+  count = var.ingress_nginx_config.enable ? 1 : 0
+
+  namespace         = kubernetes_namespace_v1.ingress_nginx[0].metadata[0].name
+  name              = "ingress-nginx"
+  chart             = "ingress-nginx"
+  repository        = var.ingress_nginx_config.helm_repository
+  version           = var.ingress_nginx_config.helm_version
+  description       = "The NGINX HelmChart Ingress Controller deployment configuration"
+  dependency_update = true
+  values = [
+    templatefile("${path.module}/templates/nginx_values.yaml", {
+      public_subnets = join(", ", var.ingress_nginx_config.subnets_ids)
+    }),
+    var.ingress_nginx_config.chart_values
+  ]
+  timeout = 1200
+}
diff --git a/templates/nginx_values.yaml → ...8s_eks_addons/templates/nginx_values.yaml b/templates/nginx_values.yaml → ...8s_eks_addons/templates/nginx_values.yaml
@@ -4,8 +4,6 @@ controller:
       service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
       service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
       service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
-      service.beta.kubernetes.io/aws-load-balancer-scheme: "${scheme}"
-      service.beta.kubernetes.io/aws-load-balancer-internal: "${internal}"
       service.beta.kubernetes.io/aws-load-balancer-target-node-labels: kubernetes.io/os=linux
       service.beta.kubernetes.io/aws-load-balancer-subnets: "${public_subnets}"
       service.beta.kubernetes.io/aws-load-balancer-type: "nlb"

diff --git a/modules/k8s_eks_addons/variables.tf b/modules/k8s_eks_addons/variables.tf
@@ -0,0 +1,10 @@
+variable "ingress_nginx_config" {
+  description = "Ingress Nginx configuration"
+  type = object({
+    enable          = bool
+    helm_repository = string
+    helm_version    = string
+    chart_values    = string
+    subnets_ids     = list(string)
+  })
+}
diff --git a/modules/k8s_eks_addons/versions.tf b/modules/k8s_eks_addons/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.10"
+    }
+
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 2.4.1"
+    }
+
+  }
+}
diff --git a/modules/simphera_aws_instance/versions.tf b/modules/simphera_aws_instance/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.2.0"
+  required_version = ">= 1.3.0"
 
   required_providers {
 

diff --git a/terraform.json.example b/terraform.json.example
@@ -9,7 +9,6 @@
     "exist": false
   },
   "enable_aws_for_fluentbit": false,
-  "enable_ingress_nginx": false,
   "enable_ivs": false,
   "enable_patching": false,
   "gpuNodeCountMax": 12,
@@ -21,6 +20,9 @@
   ],
   "gpuNvidiaDriverVersion": "535.54.03",
   "infrastructurename": "simphera",
+  "ingress_nginx_config": {
+    "enable": false
+  },
   "install_schedule": "cron(0 3 * * ? *)",
   "ivsGpuNodeCountMax": 2,
   "ivsGpuNodeCountMin": 0,

diff --git a/terraform.tfvars.example b/terraform.tfvars.example
@@ -23,9 +23,6 @@ ecr_pullthrough_cache_rule_config = {
 # Install FluentBit to send container logs to CloudWatch.
 enable_aws_for_fluentbit = false
 
-# Enable Ingress Nginx add-on
-enable_ingress_nginx = false
-
 enable_ivs = false
 
 # Scans license server EC2 instance and EKS nodes for updates.
@@ -56,6 +53,14 @@ gpuNvidiaDriverVersion = "535.54.03"
 # The name of the infrastructure. e.g. simphera-infra
 infrastructurename = "simphera"
 
+# Input configuration for ingress-nginx service deployed with helm release.
+# By setting key 'enable' to 'true', ingress-nginx service will be deployed.
+# 'helm_repository' is an URL for the repository of ingress-nginx helm chart, where 'helm_version' is its respective version of a chart.
+# 'chart_values' is used for changing default values.yaml of an ingress-nginx chart.
+ingress_nginx_config = {
+  "enable": false
+}
+
 # 6-field Cron expression describing the install maintenance schedule. Must not overlap with variable scan_schedule.
 install_schedule = "cron(0 3 * * ? *)"
 

diff --git a/variables.tf b/variables.tf
@@ -208,12 +208,6 @@ variable "rtMaps_link" {
   default     = "http://dl.intempora.com/RTMaps4/rtmaps_4.9.0_ubuntu1804_x86_64_release.tar.bz2"
 }
 
-variable "enable_ingress_nginx" {
-  type        = bool
-  description = "Enable Ingress Nginx add-on"
-  default     = false
-}
-
 variable "map_accounts" {
   type        = list(string)
   description = "Additional AWS account numbers to add to the aws-auth ConfigMap"
@@ -240,6 +234,27 @@ variable "map_users" {
   default     = []
 }
 
+variable "ingress_nginx_config" {
+  type = object({
+    enable          = bool
+    helm_repository = optional(string, "https://kubernetes.github.io/ingress-nginx")
+    helm_version    = optional(string, "4.1.4")
+    chart_values = optional(string, <<-YAML
+controller:
+  images:
+    registry: "registry.k8s.io"
+  service:
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+YAML
+    )
+  })
+  description = "Input configuration for ingress-nginx service deployed with helm release. By setting key 'enable' to 'true', ingress-nginx service will be deployed. 'helm_repository' is an URL for the repository of ingress-nginx helm chart, where 'helm_version' is its respective version of a chart. 'chart_values' is used for changing default values.yaml of an ingress-nginx chart."
+  default = {
+    enable = false
+  }
+}
+
 variable "simpheraInstances" {
   type = map(object({
     name                         = string

diff --git a/versions.tf b/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.1.7"
+  required_version = ">= 1.3.0"
 
   required_providers {
     aws = {