From 71c6e30d7d1180a8408497ab5dcf8c233a51d3c9 Mon Sep 17 00:00:00 2001
From: Rayane Bellazaar
Date: Fri, 23 Jun 2023 10:31:11 +0200
Subject: [PATCH] feat: add IP mask agent addons for google

Signed-off-by: Rayane Bellazaar
---
 README.md | 1 +
 modules/google/README.md | 3 ++
 modules/google/ip-mask-agent.tf | 17 +++++++
 .../gke-ip-masq/ip-masq-agent-configmap.yaml | 14 ++++++
 .../gke-ip-masq/ip-masq-agent-daemonset.yaml | 45 +++++++++++++++++++
 variables.tf | 6 +++
 6 files changed, 86 insertions(+)
 create mode 100644 modules/google/ip-mask-agent.tf
 create mode 100644 modules/google/manifests/gke-ip-masq/ip-masq-agent-configmap.yaml
 create mode 100644 modules/google/manifests/gke-ip-masq/ip-masq-agent-daemonset.yaml

diff --git a/README.md b/README.md
index 72f9dbea1..6db0a267b 100644
--- a/README.md
+++ b/README.md
@@ -281,6 +281,7 @@ No modules.
 | [flux2](#input\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |
 | [helm\_defaults](#input\_helm\_defaults) | Customize default Helm behavior | `any` | `{}` | no |
 | [ingress-nginx](#input\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |
+| [ip-mask-agent](#input\_ip-mask-agent) | Configure ip mask agent chart, see `ip-mask-agent.tf` for supported values. This addon works only on GCP. | `any` | `{}` | no |
 | [k8gb](#input\_k8gb) | Customize k8gb chart, see `k8gb.tf` for supported values | `any` | `{}` | no |
 | [karma](#input\_karma) | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |
 | [keda](#input\_keda) | Customize keda chart, see `keda.tf` for supported values | `any` | `{}` | no |
diff --git a/modules/google/README.md b/modules/google/README.md
index ffd98fc50..ad42fdf3b 100644
--- a/modules/google/README.md
+++ b/modules/google/README.md
@@ -53,6 +53,7 @@ User guides, feature documentation and examples are available [here](https://git
 | [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.external-dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubectl_manifest.ip_masq_agent](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.external-dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_network_policy.cert-manager_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -67,6 +68,7 @@ User guides, feature documentation and examples are available [here](https://git
 | [time_sleep.cert-manager_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [jinja_template.cert-manager_cluster_issuers](https://registry.terraform.io/providers/NikolaLohinski/jinja/latest/docs/data-sources/template) | data source |
 | [kubectl_file_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/file_documents) | data source |
+| [kubectl_filename_list.ip_masq_agent_manifests](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/filename_list) | data source |
 
 ## Inputs
@@ -82,6 +84,7 @@ User guides, feature documentation and examples are available [here](https://git
 | [flux2](#input\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |
 | [helm\_defaults](#input\_helm\_defaults) | Customize default Helm behavior | `any` | `{}` | no |
 | [ingress-nginx](#input\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |
+| [ip-mask-agent](#input\_ip-mask-agent) | Configure ip mask agent chart, see `ip-mask-agent.tf` for supported values. This addon works only on GCP. | `any` | `{}` | no |
 | [k8gb](#input\_k8gb) | Customize k8gb chart, see `k8gb.tf` for supported values | `any` | `{}` | no |
 | [karma](#input\_karma) | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |
 | [keda](#input\_keda) | Customize keda chart, see `keda.tf` for supported values | `any` | `{}` | no |
diff --git a/modules/google/ip-mask-agent.tf b/modules/google/ip-mask-agent.tf
new file mode 100644
index 000000000..ffdabd4a7
--- /dev/null
+++ b/modules/google/ip-mask-agent.tf
@@ -0,0 +1,17 @@
+locals {
+ ip-mask-agent = merge(
+ {
+ enabled = false
+ },
+ var.ip-mask-agent
+ )
+}
+
+data "kubectl_filename_list" "ip_masq_agent_manifests" {
+ pattern = "./manifests/gke-ip-masq/*.yaml"
+}
+
+resource "kubectl_manifest" "ip_masq_agent" {
+ count = local.ip-mask-agent.enabled ? 1 : 0
+ yaml_body = file(element(data.kubectl_filename_list.ip_masq_agent_manifests.matches, count.index))
+}
diff --git a/modules/google/manifests/gke-ip-masq/ip-masq-agent-configmap.yaml b/modules/google/manifests/gke-ip-masq/ip-masq-agent-configmap.yaml
new file mode 100644
index 000000000..faf39e636
--- /dev/null
+++ b/modules/google/manifests/gke-ip-masq/ip-masq-agent-configmap.yaml
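Review bot: `count = local.ip-mask-agent.enabled ? 1 : 0` creates a single `kubectl_manifest` although `kubectl_filename_list` matches two files, so `element(..., count.index)` only ever applies the first match (presumably the ConfigMap, by name order) and the DaemonSet never reaches the cluster; use `count = local.ip-mask-agent.enabled ? length(data.kubectl_filename_list.ip_masq_agent_manifests.matches) : 0`. The glob `./manifests/gke-ip-masq/*.yaml` is resolved against the working directory rather than the module, so it should read `pattern = "${path.module}/manifests/gke-ip-masq/*.yaml"`. Even with both objects applied nothing orders them, and because the DaemonSet marks the ConfigMap `optional: true` a late or missing map does not fail the apply but leaves the agent on its built-in CIDR defaults; two separate resources with `depends_on`, or `optional: false` in the DaemonSet, would make that failure loud. The diffstat lists no `modules/google/variables.tf`, so `var.ip-mask-agent` is undeclared inside the module unless that file is a symlink to the root `variables.tf`.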
@@ -0,0 +1,14 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ip-masq-agent + namespace: kube-system +data: + config: | + nonMasqueradeCIDRs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + resyncInterval: 60s + masqLinkLocal: false diff --git a/modules/google/manifests/gke-ip-masq/ip-masq-agent-daemonset.yaml b/modules/google/manifests/gke-ip-masq/ip-masq-agent-daemonset.yaml new file mode 100644 index 000000000..519e28487 --- /dev/null +++ b/modules/google/manifests/gke-ip-masq/ip-masq-agent-daemonset.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: ip-masq-agent + namespace: kube-system +spec: + selector: + matchLabels: + k8s-app: ip-masq-agent + template: + metadata: + labels: + k8s-app: ip-masq-agent + spec: + hostNetwork: true + containers: + - name: ip-masq-agent + image: gke.gcr.io/ip-masq-agent:v2.9.3-v0.2.4-gke.5 + args: + # The masq-chain must be IP-MASQ + - --masq-chain=IP-MASQ + # To non-masquerade reserved IP ranges by default, + # uncomment the following line. + # - --nomasq-all-reserved-ranges + securityContext: + privileged: true + volumeMounts: + - name: config-volume + mountPath: /etc/config + volumes: + - name: config-volume + configMap: + name: ip-masq-agent + optional: true + items: + - key: config + path: ip-masq-agent + tolerations: + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + - key: "CriticalAddonsOnly" + operator: "Exists" diff --git a/variables.tf b/variables.tf index d19cdee61..b1d3af68c 100644 --- a/variables.tf +++ b/variables.tf @@ -219,3 +219,9 @@ variable "victoria-metrics-k8s-stack" { type = any default = {} } + +variable "ip-mask-agent" { + description = "Configure ip mask agent chart, see `ip-mask-agent.tf` for supported values. This addon works only on GCP." + type = any + default = {} +}
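Review bot: `nonMasqueradeCIDRs` is hard-coded to the three RFC 1918 ranges and is not exposed through `var.ip-mask-agent`, although both README tables point users to `ip-mask-agent.tf` for supported values. Which destinations bypass SNAT is a security-relevant network decision: traffic to these ranges leaves the node with the pod IP rather than the node IP, which is what VPC firewall rules, peered networks and flow logs see, so a cluster whose pod range is outside RFC 1918, or that peers into one of these ranges, gets a different exposure than the operator assumed. Consider rendering the list from a `non_masquerade_cidrs` key merged into `local.ip-mask-agent`, the way this module already templates the cert-manager issuers through `jinja_template`, and until then add a comment above the list such as `# Destinations reached with the pod IP (no SNAT); must match this cluster's VPC and pod ranges.`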
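Review bot: the DaemonSet runs `privileged: true` on `hostNetwork: true` in `kube-system` on every node, yet the image is pinned only by tag, `gke.gcr.io/ip-masq-agent:v2.9.3-v0.2.4-gke.5`; for a node-wide privileged workload a digest pin (`image: gke.gcr.io/ip-masq-agent:v2.9.3-v0.2.4-gke.5@sha256:<digest>`) is worth the maintenance cost, since a re-pushed tag would silently change what runs as root on the host network. The manifest appears to be the GKE-documented one and the privilege is needed to program iptables, but it is worth testing whether `privileged: true` can be narrowed to `capabilities: {add: [NET_ADMIN]}` with `allowPrivilegeEscalation: false`. `optional: true` on the `config-volume` ConfigMap means the agent runs with built-in defaults when the map is absent, which is the wrong failure mode for a SNAT policy that the operator believes they have set. A header comment naming the upstream manifest and version this was copied from would let the next reviewer diff it against upstream.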
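Review bot: the description calls this a `chart` and points to `ip-mask-agent.tf` for supported values, but the module applies raw manifests and the only key it reads is `enabled`; `description = "Enable the GKE ip-masq-agent manifests (supported key: enabled). This addon works only on GCP."` says what the variable actually does. The name `ip-mask-agent` also differs from the `ip_masq_agent` / `ip-masq-agent` spelling used by every resource and manifest in this patch and by the upstream agent (short for masquerade); since the variable name is the public interface, settling on one spelling before release avoids a breaking rename later. With `type = any` a misspelled key such as `enable = true` is accepted silently and leaves the addon off, so `type = object({ enabled = optional(bool, false) })` would catch that, if the repo's minimum Terraform version supports `optional()`.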