Initial commit
jrsdav committed Jul 7, 2021
1 parent b1267d9 commit 0549a5e
Showing 76 changed files with 11,248 additions and 1 deletion.
294 changes: 293 additions & 1 deletion README.md


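--- a/cert_manager.tf
+++ b/cert_manager.tf
@@ -0,0 +1,138 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+data "aws_iam_policy_document" "cert_manager" {
+statement {
+sid = "Changes"
+actions = [
+"route53:GetChange"
+]
+resources = [
+"arn:aws:route53:::change/*"
+]
+effect = "Allow"
+}
+
+statement {
+sid = "Update"
+actions = [
+"route53:ChangeResourceRecordSets",
+"route53:ListResourceRecordSets"
+]
+resources = [
+"arn:aws:route53:::hostedzone/${var.hosted_zone_id}"
+]
+effect = "Allow"
+}
+
+statement {
+sid = "List"
+actions = [
+"route53:ListHostedZonesByName"
+]
+resources = [
+"*"
+]
+effect = "Allow"
+}
+}
+
+data "aws_iam_policy_document" "cert_manager_sts" {
+statement {
+actions = [
+"sts:AssumeRoleWithWebIdentity"
+]
+effect = "Allow"
+principals {
+type = "Federated"
+identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, local.account_id, local.oidc_issuer)]
+}
+condition {
+test = "StringLike"
+values = [format("system:serviceaccount:%s:%s", "kube-system", "cert-manager")]
+variable = format("%s:sub", local.oidc_issuer)
+}
+}
+}
+
+resource "aws_iam_role" "cert_manager" {
+name = format("%s-cert-manager-role", module.eks.cluster_id)
+description = "Role assumed by EKS ServiceAccount cert-manager"
+assume_role_policy = data.aws_iam_policy_document.cert_manager_sts.json
+
+inline_policy {
+name = format("%s-cert-manager-policy", module.eks.cluster_id)
+policy = data.aws_iam_policy_document.cert_manager.json
+}
+}
+
+resource "helm_release" "cert_manager" {
+atomic = true
+chart = "cert-manager"
+cleanup_on_fail = true
+create_namespace = false
+name = "cert-manager"
+namespace = "kube-system"
+repository = "https://charts.jetstack.io"
+timeout = 600
+version = "1.4.0"
+wait = true
+
+set {
+name = "installCRDs"
+value = true
+}
+
+set {
+name = "serviceAccount.name"
+value = "cert-manager"
+}
+
+set {
+name = "extraArgs[0]"
+value = "--issuer-ambient-credentials=true"
+}
+
+set {
+name = "securityContext.fsGroup"
+value = "65534"
+}
+
+set {
+name = "serviceAccount.annotations.eks\\.amazonaws\\.com\\/role\\-arn"
+value = aws_iam_role.cert_manager.arn
+type = "string"
+}
+
+dynamic "set" {
+for_each = var.cert_manager_service_account_annotations
+content {
+name = "serviceAccount.annotations.${set.key}"
+value = set.value
+}
+}
+
+dynamic "set" {
+for_each = var.cert_manager_settings
+content {
+name = set.key
+value = set.value
+}
+}
+}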
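Review bot: The trust policy in `cert_manager_sts` (the `condition` block after `principals`) constrains only the `:sub` claim; unlike the cluster-autoscaler role added in this same commit it never requires `:aud` to be `sts.amazonaws.com`, so any token the cluster's OIDC issuer mints for that service account, whatever audience it was requested for, can assume the Route53 role. Add a second condition on the audience, and since the `:sub` value contains no wildcard, `StringEquals` states the intent more precisely than `StringLike`. The Route53 resource ARNs in the `cert_manager` policy document also hardcode the `aws` partition while the OIDC provider ARN is built from `var.aws_partition`; use the variable in both places. Separately, `--issuer-ambient-credentials=true` (as I read the flag) lets namespaced Issuers, not only ClusterIssuers, solve DNS-01 with this pod's IRSA credentials, so anyone who can create an Issuer in any namespace can drive record changes in the hosted zone; if that is intended, say so next to the `set` block with a comment such as `# NOTE: ambient credentials let any namespace's Issuer use the IRSA role — restrict who may create Issuers`.
```hcl
data "aws_iam_policy_document" "cert_manager_sts" {
  statement {
    # … unchanged: actions, effect, principals …
    condition {
      test     = "StringEquals"
      values   = [format("system:serviceaccount:%s:%s", "kube-system", "cert-manager")]
      variable = format("%s:sub", local.oidc_issuer)
    }
    condition {
      test     = "StringEquals"
      values   = ["sts.amazonaws.com"]
      variable = format("%s:aud", local.oidc_issuer)
    }
  }
}
```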
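--- a/cluster_autoscaler.tf
+++ b/cluster_autoscaler.tf
@@ -0,0 +1,170 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+resource "aws_iam_policy" "cluster_autoscaler" {
+name = format("%s-cluster-autoscaler-policy", module.eks.cluster_id)
+description = "Provides EC2 ASG access for cluster autoscaling"
+policy = data.aws_iam_policy_document.worker_autoscaling.json
+}
+
+data "aws_iam_policy_document" "worker_autoscaling" {
+statement {
+sid = "eksWorkerAutoscalingAll"
+effect = "Allow"
+
+actions = [
+"autoscaling:DescribeAutoScalingGroups",
+"autoscaling:DescribeAutoScalingInstances",
+"autoscaling:DescribeLaunchConfigurations",
+"autoscaling:DescribeTags",
+"ec2:DescribeLaunchTemplateVersions",
+]
+
+resources = ["*"]
+}
+
+statement {
+sid = "eksWorkerAutoscalingOwn"
+effect = "Allow"
+
+actions = [
+"autoscaling:SetDesiredCapacity",
+"autoscaling:TerminateInstanceInAutoScalingGroup",
+"autoscaling:UpdateAutoScalingGroup",
+]
+
+resources = ["*"]
+
+condition {
+test = "StringEquals"
+variable = "autoscaling:ResourceTag/k8s.io/cluster/${module.eks.cluster_id}"
+values = ["owned"]
+}
+
+condition {
+test = "StringEquals"
+variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${module.eks.cluster_id}"
+values = ["owned"]
+}
+}
+}
+
+resource "aws_iam_role" "cluster_autoscaler" {
+name = format("%s-cluster-autoscaler-role", module.eks.cluster_id)
+description = format("Allows %s assume role permissions in %s", module.eks.cluster_id, var.region)
+managed_policy_arns = [aws_iam_policy.cluster_autoscaler.arn]
+
+assume_role_policy = jsonencode({
+"Version" : "2012-10-17",
+"Statement" : [
+{
+"Effect" : "Allow",
+"Principal" : {
+"Federated" : "arn:aws:iam::${local.account_id}:oidc-provider/${local.oidc_issuer}"
+},
+"Action" : "sts:AssumeRoleWithWebIdentity",
+"Condition" : {
+"StringEquals" : {
+"${local.oidc_issuer}:aud" : "sts.amazonaws.com",
+"${local.oidc_issuer}:sub" : "system:serviceaccount:kube-system:cluster-autoscaler"
+}
+}
+}
+]
+})
+}
+
+resource "helm_release" "cluster_autoscaler" {
+name = "cluster-autoscaler"
+repository = "https://kubernetes.github.io/autoscaler"
+chart = "cluster-autoscaler"
+namespace = "kube-system"
+version = "9.9.2"
+wait = true
+timeout = 600
+atomic = true
+cleanup_on_fail = true
+
+dynamic "set" {
+for_each = var.cluster_autoscaler_settings
+content {
+name = set.key
+value = set.value
+}
+}
+
+values = [
+yamlencode({
+"autoDiscovery" : {
+"clusterName" : "${module.eks.cluster_id}",
+}
+"awsRegion" : "${var.region}"
+"cloudProvider" : "aws"
+"extraArgs" : {
+"balance-similar-node-groups" : true,
+"expander" : "least-waste",
+"skip-nodes-with-system-pods" : false,
+"logtostderr" : true,
+"stderrthreshold" : "info"
+"v" : "4",
+"skip-nodes-with-local-storage" : false,
+"expander" : "least-waste",
+"node-group-auto-discovery" : "asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/${module.eks.cluster_id}"
+}
+"extraVolumes" : [
+{
+"name" : "ssl-certs",
+"hostPath" : {
+"path" : "/etc/ssl/certs/ca-bundle.crt"
+}
+}
+]
+"extraVolumeMounts" : [
+{
+"name" : "ssl-certs",
+"mountPath" : "/etc/ssl/certs/ca-certificates.crt",
+"readOnly" : true
+}
+]
+"rbac" : {
+"create" : true,
+"pspEnabled" : true,
+"serviceAccount" : {
+"annotations" : {
+"eks.amazonaws.com/role-arn" : "${aws_iam_role.cluster_autoscaler.arn}"
+},
+"create" : true,
+"name" : "cluster-autoscaler",
+"automountServiceAccountToken" : true
+}
+}
+"replicaCount" : "1"
+"resources" : {
+"limits" : {
+"cpu" : "100m",
+"memory" : "300Mi"
+},
+"requests" : {
+"cpu" : "100m",
+"memory" : "300Mi"
+}
+}
+})
+]
+}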
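Review bot: The `extraArgs` object passed through `yamlencode` defines `"expander" : "least-waste"` twice (once after `balance-similar-node-groups`, again after `skip-nodes-with-local-storage`); depending on the HCL version this is either a redundant key or a duplicate-object-key error, so drop the second occurrence. The assume-role policy hardcodes `arn:aws:iam::` while `cert_manager.tf` in the same commit builds the OIDC provider ARN from `var.aws_partition`; the role will not resolve in other partitions, so build it the same way here: `"Federated" : format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, local.account_id, local.oidc_issuer)`. Note also that `eksWorkerAutoscalingOwn` only allows scaling on ASGs tagged both `k8s.io/cluster/<id>=owned` and `kubernetes.io/cluster/<id>=owned`, while auto-discovery matches `k8s.io/cluster-autoscaler/enabled` and `k8s.io/cluster-autoscaler/<id>`; node groups must carry all of these tags or the scaling calls are denied, and nothing visible here enforces that, so a comment on the policy document listing the required tags would help. `"pspEnabled" : true` depends on PodSecurityPolicy, which is deprecated and removed in Kubernetes 1.25, so it deserves a comment tying it to the cluster versions this module supports.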

0 comments on commit 0549a5e
