Refactor Karpenter cleanup steps in destroy workflow for clarity and legacy support; enhance monitoring workflow with ingress wait and endpoint printing; update Terraform variables for node instance types and dependencies in VPC module.

Author: karimzakzouk

.github/workflows/destroy.yml

@@ -124,66 +124,73 @@ jobs:
       # ==================================================
       # PHASE 3: CLEAN UP KARPENTER RESOURCES
       # ==================================================
-      - name: Delete Karpenter Resources
+      - name: Delete Karpenter Resources (Legacy API)
         run: |
-          echo "🚗 Cleaning up Karpenter resources..."
+          echo "Cleaning up Karpenter resources (legacy API versions)..."
           
-          # Delete Karpenter custom resources first
-          echo "Deleting Karpenter NodePools and EC2NodeClasses..."
-          kubectl delete nodepool --all --ignore-not-found --timeout=60s || true
-          kubectl delete ec2nodeclass --all --ignore-not-found --timeout=60s || true
+          # Delete LEGACY Karpenter Provisioners (v1alpha5) - THIS IS WHAT YOU'RE USING
+          echo "Deleting legacy Karpenter Provisioners (v1alpha5)..."
+          kubectl delete provisioner ${{ vars.KARPENTER_NODEPOOL_NAME }} --ignore-not-found --timeout=60s || true
+          kubectl delete provisioner --all --ignore-not-found --timeout=60s || true
           
-          # Delete legacy Karpenter resources
-          echo "Deleting legacy Karpenter Provisioners and AWSNodeTemplates..."
-          kubectl delete provisioner ${{ vars.KARPENTER_NODEPOOL_NAME }} --ignore-not-found -n ${{ vars.KARPENTER_NAMESPACE }} --timeout=60s || true
-          kubectl delete provisioner --all -n ${{ vars.KARPENTER_NAMESPACE }} --ignore-not-found --timeout=60s || true
-          kubectl delete awsnodetemplate ${{ vars.KARPENTER_NODECLASS_NAME }} --ignore-not-found -n ${{ vars.KARPENTER_NAMESPACE }} --timeout=60s || true
-          kubectl delete awsnodetemplate --all -n ${{ vars.KARPENTER_NAMESPACE }} --ignore-not-found --timeout=60s || true
+          # Delete LEGACY AWSNodeTemplates (v1alpha1) - THIS IS WHAT YOU'RE USING
+          echo "Deleting legacy AWSNodeTemplates (v1alpha1)..."
+          kubectl delete awsnodetemplate ${{ vars.KARPENTER_NODECLASS_NAME }} --ignore-not-found --timeout=60s || true
+          kubectl delete awsnodetemplate --all --ignore-not-found --timeout=60s || true
           
-          echo "⏳ Waiting for Karpenter resources to be cleaned up..."
-          sleep 30
-          echo "✅ Karpenter resources cleanup completed"
+          # Remove finalizers from legacy resources if they're stuck
+          echo "Removing finalizers from stuck Provisioners..."
+          kubectl get provisioner -o name | xargs -r -I {} kubectl patch {} -p '{"metadata":{"finalizers":[]}}' --type=merge || true
+          
+          echo "Removing finalizers from stuck AWSNodeTemplates..."
+          kubectl get awsnodetemplate -o name | xargs -r -I {} kubectl patch {} -p '{"metadata":{"finalizers":[]}}' --type=merge || true
+          
+          echo "Waiting for Karpenter resources to be cleaned up..."
+          sleep 60
+          echo "Karpenter resources cleanup completed"
         continue-on-error: true
 
-      - name: Uninstall Karpenter Helm Release
+      - name: Force Delete Karpenter Nodes from Kubernetes
         run: |
-          echo "📦 Uninstalling Karpenter Helm release..."
-          helm uninstall karpenter -n ${{ vars.KARPENTER_NAMESPACE }} --timeout=300s || true
+          echo "Removing Karpenter-managed nodes from Kubernetes cluster..."
           
-          echo "⏳ Waiting for Karpenter pods to terminate..."
-          kubectl wait --for=delete pod -l app.kubernetes.io/name=karpenter -n ${{ vars.KARPENTER_NAMESPACE }} --timeout=120s || true
+          # Delete nodes that have Karpenter labels
+          kubectl get nodes -l karpenter.sh/provisioner-name --no-headers -o custom-columns=":metadata.name" | xargs -r kubectl delete node --timeout=60s || true
+          kubectl get nodes -l karpenter.sh/cluster=${{ vars.CLUSTER_NAME }} --no-headers -o custom-columns=":metadata.name" | xargs -r kubectl delete node --timeout=60s || true
           
-          echo "💥 Force deleting any remaining Karpenter pods..."
-          kubectl delete pods --all -n ${{ vars.KARPENTER_NAMESPACE }} --force --grace-period=0 || true
-          echo "✅ Karpenter Helm release uninstalled"
+          # Also try generic Karpenter node labels
+          kubectl get nodes -l node.kubernetes.io/instance-type --no-headers -o custom-columns=":metadata.name" | while read node; do
+            if kubectl describe node $node | grep -q "karpenter"; then
+              echo "Deleting Karpenter node: $node"
+              kubectl delete node $node --timeout=60s || true
+            fi
+          done || true
+          
+          echo "Node cleanup completed"
         continue-on-error: true
 
-      - name: Clean up Karpenter CRDs and Webhooks
+      - name: Clean up Karpenter CRDs and Webhooks (Kubectl Only)
         run: |
-          echo "🧹 Cleaning up Karpenter CRDs and webhooks..."
-          
-          # Delete Karpenter CRDs
-          echo "Deleting Karpenter CRDs..."
-          kubectl delete crd provisioners.karpenter.sh --ignore-not-found --timeout=60s || true
-          kubectl delete crd awsnodetemplates.karpenter.k8s.aws --ignore-not-found --timeout=60s || true
-          kubectl delete crd nodepools.karpenter.sh --ignore-not-found --timeout=60s || true
-          kubectl delete crd ec2nodeclasses.karpenter.k8s.aws --ignore-not-found --timeout=60s || true
+          echo "Cleaning up Karpenter CRDs and webhooks..."
           
-          # Delete Karpenter webhooks
+          # Delete Karpenter webhooks first (this is critical)
           echo "Deleting Karpenter webhooks..."
-          kubectl delete validatingwebhookconfiguration defaulting.webhook.karpenter.sh --ignore-not-found || true
           kubectl delete validatingwebhookconfiguration validation.webhook.karpenter.sh --ignore-not-found || true
+          kubectl delete validatingwebhookconfiguration defaulting.webhook.karpenter.sh --ignore-not-found || true
           kubectl delete mutatingwebhookconfiguration defaulting.webhook.karpenter.sh --ignore-not-found || true
           
+          # Delete LEGACY Karpenter CRDs (what you're actually using)
+          echo "Deleting LEGACY Karpenter CRDs..."
+          kubectl delete crd provisioners.karpenter.sh --ignore-not-found --timeout=60s || true
+          kubectl delete crd awsnodetemplates.karpenter.k8s.aws --ignore-not-found --timeout=60s || true
+          
           # Remove finalizers from stuck CRDs
           echo "Removing finalizers from stuck Karpenter CRDs..."
           kubectl patch crd provisioners.karpenter.sh -p '{"metadata":{"finalizers":[]}}' --type=merge || true
           kubectl patch crd awsnodetemplates.karpenter.k8s.aws -p '{"metadata":{"finalizers":[]}}' --type=merge || true
-          kubectl patch crd nodepools.karpenter.sh -p '{"metadata":{"finalizers":[]}}' --type=merge || true
-          kubectl patch crd ec2nodeclasses.karpenter.k8s.aws -p '{"metadata":{"finalizers":[]}}' --type=merge || true
-          echo "✅ Karpenter CRDs and webhooks cleanup completed"
+          
+          echo "Karpenter CRDs and webhooks cleanup completed"
         continue-on-error: true
-
       # ==================================================
       # PHASE 4: UNINSTALL HELM RELEASES
       # ==================================================

.github/workflows/monitoring.yml

@@ -93,4 +93,33 @@ jobs:
           export ARGOCD_NAMESPACE=${{ inputs.argocd_namespace }}
           envsubst < ./argocd/monitoring.yml | \
             sed "s/monitoring\.yourdomain\.com/${{ steps.nginx-lb.outputs.nginx_hostname }}/g" | \
-            kubectl apply -f -
+            kubectl apply -f -
+
+      - name: Wait for Monitoring Ingress and Print Endpoints
+        run: |
+          # Wait for monitoring ingress
+          MONITORING_INGRESS=""
+          for i in {1..30}; do
+            MONITORING_INGRESS=$(kubectl get ingress -n ${{ inputs.monitoring_namespace }} -o jsonpath='{.items[0].status.loadBalancer.ingress[0].hostname}' 2>/dev/null)
+            if [[ ! -z "$MONITORING_INGRESS" ]]; then
+              echo "Monitoring ingress is ready: $MONITORING_INGRESS"
+              break
+            else
+              echo "Waiting for monitoring ingress to be ready ($i/30)..."
+              sleep 10
+            fi
+          done
+
+          # Print all service endpoints
+          ARGOCD_HOST=$(kubectl get svc argocd-server -n ${{ inputs.argocd_namespace }} -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || echo 'Not found')
+          APP_HOST=$(kubectl get svc ${{ inputs.app_name }}-svc -n ${{ inputs.app_namespace }} -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || echo 'Not found')
+          echo "🚀 ArgoCD: http://$ARGOCD_HOST"
+          echo "🌟 App: http://$APP_HOST"
+          if [[ -z "$MONITORING_INGRESS" ]]; then
+            echo "⚠️ Monitoring Ingress not ready"
+          else
+            echo "📊 Monitoring Services:"
+            echo "Prometheus: http://$MONITORING_INGRESS/prometheus"
+            echo "Grafana: http://$MONITORING_INGRESS/grafana"
+            echo "Alertmanager: http://$MONITORING_INGRESS/alertmanager"
+          fi

Terraform/4-variables.tf

@@ -51,7 +51,7 @@ variable "node_groups" {
 
   default = {
     default = {
-      instance_types = ["t3.micro"]
+      instance_types = ["t3.medium"]
       capacity_type  = "ON_DEMAND"
       scaling_config = {
         desired_size = 1

Terraform/modules/eks/main.tf

@@ -1,38 +1,4 @@
-resource "aws_eks_cluster" "main" {
-  name     = var.cluster_name
-  version  = var.cluster_version
-  role_arn = aws_iam_role.cluster.arn
-
-  access_config {
-    authentication_mode                         = "API_AND_CONFIG_MAP"
-    bootstrap_cluster_creator_admin_permissions = true
-  }
-
-  vpc_config {
-    subnet_ids = var.cluster_subnet_ids # Changed from var.subnet_ids
-  }
-
-  depends_on = [
-    aws_iam_role_policy_attachment.cluster_policy
-  ]
-
-  tags = {
-    "karpenter.sh/discovery" = var.cluster_name
-    "Name"                   = var.cluster_name
-  }
-}
-
-resource "aws_ec2_tag" "cluster_sg_karpenter" {
-  resource_id = aws_eks_cluster.main.vpc_config[0].cluster_security_group_id
-  key         = "karpenter.sh/discovery"
-  value       = var.cluster_name
-}
-# EKS OIDC Identity Provider
-resource "aws_iam_openid_connect_provider" "eks" {
-  client_id_list  = ["sts.amazonaws.com"]
-  thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
-  url             = aws_eks_cluster.main.identity[0].oidc[0].issuer
-}
+data "aws_caller_identity" "current" {}
 
 resource "aws_iam_role" "cluster" {
   name = "${var.cluster_name}-cluster-role"
@@ -56,10 +22,10 @@ resource "aws_iam_role" "cluster" {
 resource "aws_iam_role_policy_attachment" "cluster_policy" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
   role       = aws_iam_role.cluster.name
+  
+  depends_on = [aws_iam_role.cluster]
 }
 
-
-
 resource "aws_iam_role" "node" {
   name = "${var.cluster_name}-node-role"
   assume_role_policy = jsonencode({
@@ -86,16 +52,59 @@ resource "aws_iam_role_policy_attachment" "node_policy" {
 
   policy_arn = each.value
   role       = aws_iam_role.node.name
+  
+  depends_on = [aws_iam_role.node]
+}
+
+resource "aws_eks_cluster" "main" {
+  name     = var.cluster_name
+  version  = var.cluster_version
+  role_arn = aws_iam_role.cluster.arn
+
+  access_config {
+    authentication_mode                         = "API_AND_CONFIG_MAP"
+    bootstrap_cluster_creator_admin_permissions = true
+  }
+
+  vpc_config {
+    subnet_ids = var.cluster_subnet_ids # Changed from var.subnet_ids
+  }
+
+  depends_on = [
+    aws_iam_role.cluster,
+    aws_iam_role_policy_attachment.cluster_policy
+  ]
+
+  tags = {
+    "karpenter.sh/discovery" = var.cluster_name
+    "Name"                   = var.cluster_name
+  }
 }
 
+# EKS OIDC Identity Provider
+resource "aws_iam_openid_connect_provider" "eks" {
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+  url             = aws_eks_cluster.main.identity[0].oidc[0].issuer
+  
+  depends_on = [aws_eks_cluster.main]
+}
 
+resource "aws_ec2_tag" "cluster_sg_karpenter" {
+  resource_id = aws_eks_cluster.main.vpc_config[0].cluster_security_group_id
+  key         = "karpenter.sh/discovery"
+  value       = var.cluster_name
+  
+  depends_on = [aws_eks_cluster.main]
+}
 
 resource "aws_eks_node_group" "main" {
   for_each        = var.node_groups
   cluster_name    = aws_eks_cluster.main.name
   node_group_name = each.key
   node_role_arn   = aws_iam_role.node.arn
   subnet_ids      = var.node_subnet_ids # Changed from var.subnet_ids
+  
   scaling_config {
     desired_size = each.value.scaling_config.desired_size
     max_size     = each.value.scaling_config.max_size
@@ -107,14 +116,18 @@ resource "aws_eks_node_group" "main" {
   }
 
   depends_on = [
+    aws_eks_cluster.main,
+    aws_iam_role.node,
     aws_iam_role_policy_attachment.node_policy
   ]
 }
 
 # Karpenter Node Instance Profile (reuse existing node role)
 resource "aws_iam_instance_profile" "karpenter_node" {
-  name = "KarpenterNodeInstanceProfile"
+  name = "KarpenterNodeInstanceProfile-${var.cluster_name}"
   role = aws_iam_role.node.name
+  
+  depends_on = [aws_iam_role.node]
 }
 
 # Karpenter Controller IAM Role
@@ -139,7 +152,13 @@ resource "aws_iam_role" "karpenter_controller" {
       }
     ]
   })
+  
+  depends_on = [
+    aws_eks_cluster.main,
+    aws_iam_openid_connect_provider.eks
+  ]
 }
+
 resource "aws_iam_role_policy" "karpenter_controller" {
   name = "KarpenterControllerPolicy"
   role = aws_iam_role.karpenter_controller.id
@@ -193,12 +212,12 @@ resource "aws_iam_role_policy" "karpenter_controller" {
       }
     ]
   })
+  
+  depends_on = [aws_iam_role.karpenter_controller]
 }
 
 # SQS Queue for Spot Interruption Notifications
 resource "aws_sqs_queue" "karpenter_interruption" {
   name                      = "karpenter-interruption-queue-${var.cluster_name}"
   message_retention_seconds = 300
 }
-
-data "aws_caller_identity" "current" {}