feat: add keda helm chart (#170)

Author: mglotov

README.md

@@ -532,6 +532,9 @@ We use GitHub Actions and [tfsec](https://github.com/aquasecurity/tfsec) to chec
 | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress      | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet                 | We don't want to deny egress traffic in a default installation                                                                                |
 | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress      | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default                  | We don't want to deny egress traffic in a default installation                                                                                |
 | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress      | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default                  | We don't want to deny egress traffic in a default installation                                                                                |
+| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress      | Resource 'module.keda_namespace:kubernetes_network_policy.this[2]' allows egress traffic to the internet                                            | We don't want to deny egress traffic in a default installation                                                                                |
+| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress      | Resource 'module.keda_namespace:kubernetes_network_policy.this[1]' allows all egress traffic by default                                             | We don't want to deny egress traffic in a default installation                                                                                |
+| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress      | Resource 'module.keda_namespace:kubernetes_network_policy.this[0]' allows all egress traffic by default                                             | We don't want to deny egress traffic in a default installation                                                                                |
 | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress     | Resource 'module.reloader_namespace:kubernetes_network_policy.this[0]' allows all ingress traffic by default                                        | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug)                                                               |
 | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress     | Resource 'module.certmanager_namespace:kubernetes_network_policy.this[3]' allows all ingress traffic by default                                     | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug)                                                               |
 | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress     | Resource 'module.cluster_autoscaler_namespace:kubernetes_network_policy.this[3]' allows all ingress traffic by default                              | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug)                                                               |
@@ -560,6 +563,8 @@ We use GitHub Actions and [tfsec](https://github.com/aquasecurity/tfsec) to chec
 | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress     | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default                 | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug)                                                               |
 | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress     | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default                 | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug)                                                               |
 | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress     | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet              | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods                                                     |
+| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress     | Resource 'module.keda_namespace:kubernetes_network_policy.this[2]' allows all ingress traffic by default                                            | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug)                                                               |
+| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress     | Resource 'module.keda_namespace:kubernetes_network_policy.this[0]' allows all ingress traffic by default                                            | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug)                                                               |
 
 
 ## Contributing

terraform/layer2-k8s/eks-keda.tf

@@ -0,0 +1,63 @@
+locals {
+  keda = {
+    chart         = local.helm_charts[index(local.helm_charts.*.id, "keda")].chart
+    repository    = lookup(local.helm_charts[index(local.helm_charts.*.id, "keda")], "repository", null)
+    chart_version = lookup(local.helm_charts[index(local.helm_charts.*.id, "keda")], "version", null)
+  }
+}
+
+#tfsec:ignore:kubernetes-network-no-public-egress tfsec:ignore:kubernetes-network-no-public-ingress
+module "keda_namespace" {
+  source = "../modules/kubernetes-namespace"
+  name   = "keda"
+  network_policies = [
+    {
+      name         = "default-deny"
+      policy_types = ["Ingress", "Egress"]
+      pod_selector = {}
+    },
+    {
+      name         = "allow-this-namespace"
+      policy_types = ["Ingress"]
+      pod_selector = {}
+      ingress = {
+        from = [
+          {
+            namespace_selector = {
+              match_labels = {
+                name = "keda"
+              }
+            }
+          }
+        ]
+      }
+    },
+    {
+      name         = "allow-egress"
+      policy_types = ["Egress"]
+      pod_selector = {}
+      egress = {
+        to = [
+          {
+            ip_block = {
+              cidr = "0.0.0.0/0"
+              except = [
+                "169.254.169.254/32"
+              ]
+            }
+          }
+        ]
+      }
+    }
+  ]
+}
+
+resource "helm_release" "kedacore" {
+  name        = "keda"
+  chart       = local.keda.chart
+  repository  = local.keda.repository
+  version     = local.keda.chart_version
+  namespace   = module.keda_namespace.name
+  wait        = true
+  max_history = var.helm_release_history_size
+}

terraform/layer2-k8s/helm-charts.yaml

@@ -59,6 +59,10 @@ charts:
     chart: ../../helm-charts/istio/istio-resources
     repository:
     version: 
+  - id: keda
+    chart: keda
+    repository: https://kedacore.github.io/charts
+    version: 2.4.0
   - id: kiali-server
     chart: kiali-server
     repository: https://kiali.org/helm-charts