Update EKS module, examples (#119)

* Pin provider versions in EKS modules

* Bump dependency chart versions

* Use curly-brace substitution

* Set K8s image pull secret

* Remove vestigial record_log_bucket

* Saner default for bucket name handling in EKS

* Make certificate ARN optional for eks-helm module

* Tidy up complete example documentation

Additionally, use the module from the repository in the example, rather
than the latest from Github.

* Add K8s addons, access entries configuration

* Update default versions for example Redis, Postgres

* Update eks-addons to reflect module version changes

* Additional improvements from testing:

- Do not rely on expansion for database, redis URLs
- Attach IAM role for pulling the image
- Increase default instance type to t3.medium

Author: nyergler

.claude/settings.json

@@ -1,7 +1,8 @@
 {
   "permissions": {
     "allow": [
-      "Bash(helm dependency list:*)"
+      "Bash(helm dependency list:*)",
+      "Bash(terraform-docs markdown table:*)"
     ]
   }
 }

helm/charts/polytomic/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.0
+version: 1.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm/charts/polytomic/README.md

@@ -2,7 +2,7 @@
 
 Polytomic helm chart for kubernetes
 
-![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 
 ## Installing the Chart
 

helm/charts/polytomic/templates/_helpers.tpl

@@ -223,8 +223,9 @@ Build PostgreSQL connection URL
 {{- else if .Values.externalPostgresql.ssl -}}
 {{- $sslMode = "require" -}}
 {{- end -}}
-{{- printf "postgres://%s:${DATABASE_PASSWORD}@%s:%s/%s?sslmode=%s"
+{{- printf "postgres://%s:%s@%s:%s/%s?sslmode=%s"
     (include "polytomic.postgresql.username" .)
+    .Values.externalPostgresql.password
     (include "polytomic.postgresql.host" .)
     (include "polytomic.postgresql.port" .)
     (include "polytomic.postgresql.database" .)
@@ -301,11 +302,13 @@ Build Redis connection URL
 {{- $password = .Values.externalRedis.password -}}
 {{- if $password -}}
 {{- if .Values.externalRedis.ssl -}}
-{{- printf "rediss://:${REDIS_PASSWORD}@%s:%s"
+{{- printf "rediss://:%s@%s:%s"
+    $password
     (include "polytomic.redis.host" .)
     (include "polytomic.redis.port" .) -}}
 {{- else -}}
-{{- printf "redis://:${REDIS_PASSWORD}@%s:%s"
+{{- printf "redis://:%s@%s:%s"
+    $password
     (include "polytomic.redis.host" .)
     (include "polytomic.redis.port" .) -}}
 {{- end -}}
@@ -350,6 +353,10 @@ SINGLE_PLAYER: {{ .Values.polytomic.auth.single_player | quote }}
 AWS_REGION: {{ .Values.polytomic.s3.region | quote }}
 AWS_ACCESS_KEY_ID: {{ .Values.polytomic.s3.access_key_id | quote }}
 AWS_SECRET_ACCESS_KEY: {{ .Values.polytomic.s3.secret_access_key | quote }}
+RECORD_LOG_BUCKET: {{ .Values.polytomic.s3.operational_bucket | trimPrefix "s3://" | quote }}
+RECORD_LOG_REGION: {{ .Values.polytomic.s3.region | quote }}
+EXECUTION_LOG_BUCKET: {{ .Values.polytomic.s3.operational_bucket | trimPrefix "s3://" | quote }}
+EXECUTION_LOG_REGION: {{ .Values.polytomic.s3.region | quote }}
 KUBERNETES: "true"
 KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }}
 KUBERNETES_IMAGE: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}

terraform/examples/eks-complete/README.md

@@ -1,38 +1,230 @@
-# Polytomic EKS Module
+# Polytomic EKS Complete Example
 
+This example demonstrates a complete production-ready Polytomic deployment on
+AWS EKS using all three EKS Terraform modules.
 
-This module has two stages:
-- cluster install
-- app install
+## What This Example Includes
 
+A two-stage deployment that creates:
 
-The cluster module must be applied before running the app module.
+**Stage 1: Infrastructure (cluster/)**
 
+- EKS cluster with managed node groups
+- VPC with public/private subnets across 3 AZs
+- RDS PostgreSQL Multi-AZ database
+- ElastiCache Redis cluster
+- EFS filesystem for shared storage
+- S3 bucket for operations and logs
 
-## Cluster Install
+**Stage 2: Application (app/)**
+
+- AWS Load Balancer Controller
+- EFS CSI Driver
+- IAM roles (IRSA) for service accounts
+- Polytomic Helm chart deployment
+
+## Documentation
+
+**For complete deployment instructions, see [EKS Deployment Guide](../../modules/eks/INSTALL.md)**
+
+The comprehensive guide includes:
+
+- Architecture diagrams
+- Detailed prerequisites
+- Step-by-step deployment instructions
+- Configuration reference
+- Troubleshooting scenarios
+
+## Example-Specific Notes
+
+This example differs from the comprehensive guide in that it:
+
+**Does NOT manage DNS or TLS certificates**
+
+- You must manually create CNAME records pointing to the ALB
+- TLS can be handled externally (CloudFlare, CloudFront) or by providing an ACM certificate ARN
+- See step 3d in the Quick Start below for TLS options
+
+**Uses simplified configuration**
+
+- Minimal viable settings for testing
+- Defaults to HTTP (port 80) without certificate
+- Suitable for proof-of-concept deployments
+
+## Quick Start
+
+### Prerequisites
+
+Before starting, ensure you have:
+
+- AWS CLI configured with appropriate credentials
+- Terraform v1.0+
+- kubectl and helm installed
+- Polytomic license credentials (deployment name and key)
+- Google OAuth credentials (or other auth method configured)
+
+### Step 1: Deploy Infrastructure
+
+```bash
+cd cluster
+
+# Edit main.tf and configure the locals block
+# See INSTALL.md for detailed configuration options
 
-```sh
-cd cluster 
 terraform init
+terraform apply
 ```
 
+**Deployment time**: ~15-20 minutes
+
+**Note**: The EKS module automatically configures node IAM roles with ECR read permissions, so pods can pull from private ECR repositories without needing imagePullSecrets.
+
+### Step 2: Deploy Application
 
-Fill in the `locals` block at the top with the desired values.
+```bash
+cd ../app
 
-```sh
+# Edit main.tf and configure:
+# - Polytomic deployment credentials
+# - Domain name and authentication settings
+# - Optional: certificate_arn if using ACM
+
+terraform init
 terraform apply
 ```
 
-## App Install
+**Deployment time**: ~5-10 minutes
 
-```sh
-cd app 
-terraform init
+### Step 3: Configure DNS
+
+```bash
+# Get ALB hostname
+kubectl get ingress -n polytomic polytomic -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
+
+# Create CNAME record pointing your domain to the ALB hostname
+# Example using Route53:
+HOSTED_ZONE_ID="Z1234567890ABC"
+DOMAIN_NAME="app.polytomic-local.com"
+ALB_HOSTNAME=$(kubectl get ingress -n polytomic polytomic -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+
+aws route53 change-resource-record-sets \
+  --hosted-zone-id $HOSTED_ZONE_ID \
+  --change-batch "{
+    \"Changes\": [{
+      \"Action\": \"UPSERT\",
+      \"ResourceRecordSet\": {
+        \"Name\": \"$DOMAIN_NAME\",
+        \"Type\": \"CNAME\",
+        \"TTL\": 300,
+        \"ResourceRecords\": [{\"Value\": \"$ALB_HOSTNAME\"}]
+      }
+    }]
+  }"
+```
+
+### Step 4: Access Application
+
+```bash
+# Verify pods are running
+kubectl get pods -n polytomic
+
+# Access the application at your configured domain
+# HTTP by default; HTTPS if certificate_arn was provided
+```
+
+## TLS Configuration Options
+
+This example does not manage TLS certificates by default. Choose one of these options:
+
+### Option 1: External TLS Termination (Recommended)
+
+Use CloudFlare, CloudFront, or another CDN to handle TLS:
+
+- The ALB serves HTTP on port 80
+- Your CDN terminates TLS and forwards to ALB
+- No ACM certificate needed
+
+### Option 2: ACM Certificate
+
+If you have an ACM certificate in the same AWS account/region:
+
+```hcl
+# In app/main.tf, add to eks_helm module:
+module "eks_helm" {
+  # ... existing config ...
+  certificate_arn = "arn:aws:acm:us-east-2:123456789:certificate/your-cert-id"
+}
+```
+
+### Option 3: Manual Certificate Creation
+
+Uncomment the certificate resources at the bottom of [app/main.tf](app/main.tf), then:
+
+```bash
+cd app
 terraform apply
+terraform output certificate_arn
+
+# Get validation records
+aws acm describe-certificate --certificate-arn <arn> | \
+  jq -r '.Certificate.DomainValidationOptions[0].ResourceRecord'
+```
+
+Add the CNAME validation record to your DNS provider, then the certificate will be issued.
+
+## Configuration Files
+
+**cluster/main.tf** - Infrastructure configuration
+
+- EKS cluster settings (node size, count)
+- Database configuration (RDS instance class, storage)
+- Redis configuration (instance type, cluster size)
+- VPC and networking
+
+**app/main.tf** - Application configuration
+
+- Polytomic deployment credentials
+- Domain and authentication settings
+- Helm chart values
+- Optional ACM certificate
+
+See [INSTALL.md](../../modules/eks/INSTALL.md) for detailed configuration options.
+
+## Cleanup
+
+Destroy resources in reverse order:
+
+```bash
+cd app && terraform destroy
+cd ../cluster && terraform destroy
 ```
 
-Obtain the ingress loadbalancer name to create a CNAME record in your DNS.
+**Warning**: This permanently deletes all data. Ensure you have backups.
+
+## Troubleshooting
+
+For common issues, see the [Troubleshooting section in INSTALL.md](../../modules/eks/INSTALL.md#troubleshooting).
+
+Quick diagnostics:
+
+```bash
+# Check pod status
+kubectl get pods -n polytomic
+
+# View pod logs
+kubectl logs -n polytomic -l app.kubernetes.io/component=web --tail=50
+
+# Check ALB controller
+kubectl logs -n kube-system -l app.kubernetes.io/name=aws-load-balancer-controller
+
+# If seeing ImagePullBackOff errors, verify the node IAM role has ECR permissions
+kubectl describe pod -n polytomic <pod-name> | grep -A 5 "Events:"
 ```
-aws eks update-kubeconfig --name ${YOUR LOCAL.PREFIX VALUE}-cluster --region ${YOUR LOCAL.REGION VALUE}
-kubectl get ingress -n polytomic
-```
+
+## Additional Resources
+
+- [EKS Deployment Guide (INSTALL.md)](../../modules/eks/INSTALL.md) - Complete deployment documentation
+- [eks Module README](../../modules/eks/README.md) - Module reference
+- [eks-addons Module README](../../modules/eks-addons/README.md)
+- [eks-helm Module README](../../modules/eks-helm/README.md)
+- [Helm Chart Documentation](../../../helm/charts/polytomic/README.md)