
Commit 0b0c1f8

committed
add patch for basic modules for applying node selectors and tolerations
1 parent 05bfa8c commit 0b0c1f8


8 files changed

+282
-66
lines changed


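--- a/README.md
+++ b/README.md
@@ -7,11 +7,13 @@ Setup basic EKS cluster with necessary controllers. Examples for further configu
 
 ## Depend on
 - terraform
-- helm
+- aws cli
 - kubectl
 - [terraform-aws-eks](https://github.com/terraform-aws-modules/terraform-aws-eks)
 - [aws-ia/eks-blueprints-addons/aws](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons)
 
+This module contain local-exec block with `kubectl patch` for applying `tolerations` and `nodeSelector` deployments in `kube-system` namespace, that will work only in unix shell, so it will fail on Windows. This patch is necessary as some of eks addons currently doesn't support `tolerations` and `nodeSelector` in their configurations, but only necessary if you will use host nodes with taints to separate `management` processes from other. You can disable it by set `apply_kubectl_patch` variable to `false`.
+
 ## Example
 ```
 cd example
@@ -21,6 +23,8 @@ terraform apply
 terraform output all
 ```
 
+After `terraform destroy` check ec2 volumes for unused disks as aws-ebs-csi-driver doesn't delete it by default after deleting helm releases.
+
 ## Security
 
 `victoria-metrics-k8s-stack` deployed without internal password protection. Multiple charts such as `apisix`, `qryn` and `uptrace` contain explicit passwords in the values and do not use k8s secrets.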

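--- a/example/main.tf
+++ b/example/main.tf
@@ -8,6 +8,8 @@ locals {
 ingress_domain = "cluster.local"
 cert_manager_issuer = ""
 
+cluster_version = "1.29"
+
 vpc_name = "eks_${local.cluster_name}"
 azs = data.aws_availability_zones.available.names
 cidr = "10.0.0.0/16"
@@ -129,6 +131,7 @@ module "eks" {
 source = "../"
 
 cluster_name = local.cluster_name
+cluster_version = local.cluster_version
 admin_email = local.admin_email
 ingress_domain = local.ingress_domain
 cert_manager_issuer = local.cert_manager_issuer
@@ -145,22 +148,23 @@ module "eks" {
 fargate_profiles = local.fargate_profiles
 tags = local.tags
 
-enable_aws_efs_csi_driver = true
-enable_cert_manager = true
-enable_cluster_autoscaler = true
-enable_metrics_server = true
-enable_vpa = true
-enable_ingress_apisix = true
-enable_victoriametrics_operator = true
-enable_opentelemetry_operator = true
-enable_clickhouse_operator = true
-enable_grafana_operator = true
-enable_victoriametrics = true
-enable_grafana = true
-enable_uptrace = true
-enable_vector_agent = true
-enable_qryn = false
-enable_openobserve = false
-enable_openobserve_collector = false
-enable_kubernetes_dashboard = false
+enable_aws_efs_csi_driver = true
+enable_aws_node_termination_handler = false
+enable_cert_manager = true
+enable_cluster_autoscaler = true
+enable_metrics_server = true
+enable_vpa = true
+enable_ingress_apisix = true
+enable_victoriametrics_operator = true
+enable_opentelemetry_operator = true
+enable_clickhouse_operator = true
+enable_grafana_operator = true
+enable_victoriametrics = true
+enable_grafana = true
+enable_uptrace = true
+enable_vector_agent = true
+enable_qryn = false
+enable_openobserve = false
+enable_openobserve_collector = false
+enable_kubernetes_dashboard = false
 }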

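--- a/main.tf
+++ b/main.tf
@@ -227,12 +227,7 @@ locals {
 
 universal_cluster_addon_config = {
 most_recent = true
-configuration_values = jsonencode({
-nodeSelector = {
-"kubernetes.io/os" = "linux"
-"node.kubernetes.io/purpose" = "management"
-}
-})
+configuration_values = jsonencode(yamldecode(file("${path.module}/universal_values.yaml")))
 }
 
 cluster_addons = merge(
@@ -256,21 +251,71 @@ locals {
 var.cluster_addons
 )
 
+universal_values_string = templatefile("${path.module}/universal_values.yaml", {})
 universal_addon_config = {
-values = [templatefile("${path.module}/universal_values.yaml", {})]
+values = [local.universal_values_string]
 }
 
-aws_efs_csi_driver_config = merge(local.universal_addon_config, var.aws_efs_csi_driver_config)
+# https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/charts/aws-efs-csi-driver/values.yaml
+aws_efs_csi_driver_config = merge(
+local.universal_addon_config,
+{
+values = [
+<<-EOT
+controller:
+${replace(local.universal_values_string, "\n", "\n ")}
+EOT
+]
+},
+var.aws_efs_csi_driver_config
+)
 
-# aws_node_termination_handler_config = merge(local.universal_addon_config, var.aws_node_termination_handler_config)
+# https://github.com/aws/aws-node-termination-handler/blob/main/config/helm/aws-node-termination-handler/values.yaml
+aws_node_termination_handler_config = merge(local.universal_addon_config, var.aws_node_termination_handler_config)
 
-cert_manager_config = merge(local.universal_addon_config, var.cert_manager_config)
+# https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml
+cert_manager_config = merge(
+local.universal_addon_config,
+{
+values = [
+<<-EOT
+webhook:
+${replace(local.universal_values_string, "\n", "\n ")}
+cainjector:
+${replace(local.universal_values_string, "\n", "\n ")}
+startupapicheck:
+${replace(local.universal_values_string, "\n", "\n ")}
+EOT
+]
+},
+var.cert_manager_config
+)
 
+# https://github.com/kubernetes/autoscaler/blob/master/charts/cluster-autoscaler/values.yaml
 cluster_autoscaler_config = merge(local.universal_addon_config, var.cluster_autoscaler_config)
 
+# https://github.com/kubernetes-sigs/metrics-server/blob/master/charts/metrics-server/values.yaml
 metrics_server_config = merge(local.universal_addon_config, var.metrics_server_config)
 
-vpa_config = merge(local.universal_addon_config, var.vpa_config)
+# https://github.com/FairwindsOps/charts/blob/master/stable/vpa/values.yaml
+vpa_config = merge(
+local.universal_addon_config,
+{
+values = [
+<<-EOT
+recommender:
+${replace(local.universal_values_string, "\n", "\n ")}
+updater:
+${replace(local.universal_values_string, "\n", "\n ")}
+admissionController:
+${replace(local.universal_values_string, "\n", "\n ")}
+mutatingWebhookConfiguration:
+${replace(local.universal_values_string, "\n", "\n ")}
+EOT
+]
+},
+var.vpa_config
+)
 
 # don't like using root password for monitoring agents but for speedup
 openobserve_authorization = try(base64encode("${var.admin_email}:${module.openobserve.zo_root_user_password}"), "")
@@ -350,33 +395,56 @@ module "addons" {
 eks_addons = local.cluster_addons
 
 # https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/0e9d6c9b7115ecf0404c377c9c2529bffa56d10d/docs/addons/aws-efs-csi-driver.md
+# https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/charts/aws-efs-csi-driver/values.yaml
 enable_aws_efs_csi_driver = var.enable_aws_efs_csi_driver
 aws_efs_csi_driver = local.aws_efs_csi_driver_config
 
 # https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/0e9d6c9b7115ecf0404c377c9c2529bffa56d10d/docs/addons/aws-node-termination-handler.md
-#enable_aws_node_termination_handler = var.enable_aws_node_termination_handler
-#aws_node_termination_handler = local.aws_node_termination_handler_config
+# https://github.com/aws/aws-node-termination-handler/blob/main/config/helm/aws-node-termination-handler/values.yaml
+enable_aws_node_termination_handler = var.enable_aws_node_termination_handler
+aws_node_termination_handler = local.aws_node_termination_handler_config
 
 # https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/0e9d6c9b7115ecf0404c377c9c2529bffa56d10d/docs/addons/cert-manager.md
 # https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml
 enable_cert_manager = var.enable_cert_manager
 cert_manager = local.cert_manager_config
 
 # https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/0e9d6c9b7115ecf0404c377c9c2529bffa56d10d/docs/addons/cluster-autoscaler.md
+# https://github.com/kubernetes/autoscaler/blob/master/charts/cluster-autoscaler/values.yaml
 enable_cluster_autoscaler = var.enable_cluster_autoscaler
 cluster_autoscaler = local.cluster_autoscaler_config
 
 # https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/0e9d6c9b7115ecf0404c377c9c2529bffa56d10d/docs/addons/metrics-server.md
+# https://github.com/kubernetes-sigs/metrics-server/blob/master/charts/metrics-server/values.yaml
 enable_metrics_server = var.enable_metrics_server
 metrics_server = local.metrics_server_config
 
 # https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/0e9d6c9b7115ecf0404c377c9c2529bffa56d10d/docs/addons/vertical-pod-autoscaler.md
+# https://github.com/FairwindsOps/charts/blob/master/stable/vpa/values.yaml
 enable_vpa = var.enable_vpa
 vpa = local.vpa_config
 
 tags = var.tags
 }
 
+# patch addons and modules as some eks addons don't have tolerations
+resource "null_resource" "apply_kubectl_patch" {
+
+count = var.apply_kubectl_patch? 1 : 0
+
+depends_on = [
+#module.eks,
+module.addons
+]
+
+provisioner "local-exec" {
+command = <<-EOT
+export KUBECONFIG="${module.eks.kubeconfig}"
+kubectl get deployments -o name -n kube-system | xargs -I {} kubectl patch {} -n kube-system -p '{"spec": {"template":{"spec":${jsonencode(yamldecode(file("${path.module}/universal_values.yaml")))}}}}'
+EOT
+}
+}
+
 # https://cert-manager.io/docs/configuration/acme/
 module "cert_manager_acme_manifests" {
 source = "./modules/kubernetes-manifests"
@@ -445,7 +513,7 @@ module "victoriametrics_operator" {
 tags = var.tags
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 var.victoriametrics_operator_values
 )
 }
@@ -466,7 +534,7 @@ module "opentelemetry_operator" {
 tags = var.tags
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 var.opentelemetry_operator_values
 )
 }
@@ -487,7 +555,7 @@ module "grafana_operator" {
 tags = var.tags
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 var.grafana_operator_values
 )
 }
@@ -508,7 +576,7 @@ module "clickhouse_operator" {
 tags = var.tags
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 var.clickhouse_operator_values
 )
 }
@@ -532,7 +600,7 @@ module "ingress_apisix" {
 tags = var.tags
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 [
 <<-EOT
 %{ if var.enable_victoriametrics_operator == true }
@@ -572,7 +640,7 @@ module "victoriametrics" {
 grafana_operator_namespace = var.grafana_operator_namespace
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 [
 <<-EOT
 %{ if var.enable_victoriametrics_operator == true }
@@ -647,7 +715,7 @@ module "victoriametrics" {
 auth_chart_version = var.victoriametrics_auth_chart_version
 auth_set = var.victoriametrics_auth_set
 auth_values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 [
 <<-EOT
 %{ if var.victoriametrics_auth_ingress_enabled == true }
@@ -719,7 +787,7 @@ module "grafana" {
 grafana_operator_namespace = var.grafana_operator_namespace
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 [
 <<-EOT
 %{ if var.enable_victoriametrics_operator == true }
@@ -778,7 +846,7 @@ module "uptrace" {
 grafana_operator_namespace = var.grafana_operator_namespace
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 [
 <<-EOT
 %{ if var.uptrace_ingress_enabled == true }
@@ -819,15 +887,15 @@ module "uptrace" {
 clickhouse_set = var.uptrace_clickhouse_set
 
 clickhouse_values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 var.uptrace_clickhouse_values
 )
 
 postgresql_chart_version = var.uptrace_postgresql_chart_version
 postgresql_set = var.uptrace_postgresql_set
 
 postgresql_values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 var.uptrace_postgresql_values
 )
 }
@@ -854,7 +922,7 @@ module "qryn" {
 grafana_operator_namespace = var.grafana_operator_namespace
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 [
 <<-EOT
 %{ if var.enable_victoriametrics_operator == true }
@@ -895,7 +963,7 @@ module "qryn" {
 clickhouse_set = var.qryn_clickhouse_set
 
 clickhouse_values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 var.qryn_clickhouse_values
 )
 }
@@ -920,7 +988,7 @@ module "openobserve" {
 oidc_provider_arn = module.eks.oidc_provider_arn
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 [
 <<-EOT
 %{ if var.openobserve_ingress_enabled == true }
@@ -974,7 +1042,7 @@ module "openobserve_collector" {
 zo_authorization = "Basic ${local.openobserve_authorization}"
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 var.openobserve_collector_values
 )
 }
@@ -992,7 +1060,7 @@ module "vector_agent" {
 tags = var.tags
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 [
 <<-EOT
 role: "Agent"
@@ -1074,7 +1142,7 @@ module "kubernetes_dashboard" {
 tags = var.tags
 
 values = concat(
-[templatefile("${path.module}/universal_values.yaml", {})],
+[local.universal_values_string],
 [
 <<-EOT
 %{ if var.kubernetes_dashboard_ingress_enabled == true }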
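Review bot: The kubeconfig is interpolated into the provisioner's command string (`export KUBECONFIG="${module.eks.kubeconfig}"` in the new `null_resource.apply_kubectl_patch` block of the `module "addons"` hunk), and Terraform prints each local-exec command in its `Executing:` log line, so whatever that output holds — a path at best, cluster credentials if it is the rendered kubeconfig — lands in plan/apply output and CI logs; passing it through the provisioner's `environment` map keeps it out of the echoed command. The resource also declares no `triggers`, so the patch runs only when the resource is first created and is never re-applied when `universal_values.yaml` changes or when a later helm upgrade of an addon rewrites the patched pod template; `triggers = { universal_values = filesha256("${path.module}/universal_values.yaml") }` covers at least the first case. The patched deployments are also invisible to Terraform state, so drift detection cannot tell when the tolerations have been lost, and the `jsonencode(...)` blob is embedded inside single quotes, which breaks the shell command if the YAML ever contains a `'`. As a style point, `count = var.apply_kubectl_patch? 1 : 0` is not `terraform fmt` output (it wants a space before `?`).
```hcl
resource "null_resource" "apply_kubectl_patch" {
  count = var.apply_kubectl_patch ? 1 : 0

  # re-run the patch when the values file changes, not only on first creation
  triggers = {
    universal_values = filesha256("${path.module}/universal_values.yaml")
  }

  # … unchanged: depends_on …

  provisioner "local-exec" {
    # kept out of the command string so it is not echoed in Terraform's "Executing:" log line
    environment = {
      KUBECONFIG = module.eks.kubeconfig
    }
    command = <<-EOT
      # … unchanged: kubectl get/patch pipeline (export line dropped) …
    EOT
  }
}
```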
