Add private ALB support and subnet id support for NLB and ALB creation

examples/complete/main.tf

@@ -111,7 +111,7 @@ module "eks-addons" {
 
   ## INGRESS-NGINX
   ingress_nginx_enabled = false # to enable ingress nginx
-  private_nlb_enabled   = false # to enable Internal (Private) Ingress , set this and ingress_nginx_enable "false" together
+  private_nlb_enabled   = false # to enable Internal (Private) Ingress , set this and ingress_nginx_enable "false" together 
   ingress_nginx_config = {
     values                 = [file("${path.module}/config/ingress-nginx.yaml")]
     enable_service_monitor = false   # enable monitoring in nginx ingress
@@ -120,7 +120,7 @@ module "eks-addons" {
   }
 
   ## AWS-APPLICATION-LOAD-BALANCER-CONTROLLER
-  aws_load_balancer_controller_enabled = false # to enable load balancer controller
+  aws_load_balancer_controller_enabled = false  # to enable load balancer controller
   aws_load_balancer_controller_helm_config = {
     values                        = [file("${path.module}/config/aws-alb.yaml")]
     namespace                     = "alb" # enter namespace according to the requirement (example: "alb")
@@ -133,6 +133,7 @@ module "eks-addons" {
     k8s_dashboard_ingress_load_balancer = "nlb"                            ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB.
     private_alb_enabled                 = false                            # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together
     alb_acm_certificate_arn             = ""                               # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL.
+    ingress_class_name                  = "nginx"
     k8s_dashboard_hostname              = "k8s-dashboard.rnd.squareops.in" # Enter Hostname
   }
 
@@ -147,6 +148,10 @@ module "eks-addons" {
     slack_notification_token     = ""
     argocd_notifications_enabled = false
     ingress_class_name           = "nginx" # enter ingress class name according to your requirement (example: "ingress-nginx", "internal-ingress")
+    argocd_ingress_load_balancer = "alb"   ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB.
+    private_alb_enabled          = "false" # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together
+    alb_acm_certificate_arn      = ""      # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL.
+
   }
   argoproject_config = {
     name = "argo-project" # enter name for aro-project appProjects
@@ -160,6 +165,10 @@ module "eks-addons" {
     autoscaling_enabled = true
     hostname            = "argocd-workflow.rnd.squareops.in"
     ingress_class_name  = "nginx" # enter ingress class name according to your requirement (example: "ingress-nginx", "internal-ingress")
+    argoworkflow_ingress_load_balancer = "alb"   ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB.
+    private_alb_enabled                = "false" # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together
+    alb_acm_certificate_arn            = ""      # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL.
+
   }
 
   # VELERO
@@ -192,4 +201,4 @@ module "eks-addons" {
   ## FALCO
   falco_enabled = false # to enable falco
   slack_webhook = "xoxb-379541400966-iibMHnnoaPzVl"
-}
+}

main.tf

@@ -144,7 +144,7 @@ module "external-secrets" {
   external_secrets_secrets_manager_arns = var.external_secrets_secrets_manager_arns
 }
 
-## NGINX INGRESS
+# NGINX INGRESS
 module "ingress-nginx" {
   source            = "./modules/ingress-nginx"
   count             = var.ingress_nginx_enabled ? 1 : 0
@@ -199,7 +199,9 @@ module "kubernetes-dashboard" {
   alb_acm_certificate_arn             = var.kubernetes_dashboard_config.alb_acm_certificate_arn
   k8s_dashboard_ingress_load_balancer = var.kubernetes_dashboard_config.k8s_dashboard_ingress_load_balancer
   private_alb_enabled                 = var.kubernetes_dashboard_config.private_alb_enabled
-  ingress_class_name                  = var.private_nlb_enabled ? "internal-${var.ingress_nginx_config.ingress_class_name}" : var.ingress_nginx_config.ingress_class_name
+  ingress_class_name                  = var.kubernetes_dashboard_config == "alb" ? "alb" : (var.private_nlb_enabled ? "internal-nginx" : var.kubernetes_dashboard_config.ingress_class_name)
+  private_subnet_ids                  = var.private_subnet_ids
+  public_subnet_ids                   = var.public_subnet_ids
 }
 
 ## KEDA
@@ -273,7 +275,7 @@ resource "kubernetes_namespace" "argocd" {
 }
 module "argocd" {
   source     = "./modules/argocd"
-  depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx]
+  depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx,module.aws-load-balancer-controller]
   count      = var.argocd_enabled ? 1 : 0
   argocd_config = {
     hostname                     = var.argocd_config.hostname
@@ -282,22 +284,34 @@ module "argocd" {
     autoscaling_enabled          = var.argocd_config.autoscaling_enabled
     slack_notification_token     = var.argocd_config.slack_notification_token
     argocd_notifications_enabled = var.argocd_config.argocd_notifications_enabled
-    ingress_class_name           = var.argocd_config.ingress_class_name
+    ingress_class_name           = var.argocd_config.argocd_ingress_load_balancer == "alb" ? "alb" : (var.private_nlb_enabled ? "internal-nginx" : var.argocd_config.ingress_class_name)
+    argocd_ingress_load_balancer = var.argocd_config.argocd_ingress_load_balancer
+    private_alb_enabled          = var.argocd_config.private_alb_enabled
+    alb_acm_certificate_arn      = var.argocd_config.alb_acm_certificate_arn
   }
+  private_subnet_ids           = var.private_subnet_ids
+  public_subnet_ids            = var.public_subnet_ids
   namespace = var.argocd_config.namespace
 }
 
 # argo-workflow
 module "argocd-workflow" {
   source     = "./modules/argocd-workflow"
-  depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx]
+  depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx,module.aws-load-balancer-controller]
   count      = var.argoworkflow_enabled ? 1 : 0
   argoworkflow_config = {
     values              = var.argoworkflow_config.values
     hostname            = var.argoworkflow_config.hostname
-    ingress_class_name  = var.argoworkflow_config.ingress_class_name
+    ingress_class_name                 = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? "alb" : (var.private_nlb_enabled ? "internal-nginx" : var.argoworkflow_config.ingress_class_name)
+    argoworkflow_ingress_load_balancer = var.argoworkflow_config.argoworkflow_ingress_load_balancer
+    private_alb_enabled                = var.argoworkflow_config.private_alb_enabled
+    alb_acm_certificate_arn            = var.argoworkflow_config.alb_acm_certificate_arn
+
+
     autoscaling_enabled = var.argoworkflow_config.autoscaling_enabled
   }
+  private_subnet_ids           = var.private_subnet_ids
+  public_subnet_ids            = var.public_subnet_ids
   namespace = var.argoworkflow_config.namespace
 }
 

modules/argocd-workflow/config/argocd-workflow.yaml

@@ -69,7 +69,7 @@ server:
     targetMemoryUtilizationPercentage: 70
 
   ingress:
-    enabled: true
+    enabled: false
     ingressClassName: ${ingress_class_name}
     hosts:
       - ${ingress_host}

modules/argocd-workflow/main.tf

@@ -1,4 +1,5 @@
 locals {
+  alb_scheme    = var.argoworkflow_config.private_alb_enabled ? "internal" : "internet-facing"
   template_path = "${path.module}/config/argocd-workflow.yaml"
 
   # read modules template file
@@ -85,3 +86,55 @@ resource "kubernetes_secret" "argo_workflow_token_secret" {
     token = try(data.kubernetes_secret.argo-workflow-secret.data["token"], "")
   }
 }
+
+resource "kubernetes_ingress_v1" "argoworkflow-ingress" {
+  depends_on             = [helm_release.argo_workflow]
+  wait_for_load_balancer = true
+  metadata {
+    name      = "argoworkflow-ingress"
+    namespace = var.namespace
+    annotations = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? {
+      "kubernetes.io/ingress.class"                    = "alb"
+      "alb.ingress.kubernetes.io/scheme"               = local.alb_scheme
+      "alb.ingress.kubernetes.io/target-type"          = "ip"
+      "alb.ingress.kubernetes.io/certificate-arn"      = var.argoworkflow_config.alb_acm_certificate_arn,
+      "alb.ingress.kubernetes.io/subnets"              = local.alb_scheme == "internal" ? join(",", var.private_subnet_ids) : join(",", var.public_subnet_ids)
+      "alb.ingress.kubernetes.io/healthcheck-path"     = "/"
+      "alb.ingress.kubernetes.io/healthcheck-protocol" = "HTTP"
+      "alb.ingress.kubernetes.io/backend-protocol"     = "HTTP"
+      "alb.ingress.kubernetes.io/listen-ports"         = "[{\"HTTPS\":443}]"
+      "alb.ingress.kubernetes.io/ssl-redirect"         = "443"
+      "alb.ingress.kubernetes.io/group.name"           = local.alb_scheme == "internet-facing" ? "public-alb-ingress" : "private-alb-ingress"
+      } : {
+      "cert-manager.io/cluster-issuer"                 = "letsencrypt-prod"
+      "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
+      "nginx.ingress.kubernetes.io/ssl-passthrough"    = "true"
+      "kubernetes.io/ingress.class"                    = var.argoworkflow_config.ingress_class_name
+      "kubernetes.io/tls-acme"                         = "false"
+    }
+  }
+  spec {
+    ingress_class_name = var.argoworkflow_config.ingress_class_name
+    rule {
+      host = var.argoworkflow_config.hostname
+      http {
+        path {
+          path      = "/"
+          path_type = "Prefix"
+          backend {
+            service {
+              name = "argo-workflow-argo-workflows-server"
+              port {
+                number = 2746
+              }
+            }
+          }
+        }
+      }
+    }
+    tls {
+      secret_name = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? "" : "argoworkflow-server-tls"
+      hosts       = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? [] : [var.argoworkflow_config.hostname]
+    }
+  }
+}

modules/argocd-workflow/variable.tf

@@ -18,6 +18,10 @@ variable "argoworkflow_config" {
     namespace           = ""
     hostname            = ""
     autoscaling_enabled = "true"
+    ingress_class_name                 = ""
+    argoworkflow_ingress_load_balancer = "nlb"
+    private_alb_enabled                = false
+    alb_acm_certificate_arn            = ""
   }
   description = "Specify the configuration settings for Argocd-Workflow, including the hostname, and custom YAML values."
 }
@@ -27,3 +31,20 @@ variable "chart_version" {
   type        = string
   description = "Argo workflow chart version"
 }
+
+variable "ingress_class_name" {
+  type        = string
+  default     = "nginx"
+  description = "Enter ingress class name which is created in EKS cluster"
+}
+
+variable "public_subnet_ids" {
+  type        = list(string)
+  description = "List of public subnet IDs"
+}
+
+variable "private_subnet_ids" {
+  description = "Private subnets of the VPC which can be used by EFS"
+  default     = [""]
+  type        = list(string)
+}

modules/argocd/config/values.yaml

@@ -102,7 +102,7 @@ server:
     targetMemoryUtilizationPercentage: 70
   # Argo CD server ingress configuration
   ingress:
-    enabled: true
+    enabled: false
     annotations:
       cert-manager.io/cluster-issuer: letsencrypt-prod
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

modules/argocd/main.tf

@@ -1,3 +1,7 @@
+locals {
+  alb_scheme = var.argocd_config.private_alb_enabled ? "internal" : "internet-facing"
+}
+
 resource "helm_release" "argocd_deploy" {
   name       = "argo-cd"
   chart      = "argo-cd"
@@ -26,3 +30,55 @@ data "kubernetes_secret" "argocd-secret" {
     namespace = var.namespace
   }
 }
+
+resource "kubernetes_ingress_v1" "argocd-ingress" {
+  depends_on             = [helm_release.argocd_deploy]
+  wait_for_load_balancer = true
+  metadata {
+    name      = "argocd-ingress"
+    namespace = var.namespace
+    annotations = var.argocd_config.argocd_ingress_load_balancer == "alb" ? {
+      "kubernetes.io/ingress.class"                    = "alb"
+      "alb.ingress.kubernetes.io/scheme"               = local.alb_scheme
+      "alb.ingress.kubernetes.io/target-type"          = "ip"
+      "alb.ingress.kubernetes.io/certificate-arn"      = var.argocd_config.alb_acm_certificate_arn,
+      "alb.ingress.kubernetes.io/subnets"              = local.alb_scheme == "internal" ? join(",", var.private_subnet_ids) : join(",", var.public_subnet_ids)
+      "alb.ingress.kubernetes.io/healthcheck-path"     = "/healthz"
+      "alb.ingress.kubernetes.io/healthcheck-protocol" = "HTTP"
+      "alb.ingress.kubernetes.io/backend-protocol"     = "HTTP"
+      "alb.ingress.kubernetes.io/listen-ports"         = "[{\"HTTPS\":443}]"
+      "alb.ingress.kubernetes.io/ssl-redirect"         = "443"
+      "alb.ingress.kubernetes.io/group.name"           = local.alb_scheme == "internet-facing" ? "public-alb-ingress" : "private-alb-ingress"
+      } : {
+      "cert-manager.io/cluster-issuer"                 = "letsencrypt-prod"
+      "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
+      "nginx.ingress.kubernetes.io/ssl-passthrough"    = "true"
+      "kubernetes.io/ingress.class"                    = var.argocd_config.ingress_class_name
+      "kubernetes.io/tls-acme"                         = "false"
+    }
+  }
+  spec {
+    ingress_class_name = var.argocd_config.ingress_class_name
+    rule {
+      host = var.argocd_config.hostname
+      http {
+        path {
+          path      = "/"
+          path_type = "Prefix"
+          backend {
+            service {
+              name = "argo-cd-argocd-server"
+              port {
+                number = 80
+              }
+            }
+          }
+        }
+      }
+    }
+    tls {
+      secret_name = var.argocd_config.argocd_ingress_load_balancer == "alb" ? "" : "argocd-server-tls"
+      hosts       = var.argocd_config.argocd_ingress_load_balancer == "alb" ? [] : [var.argocd_config.hostname]
+    }
+  }
+}

modules/argocd/variables.tf

@@ -8,6 +8,9 @@ variable "argocd_config" {
     slack_notification_token     = ""
     argocd_notifications_enabled = false
     ingress_class_name           = ""
+    argocd_ingress_load_balancer = "nlb"
+    private_alb_enabled          = false
+    alb_acm_certificate_arn      = ""
   }
   description = "Specify the configuration settings for Argocd, including the hostname, redis_ha_enabled, autoscaling, notification settings, and custom YAML values."
 }
@@ -29,3 +32,14 @@ variable "ingress_class_name" {
   default     = "nginx"
   description = "Enter ingress class name which is created in EKS cluster"
 }
+
+variable "public_subnet_ids" {
+  type        = list(string)
+  description = "List of public subnet IDs"
+}
+
+variable "private_subnet_ids" {
+  description = "Private subnets of the VPC which can be used by EFS"
+  default     = [""]
+  type        = list(string)
+}

modules/aws-load-balancer-controller/config/values.yaml

@@ -12,3 +12,6 @@ ingressClassParams:
 enableServiceMutatorWebhook: false
 
 nameOverride: ${load_balancer_controller_name}
+
+# disableIngressClassAnnotation: 
+

modules/aws-load-balancer-controller/variables.tf

@@ -39,3 +39,19 @@ variable "namespace" {
   type        = string
   default     = "kube-system"
 }
+
+# variable "public_subnet_ids" {
+#   type        = list(string)
+#   description = "List of public subnet IDs"
+# }
+
+# variable "private_alb_enabled" {
+#   description = "Control wheather to install public nlb or private nlb. Default is private"
+#   type        = bool
+#   default     = false
+# }
+
+# variable "private_subnet_ids" {
+#   type        = list(string)
+#   description = "List of private subnet IDs"
+# }

modules/ingress-nginx/main.tf

@@ -20,8 +20,6 @@ locals {
   template_values_map = yamldecode(local.template_values)
 }
 
-# Namespace creation
-
 resource "kubernetes_namespace" "this" {
   count = try(var.helm_config.create_namespace, true) && local.namespace != "kube-system" ? 1 : 0
   metadata {
@@ -47,3 +45,5 @@ module "helm_addon" {
   manage_via_gitops = var.manage_via_gitops
   addon_context     = var.addon_context
 }
+
+

modules/kubernetes-dashboard/main.tf

@@ -26,14 +26,16 @@ resource "kubernetes_ingress_v1" "k8s-ingress" {
     namespace = "kubernetes-dashboard"
     annotations = var.k8s_dashboard_ingress_load_balancer == "alb" ? {
       "kubernetes.io/ingress.class"                    = "alb"
-      "alb.ingress.kubernetes.io/scheme"               = local.alb_scheme
       "alb.ingress.kubernetes.io/target-type"          = "ip"
       "alb.ingress.kubernetes.io/certificate-arn"      = var.alb_acm_certificate_arn,
+      "alb.ingress.kubernetes.io/scheme"               = local.alb_scheme
+      "alb.ingress.kubernetes.io/subnets"              = local.alb_scheme == "internal" ? join(",", var.private_subnet_ids) : join(",", var.public_subnet_ids)
       "alb.ingress.kubernetes.io/healthcheck-path"     = "/"
       "alb.ingress.kubernetes.io/healthcheck-protocol" = "HTTPS"
       "alb.ingress.kubernetes.io/backend-protocol"     = "HTTPS"
       "alb.ingress.kubernetes.io/listen-ports"         = "[{\"HTTPS\":443}]"
       "alb.ingress.kubernetes.io/ssl-redirect"         = "443"
+      "alb.ingress.kubernetes.io/group.name"           = local.alb_scheme == "internet-facing" ? "public-alb-ingress" : "private-alb-ingress"
       } : {
       "cert-manager.io/cluster-issuer"                    = "letsencrypt-prod"
       "kubernetes.io/ingress.class"                       = var.ingress_class_name
@@ -48,6 +50,7 @@ resource "kubernetes_ingress_v1" "k8s-ingress" {
     }
   }
   spec {
+    ingress_class_name = var.ingress_class_name
     rule {
       host = var.k8s_dashboard_hostname
       http {