diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 89e532d..4c1133e 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -111,7 +111,7 @@ module "eks-addons" { ## INGRESS-NGINX ingress_nginx_enabled = false # to enable ingress nginx - private_nlb_enabled = false # to enable Internal (Private) Ingress , set this and ingress_nginx_enable "false" together + private_nlb_enabled = false # to enable Internal (Private) Ingress , set this and ingress_nginx_enable "false" together ingress_nginx_config = { values = [file("${path.module}/config/ingress-nginx.yaml")] enable_service_monitor = false # enable monitoring in nginx ingress @@ -120,7 +120,7 @@ module "eks-addons" { } ## AWS-APPLICATION-LOAD-BALANCER-CONTROLLER - aws_load_balancer_controller_enabled = false # to enable load balancer controller + aws_load_balancer_controller_enabled = false # to enable load balancer controller aws_load_balancer_controller_helm_config = { values = [file("${path.module}/config/aws-alb.yaml")] namespace = "alb" # enter namespace according to the requirement (example: "alb") @@ -133,6 +133,7 @@ module "eks-addons" { k8s_dashboard_ingress_load_balancer = "nlb" ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB. private_alb_enabled = false # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together alb_acm_certificate_arn = "" # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL. + ingress_class_name = "nginx" k8s_dashboard_hostname = "k8s-dashboard.rnd.squareops.in" # Enter Hostname } 
@@ -147,6 +148,10 @@ module "eks-addons" { slack_notification_token = "" argocd_notifications_enabled = false ingress_class_name = "nginx" # enter ingress class name according to your requirement (example: "ingress-nginx", "internal-ingress") + argocd_ingress_load_balancer = "alb" ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB. + private_alb_enabled = "false" # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together + alb_acm_certificate_arn = "" # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL. + } argoproject_config = { name = "argo-project" # enter name for aro-project appProjects @@ -160,6 +165,10 @@ module "eks-addons" { autoscaling_enabled = true hostname = "argocd-workflow.rnd.squareops.in" ingress_class_name = "nginx" # enter ingress class name according to your requirement (example: "ingress-nginx", "internal-ingress") + argoworkflow_ingress_load_balancer = "alb" ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB. + private_alb_enabled = "false" # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together + alb_acm_certificate_arn = "" # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL. + } # VELERO @@ -192,4 +201,4 @@ module "eks-addons" { ## FALCO falco_enabled = false # to enable falco slack_webhook = "xoxb-379541400966-iibMHnnoaPzVl" -} +} \ No newline at end of file diff --git a/main.tf b/main.tf index ebe252f..69372a8 100644 --- a/main.tf +++ b/main.tf @@ -144,7 +144,7 @@ module "external-secrets" { external_secrets_secrets_manager_arns = var.external_secrets_secrets_manager_arns } -## NGINX INGRESS +# NGINX INGRESS module "ingress-nginx" { source = "./modules/ingress-nginx" count = var.ingress_nginx_enabled ? 1 : 0 
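Review bot: In the argocd_config block, `private_alb_enabled = "false"` is a quoted string while the root variable types it as bool (the argocd_config hunk in variables.tf); Terraform converts it, but write `private_alb_enabled = false` as the kubernetes_dashboard_config block above already does, and likewise in the argoworkflow_config hunk below. Both new blocks also select `argocd_ingress_load_balancer = "alb"` / `argoworkflow_ingress_load_balancer = "alb"` while leaving `alb_acm_certificate_arn = ""`, and the -120 hunk of this same example keeps `aws_load_balancer_controller_enabled = false`, so as committed the example would request ALB ingresses with an HTTPS:443 listener but no certificate and no controller to reconcile them. Either set the three values consistently or keep the module default `"nlb"` in the example.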
@@ -199,7 +199,9 @@ module "kubernetes-dashboard" { alb_acm_certificate_arn = var.kubernetes_dashboard_config.alb_acm_certificate_arn k8s_dashboard_ingress_load_balancer = var.kubernetes_dashboard_config.k8s_dashboard_ingress_load_balancer private_alb_enabled = var.kubernetes_dashboard_config.private_alb_enabled - ingress_class_name = var.private_nlb_enabled ? "internal-${var.ingress_nginx_config.ingress_class_name}" : var.ingress_nginx_config.ingress_class_name + ingress_class_name = var.kubernetes_dashboard_config == "alb" ? "alb" : (var.private_nlb_enabled ? "internal-nginx" : var.kubernetes_dashboard_config.ingress_class_name) + private_subnet_ids = var.private_subnet_ids + public_subnet_ids = var.public_subnet_ids } ## KEDA @@ -273,7 +275,7 @@ resource "kubernetes_namespace" "argocd" { } module "argocd" { source = "./modules/argocd" - depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx] + depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx,module.aws-load-balancer-controller] count = var.argocd_enabled ? 1 : 0 argocd_config = { hostname = var.argocd_config.hostname 
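Review bot: The new ternary compares the whole object `var.kubernetes_dashboard_config` with the string "alb", so the ALB branch can never be taken (Terraform evaluates the mismatched-type comparison as false, or rejects it, depending on version) and the dashboard always receives the nginx class name even when `k8s_dashboard_ingress_load_balancer = "alb"`. The intended test is the attribute: `ingress_class_name = var.kubernetes_dashboard_config.k8s_dashboard_ingress_load_balancer == "alb" ? "alb" : (var.private_nlb_enabled ? "internal-nginx" : var.kubernetes_dashboard_config.ingress_class_name)`. Separately, the removed line derived the private class as `"internal-${var.ingress_nginx_config.ingress_class_name}"`; hard-coding `"internal-nginx"` here (and in the argocd and argocd-workflow hunks that follow) silently breaks clusters whose nginx class is not named `nginx`, so consider keeping the derived form.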
@@ -282,22 +284,34 @@ module "argocd" { autoscaling_enabled = var.argocd_config.autoscaling_enabled slack_notification_token = var.argocd_config.slack_notification_token argocd_notifications_enabled = var.argocd_config.argocd_notifications_enabled - ingress_class_name = var.argocd_config.ingress_class_name + ingress_class_name = var.argocd_config.argocd_ingress_load_balancer == "alb" ? "alb" : (var.private_nlb_enabled ? "internal-nginx" : var.argocd_config.ingress_class_name) + argocd_ingress_load_balancer = var.argocd_config.argocd_ingress_load_balancer + private_alb_enabled = var.argocd_config.private_alb_enabled + alb_acm_certificate_arn = var.argocd_config.alb_acm_certificate_arn } + private_subnet_ids = var.private_subnet_ids + public_subnet_ids = var.public_subnet_ids namespace = var.argocd_config.namespace } # argo-workflow module "argocd-workflow" { source = "./modules/argocd-workflow" - depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx] + depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx,module.aws-load-balancer-controller] count = var.argoworkflow_enabled ? 1 : 0 argoworkflow_config = { values = var.argoworkflow_config.values hostname = var.argoworkflow_config.hostname - ingress_class_name = var.argoworkflow_config.ingress_class_name + ingress_class_name = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? "alb" : (var.private_nlb_enabled ? 
"internal-nginx" : var.argoworkflow_config.ingress_class_name) + argoworkflow_ingress_load_balancer = var.argoworkflow_config.argoworkflow_ingress_load_balancer + private_alb_enabled = var.argoworkflow_config.private_alb_enabled + alb_acm_certificate_arn = var.argoworkflow_config.alb_acm_certificate_arn + + autoscaling_enabled = var.argoworkflow_config.autoscaling_enabled } + private_subnet_ids = var.private_subnet_ids + public_subnet_ids = var.public_subnet_ids namespace = var.argoworkflow_config.namespace } diff --git a/modules/argocd-workflow/config/argocd-workflow.yaml b/modules/argocd-workflow/config/argocd-workflow.yaml index d43e08c..4345c19 100644 --- a/modules/argocd-workflow/config/argocd-workflow.yaml +++ b/modules/argocd-workflow/config/argocd-workflow.yaml @@ -69,7 +69,7 @@ server: targetMemoryUtilizationPercentage: 70 ingress: - enabled: true + enabled: false ingressClassName: ${ingress_class_name} hosts: - ${ingress_host} diff --git a/modules/argocd-workflow/main.tf b/modules/argocd-workflow/main.tf index 51cb200..a71c7bf 100644 --- a/modules/argocd-workflow/main.tf +++ b/modules/argocd-workflow/main.tf @@ -1,4 +1,5 @@ locals { + alb_scheme = var.argoworkflow_config.private_alb_enabled ? "internal" : "internet-facing" template_path = "${path.module}/config/argocd-workflow.yaml" # read modules template file 
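Review bot: The class-selection ternary is now written out three times (kubernetes-dashboard, argocd, argocd-workflow) with the literal `"internal-nginx"`, and the removed lines show each block previously took its class from a single config value; hoisting it into one local, e.g. `nginx_ingress_class = var.private_nlb_enabled ? "internal-${var.ingress_nginx_config.ingress_class_name}" : var.ingress_nginx_config.ingress_class_name`, and referencing `local.nginx_ingress_class` in the three blocks keeps them from drifting apart. This hunk starts on the previous physical line; the argocd module block it edits begins outside the hunk.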
@@ -85,3 +86,55 @@ resource "kubernetes_secret" "argo_workflow_token_secret" { token = try(data.kubernetes_secret.argo-workflow-secret.data["token"], "") } } + +resource "kubernetes_ingress_v1" "argoworkflow-ingress" { + depends_on = [helm_release.argo_workflow] + wait_for_load_balancer = true + metadata { + name = "argoworkflow-ingress" + namespace = var.namespace + annotations = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? { + "kubernetes.io/ingress.class" = "alb" + "alb.ingress.kubernetes.io/scheme" = local.alb_scheme + "alb.ingress.kubernetes.io/target-type" = "ip" + "alb.ingress.kubernetes.io/certificate-arn" = var.argoworkflow_config.alb_acm_certificate_arn, + "alb.ingress.kubernetes.io/subnets" = local.alb_scheme == "internal" ? join(",", var.private_subnet_ids) : join(",", var.public_subnet_ids) + "alb.ingress.kubernetes.io/healthcheck-path" = "/" + "alb.ingress.kubernetes.io/healthcheck-protocol" = "HTTP" + "alb.ingress.kubernetes.io/backend-protocol" = "HTTP" + "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTPS\":443}]" + "alb.ingress.kubernetes.io/ssl-redirect" = "443" + "alb.ingress.kubernetes.io/group.name" = local.alb_scheme == "internet-facing" ? "public-alb-ingress" : "private-alb-ingress" + } : { + "cert-manager.io/cluster-issuer" = "letsencrypt-prod" + "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true" + "nginx.ingress.kubernetes.io/ssl-passthrough" = "true" + "kubernetes.io/ingress.class" = var.argoworkflow_config.ingress_class_name + "kubernetes.io/tls-acme" = "false" + } + } + spec { + ingress_class_name = var.argoworkflow_config.ingress_class_name + rule { + host = var.argoworkflow_config.hostname + http { + path { + path = "/" + path_type = "Prefix" + backend { + service { + name = "argo-workflow-argo-workflows-server" + port { + number = 2746 + } + } + } + } + } + } + tls { + secret_name = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? 
"" : "argoworkflow-server-tls" + hosts = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? [] : [var.argoworkflow_config.hostname] + } + } +} \ No newline at end of file diff --git a/modules/argocd-workflow/variable.tf b/modules/argocd-workflow/variable.tf index 626e7f5..f445005 100644 --- a/modules/argocd-workflow/variable.tf +++ b/modules/argocd-workflow/variable.tf @@ -18,6 +18,10 @@ variable "argoworkflow_config" { namespace = "" hostname = "" autoscaling_enabled = "true" + ingress_class_name = "" + argoworkflow_ingress_load_balancer = "nlb" + private_alb_enabled = false + alb_acm_certificate_arn = "" } description = "Specify the configuration settings for Argocd-Workflow, including the hostname, and custom YAML values." } @@ -27,3 +31,20 @@ variable "chart_version" { type = string description = "Argo workflow chart version" } + +variable "ingress_class_name" { + type = string + default = "nginx" + description = "Enter ingress class name which is created in EKS cluster" +} + +variable "public_subnet_ids" { + type = list(string) + description = "List of public subnet IDs" +} + +variable "private_subnet_ids" { + description = "Private subnets of the VPC which can be used by EFS" + default = [""] + type = list(string) +} diff --git a/modules/argocd/config/values.yaml b/modules/argocd/config/values.yaml index 44d0e81..8550dd2 100644 --- a/modules/argocd/config/values.yaml +++ b/modules/argocd/config/values.yaml @@ -102,7 +102,7 @@ server: targetMemoryUtilizationPercentage: 70 # Argo CD server ingress configuration ingress: - enabled: true + enabled: false annotations: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/force-ssl-redirect: "true" diff --git a/modules/argocd/main.tf b/modules/argocd/main.tf index 47dd882..51fac00 100644 --- a/modules/argocd/main.tf +++ b/modules/argocd/main.tf 
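Review bot: On the ALB branch the `tls` block is still emitted, with `secret_name = ""` and `hosts = []`, which sends an empty TLS entry to the API server instead of omitting the block; a `dynamic "tls"` keyed on the load-balancer choice expresses the intent directly, and the identical pattern in the argocd-ingress hunk of modules/argocd/main.tf needs the same change. A second point applies to this hunk, the argocd hunk and the kubernetes-dashboard hunk alike: the ALB controller merges every Ingress that carries the same `alb.ingress.kubernetes.io/group.name`, across namespaces, into one load balancer and rule set, so with the fixed names `public-alb-ingress` / `private-alb-ingress` any workload able to create an Ingress can attach routes to the shared public ALB. Treat the group name as a trust boundary: make it configurable per deployment and restrict who may set that annotation (RBAC or an admission policy), rather than hard-coding it in three modules.
```hcl
  # … unchanged: depends_on, wait_for_load_balancer, metadata, rule …
  dynamic "tls" {
    for_each = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? [] : [1]
    content {
      secret_name = "argoworkflow-server-tls"
      hosts       = [var.argoworkflow_config.hostname]
    }
  }
```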
@@ -1,3 +1,7 @@
+locals {
+ alb_scheme = var.argocd_config.private_alb_enabled ? "internal" : "internet-facing"
+}
+
 resource "helm_release" "argocd_deploy" {
 name = "argo-cd"
 chart = "argo-cd"
@@ -26,3 +30,55 @@ data "kubernetes_secret" "argocd-secret" {
 namespace = var.namespace
 }
 }
+
+resource "kubernetes_ingress_v1" "argocd-ingress" {
+ depends_on = [helm_release.argocd_deploy]
+ wait_for_load_balancer = true
+ metadata {
+ name = "argocd-ingress"
+ namespace = var.namespace
+ annotations = var.argocd_config.argocd_ingress_load_balancer == "alb" ? {
+ "kubernetes.io/ingress.class" = "alb"
+ "alb.ingress.kubernetes.io/scheme" = local.alb_scheme
+ "alb.ingress.kubernetes.io/target-type" = "ip"
+ "alb.ingress.kubernetes.io/certificate-arn" = var.argocd_config.alb_acm_certificate_arn,
+ "alb.ingress.kubernetes.io/subnets" = local.alb_scheme == "internal" ? join(",", var.private_subnet_ids) : join(",", var.public_subnet_ids)
+ "alb.ingress.kubernetes.io/healthcheck-path" = "/healthz"
+ "alb.ingress.kubernetes.io/healthcheck-protocol" = "HTTP"
+ "alb.ingress.kubernetes.io/backend-protocol" = "HTTP"
+ "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTPS\":443}]"
+ "alb.ingress.kubernetes.io/ssl-redirect" = "443"
+ "alb.ingress.kubernetes.io/group.name" = local.alb_scheme == "internet-facing" ? "public-alb-ingress" : "private-alb-ingress"
+ } : {
+ "cert-manager.io/cluster-issuer" = "letsencrypt-prod"
+ "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
+ "nginx.ingress.kubernetes.io/ssl-passthrough" = "true"
+ "kubernetes.io/ingress.class" = var.argocd_config.ingress_class_name
+ "kubernetes.io/tls-acme" = "false"
+ }
+ }
+ spec {
+ ingress_class_name = var.argocd_config.ingress_class_name
+ rule {
+ host = var.argocd_config.hostname
+ http {
+ path {
+ path = "/"
+ path_type = "Prefix"
+ backend {
+ service {
+ name = "argo-cd-argocd-server"
+ port {
+ number = 80
+ }
+ }
+ }
+ }
+ }
+ }
+ tls {
+ secret_name = var.argocd_config.argocd_ingress_load_balancer == "alb" ? "" : "argocd-server-tls"
+ hosts = var.argocd_config.argocd_ingress_load_balancer == "alb" ? [] : [var.argocd_config.hostname]
+ }
+ }
+}
\ No newline at end of file
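Review bot: On the ALB branch the HTTPS:443 listener takes `certificate-arn` from `var.argocd_config.alb_acm_certificate_arn`, whose default in this commit is `""`, and `subnets` from `join(",", var.private_subnet_ids)`, whose default is `[""]`; both yield empty annotation values that the controller will either reject or, for the certificate, resolve by its own discovery rather than by an explicit, reviewed choice. Failing early is safer than provisioning a listener with whatever certificate happens to match: add a `lifecycle` precondition (Terraform 1.2+) that refuses the ALB branch without an ARN, as below, and the same guard belongs in the argoworkflow-ingress resource. One further item to confirm: the backend is `argo-cd-argocd-server` port 80 with `backend-protocol = "HTTP"`, and Argo CD's server redirects plain HTTP to HTTPS unless it runs with `--insecure`; the chart values that decide this are not in the diff.
```hcl
resource "kubernetes_ingress_v1" "argocd-ingress" {
  # … unchanged: depends_on, wait_for_load_balancer, metadata, spec …
  lifecycle {
    precondition {
      condition     = var.argocd_config.argocd_ingress_load_balancer != "alb" || var.argocd_config.alb_acm_certificate_arn != ""
      error_message = "argocd_config.alb_acm_certificate_arn must be set when argocd_ingress_load_balancer is \"alb\"."
    }
  }
}
```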
diff --git a/modules/argocd/variables.tf b/modules/argocd/variables.tf index 4ae800c..3b9f9ef 100644 --- a/modules/argocd/variables.tf +++ b/modules/argocd/variables.tf @@ -8,6 +8,9 @@ variable "argocd_config" { slack_notification_token = "" argocd_notifications_enabled = false ingress_class_name = "" + argocd_ingress_load_balancer = "nlb" + private_alb_enabled = false + alb_acm_certificate_arn = "" } description = "Specify the configuration settings for Argocd, including the hostname, redis_ha_enabled, autoscaling, notification settings, and custom YAML values." } @@ -29,3 +32,14 @@ variable "ingress_class_name" { default = "nginx" description = "Enter ingress class name which is created in EKS cluster" } + +variable "public_subnet_ids" { + type = list(string) + description = "List of public subnet IDs" +} + +variable "private_subnet_ids" { + description = "Private subnets of the VPC which can be used by EFS" + default = [""] + type = list(string) +} diff --git a/modules/aws-load-balancer-controller/config/values.yaml b/modules/aws-load-balancer-controller/config/values.yaml index f6af120..e1e926b 100644 --- a/modules/aws-load-balancer-controller/config/values.yaml +++ b/modules/aws-load-balancer-controller/config/values.yaml @@ -12,3 +12,6 @@ ingressClassParams: enableServiceMutatorWebhook: false nameOverride: ${load_balancer_controller_name} + +# disableIngressClassAnnotation: + diff --git a/modules/aws-load-balancer-controller/variables.tf b/modules/aws-load-balancer-controller/variables.tf index 5e70e20..6bb7c06 100644 --- a/modules/aws-load-balancer-controller/variables.tf +++ b/modules/aws-load-balancer-controller/variables.tf 
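Review bot: The new `private_subnet_ids` variable carries the description "Private subnets of the VPC which can be used by EFS", which has nothing to do with this module, and its default `[""]` is a one-element list holding an empty string rather than an empty list, which is what produces the blank `alb.ingress.kubernetes.io/subnets` annotation in main.tf. Use `description = "Private subnet IDs the internal ALB is placed in"` and `default = []`; the copies in modules/argocd-workflow/variable.tf and modules/kubernetes-dashboard/variables.tf have the same text and default. `public_subnet_ids` has no default at all, so every caller must supply it even when the ingress is NLB-backed; giving it `default = []` keeps the ALB-only dependency optional.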
@@ -39,3 +39,19 @@ variable "namespace" { type = string default = "kube-system" } + +# variable "public_subnet_ids" { +# type = list(string) +# description = "List of public subnet IDs" +# } + +# variable "private_alb_enabled" { +# description = "Control wheather to install public nlb or private nlb. Default is private" +# type = bool +# default = false +# } + +# variable "private_subnet_ids" { +# type = list(string) +# description = "List of private subnet IDs" +# } \ No newline at end of file diff --git a/modules/ingress-nginx/main.tf b/modules/ingress-nginx/main.tf index 75cdfbd..7aa16eb 100644 --- a/modules/ingress-nginx/main.tf +++ b/modules/ingress-nginx/main.tf @@ -20,8 +20,6 @@ locals { template_values_map = yamldecode(local.template_values) } -# Namespace creation - resource "kubernetes_namespace" "this" { count = try(var.helm_config.create_namespace, true) && local.namespace != "kube-system" ? 1 : 0 metadata { @@ -47,3 +45,5 @@ module "helm_addon" { manage_via_gitops = var.manage_via_gitops addon_context = var.addon_context } + + diff --git a/modules/kubernetes-dashboard/main.tf b/modules/kubernetes-dashboard/main.tf index 0ed0715..a7f0a27 100644 --- a/modules/kubernetes-dashboard/main.tf +++ b/modules/kubernetes-dashboard/main.tf 
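Review bot: The aws-load-balancer-controller variables.tf hunk adds three commented-out `variable` blocks; commented-out declarations are dead text that drifts from the live inputs, so either declare them (the root now passes subnet IDs to the other modules) or leave them out. If kept, the description `"Control wheather to install public nlb or private nlb. Default is private"` has a typo and describes an NLB while the variable is named `private_alb_enabled` with `default = false`, i.e. the default is not private.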
@@ -26,14 +26,16 @@ resource "kubernetes_ingress_v1" "k8s-ingress" { namespace = "kubernetes-dashboard" annotations = var.k8s_dashboard_ingress_load_balancer == "alb" ? { "kubernetes.io/ingress.class" = "alb" - "alb.ingress.kubernetes.io/scheme" = local.alb_scheme "alb.ingress.kubernetes.io/target-type" = "ip" "alb.ingress.kubernetes.io/certificate-arn" = var.alb_acm_certificate_arn, + "alb.ingress.kubernetes.io/scheme" = local.alb_scheme + "alb.ingress.kubernetes.io/subnets" = local.alb_scheme == "internal" ? join(",", var.private_subnet_ids) : join(",", var.public_subnet_ids) "alb.ingress.kubernetes.io/healthcheck-path" = "/" "alb.ingress.kubernetes.io/healthcheck-protocol" = "HTTPS" "alb.ingress.kubernetes.io/backend-protocol" = "HTTPS" "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTPS\":443}]" "alb.ingress.kubernetes.io/ssl-redirect" = "443" + "alb.ingress.kubernetes.io/group.name" = local.alb_scheme == "internet-facing" ? "public-alb-ingress" : "private-alb-ingress" } : { "cert-manager.io/cluster-issuer" = "letsencrypt-prod" "kubernetes.io/ingress.class" = var.ingress_class_name @@ -48,6 +50,7 @@ resource "kubernetes_ingress_v1" "k8s-ingress" { } } spec { + ingress_class_name = var.ingress_class_name rule { host = var.k8s_dashboard_hostname http { diff --git a/modules/kubernetes-dashboard/variables.tf b/modules/kubernetes-dashboard/variables.tf index 565dfb0..2841b00 100644 --- a/modules/kubernetes-dashboard/variables.tf +++ b/modules/kubernetes-dashboard/variables.tf @@ -27,3 +27,16 @@ variable "private_alb_enabled" { type = bool default = false } + + +variable "public_subnet_ids" { + type = list(string) + description = "List of public subnet IDs" +} + +variable "private_subnet_ids" { + description = "Private subnets of the VPC which can be used by EFS" + default = [""] + type = list(string) +} + diff --git a/variables.tf b/variables.tf index 3c0341c..5933229 100644 --- a/variables.tf +++ b/variables.tf 
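Review bot: In the `spec` hunk the new `ingress_class_name = var.ingress_class_name` is set unconditionally, while the ALB branch of `annotations` hard-codes `"kubernetes.io/ingress.class" = "alb"`; the two only agree if the root happens to pass "alb", which the root main.tf hunk in this commit cannot currently do, so the module should be self-consistent: `ingress_class_name = var.k8s_dashboard_ingress_load_balancer == "alb" ? "alb" : var.ingress_class_name`. The resource `kubernetes_ingress_v1.k8s-ingress` begins and ends outside these hunks.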
@@ -501,6 +501,7 @@ variable "kubernetes_dashboard_config" { alb_acm_certificate_arn = string k8s_dashboard_hostname = string private_alb_enabled = bool + ingress_class_name = string }) default = { @@ -508,6 +509,7 @@ variable "kubernetes_dashboard_config" { alb_acm_certificate_arn = "" k8s_dashboard_hostname = "" private_alb_enabled = false + ingress_class_name = "nginx" } } @@ -525,6 +527,9 @@ variable "argocd_config" { autoscaling_enabled = bool slack_notification_token = string argocd_notifications_enabled = bool + argocd_ingress_load_balancer = string + private_alb_enabled = bool + alb_acm_certificate_arn = string ingress_class_name = string namespace = string }) @@ -536,7 +541,10 @@ variable "argocd_config" { autoscaling_enabled = false slack_notification_token = "" argocd_notifications_enabled = false - ingress_class_name = "" + argocd_ingress_load_balancer = "nlb" + private_alb_enabled = false + alb_acm_certificate_arn = "" + ingress_class_name = "nginx" namespace = "argocd" } } @@ -549,19 +557,25 @@ variable "argoworkflow_enabled" { variable "argoworkflow_config" { type = object({ - values = any - namespace = string - hostname = string - ingress_class_name = string - autoscaling_enabled = bool + values = any + namespace = string + hostname = string + ingress_class_name = string + autoscaling_enabled = bool + argoworkflow_ingress_load_balancer = string + private_alb_enabled = bool + alb_acm_certificate_arn = string }) default = { - values = {} - namespace = "argocd" - hostname = "" - ingress_class_name = "" - autoscaling_enabled = true + values = {} + namespace = "argocd" + hostname = "" + ingress_class_name = "" + autoscaling_enabled = true + argoworkflow_ingress_load_balancer = "nlb" + private_alb_enabled = false + alb_acm_certificate_arn = "" } } 
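Review bot: `argocd_ingress_load_balancer` and `argoworkflow_ingress_load_balancer` are free-form strings, but every consumer in this commit tests `== "alb"` and otherwise falls through to the nginx path, so a typo such as "ALB" silently provisions the wrong ingress type; a `validation` block on each variable, as below for argocd_config, turns that into a plan-time error. The defaults are also inconsistent: argocd_config now defaults `ingress_class_name = "nginx"` while argoworkflow_config keeps `ingress_class_name = ""`, and the root main.tf passes that empty string straight into `spec.ingress_class_name` on the plain-NLB path.
```hcl
variable "argocd_config" {
  # … unchanged: type, default …
  validation {
    condition     = contains(["alb", "nlb"], var.argocd_config.argocd_ingress_load_balancer)
    error_message = "argocd_config.argocd_ingress_load_balancer must be \"alb\" or \"nlb\"."
  }
}
```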
@@ -650,14 +664,11 @@ EOT default = [] # Default to an empty list to ensure optional usage } -# variable "private_subnet_ids" { -# type = list(string) -# description = "List of private subnet IDs" -# } - variable "public_subnet_ids" { type = list(string) description = "List of public subnet IDs" } + +