diff --git a/examples/complete/main.tf b/examples/complete/main.tf index a6dec64..3e23bba 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -21,7 +21,8 @@ module "eks-addons" { name = local.name tags = local.additional_tags vpc_id = "vpc-xxxxxx" # pass VPC ID - private_subnet_ids = ["subnet-xxxxx", "subnet-xxxxx"] # pass Subnet IDs + private_subnet_ids = ["subnet-xxxxx", "subnet-xxxxx"] # pass Private Subnet IDs + public_subnet_ids = ["subnet-xxxxx", "subnet-xxxxx"] # pass Public Subnet IDs environment = local.environment ipv6_enabled = local.ipv6_enabled kms_key_arn = local.kms_key_arn @@ -110,16 +111,16 @@ module "eks-addons" { ## INGRESS-NGINX ingress_nginx_enabled = false # to enable ingress nginx - private_nlb_enabled = false # to enable Internal (Private) Ingress , set this and ingress_nginx_enable "false" together + private_nlb_enabled = false # to enable Internal (Private) Ingress , set this and ingress_nginx_enable "false" together ingress_nginx_config = { values = [file("${path.module}/config/ingress-nginx.yaml")] enable_service_monitor = false # enable monitoring in nginx ingress ingress_class_name = "nginx" # enter ingress class name according to your requirement (example: "nginx", "internal-ingress") - namespace = "nginx" # enter namespace according to the requirement (example: "nginx", "internal-ingress") + namespace = "nginx" } ## AWS-APPLICATION-LOAD-BALANCER-CONTROLLER - aws_load_balancer_controller_enabled = false # to enable load balancer controller + aws_load_balancer_controller_enabled = false # to enable load balancer controller aws_load_balancer_controller_helm_config = { values = [file("${path.module}/config/aws-alb.yaml")] namespace = "alb" # enter namespace according to the requirement (example: "alb") 
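Review bot: The re-added `private_nlb_enabled` line in the INGRESS-NGINX hunk keeps a comment that says `set this and ingress_nginx_enable "false" together`, which names a variable that does not exist (the file uses `ingress_nginx_enabled`) and, as far as I can tell, states the wrong value: an internal NLB only exists when ingress-nginx is enabled, and the neighbouring dashboard comment uses the `"true"` form. Suggest `private_nlb_enabled = false # to enable Internal (Private) Ingress, set this and ingress_nginx_enabled "true" together`. The same hunk also strips the explanatory comment from `namespace = "nginx"`; keeping `# enter namespace according to the requirement (example: "nginx", "internal-ingress")` leaves the example self-describing like its siblings. The `module "eks-addons"` block starts outside the hunk.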
@@ -132,6 +133,7 @@ module "eks-addons" { k8s_dashboard_ingress_load_balancer = "nlb" ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB. private_alb_enabled = false # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together alb_acm_certificate_arn = "" # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL. + ingress_class_name = "nginx" # enter ingress class name according to your requirement (example: "nginx", "internal-ingress") k8s_dashboard_hostname = "k8s-dashboard.rnd.squareops.in" # Enter Hostname } @@ -146,6 +148,10 @@ module "eks-addons" { slack_notification_token = "" argocd_notifications_enabled = false ingress_class_name = "nginx" # enter ingress class name according to your requirement (example: "ingress-nginx", "internal-ingress") + argocd_ingress_load_balancer = "alb" ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB. + private_alb_enabled = "false" # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together + alb_acm_certificate_arn = "" # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL. + } argoproject_config = { name = "argo-project" # enter name for aro-project appProjects 
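Review bot: `private_alb_enabled = "false"` in the new `argocd_config` lines is a quoted string, while the module default added in modules/argocd/variables.tf is the boolean `false`; the `argoworkflow_config` example in the next hunk has the same quoting. Terraform usually coerces `"false"` inside a conditional, but if the root variable is ever typed with `bool` for that attribute the plan fails, and an example should model the intended type anyway: `private_alb_enabled = false`. The hunk also adds a stray empty `+` line before the closing `}`; the `argocd_config` block itself starts outside the hunk.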
@@ -159,6 +165,10 @@ module "eks-addons" { autoscaling_enabled = true hostname = "argocd-workflow.rnd.squareops.in" ingress_class_name = "nginx" # enter ingress class name according to your requirement (example: "ingress-nginx", "internal-ingress") + argoworkflow_ingress_load_balancer = "alb" ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB. + private_alb_enabled = "false" # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together + alb_acm_certificate_arn = "" # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL. + } # VELERO @@ -191,4 +201,4 @@ module "eks-addons" { ## FALCO falco_enabled = false # to enable falco slack_webhook = "xoxb-379541400966-iibMHnnoaPzVl" -} +} \ No newline at end of file diff --git a/main.tf b/main.tf index 6e76b27..69372a8 100644 --- a/main.tf +++ b/main.tf @@ -144,7 +144,7 @@ module "external-secrets" { external_secrets_secrets_manager_arns = var.external_secrets_secrets_manager_arns } -## NGINX INGRESS +# NGINX INGRESS module "ingress-nginx" { source = "./modules/ingress-nginx" count = var.ingress_nginx_enabled ? 1 : 0 @@ -159,6 +159,9 @@ module "ingress-nginx" { private_nlb_enabled = var.private_nlb_enabled ingress_class_name = var.private_nlb_enabled ? "internal-${var.ingress_nginx_config.ingress_class_name}" : var.ingress_nginx_config.ingress_class_name enable_service_monitor = var.ingress_nginx_config.enable_service_monitor + private_subnet_ids = var.private_subnet_ids + public_subnet_ids = var.public_subnet_ids + nlb_subnets = var.private_nlb_enabled ? var.private_subnet_ids : var.public_subnet_ids } # INGRESS-NGINX DATA SOURCE 
@@ -196,7 +199,9 @@ module "kubernetes-dashboard" { alb_acm_certificate_arn = var.kubernetes_dashboard_config.alb_acm_certificate_arn k8s_dashboard_ingress_load_balancer = var.kubernetes_dashboard_config.k8s_dashboard_ingress_load_balancer private_alb_enabled = var.kubernetes_dashboard_config.private_alb_enabled - ingress_class_name = var.private_nlb_enabled ? "internal-${var.ingress_nginx_config.ingress_class_name}" : var.ingress_nginx_config.ingress_class_name + ingress_class_name = var.kubernetes_dashboard_config == "alb" ? "alb" : (var.private_nlb_enabled ? "internal-nginx" : var.kubernetes_dashboard_config.ingress_class_name) + private_subnet_ids = var.private_subnet_ids + public_subnet_ids = var.public_subnet_ids } ## KEDA @@ -270,7 +275,7 @@ resource "kubernetes_namespace" "argocd" { } module "argocd" { source = "./modules/argocd" - depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx] + depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx,module.aws-load-balancer-controller] count = var.argocd_enabled ? 1 : 0 argocd_config = { hostname = var.argocd_config.hostname 
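Review bot: The new `ingress_class_name` expression in the kubernetes-dashboard hunk compares the whole `var.kubernetes_dashboard_config` object with the string `"alb"`, so the ALB branch can never be selected (and, depending on the Terraform version, the mismatched comparison may error); the argocd hunk further down reads the load-balancer attribute instead. It should be `ingress_class_name = var.kubernetes_dashboard_config.k8s_dashboard_ingress_load_balancer == "alb" ? "alb" : (var.private_nlb_enabled ? "internal-nginx" : var.kubernetes_dashboard_config.ingress_class_name)`. Separately, `"internal-nginx"` is hard-coded here and in the argocd / argo-workflow hunks, whereas the ingress-nginx module derives the class as `"internal-${var.ingress_nginx_config.ingress_class_name}"`; with a non-default class name these ingresses would reference a class that does not exist. The `module "kubernetes-dashboard"` block starts outside the hunk.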
@@ -279,22 +284,34 @@ module "argocd" { autoscaling_enabled = var.argocd_config.autoscaling_enabled slack_notification_token = var.argocd_config.slack_notification_token argocd_notifications_enabled = var.argocd_config.argocd_notifications_enabled - ingress_class_name = var.argocd_config.ingress_class_name + ingress_class_name = var.argocd_config.argocd_ingress_load_balancer == "alb" ? "alb" : (var.private_nlb_enabled ? "internal-nginx" : var.argocd_config.ingress_class_name) + argocd_ingress_load_balancer = var.argocd_config.argocd_ingress_load_balancer + private_alb_enabled = var.argocd_config.private_alb_enabled + alb_acm_certificate_arn = var.argocd_config.alb_acm_certificate_arn } + private_subnet_ids = var.private_subnet_ids + public_subnet_ids = var.public_subnet_ids namespace = var.argocd_config.namespace } # argo-workflow module "argocd-workflow" { source = "./modules/argocd-workflow" - depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx] + depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx,module.aws-load-balancer-controller] count = var.argoworkflow_enabled ? 1 : 0 argoworkflow_config = { values = var.argoworkflow_config.values hostname = var.argoworkflow_config.hostname - ingress_class_name = var.argoworkflow_config.ingress_class_name + ingress_class_name = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? "alb" : (var.private_nlb_enabled ? 
"internal-nginx" : var.argoworkflow_config.ingress_class_name) + argoworkflow_ingress_load_balancer = var.argoworkflow_config.argoworkflow_ingress_load_balancer + private_alb_enabled = var.argoworkflow_config.private_alb_enabled + alb_acm_certificate_arn = var.argoworkflow_config.alb_acm_certificate_arn + + autoscaling_enabled = var.argoworkflow_config.autoscaling_enabled } + private_subnet_ids = var.private_subnet_ids + public_subnet_ids = var.public_subnet_ids namespace = var.argoworkflow_config.namespace } diff --git a/modules/argocd-workflow/config/argocd-workflow.yaml b/modules/argocd-workflow/config/argocd-workflow.yaml index d43e08c..4345c19 100644 --- a/modules/argocd-workflow/config/argocd-workflow.yaml +++ b/modules/argocd-workflow/config/argocd-workflow.yaml @@ -69,7 +69,7 @@ server: targetMemoryUtilizationPercentage: 70 ingress: - enabled: true + enabled: false ingressClassName: ${ingress_class_name} hosts: - ${ingress_host} diff --git a/modules/argocd-workflow/main.tf b/modules/argocd-workflow/main.tf index 51cb200..a71c7bf 100644 --- a/modules/argocd-workflow/main.tf +++ b/modules/argocd-workflow/main.tf @@ -1,4 +1,5 @@ locals { + alb_scheme = var.argoworkflow_config.private_alb_enabled ? "internal" : "internet-facing" template_path = "${path.module}/config/argocd-workflow.yaml" # read modules template file 
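Review bot: Setting `server.ingress.enabled: false` removes the chart-managed Ingress, and the replacement `kubernetes_ingress_v1.argoworkflow-ingress` added in modules/argocd-workflow/main.tf has no `count`, so after this change the module always creates an Ingress and there is no longer a way to deploy Argo Workflows without exposing it; the modules/argocd/config/values.yaml hunk does the same for Argo CD. On an existing deployment the Helm upgrade deletes the old Ingress before Terraform creates the new one, which is a short availability gap worth mentioning in the variable description. Suggest gating the new resource on a config flag, e.g. `count = try(var.argoworkflow_config.ingress_enabled, true) ? 1 : 0` (constructed name), so the previous opt-out is preserved.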
@@ -85,3 +86,55 @@ resource "kubernetes_secret" "argo_workflow_token_secret" { token = try(data.kubernetes_secret.argo-workflow-secret.data["token"], "") } } + +resource "kubernetes_ingress_v1" "argoworkflow-ingress" { + depends_on = [helm_release.argo_workflow] + wait_for_load_balancer = true + metadata { + name = "argoworkflow-ingress" + namespace = var.namespace + annotations = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? { + "kubernetes.io/ingress.class" = "alb" + "alb.ingress.kubernetes.io/scheme" = local.alb_scheme + "alb.ingress.kubernetes.io/target-type" = "ip" + "alb.ingress.kubernetes.io/certificate-arn" = var.argoworkflow_config.alb_acm_certificate_arn, + "alb.ingress.kubernetes.io/subnets" = local.alb_scheme == "internal" ? join(",", var.private_subnet_ids) : join(",", var.public_subnet_ids) + "alb.ingress.kubernetes.io/healthcheck-path" = "/" + "alb.ingress.kubernetes.io/healthcheck-protocol" = "HTTP" + "alb.ingress.kubernetes.io/backend-protocol" = "HTTP" + "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTPS\":443}]" + "alb.ingress.kubernetes.io/ssl-redirect" = "443" + "alb.ingress.kubernetes.io/group.name" = local.alb_scheme == "internet-facing" ? "public-alb-ingress" : "private-alb-ingress" + } : { + "cert-manager.io/cluster-issuer" = "letsencrypt-prod" + "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true" + "nginx.ingress.kubernetes.io/ssl-passthrough" = "true" + "kubernetes.io/ingress.class" = var.argoworkflow_config.ingress_class_name + "kubernetes.io/tls-acme" = "false" + } + } + spec { + ingress_class_name = var.argoworkflow_config.ingress_class_name + rule { + host = var.argoworkflow_config.hostname + http { + path { + path = "/" + path_type = "Prefix" + backend { + service { + name = "argo-workflow-argo-workflows-server" + port { + number = 2746 + } + } + } + } + } + } + tls { + secret_name = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? 
"" : "argoworkflow-server-tls" + hosts = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? [] : [var.argoworkflow_config.hostname] + } + } +} \ No newline at end of file diff --git a/modules/argocd-workflow/variable.tf b/modules/argocd-workflow/variable.tf index 626e7f5..f445005 100644 --- a/modules/argocd-workflow/variable.tf +++ b/modules/argocd-workflow/variable.tf @@ -18,6 +18,10 @@ variable "argoworkflow_config" { namespace = "" hostname = "" autoscaling_enabled = "true" + ingress_class_name = "" + argoworkflow_ingress_load_balancer = "nlb" + private_alb_enabled = false + alb_acm_certificate_arn = "" } description = "Specify the configuration settings for Argocd-Workflow, including the hostname, and custom YAML values." } @@ -27,3 +31,20 @@ variable "chart_version" { type = string description = "Argo workflow chart version" } + +variable "ingress_class_name" { + type = string + default = "nginx" + description = "Enter ingress class name which is created in EKS cluster" +} + +variable "public_subnet_ids" { + type = list(string) + description = "List of public subnet IDs" +} + +variable "private_subnet_ids" { + description = "Private subnets of the VPC which can be used by EFS" + default = [""] + type = list(string) +} diff --git a/modules/argocd/config/values.yaml b/modules/argocd/config/values.yaml index 44d0e81..8550dd2 100644 --- a/modules/argocd/config/values.yaml +++ b/modules/argocd/config/values.yaml @@ -102,7 +102,7 @@ server: targetMemoryUtilizationPercentage: 70 # Argo CD server ingress configuration ingress: - enabled: true + enabled: false annotations: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/force-ssl-redirect: "true" diff --git a/modules/argocd/main.tf b/modules/argocd/main.tf index 47dd882..51fac00 100644 --- a/modules/argocd/main.tf +++ b/modules/argocd/main.tf 
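Review bot: On the ALB path the new `kubernetes_ingress_v1.argoworkflow-ingress` sets `listen-ports` to HTTPS-only and `ssl-redirect = "443"` but takes `alb_acm_certificate_arn` from a config attribute whose default is `""`; nothing rejects the empty value, so a misconfigured ALB either fails to reconcile or falls back to certificate discovery, and with `wait_for_load_balancer = true` the apply then blocks until the provider times out. The same hunk also always emits a `tls` entry, with `secret_name = ""` and `hosts = []` on the ALB path, which the controller ignores and which reads as a half-configured TLS block. The identical structure appears in `kubernetes_ingress_v1.argocd-ingress` in modules/argocd/main.tf. I would add a precondition and make the `tls` block conditional as below.

```hcl
  # … unchanged: depends_on, wait_for_load_balancer, metadata …
  spec {
    ingress_class_name = var.argoworkflow_config.ingress_class_name
    # … unchanged: rule { host / http / path / backend } …

    # TLS is terminated by nginx + cert-manager only; the ALB path uses the
    # ACM certificate from the annotation, so no tls entry is emitted there.
    dynamic "tls" {
      for_each = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? [] : [1]
      content {
        secret_name = "argoworkflow-server-tls"
        hosts       = [var.argoworkflow_config.hostname]
      }
    }
  }

  lifecycle {
    precondition {
      condition     = var.argoworkflow_config.argoworkflow_ingress_load_balancer != "alb" || var.argoworkflow_config.alb_acm_certificate_arn != ""
      error_message = "alb_acm_certificate_arn must be set when argoworkflow_ingress_load_balancer is \"alb\" (the ALB listener is HTTPS-only)."
    }
  }
}
```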
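Review bot: `variable "private_subnet_ids"` in the new variable.tf hunk carries the description `Private subnets of the VPC which can be used by EFS`, copied from another module, and a default of `[""]`; joined into the `alb.ingress.kubernetes.io/subnets` annotation that default yields an empty string, which is an invalid subnet pin rather than a "not set" signal. The matching additions in modules/argocd/variables.tf have the same description and default. Suggest `description = "Private subnet IDs used when the ALB or NLB is internal"` and either no default (the `public_subnet_ids` variable beside it has none) or `default = []`. The new module-level `variable "ingress_class_name"` is not read anywhere in the lines visible here, since the root passes the class name inside `argoworkflow_config`; worth confirming it is needed.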
@@ -1,3 +1,7 @@ +locals { + alb_scheme = var.argocd_config.private_alb_enabled ? "internal" : "internet-facing" +} + resource "helm_release" "argocd_deploy" { name = "argo-cd" chart = "argo-cd" 
@@ -26,3 +30,55 @@ data "kubernetes_secret" "argocd-secret" { namespace = var.namespace } } + +resource "kubernetes_ingress_v1" "argocd-ingress" { + depends_on = [helm_release.argocd_deploy] + wait_for_load_balancer = true + metadata { + name = "argocd-ingress" + namespace = var.namespace + annotations = var.argocd_config.argocd_ingress_load_balancer == "alb" ? { + "kubernetes.io/ingress.class" = "alb" + "alb.ingress.kubernetes.io/scheme" = local.alb_scheme + "alb.ingress.kubernetes.io/target-type" = "ip" + "alb.ingress.kubernetes.io/certificate-arn" = var.argocd_config.alb_acm_certificate_arn, + "alb.ingress.kubernetes.io/subnets" = local.alb_scheme == "internal" ? join(",", var.private_subnet_ids) : join(",", var.public_subnet_ids) + "alb.ingress.kubernetes.io/healthcheck-path" = "/healthz" + "alb.ingress.kubernetes.io/healthcheck-protocol" = "HTTP" + "alb.ingress.kubernetes.io/backend-protocol" = "HTTP" + "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTPS\":443}]" + "alb.ingress.kubernetes.io/ssl-redirect" = "443" + "alb.ingress.kubernetes.io/group.name" = local.alb_scheme == "internet-facing" ? "public-alb-ingress" : "private-alb-ingress" + } : { + "cert-manager.io/cluster-issuer" = "letsencrypt-prod" + "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true" + "nginx.ingress.kubernetes.io/ssl-passthrough" = "true" + "kubernetes.io/ingress.class" = var.argocd_config.ingress_class_name + "kubernetes.io/tls-acme" = "false" + } + } + spec { + ingress_class_name = var.argocd_config.ingress_class_name + rule { + host = var.argocd_config.hostname + http { + path { + path = "/" + path_type = "Prefix" + backend { + service { + name = "argo-cd-argocd-server" + port { + number = 80 + } + } + } + } + } + } + tls { + secret_name = var.argocd_config.argocd_ingress_load_balancer == "alb" ? "" : "argocd-server-tls" + hosts = var.argocd_config.argocd_ingress_load_balancer == "alb" ? [] : [var.argocd_config.hostname] + } + } +} \ No newline at end of file 
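Review bot: `alb.ingress.kubernetes.io/group.name` in the ALB annotation map of `kubernetes_ingress_v1.argocd-ingress` joins this Ingress to a cluster-wide group named `public-alb-ingress` or `private-alb-ingress`, and the argo-workflow ingress in modules/argocd-workflow/main.tf uses the same two names. The AWS Load Balancer Controller merges every Ingress carrying the same group name, from any namespace, onto one ALB with shared listener rules, so any principal permitted to create an Ingress in the cluster can attach routes to the load balancer that fronts Argo CD; the controller's documentation recommends IngressGroup only when all Ingress authors sit inside one trust boundary. If sharing one ALB is intended, say so next to the annotation, e.g. `# group.name: shared ALB — every Ingress in the cluster using this name is merged onto it (see LBC IngressGroup docs)`, and consider exposing the group name as a variable so operators can isolate it per namespace.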
diff --git a/modules/argocd/variables.tf b/modules/argocd/variables.tf index 4ae800c..3b9f9ef 100644 --- a/modules/argocd/variables.tf +++ b/modules/argocd/variables.tf @@ -8,6 +8,9 @@ variable "argocd_config" { slack_notification_token = "" argocd_notifications_enabled = false ingress_class_name = "" + argocd_ingress_load_balancer = "nlb" + private_alb_enabled = false + alb_acm_certificate_arn = "" } description = "Specify the configuration settings for Argocd, including the hostname, redis_ha_enabled, autoscaling, notification settings, and custom YAML values." } @@ -29,3 +32,14 @@ variable "ingress_class_name" { default = "nginx" description = "Enter ingress class name which is created in EKS cluster" } + +variable "public_subnet_ids" { + type = list(string) + description = "List of public subnet IDs" +} + +variable "private_subnet_ids" { + description = "Private subnets of the VPC which can be used by EFS" + default = [""] + type = list(string) +} diff --git a/modules/aws-load-balancer-controller/config/values.yaml b/modules/aws-load-balancer-controller/config/values.yaml index f6af120..e1e926b 100644 --- a/modules/aws-load-balancer-controller/config/values.yaml +++ b/modules/aws-load-balancer-controller/config/values.yaml @@ -12,3 +12,6 @@ ingressClassParams: enableServiceMutatorWebhook: false nameOverride: ${load_balancer_controller_name} + +# disableIngressClassAnnotation: + diff --git a/modules/aws-load-balancer-controller/variables.tf b/modules/aws-load-balancer-controller/variables.tf index 5e70e20..6bb7c06 100644 --- a/modules/aws-load-balancer-controller/variables.tf +++ b/modules/aws-load-balancer-controller/variables.tf 
@@ -39,3 +39,19 @@ variable "namespace" { type = string default = "kube-system" } + +# variable "public_subnet_ids" { +# type = list(string) +# description = "List of public subnet IDs" +# } + +# variable "private_alb_enabled" { +# description = "Control wheather to install public nlb or private nlb. Default is private" +# type = bool +# default = false +# } + +# variable "private_subnet_ids" { +# type = list(string) +# description = "List of private subnet IDs" +# } \ No newline at end of file diff --git a/modules/ingress-nginx/config/ingress_nginx.yaml b/modules/ingress-nginx/config/ingress_nginx.yaml index 2890d78..d8df5bf 100644 --- a/modules/ingress-nginx/config/ingress_nginx.yaml +++ b/modules/ingress-nginx/config/ingress_nginx.yaml @@ -5,6 +5,7 @@ controller: enabled: true annotations: service.beta.kubernetes.io/aws-load-balancer-type: nlb + service.beta.kubernetes.io/aws-load-balancer-subnets: ${nlb_subnets} service.beta.kubernetes.io/aws-load-balancer-internal: "${private_nlb_enabled}" service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "${additional_tags}" diff --git a/modules/ingress-nginx/config/ingress_nginx_ipv6.yaml b/modules/ingress-nginx/config/ingress_nginx_ipv6.yaml index 2d46aeb..8c6307c 100644 --- a/modules/ingress-nginx/config/ingress_nginx_ipv6.yaml +++ b/modules/ingress-nginx/config/ingress_nginx_ipv6.yaml @@ -4,6 +4,7 @@ controller: enabled: true annotations: service.beta.kubernetes.io/aws-load-balancer-type: external + service.beta.kubernetes.io/aws-load-balancer-subnets: ${nlb_subnets} service.beta.kubernetes.io/aws-load-balancer-internal: "${private_nlb_enabled}" service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip diff --git a/modules/ingress-nginx/main.tf b/modules/ingress-nginx/main.tf index 9d21906..7aa16eb 100644 --- a/modules/ingress-nginx/main.tf 
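Review bot: The aws-load-balancer-controller variables.tf hunk adds only commented-out `variable` blocks (`public_subnet_ids`, `private_alb_enabled`, `private_subnet_ids`), and the matching values.yaml hunk adds a commented `# disableIngressClassAnnotation:` key. Dead declarations in a module interface suggest the controller takes subnet inputs when it does not; either declare them for real or leave them out and track the intent in an issue. If they stay, `wheather` in the `private_alb_enabled` description should read `whether`, and the file should end with a newline.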
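Review bot: The new `service.beta.kubernetes.io/aws-load-balancer-subnets: ${nlb_subnets}` annotation in ingress_nginx.yaml (and in the ipv6 template) is the only annotation left unquoted; the module renders `nlb_subnets` with `join(",", …)`, so an empty subnet list produces `aws-load-balancer-subnets:` with no value, which `yamldecode` turns into null rather than a string and which the Helm values then carry as an invalid annotation. Quote it like its neighbours, `service.beta.kubernetes.io/aws-load-balancer-subnets: "${nlb_subnets}"`, and reject an empty list before templating. Also, the ipv4 template still uses `aws-load-balancer-type: nlb`, which as far as I know is reconciled by the in-tree cloud provider that ignores the subnets annotation (the AWS Load Balancer Controller honours it); worth confirming which controller owns this Service before relying on the subnet pin.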
+++ b/modules/ingress-nginx/main.tf @@ -4,6 +4,8 @@ locals { template_path = "${path.module}/config/${var.ip_family == "ipv4" ? "ingress_nginx.yaml" : "ingress_nginx_ipv6.yaml"}" additional_tags = join(",", [for k, v in var.addon_context.tags : "${k}=${v}"]) + nlb_subnets = var.private_nlb_enabled ? var.private_subnet_ids : var.public_subnet_ids + # Read module's template file template_values = templatefile(local.template_path, { enable_service_monitor = var.enable_service_monitor @@ -11,14 +13,13 @@ locals { nlb_scheme = local.nlb_scheme ingress_class_name = var.ingress_class_name additional_tags = local.additional_tags # Pass the dynamically created string + nlb_subnets = join(",", local.nlb_subnets) }) # Convert the template values to a map template_values_map = yamldecode(local.template_values) } -# Namespace creation - resource "kubernetes_namespace" "this" { count = try(var.helm_config.create_namespace, true) && local.namespace != "kube-system" ? 1 : 0 metadata { @@ -44,3 +45,5 @@ module "helm_addon" { manage_via_gitops = var.manage_via_gitops addon_context = var.addon_context } + + diff --git a/modules/ingress-nginx/variables.tf b/modules/ingress-nginx/variables.tf index 4089b82..a85ca13 100644 --- a/modules/ingress-nginx/variables.tf +++ b/modules/ingress-nginx/variables.tf @@ -54,3 +54,24 @@ variable "namespace" { description = "Creates namespace for the controller need to install" type = string } + +variable "nlb_subnets" { + description = <
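Review bot: The ingress-nginx `locals` hunk recomputes `nlb_subnets = var.private_nlb_enabled ? var.private_subnet_ids : var.public_subnet_ids`, while the root main.tf hunk passes the same expression into the module as the `nlb_subnets` argument; in the lines visible here `var.nlb_subnets` is never read, so the module input appears dead and the selection logic exists twice. Keep one source of truth: either drop the root `nlb_subnets` argument together with the `variable "nlb_subnets"` declaration, or set `nlb_subnets = var.nlb_subnets` in the locals and drop the private/public subnet inputs from this module. The second hunk in this file also removes the `# Namespace creation` comment above `kubernetes_namespace.this` for no visible reason; I would keep it. The `variable "nlb_subnets"` hunk in variables.tf is cut off at the end of the page, so its description was not reviewed.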