From d1f3ddb2e6daa4a13abee47f42e6811a514e8dec Mon Sep 17 00:00:00 2001 From: Monachawla1712 Date: Mon, 9 Dec 2024 17:52:56 +0530 Subject: [PATCH 1/5] Add support of subnet id for creating NLB --- examples/complete/main.tf | 9 ++++---- main.tf | 3 +++ .../ingress-nginx/config/ingress_nginx.yaml | 1 + .../config/ingress_nginx_ipv6.yaml | 1 + modules/ingress-nginx/main.tf | 3 +++ modules/ingress-nginx/variables.tf | 21 +++++++++++++++++++ variables.tf | 21 +++++++++++++++++++ 7 files changed, 55 insertions(+), 4 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index a6dec64..b0b8c8c 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -21,11 +21,12 @@ module "eks-addons" { name = local.name tags = local.additional_tags vpc_id = "vpc-xxxxxx" # pass VPC ID - private_subnet_ids = ["subnet-xxxxx", "subnet-xxxxx"] # pass Subnet IDs + private_subnet_ids = ["subnet-xxxxx", "subnet-xxxxx"] # pass Private Subnet IDs + public_subnets = ["subnet-xxxxx", "subnet-xxxxx"] # pass Public Subnet IDs environment = local.environment ipv6_enabled = local.ipv6_enabled kms_key_arn = local.kms_key_arn - kms_policy_arn = "arn:aws:iam::xxx:policy/eks-kms-policy" # eks module will create kms_policy_arn + kms_policy_arn = "arn:aws:iam::xxx:policy/eks-kms-policy" # eks module will create kms_policy_arn worker_iam_role_name = "eks-node-role" # enter role name created by eks module worker_iam_role_arn = "arn:aws:iam::xxx:role/eks-node-role" # enter roll ARN eks_cluster_name = data.aws_eks_cluster.cluster.name @@ -98,7 +99,7 @@ module "eks-addons" { cert_manager_helm_config = { values = [file("${path.module}/config/cert-manager.yaml")] enable_service_monitor = false # to enable monitoring for Cert Manager - cert_manager_letsencrypt_email = "email@email.com" + cert_manager_letsencrypt_email = "mona@squareops.com" } ## CONFIG-RELOADER 
@@ -115,7 +116,7 @@ module "eks-addons" { values = [file("${path.module}/config/ingress-nginx.yaml")] enable_service_monitor = false # enable monitoring in nginx ingress ingress_class_name = "nginx" # enter ingress class name according to your requirement (example: "nginx", "internal-ingress") - namespace = "nginx" # enter namespace according to the requirement (example: "nginx", "internal-ingress") + namespace = "nginx" } ## AWS-APPLICATION-LOAD-BALANCER-CONTROLLER diff --git a/main.tf b/main.tf index 6e76b27..4d52cef 100644 --- a/main.tf +++ b/main.tf @@ -159,6 +159,9 @@ module "ingress-nginx" { private_nlb_enabled = var.private_nlb_enabled ingress_class_name = var.private_nlb_enabled ? "internal-${var.ingress_nginx_config.ingress_class_name}" : var.ingress_nginx_config.ingress_class_name enable_service_monitor = var.ingress_nginx_config.enable_service_monitor + private_subnet_ids = var.private_subnet_ids + public_subnets = var.public_subnets + nlb_subnets = var.private_nlb_enabled ? var.private_subnet_ids : var.public_subnets } # INGRESS-NGINX DATA SOURCE diff --git a/modules/ingress-nginx/config/ingress_nginx.yaml b/modules/ingress-nginx/config/ingress_nginx.yaml index 2890d78..d8df5bf 100644 --- a/modules/ingress-nginx/config/ingress_nginx.yaml +++ b/modules/ingress-nginx/config/ingress_nginx.yaml @@ -5,6 +5,7 @@ controller: enabled: true annotations: service.beta.kubernetes.io/aws-load-balancer-type: nlb + service.beta.kubernetes.io/aws-load-balancer-subnets: ${nlb_subnets} service.beta.kubernetes.io/aws-load-balancer-internal: "${private_nlb_enabled}" service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "${additional_tags}" diff --git a/modules/ingress-nginx/config/ingress_nginx_ipv6.yaml b/modules/ingress-nginx/config/ingress_nginx_ipv6.yaml index 2d46aeb..8c6307c 100644 --- a/modules/ingress-nginx/config/ingress_nginx_ipv6.yaml 
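Review bot: The new `service.beta.kubernetes.io/aws-load-balancer-subnets: ${nlb_subnets}` line is the only annotation in this block whose value is left unquoted; when the selected subnet list is empty, `join` produces an empty string and the YAML scalar becomes null, which the module's `yamldecode(local.template_values)` would carry into the Helm values as a null annotation. Quote it like its neighbours, `service.beta.kubernetes.io/aws-load-balancer-subnets: "${nlb_subnets}"`, and consider emitting the key only when at least one subnet is supplied. This template keeps `aws-load-balancer-type: nlb`, which is reconciled by the in-tree AWS provider rather than the AWS Load Balancer Controller; confirm that provider honours the subnets annotation, because if it does not, placement for the IPv4 path will still be decided by `kubernetes.io/role/elb` subnet tags and the private/public split this series adds will have no effect there.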
+++ b/modules/ingress-nginx/config/ingress_nginx_ipv6.yaml @@ -4,6 +4,7 @@ controller: enabled: true annotations: service.beta.kubernetes.io/aws-load-balancer-type: external + service.beta.kubernetes.io/aws-load-balancer-subnets: ${nlb_subnets} service.beta.kubernetes.io/aws-load-balancer-internal: "${private_nlb_enabled}" service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip diff --git a/modules/ingress-nginx/main.tf b/modules/ingress-nginx/main.tf index 9d21906..a69246d 100644 --- a/modules/ingress-nginx/main.tf +++ b/modules/ingress-nginx/main.tf @@ -4,6 +4,8 @@ locals { template_path = "${path.module}/config/${var.ip_family == "ipv4" ? "ingress_nginx.yaml" : "ingress_nginx_ipv6.yaml"}" additional_tags = join(",", [for k, v in var.addon_context.tags : "${k}=${v}"]) + nlb_subnets = var.private_nlb_enabled ? var.private_subnet_ids : var.public_subnets + # Read module's template file template_values = templatefile(local.template_path, { enable_service_monitor = var.enable_service_monitor @@ -11,6 +13,7 @@ locals { nlb_scheme = local.nlb_scheme ingress_class_name = var.ingress_class_name additional_tags = local.additional_tags # Pass the dynamically created string + nlb_subnets = join(",", local.nlb_subnets) }) # Convert the template values to a map diff --git a/modules/ingress-nginx/variables.tf b/modules/ingress-nginx/variables.tf index 4089b82..88bc7c2 100644 --- a/modules/ingress-nginx/variables.tf +++ b/modules/ingress-nginx/variables.tf @@ -54,3 +54,24 @@ variable "namespace" { description = "Creates namespace for the controller need to install" type = string } + +variable "nlb_subnets" { + description = < Date: Mon, 9 Dec 2024 17:56:19 +0530 Subject: [PATCH 2/5] Add support of subnet ID for creation of NLB --- examples/complete/main.tf | 4 ++-- main.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
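Review bot: The new local `nlb_subnets = var.private_nlb_enabled ? var.private_subnet_ids : var.public_subnets` recomputes the value that the root main.tf already passes in as the module input `nlb_subnets`, so that input is accepted and then silently ignored by `templatefile`. Keep one source of truth: either drop the `nlb_subnets` variable and the root-side expression, or pass `nlb_subnets = join(",", var.nlb_subnets)` to the template and delete the local. As written, a caller who sets `nlb_subnets` to pin the NLB to specific subnets gets neither the effect nor an error, which is exactly the kind of silent placement mistake the subnet annotation is meant to prevent. The `variables.tf` hunk that should declare `nlb_subnets` is truncated in this view, so I cannot tell whether it has a default.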
diff --git a/examples/complete/main.tf b/examples/complete/main.tf index b0b8c8c..80dacda 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -26,7 +26,7 @@ module "eks-addons" { environment = local.environment ipv6_enabled = local.ipv6_enabled kms_key_arn = local.kms_key_arn - kms_policy_arn = "arn:aws:iam::xxx:policy/eks-kms-policy" # eks module will create kms_policy_arn + kms_policy_arn = "arn:aws:iam::xxx:policy/eks-kms-policy" # eks module will create kms_policy_arn worker_iam_role_name = "eks-node-role" # enter role name created by eks module worker_iam_role_arn = "arn:aws:iam::xxx:role/eks-node-role" # enter roll ARN eks_cluster_name = data.aws_eks_cluster.cluster.name @@ -99,7 +99,7 @@ module "eks-addons" { cert_manager_helm_config = { values = [file("${path.module}/config/cert-manager.yaml")] enable_service_monitor = false # to enable monitoring for Cert Manager - cert_manager_letsencrypt_email = "mona@squareops.com" + cert_manager_letsencrypt_email = "email@email.com" } ## CONFIG-RELOADER diff --git a/main.tf b/main.tf index 4d52cef..79b1e92 100644 --- a/main.tf +++ b/main.tf @@ -161,7 +161,7 @@ module "ingress-nginx" { enable_service_monitor = var.ingress_nginx_config.enable_service_monitor private_subnet_ids = var.private_subnet_ids public_subnets = var.public_subnets - nlb_subnets = var.private_nlb_enabled ? var.private_subnet_ids : var.public_subnets + nlb_subnets = var.private_nlb_enabled ? var.private_subnet_ids : var.public_subnets } # INGRESS-NGINX DATA SOURCE From 812a4371695e2cddad3de580a47b473d57808cf1 Mon Sep 17 00:00:00 2001 From: Monachawla1712 Date: Mon, 9 Dec 2024 18:58:07 +0530 Subject: [PATCH 3/5] correct public_subnet_ids variable --- examples/complete/main.tf | 2 +- main.tf | 4 ++-- modules/ingress-nginx/main.tf | 2 +- modules/ingress-nginx/variables.tf | 2 +- variables.tf | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 80dacda..89e532d 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -22,7 +22,7 @@ module "eks-addons" { tags = local.additional_tags vpc_id = "vpc-xxxxxx" # pass VPC ID private_subnet_ids = ["subnet-xxxxx", "subnet-xxxxx"] # pass Private Subnet IDs - public_subnets = ["subnet-xxxxx", "subnet-xxxxx"] # pass Public Subnet IDs + public_subnet_ids = ["subnet-xxxxx", "subnet-xxxxx"] # pass Public Subnet IDs environment = local.environment ipv6_enabled = local.ipv6_enabled kms_key_arn = local.kms_key_arn diff --git a/main.tf b/main.tf index 79b1e92..ebe252f 100644 --- a/main.tf +++ b/main.tf @@ -160,8 +160,8 @@ module "ingress-nginx" { ingress_class_name = var.private_nlb_enabled ? "internal-${var.ingress_nginx_config.ingress_class_name}" : var.ingress_nginx_config.ingress_class_name enable_service_monitor = var.ingress_nginx_config.enable_service_monitor private_subnet_ids = var.private_subnet_ids - public_subnets = var.public_subnets - nlb_subnets = var.private_nlb_enabled ? var.private_subnet_ids : var.public_subnets + public_subnet_ids = var.public_subnet_ids + nlb_subnets = var.private_nlb_enabled ? var.private_subnet_ids : var.public_subnet_ids } # INGRESS-NGINX DATA SOURCE diff --git a/modules/ingress-nginx/main.tf b/modules/ingress-nginx/main.tf index a69246d..75cdfbd 100644 --- a/modules/ingress-nginx/main.tf +++ b/modules/ingress-nginx/main.tf @@ -4,7 +4,7 @@ locals { template_path = "${path.module}/config/${var.ip_family == "ipv4" ? "ingress_nginx.yaml" : "ingress_nginx_ipv6.yaml"}" additional_tags = join(",", [for k, v in var.addon_context.tags : "${k}=${v}"]) - nlb_subnets = var.private_nlb_enabled ? var.private_subnet_ids : var.public_subnets + nlb_subnets = var.private_nlb_enabled ? var.private_subnet_ids : var.public_subnet_ids # Read module's template file template_values = templatefile(local.template_path, { 
diff --git a/modules/ingress-nginx/variables.tf b/modules/ingress-nginx/variables.tf index 88bc7c2..a85ca13 100644 --- a/modules/ingress-nginx/variables.tf +++ b/modules/ingress-nginx/variables.tf @@ -69,7 +69,7 @@ variable "private_subnet_ids" { description = "List of private subnet IDs" } -variable "public_subnets" { +variable "public_subnet_ids" { type = list(string) description = "List of public subnet IDs" } diff --git a/variables.tf b/variables.tf index 0a75fea..3c0341c 100644 --- a/variables.tf +++ b/variables.tf @@ -655,7 +655,7 @@ EOT # description = "List of private subnet IDs" # } -variable "public_subnets" { +variable "public_subnet_ids" { type = list(string) description = "List of public subnet IDs" } From baba10274b87900f1859bce3bf4574fb56c9f079 Mon Sep 17 00:00:00 2001 From: Monachawla1712 Date: Fri, 13 Dec 2024 12:56:06 +0530 Subject: [PATCH 4/5] Add private ALB support and subnet id support for NLB and ALB creation --- examples/complete/main.tf | 15 ++++- main.tf | 26 +++++++-- .../config/argocd-workflow.yaml | 2 +- modules/argocd-workflow/main.tf | 53 ++++++++++++++++++ modules/argocd-workflow/variable.tf | 21 +++++++ modules/argocd/config/values.yaml | 2 +- modules/argocd/main.tf | 56 +++++++++++++++++++ modules/argocd/variables.tf | 14 +++++ .../config/values.yaml | 3 + .../aws-load-balancer-controller/variables.tf | 16 ++++++ modules/ingress-nginx/main.tf | 4 +- modules/kubernetes-dashboard/main.tf | 5 +- modules/kubernetes-dashboard/variables.tf | 13 +++++ variables.tf | 43 ++++++++------ 14 files changed, 243 insertions(+), 30 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 89e532d..4c1133e 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -111,7 +111,7 @@ module "eks-addons" { ## INGRESS-NGINX ingress_nginx_enabled = false # to enable ingress nginx - private_nlb_enabled = false # to enable Internal (Private) Ingress , set this and ingress_nginx_enable "false" together + private_nlb_enabled = false # to enable Internal (Private) Ingress , set this and ingress_nginx_enable "false" together ingress_nginx_config = { values = [file("${path.module}/config/ingress-nginx.yaml")] enable_service_monitor = false # enable monitoring in nginx ingress @@ -120,7 +120,7 @@ module "eks-addons" { } ## AWS-APPLICATION-LOAD-BALANCER-CONTROLLER - aws_load_balancer_controller_enabled = false # to enable load balancer controller + aws_load_balancer_controller_enabled = false # to enable load balancer controller aws_load_balancer_controller_helm_config = { values = [file("${path.module}/config/aws-alb.yaml")] namespace = "alb" # enter namespace according to the requirement (example: "alb") @@ -133,6 +133,7 @@ module "eks-addons" { k8s_dashboard_ingress_load_balancer = "nlb" ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB. private_alb_enabled = false # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together alb_acm_certificate_arn = "" # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL. + ingress_class_name = "nginx" k8s_dashboard_hostname = "k8s-dashboard.rnd.squareops.in" # Enter Hostname } 
@@ -147,6 +148,10 @@ module "eks-addons" { slack_notification_token = "" argocd_notifications_enabled = false ingress_class_name = "nginx" # enter ingress class name according to your requirement (example: "ingress-nginx", "internal-ingress") + argocd_ingress_load_balancer = "alb" ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB. + private_alb_enabled = "false" # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together + alb_acm_certificate_arn = "" # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL. + } argoproject_config = { name = "argo-project" # enter name for aro-project appProjects @@ -160,6 +165,10 @@ module "eks-addons" { autoscaling_enabled = true hostname = "argocd-workflow.rnd.squareops.in" ingress_class_name = "nginx" # enter ingress class name according to your requirement (example: "ingress-nginx", "internal-ingress") + argoworkflow_ingress_load_balancer = "alb" ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB. + private_alb_enabled = "false" # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together + alb_acm_certificate_arn = "" # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL. + } # VELERO @@ -192,4 +201,4 @@ module "eks-addons" { ## FALCO falco_enabled = false # to enable falco slack_webhook = "xoxb-379541400966-iibMHnnoaPzVl" -} +} \ No newline at end of file diff --git a/main.tf b/main.tf index ebe252f..69372a8 100644 --- a/main.tf +++ b/main.tf @@ -144,7 +144,7 @@ module "external-secrets" { external_secrets_secrets_manager_arns = var.external_secrets_secrets_manager_arns } -## NGINX INGRESS +# NGINX INGRESS module "ingress-nginx" { source = "./modules/ingress-nginx" count = var.ingress_nginx_enabled ? 1 : 0 
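Review bot: `private_alb_enabled = "false"` is a string literal for a field that variables.tf declares as `bool`; Terraform will coerce it, but the example should show the typed form `private_alb_enabled = false` so readers do not copy the string into places where coercion does not help. The same hunk sets `argocd_ingress_load_balancer = "alb"` while the example above keeps `aws_load_balancer_controller_enabled = false`, so the Ingress these modules now create would have no controller to reconcile it and the `wait_for_load_balancer = true` on the new resource would likely stall the apply; either default the example to `"nlb"` or enable the controller in the same example. The `alb_acm_certificate_arn = ""` placeholder deserves a comment that the ALB path needs a real ACM ARN, since the module hard-codes an HTTPS-only listener.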
@@ -199,7 +199,9 @@ module "kubernetes-dashboard" { alb_acm_certificate_arn = var.kubernetes_dashboard_config.alb_acm_certificate_arn k8s_dashboard_ingress_load_balancer = var.kubernetes_dashboard_config.k8s_dashboard_ingress_load_balancer private_alb_enabled = var.kubernetes_dashboard_config.private_alb_enabled - ingress_class_name = var.private_nlb_enabled ? "internal-${var.ingress_nginx_config.ingress_class_name}" : var.ingress_nginx_config.ingress_class_name + ingress_class_name = var.kubernetes_dashboard_config == "alb" ? "alb" : (var.private_nlb_enabled ? "internal-nginx" : var.kubernetes_dashboard_config.ingress_class_name) + private_subnet_ids = var.private_subnet_ids + public_subnet_ids = var.public_subnet_ids } ## KEDA @@ -273,7 +275,7 @@ resource "kubernetes_namespace" "argocd" { } module "argocd" { source = "./modules/argocd" - depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx] + depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx,module.aws-load-balancer-controller] count = var.argocd_enabled ? 1 : 0 argocd_config = { hostname = var.argocd_config.hostname 
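Review bot: `var.kubernetes_dashboard_config == "alb"` compares the whole config object to a string, so the condition is never true (or, depending on Terraform's type conversion, fails at plan time) and the ALB branch of the dashboard's `ingress_class_name` is dead; the field being tested is `var.kubernetes_dashboard_config.k8s_dashboard_ingress_load_balancer`. With the current expression an ALB-backed dashboard gets a nginx class in `spec.ingress_class_name` while its annotations say `alb`, so two controllers disagree about who owns the Ingress. Change the line to `ingress_class_name = var.kubernetes_dashboard_config.k8s_dashboard_ingress_load_balancer == "alb" ? "alb" : (var.private_nlb_enabled ? "internal-${var.ingress_nginx_config.ingress_class_name}" : var.kubernetes_dashboard_config.ingress_class_name)` so the nginx branch also follows the class name the ingress-nginx module actually registers.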
@@ -282,22 +284,34 @@ module "argocd" { autoscaling_enabled = var.argocd_config.autoscaling_enabled slack_notification_token = var.argocd_config.slack_notification_token argocd_notifications_enabled = var.argocd_config.argocd_notifications_enabled - ingress_class_name = var.argocd_config.ingress_class_name + ingress_class_name = var.argocd_config.argocd_ingress_load_balancer == "alb" ? "alb" : (var.private_nlb_enabled ? "internal-nginx" : var.argocd_config.ingress_class_name) + argocd_ingress_load_balancer = var.argocd_config.argocd_ingress_load_balancer + private_alb_enabled = var.argocd_config.private_alb_enabled + alb_acm_certificate_arn = var.argocd_config.alb_acm_certificate_arn } + private_subnet_ids = var.private_subnet_ids + public_subnet_ids = var.public_subnet_ids namespace = var.argocd_config.namespace } # argo-workflow module "argocd-workflow" { source = "./modules/argocd-workflow" - depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx] + depends_on = [module.aws_vpc_cni, module.service-monitor-crd, kubernetes_namespace.argocd, module.ingress-nginx,module.aws-load-balancer-controller] count = var.argoworkflow_enabled ? 1 : 0 argoworkflow_config = { values = var.argoworkflow_config.values hostname = var.argoworkflow_config.hostname - ingress_class_name = var.argoworkflow_config.ingress_class_name + ingress_class_name = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? "alb" : (var.private_nlb_enabled ? 
"internal-nginx" : var.argoworkflow_config.ingress_class_name) + argoworkflow_ingress_load_balancer = var.argoworkflow_config.argoworkflow_ingress_load_balancer + private_alb_enabled = var.argoworkflow_config.private_alb_enabled + alb_acm_certificate_arn = var.argoworkflow_config.alb_acm_certificate_arn + + autoscaling_enabled = var.argoworkflow_config.autoscaling_enabled } + private_subnet_ids = var.private_subnet_ids + public_subnet_ids = var.public_subnet_ids namespace = var.argoworkflow_config.namespace } diff --git a/modules/argocd-workflow/config/argocd-workflow.yaml b/modules/argocd-workflow/config/argocd-workflow.yaml index d43e08c..4345c19 100644 --- a/modules/argocd-workflow/config/argocd-workflow.yaml +++ b/modules/argocd-workflow/config/argocd-workflow.yaml @@ -69,7 +69,7 @@ server: targetMemoryUtilizationPercentage: 70 ingress: - enabled: true + enabled: false ingressClassName: ${ingress_class_name} hosts: - ${ingress_host} diff --git a/modules/argocd-workflow/main.tf b/modules/argocd-workflow/main.tf index 51cb200..a71c7bf 100644 --- a/modules/argocd-workflow/main.tf +++ b/modules/argocd-workflow/main.tf @@ -1,4 +1,5 @@ locals { + alb_scheme = var.argoworkflow_config.private_alb_enabled ? "internal" : "internet-facing" template_path = "${path.module}/config/argocd-workflow.yaml" # read modules template file 
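Review bot: Both new `ingress_class_name` expressions fall back to the hard-coded literal `"internal-nginx"` when `private_nlb_enabled` is set, but the ingress-nginx module in this same file registers its class as `"internal-${var.ingress_nginx_config.ingress_class_name}"`, so any non-default nginx class name leaves Argo CD and Argo Workflows pointing at a class that does not exist and an Ingress no controller adopts. Compute the nginx class once, e.g. `nginx_ingress_class = var.private_nlb_enabled ? "internal-${var.ingress_nginx_config.ingress_class_name}" : var.ingress_nginx_config.ingress_class_name` in a `locals` block, and use it in both module calls instead of the literal. The `depends_on` additions are missing a space after the comma (`module.ingress-nginx,module.aws-load-balancer-controller`); `terraform fmt` will catch that.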
@@ -85,3 +86,55 @@ resource "kubernetes_secret" "argo_workflow_token_secret" { token = try(data.kubernetes_secret.argo-workflow-secret.data["token"], "") } } + +resource "kubernetes_ingress_v1" "argoworkflow-ingress" { + depends_on = [helm_release.argo_workflow] + wait_for_load_balancer = true + metadata { + name = "argoworkflow-ingress" + namespace = var.namespace + annotations = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? { + "kubernetes.io/ingress.class" = "alb" + "alb.ingress.kubernetes.io/scheme" = local.alb_scheme + "alb.ingress.kubernetes.io/target-type" = "ip" + "alb.ingress.kubernetes.io/certificate-arn" = var.argoworkflow_config.alb_acm_certificate_arn, + "alb.ingress.kubernetes.io/subnets" = local.alb_scheme == "internal" ? join(",", var.private_subnet_ids) : join(",", var.public_subnet_ids) + "alb.ingress.kubernetes.io/healthcheck-path" = "/" + "alb.ingress.kubernetes.io/healthcheck-protocol" = "HTTP" + "alb.ingress.kubernetes.io/backend-protocol" = "HTTP" + "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTPS\":443}]" + "alb.ingress.kubernetes.io/ssl-redirect" = "443" + "alb.ingress.kubernetes.io/group.name" = local.alb_scheme == "internet-facing" ? "public-alb-ingress" : "private-alb-ingress" + } : { + "cert-manager.io/cluster-issuer" = "letsencrypt-prod" + "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true" + "nginx.ingress.kubernetes.io/ssl-passthrough" = "true" + "kubernetes.io/ingress.class" = var.argoworkflow_config.ingress_class_name + "kubernetes.io/tls-acme" = "false" + } + } + spec { + ingress_class_name = var.argoworkflow_config.ingress_class_name + rule { + host = var.argoworkflow_config.hostname + http { + path { + path = "/" + path_type = "Prefix" + backend { + service { + name = "argo-workflow-argo-workflows-server" + port { + number = 2746 + } + } + } + } + } + } + tls { + secret_name = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? 
"" : "argoworkflow-server-tls" + hosts = var.argoworkflow_config.argoworkflow_ingress_load_balancer == "alb" ? [] : [var.argoworkflow_config.hostname] + } + } +} \ No newline at end of file diff --git a/modules/argocd-workflow/variable.tf b/modules/argocd-workflow/variable.tf index 626e7f5..f445005 100644 --- a/modules/argocd-workflow/variable.tf +++ b/modules/argocd-workflow/variable.tf @@ -18,6 +18,10 @@ variable "argoworkflow_config" { namespace = "" hostname = "" autoscaling_enabled = "true" + ingress_class_name = "" + argoworkflow_ingress_load_balancer = "nlb" + private_alb_enabled = false + alb_acm_certificate_arn = "" } description = "Specify the configuration settings for Argocd-Workflow, including the hostname, and custom YAML values." } @@ -27,3 +31,20 @@ variable "chart_version" { type = string description = "Argo workflow chart version" } + +variable "ingress_class_name" { + type = string + default = "nginx" + description = "Enter ingress class name which is created in EKS cluster" +} + +variable "public_subnet_ids" { + type = list(string) + description = "List of public subnet IDs" +} + +variable "private_subnet_ids" { + description = "Private subnets of the VPC which can be used by EFS" + default = [""] + type = list(string) +} diff --git a/modules/argocd/config/values.yaml b/modules/argocd/config/values.yaml index 44d0e81..8550dd2 100644 --- a/modules/argocd/config/values.yaml +++ b/modules/argocd/config/values.yaml @@ -102,7 +102,7 @@ server: targetMemoryUtilizationPercentage: 70 # Argo CD server ingress configuration ingress: - enabled: true + enabled: false annotations: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/force-ssl-redirect: "true" diff --git a/modules/argocd/main.tf b/modules/argocd/main.tf index 47dd882..51fac00 100644 --- a/modules/argocd/main.tf +++ b/modules/argocd/main.tf 
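Review bot: `alb.ingress.kubernetes.io/group.name` is set to the fixed value `public-alb-ingress` (or `private-alb-ingress`), the same names the kubernetes-dashboard module uses, so every Ingress in the cluster that declares that group is merged onto one shared ALB; unless the controller is restricted through IngressClassParams or RBAC on who may create Ingresses, a workload in another namespace can attach its own listener rules to the load balancer fronting Argo Workflows. Make the group name a module variable with a per-environment default and document that the merge is cluster-wide. The ALB branch sends `backend-protocol: HTTP` to port 2746 while the NLB branch sets `ssl-passthrough: "true"`, which presumes the server terminates TLS itself; both cannot be right for the same chart values, so confirm whether `server.secure` is disabled in argocd-workflow.yaml and align the backend and health-check protocol with it. The resource is also created unconditionally with `wait_for_load_balancer = true`, so an apply where neither ingress-nginx nor the load balancer controller is enabled will wait indefinitely for an address; a `count` keyed on the relevant flags is worth adding.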
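Review bot: `private_subnet_ids` defaults to `[""]`, a one-element list holding an empty string, so with `private_alb_enabled = true` the new annotation becomes `alb.ingress.kubernetes.io/subnets: ""` and the controller will either reject the Ingress or fall back to tag-based discovery, defeating the purpose of pinning subnets. Use `default = []` (or no default, as `public_subnet_ids` does) and add a `validation` that the list is non-empty whenever the internal scheme is selected. The description `Private subnets of the VPC which can be used by EFS` is copied from another module and should read `List of private subnet IDs used for internal load balancers`.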
@@ -1,3 +1,7 @@ +locals { + alb_scheme = var.argocd_config.private_alb_enabled ? "internal" : "internet-facing" +} + resource "helm_release" "argocd_deploy" { name = "argo-cd" chart = "argo-cd" 
@@ -26,3 +30,55 @@ data "kubernetes_secret" "argocd-secret" { namespace = var.namespace } } + +resource "kubernetes_ingress_v1" "argocd-ingress" { + depends_on = [helm_release.argocd_deploy] + wait_for_load_balancer = true + metadata { + name = "argocd-ingress" + namespace = var.namespace + annotations = var.argocd_config.argocd_ingress_load_balancer == "alb" ? { + "kubernetes.io/ingress.class" = "alb" + "alb.ingress.kubernetes.io/scheme" = local.alb_scheme + "alb.ingress.kubernetes.io/target-type" = "ip" + "alb.ingress.kubernetes.io/certificate-arn" = var.argocd_config.alb_acm_certificate_arn, + "alb.ingress.kubernetes.io/subnets" = local.alb_scheme == "internal" ? join(",", var.private_subnet_ids) : join(",", var.public_subnet_ids) + "alb.ingress.kubernetes.io/healthcheck-path" = "/healthz" + "alb.ingress.kubernetes.io/healthcheck-protocol" = "HTTP" + "alb.ingress.kubernetes.io/backend-protocol" = "HTTP" + "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTPS\":443}]" + "alb.ingress.kubernetes.io/ssl-redirect" = "443" + "alb.ingress.kubernetes.io/group.name" = local.alb_scheme == "internet-facing" ? "public-alb-ingress" : "private-alb-ingress" + } : { + "cert-manager.io/cluster-issuer" = "letsencrypt-prod" + "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true" + "nginx.ingress.kubernetes.io/ssl-passthrough" = "true" + "kubernetes.io/ingress.class" = var.argocd_config.ingress_class_name + "kubernetes.io/tls-acme" = "false" + } + } + spec { + ingress_class_name = var.argocd_config.ingress_class_name + rule { + host = var.argocd_config.hostname + http { + path { + path = "/" + path_type = "Prefix" + backend { + service { + name = "argo-cd-argocd-server" + port { + number = 80 + } + } + } + } + } + } + tls { + secret_name = var.argocd_config.argocd_ingress_load_balancer == "alb" ? "" : "argocd-server-tls" + hosts = var.argocd_config.argocd_ingress_load_balancer == "alb" ? [] : [var.argocd_config.hostname] + } + } +} \ No newline at end of file 
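Review bot: The NLB branch requests `argocd-server-tls` from cert-manager via `cert-manager.io/cluster-issuer` and lists it in `tls`, yet also sets `nginx.ingress.kubernetes.io/ssl-passthrough: "true"`; if the controller runs with `--enable-ssl-passthrough` the issued certificate is never served and clients see whatever certificate Argo CD's own server presents, and if it does not, the annotation is a no-op, so the two settings cannot both be intended. Pick one model: passthrough with no cert-manager annotations and no `secret_name`, or TLS termination at nginx with `ssl-passthrough` removed and the Argo CD server run in insecure mode behind it. The ALB branch writes `alb.ingress.kubernetes.io/certificate-arn` from `var.argocd_config.alb_acm_certificate_arn`, whose default is `""`, against a listener fixed to `[{"HTTPS":443}]`; add a `lifecycle { precondition }` requiring a non-empty ARN whenever `argocd_ingress_load_balancer == "alb"` so the failure surfaces at plan time rather than as a controller event. The `tls { secret_name = "" hosts = [] }` emitted on the ALB path adds an entry with no secret and no hosts; a `dynamic "tls"` block gated on the NLB case removes it.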
diff --git a/modules/argocd/variables.tf b/modules/argocd/variables.tf index 4ae800c..3b9f9ef 100644 --- a/modules/argocd/variables.tf +++ b/modules/argocd/variables.tf @@ -8,6 +8,9 @@ variable "argocd_config" { slack_notification_token = "" argocd_notifications_enabled = false ingress_class_name = "" + argocd_ingress_load_balancer = "nlb" + private_alb_enabled = false + alb_acm_certificate_arn = "" } description = "Specify the configuration settings for Argocd, including the hostname, redis_ha_enabled, autoscaling, notification settings, and custom YAML values." } @@ -29,3 +32,14 @@ variable "ingress_class_name" { default = "nginx" description = "Enter ingress class name which is created in EKS cluster" } + +variable "public_subnet_ids" { + type = list(string) + description = "List of public subnet IDs" +} + +variable "private_subnet_ids" { + description = "Private subnets of the VPC which can be used by EFS" + default = [""] + type = list(string) +} diff --git a/modules/aws-load-balancer-controller/config/values.yaml b/modules/aws-load-balancer-controller/config/values.yaml index f6af120..e1e926b 100644 --- a/modules/aws-load-balancer-controller/config/values.yaml +++ b/modules/aws-load-balancer-controller/config/values.yaml @@ -12,3 +12,6 @@ ingressClassParams: enableServiceMutatorWebhook: false nameOverride: ${load_balancer_controller_name} + +# disableIngressClassAnnotation: + diff --git a/modules/aws-load-balancer-controller/variables.tf b/modules/aws-load-balancer-controller/variables.tf index 5e70e20..6bb7c06 100644 --- a/modules/aws-load-balancer-controller/variables.tf +++ b/modules/aws-load-balancer-controller/variables.tf 
@@ -39,3 +39,19 @@ variable "namespace" { type = string default = "kube-system" } + +# variable "public_subnet_ids" { +# type = list(string) +# description = "List of public subnet IDs" +# } + +# variable "private_alb_enabled" { +# description = "Control wheather to install public nlb or private nlb. Default is private" +# type = bool +# default = false +# } + +# variable "private_subnet_ids" { +# type = list(string) +# description = "List of private subnet IDs" +# } \ No newline at end of file diff --git a/modules/ingress-nginx/main.tf b/modules/ingress-nginx/main.tf index 75cdfbd..7aa16eb 100644 --- a/modules/ingress-nginx/main.tf +++ b/modules/ingress-nginx/main.tf @@ -20,8 +20,6 @@ locals { template_values_map = yamldecode(local.template_values) } -# Namespace creation - resource "kubernetes_namespace" "this" { count = try(var.helm_config.create_namespace, true) && local.namespace != "kube-system" ? 1 : 0 metadata { @@ -47,3 +45,5 @@ module "helm_addon" { manage_via_gitops = var.manage_via_gitops addon_context = var.addon_context } + + diff --git a/modules/kubernetes-dashboard/main.tf b/modules/kubernetes-dashboard/main.tf index 0ed0715..a7f0a27 100644 --- a/modules/kubernetes-dashboard/main.tf +++ b/modules/kubernetes-dashboard/main.tf 
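Review bot: The hunk adds three fully commented-out `variable` blocks (`public_subnet_ids`, `private_alb_enabled`, `private_subnet_ids`) that nothing references; dead declarations in a module's variables.tf read as an unfinished interface and will mislead the next person wiring subnet inputs into this module. Either wire them up or drop them and keep the subnet inputs in the ingress modules where they are consumed. If they stay, fix the typo in `Control wheather to install public nlb or private nlb` and correct `Default is private`, since `false` resolves to the `internet-facing` scheme in the modules that use this flag.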
@@ -26,14 +26,16 @@ resource "kubernetes_ingress_v1" "k8s-ingress" { namespace = "kubernetes-dashboard" annotations = var.k8s_dashboard_ingress_load_balancer == "alb" ? { "kubernetes.io/ingress.class" = "alb" - "alb.ingress.kubernetes.io/scheme" = local.alb_scheme "alb.ingress.kubernetes.io/target-type" = "ip" "alb.ingress.kubernetes.io/certificate-arn" = var.alb_acm_certificate_arn, + "alb.ingress.kubernetes.io/scheme" = local.alb_scheme + "alb.ingress.kubernetes.io/subnets" = local.alb_scheme == "internal" ? join(",", var.private_subnet_ids) : join(",", var.public_subnet_ids) "alb.ingress.kubernetes.io/healthcheck-path" = "/" "alb.ingress.kubernetes.io/healthcheck-protocol" = "HTTPS" "alb.ingress.kubernetes.io/backend-protocol" = "HTTPS" "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTPS\":443}]" "alb.ingress.kubernetes.io/ssl-redirect" = "443" + "alb.ingress.kubernetes.io/group.name" = local.alb_scheme == "internet-facing" ? "public-alb-ingress" : "private-alb-ingress" } : { "cert-manager.io/cluster-issuer" = "letsencrypt-prod" "kubernetes.io/ingress.class" = var.ingress_class_name @@ -48,6 +50,7 @@ resource "kubernetes_ingress_v1" "k8s-ingress" { } } spec { + ingress_class_name = var.ingress_class_name rule { host = var.k8s_dashboard_hostname http { diff --git a/modules/kubernetes-dashboard/variables.tf b/modules/kubernetes-dashboard/variables.tf index 565dfb0..2841b00 100644 --- a/modules/kubernetes-dashboard/variables.tf +++ b/modules/kubernetes-dashboard/variables.tf @@ -27,3 +27,16 @@ variable "private_alb_enabled" { type = bool default = false } + + +variable "public_subnet_ids" { + type = list(string) + description = "List of public subnet IDs" +} + +variable "private_subnet_ids" { + description = "Private subnets of the VPC which can be used by EFS" + default = [""] + type = list(string) +} + diff --git a/variables.tf b/variables.tf index 3c0341c..5933229 100644 --- a/variables.tf +++ b/variables.tf 
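Review bot: The new `ingress_class_name = var.ingress_class_name` in `spec` sits beside the existing `kubernetes.io/ingress.class` annotation, which is `"alb"` on the ALB branch but `var.ingress_class_name` on the nginx branch, so the two class signals disagree whenever the root passes a nginx class name together with `k8s_dashboard_ingress_load_balancer = "alb"`; as far as I recall the AWS Load Balancer Controller gives the annotation precedence unless `disableIngressClassAnnotation` is set, while ingress-nginx consults `spec.ingressClassName`, so a mismatch can have two controllers both claim, or both ignore, the dashboard Ingress. Derive `spec.ingress_class_name` from the same conditional as the annotation, e.g. `ingress_class_name = var.k8s_dashboard_ingress_load_balancer == "alb" ? "alb" : var.ingress_class_name`, and plan to retire the deprecated annotation once that is in place. The move of `alb.ingress.kubernetes.io/scheme` below `certificate-arn` is cosmetic; the `subnets` annotation is the substantive change and inherits the `[""]` default problem from `private_subnet_ids` in this module's variables.tf.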
@@ -501,6 +501,7 @@ variable "kubernetes_dashboard_config" { alb_acm_certificate_arn = string k8s_dashboard_hostname = string private_alb_enabled = bool + ingress_class_name = string }) default = { @@ -508,6 +509,7 @@ variable "kubernetes_dashboard_config" { alb_acm_certificate_arn = "" k8s_dashboard_hostname = "" private_alb_enabled = false + ingress_class_name = "nginx" } } @@ -525,6 +527,9 @@ variable "argocd_config" { autoscaling_enabled = bool slack_notification_token = string argocd_notifications_enabled = bool + argocd_ingress_load_balancer = string + private_alb_enabled = bool + alb_acm_certificate_arn = string ingress_class_name = string namespace = string }) @@ -536,7 +541,10 @@ variable "argocd_config" { autoscaling_enabled = false slack_notification_token = "" argocd_notifications_enabled = false - ingress_class_name = "" + argocd_ingress_load_balancer = "nlb" + private_alb_enabled = false + alb_acm_certificate_arn = "" + ingress_class_name = "nginx" namespace = "argocd" } } @@ -549,19 +557,25 @@ variable "argoworkflow_enabled" { variable "argoworkflow_config" { type = object({ - values = any - namespace = string - hostname = string - ingress_class_name = string - autoscaling_enabled = bool + values = any + namespace = string + hostname = string + ingress_class_name = string + autoscaling_enabled = bool + argoworkflow_ingress_load_balancer = string + private_alb_enabled = bool + alb_acm_certificate_arn = string }) default = { - values = {} - namespace = "argocd" - hostname = "" - ingress_class_name = "" - autoscaling_enabled = true + values = {} + namespace = "argocd" + hostname = "" + ingress_class_name = "" + autoscaling_enabled = true + argoworkflow_ingress_load_balancer = "nlb" + private_alb_enabled = false + alb_acm_certificate_arn = "" } } 
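Review bot: `argocd_ingress_load_balancer` and `argoworkflow_ingress_load_balancer` are declared as plain `string` with default `"nlb"`, and the consuming expressions in main.tf only test `== "alb"`, so a typo such as `"ALB"` or `"elb"` silently takes the nginx path with `alb_acm_certificate_arn` ignored. Add a `validation` block on each object variable asserting `contains(["nlb", "alb"], var.argocd_config.argocd_ingress_load_balancer)` with a clear `error_message`, and the same for `k8s_dashboard_ingress_load_balancer`. A second validation that `alb_acm_certificate_arn != ""` when the value is `"alb"` would surface a missing certificate at plan time instead of leaving an HTTPS-only ALB without one.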
@@ -650,14 +664,11 @@ EOT default = [] # Default to an empty list to ensure optional usage } -# variable "private_subnet_ids" { -# type = list(string) -# description = "List of private subnet IDs" -# } - variable "public_subnet_ids" { type = list(string) description = "List of public subnet IDs" } + + From 33a49c20e5a85adab1238e373acab1b6eda4d26c Mon Sep 17 00:00:00 2001 From: Monachawla1712 Date: Fri, 13 Dec 2024 13:09:05 +0530 Subject: [PATCH 5/5] Updated nginx --- examples/complete/main.tf | 2 +- variables.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 4c1133e..3e23bba 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -133,7 +133,7 @@ module "eks-addons" { k8s_dashboard_ingress_load_balancer = "nlb" ##Choose your load balancer type (e.g., NLB or ALB). Enable load balancer controller, if you require ALB, Enable Ingress Nginx if NLB. private_alb_enabled = false # to enable Internal (Private) ALB , set this and aws_load_balancer_controller_enabled "true" together alb_acm_certificate_arn = "" # If using ALB in above parameter, ensure you provide the ACM certificate ARN for SSL. - ingress_class_name = "nginx" + ingress_class_name = "nginx" # enter ingress class name according to your requirement (example: "nginx", "internal-ingress") k8s_dashboard_hostname = "k8s-dashboard.rnd.squareops.in" # Enter Hostname } diff --git a/variables.tf b/variables.tf index 5933229..0ef1ea7 100644 --- a/variables.tf +++ b/variables.tf @@ -509,7 +509,7 @@ variable "kubernetes_dashboard_config" { alb_acm_certificate_arn = "" k8s_dashboard_hostname = "" private_alb_enabled = false - ingress_class_name = "nginx" + ingress_class_name = "" } } @@ -544,7 +544,7 @@ variable "argocd_config" { argocd_ingress_load_balancer = "nlb" private_alb_enabled = false alb_acm_certificate_arn = "" - ingress_class_name = "nginx" + ingress_class_name = "" namespace = "argocd" } }
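Review bot: Reverting the `ingress_class_name` defaults to `""` for `kubernetes_dashboard_config` and `argocd_config` means that, with the default `"nlb"` load-balancer choice and `private_nlb_enabled = false`, the expressions in main.tf pass an empty class name to the dashboard and Argo CD ingresses, which then carry `ingressClassName: ""` and an empty `kubernetes.io/ingress.class` annotation that no controller adopts. Either keep a default that matches the ingress-nginx module (`"nginx"`, the value the example uses) or treat `""` as "use the class ingress-nginx created", e.g. `coalesce(var.argocd_config.ingress_class_name, var.ingress_nginx_config.ingress_class_name)` in the module call. The comment added to the example in this same patch (`enter ingress class name according to your requirement`) suggests a non-empty value is expected, so the default should say so too.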