From 8a06a6e7006e4bed5630bd49c7434d76c59e0b5e Mon Sep 17 00:00:00 2001 
From: Bryant Biggs Date: Mon, 5 Jun 2023 17:08:14 -0400 Subject: [PATCH] fix: Localize partner addons to remove cyclical/dynamic link pointed at `main` (#1634) --- .github/workflows/plan-examples.yml | 1 + .github/workflows/pre-commit.yml | 1 + .pre-commit-config.yaml | 2 +- modules/kubernetes-addons/README.md | 4 +- modules/kubernetes-addons/main.tf | 16 +-- modules/kubernetes-addons/portworx/README.md | 3 + modules/kubernetes-addons/portworx/locals.tf | 86 ++++++++++++ modules/kubernetes-addons/portworx/main.tf | 7 + modules/kubernetes-addons/portworx/outputs.tf | 0 .../kubernetes-addons/portworx/values.yaml | 123 ++++++++++++++++++ .../kubernetes-addons/portworx/variables.tf | 11 ++ .../kubernetes-addons/portworx/versions.tf | 18 +++ modules/kubernetes-addons/sysdig/README.md | 3 + modules/kubernetes-addons/sysdig/locals.tf | 27 ++++ modules/kubernetes-addons/sysdig/main.tf | 7 + modules/kubernetes-addons/sysdig/outputs.tf | 4 + .../sysdig/values-sysdig.yaml | 17 +++ modules/kubernetes-addons/sysdig/variables.tf | 35 +++++ modules/kubernetes-addons/sysdig/versions.tf | 14 ++ 19 files changed, 366 insertions(+), 13 deletions(-) create mode 100644 modules/kubernetes-addons/portworx/README.md create mode 100644 modules/kubernetes-addons/portworx/locals.tf create mode 100644 modules/kubernetes-addons/portworx/main.tf create mode 100644 modules/kubernetes-addons/portworx/outputs.tf create mode 100644 modules/kubernetes-addons/portworx/values.yaml create mode 100644 modules/kubernetes-addons/portworx/variables.tf create mode 100644 modules/kubernetes-addons/portworx/versions.tf create mode 100644 modules/kubernetes-addons/sysdig/README.md create mode 100644 modules/kubernetes-addons/sysdig/locals.tf create mode 100644 modules/kubernetes-addons/sysdig/main.tf create mode 100644 modules/kubernetes-addons/sysdig/outputs.tf create mode 100644 modules/kubernetes-addons/sysdig/values-sysdig.yaml create mode 100644 modules/kubernetes-addons/sysdig/variables.tf create mode 
100644 modules/kubernetes-addons/sysdig/versions.tf diff --git a/.github/workflows/plan-examples.yml b/.github/workflows/plan-examples.yml index c28e77ca89..60d02b36e3 100644 --- a/.github/workflows/plan-examples.yml +++ b/.github/workflows/plan-examples.yml @@ -5,6 +5,7 @@ on: pull_request_target: branches: - main + - v4 workflow_dispatch: concurrency: diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 4e4ac382d1..137a7efa27 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -4,6 +4,7 @@ on: pull_request: branches: - main + - v4 paths: - '**.tf' - '**.yml' diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1adb378661..cc20962986 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -10,7 +10,7 @@ repos: - id: detect-aws-credentials args: ['--allow-missing-credentials'] - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.78.0 + rev: v1.80.0 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md index 58cdcff208..e062865cf3 100644 --- a/modules/kubernetes-addons/README.md +++ b/modules/kubernetes-addons/README.md @@ -74,7 +74,7 @@ | [nvidia\_device\_plugin](#module\_nvidia\_device\_plugin) | ./nvidia-device-plugin | n/a | | [ondat](#module\_ondat) | ./ondat | n/a | | [opentelemetry\_operator](#module\_opentelemetry\_operator) | ./opentelemetry-operator | n/a | -| [portworx](#module\_portworx) | portworx/portworx-addon/eksblueprints | 0.0.6 | +| [portworx](#module\_portworx) | ./portworx | n/a | | [prometheus](#module\_prometheus) | ./prometheus | n/a | | [promtail](#module\_promtail) | ./promtail | n/a | | [reloader](#module\_reloader) | ./reloader | n/a | 
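Review bot: The `pull_request_target:` trigger now also fires for pull requests whose base branch is `v4`, and since that event runs with the base repository's token and secrets, whatever guard the jobs apply for `main` (not handing the job's credentials to a checked-out PR head, or gating on a label/approval) has to hold for the new branch as well; the job definitions that would show this are outside the hunk, and the enclosing `on:` block starts before it. The parallel `- v4` addition in `.github/workflows/pre-commit.yml` uses the plain `pull_request` event and does not carry this concern. A short comment next to the branch list, e.g. `# pull_request_target: runs with base-repo secrets, keep the untrusted-head guard for every branch listed here`, would make the constraint visible to the next person extending it.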
@@ -83,7 +83,7 @@ | [spark\_history\_server](#module\_spark\_history\_server) | ./spark-history-server | n/a | | [spark\_k8s\_operator](#module\_spark\_k8s\_operator) | ./spark-k8s-operator | n/a | | [strimzi\_kafka\_operator](#module\_strimzi\_kafka\_operator) | ./strimzi-kafka-operator | n/a | -| [sysdig\_agent](#module\_sysdig\_agent) | sysdiglabs/sysdig-addon/eksblueprints | 0.0.3 | +| [sysdig\_agent](#module\_sysdig\_agent) | ./sysdig | n/a | | [tetrate\_istio](#module\_tetrate\_istio) | ./tetrate-istio | n/a | | [thanos](#module\_thanos) | ./thanos | n/a | | [traefik](#module\_traefik) | ./traefik | n/a | diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf index 62080c9e4d..2fee971912 100644 --- a/modules/kubernetes-addons/main.tf +++ b/modules/kubernetes-addons/main.tf @@ -389,12 +389,14 @@ module "kube_prometheus_stack" { } module "portworx" { - count = var.enable_portworx ? 1 : 0 - source = "portworx/portworx-addon/eksblueprints" - version = "0.0.6" + source = "./portworx" + + count = var.enable_portworx ? 1 : 0 + helm_config = var.portworx_helm_config addon_context = local.addon_context } + module "prometheus" { count = var.enable_prometheus ? 1 : 0 source = "./prometheus" @@ -441,8 +443,7 @@ module "strimzi_kafka_operator" { } module "sysdig_agent" { - source = "sysdiglabs/sysdig-addon/eksblueprints" - version = "0.0.3" + source = "./sysdig" count = var.enable_sysdig_agent ? 1 : 0 helm_config = var.sysdig_agent_helm_config @@ -450,11 +451,6 @@ module "sysdig_agent" { } module "tetrate_istio" { - # source = "tetratelabs/tetrate-istio-addon/eksblueprints" - # version = "0.0.7" - - # TODO - remove local source and revert to remote once - # https://github.com/tetratelabs/terraform-eksblueprints-tetrate-istio-addon/pull/12 is merged source = "./tetrate-istio" count = var.enable_tetrate_istio ? 1 : 0 
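Review bot: Replacing `version = "0.0.6"` with `source = "./portworx"` (and `version = "0.0.3"` with `source = "./sysdig"` in the `sysdig_agent` hunk further down this file) drops the only record of which upstream release was vendored, and the new README files only say "Local copy of <repo>". A one-line provenance comment next to each local source, e.g. `source = "./portworx" # vendored from portworx/portworx-addon/eksblueprints, presumably the 0.0.6 release`, would let a later maintainer diff the copy against upstream and decide when to re-sync it. The removal of the stale tetrate-istio TODO in the third hunk is fine as is.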
diff --git a/modules/kubernetes-addons/portworx/README.md b/modules/kubernetes-addons/portworx/README.md new file mode 100644 index 0000000000..f1994d004a --- /dev/null +++ b/modules/kubernetes-addons/portworx/README.md @@ -0,0 +1,3 @@ +# Portworx add-on for EKS Blueprints + +Local copy of https://github.com/portworx/terraform-eksblueprints-portworx-addon diff --git a/modules/kubernetes-addons/portworx/locals.tf b/modules/kubernetes-addons/portworx/locals.tf new file mode 100644 index 0000000000..7e3bbb85be --- /dev/null +++ b/modules/kubernetes-addons/portworx/locals.tf 
@@ -0,0 +1,86 @@ +resource "random_string" "id" { + length = 4 + special = false + upper = false +} + +locals { + name = "portworx-${random_string.id.result}" + namespace = "kube-system" + service_account_name = "${local.name}-sa-${random_string.id.result}" + + aws_marketplace_config = try(var.helm_config["set"][index(var.helm_config.set[*].name, "aws.marketplace")], null) + use_aws_marketplace = local.aws_marketplace_config != null ? local.aws_marketplace_config["value"] : false + + default_helm_config = { + name = local.name + description = "A Helm chart for portworx" + chart = "portworx" + repository = "https://raw.githubusercontent.com/portworx/eks-blueprint-helm/main/repo/stable" + version = "2.11.0" + namespace = local.namespace + values = local.default_helm_values + } + + helm_config = merge( + local.default_helm_config, + var.helm_config + ) + + irsa_iam_policies_list = local.use_aws_marketplace != false ? [aws_iam_policy.portworx_eksblueprint_metering[0].arn] : [] + + irsa_config = { + create_kubernetes_namespace = false + kubernetes_namespace = local.namespace + create_kubernetes_service_account = true + kubernetes_service_account = local.service_account_name + irsa_iam_policies = local.irsa_iam_policies_list + } + + default_helm_values = [templatefile("${path.module}/values.yaml", { + imageVersion = "2.11.0" + clusterName = local.name + drives = "type=gp2,size=200" + useInternalKVDB = true + kvdbDevice = "type=gp2,size=150" + envVars = "" + maxStorageNodesPerZone = 3 + useOpenshiftInstall = false + etcdEndPoint = "" + dataInterface = "" + managementInterface = "" + useStork = true + storkVersion = "2.11.0" + customRegistryURL = "" + registrySecret = "" + licenseSecret = "" + monitoring = false + enableCSI = false + enableAutopilot = false + KVDBauthSecretName = "" + eksServiceAccount = local.service_account_name + awsAccessKeyId = "" + awsSecretAccessKey = "" + deleteType = "UninstallAndWipe" + } + )] +} + +resource "aws_iam_policy" 
"portworx_eksblueprint_metering" { + count = try(local.use_aws_marketplace, false) ? 1 : 0 + name = "portworx_eksblueprint_metering-${random_string.id.result}" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "aws-marketplace:MeterUsage", + "aws-marketplace:RegisterUsage" + ], + Effect = "Allow", + Resource = "*" + }, + ] + }) +} diff --git a/modules/kubernetes-addons/portworx/main.tf b/modules/kubernetes-addons/portworx/main.tf new file mode 100644 index 0000000000..e764030b4b --- /dev/null +++ b/modules/kubernetes-addons/portworx/main.tf @@ -0,0 +1,7 @@ +module "helm_addon" { + source = "../helm-addon" + + addon_context = var.addon_context + helm_config = local.helm_config + irsa_config = local.irsa_config +} diff --git a/modules/kubernetes-addons/portworx/outputs.tf b/modules/kubernetes-addons/portworx/outputs.tf new file mode 100644 index 0000000000..e69de29bb2 diff --git a/modules/kubernetes-addons/portworx/values.yaml b/modules/kubernetes-addons/portworx/values.yaml new file mode 100644 index 0000000000..230e207ce1 --- /dev/null +++ b/modules/kubernetes-addons/portworx/values.yaml 
@@ -0,0 +1,123 @@ +# Please uncomment and specify values for these options as per your requirements. + +deployOperator: true # Deploy the Portworx operator +deployCluster: true # Deploy the Portworx cluster + +imageVersion: ${imageVersion} # Version of the PX Image. +pxOperatorImageVersion: 1.9.0 # Version of the PX operator image. + +openshiftInstall: ${useOpenshiftInstall} # Defaults to false for installing Portworx on Openshift . +isTargetOSCoreOS: false # Is your target OS CoreOS? Defaults to false. +pksInstall: false # installation on PKS (Pivotal Container Service) +EKSInstall: true # installation on EKS. +AKSInstall: false # installation on AKS +etcdEndPoint: ${etcdEndPoint} # The ETCD endpoint. Should be in the format etcd:http://:2379. If there are multiple etcd endpoints they need to be ";" seperated. + # the default value is empty since it requires to be explicity set using either the --set option of -f values.yaml. +clusterName: ${clusterName} # This is the default. please change it to your cluster name. +usefileSystemDrive: false # true/false Instructs PX to use an unmounted Drive even if it has a filesystem. +usedrivesAndPartitions: false # Defaults to false. Change to true and PX will use unmounted drives and partitions. +drives: ${drives} # NOTE: This is a ";" seperated list of drives. For eg: "/dev/sda;/dev/sdb;/dev/sdc" or + # "type=gp2,size=200;type=gp3,size=500". Defaults to use -A switch. +journalDevice: +maxStorageNodesPerZone: ${maxStorageNodesPerZone} # The maximum number of storage nodes desired per zone, in case of cloud drive provisioning + +secretType: k8s # Defaults to k8s, but can be kvdb/k8s/aws-kms/vault/ibm-kp. It is autopopulated to ibm-kp + # if the environment is IKS. + +dataInterface: ${dataInterface} # Name of the interface +managementInterface: none # Name of the interface +serviceType: none # Kubernetes service type for services deployed by the Operator. 
Direct Values like + # 'LoadBalancer', 'NodePort' will change all services. To change the types of specific + # services, value can be specified as 'portworx-service:LoadBalancer;portworx-api:ClusterIP' + +envVars: ${envVars} # DEPRECATED: Use envs section to set env variables + # NOTE: This is a ";" seperated list of environment variables. + # For eg: MYENV1=myvalue1;MYENV2=myvalue2 + +envs: # Add environment variables to the Portworx container in all Kubernetes supported formats + # - name: AWS_CA_BUNDLE + # value: "/etc/pwx/objectstore-cert/objectstore.pem" + # - name: AWS_ACCESS_KEY_ID + # valueFrom: + # secretKeyRef: + # name: aws-creds + # key: access-key + +miscArgs: none # Miscellaneous arguments that will be passed to portworx verbatim. Only use this if there is + # no equivalent way to specify these options directly via a StorageCluster spec field. + +disableStorageClass: false # Instructs Operator to not install the default Portworx StorageClasses. + +stork: ${useStork} # Use Stork https://docs.portworx.com/scheduler/kubernetes/stork.html for hyperconvergence. +storkVersion: ${storkVersion} # Optional: version of Stork. For eg: 2.7.0, when it's empty Portworx operator will pick up + # version according to Portworx version. + +storkSpec: # Optional Stork configurations + args: # Pass arguments to Stork container. Example: verbose='true';webhook-controller='false' + volumes: # Add volumes to Stork container. Refer the top level volumes for schema. 
+ +customRegistryURL: ${customRegistryURL} #Url wherre to pull Portworx image from +registrySecret: ${registrySecret} #Image registery credentials to pull Portworx Images from a secure registry +licenseSecret: ${licenseSecret} #Kubernetes secret name that has Portworx licensing information + +monitoring: ${monitoring} + +deployOnMaster: false # For POC only +csi: ${enableCSI} # Enable CSI +aut: ${enableAutopilot} # Enable AutoPilot + + +internalKVDB: ${useInternalKVDB} # internal KVDB +kvdbDevice: ${kvdbDevice} # specify a separate device to store KVDB data, only used when internalKVDB is set to true + +etcd: # DEPRECATED: Use kvdb.authSecretName for configuring secure etcd + credentials: none:none # Username and password for ETCD authentication in the form user:password + certPath: none # Base path where the certificates are placed. (example: if the certificates ca,crt and the key are in /etc/pwx/etcdcerts the value should be provided as /etc/pwx/etcdcerts) + ca: none # Location of CA file for ETCD authentication. Should be /path/to/server.ca + cert: none # Location of certificate for ETCD authentication. Should be /path/to/server.crt + key: none # Location of certificate key for ETCD authentication Should be /path/to/servery.key + +consul: # DEPRECATED: Use kvdb.authSecretName for configuring secure consul + token: none # ACL token value used for Consul authentication. (example: 398073a8-5091-4d9c-871a-bbbeb030d1f6) + +kvdb: + authSecretName: ${KVDBauthSecretName} # Refer https://docs.portworx.com/reference/etcd/#securing-with-certificates-in-kubernetes to + # create a kvdb secret and specify the name of the secret here + +volumes: # Add volumes to Portworx container. 
Supported volume types: Host, Secret, ConfigMap + # - name: objectstore-cert + # mountPath: /etc/pwx/objectstore-cert + # secret: + # secretName: objectstore-cert + # items: + # - key: objectstore.pem + # path: objectstore.pem + +tolerations: # Add tolerations + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + +serviceAccount: + hook: + create: true + name: + +aws: + marketplace: + eksServiceAccount: ${eksServiceAccount} + accessKeyId: ${awsAccessKeyId} + secretAccessKey: ${awsSecretAccessKey} + +deleteType: ${deleteType} + +clusterToken: + create: true # Create cluster token + secretName: px-vol-encryption # Name of kubernetes secret to be created. Requires clusterToken.create to be true. + serviceAccountName: px-create-cluster-token # Service account name to use for post-install hook to create cluster token + +#requirePxEnabledTag: true # if set to true, portworx will only install on nodes with px/enabled: true label. Not required in most scenarios. + +deleteStrategy: # Optional: Delete strategy for the portworx cluster + type: # Valid values: Uninstall, UninstallAndWipe diff --git a/modules/kubernetes-addons/portworx/variables.tf b/modules/kubernetes-addons/portworx/variables.tf new file mode 100644 index 0000000000..9c99f07327 --- /dev/null +++ b/modules/kubernetes-addons/portworx/variables.tf @@ -0,0 +1,11 @@ +variable "helm_config" { + description = "Helm chart config. Repository and version required. See https://registry.terraform.io/providers/hashicorp/helm/latest/docs" + type = any + default = {} +} + +variable "addon_context" { + description = "Input configuration for the addon" + type = any + default = {} +} diff --git a/modules/kubernetes-addons/portworx/versions.tf b/modules/kubernetes-addons/portworx/versions.tf new file mode 100644 index 0000000000..4ec4fc423b --- /dev/null +++ b/modules/kubernetes-addons/portworx/versions.tf 
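Review bot: The `aws.marketplace.accessKeyId` and `secretAccessKey` fields are plumbed through as `${awsAccessKeyId}` / `${awsSecretAccessKey}`, and the `templatefile` call in `locals.tf` fixes both to empty strings, so metering looks intended to run through the IRSA service account named in `eksServiceAccount` rather than static keys. A comment on those two lines saying so, e.g. `# intentionally empty: marketplace metering uses the IRSA service account above; static keys here would land in the Helm release secret and Terraform state`, would stop a later change from wiring long-lived credentials into Helm values. Several inherited comments in this file also carry typos (`seperated`, `wherre`, `registery`) that could be fixed while the copy is being taken.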
@@ -0,0 +1,18 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.67" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.10" + } + random = { + source = "hashicorp/random" + version = ">= 3.0" + } + } +} diff --git a/modules/kubernetes-addons/sysdig/README.md b/modules/kubernetes-addons/sysdig/README.md new file mode 100644 index 0000000000..042c8ea6a5 --- /dev/null +++ b/modules/kubernetes-addons/sysdig/README.md @@ -0,0 +1,3 @@ +# Sysdig Addon for EKS Blueprints + +Locally copy of https://github.com/sysdiglabs/terraform-eksblueprints-sysdig-addon diff --git a/modules/kubernetes-addons/sysdig/locals.tf b/modules/kubernetes-addons/sysdig/locals.tf new file mode 100644 index 0000000000..71522d64c3 --- /dev/null +++ b/modules/kubernetes-addons/sysdig/locals.tf @@ -0,0 +1,27 @@ +locals { + name = "sysdig" + namespace = "sysdig" + + set_values = [] + + default_helm_config = { + name = local.name + chart = "sysdig-deploy" + repository = "https://charts.sysdig.com" + version = "1.5.71" + namespace = local.namespace + create_namespace = true + values = local.default_helm_values + set = [] + description = "Sysdig HelmChart Sysdig-Deploy configuration" + wait = false + } + + helm_config = merge( + local.default_helm_config, + var.helm_config + ) + + default_helm_values = [templatefile("${path.module}/values-sysdig.yaml", {}, )] + +} diff --git a/modules/kubernetes-addons/sysdig/main.tf b/modules/kubernetes-addons/sysdig/main.tf new file mode 100644 index 0000000000..a913bdcae0 --- /dev/null +++ b/modules/kubernetes-addons/sysdig/main.tf @@ -0,0 +1,7 @@ +module "helm_addon" { + source = "../helm-addon" + + addon_context = var.addon_context + set_values = local.set_values + helm_config = local.helm_config +} diff --git a/modules/kubernetes-addons/sysdig/outputs.tf b/modules/kubernetes-addons/sysdig/outputs.tf new file mode 100644 index 0000000000..b5d714acb4 --- /dev/null 
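Review bot: In `sysdig/locals.tf`, `helm_config = merge(local.default_helm_config, var.helm_config)` is a shallow merge, so a caller passing `values` or `set` in `var.helm_config` replaces the entire vendored `values-sysdig.yaml` list (and the empty `set`) rather than adding to it; no agent credentials are set anywhere in these defaults, so presumably every real deployment supplies something through this path. The README should say that, and that `set_values` is hard-wired to `[]` in `sysdig/main.tf`, leaving `var.helm_config` as the only way to add settings. Credentials passed as plain `set`/`values` entries also show up in plan output and state, so the same README note should steer callers to the helm provider's `set_sensitive` form where the `helm-addon` module exposes it (not visible in this diff).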
+++ b/modules/kubernetes-addons/sysdig/outputs.tf @@ -0,0 +1,4 @@ +output "argocd_gitops_config" { + description = "Configuration used for managing the add-on with ArgoCD" + value = var.manage_via_gitops ? { enable = true } : null +} diff --git a/modules/kubernetes-addons/sysdig/values-sysdig.yaml b/modules/kubernetes-addons/sysdig/values-sysdig.yaml new file mode 100644 index 0000000000..8628751261 --- /dev/null +++ b/modules/kubernetes-addons/sysdig/values-sysdig.yaml @@ -0,0 +1,17 @@ +global: + kspm: + deploy: true +agent: + sysdig: + settings: + collector_port: 6443 +nodeAnalyzer: + nodeAnalyzer: + benchmarkRunner: + deploy: false + runtimeScanner: + settings: + eveEnabled: true + secure: + vulnerabilityManagement: + newEngineOnly: true diff --git a/modules/kubernetes-addons/sysdig/variables.tf b/modules/kubernetes-addons/sysdig/variables.tf new file mode 100644 index 0000000000..9a81f7fb51 --- /dev/null +++ b/modules/kubernetes-addons/sysdig/variables.tf @@ -0,0 +1,35 @@ +#Helm config +variable "helm_config" { + type = any + description = "Helm Configuration for Sysdig Agent" + default = {} +} + +# Manage via gitops +variable "manage_via_gitops" { + description = "Determines if the add-on should be managed via GitOps" + type = bool + default = false +} + +# tflint-ignore: terraform_unused_declarations +variable "cluster_name" { + description = "Cluster name" + type = string + default = "" +} + +variable "addon_context" { + description = "Input configuration for the addon" + type = object({ + aws_caller_identity_account_id = string + aws_caller_identity_arn = string + aws_eks_cluster_endpoint = string + aws_partition_id = string + aws_region_name = string + eks_cluster_id = string + eks_oidc_issuer_url = string + eks_oidc_provider_arn = string + tags = map(string) + }) +} diff --git a/modules/kubernetes-addons/sysdig/versions.tf b/modules/kubernetes-addons/sysdig/versions.tf new file mode 100644 index 0000000000..d2ddf87cc2 --- /dev/null 
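Review bot: `var.manage_via_gitops` is read only by this `argocd_gitops_config` output; `sysdig/main.tf` passes `addon_context`, `set_values` and `helm_config` to `helm_addon` and does not forward it, so unless the `helm-addon` module picks the flag up from elsewhere, setting it to true advertises the add-on to ArgoCD while Terraform still installs the release. The vendored portworx module has no `manage_via_gitops` variable or `argocd_gitops_config` output at all, so the two local copies also diverge on this interface. If the flag is meant to be honoured, `helm_addon` should receive it (`manage_via_gitops = var.manage_via_gitops`, assuming the module accepts that input); if not, a comment on the output should say it is informational only.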
+++ b/modules/kubernetes-addons/sysdig/versions.tf @@ -0,0 +1,14 @@ +terraform { + required_version = ">= 1.0.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 3.72" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.10" + } + } +}