added fluenbit and karpenter helm chart, IAM policies, merged VPC cha…

…nges (#7)
CMS-Enterprise · Jun 11, 2024 · 9a2b20b · 9a2b20b
2 parents eba3c57 + f8828e5
commit 9a2b20b
Show file tree

Hide file tree

Showing 13 changed files with 596 additions and 173 deletions.
diff --git a/eks.tf b/eks.tf
@@ -2,6 +2,7 @@ module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "20.11.0"
 
+  access_entries                               = var.eks_access_entries
   authentication_mode                          = "API_AND_CONFIG_MAP"
   cloudwatch_log_group_class                   = "STANDARD"
   cloudwatch_log_group_kms_key_id              = module.cloudwatch_kms.key_arn
@@ -13,7 +14,7 @@ module "eks" {
   cluster_security_group_name                  = "eks-${local.cluster_name}-cluster-sg"
   cluster_service_ipv4_cidr                    = "172.20.0.0/16"
   cluster_version                              = local.cluster_version
-  control_plane_subnet_ids                     = module.vpc.private_subnets
+  control_plane_subnet_ids                     = local.all_private_subnet_ids
   create_cloudwatch_log_group                  = true
   create_cluster_primary_security_group_tags   = true
   create_cluster_security_group                = true
@@ -37,24 +38,9 @@ module "eks" {
   node_security_group_enable_recommended_rules = true
   node_security_group_name                     = "eks-${local.cluster_name}-node-sg"
   node_security_group_use_name_prefix          = false
-  subnet_ids                                   = module.vpc.private_subnets
+  subnet_ids                                   = local.all_private_subnet_ids
   tags                                         = merge(var.eks_cluster_tags, { Name = local.cluster_name })
-  vpc_id                                       = module.vpc.vpc_id
-
-  access_entries = merge(var.eks_access_entries, {
-    main = {
-      principal_arn = "arn:${data.aws_caller_identity.current.provider}:iam::${data.aws_caller_identity.current.account_id}:role/ct-ado-batcave-application-admin"
-      type          = "STANDARD"
-      policy_associations = {
-        admin = {
-          policy_arn = "arn:${data.aws_caller_identity.current.provider}:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
-          access_scope = {
-            type = "cluster"
-          }
-        }
-      }
-    }
-  })
+  vpc_id                                       = data.aws_vpc.vpc.id
 
   cluster_addons = {
     coredns = {
@@ -102,7 +88,7 @@ module "main_nodes" {
   create_iam_role                   = false
   iam_role_additional_policies      = { ssm = "arn:${data.aws_caller_identity.current.provider}:iam::aws:policy/AmazonSSMManagedInstanceCore" }
   iam_role_arn                      = module.eks.cluster_iam_role_arn
-  subnet_ids                        = module.vpc.private_subnets
+  subnet_ids                        = local.all_private_subnet_ids
   vpc_security_group_ids            = [module.eks.node_security_group_id]
 
   desired_size = 3
@@ -156,9 +142,6 @@ module "eks_base" {
 
   enable_aws_load_balancer_controller          = false
   enable_secrets_store_csi_driver_provider_aws = true
-  enable_aws_node_termination_handler          = true
-
-  aws_node_termination_handler_asg_arns = local.asg_arns
 
   secrets_store_csi_driver_provider_aws = {
     atomic = true
@@ -177,21 +160,6 @@ module "eks_base" {
   ]
 }
 
-
-module "karpenter" {
-  source = "terraform-aws-modules/eks/aws//modules/karpenter"
-
-  cluster_name            = module.eks.cluster_name
-  create_access_entry     = false
-  create_node_iam_role    = false
-  enable_pod_identity     = true
-  enable_spot_termination = true
-  node_iam_role_arn       = module.eks.cluster_iam_role_arn
-
-
-  tags = var.karpenter_tags
-}
-
 # This installs the gp3 storage class and makes it the default
 resource "kubernetes_storage_class_v1" "gp3" {
   storage_provisioner    = "kubernetes.io/aws-ebs"
@@ -275,3 +243,31 @@ module "aws_lb_controller_pod_identity" {
 
   tags = var.lb_controller_tags
 }
+
+module "fluentbit_pod_identity" {
+  count      = var.enable_eks_pod_identities ? 1 : 0
+  source     = "terraform-aws-modules/eks-pod-identity/aws"
+  depends_on = [helm_release.fluent-bit]
+
+  name            = "fluentbit"
+  use_name_prefix = false
+  description     = "AWS EKS fluentbit role"
+
+
+  attach_custom_policy    = true
+  source_policy_documents = [data.aws_iam_policy_document.fluent-bit.json]
+
+  associations = {
+    default = {
+      cluster_name    = local.cluster_name
+      namespace       = "kube-system"
+      service_account = "fluentbit"
+    }
+  }
+
+  tags = merge(
+    var.pod_identity_tags,
+    var.fb_tags
+  )
+
+}
diff --git a/fluentbit.tf b/fluentbit.tf
@@ -0,0 +1,40 @@
+#Cloudwatch Log Group
+resource "aws_cloudwatch_log_group" "fluent-bit" {
+  name              = var.fb_log_group_name
+  retention_in_days = var.fb_log_retention
+  kms_key_id        = var.fb_log_encryption ? var.fb_kms_key_id : ""
+  tags              = var.fb_tags
+}
+
+resource "aws_cloudwatch_log_group" "fluent-bit-system" {
+  count             = var.fb_log_systemd ? 1 : 0
+  name              = var.fb_system_log_group_name
+  retention_in_days = var.fb_system_log_retention
+  kms_key_id        = var.fb_log_encryption ? var.fb_kms_key_id : ""
+  tags              = var.fb_tags
+}
+
+#Fluentbit HELM
+resource "helm_release" "fluent-bit" {
+  depends_on = [module.eks, module.main_nodes, module.eks_base]
+  name       = "${local.cluster_name}-fluenbit"
+  repository = "https://fluent.github.io/helm-charts"
+  chart      = "fluent-bit"
+  version    = var.fb_chart_verison
+  namespace  = "kube-system"
+
+  values = [
+    local.values
+  ]
+
+  set {
+    name  = "clusterName"
+    value = local.cluster_name
+  }
+
+  set {
+    name  = "serviceAccount.name"
+    value = "fluent-bit"
+  }
+
+}
diff --git a/helm/fluentbit/values.yaml.tpl b/helm/fluentbit/values.yaml.tpl
@@ -0,0 +1,81 @@
+config:
+  ## https://docs.fluentbit.io/manual/pipeline/inputs
+  inputs: |
+    [INPUT]
+        Name               tail
+        Tag                kube.*
+        Path               /var/log/containers/*.log
+        Read_from_head     true
+        multiline.parser   docker, cri
+        Docker_Mode        On
+        Parser             docker
+        Mem_Buf_Limit      50MB
+
+    [INPUT]
+        Name systemd
+        Tag host.*
+        Systemd_Filter _SYSTEMD_UNIT=kubelet.service
+        Read_From_Tail On
+
+    ${indent(4, inputs)}
+
+  ## https://docs.fluentbit.io/manual/pipeline/filters
+  filters: |
+    [FILTER]
+        Name kubernetes
+        Match kube.*
+        Merge_Log On
+        Keep_Log Off
+        K8S-Logging.Parser On
+        K8S-Logging.Exclude On
+
+    [FILTER]
+        Name          grep
+        Match         kube.*
+        Exclude       $log ${log_filters}
+
+    [FILTER]
+        Name          grep
+        Match         kube.*
+        Exclude       $log ${additional_log_filters}
+
+%{ for value in kube_namespaces }
+    [FILTER]
+        Name          rewrite_tag
+        Match         kube.*
+        Rule          $kubernetes['namespace_name'] ^${value}$ system.$TAG false
+%{ endfor ~}
+
+    [FILTER]
+        Name          grep
+        Match         *
+        Exclude       $kubernetes['namespace_name'] ${drop_namespaces}
+
+    ${indent(4, filters)}
+  outputs: |
+    [OUTPUT]
+        Name cloudwatch_logs
+        Match  kube.*
+        region ${region}
+        log_group_name ${log_group_name}
+        log_stream_prefix from-fluent-bit-
+        log_retention_days ${log_retention_days}
+
+    [OUTPUT]
+        Name cloudwatch_logs
+        Match host.*
+        region ${region}
+        log_group_name ${system_log_group_name}
+        log_stream_prefix eks-
+        log_retention_days ${log_retention_days}
+
+    [OUTPUT]
+        Name cloudwatch_logs
+        Match  system.*
+        region ${region}
+        log_group_name ${system_log_group_name}
+        log_stream_prefix from-fluent-bit-
+        auto_create_group ${auto_create_group}
+        log_retention_days ${log_retention_days}
+
+    ${indent(4, outputs)}
diff --git a/helm/karpenter-nodes/Chart.yaml b/helm/karpenter-nodes/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: A Helm chart for Karpenter Nodes
+name: karpenter-nodes
+version: 1.0.0
diff --git a/helm/karpenter-nodes/templates/ec2NodeClass.yaml b/helm/karpenter-nodes/templates/ec2NodeClass.yaml
@@ -0,0 +1,35 @@
+apiVersion: karpenter.k8s.aws/v1beta1
+kind: EC2NodeClass
+metadata:
+  name: {{ .Values.nodeClass.metadata.name | default "default" | quote }}
+  annotations:
+{{- range $key, $value := .Values.nodeClass.metadata.annotations }}
+    {{ $key }}: "{{ $value }}"
+{{- end }}
+spec:
+  amiFamily: {{ .Values.nodeClass.spec.amiFamily | default "AL2" | quote }}
+  blockDeviceMappings:
+{{- range .Values.nodeClass.spec.blockDeviceMappings }}
+    - deviceName: {{ .deviceName | quote }}
+      ebs:
+        volumeType: {{ .ebs.volumeType | quote }}
+        volumeSize: {{ .ebs.volumeSize | quote }}
+        deleteOnTermination: {{ .ebs.deleteOnTermination | quote }}
+{{- end }}
+  role: "{{ .Values.nodeClass.spec.role }}"
+  associatePublicIPAddress: {{ .Values.nodeClass.spec.associatePublicIPAddress | default false }}   
+  subnetSelectorTerms:
+    - tags:
+        Name: "{{ .Values.nodeClass.spec.subnetTag }}"
+  securityGroupSelectorTerms:
+    - tags:
+        karpenter.sh/discovery: "{{ .Values.nodeClass.spec.clustername }}"
+    - id: "{{ .Values.nodeClass.spec.securityGroupID }}"    
+  tags:
+{{- range $key, $value := .Values.nodeClass.spec.tags }}
+    {{ $key }}: "{{ $value }}"
+{{- end }}
+  userData: |
+    {{- if .Values.nodeClass.spec.userData }}
+    {{ .Values.nodeClass.spec.userData | indent 4 }}
+    {{- end }}
diff --git a/helm/karpenter-nodes/templates/nodePool.yaml b/helm/karpenter-nodes/templates/nodePool.yaml
@@ -0,0 +1,21 @@
+apiVersion: karpenter.sh/v1beta1
+kind: NodePool
+metadata:
+  name: {{ .Values.nodePool.metadata.name | default "default" | quote }}
+  annotations:
+{{- range $key, $value := .Values.nodePool.metadata.annotations }}
+    {{ $key }}: "{{ $value }}"
+{{- end }}
+spec:
+  template:
+    spec:
+      requirements:
+{{- range .Values.nodePool.spec.template.spec.requirements }}
+        - key: {{ .key | quote }}
+          operator: {{ .operator | quote }}
+          values: [{{ range $index, $value := .values }}{{ if $index }}, {{ end }}"{{ $value }}"{{ end }}]
+{{- end }}
+      nodeClassRef:
+        apiVersion: {{ .Values.nodePool.spec.template.spec.nodeClassRef.apiVersion | default "karpenter.k8s.aws/v1beta1" | quote }}
+        kind: {{ .Values.nodePool.spec.template.spec.nodeClassRef.kind | default "EC2NodeClass" | quote }}
+        name: {{ .Values.nodePool.spec.template.spec.nodeClassRef.name | default "default" | quote }}
diff --git a/helm/karpenter-nodes/values.yaml.tpl b/helm/karpenter-nodes/values.yaml.tpl
@@ -0,0 +1,56 @@
+nodeClass:
+  metadata:
+    name: "default"
+    annotations:
+      description: "EC2NodeClass for running Amazon Linux 2 nodes with custom user data"
+
+  spec:
+    amiFamily: ${amiFamily}
+    blockDeviceMappings:
+      - deviceName: "/dev/xvda"
+        ebs:
+          volumeType: "gp3"
+          volumeSize: 5
+          deleteOnTermination: true
+      - deviceName: "/dev/xvdb"
+        ebs:
+          volumeType: "gp3"
+          volumeSize: 100
+          deleteOnTermination: true
+    role: ${iamRole}
+    subnetTag: ${subnetTag}
+    securityGroupID: ${securityGroupID}   
+    tags:
+      ${tags}
+
+nodePool:
+  metadata:
+    name: "default" 
+    annotations:
+      kubernetes.io/description: "General purpose NodePool for generic workloads"
+  spec:
+    template:
+      spec:
+        requirements:
+          - key: "kubernetes.io/arch"
+            operator: "In"
+            values: ["amd64"]
+          - key: "kubernetes.io/os"
+            operator: "In"
+            values: ["linux"]
+          - key: "karpenter.sh/capacity-type"
+            operator: "In"
+            values: ["on-demand"]
+          - key: "karpenter.k8s.aws/instance-category"
+            operator: "In"
+            values: ["c", "m", "r"]
+          - key: "karpenter.k8s.aws/instance-generation"
+            operator: "Gt"
+            values: ["5"]
+          - key: "usage"
+            operator: "In"
+            values: ["application", "system"]
+        nodeClassRef:
+          apiVersion: "karpenter.k8s.aws/v1beta1"
+          kind: "EC2NodeClass"
+          name: "default"
diff --git a/helm/karpenter/values.yaml.tpl b/helm/karpenter/values.yaml.tpl
@@ -0,0 +1,27 @@
+controller:
+  tolerations:
+    - key: "CriticalAddonsOnly"
+      operator: "Exists"
+      effect: "NoSchedule"
+
+webhook:
+  tolerations:
+    - key: "CriticalAddonsOnly"
+      operator: "Exists"
+      effect: "NoSchedule"
+
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: usage
+          operator: In
+          values:
+          - karpenter
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      - topologyKey: "kubernetes.io/hostname"
+settings:
+  clusterName: ${cluster_name}
+  interruptionQueue: "Karpenter-"${cluster_name}