Merge branch 'master' into Add--vpc_id-and-Region

Author: Arzianghanchi

addons/aws-xray/config/aws-xray.yaml

@@ -0,0 +1,71 @@
+# Default values for aws-xray.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+image:
+  repository: public.ecr.aws/xray/aws-xray-daemon
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+  pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+priorityClassName: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 10001
+
+securityContext: {}
+  # User ID for xray user from https://github.com/aws/aws-xray-daemon/blob/master/Dockerfile
+  # fsGroup: 10001
+
+xray:
+  # Specify your AWS region
+  region:
+  # Change the log level, from most verbose to least: dev, debug, info, warn, error, prod (default).
+  loglevel: prod
+  # ARN of IAM role to assume
+  roleArn:
+  # Port to be used as a hostPort and containerPort on the pod
+  containerPort: 2000
+
+service:
+  port: 2000
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #  cpu: 100m
+  #  memory: 128Mi
+  # requests:
+  #  cpu: 100m
+  #  memory: 128Mi
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## Tolerations for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+##
+tolerations: []
+
+## Affinity for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+##
+affinity: {}

addons/aws-xray/data.tf

@@ -0,0 +1,6 @@
+data "aws_eks_cluster" "eks_cluster" {
+  # this makes downstream resources wait for data plane to be ready
+  name = var.eks_cluster_name
+}
+
+data "aws_region" "current" {}

addons/aws-xray/locals.tf

@@ -0,0 +1,40 @@
+locals {
+  name = "aws-xray"
+  default_helm_config = {
+    name                       = try(var.aws_xray_extra_configs.name, local.name)
+    chart                      = try(var.aws_xray_extra_configs.chart, local.name)
+    repository                 = try(var.aws_xray_extra_configs.repository, "https://okgolove.github.io/helm-charts")
+    version                    = try(var.aws_xray_extra_configs.version, "4.0.8")
+    namespace                  = try(var.aws_xray_extra_configs.namespace, "monitoring")
+    create_namespace           = try(var.aws_xray_extra_configs.create_namespace, true)
+    description                = "AWS X-Ray helm Chart deployment configuration"
+    timeout                    = try(var.aws_xray_extra_configs.timeout, "600")
+    lint                       = try(var.aws_xray_extra_configs.lint, "false")
+    repository_key_file        = try(var.aws_xray_extra_configs.repository_key_file, "")
+    repository_cert_file       = try(var.aws_xray_extra_configs.repository_cert_file, "")
+    repository_username        = try(var.aws_xray_extra_configs.repository_username, "")
+    repository_password        = try(var.aws_xray_extra_configs.repository_password, "")
+    verify                     = try(var.aws_xray_extra_configs.verify, "false")
+    keyring                    = try(var.aws_xray_extra_configs.keyring, "")
+    disable_webhooks           = try(var.aws_xray_extra_configs.disable_webhooks, "false")
+    reuse_values               = try(var.aws_xray_extra_configs.reuse_values, "false")
+    reset_values               = try(var.aws_xray_extra_configs.reset_values, "false")
+    force_update               = try(var.aws_xray_extra_configs.force_update, "false")
+    recreate_pods              = try(var.aws_xray_extra_configs.recreate_pods, "false")
+    cleanup_on_fail            = try(var.aws_xray_extra_configs.cleanup_on_fail, "false")
+    max_history                = try(var.aws_xray_extra_configs.max_history, "0")
+    atomic                     = try(var.aws_xray_extra_configs.atomic, "false")
+    skip_crds                  = try(var.aws_xray_extra_configs.skip_crds, "false")
+    render_subchart_notes      = try(var.aws_xray_extra_configs.render_subchart_notes, "true")
+    disable_openapi_validation = try(var.aws_xray_extra_configs.disable_openapi_validation, "false")
+    wait                       = try(var.aws_xray_extra_configs.wait, "true")
+    wait_for_jobs              = try(var.aws_xray_extra_configs.wait_for_jobs, "false")
+    dependency_update          = try(var.aws_xray_extra_configs.dependency_update, "false")
+    replace                    = try(var.aws_xray_extra_configs.replace, "false")
+  }
+
+  helm_config = merge(
+    local.default_helm_config,
+    var.helm_config
+  )
+}

addons/aws-xray/main.tf

@@ -0,0 +1,61 @@
+module "helm_addon" {
+  source = "../helm"
+
+  manage_via_gitops = var.manage_via_gitops
+  helm_config       = local.helm_config
+  addon_context     = var.addon_context
+
+  set_values = [
+    {
+      name  = "serviceAccount.create"
+      value = "false"
+    },
+    {
+      name  = "serviceAccount.name"
+      value = "${local.name}-sa"
+    },
+    {
+      name  = "xray.region"
+      value = data.aws_region.current.name
+    }
+  ]
+
+  # -- IRSA Configurations
+  irsa_config = {
+    irsa_iam_policies                 = [aws_iam_policy.policy.arn]
+    irsa_iam_role_name                = "${local.name}-${var.eks_cluster_name}"
+    create_kubernetes_service_account = true
+    kubernetes_service_account        = "${local.name}-sa"
+    kubernetes_namespace              = local.default_helm_config.namespace
+    eks_oidc_provider_arn             = replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")
+    account_id                        = var.account_id
+  }
+
+}
+
+resource "aws_iam_policy" "policy" {
+  name        = format("%s-%s-IAM-Policy", local.name, var.eks_cluster_name)
+  path        = "/"
+  description = "IAM Policy used by ${local.name}-${var.eks_cluster_name} IAM Role"
+  policy      = var.iampolicy_json_content != null ? var.iampolicy_json_content : <<-EOT
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AWSXRayDaemonWriteAccess",
+            "Effect": "Allow",
+            "Action": [
+                "xray:PutTraceSegments",
+                "xray:PutTelemetryRecords",
+                "xray:GetSamplingRules",
+                "xray:GetSamplingTargets",
+                "xray:GetSamplingStatisticSummaries"
+            ],
+            "Resource": [
+                "*"
+            ]
+        }
+    ]
+} 
+EOT
+}

addons/aws-xray/output.tf

@@ -0,0 +1,12 @@
+output "namespace" {
+  value = local.default_helm_config.namespace
+}
+
+output "chart_version" {
+  value = local.default_helm_config.version
+}
+
+output "repository" {
+  value = local.default_helm_config.repository
+}
+ 

addons/aws-xray/variable.tf

@@ -0,0 +1,48 @@
+variable "helm_config" {
+  description = "Helm provider config for AWS X-Ray"
+  type        = any
+  default     = {}
+}
+
+variable "manage_via_gitops" {
+  description = "Determines if the add-on should be managed via GitOps"
+  type        = bool
+  default     = false
+}
+
+variable "addon_context" {
+  description = "Input configuration for the addon"
+  type = object({
+    aws_caller_identity_account_id = string
+    aws_caller_identity_arn        = string
+    aws_eks_cluster_endpoint       = string
+    aws_partition_id               = string
+    aws_region_name                = string
+    eks_cluster_id                 = string
+    eks_oidc_issuer_url            = string
+    eks_oidc_provider_arn          = string
+    tags                           = map(string)
+  })
+}
+
+variable "aws_xray_extra_configs" {
+  description = "Override attributes of helm_release terraform resource"
+  type        = any
+  default     = {}
+}
+
+variable "eks_cluster_name" {
+  type    = string
+  default = ""
+}
+
+variable "account_id" {
+  type    = string
+  default = ""
+}
+
+variable "iampolicy_json_content" {
+  description = "Custom IAM Policy for AWS X-Ray IRSA"
+  type        = string
+  default     = null
+}

addons/aws-xray/version.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.10"
+    }
+  }
+}

docs/io.md

@@ -20,6 +20,10 @@
 | aws\_node\_termination\_handler | Enable AWS Node Termination Handler add-on | `bool` | `false` | no |
 | aws\_node\_termination\_handler\_extra\_configs | Override attributes of helm\_release terraform resource | `any` | `{}` | no |
 | aws\_node\_termination\_handler\_helm\_config | Path to override-values.yaml for AWS Node Termination Handler Helm Chart | `any` | `null` | no |
+| aws\_xray | Enable AWS XRAY add-on | `bool` | `false` | no |
+| aws\_xray\_extra\_configs | Override attributes of helm\_release terraform resource | `any` | `{}` | no |
+| aws\_xray\_helm\_config | Path to override-values.yaml for AWS X-Ray Helm Chart | `any` | `null` | no |
+| aws\_xray\_iampolicy\_json\_content | Custom IAM Policy for AWS X-Ray IRSA | `string` | `null` | no |
 | calico\_tigera | Enable Tigera's Calico add-on | `bool` | `false` | no |
 | calico\_tigera\_extra\_configs | Override attributes of helm\_release terraform resource | `any` | `{}` | no |
 | calico\_tigera\_helm\_config | Path to override-values.yaml for Calico Helm Chart | `any` | `null` | no |

examples/basic/config/external-secret/override-values.yaml

@@ -8,7 +8,7 @@ affinity:
         - key: "eks.amazonaws.com/nodegroup"
           operator: In
           values:
-          - "critical"
+          - "critical-nodes"
 
 ## Using limits and requests
 

examples/basic/config/keda/override-keda.yaml

@@ -6,4 +6,4 @@ affinity:
         - key: "eks.amazonaws.com/nodegroup"
           operator: In
           values:
-          - "critical"
+          - "critical-nodes"

examples/basic/config/override-external-dns.yaml

@@ -14,4 +14,4 @@ affinity:
         - key: "eks.amazonaws.com/nodegroup"
           operator: In
           values:
-          - "critical"
+          - "critical-nodes"

examples/basic/config/reloader/override-reloader.yaml

@@ -9,7 +9,7 @@ reloader:
             - key: "eks.amazonaws.com/nodegroup"
               operator: In
               values:
-              - "critical"
+              - "critical-nodes"
 
     resources:
       limits:

examples/basic/main.tf

@@ -4,7 +4,7 @@
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "5.19.0"
+  version = "5.21.0"
 
   name = "${local.name}-vpc"
   cidr = local.vpc_cidr

examples/complete/config/aws_xray-values.yaml

@@ -0,0 +1,17 @@
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: "eks.amazonaws.com/nodegroup"
+          operator: In
+          values:
+          - "critical-nodes"
+
+resources:
+  requests:
+    cpu: 256m
+    memory: 32Mi
+  limits:
+    cpu: 512m
+    memory: 64Mi

examples/complete/config/external-secret/override-values.yaml

@@ -8,7 +8,7 @@ affinity:
         - key: "eks.amazonaws.com/nodegroup"
           operator: In
           values:
-          - "critical"
+          - "critical-nodes"
 
 ## Using limits and requests
 

examples/complete/config/grafana/override-grafana.yaml

@@ -6,7 +6,7 @@ affinity:
         - key: "eks.amazonaws.com/nodegroup"
           operator: In
           values:
-          - "critical"
+          - "critical-nodes"
 resources:
   limits:
     cpu: 300m

examples/complete/config/istio/istio_ingress_override.yaml

@@ -6,7 +6,7 @@ affinity:
         - key: "eks.amazonaws.com/nodegroup"
           operator: In
           values:
-          - "critical"
+          - "critical-nodes"
 
 service:
   type: NodePort

examples/complete/config/istio/istiod_override.yaml

@@ -1,3 +1,3 @@
 pilot:
   nodeSelector: 
-    "eks.amazonaws.com/nodegroup" : "critical"
+    "eks.amazonaws.com/nodegroup" : "critical-nodes"

examples/complete/config/istio/override-values.yaml

@@ -1,6 +1,6 @@
 global:
   defaultNodeSelector:
-    "eks.amazonaws.com/nodegroup" : "critical"
+    "eks.amazonaws.com/nodegroup" : "critical-nodes"
 
 service:
   type: NodePort

examples/complete/config/keda/override-keda.yaml

@@ -6,4 +6,4 @@ affinity:
         - key: "eks.amazonaws.com/nodegroup"
           operator: In
           values:
-          - "critical"
+          - "critical-nodes"

examples/complete/config/kiali/override-values.yaml

@@ -8,7 +8,7 @@ deployment:
           - key: "eks.amazonaws.com/nodegroup"
             operator: In
             values:
-            - "critical"
+            - "critical-nodes"
 
 ## Using limits and requests
 

examples/complete/config/override-actions-runner-controller.yaml

@@ -8,7 +8,7 @@ affinity:
         - key: "eks.amazonaws.com/nodegroup"
           operator: In
           values:
-          - "critical"
+          - "critical-nodes"
 
 resources:
   limits: