diff --git a/examples/blue-green-upgrade/modules/eks_cluster/main.tf b/examples/blue-green-upgrade/modules/eks_cluster/main.tf
index cc183fa03d..18b06dd3ea 100644
--- a/examples/blue-green-upgrade/modules/eks_cluster/main.tf
+++ b/examples/blue-green-upgrade/modules/eks_cluster/main.tf
@@ -199,7 +199,7 @@ data "aws_secretsmanager_secret_version" "admin_password_version" {
 }
 module "eks_blueprints" {
- source = "github.com/aws-ia/terraform-aws-eks-blueprints?ref=v4.18.1"
+ source = "../../../.."
 cluster_name = local.name
@@ -363,7 +363,8 @@ module "eks_blueprints" {
 #certificate_arn = aws_acm_certificate_validation.example.certificate_arn
 module "kubernetes_addons" {
- source = "github.com/aws-ia/terraform-aws-eks-blueprints?ref=v4.18.1/modules/kubernetes-addons"
+ source = "../../../../modules/kubernetes-addons"
+
 eks_cluster_id = module.eks_blueprints.eks_cluster_id
 eks_cluster_domain = local.eks_cluster_domain
diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md
index b3ea443c0c..58cdcff208 100644
--- a/modules/kubernetes-addons/README.md
+++ b/modules/kubernetes-addons/README.md
@@ -72,7 +72,7 @@
 | [local\_volume\_provisioner](#module\_local\_volume\_provisioner) | ./local-volume-provisioner | n/a |
 | [metrics\_server](#module\_metrics\_server) | ./metrics-server | n/a |
 | [nvidia\_device\_plugin](#module\_nvidia\_device\_plugin) | ./nvidia-device-plugin | n/a |
-| [ondat](#module\_ondat) | ondat/ondat-addon/eksblueprints | 0.1.2 |
+| [ondat](#module\_ondat) | ./ondat | n/a |
 | [opentelemetry\_operator](#module\_opentelemetry\_operator) | ./opentelemetry-operator | n/a |
 | [portworx](#module\_portworx) | portworx/portworx-addon/eksblueprints | 0.0.6 |
 | [prometheus](#module\_prometheus) | ./prometheus | n/a |
diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf
index 8f301570db..62080c9e4d 100644
--- a/modules/kubernetes-addons/main.tf
+++ b/modules/kubernetes-addons/main.tf
@@ -363,8 +363,7 @@ module "kube_state_metrics" {
 }
 module "ondat" {
- source = "ondat/ondat-addon/eksblueprints"
- version = "0.1.2"
+ source = "./ondat"
 count = var.enable_ondat ? 1 : 0
diff --git a/modules/kubernetes-addons/ondat/README.md b/modules/kubernetes-addons/ondat/README.md
new file mode 100644
index 0000000000..e8b76cb3b6
--- /dev/null
+++ b/modules/kubernetes-addons/ondat/README.md
@@ -0,0 +1,79 @@
+# Ondat add-on for EKS Blueprints
+
+## Introduction
+
+[Ondat](https://ondat.io) is a highly scalable Kubernetes data plane that
+provides stateful storage for applications. This blueprint installs Ondat
+on Amazon Elastic Kubernetes Service (AWS EKS).
+
+## Key features
+
+1. Hyperconverged (all nodes have storage) or centralised (some nodes
+have storage), Kubernetes-native storage on any infrastructure - use the
+same code and storage features in-cloud and on-premises!
+1. Best-in-class performance, availability and security - individually
+encrypted volumes, performs better than competitors and synchronizes replicas
+quickly and efficiently.
+1. NFS (RWX) support allowing for performant sharing of volumes across multiple
+workloads.
+1. Free tier with 1TiB of storage under management plus unlimited replicas
+1. Larger storage capacity and business support available in paid product
+
+Find out more in our [documentation](https://docs.ondat.io/docs/concepts/)!
+
+## Examples
+
+See [blueprints](blueprints/).
+
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | 4.15.1 |
+| [kubernetes](#provider\_kubernetes) | 2.11.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [helm\_addon](#module\_helm\_addon) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.1.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [kubernetes_namespace.ondat](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.storageos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_secret.etcd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_storage_class.etcd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
+| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
irsa_iam_role_path = optional(string)
irsa_iam_permissions_boundary = optional(string)
})
| n/a | yes |
+| [admin\_password](#input\_admin\_password) | Password for the Ondat admin user | `string` | `"storageos"` | no |
+| [admin\_username](#input\_admin\_username) | Username for the Ondat admin user | `string` | `"storageos"` | no |
+| [create\_cluster](#input\_create\_cluster) | Determines if the StorageOSCluster and secrets should be created | `bool` | `true` | no |
+| [etcd\_ca](#input\_etcd\_ca) | The PEM encoded CA for Ondat's etcd | `string` | `null` | no |
+| [etcd\_cert](#input\_etcd\_cert) | The PEM encoded client certificate for Ondat's etcd | `string` | `null` | no |
+| [etcd\_endpoints](#input\_etcd\_endpoints) | A list of etcd endpoints for Ondat | `list(string)` | `[]` | no |
+| [etcd\_key](#input\_etcd\_key) | The PEM encoded client key for Ondat's etcd | `string` | `null` | no |
+| [helm\_config](#input\_helm\_config) | Helm provider config for the ondat addon | `any` | `{}` | no |
+| [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | IAM Policy ARN for IRSA IAM role permissions boundary | `string` | `""` | no |
+| [irsa\_policies](#input\_irsa\_policies) | IAM policy ARNs for Ondat IRSA | `list(string)` | `[]` | no |
+| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD |
+
diff --git a/modules/kubernetes-addons/ondat/main.tf b/modules/kubernetes-addons/ondat/main.tf
new file mode 100644
index 0000000000..0f9b6ca6ba
--- /dev/null
+++ b/modules/kubernetes-addons/ondat/main.tf
@@ -0,0 +1,179 @@
+locals {
+ name = "ondat"
+ service_account_name = "storageos-operator"
+
+ ondat_etcd_endpoints = length(var.etcd_endpoints) == 0 ? "storageos-etcd.storageos-etcd:2379" : join(",", var.etcd_endpoints)
+
+ argocd_gitops_config = {
+ enable = true
+ etcdClusterCreate = length(var.etcd_endpoints) == 0
+ serviceAccountName = local.service_account_name
+ clusterSecretRefName = "storageos-api"
+ clusterAdminUsername = "storageos"
+ clusterAdminPassword = "storageos"
+ clusterKvBackendAddress = local.ondat_etcd_endpoints
+ clusterKvBackendTLSSecretName = length(kubernetes_secret.etcd) > 0 ? kubernetes_secret.etcd[0].metadata[0].name : "storageos-etcd-secret"
+ clusterKvBackendTLSSecretNamespace = length(kubernetes_secret.etcd) > 0 ? kubernetes_secret.etcd[0].metadata[0].namespace : "storageos"
+ clusterNodeSelectorTermKey = "storageos-node"
+ clusterNodeSelectorTermValue = "1"
+ etcdNodeSelectorTermKey = "storageos-etcd"
+ etcdNodeSelectorTermValue = "1"
+ }
+
+ default_helm_values = [templatefile("${path.module}/values.yaml",
+ {
+ ondat_service_account_name = local.service_account_name,
+ ondat_nodeselectorterm_key = "storageos-node"
+ ondat_nodeselectorterm_value = "1"
+ etcd_nodeselectorterm_key = "storageos-etcd"
+ etcd_nodeselectorterm_value = "1"
+ ondat_admin_username = "storageos",
+ ondat_admin_password = "storageos",
+ ondat_credential_secret_name = "storageos-api",
+ etcd_address = local.ondat_etcd_endpoints,
+ },
+ )]
+}
+
+module "helm_addon" {
+ source = "../helm-addon"
+
+ manage_via_gitops = var.manage_via_gitops
+
+ helm_config = merge(
+ {
+ name = local.name
+ chart = "ondat"
+ repository = "https://ondat.github.io/charts"
+ version = "0.2.5"
+ namespace = kubernetes_namespace.ondat.metadata[0].name
+ timeout = "1500"
+ create_namespace = false
+ values = local.default_helm_values
+ description = "Ondat Helm Chart for storage"
+ },
+ var.helm_config
+ )
+
+ set_values = [
+ {
+ name = "ondat-operator.serviceAccount.name"
+ value = 
local.service_account_name + }, + { + name = "ondat-operator.cluster.create" + value = var.create_cluster + }, + { + name = "ondat-operator.cluster.secretRefName" + value = "storageos-api" + }, + { + name = "ondat-operator.cluster.kvBackend.address" + value = local.ondat_etcd_endpoints + }, + { + name = "ondat-operator.cluster.kvBackend.tlsSecretName" + value = length(kubernetes_secret.etcd) > 0 ? kubernetes_secret.etcd[0].metadata[0].name : "storageos-etcd-secret" + }, + { + name = "ondat-operator.cluster.kvBackend.tlsSecretNamespace" + value = length(kubernetes_secret.etcd) > 0 ? kubernetes_secret.etcd[0].metadata[0].namespace : "storageos" + }, + { + name = "etcd-cluster-operator.cluster.create" + value = length(var.etcd_endpoints) == 0 + }, + ] + + set_sensitive_values = [ + { + name = "cluster.admin.username", + value = var.admin_username + }, + { + name = "cluster.admin.password", + value = var.admin_password + }, + ] + + irsa_config = { + create_kubernetes_namespace = false + kubernetes_namespace = kubernetes_namespace.ondat.metadata[0].name + + create_kubernetes_service_account = true + kubernetes_service_account = local.service_account_name + + iam_role_path = "/" + tags = var.addon_context.tags + eks_cluster_id = var.addon_context.eks_cluster_id + irsa_iam_policies = var.irsa_policies + irsa_iam_permissions_boundary = var.irsa_permissions_boundary + } + + addon_context = var.addon_context +} + +resource "kubernetes_namespace" "ondat" { + metadata { + name = "ondat" + labels = { + app = local.name + } + } +} + +################################################################################ +# Secrets +################################################################################ + +resource "kubernetes_namespace" "storageos" { + count = length(var.etcd_endpoints) == 0 ? 0 : 1 + + metadata { + name = "storageos" + labels = { + app = local.name + } + } +} + +resource "kubernetes_secret" "etcd" { + count = length(var.etcd_endpoints) == 0 ? 
0 : 1 metadata { name = "storageos-etcd" namespace = kubernetes_namespace.storageos[0].metadata[0].name labels = { app = local.name } } data = { "etcd-client-ca.crt" = var.etcd_ca "etcd-client.crt" = var.etcd_cert "etcd-client.key" = var.etcd_key } type = "kubernetes.io/storageos" } ################################################################################ # Storage Class ################################################################################ resource "kubernetes_storage_class" "etcd" { count = length(var.etcd_endpoints) == 0 ? 1 : 0 metadata { name = "etcd" } storage_provisioner = "ebs.csi.aws.com" reclaim_policy = "Retain" volume_binding_mode = "WaitForFirstConsumer" parameters = { type = "gp3" } }
diff --git a/modules/kubernetes-addons/ondat/outputs.tf b/modules/kubernetes-addons/ondat/outputs.tf
new file mode 100644
index 0000000000..b30c86b380
--- /dev/null
+++ b/modules/kubernetes-addons/ondat/outputs.tf
@@ -0,0 +1,4 @@
+output "argocd_gitops_config" {
+ description = "Configuration used for managing the add-on with ArgoCD"
+ value = var.manage_via_gitops ? local.argocd_gitops_config : null
+}
diff --git a/modules/kubernetes-addons/ondat/values.yaml b/modules/kubernetes-addons/ondat/values.yaml
new file mode 100644
index 0000000000..68c6e02fe8
--- /dev/null
+++ b/modules/kubernetes-addons/ondat/values.yaml
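Review bot: The `admin_username`/`admin_password` inputs never reach the chart: `default_helm_values` hard-codes `ondat_admin_username = "storageos"` and `ondat_admin_password = "storageos"` into the templated values (which values.yaml places under `ondat-operator.cluster.admin`), while `set_sensitive_values` writes `cluster.admin.username`/`cluster.admin.password` without the `ondat-operator.` prefix that every other `set_values` entry uses, so unless the umbrella chart aliases a top-level `cluster` key (not visible here) the well-known default credential wins and is additionally emitted in plaintext through `argocd_gitops_config`. Pass the variables through the template and the gitops map and prefix the sensitive keys so the override actually lands, as below. The `etcd` storage class (`parameters = { type = "gp3" }`) backs the Ondat control-plane KV store; adding `encrypted = "true"` there puts it on an encrypted EBS volume at no cost to the rest of the module. `kubernetes_secret.etcd` is created whenever external `etcd_endpoints` are given even if `etcd_ca`/`etcd_cert`/`etcd_key` are left at their `null` defaults, yielding an empty TLS secret; a `validation` on those inputs would fail at plan time instead of at cluster bring-up.
```hcl
# … unchanged: name, service_account_name, ondat_etcd_endpoints …
    clusterAdminUsername = var.admin_username
    clusterAdminPassword = var.admin_password
# … unchanged: remaining argocd_gitops_config keys …
      ondat_admin_username         = var.admin_username,
      ondat_admin_password         = var.admin_password,
# … unchanged: helm_config, set_values …
  set_sensitive_values = [
    {
      name  = "ondat-operator.cluster.admin.username",
      value = var.admin_username
    },
    {
      name  = "ondat-operator.cluster.admin.password",
      value = var.admin_password
    },
  ]
```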
@@ -0,0 +1,25 @@
+ondat-operator:
+ serviceAccount:
+ create: false
+ name: ${ondat_service_account_name}
+ cluster:
+ create: true
+ secretRefName: ${ondat_credential_secret_name}
+ admin:
+ username: ${ondat_admin_username}
+ password: ${ondat_admin_password}
+ kvBackend:
+ address: ${etcd_address}
+ nodeSelectorTerm:
+ key: ${ondat_nodeselectorterm_key}
+ value: ${ondat_nodeselectorterm_value}
+etcd-cluster-operator:
+ cluster:
+ replicas: 5
+ storage: 15Gi
+ storageclass: etcd
+ nodeSelectorTerm:
+ key: ${etcd_nodeselectorterm_key}
+ value: ${etcd_nodeselectorterm_value}
+ ondat:
+ namespace: storageos
diff --git a/modules/kubernetes-addons/ondat/variables.tf b/modules/kubernetes-addons/ondat/variables.tf
new file mode 100644
index 0000000000..916a622fee
--- /dev/null
+++ b/modules/kubernetes-addons/ondat/variables.tf
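Review bot: `password: ${ondat_admin_password}` renders the admin credential into the Helm `values` string, which is a non-sensitive attribute that ends up in the Terraform plan/state and in the Helm release record, while main.tf already carries the same credential through `set_sensitive_values`. Drop the `admin:` block (`username`/`password`) from this template and let `set_sensitive_values` be the only path, so the secret does not also travel through the plaintext values list. The etcd sizing `replicas: 5` / `storage: 15Gi` is fixed here and not exposed as a module input; a comment such as `# etcd sizing is fixed here (5 members, 15Gi each); not exposed as a module input` would at least tell operators where to look.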
@@ -0,0 +1,72 @@
+variable "helm_config" {
+ description = "Helm provider config for the ondat addon"
+ type = any
+ default = {}
+}
+
+variable "manage_via_gitops" {
+ description = "Determines if the add-on should be managed via GitOps"
+ type = bool
+ default = false
+}
+
+variable "addon_context" {
+ description = "Input configuration for the addon"
+ type = any
+}
+
+variable "irsa_permissions_boundary" {
+ description = "IAM Policy ARN for IRSA IAM role permissions boundary"
+ type = string
+ default = ""
+}
+
+variable "irsa_policies" {
+ description = "IAM policy ARNs for Ondat IRSA"
+ type = list(string)
+ default = []
+}
+
+variable "create_cluster" {
+ description = "Determines if the StorageOSCluster and secrets should be created"
+ type = bool
+ default = true
+}
+
+variable "etcd_endpoints" {
+ description = "A list of etcd endpoints for Ondat"
+ type = list(string)
+ default = []
+}
+
+variable "etcd_ca" {
+ description = "The PEM encoded CA for Ondat's etcd"
+ type = string
+ default = null
+}
+
+variable "etcd_cert" {
+ description = "The PEM encoded client certificate for Ondat's etcd"
+ type = string
+ default = null
+}
+
+variable "etcd_key" {
+ description = "The PEM encoded client key for Ondat's etcd"
+ type = string
+ default = null
+ sensitive = true
+}
+
+variable "admin_username" {
+ description = "Username for the Ondat admin user"
+ type = string
+ default = "storageos"
+}
+
+variable "admin_password" {
+ description = "Password for the Ondat admin user"
+ type = string
+ default = "storageos"
+ sensitive = true
+}
diff --git a/modules/kubernetes-addons/ondat/versions.tf b/modules/kubernetes-addons/ondat/versions.tf
new file mode 100644
index 0000000000..ec3c6c311a
--- /dev/null
+++ b/modules/kubernetes-addons/ondat/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.6.1"
+ }
+ }
+}
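Review bot: `admin_password` ships with `default = "storageos"` (and `admin_username` with the same value), so any consumer that does not override it gets a published, well-known credential on the Ondat API. Remove the default so Terraform refuses to plan without an explicit value, or at minimum add a `validation` block with `condition = var.admin_password != "storageos"` and `error_message = "Set a non-default Ondat admin password."`. `addon_context` is declared `type = any` while the module README documents a structured object; declaring that `object({...})` type rejects malformed contexts at plan time rather than deep inside the helm-addon call. On `etcd_key` and `admin_password`, `sensitive = true` only masks plan output, so a short comment such as `# sensitive masks CLI output only; the value is still stored in plaintext in state` would set correct expectations for operators.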