We help companies build, run, deploy and scale software and infrastructure by embracing the right technologies and principles. Check out our website at https://lablabs.io/
A terraform module to deploy the Karpenter on Amazon EKS cluster.
Check out other terraform kubernetes addons.
Deploy Helm chart via Helm resource (default method, set enabled = true
)
Deploy Helm chart as ArgoCD Application via Kubernetes manifest resource (set enabled = true
and argo_enabled = true
)
Warning
When deploying with ArgoCD application, Kubernetes terraform provider requires access to Kubernetes cluster API during plan time. This introduces potential issue when you want to deploy the cluster with this addon at the same time, during the same Terraform run.
To overcome this issue, the module deploys the ArgoCD application object using the Helm provider, which does not require API access during plan. If you want to deploy the application using this workaround, you can set the
argo_helm_enabled
variable totrue
.
Deploy Helm chart as ArgoCD Application via Helm resource (set enabled = true
, argo_enabled = true
and argo_helm_enabled = true
)
To disable of creation IRSA role and IRSA policy, set irsa_role_create = false
and irsa_policy_enabled = false
, respectively
To assume role set irsa_assume_role_enabled = true
and specify irsa_assume_role_arn
variable
In variable helm_repo_oci
you can switch between OCI and non-OCI repositories types. Due to non standardized input of repository format between argocd and helm you must use correct url format for each type.
For helm_repo_oci=true
in variable helm_repo_url
use format without protocol prefix public.ecr.aws
. If you put there https
prefix it will be stripped automatically as fails safe mechanism .
For helm_repo_oci=false
in variable helm_repo_url
use format including protocol prefix like https://chartmuseum.example.com
To test whether karpenter integration with SQS is working properly you can send Spot interruption Warning message to SQS queue. For more information about correct time format etc. check the documentation linked below.
{
"version": "0",
"id": "12345678-1234-1234-1234-123456789012",
"detail-type": "EC2 Spot Instance Interruption Warning",
"source": "aws.ec2",
"account": "123456789012",
"time": "2023-03-26T22:22:33+02:00",
"region": "eu-central-1",
"resources": ["arn:aws:ec2:eu-central-1:123456789012:instance/i-00c05af08b38bb912"],
"detail": {
"instance-id": "i-00c05af08b38bb912",
"instance-action": "action"
}
}
See Basic example for further information.
Name | Version |
---|---|
terraform | >= 1.1 |
aws | >= 4.19.0 |
helm | >= 2.6.0 |
kubernetes | >= 2.20.0 |
time | >= 0.9.0 |
utils | >= 0.17.0 |
No modules.
Name | Description | Type | Default | Required |
---|---|---|---|---|
cluster_identity_oidc_issuer | The OIDC Identity issuer for the cluster | string |
n/a | yes |
cluster_identity_oidc_issuer_arn | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account | string |
n/a | yes |
cluster_name | EKS Cluster ID for the cluster that can be used to join cluster node pool | string |
n/a | yes |
argo_apiversion | ArgoCD Appliction apiVersion | string |
"argoproj.io/v1alpha1" |
no |
argo_destination_server | Destination server for ArgoCD Application | string |
"https://kubernetes.default.svc" |
no |
argo_enabled | If set to true, the module will be deployed as ArgoCD application, otherwise it will be deployed as a Helm release | bool |
false |
no |
argo_helm_enabled | If set to true, the ArgoCD Application manifest will be deployed using Kubernetes provider as a Helm release. Otherwise it'll be deployed as a Kubernetes manifest. See Readme for more info | bool |
false |
no |
argo_helm_values | Value overrides to use when deploying argo application object with helm | string |
"" |
no |
argo_helm_wait_backoff_limit | Backoff limit for ArgoCD Application Helm release wait job | number |
6 |
no |
argo_helm_wait_node_selector | Node selector for ArgoCD Application Helm release wait job | map(string) |
{} |
no |
argo_helm_wait_timeout | Timeout for ArgoCD Application Helm release wait job | string |
"10m" |
no |
argo_helm_wait_tolerations | Tolerations for ArgoCD Application Helm release wait job | list(any) |
[] |
no |
argo_info | ArgoCD info manifest parameter | list(object({ |
[ |
no |
argo_kubernetes_manifest_computed_fields | List of paths of fields to be handled as "computed". The user-configured value for the field will be overridden by any different value returned by the API after apply. | list(string) |
[ |
no |
argo_kubernetes_manifest_field_manager_force_conflicts | Forcibly override any field manager conflicts when applying the kubernetes manifest resource | bool |
false |
no |
argo_kubernetes_manifest_field_manager_name | The name of the field manager to use when applying the kubernetes manifest resource. Defaults to Terraform | string |
"Terraform" |
no |
argo_kubernetes_manifest_wait_fields | A map of fields and a corresponding regular expression with a pattern to wait for. The provider will wait until the field matches the regular expression. Use * for any value. | map(string) |
{} |
no |
argo_metadata | ArgoCD Application metadata configuration. Override or create additional metadata parameters | any |
{ |
no |
argo_namespace | Namespace to deploy ArgoCD application CRD to | string |
"argo" |
no |
argo_project | ArgoCD Application project | string |
"default" |
no |
argo_spec | ArgoCD Application spec configuration. Override or create additional spec parameters | any |
{} |
no |
argo_sync_policy | ArgoCD syncPolicy manifest parameter | any |
{} |
no |
aws_partition | AWS partition in which the resources are located. Avaliable values are aws , aws-cn , aws-us-gov |
string |
"aws" |
no |
crds_argo_helm_values | Value overrides to use when deploying argo application object with helm | string |
"" |
no |
crds_argo_kubernetes_manifest_computed_fields | List of paths of fields to be handled as "computed". The user-configured value for the field will be overridden by any different value returned by the API after apply. | list(string) |
[ |
no |
crds_argo_kubernetes_manifest_field_manager_force_conflicts | Forcibly override any field manager conflicts when applying the kubernetes manifest resource | bool |
false |
no |
crds_argo_kubernetes_manifest_field_manager_name | The name of the field manager to use when applying the kubernetes manifest resource. Defaults to Terraform | string |
"Terraform" |
no |
crds_argo_kubernetes_manifest_wait_fields | A map of fields and a corresponding regular expression with a pattern to wait for. The provider will wait until the field matches the regular expression. Use * for any value. | map(string) |
{} |
no |
crds_argo_metadata | ArgoCD Application metadata configuration. Override or create additional metadata parameters | any |
{ |
no |
crds_argo_spec | ArgoCD Application spec configuration. Override or create additional spec parameters | any |
{} |
no |
crds_argo_sync_policy | ArgoCD syncPolicy manifest parameter | any |
{} |
no |
crds_helm_atomic | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used | bool |
false |
no |
crds_helm_chart_name | Helm chart name to be installed | string |
"karpenter-crd" |
no |
crds_helm_chart_version | Version of the Helm chart | string |
"1.0.8" |
no |
crds_helm_cleanup_on_fail | Allow deletion of new resources created in this helm upgrade when upgrade fails | bool |
false |
no |
crds_helm_dependency_update | Runs helm dependency update before installing the chart | bool |
false |
no |
crds_helm_description | Set helm release description attribute (visible in the history) | string |
"" |
no |
crds_helm_devel | Use helm chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored | bool |
false |
no |
crds_helm_disable_openapi_validation | If set, the installation process will not validate rendered helm templates against the Kubernetes OpenAPI Schema | bool |
false |
no |
crds_helm_disable_webhooks | Prevent helm chart hooks from running | bool |
false |
no |
crds_helm_force_update | Force helm resource update through delete/recreate if needed | bool |
false |
no |
crds_helm_keyring | Location of public keys used for verification. Used only if helm_package_verify is true | string |
"~/.gnupg/pubring.gpg" |
no |
crds_helm_lint | Run the helm chart linter during the plan | bool |
false |
no |
crds_helm_package_verify | Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart | bool |
false |
no |
crds_helm_postrender | Value block with a path to a binary file to run after helm renders the manifest which can alter the manifest contents | map(any) |
{} |
no |
crds_helm_recreate_pods | Perform pods restart during helm upgrade/rollback | bool |
false |
no |
crds_helm_release_max_history | Maximum number of release versions stored per release | number |
0 |
no |
crds_helm_release_name | Helm release name | string |
"karpenter-crds" |
no |
crds_helm_render_subchart_notes | If set, render helm subchart notes along with the parent | bool |
true |
no |
crds_helm_replace | Re-use the given name of helm release, only if that name is a deleted release which remains in the history. This is unsafe in production | bool |
false |
no |
crds_helm_reset_values | When upgrading, reset the values to the ones built into the helm chart | bool |
false |
no |
crds_helm_reuse_values | When upgrading, reuse the last helm release's values and merge in any overrides. If 'helm_reset_values' is specified, this is ignored | bool |
false |
no |
crds_helm_set_sensitive | Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff | map(any) |
{} |
no |
crds_helm_timeout | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks) | number |
300 |
no |
crds_helm_wait | Will wait until all helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout | bool |
true |
no |
crds_helm_wait_for_jobs | If wait is enabled, will wait until all helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout | bool |
false |
no |
crds_settings | Additional helm sets which will be passed to the Helm chart values, see https://github.com/aws/karpenter/tree/main/charts/karpenter-crd | map(any) |
{} |
no |
crds_values | Additional yaml encoded values which will be passed to the Helm chart, see https://github.com/aws/karpenter/tree/main/charts/karpenter-crd | string |
"" |
no |
enabled | Variable indicating whether deployment is enabled | bool |
true |
no |
helm_atomic | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used | bool |
false |
no |
helm_chart_name | Helm chart name to be installed | string |
"karpenter" |
no |
helm_chart_version | Version of the Helm chart | string |
"1.0.8" |
no |
helm_cleanup_on_fail | Allow deletion of new resources created in this helm upgrade when upgrade fails | bool |
false |
no |
helm_create_namespace | Create the namespace if it does not yet exist | bool |
true |
no |
helm_dependency_update | Runs helm dependency update before installing the chart | bool |
false |
no |
helm_description | Set helm release description attribute (visible in the history) | string |
"" |
no |
helm_devel | Use helm chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored | bool |
false |
no |
helm_disable_openapi_validation | If set, the installation process will not validate rendered helm templates against the Kubernetes OpenAPI Schema | bool |
false |
no |
helm_disable_webhooks | Prevent helm chart hooks from running | bool |
false |
no |
helm_force_update | Force helm resource update through delete/recreate if needed | bool |
false |
no |
helm_keyring | Location of public keys used for verification. Used only if helm_package_verify is true | string |
"~/.gnupg/pubring.gpg" |
no |
helm_lint | Run the helm chart linter during the plan | bool |
false |
no |
helm_package_verify | Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart | bool |
false |
no |
helm_postrender | Value block with a path to a binary file to run after helm renders the manifest which can alter the manifest contents | map(any) |
{} |
no |
helm_recreate_pods | Perform pods restart during helm upgrade/rollback | bool |
false |
no |
helm_release_max_history | Maximum number of release versions stored per release | number |
0 |
no |
helm_release_name | Helm release name | string |
"karpenter" |
no |
helm_render_subchart_notes | If set, render helm subchart notes along with the parent | bool |
true |
no |
helm_replace | Re-use the given name of helm release, only if that name is a deleted release which remains in the history. This is unsafe in production | bool |
false |
no |
helm_repo_ca_file | Helm repositories cert file | string |
"" |
no |
helm_repo_cert_file | Helm repositories cert file | string |
"" |
no |
helm_repo_key_file | Helm repositories cert key file | string |
"" |
no |
helm_repo_oci | Whether repo is OCI compatible | bool |
true |
no |
helm_repo_password | Password for HTTP basic authentication against the helm repository | string |
"" |
no |
helm_repo_url | Helm repository | string |
"public.ecr.aws" |
no |
helm_repo_username | Username for HTTP basic authentication against the helm repository | string |
"" |
no |
helm_reset_values | When upgrading, reset the values to the ones built into the helm chart | bool |
false |
no |
helm_reuse_values | When upgrading, reuse the last helm release's values and merge in any overrides. If 'helm_reset_values' is specified, this is ignored | bool |
false |
no |
helm_set_sensitive | Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff | map(any) |
{} |
no |
helm_skip_crds | If set, no CRDs will be installed before helm release | bool |
false |
no |
helm_timeout | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks) | number |
300 |
no |
helm_wait | Will wait until all helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout | bool |
false |
no |
helm_wait_for_jobs | If wait is enabled, will wait until all helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout | bool |
false |
no |
irsa_additional_policies | Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy arn. | map(string) |
{} |
no |
irsa_assume_role_arn | Assume role arn. Assume role must be enabled. | string |
"" |
no |
irsa_assume_role_enabled | Whether IRSA is allowed to assume role defined by irsa_assume_role_arn. | bool |
false |
no |
irsa_policy_enabled | Whether to create opinionated policy to allow operations on specified zones in policy_allowed_zone_ids . |
bool |
true |
no |
irsa_role_create | Whether to create IRSA role and annotate service account | bool |
true |
no |
irsa_role_name_prefix | The IRSA role name prefix for karpenter | string |
"karpenter-irsa" |
no |
irsa_tags | IRSA resources tags | map(string) |
{} |
no |
karpenter_node_role_arns | List of roles arns which can be passed from karpenter service to newly created nodes | list(any) |
[ |
no |
namespace | The K8s namespace in which the karpenter service account has been created | string |
"karpenter" |
no |
queue_interruption_prefix | Custom prefix for karpenter spot interruption queue | string |
"interruption-queue" |
no |
rbac_create | Whether to create and use RBAC resources | bool |
true |
no |
rule_interruption_prefix | Prefix used for all event bridge rules | string |
"Karpenter" |
no |
service_account_create | Whether to create Service Account | bool |
true |
no |
service_account_name | The k8s <$addon-name> service account name | string |
"karpenter" |
no |
settings | Additional helm sets which will be passed to the Helm chart values, see https://artifacthub.io/packages/helm/karpenter/karpenter | map(any) |
{} |
no |
values | Additional yaml encoded values which will be passed to the Helm chart, see https://artifacthub.io/packages/helm/karpenter/karpenter | string |
"" |
no |
Name | Description |
---|---|
helm_release_application_metadata | Argo application helm release attributes |
helm_release_metadata | Helm release attributes |
iam_irsa_role_attributes | Karpenter IAM role attributes |
kubernetes_application_attributes | Argo kubernetes manifest attributes |
Feel free to create an issue in this repository if you have questions, suggestions or feature requests.
We want to provide high quality code and modules. For this reason we are using several pre-commit hooks and GitHub Actions workflows. A pull-request to the main branch will trigger these validations and lints automatically. Please check your code before you will create pull-requests. See pre-commit documentation and GitHub Actions documentation for further details.
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.