

feat(loki): first version of loki deployment
Smana committed Oct 21, 2023
1 parent 3377ba0 commit 67ba418
Showing 23 changed files with 210 additions and 46 deletions.
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -6,7 +6,7 @@ Based on [this repository](https://github.com/Smana/cilium-gateway-api)

## 🏗️ Crossplane configuration

## 🔑 Federated authentication using Pinniped
## 🛂 Federated authentication using Pinniped

## 🗒️ Audit logs with Loki and Vector

Expand All @@ -26,6 +26,8 @@ Anyway, I intentionnaly created a distinct directory that allows to provision th

## :closed_lock_with_key: Secrets management with Vault and external-secrets operator

## 🔑 Private PKI with Vault

## 🌐 Network policies with Cilium

## 🕵️ CI
25 changes: 24 additions & 1 deletion clusters/mycluster-0/infrastructure.yaml
Expand Up @@ -69,6 +69,29 @@ spec:
optional: true
dependsOn:
- name: crossplane-providers
# Deploy additional Crossplane custom resources
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: crossplane-custom-resources
namespace: flux-system
spec:
prune: true
interval: 2m0s
path: ./infrastructure/mycluster-0/crossplane/custom-resources
sourceRef:
kind: GitRepository
name: flux-system
postBuild:
substituteFrom:
- kind: ConfigMap
name: eks-mycluster-0-vars
- kind: Secret
name: eks-mycluster-0-vars
optional: true
dependsOn:
- name: crossplane-configuration
---
# The infrastructure components are deployed when Crossplane is available in order to creates irsa resources
apiVersion: kustomize.toolkit.fluxcd.io/v1
Expand All @@ -93,7 +116,7 @@ spec:
kind: GitRepository
name: flux-system
dependsOn:
- name: crossplane-configuration
- name: crossplane-custom-resources
---
# Gateways must be created after Kyverno's cluster policies are applied in order to add AWS annotations
apiVersion: kustomize.toolkit.fluxcd.io/v1
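Review bot: The new `crossplane-custom-resources` Kustomization is declared as `kustomize.toolkit.fluxcd.io/v1beta2` while the neighbouring Kustomizations in this file (visible in the second hunk and right after the new document) use `kustomize.toolkit.fluxcd.io/v1`; `apiVersion: kustomize.toolkit.fluxcd.io/v1` keeps the file on one API version and avoids relying on the deprecated beta. More importantly, nothing in the chain waits for the Bucket it deploys to actually exist: the infrastructure Kustomization now depends on `crossplane-custom-resources`, but that object has no `wait: true` and no `healthChecks`, so dependents proceed as soon as the manifests are applied, not when Crossplane reports the Bucket Ready and has written its connection secret. Adding `wait: true` to its spec (or a healthCheck on the Bucket, if the resource reports a kstatus-compatible Ready condition) would make the `dependsOn` ordering meaningful.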
3 changes: 3 additions & 0 deletions clusters/mycluster-0/observability.yaml
Expand Up @@ -20,6 +20,9 @@ spec:
- kind: Secret
name: eks-mycluster-0-vars
optional: true
# We need this s3 bucket that is used for Loki
- kind: Secret
name: ogenki-loki-s3
dependsOn:
- name: crds
healthChecks:
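Review bot: The `ogenki-loki-s3` Secret added to `substituteFrom` is looked up in the Kustomization's own namespace, but the Bucket manifest in this commit writes its connection secret to `namespace: observability` via `writeConnectionSecretToRef`; if this Kustomization lives in flux-system like the sibling `crossplane-custom-resources` one, substitution will fail with a missing-secret error until the two namespaces agree. Either point the Bucket's `writeConnectionSecretToRef.namespace` at the Kustomization's namespace, or mark the entry `optional: true` only if the Loki HelmRelease can tolerate an empty `${loki_s3_bucket_endpoint}` (it cannot, as written). The comment above it would also carry more information as `# Connection secret written by the Crossplane Bucket; expected to provide loki_s3_bucket_endpoint for the Loki HelmRelease`.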
2 changes: 1 addition & 1 deletion crds/base/gateway-api/source.yaml
Expand Up @@ -6,4 +6,4 @@ spec:
interval: 5m0s
url: https://github.com/kubernetes-sigs/gateway-api
ref:
tag: v0.8.0
tag: v0.8.1
@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: crossplane-system

resources:
- loki-s3-bucket.yaml
@@ -0,0 +1,17 @@
apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
name: loki
annotations:
crossplane.io/external-name: ${region}-ogenki-loki
spec:
forProvider:
acl: private
locationConstraint: ${region}
versioningConfiguration:
status: Enabled
providerConfigRef:
name: aws-provider-config
writeConnectionSecretToRef:
name: ogenki-loki-s3
namespace: observability
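Review bot: The Bucket is declared with `apiVersion: s3.aws.crossplane.io/v1beta1`, which is the API group of the community crossplane-contrib provider-aws, while the provider this commit installs in infrastructure/base/crossplane/providers/provider-s3.yaml is `upbound/provider-aws-s3`, whose Bucket kind is served under `s3.aws.upbound.io/v1beta1` with a different `forProvider` schema (as far as I know `region` instead of `locationConstraint`, and versioning as a separate resource); unless the community provider is also installed somewhere not shown here, this manifest will be rejected at apply time. For a bucket that will hold audit logs, no public-access block, no server-side encryption and no `deletionPolicy` are set, so the defaults apply; with the parent Kustomization set to `prune: true`, removing this manifest would delete the bucket and its logs, which `deletionPolicy: Orphan` (the field used on the IRSA resource in this commit) would prevent. A header comment naming the consumer, e.g. `# Object storage for Loki chunks; bucket name must match the Resource ARNs in observability/base/loki/irsa.yaml`, would also help keep the three copies of `${region}-ogenki-loki` in sync.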
Expand Up @@ -4,3 +4,4 @@ kind: Kustomization
resources:
- controller-config.yaml
- provider-iam.yaml
- provider-s3.yaml
2 changes: 1 addition & 1 deletion infrastructure/base/crossplane/providers/provider-iam.yaml
Expand Up @@ -3,6 +3,6 @@ kind: Provider
metadata:
name: provider-aws-iam
spec:
package: xpkg.upbound.io/upbound/provider-aws-iam:v0.38.0
package: xpkg.upbound.io/upbound/provider-aws-iam:v0.42.0
controllerConfigRef:
name: aws-config
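--- a/infrastructure/base/crossplane/providers/provider-s3.yaml
+++ b/infrastructure/base/crossplane/providers/provider-s3.yaml
@@ -0,0 +1,8 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+name: provider-aws-s3
+spec:
+package: xpkg.upbound.io/upbound/provider-aws-s3:v0.42.0
+controllerConfigRef:
+name: aws-config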
1 change: 1 addition & 0 deletions infrastructure/mycluster-0/kustomization.yaml
Expand Up @@ -3,4 +3,5 @@ kind: Kustomization

resources:
- ../base/aws-load-balancer-controller
- ../base/crossplane/custom-resources
- ../base/external-dns
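--- a/observability/base/loki/helmrelease.yaml
+++ b/observability/base/loki/helmrelease.yaml
@@ -0,0 +1,34 @@
+# Based on https://grafana.com/docs/loki/latest/setup/install/helm/install-scalable/
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+name: loki
+spec:
+releaseName: loki
+chart:
+spec:
+chart: loki
+sourceRef:
+kind: HelmRepository
+name: grafana
+namespace: flux-system
+version: "5.35.0"
+interval: 10m0s
+timeout: 10m
+install:
+remediation:
+retries: 3
+upgrade:
+crds: CreateReplace
+values:
+fullNameOverride: loki
+loki:
+serviceAnnotations:
+eks.amazonaws.com/role-arn: "arn:aws:iam::${aws_account_id}:role/xplane-loki-${cluster_name}"
+storage:
+type: s3
+s3:
+endpoint: ${loki_s3_bucket_endpoint}
+region: ${region}
+s3ForcePathStyle: false
+insecure: false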
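Review bot: The IRSA role ARN is placed under `loki.serviceAnnotations`, i.e. on the Loki Service, but EKS IRSA reads `eks.amazonaws.com/role-arn` from the ServiceAccount, so the pods will not assume the role unless something else (for instance the IRSA composition) annotates the SA; the chart's `serviceAccount.annotations` is where this belongs. Two other value keys look off and are worth checking against chart 5.35.0: Helm charts, Loki's included, use `fullnameOverride` (lower-case n), so `fullNameOverride` is silently ignored, and `loki.storage.bucketNames` (chunks/ruler/admin) is not set, so the chart's default bucket names rather than `${region}-ogenki-loki` would be used. Quoting the substituted scalars, `endpoint: "${loki_s3_bucket_endpoint}"` and `region: "${region}"`, also stops an empty substitution from being read as null.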
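--- a/observability/base/loki/httproute.yaml
+++ b/observability/base/loki/httproute.yaml
@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+name: loki
+spec:
+parentRefs:
+- name: platform
+namespace: infrastructure
+hostnames:
+- "loki-${cluster_name}.priv.${domain_name}"
+rules:
+- matches:
+- path:
+type: PathPrefix
+value: /
+backendRefs:
+- name: loki
+port: 80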
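Review bot: This route forwards every path of `loki-${cluster_name}.priv.${domain_name}` to the Loki service on port 80, and Loki itself does not authenticate requests, so anyone who can reach the `platform` gateway can both push and query logs unless the gateway enforces authentication in front of it; nothing in this file records that assumption. A short comment would help the next reader, e.g. `# Loki has no built-in auth: exposure relies on the platform gateway being reachable only from the private network (priv. hostname) and on network policies`. If the only clients are Vector (push) and Grafana (read), restricting the `matches` to those API paths, or keeping Loki cluster-internal and dropping the route, would reduce the surface.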
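--- a/observability/base/loki/irsa.yaml
+++ b/observability/base/loki/irsa.yaml
@@ -0,0 +1,38 @@
+apiVersion: aws.platformref.upbound.io/v1alpha1
+kind: IRSA
+metadata:
+name: xplane-loki-${cluster_name}
+spec:
+deletionPolicy: Delete
+parameters:
+condition: StringEquals
+policyDocument: |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "ReadPermissions",
+"Effect": "Allow",
+"Action": [
+"s3:GetObject",
+"s3:ListBucket"
+],
+"Resource": [
+"arn:aws:s3:::${region}-ogenki-loki",
+"arn:aws:s3:::${region}-ogenki-loki/*"
+]
+},
+{
+"Sid": "WritePermissions",
+"Effect": "Allow",
+"Action": [
+"s3:PutObject",
+"s3:DeleteObject"
+],
+"Resource": "arn:aws:s3:::${region}-ogenki-loki/*"
+}
+]
+}
+serviceAccount:
+name: loki
+namespace: observability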
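Review bot: The bucket name `${region}-ogenki-loki` appears three times in the inline policy and has to match the `crossplane.io/external-name` annotation on the Bucket manifest in this commit, but nothing ties the two files together; a header comment such as `# Resource ARNs must match crossplane.io/external-name of the loki Bucket in infrastructure/base/crossplane/custom-resources` would keep them from drifting silently. The split between bucket-level `s3:ListBucket` and object-level Get/Put/Delete is the right least-privilege shape; `s3:DeleteObject` is presumably there for retention/compaction and deserves a one-line why-comment so it is not removed later as "unneeded". The policy is a `|` block scalar, so Flux substitutes `${region}` before the JSON is parsed — fine, but an empty `region` would yield `arn:aws:s3:::-ogenki-loki` rather than an error.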
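--- a/observability/base/loki/kustomization.yaml
+++ b/observability/base/loki/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: observability
+
+resources:
+- helmrelease.yaml
+- httproute.yaml
+- irsa.yaml
+- source.yaml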
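--- a/observability/base/loki/source.yaml
+++ b/observability/base/loki/source.yaml
@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+name: grafana
+spec:
+interval: 30m
+url: https://grafana.github.io/helm-charts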
1 change: 1 addition & 0 deletions observability/mycluster-0/kustomization.yaml
Expand Up @@ -3,3 +3,4 @@ kind: Kustomization

resources:
- ../base/kube-prometheus-stack
- ../base/loki
2 changes: 1 addition & 1 deletion taskfile.yaml
@@ -1,6 +1,6 @@
env:
DOCKER_IMG: "ghcr.io/antonbabenko/pre-commit-terraform"
DOCKER_TAG: "v1.79.1"
DOCKER_TAG: "v1.83.5"
REPO_NAME: "action-terraform-ci"

version: "3"
24 changes: 24 additions & 0 deletions terraform/eks/helm.tf
Expand Up @@ -24,3 +24,27 @@ resource "helm_release" "cilium" {
kubernetes_job.delete_aws_cni_ds
]
}

resource "helm_release" "karpenter" {
namespace = "karpenter"
create_namespace = true

name = "karpenter"
repository = "oci://public.ecr.aws/karpenter"
chart = "karpenter"
version = "v0.31.1"

values = [
templatefile(
"${path.module}/helm_values/karpenter.yaml",
{
cluster_name = module.eks.cluster_name,
cluster_endpoint = module.eks.cluster_endpoint,
irsa_arn = module.karpenter.irsa_arn
instance_profile_name = module.karpenter.instance_profile_name
queue_name = module.karpenter.queue_name
})
]

depends_on = [helm_release.cilium]
}
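Review bot: The object passed to `templatefile` mixes separators: the `cluster_name` and `cluster_endpoint` entries end with commas while `irsa_arn`, `instance_profile_name` and `queue_name` rely on newlines; HCL accepts both, but `terraform fmt` will not normalise it, so either drop all the commas or keep them on every line. The chart version is hard-coded as `version = "v0.31.1"` while the Cilium and Gateway API versions in this module are variables (see variables.tf in this commit); a `karpenter_version` variable would keep version bumps in one place. The resource is otherwise the `helm_release.karpenter` removed from karpenter.tf, so a one-line comment explaining why it moved (values now rendered from helm_values/karpenter.yaml) would help anyone reading `git blame`.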
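--- a/terraform/eks/helm_values/karpenter.yaml
+++ b/terraform/eks/helm_values/karpenter.yaml
@@ -0,0 +1,9 @@
+settings:
+aws:
+clusterName: ${cluster_name}
+clusterEndpoint: ${cluster_endpoint}
+defaultInstanceProfile: ${instance_profile_name}
+interruptionQueueName: ${queue_name}
+serviceAccount:
+annotations:
+"eks.amazonaws.com/role-arn": ${irsa_arn}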
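Review bot: The `templatefile` substitutions are left as plain scalars, so after rendering `clusterEndpoint: ${cluster_endpoint}` and `"eks.amazonaws.com/role-arn": ${irsa_arn}` are parsed as unquoted YAML; an `https://` URL and an ARN are safe today, but quoting them (`clusterEndpoint: "${cluster_endpoint}"`, `"eks.amazonaws.com/role-arn": "${irsa_arn}"`, and likewise the three other values) protects against an empty value becoming null or a future value containing `: ` or ` #` breaking the document. The indentation of this file is not visible in this rendering, so I cannot confirm that `settings.aws.*` and `serviceAccount.annotations` nest exactly as the removed `set` blocks in karpenter.tf implied; worth a `terraform plan` diff check that the rendered values are unchanged.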
37 changes: 0 additions & 37 deletions terraform/eks/karpenter.tf
Expand Up @@ -12,43 +12,6 @@ module "karpenter" {
tags = var.tags
}

resource "helm_release" "karpenter" {
namespace = "karpenter"
create_namespace = true

name = "karpenter"
repository = "oci://public.ecr.aws/karpenter"
chart = "karpenter"
version = "v0.31.0"

set {
name = "settings.aws.clusterName"
value = module.eks.cluster_name
}

set {
name = "settings.aws.clusterEndpoint"
value = module.eks.cluster_endpoint
}

set {
name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
value = module.karpenter.irsa_arn
}

set {
name = "settings.aws.defaultInstanceProfile"
value = module.karpenter.instance_profile_name
}

set {
name = "settings.aws.interruptionQueueName"
value = module.karpenter.queue_name
}

depends_on = [helm_release.cilium]
}

resource "kubectl_manifest" "karpenter_provisioner" {
yaml_body = <<-YAML
apiVersion: karpenter.sh/v1alpha5
4 changes: 2 additions & 2 deletions terraform/eks/variables.tf
Expand Up @@ -23,13 +23,13 @@ variable "cluster_version" {

variable "cilium_version" {
description = "Cilium cluster version"
default = "1.14.2"
default = "1.14.3"
type = string
}

variable "gateway_api_version" {
description = "Gateway API CRDs version"
default = "v0.8.0"
default = "v0.8.1"
type = string
}

2 changes: 1 addition & 1 deletion terraform/eks/versions.tf
Expand Up @@ -20,7 +20,7 @@ terraform {
}
flux = {
source = "fluxcd/flux"
version = "1.1.1"
version = "1.1.2"
}
helm = {
source = "hashicorp/helm"
2 changes: 1 addition & 1 deletion terraform/network/tailscale.tf
Expand Up @@ -24,7 +24,7 @@ resource "tailscale_acl" "this" {
// Allow the subnet router to advertise the VPC CIDR.
autoApprovers = {
routes = {
"${module.vpc.vpc_cidr_block}" = [var.tailscale.tailnet]
"${module.vpc.vpc_cidr_block}"" = [var.tailscale.tailnet]
}
}

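Review bot: One of the two changed lines carries a doubled closing quote, `"${module.vpc.vpc_cidr_block}"" = [var.tailscale.tailnet]`; if that is the new side of this hunk it is an HCL parse error (an empty string literal immediately after the key), and the intended line is `"${module.vpc.vpc_cidr_block}" = [var.tailscale.tailnet]`. The rendering drops the +/- markers, so I cannot tell which of the two lines is the addition; since a parse error here breaks the whole network module, it is worth confirming with `terraform validate` before merge. The enclosing `tailscale_acl.this` resource starts and ends outside the hunk.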

