diff --git a/README.md b/README.md
index eb23338c..bbb403c4 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ Based on [this repository](https://github.com/Smana/cilium-gateway-api)
 ## 🏗️ Crossplane configuration
-## 🔑 Federated authentication using Pinniped
+## 🛂 Federated authentication using Pinniped
 ## 🗒️ Audit logs with Loki and Vector
@@ -26,6 +26,8 @@ Anyway, I intentionnaly created a distinct directory that allows to provision th
 ## :closed_lock_with_key: Secrets management with Vault and external-secrets operator
+## 🔑 Private PKI with Vault
+
 ## 🌐 Network policies with Cilium
 ## 🕵️ CI
diff --git a/clusters/mycluster-0/infrastructure.yaml b/clusters/mycluster-0/infrastructure.yaml
index 831f0421..ff170609 100644
--- a/clusters/mycluster-0/infrastructure.yaml
+++ b/clusters/mycluster-0/infrastructure.yaml
@@ -69,6 +69,29 @@ spec:
 optional: true
 dependsOn:
 - name: crossplane-providers
+# Deploy additional Crossplane custom resources
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: crossplane-custom-resources
+ namespace: flux-system
+spec:
+ prune: true
+ interval: 2m0s
+ path: ./infrastructure/mycluster-0/crossplane/custom-resources
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: eks-mycluster-0-vars
+ - kind: Secret
+ name: eks-mycluster-0-vars
+ optional: true
+ dependsOn:
+ - name: crossplane-configuration
 ---
 # The infrastructure components are deployed when Crossplane is available in order to creates irsa resources
 apiVersion: kustomize.toolkit.fluxcd.io/v1
@@ -93,7 +116,7 @@ spec:
 kind: GitRepository
 name: flux-system
 dependsOn:
- - name: crossplane-configuration
+ - name: crossplane-custom-resources
 ---
 # Gateways must be created after Kyverno's cluster policies are applied in order to add AWS annotations
 apiVersion: kustomize.toolkit.fluxcd.io/v1
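Review bot: The new `crossplane-custom-resources` Kustomization reconciles `./infrastructure/mycluster-0/crossplane/custom-resources`, but the only place this commit wires the base in is `infrastructure/mycluster-0/kustomization.yaml` (`- ../base/crossplane/custom-resources`), so unless that sub-directory already exists outside this diff the Kustomization fails on a missing path, and if it does exist the Bucket is reconciled twice, once here and once through the `infrastructure` Kustomization that now depends on this one. Keep one of the two inclusions; the dedicated Kustomization is the one that carries the ordering, so the overlay entry is the likelier one to drop. The same object is declared as `apiVersion: kustomize.toolkit.fluxcd.io/v1beta2` while the neighbouring documents in this file use the `v1` API; `v1beta2` is deprecated, so align it: `apiVersion: kustomize.toolkit.fluxcd.io/v1`.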
diff --git a/clusters/mycluster-0/observability.yaml b/clusters/mycluster-0/observability.yaml
index 97db111d..755ad36e 100644
--- a/clusters/mycluster-0/observability.yaml
+++ b/clusters/mycluster-0/observability.yaml
@@ -20,6 +20,9 @@ spec:
 - kind: Secret
 name: eks-mycluster-0-vars
 optional: true
+ # We need this s3 bucket that is used for Loki
+ - kind: Secret
+ name: ogenki-loki-s3
 dependsOn:
 - name: crds
 healthChecks:
diff --git a/crds/base/gateway-api/source.yaml b/crds/base/gateway-api/source.yaml
index a0821537..53732960 100644
--- a/crds/base/gateway-api/source.yaml
+++ b/crds/base/gateway-api/source.yaml
@@ -6,4 +6,4 @@ spec:
 interval: 5m0s
 url: https://github.com/kubernetes-sigs/gateway-api
 ref:
- tag: v0.8.0
+ tag: v0.8.1
diff --git a/infrastructure/base/crossplane/custom-resources/kustomization.yaml b/infrastructure/base/crossplane/custom-resources/kustomization.yaml
new file mode 100644
index 00000000..8eeccede
--- /dev/null
+++ b/infrastructure/base/crossplane/custom-resources/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: crossplane-system
+
+resources:
+ - loki-s3-bucket.yaml
diff --git a/infrastructure/base/crossplane/custom-resources/loki-s3-bucket.yaml b/infrastructure/base/crossplane/custom-resources/loki-s3-bucket.yaml
new file mode 100644
index 00000000..6f314294
--- /dev/null
+++ b/infrastructure/base/crossplane/custom-resources/loki-s3-bucket.yaml
@@ -0,0 +1,17 @@
+apiVersion: s3.aws.crossplane.io/v1beta1
+kind: Bucket
+metadata:
+ name: loki
+ annotations:
+ crossplane.io/external-name: ${region}-ogenki-loki
+spec:
+ forProvider:
+ acl: private
+ locationConstraint: ${region}
+ versioningConfiguration:
+ status: Enabled
+ providerConfigRef:
+ name: aws-provider-config
+ writeConnectionSecretToRef:
+ name: ogenki-loki-s3
+ namespace: observability
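Review bot: The added `ogenki-loki-s3` entry under `substituteFrom` is not marked `optional: true` and the Kustomization still depends only on `crds`, so it cannot reconcile until Crossplane has written the bucket's connection secret into `observability`, and nothing in the dependency chain orders that before this object. Either add `optional: true` to the new entry (and accept an unresolved `${loki_s3_bucket_endpoint}` on the first pass) or add `- name: infrastructure` (or the Kustomization that owns the Bucket) under `dependsOn`. The variable name used in the Loki HelmRelease must match a key of that connection secret, which is not visible in this diff — worth confirming against what the provider actually writes.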
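Review bot: The Bucket is declared as `s3.aws.crossplane.io/v1beta1`, the API group of the community provider-aws, while the provider this commit installs in `provider-s3.yaml` is `xpkg.upbound.io/upbound/provider-aws-s3`, whose managed resources live under `s3.aws.upbound.io`; unless the community provider is also installed outside this diff, the CRD for this kind will not exist and the Kustomization fails. For a bucket that will hold log data, `acl: private` alone is thin: add server-side encryption and a public-access block (in the Upbound provider these are the separate `BucketServerSideEncryptionConfiguration` and `BucketPublicAccessBlock` resources; in the community provider they are `forProvider` fields). Finally, decide explicitly what should happen when `prune: true` on the parent Kustomization removes this object — the managed-resource default deletes the bucket, so `spec.deletionPolicy: Orphan` is the safer choice for logs.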
diff --git a/infrastructure/base/crossplane/providers/kustomization.yaml b/infrastructure/base/crossplane/providers/kustomization.yaml
index b2c60f0f..c6171708 100644
--- a/infrastructure/base/crossplane/providers/kustomization.yaml
+++ b/infrastructure/base/crossplane/providers/kustomization.yaml
@@ -4,3 +4,4 @@ kind: Kustomization
 resources:
 - controller-config.yaml
 - provider-iam.yaml
+ - provider-s3.yaml
diff --git a/infrastructure/base/crossplane/providers/provider-iam.yaml b/infrastructure/base/crossplane/providers/provider-iam.yaml
index 67d9ac2c..5b3bae1e 100644
--- a/infrastructure/base/crossplane/providers/provider-iam.yaml
+++ b/infrastructure/base/crossplane/providers/provider-iam.yaml
@@ -3,6 +3,6 @@ kind: Provider
 metadata:
 name: provider-aws-iam
 spec:
- package: xpkg.upbound.io/upbound/provider-aws-iam:v0.38.0
+ package: xpkg.upbound.io/upbound/provider-aws-iam:v0.42.0
 controllerConfigRef:
 name: aws-config
diff --git a/infrastructure/base/crossplane/providers/provider-s3.yaml b/infrastructure/base/crossplane/providers/provider-s3.yaml
new file mode 100644
index 00000000..7ed3fab5
--- /dev/null
+++ b/infrastructure/base/crossplane/providers/provider-s3.yaml
@@ -0,0 +1,8 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: provider-aws-iam
+spec:
+ package: xpkg.upbound.io/upbound/provider-aws-s3:v0.42.0
+ controllerConfigRef:
+ name: aws-config
diff --git a/infrastructure/mycluster-0/kustomization.yaml b/infrastructure/mycluster-0/kustomization.yaml
index b0b9b43d..442ffb2a 100644
--- a/infrastructure/mycluster-0/kustomization.yaml
+++ b/infrastructure/mycluster-0/kustomization.yaml
@@ -3,4 +3,5 @@ kind: Kustomization
 resources:
 - ../base/aws-load-balancer-controller
+ - ../base/crossplane/custom-resources
 - ../base/external-dns
diff --git a/observability/base/loki/helmrelease.yaml b/observability/base/loki/helmrelease.yaml
new file mode 100644
index 00000000..0f09e414
--- /dev/null
+++ b/observability/base/loki/helmrelease.yaml
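Review bot: `metadata.name` of the new Provider in `provider-s3.yaml` is `provider-aws-iam`, the same name the existing IAM Provider in `provider-iam.yaml` carries; both are listed in the same `kustomization.yaml`, so kustomize rejects the build for a duplicate resource id, and if the two objects were ever applied separately the second would overwrite the IAM provider's `package` with the S3 one. Rename it to match the file and package: `name: provider-aws-s3`.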
@@ -0,0 +1,34 @@
+# Based on https://grafana.com/docs/loki/latest/setup/install/helm/install-scalable/
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: loki
+spec:
+ releaseName: loki
+ chart:
+ spec:
+ chart: loki
+ sourceRef:
+ kind: HelmRepository
+ name: grafana
+ namespace: flux-system
+ version: "5.35.0"
+ interval: 10m0s
+ timeout: 10m
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ crds: CreateReplace
+ values:
+ fullNameOverride: loki
+ loki:
+ serviceAnnotations:
+ eks.amazonaws.com/role-arn: "arn:aws:iam::${aws_account_id}:role/xplane-loki-${cluster_name}"
+ storage:
+ type: s3
+ s3:
+ endpoint: ${loki_s3_bucket_endpoint}
+ region: ${region}
+ s3ForcePathStyle: false
+ insecure: false
diff --git a/observability/base/loki/httproute.yaml b/observability/base/loki/httproute.yaml
new file mode 100644
index 00000000..4a79cd5f
--- /dev/null
+++ b/observability/base/loki/httproute.yaml
@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: loki
+spec:
+ parentRefs:
+ - name: platform
+ namespace: infrastructure
+ hostnames:
+ - "loki-${cluster_name}.priv.${domain_name}"
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: loki
+ port: 80
diff --git a/observability/base/loki/irsa.yaml b/observability/base/loki/irsa.yaml
new file mode 100644
index 00000000..6bc59cc7
--- /dev/null
+++ b/observability/base/loki/irsa.yaml
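Review bot: The IRSA role is attached through `loki.serviceAnnotations`, which annotates Kubernetes Services, whereas IRSA is bound to the pod's ServiceAccount token, so Loki will not receive the role and S3 access will fail; the annotation belongs under `serviceAccount.annotations` in the chart values — confirm the exact key against the chart's values.yaml for `5.35.0`. `fullNameOverride` is also not a key Helm charts read (the convention, followed by grafana/loki, is `fullnameOverride`), so that override is silently ignored; write `fullnameOverride: loki`. While here, quote the substituted scalars, `endpoint: "${loki_s3_bucket_endpoint}"` and `region: "${region}"`, so an unexpected expansion is still parsed as a string.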
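Review bot: The route forwards the whole `/` prefix to Loki, which covers the push API as well as the query API, and Loki performs no authentication of its own; the `.priv.` hostname suggests an internal listener, but any client that can reach the `platform` gateway can then both write to and read from the log store. Narrow the match to what external clients actually need (for example `type: PathPrefix` with `value: /loki/api/v1/query`) or attach an authenticating policy to the gateway for this route. The `backendRefs` target, a Service named `loki` on port 80, cannot be checked from this diff — in the scalable chart the HTTP entry point is normally the gateway Service, so verify the name and port exist before merging.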
@@ -0,0 +1,37 @@
+apiVersion: aws.platformref.upbound.io/v1alpha1
+kind: IRSA
+metadata:
+ name: xplane-loki-${cluster_name}
+spec:
+ deletionPolicy: Delete
+ parameters:
+ condition: StringEquals
+ policyDocument: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:ChangeResourceRecordSets"
+ ],
+ "Resource": [
+ "arn:aws:route53:::hostedzone/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:ListHostedZones",
+ "route53:ListResourceRecordSets"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+ }
+
+ serviceAccount:
+ name: loki
+ namespace: observability
diff --git a/observability/base/loki/kustomization.yaml b/observability/base/loki/kustomization.yaml
new file mode 100644
index 00000000..178f35a2
--- /dev/null
+++ b/observability/base/loki/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: observability
+
+resources:
+ - helmrelease.yaml
+ - httproute.yaml
+ - irsa.yaml
+ - source.yaml
diff --git a/observability/base/loki/source.yaml b/observability/base/loki/source.yaml
new file mode 100644
index 00000000..f4960b6e
--- /dev/null
+++ b/observability/base/loki/source.yaml
@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: grafana
+spec:
+ interval: 30m
+ url: https://grafana.github.io/helm-charts
diff --git a/observability/mycluster-0/kustomization.yaml b/observability/mycluster-0/kustomization.yaml
index 2159c2e5..c93916ff 100644
--- a/observability/mycluster-0/kustomization.yaml
+++ b/observability/mycluster-0/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - ../base/kube-prometheus-stack
+ - ../base/loki
diff --git a/taskfile.yaml b/taskfile.yaml
index 70d3f68e..a7e2c69e 100644
--- a/taskfile.yaml
+++ b/taskfile.yaml
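Review bot: The policy document attached to the Loki role grants `route53:ChangeResourceRecordSets` on every hosted zone plus Route53 list permissions and no S3 permission at all, so it looks copied from the external-dns IRSA; Loki cannot reach its bucket with it, while its ServiceAccount gains the ability to rewrite DNS records account-wide. Replace the two statements with the S3 actions Loki needs, scoped to the bucket declared in `loki-s3-bucket.yaml` (external name `${region}-ogenki-loki`), as below.
```yaml
    policyDocument: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:ListBucket"
            ],
            "Resource": [
              "arn:aws:s3:::${region}-ogenki-loki"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:PutObject",
              "s3:DeleteObject"
            ],
            "Resource": [
              "arn:aws:s3:::${region}-ogenki-loki/*"
            ]
          }
        ]
      }
    # … unchanged: serviceAccount …
```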
@@ -1,6 +1,6 @@
 env:
 DOCKER_IMG: "ghcr.io/antonbabenko/pre-commit-terraform"
- DOCKER_TAG: "v1.79.1"
+ DOCKER_TAG: "v1.83.5"
 REPO_NAME: "action-terraform-ci"
 version: "3"
diff --git a/terraform/eks/helm.tf b/terraform/eks/helm.tf
index fa6ff37b..40e0dd05 100644
--- a/terraform/eks/helm.tf
+++ b/terraform/eks/helm.tf
@@ -24,3 +24,27 @@ resource "helm_release" "cilium" {
 kubernetes_job.delete_aws_cni_ds
 ]
 }
+
+resource "helm_release" "karpenter" {
+ namespace = "karpenter"
+ create_namespace = true
+
+ name = "karpenter"
+ repository = "oci://public.ecr.aws/karpenter"
+ chart = "karpenter"
+ version = "v0.31.1"
+
+ values = [
+ templatefile(
+ "${path.module}/helm_values/karpenter.yaml",
+ {
+ cluster_name = module.eks.cluster_name,
+ cluster_endpoint = module.eks.cluster_endpoint,
+ irsa_arn = module.karpenter.irsa_arn
+ instance_profile_name = module.karpenter.instance_profile_name
+ queue_name = module.karpenter.queue_name
+ })
+ ]
+
+ depends_on = [helm_release.cilium]
+}
diff --git a/terraform/eks/helm_values/karpenter.yaml b/terraform/eks/helm_values/karpenter.yaml
new file mode 100644
index 00000000..e3119c29
--- /dev/null
+++ b/terraform/eks/helm_values/karpenter.yaml
@@ -0,0 +1,9 @@
+settings:
+ aws:
+ clusterName: ${cluster_name}
+ clusterEndpoint: ${cluster_endpoint}
+ defaultInstanceProfile: ${instance_profile_name}
+ interruptionQueueName: ${queue_name}
+serviceAccount:
+ annotations:
+ "eks.amazonaws.com/role-arn": ${irsa_arn}
diff --git a/terraform/eks/karpenter.tf b/terraform/eks/karpenter.tf
index 21b153b8..85d86a50 100644
--- a/terraform/eks/karpenter.tf
+++ b/terraform/eks/karpenter.tf
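Review bot: The templated scalars in `karpenter.yaml` are unquoted (`clusterEndpoint: ${cluster_endpoint}`, `"eks.amazonaws.com/role-arn": ${irsa_arn}`); `templatefile` produces plain text that Helm then parses as YAML, so an expansion that is empty or starts with a YAML-special character changes type or becomes null instead of failing loudly. Quote every substitution, e.g. `clusterEndpoint: "${cluster_endpoint}"` and `"eks.amazonaws.com/role-arn": "${irsa_arn}"`, which also matches the already-quoted key on that last line.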
@@ -12,43 +12,6 @@ module "karpenter" {
 tags = var.tags
 }
-resource "helm_release" "karpenter" {
- namespace = "karpenter"
- create_namespace = true
-
- name = "karpenter"
- repository = "oci://public.ecr.aws/karpenter"
- chart = "karpenter"
- version = "v0.31.0"
-
- set {
- name = "settings.aws.clusterName"
- value = module.eks.cluster_name
- }
-
- set {
- name = "settings.aws.clusterEndpoint"
- value = module.eks.cluster_endpoint
- }
-
- set {
- name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
- value = module.karpenter.irsa_arn
- }
-
- set {
- name = "settings.aws.defaultInstanceProfile"
- value = module.karpenter.instance_profile_name
- }
-
- set {
- name = "settings.aws.interruptionQueueName"
- value = module.karpenter.queue_name
- }
-
- depends_on = [helm_release.cilium]
-}
-
 resource "kubectl_manifest" "karpenter_provisioner" {
 yaml_body = <<-YAML
 apiVersion: karpenter.sh/v1alpha5
diff --git a/terraform/eks/variables.tf b/terraform/eks/variables.tf
index 2103826d..4b60aedc 100644
--- a/terraform/eks/variables.tf
+++ b/terraform/eks/variables.tf
@@ -23,13 +23,13 @@ variable "cluster_version" {
 variable "cilium_version" {
 description = "Cilium cluster version"
- default = "1.14.2"
+ default = "1.14.3"
 type = string
 }
 variable "gateway_api_version" {
 description = "Gateway API CRDs version"
- default = "v0.8.0"
+ default = "v0.8.1"
 type = string
 }
diff --git a/terraform/eks/versions.tf b/terraform/eks/versions.tf
index b97addb6..f4889b4a 100644
--- a/terraform/eks/versions.tf
+++ b/terraform/eks/versions.tf
@@ -20,7 +20,7 @@ terraform {
 }
 flux = {
 source = "fluxcd/flux"
- version = "1.1.1"
+ version = "1.1.2"
 }
 helm = {
 source = "hashicorp/helm"