feat(bootstrap): add knobs to set control plane network setup and encryption config

bootstrap/helm/bootstrap/Chart.lock

@@ -13,7 +13,7 @@ dependencies:
   version: 9.25.0
 - name: aws-load-balancer-controller
   repository: https://aws.github.io/eks-charts
-  version: 1.4.8
+  version: 1.6.1
 - name: aws-ebs-csi-driver
   repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
   version: 2.17.1
@@ -26,5 +26,5 @@ dependencies:
 - name: tigera-operator
   repository: https://docs.tigera.io/calico/charts
   version: v3.25.0
-digest: sha256:1d124ca9acb4e93009dfeb4273d149d075616babbad1fe3e5bb6c88540b5f96d
-generated: "2023-03-07T15:21:37.729265+01:00"
+digest: sha256:b7ee91be180afabfb812e9c8e7f7bfdfd2a1c4ebef9592ccd37e6eadd65409a2
+generated: "2023-10-04T16:18:22.110786-04:00"

bootstrap/helm/bootstrap/Chart.yaml

@@ -10,7 +10,7 @@ maintainers:
   email: [email protected]
 - name: David van der Spek
   email: [email protected]
-version: 0.8.75
+version: 0.8.76
 dependencies:
 - name: external-dns
   version: 6.14.1
@@ -30,7 +30,7 @@ dependencies:
   repository: https://kubernetes.github.io/autoscaler
 - name: aws-load-balancer-controller
   condition: aws-load-balancer-controller.enabled
-  version: 1.4.8
+  version: 1.6.1
   repository: https://aws.github.io/eks-charts
 - name: aws-ebs-csi-driver
   condition: aws-ebs-csi-driver.enabled

bootstrap/helm/bootstrap/values.yaml

@@ -64,7 +64,7 @@ aws-load-balancer-controller:
   enabled: false
   image:
     repository: public.ecr.aws/eks/aws-load-balancer-controller # TODO: this should be migrated to our vendored images
-    tag: v2.4.7
+    tag: v2.6.1
 
 snapshot-validation-webhook:
   enabled: false

bootstrap/terraform/aws-bootstrap/deps.yaml

@@ -2,7 +2,7 @@ apiVersion: plural.sh/v1alpha1
 kind: Dependencies
 metadata:
   description: Creates an EKS cluster and prepares it for bootstrapping
-  version: 0.1.54
+  version: 0.1.55
 spec:
   breaking: false
   dependencies: []

bootstrap/terraform/aws-bootstrap/main.tf

@@ -37,19 +37,23 @@ module "vpc" {
 }
 
 module "cluster" {
-  source                        = "github.com/pluralsh/terraform-aws-eks?ref=output-service-cidr"
-  cluster_name                  = var.cluster_name
-  cluster_version               = var.kubernetes_version
-  private_subnets               = local.private_subnet_ids
-  public_subnets                = local.public_subnet_ids
-  worker_private_subnets        = local.worker_private_subnet_ids
-  vpc_id                        = local.vpc_id
-  enable_irsa                   = true
-  write_kubeconfig              = false
-  create_eks                    = var.create_cluster
-  cluster_enabled_log_types     = var.cluster_enabled_log_types
-  cluster_log_retention_in_days = var.cluster_log_retention_in_days
-  cluster_log_kms_key_id        = var.cluster_log_kms_key_id
+  source                          = "github.com/pluralsh/terraform-aws-eks?ref=output-service-cidr"
+  cluster_name                    = var.cluster_name
+  cluster_version                 = var.kubernetes_version
+  private_subnets                 = local.private_subnet_ids
+  public_subnets                  = local.public_subnet_ids
+  worker_private_subnets          = local.worker_private_subnet_ids
+  vpc_id                          = local.vpc_id
+  enable_irsa                     = true
+  write_kubeconfig                = false
+  create_eks                      = var.create_cluster
+  cluster_enabled_log_types       = var.cluster_enabled_log_types
+  cluster_log_retention_in_days   = var.cluster_log_retention_in_days
+  cluster_log_kms_key_id          = var.cluster_log_kms_key_id
+  cluster_endpoint_public_access  = var.cluster_endpoint_public_access
+  cluster_endpoint_private_access = var.cluster_endpoint_private_access
+  cluster_encryption_config       = var.cluster_encryption_config
+  cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
 
   node_groups_defaults = {}
 

bootstrap/terraform/aws-bootstrap/variables.tf

@@ -7,6 +7,34 @@ Name for the vpc for the cluster
 EOF
 }
 
+
+variable "cluster_endpoint_private_access" {
+  description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled."
+  type        = bool
+  default     = false
+}
+
+variable "cluster_endpoint_public_access" {
+  description = "Indicates whether or not the Amazon EKS public API server endpoint is enabled."
+  type        = bool
+  default     = true
+}
+
+variable "cluster_endpoint_public_access_cidrs" {
+  description = "List of CIDR blocks which can access the Amazon EKS public API server endpoint."
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
+variable "cluster_encryption_config" {
+  description = "Configuration block with encryption configuration for the cluster. See examples/secrets_encryption/main.tf for example format"
+  type = list(object({
+    provider_key_arn = string
+    resources        = list(string)
+  }))
+  default = []
+}
+
 variable "cluster_enabled_log_types" {
   default     = []
   description = "A list of the desired control plane logging to enable. Supported options are: api, audit, authenticator, controllerManager, scheduler. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)"