aws-ia · bryantbiggs · Mar 30, 2023 · Mar 30, 2023 · Mar 30, 2023
@@ -72,7 +72,7 @@
 | <a name="module_local_volume_provisioner"></a> [local\_volume\_provisioner](#module\_local\_volume\_provisioner) | ./local-volume-provisioner | n/a |
 | <a name="module_metrics_server"></a> [metrics\_server](#module\_metrics\_server) | ./metrics-server | n/a |
 | <a name="module_nvidia_device_plugin"></a> [nvidia\_device\_plugin](#module\_nvidia\_device\_plugin) | ./nvidia-device-plugin | n/a |
-| <a name="module_ondat"></a> [ondat](#module\_ondat) | ondat/ondat-addon/eksblueprints | 0.1.2 |
+| <a name="module_ondat"></a> [ondat](#module\_ondat) | ./ondat | n/a |
 | <a name="module_opentelemetry_operator"></a> [opentelemetry\_operator](#module\_opentelemetry\_operator) | ./opentelemetry-operator | n/a |
 | <a name="module_portworx"></a> [portworx](#module\_portworx) | portworx/portworx-addon/eksblueprints | 0.0.6 |
 | <a name="module_prometheus"></a> [prometheus](#module\_prometheus) | ./prometheus | n/a |

@@ -363,8 +363,7 @@ module "kube_state_metrics" {
 }
 
 module "ondat" {
-  source  = "ondat/ondat-addon/eksblueprints"
-  version = "0.1.2"
+  source = "./ondat"
 
   count = var.enable_ondat ? 1 : 0
 

@@ -0,0 +1,79 @@
+# Ondat add-on for EKS Blueprints
+
+## Introduction
+
+[Ondat](https://ondat.io) is a highly scalable Kubernetes data plane that
+provides stateful storage for applications. This blueprint installs Ondat
+on Amazon Elastic Kubernetes Service (AWS EKS).
+
+## Key features
+
+1. Hyperconverged (all nodes have storage) or centralised (some nodes
+have storage), Kubernetes-native storage on any infrastructure - use the
+same code and storage features in-cloud and on-premises!
+1. Best-in-class performance, availability and security - individually
+encrypted volumes, performs better than competitors and synchronizes replicas
+quickly and efficiently.
+1. NFS (RWX) support allowing for performant sharing of volumes across multiple
+workloads.
+1. Free tier with 1TiB of storage under management plus unlimited replicas
+1. Larger storage capacity and business support available in paid product
+
+Find out more in our [documentation](https://docs.ondat.io/docs/concepts/)!
+
+## Examples
+
+See [blueprints](blueprints/).
+
+<!--- BEGIN_TF_DOCS --->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.11.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_helm_addon"></a> [helm\_addon](#module\_helm\_addon) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.1.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [kubernetes_namespace.ondat](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.storageos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_secret.etcd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_storage_class.etcd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
+| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_addon_context"></a> [addon\_context](#input\_addon\_context) | Input configuration for the addon | <pre>object({<br>    aws_caller_identity_account_id = string<br>    aws_caller_identity_arn        = string<br>    aws_eks_cluster_endpoint       = string<br>    aws_partition_id               = string<br>    aws_region_name                = string<br>    eks_cluster_id                 = string<br>    eks_oidc_issuer_url            = string<br>    eks_oidc_provider_arn          = string<br>    tags                           = map(string)<br>    irsa_iam_role_path             = optional(string)<br>    irsa_iam_permissions_boundary  = optional(string)<br>  })</pre> | n/a | yes |
+| <a name="input_admin_password"></a> [admin\_password](#input\_admin\_password) | Password for the Ondat admin user | `string` | `"storageos"` | no |
+| <a name="input_admin_username"></a> [admin\_username](#input\_admin\_username) | Username for the Ondat admin user | `string` | `"storageos"` | no |
+| <a name="input_create_cluster"></a> [create\_cluster](#input\_create\_cluster) | Determines if the StorageOSCluster and secrets should be created | `bool` | `true` | no |
+| <a name="input_etcd_ca"></a> [etcd\_ca](#input\_etcd\_ca) | The PEM encoded CA for Ondat's etcd | `string` | `null` | no |
+| <a name="input_etcd_cert"></a> [etcd\_cert](#input\_etcd\_cert) | The PEM encoded client certificate for Ondat's etcd | `string` | `null` | no |
+| <a name="input_etcd_endpoints"></a> [etcd\_endpoints](#input\_etcd\_endpoints) | A list of etcd endpoints for Ondat | `list(string)` | `[]` | no |
+| <a name="input_etcd_key"></a> [etcd\_key](#input\_etcd\_key) | The PEM encoded client key for Ondat's etcd | `string` | `null` | no |
+| <a name="input_helm_config"></a> [helm\_config](#input\_helm\_config) | Helm provider config for the ondat addon | `any` | `{}` | no |
+| <a name="input_irsa_permissions_boundary"></a> [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | IAM Policy ARN for IRSA IAM role permissions boundary | `string` | `""` | no |
+| <a name="input_irsa_policies"></a> [irsa\_policies](#input\_irsa\_policies) | IAM policy ARNs for Ondat IRSA | `list(string)` | `[]` | no |
+| <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_argocd_gitops_config"></a> [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD |
+<!--- END_TF_DOCS --->
@@ -0,0 +1,179 @@
+locals {
+  name                 = "ondat"
+  service_account_name = "storageos-operator"
+
+  ondat_etcd_endpoints = length(var.etcd_endpoints) == 0 ? "storageos-etcd.storageos-etcd:2379" : join(",", var.etcd_endpoints)
+
+  argocd_gitops_config = {
+    enable                             = true
+    etcdClusterCreate                  = length(var.etcd_endpoints) == 0
+    serviceAccountName                 = local.service_account_name
+    clusterSecretRefName               = "storageos-api"
+    clusterAdminUsername               = "storageos"
+    clusterAdminPassword               = "storageos"
+    clusterKvBackendAddress            = local.ondat_etcd_endpoints
+    clusterKvBackendTLSSecretName      = length(kubernetes_secret.etcd) > 0 ? kubernetes_secret.etcd[0].metadata[0].name : "storageos-etcd-secret"
+    clusterKvBackendTLSSecretNamespace = length(kubernetes_secret.etcd) > 0 ? kubernetes_secret.etcd[0].metadata[0].namespace : "storageos"
+    clusterNodeSelectorTermKey         = "storageos-node"
+    clusterNodeSelectorTermValue       = "1"
+    etcdNodeSelectorTermKey            = "storageos-etcd"
+    etcdNodeSelectorTermValue          = "1"
+  }
+
+  default_helm_values = [templatefile("${path.module}/values.yaml",
+    {
+      ondat_service_account_name   = local.service_account_name,
+      ondat_nodeselectorterm_key   = "storageos-node"
+      ondat_nodeselectorterm_value = "1"
+      etcd_nodeselectorterm_key    = "storageos-etcd"
+      etcd_nodeselectorterm_value  = "1"
+      ondat_admin_username         = "storageos",
+      ondat_admin_password         = "storageos",
+      ondat_credential_secret_name = "storageos-api",
+      etcd_address                 = local.ondat_etcd_endpoints,
+    },
+  )]
+}
+
+module "helm_addon" {
+  source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon"
+
+  manage_via_gitops = var.manage_via_gitops
+
+  helm_config = merge(
+    {
+      name             = local.name
+      chart            = "ondat"
+      repository       = "https://ondat.github.io/charts"
+      version          = "0.2.5"
+      namespace        = kubernetes_namespace.ondat.metadata[0].name
+      timeout          = "1500"
+      create_namespace = false
+      values           = local.default_helm_values
+      description      = "Ondat Helm Chart for storage"
+    },
+    var.helm_config
+  )
+
+  set_values = [
+    {
+      name  = "ondat-operator.serviceAccount.name"
+      value = local.service_account_name
+    },
+    {
+      name  = "ondat-operator.cluster.create"
+      value = var.create_cluster
+    },
+    {
+      name  = "ondat-operator.cluster.secretRefName"
+      value = "storageos-api"
+    },
+    {
+      name  = "ondat-operator.cluster.kvBackend.address"
+      value = local.ondat_etcd_endpoints
+    },
+    {
+      name  = "ondat-operator.cluster.kvBackend.tlsSecretName"
+      value = length(kubernetes_secret.etcd) > 0 ? kubernetes_secret.etcd[0].metadata[0].name : "storageos-etcd-secret"
+    },
+    {
+      name  = "ondat-operator.cluster.kvBackend.tlsSecretNamespace"
+      value = length(kubernetes_secret.etcd) > 0 ? kubernetes_secret.etcd[0].metadata[0].namespace : "storageos"
+    },
+    {
+      name  = "etcd-cluster-operator.cluster.create"
+      value = length(var.etcd_endpoints) == 0
+    },
+  ]
+
+  set_sensitive_values = [
+    {
+      name  = "cluster.admin.username",
+      value = var.admin_username
+    },
+    {
+      name  = "cluster.admin.password",
+      value = var.admin_password
+    },
+  ]
+
+  irsa_config = {
+    create_kubernetes_namespace = false
+    kubernetes_namespace        = kubernetes_namespace.ondat.metadata[0].name
+
+    create_kubernetes_service_account = true
+    kubernetes_service_account        = local.service_account_name
+
+    iam_role_path                 = "/"
+    tags                          = var.addon_context.tags
+    eks_cluster_id                = var.addon_context.eks_cluster_id
+    irsa_iam_policies             = var.irsa_policies
+    irsa_iam_permissions_boundary = var.irsa_permissions_boundary
+  }
+
+  addon_context = var.addon_context
+}
+
+resource "kubernetes_namespace" "ondat" {
+  metadata {
+    name = "ondat"
+    labels = {
+      app = local.name
+    }
+  }
+}
+
+################################################################################
+# Secrets
+################################################################################
+
+resource "kubernetes_namespace" "storageos" {
+  count = length(var.etcd_endpoints) == 0 ? 0 : 1
+
+  metadata {
+    name = "storageos"
+    labels = {
+      app = local.name
+    }
+  }
+}
+
+resource "kubernetes_secret" "etcd" {
+  count = length(var.etcd_endpoints) == 0 ? 0 : 1
+
+  metadata {
+    name      = "storageos-etcd"
+    namespace = kubernetes_namespace.storageos[0].metadata[0].name
+    labels = {
+      app = local.name
+    }
+  }
+
+  data = {
+    "etcd-client-ca.crt" = var.etcd_ca
+    "etcd-client.crt"    = var.etcd_cert
+    "etcd-client.key"    = var.etcd_key
+  }
+
+  type = "kubernetes.io/storageos"
+}
+
+################################################################################
+# Storage Class
+################################################################################
+
+resource "kubernetes_storage_class" "etcd" {
+  count = length(var.etcd_endpoints) == 0 ? 1 : 0
+
+  metadata {
+    name = "etcd"
+  }
+
+  storage_provisioner = "ebs.csi.aws.com"
+  reclaim_policy      = "Retain"
+  volume_binding_mode = "WaitForFirstConsumer"
+
+  parameters = {
+    type = "gp3"
+  }
+}
@@ -0,0 +1,4 @@
+output "argocd_gitops_config" {
+  description = "Configuration used for managing the add-on with ArgoCD"
+  value       = var.manage_via_gitops ? local.argocd_gitops_config : null
+}
@@ -0,0 +1,25 @@
+ondat-operator:
+  serviceAccount:
+    create: false
+    name: ${ondat_service_account_name}
+  cluster:
+    create: true
+    secretRefName: ${ondat_credential_secret_name}
+    admin:
+      username: ${ondat_admin_username}
+      password: ${ondat_admin_password}
+    kvBackend:
+      address: ${etcd_address}
+    nodeSelectorTerm:
+      key: ${ondat_nodeselectorterm_key}
+      value: ${ondat_nodeselectorterm_value}
+etcd-cluster-operator:
+  cluster:
+    replicas: 5
+    storage: 15Gi
+    storageclass: etcd
+    nodeSelectorTerm:
+      key: ${etcd_nodeselectorterm_key}
+      value: ${etcd_nodeselectorterm_value}
+  ondat:
+    namespace: storageos
@@ -0,0 +1,72 @@
+variable "helm_config" {
+  description = "Helm provider config for the ondat addon"
+  type        = any
+  default     = {}
+}
+
+variable "manage_via_gitops" {
+  description = "Determines if the add-on should be managed via GitOps"
+  type        = bool
+  default     = false
+}
+
+variable "addon_context" {
+  description = "Input configuration for the addon"
+  type        = any
+}
+
+variable "irsa_permissions_boundary" {
+  description = "IAM Policy ARN for IRSA IAM role permissions boundary"
+  type        = string
+  default     = ""
+}
+
+variable "irsa_policies" {
+  description = "IAM policy ARNs for Ondat IRSA"
+  type        = list(string)
+  default     = []
+}
+
+variable "create_cluster" {
+  description = "Determines if the StorageOSCluster and secrets should be created"
+  type        = bool
+  default     = true
+}
+
+variable "etcd_endpoints" {
+  description = "A list of etcd endpoints for Ondat"
+  type        = list(string)
+  default     = []
+}
+
+variable "etcd_ca" {
+  description = "The PEM encoded CA for Ondat's etcd"
+  type        = string
+  default     = null
+}
+
+variable "etcd_cert" {
+  description = "The PEM encoded client certificate for Ondat's etcd"
+  type        = string
+  default     = null
+}
+
+variable "etcd_key" {
+  description = "The PEM encoded client key for Ondat's etcd"
+  type        = string
+  default     = null
+  sensitive   = true
+}
+
+variable "admin_username" {
+  description = "Username for the Ondat admin user"
+  type        = string
+  default     = "storageos"
+}
+
+variable "admin_password" {
+  description = "Password for the Ondat admin user"
+  type        = string
+  default     = "storageos"
+  sensitive   = true
+}
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.6.1"
+    }
+  }
+}