fix: eks iac issues, document storage class pre-reqs (#812)
## Description

EBS imposes a 1Gi size limitation on restored PVCs. This adds a short
note to pre-reqs about checking CSI limitations.

While testing with our EKS IAC I also discovered a few other issues:
- IRSA annotations were not correct
- Config did not properly variablize region
- Config had an unmatched `"` around one of the values
- Gitignore did not exclude terraform/tfstate files that shouldn't be
committed

## Related Issue

Fixes #718

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
mjnagel authored Sep 24, 2024
1 parent 34ffc0a commit df514bd
Showing 4 changed files with 10 additions and 5 deletions.
4 changes: 2 additions & 2 deletions .github/bundles/uds-bundle.yaml
@@ -27,7 +27,7 @@ packages:
path: credentials.useSecret
- name: VELERO_IRSA_ANNOTATION
description: "IRSA ARN annotation to use for Velero"
path: serviceAccount.server.annotations.irsa/role-arn
path: serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn
loki:
loki:
values:
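Review bot: the escaped dots in `serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn` are load-bearing, since without them the override path would be read as nested keys `eks` > `amazonaws` > `com/role-arn` instead of the single annotation key `eks.amazonaws.com/role-arn`; add a short comment next to this override explaining the escaping so a later cleanup does not reintroduce the broken annotation key this hunk replaces (`irsa/role-arn`).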
@@ -52,4 +52,4 @@ packages:
path: loki.storage.s3.region
- name: LOKI_IRSA_ANNOTATION
description: "The irsa role annotation"
path: serviceAccount.annotations.irsa/role-arn
path: serviceAccount.annotations.eks\.amazonaws\.com/role-arn
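Review bot: the description for `LOKI_IRSA_ANNOTATION` ("The irsa role annotation") is vaguer than the Velero one above; suggest mirroring it, e.g. `description: "IRSA ARN annotation to use for Loki"`, so both overrides state that the expected value is an IAM role ARN.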
3 changes: 3 additions & 0 deletions .gitignore
@@ -15,3 +15,6 @@ tmp-tasks.yaml
cacert.b64
run/
extract-terraform.sh
**/.terraform*
cluster-config.yaml
**.tfstate
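Review bot: `**.tfstate` does not match `terraform.tfstate.backup`, which Terraform writes next to the state file and which carries the same plaintext resource attributes and secrets; suggest `**.tfstate*` (or an explicit `*.tfstate.backup` line). Separately, `**/.terraform*` also ignores `.terraform.lock.hcl`, the dependency lock file that is normally committed to pin provider versions; if the lock file should stay tracked, narrow the pattern to `**/.terraform/`.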
4 changes: 3 additions & 1 deletion docs/deployment/prerequisites.md
@@ -45,9 +45,11 @@ Several UDS Core components require persistent volumes that will be provisioned
```console
kubectl get storageclass
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
local-path (default) rancher.io/local-path Delete WaitForFirstConsumer false 55s
local-path (default) rancher.io/local-path Delete WaitForFirstConsumer true 55s
```

It’s generally beneficial if your storage class supports volume expansion (set `allowVolumeExpansion: true`, provided your provisioner allows it). This enables you to resize volumes when needed. Additionally, be mindful of any size restrictions imposed by your provisioner. For instance, EBS volumes have a minimum size of 1Gi, which could lead to unexpected behavior, especially during Velero’s CSI backup and restore process. These constraints may also necessitate adjustments to default PVC sizes, such as Keycloak’s PVCs, which default to 512Mi in `devMode`.

#### Network Policy Support

The UDS Operator will dynamically provision network policies to secure traffic between components in UDS Core. To ensure these are effective, validate that your CNI supports enforcing network policies. In addition, UDS Core makes use of some CIDR based policies for communication with the KubeAPI server. If you are using Cilium, support for node addressability with CIDR based policies must be enabled with a [feature flag](https://docs.cilium.io/en/stable/security/policy/language/#selecting-nodes-with-cidr-ipblock).
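Review bot: the sample `kubectl get storageclass` output now shows ALLOWVOLUMEEXPANSION `true` for `local-path`, but the new paragraph only tells the reader to "set `allowVolumeExpansion: true`" without showing how; add the command that produces the shown state so the example is reproducible, e.g. `kubectl patch storageclass local-path -p '{"allowVolumeExpansion": true}'`. The EBS 1Gi note likewise says Keycloak's 512Mi `devMode` PVCs "may necessitate adjustments" but not where that size is overridden; a pointer to the relevant value would make the prerequisite actionable.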
4 changes: 2 additions & 2 deletions tasks/iac.yaml
@@ -25,7 +25,7 @@ tasks:
metadata:
name: ${CLUSTER_NAME}
region: us-west-2
region: ${REGION}
version: "1.30"
tags:
PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME}
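Review bot: `region: ${REGION}` introduces a new variable while the hunk below already uses `LOKI_S3_AWS_REGION` and `VELERO_S3_AWS_REGION`; make sure `REGION` is declared in the task's inputs with a default (or documented as required), otherwise the cluster manifest renders with an empty `region`, and consider defaulting the two bucket-region variables from `REGION` so the cluster and its buckets do not silently land in different regions.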
@@ -148,7 +148,7 @@ tasks:
loki_s3_region: ${LOKI_S3_AWS_REGION}
loki_irsa_annotation: "${LOKI_S3_ROLE_ARN}"
velero_use_secret: false
velero_irsa_annotation: ${VELERO_S3_ROLE_ARN}"
velero_irsa_annotation: "${VELERO_S3_ROLE_ARN}"
velero_bucket: ${VELERO_S3_BUCKET}
velero_bucket_region: ${VELERO_S3_AWS_REGION}
velero_bucket_provider_url: ""
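Review bot: the unmatched `"` fix is right, but quoting in this block is still inconsistent (`loki_s3_region` and `velero_bucket` bare, `loki_irsa_annotation` and `velero_irsa_annotation` quoted); quote all interpolated string values the same way, and a YAML lint step (e.g. `yamllint`) over the rendered task file in CI would have caught the stray quote before it reached a test cluster.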