diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml
index 0d9c226a5..ece96b5ec 100644
--- a/.github/bundles/uds-bundle.yaml
+++ b/.github/bundles/uds-bundle.yaml
@@ -27,7 +27,7 @@ packages:
 path: credentials.useSecret
 - name: VELERO_IRSA_ANNOTATION
 description: "IRSA ARN annotation to use for Velero"
- path: serviceAccount.server.annotations.irsa/role-arn
+ path: serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn
 loki:
 loki:
 values:
@@ -52,4 +52,4 @@ packages:
 path: loki.storage.s3.region
 - name: LOKI_IRSA_ANNOTATION
 description: "The irsa role annotation"
- path: serviceAccount.annotations.irsa/role-arn
+ path: serviceAccount.annotations.eks\.amazonaws\.com/role-arn
diff --git a/.gitignore b/.gitignore
index 218f55004..ad3474a0f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,6 @@ tmp-tasks.yaml
 cacert.b64
 run/
 extract-terraform.sh
+**/.terraform*
+cluster-config.yaml
+**.tfstate
diff --git a/docs/deployment/prerequisites.md b/docs/deployment/prerequisites.md
index fdbc2fb3e..ddc8e038e 100644
--- a/docs/deployment/prerequisites.md
+++ b/docs/deployment/prerequisites.md
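Review bot: The backslash escapes in `path: serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn` only survive while the value stays a plain or single-quoted scalar; inside a double-quoted YAML string `\.` is an invalid escape, so a later reformat that adds double quotes would silently break the override path. A comment above the line, `# \. keeps the dots inside the annotation key for the bundle path parser; never double-quote this value`, would guard against that, and the same applies to the LOKI_IRSA_ANNOTATION path in the -52 hunk. Because the value written at this annotation is presumably the IAM role the Velero service account assumes through IRSA, the description could say so explicitly, e.g. `description: "IAM role ARN written to the eks.amazonaws.com/role-arn IRSA annotation on the Velero server service account"`. The Loki variable's `description: "The irsa role annotation"` would read better with the same wording for consistency.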
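Review bot: `**/.terraform*` also matches `.terraform.lock.hcl`, the provider dependency lock file that pins provider versions and hashes and is normally committed; if ignoring it is unintended, narrow the pattern to `**/.terraform/` or add `!**/.terraform.lock.hcl` after it. `**.tfstate` behaves as `*.tfstate` (a `**` not adjacent to a slash is an ordinary wildcard) and does not cover the `terraform.tfstate.backup` files Terraform writes beside the state, which carry the same sensitive values; `*.tfstate*` would cover both. Whether `cluster-config.yaml` holds rendered per-environment values cannot be confirmed from this hunk, so a short comment above the added lines explaining what each entry protects would help the next reader.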
@@ -45,9 +45,11 @@ Several UDS Core components require persistent volumes that will be provisioned
 ```console
 ❯ kubectl get storageclass
 NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
-local-path (default) rancher.io/local-path Delete WaitForFirstConsumer false 55s
+local-path (default) rancher.io/local-path Delete WaitForFirstConsumer true 55s
 ```
+It’s generally beneficial if your storage class supports volume expansion (set `allowVolumeExpansion: true`, provided your provisioner allows it). This enables you to resize volumes when needed. Additionally, be mindful of any size restrictions imposed by your provisioner. For instance, EBS volumes have a minimum size of 1Gi, which could lead to unexpected behavior, especially during Velero’s CSI backup and restore process. These constraints may also necessitate adjustments to default PVC sizes, such as Keycloak’s PVCs, which default to 512Mi in `devMode`.
+
 #### Network Policy Support
 The UDS Operator will dynamically provision network policies to secure traffic between components in UDS Core. To ensure these are effective, validate that your CNI supports enforcing network policies. In addition, UDS Core makes use of some CIDR based policies for communication with the KubeAPI server. If you are using Cilium, support for node addressability with CIDR based policies must be enabled with a [feature flag](https://docs.cilium.io/en/stable/security/policy/language/#selecting-nodes-with-cidr-ipblock).
diff --git a/tasks/iac.yaml b/tasks/iac.yaml
index a5d4b8f74..f13e2d4e4 100644
--- a/tasks/iac.yaml
+++ b/tasks/iac.yaml
@@ -25,7 +25,7 @@ tasks:
 metadata:
 name: ${CLUSTER_NAME}
- region: us-west-2
+ region: ${REGION}
 version: "1.30"
 tags:
 PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME}
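Review bot: `region: ${REGION}` is an unquoted templated scalar, so if REGION is unset or expands to an empty string the rendered cluster config carries a `null` region instead of failing clearly; this file already quotes such values elsewhere (`loki_irsa_annotation: "${LOKI_S3_ROLE_ARN}"`), so `region: "${REGION}"` would be both safer and consistent. The same applies to the -148 hunk, where `loki_s3_region: ${LOKI_S3_AWS_REGION}`, `velero_bucket: ${VELERO_S3_BUCKET}` and `velero_bucket_region: ${VELERO_S3_AWS_REGION}` remain unquoted next to the newly quoted `velero_irsa_annotation`. The enclosing task begins outside the hunk, so whether REGION is declared with a default or validated before this point is not visible here; a comment such as `# REGION must be set by the caller; no default` above the line would make the expectation explicit.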
@@ -148,7 +148,7 @@ tasks:
 loki_s3_region: ${LOKI_S3_AWS_REGION}
 loki_irsa_annotation: "${LOKI_S3_ROLE_ARN}"
 velero_use_secret: false
- velero_irsa_annotation: ${VELERO_S3_ROLE_ARN}"
+ velero_irsa_annotation: "${VELERO_S3_ROLE_ARN}"
 velero_bucket: ${VELERO_S3_BUCKET}
 velero_bucket_region: ${VELERO_S3_AWS_REGION}
 velero_bucket_provider_url: ""