feat(infra.ci/agent): new cluster in azure sponsored for infra.ci age…
…nts (#715)

as per
jenkins-infra/helpdesk#3923 (comment)
kubernetes cluster within the sponsored subscription of azure

split into 3 PRs:
	- creation of the cluster (this one)
  	- creation of the nodes
  	- creation of kubernetes-admin-sa with the module


depends on jenkins-infra/azure-net#249 for the
network definition
smerle33 authored Jun 10, 2024
1 parent 444e8c0 commit 1c219f7
Showing 3 changed files with 74 additions and 6 deletions.
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -11,6 +11,8 @@
backend-config
terraform-plan-output.txt
tfplan
# temporary and local test
.tmp/
# sensitive files from terraform outputs
.env*
*.zip
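--- a/infraci.jenkins.io-kubernetes-sponsored-agents.tf
+++ b/infraci.jenkins.io-kubernetes-sponsored-agents.tf
@@ -0,0 +1,61 @@
+resource "azurerm_resource_group" "infracijio_kubernetes_agents_sponsorship" {
+provider = azurerm.jenkins-sponsorship
+name = "infra-ci-jenkins-io-kubernetes-agents"
+location = var.location
+tags = local.default_tags
+}
+
+data "azurerm_subnet" "infraci_jenkins_io_kubernetes_agent_sponsorship" {
+provider = azurerm.jenkins-sponsorship
+name = "${data.azurerm_virtual_network.infra_ci_jenkins_io_sponsorship.name}-infraci_jenkins_io_kubernetes-agent"
+resource_group_name = data.azurerm_virtual_network.infra_ci_jenkins_io_sponsorship.resource_group_name
+virtual_network_name = data.azurerm_virtual_network.infra_ci_jenkins_io_sponsorship.name
+}
+
+#trivy:ignore:avd-azu-0040 # No need to enable oms_agent for Azure monitoring as we already have datadog
+resource "azurerm_kubernetes_cluster" "infracijenkinsio_agents_1" {
+provider = azurerm.jenkins-sponsorship
+name = "infracijenkinsio-agents-1"
+sku_tier = "Standard"
+## Private cluster requires network setup to allow API access from:
+# - infra.ci.jenkins.io agents (for both terraform job agents and kubernetes-management agents)
+# - private.vpn.jenkins.io to allow admin management (either Azure UI or kube tools from admin machines)
+private_cluster_enabled = true
+private_cluster_public_fqdn_enabled = true
+dns_prefix = "infracijenkinsioagents1" # Avoid hyphens in this DNS host
+location = azurerm_resource_group.infracijio_kubernetes_agents_sponsorship.location
+resource_group_name = azurerm_resource_group.infracijio_kubernetes_agents_sponsorship.name
+kubernetes_version = local.kubernetes_versions["infracijenkinsio_agents_1"]
+role_based_access_control_enabled = true # default value but made explicit to please trivy
+
+network_profile {
+network_plugin = "azure"
+network_plugin_mode = "overlay"
+network_policy = "azure"
+outbound_type = "userAssignedNATGateway"
+load_balancer_sku = "standard" # Required to customize the outbound type
+pod_cidr = local.infraci_jenkins_io_agents_1_pod_cidr
+}
+
+identity {
+type = "SystemAssigned"
+}
+
+default_node_pool {
+name = "systempool1"
+only_critical_addons_enabled = true # This property is the only valid way to add the "CriticalAddonsOnly=true:NoSchedule" taint to the default node pool
+vm_size = "Standard_D4pds_v5" # At least 4 vCPUS/4 Gb as per AKS best practises
+os_sku = "AzureLinux"
+os_disk_type = "Ephemeral"
+os_disk_size_gb = 150 # Ref. Cache storage size athttps://learn.microsoft.com/fr-fr/azure/virtual-machines/dasv5-dadsv5-series#dadsv5-series (depends on the instance size)
+orchestrator_version = local.kubernetes_versions["infracijenkinsio_agents_1"]
+kubelet_disk_type = "OS"
+enable_auto_scaling = false
+node_count = 3 # 3 nodes for HA as per AKS best practises
+vnet_subnet_id = data.azurerm_subnet.infraci_jenkins_io_kubernetes_agent_sponsorship.id
+tags = local.default_tags
+zones = local.infracijenkinsio_agents_1_compute_zones
+}
+
+tags = local.default_tags
+}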
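Review bot: The new cluster enables only Kubernetes RBAC (`role_based_access_control_enabled = true`) with no `azure_active_directory_role_based_access_control` block and `local_account_disabled` left at its provider default, so the locally generated cluster-admin credential remains the admin path and, as with any `azurerm_kubernetes_cluster`, is written to the Terraform state (`kube_admin_config` / `kube_config_raw`). If the "kubernetes-admin-sa" created in the follow-up PR is intended to be the sole admin identity, consider `local_account_disabled = true` with an AAD-integrated RBAC block, or at least record the decision next to line 70: `# Local admin account kept on purpose: the kubernetes-admin-sa of the follow-up PR bootstraps from kube_config; revisit once AAD RBAC is in place`. `private_cluster_public_fqdn_enabled = true` publishes the private API endpoint's address in public DNS; it does not expose the endpoint, but the comment block above it should say why the public FQDN is needed (presumably so agents and VPN clients resolve it without a private DNS zone) so nobody "fixes" it later. Minor: the `os_disk_size_gb` comment is missing a space in `athttps://`.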
17 changes: 11 additions & 6 deletions locals.tf
Expand Up @@ -42,15 +42,20 @@ locals {
admin_username = "jenkins-infra-team"

kubernetes_versions = {
"privatek8s" = "1.27.9"
"publick8s" = "1.27.9"
"cijenkinsio_agents_1" = "1.27.9"
"cijenkinsio_agents_1" = "1.27.9"
"infracijenkinsio_agents_1" = "1.27.9"
"privatek8s" = "1.27.9"
"publick8s" = "1.27.9"
}
ci_jenkins_io_fqdn = "ci.jenkins.io"
ci_jenkins_io_agents_1_pod_cidr = "10.100.0.0/14"

publick8s_compute_zones = [3]
ci_jenkins_io_fqdn = "ci.jenkins.io"
cijenkinsio_agents_1_compute_zones = [1]
ci_jenkins_io_agents_1_pod_cidr = "10.100.0.0/14" # 10.100.0.1 - 10.103.255.255

infracijenkinsio_agents_1_compute_zones = [1]
infraci_jenkins_io_agents_1_pod_cidr = "10.100.0.0/14" # 10.100.0.1 - 10.103.255.255

publick8s_compute_zones = [3]

weekly_ci_disk_size = 8
weekly_ci_access_modes = ["ReadWriteOnce"]
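Review bot: `infraci_jenkins_io_agents_1_pod_cidr` reuses `10.100.0.0/14`, the same range as `ci_jenkins_io_agents_1_pod_cidr` just above; this is only safe because the new cluster runs Azure CNI in overlay mode (pod addresses are not routed on the VNet), presumably the same for the ci.jenkins.io cluster whose definition is not in this diff, and the range must still not collide with any VNet or VPN prefix defined in azure-net, which is not visible here. Put that assumption in the comment so the duplication is not "fixed" or the plugin mode changed without noticing: `infraci_jenkins_io_agents_1_pod_cidr = "10.100.0.0/14" # 10.100.0.1 - 10.103.255.255; overlay-only range, may overlap other clusters' pod CIDRs but must not overlap any VNet/VPN prefix`. `infracijenkinsio_agents_1_compute_zones = [1]` pins the new system pool to a single availability zone while the cluster file justifies `node_count = 3` as HA; if the single zone is deliberate (sponsorship quota, cost), say so in a comment, otherwise `[1, 2, 3]` is the value consistent with that rationale. The two new locals also use different prefixes (`infracijenkinsio_…` vs `infraci_jenkins_io_…`); picking one keeps them greppable together.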
