This module will deploy Kubernetes utils on an already-existing EKS cluster, those are the following components:
- AWS EFS CSI Drivers for ReadWriteMany Kubernetes support. (Optional)
- Kubernetes autoscaler across all the subnets provided in private_subnets and their respective AZs. https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler
- Kubernetes Dashboard https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler
- Certificate Manager for Let's Encrypt certificates on non-ELB Ingress components https://github.com/jetstack/cert-manager
- External DNS for integration with Route 53 https://github.com/kubernetes-sigs/external-dns
- Fluent Bit for Cloudwatch Logs
- Cloudwatch Metrics
Features:
- SSM Session Manager access instead of Bastion host access. (Not sure it works anymore)
- Cloudwatch alarms for EFS-related metrics (including loss of credits)
- Cloudwatch alarms for Tx instance type loss of credits.
- Autoscaling operations notifications to Slack.
EKS version v1.18+
- AWS CLI tools installed (the
awscommand). kubectltool.- Helm > v3.2
- (Optional) Local installation of Istio as per https://istio.io/docs/setup/install/istioctl/ config location:
/istio_yaml/
These are the parameters supported by this module
| Name | Type | Default | Description | Required |
|---|---|---|---|---|
| cluster_name | string |
Name of the EKS cluster. Also used as a prefix in names of related resources. | yes | |
| vpc_id | string |
ID of the VPC this project is going to be deployed on | yes | |
| oidc_provider_arn | string |
ARN of the OIDC provider of the K8s cluster. Used for authentication. This value is given by the EKS creation process and it's used for IAM role creation | yes | |
| cluster_oidc_issuer_url | string |
URL of the OIDC issuer of the K8s cluster, Used for authentication. This value is given by the EKS creation process and it's used for IAM role creation. | yes | |
| cluster_endpoint | string |
The endpoint for your EKS Kubernetes API. | yes | |
| kubeconfig_filename | string |
The filename of the generated kubectl config. | yes | |
| dns_public_zone_names | list(string) |
[] |
The zone names of AWS route53 zones that external-dns, cert-manager, base services use. First in the list is the Primary for internal services | no |
| dns_private_suffix | string |
internal |
Private dns zone suffix for the cluster ({cluster_name}.{dns_private_suffix}) | no |
| cert_manager_enabled | bool |
false |
deploy cert-manager (https://github.com/jetstack/cert-manager) | no |
| cert_manager_chart_version | string |
v1.0.3 |
The Helm chart version of cert-manager (chart repo: https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager) | no |
| cert_manager_lets_encrypt_cluster_issuer_enabled | bool |
true |
Create default Lets encrypt cluster issuers | no |
| cert_manager_lets_encrypt_notification_email | string |
"" |
Lets encrypt certificate email notifications. default LetsEncrypt cluster issuers will not get created without this | no |
| cert_manager_lets_encrypt_default_certificate_type | string |
staging |
default cluster issuer type this can be staging or production |
no |
| aws_lb_ingress_enabled | bool |
false |
Additional IAM roles to add to the aws-auth configmap. See examples/basiπc/variables.tf for example format. | no |
| aws_lb_ingress_chart_version | string |
Check defaults in variables.tf | The Helm chart version of aws-alb-ingress-controller (chart repo: https://aws.github.io/eks-charts) | no |
| aws_lb_ingress_app_version | string |
Check defaults in variables.tf | The version of aws-alb-ingress-controller (repo: https://github.com/kubernetes-sigs/aws-load-balancer-controller)group. | yes |
| cluster_autoscaler_enabled | bool |
false |
Deploy Cluster Autoscaler (https://github.com/kubernetes/autoscaler/) group. | yes |
| cluster_autoscaler_chart_version | string |
Check defaults in variables.tf | The Helm chart version of Cluster Autoscaler (chart repo: https://github.com/kubernetes/autoscaler/ | no |
| cluster_autoscaler_image_tag | string |
Check defaults in variables.tf | The version of Cluster Autoscaler (repo: https://github.com/kubernetes/autoscaler/) | no |
| cluster_autoscaler_extra_arguments | string |
"" |
Additional container arguments for K8s Autoscaler in an HCL map. Changes how Autoscaler takes decisions. Possible values at https://github.com/kubernetes/autoscaler/blob/master/charts/cluster-autoscaler-chart/values.yaml | no |
| external_dns_enabled | bool |
false |
Deploy external_dns (https://github.com/kubernetes-sigs/external-dns) | no |
| external_dns_chart_version | string |
Check defaults in variables.tf | The Helm chart version of external_dns (chart repo: https://github.com/bitnami/charts/tree/master/bitnami/external-dns) | no |
| istio_enabled | bool |
false |
Deploy istio (https://istio.io) | no |
| istio_version | string |
Check defaults in variables.tf | The version of Istio to deploy. This is pass as the docker tag | no |
| istio_request_auth_enabled | bool |
false |
Create RequestAuthentication resource and limits to tokens with cluster audiences | no |
| istio_oauth_issuer | string |
"" |
The OAuth issuer for token verification. For auth0 this is the tennant URL | no |
| istio_oauth_jwks_uri | string |
"" |
The OAuth JWKS url for token verification against issuer public key | no |
| knative_enabled | bool |
false |
Deploy knative (https://knative.dev) | no |
| knative_version | string |
Check defaults in variables.tf | The version of knative | no |
| kong_ingress_enabled | bool |
false |
Deploy kong_ingress (https://github.com/Kong/kubernetes-ingress-controller) | no |
| kong_ingress_chart_version | string |
Check defaults in variables.tf | The Helm chart version of kong_ingress (chart repo: https://github.com/Kong/charts/tree/master/charts/kong) | no |
| ambassador_ingress_enabled | bool |
false |
Deploy Ambassador Ingress (https://www.getambassador.io/) | no |
| ambassador_ingress_chart_version | string |
Check defaults in variables.tf | The Helm chart version of Ambassador Ingress (chart repo: https://github.com/datawire/ambassador-chart) | no |
| ambassador_oauth_enabled | bool |
false |
Enable an Oauth2 filter on the Ambassador Ingress controller | no |
| ambassador_oauth_protected_hosts | list(any) |
[""] |
List of hostnames protected by oauth filter. | no |
| ambassador_oauth_url | string |
"" |
OAuth root url. For Auth0 this is https://{tentant}.eu.auth0.com | no |
| ambassador_oauth_client_id | string |
"" |
OAuth Client ID | no |
| ambassador_oauth_client_secret | string |
"" |
OAuth Client Secret | no |
| kubernetes_dashboard_enabled | bool |
"" |
Deploy Kubernetes Dashboard (https://github.com/kubernetes/dashboard) | no |
| kubernetes_dashboard_chart_version | string |
Check defaults in variables.tf | The Helm chart version of Kubernetes Dashboard (chart repo: https://github.com/kubernetes/dashboard/tree/master/aio/deploy/helm-chart/kubernetes-dashboard) | no |
| kubernetes_dashboard_ingress_enabled | bool |
false |
Enable ingress for Kubernetes Dashboard. | no |
| kubernetes_dashboard_ingress_class | string |
ambassador |
Ingress class for Kubernetes Dashboard. | no |
| kubernetes_dashboard_ingress_hostname | string |
"" |
Ingress hostname for Kubernetes Dashboard. | no |
| efs_enabled | bool |
false |
Deploy AWS EFS CSI driver (https://github.com/kubernetes-sigs/aws-efs-csi-driver) | no |
| aws_efs_chart_version | string |
Check defaults in variables.tf | The Helm chart version of AWS EFS CSI driver (chart repo: https://github.com/kubernetes-sigs/aws-efs-csi-driver/helm) | no |
| fluentbit_cloudwatchlogs_enabled | bool |
false |
Deploy fluent bit for EKS (https://github.com/aws/aws-for-fluent-bit) | no |
| fluentbit_cloudwatchlogs_chart_version | string |
Check defaults in variables.tf | The Helm chart version of AWS for fluent bit Helm chart (https://github.com/aws/eks-charts/tree/master/stable/aws-for-fluent-bit) | no |
| fluentbit_cloudwatchlogs_image_tag | string |
Check defaults in variables.tf | The app version of AWS for fluent bit (https://github.com/aws/aws-for-fluent-bit) | no |
| fluentbit_cloudwatchlogs_log_group_name | string |
"" |
The name of the Log Group used to store all the logs in Cloudwatch Logs | yes (if installed) |
| fluentbit_cloudwatchlogs_retention_in_days | number |
Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | yes (if installed) | |
| fluentbit_cloudwatchlogs_toleration_noschedule | list(string) |
[] |
List of keys to add to pod tolerations (e.g.: mycompany.com/compute_profile). It will be added as 'operator: Exists' and 'effect: NoSchedule' | no |
| cloudwatch_metrics_enabled | bool |
false |
Deploy AWS Cloudwatch metrics agent for EKS (https://github.com/aws/amazon-cloudwatch-agent) | no |
| cloudwatch_metrics_chart_version | string |
Check defaults in variables.tf | The Helm chart version of aws-cloudwatch-metrics Helm chart (https://github.com/aws/eks-charts/tree/master/stable/aws-cloudwatch-metrics). | no |
| cloudwatch_metrics_image_tag | string |
Check defaults in variables.tf | The app version of AWS Cloudwatch metrics agent for EKS (https://github.com/aws/amazon-cloudwatch-agent). | no |
For a complete list please check in the variables.tf file
The module outputs the following:
| Name | Description |
|---|