Add knobs to set control plane network setup and encryption config
Also bumps aws-load-balancer controller to most recent version
michaeljguarino committed Oct 4, 2023
1 parent 7982966 commit 390e1e3
Showing 7 changed files with 50 additions and 18 deletions.
6 changes: 3 additions & 3 deletions bootstrap/helm/bootstrap/Chart.lock
Expand Up @@ -13,7 +13,7 @@ dependencies:
version: 9.25.0
- name: aws-load-balancer-controller
repository: https://aws.github.io/eks-charts
version: 1.4.8
version: 1.6.1
- name: aws-ebs-csi-driver
repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
version: 2.17.1
Expand All @@ -26,5 +26,5 @@ dependencies:
- name: tigera-operator
repository: https://docs.tigera.io/calico/charts
version: v3.25.0
digest: sha256:1d124ca9acb4e93009dfeb4273d149d075616babbad1fe3e5bb6c88540b5f96d
generated: "2023-03-07T15:21:37.729265+01:00"
digest: sha256:b7ee91be180afabfb812e9c8e7f7bfdfd2a1c4ebef9592ccd37e6eadd65409a2
generated: "2023-10-04T16:18:22.110786-04:00"
2 changes: 1 addition & 1 deletion bootstrap/helm/bootstrap/Chart.yaml
Expand Up @@ -30,7 +30,7 @@ dependencies:
repository: https://kubernetes.github.io/autoscaler
- name: aws-load-balancer-controller
condition: aws-load-balancer-controller.enabled
version: 1.4.8
version: 1.6.1
repository: https://aws.github.io/eks-charts
- name: aws-ebs-csi-driver
condition: aws-ebs-csi-driver.enabled
Binary file not shown.
Binary file not shown.
2 changes: 1 addition & 1 deletion bootstrap/helm/bootstrap/values.yaml
Expand Up @@ -64,7 +64,7 @@ aws-load-balancer-controller:
enabled: false
image:
repository: public.ecr.aws/eks/aws-load-balancer-controller # TODO: this should be migrated to our vendored images
tag: v2.4.7
tag: v2.6.1

snapshot-validation-webhook:
enabled: false
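--- a/bootstrap/terraform/aws-bootstrap/main.tf
+++ b/bootstrap/terraform/aws-bootstrap/main.tf
@@ -37,19 +37,23 @@ module "vpc" {
 }
 
 module "cluster" {
-source = "github.com/pluralsh/terraform-aws-eks?ref=output-service-cidr"
-cluster_name = var.cluster_name
-cluster_version = var.kubernetes_version
-private_subnets = local.private_subnet_ids
-public_subnets = local.public_subnet_ids
-worker_private_subnets = local.worker_private_subnet_ids
-vpc_id = local.vpc_id
-enable_irsa = true
-write_kubeconfig = false
-create_eks = var.create_cluster
-cluster_enabled_log_types = var.cluster_enabled_log_types
-cluster_log_retention_in_days = var.cluster_log_retention_in_days
-cluster_log_kms_key_id = var.cluster_log_kms_key_id
+source = "github.com/pluralsh/terraform-aws-eks?ref=output-service-cidr"
+cluster_name = var.cluster_name
+cluster_version = var.kubernetes_version
+private_subnets = local.private_subnet_ids
+public_subnets = local.public_subnet_ids
+worker_private_subnets = local.worker_private_subnet_ids
+vpc_id = local.vpc_id
+enable_irsa = true
+write_kubeconfig = false
+create_eks = var.create_cluster
+cluster_enabled_log_types = var.cluster_enabled_log_types
+cluster_log_retention_in_days = var.cluster_log_retention_in_days
+cluster_log_kms_key_id = var.cluster_log_kms_key_id
+cluster_endpoint_public_access = var.cluster_endpoint_public_access
+cluster_endpoint_private_access = var.cluster_endpoint_private_access
+cluster_encryption_config = var.cluster_encryption_config
+cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
 
 node_groups_defaults = {}
 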
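Review bot: The rewritten `module "cluster"` block still pulls the module from a branch-style ref, `source = "github.com/pluralsh/terraform-aws-eks?ref=output-service-cidr"`, so a later push to that branch silently changes what `terraform apply` provisions, including how the new endpoint and encryption arguments are interpreted. Since this commit already touches every line of the block, it is a good moment to pin `ref=` to a release tag or a full commit SHA and leave a one-line comment recording which upstream version the four new arguments were validated against. A comment above the `cluster_endpoint_*` lines should also state that their defaults come from variables.tf, where public access is enabled and the CIDR allow-list is unrestricted, so a reader of main.tf does not assume the control plane is private by default. The module block continues past the end of the hunk.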
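--- a/bootstrap/terraform/aws-bootstrap/variables.tf
+++ b/bootstrap/terraform/aws-bootstrap/variables.tf
@@ -7,6 +7,34 @@ Name for the vpc for the cluster
 EOF
 }
 
+
+variable "cluster_endpoint_private_access" {
+description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled."
+type = bool
+default = false
+}
+
+variable "cluster_endpoint_public_access" {
+description = "Indicates whether or not the Amazon EKS public API server endpoint is enabled."
+type = bool
+default = true
+}
+
+variable "cluster_endpoint_public_access_cidrs" {
+description = "List of CIDR blocks which can access the Amazon EKS public API server endpoint."
+type = list(string)
+default = ["0.0.0.0/0"]
+}
+
+variable "cluster_encryption_config" {
+description = "Configuration block with encryption configuration for the cluster. See examples/secrets_encryption/main.tf for example format"
+type = list(object({
+provider_key_arn = string
+resources = list(string)
+}))
+default = []
+}
+
 variable "cluster_enabled_log_types" {
 default = []
 description = "A list of the desired control plane logging to enable. Supported options are: api, audit, authenticator, controllerManager, scheduler. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)"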
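Review bot: The defaults on the new endpoint variables leave the EKS API server reachable from any address: `cluster_endpoint_public_access` defaults to `true`, `cluster_endpoint_private_access` to `false`, and `cluster_endpoint_public_access_cidrs` to `["0.0.0.0/0"]`. That presumably preserves the prior behaviour of the module, but the descriptions should say so explicitly, e.g. for the CIDR variable `description = "List of CIDR blocks which can access the Amazon EKS public API server endpoint. Defaults to 0.0.0.0/0 (any address); narrow this to your operator and CI ranges when cluster_endpoint_public_access is true."`. The `cluster_encryption_config` description points readers to `examples/secrets_encryption/main.tf`, which looks like a path carried over from the upstream module rather than one that exists in this repository; either reference the real example or describe the shape inline, such as `[{ provider_key_arn = "<KMS key ARN placeholder>", resources = ["secrets"] }]`. It would also help to note in that description that the empty default means no KMS envelope encryption is configured for Kubernetes secrets unless the caller sets it.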
