From 03e45502ff57998435ea9fbb8f2437d129655714 Mon Sep 17 00:00:00 2001 From: Carlos Santana Date: Wed, 28 Feb 2024 13:28:23 -0500 Subject: [PATCH 01/15] feat: Make gitops-bridge example to use kubectl to deploy addons and workloads (#1886) Signed-off-by: Carlos Santana --- .../gitops/getting-started-argocd/main.tf | 11 -------- .../getting-started-argocd/variables.tf | 12 --------- .../multi-cluster-hub-spoke-argocd/README.md | 26 ++++++++++++++++--- .../hub/bootstrap/workloads.yaml | 3 --- .../hub/main.tf | 7 +---- .../spokes/deploy.sh | 1 + 6 files changed, 25 insertions(+), 35 deletions(-) diff --git a/patterns/gitops/getting-started-argocd/main.tf b/patterns/gitops/getting-started-argocd/main.tf index 8ab48c046e..d58aec88b9 100644 --- a/patterns/gitops/getting-started-argocd/main.tf +++ b/patterns/gitops/getting-started-argocd/main.tf @@ -121,16 +121,6 @@ locals { } ) - argocd_app_of_appsets_addons = var.enable_gitops_auto_addons ? { - addons = file("${path.module}/bootstrap/addons.yaml") - } : {} - argocd_app_of_appsets_workloads = var.enable_gitops_auto_workloads ? { - workloads = file("${path.module}/bootstrap/workloads.yaml") - } : {} - - argocd_apps = merge(local.argocd_app_of_appsets_addons, local.argocd_app_of_appsets_workloads) - - tags = { Blueprint = local.name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" @@ -147,7 +137,6 @@ module "gitops_bridge_bootstrap" { metadata = local.addons_metadata addons = local.addons } - apps = local.argocd_apps } ################################################################################ diff --git a/patterns/gitops/getting-started-argocd/variables.tf b/patterns/gitops/getting-started-argocd/variables.tf index b4c7511302..d0ef0fe9b7 100644 --- a/patterns/gitops/getting-started-argocd/variables.tf +++ b/patterns/gitops/getting-started-argocd/variables.tf 
@@ -74,15 +74,3 @@ variable "gitops_workload_path" { type = string default = "getting-started-argocd/k8s" } - -variable "enable_gitops_auto_addons" { - description = "Automatically deploy addons" - type = bool - default = false -} - -variable "enable_gitops_auto_workloads" { - description = "Automatically deploy addons" - type = bool - default = false -} diff --git a/patterns/gitops/multi-cluster-hub-spoke-argocd/README.md b/patterns/gitops/multi-cluster-hub-spoke-argocd/README.md index cdeabdd22b..d9c20437fb 100644 --- a/patterns/gitops/multi-cluster-hub-spoke-argocd/README.md +++ b/patterns/gitops/multi-cluster-hub-spoke-argocd/README.md @@ -59,7 +59,20 @@ that temporary file with the `kubectl` configuration. This approach offers the advantage of not altering your existing `kubectl` context, allowing you to work in other terminal windows without interference. -### Monitor GitOps Progress for Addons +### Deploy ArgoCD Apps of ApplicationSets for Addons + +This command verifies the initial ArgoCD installation, ArgoCD will be re-configured when the addons are deployed and configured from git. +```shell +kubectl --context hub get all -n argocd +``` +This command creates the application set manifest to deploy the addons. +```shell +kubectl --context hub apply -n argocd -f ../hub/bootstrap/addons.yaml +``` +The application sets defined here will then deploy addons to any spoke clusters provisioned later using Terraform + + +### Monitor GitOps Progress for Addons on Hub EKS Cluster Wait until all the ArgoCD applications' `HEALTH STATUS` is `Healthy`. Use `Ctrl+C` or `Cmd+C` to exit the `watch` command. ArgoCD Applications 
@@ -164,15 +177,22 @@ The output have a section `awsAuthConfig` with the `clusterName` and the `roleAR ### Verify the Addons on Spoke Clusters -Verify that the addons are ready: +The addons on the spoke clusters are deployed using the Application Sets created on the EKS Hub Cluster. Verify that the addons are ready: ```shell for i in dev staging prod ; do echo $i && kubectl --context $i get deployment -n kube-system ; done ``` +### Deploy the sample application to EKS Spoke Clusters + +This command will deploy the application using kubectl to all clusters connected to the hub cluster, using the manifest files in [./hub/bootstrap/workloads.yaml](./hub/bootstrap/workloads.yaml). +```shell +kubectl --context hub apply -n argocd -f ../hub/bootstrap/workloads.yaml +``` + ### Monitor GitOps Progress for Workloads from Hub Cluster (run on Hub Cluster context) -Watch until **all* the Workloads ArgoCD Applications are `Healthy` +Watch until all the Workloads ArgoCD Applications are `Healthy` ```shell kubectl --context hub get -n argocd applications -w diff --git a/patterns/gitops/multi-cluster-hub-spoke-argocd/hub/bootstrap/workloads.yaml b/patterns/gitops/multi-cluster-hub-spoke-argocd/hub/bootstrap/workloads.yaml index c399039367..be5dda868c 100644 --- a/patterns/gitops/multi-cluster-hub-spoke-argocd/hub/bootstrap/workloads.yaml +++ b/patterns/gitops/multi-cluster-hub-spoke-argocd/hub/bootstrap/workloads.yaml @@ -10,9 +10,6 @@ spec: - clusters: selector: matchExpressions: - - key: akuity.io/argo-cd-cluster-name - operator: NotIn - values: [in-cluster] - key: environment operator: NotIn values: [control-plane] diff --git a/patterns/gitops/multi-cluster-hub-spoke-argocd/hub/main.tf b/patterns/gitops/multi-cluster-hub-spoke-argocd/hub/main.tf index 536172751f..1d0b0db541 100644 --- a/patterns/gitops/multi-cluster-hub-spoke-argocd/hub/main.tf +++ b/patterns/gitops/multi-cluster-hub-spoke-argocd/hub/main.tf 
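Review bot: After the `akuity.io/argo-cd-cluster-name NotIn [in-cluster]` expression is dropped, `environment NotIn [control-plane]` is the only selector keeping the sample workloads off the hub, and a NotIn expression also matches a cluster entry that carries no `environment` label at all. If the hub is registered through a labelled cluster secret (the hub's `metadata = local.addons_metadata` in hub/main.tf suggests it is, but the label values are not visible here) this is fine; should ArgoCD's implicit, unlabelled `in-cluster` entry ever be generated instead, this ApplicationSet would deploy the workloads onto the control-plane cluster. Worth recording that assumption next to the selector, e.g. `# the hub is excluded only via its cluster-secret label environment=control-plane; an unlabelled in-cluster entry would not be excluded`, or keeping an explicit exclusion on the hub's cluster name alongside the environment check. The ApplicationSet definition starts before the hunk.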
@@ -118,11 +118,6 @@ locals { } ) - argocd_apps = { - addons = file("${path.module}/bootstrap/addons.yaml") - workloads = file("${path.module}/bootstrap/workloads.yaml") - } - tags = { Blueprint = local.name GithubRepo = "github.com/gitops-bridge-dev/gitops-bridge" @@ -141,7 +136,7 @@ module "gitops_bridge_bootstrap" { metadata = local.addons_metadata addons = local.addons } - apps = local.argocd_apps + argocd = { namespace = local.argocd_namespace } diff --git a/patterns/gitops/multi-cluster-hub-spoke-argocd/spokes/deploy.sh b/patterns/gitops/multi-cluster-hub-spoke-argocd/spokes/deploy.sh index 766cffd8d8..19b47dcd9f 100755 --- a/patterns/gitops/multi-cluster-hub-spoke-argocd/spokes/deploy.sh +++ b/patterns/gitops/multi-cluster-hub-spoke-argocd/spokes/deploy.sh @@ -23,5 +23,6 @@ else fi terraform workspace select $env +terraform workspace list terraform init terraform apply -var-file="workspaces/${env}.tfvars" From 2f5b94d86bd0bc7713660ef2608520a7d728f72f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 07:20:54 -0500 Subject: [PATCH 02/15] chore(deps): Bump github/codeql-action from 3.24.5 to 3.24.6 (#1895) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 88290d77e9..ad06e1297e 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5 + uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 with: sarif_file: results.sarif 
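Review bot: The added `argocd = { namespace = local.argocd_namespace }` references `local.argocd_namespace`, which is not declared in either hunk of this file; the `locals` block starts above the first hunk, so please confirm it is defined there, otherwise `terraform validate` will fail on the hub. With `apps = local.argocd_apps` gone, nothing in main.tf points at `bootstrap/addons.yaml` and `bootstrap/workloads.yaml` any more, so a reader of the Terraform has no hint that those ApplicationSets are now applied out of band; a short comment on the module call such as `# Bootstrap ApplicationSets (bootstrap/*.yaml) are applied with kubectl, see README, not by this module` would keep that discoverable. The same comment is worth adding to patterns/gitops/getting-started-argocd/main.tf, whose module call loses the `apps` argument in the same way.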
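Review bot: The new `terraform workspace list` line is informational only and does nothing about the failure mode on the line before it: if `terraform workspace select $env` fails (for example the workspace for that environment has not been created yet), the script still proceeds to `terraform init` and `terraform apply -var-file="workspaces/${env}.tfvars"` against whatever workspace is currently selected, unless the script head (outside the hunk) sets `set -e`. Making the selection fail loudly avoids applying one environment's tfvars into another environment's state, e.g. `terraform workspace select "$env" || { echo "workspace $env not found" >&2; exit 1; }`, which also quotes `$env` consistently with the apply line.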
From b52080501faa472f81b6dca34c558fd45df8d09a Mon Sep 17 00:00:00 2001 
From: Vijay Chintalapati Date: Mon, 4 Mar 2024 04:07:30 -0800 Subject: [PATCH 03/15] refactor: Removing the existing Istio multi-cluster pattern to prepare for replacement with a refined multi-vpc pattern (#1896) --- docs/patterns/istio-multi-cluster.md | 7 - .../0.certs-tool/.gitignore | 1 - .../0.certs-tool/Makefile.k8s.mk | 102 ------- .../0.certs-tool/Makefile.selfsigned.mk | 98 ------- .../0.certs-tool/README.md | 25 -- .../0.certs-tool/common.mk | 101 ------- .../0.certs-tool/create-certs.sh | 6 - patterns/istio-multi-cluster/0.vpc/main.tf | 122 -------- patterns/istio-multi-cluster/0.vpc/outputs.tf | 24 -- .../istio-multi-cluster/0.vpc/variables.tf | 0 .../istio-multi-cluster/0.vpc/versions.tf | 17 -- .../istio-multi-cluster/1.cluster1/README.md | 249 ---------------- .../istio-multi-cluster/1.cluster1/main.tf | 269 ------------------ .../istio-multi-cluster/1.cluster1/outputs.tf | 36 --- .../1.cluster1/variables.tf | 12 - .../1.cluster1/versions.tf | 25 -- .../istio-multi-cluster/2.cluster2/README.md | 267 ----------------- .../istio-multi-cluster/2.cluster2/main.tf | 269 ------------------ .../istio-multi-cluster/2.cluster2/outputs.tf | 36 --- .../2.cluster2/variables.tf | 12 - .../2.cluster2/versions.tf | 25 -- .../istio-remote-secret.tftpl | 18 -- .../3.istio-multi-primary/main.tf | 98 ------- .../3.istio-multi-primary/outputs.tf | 0 .../3.istio-multi-primary/variables.tf | 0 .../3.istio-multi-primary/versions.tf | 17 -- .../4.test-connectivity/istio-helloworld.yaml | 72 ----- .../4.test-connectivity/istio-sleep.yaml | 67 ----- .../4.test-connectivity/test_connectivity.sh | 46 --- patterns/istio-multi-cluster/README.md | 124 -------- 30 files changed, 2145 deletions(-) delete mode 100644 docs/patterns/istio-multi-cluster.md delete mode 100644 patterns/istio-multi-cluster/0.certs-tool/.gitignore delete mode 100644 patterns/istio-multi-cluster/0.certs-tool/Makefile.k8s.mk delete mode 100644 patterns/istio-multi-cluster/0.certs-tool/Makefile.selfsigned.mk 
delete mode 100644 patterns/istio-multi-cluster/0.certs-tool/README.md delete mode 100644 patterns/istio-multi-cluster/0.certs-tool/common.mk delete mode 100755 patterns/istio-multi-cluster/0.certs-tool/create-certs.sh delete mode 100644 patterns/istio-multi-cluster/0.vpc/main.tf delete mode 100644 patterns/istio-multi-cluster/0.vpc/outputs.tf delete mode 100644 patterns/istio-multi-cluster/0.vpc/variables.tf delete mode 100644 patterns/istio-multi-cluster/0.vpc/versions.tf delete mode 100644 patterns/istio-multi-cluster/1.cluster1/README.md delete mode 100644 patterns/istio-multi-cluster/1.cluster1/main.tf delete mode 100644 patterns/istio-multi-cluster/1.cluster1/outputs.tf delete mode 100644 patterns/istio-multi-cluster/1.cluster1/variables.tf delete mode 100644 patterns/istio-multi-cluster/1.cluster1/versions.tf delete mode 100644 patterns/istio-multi-cluster/2.cluster2/README.md delete mode 100644 patterns/istio-multi-cluster/2.cluster2/main.tf delete mode 100644 patterns/istio-multi-cluster/2.cluster2/outputs.tf delete mode 100644 patterns/istio-multi-cluster/2.cluster2/variables.tf delete mode 100644 patterns/istio-multi-cluster/2.cluster2/versions.tf delete mode 100644 patterns/istio-multi-cluster/3.istio-multi-primary/istio-remote-secret.tftpl delete mode 100644 patterns/istio-multi-cluster/3.istio-multi-primary/main.tf delete mode 100644 patterns/istio-multi-cluster/3.istio-multi-primary/outputs.tf delete mode 100644 patterns/istio-multi-cluster/3.istio-multi-primary/variables.tf delete mode 100644 patterns/istio-multi-cluster/3.istio-multi-primary/versions.tf delete mode 100644 patterns/istio-multi-cluster/4.test-connectivity/istio-helloworld.yaml delete mode 100644 patterns/istio-multi-cluster/4.test-connectivity/istio-sleep.yaml delete mode 100755 patterns/istio-multi-cluster/4.test-connectivity/test_connectivity.sh delete mode 100644 patterns/istio-multi-cluster/README.md 
diff --git a/docs/patterns/istio-multi-cluster.md b/docs/patterns/istio-multi-cluster.md deleted file mode 100644 index edf5f16af7..0000000000 --- a/docs/patterns/istio-multi-cluster.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -title: Istio - Multi-Cluster ---- - -{% - include-markdown "../../patterns/istio-multi-cluster/README.md" -%} diff --git a/patterns/istio-multi-cluster/0.certs-tool/.gitignore b/patterns/istio-multi-cluster/0.certs-tool/.gitignore deleted file mode 100644 index b2290143a4..0000000000 --- a/patterns/istio-multi-cluster/0.certs-tool/.gitignore +++ /dev/null @@ -1 +0,0 @@ -certs diff --git a/patterns/istio-multi-cluster/0.certs-tool/Makefile.k8s.mk b/patterns/istio-multi-cluster/0.certs-tool/Makefile.k8s.mk deleted file mode 100644 index 0a4777e43d..0000000000 --- a/patterns/istio-multi-cluster/0.certs-tool/Makefile.k8s.mk +++ /dev/null 
@@ -1,102 +0,0 @@ -.SUFFIXES: .csr .pem .conf -.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem -.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem -.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf - -.DEFAULT_GOAL := help - -SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST))) - -include $(SELF_DIR)common.mk - -#------------------------------------------------------------------------ -##help: print this help message -.PHONY: help - -help: - @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//' - -#------------------------------------------------------------------------ -##fetch-root-ca: fetch root CA and key from a k8s cluster. -.PHONY: fetch-root-ca -rawcluster := $(shell kubectl config current-context) -cluster := $(subst /,-,$(rawcluster)) -pwd := $(shell pwd) -export KUBECONFIG - -fetch-root-ca: - @echo "fetching root ca from k8s cluster: "$(cluster)"" - @mkdir -p $(pwd)/$(cluster) - @res=$(shell kubectl get secret istio-ca-secret -n $(ISTIO-NAMESPACE) >/dev/null 2>&1; echo $$?) 
-ifeq ($(res), 1) - @kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem - @kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem -else - @kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem - @kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem -endif - -k8s-root-cert.pem: - @cat $(cluster)/k8s-root-cert.pem > $@ - -k8s-root-key.pem: - @cat $(cluster)/k8s-root-key.pem > $@ -#------------------------------------------------------------------------ -##-cacerts: generate intermediate certificates for a cluster or VM with signed with istio root cert from the specified k8s cluster and store them under directory -.PHONY: %-cacerts - -%-cacerts: %/cert-chain.pem - @echo "done" - -%/cert-chain.pem: %/ca-cert.pem k8s-root-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate certs stored in $(dir $<)" - @cp k8s-root-cert.pem $(dir $<)/root-cert.pem - -%/ca-cert.pem: %/cluster-ca.csr k8s-root-key.pem k8s-root-cert.pem - @echo "generating $@" - @openssl x509 -req -days $(INTERMEDIATE_DAYS) \ - -CA k8s-root-cert.pem -CAkey k8s-root-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/intermediate.conf \ - -in $< -out $@ - -%/cluster-ca.csr: L=$(dir $@) -%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf - @echo "generating $@" - @openssl req -new -config $(L)/intermediate.conf -key $< -out $@ - -%/ca-key.pem: fetch-root-ca - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 - -#------------------------------------------------------------------------ -##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` 
using root cert from k8s cluster. -.PHONY: %-certs - -%-certs: fetch-root-ca %/workload-cert-chain.pem k8s-root-cert.pem - @echo "done" - -%/workload-cert-chain.pem: k8s-root-cert.pem %/ca-cert.pem %/workload-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate and workload certs stored in $(dir $<)" - @cp k8s-root-cert.pem $(dir $@)/root-cert.pem - -%/workload-cert.pem: %/workload.csr - @echo "generating $@" - @openssl x509 -req -days $(WORKLOAD_DAYS) \ - -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/workload.conf \ - -in $< -out $@ - -%/workload.csr: L=$(dir $@) -%/workload.csr: %/key.pem %/workload.conf - @echo "generating $@" - @openssl req -new -config $(L)/workload.conf -key $< -out $@ - -%/key.pem: - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 diff --git a/patterns/istio-multi-cluster/0.certs-tool/Makefile.selfsigned.mk b/patterns/istio-multi-cluster/0.certs-tool/Makefile.selfsigned.mk deleted file mode 100644 index 2a87d071f6..0000000000 --- a/patterns/istio-multi-cluster/0.certs-tool/Makefile.selfsigned.mk +++ /dev/null 
@@ -1,98 +0,0 @@ -.SUFFIXES: .csr .pem .conf -.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem -.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem -.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf - -.DEFAULT_GOAL := help - -SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST))) - -include $(SELF_DIR)common.mk - -#------------------------------------------------------------------------ -##help: print this help message -.PHONY: help - -help: - @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//' - -#------------------------------------------------------------------------ -##root-ca: generate root CA files (key and certificate) in current directory. -.PHONY: root-ca - -root-ca: root-key.pem root-cert.pem - -root-cert.pem: root-cert.csr root-key.pem - @echo "generating $@" - @openssl x509 -req -sha256 -days $(ROOTCA_DAYS) -signkey root-key.pem \ - -extensions req_ext -extfile root-ca.conf \ - -in $< -out $@ - -root-cert.csr: root-key.pem root-ca.conf - @echo "generating $@" - @openssl req -sha256 -new -key $< -config root-ca.conf -out $@ - -root-key.pem: - @echo "generating $@" - @openssl genrsa -out $@ 4096 -#------------------------------------------------------------------------ -##-cacerts: generate self signed intermediate certificates for and store them under directory. 
-.PHONY: %-cacerts - -%-cacerts: %/cert-chain.pem - @echo "done" - -%/cert-chain.pem: %/ca-cert.pem root-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate inputs stored in $(dir $<)" - @cp root-cert.pem $(dir $<) - - -%/ca-cert.pem: %/cluster-ca.csr root-key.pem root-cert.pem - @echo "generating $@" - @openssl x509 -req -sha256 -days $(INTERMEDIATE_DAYS) \ - -CA root-cert.pem -CAkey root-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/intermediate.conf \ - -in $< -out $@ - -%/cluster-ca.csr: L=$(dir $@) -%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf - @echo "generating $@" - @openssl req -sha256 -new -config $(L)/intermediate.conf -key $< -out $@ - -%/ca-key.pem: - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 - -#------------------------------------------------------------------------ -##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using self signed root certs. -.PHONY: %-certs - -%-certs: %/ca-cert.pem %/workload-cert-chain.pem root-cert.pem - @echo "done" - -%/workload-cert-chain.pem: %/workload-cert.pem %/ca-cert.pem root-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate and workload certs stored in $(dir $<)" - @cp root-cert.pem $(dir $@)/root-cert.pem - - -%/workload-cert.pem: %/workload.csr - @echo "generating $@" - @openssl x509 -sha256 -req -days $(WORKLOAD_DAYS) \ - -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/workload.conf \ - -in $< -out $@ - -%/workload.csr: L=$(dir $@) -%/workload.csr: %/key.pem %/workload.conf - @echo "generating $@" - @openssl req -sha256 -new -config $(L)/workload.conf -key $< -out $@ - -%/key.pem: - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 
diff --git a/patterns/istio-multi-cluster/0.certs-tool/README.md b/patterns/istio-multi-cluster/0.certs-tool/README.md deleted file mode 100644 index ad6dd42c21..0000000000 --- a/patterns/istio-multi-cluster/0.certs-tool/README.md +++ /dev/null 
@@ -1,25 +0,0 @@ -# Generating Certificates for Bootstrapping Multi-cluster / Mesh Expansion Chain of Trust - -The directory contains two Makefiles for generating new root, intermediate certificates and workload certificates: -- `Makefile.k8s.mk`: Creates certificates based on a root-ca from a k8s cluster. The current context in the default `kubeconfig` is used for accessing the cluster. -- `Makefile.selfsigned.mk`: Creates certificates based on a generated self-signed root. - -The table below describes the targets supported by both Makefiles. - -Make Target | Makefile | Description ------- | -------- | ----------- -`root-ca` | `Makefile.selfsigned.mk` | Generates a self-signed root CA key and certificate. -`fetch-root-ca` | `Makefile.k8s.mk` | Fetches the Istio CA from the Kubernetes cluster, using the current context in the default `kubeconfig`. -`$NAME-cacerts` | Both | Generates intermediate certificates signed by the root CA for a cluster or VM with `$NAME` (e.g., `us-east`, `cluster01`, etc.). They are stored under `$NAME` directory. To differentiate between clusters, we include a `Location` (`L`) designation in the certificates `Subject` field, with the cluster's name. -`$NAMESPACE-certs` | Both | Generates intermediate certificates and sign certificates for a virtual machine connected to the namespace `$NAMESPACE` using serviceAccount `$SERVICE_ACCOUNT` using the root cert and store them under `$NAMESPACE` directory. -`clean` | Both | Removes any generated root certificates, keys, and intermediate files. - -For example: - -```bash -make -f Makefile.selfsigned.mk root-ca -``` - -Note that the Makefile generates long-lived intermediate certificates. While this might be -acceptable for demonstration purposes, a more realistic and secure deployment would use -short-lived and automatically renewed certificates for the intermediate CAs. 
diff --git a/patterns/istio-multi-cluster/0.certs-tool/common.mk b/patterns/istio-multi-cluster/0.certs-tool/common.mk deleted file mode 100644 index ba3f90c9d5..0000000000 --- a/patterns/istio-multi-cluster/0.certs-tool/common.mk +++ /dev/null 
@@ -1,101 +0,0 @@ -#------------------------------------------------------------------------ -# variables: root CA -ROOTCA_DAYS ?= 3650 -ROOTCA_KEYSZ ?= 4096 -ROOTCA_ORG ?= Istio -ROOTCA_CN ?= Root CA -KUBECONFIG ?= $(HOME)/.kube/config -ISTIO_NAMESPACE ?= istio-system -# Additional variables are defined in root-ca.conf target below. - -#------------------------------------------------------------------------ -# variables: intermediate CA -INTERMEDIATE_DAYS ?= 3650 -INTERMEDIATE_KEYSZ ?= 4096 -INTERMEDIATE_ORG ?= Istio -INTERMEDIATE_CN ?= Intermediate CA -INTERMEDIATE_SAN_DNS ?= istiod.istio-system.svc -# Additional variables are defined in %/intermediate.conf target below. - -#------------------------------------------------------------------------ -# variables: workload certs: eg VM -WORKLOAD_DAYS ?= 1 -SERVICE_ACCOUNT ?= default -WORKLOAD_CN ?= Workload - -#------------------------------------------------------------------------ -# variables: files to clean -FILES_TO_CLEAN+=k8s-root-cert.pem \ - k8s-root-cert.srl \ - k8s-root-key.pem root-ca.conf root-cert.csr root-cert.pem root-cert.srl root-key.pem -#------------------------------------------------------------------------ -# clean -.PHONY: clean - -clean: ## Cleans all the intermediate files and folders previously generated. 
- @rm -f $(FILES_TO_CLEAN) - -root-ca.conf: - @echo "[ req ]" > $@ - @echo "encrypt_key = no" >> $@ - @echo "prompt = no" >> $@ - @echo "utf8 = yes" >> $@ - @echo "default_md = sha256" >> $@ - @echo "default_bits = $(ROOTCA_KEYSZ)" >> $@ - @echo "req_extensions = req_ext" >> $@ - @echo "x509_extensions = req_ext" >> $@ - @echo "distinguished_name = req_dn" >> $@ - @echo "[ req_ext ]" >> $@ - @echo "subjectKeyIdentifier = hash" >> $@ - @echo "basicConstraints = critical, CA:true" >> $@ - @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@ - @echo "[ req_dn ]" >> $@ - @echo "O = $(ROOTCA_ORG)" >> $@ - @echo "CN = $(ROOTCA_CN)" >> $@ - -%/intermediate.conf: L=$(dir $@) -%/intermediate.conf: - @echo "[ req ]" > $@ - @echo "encrypt_key = no" >> $@ - @echo "prompt = no" >> $@ - @echo "utf8 = yes" >> $@ - @echo "default_md = sha256" >> $@ - @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@ - @echo "req_extensions = req_ext" >> $@ - @echo "x509_extensions = req_ext" >> $@ - @echo "distinguished_name = req_dn" >> $@ - @echo "[ req_ext ]" >> $@ - @echo "subjectKeyIdentifier = hash" >> $@ - @echo "basicConstraints = critical, CA:true, pathlen:0" >> $@ - @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@ - @echo "subjectAltName=@san" >> $@ - @echo "[ san ]" >> $@ - @echo "DNS.1 = $(INTERMEDIATE_SAN_DNS)" >> $@ - @echo "[ req_dn ]" >> $@ - @echo "O = $(INTERMEDIATE_ORG)" >> $@ - @echo "CN = $(INTERMEDIATE_CN)" >> $@ - @echo "L = $(L:/=)" >> $@ - -%/workload.conf: L=$(dir $@) -%/workload.conf: - @echo "[ req ]" > $@ - @echo "encrypt_key = no" >> $@ - @echo "prompt = no" >> $@ - @echo "utf8 = yes" >> $@ - @echo "default_md = sha256" >> $@ - @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@ - @echo "req_extensions = req_ext" >> $@ - @echo "x509_extensions = req_ext" >> $@ - @echo "distinguished_name = req_dn" >> $@ - @echo "[ req_ext ]" >> $@ - @echo "subjectKeyIdentifier = hash" >> $@ - 
@echo "basicConstraints = critical, CA:false" >> $@ - @echo "keyUsage = digitalSignature, keyEncipherment" >> $@ - @echo "extendedKeyUsage = serverAuth, clientAuth" >> $@ - @echo "subjectAltName=@san" >> $@ - @echo "[ san ]" >> $@ - @echo "URI.1 = spiffe://cluster.local/ns/$(L)sa/$(SERVICE_ACCOUNT)" >> $@ - @echo "[ req_dn ]" >> $@ - @echo "O = $(INTERMEDIATE_ORG)" >> $@ - @echo "CN = $(WORKLOAD_CN)" >> $@ - @echo "L = $(L:/=)" >> $@ diff --git a/patterns/istio-multi-cluster/0.certs-tool/create-certs.sh b/patterns/istio-multi-cluster/0.certs-tool/create-certs.sh deleted file mode 100755 index 10a976abf6..0000000000 --- a/patterns/istio-multi-cluster/0.certs-tool/create-certs.sh +++ /dev/null @@ -1,6 +0,0 @@ -# https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/#plug-in-certificates-and-key-into-the-cluster -mkdir certs -cd certs -make -f ../Makefile.selfsigned.mk root-ca -make -f ../Makefile.selfsigned.mk cluster-1-cacerts -make -f ../Makefile.selfsigned.mk cluster-2-cacerts diff --git a/patterns/istio-multi-cluster/0.vpc/main.tf b/patterns/istio-multi-cluster/0.vpc/main.tf deleted file mode 100644 index 79e24b7e61..0000000000 --- a/patterns/istio-multi-cluster/0.vpc/main.tf +++ /dev/null 
@@ -1,122 +0,0 @@ -provider "aws" { - region = local.region -} - -data "aws_availability_zones" "available" {} - -locals { - cluster_name = format("%s-%s", basename(path.cwd), "shared") - region = "eu-west-1" - - vpc_cidr = "10.0.0.0/16" - azs = slice(data.aws_availability_zones.available.names, 0, 3) - - tags = { - Blueprint = local.cluster_name - GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" - } -} - -################################################################################ -# VPC -################################################################################ - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "~> 5.0" - - name = local.cluster_name - cidr = local.vpc_cidr - - azs = local.azs - private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] - public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] - - enable_nat_gateway = true - single_nat_gateway = true - - public_subnet_tags = { - "kubernetes.io/role/elb" = 1 - } - - private_subnet_tags = { - "kubernetes.io/role/internal-elb" = 1 - } - - tags = local.tags -} - -################################################################################ -# Cluster 1 additional security group for cross cluster communication -################################################################################ - -resource "aws_security_group" "cluster1_additional_sg" { - name = "cluster1_additional_sg" - description = "Allow communication from cluster2 SG to cluster1 SG" - vpc_id = module.vpc.vpc_id - tags = { - Name = "cluster1_additional_sg" - } -} - -resource "aws_vpc_security_group_egress_rule" "cluster1_additional_sg_allow_all_4" { - security_group_id = aws_security_group.cluster1_additional_sg.id - - ip_protocol = "-1" - cidr_ipv4 = "0.0.0.0/0" -} - -resource "aws_vpc_security_group_egress_rule" "cluster1_additional_sg_allow_all_6" { - security_group_id = aws_security_group.cluster1_additional_sg.id - - ip_protocol = "-1" - 
cidr_ipv6 = "::/0" -} - -################################################################################ -# Cluster 2 additional security group for cross cluster communication -################################################################################ - -resource "aws_security_group" "cluster2_additional_sg" { - name = "cluster2_additional_sg" - description = "Allow communication from cluster1 SG to cluster2 SG" - vpc_id = module.vpc.vpc_id - tags = { - Name = "cluster2_additional_sg" - } -} - -resource "aws_vpc_security_group_egress_rule" "cluster2_additional_sg_allow_all_4" { - security_group_id = aws_security_group.cluster2_additional_sg.id - - ip_protocol = "-1" - cidr_ipv4 = "0.0.0.0/0" -} -resource "aws_vpc_security_group_egress_rule" "cluster2_additional_sg_allow_all_6" { - security_group_id = aws_security_group.cluster2_additional_sg.id - - ip_protocol = "-1" - cidr_ipv6 = "::/0" -} - -################################################################################ -# cross SG ingress rules Cluster 2 allow to cluster 1 -################################################################################ - -resource "aws_vpc_security_group_ingress_rule" "cluster2_to_cluster_1" { - security_group_id = aws_security_group.cluster1_additional_sg.id - - referenced_security_group_id = aws_security_group.cluster2_additional_sg.id - ip_protocol = "-1" -} - -################################################################################ -# cross SG ingress rules Cluster 1 allow to cluster 2 -################################################################################ - -resource "aws_vpc_security_group_ingress_rule" "cluster1_to_cluster_2" { - security_group_id = aws_security_group.cluster2_additional_sg.id - - referenced_security_group_id = aws_security_group.cluster1_additional_sg.id - ip_protocol = "-1" -} 
diff --git a/patterns/istio-multi-cluster/0.vpc/outputs.tf b/patterns/istio-multi-cluster/0.vpc/outputs.tf deleted file mode 100644 index c6cbe85746..0000000000 --- a/patterns/istio-multi-cluster/0.vpc/outputs.tf +++ /dev/null @@ -1,24 +0,0 @@ -output "vpc_id" { - description = "Amazon EKS VPC ID" - value = module.vpc.vpc_id -} - -output "subnet_ids" { - description = "Amazon EKS Subnet IDs" - value = module.vpc.private_subnets -} - -output "vpc_cidr" { - description = "Amazon EKS VPC CIDR Block." - value = local.vpc_cidr -} - -output "cluster1_additional_sg_id" { - description = "Cluster1 additional SG" - value = aws_security_group.cluster1_additional_sg.id -} - -output "cluster2_additional_sg_id" { - description = "Cluster2 additional SG" - value = aws_security_group.cluster2_additional_sg.id -} diff --git a/patterns/istio-multi-cluster/0.vpc/variables.tf b/patterns/istio-multi-cluster/0.vpc/variables.tf deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/patterns/istio-multi-cluster/0.vpc/versions.tf b/patterns/istio-multi-cluster/0.vpc/versions.tf deleted file mode 100644 index 6cbf2a99e8..0000000000 --- a/patterns/istio-multi-cluster/0.vpc/versions.tf +++ /dev/null @@ -1,17 +0,0 @@ -terraform { - required_version = ">= 1.0" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.47" - } - } - - # ## Used for end-to-end testing on project; update to suit your needs - # backend "s3" { - # bucket = "" - # region = "" - # key = "e2e/istio-multi-cluster-vpc/terraform.tfstate" - # } -} diff --git a/patterns/istio-multi-cluster/1.cluster1/README.md b/patterns/istio-multi-cluster/1.cluster1/README.md deleted file mode 100644 index 695f28a43f..0000000000 --- a/patterns/istio-multi-cluster/1.cluster1/README.md +++ /dev/null 
@@ -1,249 +0,0 @@ -# Amazon EKS Cluster w/ Istio - -This example shows how to provision an EKS cluster with Istio. - -* Deploy EKS Cluster with one managed node group in an VPC -* Add node_security_group rules for port access required for Istio communication -* Install Istio using Helm resources in Terraform -* Install Istio Ingress Gateway using Helm resources in Terraform -* Deploy/Validate Istio communication using sample application - -Refer to the [documentation](https://istio.io/latest/docs/concepts/) for `Istio` concepts. - -## Prerequisites: - -Ensure that you have the following tools installed locally: - -1. [aws cli](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) -2. [kubectl](https://Kubernetes.io/docs/tasks/tools/) -3. [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) - -## Deploy - -To provision this example: - -```sh -terraform init -terraform apply -``` - -Enter `yes` at command prompt to apply - -## Validate - -The following command will update the `kubeconfig` on your local machine and allow you to interact with your EKS Cluster using `kubectl` to validate the deployment. - -1. Run `update-kubeconfig` command: - -```sh -aws eks --region update-kubeconfig --name -``` - -2. List the nodes running currently - -```sh -kubectl get nodes -``` - -``` -# Output should look like below -NAME STATUS ROLES AGE VERSION -ip-10-0-22-173.ec2.internal Ready 48m v1.27.3-eks-a5565ad -``` - -3. 
List out the pods running currently: - -```sh -kubectl get pods,svc -n istio-system -``` - -``` -# Output should look like below -NAME READY STATUS RESTARTS AGE -pod/istio-ingress-6f7c5dffd8-4kww 1/1 Running 0 48m -pod/istiod-ff577f8b8-t9ww2 1/1 Running 0 48m - -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -service/istio-ingress LoadBalancer 172.20.100.3 a59363808e78d46d59bf3378cafffcec-a12f9c78cb607b6b.elb.us-east-1.amazonaws.com 15021:32118/TCP,80:32740/TCP,443:30624/TCP 48m -service/istiod ClusterIP 172.20.249.63 15010/TCP,15012/TCP,443/TCP,15014/TCP 48m -``` - -4. Verify all the helm releases installed for Istio: - -```sh -helm list -n istio-system -``` - -``` -# Output should look like below -NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION -istio-base istio-system 1 2023-07-19 11:05:41.599921 -0700 PDT deployed base-1.18.1 1.18.1 -istio-ingress istio-system 1 2023-07-19 11:06:03.41609 -0700 PDT deployed gateway-1.18.1 1.18.1 -istiod istio-system 1 2023-07-19 11:05:48.087616 -0700 PDT deployed istiod-1.18.1 1.18.1 -``` - -## Test - -1. Create the sample namespace and enable the sidecar injection for this namespace - -```sh -kubectl create namespace sample -kubectl label namespace sample istio-injection=enabled -``` - -``` -namespace/sample created -namespace/sample labeled -``` - -2. 
Deploy helloworld app - -```sh -cat < helloworld.yaml -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - port: 5000 - name: http - selector: - app: helloworld ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: helloworld-v1 - labels: - app: helloworld - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: helloworld - version: v1 - template: - metadata: - labels: - app: helloworld - version: v1 - spec: - containers: - - name: helloworld - image: docker.io/istio/examples-helloworld-v1 - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent #Always - ports: - - containerPort: 5000 -EOF - -kubectl apply -f helloworld.yaml -n sample -``` - -``` -service/helloworld created -deployment.apps/helloworld-v1 created -``` - -3. Deploy sleep app that we will use to connect to helloworld app - -```sh -cat < sleep.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: sleep ---- -apiVersion: v1 -kind: Service -metadata: - name: sleep - labels: - app: sleep - service: sleep -spec: - ports: - - port: 80 - name: http - selector: - app: sleep ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sleep -spec: - replicas: 1 - selector: - matchLabels: - app: sleepdocs/blueprints/argocd.md - template: - metadata: - labels: - app: sleep - spec: - terminationGracePeriodSeconds: 0 - serviceAccountName: sleep - containers: - - name: sleep - image: curlimages/curl - command: ["/bin/sleep", "infinity"] - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /etc/sleep/tls - name: secret-volume - volumes: - - name: secret-volume - secret: - secretName: sleep-secret - optional: true -EOF - -kubectl apply -f sleep.yaml -n sample -``` - -``` -serviceaccount/sleep created -service/sleep created -deployment.apps/sleep created -``` - -4. 
Check all the pods in the `sample` namespace - -```sh -kubectl get pods -n sample -``` -``` -NAME READY STATUS RESTARTS AGE -helloworld-v1-b6c45f55-bx2xk 2/2 Running 0 50s -sleep-9454cc476-p2zxr 2/2 Running 0 15s -``` -5. Connect to helloworld app from sleep app and see the connectivity is using envoy proxy - -```sh -kubectl exec -n sample -c sleep \ - "$(kubectl get pod -n sample -l \ - app=sleep -o jsonpath='{.items[0].metadata.name}')" \ - -- curl -v helloworld.sample:5000/hello -``` -``` -* processing: helloworld.sample:5000/hello - ... -* Connection #0 to host helloworld.sample left intact -``` - -## Destroy - -To teardown and remove the resources created in this example: - -```sh -terraform destroy -target="module.eks_blueprints_addons" -auto-approve -terraform destroy -auto-approve -``` diff --git a/patterns/istio-multi-cluster/1.cluster1/main.tf b/patterns/istio-multi-cluster/1.cluster1/main.tf deleted file mode 100644 index 0fcb4b57f1..0000000000 --- a/patterns/istio-multi-cluster/1.cluster1/main.tf +++ /dev/null 
@@ -1,269 +0,0 @@
-provider "aws" {
- region = local.region
-}
-
-data "terraform_remote_state" "vpc" {
- backend = "local"
-
- config = {
- path = "${path.module}/../0.vpc/terraform.tfstate"
- }
-}
-
-provider "kubernetes" {
- host = module.eks.cluster_endpoint
- cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
- }
-}
-
-provider "helm" {
- kubernetes {
- host = module.eks.cluster_endpoint
- cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
- }
- }
-}
-
-locals {
- cluster_name = var.name
- region = var.region
-
- cluster1_additional_sg_id = data.terraform_remote_state.vpc.outputs.cluster1_additional_sg_id
- cluster2_additional_sg_id = data.terraform_remote_state.vpc.outputs.cluster2_additional_sg_id
-
- istio_chart_url = "https://istio-release.storage.googleapis.com/charts"
- istio_chart_version = "1.18.2"
-
- tags = {
- Blueprint = local.cluster_name
- GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints"
- }
-}
-
-################################################################################
-# Cluster
-################################################################################
-
-module "eks" {
- source = "terraform-aws-modules/eks/aws"
- version = "~> 19.16"
-
- cluster_name = local.cluster_name
- cluster_version = "1.27"
- cluster_endpoint_public_access = true
-
- # EKS Addons
- cluster_addons = {
- coredns = {}
- kube-proxy = {}
- vpc-cni = {}
- }
-
- vpc_id = data.terraform_remote_state.vpc.outputs.vpc_id
- subnet_ids = data.terraform_remote_state.vpc.outputs.subnet_ids
-
- eks_managed_node_groups = {
- cluster1 = {
- instance_types = ["m5.large"]
-
- min_size = 1
- max_size = 5
- desired_size = 2
- vpc_security_group_ids = [local.cluster1_additional_sg_id]
- }
- }
-
- # SG Rule for nodes in cluster 2 to be able to reach to the cluster1 control plane
- cluster_security_group_additional_rules = {
- ingress_allow_from_other_cluster = {
- description = "Access EKS from EC2 instances in other cluster."
- protocol = "tcp"
- from_port = 443
- to_port = 443
- type = "ingress"
- source_security_group_id = local.cluster2_additional_sg_id
- }
- }
-
- # EKS K8s API cluster needs to be able to talk with the EKS worker nodes with port 15017/TCP and 15012/TCP which is used by Istio
- # Istio in order to create sidecar needs to be able to communicate with webhook and for that network passage to EKS is needed.
- node_security_group_additional_rules = {
- ingress_15017 = {
- description = "Cluster API - Istio Webhook namespace.sidecar-injector.istio.io"
- protocol = "TCP"
- from_port = 15017
- to_port = 15017
- type = "ingress"
- source_cluster_security_group = true
- }
- ingress_15012 = {
- description = "Cluster API to nodes ports/protocols"
- protocol = "TCP"
- from_port = 15012
- to_port = 15012
- type = "ingress"
- source_cluster_security_group = true
- }
- }
-
- tags = local.tags
-}
-
-################################################################################
-# EKS Blueprints Addons
-################################################################################
-
-module "addons" {
- source = "aws-ia/eks-blueprints-addons/aws"
- version = "~> 1.0"
-
- cluster_name = module.eks.cluster_name
- cluster_endpoint = module.eks.cluster_endpoint
- cluster_version = module.eks.cluster_version
- oidc_provider_arn = module.eks.oidc_provider_arn
-
- # This is required to expose Istio Ingress Gateway
- enable_aws_load_balancer_controller = true
- enable_cert_manager = true
-
- tags = local.tags
-}
-
-################################################################################
-# Istio
-################################################################################
-
-resource "kubernetes_namespace" "istio_system" {
- metadata {
- name = "istio-system"
- labels = {
- istio-injection = "enabled"
- }
- }
-}
-
-resource "helm_release" "istio_base" {
-
- repository = local.istio_chart_url
- chart = "base"
- name = "istio-base"
- namespace = kubernetes_namespace.istio_system.metadata[0].name
- version = local.istio_chart_version
- wait = false
-
- depends_on = [
- module.addons
- ]
-}
-
-resource "helm_release" "istiod" {
- repository = local.istio_chart_url
- chart = "istiod"
- name = "istiod"
- namespace = helm_release.istio_base.metadata[0].namespace
- version = local.istio_chart_version
- wait = false
-
- set {
- name = "meshConfig.accessLogFile"
- value = "/dev/stdout"
- }
-
- set {
- name = "global.multiCluster.clusterName"
- value = local.cluster_name
- }
-
- set {
- name = "global.meshID"
- value = local.cluster_name
- }
-
- set {
- name = "global.network"
- value = local.cluster_name
- }
-}
-
-resource "helm_release" "istio_ingress" {
- repository = local.istio_chart_url
- chart = "gateway"
- name = "istio-ingress"
- namespace = helm_release.istiod.metadata[0].namespace
- version = local.istio_chart_version
- wait = false
-
- values = [
- yamlencode(
- {
- labels = {
- istio = "ingressgateway"
- }
- service = {
- annotations = {
- "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"
- "service.beta.kubernetes.io/aws-load-balancer-scheme" = "internet-facing"
- }
- }
- }
- )
- ]
-}
-
-################################################################################
-# Isito certs for cross-cluster traffice
-# https://istio.io/latest/docs/ops/deployment/deployment-models/#trust-within-a-mesh
-# https://istio.io/latest/docs/ops/diagnostic-tools/multicluster/#trust-configuration
-################################################################################
-
-resource "kubernetes_secret" "cacerts" {
- metadata {
- name = "cacerts"
- namespace = "istio-system"
- }
-
- data = {
- "ca-cert.pem" = file("${path.module}/../certs-tool/certs/${local.cluster_name}/ca-cert.pem")
- "ca-key.pem" = file("${path.module}/../certs-tool/certs/${local.cluster_name}/ca-key.pem")
- "root-cert.pem" = file("${path.module}/../certs-tool/certs/${local.cluster_name}/root-cert.pem")
- "cert-chain.pem" = file("${path.module}/../certs-tool/certs/${local.cluster_name}/cert-chain.pem")
- }
-}
-
-################################################################################
-# Data source for Istio reader token
-################################################################################
-
-resource "kubernetes_secret" "istio_reader" {
- depends_on = [module.addons, helm_release.istiod]
-
- metadata {
- annotations = {
- "kubernetes.io/service-account.name" = "istio-reader-service-account"
- }
- name = "istio-reader-service-account-istio-remote-secret-token"
- namespace = "istio-system"
- }
-
- type = "kubernetes.io/service-account-token"
-}
-
-data "kubernetes_secret" "istio_reader" {
- depends_on = [kubernetes_secret.istio_reader]
- metadata {
- name = "istio-reader-service-account-istio-remote-secret-token"
- namespace = "istio-system"
- }
-}
diff --git a/patterns/istio-multi-cluster/1.cluster1/outputs.tf b/patterns/istio-multi-cluster/1.cluster1/outputs.tf
deleted file mode 100644
index 547f279483..0000000000
--- a/patterns/istio-multi-cluster/1.cluster1/outputs.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-output "configure_kubectl" {
- description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
- value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}"
-}
-
-output "istio_reader_token" {
- description = "Istio token for cross cluster auth"
- value = data.kubernetes_secret.istio_reader.data["token"]
- sensitive = true
-}
-
-output "istio_reader_cacert" {
- description = "Istio token for cross cluster auth"
- value = data.kubernetes_secret.istio_reader.data["ca.crt"]
- sensitive = true
-}
-
-output "cluster_endpoint" {
- description = "Cluster endpoint"
- value = module.eks.cluster_endpoint
-}
-
-output "cluster_certificate_authority_data" {
- description = "Cluster ca certificate"
- value = module.eks.cluster_certificate_authority_data
-}
-
-output "cluster_name" {
- description = "Cluster name"
- value = module.eks.cluster_name
-}
-
-output "cluster_region" {
- description = "Cluster region"
- value = local.region
-}
diff --git a/patterns/istio-multi-cluster/1.cluster1/variables.tf b/patterns/istio-multi-cluster/1.cluster1/variables.tf
deleted file mode 100644
index cda81ee812..0000000000
--- a/patterns/istio-multi-cluster/1.cluster1/variables.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-
-variable "name" {
- description = "cluster name"
- type = string
- default = "cluster-1"
-}
-
-variable "region" {
- description = "cluster name"
- type = string
- default = "eu-west-1"
-}
diff --git a/patterns/istio-multi-cluster/1.cluster1/versions.tf b/patterns/istio-multi-cluster/1.cluster1/versions.tf
deleted file mode 100644
index 07b68ccbe0..0000000000
--- a/patterns/istio-multi-cluster/1.cluster1/versions.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-terraform {
- required_version = ">= 1.0"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 4.47"
- }
- helm = {
- source = "hashicorp/helm"
- version = ">= 2.9"
- }
- kubernetes = {
- source = "hashicorp/kubernetes"
- version = ">= 2.20"
- }
- }
-
- # ## Used for end-to-end testing on project; update to suit your needs
- # backend "s3" {
- # bucket = ""
- # region = ""
- # key = "e2e/istio-multi-cluster-vpc/terraform.tfstate"
- # }
-}
diff --git a/patterns/istio-multi-cluster/2.cluster2/README.md b/patterns/istio-multi-cluster/2.cluster2/README.md
deleted file mode 100644
index 45f0bb03bd..0000000000
--- a/patterns/istio-multi-cluster/2.cluster2/README.md
+++ /dev/null
@@ -1,267 +0,0 @@ -# Amazon EKS Cluster w/ Istio - -This example shows how to provision an EKS cluster with Istio. - -* Deploy EKS Cluster with one managed node group in an VPC -* Add node_security_group rules for port access required for Istio communication -* Install Istio using Helm resources in Terraform -* Install Istio Ingress Gateway using Helm resources in Terraform -* Deploy/Validate Istio communication using sample application - -Refer to the [documentation](https://istio.io/latest/docs/concepts/) for `Istio` concepts. - -## Prerequisites: - -Ensure that you have the following tools installed locally: - -1. [aws cli](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) -2. [kubectl](https://Kubernetes.io/docs/tasks/tools/) -3. [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) - -## Deploy - -To provision this example: - -```sh -terraform init -terraform apply -``` - -Enter `yes` at command prompt to apply - -## Validate - -The following command will update the `kubeconfig` on your local machine and allow you to interact with your EKS Cluster using `kubectl` to validate the deployment. - -1. Run `update-kubeconfig` command: - -```sh -aws eks --region update-kubeconfig --name -``` - -2. List the nodes running currently - -```sh -kubectl get nodes -``` - -``` -# Output should look like below -NAME STATUS ROLES AGE VERSION -ip-10-0-22-173.ec2.internal Ready 48m v1.27.3-eks-a5565ad -``` - -3. 
List out the pods running currently: - -```sh -kubectl get pods,svc -n istio-system -``` - -``` -# Output should look like below -NAME READY STATUS RESTARTS AGE -pod/istio-ingress-6f7c5dffd8-chkww 1/1 Running 0 48m -pod/istiod-ff577f8b8-t9ww2 1/1 Running 0 48m - -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -service/istio-ingress LoadBalancer 172.20.100.3 a59363808e78d46d59bf3378cafffcec-a12f9c78cb607b6b.elb.us-east-1.amazonaws.com 15021:32118/TCP,80:32740/TCP,443:30624/TCP 48m -service/istiod ClusterIP 172.20.249.63 15010/TCP,15012/TCP,443/TCP,15014/TCP 48m -``` - -4. Verify all the helm releases installed for Istio: - -```sh -helm list -n istio-system -``` - -``` -# Output should look like below -NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION -istio-base istio-system 1 2023-07-19 11:05:41.599921 -0700 PDT deployed base-1.18.1 1.18.1 -istio-ingress istio-system 1 2023-07-19 11:06:03.41609 -0700 PDT deployed gateway-1.18.1 1.18.1 -istiod istio-system 1 2023-07-19 11:05:48.087616 -0700 PDT deployed istiod-1.18.1 1.18.1 -``` - -## Test - -1. Create the sample namespace and enable the sidecar injection for this namespace - -```sh -kubectl create namespace sample -kubectl label namespace sample istio-injection=enabled -``` - -``` -namespace/sample created -namespace/sample labeled -``` - -2. 
Deploy helloworld app - -```sh -cat < helloworld.yaml -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - port: 5000 - name: http - selector: - app: helloworld ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: helloworld-v1 - labels: - app: helloworld - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: helloworld - version: v1 - template: - metadata: - labels: - app: helloworld - version: v1 - spec: - containers: - - name: helloworld - image: docker.io/istio/examples-helloworld-v1 - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent #Always - ports: - - containerPort: 5000 -EOF - -kubectl apply -f helloworld.yaml -n sample -``` - -``` -service/helloworld created -deployment.apps/helloworld-v1 created -``` - -3. Deploy sleep app that we will use to connect to helloworld app - -```sh -cat < sleep.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: sleep ---- -apiVersion: v1 -kind: Service -metadata: - name: sleep - labels: - app: sleep - service: sleep -spec: - ports: - - port: 80 - name: http - selector: - app: sleep ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sleep -spec: - replicas: 1 - selector: - matchLabels: - app: sleepdocs/blueprints/argocd.md - template: - metadata: - labels: - app: sleep - spec: - terminationGracePeriodSeconds: 0 - serviceAccountName: sleep - containers: - - name: sleep - image: curlimages/curl - command: ["/bin/sleep", "infinity"] - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /etc/sleep/tls - name: secret-volume - volumes: - - name: secret-volume - secret: - secretName: sleep-secret - optional: true -EOF - -kubectl apply -f sleep.yaml -n sample -``` - -``` -serviceaccount/sleep created -service/sleep created -deployment.apps/sleep created -``` - -4. 
Check all the pods in the `sample` namespace - -```sh -kubectl get pods -n sample -``` -``` -NAME READY STATUS RESTARTS AGE -helloworld-v1-b6c45f55-bx2xk 2/2 Running 0 50s -sleep-9454cc476-p2zxr 2/2 Running 0 15s -``` -5. Connect to helloworld app from sleep app and see the connectivity is using envoy proxy - -```sh -kubectl exec -n sample -c sleep \ - "$(kubectl get pod -n sample -l \ - app=sleep -o jsonpath='{.items[0].metadata.name}')" \ - -- curl -v helloworld.sample:5000/hello -``` -``` -* processing: helloworld.sample:5000/hello - % Total % Received % Xferd Average Speed Time Time Time Current - Dload Upload Total Spent Left Speed - 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 172.20.26.38:5000... -* Connected to helloworld.sample (172.20.26.38) port 5000 -> GET /hello HTTP/1.1 -> Host: helloworld.sample:5000 -> User-Agent: curl/8.2.0 -> Accept: */* -> -< HTTP/1.1 200 OK -< server: envoy -< date: Fri, 21 Jul 2023 18:56:09 GMT -< content-type: text/html; charset=utf-8 -< content-length: 58 -< x-envoy-upstream-service-time: 142 -< -{ [58 bytes data] -100 58 100 58 Hello version: v1, instance: helloworld-v1-b6c45f55-h592c - 0 0 392 0 --:--:-- --:--:-- --:--:-- 394 -* Connection #0 to host helloworld.sample left intact -``` - -## Destroy - -To teardown and remove the resources created in this example: - -```sh -terraform destroy -target="module.eks_blueprints_addons" -auto-approve -terraform destroy -auto-approve -``` diff --git a/patterns/istio-multi-cluster/2.cluster2/main.tf b/patterns/istio-multi-cluster/2.cluster2/main.tf deleted file mode 100644 index 27956e249e..0000000000 --- a/patterns/istio-multi-cluster/2.cluster2/main.tf +++ /dev/null 
@@ -1,269 +0,0 @@
-provider "aws" {
- region = local.region
-}
-
-data "terraform_remote_state" "vpc" {
- backend = "local"
-
- config = {
- path = "${path.module}/../0.vpc/terraform.tfstate"
- }
-}
-
-provider "kubernetes" {
- host = module.eks.cluster_endpoint
- cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
- }
-}
-
-provider "helm" {
- kubernetes {
- host = module.eks.cluster_endpoint
- cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
- }
- }
-}
-
-locals {
- cluster_name = var.name
- region = var.region
-
- cluster1_additional_sg_id = data.terraform_remote_state.vpc.outputs.cluster1_additional_sg_id
- cluster2_additional_sg_id = data.terraform_remote_state.vpc.outputs.cluster2_additional_sg_id
-
-
- istio_chart_url = "https://istio-release.storage.googleapis.com/charts"
- istio_chart_version = "1.18.2"
-
- tags = {
- Blueprint = local.cluster_name
- GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints"
- }
-}
-
-################################################################################
-# Cluster
-################################################################################
-
-module "eks" {
- source = "terraform-aws-modules/eks/aws"
- version = "~> 19.16"
-
- cluster_name = local.cluster_name
- cluster_version = "1.27"
- cluster_endpoint_public_access = true
-
- # EKS Addons
- cluster_addons = {
- coredns = {}
- kube-proxy = {}
- vpc-cni = {}
- }
-
- vpc_id = data.terraform_remote_state.vpc.outputs.vpc_id
- subnet_ids = data.terraform_remote_state.vpc.outputs.subnet_ids
-
- eks_managed_node_groups = {
- cluster2 = {
- instance_types = ["m5.large"]
-
- min_size = 1
- max_size = 5
- desired_size = 2
- vpc_security_group_ids = [local.cluster2_additional_sg_id]
-
- }
- }
- # SG Rule for nodes in cluster 2 to be able to reach to the cluster1 control plane
- cluster_security_group_additional_rules = {
- ingress_allow_from_other_cluster = {
- description = "Access EKS from EC2 instances in other cluster."
- protocol = "tcp"
- from_port = 443
- to_port = 443
- type = "ingress"
- source_security_group_id = local.cluster1_additional_sg_id
- }
- }
-
- # EKS K8s API cluster needs to be able to talk with the EKS worker nodes with port 15017/TCP and 15012/TCP which is used by Istio
- # Istio in order to create sidecar needs to be able to communicate with webhook and for that network passage to EKS is needed.
- node_security_group_additional_rules = {
- ingress_15017 = {
- description = "Cluster API - Istio Webhook namespace.sidecar-injector.istio.io"
- protocol = "TCP"
- from_port = 15017
- to_port = 15017
- type = "ingress"
- source_cluster_security_group = true
- }
- ingress_15012 = {
- description = "Cluster API to nodes ports/protocols"
- protocol = "TCP"
- from_port = 15012
- to_port = 15012
- type = "ingress"
- source_cluster_security_group = true
- }
- }
-
- tags = local.tags
-}
-
-################################################################################
-# EKS Blueprints Addons
-################################################################################
-
-module "addons" {
- source = "aws-ia/eks-blueprints-addons/aws"
- version = "~> 1.0"
-
- cluster_name = module.eks.cluster_name
- cluster_endpoint = module.eks.cluster_endpoint
- cluster_version = module.eks.cluster_version
- oidc_provider_arn = module.eks.oidc_provider_arn
-
- # This is required to expose Istio Ingress Gateway
- enable_aws_load_balancer_controller = true
- enable_cert_manager = true
-
- tags = local.tags
-}
-
-################################################################################
-# Istio
-################################################################################
-
-resource "kubernetes_namespace" "istio_system" {
- metadata {
- name = "istio-system"
- labels = {
- istio-injection = "enabled"
- }
- }
-}
-
-resource "helm_release" "istio_base" {
-
- repository = local.istio_chart_url
- chart = "base"
- name = "istio-base"
- namespace = kubernetes_namespace.istio_system.metadata[0].name
- version = local.istio_chart_version
- wait = false
-
- depends_on = [
- module.addons
- ]
-}
-
-resource "helm_release" "istiod" {
- repository = local.istio_chart_url
- chart = "istiod"
- name = "istiod"
- namespace = helm_release.istio_base.metadata[0].namespace
- version = local.istio_chart_version
- wait = false
-
- set {
- name = "meshConfig.accessLogFile"
- value = "/dev/stdout"
- }
-
- set {
- name = "global.multiCluster.clusterName"
- value = local.cluster_name
- }
-
- set {
- name = "global.meshID"
- value = local.cluster_name
- }
-
- set {
- name = "global.network"
- value = local.cluster_name
- }
-}
-
-resource "helm_release" "istio_ingress" {
- repository = local.istio_chart_url
- chart = "gateway"
- name = "istio-ingress"
- namespace = helm_release.istiod.metadata[0].namespace
- version = local.istio_chart_version
- wait = false
-
- values = [
- yamlencode(
- {
- labels = {
- istio = "ingressgateway"
- }
- service = {
- annotations = {
- "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb"
- "service.beta.kubernetes.io/aws-load-balancer-scheme" = "internet-facing"
- }
- }
- }
- )
- ]
-}
-
-################################################################################
-# Istio certs for cross-cluster traffic
-# https://istio.io/latest/docs/ops/deployment/deployment-models/#trust-within-a-mesh
-# https://istio.io/latest/docs/ops/diagnostic-tools/multicluster/#trust-configuration
-################################################################################
-
-resource "kubernetes_secret" "cacerts" {
- metadata {
- name = "cacerts"
- namespace = "istio-system"
- }
-
- data = {
- "ca-cert.pem" = file("${path.module}/../certs-tool/certs/${local.cluster_name}/ca-cert.pem")
- "ca-key.pem" = file("${path.module}/../certs-tool/certs/${local.cluster_name}/ca-key.pem")
- "root-cert.pem" = file("${path.module}/../certs-tool/certs/${local.cluster_name}/root-cert.pem")
- "cert-chain.pem" = file("${path.module}/../certs-tool/certs/${local.cluster_name}/cert-chain.pem")
- }
-}
-
-################################################################################
-# Data source for Istio reader token
-################################################################################
-
-resource "kubernetes_secret" "istio_reader" {
- depends_on = [module.addons, helm_release.istiod]
- metadata {
- annotations = {
- "kubernetes.io/service-account.name" = "istio-reader-service-account"
- }
- name = "istio-reader-service-account-istio-remote-secret-token"
- namespace = "istio-system"
- }
-
- type = "kubernetes.io/service-account-token"
-}
-
-data "kubernetes_secret" "istio_reader_data" {
- depends_on = [kubernetes_secret.istio_reader]
- metadata {
- name = "istio-reader-service-account-istio-remote-secret-token"
- namespace = "istio-system"
- }
-}
diff --git a/patterns/istio-multi-cluster/2.cluster2/outputs.tf b/patterns/istio-multi-cluster/2.cluster2/outputs.tf
deleted file mode 100644
index 9193c9f887..0000000000
--- a/patterns/istio-multi-cluster/2.cluster2/outputs.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-output "configure_kubectl" {
- description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
- value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}"
-}
-
-output "istio_reader_token" {
- description = "Istio token for cross cluster auth"
- value = data.kubernetes_secret.istio_reader_data.data["token"]
- sensitive = true
-}
-
-output "istio_reader_cacert" {
- description = "Istio token for cross cluster auth"
- value = data.kubernetes_secret.istio_reader_data.data["ca.crt"]
- sensitive = true
-}
-
-output "cluster_endpoint" {
- description = "Cluster endpoint"
- value = module.eks.cluster_endpoint
-}
-
-output "cluster_certificate_authority_data" {
- description = "Cluster ca certificate"
- value = module.eks.cluster_certificate_authority_data
-}
-
-output "cluster_name" {
- description = "Cluster name"
- value = module.eks.cluster_name
-}
-
-output "cluster_region" {
- description = "Cluster region"
- value = local.region
-}
diff --git a/patterns/istio-multi-cluster/2.cluster2/variables.tf b/patterns/istio-multi-cluster/2.cluster2/variables.tf
deleted file mode 100644
index 5c73a40427..0000000000
--- a/patterns/istio-multi-cluster/2.cluster2/variables.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-
-variable "name" {
- description = "cluster name"
- type = string
- default = "cluster-2"
-}
-
-variable "region" {
- description = "cluster name"
- type = string
- default = "eu-west-1"
-}
diff --git a/patterns/istio-multi-cluster/2.cluster2/versions.tf b/patterns/istio-multi-cluster/2.cluster2/versions.tf
deleted file mode 100644
index 07b68ccbe0..0000000000
--- a/patterns/istio-multi-cluster/2.cluster2/versions.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-terraform {
- required_version = ">= 1.0"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 4.47"
- }
- helm = {
- source = "hashicorp/helm"
- version = ">= 2.9"
- }
- kubernetes = {
- source = "hashicorp/kubernetes"
- version = ">= 2.20"
- }
- }
-
- # ## Used for end-to-end testing on project; update to suit your needs
- # backend "s3" {
- # bucket = ""
- # region = ""
- # key = "e2e/istio-multi-cluster-vpc/terraform.tfstate"
- # }
-}
diff --git a/patterns/istio-multi-cluster/3.istio-multi-primary/istio-remote-secret.tftpl b/patterns/istio-multi-cluster/3.istio-multi-primary/istio-remote-secret.tftpl
deleted file mode 100644
index e868022df0..0000000000
--- a/patterns/istio-multi-cluster/3.istio-multi-primary/istio-remote-secret.tftpl
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-clusters:
-- cluster:
- certificate-authority-data: ${cluster_certificate_authority_data}
- server: ${cluster_host}
- name: ${cluster_name}
-contexts:
-- context:
- cluster: ${cluster_name}
- user: ${cluster_name}
- name: ${cluster_name}
-current-context: ${cluster_name}
-kind: Config
-preferences: {}
-users:
-- name: ${cluster_name}
- user:
- token: ${cluster_istio_reader_token}
diff --git a/patterns/istio-multi-cluster/3.istio-multi-primary/main.tf b/patterns/istio-multi-cluster/3.istio-multi-primary/main.tf
deleted file mode 100644
index 0a43657927..0000000000
--- a/patterns/istio-multi-cluster/3.istio-multi-primary/main.tf
+++ /dev/null
@@ -1,98 +0,0 @@ -data "terraform_remote_state" "cluster1" { - backend = "local" - - config = { - path = "${path.module}/../1.cluster1/terraform.tfstate" - } -} - -provider "kubernetes" { - host = data.terraform_remote_state.cluster1.outputs.cluster_endpoint - cluster_ca_certificate = base64decode(data.terraform_remote_state.cluster1.outputs.cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - args = ["eks", "get-token", "--cluster-name", data.terraform_remote_state.cluster1.outputs.cluster_name, "--region", data.terraform_remote_state.cluster1.outputs.cluster_region] - } - alias = "cluster1" -} - -data "terraform_remote_state" "cluster2" { - backend = "local" - - config = { - path = "${path.module}/../2.cluster2/terraform.tfstate" - } -} - -provider "kubernetes" { - host = data.terraform_remote_state.cluster2.outputs.cluster_endpoint - cluster_ca_certificate = base64decode(data.terraform_remote_state.cluster2.outputs.cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", data.terraform_remote_state.cluster2.outputs.cluster_name, "--region", data.terraform_remote_state.cluster2.outputs.cluster_region] - } - alias = "cluster2" -} - -################################################################################ -# Istio remote secret for cluster 1 (istioctl x create-remote-secret) -################################################################################ - -resource "kubernetes_secret" "istio_remote_secret_cluster2" { - provider = kubernetes.cluster1 - - metadata { - annotations = { - "kubernetes.io/service-account.name" = "istio-reader-service-account" - } - labels = { - "istio/multiCluster" = "true" - } - name = "istio-remote-secret-${data.terraform_remote_state.cluster2.outputs.cluster_name}" - 
namespace = "istio-system" - } - data = { - cluster1_name = templatefile("${path.module}/istio-remote-secret.tftpl", - { - cluster_certificate_authority_data = data.terraform_remote_state.cluster2.outputs.cluster_certificate_authority_data - cluster_host = data.terraform_remote_state.cluster2.outputs.cluster_endpoint - cluster_name = data.terraform_remote_state.cluster2.outputs.cluster_name - cluster_istio_reader_token = data.terraform_remote_state.cluster2.outputs.istio-reader-token - } - ) - } -} - -################################################################################ -# Istio remote secret for cluster 2 (istioctl x create-remote-secret) -################################################################################ - -resource "kubernetes_secret" "istio_remote_secret_cluster1" { - provider = kubernetes.cluster2 - - metadata { - annotations = { - "kubernetes.io/service-account.name" = "istio-reader-service-account" - } - labels = { - "istio/multiCluster" = "true" - } - name = "istio-remote-secret-${data.terraform_remote_state.cluster1.outputs.cluster_name}" - namespace = "istio-system" - } - data = { - cluster1_name = templatefile("${path.module}/istio-remote-secret.tftpl", - { - cluster_certificate_authority_data = data.terraform_remote_state.cluster1.outputs.cluster_certificate_authority_data - cluster_host = data.terraform_remote_state.cluster1.outputs.cluster_endpoint - cluster_name = data.terraform_remote_state.cluster1.outputs.cluster_name - cluster_istio_reader_token = data.terraform_remote_state.cluster1.outputs.istio-reader-token - } - ) - } -} diff --git a/patterns/istio-multi-cluster/3.istio-multi-primary/outputs.tf b/patterns/istio-multi-cluster/3.istio-multi-primary/outputs.tf deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/patterns/istio-multi-cluster/3.istio-multi-primary/variables.tf b/patterns/istio-multi-cluster/3.istio-multi-primary/variables.tf deleted file mode 100644 index e69de29bb2..0000000000 
diff --git a/patterns/istio-multi-cluster/3.istio-multi-primary/versions.tf b/patterns/istio-multi-cluster/3.istio-multi-primary/versions.tf deleted file mode 100644 index 629fc65f2d..0000000000 --- a/patterns/istio-multi-cluster/3.istio-multi-primary/versions.tf +++ /dev/null @@ -1,17 +0,0 @@ -terraform { - required_version = ">= 1.0" - - required_providers { - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.20" - } - } - - # ## Used for end-to-end testing on project; update to suit your needs - # backend "s3" { - # bucket = "terraform-ssp-github-actions-state" - # region = "us-west-2" - # key = "e2e/istio-multi-cluster-multi-primary-setup/terraform.tfstate" - # } -} diff --git a/patterns/istio-multi-cluster/4.test-connectivity/istio-helloworld.yaml b/patterns/istio-multi-cluster/4.test-connectivity/istio-helloworld.yaml deleted file mode 100644 index e870420e6d..0000000000 --- a/patterns/istio-multi-cluster/4.test-connectivity/istio-helloworld.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - port: 5000 - name: http - selector: - app: helloworld ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: helloworld-v1 - labels: - app: helloworld - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: helloworld - version: v1 - template: - metadata: - labels: - app: helloworld - version: v1 - spec: - containers: - - name: helloworld - image: docker.io/istio/examples-helloworld-v1 - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent #Always - ports: - - containerPort: 5000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: helloworld-v2 - labels: - app: helloworld - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: helloworld - version: v2 - template: - metadata: - labels: - app: helloworld - version: v2 - spec: - containers: - - name: helloworld - image: docker.io/istio/examples-helloworld-v2 - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent #Always - ports: - - containerPort: 5000 diff --git a/patterns/istio-multi-cluster/4.test-connectivity/istio-sleep.yaml b/patterns/istio-multi-cluster/4.test-connectivity/istio-sleep.yaml deleted file mode 100644 index 7ee33332a7..0000000000 --- a/patterns/istio-multi-cluster/4.test-connectivity/istio-sleep.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Sleep service -################################################################################################## -apiVersion: v1 -kind: ServiceAccount -metadata: - name: sleep ---- -apiVersion: v1 -kind: Service -metadata: - name: sleep - labels: - app: sleep - service: sleep -spec: - ports: - - port: 80 - name: http - selector: - app: sleep ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sleep -spec: - replicas: 1 - selector: - matchLabels: - app: sleep - template: - metadata: - labels: - app: sleep - spec: - terminationGracePeriodSeconds: 0 - serviceAccountName: sleep - containers: - - name: sleep - image: curlimages/curl - command: ["/bin/sleep", "infinity"] - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /etc/sleep/tls - name: secret-volume - volumes: - - name: secret-volume - secret: - secretName: sleep-secret - optional: true ---- diff --git a/patterns/istio-multi-cluster/4.test-connectivity/test_connectivity.sh b/patterns/istio-multi-cluster/4.test-connectivity/test_connectivity.sh deleted file mode 100755 index 9437af7c08..0000000000 --- a/patterns/istio-multi-cluster/4.test-connectivity/test_connectivity.sh +++ /dev/null 
@@ -1,46 +0,0 @@ -export CLUSTER_1=cluster-1 -export CLUSTER_2=cluster-2 -export AWS_DEFAULT_REGION=$(aws configure get region) -export AWS_ACCOUNT_NUMBER=$(aws sts get-caller-identity --query "Account" --output text) - -aws eks update-kubeconfig --name $CLUSTER_1 --region $AWS_DEFAULT_REGION -aws eks update-kubeconfig --name $CLUSTER_2 --region $AWS_DEFAULT_REGION - -export CTX_CLUSTER_1=arn:aws:eks:$AWS_DEFAULT_REGION:${AWS_ACCOUNT_NUMBER}:cluster/$CLUSTER_1 -export CTX_CLUSTER_2=arn:aws:eks:$AWS_DEFAULT_REGION:${AWS_ACCOUNT_NUMBER}:cluster/$CLUSTER_2 - - -kubectl exec --context="${CTX_CLUSTER_1}" -n sample -c sleep \ - "$(kubectl get pod --context="${CTX_CLUSTER_1}" -n sample -l \ - app=sleep -o jsonpath='{.items[0].metadata.name}')" \ - -- curl -sS helloworld.sample:5000/hello -kubectl exec --context="${CTX_CLUSTER_1}" -n sample -c sleep \ - "$(kubectl get pod --context="${CTX_CLUSTER_1}" -n sample -l \ - app=sleep -o jsonpath='{.items[0].metadata.name}')" \ - -- curl -sS helloworld.sample:5000/hello -kubectl exec --context="${CTX_CLUSTER_1}" -n sample -c sleep \ - "$(kubectl get pod --context="${CTX_CLUSTER_1}" -n sample -l \ - app=sleep -o jsonpath='{.items[0].metadata.name}')" \ - -- curl -sS helloworld.sample:5000/hello -kubectl exec --context="${CTX_CLUSTER_1}" -n sample -c sleep \ - "$(kubectl get pod --context="${CTX_CLUSTER_1}" -n sample -l \ - app=sleep -o jsonpath='{.items[0].metadata.name}')" \ - -- curl -sS helloworld.sample:5000/hello - - -kubectl exec --context="${CTX_CLUSTER_2}" -n sample -c sleep \ - "$(kubectl get pod --context="${CTX_CLUSTER_2}" -n sample -l \ - app=sleep -o jsonpath='{.items[0].metadata.name}')" \ - -- curl -sS helloworld.sample:5000/hello -kubectl exec --context="${CTX_CLUSTER_2}" -n sample -c sleep \ - "$(kubectl get pod --context="${CTX_CLUSTER_2}" -n sample -l \ - app=sleep -o jsonpath='{.items[0].metadata.name}')" \ - -- curl -sS helloworld.sample:5000/hello -kubectl exec --context="${CTX_CLUSTER_2}" -n sample -c sleep \ 
- "$(kubectl get pod --context="${CTX_CLUSTER_2}" -n sample -l \ - app=sleep -o jsonpath='{.items[0].metadata.name}')" \ - -- curl -sS helloworld.sample:5000/hello -kubectl exec --context="${CTX_CLUSTER_2}" -n sample -c sleep \ - "$(kubectl get pod --context="${CTX_CLUSTER_2}" -n sample -l \ - app=sleep -o jsonpath='{.items[0].metadata.name}')" \ - -- curl -sS helloworld.sample:5000/hello diff --git a/patterns/istio-multi-cluster/README.md b/patterns/istio-multi-cluster/README.md deleted file mode 100644 index ba9211ac04..0000000000 --- a/patterns/istio-multi-cluster/README.md +++ /dev/null 
@@ -1,124 +0,0 @@ -# Amazon EKS Multi-Cluster w/ Istio - -This pattern demonstrates 2 Amazon EKS clusters configured with Istio. -Istio will be set-up to operate in a [Multi-Primary](https://istio.io/latest/docs/setup/install/multicluster/multi-primary/) configuration, where services are shared across clusters. - -Refer to the [documentation](https://istio.io/latest/docs/concepts/) for `Istio` concepts. - -## Notable configuration - -* This sample relies on reading data from Terraform Remote State in the different folders. In a production setup, Terraform Remote State is stored in a persistent backend such as Terraform Cloud or S3. For more information, please refer to the Terraform [Backends](https://developer.hashicorp.com/terraform/language/settings/backends/configuration) documentation -* The process for connecting clusters is separated from the cluster creation as it requires all cluster to be created first, and exchange configuration between one to the other - -## Folder structure - -### [`0.certs-tool`](0.certs-tool/) - -This folder is the [Makefiles](https://github.com/istio/istio/tree/master/tools/certs) from the Istio projects to generate 1 root CA with 2 intermediate CAs for each cluster. Please refer to the ["Certificate Management"](https://istio.io/latest/docs/tasks/security/cert-management/) section in the Istio documentation. For production setup it's [highly recommended](https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/#plug-in-certificates-and-key-into-the-cluster) by the Istio project to have a production-ready CA solution. - -> **_NOTE:_** The [0.certs-tool/create-certs.sh](0.certs-tool/create-certs.sh) script needs to run before the cluster creation so the code will pick up the relevant certificates - -### [`0.vpc`](0.vpc/) - -This folder creates the VPC for both clusters. The VPC creation is not part of the cluster provisioning and therefore lives in a separate folder. 
-To support the multi-cluster/Multi-Primary setup, this folder also creates additional security group to be used by each cluster worker nodes to allow cross-cluster communication (resources `cluster1_additional_sg` and `cluster2_additional_sg`). These security groups allow communication from one to the other and each will be added to the worker nodes of the relevant cluster - -### [`1.cluster1`](1.cluster1/) - -This folder creates an Amazon EKS Cluster, named by default `cluster-1` (see [`variables.tf`](1.cluster1/variables.tf)), with AWS Load Balancer Controller, and Istio installation. -Configurations in this folder to be aware of: - -* The cluster is configured to use the security groups created in the `0.vpc` folder (`cluster1_additional_sg` in this case). -* Kubernetes Secret named `cacerts` is created with the certificates created by the [0.certs-tool/create-certs.sh](0.certs-tool/create-certs.sh) script -* Kubernetes Secret named `cacerts` named `istio-reader-service-account-istio-remote-secret-token` of type `Service-Account` is being created. This is to replicate the [istioctl experimental create-remote-secret](https://istio.io/latest/docs/reference/commands/istioctl/#istioctl-experimental-create-remote-secret) command. This secret will be used in folder [`3.istio-multi-primary`](3.istio-multi-primary/) to apply kubeconfig secret with tokens from the other cluster to be able to communicate to the other cluster API Server - -### [`2.cluster2`](2.cluster2/) - -Same configuration as in `1.cluster1` except the name of the cluster which is `cluster-2`. - -### [`3.istio-multi-primary`](3.istio-multi-primary/) - -This folder deploys a reader secret on each cluster. It replicates the [`istioctl experimental create-remote-secret`](https://istio.io/latest/docs/reference/commands/istioctl/#istioctl-experimental-create-remote-secret) by applying a kubeconfig secret prefixed `istio-remote-secret-` with the cluster name at the end. 
- -### [`4.test-connectivity`](4.test-connectivity/) - -This folder test the installation connectivity. It follows the Istio guide [Verify the installation](https://istio.io/latest/docs/setup/install/multicluster/verify/) by deploying services on each cluster, and `curl`-ing from one to the other - -## Prerequisites - -Ensure that you have the following tools installed locally: - -1. [aws cli](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) -2. [kubectl](https://Kubernetes.io/docs/tasks/tools/) -3. [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) - -## Deploy - -### Prereq - Provision Certificates - -```shell -cd 0.certs-tool -./create-certs.sh -cd.. -``` - -### Step 0 - Create the VPC - -```shell -cd 0.certs-tool -./create-certs.sh -cd.. -``` - -### Step 1 - Deploy cluster-1 - -```shell -cd 1.cluster1 -terraform init -terraform apply -auto-approve -cd.. -``` - -### Step 2 - Deploy cluster-2 - -```shell -cd 2.cluster2 -terraform init -terraform apply -auto-approve -cd.. -``` - -### Step 3 - Configure Istio Multi-Primary - -```shell -cd 3.istio-multi-primary -terraform init -terraform apply -auto-approve -cd.. -``` - -### Step 4 - test installation and connectivity - -```shell -cd 4.test-connectivity -./test_connectivity.sh -cd.. -``` - -This script deploy the sample application to both clusters and run curl from a pod in one cluster to a service that is deployed in both cluster. You should expect to see responses from both `V1` and `V2` of the sample application. -The script run 4 `curl` command from cluster-1 to cluster-2 and vice versa - -## Destroy - -To teardown and remove the resources created in this example: - -```shell -cd 3.istio-multi-primary -terraform apply -destroy -autoapprove -cd ../2.cluster2 -terraform apply -destroy -autoapprove -cd ../1.cluster1 -terraform apply -destroy -autoapprove -cd ../0.vpc -terraform apply -destroy -autoapprove -``` 
From 19c1d5183b1d99f45024b715bd7c13e668c4a6f1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 7 Mar 2024 07:01:04 -0500
Subject: [PATCH 04/15] chore(deps): Bump clowdhaus/terraform-composite-actions from 1.8.3 to 1.9.0 (#1898)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/pre-commit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 31232f83f8..d00deb6bd1 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -55,7 +55,7 @@ jobs:
 restore-keys: ${{ runner.os }}-terraform-
 
 - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
- uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0
 if: steps.changes.outputs.src== 'true'
 with:
 terraform-version: ${{ env.TERRAFORM_VERSION }}
From af2e57db9884ab39de99c1272d7d5da6e5292fcc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 12 Mar 2024 07:44:52 -0400
Subject: [PATCH 05/15] chore(deps): Bump actions/checkout from 4.1.1 to 4.1.2 (#1900)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/dependency-review.yml | 2 +-
 .github/workflows/e2e-parallel-destroy.yml | 2 +-
 .github/workflows/e2e-parallel-full.yml | 6 +++---
 .github/workflows/markdown-link-check.yml | 2 +-
 .github/workflows/plan-examples.yml | 6 +++---
 .github/workflows/pre-commit.yml | 2 +-
 .github/workflows/publish-docs.yml | 2 +-
 .github/workflows/scorecards.yml | 2 +-
 8 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 788fb1e44e..0ed4ea8061 100644
--- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -22,6 +22,6 @@ jobs: egress-policy: audit - name: 'Checkout Repository' - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.5.4 + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.5.4 - name: 'Dependency Review' uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3 diff --git a/.github/workflows/e2e-parallel-destroy.yml b/.github/workflows/e2e-parallel-destroy.yml index 39880ef888..286feaecdc 100644 --- a/.github/workflows/e2e-parallel-destroy.yml +++ b/.github/workflows/e2e-parallel-destroy.yml @@ -41,7 +41,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 - name: Setup backend # Un-comment remote backend for use in workflow diff --git a/.github/workflows/e2e-parallel-full.yml b/.github/workflows/e2e-parallel-full.yml index 13d226ee4a..003f87d11e 100644 --- a/.github/workflows/e2e-parallel-full.yml +++ b/.github/workflows/e2e-parallel-full.yml @@ -32,7 +32,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 - name: Auth AWS uses: aws-actions/configure-aws-credentials@v4.0.2 @@ -74,7 +74,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 - name: Setup backend # Un-comment remote backend for use in workflow @@ -167,7 +167,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 - name: Configure AWS credentials from Test account uses: aws-actions/configure-aws-credentials@v4.0.2 
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml index f1415a4284..27c8b07fee 100644 --- a/.github/workflows/markdown-link-check.yml +++ b/.github/workflows/markdown-link-check.yml @@ -25,7 +25,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 - uses: actions/setup-node@v4 with: node-version: '16.x' diff --git a/.github/workflows/plan-examples.yml b/.github/workflows/plan-examples.yml index 6acf4a462a..538e535700 100644 --- a/.github/workflows/plan-examples.yml +++ b/.github/workflows/plan-examples.yml @@ -28,7 +28,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 - name: Get Terraform directories for evaluation id: dirs @@ -63,13 +63,13 @@ jobs: - name: checkout-merge if: "contains(github.event_name, 'pull_request')" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 with: ref: refs/pull/${{github.event.pull_request.number}}/merge - name: checkout if: "!contains(github.event_name, 'pull_request')" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 - uses: dorny/paths-filter@v3 id: changes diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index d00deb6bd1..f6b68426a0 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -33,7 +33,7 @@ jobs: run: rm -rf $(which terraform) - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 - uses: dorny/paths-filter@v3 id: changes 
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml index b4dc12dd44..b029ec22fe 100644 --- a/.github/workflows/publish-docs.yml +++ b/.github/workflows/publish-docs.yml @@ -23,7 +23,7 @@ jobs: egress-policy: audit - name: Checkout main - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 with: fetch-depth: 0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index ad06e1297e..2bfca7102c 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -36,7 +36,7 @@ jobs: egress-policy: audit - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.5.4 + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.5.4 with: persist-credentials: false From 9dc6add9928e5b300f896df187695cb318313cf9 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Tue, 12 Mar 2024 08:49:56 -0400 Subject: [PATCH 06/15] fix: Replace un-maintained kubectl provider with an updated fork (#1901) --- .pre-commit-config.yaml | 4 +- docs/cSpell_dict.txt | 2 +- patterns/appmesh-mtls/versions.tf | 4 +- patterns/external-secrets/main.tf | 135 +++++++++--------- patterns/external-secrets/versions.tf | 4 +- patterns/multi-tenancy-with-teams/main.tf | 16 --- patterns/multi-tenancy-with-teams/versions.tf | 8 -- patterns/tls-with-aws-pca-issuer/versions.tf | 4 +- 8 files changed, 78 insertions(+), 99 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 999d31212a..a06869c712 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -1,6 +1,6 @@ repos: - repo: https://github.com/streetsidesoftware/cspell-cli - rev: v8.3.0 + rev: v8.6.0 hooks: - id: cspell args: [--exclude, 'ADOPTERS.md', --exclude, '.pre-commit-config.yaml', --exclude, '.gitignore', --exclude, '*.drawio', --exclude, 'mkdocs.yml', --exclude, '.helmignore', --exclude, '.github/workflows/*', --exclude, 'patterns/istio-multi-cluster/*', --exclude, 'patterns/blue-green-upgrade/*'] @@ -19,7 +19,7 @@ repos: - id: detect-aws-credentials args: [--allow-missing-credentials] - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.86.0 + rev: v1.88.1 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/docs/cSpell_dict.txt b/docs/cSpell_dict.txt index 33aad47b8b..3a3f0a96ed 100644 --- a/docs/cSpell_dict.txt +++ b/docs/cSpell_dict.txt @@ -4,6 +4,7 @@ addrs adot agones akuity +alekc algbw ALLOWVOLUMEEXPANSION amazonlinux @@ -73,7 +74,6 @@ flblogs fluentbit gameserver gameservers -gavinbunney gitops helloworld heptio diff --git a/patterns/appmesh-mtls/versions.tf b/patterns/appmesh-mtls/versions.tf index 969ce00135..c75dee437f 100644 --- a/patterns/appmesh-mtls/versions.tf +++ b/patterns/appmesh-mtls/versions.tf @@ -11,8 +11,8 @@ terraform { version = ">= 2.9" } kubectl = { - source = "gavinbunney/kubectl" - version = ">= 1.14" + source = "alekc/kubectl" + version = ">= 2.0" } } diff --git a/patterns/external-secrets/main.tf b/patterns/external-secrets/main.tf index 0a72d8dc1b..90d14cfb9e 100644 --- a/patterns/external-secrets/main.tf +++ b/patterns/external-secrets/main.tf @@ -147,22 +147,23 @@ resource "aws_kms_key" "secrets" { } resource "kubectl_manifest" "cluster_secretstore" { - yaml_body = < Date: Wed, 13 Mar 2024 07:16:24 -0400 Subject: [PATCH 07/15] chore(deps): Bump github/codeql-action from 3.24.6 to 3.24.7 (#1902) 
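Review bot: Changing the provider `source` from `gavinbunney/kubectl` to `alekc/kubectl` in patterns/appmesh-mtls/versions.tf is a provider address change, and any existing state for this pattern still records its `kubectl_manifest` resources under the old address, so users upgrading in place need `terraform state replace-provider gavinbunney/kubectl alekc/kubectl` before their next plan. A comment above the block would save them a confusing failure, e.g. `# Moved from the unmaintained gavinbunney/kubectl; existing state: terraform state replace-provider gavinbunney/kubectl alekc/kubectl`. The constraint `>= 2.0` is open-ended on a community-maintained fork, so only a committed `.terraform.lock.hcl` (if the pattern ships one) actually pins the provider build and its checksums; worth confirming it is regenerated alongside this change. The patterns/external-secrets/main.tf hunk that follows is truncated on this page and was not reviewed.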
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 2bfca7102c..7861cd039f 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -71,6 +71,6 @@ jobs:
 
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
+ uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
 with:
 sarif_file: results.sarif
From d5c9253c678cea24081b0be23cd0469915da0436 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Wed, 13 Mar 2024 18:03:18 -0400
Subject: [PATCH 08/15] chore: Update documentation for installing EFA device plugin to use official EKS chart (#1904)
Co-authored-by: Apoorva Kulkarni
---
 .pre-commit-config.yaml | 2 +-
 docs/cSpell_dict.txt | 1 +
 patterns/elastic-fabric-adapter/README.md | 4 +
 patterns/elastic-fabric-adapter/main.tf | 265 ++++++--------------
 patterns/elastic-fabric-adapter/versions.tf | 4 -
 5 files changed, 84 insertions(+), 192 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a06869c712..6f717e8319 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -19,7 +19,7 @@ repos:
 - id: detect-aws-credentials
 args: [--allow-missing-credentials]
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.88.1
+ rev: v1.88.2
 hooks:
 - id: terraform_fmt
 - id: terraform_docs
diff --git a/docs/cSpell_dict.txt b/docs/cSpell_dict.txt
index 3a3f0a96ed..ed562d3ab2 100644
--- a/docs/cSpell_dict.txt
+++ b/docs/cSpell_dict.txt
@@ -144,6 +144,7 @@ tcpdump
 templatefile
 tfstate
 tfvars
+tolerations
 tolist
 toset
 velero
diff --git a/patterns/elastic-fabric-adapter/README.md b/patterns/elastic-fabric-adapter/README.md
index f7e478873f..8e1c19269b 100644
--- a/patterns/elastic-fabric-adapter/README.md
+++ b/patterns/elastic-fabric-adapter/README.md
@@ -8,6 +8,10 @@ See [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started
 
 ## Validate
 
+!!! note
+
+ The following steps are shown with `g5.8xlarge` for frugality. Values shown below will change based on the instance type selected (i.e. - `p5.48xlarge` has 8 GPUs and 32 EFA interfaces)
+
 1. List the nodes by instance type:
 
 ```sh
diff --git a/patterns/elastic-fabric-adapter/main.tf b/patterns/elastic-fabric-adapter/main.tf
index ac8a584cf9..8ab36354c5 100644
--- a/patterns/elastic-fabric-adapter/main.tf
+++ b/patterns/elastic-fabric-adapter/main.tf
@@ -2,18 +2,6 @@ provider "aws" {
 region = local.region
 }
 
-provider "kubernetes" {
- host = module.eks.cluster_endpoint
- cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
- }
-}
-
 provider "helm" {
 kubernetes {
 host = module.eks.cluster_endpoint
@@ -34,7 +22,7 @@ locals {
 name = basename(path.cwd)
 region = "us-west-2"
 
- cluster_version = "1.29"
+ efa_instance_type = "p5.48xlarge"
 
 vpc_cidr = "10.0.0.0/16"
 azs = slice(data.aws_availability_zones.available.names, 0, 3)
@@ -51,10 +39,10 @@ locals {
 
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
- version = "~> 20.0"
+ version = "~> 20.4"
 
 cluster_name = local.name
- cluster_version = local.cluster_version
+ cluster_version = "1.29"
 cluster_endpoint_public_access = true
 
 # Give the Terraform identity admin access to the cluster
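Review bot: In the `module "eks"` hunk of patterns/elastic-fabric-adapter/main.tf, `cluster_version` changes from `local.cluster_version` to the inline literal `"1.29"` while the same commit moves `efa_instance_type` into `locals`, so the pattern's tunables now live in two places. Keeping `cluster_version = "1.29"` in `locals` next to `efa_instance_type` and referencing `cluster_version = local.cluster_version` in the module keeps the knobs a reader is expected to change together, which matters for a pattern that is copied as-is. The `locals` and `module "eks"` blocks both extend beyond these hunks.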
@@ -67,29 +55,12 @@ module "eks" {
 vpc-cni = {}
 }
 
+ # Add security group rules on the node group security group to allow EFA traffic
+ enable_efa_support = true
+
 vpc_id = module.vpc.vpc_id
 subnet_ids = module.vpc.private_subnets
 
- # Extend node-to-node security group rules
- node_security_group_additional_rules = {
- ingress_self_all = {
- description = "Node to node all ingress traffic"
- protocol = "-1"
- from_port = 0
- to_port = 0
- type = "ingress"
- self = true
- }
- egress_self_all = {
- description = "Node to node all egress traffic"
- protocol = "-1"
- from_port = 0
- to_port = 0
- type = "egress"
- self = true
- }
- }
-
 eks_managed_node_group_defaults = {
 iam_role_additional_policies = {
 # Not required, but used in the example to access the nodes to inspect drivers and devices
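Review bot: The comment added above `enable_efa_support = true` says the module adds rules "to allow EFA traffic", but the block it replaces was an explicit all-protocol, all-port self-referencing ingress and egress rule pair on the node security group, and as far as I know the EKS module's EFA support is implemented the same way; a reader auditing the pattern's network posture loses that information with this hunk. Suggest making it explicit, e.g. `# enable_efa_support adds self-referencing all-traffic ingress/egress rules on the node security group (required by EFA); equivalent to the removed node_security_group_additional_rules`. If the module's rules are in fact narrower, the comment should state what they are instead. The `module "eks"` block continues outside the hunk.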
@@ -98,41 +69,54 @@ module "eks" { } eks_managed_node_groups = { - # For running services that do not require GPUs + # This node group is for core addons such as CoreDNS default = { instance_types = ["m5.large"] + # Default AMI has only 8GB of storage + block_device_mappings = { + xvda = { + device_name = "/dev/xvda" + ebs = { + volume_size = 128 + volume_type = "gp3" + delete_on_termination = true + } + } + } + min_size = 1 - max_size = 5 + max_size = 2 desired_size = 2 } - efa = { + nvidia-efa = { + # The EKS AL2 GPU AMI provides all of the necessary components + # for accelerated workloads w/ EFA ami_type = "AL2_x86_64_GPU" - instance_types = ["g5.8xlarge"] + instance_types = [local.efa_instance_type] - min_size = 1 - max_size = 1 - desired_size = 1 - - subnet_ids = slice(module.vpc.private_subnets, 0, 1) - - network_interfaces = [ - { - description = "EFA interface" - delete_on_termination = true - device_index = 0 - associate_public_ip_address = false - interface_type = "efa" - } - ] + pre_bootstrap_user_data = <<-EOT + #!/usr/bin/env bash - placement = { - group_name = aws_placement_group.efa.name - } + # Mount instance store volumes in RAID-0 for Kubelet and Containerd (raid0) + # https://github.com/awslabs/amazon-eks-ami/blob/master/doc/USER_GUIDE.md#raid-0-for-kubelet-and-containerd-raid0 + /bin/setup-local-disks raid0 + EOT + + min_size = 2 + max_size = 2 + desired_size = 2 + + # This will: + # 1. Create a placement group for the node group to cluster instances together + # 2. Filter out subnets that reside in AZs that do not support the instance type + # 3. Expose all of the available EFA interfaces on the launch template + enable_efa_support = true taints = { - dedicated = { + # Ensure only GPU workloads are scheduled on this node group + gpu = { key = "nvidia.com/gpu" value = "true" effect = "NO_SCHEDULE" 
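Review bot: The new `block_device_mappings.xvda.ebs` block on the `default` node group sets size, type and delete-on-termination but not `encrypted`, so the root volume is encrypted only if the account has EBS default encryption enabled; for a pattern that is copied as-is, `encrypted = true` belongs next to `volume_type = "gp3"` (with a `kms_key_id` if a customer-managed key is wanted). Separately, the `pre_bootstrap_user_data` for `nvidia-efa` runs `/bin/setup-local-disks raid0` on every boot; the comment links the AMI doc, but one sentence stating that this formats the instance store volumes, so nothing durable should be placed on them, would help readers who adapt the example. The `eks_managed_node_groups` map and the `gpu` taint block close outside this hunk.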
@@ -160,7 +144,6 @@ module "eks_blueprints_addons" { # We want to wait for the Fargate profiles to be deployed first create_delay_dependencies = [for group in module.eks.eks_managed_node_groups : group.node_group_arn] - enable_aws_efs_csi_driver = true enable_aws_fsx_csi_driver = true enable_kube_prometheus_stack = true kube_prometheus_stack = { @@ -175,6 +158,42 @@ module "eks_blueprints_addons" { enable_metrics_server = true helm_releases = { + aws-efa-k8s-device-plugin = { + repository = "https://aws.github.io/eks-charts" + chart = "aws-efa-k8s-device-plugin" + version = "v0.4.4" + namespace = "nvidia-device-plugin" + create_namespace = true + + values = [ + <<-EOT + nodeSelector: + node.kubernetes.io/instance-type: "${local.efa_instance_type}" + tolerations: + - key: nvidia.com/gpu + operator: Exists + effect: NoSchedule + EOT + ] + } + + nvidia-device-plugin = { + repository = "https://nvidia.github.io/k8s-device-plugin" + chart = "nvidia-device-plugin" + version = "0.14.4" + namespace = "nvidia-device-plugin" + create_namespace = true + + values = [ + <<-EOT + gfd: + enabled: false + nodeSelector: + node.kubernetes.io/instance-type: "${local.efa_instance_type}" + EOT + ] + } + prometheus-adapter = { description = "A Helm chart for k8s prometheus adapter" namespace = "prometheus-adapter" 
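Review bot: In the second hunk, the `nvidia-device-plugin` values set a `nodeSelector` for `local.efa_instance_type` but, unlike the `aws-efa-k8s-device-plugin` values just above, declare no toleration for the `nvidia.com/gpu` `NoSchedule` taint that the `nvidia-efa` node group applies, so whether the plugin lands on those nodes depends on the chart's default tolerations. Making it explicit keeps the two releases consistent and documents the dependency on the taint: add `tolerations:` / `- {key: nvidia.com/gpu, operator: Exists, effect: NoSchedule}` under the existing `nodeSelector` in that heredoc. Both charts are pinned to exact versions and pulled from their upstream repositories, which is the right direction for supply-chain hygiene; a short comment recording why `v0.4.4` and `0.14.4` were chosen would help the next bump. The `module "eks_blueprints_addons"` block continues outside both hunks.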
@@ -190,133 +209,11 @@ module "eks_blueprints_addons" { EOT ] } - gpu-operator = { - description = "A Helm chart for NVIDIA GPU operator" - namespace = "gpu-operator" - create_namespace = true - chart = "gpu-operator" - chart_version = "v23.3.2" - repository = "https://nvidia.github.io/gpu-operator" - values = [ - <<-EOT - dcgmExporter: - enabled: false - driver: - enabled: false - toolkit: - version: v1.13.5-centos7 - operator: - defaultRuntime: containerd - validator: - driver: - env: - # https://github.com/NVIDIA/gpu-operator/issues/569 - - name: DISABLE_DEV_CHAR_SYMLINK_CREATION - value: "true" - EOT - ] - } } tags = local.tags } -################################################################################ -# Amazon Elastic Fabric Adapter (EFA) -################################################################################ - -resource "kubernetes_daemonset" "aws_efa_k8s_device_plugin" { - metadata { - name = "aws-efa-k8s-device-plugin-daemonset" - namespace = "kube-system" - } - - spec { - selector { - match_labels = { - name = "aws-efa-k8s-device-plugin" - } - } - - template { - metadata { - labels = { - name = "aws-efa-k8s-device-plugin" - } - } - - spec { - volume { - name = "device-plugin" - - host_path { - path = "/var/lib/kubelet/device-plugins" - } - } - - container { - name = "aws-efa-k8s-device-plugin" - image = "602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efa-k8s-device-plugin:v0.4.4" - - volume_mount { - name = "device-plugin" - mount_path = "/var/lib/kubelet/device-plugins" - } - - image_pull_policy = "Always" - - security_context { - capabilities { - drop = ["ALL"] - } - } - } - - host_network = true - - affinity { - node_affinity { - required_during_scheduling_ignored_during_execution { - node_selector_term { - match_expressions { - key = "beta.kubernetes.io/instance-type" - operator = "In" - values = ["c5n.18xlarge", "c5n.9xlarge", "c5n.metal", "c6a.48xlarge", "c6a.metal", "c6gn.16xlarge", "c6i.32xlarge", "c6i.metal", 
"c6id.32xlarge", "c6id.metal", "c6in.32xlarge", "c6in.metal", "c7g.16xlarge", "c7g.metal", "c7gd.16xlarge", "c7gn.16xlarge", "c7i.48xlarge", "dl1.24xlarge", "g4dn.12xlarge", "g4dn.16xlarge", "g4dn.8xlarge", "g4dn.metal", "g5.12xlarge", "g5.16xlarge", "g5.24xlarge", "g5.48xlarge", "g5.8xlarge", "hpc7g.16xlarge", "hpc7g.4xlarge", "hpc7g.8xlarge", "i3en.12xlarge", "i3en.24xlarge", "i3en.metal", "i4g.16xlarge", "i4i.32xlarge", "i4i.metal", "im4gn.16xlarge", "inf1.24xlarge", "m5dn.24xlarge", "m5dn.metal", "m5n.24xlarge", "m5n.metal", "m5zn.12xlarge", "m5zn.metal", "m6a.48xlarge", "m6a.metal", "m6i.32xlarge", "m6i.metal", "m6id.32xlarge", "m6id.metal", "m6idn.32xlarge", "m6idn.metal", "m6in.32xlarge", "m6in.metal", "m7a.48xlarge", "m7a.metal-48xl", "m7g.16xlarge", "m7g.metal", "m7gd.16xlarge", "m7i.48xlarge", "p3dn.24xlarge", "p4d.24xlarge", "p5.48xlarge", "r5dn.24xlarge", "r5dn.metal", "r5n.24xlarge", "r5n.metal", "r6a.48xlarge", "r6a.metal", "r6i.32xlarge", "r6i.metal", "r6id.32xlarge", "r6id.metal", "r6idn.32xlarge", "r6idn.metal", "r6in.32xlarge", "r6in.metal", "r7a.48xlarge", "r7g.16xlarge", "r7g.metal", "r7gd.16xlarge", "r7iz.32xlarge", "trn1.32xlarge", "trn1n.32xlarge", "vt1.24xlarge", "x2idn.32xlarge", "x2idn.metal", "x2iedn.32xlarge", "x2iedn.metal", "x2iezn.12xlarge", "x2iezn.metal"] - } - } - - node_selector_term { - match_expressions { - key = "node.kubernetes.io/instance-type" - operator = "In" - values = ["c5n.18xlarge", "c5n.9xlarge", "c5n.metal", "c6a.48xlarge", "c6a.metal", "c6gn.16xlarge", "c6i.32xlarge", "c6i.metal", "c6id.32xlarge", "c6id.metal", "c6in.32xlarge", "c6in.metal", "c7g.16xlarge", "c7g.metal", "c7gd.16xlarge", "c7gn.16xlarge", "c7i.48xlarge", "dl1.24xlarge", "g4dn.12xlarge", "g4dn.16xlarge", "g4dn.8xlarge", "g4dn.metal", "g5.12xlarge", "g5.16xlarge", "g5.24xlarge", "g5.48xlarge", "g5.8xlarge", "hpc7g.16xlarge", "hpc7g.4xlarge", "hpc7g.8xlarge", "i3en.12xlarge", "i3en.24xlarge", "i3en.metal", "i4g.16xlarge", "i4i.32xlarge", "i4i.metal", 
"im4gn.16xlarge", "inf1.24xlarge", "m5dn.24xlarge", "m5dn.metal", "m5n.24xlarge", "m5n.metal", "m5zn.12xlarge", "m5zn.metal", "m6a.48xlarge", "m6a.metal", "m6i.32xlarge", "m6i.metal", "m6id.32xlarge", "m6id.metal", "m6idn.32xlarge", "m6idn.metal", "m6in.32xlarge", "m6in.metal", "m7a.48xlarge", "m7a.metal-48xl", "m7g.16xlarge", "m7g.metal", "m7gd.16xlarge", "m7i.48xlarge", "p3dn.24xlarge", "p4d.24xlarge", "p5.48xlarge", "r5dn.24xlarge", "r5dn.metal", "r5n.24xlarge", "r5n.metal", "r6a.48xlarge", "r6a.metal", "r6i.32xlarge", "r6i.metal", "r6id.32xlarge", "r6id.metal", "r6idn.32xlarge", "r6idn.metal", "r6in.32xlarge", "r6in.metal", "r7a.48xlarge", "r7g.16xlarge", "r7g.metal", "r7gd.16xlarge", "r7iz.32xlarge", "trn1.32xlarge", "trn1n.32xlarge", "vt1.24xlarge", "x2idn.32xlarge", "x2idn.metal", "x2iedn.32xlarge", "x2iedn.metal", "x2iezn.12xlarge", "x2iezn.metal"] - } - } - } - } - } - - toleration { - key = "CriticalAddonsOnly" - operator = "Exists" - } - - toleration { - key = "aws.amazon.com/efa" - operator = "Exists" - effect = "NoSchedule" - } - - priority_class_name = "system-node-critical" - } - } - - strategy { - type = "RollingUpdate" - } - } -} - ################################################################################ # Supporting Resources ################################################################################ @@ -345,9 +242,3 @@ module "vpc" { tags = local.tags } - -# Group instances within clustered placement group so they are in close proximity -resource "aws_placement_group" "efa" { - name = local.name - strategy = "cluster" -} diff --git a/patterns/elastic-fabric-adapter/versions.tf b/patterns/elastic-fabric-adapter/versions.tf index a71baafaf3..da1dc79199 100644 --- a/patterns/elastic-fabric-adapter/versions.tf +++ b/patterns/elastic-fabric-adapter/versions.tf 
@@ -10,10 +10,6 @@ terraform { source = "hashicorp/helm" version = ">= 2.9" } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.20" - } } # ## Used for end-to-end testing on project; update to suit your needs From 1ce59fc329c9bfbd0bdb68d0bc5736a3fb4988ca Mon Sep 17 00:00:00 2001 From: Vijay Chintalapati Date: Fri, 15 Mar 2024 04:21:48 -0700 Subject: [PATCH 09/15] refactor: Updated code with IAM access entries (#1906) --- patterns/privatelink-access/README.md | 35 +------------------------- patterns/privatelink-access/eks.tf | 27 +++++++++++++------- patterns/privatelink-access/outputs.tf | 22 ---------------- 3 files changed, 19 insertions(+), 65 deletions(-) diff --git a/patterns/privatelink-access/README.md b/patterns/privatelink-access/README.md index 81619eb6b8..9c7a3f994f 100644 --- a/patterns/privatelink-access/README.md +++ b/patterns/privatelink-access/README.md @@ -15,25 +15,9 @@ terraform apply -target=module.eventbridge -target=module.nlb --auto-approve terraform apply --auto-approve ``` -Once the pattern has successfully deployed, you will be provided with multiple -output values. - -Review the output value for `cluster_endpoint_private`, it should look similar -to snippet below: - -```sh -aws eks update-cluster-config \ ---region us-west-2 \ ---name privatelink-access \ ---resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true -``` - -Copy the command and run it in a terminal session to take cluster API -endpoint private. - ## Test access to EKS Kubernetes API server endpoint -Of the other output values, the value `ssm_test` is provided to aid in quickly +Of the output values, the value `ssm_test` is provided to aid in quickly testing the connectivity from the client EC2 instance to the private EKS cluster via AWS PrivateLink. Copy the output value, which looks like the snippet shown below (as an example) and paste it into your terminal to execute and check the 
@@ -96,23 +80,6 @@ kube-system kube-proxy-mm2zc 1/1 Running 0 1m ## Destroy -Before we could destroy/teardown all the resources created, we need to ensure -that the cluster state is restored for the Terraform to do a complete cleanup. -This would mean that we make cluster API endpoint public again. - -Review the output value for `cluster_endpoint_public`, it should look similar -to snippet below: - -```sh -aws eks update-cluster-config \ ---region us-west-2 \ ---name privatelink-access \ ---resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true -``` - -Copy the command and run it in a terminal session to take cluster API -endpoint public. - {% include-markdown "../../docs/_partials/destroy.md" %} diff --git a/patterns/privatelink-access/eks.tf b/patterns/privatelink-access/eks.tf index 8cfc223c07..ad309c30b6 100644 --- a/patterns/privatelink-access/eks.tf +++ b/patterns/privatelink-access/eks.tf @@ -16,19 +16,28 @@ provider "kubernetes" { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.21" + version = "~> 20.0" cluster_name = local.name cluster_version = "1.29" - cluster_endpoint_public_access = true - manage_aws_auth_configmap = true - - aws_auth_roles = [{ - rolearn = module.client_ec2_instance.iam_role_arn - username = "ec2-client" - groups = ["system:masters"] - }] + cluster_endpoint_public_access = false + enable_cluster_creator_admin_permissions = true + + access_entries = { + ec2-access-entry = { + principal_arn = module.client_ec2_instance.iam_role_arn + policy_associations = { + cluster-admin-policy = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + access_scope = { + namespaces = [] + type = "cluster" + } + } + } + } + } cluster_addons = { coredns = {} diff --git a/patterns/privatelink-access/outputs.tf b/patterns/privatelink-access/outputs.tf index 50f5ac870d..4cee728505 100644 --- a/patterns/privatelink-access/outputs.tf +++ b/patterns/privatelink-access/outputs.tf 
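Review bot: The new `access_entries` block in the `eks.tf` hunk associates the client instance role with `AmazonEKSClusterAdminPolicy` at `type = "cluster"` scope, reproducing the `system:masters` mapping it replaces, but nothing in the hunk records that this is a deliberate choice for a connectivity test rather than a grant to copy into real deployments. A comment such as `# Cluster-admin is used only to exercise the PrivateLink path; scope this to a narrower policy (e.g. AmazonEKSViewPolicy) or to specific namespaces for real workloads` would stop the pattern being reused as-is. It is also worth a line explaining that `cluster_endpoint_public_access = false` can now be set at creation time because access entries are managed through the EKS API rather than the `aws-auth` ConfigMap, which presumably is why the endpoint toggle steps were dropped from the README in the same patch. The `module "eks"` block continues past the end of the hunk.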
@@ -23,25 +23,3 @@ output "ssm_test" { --output text EOT } - -output "cluster_endpoint_private" { - description = "Command to set the EKS API server endpoint access private" - value = <<-EOT - - aws eks update-cluster-config \ - --region ${local.region} \ - --name ${module.eks.cluster_name} \ - --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true - EOT -} - -output "cluster_endpoint_public" { - description = "Command to set the EKS API server endpoint access private" - value = <<-EOT - - aws eks update-cluster-config \ - --region ${local.region} \ - --name ${module.eks.cluster_name} \ - --resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true - EOT -} From ea364e24606b25e67d0586650ec53cbeea2bf12a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Mar 2024 07:39:11 -0400 Subject: [PATCH 10/15] chore(deps): Bump github/codeql-action from 3.24.7 to 3.24.8 (#1907) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 7861cd039f..2030446885 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + uses: github/codeql-action/upload-sarif@05963f47d870e2cb19a537396c1f668a348c7d8f # v3.24.8 with: sarif_file: results.sarif From ed287b10af03bf6ebc50b7a148fe70fb1d622e3e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 07:45:15 -0400 Subject: [PATCH 11/15] chore(deps): Bump actions/dependency-review-action from 4.1.3 to 4.2.3 (#1909) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 0ed4ea8061..64866956c6 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -24,4 +24,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.5.4 - name: 'Dependency Review' - uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3 + uses: actions/dependency-review-action@0fa40c3c10055986a88de3baa0d6ec17c5a894b3 # v4.2.3 From cb67ea7c9f2a9cd27951346395b0e64fedf3ab54 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Mar 2024 08:04:28 -0400 Subject: [PATCH 12/15] chore(deps): Bump github/codeql-action from 3.24.8 to 3.24.9 (#1910) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 2030446885..b054bbb8cc 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@05963f47d870e2cb19a537396c1f668a348c7d8f # v3.24.8 + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: sarif_file: results.sarif 
From 712ae425efc744b97564df4f5bc5e3f1a9f5f6b7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Mar 2024 08:14:03 -0400 Subject: [PATCH 13/15] chore(deps): Bump actions/dependency-review-action from 4.2.3 to 4.2.4 (#1911) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 64866956c6..f1faeb86d1 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -24,4 +24,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.5.4 - name: 'Dependency Review' - uses: actions/dependency-review-action@0fa40c3c10055986a88de3baa0d6ec17c5a894b3 # v4.2.3 + uses: actions/dependency-review-action@733dd5d4a5203f238c33806593ec0f5fc5343d8c # v4.2.4 From 7d3ed7a6e8c5751b6f816d176b26824ca93f64b6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Mar 2024 08:06:46 -0400 Subject: [PATCH 14/15] chore(deps): Bump actions/dependency-review-action from 4.2.4 to 4.2.5 (#1912) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index f1faeb86d1..af5993c54b 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -24,4 +24,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.5.4 - name: 'Dependency Review' - uses: actions/dependency-review-action@733dd5d4a5203f238c33806593ec0f5fc5343d8c # v4.2.4 + uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5 From 9d02c366a0d1734872061192311557314b372193 Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Tue, 26 Mar 2024 08:58:06 -0700 Subject: [PATCH 15/15] chore: Update README.md for karpenter-blueprints reference (#1913) --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index f1c156f8b6..5fd067fac1 100644 --- a/README.md +++ b/README.md @@ -85,6 +85,10 @@ related projects that users should be aware of: AWS-managed observability services such as Amazon Managed Service for Prometheus, Amazon Managed Grafana, AWS Distro for OpenTelemetry (ADOT) and Amazon CloudWatch +4. Karpenter Blueprints + - [`karpenter-blueprints`](https://github.com/aws-samples/karpenter-blueprints) - includes a list of common workload scenarios, + some of them go in depth with the explanation of why configuring Karpenter and Kubernetes objects in such a way is important. + ## Terraform Caveats EKS Blueprints for Terraform does not intend to teach users the recommended practices for Terraform