Merge pull request #49 from pluralsh/kevin/eng-2023-flesh-out-remaining-existing-cluster-setups

Kevin Jayne · web-flow · commit bea39e723fc4 · 2024-05-09T11:05:36.000-04:00
Kevin/eng 2023 flesh out remaining existing cluster setups
diff --git a/charts/runtime/Chart.yaml b/charts/runtime/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: runtime
 description: Sets up the basic dependencies needed to get a network stack running
 type: application
-version: 0.1.21
+version: 0.1.22
 appVersion: "0.1.0"
 dependencies:
 - name: external-dns
diff --git a/charts/runtime/values.yaml b/charts/runtime/values.yaml
@@ -80,6 +80,12 @@ ingress-nginx-private:
         networking.gke.io/load-balancer-type: "Internal"
         service.beta.kubernetes.io/azure-load-balancer-internal: "true"
         service.beta.kubernetes.io/aws-load-balancer-scheme: internal
+        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+        service.beta.kubernetes.io/aws-load-balancer-type: external
+        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
     admissionWebhooks:
       enabled: false
     config:
@@ -156,7 +162,14 @@ ingress-nginx:
       enabled: false
     service:
       annotations:
+        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
         service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz
+        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+        service.beta.kubernetes.io/aws-load-balancer-type: external
+        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
     config:
       worker-shutdown-timeout: 240s
       proxy-body-size: '0'
diff --git a/existing/terraform/aws/iam.tf b/existing/terraform/aws/iam.tf
@@ -0,0 +1,43 @@
+module "assumable_role_certmanager" {
+  source           = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version          = "3.14.0"
+  create_role      = true
+  role_name        = "${var.cluster_name}-certmanager-extdns"
+  provider_url     = var.cluster_oidc_issuer_arn
+  role_policy_arns = [aws_iam_policy.certmanager.arn]
+  oidc_fully_qualified_subjects = [
+    "system:serviceaccount:${var.externaldns_namespace}:${var.externaldns_serviceaccount}",
+    "system:serviceaccount:${var.namespace}:${var.certmanager_serviceaccount}"
+  ]
+}
+
+resource "aws_iam_policy" "certmanager" {
+  name_prefix = "certmanager"
+  description = "certmanager permissions for ${var.cluster_name}"
+  policy      = <<-POLICY
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "route53:GetChange",
+          "Resource": "arn:aws:route53:::change/*"
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "route53:ChangeResourceRecordSets",
+            "route53:ListResourceRecordSets",
+            "route53:ListHostedZones"
+          ],
+          "Resource": "arn:aws:route53:::hostedzone/*"
+        },
+        {
+          "Effect": "Allow",
+          "Action": "route53:ListHostedZones",
+          "Resource": "*"
+        }
+      ]
+    }
+  POLICY
+}
diff --git a/existing/terraform/aws/variables.tf b/existing/terraform/aws/variables.tf
@@ -0,0 +1,34 @@
+
+
+variable "cluster_name" {
+  description = "The name of the EKS cluster"
+  type        = string
+}
+
+variable "cluster_oidc_issuer_arn" {
+  type        = string
+  description = "The OIDC issuer URL of the EKS cluster"
+}
+
+variable "certmanager_serviceaccount" {
+  type        = string
+  default     = "certmanager"
+  description = "name of the certmanager service account"
+}
+
+variable "namespace" {
+  type    = string
+  default = "bootstrap"
+}
+
+variable "externaldns_serviceaccount" {
+  type        = string
+  default     = "externaldns"
+  description = "name of the external dns service account"
+}
+
+variable "externaldns_namespace" {
+  type        = string
+  default     = "plrl-runtime"
+  description = "name of the external dns namespace"
+}
diff --git a/helm/certmanager.yaml b/helm/certmanager.yaml
@@ -3,7 +3,8 @@ serviceAccount:
   name: cert-manager
   annotations:
     plural.sh/dummy: 'ignore'
-  # azure.workload.identity/client-id: 027c5496-d46b-40d3-8f92-a0f44dcf3500 # uncomment and update for azure
+    # eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT-ID:role/plrl-console-eks-certmanager-extdns" # uncomment and update for aws
+    # azure.workload.identity/client-id: XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX # uncomment and update for azure
 
 securityContext:
   fsGroup: 1000
diff --git a/helm/runtime.yaml b/helm/runtime.yaml
@@ -21,7 +21,8 @@ external-dns:
     name: externaldns
     annotations:
       plural.sh/dummy: ignore
-      # azure.workload.identity/client-id: 027c5496-d46b-40d3-8f92-a0f44dcf3500 # uncomment and update for azure
+      # eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT-ID:role/plrl-console-eks-certmanager-extdns" # uncomment and update for aws
+      # azure.workload.identity/client-id: XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX # uncomment and update for azure
 
   podLabels:
     azure.workload.identity/use: "true"
@@ -33,9 +34,41 @@ external-dns:
   domainFilters:
   - az.plural.sh # <- you need to change this
 
-  # For azure
-  # azure:
-  #   useWorkloadIdentityExtension: true
-  #   resourceGroup: <YOUR_RESOURCE_GROUP>
-  #   tenantId: <YOUR_TENANT_ID>
-  #   subscriptionId: <YOUR_SUBSCRIPTION_ID>
+# For azure
+# azure:
+#   useWorkloadIdentityExtension: true
+#   resourceGroup: <YOUR_RESOURCE_GROUP>
+#   tenantId: <YOUR_TENANT_ID>
+#   subscriptionId: <YOUR_SUBSCRIPTION_ID>
+
+# For aws
+# ingress-nginx:
+#   controller:
+#     service:
+#       annotations:
+#         service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+#         service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+#         service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+#         service.beta.kubernetes.io/aws-load-balancer-type: external
+#         service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+#         service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+#         service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+#     config:
+#       compute-full-forwarded-for: 'true'
+#       use-forwarded-headers: 'true'
+#       use-proxy-protocol: 'true'
+
+# ingress-nginx-private:
+#   controller:
+#     service:
+#       annotations:
+#         service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+#         service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+#         service.beta.kubernetes.io/aws-load-balancer-type: external
+#         service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+#         service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+#         service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+#     config:
+#       compute-full-forwarded-for: 'true'
+#       use-forwarded-headers: 'true'
+#       use-proxy-protocol: 'true'
