From 5d463cf9668545d55641d8f4f31a965119803b64 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Fri, 21 Feb 2025 20:18:58 -0500
Subject: [PATCH 01/57] yep

---
 .../vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
index 4e4d198f..036b4c83 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
@@ -20,7 +20,7 @@ dependency "eks" {
 }
 terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}"
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=hpa_debug"
 extra_arguments "retry_lock" {
 commands = get_terraform_commands_that_need_locking()
 arguments = ["-lock-timeout=20s"]
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
index dc222715..3dc5880a 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
@@ -5,7 +5,7 @@ include "root" {
 }
 terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}"
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=read_fix"
 extra_arguments "retry_lock" {
 commands = get_terraform_commands_that_need_locking()
 arguments = ["-lock-timeout=20s"]
From 7b98e0ce930889d118e05b19fe359e17420f236a Mon Sep 17 00:00:00 2001
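Review bot: The new `source` lines in both hunks replace the `${include.root.inputs.release_version}` pin with bare branch names (`hpa_debug`, `read_fix`), so the module content these environments deploy is whatever those branches point to at the moment terragrunt fetches them, and can change without any commit in this repo. For a debugging pass that still needs to be reproducible and reviewable, pin to the exact commit instead, e.g. `source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=<commit-sha>"`, and keep the reference out of the shared environment directory if it is only meant for one person's test. The `terraform` block continues outside the hunk, so any `source` override elsewhere in the file is not visible here.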
From: "Matthew C. Morgan"
Date: Mon, 24 Feb 2025 17:55:35 -0500
Subject: [PATCH 02/57] set back to normal

---
 .../vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
index 036b4c83..4e4d198f 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
@@ -20,7 +20,7 @@ dependency "eks" {
 }
 terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=hpa_debug"
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}"
 extra_arguments "retry_lock" {
 commands = get_terraform_commands_that_need_locking()
 arguments = ["-lock-timeout=20s"]
From 92257896c1b199d8ec5cb5776e22576b9364dc29 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 24 Feb 2025 17:57:41 -0500
Subject: [PATCH 03/57] missed tempo

---
 .../vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
index 3dc5880a..dc222715 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
@@ -5,7 +5,7 @@ include "root" {
 }
 terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=read_fix"
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}"
 extra_arguments "retry_lock" {
 commands = get_terraform_commands_that_need_locking()
 arguments = ["-lock-timeout=20s"]
From d4b0560145a353609fe543d48b8a322a5f4cb74f Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 24 Feb 2025 19:30:06 -0500
Subject: [PATCH 04/57] fix branch ref

---
 .../vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl
index f2136034..05fdb934 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl
@@ -5,7 +5,7 @@ include "root" {
 }
 terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=cert_clash"
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}"
 extra_arguments "retry_lock" {
 commands = get_terraform_commands_that_need_locking()
 arguments = ["-lock-timeout=20s"]
From b6cfc816b60add1565548f4af29e44292127d771 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 24 Feb 2025 19:30:24 -0500
Subject: [PATCH 05/57] change branch ref to test provider-resolution

---
 .../us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
index 9eca1de2..8c65f1d8 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
@@ -5,7 +5,7 @@ include "root" {
 }
 terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}"
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=provider-resolution"
 extra_arguments "retry_lock" {
 commands = get_terraform_commands_that_need_locking()
From db25e115468fe4fad3a10b96fe9dbb9e95fae449 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 24 Feb 2025 19:33:27 -0500
Subject: [PATCH 06/57] fix min vals

---
 .../us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
index 29eb18d8..a11583db 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
@@ -4,9 +4,9 @@ locals {
 cluster_name = "platform-eng-eks-mcm"
 cluster_mailing_list = "matthew.c.morgan@census.gov"
 eks_instance_disk_size = 100
- eks_ng_desired_size = 2
+ eks_ng_desired_size = 1
 eks_ng_max_size = 10
- eks_ng_min_size = 0
+ eks_ng_min_size = 1
 enable_cluster_creator_admin_permissions = true
 tags = {
 "slim:schedule" = "8:00-17:00"
From afa8bb24d2abad3eb6b8c12f89b82dbce70f8734 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 24 Feb 2025 20:08:04 -0500
Subject: [PATCH 07/57] 2 is the lowest

---
 .../us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
index a11583db..e52f9d23 100644
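Review bot: The `source` line for the EKS cluster module now tracks the `provider-resolution` branch rather than `${include.root.inputs.release_version}`, and this is the module that creates the control plane and (per the sibling `cluster.hcl` hunk) grants the cluster creator admin permissions, so a mutable ref here has the widest blast radius of the series. Anyone with push access to that branch can change what the next `terragrunt apply` builds without a review in this repo; if the test needs to land here, pin it to a commit, e.g. `source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=<commit-sha>"`, and add a comment naming the owner and the date it should be reverted. The `terraform` block continues outside the hunk.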
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
@@ -4,9 +4,9 @@ locals {
 cluster_name = "platform-eng-eks-mcm"
 cluster_mailing_list = "matthew.c.morgan@census.gov"
 eks_instance_disk_size = 100
- eks_ng_desired_size = 1
+ eks_ng_desired_size = 2
 eks_ng_max_size = 10
- eks_ng_min_size = 1
+ eks_ng_min_size = 2
 enable_cluster_creator_admin_permissions = true
 tags = {
 "slim:schedule" = "8:00-17:00"
From f649b29cff9f14d12226277da6a1d75f3babc275 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan" Date: Tue, 25 Feb 2025 22:02:20 -0500 Subject: [PATCH 08/57] docs and keycloak --- .checkov.yml | 24 ++ .github/platform-tg-infra.code-workspace | 22 +- configs/node-groups.yaml | 48 ++++ configs/resource-quotas.yml | 36 +++ docs/ARCHITECTURE.md | 88 ++++++ docs/DOCUMENTATION_STANDARDS.md | 56 ++++ docs/INFRASTRUCTURE_STANDARDS.md | 75 +++++ docs/MODULE_DEPENDENCIES.md | 45 +++ docs/MODULE_STANDARDS.md | 69 +++++ docs/OBSERVABILITY_STANDARDS.md | 67 +++++ docs/SECURITY_AUDIT_CHECKLIST.md | 43 +++ docs/SECURITY_BASELINE.md | 76 +++++ docs/TESTING_STANDARDS.md | 107 +++++++ docs/VERSION_CONTROL.md | 52 ++++ docs/templates/MODULE_README.md | 71 +++++ lab/_envcommon/default-versions.hcl | 21 +- .../eks-k8s-dashboard/terragrunt.hcl | 2 +- .../eks-keycloak/terragrunt.hcl | 46 +++ monitoring/grafana-dashboards.json | 44 +++ monitoring/prometheus-rules.yaml | 39 +++ plan.md | 271 ++++++++++++++++++ tests/terraform.tftest.hcl | 40 +++ 22 files changed, 1333 insertions(+), 9 deletions(-) create mode 100644 .checkov.yml create mode 100644 configs/node-groups.yaml create mode 100644 configs/resource-quotas.yml create mode 100644 docs/ARCHITECTURE.md create mode 100644 docs/DOCUMENTATION_STANDARDS.md create mode 100644 docs/INFRASTRUCTURE_STANDARDS.md create mode 100644 docs/MODULE_DEPENDENCIES.md create mode 100644 docs/MODULE_STANDARDS.md create mode 100644 docs/OBSERVABILITY_STANDARDS.md create mode 100644 docs/SECURITY_AUDIT_CHECKLIST.md create mode 100644 docs/SECURITY_BASELINE.md create mode 100644 docs/TESTING_STANDARDS.md create mode 100644 docs/VERSION_CONTROL.md create mode 100644 docs/templates/MODULE_README.md create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl create mode 100644 monitoring/grafana-dashboards.json create mode 100644 monitoring/prometheus-rules.yaml create mode 100644 plan.md create mode 100644 tests/terraform.tftest.hcl 
diff --git a/.checkov.yml b/.checkov.yml new file mode 100644 index 00000000..cc000299 --- /dev/null +++ b/.checkov.yml @@ -0,0 +1,24 @@ +branch: master +download-external-modules: true +evaluate-variables: true +external-checks-dir: + - security/custom_checks +framework: + - terraform + - kubernetes +output: + - cli + - json + - junitxml +skip-check: + - CKV_AWS_79 # Instance Metadata Service Version 1 + - CKV_AWS_130 # Ensure VPC subnets are not assigned public IP by default +quiet: true +compact: true +directory: + - . + - modules/* +secrets-scan-file-type: + - tf + - yaml + - json diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 5047434c..e7bd7b97 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -2,7 +2,7 @@ "folders": [ { "name": "platform-tg-infra", - "path": "../" + "path": ".." }, { "name": "tfmod-cert-mgr", @@ -28,6 +28,10 @@ "name": "tfmod-eks-dns", "path": "../../tfmod-eks-dns" }, + { + "name": "tfmod-gogatekeeper", + "path": "../../tfmod-gogatekeeper" + }, { "name": "tfmod-grafana", "path": "../../tfmod-grafana" @@ -48,6 +52,10 @@ "name": "tfmod-karpenter", "path": "../../tfmod-karpenter" }, + { + "name": "tfmod-keycloak", + "path": "../../tfmod-keycloak" + }, { "name": "tfmod-kiali", "path": "../../tfmod-kiali" @@ -69,13 +77,25 @@ "path": "../../tfmod-tempo" }, { + "name": "terraform-aws-eks", "path": "../../terraform-aws-eks" }, { + "name": "karpenter-provider-aws", "path": "../../karpenter-provider-aws" }, { + "name": "terragrunt", "path": "../../terragrunt" + }, + { + "path": "../../terraform-aws-rds" + }, + { + "path": "../../aws-rds" + }, + { + "path": "../../morpheus-terraform-dev" } ] } diff --git a/configs/node-groups.yaml b/configs/node-groups.yaml new file mode 100644 index 00000000..11e09cad --- /dev/null +++ b/configs/node-groups.yaml 
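Review bot: The `skip-check` entries in the new `.checkov.yml` globally suppress `CKV_AWS_79` (IMDSv1 still enabled) and `CKV_AWS_130` (subnets auto-assigning public IPs) with no justification, and on EKS worker nodes IMDSv1 is exactly the path by which an SSRF or a compromised pod reads the node instance-profile credentials from 169.254.169.254. If a module genuinely needs an exception, scope it to that resource with an inline `checkov:skip=` comment that states the reason and an expiry, and enforce `http_tokens = "required"` on the node launch template instead of hiding the finding repo-wide. Two further things to confirm: `external-checks-dir: security/custom_checks` points at a directory this commit does not add (the diffstat has no `security/` entry), and `download-external-modules: true` will clone every remote module source during the scan, which needs the same credentials and network posture as an apply.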
@@ -0,0 +1,48 @@ +nodeGroups: + - name: general-purpose + instanceTypes: + - m6i.xlarge + - m6a.xlarge + - m5.xlarge + minSize: 2 + maxSize: 10 + desiredSize: 2 + labels: + node-type: general + taints: [] + updateConfig: + maxUnavailable: 1 + + - name: compute-optimized + instanceTypes: + - c6i.2xlarge + - c6a.2xlarge + - c5.2xlarge + minSize: 1 + maxSize: 20 + desiredSize: 2 + labels: + node-type: compute + taints: + - key: workload + value: batch + effect: NoSchedule + updateConfig: + maxUnavailable: 2 + + - name: memory-optimized + instanceTypes: + - r6i.2xlarge + - r6a.2xlarge + - r5.2xlarge + minSize: 1 + maxSize: 10 + desiredSize: 2 + labels: + node-type: memory + taints: + - key: workload + value: memory-intensive + effect: NoSchedule + updateConfig: + maxUnavailable: 1 diff --git a/configs/resource-quotas.yml b/configs/resource-quotas.yml new file mode 100644 index 00000000..655595d0 --- /dev/null +++ b/configs/resource-quotas.yml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: ResourceQuota +metadata: + name: default-quota +spec: + hard: + requests.cpu: "20" + requests.memory: 40Gi + limits.cpu: "40" + limits.memory: 80Gi + pods: "100" + services: "50" + secrets: "100" + configmaps: "100" + persistentvolumeclaims: "50" + +--- +apiVersion: v1 +kind: LimitRange +metadata: + name: default-limits +spec: + limits: + - type: Container + default: + cpu: 500m + memory: 512Mi + defaultRequest: + cpu: 100m + memory: 256Mi + max: + cpu: "4" + memory: 8Gi + min: + cpu: 50m + memory: 64Mi diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md new file mode 100644 index 00000000..8ea6c671 --- /dev/null +++ b/docs/ARCHITECTURE.md 
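Review bot: Neither the `ResourceQuota` nor the `LimitRange` in the new `configs/resource-quotas.yml` sets `metadata.namespace`, so `kubectl apply -f` will land them in whatever namespace the caller's current context selects, and nothing in this commit shows what applies the file or to which namespaces. If the intent is a per-tenant default, add `namespace:` to both objects (or document that a wrapper stamps it) so the quota cannot end up unapplied or applied to `kube-system`. A one-line header comment such as `# Applied per tenant namespace by <tool>; not cluster-wide` would make the intended scope explicit.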
@@ -0,0 +1,88 @@ +# Platform Infrastructure Architecture + +## Complete Platform Architecture + +```mermaid +graph TD + %% Core Network Infrastructure + VPC[VPC Module] --> DNS[DNS Module] + VPC --> SUBNETS[Subnet Configuration] + SUBNETS --> PRIVATE[Private Subnets] + SUBNETS --> PUBLIC[Public Subnets] + + %% EKS Cluster and Core Components + VPC --> EKS[EKS Cluster] + EKS --> IAM[IAM Roles Module] + EKS --> EKS_CONFIG[EKS Configuration] + EKS --> KARPENTER[Karpenter] + + %% Security and Access Management + EKS --> CERT_MGR[Cert Manager] + EKS --> GATEKEEPER[GoGatekeeper] + + %% Service Mesh + EKS_CONFIG --> ISTIO[Istio Service Mesh] + ISTIO --> KIALI[Kiali Dashboard] + ISTIO --> INGRESS[Service Ingress] + + %% Monitoring and Observability + EKS --> MONITORING[Monitoring Stack] + MONITORING --> PROMETHEUS[Prometheus] + MONITORING --> GRAFANA[Grafana] + MONITORING --> LOKI[Loki Log Aggregation] + MONITORING --> TEMPO[Tempo Tracing] + + %% Additional Services + EKS --> DASHBOARD[Kubernetes Dashboard] + EKS --> METRICS[Metrics Server] + EKS --> KEYCLOAK[Keycloak SSO] + + %% Infrastructure Management + TERRAGRUNT[Terragrunt] --> VPC + TERRAGRUNT --> EKS + + %% Database Layer + VPC --> RDS[RDS Database] + + %% Styling + classDef core fill:#f9f,stroke:#333,stroke-width:2px + classDef security fill:#bbf,stroke:#333,stroke-width:2px + classDef monitoring fill:#bfb,stroke:#333,stroke-width:2px + + class VPC,EKS,EKS_CONFIG core + class CERT_MGR,GATEKEEPER,IAM security + class PROMETHEUS,GRAFANA,LOKI,TEMPO monitoring +``` + +## Component Descriptions + +### Core Infrastructure +- **VPC Module**: Network foundation with public/private subnets +- **EKS Cluster**: Managed Kubernetes service +- **Karpenter**: Autoscaling node management +- **DNS Module**: Route53 DNS management + +### Security Layer +- **Cert Manager**: Certificate lifecycle management +- **GoGatekeeper**: Policy enforcement +- **IAM Roles**: AWS IAM integration + +### Service Mesh +- **Istio**: Service mesh 
implementation +- **Kiali**: Service mesh visualization +- **Service Ingress**: External traffic management + +### Monitoring Stack +- **Prometheus**: Metrics collection +- **Grafana**: Metrics visualization +- **Loki**: Log aggregation +- **Tempo**: Distributed tracing + +### Additional Services +- **Kubernetes Dashboard**: Cluster management UI +- **Metrics Server**: Resource metrics +- **Keycloak**: Identity management + +### Infrastructure Management +- **Terragrunt**: Infrastructure deployment orchestration +- **RDS**: Managed database services diff --git a/docs/DOCUMENTATION_STANDARDS.md b/docs/DOCUMENTATION_STANDARDS.md new file mode 100644 index 00000000..b00374bc --- /dev/null +++ b/docs/DOCUMENTATION_STANDARDS.md @@ -0,0 +1,56 @@ +# Documentation Standards Guide + +## README Structure +Each module must include a README.md with the following sections: + +1. Overview + - Purpose + - Key features + - Architecture diagram + +2. Prerequisites + - Required tooling + - Required permissions + - Dependencies + +3. Usage + - Basic example + - Advanced examples + - Input variables table + - Output variables table + +4. Architecture + - Component diagram + - Network flow + - Security considerations + +5. Operations + - Deployment guide + - Monitoring + - Troubleshooting + - Maintenance + +## Changelog Format +Use Commitizen convention: + +``` +feat: New feature +fix: Bug fix +docs: Documentation changes +style: Formatting changes +refactor: Code restructure without behavior change +test: Test updates +chore: Maintenance tasks +``` + +## Diagrams +- Use PlantUML for architecture diagrams +- Include source files in `docs/diagrams` +- Export PNG/SVG to `docs/images` +- Keep diagrams up to date with code changes + +## Usage Examples +- Provide basic and advanced examples +- Include realistic variable values +- Document required permissions +- Include expected outputs 
diff --git a/docs/INFRASTRUCTURE_STANDARDS.md b/docs/INFRASTRUCTURE_STANDARDS.md new file mode 100644 index 00000000..bdcdda6c --- /dev/null +++ b/docs/INFRASTRUCTURE_STANDARDS.md @@ -0,0 +1,75 @@ +# Infrastructure Standards + +## Node Group Configuration + +### Instance Types +```hcl +locals { + instance_types = { + general_purpose = ["m6i.xlarge", "m6a.xlarge", "m5.xlarge"] + compute_optimized = ["c6i.2xlarge", "c6a.2xlarge", "c5.2xlarge"] + memory_optimized = ["r6i.2xlarge", "r6a.2xlarge", "r5.2xlarge"] + } +} +``` + +### Node Labels +```yaml +labels: + node-type: [general|compute|memory] + environment: [dev|stage|prod] + workload-type: [service|batch|system] +``` + +## Auto-scaling Configuration + +### Cluster Autoscaler +```yaml +cluster-autoscaler: + scaleDownUnneededTime: 10m + scaleDownDelayAfterAdd: 10m + maxNodeProvisionTime: 15m + maxGracefulTermination: 10m +``` + +### Karpenter Settings +```yaml +provisioner: + requirements: + - key: karpenter.sh/capacity-type + operator: In + values: ["spot", "on-demand"] + limits: + resources: + cpu: 1000 + memory: 1000Gi +``` + +## Storage Classes + +### Standard Classes +```yaml +storage-classes: + standard: + type: gp3 + encrypted: true + reclaimPolicy: Delete + premium: + type: io2 + iops: 5000 + encrypted: true + reclaimPolicy: Retain +``` + +## Resource Quotas + +### Default Quotas +```yaml +quotas: + default: + requests.cpu: "20" + requests.memory: 40Gi + limits.cpu: "40" + limits.memory: 80Gi + pods: "100" +``` diff --git a/docs/MODULE_DEPENDENCIES.md b/docs/MODULE_DEPENDENCIES.md new file mode 100644 index 00000000..34372650 --- /dev/null +++ b/docs/MODULE_DEPENDENCIES.md 
@@ -0,0 +1,45 @@ +# Module Dependencies + +## Core Infrastructure Dependencies + +```mermaid +graph TD + VPC[VPC Module] --> EKS[EKS Module] + EKS --> EKS_CONFIG[EKS Config Module] + EKS --> KARPENTER[Karpenter Module] + EKS_CONFIG --> ISTIO[Istio Module] + ISTIO --> INGRESS[Service Ingress Module] + EKS --> MONITORING[Monitoring Stack] + MONITORING --> PROMETHEUS[Prometheus Module] + MONITORING --> GRAFANA[Grafana Module] +``` + +## Module Initialization Order + +1. Network Infrastructure + - VPC Module + - DNS Module + +2. Cluster Infrastructure + - EKS Module + - IAM Roles Module + - EKS Configuration + +3. Cluster Add-ons + - Metrics Server + - Cert Manager + - Karpenter + +4. Observability Stack + - Prometheus + - Grafana + - Loki + - Tempo + +## Version Compatibility Matrix + +| Module | Version | Dependencies | Breaking Changes | +|--------|---------|--------------|------------------| +| EKS | v1.0.0 | AWS Provider >= 4.0 | None | +| Karpenter | v0.5.0 | EKS >= 1.0.0 | Node group naming | +| Istio | v1.2.0 | EKS >= 1.0.0 | Service mesh config | diff --git a/docs/MODULE_STANDARDS.md b/docs/MODULE_STANDARDS.md new file mode 100644 index 00000000..88699ced --- /dev/null +++ b/docs/MODULE_STANDARDS.md 
@@ -0,0 +1,69 @@ +# Module Standards + +## Directory Structure +``` +module/ +├── README.md +├── main.tf +├── variables.tf +├── outputs.tf +├── versions.tf +├── examples/ +│ ├── basic/ +│ └── complete/ +└── tests/ + ├── defaults/ + └── complete/ +``` + +## Naming Conventions + +### Resource Naming +```hcl +resource "aws_iam_role" "example" { + name = format("%s-%s-%s", var.prefix, var.environment, var.name) + # ... +} +``` + +### Variable Structure +```hcl +variable "cluster_config" { + type = object({ + name = string + version = string + environment = string + vpc_id = string + }) + description = "EKS cluster configuration" +} +``` + +## Version Constraints + +### Provider Versions +```hcl +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.0" + } + } + required_version = ">= 1.0" +} +``` + +## Documentation Requirements + +### README Structure +1. Overview +2. Usage +3. Inputs/Outputs +4. Examples +5. Requirements +6. Dependencies diff --git a/docs/OBSERVABILITY_STANDARDS.md b/docs/OBSERVABILITY_STANDARDS.md new file mode 100644 index 00000000..a6d95bbb --- /dev/null +++ b/docs/OBSERVABILITY_STANDARDS.md 
@@ -0,0 +1,67 @@ +# Observability Standards + +## Metrics Collection + +### Golden Signals +- Latency +- Traffic +- Errors +- Saturation + +### Standard Labels +```yaml +labels: + environment: [dev|stage|prod] + service: + team: + cost_center: +``` + +### SLO Definitions +```yaml +slos: + availability: + target: 99.9% + window: 30d + latency: + target: 95% + threshold: 500ms + window: 30d +``` + +## Logging Standards + +### Log Format +```json +{ + "timestamp": "ISO8601", + "level": "INFO|WARN|ERROR", + "service": "service_name", + "trace_id": "uuid", + "message": "log message", + "metadata": {} +} +``` + +### Retention Policy +- Hot storage: 7 days +- Warm storage: 30 days +- Cold storage: 365 days + +## Alerting Standards + +### Alert Severity Levels +- P1: Critical - Immediate action required +- P2: High - Action required within 1 hour +- P3: Medium - Action required within 24 hours +- P4: Low - Action required within 1 week + +### Alert Format +```yaml +alert: + name: AlertName + severity: P1|P2|P3|P4 + description: "Clear description of the alert" + runbook_url: "Link to runbook" + notification_channels: ["slack", "email"] +``` diff --git a/docs/SECURITY_AUDIT_CHECKLIST.md b/docs/SECURITY_AUDIT_CHECKLIST.md new file mode 100644 index 00000000..f0b1bc09 --- /dev/null +++ b/docs/SECURITY_AUDIT_CHECKLIST.md 
@@ -0,0 +1,43 @@ +# EKS Security Audit Checklist + +## Cluster Configuration +- [ ] EKS Control Plane Logging enabled +- [ ] Kubernetes API server endpoint private +- [ ] Secrets encryption enabled +- [ ] Latest EKS version deployed +- [ ] IRSA (IAM Roles for Service Accounts) enabled + +## Network Security +- [ ] Security groups follow least privilege +- [ ] Network policies implemented +- [ ] All ports documented and justified +- [ ] No public endpoints exposed +- [ ] VPC flow logs enabled + +## Authentication & Authorization +- [ ] IAM policies follow least privilege +- [ ] RBAC policies implemented +- [ ] Service account tokens auto-rotated +- [ ] AWS IAM authenticator configured +- [ ] Regular access review process + +## Data Protection +- [ ] EBS encryption enabled +- [ ] Secrets managed by AWS Secrets Manager +- [ ] ETCd encryption enabled +- [ ] S3 bucket encryption enabled +- [ ] Regular key rotation configured + +## Compliance +- [ ] FIPS endpoints enabled +- [ ] Compliance tags implemented +- [ ] Regular security scans configured +- [ ] Audit logging enabled +- [ ] Compliance reports automated + +## Monitoring & Alerts +- [ ] Security event logging enabled +- [ ] Alert thresholds configured +- [ ] Incident response plan documented +- [ ] Regular security testing scheduled +- [ ] Compliance monitoring automated diff --git a/docs/SECURITY_BASELINE.md b/docs/SECURITY_BASELINE.md new file mode 100644 index 00000000..ffd32a28 --- /dev/null +++ b/docs/SECURITY_BASELINE.md 
@@ -0,0 +1,76 @@ +# EKS Security Baseline + +## Security Group Configuration + +### Node Group Security +```hcl +# Example security group configuration +resource "aws_security_group" "node_group" { + name_prefix = "eks-node-group" + vpc_id = var.vpc_id + + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + security_groups = [var.cluster_security_group_id] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} +``` + +## Encryption Standards + +### Data at Rest +- EBS Volumes: AWS KMS encryption required +- Secrets: Envelope encryption with automatic key rotation +- ETCd: AWS KMS encryption enabled + +### Data in Transit +- TLS 1.2+ required for all API communications +- mTLS required for service-to-service communication +- Certificate rotation every 90 days + +## Network Policies + +### Default Deny Policy +```yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +``` + +## Pod Security Standards + +### Baseline Pod Security +```yaml +apiVersion: pod-security.admission.config.k8s.io/v1 +kind: PodSecurityConfiguration +defaults: + enforce: "baseline" + enforce-version: "latest" + audit: "restricted" + audit-version: "latest" + warn: "restricted" + warn-version: "latest" +``` + +## Compliance Requirements + +### GovCloud Specific +- FIPS 140-2 endpoints enabled +- NIST 800-53 controls implemented +- Regular security assessments +- Continuous monitoring enabled diff --git a/docs/TESTING_STANDARDS.md b/docs/TESTING_STANDARDS.md new file mode 100644 index 00000000..c731eaf3 --- /dev/null +++ b/docs/TESTING_STANDARDS.md 
@@ -0,0 +1,107 @@ +# Testing Standards + +## Validation Testing + +### Pre-commit Hooks +```yaml +repos: +- repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.64.0 + hooks: + - id: terraform_fmt + - id: terraform_docs + - id: terraform_tflint + - id: terraform_validate +``` + +### Static Analysis +```hcl +provider "aws" { + region = var.region + + default_tags { + tags = { + Environment = var.environment + Terraform = "true" + Project = var.project + } + } +} + +# Required variable validation +variable "environment" { + type = string + validation { + condition = contains(["dev", "stage", "prod"], var.environment) + error_message = "Environment must be dev, stage, or prod." + } +} +``` + +## Integration Testing + +### Test Structure +``` +tests/ +├── integration/ +│ ├── eks_cluster/ +│ │ ├── test_cluster.tf +│ │ └── variables.tf +│ └── monitoring/ +│ ├── test_prometheus.tf +│ └── variables.tf +└── e2e/ + └── complete_setup/ + ├── main.tf + └── outputs.tf +``` + +### Example Test Case +```hcl +module "test_eks" { + source = "../../" + + cluster_name = "test-cluster" + cluster_version = "1.24" + + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnets + + enable_logging = true +} + +output "test_cluster_status" { + value = module.test_eks.cluster_status +} +``` + +## Security Testing + +### Checkov Configuration +```yaml +checkov: + skip-check: + - CKV_AWS_79 # Ensure Instance Metadata Service Version 1 is not enabled + external-checks-dir: + - security/custom_checks +``` + +### Custom Security Checks +```python +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck + +class EnsureEncryption(BaseResourceCheck): + def __init__(self): + name = "Ensure encryption is enabled" + id = "CKV_CUSTOM_1" + supported_resources = ['aws_ebs_volume'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, 
supported_resources=supported_resources) + + def scan_resource_conf(self, conf): + if 'encrypted' in conf.keys(): + if conf['encrypted'][0]: + return CheckResult.PASSED + return CheckResult.FAILED +``` diff --git a/docs/VERSION_CONTROL.md b/docs/VERSION_CONTROL.md new file mode 100644 index 00000000..bc433f6a --- /dev/null +++ b/docs/VERSION_CONTROL.md @@ -0,0 +1,52 @@ +# Version Control Standards + +## Semantic Versioning + +### Version Format +- MAJOR.MINOR.PATCH +- Example: 1.2.3 + +### Version Rules +1. MAJOR version - Incompatible API changes +2. MINOR version - Backwards-compatible features +3. PATCH version - Bug fixes + +## Release Process + +### Release Branches +``` +main +├── release/1.0.x +├── release/1.1.x +└── release/2.0.x +``` + +### Version Tags +```bash +# Release tags +v1.0.0 +v1.0.1 +v1.1.0 +v2.0.0 +``` + +## Breaking Changes + +### Documentation Format +```markdown +# Breaking Changes + +## Version 2.0.0 +- Changed: Resource naming convention +- Removed: Deprecated variables +- Required: AWS Provider >= 4.0 +``` + +## Upgrade Guidelines + +### Module Updates +1. Review breaking changes +2. Update dependencies +3. Test in non-production +4. Update documentation +5. Create migration guide diff --git a/docs/templates/MODULE_README.md b/docs/templates/MODULE_README.md new file mode 100644 index 00000000..99123315 --- /dev/null +++ b/docs/templates/MODULE_README.md 
@@ -0,0 +1,71 @@ +# Module Name + +## Overview +Brief description of the module's purpose and functionality. + +## Prerequisites +* Required tools and versions +* Required permissions +* Dependencies + +## Usage + +### Basic Example +```hcl +module "example" { + source = "path/to/module" + + // Required variables + environment = "production" + region = "us-west-2" +} +``` + +### Advanced Example +```hcl +module "example" { + source = "path/to/module" + + // Detailed configuration + environment = "production" + region = "us-west-2" + high_availability = true + backup_retention = 30 +} +``` + +## Architecture +[Insert architecture diagram] + +### Components +* Component 1 - Description +* Component 2 - Description + +### Network Flow +[Insert network flow diagram] + +## Operations + +### Deployment +Step-by-step deployment instructions + +### Monitoring +Key metrics and monitoring guidelines + +### Troubleshooting +Common issues and solutions + +## Input Variables +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| var1 | Description | type | default | yes/no | + +## Outputs +| Name | Description | +|------|-------------| +| out1 | Description | + +## Security Considerations +* Security group configurations +* IAM permissions +* Encryption settings diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index c2e4f946..9584c945 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -46,13 +46,6 @@ locals { telemetry_namespace = "telemetry" # kubectl_image_tag = "1.30.4" - ################ - # k8s-dashboard - ################ - dashboard_hostname = "k8s-dashboard" - # k8s_dashboard_metrics_scraper = "1.0.8" - k8s_dashboard_version = "6.0.6" - ################ # Cert-Manager ################ 
@@ -80,12 +73,26 @@ locals { grafana_tag = "11.4.0" init_chown_data_image_tag = "1.31.1" + ################ + # k8s-dashboard + ################ + dashboard_hostname = "k8s-dashboard" + k8s_dashboard_version = "6.0.6" + ################ # Karpenter ################ karpenter_helm_chart = "1.1.1" karpenter_tag = "1.1.1" + ################ + # keycloak + ################ + keycloak_app_version = "v26.1.2" + keycloak_chart_version = "24.4.10" + keycloak_hostname = "keycloak" + keycloak_namespace = "keycloak" + ################ # Kiali ################ diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl index 05fdb934..6b553503 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -41,5 +41,5 @@ inputs = { # Dashboard Configuration k8s_dashboard_version = include.root.inputs.k8s_dashboard_version - namespace = include.root.inputs.dashboard_hostname + namespace = include.root.inputs.dashboard_hostname } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl new file mode 100644 index 00000000..fbc810b8 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl 
@@ -0,0 +1,46 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=standards" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + cluster_name = "a-cluster-name" + vpc_id = "vpc-12345678" + database_subnet_ids = ["subnet-1", "subnet-2"] + } +} + +inputs = { + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + environment = include.root.inputs.environment + cluster_name = dependency.eks.outputs.cluster_name + cluster_domain = include.root.inputs.vpc_domain_name + keycloak_version = include.root.inputs.keycloak_chart_version + keycloak_tag = include.root.inputs.keycloak_app_version + keycloak_hostname = include.root.inputs.keycloak_hostname + namespace = include.root.inputs.keycloak_namespace + admin_email = include.root.inputs.creator + database_subnet_ids = dependency.eks.outputs.database_subnet_ids + + # Database configuration + db_engine = "aurora-postgresql" + db_instance_type = "db.t4g.medium" + db_name = "keycloak" + db_user = "keycloak" + + # Project information + project_name = include.root.inputs.project_name + tags = include.root.inputs.tags +} diff --git a/monitoring/grafana-dashboards.json b/monitoring/grafana-dashboards.json new file mode 100644 index 00000000..01d36852 --- /dev/null +++ b/monitoring/grafana-dashboards.json 
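Review bot: `source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=standards"` pins the module to a mutable branch, unlike the other modules in this tree which use `ref=${include.root.inputs.release_version}`, so any push to `standards` changes what the next `apply` deploys with no review in this repository. Since this is the identity provider for the cluster, prefer a tag or commit SHA, or return to `ref=${include.root.inputs.release_version}` once the branch is merged. Separately, the inputs set `db_user = "keycloak"` but no credential or secret reference is visible; presumably the module generates and stores the password, and a one-line comment stating where it lives (e.g. `# DB password is generated by the module and stored in Secrets Manager — confirm`) would save the next reader a module dive.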
@@ -0,0 +1,44 @@ +{ + "dashboards": [ + { + "name": "Cluster Overview", + "panels": [ + { + "title": "Node CPU Usage", + "type": "graph", + "targets": [ + { + "expr": "cluster:node_cpu:ratio_rate5m", + "legendFormat": "{{node}}" + } + ] + }, + { + "title": "Pod Resource Usage", + "type": "graph", + "targets": [ + { + "expr": "cluster:pod_cpu:usage_rate5m", + "legendFormat": "{{pod}}" + } + ] + } + ] + }, + { + "name": "Service SLOs", + "panels": [ + { + "title": "Request Latency", + "type": "graph", + "targets": [ + { + "expr": "http_request_duration_seconds:99percentile", + "legendFormat": "{{service}}" + } + ] + } + ] + } + ] +} diff --git a/monitoring/prometheus-rules.yaml b/monitoring/prometheus-rules.yaml new file mode 100644 index 00000000..fa63c5ee --- /dev/null +++ b/monitoring/prometheus-rules.yaml 
@@ -0,0 +1,39 @@ +groups: +- name: kubernetes.rules + rules: + - record: cluster:node_cpu:ratio_rate5m + expr: sum(rate(node_cpu_seconds_total{mode!="idle"}[5m])) by (node) / count(node_cpu_seconds_total{mode="idle"}) by (node) + + - alert: NodeCPUUsage + expr: cluster:node_cpu:ratio_rate5m > 0.8 + for: 10m + labels: + severity: warning + annotations: + description: "CPU usage on {{ $labels.node }} is above 80%" + +- name: kubernetes.pod.rules + rules: + - record: cluster:pod_cpu:usage_rate5m + expr: sum(rate(container_cpu_usage_seconds_total{container!=""}[5m])) by (pod, namespace) + + - alert: PodCPUThrottling + expr: rate(container_cpu_cfs_throttled_seconds_total[5m]) > 0 + for: 15m + labels: + severity: warning + annotations: + description: "Pod {{ $labels.pod }} in {{ $labels.namespace }} is being throttled" + +- name: application.slos + rules: + - record: http_request_duration_seconds:99percentile + expr: histogram_quantile(0.99, sum(rate(http_request_duration_seconds_bucket[5m])) by (le, service)) + + - alert: HighLatency + expr: http_request_duration_seconds:99percentile > 0.5 + for: 5m + labels: + severity: critical + annotations: + description: "Service {{ $labels.service }} is experiencing high latency" diff --git a/plan.md b/plan.md new file mode 100644 index 00000000..bd058fd3 --- /dev/null +++ b/plan.md 
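Review bot: `PodCPUThrottling` (`expr: rate(container_cpu_cfs_throttled_seconds_total[5m]) > 0`) fires on any nonzero throttling and has no `container!=""` selector, so it will alert on pod-level cgroup series and on trivial throttling that merely persists for 15m. A throttled-period ratio is the usual signal, e.g. `expr: sum(rate(container_cpu_cfs_throttled_periods_total{container!=""}[5m])) by (namespace, pod) / sum(rate(container_cpu_cfs_periods_total{container!=""}[5m])) by (namespace, pod) > 0.25`. The `cluster:node_cpu:ratio_rate5m` rule groups by `node`, whereas node_exporter series are normally labelled by `instance`; confirm the scrape config relabels to `node`, otherwise the division yields no series and `NodeCPUUsage` can never fire. `HighLatency` is `severity: critical` for every value of `service`, including series with no `service` label at all; a `service!=""` selector in the recording rule would keep unlabelled buckets out of the SLO.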
@@ -0,0 +1,271 @@ +Project Plan: EKS Infrastructure Codebase Improvements +1. Documentation Standardization + - Create centralized documentation standards guide + - Implement standardized README structure across all modules: + * Overview and purpose + * Prerequisites and dependencies + * Usage examples with variables + * Architecture diagrams + * Operations guide + - Establish changelog format using Commitizen convention + - Create architecture diagrams: + * High-level system architecture + * Module relationships + * Network flow diagrams + * Security group configurations + - Develop consistent module examples: + * Basic usage patterns + * Advanced configurations + * Migration guides + * Troubleshooting guides + - Implementation timeline: + * Week 1: Standards guide creation + * Week 2-3: README updates + * Week 4: Diagram creation + * Week 5: Example development + * Week 6: Review and refinement + +2. Security Enhancements + - EKS Security Group Configurations: + * Implement least-privilege access rules + * Restrict node group communication + * Define approved ingress/egress patterns + * Document security group dependencies + + - AWS GovCloud Security Implementation: + * Enable FIPS 140-2 compliant endpoints + * Implement NIST 800-53 controls + * Configure AWS KMS for all sensitive data + * Enable AWS Organizations SCPs + + - Encryption Configurations: + * Enable envelope encryption for secrets + * Implement at-rest encryption for EBS volumes + * Configure TLS for all service communications + * Rotate encryption keys automatically + + - Network Security Policies: + * Define default deny policies + * Create application-specific network policies + * Implement pod security policies + * Configure service mesh security + + - Implementation Timeline: + * Week 1: Security audit and gap analysis + * Week 2: Security group updates + * Week 3: Encryption improvements + * Week 4: Network policy implementation + * Week 5: Testing and validation + * Week 6: Documentation and 
training + +3. Observability Improvements + - Prometheus Configuration Standardization: + * Define standard metric collection rules + * Implement consistent recording rules + * Set up unified alerting rules + * Configure HA architecture + + - Metrics Collection Strategy: + * Define golden signals metrics + * Implement custom metric collectors + * Set up SLO/SLI tracking + * Configure cost metrics collection + + - Logging Framework: + * Implement structured logging + * Configure log aggregation + * Set up log retention policies + * Enable audit logging + + - Grafana Dashboards: + * Create cluster health dashboards + * Implement cost monitoring views + * Set up performance dashboards + * Configure security monitoring panels + + - Implementation Timeline: + * Week 1: Metrics standardization + * Week 2: Logging implementation + * Week 3: Dashboard creation + * Week 4: Alert configuration + * Week 5: Testing and validation + * Week 6: Documentation and training + +4. Infrastructure Optimization + - Node Group Configuration: + * Implement right-sized instance types + * Configure optimal scaling thresholds + * Set up mixed-instance policies + * Define node taints and labels + + - Auto-scaling Strategy: + * Configure Cluster Autoscaler settings + * Implement Karpenter provisioners + * Set up pod disruption budgets + * Define scaling policies + + - Storage Optimization: + * Define storage class specifications + * Implement volume encryption + * Configure backup policies + * Set up snapshot schedules + + - Resource Management: + * Implement namespace quotas + * Define limit ranges + * Configure resource requests/limits + * Set up cost allocation tags + + - Implementation Timeline: + * Week 1: Node group optimization + * Week 2: Auto-scaling implementation + * Week 3: Storage configuration + * Week 4: Resource quotas setup + * Week 5: Testing and validation + * Week 6: Documentation and training + +5. 
Module Organization + - Module Standardization: + * Create consistent module structure + * Implement standard naming conventions + * Define input/output patterns + * Establish version constraints + + - Variable Management: + * Create shared variable definitions + * Implement variable validation rules + * Define default value standards + * Document variable dependencies + + - Version Control: + * Implement semantic versioning + * Create version compatibility matrix + * Define upgrade paths + * Document breaking changes + + - Dependencies: + * Map module relationships + * Document cross-module dependencies + * Define initialization order + * Create dependency graphs + + - Implementation Timeline: + * Week 1: Module structure standardization + * Week 2: Variable management + * Week 3: Version control implementation + * Week 4: Dependency documentation + * Week 5: Testing and validation + * Week 6: Documentation and training + +6. Testing Framework + - Terraform Validation: + * Implement pre-commit hooks + * Configure format checking + * Add variable validation + * Set up static analysis + + - Integration Testing: + * Create test environments + * Implement end-to-end tests + * Configure smoke tests + * Set up regression testing + + - Security Testing: + * Implement security scanners + * Configure compliance checks + * Add vulnerability scanning + * Set up secret detection + + - Test Automation: + * Configure CI/CD pipelines + * Implement test reporting + * Set up coverage tracking + * Create automated rollbacks + + - Implementation Timeline: + * Week 1: Validation framework setup + * Week 2: Integration test development + * Week 3: Security scanning implementation + * Week 4: Automation configuration + * Week 5: Testing and validation + * Week 6: Documentation and training + +Implementation Priority: + - Security Enhancements (Critical) + - Observability Improvements (High) + - Infrastructure Optimization (High) + - Documentation Standardization (Medium) + - Module 
Organization (Medium) + - Testing Framework (Medium) + +Key Metrics: + - Security compliance score + - Resource utilization efficiency + - Documentation coverage + - Test coverage + - Code duplication reduction + - Deployment success rate + +Next Steps: + +1. Security Audit (Week 1-2) + - Perform comprehensive security assessment + * Review IAM roles and permissions + * Audit security group configurations + * Analyze network policies + * Review encryption settings + - Generate security findings report + - Prioritize security improvements + - Create remediation timeline + +2. Implementation Planning (Week 2-3) + - Create detailed project timeline + * Break down tasks by module + * Identify dependencies + * Assign ownership + * Set milestones + - Establish success criteria + - Define rollback procedures + - Create risk mitigation strategies + +3. Testing Pipeline Setup (Week 3-4) + - Configure CI/CD infrastructure + * Set up test environments + * Implement automated testing + * Configure quality gates + * Enable security scanning + - Create test data sets + - Develop test scenarios + - Implement monitoring for test environments + +4. Documentation Enhancement (Week 4-5) + - Audit existing documentation + - Create documentation templates + - Update README files + - Generate architecture diagrams + - Create operational runbooks + - Document emergency procedures + +5. Module Consolidation (Week 5-6) + - Analyze current module structure + - Identify consolidation opportunities + - Create module dependency map + - Plan refactoring phases + - Document migration steps + - Create validation checklist + +6. Validation and Review (Week 6-7) + - Conduct peer reviews + - Perform security validation + - Test documentation accuracy + - Validate monitoring setup + - Review automation effectiveness + - Gather stakeholder feedback + +7. 
Training and Handover (Week 7-8) + - Prepare training materials + - Schedule training sessions + - Document operational procedures + - Create troubleshooting guides + - Set up support channels + - Plan knowledge transfer sessions diff --git a/tests/terraform.tftest.hcl b/tests/terraform.tftest.hcl new file mode 100644 index 00000000..7dfcc8e8 --- /dev/null +++ b/tests/terraform.tftest.hcl @@ -0,0 +1,40 @@ +variables { + cluster_name = "test-cluster" + cluster_version = "1.24" + vpc_id = "vpc-12345678" + subnet_ids = ["subnet-1", "subnet-2"] + region = "us-gov-east-1" + environment = "test" +} + +run "cluster_creation" { + command = plan + + assert { + condition = length(aws_eks_cluster.main) > 0 + error_message = "EKS cluster was not created" + } + + assert { + condition = aws_eks_cluster.main.encryption_config[0].provider[0].key_arn != null + error_message = "EKS cluster encryption is not configured" + } +} + +run "node_groups" { + command = plan + + assert { + condition = length(aws_eks_node_group.main) > 0 + error_message = "Node groups were not created" + } +} + +run "security_groups" { + command = plan + + assert { + condition = length(aws_security_group_rule.cluster) > 0 + error_message = "Security group rules were not created" + } +} From 5923146982ee292f90560c7c7e2d6be52195c533 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 25 Feb 2025 22:43:37 -0500 Subject: [PATCH 09/57] use default for eks again --- .../eks-keycloak/terragrunt.hcl | 29 +++++++++++++------ .../platform-eng-eks-mcm/eks/terragrunt.hcl | 2 +- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index fbc810b8..b62bbf64 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl 
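Review bot: the `security_groups` run only asserts that rules exist (`condition = length(aws_security_group_rule.cluster) > 0`); nothing checks what they allow, which is the security-relevant property. Add an assertion that no ingress rule is open to the world, e.g. `condition = alltrue([for r in aws_security_group_rule.cluster : !(r.type == "ingress" && contains(coalesce(r.cidr_blocks, []), "0.0.0.0/0"))])`, adjusted to however the module shapes that resource. `length(aws_eks_cluster.main)` and `encryption_config[0].provider[0].key_arn != null` also look fragile under `command = plan`: `length()` on a single non-counted resource is an error, and `key_arn` is likely unknown until apply. As far as this repository shows, `aws_eks_cluster.main` and the other resources live in the remote `tfmod-eks` module rather than here, so it is unclear which root module this test file is meant to run against; a short header comment stating that would help.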
@@ -8,7 +8,7 @@ terraform { source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=standards" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] + arguments = ["-lock-timeout=20s"] } } @@ -21,18 +21,29 @@ dependency "eks" { } } +dependencies { + paths = [ + "../eks", + "../eks-config", + "../eks-dns", + "../eks-karpenter", + "../eks-prometheus" + ] +} + inputs = { + admin_email = include.root.inputs.creator + cluster_domain = include.root.inputs.vpc_domain_name + cluster_name = dependency.eks.outputs.cluster_name + environment = include.root.inputs.environment + namespace = include.root.inputs.keycloak_namespace profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region - environment = include.root.inputs.environment - cluster_name = dependency.eks.outputs.cluster_name - cluster_domain = include.root.inputs.vpc_domain_name - keycloak_version = include.root.inputs.keycloak_chart_version - keycloak_tag = include.root.inputs.keycloak_app_version + + # keycloak config keycloak_hostname = include.root.inputs.keycloak_hostname - namespace = include.root.inputs.keycloak_namespace - admin_email = include.root.inputs.creator - database_subnet_ids = dependency.eks.outputs.database_subnet_ids + keycloak_tag = include.root.inputs.keycloak_app_version + keycloak_version = include.root.inputs.keycloak_chart_version # Database configuration db_engine = "aurora-postgresql" diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl index 8c65f1d8..9eca1de2 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl 
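Review bot: the `database_subnet_ids = dependency.eks.outputs.database_subnet_ids` input is removed while the `mock_outputs` block above still declares `database_subnet_ids` and the `db_engine = "aurora-postgresql"` configuration stays, so it is unclear where the Aurora cluster's subnets now come from. If the module looks them up itself, drop the stale mock entry and say so (`# DB subnets are resolved by the module — no subnet input needed`); if it does not, the input should stay. In the new `dependencies { paths = [...] }` block, `"../eks"` duplicates the existing `dependency "eks"` declaration, which already orders the run.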
@@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=provider-resolution" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From a6cb4f7118aed099b299df0e05d5e34a8c35fff4 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 26 Feb 2025 18:51:13 -0500 Subject: [PATCH 10/57] tempo and kiali updates while working on keycloak --- .../eks-keycloak/terragrunt.hcl | 2 +- ...{terragrunt.hcl.disable => terragrunt.hcl} | 55 ++++++++++++------- .../eks-tempo/terragrunt.hcl | 2 +- 3 files changed, 36 insertions(+), 23 deletions(-) rename lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/{terragrunt.hcl.disable => terragrunt.hcl} (63%) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index b62bbf64..7a1fc061 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl @@ -32,7 +32,7 @@ dependencies { } inputs = { - admin_email = include.root.inputs.creator + admin_email = include.root.inputs.cluster_mailing_list cluster_domain = include.root.inputs.vpc_domain_name cluster_name = dependency.eks.outputs.cluster_name environment = include.root.inputs.environment diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl similarity index 63% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl.disable rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index 27a255bb..ff9cee2f 100644 
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl.disable +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -4,17 +4,31 @@ include "root" { expose = true } +dependencies { + paths = [ + "../eks", + "../eks-cert-mgr" + "../eks-config", + "../eks-dns", + "../eks-istio", + "../eks-karpenter", + "../eks-prometheus", + "../eks-grafana", + "../eks-k8s-dashboard" + ] +} + terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster" # source = "../../../../../../../tfmod-kiali" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] + arguments = ["-lock-timeout=20s"] } } dependency "eks" { - config_path = "../eks" + config_path = "../eks" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { cluster_name = "a-cluster-name" 
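Review bot: re-enabling Kiali switches `source` from `ref=${include.root.inputs.release_version}` to the mutable branch `ref=mcmCluster`, so this live environment now tracks whatever is pushed to that branch rather than the released module version the rest of the tree uses. If the branch is needed while Kiali is stabilised, a `# TODO: revert to release_version once mcmCluster merges` comment next to it records the intent and keeps it from being left behind, as happened with the `hpa_debug`/`read_fix` refs earlier in this series. The commented-out local-path `source` line is better removed than carried into environment config. The enclosing `dependency "eks"` block continues past the end of this hunk.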
@@ -23,42 +37,41 @@ dependency "eks" { dependency "eks-cert-manager" { config_path = "../eks-cert-manager" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - cluster_issuer_name = "acmpca-clusterissuer" + cluster_issuer_name = "mock-clusterissuer" } } dependency "eks-prometheus" { config_path = "../eks-prometheus" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { prometheus_server_internal_endpoint = { - hostname = "prometheus-server.prometheus.svc.cluster.local" + hostname = "prometheus.mock.svc.cluster.local" port_number = 9090 - url = "http://prometheus-server.prometheus.svc.cluster.local:9090/" + url = "http://prometheus.mock.svc.cluster.local:9090/" } } - } + dependency "eks-grafana" { config_path = "../eks-grafana" mock_outputs = { internal_endpoint = { - hostname = "grafana.grafana.svc.cluster.local" - port_number = "80" - url = "https://grafana.grafana.svc.cluster.local:80/" - } - namespace = "grafana" - public_endpoint = { - hostname = "grafana.dev.lab.csp2.census.gov" + hostname = "grafana.mock.svc.cluster.local" port_number = "80" - url = "https://grafana.dev.lab.csp2.census.gov:80/" + url = "https://grafana.mock.svc.cluster.local:80/" } - secret_name = "grafana" + namespace = "mock" + public_endpoint = "https://grafana.mock.mock.mock.census.gov:80/" + secret_name = "mock" } } + inputs = { - kiali_operator_version = include.root.inputs.kiali_operator_version + kiali_operator_version = include.root.inputs.kiali_operator_version kiali_application_version = include.root.inputs.kiali_application_version profile = include.root.inputs.aws_profile 
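Review bot: `dependency "eks-grafana"` is the only dependency in this file without `mock_outputs_allowed_terraform_commands`, while `eks-cert-manager` and `eks-prometheus` gain it in this hunk; as written its mock values (including `secret_name = "mock"`) can be substituted on an `apply` whose grafana outputs are unavailable. Add `mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]` to that block for consistency with the others. The mock `url = "https://grafana.mock.svc.cluster.local:80/"` pairs https with port 80; harmless for a mock, but a realistic value avoids confusion when it is what appears in a plan.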
@@ -69,10 +82,10 @@ inputs = { prometheus_internal_url = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url grafana_internal_url = dependency.eks-grafana.outputs.internal_endpoint.url grafana_namespace = dependency.eks-grafana.outputs.namespace - grafana_public_url = dependency.eks-grafana.outputs.public_endpoint.url - grafana_secret_name = "grafana" - # grafana_secret_name = dependency.eks-grafana.outputs.secret_name - jaeger_internal_url = "" + grafana_public_url = dependency.eks-grafana.outputs.public_endpoint + # grafana_secret_name = "grafana" + grafana_secret_name = dependency.eks-grafana.outputs.secret_name + jaeger_internal_url = "" # client_id = var.sso_client_id diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl index dc222715..45bd5ecf 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=keycloak" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From 2583599750dd2d97f25ef2950bf79a89b42e56c0 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 26 Feb 2025 18:51:51 -0500 Subject: [PATCH 11/57] missed a comma --- .../vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index ff9cee2f..a1f122ad 100644 
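Review bot: `grafana_public_url = dependency.eks-grafana.outputs.public_endpoint` now consumes `public_endpoint` as a bare string where the removed line used `.public_endpoint.url`; the only evidence for the new shape is the mock, so confirm it against the current grafana module's outputs or the real apply will fail on a type mismatch. Switching `grafana_secret_name` to `dependency.eks-grafana.outputs.secret_name` instead of the hard-coded `"grafana"` is the right direction, and the commented-out `# grafana_secret_name = "grafana"` can be dropped now. `jaeger_internal_url = ""` stays empty with no explanation; a `# tracing is not wired into Kiali yet` comment would make that deliberate.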
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -7,14 +7,14 @@ include "root" { dependencies { paths = [ "../eks", - "../eks-cert-mgr" + "../eks-cert-mgr", "../eks-config", "../eks-dns", "../eks-istio", "../eks-karpenter", "../eks-prometheus", "../eks-grafana", - "../eks-k8s-dashboard" + "../eks-k8s-dashboard", ] } From ccf901d5dc440174bcaf4dcb1497c6b7f6a5a114 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 26 Feb 2025 21:19:26 -0500 Subject: [PATCH 12/57] almost --- .github/platform-tg-infra.code-workspace | 3 + .../eks-keycloak/terragrunt.hcl | 37 +- .../eks-keycloak/values.yml | 1391 +++++++++++++++++ .../eks-kiali/terragrunt.hcl | 14 +- .../eks-loki/terragrunt.hcl | 2 +- 5 files changed, 1425 insertions(+), 22 deletions(-) create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index e7bd7b97..00a75854 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -96,6 +96,9 @@ }, { "path": "../../morpheus-terraform-dev" + }, + { + "path": "../../../terraform-modules/aws-common-security-groups" } ] } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index 7a1fc061..a86417d2 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl 
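Review bot: with the comma fixed, `"../eks-cert-mgr",` still does not match the directory that `dependency "eks-cert-manager"` resolves further down this file with `config_path = "../eks-cert-manager"`, so one of the two paths is wrong; if `eks-cert-mgr` does not exist, terragrunt will fail to resolve it (or the ordering hint is silently ineffective) when run across the stack. Assuming the `dependency` block is the one that currently works, change the entry to `"../eks-cert-manager",`. The entry is in any case redundant with the `dependency` block, which already orders the run.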
@@ -13,11 +13,19 @@ terraform { } dependency "eks" { - config_path = "../eks" + config_path = "../eks" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - cluster_name = "a-cluster-name" - vpc_id = "vpc-12345678" - database_subnet_ids = ["subnet-1", "subnet-2"] + cluster_name = "mock-cluster" + oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + } +} + +dependency "eks-config" { + config_path = "../eks-config" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + rwo_storage_class = "gp3-mock" } } @@ -32,18 +40,19 @@ dependencies { } inputs = { - admin_email = include.root.inputs.cluster_mailing_list - cluster_domain = include.root.inputs.vpc_domain_name - cluster_name = dependency.eks.outputs.cluster_name - environment = include.root.inputs.environment - namespace = include.root.inputs.keycloak_namespace - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + admin_email = include.root.inputs.cluster_mailing_list + cluster_domain = include.root.inputs.vpc_domain_name + cluster_name = dependency.eks.outputs.cluster_name + environment = include.root.inputs.environment + namespace = include.root.inputs.keycloak_namespace + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # keycloak config - keycloak_hostname = include.root.inputs.keycloak_hostname - keycloak_tag = include.root.inputs.keycloak_app_version - keycloak_version = include.root.inputs.keycloak_chart_version + keycloak_hostname = include.root.inputs.keycloak_hostname + keycloak_tag = include.root.inputs.keycloak_app_version + keycloak_version = include.root.inputs.keycloak_chart_version + default_storage_class = dependency.eks-config.outputs.rwo_storage_class # Database configuration db_engine = "aurora-postgresql" 
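Review bot: `mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]` includes `destroy`, so a destroy run whose `eks` outputs are unavailable proceeds with `cluster_name = "mock-cluster"` and `oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"`; confirm the module fails closed in that case (for instance because the kubernetes/helm provider cannot authenticate) rather than tearing down or orphaning resources against wrong identifiers, and drop `destroy` from the list if it is not needed. The new `oidc_provider_arn` mock suggests the module now creates an IRSA role for Keycloak; the policy it attaches is not visible here, so it is worth stating in the commit message what that role is permitted to do. The `dependencies { paths = [...] }` block above these hunks already lists `../eks-config`, so the new `dependency "eks-config"` is consistent with it.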
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml new file mode 100644 index 00000000..e8b28b70 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml 
@@ -0,0 +1,1391 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) +## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + defaultStorageClass: "" + storageClass: "" + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto +## @section Common parameters +## + +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec +## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service +## +enableServiceLinks: true +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param dnsPolicy DNS Policy for pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. +## dnsPolicy: ClusterFirst +dnsPolicy: "" +## @param dnsConfig DNS Configuration pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. 
+## dnsConfig: +## options: +## - name: ndots +## value: "4" +dnsConfig: {} +## @param clusterDomain Default Kubernetes cluster domain +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] +## Enable diagnostic mode in the statefulset +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the the statefulset + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the the statefulset + ## + args: + - infinity +## @section Keycloak parameters + +## Bitnami Keycloak image version +## ref: https://hub.docker.com/r/bitnami/keycloak/tags/ +## @param image.registry [default: REGISTRY_NAME] Keycloak image registry +## @param image.repository [default: REPOSITORY_NAME/keycloak] Keycloak image repository +## @skip image.tag Keycloak image tag (immutable tags are recommended) +## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy Keycloak image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Specify if debug logs should be enabled +## +image: + registry: docker.io + repository: bitnami/keycloak + tag: 26.1.2-debian-12-r0 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## Keycloak authentication parameters +## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials +## +auth: + ## @param auth.adminUser Keycloak administrator user + ## + adminUser: user + ## @param auth.adminPassword Keycloak administrator password for the new user + ## + adminPassword: "" + ## @param auth.existingSecret Existing secret containing Keycloak admin password + ## + existingSecret: "" + ## @param auth.passwordSecretKey Key where the Keycloak admin password is being stored inside the existing secret. + ## + passwordSecretKey: "" + ## @param auth.annotations Additional custom annotations for Keycloak auth secret object + ## + annotations: {} +## Custom Certificates +## @param customCaExistingSecret Name of the secret containing the Keycloak custom CA certificates. The secret will be mounted as a directory and configured using KC_TRUSTSTORE_PATHS. +## https://www.keycloak.org/server/keycloak-truststore +## Could be created like this: kubectl create secret generic secretName --from-file=./certificateToMerge.pem +customCaExistingSecret: "" +## HTTPS settings +## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption +## +tls: + ## @param tls.enabled Enable TLS encryption. Required for HTTPs traffic. + ## + enabled: false + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. 
Currently only supports PEM certificates
+ ##
+ autoGenerated: false
+ ## @param tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica
+ ## Create this secret following the steps below:
+ ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl)
+ ## 2) Rename your truststore to `keycloak.truststore.jks` or use a different name overwriting the value 'tls.truststoreFilename'.
+ ## 3) Rename your keystores to `keycloak.keystore.jks` or use a different name overwriting the value 'tls.keystoreFilename'.
+ ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
+ ## kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks
+ ## NOTE: If usePem enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively.
+ ##
+ existingSecret: ""
+ ## @param tls.usePem Use PEM certificates as input instead of PKS12/JKS stores
+ ## If "true", the Keycloak chart will look for the files tls.key and tls.crt inside the secret provided with 'existingSecret'.
+ ##
+ usePem: false
+ ## @param tls.truststoreFilename Truststore filename inside the existing secret
+ ##
+ truststoreFilename: "keycloak.truststore.jks"
+ ## @param tls.keystoreFilename Keystore filename inside the existing secret
+ ##
+ keystoreFilename: "keycloak.keystore.jks"
+ ## @param tls.keystorePassword Password to access the keystore when it's password-protected
+ ##
+ keystorePassword: ""
+ ## @param tls.truststorePassword Password to access the truststore when it's password-protected
+ ##
+ truststorePassword: ""
+ ## @param tls.passwordsSecret Secret containing the Keystore and Truststore passwords.
+ ## The secret must have "tls-keystore-password" and "tls-truststore-password" keys for the keystore and truststore respectively.
+ ##
+ passwordsSecret: ""
+## SPI TLS settings
+## ref: https://www.keycloak.org/server/keycloak-truststore
+##
+spi:
+ ## @param spi.existingSecret Existing secret containing the Keycloak truststore for SPI connection over HTTPS/TLS
+ ## Create this secret following the steps below:
+ ## 1) Rename your truststore to `keycloak-spi.truststore.jks` or use a different name overwriting the value 'spi.truststoreFilename'.
+ ## 2) Run the command below where SECRET_NAME is the name of the secret you want to create:
+ ## kubectl create secret generic SECRET_NAME --from-file=./keycloak-spi.truststore.jks --from-file=./keycloak.keystore.jks
+ ##
+ existingSecret: ""
+ ## @param spi.truststorePassword Password to access the truststore when it's password-protected
+ ##
+ truststorePassword: ""
+ ## @param spi.truststoreFilename Truststore filename inside the existing secret
+ ##
+ truststoreFilename: "keycloak-spi.truststore.jks"
+ ## @param spi.passwordsSecret Secret containing the SPI Truststore passwords.
+ ## The secret must have "spi-truststore-password" key.
+ ##
+ passwordsSecret: ""
+ ## @param spi.hostnameVerificationPolicy Verify the hostname of the server's certificate. Allowed values: "ANY", "WILDCARD", "STRICT".
+ ##
+ hostnameVerificationPolicy: ""
+## @param adminRealm Name of the admin realm
+##
+adminRealm: "master"
+## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge.
+##
+production: false
+## @param proxyHeaders Set Keycloak proxy headers
+##
+proxyHeaders: ""
+## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none
+## DEPRECATED: use proxyHeaders instead
+## ref: https://www.keycloak.org/server/reverseproxy
+##
+proxy: ""
+## @param httpRelativePath Set the path relative to '/' for serving resources.
Useful if you are migrating from older version which were using '/auth/'
+## ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed
+##
+httpRelativePath: "/"
+## Keycloak Service Discovery settings
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration
+##
+## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified
+## Specify content for keycloak.conf
+## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
+## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified
+##
+## Example:
+## configuration: |-
+## foo: bar
+## baz:
+##
+configuration: ""
+## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration
+## NOTE: When it's set the configuration parameter is ignored
+##
+existingConfigmap: ""
+## @param extraStartupArgs Extra default startup args
+##
+extraStartupArgs: ""
+## @param enableDefaultInitContainers Deploy default init containers
+## Disable this parameter could be helpful for 3rd party images e.g native Keycloak image.
+##
+enableDefaultInitContainers: true
+## @param initdbScripts Dictionary of initdb scripts
+## Specify dictionary of scripts to be run at first boot
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance
+## Example:
+## initdbScripts:
+## my_init_script.sh: |
+## #!/bin/bash
+## echo "Do something."
+##
+initdbScripts: {}
+## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
+##
+initdbScriptsConfigMap: ""
+## @param command Override default container command (useful when using custom images)
+##
+command: []
+## @param args Override default container args (useful when using custom images)
+##
+args: []
+## @param extraEnvVars Extra environment variables to be set on Keycloak container
+## Example:
+## extraEnvVars:
+## - name: FOO
+## value: "bar"
+##
+extraEnvVars: []
+## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
+##
+extraEnvVarsCM: ""
+## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
+##
+extraEnvVarsSecret: ""
+## @section Keycloak statefulset parameters
+
+## @param replicaCount Number of Keycloak replicas to deploy
+##
+replicaCount: 1
+## @param revisionHistoryLimitCount Number of controller revisions to keep
+##
+revisionHistoryLimitCount: 10
+## @param containerPorts.http Keycloak HTTP container port
+## @param containerPorts.https Keycloak HTTPS container port
+## @param containerPorts.metrics Keycloak metrics container port
+##
+containerPorts:
+ http: 8080
+ https: 8443
+ metrics: 9000
+## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Keycloak container
+##
+extraContainerPorts: []
+## @param statefulsetAnnotations Optionally add extra annotations on the statefulset resource
+statefulsetAnnotations: {}
+##
+## Keycloak pods' SecurityContext
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+## @param podSecurityContext.enabled Enabled Keycloak pods' Security Context
+## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
+## @param podSecurityContext.supplementalGroups Set filesystem extra groups
+## @param
podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup
+##
+podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+## Keycloak containers' Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+## @param containerSecurityContext.enabled Enabled containers' Security Context
+## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+## @param containerSecurityContext.privileged Set container's Security Context privileged
+## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
+## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+##
+containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+## Keycloak resource requests and limits
+## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge).
This is ignored if resources is set (resources is recommended for production).
+## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+##
+resourcesPreset: "small"
+## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+## Example:
+## resources:
+## requests:
+## cpu: 2
+## memory: 512Mi
+## limits:
+## cpu: 3
+## memory: 1024Mi
+##
+resources: {}
+## Configure extra options for Keycloak containers' liveness, readiness and startup probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+## @param livenessProbe.enabled Enable livenessProbe on Keycloak containers
+## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+## @param livenessProbe.periodSeconds Period seconds for livenessProbe
+## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
+## @param livenessProbe.successThreshold Success threshold for livenessProbe
+##
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 300
+ periodSeconds: 1
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+## @param readinessProbe.enabled Enable readinessProbe on Keycloak containers
+## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+## @param readinessProbe.periodSeconds Period seconds for readinessProbe
+## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
+## @param readinessProbe.successThreshold Success threshold for readinessProbe
+##
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+## When enabling this, make sure to set initialDelaySeconds
to 0 for livenessProbe and readinessProbe
+## @param startupProbe.enabled Enable startupProbe on Keycloak containers
+## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+## @param startupProbe.periodSeconds Period seconds for startupProbe
+## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
+## @param startupProbe.failureThreshold Failure threshold for startupProbe
+## @param startupProbe.successThreshold Success threshold for startupProbe
+##
+startupProbe:
+ enabled: false
+ initialDelaySeconds: 30
+ periodSeconds: 5
+ timeoutSeconds: 1
+ failureThreshold: 60
+ successThreshold: 1
+## @param customLivenessProbe Custom Liveness probes for Keycloak
+##
+customLivenessProbe: {}
+## @param customReadinessProbe Custom Rediness probes Keycloak
+##
+customReadinessProbe: {}
+## @param customStartupProbe Custom Startup probes for Keycloak
+##
+customStartupProbe: {}
+## @param lifecycleHooks LifecycleHooks to set additional configuration at startup
+##
+lifecycleHooks: {}
+## @param automountServiceAccountToken Mount Service Account token in pod
+##
+automountServiceAccountToken: true
+## @param hostAliases Deployment pod host aliases
+## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+##
+hostAliases: []
+## @param podLabels Extra labels for Keycloak pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: {}
+## @param podAnnotations Annotations for Keycloak pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: {}
+## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAffinityPreset: ""
+## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set.
Allowed values: `soft` or `hard`
+## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAntiAffinityPreset: soft
+## Node affinity preset
+## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+##
+nodeAffinityPreset:
+ ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+## @param affinity Affinity for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+##
+affinity: {}
+## @param nodeSelector Node labels for pod assignment
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+##
+nodeSelector: {}
+## @param tolerations Tolerations for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+##
+tolerations: []
+## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
+## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+##
+topologySpreadConstraints: []
+## @param podManagementPolicy Pod management policy for the Keycloak statefulset
+##
+podManagementPolicy: Parallel
+## @param priorityClassName Keycloak pods' Priority Class Name
+## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+##
+priorityClassName: ""
+## @param schedulerName Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+schedulerName: ""
+## @param terminationGracePeriodSeconds Seconds Keycloak pod needs to terminate gracefully
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+##
+terminationGracePeriodSeconds: ""
+## @param updateStrategy.type Keycloak statefulset strategy type
+## @param updateStrategy.rollingUpdate Keycloak statefulset rolling update configuration parameters
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+##
+updateStrategy:
+ type: RollingUpdate
+ rollingUpdate: {}
+## @param minReadySeconds How many seconds a pod needs to be ready before killing the next, during update
+##
+minReadySeconds: 0
+## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods
+##
+extraVolumes: []
+## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s)
+##
+extraVolumeMounts: []
+## @param initContainers Add additional init containers to the Keycloak pods
+## Example:
+## initContainers:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+initContainers: []
+## @param sidecars Add additional sidecar containers to the Keycloak pods
+## Example:
+## sidecars:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+sidecars: []
+## @section Exposure parameters
+##
+
+## Service configuration
+##
+service:
+ ## @param service.type Kubernetes service type
+ ##
+ type: ClusterIP
+ ## @param service.http.enabled Enable http port on service
+ ##
+ http:
+ enabled: true
+ ## @param service.ports.http Keycloak service HTTP port
+ ## @param service.ports.https Keycloak service HTTPS port
+ ##
+ ports:
+ http: 80
+ https: 443
+ ## @param service.nodePorts
[object] Specify the nodePort values for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ nodePorts:
+ http: ""
+ https: ""
+ ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
+ ## Values: ClientIP or None
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ ##
+ sessionAffinity: None
+ ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+ ## @param service.clusterIP Keycloak service clusterIP IP
+ ## e.g:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param service.loadBalancerIP loadBalancerIP for the SuiteCRM Service (optional, cloud specific)
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## Example:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param service.externalTrafficPolicy Enable client source IP preservation
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param service.annotations Additional custom annotations for Keycloak service
+ ##
+ annotations: {}
+ ## @param service.extraPorts Extra port to expose on Keycloak service
+ ##
+ extraPorts: []
+ # DEPRECATED service.extraHeadlessPorts will be removed in a future release, please use service.headless.extraPorts instead
+ ## @param service.extraHeadlessPorts Extra ports to expose on Keycloak headless service
+ ##
+
extraHeadlessPorts: []
+ ## Headless service properties
+ ##
+ headless:
+ ## @param service.headless.annotations Annotations for the headless service.
+ ##
+ annotations: {}
+ ## @param service.headless.extraPorts Extra ports to expose on Keycloak headless service
+ ##
+ extraPorts: []
+## Keycloak ingress parameters
+## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
+##
+ingress:
+ ## @param ingress.enabled Enable ingress record generation for Keycloak
+ ##
+ enabled: false
+ ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+ ##
+ ingressClassName: ""
+ ## @param ingress.pathType Ingress path type
+ ##
+ pathType: ImplementationSpecific
+ ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
+ ##
+ apiVersion: ""
+ ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce`
+ ## leave as `default` for most ingress controllers.
+ ## set to `gce` if using the GCE ingress controller
+ ##
+ controller: default
+ ## @param ingress.hostname Default host for the ingress record (evaluated as template)
+ ##
+ hostname: keycloak.local
+ ## @param ingress.hostnameStrict Disables dynamically resolving the hostname from request headers.
+ ## Should always be set to true in production, unless your reverse proxy overwrites the Host header.
+ ## If enabled, the hostname option needs to be specified.
+ ##
+ hostnameStrict: false
+ ## @param ingress.path [string] Default path for the ingress record (evaluated as template)
+ ##
+ path: "{{ .Values.httpRelativePath }}"
+ ## @param ingress.servicePort Backend service port to use
+ ## Default is http. Alternative is https.
+ ##
+ servicePort: http
+ ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
+ ## Use this parameter to set the required annotations for cert-manager, see
+ ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ ## e.g:
+ ## annotations:
+ ## kubernetes.io/ingress.class: nginx
+ ## cert-manager.io/cluster-issuer: cluster-issuer-name
+ ##
+ annotations: {}
+ ## @param ingress.labels Additional labels for the Ingress resource.
+ ## e.g:
+ ## labels:
+ ## app: keycloak
+ ##
+ labels: {}
+ ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
+ ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}`
+ ## You can:
+ ## - Use the `ingress.secrets` parameter to create this TLS secret
+ ## - Rely on cert-manager to create it by setting the corresponding annotations
+ ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
+ ##
+ tls: false
+ ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
+ ##
+ selfSigned: false
+ ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
+ ## e.g:
+ ## extraHosts:
+ ## - name: keycloak.local
+ ## path: /
+ ##
+ extraHosts: []
+ ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
+ ## extraPaths:
+ ## - path: /*
+ ## backend:
+ ## serviceName: ssl-redirect
+ ## servicePort: use-annotation
+ ##
+ extraPaths: []
+ ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
+ ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ ## extraTls:
+ ## - hosts:
+ ## - keycloak.local
+ ## secretName: keycloak.local-tls
+ ##
+ extraTls: []
+ ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
+ ## key and certificate should start with -----BEGIN CERTIFICATE----- or
+ ## -----BEGIN RSA PRIVATE KEY-----
+ ##
+ ## name should line up with a tlsSecret set further up
+ ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
+ ##
+ ## It is also possible to create and manage the certificates outside of this helm chart
+ ## Please see README.md for more information
+ ## e.g:
+ ## - name: keycloak.local-tls
+ ## key:
+ ## certificate:
+ ##
+ secrets: []
+ ## @param ingress.extraRules Additional rules to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
+ ## e.g:
+ ## extraRules:
+ ## - host: keycloak.local
+ ## http:
+ ## path: /
+ ## backend:
+ ## service:
+ ## name: keycloak
+ ## port:
+ ## name: http
+ ##
+ extraRules: []
+## Keycloak admin ingress parameters
+## ref: https://kubernetes.io/docs/user-guide/ingress/
+##
+adminIngress:
+ ## @param adminIngress.enabled Enable admin ingress record generation for Keycloak
+ ##
+ enabled: false
+ ## @param adminIngress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+ ##
+ ingressClassName: ""
+ ## @param adminIngress.pathType Ingress path type
+ ##
+ pathType: ImplementationSpecific
+ ## @param adminIngress.apiVersion Force Ingress API version (automatically detected if not set)
+ ##
+ apiVersion: ""
+ ## @param adminIngress.controller The ingress controller type. Currently supports `default` and `gce`
+ ## leave as `default` for most ingress controllers.
+ ## set to `gce` if using the GCE ingress controller
+ ##
+ controller: default
+ ## @param adminIngress.hostname Default host for the admin ingress record (evaluated as template)
+ ##
+ hostname: keycloak.local
+ ## @param adminIngress.path [string] Default path for the admin ingress record (evaluated as template)
+ ##
+ path: "{{ .Values.httpRelativePath }}"
+ ## @param adminIngress.servicePort Backend service port to use
+ ## Default is http. Alternative is https.
+ ##
+ servicePort: http
+ ## @param adminIngress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
+ ## Use this parameter to set the required annotations for cert-manager, see
+ ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ ## e.g:
+ ## annotations:
+ ## kubernetes.io/ingress.class: nginx
+ ## cert-manager.io/cluster-issuer: cluster-issuer-name
+ ##
+ annotations: {}
+ ## @param adminIngress.labels Additional labels for the Ingress resource.
+ ## e.g:
+ ## labels:
+ ## app: keycloak
+ ##
+ labels: {}
+ ## @param adminIngress.tls Enable TLS configuration for the host defined at `adminIngress.hostname` parameter
+ ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.adminIngress.hostname .)
}}`
+ ## You can:
+ ## - Use the `adminIngress.secrets` parameter to create this TLS secret
+ ## - Rely on cert-manager to create it by setting the corresponding annotations
+ ## - Rely on Helm to create self-signed certificates by setting `adminIngress.selfSigned=true`
+ ##
+ tls: false
+ ## @param adminIngress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
+ ##
+ selfSigned: false
+ ## @param adminIngress.extraHosts An array with additional hostname(s) to be covered with the admin ingress record
+ ## e.g:
+ ## extraHosts:
+ ## - name: keycloak.local
+ ## path: /
+ ##
+ extraHosts: []
+ ## @param adminIngress.extraPaths Any additional arbitrary paths that may need to be added to the admin ingress under the main host.
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
+ ## extraPaths:
+ ## - path: /*
+ ## backend:
+ ## serviceName: ssl-redirect
+ ## servicePort: use-annotation
+ ##
+ extraPaths: []
+ ## @param adminIngress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
+ ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ ## extraTls:
+ ## - hosts:
+ ## - keycloak.local
+ ## secretName: keycloak.local-tls
+ ##
+ extraTls: []
+ ## @param adminIngress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
+ ## key and certificate should start with -----BEGIN CERTIFICATE----- or
+ ## -----BEGIN RSA PRIVATE KEY-----
+ ##
+ ## name should line up with a tlsSecret set further up
+ ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
+ ##
+ ## It is also possible to create and manage the certificates outside of this helm chart
+ ## Please see README.md for more information
+ ## e.g:
+ ## - name: keycloak.local-tls
+ ## key:
+ ## certificate:
+ ##
+ secrets: []
+ ## @param adminIngress.extraRules Additional rules to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
+ ## e.g:
+ ## extraRules:
+ ## - host: keycloak.local
+ ## http:
+ ## path: /
+ ## backend:
+ ## service:
+ ## name: keycloak
+ ## port:
+ ## name: http
+ ##
+ extraRules: []
+## Network Policy configuration
+## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+##
+networkPolicy:
+ ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+ ##
+ kubeAPIServerPorts: [443, 6443, 8443]
+ ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+## @section RBAC parameter
+## Specifies whether a ServiceAccount should be created
+##
+serviceAccount:
+ ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods
+ ##
+ create: true
+ ## @param serviceAccount.name Name of the created ServiceAccount
+ ## If not set and create is true, a name is generated using the fullname template
+ ##
+ name: ""
+ ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod
+ ##
+ automountServiceAccountToken: false
+ ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
+ ##
+ annotations: {}
+ ## @param serviceAccount.extraLabels Additional labels for the ServiceAccount
+ ##
+ extraLabels: {}
+## Specifies
whether RBAC resources should be created
+##
+rbac:
+ ## @param rbac.create Whether to create and use RBAC resources or not
+ ##
+ create: false
+ ## @param rbac.rules Custom RBAC rules
+ ## Example:
+ ## rules:
+ ## - apiGroups:
+ ## - ""
+ ## resources:
+ ## - pods
+ ## verbs:
+ ## - get
+ ## - list
+ ##
+ rules: []
+## @section Other parameters
+##
+
+## Keycloak Pod Disruption Budget configuration
+## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+##
+pdb:
+ ## @param pdb.create Enable/disable a Pod Disruption Budget creation
+ ##
+ create: true
+ ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
+ ##
+ minAvailable: ""
+ ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
+ ##
+ maxUnavailable: ""
+## Keycloak Autoscaling configuration
+## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+## @param autoscaling.enabled Enable autoscaling for Keycloak
+## @param autoscaling.minReplicas Minimum number of Keycloak replicas
+## @param autoscaling.maxReplicas Maximum number of Keycloak replicas
+## @param autoscaling.targetCPU Target CPU utilization percentage
+## @param autoscaling.targetMemory Target Memory utilization percentage
+##
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 11
+ targetCPU: ""
+ targetMemory: ""
+ ## HPA Scaling Behavior
+ ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
+ ##
+ behavior:
+ ## HPA behavior when scaling up
+ ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up
+ ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up
+ ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up
+ ## e.g:
+ ## Policy to scale 20% of
the pod in 60s + ## - type: Percent + ## value: 20 + ## periodSeconds: 60 + ## + scaleUp: + stabilizationWindowSeconds: 120 + selectPolicy: Max + policies: [] + ## HPA behavior when scaling down + ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down + ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down + ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down + ## e.g: + ## Policy to scale one pod in 300s + ## - type: Pods + ## value: 1 + ## periodSeconds: 300 + ## + scaleDown: + stabilizationWindowSeconds: 300 + selectPolicy: Max + policies: + - type: Pods + value: 1 + periodSeconds: 300 +## @section Metrics parameters +## + +## Metrics configuration +## +metrics: + ## @param metrics.enabled Enable exposing Keycloak statistics + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics + ## + enabled: false + ## Keycloak metrics service parameters + ## + service: + ports: + ## @param metrics.service.ports.http Metrics service HTTP port + ## + http: 8080 + ## @param metrics.service.ports.https Metrics service HTTPS port + ## + https: 8443 + ## @param metrics.service.ports.metrics Metrics service Metrics port + ## + metrics: 9000 + ## @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" + ## @param metrics.service.extraPorts [array] Add additional ports to the keycloak metrics service (i.e. 
admin port 9000) + ## + extraPorts: [] + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.serviceMonitor.port Metrics service HTTP port + ## + port: metrics + ## @param metrics.serviceMonitor.scheme Metrics service scheme + ## + scheme: http + ## @param metrics.serviceMonitor.tlsConfig Metrics service TLS configuration + ## + tlsConfig: {} + ## @param metrics.serviceMonitor.endpoints [array] The endpoint configuration of the ServiceMonitor. Path is mandatory. Port, scheme, tlsConfig, interval, timeout and labellings can be overwritten. + ## + endpoints: + - path: '{{ include "keycloak.httpPath" . }}metrics' + - path: '{{ include "keycloak.httpPath" . }}realms/{{ .Values.adminRealm }}/metrics' + port: http + ## @param metrics.serviceMonitor.path Metrics service HTTP path. Deprecated: Use @param metrics.serviceMonitor.endpoints instead + ## + path: "" + ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 30s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus + ## + labels: {} + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + selector: {} + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples 
before ingestion + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## Prometheus Operator alert rules configuration + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace which Prometheus is running in + ## + namespace: "" + ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + labels: {} + ## @param metrics.prometheusRule.groups Groups, containing the alert rules. + ## Example: + ## groups: + ## - name: Keycloak + ## rules: + ## - alert: KeycloakInstanceNotAvailable + ## annotations: + ## message: "Keycloak instance in namespace {{ `{{` }} $labels.namespace {{ `}}` }} has not been available for the last 5 minutes." + ## expr: | + ## absent(kube_pod_status_ready{namespace="{{ include "common.names.namespace" . }}", condition="true"} * on (pod) kube_pod_labels{pod=~"{{ include "common.names.fullname" . }}-\\d+", namespace="{{ include "common.names.namespace" . 
}}"}) != 0 + ## for: 5m + ## labels: + ## severity: critical + groups: [] +## @section keycloak-config-cli parameters + +## Configuration for keycloak-config-cli +## ref: https://github.com/adorsys/keycloak-config-cli +## +keycloakConfigCli: + ## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job + ## + enabled: false + ## Bitnami keycloak-config-cli image + ## ref: https://hub.docker.com/r/bitnami/keycloak-config-cli/tags/ + ## @param keycloakConfigCli.image.registry [default: REGISTRY_NAME] keycloak-config-cli container image registry + ## @param keycloakConfigCli.image.repository [default: REPOSITORY_NAME/keycloak-config-cli] keycloak-config-cli container image repository + ## @skip keycloakConfigCli.image.tag keycloak-config-cli container image tag + ## @param keycloakConfigCli.image.digest keycloak-config-cli container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container image pull policy + ## @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container image pull secrets + ## + image: + registry: docker.io + repository: bitnami/keycloak-config-cli + tag: 6.3.0-debian-12-r1 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + annotations: + helm.sh/hook: "post-install,post-upgrade,post-rollback" + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "5" + ## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form + ## + command: [] + ## @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form + ## + args: [] + ## @param keycloakConfigCli.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: true + ## @param keycloakConfigCli.hostAliases Job pod host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## Keycloak config CLI resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param keycloakConfigCli.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if keycloakConfigCli.resources is set (keycloakConfigCli.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "small" + ## @param keycloakConfigCli.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## keycloak-config-cli containers' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli Security Context + ## @param keycloakConfigCli.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli Security Context runAsUser + ## @param keycloakConfigCli.containerSecurityContext.runAsGroup Set keycloak-config-cli Security Context runAsGroup + ## @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli Security Context runAsNonRoot + ## @param keycloakConfigCli.containerSecurityContext.privileged Set keycloak-config-cli Security Context privileged + ## @param keycloakConfigCli.containerSecurityContext.readOnlyRootFilesystem Set keycloak-config-cli Security Context readOnlyRootFilesystem + ## @param keycloakConfigCli.containerSecurityContext.allowPrivilegeEscalation Set keycloak-config-cli Security Context allowPrivilegeEscalation + ## @param keycloakConfigCli.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param keycloakConfigCli.containerSecurityContext.seccompProfile.type Set keycloak-config-cli Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + 
readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## keycloak-config-cli pods' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context + ## @param keycloakConfigCli.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param keycloakConfigCli.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param keycloakConfigCli.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy + ## + backoffLimit: 1 + ## @param keycloakConfigCli.podLabels Pod extra labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param keycloakConfigCli.podAnnotations Annotations for job pod + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param keycloakConfigCli.nodeSelector Node labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## + ## @param keycloakConfigCli.podTolerations Tolerations for job pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + podTolerations: [] + ## @param keycloakConfigCli.extraEnvVars Additional environment variables to set + ## Example: + ## 
extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables + ## + extraEnvVarsCM: "" + ## @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables + ## + extraEnvVarsSecret: "" + ## @param keycloakConfigCli.extraVolumes Extra volumes to add to the job + ## + extraVolumes: [] + ## @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container + ## + extraVolumeMounts: [] + ## @param keycloakConfigCli.initContainers Add additional init containers to the Keycloak config cli pod + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## @param keycloakConfigCli.sidecars Add additional sidecar containers to the Keycloak config cli pod + ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param keycloakConfigCli.configuration keycloak-config-cli realms configuration + ## NOTE: nil keys will be considered files to import locally + ## Example: + ## configuration: + ## realm1.json: | + ## { + ## "realm": "realm1", + ## "clients": [] + ## } + ## realm2.yaml: | + ## realm: realm2 + ## clients: [] + ## + configuration: {} + ## @param keycloakConfigCli.existingConfigmap ConfigMap with keycloak-config-cli configuration + ## NOTE: This will override keycloakConfigCli.configuration + ## + existingConfigmap: "" + ## Automatic Cleanup for Finished Jobs + ## @param keycloakConfigCli.cleanupAfterFinished.enabled Enables Cleanup for Finished Jobs + ## @param keycloakConfigCli.cleanupAfterFinished.seconds Sets the value of ttlSecondsAfterFinished + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + ## + 
cleanupAfterFinished: + enabled: false + seconds: 600 +## @section Database parameters + +## PostgreSQL chart configuration +## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml +## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart +## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided +## @param postgresql.auth.username Name for a custom user to create +## @param postgresql.auth.password Password for the custom user to create +## @param postgresql.auth.database Name for a custom database to create +## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials +## @param postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. +## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) +## +postgresql: + enabled: true + auth: + postgresPassword: "" + username: bn_keycloak + password: "" + database: bitnami_keycloak + existingSecret: "" + secretKeys: + userPasswordKey: password + architecture: standalone +## External PostgreSQL configuration +## All of these values are only used when postgresql.enabled is set to false +## @param externalDatabase.host Database host +## @param externalDatabase.port Database port number +## @param externalDatabase.user Non-root username for Keycloak +## @param externalDatabase.password Password for the non-root username for Keycloak +## @param externalDatabase.database Keycloak database name +## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials +## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name +## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the 
database port +## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user +## @param externalDatabase.existingSecretDatabaseKey Name of an existing secret key containing the database name +## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials +## @param externalDatabase.annotations Additional custom annotations for external database secret object +## +externalDatabase: + host: "" + port: 5432 + user: bn_keycloak + database: bitnami_keycloak + password: "" + existingSecret: "" + existingSecretHostKey: "" + existingSecretPortKey: "" + existingSecretUserKey: "" + existingSecretDatabaseKey: "" + existingSecretPasswordKey: "" + annotations: {} +## @section Keycloak Cache parameters + +## Keycloak cache configuration +## ref: https://www.keycloak.org/server/caching +## @param cache.enabled Switch to enable or disable the keycloak distributed cache for kubernetes. +## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1). +## @param cache.stackName Set infinispan cache stack to use +## @param cache.stackFile Set infinispan cache stack filename to use +## @param cache.useHeadlessServiceWithAppVersion Set to true to create the headless service used for ispn containing the app version +## +cache: + enabled: true + stackName: kubernetes + stackFile: "" + useHeadlessServiceWithAppVersion: false +## @section Keycloak Logging parameters + +## Keycloak logging configuration +## ref: https://www.keycloak.org/server/logging +## @param logging.output Alternates between the default log output format or json format +## @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF +## +logging: + output: default + level: INFO + 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
index a1f122ad..96c225b2 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
@@ -7,7 +7,7 @@ include "root" {
 dependencies {
 paths = [
 "../eks",
- "../eks-cert-mgr",
+ "../eks-cert-manager",
 "../eks-config",
 "../eks-dns",
 "../eks-istio",
@@ -36,7 +36,7 @@ dependency "eks" {
 }
 dependency "eks-cert-manager" {
- config_path = "../eks-cert-manager"
+ config_path = "../eks-cert-manager"
 mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
 mock_outputs = {
 cluster_issuer_name = "mock-clusterissuer"
@@ -44,7 +44,7 @@ dependency "eks-cert-manager" {
 }
 dependency "eks-prometheus" {
- config_path = "../eks-prometheus"
+ config_path = "../eks-prometheus"
 mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
 mock_outputs = {
 prometheus_server_internal_endpoint = {
@@ -63,9 +63,9 @@ dependency "eks-grafana" {
 port_number = "80"
 url = "https://grafana.mock.svc.cluster.local:80/"
 }
- namespace = "mock"
- public_endpoint = "https://grafana.mock.mock.mock.census.gov:80/"
- secret_name = "mock"
+ namespace = "mock"
+ public_endpoint = "https://grafana.mock.mock.mock.census.gov:80/"
+ secret_name = "mock"
 }
 }
@@ -84,7 +84,7 @@ inputs = {
 grafana_namespace = dependency.eks-grafana.outputs.namespace
 grafana_public_url = dependency.eks-grafana.outputs.public_endpoint
 # grafana_secret_name = "grafana"
- grafana_secret_name = dependency.eks-grafana.outputs.secret_name
+ grafana_secret_name = dependency.eks-grafana.outputs.secret_name
 jaeger_internal_url = ""
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
index 9d0c933c..b3849db5 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
@@ -26,7 +26,7 @@ dependency "eks-config" {
 config_path = "../eks-config"
 mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
 mock_outputs = {
- rwo_storage_class = "gp3-encrypted"
+ rwo_storage_class = "gp3-mock"
 }
 }

From 06a62e4dd2f7204ba652c222899442d06d97da31 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Wed, 26 Feb 2025 22:19:41 -0500
Subject: [PATCH 13/57] no v

---
 lab/_envcommon/default-versions.hcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index 9584c945..14cf7317 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
@@ -88,7 +88,7 @@ locals {
 ################
 # keycloak
 ################
- keycloak_app_version = "v26.1.2"
+ keycloak_app_version = "26.1.2"
 keycloak_chart_version = "24.4.10"
 keycloak_hostname = "keycloak"
 keycloak_namespace = "keycloak"

From 398e4348f4b9203411068c4035295c65fd2b6350 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Thu, 27 Feb 2025 13:15:43 -0500
Subject: [PATCH 14/57] cleanup

---
 .github/platform-tg-infra.code-workspace | 20 +-
 lab/_envcommon/default-versions.hcl | 5 +-
 .../eks-keycloak/terragrunt.hcl | 2 +-
 .../eks-keycloak/values.yml | 1391 -----------------
 4 files changed, 9 insertions(+), 1409 deletions(-)
 delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml

diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace
index 00a75854..48d30875 100644
--- a/.github/platform-tg-infra.code-workspace
+++ b/.github/platform-tg-infra.code-workspace
@@ -68,6 +68,10 @@
 "name": "tfmod-metrics-server",
 "path": "../../tfmod-metrics-server"
 },
+ {
+ "name": "tfmod-postgresql",
+ "path": "../../tfmod-postgresql"
+ },
 {
 "name": "tfmod-prometheus",
 "path": "../../tfmod-prometheus"
@@ -80,25 +84,9 @@
 "name": "terraform-aws-eks",
 "path": "../../terraform-aws-eks"
 },
- {
- "name": "karpenter-provider-aws",
- "path": "../../karpenter-provider-aws"
- },
 {
 "name": "terragrunt",
 "path": "../../terragrunt"
- },
- {
- "path": "../../terraform-aws-rds"
- },
- {
- "path": "../../aws-rds"
- },
- {
- "path": "../../morpheus-terraform-dev"
- },
- {
- "path": "../../../terraform-modules/aws-common-security-groups"
 }
 ]
 }
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index 14cf7317..ee589fbf 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
@@ -88,10 +88,13 @@ locals {
 ################
 # keycloak
 ################
- keycloak_app_version = "26.1.2"
+ keycloak_tag = "26.1.2"
 keycloak_chart_version = "24.4.10"
 keycloak_hostname = "keycloak"
 keycloak_namespace = "keycloak"
+ postgresql_tag = "17.4.0"
+ postgres_exporter_tag = "0.17.1"
+ os_shell_tag = "12"
 ################
 # Kiali
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
index a86417d2..48992191 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
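Review bot: The new `os_shell_tag = "12"` in the default-versions.hcl hunk is far looser than the other tags added beside it (`postgresql_tag = "17.4.0"`, `postgres_exporter_tag = "0.17.1"`): a bare major-version tag is re-pointed on every upstream rebuild, so two applies of the same release can pull different image contents, and nothing in this locals block carries a digest that would make any of these tags immutable. If this feeds the Bitnami os-shell helper image (inferred from the name; confirm in the consuming module), pin it to the full published tag, or add a companion `*_digest` local per image so the module can reference `image@sha256:...` and treat the tag as documentation only. If a floating major tag is intentional, say so next to it, e.g. `# os-shell is a throwaway utility image; "12" deliberately tracks the latest Debian 12 rebuild`. The enclosing `locals { ... }` block starts and ends outside the hunk.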
@@ -50,7 +50,7 @@ inputs = {
 # keycloak config
 keycloak_hostname = include.root.inputs.keycloak_hostname
- keycloak_tag = include.root.inputs.keycloak_app_version
+ keycloak_tag = include.root.inputs.keycloak_tag
 keycloak_version = include.root.inputs.keycloak_chart_version
 default_storage_class = dependency.eks-config.outputs.rwo_storage_class
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml
deleted file mode 100644
index e8b28b70..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml
+++ /dev/null
@@ -1,1391 +0,0 @@ -# Copyright Broadcom, Inc. All Rights Reserved. -# SPDX-License-Identifier: APACHE-2.0 - -## @section Global parameters -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass -## - -## @param global.imageRegistry Global Docker image registry -## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) -## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead -## -global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] - defaultStorageClass: "" - storageClass: "" - ## Security parameters - ## - security: - ## @param global.security.allowInsecureImages Allows skipping image verification - allowInsecureImages: false - ## Compatibility adaptations for Kubernetes platforms - ## - compatibility: - ## Compatibility adaptations for Openshift - ## - openshift: - ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) - ## - adaptSecurityContext: auto -## @section Common parameters -## - -## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) -## -kubeVersion: "" -## @param nameOverride String to partially override common.names.fullname -## -nameOverride: "" -## @param fullnameOverride String to fully override common.names.fullname -## -fullnameOverride: "" -## @param namespaceOverride String to fully override common.names.namespace -## -namespaceOverride: "" -## @param commonLabels Labels to add to all deployed objects -## -commonLabels: {} -## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec -## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service -## -enableServiceLinks: true -## @param commonAnnotations Annotations to add to all deployed objects -## -commonAnnotations: {} -## @param dnsPolicy DNS Policy for pod -## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ -## E.g. -## dnsPolicy: ClusterFirst -dnsPolicy: "" -## @param dnsConfig DNS Configuration pod -## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ -## E.g. 
-## dnsConfig: -## options: -## - name: ndots -## value: "4" -dnsConfig: {} -## @param clusterDomain Default Kubernetes cluster domain -## -clusterDomain: cluster.local -## @param extraDeploy Array of extra objects to deploy with the release -## -extraDeploy: [] -## Enable diagnostic mode in the statefulset -## -diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) - ## - enabled: false - ## @param diagnosticMode.command Command to override all containers in the the statefulset - ## - command: - - sleep - ## @param diagnosticMode.args Args to override all containers in the the statefulset - ## - args: - - infinity -## @section Keycloak parameters - -## Bitnami Keycloak image version -## ref: https://hub.docker.com/r/bitnami/keycloak/tags/ -## @param image.registry [default: REGISTRY_NAME] Keycloak image registry -## @param image.repository [default: REPOSITORY_NAME/keycloak] Keycloak image repository -## @skip image.tag Keycloak image tag (immutable tags are recommended) -## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag -## @param image.pullPolicy Keycloak image pull policy -## @param image.pullSecrets Specify docker-registry secret names as an array -## @param image.debug Specify if debug logs should be enabled -## -image: - registry: docker.io - repository: bitnami/keycloak - tag: 26.1.2-debian-12-r0 - digest: "" - ## Specify a imagePullPolicy - ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Set to true if you would like to see extra information on logs - ## - debug: false -## Keycloak authentication parameters -## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials -## -auth: - ## @param auth.adminUser Keycloak administrator user - ## - adminUser: user - ## @param auth.adminPassword Keycloak administrator password for the new user - ## - adminPassword: "" - ## @param auth.existingSecret Existing secret containing Keycloak admin password - ## - existingSecret: "" - ## @param auth.passwordSecretKey Key where the Keycloak admin password is being stored inside the existing secret. - ## - passwordSecretKey: "" - ## @param auth.annotations Additional custom annotations for Keycloak auth secret object - ## - annotations: {} -## Custom Certificates -## @param customCaExistingSecret Name of the secret containing the Keycloak custom CA certificates. The secret will be mounted as a directory and configured using KC_TRUSTSTORE_PATHS. -## https://www.keycloak.org/server/keycloak-truststore -## Could be created like this: kubectl create secret generic secretName --from-file=./certificateToMerge.pem -customCaExistingSecret: "" -## HTTPS settings -## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption -## -tls: - ## @param tls.enabled Enable TLS encryption. Required for HTTPs traffic. - ## - enabled: false - ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. 
Currently only supports PEM certificates - ## - autoGenerated: false - ## @param tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica - ## Create this secret following the steps below: - ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl) - ## 2) Rename your truststore to `keycloak.truststore.jks` or use a different name overwriting the value 'tls.truststoreFilename'. - ## 3) Rename your keystores to `keycloak.keystore.jks` or use a different name overwriting the value 'tls.keystoreFilename'. - ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create: - ## kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks - ## NOTE: If usePem enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively. - ## - existingSecret: "" - ## @param tls.usePem Use PEM certificates as input instead of PKS12/JKS stores - ## If "true", the Keycloak chart will look for the files tls.key and tls.crt inside the secret provided with 'existingSecret'. - ## - usePem: false - ## @param tls.truststoreFilename Truststore filename inside the existing secret - ## - truststoreFilename: "keycloak.truststore.jks" - ## @param tls.keystoreFilename Keystore filename inside the existing secret - ## - keystoreFilename: "keycloak.keystore.jks" - ## @param tls.keystorePassword Password to access the keystore when it's password-protected - ## - keystorePassword: "" - ## @param tls.truststorePassword Password to access the truststore when it's password-protected - ## - truststorePassword: "" - ## @param tls.passwordsSecret Secret containing the Keystore and Truststore passwords. - ## The secret must have "tls-keystore-password" and "tls-truststore-password" keys for the keystore and truststore respectively. 
- ## - passwordsSecret: "" -## SPI TLS settings -## ref: https://www.keycloak.org/server/keycloak-truststore -## -spi: - ## @param spi.existingSecret Existing secret containing the Keycloak truststore for SPI connection over HTTPS/TLS - ## Create this secret following the steps below: - ## 1) Rename your truststore to `keycloak-spi.truststore.jks` or use a different name overwriting the value 'spi.truststoreFilename'. - ## 2) Run the command below where SECRET_NAME is the name of the secret you want to create: - ## kubectl create secret generic SECRET_NAME --from-file=./keycloak-spi.truststore.jks --from-file=./keycloak.keystore.jks - ## - existingSecret: "" - ## @param spi.truststorePassword Password to access the truststore when it's password-protected - ## - truststorePassword: "" - ## @param spi.truststoreFilename Truststore filename inside the existing secret - ## - truststoreFilename: "keycloak-spi.truststore.jks" - ## @param spi.passwordsSecret Secret containing the SPI Truststore passwords. - ## The secret must have "spi-truststore-password" key. - ## - passwordsSecret: "" - ## @param spi.hostnameVerificationPolicy Verify the hostname of the server's certificate. Allowed values: "ANY", "WILDCARD", "STRICT". - ## - hostnameVerificationPolicy: "" -## @param adminRealm Name of the admin realm -## -adminRealm: "master" -## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. -## -production: false -## @param proxyHeaders Set Keycloak proxy headers -## -proxyHeaders: "" -## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none -## DEPRECATED: use proxyHeaders instead -## ref: https://www.keycloak.org/server/reverseproxy -## -proxy: "" -## @param httpRelativePath Set the path relative to '/' for serving resources. 
Useful if you are migrating from older version which were using '/auth/' -## ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed -## -httpRelativePath: "/" -## Keycloak Service Discovery settings -## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration -## -## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified -## Specify content for keycloak.conf -## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart) -## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified -## -## Example: -## configuration: |- -## foo: bar -## baz: -## -configuration: "" -## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration -## NOTE: When it's set the configuration parameter is ignored -## -existingConfigmap: "" -## @param extraStartupArgs Extra default startup args -## -extraStartupArgs: "" -## @param enableDefaultInitContainers Deploy default init containers -## Disable this parameter could be helpful for 3rd party images e.g native Keycloak image. -## -enableDefaultInitContainers: true -## @param initdbScripts Dictionary of initdb scripts -## Specify dictionary of scripts to be run at first boot -## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance -## Example: -## initdbScripts: -## my_init_script.sh: | -## #!/bin/bash -## echo "Do something." 
-## -initdbScripts: {} -## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) -## -initdbScriptsConfigMap: "" -## @param command Override default container command (useful when using custom images) -## -command: [] -## @param args Override default container args (useful when using custom images) -## -args: [] -## @param extraEnvVars Extra environment variables to be set on Keycloak container -## Example: -## extraEnvVars: -## - name: FOO -## value: "bar" -## -extraEnvVars: [] -## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars -## -extraEnvVarsCM: "" -## @param extraEnvVarsSecret Name of existing Secret containing extra env vars -## -extraEnvVarsSecret: "" -## @section Keycloak statefulset parameters - -## @param replicaCount Number of Keycloak replicas to deploy -## -replicaCount: 1 -## @param revisionHistoryLimitCount Number of controller revisions to keep -## -revisionHistoryLimitCount: 10 -## @param containerPorts.http Keycloak HTTP container port -## @param containerPorts.https Keycloak HTTPS container port -## @param containerPorts.metrics Keycloak metrics container port -## -containerPorts: - http: 8080 - https: 8443 - metrics: 9000 -## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Keycloak container -## -extraContainerPorts: [] -## @param statefulsetAnnotations Optionally add extra annotations on the statefulset resource -statefulsetAnnotations: {} -## -## Keycloak pods' SecurityContext -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod -## @param podSecurityContext.enabled Enabled Keycloak pods' Security Context -## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy -## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface -## @param podSecurityContext.supplementalGroups Set filesystem extra groups -## @param 
podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup -## -podSecurityContext: - enabled: true - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] - fsGroup: 1001 -## Keycloak containers' Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -## @param containerSecurityContext.enabled Enabled containers' Security Context -## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container -## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser -## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup -## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot -## @param containerSecurityContext.privileged Set container's Security Context privileged -## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem -## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation -## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped -## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile -## -containerSecurityContext: - enabled: true - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" -## Keycloak resource requests and limits -## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if resources is set (resources is recommended for production). -## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 -## -resourcesPreset: "small" -## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) -## Example: -## resources: -## requests: -## cpu: 2 -## memory: 512Mi -## limits: -## cpu: 3 -## memory: 1024Mi -## -resources: {} -## Configure extra options for Keycloak containers' liveness, readiness and startup probes -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes -## @param livenessProbe.enabled Enable livenessProbe on Keycloak containers -## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe -## @param livenessProbe.periodSeconds Period seconds for livenessProbe -## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe -## @param livenessProbe.failureThreshold Failure threshold for livenessProbe -## @param livenessProbe.successThreshold Success threshold for livenessProbe -## -livenessProbe: - enabled: true - initialDelaySeconds: 300 - periodSeconds: 1 - timeoutSeconds: 5 - failureThreshold: 3 - successThreshold: 1 -## @param readinessProbe.enabled Enable readinessProbe on Keycloak containers -## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe -## @param readinessProbe.periodSeconds Period seconds for readinessProbe -## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe -## @param readinessProbe.failureThreshold Failure threshold for readinessProbe -## @param readinessProbe.successThreshold Success threshold for readinessProbe -## -readinessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - successThreshold: 1 -## When enabling this, make sure to set initialDelaySeconds 
to 0 for livenessProbe and readinessProbe -## @param startupProbe.enabled Enable startupProbe on Keycloak containers -## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe -## @param startupProbe.periodSeconds Period seconds for startupProbe -## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe -## @param startupProbe.failureThreshold Failure threshold for startupProbe -## @param startupProbe.successThreshold Success threshold for startupProbe -## -startupProbe: - enabled: false - initialDelaySeconds: 30 - periodSeconds: 5 - timeoutSeconds: 1 - failureThreshold: 60 - successThreshold: 1 -## @param customLivenessProbe Custom Liveness probes for Keycloak -## -customLivenessProbe: {} -## @param customReadinessProbe Custom Rediness probes Keycloak -## -customReadinessProbe: {} -## @param customStartupProbe Custom Startup probes for Keycloak -## -customStartupProbe: {} -## @param lifecycleHooks LifecycleHooks to set additional configuration at startup -## -lifecycleHooks: {} -## @param automountServiceAccountToken Mount Service Account token in pod -## -automountServiceAccountToken: true -## @param hostAliases Deployment pod host aliases -## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ -## -hostAliases: [] -## @param podLabels Extra labels for Keycloak pods -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -## -podLabels: {} -## @param podAnnotations Annotations for Keycloak pods -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -## -podAnnotations: {} -## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAffinityPreset: "" -## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAntiAffinityPreset: soft -## Node affinity preset -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## -nodeAffinityPreset: - ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] -## @param affinity Affinity for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## -affinity: {} -## @param nodeSelector Node labels for pod assignment -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ -## -nodeSelector: {} -## @param tolerations Tolerations for pod assignment -## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -## -tolerations: [] -## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods -## -topologySpreadConstraints: [] -## @param podManagementPolicy Pod management policy for the Keycloak statefulset -## -podManagementPolicy: Parallel -## @param priorityClassName Keycloak pods' Priority Class Name -## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ -## -priorityClassName: "" -## @param schedulerName Use an alternate scheduler, e.g. "stork". 
-## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -schedulerName: "" -## @param terminationGracePeriodSeconds Seconds Keycloak pod needs to terminate gracefully -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods -## -terminationGracePeriodSeconds: "" -## @param updateStrategy.type Keycloak statefulset strategy type -## @param updateStrategy.rollingUpdate Keycloak statefulset rolling update configuration parameters -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies -## -updateStrategy: - type: RollingUpdate - rollingUpdate: {} -## @param minReadySeconds How many seconds a pod needs to be ready before killing the next, during update -## -minReadySeconds: 0 -## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods -## -extraVolumes: [] -## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s) -## -extraVolumeMounts: [] -## @param initContainers Add additional init containers to the Keycloak pods -## Example: -## initContainers: -## - name: your-image-name -## image: your-image -## imagePullPolicy: Always -## ports: -## - name: portname -## containerPort: 1234 -## -initContainers: [] -## @param sidecars Add additional sidecar containers to the Keycloak pods -## Example: -## sidecars: -## - name: your-image-name -## image: your-image -## imagePullPolicy: Always -## ports: -## - name: portname -## containerPort: 1234 -## -sidecars: [] -## @section Exposure parameters -## - -## Service configuration -## -service: - ## @param service.type Kubernetes service type - ## - type: ClusterIP - ## @param service.http.enabled Enable http port on service - ## - http: - enabled: true - ## @param service.ports.http Keycloak service HTTP port - ## @param service.ports.https Keycloak service HTTPS port - ## - ports: - http: 80 - https: 443 - ## @param service.nodePorts 
[object] Specify the nodePort values for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - http: "" - https: "" - ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin - ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - ## - sessionAffinity: None - ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - ## - sessionAffinityConfig: {} - ## @param service.clusterIP Keycloak service clusterIP IP - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param service.loadBalancerIP loadBalancerIP for the SuiteCRM Service (optional, cloud specific) - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer - ## - loadBalancerIP: "" - ## @param service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## Example: - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param service.annotations Additional custom annotations for Keycloak service - ## - annotations: {} - ## @param service.extraPorts Extra port to expose on Keycloak service - ## - extraPorts: [] - # DEPRECATED service.extraHeadlessPorts will be removed in a future release, please use service.headless.extraPorts instead - ## @param service.extraHeadlessPorts Extra ports to expose on Keycloak headless service - ## - 
extraHeadlessPorts: [] - ## Headless service properties - ## - headless: - ## @param service.headless.annotations Annotations for the headless service. - ## - annotations: {} - ## @param service.headless.extraPorts Extra ports to expose on Keycloak headless service - ## - extraPorts: [] -## Keycloak ingress parameters -## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ -## -ingress: - ## @param ingress.enabled Enable ingress record generation for Keycloak - ## - enabled: false - ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . - ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## - ingressClassName: "" - ## @param ingress.pathType Ingress path type - ## - pathType: ImplementationSpecific - ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) - ## - apiVersion: "" - ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce` - ## leave as `default` for most ingress controllers. - ## set to `gce` if using the GCE ingress controller - ## - controller: default - ## @param ingress.hostname Default host for the ingress record (evaluated as template) - ## - hostname: keycloak.local - ## @param ingress.hostnameStrict Disables dynamically resolving the hostname from request headers. - ## Should always be set to true in production, unless your reverse proxy overwrites the Host header. - ## If enabled, the hostname option needs to be specified. - ## - hostnameStrict: false - ## @param ingress.path [string] Default path for the ingress record (evaluated as template) - ## - path: "{{ .Values.httpRelativePath }}" - ## @param ingress.servicePort Backend service port to use - ## Default is http. Alternative is https. 
- ## - servicePort: http - ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. - ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - annotations: {} - ## @param ingress.labels Additional labels for the Ingress resource. - ## e.g: - ## labels: - ## app: keycloak - ## - labels: {} - ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter - ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}` - ## You can: - ## - Use the `ingress.secrets` parameter to create this TLS secret - ## - Rely on cert-manager to create it by setting the corresponding annotations - ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` - ## - tls: false - ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm - ## - selfSigned: false - ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record - ## e.g: - ## extraHosts: - ## - name: keycloak.local - ## path: / - ## - extraHosts: [] - ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. - ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - ## - extraPaths: [] - ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. 
- ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## extraTls: - ## - hosts: - ## - keycloak.local - ## secretName: keycloak.local-tls - ## - extraTls: [] - ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set - ## - ## It is also possible to create and manage the certificates outside of this helm chart - ## Please see README.md for more information - ## e.g: - ## - name: keycloak.local-tls - ## key: - ## certificate: - ## - secrets: [] - ## @param ingress.extraRules Additional rules to be covered with this ingress record - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules - ## e.g: - ## extraRules: - ## - host: keycloak.local - ## http: - ## path: / - ## backend: - ## service: - ## name: keycloak - ## port: - ## name: http - ## - extraRules: [] -## Keycloak admin ingress parameters -## ref: https://kubernetes.io/docs/user-guide/ingress/ -## -adminIngress: - ## @param adminIngress.enabled Enable admin ingress record generation for Keycloak - ## - enabled: false - ## @param adminIngress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . 
- ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## - ingressClassName: "" - ## @param adminIngress.pathType Ingress path type - ## - pathType: ImplementationSpecific - ## @param adminIngress.apiVersion Force Ingress API version (automatically detected if not set) - ## - apiVersion: "" - ## @param adminIngress.controller The ingress controller type. Currently supports `default` and `gce` - ## leave as `default` for most ingress controllers. - ## set to `gce` if using the GCE ingress controller - ## - controller: default - ## @param adminIngress.hostname Default host for the admin ingress record (evaluated as template) - ## - hostname: keycloak.local - ## @param adminIngress.path [string] Default path for the admin ingress record (evaluated as template) - ## - path: "{{ .Values.httpRelativePath }}" - ## @param adminIngress.servicePort Backend service port to use - ## Default is http. Alternative is https. - ## - servicePort: http - ## @param adminIngress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. - ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - annotations: {} - ## @param adminIngress.labels Additional labels for the Ingress resource. - ## e.g: - ## labels: - ## app: keycloak - ## - labels: {} - ## @param adminIngress.tls Enable TLS configuration for the host defined at `adminIngress.hostname` parameter - ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.adminIngress.hostname .) 
}}` - ## You can: - ## - Use the `adminIngress.secrets` parameter to create this TLS secret - ## - Rely on cert-manager to create it by setting the corresponding annotations - ## - Rely on Helm to create self-signed certificates by setting `adminIngress.selfSigned=true` - ## - tls: false - ## @param adminIngress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm - ## - selfSigned: false - ## @param adminIngress.extraHosts An array with additional hostname(s) to be covered with the admin ingress record - ## e.g: - ## extraHosts: - ## - name: keycloak.local - ## path: / - ## - extraHosts: [] - ## @param adminIngress.extraPaths Any additional arbitrary paths that may need to be added to the admin ingress under the main host. - ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - ## - extraPaths: [] - ## @param adminIngress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. 
- ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## extraTls: - ## - hosts: - ## - keycloak.local - ## secretName: keycloak.local-tls - ## - extraTls: [] - ## @param adminIngress.secrets If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set - ## - ## It is also possible to create and manage the certificates outside of this helm chart - ## Please see README.md for more information - ## e.g: - ## - name: keycloak.local-tls - ## key: - ## certificate: - ## - secrets: [] - ## @param adminIngress.extraRules Additional rules to be covered with this ingress record - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules - ## e.g: - ## extraRules: - ## - host: keycloak.local - ## http: - ## path: / - ## backend: - ## service: - ## name: keycloak - ## port: - ## name: http - ## - extraRules: [] -## Network Policy configuration -## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ -## -networkPolicy: - ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created - ## - enabled: true - ## @param networkPolicy.allowExternal Don't require server label for connections - ## The Policy model to apply. When set to false, only pods with the correct - ## server label will have network access to the ports server is listening - ## on. When true, server will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
- ## - allowExternalEgress: true - ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) - ## - kubeAPIServerPorts: [443, 6443, 8443] - ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraIngress: - ## - ports: - ## - port: 1234 - ## from: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - extraIngress: [] - ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraEgress: - ## - ports: - ## - port: 1234 - ## to: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - ## - extraEgress: [] - ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces - ## - ingressNSMatchLabels: {} - ingressNSPodMatchLabels: {} -## @section RBAC parameter -## Specifies whether a ServiceAccount should be created -## -serviceAccount: - ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods - ## - create: true - ## @param serviceAccount.name Name of the created ServiceAccount - ## If not set and create is true, a name is generated using the fullname template - ## - name: "" - ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod - ## - automountServiceAccountToken: false - ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount - ## - annotations: {} - ## @param serviceAccount.extraLabels Additional labels for the ServiceAccount - ## - extraLabels: {} -## Specifies 
whether RBAC resources should be created -## -rbac: - ## @param rbac.create Whether to create and use RBAC resources or not - ## - create: false - ## @param rbac.rules Custom RBAC rules - ## Example: - ## rules: - ## - apiGroups: - ## - "" - ## resources: - ## - pods - ## verbs: - ## - get - ## - list - ## - rules: [] -## @section Other parameters -## - -## Keycloak Pod Disruption Budget configuration -## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ -## -pdb: - ## @param pdb.create Enable/disable a Pod Disruption Budget creation - ## - create: true - ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled - ## - minAvailable: "" - ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable - ## - maxUnavailable: "" -## Keycloak Autoscaling configuration -## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ -## @param autoscaling.enabled Enable autoscaling for Keycloak -## @param autoscaling.minReplicas Minimum number of Keycloak replicas -## @param autoscaling.maxReplicas Maximum number of Keycloak replicas -## @param autoscaling.targetCPU Target CPU utilization percentage -## @param autoscaling.targetMemory Target Memory utilization percentage -## -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 11 - targetCPU: "" - targetMemory: "" - ## HPA Scaling Behavior - ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior - ## - behavior: - ## HPA behavior when scaling up - ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up - ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up - ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up - ## e.g: - ## Policy to scale 20% of 
the pod in 60s - ## - type: Percent - ## value: 20 - ## periodSeconds: 60 - ## - scaleUp: - stabilizationWindowSeconds: 120 - selectPolicy: Max - policies: [] - ## HPA behavior when scaling down - ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down - ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down - ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down - ## e.g: - ## Policy to scale one pod in 300s - ## - type: Pods - ## value: 1 - ## periodSeconds: 300 - ## - scaleDown: - stabilizationWindowSeconds: 300 - selectPolicy: Max - policies: - - type: Pods - value: 1 - periodSeconds: 300 -## @section Metrics parameters -## - -## Metrics configuration -## -metrics: - ## @param metrics.enabled Enable exposing Keycloak statistics - ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics - ## - enabled: false - ## Keycloak metrics service parameters - ## - service: - ports: - ## @param metrics.service.ports.http Metrics service HTTP port - ## - http: 8080 - ## @param metrics.service.ports.https Metrics service HTTPS port - ## - https: 8443 - ## @param metrics.service.ports.metrics Metrics service Metrics port - ## - metrics: 9000 - ## @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints - ## - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" - ## @param metrics.service.extraPorts [array] Add additional ports to the keycloak metrics service (i.e. 
admin port 9000) - ## - extraPorts: [] - ## Prometheus Operator ServiceMonitor configuration - ## - serviceMonitor: - ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator - ## - enabled: false - ## @param metrics.serviceMonitor.port Metrics service HTTP port - ## - port: metrics - ## @param metrics.serviceMonitor.scheme Metrics service scheme - ## - scheme: http - ## @param metrics.serviceMonitor.tlsConfig Metrics service TLS configuration - ## - tlsConfig: {} - ## @param metrics.serviceMonitor.endpoints [array] The endpoint configuration of the ServiceMonitor. Path is mandatory. Port, scheme, tlsConfig, interval, timeout and labellings can be overwritten. - ## - endpoints: - - path: '{{ include "keycloak.httpPath" . }}metrics' - - path: '{{ include "keycloak.httpPath" . }}realms/{{ .Values.adminRealm }}/metrics' - port: http - ## @param metrics.serviceMonitor.path Metrics service HTTP path. Deprecated: Use @param metrics.serviceMonitor.endpoints instead - ## - path: "" - ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in - ## - namespace: "" - ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped - ## - interval: 30s - ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended - ## e.g: - ## scrapeTimeout: 30s - ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus - ## - labels: {} - ## @param metrics.serviceMonitor.selector Prometheus instance selector labels - ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration - ## - selector: {} - ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping - ## - relabelings: [] - ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples 
before ingestion - ## - metricRelabelings: [] - ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels - ## - honorLabels: false - ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. - ## - jobLabel: "" - ## Prometheus Operator alert rules configuration - ## - prometheusRule: - ## @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator - ## - enabled: false - ## @param metrics.prometheusRule.namespace Namespace which Prometheus is running in - ## - namespace: "" - ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus - ## - labels: {} - ## @param metrics.prometheusRule.groups Groups, containing the alert rules. - ## Example: - ## groups: - ## - name: Keycloak - ## rules: - ## - alert: KeycloakInstanceNotAvailable - ## annotations: - ## message: "Keycloak instance in namespace {{ `{{` }} $labels.namespace {{ `}}` }} has not been available for the last 5 minutes." - ## expr: | - ## absent(kube_pod_status_ready{namespace="{{ include "common.names.namespace" . }}", condition="true"} * on (pod) kube_pod_labels{pod=~"{{ include "common.names.fullname" . }}-\\d+", namespace="{{ include "common.names.namespace" . 
}}"}) != 0 - ## for: 5m - ## labels: - ## severity: critical - groups: [] -## @section keycloak-config-cli parameters - -## Configuration for keycloak-config-cli -## ref: https://github.com/adorsys/keycloak-config-cli -## -keycloakConfigCli: - ## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job - ## - enabled: false - ## Bitnami keycloak-config-cli image - ## ref: https://hub.docker.com/r/bitnami/keycloak-config-cli/tags/ - ## @param keycloakConfigCli.image.registry [default: REGISTRY_NAME] keycloak-config-cli container image registry - ## @param keycloakConfigCli.image.repository [default: REPOSITORY_NAME/keycloak-config-cli] keycloak-config-cli container image repository - ## @skip keycloakConfigCli.image.tag keycloak-config-cli container image tag - ## @param keycloakConfigCli.image.digest keycloak-config-cli container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag - ## @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container image pull policy - ## @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container image pull secrets - ## - image: - registry: docker.io - repository: bitnami/keycloak-config-cli - tag: 6.3.0-debian-12-r1 - digest: "" - ## Specify a imagePullPolicy - ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - annotations: - helm.sh/hook: "post-install,post-upgrade,post-rollback" - helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" - helm.sh/hook-weight: "5" - ## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form - ## - command: [] - ## @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form - ## - args: [] - ## @param keycloakConfigCli.automountServiceAccountToken Mount Service Account token in pod - ## - automountServiceAccountToken: true - ## @param keycloakConfigCli.hostAliases Job pod host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## Keycloak config CLI resource requests and limits - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param keycloakConfigCli.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if keycloakConfigCli.resources is set (keycloakConfigCli.resources is recommended for production). 
- ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - ## - resourcesPreset: "small" - ## @param keycloakConfigCli.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) - ## Example: - ## resources: - ## requests: - ## cpu: 2 - ## memory: 512Mi - ## limits: - ## cpu: 3 - ## memory: 1024Mi - ## - resources: {} - ## keycloak-config-cli containers' Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli Security Context - ## @param keycloakConfigCli.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container - ## @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli Security Context runAsUser - ## @param keycloakConfigCli.containerSecurityContext.runAsGroup Set keycloak-config-cli Security Context runAsGroup - ## @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli Security Context runAsNonRoot - ## @param keycloakConfigCli.containerSecurityContext.privileged Set keycloak-config-cli Security Context privileged - ## @param keycloakConfigCli.containerSecurityContext.readOnlyRootFilesystem Set keycloak-config-cli Security Context readOnlyRootFilesystem - ## @param keycloakConfigCli.containerSecurityContext.allowPrivilegeEscalation Set keycloak-config-cli Security Context allowPrivilegeEscalation - ## @param keycloakConfigCli.containerSecurityContext.capabilities.drop List of capabilities to be dropped - ## @param keycloakConfigCli.containerSecurityContext.seccompProfile.type Set keycloak-config-cli Security Context seccomp profile - ## - containerSecurityContext: - enabled: true - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - 
readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" - ## keycloak-config-cli pods' Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context - ## @param keycloakConfigCli.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy - ## @param keycloakConfigCli.podSecurityContext.sysctls Set kernel settings using the sysctl interface - ## @param keycloakConfigCli.podSecurityContext.supplementalGroups Set filesystem extra groups - ## @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup - ## - podSecurityContext: - enabled: true - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] - fsGroup: 1001 - ## @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy - ## - backoffLimit: 1 - ## @param keycloakConfigCli.podLabels Pod extra labels - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param keycloakConfigCli.podAnnotations Annotations for job pod - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## @param keycloakConfigCli.nodeSelector Node labels for pod assignment - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - ## - nodeSelector: {} - ## - ## @param keycloakConfigCli.podTolerations Tolerations for job pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - podTolerations: [] - ## @param keycloakConfigCli.extraEnvVars Additional environment variables to set - ## Example: - ## 
extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables - ## - extraEnvVarsCM: "" - ## @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables - ## - extraEnvVarsSecret: "" - ## @param keycloakConfigCli.extraVolumes Extra volumes to add to the job - ## - extraVolumes: [] - ## @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container - ## - extraVolumeMounts: [] - ## @param keycloakConfigCli.initContainers Add additional init containers to the Keycloak config cli pod - ## Example: - ## initContainers: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - initContainers: [] - ## @param keycloakConfigCli.sidecars Add additional sidecar containers to the Keycloak config cli pod - ## Example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param keycloakConfigCli.configuration keycloak-config-cli realms configuration - ## NOTE: nil keys will be considered files to import locally - ## Example: - ## configuration: - ## realm1.json: | - ## { - ## "realm": "realm1", - ## "clients": [] - ## } - ## realm2.yaml: | - ## realm: realm2 - ## clients: [] - ## - configuration: {} - ## @param keycloakConfigCli.existingConfigmap ConfigMap with keycloak-config-cli configuration - ## NOTE: This will override keycloakConfigCli.configuration - ## - existingConfigmap: "" - ## Automatic Cleanup for Finished Jobs - ## @param keycloakConfigCli.cleanupAfterFinished.enabled Enables Cleanup for Finished Jobs - ## @param keycloakConfigCli.cleanupAfterFinished.seconds Sets the value of ttlSecondsAfterFinished - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ - ## - 
cleanupAfterFinished: - enabled: false - seconds: 600 -## @section Database parameters - -## PostgreSQL chart configuration -## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml -## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart -## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided -## @param postgresql.auth.username Name for a custom user to create -## @param postgresql.auth.password Password for the custom user to create -## @param postgresql.auth.database Name for a custom database to create -## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials -## @param postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. -## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) -## -postgresql: - enabled: true - auth: - postgresPassword: "" - username: bn_keycloak - password: "" - database: bitnami_keycloak - existingSecret: "" - secretKeys: - userPasswordKey: password - architecture: standalone -## External PostgreSQL configuration -## All of these values are only used when postgresql.enabled is set to false -## @param externalDatabase.host Database host -## @param externalDatabase.port Database port number -## @param externalDatabase.user Non-root username for Keycloak -## @param externalDatabase.password Password for the non-root username for Keycloak -## @param externalDatabase.database Keycloak database name -## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials -## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name -## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the 
database port -## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user -## @param externalDatabase.existingSecretDatabaseKey Name of an existing secret key containing the database name -## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials -## @param externalDatabase.annotations Additional custom annotations for external database secret object -## -externalDatabase: - host: "" - port: 5432 - user: bn_keycloak - database: bitnami_keycloak - password: "" - existingSecret: "" - existingSecretHostKey: "" - existingSecretPortKey: "" - existingSecretUserKey: "" - existingSecretDatabaseKey: "" - existingSecretPasswordKey: "" - annotations: {} -## @section Keycloak Cache parameters - -## Keycloak cache configuration -## ref: https://www.keycloak.org/server/caching -## @param cache.enabled Switch to enable or disable the keycloak distributed cache for kubernetes. -## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1). -## @param cache.stackName Set infinispan cache stack to use -## @param cache.stackFile Set infinispan cache stack filename to use -## @param cache.useHeadlessServiceWithAppVersion Set to true to create the headless service used for ispn containing the app version -## -cache: - enabled: true - stackName: kubernetes - stackFile: "" - useHeadlessServiceWithAppVersion: false -## @section Keycloak Logging parameters - -## Keycloak logging configuration -## ref: https://www.keycloak.org/server/logging -## @param logging.output Alternates between the default log output format or json format -## @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF -## -logging: - output: default - level: INFO - From 1cb9d51026348f364e1d3c4f99f597086abd9f10 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 13:53:47 -0500 Subject: [PATCH 15/57] namespaces
---
 .../vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl | 1 +
 .../vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl | 3 ++-
 .../vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl | 1 +
 .../vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 3 ++-
 .../vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl | 1 +
 .../vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl | 1 +
 .../vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl | 3 ++-
 12 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl
index ea7cc82f..ebb79488 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl
@@ -47,6 +47,7 @@ inputs = {
 # Cert Manager Configuration
 cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
 cluster_issuer_name = include.root.inputs.cluster_issuer_name
+ namespace = include.root.inputs.namespaces["cert-manager"]
 # Version Tags
 cert_manager_cainjector_tag = include.root.inputs.cert_manager_cainjector_tag
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
index 0dfc1d31..3e003aa9 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
@@ -49,5 +49,6 @@ inputs = {
 security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
 subnets = dependency.eks.outputs.subnets
 vpc_id = dependency.eks.outputs.vpc_id
-
+ operators_ns = include.root.inputs.operator_namespace
+ telemetry_ns = include.root.inputs.telemetry_namespace
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl
index e6db8bb5..5f8200b3 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl
@@ -58,5 +58,5 @@ inputs = {
 grafana_tag = include.root.inputs.grafana_tag
 download_dashboards_image_tag = include.root.inputs.download_dashboards_image_tag
 init_chown_data_image_tag = include.root.inputs.init_chown_data_image_tag
- namespace = include.root.inputs.grafana_namespace
+ namespace = include.root.inputs.namespaces["grafana"]
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl
index 2d1d87aa..1c312166 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl
@@ -39,6 +39,6 @@ inputs = {
 oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
 # Istio Configuration
- namespace = include.root.inputs.istio_namespace
+ namespace = include.root.inputs.namespaces["istio"]
 istio_version = include.root.inputs.istio_version
 }
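Review bot: The new `operators_ns` line reads `include.root.inputs.operator_namespace`, while the eks-kiali hunk in this same commit reads `include.root.inputs.operators_namespace`; unless the root config defines both spellings, one of the two lookups points at an attribute that does not exist, and if both exist the two stacks can end up on different operator namespaces. The names `operators_ns`/`telemetry_ns` also break from the `namespace` convention every other file in this commit adopts; if they are dictated by the eks-config module's variable names, a comment such as `# operators_ns / telemetry_ns: names fixed by the eks-config module variables` would keep the next reader from "normalising" them. The enclosing `inputs` block starts outside the hunk.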
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl
index 6b553503..575bf9d7 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl
@@ -41,5 +41,5 @@ inputs = {
 # Dashboard Configuration
 k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
- namespace = include.root.inputs.dashboard_hostname
+ namespace = include.root.inputs.namespaces["k8s-dashboard"]
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl
index 1ec3a41d..c6ab6043 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl
@@ -46,4 +46,5 @@ inputs = {
 karpenter_tag = include.root.inputs.karpenter_tag
 karpenter_helm_chart = include.root.inputs.karpenter_helm_chart
 karpenter_node_group_name = dependency.eks.outputs.node_group_name
+ namespace = include.root.inputs.namespaces["karpenter"]
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
index 48992191..eb7eb9b1 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
@@ -44,7 +44,7 @@ inputs = {
 cluster_domain = include.root.inputs.vpc_domain_name
 cluster_name = dependency.eks.outputs.cluster_name
 environment = include.root.inputs.environment
- namespace = include.root.inputs.keycloak_namespace
+ namespace = include.root.inputs.namespaces["keycloak"]
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
index 96c225b2..5211b5e4 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
@@ -76,7 +76,7 @@ inputs = {
 profile = include.root.inputs.aws_profile
 cluster_domain = dependency.eks.inputs.vpc_domain_name
- operators_namespace = "operators"
+ operators_namespace = include.root.inputs.operators_namespace
 cluster_name = dependency.eks.outputs.cluster_name
 certificate_issuer = dependency.eks-cert-manager.outputs.cluster_issuer_name
 prometheus_internal_url = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url
@@ -86,6 +86,7 @@ inputs = {
 # grafana_secret_name = "grafana"
 grafana_secret_name = dependency.eks-grafana.outputs.secret_name
 jaeger_internal_url = ""
+ namespace = include.root.inputs.namespaces["kiali"]
 # client_id = var.sso_client_id
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
index b3849db5..8083c570 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
@@ -51,5 +51,6 @@ inputs = {
 # Loki Configuration
 loki_chart_version = include.root.inputs.loki_chart_version
 loki_tag = include.root.inputs.loki_tag
+ namespace = include.root.inputs.namespaces["loki"]
 rwo_storage_class = dependency.eks-config.outputs.rwo_storage_class
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
index 4e4d198f..f3e57605 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
@@ -39,4 +39,5 @@ inputs = {
 # Metrics Server Configuration
 metrics_server_helm_chart = include.root.inputs.metrics_server_helm_chart
 metrics_server_tag = include.root.inputs.metrics_server_tag
+ namespace = include.root.inputs.namespaces["metrics-server"]
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl
index 8b16a914..cf916f12 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl
@@ -50,11 +50,11 @@ inputs = {
 # Prometheus Configuration
 prometheus_chart_version = include.root.inputs.prometheus_chart_version
- prometheus_namespace = include.root.inputs.prometheus_namespace
 prometheus_server_tag = include.root.inputs.prometheus_server_tag
 prometheus_config_reloader_tag = include.root.inputs.prometheus_config_reloader_tag
 alertmanager_tag = include.root.inputs.alertmanager_tag
 kube_state_metrics_tag = include.root.inputs.kube_state_metrics_tag
+ namespace = include.root.inputs.namespaces["prometheus"]
 node_exporter_tag = include.root.inputs.node_exporter_tag
 pushgateway_tag = include.root.inputs.pushgateway_tag
 rwo_storage_class = dependency.eks-config.outputs.rwo_storage_class
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
index 45bd5ecf..074fdeea 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
@@ -61,5 +61,6 @@ inputs = {
 # Tempo Configuration
 tempo_chart_version = include.root.inputs.tempo_chart_version
 tempo_tag = include.root.inputs.tempo_tag
- namespace = include.root.inputs.tempo_namespace
+ namespace = include.root.inputs.namespaces["tempo"]
+
 }
From d34b6e2b1a1de9d7666b36abd6009226262f9951 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 13:55:44 -0500 Subject: [PATCH 16/57] use main
---
 lab/_envcommon/default-versions.hcl | 28 ++++++++--------------------
 1 file changed, 8 insertions(+), 20 deletions(-)
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index ee589fbf..f2be7f67 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
@@ -8,7 +8,7 @@ locals {
 custom_service_eks_account = "${local.release_version}"
 eks_module_version = "20.33.1"
 istio_ingress_version = "${local.release_version}"
- release_version = "0.1.1" # "main" # change to main when testing updated modules
+ release_version = "main" # "main" # change to main when testing updated modules
 #####################
 # TF Providers
@@ -46,6 +46,13 @@ locals {
 telemetry_namespace = "telemetry"
 # kubectl_image_tag = "1.30.4"
+ ################
+ # k8s-dashboard
+ ################
+ dashboard_hostname = "dashboard"
+ k8s_dashboard_metrics_scraper = "1.0.8"
+ k8s_dashboard_version = "6.0.6"
+
 ################
 # Cert-Manager
 ################
@@ -73,29 +80,12 @@ locals {
 grafana_tag = "11.4.0"
 init_chown_data_image_tag = "1.31.1"
- ################
- # k8s-dashboard
- ################
- dashboard_hostname = "k8s-dashboard"
- k8s_dashboard_version = "6.0.6"
-
 ################
 # Karpenter
 ################
 karpenter_helm_chart = "1.1.1"
 karpenter_tag = "1.1.1"
- ################
- # keycloak
- ################
- keycloak_tag = "26.1.2"
- keycloak_chart_version = "24.4.10"
- keycloak_hostname = "keycloak"
- keycloak_namespace = "keycloak"
- postgresql_tag = "17.4.0"
- postgres_exporter_tag = "0.17.1"
- os_shell_tag = "12"
-
 ################
 # Kiali
 ################
@@ -124,7 +114,6 @@ locals {
 # Prometheus
 ################
 prometheus_chart_version = "25.26.0"
- prometheus_namespace = "prometheus"
 prometheus_server_tag = "v2.54.0"
 prometheus_config_reloader_tag = "v0.75.2"
 alertmanager_tag = "v0.27.0"
@@ -136,6 +125,5 @@ locals {
 # Tempo
 ################
 tempo_chart_version = "1.18.1"
- tempo_namespace = "tempo"
 tempo_tag = "2.7.0"
 }
From 77e8f9d0e1416ea71f19a15e2d203b86e95dbd68 Mon Sep 17 00:00:00 2001
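Review bot: `release_version = "main"` turns every module source that interpolates it (`custom_service_eks_account` and `istio_ingress_version` in this hunk, plus the `?ref=${include.root.inputs.release_version}` sources in the per-stack terragrunt.hcl files) into a floating branch reference, so what `terragrunt apply` fetches for the lab environment changes whenever anyone pushes to `main` in those module repositories and two applies of this same commit are no longer guaranteed to run the same module code. The inline comment describes this as a testing toggle; if it has to be committed, keeping the shared default pinned and overriding it locally for tests preserves reproducibility, e.g. `release_version = "0.1.1" # pinned; override locally when testing unreleased modules`. The same commit also changes `dashboard_hostname` from `"k8s-dashboard"` to `"dashboard"`, adds `k8s_dashboard_metrics_scraper`, and deletes the entire keycloak block (`keycloak_tag` through `os_shell_tag`), none of which the subject `use main` mentions; if eks-keycloak/terragrunt.hcl still reads any of those root inputs (its hunk on this page shows only the namespace line), its evaluation will now fail. Splitting those into their own commits would let the history record why the hostname changed.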
From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 15:57:46 -0500 Subject: [PATCH 17/57] fmt
---
 .../vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl | 2 +-
 .../platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 5 ++---
 .../vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl | 2 +-
 .../platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl | 2 +-
 10 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl
index ebb79488..d1e69d00 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl
@@ -47,7 +47,7 @@ inputs = {
 # Cert Manager Configuration
 cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
 cluster_issuer_name = include.root.inputs.cluster_issuer_name
- namespace = include.root.inputs.namespaces["cert-manager"]
+ namespace = include.root.inputs.namespaces["cert-manager"]
 # Version Tags
 cert_manager_cainjector_tag = include.root.inputs.cert_manager_cainjector_tag
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
index 3e003aa9..c1328ee7 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
@@ -50,5 +50,5 @@ inputs = {
subnets = dependency.eks.outputs.subnets
vpc_id = dependency.eks.outputs.vpc_id
operators_ns = include.root.inputs.operator_namespace
- telemetry_ns = include.root.inputs.telemetry_namespace
+ telemetry_ns = include.root.inputs.telemetry_namespace
}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl
index 575bf9d7..61c1b716 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl
@@ -41,5 +41,5 @@ inputs = {
# Dashboard Configuration
k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
- namespace = include.root.inputs.namespaces["k8s-dashboard"]
+ namespace = include.root.inputs.namespaces["k8s-dashboard"]
}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl
index c6ab6043..7c2ff2db 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl
@@ -46,5 +46,5 @@ inputs = {
karpenter_tag = include.root.inputs.karpenter_tag
karpenter_helm_chart = include.root.inputs.karpenter_helm_chart
karpenter_node_group_name = dependency.eks.outputs.node_group_name
- namespace = include.root.inputs.namespaces["karpenter"]
+ namespace = include.root.inputs.namespaces["karpenter"]
}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
index eb7eb9b1..74573fa0 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
@@ -44,7 +44,7 @@ inputs = {
cluster_domain = include.root.inputs.vpc_domain_name
cluster_name = dependency.eks.outputs.cluster_name
environment = include.root.inputs.environment
- namespace = include.root.inputs.namespaces["keycloak"]
+ namespace = include.root.inputs.namespaces["keycloak"]
profile = include.root.inputs.aws_profile
region = include.root.inputs.aws_region
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
index 5211b5e4..5f8f6130 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
@@ -20,7 +20,6 @@ dependencies {
terraform {
source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster"
- # source = "../../../../../../../tfmod-kiali"
extra_arguments "retry_lock" {
commands = get_terraform_commands_that_need_locking()
arguments = ["-lock-timeout=20s"]
@@ -76,7 +75,7 @@ inputs = {
profile = include.root.inputs.aws_profile
cluster_domain = dependency.eks.inputs.vpc_domain_name
- operators_namespace = include.root.inputs.operators_namespace
+ operator_namespace = include.root.inputs.operator_namespace
cluster_name = dependency.eks.outputs.cluster_name
certificate_issuer = dependency.eks-cert-manager.outputs.cluster_issuer_name
prometheus_internal_url = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url
@@ -86,7 +85,7 @@ inputs = {
# grafana_secret_name = "grafana"
grafana_secret_name = dependency.eks-grafana.outputs.secret_name
jaeger_internal_url = ""
- namespace = include.root.inputs.namespaces["kiali"]
+ namespace = include.root.inputs.namespaces["kiali"]
# client_id = var.sso_client_id
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
index 8083c570..eb76fd63 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
@@ -51,6 +51,6 @@ inputs = {
# Loki Configuration
loki_chart_version = include.root.inputs.loki_chart_version
loki_tag = include.root.inputs.loki_tag
- namespace = include.root.inputs.namespaces["loki"]
+ namespace = include.root.inputs.namespaces["loki"]
rwo_storage_class = dependency.eks-config.outputs.rwo_storage_class
}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
index f3e57605..5e520aad 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
@@ -39,5 +39,5 @@ inputs = {
# Metrics Server Configuration
metrics_server_helm_chart = include.root.inputs.metrics_server_helm_chart
metrics_server_tag = include.root.inputs.metrics_server_tag
- namespace = include.root.inputs.namespaces["metrics-server"]
+ namespace = include.root.inputs.namespaces["metrics-server"]
}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl
index cf916f12..fd546b15 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl
@@ -54,7 +54,7 @@ inputs = {
prometheus_config_reloader_tag = include.root.inputs.prometheus_config_reloader_tag
alertmanager_tag = include.root.inputs.alertmanager_tag
kube_state_metrics_tag = include.root.inputs.kube_state_metrics_tag
- namespace = include.root.inputs.namespaces["prometheus"]
+ namespace = include.root.inputs.namespaces["prometheus"]
node_exporter_tag = include.root.inputs.node_exporter_tag
pushgateway_tag = include.root.inputs.pushgateway_tag
rwo_storage_class = dependency.eks-config.outputs.rwo_storage_class
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
index 074fdeea..dff1b330 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
@@ -61,6 +61,6 @@ inputs = {
# Tempo Configuration
tempo_chart_version = include.root.inputs.tempo_chart_version
tempo_tag = include.root.inputs.tempo_tag
- namespace = include.root.inputs.namespaces["tempo"]
+ namespace = include.root.inputs.namespaces["tempo"]
}
From 8356128a090e5085d1827e510656fb3de7c9dd78 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 17:20:03 -0500 Subject: [PATCH 18/57] namespace changes --- .../eks-grafana/terragrunt.hcl | 1 + .../eks-kiali/terragrunt.hcl | 114 ++++++++++-------- 2 files changed, 64 insertions(+), 51 deletions(-)
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl
index 5f8200b3..24ac7ca4 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl
@@ -59,4 +59,5 @@ inputs = {
download_dashboards_image_tag = include.root.inputs.download_dashboards_image_tag
init_chown_data_image_tag = include.root.inputs.init_chown_data_image_tag
namespace = include.root.inputs.namespaces["grafana"]
+ service_name = "grafana"
}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
index 5f8f6130..3d7c14a5 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
@@ -4,95 +4,107 @@ include "root" {
expose = true
}
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
dependencies {
paths = [
"../eks",
- "../eks-cert-manager",
"../eks-config",
"../eks-dns",
- "../eks-istio",
- "../eks-karpenter",
- "../eks-prometheus",
"../eks-grafana",
- "../eks-k8s-dashboard",
+ "../eks-istio",
+ "../eks-prometheus"
]
}
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
dependency "eks" {
config_path = "../eks"
mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
mock_outputs = {
- cluster_name = "a-cluster-name"
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
}
}
-dependency "eks-cert-manager" {
- config_path = "../eks-cert-manager"
+dependency "eks_config" {
+ config_path = "../eks-config"
mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
mock_outputs = {
- cluster_issuer_name = "mock-clusterissuer"
+ operators_namespace = "mock-namespace"
}
}
-dependency "eks-prometheus" {
- config_path = "../eks-prometheus"
+dependency "eks_dns" {
+ config_path = "../eks-dns"
mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
mock_outputs = {
-  prometheus_server_internal_endpoint = {
- hostname = "prometheus.mock.svc.cluster.local"
- port_number = 9090
- url = "http://prometheus.mock.svc.cluster.local:9090/"
- }
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
}
}
-dependency "eks-grafana" {
- config_path = "../eks-grafana"
+dependency "eks_grafana" {
+ config_path = "../eks-grafana"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
mock_outputs = {
internal_endpoint = {
hostname = "grafana.mock.svc.cluster.local"
port_number = "80"
url = "https://grafana.mock.svc.cluster.local:80/"
}
- namespace = "mock"
- public_endpoint = "https://grafana.mock.mock.mock.census.gov:80/"
- secret_name = "mock"
+ namespace = "grafana"
+ public_endpoint = {
+ hostname = "grafana.mock.lab.csp2.census.gov"
+ port_number = "80"
+ url = "https://grafana.mock.lab.csp2.census.gov:80/"
+ }
+ secret_name = "grafana"
+ }
+}
+
+dependency "eks_istio" {
+ config_path = "../eks-istio"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ namespace = "mock-namespace-istio"
}
}
+dependency "eks_prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_internal_url = "mock-internal-url"
+ }
+}
inputs = {
- kiali_operator_version = include.root.inputs.kiali_operator_version
- kiali_application_version = include.root.inputs.kiali_application_version
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
- profile = include.root.inputs.aws_profile
- cluster_domain = dependency.eks.inputs.vpc_domain_name
- operator_namespace = include.root.inputs.operator_namespace
- cluster_name = dependency.eks.outputs.cluster_name
- certificate_issuer = dependency.eks-cert-manager.outputs.cluster_issuer_name
- prometheus_internal_url = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url
- grafana_internal_url = dependency.eks-grafana.outputs.internal_endpoint.url
- grafana_namespace = dependency.eks-grafana.outputs.namespace
- grafana_public_url = dependency.eks-grafana.outputs.public_endpoint
- # grafana_secret_name = "grafana"
- grafana_secret_name = dependency.eks-grafana.outputs.secret_name
- jaeger_internal_url = ""
- namespace = include.root.inputs.namespaces["kiali"]
+ # Kiali Configuration
+ service_name = "kiali"
+ namespace = include.root.inputs.namespaces["kiali"]
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+ grafana_public_url = dependency.eks_grafana.outputs.public_endpoint
+ kiali_operator_version = include.root.inputs.kiali_operator_version
+ operator_namespace = dependency.eks_config.outputs.operator_namespace
- # client_id = var.sso_client_id
- # client_secret = var.sso_client_secret
- # keycloak_public_url = var.keycloak_public_url
- # gogatekeeper_chart_version = var.gogatekeeper_chart_version
- # gogatekeeper_registry = var.gogatekeeper_registry
- # gogatekeeper_repository = var.gogatekeeper_repository
- # gogatekeeper_tag = var.gogatekeeper_tag
+ prometheus_internal_url = dependency.eks_prometheus.outputs.internal_endpoint.url
+ # jager_internal_url = dependency.eks_prometheus.outputs.jager_internal_url
}
From b1c61af2892ebce7d0b32be58d745e61de63d9d4 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 18:02:17 -0500 Subject: [PATCH 19/57] update internal url ref --- .../vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
index 3d7c14a5..dffba300 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
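Review bot: `grafana_public_url = dependency.eks_grafana.outputs.public_endpoint` passes the whole endpoint object to an input named as a URL, while the mock a few lines up models `public_endpoint` as `{hostname, port_number, url}` and the sibling `grafana_internal_url` takes `.url`; unless the real output is a plain string this should be `grafana_public_url = dependency.eks_grafana.outputs.public_endpoint.url`. The mock keys also disagree with what `inputs` reads — `eks_config` mocks `operators_namespace` but the input reads `dependency.eks_config.outputs.operator_namespace`, and `eks_prometheus` mocks `prometheus_internal_url` while the input reads `internal_endpoint.url` — so a mocked `plan`/`validate` fails on an unknown attribute instead of exercising the config. `dependency "eks_istio"` is declared but nothing in `inputs` consumes it. Dropping `../eks-cert-manager` and the `certificate_issuer` input removes Kiali's only visible link to the cluster issuer; if the module still issues a TLS certificate for its ingress, confirm where the issuer now comes from, and if it no longer does, say so in the commit message.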
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
@@ -5,7 +5,7 @@ include "root" {
}
terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}"
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster"
extra_arguments "retry_lock" {
commands = get_terraform_commands_that_need_locking()
arguments = ["-lock-timeout=20s"]
@@ -103,8 +103,7 @@ inputs = {
grafana_public_url = dependency.eks_grafana.outputs.public_endpoint
kiali_operator_version = include.root.inputs.kiali_operator_version
- operator_namespace = dependency.eks_config.outputs.operator_namespace
- prometheus_internal_url = dependency.eks_prometheus.outputs.internal_endpoint.url
+ prometheus_internal_url = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
# jager_internal_url = dependency.eks_prometheus.outputs.jager_internal_url
}
From a3ace6989da8d752f7852152b26f3259b28b6bd7 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 20:03:32 -0500 Subject: [PATCH 20/57] fmt --- lab/_envcommon/default-versions.hcl | 3 +- .../eks-grafana/terragrunt.hcl | 2 +- .../eks-k8s-dashboard/terragrunt.hcl | 14 ++++- .../eks-kiali/terragrunt.hcl | 10 ++-- .../eks-postgresql/terragrunt.hcl | 56 +++++++++++++++++++ 5 files changed, 76 insertions(+), 9 deletions(-) create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index f2be7f67..73fc1aa6 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
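Review bot: `?ref=mcmCluster` puts this module back on a mutable branch one commit after it was moved to `${include.root.inputs.release_version}`, so Kiali is deployed from wherever `mcmCluster` currently points and a later `apply` can pull in unreviewed module changes. If the branch is needed while the module is in flux, pin it by commit (`?ref=<sha>`) with a comment naming the branch so the return to `release_version` is not forgotten. With `operator_namespace` removed in the second hunk, `dependency "eks_config"` no longer feeds any input visible in this file; drop the block or keep the input.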
@@ -28,11 +28,12 @@ locals {
cert-manager = "kube-system"
karpenter = "kube-system"
metrics-server = "kube-system"
+ postgresql = "kube-system"
+ keylcloak = "kube-system"
istio = "istio-system"
kiali = "istio-system"
grafana = local.telemetry_namespace
k8s-dashboard = local.telemetry_namespace
- kiali = local.telemetry_namespace
loki = local.telemetry_namespace
otel = local.telemetry_namespace
prometheus = local.telemetry_namespace
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl
index 24ac7ca4..2bc7484b 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl
@@ -59,5 +59,5 @@ inputs = {
download_dashboards_image_tag = include.root.inputs.download_dashboards_image_tag
init_chown_data_image_tag = include.root.inputs.init_chown_data_image_tag
namespace = include.root.inputs.namespaces["grafana"]
- service_name = "grafana"
+ service_name = "grafana"
}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl
index 61c1b716..c32546cd 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl
@@ -5,7 +5,7 @@ include "root" {
}
terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}"
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=mcmCluster"
extra_arguments "retry_lock" {
commands = get_terraform_commands_that_need_locking()
arguments = ["-lock-timeout=20s"]
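Review bot: `keylcloak = "kube-system"` is misspelled, so `include.root.inputs.namespaces["keycloak"]` in `eks-keycloak/terragrunt.hcl` hits a missing key and that unit fails at evaluation; the line should read `keycloak = "kube-system"`. Separately, putting a database (`postgresql`) and an identity provider (`keycloak`) into `kube-system` co-locates application workloads with cluster-critical components in a namespace that is usually exempt from Pod Security Admission and other admission policy, which widens their blast radius and makes namespace-scoped RBAC and NetworkPolicy harder to keep tight; a dedicated namespace per service is the safer default. Removing the duplicate `kiali` key is the right call.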
@@ -29,6 +29,15 @@ dependency "eks" {
}
}
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
inputs = {
# AWS Configuration
account_id = include.root.inputs.aws_account_id
@@ -36,10 +45,11 @@ inputs = {
region = include.root.inputs.aws_region
# Cluster Configuration
- cluster_domain = include.root.inputs.vpc_domain_name
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
cluster_name = dependency.eks.outputs.cluster_name
# Dashboard Configuration
+ service_name = include.root.inputs.dashboard_hostname
k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
namespace = include.root.inputs.namespaces["k8s-dashboard"]
}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
index dffba300..a3757cb9 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
@@ -58,13 +58,13 @@ dependency "eks_grafana" {
port_number = "80"
url = "https://grafana.mock.svc.cluster.local:80/"
}
- namespace = "grafana"
- public_endpoint = {
+ namespace = "grafana"
+ public_endpoint = {
hostname = "grafana.mock.lab.csp2.census.gov"
port_number = "80"
url = "https://grafana.mock.lab.csp2.census.gov:80/"
}
- secret_name = "grafana"
+ secret_name = "grafana"
}
}
@@ -95,8 +95,8 @@ inputs = {
cluster_name = dependency.eks.outputs.cluster_name
# Kiali Configuration
- service_name = "kiali"
- namespace = include.root.inputs.namespaces["kiali"]
+ service_name = "kiali"
+ namespace = include.root.inputs.namespaces["kiali"]
grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
grafana_namespace = dependency.eks_grafana.outputs.namespace
grafana_secret_name = dependency.eks_grafana.outputs.secret_name
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl
new file mode 100644
index 00000000..1ccfd902
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl
@@ -0,0 +1,56 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-postgresql.git?ref=main"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns"
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # PostgreSQL Configuration
+ service_name = include.root.inputs.postgresql_name
+ postgresql_version = include.root.inputs.postgresql_version
+
+ namespace = include.root.inputs.namespaces["postgresql"]
+}
From 7ed43dee9d34b93793a97a1f68f67c2e1997ae20 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 20:42:06 -0500 Subject: [PATCH 21/57] versions --- lab/_envcommon/default-versions.hcl | 10 ++++++++++ .../eks-loki/terragrunt.hcl | 4 ++-- .../eks-postgresql/terragrunt.hcl | 18 +++++++++++++++--- 3 files changed, 27 insertions(+), 5 deletions(-)
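Review bot: `?ref=main` hard-codes a mutable branch for `tfmod-postgresql` while the sibling units take their ref from `${include.root.inputs.release_version}`; use the same interpolation (or a commit SHA) so this module is pinned and bumped with the rest. The `eks` dependency's `mock_outputs` uses the live `include.root.inputs.cluster_name` where the other units use a literal like `"mock-cluster"`, which makes a mocked plan look as if it targets the real cluster; prefer the literal. `include.root.inputs.postgresql_name` and `postgresql_version` do not appear among the `default-versions.hcl` locals added in the commits visible here, so confirm they exist or this unit fails at evaluation.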
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index 73fc1aa6..6356008a 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
@@ -111,6 +111,16 @@ locals {
metrics_server_helm_chart = "3.12.1"
metrics_server_tag = "v0.7.1"
+ ################
+ # PostgreSQL
+ ################
+ os_shell_tag = "12"
+ postgres_exporter_tag = "0.16.0"
+ postgresql_repmgr_tag = "17.4.0"
+ pgpool_tag = "4.5.5"
+ postgresql_chart_version = "15.3.0"
+ postgresql_tag = "17.4.0"
+
################
# Prometheus
################
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
index eb76fd63..55d3830e 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
@@ -22,7 +22,7 @@ dependency "eks" {
}
}
-dependency "eks-config" {
+dependency "eks_config" {
config_path = "../eks-config"
mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
mock_outputs = {
@@ -52,5 +52,5 @@ inputs = {
loki_chart_version = include.root.inputs.loki_chart_version
loki_tag = include.root.inputs.loki_tag
namespace = include.root.inputs.namespaces["loki"]
- rwo_storage_class = dependency.eks-config.outputs.rwo_storage_class
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl
index 8c61965f..eabc5032 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl
@@ -29,6 +29,14 @@ dependency "eks" {
}
}
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
dependency "eks_dns" {
config_path = "../eks-dns"
mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
@@ -47,10 +55,14 @@ inputs = {
# Cluster Configuration
cluster_domain = dependency.eks_dns.outputs.cluster_domain
cluster_name = dependency.eks.outputs.cluster_name
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
# PostgreSQL Configuration
- service_name = include.root.inputs.postgresql_name
- postgresql_version = include.root.inputs.postgresql_version
-
+ service_name = "postgresql"
+ os_shell_tag = include.root.inputs.os_shell_tag
+ postgres_exporter_tag = include.root.inputs.postgres_exporter_tag
+ postgresql_tag = include.root.inputs.postgresql_tag
+ postgresql_repmgr_tag = include.root.inputs.postgresql_repmgr_tag
+ pgpool_tag = include.root.inputs.pgpool_tag
namespace = include.root.inputs.namespaces["postgresql"]
}
From 282958121eeab8687945ae07a11c5a011bd0ee04 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 23:26:15 -0500 Subject: [PATCH 22/57] more wip: --- lab/_envcommon/default-versions.hcl | 22 +++++++----- .../eks-keycloak/terragrunt.hcl | 36 ++++++++++++------- .../eks-postgresql/terragrunt.hcl | 14 ++++---- 3 files changed, 45 insertions(+), 27 deletions(-)
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index 6356008a..d20e4af3 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
@@ -29,7 +29,7 @@ locals {
karpenter = "kube-system"
metrics-server = "kube-system"
postgresql = "kube-system"
- keylcloak = "kube-system"
+ keycloak = "kube-system"
istio = "istio-system"
kiali = "istio-system"
grafana = local.telemetry_namespace
@@ -62,7 +62,7 @@ locals {
cert_manager_controller_tag = "v${local.cert_manager_version}"
cert_manager_helm_chart = "${local.cert_manager_version}"
cert_manager_startupapicheck_tag = "v${local.cert_manager_version}"
- cert_manager_version = "1.16.3"
+ cert_manager_version = "1.16.4"
cert_manager_webhook_tag = "v${local.cert_manager_version}"
################
@@ -77,7 +77,6 @@ locals {
download_dashboards_image_tag = "7.85.0"
grafana_chart_version = "8.8.5"
grafana_hostname = "grafana"
- grafana_namespace = "grafana"
grafana_tag = "11.4.0"
init_chown_data_image_tag = "1.31.1"
@@ -87,6 +86,13 @@ locals {
karpenter_helm_chart = "1.1.1"
karpenter_tag = "1.1.1"
+ ################
+ # Keycloak
+ ################
+ keycloak_chart_version = "24.4.10"
+ keycloak_tag = "26.1.2"
+ keycloak_hostname = "keycloak"
+
################
# Kiali
################
@@ -114,12 +120,12 @@ locals {
################
# PostgreSQL
################
- os_shell_tag = "12"
- postgres_exporter_tag = "0.16.0"
- postgresql_repmgr_tag = "17.4.0"
- pgpool_tag = "4.5.5"
+ os_shell_tag = "12"
+ postgres_exporter_tag = "0.16.0"
+ postgresql_repmgr_tag = "17.4.0"
+ pgpool_tag = "4.5.5"
postgresql_chart_version = "15.3.0"
- postgresql_tag = "17.4.0"
+ postgresql_tag = "17.4.0"
################
# Prometheus
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
index 74573fa0..f221a4b2 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
@@ -21,7 +21,7 @@ dependency "eks" {
}
}
-dependency "eks-config" {
+dependency "eks_config" {
config_path = "../eks-config"
mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
mock_outputs = {
@@ -29,6 +29,15 @@ dependency "eks-config" {
}
}
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
dependencies {
paths = [
"../eks",
@@ -41,24 +50,27 @@ dependencies {
inputs = {
admin_email = include.root.inputs.cluster_mailing_list
- cluster_domain = include.root.inputs.vpc_domain_name
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
cluster_name = dependency.eks.outputs.cluster_name
- environment = include.root.inputs.environment
namespace = include.root.inputs.namespaces["keycloak"]
profile = include.root.inputs.aws_profile
region = include.root.inputs.aws_region
# keycloak config
- keycloak_hostname = include.root.inputs.keycloak_hostname
- keycloak_tag = include.root.inputs.keycloak_tag
- keycloak_version = include.root.inputs.keycloak_chart_version
- default_storage_class = dependency.eks-config.outputs.rwo_storage_class
+ keycloak_hostname = include.root.inputs.keycloak_hostname
+ keycloak_tag = include.root.inputs.keycloak_tag
+ keycloak_chart_version = include.root.inputs.keycloak_chart_version
+ default_storage_class = dependency.eks_config.outputs.rwo_storage_class
+ service_name = "keycloak"
+ telemetry_namespace = include.root.inputs.telemetry_namespace
+
+ # # Database configuration
+ postgresql_host = dependency.eks_postgresql.outputs.internal_endpoint.url
- # Database configuration
- db_engine = "aurora-postgresql"
- db_instance_type = "db.t4g.medium"
- db_name = "keycloak"
- db_user = "keycloak"
+ db_engine = "postgresql"
+ # db_instance_type = "db.t4g.medium"
+ db_name = "keycloak_db"
+ db_user = "keycloak"
# Project information
project_name = include.root.inputs.project_name
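Review bot: `postgresql_host = dependency.eks_postgresql.outputs.internal_endpoint.url` references a dependency this file does not declare — there is no `dependency "eks_postgresql"` block and nothing in this commit adds `../eks-postgresql` to `dependencies.paths` — so Terragrunt rejects the unit and `run-all` ordering would not wait for the database. Add the block with `config_path = "../eks-postgresql"` and a `mock_outputs` entry for `internal_endpoint`, and list the path in `dependencies`. The new `# # Database configuration` comment has a doubled `#`, and an input named `_host` receives a full `url`; pick one so the module does not have to parse it.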
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl index 8c61965f..eabc5032 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl @@ -53,16 +53,16 @@ inputs = { region = include.root.inputs.aws_region # Cluster Configuration - cluster_domain = dependency.eks_dns.outputs.cluster_domain - cluster_name = dependency.eks.outputs.cluster_name + cluster_domain = dependency.eks_dns.outputs.cluster_domain + cluster_name = dependency.eks.outputs.cluster_name rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class # PostgreSQL Configuration - service_name = "postgresql" - os_shell_tag = include.root.inputs.os_shell_tag + service_name = "postgresql" + os_shell_tag = include.root.inputs.os_shell_tag postgres_exporter_tag = include.root.inputs.postgres_exporter_tag - postgresql_tag = include.root.inputs.postgresql_tag + postgresql_tag = include.root.inputs.postgresql_tag postgresql_repmgr_tag = include.root.inputs.postgresql_repmgr_tag - pgpool_tag = include.root.inputs.pgpool_tag - namespace = include.root.inputs.namespaces["postgresql"] + pgpool_tag = include.root.inputs.pgpool_tag + namespace = include.root.inputs.namespaces["postgresql"] } From b6896352f48b966ef9a34f1386b477c02e8ad52f Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 23:51:21 -0500 Subject: [PATCH 23/57] keycloak wip --- lab/_envcommon/default-versions.hcl | 3 ++ .../eks-keycloak/terragrunt.hcl | 29 ++++++++++++------- .../eks-postgresql/terragrunt.hcl | 5 ++++ 3 files changed, 27 insertions(+), 10 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index d20e4af3..14cd5804 100644 --- a/lab/_envcommon/default-versions.hcl 
+++ b/lab/_envcommon/default-versions.hcl
@@ -92,6 +92,9 @@ locals {
keycloak_chart_version = "24.4.10"
keycloak_tag = "26.1.2"
keycloak_hostname = "keycloak"
+ postgresql_database = "keycloak_db"
+ postgresql_username = "keycloak_user"
+ postgresql_password = "secure_password"
################
# Kiali
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
index f221a4b2..8be8f8ba 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
@@ -38,13 +38,24 @@ dependency "eks_dns" {
}
}
+dependency "eks_postgresql" {
+ config_path = "../eks-postgresql"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ internal_endpoint {
+ url = "mock-internal-endpoint-url"
+ }
+ }
+}
+
dependencies {
paths = [
"../eks",
"../eks-config",
"../eks-dns",
"../eks-karpenter",
- "../eks-prometheus"
+ "../eks-postgresql",
+ "../eks-prometheus",
]
}
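Review bot: `postgresql_password = "secure_password"` commits a database credential in plaintext to a shared versions file that every environment under `lab/` includes, and the same value is then handed to both the PostgreSQL provisioner and Keycloak, so anyone with read access to this repository or its history holds the Keycloak database password even after the line is removed. Resolve it at plan time from a secret store instead — e.g. `postgresql_password = get_env("KEYCLOAK_DB_PASSWORD")` or a `sops_decrypt_file()`/SSM-backed lookup — and treat the literal as compromised: rotate it and purge it from history before this branch merges. `postgresql_database` and `postgresql_username` are not secrets and can stay, but a password should not share a file with version pins.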
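Review bot: `internal_endpoint {` inside `mock_outputs` is block syntax, but `mock_outputs` is an attribute holding an object, so this must be `internal_endpoint = {` or Terragrunt fails to parse the dependency. Adding `../eks-postgresql` to `dependencies.paths` in the same hunk is correct and is what makes `run-all` wait for the database before Keycloak.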
@@ -57,20 +68,18 @@ inputs = { region = include.root.inputs.aws_region # keycloak config + default_storage_class = dependency.eks_config.outputs.rwo_storage_class + keycloak_chart_version = include.root.inputs.keycloak_chart_version keycloak_hostname = include.root.inputs.keycloak_hostname keycloak_tag = include.root.inputs.keycloak_tag - keycloak_chart_version = include.root.inputs.keycloak_chart_version - default_storage_class = dependency.eks_config.outputs.rwo_storage_class service_name = "keycloak" telemetry_namespace = include.root.inputs.telemetry_namespace - # # Database configuration - postgresql_host = dependency.eks_postgresql.outputs.internal_endpoint.url - - db_engine = "postgresql" - # db_instance_type = "db.t4g.medium" - db_name = "keycloak_db" - db_user = "keycloak" + # Database configuration + db_host = dependency.eks_postgresql.outputs.internal_endpoint.url + db_name = include.root.inputs.postgresql_database + db_password = include.root.inputs.postgresql_password + db_user = include.root.inputs.postgresql_username # Project information project_name = include.root.inputs.project_name diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl index eabc5032..209b827f 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl @@ -65,4 +65,9 @@ inputs = { postgresql_repmgr_tag = include.root.inputs.postgresql_repmgr_tag pgpool_tag = include.root.inputs.pgpool_tag namespace = include.root.inputs.namespaces["postgresql"] + + # Database Consumer Configuration + postgresql_database = include.root.inputs.postgresql_database + postgresql_username = include.root.inputs.postgresql_username + postgresql_password = include.root.inputs.postgresql_password } 
From e7b8b993ebb686f055f88a4bdef0508faa4b4304 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 28 Feb 2025 12:47:07 -0500 Subject: [PATCH 24/57] update prom internal url input value --- .../eks-keycloak/terragrunt.hcl | 2 +- .../platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 6 +++++- .../eks-postgresql/terragrunt.hcl | 13 ++++++++----- 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index 8be8f8ba..fc0d1ab7 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl @@ -42,7 +42,7 @@ dependency "eks_postgresql" { config_path = "../eks-postgresql" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - internal_endpoint { + internal_endpoint = { url = "mock-internal-endpoint-url" } } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index a3757cb9..c36c773c 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -80,7 +80,11 @@ dependency "eks_prometheus" { config_path = "../eks-prometheus" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - prometheus_internal_url = "mock-internal-url" + prometheus_server_internal_endpoint = { + hostname = "prometheus.mock.svc.cluster.local" + port_number = "80" + url = "https://prometheus.mock.svc.cluster.local:80/" + } } } 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl index 209b827f..4429d04a 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl @@ -16,7 +16,8 @@ dependencies { paths = [ "../eks", "../eks-config", - "../eks-dns" + "../eks-dns", + "../eks-prometheus", ] } @@ -58,16 +59,18 @@ inputs = { rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class # PostgreSQL Configuration - service_name = "postgresql" + namespace = include.root.inputs.namespaces["postgresql"] os_shell_tag = include.root.inputs.os_shell_tag + pgpool_tag = include.root.inputs.pgpool_tag postgres_exporter_tag = include.root.inputs.postgres_exporter_tag - postgresql_tag = include.root.inputs.postgresql_tag postgresql_repmgr_tag = include.root.inputs.postgresql_repmgr_tag - pgpool_tag = include.root.inputs.pgpool_tag - namespace = include.root.inputs.namespaces["postgresql"] + postgresql_tag = include.root.inputs.postgresql_tag + service_name = "postgresql" + telemetry_namespace = include.root.inputs.telemetry_namespace # Database Consumer Configuration postgresql_database = include.root.inputs.postgresql_database postgresql_username = include.root.inputs.postgresql_username postgresql_password = include.root.inputs.postgresql_password + } From 09dbab44903918eef616319d01670b2d4612324c Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 28 Feb 2025 12:54:47 -0500 Subject: [PATCH 25/57] test changes on prom --- .../vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl index fd546b15..76650e5e 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From 4d9a2940c049289db2eaf059cb524b7228af5ae8 Mon Sep 17 00:00:00 2001 
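Review bot: The module source now points at the mutable branch `mcmCluster` instead of `${include.root.inputs.release_version}`, so what this stack deploys can change with no change to this repository and the deployment is not reproducible. The commit title says this is a test, but the same pattern appears in files created in PATCH 26 (eks-k8s-dashboard and eks-kiali use `ref=mcmCluster`, eks-keycloak uses `ref=standards`), so it is drifting into the baseline. Pin to a tag or commit SHA, or restore `?ref=${include.root.inputs.release_version}` once the branch is merged; the enclosing `terraform` block continues outside the hunk.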
From: Srini Nangunuri Date: Fri, 28 Feb 2025 17:32:25 -0500 Subject: [PATCH 26/57] deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn --- .../vpc/platform-eng-eks-srn/cluster.hcl | 28 +++++ .../eks-cert-manager/terragrunt.hcl | 57 +++++++++ .../eks-config/terragrunt.hcl | 54 +++++++++ .../eks-dns/terragrunt.hcl | 60 ++++++++++ .../eks-grafana/terragrunt.hcl | 63 ++++++++++ .../eks-istio/terragrunt.hcl | 44 +++++++ .../eks-k8s-dashboard/terragrunt.hcl | 55 +++++++++ .../eks-karpenter/terragrunt.hcl | 50 ++++++++ .../eks-keycloak/terragrunt.hcl | 87 ++++++++++++++ .../eks-kiali/terragrunt.hcl | 113 ++++++++++++++++++ .../eks-kiali/terragrunt.hcl.disabled | 108 +++++++++++++++++ .../eks-loki/terragrunt.hcl | 56 +++++++++ .../eks-metrics-server/terragrunt.hcl | 43 +++++++ .../eks-postgresql/terragrunt.hcl | 76 ++++++++++++ .../eks-prometheus/README.md | 0 .../eks-prometheus/terragrunt.hcl | 61 ++++++++++ .../eks-tempo/terragrunt.hcl | 66 ++++++++++ .../platform-eng-eks-srn/eks/terragrunt.hcl | 28 +++++ .../vpc/platform-eng-eks-test/cluster.hcl | 20 ---- .../eks-cert-manager/terragrunt.hcl | 40 ------- .../eks-config/terragrunt.hcl | 42 ------- .../eks-dns/terragrunt.hcl | 42 ------- .../eks-grafana/terragrunt.hcl | 40 ------- .../eks-istio/terragrunt.hcl | 32 ----- .../eks-k8s-dashboard/terragrunt.hcl | 36 ------ .../eks-karpenter/terragrunt.hcl | 43 ------- .../eks-kiali/terragrunt.hcl.disable | 81 ------------- .../eks-loki/terragrunt.hcl | 44 ------- .../eks-metrics-server/terragrunt.hcl | 33 ----- .../eks-prometheus/terragrunt.hcl | 38 ------ .../eks-tempo/terragrunt.hcl | 46 ------- .../platform-eng-eks-test/eks/terragrunt.hcl | 56 --------- 32 files changed, 1049 insertions(+), 593 deletions(-) create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/cluster.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-cert-manager/terragrunt.hcl create mode 100644 
lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-config/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-dns/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-grafana/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-istio/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-k8s-dashboard/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-karpenter/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl.disabled create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-loki/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-metrics-server/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-postgresql/terragrunt.hcl rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-test => platform-eng-eks-srn}/eks-prometheus/README.md (100%) create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/cluster.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-cert-manager/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-config/terragrunt.hcl delete mode 100644 
lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-dns/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-grafana/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-istio/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-k8s-dashboard/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-karpenter/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-kiali/terragrunt.hcl.disable delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-loki/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-metrics-server/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-prometheus/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-tempo/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/cluster.hcl new file mode 100644 index 00000000..656de00e --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/cluster.hcl 
@@ -0,0 +1,28 @@
+locals {
+ # Cluster specific configuration
+ cluster_endpoint_public_access = true
+ cluster_name = "platform-eng-eks-srn"
+ cluster_mailing_list = "srinivasa.nangunuri@census.gov"
+ eks_instance_disk_size = 100
+ eks_ng_desired_size = 2
+ eks_ng_max_size = 10
+ eks_ng_min_size = 2
+ enable_cluster_creator_admin_permissions = true
+ tags = {
+ "slim:schedule" = "8:00-17:00"
+ "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
+ }
+
+ # Common configuration
+ common_retry_args = {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20m"]
+ }
+
+ common_dependencies = ["../eks", "../eks-config"]
+
+ common_mock_eks = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-cert-manager/terragrunt.hcl
new file mode 100644
index 00000000..d1e69d00
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-cert-manager/terragrunt.hcl
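Review bot: `cluster_endpoint_public_access = true` exposes the EKS API endpoint to the internet; unless the eks module narrows the permitted source CIDRs (not visible here), the control plane is reachable from anywhere and relies on authentication alone, so prefer a private endpoint or an explicit allow-list and add a comment stating why public access is needed for this lab cluster. `enable_cluster_creator_admin_permissions = true` likewise grants the creating principal cluster-admin; it is convenient for bootstrapping but deserves a comment that it is intentional. Separately, `common_retry_args`, `common_dependencies` and `common_mock_eks` are defined here but none of the new module files in this commit reference them — each repeats its own `extra_arguments "retry_lock"` with `-lock-timeout=20s` while this local says `20m` — so either wire the locals in or drop them to avoid two sources of truth.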
@@ -0,0 +1,57 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-karpenter"
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ cluster_version = include.root.inputs.cluster_version
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ cluster_mailing_list = include.root.inputs.cluster_mailing_list
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Cert Manager Configuration
+ cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
+ cluster_issuer_name = include.root.inputs.cluster_issuer_name
+ namespace = include.root.inputs.namespaces["cert-manager"]
+
+ # Version Tags
+ cert_manager_cainjector_tag = include.root.inputs.cert_manager_cainjector_tag
+ cert_manager_controller_tag = include.root.inputs.cert_manager_controller_tag
+ cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
+ cert_manager_webhook_tag = include.root.inputs.cert_manager_webhook_tag
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-config/terragrunt.hcl
new file mode 100644
index 00000000..c1328ee7
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-config/terragrunt.hcl
@@ -0,0 +1,54 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-karpenter"
+ ]
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ cluster_certificate_authority_data = [{ data = "mock-cert-data" }]
+ eks_managed_node_groups_autoscaling_group_names = ["mock-asg-name"]
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ security_group_all_worker_mgmt_id = "sg-mock"
+ subnets = ["subnet-mock1", "subnet-mock2"]
+ vpc_id = "vpc-mock"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+ security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
+ subnets = dependency.eks.outputs.subnets
+ vpc_id = dependency.eks.outputs.vpc_id
+ operators_ns = include.root.inputs.operator_namespace
+ telemetry_ns = include.root.inputs.telemetry_namespace
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-dns/terragrunt.hcl
new file mode 100644
index 00000000..2bf9b72f
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-dns/terragrunt.hcl
@@ -0,0 +1,60 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ subnets = ["subnet-mock1", "subnet-mock2", "subnet-mock3"]
+ }
+}
+
+dependency "eks-istio" {
+ config_path = "../eks-istio"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ istio_ingress_lb = {
+ dns_name = "mock-${include.root.inputs.cluster_name}.elb.amazonaws.com"
+ zone_id = "MOCKZONEID"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks-config",
+ "../eks-istio",
+ "../eks-karpenter"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = include.root.inputs.cluster_name
+
+ # Network Configuration
+ istio_ingress_lb = dependency.eks-istio.outputs.istio_ingress_lb
+ route53_endpoints = include.root.inputs.route53_endpoints
+ vpc_domain_name = include.root.inputs.vpc_domain_name
+ vpc_name = include.root.inputs.vpc_name
+
+ # Additional Configuration
+ tags = include.root.inputs.tags
+}
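Review bot: `dependency "eks"` is declared with mock outputs but none of its outputs are read in `inputs` (`cluster_name` comes from `include.root.inputs.cluster_name`), while `dependencies.paths` lists `../eks-istio` but not `../eks`, so the declared dependency and the ordering list disagree. Either read `dependency.eks.outputs.cluster_name` as the other new files do, or drop the unused block. The label `eks-istio` also breaks the underscore convention (`eks_config`, `eks_dns`, `eks_loki`) used by the sibling files; `dependency "eks_istio"` with `dependency.eks_istio.outputs.istio_ingress_lb` would keep them consistent.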
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-grafana/terragrunt.hcl
new file mode 100644
index 00000000..2bc7484b
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-grafana/terragrunt.hcl
@@ -0,0 +1,63 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_loki" {
+ config_path = "../eks-loki"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mocked"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-karpenter",
+ "../eks-loki"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ cluster_domain = include.root.inputs.vpc_domain_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Storage Configuration
+ rwo_storage_class = dependency.eks_loki.outputs.rwo_storage_class
+
+ # Grafana Configuration
+ grafana_chart_version = include.root.inputs.grafana_chart_version
+ grafana_tag = include.root.inputs.grafana_tag
+ download_dashboards_image_tag = include.root.inputs.download_dashboards_image_tag
+ init_chown_data_image_tag = include.root.inputs.init_chown_data_image_tag
+ namespace = include.root.inputs.namespaces["grafana"]
+ service_name = "grafana"
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-istio/terragrunt.hcl
new file mode 100644
index 00000000..1c312166
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-istio/terragrunt.hcl
@@ -0,0 +1,44 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config"
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Istio Configuration
+ namespace = include.root.inputs.namespaces["istio"]
+ istio_version = include.root.inputs.istio_version
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-k8s-dashboard/terragrunt.hcl
new file mode 100644
index 00000000..c32546cd
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-k8s-dashboard/terragrunt.hcl
@@ -0,0 +1,55 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=mcmCluster"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns"
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Dashboard Configuration
+ service_name = include.root.inputs.dashboard_hostname
+ k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
+ namespace = include.root.inputs.namespaces["k8s-dashboard"]
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-karpenter/terragrunt.hcl
new file mode 100644
index 00000000..7c2ff2db
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-karpenter/terragrunt.hcl
@@ -0,0 +1,50 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = ["../eks"]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ node_group_name = "mock-node-group"
+ vpc_id = "vpc-mock"
+ subnets = ["subnet-mock1", "subnet-mock2"]
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_endpoint = dependency.eks.outputs.cluster_endpoint
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Karpenter Configuration
+ karpenter_tag = include.root.inputs.karpenter_tag
+ karpenter_helm_chart = include.root.inputs.karpenter_helm_chart
+ karpenter_node_group_name = dependency.eks.outputs.node_group_name
+ namespace = include.root.inputs.namespaces["karpenter"]
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl
new file mode 100644
index 00000000..fc0d1ab7
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl
@@ -0,0 +1,87 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=standards"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_postgresql" {
+ config_path = "../eks-postgresql"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ internal_endpoint = {
+ url = "mock-internal-endpoint-url"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-karpenter",
+ "../eks-postgresql",
+ "../eks-prometheus",
+ ]
+}
+
+inputs = {
+ admin_email = include.root.inputs.cluster_mailing_list
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ namespace = include.root.inputs.namespaces["keycloak"]
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # keycloak config
+ default_storage_class = dependency.eks_config.outputs.rwo_storage_class
+ keycloak_chart_version = include.root.inputs.keycloak_chart_version
+ keycloak_hostname = include.root.inputs.keycloak_hostname
+ keycloak_tag = include.root.inputs.keycloak_tag
+ service_name = "keycloak"
+ telemetry_namespace = include.root.inputs.telemetry_namespace
+
+ # Database configuration
+ db_host = dependency.eks_postgresql.outputs.internal_endpoint.url
+ db_name = include.root.inputs.postgresql_database
+ db_password = include.root.inputs.postgresql_password
+ db_user = include.root.inputs.postgresql_username
+
+ # Project information
+ project_name = include.root.inputs.project_name
+ tags = include.root.inputs.tags
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl
new file mode 100644
index 00000000..c36c773c
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl
@@ -0,0 +1,113 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-grafana",
+ "../eks-istio",
+ "../eks-prometheus"
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ operators_namespace = "mock-namespace"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_grafana" {
+ config_path = "../eks-grafana"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ internal_endpoint = {
+ hostname = "grafana.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://grafana.mock.svc.cluster.local:80/"
+ }
+ namespace = "grafana"
+ public_endpoint = {
+ hostname = "grafana.mock.lab.csp2.census.gov"
+ port_number = "80"
+ url = "https://grafana.mock.lab.csp2.census.gov:80/"
+ }
+ secret_name = "grafana"
+ }
+}
+
+dependency "eks_istio" {
+ config_path = "../eks-istio"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ namespace = "mock-namespace-istio"
+ }
+}
+
+dependency "eks_prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://prometheus.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Kiali Configuration
+ service_name = "kiali"
+ namespace = include.root.inputs.namespaces["kiali"]
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+ grafana_public_url = dependency.eks_grafana.outputs.public_endpoint
+
+ kiali_operator_version = include.root.inputs.kiali_operator_version
+
+ prometheus_internal_url = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
+ # jager_internal_url = dependency.eks_prometheus.outputs.jager_internal_url
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl.disabled b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl.disabled
new file mode 100644
index 00000000..a06c6e68
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl.disabled
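Review bot: `grafana_public_url = dependency.eks_grafana.outputs.public_endpoint` passes the whole endpoint object, whereas the parallel `grafana_internal_url = ...internal_endpoint.url` line, the mock (which makes `public_endpoint` a map with `hostname`/`port_number`/`url`) and the `.disabled` variant of this file all use `.url`. Unless the `mcmCluster` branch of tfmod-kiali changed that variable to an object type, this will fail type-checking at plan time or hand Kiali a map where it expects a URL string; `grafana_public_url = dependency.eks_grafana.outputs.public_endpoint.url` matches the rest of the file. The mock `url` values also pair `https://` with port `80`, which is harmless for mocks but misleading if anyone copies them into real outputs.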
@@ -0,0 +1,108 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-grafana",
+ "../eks-istio",
+ "../eks-prometheus"
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks-config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ operators_namespace = "mock-namespace"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_grafana" {
+ config_path = "../eks-grafana"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ internal_endpoint = {
+ hostname = "grafana.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://grafana.mock.svc.cluster.local:80/"
+ }
+ namespace = "grafana"
+ public_endpoint = {
+ hostname = "grafana.mock.lab.csp2.census.gov"
+ port_number = "80"
+ url = "https://grafana.mock.lab.csp2.census.gov:80/"
+ }
+ secret_name = "grafana"
+ }
+}
+
+dependency "eks_istio" {
+ config_path = "../eks-istio"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ namespace = 
"mock-namespace-istio" + } +} + +dependency "eks_prometheus" { + config_path = "../eks-prometheus" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + prometheus_internal_url = "mock-internal-url" + } +} + +inputs = { + # AWS Configuration + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + + # Cluster Configuration + cluster_domain = dependency.eks_dns.outputs.cluster_domain + cluster_name = dependency.eks.outputs.cluster_name + + # Kiali Configuration + grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url + grafana_namespace = dependency.eks_grafana.outputs.namespace + grafana_secret_name = dependency.eks_grafana.outputs.secret_name + grafana_public_url = dependency.eks_grafana.outputs.public_endpoint.url + + kiali_operator_version = include.root.inputs.kiali_operator_version + operators_namespace = dependency.eks-config.outputs.operators_namespace + + prometheus_internal_url = dependency.eks_prometheus.outputs.internal_endpoint + jager_internal_url = dependency.eks_prometheus.outputs.jager_internal_url +} diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-loki/terragrunt.hcl new file mode 100644 index 00000000..55d3830e --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-loki/terragrunt.hcl 
@@ -0,0 +1,56 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-metrics-server",
+ "../eks-dns"
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Loki Configuration
+ loki_chart_version = include.root.inputs.loki_chart_version
+ loki_tag = include.root.inputs.loki_tag
+ namespace = include.root.inputs.namespaces["loki"]
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-metrics-server/terragrunt.hcl
new file mode 100644
index 00000000..5e520aad
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-metrics-server/terragrunt.hcl
@@ -0,0 +1,43 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config"
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ }
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Metrics Server Configuration
+ metrics_server_helm_chart = include.root.inputs.metrics_server_helm_chart
+ metrics_server_tag = include.root.inputs.metrics_server_tag
+ namespace = include.root.inputs.namespaces["metrics-server"]
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-postgresql/terragrunt.hcl
new file mode 100644
index 00000000..4429d04a
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-postgresql/terragrunt.hcl
@@ -0,0 +1,76 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-postgresql.git?ref=main"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-prometheus",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+
+ # PostgreSQL Configuration
+ namespace = include.root.inputs.namespaces["postgresql"]
+ os_shell_tag = include.root.inputs.os_shell_tag
+ pgpool_tag = include.root.inputs.pgpool_tag
+ postgres_exporter_tag = include.root.inputs.postgres_exporter_tag
+ postgresql_repmgr_tag = include.root.inputs.postgresql_repmgr_tag
+ postgresql_tag = include.root.inputs.postgresql_tag
+ 
service_name = "postgresql"
+ telemetry_namespace = include.root.inputs.telemetry_namespace
+
+ # Database Consumer Configuration
+ postgresql_database = include.root.inputs.postgresql_database
+ postgresql_username = include.root.inputs.postgresql_username
+ postgresql_password = include.root.inputs.postgresql_password
+
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-prometheus/README.md b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/README.md
similarity index 100%
rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-prometheus/README.md
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/README.md
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/terragrunt.hcl
new file mode 100644
index 00000000..76650e5e
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/terragrunt.hcl
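Review bot: `postgresql_password = include.root.inputs.postgresql_password` routes the database credential through root inputs, and nothing here shows where root.hcl obtains it; if it is a literal there it is committed to git, and either way it ends up in this stack's plan output and Terraform state, so the state backend's encryption and access policy become the control protecting it. It is worth confirming the tfmod-postgresql module declares that variable with `sensitive = true` so plan and apply logs redact it, and preferring a source that does not live in the repository (an environment variable read with `get_env()`, or a secrets-manager lookup inside the module). A short comment on the `# Database Consumer Configuration` block stating where the credential is expected to come from would save the next reader the same question.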
@@ -0,0 +1,61 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=mcmCluster"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-metrics-server",
+ "../eks-dns"
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks-config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-encyrpted"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Prometheus Configuration
+ prometheus_chart_version = include.root.inputs.prometheus_chart_version
+ prometheus_server_tag = include.root.inputs.prometheus_server_tag
+ prometheus_config_reloader_tag = include.root.inputs.prometheus_config_reloader_tag
+ alertmanager_tag = include.root.inputs.alertmanager_tag
+ kube_state_metrics_tag = include.root.inputs.kube_state_metrics_tag
+ namespace = include.root.inputs.namespaces["prometheus"]
+ node_exporter_tag = include.root.inputs.node_exporter_tag
+ pushgateway_tag = include.root.inputs.pushgateway_tag
+ rwo_storage_class = dependency.eks-config.outputs.rwo_storage_class
+}
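Review bot: `rwo_storage_class = "gp3-encyrpted"` in the `eks-config` mock misspells "encrypted"; a mock value is only used while eks-config has no outputs yet, but a value that looks like a real storage class name can be mistaken for one in plan output, and the eks-loki and eks-postgresql stacks in this series mock the same output as `"gp3-mock"`. Suggest `rwo_storage_class = "gp3-mock"` here for consistency. Style: the block is named `dependency "eks-config"` and read as `dependency.eks-config.outputs.rwo_storage_class`, while eks-loki and eks-postgresql use `eks_config`; picking one form across the cluster's stacks avoids subtle copy-paste breakage when blocks are moved between them.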
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl
new file mode 100644
index 00000000..dff1b330
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl
@@ -0,0 +1,66 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=keycloak"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks-prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_namespace = "prometheus"
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus-server.prometheus.svc.cluster.local"
+ port_number = 9090
+ url = "http://prometheus-server.prometheus.svc.cluster.local:9090/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-karpenter",
+ "../eks-prometheus"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Prometheus Configuration
+ prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace
+ prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number
+
+ # Tempo Configuration
+ tempo_chart_version = include.root.inputs.tempo_chart_version
+ tempo_tag = include.root.inputs.tempo_tag
+ namespace = include.root.inputs.namespaces["tempo"]
+
+}
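Review bot: `dependencies { paths = [...] }` lists `"../eks-karpenter"`, but no eks-karpenter stack for platform-eng-eks-srn is added in the visible part of this series (the only one touched is the platform-eng-eks-test copy, which is deleted); if that directory does not exist under the srn cluster, `run-all` will fail to build the dependency graph, so confirm it exists or drop the entry. The `eks-prometheus` mock sets `port_number = 9090` as a number while the grafana mocks in the sibling stacks use `"80"` as a string; `prometheus_port` will take whichever type the real output has, so the mock's type should match the module's output to keep plan-time and apply-time types the same. Minor style: the block is `dependency "eks-prometheus"` here while the srn eks-kiali file uses `eks_prometheus`.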
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks/terragrunt.hcl
new file mode 100644
index 00000000..9eca1de2
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks/terragrunt.hcl
@@ -0,0 +1,28 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_name = include.root.inputs.cluster_name
+ cluster_version = include.root.inputs.cluster_version
+
+ # Additional Configuration
+ tags = include.root.inputs.tags
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/cluster.hcl
deleted file mode 100644
index 8d2831cf..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/cluster.hcl
+++ /dev/null
@@ -1,20 +0,0 @@
-# lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
-
-# Set cluster specific variables. These are automatically pulled in to configure the remote state bucket in the root
-# terragrunt.hcl configuration.
-locals {
- cluster_endpoint_public_access = true
- cluster_name = "platform-eng-eks-mcm"
- creator = "matthew.c.morgan@census.gov"
- eks_instance_disk_size = 100
- eks_ng_desired_size = 2
- eks_ng_max_size = 10
- eks_ng_min_size = 0
- enable_cluster_creator_admin_permissions = true
- terraform = true
- terragrunt = true
- tags = {
- "slim:schedule" = "8:00-17:00"
- "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
- }
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-cert-manager/terragrunt.hcl
deleted file mode 100644
index 35e355aa..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-cert-manager/terragrunt.hcl
+++ /dev/null
@@ -1,40 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
- }
-}
-
-dependency "eks_config" {
- config_path = "../eks-config"
- skip_outputs = true
-}
-
-inputs = {
- cluster_name = dependency.eks.outputs.cluster_name
- cluster_mailing_list = dependency.eks.inputs.creator
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
- cert_manager_cainjector_tag = include.root.inputs.cert_manager_cainjector_tag
- cert_manager_controller_tag = include.root.inputs.cert_manager_controller_tag
- cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
- cert_manager_webhook_tag = include.root.inputs.cert_manager_webhook_tag
- cluster_issuer_name = include.root.inputs.cluster_issuer_name
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-config/terragrunt.hcl
deleted file mode 100644
index d4a60dbc..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-config/terragrunt.hcl
+++ /dev/null
@@ -1,42 +0,0 @@
-# lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
-
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_certificate_authority_data = [{ data = "THISISAVERYLONGCERTSTRINGTHATGOESHEREFORSURENODYEP" }]
- cluster_endpoint = "https://12345ABCDEE42BF9C24D4C362D1DC.sk1.us-gov-east-1.eks.amazonaws.com"
- cluster_name = "a-cluster-name"
- eks_managed_node_groups_autoscaling_group_names = ["eks-eks-a-cluster-name-node_group-0000000000000000000000000-5ac8a5e3-14dd-c043-2cc9-f4b6ffb36d32"]
- oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
- security_group_all_worker_mgmt_id = "sg-00b0000000000000"
- subnets = ["subnet-00000000000000001", "subnet-00000000000000002", "subnet-00000000000000003"]
- token = [{ token = "THISISTHETOKENTHATDOESNTEXISTTHEREAREMANYLIKEITBUTHISONEISFORACLUSTER" }]
- vpc_id = "a-vpc-id"
- }
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- vpc_id = dependency.eks.outputs.vpc_id
- cluster_name = dependency.eks.outputs.cluster_name
- subnets = dependency.eks.outputs.subnets
- security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
- eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- kubectl_image_tag = include.root.inputs.kubectl_image_tag
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-dns/terragrunt.hcl
deleted file mode 100644
index 6e28781b..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-dns/terragrunt.hcl
+++ /dev/null
@@ -1,42 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- subnets = ["subnet-abcdefgh", "subnet-12345678", "subnet-ab12cd34"]
- }
-}
-
-dependency "istio" {
- config_path = "../eks-istio"
- mock_outputs = {
- istio_ingress_lb = {
- dns_name = "a1111111111111111111111111111111-2bbbbbbbbbbbbbbb.elb.us-gov-east-1.amazonaws.com"
- zone_id = "ZABC123456DEF"
- }
- }
-}
-
-inputs = {
- cluster_name = dependency.eks.inputs.cluster_name
- istio_ingress_lb = dependency.istio.outputs.istio_ingress_lb
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- subnets = dependency.eks.outputs.subnets
- tags = dependency.eks.inputs.tags
- vpc_domain_name = dependency.eks.inputs.vpc_domain_name
- vpc_name = dependency.eks.inputs.vpc_name
- route53_endpoints = include.root.inputs.route53_endpoints
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-grafana/terragrunt.hcl
deleted file mode 100644
index 65ab33fe..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-grafana/terragrunt.hcl
+++ /dev/null
@@ -1,40 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- }
-}
-
-dependency "eks-loki" {
- config_path = "../eks-loki"
- mock_outputs = {
- rwo_storage_class = "gp3-encrypted"
- }
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cluster_name = dependency.eks.outputs.cluster_name
- cluster_domain = dependency.eks.inputs.vpc_domain_name
- public_hostname = include.root.inputs.grafana_hostname
- rwo_storage_class = dependency.eks-loki.outputs.rwo_storage_class
- grafana_chart_version = include.root.inputs.grafana_chart_version
- grafana_tag = include.root.inputs.grafana_tag
- download_dashboards_image_tag = include.root.inputs.download_dashboards_image_tag
- init_chown_data_image_tag = include.root.inputs.init_chown_data_image_tag
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-istio/terragrunt.hcl
deleted file mode 100644
index c7c22c81..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-istio/terragrunt.hcl
+++ /dev/null
@@ -1,32 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- }
-}
-dependency "eks-karpenter" {
- config_path = "../eks-karpenter"
- skip_outputs = true
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cluster_name = dependency.eks.outputs.cluster_name
- istio_chart_version = include.root.inputs.istio_version
- istio_version = include.root.inputs.istio_version
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-k8s-dashboard/terragrunt.hcl
deleted file mode 100644
index cd1961b6..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-k8s-dashboard/terragrunt.hcl
+++ /dev/null
@@ -1,36 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- vpc_domain_name = "example.com"
- }
-}
-
-dependency "eks-loki" {
- config_path = "../eks-loki"
- skip_outputs = true
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cluster_name = dependency.eks.outputs.cluster_name
- cluster_domain = dependency.eks.inputs.vpc_domain_name
- public_hostname = include.root.inputs.dashboard_hostname
- k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
- # datasources = dependency.eks-loki.outputs.gateway_internal_endpoint
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-karpenter/terragrunt.hcl
deleted file mode 100644
index 6b1a862f..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-karpenter/terragrunt.hcl
+++ /dev/null
@@ -1,43 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_endpoint = "https://0000000000000000AAAAAAAAAAAAAAAA.sk1.us-gov-east-1.eks.amazonaws.com"
- cluster_name = "a-cluster-name"
- node_group_name = "node_group_a-cluster-name"
- oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
- vpc_id = "a-vpc-name"
- }
-}
-
-dependency "eks-config" {
- config_path = "../eks-config"
- skip_outputs = true
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cluster_endpoint = dependency.eks.outputs.cluster_endpoint
- cluster_name = dependency.eks.outputs.cluster_name
- karpenter_node_group_name = dependency.eks.outputs.node_group_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- vpc_id = dependency.eks.outputs.vpc_id
- karpenter_helm_chart = include.root.inputs.karpenter_helm_chart
- karpenter_tag = include.root.inputs.karpenter_tag
- kubectl_tag = include.root.inputs.kubectl_image_tag
-
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-kiali/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-kiali/terragrunt.hcl.disable
deleted file mode 100644
index 1e04fe0d..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-kiali/terragrunt.hcl.disable
+++ /dev/null
@@ -1,81 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}"
- # source = "../../../../../../../tfmod-kiali"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- }
-}
-dependency "eks-cert-manager" {
- config_path = "../eks-cert-manager"
- mock_outputs = {
- cluster_issuer_name = "acmpca-clusterissuer"
- }
-}
-dependency "eks-prometheus" {
- config_path = "../eks-prometheus"
- mock_outputs = {
- prometheus_server_internal_endpoint = {
- hostname = "prometheus-server.prometheus.svc.cluster.local"
- port_number = 9090
- url = "http://prometheus-server.prometheus.svc.cluster.local:9090/"
- }
- }
-}
-dependency "eks-grafana" {
- config_path = "../eks-grafana"
- mock_outputs = {
- internal_endpoint = {
- hostname = "grafana.grafana.svc.cluster.local"
- port_number = "80"
- url = "https://grafana.grafana.svc.cluster.local:80/"
- }
- namespace = "grafana"
- public_endpoint = {
- hostname = "grafana.dev.lab.csp2.census.gov"
- port_number = "80"
- url = "https://grafana.dev.lab.csp2.census.gov:80/"
- }
- secret_name = "grafana"
- }
-}
-
-inputs = {
- kiali_operator_version = include.root.inputs.kiali_operator_version
- kiali_application_version = include.root.inputs.kiali_application_version
-
- profile = include.root.inputs.aws_profile
- cluster_domain = dependency.eks.inputs.vpc_domain_name
- operators_namespace = "operators"
- cluster_name = dependency.eks.outputs.cluster_name
- certificate_issuer = dependency.eks-cert-manager.outputs.cluster_issuer_name
- prometheus_internal_url = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url
- grafana_internal_url = 
dependency.eks-grafana.outputs.internal_endpoint.url
- grafana_namespace = dependency.eks-grafana.outputs.namespace
- grafana_public_url = dependency.eks-grafana.outputs.public_endpoint.url
- grafana_secret_name = "grafana"
- # grafana_secret_name = dependency.eks-grafana.outputs.secret_name
- jaeger_internal_url = ""
-
- # client_id = var.sso_client_id
- # client_secret = var.sso_client_secret
- # keycloak_public_url = var.keycloak_public_url
- # gogatekeeper_chart_version = var.gogatekeeper_chart_version
- # gogatekeeper_registry = var.gogatekeeper_registry
- # gogatekeeper_repository = var.gogatekeeper_repository
- # gogatekeeper_tag = var.gogatekeeper_tag
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-loki/terragrunt.hcl
deleted file mode 100644
index 2c6b6be5..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-loki/terragrunt.hcl
+++ /dev/null
@@ -1,44 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
- }
-}
-dependency "eks-istio" {
- config_path = "../eks-istio"
- skip_outputs = true
-}
-dependency "eks-prometheus" {
- config_path = "../eks-prometheus"
- skip_outputs = true
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cluster_name = dependency.eks.outputs.cluster_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- loki_chart_version = include.root.inputs.loki_chart_version
- loki_tag = include.root.inputs.loki_tag
- canary_tag = include.root.inputs.canary_tag
- enterprise_logs_provisioner_tag = include.root.inputs.enterprise_logs_provisioner_tag
- gateway_tag = include.root.inputs.gateway_tag
- memcached_tag = include.root.inputs.memcached_tag
- exporter_tag = include.root.inputs.exporter_tag
- sidecar_tag = include.root.inputs.sidecar_tag
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-metrics-server/terragrunt.hcl
deleted file mode 100644
index 387653b9..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-metrics-server/terragrunt.hcl
+++ /dev/null
@@ -1,33 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -dependency "eks" { - config_path = "../eks" - mock_outputs = { - cluster_name = "a-cluster-name" - } -} - -dependency "eks_config" { - config_path = "../eks-config" - skip_outputs = true -} - -inputs = { - profile = include.root.inputs.aws_profile - cluster_name = dependency.eks.outputs.cluster_name - region = include.root.inputs.aws_region - metrics_server_helm_chart = include.root.inputs.metrics_server_helm_chart - metrics_server_tag = include.root.inputs.metrics_server_tag -} diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-prometheus/terragrunt.hcl deleted file mode 100644 index e6c54b16..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-prometheus/terragrunt.hcl +++ /dev/null 
@@ -1,38 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -dependency "eks" { - config_path = "../eks" - mock_outputs = { - cluster_name = "a-cluster-name" - } -} - -dependency "eks-dns" { - config_path = "../eks-dns" - skip_outputs = true -} - -inputs = { - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - cluster_name = dependency.eks.outputs.cluster_name - prometheus_chart_version = include.root.inputs.prometheus_chart_version - prometheus_server_tag = include.root.inputs.prometheus_server_tag - prometheus_config_reloader_tag = include.root.inputs.prometheus_config_reloader_tag - alertmanager_tag = include.root.inputs.alertmanager_tag - kube_state_metrics_tag = include.root.inputs.kube_state_metrics_tag - node_exporter_tag = include.root.inputs.node_exporter_tag - pushgateway_tag = include.root.inputs.pushgateway_tag -} diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-tempo/terragrunt.hcl deleted file mode 100644 index e9ebd485..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-tempo/terragrunt.hcl +++ /dev/null 
@@ -1,46 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -dependency "eks" { - config_path = "../eks" - mock_outputs = { - cluster_name = "a-cluster-name" - oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA" - } -} - -dependency "eks-prometheus" { - config_path = "../eks-prometheus" - mock_outputs = { - prometheus_server_internal_endpoint = { - hostname = "prometheus-server.prometheus.svc.cluster.local" - port_number = 9090 - url = "http://prometheus-server.prometheus.svc.cluster.local:9090/" - } - prometheus_namespace = "prometheus" - } -} - -inputs = { - account_id = include.root.locals.account_id - profile = include.root.locals.aws_profile - region = include.root.locals.aws_region - cluster_name = dependency.eks.outputs.cluster_name - oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn - prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number - prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace - tempo_chart_version = include.root.inputs.tempo_chart_version - tempo_tag = include.root.inputs.tempo_tag - -} diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl deleted file mode 100644 index cc7c8935..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl +++ /dev/null 
@@ -1,56 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -locals { - # Set cluster/platform specific variables, or extract from the hierarchy. - account_id = include.root.inputs.aws_account_id - cluster_endpoint_public_access = include.root.inputs.cluster_endpoint_public_access - cluster_name = include.root.inputs.cluster_name - cluster_version = include.root.inputs.cluster_version - creator = include.root.inputs.creator - eks_instance_disk_size = include.root.inputs.eks_instance_disk_size - eks_ng_desired_size = include.root.inputs.eks_ng_desired_size - eks_ng_max_size = include.root.inputs.eks_ng_max_size - eks_ng_min_size = include.root.inputs.eks_ng_min_size - eks_vpc_name = include.root.inputs.vpc_name - enable_cluster_creator_admin_permissions = include.root.inputs.enable_cluster_creator_admin_permissions - environment_abbr = include.root.inputs.environment_abbr - organization = include.root.inputs.organization - profile = include.root.inputs.aws_profile - project_name = include.root.inputs.project_name - project_number = include.root.inputs.project_number - project_role = include.root.inputs.project_role - region = include.root.inputs.aws_region - tags = include.root.inputs.tags - terraform = include.root.inputs.terraform - terragrunt = include.root.inputs.terragrunt - vpc_domain_name = include.root.inputs.vpc_domain_name -} - -terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -inputs = { - aws_account_id = local.account_id - cluster_endpoint_public_access = local.cluster_endpoint_public_access - cluster_name = local.cluster_name - cluster_version = local.cluster_version - creator = local.creator - eks_instance_disk_size = local.eks_instance_disk_size - eks_ng_desired_size = 
local.eks_ng_desired_size - eks_ng_max_size = local.eks_ng_max_size - eks_ng_min_size = local.eks_ng_min_size - eks_vpc_name = local.eks_vpc_name - enable_cluster_creator_admin_permissions = local.enable_cluster_creator_admin_permissions - os_username = local.creator - shared_vpc_label = local.environment_abbr - tags = local.tags -} From da84c26e9de9cd954309b73bacfa35b83e400761 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 28 Feb 2025 18:28:43 -0500 Subject: [PATCH 27/57] testing more autoscaling stuffs --- .gitignore | 3 +++ .../vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl | 2 +- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 4b072ca2..e99855b8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,8 @@ # Local .terraform directories **/.terraform/* +**/apply.log +**/plan.log +**/destroy.log # terraform lock file. **/.terraform.lock.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl index 1c312166..5c0574f2 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
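Review bot: The eks-istio `terraform.source` in this hunk now pins the module to the branch name `mcmCluster` instead of `${include.root.inputs.release_version}`, so what gets applied depends on wherever that branch head happens to be at apply time and cannot be reproduced from this repository alone; the eks-karpenter and eks-metrics-server hunks in this patch, the eks-cert-manager hunk (`ref=cicd`), the eks-grafana hunk (`ref=namespaces`) and the eks hunk in PATCH 31 make the same change. For a debugging branch this is understandable, but if it has to be committed, a tag or a full commit SHA in `ref=` (e.g. `?ref=<commit-sha>`, placeholder) keeps the deployed module code auditable and repeatable. A one-line comment next to each override, such as `# TEMP: pinned to a feature branch for testing — restore release_version before merge`, would make the intent and the cleanup obligation visible to whoever reads the file next.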
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl index 7c2ff2db..3066ef1e 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl index 5e520aad..2fafb091 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl @@ -20,7 +20,7 @@ dependency "eks" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From 7c9a31e195732bf61adf4505f702d2c7828615bd Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Mon, 3 Mar 2025 17:40:25 -0500 Subject: [PATCH 28/57] wip --- lab/_envcommon/default-versions.hcl | 12 +- .../eks-keycloak/terragrunt.hcl | 21 +--- .../eks-kiali/terragrunt.hcl | 1 - .../eks-kiali/terragrunt.hcl.disabled | 108 ------------------ .../eks-postgresql/terragrunt.hcl | 76 ------------ 5 files changed, 11 insertions(+), 207 deletions(-) delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl.disabled delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 14cd5804..5954272f 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -89,12 +89,13 @@ locals { ################ # Keycloak ################ - keycloak_chart_version = "24.4.10" - keycloak_tag = "26.1.2" + keycloak_chart_version = "24.4.11" + keycloak_tag = "26.1.3" keycloak_hostname = "keycloak" - postgresql_database = "keycloak_db" - postgresql_username = "keycloak_user" - postgresql_password = "secure_password" + keycloak_database = "keycloak_db" + keycloak_username = "keycloak_user" + # keycloak_password = "secure_password" + postgresql_tag = "17.4.0-debian-12-r2" ################ # Kiali @@ -128,7 +129,6 @@ locals { postgresql_repmgr_tag = "17.4.0" pgpool_tag = "4.5.5" postgresql_chart_version = "15.3.0" - postgresql_tag = "17.4.0" ################ # Prometheus diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index fc0d1ab7..b4ed91b3 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl 
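Review bot: `# keycloak_password = "secure_password"` keeps a credential value in the versions file as a comment, and the removed `postgresql_password = "secure_password"` line means the same value is already in git history, so commenting it out does not take it out of the repository. If this value was ever used for a live database it should be treated as exposed and rotated; going forward the password belongs in a secret store read at apply time (a Terraform data source or Terragrunt's `get_env()`), with this file carrying only non-secret settings. Replacing the commented line with `# keycloak_password: supplied at apply time from the secret store, never committed` documents where it now comes from. `postgresql_tag` also moves under the `# Keycloak` heading with a different value from the `postgresql_tag = "17.4.0"` removed further down; presumably Keycloak now brings its own database, and a short comment saying so would explain the move.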
@@ -38,23 +38,12 @@ dependency "eks_dns" { } } -dependency "eks_postgresql" { - config_path = "../eks-postgresql" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - internal_endpoint = { - url = "mock-internal-endpoint-url" - } - } -} - dependencies { paths = [ "../eks", "../eks-config", "../eks-dns", "../eks-karpenter", - "../eks-postgresql", "../eks-prometheus", ] } @@ -75,11 +64,11 @@ inputs = { service_name = "keycloak" telemetry_namespace = include.root.inputs.telemetry_namespace - # Database configuration - db_host = dependency.eks_postgresql.outputs.internal_endpoint.url - db_name = include.root.inputs.postgresql_database - db_password = include.root.inputs.postgresql_password - db_user = include.root.inputs.postgresql_username + # # Database configuration + # db_host = dependency.eks_postgresql.outputs.internal_endpoint.url + keycloak_database = include.root.inputs.keycloak_database + # keycloak_password = include.root.inputs.keycloak_password + keycloak_user = include.root.inputs.keycloak_username # Project information project_name = include.root.inputs.project_name diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index c36c773c..130fd567 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -17,7 +17,6 @@ dependencies { "../eks", "../eks-config", "../eks-dns", - "../eks-grafana", "../eks-istio", "../eks-prometheus" ] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl.disabled b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl.disabled deleted file mode 100644 index a06c6e68..00000000 
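Review bot: After this change the eks-keycloak inputs pass `keycloak_database` and `keycloak_user` but no host and no password (`db_host` and `db_password` are removed and `keycloak_password` is commented out), so the database connection is now decided entirely by the module's defaults, which I cannot see from here. If the module falls back to a built-in default password or an embedded development database, that is a weaker posture than the explicit wiring this hunk removes; please confirm, and if a password is still required, source it from a secret store rather than a versions file. The commented-out `# db_host = dependency.eks_postgresql.outputs.internal_endpoint.url` references the `dependency "eks_postgresql"` block that the first hunk deletes, so it can never be re-enabled as written; either drop it or replace it with `# db_host: no longer wired — eks-postgresql dependency removed in this change`. The inputs block continues outside the hunk.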
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl.disabled +++ /dev/null 
@@ -1,108 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20s"] - } -} - -dependencies { - paths = [ - "../eks", - "../eks-config", - "../eks-dns", - "../eks-grafana", - "../eks-istio", - "../eks-prometheus" - ] -} - -dependency "eks" { - config_path = "../eks" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - cluster_name = "mock-cluster" - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" - } -} - -dependency "eks-config" { - config_path = "../eks-config" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - operators_namespace = "mock-namespace" - } -} - -dependency "eks_dns" { - config_path = "../eks-dns" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - cluster_domain = "mock.example.com" - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" - } -} - -dependency "eks_grafana" { - config_path = "../eks-grafana" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - internal_endpoint = { - hostname = "grafana.mock.svc.cluster.local" - port_number = "80" - url = "https://grafana.mock.svc.cluster.local:80/" - } - namespace = "grafana" - public_endpoint = { - hostname = "grafana.mock.lab.csp2.census.gov" - port_number = "80" - url = "https://grafana.mock.lab.csp2.census.gov:80/" - } - secret_name = "grafana" - } -} - -dependency "eks_istio" { - config_path = "../eks-istio" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - namespace = 
"mock-namespace-istio" - } -} - -dependency "eks_prometheus" { - config_path = "../eks-prometheus" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - prometheus_internal_url = "mock-internal-url" - } -} - -inputs = { - # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - - # Cluster Configuration - cluster_domain = dependency.eks_dns.outputs.cluster_domain - cluster_name = dependency.eks.outputs.cluster_name - - # Kiali Configuration - grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url - grafana_namespace = dependency.eks_grafana.outputs.namespace - grafana_secret_name = dependency.eks_grafana.outputs.secret_name - grafana_public_url = dependency.eks_grafana.outputs.public_endpoint.url - - kiali_operator_version = include.root.inputs.kiali_operator_version - operators_namespace = dependency.eks-config.outputs.operators_namespace - - prometheus_internal_url = dependency.eks_prometheus.outputs.internal_endpoint - jager_internal_url = dependency.eks_prometheus.outputs.jager_internal_url -} diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl deleted file mode 100644 index 4429d04a..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl +++ /dev/null 
@@ -1,76 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-postgresql.git?ref=main" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20s"] - } -} - -dependencies { - paths = [ - "../eks", - "../eks-config", - "../eks-dns", - "../eks-prometheus", - ] -} - -dependency "eks" { - config_path = "../eks" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - cluster_name = include.root.inputs.cluster_name - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" - } -} - -dependency "eks_config" { - config_path = "../eks-config" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - rwo_storage_class = "gp3-mock" - } -} - -dependency "eks_dns" { - config_path = "../eks-dns" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - cluster_domain = "mock.example.com" - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" - } -} - -inputs = { - # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - - # Cluster Configuration - cluster_domain = dependency.eks_dns.outputs.cluster_domain - cluster_name = dependency.eks.outputs.cluster_name - rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class - - # PostgreSQL Configuration - namespace = include.root.inputs.namespaces["postgresql"] - os_shell_tag = include.root.inputs.os_shell_tag - pgpool_tag = include.root.inputs.pgpool_tag - postgres_exporter_tag = include.root.inputs.postgres_exporter_tag - postgresql_repmgr_tag = include.root.inputs.postgresql_repmgr_tag - postgresql_tag = include.root.inputs.postgresql_tag - 
service_name = "postgresql" - telemetry_namespace = include.root.inputs.telemetry_namespace - - # Database Consumer Configuration - postgresql_database = include.root.inputs.postgresql_database - postgresql_username = include.root.inputs.postgresql_username - postgresql_password = include.root.inputs.postgresql_password - -} From e3d15ced63ef195db979d5d6cadd12f6028cd2b8 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 4 Mar 2025 16:46:57 -0500 Subject: [PATCH 29/57] wip --- lab/_envcommon/default-versions.hcl | 73 ++++++++----------- .../eks-cert-manager/terragrunt.hcl | 5 +- .../eks-config/terragrunt.hcl | 3 +- .../eks-dns/terragrunt.hcl | 4 +- .../eks-grafana/terragrunt.hcl | 3 +- .../eks-istio/terragrunt.hcl | 4 +- .../eks-karpenter/terragrunt.hcl | 5 +- .../eks-metrics-server/terragrunt.hcl | 1 - 8 files changed, 47 insertions(+), 51 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 5954272f..888aabb1 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -24,6 +24,8 @@ locals { ##################### # Namespaces Config ##################### + operator_namespace = "operator" + telemetry_namespace = "telemetry" namespaces = { cert-manager = "kube-system" karpenter = "kube-system" @@ -43,16 +45,6 @@ locals { ##################### # EKS Config ##################### - operator_namespace = "operator" - telemetry_namespace = "telemetry" - # kubectl_image_tag = "1.30.4" - - ################ - # k8s-dashboard - ################ - dashboard_hostname = "dashboard" - k8s_dashboard_metrics_scraper = "1.0.8" - k8s_dashboard_version = "6.0.6" ################ # Cert-Manager 
@@ -62,29 +54,35 @@ locals { cert_manager_controller_tag = "v${local.cert_manager_version}" cert_manager_helm_chart = "${local.cert_manager_version}" cert_manager_startupapicheck_tag = "v${local.cert_manager_version}" - cert_manager_version = "1.16.4" + cert_manager_version = "1.17.1" cert_manager_webhook_tag = "v${local.cert_manager_version}" + ################ + # Grafana + ################ + download_dashboards_image_tag = "2.1.0" + grafana_chart_version = "8.10.1" + grafana_hostname = "grafana" + grafana_tag = "11.5.2" + ################ # Istio ################ istio_namespace = "istio-system" - istio_version = "1.24.2" + istio_version = "1.25.0" ################ - # Grafana + # k8s-dashboard ################ - download_dashboards_image_tag = "7.85.0" - grafana_chart_version = "8.8.5" - grafana_hostname = "grafana" - grafana_tag = "11.4.0" - init_chown_data_image_tag = "1.31.1" + dashboard_hostname = "dashboard" + k8s_dashboard_metrics_scraper = "1.0.8" + k8s_dashboard_version = "6.0.6" ################ # Karpenter ################ - karpenter_helm_chart = "1.1.1" - karpenter_tag = "1.1.1" + karpenter_helm_chart = "1.3.0" + karpenter_tag = "1.3.0" ################ # Keycloak 
@@ -106,44 +104,35 @@ locals { ################ # Loki ################ - loki_chart_version = "6.25.0" - loki_tag = "3.3.2" + loki_chart_version = "6.27.0" + loki_tag = "3.4.2" canary_tag = "3.0.0" enterprise_logs_provisioner_tag = "v1.7.0" gateway_tag = "1.25.2-alpine" - memcached_tag = "1.6.23-alpine" + memcached_tag = "1.6.37" exporter_tag = "v0.14.4" sidecar_tag = "1.27.4" ################ # Metrics Server ################ - metrics_server_helm_chart = "3.12.1" - metrics_server_tag = "v0.7.1" - - ################ - # PostgreSQL - ################ - os_shell_tag = "12" - postgres_exporter_tag = "0.16.0" - postgresql_repmgr_tag = "17.4.0" - pgpool_tag = "4.5.5" - postgresql_chart_version = "15.3.0" + metrics_server_helm_chart = "3.12.2" + metrics_server_tag = "0.7.2" ################ # Prometheus ################ - prometheus_chart_version = "25.26.0" - prometheus_server_tag = "v2.54.0" + prometheus_chart_version = "27.5.1" + prometheus_server_tag = "v3.2.1" prometheus_config_reloader_tag = "v0.75.2" - alertmanager_tag = "v0.27.0" - kube_state_metrics_tag = "v2.13.0" - node_exporter_tag = "v1.8.2" - pushgateway_tag = "v1.9.0" + alertmanager_tag = "v0.28.0" + kube_state_metrics_tag = "v2.15.0" + node_exporter_tag = "v1.9.0" + pushgateway_tag = "v1.11.0" ################ # Tempo ################ - tempo_chart_version = "1.18.1" - tempo_tag = "2.7.0" + tempo_chart_version = "1.18.2" + tempo_tag = "2.7.1" } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl index d1e69d00..7ea7f9cc 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl 
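Review bot: `metrics_server_tag = "0.7.2"` drops the `v` prefix that the replaced `"v0.7.1"` carried, while the Prometheus and Alertmanager tags in the same hunk keep theirs, so either the module's image reference changed in lockstep or the pull will fail with a tag-not-found at deploy time. I can't see tfmod-metrics-server from here; if the prefix is now added inside the module, a comment such as `# no "v" prefix: the module prepends it when building the image ref` would stop the next version bump from reintroducing it. If it is not, the value should read `metrics_server_tag = "v0.7.2"` to match the convention used by the rest of this section.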
@@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=cicd" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() @@ -17,7 +17,8 @@ dependencies { paths = [ "../eks", "../eks-config", - "../eks-karpenter" + "../eks-karpenter", + "../eks-metrics-server", ] } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl index c1328ee7..4a6a659f 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl @@ -7,7 +7,8 @@ include "root" { dependencies { paths = [ "../eks", - "../eks-karpenter" + "../eks-karpenter", + "../eks-metrics-server", ] } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl index 2bf9b72f..0c5a7887 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl @@ -34,9 +34,11 @@ dependency "eks-istio" { dependencies { paths = [ + "../eks", "../eks-config", "../eks-istio", - "../eks-karpenter" + "../eks-karpenter", + "../eks-metrics-server", ] } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl index 2bc7484b..52182320 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl 
@@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=namespaces" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] @@ -57,7 +57,6 @@ inputs = { grafana_chart_version = include.root.inputs.grafana_chart_version grafana_tag = include.root.inputs.grafana_tag download_dashboards_image_tag = include.root.inputs.download_dashboards_image_tag - init_chown_data_image_tag = include.root.inputs.init_chown_data_image_tag namespace = include.root.inputs.namespaces["grafana"] service_name = "grafana" } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl index 5c0574f2..81e9823b 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl @@ -15,7 +15,9 @@ terraform { dependencies { paths = [ "../eks", - "../eks-config" + "../eks-cert-manager", + "../eks-config", + "../eks-metrics-server", ] } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl index 3066ef1e..c14b79ae 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl @@ -14,7 +14,10 @@ terraform { } dependencies { - paths = ["../eks"] + paths = [ + "../eks", + "../eks-metrics-server", + ] } dependency "eks" { 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl index 2fafb091..18983eee 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl @@ -7,7 +7,6 @@ include "root" { dependencies { paths = [ "../eks", - "../eks-config" ] } From f3260cc77b5f2f9206669768ca1cbb188a7e44af Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 4 Mar 2025 22:01:22 -0500 Subject: [PATCH 30/57] wip --- lab/_envcommon/default-versions.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 888aabb1..c4de0058 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -60,7 +60,7 @@ locals { ################ # Grafana ################ - download_dashboards_image_tag = "2.1.0" + download_dashboards_image_tag = "stable" grafana_chart_version = "8.10.1" grafana_hostname = "grafana" grafana_tag = "11.5.2" diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl index c32546cd..35da2fd9 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -16,7 +16,8 @@ dependencies { paths = [ "../eks", "../eks-config", - "../eks-dns" + "../eks-dns", + "../eks-prometheus" ] } From 4e3768825a9d25bd8038ec16e052ba31a943e2b5 Mon Sep 17 00:00:00 2001 
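Review bot: `download_dashboards_image_tag = "stable"` replaces a pinned version with a floating tag, so the image this value selects can change on any pull without a corresponding change in this repository, which defeats the purpose of a versions file and makes an incident much harder to reconstruct after the fact. If the pinned `2.1.0` tag did not exist in the registry, the fix is to pick one that does (or a digest), e.g. `download_dashboards_image_tag = "<pinned-tag>"  # never a floating tag here` (placeholder), and keep `stable` for local experiments only. A later patch in this series removes the key altogether, which may make this moot, but the same rule applies to every `*_tag` in this file.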
From: "Matthew C. Morgan" Date: Tue, 4 Mar 2025 22:18:03 -0500 Subject: [PATCH 31/57] use my eks --- .../us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl index 9eca1de2..3b248bab 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From 221e219db0ae385a56e878049f1209e3ca5de0fe Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 5 Mar 2025 00:38:33 -0500 Subject: [PATCH 32/57] isolate karpenter again for debug --- lab/_envcommon/default-versions.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index c4de0058..0c810ec7 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -28,7 +28,7 @@ locals { telemetry_namespace = "telemetry" namespaces = { cert-manager = "kube-system" - karpenter = "kube-system" + karpenter = "karpenter" metrics-server = "kube-system" postgresql = "kube-system" keycloak = "kube-system" From a905497e66ea764a52f9e6616d2478ad76ad9000 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 5 Mar 2025 19:40:01 -0500 Subject: [PATCH 33/57] 1.3.0 is not ready --- lab/_envcommon/default-versions.hcl | 4 ++-- .../vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) 
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 0c810ec7..c434f481 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -81,8 +81,8 @@ locals { ################ # Karpenter ################ - karpenter_helm_chart = "1.3.0" - karpenter_tag = "1.3.0" + karpenter_helm_chart = "1.2.2" + karpenter_tag = "1.2.2" ################ # Keycloak diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl index c14b79ae..062cf73a 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl @@ -44,6 +44,7 @@ inputs = { cluster_endpoint = dependency.eks.outputs.cluster_endpoint cluster_name = dependency.eks.outputs.cluster_name oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + vpc_id = dependency.eks.outputs.vpc_id # Karpenter Configuration karpenter_tag = include.root.inputs.karpenter_tag From 8f8a1ab03cae93e8994d359d2c22a7cc5eb0051a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 6 Mar 2025 15:50:29 -0500 Subject: [PATCH 34/57] make grafana work again --- lab/_envcommon/default-versions.hcl | 13 +++++++------ .../platform-eng-eks-mcm/eks-grafana/terragrunt.hcl | 11 ++++++----- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index c434f481..1a445f68 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl 
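Review bot: `vpc_id = dependency.eks.outputs.vpc_id` reads a new output from the `dependency "eks"` block, whose body is outside this hunk; if that block declares `mock_outputs` the way the sibling modules on this page do and `vpc_id` is not added there, `plan`/`validate` runs that rely on mocks will fail on the missing attribute even though `apply` works. Please add a constructed placeholder such as `vpc_id = "vpc-mock"` beside the existing mock values. The inputs block this line belongs to starts and ends outside the hunk.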
@@ -60,10 +60,11 @@ locals { ################ # Grafana ################ - download_dashboards_image_tag = "stable" - grafana_chart_version = "8.10.1" - grafana_hostname = "grafana" - grafana_tag = "11.5.2" + grafana_hostname = "grafana" + grafana_operator_chart_version = "4.9.7" + grafana_operator_tag = "5.16.0" + grafana_tag = "11.5.2" + os_shell_image_tag = "12" ################ # Istio @@ -81,8 +82,8 @@ locals { ################ # Karpenter ################ - karpenter_helm_chart = "1.2.2" - karpenter_tag = "1.2.2" + karpenter_helm_chart = "1.3.1" + karpenter_tag = "1.3.1" ################ # Keycloak diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl index 52182320..79865951 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl @@ -54,9 +54,10 @@ inputs = { rwo_storage_class = dependency.eks_loki.outputs.rwo_storage_class # Grafana Configuration - grafana_chart_version = include.root.inputs.grafana_chart_version - grafana_tag = include.root.inputs.grafana_tag - download_dashboards_image_tag = include.root.inputs.download_dashboards_image_tag - namespace = include.root.inputs.namespaces["grafana"] - service_name = "grafana" + grafana_operator_chart_version = include.root.inputs.grafana_operator_chart_version + grafana_operator_tag = include.root.inputs.grafana_operator_tag + grafana_tag = include.root.inputs.grafana_tag + namespace = include.root.inputs.namespaces["grafana"] + os_shell_image_tag = include.root.inputs.os_shell_image_tag + service_name = "grafana" } From 5309908e6830ea7c7a2991b04d6d3bef92c23063 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Thu, 6 Mar 2025 17:04:47 -0500 Subject: [PATCH 35/57] increment grafana operator chart version --- lab/_envcommon/default-versions.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 1a445f68..65e72243 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -61,7 +61,7 @@ locals { # Grafana ################ grafana_hostname = "grafana" - grafana_operator_chart_version = "4.9.7" + grafana_operator_chart_version = "4.9.8" grafana_operator_tag = "5.16.0" grafana_tag = "11.5.2" os_shell_image_tag = "12" From 44e1884a64c0fbbad39e43d065ea93982531f9f6 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 6 Mar 2025 23:02:10 -0500 Subject: [PATCH 36/57] otel added --- lab/_envcommon/default-versions.hcl | 7 ++ .../eks-gogatekeeper/terragrunt.hcl | 77 +++++++++++++++++++ .../eks-grafana/terragrunt.hcl | 2 - .../eks-otel/terragrunt.hcl | 61 +++++++++++++++ .../eks-tempo/terragrunt.hcl | 6 +- 5 files changed, 148 insertions(+), 5 deletions(-) create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 65e72243..2f53935b 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -32,6 +32,7 @@ locals { metrics-server = "kube-system" postgresql = "kube-system" keycloak = "kube-system" + gogatekeeper = "kube-system" istio = "istio-system" kiali = "istio-system" grafana = local.telemetry_namespace 
@@ -57,6 +58,12 @@ locals { cert_manager_version = "1.17.1" cert_manager_webhook_tag = "v${local.cert_manager_version}" + ################ + # GoGatekeeper + ################ + gogatekeeper_tag = "3.2.1" + gogatekeeper_chart_version = "gatekeeper-0.1.53" + ################ # Grafana ################ diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl new file mode 100644 index 00000000..8ab5bcee --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl 
@@ -0,0 +1,77 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=keycloak" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_name = "mock-cluster" + oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + } +} + +dependency "eks_dns" { + config_path = "../eks-dns" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_domain = "mock.example.com" + } +} + +dependency "eks_grafana" { + config_path = "../eks-grafana" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + public_endpoint = "mock.grafaba.example.com" + } +} + +dependency "eks_keycloak" { + config_path = "../eks-keycloak" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + public_endpoint = "mock.keycloak.example.com" + } +} + +dependencies { + paths = [ + "../eks", + "../eks-dns", + "../eks-grafana", + "../eks-keycloak", + "../eks-prometheus", + ] +} + +inputs = { + # Base Cluster Config + cluster_domain = dependency.eks_dns.outputs.cluster_domain + namespace = include.root.inputs.namespaces["gogatekeeper"] + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + + # Gatekeeper Config + gogatekeeper_tag = include.root.inputs.gogatekeeper_tag + gogatekeeper_chart_version = include.root.inputs.gogatekeeper_chart_version + keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint + + # Service Behind Gatekeeper Config + service_name = "grafana" + redirection_url = 
dependency.eks_grafana.outputs.public_endpoint + # client_id = dependency.eks_keycloak.outputs.client_id + # client_secret = dependency.eks_keycloak.outputs.client_secret + client_id = "client_id" + client_secret = "client_secret" +} diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl index 79865951..85570c82 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl @@ -32,9 +32,7 @@ dependency "eks_loki" { dependencies { paths = [ "../eks", - "../eks-config", "../eks-dns", - "../eks-karpenter", "../eks-loki" ] } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl new file mode 100644 index 00000000..db2df664 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl 
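Review bot: `client_id = "client_id"` and `client_secret = "client_secret"` in the new `inputs` block hard-code the OIDC client credentials as literals, with the real wiring left commented out just above (`# client_secret = dependency.eks_keycloak.outputs.client_secret`). Even as placeholders, a secret value in a committed `.hcl` that is passed as a Terraform input ends up in git history and in state; if the keycloak module cannot yet export these, read them at apply time from a secret store (an SSM/Secrets Manager lookup inside the module, or `get_env` here) rather than a literal, and keep the variable marked sensitive on the module side. The `ref=keycloak` source in this file has the same mutable-ref concern raised on patch 31 (patch 48 resets it). Minor: `mock.grafaba.example.com` looks like a typo for `grafana`.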
@@ -0,0 +1,61 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=main" + # source = "../../../../../../../tfmod-open-telemetry" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +dependencies { + paths = [ + "../eks", + "../eks-loki", + "../eks-prometheus", + "../eks-tempo" + ] +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + cluster_name = "a-cluster-name" + } +} + +dependency "eks-loki" { + config_path = "../eks-loki" + mock_outputs = { + gateway_internal_endpoint = { + hostname = "loki-gateway.telemetry.svc.cluster.local" + portNumber = "80" + url = "http://loki-gateway.telemetry.svc.cluster.local:80/" + } + } +} + +dependency "eks-tempo" { + config_path = "../eks-tempo" + mock_outputs = { + tempo_otlp_endpoint = { + hostname = "tempo.telemetry.svc.cluster.local" + portNumber = 4317 + url = "http://tempo.telemetry.svc.cluster.local:4317/" + } + } +} + +inputs = { + profile = include.root.inputs.aws_profile + cluster_name = dependency.eks.outputs.cluster_name + region = include.root.inputs.aws_region + namespace = include.root.inputs.namespaces["otel"] + loki_endpoint = dependency.eks-loki.outputs.gateway_internal_endpoint.url + tempo_endpoint = dependency.eks-tempo.outputs.tempo_otlp_endpoint.url +} diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl index dff1b330..e94c5a43 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl 
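Review bot: The three `dependency` blocks in the new eks-otel file set `mock_outputs` without `mock_outputs_allowed_terraform_commands`, unlike every other module in this directory, which restricts mocks to `["init", "plan", "validate", "destroy"]`; without that list Terragrunt will also substitute the mock values on `apply` when the dependency's outputs are unavailable, so the collector could be deployed pointing at `http://loki-gateway.telemetry.svc.cluster.local:80/` and cluster `a-cluster-name` instead of failing fast. Adding `mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]` to each block restores the repo convention. Separately, `namespace = include.root.inputs.namespaces["otel"]` needs an `otel` key in the `namespaces` map in `lab/_envcommon/default-versions.hcl`; this commit adds `gogatekeeper` to that map but not `otel`, so unless the key already exists outside the shown hunk the lookup will error.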
@@ -25,7 +25,9 @@ dependency "eks-prometheus" { config_path = "../eks-prometheus" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { + prometheus_svc = "prometheus-server" prometheus_namespace = "prometheus" + prometheus_port = 80 prometheus_server_internal_endpoint = { hostname = "prometheus-server.prometheus.svc.cluster.local" port_number = 9090 @@ -37,9 +39,7 @@ dependency "eks-prometheus" { dependencies { paths = [ "../eks", - "../eks-config", "../eks-dns", - "../eks-karpenter", "../eks-prometheus" ] } @@ -55,6 +55,7 @@ inputs = { oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn # Prometheus Configuration + prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number @@ -62,5 +63,4 @@ inputs = { tempo_chart_version = include.root.inputs.tempo_chart_version tempo_tag = include.root.inputs.tempo_tag namespace = include.root.inputs.namespaces["tempo"] - } From 0f9cbdd10890d62242bc77137a3c625b797eed66 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 7 Mar 2025 00:39:14 -0500 Subject: [PATCH 37/57] fix gatekeeper chart version --- lab/_envcommon/default-versions.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 2f53935b..f7551df5 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -62,7 +62,7 @@ locals { # GoGatekeeper ################ gogatekeeper_tag = "3.2.1" - gogatekeeper_chart_version = "gatekeeper-0.1.53" + gogatekeeper_chart_version = "0.1.53" ################ # Grafana From efd9d3c966c33f27d1f3550ecc5b3ec82f10d700 Mon Sep 17 00:00:00 2001 
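Review bot: The `prometheus_svc = "prometheus-server"` and `prometheus_port = 80` values added to `mock_outputs` are never read: the new input in the third hunk takes `prometheus_svc` from `prometheus_server_internal_endpoint.hostname`, and `prometheus_port` already comes from `prometheus_server_internal_endpoint.port_number`, so the two top-level mock keys are dead and suggest a different output shape than the one actually consumed. Also, this file lives under `platform-eng-eks-srn` while every other path in the commit is under `platform-eng-eks-mcm`; the mcm copy of `eks-tempo/terragrunt.hcl` is at the same blob (`dff1b330`, per patch 38's header) and does not receive the `prometheus_svc` input here, so please confirm the srn edit was intended.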
From: "Matthew C. Morgan" Date: Fri, 7 Mar 2025 18:03:15 -0500 Subject: [PATCH 38/57] ordering --- .../vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl | 2 -- .../vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl | 2 -- .../eks-k8s-dashboard/terragrunt.hcl | 2 -- .../vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl | 3 --- .../vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 9 +-------- .../vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl | 3 --- 6 files changed, 1 insertion(+), 20 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl index 0c5a7887..6ab98584 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl @@ -35,9 +35,7 @@ dependency "eks-istio" { dependencies { paths = [ "../eks", - "../eks-config", "../eks-istio", - "../eks-karpenter", "../eks-metrics-server", ] } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl index 81e9823b..3f6e3e08 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl @@ -16,8 +16,6 @@ dependencies { paths = [ "../eks", "../eks-cert-manager", - "../eks-config", - "../eks-metrics-server", ] } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl index 35da2fd9..794593fc 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl 
@@ -15,9 +15,7 @@ terraform { dependencies { paths = [ "../eks", - "../eks-config", "../eks-dns", - "../eks-prometheus" ] } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index b4ed91b3..4eb36b95 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl @@ -43,7 +43,6 @@ dependencies { "../eks", "../eks-config", "../eks-dns", - "../eks-karpenter", "../eks-prometheus", ] } @@ -65,9 +64,7 @@ inputs = { telemetry_namespace = include.root.inputs.telemetry_namespace # # Database configuration - # db_host = dependency.eks_postgresql.outputs.internal_endpoint.url keycloak_database = include.root.inputs.keycloak_database - # keycloak_password = include.root.inputs.keycloak_password keycloak_user = include.root.inputs.keycloak_username # Project information diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index 130fd567..5ee1bc72 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -17,6 +17,7 @@ dependencies { "../eks", "../eks-config", "../eks-dns", + "../eks-grafana", "../eks-istio", "../eks-prometheus" ] @@ -67,14 +68,6 @@ dependency "eks_grafana" { } } -dependency "eks_istio" { - config_path = "../eks-istio" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - namespace = "mock-namespace-istio" - } -} - dependency "eks_prometheus" { config_path = "../eks-prometheus" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] 
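Review bot: The `dependency "eks_istio"` block is removed from eks-kiali while `../eks-istio` stays in `dependencies.paths`; if any line in `inputs` (outside this hunk) still references `dependency.eks_istio.outputs.namespace`, the file no longer evaluates, so that reference should be checked or replaced with `include.root.inputs.namespaces["istio"]`. A one-line rationale in the commit message would help, since `ordering` does not say why the Istio outputs are no longer needed.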
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl index dff1b330..133b6981 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl @@ -37,9 +37,6 @@ dependency "eks-prometheus" { dependencies { paths = [ "../eks", - "../eks-config", - "../eks-dns", - "../eks-karpenter", "../eks-prometheus" ] } From c133413b90d514b715ebeecf845fb6c42c071c72 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 7 Mar 2025 18:06:05 -0500 Subject: [PATCH 39/57] test branch --- .../vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl index 55d3830e..0c85b080 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl @@ -31,7 +31,7 @@ dependency "eks_config" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From 26fcef34b6215cdf798c230b1238e7549d78b557 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 7 Mar 2025 18:36:19 -0500 Subject: [PATCH 40/57] use newer image --- lab/_envcommon/default-versions.hcl | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index f7551df5..51a2734e 100644 
--- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -114,11 +114,8 @@ locals { ################ loki_chart_version = "6.27.0" loki_tag = "3.4.2" - canary_tag = "3.0.0" enterprise_logs_provisioner_tag = "v1.7.0" - gateway_tag = "1.25.2-alpine" - memcached_tag = "1.6.37" - exporter_tag = "v0.14.4" + gateway_tag = "1.27-alpine" sidecar_tag = "1.27.4" ################ From 5f95a1726113927a109f8cf35e5e34dbe6c8c467 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 7 Mar 2025 19:17:44 -0500 Subject: [PATCH 41/57] update loki memcached --- lab/_envcommon/default-versions.hcl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 51a2734e..77b8c058 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -116,6 +116,8 @@ locals { loki_tag = "3.4.2" enterprise_logs_provisioner_tag = "v1.7.0" gateway_tag = "1.27-alpine" + memcached_tag = "1.6.36-alpine" + exporter_tag = "v0.15.0" sidecar_tag = "1.27.4" ################ From 2a73cfa9f3f9827c3b7d35a6c2f720ce4864818e Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 7 Mar 2025 20:38:48 -0500 Subject: [PATCH 42/57] vers --- lab/_envcommon/default-versions.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 77b8c058..3da1ac69 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -116,7 +116,7 @@ locals { loki_tag = "3.4.2" enterprise_logs_provisioner_tag = "v1.7.0" gateway_tag = "1.27-alpine" - memcached_tag = "1.6.36-alpine" + memcached_tag = "1.6.37" exporter_tag = "v0.15.0" sidecar_tag = "1.27.4" From 1a941d4ea32e57f15ab2f73ff119d40baad37f1a Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Mon, 10 Mar 2025 22:38:17 -0400 Subject: [PATCH 43/57] keycloak defaults --- lab/_envcommon/default-versions.hcl | 6 +++--- .../vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 3da1ac69..2010d0fa 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -98,9 +98,9 @@ locals { keycloak_chart_version = "24.4.11" keycloak_tag = "26.1.3" keycloak_hostname = "keycloak" - keycloak_database = "keycloak_db" - keycloak_username = "keycloak_user" - # keycloak_password = "secure_password" + keycloak_database = "bitnami_keycloak" + keycloak_username = "bn_keycloak" + keycloak_password = "this is my very secure and totally random password horse battery staple now" postgresql_tag = "17.4.0-debian-12-r2" ################ diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index 4eb36b95..17d055a4 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl @@ -66,6 +66,7 @@ inputs = { # # Database configuration keycloak_database = include.root.inputs.keycloak_database keycloak_user = include.root.inputs.keycloak_username + keycloak_password = include.root.inputs.keycloak_password # Project information project_name = include.root.inputs.project_name From 20943a0ed7d74c4f83e08aaba724f3925455c083 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 10 Mar 2025 23:09:40 -0400 Subject: [PATCH 44/57] put keycloak in keycloak namespace for debug --- lab/_envcommon/default-versions.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
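Review bot: `keycloak_password = "this is my very secure and totally random password horse battery staple now"` commits a plaintext database password to `lab/_envcommon/default-versions.hcl`, a file shared by every module under `lab/`, and the second hunk then plumbs it into the keycloak module as a regular input, so it will also be written to Terraform state. Until this commit the line was commented out; keeping `keycloak_password` out of the repo was the right approach, and the value should instead be read at apply time from AWS Secrets Manager or SSM Parameter Store (or via `get_env`/`sops_decrypt_file` in Terragrunt) and declared `sensitive = true` on the module variable. Because the string is now in git history, treat it as disclosed and rotate it even if it only guards the lab cluster.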
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 2010d0fa..9ef6c292 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -31,7 +31,7 @@ locals { karpenter = "karpenter" metrics-server = "kube-system" postgresql = "kube-system" - keycloak = "kube-system" + keycloak = "keycloak" gogatekeeper = "kube-system" istio = "istio-system" kiali = "istio-system" From 5d487c573420acfb6bb0393e58bc5a6cf08d868d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 16:14:47 -0400 Subject: [PATCH 45/57] removed a few folders from workspace --- .github/platform-tg-infra.code-workspace | 8 ----- .../eks-grafana/terragrunt.hcl | 32 ++++++++++++++++++- 2 files changed, 31 insertions(+), 9 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 48d30875..1c8a26d6 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -8,14 +8,6 @@ "name": "tfmod-cert-mgr", "path": "../../tfmod-cert-mgr" }, - { - "name": "tfmod-config-job", - "path": "../../tfmod-config-job" - }, - { - "name": "tfmod-custom-iam-role-for-service-account-eks", - "path": "../../tfmod-custom-iam-role-for-service-account-eks" - }, { "name": "tfmod-eks", "path": "../../tfmod-eks" diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl index 85570c82..66564d6d 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl 
@@ -24,8 +24,33 @@ dependency "eks" { dependency "eks_loki" { config_path = "../eks-loki" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + rwo_storage_class = "gp3-mocked" + loki_internal_endpoint = { + url = "mock.loki.enpoint.example.com" + } + } +} + +dependency "eks_prometheus" { + config_path = "../eks-prometheus" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + rwo_storage_class = "gp3-mocked" + prometheus_server_internal_endpoint = { + url = "mock.prometheus.enpoint.example.com" + } + } +} + +dependency "eks_tempo" { + config_path = "../eks-tempo" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { rwo_storage_class = "gp3-mocked" + tempo_internal_endpoint = { + url = "mock.tempo.enpoint.example.com" + } } } @@ -33,7 +58,9 @@ dependencies { paths = [ "../eks", "../eks-dns", - "../eks-loki" + "../eks-loki", + "../eks-prometheus", + "../eks-tempo" ] } @@ -58,4 +85,7 @@ inputs = { namespace = include.root.inputs.namespaces["grafana"] os_shell_image_tag = include.root.inputs.os_shell_image_tag service_name = "grafana" + loki_endpoint = dependency.eks_loki.outputs.gateway_internal_endpoint.url + prometheus_endpoint = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url + tempo_endpoint = dependency.eks_tempo.outputs.tempo_internal_endpoint.url } From bdcd45234cfae1dc9663fb8ad23664dfd9433ced Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 17:41:49 -0400 Subject: [PATCH 46/57] update grafana tg --- .../platform-eng-eks-mcm/eks-grafana/terragrunt.hcl | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl index 66564d6d..3e4b9e7c 100644 
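Review bot: The new `eks_loki` mock declares `loki_internal_endpoint = { url = ... }`, but the input added in the last hunk reads `dependency.eks_loki.outputs.gateway_internal_endpoint.url`, so `plan`/`validate` with mocks fails on a missing attribute. The eks-otel module (patch 36) mocks the same dependency as `gateway_internal_endpoint`, which suggests that is the real output name; rename the mock key to `gateway_internal_endpoint` or the input to whichever attribute the loki module actually exports. Minor: the three mock URLs spell `enpoint`.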
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl @@ -21,6 +21,14 @@ dependency "eks" { } } +dependency "eks_dns" { + config_path = "../eks-dns" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_domain = "mock.domain.example.com" + } +} + dependency "eks_loki" { config_path = "../eks-loki" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] @@ -72,7 +80,7 @@ inputs = { # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name - cluster_domain = include.root.inputs.vpc_domain_name + cluster_domain = dependency.eks_dns.outputs.cluster_domain oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn # Storage Configuration From af1b60b7f87ad9aa9e75bc638ad7bca05589a8af Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 17:45:22 -0400 Subject: [PATCH 47/57] remove old module from workspace --- .github/platform-tg-infra.code-workspace | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 1c8a26d6..41d9b00b 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -60,10 +60,6 @@ "name": "tfmod-metrics-server", "path": "../../tfmod-metrics-server" }, - { - "name": "tfmod-postgresql", - "path": "../../tfmod-postgresql" - }, { "name": "tfmod-prometheus", "path": "../../tfmod-prometheus" From 7efb9b66bbe5208e7a05e373dc1473b48bc8f5df Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 17:51:29 -0400 Subject: [PATCH 48/57] reset branches to default --- .../vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl index 7ea7f9cc..5e03cd4a 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=cicd" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl index 8ab5bcee..39106588 100644 
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=keycloak" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl index 3e4b9e7c..86997bd5 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=namespaces" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl index 3f6e3e08..0cd1e1f9 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl 
@@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl index 794593fc..1d02df66 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl index 062cf73a..4fb97069 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index 17d055a4..cb0cf71c 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=standards" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index 5ee1bc72..4e759966 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl index 0c85b080..55d3830e 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl 
@@ -31,7 +31,7 @@ dependency "eks_config" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl index 18983eee..fd02a7ac 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl @@ -19,7 +19,7 @@ dependency "eks" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl index db2df664..763aa7c5 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=main" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" # source = "../../../../../../../tfmod-open-telemetry" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl index 76650e5e..fd546b15 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl index 133b6981..30d8620c 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=keycloak" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From e651e2d9a3752c99923db710ec62dff9b28265b9 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 17:56:25 -0400 Subject: [PATCH 49/57] missed one --- .../us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl index 3b248bab..9eca1de2 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From 0a7b2795aaee7784cf9633b092ad7205f95cb111 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 20:09:08 -0400 Subject: [PATCH 50/57] fmt --- .github/platform-tg-infra.code-workspace | 4 ++++ lab/_envcommon/default-versions.hcl | 12 ++++++------ .../eks-gogatekeeper/terragrunt.hcl | 14 +++++++------- .../eks-grafana/terragrunt.hcl | 6 +++--- .../eks-keycloak/terragrunt.hcl | 2 +- .../platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 1 - .../platform-eng-eks-mcm/eks-loki/terragrunt.hcl | 1 - .../platform-eng-eks-mcm/eks-otel/terragrunt.hcl | 12 ++++++------ .../eks-prometheus/terragrunt.hcl | 5 ++--- .../platform-eng-eks-mcm/eks-tempo/terragrunt.hcl | 4 ++-- .../eks-keycloak/terragrunt.hcl | 8 ++++---- .../platform-eng-eks-srn/eks-tempo/terragrunt.hcl | 6 +++--- 12 files changed, 38 insertions(+), 37 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 41d9b00b..8451c3ae 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -60,6 +60,10 @@ "name": "tfmod-metrics-server", "path": "../../tfmod-metrics-server" }, + { + "name": "tfmod-open-telemetry", + "path": "../../tfmod-open-telemetry" + }, { "name": "tfmod-prometheus", "path": "../../tfmod-prometheus" 
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 9ef6c292..929c2d9c 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -8,7 +8,7 @@ locals { custom_service_eks_account = "${local.release_version}" eks_module_version = "20.33.1" istio_ingress_version = "${local.release_version}" - release_version = "main" # "main" # change to main when testing updated modules + release_version = "mcmCluster" # "main" # change to main when testing updated modules ##################### # TF Providers @@ -61,7 +61,7 @@ locals { ################ # GoGatekeeper ################ - gogatekeeper_tag = "3.2.1" + gogatekeeper_tag = "3.2.1" gogatekeeper_chart_version = "0.1.53" ################ @@ -98,10 +98,10 @@ locals { keycloak_chart_version = "24.4.11" keycloak_tag = "26.1.3" keycloak_hostname = "keycloak" - keycloak_database = "bitnami_keycloak" - keycloak_username = "bn_keycloak" - keycloak_password = "this is my very secure and totally random password horse battery staple now" - postgresql_tag = "17.4.0-debian-12-r2" + keycloak_database = "bitnami_keycloak" + keycloak_username = "bn_keycloak" + keycloak_password = "this is my very secure and totally random password horse battery staple now" + postgresql_tag = "17.4.0-debian-12-r2" ################ # Kiali diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl index 39106588..86c95d46 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl @@ -25,7 +25,7 @@ dependency "eks_dns" { config_path = "../eks-dns" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - cluster_domain = "mock.example.com" + cluster_domain = "mock.example.com" } } 
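Review bot: The first hunk of `default-versions.hcl` switches `release_version` from `"main"` to `"mcmCluster"`, which moves every module in the environment onto a feature branch, yet the commit is titled `fmt` and the other hunks in it are whitespace-only, so the behavioural change is easy to miss in review. A ref change like this deserves its own commit with a message saying why, and the trailing comment `# "main" # change to main when testing updated modules` should be updated to describe whatever the intended default is, since it now contradicts the value. The `locals` block continues outside the hunk.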
@@ -33,7 +33,7 @@ dependency "eks_grafana" { config_path = "../eks-grafana" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - public_endpoint = "mock.grafaba.example.com" + public_endpoint = "mock.grafaba.example.com" } } @@ -41,7 +41,7 @@ dependency "eks_keycloak" { config_path = "../eks-keycloak" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - public_endpoint = "mock.keycloak.example.com" + public_endpoint = "mock.keycloak.example.com" } } @@ -63,15 +63,15 @@ inputs = { region = include.root.inputs.aws_region # Gatekeeper Config - gogatekeeper_tag = include.root.inputs.gogatekeeper_tag + gogatekeeper_tag = include.root.inputs.gogatekeeper_tag gogatekeeper_chart_version = include.root.inputs.gogatekeeper_chart_version - keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint + keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint # Service Behind Gatekeeper Config - service_name = "grafana" + service_name = "grafana" redirection_url = dependency.eks_grafana.outputs.public_endpoint # client_id = dependency.eks_keycloak.outputs.client_id # client_secret = dependency.eks_keycloak.outputs.client_secret - client_id = "client_id" + client_id = "client_id" client_secret = "client_secret" } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl index 86997bd5..7830797b 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl @@ -25,7 +25,7 @@ dependency "eks_dns" { config_path = "../eks-dns" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - cluster_domain = "mock.domain.example.com" + cluster_domain = "mock.domain.example.com" } } 
@@ -33,8 +33,8 @@ dependency "eks_loki" { config_path = "../eks-loki" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - rwo_storage_class = "gp3-mocked" - loki_internal_endpoint = { + rwo_storage_class = "gp3-mocked" + gateway_internal_endpoint = { url = "mock.loki.enpoint.example.com" } } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index cb0cf71c..8b6cb48c 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl @@ -65,7 +65,7 @@ inputs = { # # Database configuration keycloak_database = include.root.inputs.keycloak_database - keycloak_user = include.root.inputs.keycloak_username + keycloak_user = include.root.inputs.keycloak_username keycloak_password = include.root.inputs.keycloak_password # Project information diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index 4e759966..8302826a 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -16,7 +16,6 @@ dependencies { paths = [ "../eks", "../eks-config", - "../eks-dns", "../eks-grafana", "../eks-istio", "../eks-prometheus" diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl index 55d3830e..e126331b 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl 
@@ -9,7 +9,6 @@ dependencies { "../eks", "../eks-config", "../eks-metrics-server", - "../eks-dns" ] } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl index 763aa7c5..2c93211d 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl @@ -33,9 +33,9 @@ dependency "eks-loki" { config_path = "../eks-loki" mock_outputs = { gateway_internal_endpoint = { - hostname = "loki-gateway.telemetry.svc.cluster.local" - portNumber = "80" - url = "http://loki-gateway.telemetry.svc.cluster.local:80/" + hostname = "loki-gateway.mock.svc.cluster.local" + portNumber = 3210 + url = "http://loki-gateway.mock.svc.cluster.local:3210/" } } } @@ -44,9 +44,9 @@ dependency "eks-tempo" { config_path = "../eks-tempo" mock_outputs = { tempo_otlp_endpoint = { - hostname = "tempo.telemetry.svc.cluster.local" - portNumber = 4317 - url = "http://tempo.telemetry.svc.cluster.local:4317/" + hostname = "tempo.mock.svc.cluster.local" + portNumber = 1234 + url = "http://tempo.mock.svc.cluster.local:1234/" } } } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl index fd546b15..80e24e8f 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl @@ -17,7 +17,6 @@ dependencies { "../eks", "../eks-config", "../eks-metrics-server", - "../eks-dns" ] } @@ -30,7 +29,7 @@ dependency "eks" { } } -dependency "eks-config" { +dependency "eks_config" { config_path = "../eks-config" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { 
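Review bot: In the eks-otel file the `dependency "eks-loki"` block goes straight from `config_path` to `mock_outputs` with no `mock_outputs_allowed_terraform_commands`, and the `dependency "eks-tempo"` hunk below it looks the same; unless that attribute is set further down outside these hunks, Terragrunt will fall back to the mock endpoints (`loki-gateway.mock.svc.cluster.local:3210`, `tempo.mock.svc.cluster.local:1234`) for any command, including `apply`, whenever the upstream outputs are not yet available, and the collector would be deployed pointing at hosts that do not exist. Every other dependency block in this series restricts mocks with `mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]`; adding that line to both blocks keeps the mocks plan-only. Note also that `portNumber` changes from the string `"80"` to the number `3210`, so the mock now carries a different type than before — worth confirming it matches the type of the real `gateway_internal_endpoint` output, since a mismatch only surfaces on a real plan.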
@@ -57,5 +56,5 @@ inputs = { namespace = include.root.inputs.namespaces["prometheus"] node_exporter_tag = include.root.inputs.node_exporter_tag pushgateway_tag = include.root.inputs.pushgateway_tag - rwo_storage_class = dependency.eks-config.outputs.rwo_storage_class + rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl index 30d8620c..e94ad7f0 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl @@ -27,9 +27,9 @@ dependency "eks-prometheus" { mock_outputs = { prometheus_namespace = "prometheus" prometheus_server_internal_endpoint = { - hostname = "prometheus-server.prometheus.svc.cluster.local" + hostname = "prometheus-server.mock.svc.cluster.local" port_number = 9090 - url = "http://prometheus-server.prometheus.svc.cluster.local:9090/" + url = "http://prometheus-server.mock.svc.cluster.local:9090/" } } } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl index fc0d1ab7..248432dd 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl @@ -42,7 +42,7 @@ dependency "eks_postgresql" { config_path = "../eks-postgresql" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - internal_endpoint = { + internal_endpoint = { url = "mock-internal-endpoint-url" } } 
@@ -76,10 +76,10 @@ inputs = { telemetry_namespace = include.root.inputs.telemetry_namespace # Database configuration - db_host = dependency.eks_postgresql.outputs.internal_endpoint.url - db_name = include.root.inputs.postgresql_database + db_host = dependency.eks_postgresql.outputs.internal_endpoint.url + db_name = include.root.inputs.postgresql_database db_password = include.root.inputs.postgresql_password - db_user = include.root.inputs.postgresql_username + db_user = include.root.inputs.postgresql_username # Project information project_name = include.root.inputs.project_name diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl index e94c5a43..e1b17d6a 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl @@ -25,9 +25,9 @@ dependency "eks-prometheus" { config_path = "../eks-prometheus" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - prometheus_svc = "prometheus-server" + prometheus_svc = "prometheus-server" prometheus_namespace = "prometheus" - prometheus_port = 80 + prometheus_port = 80 prometheus_server_internal_endpoint = { hostname = "prometheus-server.prometheus.svc.cluster.local" port_number = 9090 @@ -55,7 +55,7 @@ inputs = { oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn # Prometheus Configuration - prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname + prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number From 0f0af4af82ed404d411bf8ca7d293b350b1baace Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 20:47:31 -0400 Subject: [PATCH 51/57] more fmt --- .../vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl | 1 - .../vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl index 4fb97069..25c22d7c 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl @@ -23,7 +23,6 @@ dependencies { dependency "eks" { config_path = "../eks" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { cluster_name = "mock-cluster" cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com" diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index 8b6cb48c..83550651 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl @@ -33,8 +33,7 @@ dependency "eks_dns" { config_path = "../eks-dns" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - cluster_domain = "mock.example.com" - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + cluster_domain = "mock.example.com" } } From 908c0ad0500066c5b692da574e31f4fc44a18d8f Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 22:07:43 -0400 Subject: [PATCH 52/57] use client id and secret --- .../eks-gogatekeeper/terragrunt.hcl | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl
index 86c95d46..9d5ac6b3 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl
@@ -68,10 +68,10 @@ inputs = {
 keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint
 # Service Behind Gatekeeper Config
- service_name = "grafana"
+ service_name = "test_gc"
 redirection_url = dependency.eks_grafana.outputs.public_endpoint
- # client_id = dependency.eks_keycloak.outputs.client_id
- # client_secret = dependency.eks_keycloak.outputs.client_secret
- client_id = "client_id"
- client_secret = "client_secret"
+ client_id = dependency.eks_keycloak.outputs.client_id
+ client_secret = dependency.eks_keycloak.outputs.client_secret
+ # client_id = "client_id"
+ # client_secret = "client_secret"
 }
From 9a391c547bc94fe9c4a076c2f82f5b90b2b515de Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 11 Mar 2025 22:55:14 -0400
Subject: [PATCH 53/57] fix service name regex violation
---
 .../vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl
index 9d5ac6b3..37f8e0b9 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl
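Review bot: `client_secret = dependency.eks_keycloak.outputs.client_secret` pulls the OIDC client secret out of the eks-keycloak remote state into this unit's inputs, so the value now lives in both units' state files and, unless the keycloak module declares that output with `sensitive = true`, it is printed in plain text by `terragrunt plan`/`apply` and by any CI log that captures them. Please confirm the output is marked sensitive on the producing side and that the state backend for these units is encrypted with access restricted, since the secret's confidentiality now rests entirely on state protection. A one-line comment such as `# client_id/client_secret are read from eks-keycloak state; keep that output sensitive` would make the dependency explicit for the next reader. The `inputs` block begins outside the hunk.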
@@ -68,10 +68,8 @@ inputs = {
 keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint
 # Service Behind Gatekeeper Config
- service_name = "test_gc"
+ service_name = "test-gc"
 redirection_url = dependency.eks_grafana.outputs.public_endpoint
 client_id = dependency.eks_keycloak.outputs.client_id
 client_secret = dependency.eks_keycloak.outputs.client_secret
- # client_id = "client_id"
- # client_secret = "client_secret"
 }
From 5c85b178da4c41bd00fdafd9084cde5b661c5810 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Thu, 13 Mar 2025 12:30:34 -0400
Subject: [PATCH 54/57] updates
---
 .github/platform-tg-infra.code-workspace | 3 +++
 lab/_envcommon/default-versions.hcl | 8 ++++----
 .../eks-gogatekeeper/terragrunt.hcl | 15 ++++++++++-----
 .../eks-keycloak/terragrunt.hcl | 5 ++++-
 4 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace
index 8451c3ae..d243b5d4 100644
--- a/.github/platform-tg-infra.code-workspace
+++ b/.github/platform-tg-infra.code-workspace
@@ -79,6 +79,9 @@
 {
 "name": "terragrunt",
 "path": "../../terragrunt"
+ },
+ {
+ "path": "../../tfmod-config-job"
 }
 ]
 }
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index 929c2d9c..11e1d97c 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
@@ -24,8 +24,8 @@ locals {
 #####################
 # Namespaces Config
 #####################
- operator_namespace = "operator"
- telemetry_namespace = "telemetry"
+ operator_namespace = "aoperator"
+ telemetry_namespace = "atelemetry"
 namespaces = {
 cert-manager = "kube-system"
 karpenter = "karpenter"
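Review bot: `operator_namespace = "aoperator"` and `telemetry_namespace = "atelemetry"` read like scratch values rather than intended names, and because this is `lab/_envcommon/default-versions.hcl` they propagate to every unit that reads `include.root.inputs.telemetry_namespace` (the keycloak and tempo units in this series do). Renaming a namespace in a shared default also makes Terraform create new namespaces and recreate every namespaced resource that lived under the old ones, so if this is a temporary debugging change it should be reverted before merge, and if it is intended the commit message (`updates`) should say why and the old namespaces should be cleaned up deliberately. The `locals` block continues outside the hunk.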
@@ -98,8 +98,8 @@ locals {
 keycloak_chart_version = "24.4.11"
 keycloak_tag = "26.1.3"
 keycloak_hostname = "keycloak"
- keycloak_database = "bitnami_keycloak"
- keycloak_username = "bn_keycloak"
+ keycloak_database = "keycloak"
+ keycloak_username = "keycloak"
 keycloak_password = "this is my very secure and totally random password horse battery staple now"
 postgresql_tag = "17.4.0-debian-12-r2"
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl
index 37f8e0b9..119537e6 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl
@@ -42,6 +42,9 @@ dependency "eks_keycloak" {
 mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
 mock_outputs = {
 public_endpoint = "mock.keycloak.example.com"
+ discovery_url = "mock.keycloak.example.com/auth"
+ client_id = "mock-client-id"
+ client_secret = "mock-client-secret"
 }
 }
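Review bot: `keycloak_password` sits in plain text in the shared `lab/_envcommon/default-versions.hcl` — unchanged context here, but this hunk makes it the credential for the new `keycloak` database user and, via the eks-keycloak unit later in the series, the realm user as well — so anyone with read access to the repository or its history holds a live credential, and rotating it requires a commit. Terragrunt can source the value at run time instead, for example `keycloak_password = get_env("KEYCLOAK_PASSWORD")` or a `sops_decrypt_file(...)` lookup, with the consuming module's variable declared `sensitive = true`; the value already committed should then be treated as exposed and rotated. The `locals` block continues outside the hunk.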
@@ -65,11 +68,13 @@ inputs = {
 # Gatekeeper Config
 gogatekeeper_tag = include.root.inputs.gogatekeeper_tag
 gogatekeeper_chart_version = include.root.inputs.gogatekeeper_chart_version
- keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint
+ keycloak_discovery_url = dependency.eks_keycloak.outputs.discovery_url
 # Service Behind Gatekeeper Config
- service_name = "test-gc"
- redirection_url = dependency.eks_grafana.outputs.public_endpoint
- client_id = dependency.eks_keycloak.outputs.client_id
- client_secret = dependency.eks_keycloak.outputs.client_secret
+ service_name = "test-gc"
+ upstream_url = dependency.eks_grafana.outputs.public_endpoint
+ redirection_url = dependency.eks_grafana.outputs.public_endpoint
+ client_id = dependency.eks_keycloak.outputs.client_id
+ client_secret = dependency.eks_keycloak.outputs.client_secret
+ keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
index 83550651..74132d72 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl
@@ -47,7 +47,6 @@ dependencies {
 }
 inputs = {
- admin_email = include.root.inputs.cluster_mailing_list
 cluster_domain = dependency.eks_dns.outputs.cluster_domain
 cluster_name = dependency.eks.outputs.cluster_name
 namespace = include.root.inputs.namespaces["keycloak"]
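Review bot: `upstream_url` and `redirection_url` are both set to `dependency.eks_grafana.outputs.public_endpoint`; for a reverse-proxy gatekeeper the upstream is normally the in-cluster service address while the redirection URL is the public address the browser is sent back to after login. Proxying to the public endpoint sends user traffic back out through the ingress — and, if that ingress is fronted by this gatekeeper, into a redirect loop — so unless the module deliberately expects a public upstream this should probably be the internal endpoint the eks-kiali unit already consumes, `upstream_url = dependency.eks_grafana.outputs.internal_endpoint.url`. `keycloak_public_url` and `keycloak_discovery_url` are now both passed; a short comment on which one the module uses for what would help the next reader. The `inputs` block begins outside the hunk.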
@@ -59,6 +58,10 @@ inputs = {
 keycloak_chart_version = include.root.inputs.keycloak_chart_version
 keycloak_hostname = include.root.inputs.keycloak_hostname
 keycloak_tag = include.root.inputs.keycloak_tag
+ realm_email = include.root.inputs.cluster_mailing_list
+ realm_name = "master"
+ realm_password = include.root.inputs.keycloak_password
+ realm_username = include.root.inputs.keycloak_username
 service_name = "keycloak"
 telemetry_namespace = include.root.inputs.telemetry_namespace
From 0d0fd5efe9c3802fe0e7a2cf2e2f0f6908cbc095 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Thu, 13 Mar 2025 14:13:34 -0400
Subject: [PATCH 55/57] update from lukes pr
---
 .../eks-kiali/terragrunt.hcl | 53 +++++++++++++------
 1 file changed, 37 insertions(+), 16 deletions(-)
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
index 8302826a..3bf43660 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
@@ -12,16 +12,6 @@ terraform {
 }
 }
-dependencies {
- paths = [
- "../eks",
- "../eks-config",
- "../eks-grafana",
- "../eks-istio",
- "../eks-prometheus"
- ]
-}
-
 dependency "eks" {
 config_path = "../eks"
 mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
@@ -31,11 +21,11 @@ dependency "eks" {
 }
 }
-dependency "eks_config" {
- config_path = "../eks-config"
+dependency "eks_cert_manager" {
+ config_path = "../eks-cert-manager"
 mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
 mock_outputs = {
- operators_namespace = "mock-namespace"
+ cluster_issuer_name = "mock-issuer"
 }
 }
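Review bot: `realm_username`/`realm_password` reuse `keycloak_username` and `keycloak_password`, the same values this unit already passes as the database credentials (`keycloak_user`/`keycloak_password` in an earlier hunk of this file), so one leak now exposes both the PostgreSQL role and the realm account, and `realm_name = "master"` places that account in the realm Keycloak reserves for server administration rather than in a per-application realm. If the module uses these inputs to bootstrap an admin user it needs at least a separate secret; if they are for an application realm, a dedicated realm name is the safer default. A comment on what the module does with the `realm_*` inputs, e.g. `# realm_* bootstraps <what> in Keycloak — do not share with the DB credential`, would make that decision reviewable. The `inputs` block begins outside the hunk.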
@@ -44,7 +34,6 @@ dependency "eks_dns" { mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { cluster_domain = "mock.example.com" - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" } } @@ -79,6 +68,30 @@ dependency "eks_prometheus" { } } +dependency "eks_tempo" { + config_path = "../eks-tempo" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + tempo_internal_endpoint = { + hostname = "tempo.mock.svc.cluster.local" + port_number = "80" + url = "https://tempo.mock.svc.cluster.local:80/" + } + } +} + +dependencies { + paths = [ + "../eks", + "../eks-config", + "../eks-grafana", + "../eks-istio", + "../eks-prometheus", + "../eks-tempo", + ] +} + + inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id 
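Review bot: The re-added `dependencies` block still lists `../eks-config` although the `dependency "eks_config"` block was removed in the previous hunk, and it omits `../eks-cert-manager` although a `dependency "eks_cert_manager"` block was added; `dependency` blocks already order `run-all`, so nothing breaks, but the list no longer describes this unit's real edges. Adding `"../eks-cert-manager",` to `paths` and confirming whether `../eks-config` is still a genuine prerequisite would bring the two back in line. The new `eks_tempo` mock also uses `port_number = "80"` (a string, where the prometheus mocks in this series use a number) together with `url = "https://tempo.mock.svc.cluster.local:80/"`, an https URL on port 80; matching the type and scheme of the real `tempo_internal_endpoint` output keeps plan-time validation honest.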
@@ -88,17 +101,25 @@ inputs = {
 # Cluster Configuration
 cluster_domain = dependency.eks_dns.outputs.cluster_domain
 cluster_name = dependency.eks.outputs.cluster_name
+ certificate_issuer = dependency.eks_cert_manager.outputs.cluster_issuer_name
 # Kiali Configuration
 service_name = "kiali"
- namespace = include.root.inputs.namespaces["kiali"]
+ namespace = include.root.inputs.namespaces["kiali"]
+ istio_namespace = include.root.inputs.namespaces["istio"]
 grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
 grafana_namespace = dependency.eks_grafana.outputs.namespace
 grafana_secret_name = dependency.eks_grafana.outputs.secret_name
 grafana_public_url = dependency.eks_grafana.outputs.public_endpoint
+ kiali_application_version = include.root.inputs.kiali_application_version
 kiali_operator_version = include.root.inputs.kiali_operator_version
 prometheus_internal_url = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
- # jager_internal_url = dependency.eks_prometheus.outputs.jager_internal_url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ grafana_public_url = dependency.eks_grafana.outputs.public_endpoint
+ tempo_datasource_id = dependency.eks_grafana.outputs.tempo_datasource_id
+ tempo_internal_url = dependency.eks_tempo.outputs.tempo_internal_endpoint.url
 }
From 98a0a07a38991ba3d5e1c1cbc3b9fa7832b66972 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Thu, 13 Mar 2025 15:48:53 -0400
Subject: [PATCH 56/57] disable gatekeeper
---
 .../eks-gogatekeeper/{terragrunt.hcl => terragrunt.hcl.off} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/{terragrunt.hcl => terragrunt.hcl.off} (100%)
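Review bot: `grafana_namespace`, `grafana_secret_name`, `grafana_internal_url` and `grafana_public_url` are each assigned twice inside the same `inputs = { ... }` object after this hunk — once in the existing context lines and again in the block added at the bottom. Depending on the HCL version Terragrunt embeds, a duplicate key in an object constructor is either a parse error or a silent last-one-wins, and either way two copies invite the values to drift apart; keep only the added `tempo_datasource_id` and `tempo_internal_url` lines from that block and drop the four repeated `grafana_*` assignments. The `inputs` block begins outside the hunk.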
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl.off
similarity index 100%
rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl.off
From d6bff735bbfb2dc69709ed73bfb94c8dd4e91e46 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 17 Mar 2025 17:06:44 -0400
Subject: [PATCH 57/57] updated
---
 lab/_envcommon/default-versions.hcl | 2 +-
 .../vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index 11e1d97c..478dc672 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
@@ -8,7 +8,7 @@ locals {
 custom_service_eks_account = "${local.release_version}"
 eks_module_version = "20.33.1"
 istio_ingress_version = "${local.release_version}"
- release_version = "mcmCluster" # "main" # change to main when testing updated modules
+ release_version = "main" # "main" # change to main when testing updated modules
 #####################
 # TF Providers
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
index 3bf43660..f1c9bdcb 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl
@@ -53,6 +53,7 @@ dependency "eks_grafana" {
 url = "https://grafana.mock.lab.csp2.census.gov:80/"
 }
 secret_name = "grafana"
+ tempo_datasource_id = "mock-tempo-datasource-id"
 }
 }