Added support for specifying additional ports and tags for the load b…

…alancer. Docs for README.md generation.
SCT-Engineering · Nov 1, 2023 · 6e08fbe · 6e08fbe
1 parent 02d980e
commit 6e08fbe
Showing 1 changed file with 93 additions and 5 deletions.
diff --git a/main.tf b/main.tf
@@ -1,3 +1,54 @@
+/**
+ * # tfmod-istio
+ *
+ * Istio is a service mesh that provides encryption services to network
+ * traffic within the node and externally.
+ *
+ * Generally, for services exposed outside of the EKS cluster, istio
+ * terminates TLS connections at the istio-ingressgateway in the
+ * istio-system namespace. For pod-to-pod communication, istio sidecar
+ * proxies provide encryption for in-cluster communication.  Istio is a
+ * highly configurable service mesh and can be configured permissively
+ * (enable encryption where possible, allow non-encrypted communication
+ * if one of the services is not configured with the istio proxy) or
+ * restrictively (enforce all encryption requirements, if a pod does not
+ * have a istio proxy configured, prevent communication with that pod.)
+ *
+ * ## Important Topics / Concepts:
+ *
+ * - Gateway/VirtualService/DestinationRule objects allow for services to
+ *   be exposed outside of the cluster.
+ * - AuthorizationPolicy/RequestAuthentication objects allow for
+ *   configuration of which identities are allowed to call services, and
+ *   which services are allowed to interact with other services.
+ */
+
+locals {
+  base_tags = {
+    "boc:tf_module_name"    = local._module_name
+    "boc:tf_module_version" = local._module_version
+    "Name"                  = format("%v-istio-ingress", var.cluster_name)
+    "eks-cluster-name"      = var.cluster_name
+  }
+  tags = merge(local.base_tags, var.tags)
+
+  # Default ports for the load balancer
+  ports = concat([
+    {
+      name = "http2"
+      port = "80"
+    },
+    {
+      name = "https"
+      port = "443"
+    },
+    {
+      name = "status-port"
+      port = "15021"
+    }
+  ], var.extra_listener_ports)
+}
+
 resource "kubernetes_namespace" "ns" {
   metadata {
     name = var.namespace
@@ -24,7 +75,7 @@ resource "helm_release" "istiod" {
   chart      = "istiod"
   name       = "istiod"
   namespace  = kubernetes_namespace.ns.metadata[0].name
-  version    = var.istio_version
+  version    = var.istio_chart_version
   repository = "https://istio-release.storage.googleapis.com/charts"
 
   set {
@@ -37,11 +88,11 @@ resource "helm_release" "istiod" {
   }
   set {
     name  = "global.proxy.image"
-    value = module.images.images[local.pilot_key].dest_repository
+    value = module.images.images[local.proxy_key].dest_repository
   }
   set {
     name  = "global.proxy_init.image"
-    value = module.images.images[local.pilot_key].dest_repository
+    value = module.images.images[local.proxy_key].dest_repository
   }
 
   set {
@@ -68,13 +119,50 @@ resource "helm_release" "ingress" {
   chart      = "gateway"
   name       = "istio-ingressgateway"
   namespace  = kubernetes_namespace.ns.metadata[0].name
-  version    = var.istio_version
+  version    = var.istio_chart_version
   repository = "https://istio-release.storage.googleapis.com/charts"
 
   set {
     name  = "service.annotations.service\\.beta\\.kubernetes\\.io/aws-load-balancer-type"
     value = "nlb"
   }
+  set {
+    name  = "service.annotations.service\\.beta\\.kubernetes\\.io/aws-load-balancer-additional-resource-tags"
+    value = join(",", [for key, value in local.tags : "${key}=${value}"])
+  }
+
+  dynamic "set" {
+    for_each = local.ports
+
+    content {
+      name  = format("service.ports[%v].name", set.key)
+      value = set.value.name
+    }
+  }
+  dynamic "set" {
+    for_each = local.ports
+
+    content {
+      name  = format("service.ports[%v].port", set.key)
+      value = set.value.port
+    }
+  }
+  dynamic "set" {
+    for_each = local.ports
+
+    content {
+      name  = format("service.ports[%v].protocol", set.key)
+      value = "TCP"
+    }
+  }
+  dynamic "set" {
+    for_each = local.ports
+
+    content {
+      name  = format("service.ports[%v].targetPort", set.key)
+      value = set.value.port
+    }
+  }
 }
 
 resource "helm_release" "egress" {
@@ -85,7 +173,7 @@ resource "helm_release" "egress" {
   chart      = "gateway"
   name       = "istio-egressgateway"
   namespace  = kubernetes_namespace.ns.metadata[0].name
-  version    = var.istio_version
+  version    = var.istio_chart_version
   repository = "https://istio-release.storage.googleapis.com/charts"
 
   set {