diff --git a/main.tf b/main.tf
index c9fa24b..f599126 100644
--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,54 @@
+/**
+ * # tfmod-istio
+ *
+ * Istio is a service mesh that provides encryption services to network
+ * traffic within the node and externally.
+ *
+ * Generally, for services exposed outside of the EKS cluster, istio
+ * terminates TLS connections at the istio-ingressgateway in the
+ * istio-system namespace. For pod-to-pod communication, istio sidecar
+ * proxies provide encryption for in-cluster communication. Istio is a
+ * highly configurable service mesh and can be configured permissively
+ * (enable encryption where possible, allow non-encrypted communication
+ * if one of the services is not configured with the istio proxy) or
+ * restrictively (enforce all encryption requirements, if a pod does not
+ * have a istio proxy configured, prevent communication with that pod.)
+ *
+ * ## Important Topics / Concepts:
+ *
+ * - Gateway/VirtualService/DestinationRule objects allow for services to
+ * be exposed outside of the cluster.
+ * - AuthorizationPolicy/RequestAuthentication objects allow for
+ * configuration of which identities are allowed to call services, and
+ * which services are allowed to interact with other services.
+ */
+
+locals {
+ base_tags = {
+ "boc:tf_module_name" = local._module_name
+ "boc:tf_module_version" = local._module_version
+ "Name" = format("%v-istio-ingress", var.cluster_name)
+ "eks-cluster-name" = var.cluster_name
+ }
+ tags = merge(local.base_tags, var.tags)
+
+ # Default ports for the load balancer
+ ports = concat([
+ {
+ name = "http2"
+ port = "80"
+ },
+ {
+ name = "https"
+ port = "443"
+ },
+ {
+ name = "status-port"
+ port = "15021"
+ }
+ ], var.extra_listener_ports)
+}
+
 resource "kubernetes_namespace" "ns" {
 metadata {
 name = var.namespace
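Review bot: The `# Default ports for the load balancer` comment on `local.ports` understates what the list does: every entry, including whatever the caller passes in `var.extra_listener_ports`, becomes a listener on the ingress gateway's NLB with no check on the entry's shape here, so a typo in a caller's extra port widens what is reachable from outside the cluster. I would expand it to `# Listeners exposed on the ingress gateway's NLB (chart defaults plus var.extra_listener_ports); each entry needs string fields name and port, and port is also used as the targetPort`, assuming the variable's type constraint in variables.tf (outside this diff) is what enforces the shape. Minor wording in the header comment: `have a istio proxy configured` should read `have an istio proxy configured`.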
@@ -24,7 +75,7 @@ resource "helm_release" "istiod" { chart = "istiod" name = "istiod" namespace = kubernetes_namespace.ns.metadata[0].name - version = var.istio_version + version = var.istio_chart_version repository = "https://istio-release.storage.googleapis.com/charts" set { @@ -37,11 +88,11 @@ resource "helm_release" "istiod" { } set { name = "global.proxy.image" - value = module.images.images[local.pilot_key].dest_repository + value = module.images.images[local.proxy_key].dest_repository } set { name = "global.proxy_init.image" - value = module.images.images[local.pilot_key].dest_repository + value = module.images.images[local.proxy_key].dest_repository } set { @@ -68,13 +119,50 @@ resource "helm_release" "ingress" { chart = "gateway" name = "istio-ingressgateway" namespace = kubernetes_namespace.ns.metadata[0].name - version = var.istio_version + version = var.istio_chart_version repository = "https://istio-release.storage.googleapis.com/charts" set { name = "service.annotations.service\\.beta\\.kubernetes\\.io/aws-load-balancer-type" value = "nlb" } + set { + name = "service.annotations.service\\.beta\\.kubernetes\\.io/aws-load-balancer-additional-resource-tags" + value = join(",", [for key, value in local.tags : "${key}=${value}"]) + } + + dynamic "set" { + for_each = local.ports + + content { + name = format("service.ports[%v].name", set.key) + value = set.value.name + } + } + dynamic "set" { + for_each = local.ports + + content { + name = format("service.ports[%v].port", set.key) + value = set.value.port + } + } + dynamic "set" { + for_each = local.ports + + content { + name = format("service.ports[%v].protocol", set.key) + value = "TCP" + } + } + dynamic "set" { + for_each = local.ports + + content { + name = format("service.ports[%v].targetPort", set.key) + value = set.value.port + } + } } resource "helm_release" "egress" { 
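Review bot: In the ingress hunk, `value = join(",", [for key, value in local.tags : "${key}=${value}"])` flattens `local.tags` into the AWS load-balancer tag annotation, but `local.tags` merges the unconstrained `var.tags`, so a key or value containing `,` or `=` silently corrupts every tag after it (and tags are often what cost and ownership controls key on). A `validation` block on `var.tags` in variables.tf (outside this diff) such as `condition = alltrue([for k, v in var.tags : !can(regex("[,=]", "${k}${v}"))])` with an error message naming the two characters would reject the bad input at plan time. Style: the four near-identical `dynamic "set"` blocks over `local.ports` could be one `dynamic "set"` over a flattened list of `{ name, value }` pairs built in `locals`, which would also keep the `service.ports[%v]` index in a single place. The `helm_release.ingress` body starts before this hunk.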
@@ -85,7 +173,7 @@ resource "helm_release" "egress" { chart = "gateway" name = "istio-egressgateway" namespace = kubernetes_namespace.ns.metadata[0].name - version = var.istio_version + version = var.istio_chart_version repository = "https://istio-release.storage.googleapis.com/charts" set {