prepare release

Signed-off-by: Kevin Lefevre <[email protected]>
particuleio · Jan 26, 2022 · caaf65e · caaf65e
1 parent 4e0d2d2
commit caaf65e
Show file tree

Hide file tree

Showing 20 changed files with 222 additions and 296 deletions.
diff --git a/.tool-versions b/.tool-versions
@@ -1,5 +1,5 @@
-terragrunt 0.35.16
-terraform 1.1.3
+terragrunt 0.36.0
+terraform 1.1.4
 terraform-docs 0.16.0
-tflint 0.33.1
-tfsec 0.61.3
+tflint 0.34.1
+tfsec 0.63.1
diff --git a/README.md b/README.md
@@ -12,12 +12,17 @@
 <!-- vim-markdown-toc GFM -->
 
 * [Terraform/Terragrunt](#terraformterragrunt)
+* [Contributing](#contributing)
 * [Requirements](#requirements)
   * [Terragrunt](#terragrunt)
 * [Main purposes](#main-purposes)
 * [What you get](#what-you-get)
 * [Curated Features](#curated-features)
+  * [Bottlerocket support](#bottlerocket-support)
+  * [AWS Session Manager by default](#aws-session-manager-by-default)
+  * [From and to Zero scaling with EKS Managed Node Groups](#from-and-to-zero-scaling-with-eks-managed-node-groups)
   * [Enforced security](#enforced-security)
+  * [Out of the box logging](#out-of-the-box-logging)
   * [Out of the box monitoring](#out-of-the-box-monitoring)
   * [Helm v3 provider](#helm-v3-provider)
   * [Other and not limited to](#other-and-not-limited-to)
@@ -48,6 +53,12 @@ with Terragrunt. [Archive branch is available here](https://github.com/particule
 
 * Terragrunt implementation is available in the [`terragrunt`](./terragrunt) folder.
 
+## Contributing
+
+Contribution are welcome, as well as issues, we are usually quite reactive. If
+you need more support for your project, do not hesitate to [reach us
+directly](mailto:[email protected]).
+
 ## Requirements
 
 ### Terragrunt
@@ -65,29 +76,62 @@ A production cluster all defined in IaaC with Terraform/Terragrunt:
 
 * AWS VPC if needed based on [`terraform-aws-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc)
 * EKS cluster base on [`terraform-aws-eks`](https://github.com/terraform-aws-modules/terraform-aws-eks)
-* Kubernetes addons based on [`terraform-kubernetes-addons`](https://github.com/particuleio/terraform-kubernetes-addons): provides various addons that are often used on Kubernetes and specifically on EKS.
+* Kubernetes addons based on [`terraform-kubernetes-addons`](https://github.com/particuleio/terraform-kubernetes-addons): provides various addons that are often used on Kubernetes and specifically on EKS. This module is currated by [Particule](https://particule.io/en/) and well maintained.
 
 Everything is tied together with Terragrunt and allows you to deploy a multi
-cluster architecture in a matter of minutes (ok maybe an hour) and different AWS
-accounts for different environments.
+cluster architecture in a matter of minutes.
 
 ## Curated Features
 
-The main additionals features are the curated addons list, see
-[here](https://github.com/particuleio/terraform-kubernetes-addons) and in the
-customization of the cluster policy
+The additional features are provided by tEKS here as well as our [curated addons
+module](https://github.com/particuleio/terraform-kubernetes-addons) which
+support a bunch of various configuration.
+
+### Bottlerocket support
+
+[Bottlerocket OS](https://github.com/bottlerocket-os/bottlerocket) is available
+for node groups (see example
+(here)[https://github.com/particuleio/teks/tree/main/terragrunt/live/production/eu-west-1/clusters/demo/eks]).
+Bottle rocket is a container centric OS with less attack surface and no default
+shell.
+
+### AWS Session Manager by default
+
+All the instances (Bottlerocket or Amazon Linux) are registered with [AWS Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html). No SSH keys or SSH access is open on instances. Shell access on every instance can be given with SSM for added security.
+
+```
+aws ssm start-session --target INSTANCE_ID
+```
+
+### From and to Zero scaling with EKS Managed Node Groups
+
+tEKS support scaling to and from 0, even with using [well know Kubernetes labels](https://kubernetes.io/docs/reference/labels-annotations-taints/), there are a number of [ongoing issues](https://github.com/aws/containers-roadmap/issues/724) for support of [EKS Managed node groups](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html) with [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler). Thanks to [automatic ASG tagging](https://github.com/particuleio/teks/blob/main/terragrunt/snippets/eks-asg-tags/eks-asg-tags.tf), tEKS adds the necessary tags on autoscaling group to balance similar node groups and allow you to scale to and from 0 and even to use well know labels such as `node.kubernetes.io/instance-type` or `topology.kubernetes.io/zone
+`. The logic can be extended to support other well known labels.
 
 ### Enforced security
 
-* No IAM credentials on instances, everything is enforced with [IRSA](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/)
+* No IAM credentials on instances, everything is enforced with [IRSA](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/).
 * Each addons is deployed in it's own namespace with sensible default network policies.
-* Calico Tigera Operator for network policy
+* Calico Tigera Operator for network policy.
+* PSP are enabled but not enforced because of depreciation.
+
+### Out of the box logging
+
+Three stacks are supported:
+* [AWS for Fluent Bit](https://docs.fluentbit.io/manual/installation/aws-container): Forward containers logs to Cloudwatch Logs
+* [Grafana Loki](https://grafana.com/oss/loki/): Uses [Promtail](https://grafana.com/docs/loki/latest/clients/promtail/) to forward logs
+    to [Loki](https://grafana.com/oss/loki/). Grafana or a tEKS supported
+    monitoring stack (see below) is necessary to display logs.
 
 ### Out of the box monitoring
 
 * Prometheus Operator with defaults dashboards
 * Addons that support metrics are enable along with their `serviceMonitor`
-* Custom grafana dashboard are available by default.
+* Custom grafana dashboard are available by default
+
+Two stacks are supported:
+* [Victoria Metrics](https://victoriametrics.com/) [Stack](https://github.com/VictoriaMetrics/helm-charts/tree/master/charts/victoria-metrics-k8s-stack): [Victoria Metrics](https://victoriametrics.com/) is a Prometheus alertnative, [compatible with prometheus CRDs](https://github.com/VictoriaMetrics/operator#overview)
+* [Kube Prometheus Stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack): Classic [Prometheus](https://prometheus.io/) Monitoring
 
 ### Helm v3 provider
 
@@ -96,8 +140,7 @@ customization of the cluster policy
 
 ### Other and not limited to
 
-* priorityClasses for addons
-* use of [`kubectl-provider`], no more local exec and custom manifest are properly handled
+* priorityClasses for addons and critical addons
 * lot of manual stuff have been automated under the hood
 
 ## Requirements
@@ -111,7 +154,7 @@ Terragrunt is not a hard requirement but all the modules are tested with Terragr
 
 ## Examples
 
-[`terragrunt/live`](terragrunt/live) folder provides an opinionated directory structure for a production environment with an example using
+[`terragrunt/live`](terragrunt/live) folder provides an opinionated directory structure for a production environment.
 
 ## Additional infrastructure blocks
 

diff --git a/terragrunt/live/production/env_tags.yaml b/terragrunt/live/production/env_tags.yaml
@@ -1,2 +1,2 @@
 ---
-Environment: demo
+Environment: production
diff --git a/terragrunt/live/production/env_values.yaml b/terragrunt/live/production/env_values.yaml
@@ -1,2 +1,2 @@
-env: demo
+env: production
 default_domain_name: clusterfrak-dynamics.io
diff --git a/terragrunt/live/production/eu-west-1/clusters/demo/eks-addons-critical/terragrunt.hcl b/terragrunt/live/production/eu-west-1/clusters/demo/eks-addons-critical/terragrunt.hcl
@@ -17,7 +17,7 @@ include "eks" {
 }
 
 terraform {
-  source = "github.com/particuleio/terraform-kubernetes-addons.git//modules/aws?ref=v3.1.0"
+  source = "github.com/particuleio/terraform-kubernetes-addons.git//modules/aws?ref=v3.2.0"
 }
 
 generate "provider-local" {
@@ -26,6 +26,16 @@ generate "provider-local" {
   contents  = file("../../../../../../provider-config/eks-addons/eks-addons.tf")
 }
 
+generate "provider-github" {
+  path      = "provider-github.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "github" {
+      owner = "${include.root.locals.merged.github_owner}"
+    }
+  EOF
+}
+
 inputs = {
 
   priority-class = {
@@ -56,7 +66,7 @@ inputs = {
   aws-ebs-csi-driver = {
     enabled          = true
     is_default_class = true
-    wait             = true
+    wait             = false
     use_encryption   = true
     use_kms          = true
   }
@@ -77,9 +87,10 @@ inputs = {
   npd = {
     # Waiing for ARM image https://github.com/kubernetes/node-problem-detector/issues/586
     enabled      = true
+    wait         = false
     extra_values = <<-EXTRA_VALUES
       nodeSelector:
-        kubernetes.io/arch: arm64
+        kubernetes.io/arch: amd64
       EXTRA_VALUES
   }
 

diff --git a/terragrunt/live/production/eu-west-1/clusters/demo/eks-addons/terragrunt.hcl b/terragrunt/live/production/eu-west-1/clusters/demo/eks-addons/terragrunt.hcl
@@ -17,7 +17,7 @@ include "eks" {
 }
 
 terraform {
-  source = "github.com/particuleio/terraform-kubernetes-addons.git//modules/aws?ref=v3.1.0"
+  source = "github.com/particuleio/terraform-kubernetes-addons.git//modules/aws?ref=v3.2.0"
 }
 
 generate "provider-local" {
@@ -26,6 +26,16 @@ generate "provider-local" {
   contents  = file("../../../../../../provider-config/eks-addons/eks-addons.tf")
 }
 
+generate "provider-github" {
+  path      = "provider-github.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "github" {
+      owner = "${include.root.locals.merged.github_owner}"
+    }
+  EOF
+}
+
 inputs = {
 
   priority-class = {
@@ -47,10 +57,11 @@ inputs = {
   }
 
   cert-manager = {
-    enabled             = true
-    acme_http01_enabled = true
-    acme_dns01_enabled  = true
-    extra_values        = <<-EXTRA_VALUES
+    enabled                   = true
+    acme_http01_enabled       = true
+    acme_dns01_enabled        = true
+    acme_http01_ingress_class = "nginx"
+    extra_values              = <<-EXTRA_VALUES
       ingressShim:
         defaultIssuerName: letsencrypt
         defaultIssuerKind: ClusterIssuer
@@ -60,7 +71,7 @@ inputs = {
 
   cluster-autoscaler = {
     enabled      = true
-    version      = "v1.21.0"
+    version      = "v1.21.2"
     extra_values = <<-EXTRA_VALUES
       extraArgs:
         scale-down-utilization-threshold: 0.7
@@ -76,13 +87,13 @@ inputs = {
   # For this to work:
   # * GITHUB_TOKEN should be set
   flux2 = {
-    enabled               = false
+    enabled               = true
     target_path           = "gitops/clusters/${include.root.locals.merged.env}/${include.root.locals.merged.name}"
-    github_url            = "ssh://[email protected]/owner/repo"
-    repository            = "repo"
+    github_url            = "ssh://[email protected]/particuleio/teks"
+    repository            = "teks"
     branch                = "main"
-    repository_visibility = "private"
-    version               = "v0.25.1"
+    repository_visibility = "public"
+    version               = "v0.25.3"
     auto_image_update     = true
   }
 
@@ -113,7 +124,7 @@ inputs = {
     extra_values                = <<-EXTRA_VALUES
       grafana:
         image:
-          tag: 8.3.3
+          tag: 8.3.4
         deploymentStrategy:
           type: Recreate
         ingress:
@@ -140,20 +151,59 @@ inputs = {
           ruleSelectorNilUsesHelmValues: false
           serviceMonitorSelectorNilUsesHelmValues: false
           podMonitorSelectorNilUsesHelmValues: false
+          probeSelectorNilUsesHelmValues: false
           storageSpec:
             volumeClaimTemplate:
               spec:
                 accessModes: ["ReadWriteOnce"]
                 resources:
                   requests:
                     storage: 10Gi
+          resources:
+            requests:
+              cpu: 1
+              memory: 2Gi
+            limits:
+              cpu: 2
+              memory: 2Gi
       EXTRA_VALUES
   }
 
   loki-stack = {
     enabled              = true
     bucket_force_destroy = true
-
+    extra_values         = <<-VALUES
+      resources:
+        requests:
+          cpu: 1
+          memory: 2Gi
+        limits:
+          cpu: 2
+          memory: 4Gi
+      config:
+        limits_config:
+          ingestion_rate_mb: 320
+          ingestion_burst_size_mb: 512
+          max_streams_per_user: 100000
+        chunk_store_config:
+          max_look_back_period: 2160h
+        table_manager:
+          retention_deletes_enabled: true
+          retention_period: 2160h
+      ingress:
+        enabled: true
+        annotations:
+          kubernetes.io/tls-acme: "true"
+          nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+          nginx.ingress.kubernetes.io/auth-tls-secret: "telemetry/loki-ca"
+        hosts:
+          - host: logz.${include.root.locals.merged.default_domain_name}
+            paths: ["/"]
+        tls:
+          - secretName: logz.${include.root.locals.merged.default_domain_name}
+            hosts:
+              - logz.${include.root.locals.merged.default_domain_name}
+        VALUES
     bucket_lifecycle_rule = [
       {
         id      = "log"
@@ -173,6 +223,7 @@ inputs = {
 
   promtail = {
     enabled = true
+    wait    = false
   }
 
   thanos = {