Feat/addon velero (#27)

* feat: New helm addon Velero, version 5.0.2 * feat: irsa with ec2-volume and s3 permission to store and fetch backups * feat: use irsa instead of IAM-Keys for velero * feat: update velero script in basic example * fix: tf-lint bucket name issue * fix: readme github-action * terraform fmt * comment fixes
clouddrove · Sep 25, 2023 · 1c792c2 · 1c792c2
1 parent 3cdc968
commit 1c792c2
Show file tree

Hide file tree

Showing 25 changed files with 1,132 additions and 31 deletions.
diff --git a/_examples/basic/.tflint.hcl → .tflint.hcl b/_examples/basic/.tflint.hcl → .tflint.hcl
diff --git a/README.md b/README.md
@@ -46,6 +46,8 @@
 |istio_ingress|False | No |
 |kiali_server|False | No |
 |fluent_bit|False | No |
+|new_relic|False | No |
+|velero|False | No |
 
 <br/>
 
@@ -76,6 +78,8 @@
 |ingress_nginx_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L337-L380) | No |
 |kubeclarity_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L389-L410) | No |
 |fluent_bit_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L420-L509) | No |
+|new_relic_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L519-L536) | No |
+|velero_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L545-L580) | No |
 
 </br>
 
@@ -96,6 +100,8 @@
 | ingress_nginx_extra_configs | No |
 | kubeclarity_extra_configs | No |
 | fluent_bit_extra_configs | No |
+| new_relic_extra_configs | No |
+| velero_extra_configs | No |
 
 
 ## Outputs
@@ -154,6 +160,14 @@
 | fluent_bit_namespace | namespace where fluent-bit is deployed | 
 | fluent_bit_chart_version | Chart version of fluent-bit addon's helmchart | 
 | fluent_bit_repository | Repository URL of fluent-bit helmchart |
+| new_relic_namespace | namespace where new-relic is deployed | 
+| new_relic_chart_version | Chart version of new-relic addon's helmchart | 
+| new_relic_repository | Repository URL of new-relic helmchart |
+| velero_service_account | ServiceAccount name created by IRSA module for velero| 
+| velero_iam_policy | IAM Policy used to create IRSA | 
+| velero_namespace | namespace where velero is deployed | 
+| velero_chart_version | Chart version of velero addon's helmchart | 
+| velero_repository | Repository URL of velero helmchart |
 
 ## How to Use
 
@@ -164,9 +178,9 @@
 ```bash
 module "addons" {
   source  = "clouddrove/eks-addons/aws"
-  version = "0.0.4"
+  version = "0.0.6"
 
-  depends_on       = [module.eks.cluster_name]
+  depends_on       = [module.eks]
   eks_cluster_name = module.eks.cluster_name
 
   # -- Enable Addons
@@ -180,6 +194,8 @@ module "addons" {
   calico_tigera                = false
   kubeclarity                  = true
   ingress_nginx                = true
+  velero                       = true
+  new_relic                    = true
 
   # -- Addons with mandatory variable
   istio_ingress             = true

diff --git a/README.yaml b/README.yaml
@@ -0,0 +1,112 @@
+---
+#
+# This is the canonical configuration for the `README.md`
+# Run `make readme` to rebuild the `README.md`
+
+# Name of this project
+name: Terraform AWS EKS ADDONS
+# License of this project
+license: "APACHE"
+
+# Canonical GitHub repo
+github_repo: clouddrove/terraform-aws-eks-addons
+
+# Badges to display
+badges:
+  - name: "Latest Release"
+    image: "https://img.shields.io/github/release/clouddrove/terraform-aws-eks-addons.svg"
+    url: "https://github.com/clouddrove/terraform-aws-eks-addons/releases/latest"
+  - name: "tfsec"
+    image: "https://github.com/clouddrove/terraform-aws-eks-addons/actions/workflows/tfsec.yml/badge.svg"
+    url: "https://github.com/clouddrove/terraform-aws-eks-addons/actions/workflows/tfsec.yml"
+  - name: "Licence"
+    image: "https://img.shields.io/badge/License-APACHE-blue.svg"
+    url: "LICENSE.md"
+
+prerequesties:
+  - name: Terraform 1.4.6
+    url: https://learn.hashicorp.com/terraform/getting-started/install.html
+
+#  description of this project
+description: |-
+  A Terraform Addons module to customize & install widely used helmchart during or after creation of your AWS EKS cluster.
+# extra content
+include:
+  - "terraform.md"
+
+# How to use this project
+# How to use this project
+usage: |-
+  Here are some examples of how you can use this module in your inventory structure:
+
+  ### addons basic example
+  ```hcl
+    module "addons" {
+    source  = "clouddrove/eks-addons/aws"
+    version = "0.0.6"
+
+    depends_on       = [module.eks]
+    eks_cluster_name = module.eks.cluster_name
+
+    # -- Enable Addons
+    aws_load_balancer_controller = true
+    aws_efs_csi_driver           = true
+    calico_tigera                = true
+    fluent_bit                   = true
+
+    # -- Addons with mandatory manifest files
+    istio_ingress   = true
+    istio_manifests = {
+      istio_ingress_manifest_file_path = ["./config/istio/ingress.yaml", "./config/istio/ingress-internal.yaml"]
+      istio_gateway_manifest_file_path = ["./config/istio/gateway.yaml"]
+      }
+    kiali_server    = true
+    kiali_manifests = {
+      kiali_virtualservice_file_path = "./config/kiali/kiali_vs.yaml"
+      }
+    external_secrets          = true
+    externalsecrets_manifests = {
+      secret_store_manifest_file_path     = "./config/external-secret/secret-store.yaml"
+      external_secrets_manifest_file_path = "./config/external-secret/external-secret.yaml"
+      secret_manager_name                 = "external_secrets"
+      }
+    }
+  ```
+
+  ### addons complete example
+  ```hcl
+    module "addons" {
+    source  = "clouddrove/eks-addons/aws"
+    version = "0.0.6"
+
+    depends_on       = [module.eks]
+    eks_cluster_name = module.eks.cluster_name
+
+    # -- Enable Addons
+    aws_load_balancer_controller = true
+    aws_efs_csi_driver           = true
+    calico_tigera                = true
+
+    # -- Addons with mandatory manifest files
+    istio_ingress   = true
+    istio_manifests = {
+      istio_ingress_manifest_file_path = ["./config/istio/ingress.yaml", "./config/istio/ingress-internal.yaml"]
+      istio_gateway_manifest_file_path = ["./config/istio/gateway.yaml"]
+      }
+
+    # -- Path of override-values.yaml file
+    aws_load_balancer_controller_helm_config = { values = [file("./config/override-aws-load-balancer-controller.yaml")] }
+    aws_efs_csi_driver_helm_config           = { values = [file("./config/override-aws-efs-csi-driver.yaml")] }
+    calico_tigera_helm_config                = { values = [file("./config/calico-tigera-values.yaml")] }
+    istio_ingress_helm_config                = { values = [file("./config/istio/override-values.yaml")] }    
+
+    # -- Override Helm Release attributes
+    aws_load_balancer_controller_extra_configs = var.aws_load_balancer_controller_extra_configs
+    aws_efs_csi_driver_extra_configs           = var.aws_efs_csi_driver_extra_configs
+    calico_tigera_extra_configs                = var.calico_tigera_extra_configs
+    istio_ingress_extra_configs                = var.istio_ingress_extra_configs
+
+    # -- Custome IAM Policy Json Content or Json file path
+    cluster_autoscaler_iampolicy_json_content = file("./custom-iam-policies/cluster-autoscaler.json")
+    }
+  ```
diff --git a/_examples/basic/main.tf b/_examples/basic/main.tf
@@ -156,7 +156,7 @@ resource "aws_iam_policy" "node_additional" {
 module "addons" {
   source = "../../"
 
-  depends_on       = [module.eks.cluster_name]
+  depends_on       = [module.eks]
   eks_cluster_name = module.eks.cluster_name
 
   # -- Enable Addons
@@ -171,6 +171,7 @@ module "addons" {
   kubeclarity                  = true
   ingress_nginx                = true
   fluent_bit                   = true
+  velero                       = true
 
   # -- Addons with mandatory variable
   istio_ingress             = true
@@ -179,4 +180,7 @@ module "addons" {
   kiali_manifests           = var.kiali_manifests
   external_secrets          = true
   externalsecrets_manifests = var.externalsecrets_manifests
+
+  # -- Extra helm_release attributes
+  velero_extra_configs = var.velero_extra_configs
 }
diff --git a/_examples/basic/variables.tf b/_examples/basic/variables.tf
@@ -36,4 +36,14 @@ variable "externalsecrets_manifests" {
     secret_manager_name                 = "external_secrets"
   }
   description = "yaml manifest file path to create ExternalSecret, SecretStore and custome SecretManger name"
+}
+
+#------------ EXTRA CONFIGS -----------
+variable "velero_extra_configs" {
+  type = any
+  default = {
+    timeout     = 300
+    atomic      = true
+    bucket_name = "velero-addons"
+  }
 }
diff --git a/_examples/complete/config/override-fluent-bit.yaml b/_examples/complete/config/override-fluent-bit.yaml
@@ -81,4 +81,5 @@ config:
         log_group_name      /aws/containerinsights/{{ .Values.eks_configs.cluster_name }}/application
         auto_create_group   true
         extra_user_agent    container-insights
-        log_stream_prefix   eks-
+        log_stream_prefix   eks-
+        log_retention_days  7
diff --git a/_examples/complete/config/override-kubeclarity.yaml b/_examples/complete/config/override-kubeclarity.yaml
@@ -11,12 +11,17 @@ kubeclarity:
   podAnnotations:
     co.elastic.logs/enabled: "true"
 
-
-# Be careful when using ingress. As there is no authentication on Kubeclarity yet, your instance may be accessible.
-# Make sure the ingress remains internal if you decide to enable it.
-  service:
-    type: LoadBalancer
-    port: 80
+  # -- Application Load Balancer
+  ingress:
+    enabled: true
+    labels: {}
     annotations:
-      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
-      service.beta.kubernetes.io/aws-load-balancer-name: "kubeclarity"
+      kubernetes.io/ingress.class: alb
+      alb.ingress.kubernetes.io/group.name: ingress
+      alb.ingress.kubernetes.io/load-balancer-name: kubeclarity-eks-alb
+      alb.ingress.kubernetes.io/target-type: ip
+      alb.ingress.kubernetes.io/scheme: internet-facing
+      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'    
+
+    hosts:
+      - host: test.addons.com
diff --git a/_examples/complete/config/override-velero.yaml b/_examples/complete/config/override-velero.yaml
@@ -0,0 +1,36 @@
+initContainers:
+  - name: velero-plugin-for-aws
+    image: velero/velero-plugin-for-aws:v1.7.0
+    imagePullPolicy: IfNotPresent
+    volumeMounts:
+      - mountPath: /target
+        name: plugins
+
+## Parameters for the `default` BackupStorageLocation and VolumeSnapshotLocation,
+## and additional server settings.
+configuration:
+  backupStorageLocation:
+  - name: aws
+    default: "true"
+    provider: aws        
+
+  volumeSnapshotLocation:
+  - name: aws
+    provider: aws
+    config:
+      region: "us-east-1"
+
+
+# Info about the secret to be used by the Velero deployment, which
+# should contain credentials for the cloud provider IAM account you've
+# set up for Velero.
+credentials:
+  useSecret: false
+  secretContents: {}
+
+
+# Whether to deploy the node-agent daemonset.
+deployNodeAgent: true
+nodeAgent:
+  podVolumePath: /var/lib/kubelet/pods
+  privileged: true  
diff --git a/_examples/complete/main.tf b/_examples/complete/main.tf
@@ -149,7 +149,7 @@ resource "aws_iam_policy" "node_additional" {
 module "addons" {
   source = "../../"
 
-  depends_on       = [module.eks.cluster_name]
+  depends_on       = [module.eks]
   eks_cluster_name = module.eks.cluster_name
 
   # -- Enable Addons
@@ -159,12 +159,14 @@ module "addons" {
   aws_node_termination_handler = true
   aws_efs_csi_driver           = true
   aws_ebs_csi_driver           = true
-  karpenter                    = true
-  calico_tigera                = true
-  new_relic                    = false
-  kubeclarity                  = true
-  ingress_nginx                = true
-  fluent_bit                   = true
+  # karpenter                    = false    # -- Set to `false` or comment line to Uninstall Karpenter if installed using terraform.
+  calico_tigera = true
+  new_relic     = true
+  kubeclarity   = true
+  ingress_nginx = true
+  fluent_bit    = true
+  velero        = true
+
   # -- Addons with mandatory variable
   istio_ingress             = true
   istio_manifests           = var.istio_manifests
@@ -188,6 +190,7 @@ module "addons" {
   ingress_nginx_helm_config                = { values = [file("./config/override-ingress-nginx.yaml")] }
   kubeclarity_helm_config                  = { values = [file("./config/override-kubeclarity.yaml")] }
   fluent_bit_helm_config                   = { values = [file("./config/override-fluent-bit.yaml")] }
+  velero_helm_config                       = { values = [file("./config/override-velero.yaml")] }
   new_relic_helm_config                    = { values = [file("./config/override-new-relic.yaml")] }
 
   # -- Override Helm Release attributes
@@ -205,8 +208,9 @@ module "addons" {
   ingress_nginx_extra_configs                = var.ingress_nginx_extra_configs
   kubeclarity_extra_configs                  = var.kubeclarity_extra_configs
   fluent_bit_extra_configs                   = var.fluent_bit_extra_configs
+  velero_extra_configs                       = var.velero_extra_configs
   new_relic_extra_configs                    = var.new_relic_extra_configs
 
-  # -- Custom IAM Policy Json Content or Json file path
+  # -- Custom IAM Policy Json for Addon's ServiceAccount
   cluster_autoscaler_iampolicy_json_content = file("./custom-iam-policies/cluster-autoscaler.json")
 }
diff --git a/_examples/complete/outputs.tf b/_examples/complete/outputs.tf
@@ -7,4 +7,16 @@ output "cluster_name" {
 
 output "region" {
   value = local.region
+}
+
+output "update_kubeconfig" {
+  value = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --region ${local.region}"
+}
+
+output "velero_post_installation" {
+  value = <<EOF
+Once velero server is up and running you need the client before you can use it
+1. wget https://github.com/vmware-tanzu/velero/releases/download/v1.11.1/velero-v1.11.1-darwin-amd64.tar.gz
+2. tar -xvf velero-v1.11.1-darwin-amd64.tar.gz -C velero-client  
+  EOF  
 }
diff --git a/_examples/complete/variables.tf b/_examples/complete/variables.tf
@@ -117,6 +117,15 @@ variable "fluent_bit_extra_configs" {
   }
 }
 
+variable "velero_extra_configs" {
+  type = any
+  default = {
+    timeout     = 300
+    atomic      = true
+    bucket_name = "velero-addons"
+  }
+}
+
 variable "new_relic_extra_configs" {
   type    = any
   default = {}

diff --git a/addons/fluent-bit/main.tf b/addons/fluent-bit/main.tf
@@ -59,7 +59,9 @@ resource "aws_iam_policy" "policy" {
                 "logs:DescribeLogStreams",
                 "logs:DescribeLogGroups",
                 "logs:CreateLogStream",
-                "logs:CreateLogGroup"
+                "logs:CreateLogGroup",
+                "logs:DeleteRetentionPolicy",
+                "logs:PutRetentionPolicy"
             ],
             "Resource": "*"
         },