diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index de2344a..65594a1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,7 +25,7 @@ env: PREFIX: rush # debug - CI_DEBUG: true + CI_DEBUG: false # azure creds ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} @@ -34,7 +34,8 @@ env: ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} # other - # prod or staging. "" disables cert-manager annotations + # prod or staging. + # "" disables cert-manager annotations (use if you already have an existing TLS secret) CERT_API_ENVIRONMENT: "" DEMO_USER_USERNAME: demo_user # DEMO_USER_PASSWORD: ${{ secrets.DEMO_USER_PASSWORD }} @@ -53,6 +54,7 @@ env: # NEXUS_ADMIN_PASSWORD: ${{ secrets.NEXUS_ADMIN_PASSWORD }} # STORAGE_KEY: 'env var set by Get-StorageKey.ps1' VELERO_ENABLED: true + WEAVE_SCOPE_ENABLED: false # terraform TF_IN_AUTOMATION: "true" @@ -96,11 +98,26 @@ jobs: echo "VELERO_STORAGE_RG=${{ env.PREFIX }}-rg-velero-dev-001" >> $GITHUB_ENV echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV - # Show event info - - name: Show triggered event data - run: pwsh -command "./scripts/Get-EventData.ps1" - env: - GITHUB_CONTEXT: ${{ toJson(github) }} + # # Show event info + # - name: Show triggered event data + # run: pwsh -command "./scripts/Get-EventData.ps1" + # env: + # GITHUB_CONTEXT: ${{ toJson(github) }} + + # # Linting multiple languages + # - name: Lint Code Base + # uses: github/super-linter@v3 + # env: + # DEFAULT_BRANCH: develop + # # VALIDATE_ALL_CODEBASE: false + # VALIDATE_ANSIBLE: true + # VALIDATE_BASH: true + # VALIDATE_POWERSHELL: true + # VALIDATE_SHELL_SHFMT: true + # VALIDATE_TERRAFORM: true + # VALIDATE_TERRAFORM_TERRASCAN: true + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Login - name: Login to Azure 
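Review bot: The new `WEAVE_SCOPE_ENABLED: false` in the `env:` block is an unquoted YAML boolean while `TF_IN_AUTOMATION: "true"` two lines below quotes its value; GitHub stringifies both and `scripts/k8s_manifests_apply.sh` compares against the string `"true"`, so it works, but the file now mixes the two conventions (as `VELERO_ENABLED: true` already did). Quote it for consistency and to keep yamllint's truthy rule quiet: `WEAVE_SCOPE_ENABLED: "false"`. The `env:` mapping starts outside this hunk.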
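Review bot: The parked super-linter step references `github/super-linter@v3`, a mutable tag, whereas the other third-party action in this workflow (`ansible/ansible-lint-action@6c8c141`, further down build.yml) is pinned to a commit; when the block is re-enabled it should be pinned the same way, `uses: github/super-linter@<commit-sha>` (placeholder) with the tag kept in a trailing comment. That matters more than usual here because the step is handed `secrets.GITHUB_TOKEN`, so a tag moved upstream would run unreviewed code with whatever rights that token has unless a `permissions:` block restricts it. Worth a `# TODO: pin to a commit SHA before enabling` line above the step so the reminder survives until then. The enclosing `steps:` list starts and ends outside this hunk.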
@@ -189,11 +206,13 @@ jobs: run: ./scripts/wait.sh - # Ansible - - name: Lint Ansible Playbook - uses: ansible/ansible-lint-action@6c8c141 - with: - targets: "./ansible" + # TODO: enable Ansible Lint once this issue has been resolved: https://github.com/ansible/ansible-lint-action/issues/36 + # # Ansible + # - name: Lint Ansible Playbook + # uses: ansible/ansible-lint-action@6c8c141 + # with: + # targets: "./ansible" + - name: Run Ansible playbook run: ./scripts/ansible.sh diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index e209c15..7b37c54 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -87,11 +87,11 @@ jobs: echo "VELERO_STORAGE_RG=${{ env.PREFIX }}-rg-velero-dev-001" >> $GITHUB_ENV echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV - # Show event info - - name: Show triggered event data - run: pwsh -command "./scripts/Get-EventData.ps1" - env: - GITHUB_CONTEXT: ${{ toJson(github) }} + # # Show event info + # - name: Show triggered event data + # run: pwsh -command "./scripts/Get-EventData.ps1" + # env: + # GITHUB_CONTEXT: ${{ toJson(github) }} # Login - name: Login to Azure diff --git a/aad-pod-identity/aad_pod_identity_values.yaml b/aad-pod-identity/aad_pod_identity_values.yaml deleted file mode 100644 index bc6e53c..0000000 --- a/aad-pod-identity/aad_pod_identity_values.yaml +++ /dev/null 
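Review bot: With `Lint Ansible Playbook` commented out, `Run Ansible playbook` now executes with no lint gate at all; the TODO links the upstream issue, but an interim that keeps the check visible without blocking the job would be to leave the step in place and add `continue-on-error: true` under its `uses:` line. If the action genuinely cannot run, the TODO should at least name what is lost (playbook lint on `./ansible`) so the disabled gate is not forgotten when the issue closes. The enclosing `steps:` list starts outside this hunk.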
@@ -1,206 +0,0 @@ -# source: https://github.com/Azure/aad-pod-identity/blob/v1.6.3/charts/aad-pod-identity/values.yaml - -# Default values for aad-pod-identity-helm. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -nameOverride: "" -fullnameOverride: "" - -image: - repository: mcr.microsoft.com/oss/azure/aad-pod-identity - imagePullPolicy: Always - -# One or more secrets to be used when pulling images -# imagePullSecrets: -# - name: myRegistryKeySecretName - -# https://github.com/Azure/aad-pod-identity#4-optional-match-pods-in-the-namespace -# By default, AAD Pod Identity matches pods to identities across namespaces. -# To match only pods in the namespace containing AzureIdentity set this to true. -forceNameSpaced: "false" - -# When NMI runs on a node where MIC is running, then MIC token request call is also -# intercepted by NMI. MIC can't get a valid token as to initialize and then -# assign the identity. Installing an exception for MIC would ensure all token requests -# for MIC pods directly go to IMDS and not go through the pod-identity validation -# https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.app-exception.md -installMICException: "true" - -## If using a separate service principal for aad-pod-identity instead of cluster service principal specify the following -## (The chart will perform the base64 encoding for you for values that are stored in secrets.) -adminsecret: {} -# cloud: -# subscriptionID: -# resourceGroup: -# vmType: <`standard` for normal virtual machine nodes, and `vmss` for cluster deployed with a virtual machine scale set> -# tenantID: -# clientID: -# clientSecret: -# useMSI: -# userAssignedMSIClientID: -# Operation mode for pod-identity. Default is standard mode that has MIC doing identity assignment -# Allowed values: "standard", "managed" -operationMode: "standard" - -mic: - image: mic - tag: v1.6.3 - - priorityClassName: "" - - # log level. 
Uses V logs (glog) - logVerbosity: 0 - - resources: - limits: - cpu: 200m - memory: 1024Mi - requests: - cpu: 100m - memory: 256Mi - - podAnnotations: {} - - ## Node labels for pod assignment - ## aad-pod-identity is currently only supported on linux - nodeSelector: - kubernetes.io/os: linux - - tolerations: [] - - affinity: {} - - leaderElection: - # Override leader election instance name (default is 'hostname') - instance: "" - # Override the namespace to create leader election objects (default is default namespace) - namespace: "" - # Override leader election name (default is aad-pod-identity-mic) - name: "" - # Override leader election duration (default is 15s) - duration: "" - - # Override http liveliness probe port (default is 8080) - probePort: "" - - # Override interval in seconds at which sync loop should periodically check for errors and reconcile (default is 3600s) - syncRetryDuration: "" - - # Override the defult value of immutable identities. - immutableUserMSIs: [] - # Example of MSIs (should be replaced with the real client ids) - #- "00000000-0000-0000-0000-000000000000" - #- "11111111-1111-1111-1111-111111111111" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#batch-create-delete-flag - # default value is 20 - createDeleteBatch: "" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#client-qps-flag - # default value is 5 - clientQps: "" - - # default value is 8888 - # prometheus port for metrics - prometheusPort: "" - - # cloud configuration used to authenticate with Azure - cloudConfig: "/etc/kubernetes/azure.json" - - # The maximum retry of UpdateUserMSI call. MIC updates all the identities in a batch. If a single identity contains an error - # or is invalid, then the entire operation fails. Configuring this flag will make MIC retry by removing the erroneous identities - # returned in the error - # Default value is 2. 
- updateUserMSIMaxRetry: "" - - # The duration to wait before retrying UpdateUserMSI (batch assigning/un-assigning identity from VM/VMSS) in case of errors - # Default value is 1s - updateUserMSIRetryInterval: "" - - # The interval between reconciling identity assignment on Azure based on an existing list of AzureAssignedIdentities - # Default value is 3m - identityAssignmentReconcileInterval: "" - -nmi: - image: nmi - tag: v1.6.3 - - priorityClassName: "" - - resources: - limits: - cpu: 200m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - - podAnnotations: {} - - ## Node labels for pod assignment - ## aad-pod-identity is currently only supported on linux - nodeSelector: - kubernetes.io/os: linux - - tolerations: [] - - affinity: {} - - # Override iptables update interval in seconds (default is 60) - ipTableUpdateTimeIntervalInSeconds: "" - - # Override mic namespace to short circuit MIC token requests (default is default namespace) - micNamespace: "" - - # Override http liveliness probe port (default is 8080) - probePort: "8085" - - # Override number of retries in NMI to find assigned identity in CREATED state (default is 16) - retryAttemptsForCreated: "" - - # Override number of retries in NMI to find assigned identity in ASSIGNED state (default is 4) - retryAttemptsForAssigned: "" - - # Override retry interval to find assigned identities in seconds (default is 5) - findIdentityRetryIntervalInSeconds: "" - - # Enable scale features - https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#enable-scale-features-flag - # Accepted values are true/false. Default is false. 
- enableScaleFeatures: "" - - # default value is 9090 - # prometheus port for metrics - prometheusPort: "" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#block-instance-metadata-flag - # default is false - blockInstanceMetadata: "" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#metadata-header-required-flag - # default is false - metadataHeaderRequired: "" - -rbac: - enabled: true - # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity. - # If using only MSI (type: 0) in AzureIdentity, secret get permission can be disabled by setting this to false. - allowAccessToSecrets: true - -# Create azure identities and bindings -azureIdentities: [] - # - name: "azure-identity" - # # if not defined, then the azure identity will be deployed in the same namespace as the chart - # namespace: "" - # # type 0: MSI, type 1: Service Principal - # type: 0 - # # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name - # resourceID: "" - # clientID: "" - # binding: - # name: "azure-identity-binding" - # # The selector will also need to be included in labels for app deployment - # selector: "demo" - -# If true, install necessary custom resources. -installCRDs: false diff --git a/nginx/default_nginx_values.yaml b/nginx/default_nginx_values.yaml index 5f01710..04b6d94 100644 --- a/nginx/default_nginx_values.yaml +++ b/nginx/default_nginx_values.yaml 
@@ -1,11 +1,13 @@ +# source: https://github.com/kubernetes/ingress-nginx/blob/ingress-nginx-3.11.0/charts/ingress-nginx/values.yaml + ## nginx configuration -## Ref: https://github.com/kubernetes/ingress/blob/master/controllers/nginx/configuration.md +## Ref: https://github.com/kubernetes/ingress-nginx/blob/master/controllers/nginx/configuration.md ## controller: - name: controller image: - repository: quay.io/kubernetes-ingress-controller/nginx-ingress-controller - tag: "0.30.0" + repository: k8s.gcr.io/ingress-nginx/controller + tag: "v0.41.2" + digest: sha256:1f4f402b9c14f3ae92b11ada1dfe9893a88f0faeb0b2f4b903e2c67a0c3bf0de pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 @@ -19,9 +21,9 @@ controller: # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ config: {} - # Maxmind license key to download GeoLite2 Databases - # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases - maxmindLicenseKey: "" + ## Annotations to be added to the controller config configuration configmap + ## + configAnnotations: {} # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers proxySetHeaders: {} @@ -29,11 +31,6 @@ controller: # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers addHeaders: {} - # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), - # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 - # is merged - hostNetwork: false - # Optionally customize the pod dnsConfig. dnsConfig: {} 
@@ -46,19 +43,20 @@ controller: # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply reportNodeInternalIp: false - ## Use host ports 80 and 443 - daemonset: - useHostPort: false + # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 + # is merged + hostNetwork: false - hostPorts: + ## Use host ports 80 and 443 + ## Disabled by default + ## + hostPort: + enabled: false + ports: http: 80 https: 443 - ## Required only if defaultBackend.enabled = false - ## Must be / - ## - defaultBackendService: "" - ## Election ID to use for status update ## electionID: ingress-controller-leader @@ -72,15 +70,22 @@ controller: # key: value ## Security Context policies for controller pods - ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - ## notes on enabling and using sysctls ## podSecurityContext: {} - ## Allows customization of the external service - ## the ingress will be bound to via DNS + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ### + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" + + ## Allows customization of the source of the IP address or FQDN to report + ## in the ingress status field. By default, it reads the information provided + ## by the service. If disable, the status field reports the IP address of the + ## node or nodes where an ingress controller pod is running. publishService: - enabled: false + enabled: true ## Allows overriding of the publish service to bind to ## Must be / ## 
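Review bot: Overrides keyed on the old names `daemonset.useHostPort` and `hostPorts` will silently stop working once this hunk lands, because Helm ignores unknown value keys; the same applies to `deploymentAnnotations` → `annotations` in the `kind: Deployment` hunk further down and to `maxmindLicenseKey` moving from the controller block to the top level. Before merging, grep the repository (including the `set {}` blocks in the Terraform `helm_release` resources) for `useHostPort`, `hostPorts`, `deploymentAnnotations`, `controller.maxmindLicenseKey` and `defaultBackendService`. `defaultBackendService` (previously "required only if defaultBackend.enabled = false") is dropped here while `defaultBackend.enabled` is switched to false later in the file, so the 3.x chart presumably serves the 404 from the controller itself — confirm rather than assume.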
@@ -96,15 +101,19 @@ controller: ## configMapNamespace: "" # defaults to .Release.Namespace - ## Allows customization of the tcp-services-configmap namespace + ## Allows customization of the tcp-services-configmap ## tcp: configMapNamespace: "" # defaults to .Release.Namespace + ## Annotations to be added to the tcp config configmap + annotations: {} - ## Allows customization of the udp-services-configmap namespace + ## Allows customization of the udp-services-configmap ## udp: configMapNamespace: "" # defaults to .Release.Namespace + ## Annotations to be added to the udp config configmap + annotations: {} ## Additional command line arguments to pass to nginx-ingress-controller ## E.g. to specify the default SSL certificate you can use @@ -125,9 +134,17 @@ controller: ## kind: Deployment - ## Annotations to be added to the controller deployment + ## Annotations to be added to the controller Deployment or DaemonSet + ## + annotations: {} + # keel.sh/pollSchedule: "@every 60m" + + ## Labels to be added to the controller Deployment or DaemonSet ## - deploymentAnnotations: {} + labels: {} + # keel.sh/policy: patch + # keel.sh/trigger: poll + # The update strategy to apply to the Deployment or DaemonSet ## @@ -161,10 +178,18 @@ controller: # podAffinityTerm: # labelSelector: # matchExpressions: - # - key: app + # - key: app.kubernetes.io/name # operator: In # values: - # - nginx-ingress + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller # topologyKey: kubernetes.io/hostname # # An example of required pod anti-affinity 
@@ -172,26 +197,47 @@ controller: # requiredDuringSchedulingIgnoredDuringExecution: # - labelSelector: # matchExpressions: - # - key: app + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance # operator: In # values: - # - nginx-ingress + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller # topologyKey: "kubernetes.io/hostname" + ## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: ingress-nginx-internal + ## terminationGracePeriodSeconds + ## wait up to five minutes for the drain of connections ## - terminationGracePeriodSeconds: 60 + terminationGracePeriodSeconds: 300 ## Node labels for controller pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## - nodeSelector: {} + nodeSelector: + kubernetes.io/os: linux ## Liveness and readiness probe values ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## livenessProbe: - failureThreshold: 3 + failureThreshold: 5 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 @@ -205,6 +251,10 @@ controller: timeoutSeconds: 1 port: 10254 + # Path of the health check endpoint. All requests received on the port defined by + # the healthz-port parameter are forwarded internally to this path. + healthCheckPath: "/healthz" + ## Annotations to be added to controller pods ## podAnnotations: {} 
@@ -213,21 +263,76 @@ controller: minAvailable: 1 - resources: {} + # Define requests resources to avoid probe issues due to CPU utilization in busy nodes + # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 + # Ideally, there should be no limits. + # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ + resources: # limits: # cpu: 100m - # memory: 64Mi - # requests: - # cpu: 100m - # memory: 64Mi + # memory: 90Mi + requests: + cpu: 100m + memory: 90Mi + # Mutually exclusive with keda autoscaling autoscaling: enabled: false - minReplicas: 2 + minReplicas: 1 maxReplicas: 11 targetCPUUtilizationPercentage: 50 targetMemoryUtilizationPercentage: 50 + autoscalingTemplate: [] + # Custom or additional autoscaling metrics + # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics + # - type: Pods + # pods: + # metric: + # name: nginx_ingress_controller_nginx_process_requests_total + # target: + # type: AverageValue + # averageValue: 10000m + + # Mutually exclusive with hpa autoscaling + keda: + apiVersion: "keda.sh/v1alpha1" + # apiVersion changes with keda 1.x vs 2.x + # 2.x = keda.sh/v1alpha1 + # 1.x = keda.k8s.io/v1alpha1 + enabled: false + minReplicas: 1 + maxReplicas: 11 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + ## Enable mimalloc as a drop-in replacement for malloc. 
+ ## ref: https://github.com/microsoft/mimalloc + ## + enableMimalloc: true + ## Override NGINX template customTemplate: configMapName: "" @@ -238,8 +343,6 @@ controller: annotations: {} labels: {} - ## Deprecated, instead simply do not provide a clusterIP value - omitClusterIP: false # clusterIP: "" ## List of IP addresses at which the controller services are available @@ -247,7 +350,7 @@ controller: ## externalIPs: [] - loadBalancerIP: "" + # loadBalancerIP: "" loadBalancerSourceRanges: [] enableHttp: true @@ -256,13 +359,16 @@ controller: ## Set external traffic policy to: "Local" to preserve source IP on ## providers supporting it ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - externalTrafficPolicy: "" + # externalTrafficPolicy: "" # Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - sessionAffinity: "" + # sessionAffinity: "" - healthCheckNodePort: 0 + # specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, + # the service controller allocates a port from your cluster’s NodePort range. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 ports: http: 80 
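Review bot: Commenting out `externalTrafficPolicy: ""` leaves the controller Service on the Kubernetes default `Cluster` policy, so traffic arriving via the Azure load balancer is SNATed by kube-proxy and NGINX sees node addresses rather than the real client; `loadBalancerSourceRanges`, any `nginx.ingress.kubernetes.io/whitelist-source-range` annotations, rate limiting and the access logs then all key off the wrong IP. If the chart already treated `""` as unset this is no behaviour change, but the intent should be explicit: either `externalTrafficPolicy: "Local"` (at which point the `# healthCheckNodePort` line below it becomes meaningful) or a comment stating that client IPs are deliberately not preserved. The `service:` mapping this sits in starts outside the hunk.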
@@ -286,6 +392,20 @@ controller: tcp: {} udp: {} + ## Enables an additional internal load balancer (besides the external one). + ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + internal: + enabled: false + annotations: {} + + ## Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. + loadBalancerSourceRanges: [] + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + extraContainers: [] ## Additional containers to be added to the controller pod. ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. @@ -327,17 +447,21 @@ controller: # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] admissionWebhooks: - enabled: false + annotations: {} + enabled: true failurePolicy: Fail + # timeoutSeconds: 10 port: 8443 + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + namespaceSelector: {} + objectSelector: {} service: annotations: {} - ## Deprecated, instead simply do not provide a clusterIP value - omitClusterIP: false # clusterIP: "" externalIPs: [] - loadBalancerIP: "" + # loadBalancerIP: "" loadBalancerSourceRanges: [] servicePort: 443 type: ClusterIP @@ -345,14 +469,16 @@ controller: patch: enabled: true image: - repository: jettech/kube-webhook-certgen - tag: v1.0.0 + repository: docker.io/jettech/kube-webhook-certgen + tag: v1.5.0 pullPolicy: IfNotPresent ## Provide a priority class name to the webhook patching job ## priorityClassName: "" podAnnotations: {} nodeSelector: {} + tolerations: [] + runAsUser: 2000 metrics: port: 10254 
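Review bot: `failurePolicy: Fail` on the now-enabled admission webhook couples every Ingress create and update in the cluster to the controller pod being reachable — including during chart upgrades or a single-replica restart — and that trade-off deserves a comment next to `enabled: true`, e.g. `# validating webhook: with failurePolicy Fail, Ingress writes are rejected while the controller is down`. Rejecting bad configuration before NGINX reloads is the safer default, so the setting itself is right; the `certificate`/`key` paths presumably match where the `patch` job below mounts the generated cert, so they should not be edited independently of that section. The `admissionWebhooks` mapping continues into the next hunk.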
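Review bot: `docker.io/jettech/kube-webhook-certgen` at `tag: v1.5.0` is pinned by tag only, while the controller image at the top of this file gained a `digest:` in the same commit; the certgen job is what creates the webhook's TLS material and patches the webhook configuration, so a re-taggable image is a worse place to be loose than the controller itself. Pin it the same way, `digest: sha256:<digest-of-v1.5.0>` (placeholder — take it from the registry), provided the chart's patch template honours a digest the way the controller template does; if it does not, note that limitation in a comment so the gap is tracked. `runAsUser: 2000` and the new `tolerations: []` look fine.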
@@ -364,8 +490,6 @@ controller: # prometheus.io/scrape: "true" # prometheus.io/port: "10254" - ## Deprecated, instead simply do not provide a clusterIP value - omitClusterIP: false # clusterIP: "" ## List of IP addresses at which the stats-exporter service is available @@ -373,10 +497,12 @@ controller: ## externalIPs: [] - loadBalancerIP: "" + # loadBalancerIP: "" loadBalancerSourceRanges: [] servicePort: 9913 type: ClusterIP + # externalTrafficPolicy: "" + # nodePort: "" serviceMonitor: enabled: false 
@@ -389,32 +515,60 @@ controller: # any: true scrapeInterval: 30s # honorLabels: true + targetLabels: [] + metricRelabelings: [] prometheusRule: enabled: false additionalLabels: {} - namespace: "" + # namespace: "" rules: [] # # These are just examples rules, please adapt them to your needs - # - alert: TooMany500s + # - alert: NGINXConfigFailed + # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: bad ingress config - nginx config test failed + # summary: uninstall the latest ingress changes to allow config reloads to resume + # - alert: NGINXCertificateExpiry + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: ssl certificate(s) will expire in less then a week + # summary: renew expiring certificates to avoid downtime + # - alert: NGINXTooMany500s # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 # for: 1m # labels: - # severity: critical + # severity: warning # annotations: # description: Too many 5XXs - # summary: More than 5% of the all requests did return 5XX, this require your attention - # - alert: TooMany400s + # summary: More than 5% of all requests returned 5XX, this requires your attention + # - alert: NGINXTooMany400s # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 # for: 1m # labels: - # severity: critical + # severity: warning # annotations: # description: Too many 4XXs - # summary: More than 5% of the all requests did return 4XX, this require your attention - - - lifecycle: {} + # summary: More than 5% of all requests returned 4XX, this requires your attention + + ## Improve connection draining when ingress controller pod is deleted using a lifecycle hook: + ## With this new hook, we 
increased the default terminationGracePeriodSeconds from 30 seconds + ## to 300, allowing the draining of connections up to five minutes. + ## If the active connections end before that, the pod will terminate gracefully at that time. + ## To effectively take advantage of this feature, the Configmap feature + ## worker-shutdown-timeout new value is 240s instead of 10s. + ## + lifecycle: + preStop: + exec: + command: + - /wait-shutdown priorityClassName: "" @@ -422,21 +576,25 @@ controller: ## revisionHistoryLimit: 10 +# Maxmind license key to download GeoLite2 Databases +# https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases +maxmindLicenseKey: "" + ## Default 404 backend ## defaultBackend: - - ## If false, controller.defaultBackendService must be provided ## - enabled: true + enabled: false - name: default-backend image: repository: k8s.gcr.io/defaultbackend-amd64 tag: "1.5" pullPolicy: IfNotPresent # nobody user -> uid 65534 runAsUser: 65534 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false extraArgs: {} @@ -506,10 +664,16 @@ defaultBackend: # cpu: 10m # memory: 20Mi + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + service: annotations: {} - ## Deprecated, instead simply do not provide a clusterIP value - omitClusterIP: false + # clusterIP: "" ## List of IP addresses at which the default backend service is available @@ -517,7 +681,7 @@ defaultBackend: ## externalIPs: [] - loadBalancerIP: "" + # loadBalancerIP: "" loadBalancerSourceRanges: [] servicePort: 80 type: ClusterIP diff --git a/scripts/k8s_manifests_apply.sh b/scripts/k8s_manifests_apply.sh index 4d67f68..1c3f4a1 100644 --- a/scripts/k8s_manifests_apply.sh +++ b/scripts/k8s_manifests_apply.sh 
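Review bot: The top-level `maxmindLicenseKey: ""` is a credential slot in a values file committed to the repository; anyone who fills it in here puts the key into git history, so a comment pointing at the intended injection path (a `--set` from a CI secret, or a `set_sensitive` block in the Terraform `helm_release`) would head that off, e.g. `# leave empty in this file; supply the key from a secret at install time`. The three `defaultBackend` hardening keys (`runAsNonRoot`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false`) are a good addition, though with `enabled: false` they have no effect until the backend is turned back on. The `defaultBackend` mapping continues past the end of this hunk.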
@@ -26,6 +26,15 @@ kubectl version --short # message="Applying Kubernetes manifests" # echo "STARTED: $message..." +# Install Weave Scope +# https://www.weave.works/docs/scope/latest/installing/#k8s +if [ "$WEAVE_SCOPE_ENABLED" == "true" ]; then + message="Installing Weave Scope" + echo "STARTED: $message..." + kubectl apply -f "https://cloud.weave.works/k8s/scope.yaml?k8s-version=$(kubectl version | base64 | tr -d '\n')" + echo "FINISHED: $message." +fi + # # external-dns # kubectl apply -n ingress -f ./manifests/external-dns.yml # echo "FINISHED: $message." diff --git a/terraform/aks.tf b/terraform/aks.tf index a4ec96a..b6bdf8c 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -19,6 +19,7 @@ resource "azurerm_resource_group" "aks" { # Log Analytics resource "azurerm_log_analytics_workspace" "aks" { count = var.aks_container_insights_enabled ? 1 : 0 + # The Workspace name is globally unique name = var.log_analytics_workspace_name location = azurerm_resource_group.aks.location @@ -35,7 +36,8 @@ resource "azurerm_log_analytics_workspace" "aks" { } resource "azurerm_log_analytics_solution" "aks" { - count = var.aks_container_insights_enabled ? 1 : 0 + count = var.aks_container_insights_enabled ? 1 : 0 + solution_name = "ContainerInsights" location = azurerm_resource_group.aks.location resource_group_name = azurerm_resource_group.aks.name 
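Review bot: Applying `https://cloud.weave.works/k8s/scope.yaml` straight from the network at deploy time means whatever that URL serves on a given day is admin-applied to the cluster unreviewed and unpinned (as I recall the upstream manifest includes a privileged DaemonSet with host namespace access and cluster-wide RBAC), and the query string ships the cluster's `kubectl version` output, base64-encoded, to a third party. Vendor the manifest at a reviewed revision and apply that instead, `kubectl apply -f ./manifests/weave-scope.yml` (new file, next to the external-dns manifest this script already references), or at minimum download it in a separate step and diff it against the committed copy before applying. Minor: `[ "$WEAVE_SCOPE_ENABLED" == "true" ]` relies on bash's `==` inside `[ ]`; the shebang is outside this hunk, and if the script runs under `sh` it should be `=`.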
@@ -49,77 +51,31 @@ resource "azurerm_log_analytics_solution" "aks" { } # AKS -resource "azurerm_kubernetes_cluster" "aks" { - name = var.azurerm_kubernetes_cluster_name - location = azurerm_resource_group.aks.location - resource_group_name = azurerm_resource_group.aks.name - dns_prefix = var.prefix - kubernetes_version = var.kubernetes_version - sku_tier = var.sla_sku - - default_node_pool { - name = var.agent_pool_profile_name - type = "VirtualMachineScaleSets" - orchestrator_version = var.kubernetes_version - node_count = var.agent_pool_node_count - vm_size = var.agent_pool_profile_vm_size - os_disk_size_gb = var.agent_pool_profile_disk_size_gb - enable_auto_scaling = var.agent_pool_enable_auto_scaling - min_count = var.agent_pool_node_min_count - max_count = var.agent_pool_node_max_count - } - - linux_profile { - admin_username = var.admin_username - - ssh_key { - key_data = chomp( - coalesce( - var.ssh_public_key, - tls_private_key.ssh.public_key_openssh, - ) - ) - } - } - - # managed identity block: https://www.terraform.io/docs/providers/azurerm/r/kubernetes_cluster.html#type-1 - identity { - type = "SystemAssigned" +# https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest +module "aks" { + source = "adamrushuk/aks/azurerm" + version = "0.4.1" + + kubernetes_version = var.kubernetes_version + location = azurerm_resource_group.aks.location + resource_group_name = azurerm_resource_group.aks.name + name = var.azurerm_kubernetes_cluster_name + sla_sku = var.sla_sku + aad_auth_enabled = true + azure_policy_enabled = false + tags = var.tags + + # override defaults + default_node_pool = { + name = var.agent_pool_profile_name + count = var.agent_pool_node_count + vm_size = var.agent_pool_profile_vm_size + enable_auto_scaling = var.agent_pool_enable_auto_scaling + min_count = var.agent_pool_node_min_count + max_count = var.agent_pool_node_max_count + os_disk_size_gb = var.agent_pool_profile_disk_size_gb } - # TODO Enable RBAC and AAD auth: 
https://app.zenhub.com/workspaces/aks-nexus-velero-5e602702ee332f0fc76d35dd/issues/adamrushuk/aks-nexus-velero/105 - role_based_access_control { - enabled = true - - # azure_active_directory { - # managed = true - # admin_group_object_ids = [ - # data.azuread_group.aks.id - # ] - # } - } - - addon_profile { - # cannot remove this deprecated block yet, due to this issue: - # https://github.com/terraform-providers/terraform-provider-azurerm/issues/7716 - kube_dashboard { - enabled = false - } - - oms_agent { - enabled = var.aks_container_insights_enabled - log_analytics_workspace_id = var.aks_container_insights_enabled ? azurerm_log_analytics_workspace.aks[0].id : null - } - } - - tags = var.tags - - lifecycle { - ignore_changes = [ - service_principal, - default_node_pool[0].node_count, - tags, - # addon_profile, - ] - } + # add-ons + log_analytics_workspace_id = var.aks_container_insights_enabled == true ? azurerm_log_analytics_workspace.aks[0].id : "" } diff --git a/terraform/data.tf b/terraform/data.tf index 6e06f9a..9a0dea9 100644 --- a/terraform/data.tf +++ b/terraform/data.tf @@ -6,5 +6,5 @@ data "azuread_group" "aks" { } data "azurerm_resource_group" "aks_node_rg" { - name = azurerm_kubernetes_cluster.aks.node_resource_group + name = module.aks.node_resource_group } diff --git a/terraform/dns.tf b/terraform/dns.tf index 438ecf8..09a0f59 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -10,8 +10,8 @@ data "azurerm_dns_zone" "dns" { # external-dns managed identity resource "azurerm_user_assigned_identity" "external_dns" { - resource_group_name = azurerm_kubernetes_cluster.aks.node_resource_group - location = azurerm_kubernetes_cluster.aks.location + resource_group_name = module.aks.node_resource_group + location = var.location name = "mi-external-dns" } 
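Review bot: `aad_auth_enabled = true` is set on the module but no admin group is passed to it, and `data.azuread_group.aks` (still declared in data.tf, see the next hunk) is no longer referenced anywhere in this diff, so it is unclear who ends up with cluster-admin on the AAD-integrated cluster — if `adamrushuk/aks/azurerm` exposes an admin-group input, wire `data.azuread_group.aks.id` into it; if not, the data source is now dead code. The removed resource also carried `lifecycle { ignore_changes = [default_node_pool[0].node_count, ...] }`, which matters when `enable_auto_scaling` is on: unless the module does the same internally, each `terraform apply` will try to reset the node count the autoscaler changed. Likewise `tls_private_key.ssh`, `var.admin_username` and `var.ssh_public_key` lose their only visible consumer here, so either the module takes an SSH key or those can be removed. Minor: `var.aks_container_insights_enabled == true ? ... : ""` can drop the `== true`, and the exact `version = "0.4.1"` pin is the right choice for a module that creates the cluster.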
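Review bot: `location = var.location` for the external-dns identity introduces a second source of truth for the region: aks.tf in this same diff derives the cluster location from `azurerm_resource_group.aks.location`, so if `var.location` ever diverges from the resource group the identity is placed in a different region from the node resource group it is created in. Prefer `location = azurerm_resource_group.aks.location` (or a location output of the module, if it exports one) so both stay tied to the same object.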
@@ -40,7 +40,7 @@ resource "kubernetes_namespace" "external_dns" {
 delete = "15m"
 }
- depends_on = [azurerm_kubernetes_cluster.aks]
+ depends_on = [module.aks]
 }
 data "template_file" "azureIdentity_external_dns" {
@@ -78,9 +78,10 @@ resource "null_resource" "azureIdentity_external_dns" {
 resource "helm_release" "external_dns" {
 chart = "external-dns"
 name = "external-dns"
- namespace = "external-dns"
+ namespace = kubernetes_namespace.external_dns.metadata[0].name
 repository = "https://charts.bitnami.com/bitnami"
 version = var.external_dns_chart_version
+ timeout = 600
 # values = [file("helm/NOT_USED.yaml")]
 set {
@@ -124,9 +125,7 @@ resource "helm_release" "external_dns" {
 value = "external-dns"
 }
- timeout = 600
 depends_on = [
- kubernetes_namespace.external_dns,
 azurerm_role_assignment.aks_dns_mi_to_rg,
 azurerm_role_assignment.aks_dns_mi_to_zone
 ]
diff --git a/terraform/helm/aad_pod_identity_values.yaml b/terraform/helm/aad_pod_identity_values.yaml
index cbc226f..2f5c077 100644
--- a/terraform/helm/aad_pod_identity_values.yaml
+++ b/terraform/helm/aad_pod_identity_values.yaml
@@ -1,5 +1,4 @@
-# source: https://github.com/Azure/aad-pod-identity/blob/v1.6.3/charts/aad-pod-identity/values.yaml
-
+# source: https://github.com/Azure/aad-pod-identity/blob/v1.7.0/charts/aad-pod-identity/values.yaml
 # Default values for aad-pod-identity-helm.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
@@ -32,7 +31,7 @@ installMICException: "true"
 adminsecret: {}
 # cloud:
 # subscriptionID:
-# resourceGroup:
+# resourceGroup:
 # vmType: <`standard` for normal virtual machine nodes, and `vmss` for cluster deployed with a virtual machine scale set>
 # tenantID:
 # clientID:
@@ -45,12 +44,13 @@ operationMode: "standard"
 mic:
 image: mic
- tag: v1.6.3
+ tag: v1.7.0
 priorityClassName: ""
- # log level. Uses V logs (glog)
+ # log level. Uses V logs (klog)
 logVerbosity: 0
+ loggingFormat: ""
 resources:
 limits:
@@ -124,10 +124,14 @@ mic:
 nmi:
 image: nmi
- tag: v1.6.3
+ tag: v1.7.0
 priorityClassName: ""
+ # log level. Uses V logs (klog)
+ logVerbosity: 0
+ loggingFormat: ""
+
 resources:
 limits:
 cpu: 200m
@@ -181,6 +185,10 @@ nmi:
 # default is false
 metadataHeaderRequired: ""
+ # enable running aad-pod-identity on clusters with kubenet
+ # default is false
+ allowNetworkPluginKubenet: false
+
 rbac:
 enabled: true
 # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity.
@@ -189,7 +197,7 @@ rbac:
 # Create azure identities and bindings
 azureIdentities: []
- # - name: "velero"
+ # - name: "azure-identity"
 # # if not defined, then the azure identity will be deployed in the same namespace as the chart
 # namespace: ""
 # # type 0: MSI, type 1: Service Principal
@@ -198,9 +206,9 @@ azureIdentities: []
 # resourceID: ""
 # clientID: ""
 # binding:
- # name: "velero-binding"
+ # name: "azure-identity-binding"
 # # The selector will also need to be included in labels for app deployment
- # selector: "velero"
+ # selector: "demo"
 # If true, install necessary custom resources.
 installCRDs: false
diff --git a/terraform/helm_aad_pod_identity.tf b/terraform/helm_aad_pod_identity.tf
index 71e35ca..b4a41e5 100644
--- a/terraform/helm_aad_pod_identity.tf
+++ b/terraform/helm_aad_pod_identity.tf
@@ -3,14 +3,14 @@
 # role assignment for aad-pod-identity
 # https://azure.github.io/aad-pod-identity/docs/getting-started/role-assignment/#performing-role-assignments
 resource "azurerm_role_assignment" "aks_mi_aks_node_rg_vm_contributor" {
- principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
+ principal_id = module.aks.kubelet_identity[0].object_id
 role_definition_name = "Virtual Machine Contributor"
 scope = data.azurerm_resource_group.aks_node_rg.id
 skip_service_principal_aad_check = true
 }
 resource "azurerm_role_assignment" "aks_mi_aks_node_rg_mi_operator" {
- principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
+ principal_id = module.aks.kubelet_identity[0].object_id
 role_definition_name = "Managed Identity Operator"
 scope = data.azurerm_resource_group.aks_node_rg.id
 skip_service_principal_aad_check = true
@@ -20,7 +20,7 @@ data "template_file" "azureIdentities" {
 template = file("${path.module}/files/azureIdentities.yaml.tpl")
 vars = {
 resourceID = azurerm_user_assigned_identity.velero[0].id
- clientID = azurerm_user_assigned_identity.velero[0].client_id
+ clientID = azurerm_user_assigned_identity.velero[0].client_id
 }
 }
@@ -33,18 +33,19 @@ resource "kubernetes_namespace" "aad_pod_identity" {
 delete = "15m"
 }
- depends_on = [azurerm_kubernetes_cluster.aks]
+ depends_on = [module.aks]
 }
 # https://www.terraform.io/docs/providers/helm/r/release.html
 resource "helm_release" "aad_pod_identity" {
 chart = "aad-pod-identity"
 name = "aad-pod-identity"
- namespace = "aad-pod-identity"
+ namespace = kubernetes_namespace.aad_pod_identity.metadata[0].name
 repository = "https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts"
 version = var.aad_pod_identity_chart_version
+ timeout = 600
- values = [
+ values = [
 file("helm/aad_pod_identity_values.yaml"),
 data.template_file.azureIdentities.rendered
 ]
@@ -54,12 +55,15 @@ resource "helm_release" "aad_pod_identity" {
 value = "true"
 }
+ # allow Kubenet: https://azure.github.io/aad-pod-identity/docs/configure/aad_pod_identity_on_kubenet/
+ set {
+ name = "nmi.allowNetworkPluginKubenet"
+ value = "true"
+ }
+
 # https://github.com/Azure/aad-pod-identity/wiki/Debugging#increasing-the-verbosity-of-the-logs
 set {
 name = "mic.logVerbosity"
 value = 6
 }
-
- timeout = 600
-
- depends_on = [kubernetes_namespace.aad_pod_identity]
 }
diff --git a/terraform/helm_akv2k8s.tf b/terraform/helm_akv2k8s.tf
index 1560e08..16b3718 100644
--- a/terraform/helm_akv2k8s.tf
+++ b/terraform/helm_akv2k8s.tf
@@ -14,7 +14,7 @@ resource "azurerm_key_vault_access_policy" "aks" {
 key_vault_id = data.azurerm_key_vault.kv.id
 tenant_id = data.azurerm_subscription.current.tenant_id
- object_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
+ object_id = module.aks.kubelet_identity[0].object_id
 certificate_permissions = [
 "get"
@@ -30,11 +30,13 @@ resource "azurerm_key_vault_access_policy" "aks" {
 }
+# Requires "kube_admin_config_raw" as has AAD Auth enabled
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#kube_admin_config_raw
 resource "local_file" "kubeconfig" {
- sensitive_content = azurerm_kubernetes_cluster.aks.kube_config_raw
+ sensitive_content = module.aks.full_object.kube_admin_config_raw
 filename = var.aks_config_path
- depends_on = [azurerm_kubernetes_cluster.aks]
+ depends_on = [module.aks]
 }
 # https://www.terraform.io/docs/provisioners/local-exec.html
@@ -97,15 +99,13 @@ resource "null_resource" "akv2k8s_exceptions" {
 resource "helm_release" "akv2k8s" {
 chart = "akv2k8s"
 name = "akv2k8s"
- namespace = "akv2k8s"
+ namespace = kubernetes_namespace.akv2k8s.metadata[0].name
 repository = "http://charts.spvapi.no"
 version = var.akv2k8s_chart_version
+ timeout = 600
 set {
 name = "controller.logLevel"
 value = "debug"
 }
-
- timeout = 600
-
- depends_on = [kubernetes_namespace.akv2k8s]
 }
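Review bot: `nmi.allowNetworkPluginKubenet = "true"` switches on a mode that the values file updated in this same commit documents as `default is false`, and the page linked in the comment above it explains why, as I read it: on kubenet a pod holding CAP_NET_RAW can spoof traffic on the node bridge and intercept the metadata requests NMI relies on, obtaining another pod's identity. The hunk records the link but not the compensating control, so either confirm the cluster is actually deployed with kubenet (the module call elsewhere in this diff sets no network plugin, so that is not visible here) and add the workload policy the linked page recommends for dropping NET_RAW, or leave the flag at its default on Azure CNI clusters where it is unnecessary. A comment such as `# required on kubenet only; NET_RAW is dropped cluster-wide by <policy name>` above the new set block would keep the decision auditable.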
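Review bot: `resource "local_file" "kubeconfig"` now writes the cluster-admin kubeconfig — a long-lived client certificate that bypasses the AAD authentication this commit enables — to `var.aks_config_path`, but sets no `file_permission`, and the hashicorp/local provider's default for that argument is `"0777"`, so the file is created world-readable on the runner. Add `file_permission = "0600"` next to `filename`, and extend the new comment to say that this credential also lands in Terraform state, so the state backend has to be protected as a secret. The comment `Requires "kube_admin_config_raw" as has AAD Auth enabled` would read better as `# AAD auth is enabled, so the user kubeconfig needs interactive login; automation uses the admin (local account) kubeconfig, which bypasses AAD RBAC`.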
diff --git a/terraform/helm_cert_manager.tf b/terraform/helm_cert_manager.tf
index 8313c7f..448ca38 100644
--- a/terraform/helm_cert_manager.tf
+++ b/terraform/helm_cert_manager.tf
@@ -7,9 +7,10 @@ resource "helm_release" "cert_manager" {
 chart = "cert-manager"
 name = "cert-manager"
- namespace = "ingress"
+ namespace = kubernetes_namespace.ingress.metadata[0].name
 repository = "https://charts.jetstack.io"
 version = var.cert_manager_chart_version
+ timeout = 600
 set {
 name = "global.logLevel"
@@ -20,7 +21,4 @@ resource "helm_release" "cert_manager" {
 name = "installCRDs"
 value = "true"
 }
-
- timeout = 600
-
- depends_on = [kubernetes_namespace.ingress]
 }
diff --git a/terraform/helm_nexus.tf b/terraform/helm_nexus.tf
index 9409164..d0e2fe1 100644
--- a/terraform/helm_nexus.tf
+++ b/terraform/helm_nexus.tf
@@ -9,17 +9,19 @@ resource "kubernetes_namespace" "nexus" {
 delete = "15m"
 }
- depends_on = [azurerm_kubernetes_cluster.aks]
+ depends_on = [module.aks]
 }
 # https://www.terraform.io/docs/providers/helm/r/release.html
 resource "helm_release" "nexus" {
 chart = "sonatype-nexus"
 name = "nexus"
- namespace = "nexus"
+ namespace = kubernetes_namespace.nexus.metadata[0].name
 repository = "https://adamrushuk.github.io/charts/"
 version = var.nexus_chart_version
- values = ["${file("helm/nexus_values.yaml")}"]
+ timeout = 600
+
+ values = ["${file("helm/nexus_values.yaml")}"]
 set {
 name = "image.tag"
@@ -51,6 +53,5 @@ resource "helm_release" "nexus" {
 value = var.nexus_tls_secret_name
 }
- timeout = 600
- depends_on = [helm_release.nginx, kubernetes_namespace.nexus]
+ depends_on = [helm_release.nginx]
 }
diff --git a/terraform/helm_nginx.tf b/terraform/helm_nginx.tf
index 713fc04..9183f50 100644
--- a/terraform/helm_nginx.tf
+++ b/terraform/helm_nginx.tf
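Review bot: `values = ["${file("helm/nexus_values.yaml")}"]` is re-added in the helm_nexus.tf hunk as an interpolation-only string, which Terraform 0.12+ reports as deprecated, and the same form is re-added in the helm_nginx.tf hunk that follows. Write it as `values = [file("helm/nexus_values.yaml")]`, and consider anchoring the path the way helm_aad_pod_identity.tf already does for its template (`file("${path.module}/helm/nexus_values.yaml")`) so the release does not depend on the working directory at apply time.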
@@ -9,17 +9,16 @@ resource "kubernetes_namespace" "ingress" {
 delete = "15m"
 }
- depends_on = [azurerm_kubernetes_cluster.aks]
+ depends_on = [module.aks]
 }
 # https://www.terraform.io/docs/providers/helm/r/release.html
 resource "helm_release" "nginx" {
 chart = "ingress-nginx"
 name = "nginx"
- namespace = "ingress"
+ namespace = kubernetes_namespace.ingress.metadata[0].name
 repository = "https://kubernetes.github.io/ingress-nginx"
 version = var.nginx_chart_version
- values = ["${file("helm/nginx_values.yaml")}"]
 timeout = 600
- depends_on = [kubernetes_namespace.ingress]
+ values = ["${file("helm/nginx_values.yaml")}"]
 }
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index 2e8b498..dd91373 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -1,18 +1,14 @@
 # WARNING: this outputs credential / login config
 # output "aks_config" {
-# value = azurerm_kubernetes_cluster.aks
+# value = module.aks
 # }
 output "aks_credentials_command" {
- value = "az aks get-credentials --resource-group ${azurerm_kubernetes_cluster.aks.resource_group_name} --name ${azurerm_kubernetes_cluster.aks.name} --overwrite-existing"
-}
-
-output "aks_browse_command" {
- value = "az aks browse --resource-group ${azurerm_kubernetes_cluster.aks.resource_group_name} --name ${azurerm_kubernetes_cluster.aks.name}"
+ value = "az aks get-credentials --resource-group ${azurerm_resource_group.aks.name} --name ${module.aks.name} --overwrite-existing"
 }
 output "aks_node_resource_group" {
- value = azurerm_kubernetes_cluster.aks.node_resource_group
+ value = module.aks.node_resource_group
 }
 # output "ssh_private_key" {
@@ -29,9 +25,9 @@ output "aks_node_resource_group" {
 # }
 # output "client_certificate" {
-# value = azurerm_kubernetes_cluster.aks.kube_config.0.client_certificate
+# value = module.aks.kube_config[0].client_certificate
 # }
 # output "kube_config" {
-# value = azurerm_kubernetes_cluster.aks.kube_config_raw
+# value = module.aks.kube_config_raw
 # }
diff --git a/terraform/providers.tf b/terraform/providers.tf
index 32ccfb2..b646423 100644
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -30,7 +30,7 @@ terraform {
 }
 # must include blank features block
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 provider "azurerm" {
- version = "2.34.0"
+ version = "2.37.0"
 features {}
 }
@@ -38,18 +38,18 @@ provider "azurerm" {
 # https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs#statically-defined-credentials
 provider "kubernetes" {
 load_config_file = false # when you wish not to load the local config file
- host = azurerm_kubernetes_cluster.aks.kube_config.0.host
- client_certificate = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.client_certificate)
- client_key = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.client_key)
- cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.cluster_ca_certificate)
+ host = module.aks.full_object.kube_admin_config[0].host
+ client_certificate = base64decode(module.aks.full_object.kube_admin_config[0].client_certificate)
+ client_key = base64decode(module.aks.full_object.kube_admin_config[0].client_key)
+ cluster_ca_certificate = base64decode(module.aks.full_object.kube_admin_config[0].cluster_ca_certificate)
 }
 provider "helm" {
 kubernetes {
 load_config_file = false
- host = azurerm_kubernetes_cluster.aks.kube_config.0.host
- client_certificate = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.client_certificate)
- client_key = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.client_key)
- cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.cluster_ca_certificate)
+ host = module.aks.full_object.kube_admin_config[0].host
+ client_certificate = base64decode(module.aks.full_object.kube_admin_config[0].client_certificate)
+ client_key = base64decode(module.aks.full_object.kube_admin_config[0].client_key)
+ cluster_ca_certificate = base64decode(module.aks.full_object.kube_admin_config[0].cluster_ca_certificate)
 }
 }
diff --git a/terraform/variables.tf b/terraform/variables.tf
index bbdf248..3db9ff1 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
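Review bot: The kubernetes and helm providers now authenticate with `module.aks.full_object.kube_admin_config[0]`, i.e. the cluster's local admin client certificate, which sidesteps the AAD authentication this same commit enables on the cluster; that is a reasonable trade-off for non-interactive automation, but nothing in the hunk says so. A comment above `provider "kubernetes"` such as `# AAD auth is enabled on the cluster, so Terraform uses the local admin credentials (kube_admin_config); these bypass AAD RBAC and are persisted in state` would make the trust boundary explicit, and the same applies to the helm provider block below it. Reading the credentials through `full_object` also exposes every attribute of the cluster resource as module output; if the module offers dedicated outputs for the admin config, prefer those so the sensitive surface stays narrow.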
@@ -15,19 +15,22 @@ variable "kubernetes_version" {
 #
 # https://kubernetes.github.io/ingress-nginx/deploy/#using-helm
 # https://github.com/kubernetes/ingress-nginx/releases
-# https://github.com/kubernetes/ingress-nginx/blob/master/charts/ingress-nginx/Chart.yaml#L3
+# https://github.com/kubernetes/ingress-nginx/blob/ingress-nginx-3.11.0/charts/ingress-nginx/Chart.yaml#L3
+# helm search repo ingress-nginx/ingress-nginx
 variable "nginx_chart_version" {
- default = "3.7.1"
+ default = "3.11.0"
 }
 # https://hub.helm.sh/charts/jetstack/cert-manager
+# helm search repo jetstack/cert-manager
 variable "cert_manager_chart_version" {
 default = "v1.0.4"
 }
 # https://github.com/vmware-tanzu/helm-charts/releases
+# helm search repo vmware-tanzu/velero
 variable "velero_chart_version" {
- default = "2.13.6"
+ default = "2.13.7"
 }
 # https://hub.docker.com/r/sonatype/nexus3/tags
@@ -36,26 +39,30 @@ variable "nexus_image_tag" {
 }
 # https://github.com/adamrushuk/charts/releases
+# helm search repo adamrushuk/sonatype-nexus
 variable "nexus_chart_version" {
- default = "0.2.7"
+ default = "0.2.8"
 }
 # https://github.com/SparebankenVest/public-helm-charts/releases
 # https://github.com/SparebankenVest/helm-charts/tree/gh-pages/akv2k8s
 # https://github.com/SparebankenVest/public-helm-charts/blob/master/stable/akv2k8s/Chart.yaml#L5
+# helm search repo spv-charts/akv2k8s
 variable "akv2k8s_chart_version" {
 default = "1.1.26"
 }
 # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4
+# helm search repo aad-pod-identity/aad-pod-identity
 variable "aad_pod_identity_chart_version" {
- default = "2.0.2"
+ default = "2.0.3"
 }
 # https://bitnami.com/stack/external-dns/helm
-# https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L3
+# https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21
+# helm search repo bitnami/external-dns
 variable "external_dns_chart_version" {
- default = "3.5.0"
+ default = "4.0.0"
 }
 #endregion Versions
@@ -128,7 +135,7 @@ variable "sla_sku" {
 variable "aks_container_insights_enabled" {
 description = "Should Container Insights monitoring be enabled"
- default = false
+ default = true
 }
 variable "aks_config_path" {
diff --git a/terraform/velero.tf b/terraform/velero.tf
index e4d75eb..6bb1ee3 100644
--- a/terraform/velero.tf
+++ b/terraform/velero.tf
@@ -52,7 +52,7 @@ resource "kubernetes_namespace" "velero" {
 delete = "15m"
 }
- depends_on = [azurerm_kubernetes_cluster.aks]
+ depends_on = [module.aks]
 }
 resource "kubernetes_secret" "velero_credentials" {
@@ -69,7 +69,7 @@ resource "kubernetes_secret" "velero_credentials" {
 data = {
 cloud = <