DMVP-6378: to have nginx ingress load balancer external/internet-facing by default

README.md

@@ -206,8 +206,10 @@ worker_groups = {
 ## karpenter enabled
 ### NOTES:
 ###  - enabling karpenter automatically disables cluster auto-scaler
-###  - then enabling karpenter on existing old cluster there is possibility to see cycle-dependency error, to overcome this you need at first to apply main eks module change (`terraform apply --target "module.<eks-module-name>.module.eks-cluster"`) and then rest of cluster-autoloader destroy and karpenter install onse
+###  - if vpc have been created externally(not inside this module) then you may need to set the following tags on private subnets `karpenter.sh/discovery=<cluster-name>`
+###  - then enabling karpenter on existing old cluster there is possibility to see cycle-dependency error, to overcome this you need at first to apply main eks module change (`terraform apply --target "module.<eks-module-name>.module.eks-cluster"`) and then rest of cluster-autoloader destroy and karpenter install ones
 ###  - when destroying cluster which have karpenter enabled there is possibility of failure on karpenter resource removal, you need to run destruction one more time to get it complete
+###  - in order to be able to use spot instances you may need to create AWSServiceRoleForEC2Spot IAM role on aws account(TODO: check and create this role on account module automatically), here is the doc: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/service-linked-roles-spot-instance-requests.html , otherwise karpenter created `nodeclaim` kubernetes resource will show AuthFailure.ServiceLinkedRoleCreationNotPermitted error
 ```terraform
 module "eks" {
  source  = "dasmeta/eks/aws"
@@ -340,7 +342,7 @@ module "eks" {
 | <a name="input_map_roles"></a> [map\_roles](#input\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. | <pre>list(object({<br>    rolearn  = string<br>    username = string<br>    groups   = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_metrics_exporter"></a> [metrics\_exporter](#input\_metrics\_exporter) | Metrics Exporter, can use cloudwatch or adot | `string` | `"adot"` | no |
 | <a name="input_metrics_server_name"></a> [metrics\_server\_name](#input\_metrics\_server\_name) | n/a | `string` | `"metrics-server"` | no |
-| <a name="input_nginx_ingress_controller_config"></a> [nginx\_ingress\_controller\_config](#input\_nginx\_ingress\_controller\_config) | Nginx ingress controller configs | <pre>object({<br>    enabled          = optional(bool, false)<br>    name             = optional(string, "nginx")<br>    create_namespace = optional(bool, true)<br>    namespace        = optional(string, "ingress-nginx")<br>    replicacount     = optional(number, 3)<br>    metrics_enabled  = optional(bool, true)<br>  })</pre> | <pre>{<br>  "create_namespace": true,<br>  "enabled": false,<br>  "metrics_enabled": true,<br>  "name": "nginx",<br>  "namespace": "ingress-nginx",<br>  "replicacount": 3<br>}</pre> | no |
+| <a name="input_nginx_ingress_controller_config"></a> [nginx\_ingress\_controller\_config](#input\_nginx\_ingress\_controller\_config) | Nginx ingress controller configs | <pre>object({<br>    enabled          = optional(bool, false)<br>    name             = optional(string, "nginx")<br>    create_namespace = optional(bool, true)<br>    namespace        = optional(string, "ingress-nginx")<br>    replicacount     = optional(number, 3)<br>    metrics_enabled  = optional(bool, true)<br>    configs          = optional(any, {}) # Configurations to pass and override default ones. Check the helm chart available configs here: https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx/4.12.0?modal=values<br>  })</pre> | <pre>{<br>  "create_namespace": true,<br>  "enabled": false,<br>  "metrics_enabled": true,<br>  "name": "nginx",<br>  "namespace": "ingress-nginx",<br>  "replicacount": 3<br>}</pre> | no |
 | <a name="input_node_groups"></a> [node\_groups](#input\_node\_groups) | Map of EKS managed node group definitions to create | `any` | <pre>{<br>  "default": {<br>    "desired_size": 2,<br>    "iam_role_additional_policies": [<br>      "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"<br>    ],<br>    "instance_types": [<br>      "t3.large"<br>    ],<br>    "max_size": 4,<br>    "min_size": 2<br>  }<br>}</pre> | no |
 | <a name="input_node_groups_default"></a> [node\_groups\_default](#input\_node\_groups\_default) | Map of EKS managed node group default configurations | `any` | <pre>{<br>  "disk_size": 50,<br>  "iam_role_additional_policies": [<br>    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"<br>  ],<br>  "instance_types": [<br>    "t3.large"<br>  ]<br>}</pre> | no |
 | <a name="input_node_security_group_additional_rules"></a> [node\_security\_group\_additional\_rules](#input\_node\_security\_group\_additional\_rules) | n/a | `any` | <pre>{<br>  "ingress_cluster_10250": {<br>    "description": "Metric server to node groups",<br>    "from_port": 10250,<br>    "protocol": "tcp",<br>    "self": true,<br>    "to_port": 10250,<br>    "type": "ingress"<br>  }<br>}</pre> | no |

main.tf

@@ -209,8 +209,10 @@
  * ## karpenter enabled
  * ### NOTES:
  * ###  - enabling karpenter automatically disables cluster auto-scaler
- * ###  - then enabling karpenter on existing old cluster there is possibility to see cycle-dependency error, to overcome this you need at first to apply main eks module change (`terraform apply --target "module.<eks-module-name>.module.eks-cluster"`) and then rest of cluster-autoloader destroy and karpenter install onse
+ * ###  - if vpc have been created externally(not inside this module) then you may need to set the following tags on private subnets `karpenter.sh/discovery=<cluster-name>`
+ * ###  - then enabling karpenter on existing old cluster there is possibility to see cycle-dependency error, to overcome this you need at first to apply main eks module change (`terraform apply --target "module.<eks-module-name>.module.eks-cluster"`) and then rest of cluster-autoloader destroy and karpenter install ones
  * ###  - when destroying cluster which have karpenter enabled there is possibility of failure on karpenter resource removal, you need to run destruction one more time to get it complete
+ * ###  - in order to be able to use spot instances you may need to create AWSServiceRoleForEC2Spot IAM role on aws account(TODO: check and create this role on account module automatically), here is the doc: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/service-linked-roles-spot-instance-requests.html , otherwise karpenter created `nodeclaim` kubernetes resource will show AuthFailure.ServiceLinkedRoleCreationNotPermitted error
  * ```terraform
  * module "eks" {
  *  source  = "dasmeta/eks/aws"

modules/nginx-ingress-controller/README.md

@@ -15,7 +15,9 @@
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_custom_default_configs_merged"></a> [custom\_default\_configs\_merged](#module\_custom\_default\_configs\_merged) | cloudposse/config/yaml//modules/deepmerge | 1.0.2 |
 
 ## Resources
 
@@ -27,7 +29,8 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | The app chart version | `string` | `"4.11.3"` | no |
+| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | The app chart version | `string` | `"4.12.0"` | no |
+| <a name="input_configs"></a> [configs](#input\_configs) | Configurations to pass and override default ones. Check the helm chart available configs here: https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx/4.12.0?modal=values | `any` | `{}` | no |
 | <a name="input_create_namespace"></a> [create\_namespace](#input\_create\_namespace) | Create namespace or use existing one | `bool` | `true` | no |
 | <a name="input_metrics_enabled"></a> [metrics\_enabled](#input\_metrics\_enabled) | Enable metric export | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name | `string` | `"nginx"` | no |

modules/nginx-ingress-controller/main.tf

@@ -1,14 +1,44 @@
 resource "helm_release" "ingress-nginx" {
-  name       = var.name
-  repository = "https://kubernetes.github.io/ingress-nginx"
-  values = [
-    templatefile("${path.module}/values.yaml.tpl", {
-      replicacount    = var.replicacount
-      metrics_enabled = var.metrics_enabled
-    })
-  ]
+  name             = var.name
+  repository       = "https://kubernetes.github.io/ingress-nginx"
+  values           = [jsonencode(module.custom_default_configs_merged.merged)]
   chart            = "ingress-nginx"
   namespace        = var.namespace
   version          = var.chart_version
-  create_namespace = true
+  create_namespace = var.create_namespace
+}
+
+
+module "custom_default_configs_merged" {
+  source  = "cloudposse/config/yaml//modules/deepmerge"
+  version = "1.0.2"
+
+  maps = [
+    {
+      controller = {
+        config = {
+          use-forwarded-headers         = "true"
+          enable-underscores-in-headers = "true"
+        }
+        replicaCount = var.replicacount
+        metrics = {
+          enabled : var.metrics_enabled
+        }
+        service = {
+          annotations = {
+            "service.beta.kubernetes.io/aws-load-balancer-scheme" = "internet-facing"
+          }
+        }
+      }
+    },
+    var.metrics_enabled ? {
+      controller = {
+        podAnnotations = {
+          "prometheus.io/scrape" = true
+          "prometheus.io/port"   = 10254
+        }
+      }
+    } : {},
+    var.configs
+  ]
 }

modules/nginx-ingress-controller/variables.tf

@@ -12,7 +12,7 @@ variable "namespace" {
 
 variable "chart_version" {
   type        = string
-  default     = "4.11.3"
+  default     = "4.12.0"
   description = "The app chart version"
 }
 
@@ -33,3 +33,9 @@ variable "metrics_enabled" {
   default     = true
   description = "Enable metric export"
 }
+
+variable "configs" {
+  type        = any
+  default     = {}
+  description = "Configurations to pass and override default ones. Check the helm chart available configs here: https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx/4.12.0?modal=values"
+}

nginx-ingress-controller.tf

@@ -8,4 +8,5 @@ module "nginx-ingress-controller" {
   namespace        = var.nginx_ingress_controller_config.namespace
   replicacount     = var.nginx_ingress_controller_config.replicacount
   metrics_enabled  = var.nginx_ingress_controller_config.metrics_enabled
+  configs          = var.nginx_ingress_controller_config.configs
 }

variables.tf

@@ -334,6 +334,7 @@ variable "nginx_ingress_controller_config" {
     namespace        = optional(string, "ingress-nginx")
     replicacount     = optional(number, 3)
     metrics_enabled  = optional(bool, true)
+    configs          = optional(any, {}) # Configurations to pass and override default ones. Check the helm chart available configs here: https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx/4.12.0?modal=values
   })
 
   default = {