[ci.jenkins.io] Create private EKS cluster with "side" services (datadog, ACP, etc.)

[dduportal]

We need a private EKS cluster to run ci.jenkins.io container agents.

• No need for multiple AZs unless strictly necessary
• We want to use a private endpoint for ci.jenkins.io access to the cluster: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
  • But we also need the public endpoint to be restricted to our VPN (for admin access) and infra.ci.jenkins.io outbound IP (for terraform and Kubernetes management)
• The subnets can (and should) be private (see [ci.jenkins.io] Define virtual networking for AWS #4320)
• EKS networks considerations: https://docs.aws.amazon.com/eks/latest/userguide/network-reqs.html
• Our former Terraform code, using a module: https://github.com/jenkins-infra/aws/blob/ac02157bb6646918594827b293320f64eacffeb5/cik8s-cluster.tf
• Some addons are needed (ref. https://docs.aws.amazon.com/eks/latest/userguide/workloads-add-ons-available-eks.html):
  • Kube Proxy (of course)
  • CoreDNS (of course)
  • VPC CNI to get native VPC networking for pods and services
  • EBS CSI to ensure we can have volumes for Artifact Caching Proxy
• We need the autoscaler. Worth checking Karpenter.
• We also need the AWS LB Controller installed to allow creating a private LB for the Artifact Caching Proxy to ensure VM agents of ci.jenkins.io can reach the service
  • See https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/access-container-applications-privately-on-amazon-eks-using-aws-privatelink-and-a-network-load-balancer.html for a guide on how to expose privately the ACP service with a private LB
• About Node pools:
  • "application" ARM64 Node pool to host ACP, datadog an any other "non Jenkins agent" pods. Check the current one in azure: https://github.com/jenkins-infra/azure/blob/e81b9697e4a9cedebf10e119b6a5a112e09b651f/ci.jenkins.io-kubernetes-agents.tf#L69
  • "agents" x86 Node pool to host usual Linux agents: https://github.com/jenkins-infra/azure/blob/e81b9697e4a9cedebf10e119b6a5a112e09b651f/ci.jenkins.io-kubernetes-agents.tf#L103
  • "bom agents" x86 Node pool to host BOm agents: https://github.com/jenkins-infra/azure/blob/e81b9697e4a9cedebf10e119b6a5a112e09b651f/ci.jenkins.io-kubernetes-agents.tf#L137
  • We should start with no Spot agents for the first months (we have credits and we want to avoid too much build retries
  • Note: see [ci.jenkins.io] Move ACI agents to ephemeral Windows containers to AWS #4318 for upcoming Windows Node pool agents
• We'll have to add this cluster to jenkins-infra/kubernetes-management as usual:
  • An admin SVC account is needed like https://github.com/jenkins-infra/azure/blob/main/ci.jenkins.io-kubernetes-agents.tf#L180-L189
  • Then set up the kubeconfig credential once in SOPS secrts and create the cluster in kubernetes-management
  • Proceed to helmfile releases definitions
  • set up ACP to use a private LB and check access from the ci.jio controller or a VM agent through the private endpoint

[dduportal]

Discussed with @smerle33:

• [ci.jenkins.io] Define virtual networking for AWS #4320 reached a first milestone allowing starting work on the issue here
• Stephane prefers more the EKS topic than the VM topic: assigning EKS to @smerle33
• Scheduling for next milestone when he's back from holidays

[smerle33]

change of usage for the module since last time we used it https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md

[smerle33]

We choose to deal with all the IAM usage within the private repository https://github.com/jenkins-infra/terraform-states/commit/cfd08c45dd4153d676c9223670f927d515585679
instead of giving the module user too much power.

[dduportal]

Then we will add datadog that need the docker registry secrets

As per https://github.com/jenkins-infra/kubernetes-management/pull/6020/files#r1890521384, we'll start with datadog (changed since yesterday)

[dduportal]

Update:

• In order to operate this cluster properly, we had to set up the base bricks of EKS before next steps. We chose to do everything in Terraform to have a logical split between "EKS specific components" and "Jenkins Applications":
  • feat(eks/cijenkinsio-agents-2): setup technical addons for taint and toleration + add autoscaler terraform-aws-sponsorship#67
    • We set up node labels and taints (to allow specifying tolerations and nodeselectors for replicasets)
    • We specified tolerations to the existing EKS add ons which support it
    • We installed the cluster-autoscaler in HA mode
  • A bit of code cleanup:
    • Chore: enforce name conventions terraform-aws-sponsorship#69
    • chore: define required providers instead of empty providers terraform-aws-sponsorship#70

=> cluster still has 1 node but it is up and running

Next steps:

• Add a new "applications" node group
  • Need to choose the correct sizing
  • Drain the current "tiny linux" and remove it to use applications fully instead
• Set up cluster-autoscaler to have anti-affinity
  • Will "break" the deployment (only 1 replica running on the unique node)
  • Good test of its HA mode: it should keep working, trigger a scale-up, and auto-heal. Fallback to manual scale up if it breaks
• Set up CoreDNS to have anti-affinity
• Export node labels and taints in the JSON export
• Add datadog Helm release
  • Involve retrieving node labels from Terraform JSON export and tolerations to specify nodeSelectors and node tolerations
• Add EBS addon to support ACP
• Add ACP Helm release
  • Involve retrieving node labels from Terraform JSON export and tolerations to specify nodeSelectors and node tolerations
  • Decide which volume provisiniong pattern to use as ACP is a statefulset:
    • dynamic (PV/PVC in the helm chart) or static (Terraform defined + JSON export)
    • Topology awareness (availability zone constraint)
    • Might need to update the node group "application" to spread across the 2 subnets (distincts AZs) provided to EKS and set up 1 replica per AZ
• Track missing elements with updatecli (search for TODO in the Terraform project)
• Add the 2 new node groups for agents and bom-agents + export their labels/taints
• Set up the rest of the helm charts
• Optional: can we use instance identity to run the cluster auth (like we do for ec2) instead of creating a svc account?

[dduportal]

Next steps:

• Add a new "applications" node group
  • Need to choose the correct sizing
  • Drain the current "tiny linux" and remove it to use applications fully instead
    ...
• Export node labels and taints in the JSON export

jenkins-infra/terraform-aws-sponsorship#71

[dduportal]

Set up cluster-autoscaler to have anti-affinity
...
Set up CoreDNS to have anti-affinity

As per the cluster-autoscaler and coredns recommendations, we should not do this as it may constrain the cluster when operating upgrades. We shall let the scheduler do its job instead (as in EKS, like AKS, it relaxes constraints when possible)

[dduportal]

Export node labels and taints in the JSON export

https://reports.jenkins.io/jenkins-infra-data-reports/aws-sponsorship.json => LGTM

[dduportal]

Update: had to re-create the cluster to ensure a successful bootstrap. There was a lot of node creation attempts in NotReady due to many factors:

• Network ACL were blocking some requests to the Amazon ECRs hosting some of their addons (coredns) and the cluster-autoscaler image
• Adding tolerations to the kube proxy and CNI adds on did messed up their configuration (most probably the addon "preserve/overwrite" system that I misunderstood).
  • But it is REQUIRED for CoreDNS addon and cluster-autoscaler...

Related code changes:

• Terraform:
  • Removed tolerations from kube proxy addon: jenkins-infra/terraform-aws-sponsorship@306287a
  • Bumped kube proxy to last version to force re-apply: jenkins-infra/terraform-aws-sponsorship@a0bae89
  • Removed tinylinux node group: jenkins-infra/terraform-aws-sponsorship@8d82256
  • Removed tolerations from CNI addon + ensure node group has always 2 nodes: jenkins-infra/terraform-aws-sponsorship@542fc5d
  • Recreated the EKS cluster with a dedicated public subnet in zone A a private subnets in zones A and C (not B in which we have controller/ephemeral vms) to avoid any network ACL issue:
    • jenkins-infra/terraform-aws-sponsorship@8dc5e5d
    • jenkins-infra/terraform-aws-sponsorship@fc61ee9
• Network access to the new EKS IPs (good opportunity to track the public IPs):
  • Docker OpenVPN:
    • jenkins-infra/docker-openvpn@9adb292 (blocked by rate limit for now)
    • PR to update IPs: Update list of IPs restricted to VPN access only docker-openvpn#379
  • Puppet:
    • Deployment of the new VPN version: Bump OpenVPN Docker image version to 2.4.59 jenkins-infra#3795
    • Tracking new EKS IPs: chore(updatecli) track EKS public IPs for ci.jenkins.io-agents-2 jenkins-infra#3796
    • PR to update the new IPs: Update list of external SSH IPs (restricted to VPN access only) jenkins-infra#3797
• SOPS to add the new kubeconfig in infra.ci.jenkins.io: jenkins-infra/kubernetes-management@31cbf1d

[dduportal]

Annnnd datadog is installed: jenkins-infra/kubernetes-management#6020 Merry Christmas!

[dduportal]

Update: starting work for installing ACP.

First set of working hypothesis for the initial deployment: Internal SVC and standard (gp3) EBS persistence. Goal is to have an initial working deployment which can be used internally to the EKS cluster (e.g. by container agents).

Second set of hypothesis: Use a "private LB". Goal is to allow EC2 VM agents to access ACP, without opening it publicly.

We'll have to monitor ACP metrics once we'll start using it (mainly CPU and EBS IOPS) to see if it does not need more.

[dduportal]

First set of working hypothesis for the initial deployment: Internal SVC and EBS persistence

Task list:

• Enable CSI add-on (ref. https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html)
  • Require to set up properties
• Add EBS "premium" (start with gp3) storage classes for each zone defined for the EKS cluster
• Set up initial ACP installation (with proper setup)
  • Toleration and taints should not need to change
  • Double check the DNS resolver hostname

[dduportal]

First set of working hypothesis for the initial deployment: Internal SVC and EBS persistence

ACP is now installed (jenkins-infra/terraform-aws-sponsorship#74, jenkins-infra/terraform-aws-sponsorship#75, jenkins-infra/kubernetes-management#6073)

[dduportal]

Next steps (all elements have the same priority):

• Setup Jenkins namespace + SVC account + RBAC, and set up the controller VM IAM identity to map to this SVC account in order to have a credential-less setup (like it has been been with EC2 agents)
  • Don't forget to remove the kubeconfig's output from terraform once setup. Implies eventually updating the helm chart to NOT create a token (unneeded anymore)
• Setup ACP with an internal LB to allow reaching through EC2 agents
  • See https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/access-container-applications-privately-on-amazon-eks-using-aws-privatelink-and-a-network-load-balancer.html
  • Need to install the EKS Add-on LB (with its own IRSA identity) first
  • Then check the Kubernetes SVC required annotations and AWS Private Link addons

[smerle33]

for part 1 (jenkins namespace, service account, rbac and iam link with VM iam identity and kubernetes service account):

namespace, service account and rbac are dealt with the helm chart: https://github.com/jenkins-infra/helm-charts/tree/main/charts/jenkins-kubernetes-agents