Merge branch 'main' into release

particuleio · Feb 9, 2023 · 36222fe · 36222fe
2 parents 9fba1ec + 2dabdc3
commit 36222fe
Show file tree

Hide file tree

Showing 9 changed files with 150 additions and 9 deletions.
diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
@@ -12,7 +12,7 @@ dependencies:
     version: 2.16.0
     repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
   - name: aws-efs-csi-driver
-    version: 2.3.6
+    version: 2.3.7
     repository: https://kubernetes-sigs.github.io/aws-efs-csi-driver
   - name: aws-for-fluent-bit
     version: 0.1.22
@@ -36,7 +36,7 @@ dependencies:
     version: 9.23.0
     repository: https://kubernetes.github.io/autoscaler
   - name: external-dns
-    version: 1.12.0
+    version: 1.12.1
     repository: https://kubernetes-sigs.github.io/external-dns/
   - name: flux
     version: 1.13.3
@@ -60,10 +60,10 @@ dependencies:
     version: 18.4.0
     repository: https://codecentric.github.io/helm-charts
   - name: kong
-    version: 2.16.0
+    version: 2.16.2
     repository: https://charts.konghq.com
   - name: kube-prometheus-stack
-    version: 44.3.1
+    version: 44.4.1
     repository: https://prometheus-community.github.io/helm-charts
   - name: kyverno
     version: 2.7.0
@@ -84,7 +84,7 @@ dependencies:
     version: 2.9.9
     repository: https://grafana.github.io/helm-charts
   - name: loki
-    version: 4.4.2
+    version: 4.6.0
     repository: https://grafana.github.io/helm-charts
   - name: promtail
     version: 6.8.2
@@ -93,13 +93,13 @@ dependencies:
     version: 3.8.3
     repository: https://kubernetes-sigs.github.io/metrics-server/
   - name: node-problem-detector
-    version: 2.3.2
+    version: 2.3.3
     repository: https://charts.deliveryhero.io/
   - name: prometheus-adapter
     version: 4.1.1
     repository: https://prometheus-community.github.io/helm-charts
   - name: prometheus-cloudwatch-exporter
-    version: 0.22.0
+    version: 0.23.0
     repository: https://prometheus-community.github.io/helm-charts
   - name: prometheus-blackbox-exporter
     version: 7.5.0
@@ -114,7 +114,7 @@ dependencies:
     version: 2.7.3
     repository: https://bitnami-labs.github.io/sealed-secrets
   - name: strimzi-kafka-operator
-    version: 0.33.0
+    version: 0.33.1
     repository: https://strimzi.io/charts/
   - name: thanos
     version: 12.0.3

diff --git a/modules/aws/README.md b/modules/aws/README.md
@@ -68,6 +68,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | <a name="module_iam_assumable_role_yet-another-cloudwatch-exporter"></a> [iam\_assumable\_role\_yet-another-cloudwatch-exporter](#module\_iam\_assumable\_role\_yet-another-cloudwatch-exporter) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 5.0 |
 | <a name="module_kube-prometheus-stack_thanos_bucket"></a> [kube-prometheus-stack\_thanos\_bucket](#module\_kube-prometheus-stack\_thanos\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
 | <a name="module_loki_bucket"></a> [loki\_bucket](#module\_loki\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
+| <a name="module_s3_logging_bucket"></a> [s3\_logging\_bucket](#module\_s3\_logging\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
 | <a name="module_security-group-efs-csi-driver"></a> [security-group-efs-csi-driver](#module\_security-group-efs-csi-driver) | terraform-aws-modules/security-group/aws//modules/nfs | ~> 4.0 |
 | <a name="module_thanos_bucket"></a> [thanos\_bucket](#module\_thanos\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
 | <a name="module_velero_thanos_bucket"></a> [velero\_thanos\_bucket](#module\_velero\_thanos\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
@@ -154,6 +155,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | [helm_release.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubectl_manifest.apply](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.aws-ebs-csi-driver_vsc](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubectl_manifest.calico_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.cni-metrics-helper](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
@@ -162,6 +164,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.secrets-store-csi-driver-provider-aws](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.sync](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubectl_manifest.tigera-operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
 | [kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
@@ -373,16 +376,20 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | [flux_install.main](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/data-sources/install) | data source |
 | [flux_sync.main](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/data-sources/sync) | data source |
 | [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
+| [http_http.calico_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
 | [http_http.csi-external-snapshotter](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
 | [http_http.kong_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
 | [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
 | [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
 | [http_http.secrets-store-csi-driver-provider-aws](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
+| [http_http.tigera-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
 | [kubectl_file_documents.apply](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/file_documents) | data source |
+| [kubectl_file_documents.calico_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/file_documents) | data source |
 | [kubectl_file_documents.csi-external-snapshotter](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/file_documents) | data source |
 | [kubectl_file_documents.kong_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/file_documents) | data source |
 | [kubectl_file_documents.secrets-store-csi-driver-provider-aws](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/file_documents) | data source |
 | [kubectl_file_documents.sync](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/file_documents) | data source |
+| [kubectl_file_documents.tigera-operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/file_documents) | data source |
 | [kubectl_path_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/path_documents) | data source |
 
 ## Inputs
@@ -432,6 +439,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | <a name="input_prometheus-cloudwatch-exporter"></a> [prometheus-cloudwatch-exporter](#input\_prometheus-cloudwatch-exporter) | Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values | `any` | `{}` | no |
 | <a name="input_promtail"></a> [promtail](#input\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
 | <a name="input_rabbitmq-operator"></a> [rabbitmq-operator](#input\_rabbitmq-operator) | Customize rabbitmq-operator chart, see `rabbitmq-operator.tf` for supported values | `any` | `{}` | no |
+| <a name="input_s3-logging"></a> [s3-logging](#input\_s3-logging) | Logging configuration for bucket created by this module | `any` | `{}` | no |
 | <a name="input_sealed-secrets"></a> [sealed-secrets](#input\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
 | <a name="input_secrets-store-csi-driver"></a> [secrets-store-csi-driver](#input\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |
 | <a name="input_secrets-store-csi-driver-provider-aws"></a> [secrets-store-csi-driver-provider-aws](#input\_secrets-store-csi-driver-provider-aws) | Enable secrets-store-csi-driver-provider-aws | `any` | `{}` | no |

diff --git a/modules/aws/kube-prometheus.tf b/modules/aws/kube-prometheus.tf
@@ -411,13 +411,23 @@ module "kube-prometheus-stack_thanos_bucket" {
   bucket = local.kube-prometheus-stack["thanos_bucket"]
   acl    = "private"
 
+  versioning = {
+    status = true
+  }
+
   server_side_encryption_configuration = {
     rule = {
       apply_server_side_encryption_by_default = {
         sse_algorithm = "AES256"
       }
     }
   }
+
+  logging = local.s3-logging.enabled ? {
+    target_bucket = local.s3-logging.create_bucket ? module.s3_logging_bucket.s3_bucket_id : local.s3-logging.custom_bucket_id
+    target_prefix = "${var.cluster-name}/${local.kube-prometheus-stack.name}/"
+  } : {}
+
   tags = local.tags
 }
 

diff --git a/modules/aws/loki-stack.tf b/modules/aws/loki-stack.tf
@@ -30,7 +30,7 @@ locals {
       enabled: false
     monitoring:
       lokiCanary:
-        enabled: false    
+        enabled: false
       selfMonitoring:
         enabled: false
         grafanaAgent:
@@ -198,6 +198,10 @@ module "loki_bucket" {
   bucket = local.loki-stack["bucket"]
   acl    = "private"
 
+  versioning = {
+    status = true
+  }
+
   server_side_encryption_configuration = {
     rule = {
       apply_server_side_encryption_by_default = {
@@ -206,6 +210,11 @@ module "loki_bucket" {
     }
   }
 
+  logging = local.s3-logging.enabled ? {
+    target_bucket = local.s3-logging.create_bucket ? module.s3_logging_bucket.s3_bucket_id : local.s3-logging.custom_bucket_id
+    target_prefix = "${var.cluster-name}/${local.loki-stack.name}/"
+  } : {}
+
   tags = local.tags
 
   lifecycle_rule = local.loki-stack["bucket_lifecycle_rule"]

diff --git a/modules/aws/s3-logging.tf b/modules/aws/s3-logging.tf
@@ -0,0 +1,39 @@
+locals {
+  s3-logging = merge(
+    {
+      enabled          = false
+      create_bucket    = true
+      custom_bucket_id = null
+    },
+    var.s3-logging
+  )
+}
+
+module "s3_logging_bucket" {
+  create_bucket = local.s3-logging.enabled && local.s3-logging.create_bucket
+
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "~> 3.0"
+
+  block_public_acls       = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+  ignore_public_acls      = true
+
+  bucket = "${var.cluster-name}-eks-addons-s3-logging"
+  acl    = "private"
+
+  versioning = {
+    status = true
+  }
+
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+
+  tags = local.tags
+}
diff --git a/modules/aws/thanos.tf b/modules/aws/thanos.tf
@@ -279,13 +279,23 @@ module "thanos_bucket" {
   bucket = local.thanos["bucket"]
   acl    = "private"
 
+  versioning = {
+    status = true
+  }
+
   server_side_encryption_configuration = {
     rule = {
       apply_server_side_encryption_by_default = {
         sse_algorithm = "AES256"
       }
     }
   }
+
+  logging = local.s3-logging.enabled ? {
+    target_bucket = local.s3-logging.create_bucket ? module.s3_logging_bucket.s3_bucket_id : local.s3-logging.custom_bucket_id
+    target_prefix = "${var.cluster-name}/${local.thanos.name}/"
+  } : {}
+
   tags = local.tags
 }
 

diff --git a/modules/aws/tigera-operator.tf b/modules/aws/tigera-operator.tf
@@ -8,18 +8,67 @@ locals {
       chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, "tigera-operator")].version
       namespace              = "tigera-operator"
       create_ns              = true
+      manage_crds            = true
       enabled                = false
       default_network_policy = true
     },
     var.tigera-operator
   )
 
+  tigera-operator_crds = "https://raw.githubusercontent.com/projectcalico/calico/${local.tigera-operator.chart_version}/manifests/operator-crds.yaml"
+
+  calico_crds = "https://raw.githubusercontent.com/projectcalico/calico/${local.tigera-operator.chart_version}/manifests/crds.yaml"
+
+  tigera-operator_crds_apply = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? [for v in data.kubectl_file_documents.tigera-operator_crds.0.documents : {
+    data : yamldecode(v)
+    content : v
+    }
+  ] : null
+
+  calico_crds_apply = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? [for v in data.kubectl_file_documents.tigera-operator_crds.0.documents : {
+    data : yamldecode(v)
+    content : v
+    }
+  ] : null
+
   values_tigera-operator = <<-VALUES
     installation:
       kubernetesProvider: EKS
     VALUES
 }
 
+data "http" "tigera-operator_crds" {
+  count = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0
+  url   = local.tigera-operator_crds
+}
+
+data "http" "calico_crds" {
+  count = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0
+  url   = local.calico_crds
+}
+
+data "kubectl_file_documents" "tigera-operator_crds" {
+  count   = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0
+  content = data.http.tigera-operator_crds[0].response_body
+}
+
+data "kubectl_file_documents" "calico_crds" {
+  count   = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0
+  content = data.http.calico_crds[0].response_body
+}
+
+resource "kubectl_manifest" "tigera-operator_crds" {
+  for_each          = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? { for v in local.tigera-operator_crds_apply : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content } : {}
+  yaml_body         = each.value
+  server_side_apply = true
+}
+
+resource "kubectl_manifest" "calico_crds" {
+  for_each          = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? { for v in local.calico_crds_apply : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content } : {}
+  yaml_body         = each.value
+  server_side_apply = true
+}
+
 resource "kubernetes_namespace" "tigera-operator" {
   count = local.tigera-operator["enabled"] && local.tigera-operator["create_ns"] ? 1 : 0
 

diff --git a/modules/aws/variables-aws.tf b/modules/aws/variables-aws.tf
@@ -64,6 +64,12 @@ variable "prometheus-cloudwatch-exporter" {
   default     = {}
 }
 
+variable "s3-logging" {
+  description = "Logging configuration for bucket created by this module"
+  type        = any
+  default     = {}
+}
+
 variable "secrets-store-csi-driver-provider-aws" {
   description = "Enable secrets-store-csi-driver-provider-aws"
   type        = any

diff --git a/modules/aws/velero.tf b/modules/aws/velero.tf
@@ -173,13 +173,23 @@ module "velero_thanos_bucket" {
   bucket = local.velero.bucket
   acl    = "private"
 
+  versioning = {
+    status = true
+  }
+
   server_side_encryption_configuration = {
     rule = {
       apply_server_side_encryption_by_default = {
         sse_algorithm = "AES256"
       }
     }
   }
+
+  logging = local.s3-logging.enabled ? {
+    target_bucket = local.s3-logging.create_bucket ? module.s3_logging_bucket.s3_bucket_id : local.s3-logging.custom_bucket_id
+    target_prefix = "${var.cluster-name}/${local.velero.name}/"
+  } : {}
+
   tags = local.tags
 }