Merge remote-tracking branch 'origin/main' into diego-app-on-aks-1-26

pagopa · Jul 21, 2023 · 1754dc9 · 1754dc9
2 parents ecf31eb + 5d8cdbf
commit 1754dc9
Show file tree

Hide file tree

Showing 12 changed files with 277 additions and 33 deletions.
diff --git a/src/aks-platform/.terraform.lock.hcl b/src/aks-platform/.terraform.lock.hcl
diff --git a/src/aks-platform/01_network_aks.tf b/src/aks-platform/01_network_aks.tf
@@ -1,6 +1,6 @@
 # k8s cluster subnet
 module "snet_aks" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.0"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v6.20.1"
 
   name = "${local.project}-aks-snet"
 

diff --git a/src/aks-platform/03_aks.tf → src/aks-platform/02_aks.tf b/src/aks-platform/03_aks.tf → src/aks-platform/02_aks.tf
@@ -5,7 +5,7 @@ resource "azurerm_resource_group" "rg_aks" {
 }
 
 module "aks" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster?ref=v4.1.0"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster?ref=v6.20.1"
 
   count = var.aks_enabled ? 1 : 0
 
@@ -96,6 +96,12 @@ module "aks" {
   ]
 }
 
+resource "azurerm_role_assignment" "managed_identity_operator_vs_aks_managed_identity" {
+  scope                = azurerm_resource_group.rg_aks.id
+  role_definition_name = "Managed Identity Operator"
+  principal_id         = module.aks[0].identity_principal_id
+}
+
 #
 # ACR connection
 #

diff --git a/src/aks-platform/03_monitoring.tf b/src/aks-platform/03_monitoring.tf
@@ -0,0 +1,113 @@
+resource "kubernetes_namespace" "monitoring" {
+  metadata {
+    name = "monitoring"
+  }
+}
+
+resource "helm_release" "prometheus" {
+  name       = "prometheus"
+  repository = "https://prometheus-community.github.io/helm-charts"
+  chart      = "prometheus"
+  version    = var.prometheus_helm.chart_version
+  namespace  = kubernetes_namespace.monitoring.metadata[0].name
+
+  set {
+    name  = "server.global.scrape_interval"
+    value = "30s"
+  }
+  set {
+    name  = "alertmanager.image.repository"
+    value = var.prometheus_helm.alertmanager.image_name
+  }
+  set {
+    name  = "alertmanager.image.tag"
+    value = var.prometheus_helm.alertmanager.image_tag
+  }
+  set {
+    name  = "alertmanager.configmapReload.prometheus.image.repository"
+    value = var.prometheus_helm.configmap_reload_prometheus.image_name
+  }
+  set {
+    name  = "alertmanager.configmapReload.prometheus.image.tag"
+    value = var.prometheus_helm.configmap_reload_prometheus.image_tag
+  }
+  set {
+    name  = "alertmanager.configmapReload.alertmanager.image.repository"
+    value = var.prometheus_helm.configmap_reload_alertmanager.image_name
+  }
+  set {
+    name  = "alertmanager.configmapReload.alertmanager.image.tag"
+    value = var.prometheus_helm.configmap_reload_alertmanager.image_tag
+  }
+  set {
+    name  = "alertmanager.nodeExporter.image.repository"
+    value = var.prometheus_helm.node_exporter.image_name
+  }
+  set {
+    name  = "alertmanager.nodeExporter.image.tag"
+    value = var.prometheus_helm.node_exporter.image_tag
+  }
+  set {
+    name  = "alertmanager.nodeExporter.image.repository"
+    value = var.prometheus_helm.node_exporter.image_name
+  }
+  set {
+    name  = "alertmanager.nodeExporter.image.tag"
+    value = var.prometheus_helm.node_exporter.image_tag
+  }
+  set {
+    name  = "alertmanager.server.image.repository"
+    value = var.prometheus_helm.server.image_name
+  }
+  set {
+    name  = "alertmanager.server.image.tag"
+    value = var.prometheus_helm.server.image_tag
+  }
+  set {
+    name  = "alertmanager.pushgateway.image.repository"
+    value = var.prometheus_helm.pushgateway.image_name
+  }
+  set {
+    name  = "alertmanager.pushgateway.image.tag"
+    value = var.prometheus_helm.pushgateway.image_tag
+  }
+}
+
+# resource "helm_release" "grafana" {
+#   name       = "grafana"
+#   repository = "https://grafana.github.io/helm-charts"
+#   chart      = "grafana"
+#   version    = var.grafana_helm_version
+#   namespace  = kubernetes_namespace.monitoring.metadata[0].name
+
+#   set {
+#     name  = "adminUser"
+#     value = data.azurerm_key_vault_secret.grafana_admin_username.value
+#   }
+
+#   set {
+#     name  = "adminPassword"
+#     value = data.azurerm_key_vault_secret.grafana_admin_password.value
+#   }
+# }
+
+resource "helm_release" "monitoring_reloader" {
+  name       = "reloader"
+  repository = "https://stakater.github.io/stakater-charts"
+  chart      = "reloader"
+  version    = var.reloader_helm.chart_version
+  namespace  = kubernetes_namespace.monitoring.metadata[0].name
+
+  set {
+    name  = "reloader.watchGlobally"
+    value = "false"
+  }
+  set {
+    name  = "reloader.deployment.image.name"
+    value = var.reloader_helm.image_name
+  }
+  set {
+    name  = "reloader.deployment.image.tag"
+    value = var.reloader_helm.image_tag
+  }
+}
diff --git a/src/aks-platform/04_rbac.tf b/src/aks-platform/04_rbac.tf
@@ -207,6 +207,10 @@ resource "kubernetes_cluster_role_binding" "edit_binding" {
     name      = data.azuread_group.adgroup_developers.object_id
     namespace = "kube-system"
   }
+
+  depends_on = [
+    module.aks
+  ]
 }
 
 resource "kubernetes_cluster_role_binding" "view_binding" {

diff --git a/src/aks-platform/05_ingress.tf b/src/aks-platform/05_ingress.tf
@@ -33,10 +33,6 @@ module "nginx_ingress" {
       name  = "controller.replicaCount"
       value = var.ingress_replica_count
     },
-    {
-      name  = "controller.service.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-health-probe-request-path"
-      value = "/healthz"
-    },
     {
       name  = "controller.nodeSelector.beta\\.kubernetes\\.io/os"
       value = "linux"
@@ -48,6 +44,10 @@ module "nginx_ingress" {
     {
       name  = "controller.admissionWebhooks.patch.nodeSelector.beta\\.kubernetes\\.io/os"
       value = "linux"
+    },
+    {
+      name  = "controller.service.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-health-probe-request-path"
+      value = "/healthz"
     }
   ]
 

diff --git a/src/aks-platform/05_keda.tf b/src/aks-platform/05_keda.tf
@@ -13,7 +13,7 @@ locals {
 }
 
 module "keda_pod_identity" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v4.1.0"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v6.20.1"
 
   resource_group_name = azurerm_resource_group.rg_aks.name
   location            = var.location
@@ -33,6 +33,10 @@ resource "azurerm_role_assignment" "keda_monitoring_reader" {
   scope                = data.azurerm_subscription.current.id
   role_definition_name = "Monitoring Reader"
   principal_id         = module.keda_pod_identity.identity.principal_id
+
+  depends_on = [
+    module.aks
+  ]
 }
 
 resource "helm_release" "keda" {

diff --git a/src/aks-platform/99_main.tf b/src/aks-platform/99_main.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.36.0"
+      version = ">= 3.64.0"
     }
     azuread = {
       source  = "hashicorp/azuread"

diff --git a/src/aks-platform/99_main.tf.ci b/src/aks-platform/99_main.tf.ci
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.36.0"
+      version = ">= 3.64.0"
     }
     azuread = {
       source  = "hashicorp/azuread"

diff --git a/src/aks-platform/99_variables.tf b/src/aks-platform/99_variables.tf
@@ -515,3 +515,47 @@ variable "nginx_helm_version" {
 variable "keda_helm_version" {
   type = string
 }
+
+variable "reloader_helm" {
+  type = object({
+    chart_version = string,
+    image_name    = string,
+    image_tag     = string
+  })
+  description = "reloader helm chart configuration"
+}
+
+variable "prometheus_helm" {
+  type = object({
+    chart_version = string,
+    alertmanager = object({
+      image_name = string,
+      image_tag  = string,
+    }),
+    configmap_reload_prometheus = object({
+      image_name = string,
+      image_tag  = string,
+    }),
+    configmap_reload_alertmanager = object({
+      image_name = string,
+      image_tag  = string,
+    }),
+    configmap_reload_prometheus = object({
+      image_name = string,
+      image_tag  = string,
+    }),
+    node_exporter = object({
+      image_name = string,
+      image_tag  = string,
+    }),
+    server = object({
+      image_name = string,
+      image_tag  = string,
+    }),
+    pushgateway = object({
+      image_name = string,
+      image_tag  = string,
+    }),
+  })
+  description = "prometheus helm chart configuration"
+}
diff --git a/src/aks-platform/README.md b/src/aks-platform/README.md
@@ -30,16 +30,16 @@ Re-enable all the resource, commented before to complete the procedure
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.3.0 |
 | <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | > 2.10.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.36.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.64.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_aks"></a> [aks](#module\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster | v4.1.0 |
-| <a name="module_keda_pod_identity"></a> [keda\_pod\_identity](#module\_keda\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v4.1.0 |
+| <a name="module_aks"></a> [aks](#module\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster | v6.20.1 |
+| <a name="module_keda_pod_identity"></a> [keda\_pod\_identity](#module\_keda\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v6.20.1 |
 | <a name="module_nginx_ingress"></a> [nginx\_ingress](#module\_nginx\_ingress) | terraform-module/release/helm | 2.7.0 |
-| <a name="module_snet_aks"></a> [snet\_aks](#module\_snet\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.0 |
+| <a name="module_snet_aks"></a> [snet\_aks](#module\_snet\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v6.20.1 |
 
 ## Resources
 
@@ -48,7 +48,10 @@ Re-enable all the resource, commented before to complete the procedure
 | [azurerm_resource_group.rg_aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_role_assignment.aks_to_acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.keda_monitoring_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.managed_identity_operator_vs_aks_managed_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.monitoring_reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.prometheus](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_cluster_role.cluster_deployer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
 | [kubernetes_cluster_role.edit_extra](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
 | [kubernetes_cluster_role.system_cluster_deployer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
@@ -59,6 +62,7 @@ Re-enable all the resource, commented before to complete the procedure
 | [kubernetes_cluster_role_binding.view_extra_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
 | [kubernetes_namespace.ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [null_resource.create_vnet_core_aks_link](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
@@ -119,7 +123,9 @@ Re-enable all the resource, commented before to complete the procedure
 | <a name="input_lock_enable"></a> [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no |
 | <a name="input_nginx_helm_version"></a> [nginx\_helm\_version](#input\_nginx\_helm\_version) | NGINX helm verison | `string` | n/a | yes |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | n/a | `string` | `"cstar"` | no |
+| <a name="input_prometheus_helm"></a> [prometheus\_helm](#input\_prometheus\_helm) | prometheus helm chart configuration | <pre>object({<br>    chart_version = string,<br>    alertmanager = object({<br>      image_name = string,<br>      image_tag  = string,<br>    }),<br>    configmap_reload_prometheus = object({<br>      image_name = string,<br>      image_tag  = string,<br>    }),<br>    configmap_reload_alertmanager = object({<br>      image_name = string,<br>      image_tag  = string,<br>    }),<br>    configmap_reload_prometheus = object({<br>      image_name = string,<br>      image_tag  = string,<br>    }),<br>    node_exporter = object({<br>      image_name = string,<br>      image_tag  = string,<br>    }),<br>    server = object({<br>      image_name = string,<br>      image_tag  = string,<br>    }),<br>    pushgateway = object({<br>      image_name = string,<br>      image_tag  = string,<br>    }),<br>  })</pre> | n/a | yes |
 | <a name="input_public_ip_aksoutbound_name"></a> [public\_ip\_aksoutbound\_name](#input\_public\_ip\_aksoutbound\_name) | Public IP AKS outbound | `string` | n/a | yes |
+| <a name="input_reloader_helm"></a> [reloader\_helm](#input\_reloader\_helm) | reloader helm chart configuration | <pre>object({<br>    chart_version = string,<br>    image_name    = string,<br>    image_tag     = string<br>  })</pre> | n/a | yes |
 | <a name="input_rg_vnet_aks_name"></a> [rg\_vnet\_aks\_name](#input\_rg\_vnet\_aks\_name) | Resource group dedicated to VNet AKS | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(any)` | <pre>{<br>  "CreatedBy": "Terraform"<br>}</pre> | no |
 | <a name="input_vnet_aks_name"></a> [vnet\_aks\_name](#input\_vnet\_aks\_name) | VNet dedicated to AKS | `string` | n/a | yes |