From 5d8cdbf618d42380412f4899c9ffa75127ffbe00 Mon Sep 17 00:00:00 2001 From: Diego Lagos <92735530+diegolagospagopa@users.noreply.github.com> Date: Wed, 19 Jul 2023 15:04:01 +0200 Subject: [PATCH] feat: Aks 1.26 setup ex novo (#69) * rename aks * upgraded module versions * upgrated middleware * fix terraform lock * pre-commit fixs --- src/aks-platform/.terraform.lock.hcl | 130 ++++++++++---------- src/aks-platform/01_network_aks.tf | 2 +- src/aks-platform/{03_aks.tf => 02_aks.tf} | 8 +- src/aks-platform/03_monitoring.tf | 113 +++++++++++++++++ src/aks-platform/04_rbac.tf | 4 + src/aks-platform/05_ingress.tf | 8 +- src/aks-platform/05_keda.tf | 6 +- src/aks-platform/99_main.tf | 2 +- src/aks-platform/99_main.tf.ci | 2 +- src/aks-platform/99_variables.tf | 44 +++++++ src/aks-platform/README.md | 14 ++- src/aks-platform/env/dev01/terraform.tfvars | 58 ++++++++- src/aks-platform/scripts/terraform.sh | 2 +- 13 files changed, 311 insertions(+), 82 deletions(-) rename src/aks-platform/{03_aks.tf => 02_aks.tf} (95%) create mode 100644 src/aks-platform/03_monitoring.tf diff --git a/src/aks-platform/.terraform.lock.hcl b/src/aks-platform/.terraform.lock.hcl index f6d997fe..7ada47a6 100644 --- a/src/aks-platform/.terraform.lock.hcl +++ b/src/aks-platform/.terraform.lock.hcl 
@@ -2,93 +2,93 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azuread" { - version = "2.32.0" + version = "2.40.0" constraints = "> 2.10.0" hashes = [ - "h1:K3uwNf+SJV7Ie1bhYQJ44ERM5CK48GZtwgrSrWLBO5o=", - "h1:RCsaMs2+E0ov7vIq9bSUoDShaFbKRhNyliWK0GIaRU0=", - "h1:Sy8OYYyzuRrcXs+Gat/CVgJPuIuq67QnuHKygY+w8Fc=", - "h1:aiu96Ca8j2q7J6Z/S+MOuVchJ0zhvY6YO33b6LHRvIQ=", - "zh:1142c8f1e4a51467997ecbd218661b7bc365e2a46cd1c0cf2a17045d0943f73b", + "h1:dCp1/MhTXZBOhTMT40casPdBVM4J1V6sRtRPJwv8r7E=", + "h1:fH+wk3nY1D09xgcUHE66ox7JF5OEbwQbQbaxomt5GVQ=", + "h1:jtdDK7uhdbYc39Fm3nzrNCoQ/zp0boDNczn2cv9WHHQ=", + "h1:ym1nSH/bHzANaUBETxViclMpHL/28PzMXGYEg+HItNs=", "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:6733af76a0e8473d62d11fb855aa5d823ad9eee75ea0cc508b63cf0782f2b30b", - "zh:777f13db12b2820112f05e5728ad69901b2e8de9a63bfae081370c92dbc4e70b", - "zh:7c357e89acb549341dc276430ed7caf6c5f90abf282b55a90d2ed05f63f358e2", - "zh:7cc5ef7b97f9e632728b04c0f12d7f4b5c3ed123664b775d1857589ba079ebac", - "zh:9405827a7fb475629e99feefd4a11d25fee4a3e730d724d1e0090fb80cc4d85d", - "zh:a4ed113615fdc25ccb5349300f36f8eca0c490232c6dab6a45447642f8d4fea1", - "zh:e61c96da855b06eafab100941d70a65c5971d479a8812bf2d3998f6300e26095", - "zh:ea51577835d845ff4536ed1c3208d0ff54017d847d719a3e7b485ff7b7f7ba11", - "zh:ed8de8b088c6abb3bf4a47f37dd34e60c321d9f96f1b787f8ac2e9a3c8eb1e28", - "zh:fcc37e75e1a782379378a51e7a8fb5f103c1016cb5a4b186eb9c7e5f77f07008", + "zh:2bfa5dfa9b7d1fd58c3cc92251b3d140e17bca8da4cd44f6b02da51709ceeb34", + "zh:5327aa0643dbb3e4387f1a41b25211ac562be908b95631ca81917cc90530ed9a", + "zh:6365ee93a131c3f1122155890121778198ba26cf01286aa568d7343ce746f1e8", + "zh:75c01bbb0a337f0a32ae11fb9b74440b12230027d184244d417c852ee0fe56cd", + "zh:894907e8b3d31efea4597ddea7217660259950eefba1b1a47dbde1b024577e08", + "zh:a29f2d8b112803ce30ca75f390a9c05b87846d17b8ac32730fa44ed00d8fbeca", + 
"zh:a35f40210d810e65e20c8a16d1cba10867225e1f45826c29eb03860aa7d5fabd", + "zh:b8dfb7a03547cae504fb060ca794b5b7ac139e03a098e8a9612488aa4023edc1", + "zh:c73b64a52d6c8ec816c073d8113cb9eb9ba99bb78af5d67423a70a127ac92e48", + "zh:e8687d575e9bb6a94bc593dd1a9b8e0529c391e398d877dff1a8f330f2862551", + "zh:ff6e70ad6146c5e3ff1aa90471d48eba67892ced5a5bde0946d1bd16b262c78c", ] } provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.38.0" - constraints = ">= 3.30.0, >= 3.36.0, <= 3.38.0" + version = "3.64.0" + constraints = ">= 3.30.0, >= 3.64.0, <= 3.64.0" hashes = [ - "h1:Isa/rY8+4+DCatuYgmDT4TYkcp/he7RrfR6jyhrm7hQ=", - "h1:Pq4ZX7h5FM1h+NBCjReCPMy1qwaFAvJ3EY45+mObfSg=", - "h1:Wb7brdbvDPw01eMasdl8vmkPeCZLT0rbOQRAHw2N/TY=", - "h1:cRwQAznzBQsumUaPUvDHqmKLP+tM9jNL0kEngi4S3r0=", - "zh:08df48bdaf162bf3da7ac2b09147d44f94fae6f3cfd97d6cf9c45cb7c1c36a44", - "zh:220b68a3f819777872281974e6621527698575096c3a2ef78cb0aabf28665161", - "zh:25db1128a96599ffbcc7e865579bec7c009cb4e7f7731e0e30d261ab02cc38d5", - "zh:279444db11f570b837143559e5df7453bd8aeda4e22a9879a5a1a795bf6612a3", - "zh:2d506b6b865f6d5143e54e139d9a61b18bdcc8b9485d2bc7237e95a53a9c7ed9", - "zh:6ddb2cbcdf15b432508fe00ee7863f6d51a136db1746e7af03bec8ce2a09bad3", - "zh:96b664a716678923ce0f9828eaad22b5353669fa5013ea39b7b8081a77988b85", - "zh:a9ca583b219a3daba171ca11908547abb1b09453934950aacff17ae8b51d0ff0", - "zh:aa497620c82afab7819736180f0a56b76da6f3e23bd0580383fda98104b4e5c2", - "zh:ab9e9f3c35288d0bd615024f213e46d16d639c281f7d850b21971b530d08e231", - "zh:b164a0ddb30b64c35f13dad0aa9701a4e3eb24dc8165a3e794c499f1e9070b99", + "h1:cmleWBjFp4eK0iQICvCKxTxECx8nvl0MAfth9mLzT70=", + "h1:g2p1LQQy+Ih6gWzMQTmlb6v5s9iXP3EusXIwd63APg0=", + "h1:mjWPxOTzxJcw4QCRopBwO568tnfZRZPAbCIEzQj2ous=", + "h1:y6R1GCooPE9y9BpPuhqokyYJky5T8s0dOMgFsC+VL/0=", + "zh:08463ceca4208419715b5816d120fe05f2abda9bea083cfe1818e25517483581", + "zh:130760c5ab791bd114b3edbb79b95138a60cd97f1b72e4096b33a207b367d126", + 
"zh:26403fc9be70b60fddf09b1510067763b2da57cf3b116d375b5bee048acad8d2", + "zh:352c79bb75c1a0d88a686c4e22fded1114de0249aba081e34265d4b11c878fc7", + "zh:52ee37390b70e89add8b70b43c05bc90037a723a726c63440943f9bf2f064817", + "zh:79ad0c72e2b15b9412f1fdb5461dfcec6ca192ab4512e70fcbcea4585c02d71e", + "zh:7a60226f41064a95db14e64dc0250063a621df254ee41e4b3b25ccc5ce47936d", + "zh:9191136871cf2ffa4f1963a6b79d6868f911f827330234421af869df616bacd0", + "zh:a32cb5eb225ccea6d3d5e70f948dfc4b4ed442cd20ceb80ce014a3df05ab93e8", + "zh:de16cb2726016e0eb9a04599fdb81b503a96263b1805243b75b202c559051a5e", + "zh:ee636ddb5281772071f9952f75b2c7ad7f443f25c84c96e6e78d628a151ec4ac", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider "registry.terraform.io/hashicorp/helm" { - version = "2.8.0" + version = "2.7.1" constraints = ">= 2.0.0" hashes = [ - "h1:SAwW8iYsXVDhCs8UL5ElzfN6iP3q3tdObPwJiTpCkKI=", - "h1:U0w0mUT0SwZCR0poGNSxGaZJKWcOiu4GerpGztYBiMM=", - "h1:a98mBNghv9odh5PVmgdXapgyYJmO/ncAWkwLWdXLuY4=", - "h1:abRryu69lsIGXctqjMVoaKqi74eE12Vzd2FLpds1/PI=", - "zh:1e42d1a04c07d4006844e477ca32b5f45b04f6525dbbbe00b6be6e6ec5a11c54", - "zh:2f87187cb48ccfb18d12e2c4332e7e822923b659e7339b954b7db78aff91529f", - "zh:391fe49b4d2dc07bc717248a3fc6952189cfc49c596c514ad72a29c9a9f9d575", - "zh:89272048e1e63f3edc3e83dfddd5a9fd4bd2a4ead104e67de1e14319294dedf1", - "zh:a5a057c3435a854389ce8a1d98a54aaa7cbab68aca7baa436a605897aa70ff7e", - "zh:b1098e53e1a8a3afcd325ecd0328662156b3d9c3d80948f19ba3a4eb870cee2b", - "zh:b676f949e8274a2b6c3fa41f5428ea597125579c7b93bb50bb73a5e295a7a447", - "zh:cdf7e9460f28c2dbfe49a79a5022bd0d474ff18120d340738aa35456ba77ebca", - "zh:e24b59b4ed1c593facbf8051ec58550917991e2e017f3085dac5fb902d9908cb", - "zh:e3b5e1f5543cac9d9031a028f1c1be4858fb80fae69f181f21e9465e366ebfa2", - "zh:e9fddc0bcdb28503078456f0088851d45451600d229975fd9990ee92c7489a10", + "h1:11oWNeohjD8Fy9S7WQSKY3GmDZi7gVdMRp8/Wqxn410=", + "h1:L5qLTfZH7PnZt9+YnS7iYmPBEDQOpEjZiF0v50BRNi8=", + 
"h1:OGZRkgiLBWmoA8/a9xZnEs5gsC5JhW+75++MkCPQbqw=", + "h1:jIiXxDpkVLVRTuY1w6GwhWvPWbvbn4vdIkPx87rcW4U=", + "zh:13e2467092deeff01c4cfa2b54ba4510aa7a9b06c58f22c4215b0f4333858364", + "zh:4549843db4fdf5d8150e8c0734e67b54b5c3bcfc914e3221e6952f428fb984d2", + "zh:55b5f83ed52f93dd00a73c33c948326052efd700350c19e63bb1679b12bfcda6", + "zh:749397e41393289eb0ef6efd0a75911d29b8aa7f48e5d6813b4b350dad91acbd", + "zh:7a4a2c95b055f6c8e70d1fc7a4cc4fd6e4f04845be36e40d42d31dfc13db37b8", + "zh:8143e5b8218857052505c805b570889b862c618ce6cbfbddb98938ff7a5901d3", + "zh:856d94b3b34d6204d66c6de4feab4737c74dba037ad64e4c613e8eec61d17f1a", + "zh:b9b037f1edda209022df1c7fc906786970524873e27b061f3355cb9bbed2cf08", + "zh:c433b27f52a0600490af07f8b217ab0b1048ba347d68e6fe478aba18634e78d9", + "zh:da133748368c6e27b433cd7faeb7b800536c8651e7af0415452901dfc7577dbf", + "zh:eecc63c2dec8aafa2ffd7426800c3e1a5e31e848be01ea9511ad0184dce15945", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.16.1" + version = "2.22.0" hashes = [ - "h1:O23HBuu2cPnLfW/lqvMM6eAeVx7eZgjqsK+Nz/FX2Gg=", - "h1:PO4Ye/+lu5hCaUEOtwNOldQYoA0dqL1bcBICIpdlcd8=", - "h1:i+DwtJK82sIWmTcQA9lL0mlET+14/QpUqv10fU2o3As=", - "h1:kO/d+ZMZYM2tNMMFHZqBmVR0MeemoGnI2G2NSN92CrU=", - "zh:06224975f5910d41e73b35a4d5079861da2c24f9353e3ebb015fbb3b3b996b1c", - "zh:2bc400a8d9fe7755cca27c2551564a9e2609cfadc77f526ef855114ee02d446f", - "zh:3a479014187af1d0aec3a1d3d9c09551b801956fe6dd29af1186dec86712731b", - "zh:73fb0a69f1abdb02858b6589f7fab6d989a0f422f7ad95ed662aaa84872d3473", - "zh:a33852cd382cbc8e06d3f6c018b468ad809d24d912d64722e037aed1f9bf39db", - "zh:b533ff2214dca90296b1d22eace7eaa7e3efe5a7ae9da66a112094abc932db4f", - "zh:ddf74d8bb1aeb01dc2c36ef40e2b283d32b2a96db73f6daaf179fa2f10949c80", - "zh:e720f3a15d34e795fa9ff90bc755e838ebb4aef894aa2a423fb16dfa6d6b0667", - "zh:e789ae70a658800cb0a19ef7e4e9b26b5a38a92b43d1f41d64fc8bb46539cefb", - 
"zh:e8aed7dc0bd8f843d607dee5f72640dbef6835a8b1c6ea12cea5b4ec53e463f7", + "h1:DJr88+52tPK4Ft9xltF6YL+sRz8HWLP2ZOfFiKSB5Dc=", + "h1:EBi28mEwbQJXL25oZCMaPrOUvMm6fukV5hUPleKY2w0=", + "h1:N2Nta6li+07oT02gcgLzAU4goGIWNXY2zqKUV/9rLLE=", + "h1:b6Wj111/wsMNg8FrHFXrf4mCZFtSXKHx4JvbZh3YTCY=", + "zh:1eac662b1f238042b2068401e510f0624efaf51fd6a4dd9c49d710a49d383b61", + "zh:4c35651603493437b0b13e070148a330c034ac62c8967c2de9da6620b26adca4", + "zh:50c0e8654efb46e3a3666c638ca2e0c8aec07f985fbc80f9205bed960386dc9b", + "zh:5f65194ddd6ea7e89b378297d882083a4b84962edb35dd35752f0c7e9d6282a0", + "zh:6fc0c2d65864324edde4db84f528268065df58229fc3ee321626687b0e603637", + "zh:73c58d007aba7f67c0aa9029794e10c2517bec565b7cb57d0f5948ea3f30e407", + "zh:7d6fc9d3c1843baccd2e1fc56317925a2f9df372427d30fcb5052d123adc887a", + "zh:a0ad9eb863b51586ea306c5f2beef74476c96684aed41a3ee99eb4b6d8898d01", + "zh:e218fcfbf4994ff741408a023a9d9eb6c697ce9f63ce5540d3b35226d86c963e", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fb3ac4f43c8b0dfc0b0103dd0f062ea72b3a34518d4c8808e3a44c9a3dd5f024", + "zh:f95625f317795f0e38cc6293dd31c85863f4e225209d07d1e233c50d9295083c", + "zh:f96e0923a632bc430267fe915794972be873887f5e761ed11451d67202e256c8", ] } diff --git a/src/aks-platform/01_network_aks.tf b/src/aks-platform/01_network_aks.tf index 41b6aeeb..6673982a 100644 --- a/src/aks-platform/01_network_aks.tf +++ b/src/aks-platform/01_network_aks.tf @@ -1,6 +1,6 @@ # k8s cluster subnet module "snet_aks" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v6.20.1" name = "${local.project}-aks-snet" diff --git a/src/aks-platform/03_aks.tf b/src/aks-platform/02_aks.tf similarity index 95% rename from src/aks-platform/03_aks.tf rename to src/aks-platform/02_aks.tf index 3188c9c6..b804a254 100644 --- a/src/aks-platform/03_aks.tf +++ b/src/aks-platform/02_aks.tf 
@@ -5,7 +5,7 @@ resource "azurerm_resource_group" "rg_aks" {
 }
 module "aks" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster?ref=v4.1.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster?ref=v6.20.1"
 count = var.aks_enabled ? 1 : 0
@@ -96,6 +96,12 @@ module "aks" {
 ]
 }
+resource "azurerm_role_assignment" "managed_identity_operator_vs_aks_managed_identity" {
+ scope = azurerm_resource_group.rg_aks.id
+ role_definition_name = "Managed Identity Operator"
+ principal_id = module.aks[0].identity_principal_id
+}
+
 #
 # ACR connection
 #
diff --git a/src/aks-platform/03_monitoring.tf b/src/aks-platform/03_monitoring.tf
new file mode 100644
index 00000000..1e24ef92
--- /dev/null
+++ b/src/aks-platform/03_monitoring.tf
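Review bot: `azurerm_role_assignment.managed_identity_operator_vs_aks_managed_identity` reads `module.aks[0]` without the `count = var.aks_enabled ? 1 : 0` guard the module itself carries, so a plan with `aks_enabled = false` fails on an invalid index instead of skipping the assignment; add `count = var.aks_enabled ? 1 : 0` to the new resource and keep the `module.aks[0]` reference. The grant is also broader than it needs to be: "Managed Identity Operator" on the whole of `rg_aks` lets the cluster identity attach any user-assigned identity that exists or is later created in that group, not only the pod identities it is meant to use, so prefer one assignment per consumer identity scoped to that identity's id, or record why group scope is required. Which identity `identity_principal_id` returns (control plane vs kubelet) is decided inside the upstream module and is not visible here; a one-line comment such as `# Lets the AKS cluster identity assign pod identities in this RG (needed by AAD pod identity) — confirm which identity the module exposes` would capture the intent.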
@@ -0,0 +1,113 @@ +resource "kubernetes_namespace" "monitoring" { + metadata { + name = "monitoring" + } +} + +resource "helm_release" "prometheus" { + name = "prometheus" + repository = "https://prometheus-community.github.io/helm-charts" + chart = "prometheus" + version = var.prometheus_helm.chart_version + namespace = kubernetes_namespace.monitoring.metadata[0].name + + set { + name = "server.global.scrape_interval" + value = "30s" + } + set { + name = "alertmanager.image.repository" + value = var.prometheus_helm.alertmanager.image_name + } + set { + name = "alertmanager.image.tag" + value = var.prometheus_helm.alertmanager.image_tag + } + set { + name = "alertmanager.configmapReload.prometheus.image.repository" + value = var.prometheus_helm.configmap_reload_prometheus.image_name + } + set { + name = "alertmanager.configmapReload.prometheus.image.tag" + value = var.prometheus_helm.configmap_reload_prometheus.image_tag + } + set { + name = "alertmanager.configmapReload.alertmanager.image.repository" + value = var.prometheus_helm.configmap_reload_alertmanager.image_name + } + set { + name = "alertmanager.configmapReload.alertmanager.image.tag" + value = var.prometheus_helm.configmap_reload_alertmanager.image_tag + } + set { + name = "alertmanager.nodeExporter.image.repository" + value = var.prometheus_helm.node_exporter.image_name + } + set { + name = "alertmanager.nodeExporter.image.tag" + value = var.prometheus_helm.node_exporter.image_tag + } + set { + name = "alertmanager.nodeExporter.image.repository" + value = var.prometheus_helm.node_exporter.image_name + } + set { + name = "alertmanager.nodeExporter.image.tag" + value = var.prometheus_helm.node_exporter.image_tag + } + set { + name = "alertmanager.server.image.repository" + value = var.prometheus_helm.server.image_name + } + set { + name = "alertmanager.server.image.tag" + value = var.prometheus_helm.server.image_tag + } + set { + name = "alertmanager.pushgateway.image.repository" + value = 
var.prometheus_helm.pushgateway.image_name + } + set { + name = "alertmanager.pushgateway.image.tag" + value = var.prometheus_helm.pushgateway.image_tag + } +} + +# resource "helm_release" "grafana" { +# name = "grafana" +# repository = "https://grafana.github.io/helm-charts" +# chart = "grafana" +# version = var.grafana_helm_version +# namespace = kubernetes_namespace.monitoring.metadata[0].name + +# set { +# name = "adminUser" +# value = data.azurerm_key_vault_secret.grafana_admin_username.value +# } + +# set { +# name = "adminPassword" +# value = data.azurerm_key_vault_secret.grafana_admin_password.value +# } +# } + +resource "helm_release" "monitoring_reloader" { + name = "reloader" + repository = "https://stakater.github.io/stakater-charts" + chart = "reloader" + version = var.reloader_helm.chart_version + namespace = kubernetes_namespace.monitoring.metadata[0].name + + set { + name = "reloader.watchGlobally" + value = "false" + } + set { + name = "reloader.deployment.image.name" + value = var.reloader_helm.image_name + } + set { + name = "reloader.deployment.image.tag" + value = var.reloader_helm.image_tag + } +} diff --git a/src/aks-platform/04_rbac.tf b/src/aks-platform/04_rbac.tf index 592d6554..6f41e51a 100644 --- a/src/aks-platform/04_rbac.tf +++ b/src/aks-platform/04_rbac.tf @@ -207,6 +207,10 @@ resource "kubernetes_cluster_role_binding" "edit_binding" { name = data.azuread_group.adgroup_developers.object_id namespace = "kube-system" } + + depends_on = [ + module.aks + ] } resource "kubernetes_cluster_role_binding" "view_binding" { diff --git a/src/aks-platform/05_ingress.tf b/src/aks-platform/05_ingress.tf index faea08cd..48441302 100644 --- a/src/aks-platform/05_ingress.tf +++ b/src/aks-platform/05_ingress.tf 
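Review bot: Only the two `alertmanager.image.*` pins can take effect in `helm_release.prometheus`: every other `set` key is nested under `alertmanager.` (`alertmanager.server.image.repository`, `alertmanager.nodeExporter.image.tag`, `alertmanager.configmapReload.prometheus.image.*`, `alertmanager.pushgateway.image.*`), whereas in the prometheus-community chart of the 15.x line pinned by `chart_version` those are top-level values (`server.image.*`, `nodeExporter.image.*`, `configmapReload.prometheus.image.*`, `configmapReload.alertmanager.image.*`, `pushgateway.image.*`). Helm merges unknown keys without complaint, so the chart defaults get deployed and the images listed in `prometheus_helm` are silently not the ones running — the pinning this variable exists for is a no-op for five of the six components; confirm against the chart's values.yaml before relying on it. The two `alertmanager.nodeExporter.image.*` pairs are also exact duplicates and one copy should go. The `set` blocks below drop the `alertmanager.` prefix where it does not belong and remove the duplicate pair.
```hcl
  # … unchanged: name/repository/chart/version/namespace, server.global.scrape_interval, alertmanager.image.* …
  # These are top-level chart values in prometheus 15.x, not children of alertmanager.*
  set {
    name  = "configmapReload.prometheus.image.repository"
    value = var.prometheus_helm.configmap_reload_prometheus.image_name
  }
  set {
    name  = "configmapReload.prometheus.image.tag"
    value = var.prometheus_helm.configmap_reload_prometheus.image_tag
  }
  set {
    name  = "configmapReload.alertmanager.image.repository"
    value = var.prometheus_helm.configmap_reload_alertmanager.image_name
  }
  set {
    name  = "configmapReload.alertmanager.image.tag"
    value = var.prometheus_helm.configmap_reload_alertmanager.image_tag
  }
  set {
    name  = "nodeExporter.image.repository"
    value = var.prometheus_helm.node_exporter.image_name
  }
  set {
    name  = "nodeExporter.image.tag"
    value = var.prometheus_helm.node_exporter.image_tag
  }
  set {
    name  = "server.image.repository"
    value = var.prometheus_helm.server.image_name
  }
  set {
    name  = "server.image.tag"
    value = var.prometheus_helm.server.image_tag
  }
  set {
    name  = "pushgateway.image.repository"
    value = var.prometheus_helm.pushgateway.image_name
  }
  set {
    name  = "pushgateway.image.tag"
    value = var.prometheus_helm.pushgateway.image_tag
  }
```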
@@ -33,10 +33,6 @@ module "nginx_ingress" { name = "controller.replicaCount" value = var.ingress_replica_count }, - { - name = "controller.service.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-health-probe-request-path" - value = "/healthz" - }, { name = "controller.nodeSelector.beta\\.kubernetes\\.io/os" value = "linux" @@ -48,6 +44,10 @@ module "nginx_ingress" { { name = "controller.admissionWebhooks.patch.nodeSelector.beta\\.kubernetes\\.io/os" value = "linux" + }, + { + name = "controller.service.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-health-probe-request-path" + value = "/healthz" } ] diff --git a/src/aks-platform/05_keda.tf b/src/aks-platform/05_keda.tf index a3718b13..c0a1f7c8 100644 --- a/src/aks-platform/05_keda.tf +++ b/src/aks-platform/05_keda.tf @@ -13,7 +13,7 @@ locals { } module "keda_pod_identity" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v4.1.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v6.20.1" resource_group_name = azurerm_resource_group.rg_aks.name location = var.location @@ -33,6 +33,10 @@ resource "azurerm_role_assignment" "keda_monitoring_reader" { scope = data.azurerm_subscription.current.id role_definition_name = "Monitoring Reader" principal_id = module.keda_pod_identity.identity.principal_id + + depends_on = [ + module.aks + ] } resource "helm_release" "keda" { diff --git a/src/aks-platform/99_main.tf b/src/aks-platform/99_main.tf index 36eaa837..754d3a9b 100644 --- a/src/aks-platform/99_main.tf +++ b/src/aks-platform/99_main.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 3.36.0" + version = ">= 3.64.0" } azuread = { source = "hashicorp/azuread" diff --git a/src/aks-platform/99_main.tf.ci b/src/aks-platform/99_main.tf.ci index be975b4f..5249a96e 100644 --- a/src/aks-platform/99_main.tf.ci +++ b/src/aks-platform/99_main.tf.ci 
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = ">= 3.36.0"
+ version = ">= 3.64.0"
 }
 azuread = {
 source = "hashicorp/azuread"
diff --git a/src/aks-platform/99_variables.tf b/src/aks-platform/99_variables.tf
index 882b6371..5f7131cb 100644
--- a/src/aks-platform/99_variables.tf
+++ b/src/aks-platform/99_variables.tf
@@ -515,3 +515,47 @@ variable "nginx_helm_version" {
 variable "keda_helm_version" {
 type = string
 }
+
+variable "reloader_helm" {
+ type = object({
+ chart_version = string,
+ image_name = string,
+ image_tag = string
+ })
+ description = "reloader helm chart configuration"
+}
+
+variable "prometheus_helm" {
+ type = object({
+ chart_version = string,
+ alertmanager = object({
+ image_name = string,
+ image_tag = string,
+ }),
+ configmap_reload_prometheus = object({
+ image_name = string,
+ image_tag = string,
+ }),
+ configmap_reload_alertmanager = object({
+ image_name = string,
+ image_tag = string,
+ }),
+ configmap_reload_prometheus = object({
+ image_name = string,
+ image_tag = string,
+ }),
+ node_exporter = object({
+ image_name = string,
+ image_tag = string,
+ }),
+ server = object({
+ image_name = string,
+ image_tag = string,
+ }),
+ pushgateway = object({
+ image_name = string,
+ image_tag = string,
+ }),
+ })
+ description = "prometheus helm chart configuration"
+}
diff --git a/src/aks-platform/README.md b/src/aks-platform/README.md
index 41d0d6f4..12cbb544 100644
--- a/src/aks-platform/README.md
+++ b/src/aks-platform/README.md
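Review bot: `configmap_reload_prometheus` is declared twice inside the `prometheus_helm` object type constraint (once right after `alertmanager`, again after `configmap_reload_alertmanager`); delete the second block, since Terraform may reject a duplicate attribute name in `object({...})` and, where it does not, the two copies will drift apart on the next edit. These two variables are the single place the monitoring and reloader images are chosen, so the `description` should say what is expected of `image_tag`, e.g. `description = "prometheus helm chart configuration; image_tag values should be immutable (tag plus @sha256 digest)"`, and a `validation` block checking each tag with `can(regex("@sha256:", ...))` would enforce it once the tfvars carry digests. The terraform-docs table in the README hunk of this commit repeats the duplicate and needs regenerating after the fix.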
@@ -30,16 +30,16 @@ Re-enable all the resource, commented before to complete the procedure |------|---------| | [terraform](#requirement\_terraform) | >=1.3.0 | | [azuread](#requirement\_azuread) | > 2.10.0 | -| [azurerm](#requirement\_azurerm) | >= 3.36.0 | +| [azurerm](#requirement\_azurerm) | >= 3.64.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [aks](#module\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster | v4.1.0 | -| [keda\_pod\_identity](#module\_keda\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v4.1.0 | +| [aks](#module\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster | v6.20.1 | +| [keda\_pod\_identity](#module\_keda\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v6.20.1 | | [nginx\_ingress](#module\_nginx\_ingress) | terraform-module/release/helm | 2.7.0 | -| [snet\_aks](#module\_snet\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.0 | +| [snet\_aks](#module\_snet\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v6.20.1 | ## Resources 
@@ -48,7 +48,10 @@ Re-enable all the resource, commented before to complete the procedure | [azurerm_resource_group.rg_aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_role_assignment.aks_to_acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | [azurerm_role_assignment.keda_monitoring_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.managed_identity_operator_vs_aks_managed_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.monitoring_reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.prometheus](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_cluster_role.cluster_deployer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.edit_extra](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.system_cluster_deployer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | 
@@ -59,6 +62,7 @@ Re-enable all the resource, commented before to complete the procedure | [kubernetes_cluster_role_binding.view_extra_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource | | [kubernetes_namespace.ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [null_resource.create_vnet_core_aks_link](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | @@ -119,7 +123,9 @@ Re-enable all the resource, commented before to complete the procedure | [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no | | [nginx\_helm\_version](#input\_nginx\_helm\_version) | NGINX helm verison | `string` | n/a | yes | | [prefix](#input\_prefix) | n/a | `string` | `"cstar"` | no | +| [prometheus\_helm](#input\_prometheus\_helm) | prometheus helm chart configuration |
object({
chart_version = string,
alertmanager = object({
image_name = string,
image_tag = string,
}),
configmap_reload_prometheus = object({
image_name = string,
image_tag = string,
}),
configmap_reload_alertmanager = object({
image_name = string,
image_tag = string,
}),
configmap_reload_prometheus = object({
image_name = string,
image_tag = string,
}),
node_exporter = object({
image_name = string,
image_tag = string,
}),
server = object({
image_name = string,
image_tag = string,
}),
pushgateway = object({
image_name = string,
image_tag = string,
}),
})
| n/a | yes | | [public\_ip\_aksoutbound\_name](#input\_public\_ip\_aksoutbound\_name) | Public IP AKS outbound | `string` | n/a | yes | +| [reloader\_helm](#input\_reloader\_helm) | reloader helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | | [rg\_vnet\_aks\_name](#input\_rg\_vnet\_aks\_name) | Resource group dedicated to VNet AKS | `string` | n/a | yes | | [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | | [vnet\_aks\_name](#input\_vnet\_aks\_name) | VNet dedicated to AKS | `string` | n/a | yes | diff --git a/src/aks-platform/env/dev01/terraform.tfvars b/src/aks-platform/env/dev01/terraform.tfvars index b14dbf08..fce70726 100644 --- a/src/aks-platform/env/dev01/terraform.tfvars +++ b/src/aks-platform/env/dev01/terraform.tfvars 
@@ -99,8 +99,60 @@ aks_addons = { pod_identity_enabled = true, } -ingress_replica_count = "2" +ingress_replica_count = "1" # This is the k8s ingress controller ip. It must be in the aks subnet range. ingress_load_balancer_ip = "10.11.100.250" -nginx_helm_version = "4.1.0" -keda_helm_version = "2.6.2" +nginx_helm_version = "4.7.1" +keda_helm_version = "2.11.1" + +# chart releases: https://github.com/stakater/Reloader/releases +# image tags: https://hub.docker.com/r/stakater/reloader/tags +reloader_helm = { + chart_version = "v1.0.30" + image_name = "stakater/reloader" + image_tag = "v1.0.30" +} + +# chart releases: https://github.com/prometheus-community/helm-charts/releases?q=tag%3Aprometheus-15&expanded=true +# quay.io/prometheus/alertmanager image tags: https://quay.io/repository/prometheus/alertmanager?tab=tags +# jimmidyson/configmap-reload image tags: https://hub.docker.com/r/jimmidyson/configmap-reload/tags +# quay.io/prometheus/node-exporter image tags: https://quay.io/repository/prometheus/node-exporter?tab=tags +# quay.io/prometheus/prometheus image tags: https://quay.io/repository/prometheus/prometheus?tab=tags +# prom/pushgateway image tags:https://hub.docker.com/r/prom/pushgateway/tags +prometheus_helm = { + chart_version = "15.18.0" + alertmanager = { + image_name = "quay.io/prometheus/alertmanager" + image_tag = "v0.25.0" + } + configmap_reload_prometheus = { + image_name = "jimmidyson/configmap-reload" + image_tag = "v0.9.0" + } + configmap_reload_alertmanager = { + image_name = "jimmidyson/configmap-reload" + image_tag = "v0.9.0" + } + node_exporter = { + image_name = "quay.io/prometheus/node-exporter" + image_tag = "v1.6.1" + } + server = { + image_name = "quay.io/prometheus/prometheus" + image_tag = "v2.45.0" + } + pushgateway = { + image_name = "prom/pushgateway" + image_tag = "v1.6.0" + } +} + +# chart releases: https://github.com/pagopa/aks-microservice-chart-blueprint/releases +# image tags: https://github.com/pagopa/infra-ssl-check/releases 
+tls_cert_check_helm = {
+ chart_version = "1.21.0"
+ image_name = "ghcr.io/pagopa/infra-ssl-check"
+ image_tag = "v1.2.2@sha256:22f4b53177cc8891bf10cbd0deb39f60e1cd12877021c3048a01e7738f63e0f9"
+}
+
+tls_checker_https_endpoints_to_check = []
diff --git a/src/aks-platform/scripts/terraform.sh b/src/aks-platform/scripts/terraform.sh
index 3d3b93a9..b1cfd9d6 100755
--- a/src/aks-platform/scripts/terraform.sh
+++ b/src/aks-platform/scripts/terraform.sh
@@ -26,7 +26,7 @@ function download_tool() {
 return 1
 else
 chmod +x $tool
- echo "${tool} downloaded! Please note this tool WON'T be copied in your **/bin folder for safety reasons.
+ echo "${tool} downloaded! Please note this tool WON'T be copied in your **/bin folder for safety reasons.
 You need to do it yourself!"
 read -p "Press enter to continue"
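Review bot: `tls_cert_check_helm` and `tls_checker_https_endpoints_to_check` are assigned at the end of the `env/dev01/terraform.tfvars` hunk, but this commit adds no matching `variable` blocks to `99_variables.tf` (only `reloader_helm` and `prometheus_helm`), so unless they are declared in a file outside this diff Terraform merely warns about undeclared variables and the values — including the only digest-pinned image in the file — are ignored; declare them or drop them from the tfvars. The remaining images are pinned by mutable tag only, and `jimmidyson/configmap-reload`, `prom/pushgateway` and `stakater/reloader` resolve to Docker Hub (the first under a personal namespace), whereas `infra-ssl-check` already shows the safer form; use the same `tag@sha256:<digest>` form for each, e.g. `image_tag = "v0.9.0@sha256:<digest taken from the registry>"`, or serve them from the ACR that `02_aks.tf` appears to connect the cluster to. Lowering `ingress_replica_count` from `"2"` to `"1"` leaves a single ingress controller pod, so any node drain takes ingress down; fine for dev01 if intentional, but a one-line comment next to it would say so.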