feat: Aks 1.26 setup ex novo (#69)

* rename aks * upgraded module versions * upgrated middleware * fix terraform lock * pre-commit fixs
pagopa · Jul 19, 2023 · 5d8cdbf · 5d8cdbf
1 parent 3130ae3
commit 5d8cdbf
Show file tree

Hide file tree

Showing 13 changed files with 311 additions and 82 deletions.
diff --git a/src/aks-platform/.terraform.lock.hcl b/src/aks-platform/.terraform.lock.hcl
diff --git a/src/aks-platform/01_network_aks.tf b/src/aks-platform/01_network_aks.tf
@@ -1,6 +1,6 @@
 # k8s cluster subnet
 module "snet_aks" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.0"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v6.20.1"
 
   name = "${local.project}-aks-snet"
 

diff --git a/src/aks-platform/03_aks.tf → src/aks-platform/02_aks.tf b/src/aks-platform/03_aks.tf → src/aks-platform/02_aks.tf
@@ -5,7 +5,7 @@ resource "azurerm_resource_group" "rg_aks" {
 }
 
 module "aks" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster?ref=v4.1.0"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster?ref=v6.20.1"
 
   count = var.aks_enabled ? 1 : 0
 
@@ -96,6 +96,12 @@ module "aks" {
   ]
 }
 
+resource "azurerm_role_assignment" "managed_identity_operator_vs_aks_managed_identity" {
+  scope                = azurerm_resource_group.rg_aks.id
+  role_definition_name = "Managed Identity Operator"
+  principal_id         = module.aks[0].identity_principal_id
+}
+
 #
 # ACR connection
 #

diff --git a/src/aks-platform/03_monitoring.tf b/src/aks-platform/03_monitoring.tf
@@ -0,0 +1,113 @@
+resource "kubernetes_namespace" "monitoring" {
+  metadata {
+    name = "monitoring"
+  }
+}
+
+resource "helm_release" "prometheus" {
+  name       = "prometheus"
+  repository = "https://prometheus-community.github.io/helm-charts"
+  chart      = "prometheus"
+  version    = var.prometheus_helm.chart_version
+  namespace  = kubernetes_namespace.monitoring.metadata[0].name
+
+  set {
+    name  = "server.global.scrape_interval"
+    value = "30s"
+  }
+  set {
+    name  = "alertmanager.image.repository"
+    value = var.prometheus_helm.alertmanager.image_name
+  }
+  set {
+    name  = "alertmanager.image.tag"
+    value = var.prometheus_helm.alertmanager.image_tag
+  }
+  set {
+    name  = "alertmanager.configmapReload.prometheus.image.repository"
+    value = var.prometheus_helm.configmap_reload_prometheus.image_name
+  }
+  set {
+    name  = "alertmanager.configmapReload.prometheus.image.tag"
+    value = var.prometheus_helm.configmap_reload_prometheus.image_tag
+  }
+  set {
+    name  = "alertmanager.configmapReload.alertmanager.image.repository"
+    value = var.prometheus_helm.configmap_reload_alertmanager.image_name
+  }
+  set {
+    name  = "alertmanager.configmapReload.alertmanager.image.tag"
+    value = var.prometheus_helm.configmap_reload_alertmanager.image_tag
+  }
+  set {
+    name  = "alertmanager.nodeExporter.image.repository"
+    value = var.prometheus_helm.node_exporter.image_name
+  }
+  set {
+    name  = "alertmanager.nodeExporter.image.tag"
+    value = var.prometheus_helm.node_exporter.image_tag
+  }
+  set {
+    name  = "alertmanager.nodeExporter.image.repository"
+    value = var.prometheus_helm.node_exporter.image_name
+  }
+  set {
+    name  = "alertmanager.nodeExporter.image.tag"
+    value = var.prometheus_helm.node_exporter.image_tag
+  }
+  set {
+    name  = "alertmanager.server.image.repository"
+    value = var.prometheus_helm.server.image_name
+  }
+  set {
+    name  = "alertmanager.server.image.tag"
+    value = var.prometheus_helm.server.image_tag
+  }
+  set {
+    name  = "alertmanager.pushgateway.image.repository"
+    value = var.prometheus_helm.pushgateway.image_name
+  }
+  set {
+    name  = "alertmanager.pushgateway.image.tag"
+    value = var.prometheus_helm.pushgateway.image_tag
+  }
+}
+
+# resource "helm_release" "grafana" {
+#   name       = "grafana"
+#   repository = "https://grafana.github.io/helm-charts"
+#   chart      = "grafana"
+#   version    = var.grafana_helm_version
+#   namespace  = kubernetes_namespace.monitoring.metadata[0].name
+
+#   set {
+#     name  = "adminUser"
+#     value = data.azurerm_key_vault_secret.grafana_admin_username.value
+#   }
+
+#   set {
+#     name  = "adminPassword"
+#     value = data.azurerm_key_vault_secret.grafana_admin_password.value
+#   }
+# }
+
+resource "helm_release" "monitoring_reloader" {
+  name       = "reloader"
+  repository = "https://stakater.github.io/stakater-charts"
+  chart      = "reloader"
+  version    = var.reloader_helm.chart_version
+  namespace  = kubernetes_namespace.monitoring.metadata[0].name
+
+  set {
+    name  = "reloader.watchGlobally"
+    value = "false"
+  }
+  set {
+    name  = "reloader.deployment.image.name"
+    value = var.reloader_helm.image_name
+  }
+  set {
+    name  = "reloader.deployment.image.tag"
+    value = var.reloader_helm.image_tag
+  }
+}
diff --git a/src/aks-platform/04_rbac.tf b/src/aks-platform/04_rbac.tf
@@ -207,6 +207,10 @@ resource "kubernetes_cluster_role_binding" "edit_binding" {
     name      = data.azuread_group.adgroup_developers.object_id
     namespace = "kube-system"
   }
+
+  depends_on = [
+    module.aks
+  ]
 }
 
 resource "kubernetes_cluster_role_binding" "view_binding" {

diff --git a/src/aks-platform/05_ingress.tf b/src/aks-platform/05_ingress.tf
@@ -33,10 +33,6 @@ module "nginx_ingress" {
       name  = "controller.replicaCount"
       value = var.ingress_replica_count
     },
-    {
-      name  = "controller.service.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-health-probe-request-path"
-      value = "/healthz"
-    },
     {
       name  = "controller.nodeSelector.beta\\.kubernetes\\.io/os"
       value = "linux"
@@ -48,6 +44,10 @@ module "nginx_ingress" {
     {
       name  = "controller.admissionWebhooks.patch.nodeSelector.beta\\.kubernetes\\.io/os"
       value = "linux"
+    },
+    {
+      name  = "controller.service.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-health-probe-request-path"
+      value = "/healthz"
     }
   ]
 

diff --git a/src/aks-platform/05_keda.tf b/src/aks-platform/05_keda.tf
@@ -13,7 +13,7 @@ locals {
 }
 
 module "keda_pod_identity" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v4.1.0"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v6.20.1"
 
   resource_group_name = azurerm_resource_group.rg_aks.name
   location            = var.location
@@ -33,6 +33,10 @@ resource "azurerm_role_assignment" "keda_monitoring_reader" {
   scope                = data.azurerm_subscription.current.id
   role_definition_name = "Monitoring Reader"
   principal_id         = module.keda_pod_identity.identity.principal_id
+
+  depends_on = [
+    module.aks
+  ]
 }
 
 resource "helm_release" "keda" {

diff --git a/src/aks-platform/99_main.tf b/src/aks-platform/99_main.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.36.0"
+      version = ">= 3.64.0"
     }
     azuread = {
       source  = "hashicorp/azuread"

diff --git a/src/aks-platform/99_main.tf.ci b/src/aks-platform/99_main.tf.ci
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.36.0"
+      version = ">= 3.64.0"
     }
     azuread = {
       source  = "hashicorp/azuread"