From 2cd101a202e43f04e8a1839bcc0fcd44e2c280f6 Mon Sep 17 00:00:00 2001 From: smalltown Date: Wed, 3 Apr 2019 12:08:00 +0800 Subject: [PATCH] update the document and module output description --- CHANGELOG.md | 12 ++ README.md | 12 +- VARIABLES.md | 220 ++++++++++++++++++--------- modules/aws/eks-worker/variables.tf | 12 +- modules/aws/eks/outputs.tf | 17 ++- modules/aws/eks/variables.tf | 6 +- modules/aws/elastikube/outputs.tf | 22 ++- modules/aws/kube-worker/variables.tf | 28 ++-- modules/aws/network/outputs.tf | 13 +- modules/aws/network/variables.tf | 6 +- 10 files changed, 228 insertions(+), 120 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f64c9ad7..87845a4c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,18 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). + +## [[v0.0.15](https://github.com/getamis/vishwakarma/compare/v0.0.15...v0.0.14)] - 2019-04-03] + +### Added +- Add terratest script for eks example/eks-cluster +- Add tag parameter for autoscaler within eks +- Change the auth config management by refering to another [eks terraform module](https://github.com/terraform-aws-modules/terraform-aws-eks) + +### Changed +- Upgrade eks to algin with the latest official worker group provision method +- The eks worker group changed AMI from CoreOS to official EKS AMI + ## [[v0.0.14](https://github.com/getamis/vishwakarma/compare/v0.0.14...v0.0.13)] - 2019-03-28] ### Added diff --git a/README.md b/README.md index f0334896..bf6a7849 100644 --- a/README.md +++ b/README.md 
@@ -134,19 +134,19 @@ You have completed one Kubernetes cluster the same as below picture, and let me ![Alt text](https://cdn-images-1.medium.com/max/800/1*tvAY88CzHhxo4lBB6OUSyA.png) ## Modules -Vishwakarma include 4 major module: +Vishwakarma include serveral major modules: ### aws/network Create one AWS VPC including private and public subnet, and one ec2 instance called bastion hosts in public subnet, hence, one can access the resource hosting in the private subnet, refer [**aws/network**](VARIABLES.md#aws/network) for the detail variable inputs -### aws/eks or aws/elastikube -This module creates the AWS EKS or ElastiKube, Terraform is responsible for the complicated k8s compoments, and it takes about 10~15 minutes to complete, refer [**Here**](VARIABLES.md#aws/) for the detail variable inputs +### aws/eks and aws/elastikube +This two modules creates the K8S control plane (AWS EKS and ElastiKube), Terraform is responsible for the complicated k8s compoments, and it takes about 10~15 minutes to complete, refer [**aws/eks**](VARIABLES.md#aws/eks) and [**aws/eks**](VARIABLES.md#aws/elastikube) for the detail variable inputs -### aws/eks-worker-asg or aws/kube-worker -Create a AWS auto-scaling group with CoreOS container linux and leverage ignition to provision and register to EKS cluster / ElastiKube automatically. +### aws/eks-worker-asg and aws/kube-worker +Create a AWS auto-scaling group with CoreOS container linux and leverage ignition to provision and register to EKS cluster or ElastiKube automatically. -Due to using AWS launch template, it's up to user to choose spot or on demand instance type, refer [**Here**](VARIABLES.md#worker) for the detail variable inputs +Due to using AWS launch template, hence, it's up to user to choose spot or on demand instance type by changing the variable, refer [**aws/eks-worker**](VARIABLES.md#aws/eks-worker) and [**aws/kube-worker**](VARIABLES.md#aws/kube-worker) for the detail variable inputs ## Contributing 
diff --git a/VARIABLES.md b/VARIABLES.md index 25e33fe3..95508f81 100644 --- a/VARIABLES.md +++ b/VARIABLES.md 
@@ -1,92 +1,168 @@ # Variables ## aws/network -### inputs -| Name | Description | Type | Default | Required | -| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :----: | :------: | :------: | -| aws_region | The AWS region to build network infrastructure | string | - | yes | -| aws_az_number | How many available zone want to be used | string | 3 | no | -| cidr_block | The CIDR block for AWS VPC | string | 10.0.0.0/16 | no | -| phase | Specific which phase service will be hosted | string | dev | no | -| project | Specific which project service will be hosted | string | vishwakarma | no | -| bastion_ami_id | The AWS AMI id for bastion, if that isn't provided, ubuntu latest ami will be used | string | "" | no | -| bastion_instance_type | The AWS instance type for bastion | string | t2.micro | no | -| bastion_key_name | The AWS EC2 key name for bastion | string | - | yes | -| private_zone | The AWS EC2 key name for bastion | string | false | no | -| extra_tags | Create a private Route53 host zone | map | {} | no | - - -### outputs +### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| aws\_az\_number | How many AZs want to be used | string | `"3"` | no | +| aws\_region | The AWS region to build network infrastructure | string | n/a | yes | +| bastion\_ami\_id | The AWS AMI id for bastion | string | `""` | no | +| bastion\_instance\_type | The AWS instance type for bastion | string | `"t3.micro"` | no | +| bastion\_key\_name | The AWS EC2 key name for bastion | string | n/a | yes | +| cidr\_block | The CIDR block for AWS VPC | string | `"10.0.0.0/16"` | no | +| extra\_tags | Extra AWS tags to be applied to created resources | map | `` | no | +| phase | Specific which phase service will be hosted | string | `"test"` 
| no | +| private\_zone | Create a private Route53 host zone | string | `"false"` | no | +| project | Specific which project service will host | string | `"vishwakarma"` | no | + +### Outputs + +| Name | Description | +|------|-------------| +| bastion\_public\_ip | the public ip address for ssh | +| private\_subnet\_ids | resource can not be accessed publicly when use it | +| public\_subnet\_ids | resource can be accessed publicly when use it | +| vpc\_id | vpc id created by this module | +| zone\_id | private zone id for k8s | ## aws/eks -### inputs -| Name | Description | Type | Default | Required | -| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :----: | :------: | :------: | -| aws_region | The AWS region to build eks cluster | string | - | yes | -| vpc_cidr_block | The CIDR block of AWS VPC for eks cluster | string | 10.0.0.0/16 | no | -| exist_vpc_id | The exist AWS VPC id for EKS cluster | string | - | yes | -| exist_subnet_ids | The exist AWS subnet ids for EKS cluster | list | - | yes | -| phase | Specific which phase is used for this eks cluster, and phase + project become cluster name | string | dev | no | -| project | Specific which project is used by eks cluster, and phase + project become cluster name | string | vishwakarma | no | -| config_output_path | The path to store config, e.g. kubeconfig | string | .terraform | no | -| lb_sg_ids | The security group id which used by load balancer | list | [] | no | -| extra_tags | The AWS EC2 key name for bastion | map | {} | no | - - -### outputs +### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| aws\_auth\_config\_output\_flag | Whether to write the aws-auth configmap file. 
| string | `"true"` | no | +| aws\_region | The AWS region to build eks cluster | string | `""` | no | +| cidr\_access\_eks\_https | The CIDR block of AWS VPC for eks cluster | list | `` | no | +| cidr\_access\_worker\_ssh | The CIDR block of AWS VPC for eks cluster | list | `` | no | +| config\_output\_path | The path to store config, e.g. kubeconfig | string | `"./terraform"` | no | +| endpoint\_private\_access | Kubernetes apiserver endpoint | string | `"true"` | no | +| endpoint\_public\_access | Kubernetes apiserver endpoint | string | `"false"` | no | +| exist\_subnet\_ids | The exist AWS subnet ids for EKS cluster | list | n/a | yes | +| extra\_tags | Extra AWS tags to be applied to created resources. | map | `` | no | +| iam\_path | If provided, all IAM roles will be created on this path. | string | `"/"` | no | +| kubeconfig\_aws\_authenticator\_additional\_args | Any additional arguments to pass to the authenticator such as the role to assume. e.g. ["-r", "MyEksRole"]. | list | `` | no | +| kubeconfig\_aws\_authenticator\_command | Command to use to fetch AWS EKS credentials. | string | `"aws-iam-authenticator"` | no | +| kubeconfig\_aws\_authenticator\_command\_args | Default arguments passed to the authenticator command. Defaults to [token -i $cluster_name]. | list | `` | no | +| kubeconfig\_aws\_authenticator\_env\_variables | Environment variables that should be used when executing the authenticator. e.g. { AWS_PROFILE = "eks"}. | map | `` | no | +| kubeconfig\_name | Override the default name used for items kubeconfig. | string | `""` | no | +| kubeconfig\_output\_flag | Whether to write a Kubectl config file containing the cluster configuration. Saved to `config_output_path`. | string | `"true"` | no | +| kubernetes\_version | Desired Kubernetes master version. If you do not specify a value, the latest available version is used. 
| string | `"1.12.7"` | no | +| lb\_sg\_ids | The security group id which used by load balancer | list | `` | no | +| local\_exec\_interpreter | Command to run for local-exec resources. Must be a shell-style interpreter. If you are on Windows Git Bash is a good choice. | list | `` | no | +| manage\_aws\_auth | Whether to apply the aws-auth configmap file. | string | `"true"` | no | +| map\_accounts | Additional AWS account numbers to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format. | list | `` | no | +| map\_accounts\_count | The count of accounts in the map_accounts list. | string | `"0"` | no | +| map\_roles | Additional IAM roles to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format. | list | `` | no | +| map\_roles\_count | The count of roles in the map_roles list. | string | `"0"` | no | +| map\_users | Additional IAM users to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format. | list | `` | no | +| map\_users\_count | The count of roles in the map_users list. | string | `"0"` | no | +| permissions\_boundary | If provided, all IAM roles will be created with this permissions boundary attached. 
| string | `""` | no | +| phase | Specific which phase is used for this eks cluster, and phase + project become cluster name | string | `"test"` | no | +| project | Specific which project is used by eks cluster, and phase + project become cluster name | string | `"vishwakarma"` | no | +| worker\_groups | The worker groups's name for generating role | list | `` | no | + +### Outputs + +| Name | Description | +|------|-------------| +| endpoint | the eks cluster endpoint | +| id | the eks cluster name | +| kubernetes\_version | the eks cluster version | +| s3\_bucket | the s3 bucket where put kubeconfig | +| worker\_instance\_profiles | the instance profiles name for worker groups | +| worker\_role\_arns | the role arns for worker groups | +| worker\_sg\_id | the security group id for worker group | ## aws/eks-worker ### inputs -| Name | Description | Type | Default | Required | -| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :----: | :------: | :------: | -| phase | Specific which phase is used for this eks worker node group | string | dev | no | -| project | Specific which project is used for this eks worker node group | string | vishwakarma | no | -| project | Specific which project is used for this eks worker node group | string | vishwakarma | no | -| ssh_key | The ssh key name for worker node instance | string | - | yes | -| aws_region | The AWS region to host this eks worker node group | string | - | yes | -| vpc_id | The vpc id to host this eks worker ndoe group | string | - | yes | -| aws_az_number | How many AZs want to use | string | 3 | no | -| container_linux_channel | CoreOS release channel for worker node | string | stable | no | -| container_linux_version | CoreOS release version for worker node | string | latest | no | -| cluster_name | The eks cluster 
name | string | - | yes | -| cluster_endpoint | The eks cluster endpoint | string | - | yes | -| certificate_authority_data | The eks cluster certificate authority data | string | - | yes | -| worker_name | The name for worker node | string | - | yes | -| ec2_type | The ec2 type for worker node | string | - | yes | -| ec2_ami | The ami for worker node | string | "" | no | -| instance_count | The minimal worker node number | string | 1 | no | -| subnet_ids | The subnet ids for worker node to host | list | - | yes | -| sg_ids | The security group IDs to be applied for work node | list | - | yes | -| load_balancers | List of ELBs to attach all worker instances to | list | [] | no | -| target_group_arns | List of target groups arn to attach all worker instances to | list | [] | no | -| container_images | Container images to use | map | - | yes | -| bootstrap_upgrade_cl | Whether to trigger a Container Linux OS upgrade during the bootstrap process | string | true | no | -| ntp_servers | A list of NTP servers to be used for time synchronization on the cluster nodes | list | [] | no | -| kubelet_node_label | A list of NTP servers to be used for time synchronization on the cluster nodes | string | "" | no | -| cloud_provider | The cloud provider to be used for the kubelet | string | aws | no | -| image_re | Regular expression used to extract repo and tag components from image strings | string | /^([^/]+/[^/]+/[^/]+):(.*)$/ | no | -| client_ca_file | The eks cercificate file path | string | /etc/kubernetes/pki/ca.crt | no | -| heptio_authenticator_aws_url | heptio authenticator aws download url | string | https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/bin/linux/amd64/heptio-authenticator-aws | no | -| extra_tags | Extra AWS tags to be applied to created resources | map | {} | no | -| root_volume_type | The type of volume for the root block device | string | gp2 | no | -| root_volume_size | The size of the volume in gigabytes for the root block device | 
string | 200 | no | -| root_volume_iops | The amount of provisioned IOPS for the root block device | string | 100 | no | -| worker_iam_role | Exist IAM role to use for the instance profiles of worker nodes | string | "" | no | -| s3_bucket | The s3 bucket to store ignition file for EC2 userdata | string | - | yes | - - -### outputs +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| aws\_az\_number | How many AZs want to use | string | `"3"` | no | +| aws\_region | The AWS region | string | `"us-west-2"` | no | +| cluster\_name | the eks cluster name | string | n/a | yes | +| enable\_autoscaler | enable autoscaler or not | string | `"false"` | no | +| extra\_tags | Extra AWS tags to be applied to created resources. | map | `` | no | +| extra\_worker\_policy\_arns | The extra policy need to be attached to worker | list | `` | no | +| kube\_node\_labels | Labels to add when registering the node in the cluster. Labels must be key=value pairs. | list | `` | no | +| kube\_node\_taints | Register the node with the given list of taints ("=:"). | list | `` | no | +| load\_balancer\_ids | A list of elastic load balancer names to add to the autoscaling group names. Only valid for classic load balancers. For ALBs, use target_group_arns instead. | list | `` | no | +| security\_group\_ids | List of security group IDs for the cross-account elastic network interfaces to use to allow communication between your worker nodes and the Kubernetes control plane. | list | `` | no | +| ssh\_key | The key name that should be used for the instance. | string | `""` | no | +| subnet\_ids | List of subnet IDs. Must be in at least two different availability zones. Cross-account elastic network interfaces will be created in these subnets to allow communication between your worker nodes and the Kubernetes control plane. | list | `` | no | +| target\_group\_arns | A list of aws_alb_target_group ARNs, for use with Application Load Balancing. 
| list | `` | no | +| worker\_config | Desired worker nodes configuration. | map | `` | no | ## aws/elastikube ### input +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| allowed\_ssh\_cidr | (Optional) A list of CIDR networks to allow ssh access to. Defaults to "0.0.0.0/0" | list | `` | no | +| audit\_log\_backend | (Optional) Kubernetes apiserver auditing log backend configuration, there are four parameters: path, maxage, maxbackup, maxsize. | map | `` | no | +| audit\_policy\_path | (Optional) A policy path for Kubernetes apiserver to enable auditing log. | string | `""` | no | +| auth\_webhook\_path | (Optional) A path for using customize machine to authenticate to a Kubernetes cluster. | string | `""` | no | +| aws\_region | (Optional) The AWS region | string | `"us-east-1"` | no | +| cluster\_cidr | (Optional) The Kubernetes cluster CIDR. | string | `"172.24.0.0/13"` | no | +| endpoint\_public\_access | (Optional) kubernetes apiserver endpoint | string | `"false"` | no | +| etcd\_config | (Optional) Desired etcd nodes configuration. | map | `` | no | +| extra\_etcd\_ignition\_file\_ids | (Optional) Additional ignition file IDs for etcds. See https://www.terraform.io/docs/providers/ignition/d/file.html for more details. | list | `` | no | +| extra\_etcd\_ignition\_systemd\_unit\_ids | (Optional) Additional ignition systemd unit IDs for etcds. See https://www.terraform.io/docs/providers/ignition/d/systemd_unit.html for more details. | list | `` | no | +| extra\_ignition\_file\_ids | (Optional) Additional ignition file IDs for masters. See https://www.terraform.io/docs/providers/ignition/d/file.html for more details. | list | `` | no | +| extra\_ignition\_systemd\_unit\_ids | (Optional) Additional ignition systemd unit IDs for masters. See https://www.terraform.io/docs/providers/ignition/d/systemd_unit.html for more details. 
| list | `` | no | +| extra\_master\_node\_labels | (Optional) Labels to add when registering the node in the cluster. Labels must be key=value pairs. | list | `` | no | +| extra\_master\_node\_taints | (Optional) Register the node with the given list of taints ("=:"). | list | `` | no | +| extra\_tags | (Optional) Extra AWS tags to be applied to the resources. | map | `` | no | +| hostzone | (Optional) The cluster private hostname. If not specified, .com will be used. | string | `""` | no | +| kubelet\_flag\_extra\_flags | Extra user-provided flags to kubelet. | list | `` | no | +| kubernetes\_version | (Optional) Desired Kubernetes master version. If you do not specify a value, the latest available version is used. | string | `"v1.13.4"` | no | +| lb\_security\_group\_ids | (Optional) List of security group IDs for the cross-account elastic network interfaces to use to allow communication to the kubernetes api server load balancer. | list | `` | no | +| master\_config | (Optional) Desired master nodes configuration. | map | `` | no | +| name | (Required) Name of the cluster. | string | n/a | yes | +| private\_subnet\_ids | (Required) List of private subnet IDs. Must be in at least two different availability zones. Cross-account elastic network interfaces will be created in these subnets to allow communication between your worker nodes and the Kubernetes control plane. | list | `` | no | +| public\_subnet\_ids | (Required) List of public subnet IDs. Must be in at least two different availability zones. Cross-account elastic network interfaces will be created in these subnets to allow communication between your worker nodes and the Kubernetes control plane. 
| list | `` | no | +| reboot\_strategy | (Optional) CoreOS reboot strategies on updates, two option here: etcd-lock or off | string | `"off"` | no | +| role\_name | (Optional) The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. | string | `""` | no | +| security\_group\_ids | (Optional) List of security group IDs for the cross-account elastic network interfaces to use to allow communication between your worker nodes and the Kubernetes control plane. | list | `` | no | +| service\_cidr | (Optional) The Kubernetes service CIDR. | string | `"172.16.0.0/13"` | no | +| ssh\_key | The key name that should be used for the instances. | string | `""` | no | ### output +| Name | Description | +|------|-------------| +| certificate\_authority | K8S root CA Cert | +| endpoint | K8S cluster endpoint | +| id | K8S cluster name | +| master\_sg\_ids | The security group which used by K8S master | +| s3\_bucket | The S3 bucket for storing provision ignition file | +| version | K8S cluster version | +| vpc\_id | The VPC id used by K8S | +| worker\_sg\_ids | The security gruop for worker group | ## aws/kube-worker ### input - -### output \ No newline at end of file +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| aws\_region | The AWS region | string | `"us-east-1"` | no | +| cluster\_name | Name of the cluster. | string | n/a | yes | +| enable\_autoscaler | Enable to add autoscaler tag or not | string | `"false"` | no | +| extra\_ignition\_file\_ids | Additional ignition file IDs. See https://www.terraform.io/docs/providers/ignition/d/file.html for more details. | list | `` | no | +| extra\_ignition\_systemd\_unit\_ids | Additional ignition systemd unit IDs. See https://www.terraform.io/docs/providers/ignition/d/systemd_unit.html for more details. 
| list | `` | no | +| extra\_tags | Extra AWS tags to be applied to created resources. | map | `` | no | +| kube\_node\_labels | Labels to add when registering the node in the cluster. Labels must be key=value pairs. | list | `` | no | +| kube\_node\_taints | Register the node with the given list of taints ("=:"). | list | `` | no | +| kube\_service\_cidr | | string | n/a | yes | +| kubelet\_flag\_extra\_flags | Extra user-provided flags to kubelet. | list | `` | no | +| kubernetes\_version | Desired Kubernetes kubelet version. If you do not specify a value, the latest available version is used. | string | `"v1.13.4"` | no | +| load\_balancer\_ids | A list of elastic load balancer names to add to the autoscaling group names. Only valid for classic load balancers. For ALBs, use target_group_arns instead. | list | `` | no | +| reboot\_strategy | CoreOS reboot strategies on updates, two option here: etcd-lock or off | string | `"etcd-lock"` | no | +| role\_name | The Amazon Resource Name of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. | string | `""` | no | +| s3\_bucket | Unique name under which the Amazon S3 bucket will be created. Bucket name must start with a lower case name and is limited to 63 characters. If name is not provided the installer will construct the name using "name" and current AWS region. | string | `""` | no | +| security\_group\_ids | List of security group IDs for the cross-account elastic network interfaces to use to allow communication between your worker nodes and the Kubernetes control plane. | list | `` | no | +| ssh\_key | The key name that should be used for the instance. | string | `""` | no | +| subnet\_ids | List of subnet IDs. Must be in at least two different availability zones. Cross-account elastic network interfaces will be created in these subnets to allow communication between your worker nodes and the Kubernetes control plane. 
| list | `` | no | +| target\_group\_arns | A list of aws_alb_target_group ARNs, for use with Application Load Balancing. | list | `` | no | +| worker\_config | Desired worker nodes configuration. | map | `` | no | \ No newline at end of file diff --git a/modules/aws/eks-worker/variables.tf b/modules/aws/eks-worker/variables.tf index 38fc3f48..6dba4684 100644 --- a/modules/aws/eks-worker/variables.tf +++ b/modules/aws/eks-worker/variables.tf @@ -1,7 +1,7 @@ variable "aws_region" { type = "string" default = "us-west-2" - description = "(Optional) The AWS region" + description = "The AWS region" } variable "aws_az_number" { @@ -38,7 +38,7 @@ EOF variable "load_balancer_ids" { type = "list" default = [] - description = "(Optional) A list of elastic load balancer names to add to the autoscaling group names. Only valid for classic load balancers. For ALBs, use target_group_arns instead." + description = "A list of elastic load balancer names to add to the autoscaling group names. Only valid for classic load balancers. For ALBs, use target_group_arns instead." } variable "security_group_ids" { @@ -46,7 +46,7 @@ variable "security_group_ids" { default = [] description = <
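Review bot: In the CHANGELOG.md hunk the compare link for the new entry is reversed: `compare/v0.0.15...v0.0.14` diffs v0.0.14 against v0.0.15, so GitHub shows what the release removed rather than what it added; `compare/v0.0.14...v0.0.15` is the intended direction (the existing v0.0.14 entry has the same reversal, so either fix both or keep both for consistency). The trailing `]` after the date in `## [[v0.0.15](...)] - 2019-04-03]` is unbalanced, again inherited from the v0.0.14 line. Two typos: "algin" should be "align" and "refering" should be "referring". The third bullet under "Added" ("Change the auth config management by refering to another eks terraform module") describes a change, not an addition, and belongs under "Changed"; since the aws-auth configmap is what maps IAM identities into the cluster, a one-line pointer to the new `manage_aws_auth`, `map_roles`, `map_users` and `map_accounts` inputs would tell operators what actually moved.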
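Review bot: The README hunk still describes aws/eks-worker as "Create a AWS auto-scaling group with CoreOS container linux and leverage ignition to provision and register to EKS cluster", but the CHANGELOG hunk in this same patch says "The eks worker group changed AMI from CoreOS to official EKS AMI" and the new aws/eks-worker table drops the `container_linux_channel` / `container_linux_version` inputs; one of the two documents is stale, and the README paragraph needs to say which module runs which AMI. The heading `### aws/eks-worker-asg and aws/kube-worker` names a module that matches neither the path in the diffstat (`modules/aws/eks-worker/variables.tf`) nor the `## aws/eks-worker` section the links point to. The second link in `[**aws/eks**](VARIABLES.md#aws/eks) and [**aws/eks**](VARIABLES.md#aws/elastikube)` is labelled aws/eks but targets elastikube. The fragments `#aws/eks`, `#aws/elastikube`, `#aws/eks-worker` and `#aws/kube-worker` will not resolve on GitHub, which drops the slash when it generates heading anchors (`#awseks`, `#awselastikube`, and so on); the old `#aws/` and `#worker` links had the same defect, so check every link against the rendered page. Wording: "Vishwakarma include serveral major modules" should read "Vishwakarma includes several major modules"; "This two modules creates the K8S control plane" should read "These two modules create the Kubernetes control plane"; "Due to using AWS launch template, hence, it's up to user" should drop the redundant "hence".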
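Review bot: Across the regenerated VARIABLES.md tables the Default cell for every list and map input is an empty pair of backticks (`extra_tags`, `lb_sg_ids`, `load_balancer_ids`, `worker_config`, and others), so a reader cannot tell an empty default from no default; the variables.tf hunk at the end of this patch shows `default = []` for `load_balancer_ids` and `security_group_ids`, which is what the table should print. Placeholders written in angle brackets were also lost when the tables were generated: `kube_node_taints` now reads `Register the node with the given list of taints ("=:")` and `hostzone` reads `If not specified, .com will be used`; put the placeholders in backticks so the format survives rendering. Heading case differs per section (`### Inputs` / `### Outputs` for aws/network and aws/eks, `### inputs` for aws/eks-worker, `### input` / `### output` for aws/elastikube and aws/kube-worker); pick one. In the aws/network table the swapped `private_zone` / `extra_tags` descriptions from the old table are corrected, good; the remaining nits are `phase` ("Specific which phase service will be hosted" should be "Specifies which phase the service is hosted in"), `project` ("will host" should be "will be hosted in"), and the two subnet outputs ("resource can not be accessed publicly when use it" should be "subnets whose resources are not reachable from the internet", with the matching wording for the public subnets).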
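Review bot: In the aws/eks table `cidr_access_eks_https` and `cidr_access_worker_ssh` both carry the copy-pasted description "The CIDR block of AWS VPC for eks cluster"; they are allow-lists for who may reach the EKS API endpoint on 443 and who may SSH to the workers, and because their Default cell is empty the reader cannot see whether the module ships open (`0.0.0.0/0`) or closed; state the real default and recommend restricting both to the VPC or bastion CIDR. `endpoint_private_access` and `endpoint_public_access` are both described only as "Kubernetes apiserver endpoint"; say that they control whether the EKS API endpoint is reachable from inside the VPC and from the internet respectively (the defaults `"true"` / `"false"` are the safe combination and worth calling out). `kubernetes_version` says "If you do not specify a value, the latest available version is used" but has default `"1.12.7"`; one of the two is wrong. `config_output_path` moved from `.terraform` in the old table to `./terraform`; confirm which the module actually uses. `aws_region` is now optional with default `""` where the old table had it required; if the module still needs a region, mark it required. `map_users_count` says "The count of roles in the map_users list" (users, not roles). `worker_groups` "The worker groups's name for generating role" should read "Names of the worker groups to create IAM roles for". The `map_accounts` / `map_roles` / `map_users` descriptions point to `examples/eks_test_fixture/variables.tf`, a path from the upstream terraform-aws-eks module named in the CHANGELOG; either add that example here or point at this repo's own eks example. In the outputs, `s3_bucket` "the s3 bucket where put kubeconfig" should read "the S3 bucket the kubeconfig is written to"; since a kubeconfig is a credential for the cluster, the description should also state that the bucket is private and whether it is encrypted.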
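Review bot: The aws/eks-worker section lost its outputs table: the old `### outputs` heading was deleted and nothing replaced it, while aws/eks, aws/elastikube and aws/network all document theirs. `security_group_ids` and `subnet_ids` reuse the EKS control-plane wording ("cross-account elastic network interfaces ... between your worker nodes and the Kubernetes control plane"), which is the `aws_eks_cluster` vpc_config text; for this module they are the security groups and subnets of the worker auto-scaling group, and the description should say so (the same text is repeated in the aws/kube-worker table). `extra_worker_policy_arns` "The extra policy need to be attached to worker" should note that anything attached to the node role is usable by every pod scheduled on that node, so it is the wrong place for per-workload permissions. `aws_region` defaults to `"us-west-2"` here but to `"us-east-1"` in aws/elastikube and aws/kube-worker. `enable_autoscaler` is "enable autoscaler or not" here and "Enable to add autoscaler tag or not" in aws/kube-worker; the CHANGELOG says this release adds the autoscaler tag, so use the kube-worker wording in both. `worker_config` "Desired worker nodes configuration." names no keys; list the expected map keys or link to the example that sets them.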
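Review bot: `allowed_ssh_cidr` in the aws/elastikube table documents a default of `"0.0.0.0/0"`, meaning SSH to the control-plane and etcd nodes is open to the internet unless the caller overrides it; make the variable required or default it to the VPC CIDR, and in any case show the value in the Default cell rather than only in the description. `private_subnet_ids` and `public_subnet_ids` are labelled "(Required)" in their descriptions but "no" in the Required column; fix whichever is wrong. `role_name` is described as "The Amazon Resource Name (ARN) of the IAM role ..." although the variable name says it takes a role name; clarify which is expected. `endpoint_public_access` is only "kubernetes apiserver endpoint"; say that it decides whether the apiserver load balancer is internet-facing (default `"false"`). `kubernetes_version` promises "the latest available version" yet defaults to `"v1.13.4"`. `hostzone` lost its placeholder (".com will be used"). `reboot_strategy` defaults to `"off"` here and to `"etcd-lock"` in aws/kube-worker; if the asymmetry is deliberate (masters never auto-reboot on updates), say so. Typo in the outputs: "security gruop" should be "security group".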
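Review bot: `kube_service_cidr` in the aws/kube-worker table is marked required but has an empty description; it presumably has to match the `service_cidr` of the aws/elastikube cluster (default `"172.16.0.0/13"` there), which is exactly what a caller needs to be told, so confirm and document it. `role_name` is described as the role "that provides permissions for the Kubernetes control plane", copied from the elastikube table; for this module it is the worker node role. `s3_bucket` says "the installer will construct the name using "name" and current AWS region", but this module has no `name` input (it has `cluster_name`). `kubernetes_version` has the same "latest available version" versus `"v1.13.4"` contradiction as the other tables. `security_group_ids` and `subnet_ids` carry the control-plane ENI wording already noted for aws/eks-worker. The file ends with "\ No newline at end of file"; add the trailing newline so the next regeneration does not produce a spurious diff.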
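Review bot: The aws/elastikube table still prints "(Optional)" / "(Required)" on every row while the modules/aws/eks-worker/variables.tf hunks strip that prefix from descriptions (`- description = "(Optional) The AWS region"` becomes `+ description = "The AWS region"`); dropping the prefix is the right call because the generated table has a Required column, so give the elastikube variables.tf the same treatment for a consistent VARIABLES.md. The `security_group_ids` heredoc is cut off in the diff as shown here (`description = <` with nothing after it), so its new wording cannot be reviewed.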