├── .github
│   ├── CODEOWNERS
│   ├── CODE_OF_CONDUCT.md
│   ├── CONTRIBUTING.md
│   ├── ISSUE_TEMPLATE
│   │   ├── bug_report.md
│   │   ├── config.yml
│   │   ├── feature_request.md
│   │   └── question.md
│   ├── pull_request_template.md
│   └── workflows
│       ├── pr-title.yaml
│       ├── pre-commit.yaml
│       ├── publish-docs.yaml
│       └── stale-issue-pr.yaml
├── .gitignore
├── .pre-commit-config.yaml
├── LICENSE
├── NOTICE.txt
├── README.md
├── docs
│   ├── .pages
│   ├── addons
│   │   ├── argo-events.md
│   │   ├── argo-rollouts.md
│   │   ├── argo-workflows.md
│   │   ├── argocd.md
│   │   ├── aws-cloudwatch-metrics.md
│   │   ├── aws-efs-csi-driver.md
│   │   ├── aws-for-fluentbit.md
│   │   ├── aws-fsx-csi-driver.md
│   │   ├── aws-gateway-api-controller.md
│   │   ├── aws-load-balancer-controller.md
│   │   ├── aws-node-termination-handler.md
│   │   ├── aws-private-ca-issuer.md
│   │   ├── bottlerocket.md
│   │   ├── cert-manager.md
│   │   ├── cluster-autoscaler.md
│   │   ├── cluster-proportional-autoscaler.md
│   │   ├── external-dns.md
│   │   ├── external-secrets.md
│   │   ├── fargate-fluentbit.md
│   │   ├── ingress-nginx.md
│   │   ├── karpenter.md
│   │   ├── kube-prometheus-stack.md
│   │   ├── metrics-server.md
│   │   ├── opa-gatekeeper.md
│   │   ├── secrets-store-csi-driver-provider-aws.md
│   │   ├── velero.md
│   │   └── vertical-pod-autoscaler.md
│   ├── amazon-eks-addons.md
│   ├── architectures.md
│   ├── aws-partner-addons.md
│   ├── helm-release.md
│   ├── images
│   │   ├── colored-logo.png
│   │   └── white-logo.png
│   └── index.md
├── helm.tf
├── main.tf
├── mkdocs.yml
├── outputs.tf
├── tests
│   ├── README.md
│   └── complete
│       ├── README.md
│       ├── main.tf
│       ├── outputs.tf
│       ├── variables.tf
│       └── versions.tf
├── variables.tf
└── versions.tf

/.github/CODEOWNERS:
--------------------------------------------------------------------------------
* @aws-ia/internal-terraform-eks-admins
--------------------------------------------------------------------------------

/.github/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.
--------------------------------------------------------------------------------

/.github/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
documentation, we greatly value feedback and contributions from our community.

Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
information to effectively respond to your bug report or contribution.

## Reporting Bugs/Feature Requests

We welcome you to use the GitHub issue tracker to report bugs or suggest features.

When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:

- A reproducible test case or series of steps
- The version of our code being used
- Any modifications you've made relevant to the bug
- Anything unusual about your environment or deployment

## Contributing via Pull Requests

Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:

1. You are working against the latest source on the _main_ branch.
2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
3. You open an issue to discuss any significant work - we would hate for your time to be wasted.

To send us a pull request, please:

1. Fork the repository.
2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
3. Ensure local tests pass.
4. Commit to your fork using clear commit messages.
5. Send us a pull request, answering any default questions in the pull request interface.
6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).

## Finding contributions to work on

Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.

## Code of Conduct

This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

## Security issue notifications

If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue.

## Licensing

See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
--------------------------------------------------------------------------------

/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
---
name: Bug report
about: Create a report to help us improve
---

## Description

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the `examples/*` directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running `terraform init && terraform apply` without any further changes.

If your request is for a new feature, please use the `Feature request` template.

- [ ] ✋ I have searched the open/closed issues and my issue is not listed.

## ⚠️ Note

Before you submit an issue, please perform the following first:

1. Remove the local `.terraform` directory (ONLY if state is stored remotely, which is the best practice we hope you are following): `rm -rf .terraform/`
2. Re-initialize the project root to pull down modules: `terraform init`
3. Re-attempt your terraform plan or apply and check if the issue still persists

## Versions

- Module version [Required]:

- Terraform version:

- Provider version(s):

## Reproduction Code [Required]

Steps to reproduce the behavior:

## Expected behaviour

## Actual behaviour

### Terminal Output Screenshot(s)

## Additional context
--------------------------------------------------------------------------------

/.github/ISSUE_TEMPLATE/config.yml:
--------------------------------------------------------------------------------
blank_issues_enabled: false
--------------------------------------------------------------------------------

/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
---
name: Feature request
about: Suggest an idea for this project
---

### Community Note

* Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request
* Please do not leave "+1" or other comments that do not add relevant new information or questions; they generate extra noise for issue followers and do not help prioritize the request
* If you are interested in working on this issue or have submitted a pull request, please leave a comment

#### What is the outcome that you are trying to reach?

#### Describe the solution you would like

#### Describe alternatives you have considered

#### Additional context
--------------------------------------------------------------------------------

/.github/ISSUE_TEMPLATE/question.md:
--------------------------------------------------------------------------------
---
name: Question
about: I have a Question
---

- [ ] ✋ I have searched the open/closed issues and my issue is not listed.

#### Please describe your question here

#### Provide a link to the example/module related to the question

#### Additional context
--------------------------------------------------------------------------------

/.github/pull_request_template.md:
--------------------------------------------------------------------------------
### What does this PR do?

🛑 Please open an issue first to discuss any significant work and flesh out details/direction - we would hate for your time to be wasted.
Consult the [CONTRIBUTING](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/main/.github/CONTRIBUTING.md#contributing-via-pull-requests) guide for submitting pull-requests.

### Motivation

- Resolves #

### More

- [ ] Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
- [ ] Yes, I ran `pre-commit run -a` with this PR

### For Moderators

- [ ] E2E Test successfully complete before merge?

### Additional Notes
--------------------------------------------------------------------------------

/.github/workflows/pr-title.yaml:
--------------------------------------------------------------------------------
name: 'PR title'

on:
  pull_request_target:
    types:
      - opened
      - edited
      - synchronize

jobs:
  main:
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@v5.4.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          requireScope: false
          subjectPattern: ^[A-Z].+$
          subjectPatternError: |
            The subject "{subject}" found in the pull request title "{title}"
            didn't match the configured pattern. Please ensure that the subject
            starts with an uppercase character.
          wip: true
          validateSingleCommit: false
--------------------------------------------------------------------------------

/.github/workflows/pre-commit.yaml:
--------------------------------------------------------------------------------
name: pre-commit

on:
  pull_request:
    branches:
      - main
    paths:
      - '**.tf'
      - '**.yml'
      - '**.yaml'

permissions: read-all

env:
  TERRAFORM_DOCS_VERSION: v0.19.0
  TFLINT_VERSION: v0.53.0

concurrency:
  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
  cancel-in-progress: true

jobs:
  collectInputs:
    name: Collect workflow inputs
    runs-on: ubuntu-latest
    outputs:
      directories: ${{ steps.dirs.outputs.directories }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Get root directories
        id: dirs
        uses: clowdhaus/terraform-composite-actions/directories@v1.11.1

  preCommitMinVersions:
    name: Min TF pre-commit
    needs: collectInputs
    runs-on: ubuntu-latest
    strategy:
      matrix:
        directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
    steps:
      - name: Remove default Terraform
        run: rm -rf $(which terraform)

      - name: Checkout
        uses: actions/checkout@v4

      - uses: dorny/paths-filter@v3
        id: changes
        with:
          # We only need to check Terraform files for the current directory
          # because the `preCommitMaxVersion` job will run the full,
          # exhaustive checks (always)
          filters: |
            src:
              - '${{ matrix.directory }}/*.tf'

      - name: Terraform min/max versions
        uses: clowdhaus/terraform-min-max@v1.3.1
        if: steps.changes.outputs.src== 'true'
        id: minMax
        with:
          directory: ${{ matrix.directory }}

      - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1
        # Run only validate pre-commit check on min version supported
        if: ${{ matrix.directory != '.' && steps.changes.outputs.src== 'true' }}
        with:
          terraform-version: ${{ steps.minMax.outputs.minVersion }}
          args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'

      - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1
        # Run only validate pre-commit check on min version supported
        if: ${{ matrix.directory == '.' && steps.changes.outputs.src== 'true' }}
        with:
          terraform-version: ${{ steps.minMax.outputs.minVersion }}
          args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'

  preCommitMaxVersion:
    name: Max TF pre-commit
    runs-on: ubuntu-latest
    needs: collectInputs
    steps:
      - name: Remove default Terraform
        run: rm -rf $(which terraform)

      - name: Checkout
        uses: actions/checkout@v4

      - uses: dorny/paths-filter@v3
        id: changes
        with:
          filters: |
            src:
              - '**/*.tf'

      - name: Terraform min/max versions
        id: minMax
        uses: clowdhaus/terraform-min-max@v1.3.1
        if: steps.changes.outputs.src== 'true'

      - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1
        if: steps.changes.outputs.src== 'true'
        with:
          terraform-version: ${{ steps.minMax.outputs.maxVersion }}
          terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
          tflint-version: ${{ env.TFLINT_VERSION }}
--------------------------------------------------------------------------------

/.github/workflows/publish-docs.yaml:
--------------------------------------------------------------------------------
name: Publish docs via GitHub Pages
on:
  push:
    branches:
      - main
    paths:
      - 'docs/**'
      - mkdocs.yml
      - README.md
      - '.github/workflows/publish-docs.yaml'

  release:
    types:
      - published

env:
  PYTHON_VERSION: 3.11

jobs:
  build:
    name: Deploy docs
    runs-on: ubuntu-latest
    steps:
      - name: Checkout main
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install mike==1.1.2 \
                      mkdocs-material==9.4.7 \
                      mkdocs-include-markdown-plugin==6.0.3 \
                      mkdocs-awesome-pages-plugin==2.9.2

      - name: git config
        run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"

      - name: mike deploy main
        if: contains(github.ref, 'refs/heads/main')
        run: |
          mike deploy --push main

      - name: mike deploy new version
        if: contains(github.ref, 'refs/tags/v') && !github.event.release.prerelease
        run: |
          VERSION=${GITHUB_REF/refs\/tags\//}
          mike deploy --rebase --push --update-aliases "${VERSION}" latest
--------------------------------------------------------------------------------

/.github/workflows/stale-issue-pr.yaml:
--------------------------------------------------------------------------------
name: 'Stale Issue/PR'

on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * *'

permissions: read-all

jobs:
  stale:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/stale@v9
        id: stale
        with:
          ascending: true
          close-issue-message: 'Issue closed due to inactivity.'
          close-pr-message: 'Pull request closed due to inactivity.'
          days-before-close: 10
          days-before-stale: 30
          stale-issue-label: stale
          stale-pr-label: stale
          # Not marked stale if it carries one of these labels
          exempt-issue-labels: 'bug,enhancement'
          exempt-pr-labels: 'bug,enhancement'
          operations-per-run: 100
          stale-issue-message: |
            This issue has been automatically marked as stale because it has been open 30 days
            with no activity. Remove stale label or comment or this issue will be closed in 10 days
          stale-pr-message: |
            This PR has been automatically marked as stale because it has been open 30 days
            with no activity. Remove stale label or comment or this PR will be closed in 10 days
--------------------------------------------------------------------------------

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
.idea
# Local .terraform directories
**/.terraform/*

# Terraform lockfile
.terraform.lock.hcl

# .tfstate files
*.tfstate
*.tfstate.*
*.tfplan

# Crash log files
crash.log

# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# passwords, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Ignore CLI configuration files
.terraformrc
terraform.rc
--------------------------------------------------------------------------------

/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      - id: trailing-whitespace
        args: ['--markdown-linebreak-ext=md']
      - id: end-of-file-fixer
      - id: trailing-whitespace
      - id: check-merge-conflict
      - id: detect-private-key
      - id: detect-aws-credentials
        args: ['--allow-missing-credentials']
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.96.1
    hooks:
      - id: terraform_fmt
      - id: terraform_docs
        args:
          - '--args=--lockfile=false'
      - id: terraform_tflint
        args:
          - '--args=--only=terraform_deprecated_interpolation'
          - '--args=--only=terraform_deprecated_index'
          - '--args=--only=terraform_unused_declarations'
          - '--args=--only=terraform_comment_syntax'
          - '--args=--only=terraform_documented_outputs'
          - '--args=--only=terraform_documented_variables'
          - '--args=--only=terraform_typed_variables'
          - '--args=--only=terraform_module_pinned_source'
          - '--args=--only=terraform_naming_convention'
          - '--args=--only=terraform_required_version'
          - '--args=--only=terraform_required_providers'
          - '--args=--only=terraform_standard_module_structure'
          - '--args=--only=terraform_workspace_remote'
          - '--args=--only=terraform_empty_list_equality'
          - '--args=--only=terraform_unused_required_providers'
      - id: terraform_validate
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright 2023 Amazon Web Services, Inc.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--------------------------------------------------------------------------------

/NOTICE.txt:
--------------------------------------------------------------------------------
Copyright 2016-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at

    http://aws.amazon.com/apache2.0/

or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Amazon EKS Blueprints Addons

Terraform module to deploy Kubernetes addons on Amazon EKS clusters.

## Usage

```hcl
module "eks_blueprints_addons" {
  source  = "aws-ia/eks-blueprints-addons/aws"
  version = "~> 1.0" # ensure to update this to the latest/desired version

  cluster_name      = module.eks.cluster_name
  cluster_endpoint  = module.eks.cluster_endpoint
  cluster_version   = module.eks.cluster_version
  oidc_provider_arn = module.eks.oidc_provider_arn

  eks_addons = {
    aws-ebs-csi-driver = {
      most_recent = true
    }
    coredns = {
      most_recent = true
    }
    vpc-cni = {
      most_recent = true
    }
    kube-proxy = {
      most_recent = true
    }
  }

  enable_aws_load_balancer_controller    = true
  enable_cluster_proportional_autoscaler = true
  enable_karpenter                       = true
  enable_kube_prometheus_stack           = true
  enable_metrics_server                  = true
  enable_external_dns                    = true
  enable_cert_manager                    = true
  cert_manager_route53_hosted_zone_arns  = ["arn:aws:route53:::hostedzone/XXXXXXXXXXXXX"]

  tags = {
    Environment = "dev"
  }
}

module "eks" {
  source = "terraform-aws-modules/eks/aws"

  cluster_name    = "my-cluster"
  cluster_version = "1.29"

  ... truncated for brevity
}
```

## Support & Feedback

> [!IMPORTANT]
> EKS Blueprints for Terraform is maintained by AWS Solution Architects. It is not part of an AWS
> service and support is provided as a best-effort by the EKS Blueprints community. To provide feedback,
> please use the [issue templates](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/issues)
> provided. If you are interested in contributing to EKS Blueprints, see the
> [Contribution guide](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/main/.github/CONTRIBUTING.md).

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [aws](#requirement\_aws) | >= 5.0 |
| [helm](#requirement\_helm) | >= 2.9 |
| [kubernetes](#requirement\_kubernetes) | >= 2.20 |
| [random](#requirement\_random) | >= 3.6 |
| [time](#requirement\_time) | >= 0.9 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 5.0 |
| [helm](#provider\_helm) | >= 2.9 |
| [kubernetes](#provider\_kubernetes) | >= 2.20 |
| [random](#provider\_random) | >= 3.6 |
| [time](#provider\_time) | >= 0.9 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| [argo\_events](#module\_argo\_events) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| [argo\_rollouts](#module\_argo\_rollouts) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| [argo\_workflows](#module\_argo\_workflows) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| [argocd](#module\_argocd) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| [aws\_cloudwatch\_metrics](#module\_aws\_cloudwatch\_metrics) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| [aws\_efs\_csi\_driver](#module\_aws\_efs\_csi\_driver) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| [aws\_for\_fluentbit](#module\_aws\_for\_fluentbit) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| [aws\_fsx\_csi\_driver](#module\_aws\_fsx\_csi\_driver) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| [aws\_gateway\_api\_controller](#module\_aws\_gateway\_api\_controller) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| [aws\_load\_balancer\_controller](#module\_aws\_load\_balancer\_controller) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
101 | | [aws\_node\_termination\_handler](#module\_aws\_node\_termination\_handler) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 102 | | [aws\_node\_termination\_handler\_sqs](#module\_aws\_node\_termination\_handler\_sqs) | terraform-aws-modules/sqs/aws | 4.0.1 | 103 | | [aws\_privateca\_issuer](#module\_aws\_privateca\_issuer) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 104 | | [bottlerocket\_shadow](#module\_bottlerocket\_shadow) | aws-ia/eks-blueprints-addon/aws | ~> 1.1.1 | 105 | | [bottlerocket\_update\_operator](#module\_bottlerocket\_update\_operator) | aws-ia/eks-blueprints-addon/aws | ~> 1.1.1 | 106 | | [cert\_manager](#module\_cert\_manager) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 107 | | [cluster\_autoscaler](#module\_cluster\_autoscaler) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 108 | | [cluster\_proportional\_autoscaler](#module\_cluster\_proportional\_autoscaler) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 109 | | [external\_dns](#module\_external\_dns) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 110 | | [external\_secrets](#module\_external\_secrets) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 111 | | [gatekeeper](#module\_gatekeeper) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 112 | | [ingress\_nginx](#module\_ingress\_nginx) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 113 | | [karpenter](#module\_karpenter) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 114 | | [karpenter\_sqs](#module\_karpenter\_sqs) | terraform-aws-modules/sqs/aws | 4.0.1 | 115 | | [kube\_prometheus\_stack](#module\_kube\_prometheus\_stack) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 116 | | [metrics\_server](#module\_metrics\_server) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 117 | | [secrets\_store\_csi\_driver](#module\_secrets\_store\_csi\_driver) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 118 | | [secrets\_store\_csi\_driver\_provider\_aws](#module\_secrets\_store\_csi\_driver\_provider\_aws) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 119 | | [velero](#module\_velero) 
| aws-ia/eks-blueprints-addon/aws | 1.1.1 | 120 | | [vpa](#module\_vpa) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 121 | 122 | ## Resources 123 | 124 | | Name | Type | 125 | |------|------| 126 | | [aws_autoscaling_group_tag.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group_tag) | resource | 127 | | [aws_autoscaling_lifecycle_hook.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_lifecycle_hook) | resource | 128 | | [aws_cloudformation_stack.usage_telemetry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource | 129 | | [aws_cloudwatch_event_rule.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | 130 | | [aws_cloudwatch_event_rule.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | 131 | | [aws_cloudwatch_event_target.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | 132 | | [aws_cloudwatch_event_target.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | 133 | | [aws_cloudwatch_log_group.aws_for_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | 134 | | [aws_cloudwatch_log_group.fargate_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | 135 | | [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource | 136 | | [aws_iam_instance_profile.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | 
resource | 137 | | [aws_iam_policy.fargate_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | 138 | | [aws_iam_role.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 139 | | [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 140 | | [aws_iam_role_policy_attachment.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 141 | | [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | 142 | | [kubernetes_config_map_v1.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource | 143 | | [kubernetes_config_map_v1_data.aws_for_fluentbit_containerinsights](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1_data) | resource | 144 | | [kubernetes_namespace_v1.aws_observability](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource | 145 | | [random_bytes.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/bytes) | resource | 146 | | [time_sleep.this](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | 147 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 148 | | [aws_eks_addon_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source | 149 | | [aws_iam_policy_document.aws_efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 150 | | 
[aws_iam_policy_document.aws_for_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 151 | | [aws_iam_policy_document.aws_fsx_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 152 | | [aws_iam_policy_document.aws_gateway_api_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 153 | | [aws_iam_policy_document.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 154 | | [aws_iam_policy_document.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 155 | | [aws_iam_policy_document.aws_privateca_issuer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 156 | | [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 157 | | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 158 | | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 159 | | [aws_iam_policy_document.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 160 | | [aws_iam_policy_document.fargate_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 161 | | 
[aws_iam_policy_document.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 162 | | [aws_iam_policy_document.karpenter_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 163 | | [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 164 | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | 165 | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | 166 | 167 | ## Inputs 168 | 169 | | Name | Description | Type | Default | Required | 170 | |------|-------------|------|---------|:--------:| 171 | | [argo\_events](#input\_argo\_events) | Argo Events add-on configuration values | `any` | `{}` | no | 172 | | [argo\_rollouts](#input\_argo\_rollouts) | Argo Rollouts add-on configuration values | `any` | `{}` | no | 173 | | [argo\_workflows](#input\_argo\_workflows) | Argo Workflows add-on configuration values | `any` | `{}` | no | 174 | | [argocd](#input\_argocd) | ArgoCD add-on configuration values | `any` | `{}` | no | 175 | | [aws\_cloudwatch\_metrics](#input\_aws\_cloudwatch\_metrics) | Cloudwatch Metrics add-on configuration values | `any` | `{}` | no | 176 | | [aws\_efs\_csi\_driver](#input\_aws\_efs\_csi\_driver) | EFS CSI Driver add-on configuration values | `any` | `{}` | no | 177 | | [aws\_for\_fluentbit](#input\_aws\_for\_fluentbit) | AWS Fluentbit add-on configurations | `any` | `{}` | no | 178 | | [aws\_for\_fluentbit\_cw\_log\_group](#input\_aws\_for\_fluentbit\_cw\_log\_group) | AWS Fluentbit CloudWatch Log Group configurations | `any` | `{}` | no | 179 | | [aws\_fsx\_csi\_driver](#input\_aws\_fsx\_csi\_driver) | FSX CSI Driver add-on configuration values | `any` | 
`{}` | no | 180 | | [aws\_gateway\_api\_controller](#input\_aws\_gateway\_api\_controller) | AWS Gateway API Controller add-on configuration values | `any` | `{}` | no | 181 | | [aws\_load\_balancer\_controller](#input\_aws\_load\_balancer\_controller) | AWS Load Balancer Controller add-on configuration values | `any` | `{}` | no | 182 | | [aws\_node\_termination\_handler](#input\_aws\_node\_termination\_handler) | AWS Node Termination Handler add-on configuration values | `any` | `{}` | no | 183 | | [aws\_node\_termination\_handler\_asg\_arns](#input\_aws\_node\_termination\_handler\_asg\_arns) | List of Auto Scaling group ARNs that AWS Node Termination Handler will monitor for EC2 events | `list(string)` | `[]` | no | 184 | | [aws\_node\_termination\_handler\_sqs](#input\_aws\_node\_termination\_handler\_sqs) | AWS Node Termination Handler SQS queue configuration values | `any` | `{}` | no | 185 | | [aws\_privateca\_issuer](#input\_aws\_privateca\_issuer) | AWS PCA Issuer add-on configurations | `any` | `{}` | no | 186 | | [bottlerocket\_shadow](#input\_bottlerocket\_shadow) | Bottlerocket Update Operator CRDs configuration values | `any` | `{}` | no | 187 | | [bottlerocket\_update\_operator](#input\_bottlerocket\_update\_operator) | Bottlerocket Update Operator add-on configuration values | `any` | `{}` | no | 188 | | [cert\_manager](#input\_cert\_manager) | cert-manager add-on configuration values | `any` | `{}` | no | 189 | | [cert\_manager\_route53\_hosted\_zone\_arns](#input\_cert\_manager\_route53\_hosted\_zone\_arns) | List of Route53 Hosted Zone ARNs that are used by cert-manager to create DNS records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no | 190 | | [cluster\_autoscaler](#input\_cluster\_autoscaler) | Cluster Autoscaler add-on configuration values | `any` | `{}` | no | 191 | | [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint for your Kubernetes API server | `string` | n/a | yes | 192 | | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | 193 | | [cluster\_proportional\_autoscaler](#input\_cluster\_proportional\_autoscaler) | Cluster Proportional Autoscaler add-on configurations | `any` | `{}` | no | 194 | | [cluster\_version](#input\_cluster\_version) | Kubernetes `.` version to use for the EKS cluster (i.e.: `1.24`) | `string` | n/a | yes | 195 | | [create\_delay\_dependencies](#input\_create\_delay\_dependencies) | Dependency attribute which must be resolved before starting the `create_delay_duration` | `list(string)` | `[]` | no | 196 | | [create\_delay\_duration](#input\_create\_delay\_duration) | The duration to wait before creating resources | `string` | `"30s"` | no | 197 | | [create\_kubernetes\_resources](#input\_create\_kubernetes\_resources) | Create Kubernetes resource with Helm or Kubernetes provider | `bool` | `true` | no | 198 | | [eks\_addons](#input\_eks\_addons) | Map of EKS add-on configurations to enable for the cluster. 
Add-on name can be the map keys or set with `name` | `any` | `{}` | no | 199 | | [eks\_addons\_timeouts](#input\_eks\_addons\_timeouts) | Create, update, and delete timeout configurations for the EKS add-ons | `map(string)` | `{}` | no | 200 | | [enable\_argo\_events](#input\_enable\_argo\_events) | Enable Argo Events add-on | `bool` | `false` | no | 201 | | [enable\_argo\_rollouts](#input\_enable\_argo\_rollouts) | Enable Argo Rollouts add-on | `bool` | `false` | no | 202 | | [enable\_argo\_workflows](#input\_enable\_argo\_workflows) | Enable Argo workflows add-on | `bool` | `false` | no | 203 | | [enable\_argocd](#input\_enable\_argocd) | Enable Argo CD Kubernetes add-on | `bool` | `false` | no | 204 | | [enable\_aws\_cloudwatch\_metrics](#input\_enable\_aws\_cloudwatch\_metrics) | Enable AWS Cloudwatch Metrics add-on for Container Insights | `bool` | `false` | no | 205 | | [enable\_aws\_efs\_csi\_driver](#input\_enable\_aws\_efs\_csi\_driver) | Enable AWS EFS CSI Driver add-on | `bool` | `false` | no | 206 | | [enable\_aws\_for\_fluentbit](#input\_enable\_aws\_for\_fluentbit) | Enable AWS for FluentBit add-on | `bool` | `false` | no | 207 | | [enable\_aws\_fsx\_csi\_driver](#input\_enable\_aws\_fsx\_csi\_driver) | Enable AWS FSX CSI Driver add-on | `bool` | `false` | no | 208 | | [enable\_aws\_gateway\_api\_controller](#input\_enable\_aws\_gateway\_api\_controller) | Enable AWS Gateway API Controller add-on | `bool` | `false` | no | 209 | | [enable\_aws\_load\_balancer\_controller](#input\_enable\_aws\_load\_balancer\_controller) | Enable AWS Load Balancer Controller add-on | `bool` | `false` | no | 210 | | [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | 211 | | [enable\_aws\_privateca\_issuer](#input\_enable\_aws\_privateca\_issuer) | Enable AWS PCA Issuer | `bool` | `false` | no | 212 | | 
[enable\_bottlerocket\_update\_operator](#input\_enable\_bottlerocket\_update\_operator) | Enable Bottlerocket Update Operator add-on | `bool` | `false` | no | 213 | | [enable\_cert\_manager](#input\_enable\_cert\_manager) | Enable cert-manager add-on | `bool` | `false` | no | 214 | | [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | 215 | | [enable\_cluster\_proportional\_autoscaler](#input\_enable\_cluster\_proportional\_autoscaler) | Enable Cluster Proportional Autoscaler | `bool` | `false` | no | 216 | | [enable\_eks\_fargate](#input\_enable\_eks\_fargate) | Identifies whether or not respective addons should be modified to support deployment on EKS Fargate | `bool` | `false` | no | 217 | | [enable\_external\_dns](#input\_enable\_external\_dns) | Enable external-dns operator add-on | `bool` | `false` | no | 218 | | [enable\_external\_secrets](#input\_enable\_external\_secrets) | Enable External Secrets operator add-on | `bool` | `false` | no | 219 | | [enable\_fargate\_fluentbit](#input\_enable\_fargate\_fluentbit) | Enable Fargate FluentBit add-on | `bool` | `false` | no | 220 | | [enable\_gatekeeper](#input\_enable\_gatekeeper) | Enable Gatekeeper add-on | `bool` | `false` | no | 221 | | [enable\_ingress\_nginx](#input\_enable\_ingress\_nginx) | Enable Ingress Nginx | `bool` | `false` | no | 222 | | [enable\_karpenter](#input\_enable\_karpenter) | Enable Karpenter controller add-on | `bool` | `false` | no | 223 | | [enable\_kube\_prometheus\_stack](#input\_enable\_kube\_prometheus\_stack) | Enable Kube Prometheus Stack | `bool` | `false` | no | 224 | | [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no | 225 | | [enable\_secrets\_store\_csi\_driver](#input\_enable\_secrets\_store\_csi\_driver) | Enable CSI Secrets Store Provider | `bool` | `false` | no | 226 | | 
[enable\_secrets\_store\_csi\_driver\_provider\_aws](#input\_enable\_secrets\_store\_csi\_driver\_provider\_aws) | Enable AWS CSI Secrets Store Provider | `bool` | `false` | no | 227 | | [enable\_velero](#input\_enable\_velero) | Enable Kubernetes Dashboard add-on | `bool` | `false` | no | 228 | | [enable\_vpa](#input\_enable\_vpa) | Enable Vertical Pod Autoscaler add-on | `bool` | `false` | no | 229 | | [external\_dns](#input\_external\_dns) | external-dns add-on configuration values | `any` | `{}` | no | 230 | | [external\_dns\_route53\_zone\_arns](#input\_external\_dns\_route53\_zone\_arns) | List of Route53 zones ARNs which external-dns will have access to create/manage records (if using Route53) | `list(string)` | `[]` | no | 231 | | [external\_secrets](#input\_external\_secrets) | External Secrets add-on configuration values | `any` | `{}` | no | 232 | | [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:kms:*:*:key/*"
]
| no | 233 | | [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:secretsmanager:*:*:secret:*"
]
| no | 234 | | [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/*"
]
| no | 235 | | [fargate\_fluentbit](#input\_fargate\_fluentbit) | Fargate fluentbit add-on config | `any` | `{}` | no | 236 | | [fargate\_fluentbit\_cw\_log\_group](#input\_fargate\_fluentbit\_cw\_log\_group) | AWS Fargate Fluentbit CloudWatch Log Group configurations | `any` | `{}` | no | 237 | | [gatekeeper](#input\_gatekeeper) | Gatekeeper add-on configuration | `any` | `{}` | no | 238 | | [helm\_releases](#input\_helm\_releases) | A map of Helm releases to create. This provides the ability to pass in an arbitrary map of Helm chart definitions to create | `any` | `{}` | no | 239 | | [ingress\_nginx](#input\_ingress\_nginx) | Ingress Nginx add-on configurations | `any` | `{}` | no | 240 | | [karpenter](#input\_karpenter) | Karpenter add-on configuration values | `any` | `{}` | no | 241 | | [karpenter\_enable\_instance\_profile\_creation](#input\_karpenter\_enable\_instance\_profile\_creation) | Determines whether Karpenter will be allowed to create the IAM instance profile (v1beta1) or if Terraform will (v1alpha1) | `bool` | `true` | no | 242 | | [karpenter\_enable\_spot\_termination](#input\_karpenter\_enable\_spot\_termination) | Determines whether to enable native node termination handling | `bool` | `true` | no | 243 | | [karpenter\_node](#input\_karpenter\_node) | Karpenter IAM role and IAM instance profile configuration values | `any` | `{}` | no | 244 | | [karpenter\_sqs](#input\_karpenter\_sqs) | Karpenter SQS queue for native node termination handling configuration values | `any` | `{}` | no | 245 | | [kube\_prometheus\_stack](#input\_kube\_prometheus\_stack) | Kube Prometheus Stack add-on configurations | `any` | `{}` | no | 246 | | [metrics\_server](#input\_metrics\_server) | Metrics Server add-on configurations | `any` | `{}` | no | 247 | | [observability\_tag](#input\_observability\_tag) | Tag to identify EKS Blueprints usage within observability tools | `string` | `"qs-1ubotj5kl"` | no | 248 | | [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | 
The ARN of the cluster OIDC Provider | `string` | n/a | yes | 249 | | [secrets\_store\_csi\_driver](#input\_secrets\_store\_csi\_driver) | CSI Secrets Store Provider add-on configurations | `any` | `{}` | no | 250 | | [secrets\_store\_csi\_driver\_provider\_aws](#input\_secrets\_store\_csi\_driver\_provider\_aws) | CSI Secrets Store Provider add-on configurations | `any` | `{}` | no | 251 | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | 252 | | [velero](#input\_velero) | Velero add-on configuration values | `any` | `{}` | no | 253 | | [vpa](#input\_vpa) | Vertical Pod Autoscaler add-on configuration values | `any` | `{}` | no | 254 | 255 | ## Outputs 256 | 257 | | Name | Description | 258 | |------|-------------| 259 | | [argo\_events](#output\_argo\_events) | Map of attributes of the Helm release created | 260 | | [argo\_rollouts](#output\_argo\_rollouts) | Map of attributes of the Helm release created | 261 | | [argo\_workflows](#output\_argo\_workflows) | Map of attributes of the Helm release created | 262 | | [argocd](#output\_argocd) | Map of attributes of the Helm release created | 263 | | [aws\_cloudwatch\_metrics](#output\_aws\_cloudwatch\_metrics) | Map of attributes of the Helm release and IRSA created | 264 | | [aws\_efs\_csi\_driver](#output\_aws\_efs\_csi\_driver) | Map of attributes of the Helm release and IRSA created | 265 | | [aws\_for\_fluentbit](#output\_aws\_for\_fluentbit) | Map of attributes of the Helm release and IRSA created | 266 | | [aws\_fsx\_csi\_driver](#output\_aws\_fsx\_csi\_driver) | Map of attributes of the Helm release and IRSA created | 267 | | [aws\_gateway\_api\_controller](#output\_aws\_gateway\_api\_controller) | Map of attributes of the Helm release and IRSA created | 268 | | [aws\_load\_balancer\_controller](#output\_aws\_load\_balancer\_controller) | Map of attributes of the Helm release and IRSA created | 269 | | 
[aws\_node\_termination\_handler](#output\_aws\_node\_termination\_handler) | Map of attributes of the Helm release and IRSA created | 270 | | [aws\_privateca\_issuer](#output\_aws\_privateca\_issuer) | Map of attributes of the Helm release and IRSA created | 271 | | [bottlerocket\_update\_operator](#output\_bottlerocket\_update\_operator) | Map of attributes of the Helm release and IRSA created | 272 | | [cert\_manager](#output\_cert\_manager) | Map of attributes of the Helm release and IRSA created | 273 | | [cluster\_autoscaler](#output\_cluster\_autoscaler) | Map of attributes of the Helm release and IRSA created | 274 | | [cluster\_proportional\_autoscaler](#output\_cluster\_proportional\_autoscaler) | Map of attributes of the Helm release and IRSA created | 275 | | [eks\_addons](#output\_eks\_addons) | Map of attributes for each EKS addons enabled | 276 | | [external\_dns](#output\_external\_dns) | Map of attributes of the Helm release and IRSA created | 277 | | [external\_secrets](#output\_external\_secrets) | Map of attributes of the Helm release and IRSA created | 278 | | [fargate\_fluentbit](#output\_fargate\_fluentbit) | Map of attributes of the configmap and IAM policy created | 279 | | [gatekeeper](#output\_gatekeeper) | Map of attributes of the Helm release and IRSA created | 280 | | [gitops\_metadata](#output\_gitops\_metadata) | GitOps Bridge metadata | 281 | | [helm\_releases](#output\_helm\_releases) | Map of attributes of the Helm release created | 282 | | [ingress\_nginx](#output\_ingress\_nginx) | Map of attributes of the Helm release and IRSA created | 283 | | [karpenter](#output\_karpenter) | Map of attributes of the Helm release and IRSA created | 284 | | [kube\_prometheus\_stack](#output\_kube\_prometheus\_stack) | Map of attributes of the Helm release and IRSA created | 285 | | [metrics\_server](#output\_metrics\_server) | Map of attributes of the Helm release and IRSA created | 286 | | 
[secrets\_store\_csi\_driver](#output\_secrets\_store\_csi\_driver) | Map of attributes of the Helm release and IRSA created | 287 | | [secrets\_store\_csi\_driver\_provider\_aws](#output\_secrets\_store\_csi\_driver\_provider\_aws) | Map of attributes of the Helm release and IRSA created | 288 | | [velero](#output\_velero) | Map of attributes of the Helm release and IRSA created | 289 | | [vpa](#output\_vpa) | Map of attributes of the Helm release and IRSA created | 290 | 291 | -------------------------------------------------------------------------------- /docs/.pages: -------------------------------------------------------------------------------- 1 | nav: 2 | - Overview: index.md 3 | - Architectures: architectures.md 4 | - Amazon EKS Addons: amazon-eks-addons.md 5 | - AWS Partner Addons: aws-partner-addons.md 6 | - Helm Releases: helm-release.md 7 | - Addons: addons 8 | -------------------------------------------------------------------------------- /docs/addons/argo-events.md: -------------------------------------------------------------------------------- 1 | # Argo Events 2 | 3 | [Argo Events](https://argoproj.github.io/argo-events/) is an open source container-native event-driven workflow automation framework for Kubernetes which helps you trigger K8s objects, Argo Workflows, Serverless workloads, etc. on events from a variety of sources. Argo Events is implemented as a Kubernetes CRD (Custom Resource Definition). 4 | 5 | ## Usage 6 | 7 | Argo Events can be deployed by enabling the add-on via the following. 8 | 9 | ```hcl 10 | enable_argo_events = true 11 | ``` 12 | 13 | You can optionally customize the Helm chart that deploys Argo Events via the following configuration. 
14 | 15 | ```hcl 16 | enable_argo_events = true 17 | 18 | argo_events = { 19 | name = "argo-events" 20 | chart_version = "2.4.0" 21 | repository = "https://argoproj.github.io/argo-helm" 22 | namespace = "argo-events" 23 | values = [templatefile("${path.module}/values.yaml", {})] 24 | } 25 | 26 | ``` 27 | 28 | Verify argo-events pods are running. 29 | 30 | ```sh 31 | $ kubectl get pods -n argo-events 32 | NAME READY STATUS RESTARTS AGE 33 | argo-events-controller-manager-bfb894cdb-k8hzn 1/1 Running 0 11m 34 | ``` 35 | -------------------------------------------------------------------------------- /docs/addons/argo-rollouts.md: -------------------------------------------------------------------------------- 1 | # Argo Rollouts 2 | 3 | [Argo Rollouts](https://argo-rollouts.readthedocs.io/en/stable/) is a Kubernetes controller and set of CRDs which provide advanced deployment capabilities such as blue-green, canary, canary analysis, experimentation, and progressive delivery features to Kubernetes. 4 | 5 | ## Usage 6 | 7 | Argo Rollouts can be deployed by enabling the add-on via the following. 8 | 9 | ```hcl 10 | enable_argo_rollouts = true 11 | ``` 12 | 13 | You can optionally customize the Helm chart that deploys Argo Rollouts via the following configuration. 14 | 15 | ```hcl 16 | enable_argo_rollouts = true 17 | 18 | argo_rollouts = { 19 | name = "argo-rollouts" 20 | chart_version = "2.22.3" 21 | repository = "https://argoproj.github.io/argo-helm" 22 | namespace = "argo-rollouts" 23 | values = [templatefile("${path.module}/values.yaml", {})] 24 | } 25 | 26 | ``` 27 | 28 | Verify argo-rollouts pods are running. 
29 | 30 | ```sh 31 | $ kubectl get pods -n argo-rollouts 32 | NAME READY STATUS RESTARTS AGE 33 | argo-rollouts-5db5688849-x89zb 0/1 Running 0 11s 34 | ``` 35 | -------------------------------------------------------------------------------- /docs/addons/argo-workflows.md: -------------------------------------------------------------------------------- 1 | # Argo Workflows 2 | 3 | [Argo Workflows](https://argoproj.github.io/argo-workflows/) is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows is implemented as a Kubernetes CRD (Custom Resource Definition). 4 | 5 | ## Usage 6 | 7 | Argo Workflows can be deployed by enabling the add-on via the following. 8 | 9 | ```hcl 10 | enable_argo_workflows = true 11 | ``` 12 | 13 | You can optionally customize the Helm chart that deploys Argo Workflows via the following configuration. 14 | 15 | ```hcl 16 | enable_argo_workflows = true 17 | 18 | argo_workflows = { 19 | name = "argo-workflows" 20 | chart_version = "0.28.2" 21 | repository = "https://argoproj.github.io/argo-helm" 22 | namespace = "argo-workflows" 23 | values = [templatefile("${path.module}/values.yaml", {})] 24 | } 25 | 26 | ``` 27 | 28 | Verify argo-workflows pods are running. 29 | 30 | ```sh 31 | $ kubectl get pods -n argo-workflows 32 | NAME READY STATUS RESTARTS AGE 33 | argo-workflows-server-68988cd864-22zhr 1/1 Running 0 6m32s 34 | argo-workflows-workflow-controller-7ff7b5658d-9q44f 1/1 Running 0 6m32s 35 | ``` 36 | -------------------------------------------------------------------------------- /docs/addons/argocd.md: -------------------------------------------------------------------------------- 1 | # Argo CD 2 | 3 | [Argo CD](https://argo-cd.readthedocs.io/en/stable/) is a declarative, GitOps continuous delivery tool for Kubernetes. 4 | 5 | ## Usage 6 | 7 | Argo CD can be deployed by enabling the add-on via the following. 
```hcl
enable_argocd = true
```

You can optionally customize the Helm chart that deploys Argo CD via the following configuration.

```hcl
enable_argocd = true

argocd = {
  name          = "argocd"
  chart_version = "5.29.1"
  repository    = "https://argoproj.github.io/argo-helm"
  namespace     = "argocd"
  values        = [templatefile("${path.module}/values.yaml", {})]
}
```

Verify argocd pods are running.

```sh
$ kubectl get pods -n argocd
NAME                                                        READY   STATUS    RESTARTS   AGE
argo-cd-argocd-application-controller-0                     1/1     Running   0          146m
argo-cd-argocd-applicationset-controller-678d85f77b-rmpcb   1/1     Running   0          146m
argo-cd-argocd-dex-server-7b6c9b5969-zpqnl                  1/1     Running   0          146m
argo-cd-argocd-notifications-controller-6d489b99c9-j6fdw    1/1     Running   0          146m
argo-cd-argocd-redis-59dd95f5b5-8fx74                       1/1     Running   0          146m
argo-cd-argocd-repo-server-7b9bd88c95-mh2fz                 1/1     Running   0          146m
argo-cd-argocd-server-6f9cfdd4d5-8mfpc                      1/1     Running   0          146m
```
--------------------------------------------------------------------------------
/docs/addons/aws-cloudwatch-metrics.md:
--------------------------------------------------------------------------------
# AWS CloudWatch Metrics

Use [AWS CloudWatch Container Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-metrics-EKS.html) to collect, aggregate, and summarize metrics and logs from your containerized applications and microservices. CloudWatch automatically collects metrics for many resources, such as CPU, memory, disk, and network. Container Insights also provides diagnostic information, such as container restart failures, to help you isolate issues and resolve them quickly. You can also set CloudWatch alarms on metrics that Container Insights collects.

Container Insights collects data as performance log events using embedded metric format.
These performance log events are entries that use a structured JSON schema that enables high-cardinality data to be ingested and stored at scale. From this data, CloudWatch creates aggregated metrics at the cluster, node, pod, task, and service level as CloudWatch metrics. The metrics that Container Insights collects are available in CloudWatch automatic dashboards, and are also viewable in the Metrics section of the CloudWatch console.

## Usage

AWS CloudWatch Metrics can be deployed by enabling the add-on via the following.

```hcl
enable_aws_cloudwatch_metrics = true
```

You can also customize the Helm chart that deploys `aws-cloudwatch-metrics` via the following configuration:

```hcl
enable_aws_cloudwatch_metrics = true

aws_cloudwatch_metrics_irsa_policies = ["IAM Policies"]
aws_cloudwatch_metrics = {
  role_policies = ["IAM Policies"] # extra policies in addition to CloudWatchAgentServerPolicy
  name          = "aws-cloudwatch-metrics"
  repository    = "https://aws.github.io/eks-charts"
  chart_version = "0.0.9"
  namespace     = "amazon-cloudwatch"
  values        = [templatefile("${path.module}/values.yaml", {})] # The value `clusterName` is already set to the EKS cluster name, no need to specify it here
}
```

Verify aws-cloudwatch-metrics pods are running.

```sh
$ kubectl get pods -n amazon-cloudwatch

NAME                           READY   STATUS    RESTARTS   AGE
aws-cloudwatch-metrics-2dt5h   1/1     Running   0          149m
```
--------------------------------------------------------------------------------
/docs/addons/aws-efs-csi-driver.md:
--------------------------------------------------------------------------------
# AWS EFS CSI Driver

This add-on deploys the [AWS EFS CSI driver](https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html) into an EKS cluster.
## Usage

The AWS EFS CSI driver can be deployed by enabling the add-on via the following. Check out the full [example](https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/examples/stateful/main.tf) to deploy an EKS Cluster with EFS backing the dynamic provisioning of persistent volumes.

```hcl
enable_aws_efs_csi_driver = true
```

You can optionally customize the Helm chart that deploys the driver via the following configuration.

```hcl
enable_aws_efs_csi_driver = true

# Optional Helm chart and IAM role customization for the driver
aws_efs_csi_driver = {
  repository    = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
  chart_version = "2.4.1"
  role_policies = [""] # extra IAM policy ARNs to attach to the driver's role
}
```

Once deployed, you will be able to see a number of supporting resources in the `kube-system` namespace.

```sh
$ kubectl get deployment efs-csi-controller -n kube-system

NAME                 READY   UP-TO-DATE   AVAILABLE   AGE
efs-csi-controller   2/2     2            2           4m29s
```

```sh
$ kubectl get daemonset efs-csi-node -n kube-system

NAME           DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
efs-csi-node   3         3         3       3            3           beta.kubernetes.io/os=linux   4m32s
```

## Validate EFS CSI Driver

Follow the static provisioning example described [here](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/examples/kubernetes/static_provisioning/README.md) to validate the CSI driver is working as expected.
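A scripted version of the readiness check above, added here as an example and not code from this repository or from the EFS CSI driver project: it parses the padded tables that `kubectl get deployment`, `kubectl get daemonset` and `kubectl get pods` print and reports every object that is not fully rolled out, instead of relying on a visual read of the columns. The sample tables are constructed to mirror the output shown on this page, with one deliberately unhealthy pod added so the failure path is exercised; the pod names in that sample are made up. The same parser serves the "verify pods are running" step of every other add-on on this page, since they all read the same columns.

```python
import re
from typing import Dict, List

# Constructed sample output (not captured from a real cluster), shaped like the
# `kubectl get` tables in the EFS CSI driver validation steps.
SAMPLE_DEPLOYMENT = """\
NAME                 READY   UP-TO-DATE   AVAILABLE   AGE
efs-csi-controller   2/2     2            2           4m29s
"""

SAMPLE_DAEMONSET = """\
NAME           DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
efs-csi-node   3         3         3       3            3           beta.kubernetes.io/os=linux   4m32s
"""

# One healthy pod and one stuck pod (both names are made up), so the failure
# path of the check is visible. The RESTARTS cell deliberately contains a space,
# as kubectl prints it ("5 (30s ago)"), to show the parser keeps such cells whole.
SAMPLE_PODS = """\
NAME                                  READY   STATUS             RESTARTS      AGE
efs-csi-controller-6d9f7c8b5-abcde    3/3     Running            0             4m29s
efs-csi-controller-6d9f7c8b5-fghij    2/3     CrashLoopBackOff   5 (30s ago)   4m29s
"""


def parse_table(text: str) -> List[Dict[str, str]]:
    """Turn a kubectl table into a list of {column: value} dicts.

    kubectl separates columns with at least two spaces, so splitting on runs of
    two or more spaces keeps multi-word cells such as "NODE SELECTOR" or
    "5 (30s ago)" intact.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = re.split(r"\s{2,}", lines[0].strip())
    return [dict(zip(header, re.split(r"\s{2,}", ln.strip()))) for ln in lines[1:]]


def _ready_fraction(value: str):
    """Parse a READY cell like "2/3" into (ready, total)."""
    ready, total = value.split("/")
    return int(ready), int(total)


def deployment_ready(row: Dict[str, str]) -> bool:
    ready, total = _ready_fraction(row["READY"])
    return total > 0 and ready == total and int(row["AVAILABLE"]) == total


def daemonset_ready(row: Dict[str, str]) -> bool:
    desired = int(row["DESIRED"])
    return desired > 0 and all(int(row[c]) == desired for c in ("CURRENT", "READY", "AVAILABLE"))


def pod_ready(row: Dict[str, str]) -> bool:
    ready, total = _ready_fraction(row["READY"])
    return row["STATUS"] == "Running" and ready == total


def check_addon(deployments_out: str, daemonsets_out: str, pods_out: str) -> Dict[str, object]:
    """Return {"ok": bool, "problems": [...]} for the three kubectl outputs."""
    problems: List[str] = []
    for row in parse_table(deployments_out):
        if not deployment_ready(row):
            problems.append(f"deployment {row['NAME']}: {row['READY']} ready, {row['AVAILABLE']} available")
    for row in parse_table(daemonsets_out):
        if not daemonset_ready(row):
            problems.append(f"daemonset {row['NAME']}: {row['READY']}/{row['DESIRED']} ready")
    for row in parse_table(pods_out):
        if not pod_ready(row):
            problems.append(f"pod {row['NAME']}: {row['READY']} {row['STATUS']} (restarts: {row['RESTARTS']})")
    return {"ok": not problems, "problems": problems}


if __name__ == "__main__":
    # In practice feed this the captured stdout of the three kubectl commands.
    result = check_addon(SAMPLE_DEPLOYMENT, SAMPLE_DAEMONSET, SAMPLE_PODS)
    print("OK" if result["ok"] else "NOT READY")
    for problem in result["problems"]:
        print(" -", problem)
```

The check reads the same columns regardless of which add-on produced the table, so it can be dropped into a pipeline step after `terraform apply` to fail fast when a controller or node daemon set never became ready, rather than discovering it when the first PersistentVolumeClaim stays Pending.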
--------------------------------------------------------------------------------
/docs/addons/aws-for-fluentbit.md:
--------------------------------------------------------------------------------
# AWS for Fluent Bit

AWS provides a [Fluent Bit](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html) image with plugins for both CloudWatch Logs and Kinesis Data Firehose. We recommend using Fluent Bit as your log router because it has a lower resource utilization rate than Fluentd.

## Usage

AWS for Fluent Bit can be deployed by enabling the add-on via the following.

```hcl
enable_aws_for_fluentbit = true
```

You can optionally customize the Helm chart that deploys AWS for Fluent Bit via the following configuration.

```hcl
enable_aws_for_fluentbit = true
aws_for_fluentbit_cw_log_group = {
  create          = true
  use_name_prefix = true # Set this to true to enable name prefix
  name_prefix     = "eks-cluster-logs-"
  retention       = 7
}
aws_for_fluentbit = {
  name          = "aws-for-fluent-bit"
  chart_version = "0.1.28"
  repository    = "https://aws.github.io/eks-charts"
  namespace     = "kube-system"
  values        = [templatefile("${path.module}/values.yaml", {})]
}
```

If you want to enable [Container Insights on Amazon EKS](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-setup-EKS-quickstart.html) through Fluent Bit, you need to add the following parameter in your configuration:

```hcl
enable_aws_for_fluentbit = true
aws_for_fluentbit = {
  enable_containerinsights = true
}
```

By default, Container Insights does not enable the `kubelet` monitoring feature with the AWS for Fluent Bit integration, since this is an optional feature that is suggested to be enabled only on large clusters.
To enable the [Container Insights Use_Kubelet feature](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights-use-kubelet.html) you'll need to provide a few more parameters:

```hcl
enable_aws_for_fluentbit = true
aws_for_fluentbit = {
  enable_containerinsights = true
  kubelet_monitoring       = true
  set = [{
    name  = "cloudWatchLogs.autoCreateGroup"
    value = true
    },
    {
      name  = "hostNetwork"
      value = true
    },
    {
      name  = "dnsPolicy"
      value = "ClusterFirstWithHostNet"
    }
  ]
}
```

## Verify the Fluent Bit setup

Verify aws-for-fluentbit pods are running.

```sh
$ kubectl -n kube-system get pods -l app.kubernetes.io/name=aws-for-fluent-bit
NAME                       READY   STATUS    RESTARTS   AGE
aws-for-fluent-bit-6lhkj   1/1     Running   0          15m
aws-for-fluent-bit-sbn9b   1/1     Running   0          15m
aws-for-fluent-bit-svhwq   1/1     Running   0          15m
```

Open the [CloudWatch console](https://console.aws.amazon.com/cloudwatch/).

In the navigation pane, choose Log groups.

Make sure that you're in the Region where you deployed Fluent Bit.

Check the list of log groups in the Region. You should see the following:

```sh
/aws/eks/complete/aws-fluentbit-logs
```

If you enabled Container Insights, you should also see the following Log Groups in your CloudWatch Console.

```sh
/aws/containerinsights/Cluster_Name/application

/aws/containerinsights/Cluster_Name/host

/aws/containerinsights/Cluster_Name/dataplane
```

Navigate to one of these log groups and check the Last Event Time for the log streams. If it is recent relative to when you deployed Fluent Bit, the setup is verified.

There might be a slight delay in creating the /dataplane log group.
This is normal, as these log groups only get created when Fluent Bit starts sending logs for that log group.
--------------------------------------------------------------------------------
/docs/addons/aws-fsx-csi-driver.md:
--------------------------------------------------------------------------------
# AWS FSx CSI Driver

This add-on deploys the [Amazon FSx CSI Driver](https://docs.aws.amazon.com/eks/latest/userguide/fsx-csi.html) into an Amazon EKS Cluster.

## Usage

The Amazon FSx CSI Driver can be deployed by enabling the add-on via the following.

```hcl
enable_aws_fsx_csi_driver = true
```

### Helm Chart customization

You can optionally customize the Helm chart deployment using a configuration like the following.

```hcl
enable_aws_fsx_csi_driver = true
aws_fsx_csi_driver = {
  namespace     = "aws-fsx-csi-driver"
  chart_version = "1.6.0"
  role_policies = [] # extra IAM policy ARNs to attach to the driver's role, if any
}
```

You can find all available Helm Chart parameter values [here](https://github.com/kubernetes-sigs/aws-fsx-csi-driver/blob/master/charts/aws-fsx-csi-driver/values.yaml).

## Validation

Once deployed, you will be able to see a number of supporting resources in the `kube-system` namespace.
```sh
$ kubectl -n kube-system get deployment fsx-csi-controller

NAME                 READY   UP-TO-DATE   AVAILABLE   AGE
fsx-csi-controller   2/2     2            2           4m29s

$ kubectl -n kube-system get pods -l app=fsx-csi-controller
NAME                                  READY   STATUS    RESTARTS   AGE
fsx-csi-controller-56c6d9bbb8-89cpc   4/4     Running   0          3m30s
fsx-csi-controller-56c6d9bbb8-9wnlh   4/4     Running   0          3m30s
```

```sh
$ kubectl -n kube-system get daemonset fsx-csi-node
NAME           DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
fsx-csi-node   3         3         3       3            3           kubernetes.io/os=linux   5m27s

$ kubectl -n kube-system get pods -l app=fsx-csi-node
NAME                 READY   STATUS    RESTARTS   AGE
fsx-csi-node-7c5z6   3/3     Running   0          5m29s
fsx-csi-node-d5q28   3/3     Running   0          5m29s
fsx-csi-node-hlg8q   3/3     Running   0          5m29s
```

Create a StorageClass. Replace the SubnetID and the SecurityGroupID with your own values. More details [here](https://docs.aws.amazon.com/eks/latest/userguide/fsx-csi.html).
```sh
$ cat <<EOF | kubectl apply -f -
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: fsx-sc
provisioner: fsx.csi.aws.com
parameters:
  subnetId: <SubnetID>
  securityGroupIds: <SecurityGroupID>
  perUnitStorageThroughput: "200"
  deploymentType: PERSISTENT_1
mountOptions:
  - flock
EOF
```

```sh
$ kubectl describe storageclass fsx-sc
Name:            fsx-sc
IsDefaultClass:  No
Annotations:     kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"annotations":{},"name":"fsx-sc"},"mountOptions":null,"parameters":{"deploymentType":"PERSISTENT_1","perUnitStorageThroughput":"200","securityGroupIds":"sg-q1w2e3r4t5y6u7i8o","subnetId":"subnet-q1w2e3r4t5y6u7i8o"},"provisioner":"fsx.csi.aws.com"}

Provisioner:           fsx.csi.aws.com
Parameters:            deploymentType=PERSISTENT_1,perUnitStorageThroughput=200,securityGroupIds=sg-q1w2e3r4t5y6u7i8o,subnetId=subnet-q1w2e3r4t5y6u7i8o
AllowVolumeExpansion:
MountOptions:
ReclaimPolicy:         Delete
VolumeBindingMode:     Immediate
Events:
```

Create a PVC.

```sh
$ cat <
Annotations:
API Version:  gateway.networking.k8s.io/v1beta1
Kind:         GatewayClass
Metadata:
  Creation Timestamp:  2023-06-22T22:33:32Z
  Generation:          1
  Resource Version:    819021
  UID:                 aac59195-8f37-4c23-a2a5-b0f363deda77
Spec:
  Controller Name:  application-networking.k8s.aws/gateway-api-controller
Status:
  Conditions:
    Last Transition Time:  2023-06-22T22:33:32Z
    Message:               Accepted
    Observed Generation:   1
    Reason:                Accepted
    Status:                True
    Type:                  Accepted
Events:
```
--------------------------------------------------------------------------------
/docs/addons/aws-load-balancer-controller.md:
--------------------------------------------------------------------------------
# AWS Load Balancer Controller

[AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/) is a controller to help manage Elastic Load Balancers for a Kubernetes
cluster. This Add-on deploys this controller in an Amazon EKS Cluster.

## Usage

In order to deploy the AWS Load Balancer Controller Addon via [EKS Blueprints Addons](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons), reference the following parameters under the `module.eks_blueprints_addons`.

> **_NOTE_**: In versions 2.5 and newer, the AWS Load Balancer Controller becomes the default controller for Kubernetes service resources with the type: LoadBalancer and makes an AWS Network Load Balancer (NLB) for each service. It does this by making a mutating webhook for services, which sets the spec.loadBalancerClass field to service.k8s.aws/nlb for new services of type: LoadBalancer. You can turn off this feature and revert to using the legacy Cloud Provider as the default controller, by setting the helm chart value enableServiceMutatorWebhook to false. The cluster won't provision new Classic Load Balancers for your services unless you turn off this feature. Existing Classic Load Balancers will continue to work.
```hcl
module "eks_blueprints_addons" {

  enable_aws_load_balancer_controller = true
  aws_load_balancer_controller = {
    set = [
      {
        name  = "vpcId"
        value = module.vpc.vpc_id
      },
      {
        name  = "podDisruptionBudget.maxUnavailable"
        value = 1
      },
      {
        name  = "enableServiceMutatorWebhook"
        value = "false"
      }
    ]
  }
}
```

### Helm Chart customization

It's possible to customize your deployment using the Helm Chart parameters inside the `aws_load_balancer_controller` configuration block:

```hcl
aws_load_balancer_controller = {
  set = [
    {
      name  = "vpcId"
      value = module.vpc.vpc_id
    },
    {
      name  = "podDisruptionBudget.maxUnavailable"
      value = 1
    },
    {
      name  = "resources.requests.cpu"
      value = "100m"
    },
    {
      name  = "resources.requests.memory"
      value = "128Mi"
    },
  ]
}
```

You can find all available Helm Chart parameter values [here](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/helm/aws-load-balancer-controller/values.yaml).

## Validate

1. To validate the deployment, check if the `aws-load-balancer-controller` Pods were created in the `kube-system` Namespace, as in the following example.

```sh
kubectl -n kube-system get pods | grep aws-load-balancer-controller
NAMESPACE     NAME                                            READY   STATUS    RESTARTS   AGE
kube-system   aws-load-balancer-controller-6cbdb58654-fvskt   1/1     Running   0          26m
kube-system   aws-load-balancer-controller-6cbdb58654-sc7dk   1/1     Running   0          26m
```

2. Create a Kubernetes Ingress, using the `alb` IngressClass, pointing to an existing Service. In this example we'll use a Service called `example-svc`.
```sh
kubectl create ingress example-ingress --class alb --rule="/*=example-svc:80" \
  --annotation alb.ingress.kubernetes.io/scheme=internet-facing \
  --annotation alb.ingress.kubernetes.io/target-type=ip
```

```sh
kubectl get ingress
NAME              CLASS   HOSTS   ADDRESS                                                                  PORTS   AGE
example-ingress   alb     *       k8s-example-ingress-7e0d6f03e7-1234567890.us-west-2.elb.amazonaws.com   80      4m9s
```

## Resources

[GitHub Repo](https://github.com/kubernetes-sigs/aws-load-balancer-controller/)
[Helm Chart](https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller)
[AWS Docs](https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html)
--------------------------------------------------------------------------------
/docs/addons/aws-node-termination-handler.md:
--------------------------------------------------------------------------------
# AWS Node Termination Handler

This project ensures that the Kubernetes control plane responds appropriately to events that can cause your EC2 instance to become unavailable, such as [EC2 maintenance events](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instances-status-check_sched.html), [EC2 Spot interruptions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-interruptions.html), [ASG Scale-In](https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroupLifecycle.html#as-lifecycle-scale-in), ASG AZ Rebalance, and EC2 Instance Termination via the API or Console. If not handled, your application code may not stop gracefully, take longer to recover full availability, or accidentally schedule work to nodes that are going down.

## Usage

AWS Node Termination Handler can be deployed by enabling the add-on via the following.
```hcl
enable_aws_node_termination_handler = true
```

You can optionally customize the Helm chart that deploys AWS Node Termination Handler via the following configuration.

```hcl
enable_aws_node_termination_handler = true

aws_node_termination_handler = {
  name          = "aws-node-termination-handler"
  chart_version = "0.21.0"
  repository    = "https://aws.github.io/eks-charts"
  namespace     = "aws-node-termination-handler"
  values        = [templatefile("${path.module}/values.yaml", {})]
}
```

Verify aws-node-termination-handler pods are running.

```sh
$ kubectl get pods -n aws-node-termination-handler
NAME                                            READY   STATUS    RESTARTS      AGE
aws-node-termination-handler-6f598b6b89-6mqgk   1/1     Running   1 (22h ago)   26h
```

Verify SQS Queue is created.

```sh
$ aws sqs list-queues

{
    "QueueUrls": [
        "https://sqs.us-east-1.amazonaws.com/XXXXXXXXXXXXXX/aws_node_termination_handler20221123072051157700000004"
    ]
}
```

Verify Event Rules are created.
```sh
$ aws events list-rules
{
    "Rules": [
        {
            "Name": "NTH-ASGTerminiate-20230602191740664900000025",
            "Arn": "arn:aws:events:us-west-2:XXXXXXXXXXXXXX:rule/NTH-ASGTerminiate-20230602191740664900000025",
            "EventPattern": "{\"detail-type\":[\"EC2 Instance-terminate Lifecycle Action\"],\"source\":[\"aws.autoscaling\"]}",
            "State": "ENABLED",
            "Description": "Auto scaling instance terminate event",
            "EventBusName": "default"
        },
        {
            "Name": "NTH-HealthEvent-20230602191740079300000022",
            "Arn": "arn:aws:events:us-west-2:XXXXXXXXXXXXXX:rule/NTH-HealthEvent-20230602191740079300000022",
            "EventPattern": "{\"detail-type\":[\"AWS Health Event\"],\"source\":[\"aws.health\"]}",
            "State": "ENABLED",
            "Description": "AWS health event",
            "EventBusName": "default"
        },
        {
            "Name": "NTH-InstanceRebalance-20230602191740077100000021",
            "Arn": "arn:aws:events:us-west-2:XXXXXXXXXXXXXX:rule/NTH-InstanceRebalance-20230602191740077100000021",
            "EventPattern": "{\"detail-type\":[\"EC2 Instance Rebalance Recommendation\"],\"source\":[\"aws.ec2\"]}",
            "State": "ENABLED",
            "Description": "EC2 instance rebalance recommendation",
            "EventBusName": "default"
        },
        {
            "Name": "NTH-InstanceStateChange-20230602191740165000000024",
            "Arn": "arn:aws:events:us-west-2:XXXXXXXXXXXXXX:rule/NTH-InstanceStateChange-20230602191740165000000024",
            "EventPattern": "{\"detail-type\":[\"EC2 Instance State-change Notification\"],\"source\":[\"aws.ec2\"]}",
            "State": "ENABLED",
            "Description": "EC2 instance state-change notification",
            "EventBusName": "default"
        },
        {
            "Name": "NTH-SpotInterrupt-20230602191740077100000020",
            "Arn": "arn:aws:events:us-west-2:XXXXXXXXXXXXXX:rule/NTH-SpotInterrupt-20230602191740077100000020",
            "EventPattern": "{\"detail-type\":[\"EC2 Spot Instance Interruption Warning\"],\"source\":[\"aws.ec2\"]}",
            "State": "ENABLED",
"Description": "EC2 spot instance interruption warning", 92 | "EventBusName": "default" 93 | }, 94 | { 95 | "Name": "NTHASGTermRule", 96 | "Arn": "arn:aws:events:us-west-2:XXXXXXXXXXXXXX:rule/NTHASGTermRule", 97 | "EventPattern": "{\"detail-type\":[\"EC2 Instance-terminate Lifecycle Action\"],\"source\":[\"aws.autoscaling\"]}", 98 | "State": "ENABLED", 99 | "EventBusName": "default" 100 | }, 101 | { 102 | "Name": "NTHInstanceStateChangeRule", 103 | "Arn": "arn:aws:events:us-west-2:XXXXXXXXXXXXXX:rule/NTHInstanceStateChangeRule", 104 | "EventPattern": "{\"detail-type\":[\"EC2 Instance State-change Notification\"],\"source\":[\"aws.ec2\"]}", 105 | "State": "ENABLED", 106 | "EventBusName": "default" 107 | }, 108 | { 109 | "Name": "NTHRebalanceRule", 110 | "Arn": "arn:aws:events:us-west-2:XXXXXXXXXXXXXX:rule/NTHRebalanceRule", 111 | "EventPattern": "{\"detail-type\":[\"EC2 Instance Rebalance Recommendation\"],\"source\":[\"aws.ec2\"]}", 112 | "State": "ENABLED", 113 | "EventBusName": "default" 114 | }, 115 | { 116 | "Name": "NTHScheduledChangeRule", 117 | "Arn": "arn:aws:events:us-west-2:XXXXXXXXXXXXXX:rule/NTHScheduledChangeRule", 118 | "EventPattern": "{\"detail-type\":[\"AWS Health Event\"],\"source\":[\"aws.health\"]}", 119 | "State": "ENABLED", 120 | "EventBusName": "default" 121 | }, 122 | { 123 | "Name": "NTHSpotTermRule", 124 | "Arn": "arn:aws:events:us-west-2:XXXXXXXXXXXXXX:rule/NTHSpotTermRule", 125 | "EventPattern": "{\"detail-type\":[\"EC2 Spot Instance Interruption Warning\"],\"source\":[\"aws.ec2\"]}", 126 | "State": "ENABLED", 127 | "EventBusName": "default" 128 | } 129 | ] 130 | } 131 | ``` 132 | -------------------------------------------------------------------------------- /docs/addons/aws-private-ca-issuer.md: -------------------------------------------------------------------------------- 1 | # AWS Private CA Issuer 2 | 3 | [AWS Private CA](https://aws.amazon.com/private-ca/) is an AWS service that can setup and manage private CAs, as well as issue 
private certificates. This add-on deploys the AWS Private CA Issuer as an [external issuer](https://cert-manager.io/docs/configuration/external/) to **cert-manager** that signs off certificate requests using AWS Private CA in an Amazon EKS Cluster.

## Usage

### Pre-requisites

To deploy the AWS PCA issuer, you need to install cert-manager first; refer to this [documentation](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/docs/cert-manager.md) to do it through EKS Blueprints Addons.

### Deployment

With **cert-manager** deployed in place, you can deploy the AWS Private CA Issuer Add-on via [EKS Blueprints Addons](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons), referencing the following parameters under the `module.eks_blueprints_addons`.

```hcl
module "eks_blueprints_addons" {

  enable_cert_manager         = true
  enable_aws_privateca_issuer = true
  aws_privateca_issuer = {
    acmca_arn = aws_acmpca_certificate_authority.this.arn
  }
}
```

### Helm Chart customization

It's possible to customize your deployment using the Helm Chart parameters inside the `aws_privateca_issuer` configuration block:

```hcl
aws_privateca_issuer = {
  acmca_arn        = aws_acmpca_certificate_authority.this.arn
  namespace        = "aws-privateca-issuer"
  create_namespace = true
}
```

You can find all available Helm Chart parameter values [here](https://github.com/cert-manager/aws-privateca-issuer/blob/main/charts/aws-pca-issuer/values.yaml).

## Validation

1. List all the pods running in the `aws-privateca-issuer` and `cert-manager` Namespaces.

```sh
kubectl get pods -n aws-privateca-issuer
kubectl get pods -n cert-manager
```

2. Check the `certificate` status: it should be in the `Ready` state and point to a `secret` created in the same Namespace.
```sh
kubectl get certificate -o wide
NAME      READY   SECRET                  ISSUER                    STATUS                                          AGE
example   True    example-clusterissuer   tls-with-aws-pca-issuer   Certificate is up to date and has not expired   41m

kubectl get secret example-clusterissuer
NAME                    TYPE                DATA   AGE
example-clusterissuer   kubernetes.io/tls   3      43m
```

## Resources

[GitHub Repo](https://github.com/cert-manager/aws-privateca-issuer)
[Helm Chart](https://github.com/cert-manager/aws-privateca-issuer/tree/main/charts/aws-pca-issuer)
[AWS Docs](https://docs.aws.amazon.com/privateca/latest/userguide/PcaKubernetes.html)
--------------------------------------------------------------------------------
/docs/addons/bottlerocket.md:
--------------------------------------------------------------------------------
# Bottlerocket and Bottlerocket Update Operator

[Bottlerocket](https://aws.amazon.com/bottlerocket/) is a Linux-based open-source operating system that focuses on security and maintainability, providing a reliable, consistent, and safe platform for container-based workloads.

The [Bottlerocket Update Operator (BRUPOP)](https://github.com/bottlerocket-os/bottlerocket-update-operator/tree/develop) is a Kubernetes operator that coordinates Bottlerocket updates on hosts in a cluster. It relies on a controller deployment on one node to orchestrate updates across the cluster, an agent daemon set on every Bottlerocket node, which is responsible for periodically querying and performing updates rolled out in waves to reduce the impact of issues, and an API Server that performs additional authorization.

[Cert-manager](https://cert-manager.io/) is required for the API server to use a CA certificate when communicating over SSL with the agents.
- [Helm charts](https://github.com/bottlerocket-os/bottlerocket-update-operator/tree/develop/deploy/charts)

## Requirements

BRUPOP performs updates only on Nodes running Bottlerocket OS. Here are some code snippets showing how to set up Bottlerocket OS Nodes using Managed Node Groups with the [Terraform Amazon EKS module](https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest) and [Karpenter Node Classes](https://karpenter.sh/docs/concepts/nodeclasses/).

Notice the label `bottlerocket.aws/updater-interface-version=2.0.0` set in the `[settings.kubernetes.node-labels]` section. This label is required for the BRUPOP Agent to query and perform updates. Nodes that are not labeled will not be checked by the agent.

### Managed Node Groups

```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 19.21"
  ...
  eks_managed_node_groups = {
    bottlerocket = {
      platform       = "bottlerocket"
      ami_type       = "BOTTLEROCKET_x86_64"
      instance_types = ["m5.large", "m5a.large"]

      iam_role_attach_cni_policy = true

      min_size     = 1
      max_size     = 5
      desired_size = 3

      enable_bootstrap_user_data = true
      bootstrap_extra_args       = <<-EOT
        [settings.host-containers.admin]
        enabled = false
        [settings.host-containers.control]
        enabled = true
        [settings.kernel]
        lockdown = "integrity"
        [settings.kubernetes.node-labels]
        "bottlerocket.aws/updater-interface-version" = "2.0.0"
        [settings.kubernetes.node-taints]
        "CriticalAddonsOnly" = "true:NoSchedule"
      EOT
    }
  }
}
```

### Karpenter

```yaml
apiVersion: karpenter.k8s.aws/v1beta1
kind: EC2NodeClass
metadata:
  name: bottlerocket-example
spec:
  ...
  amiFamily: Bottlerocket
  userData: |
    [settings.kubernetes]
    "kube-api-qps" = 30
    "shutdown-grace-period" = "30s"
    "shutdown-grace-period-for-critical-pods" = "30s"
    [settings.kubernetes.eviction-hard]
    "memory.available" = "20%"
    [settings.kubernetes.node-labels]
    "bottlerocket.aws/updater-interface-version" = "2.0.0"
```

## Usage

[BRUPOP](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/) can be deployed with the default configuration by enabling the add-on via the following. Notice the parameter `wait = true` set for Cert-Manager; this is needed since BRUPOP requires that the Cert-Manager CRDs are already present in the cluster before it is deployed.

```hcl
module "eks_blueprints_addons" {
  source  = "aws-ia/eks-blueprints-addons/aws"
  version = "~> 1.13"

  cluster_name      = module.eks.cluster_name
  cluster_endpoint  = module.eks.cluster_endpoint
  cluster_version   = module.eks.cluster_version
  oidc_provider_arn = module.eks.oidc_provider_arn

  enable_cert_manager = true
  cert_manager = {
    wait = true
  }
  enable_bottlerocket_update_operator = true
}
```

You can also customize the Helm charts that deploy `bottlerocket_update_operator` and `bottlerocket_shadow` via the following configuration:

```hcl
enable_bottlerocket_update_operator = true

bottlerocket_update_operator = {
  name          = "brupop-operator"
  description   = "A Helm chart for BRUPOP"
  chart_version = "1.3.0"
  namespace     = "brupop"
  set = [{
    name  = "scheduler_cron_expression"
    value = "0 * * * * * *" # Seven-field cron syntax (seconds first); the default checks every minute.
                              # Example: "0 0 23 * * Sat *" performs update checks every Saturday at 23H / 11PM.
  }]
}

bottlerocket_shadow = {
  name          = "brupop-crds"
  description   = "A Helm chart for BRUPOP CRDs"
  chart_version = "1.0.0"
}
```

To see a complete working example, see the [`bottlerocket`](https://github.com/aws-ia/terraform-aws-eks-blueprints/tree/main/patterns/bottlerocket) Blueprints Pattern.

## Validate

1. Run the `update-kubeconfig` command:

```bash
aws eks --region <REGION> update-kubeconfig --name <CLUSTER_NAME>
```

2. Test by listing the BRUPOP resources provisioned:

```bash
$ kubectl -n brupop-bottlerocket-aws get all

NAME                                                READY   STATUS    RESTARTS      AGE
pod/brupop-agent-5nv6m                              1/1     Running   1 (33h ago)   33h
pod/brupop-agent-h4vw9                              1/1     Running   1 (33h ago)   33h
pod/brupop-agent-sr9ms                              1/1     Running   2 (33h ago)   33h
pod/brupop-apiserver-6ccb74f599-4c9lv               1/1     Running   0             33h
pod/brupop-apiserver-6ccb74f599-h6hg8               1/1     Running   0             33h
pod/brupop-apiserver-6ccb74f599-svw8n               1/1     Running   0             33h
pod/brupop-controller-deployment-58d46595cc-7vxnt   1/1     Running   0             33h

NAME                               TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/brupop-apiserver           ClusterIP   172.20.153.72   <none>        443/TCP   33h
service/brupop-controller-server   ClusterIP   172.20.7.127    <none>        80/TCP    33h

NAME                          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/brupop-agent   3         3         3       3            3           <none>          33h

NAME                                           READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/brupop-apiserver               3/3     3            3           33h
deployment.apps/brupop-controller-deployment   1/1     1            1           33h

NAME                                                      DESIRED   CURRENT   READY   AGE
replicaset.apps/brupop-apiserver-6ccb74f599               3         3         3       33h
replicaset.apps/brupop-controller-deployment-58d46595cc   1         1         1       33h

$ kubectl describe apiservices.apiregistration.k8s.io v2.brupop.bottlerocket.aws
Name:         v2.brupop.bottlerocket.aws
Namespace: 162 | Labels: kube-aggregator.kubernetes.io/automanaged=true 163 | Annotations: 164 | API Version: apiregistration.k8s.io/v1 165 | Kind: APIService 166 | Metadata: 167 | Creation Timestamp: 2024-01-30T16:27:15Z 168 | Resource Version: 8798 169 | UID: 034abe22-7e5f-4040-9b64-8ca9d55a4af6 170 | Spec: 171 | Group: brupop.bottlerocket.aws 172 | Group Priority Minimum: 1000 173 | Version: v2 174 | Version Priority: 100 175 | Status: 176 | Conditions: 177 | Last Transition Time: 2024-01-30T16:27:15Z 178 | Message: Local APIServices are always available 179 | Reason: Local 180 | Status: True 181 | Type: Available 182 | Events: 183 | ``` 184 | 185 | 3. If it was not set during deployment (for example through the `settings.kubernetes.node-labels` user data shown above), add the required label `bottlerocket.aws/updater-interface-version=2.0.0` as shown below to every Node whose updates you want BRUPOP to handle. Nodes without this label are ignored by BRUPOP. 186 | 187 | ```bash 188 | $ kubectl label node ip-10-0-34-87.us-west-2.compute.internal bottlerocket.aws/updater-interface-version=2.0.0 189 | node/ip-10-0-34-87.us-west-2.compute.internal labeled 190 | 191 | $ kubectl get nodes -L bottlerocket.aws/updater-interface-version 192 | NAME STATUS ROLES AGE VERSION UPDATER-INTERFACE-VERSION 193 | ip-10-0-34-87.us-west-2.compute.internal Ready 34h v1.28.1-eks-d91a302 2.0.0 194 | ``` 195 | 196 | 4. Because the default cron schedule for BRUPOP checks for updates every minute, within a few minutes you will see that the Node's version was updated automatically. BRUPOP cordons and drains each Node before rebooting it into the new version, so workloads are rescheduled rather than interrupted. 197 | 198 | ```bash 199 | kubectl get nodes 200 | NAME STATUS ROLES AGE VERSION 201 | ip-10-0-34-87.us-west-2.compute.internal Ready 34h v1.28.4-eks-d91a302 202 | ``` 203 | -------------------------------------------------------------------------------- /docs/addons/cert-manager.md: -------------------------------------------------------------------------------- 1 | # Cert-Manager 2 | 3 | [Cert-manager](https://cert-manager.io/) is an X.509 certificate controller for Kubernetes-like workloads. 
It obtains certificates from a variety of Issuers, both popular public Issuers and private Issuers, ensures the certificates are valid and up to date, and attempts to renew certificates at a configured time before expiry. This Add-on deploys the controller in an Amazon EKS Cluster. 4 | 5 | ## Usage 6 | 7 | To deploy the cert-manager Add-on via [EKS Blueprints Addons](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons), reference the following parameters under `module.eks_blueprints_addons`. 8 | 9 | ```hcl 10 | module "eks_blueprints_addons" { 11 | 12 | enable_cert_manager = true 13 | } 14 | ``` 15 | 16 | #### :warning: **Fargate kubelet port conflict** :warning: 17 | On Fargate the kubelet listens on port 10250, which is also the default `webhook.securePort` of cert-manager, so the webhook port must be changed or the webhook Pod will fail to bind. 18 | ```hcl 19 | # cert-manager default webhook port conflicts with the kubelet port on Fargate 20 | # so we change it to avoid the conflict. 21 | # SEE: https://github.com/cert-manager/cert-manager/issues/3237 22 | enable_cert_manager = true 23 | cert_manager = { 24 | set = [ 25 | { 26 | name = "webhook.securePort" 27 | value = 10260 28 | }, 29 | ] 30 | } 31 | ``` 32 | 33 | ### Helm Chart customization 34 | 35 | It's possible to customize your deployment using the Helm Chart parameters inside the `cert_manager` configuration block: 36 | 37 | ```hcl 38 | cert_manager = { 39 | chart_version = "v1.11.1" 40 | namespace = "cert-manager" 41 | create_namespace = true 42 | } 43 | ``` 44 | 45 | You can find all available Helm Chart parameter values [here](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml). 46 | 47 | ## Validation 48 | 49 | 1. Validate that the Cert-Manager Pods are Running. 
50 | 51 | ```sh 52 | kubectl -n cert-manager get pods 53 | NAME READY STATUS RESTARTS AGE 54 | cert-manager-5989bcc87-96qvf 1/1 Running 0 2m49s 55 | cert-manager-cainjector-9b44ddb68-8c7b9 1/1 Running 0 2m49s 56 | cert-manager-webhook-776b65456-k6br4 1/1 Running 0 2m49s 57 | ``` 58 | 59 | 2. Create a SelfSigned ClusterIssuer resource in the cluster. 60 | 61 | ```yaml 62 | apiVersion: cert-manager.io/v1 63 | kind: ClusterIssuer 64 | metadata: 65 | name: selfsigned-cluster-issuer 66 | spec: 67 | selfSigned: {} 68 | ``` 69 | 70 | ```sh 71 | kubectl get clusterissuers -o wide selfsigned-cluster-issuer 72 | NAME READY STATUS AGE 73 | selfsigned-cluster-issuer True 3m 74 | ``` 75 | 76 | 3. Create a Certificate in a given Namespace. 77 | 78 | ```yaml 79 | apiVersion: cert-manager.io/v1 80 | kind: Certificate 81 | metadata: 82 | name: example 83 | namespace: default 84 | spec: 85 | isCA: true 86 | commonName: example 87 | secretName: example-secret 88 | privateKey: 89 | algorithm: ECDSA 90 | size: 256 91 | issuerRef: 92 | name: selfsigned-cluster-issuer 93 | kind: ClusterIssuer 94 | group: cert-manager.io 95 | ``` 96 | 97 | 4. Check the `certificate` status: it should be `Ready` and point to a `secret` of type `kubernetes.io/tls` created in the same Namespace. 
98 | 99 | ```sh 100 | kubectl get certificate -o wide 101 | NAME READY SECRET ISSUER STATUS AGE 102 | example True example-secret selfsigned-cluster-issuer Certificate is up to date and has not expired 44s 103 | 104 | kubectl get secret example-secret 105 | NAME TYPE DATA AGE 106 | example-secret kubernetes.io/tls 3 70s 107 | ``` 108 | 109 | ## Resources 110 | 111 | [GitHub Repo](https://github.com/cert-manager/cert-manager) 112 | [Helm Chart](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/) 113 | -------------------------------------------------------------------------------- /docs/addons/cluster-autoscaler.md: -------------------------------------------------------------------------------- 1 | # Cluster Autoscaler 2 | 3 | The Kubernetes [Cluster Autoscaler](https://github.com/kubernetes/autoscaler) automatically adjusts the number of nodes in your cluster when pods fail or are rescheduled onto other nodes. The Cluster Autoscaler uses Auto Scaling groups. For more information, see [Cluster Autoscaler on AWS](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md). 4 | 5 | ## Usage 6 | 7 | Cluster Autoscaler can be deployed by enabling the add-on via the following. 8 | 9 | ```hcl 10 | enable_cluster_autoscaler = true 11 | ``` 12 | 13 | You can optionally customize the Helm chart that deploys Cluster Autoscaler via the following configuration. 14 | 15 | ```hcl 16 | enable_cluster_autoscaler = true 17 | 18 | cluster_autoscaler = { 19 | name = "cluster-autoscaler" 20 | chart_version = "9.29.0" 21 | repository = "https://kubernetes.github.io/autoscaler" 22 | namespace = "kube-system" 23 | values = [templatefile("${path.module}/values.yaml", {})] 24 | } 25 | 26 | ``` 27 | 28 | Verify cluster-autoscaler pods are running. 
29 | 30 | ```sh 31 | $ kubectl get pods -n kube-system 32 | NAME READY STATUS RESTARTS AGE 33 | cluster-autoscaler-aws-cluster-autoscaler-7ff79bc484-pm8g9 1/1 Running 1 (2d ago) 2d5h 34 | ``` 35 | -------------------------------------------------------------------------------- /docs/addons/cluster-proportional-autoscaler.md: -------------------------------------------------------------------------------- 1 | # Cluster Proportional Autoscaler 2 | 3 | The horizontal cluster-proportional-autoscaler watches the number of schedulable nodes and cores in the cluster and resizes the number of replicas of a target resource accordingly. This is useful for applications that need to scale with the size of the cluster, such as CoreDNS and other services whose load grows with the number of nodes and pods. 4 | 5 | The [cluster-proportional-autoscaler](https://github.com/kubernetes-sigs/cluster-proportional-autoscaler) scales applications managed by a Deployment, ReplicationController or ReplicaSet. It is an alternative to Horizontal Pod Autoscaling, which scales on observed pod metrics rather than on cluster size. 6 | It is typically installed as a **Deployment** in your cluster. 7 | 8 | Refer to the [eks-best-practices-guides](https://aws.github.io/aws-eks-best-practices/reliability/docs/dataplane/#configure-cluster-proportional-scaler-for-coredns) for additional configuration guidance. 9 | 10 | ## Usage 11 | 12 | This add-on requires both `enable_cluster_proportional_autoscaler` and `cluster_proportional_autoscaler` as mandatory fields. 13 | 14 | The example shows how to enable `cluster-proportional-autoscaler` for the `CoreDNS` Deployment. The CoreDNS Deployment has no HPA configured, so this add-on scales the CoreDNS Add-on according to the number of nodes and cores. 15 | 16 | This Add-on can be used to scale any application managed by a Deployment. 
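The scaling decision the `linear` mode makes, as an added example in Python. This is not code from this repository or from cluster-proportional-autoscaler (whose controller is written in Go); it re-implements the formula quoted in the configuration block below, `replicas = max(ceil(cores/coresPerReplica), ceil(nodes/nodesPerReplica))`, together with the `preventSinglePointFailure` rule and the `min`/`max` clamps, so the CoreDNS replica counts seen in the Testing section (2 replicas on a 4-node cluster, 3 once the fifth node joins) can be checked without a cluster. The 2 vCPUs-per-node figure is an assumption; the page does not state the instance size.

```python
"""Linear scaling arithmetic of cluster-proportional-autoscaler.

Added example, not code from this repository or from the autoscaler project:
a Python re-implementation of the `linear` mode so the replica counts in the
Testing section can be reproduced offline.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class LinearParams:
    """The `config.linear` keys from the chart values."""
    cores_per_replica: float
    nodes_per_replica: float
    min_replicas: int = 1
    max_replicas: int = 0  # 0 = no upper bound (upstream default); the page sets explicit caps
    prevent_single_point_failure: bool = True


def _from_dimension(resources: int, per_replica: float) -> int:
    """ceil(resources / per_replica); a zero divisor disables that dimension."""
    if per_replica <= 0:
        return 1
    return math.ceil(resources / per_replica)


def expected_replicas(schedulable_nodes: int, schedulable_cores: int, p: LinearParams) -> int:
    """replicas = max(ceil(cores/coresPerReplica), ceil(nodes/nodesPerReplica)), clamped.

    The node and core counts are the *schedulable* totals the autoscaler reads
    (with `includeUnschedulableNodes: true` cordoned nodes count as well).
    """
    from_cores = _from_dimension(schedulable_cores, p.cores_per_replica)
    from_nodes = _from_dimension(schedulable_nodes, p.nodes_per_replica)
    # preventSinglePointFailure: with more than one node, never settle on one replica.
    if p.prevent_single_point_failure and schedulable_nodes > 1 and from_nodes < 2:
        from_nodes = 2
    replicas = max(from_cores, from_nodes, p.min_replicas)
    if p.max_replicas > 0:
        replicas = min(replicas, p.max_replicas)
    return replicas


def replica_ladder(p: LinearParams, node_counts, cores_per_node: int) -> dict:
    """Map node count -> replica count, assuming a uniform vCPU count per node."""
    return {n: expected_replicas(n, n * cores_per_node, p) for n in node_counts}


# Values taken from this page: the config in the Usage block and the one the
# Testing section switches to so a scaling event is easy to trigger.
PRODUCTION = LinearParams(cores_per_replica=256, nodes_per_replica=16, min_replicas=1, max_replicas=100)
TESTING = LinearParams(cores_per_replica=4, nodes_per_replica=2, min_replicas=1, max_replicas=4)

# Constructed assumption: 2 vCPUs per node (the page never states the instance size).
CORES_PER_NODE = 2

if __name__ == "__main__":
    for label, params in (("production", PRODUCTION), ("testing", TESTING)):
        # Expected: production stays at 2 replicas from 2 nodes upward (the
        # preventSinglePointFailure floor); testing climbs 1,2,2,2,3,3,4,4.
        print(label, replica_ladder(params, range(1, 9), CORES_PER_NODE))
```

With the production values a 4-node cluster lands on 2 replicas only because of `preventSinglePointFailure`; both ceilings evaluate to 1. With the testing values the fifth node pushes `ceil(5/2)` and `ceil(10/4)` to 3, which is the third `coredns` pod the Testing section shows, and from 7 nodes on the `max: 4` cap takes over.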
17 | 18 | ```hcl 19 | enable_cluster_proportional_autoscaler = true 20 | cluster_proportional_autoscaler = { 21 | values = [ 22 | <<-EOT 23 | nameOverride: kube-dns-autoscaler 24 | 25 | # Formula for controlling the replicas. Adjust according to your needs 26 | # replicas = max( ceil( cores * 1/coresPerReplica ) , ceil( nodes * 1/nodesPerReplica ) ) 27 | config: 28 | linear: 29 | coresPerReplica: 256 30 | nodesPerReplica: 16 31 | min: 1 32 | max: 100 33 | preventSinglePointFailure: true 34 | includeUnschedulableNodes: true 35 | 36 | # Target to scale. In format: deployment/*, replicationcontroller/* or replicaset/* (not case sensitive). 37 | options: 38 | target: deployment/coredns # Notice the target as `deployment/coredns` 39 | 40 | serviceAccount: 41 | create: true 42 | name: kube-dns-autoscaler 43 | 44 | podSecurityContext: 45 | seccompProfile: 46 | type: RuntimeDefault 47 | supplementalGroups: [65534] 48 | fsGroup: 65534 49 | 50 | resources: 51 | limits: 52 | cpu: 100m 53 | memory: 128Mi 54 | requests: 55 | cpu: 100m 56 | memory: 128Mi 57 | 58 | tolerations: 59 | - key: "CriticalAddonsOnly" 60 | operator: "Exists" 61 | description: "Cluster Proportional Autoscaler for CoreDNS Service" 62 | EOT 63 | ] 64 | } 65 | ``` 66 | ### Expected result 67 | The `cluster-proportional-autoscaler` pod running in the `kube-system` namespace. 68 | ```bash 69 | kubectl -n kube-system get po -l app.kubernetes.io/instance=cluster-proportional-autoscaler 70 | NAME READY STATUS RESTARTS AGE 71 | cluster-proportional-autoscaler-kube-dns-autoscaler-d8dc8477xx7 1/1 Running 0 21h 72 | ``` 73 | The `cluster-proportional-autoscaler-kube-dns-autoscaler` config map exists. 
74 | ```bash 75 | kubectl -n kube-system get cm cluster-proportional-autoscaler-kube-dns-autoscaler 76 | NAME DATA AGE 77 | cluster-proportional-autoscaler-kube-dns-autoscaler 1 21h 78 | ``` 79 | 80 | ## Testing 81 | To test that `coredns` pods scale, first take a baseline of how many nodes the cluster has and how many `coredns` pods are running. 82 | ```bash 83 | kubectl get nodes 84 | NAME STATUS ROLES AGE VERSION 85 | ip-10-0-19-243.ec2.internal Ready 21h v1.26.4-eks-0a21954 86 | ip-10-0-25-182.ec2.internal Ready 21h v1.26.4-eks-0a21954 87 | ip-10-0-40-138.ec2.internal Ready 21h v1.26.4-eks-0a21954 88 | ip-10-0-8-136.ec2.internal Ready 21h v1.26.4-eks-0a21954 89 | 90 | kubectl get po -n kube-system -l k8s-app=kube-dns 91 | NAME READY STATUS RESTARTS AGE 92 | coredns-7975d6fb9b-dlkdd 1/1 Running 0 21h 93 | coredns-7975d6fb9b-xqqwp 1/1 Running 0 21h 94 | ``` 95 | 96 | Change the following parameters in the hcl code above so a scaling event can be easily triggered: 97 | ```hcl 98 | config: 99 | linear: 100 | coresPerReplica: 4 101 | nodesPerReplica: 2 102 | min: 1 103 | max: 4 104 | ``` 105 | and execute `terraform apply`. 106 | 107 | Increase the managed node group desired size, in this example from 4 to 5. This can be done via the AWS Console. 108 | 109 | Check that the new node came up and `coredns` scaled up. 
110 | ```bash 111 | NAME STATUS ROLES AGE VERSION 112 | ip-10-0-14-120.ec2.internal Ready 10m v1.26.4-eks-0a21954 113 | ip-10-0-19-243.ec2.internal Ready 21h v1.26.4-eks-0a21954 114 | ip-10-0-25-182.ec2.internal Ready 21h v1.26.4-eks-0a21954 115 | ip-10-0-40-138.ec2.internal Ready 21h v1.26.4-eks-0a21954 116 | ip-10-0-8-136.ec2.internal Ready 21h v1.26.4-eks-0a21954 117 | 118 | kubectl get po -n kube-system -l k8s-app=kube-dns 119 | NAME READY STATUS RESTARTS AGE 120 | coredns-7975d6fb9b-dlkdd 1/1 Running 0 21h 121 | coredns-7975d6fb9b-ww64t 1/1 Running 0 10m 122 | coredns-7975d6fb9b-xqqwp 1/1 Running 0 21h 123 | ``` 124 | -------------------------------------------------------------------------------- /docs/addons/external-dns.md: -------------------------------------------------------------------------------- 1 | # External DNS 2 | 3 | [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) makes Kubernetes resources discoverable via public DNS servers. Like KubeDNS, it retrieves a list of resources (Services, Ingresses, etc.) from the Kubernetes API to determine a desired list of DNS records. Unlike KubeDNS, however, it's not a DNS server itself, but merely configures other DNS providers accordingly—e.g. [AWS Route 53](https://aws.amazon.com/route53/). 4 | 5 | ## Usage 6 | 7 | External DNS can be deployed by enabling the add-on via the following. 8 | 9 | ```hcl 10 | enable_external_dns = true 11 | ``` 12 | 13 | You can optionally customize the Helm chart that deploys External DNS via the following configuration. 14 | 15 | ```hcl 16 | enable_external_dns = true 17 | 18 | external_dns = { 19 | name = "external-dns" 20 | chart_version = "1.12.2" 21 | repository = "https://kubernetes-sigs.github.io/external-dns/" 22 | namespace = "external-dns" 23 | values = [templatefile("${path.module}/values.yaml", {})] 24 | } 25 | external_dns_route53_zone_arns = ["XXXXXXXXXXXXXXXXXXXXXXX"] 26 | ``` 27 | 28 | Verify external-dns pods are running. 
29 | 30 | ```sh 31 | $ kubectl get pods -n external-dns 32 | NAME READY STATUS RESTARTS AGE 33 | external-dns-849b89c675-ffnf6 1/1 Running 1 (2d ago) 2d5h 34 | ``` 35 | 36 | To further configure external-dns, refer to the examples: 37 | 38 | * [AWS Load Balancer Controller](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws-load-balancer-controller.md) 39 | * [Route53](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md) 40 | * [Same domain for public and private Route53 zones](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/public-private-route53.md) 41 | * [Cloud Map](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws-sd.md) 42 | * [Kube Ingress AWS Controller](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/kube-ingress-aws.md) 43 | -------------------------------------------------------------------------------- /docs/addons/external-secrets.md: -------------------------------------------------------------------------------- 1 | # External Secrets 2 | 3 | [External Secrets Operator](https://github.com/external-secrets/external-secrets) is a Kubernetes operator that integrates external secret management systems such as AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, Azure Key Vault, IBM Cloud Secrets Manager, and many more. The operator reads secret values from the external API and injects them into a Kubernetes Secret, keeping it in sync with the external source. 4 | 5 | ## Usage 6 | 7 | External Secrets can be deployed by enabling the add-on via the following. 8 | 9 | ```hcl 10 | enable_external_secrets = true 11 | ``` 12 | 13 | You can optionally customize the Helm chart that deploys External Secrets via the following configuration. 
14 | 15 | ```hcl 16 | enable_external_secrets = true 17 | 18 | external_secrets = { 19 | name = "external-secrets" 20 | chart_version = "0.9.13" 21 | repository = "https://charts.external-secrets.io" 22 | namespace = "external-secrets" 23 | values = [templatefile("${path.module}/values.yaml", {})] 24 | } 25 | ``` 26 | 27 | Verify external-secrets pods are running. 28 | 29 | ```sh 30 | $ kubectl get pods -n external-secrets 31 | NAME READY STATUS RESTARTS AGE 32 | external-secrets-67bfd5b47c-xc5xf 1/1 Running 1 (2d1h ago) 2d6h 33 | external-secrets-cert-controller-8f75c6f79-qcfx4 1/1 Running 1 (2d1h ago) 2d6h 34 | external-secrets-webhook-78f6bd456-76wmm 1/1 Running 1 (2d1h ago) 2d6h 35 | ``` 36 | 37 | ## EKS Fargate 38 | 39 | By default, `external-secrets` creates a webhook pod that listens on port `10250` [[Reference](https://github.com/external-secrets/external-secrets/issues/1306#issuecomment-1171540600)]: 40 | 41 | > yes, by default we use port 10250 for the webhook pod because it's generally allowed throughout most default firewall implementations (GKE, EKS), but it conflicts with Fargate. Any port number should do the trick, as long as there is no sg rules or NACLs blocking it :). 42 | 43 | This module adds a value `enable_eks_fargate` which will change the webhook port from `10250` to `9443` which matches the [prior default value](https://github.com/external-secrets/external-secrets/issues/1078#issuecomment-1117077327) for `external-secrets` and is typically an acceptable port value within most clusters firewalls today. 44 | -------------------------------------------------------------------------------- /docs/addons/fargate-fluentbit.md: -------------------------------------------------------------------------------- 1 | # Fargate FluentBit 2 | 3 | Amazon EKS on Fargate offers a built-in log router based on Fluent Bit. This means that you don't explicitly run a Fluent Bit container as a sidecar, but Amazon runs it for you. 
All that you have to do is configure the log router. The configuration happens through a dedicated ConfigMap, that is deployed via this Add-on. 4 | 5 | ## Usage 6 | 7 | To configure the Fargate Fluentbit ConfigMap via the [EKS Blueprints Addons](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons), just reference the following parameters under the `module.eks_blueprints_addons`. 8 | 9 | ```hcl 10 | module "eks_blueprints_addons" { 11 | 12 | enable_fargate_fluentbit = true 13 | fargate_fluentbit = { 14 | flb_log_cw = true 15 | } 16 | } 17 | ``` 18 | 19 | It's possible to customize the CloudWatch Log Group parameters in the `fargate_fluentbit_cw_log_group` configuration block: 20 | 21 | ```hcl 22 | fargate_fluentbit_cw_log_group = { 23 | 24 | name = "existing-log-group" 25 | name_prefix = "dev-environment-logs" 26 | retention = 7 27 | kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" 28 | skip_destroy = true 29 | } 30 | ``` 31 | 32 | ## Validation 33 | 34 | 1. Check if the `aws-logging` configMap for Fargate Fluentbit was created. 35 | 36 | ```sh 37 | kubectl -n aws-observability get configmap aws-logging -o yaml 38 | apiVersion: v1 39 | data: 40 | filters.conf: | 41 | [FILTER] 42 | Name parser 43 | Match * 44 | Key_Name log 45 | Parser regex 46 | Preserve_Key True 47 | Reserve_Data True 48 | flb_log_cw: "true" 49 | output.conf: | 50 | [OUTPUT] 51 | Name cloudwatch_logs 52 | Match * 53 | region us-west-2 54 | log_group_name /fargate-serverless/fargate-fluentbit-logs20230509014113352200000006 55 | log_stream_prefix fargate-logs- 56 | auto_create_group true 57 | parsers.conf: | 58 | [PARSER] 59 | Name regex 60 | Format regex 61 | Regex ^(?