Merge branch 'main' into remove-default-ns-fargate

modules/essentials/README.md

@@ -294,7 +294,7 @@ module "eks_essentials" {
 | <a name="input_webhook_node_selector"></a> [webhook\_node\_selector](#input\_webhook\_node\_selector) | Node selector for webhook | `map(string)` | `{}` | no |
 | <a name="input_webhook_pod_annotations"></a> [webhook\_pod\_annotations](#input\_webhook\_pod\_annotations) | Extra annotations for webhook pods | `map(string)` | `{}` | no |
 | <a name="input_webhook_pod_labels"></a> [webhook\_pod\_labels](#input\_webhook\_pod\_labels) | Extra labels for webhook pods | `map(string)` | `{}` | no |
-| <a name="input_webhook_port"></a> [webhook\_port](#input\_webhook\_port) | Port used by webhook to listen for request from Kubernetes Master | `number` | `10250` | no |
+| <a name="input_webhook_port"></a> [webhook\_port](#input\_webhook\_port) | Port used by webhook to listen for request from Kubernetes Master | `number` | `10260` | no |
 | <a name="input_webhook_readiness_probe"></a> [webhook\_readiness\_probe](#input\_webhook\_readiness\_probe) | Readiness probe for webhook | `map(any)` | <pre>{<br>  "failureThreshold": 3,<br>  "initialDelaySeconds": 5,<br>  "periodSeconds": 5,<br>  "successThreshold": 1,<br>  "timeoutSeconds": 5<br>}</pre> | no |
 | <a name="input_webhook_replica_count"></a> [webhook\_replica\_count](#input\_webhook\_replica\_count) | Number of replicas for webhook | `number` | `1` | no |
 | <a name="input_webhook_resources"></a> [webhook\_resources](#input\_webhook\_resources) | Webhook pod resources | `map(any)` | <pre>{<br>  "limits": {<br>    "cpu": "100m",<br>    "memory": "300Mi"<br>  },<br>  "requests": {<br>    "cpu": "100m",<br>    "memory": "300Mi"<br>  }<br>}</pre> | no |

modules/essentials/fluent_bit.tf

@@ -25,6 +25,7 @@ locals {
 
 }
 
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key Not using CMK to save cost
 resource "aws_cloudwatch_log_group" "aws_for_fluent_bit" {
   #checkov:skip=CKV_AWS_158:Not using CMK to save cost
   #checkov:skip=CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"

modules/essentials/variables.tf

@@ -1014,7 +1014,7 @@ variable "webhook_service_account_annotations" {
 variable "webhook_port" {
   description = "Port used by webhook to listen for request from Kubernetes Master"
   type        = number
-  default     = 10250
+  default     = 10260
 }
 
 variable "webhook_host_network" {

modules/karpenter/karpenter.tf

@@ -147,6 +147,24 @@ resource "kubernetes_manifest" "karpenter_node_template" {
       subnetSelector        = each.value.karpenter_subnet_selector_map
       securityGroupSelector = each.value.karpenter_security_group_selector_map
       amiFamily             = each.value.karpenter_ami_family
+      blockDeviceMappings = [
+        {
+          deviceName = "/dev/xvda"
+          ebs = {
+            volumeSize = each.value.karpenter_root_volume_size
+            volumeType = "gp3"
+            encrypted  = true
+          }
+        },
+        {
+          deviceName = "/dev/xvdb"
+          ebs = {
+            volumeSize = each.value.karpenter_ephemeral_volume_size
+            volumeType = "gp3"
+            encrypted  = true
+          }
+        },
+      ]
 
       tags = each.value.karpenter_nodetemplate_tag_map
     }

modules/karpenter/variables.tf

@@ -64,6 +64,8 @@ variable "karpenter_nodetemplates" {
     karpenter_security_group_selector_map = map(string)
     karpenter_nodetemplate_tag_map        = map(string)
     karpenter_ami_family                  = string
+    karpenter_root_volume_size            = string
+    karpenter_ephemeral_volume_size       = string
   }))
   default = []
   ## sample below
@@ -73,6 +75,8 @@ variable "karpenter_nodetemplates" {
   #   karpenter_security_group_selector_map = {}
   #   karpenter_nodetemplate_tag_map        = {}
   #   karpenter_ami_family                  = "Bottlerocket"
+  #   karpenter_root_volume_size            = "5Gi"
+  #   karpenter_ephemeral_volume_size       = "50Gi"
   # }]
 }