feat: addons output variables and extra_helm_configs, fix: default value file and kiali-istio dependency

.github/workflows/readme.yml

@@ -4,7 +4,6 @@ on:
   push:
     branches:
       - master
-      - feat/addon_kubeclarity
 
 jobs:
   readme-create:

README.md

@@ -31,63 +31,150 @@
 
 ## Inputs
 
-| Name | Description | Default | Required |
-|------|-------------|---------|:--------:|
-|metrics_server| To install metrics-server helmchart on eks cluster | False | Yes |
-|metrics_server_helm_config | option to provide path to override-values.yaml | {values = "addons/metrics-server/config/metrics_server.yaml"} | No |
-|cluster_autoscaler| To install cluster-autoscaler helmchart on eks cluster | False | Yes |
-|cluster_autoscaler_helm_config | option to provide path to override-values.yaml | {values = "addons/cluster-autoscaler/config/cluster_autoscaler.yaml"} | No |
-|aws_load_balancer_controller| To install aws-load-balancer-controller helmchart on eks cluster | False | Yes |
-|aws_load_balancer_controller_helm_config | option to provide path to override-values.yaml | {values = "addons/aws-load-balancer-controller/config/aws_load_balancer_controller.yaml"} | No |
-|aws_node_termination_handler| To install aws-node-termination-handler helmchart on eks cluster | False | Yes |
-|aws_node_termination_handler_helm_config | option to provide path to override-values.yaml | {values = "addons/aws-node-termination-handler/config/aws_node_termination_handler.yaml"} | No |
-|aws_efs_csi_driver| To install aws-efs-csi-driver helmchart on eks cluster | False | Yes |
-|aws_efs_csi_driver_helm_config | option to provide path to override-values.yaml | {values = "addons/aws-efs-csi-driver/config/aws_efs_csi_driver.yaml"} | No |
-|aws_ebs_csi_driver| To install aws-ebs-csi-driver helmchart on eks cluster | False | Yes |
-|aws_ebs_csi_driver_helm_config | option to provide path to override-values.yaml | {values = "addons/aws-ebs-csi-driver/config/aws_ebs_csi_driver.yaml"} | No |
-|karpenter| To install karpenter helmchart on eks cluster | False | Yes |
-|karpenter_helm_config | option to provide path to override-values.yaml | {values = "addons/karpenter/config/karpenter.yaml"} | No |
-|calico_tigera| To install Calico helmchart on eks cluster | False | Yes |
-|calico_tigera_helm_config | option to provide path to override-values.yaml | {values = "addons/calico-tigera/config/calico-tigera-values.yaml"} | No |
-|istio_ingress| To install Istio-ingress helmchart on eks cluster | False | Yes |
-|istio_manifests| Kubernetes yaml manifests to create `ingress` and `gateway` with specified `host` | addons/istio-ingress/config/manifest/*.yaml | Yes |
-|istio_ingress_helm_config | option to provide path to override-values.yaml | {values = "addons/istio-ingress/config/override-values.yaml"} | No |
-|kiali_server| To install Kiali Dashboard helmchart on eks cluster | False | Yes |
-|kiali_manifests| Includes VirtualService manifest file path and flag to install prometheus, grafana & jaeger | kiali_manifests { <br/>kiali_virtualservice_file_path = addons/kiali-server/config/kiali_vs.yaml <br> enable_monitoring = true <br/>}| Yes |
-|kiali_server_helm_config | option to provide path to override-values.yaml | {values = "addons/kiali-server/config/kiali_server.yaml"} | No |
+**To install any of the below listed addon in your EKS Cluster -**
+
+| Name | Default | Required |
+|------|---------|----------|
+|metrics_server| False | No |
+|cluster_autoscaler|False | No ||
+|aws_load_balancer_controller|False | No |cluster | False | Yes |
+|aws_node_termination_handler|False | No |cluster | False | Yes |
+|aws_efs_csi_driver|False | No ||
+|aws_ebs_csi_driver|False | No ||
+|karpenter|False | No |
+|calico_tigera|False | No |
+|istio_ingress|False | No |
+|kiali_server|False | No |
+
+<br/>
+
+**To Provide path of kubectl mainfests -**
+
+| Name | Description| Default | Required |
+|------|------------|---------|----------|
+|istio_manifests| .yaml manifests to create `ingress` and `gateway` with specified `host` | An empty string is set as path for `ingress` and `gateway` | Yes |
+|kiali_manifests| Includes VirtualService manifest file path | An empty string is set as path for `kiali-virtualService.yaml` | Yes |
+|externalsecrets_manifests| To create ExternalSecret, SecretStore and SecretManger of your name. | An empty string is set as path for `ExternalSecret` and `SecretStore` yaml files. SecretManager Name: `addon-external_secrets` | Yes |
+
+</br>
+
+**To Provide path of override-values.yaml-**
+| Name |Default | Required |
+|------|--------|----------|
+|metrics_server_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L5-L37) | No |
+|cluster_autoscaler_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L46-L69) | No |
+|aws_load_balancer_controller_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L78-L100) | No |
+|aws_node_termination_handler_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L109-L132) | No |
+|aws_efs_csi_driver_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L141-L163) | No |
+|aws_ebs_csi_driver_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L172-L213) | No |
+|karpenter_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L222-L246) | No |
+|calico_tigera_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L294-L304) | No |
+|istio_ingress_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L252-L257) | No |
+|kiali_server_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L265-L285) | No |
+|external_secrets_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L312-L328) | No |
+|ingress_nginx_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L337-L380) | No |
+|kubeclarity_helm_config | [click here](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/override_values.tf#L389-L410) | No |
+
+</br>
+
+**To Override [attributes](https://github.com/clouddrove/terraform-aws-eks-addons/blob/master/addons/helm/main.tf#L4-L33) of helm_release resource -**
+| Name | Required |
+|------|----------|
+| metrics_server_extra_configs | No |
+| cluster_autoscaler_extra_configs | No |
+| karpenter_extra_configs | No |
+| aws_load_balancer_controller_extra_configs | No |
+| aws_node_termination_handler_extra_configs | No |
+| aws_efs_csi_driver_extra_configs | No |
+| aws_ebs_csi_driver_extra_configs | No |
+| calico_tigera_extra_configs | No |
+| istio_ingress_extra_configs | No |
+| kiali_server_extra_configs | No |
+| external_secrets_extra_configs | No |
+| ingress_nginx_extra_configs | No |
+| kubeclarity_extra_configs | No |
 
 
 ## Outputs
-
-No outputs.
+| Name | Description |
+|------|-------------|
+| metrics_server_namespace | namespace where metrics-server is deployed | 
+| metrics_server_chart_version | Chart version of metrics-server addon's helmchart | 
+| metrics_server_repository | Repository URL of metrics-server helmchart | 
+| cluster_autoscaler_service_account | ServiceAccount name created by IRSA module for cluster-autoscaler| 
+| cluster_autoscaler_iam_policy | IAM Policy used to create IRSA | 
+| cluster_autoscaler_namespace | namespace where cluster-autoscaler is deployed | 
+| cluster_autoscaler_chart_version | Chart version of cluster-autoscaler addon's helmchart | 
+| cluster_autoscaler_repository | Repository URL of cluster-autoscaler helmchart | 
+| aws_efs_csi_driver_service_account | ServiceAccount name created by IRSA module for aws-efs-csi-driver | 
+| aws_efs_csi_driver_iam_policy | IAM Policy used to create IRSA | 
+| aws_efs_csi_driver_namespace | namespace where aws-efs-csi-driver is deployed | 
+| aws_efs_csi_driver_chart_version | Chart version of aws-efs-csi-driver addon's helmchart | 
+| aws_efs_csi_driver_repository | Repository URL of aws-efs-csi-driver helmchart | 
+| aws_ebs_csi_driver_service_account | ServiceAccount name created by IRSA module for aws-ebs-csi-driver | 
+| aws_ebs_csi_driver_iam_policy | IAM Policy used to create IRSA | 
+| aws_ebs_csi_driver_namespace | namespace where aws-ebs-csi-driver is deployed | 
+| aws_ebs_csi_driver_chart_version | Chart version of aws-ebs-csi-driver addon's helmchart | 
+| aws_ebs_csi_driver_repository | Repository URL of aws-ebs-csi-driver helmchart | 
+| karpenter_service_account | ServiceAccount name created by IRSA module for karpenter | 
+| karpenter_iam_policy | IAM Policy used to create IRSA | 
+| karpenter_namespace | namespace where karpenter is deployed | 
+| karpenter_chart_version | Chart version of karpenter addon's helmchart | 
+| karpenter_repository | Repository URL of karpenter helmchart | 
+| istio_ingress_namespace | namespace where istio-ingress is deployed | 
+| istio_ingress_chart_version | Chart version of istio-ingress addon's helmchart | 
+| istio_ingress_repository | Repository URL of istio-ingress helmchart | 
+| kiali_server_namespace | namespace where kiali-dashboard is deployed | 
+| kiali_server_chart_version | Chart version of kiali-dashboard addon's helmchart | 
+| kiali_server_repository | Repository URL of kiali-dashboard helmchart | 
+| calico_tigera_namespace | namespace where calico is deployed | 
+| calico_tigera_chart_version | Chart version of calico addon's helmchart | 
+| calico_tigera_repository | Repository URL of calico helmchart | 
+| external_secrets_secret_manager_name | Name of AWS Secret Manager Created by external-secret addon |
+| external_secrets_service_account |ServiceAccount name created by IRSA module for external-secret | 
+| external_secrets_namespace | namespace where external-secret is deployed | 
+| external_secrets_chart_version | Chart version of external-secret addon's helmchart | 
+| external_secrets_repository | Repository URL of external-secret helmchart | 
+| ingress_nginx_namespace | namespace where ingress-nginx is deployed | 
+| ingress_nginx_chart_version | Chart version of ingress-nginx addon's helmchart | 
+| ingress_nginx_repository | Repository URL of ingress-nginx helmchart | 
+| kubeclarity_namespace | namespace where kubeclarity is deployed | 
+| kubeclarity_chart_version | Chart version of kubeclarity addon's helmchart | 
+| kubeclarity_repository | Repository URL of kubeclarity helmchart | 
 
 ## How to Use
 
 - A complete documentation to use `Calico` with AWS EKS is present [here](https://docs.aws.amazon.com/eks/latest/userguide/calico.html)
-- An example of usage is given [here](https://github.com/clouddrove/terraform-helm-eks-addons/blob/master/_examples/complete/main.tf#L190-L232) and below also.
 
 - Use below terraform module in your infrastructure's terraform script.
 
 ```bash
 module "addons" {
   source  = "clouddrove/eks-addons/aws"
-  version = "0.0.1"
+  version = "0.0.4"
 
-  depends_on       = [module.eks.cluster_id]
+  depends_on       = [module.eks.cluster_name]
   eks_cluster_name = module.eks.cluster_name
 
+  # -- Enable Addons
   metrics_server               = true
   cluster_autoscaler           = true
   aws_load_balancer_controller = true
   aws_node_termination_handler = true
   aws_efs_csi_driver           = true
   aws_ebs_csi_driver           = true
-
-  kiali_server    = true
-  kiali_manifests = var.kiali_manifests
-
-  istio_ingress   = true
-  istio_manifests = var.istio_manifests
+  karpenter                    = false
+  calico_tigera                = false
+  kubeclarity                  = true
+  ingress_nginx                = true
+
+  # -- Addons with mandatory variable
+  istio_ingress             = true
+  istio_manifests           = var.istio_manifests
+  kiali_server              = true
+  kiali_manifests           = var.kiali_manifests
+  external_secrets          = true
+  externalsecrets_manifests = var.externalsecrets_manifests
 }
 
 ```
@@ -98,7 +185,7 @@ module "addons" {
   - Our `istio-ingress` addon creates an Application Load Balancer on AWS by using `aws-load-balancer-controller`. 
   - aws-load-balancer-controller adds a `finalizer` field in `ingress` resource to prevent its manual deletion.
   - Another case is that, this ingress will be **non-deletable** if aws-load-balancer-controller gets deleted before deletion of ingress
-  - Terraform does not controlls order of destructure which is sometimes causing `aws-load-balancer-controller` helmchart uninstallation before istio-ingress deletion. 
+  - Terraform does not controlls order of destructure which is sometimes causing `aws-load-balancer-controller` helmchart | uninstallation before istio-ingress deletion. 
   - The same issue will come when an appliaction uses ingress of type ALB; In this case we need to delete `istio-ingress` & ALB of applications manually by following some extra steps as shown below.
     1. Set `istio_ingress` to `false` in your terraform addon module.
     2. Run `terraform apply`, this will delete all the resource created by istio-ingress addon including istio-load-balancer.
@@ -110,12 +197,15 @@ module "addons" {
 
 - ### Calico CNI
   Our `calico-tigera` addon creates `trigera-operator` and `calico-node` out of which `calico-node` is being created using a manifest (calico-deployment.yaml). This manifest create two serviceAccounts (`calico-cni-plugin` & `calico-node`) which needs to be delete manually as shown below -
-  1. Run `kubectl edit serviceAccount calico-cni-plugin -n calico-system` and delete `finalizer` block, then save and exit.
-  2. Run `kubectl edit serviceAccount calico-node -n calico-system` and delete `finalizer` block, then save and exit.
-  3. If both serviceAccount aren't deleted then run below command to delete them 
+  1. Run below patch command to remove `finalizer` field from both the serviceAccount. 
+  ```bash
+  kubectl patch serviceAccount calico-cni-plugin calico-node -n calico-system -p '{"metadata":{"finalizers":[]}}' --type=merge
+  ```
+  2. If both serviceAccount aren't deleted yet then run below command to delete them 
   ```bash
   kubectl delete serviceAccount calico-cni-plugin calico-node -n calico-system
   ```
+  3. Delete `calico-system` namespace also by running `kubectl delete namespace calico-system` command. Wait for some time until successful deletion of the namespace. 
 
 
 

_examples/basic/locals.tf

@@ -1,16 +1,18 @@
 
 locals {
 
-  name   = "tf-helm-addons"
-  region = "us-east-1"
+  name        = "tf-helm-addons"
+  environment = "test"
+  region      = "us-east-1"
 
   vpc_cidr = "10.0.0.0/16"
   azs      = slice(data.aws_availability_zones.available.names, 0, 3)
 
   tags = {
-    Example    = local.name
-    GithubRepo = "terraform-helm-eks-addons"
-    GithubOrg  = "clouddrove"
+    Name        = local.name
+    Environment = local.environment
+    GithubRepo  = "terraform-helm-eks-addons"
+    GithubOrg   = "clouddrove"
   }
   cluster_version = "1.26"
 }

_examples/basic/main.tf

@@ -193,6 +193,7 @@ module "addons" {
   depends_on       = [module.eks.cluster_name]
   eks_cluster_name = module.eks.cluster_name
 
+  # -- Enable Addons
   metrics_server               = true
   cluster_autoscaler           = true
   aws_load_balancer_controller = true
@@ -202,17 +203,13 @@ module "addons" {
   karpenter                    = false
   calico_tigera                = false
   kubeclarity                  = true
+  ingress_nginx                = true
 
-  ingress_nginx               = true
-  nginx_ingress_extra_configs = var.nginx_ingress_extra_configs
-
-
-  kiali_server    = true
-  kiali_manifests = var.kiali_manifests
-
+  # -- Addons with mandatory variable
+  istio_ingress             = true
+  istio_manifests           = var.istio_manifests
+  kiali_server              = true
+  kiali_manifests           = var.kiali_manifests
   external_secrets          = true
   externalsecrets_manifests = var.externalsecrets_manifests
-
-  istio_ingress   = true
-  istio_manifests = var.istio_manifests
 }

_examples/basic/variables.tf

@@ -9,18 +9,15 @@ variable "region" {
 }
 
 variable "cluster_endpoint_public_access" {
-  type    = bool
-  default = true
+  type        = bool
+  default     = true
+  description = "Indicates whether or not the Amazon EKS public API server endpoint is enabled"
 }
 
 variable "cluster_endpoint_private_access" {
-  type    = bool
-  default = true
-}
-
-variable "iam_role_use_name_prefix" {
-  type    = string
-  default = "terraform-helm-eks-addons"
+  type        = bool
+  default     = true
+  description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled"
 }
 
 variable "token" {
@@ -37,6 +34,7 @@ variable "istio_manifests" {
     istio_ingress_manifest_file_path = "./config/istio/ingress.yaml"
     istio_gateway_manifest_file_path = "./config/istio/gateway.yaml"
   }
+  description = "Path to yaml manifests to create Ingress and Gateway with specified host"
 }
 
 variable "kiali_manifests" {
@@ -46,9 +44,9 @@ variable "kiali_manifests" {
   default = {
     kiali_virtualservice_file_path = "./config/kiali/kiali_vs.yaml"
   }
+  description = "Path to VirtualService manifest for kiali-dashboard"
 }
 
-#--------------EXTERNAL SECRET---------------
 variable "externalsecrets_manifests" {
   type = object({
     secret_store_manifest_file_path     = string
@@ -60,10 +58,5 @@ variable "externalsecrets_manifests" {
     external_secrets_manifest_file_path = "./config/external-secret/external-secret.yaml"
     secret_manager_name                 = "external_secrets"
   }
-}
-
-#--------------INGRESS NGINX------------
-variable "nginx_ingress_extra_configs" {
-  type    = any
-  default = {}
+  description = "yaml manifest file path to create ExternalSecret, SecretStore and custome SecretManger name"
 }

_examples/complete/config/istio/gateway.yaml

@@ -1,8 +1,9 @@
+# -- Make sure to use same Namespace for Gateway, Ingress & var.istio_ingress_extra_configs["namespace"], default namespace is set to `istio-system`.
 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
   name: istio-gateway
-  namespace: istio-system
+  namespace: istio
 spec:
   selector:
     istio: ingressgateway

_examples/complete/config/istio/ingress.yaml

@@ -1,9 +1,9 @@
----
+# -- Make sure to use same Namespace for Ingress, Gateway & var.istio_ingress_extra_configs["namespace"], default namespace is set to `istio-system`.
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: istio-ingress
-  namespace: istio-system
+  namespace: istio
   annotations:
     kubernetes.io/ingress.class: alb
     alb.ingress.kubernetes.io/scheme: internet-facing

_examples/complete/config/istio/virtual-service.yaml

@@ -1,3 +1,7 @@
+# If application will be deployed using HelmChart(ChartName=myapp) then:
+# replace `appname`      by  `{{ include "myapp.fullname" . }}`  and
+# replace `istio-system` by  `{{ include "myapp.namespace" . }}`
+
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -12,7 +16,7 @@ metadata:
   namespace: istio-system
 spec:
   gateways:
-  - istio-system/istio-gateway
+  - istio/istio-gateway
   hosts:
   - test.clouddrove.com
   http:

_examples/complete/custom-iam-policies/cluster-autoscaler.json

@@ -0,0 +1,16 @@
+{
+    "Statement": [
+        {
+            "Action": [
+                "autoscaling:Describe*",
+                "eks:Describe*",
+                "autoscaling:SetDesiredCapacity",
+                "autoscaling:TerminateInstanceInAutoScalingGroup",
+                "elasticloadbalancing:DescribeLoadBalancers"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        }
+    ],
+    "Version": "2012-10-17"
+}