clouddrove · anmolnagpal · Oct 5, 2023 · Oct 4, 2023 · Oct 4, 2023 · Oct 4, 2023
@@ -166,12 +166,13 @@ module "addons" {
   aws_node_termination_handler = true
   aws_efs_csi_driver           = true
   aws_ebs_csi_driver           = true
-  karpenter                    = false
-  calico_tigera                = false
+  kube_state_metrics           = true
+  karpenter                    = false # -- Set to `false` or comment line to Uninstall Karpenter if installed using terraform.
+  calico_tigera                = true
+  new_relic                    = true
   kubeclarity                  = true
   ingress_nginx                = true
   fluent_bit                   = true
-  velero                       = true
   keda                         = true
   certification_manager        = true
 
@@ -181,7 +182,9 @@ module "addons" {
   kiali_server     = true
   kiali_manifests  = var.kiali_manifests
   external_secrets = true
+  velero           = true
+  velero_extra_configs = {
+    bucket_name = "velero-addons"
+  }
 
-  # -- Extra helm_release attributes
-  velero_extra_configs = var.velero_extra_configs
 }
@@ -22,14 +22,4 @@ variable "kiali_manifests" {
     kiali_virtualservice_file_path = "./config/kiali/kiali_vs.yaml"
   }
   description = "Path to VirtualService manifest for kiali-dashboard"
-}
-
-#------------ EXTRA CONFIGS -----------
-variable "velero_extra_configs" {
-  type = any
-  default = {
-    timeout     = 300
-    atomic      = true
-    bucket_name = "velero-addons"
-  }
 }
@@ -9,10 +9,10 @@ spec:
     name: external-secrets-store             # -- Provide previously created secret store name
     kind: SecretStore
   target:
-    name: externalsecret-data                # -- Name of secret which will contain data specified below
+    name: externalsecret-data                # -- Name of Kubernetes secret which will contain data specified below
     creationPolicy: Owner
   data:
-  - secretKey: do_not_delete_this_key        # -- AWS Secret-Manager secret key
+  - secretKey: external_secret_key           # -- Kubernetes Secret `externalsecret-data` KEY name
     remoteRef:
-      key: external_secrets                  # -- Same as 'externalsecrets_manifest["secret_manager_name"]
-      property: do_not_delete_this_key       # -- AWS Secret-Manager secret key
+      key: external_secrets_addon            # -- AWS Secret Name, same as `var.external_secrets_extra_configs.secret_manager_name`
+      property: external_secret              # -- AWS Secret-Manager secret key
@@ -0,0 +1,14 @@
+{
+    "Statement": [
+        {
+            "Action": [
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:DescribeSecret"
+            ],
+            "Effect": "Allow",
+            "Resource": "*",
+            "Sid": "ExternalSecretsDefault"
+        }
+    ],
+    "Version": "2012-10-17"
+} 
@@ -217,30 +217,11 @@ module "addons" {
   kube_state_metrics_extra_configs           = var.kube_state_metrics_extra_configs
   keda_extra_configs                         = var.keda_extra_configs
   certification_manager_extra_configs        = var.certification_manager_extra_configs
-
-  external_secrets_extra_configs = {
-    irsa_assume_role_policy = jsonencode({
-      "Version" : "2012-10-17",
-      "Statement" : [
-        {
-          "Effect" : "Allow",
-          "Principal" : {
-            "Federated" : module.eks.oidc_provider_arn
-          },
-          "Action" : "sts:AssumeRoleWithWebIdentity",
-          "Condition" : {
-            "StringLike" : {
-              "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:aud" : "sts.amazonaws.com"
-            }
-          }
-        }
-      ]
-    })
-    secret_manager_name = "external_secrets_addon"
-  }
+  external_secrets_extra_configs             = var.external_secrets_extra_configs
 
   # -- Custom IAM Policy Json for Addon's ServiceAccount
   cluster_autoscaler_iampolicy_json_content = file("./custom-iam-policies/cluster-autoscaler.json")
+  external_secrets_iampolicy_json_content   = file("./custom-iam-policies/external-secrets.json")
 }
 
 module "addons-internal" {

@@ -15,4 +15,8 @@ output "update_kubeconfig" {
 
 output "velero_post_installation" {
   value = indent(2, "Once velero server is up and running you need the client before you can use it - \n  1. wget https://github.com/vmware-tanzu/velero/releases/download/v1.11.1/velero-v1.11.1-darwin-amd64.tar.gz \n  2. tar -xvf velero-v1.11.1-darwin-amd64.tar.gz -C velero-client")
+}
+
+output "istio-ingress" {
+  value = indent(2, "Istio does not support the installation of istio-helmchart in a namespace other than istio-system. We have provided a namespace feature in case Istio-helmchart maintainers fix this issue.")
 }
@@ -145,13 +145,11 @@ variable "istio_manifests_internal" {
 variable "istio_ingress_extra_configs_internal" {
   type = any
   default = {
-    name                   = "istio-ingress-internal"
-    namespace              = "istio-system"
-    istiobase_release_name = "base-internal"
-    istiod_release_name    = "istiod-internal"
-    create_namespace       = true
-    install_istiobase      = false
-    install_istiod         = false
+    name              = "istio-ingress-internal"
+    namespace         = "istio-system"
+    create_namespace  = false
+    install_istiobase = false
+    install_istiod    = false
   }
 }
 
@@ -168,4 +166,12 @@ variable "kiali_manifests" {
 variable "kiali_server_extra_configs" {
   type    = any
   default = {}
+}
+
+# ------------------ EXTERNAL SECRETS ------------------------------------------
+variable "external_secrets_extra_configs" {
+  type = any
+  default = {
+    secret_manager_name = "external_secrets_addon"
+  }
 }
@@ -12,7 +12,7 @@ locals {
     lint                       = try(var.aws_ebs_csi_driver_extra_configs.lint, "false")
     repository_key_file        = try(var.aws_ebs_csi_driver_extra_configs.repository_key_file, "")
     repository_cert_file       = try(var.aws_ebs_csi_driver_extra_configs.repository_cert_file, "")
-    repository_username        = try(var.aws_ebs_csi_driver_extra_configs.repository_password, "")
+    repository_username        = try(var.aws_ebs_csi_driver_extra_configs.repository_username, "")
     repository_password        = try(var.aws_ebs_csi_driver_extra_configs.repository_password, "")
     verify                     = try(var.aws_ebs_csi_driver_extra_configs.verify, "false")
     keyring                    = try(var.aws_ebs_csi_driver_extra_configs.keyring, "")
@@ -33,11 +33,8 @@ locals {
     replace                    = try(var.aws_ebs_csi_driver_extra_configs.replace, "false")
   }
 
-  aws_ebs_csi_driver_extra_configs = var.aws_ebs_csi_driver_extra_configs
-
   helm_config = merge(
     local.default_helm_config,
     var.helm_config,
-    local.aws_ebs_csi_driver_extra_configs
   )
 }
@@ -5,7 +5,6 @@ module "helm_addon" {
   helm_config       = local.helm_config
   addon_context     = var.addon_context
 
-  depends_on = [kubernetes_namespace_v1.this]
   set_values = [
     {
       name  = "controller.serviceAccount.create"
@@ -59,12 +58,4 @@ resource "aws_iam_policy" "policy" {
   ]
 }  
 EOT
-}
-
-resource "kubernetes_namespace_v1" "this" {
-  count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
-  metadata {
-    name = local.helm_config["namespace"]
-  }
-}
+}
@@ -12,7 +12,7 @@ locals {
     lint                       = try(var.aws_efs_csi_driver_extra_configs.lint, "false")
     repository_key_file        = try(var.aws_efs_csi_driver_extra_configs.repository_key_file, "")
     repository_cert_file       = try(var.aws_efs_csi_driver_extra_configs.repository_cert_file, "")
-    repository_username        = try(var.aws_efs_csi_driver_extra_configs.repository_password, "")
+    repository_username        = try(var.aws_efs_csi_driver_extra_configs.repository_username, "")
     repository_password        = try(var.aws_efs_csi_driver_extra_configs.repository_password, "")
     verify                     = try(var.aws_efs_csi_driver_extra_configs.verify, "false")
     keyring                    = try(var.aws_efs_csi_driver_extra_configs.keyring, "")

@@ -5,7 +5,6 @@ module "helm_addon" {
   helm_config       = local.helm_config
   addon_context     = var.addon_context
 
-  depends_on = [kubernetes_namespace_v1.this]
   set_values = [
     {
       name  = "image.repository"
@@ -93,12 +92,4 @@ resource "aws_iam_policy" "policy" {
     ]
   }  
 EOT
-}
-
-resource "kubernetes_namespace_v1" "this" {
-  count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
-  metadata {
-    name = local.helm_config["namespace"]
-  }
-}
+}
@@ -12,7 +12,7 @@ locals {
     lint                       = try(var.aws_load_balancer_controller_extra_configs.lint, "false")
     repository_key_file        = try(var.aws_load_balancer_controller_extra_configs.repository_key_file, "")
     repository_cert_file       = try(var.aws_load_balancer_controller_extra_configs.repository_cert_file, "")
-    repository_username        = try(var.aws_load_balancer_controller_extra_configs.repository_password, "")
+    repository_username        = try(var.aws_load_balancer_controller_extra_configs.repository_username, "")
     repository_password        = try(var.aws_load_balancer_controller_extra_configs.repository_password, "")
     verify                     = try(var.aws_load_balancer_controller_extra_configs.verify, "false")
     keyring                    = try(var.aws_load_balancer_controller_extra_configs.keyring, "")
@@ -33,11 +33,8 @@ locals {
     replace                    = try(var.aws_load_balancer_controller_extra_configs.replace, "false")
   }
 
-  aws_load_balancer_controller_extra_configs = var.aws_load_balancer_controller_extra_configs
-
   helm_config = merge(
     local.default_helm_config,
     var.helm_config,
-    local.aws_load_balancer_controller_extra_configs
   )
 }
@@ -5,7 +5,6 @@ module "helm_addon" {
   helm_config       = local.helm_config
   addon_context     = var.addon_context
 
-  depends_on = [kubernetes_namespace_v1.this]
   set_values = [
     {
       name  = "clusterName"
@@ -289,12 +288,4 @@ resource "aws_iam_policy" "policy" {
     ]
 }  
   EOT
-}
-
-resource "kubernetes_namespace_v1" "this" {
-  count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
-  metadata {
-    name = local.helm_config["namespace"]
-  }
-}
+}
@@ -12,7 +12,7 @@ locals {
     lint                       = try(var.aws_node_termination_handler_extra_configs.lint, "false")
     repository_key_file        = try(var.aws_node_termination_handler_extra_configs.repository_key_file, "")
     repository_cert_file       = try(var.aws_node_termination_handler_extra_configs.repository_cert_file, "")
-    repository_username        = try(var.aws_node_termination_handler_extra_configs.repository_password, "")
+    repository_username        = try(var.aws_node_termination_handler_extra_configs.repository_username, "")
     repository_password        = try(var.aws_node_termination_handler_extra_configs.repository_password, "")
     verify                     = try(var.aws_node_termination_handler_extra_configs.verify, "false")
     keyring                    = try(var.aws_node_termination_handler_extra_configs.keyring, "")
@@ -33,11 +33,8 @@ locals {
     replace                    = try(var.aws_node_termination_handler_extra_configs.replace, "false")
   }
 
-  aws_node_termination_handler_extra_configs = var.aws_node_termination_handler_extra_configs
-
   helm_config = merge(
     local.default_helm_config,
     var.helm_config,
-    local.aws_node_termination_handler_extra_configs
   )
 }
@@ -4,14 +4,4 @@ module "helm_addon" {
   manage_via_gitops = var.manage_via_gitops
   helm_config       = local.helm_config
   addon_context     = var.addon_context
-
-  depends_on = [kubernetes_namespace_v1.this]
-}
-
-resource "kubernetes_namespace_v1" "this" {
-  count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
-  metadata {
-    name = local.helm_config["namespace"]
-  }
 }
@@ -13,7 +13,7 @@ locals {
     lint                       = try(var.calico_tigera_extra_configs.lint, "false")
     repository_key_file        = try(var.calico_tigera_extra_configs.repository_key_file, "")
     repository_cert_file       = try(var.calico_tigera_extra_configs.repository_cert_file, "")
-    repository_username        = try(var.calico_tigera_extra_configs.repository_password, "")
+    repository_username        = try(var.calico_tigera_extra_configs.repository_username, "")
     repository_password        = try(var.calico_tigera_extra_configs.repository_password, "")
     verify                     = try(var.calico_tigera_extra_configs.verify, "false")
     keyring                    = try(var.calico_tigera_extra_configs.keyring, "")
@@ -34,11 +34,8 @@ locals {
     replace                    = try(var.calico_tigera_extra_configs.replace, "false")
   }
 
-  calico_tigera_extra_configs = var.calico_tigera_extra_configs
-
   helm_config = merge(
     local.default_helm_config,
     var.helm_config,
-    local.calico_tigera_extra_configs
   )
 }
@@ -4,17 +4,6 @@ module "helm_addon" {
   manage_via_gitops = var.manage_via_gitops
   helm_config       = local.helm_config
   addon_context     = var.addon_context
-
-  depends_on = [kubernetes_namespace.this]
-
-}
-
-resource "kubernetes_namespace" "this" {
-  count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
-  metadata {
-    name = local.helm_config["namespace"]
-  }
 }
 
 resource "kubectl_manifest" "calico_node" {

@@ -13,7 +13,7 @@ locals {
     lint                       = try(var.certification_manager_extra_configs.lint, "false")
     repository_key_file        = try(var.certification_manager_extra_configs.repository_key_file, "")
     repository_cert_file       = try(var.certification_manager_extra_configs.repository_cert_file, "")
-    repository_username        = try(var.certification_manager_extra_configs.repository_password, "")
+    repository_username        = try(var.certification_manager_extra_configs.repository_username, "")
     repository_password        = try(var.certification_manager_extra_configs.repository_password, "")
     verify                     = try(var.certification_manager_extra_configs.verify, "false")
     keyring                    = try(var.certification_manager_extra_configs.keyring, "")

@@ -12,7 +12,7 @@ locals {
     lint                       = try(var.cluster_autoscaler_extra_configs.lint, "false")
     repository_key_file        = try(var.cluster_autoscaler_extra_configs.repository_key_file, "")
     repository_cert_file       = try(var.cluster_autoscaler_extra_configs.repository_cert_file, "")
-    repository_username        = try(var.cluster_autoscaler_extra_configs.repository_password, "")
+    repository_username        = try(var.cluster_autoscaler_extra_configs.repository_username, "")
     repository_password        = try(var.cluster_autoscaler_extra_configs.repository_password, "")
     verify                     = try(var.cluster_autoscaler_extra_configs.verify, "false")
     keyring                    = try(var.cluster_autoscaler_extra_configs.keyring, "")
@@ -33,11 +33,8 @@ locals {
     replace                    = try(var.cluster_autoscaler_extra_configs.replace, "false")
   }
 
-  cluster_autoscaler_extra_configs = var.cluster_autoscaler_extra_configs
-
   helm_config = merge(
     local.default_helm_config,
     var.helm_config,
-    local.cluster_autoscaler_extra_configs
   )
 }