From d67626296482f3df01968377c828ffac093efee8 Mon Sep 17 00:00:00 2001 From: Arnaud Meukam Date: Tue, 12 Mar 2024 13:31:07 +0100 Subject: [PATCH] kops-ci: Bump EKS module Bump to v20.x version Introducing: - Access entries - Karpenter support - AL2023 support - tags on launch templates instead of the node group Signed-off-by: Arnaud Meukam --- infra/aws/terraform/kops-infra-ci/eks.tf | 58 ++++++++++++------- .../aws/terraform/kops-infra-ci/terraform.tf | 2 +- 2 files changed, 38 insertions(+), 22 deletions(-) diff --git a/infra/aws/terraform/kops-infra-ci/eks.tf b/infra/aws/terraform/kops-infra-ci/eks.tf index 2ce82ed1f11..055f47753fd 100644 --- a/infra/aws/terraform/kops-infra-ci/eks.tf +++ b/infra/aws/terraform/kops-infra-ci/eks.tf @@ -17,7 +17,7 @@ limitations under the License. module "eks" { providers = { aws = aws.kops-infra-ci } source = "terraform-aws-modules/eks/aws" - version = "19.16.0" + version = "20.8.3" cluster_name = local.cluster_name cluster_version = var.eks_version @@ -25,6 +25,10 @@ module "eks" { cluster_ip_family = "ipv4" + # Give the Terraform identity admin access to the cluster + # which will allow resources to be deployed into the cluster + enable_cluster_creator_admin_permissions = true + vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets control_plane_subnet_ids = module.vpc.intra_subnets 
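Review bot: `enable_cluster_creator_admin_permissions = true` grants cluster-admin to whichever IAM principal executes the apply, resolved at apply time rather than pinned in code, so a run from a different identity would move that admin access entry to the new caller. The comment above it should name the identity expected to hold it (the one behind the `aws.kops-infra-ci` provider alias) so a replacement of the access entry stands out in a plan, e.g. `# Expected principal: <terraform-role-arn>; an apply from another identity replaces this access entry`. In the 20.x module this appears to be implemented as an EKS access entry with the cluster-admin access policy — worth confirming against the module docs before relying on it in place of the aws-auth entries. The enclosing `module "eks"` block continues outside the hunk.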
@@ -37,36 +41,21 @@ module "eks" { "scheduler" ] - manage_aws_auth_configmap = true - - aws_auth_roles = [ - { - # AWS role used by prow to authenticate to build clusters - # Please, keep it in sync with prow deployment (AWS_ROLE_ARN) - rolearn = "arn:aws:iam::468814281478:role/Prow-EKS-Admin" - username = "arn:aws:iam::468814281478:role/Prow-EKS-Admin" - groups = ["system:masters"] - } - ] - cloudwatch_log_group_retention_in_days = 30 cluster_addons = { coredns = { - most_recent = true - resolve_conflicts = "OVERWRITE" + most_recent = true } kube-proxy = { most_recent = true } vpc-cni = { most_recent = true - resolve_conflicts = "OVERWRITE" service_account_role_arn = module.vpc_cni_irsa.iam_role_arn } aws-ebs-csi-driver = { most_recent = true - resolve_conflicts = "OVERWRITE" service_account_role_arn = module.ebs_csi_irsa.iam_role_arn } } @@ -139,10 +128,13 @@ module "eks" { AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" } - tags = merge( - var.tags, - local.asg_tags - ) + launch_template_tags = { + # enable discovery of autoscaling groups by cluster-autoscaler + "k8s.io/cluster-autoscaler/enabled" : true, + "k8s.io/cluster-autoscaler/${local.cluster_name}" : "owned", + } + + tags = var.tags } } @@ -151,6 +143,30 @@ module "eks" { }) } +//TODO(ameukam): Use access entries +module "eks-auth" { + source = "terraform-aws-modules/eks/aws//modules/aws-auth" + version = "~> 20.0" + + manage_aws_auth_configmap = true + + aws_auth_roles = [ + { + rolearn = "arn:aws:iam::468814281478:role/Prow-EKS-Admin" + username = "arn:aws:iam::468814281478:role/Prow-EKS-Admin" + groups = ["system:masters"] + }, + ] + + aws_auth_users = [ + { + userarn = "arn:aws:iam::${data.aws_organizations_organization.current.id}:user/ameukam" + username = "ameukam" + groups = ["system:masters"] + }, + ] +} + resource "aws_eks_addon" "eks_pod_identity" { provider = aws.kops-local-ci 
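Review bot: The explanatory comment on the Prow role (`# AWS role used by prow to authenticate to build clusters` / `# Please, keep it in sync with prow deployment (AWS_ROLE_ARN)`) is removed here and does not reappear where the same rolearn is re-declared in the new `eks-auth` module later in this file (the `@@ -151,6 +143,30 @@` hunk); the sync requirement with the Prow deployment is the kind of detail that breaks silently, so both comment lines should be carried over to the new `aws_auth_roles` entry. Separately, dropping `resolve_conflicts = "OVERWRITE"` from coredns, vpc-cni and aws-ebs-csi-driver is only behaviour-neutral if the 20.x module's defaults for `resolve_conflicts_on_create`/`resolve_conflicts_on_update` are OVERWRITE, which appears to be the case but is not recorded here; a one-line comment on `cluster_addons` stating that assumption would save the next reader a lookup. The enclosing `module "eks"` block starts before and ends after this hunk.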
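Review bot: `local.asg_tags` is no longer referenced once `merge(var.tags, local.asg_tags)` is replaced by `tags = var.tags`, so if nothing else in the configuration reads it the local is now dead and should be removed in the same change; if it still holds the same two cluster-autoscaler keys, the new `launch_template_tags` map duplicates them inline instead of reusing it. A minor style point: the new map uses JSON-style `"key" : value` with a bare boolean `true` while the rest of the module block uses `key = value` with string values; `"k8s.io/cluster-autoscaler/enabled" = "true"` matches the surrounding style and does not rely on implicit bool-to-string conversion of the tag value. The enclosing node-group block starts outside the hunk.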
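Review bot: The `userarn` of the new `aws_auth_users` entry is built from `data.aws_organizations_organization.current.id`, which is the organization identifier (`o-…`), not a 12-digit account id, so the resulting ARN is malformed and the aws-auth mapping would never match the user; the account id should come from `data.aws_organizations_organization.current.master_account_id` (if the user lives in the management account) or from `data.aws_caller_identity`, whichever the rest of this configuration already uses. Even with a correct ARN, this entry grants a named personal IAM user standing `system:masters`, which the previous configuration did not; if it is a transitional step toward the access entries named in the `TODO(ameukam)` above, state that on the entry (`# temporary personal admin until migrated to access entries`) and prefer an assumable role over a long-lived user. Note also that the `eks-auth` module passes no `providers` map while `module "eks"` uses the `aws.kops-infra-ci` alias — presumably fine because the aws-auth submodule only needs the kubernetes provider, but worth confirming.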
diff --git a/infra/aws/terraform/kops-infra-ci/terraform.tf b/infra/aws/terraform/kops-infra-ci/terraform.tf
index eb0f2dd184d..8c9b1ae5d83 100644
--- a/infra/aws/terraform/kops-infra-ci/terraform.tf
+++ b/infra/aws/terraform/kops-infra-ci/terraform.tf
@@ -27,7 +27,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 5.29.0"
+ version = "~> 5.40.0"
 }
 }
 }