From 8426da2d36062f2650f5a320a541a2385786d444 Mon Sep 17 00:00:00 2001
From: Nicola Bucci
Date: Wed, 20 Dec 2023 17:43:40 +0100
Subject: [PATCH] Update ingress-nginx module
---
 CHANGELOG.md | 12 ++++++++++
 README.md | 3 +--
 UPGRADING.md | 34 ++++++++++++++++++++++++++++
 files/ingress-nginx/values.yaml | 27 ++++-------------------
 ingress-nginx.tf | 39 +++++++++++----------------------
 5 files changed, 64 insertions(+), 51 deletions(-)
 create mode 100644 UPGRADING.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bfb3f36..9fd9427 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [3.0.0] - 2023-12-21
+
+[Compare with previous version](https://github.com/sparkfabrik/terraform-aws-eks-bootstrap/compare/2.1.0...3.0.0)
+
+### ⚠️ Breaking changes ⚠️
+
+**ATTENTION:** read the [upgrading instructions](https://github.com/sparkfabrik/terraform-aws-eks-bootstrap/blob/3.0.0/UPGRADING.md#upgrading-from-2xy-to-300).
+
+### Changed
+
+- refs platform/#2564: update nginx-ingress controller installation module, using the module hosted on [GitHub](https://github.com/sparkfabrik/terraform-helm-ingress-nginx/).
+
 ## [2.1.0] - 2023-12-04
 [Compare with previous version](https://github.com/sparkfabrik/terraform-aws-eks-bootstrap/compare/2.0.0...2.1.0)
diff --git a/README.md b/README.md
index 7b44dfa..3a08cf0 100644
--- a/README.md
+++ b/README.md
@@ -113,7 +113,6 @@ Bootstrap module for AWS EKS cluster.
 | [helm_release.cert_manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.ebs](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [helm_release.ingress_nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.metric_server](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubectl_manifest.cert_manager_cluster_issuer](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
@@ -125,7 +124,6 @@ Bootstrap module for AWS EKS cluster.
 | [kubernetes_namespace.cert_manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.customer_application](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
-| [kubernetes_namespace.ingress_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.metric_server](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [random_id.resources_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
@@ -144,6 +142,7 @@ Bootstrap module for AWS EKS cluster.
 | [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.13 |
 | [firestarter\_operations](#module\_firestarter\_operations) | ./modules/firestarter-operations | n/a |
 | [gitlab\_runner](#module\_gitlab\_runner) | github.com/sparkfabrik/terraform-aws-eks-gitlab-runner | 4e020f8 |
+| [ingress\_nginx](#module\_ingress\_nginx) | github.com/sparkfabrik/terraform-helm-ingress-nginx | 0.3.0 |
 | [kube\_prometheus\_stack](#module\_kube\_prometheus\_stack) | github.com/sparkfabrik/terraform-sparkfabrik-prometheus-stack | 3.0.0 |
 | [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.17 |
 | [node\_termination\_handler\_irsa\_role](#module\_node\_termination\_handler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.17 |
diff --git a/UPGRADING.md b/UPGRADING.md
new file mode 100644
index 0000000..4c26416
--- /dev/null
+++ b/UPGRADING.md
@@ -0,0 +1,34 @@
+# Upgrading from 2.X.Y to 3.0.0
+
+Upgrading to `3.0.0` from `2.X.Y` will destroy and recreate the ingress nginx controller resource since now we're using the external module hosted on [GitHub](https://github.com/sparkfabrik/terraform-helm-ingress-nginx/).
+To avoid that you will need to use the `moved` resource:
+
+```hcl
+moved {
+ from = module.MODULE_NAME.helm_release.ingress_nginx_release
+ to = module.MODULE_NAME.helm_release.this
+}
+```
+
+Upgrading to `3.0.0` from `2.X.Y` will also destroy and recreate the namespace, which is caused by the change of the `kubernetes_namespace` to `kubernetes_namespace_v1` resource.
+You will need to import the new resource with the name of the current namespace.
+You can do it using the `import` resource to import the new resource using the id of the old one:
+
+```hcl
+import {
+ to = module.MODULE_NAME.kubernetes_namespace_v1.this[0]
+ id = NS_NAME
+}
+```
+
+Or manually using the terraform cli:
+
+```bash
+terraform import module.MODULE_NAME.kubernetes_namespace_v1.this[0] NS_NAME
+```
+
+And then you have to remove manually the old one from the state:
+
+```bash
+terraform state rm module.MODULE_NAME.kubernetes_namespace.ingress_nginx
+```
diff --git a/files/ingress-nginx/values.yaml b/files/ingress-nginx/values.yaml
index 42080f9..ce4f989 100644
--- a/files/ingress-nginx/values.yaml
+++ b/files/ingress-nginx/values.yaml
@@ -1,42 +1,26 @@
 ## nginx configuration
 ## Ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/index.md
 ##
-## AWS specific deployment: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/aws/deploy.yaml
-## Available at https://github.com/kubernetes/ingress-nginx/blob/master/charts/ingress-nginx/values.yaml
+## AWS specific deployment: https://github.com/kubernetes/ingress-nginx/blob/helm-chart-4.8.3/deploy/static/provider/aws/deploy.yaml
+## Available at https://github.com/kubernetes/ingress-nginx/blob/helm-chart-4.8.3/charts/ingress-nginx/values.yaml
 controller: # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
 config:
- ssl-redirect: "true"
- proxy-body-size: "0"
 body-size: "0"
- proxy-buffer-size: "128k"
+ hsts-include-subdomains: "false"
 proxy-buffers: "4 256k"
 proxy-busy-buffers-size: "256k"
- proxy-connect-timeout: "15"
- proxy-read-timeout: "600"
- proxy-send-imeout: "600"
- hsts-include-subdomains: "false"
- server-name-hash-bucket-size: "256"
+ ssl-redirect: "true"
 metrics:
 enabled: true
- serviceMonitor:
- enabled: false
- # Mutually exclusive with keda autoscaling
 autoscaling:
- enabled: true
 minReplicas: 2
 maxReplicas: 4
- targetCPUUtilizationPercentage: 80
- targetMemoryUtilizationPercentage: 80
 service:
- ## Set external traffic policy to: "Local" to preserve source IP on
- ## providers supporting it
- ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
- externalTrafficPolicy: "Local"
 annotations:
 service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
 service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
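Review bot: Dropping `externalTrafficPolicy: "Local"` under `service:` is not compensated anywhere in this file, so unless the new terraform-helm-ingress-nginx module sets it by default the Service reverts to the chart default and nginx may stop seeing the real client address. That would quietly weaken anything keyed on source IP (allow-lists, rate limits, access-log attribution), and it is not mentioned in UPGRADING.md. The same applies to `autoscaling.enabled: true`: `minReplicas`/`maxReplicas` stay, but the switch that makes them effective is removed. If both are now module defaults, I would say so in the file, e.g. `# externalTrafficPolicy and autoscaling.enabled are provided by the ingress-nginx module defaults`; otherwise keep the two keys.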
@@ -45,6 +29,3 @@ controller:
 service.beta.kubernetes.io/aws-load-balancer-type: nlb
 proxy-real-ip-cidr: ${vpc_cidr_block}
 service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "name=${aws_load_balancer_name}"
-## Enable RBAC as per https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266
-rbac:
- create: true
diff --git a/ingress-nginx.tf b/ingress-nginx.tf
index f070065..c7b4b2b 100644
--- a/ingress-nginx.tf
+++ b/ingress-nginx.tf
@@ -4,11 +4,11 @@ locals {
 ingress_nginx_nlb_name = "ingress-nginx-nlb"
 default_ingress_nginx_helm_config = {
- name = "ingress-nginx"
- repository = "https://kubernetes.github.io/ingress-nginx"
- helm_release_name = "ingress-nginx"
- chart_version = "4.6.0"
- namespace = "ingress-nginx"
+ name = "ingress-nginx"
+ repository = "https://kubernetes.github.io/ingress-nginx"
+ helm_release_name = "ingress-nginx"
+ chart_version = "4.8.3"
+ namespace = "ingress-nginx"
 }
 ingress_nginx_helm_config = merge(
@@ -19,32 +19,19 @@ locals {
 ingress_nginx_config = templatefile(
 "${path.module}/files/ingress-nginx/values.yaml",
 {
- vpc_cidr_block = var.vpc_cidr_block
+ vpc_cidr_block = var.vpc_cidr_block
 aws_load_balancer_name = local.ingress_nginx_nlb_name
 }
 )
 }
-resource "kubernetes_namespace" "ingress_nginx" {
- count = try(local.ingress_nginx_helm_config["create_namespace"], true) && local.ingress_nginx_helm_config["namespace"] != "kube-system" && var.enable_ingress_nginx ? 1 : 0
+module "ingress_nginx" {
+ source = "github.com/sparkfabrik/terraform-helm-ingress-nginx?ref=0.3.0"
+ chart_version = local.ingress_nginx_helm_config.chart_version
+ namespace = local.ingress_nginx_helm_config.namespace
+ helm_release_name = local.ingress_nginx_helm_config.helm_release_name
- metadata {
- name = local.ingress_nginx_helm_config["namespace"]
- }
-}
-
-resource "helm_release" "ingress_nginx" {
- count = var.enable_ingress_nginx ? 1 : 0
-
- name = local.ingress_nginx_helm_config.name
- repository = local.ingress_nginx_helm_config.repository
- chart = local.ingress_nginx_helm_config.helm_release_name
- namespace = local.ingress_nginx_helm_config.namespace
- version = local.ingress_nginx_helm_config.chart_version
-
- values = [local.ingress_nginx_config]
-
- depends_on = [kubernetes_namespace.ingress_nginx]
+ additional_values = [local.ingress_nginx_config]
 }
 data "aws_lb" "ingress_nginx" {
@@ -54,5 +41,5 @@ data "aws_lb" "ingress_nginx" {
 "name" = local.ingress_nginx_nlb_name
 }
- depends_on = [helm_release.ingress_nginx]
+ depends_on = [ingress_nginx.helm_release.this]
 }
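Review bot: The new `module "ingress_nginx"` block has no `count`, so `var.enable_ingress_nginx` no longer gates the controller; nothing visible in the hunk passes the flag on, which means a cluster that disabled it would still get an ingress controller and its NLB. Restore the guard with `count = var.enable_ingress_nginx ? 1 : 0` (and index dependants with `[0]`), unless the module has its own enable input. The `repository` and `name` keys of `local.ingress_nginx_helm_config`, and the old `create_namespace` / `kube-system` check, are likewise no longer forwarded, so caller overrides of them appear to be ignored. Separately, `?ref=0.3.0` pins a git tag, which can be moved; the README shows `gitlab_runner` pinned to commit `4e020f8`, and doing the same here, `source = "github.com/sparkfabrik/terraform-helm-ingress-nginx?ref=<COMMIT_SHA_OF_0.3.0>"`, keeps the fetched code immutable.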
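Review bot: `depends_on = [ingress_nginx.helm_release.this]` in the `data "aws_lb" "ingress_nginx"` block is not a valid module reference: without the `module.` prefix Terraform reads it as a resource of type `ingress_nginx` named `helm_release`, which is not declared, so validation should fail. `depends_on` also cannot address a resource inside a child module; the whole module has to be named, `depends_on = [module.ingress_nginx]`. The data block starts outside this hunk, so its other arguments were not reviewed.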