Merge pull request #12 from ShibraAmin18/main

added values for istio

README.md

@@ -45,6 +45,7 @@ module "eks_addons" {
  egress_gateway_enabled = false
  envoy_access_logs_enabled = true
  prometheus_monitoring_enabled = true
+ istio_values_yaml = ""
  }
  karpenter_provisioner_enabled = true
  karpenter_provisioner_config = {
@@ -78,10 +79,14 @@ module "eks_addons" {
 
 ## Compatibility
 
-| Release | Kubernetes 1.23 | Kubernetes 1.24 | Kubernetes 1.25 | Kubernetes 1.26 |
-|------------------|------------------|------------------|----------------------|----------------------|
+| Release | Kubernetes 1.23 | Kubernetes 1.24 | Kubernetes 1.25 | Kubernetes 1.26 | Kubernetes 1.27 |
+|------------------|------------------|------------------|----------------------|----------------------|----------------------|
 | Release 1.0.0 | ✔ | ✔ | ✔ | ✔ |
 | Release 1.1.0 | ✔ | ✔ | ✔ | ✔ |
+| Release 1.1.1 | ✔ | ✔ | ✔ | ✔ | ✔ |
+| Release 1.1.2 | ✔ | ✔ | ✔ | ✔ | ✔ |
+| Release 1.1.3 | ✔ | ✔ | ✔ | ✔ | ✔ |
+| Release 1.1.4 | ✔ | ✔ | ✔ | ✔ | ✔ |
 
 
 ## IAM Permissions
@@ -272,8 +277,8 @@ Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make
 | <a name="input_cluster_issuer"></a> [cluster\_issuer](#input\_cluster\_issuer) | Specify the letsecrypt cluster-issuer for ingress tls. | `string` | `"letsencrypt-prod"` | no |
 | <a name="input_cluster_propotional_autoscaler_enabled"></a> [cluster\_propotional\_autoscaler\_enabled](#input\_cluster\_propotional\_autoscaler\_enabled) | Enable or disable Cluster propotional autoscaler add-on | `bool` | `false` | no |
 | <a name="input_core_dns_hpa_config"></a> [core\_dns\_hpa\_config](#input\_core\_dns\_hpa\_config) | Configuration to provide settings of hpa over core dns | `any` | <pre>{<br> "corednsdeploymentname": "coredns",<br> "maxReplicas": 10,<br> "minReplicas": 2,<br> "targetCPUUtilizationPercentage": 80,<br> "targetMemoryUtilizationPercentage": "150Mi"<br>}</pre> | no |
-| <a name="input_defectdojo_enabled"></a> [defectdojo\_enabled](#input\_defectdojo\_enabled) | Enable istio for service mesh. | `bool` | `true` | no |
-| <a name="input_defectdojo_hostname"></a> [defectdojo\_hostname](#input\_defectdojo\_hostname) | Specify the hostname for the kubecsot. | `string` | `"defectdojo.dev.skaf.squareops.in"` | no |
+| <a name="input_defectdojo_enabled"></a> [defectdojo\_enabled](#input\_defectdojo\_enabled) | Enable istio for service mesh. | `bool` | `false` | no |
+| <a name="input_defectdojo_hostname"></a> [defectdojo\_hostname](#input\_defectdojo\_hostname) | Specify the hostname for the kubecsot. | `string` | `""` | no |
 | <a name="input_efs_storage_class_enabled"></a> [efs\_storage\_class\_enabled](#input\_efs\_storage\_class\_enabled) | Enable or disable the Amazon Elastic File System (EFS) add-on for EKS cluster. | `bool` | `false` | no |
 | <a name="input_eks_cluster_name"></a> [eks\_cluster\_name](#input\_eks\_cluster\_name) | Fetch Cluster ID of the cluster | `string` | `""` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment identifier for the Amazon Elastic Kubernetes Service (EKS) cluster. | `string` | `""` | no |
@@ -282,7 +287,7 @@ Before enabling the **Kubecost** addon for your Amazon EKS cluster, please make
 | <a name="input_ingress_nginx_version"></a> [ingress\_nginx\_version](#input\_ingress\_nginx\_version) | Specify the version of the NGINX Ingress Controller | `string` | `"4.7.0"` | no |
 | <a name="input_internal_ingress_nginx_enabled"></a> [internal\_ingress\_nginx\_enabled](#input\_internal\_ingress\_nginx\_enabled) | Enable or disable the deployment of an internal ingress controller for Kubernetes. | `bool` | `false` | no |
 | <a name="input_ipv6_enabled"></a> [ipv6\_enabled](#input\_ipv6\_enabled) | whether IPv6 enabled or not | `bool` | `false` | no |
-| <a name="input_istio_config"></a> [istio\_config](#input\_istio\_config) | Configuration to provide settings for Istio | <pre>object({<br> ingress_gateway_enabled = bool<br> ingress_gateway_namespace = optional(string, "istio-ingressgateway")<br> egress_gateway_enabled = bool<br> egress_gateway_namespace = optional(string, "istio-egressgateway")<br> envoy_access_logs_enabled = bool<br> prometheus_monitoring_enabled = bool<br> })</pre> | <pre>{<br> "egress_gateway_enabled": false,<br> "envoy_access_logs_enabled": true,<br> "ingress_gateway_enabled": true,<br> "prometheus_monitoring_enabled": true<br>}</pre> | no |
+| <a name="input_istio_config"></a> [istio\_config](#input\_istio\_config) | Configuration to provide settings for Istio | <pre>object({<br> ingress_gateway_enabled = bool<br> ingress_gateway_namespace = optional(string, "istio-ingressgateway")<br> egress_gateway_enabled = bool<br> egress_gateway_namespace = optional(string, "istio-egressgateway")<br> envoy_access_logs_enabled = bool<br> prometheus_monitoring_enabled = bool<br>  istio_values_yaml = any<br> })</pre> | <pre>{<br> "egress_gateway_enabled": false,<br> "envoy_access_logs_enabled": true,<br> "ingress_gateway_enabled": true,<br> "istio_values_yaml": "",<br> "prometheus_monitoring_enabled": true<br>}</pre> | no |
 | <a name="input_istio_enabled"></a> [istio\_enabled](#input\_istio\_enabled) | Enable istio for service mesh. | `bool` | `false` | no |
 | <a name="input_karpenter_enabled"></a> [karpenter\_enabled](#input\_karpenter\_enabled) | Enable or disable Karpenter, a Kubernetes-native, multi-tenant, and auto-scaling solution for containerized workloads on Kubernetes. | `bool` | `false` | no |
 | <a name="input_karpenter_provisioner_config"></a> [karpenter\_provisioner\_config](#input\_karpenter\_provisioner\_config) | Configuration to provide settings for Karpenter, including which private subnet to use, instance capacity types, and excluded instance types. | `any` | <pre>{<br> "excluded_instance_type": [<br> "nano",<br> "micro",<br> "small"<br> ],<br> "instance_capacity_type": [<br> "spot"<br> ],<br> "instance_hypervisor": [<br> "nitro"<br> ],<br> "private_subnet_name": ""<br>}</pre> | no |

examples/complete/main.tf

@@ -46,6 +46,7 @@ module "eks-addons" {
  egress_gateway_enabled = true
  envoy_access_logs_enabled = true
  prometheus_monitoring_enabled = true
+ istio_values_yaml = ""
  }
  karpenter_provisioner_enabled = true
  karpenter_provisioner_config = {

main.tf

@@ -198,6 +198,7 @@ module "istio" {
  envoy_access_logs_enabled = var.istio_config.envoy_access_logs_enabled
  prometheus_monitoring_enabled = var.istio_config.prometheus_monitoring_enabled
  cert_manager_letsencrypt_email = var.cert_manager_letsencrypt_email
+ istio_values_yaml = var.istio_config.istio_values_yaml
 }
 
 data "kubernetes_service" "istio-ingress" {

modules/aws_alb/aws_alb.yaml

@@ -22,4 +22,3 @@ resources:
 
 podAnnotations:
  co.elastic.logs/enabled: "true"
-

modules/cert-manager-le-http/values.yaml

@@ -1,4 +1,3 @@
 # email:
 
 ingressClass: nginx
-

modules/core_dns_hpa/values.yaml

@@ -20,4 +20,4 @@ resources:
  memory: 200Mi
  requests:
  cpu: 100m
- memory: 100Mi
+ memory: 100Mi

modules/istio/README.md

@@ -25,11 +25,8 @@ No modules.
 | Name | Type |
 |------|------|
 | [helm_release.istio_base](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [helm_release.istio_egress](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.istio_ingress](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [helm_release.istio_observability](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.istiod](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [kubernetes_namespace.istio_egress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.istio_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.istio_system](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 
@@ -43,6 +40,7 @@ No modules.
 | <a name="input_envoy_access_logs_enabled"></a> [envoy\_access\_logs\_enabled](#input\_envoy\_access\_logs\_enabled) | Enable or disable the installation of Envoy access logs across Mesh | `bool` | `false` | no |
 | <a name="input_ingress_gateway_enabled"></a> [ingress\_gateway\_enabled](#input\_ingress\_gateway\_enabled) | Enable or disable the installation of Istio Ingress Gateway. | `bool` | `true` | no |
 | <a name="input_ingress_gateway_namespace"></a> [ingress\_gateway\_namespace](#input\_ingress\_gateway\_namespace) | Name of the Kubernetes namespace where the Istio Ingress Gateway will be deployed | `string` | `"istio-ingressgateway"` | no |
+| <a name="input_istio_values_yaml"></a> [istio\_values\_yaml](#input\_istio\_values\_yaml) | Custom config values for istiod helm | `any` | `""` | no |
 | <a name="input_prometheus_monitoring_enabled"></a> [prometheus\_monitoring\_enabled](#input\_prometheus\_monitoring\_enabled) | Enable or disable the installation of Prometheus Operator's servicemonitor to monitor Istio Controlplane and Dataplane | `bool` | `false` | no |
 
 ## Outputs

modules/istio/helm/values.yaml

@@ -35,7 +35,3 @@ gateways:
  requests:
  cpu: 10m
  memory: 100Mi
-
-
-
-

modules/istio/helm/values/istiod/values.yaml

@@ -0,0 +1,25 @@
+meshConfig:
+ accessLogFile: /dev/stdout
+ accessLogFormat: |
+ [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %CONNECTION_TERMINATION_DETAILS% "%UPSTREAM_TRANSPORT_FAILURE_REASON%" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME% traceID=%REQ(TRACEPARENT)%
+ defaultConfig:
+ discoveryAddress: istiod.istio-system.svc:15012
+ proxyMetadata: {}
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
+ enableAutoMtls: true
+ enablePrometheusMerge: true
+ extensionProviders:
+ - name: otel-tracing
+ opentelemetry:
+ port: 4317
+ service: otel-collector-collector.istio-system.svc.cluster.local
+ - envoyOtelAls:
+ port: 4317
+ service: opentelemetry-collector.istio-system.svc.cluster.local
+ name: otel
+ - name: skywalking
+ skywalking:
+ port: 11800
+ service: tracing.istio-system.svc.cluster.local

modules/istio/main.tf

@@ -24,7 +24,8 @@ resource "helm_release" "istiod" {
  timeout = 600
  version = "1.18.0"
  values = [
- file("${path.module}/helm/values.yaml")
+ file("${path.module}/helm/values/istiod/values.yaml"),
+ var.istio_values_yaml
  ]
 }
 
@@ -68,63 +69,3 @@ resource "helm_release" "istio_ingress" {
  }
 
 }
-
-
-resource "kubernetes_namespace" "istio_egress" {
-
- depends_on = [helm_release.istiod]
- count = var.egress_gateway_enabled ? 1 : 0
-
- metadata {
- name = var.egress_gateway_namespace
- }
-
-}
-resource "helm_release" "istio_egress" {
- depends_on = [helm_release.istiod, kubernetes_namespace.istio_egress]
- count = var.egress_gateway_enabled ? 1 : 0
-
- name = "istio-egressgateway"
- repository = "https://istio-release.storage.googleapis.com/charts"
- chart = "gateway"
- namespace = var.egress_gateway_namespace
- timeout = 600
- version = "1.18.0"
- values = [
- file("${path.module}/helm/values.yaml")
- ]
-
- set {
- name = "labels.app"
- value = "istio-egressgateway"
- }
-
- set {
- name = "labels.istio"
- value = "egressgateway"
- }
-
- set {
- name = "service.type"
- value = "ClusterIP"
- }
-}
-
-resource "helm_release" "istio_observability" {
- depends_on = [helm_release.istiod]
- name = "istio-observability"
- chart = "${path.module}/istio-observability/"
- namespace = "istio-system"
- set {
- name = "accessLogging.enabled"
- value = var.envoy_access_logs_enabled
- }
- set {
- name = "monitoring.enabled"
- value = var.prometheus_monitoring_enabled
- }
- set {
- name = "clusterIssuer.email"
- value = var.cert_manager_letsencrypt_email
- }
-}

modules/istio/variables.tf

@@ -38,3 +38,9 @@ variable "cert_manager_letsencrypt_email" {
  description = "Specifies the email address to be used by cert-manager to request Let's Encrypt certificates"
  type = string
 }
+
+variable "istio_values_yaml" {
+ description = "Custom config values for istiod helm"
+ type = any
+ default = ""
+}

modules/reloader/reloader.yaml

@@ -9,7 +9,7 @@ reloader:
  operator: In
  values:
  - "true"
- 
+
  resources:
  limits:
  cpu: "150m"

modules/velero/helm/values.yaml

@@ -28,7 +28,7 @@ affinity:
  operator: In
  values:
  - "true"
- 
+
 resources:
  requests:
  cpu: 10m

variables.tf

@@ -211,12 +211,14 @@ variable "istio_config" {
  egress_gateway_namespace = optional(string, "istio-egressgateway")
  envoy_access_logs_enabled = bool
  prometheus_monitoring_enabled = bool
+ istio_values_yaml = any
  })
  default = {
  ingress_gateway_enabled = true
  egress_gateway_enabled = false
  envoy_access_logs_enabled = true
  prometheus_monitoring_enabled = true
+ istio_values_yaml = ""
  }
 }