chore(ci): switch eks CI to FIPS ami, update to 1.31 k8s testing #1474
Merged
22 commits
35ca03c  chore(ci): switch eks CI to FIPS ami, update to 1.31 k8s testing  (mjnagel)
12df9b5  Merge branch 'main' into eks-fips-ami-switch  (mjnagel)
415b98e  chore: typo fix [ci skip]  (mjnagel)
4edcf4c  chore: bottlerocket init hpa fix [ci skip]  (mjnagel)
28630b3  chore: update based on pr feedback, simplify, fix bugs  (mjnagel)
faca987  Merge branch 'main' into eks-fips-ami-switch  (mjnagel)
9109514  ci: [skip ci]  (mjnagel)
757e5e7  ci: trigger ci  (mjnagel)
050170f  chore: add e2e testing with no continue  (mjnagel)
daae469  chore: mark vars as sensitive [ci skip]  (mjnagel)
dce919c  chore: gitignore configs  (mjnagel)
170ddea  chore: cleanup config files, add hpa disable for iac  (mjnagel)
f151168  chore: add neuvector manager patch for FIPS support  (mjnagel)
41a297a  chore: rebase  (mjnagel)
66741c9  ci: trigger ci  (mjnagel)
a2d5fed  ci: [skip ci]  (mjnagel)
b2e2069  Merge branch 'main' into eks-fips-ami-switch  (mjnagel)
f906b23  fix: remove patch of entrypoint  (mjnagel)
8044fbd  Merge branch 'main' into eks-fips-ami-switch  (mjnagel)
f585754  Merge branch 'main' into eks-fips-ami-switch  (mjnagel)
c9a1919  Merge branch 'main' into eks-fips-ami-switch  (mjnagel)
83dec87  Merge branch 'main' into eks-fips-ami-switch  (mjnagel)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| **/uds-config.yaml |
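Review bot: the new `**/uds-config.yaml` ignore pattern only prevents future additions; any uds-config.yaml already tracked stays in the index until it is removed with `git rm --cached`, so confirm the "cleanup config files" commit actually dropped the tracked copies. Since the branch history also marks these values as sensitive, ignoring the path does not scrub earlier commits in which the files were still present; that needs a history check before merge.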
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,154 @@ | ||
| # Copyright 2025 Defense Unicorns | ||
| # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial | ||
|
|
||
|
|
||
| # Create a custom launch template with public IP association | ||
| resource "aws_launch_template" "eks_node_group" { | ||
| name_prefix = "${var.name}-lt-" | ||
|
|
||
| network_interfaces { | ||
| associate_public_ip_address = true | ||
| delete_on_termination = true | ||
| } | ||
|
|
||
| tag_specifications { | ||
| resource_type = "instance" | ||
| tags = merge(local.tags, { | ||
| Name = "${var.name}-node" | ||
| }) | ||
| } | ||
|
|
||
| lifecycle { | ||
| create_before_destroy = true | ||
| } | ||
| } | ||
|
|
||
| # Create EKS Cluster | ||
| module "eks" { | ||
| source = "terraform-aws-modules/eks/aws" | ||
| version = "~> 20.35.0" | ||
|
|
||
| cluster_name = var.name | ||
| cluster_version = var.kubernetes_version | ||
| cluster_endpoint_public_access = true | ||
| cluster_endpoint_private_access = false | ||
|
|
||
| vpc_id = data.aws_vpc.vpc.id | ||
| subnet_ids = local.subnet_ids | ||
|
|
||
| # IAM | ||
| iam_role_permissions_boundary = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary_name}" | ||
|
|
||
| # Add CloudWatch logging | ||
| cluster_enabled_log_types = [] | ||
| cloudwatch_log_group_retention_in_days = 0 | ||
|
|
||
| # Authentication mode | ||
| authentication_mode = "API_AND_CONFIG_MAP" | ||
|
|
||
| # Enable cluster creator admin permissions | ||
| enable_cluster_creator_admin_permissions = true | ||
|
|
||
| # Security groups | ||
| create_cluster_security_group = true | ||
| create_node_security_group = true | ||
| node_security_group_enable_recommended_rules = true | ||
| node_security_group_additional_rules = { | ||
| clusterapi_ingress = { | ||
| description = "Cluster API Ingress on non-privileged ports" | ||
| protocol = "tcp" | ||
| from_port = 1025 | ||
| to_port = 65535 | ||
| type = "ingress" | ||
| source_cluster_security_group = true | ||
| } | ||
| } | ||
|
|
||
| enable_security_groups_for_pods = false | ||
|
|
||
| # Add tags to all resources | ||
| tags = local.tags | ||
|
|
||
| # Node groups | ||
| eks_managed_node_groups = { | ||
| main = { | ||
| name = var.name | ||
| instance_types = [var.instance_type] | ||
| ami_type = "BOTTLEROCKET_x86_64_FIPS" | ||
|
|
||
| min_size = var.node_group_min_size | ||
| max_size = var.node_group_max_size | ||
| desired_size = var.node_group_desired_size | ||
|
|
||
| disk_size = var.node_disk_size | ||
|
|
||
| # Let the module create the IAM role with permissions boundary | ||
| create_iam_role = true | ||
| iam_role_use_name_prefix = false | ||
| iam_role_name = "${substr(var.name, 0, 30)}-eks-node-role" | ||
| iam_role_permissions_boundary = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary_name}" | ||
|
|
||
| # Use our custom launch template that has public IP association | ||
| create_launch_template = false | ||
| launch_template_id = aws_launch_template.eks_node_group.id | ||
| launch_template_version = aws_launch_template.eks_node_group.latest_version | ||
|
|
||
| # Add required policies for node functionality | ||
| iam_role_additional_policies = { | ||
| AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" | ||
| AmazonEBSCSIDriverPolicy = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" | ||
| } | ||
|
|
||
| tags = merge(local.tags, { | ||
| PermissionsBoundary = var.permissions_boundary_name | ||
| }) | ||
| } | ||
| } | ||
|
|
||
| # EKS Addons | ||
| cluster_addons = { | ||
| vpc-cni = { | ||
| most_recent = true | ||
| configuration_values = jsonencode({ | ||
| enableNetworkPolicy = "true" | ||
| }) | ||
| } | ||
| aws-ebs-csi-driver = { | ||
| most_recent = true | ||
| } | ||
| kube-proxy = { | ||
| most_recent = true | ||
| } | ||
| coredns = { | ||
| most_recent = true | ||
| configuration_values = jsonencode({ | ||
| corefile = <<-EOT | ||
| .:53 { | ||
| errors | ||
| health { | ||
| lameduck 5s | ||
| } | ||
| ready | ||
| kubernetes cluster.local cluster.local in-addr.arpa ip6.arpa { | ||
| pods insecure | ||
| fallthrough in-addr.arpa ip6.arpa | ||
| ttl 30 | ||
| } | ||
| prometheus 0.0.0.0:9153 | ||
| forward . /etc/resolv.conf | ||
| cache 30 | ||
| loop | ||
| reload | ||
| loadbalance | ||
| rewrite stop { | ||
| name regex (.*\.admin\.uds\.dev) admin-ingressgateway.istio-admin-gateway.svc.cluster.local answer auto | ||
| } | ||
| rewrite stop { | ||
| name regex (.*\.uds\.dev) tenant-ingressgateway.istio-tenant-gateway.svc.cluster.local answer auto | ||
| } | ||
| } | ||
| EOT | ||
| }) | ||
| } | ||
| } | ||
| } | ||
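Review bot: the comment `# Add CloudWatch logging` sits above `cluster_enabled_log_types = []` and `cloudwatch_log_group_retention_in_days = 0`, which do the opposite: no control-plane log types are enabled, so either reword the comment to say logging is intentionally off for this CI cluster or list the types meant to be shipped (audit and authenticator are the ones a reviewer would expect). Two further points: `disk_size = var.node_disk_size` is set while `create_launch_template = false` points the node group at the custom `aws_launch_template`, and the EKS module documents `disk_size` as valid only without a custom launch template, so the value is likely ignored and a `block_device_mappings` block on the template is what would actually size the root volume; and `cluster_endpoint_public_access = true`, `cluster_endpoint_private_access = false` and `associate_public_ip_address = true` together give the API endpoint and every node a public address, which is acceptable for a throwaway CI cluster but worth restricting with the module's `cluster_endpoint_public_access_cidrs` if the runner egress range is known.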
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| # Copyright 2024 Defense Unicorns | ||
| # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial | ||
|
|
||
| # Common data sources | ||
| data "aws_caller_identity" "current" {} | ||
| data "aws_partition" "current" {} | ||
| data "aws_region" "current" {} | ||
|
|
||
| # Use existing VPC and subnets | ||
| data "aws_vpc" "vpc" { | ||
| filter { | ||
| name = "tag:Name" | ||
| values = [var.vpc_name] | ||
| } | ||
| } | ||
|
|
||
| data "aws_subnet" "eks_ci_subnet_b" { | ||
| vpc_id = data.aws_vpc.vpc.id | ||
| availability_zone = "${var.region}b" | ||
|
|
||
| filter { | ||
| name = "tag:Name" | ||
| values = [var.subnet_name] | ||
| } | ||
| } | ||
|
|
||
| data "aws_subnet" "eks_ci_subnet_c" { | ||
| vpc_id = data.aws_vpc.vpc.id | ||
| availability_zone = "${var.region}c" | ||
|
|
||
| filter { | ||
| name = "tag:Name" | ||
| values = [var.subnet_name] | ||
| } | ||
| } |
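Review bot: `data "aws_region" "current"` is declared but the availability zones are built from `var.region` (`"${var.region}b"`, `"${var.region}c"`), so the data source is either unused or a second source of truth for the region; use `data.aws_region.current.name` in the AZ strings or drop the data source. Both subnet lookups also filter on the same `tag:Name` value (`var.subnet_name`) and differ only by AZ, which works only while exactly one subnet per AZ carries that tag and fails at plan time if the tag is shared or missing in one AZ, so a comment stating that naming assumption would help the next maintainer.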