From a6c79d3e1a5d8e0a3ea9ff7c56704e9f52212971 Mon Sep 17 00:00:00 2001
From: Nandaja Varma
Date: Tue, 9 Aug 2022 10:36:04 +0000
Subject: [PATCH] Adding refresh by default

---
 install/infra/modules/eks/database.tf | 23 ++++----
 install/infra/modules/eks/kubernetes.tf | 70 +++++++++++++++++++----
 install/infra/single-cluster/aws/Makefile | 21 ++++++-
 3 files changed, 91 insertions(+), 23 deletions(-)

diff --git a/install/infra/modules/eks/database.tf b/install/infra/modules/eks/database.tf
index 82ea111adc5698..78154438b3c541 100644
--- a/install/infra/modules/eks/database.tf
+++ b/install/infra/modules/eks/database.tf
@@ -19,13 +19,6 @@ resource "aws_security_group" "rdssg" {
 name = "dh-sg-${var.cluster_name}"
 vpc_id = module.vpc.vpc_id
 
- ingress {
- from_port = 0
- to_port = 3306
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
 egress {
 from_port = 0
 to_port = 0
@@ -34,14 +27,24 @@ resource "aws_security_group" "rdssg" {
 }
 }
 
+resource "aws_security_group_rule" "db-ingress-nodes" {
+ description = "Allow nodes to communicate with the db"
+ from_port = 0
+ protocol = "tcp"
+ cidr_blocks = [var.vpc_cidr]
+ security_group_id = aws_security_group.rdssg[0].id
+ to_port = 3306
+ type = "ingress"
+}
+
 resource "aws_db_instance" "gitpod" {
 count = var.enable_external_database ? 1 : 0
- allocated_storage = 10
- max_allocated_storage = 100
+ allocated_storage = 20
+ max_allocated_storage = 120
 engine = "mysql"
 engine_version = "5.7"
- instance_class = "db.t3.micro"
+ instance_class = "db.m5.large"
 vpc_security_group_ids = [aws_security_group.rdssg[0].id]
 identifier = "db-${var.cluster_name}"
 name = "gitpod"
diff --git a/install/infra/modules/eks/kubernetes.tf b/install/infra/modules/eks/kubernetes.tf
index 3bef25d99b283e..b80bcaf05aa9a6 100644
--- a/install/infra/modules/eks/kubernetes.tf
+++ b/install/infra/modules/eks/kubernetes.tf
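Review bot: The new `db-ingress-nodes` rule still opens every TCP port from 0 through 3306 to the whole VPC range, because `from_port = 0` was carried over from the removed inline block; only the MySQL port is needed, so `from_port = 3306`. The group is addressed as `aws_security_group.rdssg[0]`, which suggests it is created conditionally with `count`, but the rule has no `count` of its own, so the index reference fails at plan time whenever the group is absent; mirror the guard with `count = var.enable_external_database ? 1 : 0` and reference `aws_security_group.rdssg[0].id` from it. Using `source_security_group_id = aws_security_group.nodes.id` (the node group defined in this module's kubernetes.tf) instead of `cidr_blocks = [var.vpc_cidr]` would also keep other workloads in the VPC away from the database.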
@@ -20,14 +20,46 @@ module "vpc" {
 enable_dns_hostnames = true
 }
 
+resource "aws_security_group_rule" "eks-worker-ingress-self" {
+ description = "Allow node to communicate with each other"
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.nodes.id
+ source_security_group_id = aws_security_group.nodes.id
+ to_port = 65535
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "eks-worker-ingress-cluster" {
+ description = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
+ from_port = 1025
+ protocol = "tcp"
+ security_group_id = aws_security_group.nodes.id
+ source_security_group_id = aws_security_group.nodes.id
+ to_port = 65535
+ type = "ingress"
+}
+
+### Worker Node Access to EKS Master
+resource "aws_security_group_rule" "eks-cluster-ingress-node-https" {
+ description = "Allow pods to communicate with the cluster API Server"
+ from_port = 443
+ protocol = "tcp"
+ security_group_id = aws_security_group.nodes.id
+ source_security_group_id = aws_security_group.nodes.id
+ to_port = 443
+ type = "ingress"
+}
+
+
 resource "aws_security_group" "nodes" {
 name = "nodes-sg-${var.cluster_name}"
 vpc_id = module.vpc.vpc_id
 
 ingress {
 from_port = 0
- to_port = 0
- protocol = "-1"
+ to_port = 6443
+ protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
 }
 
@@ -46,7 +78,8 @@ module "eks" {
 cluster_name = var.cluster_name
 cluster_version = var.cluster_version
 
- cluster_endpoint_public_access = true
+ cluster_endpoint_public_access = true
+ cluster_endpoint_private_access = true
 
 vpc_id = module.vpc.vpc_id
 subnet_ids = module.vpc.public_subnets
@@ -68,6 +101,7 @@ module "eks" {
 ami_id = var.image_id
 enable_bootstrap_user_data = true
 vpc_security_group_ids = [aws_security_group.nodes.id]
+ ebs_optimized = true
 }
 
 eks_managed_node_groups = {
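Review bot: The inline `ingress` block on `aws_security_group.nodes` still admits `0.0.0.0/0`; narrowing it from all protocols to TCP 0–6443 leaves SSH, HTTP(S) and every other port below 6443 reachable from the internet on nodes placed in `module.vpc.public_subnets`. If the intent is to let a load balancer reach the ingress ports, list those ports explicitly or use the load balancer's group as `source_security_group_id` rather than a CIDR. The descriptions of `eks-worker-ingress-cluster` and `eks-cluster-ingress-node-https` speak of traffic from the control plane, yet both set `source_security_group_id = aws_security_group.nodes.id`, so they only restate node-to-node access that `eks-worker-ingress-self` (protocol `-1`, ports 0–65535) already grants; the control-plane side would be the cluster security group, e.g. `module.eks.cluster_security_group_id` if that output is available in the module version used here. The AWS provider also documents that combining an inline `ingress {}` block with standalone `aws_security_group_rule` resources on the same group produces perpetual diffs, so the remaining inline rule should become a standalone rule too.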
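Review bot: `cluster_endpoint_public_access = true` is kept next to the new `cluster_endpoint_private_access = true`, so the API server remains reachable from any IPv4 address even though nodes now have a private path to it. Once in-VPC traffic uses the private endpoint, the public one only needs to serve operators; restrict it with `cluster_endpoint_public_access_cidrs = [<operator ranges>]` (a terraform-aws-eks input) or disable public access once cluster administration goes through the VPC. The `module "eks"` block starts and ends outside this hunk.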
@@ -77,19 +111,29 @@ module "eks" {
 name = "service-${var.cluster_name}"
 subnet_ids = module.vpc.public_subnets
 min_size = 1
- max_size = 10
- desired_size = 1
+ max_size = 4
+ desired_size = 2
 block_device_mappings = [{
 device_name = "/dev/sda1"
 ebs = [{
- volume_size = 150
+ volume_size = 300
+ volume_type = "gp3"
+ throughput = 500
+ iops = 6000
+ delete_on_termination = true
 }]
 }]
 labels = {
 "gitpod.io/workload_meta" = true
 "gitpod.io/workload_ide" = true
 }
+
+ tags = {
+ "k8s.io/cluster-autoscaler/enabled" = true
+ "k8s.io/cluster-autoscaler/gitpod" = "owned"
+ }
+
 pre_bootstrap_user_data = <<-EOT
 #!/bin/bash
 set -ex
@@ -97,7 +141,7 @@ module "eks" {
 export CONTAINER_RUNTIME="containerd"
 export USE_MAX_PODS=false
 EOF
- # Source extra environment variables in bootstrap script
+ # Source extra environment 5ariables in bootstrap script
 sed -i '/^set -o errexit/a\\nsource /etc/profile.d/bootstrap.sh' /etc/eks/bootstrap.sh
 EOT
 }
@@ -107,21 +151,27 @@ module "eks" {
 name = "ws-${var.cluster_name}"
 subnet_ids = module.vpc.public_subnets
 min_size = 1
- max_size = 10
+ max_size = 50
 block_device_mappings = [{
 device_name = "/dev/sda1"
 ebs = [{
- volume_size = 150
+ volume_size = 300
 }]
 }]
- desired_size = 1
+ desired_size = 2
 enable_bootstrap_user_data = true
 labels = {
 "gitpod.io/workload_workspace_services" = true
 "gitpod.io/workload_workspace_regular" = true
 "gitpod.io/workload_workspace_headless" = true
 }
+
+ tags = {
+ "k8s.io/cluster-autoscaler/enabled" = true
+ "k8s.io/cluster-autoscaler/gitpod" = "owned"
+ }
+
 pre_bootstrap_user_data = <<-EOT
 #!/bin/bash
 set -ex
diff --git a/install/infra/single-cluster/aws/Makefile b/install/infra/single-cluster/aws/Makefile
index 63d56077a631cb..abf80fcce98ece 100644
--- a/install/infra/single-cluster/aws/Makefile
+++ b/install/infra/single-cluster/aws/Makefile
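Review bot: The expanded `ebs` mapping for the service node group now spells out `volume_type`, `throughput`, `iops` and `delete_on_termination` but not `encrypted = true`, so the 300 GiB root volumes stay unencrypted unless the account has EBS default encryption turned on; set it explicitly here, plus `kms_key_id` where a customer-managed key is required. The same applies to the ws node group in the later hunk at `@@ -107,21 +151,27 @@`, which additionally receives only `volume_size = 300` without the gp3 settings given to the service group, so it presumably falls back to the provider's default volume type; keeping the two mappings aligned avoids that divergence. The `module "eks"` block these node groups belong to starts and ends outside the hunk.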
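Review bot: The replaced comment inside the `pre_bootstrap_user_data` heredoc introduces a typo — `variables` became `5ariables` — so this hunk is a regression rather than a fix; restore `# Source extra environment variables in bootstrap script`. The surrounding heredoc and `module "eks"` block begin outside this hunk.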
@@ -6,8 +6,14 @@
 init:
 @terraform init
 
+touch-kubeconfig:
+ @touch kubeconfig
+
+cleanup-kubeconfig:
+ @rm kubeconfig
+
 .PHONY: plan
-plan: plan-cluster plan-cm-edns
+plan: touch-kubeconfig plan-cluster plan-cm-edns cleanup-kubeconfig
 
 .PHONY: apply
 apply: apply-cluster apply-tools
@@ -15,13 +21,22 @@ apply: apply-cluster apply-tools
 .PHONY: destroy
 destroy: destroy-tools destroy-cluster
 
+.PHONY: refresh
+refresh:
+ @echo "Refreshing terraform state"
+ @terraform refresh
+ @echo ""
+ @echo "Done!"
+
 .PHONY: output
-output: output-done-msg output-url output-nameservers output-registry output-database output-storage output-issuer
+output: refresh output-done-msg output-url output-nameservers output-registry output-database output-storage output-issuer
 
 output-done-msg:
+ @echo ""
+ @echo ""
 @echo "=========================="
 @echo "๐ŸŽ‰๐Ÿฅณ๐Ÿ”ฅ๐Ÿงก๐Ÿš€"
- @echo "Your cloud infrastructure is ready to install Gitpod. Please visit"
+ @echo "Your AWS cloud infrastructure is ready to install Gitpod. Please visit"
 @echo "https://www.gitpod.io/docs/self-hosted/latest/getting-started#step-4-install-gitpod"
 @echo "for your next steps."
 @echo "================="
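Review bot: `cleanup-kubeconfig` runs `rm kubeconfig` unconditionally at the end of `plan`, so when a real `kubeconfig` already exists in this directory (for example after an earlier `apply`) `make plan` deletes it instead of the empty placeholder it created. Only create the stub when the file is absent, e.g. `@test -e kubeconfig || touch kubeconfig`, and have the cleanup remove the file only if it is still the empty stub (`@test -s kubeconfig || rm -f kubeconfig`). Because make stops at the first failing prerequisite, `cleanup-kubeconfig` also never runs when any `plan-*` target fails, leaving the empty stub behind for later runs.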
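Review bot: `terraform refresh` is deprecated since Terraform 0.15.4 and rewrites state without showing a plan or asking for confirmation, so prepending `refresh` to `output` turns a read-only `make output` into a state-mutating command for anyone holding backend credentials. If the refreshed view is needed before printing outputs, the documented replacement is `@terraform apply -refresh-only -auto-approve`; if the state should only be inspected, `terraform plan -refresh-only` shows the drift without writing it.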