Merge pull request #81 from dasmeta/DMVP-eks-update

fix(DMVP-eks): Upgrade eks module, Fix ADOT, Fix Fluent-bit
dasmeta · Oct 12, 2023 · 0c41f24 · 0c41f24
2 parents cbf0872 + 8ced620
commit 0c41f24
Show file tree

Hide file tree

Showing 17 changed files with 96 additions and 36 deletions.
diff --git a/README.md b/README.md
@@ -195,6 +195,7 @@ worker_groups = {
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.31, < 5.0.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | >= 2.4.1 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | n/a |
 
 ## Modules
 
@@ -223,6 +224,7 @@ worker_groups = {
 |------|------|
 | [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kube-state-metrics](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_namespace.meta-system](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 

diff --git a/adot.tf b/adot.tf
@@ -0,0 +1,18 @@
+module "adot" {
+  source = "./modules/adot"
+
+  count = var.metrics_exporter == "adot" ? 1 : 0
+
+  cluster_name                = var.cluster_name
+  eks_oidc_root_ca_thumbprint = local.eks_oidc_root_ca_thumbprint
+  oidc_provider_arn           = module.eks-cluster[0].oidc_provider_arn
+  adot_config                 = var.adot_config
+  adot_version                = var.adot_version
+  prometheus_metrics          = var.prometheus_metrics
+  region                      = local.region
+  depends_on = [
+    module.eks-cluster,
+    helm_release.cert-manager,
+    kubernetes_namespace.meta-system
+  ]
+}
diff --git a/fluent-bit.tf b/fluent-bit.tf
@@ -40,4 +40,8 @@ module "fluent-bit" {
     outputs = ""
     filters = ""
   })
+
+  depends_on = [
+    module.eks-cluster
+  ]
 }
diff --git a/main.tf b/main.tf
@@ -249,14 +249,18 @@ module "alb-ingress-controller" {
   # create_alb_log_bucket       = true
   # alb_log_bucket_name = var.alb_log_bucket_name != "" ? var.alb_log_bucket_name : "${module.eks-cluster[0].cluster_id}-ingress-controller-log-bucket"
   # alb_log_bucket_path = var.alb_log_bucket_path != "" ? var.alb_log_bucket_path : module.eks-cluster[0].cluster_id
+
+  depends_on = [
+    module.eks-cluster
+  ]
 }
 
 module "metrics-server" {
   source = "./modules/metrics-server"
 
   count = var.create ? 1 : 0
 
-  name = var.metrics_server_name != "" ? var.metrics_server_name : "${module.eks-cluster[0].cluster_id}-metrics-server"
+  name = var.metrics_server_name != "" ? var.metrics_server_name : "${module.eks-cluster[0].cluster_name}-metrics-server"
 }
 
 module "external-secrets" {
@@ -296,24 +300,6 @@ module "efs-csi-driver" {
   cluster_oidc_arn = module.eks-cluster[0].oidc_provider_arn
 }
 
-module "adot" {
-  source = "./modules/adot"
-
-  count = var.metrics_exporter == "adot" ? 1 : 0
-
-  cluster_name                = var.cluster_name
-  eks_oidc_root_ca_thumbprint = local.eks_oidc_root_ca_thumbprint
-  oidc_provider_arn           = module.eks-cluster[0].oidc_provider_arn
-  adot_config                 = var.adot_config
-  adot_version                = var.adot_version
-  prometheus_metrics          = var.prometheus_metrics
-  region                      = local.region
-  depends_on = [
-    module.eks-cluster,
-    helm_release.cert-manager
-  ]
-}
-
 resource "helm_release" "cert-manager" {
   count = var.create_cert_manager ? 1 : var.metrics_exporter == "adot" ? 1 : 0
 

diff --git a/meta-system.tf b/meta-system.tf
@@ -0,0 +1,5 @@
+resource "kubernetes_namespace" "meta-system" {
+  metadata {
+    name = "meta-system"
+  }
+}
diff --git a/modules/adot/main.tf b/modules/adot/main.tf
@@ -19,8 +19,8 @@ resource "helm_release" "adot-collector" {
   wait             = false
 
   values = [
-    contains(keys(var.adot_config), "helm_values") && var.adot_config.helm_values != null ?
-    var.adot_config.helm_values :
+    contains(keys(var.adot_config), "helm_values") && contains(keys(var.adot_config), "helm_values") != null ?
+    contains(keys(var.adot_config), "helm_values") :
     templatefile("${path.module}/templates/adot-values.yaml.tpl", {
       region                     = local.region
       cluster_name               = var.cluster_name
@@ -29,6 +29,7 @@ resource "helm_release" "adot-collector" {
       metrics                    = local.merged_metrics
       metrics_namespace_specific = local.merged_namespace_specific
       prometheus_metrics         = var.prometheus_metrics
+      namespace                  = var.namespace
     })
   ]
 

diff --git a/modules/adot/templates/adot-values.yaml.tpl b/modules/adot/templates/adot-values.yaml.tpl
@@ -12,7 +12,7 @@ adotCollector:
     sidecarPullPolicy: "Always"
   daemonSet:
     createNamespace: false
-    namespace: adot
+    namespace: ${namespace}
     serviceAccount:
       create: false
       annotations: {}

diff --git a/modules/adot/tests/promethus_metrics/README.md b/modules/adot/tests/promethus_metrics/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.11.0 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | n/a |
 | <a name="provider_test"></a> [test](#provider\_test) | n/a |
 
 ## Modules

diff --git a/modules/adot/tests/template_file/README.md b/modules/adot/tests/template_file/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_helm"></a> [helm](#provider\_helm) | n/a |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.9.0 |
 | <a name="provider_test"></a> [test](#provider\_test) | n/a |
 
 ## Modules

diff --git a/modules/eks/README.md b/modules/eks/README.md
@@ -47,7 +47,7 @@ module "cluster_min" {
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_eks-cluster"></a> [eks-cluster](#module\_eks-cluster) | terraform-aws-modules/eks/aws | 18.30.0 |
+| <a name="module_eks-cluster"></a> [eks-cluster](#module\_eks-cluster) | terraform-aws-modules/eks/aws | 18.31.2 |
 
 ## Resources
 

diff --git a/modules/eks/locals.tf b/modules/eks/locals.tf
@@ -24,6 +24,14 @@ locals {
       type                          = "ingress"
       source_cluster_security_group = true
     },
+    ingress_cluster_self = {
+      description = "Access Security Group Self"
+      protocol    = "-1"
+      from_port   = 0
+      to_port     = 0
+      type        = "ingress"
+      self        = true
+    },
     egress_all = {
       description      = "Node all egress"
       protocol         = "-1"

diff --git a/modules/eks/main.tf b/modules/eks/main.tf
@@ -4,7 +4,7 @@
 
 module "eks-cluster" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "18.30.0"
+  version = "18.31.2"
 
   # per Upgrade from v17.x to v18.x, see here for details https://github.com/terraform-aws-modules/terraform-aws-eks/blob/681e00aafea093be72ec06ada3825a23a181b1c5/docs/UPGRADE-18.0.md
   prefix_separator                   = ""

diff --git a/modules/fluent-bit/README.md b/modules/fluent-bit/README.md
@@ -51,10 +51,11 @@ No modules.
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | AWS EKS Cluster name. | `string` | n/a | yes |
 | <a name="input_create_log_group"></a> [create\_log\_group](#input\_create\_log\_group) | Wether or no to create log group. | `bool` | `true` | no |
 | <a name="input_create_namespace"></a> [create\_namespace](#input\_create\_namespace) | Wether or no to create namespace. | `bool` | `false` | no |
-| <a name="input_drop_namespaces"></a> [drop\_namespaces](#input\_drop\_namespaces) | Flunt bit doesn't send logs for this namespaces | `list(string)` | <pre>[<br>  "kube-system",<br>  "opentelemetry-operator-system",<br>  "adot",<br>  "cert-manager"<br>]</pre> | no |
+| <a name="input_drop_namespaces"></a> [drop\_namespaces](#input\_drop\_namespaces) | Flunt bit doesn't send logs for this namespaces | `list(string)` | <pre>[<br>  "kube-system",<br>  "opentelemetry-operator-system",<br>  "adot",<br>  "cert-manager",<br>  "opentelemetry.*",<br>  "meta.*"<br>]</pre> | no |
 | <a name="input_eks_oidc_root_ca_thumbprint"></a> [eks\_oidc\_root\_ca\_thumbprint](#input\_eks\_oidc\_root\_ca\_thumbprint) | n/a | `string` | n/a | yes |
 | <a name="input_fluent_bit_config"></a> [fluent\_bit\_config](#input\_fluent\_bit\_config) | You can add other inputs,outputs and filters which module doesn't have by default | `any` | <pre>{<br>  "filters": "",<br>  "inputs": "",<br>  "outputs": ""<br>}</pre> | no |
 | <a name="input_fluent_bit_name"></a> [fluent\_bit\_name](#input\_fluent\_bit\_name) | Container resource name. | `string` | `"fluent-bit"` | no |
+| <a name="input_kube_namespaces"></a> [kube\_namespaces](#input\_kube\_namespaces) | Kubernates namespaces | `list(string)` | <pre>[<br>  "kube.*",<br>  "meta.*",<br>  "adot.*",<br>  "devops.*",<br>  "cert-manager.*",<br>  "git.*",<br>  "opentelemetry.*",<br>  "stakater.*",<br>  "renovate.*"<br>]</pre> | no |
 | <a name="input_log_filters"></a> [log\_filters](#input\_log\_filters) | Fluent bit doesn't send logs if message consists of this values | `list(string)` | <pre>[<br>  "kube-probe",<br>  "health",<br>  "prometheus",<br>  "liveness"<br>]</pre> | no |
 | <a name="input_log_group_name"></a> [log\_group\_name](#input\_log\_group\_name) | Log group name fluent-bit will be streaming logs into. | `string` | `"fluentbit-default-log-group"` | no |
 | <a name="input_log_retention_days"></a> [log\_retention\_days](#input\_log\_retention\_days) | If set to a number greater than zero, and newly create log group's retention policy is set to this many days. Valid values are: [0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] | `number` | `90` | no |

diff --git a/modules/fluent-bit/locals.tf b/modules/fluent-bit/locals.tf
@@ -14,6 +14,7 @@ locals {
     inputs                 = try(var.fluent_bit_config.inputs, "")
     outputs                = try(var.fluent_bit_config.outputs, "")
     filters                = try(var.fluent_bit_config.filters, "")
+    kube_namespaces        = var.kube_namespaces
   }
 
   values = var.values_yaml == "" ? templatefile("${path.module}/values.yaml.tpl", local.config_settings) : var.values_yaml

diff --git a/modules/fluent-bit/values.yaml.tpl b/modules/fluent-bit/values.yaml.tpl
@@ -31,24 +31,31 @@ config:
 
     [FILTER]
         Name          grep
-        Match         app.*
-        Exclude       $message ${log_filters}
+        Match         kube.*
+        Exclude       $log ${log_filters}
 
     [FILTER]
         Name          grep
-        Match         app.*
-        Exclude       $message ${additional_log_filters}
+        Match         kube.*
+        Exclude       $log ${additional_log_filters}
 
+%{ for value in kube_namespaces }
     [FILTER]
-        Name          grep
+        Name          rewrite_tag
         Match         kube.*
+        Rule          $kubernetes['namespace_name'] ^${value}$ system.$TAG false
+%{ endfor ~}
+
+    [FILTER]
+        Name          grep
+        Match         *
         Exclude       $kubernetes['namespace_name'] ${drop_namespaces}
 
     ${indent(4, filters)}
   outputs: |
     [OUTPUT]
         Name cloudwatch_logs
-        Match   *
+        Match  kube.*
         region ${region}
         log_group_name ${log_group_name}
         log_stream_prefix from-fluent-bit-
@@ -57,7 +64,16 @@ config:
 
     [OUTPUT]
         Name cloudwatch_logs
-        Match  kube.*
+        Match host.*
+        region ${region}
+        log_group_name ${system_log_group_name}
+        log_stream_prefix eks-
+        auto_create_group Off
+        log_retention_days ${log_retention_days}
+
+    [OUTPUT]
+        Name cloudwatch_logs
+        Match  system.*
         region ${region}
         log_group_name ${system_log_group_name}
         log_stream_prefix from-fluent-bit-

diff --git a/modules/fluent-bit/variables.tf b/modules/fluent-bit/variables.tf
@@ -95,11 +95,29 @@ variable "drop_namespaces" {
     "kube-system",
     "opentelemetry-operator-system",
     "adot",
-    "cert-manager"
+    "cert-manager",
+    "opentelemetry.*",
+    "meta.*",
   ]
   description = "Flunt bit doesn't send logs for this namespaces"
 }
 
+variable "kube_namespaces" {
+  type = list(string)
+  default = [
+    "kube.*",
+    "meta.*",
+    "adot.*",
+    "devops.*",
+    "cert-manager.*",
+    "git.*",
+    "opentelemetry.*",
+    "stakater.*",
+    "renovate.*"
+  ]
+  description = "Kubernates namespaces"
+}
+
 variable "log_filters" {
   type = list(string)
   default = [

diff --git a/tests/basic/README.md b/tests/basic/README.md
@@ -9,7 +9,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.67.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
 
 ## Modules