fix(DMVP-5330): fix in main test for fluent-bit and have option to se…

…t image pull secrets for fluent-bit pods

README.md

@@ -268,7 +268,7 @@ worker_groups = {
 | <a name="input_enable_sso_rbac"></a> [enable\_sso\_rbac](#input\_enable\_sso\_rbac) | Enable SSO RBAC integration or not | `bool` | `false` | no |
 | <a name="input_enable_waf_for_alb"></a> [enable\_waf\_for\_alb](#input\_enable\_waf\_for\_alb) | Enables WAF and WAF V2 addons for ALB | `bool` | `false` | no |
 | <a name="input_external_secrets_namespace"></a> [external\_secrets\_namespace](#input\_external\_secrets\_namespace) | The namespace of external-secret operator | `string` | `"kube-system"` | no |
-| <a name="input_fluent_bit_configs"></a> [fluent\_bit\_configs](#input\_fluent\_bit\_configs) | Fluent Bit configs | <pre>object({<br>    fluent_bit_name       = optional(string, "")<br>    log_group_name        = optional(string, "")<br>    system_log_group_name = optional(string, "")<br>    log_retention_days    = optional(number, 90)<br>    values_yaml           = optional(string, "")<br>    configs = optional(object({<br>      inputs                     = optional(string, "")<br>      filters                    = optional(string, "")<br>      outputs                    = optional(string, "")<br>      cloudwatch_outputs_enabled = optional(bool, true)<br>    }), {})<br>    drop_namespaces        = optional(list(string), [])<br>    log_filters            = optional(list(string), [])<br>    additional_log_filters = optional(list(string), [])<br>    kube_namespaces        = optional(list(string), [])<br>  })</pre> | <pre>{<br>  "additional_log_filters": [<br>    "ELB-HealthChecker",<br>    "Amazon-Route53-Health-Check-Service"<br>  ],<br>  "configs": {<br>    "cloudwatch_outputs_enabled": true,<br>    "filters": "",<br>    "inputs": "",<br>    "outputs": ""<br>  },<br>  "drop_namespaces": [<br>    "kube-system",<br>    "opentelemetry-operator-system",<br>    "adot",<br>    "cert-manager",<br>    "opentelemetry.*",<br>    "meta.*"<br>  ],<br>  "fluent_bit_name": "",<br>  "kube_namespaces": [<br>    "kube.*",<br>    "meta.*",<br>    "adot.*",<br>    "devops.*",<br>    "cert-manager.*",<br>    "git.*",<br>    "opentelemetry.*",<br>    "stakater.*",<br>    "renovate.*"<br>  ],<br>  "log_filters": [<br>    "kube-probe",<br>    "health",<br>    "prometheus",<br>    "liveness"<br>  ],<br>  "log_group_name": "",<br>  "log_retention_days": 90,<br>  "system_log_group_name": "",<br>  "values_yaml": ""<br>}</pre> | no |
+| <a name="input_fluent_bit_configs"></a> [fluent\_bit\_configs](#input\_fluent\_bit\_configs) | Fluent Bit configs | <pre>object({<br>    fluent_bit_name       = optional(string, "")<br>    log_group_name        = optional(string, "")<br>    system_log_group_name = optional(string, "")<br>    log_retention_days    = optional(number, 90)<br>    values_yaml           = optional(string, "")<br>    configs = optional(object({<br>      inputs                     = optional(string, "")<br>      filters                    = optional(string, "")<br>      outputs                    = optional(string, "")<br>      cloudwatch_outputs_enabled = optional(bool, true)<br>    }), {})<br>    drop_namespaces        = optional(list(string), [])<br>    log_filters            = optional(list(string), [])<br>    additional_log_filters = optional(list(string), [])<br>    kube_namespaces        = optional(list(string), [])<br>    image_pull_secrets     = optional(list(string), [])<br>  })</pre> | <pre>{<br>  "additional_log_filters": [<br>    "ELB-HealthChecker",<br>    "Amazon-Route53-Health-Check-Service"<br>  ],<br>  "configs": {<br>    "cloudwatch_outputs_enabled": true,<br>    "filters": "",<br>    "inputs": "",<br>    "outputs": ""<br>  },<br>  "drop_namespaces": [<br>    "kube-system",<br>    "opentelemetry-operator-system",<br>    "adot",<br>    "cert-manager",<br>    "opentelemetry.*",<br>    "meta.*"<br>  ],<br>  "fluent_bit_name": "",<br>  "image_pull_secrets": [],<br>  "kube_namespaces": [<br>    "kube.*",<br>    "meta.*",<br>    "adot.*",<br>    "devops.*",<br>    "cert-manager.*",<br>    "git.*",<br>    "opentelemetry.*",<br>    "stakater.*",<br>    "renovate.*"<br>  ],<br>  "log_filters": [<br>    "kube-probe",<br>    "health",<br>    "prometheus",<br>    "liveness"<br>  ],<br>  "log_group_name": "",<br>  "log_retention_days": 90,<br>  "system_log_group_name": "",<br>  "values_yaml": ""<br>}</pre> | no |
 | <a name="input_manage_aws_auth"></a> [manage\_aws\_auth](#input\_manage\_aws\_auth) | n/a | `bool` | `true` | no |
 | <a name="input_map_roles"></a> [map\_roles](#input\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. | <pre>list(object({<br>    rolearn  = string<br>    username = string<br>    groups   = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_metrics_exporter"></a> [metrics\_exporter](#input\_metrics\_exporter) | Metrics Exporter, can use cloudwatch or adot | `string` | `"adot"` | no |

fluent-bit.tf

@@ -14,6 +14,7 @@ module "fluent-bit" {
   log_group_name        = try(var.fluent_bit_configs.log_group_name, "") != "" ? var.fluent_bit_configs.log_group_name : "fluent-bit-cloudwatch-${module.eks-cluster[0].cluster_id}"
   system_log_group_name = try(var.fluent_bit_configs.system_log_group_name, "")
   log_retention_days    = try(var.fluent_bit_configs.log_retention_days, 90)
+  image_pull_secrets    = try(var.fluent_bit_configs.image_pull_secrets, [])
 
   values_yaml = try(var.fluent_bit_configs.values_yaml, "")
 

modules/fluent-bit/README.md

@@ -55,6 +55,7 @@ No modules.
 | <a name="input_eks_oidc_root_ca_thumbprint"></a> [eks\_oidc\_root\_ca\_thumbprint](#input\_eks\_oidc\_root\_ca\_thumbprint) | n/a | `string` | n/a | yes |
 | <a name="input_fluent_bit_config"></a> [fluent\_bit\_config](#input\_fluent\_bit\_config) | You can add other inputs,outputs and filters which module doesn't have by default | `any` | <pre>{<br>  "cloudwatch_outputs_enabled": true,<br>  "filters": "",<br>  "inputs": "",<br>  "outputs": ""<br>}</pre> | no |
 | <a name="input_fluent_bit_name"></a> [fluent\_bit\_name](#input\_fluent\_bit\_name) | Container resource name. | `string` | `"fluent-bit"` | no |
+| <a name="input_image_pull_secrets"></a> [image\_pull\_secrets](#input\_image\_pull\_secrets) | Secret name which can we use for download image | `list(string)` | `[]` | no |
 | <a name="input_kube_namespaces"></a> [kube\_namespaces](#input\_kube\_namespaces) | Kubernates namespaces | `list(string)` | <pre>[<br>  "kube.*",<br>  "meta.*",<br>  "adot.*",<br>  "devops.*",<br>  "cert-manager.*",<br>  "git.*",<br>  "opentelemetry.*",<br>  "stakater.*",<br>  "renovate.*"<br>]</pre> | no |
 | <a name="input_log_filters"></a> [log\_filters](#input\_log\_filters) | Fluent bit doesn't send logs if message consists of this values | `list(string)` | <pre>[<br>  "kube-probe",<br>  "health",<br>  "prometheus",<br>  "liveness"<br>]</pre> | no |
 | <a name="input_log_group_name"></a> [log\_group\_name](#input\_log\_group\_name) | Log group name fluent-bit will be streaming logs into. | `string` | `"fluentbit-default-log-group"` | no |

modules/fluent-bit/locals.tf

@@ -16,6 +16,7 @@ locals {
     filters                    = try(var.fluent_bit_config.filters, "")
     cloudwatch_outputs_enabled = try(var.fluent_bit_config.cloudwatch_outputs_enabled, true)
     kube_namespaces            = var.kube_namespaces
+    imagePullSecrets           = [for item in var.image_pull_secrets : { name : item }]
   }
 
   values = var.values_yaml == "" ? templatefile("${path.module}/values.yaml.tpl", local.config_settings) : var.values_yaml

modules/fluent-bit/values.yaml.tpl

@@ -1,3 +1,4 @@
+imagePullSecrets: ${jsonencode(imagePullSecrets)}
 config:
   ## https://docs.fluentbit.io/manual/pipeline/inputs
   inputs: |

modules/fluent-bit/variables.tf

@@ -138,3 +138,9 @@ variable "additional_log_filters" {
   ]
   description = "Fluent bit doesn't send logs if message consists of this values"
 }
+
+variable "image_pull_secrets" {
+  type        = list(string)
+  default     = []
+  description = "Secret name which can we use for download image"
+}

tests/eks-fluent-bit/0-setup.tf

@@ -1,16 +1,12 @@
 terraform {
   required_providers {
-    test = {
-      source = "terraform.io/builtin/test"
-    }
-
     aws = {
       source  = "hashicorp/aws"
       version = ">= 3.41"
     }
   }
 
-  required_version = ">= 1.3.0, < 1.6.0"
+  required_version = ">= 1.3.0, < 2.0.0"
 }
 
 /**

tests/eks-fluent-bit/1-example.tf

@@ -12,33 +12,28 @@ data "aws_subnet_ids" "subnets" {
 module "this" {
   source = "../.."
 
-  account_id = "0000000000"
   adot_config = {
     "accept_namespace_regex" : "(default|kube-system)",
     "additional_metrics" : [],
     "log_group_name" : "adot-logs"
   }
   cluster_enabled_log_types = ["audit"]
-  cluster_name              = "eks-dev"
+  cluster_name              = "test-eks-fluent-bit"
   cluster_version           = "1.27"
   metrics_exporter          = "adot"
   node_groups = {
     "dev_nodes" : {
-      "desired_size" : 2,
-      "max_capacity" : 5,
-      "max_size" : 5,
-      "min_size" : 2
+      "desired_size" : 1,
+      "max_capacity" : 1,
+      "max_size" : 1,
+      "min_size" : 1
     }
   }
   node_groups_default = {
     "capacity_type" : "SPOT",
     "instance_types" : ["t3.medium"]
   }
   send_alb_logs_to_cloudwatch = false
-  users = [
-    { "username" : "dasmeta" },
-  ]
-
   vpc = {
     link = {
       id                 = data.aws_vpcs.ids.ids[0]
@@ -47,10 +42,11 @@ module "this" {
   }
 
   fluent_bit_configs = {
-    config = {
+    configs = {
       inputs  = templatefile("${path.module}/templates/inputs.yaml.tpl", {})
       outputs = templatefile("${path.module}/templates/outputs.yaml.tpl", {})
       filters = templatefile("${path.module}/templates/filters.yaml.tpl", {})
+      # cloudwatch_outputs_enabled = false # uncomment in case you want also to disable default cloudwatch log exporters/outputs
     }
     drop_namespaces = [
       "kube-system",

tests/eks-fluent-bit/README.md

@@ -5,15 +5,14 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0, < 1.6.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0, < 2.0.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.41 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.41 |
-| <a name="provider_test"></a> [test](#provider\_test) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.67.0 |
 
 ## Modules
 
@@ -25,7 +24,6 @@
 
 | Name | Type |
 |------|------|
-| test_assertions.dummy | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_subnet_ids.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
 | [aws_vpcs.ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source |

tests/eks-fluent-bit/templates/outputs.yaml.tpl

@@ -1,7 +1,7 @@
 [OUTPUT]
     Name s3
     Match test.*
-    bucket s3-bucket
+    bucket test-eks-fluent-bit-dasmeta
     region eu-central-1
     total_file_size 250M
     s3_key_format /%Y/%m/%d/%H_%M_%S.gz

variables.tf

@@ -121,13 +121,15 @@ variable "fluent_bit_configs" {
     log_filters            = optional(list(string), [])
     additional_log_filters = optional(list(string), [])
     kube_namespaces        = optional(list(string), [])
+    image_pull_secrets     = optional(list(string), [])
   })
   default = {
     fluent_bit_name       = ""
     log_group_name        = ""
     system_log_group_name = ""
     log_retention_days    = 90
     values_yaml           = ""
+    image_pull_secrets    = []
     configs = {
       inputs                     = ""
       outputs                    = ""