scottk/wlan-toolsmith
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/wlan-toolsmith.git synced 2025-11-03 04:18:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

WIFI-991: alb ingress for cicd (#53)

Browse Source 
* WIFI-991: alb ingress for cicd

* WIFI-991
- helmfile;
- helm values for cicd;

* WIFI-991
- EFS for cicd;
This commit is contained in:
eugenetaranov-opsfleet
2020-11-19 12:53:01 +03:00
committed by GitHub
parent 401336126a
commit f53d38f76c
18 changed files with 544 additions and 661 deletions
Download Patch File Download Diff File Expand all files Collapse all files

233
helm-values/aws-cicd.yaml Normal file
View File

@@ -0,0 +1,233 @@
# This is a development override file.
# It overrides the default Tip-Wlan parent chart behaviour
#
# It can be tweaked, based on the need to support different
# dev environments.
# This file expects to have a GlusterFS storage solution running
# before "helm install" is performed.
#################################################################
# Global configuration overrides.
#
# These overrides will affect all helm charts (ie. applications)
# that are listed below and are 'enabled'.
#################################################################
shared:
service:
srv-https-annotations: &srv-https-annotations
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/group.name: wlan-testcluster
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-east-1:289708231103:certificate/eeab0cc5-f6d1-4bf2-a125-9dbf10daed42"
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
global:
# Change to an unused port prefix range to prevent port conflicts
# with other instances running within the same k8s cluster
nodePortPrefix: 302
nodePortPrefixExt: 304
nsPrefix: tip
# image pull policy
pullPolicy: Always
repository: tip-tip-wlan-cloud-docker-repo.jfrog.io
# override default mount path root directory
# referenced by persistent volumes and log files
persistence:
# flag to enable debugging - application support required
debugEnabled: true
# Annotations for namespace
annotations: {
"helm.sh/resource-policy": keep
}
#createReleaseNamespace: false
# Docker registry secret
dockerRegistrySecret: ewoJImF1dGhzIjogewoJCSJ0aXAtdGlwLXdsYW4tY2xvdWQtZG9ja2VyLXJlcG8uamZyb2cuaW8iOiB7CgkJCSJhdXRoIjogImRHbHdMWEpsWVdRNmRHbHdMWEpsWVdRPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTkuMDMuOCAobGludXgpIgoJfQp9
#################################################################
# Enable/disable and configure helm charts (ie. applications)
# to customize the TIP-WLAN deployment.
#################################################################
opensync-gw-static:
enabled: false
common:
efs-provisioner:
enabled: false
provisioner:
efsFileSystemId: fs-49a5104c
awsRegion: us-west-2
efsDnsName: fs-49a5104c.efs.us-west-2.amazonaws.com
storageClass: aws-efs
opensync-gw-cloud:
service:
type: LoadBalancer
annotations:
external-dns.alpha.kubernetes.io/hostname: wlan-filestore.testcluster.lab.wlan.tip.build,opensync-controller.testcluster.lab.wlan.tip.build,opensync-redirector.testcluster.lab.wlan.tip.build
service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "alb-logs-tip-wlan-testcluster-xqgkeyjvjk"
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: "opensync-gw-cloud"
enabled: true
externalhostaddress:
ovsdb: opensync-controller.testcluster.lab.wlan.tip.build
mqtt: opensync-mqtt-broker.testcluster.lab.wlan.tip.build
persistence:
enabled: false
filestore:
url: "https://wlan-filestore.testcluster.lab.wlan.tip.build"
opensync-mqtt-broker:
service:
type: LoadBalancer
annotations:
external-dns.alpha.kubernetes.io/hostname: "opensync-mqtt-broker.testcluster.lab.wlan.tip.build"
service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "alb-logs-tip-wlan-testcluster-xqgkeyjvjk"
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: "opensync-mqtt-broker"
enabled: true
replicaCount: 1
persistence:
enabled: true
storageClass: "gp2"
wlan-cloud-graphql-gw:
enabled: true
ingress:
annotations:
<<: *srv-https-annotations
enabled: true
alb_https_redirect: true
hosts:
- host: wlan-graphql.testcluster.lab.wlan.tip.build
paths: [
/*
]
env:
portalsvc: wlan-portal-svc.testcluster.lab.wlan.tip.build
wlan-cloud-static-portal:
enabled: true
env:
graphql: https://wlan-graphql.testcluster.lab.wlan.tip.build
service:
type: NodePort
ingress:
annotations:
<<: *srv-https-annotations
alb.ingress.kubernetes.io/load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=alb-logs-tip-wlan-testcluster-xqgkeyjvjk,access_logs.s3.prefix=wlan-testcluster
alb_https_redirect: true
hosts:
- host: wlan-ui.testcluster.lab.wlan.tip.build
paths: [
/*
]
wlan-portal-service:
service:
type: NodePort
nodePort_static: false
enabled: true
persistence:
enabled: true
storageClass: gp2
accessMode: ReadWriteOnce
filestoreSize: 10Gi
tsp:
host: wlan-portal-svc.testcluster.lab.wlan.tip.build
ingress:
enabled: true
alb_https_redirect: true
tls: []
annotations:
<<: *srv-https-annotations
alb.ingress.kubernetes.io/backend-protocol: HTTPS
alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
alb.ingress.kubernetes.io/healthcheck-port: traffic-port
alb.ingress.kubernetes.io/healthcheck-path: /ping
hosts:
- host: wlan-portal-svc.testcluster.lab.wlan.tip.build
paths: [
/*
]
wlan-prov-service:
enabled: true
creds:
enabled: true
db:
postgresUser:
password: postgres
tipUser:
password: tip_password
schema_repo:
username: tip-read
password: tip-read
postgres:
singleDataSourceUsername: tip_user
singleDataSourcePassword: tip_password
singleDataSourceSslKeyPassword: mypassword
wlan-ssc-service:
enabled: true
creds:
sslKeyPassword: mypassword
sslKeystorePassword: mypassword
sslTruststorePassword: mypassword
cassandra:
tip_user: tip_user
tip_password: tip_password
schema_repo:
username: tip-read
password: tip-read
wlan-spc-service:
enabled: true
creds:
sslKeyPassword: mypassword
sslKeystorePassword: mypassword
sslTruststorePassword: mypassword
wlan-port-forwarding-gateway-service:
enabled: true
creds:
websocketSessionTokenEncKey: MyToKeN0MyToKeN1
externallyVisible:
host: api.wlan.testcluster.lab.wlan.tip.build
port: 30401
zookeeper:
enabled: true
replicaCount: 1
persistence:
enabled: true
storageClass: "gp2"
kafka:
enabled: true
replicaCount: 1
persistence:
enabled: true
storageClass: "gp2"
creds:
sslKeystorePassword: mypassword
sslTruststorePassword: mypassword
sslKeyPassword: mypassword
cassandra:
enabled: true
config:
replicaCount: 3
seedCount: 2
persistence:
enabled: true
storageClass: "gp2"
resources:
requests:
cpu: 500m
memory: 3800Mi
limits:
cpu: 1000m
memory: 3800Mi
creds:
sslKeystorePassword: mypassword
sslTruststorePassword: mypassword
postgresql:
enabled: true
postgresqlPassword: postgres
## NOTE: If we are using glusterfs as Storage class, we don't really need
## replication turned on, since the data is anyway replicated on glusterfs nodes
## Replication is useful:
## a. When we use HostPath as storage mechanism
## b. If master goes down and one of the slave is promoted as master
replication:
enabled: true
slaveReplicas: 1
persistence:
enabled: true
storageClass: "gp2"

2
helmfile/cloud-sdk/envs/common/cluster-autoscaler.yaml.gotmpl
View File

@@ -10,7 +10,7 @@ rbac:
create: true create: true
pspEnabled: true pspEnabled: true
serviceAccountAnnotations: serviceAccountAnnotations:
eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Environment.Values.eks.accountID }}:role/tip-wlan-main-cluster-autoscaler eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Environment.Values.eks.accountID }}:role/{{ .Environment.Values.eks.clusterName }}-cluster-autoscaler
extraArgs: extraArgs:
balance-similar-node-groups: true balance-similar-node-groups: true
skip-nodes-with-system-pods: false skip-nodes-with-system-pods: false

3
helmfile/cloud-sdk/envs/common/external-dns.yaml.gotmpl
View File

@@ -6,8 +6,9 @@ domainFilters:
- {{ .Environment.Values.domain }} - {{ .Environment.Values.domain }}
sources: sources:
- ingress - ingress
- service
txtOwnerId: /hostedzone/{{ .Environment.Values.eks.hostedZoneId }} txtOwnerId: /hostedzone/{{ .Environment.Values.eks.hostedZoneId }}
policy: sync policy: sync
rbac: rbac:
serviceAccountAnnotations: serviceAccountAnnotations:
eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Environment.Values.eks.accountID }}:role/tip-wlan-main-external-dns eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Environment.Values.eks.accountID }}:role/{{ .Environment.Values.eks.clusterName }}-external-dns

20
helmfile/cloud-sdk/helmfile.yaml
View File

@@ -1,6 +1,6 @@
repositories: repositories:
- name: stable - name: stable
url: https://kubernetes-charts.storage.googleapis.com url: https://charts.helm.sh/stable
- name: kiwigrid - name: kiwigrid
url: https://kiwigrid.github.io url: https://kiwigrid.github.io
- name: nginx - name: nginx
@@ -31,7 +31,7 @@ environments:
clusterName: tip-wlan-main clusterName: tip-wlan-main
region: us-east-2 region: us-east-2
accountID: 289708231103 accountID: 289708231103
hostedZoneId: Z09534373UTXT2L1YL912 hostedZoneId: Z054431439VV8JBXTLZ8B
certificateARN: arn:aws:acm:us-east-2:289708231103:certificate/510429bd-1a3d-4c43-90ce-8e340795a888 certificateARN: arn:aws:acm:us-east-2:289708231103:certificate/510429bd-1a3d-4c43-90ce-8e340795a888
- monitoring: - monitoring:
namespace: monitoring namespace: monitoring
@@ -49,6 +49,8 @@ environments:
enabled: true enabled: true
- external-dns: - external-dns:
enabled: true enabled: true
- alb-ingress:
enabled: true
helmDefaults: helmDefaults:
force: false force: false
@@ -292,3 +294,17 @@ releases:
kubernetes.io/ingress.class: nginx-sso kubernetes.io/ingress.class: nginx-sso
hosts: hosts:
- kibana.{{ .Environment.Values.domain }} - kibana.{{ .Environment.Values.domain }}
- name: aws-load-balancer-controller
<<: *default
condition: alb-ingress.enabled
chart: eks/aws-load-balancer-controller
version: 1.0.5
values:
- serviceAccount:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.eks.accountID }}:role/{{ .Values.eks.clusterName }}-alb-ingress
clusterName: {{ .Values.eks.clusterName }}
enableShield: false
enableWaf: false
enableWafv2: false
logLevel: debug

224
terraform/wifi-289708231103/cloudsdk_cicd/alb_ingress_controller.tf Normal file
View File

@@ -0,0 +1,224 @@
module "alb_ingress_iam_role" {
source = "git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-assumable-role-with-oidc?ref=v2.12.0"
role_name = "${module.eks.cluster_id}-alb-ingress"
provider_url = local.oidc_provider_url
role_policy_arns = [
aws_iam_policy.alb_ingress_iam_policy.arn,
]
create_role = true
}
resource "aws_iam_policy" "alb_ingress_iam_policy" {
name_prefix = "alb-ingress-iam-policy-"
description = "ALB ingress policy for cluster ${local.cluster_name}"
policy = data.aws_iam_policy_document.alb_ingress_iam_policy.json
}
data "aws_iam_policy_document" "alb_ingress_iam_policy" {
statement {
actions = [
"iam:CreateServiceLinkedRole",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeInternetGateways",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeTags",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTags"
]
effect = "Allow"
resources = ["*"]
}
statement {
actions = [
"cognito-idp:DescribeUserPoolClient",
"acm:ListCertificates",
"acm:DescribeCertificate",
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"waf-regional:GetWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL",
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:AssociateWebACL",
"wafv2:DisassociateWebACL",
"shield:GetSubscriptionState",
"shield:DescribeProtection",
"shield:CreateProtection",
"shield:DeleteProtection"
]
effect = "Allow"
resources = ["*"]
}
statement {
actions = [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress"
]
effect = "Allow"
resources = ["*"]
}
statement {
actions = [
"ec2:CreateSecurityGroup"
]
effect = "Allow"
resources = ["*"]
}
statement {
actions = [
"ec2:CreateTags"
]
effect = "Allow"
resources = ["arn:aws:ec2:*:*:security-group/*"]
condition {
test = "StringEquals"
values = ["CreateSecurityGroup"]
variable = "ec2:CreateAction"
}
condition {
test = "Null"
values = ["false"]
variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
}
}
statement {
actions = [
"ec2:CreateTags",
"ec2:DeleteTags"
]
effect = "Allow"
resources = ["arn:aws:ec2:*:*:security-group/*"]
condition {
test = "Null"
values = ["true"]
variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
}
condition {
test = "Null"
values = ["false"]
variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
}
}
statement {
actions = [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
]
effect = "Allow"
resources = ["arn:aws:ec2:*:*:security-group/*"]
condition {
test = "Null"
values = ["false"]
variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
}
}
statement {
actions = [
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup"
]
effect = "Allow"
resources = ["*"]
condition {
test = "Null"
values = ["false"]
variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
}
}
statement {
actions = [
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteRule"
]
effect = "Allow"
resources = ["*"]
}
statement {
actions = [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
]
effect = "Allow"
resources = [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
]
condition {
test = "Null"
values = ["true"]
variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
}
condition {
test = "Null"
values = ["false"]
variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
}
}
statement {
actions = [
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DeleteTargetGroup"
]
effect = "Allow"
resources = ["*"]
condition {
test = "Null"
values = ["false"]
variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
}
}
statement {
actions = [
"elasticloadbalancing:SetWebAcl",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyRule"
]
effect = "Allow"
resources = ["*"]
}
}

68
terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_filestore_nlb.tf
View File

@@ -1,68 +0,0 @@
resource "aws_lb" "cloudsdk_filestore" {
name = "${var.deployment}-filestore"
load_balancer_type = "network"
internal = false
enable_cross_zone_load_balancing = true
subnets = module.vpc_main.public_subnets
enable_deletion_protection = false
idle_timeout = 30
tags = local.tags
}
resource "aws_lb_target_group" "cloudsdk_filestore" {
name = "${var.deployment}-filestore"
port = var.service_ingress["filestore"]["internal_port"]
protocol = var.service_ingress["filestore"]["internal_protocol"]
vpc_id = module.vpc_main.vpc_id
deregistration_delay = 20
proxy_protocol_v2 = false
health_check {
interval = 30
protocol = var.service_ingress["filestore"]["internal_protocol"]
healthy_threshold = 2
unhealthy_threshold = 2
port = var.service_ingress["filestore"]["internal_port"]
}
tags = local.tags
}
resource "aws_autoscaling_attachment" "cloudsdk_filestore" {
for_each = toset(module.eks.workers_asg_names)
autoscaling_group_name = each.key
alb_target_group_arn = aws_lb_target_group.cloudsdk_filestore.arn
}
resource "aws_lb_listener" "cloudsdk_filestore" {
load_balancer_arn = aws_lb.cloudsdk_filestore.arn
port = var.service_ingress["filestore"]["external_port"]
protocol = var.service_ingress["filestore"]["external_protocol"]
default_action {
target_group_arn = aws_lb_target_group.cloudsdk_filestore.arn
type = "forward"
}
}
resource "aws_security_group_rule" "cloudsdk_filestore" {
security_group_id = module.eks.worker_security_group_id
from_port = var.service_ingress["filestore"]["internal_port"]
to_port = var.service_ingress["filestore"]["internal_port"]
protocol = "TCP"
type = "ingress"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
resource "aws_route53_record" "cloudsdk_filestore" {
name = format("wlan-filestore.%s.%s", var.deployment, var.base_domain)
type = "A"
zone_id = aws_route53_zone.cloudsdk.zone_id
allow_overwrite = true
alias {
name = aws_lb.cloudsdk_filestore.dns_name
zone_id = aws_lb.cloudsdk_filestore.zone_id
evaluate_target_health = true
}
}

94
terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_graphql_alb.tf
View File

@@ -1,94 +0,0 @@
resource "aws_alb" "cloudsdk_graphql" {
name = "${var.deployment}-graphql"
internal = false
security_groups = [aws_security_group.cloudsdk_lb.id]
enable_cross_zone_load_balancing = true
subnets = module.vpc_main.public_subnets
enable_deletion_protection = false
idle_timeout = 30
tags = local.tags
access_logs {
bucket = aws_s3_bucket.alb_logs.id
prefix = "${var.deployment}-graphql"
enabled = true
}
}
resource "aws_alb_target_group" "cloudsdk_graphql" {
name = "${var.deployment}-graphql"
port = var.service_ingress["graphql"]["internal_port"]
protocol = var.service_ingress["graphql"]["internal_protocol"]
vpc_id = module.vpc_main.vpc_id
deregistration_delay = 20
proxy_protocol_v2 = false
health_check {
path = var.service_ingress["graphql"]["healthcheck_path"]
interval = 30
protocol = var.service_ingress["graphql"]["internal_protocol"]
matcher = "200"
timeout = 5
healthy_threshold = 2
unhealthy_threshold = 2
port = var.service_ingress["graphql"]["internal_port"]
}
tags = local.tags
}
resource "aws_autoscaling_attachment" "cloudsdk_graphql" {
for_each = toset(module.eks.workers_asg_names)
autoscaling_group_name = each.key
alb_target_group_arn = aws_alb_target_group.cloudsdk_graphql.arn
}
resource "aws_alb_listener" "cloudsdk_graphql_http" {
load_balancer_arn = aws_alb.cloudsdk_graphql.arn
port = "80"
protocol = "HTTP"
default_action {
type = "redirect"
redirect {
protocol = var.service_ingress["graphql"]["external_protocol"]
status_code = "HTTP_301"
port = var.service_ingress["graphql"]["external_port"]
}
}
}
resource "aws_alb_listener" "cloudsdk_graphql_https" {
load_balancer_arn = aws_alb.cloudsdk_graphql.arn
port = var.service_ingress["graphql"]["external_port"]
protocol = var.service_ingress["graphql"]["external_protocol"]
ssl_policy = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
certificate_arn = aws_acm_certificate.cloudsdk.arn
default_action {
target_group_arn = aws_alb_target_group.cloudsdk_graphql.arn
type = "forward"
}
}
resource "aws_security_group_rule" "cloudsdk_graphql" {
security_group_id = module.eks.worker_security_group_id
from_port = var.service_ingress["graphql"]["internal_port"]
to_port = var.service_ingress["graphql"]["internal_port"]
protocol = "TCP"
source_security_group_id = aws_security_group.cloudsdk_lb.id
type = "ingress"
}
resource "aws_route53_record" "cloudsdk_graphql" {
name = format("wlan-graphql.%s.%s", var.deployment, var.base_domain)
type = "A"
zone_id = aws_route53_zone.cloudsdk.zone_id
allow_overwrite = true
alias {
name = var.ingress_lb
zone_id = aws_alb.cloudsdk_graphql.zone_id
evaluate_target_health = true
}
}

68
terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_gwcontroller_nlb.tf
View File

@@ -1,68 +0,0 @@
resource "aws_lb" "cloudsdk_gwcontroller" {
name = "${var.deployment}-gwcontroller"
load_balancer_type = "network"
internal = false
enable_cross_zone_load_balancing = true
subnets = module.vpc_main.public_subnets
enable_deletion_protection = false
idle_timeout = 30
tags = local.tags
}
resource "aws_lb_target_group" "cloudsdk_gwcontroller" {
name = "${var.deployment}-gwcontroller"
port = var.service_ingress["gwcontroller"]["internal_port"]
protocol = var.service_ingress["gwcontroller"]["internal_protocol"]
vpc_id = module.vpc_main.vpc_id
deregistration_delay = 20
proxy_protocol_v2 = false
health_check {
interval = 30
protocol = var.service_ingress["gwcontroller"]["internal_protocol"]
healthy_threshold = 2
unhealthy_threshold = 2
port = "traffic-port"
}
tags = local.tags
}
resource "aws_autoscaling_attachment" "cloudsdk_gwcontroller" {
for_each = toset(module.eks.workers_asg_names)
autoscaling_group_name = each.key
alb_target_group_arn = aws_lb_target_group.cloudsdk_gwcontroller.arn
}
resource "aws_lb_listener" "cloudsdk_gwcontroller" {
load_balancer_arn = aws_lb.cloudsdk_gwcontroller.arn
port = var.service_ingress["gwcontroller"]["external_port"]
protocol = var.service_ingress["gwcontroller"]["external_protocol"]
default_action {
target_group_arn = aws_lb_target_group.cloudsdk_gwcontroller.arn
type = "forward"
}
}
resource "aws_security_group_rule" "cloudsdk_gwcontroller" {
security_group_id = module.eks.worker_security_group_id
from_port = var.service_ingress["gwcontroller"]["internal_port"]
to_port = var.service_ingress["gwcontroller"]["internal_port"]
protocol = "TCP"
type = "ingress"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
resource "aws_route53_record" "cloudsdk_gwcontroller" {
name = format("opensync-controller.%s.%s", var.deployment, var.base_domain)
type = "A"
zone_id = aws_route53_zone.cloudsdk.zone_id
allow_overwrite = true
alias {
name = aws_lb.cloudsdk_gwcontroller.dns_name
zone_id = aws_lb.cloudsdk_gwcontroller.zone_id
evaluate_target_health = true
}
}

68
terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_gwredirector_nlb.tf
View File

@@ -1,68 +0,0 @@
resource "aws_lb" "cloudsdk_gwredirector" {
name = "${var.deployment}-gwredirector"
load_balancer_type = "network"
internal = false
enable_cross_zone_load_balancing = true
subnets = module.vpc_main.public_subnets
enable_deletion_protection = false
idle_timeout = 30
tags = local.tags
}
resource "aws_lb_target_group" "cloudsdk_gwredirector" {
name = "${var.deployment}-gwredirector"
port = var.service_ingress["gwredirector"]["internal_port"]
protocol = var.service_ingress["gwredirector"]["internal_protocol"]
vpc_id = module.vpc_main.vpc_id
deregistration_delay = 20
proxy_protocol_v2 = false
health_check {
interval = 30
protocol = var.service_ingress["gwredirector"]["internal_protocol"]
healthy_threshold = 2
unhealthy_threshold = 2
port = "traffic-port"
}
tags = local.tags
}
resource "aws_autoscaling_attachment" "cloudsdk_gwredirector" {
for_each = toset(module.eks.workers_asg_names)
autoscaling_group_name = each.key
alb_target_group_arn = aws_lb_target_group.cloudsdk_gwredirector.arn
}
resource "aws_lb_listener" "cloudsdk_gwredirector" {
load_balancer_arn = aws_lb.cloudsdk_gwredirector.arn
port = var.service_ingress["gwredirector"]["external_port"]
protocol = var.service_ingress["gwredirector"]["external_protocol"]
default_action {
target_group_arn = aws_lb_target_group.cloudsdk_gwredirector.arn
type = "forward"
}
}
resource "aws_security_group_rule" "cloudsdk_gwredirector" {
security_group_id = module.eks.worker_security_group_id
from_port = var.service_ingress["gwredirector"]["internal_port"]
to_port = var.service_ingress["gwredirector"]["internal_port"]
protocol = "TCP"
type = "ingress"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
resource "aws_route53_record" "cloudsdk_gwredirector" {
name = format("opensync-redirector.%s.%s", var.deployment, var.base_domain)
type = "A"
zone_id = aws_route53_zone.cloudsdk.zone_id
allow_overwrite = true
alias {
name = aws_lb.cloudsdk_gwredirector.dns_name
zone_id = aws_lb.cloudsdk_gwredirector.zone_id
evaluate_target_health = true
}
}

44
terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_lb_shared_resources.tf
View File

@@ -1,34 +1,14 @@
resource "aws_security_group" "cloudsdk_lb" { resource "random_string" "random_suffix" {
name = "cloudsdk-${var.deployment}-lb" length = 10
description = "SG for EKS LBs servicing ${local.cluster_name}/${var.deployment}} EKS cluster" special = false
vpc_id = module.vpc_main.vpc_id upper = false
tags = local.tags lower = true
} number = false
resource "aws_security_group_rule" "cloudsdk_lb_egress" {
from_port = 0
to_port = 65535
protocol = -1
security_group_id = aws_security_group.cloudsdk_lb.id
type = "egress"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
resource "aws_security_group_rule" "cloudsdk_lb_ingress_http" {
for_each = toset(["80", "443"])
from_port = each.key
to_port = each.key
protocol = "TCP"
security_group_id = aws_security_group.cloudsdk_lb.id
type = "ingress"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
} }
resource "aws_s3_bucket" "alb_logs" { resource "aws_s3_bucket" "alb_logs" {
bucket_prefix = "alb-logs-" bucket = "alb-logs-${var.org}-${var.project}-${var.deployment}-${random_string.random_suffix.result}"
acl = "private" acl = "private"
versioning { versioning {
enabled = false enabled = false
@@ -86,12 +66,12 @@ data "aws_iam_policy_document" "alb_logs_policy" {
resources = ["${aws_s3_bucket.alb_logs.arn}/*"] resources = ["${aws_s3_bucket.alb_logs.arn}/*"]
// Elastic Load Balancing Account ID in us-east-2 // Elastic Load Balancing Account ID https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
// https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
principals { principals {
type = "AWS" type = "AWS"
identifiers = [ identifiers = [
"arn:aws:iam::033677994240:root", "arn:aws:iam::127311923021:root", # us-east-1
"arn:aws:iam::033677994240:root", # us-east-2
] ]
} }
} }
@@ -130,4 +110,4 @@ resource "aws_route53_record" "aws_route53_zone_cloudsdk_main_glue" {
type = "NS" type = "NS"
zone_id = data.terraform_remote_state.route_53.outputs.zone_id zone_id = data.terraform_remote_state.route_53.outputs.zone_id
records = aws_route53_zone.cloudsdk.name_servers records = aws_route53_zone.cloudsdk.name_servers
} }

68
terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_mqtt_nlb.tf
View File

@@ -1,68 +0,0 @@
resource "aws_lb" "cloudsdk_mqtt" {
name = "${var.deployment}-mqtt"
load_balancer_type = "network"
internal = false
enable_cross_zone_load_balancing = true
subnets = module.vpc_main.public_subnets
enable_deletion_protection = false
idle_timeout = 30
tags = local.tags
}
resource "aws_lb_target_group" "cloudsdk_mqtt" {
name = "${var.deployment}-mqtt"
port = var.service_ingress["mqtt"]["internal_port"]
protocol = var.service_ingress["mqtt"]["internal_protocol"]
vpc_id = module.vpc_main.vpc_id
deregistration_delay = 20
proxy_protocol_v2 = false
health_check {
interval = 30
protocol = var.service_ingress["mqtt"]["internal_protocol"]
healthy_threshold = 2
unhealthy_threshold = 2
port = var.service_ingress["mqtt"]["internal_port"]
}
tags = local.tags
}
resource "aws_autoscaling_attachment" "cloudsdk_mqtt" {
for_each = toset(module.eks.workers_asg_names)
autoscaling_group_name = each.key
alb_target_group_arn = aws_lb_target_group.cloudsdk_mqtt.arn
}
resource "aws_lb_listener" "cloudsdk_mqtt" {
load_balancer_arn = aws_lb.cloudsdk_mqtt.arn
port = var.service_ingress["mqtt"]["external_port"]
protocol = var.service_ingress["mqtt"]["internal_protocol"]
default_action {
target_group_arn = aws_lb_target_group.cloudsdk_mqtt.arn
type = "forward"
}
}
resource "aws_security_group_rule" "cloudsdk_mqtt" {
security_group_id = module.eks.worker_security_group_id
from_port = var.service_ingress["mqtt"]["internal_port"]
to_port = var.service_ingress["mqtt"]["internal_port"]
protocol = "TCP"
type = "ingress"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
resource "aws_route53_record" "cloudsdk_mqtt" {
name = format("opensync-mqtt-broker.%s.%s", var.deployment, var.base_domain)
type = "A"
zone_id = aws_route53_zone.cloudsdk.zone_id
allow_overwrite = true
alias {
name = aws_lb.cloudsdk_mqtt.dns_name
zone_id = aws_lb.cloudsdk_mqtt.zone_id
evaluate_target_health = true
}
}

94
terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_portal_alb.tf
View File

@@ -1,94 +0,0 @@
resource "aws_alb" "cloudsdk_portal" {
name = "${var.deployment}-portal"
internal = false
security_groups = [aws_security_group.cloudsdk_lb.id]
enable_cross_zone_load_balancing = true
subnets = module.vpc_main.public_subnets
enable_deletion_protection = false
idle_timeout = 30
tags = local.tags
access_logs {
bucket = aws_s3_bucket.alb_logs.id
prefix = "${var.deployment}-portal"
enabled = true
}
}
resource "aws_alb_target_group" "cloudsdk_portal" {
name = "${var.deployment}-portal"
port = var.service_ingress["portal"]["internal_port"]
protocol = var.service_ingress["portal"]["internal_protocol"]
vpc_id = module.vpc_main.vpc_id
deregistration_delay = 20
proxy_protocol_v2 = false
health_check {
path = var.service_ingress["portal"]["healthcheck_path"]
interval = 30
protocol = var.service_ingress["portal"]["internal_protocol"]
matcher = "200"
timeout = 5
healthy_threshold = 2
unhealthy_threshold = 2
port = var.service_ingress["portal"]["internal_port"]
}
tags = local.tags
}
resource "aws_autoscaling_attachment" "cloudsdk_portal" {
for_each = toset(module.eks.workers_asg_names)
autoscaling_group_name = each.key
alb_target_group_arn = aws_alb_target_group.cloudsdk_portal.arn
}
resource "aws_alb_listener" "cloudsdk_portal_http" {
load_balancer_arn = aws_alb.cloudsdk_portal.arn
port = "80"
protocol = "HTTP"
default_action {
type = "redirect"
redirect {
protocol = var.service_ingress["portal"]["external_protocol"]
status_code = "HTTP_301"
port = var.service_ingress["portal"]["external_port"]
}
}
}
resource "aws_alb_listener" "cloudsdk_portal_https" {
load_balancer_arn = aws_alb.cloudsdk_portal.arn
port = var.service_ingress["portal"]["external_port"]
protocol = var.service_ingress["portal"]["external_protocol"]
ssl_policy = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
certificate_arn = aws_acm_certificate.cloudsdk.arn
default_action {
target_group_arn = aws_alb_target_group.cloudsdk_portal.arn
type = "forward"
}
}
resource "aws_security_group_rule" "cloudsdk_portal" {
security_group_id = module.eks.worker_security_group_id
from_port = var.service_ingress["portal"]["internal_port"]
to_port = var.service_ingress["portal"]["internal_port"]
protocol = "TCP"
source_security_group_id = aws_security_group.cloudsdk_lb.id
type = "ingress"
}
resource "aws_route53_record" "cloudsdk_portal" {
name = format("wlan-ui.%s.%s", var.deployment, var.base_domain)
type = "A"
zone_id = aws_route53_zone.cloudsdk.zone_id
allow_overwrite = true
alias {
name = var.ingress_lb
zone_id = aws_alb.cloudsdk_portal.zone_id
evaluate_target_health = true
}
}

94
terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_serviceport_alb.tf
View File

@@ -1,94 +0,0 @@
resource "aws_alb" "cloudsdk_serviceport" {
name = "${var.deployment}-serviceport"
internal = false
security_groups = [aws_security_group.cloudsdk_lb.id]
enable_cross_zone_load_balancing = true
subnets = module.vpc_main.public_subnets
enable_deletion_protection = false
idle_timeout = 30
tags = local.tags
access_logs {
bucket = aws_s3_bucket.alb_logs.id
prefix = "${var.deployment}-serviceport"
enabled = true
}
}
resource "aws_alb_target_group" "cloudsdk_serviceport" {
name = "${var.deployment}-serviceport"
port = var.service_ingress["serviceport"]["internal_port"]
protocol = var.service_ingress["serviceport"]["internal_protocol"]
vpc_id = module.vpc_main.vpc_id
deregistration_delay = 20
proxy_protocol_v2 = false
health_check {
path = var.service_ingress["serviceport"]["healthcheck_path"]
interval = 30
protocol = var.service_ingress["serviceport"]["internal_protocol"]
matcher = "200"
timeout = 5
healthy_threshold = 2
unhealthy_threshold = 2
port = var.service_ingress["serviceport"]["internal_port"]
}
tags = local.tags
}
resource "aws_autoscaling_attachment" "cloudsdk_serviceport" {
for_each = toset(module.eks.workers_asg_names)
autoscaling_group_name = each.key
alb_target_group_arn = aws_alb_target_group.cloudsdk_serviceport.arn
}
resource "aws_alb_listener" "cloudsdk_serviceport_http" {
load_balancer_arn = aws_alb.cloudsdk_serviceport.arn
port = "80"
protocol = "HTTP"
default_action {
type = "redirect"
redirect {
protocol = var.service_ingress["serviceport"]["external_protocol"]
status_code = "HTTP_301"
port = var.service_ingress["serviceport"]["external_port"]
}
}
}
resource "aws_alb_listener" "cloudsdk_serviceport_https" {
load_balancer_arn = aws_alb.cloudsdk_serviceport.arn
port = var.service_ingress["serviceport"]["external_port"]
protocol = var.service_ingress["serviceport"]["external_protocol"]
ssl_policy = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
certificate_arn = aws_acm_certificate.cloudsdk.arn
default_action {
target_group_arn = aws_alb_target_group.cloudsdk_serviceport.arn
type = "forward"
}
}
resource "aws_security_group_rule" "cloudsdk_serviceport" {
security_group_id = module.eks.worker_security_group_id
from_port = var.service_ingress["serviceport"]["internal_port"]
to_port = var.service_ingress["serviceport"]["internal_port"]
protocol = "TCP"
source_security_group_id = aws_security_group.cloudsdk_lb.id
type = "ingress"
}
resource "aws_route53_record" "cloudsdk_serviceport" {
name = format("wlan-portal-svc.%s.%s", var.deployment, var.base_domain)
type = "A"
zone_id = aws_route53_zone.cloudsdk.zone_id
allow_overwrite = true
alias {
name = aws_alb.cloudsdk_serviceport.dns_name
zone_id = aws_alb.cloudsdk_serviceport.zone_id
evaluate_target_health = true
}
}

37
terraform/wifi-289708231103/cloudsdk_cicd/efs.tf Normal file
View File

@@ -0,0 +1,37 @@
resource "aws_security_group" "efs" {
name = "${var.org}-${var.project}-${var.env}-efs"
description = "${var.org}-${var.project}-${var.env}-efs"
vpc_id = module.vpc_main.vpc_id
tags = {
Name = "${var.org}-${var.project}-${var.env}"
Project = var.project
Environment = var.env
}
}
resource "aws_security_group_rule" "efs_ingress" {
from_port = 2049
to_port = 2049
protocol = "tcp"
type = "ingress"
security_group_id = aws_security_group.efs.id
source_security_group_id = module.eks.worker_security_group_id
}
resource "aws_efs_file_system" "default" {
creation_token = "${var.org}-${var.project}-${var.env}-default"
tags = {
Name = "${var.org}-${var.project}-${var.env}-default"
Project = var.project
Environment = var.env
}
}
resource "aws_efs_mount_target" "default" {
for_each = toset(module.vpc_main.private_subnets)
file_system_id = aws_efs_file_system.default.id
subnet_id = each.key
security_groups = [aws_security_group.efs.id]
}

2
terraform/wifi-289708231103/cloudsdk_cicd/eks.tf
View File

@@ -87,7 +87,7 @@ locals {
"Env" = var.env "Env" = var.env
"Project" = var.project "Project" = var.project
} }
user_roles = [ user_roles = [
{ {
userarn = aws_iam_user.gh-actions-user.arn userarn = aws_iam_user.gh-actions-user.arn
username = aws_iam_user.gh-actions-user.name username = aws_iam_user.gh-actions-user.name

16
terraform/wifi-289708231103/cloudsdk_cicd/outputs.tf
View File

@@ -2,6 +2,10 @@ output "cluster_autoscaler_role_arn" {
value = module.cluster_autoscaler_cluster_role.this_iam_role_arn value = module.cluster_autoscaler_cluster_role.this_iam_role_arn
} }
output "alb_ingress_controller_role_arn" {
value = module.alb_ingress_iam_role.this_iam_role_arn
}
output "external_dns_role_arn" { output "external_dns_role_arn" {
value = module.external_dns_cluster_role.this_iam_role_arn value = module.external_dns_cluster_role.this_iam_role_arn
} }
@@ -17,3 +21,15 @@ output "vpc_private_subnets_ids" {
output "vpc_private_route_table_ids" { output "vpc_private_route_table_ids" {
value = module.vpc_main.private_route_table_ids value = module.vpc_main.private_route_table_ids
} }
output "lb_s3_bucket_logging" {
value = aws_s3_bucket.alb_logs.id
}
output "efs_id" {
value = aws_efs_file_system.default.id
}
output "efs_dns" {
value = aws_efs_file_system.default.dns_name
}

54
terraform/wifi-289708231103/cloudsdk_cicd/terraform.tfvars
View File

@@ -22,57 +22,3 @@ eks_admin_roles = ["AWSReservedSSO_SystemAdministrator_622371b0ceece6f8"]
base_domain = "lab.wlan.tip.build" base_domain = "lab.wlan.tip.build"
deployment = "cicd" deployment = "cicd"
service_ingress = {
"filestore" : {
"external_port" : 443,
"internal_port" : 30227,
"external_protocol" : "TCP",
"internal_protocol" : "TCP",
"healthcheck_path" : "",
},
"graphql" : {
"external_port" : 443,
"internal_port" : 30223,
"external_protocol" : "HTTPS",
"internal_protocol" : "HTTP",
"healthcheck_path" : "/graphql",
},
"serviceport" : {
"external_port" : 443,
"internal_port" : 30251,
"external_protocol" : "HTTPS",
"internal_protocol" : "HTTPS",
"healthcheck_path" : "/ping",
},
"portal" : {
"external_port" : 443,
"internal_port" : 30233,
"external_protocol" : "HTTPS",
"internal_protocol" : "HTTP",
"healthcheck_path" : "/",
},
"gwcontroller" : {
"external_port" : 6640,
"internal_port" : 30229,
"external_protocol" : "TCP",
"internal_protocol" : "TCP",
"healthcheck_path" : "",
},
"gwredirector" : {
"external_port" : 6643,
"internal_port" : 30230,
"external_protocol" : "TCP",
"internal_protocol" : "TCP",
"healthcheck_path" : "",
},
"mqtt" : {
"external_port" : 1883,
"internal_port" : 30231,
"external_protocol" : "TCP",
"internal_protocol" : "TCP",
"healthcheck_path" : "",
},
}
ingress_lb = "a46650fef61b84171825228af3cfc4b2-1416366176.us-east-2.elb.amazonaws.com"

16
terraform/wifi-289708231103/cloudsdk_cicd/variables.tf
View File

@@ -75,19 +75,3 @@ variable "deployment" {
description = "Deployment name" description = "Deployment name"
type = string type = string
} }
variable "service_ingress" {
description = "Load balancer configuration for ELK services"
type = map(object({
internal_protocol = string
internal_port = number
external_protocol = string
external_port = number
healthcheck_path = string
}))
}
variable "ingress_lb" {
description = "Ingress LB dns endpoint"
type = string
}