v2.3.5

Restrict Ingress to Cloud.gov by default (#100)

* new: restrict ingress to cloud.gov by default

Reference: https://cloud.gov/docs/management/static-egress/#cloudgov-egress-ranges

* new: all ingress from itself

In order for ingress to apply properly, sometimes source address translation happens before the network policy takes effect, so all internal ingress traffic as well, Reference: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors

* new: allow tester to interact with cluster

This does not explicitly test that traffic is restricted without this configuration, but the configuration would not allow github or anyone's individual IP to connect to the cluster by default

* lint: terraform fmt

* fix: bug in awscli..

https://github.com/aws/aws-cli/issues/6920

* refactor: use vpc module output to get vpc cidr

Better than hardcoding the internal cidr range

* lint: remove whitespace :)

This was bothering me for a long time haha..

* fix: bad rename

module.vpc.vpc_cidr_block --> local.vpc_cidr_range

v2.3.4

Changes:

- Tighten terraform dependencies around cluster-functional
- Don't create Ingress Controller atomically with helm
- Increase ALB Controller Destroy Delay (30s -> 60s)
- Update managed node group parameters for changes in eks module ('desired_capacity' changed to 'desired_size')

v2.3.3

Wait to create k8s storage class for PVs until the cluster is functional

v2.3.2

Fix issues with domain/subdomain/lb_name format

ACM Certificate
HostedZoneDomainName
LB Name

v2.3.0

Upgrade Versions

Upgrades:
 - Upgrade Terraform from 0.13 to 1.1.5
 - Upgrade EKS module from 14.0 to 18.6

Updates:
 - Update AWS LB Controller IAM Policy to 2.3.1

Resulting Changes:
 - Process EKS addons through the EKS module as opposed to as standalone
resources
 - Manually manage Kubeconfig file since module no longer handles it
 - No need to manually manage tls_certificate
 - Add security group rules to manage EKS cluster communication

v2.2.1

FIX: Restore dependency on eks cluster ready; Enable EBS encryption

v2.2.0

Update ALB Controller to provision NLBs (#69)

* new: update ALB Controller to provision NLBs

reconfigure Ingress to give the ALB 'LoadBalancer' servive type for NLB configuration

* Trigger the creation of an NLB through annotations on the ingress-nginx service

* NLB is provisioned
* Target groups appear healthy
* DNS entry is created
* Traffic is getting all the way through to the ingress-nginx controller ("400 bad request" from nginx)

* fix: attempt to use the subdomain name directly

Parsing the LB name out of 'data.kubernetes_service.ingress_service' is hard, so let's see if this passes

* fix: try to wait until ingress_service is created

* Install the VPC CNI so NLBs work correctly

Also removes some extraneous parameters (the defaults are fine), and configures the controller to pass through the real client IP.

* fix: ebs addon takes a while sometimes to become ready

It's 'degraded' until it has enough replicas in EKS which varies on the number of nodes in the EKS cluster, it then becomes 'active'

* cleanup: addd docs for EBS cleanup; fix terraform error

* update: aws lb controller from branch to tag

* docs: update readme with new features

* new: add variable input to install vpc cni

* lint: terraform fmt

* fix: change install_vpc_cni var from number to bool

* fix: terraform bool, brokerpak boolean :/

Co-authored-by: Bret Mogilefsky <bret.mogilefsky@gsa.gov>

v2.1.0

Skip installing the EFS CSI driver; it's already installed

v2.0.0

Upgrade the deployed solr-operator and CRDs to version 0.5.0