Add more Azure and AKS

evry-ace · Apr 30, 2020 · 6cd0928 · 6cd0928
1 parent e7eb287
commit 6cd0928
Show file tree

Hide file tree

Showing 25 changed files with 914 additions and 7 deletions.
diff --git a/charts/istio-aks/.helmignore b/charts/istio-aks/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/istio-aks/Chart.yaml b/charts/istio-aks/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.5.1"
+description: A Helm chart for installing Istio on AKS
+name: istio-aks
+version: 1.0.2
diff --git a/charts/istio-aks/templates/_helpers.tpl b/charts/istio-aks/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "istio-gke.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "istio-gke.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "istio-gke.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/istio-aks/templates/istio.yaml b/charts/istio-aks/templates/istio.yaml
@@ -0,0 +1,184 @@
+apiVersion: istio.banzaicloud.io/v1beta1
+kind: Istio
+metadata:
+  name: {{ include "istio-gke.fullname" . }}
+  labels:
+    controller-tools.k8s.io: "1.0"
+    app.kubernetes.io/name: {{ include "istio-gke.name" . }}
+    helm.sh/chart: {{ include "istio-gke.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  version: "{{ .Values.istio.version }}"
+  meshPolicy:
+    mtlsMode: {{ .Values.istio.meshPolicy.mtlsMode }}
+  autoMtls: {{ .Values.istio.autoMtls }}
+  includeIPRanges: "*"
+  excludeIPRanges: ""
+  autoInjectionNamespaces:
+    {{- toYaml .Values.istio.autoInjectionNamespaces | nindent 4 }}
+  controlPlaneSecurityEnabled: false
+  mountMtlsCerts: false
+  # priorityClassName: system-cluster-critical
+  defaultResources:
+    requests:
+      cpu: 10m
+  mixerlessTelemetry:
+    enabled: true
+  sds:
+    enabled: {{ .Values.istio.sds.enabled }}
+  istiod:
+    enabled: true
+  pilot:
+    enabled: true
+    image: "docker.io/istio/pilot:{{ .Values.istio.version }}"
+    replicaCount: 1
+    minReplicas: 1
+    maxReplicas: 5
+    traceSampling: 1.0
+    resources:
+      requests:
+        cpu: 500m
+        memory: 2048Mi
+    certProvider: "istiod"
+  citadel:
+    enabled: {{ .Values.istio.citadel.enabled }}
+    caSecretName: istio-ca-secret
+    image: "docker.io/istio/citadel:{{ .Values.istio.version }}"
+  galley:
+    enabled: false
+    image: "docker.io/istio/galley:{{ .Values.istio.version }}"
+    replicaCount: 1
+    enableServiceDiscovery: false
+    enableAnalysis: false
+  gateways:
+    enabled: {{ .Values.istio.gateways.enabled }}
+    ingress:
+      enabled: {{ .Values.istio.gateways.ingress.enabled }}
+      replicaCount: 1
+      minReplicas: 1
+      maxReplicas: 5
+      serviceType: "LoadBalancer"
+      loadBalancerIP: {{ .Values.istio.gateways.ingress.loadBalancerIP }}
+      serviceAnnotations: {}
+      serviceLabels: {}
+      ports:
+        - port: 15020
+          targetPort: 15020
+          name: status-port
+        - port: 80
+          targetPort: 80
+          name: http2
+        - port: 443
+          targetPort: 443
+          name: https
+        - port: 15443
+          targetPort: 15443
+          name: tls
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+    egress:
+      enabled: {{ .Values.istio.gateways.egress.enabled }}
+      replicaCount: 1
+      minReplicas: 1
+      maxReplicas: 5
+      serviceType: "ClusterIP"
+      serviceAnnotations: {}
+      serviceLabels: {}
+      ports:
+        - port: 80
+          targetPort: 80
+          name: http2
+        - port: 443
+          targetPort: 443
+          name: https
+        - port: 15443
+          targetPort: 15443
+          name: tls
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 256Mi
+    k8singress:
+      enabled: {{ .Values.istio.gateways.k8singress.enabled }}
+  policy:
+    enabled: {{ .Values.istio.policy.enabled }}
+    image: "docker.io/istio/mixer:{{ .Values.istio.version }}"
+    replicaCount: 1
+    minReplicas: 1
+    maxReplicas: 5
+  telemetry:
+    enabled: false
+    image: "docker.io/istio/mixer:{{ .Values.istio.version }}"
+    replicaCount: 1
+    minReplicas: 1
+    maxReplicas: 5
+  sidecarInjector:
+    enabled: {{ .Values.istio.sidecarInjector.enabled }}
+    image: "docker.io/istio/sidecar_injector:{{ .Values.istio.version }}"
+    replicaCount: 1
+    rewriteAppHTTPProbe: {{ .Values.istio.sidecarInjector.rewriteAppHTTPProbe }}
+    autoInjectionPolicyEnabled: {{ .Values.istio.sidecarInjector.autoInjectionPolicyEnabled }}
+    init:
+      resources:
+        requests:
+          cpu: 10m
+          memory: 10Mi
+        limits:
+          cpu: 100m
+          memory: 50Mi
+  nodeAgent:
+    enabled: false
+    image: "docker.io/istio/node-agent-k8s:{{ .Values.istio.version }}"
+  proxy:
+    image: "docker.io/istio/proxyv2:{{ .Values.istio.version }}"
+    accessLogFile: "/dev/stdout"
+    accessLogFormat: ""
+    accessLogEncoding: "TEXT"
+    enableCoreDump: false
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 2000m
+        memory: 1024Mi
+  proxyInit:
+    image: "docker.io/istio/proxyv2:{{ .Values.istio.version }}"
+  defaultPodDisruptionBudget:
+    enabled: true
+  outboundTrafficPolicy:
+    mode: ALLOW_ANY
+  tracing:
+    enabled: {{ .Values.istio.tracing.enabled }}
+    tracer: {{ .Values.istio.tracing.tracer }}
+    zipkin:
+      address: zipkin.istio-system:9411
+    datadog:
+        address: $(HOST_IP):8126
+    lightstep:
+        address: lightstep-satellite.lightstep:9292
+        accessToken: <access-token>
+        secure: true
+        cacertPath: /etc/lightstep/cacert.pem
+  localityLB:
+    enabled: false
+    # distribute:
+    # - from: "us-central1/*"
+    #   to:
+    #     "us-central1/*": 80
+    #     "us-central2/*": 20
+    # failover:
+    # - from: us-east
+    #   to: eu-west
+    # - from: us-west
+    #   to: us-east
+  jwtPolicy: "first-party-jwt"
diff --git a/charts/istio-aks/values.yaml b/charts/istio-aks/values.yaml
@@ -0,0 +1,47 @@
+# Default values for istio-gke.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+istio:
+  version: 1.5.1
+
+  meshPolicy:
+    mtlsMode: PERMISSIVE
+
+  autoInjectionNamespaces:
+    - default
+
+  autoMtls: true
+
+  sds:
+    enabled: true
+
+  sidecarInjector:
+    enabled: true
+
+    rewriteAppHTTPProbe: true
+    autoInjectionPolicyEnabled: true
+
+  citadel:
+    enabled: true
+
+  gateways:
+    enabled: true
+    egress:
+      enabled: true
+      sds:
+        enabled: true
+      serviceType: "ClusterIP"
+    ingress:
+      enabled: true
+      serviceType: "LoadBalancer"
+      loadBalancerIP: ""
+    k8singress:
+      enabled: false
+
+  policy:
+    enabled: true
+
+  tracing:
+    enabled: false
+    tracer: zipkin
diff --git a/external-dns.tf b/external-dns.tf
@@ -42,7 +42,7 @@ resource "helm_release" "external_dns2" {
 
   set {
     name  = "policy"
-    value = "sync"
+    value = "upsert-only"
   }
 
   set {

diff --git a/main.tf b/main.tf
@@ -30,4 +30,10 @@ module "istio" {
 
 module "aks" {
   source = "./modules/aks"
+  providers = {
+    kubernetes = kubernetes.aks
+    helm       = helm.aks
+  }
+
+  dns_project = var.google_project
 }
diff --git a/modules/aks/aks.tf b/modules/aks/aks.tf
@@ -1,4 +1,72 @@
-resource "azurerm_resource_group" "aks" {
+resource "azurerm_resource_group" "example" {
   name     = "aks-demo"
   location = "West Europe"
 }
+
+resource "azurerm_container_registry" "example" {
+  name                     = "evryflaatten"
+  location                 = azurerm_resource_group.example.location
+  resource_group_name      = azurerm_resource_group.example.name
+  sku                      = "Premium"
+  admin_enabled            = true
+}
+
+resource "azurerm_kubernetes_cluster" "example" {
+  name                = "aks-demo"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  dns_prefix          = "aksdemo"
+
+  #network_profile {
+  #  network_plugin = "kubenet"
+  #  network_policy = "calico"
+  #}
+
+  default_node_pool {
+    name    = "default"
+    type    = "VirtualMachineScaleSets"
+    vm_size = "Standard_D2_v2"
+
+    enable_auto_scaling = true
+    max_count           = 10
+    min_count           = 1
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  tags = {
+    Environment = "Production"
+  }
+}
+
+output "host" {
+  value     = azurerm_kubernetes_cluster.example.kube_config.0.host
+  sensitive = true
+}
+
+output "username" {
+  value     = azurerm_kubernetes_cluster.example.kube_config.0.username
+  sensitive = true
+}
+
+output "password" {
+  value     = azurerm_kubernetes_cluster.example.kube_config.0.password
+  sensitive = true
+}
+
+output "client_certificate" {
+  value     = azurerm_kubernetes_cluster.example.kube_config.0.client_certificate
+  sensitive = true
+}
+
+output "client_key" {
+  value     = azurerm_kubernetes_cluster.example.kube_config.0.client_key
+  sensitive = true
+}
+
+output "cluster_ca_certificate" {
+  value     = azurerm_kubernetes_cluster.example.kube_config.0.cluster_ca_certificate
+  sensitive = true
+}