-
Notifications
You must be signed in to change notification settings - Fork 14
/
ekscluster-kfd-v1alpha2.yaml.tpl
478 lines (477 loc) · 23 KB
/
ekscluster-kfd-v1alpha2.yaml.tpl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
---
apiVersion: kfd.sighup.io/v1alpha2
kind: EKSCluster
metadata:
# The name of the cluster, will be also used as a prefix for all the other resources created on AWS
name: {{.Name}}
spec:
# This value defines which KFD version will be installed and in consequence the Kubernetes version to use to create the cluster,
# it supports git tags and branches
distributionVersion: {{.DistributionVersion}}
# This sections defines where to store the terraform state files used by furyctl
toolsConfiguration:
terraform:
state:
s3:
# This value defines which bucket will be used to store all the states
bucketName: example-bucket
# This value defines which folder will be used to store all the states inside the bucket
keyPrefix: example-cluster/
# This value defines in which region the bucket is
region: eu-west-1
# This value defines in which AWS region the cluster and all the related resources will be created
region: eu-west-1
# This map defines which will be the common tags that will be added to all the resources created on AWS
tags:
env: "example"
k8s: "example2"
# This first section, infrastructure, defines the underlying network and eventual VPN bastions that will be provisioned.
# If you already have a VPC, you can remove this key from the configuration file
infrastructure:
# This key defines the VPC that will be created in AWS
vpc:
network:
# This is the CIDR of the VPC
cidr: 10.1.0.0/16
subnetsCidrs:
# These are the CIRDs for the private subnets, where the nodes, the pods, and the private load balancers will be created
private:
- 10.1.0.0/20
- 10.1.16.0/20
- 10.1.32.0/20
# These are the CIDRs for the public subnets, where the public load balancers and the VPN servers will be created
public:
- 10.1.48.0/24
- 10.1.49.0/24
- 10.1.50.0/24
# This section defines the creation of VPN bastions
vpn:
# The number of instance to create, 0 to skip the creation
instances: 2
# The port used by the OpenVPN server
port: 1194
# The size of the AWS ec2 instance
instanceType: t3.micro
# The size of the disk in GB
diskSize: 50
# The username of the account to create in the bastion's operating system
operatorName: sighup
# The dhParamsBits size used for the creation of the .pem file that will be used in the dh openvpn server.conf file
dhParamsBits: 2048
# The CIDR that will be used to assign IP addresses to the VPN clients when connected
vpnClientsSubnetCidr: 172.16.0.0/16
# ssh access settings
ssh:
# Not yet supported
publicKeys: []
# The github user name list that will be used to get the ssh public key that will be added as authorized key to the operatorName user
githubUsersName:
- johndoe
# The CIDR enabled in the security group that can access the bastions in SSH
allowedFromCidrs:
- 0.0.0.0/0
# This section describes how the EKS cluster will be created
kubernetes:
# This key contains the ssh public key that can connect to the nodes via SSH using the ec2-user user
nodeAllowedSshPublicKey: "ssh-ed25519 XYZ"
# Either `launch_configurations`, `launch_templates` or `both`. For new clusters use `launch_templates`, for existing cluster you'll need to migrate from `launch_configurations` to `launch_templates` using `both` as interim.
nodePoolsLaunchKind: "launch_templates"
# Optional Kubernetes Cluster log retention in days. Defaults to 90 days.
# logRetentionDays: 90
# This map defines the access to the Kubernetes API server
apiServer:
privateAccess: true
publicAccess: false
privateAccessCidrs: ['0.0.0.0/0']
publicAccessCidrs: ['0.0.0.0/0']
# logRetentionDays: 90
# This array contains the definition of the nodepools in the cluster
nodePools:
# This is the name of the nodepool
- name: infra
# This optional map defines a different AMI to use for the instances
#ami:
# id: ami-0123456789abcdef0
# owner: "123456789012"
# This map defines the max and min number of nodes in the nodepool autoscaling group
size:
min: 1
max: 3
# This map defines the characteristics of the instance that will be used in the node pool
instance:
# The instance type
type: t3.xlarge
# If the instance is a spot instance
spot: false
# The instance disk size in GB
volumeSize: 50
# This optional array defines additional target groups to attach to the instances in the node pool
#attachedTargetGroups:
# - arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/example-external-nginx/0123456789abcdee
# - arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/example-internal-nginx/0123456789abcdef
# Kubernetes labels that will be added to the nodes
labels:
nodepool: infra
node.kubernetes.io/role: infra
# Kubernetes taints that will be added to the nodes
taints:
- node.kubernetes.io/role=infra:NoSchedule
# AWS tags that will be added to the ASG and EC2 instances, the example shows the labels needed by cluster autoscaler
tags:
k8s.io/cluster-autoscaler/node-template/label/nodepool: "worker"
k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/role: "worker"
# Optional additional firewall rules that will be attached to the nodes
#additionalFirewallRules:
# # The name of the rule
# - name: traffic_80_from_172_31_0_0_16
# # The type of the rule, can be ingress or egress
# type: ingress
# # The CIDR blocks for the FW rule. At the moment the first item of the list will be used, others will be ignored. See https://github.com/sighupio/fury-eks-installer/issues/46
# cidrBlocks:
# - 172.31.0.0/16
# # The protocol
# protocol: TCP
# # The ports range
# ports:
# from: 80
# to: 80
# # Additional AWS tags
# tags: {}
# aws-auth configmap definition, see https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html for more informations
awsAuth: {}
# additionalAccounts:
# - "777777777777"
# - "88888888888"
# users:
# - username: "johndoe"
# groups:
# - system:masters
# userarn: "arn:aws:iam::123456789012:user/johndoe"
# roles:
# - username: "example"
# groups:
# - example:masters
# rolearn: "arn:aws:iam::123456789012:role/k8s-example-role"
# Optional. Use when spec.infrastructure is left empty and the VPC is not managed by furyctl
# vpcId: "vpc-123456780"
# This section describes how the KFD distribution will be installed
distribution:
# This common configuration will be applied to all the packages that will be installed in the cluster
common:
# The node selector to use to place the pods for all the KFD packages
nodeSelector:
node.kubernetes.io/role: infra
# The tolerations that will be added to the pods for all the KFD packages
tolerations:
- effect: NoSchedule
key: node.kubernetes.io/role
value: infra
# This section contains all the configurations for all the KFD core modules
modules:
# This section contains all the configurations for the ingress module
ingress:
# This optional key is used to override automatic parameters
#overrides:
# # This key is used to override the spec.distribution.common.nodeSelector settings. Set to a custom value or use an empty object {} to not add the common node selector.
# nodeSelector: null
# # This key is used to override the spec.distribution.common.tolerations settings. Set to a custom value or use an empty object {} to not add the common tolerations.
# tolerations: null
# # This key is used to override some parameters on the ingresses managed by this module
# ingresses:
# forecastle:
# # if authentication is globally enabled, it can be disabled for this ingress.
# disableAuth: false
# # the host can be overridden, by default is directory.{.spec.distribution.modules.ingress.baseDomain}
# host: ""
# # the ingressClass can be overridden if needed
# ingressClass: ""
# the base domain used for all the KFD ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.private.name zone
baseDomain: internal.example.dev
# configurations for the nginx ingress controller package
nginx:
# type defines if the nginx should be configured as single or dual (internal + external) or none, with none no ingress controller will be deployed and also no ingress resource will be created
type: dual
# the tls section defines how the tls for the ingresses should be managed
tls:
# provider can be certManager, secret
provider: certManager
# if provider is set as secret, this key will be used to create the certificate in the cluster
# secret:
# the certificate file content or you can use the file notation to get the content from a file
# cert: "{file://relative/path/to/ssl.crt}"
# the key file, a file notation can be used to get the content from a file
# key: "{file://relative/path/to/ssl.key}"
# the ca file, a file notation can be used to get the content from a file
# ca: "{file://relative/path/to/ssl.ca}"
# configuration for the cert-manager package
certManager:
# the configuration for the clusterIssuer that will be created
clusterIssuer:
# the name of the clusterIssuer
name: letsencrypt-fury
# the email used during issuing procedures
email: example@sighup.io
# you can configure the clusterIssuer by specifing type (can be http01 or dns01, if dns01 the route53 integration will be used) or custom solvers
type: http01
# the custom solvers configurations
# solvers:
# - http01:
# ingress:
# class: nginx
# DNS definition, used in conjunction with externalDNS package to automate DNS management and certificates emission
dns:
# the public DNS zone definition
public:
# the name of the zone
name: "example.dev"
# manage if we need to create the zone, or if it already exists and we only need to adopt/use it
create: false
# the private DNS zone definition, that will be attached to the VPC
private:
# the name of the zone
name: "internal.example.dev"
# defines if we need to create the zone, or if it already exists and we only need to adopt/use it
create: false
# This section contains all the configurations for the logging module
logging:
# This optional key is used to override automatic parameters
#overrides:
# # This key is used to override the spec.distribution.common.nodeSelector setting. Set to a custom value or use an empty object {} to not add the common node selector.
# nodeSelector: null
# # This key is used to override the spec.distribution.common.tolerations setting. Set to a custom value or use an empty object {} to not add the common tolerations.
# tolerations: null
# # This key is used to override some parameters on the ingresses managed by this module
# ingresses:
# opensearchDashboards:
# # if authentication is globally enabled, it can be disabled for this ingress.
# disableAuth: false
# # the host can be overridden, by default is opensearch-dashboards.{.spec.distribution.modules.ingress.baseDomain}
# host: ""
# # the ingressClass can be overridden if needed
# ingressClass: ""
# cerebro:
# # if authentication is globally enabled, it can be disabled for this ingress.
# disableAuth: false
# # the host can be overridden, by default is cerebro.{.spec.distribution.modules.ingress.baseDomain}
# host: ""
# # the ingressClass can be overridden if needed
# ingressClass: ""
# minio:
# # if authentication is globally enabled, it can be disabled for this ingress.
# disableAuth: false
# # the host can be overridden, by default is minio.{.spec.distribution.modules.ingress.baseDomain}
# host: ""
# # the ingressClass can be overridden if needed
# ingressClass: ""
# can be opensearch or loki
type: opensearch
# configurations for the opensearch package
opensearch:
# the type of opensearch to install, can be single or triple
type: single
## optional settings to override requests and limits
#resources:
# requests:
# cpu: ""
# memory: ""
# limits:
# cpu: ""
# memory: ""
# the PVC size used by opensearch, for each pod
storageSize: "150Gi"
# configurations for the minio-ha package
minio:
# the PVC size for each minio disk, 6 disks total
storageSize: "20Gi"
# configurations for the loki package
# loki:
## optional settings to override requests and limits, common for each component
#resources:
# requests:
# cpu: ""
# memory: ""
# limits:
# cpu: ""
# memory: ""
# This section contains all the configurations for the monitoring module
monitoring:
# This optional key is used to override automatic parameters
#overrides:
# # This key is used to override the spec.distribution.common.nodeSelector setting. Set to a custom value or use an empty object {} to not add the common node selector.
# nodeSelector: null
# # This key is used to override the spec.distribution.common.tolerations setting. Set to a custom value or use an empty object {} to not add the common tolerations.
# tolerations: null
# # This key is used to override some parameters on the ingresses managed by this module
# ingresses:
# prometheus:
# # if authentication is globally enabled, it can be disabled for this ingress.
# disableAuth: false
# # the host can be overridden, by default is prometheus.{.spec.distribution.modules.ingress.baseDomain}
# host: ""
# # the ingressClass can be overridden if needed
# ingressClass: ""
# alertmanager:
# # if authentication is globally enabled, it can be disabled for this ingress.
# disableAuth: false
# # the host can be overridden, by default is alertmanager.{.spec.distribution.modules.ingress.baseDomain}
# host: ""
# # the ingressClass can be overridden if needed
# ingressClass: ""
# grafana:
# # if authentication is globally enabled, it can be disabled for this ingress.
# disableAuth: false
# # the host can be overridden, by default is grafana.{.spec.distribution.modules.ingress.baseDomain}
# host: ""
# # the ingressClass can be overridden if needed
# ingressClass: ""
# configurations for the prometheus package
#prometheus:
# # optional settings to override requests and limits
# resources:
# requests:
# cpu: ""
# memory: ""
# limits:
# cpu: ""
# memory: ""
# configurations for the alertmanager package
alertmanager:
# The webhook url to send deadman switch monitoring, for example to use with healthchecks.io
deadManSwitchWebhookUrl: ""
# The slack webhook url to send alerts
slackWebhookUrl: https://slack.com
# This section contains all the configurations for the policy (opa) module
policy:
# type can be gatekeeper or none
type: gatekeeper
# This optional key is used to override automatic parameters
#overrides:
# # This key is used to override the spec.distribution.common.nodeSelector setting. Set to a custom value or use an empty object {} to not add the common node selector.
# nodeSelector: null
# # This key is used to override the spec.distribution.common.tolerations setting. Set to a custom value or use an empty object {} to not add the common tolerations.
# tolerations: null
# # This key is used to override some parameters on the ingresses managed by this module
# ingresses:
# gpm:
# # if authentication is globally enabled, it can be disabled for this ingress.
# disableAuth: false
# # the host can be overridden, by default is gpm.{.spec.distribution.modules.ingress.baseDomain}
# host: ""
# # the ingressClass can be overridden if needed
# ingressClass: ""
# configurations for the gatekeeper package
gatekeeper:
# This parameter adds namespaces to Gatekeeper's exemption list, so it will not enforce the constraints on them.
additionalExcludedNamespaces: []
# This section contains all the configurations for the Disaster Recovery module
dr:
# can be none or eks
type: eks
# Configurations for the velero package
velero:
# Velero configurations for EKS cluster
eks:
# The S3 bucket that will be created to store the backups
bucketName: example-velero
# The region where the bucket will be created (can be different from the overall region defined in .spec.region)
region: eu-west-1
# This optional key is used to override automatic parameters
#overrides:
# # This key is used to override the spec.distribution.common.nodeSelector setting. Set to a custom value or use an empty object {} to not add the common node selector.
# nodeSelector: null
# # This key is used to override the spec.distribution.common.tolerations setting. Set to a custom value or use an empty object {} to not add the common tolerations.
# tolerations: null
# This section contains all the configurations for the auth module
auth:
# This optional key is used to override automatic parameters
#overrides:
# # This key is used to override the spec.distribution.common.nodeSelector setting. Set to a custom value or use an empty object {} to not add the common node selector.
# nodeSelector: null
# # This key is used to override the spec.distribution.common.tolerations setting. Set to a custom value or use an empty object {} to not add the common tolerations.
# tolerations: null
# ingresses:
# pomerium:
# # the host can be overridden, by default is pomerium.{.spec.distribution.modules.ingress.baseDomain}
# host: ""
# # the ingressClass can be overridden if needed
# ingressClass: ""
# dex:
# # the host can be overridden, by default is login.{.spec.distribution.modules.ingress.baseDomain}
# host: ""
# # the ingressClass can be overridden if needed
# ingressClass: ""
provider:
# The authentication type used for the infrastructure ingresses (all the ingress for the distribution) can be none, basicAuth, sso
type: none
# configuration for the basicAuth if .spec.distribution.modules.auth.provider.type is basicAuth
basicAuth:
# The username
username: admin
# The password
password: "{env://KFD_BASIC_AUTH_PASSWORD}"
# The base domain used for all the auth ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.public.name zone
baseDomain: example.dev
# Configuration for the pomerium package, used only if .spec.distribution.modules.auth.provider.type is sso
#pomerium:
# # Additional policy configuration
# policy: |
# - from: https://myapp.example.dev
# to: http://myapp.svc.cluster.local:8000
# cors_allow_preflight: true
# timeout: 30s
# # Secrets configurations for pomerium and dex (pomerium connect to dex proxy for the SSO process)
# secrets:
# COOKIE_SECRET: "{env://KFD_AUTH_POMERIUM_COOKIE_SECRET}"
# IDP_CLIENT_SECRET: "{env://KFD_AUTH_POMERIUM_IDP_CLIENT_SECRET}"
# SHARED_SECRET: "{env://KFD_AUTH_POMERIUM_SHARED_SECRET}"
## Configuration for the pomerium package, used only if .spec.distribution.modules.auth.provider.type is sso
#dex:
# # Dex connectors configuration
# connectors:
# - type: github
# id: github
# name: GitHub
# config:
# clientID: "{env://KFD_AUTH_DEX_CONNECTORS_GITHUB_CLIENT_ID}"
# clientSecret: "{env://KFD_AUTH_DEX_CONNECTORS_GITHUB_CLIENT_SECRET}"
# redirectURI: https://login.example.dev/callback
# loadAllGroups: false
# teamNameField: slug
# useLoginAsID: false
# Custom Patches to add or override fields in the generated manifests
#customPatches:
# configMapGenerator:
# - name: a-configmap
# files:
# - /path/to/config.example
# - name: b-configmap
# envs:
# - /path/to/envs.env
# patches:
# - target:
# group: ""
# version: v1
# kind: Service
# name: cluster-autoscaler
# namespace: kube-system
# path: /path/to/patch.yaml
# patchesStrategicMerge:
# - |
# ---
# apiVersion: v1
# kind: Service
# metadata:
# labels:
# label1: value1
# name: cluster-autoscaler
# namespace: kube-system
# secretGenerator:
# - name: a-secret
# files:
# - /path/to/config.example
# - name: b-secret
# envs:
# - /path/to/envs.env