From e87e97a8eaf23b40df932b83fc25df4a386dd7b6 Mon Sep 17 00:00:00 2001 From: maxim Date: Wed, 17 Nov 2021 17:49:28 +0600 Subject: [PATCH 1/5] refactor: do not use templates/calico-values.yaml and set necessary values in the eks-calico.tf file --- terraform/layer2-k8s/eks-calico.tf | 11 +++- terraform/layer2-k8s/helm-releases.yaml | 2 +- .../layer2-k8s/templates/calico-values.yaml | 57 ------------------- 3 files changed, 10 insertions(+), 60 deletions(-) delete mode 100644 terraform/layer2-k8s/templates/calico-values.yaml diff --git a/terraform/layer2-k8s/eks-calico.tf b/terraform/layer2-k8s/eks-calico.tf index 3425bd59..768b340b 100644 --- a/terraform/layer2-k8s/eks-calico.tf +++ b/terraform/layer2-k8s/eks-calico.tf 
@@ -4,9 +4,16 @@ locals { enabled = local.helm_releases[index(local.helm_releases.*.id, "aws-calico")].enabled chart = local.helm_releases[index(local.helm_releases.*.id, "aws-calico")].chart repository = local.helm_releases[index(local.helm_releases.*.id, "aws-calico")].repository - chart_version = local.helm_releases[index(local.helm_releases.*.id, "aws-calico")].version + chart_version = local.helm_releases[index(local.helm_releases.*.id, "aws-calico")].chart_version namespace = local.helm_releases[index(local.helm_releases.*.id, "aws-calico")].namespace } + aws_calico_values = < Date: Wed, 24 Nov 2021 14:25:59 +0600 Subject: [PATCH 2/5] feat: Introduce possibility to install VictoriaMetrics or Prometheus --- README.md | 1 + docs/FAQ.md | 36 +- terraform/layer2-k8s/.terraform.lock.hcl | 36 ++ .../layer2-k8s/eks-cluster-autoscaler.tf | 2 +- .../eks-ingress-nginx-controller.tf | 2 +- terraform/layer2-k8s/eks-istio.tf | 4 +- terraform/layer2-k8s/eks-keda.tf | 2 +- .../layer2-k8s/eks-kube-prometheus-stack.tf | 122 ++--- terraform/layer2-k8s/eks-loki-stack.tf | 2 +- .../eks-prometheus-operator-crds.tf | 21 + terraform/layer2-k8s/eks-reloader.tf | 2 +- .../eks-victoria-metrics-k8s-stack.tf | 489 ++++++++++++++++++ terraform/layer2-k8s/helm-releases.yaml | 14 +- terraform/layer2-k8s/main.tf | 8 + terraform/layer2-k8s/providers.tf | 6 + 15 files changed, 674 insertions(+), 73 deletions(-) create mode 100644 terraform/layer2-k8s/eks-prometheus-operator-crds.tf create mode 100644 terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf diff --git a/README.md b/README.md index c63b52bf..c3cc5931 100644 --- a/README.md +++ b/README.md @@ -446,6 +446,7 @@ This boiler installs all basic and necessary components. However, we also provid Notes: * [Gitlab-runner](docs/FAQ.md#gitlab-runner) +* [Monitoring](docs/FAQ.md#monitoring) ## TFSEC diff --git a/docs/FAQ.md b/docs/FAQ.md index 612872c0..99995783 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md 
@@ -218,9 +218,17 @@ runners: ... ``` +## Monitoring +This boilerplate provides two solutions for monitoring: +1. VictoriaMetrics based on [victoria-metrics-k8s-stack](https://github.com/VictoriaMetrics/helm-charts/tree/master/charts/victoria-metrics-k8s-stack) +2. Prometheus based on [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) + +VictoriaMetrics is installed by default. However, you can easily switch to Prometheus just **enabling** it and **disabling** VictoriaMetrics in `terraform/layer2-k8s/helm-releases.yaml`. You need to do it before first applying the layer2-k8s. +VictoriaMetrics Operator supports several [Prometheus objects](https://github.com/VictoriaMetrics/operator#overview). For example, Servicemonitor, PrometheusRule. However, we need to somehow install necessary Prometheus CRDs in a k8s cluster. So, it's done in the `eks-prometheus-operator-crds.tf` file, where we install Prometheus' CRDs separately from kube-prometheus-stack. + ## Grafana: How to add GitHub/Gitlab OAuth2 Authentication: By default we install Grafana without integrating it with GitHub or Gitlab and use basic authentication (login/password). If you want to integrate it to use OAuth2, then do next: -1. Set `grafana_oauth_type` variable in the `terraform/layer2-k8s/eks-kube-prometheus-stack.tf` to the desired value (github or gitlab). +1. Set `grafana_oauth_type` variable in the `terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf`/`terraform/layer2-k8s/eks-kube-prometheus-stack.tf` to the desired value (github or gitlab). 2. **Gitlab**: * See [this instruction](https://grafana.com/docs/grafana/latest/auth/gitlab/#gitlab-oauth2-authentication) and generate necessary tokens. 
* Set `grafana_gitlab_client_id`, `grafana_gitlab_client_secret`, `grafana_gitlab_group` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`. @@ -230,7 +238,31 @@ By default we install Grafana without integrating it with GitHub or Gitlab and u ## Alertmanager Alertmanager is disabled in default installation. If you want to enable it, then do next: -1. Open file layer2-k8s/eks-kube-prometheus-stack.tf and change : +1. VictoriaMetrics: + Open file layer2-k8s/eks-victoria-metrics-k8s-stack.tf and change : +```yaml +locals { +.... + victoria_metrics_k8s_stack_alertmanager_values = < v.body } : {} + yaml_body = each.value +} diff --git a/terraform/layer2-k8s/eks-reloader.tf b/terraform/layer2-k8s/eks-reloader.tf index e5e63d68..ee65bcb3 100644 --- a/terraform/layer2-k8s/eks-reloader.tf +++ b/terraform/layer2-k8s/eks-reloader.tf @@ -4,7 +4,7 @@ locals { enabled = local.helm_releases[index(local.helm_releases.*.id, "reloader")].enabled chart = local.helm_releases[index(local.helm_releases.*.id, "reloader")].chart repository = local.helm_releases[index(local.helm_releases.*.id, "reloader")].repository - chart_version = local.helm_releases[index(local.helm_releases.*.id, "reloader")].version + chart_version = local.helm_releases[index(local.helm_releases.*.id, "reloader")].chart_version namespace = local.helm_releases[index(local.helm_releases.*.id, "reloader")].namespace } } diff --git a/terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf b/terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf new file mode 100644 index 00000000..5287da30 --- /dev/null +++ b/terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf 
@@ -0,0 +1,489 @@ +locals { + victoria_metrics_k8s_stack = { + name = local.helm_releases[index(local.helm_releases.*.id, "victoria-metrics-k8s-stack")].id + enabled = local.helm_releases[index(local.helm_releases.*.id, "victoria-metrics-k8s-stack")].enabled + chart = local.helm_releases[index(local.helm_releases.*.id, "victoria-metrics-k8s-stack")].chart + repository = local.helm_releases[index(local.helm_releases.*.id, "victoria-metrics-k8s-stack")].repository + chart_version = local.helm_releases[index(local.helm_releases.*.id, "victoria-metrics-k8s-stack")].chart_version + namespace = local.helm_releases[index(local.helm_releases.*.id, "victoria-metrics-k8s-stack")].namespace + } + victoria_metrics_k8s_stack_grafana_oauth_type = "gitlab" # we support three options: without ouath (empty value), github or gitlab. Default is empty + victoria_metrics_k8s_stack_grafana_password = local.victoria_metrics_k8s_stack.enabled ? random_string.victoria_metrics_k8s_stack_grafana_password[0].result : "" + victoria_metrics_k8s_stack_grafana_gitlab_client_id = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_gitlab_client_id", "") + victoria_metrics_k8s_stack_grafana_gitlab_client_secret = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_gitlab_client_secret", "") + victoria_metrics_k8s_stack_grafana_gitlab_group = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_gitlab_group", "") + victoria_metrics_k8s_stack_grafana_github_client_id = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_client_id", "") + victoria_metrics_k8s_stack_grafana_github_client_secret = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_client_secret", "") + victoria_metrics_k8s_stack_grafana_github_team_ids = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), 
"grafana_github_team_ids", "") + victoria_metrics_k8s_stack_grafana_github_allowed_organizations = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_allowed_organizations", "") + victoria_metrics_k8s_stack_alertmanager_slack_webhook = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "alertmanager_slack_webhook", "") + victoria_metrics_k8s_stack_alertmanager_slack_channel = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "alertmanager_slack_channel", "") + victoria_metrics_k8s_stack_grafana_domain_name = "grafana-${local.domain_suffix}" + victoria_metrics_k8s_stack_alertmanager_domain_name = "alertmanager-${local.domain_suffix}" + victoria_metrics_k8s_stack_values = <- + {{ range .Alerts -}} + *Alert:* {{ .Annotations.title }}{{ if .Labels.severity }} - `{{ .Labels.severity }}`{{ end }} + + *Description:* {{ .Annotations.description }} {{ .Annotations.message }} + + *Details:* + {{ range .Labels.SortedPairs }} • *{{ .Name }}:* `{{ .Value }}` + {{ end }} + {{ end }} +VALUES +} + +#tfsec:ignore:kubernetes-network-no-public-egress tfsec:ignore:kubernetes-network-no-public-ingress +module "victoria_metrics_k8s_stack_namespace" { + count = local.victoria_metrics_k8s_stack.enabled ? 
1 : 0 + + source = "../modules/kubernetes-namespace" + name = local.victoria_metrics_k8s_stack.namespace + network_policies = [ + { + name = "default-deny" + policy_types = ["Ingress", "Egress"] + pod_selector = {} + }, + { + name = "allow-this-namespace" + policy_types = ["Ingress"] + pod_selector = {} + ingress = { + from = [ + { + namespace_selector = { + match_labels = { + name = local.victoria_metrics_k8s_stack.namespace + } + } + } + ] + } + }, + { + name = "allow-ingress" + policy_types = ["Ingress"] + pod_selector = {} + ingress = { + + from = [ + { + namespace_selector = { + match_labels = { + name = local.ingress_nginx.namespace + } + } + } + ] + } + }, + { + name = "allow-control-plane" + policy_types = ["Ingress"] + pod_selector = { + match_expressions = { + key = "app" + operator = "In" + values = ["${local.victoria_metrics_k8s_stack.name}-operator"] + } + } + ingress = { + ports = [ + { + port = "10250" + protocol = "TCP" + } + ] + from = [ + { + ip_block = { + cidr = "0.0.0.0/0" + } + } + ] + } + }, + { + name = "allow-egress" + policy_types = ["Egress"] + pod_selector = {} + egress = { + to = [ + { + ip_block = { + cidr = "0.0.0.0/0" + except = [ + "169.254.169.254/32" + ] + } + } + ] + } + } + ] +} + +module "aws_iam_victoria_metrics_k8s_stack_grafana" { + count = local.victoria_metrics_k8s_stack.enabled ? 
1 : 0 + + source = "../modules/aws-iam-eks-trusted" + name = "${local.name}-grafana" + region = local.region + oidc_provider_arn = local.eks_oidc_provider_arn + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Sid" : "AllowReadingMetricsFromCloudWatch", + "Effect" : "Allow", + "Action" : [ + "cloudwatch:ListMetrics", + "cloudwatch:GetMetricStatistics", + "cloudwatch:GetMetricData" + ], + "Resource" : "*" + }, + { + "Sid" : "AllowReadingTagsInstancesRegionsFromEC2", + "Effect" : "Allow", + "Action" : [ + "ec2:DescribeTags", + "ec2:DescribeInstances", + "ec2:DescribeRegions" + ], + "Resource" : "*" + }, + { + "Sid" : "AllowReadingResourcesForTags", + "Effect" : "Allow", + "Action" : "tag:GetResources", + "Resource" : "*" + } + ] + }) +} + +resource "random_string" "victoria_metrics_k8s_stack_grafana_password" { + count = local.victoria_metrics_k8s_stack.enabled ? 1 : 0 + length = 20 + special = true +} + +resource "helm_release" "victoria_metrics_k8s_stack" { + count = local.victoria_metrics_k8s_stack.enabled ? 1 : 0 + + name = local.victoria_metrics_k8s_stack.name + chart = local.victoria_metrics_k8s_stack.chart + repository = local.victoria_metrics_k8s_stack.repository + version = local.victoria_metrics_k8s_stack.chart_version + namespace = module.victoria_metrics_k8s_stack_namespace[count.index].name + max_history = var.helm_release_history_size + + values = compact([ + local.victoria_metrics_k8s_stack_values, + local.victoria_metrics_k8s_stack_grafana_values, + local.victoria_metrics_k8s_stack_grafana_oauth_type == "gitlab" ? local.victoria_metrics_k8s_stack_grafana_gitlab_oauth_values : null, + local.victoria_metrics_k8s_stack_grafana_oauth_type == "github" ? local.victoria_metrics_k8s_stack_grafana_github_oauth_values : null, + local.victoria_metrics_k8s_stack_alertmanager_values, + local.victoria_metrics_k8s_stack_alertmanager_slack_webhook != "" ? 
local.victoria_metrics_k8s_stack_alertmanager_slack_values : null + ]) + + depends_on = [ + kubectl_manifest.kube_prometheus_stack_operator_crds, + helm_release.calico_daemonset + ] + +} + +output "victoria_metrics_k8s_stack_grafana_domain_name" { + value = local.victoria_metrics_k8s_stack.enabled ? local.victoria_metrics_k8s_stack_grafana_domain_name : null + description = "Grafana dashboards address" +} + +output "victoria_metrics_k8s_stack_grafana_admin_password" { + value = local.victoria_metrics_k8s_stack.enabled ? local.victoria_metrics_k8s_stack_grafana_password : null + sensitive = true + description = "Grafana admin password" +} + +output "victoria_metrics_k8s_stack_get_grafana_admin_password" { + value = local.victoria_metrics_k8s_stack.enabled ? "kubectl get secrets -n ${local.victoria_metrics_k8s_stack.namespace} victoria-metrics-k8s-stack-grafana -o jsonpath='{.data.admin-password}' | base64 --decode; echo" : null + description = "Command which gets admin password from kubernetes secret" +} diff --git a/terraform/layer2-k8s/helm-releases.yaml b/terraform/layer2-k8s/helm-releases.yaml index 8a80279e..21891396 100644 --- a/terraform/layer2-k8s/helm-releases.yaml +++ b/terraform/layer2-k8s/helm-releases.yaml @@ -93,7 +93,7 @@ releases: enabled: false chart: keda repository: https://kedacore.github.io/charts - version: 2.4.0 + chart_version: 2.4.0 namespace: keda - id: kiali enabled: false @@ -102,10 +102,10 @@ releases: chart_version: 1.36 namespace: kiali - id: kube-prometheus-stack - enabled: true + enabled: false chart: kube-prometheus-stack repository: https://prometheus-community.github.io/helm-charts - chart_version: 13.12.0 + chart_version: 19.3.0 #https://github.com/prometheus-community/helm-charts/issues/1500 namespace: monitoring - id: loki-stack enabled: true 
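Review bot: The `allow-control-plane` network policy admits TCP/10250 to the operator pods from `ip_block { cidr = "0.0.0.0/0" }`, which is far broader than a control-plane rule needs; if the intent is to let the EKS API server reach the operator's admission webhook, bound it to the cluster VPC range, e.g. `cidr = <VPC_CIDR_LOCAL>` with `# EKS control-plane webhook calls originate from the cluster VPC`. The selector `app In ["${local.victoria_metrics_k8s_stack.name}-operator"]` and the port look carried over from the kube-prometheus-stack file, so please confirm they match the labels and webhook port the victoria-metrics-k8s-stack chart actually sets on its operator pod — if they do not, the rule may select nothing and `default-deny` would silently block the webhook. The `victoria_metrics_k8s_stack_get_grafana_admin_password` output hard-codes the secret name `victoria-metrics-k8s-stack-grafana`; assuming the Grafana subchart names that secret after the release, deriving it as `"${local.victoria_metrics_k8s_stack.name}-grafana"` keeps the command correct if the id in helm-releases.yaml changes. The OAuth client secrets and the Slack webhook read via `lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), ...)` are interpolated into plain Helm values, so they end up in Terraform state and in the Helm release Secret; that mirrors the existing kube-prometheus-stack file, but a one-line comment above that block stating it would save the next reader from assuming the values stay in Secrets Manager only.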
@@ -117,7 +117,7 @@ releases: enabled: true chart: reloader repository: https://stakater.github.io/stakater-charts - version: 0.0.81 + chart_version: 0.0.81 namespace: reloader - id: teamcity enabled: false @@ -125,3 +125,9 @@ releases: repository: chart_version: namespace: teamcity + - id: victoria-metrics-k8s-stack + enabled: true + chart: victoria-metrics-k8s-stack + repository: https://victoriametrics.github.io/helm-charts + chart_version: 0.5.9 + namespace: monitoring diff --git a/terraform/layer2-k8s/main.tf b/terraform/layer2-k8s/main.tf index 13b05500..eeba7fd6 100644 --- a/terraform/layer2-k8s/main.tf +++ b/terraform/layer2-k8s/main.tf @@ -14,6 +14,14 @@ terraform { source = "helm" version = "2.4.1" } + http = { + source = "hashicorp/http" + version = "2.1.0" + } + kubectl = { + source = "gavinbunney/kubectl" + version = "1.13.1" + } } } diff --git a/terraform/layer2-k8s/providers.tf b/terraform/layer2-k8s/providers.tf index 2c83baa3..44422888 100644 --- a/terraform/layer2-k8s/providers.tf +++ b/terraform/layer2-k8s/providers.tf @@ -9,6 +9,12 @@ provider "kubernetes" { token = data.aws_eks_cluster_auth.main.token } +provider "kubectl" { + host = data.aws_eks_cluster.main.endpoint + cluster_ca_certificate = base64decode(data.aws_eks_cluster.main.certificate_authority.0.data) + token = data.aws_eks_cluster_auth.main.token +} + provider "helm" { kubernetes { host = data.aws_eks_cluster.main.endpoint From efcf467c75898cb48c311e649aedd7d62f3adb9b Mon Sep 17 00:00:00 2001 From: maxim Date: Wed, 24 Nov 2021 14:40:49 +0600 Subject: [PATCH 3/5] fix: turn off Grafana gitlab oauth --- terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf b/terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf index 5287da30..0163eac9 100644 --- a/terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf +++ b/terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf 
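Review bot: Nothing enforces that only one of `kube-prometheus-stack` and `victoria-metrics-k8s-stack` is enabled, yet both entries declare `namespace: monitoring`, and the README in this series lists a separate kubernetes-namespace module for each, so enabling both would presumably have two modules try to create the same namespace and fail at apply time rather than at plan time. The FAQ only tells the reader to flip the flags before the first apply; the constraint belongs next to the new entry in this data file, e.g. `# Enable either kube-prometheus-stack or victoria-metrics-k8s-stack, not both: they share the "monitoring" namespace`. The new entry is the one that introduces the overlap, so the comment fits best on it.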
@@ -7,7 +7,7 @@ locals { chart_version = local.helm_releases[index(local.helm_releases.*.id, "victoria-metrics-k8s-stack")].chart_version namespace = local.helm_releases[index(local.helm_releases.*.id, "victoria-metrics-k8s-stack")].namespace } - victoria_metrics_k8s_stack_grafana_oauth_type = "gitlab" # we support three options: without ouath (empty value), github or gitlab. Default is empty + victoria_metrics_k8s_stack_grafana_oauth_type = "" # we support three options: without ouath (empty value), github or gitlab. Default is empty victoria_metrics_k8s_stack_grafana_password = local.victoria_metrics_k8s_stack.enabled ? random_string.victoria_metrics_k8s_stack_grafana_password[0].result : "" victoria_metrics_k8s_stack_grafana_gitlab_client_id = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_gitlab_client_id", "") victoria_metrics_k8s_stack_grafana_gitlab_client_secret = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_gitlab_client_secret", "") From b5571fdcdc113130140d2890f14ce75eee2300f0 Mon Sep 17 00:00:00 2001 From: maxim Date: Wed, 24 Nov 2021 17:02:23 +0600 Subject: [PATCH 4/5] fix documentation in layer2-aws --- terraform/layer2-k8s/README.md | 93 +++++++++++++++++++--------------- 1 file changed, 53 insertions(+), 40 deletions(-) diff --git a/terraform/layer2-k8s/README.md b/terraform/layer2-k8s/README.md index 6fb6912b..80c6a2b3 100644 --- a/terraform/layer2-k8s/README.md +++ b/terraform/layer2-k8s/README.md @@ -52,6 +52,8 @@ | [terraform](#requirement\_terraform) | 1.0.10 | | [aws](#requirement\_aws) | 3.64.2 | | [helm](#requirement\_helm) | 2.4.1 | +| [http](#requirement\_http) | 2.1.0 | +| [kubectl](#requirement\_kubectl) | 1.13.1 | | [kubernetes](#requirement\_kubernetes) | 2.6.1 | ## Providers 
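Review bot: The trailing comment on the changed line still misspells `ouath` and is the only place that documents the accepted values; since this line is being touched anyway, tighten it to `# "" (no OAuth), "github" or "gitlab"; default ""`. The FAQ updated earlier in this series tells users to set the `grafana_oauth_type` variable, whereas this is a local named `victoria_metrics_k8s_stack_grafana_oauth_type`; one of the two should be aligned so the instruction can be followed. The enclosing `locals` block starts and ends outside the hunk.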
@@ -60,6 +62,8 @@ | ---------------------------------------------------------------------- | ------- | | [aws](#provider\_aws) | 3.64.2 | | [helm](#provider\_helm) | 2.4.1 | +| [http](#provider\_http) | 2.1.0 | +| [kubectl](#provider\_kubectl) | 1.13.1 | | [kubernetes](#provider\_kubernetes) | 2.6.1 | | [random](#provider\_random) | 3.1.0 | | [terraform](#provider\_terraform) | n/a | 
@@ -67,33 +71,35 @@ ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | ------- | -| [aws\_iam\_autoscaler](#module\_aws\_iam\_autoscaler) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_aws\_loadbalancer\_controller](#module\_aws\_iam\_aws\_loadbalancer\_controller) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_cert\_manager](#module\_aws\_iam\_cert\_manager) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_elastic\_stack](#module\_aws\_iam\_elastic\_stack) | ../modules/aws-iam-user-with-policy | n/a | -| [aws\_iam\_external\_dns](#module\_aws\_iam\_external\_dns) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_external\_secrets](#module\_aws\_iam\_external\_secrets) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_gitlab\_runner](#module\_aws\_iam\_gitlab\_runner) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_grafana](#module\_aws\_iam\_grafana) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_load\_balancer\_controller\_namespace](#module\_aws\_load\_balancer\_controller\_namespace) | ../modules/kubernetes-namespace | n/a | -| [aws\_node\_termination\_handler\_namespace](#module\_aws\_node\_termination\_handler\_namespace) | ../modules/kubernetes-namespace | n/a | -| [certmanager\_namespace](#module\_certmanager\_namespace) | ../modules/kubernetes-namespace | n/a | -| [cluster\_autoscaler\_namespace](#module\_cluster\_autoscaler\_namespace) | ../modules/kubernetes-namespace | n/a | -| [elastic\_tls](#module\_elastic\_tls) | ../modules/self-signed-certificate | n/a | -| [elk\_namespace](#module\_elk\_namespace) | ../modules/kubernetes-namespace | n/a | -| [external\_dns\_namespace](#module\_external\_dns\_namespace) | ../modules/kubernetes-namespace | n/a | -| [external\_secrets\_namespace](#module\_external\_secrets\_namespace) | 
../modules/kubernetes-namespace | n/a | -| [fargate\_namespace](#module\_fargate\_namespace) | ../modules/kubernetes-namespace | n/a | -| [gitlab\_runner\_namespace](#module\_gitlab\_runner\_namespace) | ../modules/kubernetes-namespace | n/a | -| [ingress\_nginx\_namespace](#module\_ingress\_nginx\_namespace) | ../modules/kubernetes-namespace | n/a | -| [istio\_system\_namespace](#module\_istio\_system\_namespace) | ../modules/kubernetes-namespace | n/a | -| [keda\_namespace](#module\_keda\_namespace) | ../modules/kubernetes-namespace | n/a | -| [kiali\_namespace](#module\_kiali\_namespace) | ../modules/kubernetes-namespace | n/a | -| [loki\_namespace](#module\_loki\_namespace) | ../modules/kubernetes-namespace | n/a | -| [monitoring\_namespace](#module\_monitoring\_namespace) | ../modules/kubernetes-namespace | n/a | -| [reloader\_namespace](#module\_reloader\_namespace) | ../modules/kubernetes-namespace | n/a | +| Name | Source | Version | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- | ------- | +| [aws\_iam\_autoscaler](#module\_aws\_iam\_autoscaler) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_aws\_loadbalancer\_controller](#module\_aws\_iam\_aws\_loadbalancer\_controller) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_cert\_manager](#module\_aws\_iam\_cert\_manager) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_elastic\_stack](#module\_aws\_iam\_elastic\_stack) | ../modules/aws-iam-user-with-policy | n/a | +| [aws\_iam\_external\_dns](#module\_aws\_iam\_external\_dns) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_external\_secrets](#module\_aws\_iam\_external\_secrets) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_gitlab\_runner](#module\_aws\_iam\_gitlab\_runner) | ../modules/aws-iam-eks-trusted | n/a | +| 
[aws\_iam\_kube\_prometheus\_stack\_grafana](#module\_aws\_iam\_kube\_prometheus\_stack\_grafana) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana](#module\_aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_load\_balancer\_controller\_namespace](#module\_aws\_load\_balancer\_controller\_namespace) | ../modules/kubernetes-namespace | n/a | +| [aws\_node\_termination\_handler\_namespace](#module\_aws\_node\_termination\_handler\_namespace) | ../modules/kubernetes-namespace | n/a | +| [certmanager\_namespace](#module\_certmanager\_namespace) | ../modules/kubernetes-namespace | n/a | +| [cluster\_autoscaler\_namespace](#module\_cluster\_autoscaler\_namespace) | ../modules/kubernetes-namespace | n/a | +| [elastic\_tls](#module\_elastic\_tls) | ../modules/self-signed-certificate | n/a | +| [elk\_namespace](#module\_elk\_namespace) | ../modules/kubernetes-namespace | n/a | +| [external\_dns\_namespace](#module\_external\_dns\_namespace) | ../modules/kubernetes-namespace | n/a | +| [external\_secrets\_namespace](#module\_external\_secrets\_namespace) | ../modules/kubernetes-namespace | n/a | +| [fargate\_namespace](#module\_fargate\_namespace) | ../modules/kubernetes-namespace | n/a | +| [gitlab\_runner\_namespace](#module\_gitlab\_runner\_namespace) | ../modules/kubernetes-namespace | n/a | +| [ingress\_nginx\_namespace](#module\_ingress\_nginx\_namespace) | ../modules/kubernetes-namespace | n/a | +| [istio\_system\_namespace](#module\_istio\_system\_namespace) | ../modules/kubernetes-namespace | n/a | +| [keda\_namespace](#module\_keda\_namespace) | ../modules/kubernetes-namespace | n/a | +| [kiali\_namespace](#module\_kiali\_namespace) | ../modules/kubernetes-namespace | n/a | +| [kube\_prometheus\_stack\_namespace](#module\_kube\_prometheus\_stack\_namespace) | ../modules/kubernetes-namespace | n/a | +| [loki\_namespace](#module\_loki\_namespace) | 
../modules/kubernetes-namespace | n/a | +| [reloader\_namespace](#module\_reloader\_namespace) | ../modules/kubernetes-namespace | n/a | +| [victoria\_metrics\_k8s\_stack\_namespace](#module\_victoria\_metrics\_k8s\_stack\_namespace) | ../modules/kubernetes-namespace | n/a | ## Resources 
@@ -123,21 +129,25 @@ | [helm_release.loki_stack](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | | [helm_release.prometheus_operator](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | | [helm_release.reloader](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.victoria_metrics_k8s_stack](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [kubectl_manifest.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/1.13.1/docs/resources/manifest) | resource | | [kubernetes_secret.elasticsearch_certificates](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/secret) | resource | | [kubernetes_secret.elasticsearch_credentials](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/secret) | resource | | [kubernetes_secret.elasticsearch_s3_user_creds](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/secret) | resource | | [kubernetes_secret.kibana_enc_key](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/secret) | resource | | [kubernetes_storage_class.advanced](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/storage_class) | resource | | [random_string.elasticsearch_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [random_string.grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [random_string.kibana_enc_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [random_string.kibana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| 
[random_string.kube_prometheus_stack_grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [random_string.victoria_metrics_k8s_stack_grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [time_sleep.wait_10_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/caller_identity) | data source | | [aws_eks_cluster.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/eks_cluster) | data source | | [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/eks_cluster_auth) | data source | | [aws_secretsmanager_secret.infra](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/secretsmanager_secret) | data source | | [aws_secretsmanager_secret_version.infra](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/secretsmanager_secret_version) | data source | +| [http_http.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/hashicorp/http/2.1.0/docs/data-sources/http) | data source | | [terraform_remote_state.layer1-aws](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | ## Inputs 
@@ -155,16 +165,19 @@ ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | -| [alertmanager\_domain\_name](#output\_alertmanager\_domain\_name) | Alertmanager ui address | -| [apm\_domain\_name](#output\_apm\_domain\_name) | APM domain name | -| [elastic\_stack\_bucket\_name](#output\_elastic\_stack\_bucket\_name) | Name of the bucket for ELKS snapshots | -| [elasticsearch\_elastic\_password](#output\_elasticsearch\_elastic\_password) | Password of the superuser 'elastic' | -| [get\_grafana\_admin\_password](#output\_get\_grafana\_admin\_password) | Command which gets admin password from kubernetes secret | -| [gitlab\_runner\_cache\_bucket\_name](#output\_gitlab\_runner\_cache\_bucket\_name) | Name of the s3 bucket for gitlab-runner cache | -| [grafana\_admin\_password](#output\_grafana\_admin\_password) | Grafana admin password | -| [grafana\_domain\_name](#output\_grafana\_domain\_name) | Grafana dashboards address | -| [kibana\_domain\_name](#output\_kibana\_domain\_name) | Kibana dashboards address | -| [prometheus\_domain\_name](#output\_prometheus\_domain\_name) | Prometheus ui address | +| Name | Description | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | +| [apm\_domain\_name](#output\_apm\_domain\_name) | APM domain name | +| [elastic\_stack\_bucket\_name](#output\_elastic\_stack\_bucket\_name) | Name of the bucket for ELKS snapshots | +| [elasticsearch\_elastic\_password](#output\_elasticsearch\_elastic\_password) | Password of the superuser 'elastic' | +| [gitlab\_runner\_cache\_bucket\_name](#output\_gitlab\_runner\_cache\_bucket\_name) | Name of 
the s3 bucket for gitlab-runner cache | +| [kibana\_domain\_name](#output\_kibana\_domain\_name) | Kibana dashboards address | +| [kube\_prometheus\_stack\_alertmanager\_domain\_name](#output\_kube\_prometheus\_stack\_alertmanager\_domain\_name) | Alertmanager ui address | +| [kube\_prometheus\_stack\_get\_grafana\_admin\_password](#output\_kube\_prometheus\_stack\_get\_grafana\_admin\_password) | Command which gets admin password from kubernetes secret | +| [kube\_prometheus\_stack\_grafana\_admin\_password](#output\_kube\_prometheus\_stack\_grafana\_admin\_password) | Grafana admin password | +| [kube\_prometheus\_stack\_grafana\_domain\_name](#output\_kube\_prometheus\_stack\_grafana\_domain\_name) | Grafana dashboards address | +| [kube\_prometheus\_stack\_prometheus\_domain\_name](#output\_kube\_prometheus\_stack\_prometheus\_domain\_name) | Prometheus ui address | +| [victoria\_metrics\_k8s\_stack\_get\_grafana\_admin\_password](#output\_victoria\_metrics\_k8s\_stack\_get\_grafana\_admin\_password) | Command which gets admin password from kubernetes secret | +| [victoria\_metrics\_k8s\_stack\_grafana\_admin\_password](#output\_victoria\_metrics\_k8s\_stack\_grafana\_admin\_password) | Grafana admin password | +| [victoria\_metrics\_k8s\_stack\_grafana\_domain\_name](#output\_victoria\_metrics\_k8s\_stack\_grafana\_domain\_name) | Grafana dashboards address | \ No newline at end of file From 8b865b52078dc702fd7f317f2f6e6a6c79711b85 Mon Sep 17 00:00:00 2001 From: maxim Date: Wed, 24 Nov 2021 17:36:00 +0600 Subject: [PATCH 5/5] fix syntax errors in FAQ.md --- docs/FAQ.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/FAQ.md b/docs/FAQ.md index 99995783..32a2a963 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md 
@@ -223,12 +223,12 @@ This boilerplate provides two solutions for monitoring: 1. VictoriaMetrics based on [victoria-metrics-k8s-stack](https://github.com/VictoriaMetrics/helm-charts/tree/master/charts/victoria-metrics-k8s-stack) 2. Prometheus based on [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) -VictoriaMetrics is installed by default. However, you can easily switch to Prometheus just **enabling** it and **disabling** VictoriaMetrics in `terraform/layer2-k8s/helm-releases.yaml`. You need to do it before first applying the layer2-k8s. +VictoriaMetrics is installed by default. However, you can easily switch to Prometheus just **enabling** it and **disabling** VictoriaMetrics in `terraform/layer2-k8s/helm-releases.yaml`. You need to do it before the first apply of the layer2-k8s. VictoriaMetrics Operator supports several [Prometheus objects](https://github.com/VictoriaMetrics/operator#overview). For example, Servicemonitor, PrometheusRule. However, we need to somehow install necessary Prometheus CRDs in a k8s cluster. So, it's done in the `eks-prometheus-operator-crds.tf` file, where we install Prometheus' CRDs separately from kube-prometheus-stack. ## Grafana: How to add GitHub/Gitlab OAuth2 Authentication: By default we install Grafana without integrating it with GitHub or Gitlab and use basic authentication (login/password). If you want to integrate it to use OAuth2, then do next: -1. Set `grafana_oauth_type` variable in the `terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf`/`terraform/layer2-k8s/eks-kube-prometheus-stack.tf` to the desired value (github or gitlab). +1. Set `grafana_oauth_type` variable in the `terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf` or `terraform/layer2-k8s/eks-kube-prometheus-stack.tf` to the desired value (github or gitlab). 2. 
**Gitlab**: * See [this instruction](https://grafana.com/docs/grafana/latest/auth/gitlab/#gitlab-oauth2-authentication) and generate necessary tokens. * Set `grafana_gitlab_client_id`, `grafana_gitlab_client_secret`, `grafana_gitlab_group` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.