refactor: switch from aws-managed nodegroups to self-managed (#277)

mglotov · web-flow · commit 3beda57d64cd · 2022-05-02T13:56:34.000+06:00
diff --git a/terraform/layer1-aws/README.md b/terraform/layer1-aws/README.md
@@ -32,8 +32,9 @@
 |------|------|
 | [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/ebs_encryption_by_default) | resource |
 | [aws_kms_key.eks](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/kms_key) | resource |
-| [kubectl_manifest.this](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |
+| [kubectl_manifest.aws_auth_configmap](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |
 | [aws_acm_certificate.main](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/acm_certificate) | data source |
+| [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/ami) | data source |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/availability_zones) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/caller_identity) | data source |
 | [aws_eks_cluster.main](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/eks_cluster) | data source |
@@ -65,10 +66,10 @@
 | <a name="input_eks_write_kubeconfig"></a> [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes |
-| <a name="input_node_group_br"></a> [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration | <pre>object({<br>    instance_types       = list(string)<br>    capacity_type        = string<br>    max_capacity         = number<br>    min_capacity         = number<br>    desired_capacity     = number<br>    force_update_version = bool<br>  })</pre> | <pre>{<br>  "capacity_type": "SPOT",<br>  "desired_capacity": 0,<br>  "force_update_version": true,<br>  "instance_types": [<br>    "t3a.medium",<br>    "t3.medium"<br>  ],<br>  "max_capacity": 5,<br>  "min_capacity": 0<br>}</pre> | no |
-| <a name="input_node_group_ci"></a> [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration | <pre>object({<br>    instance_types       = list(string)<br>    capacity_type        = string<br>    max_capacity         = number<br>    min_capacity         = number<br>    desired_capacity     = number<br>    force_update_version = bool<br>  })</pre> | <pre>{<br>  "capacity_type": "SPOT",<br>  "desired_capacity": 0,<br>  "force_update_version": true,<br>  "instance_types": [<br>    "t3a.medium",<br>    "t3.medium"<br>  ],<br>  "max_capacity": 5,<br>  "min_capacity": 0<br>}</pre> | no |
-| <a name="input_node_group_ondemand"></a> [node\_group\_ondemand](#input\_node\_group\_ondemand) | Default ondemand node group configuration | <pre>object({<br>    instance_types       = list(string)<br>    capacity_type        = string<br>    max_capacity         = number<br>    min_capacity         = number<br>    desired_capacity     = number<br>    force_update_version = bool<br>  })</pre> | <pre>{<br>  "capacity_type": "ON_DEMAND",<br>  "desired_capacity": 1,<br>  "force_update_version": true,<br>  "instance_types": [<br>    "t3a.medium"<br>  ],<br>  "max_capacity": 5,<br>  "min_capacity": 1<br>}</pre> | no |
-| <a name="input_node_group_spot"></a> [node\_group\_spot](#input\_node\_group\_spot) | Spot node group configuration | <pre>object({<br>    instance_types       = list(string)<br>    capacity_type        = string<br>    max_capacity         = number<br>    min_capacity         = number<br>    desired_capacity     = number<br>    force_update_version = bool<br>  })</pre> | <pre>{<br>  "capacity_type": "SPOT",<br>  "desired_capacity": 1,<br>  "force_update_version": true,<br>  "instance_types": [<br>    "t3a.medium",<br>    "t3.medium"<br>  ],<br>  "max_capacity": 5,<br>  "min_capacity": 0<br>}</pre> | no |
+| <a name="input_node_group_br"></a> [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration | <pre>object({<br>    instance_type              = string<br>    max_capacity               = number<br>    min_capacity               = number<br>    desired_capacity           = number<br>    capacity_rebalance         = bool<br>    use_mixed_instances_policy = bool<br>    mixed_instances_policy     = any<br>  })</pre> | <pre>{<br>  "capacity_rebalance": true,<br>  "desired_capacity": 0,<br>  "instance_type": "t3.medium",<br>  "max_capacity": 5,<br>  "min_capacity": 0,<br>  "mixed_instances_policy": {<br>    "instances_distribution": {<br>      "on_demand_base_capacity": 0,<br>      "on_demand_percentage_above_base_capacity": 0<br>    },<br>    "override": [<br>      {<br>        "instance_type": "t3.medium"<br>      },<br>      {<br>        "instance_type": "t3a.medium"<br>      }<br>    ]<br>  },<br>  "use_mixed_instances_policy": true<br>}</pre> | no |
+| <a name="input_node_group_ci"></a> [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration | <pre>object({<br>    instance_type              = string<br>    max_capacity               = number<br>    min_capacity               = number<br>    desired_capacity           = number<br>    capacity_rebalance         = bool<br>    use_mixed_instances_policy = bool<br>    mixed_instances_policy     = any<br>  })</pre> | <pre>{<br>  "capacity_rebalance": false,<br>  "desired_capacity": 0,<br>  "instance_type": "t3.medium",<br>  "max_capacity": 5,<br>  "min_capacity": 0,<br>  "mixed_instances_policy": {<br>    "instances_distribution": {<br>      "on_demand_base_capacity": 0,<br>      "on_demand_percentage_above_base_capacity": 0<br>    },<br>    "override": [<br>      {<br>        "instance_type": "t3.medium"<br>      },<br>      {<br>        "instance_type": "t3a.medium"<br>      }<br>    ]<br>  },<br>  "use_mixed_instances_policy": true<br>}</pre> | no |
+| <a name="input_node_group_ondemand"></a> [node\_group\_ondemand](#input\_node\_group\_ondemand) | Default ondemand node group configuration | <pre>object({<br>    instance_type              = string<br>    max_capacity               = number<br>    min_capacity               = number<br>    desired_capacity           = number<br>    capacity_rebalance         = bool<br>    use_mixed_instances_policy = bool<br>    mixed_instances_policy     = any<br>  })</pre> | <pre>{<br>  "capacity_rebalance": false,<br>  "desired_capacity": 1,<br>  "instance_type": "t3a.medium",<br>  "max_capacity": 5,<br>  "min_capacity": 1,<br>  "mixed_instances_policy": null,<br>  "use_mixed_instances_policy": false<br>}</pre> | no |
+| <a name="input_node_group_spot"></a> [node\_group\_spot](#input\_node\_group\_spot) | Spot node group configuration | <pre>object({<br>    instance_type              = string<br>    max_capacity               = number<br>    min_capacity               = number<br>    desired_capacity           = number<br>    capacity_rebalance         = bool<br>    use_mixed_instances_policy = bool<br>    mixed_instances_policy     = any<br>  })</pre> | <pre>{<br>  "capacity_rebalance": true,<br>  "desired_capacity": 1,<br>  "instance_type": "t3.medium",<br>  "max_capacity": 5,<br>  "min_capacity": 0,<br>  "mixed_instances_policy": {<br>    "instances_distribution": {<br>      "on_demand_base_capacity": 0,<br>      "on_demand_percentage_above_base_capacity": 0<br>    },<br>    "override": [<br>      {<br>        "instance_type": "t3.medium"<br>      },<br>      {<br>        "instance_type": "t3a.medium"<br>      }<br>    ]<br>  },<br>  "use_mixed_instances_policy": true<br>}</pre> | no |
 | <a name="input_pritunl_vpn_access_cidr_blocks"></a> [pritunl\_vpn\_access\_cidr\_blocks](#input\_pritunl\_vpn\_access\_cidr\_blocks) | IP address that will have access to the web console | `string` | `"127.0.0.1/32"` | no |
 | <a name="input_pritunl_vpn_server_enable"></a> [pritunl\_vpn\_server\_enable](#input\_pritunl\_vpn\_server\_enable) | Indicates whether or not the Pritunl VPN server is deployed. | `bool` | `false` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no |
diff --git a/terraform/layer1-aws/aws-eks-auth.tf b/terraform/layer1-aws/aws-eks-auth.tf
@@ -16,6 +16,6 @@ locals {
     CONTENT
 }
 
-resource "kubectl_manifest" "this" {
+resource "kubectl_manifest" "aws_auth_configmap" {
   yaml_body = local.aws_auth_configmap_yaml
 }
diff --git a/terraform/layer1-aws/aws-eks.tf b/terraform/layer1-aws/aws-eks.tf
@@ -1,3 +1,20 @@
+locals {
+  eks_worker_tags = {
+    "k8s.io/cluster-autoscaler/enabled"       = "true"
+    "k8s.io/cluster-autoscaler/${local.name}" = "owned"
+  }
+}
+
+data "aws_ami" "eks_default_bottlerocket" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "name"
+    values = ["bottlerocket-aws-k8s-${var.eks_cluster_version}-x86_64-*"]
+  }
+}
+
 #tfsec:ignore:aws-vpc-no-public-egress-sgr tfsec:ignore:aws-eks-enable-control-plane-logging tfsec:ignore:aws-eks-encrypt-secrets tfsec:ignore:aws-eks-no-public-cluster-access tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
@@ -72,108 +89,104 @@ module "eks" {
     }
   }
 
-  eks_managed_node_group_defaults = {
-    ami_type                     = "AL2_x86_64"
-    disk_size                    = 100
+  self_managed_node_group_defaults = {
+    block_device_mappings = {
+      xvda = {
+        device_name = "/dev/xvda"
+        ebs = {
+          delete_on_termination = true
+          encrypted             = false
+          volume_size           = 100
+          volume_type           = "gp3"
+        }
+
+      }
+    }
     iam_role_additional_policies = var.eks_workers_additional_policies
+    metadata_options = {
+      http_endpoint               = "enabled"
+      http_tokens                 = "required"
+      http_put_response_hop_limit = 1
+      instance_metadata_tags      = "disabled"
+    }
   }
 
-  eks_managed_node_groups = {
+  self_managed_node_groups = {
     spot = {
-      name           = "${local.name}-spot"
-      iam_role_name  = "${local.name}-spot"
-      desired_size   = var.node_group_spot.desired_capacity
-      max_size       = var.node_group_spot.max_capacity
-      min_size       = var.node_group_spot.min_capacity
-      instance_types = var.node_group_spot.instance_types
-      capacity_type  = var.node_group_spot.capacity_type
-      subnet_ids     = module.vpc.private_subnets
-
-      force_update_version = var.node_group_spot.force_update_version
-
-      labels = {
-        Environment = local.env
-        nodegroup   = "spot"
-      }
-      tags = {
-        Name = "${local.name}-spot"
-      }
+      name          = "${local.name}-spot"
+      iam_role_name = "${local.name}-spot"
+      desired_size  = var.node_group_spot.desired_capacity
+      max_size      = var.node_group_spot.max_capacity
+      min_size      = var.node_group_spot.min_capacity
+      subnet_ids    = module.vpc.private_subnets
+
+      bootstrap_extra_args       = "--kubelet-extra-args '--node-labels=eks.amazonaws.com/capacityType=SPOT  --node-labels=nodegroup=spot'"
+      capacity_rebalance         = var.node_group_spot.capacity_rebalance
+      use_mixed_instances_policy = var.node_group_spot.use_mixed_instances_policy
+      mixed_instances_policy     = var.node_group_spot.mixed_instances_policy
+
+      tags = local.eks_worker_tags
     },
     ondemand = {
-      name           = "${local.name}-ondemand"
-      iam_role_name  = "${local.name}-ondemand"
-      desired_size   = var.node_group_ondemand.desired_capacity
-      max_size       = var.node_group_ondemand.max_capacity
-      min_size       = var.node_group_ondemand.min_capacity
-      instance_types = var.node_group_ondemand.instance_types
-      capacity_type  = var.node_group_ondemand.capacity_type
-      subnet_ids     = module.vpc.private_subnets
-
-      force_update_version = var.node_group_ondemand.force_update_version
-
-      labels = {
-        Environment = local.env
-        nodegroup   = "ondemand"
-      }
-      tags = {
-        Name = "${local.name}-ondemand"
-      }
+      name          = "${local.name}-ondemand"
+      iam_role_name = "${local.name}-ondemand"
+      desired_size  = var.node_group_ondemand.desired_capacity
+      max_size      = var.node_group_ondemand.max_capacity
+      min_size      = var.node_group_ondemand.min_capacity
+      instance_type = var.node_group_ondemand.instance_type
+      subnet_ids    = module.vpc.private_subnets
+
+      bootstrap_extra_args       = "--kubelet-extra-args '--node-labels=eks.amazonaws.com/capacityType=ON_DEMAND --node-labels=nodegroup=ondemand'"
+      capacity_rebalance         = var.node_group_ondemand.capacity_rebalance
+      use_mixed_instances_policy = var.node_group_ondemand.use_mixed_instances_policy
+      mixed_instances_policy     = var.node_group_ondemand.mixed_instances_policy
+
+      tags = local.eks_worker_tags
     },
     ci = {
-      name           = "${local.name}-ci"
-      iam_role_name  = "${local.name}-ci"
-      desired_size   = var.node_group_ci.desired_capacity
-      max_size       = var.node_group_ci.max_capacity
-      min_size       = var.node_group_ci.min_capacity
-      instance_types = var.node_group_ci.instance_types
-      capacity_type  = var.node_group_ci.capacity_type
-      subnet_ids     = module.vpc.private_subnets
-
-      force_update_version = var.node_group_ci.force_update_version
-
-      labels = {
-        Environment = local.env
-        nodegroup   = "ci"
-      }
-      tags = {
-        Name = "${local.name}-ci"
-      }
-      taints = [
-        {
-          key    = "nodegroup"
-          value  = "ci"
-          effect = "NO_SCHEDULE"
-        }
-      ]
+      name          = "${local.name}-ci"
+      iam_role_name = "${local.name}-ci"
+      desired_size  = var.node_group_ci.desired_capacity
+      max_size      = var.node_group_ci.max_capacity
+      min_size      = var.node_group_ci.min_capacity
+      subnet_ids    = module.vpc.private_subnets
+
+      bootstrap_extra_args       = "--kubelet-extra-args '--node-labels=eks.amazonaws.com/capacityType=SPOT  --node-labels=nodegroup=ci --register-with-taints=nodegroup=ci:NoSchedule'"
+      capacity_rebalance         = var.node_group_ci.capacity_rebalance
+      use_mixed_instances_policy = var.node_group_ci.use_mixed_instances_policy
+      mixed_instances_policy     = var.node_group_ci.mixed_instances_policy
+
+      tags = merge(local.eks_worker_tags, { "k8s.io/cluster-autoscaler/node-template/label/nodegroup" = "ci" })
     },
     bottlerocket = {
-      name           = "${local.name}-bottlerocket"
-      iam_role_name  = "${local.name}-bottlerocket"
-      desired_size   = var.node_group_br.desired_capacity
-      max_size       = var.node_group_br.max_capacity
-      min_size       = var.node_group_br.min_capacity
-      instance_types = var.node_group_br.instance_types
-      capacity_type  = var.node_group_br.capacity_type
-      subnet_ids     = module.vpc.private_subnets
-
-      ami_type = "BOTTLEROCKET_x86_64"
-
-      force_update_version = var.node_group_br.force_update_version
-
-      labels = {
-        Environment = local.env
-        nodegroup   = "bottlerocket"
-      }
-      taints = [
-        {
-          key    = "nodegroup"
-          value  = "bottlerocket"
-          effect = "NO_SCHEDULE"
-        }
-      ]
-      tags = {
-        Name = "${local.name}-bottlerocket"
-      }
+      name          = "${local.name}-bottlerocket"
+      iam_role_name = "${local.name}-bottlerocket"
+      desired_size  = var.node_group_br.desired_capacity
+      max_size      = var.node_group_br.max_capacity
+      min_size      = var.node_group_br.min_capacity
+      subnet_ids    = module.vpc.private_subnets
+
+      platform                   = "bottlerocket"
+      ami_id                     = data.aws_ami.eks_default_bottlerocket.id
+      bootstrap_extra_args       = <<-EOT
+          [settings.host-containers.admin]
+          enabled = false
+
+          [settings.host-containers.control]
+          enabled = true
+
+          [settings.kubernetes.node-labels]
+          "eks.amazonaws.com/capacityType" = "SPOT"
+          "nodegroup" = "bottlerocket"
+
+          [settings.kubernetes.node-taints]
+          "nodegroup" = "bottlerocket:NoSchedule"
+          EOT
+      capacity_rebalance         = var.node_group_br.capacity_rebalance
+      use_mixed_instances_policy = var.node_group_br.use_mixed_instances_policy
+      mixed_instances_policy     = var.node_group_br.mixed_instances_policy
+
+      tags = merge(local.eks_worker_tags, { "k8s.io/cluster-autoscaler/node-template/label/nodegroup" = "bottlerocket" })
     }
   }
 
@@ -194,4 +207,5 @@ module "eks" {
       })
     }
   }
+
 }
diff --git a/terraform/layer1-aws/variables.tf b/terraform/layer1-aws/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,6 @@ locals {`
`16`	`16`	`CONTENT`
`17`	`17`	`}`
`18`	`18`
`19`		`-resource "kubectl_manifest" "this" {`
	`19`	`+resource "kubectl_manifest" "aws_auth_configmap" {`
`20`	`20`	`yaml_body = local.aws_auth_configmap_yaml`
`21`	`21`	`}`