merps / terraform-volterra-secure-k8s-gateway

Volterra Terraform Module for Secure k8s Gateway Use-Case

terraform-volterra-secure-k8s-gateway

This is a Terraform module that creates Volterra's Secure Kubernetes Gateway use case. Read the Secure Kubernetes Gateway use case guide to learn more.


Overview

Image: ADN use case diagram


Prerequisites:

AWS Account

  • AWS Programmatic access credentials

    You should already have a user created in your AWS account, with programmatic access credentials generated for that user.

  • AWS IAM Policy for the user

    Follow this link to add the required permissions to the AWS IAM user. You may need to contact your IAM admin to do this.

Volterra Account

  • Signup For Volterra Account

    If you don't have a Volterra account, follow this link to sign up.

  • Download Volterra API credentials file

    Follow the How to Generate API Certificate guide to create API credentials.

  • Setup domain delegation

    Follow steps from this link to create domain delegation.

Command Line Tools

  • Install terraform

    On macOS with Homebrew installed, run the commands below to install Terraform. On other operating systems, follow the instructions at this link to install Terraform.

    $ brew tap hashicorp/tap
    $ brew install hashicorp/tap/terraform
    
    # to update
    $ brew upgrade hashicorp/tap/terraform

  • Install kubectl

    Please follow this doc to install kubectl

  • Install aws-iam-authenticator

    Please follow this doc to install aws-iam-authenticator

  • Export the API certificate password as an environment variable; the Volterra provider needs it to authenticate

    export VES_P12_PASSWORD=<your credential password>

Usage Example

variable "api_url" {
  #--- UNCOMMENT FOR TEAM OR ORG TENANTS
  # default = "https://<TENANT-NAME>.console.ves.volterra.io/api"
  #--- UNCOMMENT FOR INDIVIDUAL/FREEMIUM
  # default = "https://console.ves.volterra.io/api"
}

# This is the absolute path of the API credentials file you downloaded from Volterra
variable "api_p12_file" {
  default = "path/to/your/api-creds.p12"
}

# Below is an option to pass the access key and secret key as you probably don't want to save them in a file
# Use env variable before you run `terraform apply` command
# export TF_VAR_aws_access_key=<your aws access key>
# export TF_VAR_aws_secret_key=<your aws secret key>
variable "aws_access_key" {}

variable "aws_secret_key" {}

variable "aws_region" {
  default = "us-east-2"
}

variable "aws_az" {
  default = "us-east-2a"
}

variable "app_fqdn" {}

variable "namespace" {
  default = ""
}

variable "name" {}

# This is the VPC CIDR for AWS
variable "aws_vpc_cidr" {
  default = "192.168.0.0/22"
}

# Map to hold different CE CIDR, if you are not using default aws_vpc_cidr then you need to change the below map as well
variable "aws_subnet_ce_cidr" {
  default = {
    "outside"  = "192.168.0.0/25"
    "inside"   = "192.168.0.192/26"
    "workload" = "192.168.0.128/26"
  }
}

# Map to hold different EKS cidr with key as desired AZ on which the subnet should exist
variable "aws_subnet_eks_cidr" {
  default = {
    "us-east-2a" = "192.168.1.0/25"
    "us-east-2b" = "192.168.1.128/25"
  }
}

locals {
  namespace = var.namespace != "" ? var.namespace : var.name
}

terraform {
  required_providers {
    volterra = {
      source  = "volterraedge/volterra"
      version = "0.1.0"
    }
  }
}

provider "volterra" {
  api_p12_file = var.api_p12_file
  url          = var.api_url
}

module "skg" {
  source              = "volterraedge/secure-k8s-gateway/volterra"
  version             = "0.1.2"
  skg_name            = var.name
  volterra_namespace  = local.namespace
  app_domain          = var.app_fqdn
  aws_secret_key      = var.aws_secret_key
  aws_access_key      = var.aws_access_key
  aws_region          = var.aws_region
  aws_az              = var.aws_az
  aws_vpc_cidr        = var.aws_vpc_cidr
  aws_subnet_ce_cidr  = var.aws_subnet_ce_cidr
  aws_subnet_eks_cidr = var.aws_subnet_eks_cidr
}

output "kubeconfig_filename" {
  value = module.skg.kubeconfig_filename
}

output "app_url" {
  value = module.skg.app_url
}
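The comment on aws_subnet_ce_cidr above says that changing aws_vpc_cidr requires changing the subnet maps as well. The following pre-apply check is an added example, not part of the module: it takes the CIDR values from the Usage Example and verifies that every CE and EKS subnet lies inside the VPC CIDR and that no two subnets overlap, so stale subnet maps are caught before `terraform apply` creates the site.

```python
"""Pre-apply sanity check for the CIDR inputs of the secure-k8s-gateway module.

Added example, not part of the module: it verifies that every CE and EKS
subnet lies inside aws_vpc_cidr and that no two subnets overlap, so a
changed aws_vpc_cidr is not applied with stale subnet maps.
"""
import ipaddress

# Values copied from the Usage Example (the module's documented defaults).
AWS_VPC_CIDR = "192.168.0.0/22"
AWS_SUBNET_CE_CIDR = {
    "outside": "192.168.0.0/25",
    "inside": "192.168.0.192/26",
    "workload": "192.168.0.128/26",
}
AWS_SUBNET_EKS_CIDR = {
    "us-east-2a": "192.168.1.0/25",
    "us-east-2b": "192.168.1.128/25",
}


def check_subnets(vpc_cidr, *subnet_maps):
    """Return a list of problems; an empty list means the layout is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    named = []  # (name, network) for every subnet across all maps
    for subnets in subnet_maps:
        for name, cidr in subnets.items():
            try:
                # strict=True rejects host bits set in the prefix (e.g. 192.168.0.1/25)
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                problems.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
                continue
            if net.version != vpc.version or not net.subnet_of(vpc):
                problems.append(f"{name}: {cidr} is outside VPC {vpc_cidr}")
            named.append((name, net))
    # Pairwise overlap check: CE and EKS subnets must be disjoint within the VPC.
    for i, (name_a, net_a) in enumerate(named):
        for name_b, net_b in named[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    return problems


if __name__ == "__main__":
    issues = check_subnets(AWS_VPC_CIDR, AWS_SUBNET_CE_CIDR, AWS_SUBNET_EKS_CIDR)
    for issue in issues:
        print("ERROR:", issue)
    raise SystemExit(1 if issues else 0)
```

Run it against your own variable values before `terraform apply`; a non-zero exit means the subnet maps no longer fit the VPC CIDR.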

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12.9, != 0.13.0 |
| aws | >= 3.22.0 |
| local | >= 2.0 |
| null | >= 3.0 |
| volterra | 0.1.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.22.0 |
| local | >= 2.0 |
| null | >= 3.0 |
| volterra | 0.1.0 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allow_dns_list | List of IP prefixes to be allowed | list(string) | ["8.8.8.8/32"] | no |
| allow_tls_prefix_list | Allow TLS prefix list | list(string) | ["gcr.io", "storage.googleapis.com", "docker.io", "docker.com", "amazonaws.com"] | no |
| app_domain | FQDN for the app. If you have delegated the domain prod.example.com, then your app_domain can be <app_name>.prod.example.com | string | n/a | yes |
| aws_access_key | AWS Access Key. Programmatic API access key needed for creating the site | string | n/a | yes |
| aws_az | AWS Availability Zone in which the site will be created | string | n/a | yes |
| aws_instance_type | AWS instance type used for the Volterra site | string | "t3.2xlarge" | no |
| aws_region | AWS Region where the site will be created | string | n/a | yes |
| aws_secret_key | AWS Secret Access Key. Programmatic API secret access key needed for creating the site | string | n/a | yes |
| aws_subnet_ce_cidr | Map of CE subnet CIDRs, keyed by subnet name | map(string) | n/a | yes |
| aws_subnet_eks_cidr | Map of EKS subnet CIDRs, keyed by the AZ in which the subnet should exist | map(string) | n/a | yes |
| aws_vpc_cidr | AWS VPC CIDR used to create the VPC while creating the site | string | n/a | yes |
| certified_hardware | Volterra certified hardware used to create the Volterra site on AWS | string | "aws-byol-multi-nic-voltmesh" | no |
| deny_dns_list | List of IP prefixes to be denied | list(string) | ["8.8.4.4/32"] | no |
| eks_port_range | EKS port range to be allowed | list(string) | ["30000-32767"] | no |
| enable_hsts | Flag to enable HSTS for the HTTPS load balancer | bool | false | no |
| enable_redirect | Flag to enable HTTP redirect to the HTTPS load balancer | bool | true | no |
| js_cookie_expiry | JavaScript cookie expiry time in seconds | number | 3600 | no |
| js_script_delay | JavaScript challenge delay in milliseconds | number | 5000 | no |
| kubeconfig_output_path | Output file path where the kubeconfig will be stored | string | "./" | no |
| site_disk_size | Disk size in GiB | number | 80 | no |
| skg_name | SKG name. Also used as a prefix in names of related resources. | string | n/a | yes |
| ssh_public_key | SSH public key | string | "" | no |
| volterra_namespace | Volterra app namespace where the objects will be created. This cannot be the system or shared namespace. | string | n/a | yes |
| volterra_namespace_exists | Flag to create or use an existing Volterra namespace | string | false | no |

Outputs

| Name | Description |
|------|-------------|
| app_url | Domain VIP to access the app deployed on EKS |
| kubeconfig_filename | EKS kubeconfig file name |

About

License: Apache License 2.0