Compare commits
7 Commits
0fd7ac69ef
...
fc6b40bb5f
Author | SHA1 | Date |
---|---|---|
Markus Rudy | fc6b40bb5f | |
renovate[bot] | fffc9db2b5 | |
3u13r | 0325483504 | |
Markus Rudy | 8704da6f5f | |
Markus Rudy | 9a1de44776 | |
Markus Rudy | 3e41e890b9 | |
Markus Rudy | 04cbfd2bd2 |
|
@ -5,6 +5,9 @@ inputs:
|
|||
kubeconfig:
|
||||
description: "The kubeconfig of the cluster to test."
|
||||
required: true
|
||||
cloudProvider:
|
||||
description: "The CSP this test runs on. Some tests exercise functionality not supported everywhere."
|
||||
required: false
|
||||
|
||||
runs:
|
||||
using: "composite"
|
||||
|
@ -20,6 +23,24 @@ runs:
|
|||
kubectl apply -f lb.yml
|
||||
bazel run //e2e/internal/lb:lb_test
|
||||
|
||||
- name: Test AWS Ingress
|
||||
if: inputs.cloudProvider == 'aws'
|
||||
shell: bash
|
||||
env:
|
||||
KUBECONFIG: ${{ inputs.kubeconfig }}
|
||||
working-directory: ./.github/actions/e2e_lb
|
||||
run: |
|
||||
kubectl apply -f aws-ingress.yml
|
||||
kubectl wait -n lb-test ing/whoami --for=jsonpath='{.status.loadBalancer.ingress}' --timeout=5m
|
||||
host=$(kubectl get -n lb-test ingress whoami -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}')
|
||||
for i in $(seq 30); do
|
||||
curl --silent --fail --connect-timeout 5 --output /dev/null http://$host && exit 0
|
||||
sleep 10
|
||||
done
|
||||
echo "::error::Ingress did not become ready in the alloted time."
|
||||
kubectl describe ing -n lb-test
|
||||
exit 1
|
||||
|
||||
- name: Delete deployment
|
||||
if: always()
|
||||
shell: bash
|
||||
|
@ -28,4 +49,5 @@ runs:
|
|||
working-directory: ./.github/actions/e2e_lb
|
||||
run: |
|
||||
kubectl delete -f lb.yml
|
||||
kubectl delete --ignore-not-found -f aws-ingress.yml
|
||||
kubectl delete -f ns.yml --timeout=5m
|
||||
|
|
|
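Review bot: `$host` is interpolated unquoted into the curl URL in the new Test AWS Ingress step, and nothing checks that the jsonpath lookup returned a value, so an empty hostname (for instance when the ingress status entry carries an `ip` rather than a `hostname`) silently becomes `http://` and the loop burns the full 30 retries before failing. After the `host=$(...)` line add `[[ -n "$host" ]] || { echo "::error::Ingress status has no hostname."; kubectl describe ing -n lb-test; exit 1; }` and write the URL as `"http://$host"`. The error message in the fallback branch also misspells allotted (`alloted`).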
@ -0,0 +1,35 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: whoami-internal
|
||||
namespace: lb-test
|
||||
spec:
|
||||
selector:
|
||||
app: whoami
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 80
|
||||
type: NodePort
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
namespace: lb-test
|
||||
name: whoami
|
||||
annotations:
|
||||
alb.ingress.kubernetes.io/scheme: internet-facing
|
||||
alb.ingress.kubernetes.io/target-type: instance
|
||||
spec:
|
||||
ingressClassName: alb
|
||||
rules:
|
||||
- http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: whoami-internal
|
||||
port:
|
||||
number: 80
|
|
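Review bot: The manifest does not record why the backend is a `NodePort` Service and the Ingress uses `target-type: instance`, even though that constraint is exactly what the docs hunk in this change explains; a later reader may try to switch to `ClusterIP` or `target-type: ip` and break the test on Constellation. Add a comment above the Service, e.g. `# NodePort + alb target-type "instance" is required: target-type "ip" needs the EKS VPC CNI, which Constellation does not use.` It is also worth stating in a comment that the `internet-facing` scheme with a catch-all `/` rule exposes the whoami backend publicly for the duration of the test, so the cleanup step that deletes this file must run before the cluster is torn down for the ALB to be reclaimed.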
@ -364,6 +364,7 @@ runs:
|
|||
uses: ./.github/actions/e2e_lb
|
||||
with:
|
||||
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
||||
cloudProvider: ${{ inputs.cloudProvider }}
|
||||
|
||||
- name: Run Performance Benchmark
|
||||
if: inputs.test == 'perf-bench'
|
||||
|
|
|
@ -16,6 +16,6 @@ Subsequent Constellation releases drop support for the oldest (and deprecated) K
|
|||
The following Kubernetes versions are currently supported:
|
||||
<!--AUTO_GENERATED_BY_BAZEL-->
|
||||
<!--DO_NOT_EDIT-->
|
||||
* v1.27.9
|
||||
* v1.28.5
|
||||
* v1.29.0
|
||||
* v1.27.13
|
||||
* v1.28.9
|
||||
* v1.29.4
|
||||
|
|
|
@ -4,12 +4,25 @@ Constellation integrates the native load balancers of each CSP. Therefore, to ex
|
|||
|
||||
## Internet-facing LB service on AWS
|
||||
|
||||
To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancing Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS.
|
||||
To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS.
|
||||
|
||||
Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/nlb/).
|
||||
Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/nlb/).
|
||||
|
||||
For general information on LB with AWS see [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html).
|
||||
|
||||
:::caution
|
||||
Before terminating the cluster, all LB backed services should be deleted, so that the controller can cleanup the related resources.
|
||||
:::
|
||||
|
||||
## Ingress on AWS
|
||||
|
||||
The AWS Load Balancer Controller also provisions `Ingress` resources of class `alb`.
|
||||
AWS Application Load Balancers (ALBs) can be configured with a [`target-type`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/#target-type).
|
||||
The target type `ip` requires using the EKS container network solution, which makes it incompatible with Constellation.
|
||||
If a service can be exposed on a `NodePort`, the target type `instance` can be used.
|
||||
|
||||
See [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for more information.
|
||||
|
||||
:::caution
|
||||
Ingress handlers backed by AWS ALBs reside outside the Constellation cluster, so they shouldn't be handling sensitive traffic!
|
||||
:::
|
||||
|
|
|
@ -33,14 +33,6 @@ import (
|
|||
// Also, the charts are not rendered correctly without all of these values.
|
||||
func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, output state.Infrastructure) map[string]any {
|
||||
extraVals := map[string]any{}
|
||||
if conformanceMode {
|
||||
extraVals["kubeProxyReplacementHealthzBindAddr"] = ""
|
||||
extraVals["kubeProxyReplacement"] = "partial"
|
||||
extraVals["sessionAffinity"] = true
|
||||
extraVals["cni"] = map[string]any{
|
||||
"chainingMode": "portmap",
|
||||
}
|
||||
}
|
||||
|
||||
strictMode := map[string]any{}
|
||||
// TODO(@3u13r): Once we are able to set the subnet of the load balancer VMs
|
||||
|
@ -75,6 +67,28 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
|
|||
},
|
||||
}
|
||||
|
||||
// When --conformance is set, we try to mitigate https://github.com/cilium/cilium/issues/9207
|
||||
// Users are discouraged of ever using this mode, except if they truly
|
||||
// require protocol differentiation to work and cannot mitigate that any other way.
|
||||
// Since there should always be workarounds, we only support this mode to
|
||||
// pass the K8s conformance tests. It is not supported to switch to or from
|
||||
// this mode after Constellation has been initialized.
|
||||
// This only works for the K8s conformance tests up to K8s 1.28.
|
||||
if conformanceMode {
|
||||
extraVals["kubeProxyReplacementHealthzBindAddr"] = ""
|
||||
extraVals["kubeProxyReplacement"] = "false"
|
||||
extraVals["sessionAffinity"] = true
|
||||
extraVals["cni"] = map[string]any{
|
||||
"chainingMode": "portmap",
|
||||
}
|
||||
extraVals["ipMasqAgent"] = map[string]any{
|
||||
"enabled": false,
|
||||
}
|
||||
extraVals["bpf"] = map[string]any{
|
||||
"masquerade": false,
|
||||
}
|
||||
}
|
||||
|
||||
return extraVals
|
||||
}
|
||||
|
||||
|
|
|
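Review bot: The relocated conformance block assigns whole maps to `extraVals["cni"]`, `extraVals["ipMasqAgent"]` and `extraVals["bpf"]`; if any of those keys is populated in the part of `extraCiliumValues` between the two hunks (not visible here), the later assignment replaces that map instead of merging into it, which would be a silent behaviour change compared to the block's old position at the top of the function. Either assert the keys are unset before the block or merge into the existing map. The block comment explains the mode but not the two new values, so add a sentence saying why `ipMasqAgent` and `bpf.masquerade` are disabled alongside `kubeProxyReplacement: "false"`, since that is not derivable from the surrounding comment; the function's signature is in the first hunk and its closing brace in the second, so the middle of the body is not under review here.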
@ -181,11 +181,11 @@ const (
|
|||
|
||||
// currently supported versions.
|
||||
//nolint:revive
|
||||
V1_27 ValidK8sVersion = "v1.27.9" // renovate:kubernetes-release
|
||||
V1_27 ValidK8sVersion = "v1.27.13" // renovate:kubernetes-release
|
||||
//nolint:revive
|
||||
V1_28 ValidK8sVersion = "v1.28.5" // renovate:kubernetes-release
|
||||
V1_28 ValidK8sVersion = "v1.28.9" // renovate:kubernetes-release
|
||||
//nolint:revive
|
||||
V1_29 ValidK8sVersion = "v1.29.0" // renovate:kubernetes-release
|
||||
V1_29 ValidK8sVersion = "v1.29.4" // renovate:kubernetes-release
|
||||
|
||||
// Default k8s version deployed by Constellation.
|
||||
Default ValidK8sVersion = V1_28
|
||||
|
@ -198,7 +198,7 @@ const (
|
|||
// VersionConfigs holds download URLs for all required kubernetes components for every supported version.
|
||||
var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
|
||||
V1_27: {
|
||||
ClusterVersion: "v1.27.9", // renovate:kubernetes-release
|
||||
ClusterVersion: "v1.27.13", // renovate:kubernetes-release
|
||||
KubernetesComponents: components.Components{
|
||||
{
|
||||
Url: "https://github.com/containernetworking/plugins/releases/download/v1.4.0/cni-plugins-linux-amd64-v1.4.0.tgz", // renovate:cni-plugins-release
|
||||
|
@ -213,33 +213,33 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
|
|||
Extract: true,
|
||||
},
|
||||
{
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.27.9/bin/linux/amd64/kubelet", // renovate:kubernetes-release
|
||||
Hash: "sha256:ede60eea3acbac3f35dbb23d7b148f45cf169ebbb20af102d3ce141fc0bac60c",
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.27.13/bin/linux/amd64/kubelet", // renovate:kubernetes-release
|
||||
Hash: "sha256:ed68df2a77f3057ab47f57eacb6e9310e91731e4f43c58a3c3b5c857d78d0080",
|
||||
InstallPath: constants.KubeletPath,
|
||||
Extract: false,
|
||||
},
|
||||
{
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.27.9/bin/linux/amd64/kubeadm", // renovate:kubernetes-release
|
||||
Hash: "sha256:78dddac376fa2f04116022cb44ed39ccb9cb0104e05c5b21b220d5151e5c0f86",
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.27.13/bin/linux/amd64/kubeadm", // renovate:kubernetes-release
|
||||
Hash: "sha256:b88c30b7067f095b7fa02c5560cc50d6e69a5a9fecc606ef477dc7efc86453b9",
|
||||
InstallPath: constants.KubeadmPath,
|
||||
Extract: false,
|
||||
},
|
||||
{
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.27.9/bin/linux/amd64/kubectl", // renovate:kubernetes-release
|
||||
Hash: "sha256:d0caae91072297b2915dd65f6ef3055d27646dce821ec67d18da35ba9a8dc85b",
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.27.13/bin/linux/amd64/kubectl", // renovate:kubernetes-release
|
||||
Hash: "sha256:e991f163197cbd85bbff22f656a74d48b69db5addfa43cc04cca0cf5328f57f1",
|
||||
InstallPath: constants.KubectlPath,
|
||||
Extract: false,
|
||||
},
|
||||
{
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI3LjlAc2hhMjU2OjkyMjc0ZTgyZTI0NTJkYzA0ZmVkOTMzY2U2ZTQyMWM2NGUzMGQxNGQ4NjhkMDdiZmIwNzY5N2E5NjE0YTFkYjgifV0=",
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI3LjEzQHNoYTI1Njo3YTM0YmZlYjcxOWMyNmEwOWJmMjZiZjUxYjhiZjM0N2Q0MWY0ZWQ1ZTMwZTkzNGY2Y2E3M2FjMTk3MjA3NGE3In1d",
|
||||
InstallPath: patchFilePath("kube-apiserver"),
|
||||
},
|
||||
{
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI3LjlAc2hhMjU2OjczNWFlZmY1YTJlNjI4MmUwZWI3MjQ1YmUyNGIzZGEwNzYyOTdmOWU0ZmJhMmIzMjA5NGNjZjYxYTA4Y2NjYzIifV0=",
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI3LjEzQHNoYTI1Njo5NGVmNzdkZDQxNzYzZjMwZDNkOGViNWNhNWZhNzIwZjI4OWMyNGZlNTc5NGE3YTYyZTJkYTEwODJiOTVkMjhlIn1d",
|
||||
InstallPath: patchFilePath("kube-controller-manager"),
|
||||
},
|
||||
{
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI3LjlAc2hhMjU2OmYzOTc1OTU2YWQyMzY2N2NhOGY1NTdkNzY0MDQyNTNjYjdlODE1Y2E3Zjc3YWVkOTBlMWFlN2Q2NWU4OGYyYjEifV0=",
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI3LjEzQHNoYTI1NjpkMTA4NDI0NTk5ZmI3NjI1NDQxNmIwYTU2MDlkYjUzMGE4YmQzNzJhNzg4N2ZiNTYzNjc1MzI4ODU5YmRmZWIyIn1d",
|
||||
InstallPath: patchFilePath("kube-scheduler"),
|
||||
},
|
||||
{
|
||||
|
@ -265,7 +265,7 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
|
|||
ClusterAutoscalerImage: "registry.k8s.io/autoscaling/cluster-autoscaler:v1.27.5@sha256:410ffc3f7307b6173c630de8de6e40175376c8c170d64b6c8b6e4baadda020df", // renovate:container
|
||||
},
|
||||
V1_28: {
|
||||
ClusterVersion: "v1.28.5", // renovate:kubernetes-release
|
||||
ClusterVersion: "v1.28.9", // renovate:kubernetes-release
|
||||
KubernetesComponents: components.Components{
|
||||
{
|
||||
Url: "https://github.com/containernetworking/plugins/releases/download/v1.4.0/cni-plugins-linux-amd64-v1.4.0.tgz", // renovate:cni-plugins-release
|
||||
|
@ -280,33 +280,33 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
|
|||
Extract: true,
|
||||
},
|
||||
{
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.28.5/bin/linux/amd64/kubelet", // renovate:kubernetes-release
|
||||
Hash: "sha256:bf37335da58182783a8c63866ec1f895b4c436e3ed96bdd87fe3f8ae8004ba1d",
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.28.9/bin/linux/amd64/kubelet", // renovate:kubernetes-release
|
||||
Hash: "sha256:f3af46cff11c675a80d91ebb38ebc4e85a9f813ce93e56ee131e7fea1491b786",
|
||||
InstallPath: constants.KubeletPath,
|
||||
Extract: false,
|
||||
},
|
||||
{
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.28.5/bin/linux/amd64/kubeadm", // renovate:kubernetes-release
|
||||
Hash: "sha256:2b54078c5ea9e85b27f162f508e0bf834a2753e52a57e896812ec3dca92fe9cd",
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.28.9/bin/linux/amd64/kubeadm", // renovate:kubernetes-release
|
||||
Hash: "sha256:a4d8acf0a74cb1d07d96a1a34148f54c6420874221af16d8ec902d9bffc7ef89",
|
||||
InstallPath: constants.KubeadmPath,
|
||||
Extract: false,
|
||||
},
|
||||
{
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.28.5/bin/linux/amd64/kubectl", // renovate:kubernetes-release
|
||||
Hash: "sha256:2a44c0841b794d85b7819b505da2ff3acd5950bd1bcd956863714acc80653574",
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.28.9/bin/linux/amd64/kubectl", // renovate:kubernetes-release
|
||||
Hash: "sha256:b4693d0b22f509250694b10c7727c42b427d570af04f2065fe23a55d6c0051f1",
|
||||
InstallPath: constants.KubectlPath,
|
||||
Extract: false,
|
||||
},
|
||||
{
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI4LjVAc2hhMjU2OjRiYjZmNDZiYWE5ODA1MjM5OWVlMjI3MGQ1OTEyZWRiOTdkNGY4NjAyZWEyZTI3MDBmMDUyN2E4ODcyMjgxMTIifV0=",
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI4LjlAc2hhMjU2OjdkMTFjNjJiMjRjZjVkM2ViMWZmZDZhYzMxNWU2MzI4ZmExYWUyMzk2ZDQ1NzJkNDY3NDA0M2U5YTdkZDRlYzIifV0=",
|
||||
InstallPath: patchFilePath("kube-apiserver"),
|
||||
},
|
||||
{
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI4LjVAc2hhMjU2OjZlOGM5MTcxZjc0YTRlM2ZhZGVkY2U4Zjg2NWY1ODA5MmE1OTc2NTBhNzA5NzAyZjJiMTIyZjZjYTNiNmNkMzIifV0=",
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI4LjlAc2hhMjU2OmZmNmRhMTYxNGIyMTJjNGNiMDI3ZGI2NjQwYzJmMDAyYTA3MjNiMzg1N2JlOWE2OWUzZWM2YWQ0ZWE4YTVlMWMifV0=",
|
||||
InstallPath: patchFilePath("kube-controller-manager"),
|
||||
},
|
||||
{
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI4LjVAc2hhMjU2OjlhNDhlMzNlNDU0YzkwNGNmNTNjMTQ0YThkMGFlM2Y1YTRjMmM1YmQwODZiODk1M2FkN2Q1YTYzN2I5YWEwMDcifV0=",
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI4LjlAc2hhMjU2OmMyZDJmOTcyM2M0MjU0MDEwYjE4Y2YzODcwYjdmMTZkNzE3MTlkNTlhOWMxNGY5NWNjNWZhMmU1MjRkODU4NjkifV0=",
|
||||
InstallPath: patchFilePath("kube-scheduler"),
|
||||
},
|
||||
{
|
||||
|
@ -332,7 +332,7 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
|
|||
ClusterAutoscalerImage: "registry.k8s.io/autoscaling/cluster-autoscaler:v1.27.5@sha256:410ffc3f7307b6173c630de8de6e40175376c8c170d64b6c8b6e4baadda020df", // renovate:container
|
||||
},
|
||||
V1_29: {
|
||||
ClusterVersion: "v1.29.0", // renovate:kubernetes-release
|
||||
ClusterVersion: "v1.29.4", // renovate:kubernetes-release
|
||||
KubernetesComponents: components.Components{
|
||||
{
|
||||
Url: "https://github.com/containernetworking/plugins/releases/download/v1.4.0/cni-plugins-linux-amd64-v1.4.0.tgz", // renovate:cni-plugins-release
|
||||
|
@ -347,33 +347,33 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
|
|||
Extract: true,
|
||||
},
|
||||
{
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.29.0/bin/linux/amd64/kubelet", // renovate:kubernetes-release
|
||||
Hash: "sha256:e1c38137db8d8777eed8813646b59bf4d22d19b9011ab11dc28e2e34f6b80a05",
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.29.4/bin/linux/amd64/kubelet", // renovate:kubernetes-release
|
||||
Hash: "sha256:58571f0ed62543a9bbac541e52c15d8385083113a463e23aec1341d0b5043939",
|
||||
InstallPath: constants.KubeletPath,
|
||||
Extract: false,
|
||||
},
|
||||
{
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.29.0/bin/linux/amd64/kubeadm", // renovate:kubernetes-release
|
||||
Hash: "sha256:629d4630657caace9c819fd3797f4a70c397fbd41a2a7e464a0507dad675d52c",
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.29.4/bin/linux/amd64/kubeadm", // renovate:kubernetes-release
|
||||
Hash: "sha256:ea20ab064f716ab7f69a36d72df340257b31c9721ea86e1cf9d70b35999ddeea",
|
||||
InstallPath: constants.KubeadmPath,
|
||||
Extract: false,
|
||||
},
|
||||
{
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.29.0/bin/linux/amd64/kubectl", // renovate:kubernetes-release
|
||||
Hash: "sha256:0e03ab096163f61ab610b33f37f55709d3af8e16e4dcc1eb682882ef80f96fd5",
|
||||
Url: "https://storage.googleapis.com/kubernetes-release/release/v1.29.4/bin/linux/amd64/kubectl", // renovate:kubernetes-release
|
||||
Hash: "sha256:10e343861c3cb0010161e703307ba907add2aeeeaffc6444779ad915f9889c88",
|
||||
InstallPath: constants.KubectlPath,
|
||||
Extract: false,
|
||||
},
|
||||
{
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI5LjBAc2hhMjU2OjkyMWQ5ZDRjZGE0MGJkNDgxMjgzMzc1ZDM5ZDEyYjI0ZjUxMjgxNjgyYWU0MWY2ZGE0N2Y2OWNiMDcyNjQzYmMifV0=",
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI5LjRAc2hhMjU2OjgwYmVmODIwZTk1NzdmMTQ5ZTUyMTkxOTZmNGRlZjQ5MTJhZWQ1ZmFiYmYwN2Q3YzQxNWQyNDEwNWY5ZWMwNTkifV0=",
|
||||
InstallPath: patchFilePath("kube-apiserver"),
|
||||
},
|
||||
{
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI5LjBAc2hhMjU2OmQxZTM4ZWEyNWIyN2U1N2I0MTk5NWVmNTlhZDc2ZGQzMzQ4MTg1M2E1YjhkMWE5MWFiYjdhOGJlMzJiN2U3ZGEifV0=",
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI5LjRAc2hhMjU2OjM4YTgzMjZkZjk3ZDI4NDY4MjQ5MTcwYWE2MzI1MGI4Y2U3Yjg3OTMxNTVmZjczZTI0ZDcwOTQyNGQ1YzlmMDkifV0=",
|
||||
InstallPath: patchFilePath("kube-controller-manager"),
|
||||
},
|
||||
{
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI5LjBAc2hhMjU2OjVkZjMxMDIzNGU0Zjk0NjNiMTVkMTY2Nzc4ZDY5NzgzMGE1MWMwMDM3ZmYyOGExNzU5ZGFhYWQyZDNjZGU5OTEifV0=",
|
||||
Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI5LjRAc2hhMjU2OjhkYzZhODY1MzE2NDA0YWM3ODVmYmU4OWQ3MTY3ZmVkOThlNjljYTk4MDgyMDZiNTU2YWRmYTZkZDZkNDk3ZDAifV0=",
|
||||
InstallPath: patchFilePath("kube-scheduler"),
|
||||
},
|
||||
{
|
||||
|
|
|
@ -69,7 +69,7 @@ resource "constellation_cluster" "azure_example" {
|
|||
See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview/clouds) that Constellation supports.
|
||||
- `image` (Attributes) Constellation OS Image to use on the nodes. (see [below for nested schema](#nestedatt--image))
|
||||
- `init_secret` (String) Secret used for initialization of the cluster.
|
||||
- `kubernetes_version` (String) The Kubernetes version to use for the cluster. The supported versions are [v1.27.9 v1.28.5 v1.29.0].
|
||||
- `kubernetes_version` (String) The Kubernetes version to use for the cluster. The supported versions are [v1.27.13 v1.28.9 v1.29.4].
|
||||
- `master_secret` (String) Hex-encoded 32-byte master secret for the cluster.
|
||||
- `master_secret_salt` (String) Hex-encoded 32-byte master secret salt for the cluster.
|
||||
- `measurement_salt` (String) Hex-encoded 32-byte measurement salt for the cluster.
|
||||
|
|
|
@ -77,6 +77,7 @@ go_library(
|
|||
"infrastructure/aws/modules/public_private_subnet/output.tf",
|
||||
"infrastructure/openstack/modules/stackit_loadbalancer/main.tf",
|
||||
"infrastructure/openstack/modules/stackit_loadbalancer/variables.tf",
|
||||
"infrastructure/iam/aws/alb_policy.json",
|
||||
],
|
||||
importpath = "github.com/edgelesssys/constellation/v2/terraform",
|
||||
visibility = ["//visibility:public"],
|
||||
|
|
|
@ -0,0 +1,242 @@
|
|||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"iam:CreateServiceLinkedRole"
|
||||
],
|
||||
"Resource": "*",
|
||||
"Condition": {
|
||||
"StringEquals": {
|
||||
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ec2:DescribeAccountAttributes",
|
||||
"ec2:DescribeAddresses",
|
||||
"ec2:DescribeAvailabilityZones",
|
||||
"ec2:DescribeInternetGateways",
|
||||
"ec2:DescribeVpcs",
|
||||
"ec2:DescribeVpcPeeringConnections",
|
||||
"ec2:DescribeSubnets",
|
||||
"ec2:DescribeSecurityGroups",
|
||||
"ec2:DescribeInstances",
|
||||
"ec2:DescribeNetworkInterfaces",
|
||||
"ec2:DescribeTags",
|
||||
"ec2:GetCoipPoolUsage",
|
||||
"ec2:DescribeCoipPools",
|
||||
"elasticloadbalancing:DescribeLoadBalancers",
|
||||
"elasticloadbalancing:DescribeLoadBalancerAttributes",
|
||||
"elasticloadbalancing:DescribeListeners",
|
||||
"elasticloadbalancing:DescribeListenerCertificates",
|
||||
"elasticloadbalancing:DescribeSSLPolicies",
|
||||
"elasticloadbalancing:DescribeRules",
|
||||
"elasticloadbalancing:DescribeTargetGroups",
|
||||
"elasticloadbalancing:DescribeTargetGroupAttributes",
|
||||
"elasticloadbalancing:DescribeTargetHealth",
|
||||
"elasticloadbalancing:DescribeTags",
|
||||
"elasticloadbalancing:DescribeTrustStores"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"cognito-idp:DescribeUserPoolClient",
|
||||
"acm:ListCertificates",
|
||||
"acm:DescribeCertificate",
|
||||
"iam:ListServerCertificates",
|
||||
"iam:GetServerCertificate",
|
||||
"waf-regional:GetWebACL",
|
||||
"waf-regional:GetWebACLForResource",
|
||||
"waf-regional:AssociateWebACL",
|
||||
"waf-regional:DisassociateWebACL",
|
||||
"wafv2:GetWebACL",
|
||||
"wafv2:GetWebACLForResource",
|
||||
"wafv2:AssociateWebACL",
|
||||
"wafv2:DisassociateWebACL",
|
||||
"shield:GetSubscriptionState",
|
||||
"shield:DescribeProtection",
|
||||
"shield:CreateProtection",
|
||||
"shield:DeleteProtection"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ec2:AuthorizeSecurityGroupIngress",
|
||||
"ec2:RevokeSecurityGroupIngress"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ec2:CreateSecurityGroup"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ec2:CreateTags"
|
||||
],
|
||||
"Resource": "arn:aws:ec2:*:*:security-group/*",
|
||||
"Condition": {
|
||||
"StringEquals": {
|
||||
"ec2:CreateAction": "CreateSecurityGroup"
|
||||
},
|
||||
"Null": {
|
||||
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ec2:CreateTags",
|
||||
"ec2:DeleteTags"
|
||||
],
|
||||
"Resource": "arn:aws:ec2:*:*:security-group/*",
|
||||
"Condition": {
|
||||
"Null": {
|
||||
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
|
||||
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ec2:AuthorizeSecurityGroupIngress",
|
||||
"ec2:RevokeSecurityGroupIngress",
|
||||
"ec2:DeleteSecurityGroup"
|
||||
],
|
||||
"Resource": "*",
|
||||
"Condition": {
|
||||
"Null": {
|
||||
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"elasticloadbalancing:CreateLoadBalancer",
|
||||
"elasticloadbalancing:CreateTargetGroup"
|
||||
],
|
||||
"Resource": "*",
|
||||
"Condition": {
|
||||
"Null": {
|
||||
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"elasticloadbalancing:CreateListener",
|
||||
"elasticloadbalancing:DeleteListener",
|
||||
"elasticloadbalancing:CreateRule",
|
||||
"elasticloadbalancing:DeleteRule"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"elasticloadbalancing:AddTags",
|
||||
"elasticloadbalancing:RemoveTags"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
|
||||
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
|
||||
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
|
||||
],
|
||||
"Condition": {
|
||||
"Null": {
|
||||
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
|
||||
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"elasticloadbalancing:AddTags",
|
||||
"elasticloadbalancing:RemoveTags"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
|
||||
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
|
||||
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
|
||||
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"elasticloadbalancing:ModifyLoadBalancerAttributes",
|
||||
"elasticloadbalancing:SetIpAddressType",
|
||||
"elasticloadbalancing:SetSecurityGroups",
|
||||
"elasticloadbalancing:SetSubnets",
|
||||
"elasticloadbalancing:DeleteLoadBalancer",
|
||||
"elasticloadbalancing:ModifyTargetGroup",
|
||||
"elasticloadbalancing:ModifyTargetGroupAttributes",
|
||||
"elasticloadbalancing:DeleteTargetGroup"
|
||||
],
|
||||
"Resource": "*",
|
||||
"Condition": {
|
||||
"Null": {
|
||||
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"elasticloadbalancing:AddTags"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
|
||||
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
|
||||
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
|
||||
],
|
||||
"Condition": {
|
||||
"StringEquals": {
|
||||
"elasticloadbalancing:CreateAction": [
|
||||
"CreateTargetGroup",
|
||||
"CreateLoadBalancer"
|
||||
]
|
||||
},
|
||||
"Null": {
|
||||
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"elasticloadbalancing:RegisterTargets",
|
||||
"elasticloadbalancing:DeregisterTargets"
|
||||
],
|
||||
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"elasticloadbalancing:SetWebAcl",
|
||||
"elasticloadbalancing:ModifyListener",
|
||||
"elasticloadbalancing:AddListenerCertificates",
|
||||
"elasticloadbalancing:RemoveListenerCertificates",
|
||||
"elasticloadbalancing:ModifyRule"
|
||||
],
|
||||
"Resource": "*"
|
||||
}
|
||||
]
|
||||
}
|
|
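Review bot: The statement granting `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` directly after the cognito/acm/waf statement uses `"Resource": "*"` with no condition, whereas the later statement for the same actions plus `ec2:DeleteSecurityGroup` is gated on the `aws:ResourceTag/elbv2.k8s.aws/cluster` Null condition; the unconditioned one therefore permits ingress-rule changes on any security group in the account, and the `CreateListener`/`DeleteListener`/`CreateRule`/`DeleteRule` and `SetWebAcl`/`ModifyListener`/`ModifyRule` statements are similarly unscoped. This appears to be the upstream controller policy taken verbatim (the Terraform comment pins the upstream commit), so if it is kept as-is, that pinned reference is what lets a reviewer diff the vendored file against upstream and should stay next to the file; if it is meant to be tightened for Constellation, consider applying the same cluster-tag condition used in the later security-group statement to the unconditioned one.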
@ -242,3 +242,20 @@ resource "aws_iam_role_policy_attachment" "csi_driver_policy_control_plane" {
|
|||
role = aws_iam_role.control_plane_role.name
|
||||
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
|
||||
}
|
||||
|
||||
// This policy is required by the AWS load balancer controller and can be found at
|
||||
// https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/b44633a/docs/install/iam_policy.json.
|
||||
resource "aws_iam_policy" "lb_policy" {
|
||||
name = "${var.name_prefix}_lb_policy"
|
||||
policy = file("${path.module}/alb_policy.json")
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "attach_lb_policy_worker" {
|
||||
role = aws_iam_role.worker_node_role.name
|
||||
policy_arn = aws_iam_policy.lb_policy.arn
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "attach_lb_policy_control_plane" {
|
||||
role = aws_iam_role.control_plane_role.name
|
||||
policy_arn = aws_iam_policy.lb_policy.arn
|
||||
}
|
||||
|
|
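Review bot: `aws_iam_policy.lb_policy` is attached to both `worker_node_role` and `control_plane_role`, so the load balancer permissions (including the unconditioned security-group and listener mutation on `*` in alb_policy.json) are granted to every node's instance profile rather than to the controller's own identity, and any pod that can reach the instance metadata endpoint would inherit them unless IMDS access is restricted (not visible here). If the controller is meant to use node credentials, say so in the comment above the policy, e.g. `// Attached to both node roles because the controller relies on the instance profile; every pod on these nodes can obtain these permissions.`, and consider whether a single role or a dedicated controller role would suffice. The pinned upstream commit in the comment is good and should be kept in sync whenever the JSON is refreshed.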