lablabs/terraform-aws-eks-karpenter

AWS EKS Karpenter Terraform module

We help companies build, run, deploy and scale software and infrastructure by embracing the right technologies and principles. Check out our website at https://lablabs.io/


Description

A Terraform module to deploy Karpenter on an Amazon EKS cluster.

Related Projects

Check out other terraform kubernetes addons.

Deployment methods

Helm

Deploy Helm chart via Helm resource (default method, set enabled = true)

Argo Kubernetes

Deploy Helm chart as ArgoCD Application via Kubernetes manifest resource (set enabled = true and argo_enabled = true)

Warning

When deploying as an ArgoCD Application, the Kubernetes Terraform provider needs access to the cluster API at plan time. This is a problem when the cluster and this addon are created in the same Terraform run: the API endpoint does not exist yet when the plan is computed.

To work around this, the module can deploy the ArgoCD Application object with the Helm provider instead, which does not need API access during plan. Set argo_helm_enabled to true to use this path.

Argo Helm

Deploy Helm chart as ArgoCD Application via Helm resource (set enabled = true, argo_enabled = true and argo_helm_enabled = true)

AWS IAM resources

To disable creation of the IRSA role and the IRSA policy, set irsa_role_create = false and irsa_policy_enabled = false, respectively. Additional managed policies can be attached to the role through irsa_additional_policies. Note that karpenter_node_role_arns, the list of role ARNs the controller is allowed to pass to the nodes it launches, defaults to ["*"]. Set it to the actual node role ARN(s): with the wildcard, the controller can attach any role in the account to an instance it creates.

Role assuming

To let the IRSA role assume another role, set irsa_assume_role_enabled = true and specify the target role in irsa_assume_role_arn.

Repository configuration

The helm_repo_oci variable switches between OCI and non-OCI repository types. Because ArgoCD and Helm do not accept the same repository URL format, use the correct format for each type:

For helm_repo_oci = true, set helm_repo_url without a protocol prefix, e.g. public.ecr.aws. An https:// prefix is stripped automatically as a fail-safe.

For helm_repo_oci = false, set helm_repo_url including the protocol prefix, e.g. https://chartmuseum.example.com.
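The following is an added example of calling the module, not one of the module's own examples. It combines the default Helm deployment method, the OCI repository URL format and a restricted node-role list. The cluster name "example", the node role name "KarpenterNodeRole-example", the aws_eks_cluster / aws_iam_openid_connect_provider / aws_iam_role data sources and the registry source path are assumptions for illustration.

```hcl
# Added example (not from the module's own examples). The cluster name,
# node role name and registry source path below are assumptions.

data "aws_eks_cluster" "this" {
  name = "example"
}

# OIDC provider registered for the cluster; its ARN is what the IRSA
# trust policy references.
data "aws_iam_openid_connect_provider" "this" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}

# Role that Karpenter-launched instances run with (assumed to exist).
data "aws_iam_role" "karpenter_node" {
  name = "KarpenterNodeRole-example"
}

module "karpenter" {
  source = "lablabs/eks-karpenter/aws" # assumed registry path; pin a released
                                       # version with the "version" argument

  enabled = true

  cluster_name                     = data.aws_eks_cluster.this.name
  cluster_identity_oidc_issuer     = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
  cluster_identity_oidc_issuer_arn = data.aws_iam_openid_connect_provider.this.arn

  # Default method (plain Helm release). With helm_repo_oci = true the URL
  # carries no scheme; an "https://" prefix would be stripped, but do not
  # rely on that.
  helm_repo_oci = true
  helm_repo_url = "public.ecr.aws"

  # Pin both charts to the same release so CRDs and controller stay in step.
  helm_chart_version      = "0.36.2"
  crds_helm_chart_version = "0.36.2"

  # The default ["*"] lets the controller pass any role in the account to the
  # instances it launches. Restrict it to the node role(s) it is meant to use.
  karpenter_node_role_arns = [data.aws_iam_role.karpenter_node.arn]

  # ArgoCD alternative. With both flags set the Application object is created
  # through the Helm provider, so plan does not need cluster API access:
  # argo_enabled      = true
  # argo_helm_enabled = true
}
```

The only non-default inputs that change the security posture are helm_repo_url (where the chart is pulled from; keep it pinned to a known registry and chart version) and karpenter_node_role_arns, which bounds which roles the controller can hand to EC2 instances.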

Spot interruption testing

To test whether the Karpenter integration with SQS is working, send a Spot interruption warning message to the interruption queue. Karpenter matches on the detail-type and source fields and looks up detail.instance-id among the instances it manages, so use the ID of a real Karpenter-launched instance; a message for an unknown instance is discarded without effect. Be aware that for a known instance Karpenter reacts as it would to a real interruption (cordon, drain, terminate), so do this on a node you can afford to lose. For the correct time format and the real instance-action values (terminate, stop, hibernate) check the documentation linked below.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-instance-termination-notices.html#ec2-spot-instance-interruption-warning-event

{
    "version": "0",
    "id": "12345678-1234-1234-1234-123456789012",
    "detail-type": "EC2 Spot Instance Interruption Warning",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2023-03-26T22:22:33+02:00",
    "region": "eu-central-1",
    "resources": ["arn:aws:ec2:eu-central-1:123456789012:instance/i-00c05af08b38bb912"],
    "detail": {
        "instance-id": "i-00c05af08b38bb912",
        "instance-action": "action"
    }
}

Examples

See Basic example for further information.

Requirements

Name Version
terraform >= 1.1
aws >= 4.19.0
helm >= 2.6.0
kubernetes >= 2.20.0
time >= 0.9.0
utils >= 0.17.0

Modules

No modules.

Resources

Name Type
aws_cloudwatch_event_rule.this resource
aws_cloudwatch_event_target.this resource
aws_iam_policy.this resource
aws_iam_role.this resource
aws_iam_role_policy_attachment.this resource
aws_iam_role_policy_attachment.this_additional resource
aws_sqs_queue.this resource
aws_sqs_queue_policy.this resource
helm_release.argo_application resource
helm_release.controller resource
helm_release.crds resource
helm_release.crds_argo_application resource
kubernetes_job.crds_helm_argo_application_wait resource
kubernetes_job.helm_argo_application_wait resource
kubernetes_manifest.controller resource
kubernetes_manifest.crds resource
kubernetes_role.crds_helm_argo_application_wait resource
kubernetes_role.helm_argo_application_wait resource
kubernetes_role_binding.crds_helm_argo_application_wait resource
kubernetes_role_binding.helm_argo_application_wait resource
kubernetes_service_account.crds_helm_argo_application_wait resource
kubernetes_service_account.helm_argo_application_wait resource
aws_caller_identity.this data source
aws_eks_cluster.this data source
aws_iam_policy_document.queue data source
aws_iam_policy_document.this data source
aws_iam_policy_document.this_assume data source
aws_iam_policy_document.this_irsa data source
aws_partition.current data source
aws_region.this data source
utils_deep_merge_yaml.argo_helm_values data source
utils_deep_merge_yaml.crds_argo_helm_values data source
utils_deep_merge_yaml.crds_values data source
utils_deep_merge_yaml.values data source

Inputs

Name Description Type Default Required
cluster_identity_oidc_issuer The OIDC Identity issuer for the cluster string n/a yes
cluster_identity_oidc_issuer_arn The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account string n/a yes
cluster_name EKS Cluster ID for the cluster that can be used to join cluster node pool string n/a yes
argo_apiversion ArgoCD Application apiVersion string "argoproj.io/v1alpha1" no
argo_destination_server Destination server for ArgoCD Application string "https://kubernetes.default.svc" no
argo_enabled If set to true, the module will be deployed as ArgoCD application, otherwise it will be deployed as a Helm release bool false no
argo_helm_enabled If set to true, the ArgoCD Application manifest will be deployed as a Helm release via the Helm provider (no cluster API access needed at plan time). Otherwise it'll be deployed as a Kubernetes manifest via the Kubernetes provider. See Readme for more info bool false no
argo_helm_values Value overrides to use when deploying argo application object with helm string "" no
argo_helm_wait_backoff_limit Backoff limit for ArgoCD Application Helm release wait job number 6 no
argo_helm_wait_node_selector Node selector for ArgoCD Application Helm release wait job map(string) {} no
argo_helm_wait_timeout Timeout for ArgoCD Application Helm release wait job string "10m" no
argo_helm_wait_tolerations Tolerations for ArgoCD Application Helm release wait job list(any) [] no
argo_info ArgoCD info manifest parameter list(object({ name = string, value = string })) [{ "name": "terraform", "value": "true" }] no
argo_kubernetes_manifest_computed_fields List of paths of fields to be handled as "computed". The user-configured value for the field will be overridden by any different value returned by the API after apply. list(string) ["metadata.labels", "metadata.annotations", "metadata.finalizers"] no
argo_kubernetes_manifest_field_manager_force_conflicts Forcibly override any field manager conflicts when applying the kubernetes manifest resource bool false no
argo_kubernetes_manifest_field_manager_name The name of the field manager to use when applying the kubernetes manifest resource. Defaults to Terraform string "Terraform" no
argo_kubernetes_manifest_wait_fields A map of fields and a corresponding regular expression with a pattern to wait for. The provider will wait until the field matches the regular expression. Use * for any value. map(string) {} no
argo_metadata ArgoCD Application metadata configuration. Override or create additional metadata parameters any { "finalizers": ["resources-finalizer.argocd.argoproj.io"] } no
argo_namespace Namespace to deploy ArgoCD application CRD to string "argo" no
argo_project ArgoCD Application project string "default" no
argo_spec ArgoCD Application spec configuration. Override or create additional spec parameters any {} no
argo_sync_policy ArgoCD syncPolicy manifest parameter any {} no
aws_partition AWS partition in which the resources are located. Available values are aws, aws-cn, aws-us-gov string "aws" no
crds_argo_helm_values Value overrides to use when deploying argo application object with helm string "" no
crds_argo_kubernetes_manifest_computed_fields List of paths of fields to be handled as "computed". The user-configured value for the field will be overridden by any different value returned by the API after apply. list(string) ["metadata.labels", "metadata.annotations", "metadata.finalizers"] no
crds_argo_kubernetes_manifest_field_manager_force_conflicts Forcibly override any field manager conflicts when applying the kubernetes manifest resource bool false no
crds_argo_kubernetes_manifest_field_manager_name The name of the field manager to use when applying the kubernetes manifest resource. Defaults to Terraform string "Terraform" no
crds_argo_kubernetes_manifest_wait_fields A map of fields and a corresponding regular expression with a pattern to wait for. The provider will wait until the field matches the regular expression. Use * for any value. map(string) {} no
crds_argo_metadata ArgoCD Application metadata configuration. Override or create additional metadata parameters any { "finalizers": ["resources-finalizer.argocd.argoproj.io"] } no
crds_argo_spec ArgoCD Application spec configuration. Override or create additional spec parameters any {} no
crds_argo_sync_policy ArgoCD syncPolicy manifest parameter any {} no
crds_helm_atomic If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used bool false no
crds_helm_chart_name Helm chart name to be installed string "karpenter-crd" no
crds_helm_chart_version Version of the Helm chart string "0.36.2" no
crds_helm_cleanup_on_fail Allow deletion of new resources created in this helm upgrade when upgrade fails bool false no
crds_helm_dependency_update Runs helm dependency update before installing the chart bool false no
crds_helm_description Set helm release description attribute (visible in the history) string "" no
crds_helm_devel Use helm chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored bool false no
crds_helm_disable_openapi_validation If set, the installation process will not validate rendered helm templates against the Kubernetes OpenAPI Schema bool false no
crds_helm_disable_webhooks Prevent helm chart hooks from running bool false no
crds_helm_force_update Force helm resource update through delete/recreate if needed bool false no
crds_helm_keyring Location of public keys used for verification. Used only if helm_package_verify is true string "~/.gnupg/pubring.gpg" no
crds_helm_lint Run the helm chart linter during the plan bool false no
crds_helm_package_verify Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart bool false no
crds_helm_postrender Value block with a path to a binary file to run after helm renders the manifest which can alter the manifest contents map(any) {} no
crds_helm_recreate_pods Perform pods restart during helm upgrade/rollback bool false no
crds_helm_release_max_history Maximum number of release versions stored per release number 0 no
crds_helm_release_name Helm release name string "karpenter-crds" no
crds_helm_render_subchart_notes If set, render helm subchart notes along with the parent bool true no
crds_helm_replace Re-use the given name of helm release, only if that name is a deleted release which remains in the history. This is unsafe in production bool false no
crds_helm_reset_values When upgrading, reset the values to the ones built into the helm chart bool false no
crds_helm_reuse_values When upgrading, reuse the last helm release's values and merge in any overrides. If 'helm_reset_values' is specified, this is ignored bool false no
crds_helm_set_sensitive Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff map(any) {} no
crds_helm_timeout Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks) number 300 no
crds_helm_wait Will wait until all helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout bool true no
crds_helm_wait_for_jobs If wait is enabled, will wait until all helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout bool false no
crds_settings Additional helm sets which will be passed to the Helm chart values, see https://github.com/aws/karpenter/tree/main/charts/karpenter-crd map(any) {} no
crds_values Additional yaml encoded values which will be passed to the Helm chart, see https://github.com/aws/karpenter/tree/main/charts/karpenter-crd string "" no
enabled Variable indicating whether deployment is enabled bool true no
helm_atomic If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used bool false no
helm_chart_name Helm chart name to be installed string "karpenter" no
helm_chart_version Version of the Helm chart string "0.36.2" no
helm_cleanup_on_fail Allow deletion of new resources created in this helm upgrade when upgrade fails bool false no
helm_create_namespace Create the namespace if it does not yet exist bool true no
helm_dependency_update Runs helm dependency update before installing the chart bool false no
helm_description Set helm release description attribute (visible in the history) string "" no
helm_devel Use helm chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored bool false no
helm_disable_openapi_validation If set, the installation process will not validate rendered helm templates against the Kubernetes OpenAPI Schema bool false no
helm_disable_webhooks Prevent helm chart hooks from running bool false no
helm_force_update Force helm resource update through delete/recreate if needed bool false no
helm_keyring Location of public keys used for verification. Used only if helm_package_verify is true string "~/.gnupg/pubring.gpg" no
helm_lint Run the helm chart linter during the plan bool false no
helm_package_verify Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart bool false no
helm_postrender Value block with a path to a binary file to run after helm renders the manifest which can alter the manifest contents map(any) {} no
helm_recreate_pods Perform pods restart during helm upgrade/rollback bool false no
helm_release_max_history Maximum number of release versions stored per release number 0 no
helm_release_name Helm release name string "karpenter" no
helm_render_subchart_notes If set, render helm subchart notes along with the parent bool true no
helm_replace Re-use the given name of helm release, only if that name is a deleted release which remains in the history. This is unsafe in production bool false no
helm_repo_ca_file Helm repository CA certificate file string "" no
helm_repo_cert_file Helm repository client certificate file string "" no
helm_repo_key_file Helm repository client certificate key file string "" no
helm_repo_oci Whether repo is OCI compatible bool true no
helm_repo_password Password for HTTP basic authentication against the helm repository string "" no
helm_repo_url Helm repository string "public.ecr.aws" no
helm_repo_username Username for HTTP basic authentication against the helm repository string "" no
helm_reset_values When upgrading, reset the values to the ones built into the helm chart bool false no
helm_reuse_values When upgrading, reuse the last helm release's values and merge in any overrides. If 'helm_reset_values' is specified, this is ignored bool false no
helm_set_sensitive Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff map(any) {} no
helm_skip_crds If set, no CRDs will be installed before helm release bool false no
helm_timeout Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks) number 300 no
helm_wait Will wait until all helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout bool false no
helm_wait_for_jobs If wait is enabled, will wait until all helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout bool false no
irsa_additional_policies Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy arn. map(string) {} no
irsa_assume_role_arn Assume role arn. Assume role must be enabled. string "" no
irsa_assume_role_enabled Whether IRSA is allowed to assume role defined by irsa_assume_role_arn. bool false no
irsa_policy_enabled Whether to create the module's opinionated IAM policy for the Karpenter controller and attach it to the IRSA role. bool true no
irsa_role_create Whether to create IRSA role and annotate service account bool true no
irsa_role_name_prefix The IRSA role name prefix for karpenter string "karpenter-irsa" no
irsa_tags IRSA resources tags map(string) {} no
karpenter_node_role_arns List of role ARNs that the Karpenter controller is allowed to pass to the nodes it launches. The default "*" allows any role in the account; restrict it to the node role ARN(s). list(any) ["*"] no
namespace The K8s namespace in which the karpenter service account has been created string "karpenter" no
queue_interruption_prefix Custom prefix for karpenter spot interruption queue string "interruption-queue" no
rbac_create Whether to create and use RBAC resources bool true no
rule_interruption_prefix Prefix used for all event bridge rules string "Karpenter" no
service_account_create Whether to create Service Account bool true no
service_account_name The Karpenter Kubernetes service account name string "karpenter" no
settings Additional helm sets which will be passed to the Helm chart values, see https://artifacthub.io/packages/helm/karpenter/karpenter map(any) {} no
values Additional yaml encoded values which will be passed to the Helm chart, see https://artifacthub.io/packages/helm/karpenter/karpenter string "" no

Outputs

Name Description
helm_release_application_metadata Argo application helm release attributes
helm_release_metadata Helm release attributes
iam_irsa_role_attributes Karpenter IAM role attributes
kubernetes_application_attributes Argo kubernetes manifest attributes

Contributing and reporting issues

Feel free to create an issue in this repository if you have questions, suggestions or feature requests.

Validation, linters and pull-requests

We want to provide high quality code and modules. For this reason we are using several pre-commit hooks and GitHub Actions workflows. A pull-request to the main branch will trigger these validations and lints automatically. Please check your code before you create a pull-request. See the pre-commit documentation and GitHub Actions documentation for further details.

License


See LICENSE for full details.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.
