diff --git a/.gitignore b/.gitignore
index a8e9bca..0945469 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,5 @@ base/states/*
 k8s/providers-dev.tf
 base/providers-dev.tf
+k8s/provider-dev.tf
+base/provider-dev.tf
diff --git a/base/variables.tf b/base/variables.tf
new file mode 100644
index 0000000..f6554d5
--- /dev/null
+++ b/base/variables.tf
@@ -0,0 +1,5 @@
+variable "root_vault_path_pki" {
+ description = "pki-root"
+ type = string
+ default = "pki-root"
+}
\ No newline at end of file
diff --git a/base/vault.certificate.sign.keycloak.approle.tf b/base/vault.certificate.sign.keycloak.approle.tf
index 5d78c56..2782a8c 100644
--- a/base/vault.certificate.sign.keycloak.approle.tf
+++ b/base/vault.certificate.sign.keycloak.approle.tf
@@ -1,12 +1,12 @@
 resource "vault_auth_backend" "auth" {
- type = "approle"
- path = "pki-root/approle"
+ type = "approle"
+ path = "${var.root_vault_path_pki}/approle"
 }
 resource "vault_approle_auth_backend_role" "auth" {
- backend = "${vault_auth_backend.auth.path}"
- role_name = "keycloak"
- token_policies = [vault_policy.auth.name]
- secret_id_bound_cidrs = []
- token_bound_cidrs = []
+ backend = "${vault_auth_backend.auth.path}"
+ role_name = "keycloak"
+ token_policies = [vault_policy.auth.name]
+ secret_id_bound_cidrs = []
+ token_bound_cidrs = []
 }
diff --git a/base/vault.core.pki.tf b/base/vault.core.pki.tf
index af75156..ae3c05e 100644
--- a/base/vault.core.pki.tf
+++ b/base/vault.core.pki.tf
@@ -1,5 +1,5 @@
 resource "vault_mount" "core_root_ca" {
- path = "pki-root"
+ path = var.root_vault_path_pki
 type = "pki"
 description = "root infrastruction"
 default_lease_ttl_seconds = 321408000
diff --git a/k8s/modules.tf b/k8s/modules.tf
index 489a751..052532e 100644
--- a/k8s/modules.tf
+++ b/k8s/modules.tf
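Review bot: The `description = "pki-root"` on the new `root_vault_path_pki` variable in base/variables.tf only repeats the default and says nothing about what the value is; the same declaration appears again in k8s/variables.tf further down. Suggest `description = "Vault mount path of the root PKI secrets engine; also prefixes the keycloak AppRole auth mount (<path>/approle)."` in both files. The new file is also saved without a trailing newline (`\ No newline at end of file`).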
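Review bot: The re-aligned lines of `vault_approle_auth_backend_role.auth` keep the legacy `"${vault_auth_backend.auth.path}"` interpolation, while the same commit writes `path = var.root_vault_path_pki` in bare expression form for `vault_mount.core_root_ca`; `backend = vault_auth_backend.auth.path` would be consistent and is the form `terraform fmt` normalizes to. The retained `secret_id_bound_cidrs = []` and `token_bound_cidrs = []` mean the keycloak role still accepts logins from any source address; that is not introduced here, but if it is intentional a comment such as `# no CIDR binding: keycloak pods have no stable egress range` would stop the next reader from asking.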
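Review bot: `path = var.root_vault_path_pki` makes the mount point of the root CA a plain input, so a later change of the variable against an existing state moves the mount or, with a provider version that does not remount in place, recreates it, which destroys the root CA key and invalidates every chain built on it. Because this engine is the trust root for the keycloak AppRole and the cluster PKI, consider adding `lifecycle { prevent_destroy = true }` to `vault_mount.core_root_ca` (the resource block continues past the hunk) and stating in the variable description that the value must not change after the first apply. The AppRole mount in the hunk above has the same exposure through `"${var.root_vault_path_pki}/approle"`.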
@@ -12,6 +12,10 @@ module "k8s-yandex-cluster" {
 folder_id = data.yandex_resourcemanager_folder.current.id
 }
+ pki_metadata = {
+ root_vault_path_pki = var.root_vault_path_pki
+ }
+
 master_group = {
 name = "master" # Разрешенный префикс для сертификатов.
 count = 1
diff --git a/k8s/templates/helm/certmanager/values.yaml b/k8s/templates/helm/certmanager/values.yaml
index 59ba366..a258651 100644
--- a/k8s/templates/helm/certmanager/values.yaml
+++ b/k8s/templates/helm/certmanager/values.yaml
@@ -6,6 +6,13 @@ tolerations:
 - key: node.cloudprovider.kubernetes.io/uninitialized
 value: "true"
 effect: NoSchedule
+resources:
+ limits:
+ cpu: 200m
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
 webhook:
 tolerations:
@@ -16,6 +23,13 @@ webhook:
 - key: node.cloudprovider.kubernetes.io/uninitialized
 value: "true"
 effect: NoSchedule
+ resources:
+ limits:
+ cpu: 200m
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
 cainjector:
 tolerations:
@@ -26,6 +40,13 @@ cainjector:
 - key: node.cloudprovider.kubernetes.io/uninitialized
 value: "true"
 effect: NoSchedule
+ resources:
+ limits:
+ cpu: 200m
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
 startupapicheck:
diff --git a/k8s/templates/helm/cilium/values.yaml.tftpl b/k8s/templates/helm/cilium/values.yaml.tftpl
index 606b6e1..d3c245c 100644
--- a/k8s/templates/helm/cilium/values.yaml.tftpl
+++ b/k8s/templates/helm/cilium/values.yaml.tftpl
@@ -141,6 +141,13 @@ clustermesh:
 monitor:
 # -- Enable the cilium-monitor sidecar.
 enabled: true
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Gi
+ requests:
+ cpu: 100m
+ memory: 128Mi
 hubble:
 # -- Enable Hubble (true by default).
diff --git a/k8s/templates/helm/cluster-machine-approver/templates/test.yaml b/k8s/templates/helm/cluster-machine-approver/templates/test.yaml
index ac3ebd6..926b869 100644
--- a/k8s/templates/helm/cluster-machine-approver/templates/test.yaml
+++ b/k8s/templates/helm/cluster-machine-approver/templates/test.yaml
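Review bot: `memory: 256Gi` in the new `resources.limits` under `monitor` in k8s/templates/helm/cilium/values.yaml.tftpl reads like a typo for `256Mi`: the request two lines below is `128Mi`, and every other limit added in this commit uses `Mi`. A 256Gi ceiling exceeds any node, so the cilium-monitor sidecar is effectively unbounded while the scheduler only accounts for the 128Mi request. Change the line to `memory: 256Mi`.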
@@ -74,6 +74,9 @@ spec:
 - image: dobrykot/cluster-machine-approver:v1.0.11
 name: cluster-machine-approver
 resources:
+ limits:
+ cpu: 200m
+ memory: 100Mi
 requests:
 cpu: 100m
 memory: 50Mi
diff --git a/k8s/templates/helm/yandex-csi-driver/templates/csi-controller.yaml b/k8s/templates/helm/yandex-csi-driver/templates/csi-controller.yaml
index a3c1d39..b7bff4d 100644
--- a/k8s/templates/helm/yandex-csi-driver/templates/csi-controller.yaml
+++ b/k8s/templates/helm/yandex-csi-driver/templates/csi-controller.yaml
@@ -47,7 +47,12 @@ spec:
 imagePullPolicy: IfNotPresent
 name: csi-provisioner
 resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
 requests:
+ cpu: 100m
+ memory: 128Mi
 ephemeral-storage: 60Mi
 securityContext:
 allowPrivilegeEscalation: false
@@ -76,7 +81,12 @@ spec:
 imagePullPolicy: IfNotPresent
 name: csi-attacher
 resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
 requests:
+ cpu: 100m
+ memory: 128Mi
 ephemeral-storage: 60Mi
 securityContext:
 allowPrivilegeEscalation: false
@@ -105,7 +115,12 @@ spec:
 imagePullPolicy: IfNotPresent
 name: csi-resizer
 resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
 requests:
+ cpu: 100m
+ memory: 128Mi
 ephemeral-storage: 60Mi
 securityContext:
 allowPrivilegeEscalation: false
@@ -134,7 +149,12 @@ spec:
 imagePullPolicy: IfNotPresent
 name: csi-snapshotter
 resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
 requests:
+ cpu: 100m
+ memory: 128Mi
 ephemeral-storage: 60Mi
 securityContext:
 allowPrivilegeEscalation: false
@@ -154,7 +174,12 @@ spec:
 imagePullPolicy: IfNotPresent
 name: livenessprobe
 resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
 requests:
+ cpu: 100m
+ memory: 128Mi
 ephemeral-storage: 60Mi
 securityContext:
 allowPrivilegeEscalation: false
@@ -197,7 +222,12 @@ spec:
 timeoutSeconds: 1
 name: csi-controller
 resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
 requests:
+ cpu: 100m
+ memory: 128Mi
 ephemeral-storage: 60Mi
 securityContext:
 allowPrivilegeEscalation: false
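Review bot: The six csi-controller.yaml hunks paste one identical `limits`/`requests` block into every container (`csi-provisioner`, `csi-attacher`, `csi-resizer`, `csi-snapshotter`, `livenessprobe`, `csi-controller`), giving the liveness sidecar the same 256Mi/200m ceiling as the controller itself. As this is a Helm template, rendering the block from values, e.g. `{{- toYaml .Values.controller.resources | nindent 10 }}` (values key constructed; indent to match the container), would let each container be tuned without editing the template; the three csi-node.yaml hunks below copy the same block and would benefit the same way. If a full ceiling is intended, `ephemeral-storage` should also appear under `limits`, since only the pre-existing `ephemeral-storage: 60Mi` request is set.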
diff --git a/k8s/templates/helm/yandex-csi-driver/templates/csi-node.yaml b/k8s/templates/helm/yandex-csi-driver/templates/csi-node.yaml
index d17a232..0105dc5 100644
--- a/k8s/templates/helm/yandex-csi-driver/templates/csi-node.yaml
+++ b/k8s/templates/helm/yandex-csi-driver/templates/csi-node.yaml
@@ -22,6 +22,13 @@ spec:
 - operator: Exists
 containers:
 - name: csi-node-driver-registrar
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
 image: quay.io/k8scsi/csi-node-driver-registrar:v1.3.0
 args:
 - "--v=5"
@@ -38,6 +45,13 @@ spec:
 - name: registration-dir
 mountPath: /registration
 - name: csi-node
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
 securityContext:
 privileged: true
 image: registry.deckhouse.io/yandex-csi-driver/yandex-csi-driver:v0.9.11
@@ -58,6 +72,13 @@ spec:
 name: csi-credentials
 key: service-account-json
 - name: liveness-probe
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
 image: quay.io/k8scsi/livenessprobe:v2.0.0
 args:
 - --csi-address=/csi/csi.sock
diff --git a/k8s/variables.tf b/k8s/variables.tf
index 85ef60b..37ba2c2 100644
--- a/k8s/variables.tf
+++ b/k8s/variables.tf
@@ -25,6 +25,12 @@ variable "yandex_folder_name" {
 default = "example"
 }
+variable "root_vault_path_pki" {
+ description = "pki-root"
+ type = string
+ default = "pki-root"
+}
+
 variable "master_availability_zones"{
 type = object({
 ru-central1-a = string
diff --git a/modules/k8s-yandex-cluster-infra/main.tf b/modules/k8s-yandex-cluster-infra/main.tf
index b61dc8d..03596be 100644
--- a/modules/k8s-yandex-cluster-infra/main.tf
+++ b/modules/k8s-yandex-cluster-infra/main.tf
@@ -9,6 +9,7 @@ module "k8s-global-vars" {
 ssh_rsa_path = var.master_group.ssh_rsa_path
 pod_cidr = var.pod_cidr
 node_cidr_mask = var.node_cidr_mask
+ root_vault_path_pki = var.pki_metadata.root_vault_path_pki
 }
 module "k8s-vault" {
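Review bot: `root_vault_path_pki = var.pki_metadata.root_vault_path_pki` in modules/k8s-yandex-cluster-infra/main.tf reads an attribute that the module's `pki_metadata` variable (typed `any` with `default = {}`, declared in the modules/k8s-yandex-cluster-infra/variables.tf hunk below) does not guarantee, so a caller that omits `pki_metadata` fails at plan time with an unsupported-attribute error instead of falling back to `pki-root` as the other declarations in this commit do. Giving the variable a concrete object type with the attribute defaulted, plus a description, makes the empty default usable and documents the contract between the two modules. `optional(type, default)` needs Terraform 1.3 or later; on older versions declare `root_vault_path_pki = string` and set `default = { root_vault_path_pki = "pki-root" }` instead.
```hcl
variable "pki_metadata" {
  description = "PKI settings forwarded to the k8s-global-vars module; root_vault_path_pki is the Vault mount path of the root PKI engine."
  type = object({
    root_vault_path_pki = optional(string, "pki-root")
  })
  default = {}
}
```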
diff --git a/modules/k8s-yandex-cluster-infra/variables.tf b/modules/k8s-yandex-cluster-infra/variables.tf
index f417b26..501e200 100644
--- a/modules/k8s-yandex-cluster-infra/variables.tf
+++ b/modules/k8s-yandex-cluster-infra/variables.tf
@@ -37,6 +37,11 @@ variable "cloud_metadata" {
 }
 }
+variable "pki_metadata" {
+ type = any
+ default = {}
+}
+
 variable "master_group"{
 type = object({
 name = string