Draft: Fr-41

.gitignore

@@ -8,3 +8,5 @@ base/states/*
 
 k8s/providers-dev.tf
 base/providers-dev.tf
+k8s/provider-dev.tf
+base/provider-dev.tf

base/variables.tf

@@ -0,0 +1,5 @@
+variable "root_vault_path_pki" {
+    description = "pki-root"
+    type = string
+    default = "pki-root"
+}

base/vault.certificate.sign.keycloak.approle.tf

@@ -1,12 +1,12 @@
 resource "vault_auth_backend" "auth" {
-  type = "approle"
-  path = "pki-root/approle"
+ type = "approle"
+ path = "${var.root_vault_path_pki}/approle"
 }
 
 resource "vault_approle_auth_backend_role" "auth" {
-  backend                 = "${vault_auth_backend.auth.path}"
-  role_name               = "keycloak"
-  token_policies          = [vault_policy.auth.name]
-  secret_id_bound_cidrs   = []
-  token_bound_cidrs       = []
+ backend                 = "${vault_auth_backend.auth.path}"
+ role_name               = "keycloak"
+ token_policies          = [vault_policy.auth.name]
+ secret_id_bound_cidrs   = []
+ token_bound_cidrs       = []
 }

base/vault.core.pki.tf

@@ -1,5 +1,5 @@
 resource "vault_mount" "core_root_ca" {
-  path                      = "pki-root"
+  path                      = var.root_vault_path_pki
   type                      = "pki"
   description               = "root infrastruction"
   default_lease_ttl_seconds = 321408000

k8s/modules.tf

@@ -12,6 +12,10 @@ module "k8s-yandex-cluster" {
       folder_id = data.yandex_resourcemanager_folder.current.id
     }
 
+    pki_metadata = {
+      root_vault_path_pki = var.root_vault_path_pki
+    }
+
     master_group = {
         name    = "master" # Разрешенный префикс для сертификатов.
         count   = 1

k8s/templates/helm/certmanager/values.yaml

@@ -6,6 +6,13 @@ tolerations:
   - key: node.cloudprovider.kubernetes.io/uninitialized
     value: "true"
     effect: NoSchedule
+resources:
+  limits:
+    cpu: 200m
+    memory: 100Mi          
+  requests:
+    cpu: 100m
+    memory: 50Mi
 
 webhook:
   tolerations:
@@ -16,6 +23,13 @@ webhook:
   - key: node.cloudprovider.kubernetes.io/uninitialized
     value: "true"
     effect: NoSchedule
+  resources:
+    limits:
+      cpu: 200m
+      memory: 100Mi          
+    requests:
+      cpu: 100m
+      memory: 50Mi
 
 cainjector:
   tolerations:
@@ -26,6 +40,13 @@ cainjector:
   - key: node.cloudprovider.kubernetes.io/uninitialized
     value: "true"
     effect: NoSchedule
+  resources:
+    limits:
+      cpu: 200m
+      memory: 100Mi          
+    requests:
+      cpu: 100m
+      memory: 50Mi
 
 
 startupapicheck:

k8s/templates/helm/cilium/values.yaml.tftpl

@@ -141,6 +141,13 @@ clustermesh:
 monitor:
   # -- Enable the cilium-monitor sidecar.
   enabled: true
+  resources:
+    limits:
+      cpu: 200m
+      memory: 256Gi
+    requests:
+      cpu: 100m
+      memory: 128Mi
 
 hubble:
   # -- Enable Hubble (true by default).

k8s/templates/helm/cluster-machine-approver/templates/test.yaml

@@ -74,6 +74,9 @@ spec:
         - image: dobrykot/cluster-machine-approver:v1.0.11
           name: cluster-machine-approver
           resources:
+            limits:
+              cpu: 200m
+              memory: 100Mi          
             requests:
               cpu: 100m
               memory: 50Mi

k8s/templates/helm/yandex-csi-driver/templates/csi-controller.yaml

@@ -47,7 +47,12 @@ spec:
         imagePullPolicy: IfNotPresent
         name: csi-provisioner
         resources:
+          limits:
+            cpu: 200m
+            memory: 256Mi
           requests:
+            cpu: 100m
+            memory: 128Mi   
             ephemeral-storage: 60Mi
         securityContext:
           allowPrivilegeEscalation: false
@@ -76,7 +81,12 @@ spec:
         imagePullPolicy: IfNotPresent
         name: csi-attacher
         resources:
+          limits:
+            cpu: 200m
+            memory: 256Mi
           requests:
+            cpu: 100m
+            memory: 128Mi   
             ephemeral-storage: 60Mi
         securityContext:
           allowPrivilegeEscalation: false
@@ -105,7 +115,12 @@ spec:
         imagePullPolicy: IfNotPresent
         name: csi-resizer
         resources:
+          limits:
+            cpu: 200m
+            memory: 256Mi
           requests:
+            cpu: 100m
+            memory: 128Mi   
             ephemeral-storage: 60Mi
         securityContext:
           allowPrivilegeEscalation: false
@@ -134,7 +149,12 @@ spec:
         imagePullPolicy: IfNotPresent
         name: csi-snapshotter
         resources:
+          limits:
+            cpu: 200m
+            memory: 256Mi
           requests:
+            cpu: 100m
+            memory: 128Mi   
             ephemeral-storage: 60Mi
         securityContext:
           allowPrivilegeEscalation: false
@@ -154,7 +174,12 @@ spec:
         imagePullPolicy: IfNotPresent
         name: livenessprobe
         resources:
+          limits:
+            cpu: 200m
+            memory: 256Mi
           requests:
+            cpu: 100m
+            memory: 128Mi   
             ephemeral-storage: 60Mi
         securityContext:
           allowPrivilegeEscalation: false
@@ -197,7 +222,12 @@ spec:
           timeoutSeconds: 1
         name: csi-controller
         resources:
+          limits:
+            cpu: 200m
+            memory: 256Mi
           requests:
+            cpu: 100m
+            memory: 128Mi   
             ephemeral-storage: 60Mi
         securityContext:
           allowPrivilegeEscalation: false

k8s/templates/helm/yandex-csi-driver/templates/csi-node.yaml

@@ -22,6 +22,13 @@ spec:
         - operator: Exists
       containers:
         - name: csi-node-driver-registrar
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi           
           image: quay.io/k8scsi/csi-node-driver-registrar:v1.3.0
           args:
             - "--v=5"
@@ -38,6 +45,13 @@ spec:
             - name: registration-dir
               mountPath: /registration
         - name: csi-node
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi             
           securityContext:
             privileged: true
           image: registry.deckhouse.io/yandex-csi-driver/yandex-csi-driver:v0.9.11
@@ -58,6 +72,13 @@ spec:
                   name: csi-credentials
                   key: service-account-json
         - name: liveness-probe
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi             
           image: quay.io/k8scsi/livenessprobe:v2.0.0
           args:
             - --csi-address=/csi/csi.sock

k8s/variables.tf

@@ -25,6 +25,12 @@ variable "yandex_folder_name" {
   default     = "example"
 }
 
+variable "root_vault_path_pki" {
+    description = "pki-root"
+    type = string
+    default = "pki-root"
+}
+
 variable "master_availability_zones"{
   type = object({
     ru-central1-a = string

modules/k8s-yandex-cluster-infra/main.tf

@@ -9,6 +9,7 @@ module "k8s-global-vars" {
     ssh_rsa_path          = var.master_group.ssh_rsa_path
     pod_cidr              = var.pod_cidr
     node_cidr_mask        = var.node_cidr_mask
+    root_vault_path_pki   = var.pki_metadata.root_vault_path_pki
 }
 
 module "k8s-vault" {

modules/k8s-yandex-cluster-infra/variables.tf

@@ -37,6 +37,11 @@ variable "cloud_metadata" {
     }
 }
 
+variable "pki_metadata" {
+  type = any 
+  default = {}
+}
+
 variable "master_group"{
   type = object({
     name = string