Repository: particuleio/terraform-kubernetes-addons
Branch: main
Commit: 864c7b98f6d7
Files: 136
Total size: 819.1 KB
Directory structure:
gitextract_o3n_q8aa/
├── .github/
│ ├── CONTRIBUTING.md
│ ├── ISSUE_TEMPLATE/
│ │ ├── bug_report.md
│ │ └── feature_request.md
│ ├── PULL_REQUEST_TEMPLATE.md
│ ├── renovate.json
│ └── workflows/
│ ├── pr-title.yml
│ ├── pre-commit.yml
│ ├── release.yml
│ └── stale-actions.yaml
├── .gitignore
├── .mergify.yml
├── .pre-commit-config.yaml
├── .python-version
├── .releaserc.json
├── .terraform-docs.yml
├── CODEOWNERS
├── LICENSE
├── README.md
├── admiralty.tf
├── cert-manager-csi-driver.tf
├── cert-manager.tf
├── csi-external-snapshotter.tf
├── flux2.tf
├── grafana-mcp.tf
├── helm-dependencies.yaml
├── ingress-nginx.tf
├── k8gb.tf
├── karma.tf
├── keda.tf
├── kong-crds.tf
├── kong.tf
├── kube-prometheus-crd.tf
├── kube-prometheus.tf
├── linkerd-viz.tf
├── linkerd.tf
├── linkerd2-cni.tf
├── locals.tf
├── loki-stack.tf
├── metrics-server.tf
├── modules/
│ ├── aws/
│ │ ├── .terraform-docs.yml
│ │ ├── README.md
│ │ ├── aws-ebs-csi-driver.tf
│ │ ├── aws-efs-csi-driver.tf
│ │ ├── aws-for-fluent-bit.tf
│ │ ├── aws-load-balancer-controller.tf
│ │ ├── aws-node-termination-handler.tf
│ │ ├── cert-manager.tf
│ │ ├── cluster-autoscaler.tf
│ │ ├── cni-metrics-helper.tf
│ │ ├── data.tf
│ │ ├── examples/
│ │ │ └── README.md
│ │ ├── external-dns.tf
│ │ ├── iam/
│ │ │ ├── aws-ebs-csi-driver.json
│ │ │ ├── aws-ebs-csi-driver_kms.json
│ │ │ ├── aws-efs-csi-driver.json
│ │ │ └── aws-load-balancer-controller.json
│ │ ├── ingress-nginx.tf
│ │ ├── karpenter.tf
│ │ ├── kube-prometheus.tf
│ │ ├── locals-aws.tf
│ │ ├── loki-stack.tf
│ │ ├── prometheus-cloudwatch-exporter.tf
│ │ ├── s3-logging.tf
│ │ ├── secrets-store-csi-driver-provider-aws.tf
│ │ ├── templates/
│ │ │ ├── cert-manager-cluster-issuers.yaml.tpl
│ │ │ └── cni-metrics-helper.yaml.tpl
│ │ ├── thanos-memcached.tf
│ │ ├── thanos-storegateway.tf
│ │ ├── thanos-tls-querier.tf
│ │ ├── thanos.tf
│ │ ├── tigera-operator.tf
│ │ ├── variables-aws.tf
│ │ ├── velero.tf
│ │ ├── versions.tf
│ │ ├── victoria-metrics-k8s-stack.tf
│ │ └── yet-another-cloudwatch-exporter.tf
│ ├── azure/
│ │ ├── .terraform-docs.yml
│ │ ├── README.md
│ │ ├── ingress-nginx.tf
│ │ └── version.tf
│ ├── google/
│ │ ├── .terraform-docs.yml
│ │ ├── README.md
│ │ ├── cert-manager.tf
│ │ ├── data.tf
│ │ ├── external-dns.tf
│ │ ├── ingress-nginx.tf
│ │ ├── ip-masq-agent.tf
│ │ ├── kube-prometheus.tf
│ │ ├── loki-stack.tf
│ │ ├── manifests/
│ │ │ └── gke-ip-masq/
│ │ │ ├── ip-masq-agent-configmap.yaml
│ │ │ └── ip-masq-agent-daemonset.yaml
│ │ ├── templates/
│ │ │ ├── cert-manager-cluster-issuers.yaml.j2
│ │ │ ├── cert-manager-cluster-issuers.yaml.tpl
│ │ │ └── cni-metrics-helper.yaml.tpl
│ │ ├── thanos-memcached.tf
│ │ ├── thanos-receive.tf
│ │ ├── thanos-storegateway.tf
│ │ ├── thanos-tls-querier.tf
│ │ ├── thanos.tf
│ │ ├── variables-google.tf
│ │ ├── velero.tf
│ │ ├── versions.tf
│ │ └── victoria-metrics-k8s-stack.tf
│ └── scaleway/
│ ├── .terraform-docs.yml
│ ├── README.md
│ ├── cert-manager.tf
│ ├── examples/
│ │ └── README.md
│ ├── external-dns.tf
│ ├── ingress-nginx.tf
│ ├── kube-prometheus.tf
│ ├── locals-scaleway.tf
│ ├── loki-stack.tf
│ ├── templates/
│ │ └── cert-manager-cluster-issuers.yaml.tpl
│ ├── thanos-memcached.tf
│ ├── thanos-storegateway.tf
│ ├── thanos-tls-querier.tf
│ ├── thanos.tf
│ ├── variables-scaleway.tf
│ ├── velero.tf
│ ├── versions.tf
│ └── victoria-metrics-k8s-stack.tf
├── node-problem-detector.tf
├── priority-class.tf
├── prometheus-adapter.tf
├── prometheus-blackbox-exporter.tf
├── promtail.tf
├── reloader.tf
├── sealed-secrets.tf
├── secrets-store-csi-driver.tf
├── templates/
│ ├── cert-manager-cluster-issuers.yaml.tpl
│ └── cert-manager-csi-driver.yaml.tpl
├── tigera-operator.tf
├── traefik.tf
├── variables.tf
├── versions.tf
└── victoria-metrics-k8s-stack.tf
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/CONTRIBUTING.md
================================================
# Contributing
When contributing to this repository, please first discuss the change you wish to make via issue,
email, or any other method with the owners of this repository before making a change.
Please note we have a code of conduct, please follow it in all your interactions with the project.
## Pull Request Process
1. Ensure any install or build dependencies are removed before the end of the layer when doing a build.
2. Update the README.md with details of changes to the interface, this includes new environment variables, exposed ports, useful file locations, and container parameters.
3. Once all outstanding comments and checklist items have been addressed, your contribution will be merged! Merged PRs will trigger a new release
## Checklists for contributions
- [ ] Add [semantics prefix](#semantic-pull-requests) to your PR or Commits (at least one of your commit groups)
- [ ] CI tests are passing
- [ ] README.md has been updated after any changes to variables and outputs. See https://github.com/terraform-aws-modules/terraform-aws-eks/#doc-generation
## Semantic Pull Requests
To generate changelog, Pull Requests or Commits must have semantic and must follow conventional specs below:
- `feat:` for new features
- `fix:` for bug fixes
- `improvement:` for enhancements
- `docs:` for documentation and examples
- `refactor:` for code refactoring
- `test:` for tests
- `ci:` for CI purpose
- `chore:` for chores stuff
The `chore` prefix skipped during changelog generation. It can be used for `chore: update changelog` commit message by example.
================================================
FILE: .github/ISSUE_TEMPLATE/bug_report.md
================================================
---
name: Bug report
about: Create a report to help us improve
title: "[bug]"
labels: bug
assignees: ArchiFleKs
---
## Describe the bug
A clear and concise description of what the bug is.
## What is the current behavior?
## How to reproduce? Please include a code sample if relevant.
## What's the expected behavior?
## Are you able to fix this problem and submit a PR? Link here if you have already.
## Environment details
* Affected module version:
* OS:
* Terraform version:
* Kubernetes version
## Any other relevant info
================================================
FILE: .github/ISSUE_TEMPLATE/feature_request.md
================================================
---
name: Feature request
about: Suggest an idea for this project
title: "[enhancement]"
labels: enhancement
assignees: ArchiFleKs
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.
================================================
FILE: .github/PULL_REQUEST_TEMPLATE.md
================================================
# Pull request title
## Description
Please explain the changes you made here and link to any relevant issues.
### Checklist
- [ ] CI tests are passing
- [ ] README.md has been updated after any changes to variables and outputs. See https://github.com/particuleio/terraform-kubernetes-addons/#doc-generation
================================================
FILE: .github/renovate.json
================================================
{
"extends": [
":separateMajorReleases",
":ignoreUnstable",
":prImmediately",
":updateNotScheduled",
":disableRateLimiting",
":ignoreModulesAndTests",
":gitSignOff",
"group:monorepos",
"group:recommended",
"helpers:disableTypesNodeMajor",
"workarounds:all",
":automergeDigest",
":automergeMinor",
":dependencyDashboard"
],
"baseBranchPatterns": [
"main"
],
"enabledManagers": [
"helmv3",
"github-actions",
"pre-commit",
"terraform"
],
"semanticCommits": "enabled",
"platformAutomerge": false,
"helmv3": {
"enabled": true,
"managerFilePatterns": [
"/(^|/)helm-dependencies.yaml$/"
]
},
"commitMessageExtra": "to {{newVersion}} (was {{currentVersion}})",
"prHourlyLimit": 0,
"packageRules": [
{
"matchManagers": [
"github-actions"
],
"semanticCommitScope": "ci",
"semanticCommitType": "chore"
},
{
"matchManagers": [
"pre-commit"
],
"semanticCommitScope": "ci",
"semanticCommitType": "chore"
},
{
"matchManagers": [
"helmv3"
],
"semanticCommitScope": "charts",
"semanticCommitType": "fix",
"matchUpdateTypes": [
"patch",
"digest"
]
},
{
"matchManagers": [
"helmv3"
],
"semanticCommitScope": "charts",
"semanticCommitType": "feat",
"matchUpdateTypes": [
"major",
"minor"
]
},
{
"matchManagers": [
"helmv3",
"github-actions",
"pre-commit"
],
"matchUpdateTypes": [
"minor",
"patch",
"digest"
],
"addLabels": [
"automerge"
]
},
{
"matchManagers": [
"terraform"
],
"semanticCommitScope": "tf",
"semanticCommitType": "feat",
"automerge": false
}
]
}
================================================
FILE: .github/workflows/pr-title.yml
================================================
name: 'Validate PR title'
on:
pull_request_target:
types:
- opened
- edited
- synchronize
jobs:
main:
name: Validate PR title
runs-on: ubuntu-latest
steps:
# Please look up the latest version from
# https://github.com/amannn/action-semantic-pull-request/releases
- uses: amannn/action-semantic-pull-request@v6.1.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
# Configure which types are allowed.
# Default: https://github.com/commitizen/conventional-commit-types
types: |
fix
feat
docs
ci
chore
# Configure that a scope must always be provided.
requireScope: false
# Configure additional validation for the subject based on a regex.
# This example ensures the subject starts with an uppercase character.
# subjectPattern: ^[A-Z].+$
# If `subjectPattern` is configured, you can use this property to override
# the default error message that is shown when the pattern doesn't match.
# The variables `subject` and `title` can be used within the message.
# subjectPatternError: |
# The subject "{subject}" found in the pull request title "{title}"
# didn't match the configured pattern. Please ensure that the subject
# starts with an uppercase character.
# For work-in-progress PRs you can typically use draft pull requests
# from Github. However, private repositories on the free plan don't have
# this option and therefore this action allows you to opt-in to using the
# special "[WIP]" prefix to indicate this state. This will avoid the
# validation of the PR title and the pull request checks remain pending.
# Note that a second check will be reported if this is enabled.
wip: true
# When using "Squash and merge" on a PR with only one commit, GitHub
# will suggest using that commit message instead of the PR title for the
# merge commit, and it's easy to commit this by mistake. Enable this option
# to also validate the commit message for one commit PRs.
validateSingleCommit: false
================================================
FILE: .github/workflows/pre-commit.yml
================================================
name: Pre-Commit
on:
pull_request:
branches:
- main
- master
workflow_dispatch:
env:
TERRAFORM_DOCS_VERSION: v0.21.0
TFLINT_VERSION: v0.61.0
jobs:
collectInputs:
name: Collect workflow inputs
runs-on: ubuntu-latest
outputs:
directories: ${{ steps.dirs.outputs.directories }}
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Get root directories
id: dirs
uses: clowdhaus/terraform-composite-actions/directories@v1.14.0
preCommitMinVersions:
name: Min TF pre-commit
needs: collectInputs
runs-on: ubuntu-latest
strategy:
matrix:
directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Terraform min/max versions
id: minMax
uses: clowdhaus/terraform-min-max@v3.0.1
with:
directory: ${{ matrix.directory }}
- name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
# Run only validate pre-commit check on min version supported
if: ${{ matrix.directory != '.' }}
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
with:
terraform-version: ${{ steps.minMax.outputs.minVersion }}
terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
tflint-version: ${{ env.TFLINT_VERSION }}
args: "terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*"
- name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
# Run only validate pre-commit check on min version supported
if: ${{ matrix.directory == '.' }}
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
with:
terraform-version: ${{ steps.minMax.outputs.minVersion }}
terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
tflint-version: ${{ env.TFLINT_VERSION }}
args: "terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)"
preCommitMaxVersion:
name: Max TF pre-commit
runs-on: ubuntu-latest
needs: collectInputs
steps:
- name: Checkout
uses: actions/checkout@v6
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{github.event.pull_request.head.repo.full_name}}
- name: Terraform min/max versions
id: minMax
uses: clowdhaus/terraform-min-max@v3.0.1
- name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
with:
terraform-version: ${{ steps.minMax.outputs.maxVersion }}
terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
tflint-version: ${{ env.TFLINT_VERSION }}
================================================
FILE: .github/workflows/release.yml
================================================
name: Release
on:
push:
branches:
- release
jobs:
terraform-release:
if: github.ref == 'refs/heads/release'
name: 'terraform:release'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Semantic Release
uses: cycjimmy/semantic-release-action@v3
with:
branches: |
[
'release'
]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
================================================
FILE: .github/workflows/stale-actions.yaml
================================================
name: 'Mark or close stale issues and PRs'
on:
schedule:
- cron: '0 0 * * *'
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v10
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
# Staling issues and PR's
days-before-stale: 30
stale-issue-label: stale
stale-pr-label: stale
stale-issue-message: |
This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days
stale-pr-message: |
This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days
# Not stale if have this labels or part of milestone
exempt-issue-labels: bug,wip,on-hold
exempt-pr-labels: bug,wip,on-hold
exempt-all-milestones: true
# Close issue operations
# Label will be automatically removed if the issues are no longer closed nor locked.
days-before-close: 10
delete-branch: true
close-issue-message: This issue was automatically closed because of stale in 10 days
close-pr-message: This PR was automatically closed because of stale in 10 days
================================================
FILE: .gitignore
================================================
.terragrunt-cache
.terraform
.terraform.lock.hcl
.idea
.sisyphus
================================================
FILE: .mergify.yml
================================================
pull_request_rules:
- name: Automatic approve Renovate PRs (patch/minor)
conditions:
- author=renovate[bot]
- label=automerge
actions:
review:
type: APPROVE
- name: Automatic merge Renovate PRs (patch/minor)
conditions:
- author=renovate[bot]
- base=main
- label=automerge
- "#approved-reviews-by>=1"
- check-success=Max TF pre-commit
- check-success=Validate PR title
actions:
merge:
method: squash
- name: Automatic merge on approval
conditions:
- base=main
- "#approved-reviews-by>=1"
actions:
merge:
method: squash
- name: Automatic merge on approval release
conditions:
- base=release
- "#approved-reviews-by>=1"
actions:
merge:
method: merge
================================================
FILE: .pre-commit-config.yaml
================================================
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.105.0
hooks:
- id: terraform_fmt
- id: terraform_validate
args:
- --hook-config=--retry-once-with-cleanup=true
- --tf-init-args=-upgrade
- id: terraform_docs
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v6.0.0
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer
- repo: https://github.com/renovatebot/pre-commit-hooks
rev: 43.110.9
hooks:
- id: renovate-config-validator
================================================
FILE: .python-version
================================================
3.x
================================================
FILE: .releaserc.json
================================================
{
"plugins": [
"@semantic-release/commit-analyzer",
"@semantic-release/release-notes-generator",
"@semantic-release/github"
]
}
================================================
FILE: .terraform-docs.yml
================================================
settings:
lockfile: false
================================================
FILE: CODEOWNERS
================================================
# This is a comment.
# Each line is a file pattern followed by one or more owners.
# These owners will be the default owners for everything in
# the repo. Unless a later match takes precedence,
# @global-owner1 and @global-owner2 will be requested for
# review when someone opens a pull request.
* @particuleio/team
================================================
FILE: LICENSE
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: README.md
================================================
# terraform-kubernetes-addons
[](https://github.com/semantic-release/terraform-kubernetes-addons)
[](https://github.com/particuleio/terraform-kubernetes-addons/actions?query=workflow%3Aterraform-kubernetes-addons)
## Main components
| Name | Description | Generic | AWS | Scaleway | GCP | Azure |
|------|-------------|:-------:|:---:|:--------:|:---:|:-----:|
| [admiralty](https://admiralty.io/) | A system of Kubernetes controllers that intelligently schedules workloads across clusters | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [aws-ebs-csi-driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) | Enable new feature and the use of `gp3` volumes | N/A | :heavy_check_mark: | N/A | N/A | N/A |
| [aws-efs-csi-driver](https://github.com/kubernetes-sigs/aws-efs-csi-driver) | Enable EFS Support | N/A | :heavy_check_mark: | N/A | N/A | N/A |
| [aws-for-fluent-bit](https://github.com/aws/aws-for-fluent-bit) | Cloudwatch logging with fluent bit instead of fluentd | N/A | :heavy_check_mark: | N/A | N/A | N/A |
| [aws-load-balancer-controller](https://aws.amazon.com/about-aws/whats-new/2020/10/introducing-aws-load-balancer-controller/) | Use AWS ALB/NLB for ingress and services | N/A | :heavy_check_mark: | N/A | N/A | N/A |
| [aws-node-termination-handler](https://github.com/aws/aws-node-termination-handler) | Manage spot instance lifecyle | N/A | :heavy_check_mark: | N/A | N/A | N/A |
| [aws-calico](https://github.com/aws/eks-charts/tree/master/stable/aws-calico) | Use calico for network policy | N/A | :heavy_check_mark: | N/A | N/A | N/A |
| [secrets-store-csi-driver-provider-aws](https://github.com/aws/secrets-store-csi-driver-provider-aws) | AWS Secret Store and Parameter store driver for secret store CSI driver | :heavy_check_mark: | N/A | N/A | N/A | N/A |
| [cert-manager](https://github.com/jetstack/cert-manager) | automatically generate TLS certificates, supports ACME v2 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | N/A |
| [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler) | scale worker nodes based on workload | N/A | :heavy_check_mark: | Included | Included | Included |
| [cni-metrics-helper](https://docs.aws.amazon.com/eks/latest/userguide/cni-metrics-helper.html) | Provides cloudwatch metrics for VPC CNI plugins | N/A | :heavy_check_mark: | N/A | N/A | N/A |
| [external-dns](https://github.com/kubernetes-incubator/external-dns) | sync ingress and service records in route53 | :x: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: |
| [flux2](https://github.com/fluxcd/flux2) | Open and extensible continuous delivery solution for Kubernetes. Powered by GitOps Toolkit | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [ingress-nginx](https://github.com/kubernetes/ingress-nginx) | processes `Ingress` object and acts as a HTTP/HTTPS proxy (compatible with cert-manager) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: |
| [k8gb](https://www.k8gb.io/) | A cloud native Kubernetes Global Balancer | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [karma](https://github.com/prymitive/karma) | An alertmanager dashboard | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [keda](https://github.com/kedacore/keda) | Kubernetes Event-driven Autoscaling | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [kong](https://konghq.com/kong) | API Gateway ingress controller | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: |
| [kube-prometheus-stack](https://github.com/prometheus-operator/kube-prometheus) | Monitoring / Alerting / Dashboards | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: |
| [loki-stack](https://grafana.com/oss/loki/) | Grafana Loki logging stack | :heavy_check_mark: | :heavy_check_mark: | :construction: | :x: | :x: |
| [promtail](https://grafana.com/docs/loki/latest/clients/promtail/) | Ship log to loki from other cluster (eg. mTLS) | :construction: | :heavy_check_mark: | :construction: | :x: | :x: |
| [prometheus-adapter](https://github.com/kubernetes-sigs/prometheus-adapter) | Prometheus metrics for use with the autoscaling/v2 Horizontal Pod Autoscaler in Kubernetes 1.6+ | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [prometheus-cloudwatch-exporter](https://github.com/prometheus/cloudwatch_exporter) | An exporter for Amazon CloudWatch, for Prometheus. | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [prometheus-blackbox-exporter](https://github.com/prometheus/blackbox_exporter) | The blackbox exporter allows blackbox probing of endpoints over HTTP, HTTPS, DNS, TCP and ICMP. | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [rabbitmq-cluster-operator](https://github.com/rabbitmq/cluster-operator) | The RabbitMQ Cluster Operator automates provisioning, management of RabbitMQ clusters. | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [metrics-server](https://github.com/kubernetes-incubator/metrics-server) | enable metrics API and horizontal pod scaling (HPA) | :heavy_check_mark: | :heavy_check_mark: | Included | Included | Included |
| [node-problem-detector](https://github.com/kubernetes/node-problem-detector) | Forwards node problems to Kubernetes events | :heavy_check_mark: | :heavy_check_mark: | Included | Included | Included |
| [secrets-store-csi-driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver) | Secrets Store CSI driver for Kubernetes secrets - Integrates secrets stores with Kubernetes via a CSI volume. | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [sealed-secrets](https://github.com/bitnami-labs/sealed-secrets) | Technology agnostic, store secrets on git | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [thanos](https://thanos.io/) | Open source, highly available Prometheus setup with long term storage capabilities | :x: | :heavy_check_mark: | :construction: | :x: | :x: |
| [thanos-memcached](https://thanos.io/tip/components/query-frontend.md/#memcached) | Open source, highly available Prometheus setup with long term storage capabilities | :x: | :heavy_check_mark: | :construction: | :x: | :x: |
| [thanos-storegateway](https://thanos.io/) | Additional storegateway to query multiple object stores | :x: | :heavy_check_mark: | :construction: | :x: | :x: |
| [thanos-tls-querier](https://thanos.io/tip/operating/cross-cluster-tls-communication.md/) | Thanos TLS querier for cross cluster collection | :x: | :heavy_check_mark: | :construction: | :x: | :x: |
## Submodules
Submodules are used for specific cloud provider configuration such as IAM role for
AWS. For a Kubernetes vanilla cluster, generic addons should be used.
Any contribution supporting a new cloud provider is welcomed.
* [AWS](./modules/aws)
* [Scaleway](./modules/scaleway)
* [GCP](./modules/google)
* [Azure](./modules/azure)
## Doc generation
Code formatting and documentation for variables and outputs is generated using
[pre-commit-terraform
hooks](https://github.com/antonbabenko/pre-commit-terraform) which uses
[terraform-docs](https://github.com/segmentio/terraform-docs).
Follow [these
instructions](https://github.com/antonbabenko/pre-commit-terraform#how-to-install)
to install pre-commit locally.
And install `terraform-docs` with `go get github.com/segmentio/terraform-docs`
or `brew install terraform-docs`.
## Contributing
Report issues/questions/feature requests on in the
[issues](https://github.com/particuleio/terraform-kubernetes-addons/issues/new)
section.
Full contributing [guidelines are covered
here](https://github.com/particuleio/terraform-kubernetes-addons/blob/master/.github/CONTRIBUTING.md).
## Requirements
| Name | Version |
| ---- | ------- |
| [terraform](#requirement\_terraform) | >= 1.5.7 |
| [flux](#requirement\_flux) | ~> 1.0 |
| [github](#requirement\_github) | ~> 6.0 |
| [helm](#requirement\_helm) | ~> 3.0 |
| [http](#requirement\_http) | >= 3 |
| [kubectl](#requirement\_kubectl) | ~> 2.0 |
| [kubernetes](#requirement\_kubernetes) | ~> 2.0, != 2.12 |
| [tls](#requirement\_tls) | ~> 4.0 |
## Providers
| Name | Version |
| ---- | ------- |
| [flux](#provider\_flux) | ~> 1.0 |
| [github](#provider\_github) | ~> 6.0 |
| [helm](#provider\_helm) | ~> 3.0 |
| [http](#provider\_http) | >= 3 |
| [kubectl](#provider\_kubectl) | ~> 2.0 |
| [kubernetes](#provider\_kubernetes) | ~> 2.0, != 2.12 |
| [random](#provider\_random) | n/a |
| [time](#provider\_time) | n/a |
| [tls](#provider\_tls) | ~> 4.0 |
## Modules
No modules.
## Resources
| Name | Type |
| ---- | ---- |
| [flux_bootstrap_git.flux](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/resources/bootstrap_git) | resource |
| [github_branch_default.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |
| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
| [github_repository_deploy_key.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |
| [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.grafana-mcp](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.ingress-nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.k8gb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.karma](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.kong](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.metrics-server](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.node-problem-detector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.tigera-operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubectl_manifest.calico_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.linkerd](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.tigera-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
| [kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.flux2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.grafana-mcp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.ingress-nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.k8gb](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.karma](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.kong](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.metrics-server](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.node-problem-detector](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.tigera-operator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.flux2_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.flux2_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.grafana-mcp_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.grafana-mcp_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.k8gb_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.k8gb_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.keda_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.keda_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd2-cni_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.metrics-server_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.metrics-server_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.metrics-server_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.npd_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.npd_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-adapter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-adapter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-blackbox-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-blackbox-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.secrets-store-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.tigera-operator_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.tigera-operator_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_priority_class.kubernetes_addons](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
| [kubernetes_priority_class.kubernetes_addons_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
| [kubernetes_secret.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.loki-stack-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.promtail-tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [random_string.grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [time_sleep.cert-manager_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [tls_cert_request.promtail-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
| [tls_locally_signed_cert.promtail-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |
| [tls_private_key.identity](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.loki-stack-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.promtail-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_self_signed_cert.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.loki-stack-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
| [http_http.calico_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.csi-external-snapshotter](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.kong_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.tigera-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [kubectl_file_documents.calico_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_file_documents.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_file_documents.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_file_documents.tigera-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_path_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/path_documents) | data source |
## Inputs
| Name | Description | Type | Default | Required |
| ---- | ----------- | ---- | ------- | :------: |
| [admiralty](#input\_admiralty) | Customize admiralty chart, see `admiralty.tf` for supported values | `any` | `{}` | no |
| [cert-manager](#input\_cert-manager) | Customize cert-manager chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |
| [cert-manager-csi-driver](#input\_cert-manager-csi-driver) | Customize cert-manager-csi-driver chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |
| [cluster-autoscaler](#input\_cluster-autoscaler) | Customize cluster-autoscaler chart, see `cluster-autoscaler.tf` for supported values | `any` | `{}` | no |
| [cluster-name](#input\_cluster-name) | Name of the Kubernetes cluster | `string` | `"sample-cluster"` | no |
| [csi-external-snapshotter](#input\_csi-external-snapshotter) | Customize csi-external-snapshotter, see `csi-external-snapshotter.tf` for supported values | `any` | `{}` | no |
| [external-dns](#input\_external-dns) | Map of map for external-dns configuration: see `external_dns.tf` for supported values | `any` | `{}` | no |
| [flux2](#input\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |
| [grafana-mcp](#input\_grafana-mcp) | Customize grafana-mcp chart, see `grafana-mcp.tf` for supported values | `any` | `{}` | no |
| [helm\_defaults](#input\_helm\_defaults) | Customize default Helm behavior | `any` | `{}` | no |
| [ingress-nginx](#input\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |
| [ip-masq-agent](#input\_ip-masq-agent) | Configure ip masq agent chart, see `ip-masq-agent.tf` for supported values. This addon works only on GCP. | `any` | `{}` | no |
| [k8gb](#input\_k8gb) | Customize k8gb chart, see `k8gb.tf` for supported values | `any` | `{}` | no |
| [karma](#input\_karma) | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |
| [keda](#input\_keda) | Customize keda chart, see `keda.tf` for supported values | `any` | `{}` | no |
| [kong](#input\_kong) | Customize kong-ingress chart, see `kong.tf` for supported values | `any` | `{}` | no |
| [kube-prometheus-stack](#input\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |
| [labels\_prefix](#input\_labels\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `"particule.io"` | no |
| [linkerd](#input\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |
| [linkerd-viz](#input\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |
| [linkerd2](#input\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |
| [linkerd2-cni](#input\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |
| [loki-stack](#input\_loki-stack) | Customize loki-stack chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
| [metrics-server](#input\_metrics-server) | Customize metrics-server chart, see `metrics_server.tf` for supported values | `any` | `{}` | no |
| [npd](#input\_npd) | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |
| [priority-class](#input\_priority-class) | Customize a priority class for addons | `any` | `{}` | no |
| [priority-class-ds](#input\_priority-class-ds) | Customize a priority class for addons daemonsets | `any` | `{}` | no |
| [prometheus-adapter](#input\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |
| [prometheus-blackbox-exporter](#input\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
| [promtail](#input\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
| [reloader](#input\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |
| [sealed-secrets](#input\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
| [secrets-store-csi-driver](#input\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |
| [thanos](#input\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-memcached](#input\_thanos-memcached) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-receive](#input\_thanos-receive) | Customize thanos chart, see `thanos-receive.tf` for supported values | `any` | `{}` | no |
| [thanos-storegateway](#input\_thanos-storegateway) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-tls-querier](#input\_thanos-tls-querier) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-tls-querier-ca-cert](#input\_thanos-tls-querier-ca-cert) | TLS CA certificate, used to generate the client mTLS materials | `string` | `""` | no |
| [thanos-tls-querier-ca-private-key](#input\_thanos-tls-querier-ca-private-key) | TLS CA private key, used to generate the client mTLS materials | `string` | `""` | no |
| [tigera-operator](#input\_tigera-operator) | Customize tigera-operator chart, see `tigera-operator.tf` for supported values | `any` | `{}` | no |
| [traefik](#input\_traefik) | Customize traefik chart, see `traefik.tf` for supported values | `any` | `{}` | no |
| [velero](#input\_velero) | Customize velero chart, see `velero.tf` for supported values | `any` | `{}` | no |
| [victoria-metrics-k8s-stack](#input\_victoria-metrics-k8s-stack) | Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values | `any` | `{}` | no |
## Outputs
| Name | Description |
| ---- | ----------- |
| [grafana\_password](#output\_grafana\_password) | n/a |
| [loki-stack-ca](#output\_loki-stack-ca) | n/a |
| [loki-stack-ca-key](#output\_loki-stack-ca-key) | n/a |
| [promtail-cert](#output\_promtail-cert) | n/a |
| [promtail-key](#output\_promtail-key) | n/a |
================================================
FILE: admiralty.tf
================================================
locals {
admiralty = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "admiralty")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "admiralty")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "admiralty")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "admiralty")].version
namespace = "admiralty"
enabled = false
create_ns = true
default_network_policy = true
},
var.admiralty
)
values_admiralty = <<-VALUES
VALUES
}
resource "kubernetes_namespace" "admiralty" {
count = local.admiralty["enabled"] && local.admiralty["create_ns"] ? 1 : 0
metadata {
labels = {
name = local.admiralty["namespace"]
}
name = local.admiralty["namespace"]
}
}
resource "helm_release" "admiralty" {
count = local.admiralty["enabled"] ? 1 : 0
repository = local.admiralty["repository"]
name = local.admiralty["name"]
chart = local.admiralty["chart"]
version = local.admiralty["chart_version"]
timeout = local.admiralty["timeout"]
force_update = local.admiralty["force_update"]
recreate_pods = local.admiralty["recreate_pods"]
wait = local.admiralty["wait"]
atomic = local.admiralty["atomic"]
cleanup_on_fail = local.admiralty["cleanup_on_fail"]
dependency_update = local.admiralty["dependency_update"]
disable_crd_hooks = local.admiralty["disable_crd_hooks"]
disable_webhooks = local.admiralty["disable_webhooks"]
render_subchart_notes = local.admiralty["render_subchart_notes"]
replace = local.admiralty["replace"]
reset_values = local.admiralty["reset_values"]
reuse_values = local.admiralty["reuse_values"]
skip_crds = local.admiralty["skip_crds"]
verify = local.admiralty["verify"]
values = [
local.values_admiralty,
local.admiralty["extra_values"]
]
namespace = local.admiralty["create_ns"] ? kubernetes_namespace.admiralty.*.metadata.0.name[count.index] : local.admiralty["namespace"]
}
resource "kubernetes_network_policy" "admiralty_default_deny" {
count = local.admiralty["enabled"] && local.admiralty["default_network_policy"] ? 1 : 0
metadata {
name = "${local.admiralty["namespace"]}-${local.admiralty["name"]}-default-deny"
namespace = local.admiralty["namespace"]
}
spec {
pod_selector {
}
policy_types = ["Ingress"]
}
}
resource "kubernetes_network_policy" "admiralty_allow_namespace" {
count = local.admiralty["enabled"] && local.admiralty["default_network_policy"] ? 1 : 0
metadata {
name = "${local.admiralty["namespace"]}-${local.admiralty["name"]}-default-namespace"
namespace = local.admiralty["namespace"]
}
spec {
pod_selector {
}
ingress {
from {
namespace_selector {
match_labels = {
name = local.admiralty["namespace"]
}
}
}
}
policy_types = ["Ingress"]
}
}
================================================
FILE: cert-manager-csi-driver.tf
================================================
locals {
cert-manager-csi-driver = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager-csi-driver")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager-csi-driver")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager-csi-driver")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager-csi-driver")].version
enabled = local.cert-manager.csi_driver
default_network_policy = true
namespace = local.cert-manager.namespace
},
var.cert-manager-csi-driver
)
values_cert-manager-csi-driver = < v.content } : {}
yaml_body = each.value
}
================================================
FILE: flux2.tf
================================================
locals {
# GITHUB_TOKEN should be set for Github provider to work
# GITHUB_ORGANIZATION should be set if deploying in another ORG and not your
# github user
flux2 = merge(
{
enabled = false
create_ns = true
namespace = "flux-system"
path = "gitops/clusters/${var.cluster-name}"
version = "v2.6.1"
create_github_repository = false
repository = "gitops"
repository_visibility = "public"
branch = "main"
components_extra = ["image-reflector-controller", "image-automation-controller"]
read_only = false
default_network_policy = true
},
var.flux2
)
}
resource "kubernetes_namespace" "flux2" {
count = local.flux2["enabled"] && local.flux2["create_ns"] ? 1 : 0
metadata {
labels = {
name = local.flux2["namespace"]
}
name = local.flux2["namespace"]
}
lifecycle {
ignore_changes = [
metadata[0].annotations,
metadata[0].labels,
]
}
}
resource "tls_private_key" "identity" {
count = local.flux2["enabled"] ? 1 : 0
algorithm = "ECDSA"
ecdsa_curve = "P521"
}
data "github_repository" "main" {
count = local.flux2["enabled"] && !local.flux2["create_github_repository"] ? 1 : 0
name = local.flux2["repository"]
}
resource "github_repository" "main" {
count = local.flux2["enabled"] && local.flux2["create_github_repository"] ? 1 : 0
name = local.flux2["repository"]
visibility = local.flux2["repository_visibility"]
auto_init = true
}
resource "github_branch_default" "main" {
count = local.flux2["enabled"] && local.flux2["create_github_repository"] ? 1 : 0
repository = local.flux2["create_github_repository"] ? github_repository.main[0].name : data.github_repository.main[0].name
branch = local.flux2["branch"]
}
resource "github_repository_deploy_key" "main" {
count = local.flux2["enabled"] ? 1 : 0
title = "flux-${local.flux2["create_github_repository"] ? github_repository.main[0].name : local.flux2["repository"]}-${local.flux2["branch"]}"
repository = local.flux2["create_github_repository"] ? github_repository.main[0].name : data.github_repository.main[0].name
key = tls_private_key.identity[0].public_key_openssh
read_only = local.flux2["read_only"]
}
resource "flux_bootstrap_git" "flux" {
count = local.flux2["enabled"] ? 1 : 0
depends_on = [
github_repository_deploy_key.main,
kubernetes_namespace.flux2
]
path = local.flux2["path"]
version = local.flux2["version"]
namespace = local.flux2["namespace"]
cluster_domain = try(local.flux2["cluster_domain"], null)
components = try(local.flux2["components"], null)
components_extra = try(local.flux2["components_extra"], null)
disable_secret_creation = try(local.flux2["disable_secret_creation"], null)
image_pull_secret = try(local.flux2["image_pull_secrets"], null)
interval = try(local.flux2["interval"], null)
kustomization_override = try(local.flux2["kustomization_override"], null)
log_level = try(local.flux2["log_level"], null)
network_policy = try(local.flux2["network_policy"], null)
recurse_submodules = try(local.flux2["recurse_submodules"], null)
registry = try(local.flux2["registry"], null)
secret_name = try(local.flux2["secret_name"], null)
toleration_keys = try(local.flux2["toleration_keys"], null)
watch_all_namespaces = try(local.flux2["watch_all_namespaces"], null)
}
resource "kubernetes_network_policy" "flux2_allow_monitoring" {
count = local.flux2["enabled"] && local.flux2["default_network_policy"] ? 1 : 0
metadata {
name = "${local.flux2["create_ns"] ? kubernetes_namespace.flux2.*.metadata.0.name[count.index] : local.flux2["namespace"]}-allow-monitoring"
namespace = local.flux2["create_ns"] ? kubernetes_namespace.flux2.*.metadata.0.name[count.index] : local.flux2["namespace"]
}
spec {
pod_selector {
}
ingress {
ports {
port = "8080"
protocol = "TCP"
}
from {
namespace_selector {
match_labels = {
"${local.labels_prefix}/component" = "monitoring"
}
}
}
}
policy_types = ["Ingress"]
}
}
resource "kubernetes_network_policy" "flux2_allow_namespace" {
count = local.flux2["enabled"] && local.flux2["default_network_policy"] ? 1 : 0
metadata {
name = "${local.flux2["create_ns"] ? kubernetes_namespace.flux2.*.metadata.0.name[count.index] : local.flux2["namespace"]}-allow-namespace"
namespace = local.flux2["create_ns"] ? kubernetes_namespace.flux2.*.metadata.0.name[count.index] : local.flux2["namespace"]
}
spec {
pod_selector {
}
ingress {
from {
namespace_selector {
match_labels = {
name = local.flux2["create_ns"] ? kubernetes_namespace.flux2.*.metadata.0.name[count.index] : local.flux2["namespace"]
}
}
}
}
policy_types = ["Ingress"]
}
}
================================================
FILE: grafana-mcp.tf
================================================
locals {
grafana-mcp = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "grafana-mcp")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "grafana-mcp")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "grafana-mcp")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "grafana-mcp")].version
namespace = "telemetry"
create_ns = false
enabled = false
default_network_policy = true
},
var.grafana-mcp
)
values_grafana-mcp = < v.content } : {}
yaml_body = each.value
server_side_apply = true
force_conflicts = true
}
================================================
FILE: kong.tf
================================================
locals {
kong = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "kong")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "kong")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "kong")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "kong")].version
namespace = "kong"
enabled = false
default_network_policy = true
ingress_cidrs = ["0.0.0.0/0"]
manage_crds = true
},
var.kong
)
values_kong = < v.response_body
} : null
}
data "http" "prometheus-operator_version" {
count = (local.victoria-metrics-k8s-stack.enabled && local.victoria-metrics-k8s-stack.install_prometheus_operator_crds) || (local.kube-prometheus-stack.enabled && local.kube-prometheus-stack.manage_crds) ? 1 : 0
url = local.prometheus-operator_chart
}
data "http" "prometheus-operator_crds" {
for_each = (local.victoria-metrics-k8s-stack.enabled && local.victoria-metrics-k8s-stack.install_prometheus_operator_crds) || (local.kube-prometheus-stack.enabled && local.kube-prometheus-stack.manage_crds) ? toset(local.prometheus-operator_crds) : []
url = each.key
}
resource "kubectl_manifest" "prometheus-operator_crds" {
for_each = (local.victoria-metrics-k8s-stack.enabled && local.victoria-metrics-k8s-stack.install_prometheus_operator_crds) || (local.kube-prometheus-stack.enabled && local.kube-prometheus-stack.manage_crds) ? local.prometheus-operator_crds_apply : {}
yaml_body = each.value
server_side_apply = true
force_conflicts = true
}
================================================
FILE: kube-prometheus.tf
================================================
locals {
kube-prometheus-stack = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "kube-prometheus-stack")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "kube-prometheus-stack")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "kube-prometheus-stack")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "kube-prometheus-stack")].version
namespace = "monitoring"
enabled = false
allowed_cidrs = ["0.0.0.0/0"]
default_network_policy = true
manage_crds = true
},
var.kube-prometheus-stack
)
values_kube-prometheus-stack = <
## Requirements
| Name | Version |
| ---- | ------- |
| [terraform](#requirement\_terraform) | >= 1.5.7 |
| [aws](#requirement\_aws) | >= 6.28 |
| [flux](#requirement\_flux) | ~> 1.0 |
| [github](#requirement\_github) | ~> 6.0 |
| [helm](#requirement\_helm) | ~> 3.0 |
| [http](#requirement\_http) | >= 3 |
| [kubectl](#requirement\_kubectl) | ~> 2.0 |
| [kubernetes](#requirement\_kubernetes) | ~> 2.0, != 2.12 |
| [tls](#requirement\_tls) | ~> 4.0 |
## Providers
| Name | Version |
| ---- | ------- |
| [aws](#provider\_aws) | >= 6.28 |
| [flux](#provider\_flux) | ~> 1.0 |
| [github](#provider\_github) | ~> 6.0 |
| [helm](#provider\_helm) | ~> 3.0 |
| [http](#provider\_http) | >= 3 |
| [kubectl](#provider\_kubectl) | ~> 2.0 |
| [kubernetes](#provider\_kubernetes) | ~> 2.0, != 2.12 |
| [random](#provider\_random) | n/a |
| [time](#provider\_time) | n/a |
| [tls](#provider\_tls) | ~> 4.0 |
## Modules
| Name | Source | Version |
| ---- | ------ | ------- |
| [iam\_assumable\_role\_aws-ebs-csi-driver](#module\_iam\_assumable\_role\_aws-ebs-csi-driver) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_aws-efs-csi-driver](#module\_iam\_assumable\_role\_aws-efs-csi-driver) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_aws-for-fluent-bit](#module\_iam\_assumable\_role\_aws-for-fluent-bit) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_aws-load-balancer-controller](#module\_iam\_assumable\_role\_aws-load-balancer-controller) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_cert-manager](#module\_iam\_assumable\_role\_cert-manager) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_cluster-autoscaler](#module\_iam\_assumable\_role\_cluster-autoscaler) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_cni-metrics-helper](#module\_iam\_assumable\_role\_cni-metrics-helper) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_external-dns](#module\_iam\_assumable\_role\_external-dns) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_kube-prometheus-stack\_grafana](#module\_iam\_assumable\_role\_kube-prometheus-stack\_grafana) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_kube-prometheus-stack\_thanos](#module\_iam\_assumable\_role\_kube-prometheus-stack\_thanos) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_loki-stack](#module\_iam\_assumable\_role\_loki-stack) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_prometheus-cloudwatch-exporter](#module\_iam\_assumable\_role\_prometheus-cloudwatch-exporter) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_thanos](#module\_iam\_assumable\_role\_thanos) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_thanos-storegateway](#module\_iam\_assumable\_role\_thanos-storegateway) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_velero](#module\_iam\_assumable\_role\_velero) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [iam\_assumable\_role\_yet-another-cloudwatch-exporter](#module\_iam\_assumable\_role\_yet-another-cloudwatch-exporter) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
| [karpenter](#module\_karpenter) | terraform-aws-modules/eks/aws//modules/karpenter | ~> 21.0 |
| [kube-prometheus-stack\_thanos\_bucket](#module\_kube-prometheus-stack\_thanos\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
| [loki\_bucket](#module\_loki\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
| [s3\_logging\_bucket](#module\_s3\_logging\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
| [security-group-efs-csi-driver](#module\_security-group-efs-csi-driver) | terraform-aws-modules/security-group/aws//modules/nfs | ~> 5.0 |
| [thanos\_bucket](#module\_thanos\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
| [velero\_thanos\_bucket](#module\_velero\_thanos\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
## Resources
| Name | Type |
| ---- | ---- |
| [aws_cloudwatch_log_group.aws-for-fluent-bit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_efs_file_system.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource |
| [aws_efs_mount_target.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource |
| [aws_iam_policy.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.aws-for-fluent-bit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.aws-load-balancer-controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.cert-manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.cluster-autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.cni-metrics-helper](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.external-dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.karpenter_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.kube-prometheus-stack_grafana](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.kube-prometheus-stack_thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.loki-stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.prometheus-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_kms_alias.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
| [aws_kms_key.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [flux_bootstrap_git.flux](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/resources/bootstrap_git) | resource |
| [github_branch_default.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |
| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
| [github_repository_deploy_key.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |
| [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.aws-for-fluent-bit](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.aws-load-balancer-controller](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.aws-node-termination-handler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cluster-autoscaler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.external-dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.grafana-mcp](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.ingress-nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.k8gb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.karma](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.karpenter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.kong](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.metrics-server](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.node-problem-detector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos-memcached](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos-tls-querier](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.tigera-operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubectl_manifest.aws-ebs-csi-driver_vsc](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.calico_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.cni-metrics-helper](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.linkerd](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.secrets-store-csi-driver-provider-aws](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.tigera-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
| [kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.aws-for-fluent-bit](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.aws-load-balancer-controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.aws-node-termination-handler](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.cluster-autoscaler](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.external-dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.flux2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.grafana-mcp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.ingress-nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.k8gb](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.karma](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.karpenter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.kong](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.metrics-server](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.node-problem-detector](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.tigera-operator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.aws-ebs-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.aws-ebs-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.aws-efs-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.aws-efs-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.aws-for-fluent-bit_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.aws-for-fluent-bit_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.aws-load-balancer-controller_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.aws-load-balancer-controller_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.aws-load-balancer-controller_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.aws-node-termination-handler_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.aws-node-termination-handler_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cluster-autoscaler_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cluster-autoscaler_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cluster-autoscaler_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.external-dns_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.external-dns_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.external-dns_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.flux2_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.flux2_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.grafana-mcp_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.grafana-mcp_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.k8gb_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.k8gb_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karpenter_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karpenter_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karpenter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karpenter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.keda_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.keda_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd2-cni_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.metrics-server_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.metrics-server_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.metrics-server_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.npd_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.npd_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-adapter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-adapter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-blackbox-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-blackbox-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-cloudwatch-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-cloudwatch-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.secrets-store-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.tigera-operator_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.tigera-operator_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.velero_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.velero_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.velero_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.yet-another-cloudwatch-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.yet-another-cloudwatch-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_priority_class.kubernetes_addons](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
| [kubernetes_priority_class.kubernetes_addons_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
| [kubernetes_secret.kube-prometheus-stack_thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.loki-stack-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.promtail-tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.thanos-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_storage_class.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
| [kubernetes_storage_class.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
| [random_string.grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [time_sleep.cert-manager_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [tls_cert_request.promtail-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
| [tls_cert_request.thanos-tls-querier-cert-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
| [tls_locally_signed_cert.promtail-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |
| [tls_locally_signed_cert.thanos-tls-querier-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |
| [tls_private_key.identity](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.loki-stack-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.promtail-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.thanos-tls-querier-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.thanos-tls-querier-cert-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_self_signed_cert.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.loki-stack-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.thanos-tls-querier-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.aws-ebs-csi-driver_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.aws-ebs-csi-driver_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.aws-efs-csi-driver_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.aws-for-fluent-bit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.aws-load-balancer-controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cert-manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cluster-autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cni-metrics-helper](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.external-dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.karpenter_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.kube-prometheus-stack_grafana](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.kube-prometheus-stack_thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.loki-stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.prometheus-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.velero_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.velero_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
| [http_http.calico_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.csi-external-snapshotter](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.kong_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.secrets-store-csi-driver-provider-aws](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.tigera-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [kubectl_file_documents.calico_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_file_documents.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_file_documents.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_file_documents.secrets-store-csi-driver-provider-aws](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_file_documents.tigera-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_path_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/path_documents) | data source |
## Inputs
| Name | Description | Type | Default | Required |
| ---- | ----------- | ---- | ------- | :------: |
| [admiralty](#input\_admiralty) | Customize admiralty chart, see `admiralty.tf` for supported values | `any` | `{}` | no |
| [arn-partition](#input\_arn-partition) | ARN partition | `string` | `""` | no |
| [aws](#input\_aws) | AWS provider customization | `any` | `{}` | no |
| [aws-ebs-csi-driver](#input\_aws-ebs-csi-driver) | Customize aws-ebs-csi-driver helm chart, see `aws-ebs-csi-driver.tf` | `any` | `{}` | no |
| [aws-efs-csi-driver](#input\_aws-efs-csi-driver) | Customize aws-efs-csi-driver helm chart, see `aws-efs-csi-driver.tf` | `any` | `{}` | no |
| [aws-for-fluent-bit](#input\_aws-for-fluent-bit) | Customize aws-for-fluent-bit helm chart, see `aws-fluent-bit.tf` | `any` | `{}` | no |
| [aws-load-balancer-controller](#input\_aws-load-balancer-controller) | Customize aws-load-balancer-controller chart, see `aws-load-balancer-controller.tf` for supported values | `any` | `{}` | no |
| [aws-node-termination-handler](#input\_aws-node-termination-handler) | Customize aws-node-termination-handler chart, see `aws-node-termination-handler.tf` | `any` | `{}` | no |
| [cert-manager](#input\_cert-manager) | Customize cert-manager chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |
| [cert-manager-csi-driver](#input\_cert-manager-csi-driver) | Customize cert-manager-csi-driver chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |
| [cluster-autoscaler](#input\_cluster-autoscaler) | Customize cluster-autoscaler chart, see `cluster-autoscaler.tf` for supported values | `any` | `{}` | no |
| [cluster-name](#input\_cluster-name) | Name of the Kubernetes cluster | `string` | `"sample-cluster"` | no |
| [cni-metrics-helper](#input\_cni-metrics-helper) | Customize cni-metrics-helper deployment, see `cni-metrics-helper.tf` for supported values | `any` | `{}` | no |
| [csi-external-snapshotter](#input\_csi-external-snapshotter) | Customize csi-external-snapshotter, see `csi-external-snapshotter.tf` for supported values | `any` | `{}` | no |
| [eks](#input\_eks) | EKS cluster inputs | `any` | `{}` | no |
| [external-dns](#input\_external-dns) | Map of map for external-dns configuration: see `external_dns.tf` for supported values | `any` | `{}` | no |
| [flux2](#input\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |
| [grafana-mcp](#input\_grafana-mcp) | Customize grafana-mcp chart, see `grafana-mcp.tf` for supported values | `any` | `{}` | no |
| [helm\_defaults](#input\_helm\_defaults) | Customize default Helm behavior | `any` | `{}` | no |
| [ingress-nginx](#input\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |
| [ip-masq-agent](#input\_ip-masq-agent) | Configure ip masq agent chart, see `ip-masq-agent.tf` for supported values. This addon works only on GCP. | `any` | `{}` | no |
| [k8gb](#input\_k8gb) | Customize k8gb chart, see `k8gb.tf` for supported values | `any` | `{}` | no |
| [karma](#input\_karma) | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |
| [karpenter](#input\_karpenter) | Customize karpenter chart, see `karpenter.tf` for supported values | `any` | `{}` | no |
| [keda](#input\_keda) | Customize keda chart, see `keda.tf` for supported values | `any` | `{}` | no |
| [kong](#input\_kong) | Customize kong-ingress chart, see `kong.tf` for supported values | `any` | `{}` | no |
| [kube-prometheus-stack](#input\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |
| [labels\_prefix](#input\_labels\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `"particule.io"` | no |
| [linkerd](#input\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |
| [linkerd-viz](#input\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |
| [linkerd2](#input\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |
| [linkerd2-cni](#input\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |
| [loki-stack](#input\_loki-stack) | Customize loki-stack chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
| [metrics-server](#input\_metrics-server) | Customize metrics-server chart, see `metrics_server.tf` for supported values | `any` | `{}` | no |
| [npd](#input\_npd) | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |
| [priority-class](#input\_priority-class) | Customize a priority class for addons | `any` | `{}` | no |
| [priority-class-ds](#input\_priority-class-ds) | Customize a priority class for addons daemonsets | `any` | `{}` | no |
| [prometheus-adapter](#input\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |
| [prometheus-blackbox-exporter](#input\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
| [prometheus-cloudwatch-exporter](#input\_prometheus-cloudwatch-exporter) | Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values | `any` | `{}` | no |
| [promtail](#input\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
| [reloader](#input\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |
| [s3-logging](#input\_s3-logging) | Logging configuration for bucket created by this module | `any` | `{}` | no |
| [sealed-secrets](#input\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
| [secrets-store-csi-driver](#input\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |
| [secrets-store-csi-driver-provider-aws](#input\_secrets-store-csi-driver-provider-aws) | Enable secrets-store-csi-driver-provider-aws | `any` | `{}` | no |
| [tags](#input\_tags) | Map of tags for AWS resources | `map(any)` | `{}` | no |
| [thanos](#input\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-memcached](#input\_thanos-memcached) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-receive](#input\_thanos-receive) | Customize thanos chart, see `thanos-receive.tf` for supported values | `any` | `{}` | no |
| [thanos-storegateway](#input\_thanos-storegateway) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-tls-querier](#input\_thanos-tls-querier) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-tls-querier-ca-cert](#input\_thanos-tls-querier-ca-cert) | TLS CA certificate, used to generate the client mTLS materials | `string` | `""` | no |
| [thanos-tls-querier-ca-private-key](#input\_thanos-tls-querier-ca-private-key) | TLS CA private key, used to generate the client mTLS materials | `string` | `""` | no |
| [tigera-operator](#input\_tigera-operator) | Customize tigera-operator chart, see `tigera-operator.tf` for supported values | `any` | `{}` | no |
| [traefik](#input\_traefik) | Customize traefik chart, see `traefik.tf` for supported values | `any` | `{}` | no |
| [velero](#input\_velero) | Customize velero chart, see `velero.tf` for supported values | `any` | `{}` | no |
| [victoria-metrics-k8s-stack](#input\_victoria-metrics-k8s-stack) | Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values | `any` | `{}` | no |
| [yet-another-cloudwatch-exporter](#input\_yet-another-cloudwatch-exporter) | Customize yet-another-cloudwatch-exporter chart, see `yet-another-cloudwatch-exporter.tf` for supported values | `any` | `{}` | no |
## Outputs
| Name | Description |
| ---- | ----------- |
| [karpenter\_iam](#output\_karpenter\_iam) | n/a |
| [kube-prometheus-stack](#output\_kube-prometheus-stack) | n/a |
| [kube-prometheus-stack\_sensitive](#output\_kube-prometheus-stack\_sensitive) | n/a |
| [loki-stack-ca](#output\_loki-stack-ca) | n/a |
| [promtail-cert](#output\_promtail-cert) | n/a |
| [promtail-key](#output\_promtail-key) | n/a |
| [thanos\_ca](#output\_thanos\_ca) | n/a |
| [thanos\_ca\_key](#output\_thanos\_ca\_key) | n/a |
================================================
FILE: modules/aws/aws-ebs-csi-driver.tf
================================================
locals {
aws-ebs-csi-driver = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "aws-ebs-csi-driver")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "aws-ebs-csi-driver")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "aws-ebs-csi-driver")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "aws-ebs-csi-driver")].version
namespace = "kube-system"
create_ns = false
service_account_names = {
controller = "ebs-csi-controller-sa"
node = "ebs-csi-node-sa"
}
create_iam_resources_irsa = true
create_storage_class = true
storage_class_name = "ebs-sc"
is_default_class = false
enabled = false
iam_policy_override = null
default_network_policy = true
create_kms_key = true
existing_kms_key_arn = null
override_kms_alias = null
use_kms = false
use_encryption = false
extra_sc_parameters = {}
kms_enable_key_rotation = true
volume_snapshot_class = <<-VOLUME_SNAPSHOT_CLASS
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
name: csi-aws-vsc
labels:
velero.io/csi-volumesnapshot-class: "true"
driver: ebs.csi.aws.com
deletionPolicy: Retain
VOLUME_SNAPSHOT_CLASS
name_prefix = "${var.cluster-name}-aws-ebs-csi-driver"
iam_use_name_prefix = false
},
var.aws-ebs-csi-driver
)
values_aws-ebs-csi-driver = < merge(
local.helm_defaults,
{
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "external-dns")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "external-dns")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "external-dns")].version
name = k
namespace = k
service_account_name = "external-dns"
enabled = false
create_iam_resources_irsa = true
iam_policy_override = null
default_network_policy = true
name_prefix = "${var.cluster-name}"
iam_use_name_prefix = false
},
v,
) }
values_external-dns = { for k, v in local.external-dns : k => merge(
{
values = <<-VALUES
provider: aws
txtPrefix: "ext-dns-"
txtOwnerId: ${var.cluster-name}
logFormat: json
policy: sync
serviceAccount:
name: ${v["service_account_name"]}
annotations:
eks.amazonaws.com/role-arn: "${v["create_iam_resources_irsa"] ? module.iam_assumable_role_external-dns[k].arn : ""}"
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"] || local.victoria-metrics-k8s-stack["enabled"]}
priorityClassName: ${local.priority-class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
VALUES
},
v,
) }
}
module "iam_assumable_role_external-dns" {
for_each = local.external-dns
source = "terraform-aws-modules/iam/aws//modules/iam-role"
version = "~> 6.0"
create = each.value["enabled"] && each.value["create_iam_resources_irsa"]
name = "${each.value.name_prefix}-${each.key}"
use_name_prefix = each.value["iam_use_name_prefix"]
enable_oidc = true
oidc_provider_urls = [replace(var.eks["cluster_oidc_issuer_url"], "https://", "")]
policies = each.value["enabled"] && each.value["create_iam_resources_irsa"] ? { external-dns = aws_iam_policy.external-dns[each.key].arn } : {}
oidc_subjects = ["system:serviceaccount:${each.value["namespace"]}:${each.value["service_account_name"]}"]
tags = local.tags
}
resource "aws_iam_policy" "external-dns" {
for_each = { for k, v in local.external-dns : k => v if v["enabled"] && v["create_iam_resources_irsa"] }
name = "${each.value.name_prefix}-${each.key}"
policy = each.value["iam_policy_override"] == null ? data.aws_iam_policy_document.external-dns.json : each.value["iam_policy_override"]
tags = local.tags
}
data "aws_iam_policy_document" "external-dns" {
statement {
effect = "Allow"
actions = [
"route53:ChangeResourceRecordSets"
]
resources = ["arn:${local.arn-partition}:route53:::hostedzone/*"]
}
statement {
effect = "Allow"
actions = [
"route53:ListHostedZones",
"route53:ListResourceRecordSets"
]
resources = ["*"]
}
}
resource "kubernetes_namespace" "external-dns" {
for_each = { for k, v in local.external-dns : k => v if v["enabled"] }
metadata {
labels = {
name = each.value["namespace"]
}
name = each.value["namespace"]
}
}
resource "helm_release" "external-dns" {
for_each = { for k, v in local.external-dns : k => v if v["enabled"] }
repository = each.value["repository"]
name = each.value["name"]
chart = each.value["chart"]
version = each.value["chart_version"]
timeout = each.value["timeout"]
force_update = each.value["force_update"]
recreate_pods = each.value["recreate_pods"]
wait = each.value["wait"]
atomic = each.value["atomic"]
cleanup_on_fail = each.value["cleanup_on_fail"]
dependency_update = each.value["dependency_update"]
disable_crd_hooks = each.value["disable_crd_hooks"]
disable_webhooks = each.value["disable_webhooks"]
render_subchart_notes = each.value["render_subchart_notes"]
replace = each.value["replace"]
reset_values = each.value["reset_values"]
reuse_values = each.value["reuse_values"]
skip_crds = each.value["skip_crds"]
verify = each.value["verify"]
values = [
local.values_external-dns[each.key]["values"],
each.value["extra_values"]
]
namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name
depends_on = [
kubectl_manifest.prometheus-operator_crds
]
}
resource "kubernetes_network_policy" "external-dns_default_deny" {
for_each = { for k, v in local.external-dns : k => v if v["enabled"] && v["default_network_policy"] }
metadata {
name = "${kubernetes_namespace.external-dns[each.key].metadata.0.name}-default-deny"
namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name
}
spec {
pod_selector {
}
policy_types = ["Ingress"]
}
}
resource "kubernetes_network_policy" "external-dns_allow_namespace" {
for_each = { for k, v in local.external-dns : k => v if v["enabled"] && v["default_network_policy"] }
metadata {
name = "${kubernetes_namespace.external-dns[each.key].metadata.0.name}-allow-namespace"
namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name
}
spec {
pod_selector {
}
ingress {
from {
namespace_selector {
match_labels = {
name = kubernetes_namespace.external-dns[each.key].metadata.0.name
}
}
}
}
policy_types = ["Ingress"]
}
}
resource "kubernetes_network_policy" "external-dns_allow_monitoring" {
for_each = { for k, v in local.external-dns : k => v if v["enabled"] && v["default_network_policy"] }
metadata {
name = "${kubernetes_namespace.external-dns[each.key].metadata.0.name}-allow-monitoring"
namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name
}
spec {
pod_selector {
}
ingress {
ports {
port = "http"
protocol = "TCP"
}
from {
namespace_selector {
match_labels = {
"${local.labels_prefix}/component" = "monitoring"
}
}
}
}
policy_types = ["Ingress"]
}
}
================================================
FILE: modules/aws/iam/aws-ebs-csi-driver.json
================================================
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateSnapshot",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:${arn-partition}:ec2:*:*:volume/*",
"arn:${arn-partition}:ec2:*:*:snapshot/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": [
"CreateVolume",
"CreateSnapshot"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteTags"
],
"Resource": [
"arn:${arn-partition}:ec2:*:*:volume/*",
"arn:${arn-partition}:ec2:*:*:snapshot/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/ebs.csi.aws.com/cluster": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/CSIVolumeName": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeName": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteSnapshot"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeSnapshotName": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteSnapshot"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
}
}
}
]
}
================================================
FILE: modules/aws/iam/aws-ebs-csi-driver_kms.json
================================================
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": [
"${kmsKeyId}"
],
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": [
"${kmsKeyId}"
]
}
]
}
================================================
FILE: modules/aws/iam/aws-efs-csi-driver.json
================================================
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"ec2:DescribeAvailabilityZones"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateAccessPoint"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/efs.csi.aws.com/cluster": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:TagResource"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:ResourceTag/efs.csi.aws.com/cluster": "true"
}
}
},
{
"Effect": "Allow",
"Action": "elasticfilesystem:DeleteAccessPoint",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/efs.csi.aws.com/cluster": "true"
}
}
}
]
}
================================================
FILE: modules/aws/iam/aws-load-balancer-controller.json
================================================
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeVpcs",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeTags",
"ec2:GetCoipPoolUsage",
"ec2:DescribeCoipPools",
"ec2:GetSecurityGroupsForVpc",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTrustStores",
"elasticloadbalancing:DescribeListenerAttributes"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cognito-idp:DescribeUserPoolClient",
"acm:ListCertificates",
"acm:DescribeCertificate",
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"waf-regional:GetWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL",
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:AssociateWebACL",
"wafv2:DisassociateWebACL",
"shield:GetSubscriptionState",
"shield:DescribeProtection",
"shield:CreateProtection",
"shield:DeleteProtection"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:${arn-partition}:ec2:*:*:security-group/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateSecurityGroup"
},
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "arn:${arn-partition}:ec2:*:*:security-group/*",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteRule"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource": [
"arn:${arn-partition}:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:${arn-partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:${arn-partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource": [
"arn:${arn-partition}:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:${arn-partition}:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:${arn-partition}:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
"arn:${arn-partition}:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:DeleteTargetGroup"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags"
],
"Resource": [
"arn:${arn-partition}:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:${arn-partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:${arn-partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
],
"Condition": {
"StringEquals": {
"elasticloadbalancing:CreateAction": [
"CreateTargetGroup",
"CreateLoadBalancer"
]
},
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Resource": "arn:${arn-partition}:elasticloadbalancing:*:*:targetgroup/*/*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:SetWebAcl",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyRule"
],
"Resource": "*"
}
]
}
================================================
FILE: modules/aws/ingress-nginx.tf
================================================
locals {
ingress-nginx = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].version
namespace = "ingress-nginx"
use_nlb = false
use_nlb_ip = false
use_l7 = false
enabled = false
default_network_policy = true
linkerd-viz-enabled = false
linkerd-viz-namespace = "linkerd-viz"
ingress_cidrs = ["0.0.0.0/0"]
allowed_cidrs = ["0.0.0.0/0"]
extra_ns_labels = {}
extra_ns_annotations = {}
},
var.ingress-nginx
)
values_ingress-nginx_l4 = < v.content } : {}
yaml_body = each.value
}
================================================
FILE: modules/aws/templates/cert-manager-cluster-issuers.yaml.tpl
================================================
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: '${acme_email}'
privateKeySecretRef:
name: letsencrypt-staging
solvers:
%{ if acme_dns01_enabled }
- dns01:
route53:
region: '${aws_region}'
%{ if role_arn != "" }
role: '${role_arn}'
%{ endif }
%{ endif }
%{ if acme_http01_enabled }
- http01:
ingress:
class: '${acme_http01_ingress_class}'
%{ if acme_dns01_enabled }
selector:
matchLabels:
"use-http01-solver": "true"
%{ endif }
%{ endif }
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: '${acme_email}'
privateKeySecretRef:
name: letsencrypt
solvers:
%{ if acme_dns01_enabled }
- dns01:
route53:
region: '${aws_region}'
%{ if role_arn != "" }
role: '${role_arn}'
%{ endif }
%{ endif }
%{ if acme_http01_enabled }
- http01:
ingress:
class: '${acme_http01_ingress_class}'
%{ if acme_dns01_enabled }
selector:
matchLabels:
"use-http01-solver": "true"
%{ endif }
%{ endif }
================================================
FILE: modules/aws/templates/cni-metrics-helper.yaml.tpl
================================================
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cni-metrics-helper
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cni-metrics-helper
subjects:
- kind: ServiceAccount
name: cni-metrics-helper
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cni-metrics-helper
rules:
- apiGroups: [""]
resources:
- nodes
- pods
- pods/proxy
- services
- resourcequotas
- replicationcontrollers
- limitranges
- persistentvolumeclaims
- persistentvolumes
- namespaces
- endpoints
verbs: ["list", "watch", "get"]
- apiGroups: ["extensions"]
resources:
- daemonsets
- deployments
- replicasets
verbs: ["list", "watch"]
- apiGroups: ["apps"]
resources:
- statefulsets
verbs: ["list", "watch"]
- apiGroups: ["batch"]
resources:
- cronjobs
- jobs
verbs: ["list", "watch"]
- apiGroups: ["autoscaling"]
resources:
- horizontalpodautoscalers
verbs: ["list", "watch"]
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: cni-metrics-helper
namespace: kube-system
labels:
k8s-app: cni-metrics-helper
spec:
selector:
matchLabels:
k8s-app: cni-metrics-helper
template:
metadata:
labels:
k8s-app: cni-metrics-helper
spec:
serviceAccountName: cni-metrics-helper
containers:
- image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/cni-metrics-helper:${cni-metrics-helper_version}
imagePullPolicy: Always
name: cni-metrics-helper
env:
- name: USE_CLOUDWATCH
value: "true"
priorityClassName: "system-cluster-critical"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cni-metrics-helper
namespace: kube-system
annotations:
eks.amazonaws.com/role-arn: "${cni-metrics-helper_role_arn_irsa}"
================================================
FILE: modules/aws/thanos-memcached.tf
================================================
locals {
thanos-memcached = merge(
local.helm_defaults,
{
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/memcached")].name
repository = ""
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/memcached")].version
name = "thanos-memcached"
namespace = local.thanos["namespace"]
enabled = false
},
var.thanos-memcached
)
values_thanos-memcached = <<-VALUES
architecture: "high-availability"
replicaCount: 2
podAntiAffinityPreset: hard
metrics:
enabled: ${local.kube-prometheus-stack["enabled"]}
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"]}
VALUES
}
resource "helm_release" "thanos-memcached" {
count = local.thanos-memcached["enabled"] ? 1 : 0
repository = local.thanos-memcached["repository"]
name = local.thanos-memcached["name"]
chart = local.thanos-memcached["chart"]
version = local.thanos-memcached["chart_version"]
timeout = local.thanos-memcached["timeout"]
force_update = local.thanos-memcached["force_update"]
recreate_pods = local.thanos-memcached["recreate_pods"]
wait = local.thanos-memcached["wait"]
atomic = local.thanos-memcached["atomic"]
cleanup_on_fail = local.thanos-memcached["cleanup_on_fail"]
dependency_update = local.thanos-memcached["dependency_update"]
disable_crd_hooks = local.thanos-memcached["disable_crd_hooks"]
disable_webhooks = local.thanos-memcached["disable_webhooks"]
render_subchart_notes = local.thanos-memcached["render_subchart_notes"]
replace = local.thanos-memcached["replace"]
reset_values = local.thanos-memcached["reset_values"]
reuse_values = local.thanos-memcached["reuse_values"]
skip_crds = local.thanos-memcached["skip_crds"]
verify = local.thanos-memcached["verify"]
values = compact([
local.values_thanos-memcached,
local.thanos-memcached["extra_values"]
])
namespace = local.thanos-memcached["namespace"]
depends_on = [
helm_release.kube-prometheus-stack,
]
}
================================================
FILE: modules/aws/thanos-storegateway.tf
================================================
locals {
thanos-storegateway = { for k, v in var.thanos-storegateway : k => merge(
local.helm_defaults,
{
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].version
name = "${local.thanos["name"]}-storegateway-${k}"
create_iam_resources_irsa = true
iam_policy_override = null
enabled = false
default_global_requests = false
default_global_limits = false
bucket = null
region = null
name_prefix = "${var.cluster-name}-thanos-sg"
iam_use_name_prefix = false
},
v,
) }
values_thanos-storegateway = { for k, v in local.thanos-storegateway : k => merge(
{
values = <<-VALUES
global:
security:
allowInsecureImages: true
image:
registry: quay.io
repository: thanos/thanos
tag: v0.37.2
objstoreConfig:
type: S3
config:
bucket: ${v["bucket"]}
region: ${v["region"] == null ? data.aws_region.current.region : v["region"]}
endpoint: s3.${v["region"] == null ? data.aws_region.current.region : v["region"]}.amazonaws.com
sse_config:
type: "SSE-S3"
metrics:
enabled: true
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"] ? "true" : "false"}
query:
enabled: false
queryFrontend:
enabled: false
compactor:
enabled: false
storegateway:
replicaCount: 2
extraFlags:
- --ignore-deletion-marks-delay=24h
enabled: true
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: "${v["enabled"] && v["create_iam_resources_irsa"] ? module.iam_assumable_role_thanos-storegateway[k].arn : ""}"
pdb:
create: true
minAvailable: 1
VALUES
},
v,
) }
}
module "iam_assumable_role_thanos-storegateway" {
for_each = local.thanos-storegateway
source = "terraform-aws-modules/iam/aws//modules/iam-role"
version = "~> 6.0"
create = each.value["enabled"] && each.value["create_iam_resources_irsa"]
name = "${each.value.name_prefix}-${each.key}"
use_name_prefix = each.value["iam_use_name_prefix"]
enable_oidc = true
oidc_provider_urls = [replace(var.eks["cluster_oidc_issuer_url"], "https://", "")]
policies = each.value["enabled"] && each.value["create_iam_resources_irsa"] ? { thanos-storegateway = aws_iam_policy.thanos-storegateway[each.key].arn } : {}
oidc_wildcard_subjects = ["system:serviceaccount:${local.thanos["namespace"]}:${each.value["name"]}-storegateway"]
tags = local.tags
}
resource "aws_iam_policy" "thanos-storegateway" {
for_each = { for k, v in local.thanos-storegateway : k => v if v["enabled"] && v["create_iam_resources_irsa"] }
name = "${each.value.name_prefix}-${each.key}"
policy = each.value["iam_policy_override"] == null ? data.aws_iam_policy_document.thanos-storegateway[each.key].json : each.value["iam_policy_override"]
tags = local.tags
}
data "aws_iam_policy_document" "thanos-storegateway" {
for_each = { for k, v in local.thanos-storegateway : k => v if v["enabled"] && v["create_iam_resources_irsa"] }
statement {
effect = "Allow"
actions = [
"s3:ListBucket"
]
resources = ["arn:${local.arn-partition}:s3:::${each.value["bucket"]}"]
}
statement {
effect = "Allow"
actions = [
"s3:*Object"
]
resources = ["arn:${local.arn-partition}:s3:::${each.value["bucket"]}/*"]
}
}
resource "helm_release" "thanos-storegateway" {
for_each = { for k, v in local.thanos-storegateway : k => v if v["enabled"] }
repository = each.value["repository"]
name = each.value["name"]
chart = each.value["chart"]
version = each.value["chart_version"]
timeout = each.value["timeout"]
force_update = each.value["force_update"]
recreate_pods = each.value["recreate_pods"]
wait = each.value["wait"]
atomic = each.value["atomic"]
cleanup_on_fail = each.value["cleanup_on_fail"]
dependency_update = each.value["dependency_update"]
disable_crd_hooks = each.value["disable_crd_hooks"]
disable_webhooks = each.value["disable_webhooks"]
render_subchart_notes = each.value["render_subchart_notes"]
replace = each.value["replace"]
reset_values = each.value["reset_values"]
reuse_values = each.value["reuse_values"]
skip_crds = each.value["skip_crds"]
verify = each.value["verify"]
values = compact([
local.values_thanos-storegateway[each.key]["values"],
each.value["default_global_requests"] ? local.values_thanos_global_requests : null,
each.value["default_global_limits"] ? local.values_thanos_global_limits : null,
each.value["extra_values"]
])
namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos["namespace"]
depends_on = [
helm_release.kube-prometheus-stack,
]
}
================================================
FILE: modules/aws/thanos-tls-querier.tf
================================================
locals {
thanos-ca-key = local.thanos["generate_ca"] ? (var.thanos-tls-querier-ca-private-key != "" ? var.thanos-tls-querier-ca-private-key : tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem) : ""
thanos-ca-cert = local.thanos["generate_ca"] ? (var.thanos-tls-querier-ca-cert != "" ? var.thanos-tls-querier-ca-cert : tls_self_signed_cert.thanos-tls-querier-ca-cert[0].cert_pem) : ""
thanos-tls-querier = { for k, v in var.thanos-tls-querier : k => merge(
local.helm_defaults,
{
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].version
name = "${local.thanos["name"]}-tls-querier-${k}"
enabled = false
generate_cert = local.thanos["generate_ca"]
client_server_name = ""
## This default to Let's encrypt X1 root CA
grpc_client_tls_ca_pem = <<-EOV
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
EOV
stores = []
default_global_requests = false
default_global_limits = false
},
v,
) }
values_thanos-tls-querier = { for k, v in local.thanos-tls-querier : k => merge(
{
values = <<-VALUES
global:
security:
allowInsecureImages: true
image:
registry: quay.io
repository: thanos/thanos
tag: v0.37.2
metrics:
enabled: true
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"] ? "true" : "false"}
query:
replicaCount: 2
extraFlags:
- --query.timeout=5m
- --query.lookback-delta=15m
- --query.replica-label=rule_replica
enabled: true
dnsDiscovery:
enabled: false
pdb:
create: true
minAvailable: 1
grpc:
client:
servername: ${v["client_server_name"]}
tls:
enabled: ${v["generate_cert"]}
key: |
${indent(10, v["generate_cert"] ? tls_private_key.thanos-tls-querier-cert-key[k].private_key_pem : "")}
cert: |
${indent(10, v["generate_cert"] ? tls_locally_signed_cert.thanos-tls-querier-cert[k].cert_pem : "")}
ca: |
${indent(10, v["generate_cert"] ? v["grpc_client_tls_ca_pem"] : "")}
stores: ${jsonencode(v["stores"])}
queryFrontend:
enabled: false
compactor:
enabled: false
storegateway:
enabled: false
VALUES
},
v,
) }
}
resource "helm_release" "thanos-tls-querier" {
for_each = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] }
repository = each.value["repository"]
name = each.value["name"]
chart = each.value["chart"]
version = each.value["chart_version"]
timeout = each.value["timeout"]
force_update = each.value["force_update"]
recreate_pods = each.value["recreate_pods"]
wait = each.value["wait"]
atomic = each.value["atomic"]
cleanup_on_fail = each.value["cleanup_on_fail"]
dependency_update = each.value["dependency_update"]
disable_crd_hooks = each.value["disable_crd_hooks"]
disable_webhooks = each.value["disable_webhooks"]
render_subchart_notes = each.value["render_subchart_notes"]
replace = each.value["replace"]
reset_values = each.value["reset_values"]
reuse_values = each.value["reuse_values"]
skip_crds = each.value["skip_crds"]
verify = each.value["verify"]
values = compact([
local.values_thanos-tls-querier[each.key]["values"],
each.value["default_global_requests"] ? local.values_thanos_global_requests : null,
each.value["default_global_limits"] ? local.values_thanos_global_limits : null,
each.value["extra_values"]
])
namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos["namespace"]
depends_on = [
helm_release.kube-prometheus-stack,
]
}
resource "tls_private_key" "thanos-tls-querier-cert-key" {
for_each = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] && v["generate_cert"] }
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_cert_request" "thanos-tls-querier-cert-csr" {
for_each = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] && v["generate_cert"] }
private_key_pem = tls_private_key.thanos-tls-querier-cert-key[each.key].private_key_pem
subject {
common_name = each.key
}
dns_names = [
each.key
]
}
resource "tls_locally_signed_cert" "thanos-tls-querier-cert" {
for_each = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] && v["generate_cert"] }
cert_request_pem = tls_cert_request.thanos-tls-querier-cert-csr[each.key].cert_request_pem
ca_private_key_pem = local.thanos-ca-key
ca_cert_pem = local.thanos-ca-cert
validity_period_hours = 8760
early_renewal_hours = 720
allowed_uses = [
"key_encipherment",
"digital_signature",
"client_auth"
]
}
================================================
FILE: modules/aws/thanos.tf
================================================
locals {
thanos = merge(
local.helm_defaults,
{
name = "thanos"
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].name
repository = ""
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].version
namespace = "monitoring"
create_iam_resources_irsa = true
iam_policy_override = null
create_ns = false
enabled = false
default_network_policy = true
default_global_requests = false
default_global_limits = false
create_bucket = false
bucket = "thanos-store-${var.cluster-name}"
bucket_force_destroy = false
bucket_enforce_tls = false
generate_ca = false
trusted_ca_content = null
name_prefix = "${var.cluster-name}-thanos"
iam_use_name_prefix = false
},
var.thanos
)
values_thanos = <<-VALUES
global:
security:
allowInsecureImages: true
image:
registry: quay.io
repository: thanos/thanos
tag: v0.37.2
receive:
enabled: false
pdb:
create: true
minAvailable: 1
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: "${local.thanos["enabled"] && local.thanos["create_iam_resources_irsa"] ? module.iam_assumable_role_thanos.arn : ""}"
metrics:
enabled: true
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"] ? "true" : "false"}
query:
extraFlags:
- --query.timeout=5m
- --query.lookback-delta=15m
- --query.replica-label=rule_replica
replicaCount: 2
replicaLabel:
- prometheus_replica
enabled: true
dnsDiscovery:
enabled: true
sidecarsService: ${local.kube-prometheus-stack["name"]}-thanos-discovery
sidecarsNamespace: "${local.kube-prometheus-stack["namespace"]}"
pdb:
create: true
minAvailable: 1
stores: ${jsonencode(concat([for k, v in local.thanos-tls-querier : "dnssrv+_grpc._tcp.${v["name"]}-query-grpc.${local.thanos["namespace"]}.svc.cluster.local"], [for k, v in local.thanos-storegateway : "dnssrv+_grpc._tcp.${v["name"]}-storegateway.${local.thanos["namespace"]}.svc.cluster.local"]))}
queryFrontend:
extraFlags:
- --query-frontend.compress-responses
- --query-range.split-interval=12h
- --labels.split-interval=12h
- --query-range.max-retries-per-request=10
- --labels.max-retries-per-request=10
- --query-frontend.log-queries-longer-than=10s
replicaCount: 2
enabled: true
pdb:
create: true
minAvailable: 1
compactor:
extraFlags:
- --deduplication.replica-label=prometheus_replica
- --deduplication.replica-label=rule_replica
strategyType: Recreate
enabled: true
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: "${local.thanos["enabled"] && local.thanos["create_iam_resources_irsa"] ? module.iam_assumable_role_thanos.arn : ""}"
storegateway:
extraFlags:
- --ignore-deletion-marks-delay=24h
replicaCount: 2
enabled: true
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: "${local.thanos["enabled"] && local.thanos["create_iam_resources_irsa"] ? module.iam_assumable_role_thanos.arn : ""}"
pdb:
create: true
minAvailable: 1
VALUES
values_thanos_caching = <<-VALUES
queryFrontend:
extraFlags:
- --query-frontend.compress-responses
- --query-range.split-interval=12h
- --labels.split-interval=12h
- --query-range.max-retries-per-request=10
- --labels.max-retries-per-request=10
- --query-frontend.log-queries-longer-than=10s
- |-
--query-range.response-cache-config="config":
"addresses":
- "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
"dns_provider_update_interval": "10s"
"max_async_buffer_size": 10000
"max_async_concurrency": 20
"max_get_multi_batch_size": 0
"max_get_multi_concurrency": 100
"max_idle_connections": 100
"timeout": "500ms"
"type": "memcached"
- |-
--labels.response-cache-config="config":
"addresses":
- "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
"dns_provider_update_interval": "10s"
"max_async_buffer_size": 10000
"max_async_concurrency": 20
"max_get_multi_batch_size": 0
"max_get_multi_concurrency": 100
"max_idle_connections": 100
"timeout": "500ms"
"type": "memcached"
storegateway:
extraFlags:
- --ignore-deletion-marks-delay=24h
- |-
--index-cache.config="config":
"addresses":
- "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
"dns_provider_update_interval": "10s"
"max_async_buffer_size": 10000
"max_async_concurrency": 20
"max_get_multi_batch_size": 0
"max_get_multi_concurrency": 100
"max_idle_connections": 100
"max_item_size": "1MiB"
"timeout": "500ms"
"type": "memcached"
- |-
--store.caching-bucket.config="blocks_iter_ttl": "5m"
"chunk_object_attrs_ttl": "24h"
"chunk_subrange_size": 16000
"chunk_subrange_ttl": "24h"
"config":
"addresses":
- "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
"dns_provider_update_interval": "10s"
"max_async_buffer_size": 10000
"max_async_concurrency": 20
"max_get_multi_batch_size": 0
"max_get_multi_concurrency": 100
"max_idle_connections": 100
"max_item_size": "1MiB"
"timeout": "500ms"
"max_chunks_get_range_requests": 3
"metafile_content_ttl": "24h"
"metafile_doesnt_exist_ttl": "15m"
"metafile_exists_ttl": "2h"
"metafile_max_size": "1MiB"
"type": "memcached"
VALUES
values_store_config = <<-VALUES
objstoreConfig:
type: S3
config:
bucket: ${local.thanos["bucket"]}
region: ${data.aws_region.current.region}
endpoint: s3.${data.aws_region.current.region}.amazonaws.com
sse_config:
type: "SSE-S3"
VALUES
values_thanos_global_requests = <<-VALUES
query:
resources:
requests:
cpu: 25m
memory: 32Mi
queryFrontend:
resources:
requests:
cpu: 25m
memory: 32Mi
compactor:
resources:
requests:
cpu: 50m
memory: 258Mi
storegateway:
resources:
requests:
cpu: 25m
memory: 64Mi
VALUES
values_thanos_global_limits = <<-VALUES
query:
resources:
limits:
memory: 128Mi
queryFrontend:
resources:
limits:
memory: 64Mi
compactor:
resources:
limits:
memory: 2Gi
storegateway:
resources:
limits:
memory: 1Gi
VALUES
}
module "iam_assumable_role_thanos" {
source = "terraform-aws-modules/iam/aws//modules/iam-role"
version = "~> 6.0"
create = local.thanos["enabled"] && local.thanos["create_iam_resources_irsa"]
name = local.thanos["name_prefix"]
use_name_prefix = local.thanos["iam_use_name_prefix"]
enable_oidc = true
oidc_provider_urls = [replace(var.eks["cluster_oidc_issuer_url"], "https://", "")]
policies = local.thanos["enabled"] && local.thanos["create_iam_resources_irsa"] ? { thanos = aws_iam_policy.thanos[0].arn } : {}
oidc_wildcard_subjects = ["system:serviceaccount:${local.thanos["namespace"]}:${local.thanos["name"]}-*"]
tags = local.tags
}
resource "aws_iam_policy" "thanos" {
count = local.thanos["enabled"] && local.thanos["create_iam_resources_irsa"] ? 1 : 0
name = local.thanos["name_prefix"]
policy = local.thanos["iam_policy_override"] == null ? data.aws_iam_policy_document.thanos.json : local.thanos["iam_policy_override"]
tags = local.tags
}
data "aws_iam_policy_document" "thanos" {
statement {
effect = "Allow"
actions = [
"s3:ListBucket"
]
resources = ["arn:${local.arn-partition}:s3:::${local.thanos["bucket"]}"]
}
statement {
effect = "Allow"
actions = [
"s3:*Object"
]
resources = ["arn:${local.arn-partition}:s3:::${local.thanos["bucket"]}/*"]
}
}
module "thanos_bucket" {
create_bucket = local.thanos["enabled"] && local.thanos["create_bucket"]
source = "terraform-aws-modules/s3-bucket/aws"
version = "~> 5.0"
control_object_ownership = true
object_ownership = "ObjectWriter"
force_destroy = local.thanos["bucket_force_destroy"]
bucket = local.thanos["bucket"]
acl = "private"
versioning = {
status = true
}
server_side_encryption_configuration = {
rule = {
apply_server_side_encryption_by_default = {
sse_algorithm = "AES256"
}
}
}
logging = local.s3-logging.enabled ? {
target_bucket = local.s3-logging.create_bucket ? module.s3_logging_bucket.s3_bucket_id : local.s3-logging.custom_bucket_id
target_prefix = "${var.cluster-name}/${local.thanos.name}/"
} : {}
attach_deny_insecure_transport_policy = local.thanos["bucket_enforce_tls"]
tags = local.tags
}
resource "kubernetes_namespace" "thanos" {
count = local.thanos["enabled"] && local.thanos["create_ns"] ? 1 : 0
metadata {
labels = {
name = local.thanos["namespace"]
"${local.labels_prefix}/component" = "monitoring"
}
name = local.thanos["namespace"]
}
}
resource "helm_release" "thanos" {
count = local.thanos["enabled"] ? 1 : 0
repository = local.thanos["repository"]
name = local.thanos["name"]
chart = local.thanos["chart"]
version = local.thanos["chart_version"]
timeout = local.thanos["timeout"]
force_update = local.thanos["force_update"]
recreate_pods = local.thanos["recreate_pods"]
wait = local.thanos["wait"]
atomic = local.thanos["atomic"]
cleanup_on_fail = local.thanos["cleanup_on_fail"]
dependency_update = local.thanos["dependency_update"]
disable_crd_hooks = local.thanos["disable_crd_hooks"]
disable_webhooks = local.thanos["disable_webhooks"]
render_subchart_notes = local.thanos["render_subchart_notes"]
replace = local.thanos["replace"]
reset_values = local.thanos["reset_values"]
reuse_values = local.thanos["reuse_values"]
skip_crds = local.thanos["skip_crds"]
verify = local.thanos["verify"]
values = compact([
local.values_thanos,
local.values_store_config,
local.thanos["default_global_requests"] ? local.values_thanos_global_requests : null,
local.thanos["default_global_limits"] ? local.values_thanos_global_limits : null,
local.thanos-memcached["enabled"] ? local.values_thanos_caching : null,
local.thanos["extra_values"]
])
namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos["namespace"]
depends_on = [
helm_release.kube-prometheus-stack,
helm_release.thanos-memcached
]
}
resource "tls_private_key" "thanos-tls-querier-ca-key" {
count = local.thanos["generate_ca"] ? 1 : 0
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_self_signed_cert" "thanos-tls-querier-ca-cert" {
count = local.thanos["generate_ca"] ? 1 : 0
private_key_pem = tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem
is_ca_certificate = true
subject {
common_name = var.cluster-name
organization = var.cluster-name
}
validity_period_hours = 87600
early_renewal_hours = 720
allowed_uses = [
"cert_signing"
]
}
resource "kubernetes_secret" "thanos-ca" {
count = local.thanos["enabled"] && (local.thanos["generate_ca"] || local.thanos["trusted_ca_content"] != null) ? 1 : 0
metadata {
name = "${local.thanos["name"]}-ca"
namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos["namespace"]
}
data = {
"ca.crt" = local.thanos["generate_ca"] ? tls_self_signed_cert.thanos-tls-querier-ca-cert[count.index].cert_pem : local.thanos["trusted_ca_content"]
}
}
output "thanos_ca" {
value = element(concat(tls_self_signed_cert.thanos-tls-querier-ca-cert[*].cert_pem, [""]), 0)
}
output "thanos_ca_key" {
value = element(concat(tls_private_key.thanos-tls-querier-ca-key[*].private_key_pem, [""]), 0)
sensitive = true
}
================================================
FILE: modules/aws/tigera-operator.tf
================================================
locals {
tigera-operator = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "tigera-operator")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "tigera-operator")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "tigera-operator")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "tigera-operator")].version
namespace = "tigera-operator"
create_ns = true
manage_crds = true
enabled = false
default_network_policy = true
},
var.tigera-operator
)
tigera-operator_crds = "https://raw.githubusercontent.com/projectcalico/calico/${local.tigera-operator.chart_version}/manifests/operator-crds.yaml"
calico_crds = "https://raw.githubusercontent.com/projectcalico/calico/${local.tigera-operator.chart_version}/manifests/crds.yaml"
tigera-operator_crds_apply = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? [for v in data.kubectl_file_documents.tigera-operator_crds.0.documents : {
data : yamldecode(v)
content : v
}
] : null
calico_crds_apply = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? [for v in data.kubectl_file_documents.tigera-operator_crds.0.documents : {
data : yamldecode(v)
content : v
}
] : null
values_tigera-operator = <<-VALUES
installation:
kubernetesProvider: EKS
VALUES
}
data "http" "tigera-operator_crds" {
count = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0
url = local.tigera-operator_crds
}
data "http" "calico_crds" {
count = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0
url = local.calico_crds
}
data "kubectl_file_documents" "tigera-operator_crds" {
count = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0
content = data.http.tigera-operator_crds[0].response_body
}
data "kubectl_file_documents" "calico_crds" {
count = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0
content = data.http.calico_crds[0].response_body
}
resource "kubectl_manifest" "tigera-operator_crds" {
for_each = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? { for v in local.tigera-operator_crds_apply : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content } : {}
yaml_body = each.value
server_side_apply = true
force_conflicts = true
}
resource "kubectl_manifest" "calico_crds" {
for_each = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? { for v in local.calico_crds_apply : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content } : {}
yaml_body = each.value
server_side_apply = true
force_conflicts = true
}
resource "kubernetes_namespace" "tigera-operator" {
count = local.tigera-operator["enabled"] && local.tigera-operator["create_ns"] ? 1 : 0
metadata {
labels = {
name = local.tigera-operator["namespace"]
"${local.labels_prefix}/component" = "tigera-operator"
}
name = local.tigera-operator["namespace"]
}
}
resource "helm_release" "tigera-operator" {
count = local.tigera-operator["enabled"] ? 1 : 0
repository = local.tigera-operator["repository"]
name = local.tigera-operator["name"]
chart = local.tigera-operator["chart"]
version = local.tigera-operator["chart_version"]
timeout = local.tigera-operator["timeout"]
force_update = local.tigera-operator["force_update"]
recreate_pods = local.tigera-operator["recreate_pods"]
wait = local.tigera-operator["wait"]
atomic = local.tigera-operator["atomic"]
cleanup_on_fail = local.tigera-operator["cleanup_on_fail"]
dependency_update = local.tigera-operator["dependency_update"]
disable_crd_hooks = local.tigera-operator["disable_crd_hooks"]
disable_webhooks = local.tigera-operator["disable_webhooks"]
render_subchart_notes = local.tigera-operator["render_subchart_notes"]
replace = local.tigera-operator["replace"]
reset_values = local.tigera-operator["reset_values"]
reuse_values = local.tigera-operator["reuse_values"]
skip_crds = local.tigera-operator["skip_crds"]
verify = local.tigera-operator["verify"]
values = [
local.values_tigera-operator,
local.tigera-operator["extra_values"]
]
namespace = local.tigera-operator["create_ns"] ? kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index] : local.tigera-operator["namespace"]
depends_on = [
kubectl_manifest.prometheus-operator_crds
]
}
resource "kubernetes_network_policy" "tigera-operator_default_deny" {
count = local.tigera-operator["create_ns"] && local.tigera-operator["enabled"] && local.tigera-operator["default_network_policy"] ? 1 : 0
metadata {
name = "${kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]}-default-deny"
namespace = kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]
}
spec {
pod_selector {
}
policy_types = ["Ingress"]
}
}
resource "kubernetes_network_policy" "tigera-operator_allow_namespace" {
count = local.tigera-operator["create_ns"] && local.tigera-operator["enabled"] && local.tigera-operator["default_network_policy"] ? 1 : 0
metadata {
name = "${kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]}-allow-namespace"
namespace = kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]
}
spec {
pod_selector {
}
ingress {
from {
namespace_selector {
match_labels = {
name = kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]
}
}
}
}
policy_types = ["Ingress"]
}
}
================================================
FILE: modules/aws/variables-aws.tf
================================================
variable "arn-partition" {
description = "ARN partition"
default = ""
type = string
}
variable "aws" {
description = "AWS provider customization"
type = any
default = {}
}
variable "aws-ebs-csi-driver" {
description = "Customize aws-ebs-csi-driver helm chart, see `aws-ebs-csi-driver.tf`"
type = any
default = {}
}
variable "aws-efs-csi-driver" {
description = "Customize aws-efs-csi-driver helm chart, see `aws-efs-csi-driver.tf`"
type = any
default = {}
}
variable "aws-for-fluent-bit" {
description = "Customize aws-for-fluent-bit helm chart, see `aws-fluent-bit.tf`"
type = any
default = {}
}
variable "aws-load-balancer-controller" {
description = "Customize aws-load-balancer-controller chart, see `aws-load-balancer-controller.tf` for supported values"
type = any
default = {}
}
variable "aws-node-termination-handler" {
description = "Customize aws-node-termination-handler chart, see `aws-node-termination-handler.tf`"
type = any
default = {}
}
variable "cni-metrics-helper" {
description = "Customize cni-metrics-helper deployment, see `cni-metrics-helper.tf` for supported values"
type = any
default = {}
}
variable "eks" {
description = "EKS cluster inputs"
type = any
default = {}
}
variable "karpenter" {
description = "Customize karpenter chart, see `karpenter.tf` for supported values"
type = any
default = {}
}
variable "prometheus-cloudwatch-exporter" {
description = "Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values"
type = any
default = {}
}
variable "s3-logging" {
description = "Logging configuration for bucket created by this module"
type = any
default = {}
}
variable "secrets-store-csi-driver-provider-aws" {
description = "Enable secrets-store-csi-driver-provider-aws"
type = any
default = {}
}
variable "tags" {
description = "Map of tags for AWS resources"
type = map(any)
default = {}
}
variable "yet-another-cloudwatch-exporter" {
description = "Customize yet-another-cloudwatch-exporter chart, see `yet-another-cloudwatch-exporter.tf` for supported values"
type = any
default = {}
}
================================================
FILE: modules/aws/velero.tf
================================================
locals {
velero = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].version
namespace = "velero"
service_account_name = "velero"
enabled = false
create_iam_resources_irsa = true
iam_policy_override = null
create_bucket = true
bucket = "${var.cluster-name}-velero"
bucket_force_destroy = false
bucket_enforce_tls = false
allowed_cidrs = ["0.0.0.0/0"]
default_network_policy = true
kms_key_arn_access_list = []
name_prefix = "${var.cluster-name}-velero"
iam_use_name_prefix = false
},
var.velero
)
values_velero = <
## Requirements
| Name | Version |
| ---- | ------- |
| [terraform](#requirement\_terraform) | >= 1.5.7 |
| [azurerm](#requirement\_azurerm) | ~> 4.0 |
| [flux](#requirement\_flux) | ~> 1.0 |
| [github](#requirement\_github) | ~> 6.0 |
| [helm](#requirement\_helm) | ~> 3.0 |
| [http](#requirement\_http) | >= 3 |
| [kubectl](#requirement\_kubectl) | ~> 2.0 |
| [kubernetes](#requirement\_kubernetes) | ~> 2.0, != 2.12 |
| [tls](#requirement\_tls) | ~> 4.0 |
## Providers
| Name | Version |
| ---- | ------- |
| [flux](#provider\_flux) | ~> 1.0 |
| [github](#provider\_github) | ~> 6.0 |
| [helm](#provider\_helm) | ~> 3.0 |
| [http](#provider\_http) | >= 3 |
| [kubectl](#provider\_kubectl) | ~> 2.0 |
| [kubernetes](#provider\_kubernetes) | ~> 2.0, != 2.12 |
| [random](#provider\_random) | n/a |
| [time](#provider\_time) | n/a |
| [tls](#provider\_tls) | ~> 4.0 |
## Modules
No modules.
## Resources
| Name | Type |
| ---- | ---- |
| [flux_bootstrap_git.flux](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/resources/bootstrap_git) | resource |
| [github_branch_default.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |
| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
| [github_repository_deploy_key.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |
| [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.grafana-mcp](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.ingress-nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.k8gb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.karma](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.kong](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.node-problem-detector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.tigera-operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubectl_manifest.calico_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.linkerd](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.tigera-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
| [kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.flux2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.grafana-mcp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.ingress-nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.k8gb](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.karma](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.kong](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.node-problem-detector](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.tigera-operator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.flux2_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.flux2_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.grafana-mcp_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.grafana-mcp_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.k8gb_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.k8gb_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.keda_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.keda_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd2-cni_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.npd_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.npd_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-adapter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-adapter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-blackbox-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-blackbox-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.secrets-store-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.tigera-operator_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.tigera-operator_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_priority_class.kubernetes_addons](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
| [kubernetes_priority_class.kubernetes_addons_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
| [kubernetes_secret.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.loki-stack-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [random_string.grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [time_sleep.cert-manager_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [tls_cert_request.promtail-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
| [tls_locally_signed_cert.promtail-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |
| [tls_private_key.identity](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.loki-stack-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.promtail-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_self_signed_cert.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.loki-stack-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
| [http_http.calico_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.csi-external-snapshotter](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.kong_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.tigera-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [kubectl_file_documents.calico_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_file_documents.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_file_documents.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_file_documents.tigera-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_path_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/path_documents) | data source |
## Inputs
| Name | Description | Type | Default | Required |
| ---- | ----------- | ---- | ------- | :------: |
| [admiralty](#input\_admiralty) | Customize admiralty chart, see `admiralty.tf` for supported values | `any` | `{}` | no |
| [cert-manager](#input\_cert-manager) | Customize cert-manager chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |
| [cert-manager-csi-driver](#input\_cert-manager-csi-driver) | Customize cert-manager-csi-driver chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |
| [cluster-autoscaler](#input\_cluster-autoscaler) | Customize cluster-autoscaler chart, see `cluster-autoscaler.tf` for supported values | `any` | `{}` | no |
| [cluster-name](#input\_cluster-name) | Name of the Kubernetes cluster | `string` | `"sample-cluster"` | no |
| [csi-external-snapshotter](#input\_csi-external-snapshotter) | Customize csi-external-snapshotter, see `csi-external-snapshotter.tf` for supported values | `any` | `{}` | no |
| [external-dns](#input\_external-dns) | Map of map for external-dns configuration: see `external_dns.tf` for supported values | `any` | `{}` | no |
| [flux2](#input\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |
| [grafana-mcp](#input\_grafana-mcp) | Customize grafana-mcp chart, see `grafana-mcp.tf` for supported values | `any` | `{}` | no |
| [helm\_defaults](#input\_helm\_defaults) | Customize default Helm behavior | `any` | `{}` | no |
| [ingress-nginx](#input\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |
| [ip-masq-agent](#input\_ip-masq-agent) | Configure ip masq agent chart, see `ip-masq-agent.tf` for supported values. This addon works only on GCP. | `any` | `{}` | no |
| [k8gb](#input\_k8gb) | Customize k8gb chart, see `k8gb.tf` for supported values | `any` | `{}` | no |
| [karma](#input\_karma) | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |
| [keda](#input\_keda) | Customize keda chart, see `keda.tf` for supported values | `any` | `{}` | no |
| [kong](#input\_kong) | Customize kong-ingress chart, see `kong.tf` for supported values | `any` | `{}` | no |
| [kube-prometheus-stack](#input\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |
| [labels\_prefix](#input\_labels\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `"particule.io"` | no |
| [linkerd](#input\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |
| [linkerd-viz](#input\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |
| [linkerd2](#input\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |
| [linkerd2-cni](#input\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |
| [loki-stack](#input\_loki-stack) | Customize loki-stack chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
| [metrics-server](#input\_metrics-server) | Customize metrics-server chart, see `metrics_server.tf` for supported values | `any` | `{}` | no |
| [npd](#input\_npd) | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |
| [priority-class](#input\_priority-class) | Customize a priority class for addons | `any` | `{}` | no |
| [priority-class-ds](#input\_priority-class-ds) | Customize a priority class for addons daemonsets | `any` | `{}` | no |
| [prometheus-adapter](#input\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |
| [prometheus-blackbox-exporter](#input\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
| [promtail](#input\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
| [reloader](#input\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |
| [sealed-secrets](#input\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
| [secrets-store-csi-driver](#input\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |
| [thanos](#input\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-memcached](#input\_thanos-memcached) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-receive](#input\_thanos-receive) | Customize thanos chart, see `thanos-receive.tf` for supported values | `any` | `{}` | no |
| [thanos-storegateway](#input\_thanos-storegateway) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-tls-querier](#input\_thanos-tls-querier) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-tls-querier-ca-cert](#input\_thanos-tls-querier-ca-cert) | TLS CA certificate, used to generate the client mTLS materials | `string` | `""` | no |
| [thanos-tls-querier-ca-private-key](#input\_thanos-tls-querier-ca-private-key) | TLS CA private key, used to generate the client mTLS materials | `string` | `""` | no |
| [tigera-operator](#input\_tigera-operator) | Customize tigera-operator chart, see `tigera-operator.tf` for supported values | `any` | `{}` | no |
| [traefik](#input\_traefik) | Customize traefik chart, see `traefik.tf` for supported values | `any` | `{}` | no |
| [velero](#input\_velero) | Customize velero chart, see `velero.tf` for supported values | `any` | `{}` | no |
| [victoria-metrics-k8s-stack](#input\_victoria-metrics-k8s-stack) | Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values | `any` | `{}` | no |
## Outputs
| Name | Description |
| ---- | ----------- |
| [grafana\_password](#output\_grafana\_password) | n/a |
| [loki-stack-ca](#output\_loki-stack-ca) | n/a |
| [loki-stack-ca-key](#output\_loki-stack-ca-key) | n/a |
| [promtail-cert](#output\_promtail-cert) | n/a |
| [promtail-key](#output\_promtail-key) | n/a |
================================================
FILE: modules/azure/ingress-nginx.tf
================================================
locals {
ingress-nginx = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].version
namespace = "ingress-nginx"
},
var.ingress-nginx
)
}
resource "kubernetes_namespace" "ingress-nginx" {
count = local.ingress-nginx["enabled"] ? 1 : 0
metadata {
labels = {
name = local.ingress-nginx["namespace"]
"${local.labels_prefix}/component" = "ingress"
}
name = "nginx-ingress"
}
}
resource "helm_release" "ingress-nginx" {
count = local.ingress-nginx["enabled"] ? 1 : 0
repository = local.ingress-nginx["repository"]
name = local.ingress-nginx["name"]
chart = local.ingress-nginx["chart"]
version = local.ingress-nginx["chart_version"]
timeout = local.ingress-nginx["timeout"]
force_update = local.ingress-nginx["force_update"]
recreate_pods = local.ingress-nginx["recreate_pods"]
wait = local.ingress-nginx["wait"]
atomic = local.ingress-nginx["atomic"]
cleanup_on_fail = local.ingress-nginx["cleanup_on_fail"]
dependency_update = local.ingress-nginx["dependency_update"]
disable_crd_hooks = local.ingress-nginx["disable_crd_hooks"]
disable_webhooks = local.ingress-nginx["disable_webhooks"]
render_subchart_notes = local.ingress-nginx["render_subchart_notes"]
replace = local.ingress-nginx["replace"]
reset_values = local.ingress-nginx["reset_values"]
reuse_values = local.ingress-nginx["reuse_values"]
skip_crds = local.ingress-nginx["skip_crds"]
verify = local.ingress-nginx["verify"]
values = [
local.ingress-nginx["extra_values"],
]
namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
#The ingress controller needs to be scheduled on a Linux node. Windows Server nodes shouldn't run the ingress controller
set = [{
name = "defaultBackend.nodeSelector.kubernetes\\.io/os"
value = "linux"
}]
}
================================================
FILE: modules/azure/version.tf
================================================
terraform {
required_version = ">= 1.5.7"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 4.0"
}
helm = {
source = "hashicorp/helm"
version = "~> 3.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.0, != 2.12"
}
kubectl = {
source = "alekc/kubectl"
version = "~> 2.0"
}
flux = {
source = "fluxcd/flux"
version = "~> 1.0"
}
github = {
source = "integrations/github"
version = "~> 6.0"
}
tls = {
source = "hashicorp/tls"
version = "~> 4.0"
}
http = {
source = "hashicorp/http"
version = ">= 3"
}
}
}
================================================
FILE: modules/google/.terraform-docs.yml
================================================
settings:
lockfile: false
================================================
FILE: modules/google/README.md
================================================
# terraform-kubernetes-addons:google
[](https://github.com/semantic-release/terraform-kubernetes-addons)
[](https://github.com/particuleio/terraform-kubernetes-addons/actions?query=workflow%3Aterraform-kubernetes-addons)
## About
Provides various addons that are often used on Kubernetes with Google and GKE.
## Terraform docs
Provides various Kubernetes addons that are often used on Kubernetes with GCP
## Requirements
| Name | Version |
| ---- | ------- |
| [terraform](#requirement\_terraform) | >= 1.3 |
| [flux](#requirement\_flux) | ~> 1.0 |
| [github](#requirement\_github) | ~> 6.0 |
| [google](#requirement\_google) | >= 4.69 |
| [google-beta](#requirement\_google-beta) | >= 4.69 |
| [helm](#requirement\_helm) | ~> 3.0 |
| [http](#requirement\_http) | >= 3 |
| [jinja](#requirement\_jinja) | ~> 2.0 |
| [kubectl](#requirement\_kubectl) | ~> 2.0 |
| [kubernetes](#requirement\_kubernetes) | ~> 2.0, != 2.12 |
| [tls](#requirement\_tls) | ~> 4.0 |
## Providers
| Name | Version |
| ---- | ------- |
| [flux](#provider\_flux) | ~> 1.0 |
| [github](#provider\_github) | ~> 6.0 |
| [google](#provider\_google) | >= 4.69 |
| [helm](#provider\_helm) | ~> 3.0 |
| [http](#provider\_http) | >= 3 |
| [jinja](#provider\_jinja) | ~> 2.0 |
| [kubectl](#provider\_kubectl) | ~> 2.0 |
| [kubernetes](#provider\_kubernetes) | ~> 2.0, != 2.12 |
| [random](#provider\_random) | n/a |
| [time](#provider\_time) | n/a |
| [tls](#provider\_tls) | ~> 4.0 |
## Modules
| Name | Source | Version |
| ---- | ------ | ------- |
| [cert\_manager\_workload\_identity](#module\_cert\_manager\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0.0 |
| [external\_dns\_workload\_identity](#module\_external\_dns\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0.0 |
| [iam\_assumable\_sa\_kube-prometheus-stack\_grafana](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_grafana) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |
| [iam\_assumable\_sa\_kube-prometheus-stack\_thanos](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_thanos) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |
| [iam\_assumable\_sa\_loki-stack](#module\_iam\_assumable\_sa\_loki-stack) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |
| [iam\_assumable\_sa\_thanos-compactor](#module\_iam\_assumable\_sa\_thanos-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |
| [iam\_assumable\_sa\_thanos-receive](#module\_iam\_assumable\_sa\_thanos-receive) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |
| [iam\_assumable\_sa\_thanos-receive-compactor](#module\_iam\_assumable\_sa\_thanos-receive-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |
| [iam\_assumable\_sa\_thanos-receive-receive](#module\_iam\_assumable\_sa\_thanos-receive-receive) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |
| [iam\_assumable\_sa\_thanos-receive-sg](#module\_iam\_assumable\_sa\_thanos-receive-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |
| [iam\_assumable\_sa\_thanos-sg](#module\_iam\_assumable\_sa\_thanos-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |
| [iam\_assumable\_sa\_thanos-storegateway](#module\_iam\_assumable\_sa\_thanos-storegateway) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |
| [iam\_assumable\_sa\_velero](#module\_iam\_assumable\_sa\_velero) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |
| [kube-prometheus-stack\_grafana-iam-member](#module\_kube-prometheus-stack\_grafana-iam-member) | terraform-google-modules/iam/google//modules/member_iam | ~> 8.0 |
| [kube-prometheus-stack\_kube-prometheus-stack\_bucket](#module\_kube-prometheus-stack\_kube-prometheus-stack\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 12.0 |
| [kube-prometheus-stack\_thanos\_kms\_bucket](#module\_kube-prometheus-stack\_thanos\_kms\_bucket) | terraform-google-modules/kms/google | ~> 4.0 |
| [loki-stack\_bucket](#module\_loki-stack\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 12.0 |
| [loki-stack\_kms\_bucket](#module\_loki-stack\_kms\_bucket) | terraform-google-modules/kms/google | ~> 4.0 |
| [thanos-receive\_bucket](#module\_thanos-receive\_bucket) | terraform-google-modules/cloud-storage/google | ~> 12.0 |
| [thanos-receive\_kms\_bucket](#module\_thanos-receive\_kms\_bucket) | terraform-google-modules/kms/google | ~> 4.0 |
| [thanos-storegateway\_bucket\_iam](#module\_thanos-storegateway\_bucket\_iam) | terraform-google-modules/iam/google//modules/storage_buckets_iam | ~> 8.0 |
| [thanos\_bucket](#module\_thanos\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 12.0 |
| [thanos\_kms\_bucket](#module\_thanos\_kms\_bucket) | terraform-google-modules/kms/google | ~> 4.0 |
| [velero\_bucket](#module\_velero\_bucket) | github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket | v12.3.0 |
## Resources
| Name | Type |
| ---- | ---- |
| [flux_bootstrap_git.flux](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/resources/bootstrap_git) | resource |
| [github_branch_default.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |
| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
| [github_repository_deploy_key.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |
| [google_dns_managed_zone_iam_member.cert_manager_cloud_dns_iam_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone_iam_member) | resource |
| [google_dns_managed_zone_iam_member.external_dns_cloud_dns_iam_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone_iam_member) | resource |
| [google_project_iam_custom_role.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
| [google_project_iam_member.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
| [google_storage_bucket_iam_member.kube_prometheus_stack_thanos_bucket_objectAdmin_iam_permission](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.kube_prometheus_stack_thanos_bucket_objectViewer_iam_permission](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.loki-stack_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.loki-stack_gcs_iam_objectUser_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos-receive-receive_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos-receive_compactor_gcs_iam_legacyBucketWriter_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos-receive_compactor_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos-receive_compactor_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos-receive_receive_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos-receive_sg_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos-receive_sg_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos_compactor_gcs_iam_legacyBucketWriter_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos_compactor_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos_compactor_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos_receive_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos_receive_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos_sg_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos_sg_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.velero_gcs_iam_objectUser_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.velero_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.external-dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.grafana-mcp](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.ingress-nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.k8gb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.karma](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.node-problem-detector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos-memcached](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos-receive](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos-tls-querier](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.ip_masq_agent](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.linkerd](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
| [kubernetes_manifest.velero_snapshot_class](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.external-dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.flux2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.grafana-mcp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.ingress-nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.k8gb](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.karma](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.node-problem-detector](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.thanos-receive](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.external-dns_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.external-dns_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.external-dns_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.flux2_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.flux2_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.grafana-mcp_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.grafana-mcp_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.k8gb_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.k8gb_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.keda_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.keda_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd2-cni_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.npd_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.npd_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-adapter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-adapter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.secrets-store-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.velero_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.velero_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.velero_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_priority_class.kubernetes_addons](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
| [kubernetes_priority_class.kubernetes_addons_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
| [kubernetes_secret.kube-prometheus-stack_thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.loki-stack-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.promtail-tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.thanos-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [random_string.grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [time_sleep.cert-manager_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [tls_cert_request.promtail-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
| [tls_cert_request.thanos-tls-querier-cert-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
| [tls_locally_signed_cert.promtail-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |
| [tls_locally_signed_cert.thanos-tls-querier-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |
| [tls_private_key.identity](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.loki-stack-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.promtail-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.thanos-tls-querier-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.thanos-tls-querier-cert-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_self_signed_cert.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.loki-stack-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.thanos-tls-querier-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
| [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
| [google_project.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
| [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [jinja_template.cert-manager_cluster_issuers](https://registry.terraform.io/providers/NikolaLohinski/jinja/latest/docs/data-sources/template) | data source |
| [kubectl_file_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_filename_list.ip_masq_agent_manifests](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/filename_list) | data source |
## Inputs
| Name | Description | Type | Default | Required |
| ---- | ----------- | ---- | ------- | :------: |
| [admiralty](#input\_admiralty) | Customize admiralty chart, see `admiralty.tf` for supported values | `any` | `{}` | no |
| [cert-manager](#input\_cert-manager) | Customize cert-manager chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |
| [cert-manager-csi-driver](#input\_cert-manager-csi-driver) | Customize cert-manager-csi-driver chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |
| [cluster-autoscaler](#input\_cluster-autoscaler) | Customize cluster-autoscaler chart, see `cluster-autoscaler.tf` for supported values | `any` | `{}` | no |
| [cluster-name](#input\_cluster-name) | Name of the Kubernetes cluster | `string` | `"sample-cluster"` | no |
| [cni-metrics-helper](#input\_cni-metrics-helper) | Customize cni-metrics-helper deployment, see `cni-metrics-helper.tf` for supported values | `any` | `{}` | no |
| [csi-external-snapshotter](#input\_csi-external-snapshotter) | Customize csi-external-snapshotter, see `csi-external-snapshotter.tf` for supported values | `any` | `{}` | no |
| [external-dns](#input\_external-dns) | Map of map for external-dns configuration: see `external_dns.tf` for supported values | `any` | `{}` | no |
| [flux2](#input\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |
| [gke](#input\_gke) | GKE cluster inputs | `any` | `{}` | no |
| [google](#input\_google) | GCP provider customization | `any` | `{}` | no |
| [grafana-mcp](#input\_grafana-mcp) | Customize grafana-mcp chart, see `grafana-mcp.tf` for supported values | `any` | `{}` | no |
| [helm\_defaults](#input\_helm\_defaults) | Customize default Helm behavior | `any` | `{}` | no |
| [ingress-nginx](#input\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |
| [ip-masq-agent](#input\_ip-masq-agent) | Configure ip masq agent chart, see `ip-masq-agent.tf` for supported values. This addon works only on GCP. | `any` | `{}` | no |
| [k8gb](#input\_k8gb) | Customize k8gb chart, see `k8gb.tf` for supported values | `any` | `{}` | no |
| [karma](#input\_karma) | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |
| [keda](#input\_keda) | Customize keda chart, see `keda.tf` for supported values | `any` | `{}` | no |
| [kong](#input\_kong) | Customize kong-ingress chart, see `kong.tf` for supported values | `any` | `{}` | no |
| [kube-prometheus-stack](#input\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |
| [labels\_prefix](#input\_labels\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `"particule.io"` | no |
| [linkerd](#input\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |
| [linkerd-viz](#input\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |
| [linkerd2](#input\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |
| [linkerd2-cni](#input\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |
| [loki-stack](#input\_loki-stack) | Customize loki-stack chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
| [metrics-server](#input\_metrics-server) | Customize metrics-server chart, see `metrics_server.tf` for supported values | `any` | `{}` | no |
| [npd](#input\_npd) | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |
| [priority-class](#input\_priority-class) | Customize a priority class for addons | `any` | `{}` | no |
| [priority-class-ds](#input\_priority-class-ds) | Customize a priority class for addons daemonsets | `any` | `{}` | no |
| [project\_id](#input\_project\_id) | GCP project id | `string` | `""` | no |
| [prometheus-adapter](#input\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |
| [prometheus-blackbox-exporter](#input\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
| [prometheus-cloudwatch-exporter](#input\_prometheus-cloudwatch-exporter) | Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values | `any` | `{}` | no |
| [promtail](#input\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
| [reloader](#input\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |
| [sealed-secrets](#input\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
| [secrets-store-csi-driver](#input\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |
| [tags](#input\_tags) | Map of tags for Google resources | `map(any)` | `{}` | no |
| [thanos](#input\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-memcached](#input\_thanos-memcached) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-receive](#input\_thanos-receive) | Customize thanos chart, see `thanos-receive.tf` for supported values | `any` | `{}` | no |
| [thanos-storegateway](#input\_thanos-storegateway) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-tls-querier](#input\_thanos-tls-querier) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-tls-querier-ca-cert](#input\_thanos-tls-querier-ca-cert) | TLS CA certificate, used to generate the client mTLS materials | `string` | `""` | no |
| [thanos-tls-querier-ca-private-key](#input\_thanos-tls-querier-ca-private-key) | TLS CA private key, used to generate the client mTLS materials | `string` | `""` | no |
| [tigera-operator](#input\_tigera-operator) | Customize tigera-operator chart, see `tigera-operator.tf` for supported values | `any` | `{}` | no |
| [traefik](#input\_traefik) | Customize traefik chart, see `traefik.tf` for supported values | `any` | `{}` | no |
| [velero](#input\_velero) | Customize velero chart, see `velero.tf` for supported values | `any` | `{}` | no |
| [victoria-metrics-k8s-stack](#input\_victoria-metrics-k8s-stack) | Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values | `any` | `{}` | no |
## Outputs
| Name | Description |
| ---- | ----------- |
| [kube-prometheus-stack](#output\_kube-prometheus-stack) | n/a |
| [kube-prometheus-stack\_sensitive](#output\_kube-prometheus-stack\_sensitive) | n/a |
| [loki-stack-ca](#output\_loki-stack-ca) | n/a |
| [promtail-cert](#output\_promtail-cert) | n/a |
| [promtail-key](#output\_promtail-key) | n/a |
| [thanos\_ca](#output\_thanos\_ca) | n/a |
================================================
FILE: modules/google/cert-manager.tf
================================================
locals {
cert-manager = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].version
namespace = "cert-manager"
service_account_name = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].name
project_id = "default-0"
create_iam_resources = true
enable_monitoring = false
enabled = false
iam_policy_override = null
default_network_policy = true
managed_zone = "default"
acme_email = "contact@acme.com"
acme_http01_enabled = true
acme_http01_ingress_class = "nginx"
acme_dns01_enabled = false
acme_dns01_provider = "clouddns"
acme_dns01_provider_clouddns = {
project_id = "default-0"
dns_zone_name = "default"
}
acme_dns01_provider_route53 = {
aws_region = "eu-west1"
}
allowed_cidrs = ["0.0.0.0/0"]
csi_driver = false
name_prefix = "${var.cluster-name}-cert-manager"
},
var.cert-manager
)
values_cert-manager = < merge(
local.helm_defaults,
{
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "external-dns")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "external-dns")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "external-dns")].version
project_id = "default-0"
name = k
namespace = k
service_account_name = "external-dns"
enable_monitoring = false
enabled = false
managed_zones = []
create_iam_resources = true
iam_policy_override = null
default_network_policy = true
name_prefix = "${var.cluster-name}"
},
v,
) }
values_external-dns = { for k, v in local.external-dns : k => merge(
{
values = <<-VALUES
provider: google
txtPrefix: "ext-dns-"
txtOwnerId: ${var.cluster-name}
logFormat: json
policy: sync
serviceAccount:
name: ${v.service_account_name}
annotations:
iam.gke.io/gcp-service-account: '${module.external_dns_workload_identity[k].gcp_service_account_email}'
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"] || local.victoria-metrics-k8s-stack["enabled"] || v.enable_monitoring}
priorityClassName: ${local.priority-class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
VALUES
},
v,
) if v.enabled }
managed_zones_by_instance = flatten([
for k, v in local.external-dns : [
for idx, zone in lookup(v, "managed_zones", []) : {
zone_name = zone
instance = k
project_id = v.project_id
}
] if v.enabled && v.create_iam_resources])
}
# This module will create a Google Service account and configure the right permissions
# to be allowed to use the workload identity on GKE.
module "external_dns_workload_identity" {
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
version = "~> 44.0.0"
for_each = { for k, v in local.external-dns : k => v if v.enabled && v.create_iam_resources }
name = each.value.service_account_name
namespace = each.value.namespace
project_id = each.value.project_id
roles = ["roles/dns.reader"]
use_existing_k8s_sa = true
annotate_k8s_sa = false
}
# This module will configure the required IAM permissions for external-dns service account
# to deal with Cloud DNS. The IAM permissions will be set at the resource level (DNS zone) and not at the project
# level.
resource "google_dns_managed_zone_iam_member" "external_dns_cloud_dns_iam_permissions" {
for_each = { for idx, item in local.managed_zones_by_instance : "${item.instance}-${item.zone_name}" => item }
project = each.value.project_id
managed_zone = each.value.zone_name
role = "roles/dns.admin"
member = "serviceAccount:${module.external_dns_workload_identity[each.value.instance].gcp_service_account_email}"
}
# This resource will create a dedicated namespace for each external-dns instance.
resource "kubernetes_namespace" "external-dns" {
for_each = { for k, v in local.external-dns : k => v if v.enabled }
metadata {
labels = {
name = each.value.namespace
}
name = each.value.namespace
}
}
# This resource will create a helm release for each external-dns instance.
resource "helm_release" "external-dns" {
for_each = { for k, v in local.external-dns : k => v if v.enabled }
repository = each.value.repository
name = each.value.name
chart = each.value.chart
version = each.value.chart_version
timeout = each.value.timeout
force_update = each.value.force_update
recreate_pods = each.value.recreate_pods
wait = each.value.wait
atomic = each.value.atomic
cleanup_on_fail = each.value.cleanup_on_fail
dependency_update = each.value.dependency_update
disable_crd_hooks = each.value.disable_crd_hooks
disable_webhooks = each.value.disable_webhooks
render_subchart_notes = each.value.render_subchart_notes
replace = each.value.replace
reset_values = each.value.reset_values
reuse_values = each.value.reuse_values
skip_crds = each.value.skip_crds
verify = each.value.verify
values = [
local.values_external-dns[each.key].values,
each.value.extra_values
]
namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name
}
# This resource will create for each external-dns instance a network policy to deny all ingress traffic
# by default in the namespace.
resource "kubernetes_network_policy" "external-dns_default_deny" {
for_each = { for k, v in local.external-dns : k => v if v.enabled && v.default_network_policy }
metadata {
name = "${kubernetes_namespace.external-dns[each.key].metadata.0.name}-default-deny"
namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name
}
spec {
pod_selector {
}
policy_types = ["Ingress"]
}
}
# This resource will create for each external-dns instance a network policy to allow the
# workloads to communicate each other inside the external-dns namespace.
resource "kubernetes_network_policy" "external-dns_allow_namespace" {
for_each = { for k, v in local.external-dns : k => v if v.enabled && v.default_network_policy }
metadata {
name = "${kubernetes_namespace.external-dns[each.key].metadata.0.name}-allow-namespace"
namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name
}
spec {
pod_selector {
}
ingress {
from {
namespace_selector {
match_labels = {
name = kubernetes_namespace.external-dns[each.key].metadata.0.name
}
}
}
}
policy_types = ["Ingress"]
}
}
# This resource will create for each external-dns instance a network policy to allow the
# monitoring agent to collect metrics.
resource "kubernetes_network_policy" "external-dns_allow_monitoring" {
for_each = { for k, v in local.external-dns : k => v if v.enabled && v.default_network_policy }
metadata {
name = "${kubernetes_namespace.external-dns[each.key].metadata.0.name}-allow-monitoring"
namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name
}
spec {
pod_selector {
}
ingress {
ports {
port = "http"
protocol = "TCP"
}
from {
namespace_selector {
match_labels = {
"${local.labels_prefix}/component" = "monitoring"
}
}
}
}
policy_types = ["Ingress"]
}
}
================================================
FILE: modules/google/ingress-nginx.tf
================================================
locals {
ingress-nginx = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].version
namespace = "ingress-nginx"
use_nlb = false
enabled = false
default_network_policy = true
ingress_cidrs = ["0.0.0.0/0"]
allowed_cidrs = ["0.0.0.0/0"]
extra_ns_labels = {}
extra_ns_annotations = {}
},
var.ingress-nginx
)
values_ingress-nginx_l4 = <0.31.x"
VALUES
values_dashboard_thanos = < merge(
local.helm_defaults,
{
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].version
name = "${local.thanos["name"]}-storegateway-${k}"
create_iam_resources = true
iam_policy_override = null
enabled = false
default_global_requests = false
default_global_limits = false
bucket = null
region = null
name_prefix = "${var.cluster-name}-thanos-sg"
},
v,
) }
values_thanos-storegateway = { for k, v in local.thanos-storegateway : k => merge(
{
values = <<-VALUES
global:
security:
allowInsecureImages: true
image:
registry: quay.io
repository: thanos/thanos
tag: v0.37.2
objstoreConfig:
type: GCS
config:
bucket: ${v["bucket"]}
service_account: "${v["name_prefix"]}-thanos-sg"
metrics:
enabled: true
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"] ? "true" : "false"}
query:
enabled: false
queryFrontend:
enabled: false
compactor:
enabled: false
storegateway:
replicaCount: 2
extraFlags:
- --ignore-deletion-marks-delay=24h
enabled: true
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: "${v["enabled"] && v["create_iam_resources"] ? module.iam_assumable_sa_thanos-storegateway[k].iam_role_arn : ""}"
iam.gke.io/gcp-service-account: "${v["enabled"] && v["create_iam_resources"] ? module.iam_assumable_sa_thanos-storegateway[k].gcp_service_account_name : ""}"
pdb:
create: true
minAvailable: 1
VALUES
},
v,
) }
}
module "iam_assumable_sa_thanos-storegateway" {
for_each = local.thanos-storegateway
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
version = "~> 44.0"
namespace = each.value["namespace"]
project_id = data.google_project.current.id
name = "${each.value["name_prefix"]}-${each.key}"
}
module "thanos-storegateway_bucket_iam" {
for_each = local.thanos-storegateway
source = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
version = "~> 8.0"
mode = "additive"
storage_buckets = [each.value["bucket"]]
bindings = {
"roles/storage.objectViewer" = [
"serviceAccount:${module.iam_assumable_sa_thanos-storegateway["${each.key}"].gcp_service_account_email}"
]
}
}
resource "helm_release" "thanos-storegateway" {
for_each = { for k, v in local.thanos-storegateway : k => v if v["enabled"] }
repository = each.value["repository"]
name = each.value["name"]
chart = each.value["chart"]
version = each.value["chart_version"]
timeout = each.value["timeout"]
force_update = each.value["force_update"]
recreate_pods = each.value["recreate_pods"]
wait = each.value["wait"]
atomic = each.value["atomic"]
cleanup_on_fail = each.value["cleanup_on_fail"]
dependency_update = each.value["dependency_update"]
disable_crd_hooks = each.value["disable_crd_hooks"]
disable_webhooks = each.value["disable_webhooks"]
render_subchart_notes = each.value["render_subchart_notes"]
replace = each.value["replace"]
reset_values = each.value["reset_values"]
reuse_values = each.value["reuse_values"]
skip_crds = each.value["skip_crds"]
verify = each.value["verify"]
values = compact([
local.values_thanos-storegateway[each.key]["values"],
each.value["default_global_requests"] ? local.values_thanos_global_requests : null,
each.value["default_global_limits"] ? local.values_thanos_global_limits : null,
each.value["extra_values"]
])
namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos["namespace"]
depends_on = [
helm_release.kube-prometheus-stack,
]
}
================================================
FILE: modules/google/thanos-tls-querier.tf
================================================
locals {
thanos-tls-querier = { for k, v in var.thanos-tls-querier : k => merge(
local.helm_defaults,
{
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].version
name = "${local.thanos["name"]}-tls-querier-${k}"
enabled = false
generate_cert = local.thanos["generate_ca"]
client_server_name = ""
## This default to Let's encrypt X1 root CA
grpc_client_tls_ca_pem = <<-EOV
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
EOV
stores = []
default_global_requests = false
default_global_limits = false
},
v,
) }
values_thanos-tls-querier = { for k, v in local.thanos-tls-querier : k => merge(
{
values = <<-VALUES
global:
security:
allowInsecureImages: true
image:
registry: quay.io
repository: thanos/thanos
tag: v0.37.2
metrics:
enabled: true
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"] ? "true" : "false"}
query:
replicaCount: 2
extraFlags:
- --query.timeout=5m
- --query.lookback-delta=15m
- --query.replica-label=rule_replica
enabled: true
dnsDiscovery:
enabled: false
pdb:
create: true
minAvailable: 1
grpc:
client:
servername: ${v["client_server_name"]}
tls:
enabled: ${v["generate_cert"]}
key: |
${indent(10, v["generate_cert"] ? tls_private_key.thanos-tls-querier-cert-key[k].private_key_pem : "")}
cert: |
${indent(10, v["generate_cert"] ? tls_locally_signed_cert.thanos-tls-querier-cert[k].cert_pem : "")}
ca: |
${indent(10, v["generate_cert"] ? v["grpc_client_tls_ca_pem"] : "")}
stores: ${jsonencode(v["stores"])}
queryFrontend:
enabled: false
compactor:
enabled: false
storegateway:
enabled: false
VALUES
},
v,
) }
}
resource "helm_release" "thanos-tls-querier" {
for_each = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] }
repository = each.value["repository"]
name = each.value["name"]
chart = each.value["chart"]
version = each.value["chart_version"]
timeout = each.value["timeout"]
force_update = each.value["force_update"]
recreate_pods = each.value["recreate_pods"]
wait = each.value["wait"]
atomic = each.value["atomic"]
cleanup_on_fail = each.value["cleanup_on_fail"]
dependency_update = each.value["dependency_update"]
disable_crd_hooks = each.value["disable_crd_hooks"]
disable_webhooks = each.value["disable_webhooks"]
render_subchart_notes = each.value["render_subchart_notes"]
replace = each.value["replace"]
reset_values = each.value["reset_values"]
reuse_values = each.value["reuse_values"]
skip_crds = each.value["skip_crds"]
verify = each.value["verify"]
values = compact([
local.values_thanos-tls-querier[each.key]["values"],
each.value["default_global_requests"] ? local.values_thanos_global_requests : null,
each.value["default_global_limits"] ? local.values_thanos_global_limits : null,
each.value["extra_values"]
])
namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos["namespace"]
depends_on = [
helm_release.kube-prometheus-stack,
]
}
resource "tls_private_key" "thanos-tls-querier-cert-key" {
for_each = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] && v["generate_cert"] }
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_cert_request" "thanos-tls-querier-cert-csr" {
for_each = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] && v["generate_cert"] }
private_key_pem = tls_private_key.thanos-tls-querier-cert-key[each.key].private_key_pem
subject {
common_name = each.key
}
dns_names = [
each.key
]
}
resource "tls_locally_signed_cert" "thanos-tls-querier-cert" {
for_each = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] && v["generate_cert"] }
cert_request_pem = tls_cert_request.thanos-tls-querier-cert-csr[each.key].cert_request_pem
ca_private_key_pem = tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem
ca_cert_pem = tls_self_signed_cert.thanos-tls-querier-ca-cert[0].cert_pem
validity_period_hours = 8760
allowed_uses = [
"key_encipherment",
"digital_signature",
"client_auth"
]
}
================================================
FILE: modules/google/thanos.tf
================================================
locals {
thanos = merge(
local.helm_defaults,
{
name = "thanos"
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].name
repository = ""
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].version
namespace = "monitoring"
create_iam_resources = true
iam_policy_override = null
create_ns = false
enabled = false
default_network_policy = true
default_global_requests = false
default_global_limits = false
create_bucket = false
bucket = "thanos-store-${var.cluster-name}"
bucket_force_destroy = false
bucket_location = "europe-west1"
bucket_public_access_prevention = "enforced"
kms_bucket_location = "europe-west1"
generate_ca = false
trusted_ca_content = null
name_prefix = "gke-thanos"
},
var.thanos
)
thanos_bucket = (
local.thanos["enabled"] && local.kube-prometheus-stack["enabled"] && local.kube-prometheus-stack["thanos_create_bucket"] ? module.kube-prometheus-stack_kube-prometheus-stack_bucket[0].name :
local.thanos["enabled"] && local.thanos["create_bucket"] ? module.thanos_bucket[0].name : local.thanos["bucket"]
)
values_thanos = <<-VALUES
global:
security:
allowInsecureImages: true
image:
registry: quay.io
repository: thanos/thanos
tag: v0.37.2
receive:
enabled: false
pdb:
create: true
minAvailable: 1
serviceAccount:
annotations:
iam.gke.io/gcp-service-account: "${local.thanos["enabled"] && local.thanos["create_iam_resources"] ? module.iam_assumable_sa_thanos-receive[0].gcp_service_account_email : ""}"
metrics:
enabled: true
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"] ? "true" : "false"}
query:
extraFlags:
- --query.timeout=5m
- --query.lookback-delta=15m
- --query.replica-label=rule_replica
replicaCount: 2
replicaLabel:
- prometheus_replica
enabled: true
dnsDiscovery:
enabled: true
sidecarsService: ${local.kube-prometheus-stack["name"]}-thanos-discovery
sidecarsNamespace: "${local.kube-prometheus-stack["namespace"]}"
pdb:
create: true
minAvailable: 1
stores: ${jsonencode(concat([for k, v in local.thanos-tls-querier : "dnssrv+_grpc._tcp.${v["name"]}-query-grpc.${local.thanos["namespace"]}.svc.cluster.local"], [for k, v in local.thanos-storegateway : "dnssrv+_grpc._tcp.${v["name"]}-storegateway.${local.thanos["namespace"]}.svc.cluster.local"]))}
queryFrontend:
extraFlags:
- --query-frontend.compress-responses
- --query-range.split-interval=12h
- --labels.split-interval=12h
- --query-range.max-retries-per-request=10
- --labels.max-retries-per-request=10
- --query-frontend.log-queries-longer-than=10s
replicaCount: 2
enabled: true
pdb:
create: true
minAvailable: 1
compactor:
extraFlags:
- --deduplication.replica-label=prometheus_replica
- --deduplication.replica-label=rule_replica
strategyType: Recreate
enabled: true
serviceAccount:
annotations:
iam.gke.io/gcp-service-account: "${local.thanos["enabled"] && local.thanos["create_iam_resources"] ? module.iam_assumable_sa_thanos-compactor[0].gcp_service_account_email : ""}"
storegateway:
extraFlags:
- --ignore-deletion-marks-delay=24h
replicaCount: 2
enabled: true
serviceAccount:
annotations:
iam.gke.io/gcp-service-account: "${local.thanos["enabled"] && local.thanos["create_iam_resources"] ? module.iam_assumable_sa_thanos-sg[0].gcp_service_account_email : ""}"
pdb:
create: true
minAvailable: 1
VALUES
values_thanos_caching = <<-VALUES
queryFrontend:
extraFlags:
- --query-frontend.compress-responses
- --query-range.split-interval=12h
- --labels.split-interval=12h
- --query-range.max-retries-per-request=10
- --labels.max-retries-per-request=10
- --query-frontend.log-queries-longer-than=10s
- |-
--query-range.response-cache-config="config":
"addresses":
- "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
"dns_provider_update_interval": "10s"
"max_async_buffer_size": 10000
"max_async_concurrency": 20
"max_get_multi_batch_size": 0
"max_get_multi_concurrency": 100
"max_idle_connections": 100
"timeout": "500ms"
"type": "memcached"
- |-
--labels.response-cache-config="config":
"addresses":
- "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
"dns_provider_update_interval": "10s"
"max_async_buffer_size": 10000
"max_async_concurrency": 20
"max_get_multi_batch_size": 0
"max_get_multi_concurrency": 100
"max_idle_connections": 100
"timeout": "500ms"
"type": "memcached"
storegateway:
extraFlags:
- --ignore-deletion-marks-delay=24h
- |-
--index-cache.config="config":
"addresses":
- "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
"dns_provider_update_interval": "10s"
"max_async_buffer_size": 10000
"max_async_concurrency": 20
"max_get_multi_batch_size": 0
"max_get_multi_concurrency": 100
"max_idle_connections": 100
"max_item_size": "1MiB"
"timeout": "500ms"
"type": "memcached"
- |-
--store.caching-bucket.config="blocks_iter_ttl": "5m"
"chunk_object_attrs_ttl": "24h"
"chunk_subrange_size": 16000
"chunk_subrange_ttl": "24h"
"config":
"addresses":
- "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
"dns_provider_update_interval": "10s"
"max_async_buffer_size": 10000
"max_async_concurrency": 20
"max_get_multi_batch_size": 0
"max_get_multi_concurrency": 100
"max_idle_connections": 100
"max_item_size": "1MiB"
"timeout": "500ms"
"max_chunks_get_range_requests": 3
"metafile_content_ttl": "24h"
"metafile_doesnt_exist_ttl": "15m"
"metafile_exists_ttl": "2h"
"metafile_max_size": "1MiB"
"type": "memcached"
VALUES
values_store_config = <<-VALUES
objstoreConfig:
type: GCS
config:
bucket: ${local.thanos_bucket}
VALUES
values_thanos_global_requests = <<-VALUES
query:
resources:
requests:
cpu: 25m
memory: 32Mi
queryFrontend:
resources:
requests:
cpu: 25m
memory: 32Mi
compactor:
resources:
requests:
cpu: 50m
memory: 258Mi
storegateway:
resources:
requests:
cpu: 25m
memory: 64Mi
VALUES
values_thanos_global_limits = <<-VALUES
query:
resources:
limits:
memory: 128Mi
queryFrontend:
resources:
limits:
memory: 64Mi
compactor:
resources:
limits:
memory: 2Gi
storegateway:
resources:
limits:
memory: 1Gi
VALUES
}
module "iam_assumable_sa_thanos-receive" {
count = local.thanos["enabled"] ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
version = "~> 44.0"
namespace = local.thanos["namespace"]
project_id = var.project_id
name = "${local.thanos["name"]}-receive"
use_existing_k8s_sa = true
annotate_k8s_sa = false
}
module "iam_assumable_sa_thanos-compactor" {
count = local.thanos["enabled"] ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
version = "~> 44.0"
namespace = local.thanos["namespace"]
project_id = var.project_id
name = "${local.thanos["name"]}-compactor"
use_existing_k8s_sa = true
annotate_k8s_sa = false
}
module "iam_assumable_sa_thanos-sg" {
count = local.thanos["enabled"] ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
version = "~> 44.0"
namespace = local.thanos["namespace"]
project_id = var.project_id
name = "${local.thanos["name"]}-storegateway"
use_existing_k8s_sa = true
annotate_k8s_sa = false
}
module "thanos_bucket" {
count = local.thanos["enabled"] && local.thanos["create_bucket"] ? 1 : 0
source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
version = "~> 12.0"
project_id = var.project_id
location = local.thanos["bucket_location"]
name = local.thanos["bucket"]
encryption = {
default_kms_key_name = module.thanos_kms_bucket[0].keys.thanos
}
public_access_prevention = local.thanos["bucket_public_access_prevention"]
}
module "thanos_kms_bucket" {
count = local.thanos["enabled"] && local.thanos["create_bucket"] ? 1 : 0
source = "terraform-google-modules/kms/google"
version = "~> 4.0"
project_id = var.project_id
location = local.thanos["kms_bucket_location"]
keyring = "thanos"
keys = ["thanos"]
owners = [
"serviceAccount:service-${data.google_project.current.number}@gs-project-accounts.iam.gserviceaccount.com"
]
set_owners_for = [
"thanos"
]
}
# GCS permissions for thanos service account
resource "google_storage_bucket_iam_member" "thanos_receive_gcs_iam_objectViewer_permissions" {
count = local.thanos["enabled"] ? 1 : 0
bucket = local.thanos_bucket
role = "roles/storage.objectViewer"
member = "serviceAccount:${module.iam_assumable_sa_thanos-receive[0].gcp_service_account_email}"
}
resource "google_storage_bucket_iam_member" "thanos_receive_gcs_iam_objectCreator_permissions" {
count = local.thanos["enabled"] ? 1 : 0
bucket = local.thanos_bucket
role = "roles/storage.objectCreator"
member = "serviceAccount:${module.iam_assumable_sa_thanos-receive[0].gcp_service_account_email}"
}
# GCS permissions for thanos compactor service account
resource "google_storage_bucket_iam_member" "thanos_compactor_gcs_iam_objectViewer_permissions" {
count = local.thanos["enabled"] ? 1 : 0
bucket = local.thanos_bucket
role = "roles/storage.objectViewer"
member = "serviceAccount:${module.iam_assumable_sa_thanos-compactor[0].gcp_service_account_email}"
}
resource "google_storage_bucket_iam_member" "thanos_compactor_gcs_iam_objectCreator_permissions" {
count = local.thanos["enabled"] ? 1 : 0
bucket = local.thanos_bucket
role = "roles/storage.objectCreator"
member = "serviceAccount:${module.iam_assumable_sa_thanos-compactor[0].gcp_service_account_email}"
}
resource "google_storage_bucket_iam_member" "thanos_compactor_gcs_iam_legacyBucketWriter_permissions" {
count = local.thanos["enabled"] ? 1 : 0
bucket = local.thanos_bucket
role = "roles/storage.legacyBucketWriter"
member = "serviceAccount:${module.iam_assumable_sa_thanos-compactor[0].gcp_service_account_email}"
}
# GCS permissions for thanos storage gateway service account
resource "google_storage_bucket_iam_member" "thanos_sg_gcs_iam_objectViewer_permissions" {
count = local.thanos["enabled"] ? 1 : 0
bucket = local.thanos_bucket
role = "roles/storage.objectViewer"
member = "serviceAccount:${module.iam_assumable_sa_thanos-sg[0].gcp_service_account_email}"
}
resource "google_storage_bucket_iam_member" "thanos_sg_gcs_iam_objectCreator_permissions" {
count = local.thanos["enabled"] ? 1 : 0
bucket = local.thanos_bucket
role = "roles/storage.objectCreator"
member = "serviceAccount:${module.iam_assumable_sa_thanos-sg[0].gcp_service_account_email}"
}
resource "kubernetes_namespace" "thanos" {
count = local.thanos["enabled"] && local.thanos["create_ns"] ? 1 : 0
metadata {
labels = {
name = local.thanos["namespace"]
"${local.labels_prefix}/component" = "monitoring"
}
name = local.thanos["namespace"]
}
}
resource "helm_release" "thanos" {
count = local.thanos["enabled"] ? 1 : 0
repository = local.thanos["repository"]
name = local.thanos["name"]
chart = local.thanos["chart"]
version = local.thanos["chart_version"]
timeout = local.thanos["timeout"]
force_update = local.thanos["force_update"]
recreate_pods = local.thanos["recreate_pods"]
wait = local.thanos["wait"]
atomic = local.thanos["atomic"]
cleanup_on_fail = local.thanos["cleanup_on_fail"]
dependency_update = local.thanos["dependency_update"]
disable_crd_hooks = local.thanos["disable_crd_hooks"]
disable_webhooks = local.thanos["disable_webhooks"]
render_subchart_notes = local.thanos["render_subchart_notes"]
replace = local.thanos["replace"]
reset_values = local.thanos["reset_values"]
reuse_values = local.thanos["reuse_values"]
skip_crds = local.thanos["skip_crds"]
verify = local.thanos["verify"]
values = compact([
local.values_thanos,
local.values_store_config,
local.thanos["default_global_requests"] ? local.values_thanos_global_requests : null,
local.thanos["default_global_limits"] ? local.values_thanos_global_limits : null,
local.thanos-memcached["enabled"] ? local.values_thanos_caching : null,
local.thanos["extra_values"]
])
namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos["namespace"]
depends_on = [
helm_release.kube-prometheus-stack,
helm_release.thanos-memcached
]
}
resource "tls_private_key" "thanos-tls-querier-ca-key" {
count = local.thanos["enabled"] && local.thanos["generate_ca"] ? 1 : 0
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_self_signed_cert" "thanos-tls-querier-ca-cert" {
count = local.thanos["enabled"] && local.thanos["generate_ca"] ? 1 : 0
private_key_pem = tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem
is_ca_certificate = true
subject {
common_name = var.cluster-name
organization = var.cluster-name
}
validity_period_hours = 87600
allowed_uses = [
"cert_signing"
]
}
resource "kubernetes_secret" "thanos-ca" {
count = local.thanos["enabled"] && (local.thanos["generate_ca"] || local.thanos["trusted_ca_content"] != null) ? 1 : 0
metadata {
name = "${local.thanos["name"]}-ca"
namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos["namespace"]
}
data = {
"ca.crt" = local.thanos["generate_ca"] ? tls_self_signed_cert.thanos-tls-querier-ca-cert[count.index].cert_pem : local.thanos["trusted_ca_content"]
}
}
output "thanos_ca" {
value = element(concat(tls_self_signed_cert.thanos-tls-querier-ca-cert[*].cert_pem, [""]), 0)
}
================================================
FILE: modules/google/variables-google.tf
================================================
variable "google" {
description = "GCP provider customization"
type = any
default = {}
}
variable "project_id" {
description = "GCP project id"
type = string
default = ""
}
variable "cni-metrics-helper" {
description = "Customize cni-metrics-helper deployment, see `cni-metrics-helper.tf` for supported values"
type = any
default = {}
}
variable "gke" {
description = "GKE cluster inputs"
type = any
default = {}
}
variable "prometheus-cloudwatch-exporter" {
description = "Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values"
type = any
default = {}
}
variable "tags" {
description = "Map of tags for Google resources"
type = map(any)
default = {}
}
================================================
FILE: modules/google/velero.tf
================================================
locals {
velero = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].version
namespace = "velero"
service_account_name = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].name
enabled = false
create_iam_resources = true
create_bucket = true
bucket = "${var.cluster-name}-velero"
bucket_location = "eu"
bucket_force_destroy = false
bucket_versioning = false
allowed_cidrs = ["0.0.0.0/0"]
default_network_policy = true
kms_key_arn_access_list = []
name_prefix = "${var.cluster-name}-velero"
snapshot_location = "eu"
create_snapshot_class = true
},
var.velero
)
values_velero = <
## Requirements
| Name | Version |
| ---- | ------- |
| [terraform](#requirement\_terraform) | >= 1.5.7 |
| [flux](#requirement\_flux) | ~> 1.0 |
| [github](#requirement\_github) | ~> 6.0 |
| [helm](#requirement\_helm) | ~> 3.0 |
| [http](#requirement\_http) | >= 3 |
| [kubectl](#requirement\_kubectl) | ~> 2.0 |
| [kubernetes](#requirement\_kubernetes) | ~> 2.0, != 2.12 |
| [scaleway](#requirement\_scaleway) | >= 2.2.0 |
| [tls](#requirement\_tls) | ~> 4.0 |
## Providers
| Name | Version |
| ---- | ------- |
| [flux](#provider\_flux) | ~> 1.0 |
| [github](#provider\_github) | ~> 6.0 |
| [helm](#provider\_helm) | ~> 3.0 |
| [http](#provider\_http) | >= 3 |
| [kubectl](#provider\_kubectl) | ~> 2.0 |
| [kubernetes](#provider\_kubernetes) | ~> 2.0, != 2.12 |
| [random](#provider\_random) | n/a |
| [scaleway](#provider\_scaleway) | >= 2.2.0 |
| [time](#provider\_time) | n/a |
| [tls](#provider\_tls) | ~> 4.0 |
## Modules
No modules.
## Resources
| Name | Type |
| ---- | ---- |
| [flux_bootstrap_git.flux](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/resources/bootstrap_git) | resource |
| [github_branch_default.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |
| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
| [github_repository_deploy_key.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |
| [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.external-dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.grafana-mcp](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.ingress-nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.k8gb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.karma](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.kong](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.scaleway-webhook-dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos-memcached](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos-tls-querier](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.linkerd](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
| [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
| [kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.external-dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.flux2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.grafana-mcp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.ingress-nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.k8gb](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.karma](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.kong](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.cert-manager_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.external-dns_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.external-dns_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.external-dns_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.flux2_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.flux2_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.grafana-mcp_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.grafana-mcp_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.k8gb_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.k8gb_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.karma_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.keda_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.keda_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kong_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.linkerd2-cni_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.loki-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-adapter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-adapter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-blackbox-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-blackbox-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.velero_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.velero_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.velero_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_priority_class.kubernetes_addons](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
| [kubernetes_priority_class.kubernetes_addons_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
| [kubernetes_secret.cert-manager_scaleway_credentials](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.external-dns_scaleway_credentials](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.kube-prometheus-stack_thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.loki-stack-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.promtail-tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.thanos-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [random_string.grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [scaleway_object_bucket.kube-prometheus-stack_thanos_bucket](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket) | resource |
| [scaleway_object_bucket.loki_bucket](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket) | resource |
| [scaleway_object_bucket.thanos_bucket](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket) | resource |
| [scaleway_object_bucket.velero_bucket](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket) | resource |
| [scaleway_object_bucket_acl.kube-prometheus-stack_bucket_acl](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket_acl) | resource |
| [scaleway_object_bucket_acl.loki_bucket_acl](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket_acl) | resource |
| [scaleway_object_bucket_acl.thanos_bucket_acl](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket_acl) | resource |
| [scaleway_object_bucket_acl.velero_bucket_acl](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket_acl) | resource |
| [time_sleep.cert-manager_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [tls_cert_request.promtail-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
| [tls_cert_request.thanos-tls-querier-cert-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
| [tls_locally_signed_cert.promtail-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |
| [tls_locally_signed_cert.thanos-tls-querier-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |
| [tls_private_key.identity](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.loki-stack-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.promtail-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.thanos-tls-querier-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.thanos-tls-querier-cert-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_self_signed_cert.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.loki-stack-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.thanos-tls-querier-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
| [http_http.csi-external-snapshotter](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.kong_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [kubectl_file_documents.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_file_documents.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |
| [kubectl_path_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/path_documents) | data source |
## Inputs
| Name | Description | Type | Default | Required |
| ---- | ----------- | ---- | ------- | :------: |
| [admiralty](#input\_admiralty) | Customize admiralty chart, see `admiralty.tf` for supported values | `any` | `{}` | no |
| [cert-manager](#input\_cert-manager) | Customize cert-manager chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |
| [cert-manager-csi-driver](#input\_cert-manager-csi-driver) | Customize cert-manager-csi-driver chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |
| [cert-manager\_scaleway\_webhook\_dns](#input\_cert-manager\_scaleway\_webhook\_dns) | Scaleway webhook dns customization | `any` | `{}` | no |
| [cluster-autoscaler](#input\_cluster-autoscaler) | Customize cluster-autoscaler chart, see `cluster-autoscaler.tf` for supported values | `any` | `{}` | no |
| [cluster-name](#input\_cluster-name) | Name of the Kubernetes cluster | `string` | `"sample-cluster"` | no |
| [csi-external-snapshotter](#input\_csi-external-snapshotter) | Customize csi-external-snapshotter, see `csi-external-snapshotter.tf` for supported values | `any` | `{}` | no |
| [external-dns](#input\_external-dns) | Map of map for external-dns configuration: see `external_dns.tf` for supported values | `any` | `{}` | no |
| [flux2](#input\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |
| [grafana-mcp](#input\_grafana-mcp) | Customize grafana-mcp chart, see `grafana-mcp.tf` for supported values | `any` | `{}` | no |
| [helm\_defaults](#input\_helm\_defaults) | Customize default Helm behavior | `any` | `{}` | no |
| [ingress-nginx](#input\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |
| [ip-masq-agent](#input\_ip-masq-agent) | Configure ip masq agent chart, see `ip-masq-agent.tf` for supported values. This addon works only on GCP. | `any` | `{}` | no |
| [k8gb](#input\_k8gb) | Customize k8gb chart, see `k8gb.tf` for supported values | `any` | `{}` | no |
| [kapsule](#input\_kapsule) | Kapsule cluster inputs | `any` | `{}` | no |
| [karma](#input\_karma) | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |
| [keda](#input\_keda) | Customize keda chart, see `keda.tf` for supported values | `any` | `{}` | no |
| [kong](#input\_kong) | Customize kong-ingress chart, see `kong.tf` for supported values | `any` | `{}` | no |
| [kube-prometheus-stack](#input\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |
| [labels\_prefix](#input\_labels\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `"particule.io"` | no |
| [linkerd](#input\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |
| [linkerd-viz](#input\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |
| [linkerd2](#input\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |
| [linkerd2-cni](#input\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |
| [loki-stack](#input\_loki-stack) | Customize loki-stack chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
| [metrics-server](#input\_metrics-server) | Customize metrics-server chart, see `metrics_server.tf` for supported values | `any` | `{}` | no |
| [npd](#input\_npd) | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |
| [priority-class](#input\_priority-class) | Customize a priority class for addons | `any` | `{}` | no |
| [priority-class-ds](#input\_priority-class-ds) | Customize a priority class for addons daemonsets | `any` | `{}` | no |
| [prometheus-adapter](#input\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |
| [prometheus-blackbox-exporter](#input\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
| [promtail](#input\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
| [reloader](#input\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |
| [scaleway](#input\_scaleway) | Scaleway provider customization | `any` | `{}` | no |
| [sealed-secrets](#input\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
| [secrets-store-csi-driver](#input\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |
| [tags](#input\_tags) | Map of tags for Scaleway resources | `map(any)` | `{}` | no |
| [thanos](#input\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-memcached](#input\_thanos-memcached) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-receive](#input\_thanos-receive) | Customize thanos chart, see `thanos-receive.tf` for supported values | `any` | `{}` | no |
| [thanos-storegateway](#input\_thanos-storegateway) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-tls-querier](#input\_thanos-tls-querier) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
| [thanos-tls-querier-ca-cert](#input\_thanos-tls-querier-ca-cert) | TLS CA certificate, used to generate the client mTLS materials | `string` | `""` | no |
| [thanos-tls-querier-ca-private-key](#input\_thanos-tls-querier-ca-private-key) | TLS CA private key, used to generate the client mTLS materials | `string` | `""` | no |
| [tigera-operator](#input\_tigera-operator) | Customize tigera-operator chart, see `tigera-operator.tf` for supported values | `any` | `{}` | no |
| [traefik](#input\_traefik) | Customize traefik chart, see `traefik.tf` for supported values | `any` | `{}` | no |
| [velero](#input\_velero) | Customize velero chart, see `velero.tf` for supported values | `any` | `{}` | no |
| [victoria-metrics-k8s-stack](#input\_victoria-metrics-k8s-stack) | Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values | `any` | `{}` | no |
## Outputs
| Name | Description |
| ---- | ----------- |
| [grafana\_password](#output\_grafana\_password) | n/a |
| [loki-stack-ca](#output\_loki-stack-ca) | n/a |
| [promtail-cert](#output\_promtail-cert) | n/a |
| [promtail-key](#output\_promtail-key) | n/a |
| [thanos\_ca](#output\_thanos\_ca) | n/a |
================================================
FILE: modules/scaleway/cert-manager.tf
================================================
locals {
cert-manager = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].version
namespace = "cert-manager"
service_account_name = "cert-manager"
enabled = false
default_network_policy = true
acme_email = "contact@acme.com"
acme_http01_enabled = false
acme_http01_ingress_class = "nginx"
acme_dns01_enabled = false
acme_dns01_provider = ""
acme_dns01_hosted_zone_id = ""
acme_dns01_aws_secret = ""
acme_dns01_aws_access_key_id = ""
acme_dns01_aws_access_key_secret = ""
acme_dns01_region = ""
acme_dns01_google_project = ""
acme_dns01_google_secret = ""
acme_dns01_google_service_account_key = ""
allowed_cidrs = ["0.0.0.0/0"]
csi_driver = false
},
var.cert-manager
)
cert-manager_scaleway_webhook_dns = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "scaleway-webhook")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "scaleway-webhook")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "scaleway-webhook")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "scaleway-webhook")].version
enabled = local.cert-manager["acme_dns01_enabled"] && local.cert-manager["enabled"]
secret_name = "scaleway-credentials"
},
var.cert-manager_scaleway_webhook_dns
)
values_cert-manager = < merge(
local.helm_defaults,
{
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].version
name = "${local.thanos["name"]}-storegateway-${k}"
create_iam_resources_irsa = true
iam_policy_override = null
enabled = false
default_global_requests = false
default_global_limits = false
bucket = null
region = null
},
v,
) }
values_thanos-storegateway = { for k, v in local.thanos-storegateway : k => merge(
{
values = <<-VALUES
global:
security:
allowInsecureImages: true
image:
registry: quay.io
repository: thanos/thanos
tag: v0.37.2
objstoreConfig:
type: S3
config:
bucket: ${v["bucket"]}
region: ${v["region"] == null ? local.scaleway["region"] : v["region"]}
endpoint: s3.${v["region"] == null ? local.scaleway["region"] : v["region"]}.scw.cloud
signature_version2: false
access_key: ${local.scaleway["scw_access_key"]}
secret_key: ${local.scaleway["scw_secret_key"]}
metrics:
enabled: true
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"] ? "true" : "false"}
query:
enabled: false
queryFrontend:
enabled: false
compactor:
enabled: false
storegateway:
replicaCount: 2
extraFlags:
- --ignore-deletion-marks-delay=24h
enabled: true
pdb:
create: true
minAvailable: 1
VALUES
},
v,
) }
}
resource "helm_release" "thanos-storegateway" {
for_each = { for k, v in local.thanos-storegateway : k => v if v["enabled"] }
repository = each.value["repository"]
name = each.value["name"]
chart = each.value["chart"]
version = each.value["chart_version"]
timeout = each.value["timeout"]
force_update = each.value["force_update"]
recreate_pods = each.value["recreate_pods"]
wait = each.value["wait"]
atomic = each.value["atomic"]
cleanup_on_fail = each.value["cleanup_on_fail"]
dependency_update = each.value["dependency_update"]
disable_crd_hooks = each.value["disable_crd_hooks"]
disable_webhooks = each.value["disable_webhooks"]
render_subchart_notes = each.value["render_subchart_notes"]
replace = each.value["replace"]
reset_values = each.value["reset_values"]
reuse_values = each.value["reuse_values"]
skip_crds = each.value["skip_crds"]
verify = each.value["verify"]
values = compact([
local.values_thanos-storegateway[each.key]["values"],
each.value["default_global_requests"] ? local.values_thanos_global_requests : null,
each.value["default_global_limits"] ? local.values_thanos_global_limits : null,
each.value["extra_values"]
])
namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos["namespace"]
depends_on = [
helm_release.kube-prometheus-stack,
]
}
================================================
FILE: modules/scaleway/thanos-tls-querier.tf
================================================
locals {
thanos-tls-querier = { for k, v in var.thanos-tls-querier : k => merge(
local.helm_defaults,
{
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].version
name = "${local.thanos["name"]}-tls-querier-${k}"
enabled = false
generate_cert = local.thanos["generate_ca"]
client_server_name = ""
## This default to Let's encrypt X1 root CA
grpc_client_tls_ca_pem = <<-EOV
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
EOV
stores = []
default_global_requests = false
default_global_limits = false
},
v,
) }
values_thanos-tls-querier = { for k, v in local.thanos-tls-querier : k => merge(
{
values = <<-VALUES
global:
security:
allowInsecureImages: true
image:
registry: quay.io
repository: thanos/thanos
tag: v0.37.2
metrics:
enabled: true
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"] ? "true" : "false"}
query:
replicaCount: 2
extraFlags:
- --query.timeout=5m
- --query.lookback-delta=15m
- --query.replica-label=rule_replica
enabled: true
dnsDiscovery:
enabled: false
pdb:
create: true
minAvailable: 1
grpc:
client:
servername: ${v["client_server_name"]}
tls:
enabled: ${v["generate_cert"]}
key: |
${indent(10, v["generate_cert"] ? tls_private_key.thanos-tls-querier-cert-key[k].private_key_pem : "")}
cert: |
${indent(10, v["generate_cert"] ? tls_locally_signed_cert.thanos-tls-querier-cert[k].cert_pem : "")}
ca: |
${indent(10, v["generate_cert"] ? v["grpc_client_tls_ca_pem"] : "")}
stores: ${jsonencode(v["stores"])}
queryFrontend:
enabled: false
compactor:
enabled: false
storegateway:
enabled: false
VALUES
},
v,
) }
}
resource "helm_release" "thanos-tls-querier" {
for_each = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] }
repository = each.value["repository"]
name = each.value["name"]
chart = each.value["chart"]
version = each.value["chart_version"]
timeout = each.value["timeout"]
force_update = each.value["force_update"]
recreate_pods = each.value["recreate_pods"]
wait = each.value["wait"]
atomic = each.value["atomic"]
cleanup_on_fail = each.value["cleanup_on_fail"]
dependency_update = each.value["dependency_update"]
disable_crd_hooks = each.value["disable_crd_hooks"]
disable_webhooks = each.value["disable_webhooks"]
render_subchart_notes = each.value["render_subchart_notes"]
replace = each.value["replace"]
reset_values = each.value["reset_values"]
reuse_values = each.value["reuse_values"]
skip_crds = each.value["skip_crds"]
verify = each.value["verify"]
values = compact([
local.values_thanos-tls-querier[each.key]["values"],
each.value["default_global_requests"] ? local.values_thanos_global_requests : null,
each.value["default_global_limits"] ? local.values_thanos_global_limits : null,
each.value["extra_values"]
])
namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos["namespace"]
depends_on = [
helm_release.kube-prometheus-stack,
]
}
resource "tls_private_key" "thanos-tls-querier-cert-key" {
for_each = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] && v["generate_cert"] }
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_cert_request" "thanos-tls-querier-cert-csr" {
for_each = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] && v["generate_cert"] }
private_key_pem = tls_private_key.thanos-tls-querier-cert-key[each.key].private_key_pem
subject {
common_name = each.key
}
dns_names = [
each.key
]
}
resource "tls_locally_signed_cert" "thanos-tls-querier-cert" {
for_each = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] && v["generate_cert"] }
cert_request_pem = tls_cert_request.thanos-tls-querier-cert-csr[each.key].cert_request_pem
ca_private_key_pem = tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem
ca_cert_pem = tls_self_signed_cert.thanos-tls-querier-ca-cert[0].cert_pem
validity_period_hours = 8760
allowed_uses = [
"key_encipherment",
"digital_signature",
"client_auth"
]
}
================================================
FILE: modules/scaleway/thanos.tf
================================================
locals {
thanos = merge(
local.helm_defaults,
{
name = "thanos"
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].name
repository = ""
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].version
namespace = "monitoring"
iam_policy_override = null
create_ns = false
enabled = false
default_network_policy = true
default_global_requests = false
default_global_limits = false
create_bucket = false
bucket = "thanos-store-${var.cluster-name}"
generate_ca = false
trusted_ca_content = null
},
var.thanos
)
values_thanos = <<-VALUES
global:
security:
allowInsecureImages: true
image:
registry: quay.io
repository: thanos/thanos
tag: v0.37.2
receive:
enabled: false
pdb:
create: true
minAvailable: 1
metrics:
enabled: true
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"] ? "true" : "false"}
query:
extraFlags:
- --query.timeout=5m
- --query.lookback-delta=15m
- --query.replica-label=rule_replica
replicaCount: 2
replicaLabel:
- prometheus_replica
enabled: true
dnsDiscovery:
enabled: true
sidecarsService: ${local.kube-prometheus-stack["name"]}-thanos-discovery
sidecarsNamespace: "${local.kube-prometheus-stack["namespace"]}"
pdb:
create: true
minAvailable: 1
stores: ${jsonencode(concat([for k, v in local.thanos-tls-querier : "dnssrv+_grpc._tcp.${v["name"]}-query-grpc.${local.thanos["namespace"]}.svc.cluster.local"], [for k, v in local.thanos-storegateway : "dnssrv+_grpc._tcp.${v["name"]}-storegateway.${local.thanos["namespace"]}.svc.cluster.local"]))}
queryFrontend:
extraFlags:
- --query-frontend.compress-responses
- --query-range.split-interval=12h
- --labels.split-interval=12h
- --query-range.max-retries-per-request=10
- --labels.max-retries-per-request=10
- --query-frontend.log-queries-longer-than=10s
replicaCount: 2
enabled: true
pdb:
create: true
minAvailable: 1
compactor:
extraFlags:
- --deduplication.replica-label=prometheus_replica
- --deduplication.replica-label=rule_replica
strategyType: Recreate
enabled: true
storegateway:
extraFlags:
- --ignore-deletion-marks-delay=24h
replicaCount: 2
enabled: true
pdb:
create: true
minAvailable: 1
VALUES
values_thanos_caching = <<-VALUES
queryFrontend:
extraFlags:
- --query-frontend.compress-responses
- --query-range.split-interval=12h
- --labels.split-interval=12h
- --query-range.max-retries-per-request=10
- --labels.max-retries-per-request=10
- --query-frontend.log-queries-longer-than=10s
- |-
--query-range.response-cache-config="config":
"addresses":
- "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
"dns_provider_update_interval": "10s"
"max_async_buffer_size": 10000
"max_async_concurrency": 20
"max_get_multi_batch_size": 0
"max_get_multi_concurrency": 100
"max_idle_connections": 100
"timeout": "500ms"
"type": "memcached"
- |-
--labels.response-cache-config="config":
"addresses":
- "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
"dns_provider_update_interval": "10s"
"max_async_buffer_size": 10000
"max_async_concurrency": 20
"max_get_multi_batch_size": 0
"max_get_multi_concurrency": 100
"max_idle_connections": 100
"timeout": "500ms"
"type": "memcached"
storegateway:
extraFlags:
- --ignore-deletion-marks-delay=24h
- |-
--index-cache.config="config":
"addresses":
- "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
"dns_provider_update_interval": "10s"
"max_async_buffer_size": 10000
"max_async_concurrency": 20
"max_get_multi_batch_size": 0
"max_get_multi_concurrency": 100
"max_idle_connections": 100
"max_item_size": "1MiB"
"timeout": "500ms"
"type": "memcached"
- |-
--store.caching-bucket.config="blocks_iter_ttl": "5m"
"chunk_object_attrs_ttl": "24h"
"chunk_subrange_size": 16000
"chunk_subrange_ttl": "24h"
"config":
"addresses":
- "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
"dns_provider_update_interval": "10s"
"max_async_buffer_size": 10000
"max_async_concurrency": 20
"max_get_multi_batch_size": 0
"max_get_multi_concurrency": 100
"max_idle_connections": 100
"max_item_size": "1MiB"
"timeout": "500ms"
"max_chunks_get_range_requests": 3
"metafile_content_ttl": "24h"
"metafile_doesnt_exist_ttl": "15m"
"metafile_exists_ttl": "2h"
"metafile_max_size": "1MiB"
"type": "memcached"
VALUES
values_store_config = <<-VALUES
objstoreConfig:
type: S3
config:
bucket: ${local.kube-prometheus-stack["thanos_bucket"]}
region: ${local.kube-prometheus-stack["thanos_bucket_region"]}
endpoint: s3.${local.kube-prometheus-stack["thanos_bucket_region"]}.scw.cloud
access_key: ${local.scaleway["scw_access_key"]}
secret_key: ${local.scaleway["scw_secret_key"]}
signature_version2: false
VALUES
values_thanos_global_requests = <<-VALUES
query:
resources:
requests:
cpu: 25m
memory: 32Mi
queryFrontend:
resources:
requests:
cpu: 25m
memory: 32Mi
compactor:
resources:
requests:
cpu: 50m
memory: 258Mi
storegateway:
resources:
requests:
cpu: 25m
memory: 64Mi
VALUES
values_thanos_global_limits = <<-VALUES
query:
resources:
limits:
memory: 128Mi
queryFrontend:
resources:
limits:
memory: 64Mi
compactor:
resources:
limits:
memory: 2Gi
storegateway:
resources:
limits:
memory: 1Gi
VALUES
}
resource "scaleway_object_bucket" "thanos_bucket" {
count = local.thanos["enabled"] && local.thanos["create_bucket"] ? 1 : 0
name = local.thanos["bucket"]
}
resource "scaleway_object_bucket_acl" "thanos_bucket_acl" {
count = local.thanos["enabled"] && local.thanos["create_bucket"] ? 1 : 0
bucket = scaleway_object_bucket.thanos_bucket.0.id
acl = "private"
}
resource "kubernetes_namespace" "thanos" {
count = local.thanos["enabled"] && local.thanos["create_ns"] ? 1 : 0
metadata {
labels = {
name = local.thanos["namespace"]
"${local.labels_prefix}/component" = "monitoring"
}
name = local.thanos["namespace"]
}
}
resource "helm_release" "thanos" {
count = local.thanos["enabled"] ? 1 : 0
repository = local.thanos["repository"]
name = local.thanos["name"]
chart = local.thanos["chart"]
version = local.thanos["chart_version"]
timeout = local.thanos["timeout"]
force_update = local.thanos["force_update"]
recreate_pods = local.thanos["recreate_pods"]
wait = local.thanos["wait"]
atomic = local.thanos["atomic"]
cleanup_on_fail = local.thanos["cleanup_on_fail"]
dependency_update = local.thanos["dependency_update"]
disable_crd_hooks = local.thanos["disable_crd_hooks"]
disable_webhooks = local.thanos["disable_webhooks"]
render_subchart_notes = local.thanos["render_subchart_notes"]
replace = local.thanos["replace"]
reset_values = local.thanos["reset_values"]
reuse_values = local.thanos["reuse_values"]
skip_crds = local.thanos["skip_crds"]
verify = local.thanos["verify"]
values = compact([
local.values_thanos,
local.values_store_config,
local.thanos["default_global_requests"] ? local.values_thanos_global_requests : null,
local.thanos["default_global_limits"] ? local.values_thanos_global_limits : null,
local.thanos-memcached["enabled"] ? local.values_thanos_caching : null,
local.thanos["extra_values"]
])
namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos["namespace"]
depends_on = [
helm_release.kube-prometheus-stack,
helm_release.thanos-memcached
]
}
resource "tls_private_key" "thanos-tls-querier-ca-key" {
count = local.thanos["generate_ca"] ? 1 : 0
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_self_signed_cert" "thanos-tls-querier-ca-cert" {
count = local.thanos["generate_ca"] ? 1 : 0
private_key_pem = tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem
is_ca_certificate = true
subject {
common_name = var.cluster-name
organization = var.cluster-name
}
validity_period_hours = 87600
allowed_uses = [
"cert_signing"
]
}
resource "kubernetes_secret" "thanos-ca" {
count = local.thanos["enabled"] && (local.thanos["generate_ca"] || local.thanos["trusted_ca_content"] != null) ? 1 : 0
metadata {
name = "${local.thanos["name"]}-ca"
namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos["namespace"]
}
data = {
"ca.crt" = local.thanos["generate_ca"] ? tls_self_signed_cert.thanos-tls-querier-ca-cert[count.index].cert_pem : local.thanos["trusted_ca_content"]
}
}
output "thanos_ca" {
value = element(concat(tls_self_signed_cert.thanos-tls-querier-ca-cert[*].cert_pem, [""]), 0)
}
================================================
FILE: modules/scaleway/variables-scaleway.tf
================================================
variable "scaleway" {
description = "Scaleway provider customization"
type = any
default = {}
}
variable "kapsule" {
description = "Kapsule cluster inputs"
type = any
default = {}
}
variable "cert-manager_scaleway_webhook_dns" {
description = "Scaleway webhook dns customization"
type = any
default = {}
}
variable "tags" {
description = "Map of tags for Scaleway resources"
type = map(any)
default = {}
}
================================================
FILE: modules/scaleway/velero.tf
================================================
locals {
velero = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].version
namespace = "velero"
service_account_name = "velero"
enabled = false
create_bucket = true
bucket = "${var.cluster-name}-velero"
bucket_force_destroy = false
default_network_policy = true
name_prefix = "${var.cluster-name}-velero"
secret_name = "velero-scaleway-credentials"
},
var.velero
)
values_velero = < v.content } : {}
yaml_body = each.value
server_side_apply = true
force_conflicts = true
}
resource "kubectl_manifest" "calico_crds" {
for_each = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? { for v in local.calico_crds_apply : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content } : {}
yaml_body = each.value
server_side_apply = true
force_conflicts = true
}
resource "kubernetes_namespace" "tigera-operator" {
count = local.tigera-operator["enabled"] && local.tigera-operator["create_ns"] ? 1 : 0
metadata {
labels = {
name = local.tigera-operator["namespace"]
"${local.labels_prefix}/component" = "tigera-operator"
}
name = local.tigera-operator["namespace"]
}
}
resource "helm_release" "tigera-operator" {
count = local.tigera-operator["enabled"] ? 1 : 0
repository = local.tigera-operator["repository"]
name = local.tigera-operator["name"]
chart = local.tigera-operator["chart"]
version = local.tigera-operator["chart_version"]
timeout = local.tigera-operator["timeout"]
force_update = local.tigera-operator["force_update"]
recreate_pods = local.tigera-operator["recreate_pods"]
wait = local.tigera-operator["wait"]
atomic = local.tigera-operator["atomic"]
cleanup_on_fail = local.tigera-operator["cleanup_on_fail"]
dependency_update = local.tigera-operator["dependency_update"]
disable_crd_hooks = local.tigera-operator["disable_crd_hooks"]
disable_webhooks = local.tigera-operator["disable_webhooks"]
render_subchart_notes = local.tigera-operator["render_subchart_notes"]
replace = local.tigera-operator["replace"]
reset_values = local.tigera-operator["reset_values"]
reuse_values = local.tigera-operator["reuse_values"]
skip_crds = local.tigera-operator["skip_crds"]
verify = local.tigera-operator["verify"]
values = [
local.values_tigera-operator,
local.tigera-operator["extra_values"]
]
namespace = local.tigera-operator["create_ns"] ? kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index] : local.tigera-operator["namespace"]
depends_on = [
kubectl_manifest.prometheus-operator_crds
]
}
resource "kubernetes_network_policy" "tigera-operator_default_deny" {
count = local.tigera-operator["create_ns"] && local.tigera-operator["enabled"] && local.tigera-operator["default_network_policy"] ? 1 : 0
metadata {
name = "${kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]}-default-deny"
namespace = kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]
}
spec {
pod_selector {
}
policy_types = ["Ingress"]
}
}
resource "kubernetes_network_policy" "tigera-operator_allow_namespace" {
count = local.tigera-operator["create_ns"] && local.tigera-operator["enabled"] && local.tigera-operator["default_network_policy"] ? 1 : 0
metadata {
name = "${kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]}-allow-namespace"
namespace = kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]
}
spec {
pod_selector {
}
ingress {
from {
namespace_selector {
match_labels = {
name = kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]
}
}
}
}
policy_types = ["Ingress"]
}
}
================================================
FILE: traefik.tf
================================================
locals {
traefik = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "traefik")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "traefik")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "traefik")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "traefik")].version
namespace = "traefik"
enabled = false
ingress_cidrs = ["0.0.0.0/0"]
default_network_policy = true
manage_crds = true
},
var.traefik
)
values_traefik = <