feat: support for bottlerocket provisioning (#845)

* test arm * remove atlantis custom image * support arm images * multi arch support for toolkit * add ecr * add arm-amd image * change to org toolkit image * tag specific version * add bottlerocket for gitlab * add ssm access * tag bitnami
konstructio · Dec 19, 2024 · e39b544 · e39b544
1 parent 45c30d4
commit e39b544
Show file tree

Hide file tree

Showing 38 changed files with 104 additions and 48 deletions.
diff --git a/aws-github/templates/mgmt/components/actions-runner-controller/wait.yaml b/aws-github/templates/mgmt/components/actions-runner-controller/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - github-runner
             - --label
             - app.kubernetes.io/name=actions-runner-controller
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-github/templates/mgmt/components/argo-workflows/ecr-publish-permissions-sync.yaml b/aws-github/templates/mgmt/components/argo-workflows/ecr-publish-permissions-sync.yaml
@@ -66,7 +66,7 @@ spec:
           restartPolicy: OnFailure
           containers:
             - name: ecr-publish-permissions-sync
-              image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+              image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
               imagePullPolicy: IfNotPresent
               args:
                 - sync-ecr-token

diff --git a/aws-github/templates/mgmt/components/argo-workflows/wait.yaml b/aws-github/templates/mgmt/components/argo-workflows/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - argo
             - --label
             - app.kubernetes.io/name=argo-workflow-controller
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure
@@ -77,7 +77,7 @@ spec:
             - argo
             - --label
             - app.kubernetes.io/name=argo-server
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml b/aws-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml
@@ -39,7 +39,7 @@ spec:
             - vault-tls
             - --timeout-seconds
             - '3600'
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-github/templates/mgmt/components/argocd/argocd-oidc-restart-job.yaml b/aws-github/templates/mgmt/components/argocd/argocd-oidc-restart-job.yaml
@@ -51,7 +51,7 @@ spec:
     spec:
       containers:
         - name: argocd-oidc-restart-job
-          image: public.ecr.aws/bitnami/kubectl:1.28
+          image: docker.io/bitnami/kubectl:1.28
           command: ["/bin/sh", "-c"]
           args:
             - echo "Give me time to think" && sleep 15;

diff --git a/aws-github/templates/mgmt/components/atlantis/application.yaml b/aws-github/templates/mgmt/components/atlantis/application.yaml
@@ -13,9 +13,6 @@ spec:
     targetRevision: 4.11.2
     helm:
       values: |-
-        image:
-          repository: public.ecr.aws/kubefirst/atlantis
-          tag: "0.0.5"
         statefulSet:
           annotations:
             secret.reloader.stakater.com/reload: "atlantis-secrets"

diff --git a/aws-github/templates/mgmt/components/atlantis/wait.yaml b/aws-github/templates/mgmt/components/atlantis/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - atlantis
             - --label
             - app=atlantis
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-github/templates/mgmt/components/chartmuseum/wait.yaml b/aws-github/templates/mgmt/components/chartmuseum/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - chartmuseum
             - --label
             - app.kubernetes.io/name=chartmuseum
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-github/templates/mgmt/components/cluster-secret-store/wait.yaml b/aws-github/templates/mgmt/components/cluster-secret-store/wait.yaml
@@ -30,11 +30,11 @@ spec:
     spec:
       containers:
       - name: wait
-        image: public.ecr.aws/bitnami/kubectl:1.24
+        image: docker.io/bitnami/kubectl:1.28
         command:
         - /bin/sh
         - -c
         - |
           while ! kubectl get clustersecretstore/vault-kv-secret --namespace external-secrets-operator; do echo "waiting for external secrets store to be valid, sleeping 5 seconds"; sleep 5; done
       restartPolicy: OnFailure
-      serviceAccountName: eso-clustersecretstore
+      serviceAccountName: eso-clustersecretstore
diff --git a/aws-github/templates/mgmt/components/external-dns/wait.yaml b/aws-github/templates/mgmt/components/external-dns/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - external-dns
             - --label
             - app.kubernetes.io/name=external-dns
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: kubernetes-toolkit
       restartPolicy: OnFailure

diff --git a/aws-github/templates/mgmt/components/external-secrets-operator/wait.yaml b/aws-github/templates/mgmt/components/external-secrets-operator/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - external-secrets-operator
             - --label
             - app.kubernetes.io/name=external-secrets-cert-controller
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure
@@ -76,7 +76,7 @@ spec:
             - external-secrets-operator
             - --label
             - app.kubernetes.io/name=external-secrets
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure
@@ -100,7 +100,7 @@ spec:
             - external-secrets-operator
             - --label
             - app.kubernetes.io/name=external-secrets-webhook
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-github/templates/mgmt/components/ingress-nginx/wait.yaml b/aws-github/templates/mgmt/components/ingress-nginx/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - ingress-nginx
             - --label
             - app.kubernetes.io/name=ingress-nginx
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-github/templates/mgmt/components/kubefirst/wait.yaml b/aws-github/templates/mgmt/components/kubefirst/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - kubefirst
             - --label
             - app.kubernetes.io/name=kubefirst-pro-ui
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-github/templates/mgmt/components/reloader/wait.yaml b/aws-github/templates/mgmt/components/reloader/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - reloader
             - --label
             - app=reloader-reloader
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-github/templates/mgmt/components/vault/wait.yaml b/aws-github/templates/mgmt/components/vault/wait.yaml
@@ -54,7 +54,7 @@ spec:
         - args:
             - wait-for
             - vault-unseal
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure
@@ -74,7 +74,7 @@ spec:
         - args:
             - wait-for
             - vault-init-complete
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
           env:

diff --git a/aws-github/templates/workload-cluster/infrastructure-bootstrap/wait.yaml b/aws-github/templates/workload-cluster/infrastructure-bootstrap/wait.yaml
@@ -11,7 +11,7 @@ spec:
       serviceAccountName: argocd-server
       containers:
       - name: wait
-        image: bitnami/kubectl:1.25.12
+        image: docker.io/bitnami/kubectl:1.28
         command:
         - /bin/sh
         - -c

diff --git a/aws-github/templates/workload-cluster/infrastructure/wait.yaml b/aws-github/templates/workload-cluster/infrastructure/wait.yaml
@@ -11,7 +11,7 @@ spec:
       serviceAccountName: argocd-server
       containers:
       - name: wait
-        image: bitnami/kubectl:1.25.12
+        image: docker.io/bitnami/kubectl:1.28
         command:
         - /bin/sh
         - -c

diff --git a/aws-github/templates/workload-cluster/infrastructure/workspace.yaml b/aws-github/templates/workload-cluster/infrastructure/workspace.yaml
@@ -17,3 +17,7 @@ spec:
       value: "<WORKLOAD_NODE_COUNT>"
     - key: node_type
       value: "<WORKLOAD_NODE_TYPE>"
+    - key: ami_type
+      value: "<WORKLOAD_AMI_TYPE>"
+
+
diff --git a/aws-github/terraform/aws/eks/main.tf b/aws-github/terraform/aws/eks/main.tf
@@ -75,7 +75,7 @@ module "eks" {
   control_plane_subnet_ids = module.vpc.intra_subnets
 
   eks_managed_node_group_defaults = {
-    ami_type       = "AL2_x86_64"
+    ami_type       = "<AMI_TYPE>"
     instance_types = ["<NODE_TYPE>"]
 
     # We are using the IRSA created below for permissions
@@ -610,13 +610,34 @@ resource "aws_iam_policy" "external_dns" {
 EOT
 }
 
+resource "aws_iam_policy" "ssm_access_policy" {
+  name = "kubefirst-pro-api-ssm-access"
+  description = "Policy to allow SSM actions for kubefirst-pro-api"
+  policy = jsondecode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid = "Statement1",
+        Effect = "Allow",
+        Action = [
+          "ssm:*"
+        ],
+        Resource = [
+          "*"
+        ]
+      }
+    ]
+  })
+}
+
 module "kubefirst_api" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
   version = "5.40.0"
 
   role_name = "kubefirst-pro-api-${local.name}"
   role_policy_arns = {
     kubefirst = "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
+    ssm = aws_iam_policy.ssm_access_policy.arn
   }
   assume_role_condition_test = "StringLike"
   allow_self_assume_role     = true
@@ -626,7 +647,6 @@ module "kubefirst_api" {
       namespace_service_accounts = ["kubefirst:kubefirst-pro-api"]
     }
   }
-
   tags = local.tags
 }
 

diff --git a/aws-github/terraform/aws/modules/workload-cluster/main.tf b/aws-github/terraform/aws/modules/workload-cluster/main.tf
@@ -65,7 +65,7 @@ module "eks" {
   control_plane_subnet_ids = module.vpc.intra_subnets
 
   eks_managed_node_group_defaults = {
-    ami_type       = "AL2_x86_64"
+    ami_type       = var.ami_type
     instance_types = [var.node_type]
     # We are using the IRSA created below for permissions
     # However, we have to deploy with the policy attached FIRST (when creating a fresh cluster)

diff --git a/aws-github/terraform/aws/modules/workload-cluster/variables.tf b/aws-github/terraform/aws/modules/workload-cluster/variables.tf
@@ -19,3 +19,9 @@ variable "node_type" {
   default     = "t3.medium"
   type        = string
 }
+
+variable "ami_type" {
+  description = "the ami type for node group"
+  default = "AL2_x86_64"
+  type = string
+}
diff --git a/aws-gitlab/templates/mgmt/components/actions-runner-controller/wait.yaml b/aws-gitlab/templates/mgmt/components/actions-runner-controller/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - github-runner
             - --label
             - app.kubernetes.io/name=actions-runner-controller
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-gitlab/templates/mgmt/components/argo-workflows/ecr-publish-permissions-sync.yaml b/aws-gitlab/templates/mgmt/components/argo-workflows/ecr-publish-permissions-sync.yaml
@@ -66,7 +66,7 @@ spec:
           restartPolicy: OnFailure
           containers:
             - name: ecr-publish-permissions-sync
-              image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+              image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
               imagePullPolicy: IfNotPresent
               args:
                 - sync-ecr-token

diff --git a/aws-gitlab/templates/mgmt/components/argo-workflows/wait.yaml b/aws-gitlab/templates/mgmt/components/argo-workflows/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - argo
             - --label
             - app.kubernetes.io/name=argo-workflow-controller
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure
@@ -77,7 +77,7 @@ spec:
             - argo
             - --label
             - app.kubernetes.io/name=argo-server
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml b/aws-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml
@@ -39,7 +39,7 @@ spec:
             - vault-tls
             - --timeout-seconds
             - '3600'
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-gitlab/templates/mgmt/components/argocd/argocd-oidc-restart-job.yaml b/aws-gitlab/templates/mgmt/components/argocd/argocd-oidc-restart-job.yaml
@@ -51,7 +51,7 @@ spec:
     spec:
       containers:
         - name: argocd-oidc-restart-job
-          image: public.ecr.aws/bitnami/kubectl:1.28
+          image: docker.io/bitnami/kubectl:1.28
           command: ["/bin/sh", "-c"]
           args:
             - echo "Give me time to think" && sleep 15;

diff --git a/aws-gitlab/templates/mgmt/components/atlantis/wait.yaml b/aws-gitlab/templates/mgmt/components/atlantis/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - atlantis
             - --label
             - app=atlantis
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-gitlab/templates/mgmt/components/chartmuseum/wait.yaml b/aws-gitlab/templates/mgmt/components/chartmuseum/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - chartmuseum
             - --label
             - app.kubernetes.io/name=chartmuseum
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure

diff --git a/aws-gitlab/templates/mgmt/components/cluster-secret-store/wait.yaml b/aws-gitlab/templates/mgmt/components/cluster-secret-store/wait.yaml
@@ -30,11 +30,11 @@ spec:
     spec:
       containers:
       - name: wait
-        image: public.ecr.aws/bitnami/kubectl:1.24
+        image: docker.io/bitnami/kubectl:1.28
         command:
         - /bin/sh
         - -c
         - |
           while ! kubectl get clustersecretstore/vault-kv-secret --namespace external-secrets-operator; do echo "waiting for external secrets store to be valid, sleeping 5 seconds"; sleep 5; done
       restartPolicy: OnFailure
-      serviceAccountName: eso-clustersecretstore
+      serviceAccountName: eso-clustersecretstore
diff --git a/aws-gitlab/templates/mgmt/components/external-dns/wait.yaml b/aws-gitlab/templates/mgmt/components/external-dns/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - external-dns
             - --label
             - app.kubernetes.io/name=external-dns
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: kubernetes-toolkit
       restartPolicy: OnFailure

diff --git a/aws-gitlab/templates/mgmt/components/external-secrets-operator/wait.yaml b/aws-gitlab/templates/mgmt/components/external-secrets-operator/wait.yaml
@@ -52,7 +52,7 @@ spec:
             - external-secrets-operator
             - --label
             - app.kubernetes.io/name=external-secrets-cert-controller
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure
@@ -76,7 +76,7 @@ spec:
             - external-secrets-operator
             - --label
             - app.kubernetes.io/name=external-secrets
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure
@@ -100,7 +100,7 @@ spec:
             - external-secrets-operator
             - --label
             - app.kubernetes.io/name=external-secrets-webhook
-          image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+          image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
           imagePullPolicy: IfNotPresent
           name: wait
       restartPolicy: OnFailure