terraform: add aws-eks-operator #44
base: main
Conversation
@rajsinghtech, I'd appreciate your review when you have a chance.
Pull request overview
This PR adds a new Terraform module for deploying an AWS EKS cluster with the Tailscale Kubernetes operator, enabling secure cluster access through Tailscale's mesh network.
- Introduces a complete Terraform configuration for EKS with Tailscale operator integration
- Configures provider authentication using AWS EKS token-based authentication
- Includes comprehensive documentation with deployment and verification instructions
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| terraform/aws/aws-eks-operator/versions.tf | Defines Terraform version constraints and configures AWS, Kubernetes, and Helm providers with EKS authentication |
| terraform/aws/aws-eks-operator/variables.tf | Declares Tailscale OAuth credentials as sensitive variables with validation rules |
| terraform/aws/aws-eks-operator/outputs.tf | Exports VPC ID, cluster name, namespace, and kubeconfig commands for cluster access |
| terraform/aws/aws-eks-operator/main.tf | Implements the main infrastructure including VPC, EKS cluster, and Tailscale operator Helm deployment |
| terraform/aws/aws-eks-operator/README.md | Provides comprehensive documentation for prerequisites, deployment steps, and verification procedures |
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 12 comments.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
Co-authored-by: Copilot <[email protected]>
…ples-infrastructure-as-code into clstokes/eks-operator
Looks pretty good, thanks @clstokes. There is much more we could expand on here, for example running a kind: Connector resource and advertising the pod and service CIDRs via an app connector for the cluster domain of
Will approve for now, but please review the feedback 🥇
```hcl
  }
  apiServerProxyConfig = {
    mode = true
    tags = "tag:k8s-operator,tag:k8s-api-server"
```
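Review bot: both `tags` and the bare boolean `mode = true` in this `apiServerProxyConfig` block will pass `terraform apply` without any error, because Helm only validates values against a chart when that chart ships a values schema, and `yamlencode` serialises whatever HCL it is handed. Before depending on any key in this map, render the release and compare it against the chart's own values.yaml (the file linked in the review comment), for example with `helm show values` on the chart being installed or `helm template` on the rendered release, and treat any key that has no counterpart there as a bug rather than an override.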
Why are you setting tag here? This field doesn't even exist, please see https://github.com/tailscale/tailscale/blob/main/cmd/k8s-operator/deploy/chart/values.yaml#L131
In addition, tag:k8s-api-server is outside the scope of the tags we document.
```hcl
  yamlencode({
    operatorConfig = {
      image = {
        repo = "tailscale/k8s-operator"
```
Suggested change:
```diff
-repo = "tailscale/k8s-operator"
+repository = "tailscale/k8s-operator"
```
https://github.com/tailscale/tailscale/blob/main/cmd/k8s-operator/deploy/chart/values.yaml#L52
In Helm you can fill the values with keys that don't exist and things will silently still work, so you likely weren't running into issues for that reason.
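Because Helm accepts any key it is handed, mistakes like `operatorConfig.image.repo` and `apiServerProxyConfig.tags` are only caught by a reviewer who knows the chart. The checker below is an added example, not code from this PR or from the Tailscale project: it walks the values you intend to pass to `helm_release`, reports every key path that the chart's default values never define, and flags leaves whose type differs from the default (the bare HCL boolean `mode = true` against a chart that documents a quoted string). `CHART_DEFAULTS` is a constructed, abridged stand-in for the operator chart's values.yaml covering only the keys this review mentions; in practice you would load the real file (for instance the output of `helm show values` for the chart) with a YAML parser. `PR_VALUES` reproduces the keys visible in this review with the bugs left in, and `FIXED_VALUES` applies the reviewer's suggestions.

```python
"""Report Helm values keys that the chart does not define.

Helm does not validate values against a chart unless the chart ships a
values.schema.json, so a misspelled key (``repo`` for ``repository``) is
silently ignored and the chart default is used instead.
"""
from typing import Any, Dict, Iterator, List, Tuple

# Constructed, abridged stand-in for the operator chart's default values.yaml.
# Only keys discussed in the review are included; the real file has many more.
CHART_DEFAULTS: Dict[str, Any] = {
    "operatorConfig": {
        "image": {"repository": "tailscale/k8s-operator", "tag": ""},
        "hostname": "tailscale-operator",
        "defaultTags": ["tag:k8s-operator"],
    },
    "apiServerProxyConfig": {
        "mode": "false",
        "allowImpersonation": "false",
    },
}

# Values as written in the PR under review (constructed; bugs intentionally kept).
PR_VALUES: Dict[str, Any] = {
    "operatorConfig": {
        "image": {"repo": "tailscale/k8s-operator"},
        "hostname": "eks-operator",
    },
    "apiServerProxyConfig": {
        "mode": True,
        "tags": "tag:k8s-operator,tag:k8s-api-server",
    },
}

# The same values after applying the reviewer's suggestions (constructed).
FIXED_VALUES: Dict[str, Any] = {
    "operatorConfig": {
        "image": {"repository": "tailscale/k8s-operator"},
        "hostname": "eks-operator",
    },
    "apiServerProxyConfig": {
        "mode": "true",
        "allowImpersonation": "true",
    },
}


def _walk(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], Any]]:
    """Yield (key path, leaf value) for every leaf of a nested mapping."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (key,))
    else:
        yield path, node


def _lookup(defaults: Dict[str, Any], path: Tuple[str, ...]) -> Tuple[bool, Any]:
    """Return (found, default value) for a key path in the chart defaults."""
    node: Any = defaults
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node


def unknown_keys(values: Dict[str, Any], defaults: Dict[str, Any]) -> List[str]:
    """Dotted paths present in ``values`` that the chart defaults never define."""
    return [".".join(path) for path, _ in _walk(values) if not _lookup(defaults, path)[0]]


def type_mismatches(values: Dict[str, Any], defaults: Dict[str, Any]) -> List[str]:
    """Dotted paths whose value type differs from the chart default's type.

    Defaults of ``None`` or ``""`` are skipped: charts use them as "unset"
    placeholders, so any type may legitimately replace them.
    """
    out: List[str] = []
    for path, value in _walk(values):
        found, default = _lookup(defaults, path)
        if not found or default in (None, ""):
            continue
        # bool is a subclass of int in Python; compare exact types so a YAML
        # boolean is not mistaken for the quoted string the chart expects.
        if type(value) is not type(default):
            out.append(f"{'.'.join(path)}: got {type(value).__name__}, chart default is {type(default).__name__}")
    return out


def lint(values: Dict[str, Any], defaults: Dict[str, Any]) -> List[str]:
    """Human-readable findings; an empty list means nothing to report."""
    findings = [f"unknown key (silently ignored by Helm): {p}" for p in unknown_keys(values, defaults)]
    findings += [f"type mismatch: {m}" for m in type_mismatches(values, defaults)]
    return findings


if __name__ == "__main__":
    for line in lint(PR_VALUES, CHART_DEFAULTS):
        print(line)
    print("fixed values:", lint(FIXED_VALUES, CHART_DEFAULTS) or "clean")
```

Run against `PR_VALUES` it reports the two unknown keys and the boolean `mode`; against `FIXED_VALUES` it reports nothing. The type check is deliberately strict about `bool` versus `str` because that is exactly the mismatch `yamlencode` produces from an unquoted HCL `true`.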
```hcl
output "cmd_kubectl_ha_proxy_apply" {
  description = "Command to deploy the Tailscale high availability API server proxy - https://tailscale.com/kb/1437/kubernetes-operator-api-server-proxy#configuring-a-high-availability-api-server-proxy"
  value       = "OPERATOR_NAME=${helm_release.tailscale_operator.name} envsubst < tailscale-api-server-ha-proxy.yaml | kubectl apply -f -"
}

output "cmd_kubectl_ha_proxy_delete" {
  description = "Command to delete the Tailscale high availability API server proxy - https://tailscale.com/kb/1437/kubernetes-operator-api-server-proxy#configuring-a-high-availability-api-server-proxy"
  value       = "OPERATOR_NAME=${helm_release.tailscale_operator.name} envsubst < tailscale-api-server-ha-proxy.yaml | kubectl delete -f -"
```
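Review bot: `envsubst` with no SHELL-FORMAT argument, as used in both `value` strings here, substitutes every `$NAME` token in `tailscale-api-server-ha-proxy.yaml`, not only `OPERATOR_NAME`, so any other `$...` in the manifest is silently replaced with whatever happens to be (or not be) in the caller's environment before it reaches `kubectl apply`. Restrict substitution to the one variable you mean, e.g. `OPERATOR_NAME=${helm_release.tailscale_operator.name} envsubst '$OPERATOR_NAME' < tailscale-api-server-ha-proxy.yaml | kubectl apply -f -`, and make the same change to the delete command so both render the manifest identically.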
Suggested change:
```diff
-output "cmd_kubectl_ha_proxy_apply" {
-  description = "Command to deploy the Tailscale high availability API server proxy - https://tailscale.com/kb/1437/kubernetes-operator-api-server-proxy#configuring-a-high-availability-api-server-proxy"
-  value       = "OPERATOR_NAME=${helm_release.tailscale_operator.name} envsubst < tailscale-api-server-ha-proxy.yaml | kubectl apply -f -"
-}
-output "cmd_kubectl_ha_proxy_delete" {
-  description = "Command to delete the Tailscale high availability API server proxy - https://tailscale.com/kb/1437/kubernetes-operator-api-server-proxy#configuring-a-high-availability-api-server-proxy"
-  value       = "OPERATOR_NAME=${helm_release.tailscale_operator.name} envsubst < tailscale-api-server-ha-proxy.yaml | kubectl delete -f -"
+output "cmd_kubectl_ha_proxy_apply" {
+  description = "Command to deploy the Tailscale high availability API server proxy - https://tailscale.com/kb/1437/kubernetes-operator-api-server-proxy#configuring-a-high-availability-api-server-proxy"
+  value       = "HA_PROXY_SERVICE_NAME=${local.ha_proxy_service_name} envsubst < tailscale-api-server-ha-proxy.yaml | kubectl apply -f -"
+}
+output "cmd_kubectl_ha_proxy_delete" {
+  description = "Command to delete the Tailscale high availability API server proxy - https://tailscale.com/kb/1437/kubernetes-operator-api-server-proxy#configuring-a-high-availability-api-server-proxy"
+  value       = "HA_PROXY_SERVICE_NAME=${local.ha_proxy_service_name} envsubst < tailscale-api-server-ha-proxy.yaml | kubectl delete -f -"
```
Untested but I think this is correct
```shell
kubectl get pods -n tailscale
kubectl logs -n tailscale -l app.kubernetes.io/name=$(terraform output -raw operator_name)
```
Suggested change:
```diff
-kubectl logs -n tailscale -l app.kubernetes.io/name=$(terraform output -raw operator_name)
+kubectl logs -n tailscale -l app=operator
```
is probably easier
After deployment, configure kubectl to access your cluster using Tailscale:

```shell
tailscale configure kubeconfig ${terraform output -raw operator_name}
```
Suggested change:
```diff
-tailscale configure kubeconfig ${terraform output -raw operator_name}
+tailscale configure kubeconfig $(terraform output -raw operator_name)
```
Command substitution is `$( )`, not `${ }`.
```hcl
    hostname = local.operator_name
  }
  apiServerProxyConfig = {
    mode = true
```
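Review bot: `mode = true` here is an HCL boolean, so `yamlencode` emits YAML `true` where the chart's values.yaml documents a quoted string, and `allowImpersonation` is left at its default. If the proxy is meant to run in auth mode, switching impersonation on is a privilege grant rather than a flag: the chart creates the cluster roles that let the operator's service account impersonate users and groups, and from then on the tailnet policy decides which Kubernetes identity each tailnet user or tag becomes on the API server. Quote both values, and review the generated RBAC together with the tailnet policy grants before enabling it.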
Suggested change:
```diff
-mode = true
+mode = "true"
+allowImpersonation = "true"
```
https://github.com/tailscale/tailscale/blob/main/cmd/k8s-operator/deploy/chart/values.yaml#L132 defaults to false, but because you're using a ProxyGroup in auth mode you will need the cluster roles created and impersonation allowed.
```yaml
spec:
  type: kube-apiserver
  kubeAPIServer:
    mode: auth
```