Linkerd-Terraform-Production
# Trust Anchor (Root CA Certificate)
resource "tls_private_key" "trustanchor_key" {
  # Root-of-trust key for the whole mesh. Because Terraform generates it, the PEM
  # is stored in plaintext in the Terraform state: the state backend must be
  # access-controlled and audited as if it held the CA key itself.
  count       = var.enable_linkerd ? 1 : 0
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}
resource "tls_self_signed_cert" "trustanchor_cert" {
  count = var.enable_linkerd ? 1 : 0

  # Self-signed root CA handed to Linkerd as identityTrustAnchorsPEM.
  is_ca_certificate     = true
  validity_period_hours = 87600 # 10 years

  subject {
    common_name = "identity.linkerd.cluster.local"
  }

  key_algorithm   = tls_private_key.trustanchor_key[0].algorithm
  private_key_pem = tls_private_key.trustanchor_key[0].private_key_pem

  # NOTE(review): server_auth/client_auth are leaf-certificate usages; a root that
  # only signs the issuer needs cert_signing/crl_signing. Confirm that mesh
  # certificate verification still passes before tightening this list.
  allowed_uses = ["crl_signing", "cert_signing", "server_auth", "client_auth"]
}
# Issuer Certificate
resource "tls_private_key" "issuer_key" {
  # Key of the intermediate (issuer) CA that signs per-pod identities. Like the
  # trust anchor key it lives in plaintext in the Terraform state, and it is also
  # pushed into the cluster via the Helm release below.
  count       = var.enable_linkerd ? 1 : 0
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}
resource "tls_cert_request" "issuer_req" {
  count = var.enable_linkerd ? 1 : 0

  # CSR for the intermediate (issuer) CA; it is signed by the trust anchor in
  # tls_locally_signed_cert.issuer_cert.
  subject {
    common_name = "identity.linkerd.cluster.local"
  }

  private_key_pem = tls_private_key.issuer_key[0].private_key_pem
  key_algorithm   = tls_private_key.issuer_key[0].algorithm
}
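resource "tls_locally_signed_cert" "issuer_cert" {
  count = var.enable_linkerd ? 1 : 0

  # Intermediate CA signed by the trust anchor. Linkerd's identity service uses it
  # (identity.issuer.tls.* in the helm_release) to issue per-pod certificates.
  cert_request_pem   = tls_cert_request.issuer_req[0].cert_request_pem
  ca_key_algorithm   = tls_private_key.trustanchor_key[0].algorithm
  ca_private_key_pem = tls_private_key.trustanchor_key[0].private_key_pem
  ca_cert_pem        = tls_self_signed_cert.trustanchor_cert[0].cert_pem

  is_ca_certificate     = true
  validity_period_hours = 8760 # 1 year

  # Without a renewal path the issuer expires after one year and identity issuance
  # stops. early_renewal_hours makes Terraform treat the certificate as expired 30
  # days ahead of time and re-create it on the next apply; the new issuer is pushed
  # through the helm_release values while the trust anchor stays unchanged. The
  # renewal still depends on an apply running inside that 30-day window.
  early_renewal_hours = 720

  allowed_uses = [
    "crl_signing",
    "cert_signing",
    "server_auth",
    "client_auth"
  ]
}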
# LinkerD
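resource "helm_release" "linkerd2" {
  count = var.enable_linkerd ? 1 : 0

  name       = "linkerd"
  repository = "https://helm.linkerd.io/stable"
  chart      = "linkerd2"
  version    = var.linkerd_version

  # HA overrides only when requested; the path is relative to this module.
  values = var.enable_ha ? [file("${path.module}/values-ha.yaml")] : []

  # Public material: trust anchor certificate, issuer certificate and its expiry.
  set {
    name  = "identityTrustAnchorsPEM"
    value = tls_self_signed_cert.trustanchor_cert[0].cert_pem
  }
  set {
    name  = "identity.issuer.crtExpiry"
    value = tls_locally_signed_cert.issuer_cert[0].validity_end_time
  }
  set {
    name  = "identity.issuer.tls.crtPEM"
    value = tls_locally_signed_cert.issuer_cert[0].cert_pem
  }

  # The issuer private key is a secret: set_sensitive keeps it out of plan/apply
  # output and CI logs. It is still written to Terraform state and to the Helm
  # release secret in the cluster, so both need the same protection as the key.
  set_sensitive {
    name  = "identity.issuer.tls.keyPEM"
    value = tls_private_key.issuer_key[0].private_key_pem
  }
}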
# LinkerD Viz
resource "helm_release" "linkerd2-viz" {
  # Installed only when the mesh is enabled and the viz extension is requested.
  count = var.enable_linkerd && var.include_viz ? 1 : 0

  name       = "linkerd2-viz"
  repository = "https://helm.linkerd.io/stable"
  chart      = "linkerd-viz"
  version    = var.linkerd_version
  values     = var.enable_ha ? [file("${path.module}/viz-values-ha.yaml")] : []

  # The extension needs the control plane to exist first.
  depends_on = [helm_release.linkerd2]
}
# LinkerD Jaeger
resource "helm_release" "linkerd2-jaeger" {
  # Installed only when the mesh is enabled and the jaeger extension is requested.
  count = var.enable_linkerd && var.include_jaeger ? 1 : 0

  name       = "linkerd2-jaeger"
  repository = "https://helm.linkerd.io/stable"
  chart      = "linkerd-jaeger"
  version    = var.linkerd_version

  # Pin the extension's Linkerd version to the same chart version as the control plane.
  set {
    name  = "linkerdVersion"
    value = var.linkerd_version
  }

  # The extension needs the control plane to exist first.
  depends_on = [helm_release.linkerd2]
}
# This values.yaml file contains the values needed to enable HA mode
# (multiple control-plane replicas with resource requests/limits).
# Usage:
#   helm install -f values.yaml -f values-ha.yaml
enablePodAntiAffinity: true

# proxy configuration
proxy:
  resources:
    cpu:
      request: 100m
    memory:
      limit: 250Mi
      request: 30Mi

# controller configuration
controllerReplicas: 3
controllerResources: &controller_resources
  cpu: &controller_resources_cpu
    limit: ""
    request: 100m
  memory:
    limit: 250Mi
    request: 50Mi
destinationResources: *controller_resources
publicAPIResources: *controller_resources

# identity configuration
identityResources:
  cpu: *controller_resources_cpu
  memory:
    limit: 250Mi
    request: 10Mi

# heartbeat configuration
heartbeatResources: *controller_resources

# proxy injector configuration
proxyInjectorResources: *controller_resources
# Fail closed: with "Fail", pod admission is rejected while the injector webhook
# is unavailable instead of letting pods start unmeshed (and outside mTLS).
webhookFailurePolicy: Fail

# service profile validator configuration
spValidatorResources: *controller_resources
variable "linkerd_version" {
  # Single pinned chart version shared by the control plane, viz and jaeger releases.
  description = "Helm chart version for LinkerD (LinkerD version)"
  type        = string
  default     = "2.11.1"
}
variable "enable_ha" {
  # Selects the values-ha.yaml / viz-values-ha.yaml overrides for the Helm releases.
  description = "Enable high availability for Linkerd control plane"
  type        = bool
  default     = false
}
variable "include_viz" {
  # Only takes effect when enable_linkerd is also true.
  description = "Include Viz extension"
  type        = bool
  default     = true
}
variable "include_jaeger" {
  # Only takes effect when enable_linkerd is also true.
  description = "Include Jaeger extension"
  type        = bool
  default     = true
}
variable "enable_linkerd" {
  # Master switch: every resource in this module uses it as its count condition,
  # so false removes the CA material and the Helm releases alike.
  description = "Count condition for deploying linkerd"
  type        = bool
  default     = false
}
# This values file contains the values needed to enable HA mode for the
# linkerd-viz extension; the module passes it as viz-values-ha.yaml.
# Usage:
#   helm install -f values.yaml -f viz-values-ha.yaml
enablePodAntiAffinity: true

# shared resource profile reused by the components below via YAML anchors
resources: &ha_resources
  cpu: &ha_resources_cpu
    limit: ""
    request: 100m
  memory:
    limit: 250Mi
    request: 50Mi

# tap configuration
tap:
  replicas: 3
  resources: *ha_resources

# web configuration
dashboard:
  resources: *ha_resources

# grafana configuration
grafana:
  resources:
    cpu: *ha_resources_cpu
    memory:
      limit: 1024Mi
      request: 50Mi

# prometheus configuration
prometheus:
  resources:
    cpu:
      limit: ""
      request: 300m
    memory:
      limit: 8192Mi
      request: 300Mi