Linkerd-Terraform-Production
# Trust Anchor (Root CA Certificate)
# Root of trust for Linkerd's mTLS identity. Every resource in this module is
# gated on var.enable_linkerd through count, which is why all references below
# index with [0].
# NOTE(review): tls_private_key keeps the generated key in Terraform state in
# plaintext, so the state backend effectively holds the mesh's root CA key —
# encrypt it and restrict who can read it. For a production mesh, generating
# the anchor offline and passing only the public certificate in is the safer
# pattern; this resource is convenient but makes state the key's home.
resource "tls_private_key" "trustanchor_key" {
  count       = var.enable_linkerd ? 1 : 0
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}
# Trust anchor certificate: self-signed root CA, valid 10 years (87600h).
# The chart receives it as identityTrustAnchorsPEM; it is public material.
# common_name is "identity.linkerd.<trust domain>" with the default trust
# domain cluster.local — NOTE(review): confirm if the cluster is configured
# with a non-default trust domain.
# NOTE(review): key_algorithm is a hashicorp/tls 3.x argument; the 4.x
# provider dropped it (the algorithm is derived from the PEM), so either pin
# the provider major version or remove the line when upgrading.
resource "tls_self_signed_cert" "trustanchor_cert" {
  count                 = var.enable_linkerd ? 1 : 0
  key_algorithm         = tls_private_key.trustanchor_key[0].algorithm
  private_key_pem       = tls_private_key.trustanchor_key[0].private_key_pem
  validity_period_hours = 87600
  is_ca_certificate     = true

  subject {
    common_name = "identity.linkerd.cluster.local"
  }

  # NOTE(review): server_auth/client_auth on the root are broader than a pure
  # signing CA needs; cert_signing (plus crl_signing) is what the issuer chain
  # relies on — verify against the Linkerd requirements before narrowing.
  allowed_uses = [
    "crl_signing",
    "cert_signing",
    "server_auth",
    "client_auth"
  ]
}
# Issuer Certificate
# Intermediate (issuer) key. Unlike the trust anchor key, this one is handed
# to the cluster (identity.issuer.tls.keyPEM in the linkerd2 helm_release), so
# a compromise of the identity controller's namespace exposes it; that is why
# the issuer certificate is kept to one year while the anchor lives ten.
# It is also stored in Terraform state in plaintext (same caveat as above).
resource "tls_private_key" "issuer_key" {
  count       = var.enable_linkerd ? 1 : 0
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}
# CSR for the issuer key, signed by the trust anchor in tls_locally_signed_cert
# below. The CN is the same as the trust anchor's — presumably required so the
# issuer matches the identity trust domain; NOTE(review): confirm against the
# chart's identity settings before changing either CN independently.
# NOTE(review): key_algorithm, as on the anchor, is a hashicorp/tls 3.x-only
# argument.
resource "tls_cert_request" "issuer_req" {
  count           = var.enable_linkerd ? 1 : 0
  key_algorithm   = tls_private_key.issuer_key[0].algorithm
  private_key_pem = tls_private_key.issuer_key[0].private_key_pem

  subject {
    common_name = "identity.linkerd.cluster.local"
  }
}
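# Issuer certificate: intermediate CA signed by the trust anchor. The identity
# controller uses it (with issuer_key) to mint per-proxy leaf certificates, so
# once it expires no new proxy identities can be issued.
# NOTE(review): ca_key_algorithm is a hashicorp/tls 3.x-only argument (see the
# trust anchor resource).
resource "tls_locally_signed_cert" "issuer_cert" {
  count              = var.enable_linkerd ? 1 : 0
  cert_request_pem   = tls_cert_request.issuer_req[0].cert_request_pem
  ca_key_algorithm   = tls_private_key.trustanchor_key[0].algorithm
  ca_private_key_pem = tls_private_key.trustanchor_key[0].private_key_pem
  ca_cert_pem        = tls_self_signed_cert.trustanchor_cert[0].cert_pem

  # One year. Without early_renewal_hours Terraform only notices expiry after
  # the certificate is already invalid, i.e. after the mesh has stopped issuing
  # identities. With it, the resource is flagged for replacement 30 days ahead
  # and the new cert_pem / validity_end_time flow into the linkerd2
  # helm_release on the next apply (the issuer key itself is unchanged).
  validity_period_hours = 8760
  early_renewal_hours   = 720
  is_ca_certificate     = true

  # NOTE(review): same remark as on the anchor — server_auth/client_auth are
  # wider than a signing intermediate needs; verify before narrowing.
  allowed_uses = [
    "crl_signing",
    "cert_signing",
    "server_auth",
    "client_auth"
  ]
}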
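# LinkerD
# Core control-plane chart. The CA material generated above is injected as
# chart values: the trust anchor and issuer certificates are public, the
# issuer private key is not.
resource "helm_release" "linkerd2" {
  count      = var.enable_linkerd ? 1 : 0
  name       = "linkerd"
  repository = "https://helm.linkerd.io/stable"
  chart      = "linkerd2"
  version    = var.linkerd_version
  # Optional HA overrides (replica counts, anti-affinity, resource requests).
  values = var.enable_ha ? [file("${path.module}/values-ha.yaml")] : []

  set {
    name  = "identityTrustAnchorsPEM"
    value = tls_self_signed_cert.trustanchor_cert[0].cert_pem
  }
  # Chart expects the issuer expiry alongside the certificate.
  set {
    name  = "identity.issuer.crtExpiry"
    value = tls_locally_signed_cert.issuer_cert[0].validity_end_time
  }
  set {
    name  = "identity.issuer.tls.crtPEM"
    value = tls_locally_signed_cert.issuer_cert[0].cert_pem
  }
  # set_sensitive keeps the issuer private key out of plan/apply output and
  # CI logs; a plain `set` prints it as a diff. It is still present in state,
  # like the tls_private_key resource that generated it.
  set_sensitive {
    name  = "identity.issuer.tls.keyPEM"
    value = tls_private_key.issuer_key[0].private_key_pem
  }
}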
# LinkerD Viz
# Observability extension (tap, dashboard, grafana, prometheus). Installed
# only when the core chart is, and strictly after it, at the same chart
# version.
resource "helm_release" "linkerd2-viz" {
  count = var.enable_linkerd && var.include_viz ? 1 : 0

  name       = "linkerd2-viz"
  chart      = "linkerd-viz"
  repository = "https://helm.linkerd.io/stable"
  version    = var.linkerd_version
  # HA sizing for the viz components lives in its own values file.
  values = var.enable_ha ? [file("${path.module}/viz-values-ha.yaml")] : []

  depends_on = [helm_release.linkerd2]
}
# LinkerD Jaeger
# Distributed-tracing extension. Like viz it is gated on the core release and
# installed after it; unlike viz it has no HA values file, so var.enable_ha
# does not affect it.
resource "helm_release" "linkerd2-jaeger" {
  count = var.enable_linkerd && var.include_jaeger ? 1 : 0

  name       = "linkerd2-jaeger"
  chart      = "linkerd-jaeger"
  repository = "https://helm.linkerd.io/stable"
  version    = var.linkerd_version

  # The chart also wants the control-plane version as a value.
  set {
    name  = "linkerdVersion"
    value = var.linkerd_version
  }

  depends_on = [helm_release.linkerd2]
}
# This values.yaml file contains the values needed to enable HA mode.
# Usage:
#   helm install -f values.yaml -f values-ha.yaml
# In this module it is loaded as values-ha.yaml by the linkerd2 helm_release
# when var.enable_ha is true. The &anchor / *alias pairs are ordinary YAML
# aliases: every component that aliases *controller_resources gets the same
# requests and limits.
enablePodAntiAffinity: true   # presumably spreads replicas across nodes

# proxy configuration
proxy:
  resources:
    cpu:
      request: 100m
    memory:
      limit: 250Mi
      request: 30Mi

# controller configuration
controllerReplicas: 3
controllerResources: &controller_resources
  cpu: &controller_resources_cpu
    limit: ""        # empty string: no CPU limit, request only
    request: 100m
  memory:
    limit: 250Mi
    request: 50Mi
destinationResources: *controller_resources
publicAPIResources: *controller_resources

# identity configuration
identityResources:
  cpu: *controller_resources_cpu
  memory:
    limit: 250Mi
    request: 10Mi

# heartbeat configuration
heartbeatResources: *controller_resources

# proxy injector configuration
proxyInjectorResources: *controller_resources
# Fail (rather than Ignore) means that while the injector webhook is
# unreachable, pod admissions the webhook applies to are rejected instead of
# silently creating un-meshed pods without mTLS. With three controller
# replicas above, this is the production-safe setting.
webhookFailurePolicy: Fail

# service profile validator configuration
spValidatorResources: *controller_resources
# Chart version used for the core linkerd2 chart and also for the linkerd-viz
# and linkerd-jaeger extension charts in the helm_release resources; the
# extensions are assumed to be released in lockstep with the core chart
# (NOTE(review): verify before bumping).
variable "linkerd_version" {
  description = "Helm chart version for LinkerD (LinkerD version)"
  type        = string
  default     = "2.11.1"
}
# Switches the HA values files (values-ha.yaml for the core release,
# viz-values-ha.yaml for viz) on; the jaeger release has no values file and is
# unaffected.
variable "enable_ha" {
  description = "Enable high availability for Linkerd control plane"
  type        = bool
  default     = false
}
# Defaults on, but only takes effect when enable_linkerd is also true (the viz
# release's count is gated on both).
variable "include_viz" {
  description = "Include Viz extension"
  type        = bool
  default     = true
}
# Defaults on, but only takes effect when enable_linkerd is also true (the
# jaeger release's count is gated on both).
variable "include_jaeger" {
  description = "Include Jaeger extension"
  type        = bool
  default     = true
}
# Master switch: every resource in the module is count-gated on this, so the
# default (false) deploys nothing — including the CA key pair. Flipping it back
# to false destroys the keys and certificates from state as well as the Helm
# releases; a fresh anchor is generated on the next enable.
variable "enable_linkerd" {
  description = "Count condition for deploying linkerd"
  type        = bool
  default     = false
}
# This values.yaml file contains the values needed to enable HA mode for the
# linkerd-viz extension chart.
# Usage:
#   helm install -f values.yaml -f values-ha.yaml
# In this module the file is loaded as viz-values-ha.yaml by the linkerd2-viz
# helm_release when var.enable_ha is true (the header above is the upstream
# chart's wording; the local filename differs).
enablePodAntiAffinity: true

# Shared sizing for the smaller viz components (aliased below).
resources: &ha_resources
  cpu: &ha_resources_cpu
    limit: ""        # empty string: no CPU limit, request only
    request: 100m
  memory:
    limit: 250Mi
    request: 50Mi

# tap configuration
tap:
  replicas: 3
  resources: *ha_resources

# web configuration
dashboard:
  resources: *ha_resources

# grafana configuration
grafana:
  resources:
    cpu: *ha_resources_cpu
    memory:
      limit: 1024Mi
      request: 50Mi

# prometheus configuration
# Sized separately: prometheus is the only component here with a large memory
# envelope (8Gi limit); tune to the mesh's metric volume.
prometheus:
  resources:
    cpu:
      limit: ""
      request: 300m
    memory:
      limit: 8192Mi
      request: 300Mi