Kubestack is a framework for Kubernetes platform engineering teams to define the entire cloud native stack in one Terraform code base and continuously evolve the platform safely through GitOps.
Apache-2.0 License
Full Changelog: https://github.com/kbst/terraform-kubestack/compare/v0.19.0-beta.0...v0.19.1-beta.0
Update the framework versions for all modules and the Dockerfile, and run `terraform init --upgrade` to update the locked provider versions.
Published by pst about 1 year ago
Full Changelog: https://github.com/kbst/terraform-kubestack/compare/v0.18.2-beta.0...v0.19.0-beta.0
Update the framework versions for all modules and the Dockerfile, and run `terraform init --upgrade` to update the locked provider versions.
Published by pst over 1 year ago
- `terraform fmt -recursive` by @anhdle14 in https://github.com/kbst/terraform-kubestack/pull/304
Full Changelog: https://github.com/kbst/terraform-kubestack/compare/v0.18.1-beta.0...v0.18.2-beta.0
Update the framework versions for all modules and the Dockerfile, and run `terraform init --upgrade` to update the locked provider versions.
Published by pst over 1 year ago
Full Changelog: https://github.com/kbst/terraform-kubestack/compare/v0.18.0-beta.0...v0.18.1-beta.0
Update the framework versions for all modules and the Dockerfile, and run `terraform init --upgrade` to update the locked provider versions.
Published by pst almost 2 years ago
Full Changelog: https://github.com/kbst/terraform-kubestack/compare/v0.17.1-beta.0...v0.18.0-beta.0
Upgrade the versions for each module and the source image in the Dockerfile. Also run `terraform init --upgrade` to update the provider versions in the lock file.
There are no specific steps required for EKS. There are two optional steps for AKS and GKE. See below for details.
The `azurerm` provider has a number of breaking changes in the latest version. Most have been handled inside the module and do not require special steps during the upgrade. There is one exception: the reserved ingress IP.

Upstream refactored how zones are handled across resources. Kubestack lets Azure handle the zones for the ingress IP, but previous provider versions stored them in state. The upgraded provider wants to destroy and recreate the IP because the zones in state don't match what's specified in code (`null`). Users who do not want the IP to be recreated have to set the zones explicitly to match what's in state:
```hcl
configuration = {
  # Settings for Apps-cluster
  apps = {
    # [...]
    default_ingress_ip_zones = "1,2,3"
    # [...]
  }
  # [...]
}
```
Starting with Kubernetes v1.24, GKE will default to `COS_containerd` instead of `COS` for the node image type. Kubestack follows upstream and defaults to the containerd variant for new node pools starting with this release. For existing node pools, you can set `cluster_image_type` for the default node pool configured as part of the cluster module, or `image_type` for additional node pools, to either `COS_containerd` or `COS` to set this explicitly for the respective node pool.
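For example, a minimal sketch pinning the existing default node pool to the previous image type; the `configuration` map shape mirrors the other examples in these notes, and the `apps` environment key is illustrative:

```hcl
configuration = {
  # environment key is illustrative
  apps = {
    # [...]
    # pin the existing default node pool to the previous image type
    cluster_image_type = "COS"
    # [...]
  }
  # [...]
}
```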
Published by pst about 2 years ago
Full Changelog: https://github.com/kbst/terraform-kubestack/compare/v0.17.0-beta.0...v0.17.1-beta.0
Update the framework versions for all modules and the Dockerfile, and run `terraform init --upgrade` to update the locked provider versions.
Published by pst over 2 years ago
Full Changelog: https://github.com/kbst/terraform-kubestack/compare/v0.16.3-beta.0...v0.17.0-beta.0
Both EKS and GKE until now had a `kubernetes` provider configured inside the cluster module. The change away from exec-based kubeconfigs allowed removing the providers configured inside the modules and correcting this anti-pattern.

This change requires that upgrading users configure the `kubernetes` provider in the root module and then pass the configured provider into the cluster module.
EKS Example
module "eks_zero" {
providers = {
aws = aws.eks_zero
# pass kubernetes provider to the EKS cluster module
kubernetes = kubernetes.eks_zero
}
# [...]
}
# configure aliased kubernetes provider EKS
provider "kubernetes" {
alias = "eks_zero"
host = local.eks_zero_kubeconfig["clusters"][0]["cluster"]["server"]
cluster_ca_certificate = base64decode(local.eks_zero_kubeconfig["clusters"][0]["cluster"]["certificate-authority-data"])
token = local.eks_zero_kubeconfig["users"][0]["user"]["token"]
}
GKE Example
module "gke_zero" {
# add providers block and pass kubernetes provider for GKE cluster module
providers = {
kubernetes = kubernetes.gke_zero
}
# [...]
}
# configure aliased kubernetes provider for GKE
provider "kubernetes" {
alias = "gke_zero"
host = local.gke_zero_kubeconfig["clusters"][0]["cluster"]["server"]
cluster_ca_certificate = base64decode(local.gke_zero_kubeconfig["clusters"][0]["cluster"]["certificate-authority-data"])
token = local.gke_zero_kubeconfig["users"][0]["user"]["token"]
}
Published by pst over 2 years ago
No special steps required. Update the module versions and the image tag in the Dockerfile. Then run the pipeline to apply.
Published by pst over 2 years ago
No special steps required. Update the module versions and the image tag in the Dockerfile. Then run the pipeline to apply.
Published by pst over 2 years ago
No special steps required. Update the module versions and the image tag in the Dockerfile. Then run the pipeline to apply.
Published by pst almost 3 years ago
- v1.0.11 #242

Both the `azurerm` and the `google` Terraform providers have breaking changes in their respective Kubernetes cluster resource attributes. This Kubestack release updates the modules to adhere to the latest provider versions. As such, you should run `terraform init --upgrade` to update the locked provider versions in your `.terraform.lock.hcl` file.
Once you do, you will also get a new version of the `kustomization` provider, which switches the default ID format. This switch was necessary to allow the provider to handle `apiVersion` updates, as required for Ingress, without recreating the resources. But the change of the ID format means the IDs change in the Terraform state, which causes an unnecessary destroy-and-recreate plan.

You have two options:

1. `terraform state mv` the resources, after which the plan will not try to recreate them anymore.
2. Set `legacy_id_format = true` in the `kustomization` provider blocks, usually located in the `*_providers.tf` files (see the sketch after this list).
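For option 2, a minimal sketch of such a provider block; the alias is illustrative and any existing provider configuration stays as-is:

```hcl
provider "kustomization" {
  alias = "eks_zero" # illustrative

  # keep the previous ID format to avoid a destroy-and-recreate plan
  legacy_id_format = true

  # [...]
}
```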
Previously, the default node pool and the control plane used the same subnets. Additionally, those subnets use a `/24` CIDR, which means there is only a small number of IP addresses for the control plane and the default node pool to share.
This release switches to separate control plane and node pool subnets by default. The subnet change requires the node pool to be recreated. If recreating the default node pool is not an option at this point in time, you can retain the previous behavior by setting `cluster_vpc_legacy_node_subnets = true`.
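A minimal sketch of the opt-out, following the per-environment configuration shape used elsewhere in these notes (the `apps` key is illustrative):

```hcl
configuration = {
  apps = {
    # [...]
    # keep the default node pool on the shared legacy subnets
    cluster_vpc_legacy_node_subnets = true
    # [...]
  }
  # [...]
}
```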
See the following subnet visualization for the default setup: https://www.davidc.net/sites/default/subnets/subnets.html?network=10.18.0.0&mask=16&division=23.ff4011
While not strictly required, this change fixes a bug that recreates the Route53 DNS hosts unnecessarily. The `depends_on` on the module propagates to the data sources, which causes them to only be read on apply; this makes the `zone_id` in the DNS hosts known-after-apply and causes a recreate plan.

To avoid this, remove the `depends_on` line from the `eks_zero_dns_zone` module in your `eks_zero_ingress.tf` file.
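A sketch of the resulting module block; the exact `depends_on` reference is an assumption and may differ in your repository:

```hcl
module "eks_zero_dns_zone" {
  # [...] source and inputs stay unchanged

  # remove the depends_on line, which may look like this:
  # depends_on = [module.eks_zero]
}
```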
Previously, the AKS modules included an in-module provider configuration to set the provider's required `features` attribute. However, in-module provider configurations are highly discouraged, and in this release Kubestack removed this for the `azurerm` provider in the AKS module.

This means that, during the upgrade, AKS users have to add the following to their `aks_zero_providers.tf`:
provider "azurerm" {
features {}
}
Making the Azure log analytics configurable for the AKS module required making the `azurerm_log_analytics_workspace` and `azurerm_log_analytics_solution` resources conditional using `count`. This change may show up as a one-time "outside of Terraform" change when upgrading existing AKS configurations to Kubestack version v0.16.0-beta.0. Log analytics can be enabled using `enable_log_analytics = true` (the default) or disabled using `enable_log_analytics = false`.
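A minimal sketch of disabling log analytics per environment (the `apps` key is illustrative):

```hcl
configuration = {
  apps = {
    # [...]
    # log analytics is provisioned by default, opt out explicitly
    enable_log_analytics = false
    # [...]
  }
  # [...]
}
```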
Published by pst about 3 years ago
EKS: Bugfix release: Update EKS-D image to Kubernetes v1.21.1
Published by pst about 3 years ago
- `aws-cn` or `aws-us-gov` partitions #201 thanks @jdmarble
- `metadata_name` to meet `google_service_account` `account_id` max length #205 thanks @Spazzy757
- `azuread_service_principal_password` value attribute #210

When upgrading an AKS cluster, the Azure policy agent block, even if disabled by default, requires applying with `--target`:
```sh
terraform apply --target module.aks_zero
```
Published by pst over 3 years ago
Like any Kubestack upgrade, change the version of your cluster module(s) and the image tag in the Dockerfiles. The deprecation of the cluster-manifests additionally requires manual changes. While we strive to avoid high-effort migrations like this, in this case the benefits drastically outweigh the downsides. Because Kubestack is still in beta, we also decided not to take on the long-term maintenance effort of providing a backwards-compatible alternative for such a significant change.
The previous approach of defining Kustomize overlays under `manifests/` and having the cluster modules implicitly provision the resulting Kubernetes resources had two major drawbacks.
With this release, Kubestack cluster modules no longer provision the YAML in `manifests/` implicitly. Instead, all catalog services are now available as first-class Terraform modules. In addition, there is a new custom-manifests module that can be used to provision your bespoke YAML in the same way as the modules from the catalog.

This change simplifies the mental model: both clusters and cluster services are simply Terraform modules now. At the same time, because cluster service modules still use Kustomize under the hood, the benefit of low-effort maintenance when following new upstream releases is preserved. And because the overlay is now defined dynamically using HCL, you can fully customize all Kubernetes resources from Terraform values.
To learn more about how these modules allow full customization of the Kubernetes resources from Terraform, check the detailed documentation.
There are three cases to consider for this upgrade:

[...] `depends_on` approach internally and simplifies the Terraform configuration in your root module. It is possible to use the custom-manifests module to apply an entire overlay from `manifests/overlays` as is. But it's recommended to call the module once for each base instead, to clearly separate independent Kubernetes resources from each other in the Terraform state.

In all three cases, Terraform will generate destroy-and-recreate plans for all affected Kubernetes resources, because even though the Kubernetes resources don't change, their location in the Terraform state changes. You have two options here. You can either plan a maintenance window and run the destroy-and-recreate apply. Or you can manually `terraform state mv` resources in the state until Terraform no longer generates a destroy-and-recreate plan, and only then run the apply.
For the ingress migration, you will in any case have a small service disruption, because the service of type `LoadBalancer` needs to be replaced to fix the issue of two cloud load balancers being created. This destroys the old load balancer, creates a new one, and switches DNS over. During testing, this caused 5-10 minutes of downtime. For critical environments and the least disruption, we suggest lowering the DNS TTL ahead of time and letting the decrease propagate before starting the migration during a maintenance window. In AWS' case, the new ELB gets a new CNAME. Since Kubestack uses Route53 alias records, the disruption is kept to a minimum. For both Azure and Google Cloud, Kubestack uses reserved IP addresses. These will be reused by the new cloud load balancers, leaving DNS unchanged. But for all three providers, it will take a bit of time until the new load balancers are back in service.
Published by pst over 3 years ago
Update the version in `Dockerfile`, `Dockerfile.loc` and `clusters.tf` to `v0.14.1-beta.0`.

Users of Kubestack releases before `v0.14` who are not ready to update to this latest Kubestack release can manually update the Terraform version used to a Terraform patch release that matches the minor release bundled with their current Kubestack release.
First, select the updated Terraform version for your Kubestack release:
- Kubestack `v0.10.0-beta.0`: update Terraform to `v0.12.31`
- Kubestack `v0.11.0-beta.0` to `v0.12.1-beta.0`: update Terraform to `v0.13.7`
- Kubestack `v0.12.2-beta.0` to `v0.13.0-beta.1`: update Terraform to `v0.14.11`
Then edit your Dockerfile to download the new Terraform binary in a temporary stage and copy the binary over to your final stage.
```dockerfile
# Add before FROM kubestack/framework
FROM python:3.8-slim AS tfupgrade

RUN apt-get update && apt-get install -y curl unzip

ARG TERRAFORM_VERSION=___DESIRED_TERRAFORM_VERSION___
RUN echo "TERRAFORM_VERSION: ${TERRAFORM_VERSION}" \
    && curl -LO https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip \
    && unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /tmp \
    && chmod +x /tmp/terraform \
    && /tmp/terraform version

# Add after FROM kubestack/framework
COPY --from=tfupgrade /tmp/terraform /opt/bin/terraform
```
Published by pst over 3 years ago
- `.terraform.lock.hcl` approach
- `terraform test` feature #185

For clusters provisioned using the Azure network plugin (`network_plugin = "azure"`), the changed virtual network (vnet) and subnet names will trigger a destroy-and-recreate plan. To keep the legacy names for existing clusters that you do not wish to recreate, set `legacy_vnet_name = true`.
Published by pst over 3 years ago
Published by pst over 3 years ago
- `sku_tier` - thanks @to266
- `current_config`, `current_metadata` and `kubeconfig` outputs

Please note, Pod-managed identities, the Azure equivalent to Google workload identity and AWS IAM roles for service accounts, are only in preview and not available through the Azure Terraform provider yet. As such, this release only adds support for improved IAM integration on GKE and EKS.
Migrate to IAM roles for service accounts (IRSA)
The EKS module now provisions an OIDC provider by default to enable IAM roles for service accounts. Users that wish to not provision the OIDC provider can disable this by setting `disable_openid_connect_provider = true`.
Using IRSA, in addition to the OIDC provider, requires configuring IAM roles and Kubernetes annotations. Refer to the EKS documentation for more details. This feature alone does not prevent workloads on the cluster from assuming node roles.
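A minimal sketch of the OIDC provider opt-out mentioned above (the `apps` key is illustrative):

```hcl
configuration = {
  apps = {
    # [...]
    # do not provision the OIDC provider for IRSA
    disable_openid_connect_provider = true
    # [...]
  }
  # [...]
}
```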
Migrate to workload identities
The GKE module now enables workload identity support on the cluster by default and sets the workload metadata config for the default node pool to `GKE_METADATA_SERVER`.
Terraform generates an in-place update, but the migration may cause disruptions if workloads currently depend on node roles. Please refer to the GKE documentation for more information.
To retain the previous behaviour, Kubestack users can set `disable_workload_identity = true`, or alternatively leave workload identity enabled but set the workload metadata config explicitly, e.g. `node_workload_metadata_config = "EXPOSE"`.
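A minimal sketch of both alternatives; use one or the other (the `apps` key is illustrative):

```hcl
configuration = {
  apps = {
    # [...]
    # keep workload identity enabled, but expose node metadata
    node_workload_metadata_config = "EXPOSE"

    # or retain the previous behaviour entirely
    # disable_workload_identity = true
    # [...]
  }
  # [...]
}
```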
Migrate from service principals to managed identities
AKS requires a service principal to grant the Kubernetes control plane access to the Azure API, e.g. to provision load balancers. AKS has moved from manual service principals to managed identities. From the Azure documentation:

> Clusters using service principals eventually reach a state in which the service principal must be renewed to keep the cluster working. Managing service principals adds complexity, which is why it's easier to use managed identities instead.
The change in Terraform triggers a destroy-and-recreate plan for the cluster and its dependencies.
Users may be able to migrate by following the Azure documentation to manually migrate from service principals to managed identities using the `az` CLI before running the Terraform apply. At the time of writing, the upgrade is marked as a preview feature. Please refer to the upstream documentation, but the following worked during release testing:
```sh
az extension add --name aks-preview

# needs Owner permissions
az aks update -g RESOURCE_GROUP -n CLUSTER_NAME --enable-managed-identity
az aks nodepool upgrade --cluster-name CLUSTER_NAME --name default --node-image-only --resource-group RESOURCE_GROUP
```
After that, a Terraform plan will merely destroy the old service principal related resources, but not recreate the cluster.
Kubestack AKS users who do not wish to migrate and want to retain the previous configuration using manually maintained service principals can set `disable_managed_identities = true` instead of doing the manual migration.
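A minimal sketch of retaining service principals (the `apps` key is illustrative):

```hcl
configuration = {
  apps = {
    # [...]
    # keep manually maintained service principals
    disable_managed_identities = true
    # [...]
  }
  # [...]
}
```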
Published by pst over 3 years ago
Published by pst almost 4 years ago
- Update the `kustomize` CLI and the Kustomize Terraform provider to support Kustomize `components`. #149
- `enabled_cluster_log_types = ""` is now the default. To enable a subset of log types, specify them as a comma separated string, e.g. `enabled_cluster_log_types = "audit,authenticator"` would enable only the audit and authenticator log types.
- Set `node_image = "ghcr.io/kbst/kind-eks-d:v1.18.9-kbst.1"` for your `loc` environment in `config.auto.tfvars` to update existing repositories to use EKS-D.

The `v0.12.0-beta.0` release followed upstream and made private nodes the default. Private nodes require Cloud NAT to have internet access, e.g. to download Docker images. This release by default includes Cloud NAT for private node clusters. To have private nodes without internet access, or to configure custom NAT, set `enable_cloud_nat = false`.
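A minimal sketch of opting out of Cloud NAT, following the same per-environment configuration shape (the `apps` key is illustrative):

```hcl
configuration = {
  apps = {
    # [...]
    # private nodes without internet access, or bring your own NAT
    enable_cloud_nat = false
    # [...]
  }
  # [...]
}
```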