14 changes: 5 additions & 9 deletions README.md
@@ -167,20 +167,16 @@ This chart deploys the GlueOps Platform
| host_network.kube_pometheus_stack.prometheusOperator.tls.internal_port | int | `45040` | |
| host_network.nginx_public.controller.host_port.ports.http | int | `45030` | |
| host_network.nginx_public.controller.host_port.ports.https | int | `45031` | |
| kube_etcd.enabled | string | `"placeholder_enable_kubeadm_cluster"` | |
| kube_etcd.serviceMonitor.caFile | string | `"/etc/prometheus/secrets/etcd-client/ca.crt"` | |
| kube_etcd.serviceMonitor.certFile | string | `"/etc/prometheus/secrets/etcd-client/apiserver-etcd-client.crt"` | |
| kube_etcd.serviceMonitor.keyFile | string | `"/etc/prometheus/secrets/etcd-client/apiserver-etcd-client.key"` | |
| kubeadm.enabled | string | `"placeholder_enable_kubeadm_cluster"` | |
| kubeadm.kube_etcd.serviceMonitor.caFile | string | `"/etc/prometheus/secrets/etcd-client/ca.crt"` | |
| kubeadm.kube_etcd.serviceMonitor.certFile | string | `"/etc/prometheus/secrets/etcd-client/apiserver-etcd-client.crt"` | |
| kubeadm.kube_etcd.serviceMonitor.keyFile | string | `"/etc/prometheus/secrets/etcd-client/apiserver-etcd-client.key"` | |
| loki.aws_accessKey | string | `"placeholder_loki_aws_access_key"` | Part of `loki_s3_iam_credentials` output from terraform-module-cloud-multy-prerequisites: https://github.com/GlueOps/terraform-module-cloud-multy-prerequisites |
| loki.aws_region | string | `"placeholder_aws_region"` | Should be the same `primary_region` you used in: https://github.com/GlueOps/terraform-module-cloud-multy-prerequisites |
| loki.aws_secretKey | string | `"placeholder_loki_aws_secret_key"` | Part of `loki_s3_iam_credentials` output from terraform-module-cloud-multy-prerequisites: https://github.com/GlueOps/terraform-module-cloud-multy-prerequisites |
| loki.bucket | string | `"glueops-tenant-placeholder_tenant_key-placeholder_cluster_environment-loki-primary"` | Format: glueops-tenant-placeholder_tenant_key-placeholder_cluster_environment-loki-primary, Credentials found at `loki_credentials` of json output of terraform-module-cloud-multy-prerequisites |
| nginx.controller_replica_count | int | `2` | number of replicas for ingress controller |
| node_ports.enabled | string | `"placeholder_enable_kubeadm_cluster"` | |
| node_ports.nginx.ports.http | int | `30020` | |
| node_ports.nginx.ports.https | int | `30021` | |
| node_ports.oauth2_proxy.ports.http | int | `30010` | |
| node_ports.oauth2_proxy.ports.https | int | `30011` | |
| nginx.internal.enabled | bool | `false` | |
| prometheus.volume_claim_storage_request | string | `"50"` | Volume of storage requested for each Prometheus PVC, in Gi |
| pull_request_bot.watch_for_apps_delay_seconds | string | `"10"` | number of seconds to wait before checking ArgoCD for new applications |
| tls_cert_restore.aws_accessKey | string | `"placeholder_tls_cert_restore_aws_access_key"` | Part of `loki_log_exporter` output from terraform-module-cloud-multy-prerequisites: https://github.com/GlueOps/terraform-module-cloud-multy-prerequisites |
12 changes: 6 additions & 6 deletions templates/application-kube-prometheus-stack.yaml
@@ -81,12 +81,12 @@ spec:
registry: {{ .Values.base_registries.registry_k8s_io }}
{{- toYaml .Values.glueops_node_and_tolerations | nindent 14 }}
{{- toYaml .Values.glueops_node_and_tolerations | nindent 10 }}
{{- if .Values.kube_etcd.enabled }}
{{- if .Values.kubeadm.enabled }}
kubeEtcd:
serviceMonitor:
caFile: {{ .Values.kube_etcd.serviceMonitor.caFile }}
certFile: {{ .Values.kube_etcd.serviceMonitor.certFile }}
keyFile: {{ .Values.kube_etcd.serviceMonitor.keyFile }}
caFile: {{ .Values.kubeadm.kube_etcd.serviceMonitor.caFile }}
certFile: {{ .Values.kubeadm.kube_etcd.serviceMonitor.certFile }}
keyFile: {{ .Values.kubeadm.kube_etcd.serviceMonitor.keyFile }}
scheme: https
service:
port: 2379
@@ -118,9 +118,9 @@ spec:
requests:
storage: {{ .Values.prometheus.volume_claim_storage_request}}Gi
hostNetwork: {{ .Values.host_network.enabled }}
{{- if .Values.kube_etcd.enabled }}
{{- if .Values.kubeadm.enabled }}
secrets:
- etcd-client
- etcd-client-certs
{{- end }}
grafana:
{{- toYaml .Values.glueops_node_and_tolerations | nindent 10 }}
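Review bot: The secret mounted into the Prometheus pod is renamed to `etcd-client-certs` (the added line under `secrets:` in the second hunk), but the kubeEtcd serviceMonitor paths introduced in the first hunk still resolve to `/etc/prometheus/secrets/etcd-client/...` via the new `kubeadm.kube_etcd.serviceMonitor` values in values.yaml and the README rows of this PR. The Prometheus CRD mounts each entry of `secrets` under `/etc/prometheus/secrets/<secret-name>/`, so with this change the CA, certificate and key are looked up in a directory that is no longer mounted and the etcd scrape fails at TLS setup; either keep the secret name or change the three values to `/etc/prometheus/secrets/etcd-client-certs/ca.crt`, `/etc/prometheus/secrets/etcd-client-certs/apiserver-etcd-client.crt` and `/etc/prometheus/secrets/etcd-client-certs/apiserver-etcd-client.key`. Separately, `{{- if .Values.kubeadm.enabled }}` is truthy for any non-empty string, so an unreplaced `placeholder_enable_kubeadm_cluster` enables these branches rather than disabling them; a `# --` note on that value in values.yaml, or wrapping it in `required`, would make that explicit. The enclosing `prometheus:` spec starts and ends outside both hunks.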
38 changes: 20 additions & 18 deletions templates/application-nginx-public.yaml
@@ -105,32 +105,26 @@ spec:
{{- if .Values.enable_chisel_proxy_protocol }}
chisel-operator.io/proxy-protocol: "true"
{{- end }}

type: {{- if .Values.node_ports.enabled }} "NodePort" {{- else }} "LoadBalancer" {{- end }}
{{- if .Values.node_ports.enabled }}
nodePorts:
http: {{ .Values.node_ports.nginx.ports.http }}
https: {{ .Values.node_ports.nginx.ports.https }}
type: "LoadBalancer"
{{- if .Values.kubeadm.enabled }}
externalIPs: [{{ .Values.public_loadbalancer_ips.public | join ", " }}]
Copilot AI Oct 20, 2025

Missing required values definition. The code references .Values.public_loadbalancer_ips.public but this value is not defined in values.yaml, which will cause template rendering to fail.

Suggested change
externalIPs: [{{ .Values.public_loadbalancer_ips.public | join ", " }}]
externalIPs: [{{ .Values.public_loadbalancer_ips.public | default (list) | join ", " }}]

{{- end }}

externalTrafficPolicy: "Local"
internal:
enabled: {{ .Values.nginx.internal.enabled }}
type: "ClusterIP"
{{- if .Values.kubeadm.enabled }}
externalIPs: [{{ .Values.public_loadbalancer_ips.private | join ", " }}]
{{- end }}
externalTrafficPolicy: "Local"
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: nlb
# https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/2366
# https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/2366#issuecomment-1788923154
updateStrategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
# Add a pause to make time for the pod to be registered in the AWS NLB target group before proceeding with the next
# https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/1834#issuecomment-781530724
# https://alexklibisz.com/2021/07/20/speed-limits-for-rolling-restarts-in-kubernetes#round-3-set-minreadyseconds-maxunavailable-to-0-and-maxsurge-to-1
minReadySeconds: 180
# Add sleep on preStop to allow for graceful shutdown with AWS NLB
# https://github.com/kubernetes/ingress-nginx/issues/6928
# https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/2366#issuecomment-1118312709
lifecycle:
preStop:
exec:
command: ["/bin/sh", "-c", "sleep 240; /wait-shutdown"]
metrics:
enabled: true
serviceMonitor:
@@ -144,6 +138,14 @@ spec:
default: false
controllerValue: "k8s.io/public-ingress-nginx"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: use-as-public-lb
operator: In
values:
- "true"
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
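Review bot: The `nodeAffinity` added in the second hunk (`use-as-public-lb` In `"true"`) is unconditional, while every other kubeadm-specific addition in this file is wrapped in `{{- if .Values.kubeadm.enabled }}`; on a cluster that keeps `type: "LoadBalancer"` behind a cloud controller and does not label nodes this way, the public ingress controller pods become unschedulable under the `requiredDuringScheduling` term. Unless every supported cluster is expected to carry that label, guard the block the same way: `{{- if .Values.kubeadm.enabled }}` on the line before `nodeAffinity:` and `{{- end }}` on the line after `- "true"`, leaving `podAntiAffinity` as it is. The same applies to the `use-as-lb` affinity added in the platform ingress-nginx section below. The enclosing `controller:` and `affinity:` mappings start outside the hunk.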
@@ -106,32 +106,25 @@ spec:
{{- if .Values.enable_chisel_proxy_protocol }}
chisel-operator.io/proxy-protocol: "true"
{{- end }}

type: {{- if .Values.node_ports.enabled }} "NodePort" {{- else }} "LoadBalancer" {{- end }}
{{- if .Values.node_ports.enabled }}
nodePorts:
http: {{ .Values.node_ports.oauth2_proxy.ports.http }}
https: {{ .Values.node_ports.oauth2_proxy.ports.https }}
type: "LoadBalancer"
{{- if .Values.kubeadm.enabled }}
externalIPs: [{{ .Values.private_loadbalancer_ips.public | join ", " }}]
Copilot AI Oct 20, 2025

Missing required values definition. The code references .Values.private_loadbalancer_ips but this value is not defined in values.yaml, which will cause template rendering to fail.

{{- end }}

externalTrafficPolicy: "Local"
# https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/2366
# https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/2366#issuecomment-1788923154
internal:
enabled: {{ .Values.nginx.internal.enabled }}
type: "ClusterIP"
{{- if .Values.kubeadm.enabled }}
externalIPs: [{{ .Values.private_loadbalancer_ips.private | join ", " }}]
{{- end }}
externalTrafficPolicy: "Local"
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: nlb

updateStrategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
# Add a pause to make time for the pod to be registered in the AWS NLB target group before proceeding with the next
# https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/1834#issuecomment-781530724
# https://alexklibisz.com/2021/07/20/speed-limits-for-rolling-restarts-in-kubernetes#round-3-set-minreadyseconds-maxunavailable-to-0-and-maxsurge-to-1
minReadySeconds: 180
# Add sleep on preStop to allow for graceful shutdown with AWS NLB
# https://github.com/kubernetes/ingress-nginx/issues/6928
# https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/2366#issuecomment-1118312709
lifecycle:
preStop:
exec:
command: ["/bin/sh", "-c", "sleep 240; /wait-shutdown"]
metrics:
enabled: true
serviceMonitor:
@@ -145,6 +138,14 @@ spec:
default: false
controllerValue: "k8s.io/glueops-platform-ingress-nginx"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: use-as-lb
operator: In
values:
- "true"
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
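Review bot: The two `externalIPs:` lines added in the first hunk (on the external service and under `internal:`) introduce a prerequisite that, as far as this PR shows, is not documented anywhere: Service `externalIPs` are programmed by kube-proxy on every node regardless of where the pod runs, which is why upstream ships the `DenyServiceExternalIPs` admission plugin as a hardening option, and a cluster with that plugin enabled rejects this Service outright. Document the requirement next to the new `kubeadm.enabled` value in values.yaml, e.g. `# -- kubeadm clusters only: the ingress Services use externalIPs, so DenyServiceExternalIPs must be disabled or these addresses allow-listed`, and record that whoever controls `private_loadbalancer_ips` / `public_loadbalancer_ips` effectively chooses which addresses the cluster answers on. The same note covers the `externalIPs:` lines in the nginx-public section above. The enclosing `service:` mapping starts outside the hunk.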
24 changes: 8 additions & 16 deletions values.yaml
@@ -37,17 +37,6 @@ host_network:
metricServer:
port: 45056

node_ports:
enabled: placeholder_enable_kubeadm_cluster
# the chosen http/https values are the same with LoadBalancer values
oauth2_proxy:
ports:
http: 30010
https: 30011
nginx:
ports:
http: 30020
https: 30021

# -- The Route53 subdomain for the services on your cluster. It will be used as the suffix url for argocd, grafana, vault, and any other services that come out of the box in the glueops platform. Note: you need to create this before using this repo as this repo does not provision DNS Zones for you.
# This is the domain you created through: https://github.com/GlueOps/terraform-module-cloud-multy-prerequisites
@@ -151,6 +140,8 @@ vault:
nginx:
# -- number of replicas for ingress controller
controller_replica_count: 2
internal:
enabled: false

pull_request_bot:
# -- number of seconds to wait before checking ArgoCD for new applications
@@ -396,10 +387,11 @@ container_images:

enable_chisel_proxy_protocol: false

kube_etcd:
kubeadm:
enabled: placeholder_enable_kubeadm_cluster
serviceMonitor:
caFile: /etc/prometheus/secrets/etcd-client/ca.crt
certFile: /etc/prometheus/secrets/etcd-client/apiserver-etcd-client.crt
keyFile: /etc/prometheus/secrets/etcd-client/apiserver-etcd-client.key
kube_etcd:
serviceMonitor:
caFile: /etc/prometheus/secrets/etcd-client/ca.crt
certFile: /etc/prometheus/secrets/etcd-client/apiserver-etcd-client.crt
keyFile: /etc/prometheus/secrets/etcd-client/apiserver-etcd-client.key