6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -272,7 +272,7 @@ module "karpenter" {
| <a name="input_cluster_security_group_name"></a> [cluster\_security\_group\_name](#input\_cluster\_security\_group\_name) | Cluster security group name | `string` | `null` | no |
| <a name="input_cluster_service_ipv4_cidr"></a> [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
| <a name="input_cluster_service_ipv6_cidr"></a> [cluster\_service\_ipv6\_cidr](#input\_cluster\_service\_ipv6\_cidr) | The CIDR block to assign Kubernetes pod and service IP addresses from if `ipv6` was specified when the cluster was created. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster | `string` | `null` | no |
| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | EKS Cluster Version | `string` | `"1.31"` | no |
| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | EKS Cluster Version | `string` | `"1.32"` | no |
| <a name="input_create_aws_auth_configmap"></a> [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no |
| <a name="input_create_aws_observability_ns"></a> [create\_aws\_observability\_ns](#input\_create\_aws\_observability\_ns) | Whether to create AWS Observability Namespace. | `bool` | `true` | no |
| <a name="input_create_aws_observability_ns_for_karpenter"></a> [create\_aws\_observability\_ns\_for\_karpenter](#input\_create\_aws\_observability\_ns\_for\_karpenter) | Create aws-observability namespace flag | `bool` | `false` | no |
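Review bot: the `cluster_version` default bump from `"1.31"` to `"1.32"` is visible here only as an edit to the generated inputs table; the matching default in the module's variable definition has to change in the same commit or the README will disagree with the code (that file is not part of the visible diff). A default bump also means every consumer that does not pin `cluster_version` gets a control-plane upgrade on the next apply, so the changelog entry should call that out rather than leaving it as a silent docs change.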
Expand Down Expand Up @@ -307,8 +307,8 @@ module "karpenter" {
| <a name="input_force_imdsv2"></a> [force\_imdsv2](#input\_force\_imdsv2) | Force IMDSv2 metadata server. | `bool` | `true` | no |
| <a name="input_force_irsa"></a> [force\_irsa](#input\_force\_irsa) | Force usage of IAM Roles for Service Account | `bool` | `true` | no |
| <a name="input_iam_role_additional_policies"></a> [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `set(string)` | `[]` | no |
| <a name="input_karpenter_chart_version"></a> [karpenter\_chart\_version](#input\_karpenter\_chart\_version) | Chart version for Karpenter | `string` | `"1.2.1"` | no |
| <a name="input_karpenter_crd_chart_version"></a> [karpenter\_crd\_chart\_version](#input\_karpenter\_crd\_chart\_version) | Chart version for Karpenter CRDs same version as `karpenter_chart_version` | `string` | `"1.2.1"` | no |
| <a name="input_karpenter_chart_version"></a> [karpenter\_chart\_version](#input\_karpenter\_chart\_version) | Chart version for Karpenter | `string` | `"1.3.3"` | no |
| <a name="input_karpenter_crd_chart_version"></a> [karpenter\_crd\_chart\_version](#input\_karpenter\_crd\_chart\_version) | Chart version for Karpenter CRDs same version as `karpenter_chart_version` | `string` | `"1.3.3"` | no |
| <a name="input_karpenter_default_subnet_selector_tags"></a> [karpenter\_default\_subnet\_selector\_tags](#input\_karpenter\_default\_subnet\_selector\_tags) | Subnet selector tags for Karpenter default node class | `map(string)` | <pre>{<br/> "kubernetes.io/role/internal-elb": "1"<br/>}</pre> | no |
| <a name="input_karpenter_ephemeral_volume_size"></a> [karpenter\_ephemeral\_volume\_size](#input\_karpenter\_ephemeral\_volume\_size) | Ephemeral volume size for Karpenter node groups | `string` | `"50Gi"` | no |
| <a name="input_karpenter_nodeclasses"></a> [karpenter\_nodeclasses](#input\_karpenter\_nodeclasses) | List of nodetemplate maps | <pre>list(object({<br/> nodeclass_name = string<br/> karpenter_subnet_selector_maps = list(map(any))<br/> karpenter_security_group_selector_maps = list(map(any))<br/> karpenter_ami_selector_maps = list(map(any))<br/> karpenter_node_role = string<br/> karpenter_node_tags_map = map(string)<br/> karpenter_node_user_data = string<br/> karpenter_node_metadata_options = map(any)<br/> karpenter_block_device_mapping = list(object({<br/> deviceName = string<br/> ebs = object({<br/> encrypted = bool<br/> volumeSize = string<br/> volumeType = string<br/> kmsKeyID = optional(string)<br/> deleteOnTermination = bool<br/> })<br/> }))<br/> }))</pre> | `[]` | no |
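Review bot: `karpenter_crd_chart_version` is documented as "same version as `karpenter_chart_version`", yet it remains a second hard-coded default that was bumped by hand in lockstep (`"1.2.1"` to `"1.3.3"` in both rows); default it to `null` and fall back to `var.karpenter_chart_version` inside the module, or add a `validation` block that rejects a mismatch, so the two cannot drift apart in a future edit. Since 1.2.x to 1.3.x crosses a Karpenter minor release and the CRD chart moves with it, the changelog should flag this as a CRD-bearing upgrade.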
8 changes: 8 additions & 0 deletions main.tf
Expand Up @@ -170,10 +170,18 @@ module "eks" {
memory = "256M"
}
}
autoScaling = {
enabled = true
}
})
} : {
most_recent = true
resolve_conflicts_on_update = "OVERWRITE"
configuration_values = jsonencode({
autoScaling = {
enabled = true
}
})
}
eks-pod-identity-agent = var.cluster_ip_family == "ipv4" ? {
most_recent = true
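Review bot: the `autoScaling = { enabled = true }` block is pasted verbatim into both arms of the conditional (once inside the existing `configuration_values = jsonencode({ ... })` and once in the new `: { ... }` arm); lift it into a `local` and `merge()` it into both arms so the copies cannot drift. The hunk also enables autoscaling without stating any replica bounds, and the `: {` arm carries `resolve_conflicts_on_update = "OVERWRITE"`, so whatever replica count the add-on picks will override manual edits; if this is the CoreDNS add-on (the add-on name sits outside the hunk), confirm that `kubernetes_pod_disruption_budget_v1.coredns` in modules/essentials, listed in the README below, still makes sense for the scaled replica range, and document the new behaviour in the README.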
18 changes: 18 additions & 0 deletions modules/essentials/README.md
Expand Up @@ -66,20 +66,24 @@ module "eks_essentials" {
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.70 |
| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.16 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.33 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.5 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.70 |
| <a name="provider_helm"></a> [helm](#provider\_helm) | >= 2.16 |
| <a name="provider_kubectl"></a> [kubectl](#provider\_kubectl) | n/a |
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.33 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 3.5 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_cluster_autoscaler_irsa_role"></a> [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.47 |
| <a name="module_fluentbit_s3_bucket"></a> [fluentbit\_s3\_bucket](#module\_fluentbit\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 4.6.1 |
| <a name="module_helm_fluent_bit"></a> [helm\_fluent\_bit](#module\_helm\_fluent\_bit) | SPHTech-Platform/release/helm | ~> 0.1.4 |
| <a name="module_helm_kube_state_metrics"></a> [helm\_kube\_state\_metrics](#module\_helm\_kube\_state\_metrics) | SPHTech-Platform/release/helm | ~> 0.1.4 |
| <a name="module_helm_metrics_server"></a> [helm\_metrics\_server](#module\_helm\_metrics\_server) | SPHTech-Platform/release/helm | ~> 0.1.4 |
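Review bot: the new `kubectl` provider row shows version `n/a`, meaning the module declares no `required_providers` entry for it, while `random` did get one (`>= 3.5`); add `kubectl` to `required_providers` with an explicit `source` and a version constraint. Without a `source`, Terraform resolves the name to `hashicorp/kubectl`, which does not exist, so every consumer of the module has to discover and declare the right provider on their own before `kubectl_manifest.nodelocaldns` can be planned.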
Expand All @@ -104,10 +108,12 @@ module "eks_essentials" {
| [helm_release.cert_manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.node_termination_handler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubectl_manifest.nodelocaldns](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource |
| [kubernetes_annotations.gp2_storage_class](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/annotations) | resource |
| [kubernetes_namespace_v1.namespaces](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
| [kubernetes_pod_disruption_budget_v1.coredns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_disruption_budget_v1) | resource |
| [kubernetes_storage_class_v1.default](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class_v1) | resource |
| [random_string.s3_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [aws_arn.node_termination_handler_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_eks_addon_version.latest_adot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source |
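Review bot: `random_string.s3_suffix` and `module.fluentbit_s3_bucket` now appear in the resource list, but `fluent_bit_enable_s3_output` defaults to `false` in the Inputs table below; confirm both are gated on that flag (`count = var.fluent_bit_enable_s3_output ? 1 : 0` or equivalent), otherwise every cluster gets a log bucket and a random suffix it never writes to. If the suffix feeds the bucket name, also make sure the `random_string` has no `keepers` that would regenerate it and force-replace the bucket on a later apply.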
Expand All @@ -117,6 +123,7 @@ module "eks_essentials" {
| [aws_iam_policy_document.node_termination_handler_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_sqs_queue.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/sqs_queue) | data source |
| [kubernetes_service.kube_dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/service) | data source |

## Inputs

Expand Down Expand Up @@ -186,6 +193,7 @@ module "eks_essentials" {
| <a name="input_cluster_autoscaler_tolerations"></a> [cluster\_autoscaler\_tolerations](#input\_cluster\_autoscaler\_tolerations) | Tolerations for Cluster Autoscaler | `any` | `[]` | no |
| <a name="input_cluster_autoscaler_topology_spread_constraints"></a> [cluster\_autoscaler\_topology\_spread\_constraints](#input\_cluster\_autoscaler\_topology\_spread\_constraints) | Topology spread constraints for Cluster Autoscaler | `any` | <pre>[<br/> {<br/> "labelSelector": {<br/> "matchLabels": {<br/> "app.kubernetes.io/instance": "cluster-autoscaler"<br/> }<br/> },<br/> "maxSkew": 1,<br/> "topologyKey": "topology.kubernetes.io/zone",<br/> "whenUnsatisfiable": "DoNotSchedule"<br/> }<br/>]</pre> | no |
| <a name="input_cluster_autoscaler_vpa"></a> [cluster\_autoscaler\_vpa](#input\_cluster\_autoscaler\_vpa) | VPA for Cluster AutoScaler | `any` | <pre>{<br/> "containerPolicy": {},<br/> "enabled": false,<br/> "updateMode": "Auto"<br/>}</pre> | no |
| <a name="input_cluster_domain_name"></a> [cluster\_domain\_name](#input\_cluster\_domain\_name) | The domain name for the cluster | `string` | `"cluster.local"` | no |
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS Cluster name | `string` | n/a | yes |
| <a name="input_cluster_resource_namespace"></a> [cluster\_resource\_namespace](#input\_cluster\_resource\_namespace) | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart. | `string` | `""` | no |
| <a name="input_configure_ecr_pull_through"></a> [configure\_ecr\_pull\_through](#input\_configure\_ecr\_pull\_through) | Configure ECR Pull Through Cache. | `bool` | `true` | no |
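Review bot: the description of `cluster_domain_name`, "The domain name for the cluster", is ambiguous in a module that also manages cert-manager and ingress-facing components; state that it is the in-cluster Kubernetes DNS domain (the `cluster.local` suffix) and that it is consumed as `PILLAR__DNS__DOMAIN` by the NodeLocal DNSCache manifest in nodelocaldns.tf, so readers do not mistake it for a public DNS zone.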
Expand All @@ -211,14 +219,21 @@ module "eks_essentials" {
| <a name="input_fargate_cluster"></a> [fargate\_cluster](#input\_fargate\_cluster) | Deploying workloads on Fargate, set this to TRUE | `bool` | `false` | no |
| <a name="input_fargate_mix_node_groups"></a> [fargate\_mix\_node\_groups](#input\_fargate\_mix\_node\_groups) | Deploying mix workloads as in EKS Manage Node Groups and Fragate Node Groups, set this to TRUE | `bool` | `false` | no |
| <a name="input_feature_gates"></a> [feature\_gates](#input\_feature\_gates) | Feature gates to enable on the pod | `list(any)` | `[]` | no |
| <a name="input_fluent_bit_enable_cw_output"></a> [fluent\_bit\_enable\_cw\_output](#input\_fluent\_bit\_enable\_cw\_output) | Enable cloudwatch logging | `bool` | `true` | no |
| <a name="input_fluent_bit_enable_s3_output"></a> [fluent\_bit\_enable\_s3\_output](#input\_fluent\_bit\_enable\_s3\_output) | Enable S3 output logging | `bool` | `false` | no |
| <a name="input_fluent_bit_enabled"></a> [fluent\_bit\_enabled](#input\_fluent\_bit\_enabled) | Enable fluent-bit helm charts installation. | `bool` | `true` | no |
| <a name="input_fluent_bit_excluded_namespaces"></a> [fluent\_bit\_excluded\_namespaces](#input\_fluent\_bit\_excluded\_namespaces) | Namespaces to exclude from fluent-bit | `list(string)` | `[]` | no |
| <a name="input_fluent_bit_helm_config"></a> [fluent\_bit\_helm\_config](#input\_fluent\_bit\_helm\_config) | Helm provider config for AWS for Fluent Bit. | `any` | `{}` | no |
| <a name="input_fluent_bit_helm_config_defaults"></a> [fluent\_bit\_helm\_config\_defaults](#input\_fluent\_bit\_helm\_config\_defaults) | Helm provider default config for Fluent Bit. | `any` | <pre>{<br/> "chart": "fluent-bit",<br/> "description": "Fluent Bit helm Chart deployment configuration",<br/> "name": "fluent-bit",<br/> "namespace": "logging",<br/> "repository": "https://fluent.github.io/helm-charts",<br/> "version": "0.47.9"<br/>}</pre> | no |
| <a name="input_fluent_bit_image_repository"></a> [fluent\_bit\_image\_repository](#input\_fluent\_bit\_image\_repository) | Fluent Bit Image repo | `string` | `"public.ecr.aws/aws-observability/aws-for-fluent-bit"` | no |
| <a name="input_fluent_bit_image_tag"></a> [fluent\_bit\_image\_tag](#input\_fluent\_bit\_image\_tag) | Fluent Bit Image tag | `string` | `"2.32.0"` | no |
| <a name="input_fluent_bit_liveness_probe"></a> [fluent\_bit\_liveness\_probe](#input\_fluent\_bit\_liveness\_probe) | Liveness probe for fluent-bit | `map(any)` | <pre>{<br/> "httpGet": {<br/> "path": "/",<br/> "port": 2020<br/> }<br/>}</pre> | no |
| <a name="input_fluent_bit_log_group_retention"></a> [fluent\_bit\_log\_group\_retention](#input\_fluent\_bit\_log\_group\_retention) | Number of days to retain the cloudwatch logs | `number` | `30` | no |
| <a name="input_fluent_bit_overwrite_helm_values"></a> [fluent\_bit\_overwrite\_helm\_values](#input\_fluent\_bit\_overwrite\_helm\_values) | helm values for overwrite configuration | `string` | `""` | no |
| <a name="input_fluent_bit_readiness_probe"></a> [fluent\_bit\_readiness\_probe](#input\_fluent\_bit\_readiness\_probe) | Readiness probe for fluent-bit | `map(any)` | <pre>{<br/> "httpGet": {<br/> "path": "/api/v1/health",<br/> "port": 2020<br/> }<br/>}</pre> | no |
| <a name="input_fluent_bit_resources"></a> [fluent\_bit\_resources](#input\_fluent\_bit\_resources) | Resources for fluent-bit | `map(any)` | <pre>{<br/> "limits": {<br/> "cpu": "100m",<br/> "memory": "128Mi"<br/> },<br/> "requests": {<br/> "cpu": "100m",<br/> "memory": "128Mi"<br/> }<br/>}</pre> | no |
| <a name="input_fluent_bit_role_policy_arns"></a> [fluent\_bit\_role\_policy\_arns](#input\_fluent\_bit\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
| <a name="input_fluent_bit_tolerations"></a> [fluent\_bit\_tolerations](#input\_fluent\_bit\_tolerations) | Tolerations for fluent-bit | `list(any)` | <pre>[<br/> {<br/> "effect": "NoSchedule",<br/> "operator": "Exists"<br/> }<br/>]</pre> | no |
| <a name="input_helm_release_max_history"></a> [helm\_release\_max\_history](#input\_helm\_release\_max\_history) | The maximum number of history releases to keep track in each Helm release | `number` | `20` | no |
| <a name="input_image_pull_secrets"></a> [image\_pull\_secrets](#input\_image\_pull\_secrets) | Secrets for image pulling | `list(any)` | `[]` | no |
| <a name="input_image_repository"></a> [image\_repository](#input\_image\_repository) | Image repository | `string` | `"quay.io/jetstack/cert-manager-controller"` | no |
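Review bot: with `fluent_bit_enable_cw_output` and `fluent_bit_enable_s3_output` as independent booleans, setting both to `false` leaves fluent-bit installed (`fluent_bit_enabled` defaults to `true`) with no output at all, and the log-forwarding gap would not surface until someone looks for logs; add a `validation` block or a `precondition` that requires at least one output when `fluent_bit_enabled` is true, or document the combination explicitly. The `fluent_bit_enable_s3_output` description should also name the bucket it writes to (the module-created `fluentbit_s3_bucket`) and note that `fluent_bit_log_group_retention` applies only to the CloudWatch path, not to S3.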
Expand All @@ -244,6 +259,8 @@ module "eks_essentials" {
| <a name="input_node_exporter_enabled"></a> [node\_exporter\_enabled](#input\_node\_exporter\_enabled) | Enable prometheus-node-exporters helm charts installation. | `bool` | `true` | no |
| <a name="input_node_exporter_helm_config"></a> [node\_exporter\_helm\_config](#input\_node\_exporter\_helm\_config) | Helm provider config for prometheus-node-exporter. | `any` | `{}` | no |
| <a name="input_node_exporter_helm_config_defaults"></a> [node\_exporter\_helm\_config\_defaults](#input\_node\_exporter\_helm\_config\_defaults) | Helm provider default config for prometheus-node-exporter. | `any` | <pre>{<br/> "chart": "prometheus-node-exporter",<br/> "description": "prometheus-node-exporter helm Chart deployment configuration",<br/> "name": "prometheus-node-exporter",<br/> "namespace": "kube-system",<br/> "repository": "https://prometheus-community.github.io/helm-charts",<br/> "version": "4.39.0"<br/>}</pre> | no |
| <a name="input_node_local_dns_address"></a> [node\_local\_dns\_address](#input\_node\_local\_dns\_address) | The local DNS IP address | `string` | `"169.254.20.10"` | no |
| <a name="input_node_local_dns_cache_enabled"></a> [node\_local\_dns\_cache\_enabled](#input\_node\_local\_dns\_cache\_enabled) | Enable NodeLocal DNS Cache | `bool` | `true` | no |
| <a name="input_node_selector"></a> [node\_selector](#input\_node\_selector) | Node selector for cert-manager-controller pods | `map(string)` | `{}` | no |
| <a name="input_node_termination_handler_chart_name"></a> [node\_termination\_handler\_chart\_name](#input\_node\_termination\_handler\_chart\_name) | Chart name for Node Termination Handler. Repo: https://github.com/aws/eks-charts/tree/master/stable/aws-node-termination-handler | `string` | `"aws-node-termination-handler"` | no |
| <a name="input_node_termination_handler_chart_repository_url"></a> [node\_termination\_handler\_chart\_repository\_url](#input\_node\_termination\_handler\_chart\_repository\_url) | Chart Repository URL for Node Termination Handler | `string` | `"https://aws.github.io/eks-charts"` | no |
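Review bot: `node_local_dns_cache_enabled` defaults to `true`, which makes NodeLocal DNSCache an opt-out behaviour change for every existing consumer on the next apply, and the comment in nodelocaldns.tf says the manifest only works with kube-proxy in `IPTABLES` mode; clusters running `IPVS` or nftables would get a DNS cache that does not intercept traffic, with nothing in the plan to warn them. Default this to `false` for the first release, or at minimum put the kube-proxy mode caveat into the input description, and note that `node_local_dns_address` (`169.254.20.10`) is an IPv4 link-local address that does not apply to `ipv6` clusters.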
Expand All @@ -270,6 +287,7 @@ module "eks_essentials" {
| <a name="input_node_termination_handler_taint_node"></a> [node\_termination\_handler\_taint\_node](#input\_node\_termination\_handler\_taint\_node) | Taint node upon spot interruption termination notice | `bool` | `true` | no |
| <a name="input_node_termination_namespace"></a> [node\_termination\_namespace](#input\_node\_termination\_namespace) | Namespace to deploy Node Termination Handler | `string` | `"kube-system"` | no |
| <a name="input_node_termination_service_account"></a> [node\_termination\_service\_account](#input\_node\_termination\_service\_account) | Service account for Node Termination Handler pods | `string` | `"node-termination-handler"` | no |
| <a name="input_nodelocal_dns_cache_image_tag"></a> [nodelocal\_dns\_cache\_image\_tag](#input\_nodelocal\_dns\_cache\_image\_tag) | The image tag for the nodelocal DNS cache | `string` | `"1.25.0"` | no |
| <a name="input_oidc_provider_arn"></a> [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | ARN of the OIDC Provider for IRSA | `string` | n/a | yes |
| <a name="input_pod_annotations"></a> [pod\_annotations](#input\_pod\_annotations) | Extra annotations for pods | `map(string)` | `{}` | no |
| <a name="input_pod_labels"></a> [pod\_labels](#input\_pod\_labels) | Extra labels for pods | `map(string)` | `{}` | no |
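Review bot: the new inputs use two naming schemes for the same feature, `node_local_dns_address` / `node_local_dns_cache_enabled` versus `nodelocal_dns_cache_image_tag`; rename the tag variable to `node_local_dns_cache_image_tag` before this ships so the three sort together in the table and in editor completion, and so consumers do not have to remember two spellings. The description "The image tag for the nodelocal DNS cache" should also name the image repository the tag applies to, since the table gives no repository input for it.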
18 changes: 18 additions & 0 deletions modules/essentials/nodelocaldns.tf
@@ -0,0 +1,18 @@
data "kubernetes_service" "kube_dns" {
metadata {
name = "kube-dns"
namespace = "kube-system"
}
}

# Not compatible with `IPVS`/`NFTables` mode of kube-proxy, code is only for `IPTABLES` mode
resource "kubectl_manifest" "nodelocaldns" {
count = var.node_local_dns_cache_enabled ? 1 : 0

yaml_body = templatefile("${path.module}/templates/nodelocaldns.yaml", {
PILLAR__DNS__DOMAIN = var.cluster_domain_name
PILLAR__LOCAL__DNS = var.node_local_dns_address
PILLAR__DNS__SERVER = try(data.kubernetes_service.kube_dns.spec.0.cluster_ip, "172.20.0.10")
tag = var.nodelocal_dns_cache_image_tag
})
}
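Review bot: `try(data.kubernetes_service.kube_dns.spec.0.cluster_ip, "172.20.0.10")` silently substitutes a fixed upstream address whenever the `kube-dns` lookup fails, and that fallback is only right for clusters whose service CIDR happens to be `172.20.0.0/16`; the root README notes EKS may also use `10.100.0.0/16` or a custom `cluster_service_ipv4_cidr`, and `ipv6` clusters have no IPv4 service IP at all, so a failed lookup would produce a NodeLocal cache that forwards to nothing. Drop the fallback and let the data source fail loudly, or expose the upstream as an explicit variable; while here, read the `kube-dns` service only when `var.node_local_dns_cache_enabled` is set (it is currently fetched unconditionally), use `spec[0].cluster_ip` instead of the legacy `spec.0` splat, and consider turning the "only for `IPTABLES` mode" comment into a `precondition` or at least a documented input rather than a comment nobody reads at plan time.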