diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a4c73eb1c..1d2f951ea 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.96.2
+ rev: v1.96.3
hooks:
- id: terraform_fmt
- id: terraform_validate
@@ -14,6 +14,6 @@ repos:
- id: check-merge-conflict
- id: end-of-file-fixer
- repo: https://github.com/renovatebot/pre-commit-hooks
- rev: 38.142.6
+ rev: 39.91.2
hooks:
- id: renovate-config-validator
diff --git a/flux2.tf b/flux2.tf
index f99c9dbe5..0bd4e5961 100644
--- a/flux2.tf
+++ b/flux2.tf
@@ -10,7 +10,7 @@ locals {
create_ns = true
namespace = "flux-system"
path = "gitops/clusters/${var.cluster-name}"
- version = "v2.2.3"
+ version = "v2.4.0"
create_github_repository = false
repository = "gitops"
repository_visibility = "public"
diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index a00f3dcf7..3b9232c53 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -6,19 +6,19 @@ dependencies:
version: 0.13.2
repository: https://charts.admiralty.io
- name: secrets-store-csi-driver
- version: 1.4.6
+ version: 1.4.7
repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
- name: aws-ebs-csi-driver
- version: 2.37.0
+ version: 2.38.1
repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
- name: aws-efs-csi-driver
- version: 3.1.1
+ version: 3.1.4
repository: https://kubernetes-sigs.github.io/aws-efs-csi-driver
- name: aws-for-fluent-bit
version: 0.1.34
repository: https://aws.github.io/eks-charts
- name: aws-load-balancer-controller
- version: 1.10.1
+ version: 1.11.0
repository: https://aws.github.io/eks-charts
- name: aws-node-termination-handler
version: 0.21.0
@@ -30,7 +30,7 @@ dependencies:
version: v0.10.1
repository: https://charts.jetstack.io
- name: cluster-autoscaler
- version: 9.43.2
+ version: 9.45.0
repository: https://kubernetes.github.io/autoscaler
- name: external-dns
version: 1.15.0
@@ -39,7 +39,7 @@ dependencies:
version: 1.13.3
repository: https://charts.fluxcd.io
- name: ingress-nginx
- version: 4.11.3
+ version: 4.12.0
repository: https://kubernetes.github.io/ingress-nginx
- name: k8gb
version: v0.14.0
@@ -48,16 +48,16 @@ dependencies:
version: 1.7.2
repository: https://charts.helm.sh/stable
- name: karpenter
- version: 1.1.0
+ version: 1.1.1
repository: oci://public.ecr.aws/karpenter
- name: keda
- version: 2.16.0
+ version: 2.16.1
repository: https://kedacore.github.io/charts
- name: kong
- version: 2.43.0
+ version: 2.46.0
repository: https://charts.konghq.com
- name: kube-prometheus-stack
- version: 65.8.1
+ version: 67.8.0
repository: https://prometheus-community.github.io/helm-charts
- name: linkerd2-cni
version: 30.12.2
@@ -72,7 +72,7 @@ dependencies:
version: 30.12.11
repository: https://helm.linkerd.io/stable
- name: loki
- version: 6.22.0
+ version: 6.24.0
repository: https://grafana.github.io/helm-charts
- name: promtail
version: 6.16.6
@@ -96,25 +96,25 @@ dependencies:
version: v0.0.1
repository: https://particuleio.github.io/charts
- name: sealed-secrets
- version: 2.16.2
+ version: 2.17.0
repository: https://bitnami-labs.github.io/sealed-secrets
- - name: thanos
- version: 15.8.2
- repository: https://charts.bitnami.com/bitnami
+ - name: oci://registry-1.docker.io/bitnamicharts/thanos
+ version: 15.9.2
+ repository: ""
- name: tigera-operator
version: v3.29.1
repository: https://docs.projectcalico.org/charts
- name: traefik
- version: 33.1.0
+ version: 33.2.1
repository: https://helm.traefik.io/traefik
- - name: memcached
+ - name: oci://registry-1.docker.io/bitnamicharts/memcached
version: 7.5.3
- repository: https://charts.bitnami.com/bitnami
+ repository: ""
- name: velero
- version: 8.1.0
+ version: 8.2.0
repository: https://vmware-tanzu.github.io/helm-charts
- name: victoria-metrics-k8s-stack
- version: 0.30.0
+ version: 0.33.2
repository: https://victoriametrics.github.io/helm-charts/
- name: yet-another-cloudwatch-exporter
version: 0.14.0
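Review bot: The two OCI entries now overload `name` with the full `oci://registry-1.docker.io/bitnamicharts/...` reference and set `repository` to the empty string, so for these entries `name` is no longer a chart name while every other entry in the list still uses it as one; the consumers that read `.name` as a display name had to be special-cased (the `name = "thanos"` literals in modules/aws/thanos.tf, modules/google/thanos.tf and modules/google/thanos-receive.tf). A comment on the first OCI entry would make that contract explicit, e.g. `# OCI charts: name carries the full oci:// reference and repository must stay ""`. Writing `repository: ""` rather than a bare `repository:` is the right choice, since the bare form would parse as null. Both OCI charts are pinned by version tag only (15.9.2, 7.5.3); whether the consuming Helm provider can also pin them by digest is not visible here and would be worth checking, since a tag on a public registry can be re-pushed.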
diff --git a/modules/aws/kube-prometheus.tf b/modules/aws/kube-prometheus.tf
index c5e0185b0..690df52d1 100644
--- a/modules/aws/kube-prometheus.tf
+++ b/modules/aws/kube-prometheus.tf
@@ -19,7 +19,7 @@ locals {
thanos_bucket = "thanos-store-${var.cluster-name}"
thanos_bucket_force_destroy = false
thanos_store_config = null
- thanos_version = "v0.36.1"
+ thanos_version = "v0.37.2"
enabled = false
allowed_cidrs = ["0.0.0.0/0"]
default_network_policy = true
diff --git a/modules/aws/thanos-memcached.tf b/modules/aws/thanos-memcached.tf
index 362d30482..fbb7c8653 100644
--- a/modules/aws/thanos-memcached.tf
+++ b/modules/aws/thanos-memcached.tf
@@ -3,9 +3,9 @@ locals {
thanos-memcached = merge(
local.helm_defaults,
{
- chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "memcached")].name
- repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "memcached")].repository
- chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "memcached")].version
+ chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/memcached")].name
+ repository = ""
+ chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/memcached")].version
name = "thanos-memcached"
namespace = local.thanos["namespace"]
enabled = false
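Review bot: `repository = ""` on the new side is a hardcoded literal where the old code read `...].repository` from helm-dependencies.yaml, so the YAML's `repository: ""` for the OCI memcached entry is no longer what drives this local; if the chart is later moved back to an HTTP repository and only the YAML is updated, this block silently keeps the empty string. Keeping the lookup preserves the single source of truth: `repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/memcached")].repository`. The same literal `repository = ""` appears in modules/aws/thanos.tf, modules/google/thanos-memcached.tf, modules/google/thanos-receive.tf and modules/google/thanos.tf, where `name = "thanos"` is likewise a literal that used to be derived from the YAML entry. The long lookup key is repeated on two lines here; a single local holding it would stop the two from drifting apart. The enclosing `locals` block starts and ends outside the hunk.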
diff --git a/modules/aws/thanos.tf b/modules/aws/thanos.tf
index ef08a9df2..c672dac2a 100644
--- a/modules/aws/thanos.tf
+++ b/modules/aws/thanos.tf
@@ -3,10 +3,10 @@ locals {
thanos = merge(
local.helm_defaults,
{
- name = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
- chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
- repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].repository
- chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].version
+ name = "thanos"
+ chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].name
+ repository = ""
+ chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].version
namespace = "monitoring"
create_iam_resources_irsa = true
iam_policy_override = null
diff --git a/modules/google/README.md b/modules/google/README.md
index 27e25cb7b..aeae0f94b 100644
--- a/modules/google/README.md
+++ b/modules/google/README.md
@@ -48,30 +48,30 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
| Name | Source | Version |
|------|--------|---------|
-| [cert\_manager\_workload\_identity](#module\_cert\_manager\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 34.0.0 |
-| [external\_dns\_workload\_identity](#module\_external\_dns\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 34.0.0 |
-| [iam\_assumable\_sa\_kube-prometheus-stack\_grafana](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_grafana) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 34.0 |
-| [iam\_assumable\_sa\_kube-prometheus-stack\_thanos](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_thanos) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 34.0 |
-| [iam\_assumable\_sa\_loki-stack](#module\_iam\_assumable\_sa\_loki-stack) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 34.0 |
-| [iam\_assumable\_sa\_thanos-compactor](#module\_iam\_assumable\_sa\_thanos-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 34.0 |
-| [iam\_assumable\_sa\_thanos-receive](#module\_iam\_assumable\_sa\_thanos-receive) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 34.0 |
-| [iam\_assumable\_sa\_thanos-receive-compactor](#module\_iam\_assumable\_sa\_thanos-receive-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 34.0 |
-| [iam\_assumable\_sa\_thanos-receive-receive](#module\_iam\_assumable\_sa\_thanos-receive-receive) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 34.0 |
-| [iam\_assumable\_sa\_thanos-receive-sg](#module\_iam\_assumable\_sa\_thanos-receive-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 34.0 |
-| [iam\_assumable\_sa\_thanos-sg](#module\_iam\_assumable\_sa\_thanos-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 34.0 |
-| [iam\_assumable\_sa\_thanos-storegateway](#module\_iam\_assumable\_sa\_thanos-storegateway) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 34.0 |
+| [cert\_manager\_workload\_identity](#module\_cert\_manager\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0.0 |
+| [external\_dns\_workload\_identity](#module\_external\_dns\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0.0 |
+| [iam\_assumable\_sa\_kube-prometheus-stack\_grafana](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_grafana) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
+| [iam\_assumable\_sa\_kube-prometheus-stack\_thanos](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_thanos) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
+| [iam\_assumable\_sa\_loki-stack](#module\_iam\_assumable\_sa\_loki-stack) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
+| [iam\_assumable\_sa\_thanos-compactor](#module\_iam\_assumable\_sa\_thanos-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
+| [iam\_assumable\_sa\_thanos-receive](#module\_iam\_assumable\_sa\_thanos-receive) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
+| [iam\_assumable\_sa\_thanos-receive-compactor](#module\_iam\_assumable\_sa\_thanos-receive-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
+| [iam\_assumable\_sa\_thanos-receive-receive](#module\_iam\_assumable\_sa\_thanos-receive-receive) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
+| [iam\_assumable\_sa\_thanos-receive-sg](#module\_iam\_assumable\_sa\_thanos-receive-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
+| [iam\_assumable\_sa\_thanos-sg](#module\_iam\_assumable\_sa\_thanos-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
+| [iam\_assumable\_sa\_thanos-storegateway](#module\_iam\_assumable\_sa\_thanos-storegateway) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
+| [iam\_assumable\_sa\_velero](#module\_iam\_assumable\_sa\_velero) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
| [kube-prometheus-stack\_grafana-iam-member](#module\_kube-prometheus-stack\_grafana-iam-member) | terraform-google-modules/iam/google//modules/member_iam | ~> 8.0 |
-| [kube-prometheus-stack\_kube-prometheus-stack\_bucket](#module\_kube-prometheus-stack\_kube-prometheus-stack\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 8.0 |
+| [kube-prometheus-stack\_kube-prometheus-stack\_bucket](#module\_kube-prometheus-stack\_kube-prometheus-stack\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 9.0 |
| [kube-prometheus-stack\_thanos\_kms\_bucket](#module\_kube-prometheus-stack\_thanos\_kms\_bucket) | terraform-google-modules/kms/google | ~> 3.0 |
-| [loki-stack\_bucket](#module\_loki-stack\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 8.0 |
-| [loki-stack\_bucket\_iam](#module\_loki-stack\_bucket\_iam) | terraform-google-modules/iam/google//modules/storage_buckets_iam | ~> 8.0 |
+| [loki-stack\_bucket](#module\_loki-stack\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 9.0 |
| [loki-stack\_kms\_bucket](#module\_loki-stack\_kms\_bucket) | terraform-google-modules/kms/google | ~> 3.0 |
-| [thanos-receive\_bucket](#module\_thanos-receive\_bucket) | terraform-google-modules/cloud-storage/google | ~> 8.0 |
+| [thanos-receive\_bucket](#module\_thanos-receive\_bucket) | terraform-google-modules/cloud-storage/google | ~> 9.0 |
| [thanos-receive\_kms\_bucket](#module\_thanos-receive\_kms\_bucket) | terraform-google-modules/kms/google | ~> 3.0 |
| [thanos-storegateway\_bucket\_iam](#module\_thanos-storegateway\_bucket\_iam) | terraform-google-modules/iam/google//modules/storage_buckets_iam | ~> 8.0 |
-| [thanos\_bucket](#module\_thanos\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 8.0 |
+| [thanos\_bucket](#module\_thanos\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 9.0 |
| [thanos\_kms\_bucket](#module\_thanos\_kms\_bucket) | terraform-google-modules/kms/google | ~> 3.0 |
-| [velero\_bucket](#module\_velero\_bucket) | github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket | v8.0.1 |
+| [velero\_bucket](#module\_velero\_bucket) | github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket | v9.0.0 |
## Resources
@@ -85,10 +85,10 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
| [google_dns_managed_zone_iam_member.external_dns_cloud_dns_iam_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone_iam_member) | resource |
| [google_project_iam_custom_role.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
| [google_project_iam_member.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
-| [google_service_account.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
-| [google_service_account_iam_policy.admin-account-iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_policy) | resource |
| [google_storage_bucket_iam_member.kube_prometheus_stack_thanos_bucket_objectAdmin_iam_permission](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.kube_prometheus_stack_thanos_bucket_objectViewer_iam_permission](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
+| [google_storage_bucket_iam_member.loki-stack_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
+| [google_storage_bucket_iam_member.loki-stack_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos-receive-receive_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos-receive_compactor_gcs_iam_legacyBucketWriter_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos-receive_compactor_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
@@ -103,6 +103,8 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
| [google_storage_bucket_iam_member.thanos_receive_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos_sg_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [google_storage_bucket_iam_member.thanos_sg_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
+| [google_storage_bucket_iam_member.velero_gcs_iam_objectUser_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
+| [google_storage_bucket_iam_member.velero_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
@@ -249,7 +251,6 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
| [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
| [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
-| [google_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy) | data source |
| [google_project.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
| [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
| [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
diff --git a/modules/google/cert-manager.tf b/modules/google/cert-manager.tf
index 730e6093f..a273f14d4 100644
--- a/modules/google/cert-manager.tf
+++ b/modules/google/cert-manager.tf
@@ -7,7 +7,7 @@ locals {
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].version
namespace = "cert-manager"
- service_account_name = "cert-manager"
+ service_account_name = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].name
project_id = "default-0"
create_iam_resources = true
enable_monitoring = false
@@ -18,7 +18,7 @@ locals {
acme_email = "contact@acme.com"
acme_http01_enabled = true
acme_http01_ingress_class = "nginx"
- acme_dns01_enabled = true
+ acme_dns01_enabled = false
acme_dns01_provider = "clouddns"
acme_dns01_provider_clouddns = {
project_id = "default-0"
@@ -58,7 +58,7 @@ VALUES
module "cert_manager_workload_identity" {
count = local.cert-manager.create_iam_resources && local.cert-manager.enabled ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 34.0.0"
+ version = "~> 35.0.0"
name = local.cert-manager.service_account_name
namespace = local.cert-manager.namespace
project_id = local.cert-manager.project_id
@@ -71,7 +71,7 @@ module "cert_manager_workload_identity" {
# to deal with Cloud DNS. The IAM permissions will be set at the resource level (DNS zone) and not at the project
# level.
resource "google_dns_managed_zone_iam_member" "cert_manager_cloud_dns_iam_permissions" {
- count = local.cert-manager.create_iam_resources && local.cert-manager.enabled ? 1 : 0
+ count = local.cert-manager.acme_dns01_enabled && local.cert-manager.create_iam_resources && local.cert-manager.enabled ? 1 : 0
project = local.cert-manager.project_id
managed_zone = local.cert-manager.managed_zone
role = "roles/dns.admin"
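Review bot: Gating the `roles/dns.admin` zone binding on `acme_dns01_enabled` is the right least-privilege move, but together with the default flip to `acme_dns01_enabled = false` in the earlier hunk it means any deployment that relied on the previous default will have its managed-zone binding destroyed on the next apply, after which DNS-01 challenges against `acme_dns01_provider = "clouddns"` will fail. That behavior change deserves an upgrade note and a comment on the default, e.g. `# acme_dns01_enabled now defaults to false; set it to true to keep the roles/dns.admin binding on the managed zone`. The `google_dns_managed_zone_iam_member` resource continues outside the hunk.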
diff --git a/modules/google/external-dns.tf b/modules/google/external-dns.tf
index 24acc9604..1093fbbe2 100644
--- a/modules/google/external-dns.tf
+++ b/modules/google/external-dns.tf
@@ -55,7 +55,7 @@ locals {
# to be allowed to use the workload identity on GKE.
module "external_dns_workload_identity" {
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 34.0.0"
+ version = "~> 35.0.0"
for_each = { for k, v in local.external-dns : k => v if v.enabled && v.create_iam_resources }
diff --git a/modules/google/kube-prometheus.tf b/modules/google/kube-prometheus.tf
index 356880762..e104563de 100644
--- a/modules/google/kube-prometheus.tf
+++ b/modules/google/kube-prometheus.tf
@@ -21,7 +21,7 @@ locals {
thanos_bucket = "thanos-store-${var.cluster-name}"
thanos_bucket_force_destroy = false
thanos_store_config = null
- thanos_version = "v0.36.1"
+ thanos_version = "v0.37.2"
thanos_service_account = ""
enabled = false
allowed_cidrs = ["0.0.0.0/0"]
@@ -283,7 +283,7 @@ VALUES
module "iam_assumable_sa_kube-prometheus-stack_grafana" {
count = local.kube-prometheus-stack["enabled"] ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 34.0"
+ version = "~> 35.0"
namespace = local.kube-prometheus-stack["namespace"]
project_id = var.project_id
name = local.kube-prometheus-stack["grafana_service_account_name"]
@@ -294,7 +294,7 @@ module "iam_assumable_sa_kube-prometheus-stack_grafana" {
module "iam_assumable_sa_kube-prometheus-stack_thanos" {
count = local.kube-prometheus-stack["enabled"] && local.kube-prometheus-stack["thanos_sidecar_enabled"] ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 34.0"
+ version = "~> 35.0"
namespace = local.kube-prometheus-stack["namespace"]
project_id = var.project_id
name = "${local.kube-prometheus-stack["name_prefix"]}-thanos"
@@ -363,7 +363,7 @@ module "kube-prometheus-stack_kube-prometheus-stack_bucket" {
count = local.kube-prometheus-stack["enabled"] && local.kube-prometheus-stack["thanos_create_bucket"] && local.kube-prometheus-stack["thanos_sidecar_enabled"] ? 1 : 0
source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
- version = "~> 8.0"
+ version = "~> 9.0"
project_id = var.project_id
location = data.google_client_config.current.region
diff --git a/modules/google/loki-stack.tf b/modules/google/loki-stack.tf
index 513a902cd..cf89d76a0 100644
--- a/modules/google/loki-stack.tf
+++ b/modules/google/loki-stack.tf
@@ -6,6 +6,7 @@ locals {
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "loki")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "loki")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "loki")].version
+ service_account_name = local.helm_dependencies[index(local.helm_dependencies.*.name, "loki")].name
namespace = "monitoring"
create_iam_resources = true
iam_policy_override = null
@@ -28,6 +29,8 @@ locals {
)
values_loki-stack = <<-VALUES
+ lokiCanary:
+ enabled: false
test:
enabled: false
serviceMonitor:
@@ -38,13 +41,12 @@ locals {
prometheus.io/service-monitor: "false"
priorityClassName: ${local.priority-class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
serviceAccount:
- create: false
+ annotations:
+ iam.gke.io/gcp-service-account: "${local.loki-stack.create_iam_resources && local.loki-stack.enabled ? module.iam_assumable_sa_loki-stack[0].gcp_service_account_email : ""}"
persistence:
enabled: true
loki:
auth_enabled: false
- compactor:
- shared_store: gcs
storage:
bucketNames:
chunks: "${local.loki-stack["bucket"]}"
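Review bot: Dropping `create: false` from `serviceAccount` leaves creation of the Kubernetes service account to the chart's default, while the workload-identity module rewritten in the later hunk sets `use_existing_k8s_sa = true` and `annotate_k8s_sa = false`, so nothing in Terraform creates or annotates the KSA; the `iam.gke.io/gcp-service-account` annotation added here is the only thing binding the KSA to the GCP SA, and it depends on the chart creating the KSA. Making that explicit with `create: true` directly above `annotations:` documents the intent and guards against a chart-default change. When IAM resources are disabled the annotation value falls back to `""`, which yields an empty annotation rather than no annotation — presumably harmless, but worth confirming against how GKE treats an empty value. The `values_loki-stack` heredoc starts and ends outside the hunk.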
@@ -59,38 +61,29 @@ locals {
index:
prefix: loki_index_
period: 24h
+ - from: 2024-12-20
+ store: tsdb
+ object_store: gcs
+ schema: v13
+ index:
+ prefix: loki_index_
+ period: 24h
storage_config:
gcs:
bucket_name: "${local.loki-stack["bucket"]}"
- boltdb_shipper:
- shared_store: gcs
VALUES
}
module "iam_assumable_sa_loki-stack" {
- count = local.loki-stack["enabled"] ? 1 : 0
- source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 34.0"
- namespace = local.loki-stack["namespace"]
- project_id = var.project_id
- name = local.loki-stack["name"]
-}
-
-module "loki-stack_bucket_iam" {
- count = local.loki-stack["enabled"] ? 1 : 0
- source = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
- version = "~> 8.0"
-
- mode = "additive"
- storage_buckets = [local.loki-stack["bucket"]]
- bindings = {
- "roles/storage.objectViewer" = [
- "serviceAccount:${module.iam_assumable_sa_loki-stack[0].gcp_service_account_email}"
- ]
- "roles/storage.objectCreator" = [
- "serviceAccount:${module.iam_assumable_sa_loki-stack[0].gcp_service_account_email}"
- ]
- }
+ count = local.loki-stack["enabled"] ? 1 : 0
+ source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+ version = "~> 35.0"
+ namespace = local.loki-stack["namespace"]
+ project_id = var.project_id
+ name = local.loki-stack.service_account_name
+ gcp_sa_name = "${local.loki-stack.service_account_name}-stack"
+ use_existing_k8s_sa = true
+ annotate_k8s_sa = false
}
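Review bot: `module.iam_assumable_sa_loki-stack` is still gated only on `local.loki-stack["enabled"]`, while the chart values in the earlier hunk gate the KSA annotation on `create_iam_resources && enabled`; with `create_iam_resources = false` the GCP service account, its workload-identity binding and the two `google_storage_bucket_iam_member` resources in the following hunk are still created although nothing in the cluster is wired to use them. Suggest `count = local.loki-stack["enabled"] && local.loki-stack["create_iam_resources"] ? 1 : 0` on the module and on both bucket IAM members so the three agree with the values template. The new `gcp_sa_name = "${local.loki-stack.service_account_name}-stack"` appears intended to keep the GCP SA name the old module derived from `name = local.loki-stack["name"]`; a one-line comment saying so would save the next reader from guessing. The removed `loki-stack_bucket_iam` module was additive and the replacement members are additive too, so the bucket policy semantics look preserved.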
resource "kubernetes_namespace" "loki-stack" {
@@ -184,7 +177,7 @@ module "loki-stack_bucket" {
count = local.loki-stack["enabled"] && local.loki-stack["create_bucket"] ? 1 : 0
source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
- version = "~> 8.0"
+ version = "~> 9.0"
project_id = var.project_id
location = local.loki-stack["bucket_location"]
@@ -193,7 +186,26 @@ module "loki-stack_bucket" {
encryption = {
default_kms_key_name = module.loki-stack_kms_bucket[0].keys.loki-stack
}
+}
+
+resource "google_storage_bucket_iam_member" "loki-stack_gcs_iam_objectViewer_permissions" {
+ count = local.loki-stack["enabled"] ? 1 : 0
+ bucket = local.loki-stack["bucket"]
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${module.iam_assumable_sa_loki-stack[0].gcp_service_account_email}"
+ depends_on = [
+ module.loki-stack_bucket
+ ]
+}
+resource "google_storage_bucket_iam_member" "loki-stack_gcs_iam_objectCreator_permissions" {
+ count = local.loki-stack["enabled"] ? 1 : 0
+ bucket = local.loki-stack["bucket"]
+ role = "roles/storage.objectCreator"
+ member = "serviceAccount:${module.iam_assumable_sa_loki-stack[0].gcp_service_account_email}"
+ depends_on = [
+ module.loki-stack_bucket
+ ]
}
resource "tls_private_key" "loki-stack-ca-key" {
diff --git a/modules/google/thanos-memcached.tf b/modules/google/thanos-memcached.tf
index 362d30482..fbb7c8653 100644
--- a/modules/google/thanos-memcached.tf
+++ b/modules/google/thanos-memcached.tf
@@ -3,9 +3,9 @@ locals {
thanos-memcached = merge(
local.helm_defaults,
{
- chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "memcached")].name
- repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "memcached")].repository
- chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "memcached")].version
+ chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/memcached")].name
+ repository = ""
+ chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/memcached")].version
name = "thanos-memcached"
namespace = local.thanos["namespace"]
enabled = false
diff --git a/modules/google/thanos-receive.tf b/modules/google/thanos-receive.tf
index 964d918d1..1cc9c155f 100644
--- a/modules/google/thanos-receive.tf
+++ b/modules/google/thanos-receive.tf
@@ -3,10 +3,10 @@ locals {
thanos-receive = merge(
local.helm_defaults,
{
- name = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
- chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
- repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].repository
- chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].version
+ name = "thanos"
+ chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].name
+ repository = ""
+ chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].version
namespace = "monitoring"
create_iam_resources = true
iam_policy_override = null
@@ -120,7 +120,7 @@ locals {
module "iam_assumable_sa_thanos-receive-receive" {
count = local.thanos-receive["enabled"] ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 34.0"
+ version = "~> 35.0"
namespace = local.thanos-receive["namespace"]
project_id = var.project_id
name = "${local.thanos-receive["name"]}-receive"
@@ -131,7 +131,7 @@ module "iam_assumable_sa_thanos-receive-receive" {
module "iam_assumable_sa_thanos-receive-compactor" {
count = local.thanos-receive["enabled"] ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 34.0"
+ version = "~> 35.0"
namespace = local.thanos-receive["namespace"]
project_id = var.project_id
name = "${local.thanos-receive["name"]}-compactor"
@@ -142,7 +142,7 @@ module "iam_assumable_sa_thanos-receive-compactor" {
module "iam_assumable_sa_thanos-receive-sg" {
count = local.thanos-receive["enabled"] ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 34.0"
+ version = "~> 35.0"
namespace = local.thanos-receive["namespace"]
project_id = var.project_id
name = "${local.thanos-receive["name"]}-storegateway"
@@ -154,7 +154,7 @@ module "thanos-receive_bucket" {
count = local.thanos-receive["enabled"] && local.thanos-receive["create_bucket"] ? 1 : 0
source = "terraform-google-modules/cloud-storage/google"
- version = "~> 8.0"
+ version = "~> 9.0"
project_id = var.project_id
location = data.google_client_config.current.region
diff --git a/modules/google/thanos-storegateway.tf b/modules/google/thanos-storegateway.tf
index 916cad208..3b022756c 100644
--- a/modules/google/thanos-storegateway.tf
+++ b/modules/google/thanos-storegateway.tf
@@ -58,7 +58,7 @@ locals {
module "iam_assumable_sa_thanos-storegateway" {
for_each = local.thanos-storegateway
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 34.0"
+ version = "~> 35.0"
namespace = each.value["namespace"]
project_id = data.google_project.current.id
name = "${each.value["name_prefix"]}-${each.key}"
diff --git a/modules/google/thanos.tf b/modules/google/thanos.tf
index e16590d23..ca51a9726 100644
--- a/modules/google/thanos.tf
+++ b/modules/google/thanos.tf
@@ -3,10 +3,10 @@ locals {
thanos = merge(
local.helm_defaults,
{
- name = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
- chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
- repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].repository
- chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].version
+ name = "thanos"
+ chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].name
+ repository = ""
+ chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].version
namespace = "monitoring"
create_iam_resources = true
iam_policy_override = null
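Review bot: The literal `name = "thanos"` replaces a lookup whose `.name` now yields the full `oci://registry-1.docker.io/bitnamicharts/thanos` reference, and `repository = ""` leaves the helm provider to resolve the chart from that reference in `chart` alone; nothing in the hunk says either is intentional. A comment above `name`, e.g. `# OCI chart: "chart" carries the full oci:// reference, so the release name is fixed here and "repository" stays empty`, would spare the next reader a trip to helm-dependencies.yaml. The same pattern, with the same missing note, is applied in modules/scaleway/thanos-memcached.tf and modules/scaleway/thanos.tf further down this diff. The enclosing `locals` block continues outside the hunk.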
@@ -224,7 +224,7 @@ locals {
module "iam_assumable_sa_thanos-receive" {
count = local.thanos["enabled"] ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 34.0"
+ version = "~> 35.0"
namespace = local.thanos["namespace"]
project_id = var.project_id
name = "${local.thanos["name"]}-receive"
@@ -235,7 +235,7 @@ module "iam_assumable_sa_thanos-receive" {
module "iam_assumable_sa_thanos-compactor" {
count = local.thanos["enabled"] ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 34.0"
+ version = "~> 35.0"
namespace = local.thanos["namespace"]
project_id = var.project_id
name = "${local.thanos["name"]}-compactor"
@@ -246,7 +246,7 @@ module "iam_assumable_sa_thanos-compactor" {
module "iam_assumable_sa_thanos-sg" {
count = local.thanos["enabled"] ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 34.0"
+ version = "~> 35.0"
namespace = local.thanos["namespace"]
project_id = var.project_id
name = "${local.thanos["name"]}-storegateway"
@@ -258,7 +258,7 @@ module "thanos_bucket" {
count = local.thanos["enabled"] && local.thanos["create_bucket"] ? 1 : 0
source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
- version = "~> 8.0"
+ version = "~> 9.0"
project_id = var.project_id
location = local.thanos["bucket_location"]
diff --git a/modules/google/velero.tf b/modules/google/velero.tf
index 498038b4d..b42d9da0f 100644
--- a/modules/google/velero.tf
+++ b/modules/google/velero.tf
@@ -7,10 +7,9 @@ locals {
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].version
namespace = "velero"
- service_account_name = "velero"
+ service_account_name = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].name
enabled = false
- create_iam_account = true
- iam_account_name = "gke-${substr(var.cluster-name, 0, 18)}-velero"
+ create_iam_resources = true
create_bucket = true
bucket = "${var.cluster-name}-velero"
bucket_location = "eu"
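Review bot: `create_iam_account` is removed from the `velero` locals here, but unchanged context lines later in this file still index it: the `google_project_iam_custom_role.velero` count and the `google_project_iam_member.velero` count both read `local.velero["create_iam_account"]`. Unless `local.helm_defaults` happens to supply that key, the plan fails on an unknown map key; if it does supply it, the custom role and its binding are gated on a different flag than the new `iam_assumable_sa_velero` module they dereference. Both counts should read `local.velero["create_iam_resources"]`. The `locals` block continues outside the hunk.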
@@ -39,7 +38,7 @@ configuration:
bucket: ${local.velero["bucket"]}
default: true
config:
- serviceAccount: ${local.velero["create_iam_account"] ? google_service_account.velero[0].email : "@@SETTHIS@@"}
+ serviceAccount: ${local.velero.create_iam_resources && local.velero.enabled ? module.iam_assumable_sa_velero[0].gcp_service_account_email : "@@SETTHIS@@"}
volumeSnapshotLocation:
- name: gcp
provider: velero.io/gcp
@@ -49,7 +48,7 @@ serviceAccount:
name: ${local.velero["service_account_name"]}
create: true
annotations:
- ${local.velero["create_iam_account"] ? "iam.gke.io/gcp-service-account: ${google_service_account.velero[0].email}" : ""}
+ ${local.velero["enabled"] && local.velero["create_iam_resources"] ? "iam.gke.io/gcp-service-account: ${module.iam_assumable_sa_velero[0].gcp_service_account_email}" : ""}
priorityClassName: ${local.priority-class-ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
credentials:
useSecret: false
@@ -66,7 +65,7 @@ VALUES
resource "google_project_iam_custom_role" "velero" {
count = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
- role_id = replace(local.velero["iam_account_name"], "-", "_")
+ role_id = replace(local.velero["service_account_name"], "-", "_")
title = "${var.cluster-name} - velero"
description = "IAM role used by velero on ${var.cluster-name} to perform backup operations"
permissions = [
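Review bot: `role_id` is now derived from `service_account_name`, which resolves to `velero`, so the custom role id loses the cluster qualifier the previous `gke-${substr(var.cluster-name, 0, 18)}-velero` value carried; `google_project_iam_custom_role` is project-scoped, so a second cluster deployed into the same project would try to create the same `velero` role and fail. Keeping the cluster in the id, e.g. `role_id = replace("gke-${substr(var.cluster-name, 0, 18)}-velero", "-", "_")`, preserves the old uniqueness without reintroducing the removed local. The resource's `count` on the context line above still references `create_iam_account`, which this commit removes from the locals. The resource body continues outside the hunk.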
@@ -89,39 +88,28 @@ resource "google_project_iam_custom_role" "velero" {
]
}
-resource "google_service_account" "velero" {
- count = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
- account_id = local.velero["iam_account_name"]
- display_name = "Velero on GKE ${var.cluster-name}"
- description = "Service account for Velero on GKE cluster ${var.cluster-name}"
-}
-
resource "google_project_iam_member" "velero" {
count = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
project = data.google_project.current.project_id
role = google_project_iam_custom_role.velero[0].id
- member = google_service_account.velero[0].member
+ member = "serviceAccount:${module.iam_assumable_sa_velero[0].gcp_service_account_email}"
}
-data "google_iam_policy" "velero" {
- binding {
- role = "roles/iam.workloadIdentityUser"
-
- members = [
- "serviceAccount:${data.google_project.current.project_id}.svc.id.goog[${local.velero["namespace"]}/${local.velero["service_account_name"]}]",
- ]
- }
+module "iam_assumable_sa_velero" {
+ count = local.velero["enabled"] && local.velero.create_iam_resources ? 1 : 0
+ source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+ version = "~> 35.0"
+ namespace = local.velero["namespace"]
+ project_id = var.project_id
+ name = local.velero.service_account_name
+ use_existing_k8s_sa = true
+ annotate_k8s_sa = false
}
-resource "google_service_account_iam_policy" "admin-account-iam" {
- count = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
- service_account_id = google_service_account.velero[0].name
- policy_data = data.google_iam_policy.velero.policy_data
-}
module "velero_bucket" {
count = (local.velero["enabled"] && local.velero["create_bucket"]) ? 1 : 0
- source = "github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket?ref=v8.0.1"
+ source = "github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket?ref=v9.0.0"
name = local.velero["name_prefix"]
project_id = data.google_project.current.project_id
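Review bot: `google_project_iam_member.velero` keeps its `create_iam_account` gate while dereferencing `module.iam_assumable_sa_velero[0]`, which is only created under `create_iam_resources`; aligning its count to `count = local.velero["enabled"] && local.velero.create_iam_resources ? 1 : 0` avoids an index error at plan time when the two flags differ. The module is configured with `use_existing_k8s_sa = true` and `annotate_k8s_sa = false`, so presumably it touches neither the Kubernetes service account nor its annotation and the chart's `serviceAccount` values in the earlier hunk are the only place the `iam.gke.io/gcp-service-account` binding is expressed; a one-line comment on the module stating that would make the split of responsibilities explicit. `module "velero_bucket"` pins its source through a git tag (`?ref=v9.0.0`) while the other cloud-storage consumers in this diff use the registry source with `version = "~> 9.0"`; a tag is mutable, so either switch to the registry form or pin the ref to a commit. The `velero_bucket` block continues outside the hunk.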
@@ -130,14 +118,26 @@ module "velero_bucket" {
location = local.velero["bucket_location"]
force_destroy = local.velero["bucket_force_destroy"]
+}
- iam_members = [
- {
- role = "roles/storage.objectUser"
- member = "serviceAccount:${local.velero["iam_account_name"]}@${data.google_project.current.project_id}.iam.gserviceaccount.com" # This should be google_service_account.velero[0].member, but it's included in a loop so we have to determine it before apply
- }
+resource "google_storage_bucket_iam_member" "velero_gcs_iam_objectUser_permissions" {
+ count = local.velero["enabled"] ? 1 : 0
+ bucket = local.velero["bucket"]
+ role = "roles/storage.objectUser"
+ member = "serviceAccount:${module.iam_assumable_sa_velero[0].gcp_service_account_email}"
+ depends_on = [
+ module.velero_bucket
+ ]
+}
+
+resource "google_storage_bucket_iam_member" "velero_gcs_iam_objectViewer_permissions" {
+ count = local.velero["enabled"] ? 1 : 0
+ bucket = local.velero["bucket"]
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${module.iam_assumable_sa_velero[0].gcp_service_account_email}"
+ depends_on = [
+ module.velero_bucket
]
- depends_on = [google_service_account.velero]
}
resource "kubernetes_namespace" "velero" {
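Review bot: Both `google_storage_bucket_iam_member` resources are gated on `local.velero["enabled"]` alone but dereference `module.iam_assumable_sa_velero[0]`, whose count additionally requires `create_iam_resources`; with that flag off the plan fails on the index. Use `count = local.velero["enabled"] && local.velero.create_iam_resources ? 1 : 0` on both. `roles/storage.objectViewer` appears to be a subset of `roles/storage.objectUser` (object get/list versus get/list/create/delete/update), so the second binding looks redundant — confirm against the current role definitions before dropping it. The hunk starts inside `module "velero_bucket"`, whose header is outside the hunk; the `+}` at the top closes it.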
diff --git a/modules/scaleway/kube-prometheus.tf b/modules/scaleway/kube-prometheus.tf
index cabfa7ec9..2595bc63b 100644
--- a/modules/scaleway/kube-prometheus.tf
+++ b/modules/scaleway/kube-prometheus.tf
@@ -13,7 +13,7 @@ locals {
thanos_bucket = "thanos-store-${var.cluster-name}"
thanos_bucket_region = local.scaleway["region"]
thanos_store_config = null
- thanos_version = "v0.36.1"
+ thanos_version = "v0.37.2"
enabled = false
allowed_cidrs = ["0.0.0.0/0"]
default_network_policy = true
diff --git a/modules/scaleway/thanos-memcached.tf b/modules/scaleway/thanos-memcached.tf
index 362d30482..fbb7c8653 100644
--- a/modules/scaleway/thanos-memcached.tf
+++ b/modules/scaleway/thanos-memcached.tf
@@ -3,9 +3,9 @@ locals {
thanos-memcached = merge(
local.helm_defaults,
{
- chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "memcached")].name
- repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "memcached")].repository
- chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "memcached")].version
+ chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/memcached")].name
+ repository = ""
+ chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/memcached")].version
name = "thanos-memcached"
namespace = local.thanos["namespace"]
enabled = false
diff --git a/modules/scaleway/thanos.tf b/modules/scaleway/thanos.tf
index 3f5ac6b76..9c0bf21cb 100644
--- a/modules/scaleway/thanos.tf
+++ b/modules/scaleway/thanos.tf
@@ -3,10 +3,10 @@ locals {
thanos = merge(
local.helm_defaults,
{
- name = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
- chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
- repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].repository
- chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].version
+ name = "thanos"
+ chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].name
+ repository = ""
+ chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "oci://registry-1.docker.io/bitnamicharts/thanos")].version
namespace = "monitoring"
iam_policy_override = null
create_ns = false