Live AWS with native VPC CNI example (#519)

Author: apasyniuk

examples/eks/eks_cluster_live_migration/README.MD

@@ -0,0 +1,40 @@
+## EKS and CAST AI example with CAST AI Autoscaler policies and additional Node Configurations
+
+Following this example shows how to onboard EKS cluster to CAST AI (Phase 2), and configure CAST AI Live Migration capability.
+
+IAM policies required to connect the cluster to CAST AI in the example are created by [castai/eks-role-iam/castai module](https://github.com/castai/terraform-castai-eks-role-iam).
+
+CAST AI modules are places in one umbrella module that can be reused for different clusters and enabled/disabled
+
+Example configuration should be analysed in the following order:
+1. Create VPC - `vpc.tf`
+2. Create EKS cluster - `eks.tf`
+3. Create IAM and other CAST AI related resources to connect EKS cluster to CAST AI, configure Autoscaler and Node Configurations  - `castai.tf`
+
+# Usage
+1. Rename `tf.vars.example` to `tf.vars`
+2. Update `tf.vars` file with your cluster name, cluster region and CAST AI API token.
+
+| Variable | Description |
+| --- | --- |
+| cluster_name                = "" | Name of cluster |
+| cluster_region              = "" | Name of region of cluster |
+| castai_api_token            = "" | Cast api token |
+
+3. Initialize Terraform. Under example root folder run:
+```
+terraform init
+```
+4. Run Terraform apply:
+```
+terraform apply -var-file=tf.vars
+```
+5. To destroy resources created by this example:
+```
+terraform destroy -var-file=tf.vars
+```
+
+> **Note**
+>
+> If you are onboarding existing cluster to CAST AI you need to also update [aws-auth](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) configmap. In the configmap instance profile
+> used by CAST AI has to be present. Example of entry can be found [here](https://github.com/castai/terraform-provider-castai/blob/157babd57b0977f499eb162e9bee27bee51d292a/examples/eks/eks_cluster_autoscaler_polices/eks.tf#L28-L38).

examples/eks/eks_cluster_live_migration/castai.tf

@@ -0,0 +1,17 @@
+module "cluster" {
+  source = "./module/castai"
+  count  = var.enable_castai ? 1 : 0
+
+  cluster_name     = var.cluster_name
+  castai_api_token = var.castai_api_token
+  cluster_region   = var.cluster_region
+  vpc_id           = module.vpc.vpc_id
+  security_groups = [
+    module.eks.cluster_security_group_id,
+    module.eks.node_security_group_id,
+    aws_security_group.additional.id,
+  ]
+  subnets            = module.vpc.private_subnets
+  live_proxy_version = var.live_proxy_version
+  live_helm_version  = var.live_helm_version
+}

examples/eks/eks_cluster_live_migration/eks.tf

@@ -0,0 +1,81 @@
+# 2. Create EKS cluster.
+module "eks" {
+  source       = "terraform-aws-modules/eks/aws"
+  version      = "19.4.2"
+  putin_khuylo = true
+
+  cluster_name                   = var.cluster_name
+  cluster_version                = var.cluster_version
+  cluster_endpoint_public_access = true
+
+  cluster_addons = {
+    coredns = {
+      most_recent = true
+    }
+    kube-proxy = {
+      most_recent = true
+    }
+    vpc-cni = {
+      most_recent = true
+    }
+  }
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  manage_aws_auth_configmap = true
+
+  aws_auth_roles = [
+    # Add the CAST AI IAM role which required for CAST AI nodes to join the cluster.
+    {
+      rolearn  = module.cluster[0].instance_profile_role_arn
+      username = "system:node:{{EC2PrivateDNSName}}"
+      groups = [
+        "system:bootstrappers",
+        "system:nodes",
+      ]
+    },
+  ]
+
+  self_managed_node_groups = {
+    node_group_1 = {
+      name          = "${var.cluster_name}-ng-1"
+      instance_type = "m5.large"
+      max_size      = 5
+      min_size      = 2
+      desired_size  = 2
+    }
+  }
+
+  eks_managed_node_groups = {
+    node_group_spot = {
+      name         = "${var.cluster_name}-spot"
+      min_size     = 1
+      max_size     = 10
+      desired_size = 1
+
+      instance_types = ["t3.large"]
+      capacity_type  = "SPOT"
+
+      update_config = {
+        max_unavailable_percentage = 50 # or set `max_unavailable`
+      }
+    }
+  }
+
+}
+
+# Example additional security group.
+resource "aws_security_group" "additional" {
+  name_prefix = "${var.cluster_name}-additional"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    from_port = 22
+    to_port   = 22
+    protocol  = "tcp"
+    cidr_blocks = [
+      "10.0.0.0/8",
+    ]
+  }
+}

examples/eks/eks_cluster_live_migration/module/castai/castai.tf

@@ -0,0 +1,178 @@
+locals {
+  role_name = "castai-eks-role"
+
+  default_node_cfg = {
+    default = {
+      subnets              = var.subnets
+      tags                 = var.tags
+      security_groups      = var.security_groups
+      instance_profile_arn = module.castai-eks-role-iam.instance_profile_arn
+    }
+  }
+
+  default_node_tmpl = {
+    default_by_castai = {
+      name = "default-by-castai"
+      configuration_id = module.castai-eks-cluster.castai_node_configurations[
+        "default"
+      ]
+      is_default   = true
+      is_enabled   = true
+      should_taint = false
+
+      constraints = {
+        on_demand          = true
+        spot               = true
+        use_spot_fallbacks = true
+
+        enable_spot_diversity                       = false
+        spot_diversity_price_increase_limit_percent = 20
+
+        spot_interruption_predictions_enabled = true
+        spot_interruption_predictions_type    = "aws-rebalance-recommendations"
+      }
+    }
+  }
+
+  node_configuration = merge(local.default_node_cfg, {
+    live = {
+      subnets              = var.subnets,
+      instance_profile_arn = module.castai-eks-role-iam.instance_profile_arn
+      security_groups      = var.security_groups
+      init_script = base64encode(templatefile("${path.module}/eks-init-script.sh", {
+        live_proxy_version = trimspace(var.live_proxy_version)
+      }))
+      container_runtime = "containerd"
+      eks_image_family  = "al2023"
+    }
+  })
+
+  node_templates = merge(local.default_node_tmpl, {
+    live_tmpl = {
+      configuration_id = module.castai-eks-cluster.castai_node_configurations["live"]
+      is_enabled       = true
+      should_taint     = true
+    }
+  })
+}
+
+# Configure Data sources and providers required for CAST AI connection.
+data "aws_caller_identity" "current" {}
+
+resource "castai_eks_user_arn" "castai_user_arn" {
+  cluster_id = castai_eks_clusterid.cluster_id.id
+}
+
+# Create AWS IAM policies and a user to connect to CAST AI.
+module "castai-eks-role-iam" {
+  source = "castai/eks-role-iam/castai"
+
+  aws_account_id     = data.aws_caller_identity.current.account_id
+  aws_cluster_region = var.cluster_region
+  aws_cluster_name   = var.cluster_name
+  aws_cluster_vpc_id = var.vpc_id
+
+  castai_user_arn = castai_eks_user_arn.castai_user_arn.arn
+
+  create_iam_resources_per_cluster = true
+}
+
+# Configure EKS cluster connection using CAST AI eks-cluster module.
+resource "castai_eks_clusterid" "cluster_id" {
+  account_id   = data.aws_caller_identity.current.account_id
+  region       = var.cluster_region
+  cluster_name = var.cluster_name
+}
+
+module "castai-eks-cluster" {
+  source = "castai/eks-cluster/castai"
+
+  api_url                = var.castai_api_url
+  castai_api_token       = var.castai_api_token
+  grpc_url               = var.castai_grpc_url
+  wait_for_cluster_ready = true
+
+  aws_account_id     = data.aws_caller_identity.current.account_id
+  aws_cluster_region = var.cluster_region
+  aws_cluster_name   = var.cluster_name
+
+  aws_assume_role_arn        = module.castai-eks-role-iam.role_arn
+  delete_nodes_on_disconnect = var.delete_nodes_on_disconnect
+
+  default_node_configuration = module.castai-eks-cluster.castai_node_configurations["default"]
+
+  node_configurations = local.node_configuration
+
+  node_templates = local.node_templates
+
+  autoscaler_settings = {
+    enabled                                 = true
+    is_scoped_mode                          = false
+    node_templates_partial_matching_enabled = false
+
+    unschedulable_pods = {
+      enabled = true
+    }
+
+    node_downscaler = {
+      enabled = true
+
+      empty_nodes = {
+        enabled = true
+      }
+
+      evictor = {
+        aggressive_mode           = false
+        cycle_interval            = "5m10s"
+        dry_run                   = false
+        enabled                   = true
+        node_grace_period_minutes = 10
+        scoped_mode               = false
+      }
+    }
+
+    cluster_limits = {
+      enabled = true
+
+      cpu = {
+        max_cores = 20
+        min_cores = 1
+      }
+    }
+  }
+
+  # depends_on helps Terraform with creating proper dependencies graph in case of resource creation and in this case destroy.
+  # module "castai-eks-cluster" has to be destroyed before module "castai-eks-role-iam".
+  depends_on = [module.castai-eks-role-iam]
+}
+
+resource "helm_release" "live-helm" {
+  name = "castai-live"
+
+  repository = "https://castai.github.io/helm-charts"
+  chart      = "castai-live"
+  version    = var.live_helm_version
+
+  namespace         = "castai-live"
+  create_namespace  = true
+  dependency_update = true
+
+  set {
+    name  = "castai-aws-vpc-cni.enabled"
+    value = "true"
+  }
+
+  set {
+    name  = "castai.clusterID"
+    value = castai_eks_clusterid.cluster_id.id
+  }
+
+  set {
+    name  = "castai.apiKey"
+    value = var.castai_api_token
+  }
+
+  wait = false
+
+  depends_on = [module.castai-eks-cluster]
+}

…ks/eks_live_migration/eks-init-script.sh …gration/module/castai/eks-init-script.shexamples/eks/eks_live_migration/eks-init-script.sh renamed to examples/eks/eks_cluster_live_migration/module/castai/eks-init-script.sh examples/eks/eks_live_migration/eks-init-script.sh renamed to examples/eks/eks_cluster_live_migration/module/castai/eks-init-script.sh

@@ -14,31 +14,31 @@ case "$ARCH" in
     ;;
 esac
 
-CRI_URL=https://storage.googleapis.com/castai-node-components/castai-cri-proxy/releases/0.27.0
+CRI_URL=https://storage.googleapis.com/castai-node-components/castai-cri-proxy/releases/${live_proxy_version}
 
-wget ${CRI_URL}/castai-cri-proxy-linux-${ARCH}.tar.gz -O /var/tmp/castai-cri-proxy-linux-${ARCH}.tar.gz
-wget ${CRI_URL}/castai-cri-proxy_SHA256SUMS -O /var/tmp/proxy_SHA256SUMS
+wget $CRI_URL/castai-cri-proxy-linux-$ARCH.tar.gz -O /var/tmp/castai-cri-proxy-linux-$ARCH.tar.gz
+wget $CRI_URL/castai-cri-proxy_SHA256SUMS -O /var/tmp/proxy_SHA256SUMS
 SHA256_AMD64_FROM_FILE=$(head -n 1 /var/tmp/proxy_SHA256SUMS | awk '{print $1}')
 SHA256_ARM64_FROM_FILE=$(sed -n '2p' /var/tmp/proxy_SHA256SUMS | awk '{print $1}')
 pushd /var/tmp
 sha256sum --ignore-missing --check /var/tmp/proxy_SHA256SUMS
 popd
-tar -xvzf /var/tmp/castai-cri-proxy-linux-${ARCH}.tar.gz -C /var/tmp/ cri-proxy
+tar -xvzf /var/tmp/castai-cri-proxy-linux-$ARCH.tar.gz -C /var/tmp/ cri-proxy
 chmod +x /var/tmp/cri-proxy
 
 cat <<EOF >/var/tmp/pre-install.yaml
 packages:
     cri-proxy:
-        downloadURL: ${CRI_URL}
+        downloadURL: $CRI_URL
         unpackDir: /usr/local/bin
         customUnpackLocations:
           cni-proxy: /opt/cni/bin/
         arch:
             amd64:
                 fileName: castai-cri-proxy-linux-amd64.tar.gz
-                sha256sum: ${SHA256_AMD64_FROM_FILE}
+                sha256sum: $SHA256_AMD64_FROM_FILE
             arm64:
                 fileName: castai-cri-proxy-linux-arm64.tar.gz
-                sha256sum: ${SHA256_ARM64_FROM_FILE}
+                sha256sum: $SHA256_ARM64_FROM_FILE
 EOF
-sudo /var/tmp/cri-proxy install --base-config=amazon-linux-2023 --config /var/tmp/pre-install.yaml --debug
+sudo /var/tmp/cri-proxy install --base-config=amazon-linux-2023 --config /var/tmp/pre-install.yaml --debug

examples/eks/eks_cluster_live_migration/module/castai/output.tf

@@ -0,0 +1,3 @@
+output "instance_profile_role_arn" {
+  value = module.castai-eks-role-iam.instance_profile_role_arn
+}