adding AWS LB controller to the default installation (#376)

Author: smarunich

modules/aws/k8s/main.tf

@@ -127,6 +127,27 @@ provider "kubernetes" {
   }
 }
 
+provider "helm" {
+  kubernetes {
+    host                   = module.eks.cluster_endpoint
+    cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+    exec {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "/bin/sh"
+      args        = ["-c", "for i in $(seq 1 30); do curl -s -k -f ${module.eks.cluster_endpoint}/healthz > /dev/null && break || sleep 10; done && aws eks --region ${data.aws_availability_zones.available.id} get-token --cluster-name ${var.cluster_name}"]
+    }
+  }
+}
+
+module "load_balancer_controller" {
+  source                           = "git::https://github.com/smarunich/terraform-aws-eks-lb-controller.git"
+  helm_chart_version               = var.lb_controller_helm_chart_version
+  cluster_identity_oidc_issuer     = module.eks.cluster_oidc_issuer_url
+  cluster_identity_oidc_issuer_arn = module.eks.oidc_provider_arn
+  cluster_name                     = var.cluster_name
+  settings                         = var.lb_controller_settings
+}
+
 resource "local_file" "gen_kubeconfig_sh" {
   content         = "eksctl utils write-kubeconfig --cluster ${var.cluster_name} --region ${data.aws_availability_zones.available.id} --kubeconfig ${var.cluster_name}-kubeconfig"
   filename        = "${var.output_path}/generate-${var.cluster_name}-kubeconfig.sh"

modules/aws/k8s/variables.tf

@@ -38,4 +38,12 @@ variable "output_path" {
 
 variable "tags" {
   type = map(any)
+}
+
+variable "lb_controller_helm_chart_version" {
+  default = "1.7.1"
+}
+
+variable "lb_controller_settings" {
+  default = { "controllerConfig" = { "featureGates" = { "SubnetsClusterTagCheck" : "false" } } }
 }

modules/tsb/mp/main.tf

@@ -81,6 +81,7 @@ resource "helm_release" "managementplane" {
     tsb_password = coalesce(var.tsb_password, random_password.tsb.result)
     tsb_org      = var.tsb_org
     tsb_fqdn     = var.tsb_fqdn
+    cloud        = can(regex("eks", var.k8s_host)) ? "aws" : "none"
   })]
   set {
     name  = "secrets.tsb.cert"

modules/tsb/mp/manifests/tsb/managementplane-values.yaml.tmpl

@@ -18,6 +18,14 @@ spec:
   components:
     frontEnvoy:
       port: 443
+%{ if cloud == "aws"}
+      kubeSpec:
+        service:
+          annotations:
+            service.beta.kubernetes.io/aws-load-balancer-type: external
+            service.beta.kubernetes.io/aws-load-balancer-attributes: "load_balancing.cross_zone.enabled=true"
+            service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+%{ endif }
     webUI:
       kubeSpec:
         overlays: