PolarSignals Agent Terraform
locals {
  // Single name shared by every Kubernetes object this module creates.
  name = "parca-agent"

  // Pinned by digest, not by tag, so the bytes that run are exactly the
  // ones reviewed; the human-readable version only travels in a label.
  image = "ghcr.io/parca-dev/parca-agent@${var.image_digest}"

  // Labels used to select the agent pods. Kept separate from `labels`
  // so the selector never carries the version label.
  selector_labels = {
    "app.kubernetes.io/name"      = local.name
    "app.kubernetes.io/instance"  = local.name
    "app.kubernetes.io/component" = "observability"
  }

  // Full label set: the selector labels plus the deployed version.
  labels = merge(
    local.selector_labels,
    { "app.kubernetes.io/version" = var.image_version },
  )
}
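// Namespace for the agent. The DaemonSet in this module runs a privileged
// container with host_pid, which the "baseline" and "restricted" Pod
// Security levels do not allow, so all three pod-security modes
// (audit, enforce, warn) are explicitly set to "privileged".
resource "kubernetes_namespace" "parca" {
  metadata {
    name = var.namespace

    // The comprehension already yields a map; the previous merge() of a
    // single argument was a no-op wrapper and has been dropped.
    labels = {
      for mode in ["audit", "enforce", "warn"] :
      "pod-security.kubernetes.io/${mode}" => "privileged"
    }
  }
}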
// Secret carrying the PolarSignals API token. The DaemonSet mounts it as a
// file (the "token" entry of var.volumes) and points the agent at it with
// --remote-store-bearer-token-file, so the value never sits in the pod spec
// or in an environment variable. As with any kubernetes_secret, the value
// is also recorded in Terraform state, so the state backend needs the same
// protection as the token itself.
resource "kubernetes_secret" "token" {
  metadata {
    namespace = kubernetes_namespace.parca.id
    name      = local.name
  }

  data = {
    "token" = var.token
  }
}
// Cluster-wide read access for the agent: list/watch pods and get nodes in
// the core API group. No write verbs are granted.
resource "kubernetes_cluster_role" "cluster_watcher" {
  metadata {
    labels = local.labels
    name   = local.name
  }

  // One rule block per entry, emitted in list order.
  dynamic "rule" {
    for_each = [
      { resources = ["pods"], verbs = ["list", "watch"] },
      { resources = ["nodes"], verbs = ["get"] },
    ]
    content {
      api_groups = [""]
      resources  = rule.value.resources
      verbs      = rule.value.verbs
    }
  }
}
// Binds the watcher ClusterRole to the agent's ServiceAccount. The subject
// is addressed by local.name, the same name the kubernetes_service_account
// resource uses.
resource "kubernetes_cluster_role_binding" "cluster_watcher" {
  metadata {
    labels = local.labels
    name   = local.name
  }

  subject {
    kind      = "ServiceAccount"
    namespace = kubernetes_namespace.parca.id
    name      = local.name
  }

  role_ref {
    kind      = "ClusterRole"
    api_group = "rbac.authorization.k8s.io"
    name      = kubernetes_cluster_role.cluster_watcher.metadata[0].name
  }
}
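// One agent pod per Linux node. The container runs privileged and shares
// the host PID namespace (presumably so the profiler can see host
// processes; confirm against the agent's docs), with a read-only root
// filesystem so every writable path has to be an explicit volume.
//
// Fix: the volume source flags (`empty`, `token`) are now compared by
// value. The previous `!= null` tests treated an explicit `false` as if
// it were `true`, e.g. `{ name = "x", empty = false }` produced an
// emptyDir instead of a hostPath.
resource "kubernetes_daemonset" "agent" {
  metadata {
    name      = local.name
    namespace = kubernetes_namespace.parca.id
    labels    = local.labels
  }

  spec {
    selector {
      match_labels = local.selector_labels
    }

    template {
      metadata {
        labels = local.labels
      }

      spec {
        host_pid             = true
        node_selector        = { "kubernetes.io/os" = "linux" }
        service_account_name = kubernetes_service_account.agent.metadata[0].name

        // Schedule onto every node, including tainted ones.
        dynamic "toleration" {
          for_each = ["NoSchedule", "NoExecute"]
          content {
            effect   = toleration.value
            operator = "Exists"
          }
        }

        container {
          name  = local.name
          image = local.image
          args = [
            "/bin/parca-agent",
            "--log-level=info",
            "--node=$(NODE_NAME)",
            "--remote-store-address=grpc.polarsignals.com:443",
            // Token is read from the Secret mounted by the "token" volume
            // entry of var.volumes, never from an env var or argument.
            "--remote-store-bearer-token-file=/var/parca-agent/token",
            "--debuginfo-strip",
            // The root filesystem is read-only, so /tmp must be backed by
            // a volume (the default var.volumes has an emptyDir "tmp").
            "--debuginfo-temp-dir=/tmp",
            "--debuginfo-upload-cache-duration=5m",
          ]

          env {
            name = "NODE_NAME"
            value_from {
              field_ref { field_path = "spec.nodeName" }
            }
          }

          port {
            name           = "http"
            container_port = 7071
          }

          liveness_probe {
            http_get {
              path = "/healthy"
              port = "http"
            }
          }

          readiness_probe {
            http_get {
              path = "/ready"
              port = "http"
            }
          }

          security_context {
            privileged                = true
            read_only_root_filesystem = true
          }

          // One mount per var.volumes entry; an unset `readOnly` means
          // writable, and an unset `path` mounts at "/<name>".
          dynamic "volume_mount" {
            for_each = var.volumes
            content {
              name       = volume_mount.value.name
              mount_path = coalesce(volume_mount.value.path, "/${volume_mount.value.name}")
              read_only  = coalesce(volume_mount.value.readOnly, false)
            }
          }
        }

        // One volume per var.volumes entry. Source selection:
        //   empty == true  -> emptyDir
        //   token == true  -> the token Secret
        //   otherwise      -> hostPath at `path` (or "/<name>")
        // `empty` and `token` are expected to be mutually exclusive.
        dynamic "volume" {
          for_each = var.volumes
          content {
            name = volume.value.name

            dynamic "empty_dir" {
              for_each = coalesce(volume.value.empty, false) ? [true] : []
              content {}
            }

            dynamic "secret" {
              for_each = coalesce(volume.value.token, false) ? [true] : []
              content { secret_name = kubernetes_secret.token.metadata[0].name }
            }

            dynamic "host_path" {
              for_each = !coalesce(volume.value.empty, false) && !coalesce(volume.value.token, false) ? [true] : []
              content { path = coalesce(volume.value.path, "/${volume.value.name}") }
            }
          }
        }
      }
    }
  }
}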
// ServiceAccount the agent pods run as. It is bound cluster-wide to the
// read-only watcher ClusterRole by kubernetes_cluster_role_binding.
resource "kubernetes_service_account" "agent" {
  metadata {
    labels    = local.labels
    namespace = kubernetes_namespace.parca.id
    name      = local.name
  }
}
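// Egress allow-list for the agent pods. With policy_types = ["Egress"]
// every outbound flow not listed here is denied, so the list has to cover
// everything the agent needs:
//   - the remote store at var.destination_cidr, restricted to TCP 443 to
//     match the hard-coded ":443" in the DaemonSet args;
//   - cluster DNS, which resolves "grpc.polarsignals.com". Without this
//     rule a NetworkPolicy-enforcing CNI blocks name resolution and the
//     agent can never reach the remote store.
resource "kubernetes_network_policy" "parca_agent" {
  metadata {
    name      = local.name
    namespace = kubernetes_namespace.parca.id
  }

  spec {
    pod_selector {
      match_labels = local.selector_labels
    }

    policy_types = ["Egress"]

    // Remote store: TCP 443 to the configured CIDR only.
    egress {
      ports {
        port     = "443"
        protocol = "TCP"
      }
      to {
        ip_block {
          cidr = var.destination_cidr
        }
      }
    }

    // Cluster DNS: port 53 (UDP and TCP) to the kube-dns/CoreDNS pods in
    // kube-system. namespace_selector and pod_selector in one `to` block
    // are ANDed, so this does not open the whole kube-system namespace.
    egress {
      ports {
        port     = "53"
        protocol = "UDP"
      }
      ports {
        port     = "53"
        protocol = "TCP"
      }
      to {
        namespace_selector {
          match_labels = { "kubernetes.io/metadata.name" = "kube-system" }
        }
        pod_selector {
          match_labels = { "k8s-app" = "kube-dns" }
        }
      }
    }
  }
}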
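terraform {
  // var.volumes uses optional() attributes in its object type, which only
  // exists from Terraform 1.3 on; state the floor so older CLIs fail with
  // a clear message instead of a parse error.
  required_version = ">= 1.3.0"

  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
      // Exact pin: provider upgrades are a deliberate change, not a side
      // effect of `terraform init`.
      version = "2.21.0"
    }
  }
}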
// Local development wiring: talk to the "minikube" context of the user's
// default kubeconfig. Point config_context elsewhere (or switch to
// in-cluster/exec auth) before using this against a real cluster.
provider "kubernetes" {
  config_context = "minikube"
  config_path    = "~/.kube/config"
}
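variable "token" {
  description = "Token used to authenticate to PolarSignals API"
  type        = string
  // Marked sensitive so the value is redacted from plan/apply output and
  // from anything derived from it; it still lands in state, which must be
  // protected separately.
  sensitive = true
}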
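variable "namespace" {
  description = "Namespace to deploy within cluster"
  type        = string
  default     = "profiling"

  // Kubernetes namespace names are DNS labels: lowercase alphanumerics and
  // '-', starting and ending alphanumeric, at most 63 characters. Catch a
  // bad value at plan time instead of at the API server.
  validation {
    condition     = can(regex("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", var.namespace)) && length(var.namespace) <= 63
    error_message = "namespace must be a valid DNS label (lowercase alphanumerics and '-', max 63 chars)."
  }
}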
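variable "image_version" {
  description = "Version of the PolarSignals agent to deploy"
  type        = string
  default     = "v0.20.0"

  // This value is only informational (it becomes the
  // app.kubernetes.io/version label; the image itself is pinned by
  // var.image_digest), so it must satisfy the label-value rules: at most
  // 63 characters of alphanumerics, '-', '_' and '.', starting and ending
  // alphanumeric.
  validation {
    condition     = can(regex("^[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?$", var.image_version)) && length(var.image_version) <= 63
    error_message = "image_version must be a valid Kubernetes label value (max 63 chars)."
  }
}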
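variable "image_digest" {
  description = "Digest of the PolarSignals image"
  type        = string
  default     = "sha256:f09c2b26a961e2a3ef1f7ec4f33a602e015dbe8548dfe2d43fb8bfffda893282"

  // The digest is what actually pins the image (local.image references it
  // with "@"), so reject anything that is not a full sha256 digest rather
  // than letting a tag or a truncated hash slip through.
  validation {
    condition     = can(regex("^sha256:[0-9a-f]{64}$", var.image_digest))
    error_message = "image_digest must be of the form sha256:<64 lowercase hex characters>."
  }
}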
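variable "destination_cidr" {
  description = "CIDR of the destination network"
  type        = string
  default     = "35.234.93.182/32"

  // Used verbatim as the ip_block of the egress NetworkPolicy; a malformed
  // value would only surface at apply time, so check it here.
  validation {
    condition     = can(cidrhost(var.destination_cidr, 0))
    error_message = "destination_cidr must be a valid CIDR block, e.g. 203.0.113.10/32."
  }
}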
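variable "volumes" {
  description = "Volumes used by the PolarSignals agent"
  // Each entry becomes one volume and one mount in the DaemonSet:
  //   name     - volume name; also the default mount path ("/<name>")
  //   path     - host path and mount path (defaults to "/<name>")
  //   token    - true: back the volume with the token Secret
  //   empty    - true: back the volume with an emptyDir
  //   readOnly - mount read-only (defaults to false)
  // When neither `token` nor `empty` is true the volume is a hostPath.
  type = list(object({
    name     = string
    path     = optional(string)
    token    = optional(bool)
    empty    = optional(bool)
    readOnly = optional(bool)
  }))
  default = [
    { name = "tmp", empty = true },
    { name = "run" },
    { name = "boot", readOnly = true },
    { name = "modules", path = "/lib/modules" },
    { name = "debugfs", path = "/sys/kernel/debug" },
    { name = "cgroup", path = "/sys/fs/cgroup" },
    { name = "bpffs", path = "/sys/fs/bpf" },
    { name = "dbus-system", path = "/var/run/dbus/system_bus_socket" },
    { name = "token", path = "/var/parca-agent", token = true },
  ]

  // Volume names must be unique within a pod.
  validation {
    condition     = length(distinct(var.volumes[*].name)) == length(var.volumes)
    error_message = "volume names must be unique."
  }

  // A volume has exactly one source; setting both flags would emit both an
  // emptyDir and a secret source for the same volume.
  validation {
    condition     = alltrue([for v in var.volumes : !(coalesce(v.empty, false) && coalesce(v.token, false))])
    error_message = "a volume cannot set both `empty` and `token`."
  }
}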