Add AKS Istio and Open service mesh support (#1878)

* add osm attribute

* add aks service_mesh_profile

* Add AKS with Istio example

Author: trapeznikov

.github/workflows/standalone-compute.json

@@ -26,6 +26,7 @@
     "compute/kubernetes_services/105-cluster-usermsi",
     "compute/kubernetes_services/107-agic-brownfield",
     "compute/kubernetes_services/108-single-cluster-remote-adgroup-admin",
+    "compute/kubernetes_services/109-single-cluster-istio",
     "compute/proximity_placement_group",
     "compute/virtual_machine_scale_set/100-linux-win-vmss-lb",
     "compute/virtual_machine_scale_set/101-linux-win-vmss-agw",

examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars

@@ -0,0 +1,94 @@
+preview_features = {
+  "Microsoft.ContainerService" = [
+    "AzureServiceMeshPreview"
+  ]
+}
+
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "australiaeast"
+  }
+}
+
+resource_groups = {
+  aks_re1 = {
+    name   = "aks-re1"
+    region = "region1"
+  }
+}
+
+aks_clusters = {
+  cluster_re1 = {
+    name               = "akscluster-re1-001"
+    resource_group_key = "aks_re1"
+    os_type            = "Linux"
+
+    identity = {
+      type = "SystemAssigned"
+    }
+
+    vnet_key = "spoke_aks_re1"
+
+    network_profile = {
+      network_plugin    = "azure"
+      load_balancer_sku = "standard"
+    }
+
+    # enable_rbac = true
+    role_based_access_control = {
+      enabled = true
+      azure_active_directory = {
+        managed = true
+      }
+    }
+
+    oms_agent = {
+      log_analytics_key = "central_logs_region1"
+    }
+
+    service_mesh_profile = {
+      internal_ingress_gateway_enabled = true
+      mode                             = "Istio"
+    }
+
+    # admin_groups = {
+    #   # ids = []
+    #   # azuread_groups = {
+    #   #   keys = []
+    #   # }
+    # }
+
+    load_balancer_profile = {
+      # Only one option can be set
+      managed_outbound_ip_count = 1
+    }
+
+    default_node_pool = {
+      name    = "sharedsvc"
+      vm_size = "Standard_F4s_v2"
+      #subnet_key            = "aks_nodepool_system"
+      subnet = {
+        key = "aks_nodepool_system"
+        #resource_id = "/subscriptions/97958dac-xxxx-xxxx-xxxx-9f436fa73bd4/resourceGroups/qxgc-rg-aks-re1/providers/Microsoft.Network/virtualNetworks/qxgc-vnet-aks/subnets/qxgc-snet-aks_nodepool_system"
+      }
+      enabled_auto_scaling  = false
+      enable_node_public_ip = false
+      max_pods              = 30
+      node_count            = 1
+      os_disk_size_gb       = 512
+      tags = {
+        "project" = "system services"
+      }
+    }
+
+    node_resource_group_name = "aks-nodes-re1"
+
+    addon_profile = {
+      azure_keyvault_secrets_provider = {
+        secret_rotation_enabled  = true
+        secret_rotation_interval = "2m"
+      }
+    }
+  }
+}

examples/compute/kubernetes_services/109-single-cluster-istio/diagnostics.tfvars

@@ -0,0 +1,7 @@
+diagnostic_log_analytics = {
+  central_logs_region1 = {
+    region             = "region1"
+    name               = "logs"
+    resource_group_key = "aks_re1"
+  }
+}

examples/compute/kubernetes_services/109-single-cluster-istio/networking.tfvars

@@ -0,0 +1,190 @@
+vnets = {
+  spoke_aks_re1 = {
+    resource_group_key = "aks_re1"
+    region             = "region1"
+    vnet = {
+      name          = "aks"
+      address_space = ["100.64.48.0/22"]
+    }
+    specialsubnets = {}
+    subnets = {
+      aks_nodepool_system = {
+        name    = "aks_nodepool_system"
+        cidr    = ["100.64.48.0/24"]
+        nsg_key = "azure_kubernetes_cluster_nsg"
+      }
+      aks_nodepool_user1 = {
+        name    = "aks_nodepool_user1"
+        cidr    = ["100.64.49.0/24"]
+        nsg_key = "azure_kubernetes_cluster_nsg"
+      }
+      aks_nodepool_user2 = {
+        name    = "aks_nodepool_user2"
+        cidr    = ["100.64.50.0/24"]
+        nsg_key = "azure_kubernetes_cluster_nsg"
+      }
+      AzureBastionSubnet = {
+        name    = "AzureBastionSubnet" #Must be called AzureBastionSubnet
+        cidr    = ["100.64.51.64/27"]
+        nsg_key = "azure_bastion_nsg"
+      }
+      private_endpoints = {
+        name                                           = "private_endpoints"
+        cidr                                           = ["100.64.51.0/27"]
+        enforce_private_link_endpoint_network_policies = true
+      }
+      jumpbox = {
+        name    = "jumpbox"
+        cidr    = ["100.64.51.128/27"]
+        nsg_key = "azure_bastion_nsg"
+      }
+    }
+
+  }
+}
+
+network_security_group_definition = {
+  # This entry is applied to all subnets with no NSG defined
+  empty_nsg = {}
+  azure_kubernetes_cluster_nsg = {
+    nsg = [
+      {
+        name                       = "aks-http-in-allow",
+        priority                   = "100"
+        direction                  = "Inbound"
+        access                     = "Allow"
+        protocol                   = "Tcp"
+        source_port_range          = "*"
+        destination_port_range     = "80"
+        source_address_prefix      = "*"
+        destination_address_prefix = "*"
+      },
+      {
+        name                       = "aks-https-in-allow",
+        priority                   = "110"
+        direction                  = "Inbound"
+        access                     = "Allow"
+        protocol                   = "Tcp"
+        source_port_range          = "*"
+        destination_port_range     = "443"
+        source_address_prefix      = "*"
+        destination_address_prefix = "*"
+      },
+      {
+        name                       = "aks-api-out-allow-1194",
+        priority                   = "100"
+        direction                  = "Outbound"
+        access                     = "Allow"
+        protocol                   = "Udp"
+        source_port_range          = "*"
+        destination_port_range     = "1194"
+        source_address_prefix      = "*"
+        destination_address_prefix = "AzureCloud"
+      },
+      {
+        name                       = "aks-api-out-allow-9000",
+        priority                   = "110"
+        direction                  = "Outbound"
+        access                     = "Allow"
+        protocol                   = "Tcp"
+        source_port_range          = "*"
+        destination_port_range     = "9000"
+        source_address_prefix      = "*"
+        destination_address_prefix = "AzureCloud"
+      },
+      {
+        name                       = "aks-ntp-out-allow",
+        priority                   = "120"
+        direction                  = "Outbound"
+        access                     = "Allow"
+        protocol                   = "Udp"
+        source_port_range          = "*"
+        destination_port_range     = "123"
+        source_address_prefix      = "*"
+        destination_address_prefix = "*"
+      },
+      {
+        name                       = "aks-https-out-allow-443",
+        priority                   = "130"
+        direction                  = "Outbound"
+        access                     = "Allow"
+        protocol                   = "Tcp"
+        source_port_range          = "*"
+        destination_port_range     = "443"
+        source_address_prefix      = "*"
+        destination_address_prefix = "*"
+      },
+    ]
+  }
+  azure_bastion_nsg = {
+
+    nsg = [
+      {
+        name                       = "bastion-in-allow",
+        priority                   = "100"
+        direction                  = "Inbound"
+        access                     = "Allow"
+        protocol                   = "Tcp"
+        source_port_range          = "*"
+        destination_port_range     = "443"
+        source_address_prefix      = "*"
+        destination_address_prefix = "*"
+      },
+      {
+        name                       = "bastion-control-in-allow-443",
+        priority                   = "120"
+        direction                  = "Inbound"
+        access                     = "Allow"
+        protocol                   = "Tcp"
+        source_port_range          = "*"
+        destination_port_range     = "135"
+        source_address_prefix      = "GatewayManager"
+        destination_address_prefix = "*"
+      },
+      {
+        name                       = "Kerberos-password-change",
+        priority                   = "121"
+        direction                  = "Inbound"
+        access                     = "Allow"
+        protocol                   = "Tcp"
+        source_port_range          = "*"
+        destination_port_range     = "4443"
+        source_address_prefix      = "GatewayManager"
+        destination_address_prefix = "*"
+      },
+      {
+        name                       = "bastion-vnet-out-allow-22",
+        priority                   = "103"
+        direction                  = "Outbound"
+        access                     = "Allow"
+        protocol                   = "Tcp"
+        source_port_range          = "*"
+        destination_port_range     = "22"
+        source_address_prefix      = "*"
+        destination_address_prefix = "VirtualNetwork"
+      },
+      {
+        name                       = "bastion-vnet-out-allow-3389",
+        priority                   = "101"
+        direction                  = "Outbound"
+        access                     = "Allow"
+        protocol                   = "Tcp"
+        source_port_range          = "*"
+        destination_port_range     = "3389"
+        source_address_prefix      = "*"
+        destination_address_prefix = "VirtualNetwork"
+      },
+      {
+        name                       = "bastion-azure-out-allow",
+        priority                   = "120"
+        direction                  = "Outbound"
+        access                     = "Allow"
+        protocol                   = "Tcp"
+        source_port_range          = "*"
+        destination_port_range     = "443"
+        source_address_prefix      = "*"
+        destination_address_prefix = "AzureCloud"
+      }
+    ]
+  }
+}

modules/compute/aks/aks.tf

@@ -169,7 +169,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
     for_each = try(var.settings.addon_profile.oms_agent[*], var.settings.oms_agent[*], {})
 
     content {
-      log_analytics_workspace_id = can(oms_agent.value.log_analytics_workspace_id) ? oms_agent.value.log_analytics_workspace_id : var.diagnostics.log_analytics[oms_agent.value.log_analytics_key].id
+      log_analytics_workspace_id      = can(oms_agent.value.log_analytics_workspace_id) ? oms_agent.value.log_analytics_workspace_id : var.diagnostics.log_analytics[oms_agent.value.log_analytics_key].id
       msi_auth_for_monitoring_enabled = try(oms_agent.value.msi_auth_for_monitoring_enabled, null)
     }
   }
@@ -349,8 +349,18 @@ resource "azurerm_kubernetes_cluster" "aks" {
     }
   }
 
+  dynamic "service_mesh_profile" {
+    for_each = try(var.settings.service_mesh_profile[*], {})
+    content {
+      mode                             = try(service_mesh_profile.value.mode, null)
+      internal_ingress_gateway_enabled = try(service_mesh_profile.value.internal_ingress_gateway_enabled, null)
+      external_ingress_gateway_enabled = try(service_mesh_profile.value.external_ingress_gateway_enabled, null)
+    }
+  }
+
   node_resource_group                 = azurecaf_name.rg_node.result
   oidc_issuer_enabled                 = try(var.settings.oidc_issuer_enabled, null)
+  open_service_mesh_enabled           = try(var.settings.open_service_mesh_enabled, null)
   private_cluster_enabled             = try(var.settings.private_cluster_enabled, null)
   private_dns_zone_id                 = try(var.private_dns_zone_id, null)
   private_cluster_public_fqdn_enabled = try(var.settings.private_cluster_public_fqdn_enabled, null)