A collection of Terraform modules for deploying and managing a comprehensive Kubernetes platform with essential services and tools.
- Karpenter: Kubernetes Node Autoscaling
- External DNS: DNS Records Management
- Cert Manager: Certificate Management
- External Secrets: Secrets Management
- Istio: Service Mesh
- Kong Gateway: API Gateway
- Jaeger: Distributed Tracing
- Vault: Secrets Management
- Loki Stack: Log Aggregation
- Kubecost: Cost Management
- ArgoCD: GitOps & Deployment Management
- Terraform >= 1.5.0
- Kubernetes cluster (tested with EKS)
- kubectl configured to access your cluster
- Helm 3.x
- AWS CLI configured (if using AWS services)
```mermaid
graph TB
    subgraph External["External Access"]
        DNS[External DNS]
        KongGW[Kong Gateway]
    end
    subgraph Security["Security & Identity"]
        Cert[Cert Manager]
        Vault[HashiCorp Vault]
        ExtSecrets[External Secrets]
    end
    subgraph ServiceMesh["Service Mesh"]
        Istio[Istio Control Plane]
        IstioDP[Istio Data Plane]
        Jaeger[Jaeger Tracing]
    end
    subgraph Observability["Observability Stack"]
        Loki[Loki Stack]
        Kubecost[Kubecost]
    end
    subgraph Automation["Platform Automation"]
        ArgoCD[ArgoCD]
        Atlantis[Atlantis]
        Airflow[Apache Airflow]
    end
    subgraph Infrastructure["Infrastructure Management"]
        Karpenter[Karpenter]
    end

    %% External Access connections
    DNS --> KongGW
    KongGW --> Istio

    %% Security connections
    Cert --> KongGW
    Cert --> Istio
    Vault --> ExtSecrets
    ExtSecrets --> ArgoCD

    %% Service Mesh connections
    Istio --> IstioDP
    IstioDP --> Jaeger

    %% Observability connections
    IstioDP --> Loki
    Kubecost --> Karpenter

    %% Automation connections
    ArgoCD --> IstioDP
    Atlantis --> Infrastructure

    %% Infrastructure connections
    Karpenter --> Infrastructure

    classDef default fill:#f9f9f9,stroke:#333,stroke-width:2px;
    classDef highlight fill:#e8f4ea,stroke:#45b164,stroke-width:2px;
```
This diagram shows the high-level architecture of the platform, including:
- External access layer (Kong, External DNS)
- Security components (Cert Manager, Vault)
- Service mesh (Istio, Jaeger)
- Observability stack (Loki, Kubecost)
- Automation tools (ArgoCD, Atlantis, Airflow)
- Infrastructure management (Karpenter)
```mermaid
flowchart LR
    subgraph Internet["External Traffic"]
        Client[Client]
    end
    subgraph IngressLayer["Ingress Layer"]
        DNS[External DNS]
        Cert[Cert Manager]
        Kong[Kong Gateway]
    end
    subgraph MeshLayer["Service Mesh Layer"]
        IstioGW[Istio Gateway]
        IstioCP[Istio Control Plane]
    end
    subgraph Services["Service Layer"]
        Service1[Service A]
        Service2[Service B]
        Service3[Service C]
    end
    subgraph Observability["Observability"]
        Jaeger
        Loki
    end

    Client --> DNS
    DNS --> Kong
    Cert --> Kong
    Kong --> IstioGW
    IstioGW --> IstioCP
    IstioCP --> Service1
    IstioCP --> Service2
    IstioCP --> Service3
    IstioCP -.-> Jaeger
    Service1 -.-> Loki
    Service2 -.-> Loki
    Service3 -.-> Loki

    classDef client fill:#f9f9f9,stroke:#333,stroke-width:2px;
    classDef ingress fill:#e8f4ea,stroke:#45b164,stroke-width:2px;
    classDef mesh fill:#e6f3ff,stroke:#2d8cf0,stroke-width:2px;
    classDef service fill:#fff3e6,stroke:#ff9900,stroke-width:2px;
    classDef observability fill:#f9e6ff,stroke:#9900cc,stroke-width:2px;

    class Client client;
    class DNS,Kong,Cert ingress;
    class IstioGW,IstioCP mesh;
    class Service1,Service2,Service3 service;
    class Jaeger,Loki observability;
```
This diagram illustrates:
- External traffic flow
- Ingress configuration
- Service mesh routing
- Observability integration
```mermaid
flowchart TD
    subgraph GitOps["GitOps Workflow"]
        Git[Git Repository]
        ArgoCD[ArgoCD]
        Atlantis[Atlantis]
    end
    subgraph Secrets["Secrets Management"]
        Vault[HashiCorp Vault]
        ExtSecrets[External Secrets]
        SecretStore[Secret Store]
    end
    subgraph Config["Configuration"]
        Config1[Infrastructure Code]
        Config2[Application Config]
        Config3[Security Policies]
    end
    subgraph Platform["Platform Services"]
        Service1[Service A]
        Service2[Service B]
        Monitoring[Monitoring Stack]
    end

    Git --> ArgoCD
    Git --> Atlantis
    Atlantis --> Config1
    ArgoCD --> Config2
    ArgoCD --> Config3
    Vault --> ExtSecrets
    ExtSecrets --> SecretStore
    SecretStore --> Service1
    SecretStore --> Service2
    Service1 --> Monitoring
    Service2 --> Monitoring

    classDef git fill:#f9f9f9,stroke:#333,stroke-width:2px;
    classDef secrets fill:#e8f4ea,stroke:#45b164,stroke-width:2px;
    classDef config fill:#e6f3ff,stroke:#2d8cf0,stroke-width:2px;
    classDef services fill:#fff3e6,stroke:#ff9900,stroke-width:2px;

    class Git,ArgoCD,Atlantis git;
    class Vault,ExtSecrets,SecretStore secrets;
    class Config1,Config2,Config3 config;
    class Service1,Service2,Monitoring services;
```
This diagram shows:
- GitOps workflows
- Secrets management
- Configuration distribution
- Service integration
Each module follows a consistent structure:

```text
k8s-platform-<component>/
├── README.md        # Module documentation
├── main.tf          # Main Terraform configuration
├── variables.tf     # Input variables
├── outputs.tf       # Output values
├── versions.tf      # Provider & version constraints
├── examples/        # Example implementations
│   └── main.tf
└── templates/       # Helm values templates
    └── values.yaml
```
- Clone the repository:

  ```bash
  git clone https://github.com/cloudon-one/k8s-platform-modules.git
  ```

- Choose the modules you need and create your configuration:

  ```hcl
  module "cert_manager" {
    source = "./k8s-platform-cert-manager"
    # ... configuration ...
  }

  module "external_dns" {
    source = "./k8s-platform-external-dns"
    # ... configuration ...
  }

  # Add more modules as needed
  ```

Examples of individual module configurations:

```hcl
module "karpenter" {
  source       = "./k8s-platform-karpenter"
  cluster_name = "my-cluster"
}
```

```hcl
module "external_dns" {
  source = "./k8s-platform-external-dns"
  domain = "example.com"
}
```

```hcl
module "istio" {
  source            = "./k8s-platform-istio"
  enable_monitoring = true
}
```

```hcl
module "kong" {
  source                = "./k8s-platform-kong-gw"
  enable_proxy_protocol = true
}
```

```hcl
module "loki" {
  source         = "./k8s-platform-loki-stack"
  retention_days = 30
}
```

Each module has its own configuration options. Refer to the individual module's README.md for the full list.
```mermaid
graph TD
    A[Cert Manager] --> B[Istio]
    A --> C[Kong Gateway]
    D[External DNS] --> C
    E[External Secrets] --> F[Applications]
    B --> G[Jaeger]
    H[ArgoCD] --> I[Platform Services]
    J[Vault] --> E
```
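As an added example that is not part of the repository's README, the root configuration below composes the modules from the usage examples, pins the Terraform and provider versions to the compatibility table, and orders the modules the way the arrows in the graph above run (read here as deployment dependencies, which is an assumption). The `hashicorp/helm` and `hashicorp/kubernetes` provider names, the `vX.Y.Z` tag and the omitted provider configuration are assumptions as well.

```hcl
# Added example (not from the README): a root module composing the platform
# modules. Assumptions: the ">= 2.0.0" providers in the compatibility table are
# hashicorp/helm and hashicorp/kubernetes, the modules accept the inputs shown
# in the usage examples, and "vX.Y.Z" is a placeholder release tag.
terraform {
  required_version = ">= 1.5.0"
  required_providers {
    # "~> 2.0" satisfies the table's >= 2.0.0 while excluding a future 3.x.
    helm       = { source = "hashicorp/helm", version = "~> 2.0" }
    kubernetes = { source = "hashicorp/kubernetes", version = "~> 2.0" }
  }
}

# Consume the modules from an immutable git ref rather than a branch or a local
# checkout, so a plan cannot silently pick up unreviewed module changes.
locals {
  repo = "git::https://github.com/cloudon-one/k8s-platform-modules.git"
  ref  = "vX.Y.Z" # placeholder: the tag you reviewed
}

# Cert Manager issues the TLS certificates that Istio and Kong consume,
# so it is created first.
module "cert_manager" {
  source = "${local.repo}//k8s-platform-cert-manager?ref=${local.ref}"
}

module "external_dns" {
  source = "${local.repo}//k8s-platform-external-dns?ref=${local.ref}"
  domain = "example.com"
}

module "istio" {
  source            = "${local.repo}//k8s-platform-istio?ref=${local.ref}"
  enable_monitoring = true
  depends_on        = [module.cert_manager]
}

# Kong needs both a certificate and a DNS record for its public endpoint.
module "kong" {
  source                = "${local.repo}//k8s-platform-kong-gw?ref=${local.ref}"
  enable_proxy_protocol = true
  depends_on            = [module.cert_manager, module.external_dns]
}

module "karpenter" {
  source       = "${local.repo}//k8s-platform-karpenter?ref=${local.ref}"
  cluster_name = "my-cluster"
}
```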
- HTTPS enabled by default
- RBAC configurations included
- Network policies defined
- Security context constraints
- Service mesh security
- Prometheus metrics exposed
- Grafana dashboards included
- Tracing with Jaeger
- Logging with Loki
- Cost monitoring with Kubecost
- Fork the repository
- Create your feature branch
- Commit your changes
- Create a pull request
- All secrets are managed through external-secrets
- TLS certificates are managed by cert-manager
- Network policies are enforced through Istio
- Regular security scanning with built-in tools
- Update component versions
- Review resource utilization
- Monitor costs with Kubecost
- Backup critical configurations
Update component versions in the respective terragrunt.hcl files:

```hcl
inputs = {
  chart_version = "x.y.z"
}
```

For issues and support:
- Check existing issues
- Create a new issue with:
  - Environment details
  - Error messages
  - Steps to reproduce
This project is licensed under the MIT License - see the LICENSE file for details.
- Infrastructure as Code
  - Use GitOps workflows
  - Implement proper state management
  - Version your infrastructure code
- Security
  - Enable RBAC
  - Use network policies
  - Implement secret management
  - Enable service mesh security features
- Monitoring
  - Set up proper alerting
  - Implement logging
  - Enable tracing
  - Monitor costs
- Scalability
  - Use node autoscaling
  - Implement pod autoscaling
  - Configure proper resource requests/limits
Each module contains its own detailed README with:
- Configuration options
- Example usage
- Common pitfalls
- Troubleshooting guide
For support, please open an issue in the repository.
| Module | Kubernetes Version | Terraform Version | Provider Version |
|---|---|---|---|
| ArgoCD | >=1.24 | >=1.0.0 | >=2.0.0 |
| Istio | >=1.24 | >=1.0.0 | >=2.0.0 |
| Cert Manager | >=1.24 | >=1.0.0 | >=2.0.0 |
| Kong Gateway | >=1.24 | >=1.0.0 | >=2.0.0 |
| External DNS | >=1.24 | >=1.0.0 | >=2.0.0 |
| Vault | >=1.24 | >=1.0.0 | >=2.0.0 |
Please refer to individual module READMEs for specific upgrade instructions.