feat: Byoc op project (#9)

* feat: aws byoc op module

* feat: example to create byoc i project

Author: yellow-shine

examples/aws-project-byoc-i/main.tf

@@ -0,0 +1,73 @@
+data "zillizcloud_byoc_op_project_settings" "this" {
+  project_id    = var.project_id
+  data_plane_id = var.dataplane_id
+}
+
+
+module "aws_byoc_op" {
+  source     = "../../modules/aws_byoc_op"
+  aws_region = trimprefix(data.zillizcloud_byoc_op_project_settings.this.region, "aws-")
+
+  vpc_cidr            = var.vpc_cidr
+  enable_private_link = var.enable_private_link
+  eks_access_cidrs = [
+    "0.0.0.0/0"
+  ]
+  dataplane_id    = data.zillizcloud_byoc_op_project_settings.this.data_plane_id
+  k8s_node_groups = data.zillizcloud_byoc_op_project_settings.this.node_quotas
+  agent_config = {
+    auth_token = data.zillizcloud_byoc_op_project_settings.this.op_config.token
+    tag        = data.zillizcloud_byoc_op_project_settings.this.op_config.agent_image_url
+  }
+
+}
+
+resource "zillizcloud_byoc_op_project_agent" "this" {
+  project_id    = data.zillizcloud_byoc_op_project_settings.this.project_id
+  data_plane_id = data.zillizcloud_byoc_op_project_settings.this.data_plane_id
+}
+
+
+resource "zillizcloud_byoc_op_project" "this" {
+
+  lifecycle {
+    ignore_changes = [data_plane_id, project_id, aws, ext_config]
+
+  }
+
+  # required
+  data_plane_id = data.zillizcloud_byoc_op_project_settings.this.data_plane_id
+  # required
+  project_id = data.zillizcloud_byoc_op_project_settings.this.project_id
+  # required
+  ext_config = "ext_config"
+
+  aws = {
+    # option
+    region = data.zillizcloud_byoc_op_project_settings.this.region
+
+    # option
+    network = {
+      vpc_id             = module.aws_byoc_op.vpc_id
+      subnet_ids         = module.aws_byoc_op.private_subnet_ids
+      security_group_ids = [module.aws_byoc_op.security_group_id]
+      vpc_endpoint_id    = var.enable_private_link ? module.aws_byoc_op.byoc_endpoint : null
+    }
+    role_arn = {
+      storage       = module.aws_byoc_op.storage_role_arn
+      eks           = module.aws_byoc_op.eks_addon_role_arn
+      cross_account = module.aws_byoc_op.maintaince_role_arn
+    }
+    storage = {
+      bucket_id = module.aws_byoc_op.s3_bucket_ids
+    }
+
+    instances = {
+      core_vm        = "m6i.2xlarge"
+      fundamental_vm = "m6i.2xlarge"
+      search_vm      = "m6i.2xlarge"
+    }
+  }
+
+  depends_on = [data.zillizcloud_byoc_op_project_settings.this, zillizcloud_byoc_op_project_agent.this, module.aws_byoc_op]
+}

examples/aws-project-byoc-i/provider.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_version = ">=1.6.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.82.1"
+      version = ">=5.20.0"
+    }
+    zillizcloud = {
+      source  = "zilliztech/zillizcloud"
+      version = "~> 0.3.6"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}
+
+provider "zillizcloud" {
+  host_address = "https://api.cloud-uat3.zilliz.com/v2"
+}

examples/aws-project-byoc-i/variables.tf

@@ -0,0 +1,30 @@
+variable "project_id" {
+  description = "The ID of the byoc project"
+  type        = string
+  nullable    = false
+}
+
+
+variable "dataplane_id" {
+  description = "The ID of the data plane"
+  type        = string
+  nullable    = false
+}
+
+variable "vpc_cidr" {
+  description = "The CIDR block for the customer VPC"
+  type        = string
+  nullable    = false
+
+  validation {
+    condition     = var.vpc_cidr != ""
+    error_message = "variable vpc_cidr cannot be empty."
+  }
+}
+
+variable "enable_private_link" {
+  description = "Enable private link for the byoc project"
+  type        = bool
+  default     = true
+}
+

modules/aws_byoc_op/cloud-agent/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: cloud-agent
+description: Cloud-agent for Zilliz BYOInfra
+
+type: application
+version: 0.0.1
+appVersion: "0.0.1"

modules/aws_byoc_op/cloud-agent/templates/cloud-agent-cm.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+data:
+  application.yml: |
+    server:
+      port: 9501
+      additionalPorts: 9502,9503
+    
+    byoc:
+      tunnel:
+        serverHost: {{ .Values.config.tunnel.serverHost }}
+        authToken: "{{ .Values.config.tunnel.authToken }}"
+        dataPlaneId: {{ .Values.config.tunnel.dataPlaneId }}
+
+    spring:
+      jackson:
+        mapper:
+          accept-case-insensitive-properties: true
+
+      profiles:
+        active: dev
+      application:
+        name: cloud-agent
+      
+kind: ConfigMap
+metadata:
+  name: cloud-agent
+  namespace: vdc

modules/aws_byoc_op/cloud-agent/templates/cloud-agent-deployment.yaml

@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    configmap.reloader.stakater.com/reload: cloud-agent
+  name: cloud-agent
+  namespace: vdc
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: vdc
+      app.kubernetes.io/name: cloud-agent
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: vdc
+        app.kubernetes.io/name: cloud-agent
+    spec:
+      containers:
+      - env:
+        - name: SPRING_CONFIG_LOCATION
+          value: file:///spring-config/application.yml
+        - name: BYOC_K8S_TOKEN
+          value: "{{  .Values.config.tunnel.k8sToken }}"
+        - name: BYOC_K8S_KEY
+          value: "{{ .Values.config.tunnel.authToken }}"
+        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: Always
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /cloud/check_healthy_db
+            port: 9501
+          initialDelaySeconds: 90
+          periodSeconds: 30
+          successThreshold: 1
+        name: cloud-agent
+        ports:
+        - containerPort: 9501
+        - containerPort: 9502
+        - containerPort: 9503
+        - containerPort: 9504
+        readinessProbe:
+          httpGet:
+            path: /cloud/check_healthy_db
+            port: 9501
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2
+            memory: 2Gi
+          requests:
+            cpu: 1
+            memory: 1Gi
+        volumeMounts:
+        - mountPath: /spring-config
+          name: spring-config
+      nodeSelector:
+        node-role/vdc: "true"
+      tolerations:
+      - effect: NoExecute
+        key: node-role/vdc
+        operator: Equal
+        value: "true"
+      volumes:
+      - configMap:
+          name: cloud-agent
+        name: spring-config

modules/aws_byoc_op/cloud-agent/values.yaml

@@ -0,0 +1,10 @@
+image:
+  repository: ""
+  tag: ""
+
+config:
+  tunnel:
+    serverHost: ""
+    authToken: ""
+    dataPlaneId: ""
+    k8sToken: ""

modules/aws_byoc_op/conf.yaml

@@ -0,0 +1,7 @@
+vpce_service_ids:
+  us-west-2: vpce-svc-0dfdaa96b9114453c
+  eu-central-1: vpce-svc-0d5ce1ec4decbc7df 
+private_zone_name: byoc-uat.zillizcloud.com
+agent_config: 
+  server_host: zilliz-byoc-us.byoc-uat.zillizcloud.com
+  repository: 306787409409.dkr.ecr.us-west-2.amazonaws.com/zilliz-byoc/vdc/cloud-agent

modules/aws_byoc_op/data.tf

@@ -0,0 +1,34 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  config = yamldecode(file("${path.module}/conf.yaml"))
+  // available zones
+  azs = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  // auto-generate private subnets cidr
+  private_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 2, k)]
+  public_subnets  = [cidrsubnet(cidrsubnet(var.vpc_cidr, 2, 3), 6, 62)]
+  // security group ingress and egress rules
+  sg_egress_ports     = [443]
+  sg_ingress_protocol = ["tcp", "udp"]
+  sg_egress_protocol  = ["tcp", "udp"]
+
+  // eks output
+  eks_oidc_url = replace(aws_eks_cluster.zilliz_byoc_cluster.identity[0].oidc[0].issuer, "https://", "")
+  // bucket output
+  bucket_id = module.s3_bucket["milvus"].s3_bucket_id
+
+  // input parameters:
+  vpc_cidr = var.vpc_cidr
+  region       = var.aws_region
+  
+  dataplane_id = var.dataplane_id
+
+  // node groups
+
+  k8s_node_groups = var.k8s_node_groups
+
+  account_id = data.aws_caller_identity.current.account_id
+
+  
+}

modules/aws_byoc_op/eks.tf

@@ -0,0 +1,98 @@
+# aws_eks_cluster.my_cluster:
+resource "aws_eks_cluster" "zilliz_byoc_cluster" {
+  bootstrap_self_managed_addons = false
+  enabled_cluster_log_types = []
+  name = local.dataplane_id
+
+  role_arn = aws_iam_role.eks_role.arn
+  tags = {
+
+    "Vendor" = "zilliz-byoc"
+  }
+  tags_all = {
+
+    "Vendor" = "zilliz-byoc"
+  }
+  # version = "1.31"
+
+  access_config {
+    authentication_mode                         = "CONFIG_MAP"
+    bootstrap_cluster_creator_admin_permissions = true
+  }
+
+  # kubernetes_network_config {
+  #   ip_family         = "ipv4"
+  #   service_ipv4_cidr = "10.255.0.0/16"
+  # }
+
+  upgrade_policy {
+    support_type = "EXTENDED"
+  }
+
+  vpc_config {
+    endpoint_private_access = true
+    endpoint_public_access  = true
+    public_access_cidrs = var.eks_access_cidrs
+    security_group_ids = [
+      aws_security_group.zilliz_byoc_sg.id
+    ]
+    subnet_ids = module.vpc.private_subnets
+  }
+}
+
+
+# aws_eks_addon.kube-proxy:
+resource "aws_eks_addon" "kube-proxy" {
+  addon_name    = "kube-proxy"
+  # addon_version = "v1.27.6-eksbuild.2"
+  cluster_name  = local.dataplane_id
+
+  depends_on = [ aws_eks_cluster.zilliz_byoc_cluster ]
+  
+  tags = {
+
+    "Vendor" = "zilliz-byoc"
+  }
+  tags_all = {
+
+    "Vendor" = "zilliz-byoc"
+  }
+}
+
+# aws_eks_addon.vpc-cni:
+resource "aws_eks_addon" "vpc-cni" {
+  addon_name    = "vpc-cni"
+  # addon_version = "v1.15.3-eksbuild.1"
+  cluster_name  = local.dataplane_id
+  
+  depends_on = [ aws_eks_cluster.zilliz_byoc_cluster ]
+
+  tags = {
+
+    "Vendor" = "zilliz-byoc"
+  }
+  tags_all = {
+
+    "Vendor" = "zilliz-byoc"
+  }
+}
+
+data "aws_eks_cluster_auth" "example" {
+  name = aws_eks_cluster.zilliz_byoc_cluster.name
+}
+
+
+data "tls_certificate" "eks" {
+  url = aws_eks_cluster.zilliz_byoc_cluster.identity[0].oidc[0].issuer
+}
+
+resource "aws_iam_openid_connect_provider" "eks" {
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
+  url             = aws_eks_cluster.zilliz_byoc_cluster.identity[0].oidc[0].issuer
+
+  tags = {
+    "Vendor" = "zilliz-byoc"
+  }
+}
+