
Conversation


@jaitjacob jaitjacob commented Oct 7, 2025

This PR aims to put together an RA as per the specs in issue #27.

Briefly, it will provision a VPC, a NAT gateway, a DOKS cluster with the Routing Agent enabled, and a Droplet, such that all egress traffic originates from a single IP via NAT.

[image: nat-gateway]

Tasks:

  • visual overview (nat-gateway.png)
  • infra module: VPC, NAT Gateway, DOKS (with routing agent), Droplet
  • cloud-init config for Droplet
  • routes module: applies the Route CRD manifest to the cluster
  • Route CRD that overrides default route for cluster nodes to the NAT's gateway IP
  • detailed Readme.md
  • tests - I will stick to the bare minimum test (terraform plan runs without errors) because I can't think of any others for now.
  • Makefile? (I'm not sure I need this. I did read about Makefiles in Contrib.md.)
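As an added illustration of the architecture described above (this is not the PR's own module code, which is not shown on this page), the following Terraform sketch wires together the four resources that the later plan output names and applies the Route CRD that sends node traffic through the NAT gateway. Assumptions are marked in comments: the Route CRD's apiVersion and spec fields (destinations, gateways) are taken from the DigitalOcean routing-agent documentation as I remember it, the `one(...vpcs).gateway_ip` lookup assumes the `vpcs` block exposes the gateway's VPC address, and the cloud-init route command is one plausible way to repoint the Droplet's default route, not the PR's cloud-init file.

```hcl
terraform {
  required_providers {
    digitalocean = { source = "digitalocean/digitalocean" }
    kubernetes   = { source = "hashicorp/kubernetes" }
  }
}

variable "region" { default = "blr1" }

# VPC shared by the cluster, the Droplet and the NAT gateway.
resource "digitalocean_vpc" "this" {
  name     = "ra-nat-gateway-vpc"
  region   = var.region
  ip_range = "192.168.44.0/24"
}

# Public NAT gateway attached to the VPC. Its egress address is the single
# IP that upstream allowlists will see for every host routed through it.
resource "digitalocean_vpc_nat_gateway" "this" {
  name   = "nat-gateway"
  type   = "PUBLIC"
  region = var.region
  size   = 1
  vpcs {
    vpc_uuid = digitalocean_vpc.this.id
  }
}

# Assumption: the gateway's in-VPC address is exposed as vpcs[*].gateway_ip,
# as the plan output suggests; one() works whether vpcs is a list or a set.
locals {
  nat_gateway_ip = one(digitalocean_vpc_nat_gateway.this.vpcs).gateway_ip
}

# DOKS cluster with the routing agent enabled so the Route CRD is honoured.
resource "digitalocean_kubernetes_cluster" "this" {
  name     = "k8-cluster"
  region   = var.region
  version  = "latest"
  vpc_uuid = digitalocean_vpc.this.id

  routing_agent {
    enabled = true
  }

  node_pool {
    name       = "worker-pool"
    size       = "s-2vcpu-2gb"
    node_count = 2
  }
}

# Non-cluster host in the same VPC. The cloud-init below is an assumption
# (not the PR's file): it replaces the Droplet's default route with the
# NAT gateway's VPC address so the Droplet egresses via the same IP.
resource "digitalocean_droplet" "host" {
  name     = "non-k8-host-droplet"
  region   = var.region
  image    = "ubuntu-24-04-x64"
  size     = "s-1vcpu-512mb-10gb"
  vpc_uuid = digitalocean_vpc.this.id

  user_data = <<-EOT
    #cloud-config
    runcmd:
      - ip route replace default via ${local.nat_gateway_ip}
  EOT
}

# Talk to the new cluster with the credentials the DO provider returns.
provider "kubernetes" {
  host                   = digitalocean_kubernetes_cluster.this.endpoint
  token                  = digitalocean_kubernetes_cluster.this.kube_config[0].token
  cluster_ca_certificate = base64decode(digitalocean_kubernetes_cluster.this.kube_config[0].cluster_ca_certificate)
}

# Route CRD consumed by the routing agent: override the nodes' default
# route (0.0.0.0/0) to point at the NAT gateway. Assumption: apiVersion and
# spec field names follow the DigitalOcean routing-agent docs.
resource "kubernetes_manifest" "default_via_nat" {
  manifest = {
    apiVersion = "routing.digitalocean.com/v1alpha1"
    kind       = "Route"
    metadata   = { name = "default-via-nat-gateway" }
    spec = {
      destinations = ["0.0.0.0/0"]
      gateways     = [local.nat_gateway_ip]
    }
  }
}
```

Two practical notes. First, `kubernetes_manifest` needs a reachable cluster with the Route CRD already registered at plan time, which is why splitting the Route into a second module applied after the cluster exists (the routes module in the task list) is the workable layout; a single module will fail to plan on an empty state. Second, after apply, check the property the RA actually promises: run an outbound request from a pod (for example a `curl` to an IP-echo service) and from the Droplet, and confirm both report the NAT gateway's public egress address rather than a node or Droplet public IP. Replacing a Droplet's whole default route also changes the path for replies to its public interface, so verify inbound SSH still works, and follow DigitalOcean's NAT gateway guide for the exact route configuration on Droplets.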


jaitjacob commented Oct 9, 2025

Looks like cloud-init.yaml is supported by Ubuntu and CentOS distributions only. I will need to change my Droplet image attribute from Fedora to Ubuntu, similar to other RAs.

Ref: https://docs.digitalocean.com/products/droplets/how-to/provide-user-data/

@jaitjacob

terraform plan output:

1-infra> terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # digitalocean_droplet.non-k8-host-droplet will be created
  + resource "digitalocean_droplet" "non-k8-host-droplet" {
      + backups              = false
      + created_at           = (known after apply)
      + disk                 = (known after apply)
      + graceful_shutdown    = false
      + id                   = (known after apply)
      + image                = "ubuntu-24-04-x64"
      + ipv4_address         = (known after apply)
      + ipv4_address_private = (known after apply)
      + ipv6                 = false
      + ipv6_address         = (known after apply)
      + locked               = (known after apply)
      + memory               = (known after apply)
      + monitoring           = false
      + name                 = "non-k8-host-droplet"
      + price_hourly         = (known after apply)
      + price_monthly        = (known after apply)
      + private_networking   = (known after apply)
      + region               = (known after apply)
      + resize_disk          = true
      + size                 = "s-1vcpu-512mb-10gb"
      + status               = (known after apply)
      + urn                  = (known after apply)
      + user_data            = (known after apply)
      + vcpus                = (known after apply)
      + volume_ids           = (known after apply)
      + vpc_uuid             = (known after apply)
    }

  # digitalocean_kubernetes_cluster.k8-cluster will be created
  + resource "digitalocean_kubernetes_cluster" "k8-cluster" {
      + cluster_subnet                   = (known after apply)
      + created_at                       = (known after apply)
      + destroy_all_associated_resources = false
      + endpoint                         = (known after apply)
      + ha                               = false
      + id                               = (known after apply)
      + ipv4_address                     = (known after apply)
      + kube_config                      = (sensitive value)
      + name                             = "k8-cluster"
      + region                           = "blr1"
      + registry_integration             = false
      + service_subnet                   = (known after apply)
      + status                           = (known after apply)
      + surge_upgrade                    = true
      + updated_at                       = (known after apply)
      + urn                              = (known after apply)
      + version                          = "latest"
      + vpc_uuid                         = (known after apply)

      + amd_gpu_device_metrics_exporter_plugin (known after apply)

      + amd_gpu_device_plugin (known after apply)

      + control_plane_firewall (known after apply)

      + maintenance_policy (known after apply)

      + node_pool {
          + actual_node_count = (known after apply)
          + auto_scale        = false
          + id                = (known after apply)
          + name              = "worker-pool"
          + node_count        = 2
          + nodes             = (known after apply)
          + size              = "s-2vcpu-2gb"
        }

      + routing_agent {
          + enabled = true
        }
    }

  # digitalocean_vpc.ra-nat-gateway-vpc will be created
  + resource "digitalocean_vpc" "ra-nat-gateway-vpc" {
      + created_at = (known after apply)
      + default    = (known after apply)
      + id         = (known after apply)
      + ip_range   = "192.168.44.0/24"
      + name       = "ra-nat-gateway-vpc"
      + region     = "blr1"
      + urn        = (known after apply)
    }

  # digitalocean_vpc_nat_gateway.this will be created
  + resource "digitalocean_vpc_nat_gateway" "this" {
      + created_at           = (known after apply)
      + egresses             = (known after apply)
      + icmp_timeout_seconds = (known after apply)
      + id                   = (known after apply)
      + name                 = "nat-gateway"
      + region               = "blr1"
      + size                 = 1
      + state                = (known after apply)
      + tcp_timeout_seconds  = (known after apply)
      + type                 = "PUBLIC"
      + udp_timeout_seconds  = (known after apply)
      + updated_at           = (known after apply)

      + vpcs {
          + gateway_ip = (known after apply)
          + vpc_uuid   = (known after apply)
        }
    }

Plan: 4 to add, 0 to change, 0 to destroy.
