From 911efd77aa980fed367f6375ce7722f32fa6d226 Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Fri, 1 Mar 2024 17:55:15 +0100
Subject: [PATCH 1/4] Add OIDC support for AWS Kubernetes cluster
---
 docs/install/kubernetes/aws.md | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/docs/install/kubernetes/aws.md b/docs/install/kubernetes/aws.md
index 4aed9e331..50c75d978 100644
--- a/docs/install/kubernetes/aws.md
+++ b/docs/install/kubernetes/aws.md
@@ -57,6 +57,9 @@ metadata:
 name: FlowFuse region: eu-west-1
+iam:
+ withOIDC: true
+
 nodeGroups: - name: management labels:
@@ -82,11 +85,6 @@ nodeGroups:
 allow: false ```
-Add OIDC provider for the Load Balancer and IAM roles
-```bash
-eksctl utils associate-iam-oidc-provider --cluster flowforge --approve
-```
-
 ## Ingress Controller ### Nginx Ingress
From 041dd8a47fc392dfeba36daf57d3317ca54df5df Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Fri, 1 Mar 2024 17:55:38 +0100
Subject: [PATCH 2/4] nginx values file name typo
---
 docs/install/kubernetes/aws.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/install/kubernetes/aws.md b/docs/install/kubernetes/aws.md
index 50c75d978..b6b76b9e5 100644
--- a/docs/install/kubernetes/aws.md
+++ b/docs/install/kubernetes/aws.md
@@ -91,7 +91,7 @@ nodeGroups:
 It is recommended to run the Nginx Ingress controller even on AWS EKS (The AWS ALB load balancer currently appears to only support up to 100 Ingress Targets which limits the number of Instance/Projects that can be run).
-Create a `nginx-values.ymal` file to pass the values to the nginx helm file.
+Create a `nginx-values.yaml` file to pass the values to the nginx helm file.
 You will need to replace the ARN for the SSL certificate created earlier
From f0b3232ecfa395cf91138881ba2be116abddadfa Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Fri, 1 Mar 2024 18:36:04 +0100
Subject: [PATCH 3/4] Make sure json output is set before pipe to `jq`
---
 docs/install/kubernetes/aws.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/install/kubernetes/aws.md b/docs/install/kubernetes/aws.md
index b6b76b9e5..d39437094 100644
--- a/docs/install/kubernetes/aws.md
+++ b/docs/install/kubernetes/aws.md
@@ -183,7 +183,7 @@ Request move to production from sandbox (need to include examples of emails bein
 ``` ```bash
-IAM_POLICY_ARN=$(aws iam create-policy --policy-name FlowForgeSendEmail --policy-document file://ses_policy.json | jq -r .Policy.Arn)
+IAM_POLICY_ARN=$(aws iam create-policy --policy-name FlowForgeSendEmail --policy-document file://ses_policy.json --output json | jq -r .Policy.Arn)
 ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) OIDC_PROVIDER=$(aws eks describe-cluster --name flowforge --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
From 38c1008930b869f770f84b76ea21cbb303f57a94 Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Fri, 1 Mar 2024 21:03:19 +0100
Subject: [PATCH 4/4] Update EKS cluster configuration
---
 docs/install/kubernetes/aws.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/docs/install/kubernetes/aws.md b/docs/install/kubernetes/aws.md
index d39437094..725cc4939 100644
--- a/docs/install/kubernetes/aws.md
+++ b/docs/install/kubernetes/aws.md
@@ -60,6 +60,10 @@ metadata:
 iam: withOIDC: true
+addons:
+ - name: aws-ebs-csi-driver
+ resolveConflicts: overwrite
+
 nodeGroups: - name: management labels:
@@ -71,7 +75,7 @@ nodeGroups:
 allow: false iam: withAddonPolicies:
- efs: true
+ ebs: true
 - name: instance labels: role: "projects"