Commit
Shah Newaz Khan
committed
Oct 28, 2019
1 parent
516299b
commit 245aed5
Showing
14 changed files
with
667 additions
and
9 deletions.
@@ -0,0 +1,13 @@ | ||
package kubernetes | ||
|
||
import ( | ||
//"github.com/commitdev/commit0/util" | ||
|
||
"github.com/commitdev/commit0/config" | ||
"github.com/commitdev/commit0/templator" | ||
) | ||
|
||
func Generate(templator *templator.Templator, config *config.Commit0Config) { | ||
templator.Kubernetes.TemplateFiles(config, false) | ||
} | ||
|
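Review bot: The parameters of `Generate` are named `templator` and `config`, which shadow the two imported packages of the same name, so neither package is reachable inside the body; renaming them as `func Generate(t *templator.Templator, cfg *config.Commit0Config) {` avoids the collision. As an exported function it should also carry a doc comment starting with its name, e.g. `// Generate renders the Kubernetes templates for cfg via t.` The commented-out util import left above the import group should be dropped rather than kept as dead text. The literal `false` passed to TemplateFiles is unexplained; a short comment naming what that flag controls would help, though its meaning is not visible from this hunk.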
@@ -0,0 +1,29 @@ | ||
# EKS Terraform | ||
|
||
AWS Resources created: | ||
|
||
- EKS Cluster: AWS managed Kubernetes cluster of master servers | ||
- AutoScaling Group containing 2 m4.large instances based on the latest EKS Amazon Linux 2 AMI: Operator managed Kubernetes worker nodes for running Kubernetes service deployments | ||
- Associated VPC, Internet Gateway, Security Groups, and Subnets: Operator managed networking resources for the EKS Cluster and worker node instances | ||
- Associated IAM Roles and Policies: Operator managed access resources for EKS and worker node instances | ||
|
||
## Pre-requisites | ||
|
||
- Setup the [AWS credentials](https://www.terraform.io/docs/providers/aws/index.html#environment-variables) for terraform | ||
|
||
## Spin up cluster | ||
|
||
```shell | ||
|
||
terraform plan | ||
terraform apply | ||
|
||
``` | ||
|
||
### Connect to cluster | ||
The EKS service does not provide a cluster-level API parameter or resource to automatically configure the underlying Kubernetes cluster to allow worker nodes to join the cluster via AWS IAM role authentication. | ||
|
||
- Run `aws eks update-kubeconfig --name staging` to configure `kubectl` | ||
- Run `terraform output config_map_aws_auth` and save the configuration into a file, e.g. config_map_aws_auth.yaml | ||
- Run `kubectl apply -f config_map_aws_auth.yaml` | ||
- You can verify the worker nodes are joining the cluster via: `kubectl get nodes --watch` |
@@ -0,0 +1,87 @@ | ||
# | ||
# EKS Cluster Resources | ||
# * IAM Role to allow EKS service to manage other AWS services | ||
# * EC2 Security Group to allow networking traffic with EKS cluster | ||
# * EKS Cluster | ||
# | ||
|
||
resource "aws_iam_role" "demo-cluster" { | ||
name = "terraform-eks-demo-cluster" | ||
|
||
assume_role_policy = <<POLICY | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "eks.amazonaws.com" | ||
}, | ||
"Action": "sts:AssumeRole" | ||
} | ||
] | ||
} | ||
POLICY | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSClusterPolicy" { | ||
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" | ||
role = "${aws_iam_role.demo-cluster.name}" | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSServicePolicy" { | ||
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy" | ||
role = "${aws_iam_role.demo-cluster.name}" | ||
} | ||
|
||
resource "aws_security_group" "demo-cluster" { | ||
name = "terraform-eks-demo-cluster" | ||
description = "Cluster communication with worker nodes" | ||
vpc_id = "${aws_vpc.demo.id}" | ||
|
||
egress { | ||
from_port = 0 | ||
to_port = 0 | ||
protocol = "-1" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
|
||
tags = { | ||
Name = "terraform-eks-demo" | ||
} | ||
} | ||
|
||
resource "aws_security_group_rule" "demo-cluster-ingress-node-https" { | ||
description = "Allow pods to communicate with the cluster API Server" | ||
from_port = 443 | ||
protocol = "tcp" | ||
security_group_id = "${aws_security_group.demo-cluster.id}" | ||
source_security_group_id = "${aws_security_group.demo-node.id}" | ||
to_port = 443 | ||
type = "ingress" | ||
} | ||
|
||
resource "aws_security_group_rule" "demo-cluster-ingress-workstation-https" { | ||
cidr_blocks = ["${local.workstation-external-cidr}"] | ||
description = "Allow workstation to communicate with the cluster API Server" | ||
from_port = 443 | ||
protocol = "tcp" | ||
security_group_id = "${aws_security_group.demo-cluster.id}" | ||
to_port = 443 | ||
type = "ingress" | ||
} | ||
|
||
resource "aws_eks_cluster" "demo" { | ||
name = "${var.cluster-name}" | ||
role_arn = "${aws_iam_role.demo-cluster.arn}" | ||
|
||
vpc_config { | ||
security_group_ids = ["${aws_security_group.demo-cluster.id}"] | ||
subnet_ids = ["${aws_subnet.demo-0.id}","${aws_subnet.demo-1.id}"] | ||
} | ||
|
||
depends_on = [ | ||
"aws_iam_role_policy_attachment.demo-cluster-AmazonEKSClusterPolicy", | ||
"aws_iam_role_policy_attachment.demo-cluster-AmazonEKSServicePolicy", | ||
] | ||
} |
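Review bot: The `aws_eks_cluster.demo` resource enables no control-plane logging, so API, audit and authenticator events for the cluster are not retained anywhere; adding `enabled_cluster_log_types = ["api", "audit", "authenticator"]` next to `role_arn` gives operators a record of who called the API server. The IAM role and security group names are hard-coded as `terraform-eks-demo-cluster` while the cluster name comes from `var.cluster-name`, so a second cluster in the same account would collide on those names; deriving them from the variable keeps them consistent. The `"${...}"`-wrapped references and the quoted `depends_on` entries are Terraform 0.11 syntax that `terraform 0.12upgrade` rewrites to plain expressions. `local.workstation-external-cidr`, which opens 443 on the cluster security group, is defined outside this hunk, so its scope should be checked where it is declared.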
@@ -0,0 +1,145 @@ | ||
# | ||
# EKS Worker Nodes Resources | ||
# * IAM role allowing Kubernetes actions to access other AWS services | ||
# * EC2 Security Group to allow networking traffic | ||
# * Data source to fetch latest EKS worker AMI | ||
# * AutoScaling Launch Configuration to configure worker instances | ||
# * AutoScaling Group to launch worker instances | ||
# | ||
|
||
resource "aws_iam_role" "demo-node" { | ||
name = "terraform-eks-demo-node" | ||
|
||
assume_role_policy = <<POLICY | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "ec2.amazonaws.com" | ||
}, | ||
"Action": "sts:AssumeRole" | ||
} | ||
] | ||
} | ||
POLICY | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "demo-node-AmazonEKSWorkerNodePolicy" { | ||
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" | ||
role = "${aws_iam_role.demo-node.name}" | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "demo-node-AmazonEKS_CNI_Policy" { | ||
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" | ||
role = "${aws_iam_role.demo-node.name}" | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "demo-node-AmazonEC2ContainerRegistryReadOnly" { | ||
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" | ||
role = "${aws_iam_role.demo-node.name}" | ||
} | ||
|
||
resource "aws_iam_instance_profile" "demo-node" { | ||
name = "terraform-eks-demo" | ||
role = "${aws_iam_role.demo-node.name}" | ||
} | ||
|
||
resource "aws_security_group" "demo-node" { | ||
name = "terraform-eks-demo-node" | ||
description = "Security group for all nodes in the cluster" | ||
vpc_id = "${aws_vpc.demo.id}" | ||
|
||
egress { | ||
from_port = 0 | ||
to_port = 0 | ||
protocol = "-1" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
|
||
tags = "${ | ||
map( | ||
"Name", "terraform-eks-demo-node", | ||
"kubernetes.io/cluster/${var.cluster-name}", "owned", | ||
) | ||
}" | ||
} | ||
|
||
resource "aws_security_group_rule" "demo-node-ingress-self" { | ||
description = "Allow node to communicate with each other" | ||
from_port = 0 | ||
protocol = "-1" | ||
security_group_id = "${aws_security_group.demo-node.id}" | ||
source_security_group_id = "${aws_security_group.demo-node.id}" | ||
to_port = 65535 | ||
type = "ingress" | ||
} | ||
|
||
resource "aws_security_group_rule" "demo-node-ingress-cluster" { | ||
description = "Allow worker Kubelets and pods to receive communication from the cluster control plane" | ||
from_port = 1025 | ||
protocol = "tcp" | ||
security_group_id = "${aws_security_group.demo-node.id}" | ||
source_security_group_id = "${aws_security_group.demo-cluster.id}" | ||
to_port = 65535 | ||
type = "ingress" | ||
} | ||
|
||
data "aws_ami" "eks-worker" { | ||
filter { | ||
name = "name" | ||
values = ["amazon-eks-node-${aws_eks_cluster.demo.version}-v*"] | ||
} | ||
|
||
most_recent = true | ||
owners = ["602401143452"] # Amazon EKS AMI Account ID | ||
} | ||
|
||
# EKS currently documents this required userdata for EKS worker nodes to | ||
# properly configure Kubernetes applications on the EC2 instance. | ||
# We utilize a Terraform local here to simplify Base64 encoding this | ||
# information into the AutoScaling Launch Configuration. | ||
# More information: https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html | ||
locals { | ||
demo-node-userdata = <<USERDATA | ||
#!/bin/bash | ||
set -o xtrace | ||
/etc/eks/bootstrap.sh --apiserver-endpoint '${aws_eks_cluster.demo.endpoint}' --b64-cluster-ca '${aws_eks_cluster.demo.certificate_authority.0.data}' '${var.cluster-name}' | ||
USERDATA | ||
} | ||
|
||
resource "aws_launch_configuration" "demo" { | ||
associate_public_ip_address = true | ||
iam_instance_profile = "${aws_iam_instance_profile.demo-node.name}" | ||
image_id = "${data.aws_ami.eks-worker.id}" | ||
instance_type = "m4.large" | ||
name_prefix = "terraform-eks-demo" | ||
security_groups = ["${aws_security_group.demo-node.id}"] | ||
user_data_base64 = "${base64encode(local.demo-node-userdata)}" | ||
|
||
lifecycle { | ||
create_before_destroy = true | ||
} | ||
} | ||
|
||
resource "aws_autoscaling_group" "demo" { | ||
desired_capacity = 2 | ||
launch_configuration = "${aws_launch_configuration.demo.id}" | ||
max_size = 2 | ||
min_size = 1 | ||
name = "terraform-eks-demo" | ||
vpc_zone_identifier = ["${aws_subnet.demo-0.id}","${aws_subnet.demo-1.id}"] | ||
|
||
tag { | ||
key = "Name" | ||
value = "terraform-eks-demo" | ||
propagate_at_launch = true | ||
} | ||
|
||
tag { | ||
key = "kubernetes.io/cluster/${var.cluster-name}" | ||
value = "owned" | ||
propagate_at_launch = true | ||
} | ||
} |
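Review bot: Every worker launched from `aws_launch_configuration.demo` receives a public IP because of `associate_public_ip_address = true`; the node security group shown only admits traffic from itself and the cluster security group, so no port is exposed by these rules, but the nodes need only outbound access, and placing them in private subnets behind a NAT gateway (dropping that flag) removes the public address entirely — the subnet definitions are outside this hunk, so confirm which kind `aws_subnet.demo-0`/`demo-1` are. The same hard-coded `terraform-eks-demo*` naming problem noted for the cluster file applies to the role, instance profile, security group and autoscaling group here. `set -o xtrace` in the userdata echoes the full bootstrap command, including the cluster CA data, into the instance console log; those values are not secrets, but trace output in userdata is a habit worth dropping before anything sensitive is ever added to it.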