xpk/terraform-aws-eks
1
0
Fork 0
mirror of https://github.com/terraform-aws-modules/terraform-aws-eks.git synced 2025-09-09 19:32:58 +08:00
Code Activity

fix: Rebuild examples (#1625)

Browse Source
This commit is contained in:
Dawid Rogaczewski
2021-10-12 15:20:14 +02:00
committed by GitHub
parent 54a5f1e42b
commit 99d289988d
45 changed files with 1281 additions and 708 deletions
Download Patch File Download Diff File Expand all files Collapse all files
examples/irsa/README.md
+49 -44
View File
@@ -2,64 +2,69 @@
This example shows how to create an IAM role to be used for a Kubernetes `ServiceAccount`. It will create a policy and role to be used by the [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler) using the [public Helm chart](https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler).
The AWS documentation for IRSA is here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
See [the official documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) for more details.
## Setup
## Usage
Run Terraform:
To run this example you need to execute:
```
terraform init
terraform apply
```bash
$ terraform init
$ terraform plan
$ terraform apply
```
Set kubectl context to the new cluster: `export KUBECONFIG=kubeconfig_test-eks-irsa`
Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
Check that there is a node that is `Ready`:
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
```
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-10-0-2-190.us-west-2.compute.internal Ready <none> 6m39s v1.14.8-eks-b8860f
```
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.22.0 |
| <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 2.0 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~> 2.0 |
| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.4 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.1 |
Replace `<ACCOUNT ID>` with your AWS account ID in `cluster-autoscaler-chart-values.yaml`. There is output from terraform for this.
## Providers
Install the chart using the provided values file:
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.22.0 |
| <a name="provider_helm"></a> [helm](#provider\_helm) | ~> 2.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.1 |
```
$ helm repo add autoscaler https://kubernetes.github.io/autoscaler
$ helm repo update
$ helm install cluster-autoscaler --namespace kube-system autoscaler/cluster-autoscaler --values cluster-autoscaler-chart-values.yaml
```
## Modules
## Verify
| Name | Source | Version |
|------|--------|---------|
| <a name="module_eks"></a> [eks](#module\_eks) | ../.. | |
| <a name="module_iam_assumable_role_admin"></a> [iam\_assumable\_role\_admin](#module\_iam\_assumable\_role\_admin) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 4.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
Ensure the cluster-autoscaler pod is running:
## Resources
```
$ kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster-autoscaler-chart"
NAME READY STATUS RESTARTS AGE
cluster-autoscaler-aws-cluster-autoscaler-chart-5545d4b97-9ztpm 1/1 Running 0 3m
```
| Name | Type |
|------|------|
| [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [helm_release.cluster-autoscaler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
| [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
Observe the `AWS_*` environment variables that were added to the pod automatically by EKS:
## Inputs
```
kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster-autoscaler-chart" -o yaml | grep -A3 AWS_ROLE_ARN
No inputs.
- name: AWS_ROLE_ARN
value: arn:aws:iam::xxxxxxxxx:role/cluster-autoscaler
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
```
## Outputs
Verify it is working by checking the logs, you should see that it has discovered the autoscaling group successfully:
```
kubectl --namespace=kube-system logs -l "app.kubernetes.io/name=aws-cluster-autoscaler-chart"
I0128 14:59:00.901513 1 auto_scaling_groups.go:354] Regenerating instance to ASG map for ASGs: [test-eks-irsa-worker-group-12020012814125354700000000e]
I0128 14:59:00.969875 1 auto_scaling_groups.go:138] Registering ASG test-eks-irsa-worker-group-12020012814125354700000000e
I0128 14:59:00.969906 1 aws_manager.go:263] Refreshed ASG list, next refresh after 2020-01-28 15:00:00.969901767 +0000 UTC m=+61.310501783
```
| Name | Description |
|------|-------------|
| <a name="output_aws_account_id"></a> [aws\_account\_id](#output\_aws\_account\_id) | IAM AWS account id |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
examples/irsa/cluster-autoscaler-chart-values.yaml
-14
View File
@@ -1,14 +0,0 @@
awsRegion: eu-west-1
rbac:
create: true
serviceAccount:
# This value should match local.k8s_service_account_name in locals.tf
name: cluster-autoscaler-aws-cluster-autoscaler-chart
annotations:
# This value should match the ARN of the role created by module.iam_assumable_role_admin in irsa.tf
eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT ID>:role/cluster-autoscaler"
autoDiscovery:
clusterName: test-eks-irsa
enabled: true
examples/irsa/irsa.tf
+57 -1
View File
@@ -1,6 +1,62 @@
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
locals {
k8s_service_account_namespace = "kube-system"
k8s_service_account_name = "cluster-autoscaler-aws"
}
provider "helm" {
kubernetes {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.cluster.token
}
}
resource "helm_release" "cluster-autoscaler" {
depends_on = [
module.eks
]
name = "cluster-autoscaler"
namespace = local.k8s_service_account_namespace
repository = "https://kubernetes.github.io/autoscaler"
chart = "cluster-autoscaler"
version = "9.10.7"
create_namespace = false
set {
name = "awsRegion"
value = data.aws_region.current.name
}
set {
name = "rbac.serviceAccount.name"
value = local.k8s_service_account_name
}
set {
name = "rbac.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
value = module.iam_assumable_role_admin.iam_role_arn
type = "string"
}
set {
name = "autoDiscovery.clusterName"
value = local.name
}
set {
name = "autoDiscovery.enabled"
value = "true"
}
set {
name = "rbac.create"
value = "true"
}
}
module "iam_assumable_role_admin" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "3.6.0"
version = "~> 4.0"
create_role = true
role_name = "cluster-autoscaler"
examples/irsa/locals.tf
-5
View File
@@ -1,5 +0,0 @@
locals {
cluster_name = "test-eks-irsa"
k8s_service_account_namespace = "kube-system"
k8s_service_account_name = "cluster-autoscaler-aws-cluster-autoscaler-chart"
}
examples/irsa/main.tf
+87 -37
View File
@@ -1,7 +1,62 @@
provider "aws" {
region = "eu-west-1"
region = local.region
}
locals {
name = "irsa-${random_string.suffix.result}"
cluster_version = "1.20"
region = "eu-west-1"
}
################################################################################
# EKS Module
################################################################################
module "eks" {
source = "../.."
cluster_name = local.name
cluster_version = local.cluster_version
vpc_id = module.vpc.vpc_id
subnets = module.vpc.private_subnets
cluster_endpoint_private_access = true
cluster_endpoint_public_access = true
enable_irsa = true
worker_groups = [
{
name = "worker-group-1"
instance_type = "t3.medium"
asg_desired_capacity = 1
asg_max_size = 4
tags = [
{
"key" = "k8s.io/cluster-autoscaler/enabled"
"propagate_at_launch" = "false"
"value" = "true"
},
{
"key" = "k8s.io/cluster-autoscaler/${local.name}"
"propagate_at_launch" = "false"
"value" = "owned"
}
]
}
]
tags = {
Example = local.name
GithubRepo = "terraform-aws-eks"
GithubOrg = "terraform-aws-modules"
}
}
################################################################################
# Kubernetes provider configuration
################################################################################
data "aws_eks_cluster" "cluster" {
name = module.eks.cluster_id
}
@@ -16,50 +71,45 @@ provider "kubernetes" {
token = data.aws_eks_cluster_auth.cluster.token
}
data "aws_availability_zones" "available" {}
################################################################################
# Supporting Resources
################################################################################
data "aws_caller_identity" "current" {}
data "aws_availability_zones" "available" {
}
resource "random_string" "suffix" {
length = 8
special = false
}
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "2.64.0"
name = "test-vpc"
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.0"
name = local.name
cidr = "10.0.0.0/16"
azs = data.aws_availability_zones.available.names
public_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
enable_nat_gateway = true
single_nat_gateway = true
enable_dns_hostnames = true
public_subnet_tags = {
"kubernetes.io/cluster/${local.cluster_name}" = "shared"
"kubernetes.io/role/elb" = "1"
"kubernetes.io/cluster/${local.name}" = "shared"
"kubernetes.io/role/elb" = "1"
}
private_subnet_tags = {
"kubernetes.io/cluster/${local.name}" = "shared"
"kubernetes.io/role/internal-elb" = "1"
}
tags = {
Example = local.name
GithubRepo = "terraform-aws-eks"
GithubOrg = "terraform-aws-modules"
}
}
module "eks" {
source = "../.."
cluster_name = local.cluster_name
cluster_version = "1.20"
subnets = module.vpc.public_subnets
vpc_id = module.vpc.vpc_id
enable_irsa = true
worker_groups = [
{
name = "worker-group-1"
instance_type = "t3.medium"
asg_desired_capacity = 1
tags = [
{
"key" = "k8s.io/cluster-autoscaler/enabled"
"propagate_at_launch" = "false"
"value" = "true"
},
{
"key" = "k8s.io/cluster-autoscaler/${local.cluster_name}"
"propagate_at_launch" = "false"
"value" = "owned"
}
]
}
]
}
examples/irsa/versions.tf
+2 -1
View File
@@ -5,6 +5,7 @@ terraform {
aws = ">= 3.22.0"
local = ">= 1.4"
random = ">= 2.1"
kubernetes = "~> 1.11"
kubernetes = "~> 2.0"
helm = "~> 2.0"
}
}