From efecd2ed871bec6b6d9150d6ff0862ba63895769 Mon Sep 17 00:00:00 2001
From: Steve Davids
Date: Fri, 29 Jun 2018 18:39:22 -0400
Subject: [PATCH 1/5] Allowing a more configurable kubeconfig
---
 data.tf | 19 ++++++++++++++++++-
 templates/kubeconfig.tpl | 16 +++++++++-------
 variables.tf | 25 +++++++++++++++++++++++++
 3 files changed, 52 insertions(+), 8 deletions(-)
diff --git a/data.tf b/data.tf
index 9fe0727..76ebcad 100644
--- a/data.tf
+++ b/data.tf
@@ -44,7 +44,7 @@ data "aws_iam_policy_document" "cluster_assume_role_policy" {
 }
 }
 
-data template_file kubeconfig {
+data "template_file" "kubeconfig" {
 template = "${file("${path.module}/templates/kubeconfig.tpl")}"
 
 vars {
@@ -52,6 +52,23 @@ data template_file kubeconfig {
 endpoint = "${aws_eks_cluster.this.endpoint}"
 region = "${data.aws_region.current.name}"
 cluster_auth_base64 = "${aws_eks_cluster.this.certificate_authority.0.data}"
+ context_name = "${var.kubeconfig_context_name}"
+ user_name = "${var.kubeconfig_user_name}"
+ aws_authenticator_command = "${var.kubeconfig_aws_authenticator_command}"
+ aws_authenticator_additional_args = "${length(var.kubeconfig_aws_authenticator_additional_args) > 0 ? " - ${join("\n - ", var.kubeconfig_aws_authenticator_additional_args)}" : "" }"
+ aws_authenticator_env_variables = "${length(var.kubeconfig_aws_authenticator_env_variables) > 0 ? " env:\n${join("\n", data.template_file.aws_authenticator_env_variables.*.rendered)}" : ""}"
+ }
+}
+
+data "template_file" "aws_authenticator_env_variables" {
+ template = < Date: Fri, 29 Jun 2018 18:41:14 -0400
Subject: [PATCH 2/5] Removed carriage return line endings.
---
 templates/config-map-aws-auth.yaml.tpl | 24 +++++------
 templates/kubeconfig.tpl | 56 +++++++++++++-------------
 2 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/templates/config-map-aws-auth.yaml.tpl b/templates/config-map-aws-auth.yaml.tpl
index e5bf4fa..746817f 100644
--- a/templates/config-map-aws-auth.yaml.tpl
+++ b/templates/config-map-aws-auth.yaml.tpl
@@ -1,12 +1,12 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: aws-auth
- namespace: kube-system
-data:
- mapRoles: |
- - rolearn: ${role_arn}
- username: system:node:{{EC2PrivateDNSName}}
- groups:
- - system:bootstrappers
- - system:nodes
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: aws-auth
+ namespace: kube-system
+data:
+ mapRoles: |
+ - rolearn: ${role_arn}
+ username: system:node:{{EC2PrivateDNSName}}
+ groups:
+ - system:bootstrappers
+ - system:nodes
diff --git a/templates/kubeconfig.tpl b/templates/kubeconfig.tpl
index 887484d..7babdb5 100644
--- a/templates/kubeconfig.tpl
+++ b/templates/kubeconfig.tpl
@@ -1,29 +1,29 @@
-apiVersion: v1
-preferences: {}
-kind: Config
-
-clusters:
-- cluster:
- server: ${endpoint}
- certificate-authority-data: ${cluster_auth_base64}
- name: ${cluster_name}
-
-contexts:
-- context:
- cluster: ${cluster_name}
- user: ${user_name}
- name: ${context_name}
-current-context: ${context_name}
-
-users:
-- name: ${user_name}
- user:
- exec:
- apiVersion: client.authentication.k8s.io/v1alpha1
- command: ${aws_authenticator_command}
- args:
- - "token"
- - "-i"
- - "${cluster_name}"
-${aws_authenticator_additional_args}
+apiVersion: v1
+preferences: {}
+kind: Config
+
+clusters:
+- cluster:
+ server: ${endpoint}
+ certificate-authority-data: ${cluster_auth_base64}
+ name: ${cluster_name}
+
+contexts:
+- context:
+ cluster: ${cluster_name}
+ user: ${user_name}
+ name: ${context_name}
+current-context: ${context_name}
+
+users:
+- name: ${user_name}
+ user:
+ exec:
+ apiVersion: client.authentication.k8s.io/v1alpha1
+ command: ${aws_authenticator_command}
+ args:
+ - "token"
+ - "-i"
+ - "${cluster_name}"
+${aws_authenticator_additional_args}
 ${aws_authenticator_env_variables}
\ No newline at end of file
From fddc353713fae6c082571c38e3743ed554bf7186 Mon Sep 17 00:00:00 2001
From: Steve Davids
Date: Fri, 29 Jun 2018 20:38:25 -0400
Subject: [PATCH 3/5] Updated documentation with new variables.
---
 README.md | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a17ff9d..e746908 100644
--- a/README.md
+++ b/README.md
@@ -96,7 +96,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | Name | Description | Type | Default | Required |
 | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :----: | :------: | :------: |
 | cluster_name | Name of the EKS cluster. Also used as a prefix in names of related resources. | string | - | yes |
-| cluster_security_group_id | If provided, the EKS cluster will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the workers and provide API access to your current IP/32. | string | `` | no |
+| cluster_security_group_id | If provided, the EKS cluster will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the workers and provide API access to your current IP/32. | string | `` | no |
 | cluster_version | Kubernetes version to use for the EKS cluster. | string | `1.10` | no |
 | config_output_path | Determines where config files are placed if using configure_kubectl_session and you want config files to land outside the current working directory. | string | `./` | no |
 | configure_kubectl_session | Configure the current session's kubectl to use the instantiated EKS cluster. | string | `true` | no |
@@ -104,9 +104,17 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | tags | A map of tags to add to all resources. | string | `` | no |
 | vpc_id | VPC where the cluster and workers will be deployed. | string | - | yes |
 | worker_groups | A list of maps defining worker group configurations. See workers_group_defaults for valid keys. | list | `` | no |
-| worker_security_group_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the EKS cluster. | string | `` | no |
+| worker_security_group_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the EKS cluster. | string | `` | no |
 | worker_sg_ingress_from_port | Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443). | string | `1025` | no |
 | workers_group_defaults | Default values for target groups as defined by the list of maps. | map | `` | no |
+| kubeconfig_context_name | Name of the kubeconfig context. | map | `aws` | no |
+| kubeconfig_user_name | Name of the kubeconfig user. | map | `aws` | no |
+| kubeconfig_aws_authenticator_command | Command to use to to fetch AWS EKS credentials | map | `heptio-authenticator-aws` | no |
+| kubeconfig_aws_authenticator_additional_args | Any additional arguments to pass to the authenticator such as the role to assume `["-r", "MyEksRole"]` | map | `` | no |
+| kubeconfig_aws_authenticator_env_variables | Environment variables that should be used when executing the authenticator i.e. `{ AWS_PROFILE = "eks"}` | map | `` | no |
+
+
+
 
 ## Outputs
 
From 34cf66b47d23772cea304cba9a5ecf50a9080cea Mon Sep 17 00:00:00 2001
From: Steve Davids
Date: Fri, 29 Jun 2018 20:49:40 -0400
Subject: [PATCH 4/5] Fixed terraform formatting
---
 data.tf | 16 +++++++++-------
 variables.tf | 10 +++++-----
 2 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/data.tf b/data.tf
index 76ebcad..c47075f 100644
--- a/data.tf
+++ b/data.tf
@@ -48,12 +48,12 @@ data "template_file" "kubeconfig" {
 template = "${file("${path.module}/templates/kubeconfig.tpl")}"
 
 vars {
- cluster_name = "${var.cluster_name}"
- endpoint = "${aws_eks_cluster.this.endpoint}"
- region = "${data.aws_region.current.name}"
- cluster_auth_base64 = "${aws_eks_cluster.this.certificate_authority.0.data}"
- context_name = "${var.kubeconfig_context_name}"
- user_name = "${var.kubeconfig_user_name}"
+ cluster_name = "${var.cluster_name}"
+ endpoint = "${aws_eks_cluster.this.endpoint}"
+ region = "${data.aws_region.current.name}"
+ cluster_auth_base64 = "${aws_eks_cluster.this.certificate_authority.0.data}"
+ context_name = "${var.kubeconfig_context_name}"
+ user_name = "${var.kubeconfig_user_name}"
 aws_authenticator_command = "${var.kubeconfig_aws_authenticator_command}"
 aws_authenticator_additional_args = "${length(var.kubeconfig_aws_authenticator_additional_args) > 0 ? " - ${join("\n - ", var.kubeconfig_aws_authenticator_additional_args)}" : "" }"
 aws_authenticator_env_variables = "${length(var.kubeconfig_aws_authenticator_env_variables) > 0 ? " env:\n${join("\n", data.template_file.aws_authenticator_env_variables.*.rendered)}" : ""}"
@@ -65,10 +65,12 @@ data "template_file" "aws_authenticator_env_variables" {
 - name: $${key}
 value: $${value}
 EOF
+
 count = "${length(var.kubeconfig_aws_authenticator_env_variables)}"
+
 vars {
 value = "${element(values(var.kubeconfig_aws_authenticator_env_variables), count.index)}"
- key = "${element(keys(var.kubeconfig_aws_authenticator_env_variables), count.index)}"
+ key = "${element(keys(var.kubeconfig_aws_authenticator_env_variables), count.index)}"
 }
 }
 
diff --git a/variables.tf b/variables.tf
index b8a9ee5..b8a3320 100644
--- a/variables.tf
+++ b/variables.tf
@@ -76,25 +76,25 @@ variable "worker_sg_ingress_from_port" {
 
 variable "kubeconfig_context_name" {
 description = "Name of the kubeconfig context."
- default = "aws"
+ default = "aws"
 }
 
 variable "kubeconfig_user_name" {
 description = "Name of the kubeconfig user."
- default = "aws"
+ default = "aws"
 }
 
 variable "kubeconfig_aws_authenticator_command" {
 description = "Command to use to to fetch AWS EKS credentials"
- default = "heptio-authenticator-aws"
+ default = "heptio-authenticator-aws"
 }
 
 variable "kubeconfig_aws_authenticator_additional_args" {
 description = "Any additional arguments to pass to the authenticator such as the role to assume [\"-r\", \"MyEksRole\"]"
- default = []
+ default = []
 }
 
 variable "kubeconfig_aws_authenticator_env_variables" {
 description = "Environment variables that should be used when executing the authenticator i.e. { AWS_PROFILE = \"eks\"}"
- default = {}
+ default = {}
 }
From e955c17bb54566daacf82943b2a8100003d253ba Mon Sep 17 00:00:00 2001
From: Steve Davids
Date: Fri, 29 Jun 2018 20:55:48 -0400
Subject: [PATCH 5/5] Removed extra whitespace.
---
 README.md | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/README.md b/README.md
index e746908..4e5994d 100644
--- a/README.md
+++ b/README.md
@@ -113,9 +113,6 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | kubeconfig_aws_authenticator_additional_args | Any additional arguments to pass to the authenticator such as the role to assume `["-r", "MyEksRole"]` | map | `` | no |
 | kubeconfig_aws_authenticator_env_variables | Environment variables that should be used when executing the authenticator i.e. `{ AWS_PROFILE = "eks"}` | map | `` | no |
-
-
-
 
 ## Outputs
 
 | Name | Description |