readme now has instructions for basic kubectl operation testing. locals map used to aid in userdata

.gitignore

@@ -7,5 +7,5 @@
 .kitchen.local.yml
 Gemfile.lock
 terraform.tfstate.d/
-config
+kubeconfig
 config-map-aws-auth.yaml

CHANGELOG.md

@@ -5,8 +5,9 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this
 project adheres to [Semantic Versioning](http://semver.org/).
 
-## [v0.1.0] - 2018-06-06
+## [v0.1.0] - 2018-06-07
 
 ### Added
 
 - Everything! Initial release of the module.
+- Kudos to @tanmng for finding and fixing bug #1.

README.md

@@ -47,6 +47,9 @@ This module has been packaged with [awspec](https://github.com/k1LoW/awspec) tes
 3. Ensure your AWS environment is configured (i.e. credentials and region) for test.
 4. Test using `bundle exec kitchen test` from the root of the repo.
 
+For now, connectivity to the kubernetes cluster is not tested but will be in the future.
+To test your kubectl connection manually, see the [eks_test_fixture README](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks_test_fixture/README.md).
+
 ## Doc generation
 
 Documentation should be modified within `main.tf` and generated using [terraform-docs](https://github.com/segmentio/terraform-docs).

data.tf

@@ -29,84 +29,3 @@ data "aws_iam_policy_document" "cluster_assume_role_policy" {
     }
   }
 }
-
-resource "null_resource" "tags_as_list_of_maps" {
-  count = "${length(keys(var.tags))}"
-
-  triggers = "${map(
-    "key", "${element(keys(var.tags), count.index)}",
-    "value", "${element(values(var.tags), count.index)}",
-    "propagate_at_launch", "true"
-  )}"
-}
-
-locals {
-  asg_tags = ["${null_resource.tags_as_list_of_maps.*.triggers}"]
-
-  # More information: https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-nodegroup.yaml
-  workers_userdata = <<USERDATA
-#!/bin/bash -xe
-
-CA_CERTIFICATE_DIRECTORY=/etc/kubernetes/pki
-CA_CERTIFICATE_FILE_PATH=$CA_CERTIFICATE_DIRECTORY/ca.crt
-mkdir -p $CA_CERTIFICATE_DIRECTORY
-echo "${aws_eks_cluster.this.certificate_authority.0.data}" | base64 -d >  $CA_CERTIFICATE_FILE_PATH
-INTERNAL_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
-sed -i s,MASTER_ENDPOINT,${aws_eks_cluster.this.endpoint},g /var/lib/kubelet/kubeconfig
-sed -i s,CLUSTER_NAME,${var.cluster_name},g /var/lib/kubelet/kubeconfig
-sed -i s,REGION,${data.aws_region.current.name},g /etc/systemd/system/kubelet.service
-sed -i s,MAX_PODS,20,g /etc/systemd/system/kubelet.service
-sed -i s,MASTER_ENDPOINT,${aws_eks_cluster.this.endpoint},g /etc/systemd/system/kubelet.service
-sed -i s,INTERNAL_IP,$INTERNAL_IP,g /etc/systemd/system/kubelet.service
-DNS_CLUSTER_IP=10.100.0.10
-if [[ $INTERNAL_IP == 10.* ]] ; then DNS_CLUSTER_IP=172.20.0.10; fi
-sed -i s,DNS_CLUSTER_IP,$DNS_CLUSTER_IP,g /etc/systemd/system/kubelet.service
-sed -i s,CERTIFICATE_AUTHORITY_FILE,$CA_CERTIFICATE_FILE_PATH,g /var/lib/kubelet/kubeconfig
-sed -i s,CLIENT_CA_FILE,$CA_CERTIFICATE_FILE_PATH,g  /etc/systemd/system/kubelet.service
-systemctl daemon-reload
-systemctl restart kubelet kube-proxy
-USERDATA
-
-  config_map_aws_auth = <<CONFIGMAPAWSAUTH
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: aws-auth
-  namespace: kube-system
-data:
-  mapRoles: |
-    - rolearn: ${aws_iam_role.workers.arn}
-      username: system:node:{{EC2PrivateDNSName}}
-      groups:
-        - system:bootstrappers
-        - system:nodes
-CONFIGMAPAWSAUTH
-
-  kubeconfig = <<KUBECONFIG
-
-apiVersion: v1
-clusters:
-- cluster:
-    server: ${aws_eks_cluster.this.endpoint}
-    certificate-authority-data: ${aws_eks_cluster.this.certificate_authority.0.data}
-  name: kubernetes
-contexts:
-- context:
-    cluster: kubernetes
-    user: aws
-  name: aws
-current-context: aws
-kind: Config
-preferences: {}
-users:
-- name: aws
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1alpha1
-      command: heptio-authenticator-aws
-      args:
-        - "token"
-        - "-i"
-        - "${var.cluster_name}"
-KUBECONFIG
-}

examples/eks_test_fixture/README.md

@@ -6,6 +6,19 @@ This set of templates serves a few purposes. It:
 2.  serves as the test infrastructure for CI on the project.
 3.  provides a simple way to play with the Kubernetes cluster you create.
 
+## testing with kubectl
+
+Once converged, `kubeconfig` and `config-map-aws-auth.yml` should be in this directory.
+Ensure you have a recent version of `kubectl` on your PATH ([instructions here](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl))
+
+```bash
+curl -o heptio-authenticator-aws https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/bin/darwin/amd64/heptio-authenticator-aws
+mv heptio-authenticator-aws ~/go/bin/
+kubectl apply -f examples/eks_test_fixture/config-map-aws-auth.yaml --kubeconfig examples/eks_test_fixture/kubeconfig
+# configmap "aws-auth" created
+kubectl get nodes --watch --kubeconfig examples/eks_test_fixture/kubeconfig
+```
+
 ## IAM Permissions
 
 The following IAM policy is the minimum needed to execute the module from the test suite.

examples/eks_test_fixture/main.tf

@@ -46,9 +46,9 @@ resource "random_string" "suffix" {
   special = false
 }
 
-resource "local_file" "config" {
+resource "local_file" "kubeconfig" {
   content  = "${module.eks.kubeconfig}"
-  filename = "${path.module}/config"
+  filename = "${path.module}/kubeconfig"
 }
 
 resource "local_file" "config-map-aws-auth" {
@@ -77,5 +77,5 @@ module "eks" {
   vpc_id                = "${module.vpc.vpc_id}"
   workers_ami_id        = "${data.aws_ami.eks_worker.id}"
   cluster_ingress_cidrs = ["${local.workstation_external_cidr}"]
-  workers_instance_type = "t2.micro"
+  workers_instance_type = "t2.small"
 }

local.tf

@@ -0,0 +1,130 @@
+locals {
+  # Mapping from the node type that we selected and the max number of pods that it can run
+  # Taken from https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-nodegroup.yaml
+  max_pod_per_node = {
+    c4.large    = 29
+    c4.xlarge   = 58
+    c4.2xlarge  = 58
+    c4.4xlarge  = 234
+    c4.8xlarge  = 234
+    c5.large    = 29
+    c5.xlarge   = 58
+    c5.2xlarge  = 58
+    c5.4xlarge  = 234
+    c5.9xlarge  = 234
+    c5.18xlarge = 737
+    i3.large    = 29
+    i3.xlarge   = 58
+    i3.2xlarge  = 58
+    i3.4xlarge  = 234
+    i3.8xlarge  = 234
+    i3.16xlarge = 737
+    m3.medium   = 12
+    m3.large    = 29
+    m3.xlarge   = 58
+    m3.2xlarge  = 118
+    m4.large    = 20
+    m4.xlarge   = 58
+    m4.2xlarge  = 58
+    m4.4xlarge  = 234
+    m4.10xlarge = 234
+    m5.large    = 29
+    m5.xlarge   = 58
+    m5.2xlarge  = 58
+    m5.4xlarge  = 234
+    m5.12xlarge = 234
+    m5.24xlarge = 737
+    p2.xlarge   = 58
+    p2.8xlarge  = 234
+    p2.16xlarge = 234
+    p3.2xlarge  = 58
+    p3.8xlarge  = 234
+    p3.16xlarge = 234
+    r3.xlarge   = 58
+    r3.2xlarge  = 58
+    r3.4xlarge  = 234
+    r3.8xlarge  = 234
+    r4.large    = 29
+    r4.xlarge   = 58
+    r4.2xlarge  = 58
+    r4.4xlarge  = 234
+    r4.8xlarge  = 234
+    r4.16xlarge = 737
+    t2.small    = 8
+    t2.medium   = 17
+    t2.large    = 35
+    t2.xlarge   = 44
+    t2.2xlarge  = 44
+    x1.16xlarge = 234
+    x1.32xlarge = 234
+  }
+
+  asg_tags = ["${null_resource.tags_as_list_of_maps.*.triggers}"]
+
+  # More information: https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-nodegroup.yaml
+  workers_userdata = <<USERDATA
+#!/bin/bash -xe
+
+CA_CERTIFICATE_DIRECTORY=/etc/kubernetes/pki
+CA_CERTIFICATE_FILE_PATH=$CA_CERTIFICATE_DIRECTORY/ca.crt
+mkdir -p $CA_CERTIFICATE_DIRECTORY
+echo "${aws_eks_cluster.this.certificate_authority.0.data}" | base64 -d >  $CA_CERTIFICATE_FILE_PATH
+INTERNAL_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
+sed -i s,MASTER_ENDPOINT,${aws_eks_cluster.this.endpoint},g /var/lib/kubelet/kubeconfig
+sed -i s,CLUSTER_NAME,${var.cluster_name},g /var/lib/kubelet/kubeconfig
+sed -i s,REGION,${data.aws_region.current.name},g /etc/systemd/system/kubelet.service
+sed -i s,MAX_PODS,${lookup(local.max_pod_per_node, var.workers_instance_type)},g /etc/systemd/system/kubelet.service
+sed -i s,MASTER_ENDPOINT,${aws_eks_cluster.this.endpoint},g /etc/systemd/system/kubelet.service
+sed -i s,INTERNAL_IP,$INTERNAL_IP,g /etc/systemd/system/kubelet.service
+DNS_CLUSTER_IP=10.100.0.10
+if [[ $INTERNAL_IP == 10.* ]] ; then DNS_CLUSTER_IP=172.20.0.10; fi
+sed -i s,DNS_CLUSTER_IP,$DNS_CLUSTER_IP,g /etc/systemd/system/kubelet.service
+sed -i s,CERTIFICATE_AUTHORITY_FILE,$CA_CERTIFICATE_FILE_PATH,g /var/lib/kubelet/kubeconfig
+sed -i s,CLIENT_CA_FILE,$CA_CERTIFICATE_FILE_PATH,g  /etc/systemd/system/kubelet.service
+systemctl daemon-reload
+systemctl restart kubelet kube-proxy
+USERDATA
+
+  config_map_aws_auth = <<CONFIGMAPAWSAUTH
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: aws-auth
+  namespace: kube-system
+data:
+  mapRoles: |
+    - rolearn: ${aws_iam_role.workers.arn}
+      username: system:node:{{EC2PrivateDNSName}}
+      groups:
+        - system:bootstrappers
+        - system:nodes
+CONFIGMAPAWSAUTH
+
+  kubeconfig = <<KUBECONFIG
+
+apiVersion: v1
+clusters:
+- cluster:
+    server: ${aws_eks_cluster.this.endpoint}
+    certificate-authority-data: ${aws_eks_cluster.this.certificate_authority.0.data}
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: aws
+  name: aws
+current-context: aws
+kind: Config
+preferences: {}
+users:
+- name: aws
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1alpha1
+      command: heptio-authenticator-aws
+      args:
+        - "token"
+        - "-i"
+        - "${var.cluster_name}"
+KUBECONFIG
+}

main.tf

@@ -48,6 +48,9 @@
 * 3. Ensure your AWS environment is configured (i.e. credentials and region) for test.
 * 4. Test using `bundle exec kitchen test` from the root of the repo.
 
+For now, connectivity to the kubernetes cluster is not tested but will be in the future.
+To test your kubectl connection manually, see the [eks_test_fixture README](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks_test_fixture/README.md).
+
 * ## Doc generation
 
 * Documentation should be modified within `main.tf` and generated using [terraform-docs](https://github.com/segmentio/terraform-docs).

workers.tf

@@ -91,3 +91,13 @@ resource "aws_iam_role_policy_attachment" "workers_AmazonEC2ContainerRegistryRea
   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
   role       = "${aws_iam_role.workers.name}"
 }
+
+resource "null_resource" "tags_as_list_of_maps" {
+  count = "${length(keys(var.tags))}"
+
+  triggers = "${map(
+    "key", "${element(keys(var.tags), count.index)}",
+    "value", "${element(values(var.tags), count.index)}",
+    "propagate_at_launch", "true"
+  )}"
+}