github-mirrors/terraform-aws-eks
1
0
Fork 0
mirror of https://github.com/ysoftdevs/terraform-aws-eks.git synced 2026-04-26 10:28:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

readme now has instructions for basic kubectl operation testing. locals map used to aid in userdata

Browse Source
This commit is contained in:
brandoconnor
2018-06-07 02:52:43 -07:00
parent 9ed27801be
commit 67d2946b58
9 changed files with 165 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -7,5 +7,5 @@
.kitchen.local.yml .kitchen.local.yml
Gemfile.lock Gemfile.lock
terraform.tfstate.d/ terraform.tfstate.d/
config kubeconfig
config-map-aws-auth.yaml config-map-aws-auth.yaml

3
CHANGELOG.md
View File

@@ -5,8 +5,9 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/) and this The format is based on [Keep a Changelog](http://keepachangelog.com/) and this
project adheres to [Semantic Versioning](http://semver.org/). project adheres to [Semantic Versioning](http://semver.org/).
## [v0.1.0] - 2018-06-06 ## [v0.1.0] - 2018-06-07
### Added ### Added
- Everything! Initial release of the module. - Everything! Initial release of the module.
- Kudos to @tanmng for finding and fixing bug #1.

3
README.md
View File

@@ -47,6 +47,9 @@ This module has been packaged with [awspec](https://github.com/k1LoW/awspec) tes
3. Ensure your AWS environment is configured (i.e. credentials and region) for test. 3. Ensure your AWS environment is configured (i.e. credentials and region) for test.
4. Test using `bundle exec kitchen test` from the root of the repo. 4. Test using `bundle exec kitchen test` from the root of the repo.
For now, connectivity to the kubernetes cluster is not tested but will be in the future.
To test your kubectl connection manually, see the [eks_test_fixture README](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks_test_fixture/README.md).
## Doc generation ## Doc generation
Documentation should be modified within `main.tf` and generated using [terraform-docs](https://github.com/segmentio/terraform-docs). Documentation should be modified within `main.tf` and generated using [terraform-docs](https://github.com/segmentio/terraform-docs).

81
data.tf
View File

@@ -29,84 +29,3 @@ data "aws_iam_policy_document" "cluster_assume_role_policy" {
} }
} }
} }
resource "null_resource" "tags_as_list_of_maps" {
count = "${length(keys(var.tags))}"
triggers = "${map(
"key", "${element(keys(var.tags), count.index)}",
"value", "${element(values(var.tags), count.index)}",
"propagate_at_launch", "true"
)}"
}
locals {
asg_tags = ["${null_resource.tags_as_list_of_maps.*.triggers}"]
# More information: https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-nodegroup.yaml
workers_userdata = <<USERDATA
#!/bin/bash -xe
CA_CERTIFICATE_DIRECTORY=/etc/kubernetes/pki
CA_CERTIFICATE_FILE_PATH=$CA_CERTIFICATE_DIRECTORY/ca.crt
mkdir -p $CA_CERTIFICATE_DIRECTORY
echo "${aws_eks_cluster.this.certificate_authority.0.data}" | base64 -d > $CA_CERTIFICATE_FILE_PATH
INTERNAL_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
sed -i s,MASTER_ENDPOINT,${aws_eks_cluster.this.endpoint},g /var/lib/kubelet/kubeconfig
sed -i s,CLUSTER_NAME,${var.cluster_name},g /var/lib/kubelet/kubeconfig
sed -i s,REGION,${data.aws_region.current.name},g /etc/systemd/system/kubelet.service
sed -i s,MAX_PODS,20,g /etc/systemd/system/kubelet.service
sed -i s,MASTER_ENDPOINT,${aws_eks_cluster.this.endpoint},g /etc/systemd/system/kubelet.service
sed -i s,INTERNAL_IP,$INTERNAL_IP,g /etc/systemd/system/kubelet.service
DNS_CLUSTER_IP=10.100.0.10
if [[ $INTERNAL_IP == 10.* ]] ; then DNS_CLUSTER_IP=172.20.0.10; fi
sed -i s,DNS_CLUSTER_IP,$DNS_CLUSTER_IP,g /etc/systemd/system/kubelet.service
sed -i s,CERTIFICATE_AUTHORITY_FILE,$CA_CERTIFICATE_FILE_PATH,g /var/lib/kubelet/kubeconfig
sed -i s,CLIENT_CA_FILE,$CA_CERTIFICATE_FILE_PATH,g /etc/systemd/system/kubelet.service
systemctl daemon-reload
systemctl restart kubelet kube-proxy
USERDATA
config_map_aws_auth = <<CONFIGMAPAWSAUTH
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: ${aws_iam_role.workers.arn}
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
CONFIGMAPAWSAUTH
kubeconfig = <<KUBECONFIG
apiVersion: v1
clusters:
- cluster:
server: ${aws_eks_cluster.this.endpoint}
certificate-authority-data: ${aws_eks_cluster.this.certificate_authority.0.data}
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: aws
name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: heptio-authenticator-aws
args:
- "token"
- "-i"
- "${var.cluster_name}"
KUBECONFIG
}

13
examples/eks_test_fixture/README.md
View File

@@ -6,6 +6,19 @@ This set of templates serves a few purposes. It:
2. serves as the test infrastructure for CI on the project. 2. serves as the test infrastructure for CI on the project.
3. provides a simple way to play with the Kubernetes cluster you create. 3. provides a simple way to play with the Kubernetes cluster you create.
## testing with kubectl
Once converged, `kubeconfig` and `config-map-aws-auth.yml` should be in this directory.
Ensure you have a recent version of `kubectl` on your PATH ([instructions here](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl))
```bash
curl -o heptio-authenticator-aws https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/bin/darwin/amd64/heptio-authenticator-aws
mv heptio-authenticator-aws ~/go/bin/
kubectl apply -f examples/eks_test_fixture/config-map-aws-auth.yaml --kubeconfig examples/eks_test_fixture/kubeconfig
# configmap "aws-auth" created
kubectl get nodes --watch --kubeconfig examples/eks_test_fixture/kubeconfig
```
## IAM Permissions ## IAM Permissions
The following IAM policy is the minimum needed to execute the module from the test suite. The following IAM policy is the minimum needed to execute the module from the test suite.

6
examples/eks_test_fixture/main.tf
View File

@@ -46,9 +46,9 @@ resource "random_string" "suffix" {
special = false special = false
} }
resource "local_file" "config" { resource "local_file" "kubeconfig" {
content = "${module.eks.kubeconfig}" content = "${module.eks.kubeconfig}"
filename = "${path.module}/config" filename = "${path.module}/kubeconfig"
} }
resource "local_file" "config-map-aws-auth" { resource "local_file" "config-map-aws-auth" {
@@ -77,5 +77,5 @@ module "eks" {
vpc_id = "${module.vpc.vpc_id}" vpc_id = "${module.vpc.vpc_id}"
workers_ami_id = "${data.aws_ami.eks_worker.id}" workers_ami_id = "${data.aws_ami.eks_worker.id}"
cluster_ingress_cidrs = ["${local.workstation_external_cidr}"] cluster_ingress_cidrs = ["${local.workstation_external_cidr}"]
workers_instance_type = "t2.micro" workers_instance_type = "t2.small"
} }

130
local.tf Normal file
View File

@@ -0,0 +1,130 @@
locals {
# Mapping from the node type that we selected and the max number of pods that it can run
# Taken from https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-nodegroup.yaml
max_pod_per_node = {
c4.large = 29
c4.xlarge = 58
c4.2xlarge = 58
c4.4xlarge = 234
c4.8xlarge = 234
c5.large = 29
c5.xlarge = 58
c5.2xlarge = 58
c5.4xlarge = 234
c5.9xlarge = 234
c5.18xlarge = 737
i3.large = 29
i3.xlarge = 58
i3.2xlarge = 58
i3.4xlarge = 234
i3.8xlarge = 234
i3.16xlarge = 737
m3.medium = 12
m3.large = 29
m3.xlarge = 58
m3.2xlarge = 118
m4.large = 20
m4.xlarge = 58
m4.2xlarge = 58
m4.4xlarge = 234
m4.10xlarge = 234
m5.large = 29
m5.xlarge = 58
m5.2xlarge = 58
m5.4xlarge = 234
m5.12xlarge = 234
m5.24xlarge = 737
p2.xlarge = 58
p2.8xlarge = 234
p2.16xlarge = 234
p3.2xlarge = 58
p3.8xlarge = 234
p3.16xlarge = 234
r3.xlarge = 58
r3.2xlarge = 58
r3.4xlarge = 234
r3.8xlarge = 234
r4.large = 29
r4.xlarge = 58
r4.2xlarge = 58
r4.4xlarge = 234
r4.8xlarge = 234
r4.16xlarge = 737
t2.small = 8
t2.medium = 17
t2.large = 35
t2.xlarge = 44
t2.2xlarge = 44
x1.16xlarge = 234
x1.32xlarge = 234
}
asg_tags = ["${null_resource.tags_as_list_of_maps.*.triggers}"]
# More information: https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-nodegroup.yaml
workers_userdata = <<USERDATA
#!/bin/bash -xe
CA_CERTIFICATE_DIRECTORY=/etc/kubernetes/pki
CA_CERTIFICATE_FILE_PATH=$CA_CERTIFICATE_DIRECTORY/ca.crt
mkdir -p $CA_CERTIFICATE_DIRECTORY
echo "${aws_eks_cluster.this.certificate_authority.0.data}" | base64 -d > $CA_CERTIFICATE_FILE_PATH
INTERNAL_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
sed -i s,MASTER_ENDPOINT,${aws_eks_cluster.this.endpoint},g /var/lib/kubelet/kubeconfig
sed -i s,CLUSTER_NAME,${var.cluster_name},g /var/lib/kubelet/kubeconfig
sed -i s,REGION,${data.aws_region.current.name},g /etc/systemd/system/kubelet.service
sed -i s,MAX_PODS,${lookup(local.max_pod_per_node, var.workers_instance_type)},g /etc/systemd/system/kubelet.service
sed -i s,MASTER_ENDPOINT,${aws_eks_cluster.this.endpoint},g /etc/systemd/system/kubelet.service
sed -i s,INTERNAL_IP,$INTERNAL_IP,g /etc/systemd/system/kubelet.service
DNS_CLUSTER_IP=10.100.0.10
if [[ $INTERNAL_IP == 10.* ]] ; then DNS_CLUSTER_IP=172.20.0.10; fi
sed -i s,DNS_CLUSTER_IP,$DNS_CLUSTER_IP,g /etc/systemd/system/kubelet.service
sed -i s,CERTIFICATE_AUTHORITY_FILE,$CA_CERTIFICATE_FILE_PATH,g /var/lib/kubelet/kubeconfig
sed -i s,CLIENT_CA_FILE,$CA_CERTIFICATE_FILE_PATH,g /etc/systemd/system/kubelet.service
systemctl daemon-reload
systemctl restart kubelet kube-proxy
USERDATA
config_map_aws_auth = <<CONFIGMAPAWSAUTH
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: ${aws_iam_role.workers.arn}
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
CONFIGMAPAWSAUTH
kubeconfig = <<KUBECONFIG
apiVersion: v1
clusters:
- cluster:
server: ${aws_eks_cluster.this.endpoint}
certificate-authority-data: ${aws_eks_cluster.this.certificate_authority.0.data}
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: aws
name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: heptio-authenticator-aws
args:
- "token"
- "-i"
- "${var.cluster_name}"
KUBECONFIG
}

3
main.tf
View File

@@ -48,6 +48,9 @@
* 3. Ensure your AWS environment is configured (i.e. credentials and region) for test. * 3. Ensure your AWS environment is configured (i.e. credentials and region) for test.
* 4. Test using `bundle exec kitchen test` from the root of the repo. * 4. Test using `bundle exec kitchen test` from the root of the repo.
For now, connectivity to the kubernetes cluster is not tested but will be in the future.
To test your kubectl connection manually, see the [eks_test_fixture README](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks_test_fixture/README.md).
* ## Doc generation * ## Doc generation
* Documentation should be modified within `main.tf` and generated using [terraform-docs](https://github.com/segmentio/terraform-docs). * Documentation should be modified within `main.tf` and generated using [terraform-docs](https://github.com/segmentio/terraform-docs).

10
workers.tf
View File

@@ -91,3 +91,13 @@ resource "aws_iam_role_policy_attachment" "workers_AmazonEC2ContainerRegistryRea
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = "${aws_iam_role.workers.name}" role = "${aws_iam_role.workers.name}"
} }
resource "null_resource" "tags_as_list_of_maps" {
count = "${length(keys(var.tags))}"
triggers = "${map(
"key", "${element(keys(var.tags), count.index)}",
"value", "${element(values(var.tags), count.index)}",
"propagate_at_launch", "true"
)}"
}