working up to cert manager
4141done committed Nov 14, 2023
1 parent 07b5990 commit 9c9d0b9
Showing 3 changed files with 61 additions and 1 deletion.
49 changes: 48 additions & 1 deletion pulumi/python/infrastructure/aws/eks/__main__.py
@@ -1,5 +1,6 @@
import collections
import os
import json

import pulumi
import pulumi_aws as aws
Expand Down Expand Up @@ -81,7 +82,7 @@ def retrieve_vpc_and_subnets(vpc) -> VPCDefinition:
public_subnet_ids=vpc_definition.public_subnet_ids,
private_subnet_ids=vpc_definition.private_subnet_ids,
service_role=iam.eks_role,
create_oidc_provider=False,
create_oidc_provider=True,
version=k8s_version,
provider_credential_opts=provider_credential_opts,
tags={"Project": project_name, "Stack": stack_name}
Expand All @@ -91,6 +92,52 @@ def retrieve_vpc_and_subnets(vpc) -> VPCDefinition:
cluster = eks.Cluster(resource_name=f"{project_name}-{stack_name}",
args=cluster_args)

account = aws.get_caller_identity()
csi_role = aws.iam.Role(
"AmazonEKS_EBS_CSI_DriverRole",
assume_role_policy=pulumi.Output.all(
oidc_url=cluster.eks_cluster.identities[0].oidcs[0].issuer,
account_id=account.account_id
).apply(
lambda args: json.dumps(
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": f'arn:aws:iam::{args["account_id"]}:oidc-provider/{args["oidc_url"].replace("https://", "")}'
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
f'{args["oidc_url"].replace("https://", "")}:aud': "sts.amazonaws.com",
f'{args["oidc_url"].replace("https://", "")}:sub': "system:serviceaccount:kube-system:ebs-csi-controller-sa"
}
}
}
]
}
)
)
)

aws.iam.RolePolicyAttachment(
'eks-ebs-csi-driver-policy-attachment',
role=csi_role.id,
policy_arn='arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy'
)

# TODO: Do I need to assign the role to the CSI Driver? Most likely?

# Creating an EKS Addon for the CSI Driver
csi_addon = aws.eks.Addon("aws-ebs-csi-driver",
cluster_name=cluster.eks_cluster.name,
addon_name="aws-ebs-csi-driver",
service_account_role_arn=csi_role.arn)

# Export the clusters' kubeconfig
pulumi.export("cluster_name", cluster.eks_cluster.name)
pulumi.export("kubeconfig", cluster.kubeconfig)
pulumi.export("csi_iam_role", csi_role)
pulumi.export("csi_addon", csi_addon)
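Review bot: The `# TODO: Do I need to assign the role to the CSI Driver?` comment in the third hunk is already answered two lines below by `service_account_role_arn=csi_role.arn`, so it should be dropped and replaced with a comment that explains the trust policy's deliberately narrow scope, e.g. `# IRSA trust: only kube-system/ebs-csi-controller-sa may assume this role, and only with a token whose audience is sts.amazonaws.com`. The Federated principal is derived from `cluster.eks_cluster.identities[0].oidcs[0].issuer`, which makes `csi_role` depend on the EKS cluster resource but, as far as I can tell from this hunk, not on the IAM OIDC provider that `create_oidc_provider=True` asks the component to create; IAM rejects a trust policy whose principal does not yet exist, so `opts=pulumi.ResourceOptions(depends_on=[cluster])` on `csi_role` is a cheap guard worth confirming against how pulumi-eks wires that child resource. The new role also omits the `tags={"Project": project_name, "Stack": stack_name}` that the cluster args carry, which breaks the tagging convention this file already follows. Finally, `pulumi.export("csi_iam_role", csi_role)` and `pulumi.export("csi_addon", csi_addon)` place whole resource objects in the stack outputs; `pulumi.export("csi_iam_role_arn", csi_role.arn)` and `pulumi.export("csi_addon_id", csi_addon.id)` give consumers the values they actually need and keep `pulumi stack output` readable.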
1 change: 1 addition & 0 deletions pulumi/python/infrastructure/aws/eks/iam.py
Expand Up @@ -68,3 +68,4 @@
role=ec2_role.id,
policy_arn='arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly',
)

12 changes: 12 additions & 0 deletions pulumi/python/kubernetes/logstore/__main__.py
Expand Up @@ -83,8 +83,16 @@ def project_name_from_project_dir(dirname: str):

# Values from Chart's parameters specified hierarchically,
values={
# "image": {
# "debug": True
# },
# "diagnosticMode": {
# "enabled": True
# },
"master": {
"replicas": master_replicas,
# "livenessProbe": 300,
# "readinessProbe": 180,
"resources": {
"requests": {},
"limits": {}
Expand All @@ -95,6 +103,8 @@ def project_name_from_project_dir(dirname: str):
},
"data": {
"replicas": data_replicas,
# "livenessProbe": 300,
# "readinessProbe": 180,
"resources": {
"requests": {},
"limits": {}
Expand All @@ -106,6 +116,8 @@ def project_name_from_project_dir(dirname: str):
"ingest": {
"enabled": True,
"replicas": ingest_replicas,
# "livenessProbe": 300,
# "readinessProbe": 180,
"resources": {
"requests": {},
"limits": {}
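Review bot: Every addition in this section is commented-out chart configuration (`image.debug`, `diagnosticMode.enabled`, and the `livenessProbe`/`readinessProbe` pairs under master, data and ingest) with no note on why it is parked there, which is the kind of dead code that rots silently. If these are debugging aids, a one-line comment above the first pair such as `# Debug aids: uncomment to enable the chart's diagnostic mode and relax probe timeouts while troubleshooting` keeps the intent visible, or better, drive them from a stack config flag so they never need uncommenting. Probe settings in most Helm charts are maps (`initialDelaySeconds`, `periodSeconds`, ...) rather than bare integers, so `"livenessProbe": 300` may not even be accepted once uncommented; worth verifying against the chart's values schema. The enclosing `values={...}` dict starts and ends outside the visible hunks.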
