From 9c9d0b957e50fe66df14b60a00b97cf8119d2a14 Mon Sep 17 00:00:00 2001
From: Javier Evans
Date: Tue, 14 Nov 2023 12:27:41 -0800
Subject: [PATCH] working up to cert manager
---
 .../python/infrastructure/aws/eks/__main__.py | 49 ++++++++++++++++++-
 pulumi/python/infrastructure/aws/eks/iam.py | 1 +
 pulumi/python/kubernetes/logstore/__main__.py | 12 +++++
 3 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/pulumi/python/infrastructure/aws/eks/__main__.py b/pulumi/python/infrastructure/aws/eks/__main__.py
index 13a17264..0834caa9 100644
--- a/pulumi/python/infrastructure/aws/eks/__main__.py
+++ b/pulumi/python/infrastructure/aws/eks/__main__.py
@@ -1,5 +1,6 @@
 import collections
 import os
+import json
 import pulumi
 import pulumi_aws as aws
@@ -81,7 +82,7 @@ def retrieve_vpc_and_subnets(vpc) -> VPCDefinition:
 public_subnet_ids=vpc_definition.public_subnet_ids,
 private_subnet_ids=vpc_definition.private_subnet_ids,
 service_role=iam.eks_role,
- create_oidc_provider=False,
+ create_oidc_provider=True,
 version=k8s_version,
 provider_credential_opts=provider_credential_opts,
 tags={"Project": project_name, "Stack": stack_name}
@@ -91,6 +92,52 @@ def retrieve_vpc_and_subnets(vpc) -> VPCDefinition:
 cluster = eks.Cluster(resource_name=f"{project_name}-{stack_name}", args=cluster_args)
+account = aws.get_caller_identity()
+csi_role = aws.iam.Role(
+ "AmazonEKS_EBS_CSI_DriverRole",
+ assume_role_policy=pulumi.Output.all(
+ oidc_url=cluster.eks_cluster.identities[0].oidcs[0].issuer,
+ account_id=account.account_id
+ ).apply(
+ lambda args: json.dumps(
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": f'arn:aws:iam::{args["account_id"]}:oidc-provider/{args["oidc_url"].replace("https://", "")}'
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ f'{args["oidc_url"].replace("https://", "")}:aud': "sts.amazonaws.com",
+ f'{args["oidc_url"].replace("https://", "")}:sub': "system:serviceaccount:kube-system:ebs-csi-controller-sa"
+ }
+ }
+ }
+ ]
+ }
+ )
+ )
+ )
+
+aws.iam.RolePolicyAttachment(
+ 'eks-ebs-csi-driver-policy-attachment',
+ role=csi_role.id,
+ policy_arn='arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy'
+)
+
+# TODO: Do I need to assign the role to the CSI Driver? Most likely?
+
+# Creating an EKS Addon for the CSI Driver
+csi_addon = aws.eks.Addon("aws-ebs-csi-driver",
+ cluster_name=cluster.eks_cluster.name,
+ addon_name="aws-ebs-csi-driver",
+ service_account_role_arn=csi_role.arn)
+
 # Export the clusters' kubeconfig
 pulumi.export("cluster_name", cluster.eks_cluster.name)
 pulumi.export("kubeconfig", cluster.kubeconfig)
+pulumi.export("csi_iam_role", csi_role)
+pulumi.export("csi_addon", csi_addon)
diff --git a/pulumi/python/infrastructure/aws/eks/iam.py b/pulumi/python/infrastructure/aws/eks/iam.py
index 9e9cc33a..0c9a3146 100644
--- a/pulumi/python/infrastructure/aws/eks/iam.py
+++ b/pulumi/python/infrastructure/aws/eks/iam.py
@@ -68,3 +68,4 @@
 role=ec2_role.id,
 policy_arn='arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly',
 )
+
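Review bot: The `aws.eks.Addon` has no explicit dependency on the `RolePolicyAttachment`, so the add-on may be installed before `AmazonEBSCSIDriverPolicy` is attached and the controller would come up with a role that cannot yet call EC2; bind the attachment (`csi_policy_attachment = aws.iam.RolePolicyAttachment(`) and pass `opts=pulumi.ResourceOptions(depends_on=[csi_policy_attachment])` to the Addon. Likewise the trust policy names the OIDC provider only by an ARN string derived from the cluster issuer, and IAM rejects a Federated principal that does not exist yet; if `create_oidc_provider=True` populates `cluster.core.oidc_provider`, the role should carry `opts=pulumi.ResourceOptions(depends_on=[cluster.core.oidc_provider])` — worth confirming against the pulumi_eks version in use. The `# TODO: Do I need to assign the role to the CSI Driver?` comment is already answered by `service_account_role_arn=csi_role.arn` and can go. The `:aud`/`:sub` conditions correctly pin the role to `system:serviceaccount:kube-system:ebs-csi-controller-sa`, but the role omits the `tags={"Project": project_name, "Stack": stack_name}` that `cluster_args` carries in the previous hunk, and `args["oidc_url"].replace("https://", "")` is repeated three times where one local inside the lambda would do. Exporting the whole `csi_role` and `csi_addon` objects serializes resource references; `csi_role.arn` and `csi_addon.id` are the more useful stack outputs.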
diff --git a/pulumi/python/kubernetes/logstore/__main__.py b/pulumi/python/kubernetes/logstore/__main__.py
index aaf48da8..020e9bb0 100644
--- a/pulumi/python/kubernetes/logstore/__main__.py
+++ b/pulumi/python/kubernetes/logstore/__main__.py
@@ -83,8 +83,16 @@ def project_name_from_project_dir(dirname: str):
 # Values from Chart's parameters specified hierarchically,
 values={
+ # "image": {
+ # "debug": True
+ # },
+ # "diagnosticMode": {
+ # "enabled": True
+ # },
 "master": {
 "replicas": master_replicas,
+ # "livenessProbe": 300,
+ # "readinessProbe": 180,
 "resources": {
 "requests": {},
 "limits": {}
@@ -95,6 +103,8 @@ def project_name_from_project_dir(dirname: str):
 },
 "data": {
 "replicas": data_replicas,
+ # "livenessProbe": 300,
+ # "readinessProbe": 180,
 "resources": {
 "requests": {},
 "limits": {}
@@ -106,6 +116,8 @@ def project_name_from_project_dir(dirname: str):
 "ingest": {
 "enabled": True,
 "replicas": ingest_replicas,
+ # "livenessProbe": 300,
+ # "readinessProbe": 180,
 "resources": {
 "requests": {},
 "limits": {}
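Review bot: All three hunks in this file add commented-out chart values (`# "image": {"debug": True}`, `# "diagnosticMode": {"enabled": True}`, `# "livenessProbe": 300`, `# "readinessProbe": 180`) rather than configuration, which leaves debugging leftovers in the committed values map; either drop them or wire them to a stack config value with a comment explaining when to enable them. `diagnosticMode.enabled` in particular, if this is a Bitnami-style chart, replaces the container command with a sleep and disables the probes, so it should not be sitting one uncomment away in a tracked stack without a comment saying so. It is also unclear whether a bare integer is the shape the chart expects for `livenessProbe`/`readinessProbe` — in Bitnami charts those keys are maps of probe settings — so the hint as written may not work if uncommented; verify before keeping it. The enclosing `values={` dict starts before the first hunk and continues past the last.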