// First revision of the dev cluster: Fargate-only, with the OIDC provider
// still disabled. The commented-out line matters for the rest of the thread:
// without a cluster OIDC provider there is nothing for an IAM role's
// AssumeRoleWithWebIdentity trust policy to federate with, so IRSA for the
// load-balancer controller's service account cannot be set up (a later
// revision enables it).
devEksCluster, err := eks.NewCluster(ctx, "rh-eks-dev", &eks.ClusterArgs{
	// Explicit security group for the control plane; presumably the group
	// that gates traffic to the cluster ENIs — confirm against the EKS docs.
	ClusterSecurityGroup: eksSecurityGroup,
	VpcId:                devEksVpc.VpcId,
	// Workloads are meant to run on Fargate; no node group is declared here.
	Fargate: pulumi.Bool(true),
	// CreateOidcProvider: pulumi.Bool(true),
	// Public subnets will be used for load balancers
	PublicSubnetIds: devEksVpc.PublicSubnetIds,
	// Private subnets will be used for cluster nodes
	PrivateSubnetIds: devEksVpc.PrivateSubnetIds,
})
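// Installs the AWS Load Balancer Controller chart into kube-system.
//
// serviceAccount.create is false: the chart is pointed at a pre-existing
// service account (presumably the one that carries the IRSA role annotation),
// so the controller gets its AWS permissions through the cluster OIDC
// provider rather than through node-level credentials. `err` is assigned here
// but checked outside this snippet.
_, err = helmv3.NewRelease(ctx, "aws-load-balancer-controller", &helmv3.ReleaseArgs{
	Chart:   pulumi.String("aws-load-balancer-controller"),
	Version: pulumi.String("1.6.1"),
	RepositoryOpts: helmv3.RepositoryOptsArgs{
		// Plain repository URL. The "<https://…>" spelling in the original
		// was a chat auto-link artifact, not a URL Helm can fetch from.
		Repo: pulumi.String("https://aws.github.io/eks-charts"),
	},
	Namespace: pulumi.String("kube-system"),
	Values: pulumi.Map{
		"clusterName": devEksCluster.EksCluster.Name(),
		"serviceAccount": pulumi.Map{
			"create": pulumi.Bool(false),
			"name":   serviceAccount.Metadata.Name(),
		},
		// Region is hard-coded; consider sourcing it from the aws provider
		// config so dev/prod stacks do not drift.
		"region": pulumi.String("eu-central-2"),
		"vpcId":  devEksVpc.VpcId,
	},
})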
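// Ingress handled by the AWS Load Balancer Controller: an internet-facing
// ALB that forwards traffic straight to pod IPs.
//
// The annotation keys were restored to their plain form; the "<http://…|…>"
// spelling (and "<http://pulumi.Int|pulumi.Int>") was a chat auto-link
// artifact, not valid code. `kubernetes.io/ingress.class` is the legacy
// class selector; spec.ingressClassName is the current form (the YAML
// manifest later in this thread uses it).
_, err = v1.NewIngress(ctx, "api-ingress", &v1.IngressArgs{
	Metadata: &metav1.ObjectMetaArgs{
		Annotations: pulumi.StringMap{
			"kubernetes.io/ingress.class":                pulumi.String("alb"),
			"alb.ingress.kubernetes.io/backend-protocol": pulumi.String("HTTP"),
			// "internet-facing" provisions a publicly reachable ALB; use
			// "internal" for services that should only be reachable from
			// inside the VPC.
			"alb.ingress.kubernetes.io/scheme": pulumi.String("internet-facing"),
			// "ip" registers pod IPs directly — the mode Fargate pods need,
			// since they have no EC2 instance/NodePort to register. Confirm
			// against the controller docs for this cluster's setup.
			"alb.ingress.kubernetes.io/target-type": pulumi.String("ip"),
		},
		Labels: pulumi.StringMap{
			"app": pulumi.String("api"),
		},
		Name: pulumi.String("api-ingress"),
	},
	Spec: &v1.IngressSpecArgs{
		Rules: v1.IngressRuleArray{
			&v1.IngressRuleArgs{
				Http: &v1.HTTPIngressRuleValueArgs{
					Paths: v1.HTTPIngressPathArray{
						&v1.HTTPIngressPathArgs{
							Backend: &v1.IngressBackendArgs{
								Service: &v1.IngressServiceBackendArgs{
									Name: pulumi.String("my-service"), // Your service name goes here
									Port: &v1.ServiceBackendPortArgs{
										Number: pulumi.Int(80), // Your service target port number
									},
								},
							},
							// NOTE(review): "/*" combined with PathType Prefix — the
							// controller docs pair a wildcard with "ImplementationSpecific"
							// and use "/" for Prefix; confirm the API server accepts this.
							Path:     pulumi.String("/*"), // Request path to match
							PathType: pulumi.String("Prefix"),
						},
					},
				},
			},
		},
	},
}, pulumi.Provider(eksProvider))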
// Second revision of the dev cluster: identical to the first except that the
// OIDC provider is now created, which is the prerequisite for IAM Roles for
// Service Accounts (IRSA) — the role's trust policy federates with this
// provider and is scoped to one namespace/service-account pair.
devEksCluster, err := eks.NewCluster(ctx, "rh-eks-dev", &eks.ClusterArgs{
	// Explicit control-plane security group. The thread below suggests it may
	// be redundant once the load-balancer controller manages its own
	// groups; confirm what it gates before removing it.
	ClusterSecurityGroup: eksSecurityGroup,
	VpcId:                devEksVpc.VpcId,
	// Workloads are meant to run on Fargate; no node group is declared here.
	Fargate: pulumi.Bool(true),
	// Creates the IAM OIDC identity provider for the cluster (needed for IRSA).
	CreateOidcProvider: pulumi.Bool(true),
	// Public subnets will be used for load balancers
	PublicSubnetIds: devEksVpc.PublicSubnetIds,
	// Private subnets will be used for cluster nodes
	PrivateSubnetIds: devEksVpc.PrivateSubnetIds,
})
ClusterSecurityGroup: eksSecurityGroup,
I guess it's not needed since the alb-controller is already automatically creating things
09/26/2023, 1:17 PMCreateOidcProvider: pulumi.Bool(true),
09/29/2023, 5:12 PMimport { iam } from '@pulumi/aws';
import * as k8s from '@pulumi/kubernetes';
import {
all,
ComponentResource,
ComponentResourceOptions,
Input,
Output,
} from '@pulumi/pulumi';
/**
 * Inputs for {@link IamServiceAccount}: an IAM role trusted by exactly one
 * Kubernetes service account via the cluster's OIDC provider (IRSA).
 */
export type IamServiceAccountArgs = {
  /**
   * Name of the service account to associate with the role
   */
  serviceAccountName: Input<string>;
  /**
   * Namespace to associate with the service account/role
   */
  serviceAccountNamespace: Input<string>;
  /**
   * Whether to create the service account or not. Defaults to true.
   * (i.e if you are using helm to create the service account, set this to false,
   * then extract the roleArn from this to annotate the serviceaccount with in the helm chart)
   *
   * NOTE(review): the constructor tests this value for truthiness without
   * unwrapping it, so pass a plain boolean — an Output<boolean> would always
   * count as true.
   */
  createServiceAccount?: Input<boolean>;
  /**
   * ARNs of the IAM policies to apply to the service account.
   * One RolePolicyAttachment is created per entry.
   */
  policies: Input<string>[];
  /**
   * The issuer of the cluster OIDC provider (the "https://" scheme is
   * stripped when building the trust-policy condition keys)
   */
  clusterOidcProviderIssuer: Input<string>;
  /**
   * The ARN of the cluster OIDC provider; becomes the federated principal
   * of the role's trust policy
   */
  clusterOidcProviderArn: Input<string>;
  /**
   * The provider with authentication to the cluster
   */
  provider: k8s.Provider;
  /**
   * The resource tags
   *
   * NOTE(review): `Tags` is not imported in this file; presumably an
   * ambient/global type declared elsewhere — confirm.
   */
  tags: Tags;
};
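export class IamServiceAccount extends ComponentResource {
  /**
   * The Kubernetes service account created by this component. Left unset
   * when `createServiceAccount` is false (e.g. a Helm chart creates it);
   * declared optional so callers must handle that case instead of relying
   * on a field that is only sometimes assigned.
   */
  serviceAccount?: k8s.core.v1.ServiceAccount;
  /** IAM role the service account is allowed to assume via IRSA. */
  role: iam.Role;
  // TODO: remove roleArn here and just use role.arn in downstream constructors
  roleArn: Output<string>;

  /**
   * Creates an IAM role whose trust policy is restricted to a single
   * Kubernetes service account, attaches the given policies to it, and
   * optionally creates the annotated service account.
   *
   * @param name Logical name; also the prefix of the IAM role's physical name.
   * @param args See {@link IamServiceAccountArgs}.
   * @param opts Component resource options. Child resources are parented to
   *   `opts.parent` (not to this component, unlike ExternalDNS); this is kept
   *   as-is because changing the parent changes URNs and would replace the
   *   role on the next update.
   */
  constructor(
    name: string,
    {
      clusterOidcProviderArn,
      clusterOidcProviderIssuer,
      policies,
      provider,
      serviceAccountName,
      serviceAccountNamespace,
      createServiceAccount,
      tags,
    }: IamServiceAccountArgs,
    opts?: ComponentResourceOptions
  ) {
    super('pkg:io:jugo:eks:IamServiceAccount', name, {}, opts);

    // Trust policy for sts:AssumeRoleWithWebIdentity. Both conditions matter:
    // `:aud` restricts tokens to those issued for STS, and `:sub` pins the
    // role to exactly one namespace/service-account pair, so no other
    // workload in the cluster can assume it.
    const assumeRolePolicy = all([
      clusterOidcProviderArn,
      clusterOidcProviderIssuer,
      serviceAccountNamespace,
      serviceAccountName,
    ]).apply(([providerArn, issuer, namespace, saName]): iam.PolicyDocument => {
      // The condition keys use the issuer without its scheme.
      const oidcHost = issuer.replace('https://', '');
      return {
        Version: '2012-10-17',
        Statement: [
          {
            Effect: 'Allow',
            Principal: {
              Federated: providerArn,
            },
            Action: 'sts:AssumeRoleWithWebIdentity',
            Condition: {
              StringEquals: {
                [`${oidcHost}:aud`]: 'sts.amazonaws.com',
                [`${oidcHost}:sub`]: `system:serviceaccount:${namespace}:${saName}`,
              },
            },
          },
        ],
      };
    });

    const shouldCreateServiceAccount = createServiceAccount ?? true;

    this.role = new iam.Role(
      `${name}-k8s-sa-iam-role`,
      {
        name: `${name}-k8s-sa-iam-role`,
        assumeRolePolicy,
        tags,
      },
      { parent: opts?.parent }
    );

    // One attachment per policy ARN; the index keeps the logical names unique.
    policies.forEach((policyArn, i) => {
      new iam.RolePolicyAttachment(
        `${name}-${i}-attachment`,
        {
          role: this.role.name,
          policyArn,
        },
        { parent: opts?.parent }
      );
    });

    // NOTE(review): plain truthiness test. `createServiceAccount` is typed
    // Input<boolean>, and an Output object is always truthy, so only a plain
    // `false` actually suppresses creation.
    if (shouldCreateServiceAccount) {
      this.serviceAccount = new k8s.core.v1.ServiceAccount(
        name,
        {
          metadata: {
            name: serviceAccountName,
            namespace: serviceAccountNamespace,
            // Annotation that ties the service account to the role (IRSA).
            annotations: {
              'eks.amazonaws.com/role-arn': this.role.arn,
            },
          },
        },
        {
          provider,
          parent: opts?.parent,
        }
      );
    }

    this.roleArn = this.role.arn;
    this.registerOutputs({ roleArn: this.roleArn });
  }
}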
// Helm release with a fixed physical release Name.
//
// The error quoted below this snippet ("cannot re-use a name that is still in
// use") is Helm's install-time error: a release called "some-release" already
// exists in the target namespace. With an explicit Name, a Pulumi replacement
// (create-before-delete by default) triggers exactly that, as does a release
// left over from a manual install. Likely remedies: drop Name so Pulumi
// auto-names the release, or opt into delete-before-replace with the
// pulumi.DeleteBeforeReplace(true) resource option — confirm which property
// caused the replacement first.
_, err = helmv3.NewRelease(ctx, "some-release", &helmv3.ReleaseArgs{
	Chart: pulumi.String("./infra/charts/some-chart"),
	Name:  pulumi.String("some-release"),
	// Presumably map to helm's --recreate-pods / --cleanup-on-fail / --force;
	// ForceUpdate in particular replaces resources rather than patching them.
	RecreatePods:  pulumi.Bool(true),
	CleanupOnFail: pulumi.Bool(true),
	ForceUpdate:   pulumi.Bool(true),
}, pulumi.Provider(eksProvider))
error: cannot re-use a name that is still in use
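# Helm-templated Ingress for the AWS Load Balancer Controller.
# Annotation keys and apiVersion were restored to their plain form; the
# "<http://…|…>" spelling was a chat auto-link artifact, not a valid key.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ .Chart.Name }}
  annotations:
    # Presumably joins this Ingress to a shared ALB with every other Ingress
    # using the same group name.
    alb.ingress.kubernetes.io/group.name: dev-load-balancer
    # Public ALB; use "internal" for services that must stay inside the VPC.
    alb.ingress.kubernetes.io/scheme: internet-facing
    # "instance" registers node ports. Pods scheduled on Fargate have no EC2
    # instance to register, so "ip" is required there (the Pulumi Ingress
    # earlier in this thread uses "ip") — confirm which applies to this cluster.
    alb.ingress.kubernetes.io/target-type: instance
    ## SSL Settings
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-2:949119048772:certificate/2ec19ed9-cb27-4c1d-9fe5-b8b56aca36f4
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    # With the redirect left disabled, port 80 serves the backends over plain
    # HTTP instead of redirecting to 443.
    #alb.ingress.kubernetes.io/ssl-redirect: '443'
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /rh-backend
            pathType: Prefix
            backend:
              service:
                name: rh-backend
                port:
                  number: 80
          - path: /rh-public-api
            pathType: Prefix
            backend:
              service:
                name: rh-public-api
                port:
                  number: 80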
10/06/2023, 1:59 PMimport { iam } from '@pulumi/aws';
import * as k8s from '@pulumi/kubernetes';
import {
ComponentResource,
ComponentResourceOptions,
Input,
} from '@pulumi/pulumi';
import { serviceAccountNamespace } from './clusterConfig';
import { region } from '@pulumi/aws/config';
import { getAssumeRolePolicyDocument } from './policies';
/**
 * Inputs for {@link ExternalDNS}: the Bitnami external-dns chart plus an IRSA
 * role allowed to manage Route53 records.
 */
export type ExternalDNSArgs = {
  /**
   * Name of the environment the cluster will be running in e.g. sandbox, prod, qa.
   * Also used, as-is, as the chart's domain filter.
   */
  environment: Input<string>;
  /**
   * Name of the cluster e.g. jugo-monitoring.
   * Prefixes every IAM resource name and is the TXT owner id of the records.
   */
  clusterName: string;
  /**
   * The DNS update policy: upsert-only or sync. Defaults to sync.
   * Note that sync also lets external-dns delete records it owns.
   */
  dnsUpdatePolicy?: string;
  /**
   * The issuer of the cluster OIDC provider
   */
  clusterOidcProviderUrl: Input<string>;
  /**
   * The ARN of the cluster OIDC provider
   */
  clusterOidcProviderArn: Input<string>;
  /**
   * The provider with authentication to the cluster
   */
  provider: k8s.Provider;
  /**
   * The resource tags
   *
   * NOTE(review): `Tags` is not imported in this file; presumably an
   * ambient/global type declared elsewhere — confirm.
   */
  tags: Tags;
};
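export class ExternalDNS extends ComponentResource {
  /**
   * Installs the Bitnami external-dns chart and gives it an IRSA role that
   * may change Route53 records.
   *
   * Resources created (all parented to this component): an IAM role trusted
   * by the external-dns service account, a customer-managed policy with the
   * Route53 permissions, the attachment between them, the annotated
   * service account, and the Helm release in kube-system.
   *
   * @param name Logical name of the component.
   * @param args See {@link ExternalDNSArgs}.
   * @param opts Component resource options.
   */
  constructor(
    name: string,
    {
      environment,
      clusterName,
      dnsUpdatePolicy,
      clusterOidcProviderArn,
      clusterOidcProviderUrl,
      provider,
      tags,
    }: ExternalDNSArgs,
    opts?: ComponentResourceOptions
  ) {
    super('pkg:io:jugo:eks:ExternalDNS', name, {}, opts);

    // Permissions external-dns needs. ChangeResourceRecordSets is granted on
    // every hosted zone in the account; if the zones this cluster manages are
    // known, narrow that Resource list to their ARNs so a compromised
    // controller cannot rewrite records in unrelated zones. The two List
    // actions only accept "*".
    const externalDNSPolicyDocument: iam.PolicyDocument = {
      Version: '2012-10-17',
      Statement: [
        {
          Effect: 'Allow',
          Action: ['route53:ChangeResourceRecordSets'],
          Resource: ['arn:aws:route53:::hostedzone/*'],
        },
        {
          Effect: 'Allow',
          Action: ['route53:ListHostedZones', 'route53:ListResourceRecordSets'],
          Resource: ['*'],
        },
      ],
    };

    const saName = `${clusterName}-external-dns`;

    // Trust policy scoped to the external-dns service account; the helper
    // presumably takes the namespace from the shared clusterConfig — confirm.
    const assumeRolePolicy = getAssumeRolePolicyDocument({
      clusterOidcProviderUrl,
      clusterOidcProviderArn,
      provider,
      saName,
    });

    const role = new iam.Role(
      `${clusterName}-external-dns-role`,
      {
        name: `${clusterName}-external-dns-role`,
        assumeRolePolicy,
        tags,
      },
      { parent: this }
    );

    const externalDnsPolicy = new iam.Policy(
      `${clusterName}-external-dns-policy`,
      {
        name: `${clusterName}-external-dns-policy`,
        policy: externalDNSPolicyDocument,
      },
      { parent: this }
    );

    new iam.RolePolicyAttachment(
      `${clusterName}-external-dns-policy-attachment`,
      {
        role: role.name,
        policyArn: externalDnsPolicy.arn,
      },
      { parent: this }
    );

    // NOTE(review): the chart below is installed into kube-system with
    // serviceAccount.create=false, so this service account must live in that
    // same namespace; confirm serviceAccountNamespace resolves to kube-system.
    // Annotation and label keys were restored to their plain form; the
    // "<http://…|…>" spelling was a chat auto-link artifact.
    const serviceAccount = new k8s.core.v1.ServiceAccount(
      saName,
      {
        metadata: {
          name: saName,
          namespace: serviceAccountNamespace,
          annotations: {
            'eks.amazonaws.com/role-arn': role.arn,
          },
          labels: {
            'app.kubernetes.io/component': 'controller',
            'app.kubernetes.io/name': saName,
          },
        },
      },
      {
        provider,
        parent: this,
      }
    );

    // See: https://github.com/bitnami/charts/tree/main/bitnami/external-dns
    new k8s.helm.v3.Release(
      `${clusterName}-external-dns`,
      {
        name: 'external-dns',
        chart: 'external-dns',
        version: '6.18.0',
        namespace: 'kube-system',
        values: {
          provider: 'aws',
          serviceAccount: {
            create: false,
            name: serviceAccount.metadata.name,
          },
          aws: {
            // Resolved from the aws:region stack config; undefined if unset.
            region,
            roleArn: role.arn,
          },
          zoneType: 'public',
          // Owner id written into the TXT registry records so that several
          // clusters sharing a zone do not clobber each other's entries.
          txtOwnerId: clusterName,
          // Passed as an Input. Interpolating it into a template literal (the
          // previous `${domainFilter}`) does not yield the resolved value when
          // `environment` arrives as an Output.
          domainFilters: [environment],
          // "sync" lets external-dns delete records it owns; "upsert-only"
          // never deletes.
          policy: dnsUpdatePolicy || 'sync',
          tolerations: [
            {
              key: 'jugo.io/node-role',
              operator: 'Exists',
              effect: 'NoSchedule',
            },
          ],
          nodeSelector: {
            'jugo.io/node-role': 'system',
          },
        },
        repositoryOpts: {
          repo: 'https://charts.bitnami.com/bitnami',
        },
      },
      {
        provider,
        customTimeouts: { create: '2m' },
        parent: this,
      }
    );

    this.registerOutputs({
      roleArn: role.arn,
      serviceAccountName: serviceAccount.metadata.name,
    });
  }
}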