https://pulumi.com logo
Title
b

bitter-policeman-94135

10/26/2021, 12:07 AM
Has anyone had success with getting EBS-CSI working with Pulimi in Python? https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html ☝️ I'm having some difficulty translating these steps to Python.
b

billowy-army-68599

10/26/2021, 2:30 AM
i can probably help here, but what specifically are you struggling with?
(it'll probably be later in the week when I can create an example)
w

worried-city-86458

10/26/2021, 7:32 PM
I've got it working via dotnet/c# so you should be able to translate from there?
Using pulumi kubernetes and the new helm release resource:
// aws ebs csi driver; <https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver>
Logger.LogDebug("Installing aws ebs csi driver");
var ebsControllerRole = new RoleX($"{k8sPrefix}-ebs-csi-controller",
    new RoleXArgs
    {
        AssumeRolePolicy = IamHelpers.AssumeRoleForServiceAccount(oidcArn, oidcUrl, "kube-system", "aws-ebs-csi-controller", awsProvider),
        InlinePolicies = { ["policy"] = ReadResource("AwsEbsCsiPolicy.json") }
    },
    new ComponentResourceOptions { Provider = awsProvider });

var ebsDriverValues = ebsControllerRole.Arn.Apply(roleArn =>
    new Dictionary<string, object>
    {
        ["controller"] = new
        {
            extraVolumeTags = GetDefaultTags(),
            serviceAccount = new { name = "aws-ebs-csi-controller", annotations = new Dictionary<string, string> { ["<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>"] = roleArn } }
        },
        ["node"] = new
        {
            serviceAccount = new { name = "aws-ebs-csi-node" },
            tolerateAllTaints = true
        },
        ["storageClasses"] = new[]
        {
            new
            {
                name = "ebs-sc",
                parameters = new { encrypted = "true" },
                reclaimPolicy = "Retain"
            }
        }
    }.ToDictionary()); // workaround <https://github.com/pulumi/pulumi/issues/8013>

new Release("aws-ebs-csi-driver",
    new ReleaseArgs
    {
        Namespace = "kube-system",
        Name = "aws-ebs-csi-driver",
        RepositoryOpts = new RepositoryOptsArgs { Repo = "<https://kubernetes-sigs.github.io/aws-ebs-csi-driver>" },
        Chart = "aws-ebs-csi-driver",
        Version = K8sConfig.AwsEbsCsiDriverVersion,
        Values = ebsDriverValues,
        Atomic = true
    },
    new CustomResourceOptions { Provider = k8sProvider });
The above is the policy used for iam roles for service accounts (irsa)