From 4349020747f89d7067a3e6a8bf9886ac4c39d1d4 Mon Sep 17 00:00:00 2001 From: Blayne Chard Date: Fri, 20 Oct 2023 08:49:21 +1300 Subject: [PATCH 1/2] feat: initial eks namespaces TDE-915 (#202) #### Motivation Some resources need to interact with k8s and others directly with AWS so we are using both CDK and AWS-CDK. To enable resources to be deployed we need to scaffhold out the starting blocks such as namespaces so that service accounts can be deployed using AWS-CDK. #### Modification Create a structure for initial EKS / AWS deployments in CDK and start to define what components are in CDK vs CDK8s --- config/README.md | 8 +++++--- config/eks/cluster.ts | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 3 deletions(-) diff --git a/config/README.md b/config/README.md index 4e1822dda..8f0fb3636 100644 --- a/config/README.md +++ b/config/README.md @@ -1,10 +1,12 @@ -# Kubernetes configuration with CDK8s +# Kubernetes configuration with CDK8s and AWS-CDK -Collection of Kubernetes resources. +Collection of AWS & Kubernetes resources. ## Components -Main entry point: [app](./app.ts) +Main entry point: [cdk8s](./cdk8s.ts) and [cdk](./cdk.ts) + +Generally all Kubernetes resources are defined with cdk8s and anything that needs AWS interactions such as service accounts are defined with CDK. - argo - Argo workflows for use with [linz/topo-workflows](https://github.com/linz/topo-workflows) diff --git a/config/eks/cluster.ts b/config/eks/cluster.ts index 8c9c0251d..2ab084144 100644 --- a/config/eks/cluster.ts +++ b/config/eks/cluster.ts 
@@ -68,5 +68,39 @@ export class LinzEksCluster extends Stack {
 // Grant the AWS Admin user ability to view the cluster
 const accountAdminRole = Role.fromRoleName(this, 'AccountAdminRole', 'AccountAdminRole');
 this.cluster.awsAuth.addMastersRole(accountAdminRole);
+
+ this.configureEks();
+ }
+
+ /**
+ * Setup the basic interactions between EKS and some of its components
+ *
+ * This should generally be limited to things that require direct interaction with AWS eg service accounts
+ * or name space creation
+ */
+ configureEks(): void {
+ // Use fluent bit to ship logs from eks into aws
+ const fluentBitNs = this.cluster.addManifest('FluentBitNamespace', {
+ apiVersion: 'v1',
+ kind: 'Namespace',
+ metadata: { name: 'fluent-bit' },
+ });
+ const fluentBitSa = this.cluster.addServiceAccount('FluentBitServiceAccount', {
+ name: 'fluent-bit-sa',
+ namespace: 'fluent-bit',
+ });
+ fluentBitSa.node.addDependency(fluentBitNs); // Ensure the namespace created first
+
+ // Basic constructs for argo to be deployed into
+ const argoNs = this.cluster.addManifest('ArgoNameSpace', {
+ apiVersion: 'v1',
+ kind: 'Namespace',
+ metadata: { name: 'argo' },
+ });
+ const argoRunnerSa = this.cluster.addServiceAccount('ArgoRunnerServiceAccount', {
+ name: 'argo-runner-sa',
+ namespace: 'argo',
+ });
+ argoRunnerSa.node.addDependency(argoNs);
 }
 }
From e73fe9f7fe12786d3774619a0e42acc56efa8d94 Mon Sep 17 00:00:00 2001
From: Blayne Chard
Date: Fri, 20 Oct 2023 13:12:04 +1300
Subject: [PATCH 2/2] docs: update readme for connecting to new cluster (#203)
---
 README.md | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index a5ae58cd1..815fb9873 100644
--- a/README.md
+++ b/README.md
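Review bot: The doc comment on `configureEks()` in config/eks/cluster.ts does not say that each `addServiceAccount` call also provisions an IAM role whose trust is tied to that exact namespace/name pair (standard aws-cdk `eks.Cluster` behaviour, assuming that is what `this.cluster` is), which is the security-relevant reason these accounts are defined in CDK. I would add `// Creates an IAM role assumable only by system:serviceaccount:argo:argo-runner-sa; keep any policy attached to it least-privilege` above the `argoRunnerSa` call and the equivalent above `fluentBitSa`. The literals `'fluent-bit'` and `'argo'` are each typed twice, so hoisting them (e.g. `const ArgoNamespace = 'argo';`) keeps the Namespace manifest and the role's trust condition from drifting apart. The method also has no access modifier and is only called from the constructor, whose start lies outside this hunk; `private configureEks(): void {` would keep outside callers from invoking it a second time and failing on duplicate construct ids.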
@@ -33,12 +33,7 @@ Then to setup the cluster, only the first time using the cluster you need to run You will need a AWS CLI > 2.7.x ```bash - -# For Imagery maintainers you will already have the correct role so no role arn is needed. -aws eks update-kubeconfig --name Workflow --region ap-southeast-2 - -# For AWS Admin users you will need to find the correct EKS role to use -aws eks update-kubeconfig --name Workflow --region ap-southeast-2 --role-arn arn:aws:iam::... +aws eks update-kubeconfig --name Workflows --region ap-southeast-2 ``` to validate the cluster is connected, @@ -54,7 +49,7 @@ ip-255-100-39-100.ap-southeast-2.compute.internal Ready 7d v1.21 to make the cli access easier you can set the default namespace to `argo` ```bash -k config set-context --current --namespace=argo +k config set-context --current --namespace=argo ``` ## Submitting a job