Update EKS example
janekbaraniewski committed Jul 30, 2024
1 parent ed0dc00 commit 7a0cc70
Showing 2 changed files with 310 additions and 84 deletions.
148 changes: 84 additions & 64 deletions platform/integrations/_code/eks-pod-identity.sh
@@ -1,33 +1,39 @@
#!/bin/bash

# Variables
# Set up environment variables
export AWS_REGION="eu-central-1" # Replace with your actual AWS region if different
export CLUSTER_NAME="pod-identity-1" # Replace with your actual EKS cluster name if different
export NODE_INSTANCE_TYPE="t3.medium" # Replace with your actual instance type if different
export KEY_NAME="pod-identity-1-instance" # Replace with your actual key name if different
export SERVICE_ACCOUNT_NAME="demo-sa" # Replace with your actual service account name if different
export SERVICE_ACCOUNT_NAMESPACE="default" # Replace with your actual namespace if different
export VCLUSTER_NAME="my-vcluster" # Replace with your actual vCluster name if different
export HOST="https://your.host.com" # Replace with your actual host
export AUTH_TOKEN="..." # Replace with your actual auth token
export HOST=https://your.loft.host # Replace with your actual host
export AUTH_TOKEN=abcd1234 # Replace with your actual auth token
export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
export SA_ROLE_NAME="AmazonEKSTFEBSCSIRole-${CLUSTER_NAME}"

# Function to get the KSA name using curl
# Define the function to get the KSA name using curl
get_ksa_name() {
local vcluster_ksa_name=$1
local vcluster_ksa_namespace=$2
local vcluster_name=$3
local host=$4
local auth_token=$5

local resource_path="/kubernetes/management/apis/management.loft.sh/v1/translatevclusterresourcenames"
local host_with_scheme=$([[ $HOST =~ ^(http|https):// ]] && echo "$HOST" || echo "https://$HOST")
local host_with_scheme=$([[ $host =~ ^(http|https):// ]] && echo "$host" || echo "https://$host")
local sanitized_host="${host_with_scheme%/}"
local full_url="${sanitized_host}${resource_path}"

local response=$(curl -s -k -X POST "$full_url" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${AUTH_TOKEN}" \
-H "Authorization: Bearer ${auth_token}" \
-d @- <<EOF
{
"spec": {
"name": "${SERVICE_ACCOUNT_NAME}",
"namespace": "${SERVICE_ACCOUNT_NAMESPACE}",
"vclusterName": "${VCLUSTER_NAME}"
"name": "${vcluster_ksa_name}",
"namespace": "${vcluster_ksa_namespace}",
"vclusterName": "${vcluster_name}"
}
}
EOF
Expand All @@ -42,40 +48,43 @@ EOF
}

# Get the KSA name
KSA_NAME=$(get_ksa_name)
KSA_NAME=$(get_ksa_name "$SERVICE_ACCOUNT_NAME" "$SERVICE_ACCOUNT_NAMESPACE" "$VCLUSTER_NAME" "$HOST" "$AUTH_TOKEN")

# Create EKS cluster using eksctl
eksctl create cluster \
--name ${CLUSTER_NAME} \
--version 1.29 \
--region ${AWS_REGION} \
--nodegroup-name ${CLUSTER_NAME}-ng \
--node-type ${NODE_INSTANCE_TYPE} \
--nodes 2 \
--nodes-min 1 \
--nodes-max 3 \
--managed

# Create IAM role for the EBS CSI driver
aws iam create-role \
--role-name AmazonEKSTFEBSCSIRole-${CLUSTER_NAME} \
--assume-role-policy-document file://trust-policy.json

aws iam attach-role-policy \
--role-name AmazonEKSTFEBSCSIRole-${CLUSTER_NAME} \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy

# Create service account for the EBS CSI driver
--node-type ${NODE_INSTANCE_TYPE}

# Associate IAM OIDC provider with the EKS cluster
eksctl utils associate-iam-oidc-provider --region=${AWS_REGION} --cluster=${CLUSTER_NAME} --approve

# Create IAM role for the EBS CSI driver and associate policy
eksctl create iamserviceaccount \
--name ebs-csi-controller-sa \
--namespace kube-system \
--cluster ${CLUSTER_NAME} \
--attach-role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/AmazonEKSTFEBSCSIRole-${CLUSTER_NAME} \
--attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
--approve \
--override-existing-serviceaccounts
--role-only \
--role-name ${SA_ROLE_NAME} \
--region ${AWS_REGION}

# Install the AWS EBS CSI driver as an EKS managed add-on
eksctl create addon \
--name aws-ebs-csi-driver \
--cluster ${CLUSTER_NAME} \
--service-account-role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/${SA_ROLE_NAME} \
--region ${AWS_REGION} \
--force

# Deploy EKS Pod Identity Webhook
aws eks create-addon --region ${AWS_REGION} --cluster-name ${CLUSTER_NAME} --addon-name eks-pod-identity-agent --addon-version v1.0.0-eksbuild.1

# Wait for EKS Pod Identity Webhook to be up and running
sleep 60

# Deploy EBS CSI driver
kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/ecr/?ref=master"
kubectl get pods -n kube-system | grep 'eks-pod-identity-webhook'

# Create vcluster.yaml content dynamically
cat <<EOF > vcluster.yaml
Expand All @@ -85,14 +94,11 @@ sync:
enabled: true
EOF

# Deploy vcluster using Helm
helm repo add loft-sh https://charts.loft.sh
helm repo update
# Deploy vcluster using vcluster-cli
vcluster create ${VCLUSTER_NAME} --namespace ${VCLUSTER_NAME} -f vcluster.yaml

helm install ${VCLUSTER_NAME} loft-sh/vcluster --namespace ${VCLUSTER_NAME} --create-namespace -f vcluster.yaml

# Wait for vcluster to be ready
kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=vcluster --timeout=600s -n ${VCLUSTER_NAME}
# Connect to the vCluster
vcluster connect ${VCLUSTER_NAME}

# Create example-workload.yaml content dynamically
cat <<EOF > example-workload.yaml
Expand Down Expand Up @@ -127,30 +133,44 @@ spec:
name: aws-pod
EOF

# Connect to vcluster and apply example workload
vcluster connect ${VCLUSTER_NAME} -n ${VCLUSTER_NAME} -- kubectl apply -f example-workload.yaml
cat >my-policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::*"
}
]
}
EOF

# Create IAM role for pod identity
aws iam create-role \
--role-name eks-pod-identity-example \
--assume-role-policy-document file://assume-role-policy.json
aws iam create-policy --policy-name my-policy --policy-document file://my-policy.json

aws iam attach-role-policy \
--role-name eks-pod-identity-example \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
cat >trust-relationship.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
"Effect": "Allow",
"Principal": {
"Service": "pods.eks.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
EOF

# Associate IAM role with EKS service account
eksctl create iamidentitymapping \
--cluster ${CLUSTER_NAME} \
--namespace ${SERVICE_ACCOUNT_NAMESPACE} \
--service-account ${KSA_NAME} \
--arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/eks-pod-identity-example \
--approve

# Annotate Kubernetes service account
kubectl annotate serviceaccount \
--namespace ${SERVICE_ACCOUNT_NAMESPACE} \
${SERVICE_ACCOUNT_NAME} \
eks.amazonaws.com/role-arn=arn:aws:iam::${AWS_ACCOUNT_ID}:role/eks-pod-identity-example

echo "Setup complete."
aws iam create-role --role-name my-role --assume-role-policy-document file://trust-relationship.json --description "my-role-description"

aws iam attach-role-policy --role-name my-role --policy-arn=arn:aws:iam::${AWS_ACCOUNT_ID}:policy/my-policy

aws eks create-pod-identity-association --cluster-name ${CLUSTER_NAME} --role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/my-role --namespace ${VCLUSTER_NAME} --service-account ${KSA_NAME}

kubectl logs -l app=s3-list-buckets -n default
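Review bot: The translate-name request in get_ksa_name still runs as `curl -s -k`, which disables TLS certificate verification while the same request sends `Authorization: Bearer ${auth_token}` to `$host`, so the management token is exposed to anyone who can interpose on that connection; drop `-k` (or pass the host's CA with `--cacert`) and let HTTP errors fail the call, e.g. `local response; response=$(curl -sSf -X POST "$full_url" \` with the remaining `-H`/`-d` lines unchanged, then `|| return 1` after the heredoc. Because the script never sets `set -e` and `KSA_NAME=$(get_ksa_name ...)` is not checked, an empty or error response currently flows straight into `aws eks create-pod-identity-association ... --service-account ${KSA_NAME}` at the end of the section; a `[[ -n "$KSA_NAME" ]] || { echo "failed to resolve KSA name" >&2; exit 1; }` right after the assignment would stop that. The part of get_ksa_name that reads the response is collapsed between the first and second hunks, so how it handles a failed curl is not visible here. Separately, `my-policy.json` grants only `s3:GetObject` on `arn:aws:s3:::*`, while the workload is selected with `app=s3-list-buckets`; if that pod really lists buckets it would also need `s3:ListAllMyBuckets`, which I cannot confirm because example-workload.yaml is collapsed in this view.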