├── Terraform ├── outputs.tf ├── data.tf ├── variables.tf ├── modules │ ├── ecr │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── main.tf │ ├── vpc │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── main.tf │ ├── eks │ │ ├── data.tf │ │ ├── variables.tf │ │ ├── provider.tf │ │ ├── outputs.tf │ │ └── main.tf │ └── helm │ │ ├── main.tf │ │ └── variables.tf ├── ecr.tf ├── iam.tf ├── provider.tf ├── eks.tf ├── vpc.tf └── helm.tf ├── GitOps ├── apps │ ├── values.yaml │ ├── resource │ │ ├── go │ │ │ └── resource.yaml │ │ └── spring │ │ │ └── resource.yaml │ ├── templates │ │ ├── ingress.yaml │ │ └── server.yaml │ └── Chart.yaml ├── server │ ├── values.yaml │ ├── templates │ │ ├── Service.yaml │ │ └── Deployment.yaml │ └── Chart.yaml └── deploy │ ├── Chart.yaml │ └── templates │ └── template.yaml ├── Spring ├── src │ ├── main │ │ ├── resources │ │ │ └── application.properties │ │ └── java │ │ │ └── com │ │ │ └── example │ │ │ └── spring │ │ │ ├── Application.java │ │ │ └── controller │ │ │ └── HealthController.java │ └── test │ │ └── java │ │ └── com │ │ └── example │ │ └── spring │ │ └── ApplicationTests.java ├── settings.gradle ├── gradle │ └── wrapper │ │ ├── gradle-wrapper.jar │ │ └── gradle-wrapper.properties ├── Dockerfile ├── .gitignore ├── build.gradle ├── gradlew.bat └── gradlew ├── k8s ├── helm-charts │ ├── argo-cd │ │ ├── .helmignore │ │ ├── values.yaml │ │ ├── Chart.yaml │ │ └── templates │ │ │ └── ingress.yaml │ ├── aws-load-balancer-controller │ │ ├── ci │ │ │ ├── extra_args │ │ │ └── values.yaml │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── pdb.yaml │ │ │ ├── serviceaccount.yaml │ │ │ ├── servicemonitor.yaml │ │ │ ├── service.yaml │ │ │ ├── ingressclass.yaml │ │ │ ├── rbac.yaml │ │ │ ├── _helpers.tpl │ │ │ ├── webhook.yaml │ │ │ └── deployment.yaml │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── values.yaml │ │ ├── crds │ │ │ └── crds.yaml │ │ └── README.md │ └── application │ │ ├── Chart.yaml │ │ ├── values.yaml │ │ ├── .helmignore │ │ └── templates │ │ └── argocd-application.yaml └── apps │ └── kube-prometheus-stack │ └── Chart.yaml ├── Go ├── main ├── Dockerfile └── main.go ├── Architecture └── msa-architecture.png ├── README.md ├── .gitignore └── .github └── workflows ├── Gh-Pages-Repository.yml ├── Go-CI.yml └── Spring-CI.yml /Terraform/outputs.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Terraform/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_region" "current" {} -------------------------------------------------------------------------------- /GitOps/apps/values.yaml: -------------------------------------------------------------------------------- 1 | spec: 2 | namespace: default -------------------------------------------------------------------------------- /Spring/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Spring/settings.gradle: -------------------------------------------------------------------------------- 1 | rootProject.name = 'Spring' 2 | -------------------------------------------------------------------------------- /k8s/helm-charts/argo-cd/.helmignore: -------------------------------------------------------------------------------- 1 | /*.tgz 2 | output 3 | ci/ 4 | *.gotmpl 5 | -------------------------------------------------------------------------------- /Go/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Junho-06/MSA-Architecture-Practice/HEAD/Go/main -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/ci/extra_args: -------------------------------------------------------------------------------- 1 | --set clusterName=k8s-ci-cluster 2 | -------------------------------------------------------------------------------- /Go/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM golang:alpine 2 | 3 | ADD . . 4 | 5 | RUN go build main.go 6 | 7 | CMD ["./main"] -------------------------------------------------------------------------------- /k8s/helm-charts/argo-cd/values.yaml: -------------------------------------------------------------------------------- 1 | argo-cd: 2 | configs: 3 | params: 4 | server.insecure: true -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | AWS Load Balancer controller installed! 2 | -------------------------------------------------------------------------------- /Terraform/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | type = string 3 | description = "default region" 4 | } -------------------------------------------------------------------------------- /Terraform/modules/ecr/outputs.tf: -------------------------------------------------------------------------------- 1 | output "ecr_repository_url" { 2 | value = aws_ecr_repository.repo.repository_url 3 | } -------------------------------------------------------------------------------- /Architecture/msa-architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Junho-06/MSA-Architecture-Practice/HEAD/Architecture/msa-architecture.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # MSA-Architecture-Practice 2 | 3 | MSA Infrastructure Architecture 를 구상 / 구성 해봅니다. 4 | 5 | ![image](Architecture/msa-architecture.png) -------------------------------------------------------------------------------- /Spring/gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Junho-06/MSA-Architecture-Practice/HEAD/Spring/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /k8s/helm-charts/application/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: application 3 | description: argo-cd study application 4 | type: application 5 | version: 0.1.10 6 | appVersion: "1.0.0" -------------------------------------------------------------------------------- /Spring/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM openjdk:17-alpine 2 | 3 | EXPOSE 8080 4 | 5 | ARG JAR_FILE=build/libs/Spring-0.0.1-SNAPSHOT.jar 6 | ADD ${JAR_FILE} ./Spring-0.0.1.jar 7 | 8 | ENTRYPOINT ["java", "-jar", "/Spring-0.0.1.jar"] -------------------------------------------------------------------------------- /k8s/helm-charts/argo-cd/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: v2.3.4 3 | name: argo-cd 4 | description: study argo-cd chart 5 | version: 0.1.22 6 | dependencies: 7 | - name: argo-cd 8 | version: 5.45.0 9 | repository: https://argoproj.github.io/argo-helm -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/ci/values.yaml: -------------------------------------------------------------------------------- 1 | # CI testing values for aws-load-balancer-controller 2 | 3 | region: us-west-2 4 | image: 5 | repository: public.ecr.aws/eks/aws-load-balancer-controller 6 | tag: v2.4.5 7 | pullPolicy: Always 8 | -------------------------------------------------------------------------------- /Terraform/modules/ecr/variables.tf: -------------------------------------------------------------------------------- 1 | variable "name" { 2 | type = string 3 | description = "ecr repository name" 4 | } 5 | 6 | variable "is_scan_on_push" { 7 | type = bool 8 | description = "default is true" 9 | default = true 10 | } -------------------------------------------------------------------------------- /Terraform/modules/vpc/outputs.tf: -------------------------------------------------------------------------------- 1 | output "vpc_id" { 2 | value = module.vpc.vpc_id 3 | } 4 | 5 | output "public_subnet_ids" { 6 | value = module.vpc.public_subnets 7 | } 8 | 9 | output "private_subnet_ids" { 10 | value = module.vpc.private_subnets 11 | } -------------------------------------------------------------------------------- /GitOps/server/values.yaml: -------------------------------------------------------------------------------- 1 | config: 2 | replicas: 1 3 | service_name: null 4 | imageTag: null 5 | containerPort: null 6 | prefix: null 7 | volume_name: null 8 | volume_mount_path: null 9 | volume_secret_name: null 10 | volume_secret_namespace: null -------------------------------------------------------------------------------- /Terraform/modules/ecr/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_ecr_repository" "repo" { 2 | name = var.name 3 | image_tag_mutability = "MUTABLE" 4 | force_delete = true 5 | 6 | image_scanning_configuration { 7 | scan_on_push = var.is_scan_on_push 8 | } 9 | } -------------------------------------------------------------------------------- /GitOps/apps/resource/go/resource.yaml: -------------------------------------------------------------------------------- 1 | config: 2 | volume: 3 | name: null 4 | mountPath: null 5 | secretName: null 6 | serviceAccount: null 7 | replicas: 1 8 | service_name: go 9 | imageTag: aebe713785fa8d4e180877574d6ad7d93c784460 10 | containerPort: 8080 11 | prefix: /go 12 | -------------------------------------------------------------------------------- /GitOps/apps/resource/spring/resource.yaml: -------------------------------------------------------------------------------- 1 | config: 2 | volume: 3 | name: null 4 | mountPath: null 5 | secretName: null 6 | serviceAccount: null 7 | replicas: 1 8 | service_name: spring 9 | imageTag: aebe713785fa8d4e180877574d6ad7d93c784460 10 | containerPort: 8080 11 | prefix: /spring 12 | -------------------------------------------------------------------------------- /Spring/gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionBase=GRADLE_USER_HOME 2 | distributionPath=wrapper/dists 3 | distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip 4 | networkTimeout=10000 5 | validateDistributionUrl=true 6 | zipStoreBase=GRADLE_USER_HOME 7 | zipStorePath=wrapper/dists 8 | -------------------------------------------------------------------------------- /Spring/src/test/java/com/example/spring/ApplicationTests.java: -------------------------------------------------------------------------------- 1 | package com.example.spring; 2 | 3 | import org.junit.jupiter.api.Test; 4 | import org.springframework.boot.test.context.SpringBootTest; 5 | 6 | @SpringBootTest 7 | class ApplicationTests { 8 | 9 | @Test 10 | void contextLoads() { 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /Terraform/modules/eks/data.tf: -------------------------------------------------------------------------------- 1 | # data "aws_eks_cluster" "cluster" { 2 | # name = module.eks.cluster_name 3 | # } 4 | 5 | # data "aws_eks_cluster_auth" "cluster" { 6 | # name = module.eks.cluster_name 7 | # } 8 | 9 | # data "aws_caller_identity" "current" {} 10 | # data "aws_partition" "current" {} 11 | # data "aws_availability_zones" "available" {} -------------------------------------------------------------------------------- /Terraform/modules/vpc/variables.tf: -------------------------------------------------------------------------------- 1 | variable "name_prefix" { 2 | type = string 3 | } 4 | 5 | variable "vpc_cidr" { 6 | type = string 7 | } 8 | 9 | variable "azs" { 10 | type = list(string) 11 | } 12 | 13 | variable "public_subnets" { 14 | type = list(string) 15 | } 16 | 17 | variable "private_subnets" { 18 | type = list(string) 19 | } -------------------------------------------------------------------------------- /Terraform/modules/helm/main.tf: -------------------------------------------------------------------------------- 1 | resource "helm_release" "this" { 2 | name = var.name 3 | namespace = try(var.namespace) 4 | repository = var.repository 5 | chart = var.chart 6 | version = var.chart_version 7 | 8 | replace = var.replace 9 | cleanup_on_fail = var.cleanup_on_fail 10 | create_namespace = var.create_namespace 11 | } -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ### Terraform ### 2 | **/.terraform/* 3 | 4 | .terraform.lock.hcl 5 | **/.terraform.lock.hcl 6 | 7 | *.tfstate 8 | *.tfstate.* 9 | 10 | crash.log 11 | crash.*.log 12 | 13 | *.tfvars 14 | *.tfvars.json 15 | 16 | override.tf 17 | override.tf.json 18 | *_override.tf 19 | *_override.tf.json 20 | 21 | .terraformrc 22 | terraform.rc 23 | 24 | 25 | **/*.drawio.bkp -------------------------------------------------------------------------------- /Terraform/modules/eks/variables.tf: -------------------------------------------------------------------------------- 1 | variable "name_prefix" { 2 | } 3 | variable "cluster_version" { 4 | } 5 | variable "vpc_id" { 6 | } 7 | variable "private_subnets" { 8 | } 9 | variable "instance_type" { 10 | } 11 | variable "capacity_type" { 12 | } 13 | 14 | variable "nodegroup_min_size" { 15 | } 16 | variable "nodegroup_max_size" { 17 | } 18 | variable "nodegroup_desired_size" { 19 | } -------------------------------------------------------------------------------- /k8s/helm-charts/application/values.yaml: -------------------------------------------------------------------------------- 1 | projects: 2 | - name: application 3 | applications: 4 | - name: application 5 | namespace: argocd 6 | source: 7 | path: GitOps/deploy 8 | repoURL: https://github.com/Junho-06/MSA-Architecture-Practice.git 9 | syncPolicy: 10 | automated: 11 | prune: true 12 | selfHeal: true -------------------------------------------------------------------------------- /Spring/src/main/java/com/example/spring/Application.java: -------------------------------------------------------------------------------- 1 | package com.example.spring; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class Application { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(Application.class, args); 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /Terraform/ecr.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | ecr_names = { 3 | msa_ecr_go_registry = "msa_ecr_go_registry", 4 | msa_ecr_spring_registry = "msa_ecr_spring_registry" 5 | } 6 | region = "ap-northeast-2" 7 | } 8 | 9 | module "ecr" { 10 | source = "./modules/ecr" 11 | 12 | for_each = local.ecr_names 13 | name = each.value 14 | } 15 | 16 | output "ecr_url" { 17 | value = [ 18 | for v in module.ecr : v.ecr_repository_url 19 | ] 20 | } -------------------------------------------------------------------------------- /Terraform/iam.tf: -------------------------------------------------------------------------------- 1 | module "load_balancer_controller_irsa_role" { 2 | source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" 3 | role_name = "load-balancer-controller" 4 | attach_load_balancer_controller_policy = true 5 | oidc_providers = { 6 | ex = { 7 | provider_arn = module.eks.oidc_provider_arn 8 | namespace_service_accounts = ["kube-system:aws-load-balancer-controller"] 9 | } 10 | } 11 | } -------------------------------------------------------------------------------- /Terraform/provider.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = "5.15.0" 6 | } 7 | helm = { 8 | source = "hashicorp/helm" 9 | version = "2.11.0" 10 | } 11 | } 12 | cloud { 13 | hostname = "app.terraform.io" 14 | organization = "solo-study" 15 | workspaces { 16 | name = "msa-practice" 17 | } 18 | } 19 | } 20 | 21 | 22 | provider "aws" { 23 | region = var.region 24 | } -------------------------------------------------------------------------------- /k8s/helm-charts/application/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | crds/kustomization.yaml 25 | test.yaml 26 | -------------------------------------------------------------------------------- /Terraform/eks.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | cluster_version = "1.27" 3 | node_type = "t3.small" 4 | capacity_type = "ON_DEMAND" 5 | } 6 | 7 | module "eks" { 8 | source = "./modules/eks" 9 | 10 | name_prefix = local.name_prefix 11 | cluster_version = local.cluster_version 12 | instance_type = local.node_type 13 | capacity_type = local.capacity_type 14 | 15 | vpc_id = module.vpc.vpc_id 16 | private_subnets = module.vpc.private_subnet_ids 17 | 18 | nodegroup_min_size = 1 19 | nodegroup_max_size = 5 20 | nodegroup_desired_size = 2 21 | } -------------------------------------------------------------------------------- /Terraform/modules/helm/variables.tf: -------------------------------------------------------------------------------- 1 | variable "repository" { 2 | type = string 3 | } 4 | variable "name" { 5 | type = string 6 | } 7 | variable "namespace" { 8 | type = string 9 | default = "default" 10 | } 11 | variable "chart" { 12 | type = string 13 | } 14 | variable "chart_version" { 15 | type = string 16 | } 17 | variable "replace" { 18 | type = bool 19 | default = true 20 | } 21 | variable "cleanup_on_fail" { 22 | type = bool 23 | default = true 24 | } 25 | variable "create_namespace" { 26 | type = bool 27 | default = true 28 | } -------------------------------------------------------------------------------- /Terraform/vpc.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | name_prefix = "msa" 3 | azs = ["${data.aws_region.current.name}a", "${data.aws_region.current.name}b"] 4 | public_subnets = ["10.0.0.0/24", "10.0.16.0/24"] 5 | private_subnets = ["10.0.32.0/24", "10.0.64.0/24"] 6 | vpc_cidr = "10.0.0.0/16" 7 | } 8 | 9 | module "vpc" { 10 | source = "./modules/vpc" 11 | 12 | vpc_cidr = local.vpc_cidr 13 | azs = local.azs 14 | private_subnets = local.private_subnets 15 | public_subnets = local.public_subnets 16 | name_prefix = local.name_prefix 17 | } -------------------------------------------------------------------------------- /GitOps/server/templates/Service.yaml: -------------------------------------------------------------------------------- 1 | {{- $fullname := (printf "%s" .Values.name) }} 2 | 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ $fullname }} 7 | labels: 8 | app: {{ $fullname }} 9 | project: {{ .Values.name }} 10 | spec: 11 | type: ClusterIP 12 | selector: 13 | app: {{ $fullname }} 14 | ports: 15 | - name: http 16 | port: 80 17 | targetPort: {{ .Values.containerPort }} 18 | protocol: TCP 19 | - name: port 20 | port: {{ .Values.containerPort }} 21 | targetPort: {{ .Values.containerPort }} 22 | protocol: TCP -------------------------------------------------------------------------------- /k8s/apps/kube-prometheus-stack/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: kube-prometheus-stack 3 | description: kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator. 4 | type: application 5 | version: 48.3.7 6 | appVersion: v0.66.0 7 | kubeVersion: ">=1.16.0-0" 8 | dependencies: 9 | - name: kube-prometheus-stack 10 | version: 51.2.0 11 | repository: https://prometheus-community.github.io/helm-charts -------------------------------------------------------------------------------- /Terraform/modules/eks/provider.tf: -------------------------------------------------------------------------------- 1 | provider "kubernetes" { 2 | host = data.aws_eks_cluster.cluster.endpoint 3 | cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) 4 | token = data.aws_eks_cluster_auth.cluster.token 5 | } 6 | 7 | provider "helm" { 8 | kubernetes { 9 | host = data.aws_eks_cluster.cluster.endpoint 10 | cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data) 11 | token = data.aws_eks_cluster_auth.cluster.token 12 | } 13 | } -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/templates/pdb.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.podDisruptionBudget (gt (int .Values.replicaCount) 1) }} 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ include "aws-load-balancer-controller.fullname" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} 9 | spec: 10 | selector: 11 | matchLabels: 12 | {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }} 13 | {{- toYaml .Values.podDisruptionBudget | nindent 2 }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /Spring/.gitignore: -------------------------------------------------------------------------------- 1 | HELP.md 2 | .gradle 3 | build/ 4 | !gradle/wrapper/gradle-wrapper.jar 5 | !**/src/main/**/build/ 6 | !**/src/test/**/build/ 7 | 8 | ### STS ### 9 | .apt_generated 10 | .classpath 11 | .factorypath 12 | .project 13 | .settings 14 | .springBeans 15 | .sts4-cache 16 | bin/ 17 | !**/src/main/**/bin/ 18 | !**/src/test/**/bin/ 19 | 20 | ### IntelliJ IDEA ### 21 | .idea 22 | *.iws 23 | *.iml 24 | *.ipr 25 | out/ 26 | !**/src/main/**/out/ 27 | !**/src/test/**/out/ 28 | 29 | ### NetBeans ### 30 | /nbproject/private/ 31 | /nbbuild/ 32 | /dist/ 33 | /nbdist/ 34 | /.nb-gradle/ 35 | 36 | ### VS Code ### 37 | .vscode/ 38 | -------------------------------------------------------------------------------- /Spring/src/main/java/com/example/spring/controller/HealthController.java: -------------------------------------------------------------------------------- 1 | package com.example.spring.controller; 2 | 3 | import org.springframework.http.HttpStatus; 4 | import org.springframework.http.ResponseEntity; 5 | import org.springframework.web.bind.annotation.GetMapping; 6 | import org.springframework.web.bind.annotation.RequestMapping; 7 | import org.springframework.web.bind.annotation.RestController; 8 | 9 | @RestController 10 | @RequestMapping 11 | public class HealthController { 12 | 13 | @GetMapping("/healthz") 14 | public ResponseEntity returnHealthStatus() { 15 | return new ResponseEntity<>(HttpStatus.OK); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /Go/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "encoding/json" 5 | "log" 6 | "net/http" 7 | ) 8 | 9 | func main() { 10 | handler := http.HandlerFunc(handleRequest) 11 | http.Handle("/healthz", handler) 12 | http.ListenAndServe(":8080", nil) 13 | } 14 | 15 | func handleRequest(w http.ResponseWriter, r *http.Request) { 16 | w.WriteHeader(http.StatusOK) 17 | w.Header().Set("Content-Type", "application/json") 18 | resp := make(map[string]string) 19 | resp["message"] = "Http Status OK" 20 | jsonResp, err := json.Marshal(resp) 21 | if err != nil { 22 | log.Fatalf("Error happened in JSON marshal. Err: %s", err) 23 | } 24 | w.Write(jsonResp) 25 | return 26 | } 27 | -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: v2.6.1 3 | description: AWS Load Balancer Controller Helm chart for Kubernetes 4 | home: https://github.com/aws/eks-charts 5 | icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png 6 | keywords: 7 | - eks 8 | - alb 9 | - load balancer 10 | - ingress 11 | - nlb 12 | maintainers: 13 | - email: kishorj@users.noreply.github.com 14 | name: kishorj 15 | url: https://github.com/kishorj 16 | - email: m00nf1sh@users.noreply.github.com 17 | name: m00nf1sh 18 | url: https://github.com/m00nf1sh 19 | name: aws-load-balancer-controller 20 | sources: 21 | - https://github.com/aws/eks-charts 22 | version: 1.6.4 23 | -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "aws-load-balancer-controller.serviceAccountName" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} 9 | {{- with .Values.serviceAccount.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} 14 | {{- with .Values.serviceAccount.imagePullSecrets }} 15 | imagePullSecrets: 16 | {{ toYaml . }} 17 | {{- end }} 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- /Terraform/modules/eks/outputs.tf: -------------------------------------------------------------------------------- 1 | output "cluster_id" { 2 | value = module.eks.cluster_id 3 | } 4 | 5 | output "cluster_primary_security_group_id" { 6 | value = module.eks.cluster_primary_security_group_id 7 | } 8 | 9 | output "cluster_name" { 10 | value = module.eks.cluster_name 11 | } 12 | 13 | output "oidc_provider_arn" { 14 | value = module.eks.oidc_provider_arn 15 | } 16 | 17 | output "iam_role_arn" { 18 | value = module.eks.eks_managed_node_groups["initial"].iam_role_arn 19 | } 20 | 21 | output "cluster_endpoint" { 22 | value = data.aws_eks_cluster.cluster.endpoint 23 | } 24 | 25 | output "cluster_ca_certificate" { 26 | value = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data) 27 | } 28 | 29 | output "cluster_auth_token" { 30 | value = data.aws_eks_cluster_auth.cluster.token 31 | } -------------------------------------------------------------------------------- /k8s/helm-charts/argo-cd/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | annotations: 5 | alb.ingress.kubernetes.io/healthcheck-path: / 6 | alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 7 | alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80}]' 8 | alb.ingress.kubernetes.io/scheme: internet-facing 9 | alb.ingress.kubernetes.io/target-type: ip 10 | kubernetes.io/ingress.class: alb 11 | finalizers: 12 | - ingress.k8s.aws/resources 13 | name: argocd-ingress # 인그레스 이름 정하기 14 | namespace: argocd # 설치할 네임스페이스 15 | spec: 16 | rules: 17 | - http: 18 | paths: 19 | - path: / 20 | backend: 21 | service: 22 | name: argo-cd-argocd-server # 연결할 서비스 (이부분은 고정) 23 | port: 24 | number: 80 # (이부분도 고정) 25 | pathType: Prefix -------------------------------------------------------------------------------- /Spring/build.gradle: -------------------------------------------------------------------------------- 1 | plugins { 2 | id 'java' 3 | id 'org.springframework.boot' version '3.1.3' 4 | id 'io.spring.dependency-management' version '1.1.3' 5 | } 6 | 7 | group = 'com.example' 8 | version = '0.0.1-SNAPSHOT' 9 | 10 | java { 11 | sourceCompatibility = '17' 12 | } 13 | 14 | configurations { 15 | compileOnly { 16 | extendsFrom annotationProcessor 17 | } 18 | } 19 | 20 | repositories { 21 | mavenCentral() 22 | } 23 | 24 | dependencies { 25 | implementation 'org.springframework.boot:spring-boot-starter-web' 26 | compileOnly 'org.projectlombok:lombok' 27 | annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor' 28 | annotationProcessor 'org.projectlombok:lombok' 29 | testImplementation 'org.springframework.boot:spring-boot-starter-test' 30 | } 31 | 32 | tasks.named('test') { 33 | useJUnitPlatform() 34 | } 35 | -------------------------------------------------------------------------------- /Terraform/modules/vpc/main.tf: -------------------------------------------------------------------------------- 1 | module "vpc" { 2 | source = "terraform-aws-modules/vpc/aws" 3 | version = "~> 4.0" 4 | 5 | name = "${var.name_prefix}-vpc" 6 | cidr = var.vpc_cidr 7 | azs = var.azs 8 | 9 | public_subnets = var.public_subnets 10 | private_subnets = var.private_subnets 11 | 12 | enable_nat_gateway = true 13 | single_nat_gateway = true 14 | one_nat_gateway_per_az = false 15 | 16 | private_subnet_tags = { 17 | # kubernetes.io/role/internal-elb 태그 : load balancer controller 가 subnet을 찾을 수 있도록 18 | "kubernetes.io/role/internal-elb" = "1" 19 | } 20 | 21 | public_subnet_tags = { 22 | # kubernetes.io/role/elb 태그 : load balancer controller 가 subnet을 찾을 수 있도록 23 | "kubernetes.io/role/elb" = "1" 24 | } 25 | 26 | nat_gateway_tags = { 27 | Name = "${var.name_prefix}-nat" 28 | } 29 | 30 | igw_tags = { 31 | Name = "${var.name_prefix}-igw" 32 | } 33 | map_public_ip_on_launch = true 34 | } -------------------------------------------------------------------------------- /GitOps/apps/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | annotations: 5 | alb.ingress.kubernetes.io/healthcheck-path: / 6 | alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 7 | alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80}]' 8 | alb.ingress.kubernetes.io/scheme: internet-facing 9 | alb.ingress.kubernetes.io/target-type: ip 10 | kubernetes.io/ingress.class: alb 11 | finalizers: 12 | - ingress.k8s.aws/resources 13 | name: application-ingress 14 | namespace: default 15 | spec: 16 | rules: 17 | - http: 18 | paths: 19 | - path: /go 20 | pathType: Prefix 21 | backend: 22 | service: 23 | name: go 24 | port: 25 | number: 80 26 | - path: /spring 27 | pathType: Prefix 28 | backend: 29 | service: 30 | name: spring 31 | port: 32 | number: 80 33 | -------------------------------------------------------------------------------- /GitOps/apps/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: applications 3 | description: Applications 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 1.0.0 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | appVersion: "1.0" -------------------------------------------------------------------------------- /GitOps/deploy/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: applications 3 | description: Applications 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 1.0.0 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | appVersion: "1.0" -------------------------------------------------------------------------------- /GitOps/server/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: applications 3 | description: Applications 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 1.0.0 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | appVersion: "1.0" -------------------------------------------------------------------------------- /k8s/helm-charts/application/templates/argocd-application.yaml: -------------------------------------------------------------------------------- 1 | {{- range .Values.projects }} 2 | {{ $projectName := .name }} 3 | --- 4 | apiVersion: argoproj.io/v1alpha1 5 | kind: AppProject 6 | metadata: 7 | name: {{ $projectName }} 8 | namespace: argocd 9 | # Finalizer that ensures that project is not deleted until it is not referenced by any application 10 | finalizers: 11 | - resources-finalizer.argocd.argoproj.io 12 | spec: 13 | sourceRepos: 14 | - '*' 15 | destinations: 16 | - namespace: '*' 17 | server: '*' 18 | clusterResourceWhitelist: 19 | - group: '*' 20 | kind: '*' 21 | {{- range .applications }} 22 | --- 23 | apiVersion: argoproj.io/v1alpha1 24 | kind: Application 25 | metadata: 26 | name: {{ .name }} 27 | namespace: argocd 28 | spec: 29 | destination: 30 | namespace: {{ .namespace }} 31 | server: https://kubernetes.default.svc 32 | project: {{ $projectName }} 33 | source: 34 | path: {{ .source.path }} 35 | repoURL: {{ .source.repoURL }} 36 | targetRevision: HEAD 37 | syncPolicy: 38 | automated: 39 | prune: {{ .syncPolicy.automated.prune }} 40 | selfHeal: {{ .syncPolicy.automated.selfHeal }} 41 | {{- end }} 42 | {{- end }} -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/templates/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if.Values.serviceMonitor.enabled -}} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: {{ include "aws-load-balancer-controller.fullname" . }} 6 | {{- if .Values.serviceMonitor.namespace }} 7 | namespace: {{ .Values.serviceMonitor.namespace }} 8 | {{- else }} 9 | namespace: {{ .Release.Namespace | quote }} 10 | {{- end }} 11 | labels: 12 | {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} 13 | {{- with .Values.serviceMonitor.additionalLabels }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | spec: 17 | jobLabel: {{ .Release.Name }} 18 | namespaceSelector: 19 | matchNames: 20 | - {{ .Release.Namespace }} 21 | selector: 22 | matchLabels: 23 | {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }} 24 | matchExpressions: 25 | - key: prometheus.io/service-monitor 26 | operator: NotIn 27 | values: 28 | - "false" 29 | endpoints: 30 | - port: metrics-server 31 | path: /metrics 32 | {{- with .Values.serviceMonitor.interval }} 33 | interval: {{ . }} 34 | {{- end }} 35 | {{- end -}} -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/templates/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if.Values.serviceMonitor.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "aws-load-balancer-controller.fullname" . }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.serviceAnnotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} 13 | spec: 14 | ports: 15 | - port: 8080 16 | name: metrics-server 17 | targetPort: metrics-server 18 | selector: 19 | {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 4 }} 20 | --- 21 | {{- end }} 22 | apiVersion: v1 23 | kind: Service 24 | metadata: 25 | name: {{ template "aws-load-balancer-controller.webhookService" . }} 26 | namespace: {{ .Release.Namespace }} 27 | {{- with .Values.serviceAnnotations }} 28 | annotations: 29 | {{- toYaml . | nindent 4 }} 30 | {{- end }} 31 | labels: 32 | {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} 33 | app.kubernetes.io/component: webhook 34 | prometheus.io/service-monitor: "false" 35 | spec: 36 | ports: 37 | - port: 443 38 | name: webhook-server 39 | targetPort: webhook-server 40 | selector: 41 | {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 4 }} 42 | -------------------------------------------------------------------------------- /GitOps/deploy/templates/template.yaml: -------------------------------------------------------------------------------- 1 | {{- $destination := "https://kubernetes.default.svc" }} 2 | {{- $repository := "https://github.com/Junho-06/MSA-Architecture-Practice.git" }} 3 | {{- $imageRegistry := "250832144271.dkr.ecr.ap-northeast-2.amazonaws.com" }} 4 | {{- $project := "application" }} 5 | {{- $namespace := "default" }} 6 | 7 | apiVersion: argoproj.io/v1alpha1 8 | kind: ApplicationSet 9 | metadata: 10 | name: applications 11 | namespace: argocd 12 | labels: 13 | layer: applications 14 | spec: 15 | template: 16 | metadata: 17 | name: 'application' 18 | spec: 19 | project: {{ $project }} 20 | destination: 21 | server: {{ $destination }} 22 | namespace: {{ $namespace }} 23 | source: 24 | path: GitOps/apps 25 | repoURL: {{ $repository }} 26 | targetRevision: HEAD 27 | helm: 28 | valueFiles: 29 | - 'values.yaml' 30 | values: | 31 | {{- $map := 32 | (dict "spec" 33 | (dict 34 | "project" $project 35 | "destination" 36 | (dict "server" $destination) 37 | "source" 38 | (dict "serverPath" "GitOps/server" "repoURL" $repository "targetRevision" "HEAD" "imageRegistry" $imageRegistry) 39 | ) 40 | ) 41 | }} 42 | {{- $map | toYaml | nindent 12 | toString }} 43 | syncPolicy: 44 | automated: 45 | prune: true 46 | selfHeal: true 47 | syncOptions: 48 | - Createnamespace=true -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/templates/ingressclass.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | [caution] AWSLoadBalancerController <= v2.4.2 expects referenced IngressClassParams to be created before IngressClass. 3 | We use a list here to force Helm create IngressClassParams(if any) before apply any IngressClass changes. 4 | */}} 5 | {{- if .Values.createIngressClassResource }} 6 | apiVersion: v1 7 | kind: List 8 | metadata: 9 | name: ingress-class 10 | items: 11 | {{- if .Values.ingressClassParams.create }} 12 | - apiVersion: elbv2.k8s.aws/v1beta1 13 | kind: IngressClassParams 14 | metadata: 15 | name: {{ include "aws-load-balancer-controller.ingressClassParamsName" . }} 16 | labels: 17 | {{- include "aws-load-balancer-controller.labels" . | nindent 6 }} 18 | {{- with .Values.ingressClassParams.spec }} 19 | spec: 20 | {{- toYaml . | nindent 4 }} 21 | {{- end }} 22 | {{- end }} 23 | - apiVersion: networking.k8s.io/v1 24 | kind: IngressClass 25 | metadata: 26 | name: {{ .Values.ingressClass }} 27 | labels: 28 | {{- include "aws-load-balancer-controller.labels" . | nindent 6 }} 29 | {{- if .Values.ingressClassConfig.default }} 30 | annotations: 31 | ingressclass.kubernetes.io/is-default-class: "true" 32 | {{- end }} 33 | spec: 34 | controller: ingress.k8s.aws/alb 35 | {{- if or .Values.ingressClassParams.name (and .Values.ingressClassParams.create .Values.ingressClassParams.spec) }} 36 | parameters: 37 | apiGroup: elbv2.k8s.aws 38 | kind: IngressClassParams 39 | name: {{ include "aws-load-balancer-controller.ingressClassParamsName" . }} 40 | {{- end }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /GitOps/apps/templates/server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: ApplicationSet 3 | metadata: 4 | name: '{{ .Values.spec.project }}-servers' 5 | namespace: argocd 6 | spec: 7 | generators: 8 | - git: 9 | repoURL: {{ .Values.spec.source.repoURL }} 10 | revision: HEAD 11 | files: 12 | - path: "GitOps/apps/resource/**/resource.yaml" 13 | template: 14 | metadata: 15 | name: '{{`{{ config.service_name }}`}}' 16 | labels: 17 | project: '{{`{{ config.service_name }}`}}' 18 | layer: server 19 | spec: 20 | project: {{ .Values.spec.project }} 21 | destination: 22 | server: {{ .Values.spec.destination.server }} 23 | namespace: {{ .Values.spec.namespace }} 24 | source: 25 | path: {{ .Values.spec.source.serverPath }} 26 | repoURL: {{ .Values.spec.source.repoURL }} 27 | targetRevision: {{ .Values.spec.source.targetRevision }} 28 | helm: 29 | values: |- 30 | name: '{{`{{ config.service_name }}`}}' 31 | imageRegistry: '{{ .Values.spec.source.imageRegistry }}' 32 | imageTag: '{{`{{ config.imageTag }}`}}' 33 | containerPort: '{{`{{ config.containerPort }}`}}' 34 | prefix: '{{`{{ config.prefix }}`}}' 35 | replicas: {{`{{ config.replicas }}`}} 36 | volume: 37 | name: '{{`{{ config.volume.name }}`}}' 38 | mountPath: '{{`{{ config.volume.mountPath }}`}}' 39 | secretName: '{{`{{ config.volume.secretName }}`}}' 40 | serviceAccount: '{{`{{ config.serviceAccount }}`}}' 41 | syncPolicy: 42 | automated: 43 | prune: true 44 | selfHeal: true -------------------------------------------------------------------------------- /Terraform/helm.tf: -------------------------------------------------------------------------------- 1 | provider "helm" { 2 | kubernetes { 3 | host = module.eks.cluster_endpoint 4 | cluster_ca_certificate = module.eks.cluster_ca_certificate 5 | token = module.eks.cluster_auth_token 6 | } 7 | } 8 | 9 | locals { 10 | helm-repository = "https://junho-06.github.io/MSA-Architecture-Practice" 11 | 12 | argocd-name = "argo-cd" 13 | argocd-version = "0.1.22" 14 | argocd-namespace = "argocd" 15 | 16 | application-name = "application" 17 | application-version = "0.1.10" 18 | 19 | aws-load-balancer-controller-name = "aws-load-balancer-controller" 20 | aws-load-balancer-controller-version = "1.6.4" 21 | aws-load-balancer-controller-namespace = "kube-system" 22 | } 23 | 24 | module "argo-cd" { 25 | source = "./modules/helm" 26 | name = local.argocd-name 27 | namespace = local.argocd-namespace 28 | repository = local.helm-repository 29 | chart = local.argocd-name 30 | chart_version = local.argocd-version 31 | 32 | create_namespace = true 33 | } 34 | 35 | module "application" { 36 | source = "./modules/helm" 37 | name = local.application-name 38 | namespace = local.argocd-namespace 39 | repository = local.helm-repository 40 | chart = local.application-name 41 | chart_version = local.application-version 42 | 43 | create_namespace = true 44 | } 45 | 46 | module "aws-load-balancer-controller" { 47 | source = "./modules/helm" 48 | name = local.aws-load-balancer-controller-name 49 | namespace = local.aws-load-balancer-controller-namespace 50 | repository = local.helm-repository 51 | chart = local.aws-load-balancer-controller-name 52 | chart_version = local.aws-load-balancer-controller-version 53 | 54 | create_namespace = true 55 | } -------------------------------------------------------------------------------- /.github/workflows/Gh-Pages-Repository.yml: -------------------------------------------------------------------------------- 1 | name: gh-pages-Repository 2 | on: 3 | push: 4 | branches: 5 | - main 6 | paths: 7 | - "k8s/helm-charts/**" 8 | 9 | workflow_dispatch: 10 | 11 | permissions: read-all 12 | 13 | jobs: 14 | publish: 15 | permissions: 16 | contents: write 17 | packages: write 18 | runs-on: ubuntu-latest 19 | steps: 20 | - name: Checkout 21 | uses: actions/checkout@v3.5.3 22 | with: 23 | fetch-depth: 0 24 | 25 | - name: Install Helm 26 | uses: azure/setup-helm@v3.5 27 | with: 28 | version: v3.10.1 29 | 30 | - name: Add helm repo 31 | run: | 32 | helm repo add argo https://argoproj.github.io/argo-helm 33 | helm repo add dandydeveloper https://dandydeveloper.github.io/charts/ 34 | 35 | - name: Helm build 36 | run: | 37 | changed_helm_packages=$(git diff --name-only HEAD~1 | grep '^k8s/helm-charts/' | cut -d/ -f1-3) 38 | 39 | while IFS=$'\n' read -r package_directory; do 40 | helm dependency build $package_directory 41 | helm package $package_directory 42 | done <<< "$changed_helm_packages" 43 | 44 | - name: checkout gh-pages branch and helm index 45 | run: | 46 | git checkout gh-pages -- 47 | helm repo index . 48 | 49 | - name: Commit The Chart Realease 50 | uses: stefanzweifel/git-auto-commit-action@v4 51 | with: 52 | commit_message: ${{ github.event.head_commit.message }} 53 | commit_options: '--no-verify --signoff' 54 | branch: gh-pages 55 | skip_checkout: true 56 | repository: . 57 | commit_user_name: Junho-06 58 | commit_user_email: ${{ secrets.commit_user_email }} 59 | commit_author: Junho-06 <${{ secrets.commit_user_email }}> -------------------------------------------------------------------------------- /GitOps/server/templates/Deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- $fullname := (printf "%s" .Values.name) }} 2 | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ $fullname }} 7 | labels: 8 | app: {{ $fullname }} 9 | project: {{ .Values.name }} 10 | spec: 11 | revisionHistoryLimit: 0 12 | {{- if .Values.replicas }} 13 | replicas: {{ .Values.replicas }} 14 | strategy: 15 | type: RollingUpdate 16 | rollingUpdate: 17 | maxSurge: 50% 18 | maxUnavailable: 50% 19 | {{- end }} 20 | selector: 21 | matchLabels: 22 | app: {{ $fullname }} 23 | template: 24 | metadata: 25 | annotations: 26 | sidecar.istio.io/proxyCPU: "5m" 27 | sidecar.istio.io/proxyMemory: "128Mi" 28 | labels: 29 | app: {{ $fullname }} 30 | project: {{ .Values.name }} 31 | spec: 32 | topologySpreadConstraints: 33 | - maxSkew: 1 34 | topologyKey: kubernetes.io/hostname 35 | whenUnsatisfiable: DoNotSchedule 36 | labelSelector: 37 | matchLabels: 38 | app: {{ $fullname }} 39 | {{- if ne .Values.serviceAccount "" }} 40 | serviceAccountName: {{ .Values.serviceAccount }} 41 | {{- end }} 42 | containers: 43 | - name: {{ $fullname }} 44 | image: {{ .Values.imageRegistry }}/msa_ecr_{{ .Values.name }}_registry:{{ .Values.imageTag }} 45 | imagePullPolicy: Always 46 | ports: 47 | - containerPort: {{ .Values.containerPort }} 48 | {{- if ne .Values.volume.name "" }} 49 | volumeMounts: 50 | - mountPath: {{ .Values.volume.mountPath }} 51 | name: {{ .Values.volume.name }} 52 | readOnly: true 53 | {{- end }} 54 | resources: 55 | requests: 56 | memory: "516Mi" 57 | cpu: "5m" 58 | {{- if ne .Values.volume.name "" }} 59 | volumes: 60 | - name: {{ .Values.volume.name }} 61 | secret: 62 | secretName: {{ .Values.volume.secretName }} 63 | {{- end }} -------------------------------------------------------------------------------- /Spring/gradlew.bat: -------------------------------------------------------------------------------- 1 | @rem 2 | @rem Copyright 2015 the original author or authors. 3 | @rem 4 | @rem Licensed under the Apache License, Version 2.0 (the "License"); 5 | @rem you may not use this file except in compliance with the License. 6 | @rem You may obtain a copy of the License at 7 | @rem 8 | @rem https://www.apache.org/licenses/LICENSE-2.0 9 | @rem 10 | @rem Unless required by applicable law or agreed to in writing, software 11 | @rem distributed under the License is distributed on an "AS IS" BASIS, 12 | @rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | @rem See the License for the specific language governing permissions and 14 | @rem limitations under the License. 15 | @rem 16 | 17 | @if "%DEBUG%"=="" @echo off 18 | @rem ########################################################################## 19 | @rem 20 | @rem Gradle startup script for Windows 21 | @rem 22 | @rem ########################################################################## 23 | 24 | @rem Set local scope for the variables with windows NT shell 25 | if "%OS%"=="Windows_NT" setlocal 26 | 27 | set DIRNAME=%~dp0 28 | if "%DIRNAME%"=="" set DIRNAME=. 29 | @rem This is normally unused 30 | set APP_BASE_NAME=%~n0 31 | set APP_HOME=%DIRNAME% 32 | 33 | @rem Resolve any "." and ".." in APP_HOME to make it shorter. 34 | for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi 35 | 36 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 37 | set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" 38 | 39 | @rem Find java.exe 40 | if defined JAVA_HOME goto findJavaFromJavaHome 41 | 42 | set JAVA_EXE=java.exe 43 | %JAVA_EXE% -version >NUL 2>&1 44 | if %ERRORLEVEL% equ 0 goto execute 45 | 46 | echo. 47 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 48 | echo. 49 | echo Please set the JAVA_HOME variable in your environment to match the 50 | echo location of your Java installation. 51 | 52 | goto fail 53 | 54 | :findJavaFromJavaHome 55 | set JAVA_HOME=%JAVA_HOME:"=% 56 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe 57 | 58 | if exist "%JAVA_EXE%" goto execute 59 | 60 | echo. 61 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 62 | echo. 63 | echo Please set the JAVA_HOME variable in your environment to match the 64 | echo location of your Java installation. 65 | 66 | goto fail 67 | 68 | :execute 69 | @rem Setup the command line 70 | 71 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar 72 | 73 | 74 | @rem Execute Gradle 75 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* 76 | 77 | :end 78 | @rem End local scope for the variables with windows NT shell 79 | if %ERRORLEVEL% equ 0 goto mainEnd 80 | 81 | :fail 82 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of 83 | rem the _cmd.exe /c_ return code! 84 | set EXIT_CODE=%ERRORLEVEL% 85 | if %EXIT_CODE% equ 0 set EXIT_CODE=1 86 | if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% 87 | exit /b %EXIT_CODE% 88 | 89 | :mainEnd 90 | if "%OS%"=="Windows_NT" endlocal 91 | 92 | :omega 93 | -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/templates/rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: {{ template "aws-load-balancer-controller.fullname" . }}-leader-election-role 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} 9 | rules: 10 | - apiGroups: [""] 11 | resources: [configmaps] 12 | verbs: [create] 13 | - apiGroups: [""] 14 | resources: [configmaps] 15 | resourceNames: [aws-load-balancer-controller-leader] 16 | verbs: [get, patch, update] 17 | - apiGroups: 18 | - "coordination.k8s.io" 19 | resources: 20 | - leases 21 | verbs: 22 | - create 23 | - apiGroups: 24 | - "coordination.k8s.io" 25 | resources: 26 | - leases 27 | resourceNames: 28 | - aws-load-balancer-controller-leader 29 | verbs: 30 | - get 31 | - update 32 | - patch 33 | --- 34 | apiVersion: rbac.authorization.k8s.io/v1 35 | kind: RoleBinding 36 | metadata: 37 | name: {{ template "aws-load-balancer-controller.fullname" . }}-leader-election-rolebinding 38 | namespace: {{ .Release.Namespace }} 39 | labels: 40 | {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} 41 | roleRef: 42 | apiGroup: rbac.authorization.k8s.io 43 | kind: Role 44 | name: {{ template "aws-load-balancer-controller.fullname" . }}-leader-election-role 45 | subjects: 46 | - kind: ServiceAccount 47 | name: {{ template "aws-load-balancer-controller.serviceAccountName" . }} 48 | namespace: {{ .Release.Namespace }} 49 | --- 50 | apiVersion: rbac.authorization.k8s.io/v1 51 | kind: ClusterRole 52 | metadata: 53 | name: {{ template "aws-load-balancer-controller.fullname" . }}-role 54 | labels: 55 | {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} 56 | rules: 57 | - apiGroups: ["elbv2.k8s.aws"] 58 | resources: [targetgroupbindings] 59 | verbs: [create, delete, get, list, patch, update, watch] 60 | - apiGroups: ["elbv2.k8s.aws"] 61 | resources: [ingressclassparams] 62 | verbs: [get, list, watch] 63 | - apiGroups: [""] 64 | resources: [events] 65 | verbs: [create, patch] 66 | - apiGroups: [""] 67 | resources: [pods] 68 | verbs: [get, list, watch] 69 | - apiGroups: ["networking.k8s.io"] 70 | resources: [ingressclasses] 71 | verbs: [get, list, watch] 72 | - apiGroups: ["", "extensions", "networking.k8s.io"] 73 | resources: [services, ingresses] 74 | verbs: [get, list, patch, update, watch] 75 | - apiGroups: [""] 76 | resources: [nodes, namespaces, endpoints] 77 | verbs: [get, list, watch] 78 | {{- if .Values.clusterSecretsPermissions.allowAllSecrets }} 79 | - apiGroups: [""] 80 | resources: [secrets] 81 | verbs: [get, list, watch] 82 | {{- end }} 83 | - apiGroups: ["elbv2.k8s.aws", "", "extensions", "networking.k8s.io"] 84 | resources: [targetgroupbindings/status, pods/status, services/status, ingresses/status] 85 | verbs: [update, patch] 86 | - apiGroups: ["discovery.k8s.io"] 87 | resources: [endpointslices] 88 | verbs: [get, list, watch] 89 | --- 90 | apiVersion: rbac.authorization.k8s.io/v1 91 | kind: ClusterRoleBinding 92 | metadata: 93 | name: {{ template "aws-load-balancer-controller.fullname" . }}-rolebinding 94 | labels: 95 | {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} 96 | roleRef: 97 | apiGroup: rbac.authorization.k8s.io 98 | kind: ClusterRole 99 | name: {{ template "aws-load-balancer-controller.fullname" . }}-role 100 | subjects: 101 | - kind: ServiceAccount 102 | name: {{ template "aws-load-balancer-controller.serviceAccountName" . }} 103 | namespace: {{ .Release.Namespace }} 104 | {{- end }} 105 | -------------------------------------------------------------------------------- /Terraform/modules/eks/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | cluster_name = "${var.name_prefix}-cluster" 3 | cluster_version = var.cluster_version 4 | region = "ap-northeast-2" 5 | vpc_id = var.vpc_id 6 | private_subnets = var.private_subnets 7 | current_username = element(split("/", data.aws_caller_identity.current.arn), 1) 8 | instance_type = var.instance_type 9 | capacity_type = var.capacity_type 10 | } 11 | 12 | module "eks" { 13 | source = "terraform-aws-modules/eks/aws" 14 | version = "19.16.0" 15 | 16 | cluster_name = local.cluster_name 17 | cluster_version = local.cluster_version 18 | 19 | cluster_endpoint_private_access = true 20 | cluster_endpoint_public_access = true 21 | 22 | vpc_id = local.vpc_id 23 | subnet_ids = local.private_subnets 24 | 25 | enable_irsa = true 26 | 27 | cluster_enabled_log_types = [] 28 | create_cloudwatch_log_group = false 29 | 30 | eks_managed_node_group_defaults = { 31 | instance_types = [local.instance_type] 32 | capacity_type = local.capacity_type 33 | } 34 | eks_managed_node_groups = { 35 | initial = { 36 | instance_types = [local.instance_type] 37 | create_security_group = false 38 | create_launch_template = true 39 | launch_template_name = "msa-default-lt" 40 | 41 | min_size = var.nodegroup_min_size 42 | max_size = var.nodegroup_max_size 43 | desired_size = var.nodegroup_desired_size 44 | 45 | iam_role_additional_policies = { 46 | ssm_managed_instance_core = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" 47 | } 48 | } 49 | } 50 | 51 | # Extend cluster security group rules 52 | cluster_security_group_additional_rules = { 53 | ingress_nodes_ephemeral_ports_tcp = { 54 | description = "To node 1025-65535" 55 | protocol = "tcp" 56 | from_port = 1025 57 | to_port = 65535 58 | type = "ingress" 59 | source_node_security_group = true 60 | } 61 | egress_nodes_ephemeral_ports_tcp = { 62 | description = "To node 1025-65535" 63 | protocol = "tcp" 64 | from_port = 1025 65 | to_port = 65535 66 | type = "egress" 67 | source_node_security_group = true 68 | } 69 | } 70 | 71 | # Extend node-to-node security group rules 72 | node_security_group_additional_rules = { 73 | ingress_self_all = { 74 | description = "Node to node all ports/protocols" 75 | protocol = "-1" 76 | from_port = 0 77 | to_port = 0 78 | type = "ingress" 79 | self = true 80 | } 81 | egress_all = { 82 | description = "Node all egress" 83 | protocol = "-1" 84 | from_port = 0 85 | to_port = 0 86 | type = "egress" 87 | cidr_blocks = ["0.0.0.0/0"] 88 | ipv6_cidr_blocks = ["::/0"] 89 | } 90 | } 91 | 92 | manage_aws_auth_configmap = true 93 | 94 | aws_auth_users = [ 95 | { 96 | userarn = data.aws_caller_identity.current.arn 97 | username = local.current_username 98 | groups = ["system:masters"] 99 | } 100 | ] 101 | 102 | aws_auth_accounts = [ 103 | data.aws_caller_identity.current.account_id 104 | ] 105 | } 106 | 107 | data "aws_eks_cluster" "cluster" { 108 | name = module.eks.cluster_name 109 | depends_on = [module.eks.cluster_name] 110 | } 111 | 112 | data "aws_eks_cluster_auth" "cluster" { 113 | name = module.eks.cluster_name 114 | } 115 | 116 | data "aws_caller_identity" "current" {} 117 | data "aws_partition" "current" {} 118 | data "aws_availability_zones" "available" {} -------------------------------------------------------------------------------- /.github/workflows/Go-CI.yml: -------------------------------------------------------------------------------- 1 | name: Go CI 2 | 3 | on: 4 | push: 5 | paths: 6 | - "Go/**" 7 | branches: [ "main" ] 8 | 9 | workflow_dispatch: 10 | 11 | jobs: 12 | build: 13 | runs-on: ubuntu-latest 14 | env: 15 | working_directory: ./Go 16 | 17 | steps: 18 | - uses: actions/checkout@v3 19 | 20 | - name: Set up Go 21 | uses: actions/setup-go@v4 22 | with: 23 | go-version: '1.20' 24 | 25 | - name: Build 26 | run: | 27 | cd ${{ env.working_directory }} 28 | go build main.go 29 | 30 | - name: Configure AWS Credentials 31 | uses: aws-actions/configure-aws-credentials@v2 32 | with: 33 | aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 34 | aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} 35 | aws-region: ${{ secrets.AWS_REGION }} 36 | 37 | - name: Login to Amazon ECR 38 | id: login-ecr 39 | uses: aws-actions/amazon-ecr-login@v1 40 | 41 | - name: Build, tag, and push docker image to Amazon ECR 42 | env: 43 | REGISTRY: ${{ steps.login-ecr.outputs.registry }} 44 | REPOSITORY: msa_ecr_go_registry 45 | IMAGE_TAG: ${{ github.sha }} 46 | run: | 47 | cd ${{ env.working_directory }} 48 | docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG . 49 | docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG 50 | 51 | - name: Set env 52 | id: set_env 53 | run: | 54 | echo "service_name=go" >> $GITHUB_ENV 55 | echo "service_prefix=/go" >> $GITHUB_ENV 56 | echo "image_tag=${{ github.sha }}" >> $GITHUB_ENV 57 | echo "service_port=8080" >> $GITHUB_ENV 58 | 59 | - name: Pull Commit 60 | run: git pull 61 | 62 | - name: Get config file path 63 | id: config-file 64 | working-directory: ${{ github.workspace }} 65 | run: | 66 | config_file_dir="./GitOps/apps/resource/${{ env.service_name }}" 67 | mkdir -p "$config_file_dir" 68 | 69 | config_file_path="$config_file_dir/resource.yaml" 70 | if [ ! -e "$config_file_path" ]; then 71 | echo "config file is not exists" 72 | touch "$config_file_path" 73 | yq eval ".config.volume.name = null | \ 74 | .config.volume.mountPath = null | \ 75 | .config.volume.secretName = null | \ 76 | .config.serviceAccount = null | \ 77 | .config.replicas = 1" -i $config_file_path 78 | else 79 | echo "config file is exists" 80 | fi 81 | 82 | echo "config_file_path=$config_file_path" >> $GITHUB_OUTPUT 83 | 84 | - name: Use yq to modify Config file 85 | working-directory: ${{ github.workspace }} 86 | run: | 87 | prefix='' 88 | if [ -n "${{ env.service_prefix }}" ] && [ "${{ env.service_prefix }}" != "null" ]; then 89 | prefix='.config.prefix = "${{ env.service_prefix }}"' 90 | else 91 | prefix='.config.prefix = null' 92 | fi 93 | 94 | yq eval -i ".config.service_name = \"${{ env.service_name }}\" | \ 95 | .config.imageTag = \"${{ env.image_tag }}\" | \ 96 | .config.containerPort = ${{ env.service_port }} | \ 97 | $prefix" -i ${{ steps.config-file.outputs.config_file_path }} 98 | 99 | - name: Commit The New Image Reference 100 | if: ${{ env.service_name && env.service_prefix && env.image_tag}} 101 | uses: stefanzweifel/git-auto-commit-action@v4 102 | with: 103 | commit_message: "update :: ${{ env.service_name }}: Deploy new image ${{ env.image_tag }}" 104 | branch: main 105 | commit_options: '--no-verify --signoff' 106 | repository: . 107 | commit_user_name: Junho-06 108 | commit_user_email: ${{ secrets.commit_user_email }} 109 | commit_author: Junho-06 <${{ secrets.commit_user_email }}> -------------------------------------------------------------------------------- /.github/workflows/Spring-CI.yml: -------------------------------------------------------------------------------- 1 | name: Spring CI 2 | 3 | on: 4 | push: 5 | paths: 6 | - "Spring/**" 7 | branches: [ "main" ] 8 | 9 | workflow_dispatch: 10 | 11 | jobs: 12 | build: 13 | runs-on: ubuntu-latest 14 | env: 15 | working_directory: ./Spring 16 | 17 | steps: 18 | - uses: actions/checkout@v3 19 | - name: Set up JDK 17 20 | uses: actions/setup-java@v3 21 | with: 22 | java-version: '17' 23 | distribution: 'temurin' 24 | cache: gradle 25 | 26 | - name: Setup Gradle 27 | uses: gradle/gradle-build-action@v2 28 | 29 | - name: Grant execute permission for gradlew & Build with Gradle 30 | run: | 31 | cd ${{ env.working_directory }} 32 | chmod +x ./gradlew 33 | ./gradlew clean build 34 | 35 | - name: Configure AWS Credentials 36 | uses: aws-actions/configure-aws-credentials@v2 37 | with: 38 | aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 39 | aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} 40 | aws-region: ${{ secrets.AWS_REGION }} 41 | 42 | - name: Login to Amazon ECR 43 | id: login-ecr 44 | uses: aws-actions/amazon-ecr-login@v1 45 | 46 | - name: Build, tag, and push docker image to Amazon ECR 47 | env: 48 | REGISTRY: ${{ steps.login-ecr.outputs.registry }} 49 | REPOSITORY: msa_ecr_spring_registry 50 | IMAGE_TAG: ${{ github.sha }} 51 | run: | 52 | cd ${{ env.working_directory }} 53 | docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG . 54 | docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG 55 | 56 | - name: Set env 57 | id: set_env 58 | run: | 59 | echo "service_name=spring" >> $GITHUB_ENV 60 | echo "service_prefix=/spring" >> $GITHUB_ENV 61 | echo "image_tag=${{ github.sha }}" >> $GITHUB_ENV 62 | echo "service_port=8080" >> $GITHUB_ENV 63 | 64 | - name: Pull Commit 65 | run: git pull 66 | 67 | - name: Get config file path 68 | id: config-file 69 | working-directory: ${{ github.workspace }} 70 | run: | 71 | config_file_dir="./GitOps/apps/resource/${{ env.service_name }}" 72 | mkdir -p "$config_file_dir" 73 | 74 | config_file_path="$config_file_dir/resource.yaml" 75 | if [ ! -e "$config_file_path" ]; then 76 | echo "config file is not exists" 77 | touch "$config_file_path" 78 | yq eval ".config.volume.name = null | \ 79 | .config.volume.mountPath = null | \ 80 | .config.volume.secretName = null | \ 81 | .config.serviceAccount = null | \ 82 | .config.replicas = 1" -i $config_file_path 83 | else 84 | echo "config file is exists" 85 | fi 86 | 87 | echo "config_file_path=$config_file_path" >> $GITHUB_OUTPUT 88 | 89 | - name: Use yq to modify Config file 90 | working-directory: ${{ github.workspace }} 91 | run: | 92 | prefix='' 93 | if [ -n "${{ env.service_prefix }}" ] && [ "${{ env.service_prefix }}" != "null" ]; then 94 | prefix='.config.prefix = "${{ env.service_prefix }}"' 95 | else 96 | prefix='.config.prefix = null' 97 | fi 98 | 99 | yq eval -i ".config.service_name = \"${{ env.service_name }}\" | \ 100 | .config.imageTag = \"${{ env.image_tag }}\" | \ 101 | .config.containerPort = ${{ env.service_port }} | \ 102 | $prefix" -i ${{ steps.config-file.outputs.config_file_path }} 103 | 104 | - name: Commit The New Image Reference 105 | if: ${{ env.service_name && env.service_prefix && env.image_tag}} 106 | uses: stefanzweifel/git-auto-commit-action@v4 107 | with: 108 | commit_message: "update :: ${{ env.service_name }}: Deploy new image ${{ env.image_tag }}" 109 | branch: main 110 | commit_options: '--no-verify --signoff' 111 | repository: . 112 | commit_user_name: Junho-06 113 | commit_user_email: ${{ secrets.commit_user_email }} 114 | commit_author: Junho-06 <${{ secrets.commit_user_email }}> -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "aws-load-balancer-controller.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "aws-load-balancer-controller.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "aws-load-balancer-controller.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Chart name prefix for resource names 36 | Strip the "-controller" suffix from the default .Chart.Name if the nameOverride is not specified. 37 | This enables using a shorter name for the resources, for example aws-load-balancer-webhook. 38 | */}} 39 | {{- define "aws-load-balancer-controller.namePrefix" -}} 40 | {{- $defaultNamePrefix := .Chart.Name | trimSuffix "-controller" -}} 41 | {{- default $defaultNamePrefix .Values.nameOverride | trunc 42 | trimSuffix "-" -}} 42 | {{- end -}} 43 | 44 | {{/* 45 | Common labels 46 | */}} 47 | {{- define "aws-load-balancer-controller.labels" -}} 48 | helm.sh/chart: {{ include "aws-load-balancer-controller.chart" . }} 49 | {{ include "aws-load-balancer-controller.selectorLabels" . }} 50 | {{- if .Chart.AppVersion }} 51 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 52 | {{- end }} 53 | app.kubernetes.io/managed-by: {{ .Release.Service }} 54 | {{- if .Values.additionalLabels }} 55 | {{ toYaml .Values.additionalLabels }} 56 | {{- end -}} 57 | {{- end -}} 58 | 59 | {{/* 60 | Selector labels 61 | */}} 62 | {{- define "aws-load-balancer-controller.selectorLabels" -}} 63 | app.kubernetes.io/name: {{ include "aws-load-balancer-controller.name" . }} 64 | app.kubernetes.io/instance: {{ .Release.Name }} 65 | {{- end -}} 66 | 67 | {{/* 68 | Create the name of the service account to use 69 | */}} 70 | {{- define "aws-load-balancer-controller.serviceAccountName" -}} 71 | {{- if .Values.serviceAccount.create -}} 72 | {{ default (include "aws-load-balancer-controller.fullname" .) .Values.serviceAccount.name }} 73 | {{- else -}} 74 | {{ default "default" .Values.serviceAccount.name }} 75 | {{- end -}} 76 | {{- end -}} 77 | 78 | {{/* 79 | Create the name of the webhook service 80 | */}} 81 | {{- define "aws-load-balancer-controller.webhookService" -}} 82 | {{- printf "%s-webhook-service" (include "aws-load-balancer-controller.namePrefix" .) -}} 83 | {{- end -}} 84 | 85 | {{/* 86 | Create the name of the webhook cert secret 87 | */}} 88 | {{- define "aws-load-balancer-controller.webhookCertSecret" -}} 89 | {{- printf "%s-tls" (include "aws-load-balancer-controller.namePrefix" .) -}} 90 | {{- end -}} 91 | 92 | {{/* 93 | Generate certificates for webhook 94 | */}} 95 | {{- define "aws-load-balancer-controller.webhookCerts" -}} 96 | {{- $serviceName := (include "aws-load-balancer-controller.webhookService" .) -}} 97 | {{- $secretName := (include "aws-load-balancer-controller.webhookCertSecret" .) -}} 98 | {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}} 99 | {{- if (and .Values.webhookTLS.caCert .Values.webhookTLS.cert .Values.webhookTLS.key) -}} 100 | caCert: {{ .Values.webhookTLS.caCert | b64enc }} 101 | clientCert: {{ .Values.webhookTLS.cert | b64enc }} 102 | clientKey: {{ .Values.webhookTLS.key | b64enc }} 103 | {{- else if and .Values.keepTLSSecret $secret -}} 104 | caCert: {{ index $secret.data "ca.crt" }} 105 | clientCert: {{ index $secret.data "tls.crt" }} 106 | clientKey: {{ index $secret.data "tls.key" }} 107 | {{- else -}} 108 | {{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.svc.%s" $serviceName .Release.Namespace .Values.cluster.dnsDomain) -}} 109 | {{- $ca := genCA "aws-load-balancer-controller-ca" 3650 -}} 110 | {{- $cert := genSignedCert (include "aws-load-balancer-controller.fullname" .) nil $altNames 3650 $ca -}} 111 | caCert: {{ $ca.Cert | b64enc }} 112 | clientCert: {{ $cert.Cert | b64enc }} 113 | clientKey: {{ $cert.Key | b64enc }} 114 | {{- end -}} 115 | {{- end -}} 116 | 117 | {{/* 118 | Convert map to comma separated key=value string 119 | */}} 120 | {{- define "aws-load-balancer-controller.convertMapToCsv" -}} 121 | {{- range $key, $value := . -}} {{ $key }}={{ $value }}, {{- end -}} 122 | {{- end -}} 123 | 124 | {{/* 125 | Create the name of the ingressClassParams 126 | */}} 127 | {{- define "aws-load-balancer-controller.ingressClassParamsName" -}} 128 | {{ default .Values.ingressClass .Values.ingressClassParams.name }} 129 | {{- end -}} 130 | -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/templates/webhook.yaml: -------------------------------------------------------------------------------- 1 | {{ $tls := fromYaml ( include "aws-load-balancer-controller.webhookCerts" . ) }} 2 | --- 3 | apiVersion: admissionregistration.k8s.io/v1 4 | kind: MutatingWebhookConfiguration 5 | metadata: 6 | {{- if $.Values.enableCertManager }} 7 | annotations: 8 | cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "aws-load-balancer-controller.namePrefix" . }}-serving-cert 9 | {{- end }} 10 | name: {{ include "aws-load-balancer-controller.namePrefix" . }}-webhook 11 | labels: 12 | {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} 13 | webhooks: 14 | - clientConfig: 15 | {{ if not $.Values.enableCertManager -}} 16 | caBundle: {{ $tls.caCert }} 17 | {{ end }} 18 | service: 19 | name: {{ template "aws-load-balancer-controller.webhookService" . }} 20 | namespace: {{ $.Release.Namespace }} 21 | path: /mutate-v1-pod 22 | failurePolicy: Fail 23 | name: mpod.elbv2.k8s.aws 24 | admissionReviewVersions: 25 | - v1beta1 26 | namespaceSelector: 27 | matchExpressions: 28 | {{ if .Values.webhookNamespaceSelectors }} 29 | {{ toYaml .Values.webhookNamespaceSelectors | nindent 4 }} 30 | {{ else }} 31 | - key: elbv2.k8s.aws/pod-readiness-gate-inject 32 | operator: In 33 | values: 34 | - enabled 35 | {{ end }} 36 | objectSelector: 37 | matchExpressions: 38 | - key: app.kubernetes.io/name 39 | operator: NotIn 40 | values: 41 | - {{ include "aws-load-balancer-controller.name" . }} 42 | {{- if .Values.objectSelector.matchExpressions }} 43 | {{- toYaml .Values.objectSelector.matchExpressions | nindent 4 }} 44 | {{- end }} 45 | {{- if .Values.objectSelector.matchLabels }} 46 | matchLabels: 47 | {{- toYaml .Values.objectSelector.matchLabels | nindent 6 }} 48 | {{- end }} 49 | rules: 50 | - apiGroups: 51 | - "" 52 | apiVersions: 53 | - v1 54 | operations: 55 | - CREATE 56 | resources: 57 | - pods 58 | sideEffects: None 59 | {{- if .Values.enableServiceMutatorWebhook }} 60 | - clientConfig: 61 | {{ if not $.Values.enableCertManager -}} 62 | caBundle: {{ $tls.caCert }} 63 | {{ end }} 64 | service: 65 | name: {{ template "aws-load-balancer-controller.webhookService" . }} 66 | namespace: {{ $.Release.Namespace }} 67 | path: /mutate-v1-service 68 | failurePolicy: Fail 69 | name: mservice.elbv2.k8s.aws 70 | admissionReviewVersions: 71 | - v1beta1 72 | objectSelector: 73 | matchExpressions: 74 | - key: app.kubernetes.io/name 75 | operator: NotIn 76 | values: 77 | - {{ include "aws-load-balancer-controller.name" . }} 78 | rules: 79 | - apiGroups: 80 | - "" 81 | apiVersions: 82 | - v1 83 | operations: 84 | - CREATE 85 | resources: 86 | - services 87 | sideEffects: None 88 | {{- end }} 89 | - clientConfig: 90 | {{ if not $.Values.enableCertManager -}} 91 | caBundle: {{ $tls.caCert }} 92 | {{ end }} 93 | service: 94 | name: {{ template "aws-load-balancer-controller.webhookService" . }} 95 | namespace: {{ $.Release.Namespace }} 96 | path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding 97 | failurePolicy: Fail 98 | name: mtargetgroupbinding.elbv2.k8s.aws 99 | admissionReviewVersions: 100 | - v1beta1 101 | rules: 102 | - apiGroups: 103 | - elbv2.k8s.aws 104 | apiVersions: 105 | - v1beta1 106 | operations: 107 | - CREATE 108 | - UPDATE 109 | resources: 110 | - targetgroupbindings 111 | sideEffects: None 112 | --- 113 | apiVersion: admissionregistration.k8s.io/v1 114 | kind: ValidatingWebhookConfiguration 115 | metadata: 116 | {{- if $.Values.enableCertManager }} 117 | annotations: 118 | cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "aws-load-balancer-controller.namePrefix" . }}-serving-cert 119 | {{- end }} 120 | name: {{ include "aws-load-balancer-controller.namePrefix" . }}-webhook 121 | labels: 122 | {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} 123 | webhooks: 124 | - clientConfig: 125 | {{ if not $.Values.enableCertManager -}} 126 | caBundle: {{ $tls.caCert }} 127 | {{ end }} 128 | service: 129 | name: {{ template "aws-load-balancer-controller.webhookService" . }} 130 | namespace: {{ $.Release.Namespace }} 131 | path: /validate-elbv2-k8s-aws-v1beta1-ingressclassparams 132 | failurePolicy: Fail 133 | name: vingressclassparams.elbv2.k8s.aws 134 | admissionReviewVersions: 135 | - v1beta1 136 | objectSelector: 137 | matchExpressions: 138 | - key: app.kubernetes.io/name 139 | operator: NotIn 140 | values: 141 | - {{ include "aws-load-balancer-controller.name" . }} 142 | rules: 143 | - apiGroups: 144 | - elbv2.k8s.aws 145 | apiVersions: 146 | - v1beta1 147 | operations: 148 | - CREATE 149 | - UPDATE 150 | resources: 151 | - ingressclassparams 152 | sideEffects: None 153 | - clientConfig: 154 | {{ if not $.Values.enableCertManager -}} 155 | caBundle: {{ $tls.caCert }} 156 | {{ end }} 157 | service: 158 | name: {{ template "aws-load-balancer-controller.webhookService" . }} 159 | namespace: {{ $.Release.Namespace }} 160 | path: /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding 161 | failurePolicy: Fail 162 | name: vtargetgroupbinding.elbv2.k8s.aws 163 | admissionReviewVersions: 164 | - v1beta1 165 | rules: 166 | - apiGroups: 167 | - elbv2.k8s.aws 168 | apiVersions: 169 | - v1beta1 170 | operations: 171 | - CREATE 172 | - UPDATE 173 | resources: 174 | - targetgroupbindings 175 | sideEffects: None 176 | - clientConfig: 177 | {{ if not $.Values.enableCertManager -}} 178 | caBundle: {{ $tls.caCert }} 179 | {{ end }} 180 | service: 181 | name: {{ template "aws-load-balancer-controller.webhookService" . }} 182 | namespace: {{ $.Release.Namespace }} 183 | path: /validate-networking-v1-ingress 184 | failurePolicy: Fail 185 | matchPolicy: Equivalent 186 | name: vingress.elbv2.k8s.aws 187 | admissionReviewVersions: 188 | - v1beta1 189 | rules: 190 | - apiGroups: 191 | - networking.k8s.io 192 | apiVersions: 193 | - v1 194 | operations: 195 | - CREATE 196 | - UPDATE 197 | resources: 198 | - ingresses 199 | sideEffects: None 200 | --- 201 | {{- if not $.Values.enableCertManager }} 202 | apiVersion: v1 203 | kind: Secret 204 | metadata: 205 | name: {{ template "aws-load-balancer-controller.webhookCertSecret" . }} 206 | namespace: {{ .Release.Namespace }} 207 | labels: 208 | {{ include "aws-load-balancer-controller.labels" . | indent 4 }} 209 | type: kubernetes.io/tls 210 | data: 211 | ca.crt: {{ $tls.caCert }} 212 | tls.crt: {{ $tls.clientCert }} 213 | tls.key: {{ $tls.clientKey }} 214 | {{- else }} 215 | apiVersion: cert-manager.io/v1 216 | kind: Certificate 217 | metadata: 218 | name: {{ template "aws-load-balancer-controller.namePrefix" . }}-serving-cert 219 | namespace: {{ .Release.Namespace }} 220 | labels: 221 | {{ include "aws-load-balancer-controller.labels" . | indent 4 }} 222 | spec: 223 | dnsNames: 224 | - {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc 225 | - {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc.{{ .Values.cluster.dnsDomain }} 226 | issuerRef: 227 | kind: Issuer 228 | name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer 229 | secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }} 230 | --- 231 | apiVersion: cert-manager.io/v1 232 | kind: Issuer 233 | metadata: 234 | name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer 235 | namespace: {{ .Release.Namespace }} 236 | labels: 237 | {{ include "aws-load-balancer-controller.labels" . | indent 4 }} 238 | spec: 239 | selfSigned: {} 240 | {{- end }} 241 | -------------------------------------------------------------------------------- /Spring/gradlew: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # 4 | # Copyright © 2015-2021 the original authors. 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # https://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 17 | # 18 | 19 | ############################################################################## 20 | # 21 | # Gradle start up script for POSIX generated by Gradle. 22 | # 23 | # Important for running: 24 | # 25 | # (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is 26 | # noncompliant, but you have some other compliant shell such as ksh or 27 | # bash, then to run this script, type that shell name before the whole 28 | # command line, like: 29 | # 30 | # ksh Gradle 31 | # 32 | # Busybox and similar reduced shells will NOT work, because this script 33 | # requires all of these POSIX shell features: 34 | # * functions; 35 | # * expansions «$var», «${var}», «${var:-default}», «${var+SET}», 36 | # «${var#prefix}», «${var%suffix}», and «$( cmd )»; 37 | # * compound commands having a testable exit status, especially «case»; 38 | # * various built-in commands including «command», «set», and «ulimit». 39 | # 40 | # Important for patching: 41 | # 42 | # (2) This script targets any POSIX shell, so it avoids extensions provided 43 | # by Bash, Ksh, etc; in particular arrays are avoided. 44 | # 45 | # The "traditional" practice of packing multiple parameters into a 46 | # space-separated string is a well documented source of bugs and security 47 | # problems, so this is (mostly) avoided, by progressively accumulating 48 | # options in "$@", and eventually passing that to Java. 49 | # 50 | # Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, 51 | # and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; 52 | # see the in-line comments for details. 53 | # 54 | # There are tweaks for specific operating systems such as AIX, CygWin, 55 | # Darwin, MinGW, and NonStop. 56 | # 57 | # (3) This script is generated from the Groovy template 58 | # https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt 59 | # within the Gradle project. 60 | # 61 | # You can find Gradle at https://github.com/gradle/gradle/. 62 | # 63 | ############################################################################## 64 | 65 | # Attempt to set APP_HOME 66 | 67 | # Resolve links: $0 may be a link 68 | app_path=$0 69 | 70 | # Need this for daisy-chained symlinks. 71 | while 72 | APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path 73 | [ -h "$app_path" ] 74 | do 75 | ls=$( ls -ld "$app_path" ) 76 | link=${ls#*' -> '} 77 | case $link in #( 78 | /*) app_path=$link ;; #( 79 | *) app_path=$APP_HOME$link ;; 80 | esac 81 | done 82 | 83 | # This is normally unused 84 | # shellcheck disable=SC2034 85 | APP_BASE_NAME=${0##*/} 86 | APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit 87 | 88 | # Use the maximum available, or set MAX_FD != -1 to use that value. 89 | MAX_FD=maximum 90 | 91 | warn () { 92 | echo "$*" 93 | } >&2 94 | 95 | die () { 96 | echo 97 | echo "$*" 98 | echo 99 | exit 1 100 | } >&2 101 | 102 | # OS specific support (must be 'true' or 'false'). 103 | cygwin=false 104 | msys=false 105 | darwin=false 106 | nonstop=false 107 | case "$( uname )" in #( 108 | CYGWIN* ) cygwin=true ;; #( 109 | Darwin* ) darwin=true ;; #( 110 | MSYS* | MINGW* ) msys=true ;; #( 111 | NONSTOP* ) nonstop=true ;; 112 | esac 113 | 114 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 115 | 116 | 117 | # Determine the Java command to use to start the JVM. 118 | if [ -n "$JAVA_HOME" ] ; then 119 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 120 | # IBM's JDK on AIX uses strange locations for the executables 121 | JAVACMD=$JAVA_HOME/jre/sh/java 122 | else 123 | JAVACMD=$JAVA_HOME/bin/java 124 | fi 125 | if [ ! -x "$JAVACMD" ] ; then 126 | die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 127 | 128 | Please set the JAVA_HOME variable in your environment to match the 129 | location of your Java installation." 130 | fi 131 | else 132 | JAVACMD=java 133 | if ! command -v java >/dev/null 2>&1 134 | then 135 | die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 136 | 137 | Please set the JAVA_HOME variable in your environment to match the 138 | location of your Java installation." 139 | fi 140 | fi 141 | 142 | # Increase the maximum file descriptors if we can. 143 | if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then 144 | case $MAX_FD in #( 145 | max*) 146 | # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. 147 | # shellcheck disable=SC3045 148 | MAX_FD=$( ulimit -H -n ) || 149 | warn "Could not query maximum file descriptor limit" 150 | esac 151 | case $MAX_FD in #( 152 | '' | soft) :;; #( 153 | *) 154 | # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 155 | # shellcheck disable=SC3045 156 | ulimit -n "$MAX_FD" || 157 | warn "Could not set maximum file descriptor limit to $MAX_FD" 158 | esac 159 | fi 160 | 161 | # Collect all arguments for the java command, stacking in reverse order: 162 | # * args from the command line 163 | # * the main class name 164 | # * -classpath 165 | # * -D...appname settings 166 | # * --module-path (only if needed) 167 | # * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 168 | 169 | # For Cygwin or MSYS, switch paths to Windows format before running java 170 | if "$cygwin" || "$msys" ; then 171 | APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) 172 | CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) 173 | 174 | JAVACMD=$( cygpath --unix "$JAVACMD" ) 175 | 176 | # Now convert the arguments - kludge to limit ourselves to /bin/sh 177 | for arg do 178 | if 179 | case $arg in #( 180 | -*) false ;; # don't mess with options #( 181 | /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath 182 | [ -e "$t" ] ;; #( 183 | *) false ;; 184 | esac 185 | then 186 | arg=$( cygpath --path --ignore --mixed "$arg" ) 187 | fi 188 | # Roll the args list around exactly as many times as the number of 189 | # args, so each arg winds up back in the position where it started, but 190 | # possibly modified. 191 | # 192 | # NB: a `for` loop captures its iteration list before it begins, so 193 | # changing the positional parameters here affects neither the number of 194 | # iterations, nor the values presented in `arg`. 195 | shift # remove old arg 196 | set -- "$@" "$arg" # push replacement arg 197 | done 198 | fi 199 | 200 | 201 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 202 | DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' 203 | 204 | # Collect all arguments for the java command; 205 | # * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of 206 | # shell script including quotes and variable substitutions, so put them in 207 | # double quotes to make sure that they get re-expanded; and 208 | # * put everything else in single quotes, so that it's not re-expanded. 209 | 210 | set -- \ 211 | "-Dorg.gradle.appname=$APP_BASE_NAME" \ 212 | -classpath "$CLASSPATH" \ 213 | org.gradle.wrapper.GradleWrapperMain \ 214 | "$@" 215 | 216 | # Stop when "xargs" is not available. 217 | if ! command -v xargs >/dev/null 2>&1 218 | then 219 | die "xargs is not available" 220 | fi 221 | 222 | # Use "xargs" to parse quoted args. 223 | # 224 | # With -n1 it outputs one arg per line, with the quotes and backslashes removed. 225 | # 226 | # In Bash we could simply go: 227 | # 228 | # readarray ARGS < <( xargs -n1 <<<"$var" ) && 229 | # set -- "${ARGS[@]}" "$@" 230 | # 231 | # but POSIX shell has neither arrays nor command substitution, so instead we 232 | # post-process each arg (as a line of input to sed) to backslash-escape any 233 | # character that might be a shell metacharacter, then use eval to reverse 234 | # that process (while maintaining the separation between arguments), and wrap 235 | # the whole thing up as a single "set" statement. 236 | # 237 | # This will of course break if any of these variables contains a newline or 238 | # an unmatched quote. 239 | # 240 | 241 | eval "set -- $( 242 | printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | 243 | xargs -n1 | 244 | sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | 245 | tr '\n' ' ' 246 | )" '"$@"' 247 | 248 | exec "$JAVACMD" "$@" 249 | -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "aws-load-balancer-controller.fullname" . }} 5 | namespace: {{ .Release.Namespace }} 6 | {{- if .Values.deploymentAnnotations }} 7 | annotations: 8 | {{- toYaml .Values.deploymentAnnotations | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} 12 | spec: 13 | replicas: {{ .Values.replicaCount }} 14 | selector: 15 | matchLabels: 16 | {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }} 17 | {{- with .Values.updateStrategy }} 18 | strategy: 19 | {{ toYaml . | nindent 4 }} 20 | {{- end }} 21 | template: 22 | metadata: 23 | labels: 24 | {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 8 }} 25 | {{- if .Values.podLabels }} 26 | {{- toYaml .Values.podLabels | nindent 8 }} 27 | {{- end }} 28 | annotations: 29 | {{- if not .Values.serviceMonitor.enabled }} 30 | prometheus.io/scrape: "true" 31 | prometheus.io/port: "{{ (split ":" .Values.metricsBindAddr)._1 | default 8080 }}" 32 | {{- end}} 33 | {{- if .Values.podAnnotations }} 34 | {{- toYaml .Values.podAnnotations | nindent 8 }} 35 | {{- end }} 36 | spec: 37 | {{- with .Values.imagePullSecrets }} 38 | imagePullSecrets: 39 | {{- toYaml . | nindent 8 }} 40 | {{- end }} 41 | serviceAccountName: {{ include "aws-load-balancer-controller.serviceAccountName" . }} 42 | volumes: 43 | - name: cert 44 | secret: 45 | defaultMode: 420 46 | secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }} 47 | {{- with .Values.extraVolumes }} 48 | {{ toYaml . | nindent 6 }} 49 | {{- end }} 50 | securityContext: 51 | {{- toYaml .Values.podSecurityContext | nindent 8 }} 52 | {{- if .Values.hostNetwork }} 53 | hostNetwork: true 54 | {{- end }} 55 | {{- if .Values.dnsPolicy }} 56 | dnsPolicy: {{ .Values.dnsPolicy }} 57 | {{- end }} 58 | containers: 59 | - name: {{ .Chart.Name }} 60 | args: 61 | - --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" .Values.clusterName }} 62 | {{- if .Values.ingressClass }} 63 | - --ingress-class={{ .Values.ingressClass }} 64 | {{- end }} 65 | {{- if .Values.region }} 66 | - --aws-region={{ .Values.region }} 67 | {{- end }} 68 | {{- if .Values.vpcId }} 69 | - --aws-vpc-id={{ .Values.vpcId }} 70 | {{- end }} 71 | {{- if .Values.awsApiEndpoints }} 72 | - --aws-api-endpoints={{ .Values.awsApiEndpoints }} 73 | {{- end }} 74 | {{- if .Values.awsApiThrottle }} 75 | - --aws-api-throttle={{ join "," .Values.awsApiThrottle }} 76 | {{- end }} 77 | {{- if .Values.awsMaxRetries }} 78 | - --aws-max-retries={{ .Values.awsMaxRetries }} 79 | {{- end }} 80 | {{- if kindIs "bool" .Values.enablePodReadinessGateInject }} 81 | - --enable-pod-readiness-gate-inject={{ .Values.enablePodReadinessGateInject }} 82 | {{- end }} 83 | {{- if kindIs "bool" .Values.enableShield }} 84 | - --enable-shield={{ .Values.enableShield }} 85 | {{- end }} 86 | {{- if kindIs "bool" .Values.enableWaf }} 87 | - --enable-waf={{ .Values.enableWaf }} 88 | {{- end }} 89 | {{- if kindIs "bool" .Values.enableWafv2 }} 90 | - --enable-wafv2={{ .Values.enableWafv2 }} 91 | {{- end }} 92 | {{- if .Values.metricsBindAddr }} 93 | - --metrics-bind-addr={{ .Values.metricsBindAddr }} 94 | {{- end }} 95 | {{- if .Values.ingressMaxConcurrentReconciles }} 96 | - --ingress-max-concurrent-reconciles={{ .Values.ingressMaxConcurrentReconciles }} 97 | {{- end }} 98 | {{- if .Values.serviceMaxConcurrentReconciles }} 99 | - --service-max-concurrent-reconciles={{ .Values.serviceMaxConcurrentReconciles }} 100 | {{- end }} 101 | {{- if .Values.targetgroupbindingMaxConcurrentReconciles }} 102 | - --targetgroupbinding-max-concurrent-reconciles={{ .Values.targetgroupbindingMaxConcurrentReconciles }} 103 | {{- end }} 104 | {{- if .Values.targetgroupbindingMaxExponentialBackoffDelay }} 105 | - --targetgroupbinding-max-exponential-backoff-delay={{ .Values.targetgroupbindingMaxExponentialBackoffDelay }} 106 | {{- end }} 107 | {{- if .Values.logLevel }} 108 | - --log-level={{ .Values.logLevel }} 109 | {{- end }} 110 | {{- if .Values.webhookBindPort }} 111 | - --webhook-bind-port={{ .Values.webhookBindPort }} 112 | {{- end }} 113 | {{- if .Values.syncPeriod }} 114 | - --sync-period={{ .Values.syncPeriod }} 115 | {{- end }} 116 | {{- if .Values.watchNamespace }} 117 | - --watch-namespace={{ .Values.watchNamespace }} 118 | {{- end }} 119 | {{- if kindIs "bool" .Values.disableIngressClassAnnotation }} 120 | - --disable-ingress-class-annotation={{ .Values.disableIngressClassAnnotation }} 121 | {{- end }} 122 | {{- if kindIs "bool" .Values.disableIngressGroupNameAnnotation }} 123 | - --disable-ingress-group-name-annotation={{ .Values.disableIngressGroupNameAnnotation }} 124 | {{- end }} 125 | {{- if .Values.defaultSSLPolicy }} 126 | - --default-ssl-policy={{ .Values.defaultSSLPolicy }} 127 | {{- end }} 128 | {{- if .Values.externalManagedTags }} 129 | - --external-managed-tags={{ join "," .Values.externalManagedTags }} 130 | {{- end }} 131 | {{- if .Values.defaultTags }} 132 | - --default-tags={{ include "aws-load-balancer-controller.convertMapToCsv" .Values.defaultTags | trimSuffix "," }} 133 | {{- end }} 134 | {{- if kindIs "bool" .Values.enableEndpointSlices }} 135 | - --enable-endpoint-slices={{ .Values.enableEndpointSlices }} 136 | {{- end }} 137 | {{- if kindIs "bool" .Values.enableBackendSecurityGroup }} 138 | - --enable-backend-security-group={{ .Values.enableBackendSecurityGroup }} 139 | {{- end }} 140 | {{- if .Values.backendSecurityGroup }} 141 | - --backend-security-group={{ .Values.backendSecurityGroup }} 142 | {{- end }} 143 | {{- if kindIs "bool" .Values.disableRestrictedSecurityGroupRules }} 144 | - --disable-restricted-sg-rules={{ .Values.disableRestrictedSecurityGroupRules }} 145 | {{- end }} 146 | {{- if .Values.controllerConfig.featureGates }} 147 | - --feature-gates={{ include "aws-load-balancer-controller.convertMapToCsv" .Values.controllerConfig.featureGates | trimSuffix "," }} 148 | {{- end }} 149 | {{- if ne .Values.defaultTargetType "instance" }} 150 | - --default-target-type={{ .Values.defaultTargetType }} 151 | {{- end }} 152 | {{- if .Values.env }} 153 | env: 154 | {{- range $key, $value := .Values.env }} 155 | - name: {{ $key }} 156 | value: "{{ $value }}" 157 | {{- end }} 158 | {{- end }} 159 | securityContext: 160 | {{- toYaml .Values.securityContext | nindent 10 }} 161 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 162 | imagePullPolicy: {{ .Values.image.pullPolicy }} 163 | volumeMounts: 164 | - mountPath: /tmp/k8s-webhook-server/serving-certs 165 | name: cert 166 | readOnly: true 167 | {{- with .Values.extraVolumeMounts }} 168 | {{ toYaml . | nindent 8 }} 169 | {{- end }} 170 | ports: 171 | - name: webhook-server 172 | containerPort: {{ .Values.webhookBindPort | default 9443 }} 173 | protocol: TCP 174 | - name: metrics-server 175 | containerPort: {{ (split ":" .Values.metricsBindAddr)._1 | default 8080 }} 176 | protocol: TCP 177 | resources: 178 | {{- toYaml .Values.resources | nindent 10 }} 179 | {{- with .Values.livenessProbe }} 180 | livenessProbe: 181 | {{- toYaml . | nindent 10 }} 182 | {{- end }} 183 | terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} 184 | {{- with .Values.nodeSelector }} 185 | nodeSelector: 186 | {{- toYaml . | nindent 8 }} 187 | {{- end }} 188 | {{- if .Values.affinity }} 189 | affinity: 190 | {{- toYaml .Values.affinity | nindent 8 }} 191 | {{- else if .Values.configureDefaultAffinity }} 192 | affinity: 193 | podAntiAffinity: 194 | preferredDuringSchedulingIgnoredDuringExecution: 195 | - weight: 100 196 | podAffinityTerm: 197 | labelSelector: 198 | matchExpressions: 199 | - key: app.kubernetes.io/name 200 | operator: In 201 | values: 202 | - {{ include "aws-load-balancer-controller.name" . }} 203 | topologyKey: kubernetes.io/hostname 204 | {{- end }} 205 | {{- with .Values.tolerations }} 206 | tolerations: 207 | {{- toYaml . | nindent 8 }} 208 | {{- end }} 209 | {{- if .Values.priorityClassName }} 210 | priorityClassName: {{ .Values.priorityClassName | quote }} 211 | {{- end }} 212 | {{- with .Values.topologySpreadConstraints }} 213 | topologySpreadConstraints: 214 | {{- toYaml . | nindent 8 }} 215 | {{- end }} 216 | -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for aws-load-balancer-controller. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | replicaCount: 2 6 | 7 | image: 8 | repository: public.ecr.aws/eks/aws-load-balancer-controller 9 | tag: v2.6.1 10 | pullPolicy: IfNotPresent 11 | 12 | imagePullSecrets: [] 13 | nameOverride: "" 14 | fullnameOverride: "" 15 | 16 | serviceAccount: 17 | # Specifies whether a service account should be created 18 | create: true 19 | # Annotations to add to the service account 20 | annotations: 21 | eks.amazonaws.com/role-arn: arn:aws:iam::250832144271:role/load-balancer-controller 22 | # The name of the service account to use. 23 | # If not set and create is true, a name is generated using the fullname template 24 | name: aws-load-balancer-controller 25 | # Automount API credentials for a Service Account. 26 | automountServiceAccountToken: true 27 | # List of image pull secrets to add to the Service Account. 28 | imagePullSecrets: 29 | # - name: docker 30 | 31 | rbac: 32 | # Specifies whether rbac resources should be created 33 | create: true 34 | 35 | podSecurityContext: 36 | fsGroup: 65534 37 | 38 | securityContext: 39 | # capabilities: 40 | # drop: 41 | # - ALL 42 | readOnlyRootFilesystem: true 43 | runAsNonRoot: true 44 | allowPrivilegeEscalation: false 45 | 46 | # Time period for the controller pod to do a graceful shutdown 47 | terminationGracePeriodSeconds: 10 48 | 49 | resources: {} 50 | # We usually recommend not to specify default resources and to leave this as a conscious 51 | # choice for the user. This also increases chances charts run on environments with little 52 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 53 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 54 | # limits: 55 | # cpu: 100m 56 | # memory: 128Mi 57 | # requests: 58 | # cpu: 100m 59 | # memory: 128Mi 60 | 61 | # priorityClassName specifies the PriorityClass to indicate the importance of controller pods 62 | # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass 63 | priorityClassName: system-cluster-critical 64 | 65 | nodeSelector: {} 66 | 67 | tolerations: [] 68 | 69 | # affinity specifies a custom affinity for the controller pods 70 | affinity: {} 71 | 72 | # configureDefaultAffinity specifies whether to configure a default affinity for the controller pods to prevent 73 | # co-location on the same node. This will get ignored if you specify a custom affinity configuration. 74 | configureDefaultAffinity: true 75 | 76 | # topologySpreadConstraints is a stable feature of k8s v1.19 which provides the ability to 77 | # control how Pods are spread across your cluster among failure-domains such as regions, zones, 78 | # nodes, and other user-defined topology domains. 79 | # 80 | # more details here: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ 81 | topologySpreadConstraints: {} 82 | 83 | updateStrategy: {} 84 | # type: RollingUpdate 85 | # rollingUpdate: 86 | # maxSurge: 1 87 | # maxUnavailable: 1 88 | 89 | # serviceAnnotations contains annotations to be added to the provisioned webhook service resource 90 | serviceAnnotations: {} 91 | 92 | # deploymentAnnotations contains annotations for the controller deployment 93 | deploymentAnnotations: {} 94 | 95 | podAnnotations: {} 96 | 97 | podLabels: {} 98 | 99 | # additionalLabels -- Labels to add to each object of the chart. 100 | additionalLabels: {} 101 | 102 | # Enable cert-manager 103 | enableCertManager: false 104 | 105 | # The name of the Kubernetes cluster. A non-empty value is required 106 | clusterName: msa-cluster 107 | 108 | # cluster contains configurations specific to the kubernetes cluster 109 | cluster: 110 | # Cluster DNS domain (required for requesting TLS certificates) 111 | dnsDomain: cluster.local 112 | 113 | # The ingress class this controller will satisfy. If not specified, controller will match all 114 | # ingresses without ingress class annotation and ingresses of type alb 115 | ingressClass: alb 116 | 117 | # ingressClassParams specify the IngressCLassParams that enforce settings for a set of Ingresses when using with ingress Controller. 118 | ingressClassParams: 119 | create: true 120 | # The name of ingressClassParams resource will be referred in ingressClass 121 | name: 122 | spec: {} 123 | # Due to dependency issue, the validation webhook ignores this particular ingressClassParams resource. 124 | # We recommend creating ingressClassParams resources separately after installing this chart and the 125 | # controller is functional. 126 | # 127 | # You can set the specifications in the `helm install` command through `--set` or `--set-string` 128 | # If you do want to specify in the values.yaml, uncomment the following 129 | # lines, adjust them as necessary, and remove the curly braces after 'spec:' 130 | # 131 | # namespaceSelector: 132 | # matchLabels: 133 | # group: 134 | # scheme: 135 | # ipAddressType: 136 | # tags: 137 | # loadBalancerAttributes: 138 | # - key: 139 | # value: 140 | 141 | # To use IngressClass resource instead of annotation, before you need to install the IngressClass resource pointing to controller. 142 | # If specified as true, the IngressClass resource will be created. 143 | createIngressClassResource: true 144 | 145 | # The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example. 146 | region: ap-northeast-2 147 | 148 | # The VPC ID for the Kubernetes cluster. Set this manually when your pods are unable to use the metadata service to determine this automatically 149 | vpcId: 150 | 151 | # Custom AWS API Endpoints (serviceID1=URL1,serviceID2=URL2) 152 | awsApiEndpoints: 153 | 154 | # awsApiThrottle specifies custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst) 155 | # example: --set awsApiThrottle="{Elastic Load Balancing v2:RegisterTargets|DeregisterTargets=4:20,Elastic Load Balancing v2:.*=10:40}" 156 | awsApiThrottle: 157 | 158 | # Maximum retries for AWS APIs (default 10) 159 | awsMaxRetries: 160 | 161 | # Default target type. Used as the default value of the "alb.ingress.kubernetes.io/target-type" and 162 | # "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations. 163 | # Possible values are "ip" and "instance" 164 | # The value "ip" should be used for ENI-based CNIs, such as the Amazon VPC CNI, 165 | # Calico with encapsulation disabled, or Cilium with masquerading disabled. 166 | # The value "instance" should be used for overlay-based CNIs, such as Calico in VXLAN or IPIP mode or 167 | # Cilium with masquerading enabled. 168 | defaultTargetType: instance 169 | 170 | # If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods (default true) 171 | enablePodReadinessGateInject: 172 | 173 | # Enable Shield addon for ALB (default true) 174 | enableShield: 175 | 176 | # Enable WAF addon for ALB (default true) 177 | enableWaf: 178 | 179 | # Enable WAF V2 addon for ALB (default true) 180 | enableWafv2: 181 | 182 | # Maximum number of concurrently running reconcile loops for ingress (default 3) 183 | ingressMaxConcurrentReconciles: 184 | 185 | # Set the controller log level - info(default), debug (default "info") 186 | logLevel: 187 | 188 | # The address the metric endpoint binds to. (default ":8080") 189 | metricsBindAddr: "" 190 | 191 | # The TCP port the Webhook server binds to. (default 9443) 192 | webhookBindPort: 193 | 194 | # webhookTLS specifies TLS cert/key for the webhook 195 | webhookTLS: 196 | caCert: 197 | cert: 198 | key: 199 | 200 | # array of namespace selectors for the webhook 201 | webhookNamespaceSelectors: 202 | # - key: elbv2.k8s.aws/pod-readiness-gate-inject 203 | # operator: In 204 | # values: 205 | # - enabled 206 | 207 | # keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade 208 | keepTLSSecret: true 209 | 210 | # Maximum number of concurrently running reconcile loops for service (default 3) 211 | serviceMaxConcurrentReconciles: 212 | 213 | # Maximum number of concurrently running reconcile loops for targetGroupBinding 214 | targetgroupbindingMaxConcurrentReconciles: 215 | 216 | # Maximum duration of exponential backoff for targetGroupBinding reconcile failures 217 | targetgroupbindingMaxExponentialBackoffDelay: 218 | 219 | # Period at which the controller forces the repopulation of its local object stores. (default 10h0m0s) 220 | syncPeriod: 221 | 222 | # Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. 223 | watchNamespace: 224 | 225 | # disableIngressClassAnnotation disables the usage of kubernetes.io/ingress.class annotation, false by default 226 | disableIngressClassAnnotation: 227 | 228 | # disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default 229 | disableIngressGroupNameAnnotation: 230 | 231 | # defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners 232 | defaultSSLPolicy: 233 | 234 | # Liveness probe configuration for the controller 235 | livenessProbe: 236 | failureThreshold: 2 237 | httpGet: 238 | path: /healthz 239 | port: 61779 240 | scheme: HTTP 241 | initialDelaySeconds: 30 242 | timeoutSeconds: 10 243 | 244 | # Environment variables to set for aws-load-balancer-controller pod. 245 | # We strongly discourage programming access credentials in the controller environment. You should setup IRSA or 246 | # comparable solutions like kube2iam, kiam etc instead. 247 | env: 248 | # ENV_1: "" 249 | # ENV_2: "" 250 | 251 | # Specifies if aws-load-balancer-controller should be started in hostNetwork mode. 252 | # 253 | # This is required if using a custom CNI where the managed control plane nodes are unable to initiate 254 | # network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or 255 | # recommended if using the Amazon VPC CNI plugin. 256 | hostNetwork: false 257 | 258 | # Specifies the dnsPolicy that should be used for pods in the deployment 259 | # 260 | # This may need to be used to be changed given certain conditions. For instance, if one uses the cilium CNI 261 | # with certain settings, one may need to set `hostNetwork: true` and webhooks won't work unless `dnsPolicy` 262 | # is set to `ClusterFirstWithHostNet`. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy 263 | dnsPolicy: 264 | 265 | # extraVolumeMounts are the additional volume mounts. This enables setting up IRSA on non-EKS Kubernetes cluster 266 | extraVolumeMounts: 267 | # - name: aws-iam-token 268 | # mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount 269 | # readOnly: true 270 | 271 | # extraVolumes for the extraVolumeMounts. Useful to mount a projected service account token for example. 272 | extraVolumes: 273 | # - name: aws-iam-token 274 | # projected: 275 | # defaultMode: 420 276 | # sources: 277 | # - serviceAccountToken: 278 | # audience: sts.amazonaws.com 279 | # expirationSeconds: 86400 280 | # path: token 281 | 282 | # defaultTags are the tags to apply to all AWS resources managed by this controller 283 | defaultTags: {} 284 | # default_tag1: value1 285 | # default_tag2: value2 286 | 287 | # podDisruptionBudget specifies the disruption budget for the controller pods. 288 | # Disruption budget will be configured only when the replicaCount is greater than 1 289 | podDisruptionBudget: {} 290 | # maxUnavailable: 1 291 | 292 | # externalManagedTags is the list of tag keys on AWS resources that will be managed externally 293 | externalManagedTags: [] 294 | 295 | # enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false) 296 | enableEndpointSlices: 297 | 298 | # enableBackendSecurityGroup enables shared security group for backend traffic (default true) 299 | enableBackendSecurityGroup: 300 | 301 | # backendSecurityGroup specifies backend security group id (default controller auto create backend security group) 302 | backendSecurityGroup: 303 | 304 | # disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic 305 | disableRestrictedSecurityGroupRules: 306 | 307 | # controllerConfig specifies controller configuration 308 | controllerConfig: 309 | # featureGates set of key: value pairs that describe AWS load balance controller features 310 | featureGates: {} 311 | # ListenerRulesTagging: true 312 | # WeightedTargetGroups: true 313 | # ServiceTypeLoadBalancerOnly: false 314 | # EndpointsFailOpen: true 315 | # EnableServiceController: true 316 | # EnableIPTargetType: true 317 | # SubnetsClusterTagCheck: true 318 | # NLBHealthCheckAdvancedConfig: true 319 | 320 | # objectSelector for webhook 321 | objectSelector: 322 | matchExpressions: 323 | # - key: 324 | # operator: 325 | # values: 326 | # - 327 | matchLabels: 328 | # key: value 329 | 330 | serviceMonitor: 331 | # Specifies whether a service monitor should be created 332 | enabled: false 333 | # Labels to add to the service account 334 | additionalLabels: {} 335 | # Prometheus scrape interval 336 | interval: 1m 337 | # Namespace to create the service monitor in 338 | namespace: 339 | 340 | # clusterSecretsPermissions lets you configure RBAC permissions for secret resources 341 | # Access to secrets resource is required only if you use the OIDC feature, and instead of 342 | # enabling access to all secrets, we recommend configuring namespaced role/rolebinding. 343 | # This option is for backwards compatibility only, and will potentially be deprecated in future. 344 | clusterSecretsPermissions: 345 | # allowAllSecrets allows the controller to access all secrets in the cluster. 346 | # This is to get backwards compatible behavior, but *NOT* recommended for security reasons 347 | allowAllSecrets: false 348 | 349 | # ingressClassConfig contains configurations specific to the ingress class 350 | ingressClassConfig: 351 | default: false 352 | 353 | # enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer 354 | enableServiceMutatorWebhook: true 355 | -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/crds/crds.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | controller-gen.kubebuilder.io/version: v0.11.1 6 | creationTimestamp: null 7 | name: ingressclassparams.elbv2.k8s.aws 8 | spec: 9 | group: elbv2.k8s.aws 10 | names: 11 | kind: IngressClassParams 12 | listKind: IngressClassParamsList 13 | plural: ingressclassparams 14 | singular: ingressclassparams 15 | scope: Cluster 16 | versions: 17 | - additionalPrinterColumns: 18 | - description: The Ingress Group name 19 | jsonPath: .spec.group.name 20 | name: GROUP-NAME 21 | type: string 22 | - description: The AWS Load Balancer scheme 23 | jsonPath: .spec.scheme 24 | name: SCHEME 25 | type: string 26 | - description: The AWS Load Balancer ipAddressType 27 | jsonPath: .spec.ipAddressType 28 | name: IP-ADDRESS-TYPE 29 | type: string 30 | - jsonPath: .metadata.creationTimestamp 31 | name: AGE 32 | type: date 33 | name: v1beta1 34 | schema: 35 | openAPIV3Schema: 36 | description: IngressClassParams is the Schema for the IngressClassParams API 37 | properties: 38 | apiVersion: 39 | description: 'APIVersion defines the versioned schema of this representation 40 | of an object. Servers should convert recognized schemas to the latest 41 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 42 | type: string 43 | kind: 44 | description: 'Kind is a string value representing the REST resource this 45 | object represents. Servers may infer this from the endpoint the client 46 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 47 | type: string 48 | metadata: 49 | type: object 50 | spec: 51 | description: IngressClassParamsSpec defines the desired state of IngressClassParams 52 | properties: 53 | group: 54 | description: Group defines the IngressGroup for all Ingresses that 55 | belong to IngressClass with this IngressClassParams. 56 | properties: 57 | name: 58 | description: Name is the name of IngressGroup. 59 | type: string 60 | required: 61 | - name 62 | type: object 63 | inboundCIDRs: 64 | description: InboundCIDRs specifies the CIDRs that are allowed to 65 | access the Ingresses that belong to IngressClass with this IngressClassParams. 66 | items: 67 | type: string 68 | type: array 69 | ipAddressType: 70 | description: IPAddressType defines the ip address type for all Ingresses 71 | that belong to IngressClass with this IngressClassParams. 72 | enum: 73 | - ipv4 74 | - dualstack 75 | type: string 76 | loadBalancerAttributes: 77 | description: LoadBalancerAttributes define the custom attributes to 78 | LoadBalancers for all Ingress that that belong to IngressClass with 79 | this IngressClassParams. 80 | items: 81 | description: Attributes defines custom attributes on resources. 82 | properties: 83 | key: 84 | description: The key of the attribute. 85 | type: string 86 | value: 87 | description: The value of the attribute. 88 | type: string 89 | required: 90 | - key 91 | - value 92 | type: object 93 | type: array 94 | namespaceSelector: 95 | description: NamespaceSelector restrict the namespaces of Ingresses 96 | that are allowed to specify the IngressClass with this IngressClassParams. 97 | * if absent or present but empty, it selects all namespaces. 98 | properties: 99 | matchExpressions: 100 | description: matchExpressions is a list of label selector requirements. 101 | The requirements are ANDed. 102 | items: 103 | description: A label selector requirement is a selector that 104 | contains values, a key, and an operator that relates the key 105 | and values. 106 | properties: 107 | key: 108 | description: key is the label key that the selector applies 109 | to. 110 | type: string 111 | operator: 112 | description: operator represents a key's relationship to 113 | a set of values. Valid operators are In, NotIn, Exists 114 | and DoesNotExist. 115 | type: string 116 | values: 117 | description: values is an array of string values. If the 118 | operator is In or NotIn, the values array must be non-empty. 119 | If the operator is Exists or DoesNotExist, the values 120 | array must be empty. This array is replaced during a strategic 121 | merge patch. 122 | items: 123 | type: string 124 | type: array 125 | required: 126 | - key 127 | - operator 128 | type: object 129 | type: array 130 | matchLabels: 131 | additionalProperties: 132 | type: string 133 | description: matchLabels is a map of {key,value} pairs. A single 134 | {key,value} in the matchLabels map is equivalent to an element 135 | of matchExpressions, whose key field is "key", the operator 136 | is "In", and the values array contains only "value". The requirements 137 | are ANDed. 138 | type: object 139 | type: object 140 | x-kubernetes-map-type: atomic 141 | scheme: 142 | description: Scheme defines the scheme for all Ingresses that belong 143 | to IngressClass with this IngressClassParams. 144 | enum: 145 | - internal 146 | - internet-facing 147 | type: string 148 | sslPolicy: 149 | description: SSLPolicy specifies the SSL Policy for all Ingresses 150 | that belong to IngressClass with this IngressClassParams. 151 | type: string 152 | subnets: 153 | description: Subnets defines the subnets for all Ingresses that belong 154 | to IngressClass with this IngressClassParams. 155 | properties: 156 | ids: 157 | description: IDs specify the resource IDs of subnets. Exactly 158 | one of this or `tags` must be specified. 159 | items: 160 | description: SubnetID specifies a subnet ID. 161 | pattern: subnet-[0-9a-f]+ 162 | type: string 163 | minItems: 1 164 | type: array 165 | tags: 166 | additionalProperties: 167 | items: 168 | type: string 169 | type: array 170 | description: Tags specifies subnets in the load balancer's VPC 171 | where each tag specified in the map key contains one of the 172 | values in the corresponding value list. Exactly one of this 173 | or `ids` must be specified. 174 | type: object 175 | type: object 176 | tags: 177 | description: Tags defines list of Tags on AWS resources provisioned 178 | for Ingresses that belong to IngressClass with this IngressClassParams. 179 | items: 180 | description: Tag defines a AWS Tag on resources. 181 | properties: 182 | key: 183 | description: The key of the tag. 184 | type: string 185 | value: 186 | description: The value of the tag. 187 | type: string 188 | required: 189 | - key 190 | - value 191 | type: object 192 | type: array 193 | type: object 194 | type: object 195 | served: true 196 | storage: true 197 | subresources: {} 198 | --- 199 | apiVersion: apiextensions.k8s.io/v1 200 | kind: CustomResourceDefinition 201 | metadata: 202 | annotations: 203 | controller-gen.kubebuilder.io/version: v0.11.1 204 | creationTimestamp: null 205 | name: targetgroupbindings.elbv2.k8s.aws 206 | spec: 207 | group: elbv2.k8s.aws 208 | names: 209 | kind: TargetGroupBinding 210 | listKind: TargetGroupBindingList 211 | plural: targetgroupbindings 212 | singular: targetgroupbinding 213 | scope: Namespaced 214 | versions: 215 | - additionalPrinterColumns: 216 | - description: The Kubernetes Service's name 217 | jsonPath: .spec.serviceRef.name 218 | name: SERVICE-NAME 219 | type: string 220 | - description: The Kubernetes Service's port 221 | jsonPath: .spec.serviceRef.port 222 | name: SERVICE-PORT 223 | type: string 224 | - description: The AWS TargetGroup's TargetType 225 | jsonPath: .spec.targetType 226 | name: TARGET-TYPE 227 | type: string 228 | - description: The AWS TargetGroup's Amazon Resource Name 229 | jsonPath: .spec.targetGroupARN 230 | name: ARN 231 | priority: 1 232 | type: string 233 | - jsonPath: .metadata.creationTimestamp 234 | name: AGE 235 | type: date 236 | name: v1alpha1 237 | schema: 238 | openAPIV3Schema: 239 | description: TargetGroupBinding is the Schema for the TargetGroupBinding API 240 | properties: 241 | apiVersion: 242 | description: 'APIVersion defines the versioned schema of this representation 243 | of an object. Servers should convert recognized schemas to the latest 244 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 245 | type: string 246 | kind: 247 | description: 'Kind is a string value representing the REST resource this 248 | object represents. Servers may infer this from the endpoint the client 249 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 250 | type: string 251 | metadata: 252 | type: object 253 | spec: 254 | description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding 255 | properties: 256 | networking: 257 | description: networking provides the networking setup for ELBV2 LoadBalancer 258 | to access targets in TargetGroup. 259 | properties: 260 | ingress: 261 | description: List of ingress rules to allow ELBV2 LoadBalancer 262 | to access targets in TargetGroup. 263 | items: 264 | properties: 265 | from: 266 | description: List of peers which should be able to access 267 | the targets in TargetGroup. At least one NetworkingPeer 268 | should be specified. 269 | items: 270 | description: NetworkingPeer defines the source/destination 271 | peer for networking rules. 272 | properties: 273 | ipBlock: 274 | description: IPBlock defines an IPBlock peer. If specified, 275 | none of the other fields can be set. 276 | properties: 277 | cidr: 278 | description: CIDR is the network CIDR. Both IPV4 279 | or IPV6 CIDR are accepted. 280 | type: string 281 | required: 282 | - cidr 283 | type: object 284 | securityGroup: 285 | description: SecurityGroup defines a SecurityGroup 286 | peer. If specified, none of the other fields can 287 | be set. 288 | properties: 289 | groupID: 290 | description: GroupID is the EC2 SecurityGroupID. 291 | type: string 292 | required: 293 | - groupID 294 | type: object 295 | type: object 296 | type: array 297 | ports: 298 | description: List of ports which should be made accessible 299 | on the targets in TargetGroup. If ports is empty or unspecified, 300 | it defaults to all ports with TCP. 301 | items: 302 | properties: 303 | port: 304 | anyOf: 305 | - type: integer 306 | - type: string 307 | description: The port which traffic must match. When 308 | NodePort endpoints(instance TargetType) is used, 309 | this must be a numerical port. When Port endpoints(ip 310 | TargetType) is used, this can be either numerical 311 | or named port on pods. if port is unspecified, it 312 | defaults to all ports. 313 | x-kubernetes-int-or-string: true 314 | protocol: 315 | description: The protocol which traffic must match. 316 | If protocol is unspecified, it defaults to TCP. 317 | enum: 318 | - TCP 319 | - UDP 320 | type: string 321 | type: object 322 | type: array 323 | required: 324 | - from 325 | - ports 326 | type: object 327 | type: array 328 | type: object 329 | serviceRef: 330 | description: serviceRef is a reference to a Kubernetes Service and 331 | ServicePort. 332 | properties: 333 | name: 334 | description: Name is the name of the Service. 335 | type: string 336 | port: 337 | anyOf: 338 | - type: integer 339 | - type: string 340 | description: Port is the port of the ServicePort. 341 | x-kubernetes-int-or-string: true 342 | required: 343 | - name 344 | - port 345 | type: object 346 | targetGroupARN: 347 | description: targetGroupARN is the Amazon Resource Name (ARN) for 348 | the TargetGroup. 349 | type: string 350 | targetType: 351 | description: targetType is the TargetType of TargetGroup. If unspecified, 352 | it will be automatically inferred. 353 | enum: 354 | - instance 355 | - ip 356 | type: string 357 | required: 358 | - serviceRef 359 | - targetGroupARN 360 | type: object 361 | status: 362 | description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding 363 | properties: 364 | observedGeneration: 365 | description: The generation observed by the TargetGroupBinding controller. 366 | format: int64 367 | type: integer 368 | type: object 369 | type: object 370 | served: true 371 | storage: false 372 | subresources: 373 | status: {} 374 | - additionalPrinterColumns: 375 | - description: The Kubernetes Service's name 376 | jsonPath: .spec.serviceRef.name 377 | name: SERVICE-NAME 378 | type: string 379 | - description: The Kubernetes Service's port 380 | jsonPath: .spec.serviceRef.port 381 | name: SERVICE-PORT 382 | type: string 383 | - description: The AWS TargetGroup's TargetType 384 | jsonPath: .spec.targetType 385 | name: TARGET-TYPE 386 | type: string 387 | - description: The AWS TargetGroup's Amazon Resource Name 388 | jsonPath: .spec.targetGroupARN 389 | name: ARN 390 | priority: 1 391 | type: string 392 | - jsonPath: .metadata.creationTimestamp 393 | name: AGE 394 | type: date 395 | name: v1beta1 396 | schema: 397 | openAPIV3Schema: 398 | description: TargetGroupBinding is the Schema for the TargetGroupBinding API 399 | properties: 400 | apiVersion: 401 | description: 'APIVersion defines the versioned schema of this representation 402 | of an object. Servers should convert recognized schemas to the latest 403 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 404 | type: string 405 | kind: 406 | description: 'Kind is a string value representing the REST resource this 407 | object represents. Servers may infer this from the endpoint the client 408 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 409 | type: string 410 | metadata: 411 | type: object 412 | spec: 413 | description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding 414 | properties: 415 | ipAddressType: 416 | description: ipAddressType specifies whether the target group is of 417 | type IPv4 or IPv6. If unspecified, it will be automatically inferred. 418 | enum: 419 | - ipv4 420 | - ipv6 421 | type: string 422 | networking: 423 | description: networking defines the networking rules to allow ELBV2 424 | LoadBalancer to access targets in TargetGroup. 425 | properties: 426 | ingress: 427 | description: List of ingress rules to allow ELBV2 LoadBalancer 428 | to access targets in TargetGroup. 429 | items: 430 | description: NetworkingIngressRule defines a particular set 431 | of traffic that is allowed to access TargetGroup's targets. 432 | properties: 433 | from: 434 | description: List of peers which should be able to access 435 | the targets in TargetGroup. At least one NetworkingPeer 436 | should be specified. 437 | items: 438 | description: NetworkingPeer defines the source/destination 439 | peer for networking rules. 440 | properties: 441 | ipBlock: 442 | description: IPBlock defines an IPBlock peer. If specified, 443 | none of the other fields can be set. 444 | properties: 445 | cidr: 446 | description: CIDR is the network CIDR. Both IPV4 447 | or IPV6 CIDR are accepted. 448 | type: string 449 | required: 450 | - cidr 451 | type: object 452 | securityGroup: 453 | description: SecurityGroup defines a SecurityGroup 454 | peer. If specified, none of the other fields can 455 | be set. 456 | properties: 457 | groupID: 458 | description: GroupID is the EC2 SecurityGroupID. 459 | type: string 460 | required: 461 | - groupID 462 | type: object 463 | type: object 464 | type: array 465 | ports: 466 | description: List of ports which should be made accessible 467 | on the targets in TargetGroup. If ports is empty or unspecified, 468 | it defaults to all ports with TCP. 469 | items: 470 | description: NetworkingPort defines the port and protocol 471 | for networking rules. 472 | properties: 473 | port: 474 | anyOf: 475 | - type: integer 476 | - type: string 477 | description: The port which traffic must match. When 478 | NodePort endpoints(instance TargetType) is used, 479 | this must be a numerical port. When Port endpoints(ip 480 | TargetType) is used, this can be either numerical 481 | or named port on pods. if port is unspecified, it 482 | defaults to all ports. 483 | x-kubernetes-int-or-string: true 484 | protocol: 485 | description: The protocol which traffic must match. 486 | If protocol is unspecified, it defaults to TCP. 487 | enum: 488 | - TCP 489 | - UDP 490 | type: string 491 | type: object 492 | type: array 493 | required: 494 | - from 495 | - ports 496 | type: object 497 | type: array 498 | type: object 499 | nodeSelector: 500 | description: node selector for instance type target groups to only 501 | register certain nodes 502 | properties: 503 | matchExpressions: 504 | description: matchExpressions is a list of label selector requirements. 505 | The requirements are ANDed. 506 | items: 507 | description: A label selector requirement is a selector that 508 | contains values, a key, and an operator that relates the key 509 | and values. 510 | properties: 511 | key: 512 | description: key is the label key that the selector applies 513 | to. 514 | type: string 515 | operator: 516 | description: operator represents a key's relationship to 517 | a set of values. Valid operators are In, NotIn, Exists 518 | and DoesNotExist. 519 | type: string 520 | values: 521 | description: values is an array of string values. If the 522 | operator is In or NotIn, the values array must be non-empty. 523 | If the operator is Exists or DoesNotExist, the values 524 | array must be empty. This array is replaced during a strategic 525 | merge patch. 526 | items: 527 | type: string 528 | type: array 529 | required: 530 | - key 531 | - operator 532 | type: object 533 | type: array 534 | matchLabels: 535 | additionalProperties: 536 | type: string 537 | description: matchLabels is a map of {key,value} pairs. A single 538 | {key,value} in the matchLabels map is equivalent to an element 539 | of matchExpressions, whose key field is "key", the operator 540 | is "In", and the values array contains only "value". The requirements 541 | are ANDed. 542 | type: object 543 | type: object 544 | x-kubernetes-map-type: atomic 545 | serviceRef: 546 | description: serviceRef is a reference to a Kubernetes Service and 547 | ServicePort. 548 | properties: 549 | name: 550 | description: Name is the name of the Service. 551 | type: string 552 | port: 553 | anyOf: 554 | - type: integer 555 | - type: string 556 | description: Port is the port of the ServicePort. 557 | x-kubernetes-int-or-string: true 558 | required: 559 | - name 560 | - port 561 | type: object 562 | targetGroupARN: 563 | description: targetGroupARN is the Amazon Resource Name (ARN) for 564 | the TargetGroup. 565 | minLength: 1 566 | type: string 567 | targetType: 568 | description: targetType is the TargetType of TargetGroup. If unspecified, 569 | it will be automatically inferred. 570 | enum: 571 | - instance 572 | - ip 573 | type: string 574 | required: 575 | - serviceRef 576 | - targetGroupARN 577 | type: object 578 | status: 579 | description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding 580 | properties: 581 | observedGeneration: 582 | description: The generation observed by the TargetGroupBinding controller. 583 | format: int64 584 | type: integer 585 | type: object 586 | type: object 587 | served: true 588 | storage: true 589 | subresources: 590 | status: {} 591 | -------------------------------------------------------------------------------- /k8s/helm-charts/aws-load-balancer-controller/README.md: -------------------------------------------------------------------------------- 1 | # AWS Load Balancer Controller 2 | 3 | AWS Load Balancer controller Helm chart for Kubernetes 4 | 5 | ## TL;DR: 6 | ```sh 7 | helm repo add eks https://aws.github.io/eks-charts 8 | # If using IAM Roles for service account install as follows - NOTE: you need to specify both of the chart values `serviceAccount.create=false` and `serviceAccount.name=aws-load-balancer-controller` 9 | helm install aws-load-balancer-controller eks/aws-load-balancer-controller --set clusterName=my-cluster -n kube-system --set serviceAccount.create=false --set serviceAccount.name=aws-load-balancer-controller 10 | # If not using IAM Roles for service account 11 | helm install aws-load-balancer-controller eks/aws-load-balancer-controller --set clusterName=my-cluster -n kube-system 12 | ``` 13 | 14 | ## Introduction 15 | AWS Load Balancer controller manages the following AWS resources 16 | - Application Load Balancers to satisfy Kubernetes ingress objects 17 | - Network Load Balancers to satisfy Kubernetes service objects of type LoadBalancer with appropriate annotations 18 | 19 | ## Security updates 20 | **Note**: Deployed chart does not receive security updates automatically. You need to manually upgrade to a newer chart. 21 | #### Node isolation 22 | As a security best practice, we recommend isolating the controller deployment pods to specific node groups which run critical components. The helm chart provides parameters ```nodeSelector```, ```tolerations``` and ```affinity``` to configure node isolation. For more information, please refer to the guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#isolating-tenant-workloads-to-specific-nodes). 23 | 24 | ## Prerequisites 25 | - Supported Kubernetes Versions 26 | - Chart version v1.5.0+ requires Kubernetes 1.22+ 27 | - Chart version v1.4.0+ requires Kubernetes 1.19+ 28 | - Chart version v1.2.0 - v1.3.3 supports Kubernetes 1.16-1.21 29 | - Chart version v1.1.6 and before supports Kubernetes 1.15 30 | - IAM permissions 31 | - Helm v3 32 | - Optional dependencies 33 | - cert-manager 34 | - Prometheus Operator 35 | 36 | The controller runs on the worker nodes, so it needs access to the AWS ALB/NLB resources via IAM permissions. The 37 | IAM permissions can either be setup via IAM roles for ServiceAccount or can be attached directly to the worker node IAM roles. 38 | 39 | #### Setup IAM for ServiceAccount 40 | 1. Create IAM OIDC provider 41 | ``` 42 | eksctl utils associate-iam-oidc-provider \ 43 | --region \ 44 | --cluster \ 45 | --approve 46 | ``` 47 | 1. Download IAM policy for the AWS Load Balancer Controller 48 | ``` 49 | curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json 50 | ``` 51 | 1. Create an IAM policy called AWSLoadBalancerControllerIAMPolicy 52 | ``` 53 | aws iam create-policy \ 54 | --policy-name AWSLoadBalancerControllerIAMPolicy \ 55 | --policy-document file://iam-policy.json 56 | ``` 57 | Take note of the policy ARN that is returned 58 | 59 | 1. Create a IAM role and ServiceAccount for the Load Balancer controller, use the ARN from the step above 60 | ``` 61 | eksctl create iamserviceaccount \ 62 | --cluster= \ 63 | --namespace=kube-system \ 64 | --name=aws-load-balancer-controller \ 65 | --attach-policy-arn=arn:aws:iam:::policy/AWSLoadBalancerControllerIAMPolicy \ 66 | --approve 67 | ``` 68 | #### Setup IAM manually 69 | If not setting up IAM for ServiceAccount, apply the IAM policies from the following URL at minimum. 70 | ``` 71 | https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/main/docs/install/iam_policy.json 72 | ``` 73 | 74 | #### Upgrading from ALB ingress controller 75 | If migrating from ALB ingress controller, grant [additional IAM permissions](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy_v1_to_v2_additional.json). 76 | 77 | #### Upgrading from AWS Load Balancer controller v2.1.3 and earlier 78 | - Additional IAM permissions required, ensure you have granted the [required IAM permissions](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json). 79 | - CRDs need to be updated as follows 80 | ```shell script 81 | kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master" 82 | ``` 83 | - you can run helm upgrade without uninstalling the old chart completely 84 | 85 | #### Installing cert-manager 86 | 87 | If you are setting `enableCertManager: true` you need to have installed cert-manager and it's CRDs before installing this chart; to install [cert-manager](https://artifacthub.io/packages/helm/cert-manager/cert-manager) follow the installation guide. 88 | 89 | The controller helm chart requires the cert-manager with apiVersion `cert-manager.io/v1`. 90 | 91 | Set `cluster.dnsDomain` (default: `cluster.local`) to the actual DNS domain of your cluster to include the FQDN in requested TLS certificates. 92 | 93 | #### Installing the Prometheus Operator 94 | 95 | If you are setting `serviceMonitor.enabled: true` you need to have installed the Prometheus Operator ServiceMonitor CRD before installing this chart and have the operator running to collect the metrics. The easiest way to do this is to install the [kube-prometheus-stack](https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack) Helm chart using the installation guide. 96 | 97 | ## Installing the Chart 98 | **Note**: You need to uninstall aws-alb-ingress-controller. Please refer to the [upgrade](#Upgrade) section below before you proceed. 99 | **Note**: Starting chart version 1.4.1, you need to explicitly set `clusterSecretsPermissions.allowAllSecrets` to true to grant the controller permission to access all secrets for OIDC feature. We recommend configuring access to individual secrets resource separately [[link](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/examples/secrets_access/)]. 100 | 101 | Add the EKS repository to Helm: 102 | ```shell script 103 | helm repo add eks https://aws.github.io/eks-charts 104 | ``` 105 | 106 | Install the TargetGroupBinding CRDs: 107 | 108 | ```shell script 109 | kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master" 110 | ``` 111 | 112 | Install the AWS Load Balancer controller, if using iamserviceaccount 113 | ```shell script 114 | # NOTE: The clusterName value must be set either via the values.yaml or the Helm command line. The in the command 115 | # below should be replaced with name of your k8s cluster before running it. 116 | helm upgrade -i aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName= --set serviceAccount.create=false --set serviceAccount.name=aws-load-balancer-controller 117 | ``` 118 | 119 | Install the AWS Load Balancer controller, if not using iamserviceaccount 120 | ```shell script 121 | helm upgrade -i aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName= 122 | ``` 123 | 124 | ## Upgrade 125 | The new controller is backwards compatible with the existing ingress objects. However, it will not coexist with the older aws-alb-ingress-controller. 126 | The old controller must be uninstalled completely before installing the new version. 127 | ### Kubectl installation 128 | If you had installed the previous version via kubectl, uninstall as follows 129 | ```shell script 130 | $ kubectl delete deployment -n kube-system alb-ingress-controller 131 | $ kubectl delete clusterRole alb-ingress-controller 132 | $ kubectl delete ClusterRoleBinding alb-ingress-controller 133 | $ kubectl delete ServiceAccount -n kube-system alb-ingress-controller 134 | 135 | # Alternatively you can find the version of the controller and delete as follows 136 | $ kubectl describe deployment -n kube-system alb-ingress-controller |grep Image 137 | Image: docker.io/amazon/aws-alb-ingress-controller:v1.1.8 138 | # You can delete the deployment now 139 | $ kubectl delete deployment -n kube-system alb-ingress-controller 140 | # In this case, the version is v1.1.8, the rbac roles can be removed as follows 141 | $ kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.8/docs/examples/rbac-role.yaml 142 | ``` 143 | ### Helm installation 144 | If you had installed the incubator/aws-alb-ingress-controller Helm chart, uninstall as follows 145 | ```shell script 146 | # NOTE: If installed under a different chart name and namespace, please specify as appropriate 147 | $ helm delete aws-alb-ingress-controller -n kube-system 148 | ``` 149 | 150 | If you had installed the 0.1.x version of eks-charts/aws-load-balancer-controller chart earlier, the upgrade to chart version 1.0.0 will 151 | not work due to incompatibility of the webhook api version, uninstall as follows 152 | ```shell script 153 | $ helm delete aws-load-balancer-controller -n kube-system 154 | ``` 155 | 156 | ## Uninstalling the Chart 157 | ```sh 158 | helm delete aws-load-balancer-controller -n kube-system 159 | ``` 160 | 161 | If you setup IAM Roles for ServiceAccount, you can cleanup as follows 162 | ``` 163 | eksctl delete iamserviceaccount --cluster --namespace kube-system --name aws-load-balancer-controller 164 | ``` 165 | 166 | ## HA configuration 167 | Chart release v1.2.0 and later enables high availability configuration by default. 168 | - The default number of replicas is 2. You can pass`--set replicaCount=1` flag during chart installation to disable this. Due to leader election, only one controller will actively reconcile resources. 169 | - The default priority class for the controller pods is `system-cluster-critical` 170 | - Soft pod anti-affinity is enabled for controller pods with `topologyKey: kubernetes.io/hostname` if you don't configure custom affinity and set `configureDefaultAffinity` to `true` 171 | - Pod disruption budget (PDB) has not been set by default. If you plan on running at least 2 controller pods, you can pass `--set podDisruptionBudget.maxUnavailable=1` flag during chart installation 172 | 173 | ## Configuration 174 | 175 | The following tables lists the configurable parameters of the chart and their default values. 176 | The default values set by the application itself can be confirmed [here](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/configurations/#controller-configuration-options). 177 | 178 | | Parameter | Description | Default | 179 | |------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------| 180 | | `image.repository` | image repository | `public.ecr.aws/eks/aws-load-balancer-controller` | 181 | | `image.tag` | image tag | `` | 182 | | `image.pullPolicy` | image pull policy | `IfNotPresent` | 183 | | `clusterName` | Kubernetes cluster name | None | 184 | | `cluster.dnsDomain` | DNS domain of the Kubernetes cluster, included in TLS certificate requests | `cluster.local` | 185 | | `securityContext` | Set to security context for pod | `{}` | 186 | | `resources` | Controller pod resource requests & limits | `{}` | 187 | | `priorityClassName` | Controller pod priority class | system-cluster-critical | 188 | | `nodeSelector` | Node labels for controller pod assignment | `{}` | 189 | | `tolerations` | Controller pod toleration for taints | `{}` | 190 | | `affinity` | Affinity for pod assignment | `{}` | 191 | | `configureDefaultAffinity` | Configure soft pod anti-affinity if custom affinity is not configured | `true` | 192 | | `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `{}` | 193 | | `deploymentAnnotations` | Annotations to add to deployment | `{}` | 194 | | `podAnnotations` | Annotations to add to each pod | `{}` | 195 | | `podLabels` | Labels to add to each pod | `{}` | 196 | | `additionalLabels` | Labels to add to all components | `{}` | 197 | | `rbac.create` | if `true`, create and use RBAC resources | `true` | 198 | | `serviceAccount.annotations` | optional annotations to add to service account | None | 199 | | `serviceAccount.automountServiceAccountToken` | Automount API credentials for a Service Account | `true` | 200 | | `serviceAccount.imagePullSecrets` | List of image pull secrets to add to the Service Account | `[]` | 201 | | `serviceAccount.create` | If `true`, create a new service account | `true` | 202 | | `serviceAccount.name` | Service account to be used | None | 203 | | `terminationGracePeriodSeconds` | Time period for controller pod to do a graceful shutdown | 10 | 204 | | `ingressClass` | The ingress class to satisfy | alb | 205 | | `createIngressClassResource` | Create ingressClass resource | true | 206 | | `ingressClassParams.name` | IngressClassParams resource's name, default to the aws load balancer controller's name | None | 207 | | `ingressClassParams.create` | If `true`, create a new ingressClassParams | true | 208 | | `ingressClassParams.spec` | IngressClassParams defined ingress specifications | {} | 209 | | `region` | The AWS region for the kubernetes cluster | None | 210 | | `vpcId` | The VPC ID for the Kubernetes cluster | None | 211 | | `awsApiEndpoints` | Custom AWS API Endpoints | None | 212 | | `awsApiThrottle` | Custom AWS API throttle settings | None | 213 | | `awsMaxRetries` | Maximum retries for AWS APIs | None | 214 | | `defaultTargetType` | Default target type. Used as the default value of the `alb.ingress.kubernetes.io/target-type` and `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.`Possible values are `ip` and `instance`. | `instance` | 215 | | `enablePodReadinessGateInject` | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods | None | 216 | | `enableShield` | Enable Shield addon for ALB | None | 217 | | `enableWaf` | Enable WAF addon for ALB | None | 218 | | `enableWafv2` | Enable WAF V2 addon for ALB | None | 219 | | `ingressMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for ingress | None | 220 | | `logLevel` | Set the controller log level - info, debug | None | 221 | | `metricsBindAddr` | The address the metric endpoint binds to | "" | 222 | | `webhookBindPort` | The TCP port the Webhook server binds to | None | 223 | | `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" | 224 | | `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" | 225 | | `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" | 226 | | `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None | 227 | | `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` | 228 | | `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` | 229 | | `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None | 230 | | `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None | 231 | | `targetgroupbindingMaxExponentialBackoffDelay` | Maximum duration of exponential backoff for targetGroupBinding reconcile failures | None | 232 | | `syncPeriod` | Period at which the controller forces the repopulation of its local object stores | None | 233 | | `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched | None | 234 | | `disableIngressClassAnnotation` | Disables the usage of kubernetes.io/ingress.class annotation | None | 235 | | `disableIngressGroupNameAnnotation` | Disables the usage of alb.ingress.kubernetes.io/group.name annotation | None | 236 | | `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None | 237 | | `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` | 238 | | `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) | 239 | | `env` | Environment variables to set for aws-load-balancer-controller pod | None | 240 | | `hostNetwork` | If `true`, use hostNetwork | `false` | 241 | | `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` | 242 | | `extraVolumeMounts` | Extra volume mounts for the pod | `[]` | 243 | | `extraVolumes` | Extra volumes for the pod | `[]` | 244 | | `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` | 245 | | `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` | 246 | | `podDisruptionBudget` | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes | `{}` | 247 | | `updateStrategy` | Defines the update strategy for the deployment | `{}` | 248 | | `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` | 249 | | `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` | 250 | | `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` | 251 | | `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` | 252 | | `disableRestrictedSecurityGroupRules` | If disabled, controller will not specify port range restriction in the backend security group rules | `false` | 253 | | `objectSelector.matchExpressions` | Webhook configuration to select specific pods by specifying the expression to be matched | None | 254 | | `objectSelector.matchLabels` | Webhook configuration to select specific pods by specifying the key value label pair to be matched | None | 255 | | `serviceMonitor.enabled` | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed | `false` | 256 | | `serviceMonitor.additionalLabels` | Labels to add to the service account | `{}` | 257 | | `serviceMonitor.interval` | Prometheus scrape interval | `1m` | 258 | | `serviceMonitor.namespace` | Namespace in which Prometheus is running | None | 259 | | `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. | `false` | 260 | | `controllerConfig.featureGates` | set of `key: value` pairs that describe AWS load balance controller features | `{}` | 261 | | `ingressClassConfig.default` | If `true`, the ingressclass will be the default class of the cluster. | `false` | 262 | | `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` | 263 | --------------------------------------------------------------------------------