├── .gitignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── README_PT-BR.md ├── eks_configs ├── cluster_{{cookiecutter.cluster_name}}_configs │ ├── cluster-template.yaml │ └── manifests │ │ ├── 00-aws-auth-nodes │ │ └── README.md │ │ ├── 02-kube2iam │ │ ├── 00-servicek2iam.yaml │ │ ├── 01-clusterrole.yaml │ │ └── 02-kube2iamDS.yaml │ │ ├── 03-alb-ingress-controller │ │ ├── alb-ingress-controller.yaml │ │ └── rbac-role.yaml │ │ ├── 04-metric-server │ │ ├── aggregated-metrics-reader.yaml │ │ ├── auth-delegator.yaml │ │ ├── auth-reader.yaml │ │ ├── metrics-apiservice.yaml │ │ ├── metrics-server-deployment.yaml │ │ ├── metrics-server-service.yaml │ │ └── resource-reader.yaml │ │ ├── 06-external-dns │ │ └── external-dns.yaml │ │ ├── 07-kubernetes-dashboard │ │ ├── eks-admin-service-account.yaml │ │ ├── kubernetes-dashboard-service.yaml │ │ └── kubernetes-dashboard.yaml │ │ └── 08-cluster-autoscaling │ │ ├── README.md │ │ └── cluster_autoscaler.yml └── cookiecutter.json ├── examples ├── cluster-creation │ ├── README.md │ ├── cluster.yaml │ └── manifests │ │ ├── 00-aws-auth-nodes │ │ └── aws-auth-cm.yaml │ │ ├── 02-kube2iam │ │ ├── 00-servicek2iam.yaml │ │ ├── 01-clusterrole.yaml │ │ └── 02-kube2iamDS.yaml │ │ ├── 03-alb-ingress-controller │ │ ├── alb-ingress-controller.yaml │ │ └── rbac-role.yaml │ │ ├── 04-metric-server │ │ ├── aggregated-metrics-reader.yaml │ │ ├── auth-delegator.yaml │ │ ├── auth-reader.yaml │ │ ├── metrics-apiservice.yaml │ │ ├── metrics-server-deployment.yaml │ │ ├── metrics-server-service.yaml │ │ └── resource-reader.yaml │ │ ├── 06-external-dns │ │ └── external-dns.yaml │ │ ├── 07-kubernetes-dashboard │ │ ├── eks-admin-service-account.yaml │ │ ├── kubernetes-dashboard-service.yaml │ │ └── kubernetes-dashboard.yaml │ │ └── 08-cluster-autoscaling │ │ └── cluster_autoscaler.yml └── java-application-example │ ├── .classpath │ ├── .project │ ├── .settings │ ├── org.eclipse.core.resources.prefs │ ├── 
org.eclipse.jdt.apt.core.prefs │ ├── org.eclipse.jdt.core.prefs │ └── org.eclipse.m2e.core.prefs │ ├── Dockerfile │ ├── HELP.md │ ├── README.md │ ├── README_PT-BR.md │ ├── docker-compose.yml │ ├── kubernetes │ ├── 01-configmap.yaml │ ├── 02-deployment.yaml │ ├── 03-service.yaml │ └── 05-hpa.yaml │ ├── mvnw │ ├── mvnw.cmd │ ├── pom.xml │ └── src │ ├── main │ ├── java │ │ └── aws │ │ │ └── example │ │ │ └── k8spoc │ │ │ ├── K8spocApplication.java │ │ │ ├── controller │ │ │ └── S3Controller.java │ │ │ └── model │ │ │ ├── bean │ │ │ └── S3.java │ │ │ └── service │ │ │ └── S3Service.java │ └── resources │ │ └── application.properties │ └── test │ └── java │ └── aws │ └── example │ └── k8spoc │ └── K8spocApplicationTests.java ├── images ├── cluster_diagram.png └── policy-kube2iam.jpg └── infraestructure ├── .gitignore ├── README.md ├── app.py ├── cdk.json ├── infraestructure ├── __init__.py ├── iam_stack.py └── vpc_stack.py ├── requirements.txt ├── setup.py └── source.bat /.gitignore: -------------------------------------------------------------------------------- 1 | *-new_configs 2 | 3 | # Created by https://www.gitignore.io/api/java,java-web 4 | # Edit at https://www.gitignore.io/?templates=java,java-web 5 | 6 | ### Java ### 7 | # Compiled class file 8 | *.class 9 | 10 | # Log file 11 | *.log 12 | 13 | # BlueJ files 14 | *.ctxt 15 | 16 | # Mobile Tools for Java (J2ME) 17 | .mtj.tmp/ 18 | 19 | # Package Files # 20 | *.jar 21 | *.war 22 | *.nar 23 | *.ear 24 | *.zip 25 | *.tar.gz 26 | *.rar 27 | 28 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 29 | hs_err_pid* 30 | 31 | ### Java-Web ### 32 | ## ignoring target file 33 | target/ 34 | 35 | # End of https://www.gitignore.io/api/java,java-web 36 | 37 | 38 | # Created by https://www.gitignore.io/api/visualstudiocode 39 | # Edit at https://www.gitignore.io/?templates=visualstudiocode 40 | 41 | ### VisualStudioCode ### 42 | .vscode/* 43 | !.vscode/settings.json 44 | 
!.vscode/tasks.json 45 | !.vscode/launch.json 46 | !.vscode/extensions.json 47 | 48 | ### VisualStudioCode Patch ### 49 | # Ignore all local history of files 50 | .history 51 | 52 | # End of https://www.gitignore.io/api/visualstudiocode 53 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. 
Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *master* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 
49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | 61 | We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes. 62 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
15 | 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # EKS Cluster Demo 2 | 3 | The purpose of this repository is to demonstrate the use of [eksctl](https://eksctl.io) to provision a highly available EKS cluster in your AWS account with managed node groups. 4 | 5 | * This demo was tested in the us-east-1 (Virginia) region. 6 | 7 | ## Prerequisites 8 | 9 | * Pre-configured AWS access credentials, [how to configure](https://docs.aws.amazon.com/pt_br/sdk-for-java/v1/developer-guide/setup-credentials.html) 10 | * [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) 11 | * [eksctl](https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html#installing-eksctl) 12 | * [aws-cli](https://docs.aws.amazon.com/pt_br/cli/latest/userguide/cli-chap-install.html) 13 | * [cookiecutter](https://cookiecutter.readthedocs.io/en/1.7.0/index.html) to generate the cluster.yaml required to create the cluster using eksctl 14 | * [aws cdk](https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html) 15 | 16 | ## Creating the cluster prerequisites 17 | 18 | In this repository you will find a folder called [infraestructure](./infraestructure) containing a CDK template that provisions everything the cluster needs, such as the AWS IAM roles. 
19 | 20 | ```shell 21 | cdk deploy iam-stack vpc 22 | ``` 23 | 24 | This will create all the AWS components that your EKS cluster will need, e.g. **VPC, IAM Roles** 25 | 26 | ### Outputs: 27 | 28 | ``` 29 | Outputs: 30 | iam-stack.eksrole = arn:aws:iam::xxxxxx:role/eksClusterRoleNew 31 | 32 | Outputs: 33 | vpc.VpcID = vpc-xxxxxxxx 34 | vpc.VpcCidr = 10.10.0.0/16 35 | vpc.AvailabilityZones = ['us-east-1a', 'us-east-1b'] 36 | vpc.Region = us-east-1 37 | vpc.PublicSubnetsIds = ['subnet-xxxxxxx', 'subnet-xxxxxxx'] 38 | vpc.PrivateSubnetsIds = ['subnet-xxxxxxx', 'subnet-xxxxxxx'] 39 | ``` 40 | 41 | The above outputs will be used to create your EKS cluster 42 | 43 | ## Creating your first cluster using eksctl 44 | 45 | Now it is time to create your EKS cluster template that eksctl will use to create your Kubernetes stack. 46 | 47 | * Run the following command so cookiecutter can create the eks.yaml template: 48 | ```shell 49 | cookiecutter eks_configs 50 | ``` 51 | 52 | * The following questions will be displayed; after filling them in, a folder will be created at the root of the repository with the name you defined for the cluster. 
53 | 54 | ``` 55 | cluster_name [Your cluster name, eg: poc-cluster]: poc-cluster-test 56 | region [Region name to provision, ex: us-east-1]: us-east-1 57 | vpc_id [Your VPC id, eg: vpc-00000000]: vpc-00000000 58 | vpc_cidr [VPC CIDR, eg: 10.10.0.0/16]: 10.2.0.0/16 59 | availability_zone_1 [The first availability zone, eg: us-east-1a]: us-east-1a 60 | availability_zone_2 [The second availability zone, eg: us-east-1b]: us-east-1b 61 | subnet_priv_1a [O ID da primeira subnet privada, ex: subnet-00000000]: subnet-0000000 62 | subnet_priv_1a_cidr [The CIDR of the above subnet, eg: 10.10.2.0/24]: 10.2.2.0/24 63 | subnet_priv_1b [The second private subnet id [us-east-1b], ex: subnet-00000000]: subnet-0000000 64 | subnet_priv_1b_cidr [The CIDR of the above subnet, eg: 10.10.3.0/24]: 10.2.3.0/24 65 | subnet_pub_1a [The first public subnet id [us-east-1a], ex: subnet-00000000]: subnet-000000 66 | subnet_pub_1a_cidr [The CIDR of the above subnet, eg: 10.10.0.0/24]: 10.2.0.0/24 67 | subnet_pub_1b The second public subnet id [us-east-1b], ex: subnet-00000000]: subnet-000000 68 | subnet_pub_1b_cidr [The CIDR of the above subnet, eg: 10.10.1.0/24]: 10.2.1.0/24 69 | eks_service_role [The eks cluster role]: 70 | ``` 71 | 72 | **eks_service_role**: the EKS cluster role that CDK created earlier. 73 | 74 | * After the template creation it's time to create our cluster, so run the following command (replace `<cluster_folder>` with the folder cookiecutter created): 75 | ```shell 76 | eksctl create cluster -f <cluster_folder>/cluster-template.yaml 77 | ``` 78 | It will take some time, so be patient 79 | 80 | * After the cluster creation it's time to update your local kubeconfig; run the following command 81 | ```shell 82 | aws eks --region <region> update-kubeconfig --name <cluster_name> 83 | ``` 84 | 85 | * Go to the console and tag your subnets with the public- and private-specific tags below; those tags are used to provision public and private load balancers. 
86 | ``` 87 | Private Subnets - kubernetes.io/role/internal-elb: 1 88 | Public Subnets - kubernetes.io/role/elb: 1 89 | ``` 90 | 91 | ## Applying extra Kubernetes manifests to create useful components 92 | 93 | This step is optional, but we are going to add some useful features to our cluster, like: 94 | 95 | - [Cluster Autoscaler](https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html) 96 | - [Kube2Iam](https://github.com/jtblin/kube2iam) 97 | - [Metric Server](https://github.com/kubernetes-sigs/metrics-server) 98 | 99 | **TIP**: Every time **<cluster_folder>** appears, replace it with the folder name that cookiecutter created 100 | 101 | **Metric Server** 102 | 103 | ```shell 104 | kubectl apply -f <cluster_folder>/manifests/04-metric-server 105 | ``` 106 | 107 | **Kube2Iam** 108 | 109 | Note that the kube2iam DaemonSet runs with `hostNetwork: true` and `privileged: true` on every node so it can install the iptables rules it relies on; review `02-kube2iamDS.yaml` before applying it. 110 | ```shell 111 | kubectl apply -f <cluster_folder>/manifests/02-kube2iam 112 | ``` 113 | 114 | **Cluster Autoscaler** 115 | 116 | Before creating the Cluster Autoscaler you need a few extra steps: since we are using kube2iam, we need to grant permission to the role of the managed nodes. 117 | 118 | * Get the managed nodes role. 
117 | 118 | Replace **<cluster_name>** with your cluster name 119 | 120 | ```shell 121 | aws eks describe-nodegroup --cluster-name <cluster_name> --nodegroup-name app-node-group | jq .nodegroup.nodeRole 122 | ``` 123 | 124 | Go to **<cluster_folder>/manifests/08-cluster-autoscaling/cluster_autoscaler.yaml** and replace **<node_role_arn>** with the role ARN you got above 125 | 126 | Now go to the AWS console, search for the IAM role you got above, open **Trust relationships**, click **Edit trust relationship** and place the following content (keep the `AWS` principal scoped to this single role ARN; a broader principal would let other identities assume the node role): 127 | 128 | ```json 129 | { 130 | "Version": "2012-10-17", 131 | "Statement": [ 132 | { 133 | "Effect": "Allow", 134 | "Principal": { 135 | "Service": "ec2.amazonaws.com" 136 | }, 137 | "Action": "sts:AssumeRole" 138 | }, 139 | { 140 | "Sid": "", 141 | "Effect": "Allow", 142 | "Principal": { 143 | "AWS": "<node_role_arn>" 144 | }, 145 | "Action": "sts:AssumeRole" 146 | } 147 | ] 148 | } 149 | ``` 150 | 151 | This is how it will look in the console. 152 | 153 |

154 | 155 |

156 | 157 | * Finally apply the manifest 158 | 159 | ```shell 160 | kubectl apply -f /manifests/08-cluster-autoscaling 161 | ``` 162 | 163 | ## Cluster architecture that will be provisioned 164 | 165 |

166 | 167 |

168 | 169 | 170 | ## Examples 171 | 172 | The **examples/cluster-creation** folder was created to make it easier to understand what will be generated by the cookiecutter with the previously populated values. 173 | 174 | ## Example application 175 | 176 | A Java application has been developed so that we can test our previously provisioned cluster, this application makes the call to the AWS API using a role with permissions (Permission is done through Kube2Iam) where it lists the contents of a bucket. 177 | 178 | Follow the [README](examples/java-application-example/README.md) to provision it in the cluster 179 | 180 | ## References 181 | 182 | https://github.com/weaveworks/eksctl 183 | https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html 184 | https://github.com/jtblin/kube2iam 185 | https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html 186 | 187 | ## Security 188 | 189 | See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. 190 | 191 | ## License 192 | 193 | This library is licensed under the MIT-0 License. See the LICENSE file. 
194 | -------------------------------------------------------------------------------- /README_PT-BR.md: -------------------------------------------------------------------------------- 1 | # EKS Cluster Demo 2 | 3 | O objetivo desse repositório é demonstrar a utilização do [eksctl](https://eksctl.io) para provisionar um cluster EKS em alta disponibilidade dentro de uma rede VPC já existente em sua conta na AWS 4 | 5 | ## Pré-Requisitos 6 | 7 | * [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) 8 | * [eksctl](https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html#installing-eksctl) 9 | * [aws-cli](https://docs.aws.amazon.com/pt_br/cli/latest/userguide/cli-chap-install.html) 10 | * VPC previamente configurada, pode ser encontrada nesse [repositório](https://github.com/BRCentralSA/aws-brazil-edu-series/blob/master/utils/vpc-template.yaml); necessário um mínimo de duas Zonas de disponibilidade e 4 subnets, 2 públicas e 2 privadas 11 | * Credenciais de acesso à AWS previamente configuradas em **~/.aws/credentials** (https://docs.aws.amazon.com/pt_br/sdk-for-java/v1/developer-guide/setup-credentials.html) 12 | * [cookiecutter](https://cookiecutter.readthedocs.io/en/1.7.0/index.html) para gerar o cluster.yaml necessário para criar o cluster utilizando o eksctl 13 | 14 | ## Criando seu primeiro cluster 15 | 16 | * Criar a Amazon EKS service role no console do IAM (https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html#role-create); essa role será utilizada posteriormente. 17 | 18 | * Execute o seguinte comando com o cookiecutter para gerar as configurações do seu cluster EKS: 19 | ```shell 20 | cookiecutter eks_configs 21 | ``` 22 | 23 | * As seguintes perguntas serão exibidas; após preenchê-las, uma pasta será criada na raiz do repositório com o nome que você definiu para o cluster. Entre nela e siga os passos do README.md. 
24 | 25 | ``` 26 | cluster_name [Nome do cluster, ex: poc-cluster]: poc-cluster-test 27 | region [Nome da reigião, ex: us-east-1]: us-east-1 28 | vpc_id [ID da VPC da sua conta, ex: vpc-00000000]: vpc-00000000 29 | vpc_cidr [CIDR da VPC, ex: 10.0.0.0/16]: 10.2.0.0/16 30 | availability_zone_1 [A primeira zona de disponibilidade, ex: us-east-1a]: us-east-1a 31 | availability_zone_2 [A segunda zona de disponibilidade, ex: us-east-1b]: us-east-1b 32 | subnet_priv_1a [O ID da primeira subnet privada, ex: subnet-00000000]: subnet-0000000 33 | subnet_priv_1a_cidr [O CIDR da primeira subnet privada, ex: 10.0.0.0/24]: 10.2.2.0/24 34 | subnet_priv_1b [O ID da segunda subnet privada, ex: subnet-00000000]: subnet-0000000 35 | subnet_priv_1b_cidr [O CIDR da segunda subnet privada: 10.1.0.0/24]: 10.2.3.0/24 36 | subnet_pub_1a [O ID da primeira subnet publica, ex: subnet-00000000]: subnet-000000 37 | subnet_pub_1a_cidr [O CIDR da primeira subnet publica, ex: 10.2.0.0/24]: 10.2.0.0/24 38 | subnet_pub_1b [O ID da segunda subnet publica, ex: subnet-00000000]: subnet-000000 39 | subnet_pub_1b_cidr [O CIDR da segunda subnet publica: 10.3.0.0/24]: 10.2.1.0/24 40 | eks_service_role [O ARN da role criada anteriormente]: 41 | ``` 42 | 43 | 44 | 45 | 46 | ## Arquitetura do cluster que será provisionado 47 | 48 |

49 | 50 |

51 | 52 | 53 | ## Exemplos 54 | 55 | A pasta **examples/cluster-creation** foi criada para facilitar o entendimento do que será gerado pelo cookiecutter com os valores previamente preenchidos. 56 | 57 | ## Aplicação Exemplo 58 | 59 | Foi desenvolvida uma aplicação Java para podermos testar o nosso cluster provisionado anteriormente; essa aplicação realiza a chamada para a API da AWS utilizando uma role com permissões (o permissionamento é feito através do Kube2Iam) e lista o conteúdo de um bucket. 60 | 61 | Siga as instruções do [README](examples/java-application-example/README.md) para provisioná-la no cluster 62 | 63 | ## Referências 64 | 65 | https://github.com/weaveworks/eksctl 66 | https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html 67 | https://github.com/jtblin/kube2iam 68 | https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/cluster-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: eksctl.io/v1alpha5 2 | kind: ClusterConfig 3 | 4 | metadata: 5 | name: {{cookiecutter.cluster_name}} 6 | region: {{cookiecutter.region}} 7 | 8 | vpc: # Existing Amazon VPC. NOTE: publicAccess: true exposes the API server endpoint to the internet unless vpc.publicAccessCIDRs restricts the source ranges. 9 | clusterEndpoints: 10 | publicAccess: true 11 | privateAccess: true 12 | id: "{{cookiecutter.vpc_id}}" 13 | cidr: "{{cookiecutter.vpc_cidr}}" 14 | subnets: # Definir todas as Subnets para que seus Masters possam estar alocados. 
15 | private: # TODO: suporte para mais regiões 16 | {{cookiecutter.availability_zone_1}}: 17 | id: "{{cookiecutter.subnet_priv_1a}}" 18 | cidr: "{{cookiecutter.subnet_priv_1a_cidr}}" 19 | 20 | {{cookiecutter.availability_zone_2}}: 21 | id: "{{cookiecutter.subnet_priv_1b}}" 22 | cidr: "{{cookiecutter.subnet_priv_1b_cidr}}" 23 | 24 | public: 25 | {{cookiecutter.availability_zone_1}}: 26 | id: "{{cookiecutter.subnet_pub_1a}}" 27 | cidr: "{{cookiecutter.subnet_pub_1a_cidr}}" 28 | 29 | {{cookiecutter.availability_zone_2}}: 30 | id: "{{cookiecutter.subnet_pub_1b}}" 31 | cidr: "{{cookiecutter.subnet_pub_1b_cidr}}" 32 | 33 | iam: 34 | serviceRoleARN: "{{cookiecutter.eks_service_role}}" 35 | 36 | # Example with managed node group for Amazon EKS 37 | managedNodeGroups: 38 | - name: app-node-group 39 | instanceType: t2.medium 40 | minSize: 3 41 | desiredCapacity: 3 42 | maxSize: 10 43 | availabilityZones: ["{{cookiecutter.availability_zone_1}}", "{{cookiecutter.availability_zone_2}}"] 44 | volumeSize: 20 45 | privateNetworking: true # Provisionar as instâncias dos Nodes somente em subnets privadas 46 | 47 | ssh: 48 | allow: false # Se voce quiser habilitar SSH passe a chave publica que sera enviada para o servidor 49 | # publicKeyPath: ~/.ssh/ec2_id_rsa.pub 50 | # sourceSecurityGroupIds: [""] 51 | 52 | labels: {role: worker} # Labels que vão ser aplicadas a nivel do K8s 53 | tags: # Tags que serão aplicadas nas Ec2 54 | nodegroup-role: worker 55 | k8s.io/cluster-autoscaler/{{cookiecutter.cluster_name}}: owned 56 | k8s.io/cluster-autoscaler/enabled: "true" # Não pode ser booleano 57 | Name: {{cookiecutter.cluster_name}}-nodes 58 | 59 | 60 | # Você pode definir uma Role ou escolher que o eksctl crie as Policies para você 61 | iam: 62 | attachPolicyARNs: 63 | - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy 64 | - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly 65 | - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy 66 | # instanceRoleARN: 
"arn:aws:iam::00000:role/NodeInstanceRole" # Se voce quiser utilizar um Role ja existente 67 | withAddonPolicies: # Adiciona policies na role dos Nodes para controllers adicionais do cluster 68 | imageBuilder: false 69 | autoScaler: true 70 | externalDNS: true 71 | certManager: true 72 | appMesh: true 73 | ebs: true 74 | fsx: true 75 | efs: true 76 | albIngress: true 77 | xRay: true 78 | cloudWatch: true 79 | 80 | cloudWatch: # Configuração do export dos logs do ControlPlane para o Cloudtwatch 81 | clusterLogging: 82 | # enable specific types of cluster control plane logs 83 | enableTypes: ["audit", "authenticator", "controllerManager"] 84 | # all supported types: "api", "audit", "authenticator", "controllerManager", "scheduler" 85 | # supported special values: "*" and "all" 86 | 87 | # Those are old node groups, that are just ASG with specifc AMI for registration under K8S 88 | 89 | # nodeGroups: 90 | # - name: ng-1 91 | 92 | # instanceType: m5.large 93 | # desiredCapacity: 3 94 | # iam: 95 | # instanceProfileARN: "arn:aws:iam::11111:instance-profile/eks-nodes-base-role" 96 | # instanceRoleARN: "arn:aws:iam::1111:role/eks-nodes-base-role" 97 | # privateNetworking: true 98 | # securityGroups: 99 | # withShared: true 100 | # withLocal: true 101 | # attachIDs: ['sg-11111', 'sg-11112'] 102 | # ssh: 103 | # publicKeyName: 'my-instance-key' 104 | # tags: 105 | # 'environment:basedomain': 'example.org' -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/00-aws-auth-nodes/README.md: -------------------------------------------------------------------------------- 1 | # AWS Auth Nodes 2 | {% raw %} 3 | Quando você cria um cluster do Amazon EKS, o usuário ou a função da entidade do IAM, como um usuário federado que cria o cluster, recebe automaticamente sistema: permissões mestres na configuração do RBAC do cluster. 
Para conceder a usuários ou funções adicionais da AWS a capacidade de interagir com seu cluster, edite o ConfigMap do aws-auth no Kubernetes. 4 | 5 | Para conseguir o YAML execute o seguinte comando: 6 | 7 | ```shell 8 | kubectl describe configmap -n kube-system aws-auth 9 | ``` 10 | 11 | Ele retornará um YAML onde você conseguirá realizar a adição de usuários e roles para administrar o cluster. Observe que o grupo `system:masters` equivale a cluster-admin: mapeie nele apenas identidades de administração e use grupos com permissões mais restritas para os demais usuários e roles. 12 | 13 | Exemplo: 14 | 15 | ```yaml 16 | apiVersion: v1 17 | kind: ConfigMap 18 | metadata: 19 | name: aws-auth 20 | namespace: kube-system 21 | data: 22 | mapRoles: | 23 | - rolearn: <NODE_INSTANCE_ROLE_ARN> 24 | username: system:node:{{EC2PrivateDNSName}} 25 | groups: 26 | - system:bootstrappers 27 | - system:nodes 28 | mapUsers: | 29 | - userarn: IAM_USER_ARN 30 | username: MY_USER 31 | groups: 32 | - system:masters 33 | 34 | ``` 35 | {% endraw %} -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/02-kube2iam/00-servicek2iam.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: kube2iam 6 | namespace: default 7 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/02-kube2iam/01-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: kube2iam 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - namespaces 11 | - pods 12 | verbs: 13 | - get 14 | - watch 15 | - list 16 | --- 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | kind: ClusterRoleBinding 19 | metadata: 20 | name: kube2iam 21 | subjects: 22 | - kind: ServiceAccount 23 | name: kube2iam 24 | namespace: default 25 | roleRef: 26 | kind: ClusterRole 27 | name: kube2iam 28 | apiGroup: 
rbac.authorization.k8s.io 29 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/02-kube2iam/02-kube2iamDS.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: DaemonSet 4 | metadata: 5 | name: kube2iam 6 | namespace: default 7 | labels: 8 | app: kube2iam 9 | spec: 10 | selector: 11 | matchLabels: 12 | name: kube2iam 13 | updateStrategy: 14 | type: RollingUpdate 15 | template: 16 | metadata: 17 | labels: 18 | name: kube2iam 19 | spec: 20 | serviceAccountName: kube2iam 21 | hostNetwork: true 22 | containers: 23 | - image: jtblin/kube2iam:0.10.7 24 | imagePullPolicy: Always 25 | name: kube2iam 26 | args: 27 | - "--auto-discover-base-arn" 28 | - "--auto-discover-default-role=true" 29 | - "--iptables=true" 30 | - "--host-ip=$(HOST_IP)" 31 | - "--node=$(NODE_NAME)" 32 | - "--host-interface=eni+" 33 | env: 34 | - name: HOST_IP 35 | valueFrom: 36 | fieldRef: 37 | fieldPath: status.podIP 38 | - name: NODE_NAME 39 | valueFrom: 40 | fieldRef: 41 | fieldPath: spec.nodeName 42 | ports: 43 | - containerPort: 8181 44 | hostPort: 8181 45 | name: http 46 | securityContext: 47 | privileged: true 48 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/03-alb-ingress-controller/alb-ingress-controller.yaml: -------------------------------------------------------------------------------- 1 | # Application Load Balancer (ALB) Ingress Controller Deployment Manifest. 2 | # This manifest details sensible defaults for deploying an ALB Ingress Controller. 
3 | # GitHub: https://github.com/kubernetes-sigs/aws-alb-ingress-controller 4 | apiVersion: apps/v1 5 | kind: Deployment 6 | metadata: 7 | labels: 8 | app.kubernetes.io/name: alb-ingress-controller 9 | name: alb-ingress-controller 10 | # Namespace the ALB Ingress Controller should run in. Does not impact which 11 | # namespaces it's able to resolve ingress resource for. For limiting ingress 12 | # namespace scope, see --watch-namespace. 13 | namespace: kube-system 14 | spec: 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/name: alb-ingress-controller 18 | template: 19 | metadata: 20 | labels: 21 | app.kubernetes.io/name: alb-ingress-controller 22 | spec: 23 | containers: 24 | - name: alb-ingress-controller 25 | args: 26 | # Limit the namespace where this ALB Ingress Controller deployment will 27 | # resolve ingress resources. If left commented, all namespaces are used. 28 | # - --watch-namespace=your-k8s-namespace 29 | 30 | # Setting the ingress-class flag below ensures that only ingress resources with the 31 | # annotation kubernetes.io/ingress.class: "alb" are respected by the controller. You may 32 | # choose any class you'd like for this controller to respect. 33 | - --ingress-class=alb 34 | 35 | # REQUIRED 36 | # Name of your cluster. Used when naming resources created 37 | # by the ALB Ingress Controller, providing distinction between 38 | # clusters. 39 | - --cluster-name={{cookiecutter.cluster_name}} 40 | 41 | # AWS VPC ID this ingress controller will use to create AWS resources. 42 | # If unspecified, it will be discovered from ec2metadata. 43 | # - --aws-vpc-id=vpc-xxxxxx 44 | 45 | # AWS region this ingress controller will operate in. 46 | # If unspecified, it will be discovered from ec2metadata. 47 | # List of regions: http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region 48 | # - --aws-region=us-west-1 49 | 50 | # Enables logging on all outbound requests sent to the AWS API. 51 | # If logging is desired, set to true. 
52 | # - --aws-api-debug 53 | # Maximum number of times to retry the aws calls. 54 | # defaults to 10. 55 | # - --aws-max-retries=10 56 | # env: 57 | # AWS key id for authenticating with the AWS API. 58 | # This is only here for examples. It's recommended you instead use 59 | # a project like kube2iam for granting access. 60 | #- name: AWS_ACCESS_KEY_ID 61 | # value: KEYVALUE 62 | 63 | # AWS key secret for authenticating with the AWS API. 64 | # This is only here for examples. It's recommended you instead use 65 | # a project like kube2iam for granting access. 66 | #- name: AWS_SECRET_ACCESS_KEY 67 | # value: SECRETVALUE 68 | # Repository location of the ALB Ingress Controller. 69 | image: docker.io/amazon/aws-alb-ingress-controller:v1.1.3 70 | serviceAccountName: alb-ingress-controller 71 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/03-alb-ingress-controller/rbac-role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: alb-ingress-controller 7 | name: alb-ingress-controller 8 | rules: 9 | - apiGroups: 10 | - "" 11 | - extensions 12 | resources: 13 | - configmaps 14 | - endpoints 15 | - events 16 | - ingresses 17 | - ingresses/status 18 | - services 19 | verbs: 20 | - create 21 | - get 22 | - list 23 | - update 24 | - watch 25 | - patch 26 | - apiGroups: 27 | - "" 28 | - extensions 29 | resources: 30 | - nodes 31 | - pods 32 | - secrets 33 | - services 34 | - namespaces 35 | verbs: 36 | - get 37 | - list 38 | - watch 39 | --- 40 | apiVersion: rbac.authorization.k8s.io/v1 41 | kind: ClusterRoleBinding 42 | metadata: 43 | labels: 44 | app.kubernetes.io/name: alb-ingress-controller 45 | name: alb-ingress-controller 46 | roleRef: 47 | apiGroup: rbac.authorization.k8s.io 48 | kind: ClusterRole 49 | name: 
alb-ingress-controller 50 | subjects: 51 | - kind: ServiceAccount 52 | name: alb-ingress-controller 53 | namespace: kube-system 54 | --- 55 | apiVersion: v1 56 | kind: ServiceAccount 57 | metadata: 58 | labels: 59 | app.kubernetes.io/name: alb-ingress-controller 60 | name: alb-ingress-controller 61 | namespace: kube-system 62 | ... 63 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/04-metric-server/aggregated-metrics-reader.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRole 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: system:aggregated-metrics-reader 5 | labels: 6 | rbac.authorization.k8s.io/aggregate-to-view: "true" 7 | rbac.authorization.k8s.io/aggregate-to-edit: "true" 8 | rbac.authorization.k8s.io/aggregate-to-admin: "true" 9 | rules: 10 | - apiGroups: ["metrics.k8s.io"] 11 | resources: ["pods", "nodes"] 12 | verbs: ["get", "list", "watch"] 13 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/04-metric-server/auth-delegator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: metrics-server:system:auth-delegator 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: system:auth-delegator 10 | subjects: 11 | - kind: ServiceAccount 12 | name: metrics-server 13 | namespace: kube-system 14 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/04-metric-server/auth-reader.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 
| kind: RoleBinding 4 | metadata: 5 | name: metrics-server-auth-reader 6 | namespace: kube-system 7 | roleRef: 8 | apiGroup: rbac.authorization.k8s.io 9 | kind: Role 10 | name: extension-apiserver-authentication-reader 11 | subjects: 12 | - kind: ServiceAccount 13 | name: metrics-server 14 | namespace: kube-system 15 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/04-metric-server/metrics-apiservice.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apiregistration.k8s.io/v1beta1 3 | kind: APIService 4 | metadata: 5 | name: v1beta1.metrics.k8s.io 6 | spec: 7 | service: 8 | name: metrics-server 9 | namespace: kube-system 10 | group: metrics.k8s.io 11 | version: v1beta1 12 | insecureSkipTLSVerify: true 13 | groupPriorityMinimum: 100 14 | versionPriority: 100 15 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/04-metric-server/metrics-server-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: metrics-server 6 | namespace: kube-system 7 | --- 8 | apiVersion: apps/v1 9 | kind: Deployment 10 | metadata: 11 | name: metrics-server 12 | namespace: kube-system 13 | labels: 14 | k8s-app: metrics-server 15 | spec: 16 | selector: 17 | matchLabels: 18 | k8s-app: metrics-server 19 | template: 20 | metadata: 21 | name: metrics-server 22 | labels: 23 | k8s-app: metrics-server 24 | spec: 25 | serviceAccountName: metrics-server 26 | volumes: 27 | # mount in tmp so we can safely use from-scratch images and/or read-only containers 28 | - name: tmp-dir 29 | emptyDir: {} 30 | containers: 31 | - name: metrics-server 32 | image: k8s.gcr.io/metrics-server-amd64:v0.3.5 33 | imagePullPolicy: Always 34 | 
command: 35 | - /metrics-server 36 | - --kubelet-preferred-address-types=InternalIP 37 | - --kubelet-insecure-tls 38 | volumeMounts: 39 | - name: tmp-dir 40 | mountPath: /tmp 41 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/04-metric-server/metrics-server-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: metrics-server 6 | namespace: kube-system 7 | labels: 8 | kubernetes.io/name: "Metrics-server" 9 | kubernetes.io/cluster-service: "true" 10 | spec: 11 | selector: 12 | k8s-app: metrics-server 13 | ports: 14 | - port: 443 15 | protocol: TCP 16 | targetPort: 443 17 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/04-metric-server/resource-reader.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: system:metrics-server 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - pods 11 | - nodes 12 | - nodes/stats 13 | - namespaces 14 | verbs: 15 | - get 16 | - list 17 | - watch 18 | --- 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: ClusterRoleBinding 21 | metadata: 22 | name: system:metrics-server 23 | roleRef: 24 | apiGroup: rbac.authorization.k8s.io 25 | kind: ClusterRole 26 | name: system:metrics-server 27 | subjects: 28 | - kind: ServiceAccount 29 | name: metrics-server 30 | namespace: kube-system 31 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/06-external-dns/external-dns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: 
ServiceAccount 3 | metadata: 4 | name: external-dns 5 | --- 6 | apiVersion: rbac.authorization.k8s.io/v1beta1 7 | kind: ClusterRole 8 | metadata: 9 | name: external-dns 10 | rules: 11 | - apiGroups: [""] 12 | resources: ["services"] 13 | verbs: ["get","watch","list"] 14 | - apiGroups: [""] 15 | resources: ["pods"] 16 | verbs: ["get","watch","list"] 17 | - apiGroups: ["extensions"] 18 | resources: ["ingresses"] 19 | verbs: ["get","watch","list"] 20 | - apiGroups: [""] 21 | resources: ["nodes"] 22 | verbs: ["list"] 23 | --- 24 | apiVersion: rbac.authorization.k8s.io/v1beta1 25 | kind: ClusterRoleBinding 26 | metadata: 27 | name: external-dns-viewer 28 | roleRef: 29 | apiGroup: rbac.authorization.k8s.io 30 | kind: ClusterRole 31 | name: external-dns 32 | subjects: 33 | - kind: ServiceAccount 34 | name: external-dns 35 | namespace: default 36 | --- 37 | apiVersion: apps/v1 38 | kind: Deployment 39 | metadata: 40 | name: external-dns 41 | spec: 42 | strategy: 43 | type: Recreate 44 | template: 45 | metadata: 46 | labels: 47 | app: external-dns 48 | spec: 49 | serviceAccountName: external-dns 50 | containers: 51 | - name: external-dns 52 | image: registry.opensource.zalan.do/teapot/external-dns:v0.5.9 53 | args: 54 | - --source=service 55 | - --source=ingress 56 | - --provider=aws 57 | - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization 58 | - --aws-zone-type= # only look at public hosted zones (valid values are public, private or no value for both) 59 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/07-kubernetes-dashboard/eks-admin-service-account.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: eks-admin 5 | namespace: kube-system 6 | --- 7 | apiVersion: rbac.authorization.k8s.io/v1beta1 8 | kind: 
ClusterRoleBinding 9 | metadata: 10 | name: eks-admin 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: cluster-admin 15 | subjects: 16 | - kind: ServiceAccount 17 | name: eks-admin 18 | namespace: kube-system 19 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/07-kubernetes-dashboard/kubernetes-dashboard-service.yaml: -------------------------------------------------------------------------------- 1 | # ------------------- Dashboard Service ------------------- # NOTE: type LoadBalancer with aws-load-balancer-internal: false requests an internet-facing ELB, and targetPort 9090 is the dashboard's plain-HTTP listener (the Deployment in kubernetes-dashboard.yaml runs it with --enable-insecure-login); keep this load balancer internal or restrict it with spec.loadBalancerSourceRanges, and quote the annotation value ("false") because annotation values must be strings. 2 | kind: Service 3 | apiVersion: v1 4 | metadata: 5 | annotations: 6 | service.beta.kubernetes.io/aws-load-balancer-internal: false 7 | labels: 8 | k8s-app: kubernetes-dashboard 9 | name: kubernetes-dashboard 10 | namespace: kube-system 11 | spec: 12 | ports: 13 | - port: 443 14 | targetPort: 9090 15 | type: LoadBalancer 16 | selector: 17 | k8s-app: kubernetes-dashboard 18 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/07-kubernetes-dashboard/kubernetes-dashboard.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2017 The Kubernetes Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # ------------------- Dashboard Secret ------------------- # 16 | 17 | apiVersion: v1 18 | kind: Secret 19 | metadata: 20 | labels: 21 | k8s-app: kubernetes-dashboard 22 | name: kubernetes-dashboard-certs 23 | namespace: kube-system 24 | type: Opaque 25 | 26 | --- 27 | # ------------------- Dashboard Service Account ------------------- # 28 | 29 | apiVersion: v1 30 | kind: ServiceAccount 31 | metadata: 32 | labels: 33 | k8s-app: kubernetes-dashboard 34 | name: kubernetes-dashboard 35 | namespace: kube-system 36 | 37 | --- 38 | # ------------------- Dashboard Role & Role Binding ------------------- # 39 | 40 | kind: Role 41 | apiVersion: rbac.authorization.k8s.io/v1 42 | metadata: 43 | name: kubernetes-dashboard-minimal 44 | namespace: kube-system 45 | rules: 46 | # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. 47 | - apiGroups: [""] 48 | resources: ["secrets"] 49 | verbs: ["create"] 50 | # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. 51 | - apiGroups: [""] 52 | resources: ["configmaps"] 53 | verbs: ["create"] 54 | # Allow Dashboard to get, update and delete Dashboard exclusive secrets. 55 | - apiGroups: [""] 56 | resources: ["secrets"] 57 | resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] 58 | verbs: ["get", "update", "delete"] 59 | # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. 60 | - apiGroups: [""] 61 | resources: ["configmaps"] 62 | resourceNames: ["kubernetes-dashboard-settings"] 63 | verbs: ["get", "update"] 64 | # Allow Dashboard to get metrics from heapster. 
65 | - apiGroups: [""] 66 | resources: ["services"] 67 | resourceNames: ["heapster"] 68 | verbs: ["proxy"] 69 | - apiGroups: [""] 70 | resources: ["services/proxy"] 71 | resourceNames: ["heapster", "http:heapster:", "https:heapster:"] 72 | verbs: ["get"] 73 | 74 | --- 75 | apiVersion: rbac.authorization.k8s.io/v1 76 | kind: RoleBinding 77 | metadata: 78 | name: kubernetes-dashboard-minimal 79 | namespace: kube-system 80 | roleRef: 81 | apiGroup: rbac.authorization.k8s.io 82 | kind: Role 83 | name: kubernetes-dashboard-minimal 84 | subjects: 85 | - kind: ServiceAccount 86 | name: kubernetes-dashboard 87 | namespace: kube-system 88 | 89 | --- 90 | # ------------------- Dashboard Deployment ------------------- # 91 | 92 | kind: Deployment 93 | apiVersion: apps/v1 94 | metadata: 95 | labels: 96 | k8s-app: kubernetes-dashboard 97 | name: kubernetes-dashboard 98 | namespace: kube-system 99 | spec: 100 | replicas: 1 101 | revisionHistoryLimit: 10 102 | selector: 103 | matchLabels: 104 | k8s-app: kubernetes-dashboard 105 | template: 106 | metadata: 107 | labels: 108 | k8s-app: kubernetes-dashboard 109 | spec: 110 | containers: 111 | - name: kubernetes-dashboard 112 | image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 113 | ports: 114 | - name: htttp 115 | containerPort: 9090 116 | protocol: TCP 117 | args: 118 | - --enable-insecure-login 119 | # Uncomment the following line to manually specify Kubernetes API server Host 120 | # If not specified, Dashboard will attempt to auto discover the API server and connect 121 | # to it. Uncomment only if the default does not work. 
122 | # - --apiserver-host=http://my-address:port 123 | volumeMounts: 124 | - name: kubernetes-dashboard-certs 125 | mountPath: /certs 126 | # Create on-disk volume to store exec logs 127 | - mountPath: /tmp 128 | name: tmp-volume 129 | livenessProbe: 130 | httpGet: 131 | scheme: HTTP 132 | path: / 133 | port: 9090 134 | initialDelaySeconds: 30 135 | timeoutSeconds: 30 136 | volumes: 137 | - name: kubernetes-dashboard-certs 138 | secret: 139 | secretName: kubernetes-dashboard-certs 140 | - name: tmp-volume 141 | emptyDir: {} 142 | serviceAccountName: kubernetes-dashboard 143 | # Comment the following tolerations if Dashboard must not be deployed on master 144 | tolerations: 145 | - key: node-role.kubernetes.io/master 146 | effect: NoSchedule 147 | -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/08-cluster-autoscaling/README.md: -------------------------------------------------------------------------------- 1 | # Cluster AutoScaler 2 | 3 | - Para que o Cluster Autoscaler funcione de maneira correta é necessário adicionar um policy na role criada pelo eksctl que permita com que o AutoScaler escale as máquinas baseado nas requisições dos deployments. 
(https://github.com/jtblin/kube2iam) 4 | 5 | Substituir no YAML 6 | 7 | ```yaml 8 | annotations: 9 | iam.amazonaws.com/role: arn:aws:iam::00000:role/eksctl-{{cookiecutter.cluster_name}}-nodegroup # Substituir com a sua role se estiver usando o Kube2iam 10 | ``` 11 | 12 | Pela role criada pelo eksctl conforme descrito acima -------------------------------------------------------------------------------- /eks_configs/cluster_{{cookiecutter.cluster_name}}_configs/manifests/08-cluster-autoscaling/cluster_autoscaler.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | labels: 5 | k8s-addon: cluster-autoscaler.addons.k8s.io 6 | k8s-app: cluster-autoscaler 7 | name: cluster-autoscaler 8 | namespace: kube-system 9 | --- 10 | apiVersion: rbac.authorization.k8s.io/v1beta1 11 | kind: ClusterRole 12 | metadata: 13 | name: cluster-autoscaler 14 | labels: 15 | k8s-addon: cluster-autoscaler.addons.k8s.io 16 | k8s-app: cluster-autoscaler 17 | rules: 18 | - apiGroups: [""] 19 | resources: ["events","endpoints"] 20 | verbs: ["create", "patch"] 21 | - apiGroups: [""] 22 | resources: ["pods/eviction"] 23 | verbs: ["create"] 24 | - apiGroups: [""] 25 | resources: ["pods/status"] 26 | verbs: ["update"] 27 | - apiGroups: [""] 28 | resources: ["endpoints"] 29 | resourceNames: ["cluster-autoscaler"] 30 | verbs: ["get","update"] 31 | - apiGroups: [""] 32 | resources: ["nodes"] 33 | verbs: ["watch","list","get","update"] 34 | - apiGroups: [""] 35 | resources: ["pods","services","replicationcontrollers","persistentvolumeclaims","persistentvolumes"] 36 | verbs: ["watch","list","get"] 37 | - apiGroups: ["extensions"] 38 | resources: ["replicasets","daemonsets"] 39 | verbs: ["watch","list","get"] 40 | - apiGroups: ["policy"] 41 | resources: ["poddisruptionbudgets"] 42 | verbs: ["watch","list"] 43 | - apiGroups: ["apps"] 44 | resources: ["statefulsets"] 45 | verbs: ["watch","list","get"] 46 | - 
apiGroups: ["storage.k8s.io"] 47 | resources: ["storageclasses"] 48 | verbs: ["watch","list","get"] 49 | 50 | --- 51 | apiVersion: rbac.authorization.k8s.io/v1beta1 52 | kind: Role 53 | metadata: 54 | name: cluster-autoscaler 55 | namespace: kube-system 56 | labels: 57 | k8s-addon: cluster-autoscaler.addons.k8s.io 58 | k8s-app: cluster-autoscaler 59 | rules: 60 | - apiGroups: [""] 61 | resources: ["configmaps"] 62 | verbs: ["create"] 63 | - apiGroups: [""] 64 | resources: ["configmaps"] 65 | resourceNames: ["cluster-autoscaler-status"] 66 | verbs: ["delete","get","update"] 67 | 68 | --- 69 | apiVersion: rbac.authorization.k8s.io/v1beta1 70 | kind: ClusterRoleBinding 71 | metadata: 72 | name: cluster-autoscaler 73 | labels: 74 | k8s-addon: cluster-autoscaler.addons.k8s.io 75 | k8s-app: cluster-autoscaler 76 | roleRef: 77 | apiGroup: rbac.authorization.k8s.io 78 | kind: ClusterRole 79 | name: cluster-autoscaler 80 | subjects: 81 | - kind: ServiceAccount 82 | name: cluster-autoscaler 83 | namespace: kube-system 84 | 85 | --- 86 | apiVersion: rbac.authorization.k8s.io/v1beta1 87 | kind: RoleBinding 88 | metadata: 89 | name: cluster-autoscaler 90 | namespace: kube-system 91 | labels: 92 | k8s-addon: cluster-autoscaler.addons.k8s.io 93 | k8s-app: cluster-autoscaler 94 | roleRef: 95 | apiGroup: rbac.authorization.k8s.io 96 | kind: Role 97 | name: cluster-autoscaler 98 | subjects: 99 | - kind: ServiceAccount 100 | name: cluster-autoscaler 101 | namespace: kube-system 102 | 103 | --- 104 | apiVersion: apps/v1 105 | kind: Deployment 106 | metadata: 107 | name: cluster-autoscaler 108 | namespace: kube-system 109 | annotations: 110 | iam.amazonaws.com/role: # Substituir com a sua role se estiver usando o Kube2iam 111 | labels: 112 | app: cluster-autoscaler 113 | spec: 114 | replicas: 1 115 | selector: 116 | matchLabels: 117 | app: cluster-autoscaler 118 | template: 119 | metadata: 120 | labels: 121 | app: cluster-autoscaler 122 | spec: 123 | serviceAccountName: 
cluster-autoscaler 124 | containers: 125 | - image: k8s.gcr.io/cluster-autoscaler:v1.2.2 126 | name: cluster-autoscaler 127 | resources: 128 | limits: 129 | cpu: 100m 130 | memory: 300Mi 131 | requests: 132 | cpu: 100m 133 | memory: 300Mi 134 | command: 135 | - ./cluster-autoscaler 136 | - --v=4 137 | - --stderrthreshold=info 138 | - --cloud-provider=aws 139 | - --skip-nodes-with-local-storage=false 140 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/{{cookiecutter.cluster_name}} 141 | - --balance-similar-node-groups 142 | - --skip-nodes-with-system-pods=false 143 | env: 144 | - name: AWS_REGION 145 | value: us-east-1 146 | volumeMounts: 147 | - name: ssl-certs 148 | mountPath: /etc/ssl/certs/ca-certificates.crt 149 | readOnly: true 150 | imagePullPolicy: "Always" 151 | volumes: 152 | - name: ssl-certs 153 | hostPath: 154 | path: "/etc/ssl/certs/ca-bundle.crt" 155 | -------------------------------------------------------------------------------- /eks_configs/cookiecutter.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_name": "Your cluster name, eg: poc-cluster", 3 | "region": "Region name to provision, ex: us-east-1", 4 | "vpc_id": "Your VPC id, eg: vpc-00000000", 5 | "vpc_cidr": "VPC CIDR, eg: 10.10.0.0/16", 6 | "availability_zone_1": "The first availability zone, eg: us-east-1a", 7 | "availability_zone_2": "The second availability zone, eg: us-east-1b", 8 | "subnet_priv_1a": "The first private subnet id [us-east-1a], eg: subnet-00000000", 9 | "subnet_priv_1a_cidr": "The CIDR of the above subnet, eg: 10.10.2.0/24", 10 | "subnet_priv_1b": "The second private subnet id [us-east-1b], ex: subnet-00000000", 11 | "subnet_priv_1b_cidr": "The CIDR of the above subnet, eg: 10.10.3.0/24", 12 | "subnet_pub_1a": "The first public subnet id [us-east-1a], eg: subnet-00000000", 13 | "subnet_pub_1a_cidr": "The CIDR of the above subnet, eg: 10.10.0.0/24", 14 | 
"subnet_pub_1b": "The second public subnet id [us-east-1b], eg: subnet-00000000", 15 | "subnet_pub_1b_cidr": "The CIDR of the above subnet, eg: 10.10.1.0/24", 16 | "eks_service_role": "The eks cluster role" 17 | } 18 | -------------------------------------------------------------------------------- /examples/cluster-creation/README.md: -------------------------------------------------------------------------------- 1 | ## Create Amazon EKS Cluster Step by Step 2 | 3 | - Create the Amazon EKS service role in the IAM console (https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html#role-create) 4 | 5 | - Create an IAM Role for your managed worker nodes in AWS (https://docs.aws.amazon.com/eks/latest/userguide/worker_node_IAM_role.html) 6 | 7 | - Criar o cluster de EKS rodando o seguinte comando 8 | ```shell 9 | eksctl create cluster -f cluster.yaml 10 | ``` 11 | - Realizar o update de sua Kubeconfig localmente - aws eks --region YOUR_REGION update-kubeconfig --name YOUR_CLUSTER_NAME 12 | 13 | - Para que o Cluster Autoscaler funcione de maneira correta é necessário adicionar um policy na role criada pelo eksctl que permita com que o AutoScaler escale as máquinas baseado nas requisições dos deployments. (https://github.com/jtblin/kube2iam) 14 | 15 | - Aplicar os manifestos dos componentes adicionais do cluster de Kubernetes 16 | ```shell 17 | kubectl apply -f manifests/ 18 | ``` 19 | 20 | - Adicionar as seguintes Tags nas suas subnets públicas e privadas para poder provisionar services externos e internos. 
21 | ``` 22 | Private Subnets - kubernetes.io/role/internal-elb: 1 23 | Public Subnets - kubernetes.io/role/elb: 1 24 | ``` 25 | 26 | ## Realizar update do cluster após alterar alguma configuração 27 | 28 | - Dry Run 29 | ```shell 30 | eksctl update cluster --config-file=config.yaml 31 | ``` 32 | 33 | - Aplicar 34 | ```shell 35 | eksctl update cluster --config-file=cluster.yaml --approve 36 | ``` 37 | 38 | ## Referências 39 | 40 | LoadBalancer Service Annotations - https://gist.github.com/mgoodness/1a2926f3b02d8e8149c224d25cc57dc1 -------------------------------------------------------------------------------- /examples/cluster-creation/cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: eksctl.io/v1alpha5 2 | kind: ClusterConfig 3 | 4 | metadata: 5 | name: poc-cluster 6 | region: us-east-1 7 | 8 | vpc: # Existing Amazon VPC 9 | clusterEndpoints: 10 | publicAccess: true 11 | privateAccess: true 12 | id: "vpc-000000000" 13 | cidr: "10.2.0.0/16" 14 | subnets: # Definir todas as Subnets para que seus Masters possam estar alocados. 
15 | private: 16 | us-east-1a: 17 | id: "subnet-0000000" 18 | cidr: "10.2.2.0/24" 19 | 20 | us-east-1b: 21 | id: "subnet-0000000" 22 | cidr: "10.2.3.0/24" 23 | 24 | public: 25 | us-east-1a: 26 | id: "subnet-0000000" 27 | cidr: "10.2.0.0/24" 28 | 29 | us-east-1b: 30 | id: "subnet-0000000" 31 | cidr: "10.2.1.0/24" 32 | 33 | iam: 34 | serviceRoleARN: "arn:aws:iam::ACCOUNT_ID:role/eksClusterRole" 35 | 36 | # Example with managed node group for Amazon EKS 37 | managedNodeGroups: 38 | - name: app-node-group 39 | instanceType: t2.medium 40 | minSize: 3 41 | desiredCapacity: 3 42 | maxSize: 10 43 | availabilityZones: ["us-east-1a", "us-east-1b"] 44 | volumeSize: 20 45 | privateNetworking: true # Provisionar as instâncias dos Nodes somente em subnets privadas 46 | 47 | ssh: 48 | allow: false 49 | # publicKeyPath: ~/.ssh/ec2_id_rsa.pub 50 | # sourceSecurityGroupIds: ["sg-09b2a55e337f21e5e"] 51 | 52 | labels: {role: worker} # Labels que vão ser aplicadas a nível do K8s 53 | tags: # Tags que serão aplicadas nas Ec2 54 | nodegroup-role: worker 55 | k8s.io/cluster-autoscaler/poc-cluster: owned 56 | k8s.io/cluster-autoscaler/enabled: "true" # Não pode ser booleano 57 | Name: poc-cluster-nodes 58 | 59 | 60 | # Você pode definir uma Role ou escolher que o eksctl crie as Policies para você 61 | iam: 62 | attachPolicyARNs: 63 | - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy 64 | - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly 65 | - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy 66 | # instanceRoleARN: "arn:aws:iam::936068047509:role/NodeInstanceRole" 67 | withAddonPolicies: # Adiciona policies na role dos Nodes para controllers adicionais do cluster — como essas policies ficam na instance role do Node, qualquer pod que rode nele herda essas permissões (a menos que o acesso seja restringido via kube2iam); habilite somente o que o cluster realmente usa 68 | imageBuilder: false 69 | autoScaler: true 70 | externalDNS: true 71 | certManager: true 72 | appMesh: true 73 | ebs: true 74 | fsx: true 75 | efs: true 76 | albIngress: true 77 | xRay: true 78 | cloudWatch: true 79 | 80 | cloudWatch: # Configuração do export dos logs do ControlPlane para o CloudWatch 81 | 
clusterLogging: 82 | # enable specific types of cluster control plane logs 83 | enableTypes: ["audit", "authenticator", "controllerManager"] 84 | # all supported types: "api", "audit", "authenticator", "controllerManager", "scheduler" 85 | # supported special values: "*" and "all" 86 | 87 | # Those are old node groups, that are just ASG with specifc AMI for registration under K8S 88 | 89 | # nodeGroups: 90 | # - name: ng-1 91 | 92 | # instanceType: m5.large 93 | # desiredCapacity: 3 94 | # iam: 95 | # instanceProfileARN: "arn:aws:iam::11111:instance-profile/eks-nodes-base-role" 96 | # instanceRoleARN: "arn:aws:iam::1111:role/eks-nodes-base-role" 97 | # privateNetworking: true 98 | # securityGroups: 99 | # withShared: true 100 | # withLocal: true 101 | # attachIDs: ['sg-11111', 'sg-11112'] 102 | # ssh: 103 | # publicKeyName: 'my-instance-key' 104 | # tags: 105 | # 'environment:basedomain': 'example.org' -------------------------------------------------------------------------------- /examples/cluster-creation/manifests/00-aws-auth-nodes/aws-auth-cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: aws-auth 5 | namespace: kube-system 6 | data: 7 | mapRoles: | 8 | - rolearn: arn:aws:iam::ACCOUNT_ID:role/poc-cluster 9 | username: system:node:{{EC2PrivateDNSName}} 10 | groups: 11 | - system:bootstrappers 12 | - system:nodes 13 | mapUsers: | 14 | - userarn: IAM_USER_ARN 15 | username: MY_USER 16 | groups: 17 | - system:masters 18 | -------------------------------------------------------------------------------- /examples/cluster-creation/manifests/02-kube2iam/00-servicek2iam.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: kube2iam 6 | namespace: default 7 | -------------------------------------------------------------------------------- 
/examples/cluster-creation/manifests/02-kube2iam/01-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: kube2iam 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - namespaces 11 | - pods 12 | verbs: 13 | - get 14 | - watch 15 | - list 16 | --- 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | kind: ClusterRoleBinding 19 | metadata: 20 | name: kube2iam 21 | subjects: 22 | - kind: ServiceAccount 23 | name: kube2iam 24 | namespace: default 25 | roleRef: 26 | kind: ClusterRole 27 | name: kube2iam 28 | apiGroup: rbac.authorization.k8s.io 29 | -------------------------------------------------------------------------------- /examples/cluster-creation/manifests/02-kube2iam/02-kube2iamDS.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: DaemonSet 4 | metadata: 5 | name: kube2iam 6 | namespace: default 7 | labels: 8 | app: kube2iam 9 | spec: 10 | selector: 11 | matchLabels: 12 | name: kube2iam 13 | updateStrategy: 14 | type: RollingUpdate 15 | template: 16 | metadata: 17 | labels: 18 | name: kube2iam 19 | spec: 20 | serviceAccountName: kube2iam 21 | hostNetwork: true 22 | containers: 23 | - image: jtblin/kube2iam:0.10.7 24 | imagePullPolicy: Always 25 | name: kube2iam 26 | args: 27 | - "--auto-discover-base-arn" 28 | - "--auto-discover-default-role=true" 29 | - "--iptables=true" 30 | - "--host-ip=$(HOST_IP)" 31 | - "--node=$(NODE_NAME)" 32 | - "--host-interface=eni+" 33 | env: 34 | - name: HOST_IP 35 | valueFrom: 36 | fieldRef: 37 | fieldPath: status.podIP 38 | - name: NODE_NAME 39 | valueFrom: 40 | fieldRef: 41 | fieldPath: spec.nodeName 42 | ports: 43 | - containerPort: 8181 44 | hostPort: 8181 45 | name: http 46 | securityContext: 47 | privileged: true 48 | -------------------------------------------------------------------------------- 
/examples/cluster-creation/manifests/03-alb-ingress-controller/alb-ingress-controller.yaml: -------------------------------------------------------------------------------- 1 | # Application Load Balancer (ALB) Ingress Controller Deployment Manifest. 2 | # This manifest details sensible defaults for deploying an ALB Ingress Controller. 3 | # GitHub: https://github.com/kubernetes-sigs/aws-alb-ingress-controller 4 | apiVersion: apps/v1 5 | kind: Deployment 6 | metadata: 7 | labels: 8 | app.kubernetes.io/name: alb-ingress-controller 9 | name: alb-ingress-controller 10 | # Namespace the ALB Ingress Controller should run in. Does not impact which 11 | # namespaces it's able to resolve ingress resource for. For limiting ingress 12 | # namespace scope, see --watch-namespace. 13 | namespace: kube-system 14 | spec: 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/name: alb-ingress-controller 18 | template: 19 | metadata: 20 | labels: 21 | app.kubernetes.io/name: alb-ingress-controller 22 | spec: 23 | containers: 24 | - name: alb-ingress-controller 25 | args: 26 | # Limit the namespace where this ALB Ingress Controller deployment will 27 | # resolve ingress resources. If left commented, all namespaces are used. 28 | # - --watch-namespace=your-k8s-namespace 29 | 30 | # Setting the ingress-class flag below ensures that only ingress resources with the 31 | # annotation kubernetes.io/ingress.class: "alb" are respected by the controller. You may 32 | # choose any class you'd like for this controller to respect. 33 | - --ingress-class=alb 34 | 35 | # REQUIRED 36 | # Name of your cluster. Used when naming resources created 37 | # by the ALB Ingress Controller, providing distinction between 38 | # clusters. 39 | - --cluster-name=poc-cluster 40 | 41 | # AWS VPC ID this ingress controller will use to create AWS resources. 42 | # If unspecified, it will be discovered from ec2metadata. 
43 | # - --aws-vpc-id=vpc-xxxxxx 44 | 45 | # AWS region this ingress controller will operate in. 46 | # If unspecified, it will be discovered from ec2metadata. 47 | # List of regions: http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region 48 | # - --aws-region=us-west-1 49 | 50 | # Enables logging on all outbound requests sent to the AWS API. 51 | # If logging is desired, set to true. 52 | # - --aws-api-debug 53 | # Maximum number of times to retry the aws calls. 54 | # defaults to 10. 55 | # - --aws-max-retries=10 56 | # env: 57 | # AWS key id for authenticating with the AWS API. 58 | # This is only here for examples. It's recommended you instead use 59 | # a project like kube2iam for granting access. 60 | #- name: AWS_ACCESS_KEY_ID 61 | # value: KEYVALUE 62 | 63 | # AWS key secret for authenticating with the AWS API. 64 | # This is only here for examples. It's recommended you instead use 65 | # a project like kube2iam for granting access. 66 | #- name: AWS_SECRET_ACCESS_KEY 67 | # value: SECRETVALUE 68 | # Repository location of the ALB Ingress Controller. 
69 | image: docker.io/amazon/aws-alb-ingress-controller:v1.1.3 70 | serviceAccountName: alb-ingress-controller 71 | -------------------------------------------------------------------------------- /examples/cluster-creation/manifests/03-alb-ingress-controller/rbac-role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: alb-ingress-controller 7 | name: alb-ingress-controller 8 | rules: 9 | - apiGroups: 10 | - "" 11 | - extensions 12 | resources: 13 | - configmaps 14 | - endpoints 15 | - events 16 | - ingresses 17 | - ingresses/status 18 | - services 19 | verbs: 20 | - create 21 | - get 22 | - list 23 | - update 24 | - watch 25 | - patch 26 | - apiGroups: 27 | - "" 28 | - extensions 29 | resources: 30 | - nodes 31 | - pods 32 | - secrets 33 | - services 34 | - namespaces 35 | verbs: 36 | - get 37 | - list 38 | - watch 39 | --- 40 | apiVersion: rbac.authorization.k8s.io/v1 41 | kind: ClusterRoleBinding 42 | metadata: 43 | labels: 44 | app.kubernetes.io/name: alb-ingress-controller 45 | name: alb-ingress-controller 46 | roleRef: 47 | apiGroup: rbac.authorization.k8s.io 48 | kind: ClusterRole 49 | name: alb-ingress-controller 50 | subjects: 51 | - kind: ServiceAccount 52 | name: alb-ingress-controller 53 | namespace: kube-system 54 | --- 55 | apiVersion: v1 56 | kind: ServiceAccount 57 | metadata: 58 | labels: 59 | app.kubernetes.io/name: alb-ingress-controller 60 | name: alb-ingress-controller 61 | namespace: kube-system 62 | ... 
63 | -------------------------------------------------------------------------------- /examples/cluster-creation/manifests/04-metric-server/aggregated-metrics-reader.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRole 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: system:aggregated-metrics-reader 5 | labels: 6 | rbac.authorization.k8s.io/aggregate-to-view: "true" 7 | rbac.authorization.k8s.io/aggregate-to-edit: "true" 8 | rbac.authorization.k8s.io/aggregate-to-admin: "true" 9 | rules: 10 | - apiGroups: ["metrics.k8s.io"] 11 | resources: ["pods", "nodes"] 12 | verbs: ["get", "list", "watch"] 13 | -------------------------------------------------------------------------------- /examples/cluster-creation/manifests/04-metric-server/auth-delegator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: metrics-server:system:auth-delegator 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: system:auth-delegator 10 | subjects: 11 | - kind: ServiceAccount 12 | name: metrics-server 13 | namespace: kube-system 14 | -------------------------------------------------------------------------------- /examples/cluster-creation/manifests/04-metric-server/auth-reader.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | kind: RoleBinding 4 | metadata: 5 | name: metrics-server-auth-reader 6 | namespace: kube-system 7 | roleRef: 8 | apiGroup: rbac.authorization.k8s.io 9 | kind: Role 10 | name: extension-apiserver-authentication-reader 11 | subjects: 12 | - kind: ServiceAccount 13 | name: metrics-server 14 | namespace: kube-system 15 | -------------------------------------------------------------------------------- 
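/examples/cluster-creation/manifests/04-metric-server/metrics-apiservice.yaml:
--------------------------------------------------------------------------------
---
# NOTE: apiregistration.k8s.io/v1beta1 is removed in Kubernetes 1.22+; use
# apiregistration.k8s.io/v1 (same fields) on newer clusters.
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
  name: v1beta1.metrics.k8s.io
spec:
  service:
    name: metrics-server
    namespace: kube-system
  group: metrics.k8s.io
  version: v1beta1
  # SECURITY: with insecureSkipTLSVerify the API server does not verify the
  # serving certificate of the metrics-server Service, so anything able to
  # answer on that Service endpoint could impersonate metrics-server. The data
  # it serves only feeds HPA and `kubectl top`, so the blast radius is
  # scheduling/scaling decisions rather than credentials. It is kept here
  # because metrics-server v0.3.x self-signs a fresh serving certificate on
  # every start, leaving no stable CA to pin. For a hardened cluster run
  # metrics-server with --tls-cert-file/--tls-private-key-file issued by a CA
  # you control and replace this field with `caBundle: <base64 CA>`.
  insecureSkipTLSVerify: true
  groupPriorityMinimum: 100
  versionPriority: 100
--------------------------------------------------------------------------------
/examples/cluster-creation/manifests/04-metric-server/metrics-server-deployment.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-server
  namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    k8s-app: metrics-server
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  template:
    metadata:
      name: metrics-server
      labels:
        k8s-app: metrics-server
    spec:
      serviceAccountName: metrics-server
      volumes:
      # mount in tmp so we can safely use from-scratch images and/or read-only containers
      - name: tmp-dir
        emptyDir: {}
      containers:
      - name: metrics-server
        # SUPPLY CHAIN: k8s.gcr.io is deprecated in favour of registry.k8s.io,
        # and `imagePullPolicy: Always` on a mutable tag re-resolves the tag on
        # every pod start. Pin by digest (`image@sha256:...`) for reproducible
        # deployments.
        image: k8s.gcr.io/metrics-server-amd64:v0.3.5
        imagePullPolicy: Always
        command:
        - /metrics-server
        # Scrape kubelets over their VPC address rather than hostname/DNS.
        - --kubelet-preferred-address-types=InternalIP
        # SECURITY: --kubelet-insecure-tls disables verification of each
        # kubelet's serving certificate, so a host on the node network that
        # can answer on <InternalIP>:10250 could feed forged metrics. It is
        # needed on EKS because worker kubelets serve a self-signed certificate
        # that is not issued by the cluster CA; drop the flag once kubelet
        # serving certificates are issued by the cluster CA (kubelet
        # serverTLSBootstrap with approved CSRs).
        - --kubelet-insecure-tls
        # Hardening left as follow-up: readOnlyRootFilesystem/runAsNonRoot are
        # not added here because v0.3.x writes its generated serving cert to
        # the working directory and binds port 443; they need --cert-dir=/tmp
        # and a --secure-port above 1024 (plus a matching Service targetPort).
        volumeMounts:
        - name: tmp-dir
          mountPath: /tmp
--------------------------------------------------------------------------------
/examples/cluster-creation/manifests/04-metric-server/metrics-server-service.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Service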
metadata: 5 | name: metrics-server 6 | namespace: kube-system 7 | labels: 8 | kubernetes.io/name: "Metrics-server" 9 | kubernetes.io/cluster-service: "true" 10 | spec: 11 | selector: 12 | k8s-app: metrics-server 13 | ports: 14 | - port: 443 15 | protocol: TCP 16 | targetPort: 443 17 | -------------------------------------------------------------------------------- /examples/cluster-creation/manifests/04-metric-server/resource-reader.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: system:metrics-server 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - pods 11 | - nodes 12 | - nodes/stats 13 | - namespaces 14 | verbs: 15 | - get 16 | - list 17 | - watch 18 | --- 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: ClusterRoleBinding 21 | metadata: 22 | name: system:metrics-server 23 | roleRef: 24 | apiGroup: rbac.authorization.k8s.io 25 | kind: ClusterRole 26 | name: system:metrics-server 27 | subjects: 28 | - kind: ServiceAccount 29 | name: metrics-server 30 | namespace: kube-system 31 | -------------------------------------------------------------------------------- /examples/cluster-creation/manifests/06-external-dns/external-dns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: external-dns 5 | --- 6 | apiVersion: rbac.authorization.k8s.io/v1beta1 7 | kind: ClusterRole 8 | metadata: 9 | name: external-dns 10 | rules: 11 | - apiGroups: [""] 12 | resources: ["services"] 13 | verbs: ["get","watch","list"] 14 | - apiGroups: [""] 15 | resources: ["pods"] 16 | verbs: ["get","watch","list"] 17 | - apiGroups: ["extensions"] 18 | resources: ["ingresses"] 19 | verbs: ["get","watch","list"] 20 | - apiGroups: [""] 21 | resources: ["nodes"] 22 | verbs: ["list"] 23 | --- 24 | apiVersion: rbac.authorization.k8s.io/v1beta1 25 | 
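kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  # NOTE: every other add-on in this repo lives in kube-system, but the
  # ServiceAccount at the top of this file carries no namespace, so this
  # binding only matches it when the file is applied in `default`. Applying
  # with `-n kube-system` creates the account there and leaves this binding
  # pointing at nothing.
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  strategy:
    type: Recreate
  # apps/v1 requires an explicit selector; without it the API server rejects
  # the Deployment ("spec.selector: Required value") and nothing is created.
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
      annotations:
        # external-dns needs Route 53 change permissions on the hosted zones
        # it manages. With kube2iam the role is requested through this *pod*
        # annotation (same pattern as cluster_autoscaler.yml and the Java
        # example); without one the pod gets kube2iam's --default-role, or no
        # credentials at all. Replace with your role ARN.
        iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.opensource.zalan.do/teapot/external-dns:v0.5.9
        args:
        - --source=service
        - --source=ingress
        - --provider=aws
        - --policy=upsert-only # prevents ExternalDNS from deleting any records; omit to enable full synchronization
        - --aws-zone-type= # empty = both public and private hosted zones; set `public` or `private` to restrict
        # SECURITY: with no --domain-filter this controller will write records
        # into every hosted zone the IAM role can reach, and any user who can
        # create a Service/Ingress with an
        # external-dns.alpha.kubernetes.io/hostname annotation can claim names
        # there. Restrict it to the zones you intend to manage, e.g.
        # `--domain-filter=example.com`, and set `--txt-owner-id=<cluster>` so
        # several clusters do not fight over the same records.
--------------------------------------------------------------------------------
/examples/cluster-creation/manifests/07-kubernetes-dashboard/eks-admin-service-account.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eks-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: eks-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # SECURITY: this binds the eks-admin ServiceAccount to cluster-admin, so its
  # token is an unrestricted credential for the whole cluster. It exists only
  # so the token can be pasted into the dashboard login. Treat it like a root
  # password: never use it through an internet-facing dashboard (see
  # kubernetes-dashboard-service.yaml), delete the binding when the demo is
  # over, and prefer a ClusterRole scoped to what the dashboard user needs.
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: eks-admin
  namespace: kube-system
--------------------------------------------------------------------------------
/examples/cluster-creation/manifests/07-kubernetes-dashboard/kubernetes-dashboard-service.yaml:
--------------------------------------------------------------------------------
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1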
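metadata:
  annotations:
    # Annotation values must be strings: a bare YAML `false` is a boolean and
    # kubectl/the API server reject the object ("got boolean, expected
    # string"), so this Service never applied as written.
    #
    # SECURITY: "false" requests an internet-facing ELB. The dashboard behind
    # it is started with --enable-insecure-login and listens only on plain
    # HTTP (9090, see kubernetes-dashboard.yaml), and no ACM certificate
    # annotation is set, so the ELB passes port 443 through as raw TCP: the
    # only thing that works is http://<elb>:443, and the eks-admin
    # (cluster-admin) bearer token pasted into the login form crosses the
    # internet in clear text. Set this to "true" (VPC-internal ELB), or drop
    # the LoadBalancer and reach the UI via `kubectl proxy` /
    # `kubectl port-forward`, which is what the dashboard project recommends.
    service.beta.kubernetes.io/aws-load-balancer-internal: "false"
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
  - port: 443
    # 9090 is the dashboard's plain-HTTP port; nothing here terminates TLS.
    targetPort: 9090
  type: LoadBalancer
  selector:
    k8s-app: kubernetes-dashboard
--------------------------------------------------------------------------------
/examples/cluster-creation/manifests/07-kubernetes-dashboard/kubernetes-dashboard.yaml:
--------------------------------------------------------------------------------
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.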
14 | 15 | # ------------------- Dashboard Secret ------------------- # 16 | 17 | apiVersion: v1 18 | kind: Secret 19 | metadata: 20 | labels: 21 | k8s-app: kubernetes-dashboard 22 | name: kubernetes-dashboard-certs 23 | namespace: kube-system 24 | type: Opaque 25 | 26 | --- 27 | # ------------------- Dashboard Service Account ------------------- # 28 | 29 | apiVersion: v1 30 | kind: ServiceAccount 31 | metadata: 32 | labels: 33 | k8s-app: kubernetes-dashboard 34 | name: kubernetes-dashboard 35 | namespace: kube-system 36 | 37 | --- 38 | # ------------------- Dashboard Role & Role Binding ------------------- # 39 | 40 | kind: Role 41 | apiVersion: rbac.authorization.k8s.io/v1 42 | metadata: 43 | name: kubernetes-dashboard-minimal 44 | namespace: kube-system 45 | rules: 46 | # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. 47 | - apiGroups: [""] 48 | resources: ["secrets"] 49 | verbs: ["create"] 50 | # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. 51 | - apiGroups: [""] 52 | resources: ["configmaps"] 53 | verbs: ["create"] 54 | # Allow Dashboard to get, update and delete Dashboard exclusive secrets. 55 | - apiGroups: [""] 56 | resources: ["secrets"] 57 | resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] 58 | verbs: ["get", "update", "delete"] 59 | # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. 60 | - apiGroups: [""] 61 | resources: ["configmaps"] 62 | resourceNames: ["kubernetes-dashboard-settings"] 63 | verbs: ["get", "update"] 64 | # Allow Dashboard to get metrics from heapster. 
65 | - apiGroups: [""] 66 | resources: ["services"] 67 | resourceNames: ["heapster"] 68 | verbs: ["proxy"] 69 | - apiGroups: [""] 70 | resources: ["services/proxy"] 71 | resourceNames: ["heapster", "http:heapster:", "https:heapster:"] 72 | verbs: ["get"] 73 | 74 | --- 75 | apiVersion: rbac.authorization.k8s.io/v1 76 | kind: RoleBinding 77 | metadata: 78 | name: kubernetes-dashboard-minimal 79 | namespace: kube-system 80 | roleRef: 81 | apiGroup: rbac.authorization.k8s.io 82 | kind: Role 83 | name: kubernetes-dashboard-minimal 84 | subjects: 85 | - kind: ServiceAccount 86 | name: kubernetes-dashboard 87 | namespace: kube-system 88 | 89 | --- 90 | # ------------------- Dashboard Deployment ------------------- # 91 | 92 | kind: Deployment 93 | apiVersion: apps/v1 94 | metadata: 95 | labels: 96 | k8s-app: kubernetes-dashboard 97 | name: kubernetes-dashboard 98 | namespace: kube-system 99 | spec: 100 | replicas: 1 101 | revisionHistoryLimit: 10 102 | selector: 103 | matchLabels: 104 | k8s-app: kubernetes-dashboard 105 | template: 106 | metadata: 107 | labels: 108 | k8s-app: kubernetes-dashboard 109 | spec: 110 | containers: 111 | - name: kubernetes-dashboard 112 | image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 113 | ports: 114 | - name: htttp 115 | containerPort: 9090 116 | protocol: TCP 117 | args: 118 | - --enable-insecure-login 119 | # Uncomment the following line to manually specify Kubernetes API server Host 120 | # If not specified, Dashboard will attempt to auto discover the API server and connect 121 | # to it. Uncomment only if the default does not work. 
122 | # - --apiserver-host=http://my-address:port 123 | volumeMounts: 124 | - name: kubernetes-dashboard-certs 125 | mountPath: /certs 126 | # Create on-disk volume to store exec logs 127 | - mountPath: /tmp 128 | name: tmp-volume 129 | livenessProbe: 130 | httpGet: 131 | scheme: HTTP 132 | path: / 133 | port: 9090 134 | initialDelaySeconds: 30 135 | timeoutSeconds: 30 136 | volumes: 137 | - name: kubernetes-dashboard-certs 138 | secret: 139 | secretName: kubernetes-dashboard-certs 140 | - name: tmp-volume 141 | emptyDir: {} 142 | serviceAccountName: kubernetes-dashboard 143 | # Comment the following tolerations if Dashboard must not be deployed on master 144 | tolerations: 145 | - key: node-role.kubernetes.io/master 146 | effect: NoSchedule 147 | -------------------------------------------------------------------------------- /examples/cluster-creation/manifests/08-cluster-autoscaling/cluster_autoscaler.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | labels: 5 | k8s-addon: cluster-autoscaler.addons.k8s.io 6 | k8s-app: cluster-autoscaler 7 | name: cluster-autoscaler 8 | namespace: kube-system 9 | --- 10 | apiVersion: rbac.authorization.k8s.io/v1beta1 11 | kind: ClusterRole 12 | metadata: 13 | name: cluster-autoscaler 14 | labels: 15 | k8s-addon: cluster-autoscaler.addons.k8s.io 16 | k8s-app: cluster-autoscaler 17 | rules: 18 | - apiGroups: [""] 19 | resources: ["events","endpoints"] 20 | verbs: ["create", "patch"] 21 | - apiGroups: [""] 22 | resources: ["pods/eviction"] 23 | verbs: ["create"] 24 | - apiGroups: [""] 25 | resources: ["pods/status"] 26 | verbs: ["update"] 27 | - apiGroups: [""] 28 | resources: ["endpoints"] 29 | resourceNames: ["cluster-autoscaler"] 30 | verbs: ["get","update"] 31 | - apiGroups: [""] 32 | resources: ["nodes"] 33 | verbs: ["watch","list","get","update"] 34 | - apiGroups: [""] 35 | resources: 
["pods","services","replicationcontrollers","persistentvolumeclaims","persistentvolumes"] 36 | verbs: ["watch","list","get"] 37 | - apiGroups: ["extensions"] 38 | resources: ["replicasets","daemonsets"] 39 | verbs: ["watch","list","get"] 40 | - apiGroups: ["policy"] 41 | resources: ["poddisruptionbudgets"] 42 | verbs: ["watch","list"] 43 | - apiGroups: ["apps"] 44 | resources: ["statefulsets"] 45 | verbs: ["watch","list","get"] 46 | - apiGroups: ["storage.k8s.io"] 47 | resources: ["storageclasses"] 48 | verbs: ["watch","list","get"] 49 | 50 | --- 51 | apiVersion: rbac.authorization.k8s.io/v1beta1 52 | kind: Role 53 | metadata: 54 | name: cluster-autoscaler 55 | namespace: kube-system 56 | labels: 57 | k8s-addon: cluster-autoscaler.addons.k8s.io 58 | k8s-app: cluster-autoscaler 59 | rules: 60 | - apiGroups: [""] 61 | resources: ["configmaps"] 62 | verbs: ["create"] 63 | - apiGroups: [""] 64 | resources: ["configmaps"] 65 | resourceNames: ["cluster-autoscaler-status"] 66 | verbs: ["delete","get","update"] 67 | 68 | --- 69 | apiVersion: rbac.authorization.k8s.io/v1beta1 70 | kind: ClusterRoleBinding 71 | metadata: 72 | name: cluster-autoscaler 73 | labels: 74 | k8s-addon: cluster-autoscaler.addons.k8s.io 75 | k8s-app: cluster-autoscaler 76 | roleRef: 77 | apiGroup: rbac.authorization.k8s.io 78 | kind: ClusterRole 79 | name: cluster-autoscaler 80 | subjects: 81 | - kind: ServiceAccount 82 | name: cluster-autoscaler 83 | namespace: kube-system 84 | 85 | --- 86 | apiVersion: rbac.authorization.k8s.io/v1beta1 87 | kind: RoleBinding 88 | metadata: 89 | name: cluster-autoscaler 90 | namespace: kube-system 91 | labels: 92 | k8s-addon: cluster-autoscaler.addons.k8s.io 93 | k8s-app: cluster-autoscaler 94 | roleRef: 95 | apiGroup: rbac.authorization.k8s.io 96 | kind: Role 97 | name: cluster-autoscaler 98 | subjects: 99 | - kind: ServiceAccount 100 | name: cluster-autoscaler 101 | namespace: kube-system 102 | 103 | --- 104 | apiVersion: apps/v1 105 | kind: Deployment 106 | 
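metadata:
  name: cluster-autoscaler
  namespace: kube-system
  labels:
    app: cluster-autoscaler
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cluster-autoscaler
  template:
    metadata:
      labels:
        app: cluster-autoscaler
      annotations:
        # kube2iam reads this annotation from the *pod*, so it must live on
        # the pod template. It previously sat on the Deployment's own
        # metadata, which is not copied to pods: the autoscaler pod obtained no
        # role (or only kube2iam's --default-role) and could not call the
        # Auto Scaling API. Replace with the role you created for the
        # autoscaler if you are using kube2iam.
        iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME
    spec:
      serviceAccountName: cluster-autoscaler
      containers:
      # NOTE: the cluster-autoscaler minor version must match the cluster's
      # Kubernetes minor version (v1.2.x was built for Kubernetes 1.10) and
      # will not behave correctly on newer EKS releases. k8s.gcr.io is also
      # deprecated in favour of registry.k8s.io; pin by digest.
      - image: k8s.gcr.io/cluster-autoscaler:v1.2.2
        name: cluster-autoscaler
        resources:
          limits:
            cpu: 100m
            memory: 300Mi
          requests:
            cpu: 100m
            memory: 300Mi
        command:
        - ./cluster-autoscaler
        - --v=4
        - --stderrthreshold=info
        - --cloud-provider=aws
        - --skip-nodes-with-local-storage=false
        # Only ASGs tagged with BOTH keys are managed; "poc-cluster" is the
        # example cluster name and must change together with it.
        - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/poc-cluster
        - --balance-similar-node-groups
        # Lets nodes that run kube-system pods (metrics-server, dashboard, ...)
        # be scaled down too; set to true if those should stay put.
        - --skip-nodes-with-system-pods=false
        env:
        - name: AWS_REGION
          value: us-east-1  # must be the region of the cluster's ASGs
        volumeMounts:
        - name: ssl-certs
          mountPath: /etc/ssl/certs/ca-certificates.crt
          readOnly: true
        imagePullPolicy: "Always"
      volumes:
      # The AWS SDK inside the container needs a CA bundle; the node's bundle
      # is mounted read-only (this path is the Amazon Linux location and
      # differs on other node images).
      - name: ssl-certs
        hostPath:
          path: "/etc/ssl/certs/ca-bundle.crt"
--------------------------------------------------------------------------------
/examples/java-application-example/.classpath:
--------------------------------------------------------------------------------
(Eclipse .classpath: XML content not captured in this listing)
--------------------------------------------------------------------------------
/examples/java-application-example/.project: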
-------------------------------------------------------------------------------- 1 | 2 | 3 | k8spoc 4 | 5 | 6 | 7 | 8 | 9 | org.eclipse.jdt.core.javabuilder 10 | 11 | 12 | 13 | 14 | org.eclipse.m2e.core.maven2Builder 15 | 16 | 17 | 18 | 19 | 20 | org.eclipse.jdt.core.javanature 21 | org.eclipse.m2e.core.maven2Nature 22 | 23 | 24 | -------------------------------------------------------------------------------- /examples/java-application-example/.settings/org.eclipse.core.resources.prefs: -------------------------------------------------------------------------------- 1 | eclipse.preferences.version=1 2 | encoding//src/main/java=UTF-8 3 | encoding//src/main/resources=UTF-8 4 | encoding//src/test/java=UTF-8 5 | encoding/=UTF-8 6 | -------------------------------------------------------------------------------- /examples/java-application-example/.settings/org.eclipse.jdt.apt.core.prefs: -------------------------------------------------------------------------------- 1 | eclipse.preferences.version=1 2 | org.eclipse.jdt.apt.aptEnabled=false 3 | -------------------------------------------------------------------------------- /examples/java-application-example/.settings/org.eclipse.jdt.core.prefs: -------------------------------------------------------------------------------- 1 | eclipse.preferences.version=1 2 | org.eclipse.jdt.core.compiler.codegen.methodParameters=generate 3 | org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.8 4 | org.eclipse.jdt.core.compiler.compliance=1.8 5 | org.eclipse.jdt.core.compiler.problem.enablePreviewFeatures=disabled 6 | org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning 7 | org.eclipse.jdt.core.compiler.problem.reportPreviewFeatures=ignore 8 | org.eclipse.jdt.core.compiler.processAnnotations=disabled 9 | org.eclipse.jdt.core.compiler.release=disabled 10 | org.eclipse.jdt.core.compiler.source=1.8 11 | -------------------------------------------------------------------------------- 
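/examples/java-application-example/.settings/org.eclipse.m2e.core.prefs:
--------------------------------------------------------------------------------
activeProfiles=
eclipse.preferences.version=1
resolveWorkspaceProjects=true
version=1
--------------------------------------------------------------------------------
/examples/java-application-example/Dockerfile:
--------------------------------------------------------------------------------
# Build stage: compiles the Spring Boot jar. Tests are skipped here, so the
# image build is not a quality gate; run `mvn verify` in CI before building.
# SUPPLY CHAIN: both base images are referenced by mutable tags. Pin them to a
# digest (`image@sha256:...`) so a re-pushed or hijacked tag cannot change what
# ends up in the image without a visible diff in this file.
FROM zenika/alpine-maven:3-jdk-8 AS build
COPY src /app/src
COPY pom.xml /app/
RUN mvn -f /app/pom.xml clean package -DskipTests

# Runtime stage: JRE only, no build tooling or sources.
# NOTE: the official openjdk:*-alpine tags are no longer updated upstream
# (no security patches); consider a maintained JRE image such as
# eclipse-temurin:8-jre-alpine.
FROM openjdk:8-jre-alpine
COPY --from=build /app/target/k8spoc-0.0.1-SNAPSHOT.jar /app/k8spoc-0.0.1-SNAPSHOT.jar
WORKDIR /app
# Run as an unprivileged user: previously java ran as root, so any RCE in the
# app started with uid 0 inside the container. The jar is world-readable and a
# Spring Boot app should only need java.io.tmpdir for writes, so nothing else
# needs to be chowned (confirm if the app writes elsewhere).
RUN addgroup -S app && adduser -S -G app app
USER app
EXPOSE 8080
ENTRYPOINT ["/usr/bin/java"]
CMD ["-jar", "/app/k8spoc-0.0.1-SNAPSHOT.jar"]
--------------------------------------------------------------------------------
/examples/java-application-example/HELP.md:
--------------------------------------------------------------------------------
# Getting Started

### Reference Documentation
For further reference, please consider the following sections:

* [Official Apache Maven documentation](https://maven.apache.org/guides/index.html)
* [Spring Boot Maven Plugin Reference Guide](https://docs.spring.io/spring-boot/docs/2.3.0.RELEASE/maven-plugin/reference/html/)
* [Create an OCI image](https://docs.spring.io/spring-boot/docs/2.3.0.RELEASE/maven-plugin/reference/html/#build-image)
* [Spring Boot DevTools](https://docs.spring.io/spring-boot/docs/2.3.0.RELEASE/reference/htmlsingle/#using-boot-devtools)
* [Spring Web](https://docs.spring.io/spring-boot/docs/2.3.0.RELEASE/reference/htmlsingle/#boot-features-developing-web-applications)
* [Spring Data JPA](https://docs.spring.io/spring-boot/docs/2.3.0.RELEASE/reference/htmlsingle/#boot-features-jpa-and-spring-data)

### Guides
The following guides illustrate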
how to use some features concretely: 15 | 16 | * [Building a RESTful Web Service](https://spring.io/guides/gs/rest-service/) 17 | * [Serving Web Content with Spring MVC](https://spring.io/guides/gs/serving-web-content/) 18 | * [Building REST services with Spring](https://spring.io/guides/tutorials/bookmarks/) 19 | * [Accessing Data with JPA](https://spring.io/guides/gs/accessing-data-jpa/) 20 | 21 | -------------------------------------------------------------------------------- /examples/java-application-example/README.md: -------------------------------------------------------------------------------- 1 | # Java Application Example 2 | 3 | ## Prerequisites 4 | 5 | - [ECR repository created in the account](https://docs.aws.amazon.com/pt_br/AmazonECR/latest/userguide/repository-create.html) with the name java-application-example. 6 | - Bucket that will be used to list objects by our application. 7 | - Role with permission to access the S3 bucket, as we are using kube2iam it is necessary to change the Trust Relationship, consult (https://github.com/jtblin/kube2iam) 8 | 9 | ## Deploying 10 | 11 | ### Building and sending the image to the ECR 12 | 13 | - Login to the ECR repository (ECR login command needs aws cli v2) 14 | 15 | ```shell 16 | aws ecr get-login-password --region REGION | docker login --username AWS --password-stdin ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com 17 | ``` 18 | 19 | - At the root of this folder, execute the following command to build the container. 20 | 21 | ```shell 22 | docker build -t java-application-example . 
23 | ``` 24 | 25 | - Tagging the image built locally to prepare to send it to the repository 26 | 27 | ```shell 28 | docker tag java-application-example:latest ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/java-application-example:latest 29 | ``` 30 | 31 | - Push the image to the ECR repository 32 | 33 | ```shell 34 | docker push ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/java-application-example:latest 35 | ``` 36 | 37 | ### Changing manifests to deploy the application on EKS 38 | 39 | **kubernetes/01-configmap.yaml** 40 | 41 | ```yaml 42 | BUCKET_NAME: 43 | REGION_NAME: 44 | ``` 45 | 46 | **kubernetes/02-deployment.yaml** 47 | 48 | ```yaml 49 | metadata: 50 | annotations: 51 | iam.amazonaws.com/role: 52 | ... 53 | - image: 54 | ``` 55 | 56 | ### Applying manifests 57 | 58 | - Before applying it is necessary to create the namespace for our application, in this demonstration we are using the namespace prd, so execute the following command: 59 | 60 | ```shell 61 | kubectl create namespace prd 62 | ``` 63 | 64 | - Then after everything is changed and configured, execute the following command 65 | 66 | ```shell 67 | kubectl apply -f kubernetes/ 68 | ``` 69 | 70 | - So your application will be provisioned within the cluster in the PRD namespace. 
71 | 72 | ### Testing the application 73 | 74 | - We need the endpoint of the public load balancer provided by Kubernetes, to do this run the following command 75 | 76 | ```shell 77 | kubectl get svc -nprd | awk '{print $4}' | grep -vi external 78 | ``` 79 | 80 | - Access the endpoint result of the above command in path **/api/listarObjetos/** 81 | 82 | - It will display the list of objects present in the Bucket using the permissions of the role created before 83 | -------------------------------------------------------------------------------- /examples/java-application-example/README_PT-BR.md: -------------------------------------------------------------------------------- 1 | # Java Application Example 2 | 3 | ## Pré-Requisitos 4 | 5 | - [Repositório ECR criado na conta](https://docs.aws.amazon.com/pt_br/AmazonECR/latest/userguide/repository-create.html) com o nome java-application-example. 6 | - Bucket que será utilizado para listar os objetos pela nossa aplicação. 7 | - Role com permissão de acesso ao bucket S3, como estamos utilizando o kube2iam é necessário alterar a Trust Relationship, consultar (https://github.com/jtblin/kube2iam) 8 | 9 | ## Realizando o Deploy 10 | 11 | ### Buildando e enviado a imagem para o ECR 12 | 13 | - Realizar Login no repositório do ECR (Comando de login do ECR precisa do aws cli v2) 14 | 15 | ```shell 16 | aws ecr get-login-password --region REGION | docker login --username AWS --password-stdin ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com 17 | ``` 18 | 19 | - Na raiz desta pasta executar o comando a seguir para buildar o container. 20 | 21 | ```shell 22 | docker build -t java-application-example . 
23 | ``` 24 | 25 | - Realizar o tagging da imagem buildada localmente para preparar para envia-la para o repositório 26 | 27 | ```shell 28 | docker tag java-application-example:latest ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/java-application-example:latest 29 | ``` 30 | 31 | - Realizar o Push da imagem para o repositório ECR 32 | 33 | ```shell 34 | docker push ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/java-application-example:latest 35 | ``` 36 | 37 | ### Alterando manifestos para realizar deploy da aplicação no EKS 38 | 39 | **kubernetes/01-configmap.yaml** 40 | 41 | ```yaml 42 | BUCKET_NAME: 43 | REGION_NAME: 44 | ``` 45 | 46 | **kubernetes/02-deployment.yaml** 47 | 48 | ```yaml 49 | metadata: 50 | annotations: 51 | iam.amazonaws.com/role: 52 | ... 53 | - image: 54 | ``` 55 | 56 | ### Aplicando manifestos 57 | 58 | - Antes de aplicar é necessário criar o namespace para nossa aplicação, nessa demonstração estamos utilizando o namespace prd, então execute o seguinte comando: 59 | 60 | ```shell 61 | kubectl create namespace prd 62 | ``` 63 | 64 | - Então depois de tudo alterado e configurado execute o seguinte comando 65 | 66 | ```shell 67 | kubectl apply -f kubernetes/ 68 | ``` 69 | 70 | - Assim a sua aplicação será provisionada dentro do cluster no namespace PRD. 
71 | 72 | ### Testando a aplicação 73 | 74 | - Precisamos do endpoint do balanceador público provisionado pelo Kubernetes, para isso execute o seguinte comando 75 | 76 | ```shell 77 | kubectl get svc -nprd | awk '{print $4}' | grep -vi external 78 | ``` 79 | 80 | - Acesse o endpoint resultado do comando acima no path **/api/listarObjetos/** 81 | 82 | - Ele exibira a lista de objetos presentes no seu Bucket utilizando as permissões da role criada acessando sua conta na AWS de maneira segura 83 | -------------------------------------------------------------------------------- /examples/java-application-example/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.3' 2 | services: 3 | apiso: 4 | build: . 5 | networks: 6 | - project-network 7 | ports: 8 | - "8080:8080" 9 | restart: always 10 | environment: 11 | BUCKET_NAME: 12 | REGION_NAME: 13 | networks: 14 | project-network: 15 | driver: bridge 16 | -------------------------------------------------------------------------------- /examples/java-application-example/kubernetes/01-configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | BUCKET_NAME: 4 | REGION_NAME: 5 | kind: ConfigMap 6 | metadata: 7 | name: placeholder-app 8 | namespace: prd -------------------------------------------------------------------------------- /examples/java-application-example/kubernetes/02-deployment.yaml: -------------------------------------------------------------------------------- 1 | #Manifesto de deployment da aplicacao 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: placeholder-app 6 | namespace: prd 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: placeholder-app 12 | strategy: 13 | rollingUpdate: 14 | maxSurge: 25% 15 | maxUnavailable: 0% 16 | type: RollingUpdate 17 | template: 18 | metadata: 19 | annotations: 20 | iam.amazonaws.com/role: 21 | labels: 22 | 
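app: placeholder-app
    spec:
      # The app only needs AWS credentials (obtained via kube2iam); nothing in
      # this example calls the Kubernetes API, so do not mount a
      # service-account token that an attacker who compromises the pod could
      # replay against the cluster.
      automountServiceAccountToken: false
      containers:
      # `image:` is intentionally empty: set it to the ECR image you pushed
      # (see README). kubectl rejects the Deployment until it is filled in.
      - image:
        name: placeholder-app
        securityContext:
          # Running a jar needs no setuid binaries; block privilege gain inside
          # the container. Add `runAsNonRoot: true` once the Dockerfile runs
          # java as a non-root USER.
          allowPrivilegeEscalation: false
        resources:
          requests:
            memory: "512Mi"
            cpu: "158m"
        ports:
        - containerPort: 8080
          name: placeholder-app
        livenessProbe:
          httpGet:
            path: /api/health/
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
          timeoutSeconds: 10
          failureThreshold: 5
        readinessProbe:
          httpGet:
            path: /api/health/
            port: 8080
          initialDelaySeconds: 20
        envFrom:
        - configMapRef:
            name: placeholder-app
--------------------------------------------------------------------------------
/examples/java-application-example/kubernetes/03-service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: placeholder-app-service
  namespace: prd
  annotations:
    # Must be a string: a bare YAML `false` is a boolean and kubectl refuses
    # the object, so `kubectl apply -f kubernetes/` failed on this file.
    # "false" = internet-facing ELB, which the README's "public load balancer"
    # test step relies on; use "true" for a VPC-only ELB.
    service.beta.kubernetes.io/aws-load-balancer-internal: "false"
  labels:
    app: placeholder-app
spec:
  type: LoadBalancer
  ports:
  # Inside the cluster, what port does the service expose?
  # SECURITY: plain HTTP on a public ELB. The README's /api/listarObjetos/
  # endpoint returns the bucket listing to anyone who can reach it and
  # nothing on this page adds authentication, so treat this as demo-only:
  # terminate TLS with an ACM certificate
  # (service.beta.kubernetes.io/aws-load-balancer-ssl-cert) and put an
  # authentication layer in front before exposing real data.
  - port: 80
    targetPort: 8080
    protocol: TCP
  selector:
    app: placeholder-app
--------------------------------------------------------------------------------
/examples/java-application-example/kubernetes/05-hpa.yaml:
--------------------------------------------------------------------------------
# Scales the application on CPU utilisation. Requires metrics-server
# (manifests/04-metric-server); without it the HPA shows <unknown> and never
# scales.
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: placeholder-app
  namespace: prd
spec:
  maxReplicas: 2
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: placeholder-app
  targetCPUUtilizationPercentage: 70
--------------------------------------------------------------------------------
/examples/java-application-example/mvnw:
--------------------------------------------------------------------------------
#!/bin/sh
# ----------------------------------------------------------------------------
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#    https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.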
# ----------------------------------------------------------------------------

# ----------------------------------------------------------------------------
# Maven Start Up Batch script
#
# Required ENV vars:
# ------------------
#   JAVA_HOME - location of a JDK home dir
#
# Optional ENV vars
# -----------------
#   M2_HOME - location of maven2's installed home dir
#   MAVEN_OPTS - parameters passed to the Java VM when running Maven
#     e.g. to debug Maven itself, use
#       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
#   MAVEN_SKIP_RC - flag to disable loading of mavenrc files
# ----------------------------------------------------------------------------

# The rc files below are sourced, i.e. executed inside this shell with the
# invoking user's privileges; set MAVEN_SKIP_RC to bypass them entirely.
if [ -z "$MAVEN_SKIP_RC" ] ; then

  if [ -f /etc/mavenrc ] ; then
    . /etc/mavenrc
  fi

  if [ -f "$HOME/.mavenrc" ] ; then
    . "$HOME/.mavenrc"
  fi

fi

# OS specific support. $var _must_ be set to either true or false.
cygwin=false;
darwin=false;
mingw=false
case "`uname`" in
  CYGWIN*) cygwin=true ;;
  MINGW*) mingw=true;;
  Darwin*) darwin=true
    # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
    # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
    if [ -z "$JAVA_HOME" ]; then
      if [ -x "/usr/libexec/java_home" ]; then
        export JAVA_HOME="`/usr/libexec/java_home`"
      else
        export JAVA_HOME="/Library/Java/Home"
      fi
    fi
    ;;
esac

if [ -z "$JAVA_HOME" ] ; then
  if [ -r /etc/gentoo-release ] ; then
    JAVA_HOME=`java-config --jre-home`
  fi
fi

# Derive M2_HOME from the script's own location (symlinks resolved) when unset.
if [ -z "$M2_HOME" ] ; then
  ## resolve links - $0 may be a link to maven's home
  PRG="$0"

  # need this for relative symlinks
  while [ -h "$PRG" ] ; do
    ls=`ls -ld "$PRG"`
    link=`expr "$ls" : '.*-> \(.*\)$'`
    if expr "$link" : '/.*' > /dev/null; then
      PRG="$link"
    else
      PRG="`dirname "$PRG"`/$link"
    fi
  done

  saveddir=`pwd`

  M2_HOME=`dirname "$PRG"`/..

  # make it fully qualified
  M2_HOME=`cd "$M2_HOME" && pwd`

  cd "$saveddir"
  # echo Using m2 at $M2_HOME
fi

# For Cygwin, ensure paths are in UNIX format before anything is touched
if $cygwin ; then
  [ -n "$M2_HOME" ] &&
    M2_HOME=`cygpath --unix "$M2_HOME"`
  [ -n "$JAVA_HOME" ] &&
    JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
  [ -n "$CLASSPATH" ] &&
    CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
fi

# For Mingw, ensure paths are in UNIX format before anything is touched
if $mingw ; then
  [ -n "$M2_HOME" ] &&
    M2_HOME="`(cd "$M2_HOME"; pwd)`"
  [ -n "$JAVA_HOME" ] &&
    JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
fi

# Last resort for JAVA_HOME: walk back from the javac found on PATH.
if [ -z "$JAVA_HOME" ]; then
  javaExecutable="`which javac`"
  if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
    # readlink(1) is not available as standard on Solaris 10.
    readLink=`which readlink`
    if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
      if $darwin ; then
        javaHome="`dirname \"$javaExecutable\"`"
        javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
      else
        javaExecutable="`readlink -f \"$javaExecutable\"`"
      fi
      javaHome="`dirname \"$javaExecutable\"`"
      javaHome=`expr "$javaHome" : '\(.*\)/bin'`
      JAVA_HOME="$javaHome"
      export JAVA_HOME
    fi
  fi
fi

# JAVACMD: explicit override > $JAVA_HOME/bin/java > java on PATH.
if [ -z "$JAVACMD" ] ; then
  if [ -n "$JAVA_HOME" ] ; then
    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
      # IBM's JDK on AIX uses strange locations for the executables
      JAVACMD="$JAVA_HOME/jre/sh/java"
    else
      JAVACMD="$JAVA_HOME/bin/java"
    fi
  else
    JAVACMD="`which java`"
  fi
fi

if [ ! -x "$JAVACMD" ] ; then
  echo "Error: JAVA_HOME is not defined correctly." >&2
  echo " We cannot execute $JAVACMD" >&2
  exit 1
fi

if [ -z "$JAVA_HOME" ] ; then
  echo "Warning: JAVA_HOME environment variable is not set."
fi

CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher

# traverses directory structure from process work directory to filesystem root
# first directory with .mvn subdirectory is considered project base directory
# $1 - absolute directory to start from; prints the base dir (falls back to $1
# itself when no .mvn is found on the way up) and returns 1 when $1 is empty.
find_maven_basedir() {

  if [ -z "$1" ]
  then
    echo "Path not specified to find_maven_basedir"
    return 1
  fi

  basedir="$1"
  wdir="$1"
  while [ "$wdir" != '/' ] ; do
    if [ -d "$wdir"/.mvn ] ; then
      basedir=$wdir
      break
    fi
    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
    if [ -d "${wdir}" ]; then
      wdir=`cd "$wdir/.."; pwd`
    fi
    # end of workaround
  done
  echo "${basedir}"
}

# concatenates all lines of a file
# $1 - file path; prints nothing when the file does not exist.
concat_lines() {
  if [ -f "$1" ]; then
    echo "$(tr -s '\n' ' ' < "$1")"
  fi
}

BASE_DIR=`find_maven_basedir "$(pwd)"`
if [ -z "$BASE_DIR" ]; then
  exit 1;
fi

##########################################################################################
# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
# This allows using the maven wrapper in projects that prohibit checking in binary data.
#
# NOTE(review): the jar fetched here is later put on the classpath and executed
# (see the exec at the end of the script), and this version of the extension
# performs no checksum or signature check on it. The URL comes from, in order of
# precedence, wrapperUrl in .mvn/wrapper/maven-wrapper.properties, MVNW_REPOURL,
# or Maven Central over https - so changes to that properties file deserve the
# same review as code changes.
##########################################################################################
if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
    if [ "$MVNW_VERBOSE" = true ]; then
      echo "Found .mvn/wrapper/maven-wrapper.jar"
    fi
else
    if [ "$MVNW_VERBOSE" = true ]; then
      echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
    fi
    if [ -n "$MVNW_REPOURL" ]; then
      jarUrl="$MVNW_REPOURL/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
    else
      jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
    fi
    # NOTE(review): the repository tree does not show a .mvn/wrapper directory
    # for this example, so this read (and the download target below) presumably
    # fails - confirm the wrapper files are checked in before relying on ./mvnw.
    while IFS="=" read key value; do
      case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
      esac
    done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
    if [ "$MVNW_VERBOSE" = true ]; then
      echo "Downloading from: $jarUrl"
    fi
    wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
    if $cygwin; then
      wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
    fi

    if command -v wget > /dev/null; then
        if [ "$MVNW_VERBOSE" = true ]; then
          echo "Found wget ... using wget"
        fi
        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
            wget "$jarUrl" -O "$wrapperJarPath"
        else
            # NOTE: the credentials are passed as command-line arguments, so they
            # are readable by other local users in the process list while the
            # download runs (same for the curl branch below).
            wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath"
        fi
    elif command -v curl > /dev/null; then
        if [ "$MVNW_VERBOSE" = true ]; then
          echo "Found curl ... using curl"
        fi
        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
            curl -o "$wrapperJarPath" "$jarUrl" -f
        else
            curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f
        fi

    else
        if [ "$MVNW_VERBOSE" = true ]; then
          echo "Falling back to using Java to download"
        fi
        javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
        # For Cygwin, switch paths to Windows format before running javac
        if $cygwin; then
          javaClass=`cygpath --path --windows "$javaClass"`
        fi
        if [ -e "$javaClass" ]; then
            if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
                if [ "$MVNW_VERBOSE" = true ]; then
                  echo " - Compiling MavenWrapperDownloader.java ..."
                fi
                # Compiling the Java class
                ("$JAVA_HOME/bin/javac" "$javaClass")
            fi
            if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
                # Running the downloader
                if [ "$MVNW_VERBOSE" = true ]; then
                  echo " - Running MavenWrapperDownloader.java ..."
                fi
                # NOTE: MAVEN_PROJECTBASEDIR is only exported after this extension
                # block, so here it is whatever the caller's environment had
                # (possibly empty); the downloader then sees no base dir.
                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
            fi
        fi
    fi
fi
##########################################################################################
# End of extension
##########################################################################################

export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
if [ "$MVNW_VERBOSE" = true ]; then
  echo $MAVEN_PROJECTBASEDIR
fi
# .mvn/jvm.config contents are prepended to MAVEN_OPTS (no-op when the file is absent).
MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"

# For Cygwin, switch paths to Windows format before running java
if $cygwin; then
  [ -n "$M2_HOME" ] &&
    M2_HOME=`cygpath --path --windows "$M2_HOME"`
  [ -n "$JAVA_HOME" ] &&
    JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
  [ -n "$CLASSPATH" ] &&
    CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
  [ -n "$MAVEN_PROJECTBASEDIR" ] &&
    MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
fi

# Provide a "standardized" way to retrieve the CLI args that will
# work with both Windows and non-Windows executions.
301 | MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@" 302 | export MAVEN_CMD_LINE_ARGS 303 | 304 | WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain 305 | 306 | exec "$JAVACMD" \ 307 | $MAVEN_OPTS \ 308 | -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \ 309 | "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \ 310 | ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@" 311 | -------------------------------------------------------------------------------- /examples/java-application-example/mvnw.cmd: -------------------------------------------------------------------------------- 1 | @REM ---------------------------------------------------------------------------- 2 | @REM Licensed to the Apache Software Foundation (ASF) under one 3 | @REM or more contributor license agreements. See the NOTICE file 4 | @REM distributed with this work for additional information 5 | @REM regarding copyright ownership. The ASF licenses this file 6 | @REM to you under the Apache License, Version 2.0 (the 7 | @REM "License"); you may not use this file except in compliance 8 | @REM with the License. You may obtain a copy of the License at 9 | @REM 10 | @REM https://www.apache.org/licenses/LICENSE-2.0 11 | @REM 12 | @REM Unless required by applicable law or agreed to in writing, 13 | @REM software distributed under the License is distributed on an 14 | @REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | @REM KIND, either express or implied. See the License for the 16 | @REM specific language governing permissions and limitations 17 | @REM under the License. 
@REM ----------------------------------------------------------------------------

@REM ----------------------------------------------------------------------------
@REM Maven Start Up Batch script
@REM
@REM Required ENV vars:
@REM JAVA_HOME - location of a JDK home dir
@REM
@REM Optional ENV vars
@REM M2_HOME - location of maven2's installed home dir
@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
@REM     e.g. to debug Maven itself, use
@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
@REM ----------------------------------------------------------------------------

@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
@echo off
@REM set title of command window
title %0
@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
@if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO%

@REM set %HOME% to equivalent of $HOME
if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")

@REM Execute a user defined script before this one
@REM NOTE: mavenrc_pre.* is run with the invoking user's rights; MAVEN_SKIP_RC disables it.
if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
@REM check for pre script, once with legacy .bat ending and once with .cmd ending
if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat"
if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd"
:skipRcPre

@setlocal

set ERROR_CODE=0

@REM To isolate internal variables from possible post scripts, we use another setlocal
@setlocal

@REM ==== START VALIDATION ====
if not "%JAVA_HOME%" == "" goto OkJHome

echo.
echo Error: JAVA_HOME not found in your environment. >&2
echo Please set the JAVA_HOME variable in your environment to match the >&2
echo location of your Java installation. >&2
echo.
goto error

:OkJHome
if exist "%JAVA_HOME%\bin\java.exe" goto init

echo.
echo Error: JAVA_HOME is set to an invalid directory. >&2
echo JAVA_HOME = "%JAVA_HOME%" >&2
echo Please set the JAVA_HOME variable in your environment to match the >&2
echo location of your Java installation. >&2
echo.
goto error

@REM ==== END VALIDATION ====

:init

@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
@REM Fallback to current working directory if not found.

set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir

set EXEC_DIR=%CD%
set WDIR=%EXEC_DIR%
:findBaseDir
IF EXIST "%WDIR%"\.mvn goto baseDirFound
cd ..
@REM reaching the drive root leaves %CD% unchanged, which ends the walk
IF "%WDIR%"=="%CD%" goto baseDirNotFound
set WDIR=%CD%
goto findBaseDir

:baseDirFound
set MAVEN_PROJECTBASEDIR=%WDIR%
cd "%EXEC_DIR%"
goto endDetectBaseDir

:baseDirNotFound
set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
cd "%EXEC_DIR%"

:endDetectBaseDir

@REM Read .mvn\jvm.config (one option per line) into JVM_CONFIG_MAVEN_PROPS
IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig

@setlocal EnableExtensions EnableDelayedExpansion
for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%

:endReadAdditionalConfig

SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain

set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"

@REM wrapperUrl in the properties file overrides the Maven Central default
FOR /F "tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
    IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
)

@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
@REM NOTE: the downloaded jar is executed by the java command at the end of this
@REM script and no checksum or signature check is performed on it here. Also,
@REM MVNW_USERNAME and MVNW_PASSWORD are expanded into the powershell command line
@REM below, where a local process listing can read them while the download runs.
if exist %WRAPPER_JAR% (
    if "%MVNW_VERBOSE%" == "true" (
        echo Found %WRAPPER_JAR%
    )
) else (
    if not "%MVNW_REPOURL%" == "" (
        SET DOWNLOAD_URL="%MVNW_REPOURL%/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
    )
    if "%MVNW_VERBOSE%" == "true" (
        echo Couldn't find %WRAPPER_JAR%, downloading it ...
        echo Downloading from: %DOWNLOAD_URL%
    )

    powershell -Command "&{"^
        "$webclient = new-object System.Net.WebClient;"^
        "if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
        "$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
        "}"^
        "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^
        "}"
    if "%MVNW_VERBOSE%" == "true" (
        echo Finished downloading %WRAPPER_JAR%
    )
)
@REM End of extension

@REM Provide a "standardized" way to retrieve the CLI args that will
@REM work with both Windows and non-Windows executions.
159 | set MAVEN_CMD_LINE_ARGS=%* 160 | 161 | %MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %* 162 | if ERRORLEVEL 1 goto error 163 | goto end 164 | 165 | :error 166 | set ERROR_CODE=1 167 | 168 | :end 169 | @endlocal & set ERROR_CODE=%ERROR_CODE% 170 | 171 | if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost 172 | @REM check for post script, once with legacy .bat ending and once with .cmd ending 173 | if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat" 174 | if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd" 175 | :skipRcPost 176 | 177 | @REM pause the script if MAVEN_BATCH_PAUSE is set to 'on' 178 | if "%MAVEN_BATCH_PAUSE%" == "on" pause 179 | 180 | if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE% 181 | 182 | exit /B %ERROR_CODE% 183 | -------------------------------------------------------------------------------- /examples/java-application-example/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 4.0.0 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.3.0.RELEASE 9 | 10 | 11 | aws.example 12 | k8spoc 13 | 0.0.1-SNAPSHOT 14 | k8spoc 15 | Demo Project for access AWS resources using Java 16 | 17 | 18 | 1.8 19 | 20 | 21 | 22 | 23 | org.springframework.boot 24 | spring-boot-starter-web 25 | 26 | 27 | com.amazonaws 28 | aws-java-sdk 29 | 1.11.327 30 | 31 | 32 | org.springframework.boot 33 | spring-boot-devtools 34 | runtime 35 | true 36 | 37 | 38 | org.springframework.boot 39 | spring-boot-starter-test 40 | test 41 | 42 | 43 | org.junit.vintage 44 | junit-vintage-engine 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | org.springframework.boot 54 | spring-boot-maven-plugin 55 | 56 | 57 | 58 | 59 | 60 | -------------------------------------------------------------------------------- 
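/examples/java-application-example/src/main/java/aws/example/k8spoc/K8spocApplication.java:
--------------------------------------------------------------------------------
package aws.example.k8spoc;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/**
 * Spring Boot entry point. Component scanning starts from this package, so
 * the controller and service below are picked up automatically.
 */
@SpringBootApplication
public class K8spocApplication {

    public static void main(String[] args) {
        SpringApplication.run(K8spocApplication.class, args);
    }

}
--------------------------------------------------------------------------------
/examples/java-application-example/src/main/java/aws/example/k8spoc/controller/S3Controller.java:
--------------------------------------------------------------------------------
package aws.example.k8spoc.controller;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import aws.example.k8spoc.model.bean.S3;
import aws.example.k8spoc.model.service.S3Service;

/**
 * HTTP surface of the example: a bucket-listing endpoint and the health check
 * the Deployment's liveness/readiness probes call. Everything is mapped under /api.
 */
@RestController
@RequestMapping("/api")
public class S3Controller {

    private final S3Service s3Service;

    // Constructor injection instead of field injection: the dependency is final
    // and the class can be instantiated in a plain unit test without a context.
    @Autowired
    public S3Controller(S3Service s3Service) {
        this.s3Service = s3Service;
    }

    /**
     * Lists the objects of the bucket named by the BUCKET_NAME environment
     * variable, in the region named by REGION_NAME (both presumably injected
     * from the ConfigMap referenced by the Deployment's envFrom).
     *
     * <p>NOTE: there is no authentication on this endpoint, and the Service in
     * front of it is an internet-facing LoadBalancer; anyone who can reach it
     * can enumerate the bucket's keys. Keep the Service internal or front it
     * with an authenticating ingress before pointing it at real data.
     *
     * @return 200 with the object summaries, or 500 with a short message when
     *         the environment is not configured
     */
    @GetMapping("/listarObjetos/")
    public ResponseEntity<?> listarObjetos() {

        String bucketName = System.getenv("BUCKET_NAME");
        String bucketRegion = System.getenv("REGION_NAME");

        // Fail with a readable message rather than letting the SDK throw on a
        // null bucket/region and surface as an opaque 500 with a stack trace.
        if (isBlank(bucketName) || isBlank(bucketRegion)) {
            return new ResponseEntity<>("BUCKET_NAME and REGION_NAME must be set", HttpStatus.INTERNAL_SERVER_ERROR);
        }

        S3 s3 = new S3(bucketName, bucketRegion);

        return s3Service.listarObjetos(s3);
    }

    /** Probe target for the Deployment's livenessProbe/readinessProbe; always 200. */
    @GetMapping("/health/")
    public ResponseEntity<String> healthCheck() {

        return new ResponseEntity<>("OK", HttpStatus.OK);
    }

    /** True for null, empty, or whitespace-only values. */
    private static boolean isBlank(String value) {
        return value == null || value.trim().isEmpty();
    }
}
--------------------------------------------------------------------------------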
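/examples/java-application-example/src/main/java/aws/example/k8spoc/model/bean/S3.java:
--------------------------------------------------------------------------------
package aws.example.k8spoc.model.bean;

import java.util.Objects;

import org.springframework.stereotype.Component;

/**
 * Plain value holder for the bucket the service operates on: its name and
 * the region its client must be built in. Mutable with fluent setters.
 */
@Component
public class S3 {

    private String bucketName;
    private String bucketRegion;


    public S3() {
    }

    public S3(String bucketName, String bucketRegion) {
        this.bucketName = bucketName;
        this.bucketRegion = bucketRegion;
    }

    public String getBucketName() {
        return this.bucketName;
    }

    public void setBucketName(String bucketName) {
        this.bucketName = bucketName;
    }

    public String getBucketRegion() {
        return this.bucketRegion;
    }

    public void setBucketRegion(String bucketRegion) {
        this.bucketRegion = bucketRegion;
    }

    /** Fluent setter; returns this. */
    public S3 bucketName(String bucketName) {
        this.bucketName = bucketName;
        return this;
    }

    /** Fluent setter; returns this. */
    public S3 bucketRegion(String bucketRegion) {
        this.bucketRegion = bucketRegion;
        return this;
    }

    @Override
    public boolean equals(Object o) {
        if (o == this)
            return true;
        if (!(o instanceof S3)) {
            return false;
        }
        S3 s3 = (S3) o;
        return Objects.equals(bucketName, s3.bucketName) && Objects.equals(bucketRegion, s3.bucketRegion);
    }

    // equals() was overridden without hashCode(); equal instances must hash
    // equally or they misbehave in HashSet/HashMap. Same two fields as equals().
    @Override
    public int hashCode() {
        return Objects.hash(bucketName, bucketRegion);
    }

    @Override
    public String toString() {
        return "{" +
            " bucketName='" + getBucketName() + "'" +
            ", bucketRegion='" + getBucketRegion() + "'" +
            "}";
    }

}
--------------------------------------------------------------------------------
/examples/java-application-example/src/main/java/aws/example/k8spoc/model/service/S3Service.java:
--------------------------------------------------------------------------------
package aws.example.k8spoc.model.service;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Service;
import aws.example.k8spoc.model.bean.S3;

import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ListObjectsV2Request;
import com.amazonaws.services.s3.model.ListObjectsV2Result;
import com.amazonaws.services.s3.model.S3ObjectSummary;

import java.util.ArrayList;
import java.util.List;

/** Thin wrapper around the S3 ListObjectsV2 API used by S3Controller. */
@Service
public class S3Service {

    public S3Service() {
    }

    /**
     * Returns every object summary in {@code bucket}, following continuation
     * tokens so buckets with more than one page of keys are listed in full
     * (a single listObjectsV2 call only returns the first page).
     *
     * <p>No credentials are configured here: the SDK's default provider chain
     * is used, so on the cluster the pod's IAM role (presumably granted through
     * the kube2iam manifests in this repository) is what supplies them. That
     * role needs s3:ListBucket on this bucket and nothing wider.
     *
     * @param bucket name and region of the bucket to list
     * @return 200 with the list of object summaries
     */
    public ResponseEntity<List<S3ObjectSummary>> listarObjetos(S3 bucket) {

        System.out.format("Objects in S3 bucket %s:\n", bucket.getBucketName());
        final AmazonS3 s3 = AmazonS3ClientBuilder.standard().withRegion(bucket.getBucketRegion()).build();

        ListObjectsV2Request request = new ListObjectsV2Request().withBucketName(bucket.getBucketName());
        List<S3ObjectSummary> objects = new ArrayList<>();
        ListObjectsV2Result result;
        do {
            result = s3.listObjectsV2(request);
            objects.addAll(result.getObjectSummaries());
            // null on the last page; isTruncated() is what ends the loop
            request.setContinuationToken(result.getNextContinuationToken());
        } while (result.isTruncated());


        for (S3ObjectSummary os : objects) {
            System.out.println("* " + os.getKey());
        }

        return new ResponseEntity<>(objects, HttpStatus.OK);
    }


}
--------------------------------------------------------------------------------
/examples/java-application-example/src/main/resources/application.properties:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/examples/java-application-example/src/test/java/aws/example/k8spoc/K8spocApplicationTests.java:
--------------------------------------------------------------------------------
package aws.example.k8spoc;

import org.junit.jupiter.api.Test;
import org.springframework.boot.test.context.SpringBootTest;

/** Smoke test: the application context must start without a real AWS account. */
@SpringBootTest
class K8spocApplicationTests {

    @Test
    void contextLoads() {
    }

}
--------------------------------------------------------------------------------
/images/cluster_diagram.png: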
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/eksctl-cluster-provision/c87570856a29e3ef611e7cadee0d9cf5152a9f4a/images/cluster_diagram.png -------------------------------------------------------------------------------- /images/policy-kube2iam.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/eksctl-cluster-provision/c87570856a29e3ef611e7cadee0d9cf5152a9f4a/images/policy-kube2iam.jpg -------------------------------------------------------------------------------- /infraestructure/.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | package-lock.json 3 | __pycache__ 4 | .pytest_cache 5 | .env 6 | *.egg-info 7 | 8 | # CDK asset staging directory 9 | .cdk.staging 10 | cdk.out 11 | -------------------------------------------------------------------------------- /infraestructure/README.md: -------------------------------------------------------------------------------- 1 | 2 | # Welcome to your CDK Python project! 3 | 4 | This is a blank project for Python development with CDK. 5 | 6 | The `cdk.json` file tells the CDK Toolkit how to execute your app. 7 | 8 | This project is set up like a standard Python project. The initialization 9 | process also creates a virtualenv within this project, stored under the .env 10 | directory. To create the virtualenv it assumes that there is a `python3` 11 | (or `python` for Windows) executable in your path with access to the `venv` 12 | package. If for any reason the automatic creation of the virtualenv fails, 13 | you can create the virtualenv manually. 14 | 15 | To manually create a virtualenv on MacOS and Linux: 16 | 17 | ``` 18 | $ python3 -m venv .env 19 | ``` 20 | 21 | After the init process completes and the virtualenv is created, you can use the following 22 | step to activate your virtualenv. 
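
```
$ source .env/bin/activate
```

If you are on a Windows platform, activate the virtualenv like this:

```
% .env\Scripts\activate.bat
```

Once the virtualenv is activated, you can install the required dependencies.

```
$ pip install -r requirements.txt
```

At this point you can now synthesize the CloudFormation template for this code.

```
$ cdk synth
```

To add additional dependencies, for example other CDK libraries, just add
them to your `setup.py` file and rerun the `pip install -r requirements.txt`
command.

## Useful commands

 * `cdk ls`          list all stacks in the app
 * `cdk synth`       emits the synthesized CloudFormation template
 * `cdk deploy`      deploy this stack to your default AWS account/region
 * `cdk diff`        compare deployed stack with current state
 * `cdk docs`        open CDK documentation

Enjoy!

--------------------------------------------------------------------------------
/infraestructure/app.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

from aws_cdk import core

from infraestructure.vpc_stack import VpcStack
from infraestructure.iam_stack import IamStack


# Constants, default region
region_name = "us-east-1"
env_US = core.Environment(region=region_name)
app = core.App()

# Declare stacks using CDK. Both stacks are pinned to env_US: env_US was
# defined but never passed before, so CDK deployed to whatever region the
# CLI/profile defaulted to, contradicting the "Region" output VpcStack emits.
vpc_stack = VpcStack(app, "vpc", env=env_US)
iam_stack = IamStack(app, "iam-stack", env=env_US)

app.synth()

--------------------------------------------------------------------------------
/infraestructure/cdk.json:
--------------------------------------------------------------------------------
{
  "app": "python3 app.py",
  "context": {
    "@aws-cdk/core:enableStackNameDuplicates": "true",
    "aws-cdk:enableDiffNoFail": "true"
  }
}
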
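--------------------------------------------------------------------------------
/infraestructure/infraestructure/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/eksctl-cluster-provision/c87570856a29e3ef611e7cadee0d9cf5152a9f4a/infraestructure/infraestructure/__init__.py
--------------------------------------------------------------------------------
/infraestructure/infraestructure/iam_stack.py:
--------------------------------------------------------------------------------
from aws_cdk import core
import aws_cdk.aws_iam as iam


# Infraestructure definition using CDK

class IamStack(core.Stack):
    """IAM resources for the cluster: the service role the EKS control plane assumes."""

    def __init__(self, scope: core.Construct, id: str, **kwargs):
        super().__init__(scope, id, **kwargs)
        # Kept on the instance so other constructs/stacks can re-use the role later.
        self.cluster_role = None
        self.create_iam_roles()

    def create_iam_roles(self):
        """Create the EKS cluster role and export its ARN as the ``eks_role`` output."""
        # AmazonEKSClusterPolicy is the AWS-managed policy the control plane
        # needs; nothing broader (no inline or wildcard statements) is attached.
        managed_policy = iam.ManagedPolicy.from_aws_managed_policy_name("AmazonEKSClusterPolicy")
        # Trust policy: only the EKS service principal may assume this role.
        self.cluster_role = iam.Role(
            self,
            "eksClusterRole",
            assumed_by=iam.ServicePrincipal("eks.amazonaws.com"),
            managed_policies=[managed_policy],
            # Fixed physical name so the cluster template can refer to it by
            # name; the trade-off is that two deployments in one account collide.
            role_name="eksClusterRoleNew",
        )

        core.CfnOutput(self, "eks_role", value=self.cluster_role.role_arn)

--------------------------------------------------------------------------------
/infraestructure/infraestructure/vpc_stack.py:
--------------------------------------------------------------------------------
from aws_cdk import core
import aws_cdk.aws_ec2 as ec2


# Infraestructure definition using CDK
# TODO: Get Subnet CIDR
class VpcStack(core.Stack):
    """Two-AZ VPC with one public and one private /24 per AZ and NAT egress."""

    # Single source of truth for the VPC range (also reported by the VpcCidr output).
    VPC_CIDR = "10.10.0.0/16"

    def __init__(self, scope: core.Construct, id: str, **kwargs):
        super().__init__(scope, id, **kwargs)
        self.vpc_info = None
        self.create_vpc()

    def create_vpc(self):
        """Create the VPC and export the ids/AZs the cluster template needs."""
        # Kept on the instance so it can be re-used later.
        self.vpc_info = ec2.Vpc(
            self,
            "VPC",
            max_azs=2,
            cidr=self.VPC_CIDR,
            # configuration will create 2 groups in 2 AZs = 4 subnets.
            subnet_configuration=[
                ec2.SubnetConfiguration(
                    subnet_type=ec2.SubnetType.PUBLIC,
                    name="Public",
                    cidr_mask=24,
                ),
                ec2.SubnetConfiguration(
                    subnet_type=ec2.SubnetType.PRIVATE,
                    name="Private",
                    cidr_mask=24,
                ),
            ],
            # nat_gateway_provider=ec2.NatProvider.gateway(),
            # matches max_azs so each AZ gets its own NAT gateway
            nat_gateways=2,
        )

        private_subnets = self.vpc_info.select_subnets(subnet_type=ec2.SubnetType.PRIVATE)
        public_subnets = self.vpc_info.select_subnets(subnet_type=ec2.SubnetType.PUBLIC)

        # self.region is the stack's region token, so the output cannot drift
        # from where the stack is actually deployed (it used to be hard-coded).
        core.CfnOutput(self, "Region", value=self.region)
        core.CfnOutput(self, "VpcID", value=self.vpc_info.vpc_id)
        core.CfnOutput(self, "VpcCidr", value=self.VPC_CIDR)
        core.CfnOutput(self, "PrivateSubnetsIds", value=str(private_subnets.subnet_ids))
        core.CfnOutput(self, "PublicSubnetsIds", value=str(public_subnets.subnet_ids))
        core.CfnOutput(self, "AvailabilityZones", value=str(public_subnets.availability_zones))

--------------------------------------------------------------------------------
/infraestructure/requirements.txt:
--------------------------------------------------------------------------------
attrs==19.3.0
aws-cdk.aws-cloudwatch==1.44.0
aws-cdk.aws-ec2==1.44.0
aws-cdk.aws-events==1.44.0
aws-cdk.aws-iam==1.44.0
aws-cdk.aws-kms==1.44.0
aws-cdk.aws-logs==1.44.0
aws-cdk.aws-s3==1.44.0
aws-cdk.aws-ssm==1.44.0
aws-cdk.cdk-assets-schema==1.44.0
aws-cdk.cloud-assembly-schema==1.44.0
aws-cdk.core==1.44.0
aws-cdk.cx-api==1.44.0
aws-cdk.region-info==1.44.0
cattrs==1.0.0
constructs==3.0.3
# NOTE(review): editable install of this same package from an external GitHub
# repository over SSH, pinned to a commit; pip needs SSH access to github.com to
# resolve it. Presumably the project's earlier home - confirm before relying on it.
-e git+git@github.com:BRCentralSA/amazon-eks-demo.git@574e337770b8889e177d361ba619f382c56d732b#egg=infraestructure&subdirectory=infraestructure
jsii==1.6.0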
publication==0.0.3 20 | python-dateutil==2.8.1 21 | six==1.15.0 22 | typing-extensions==3.7.4.2 23 | -------------------------------------------------------------------------------- /infraestructure/setup.py: -------------------------------------------------------------------------------- 1 | import setuptools 2 | 3 | 4 | with open("README.md") as fp: 5 | long_description = fp.read() 6 | 7 | 8 | setuptools.setup( 9 | name="infraestructure", 10 | version="0.0.1", 11 | 12 | description="An empty CDK Python app", 13 | long_description=long_description, 14 | long_description_content_type="text/markdown", 15 | 16 | author="author", 17 | 18 | package_dir={"": "infraestructure"}, 19 | packages=setuptools.find_packages(where="infraestructure"), 20 | 21 | install_requires=[ 22 | "aws-cdk.core==1.44.0", 23 | ], 24 | 25 | python_requires=">=3.6", 26 | 27 | classifiers=[ 28 | "Development Status :: 4 - Beta", 29 | 30 | "Intended Audience :: Developers", 31 | 32 | "License :: OSI Approved :: Apache Software License", 33 | 34 | "Programming Language :: JavaScript", 35 | "Programming Language :: Python :: 3 :: Only", 36 | "Programming Language :: Python :: 3.6", 37 | "Programming Language :: Python :: 3.7", 38 | "Programming Language :: Python :: 3.8", 39 | 40 | "Topic :: Software Development :: Code Generators", 41 | "Topic :: Utilities", 42 | 43 | "Typing :: Typed", 44 | ], 45 | ) 46 | -------------------------------------------------------------------------------- /infraestructure/source.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | rem The sole purpose of this script is to make the command 4 | rem 5 | rem source .env/bin/activate 6 | rem 7 | rem (which activates a Python virtualenv on Linux or Mac OS X) work on Windows. 8 | rem On Windows, this command just runs this batch file (the argument is ignored). 9 | rem 10 | rem Now we don't need to document a Windows command for activating a virtualenv. 
11 | 12 | echo Executing .env\Scripts\activate.bat for you 13 | .env\Scripts\activate.bat 14 | --------------------------------------------------------------------------------
