├── .drone.yml ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md └── pull_request_template.md ├── .gitignore ├── .rules └── .tflint.hcl ├── LICENSE ├── README.md ├── docs ├── COMPATIBILITY_MATRIX.md └── releases │ ├── v2.0.0.md │ ├── v2.1.0.md │ ├── v2.2.0.md │ ├── v3.0.0.md │ ├── v4.0.0.md │ ├── v4.1.0.md │ ├── v4.2.0.md │ ├── v4.2.1.md │ ├── v4.3.0.md │ └── v5.0.0.md ├── examples └── eks-addons │ ├── README.md │ ├── coredns.json │ ├── ebs.json │ ├── kube-proxy.json │ ├── main.auto.tfvars.dist │ ├── main.tf │ ├── snapshot-controller.json │ ├── variables.tf │ └── vpc-cni.json ├── katalog ├── cluster-autoscaler │ ├── MAINTENANCE.md │ ├── README.md │ ├── base │ │ ├── deploy.yaml │ │ └── kustomization.yaml │ ├── v1.29.x │ │ └── kustomization.yaml │ ├── v1.30.x │ │ └── kustomization.yaml │ ├── v1.31.x │ │ └── kustomization.yaml │ └── v1.32.x │ │ └── kustomization.yaml ├── load-balancer-controller │ ├── MAINTENANCE.md │ ├── README.md │ ├── deploy.yaml │ └── kustomization.yaml └── node-termination-handler │ ├── MAINTENANCE.md │ ├── README.md │ ├── deploy.yaml │ └── kustomization.yaml └── modules ├── eks-addons ├── README.md ├── coredns.tf ├── ebs_csi_driver.tf ├── kube_proxy.tf ├── main.tf ├── snapshot-controller.tf ├── variables.tf └── vpc_cni.tf ├── iam-for-cluster-autoscaler ├── README.md ├── iam.tf ├── outputs.tf ├── variables.tf └── versions.tf ├── iam-for-ebs-csi-driver ├── README.md ├── iam.tf ├── outputs.tf ├── variables.tf └── versions.tf └── iam-for-load-balancer-controller ├── README.md ├── iam.tf ├── outputs.tf ├── variables.tf └── versions.tf /.drone.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 2 | # Use of this source code is governed by a BSD-style 3 | # license that can be found in the LICENSE file. 
4 | 5 | name: license 6 | kind: pipeline 7 | type: docker 8 | 9 | steps: 10 | - name: check 11 | image: docker.io/library/golang:1.21 12 | pull: always 13 | commands: 14 | - go install github.com/google/addlicense@v1.1.1 15 | - addlicense -c "SIGHUP s.r.l" -v -l bsd --check . 16 | 17 | --- 18 | name: policeman 19 | kind: pipeline 20 | type: docker 21 | 22 | depends_on: 23 | - license 24 | 25 | platform: 26 | os: linux 27 | arch: amd64 28 | 29 | steps: 30 | - name: lint 31 | image: quay.io/sighup/policeman:v5.2.1 32 | pull: always 33 | environment: 34 | # Identifies false positives like missing 'selector'. 35 | # Doing this is valid for Kustomize patches 36 | VALIDATE_KUBERNETES_KUBEVAL: "false" 37 | # Some duplicated code is intended. 38 | VALIDATE_JSCPD: "false" 39 | # hadolint already validated dockerfiles 40 | VALIDATE_DOCKERFILE: "false" 41 | # Disable natural language checks 42 | VALIDATE_NATURAL_LANGUAGE: "false" 43 | # Exclude old release notes that were created before we introduced policeman 44 | FILTER_REGEX_EXCLUDE: (docs/releases/v1[.]15[.].*[.]md|\.github) 45 | # Exclude schemas for kubeconform 46 | KUBERNETES_KUBECONFORM_OPTIONS: "--ignore-missing-schemas" 47 | VALIDATE_TERRAFORM_TFLINT: "false" 48 | VALIDATE_TERRAFORM_FMT: "false" 49 | VALIDATE_TERRAFORM_TERRASCAN: "false" 50 | depends_on: 51 | - clone 52 | 53 | - name: render 54 | image: quay.io/sighup/e2e-testing:1.1.0_0.7.0_3.1.1_1.9.4_1.21.12_3.8.7_4.21.1 55 | pull: always 56 | commands: 57 | - kustomize build katalog/cluster-autoscaler/base > cluster-autoscaler.yml 58 | - kustomize build katalog/load-balancer-controller > load-balancer-controller.yml 59 | - kustomize build katalog/node-termination-handler > node-termination-handler.yml 60 | 61 | 62 | - name: check-deprecated-apis 63 | image: us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5 64 | pull: always 65 | depends_on: 66 | - render 67 | commands: 68 | # we use --ignore-deprecations because we don't want the CI to fail when the API has not been 
removed yet. 69 | - /pluto detect cluster-autoscaler.yml --ignore-deprecations --target-versions=k8s=v1.32.0 70 | - /pluto detect load-balancer-controller.yml --ignore-deprecations --target-versions=k8s=v1.29.0 71 | - /pluto detect node-termination-handler.yml --ignore-deprecations --target-versions=k8s=v1.29.0 72 | 73 | --- 74 | name: release 75 | kind: pipeline 76 | type: docker 77 | 78 | # Uncomment the e2e dependency once we have e2e tests 79 | depends_on: 80 | - policeman 81 | # - e2e-kubernetes-1.20 82 | 83 | platform: 84 | os: linux 85 | arch: amd64 86 | 87 | trigger: 88 | ref: 89 | include: 90 | - refs/tags/** 91 | 92 | steps: 93 | - name: prepare-tar-gz 94 | image: alpine:latest # NOTE: unpinned tag; the environment that builds the release tarball is not reproducible unless this is pinned to a version or digest 95 | pull: always 96 | depends_on: [clone] 97 | commands: 98 | - tar -zcvf kubernetes-fury-aws-${DRONE_TAG}.tar.gz katalog/ LICENSE README.md 99 | when: 100 | ref: 101 | include: 102 | - refs/tags/** 103 | 104 | - name: prepare-release-notes 105 | image: quay.io/sighup/fury-release-notes-plugin:3.7_2.8.4 106 | pull: always 107 | depends_on: [clone] 108 | settings: 109 | release_notes_file_path: release-notes.md 110 | when: 111 | ref: 112 | include: 113 | - refs/tags/** 114 | 115 | - name: publish-prerelease 116 | image: plugins/github-release 117 | pull: always 118 | depends_on: 119 | - prepare-tar-gz 120 | - prepare-release-notes 121 | settings: 122 | api_key: 123 | from_secret: github_token 124 | file_exists: overwrite 125 | files: 126 | - kubernetes-fury-aws-${DRONE_TAG}.tar.gz 127 | prerelease: true 128 | overwrite: true 129 | title: "Preview ${DRONE_TAG}" 130 | note: release-notes.md 131 | checksum: 132 | - md5 133 | - sha256 134 | when: 135 | ref: 136 | include: 137 | - refs/tags/v**-rc** 138 | 139 | - name: publish-stable 140 | image: plugins/github-release 141 | pull: always 142 | depends_on: 143 | - prepare-tar-gz 144 | - prepare-release-notes 145 | settings: 146 | api_key: 147 | from_secret: github_token 148 | file_exists: overwrite 149 | files: 150 | - 
kubernetes-fury-aws-${DRONE_TAG}.tar.gz 151 | prerelease: false 152 | overwrite: true 153 | title: "Release ${DRONE_TAG}" 154 | note: release-notes.md 155 | checksum: 156 | - md5 157 | - sha256 158 | when: 159 | ref: 160 | exclude: 161 | - refs/tags/v**-rc** 162 | include: 163 | - refs/tags/v** 164 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Desktop (please complete the following information):** 27 | - OS: [e.g. iOS] 28 | - Browser [e.g. chrome, safari] 29 | - Version [e.g. 22] 30 | 31 | **Kubernetes (please complete the following information):** 32 | - Kubernetes version: [e.g. 1.30.0] 33 | - OPA Gatekeeper version: [e.g. 3.18.0] 34 | 35 | **Additional context** 36 | Add any other context about the problem here. 37 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 
12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | 15 | 16 | ### Summary 💡 17 | 18 | 19 | 20 | 25 | Closes: 26 | 27 | 28 | 29 | Relates: 30 | 31 | 32 | ### Description 📝 33 | 34 | 42 | 43 | ### Breaking Changes 💔 44 | 45 | 51 | 52 | ### Tests performed 🧪 53 | 54 | 63 | 64 | ### Future work 🔧 65 | 66 | 70 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .terraform 2 | *.tfstate 3 | *.backup 4 | packer/ami.json 5 | .envrc 6 | -------------------------------------------------------------------------------- /.rules/.tflint.hcl: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 3 | * Use of this source code is governed by a BSD-style 4 | * license that can be found in the LICENSE file. 5 | */ 6 | 7 | config { 8 | ignore_module = { 9 | "./modules/eks-addons" = true 10 | "./examples/eks-addons" = true 11 | } 12 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2019, SIGHUP 4 | All rights reserved. 
5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 | 3 | 4 | 5 | Shows a black logo in light color mode and a white one in dark color mode. 6 |
7 | AWS Module 8 |

9 | 10 | ![Release](https://img.shields.io/badge/Latest%20Release-v5.0.0-blue) 11 | ![License](https://img.shields.io/github/license/sighupio/module-aws?label=License) 12 | ![Slack](https://img.shields.io/badge/slack-@kubernetes/fury-yellow.svg?logo=slack&label=Slack) 13 | 14 | 15 | 16 | **AWS Module** provides support AWS packages for [SIGHUP Distribution (SD)][kfd-repo]. 17 | 18 | If you are new to SD please refer to the [official documentation][kfd-docs] on how to get started with SD. 19 | 20 | ## Overview 21 | 22 | **AWS Module** uses a collection of open source tools to make an EKS cluster on AWS production grade. 23 | 24 | ## Packages 25 | 26 | The following packages are included in AWS Module: 27 | 28 | | Package | Version | Description | 29 | | ------------------------------------------------------------------------------------- | --------------------------------- | ----------------------------------------------------------------------------------------------------------- | 30 | | [cluster-autoscaler](katalog/cluster-autoscaler) | `v1.29.0,v1.30.2,v1.31.0,v1.32.0` | A component that automatically adjusts the size of a Kubernetes Cluster | 31 | | [IAM role for cluster-autoscaler](modules/iam-for-cluster-autoscaler) | `-` | Terraform module to manage IAM role used by cluster-autoscaler | 32 | | [aws-node-termination-handler](katalog/node-termination-handler) | `v1.25.0` | Automatically manage graceful termination of pods in the event that one node is retired by AWS | 33 | | [aws-load-balancer-controller](katalog/load-balancer-controller) | `v2.12.0` | AWS Load Balancer Controller is a controller to help manage Elastic Load Balancers for a Kubernetes cluster | 34 | | [IAM role for aws-load-balancer-controller](modules/iam-for-load-balancer-controller) | `-` | Terraform module to manage IAM role used by aws-load-balancer-controller | 35 | | [IAM role for aws-ebs-csi-driver](modules/iam-for-ebs-csi-driver) | `-` | Terraform module to manage IAM role used by EBS 
CSI driver | 36 | | [EKS Addons](modules/eks-addons) | `-` | Terraform module to install the main EKS Addons (coredns, EBS CSI Driver, snapshot controller, VPC cni) | 37 | 38 | 39 | Click on each package to see its full documentation. 40 | 41 | ## Compatibility 42 | 43 | | Kubernetes Version | Compatibility | Notes | 44 | | ------------------ | :----------------: | --------------- | 45 | | `1.29.x` | :white_check_mark: | No known issues | 46 | | `1.30.x` | :white_check_mark: | No known issues | 47 | | `1.31.x` | :white_check_mark: | No known issues | 48 | | `1.32.x` | :white_check_mark: | No known issues | 49 | 50 | Check the [compatibility matrix][compatibility-matrix] for additional informations about previous releases of the modules. 51 | 52 | ## Usage 53 | 54 | ### Prerequisites 55 | 56 | | Tool | Version | Description | 57 | | --------------------------- |------------| -------------------------------------------------------------------------------------------------------------------------------------------------------------- | 58 | | [furyctl][furyctl-repo] | `>=0.25.0` | The recommended tool to download and manage SD modules and their packages. To learn more about `furyctl` read the [official documentation][furyctl-repo]. | 59 | | [kustomize][kustomize-repo] | `>=3.5.3` | Packages are customized using `kustomize`. To learn how to create your customization layer with `kustomize`, please refer to the [repository][kustomize-repo]. | 60 | | [terraform][terraform-repo] | `>=1.3.0` | Terraform is used to provision packages using modules. To learn how to use `terraform`, please refer to the [repository][terraform-repo]. | 61 | 62 | ### Deployment - furyctl Legacy 63 | 64 | 1. 
List the packages you want to deploy and their version in a `Furyfile.yml` 65 | 66 | ```yaml 67 | bases: 68 | - name: aws/cluster-autoscaler 69 | version: "v5.0.0" 70 | - name: aws/node-termination-handler 71 | version: "v5.0.0" 72 | - name: aws/load-balancer-controller 73 | version: "v5.0.0" 74 | 75 | ``` 76 | 77 | > See `furyctl` [documentation][furyctl-repo] for additional details about `Furyfile.yml` format. 78 | 79 | 2. Execute `furyctl legacy vendor -H` to download the packages 80 | 81 | 3. Inspect the download packages under `./vendor/katalog/aws`. 82 | 83 | 4. Define a `kustomization.yaml` that includes the `./vendor/katalog/aws` directory as resource. 84 | 85 | ```yaml 86 | resources: 87 | - ./vendor/katalog/aws/cluster-autoscaler/{v1.29.x,v1.30.x,v1.31.x,v1.32.x} 88 | - ./vendor/katalog/aws/node-termination-handler 89 | - ./vendor/katalog/aws/load-balancer-controller 90 | ``` 91 | 92 | > [!NOTE] 93 | > Some packages will not work out of the box because they need additional configuration (IAM roles, for example). 94 | > Refer to each package documentation for more details. 95 | 96 | 5. To deploy the packages to your cluster, execute: 97 | 98 | ```bash 99 | kustomize build . | kubectl apply -f - 100 | ``` 101 | 102 | 103 | 104 | [kfd-repo]: https://github.com/sighupio/distribution 105 | [furyctl-repo]: https://github.com/sighupio/furyctl 106 | [kustomize-repo]: https://github.com/kubernetes-sigs/kustomize 107 | [terraform-repo]: https://github.com/hashicorp/terraform 108 | [kfd-docs]: https://docs.sighup.io/docs/distribution/ 109 | [compatibility-matrix]: https://github.com/sighupio/module-aws/blob/master/docs/COMPATIBILITY_MATRIX.md 110 | 111 | 112 | 113 | 114 | 115 | ## Contributing 116 | 117 | Before contributing, please read first the [Contributing Guidelines](https://github.com/sighupio/distribution/docs/CONTRIBUTING.md). 
118 | 119 | ### Reporting Issues 120 | 121 | In case you experience any problem with the module, please [open a new issue](https://github.com/sighupio/module-aws/issues/new/choose). 122 | 123 | ## License 124 | 125 | This module is open-source and it is released under the following [LICENSE](LICENSE). 126 | 127 | 128 | -------------------------------------------------------------------------------- /docs/COMPATIBILITY_MATRIX.md: -------------------------------------------------------------------------------- 1 | # Compatibility Matrix 2 | 3 | | Module Version / Kubernetes Version | 1.32.X | 1.31.X | 1.30.X | 1.29.X | 1.28.X | 1.27.X | 1.26.X | 1.25.X | 1.24.X | 1.23.X | 4 | | ----------------------------------- | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | 5 | | v5.0.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | 6 | | v4.3.0 | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | 7 | | v4.2.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 8 | | v4.1.0 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 9 | | v4.0.0 | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | 10 | | v3.0.0 | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | 11 | | v2.2.0 | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | 12 | 13 | ## Legend 14 | 15 | - :white_check_mark: Compatible 16 | - :warning: Has issues 17 | - :x: Incompatible 18 | 19 | ## Warnings 20 | 21 | > [!WARNING] 22 | > The module was completely repurposed in v2.0.0, breaking all compatibility with previous versions. 
23 | -------------------------------------------------------------------------------- /docs/releases/v2.0.0.md: -------------------------------------------------------------------------------- 1 | # AWS Module Release 2.0.0 2 | 3 | Welcome to the latest release of the `aws` module for the [`SIGHUP Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP. 4 | 5 | ⚠️ This is a major release including **breaking changes**: it removes the modules used to install Kubernetes on AWS using EC2. 6 | 7 | ## Component Images 🚢 8 | 9 | | Component | Supported Version | Previous Version | 10 | |-------------------------------|--------------------------------------------------------------------------------------------------------|------------------| 11 | | `cluster-autoscaler` | [`v1.23.1`](https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.23.1) | `Update` | 12 | | `ebs-csi-driver` | [`v1.11.2`](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/releases/tag/v1.11.2) | `New component` | 13 | | `load-balancer-controller` | [`v2.4.3`](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.4.3) | `New component` | 14 | | `node-termination-handler` | [`v1.17.1`](https://github.com/aws/aws-node-termination-handler/releases/tag/v1.17.1) | `Update` | 15 | 16 | > Please refer to the individual release notes to get detailed information on each release. 17 | 18 | ## New packages: Welcome EBS CSI Driver and AWS Load Balancer Controller! 📕 19 | 20 | This release adds two new packages, `ebs-csi-driver` and `load-balancer-controller`. The first one is a mandatory package to use EBS volumes in your EKS cluster, since the in-tree EBS volume plugin is deprecated starting from EKS version 1.23. 21 | The second one is the official AWS controller to manage AWS Load Balancers, which is a mandatory package to use all the features provided by AWS for Load Balancers, for example, enabling the proxy protocol on Network Load Balancers. 
22 | 23 | ## Removals: Removed all the legacy terraform modules to install Kubernetes on EC2 🚮 24 | 25 | This release completely removes all the terraform modules used for the installation of a Kubernetes cluster using EC2. SIGHUP Distribution has deprecated support for EC2-based clusters in favour of EKS (managed) clusters. 26 | 27 | ## Update Guide 🦮 28 | 29 | There is no update guide since this release completely changes the scope of this module, from a collection of packages to install a Kubernetes cluster on AWS to a collection of packages to install on top of an existing Kubernetes EKS/AWS cluster. 30 | 31 | 32 | -------------------------------------------------------------------------------- /docs/releases/v2.1.0.md: -------------------------------------------------------------------------------- 1 | # AWS Module Release 2.1.0 2 | 3 | Welcome to the latest release of the `aws` module for the [`SIGHUP Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP. 4 | 5 | This is a minor release adding support for Kubernetes `v1.24.x`. 6 | 7 | ## Component Images 🚢 8 | 9 | | Component | Supported Version | Previous Version | 10 | | -------------------------- | ----------------------------------------------------------------------------------------------- | ---------------- | 11 | | `cluster-autoscaler` | [`v1.24.0`](https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.24.0) | `1.23.1` | 12 | | `ebs-csi-driver` | [`v1.11.2`](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/releases/tag/v1.11.2) | no change | 13 | | `load-balancer-controller` | [`v2.4.3`](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.4.3) | no change | 14 | | `node-termination-handler` | [`v1.17.1`](https://github.com/aws/aws-node-termination-handler/releases/tag/v1.17.1) | no change | 15 | 16 | > Please refer to the individual release notes to get detailed information on each release. 
17 | 18 | ## Update Guide 🦮 19 | 20 | If you are upgrading Kubernetes together with the module, change your Kustomization file to use the right version of `cluster-autoscaler` and apply the manifests. 21 | 22 | There are no other changes needed. 23 | 24 | 25 | -------------------------------------------------------------------------------- /docs/releases/v2.2.0.md: -------------------------------------------------------------------------------- 1 | # AWS Module Release 2.2.0 2 | 3 | Welcome to the latest release of the `aws` module for the [`SIGHUP Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP. 4 | 5 | This is a minor release adding support for Kubernetes `v1.25.x`. 6 | 7 | ## Component Images 🚢 8 | 9 | | Component | Supported Version | Previous Version | 10 | | -------------------------- | ----------------------------------------------------------------------------------------------- | ---------------- | 11 | | `cluster-autoscaler` | [`v1.25.0`](https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.25.0) | `1.24.0` | 12 | | `ebs-csi-driver` | [`v1.16.1`](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/releases/tag/v1.16.1) | `1.12.2` | 13 | | `load-balancer-controller` | [`v2.4.7`](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.4.7) | `2.4.3` | 14 | | `node-termination-handler` | [`v1.19.0`](https://github.com/aws/aws-node-termination-handler/releases/tag/v1.19.0) | `1.17.1` | 15 | 16 | > Please refer to the individual release notes to get detailed information on each release. 17 | 18 | ## Update Guide 🦮 19 | 20 | If you are upgrading Kubernetes together with the module, change your Kustomization file to use the right version of `cluster-autoscaler` and apply the manifests. 21 | 22 | There are no other changes needed. 
23 | 24 | 25 | -------------------------------------------------------------------------------- /docs/releases/v3.0.0.md: -------------------------------------------------------------------------------- 1 | # AWS Module Release 3.0.0 2 | 3 | Welcome to the latest release of the `aws` module for the [`SIGHUP Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP. 4 | 5 | This is a major release that upgrades the terraform requirement to >= 1.3. Component versions are unchanged. 6 | 7 | ## Component Images 🚢 8 | 9 | | Component | Supported Version | Previous Version | 10 | | -------------------------- | ----------------------------------------------------------------------------------------------- | ---------------- | 11 | | `cluster-autoscaler` | [`v1.25.0`](https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.25.0) | `No update` | 12 | | `ebs-csi-driver` | [`v1.16.1`](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/releases/tag/v1.16.1) | `No update` | 13 | | `load-balancer-controller` | [`v2.4.7`](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.4.7) | `No update` | 14 | | `node-termination-handler` | [`v1.19.0`](https://github.com/aws/aws-node-termination-handler/releases/tag/v1.19.0) | `No update` | 15 | 16 | > Please refer to the individual release notes to get detailed information on each release. 17 | 18 | ## Update Guide 🦮 19 | 20 | Update your Terraform project and CLI to version >= 1.3 and run `terraform init -upgrade`, then apply the new version. 21 | 22 | 23 | -------------------------------------------------------------------------------- /docs/releases/v4.0.0.md: -------------------------------------------------------------------------------- 1 | # AWS Module Release 4.0.0 2 | 3 | Welcome to the latest release of the `aws` module for the [`SIGHUP Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP. 
4 | 5 | This is a major release that removes the ebs-csi-driver package in favor of EKS addons, and replaces it with the snapshot-controller, still needed by the EBS CSI driver. 6 | This release adds also support for Kubernetes 1.26. 7 | 8 | ## Component Images 🚢 9 | 10 | | Component | Supported Version | Previous Version | 11 | | -------------------------- | ----------------------------------------------------------------------------------------------- | ---------------- | 12 | | `cluster-austoscaler` | [`v1.26.4`](https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.26.4) | `1.25.0` | 13 | | `snapshot-controller` | [`v6.2.1`](https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v6.2.1) | `New Package` | 14 | | `load-balancer-controller` | [`v2.6.0`](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.6.0) | `2.4.7` | 15 | | `node-termination-handler` | [`v1.19.0`](https://github.com/aws/aws-node-termination-handler/releases/tag/v1.19.0) | `No Update` | 16 | 17 | > Please refer to the individual release notes to get detailed information on each release. 18 | 19 | 20 | -------------------------------------------------------------------------------- /docs/releases/v4.1.0.md: -------------------------------------------------------------------------------- 1 | # AWS Module Release 4.1.0 2 | 3 | Welcome to the latest release of the `aws` module for the [`SIGHUP Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP. 4 | 5 | This is a minor release that updates the packages `cluster-autoscaler` and `snapshot-controller`. 6 | This release adds also support for Kubernetes 1.27. 
7 | 8 | ## Component Images 🚢 9 | 10 | | Component | Supported Version | Previous Version | 11 | | -------------------------- | ----------------------------------------------------------------------------------------------- | ---------------- | 12 | | `cluster-austoscaler` | [`v1.27.2`](https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.27.2) | `1.26.4` | 13 | | `snapshot-controller` | [`v6.3.0`](https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v6.3.0) | `v6.2.1` | 14 | | `load-balancer-controller` | [`v2.6.0`](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.6.0) | `No Update` | 15 | | `node-termination-handler` | [`v1.19.0`](https://github.com/aws/aws-node-termination-handler/releases/tag/v1.19.0) | `No Update` | 16 | 17 | > Please refer to the individual release notes to get detailed information on each release. 18 | 19 | 20 | -------------------------------------------------------------------------------- /docs/releases/v4.2.0.md: -------------------------------------------------------------------------------- 1 | # AWS Module Release 4.2.0 2 | 3 | Welcome to the latest release of the `aws` module for the [`SIGHUP Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP. 4 | 5 | This is a minor release that updates all the packages. 6 | This release adds also support for Kubernetes 1.28 and 1.29. 
7 | 8 | ## Component Images 🚢 9 | 10 | | Component | Supported Version | Previous Version | 11 | | -------------------------- | ----------------------------------------------------------------------------------------------- | ---------------- | 12 | | `cluster-austoscaler` | [`v1.29.0`](https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.29.0) | `1.27.2` | 13 | | `snapshot-controller` | [`v6.3.1`](https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v6.3.0) | `v6.2.0` | 14 | | `load-balancer-controller` | [`v2.7.0`](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.7.0) | `v2.6.0` | 15 | | `node-termination-handler` | [`v1.20.0`](https://github.com/aws/aws-node-termination-handler/releases/tag/v1.20.0) | `v1.19.0` | 16 | 17 | > Please refer to the individual release notes to get detailed information on each release. 18 | 19 | 20 | -------------------------------------------------------------------------------- /docs/releases/v4.2.1.md: -------------------------------------------------------------------------------- 1 | # AWS Module Release 4.2.1 2 | 3 | Welcome to the latest release of the `aws` module for the [`SIGHUP Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP. 4 | 5 | This is a minor release that adds override on the names of the IAM roles in the terraform modules. 
6 | 7 | ## Component Images 🚢 8 | 9 | | Component | Supported Version | Previous Version | 10 | | -------------------------- | ----------------------------------------------------------------------------------------------- | ---------------- | 11 | | `cluster-austoscaler` | [`v1.29.0`](https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.29.0) | `No update` | 12 | | `snapshot-controller` | [`v6.3.1`](https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v6.3.0) | `No update` | 13 | | `load-balancer-controller` | [`v2.7.0`](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.7.0) | `No update` | 14 | | `node-termination-handler` | [`v1.20.0`](https://github.com/aws/aws-node-termination-handler/releases/tag/v1.20.0) | `No update` | 15 | 16 | > Please refer to the individual release notes to get detailed information on each release. 17 | 18 | 19 | -------------------------------------------------------------------------------- /docs/releases/v4.3.0.md: -------------------------------------------------------------------------------- 1 | # AWS Module Release 4.3.0 2 | 3 | Welcome to the latest release of the `aws` module for the [`SIGHUP Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP. 4 | 5 | This is a minor release that updates all packages and adds compatibility with Kubernetes 1.30 and 1.31. 
6 | 7 | ## Component Images 🚢 8 | 9 | | Component | Supported Version | Previous Version | 10 | | -------------------------- | ----------------------------------------------------------------------------------------------------- | ---------------- | 11 | | `cluster-austoscaler` | [`v1.31.0`/`1.30.0`](https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.31.0) | `1.29.0` | 12 | | `snapshot-controller` | [`v8.1.0`](https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v8.1.0) | `v6.3.1` | 13 | | `load-balancer-controller` | [`v2.10.0`](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.10.0) | `2.7.0` | 14 | | `node-termination-handler` | [`v1.22.1`](https://github.com/aws/aws-node-termination-handler/releases/tag/v1.22.1) | `v1.20.0` | 15 | 16 | > Please refer to the individual release notes to get detailed information on each release. 17 | 18 | 19 | -------------------------------------------------------------------------------- /docs/releases/v5.0.0.md: -------------------------------------------------------------------------------- 1 | # AWS Module Release v5.0.0 2 | 3 | Welcome to the latest release of the `aws` module for the [`SIGHUP Distribution`](https://github.com/sighupio/fury-distribution), maintained by team SIGHUP. 4 | 5 | This is a **major release** that updates all packages, adds compatibility with **Kubernetes 1.32** and moves the snapshot-controller management under EKS addons. 
6 | 7 | ## Component Images 🚢 8 | 9 | | Component | Supported Version | Previous Version | 10 | | -------------------------- |---------------------------------------------------------------------------------------------------|------------------| 11 | | `cluster-austoscaler` | [`v1.32.0`](https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.32.0) | `1.31.0` | 12 | | `snapshot-controller` | **REMOVED** | `v8.1.0` | 13 | | `load-balancer-controller` | [`v2.12.0`](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.12.0) | `2.10.0` | 14 | | `node-termination-handler` | [`v1.25.0`](https://github.com/aws/aws-node-termination-handler/releases/tag/v1.25.0) | `v1.22.1` | 15 | 16 | > **Note:** Please refer to the individual release notes for detailed information on each update. 17 | 18 | ## Breaking Changes 🚨 19 | 20 | In this release, the **Snapshot Controller** has been migrated from **Katalog** (Kubernetes manifests managed with Kustomize) to **AWS EKS Addon** (using Terraform modules). 21 | 22 | ### 🔑 Key Changes 23 | 24 | - The **Snapshot Controller** is no longer deployed using Kustomize within Katalog. 25 | - Instead, it is now managed as an **AWS EKS Addon**, simplifying lifecycle management and ensuring better integration with AWS services. 26 | - This change improves maintainability, reduces manual updates, and leverages AWS-managed updates for security and stability. 27 | 28 | ### ⚠️ Impact & Considerations 29 | 30 | - Existing snapshot functionality should remain unaffected. 31 | - Users should ensure that the **AWS EKS Addon** for the Snapshot Controller is enabled in their cluster. 32 | - If any custom configurations were applied via Kustomize, they should be reviewed and adapted to the AWS EKS Addon settings. 
33 | 34 | ## Update Guide 🛠️ 35 | 36 | Delete the existing snapshot-controller: 37 | 38 | ```shell 39 | kustomize build katalog/snapshot-controller | kubectl delete -f - 40 | ``` 41 | 42 | Apply the updated terraform module included in this release. 43 | 44 | 45 | -------------------------------------------------------------------------------- /examples/eks-addons/README.md: -------------------------------------------------------------------------------- 1 | # SIGHUP Distribution AWS Module - EKS Add-ons Example 2 | 3 | This folder contains working examples of the terraform module `eks-addons`. 4 | 5 | In order to test it, you follow the instructions below. 6 | 7 | > [!NOTE] 8 | > All comments starting with `TASK:` require you to run some manual action on your computer 9 | that cannot be automated with the following script. 10 | 11 | This module requires an existing EKS cluster to be executed. 12 | You may want to have a look at this [example](https://github.com/sighupio/installer-eks/blob/main/examples/README.md). 
13 | 14 | ```bash 15 | # First of all, export the needed env vars for the aws provider to work 16 | export AWS_ACCESS_KEY_ID= 17 | export AWS_SECRET_ACCESS_KEY= 18 | export AWS_REGION= 19 | 20 | # Bring up the addons 21 | cd examples/eks-addons 22 | cp main.auto.tfvars.dist main.auto.tfvars 23 | # TASK: fill in main.auto.tfvars with your data 24 | terraform init 25 | terraform apply 26 | ``` 27 | -------------------------------------------------------------------------------- /examples/eks-addons/coredns.json: -------------------------------------------------------------------------------- 1 | { 2 | "tolerations": [ 3 | { 4 | "key": "node.kubernetes.io/role", 5 | "value": "infra", 6 | "effect": "NoSchedule" 7 | } 8 | ], 9 | "nodeSelector": { 10 | "node.kubernetes.io/role" : "app" 11 | } 12 | } -------------------------------------------------------------------------------- /examples/eks-addons/ebs.json: -------------------------------------------------------------------------------- 1 | { 2 | "controller": { 3 | "tolerations": [ 4 | { 5 | "key": "node.kubernetes.io/role", 6 | "value": "app", 7 | "effect": "NoSchedule" 8 | } 9 | ], 10 | "nodeSelector": { 11 | "node.kubernetes.io/role": "app" 12 | } 13 | } 14 | } -------------------------------------------------------------------------------- /examples/eks-addons/kube-proxy.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": { 3 | "requests": { 4 | "cpu": "100m" 5 | } 6 | } 7 | } -------------------------------------------------------------------------------- /examples/eks-addons/main.auto.tfvars.dist: -------------------------------------------------------------------------------- 1 | cluster_name = fury-public-example -------------------------------------------------------------------------------- /examples/eks-addons/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright (c) 2017-present SIGHUP 
s.r.l All rights reserved. 3 | * Use of this source code is governed by a BSD-style 4 | * license that can be found in the LICENSE file. 5 | */ 6 | 7 | terraform { 8 | required_version = "~> 1.4" 9 | required_providers { 10 | local = "~> 2.4.0" 11 | null = "~> 3.2.1" 12 | aws = "~> 4.67.0" 13 | external = "~> 2.3.1" 14 | } 15 | } 16 | 17 | module "addons" { 18 | source = "../../modules/eks-addons" 19 | cluster_name = var.cluster_name 20 | ebs_csi_driver = { 21 | enabled = true 22 | version = "v1.40.1-eksbuild.1" 23 | configuration_values = file("ebs.json") 24 | } 25 | snapshot_controller = { 26 | enabled = true 27 | version = "v8.2.0-eksbuild.1" 28 | configuration_values = file("snapshot-controller.json") 29 | } 30 | coredns = { 31 | enabled = true 32 | version = "v1.11.4-eksbuild.2" 33 | configuration_values = file("coredns.json") 34 | } 35 | kube_proxy = { 36 | enabled = true 37 | version = "v1.31.3-eksbuild.2" 38 | configuration_values = file("kube-proxy.json") 39 | } 40 | vpc_cni = { 41 | enabled = true 42 | version = "v1.19.3-eksbuild.1" 43 | configuration_values = file("vpc-cni.json") 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /examples/eks-addons/snapshot-controller.json: -------------------------------------------------------------------------------- 1 | { 2 | "tolerations": [ 3 | { 4 | "key": "node.kubernetes.io/role", 5 | "value": "infra", 6 | "effect": "NoSchedule" 7 | } 8 | ], 9 | "nodeSelector": { 10 | "node.kubernetes.io/role" : "app" 11 | } 12 | } -------------------------------------------------------------------------------- /examples/eks-addons/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 3 | * Use of this source code is governed by a BSD-style 4 | * license that can be found in the LICENSE file. 
5 | */ 6 | 7 | variable "cluster_name" { 8 | type = string 9 | description = "Unique cluster name. Used in multiple resources to identify your cluster resources" 10 | } 11 | -------------------------------------------------------------------------------- /examples/eks-addons/vpc-cni.json: -------------------------------------------------------------------------------- 1 | { 2 | "env": { 3 | "ANNOTATE_POD_IP": "false", 4 | "AWS_VPC_CNI_NODE_PORT_SUPPORT": "true", 5 | "AWS_VPC_ENI_MTU": "9001" 6 | }, 7 | "init": { 8 | "env": { 9 | "DISABLE_TCP_EARLY_DEMUX": "false" 10 | } 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /katalog/cluster-autoscaler/MAINTENANCE.md: -------------------------------------------------------------------------------- 1 | # Cluster Autoscaler maintenance 2 | 3 | To maintain the clusterautoscaler package, you should follow these steps. 4 | 5 | Build the new helm template with the following command: 6 | 7 | ```bash 8 | helm repo add autoscaler https://kubernetes.github.io/autoscaler 9 | 10 | helm template cluster-autoscaler autoscaler/cluster-autoscaler -n kube-system \ 11 | --set cloudProvider=aws \ 12 | --set 'autoDiscovery.clusterName'=changeme \ 13 | --set fullnameOverride=cluster-autoscaler \ 14 | --set awsRegion=eu-west-1 > built.yaml 15 | ``` 16 | 17 | Check the differences with `base/deploy.yaml` file and change accordingly. 18 | 19 | What was changed: 20 | 21 | - Removed unnecessary helm tags from the manifests and replaced with `app: cluster-autoscaler` when applicable, to maintain compatibility with older cluster-autoscaler package versions. 
22 | - cluster-autoscaler command changed to: 23 | 24 | ```yaml 25 | command: 26 | - ./cluster-autoscaler 27 | - --cloud-provider=aws 28 | - --namespace=kube-system 29 | - --logtostderr=true 30 | - --stderrthreshold=info 31 | - --v=4 32 | - --scale-up-from-zero 33 | - --skip-nodes-with-local-storage=false 34 | - --expander=least-waste 35 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/$(CLUSTER_NAME) 36 | ``` 37 | 38 | - Added env var `CLUSTER_NAME` to the deployment, to simplify patching 39 | - Added requests and limits 40 | - Removed PodDisruptionBudget 41 | 42 | Add the new EKS version folder like the existing v1.23.x, v1.24.x, v1.25.x, etc. if needed. -------------------------------------------------------------------------------- /katalog/cluster-autoscaler/README.md: -------------------------------------------------------------------------------- 1 | # Cluster Autoscaler 2 | 3 | 4 | 5 | A component that automatically adjusts the size of a Kubernetes Cluster so that all pods have a place to run and there are no unneeded nodes. Supports several public cloud providers. Version 1.0 (GA) was released with Kubernetes 1.8. 6 | 7 | ## Requirements 8 | 9 | - Kubernetes >= `1.28.0` 10 | - Kustomize = `v3.5.3` 11 | 12 | ## Image repository and tag 13 | 14 | - Cluster autoscaler image: `registry.sighup.io/autoscaling/cluster-autoscaler:v1.29.0,v1.30.2,v1.31.0,v1.32.0` 15 | - Cluster autoscaler repo: [Cluster autoscaler at Github][ca-github] 16 | 17 | ## Deployment 18 | 19 | You can deploy cluster autoscaler in your EKS cluster by including the package in your Kustomize project: 20 | 21 | `kustomization.yaml` file extract: 22 | 23 | ```yaml 24 | ... 25 | 26 | resources: 27 | - katalog/cluster-autoscaler/{v1.29.x,v1.30.x,v1.31.x,v1.32.0} 28 | 29 | ... 
30 | ``` 31 | 32 | Refer to the Terraform module [iam-for-cluster-autoscaler](../../modules/iam-for-cluster-autoscaler) to create the IAM role and the required kustomize patches automatically. 33 | 34 | If still you want to create everything manually without using our Terraform Module, you need to patch the service account, the cluster name (for example `mycluster`) and the region (for example `eu-west-1`) as follows: 35 | 36 | `sa-patch.yaml` 37 | 38 | ```yaml 39 | --- 40 | apiVersion: v1 41 | kind: ServiceAccount 42 | metadata: 43 | annotations: 44 | eks.amazonaws.com/role-arn: arn:aws:iam::123456789123:role/your-role-name 45 | name: cluster-autoscaler 46 | namespace: kube-system 47 | ``` 48 | 49 | `cluster-autoscaler-patch.yaml` 50 | 51 | ```yaml 52 | apiVersion: apps/v1 53 | kind: Deployment 54 | metadata: 55 | labels: 56 | app: cluster-autoscaler 57 | name: cluster-autoscaler 58 | namespace: kube-system 59 | spec: 60 | template: 61 | spec: 62 | containers: 63 | - name: aws-cluster-autoscaler 64 | env: 65 | - name: AWS_REGION 66 | value: "eu-west-1" 67 | - name: CLUSTER_NAME 68 | value: mycluster 69 | ``` 70 | 71 | and then add on the `kustomization.yaml` file the patches: 72 | 73 | `kustomization.yaml` file extract: 74 | 75 | ```yaml 76 | ... 77 | 78 | patchesStrategicMerge: 79 | - sa-patch.yaml 80 | - cluster-autoscaler-patch.yaml 81 | 82 | ... 83 | ``` 84 | 85 | You can then apply your kustomize project by running the following command: 86 | 87 | ```bash 88 | kustomize build | kubectl apply -f - 89 | ``` 90 | 91 | 92 | 93 | [ca-github]: https://github.com/kubernetes/autoscaler 94 | 95 | 96 | 97 | ## License 98 | 99 | For license details please see [LICENSE](../../LICENSE) 100 | -------------------------------------------------------------------------------- /katalog/cluster-autoscaler/base/deploy.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 
2 | # Use of this source code is governed by a BSD-style 3 | # license that can be found in the LICENSE file. 4 | 5 | --- 6 | # Source: cluster-autoscaler/templates/serviceaccount.yaml 7 | apiVersion: v1 8 | kind: ServiceAccount 9 | metadata: 10 | labels: 11 | app: cluster-autoscaler 12 | name: cluster-autoscaler 13 | namespace: kube-system 14 | automountServiceAccountToken: true 15 | --- 16 | # Source: cluster-autoscaler/templates/clusterrole.yaml 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | kind: ClusterRole 19 | metadata: 20 | labels: 21 | app: cluster-autoscaler 22 | name: cluster-autoscaler 23 | rules: 24 | - apiGroups: 25 | - "" 26 | resources: 27 | - events 28 | - endpoints 29 | verbs: 30 | - create 31 | - patch 32 | - apiGroups: 33 | - "" 34 | resources: 35 | - pods/eviction 36 | verbs: 37 | - create 38 | - apiGroups: 39 | - "" 40 | resources: 41 | - pods/status 42 | verbs: 43 | - update 44 | - apiGroups: 45 | - "" 46 | resources: 47 | - endpoints 48 | resourceNames: 49 | - cluster-autoscaler 50 | verbs: 51 | - get 52 | - update 53 | - apiGroups: 54 | - "" 55 | resources: 56 | - nodes 57 | verbs: 58 | - watch 59 | - list 60 | - create 61 | - delete 62 | - get 63 | - update 64 | - apiGroups: 65 | - "" 66 | resources: 67 | - namespaces 68 | - pods 69 | - services 70 | - replicationcontrollers 71 | - persistentvolumeclaims 72 | - persistentvolumes 73 | verbs: 74 | - watch 75 | - list 76 | - get 77 | - apiGroups: 78 | - batch 79 | resources: 80 | - jobs 81 | - cronjobs 82 | verbs: 83 | - watch 84 | - list 85 | - get 86 | - apiGroups: 87 | - batch 88 | - extensions 89 | resources: 90 | - jobs 91 | verbs: 92 | - get 93 | - list 94 | - patch 95 | - watch 96 | - apiGroups: 97 | - extensions 98 | resources: 99 | - replicasets 100 | - daemonsets 101 | verbs: 102 | - watch 103 | - list 104 | - get 105 | - apiGroups: 106 | - policy 107 | resources: 108 | - poddisruptionbudgets 109 | verbs: 110 | - watch 111 | - list 112 | - apiGroups: 113 | - apps 114 | 
resources: 115 | - daemonsets 116 | - replicasets 117 | - statefulsets 118 | verbs: 119 | - watch 120 | - list 121 | - get 122 | - apiGroups: 123 | - storage.k8s.io 124 | resources: 125 | - storageclasses 126 | - csinodes 127 | - csidrivers 128 | - csistoragecapacities 129 | - volumeattachments 130 | verbs: 131 | - watch 132 | - list 133 | - get 134 | - apiGroups: 135 | - "" 136 | resources: 137 | - configmaps 138 | verbs: 139 | - list 140 | - watch 141 | - get 142 | - apiGroups: 143 | - coordination.k8s.io 144 | resources: 145 | - leases 146 | verbs: 147 | - create 148 | - apiGroups: 149 | - coordination.k8s.io 150 | resourceNames: 151 | - cluster-autoscaler 152 | resources: 153 | - leases 154 | verbs: 155 | - get 156 | - update 157 | --- 158 | # Source: cluster-autoscaler/templates/clusterrolebinding.yaml 159 | apiVersion: rbac.authorization.k8s.io/v1 160 | kind: ClusterRoleBinding 161 | metadata: 162 | labels: 163 | app: cluster-autoscaler 164 | name: cluster-autoscaler 165 | roleRef: 166 | apiGroup: rbac.authorization.k8s.io 167 | kind: ClusterRole 168 | name: cluster-autoscaler 169 | subjects: 170 | - kind: ServiceAccount 171 | name: cluster-autoscaler 172 | namespace: kube-system 173 | --- 174 | # Source: cluster-autoscaler/templates/role.yaml 175 | apiVersion: rbac.authorization.k8s.io/v1 176 | kind: Role 177 | metadata: 178 | labels: 179 | app: cluster-autoscaler 180 | name: cluster-autoscaler 181 | namespace: kube-system 182 | rules: 183 | - apiGroups: 184 | - "" 185 | resources: 186 | - configmaps 187 | verbs: 188 | - create 189 | - apiGroups: 190 | - "" 191 | resources: 192 | - configmaps 193 | resourceNames: 194 | - cluster-autoscaler-status 195 | verbs: 196 | - delete 197 | - get 198 | - update 199 | --- 200 | # Source: cluster-autoscaler/templates/rolebinding.yaml 201 | apiVersion: rbac.authorization.k8s.io/v1 202 | kind: RoleBinding 203 | metadata: 204 | labels: 205 | app: cluster-autoscaler 206 | name: cluster-autoscaler 207 | namespace: kube-system 
208 | roleRef: 209 | apiGroup: rbac.authorization.k8s.io 210 | kind: Role 211 | name: cluster-autoscaler 212 | subjects: 213 | - kind: ServiceAccount 214 | name: cluster-autoscaler 215 | namespace: kube-system 216 | --- 217 | # Source: cluster-autoscaler/templates/service.yaml 218 | apiVersion: v1 219 | kind: Service 220 | metadata: 221 | labels: 222 | app: cluster-autoscaler 223 | name: cluster-autoscaler 224 | namespace: kube-system 225 | spec: 226 | ports: 227 | - port: 8085 228 | protocol: TCP 229 | targetPort: 8085 230 | name: http 231 | selector: 232 | app: cluster-autoscaler 233 | type: "ClusterIP" 234 | --- 235 | # Source: cluster-autoscaler/templates/deployment.yaml 236 | apiVersion: apps/v1 237 | kind: Deployment 238 | metadata: 239 | labels: 240 | app: cluster-autoscaler 241 | name: cluster-autoscaler 242 | namespace: kube-system 243 | spec: 244 | replicas: 1 245 | revisionHistoryLimit: 10 246 | selector: 247 | matchLabels: 248 | app: cluster-autoscaler 249 | template: 250 | metadata: 251 | labels: 252 | app: cluster-autoscaler 253 | spec: 254 | priorityClassName: "system-cluster-critical" 255 | dnsPolicy: "ClusterFirst" 256 | containers: 257 | - name: aws-cluster-autoscaler 258 | image: "cluster-autoscaler" 259 | imagePullPolicy: "IfNotPresent" 260 | command: 261 | - ./cluster-autoscaler 262 | - --cloud-provider=aws 263 | - --namespace=kube-system 264 | - --logtostderr=true 265 | - --stderrthreshold=info 266 | - --v=4 267 | - --scale-up-from-zero 268 | - --skip-nodes-with-local-storage=false 269 | - --expander=least-waste 270 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/$(CLUSTER_NAME) 271 | env: 272 | - name: POD_NAMESPACE 273 | valueFrom: 274 | fieldRef: 275 | fieldPath: metadata.namespace 276 | - name: SERVICE_ACCOUNT 277 | valueFrom: 278 | fieldRef: 279 | fieldPath: spec.serviceAccountName 280 | - name: AWS_REGION 281 | value: "eu-west-1" 282 | - name: CLUSTER_NAME 283 | value: "mycluster" 284 | 
livenessProbe: 285 | httpGet: 286 | path: /health-check 287 | port: 8085 288 | ports: 289 | - containerPort: 8085 290 | resources: 291 | limits: 292 | cpu: "1" 293 | memory: 800Mi 294 | requests: 295 | cpu: 100m 296 | memory: 300Mi 297 | serviceAccountName: cluster-autoscaler 298 | -------------------------------------------------------------------------------- /katalog/cluster-autoscaler/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 2 | # Use of this source code is governed by a BSD-style 3 | # license that can be found in the LICENSE file. 4 | 5 | --- 6 | apiVersion: kustomize.config.k8s.io/v1beta1 7 | kind: Kustomization 8 | 9 | namespace: kube-system 10 | 11 | resources: 12 | - deploy.yaml 13 | 14 | images: 15 | - name: cluster-autoscaler # k8s.gcr.io/autoscaling/cluster-autoscaler:v1.23.0 16 | newName: registry.sighup.io/fury/autoscaling/cluster-autoscaler 17 | -------------------------------------------------------------------------------- /katalog/cluster-autoscaler/v1.29.x/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 2 | # Use of this source code is governed by a BSD-style 3 | # license that can be found in the LICENSE file. 4 | 5 | --- 6 | apiVersion: kustomize.config.k8s.io/v1beta1 7 | kind: Kustomization 8 | 9 | namespace: kube-system 10 | 11 | resources: 12 | - ../base 13 | 14 | images: 15 | - name: registry.sighup.io/fury/autoscaling/cluster-autoscaler 16 | newTag: v1.29.0 -------------------------------------------------------------------------------- /katalog/cluster-autoscaler/v1.30.x/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 
2 | # Use of this source code is governed by a BSD-style 3 | # license that can be found in the LICENSE file. 4 | 5 | --- 6 | apiVersion: kustomize.config.k8s.io/v1beta1 7 | kind: Kustomization 8 | 9 | namespace: kube-system 10 | 11 | resources: 12 | - ../base 13 | 14 | images: 15 | - name: registry.sighup.io/fury/autoscaling/cluster-autoscaler 16 | newTag: v1.30.2 17 | -------------------------------------------------------------------------------- /katalog/cluster-autoscaler/v1.31.x/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 2 | # Use of this source code is governed by a BSD-style 3 | # license that can be found in the LICENSE file. 4 | 5 | --- 6 | apiVersion: kustomize.config.k8s.io/v1beta1 7 | kind: Kustomization 8 | 9 | namespace: kube-system 10 | 11 | resources: 12 | - ../base 13 | 14 | images: 15 | - name: registry.sighup.io/fury/autoscaling/cluster-autoscaler 16 | newTag: v1.31.0 17 | -------------------------------------------------------------------------------- /katalog/cluster-autoscaler/v1.32.x/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 2 | # Use of this source code is governed by a BSD-style 3 | # license that can be found in the LICENSE file. 
4 | 5 | --- 6 | apiVersion: kustomize.config.k8s.io/v1beta1 7 | kind: Kustomization 8 | 9 | namespace: kube-system 10 | 11 | resources: 12 | - ../base 13 | 14 | images: 15 | - name: registry.sighup.io/fury/autoscaling/cluster-autoscaler 16 | newTag: v1.32.0 17 | -------------------------------------------------------------------------------- /katalog/load-balancer-controller/MAINTENANCE.md: -------------------------------------------------------------------------------- 1 | # Load Balancer controller maintenance 2 | 3 | To maintain the AWS load balancer controller package, you should follow these steps. 4 | 5 | Go to and follow the steps for 6 | the non-helm installation. 7 | 8 | Get the yaml file, for example 9 | and compare it with `deploy.yaml` file. 10 | 11 | You should also update the `modules/iam-for-load-balancer-controller/iam.tf` file with the policy provided in the release, for example: . 12 | 13 | What was changed: 14 | 15 | - Moved cluster name to an environment variable `CLUSTER_NAME` 16 | -------------------------------------------------------------------------------- /katalog/load-balancer-controller/README.md: -------------------------------------------------------------------------------- 1 | # AWS Load Balancer controller 2 | 3 | 4 | 5 | AWS Load Balancer Controller is a controller to help manage Elastic Load Balancers for a Kubernetes cluster. 6 | 7 | - It satisfies Kubernetes Ingress resources by provisioning Application Load Balancers. 8 | - It satisfies Kubernetes Service resources by provisioning Network Load Balancers. 
9 | 10 | ## Requirements 11 | 12 | - Kubernetes >= `1.22.0` 13 | - Kustomize >= `v3.5.3` 14 | - [cert-manager][cert-manager] 15 | 16 | ## Image repositories 17 | 18 | - AWS Load Balancer controller image: `registry.sighup.io/fury/amazon/aws-alb-ingress-controller` 19 | - AWS Load Balancer controller repo: [AWS Load Balancer controller at Github][github] 20 | 21 | ## Deployment 22 | 23 | You can deploy AWS Load Balancer controller in your EKS cluster by including the package in your kustomize project: 24 | 25 | `kustomization.yaml` file extract: 26 | 27 | ```yaml 28 | ... 29 | 30 | resources: 31 | - katalog/load-balancer-controller 32 | 33 | ... 34 | ``` 35 | 36 | Refer to the Terraform module [iam-for-load-balancer-controller](../../modules/iam-for-load-balancer-controller) to create the IAM role and the required kustomize patches automatically. 37 | 38 | If still you want to create everything manually without using our Terraform Module, you need then to patch the service account and the cluster name (for example `mycluster`) as follows: 39 | 40 | `sa-patch.yaml` 41 | 42 | ```yaml 43 | --- 44 | kind: ServiceAccount 45 | metadata: 46 | annotations: 47 | eks.amazonaws.com/role-arn: arn:aws:iam::123456789123:role/your-role-name 48 | name: aws-load-balancer-controller 49 | namespace: kube-system 50 | ``` 51 | 52 | `load-balancer-controller-patch.yaml` 53 | 54 | ```yaml 55 | apiVersion: apps/v1 56 | kind: Deployment 57 | metadata: 58 | labels: 59 | app.kubernetes.io/component: controller 60 | app.kubernetes.io/name: aws-load-balancer-controller 61 | name: aws-load-balancer-controller 62 | namespace: kube-system 63 | spec: 64 | 65 | template: 66 | 67 | spec: 68 | containers: 69 | - name: controller 70 | env: 71 | - name: CLUSTER_NAME 72 | value: mycluster 73 | ``` 74 | 75 | and then add on the `kustomization.yaml` file the patches: 76 | 77 | `kustomization.yaml` file extract: 78 | 79 | ```yaml 80 | ... 
81 | 82 | patchesStrategicMerge: 83 | - sa-patch.yaml 84 | - load-balancer-controller-patch.yaml 85 | 86 | ... 87 | ``` 88 | 89 | You can then apply your kustomize project by running the following command: 90 | 91 | ```bash 92 | kustomize build | kubectl apply -f - 93 | ``` 94 | 95 | 96 | 97 | [cert-manager]: https://github.com/sighupio/fury-kubernetes-ingress/tree/master/katalog/cert-manager 98 | [github]: https://github.com/kubernetes-sigs/aws-load-balancer-controller/ 99 | 100 | 101 | 102 | ## License 103 | 104 | For license details please see [LICENSE](../../LICENSE) 105 | -------------------------------------------------------------------------------- /katalog/load-balancer-controller/deploy.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 2 | # Use of this source code is governed by a BSD-style 3 | # license that can be found in the LICENSE file. 4 | 5 | --- 6 | apiVersion: apiextensions.k8s.io/v1 7 | kind: CustomResourceDefinition 8 | metadata: 9 | annotations: 10 | controller-gen.kubebuilder.io/version: v0.14.0 11 | labels: 12 | app.kubernetes.io/name: aws-load-balancer-controller 13 | name: ingressclassparams.elbv2.k8s.aws 14 | spec: 15 | group: elbv2.k8s.aws 16 | names: 17 | kind: IngressClassParams 18 | listKind: IngressClassParamsList 19 | plural: ingressclassparams 20 | singular: ingressclassparams 21 | scope: Cluster 22 | versions: 23 | - additionalPrinterColumns: 24 | - description: The Ingress Group name 25 | jsonPath: .spec.group.name 26 | name: GROUP-NAME 27 | type: string 28 | - description: The AWS Load Balancer scheme 29 | jsonPath: .spec.scheme 30 | name: SCHEME 31 | type: string 32 | - description: The AWS Load Balancer ipAddressType 33 | jsonPath: .spec.ipAddressType 34 | name: IP-ADDRESS-TYPE 35 | type: string 36 | - jsonPath: .metadata.creationTimestamp 37 | name: AGE 38 | type: date 39 | name: v1beta1 40 | schema: 41 | openAPIV3Schema: 
42 | description: IngressClassParams is the Schema for the IngressClassParams API 43 | properties: 44 | apiVersion: 45 | description: |- 46 | APIVersion defines the versioned schema of this representation of an object. 47 | Servers should convert recognized schemas to the latest internal value, and 48 | may reject unrecognized values. 49 | More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources 50 | type: string 51 | kind: 52 | description: |- 53 | Kind is a string value representing the REST resource this object represents. 54 | Servers may infer this from the endpoint the client submits requests to. 55 | Cannot be updated. 56 | In CamelCase. 57 | More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 58 | type: string 59 | metadata: 60 | type: object 61 | spec: 62 | description: IngressClassParamsSpec defines the desired state of IngressClassParams 63 | properties: 64 | certificateArn: 65 | description: CertificateArn specifies the ARN of the certificates 66 | for all Ingresses that belong to IngressClass with this IngressClassParams. 67 | items: 68 | type: string 69 | type: array 70 | group: 71 | description: Group defines the IngressGroup for all Ingresses that 72 | belong to IngressClass with this IngressClassParams. 73 | properties: 74 | name: 75 | description: Name is the name of IngressGroup. 76 | type: string 77 | required: 78 | - name 79 | type: object 80 | inboundCIDRs: 81 | description: InboundCIDRs specifies the CIDRs that are allowed to 82 | access the Ingresses that belong to IngressClass with this IngressClassParams. 83 | items: 84 | type: string 85 | type: array 86 | ipAddressType: 87 | description: IPAddressType defines the ip address type for all Ingresses 88 | that belong to IngressClass with this IngressClassParams. 
89 | enum: 90 | - ipv4 91 | - dualstack 92 | - dualstack-without-public-ipv4 93 | type: string 94 | ipamConfiguration: 95 | description: IPAMConfiguration defines the IPAM settings for a Load 96 | Balancer. 97 | properties: 98 | ipv4IPAMPoolId: 99 | description: IPv4IPAMPoolId defines the IPAM pool ID used for 100 | IPv4 Addresses on the ALB. 101 | type: string 102 | type: object 103 | listeners: 104 | description: Listeners define a list of listeners with their protocol, 105 | port and attributes. 106 | items: 107 | properties: 108 | listenerAttributes: 109 | description: The attributes of the listener 110 | items: 111 | description: Attributes defines custom attributes on resources. 112 | properties: 113 | key: 114 | description: The key of the attribute. 115 | type: string 116 | value: 117 | description: The value of the attribute. 118 | type: string 119 | required: 120 | - key 121 | - value 122 | type: object 123 | type: array 124 | port: 125 | description: The port of the listener 126 | format: int32 127 | type: integer 128 | protocol: 129 | description: The protocol of the listener 130 | type: string 131 | type: object 132 | type: array 133 | loadBalancerAttributes: 134 | description: LoadBalancerAttributes define the custom attributes to 135 | LoadBalancers for all Ingress that that belong to IngressClass with 136 | this IngressClassParams. 137 | items: 138 | description: Attributes defines custom attributes on resources. 139 | properties: 140 | key: 141 | description: The key of the attribute. 142 | type: string 143 | value: 144 | description: The value of the attribute. 145 | type: string 146 | required: 147 | - key 148 | - value 149 | type: object 150 | type: array 151 | minimumLoadBalancerCapacity: 152 | description: MinimumLoadBalancerCapacity define the capacity reservation 153 | for LoadBalancers for all Ingress that belong to IngressClass with 154 | this IngressClassParams. 
155 | properties: 156 | capacityUnits: 157 | description: The Capacity Units Value. 158 | format: int32 159 | type: integer 160 | required: 161 | - capacityUnits 162 | type: object 163 | namespaceSelector: 164 | description: |- 165 | NamespaceSelector restrict the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams. 166 | * if absent or present but empty, it selects all namespaces. 167 | properties: 168 | matchExpressions: 169 | description: matchExpressions is a list of label selector requirements. 170 | The requirements are ANDed. 171 | items: 172 | description: |- 173 | A label selector requirement is a selector that contains values, a key, and an operator that 174 | relates the key and values. 175 | properties: 176 | key: 177 | description: key is the label key that the selector applies 178 | to. 179 | type: string 180 | operator: 181 | description: |- 182 | operator represents a key's relationship to a set of values. 183 | Valid operators are In, NotIn, Exists and DoesNotExist. 184 | type: string 185 | values: 186 | description: |- 187 | values is an array of string values. If the operator is In or NotIn, 188 | the values array must be non-empty. If the operator is Exists or DoesNotExist, 189 | the values array must be empty. This array is replaced during a strategic 190 | merge patch. 191 | items: 192 | type: string 193 | type: array 194 | x-kubernetes-list-type: atomic 195 | required: 196 | - key 197 | - operator 198 | type: object 199 | type: array 200 | x-kubernetes-list-type: atomic 201 | matchLabels: 202 | additionalProperties: 203 | type: string 204 | description: |- 205 | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels 206 | map is equivalent to an element of matchExpressions, whose key field is "key", the 207 | operator is "In", and the values array contains only "value". The requirements are ANDed. 
208 | type: object 209 | type: object 210 | x-kubernetes-map-type: atomic 211 | scheme: 212 | description: Scheme defines the scheme for all Ingresses that belong 213 | to IngressClass with this IngressClassParams. 214 | enum: 215 | - internal 216 | - internet-facing 217 | type: string 218 | sslPolicy: 219 | description: SSLPolicy specifies the SSL Policy for all Ingresses 220 | that belong to IngressClass with this IngressClassParams. 221 | type: string 222 | subnets: 223 | description: Subnets defines the subnets for all Ingresses that belong 224 | to IngressClass with this IngressClassParams. 225 | properties: 226 | ids: 227 | description: IDs specify the resource IDs of subnets. Exactly 228 | one of this or `tags` must be specified. 229 | items: 230 | description: SubnetID specifies a subnet ID. 231 | pattern: subnet-[0-9a-f]+ 232 | type: string 233 | minItems: 1 234 | type: array 235 | tags: 236 | additionalProperties: 237 | items: 238 | type: string 239 | type: array 240 | description: |- 241 | Tags specifies subnets in the load balancer's VPC where each 242 | tag specified in the map key contains one of the values in the corresponding 243 | value list. 244 | Exactly one of this or `ids` must be specified. 245 | type: object 246 | type: object 247 | tags: 248 | description: Tags defines list of Tags on AWS resources provisioned 249 | for Ingresses that belong to IngressClass with this IngressClassParams. 250 | items: 251 | description: Tag defines a AWS Tag on resources. 252 | properties: 253 | key: 254 | description: The key of the tag. 255 | type: string 256 | value: 257 | description: The value of the tag. 
258 | type: string 259 | required: 260 | - key 261 | - value 262 | type: object 263 | type: array 264 | type: object 265 | type: object 266 | served: true 267 | storage: true 268 | subresources: {} 269 | --- 270 | apiVersion: apiextensions.k8s.io/v1 271 | kind: CustomResourceDefinition 272 | metadata: 273 | annotations: 274 | controller-gen.kubebuilder.io/version: v0.14.0 275 | labels: 276 | app.kubernetes.io/name: aws-load-balancer-controller 277 | name: targetgroupbindings.elbv2.k8s.aws 278 | spec: 279 | group: elbv2.k8s.aws 280 | names: 281 | kind: TargetGroupBinding 282 | listKind: TargetGroupBindingList 283 | plural: targetgroupbindings 284 | singular: targetgroupbinding 285 | scope: Namespaced 286 | versions: 287 | - additionalPrinterColumns: 288 | - description: The Kubernetes Service's name 289 | jsonPath: .spec.serviceRef.name 290 | name: SERVICE-NAME 291 | type: string 292 | - description: The Kubernetes Service's port 293 | jsonPath: .spec.serviceRef.port 294 | name: SERVICE-PORT 295 | type: string 296 | - description: The AWS TargetGroup's TargetType 297 | jsonPath: .spec.targetType 298 | name: TARGET-TYPE 299 | type: string 300 | - description: The AWS TargetGroup's Amazon Resource Name 301 | jsonPath: .spec.targetGroupARN 302 | name: ARN 303 | priority: 1 304 | type: string 305 | - description: The AWS TargetGroup's Name 306 | jsonPath: .spec.targetGroupName 307 | name: NAME 308 | priority: 2 309 | type: string 310 | - jsonPath: .metadata.creationTimestamp 311 | name: AGE 312 | type: date 313 | name: v1alpha1 314 | schema: 315 | openAPIV3Schema: 316 | description: TargetGroupBinding is the Schema for the TargetGroupBinding API 317 | properties: 318 | apiVersion: 319 | description: |- 320 | APIVersion defines the versioned schema of this representation of an object. 321 | Servers should convert recognized schemas to the latest internal value, and 322 | may reject unrecognized values. 
323 | More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources 324 | type: string 325 | kind: 326 | description: |- 327 | Kind is a string value representing the REST resource this object represents. 328 | Servers may infer this from the endpoint the client submits requests to. 329 | Cannot be updated. 330 | In CamelCase. 331 | More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 332 | type: string 333 | metadata: 334 | type: object 335 | spec: 336 | description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding 337 | properties: 338 | assumeRoleExternalId: 339 | description: IAM Role ARN to assume when calling AWS APIs. Needed 340 | to assume a role in another account and prevent the confused deputy 341 | problem. https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html 342 | type: string 343 | iamRoleArnToAssume: 344 | description: IAM Role ARN to assume when calling AWS APIs. Useful 345 | if the target group is in a different AWS account 346 | type: string 347 | multiClusterTargetGroup: 348 | description: MultiClusterTargetGroup Denotes if the TargetGroup is 349 | shared among multiple clusters 350 | type: boolean 351 | networking: 352 | description: networking provides the networking setup for ELBV2 LoadBalancer 353 | to access targets in TargetGroup. 354 | properties: 355 | ingress: 356 | description: List of ingress rules to allow ELBV2 LoadBalancer 357 | to access targets in TargetGroup. 358 | items: 359 | properties: 360 | from: 361 | description: |- 362 | List of peers which should be able to access the targets in TargetGroup. 363 | At least one NetworkingPeer should be specified. 364 | items: 365 | description: NetworkingPeer defines the source/destination 366 | peer for networking rules. 367 | properties: 368 | ipBlock: 369 | description: |- 370 | IPBlock defines an IPBlock peer. 
371 | If specified, none of the other fields can be set. 372 | properties: 373 | cidr: 374 | description: |- 375 | CIDR is the network CIDR. 376 | Both IPV4 or IPV6 CIDR are accepted. 377 | type: string 378 | required: 379 | - cidr 380 | type: object 381 | securityGroup: 382 | description: |- 383 | SecurityGroup defines a SecurityGroup peer. 384 | If specified, none of the other fields can be set. 385 | properties: 386 | groupID: 387 | description: GroupID is the EC2 SecurityGroupID. 388 | type: string 389 | required: 390 | - groupID 391 | type: object 392 | type: object 393 | type: array 394 | ports: 395 | description: |- 396 | List of ports which should be made accessible on the targets in TargetGroup. 397 | If ports is empty or unspecified, it defaults to all ports with TCP. 398 | items: 399 | properties: 400 | port: 401 | anyOf: 402 | - type: integer 403 | - type: string 404 | description: |- 405 | The port which traffic must match. 406 | When NodePort endpoints(instance TargetType) is used, this must be a numerical port. 407 | When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. 408 | if port is unspecified, it defaults to all ports. 409 | x-kubernetes-int-or-string: true 410 | protocol: 411 | description: |- 412 | The protocol which traffic must match. 413 | If protocol is unspecified, it defaults to TCP. 414 | enum: 415 | - TCP 416 | - UDP 417 | type: string 418 | type: object 419 | type: array 420 | required: 421 | - from 422 | - ports 423 | type: object 424 | type: array 425 | type: object 426 | serviceRef: 427 | description: serviceRef is a reference to a Kubernetes Service and 428 | ServicePort. 429 | properties: 430 | name: 431 | description: Name is the name of the Service. 432 | type: string 433 | port: 434 | anyOf: 435 | - type: integer 436 | - type: string 437 | description: Port is the port of the ServicePort. 
438 | x-kubernetes-int-or-string: true 439 | required: 440 | - name 441 | - port 442 | type: object 443 | targetGroupARN: 444 | description: targetGroupARN is the Amazon Resource Name (ARN) for 445 | the TargetGroup. 446 | type: string 447 | targetGroupName: 448 | description: targetGroupName is the Name of the TargetGroup. 449 | type: string 450 | targetType: 451 | description: targetType is the TargetType of TargetGroup. If unspecified, 452 | it will be automatically inferred. 453 | enum: 454 | - instance 455 | - ip 456 | type: string 457 | required: 458 | - serviceRef 459 | type: object 460 | status: 461 | description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding 462 | properties: 463 | observedGeneration: 464 | description: The generation observed by the TargetGroupBinding controller. 465 | format: int64 466 | type: integer 467 | type: object 468 | type: object 469 | served: true 470 | storage: false 471 | subresources: 472 | status: {} 473 | - additionalPrinterColumns: 474 | - description: The Kubernetes Service's name 475 | jsonPath: .spec.serviceRef.name 476 | name: SERVICE-NAME 477 | type: string 478 | - description: The Kubernetes Service's port 479 | jsonPath: .spec.serviceRef.port 480 | name: SERVICE-PORT 481 | type: string 482 | - description: The AWS TargetGroup's TargetType 483 | jsonPath: .spec.targetType 484 | name: TARGET-TYPE 485 | type: string 486 | - description: The AWS TargetGroup's Amazon Resource Name 487 | jsonPath: .spec.targetGroupARN 488 | name: ARN 489 | priority: 1 490 | type: string 491 | - description: The AWS TargetGroup's Name 492 | jsonPath: .spec.targetGroupName 493 | name: NAME 494 | priority: 2 495 | type: string 496 | - jsonPath: .metadata.creationTimestamp 497 | name: AGE 498 | type: date 499 | name: v1beta1 500 | schema: 501 | openAPIV3Schema: 502 | description: TargetGroupBinding is the Schema for the TargetGroupBinding API 503 | properties: 504 | apiVersion: 505 | description: |- 506 | 
APIVersion defines the versioned schema of this representation of an object. 507 | Servers should convert recognized schemas to the latest internal value, and 508 | may reject unrecognized values. 509 | More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources 510 | type: string 511 | kind: 512 | description: |- 513 | Kind is a string value representing the REST resource this object represents. 514 | Servers may infer this from the endpoint the client submits requests to. 515 | Cannot be updated. 516 | In CamelCase. 517 | More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 518 | type: string 519 | metadata: 520 | type: object 521 | spec: 522 | description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding 523 | properties: 524 | assumeRoleExternalId: 525 | description: IAM Role ARN to assume when calling AWS APIs. Needed 526 | to assume a role in another account and prevent the confused deputy 527 | problem. https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html 528 | type: string 529 | iamRoleArnToAssume: 530 | description: IAM Role ARN to assume when calling AWS APIs. Useful 531 | if the target group is in a different AWS account 532 | type: string 533 | ipAddressType: 534 | description: ipAddressType specifies whether the target group is of 535 | type IPv4 or IPv6. If unspecified, it will be automatically inferred. 536 | enum: 537 | - ipv4 538 | - ipv6 539 | type: string 540 | multiClusterTargetGroup: 541 | description: MultiClusterTargetGroup Denotes if the TargetGroup is 542 | shared among multiple clusters 543 | type: boolean 544 | networking: 545 | description: networking defines the networking rules to allow ELBV2 546 | LoadBalancer to access targets in TargetGroup. 547 | properties: 548 | ingress: 549 | description: List of ingress rules to allow ELBV2 LoadBalancer 550 | to access targets in TargetGroup. 
551 | items: 552 | description: NetworkingIngressRule defines a particular set 553 | of traffic that is allowed to access TargetGroup's targets. 554 | properties: 555 | from: 556 | description: |- 557 | List of peers which should be able to access the targets in TargetGroup. 558 | At least one NetworkingPeer should be specified. 559 | items: 560 | description: NetworkingPeer defines the source/destination 561 | peer for networking rules. 562 | properties: 563 | ipBlock: 564 | description: |- 565 | IPBlock defines an IPBlock peer. 566 | If specified, none of the other fields can be set. 567 | properties: 568 | cidr: 569 | description: |- 570 | CIDR is the network CIDR. 571 | Both IPV4 or IPV6 CIDR are accepted. 572 | type: string 573 | required: 574 | - cidr 575 | type: object 576 | securityGroup: 577 | description: |- 578 | SecurityGroup defines a SecurityGroup peer. 579 | If specified, none of the other fields can be set. 580 | properties: 581 | groupID: 582 | description: GroupID is the EC2 SecurityGroupID. 583 | type: string 584 | required: 585 | - groupID 586 | type: object 587 | type: object 588 | type: array 589 | ports: 590 | description: |- 591 | List of ports which should be made accessible on the targets in TargetGroup. 592 | If ports is empty or unspecified, it defaults to all ports with TCP. 593 | items: 594 | description: NetworkingPort defines the port and protocol 595 | for networking rules. 596 | properties: 597 | port: 598 | anyOf: 599 | - type: integer 600 | - type: string 601 | description: |- 602 | The port which traffic must match. 603 | When NodePort endpoints(instance TargetType) is used, this must be a numerical port. 604 | When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. 605 | if port is unspecified, it defaults to all ports. 606 | x-kubernetes-int-or-string: true 607 | protocol: 608 | description: |- 609 | The protocol which traffic must match. 
610 | If protocol is unspecified, it defaults to TCP. 611 | enum: 612 | - TCP 613 | - UDP 614 | type: string 615 | type: object 616 | type: array 617 | required: 618 | - from 619 | - ports 620 | type: object 621 | type: array 622 | type: object 623 | nodeSelector: 624 | description: node selector for instance type target groups to only 625 | register certain nodes 626 | properties: 627 | matchExpressions: 628 | description: matchExpressions is a list of label selector requirements. 629 | The requirements are ANDed. 630 | items: 631 | description: |- 632 | A label selector requirement is a selector that contains values, a key, and an operator that 633 | relates the key and values. 634 | properties: 635 | key: 636 | description: key is the label key that the selector applies 637 | to. 638 | type: string 639 | operator: 640 | description: |- 641 | operator represents a key's relationship to a set of values. 642 | Valid operators are In, NotIn, Exists and DoesNotExist. 643 | type: string 644 | values: 645 | description: |- 646 | values is an array of string values. If the operator is In or NotIn, 647 | the values array must be non-empty. If the operator is Exists or DoesNotExist, 648 | the values array must be empty. This array is replaced during a strategic 649 | merge patch. 650 | items: 651 | type: string 652 | type: array 653 | x-kubernetes-list-type: atomic 654 | required: 655 | - key 656 | - operator 657 | type: object 658 | type: array 659 | x-kubernetes-list-type: atomic 660 | matchLabels: 661 | additionalProperties: 662 | type: string 663 | description: |- 664 | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels 665 | map is equivalent to an element of matchExpressions, whose key field is "key", the 666 | operator is "In", and the values array contains only "value". The requirements are ANDed. 
667 | type: object 668 | type: object 669 | x-kubernetes-map-type: atomic 670 | serviceRef: 671 | description: serviceRef is a reference to a Kubernetes Service and 672 | ServicePort. 673 | properties: 674 | name: 675 | description: Name is the name of the Service. 676 | type: string 677 | port: 678 | anyOf: 679 | - type: integer 680 | - type: string 681 | description: Port is the port of the ServicePort. 682 | x-kubernetes-int-or-string: true 683 | required: 684 | - name 685 | - port 686 | type: object 687 | targetGroupARN: 688 | description: targetGroupARN is the Amazon Resource Name (ARN) for 689 | the TargetGroup. 690 | type: string 691 | targetGroupName: 692 | description: targetGroupName is the Name of the TargetGroup. 693 | type: string 694 | targetType: 695 | description: targetType is the TargetType of TargetGroup. If unspecified, 696 | it will be automatically inferred. 697 | enum: 698 | - instance 699 | - ip 700 | type: string 701 | vpcID: 702 | description: VpcID is the VPC of the TargetGroup. If unspecified, 703 | it will be automatically inferred. 704 | type: string 705 | required: 706 | - serviceRef 707 | type: object 708 | status: 709 | description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding 710 | properties: 711 | observedGeneration: 712 | description: The generation observed by the TargetGroupBinding controller. 
713 | format: int64 714 | type: integer 715 | type: object 716 | type: object 717 | served: true 718 | storage: true 719 | subresources: 720 | status: {} 721 | --- 722 | apiVersion: v1 723 | kind: ServiceAccount 724 | metadata: 725 | labels: 726 | app.kubernetes.io/component: controller 727 | app.kubernetes.io/name: aws-load-balancer-controller 728 | name: aws-load-balancer-controller 729 | namespace: kube-system 730 | --- 731 | apiVersion: rbac.authorization.k8s.io/v1 732 | kind: Role 733 | metadata: 734 | labels: 735 | app.kubernetes.io/name: aws-load-balancer-controller 736 | name: aws-load-balancer-controller-leader-election-role 737 | namespace: kube-system 738 | rules: 739 | - apiGroups: 740 | - "" 741 | resources: 742 | - configmaps 743 | verbs: 744 | - create 745 | - apiGroups: 746 | - "" 747 | resourceNames: 748 | - aws-load-balancer-controller-leader 749 | resources: 750 | - configmaps 751 | verbs: 752 | - get 753 | - update 754 | - patch 755 | - apiGroups: 756 | - coordination.k8s.io 757 | resources: 758 | - leases 759 | verbs: 760 | - create 761 | - apiGroups: 762 | - coordination.k8s.io 763 | resourceNames: 764 | - aws-load-balancer-controller-leader 765 | resources: 766 | - leases 767 | verbs: 768 | - get 769 | - update 770 | - patch 771 | --- 772 | apiVersion: rbac.authorization.k8s.io/v1 773 | kind: ClusterRole 774 | metadata: 775 | labels: 776 | app.kubernetes.io/name: aws-load-balancer-controller 777 | name: aws-load-balancer-controller-role 778 | rules: 779 | - apiGroups: 780 | - "" 781 | resources: 782 | - configmaps 783 | verbs: 784 | - create 785 | - delete 786 | - get 787 | - update 788 | - apiGroups: 789 | - "" 790 | resources: 791 | - endpoints 792 | verbs: 793 | - get 794 | - list 795 | - watch 796 | - apiGroups: 797 | - "" 798 | resources: 799 | - events 800 | verbs: 801 | - create 802 | - patch 803 | - apiGroups: 804 | - "" 805 | resources: 806 | - namespaces 807 | verbs: 808 | - get 809 | - list 810 | - watch 811 | - apiGroups: 812 | - 
"" 813 | resources: 814 | - nodes 815 | verbs: 816 | - get 817 | - list 818 | - watch 819 | - apiGroups: 820 | - "" 821 | resources: 822 | - pods 823 | verbs: 824 | - get 825 | - list 826 | - watch 827 | - apiGroups: 828 | - "" 829 | resources: 830 | - pods/status 831 | verbs: 832 | - patch 833 | - update 834 | - apiGroups: 835 | - "" 836 | resources: 837 | - services 838 | verbs: 839 | - get 840 | - list 841 | - patch 842 | - update 843 | - watch 844 | - apiGroups: 845 | - "" 846 | resources: 847 | - services/status 848 | verbs: 849 | - patch 850 | - update 851 | - apiGroups: 852 | - discovery.k8s.io 853 | resources: 854 | - endpointslices 855 | verbs: 856 | - get 857 | - list 858 | - watch 859 | - apiGroups: 860 | - elbv2.k8s.aws 861 | resources: 862 | - ingressclassparams 863 | verbs: 864 | - get 865 | - list 866 | - watch 867 | - apiGroups: 868 | - elbv2.k8s.aws 869 | resources: 870 | - targetgroupbindings 871 | verbs: 872 | - create 873 | - delete 874 | - get 875 | - list 876 | - patch 877 | - update 878 | - watch 879 | - apiGroups: 880 | - elbv2.k8s.aws 881 | resources: 882 | - targetgroupbindings/status 883 | verbs: 884 | - patch 885 | - update 886 | - apiGroups: 887 | - extensions 888 | resources: 889 | - ingresses 890 | verbs: 891 | - get 892 | - list 893 | - patch 894 | - update 895 | - watch 896 | - apiGroups: 897 | - extensions 898 | resources: 899 | - ingresses/status 900 | verbs: 901 | - patch 902 | - update 903 | - apiGroups: 904 | - networking.k8s.io 905 | resources: 906 | - ingressclasses 907 | verbs: 908 | - get 909 | - list 910 | - watch 911 | - apiGroups: 912 | - networking.k8s.io 913 | resources: 914 | - ingresses 915 | verbs: 916 | - get 917 | - list 918 | - patch 919 | - update 920 | - watch 921 | - apiGroups: 922 | - networking.k8s.io 923 | resources: 924 | - ingresses/status 925 | verbs: 926 | - patch 927 | - update 928 | --- 929 | apiVersion: rbac.authorization.k8s.io/v1 930 | kind: RoleBinding 931 | metadata: 932 | labels: 933 | 
app.kubernetes.io/name: aws-load-balancer-controller 934 | name: aws-load-balancer-controller-leader-election-rolebinding 935 | namespace: kube-system 936 | roleRef: 937 | apiGroup: rbac.authorization.k8s.io 938 | kind: Role 939 | name: aws-load-balancer-controller-leader-election-role 940 | subjects: 941 | - kind: ServiceAccount 942 | name: aws-load-balancer-controller 943 | namespace: kube-system 944 | --- 945 | apiVersion: rbac.authorization.k8s.io/v1 946 | kind: ClusterRoleBinding 947 | metadata: 948 | labels: 949 | app.kubernetes.io/name: aws-load-balancer-controller 950 | name: aws-load-balancer-controller-rolebinding 951 | roleRef: 952 | apiGroup: rbac.authorization.k8s.io 953 | kind: ClusterRole 954 | name: aws-load-balancer-controller-role 955 | subjects: 956 | - kind: ServiceAccount 957 | name: aws-load-balancer-controller 958 | namespace: kube-system 959 | --- 960 | apiVersion: v1 961 | kind: Service 962 | metadata: 963 | labels: 964 | app.kubernetes.io/name: aws-load-balancer-controller 965 | name: aws-load-balancer-webhook-service 966 | namespace: kube-system 967 | spec: 968 | ports: 969 | - port: 443 970 | targetPort: 9443 971 | selector: 972 | app.kubernetes.io/component: controller 973 | app.kubernetes.io/name: aws-load-balancer-controller 974 | --- 975 | apiVersion: apps/v1 976 | kind: Deployment 977 | metadata: 978 | labels: 979 | app.kubernetes.io/component: controller 980 | app.kubernetes.io/name: aws-load-balancer-controller 981 | name: aws-load-balancer-controller 982 | namespace: kube-system 983 | spec: 984 | replicas: 1 985 | selector: 986 | matchLabels: 987 | app.kubernetes.io/component: controller 988 | app.kubernetes.io/name: aws-load-balancer-controller 989 | template: 990 | metadata: 991 | labels: 992 | app.kubernetes.io/component: controller 993 | app.kubernetes.io/name: aws-load-balancer-controller 994 | spec: 995 | containers: 996 | - args: 997 | - --cluster-name=$(CLUSTER_NAME) 998 | - --ingress-class=alb 999 | image: 
public.ecr.aws/eks/aws-load-balancer-controller:v2.12.0 1000 | env: 1001 | - name: CLUSTER_NAME 1002 | value: changeme 1003 | livenessProbe: 1004 | failureThreshold: 2 1005 | httpGet: 1006 | path: /healthz 1007 | port: 61779 1008 | scheme: HTTP 1009 | initialDelaySeconds: 30 1010 | timeoutSeconds: 10 1011 | name: controller 1012 | ports: 1013 | - containerPort: 9443 1014 | name: webhook-server 1015 | protocol: TCP 1016 | resources: 1017 | limits: 1018 | cpu: 200m 1019 | memory: 500Mi 1020 | requests: 1021 | cpu: 100m 1022 | memory: 200Mi 1023 | securityContext: 1024 | allowPrivilegeEscalation: false 1025 | readOnlyRootFilesystem: true 1026 | runAsNonRoot: true 1027 | volumeMounts: 1028 | - mountPath: /tmp/k8s-webhook-server/serving-certs 1029 | name: cert 1030 | readOnly: true 1031 | priorityClassName: system-cluster-critical 1032 | securityContext: 1033 | fsGroup: 1337 1034 | serviceAccountName: aws-load-balancer-controller 1035 | terminationGracePeriodSeconds: 10 1036 | volumes: 1037 | - name: cert 1038 | secret: 1039 | defaultMode: 420 1040 | secretName: aws-load-balancer-webhook-tls 1041 | --- 1042 | apiVersion: cert-manager.io/v1 1043 | kind: Certificate 1044 | metadata: 1045 | labels: 1046 | app.kubernetes.io/name: aws-load-balancer-controller 1047 | name: aws-load-balancer-serving-cert 1048 | namespace: kube-system 1049 | spec: 1050 | dnsNames: 1051 | - aws-load-balancer-webhook-service.kube-system.svc 1052 | - aws-load-balancer-webhook-service.kube-system.svc.cluster.local 1053 | issuerRef: 1054 | kind: Issuer 1055 | name: aws-load-balancer-selfsigned-issuer 1056 | secretName: aws-load-balancer-webhook-tls 1057 | --- 1058 | apiVersion: cert-manager.io/v1 1059 | kind: Issuer 1060 | metadata: 1061 | labels: 1062 | app.kubernetes.io/name: aws-load-balancer-controller 1063 | name: aws-load-balancer-selfsigned-issuer 1064 | namespace: kube-system 1065 | spec: 1066 | selfSigned: {} 1067 | --- 1068 | apiVersion: admissionregistration.k8s.io/v1 1069 | kind: 
MutatingWebhookConfiguration 1070 | metadata: 1071 | annotations: 1072 | cert-manager.io/inject-ca-from: kube-system/aws-load-balancer-serving-cert 1073 | labels: 1074 | app.kubernetes.io/name: aws-load-balancer-controller 1075 | name: aws-load-balancer-webhook 1076 | webhooks: 1077 | - admissionReviewVersions: 1078 | - v1beta1 1079 | clientConfig: 1080 | service: 1081 | name: aws-load-balancer-webhook-service 1082 | namespace: kube-system 1083 | path: /mutate-v1-service 1084 | failurePolicy: Fail 1085 | name: mservice.elbv2.k8s.aws 1086 | objectSelector: 1087 | matchExpressions: 1088 | - key: app.kubernetes.io/name 1089 | operator: NotIn 1090 | values: 1091 | - aws-load-balancer-controller 1092 | rules: 1093 | - apiGroups: 1094 | - "" 1095 | apiVersions: 1096 | - v1 1097 | operations: 1098 | - CREATE 1099 | resources: 1100 | - services 1101 | sideEffects: None 1102 | - admissionReviewVersions: 1103 | - v1beta1 1104 | clientConfig: 1105 | service: 1106 | name: aws-load-balancer-webhook-service 1107 | namespace: kube-system 1108 | path: /mutate-v1-pod 1109 | failurePolicy: Ignore 1110 | name: mpod.elbv2.k8s.aws 1111 | namespaceSelector: 1112 | matchExpressions: 1113 | - key: elbv2.k8s.aws/pod-readiness-gate-inject 1114 | operator: In 1115 | values: 1116 | - enabled 1117 | objectSelector: 1118 | matchExpressions: 1119 | - key: app.kubernetes.io/name 1120 | operator: NotIn 1121 | values: 1122 | - aws-load-balancer-controller 1123 | rules: 1124 | - apiGroups: 1125 | - "" 1126 | apiVersions: 1127 | - v1 1128 | operations: 1129 | - CREATE 1130 | resources: 1131 | - pods 1132 | sideEffects: None 1133 | - admissionReviewVersions: 1134 | - v1beta1 1135 | clientConfig: 1136 | service: 1137 | name: aws-load-balancer-webhook-service 1138 | namespace: kube-system 1139 | path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding 1140 | failurePolicy: Fail 1141 | name: mtargetgroupbinding.elbv2.k8s.aws 1142 | rules: 1143 | - apiGroups: 1144 | - elbv2.k8s.aws 1145 | apiVersions: 1146 
| - v1beta1 1147 | operations: 1148 | - CREATE 1149 | - UPDATE 1150 | resources: 1151 | - targetgroupbindings 1152 | sideEffects: None 1153 | --- 1154 | apiVersion: admissionregistration.k8s.io/v1 1155 | kind: ValidatingWebhookConfiguration 1156 | metadata: 1157 | annotations: 1158 | cert-manager.io/inject-ca-from: kube-system/aws-load-balancer-serving-cert 1159 | labels: 1160 | app.kubernetes.io/name: aws-load-balancer-controller 1161 | name: aws-load-balancer-webhook 1162 | webhooks: 1163 | - admissionReviewVersions: 1164 | - v1beta1 1165 | clientConfig: 1166 | service: 1167 | name: aws-load-balancer-webhook-service 1168 | namespace: kube-system 1169 | path: /validate-elbv2-k8s-aws-v1beta1-ingressclassparams 1170 | failurePolicy: Fail 1171 | name: vingressclassparams.elbv2.k8s.aws 1172 | objectSelector: 1173 | matchExpressions: 1174 | - key: app.kubernetes.io/name 1175 | operator: NotIn 1176 | values: 1177 | - aws-load-balancer-controller 1178 | rules: 1179 | - apiGroups: 1180 | - elbv2.k8s.aws 1181 | apiVersions: 1182 | - v1beta1 1183 | operations: 1184 | - CREATE 1185 | - UPDATE 1186 | resources: 1187 | - ingressclassparams 1188 | sideEffects: None 1189 | - admissionReviewVersions: 1190 | - v1beta1 1191 | clientConfig: 1192 | service: 1193 | name: aws-load-balancer-webhook-service 1194 | namespace: kube-system 1195 | path: /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding 1196 | failurePolicy: Fail 1197 | name: vtargetgroupbinding.elbv2.k8s.aws 1198 | rules: 1199 | - apiGroups: 1200 | - elbv2.k8s.aws 1201 | apiVersions: 1202 | - v1beta1 1203 | operations: 1204 | - CREATE 1205 | - UPDATE 1206 | resources: 1207 | - targetgroupbindings 1208 | sideEffects: None 1209 | - admissionReviewVersions: 1210 | - v1beta1 1211 | clientConfig: 1212 | service: 1213 | name: aws-load-balancer-webhook-service 1214 | namespace: kube-system 1215 | path: /validate-networking-v1-ingress 1216 | failurePolicy: Fail 1217 | matchPolicy: Equivalent 1218 | name: vingress.elbv2.k8s.aws 1219 
| rules: 1220 | - apiGroups: 1221 | - networking.k8s.io 1222 | apiVersions: 1223 | - v1 1224 | operations: 1225 | - CREATE 1226 | - UPDATE 1227 | resources: 1228 | - ingresses 1229 | sideEffects: None 1230 | -------------------------------------------------------------------------------- /katalog/load-balancer-controller/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 2 | # Use of this source code is governed by a BSD-style 3 | # license that can be found in the LICENSE file. 4 | 5 | --- 6 | apiVersion: kustomize.config.k8s.io/v1beta1 7 | kind: Kustomization 8 | 9 | namespace: kube-system 10 | 11 | resources: 12 | - deploy.yaml 13 | 14 | images: 15 | - name: public.ecr.aws/eks/aws-load-balancer-controller # public.ecr.aws/eks/aws-load-balancer-controller:v2.4.7 16 | newName: registry.sighup.io/fury/amazon/aws-alb-ingress-controller 17 | newTag: v2.12.0 18 | -------------------------------------------------------------------------------- /katalog/node-termination-handler/MAINTENANCE.md: -------------------------------------------------------------------------------- 1 | # aws-node-termination-handler maintenance 2 | 3 | To maintain the aws-node-termination-handler package, you should follow these steps. 
4 | 5 | Build the new helm template with the following command: 6 | 7 | ```bash 8 | aws ecr-public get-login-password \ 9 | --region us-east-1 | helm registry login \ 10 | --username AWS \ 11 | --password-stdin public.ecr.aws 12 | 13 | helm template aws-node-termination-handler \ 14 | --namespace kube-system \ 15 | --set enableSpotInterruptionDraining="true" \ 16 | --set enableRebalanceMonitoring="true" \ 17 | --set enableScheduledEventDraining="false" \ 18 | --set enablePrometheusServer="true" \ 19 | --set podMonitor.create="true" \ 20 | oci://public.ecr.aws/aws-ec2/helm/aws-node-termination-handler > built.yaml 21 | ``` 22 | 23 | Compare the generated `built.yaml` with the `deploy.yaml` file and update `deploy.yaml` accordingly. 24 | 25 | What was changed: 26 | 27 | - Removed unnecessary Helm-generated labels from the manifests and replaced them with `app: aws-node-termination-handler` where applicable, to maintain compatibility with older aws-node-termination-handler package versions. 28 | - Changed the image in the manifest to `aws-node-termination-handler`, since the image is managed in the `kustomization.yaml` file. 29 | - Removed the PodSecurityPolicy from the generated manifest. 30 | -------------------------------------------------------------------------------- /katalog/node-termination-handler/README.md: -------------------------------------------------------------------------------- 1 | # AWS node termination handler 2 | 3 | 4 | 5 | This package ensures that the Kubernetes control plane responds appropriately to events that can cause your EC2 instance to become unavailable, such as EC2 maintenance events, EC2 Spot interruptions, ASG Scale-In, ASG AZ Rebalance, and EC2 Instance Termination via the API or Console. 6 | If not handled, your application code may not stop gracefully, take longer to recover full availability, or accidentally schedule work to nodes that are going down. 
7 | 8 | This package is deployed as an Instance Metadata Service Processor that monitors: 9 | 10 | - EC2 Metadata for Scheduled Maintenance Events 11 | - EC2 Metadata for Spot Instance Termination Notifications 12 | - EC2 Metadata for Rebalance Recommendation Notifications 13 | 14 | ## Requirements 15 | 16 | - Kubernetes >= `1.21.0` 17 | - Kustomize >= `v3.5.3` 18 | 19 | ## Image repository and tag 20 | 21 | - AWS node termination handler image: `registry.sighup.io/fury/aws-ec2/aws-node-termination-handler` 22 | - AWS node termination handler repo: [AWS node termination handler at Github][github] 23 | 24 | ## Deployment 25 | 26 | You can deploy the AWS node termination handler by running the following command: 27 | 28 | ```bash 29 | kustomize build | kubectl apply -f - 30 | ``` 31 | 32 | 33 | 34 | [github]: https://github.com/aws/aws-node-termination-handler 35 | 36 | 37 | 38 | ## License 39 | 40 | For license details please see [LICENSE](../../LICENSE) 41 | 42 | 43 | -------------------------------------------------------------------------------- /katalog/node-termination-handler/deploy.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 2 | # Use of this source code is governed by a BSD-style 3 | # license that can be found in the LICENSE file. 
4 | 5 | --- 6 | # Source: aws-node-termination-handler/templates/serviceaccount.yaml 7 | apiVersion: v1 8 | kind: ServiceAccount 9 | metadata: 10 | name: aws-node-termination-handler 11 | namespace: kube-system 12 | labels: 13 | app: aws-node-termination-handler 14 | --- 15 | # Source: aws-node-termination-handler/templates/clusterrole.yaml 16 | kind: ClusterRole 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | metadata: 19 | name: aws-node-termination-handler 20 | labels: 21 | app: aws-node-termination-handler 22 | rules: 23 | - apiGroups: 24 | - "" 25 | resources: 26 | - nodes 27 | verbs: 28 | - get 29 | - list 30 | - patch 31 | - update 32 | - apiGroups: 33 | - "" 34 | resources: 35 | - pods 36 | verbs: 37 | - list 38 | - get 39 | - apiGroups: 40 | - "" 41 | resources: 42 | - pods/eviction 43 | verbs: 44 | - create 45 | - apiGroups: 46 | - extensions 47 | resources: 48 | - daemonsets 49 | verbs: 50 | - get 51 | - apiGroups: 52 | - apps 53 | resources: 54 | - daemonsets 55 | verbs: 56 | - get 57 | --- 58 | # Source: aws-node-termination-handler/templates/clusterrolebinding.yaml 59 | kind: ClusterRoleBinding 60 | apiVersion: rbac.authorization.k8s.io/v1 61 | metadata: 62 | name: aws-node-termination-handler 63 | labels: 64 | app: aws-node-termination-handler 65 | roleRef: 66 | apiGroup: rbac.authorization.k8s.io 67 | kind: ClusterRole 68 | name: aws-node-termination-handler 69 | subjects: 70 | - kind: ServiceAccount 71 | name: aws-node-termination-handler 72 | namespace: kube-system 73 | --- 74 | # Source: aws-node-termination-handler/templates/daemonset.linux.yaml 75 | apiVersion: apps/v1 76 | kind: DaemonSet 77 | metadata: 78 | name: aws-node-termination-handler 79 | namespace: kube-system 80 | labels: 81 | app: aws-node-termination-handler 82 | spec: 83 | updateStrategy: 84 | rollingUpdate: 85 | maxUnavailable: 25% 86 | type: RollingUpdate 87 | selector: 88 | matchLabels: 89 | app: aws-node-termination-handler 90 | template: 91 | metadata: 92 | labels: 93 | 
app: aws-node-termination-handler 94 | spec: 95 | serviceAccountName: aws-node-termination-handler 96 | securityContext: 97 | fsGroup: 1000 98 | priorityClassName: system-node-critical 99 | hostNetwork: true 100 | dnsPolicy: ClusterFirstWithHostNet 101 | containers: 102 | - name: aws-node-termination-handler 103 | securityContext: 104 | allowPrivilegeEscalation: false 105 | readOnlyRootFilesystem: true 106 | runAsGroup: 1000 107 | runAsNonRoot: true 108 | runAsUser: 1000 109 | image: aws-node-termination-handler 110 | imagePullPolicy: IfNotPresent 111 | env: 112 | - name: NODE_NAME 113 | valueFrom: 114 | fieldRef: 115 | fieldPath: spec.nodeName 116 | - name: POD_NAME 117 | valueFrom: 118 | fieldRef: 119 | fieldPath: metadata.name 120 | - name: NAMESPACE 121 | valueFrom: 122 | fieldRef: 123 | fieldPath: metadata.namespace 124 | - name: ENABLE_PROBES_SERVER 125 | value: "false" 126 | - name: PROBES_SERVER_PORT 127 | value: "8080" 128 | - name: PROBES_SERVER_ENDPOINT 129 | value: "/healthz" 130 | - name: LOG_LEVEL 131 | value: "info" 132 | - name: JSON_LOGGING 133 | value: "false" 134 | - name: LOG_FORMAT_VERSION 135 | value: "1" 136 | - name: ENABLE_PROMETHEUS_SERVER 137 | value: "true" 138 | - name: PROMETHEUS_SERVER_PORT 139 | value: "9092" 140 | - name: METADATA_TRIES 141 | value: "3" 142 | - name: DRY_RUN 143 | value: "false" 144 | - name: CORDON_ONLY 145 | value: "false" 146 | - name: TAINT_NODE 147 | value: "false" 148 | - name: ENABLE_OUT_OF_SERVICE_TAINT 149 | value: "false" 150 | - name: EXCLUDE_FROM_LOAD_BALANCERS 151 | value: "false" 152 | - name: DELETE_LOCAL_DATA 153 | value: "true" 154 | - name: IGNORE_DAEMON_SETS 155 | value: "true" 156 | - name: POD_TERMINATION_GRACE_PERIOD 157 | value: "-1" 158 | - name: NODE_TERMINATION_GRACE_PERIOD 159 | value: "120" 160 | - name: EMIT_KUBERNETES_EVENTS 161 | value: "false" 162 | - name: ENABLE_SPOT_INTERRUPTION_DRAINING 163 | value: "true" 164 | - name: ENABLE_ASG_LIFECYCLE_DRAINING 165 | value: "true" 166 | - 
name: ENABLE_SCHEDULED_EVENT_DRAINING 167 | value: "false" 168 | - name: ENABLE_REBALANCE_MONITORING 169 | value: "true" 170 | - name: ENABLE_REBALANCE_DRAINING 171 | value: "false" 172 | - name: ENABLE_SQS_TERMINATION_DRAINING 173 | value: "false" 174 | - name: UPTIME_FROM_FILE 175 | value: "/proc/uptime" 176 | ports: 177 | - name: http-metrics 178 | protocol: TCP 179 | containerPort: 9092 180 | volumeMounts: 181 | - name: uptime 182 | mountPath: /proc/uptime 183 | readOnly: true 184 | volumes: 185 | - name: uptime 186 | hostPath: 187 | path: /proc/uptime 188 | nodeSelector: 189 | kubernetes.io/os: linux 190 | affinity: 191 | nodeAffinity: 192 | requiredDuringSchedulingIgnoredDuringExecution: 193 | nodeSelectorTerms: 194 | - matchExpressions: 195 | - key: eks.amazonaws.com/compute-type 196 | operator: NotIn 197 | values: 198 | - fargate 199 | tolerations: 200 | - operator: Exists 201 | --- 202 | # Source: aws-node-termination-handler/templates/podmonitor.yaml 203 | apiVersion: monitoring.coreos.com/v1 204 | kind: PodMonitor 205 | metadata: 206 | name: aws-node-termination-handler 207 | namespace: kube-system 208 | labels: 209 | app: aws-node-termination-handler 210 | spec: 211 | jobLabel: app.kubernetes.io/name 212 | namespaceSelector: 213 | matchNames: 214 | - kube-system 215 | podMetricsEndpoints: 216 | - port: http-metrics 217 | path: /metrics 218 | interval: 30s 219 | sampleLimit: 5000 220 | selector: 221 | matchLabels: 222 | app: aws-node-termination-handler 223 | -------------------------------------------------------------------------------- /katalog/node-termination-handler/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 2 | # Use of this source code is governed by a BSD-style 3 | # license that can be found in the LICENSE file. 
4 | 5 | --- 6 | apiVersion: kustomize.config.k8s.io/v1beta1 7 | kind: Kustomization 8 | 9 | namespace: kube-system 10 | 11 | resources: 12 | - deploy.yaml 13 | 14 | images: 15 | - name: aws-node-termination-handler 16 | newName: registry.sighup.io/fury/aws-ec2/aws-node-termination-handler 17 | newTag: v1.25.0 18 | -------------------------------------------------------------------------------- /modules/eks-addons/README.md: -------------------------------------------------------------------------------- 1 | # EKS addons module 2 | 3 | This terraform module provides an easy way to install addons on an existing EKS cluster. 4 | 5 | ## Requirements 6 | 7 | | Name | Version | 8 | | --------- | ----------- | 9 | | terraform | `>= 1.3` | 10 | | aws | `>= 2.13` | 11 | 12 | ## Providers 13 | 14 | | Name | Version | 15 | | ---- | -------- | 16 | | aws | `~> 4.76` | 17 | 18 | ## Inputs 19 | 20 | | Name | Description | Type | Default | Required | 21 | | -------------------- | --------------------------------------------------------------- | -------- | ----------------- | :------: | 22 | | cluster\_name | The EKS cluster name | `string` | n/a | yes | 23 | | ebs\_csi\_driver | An object list defining EBS CSI Driver addon configuration | `object` | `{enabled=false}` | no | 24 | | snapshot\_controller | An object list defining Snapshot Controller addon configuration | `object` | `{enabled=false}` | no | 25 | | coredns | An object list defining coredns addon configuration | `object` | `{enabled=false}` | no | 26 | | kube\_proxy | An object list defining kube-proxy addon configuration | `object` | `{enabled=false}` | no | 27 | | vpc\_cni | An object list defining VPC CNI addon configuration | `object` | `{enabled=false}` | no | 28 | 29 | Each object can be configured with the following parameters: 30 | 31 | | Name | Description | Type | Default | Required | 32 | | ------- | ------------------------------------------------------------------------------------------------------ | 
-------- | ----------- | -------- | 33 | | enabled | Whether to enable the addon. | `bool` | `false` | No | 34 | | version | The addon version. | `string` | latest | No | 35 | | resolve_conflicts | How to resolve conflicts when migrating from self-managed add-ons. Can be NONE or OVERWRITE. | `string` | `OVERWRITE` | No | 36 | | configuration_values | How to modify the default addon configuration. See [below](#advanced-configuration) for further details. | `string` | N/A | No | 37 | 38 | In addition, `ebs_csi_driver` and `vpc_cni` accept the following parameter: 39 | 40 | | Name | Description | Type | Default | Required | 41 | | ------------------------ | ------------------------------------------------------------------------------------------------------ | -------- | ----------- | -------- | 42 | | service_account_role_arn | The ARN of an existing IAM role to bind to the add-on's service account | `string` | n/a | No | 43 | 44 | ## Usage 45 | 46 | ```hcl 47 | module "addons" { 48 | source = "../vendor/modules/aws/eks-addons" 49 | cluster_name = "myekscluster" 50 | ebs_csi_driver = { 51 | enabled = true 52 | version = "v1.19.0-eksbuild.2" 53 | } 54 | snapshot_controller = { 55 | enabled = true 56 | version = "v8.2.0-eksbuild.1" 57 | configuration_values = file("snapshot-controller.json") 58 | } 59 | coredns = { 60 | enabled = true 61 | resolve_conflicts = "NONE" 62 | } 63 | kube_proxy = { 64 | enabled = true 65 | } 66 | vpc_cni = { 67 | enabled = true 68 | configuration_values = file("coredns.json") 69 | } 70 | } 71 | 72 | ``` 73 | 74 | ## Check the correct version 75 | 76 | To find the correct addon version for your EKS version, use the following command: 77 | 78 | ```bash 79 | aws eks describe-addon-versions \ 80 | --kubernetes-version \ 81 | --addon-name 82 | 83 | # Example - list all the available versions 84 | 85 | aws eks describe-addon-versions \ 86 | --kubernetes-version 1.25 \ 87 | --addon-name kube-proxy 88 | 89 | # Example - get the 
default version 90 | aws eks describe-addon-versions \ 91 | --kubernetes-version 1.25 \ 92 | --addon-name kube-proxy \ 93 | | jq -r '.addons[].addonVersions[] | select(.compatibilities[0].defaultVersion) | .addonVersion' 94 | ``` 95 | 96 | ## Advanced configuration 97 | 98 | EKS addons can be configured to behave differently from the default. 99 | 100 | Custom configurations include: 101 | 102 | - Tolerations 103 | - Node selectors 104 | - Environment variables 105 | - Limits and requests 106 | 107 | To specify your needed configuration do the following: 108 | 109 | 1. Retrieve the correct json schema for your target addon and version 110 | 111 | Use this command: 112 | 113 | ```bash 114 | aws eks describe-addon-configuration \ 115 | --addon-name \ 116 | --addon-version | jq -r '.configurationSchema' > addon-config.json 117 | 118 | # Example 119 | 120 | aws eks describe-addon-configuration \ 121 | --addon-name kube-proxy \ 122 | --addon-version v1.25.6-eksbuild.1 | jq -r '.configurationSchema' > kube-proxy-config.json 123 | 124 | ``` 125 | 126 | 2. Create your custom configuration files. 127 | 128 | See the [blog](https://aws.amazon.com/blogs/containers/amazon-eks-add-ons-advanced-configuration/) for further details. 129 | See also the [example](../../examples/eks-addons/README.md) for some references. 130 | 131 | You can also validate your json against the schema from the step 1: 132 | 133 | ```bash 134 | jsonschema -i my-custom-config.json addon-config.json 135 | ``` 136 | -------------------------------------------------------------------------------- /modules/eks-addons/coredns.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 3 | * Use of this source code is governed by a BSD-style 4 | * license that can be found in the LICENSE file. 
5 | */ 6 | 7 | resource "aws_eks_addon" "coredns" { 8 | cluster_name = var.cluster_name 9 | addon_name = "coredns" 10 | addon_version = data.aws_eks_addon_version.latest_coredns.version 11 | resolve_conflicts = var.coredns.resolve_conflicts 12 | tags = var.tags 13 | count = var.coredns.enabled ? 1 : 0 14 | configuration_values = var.coredns.configuration_values != null ? var.coredns.configuration_values : < ⚠️ **Warning**: this module uses ["IAM Roles for ServiceAccount"](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to inject AWS credentials inside cluster autoscaler pods 6 | 7 | ## Requirements 8 | 9 | | Name | Version | 10 | | --------- | ----------- | 11 | | terraform | `>= 1.3` | 12 | | aws | `~> 3.76` | 13 | 14 | ## Providers 15 | 16 | | Name | Version | 17 | | ---- | -------- | 18 | | aws | `~> 3.76` | 19 | 20 | ## Inputs 21 | 22 | | Name | Description | Type | Default | Required | 23 | | -------------------- | ------------------------------------- | ------------- | ------- | :------: | 24 | | cluster_name | The EKS cluster name | `string` | n/a | yes | 25 | | region | The region where the cluster is | `string` | n/a | yes | 26 | 27 | ## Outputs 28 | 29 | | Name | Description | 30 | | ---------------------------------- | --------------------------------------- | 31 | | cluster\_autoscaler\_patches | Cluster autoscaler SA Kustomize patch | 32 | | cluster\_autoscaler\_iam\_role\_arn | Cluster autoscaler IAM role arn | 33 | 34 | ## Usage 35 | 36 | ```hcl 37 | module "cluster_autoscaler_iam_role" { 38 | source = "../vendor/modules/aws/iam-for-cluster-autoscaler" 39 | cluster_name = "myekscluster" 40 | region = "eu-west-1" 41 | } 42 | ``` 43 | -------------------------------------------------------------------------------- /modules/iam-for-cluster-autoscaler/iam.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 
3 | * Use of this source code is governed by a BSD-style 4 | * license that can be found in the LICENSE file. 5 | */ 6 | 7 | data "aws_eks_cluster" "this" { 8 | name = var.cluster_name 9 | } 10 | 11 | data "aws_iam_policy_document" "cluster_autoscaler" { 12 | statement { 13 | effect = "Allow" 14 | 15 | actions = [ 16 | "autoscaling:DescribeAutoScalingGroups", 17 | "autoscaling:DescribeAutoScalingInstances", 18 | "autoscaling:DescribeLaunchConfigurations", 19 | "autoscaling:DescribeTags", 20 | "ec2:DescribeLaunchTemplateVersions", 21 | "ec2:DescribeInstanceTypes", 22 | "ec2:DescribeImages", 23 | "ec2:GetInstanceTypesFromInstanceRequirements", 24 | "eks:DescribeNodegroup" 25 | ] 26 | 27 | resources = [ 28 | "*", 29 | ] 30 | } 31 | 32 | statement { 33 | effect = "Allow" 34 | 35 | actions = [ 36 | "autoscaling:SetDesiredCapacity", 37 | "autoscaling:TerminateInstanceInAutoScalingGroup", 38 | ] 39 | 40 | resources = [ 41 | "*", 42 | ] 43 | 44 | condition { 45 | test = "StringEquals" 46 | variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${var.cluster_name}" 47 | values = [ 48 | "owned", 49 | ] 50 | } 51 | 52 | condition { 53 | test = "StringEquals" 54 | variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled" 55 | values = [ 56 | "true", 57 | ] 58 | } 59 | } 60 | } 61 | 62 | resource "aws_iam_policy" "cluster_autoscaler" { 63 | name = "${var.cluster_name}-cluster-autoscaler" 64 | description = "EKS cluster-autoscaler IAM policy for cluster ${var.cluster_name}" 65 | policy = data.aws_iam_policy_document.cluster_autoscaler.json 66 | } 67 | 68 | module "cluster_autoscaler_iam_assumable_role" { 69 | source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" 70 | version = "v3.16.0" 71 | create_role = true 72 | role_name = coalesce(var.autoscaler_iam_role_name_override, "${var.cluster_name}-cluster-autoscaler") 73 | provider_url = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "") 74 | role_policy_arns = 
[aws_iam_policy.cluster_autoscaler.arn] 75 | oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:cluster-autoscaler"] 76 | } 77 | -------------------------------------------------------------------------------- /modules/iam-for-cluster-autoscaler/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 3 | * Use of this source code is governed by a BSD-style 4 | * license that can be found in the LICENSE file. 5 | */ 6 | 7 | output "cluster_autoscaler_patches" { 8 | description = "cluster-autoscaler Kubernetes resources patches" 9 | value = < ⚠️ **Warning**: this module uses ["IAM Roles for ServiceAccount"](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to inject AWS credentials inside cluster autoscaler pods 6 | 7 | ## Requirements 8 | 9 | | Name | Version | 10 | | --------- | ----------- | 11 | | terraform | `>= 1.3` | 12 | | aws | `~> 3.76` | 13 | 14 | ## Providers 15 | 16 | | Name | Version | 17 | | ---- | -------- | 18 | | aws | `~> 3.76` | 19 | 20 | ## Inputs 21 | 22 | | Name | Description | Type | Default | Required | 23 | | -------------------- | ------------------------------------- | ------------- | ------- | :------: | 24 | | cluster_name | The EKS cluster name | `string` | n/a | yes | 25 | 26 | ## Outputs 27 | 28 | | Name | Description | 29 | | ---------------------------------- | --------------------------------------- | 30 | | ebs\_csi\_driver\_iam\_role\_arn | EBS CSI driver IAM role arn | 31 | 32 | 33 | ## Usage 34 | 35 | ```hcl 36 | module "ebs_csi_driver_iam_role" { 37 | source = "../vendor/modules/aws/iam-for-ebs-csi-driver" 38 | cluster_name = "myekscluster" 39 | } 40 | ``` 41 | -------------------------------------------------------------------------------- /modules/iam-for-ebs-csi-driver/iam.tf: -------------------------------------------------------------------------------- 1 | 
/** 2 | * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. 3 | * Use of this source code is governed by a BSD-style 4 | * license that can be found in the LICENSE file. 5 | */ 6 | 7 | data "aws_eks_cluster" "this" { 8 | name = var.cluster_name 9 | } 10 | 11 | resource "aws_iam_policy" "aws_ebs_csi_driver" { 12 | name = "${var.cluster_name}-aws-ebs-csi-driver" 13 | description = "EKS EBS CSI driver IAM policy for cluster ${var.cluster_name}" 14 | policy = < ⚠️ **Warning**: this module uses ["IAM Roles for ServiceAccount"](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to inject AWS credentials inside cluster autoscaler pods 6 | 7 | ## Requirements 8 | 9 | | Name | Version | 10 | | --------- | ----------- | 11 | | terraform | `>= 1.3` | 12 | | aws | `~> 3.76` | 13 | 14 | ## Providers 15 | 16 | | Name | Version | 17 | | ---- | -------- | 18 | | aws | `~> 3.76` | 19 | 20 | ## Inputs 21 | 22 | | Name | Description | Type | Default | Required | 23 | | -------------------- | ------------------------------------- | ------------- | ------- | :------: | 24 | | cluster_name | The EKS cluster name | `string` | n/a | yes | 25 | 26 | ## Outputs 27 | 28 | | Name | Description | 29 | | -------------------------------------------- | -------------------------------------------- | 30 | | load\_balancer\_controller\_patches | Load Balancer controller SA Kustomize patch | 31 | | load\_balancer\_controller\_iam\_role\_arn | Load Balancer controller IAM role arn | 32 | 33 | 34 | ## Usage 35 | 36 | ```hcl 37 | module "load_balancer_controller_iam_role" { 38 | source = "../vendor/modules/aws/iam-for-load-balancer-controller" 39 | cluster_name = "myekscluster" 40 | } 41 | ``` 42 | -------------------------------------------------------------------------------- /modules/iam-for-load-balancer-controller/iam.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright (c) 2017-present SIGHUP 
s.r.l All rights reserved. 3 | * Use of this source code is governed by a BSD-style 4 | * license that can be found in the LICENSE file. 5 | */ 6 | 7 | data "aws_eks_cluster" "this" { 8 | name = var.cluster_name 9 | } 10 | 11 | resource "aws_iam_policy" "aws_alb_controller" { 12 | name = "${var.cluster_name}-aws-alb-controller" 13 | description = "EKS AWS load balancer controller IAM policy for cluster ${var.cluster_name}" 14 | policy = <