-
Notifications
You must be signed in to change notification settings - Fork 0
/
2_configure_cluster.yml
99 lines (85 loc) · 3.41 KB
/
2_configure_cluster.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
---
#
# This playbook configures a clean cluster with an AWS ALB. It requires the passing of -e "env=COLOR" to properly set the right values. See vars/ for more details.
#
- hosts: localhost
gather_facts: false
vars:
ansible_pyton_interpreter: "{{ ansible_playbook_python }}"
kube_config: "~/.kube/config"
k8s_resource_dir: "../k8s_resources"
# Create -> "present" or delete "absent" deployment.
state: "present"
vars_files:
- "vars/{{ env }}.yml"
pre_tasks:
- name: Display Ansible Playbook Python Path.
debug:
msg: "Python Interperter at: {{ ansible_playbook_python }}"
- name: Get Current Cluster's Context.
shell: |
set -o pipefail && \
kubectl config get-contexts | cut -d\ -f2- | grep {{ cluster_name }} | awk '{print $1}'
register: context_result
changed_when: false
- name: Set Cluster Context Fact.
set_fact:
context: "{{ context_result.stdout }}"
- name: Print Context
debug:
msg: "Working on -> {{ context }}"
tasks:
- name: Install Associate-IAM-OIDC-Provider.
shell: |
eksctl utils associate-iam-oidc-provider \
--region "{{ aws_region }}" \
--cluster {{ cluster_name }} \
--approve
register: oidc_result
- name: Apply RBAC service account for ALB to cluster.
k8s:
apply: yes
kubeconfig: "{{ kube_config }}"
context: "{{ context }}"
state: "{{ state }}"
src: "{{ k8s_resource_dir }}/kube-system/rbac-role.yaml"
- name: Check/Create IAM Policy EKS-{{ cluster_name }}-ALBIngressControllerIAMPolicy.
iam_managed_policy:
policy_name: EKS-{{ cluster_name }}-ALBIngressControllerIAMPolicy
policy_description: "ALB Load Balancer Policy"
policy: "{{ lookup('file', '{{ k8s_resource_dir }}/iam_policies/alb_iam_policy.json') }}"
state: present
register: alb_iam_policy_result
- name: Capture ARN of EKS-{{ cluster_name }}-ALBIngressControllerIAMPolicy.
set_fact:
POLICY_ARN: "{{ alb_iam_policy_result.policy.arn }}"
- name: Display ARN of EKS-{{ cluster_name }}-ALBIngressControllerIAMPolicy.
debug:
var: POLICY_ARN
- name: Deploy ALB Ingress Controller with ENV substitution ($DEPLOY_COLOR={{ env }}).
shell: |
set -o pipefail && \
export EKS_CLUSTER_NAME={{ cluster_name }}
kubectl config use-context {{ context }}
cat {{ k8s_resource_dir }}/kube-system/alb-ingress-controller.yaml | envsubst | kubectl apply -f -
sleep 5
kubectl describe deploy alb-ingress-controller -n kube-system
register: alb_deployment_creation_result
- name: Display ALB Ingress Creation Output.
debug:
var: alb_deployment_creation_result.stdout_lines
# Create an IAM role for the ALB Ingress Controller and
# attach the role to the service account created in the previous step.
- name: Create IAM service account and attach it to ALB.
shell: |
kubectl config use-context {{ context }}
eksctl create iamserviceaccount \
--name alb-ingress-controller \
--namespace kube-system \
--cluster {{ cluster_name }} \
--region {{ aws_region }} \
--attach-policy-arn {{ POLICY_ARN }} \
--approve \
--override-existing-serviceaccounts
register: iam_service_account_result
ignore_errors: true