import * as aws from "@pulumi/aws";
import * as k8s from "@pulumi/kubernetes";
import * as pulumi from "@pulumi/pulumi";
/**
 * Inputs for {@link SetupDNSController}: the hosted zone and IAM access key
 * produced by {@link SetupRoute53Zone}, the Kubernetes namespace external-dns
 * is deployed into, and the domain it is allowed to manage.
 */
export type SetupRoute53ZoneArgs = {
  /** Hosted zone external-dns manages (not read by SetupDNSController in this file). */
  zone: aws.route53.Zone;
  /** Access key of the IAM user allowed to change records; written into a k8s Secret. */
  zoneUserKey: aws.iam.AccessKey;
  /** Namespace that receives both the credential Secret and the external-dns chart. */
  namespace: string;
  /** Domain handed to external-dns as its `domainFilters` entry. */
  domain: string;
};
/**
 * Deploys external-dns into `args.namespace` with the Route53 credentials from
 * `args.zoneUserKey`.
 *
 * The access key is written to a Kubernetes Secret and handed to the
 * external-dns pod through `secretKeyRef` env vars, so the key material is
 * referenced by name rather than inlined into the Helm values. Record changes
 * are limited to `args.domain` via `domainFilters`.
 *
 * NOTE(review): `logLevel` is `debug` here; presumably a bring-up setting —
 * confirm before relying on this in production.
 *
 * @param prefix - Name prefix for the Secret and the Chart.
 * @param args - Zone, IAM access key, target namespace and domain filter.
 * @param opts - Resource options applied to both resources.
 * @returns The created Secret and Helm Chart.
 */
export const SetupDNSController = (
  prefix: string,
  args: SetupRoute53ZoneArgs,
  opts?: pulumi.ComponentResourceOptions
) => {
  const secretName = `${prefix}-secret`;

  const dnsSecret = new k8s.core.v1.Secret(
    secretName,
    {
      metadata: { name: secretName, namespace: args.namespace },
      stringData: {
        AWS_ACCESS_KEY_ID: args.zoneUserKey.id,
        AWS_SECRET_ACCESS_KEY: args.zoneUserKey.secret,
      },
    },
    opts
  );

  // Env entry that pulls `key` out of dnsSecret instead of inlining the value.
  const fromSecret = (key: "AWS_ACCESS_KEY_ID" | "AWS_SECRET_ACCESS_KEY") => ({
    name: key,
    valueFrom: { secretKeyRef: { name: dnsSecret.metadata.name, key } },
  });

  const externalDnsValues = {
    provider: "aws",
    sources: ["ingress", "service"],
    logLevel: "debug",
    domainFilters: [args.domain],
    env: [fromSecret("AWS_ACCESS_KEY_ID"), fromSecret("AWS_SECRET_ACCESS_KEY")],
  };

  const dnsController = new k8s.helm.v3.Chart(
    `${prefix}-dns-controller`,
    {
      fetchOpts: { repo: "https://kubernetes-sigs.github.io/external-dns/" },
      chart: "external-dns",
      namespace: args.namespace,
      values: externalDnsValues,
    },
    opts
  );

  return { dnsSecret, dnsController };
};
/**
 * Creates the Route53 hosted zone for `domain` plus a dedicated IAM user,
 * access key and inline policy that external-dns uses to manage its records.
 *
 * The policy is scoped to what this use needs: write access
 * (`route53:ChangeResourceRecordSets`) is limited to the zone created here,
 * and only the two list actions are granted on `*`.
 *
 * NOTE(review): this hands out a long-lived IAM user access key; the returned
 * `zoneUserKey.secret` is presumably a secret output of the provider — verify,
 * and keep it out of plain-text stack exports and logs.
 *
 * @param prefix - Name prefix for every resource created here.
 * @param domain - DNS name of the hosted zone.
 * @param opts - Resource options applied to each resource.
 * @returns The zone, IAM user, access key and user policy.
 */
export const SetupRoute53Zone = (
  prefix: string,
  domain: string,
  opts?: pulumi.CustomResourceOptions
) => {
  const zone = new aws.route53.Zone(`${prefix}-zone`, { name: domain }, opts);

  const zoneUser = new aws.iam.User(`${prefix}-zone-user`, {}, opts);
  const zoneUserKey = new aws.iam.AccessKey(
    `${prefix}-zone-key`,
    { user: zoneUser.name },
    opts
  );

  // Record writes are confined to this one hosted zone.
  const zoneArn = pulumi.interpolate`arn:aws:route53:::hostedzone/${zone.zoneId}`;
  // The list calls are not resource-scoped in Route53, hence "*" below.
  const listActions = [
    "route53:ListHostedZones",
    "route53:ListResourceRecordSets",
  ];

  const zonePolicy = new aws.iam.UserPolicy(
    `${prefix}-zone-policy`,
    {
      user: zoneUser.name,
      policy: {
        Version: "2012-10-17",
        Statement: [
          {
            Effect: "Allow",
            Action: ["route53:ChangeResourceRecordSets"],
            Resource: [zoneArn],
          },
          { Effect: "Allow", Action: listActions, Resource: ["*"] },
        ],
      },
    },
    opts
  );

  return { zone, zoneUser, zoneUserKey, zonePolicy };
};