This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
------------------------------------------------------------ | |
-- Script Postgre | |
------------------------------------------------------------ | |
------------------------------------------------------------ | |
-- Table: personality | |
------------------------------------------------------------ | |
CREATE TABLE public.personality( |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yum update -y | |
yum upgrade -y | |
yum install git wget curl zsh jq htop python3 gcc python3-devel -y | |
amazon-linux-extras install docker epel nginx1 -y | |
systemctl enable nginx --now | |
systemctl enable docker --now | |
usermod -aG docker ec2-user | |
wget https://nodejs.org/dist/v14.15.4/node-v14.15.4-linux-arm64.tar.xz -O /tmp/nodejs.tar.xz |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### | |
# Variables | |
### | |
variable "vpc_id" { | |
type = string | |
description = "ID of the VPC in which is located the db" | |
} | |
variable "subnet_ids" { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sudo yum update -y | |
# Configure iptables to see bridged traffic | |
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf | |
br_netfilter | |
EOF | |
sudo modprobe overlay | |
sudo modprobe br_netfilter |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Create the trust policy for the role associated to the app | |
data "aws_iam_policy_document" "my_pod_role_trusted_identities" { | |
statement { | |
# Allow through AssumeRoleWithWebIdentity | |
actions = ["sts:AssumeRoleWithWebIdentity"] | |
effect = "Allow" | |
# Only if the requester is authenticated with the service-account "my-serviceaccount" in the namespace "default" | |
condition { | |
test = "StringEquals" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Get EKS cluster certificate thumbprint | |
data "tls_certificate" "eks_cluster" { | |
url = aws_eks_cluster.main.identity[0].oidc[0].issuer | |
} | |
# Create the OIDC provider | |
resource "aws_iam_openid_connect_provider" "eks_cluster" { | |
client_id_list = ["sts.amazonaws.com"] | |
thumbprint_list = [data.tls_certificate.eks_cluster.certificates[0].sha1_fingerprint] | |
url = aws_eks_cluster.main.identity[0].oidc[0].issuer |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: v1 | |
kind: ServiceAccount | |
metadata: | |
annotations: | |
eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT_ID:role/my-pod-role" | |
name: my-serviceaccount | |
namespace: default |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: v1 | |
kind: Pod | |
metadata: | |
name: my-pod | |
labels: | |
app: my-pod | |
spec: | |
serviceAccountName: my-serviceaccount | |
containers: | |
- image: ghcr.io/samuelbagattin/eks-irsa-example:master |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: admissionregistration.k8s.io/v1 | |
kind: MutatingWebhookConfiguration | |
metadata: | |
name: pod-identity-webhook | |
webhooks: | |
- admissionReviewVersions: | |
- v1beta1 | |
clientConfig: | |
caBundle: REDACTED | |
url: https://127.0.0.1:23443/mutate |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Session creation | |
sess := session.Must(session.NewSession()) | |
// Create a new STS client to get temporary credentials | |
initStsClient := sts.New(sess) | |
// Get the SA token | |
awsWebIdentityTokenFile := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE") | |
awsWebIdentityToken, err := ioutil.ReadFile(awsWebIdentityTokenFile) |
OlderNewer