import * as pulumi from '@pulumi/pulumi';
import * as eks from '@pulumi/eks';
import * as aws from '@pulumi/aws';
import * as awsx from '@pulumi/awsx';
import { vpc, sg } from './vpc';
// Stack configuration; `k8sinstancetype` picks the worker-node instance size.
const config = new pulumi.Config();
// `Config.require` is generic over its string type, so the annotation only narrows the
// configured value to the aws.ec2.InstanceType union at compile time; the runtime value
// is whatever the stack config holds. Pass `allowedValues` in the require options if a
// runtime whitelist is wanted.
const instanceType: aws.ec2.InstanceType = config.require('k8sinstancetype');

// Control-plane and default node-group settings for the cluster.
const clusterArgs: eks.ClusterOptions = {
  version: '1.16',
  vpcId: vpc.id,
  // NOTE(review): both subnet sets are handed to the cluster; whether worker nodes end
  // up only in the private subnets depends on the eks provider's placement rules —
  // confirm before relying on it.
  privateSubnetIds: vpc.privateSubnetIds,
  publicSubnetIds: vpc.publicSubnetIds,
  clusterSecurityGroup: sg.securityGroup,
  instanceType,
  // Autoscaling bounds of the default node group.
  desiredCapacity: 3,
  minSize: 1,
  maxSize: 4,
  // Required for IAM Roles for Service Accounts; roles.ts reads cluster.core.oidcProvider.
  createOidcProvider: true,
  // NOTE(review): no endpointPublicAccess / publicAccessCidrs are set, so the EKS API
  // endpoint keeps the provider defaults — confirm that exposure is intended.
};

// EKS control-plane operations are slow; give every lifecycle phase a generous timeout.
const clusterOpts: pulumi.ComponentResourceOptions = {
  dependsOn: vpc,
  customTimeouts: {
    create: '20m',
    update: '20m',
    delete: '20m',
  },
};

export const cluster = new eks.Cluster('k8s-pulumi', clusterArgs, clusterOpts);
import * as k8s from '@pulumi/kubernetes';
import { cluster } from './cluster';
import { updateRoute53Role } from './roles';
// Chart values for external-dns. The service account is IRSA-bound to updateRoute53Role
// through the eks.amazonaws.com/role-arn annotation; the role's trust policy (roles.ts)
// only admits `system:serviceaccount:default:<role name>`, so this chart must stay in the
// `default` namespace (none is set here) and the account name must equal the role name.
const externalDnsValues = {
  // Owner id written into the TXT registry records this instance manages.
  txtOwnerId: 'safira-external-dns-pulumi',
  // Only records under this zone are touched.
  domainFilters: ['aws2.safiraqa.com'],
  aws: {
    zoneType: 'public',
    // NOTE(review): the pod already receives this role via IRSA; an explicit
    // assumeRoleArn appears to make external-dns assume the same role again, which the
    // trust policy in roles.ts does not allow (it trusts only the OIDC provider).
    // Confirm which of the two paths is intended and drop the other.
    assumeRoleArn: updateRoute53Role.arn,
  },
  // Presumably so the projected web-identity token is readable by the non-root process.
  podSecurityContext: {
    fsGroup: 65534,
  },
  serviceAccount: {
    name: updateRoute53Role.name,
    // create: false,
    annotations: {
      'eks.amazonaws.com/role-arn': updateRoute53Role.arn,
    },
  },
};

export const externalDnsChart = new k8s.helm.v2.Chart(
  'external-dns',
  {
    chart: 'external-dns',
    // Pinned chart version; bump deliberately.
    version: '3.1.0',
    values: externalDnsValues,
    fetchOpts: {
      repo: 'https://charts.bitnami.com/bitnami',
    },
  },
  {
    dependsOn: [cluster, updateRoute53Role],
    provider: cluster.provider,
  },
);
import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';
import { cluster } from './cluster';
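// Identity of the AWS credentials Pulumi runs with; the account id is exported for reuse.
const current = pulumi.output(aws.getCallerIdentity({ async: true }));
export const accountId = current.accountId;

// The cluster's IAM OIDC provider, present because cluster.ts sets
// `createOidcProvider: true`. Guard explicitly instead of `!`-asserting so a cluster
// built without the provider fails with a clear message rather than a TypeError.
const clusterOidcProvider = cluster.core.oidcProvider;
if (clusterOidcProvider === undefined) {
  throw new Error(
    'cluster.core.oidcProvider is undefined; the EKS cluster must be created with createOidcProvider: true',
  );
}
export const oidcProvider = clusterOidcProvider;

// Shared by the IAM role and the Kubernetes service account allowed to assume it.
const name = 'update-route53-test';

// IAM OIDC condition keys are written as `<issuer host/path>:sub`, without the URL
// scheme (e.g. `oidc.eks.<region>.amazonaws.com/id/<ID>:sub`). The provider's `url`
// output normally carries `https://`, which would make the StringEquals condition below
// never match; strip the scheme if it is present (no-op otherwise).
const oidcIssuer = oidcProvider.url.apply((url) => url.replace(/^https:\/\//, ''));

// Trust policy: only the pod identity of service account `default/<name>` on this cluster
// may assume the role (IAM Roles for Service Accounts). Built with JSON.stringify rather
// than string interpolation so the document is always well-formed JSON.
const assumeRolePolicy = pulumi
  .all([oidcProvider.arn, oidcIssuer])
  .apply(([providerArn, issuer]) =>
    JSON.stringify({
      Version: '2012-10-17',
      Statement: [
        {
          Effect: 'Allow',
          Principal: { Federated: providerArn },
          Action: 'sts:AssumeRoleWithWebIdentity',
          Condition: {
            StringEquals: {
              [`${issuer}:sub`]: `system:serviceaccount:default:${name}`,
              // Hardening to consider: also pin the audience with
              // [`${issuer}:aud`]: 'sts.amazonaws.com', once checked against the
              // client ids configured on the OIDC provider.
            },
          },
        },
      ],
    }),
  );

export const updateRoute53Role = new aws.iam.Role(
  name,
  {
    name,
    assumeRolePolicy,
    tags: {
      clusterAccess: `${name}-usr`,
    },
  },
  {
    dependsOn: cluster,
  },
);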
// Permissions external-dns needs to manage Route 53 records.
// NOTE(review): ChangeResourceRecordSets is granted on every hosted zone in the account.
// Once the zone id for aws2.safiraqa.com is known, narrow that Resource to the zone's ARN
// so a compromised external-dns pod cannot rewrite records in other zones.
const externalDnsPolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['route53:ChangeResourceRecordSets'],
      Resource: ['arn:aws:route53:::hostedzone/*'],
    },
    {
      // Read-only listing; ListHostedZones is not resource-scoped, hence '*'.
      Effect: 'Allow',
      Action: ['route53:ListHostedZones', 'route53:ListResourceRecordSets'],
      Resource: ['*'],
    },
  ],
};

export const policy = new aws.iam.Policy('AllowExternalDNSUpdates', {
  description: 'This policy allows external-dns to update route53',
  path: '/',
  policy: JSON.stringify(externalDnsPolicyDocument),
});
// Both resources below attach the same policy to the same role.
// NOTE(review): aws.iam.PolicyAttachment is exclusive — it makes the listed roles the
// only entities attached to `policy` and detaches anything attached elsewhere — and it
// duplicates the RolePolicyAttachment for this role/policy pair. Keeping only the
// non-exclusive RolePolicyAttachment is the safer choice.
const attachmentArgs = {
  policyArn: policy.arn,
};

const rolePolicyAttachment = new aws.iam.RolePolicyAttachment('update-route53', {
  role: updateRoute53Role,
  ...attachmentArgs,
});

const policyAttachment = new aws.iam.PolicyAttachment('update-route53', {
  roles: [updateRoute53Role],
  ...attachmentArgs,
});