Information related to this gist is available on my personal page.
Last active
September 18, 2022 02:44
Nomad CSI on AWS
# Nomad job that runs the AWS EBS CSI driver in "controller" mode and
# registers it with Nomad as CSI plugin "aws-ebs0".
#
# NOTE(review): no credentials are configured in this job. Presumably the
# driver picks up AWS credentials from the EC2 instance profile of whichever
# client it is scheduled on; confirm, and keep that role's policy as narrow
# as the plugin allows.
job "plugin-aws-csi-controller" {
  datacenters = ["dc1"]

  group "controller" {
    task "plugin" {
      driver = "docker"

      config {
        # NOTE(review): the image is referenced by tag only. Tags are mutable;
        # pinning by digest (amazon/aws-ebs-csi-driver@sha256:<digest>) makes
        # the deployed plugin reproducible and tamper-evident.
        image = "amazon/aws-ebs-csi-driver:v0.10.1"

        args = [
          "controller",
          # Socket path sits under the csi_plugin mount_dir ("/csi") below.
          "--endpoint=unix://csi/csi.sock",
          "--logtostderr",
          # NOTE(review): verbosity 5 is a debug-level setting; check what the
          # driver logs at this level before shipping logs off-host.
          "--v=5",
        ]

        # This task does not set `privileged`; the container runs with the
        # Docker driver's default privileges.
      }

      csi_plugin {
        id        = "aws-ebs0"
        type      = "controller"
        mount_dir = "/csi"
      }

      resources {
        cpu    = 500
        memory = 256
      }
    }
  }
}
# AWS provider; every resource in this file is created in us-east-1.
provider "aws" {
  region = "us-east-1"
}
# Instance profile that carries the demoCSI role onto EC2 instances.
#
# NOTE(review): credentials from an instance profile are served by the
# instance metadata service, so any workload on the host that can reach it
# can use this role, not just the CSI plugin. Consider requiring IMDSv2 with
# a hop limit of 1 and/or blocking metadata access from other tasks.
resource "aws_iam_instance_profile" "demoCSI" {
  name = "demoCSI_profile"
  role = aws_iam_role.demoCSI.name
}
# IAM role assumed by EC2 instances. The trust policy below names only the
# EC2 service principal, so no user or other service can assume it directly.
resource "aws_iam_role" "demoCSI" {
  name        = "demoCSI"
  path        = "/"
  description = "Allows EC2 instances to call AWS services on your behalf."

  # Trust (assume-role) policy, rendered to JSON by jsonencode.
  assume_role_policy = jsonencode(
    {
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = "sts:AssumeRole"
          Principal = {
            Service = "ec2.amazonaws.com"
          }
        },
      ]
    }
  )
}
# Inline policy on the demoCSI role; the document itself is built by the
# aws_iam_policy_document data source "mount_ebs_volumes".
resource "aws_iam_role_policy" "mount_ebs_volumes" {
  name   = "mount-ebs-volumes"
  role   = aws_iam_role.demoCSI.id
  policy = data.aws_iam_policy_document.mount_ebs_volumes.json
}
# Permissions granted to the demoCSI role: describe EC2 instances, tags and
# volumes, attach/detach EBS volumes, and use KMS keys.
data "aws_iam_policy_document" "mount_ebs_volumes" {
  statement {
    effect = "Allow"

    actions = [
      "ec2:DescribeInstances",
      "ec2:DescribeTags",
      "ec2:DescribeVolumes",
      "ec2:AttachVolume",
      "ec2:DetachVolume",
    ]

    # The EC2 Describe* actions do not support resource-level permissions, so
    # "*" is required for them.
    # NOTE(review): AttachVolume/DetachVolume do support them. As written the
    # role may attach or detach any volume on any instance in the account;
    # consider a separate statement scoped to the volume and instance ARNs,
    # or a tag-based condition.
    resources = ["*"]
  }

  statement {
    effect = "Allow"

    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:DescribeKey",
    ]

    # NOTE(review): "*" covers every KMS key whose key policy defers to IAM,
    # not only a key used for EBS. Scope this to the key that encrypts the
    # volumes (e.g. <ebs-kms-key-arn>), or drop the statement if no
    # customer-managed key is involved. The aws_ebs_volume in this file does
    # not set `encrypted` or `kms_key_id`.
    resources = ["*"]
  }
}
# 40 GiB EBS volume that the CSI plugin will attach to Nomad clients.
# An EBS volume can only be attached to instances in its own availability
# zone, so the clients must run in us-east-1f.
#
# NOTE(review): `encrypted` is not set, so encryption at rest depends on the
# account's EBS encryption-by-default setting. Set `encrypted = true` (plus
# `kms_key_id` for a customer-managed key) to make it explicit.
resource "aws_ebs_volume" "demo_csi" {
  size              = 40
  availability_zone = "us-east-1f"
}
# Renders a Nomad volume registration spec for the volume created above,
# with external_id filled in from the EBS volume's ID. plugin_id must match
# the csi_plugin id used by the plugin jobs ("aws-ebs0").
# The heredoc body is emitted verbatim, so it is kept unindented.
output "ebs_volume" {
  value = <<EOM
# volume registration
type = "csi"
id = "demo_csi"
name = "demo_csi"
external_id = "${aws_ebs_volume.demo_csi.id}"
plugin_id = "aws-ebs0"
capability {
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
EOM
}
# Nomad job that runs the AWS EBS CSI driver in "node" mode and registers it
# with Nomad as CSI plugin "aws-ebs0".
job "plugin-aws-csi-nodes" {
  datacenters = ["dc1"]

  # you can run node plugins as service jobs as well, but this ensures
  # that all nodes in the DC have a copy.
  type = "system"

  group "nodes" {
    task "plugin" {
      driver = "docker"

      config {
        # NOTE(review): the image is referenced by tag only. Because this
        # container runs privileged on every client, a digest pin
        # (amazon/aws-ebs-csi-driver@sha256:<digest>) is worth the effort.
        image = "amazon/aws-ebs-csi-driver:v0.10.1"

        args = [
          "node",
          # Socket path sits under the csi_plugin mount_dir ("/csi") below.
          "--endpoint=unix://csi/csi.sock",
          "--logtostderr",
          # NOTE(review): verbosity 5 is a debug-level setting; check what the
          # driver logs at this level before shipping logs off-host.
          "--v=5",
        ]

        # node plugins must run as privileged jobs because they
        # mount disks to the host
        #
        # A privileged container is effectively root on the client. The
        # Docker driver only honors this when the client's plugin config
        # sets allow_privileged = true, which then applies to every job on
        # that client; restrict job submission with Nomad ACLs accordingly.
        privileged = true
      }

      csi_plugin {
        id        = "aws-ebs0"
        type      = "node"
        mount_dir = "/csi"
      }

      resources {
        cpu    = 500
        memory = 256
      }
    }
  }
}
# Nomad volume registration spec for the demo EBS volume.
# external_id is the EBS volume ID and plugin_id must match the csi_plugin
# id used by the controller and node plugin jobs ("aws-ebs0").
type        = "csi"
id          = "demo_csi"
name        = "demo_csi"
external_id = "vol-0f42ee17f72114529"
plugin_id   = "aws-ebs0"

# One writer on one node at a time, exposed to the task as a mounted
# filesystem.
capability {
  access_mode     = "single-node-writer"
  attachment_mode = "file-system"
}

# Filesystem type and flags used when the volume is mounted.
mount_options {
  fs_type     = "ext4"
  mount_flags = ["noatime"]
}