@dongsupark
Last active February 2, 2021 14:43
Cluster API AWS quickstart
1. AWS IAM
Configure IAM in your AWS account. The IAM policy used by Cluster API needs to allow the following actions, grouped by service.
a) ec2
```
AllocateAddress
AssociateAddress
AssociateRouteTable
AttachInternetGateway
AttachNetworkInterface
CreateEgressOnlyInternetGateway
CreateInternetGateway
CreateKeyPair
CreateLocalGatewayRouteTable
CreateLocalGatewayRouteTableVpcAssociation
CreateNatGateway
CreateNetworkInterface
CreateRoute
CreateRouteTable
CreateSubnet
CreateVpc
DeleteEgressOnlyInternetGateway
DeleteInternetGateway
DeleteKeyPair
DeleteLocalGatewayRouteTable
DeleteLocalGatewayRouteTableVpcAssociation
DeleteNatGateway
DeleteNetworkInterface
DeleteRoute
DeleteRouteTable
DeleteSubnet
DeleteVpc
DescribeAddresses
DescribeAvailabilityZones
DescribeEgressOnlyInternetGateways
DescribeInternetGateways
DescribeKeyPairs
DescribeLocalGatewayRouteTableVpcAssociation
DescribeLocalGatewayRouteTables
DescribeNatGateways
DescribeNetworkAcls
DescribeNetworkInterfaces
DescribeRouteTables
DescribeSubnets
DescribeVpcAttribute
DescribeVpcEndpoints
DescribeVpcPeeringConnections
DescribeVpcs
DescribeVpnConnections
DescribeVpnGateways
DetachInternetGateway
DetachNetworkInterface
DisassociateAddress
DisassociateRouteTable
ImportKeyPair
ModifyAvailabilityZoneGroup
ModifySubnetAttribute
ModifyVpcAttribute
ReleaseAddress
ReplaceRoute
```
b) elasticloadbalancing
```
AddTags
AttachLoadBalancerToSubnets
ConfigureHealthCheck
CreateLoadBalancer
DeleteLoadBalancer
DeregisterInstancesFromLoadBalancer
DescribeLoadBalancers
DescribeLoadBalancerAttributes
DescribeTags
DetachLoadBalancerFromSubnets
ModifyLoadBalancerAttributes
RegisterInstancesWithLoadBalancer
RemoveTags
```
c) secretsmanager
```
CreateSecret
DeleteSecret
DescribeSecret
GetSecretValue
ListSecretVersionIds
ListSecrets
PutSecretValue
TagResource
UpdateSecret
UpdateSecretVersionStage
ValidateResourcePolicy
UntagResource
```
d) s3
```
DeleteObject
GetBucketLocation
GetObject
PutObject
ListAllMyBuckets
ListBucket
```
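As an added check that is not part of the gist: a small Python helper that turns per-service action lists like the ones above into a least-privilege policy document (fully enumerated actions, no wildcards) and audits an existing policy against them. `SAMPLE_ACTIONS` is a constructed subset for the example; a real policy must carry every action listed above.

```python
# Sample input constructed for this example: a small subset of the per-service
# action lists in the quickstart above (a real policy must carry all of them).
SAMPLE_ACTIONS = {
    "ec2": ["CreateVpc", "DeleteVpc", "DescribeVpcs", "ImportKeyPair"],
    "elasticloadbalancing": ["CreateLoadBalancer", "DeleteLoadBalancer"],
    "secretsmanager": ["CreateSecret", "GetSecretValue", "DeleteSecret"],
    "s3": ["GetObject", "PutObject", "DeleteObject", "ListBucket"],
}


def build_policy(actions_by_service):
    """IAM policy document allowing exactly the listed actions: one Allow
    statement per service, fully enumerated actions, no wildcards."""
    statements = []
    for service, actions in sorted(actions_by_service.items()):
        statements.append({
            "Sid": "ClusterApi" + service.capitalize(),
            "Effect": "Allow",
            "Action": sorted(f"{service}:{a}" for a in actions),
            "Resource": "*",  # resource-level scoping is left to the deployer
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _allowed_actions(policy):
    """Flatten the Action field of every Allow statement into one set."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        allowed.update([acts] if isinstance(acts, str) else acts)
    return allowed


def audit_policy(policy, required_by_service):
    """Report required actions the policy does not grant ('missing') and grants
    beyond the list ('excess'). A wildcard such as 'ec2:*' covers its service
    for the missing check but is itself reported as excess."""
    required = {f"{s}:{a}" for s, acts in required_by_service.items() for a in acts}
    allowed = _allowed_actions(policy)

    def covered(action):
        return action in allowed or action.split(":")[0] + ":*" in allowed or "*" in allowed

    missing = sorted(a for a in required if not covered(a))
    excess = sorted(a for a in allowed if a not in required)
    return {"missing": missing, "excess": excess}
```

Feed `audit_policy` the policy document attached to the Cluster API user or role (for example the output of `aws iam get-policy-version`) to spot both gaps and over-broad `service:*` grants.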
1.1. Import a key pair
```
# region and instance sizes used by the cluster template
export AWS_REGION=eu-west-1
export AWS_CONTROL_PLANE_MACHINE_TYPE=t3.small
export AWS_NODE_MACHINE_TYPE=t3.small
# owner account and base OS of the Flatcar AMI
export AWS_AMI_IMAGE_ORG="075585003325"
export AWS_AMI_IMAGE_BASEOS="flatcar-stable"
export AWS_SSH_KEY_NAME=my-cluster-api-test
export AWS_SECURE_SECRETS_BACKEND=s3-bucket
# placeholders: set the real access key pair here
export AWS_ACCESS_KEY_ID=blah
export AWS_SECRET_ACCESS_KEY=blah
# import the public key under the same name the template reads from AWS_SSH_KEY_NAME
aws ec2 import-key-pair \
  --key-name "${AWS_SSH_KEY_NAME}" \
  --public-key-material "$(cat ~/.ssh/id_rsa.pub)"
```
2. Create a cluster.
a) management cluster
```
kind create cluster
```
Check that it is up.
```
kubectl cluster-info
```
b) cloudformation stack
```
clusterawsadm bootstrap iam create-cloudformation-stack
export AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-as-profile)
```
c) cluster API
```
clusterctl init --infrastructure aws
```
Create a cluster config from the AWS template for Flatcar. This step converts the customized template into the actual manifest:
```
clusterctl config cluster capi-quickstart --kubernetes-version v1.18.15 --control-plane-machine-count=3 --worker-machine-count=3 --from=https://github.com/kinvolk/cluster-api-provider-aws/blob/template-image-flatcar/templates/cluster-template.yaml > capi-quickstart-aws.yaml
```
Please make sure that the resulting config file includes the following option under cloudInit, for both the control plane and the worker AWSMachineTemplate:
```
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
kind: AWSMachineTemplate
spec:
  template:
    spec:
      cloudInit:
        secureSecretsBackend: s3-bucket
```
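An added helper, not part of the gist, that scans the generated manifest for every AWSMachineTemplate and reports the ones whose secureSecretsBackend is not s3-bucket, so a worker template that was left on the default is caught as well as the control plane. The sample manifest is constructed for the example, and the check is a line-oriented scan of that one field rather than a full YAML parse, so it needs no extra library.

```python
import re

# Constructed sample: two AWSMachineTemplate documents as clusterctl would emit
# them, one with the Flatcar setting and one still on the default backend.
SAMPLE_MANIFEST = """\
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
kind: AWSMachineTemplate
metadata:
  name: capi-quickstart-control-plane
spec:
  template:
    spec:
      cloudInit:
        secureSecretsBackend: s3-bucket
---
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
kind: AWSMachineTemplate
metadata:
  name: capi-quickstart-md-0
spec:
  template:
    spec:
      instanceType: t3.small
"""


def check_secrets_backend(manifest, expected="s3-bucket"):
    """Names of AWSMachineTemplate objects whose
    spec.template.spec.cloudInit.secureSecretsBackend is not `expected`.
    Only that one field is inspected, so a line-oriented scan is enough
    and no YAML library is needed."""
    bad = []
    for doc in re.split(r"^---[ \t]*$", manifest, flags=re.MULTILINE):
        if not re.search(r"^kind:[ \t]*AWSMachineTemplate[ \t]*$", doc, re.M):
            continue
        name = re.search(r"^[ \t]+name:[ \t]*(\S+)", doc, re.M)
        backend = re.search(r"^[ \t]+secureSecretsBackend:[ \t]*(\S+)", doc, re.M)
        if backend is None or backend.group(1) != expected:
            bad.append(name.group(1) if name else "<unnamed>")
    return bad
```

Run it over the file produced by `clusterctl config cluster` (for example `check_secrets_backend(open("capi-quickstart-aws.yaml").read())`) and fix every template it names before applying the manifest.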
Apply cert-manager config.
```
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml
```
Apply the config to the management cluster.
```
kubectl apply -f capi-quickstart-aws.yaml
# check if the cluster was provisioned
kubectl describe awscluster/capi-quickstart
kubectl get cluster -A -w
kubectl get kubeadmcontrolplane -A -w
clusterctl get kubeconfig capi-quickstart > capi-quickstart.kubeconfig
kubectl --kubeconfig=./capi-quickstart.kubeconfig apply -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml
```
2.1. Customizing development clusters
Following https://cluster-api.sigs.k8s.io/developer/tilt.html.
```
cd .../cluster-api-provider-aws
export REGISTRY=quay.io/myuser
export PROD_REGISTRY=quay.io/myuser
export STAGING_REGISTRY=quay.io/myuser
make docker-build
make docker-push
cd ../cluster-api
tee tilt-settings.json << EOF
{
  "default_registry": "quay.io/myuser",
  "provider_repos": ["../cluster-api-provider-aws"],
  "enable_providers": ["aws", "docker", "kubeadm-bootstrap", "kubeadm-control-plane"],
  "kustomize_substitutions": {
    "AWS_B64ENCODED_CREDENTIALS": "abcd..."
  }
}
EOF
tilt up
```
3. Cleaning up clusters
Delete tilt.
```
tilt down
```
Delete the workload clusters.
```
kubectl delete cluster capi-quickstart
curl -o ./delete_vpc.sh https://raw.githubusercontent.com/lianghong/delete_vpc/master/delete_vpc.sh
chmod +x ./delete_vpc.sh
aws elb delete-load-balancer --load-balancer-name=capi-quickstart-apiserver
export VPCID=$(aws ec2 describe-vpcs --filters "Name=tag:Name,Values=capi-quickstart-vpc" --query 'Vpcs[0].VpcId' | tr -d '"')
./delete_vpc.sh ${AWS_REGION} ${VPCID}
```
Delete the management cluster.
```
kind delete cluster
```