import { ComponentResource, ComponentResourceOptions, Input, CustomResourceOptions } from "@pulumi/pulumi";
import * as eks from '@pulumi/eks';
import * as k8s from '@pulumi/kubernetes';
import * as aws from '@pulumi/aws';
import * as fs from 'fs';
import * as path from 'node:path'
import * as pulumi from '@pulumi/pulumi'
/**
 * Inputs for `AlbIngressController`.
 */
interface albIngressControllerArgs {
  /** Target EKS cluster; its OIDC provider is what the IRSA trust policy is built from. */
  cluster: eks.Cluster
  /** Forwarded to the chart as `enableShield`; treated as false when omitted. */
  enableShield?: Input<boolean>
  /** VPC the cluster lives in; forwarded to the chart as `vpcId`. */
  vpcId: Input<string>
}
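/**
 * Installs the AWS Load Balancer Controller Helm chart on an EKS cluster and
 * wires it up with IRSA: a dedicated namespace, an IAM role whose trust policy
 * only admits the controller's own service account through the cluster's OIDC
 * provider, the controller IAM policy loaded from `files/iam_policy.json`,
 * and a Kubernetes service account annotated with the role ARN.
 *
 * Kubernetes resources are created through `cluster.provider`; AWS resources
 * use the AWS provider passed in `opts.provider`, or the default provider when
 * none is given (in which case `region` is not passed to the chart).
 *
 * @param name  Pulumi resource name; also used as the service-account name prefix.
 * @param args  See `albIngressControllerArgs`.
 * @param opts  Component options; `opts.provider` is expected to be an `aws.Provider`.
 * @throws Error when the cluster has no OIDC provider — the trust policy cannot
 *   be built without one, and a policy with an undefined principal would be
 *   rejected by IAM anyway.
 */
export class AlbIngressController extends ComponentResource {
  constructor(name: string, args: albIngressControllerArgs, opts?: ComponentResourceOptions) {
    super('custom:resource:AlbIngressController', name, args, opts)
    const { cluster } = args
    // Optional: Pulumi falls back to the default AWS provider when this is undefined.
    const provider = opts?.provider as aws.Provider | undefined

    // Fail early and loudly rather than emitting a trust policy whose
    // `Federated` principal and condition key are the string "undefined".
    const oidcProvider = cluster.core.oidcProvider
    if (!oidcProvider) {
      throw new Error(
        `${name}: cluster has no OIDC provider; create the cluster with createOidcProvider: true so the controller can use IRSA`,
      )
    }

    const serviceAccountName = `${name}-serviceaccount`

    const namespace = new k8s.core.v1.Namespace(`${name}-alb-namespace`, {
      metadata: {
        name: 'aws-lb-controller',
        labels: {
          'app.kubernetes.io/name': 'aws-load-balancer-controller',
        },
      },
    }, { provider: cluster.provider, parent: this })

    // IRSA trust policy. Only a token projected for exactly this service
    // account (namespace + name) and issued for the STS audience may assume
    // the role; these are the two conditions AWS documents for IRSA. Without
    // the `:aud` check, a token from the same issuer minted for a different
    // audience would also satisfy the policy.
    const iamRole = new aws.iam.Role(`${name}-aws-loadbalancer-controller-role`, {
      assumeRolePolicy: pulumi
        .all([namespace.metadata, oidcProvider.arn, oidcProvider.url])
        .apply(([namespaceMetadata, arn, url]) => {
          // IAM condition keys use the issuer host/path without the scheme;
          // the provider's `url` output carries `https://`, so strip it.
          const issuer = url.replace(/^https?:\/\//, '')
          const stringEquals: Record<string, string> = {
            [`${issuer}:sub`]: `system:serviceaccount:${namespaceMetadata.name}:${serviceAccountName}`,
            [`${issuer}:aud`]: 'sts.amazonaws.com',
          }
          return {
            Version: '2012-10-17',
            Statement: [{
              Effect: 'Allow',
              Principal: { Federated: arn },
              Action: 'sts:AssumeRoleWithWebIdentity',
              Condition: { StringEquals: stringEquals },
            }],
          }
        }) as Input<aws.iam.PolicyDocument>,
    }, { provider, parent: this })

    // Permissions the controller needs to manage load balancers. The JSON is
    // read verbatim from disk; it should be the upstream policy that matches
    // the chart version pinned below, and the two should be bumped together.
    const policy = new aws.iam.Policy(`${name}-ingress-controller-iam-policy`, {
      policy: fs.readFileSync(path.resolve(__dirname, 'files', 'iam_policy.json'), 'utf8'),
    }, { provider, parent: this })

    // Attaches to the IRSA role above, not to the node instance role; the
    // resource name is kept as-is so existing stacks are not replaced.
    new aws.iam.RolePolicyAttachment(`${name}-eks-nodeInstanceRole-policy-attach`, {
      role: iamRole,
      policyArn: policy.arn,
    }, { provider, parent: this })

    const serviceaccount = new k8s.core.v1.ServiceAccount(`${name}-serviceaccount`, {
      metadata: {
        name: serviceAccountName,
        namespace: namespace.metadata.apply(m => m.name),
        labels: {
          'app.kubernetes.io/name': 'aws-loadbalancer-controller',
          'app.kubernetes.io/instance': name,
        },
        annotations: {
          // The annotation the EKS pod identity webhook reads to project a
          // web-identity token for this role into the controller pod.
          'eks.amazonaws.com/role-arn': iamRole.arn,
        },
      },
    }, { provider: cluster.provider, parent: this })

    // `enableShield` is an Input and may be an Output; an Output object is
    // always truthy, so it must be resolved before being turned into the
    // chart's string value. Omitted -> 'false', matching the previous default.
    const enableShield = pulumi
      .output(args.enableShield ?? false)
      .apply(v => (v ? 'true' : 'false'))

    new k8s.helm.v3.Release(`${name}-alb`, {
      chart: 'aws-load-balancer-controller',
      version: '1.4.4',
      namespace: namespace.metadata.apply(m => m.name),
      repositoryOpts: {
        repo: 'https://aws.github.io/eks-charts',
      },
      values: {
        region: provider?.region,
        enableShield,
        vpcId: args.vpcId,
        clusterName: cluster.eksCluster.name,
        // The chart's key is `serviceAccount` (camelCase) and `create` must be
        // a real boolean: a non-empty string such as "false" is truthy in Helm
        // templates. With either mistake the chart creates its own, un-annotated
        // service account and the controller runs without the IRSA role.
        serviceAccount: {
          name: serviceaccount.metadata.apply(m => m.name),
          create: false,
        },
      },
    }, { provider: cluster.provider, parent: this })
  }
}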