Basic EKS lab script to set up a new cluster client: install kubectl and aws-iam-authenticator, generate a kubeconfig, register worker nodes and deploy a sample app.
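#!/bin/bash
# Basic EKS client Setup and management
# Doc: https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html
#
# Abort on the first failed command or failed pipeline stage so that, for
# example, a failed download never leaves a partial file that is later
# chmod +x'ed and executed. (-u is deliberately not set: the dispatcher at
# the bottom of the script is meant to be callable without arguments.)
set -eo pipefail

# Platform of the EKS-published binaries to fetch.
OS_NAME=linux
OS_ARCH=amd64
# Distribution name from os-release. Sourcing the file in a subshell also
# handles the quoted form (NAME="Fedora") that a plain grep|awk parse would
# leave the quotes on. Empty when the file is absent.
OS_DIST=$( [ -r /etc/os-release ] && . /etc/os-release; printf '%s' "${NAME:-}" )
# Kubernetes version / release date of the EKS binaries. The S3 layout is
#   <base>/<k8s version>/<release date>/bin/<os>/<arch>/<binary>
# Both may be overridden from the environment to pick a newer release.
EKS_BIN_VERSION=${EKS_BIN_VERSION:-1.10.3}
EKS_BIN_DATE=${EKS_BIN_DATE:-2018-07-26}
EKS_BIN_BASE_URL=https://amazon-eks.s3-us-west-2.amazonaws.com/${EKS_BIN_VERSION}/${EKS_BIN_DATE}/bin/${OS_NAME}/${OS_ARCH}
KUBECTL_URL=${EKS_BIN_BASE_URL}/kubectl
KUBECTL_PATH=${HOME}/bin/kubectl
IAM_AUTH_URL=${EKS_BIN_BASE_URL}/aws-iam-authenticator
IAM_AUTH_PATH=${HOME}/bin/aws-iam-authenticator
# openssl digest sub-command used to verify downloads. The author selects
# 'dgst' on Fedora and 'sha' elsewhere; 'dgst -sha256' is the generic
# spelling if 'sha' is missing on your OpenSSL build. Matches "Fedora" and
# "Fedora Linux" (newer releases quote the longer name).
case "${OS_DIST}" in
  Fedora*) OSSL_CMD_SHA=dgst ;;
  *)       OSSL_CMD_SHA=sha ;;
esac
# Cluster to operate on; overridable from the environment.
EKS_CLUSTER_NAME=${EKS_CLUSTER_NAME:-eks-dev}
# Add the per-cluster kubeconfig to KUBECONFIG without producing a leading
# ':' (empty entry) when the caller had no KUBECONFIG set.
export KUBECONFIG=${KUBECONFIG:+${KUBECONFIG}:}${HOME}/.kube/config-${EKS_CLUSTER_NAME}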
###########################
# Amazon EKS clusters require kubectl and kubelet binaries and the AWS IAM
# Authenticator for Kubernetes to allow IAM authentication for your Kubernetes
# cluster. Beginning with Kubernetes version 1.10, you can configure the stock
# kubectl client to work with Amazon EKS by installing the AWS IAM Authenticator
# for Kubernetes and modifying your kubectl configuration file to use it for
# authentication.
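function install_kubectl() {
  # Download the EKS-built kubectl to KUBECTL_PATH, keeping a timestamped
  # backup of any existing binary, and VERIFY the download against the
  # publisher's .sha256 file before making it executable. The original only
  # printed the digest, which verifies nothing.
  # Globals: KUBECTL_URL, KUBECTL_PATH, OSSL_CMD_SHA (read)
  # Returns: non-zero if the download or the checksum comparison fails; a
  #          mismatching binary is deleted rather than left on disk.
  local ts expected actual
  mkdir -p "$(dirname "${KUBECTL_PATH}")"
  if [ -f "${KUBECTL_PATH}" ]; then
    ts=$(date +%Y%m%d%H%M%S)
    echo "Backing up current kubectl to ${KUBECTL_PATH}.${ts}"
    mv "${KUBECTL_PATH}" "${KUBECTL_PATH}.${ts}"
  fi
  # -f: an HTTP error must fail instead of saving the error page as the binary.
  curl -fsSL -o "${KUBECTL_PATH}" "${KUBECTL_URL}" || return 1
  curl -fsSL -o "${KUBECTL_PATH}.sha256" "${KUBECTL_URL}.sha256" || return 1
  # The .sha256 file carries the hex digest in its first field; openssl
  # prints "SHA256(<path>)= <hex>", so the digest is its last field.
  expected=$(awk '{print $1}' "${KUBECTL_PATH}.sha256")
  actual=$(openssl "${OSSL_CMD_SHA}" -sha256 "${KUBECTL_PATH}" | awk '{print $NF}')
  if [ -z "${expected}" ] || [ "${expected}" != "${actual}" ]; then
    echo "ERROR: sha256 mismatch for ${KUBECTL_PATH}: expected '${expected}', got '${actual}'" >&2
    rm -f "${KUBECTL_PATH}"
    return 1
  fi
  echo "sha256 OK: ${actual}"
  # Only a verified binary becomes executable.
  chmod +x "${KUBECTL_PATH}"
  "${KUBECTL_PATH}" version --short --client
}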
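function install_iam_authenticator() {
  # Download aws-iam-authenticator to IAM_AUTH_PATH, keeping a timestamped
  # backup of any existing binary, and verify it against the publisher's
  # .sha256 file before making it executable.
  # Fixes: the checksum was fetched from "${URL_KUBECTL_URL}.sha256" — an
  # undefined variable, i.e. the URL ".sha256" — and was never compared.
  # Globals: IAM_AUTH_URL, IAM_AUTH_PATH, OSSL_CMD_SHA (read)
  # Returns: non-zero if the download or the checksum comparison fails; a
  #          mismatching binary is deleted rather than left on disk.
  local ts expected actual
  mkdir -p "$(dirname "${IAM_AUTH_PATH}")"
  if [ -f "${IAM_AUTH_PATH}" ]; then
    ts=$(date +%Y%m%d%H%M%S)
    echo "Backing up current IAM AUTH to ${IAM_AUTH_PATH}.${ts}"
    mv "${IAM_AUTH_PATH}" "${IAM_AUTH_PATH}.${ts}"
  fi
  # -f: an HTTP error must fail instead of saving the error page as the binary.
  curl -fsSL -o "${IAM_AUTH_PATH}" "${IAM_AUTH_URL}" || return 1
  curl -fsSL -o "${IAM_AUTH_PATH}.sha256" "${IAM_AUTH_URL}.sha256" || return 1
  # The .sha256 file carries the hex digest in its first field; openssl
  # prints "SHA256(<path>)= <hex>", so the digest is its last field.
  expected=$(awk '{print $1}' "${IAM_AUTH_PATH}.sha256")
  actual=$(openssl "${OSSL_CMD_SHA}" -sha256 "${IAM_AUTH_PATH}" | awk '{print $NF}')
  if [ -z "${expected}" ] || [ "${expected}" != "${actual}" ]; then
    echo "ERROR: sha256 mismatch for ${IAM_AUTH_PATH}: expected '${expected}', got '${actual}'" >&2
    rm -f "${IAM_AUTH_PATH}"
    return 1
  fi
  echo "sha256 OK: ${actual}"
  # Only a verified binary becomes executable; kubectl will exec this to mint
  # cluster tokens, so an unverified one would run with the caller's AWS creds.
  chmod +x "${IAM_AUTH_PATH}"
}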
# Amazon EKS requires at least version 1.15.32 of the AWS CLI.
function install_awscli() {
  # Install or upgrade the AWS CLI with pip (whatever 'pip' is first on PATH).
  local pkg=awscli
  pip install --upgrade "${pkg}"
}
function test_aws_auth() {
  # Sanity-check the AWS credentials in use: prints the account, user id
  # and ARN of the calling principal, or fails if none are configured.
  local -a cmd=(aws sts get-caller-identity)
  "${cmd[@]}"
}
function eks_cluster_endpoint() {
  # Print the API server endpoint URL of cluster EKS_CLUSTER_NAME as plain text.
  local query=cluster.endpoint
  aws eks describe-cluster --name "${EKS_CLUSTER_NAME}" --query "${query}" --output text
}
function eks_cluster_CA() {
  # Print the base64-encoded cluster CA certificate of EKS_CLUSTER_NAME, the
  # value that goes into certificate-authority-data in the kubeconfig.
  local query=cluster.certificateAuthority.data
  aws eks describe-cluster --name "${EKS_CLUSTER_NAME}" --query "${query}" --output text
}
# AWS EKS identifies its worker nodes by their instance IAM role, so a
# ConfigMap (aws-auth) must tell the AWS IAM authenticator to admit those
# instances as nodes; see gen_cm_aws_auth_workers below.
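function gen_kubeconfig() {
  # Write a per-cluster kubeconfig (~/.kube/config-<cluster>) whose single
  # user obtains tokens by exec'ing aws-iam-authenticator, then make sure the
  # file is on KUBECONFIG.
  # Fixes: the heredoc appended (>>), so every re-run produced a second YAML
  # document in the same file; 'mkdir | true' was a no-op pipe; an empty
  # endpoint/CA from a failed describe-cluster was written out unchecked.
  # Globals: EKS_CLUSTER_NAME (read), KUBECONFIG (read/written)
  # Returns: 1 if the cluster endpoint or CA could not be retrieved.
  local kubeconfig="${HOME}/.kube/config-${EKS_CLUSTER_NAME}"
  local cluster_endpoint cluster_ca
  mkdir -p "${HOME}/.kube"
  cluster_endpoint=$(eks_cluster_endpoint) || return 1
  cluster_ca=$(eks_cluster_CA) || return 1
  # A kubeconfig without a server or CA pin is useless at best and invites
  # 'kubectl --insecure-skip-tls-verify' workarounds at worst; refuse it.
  if [ -z "${cluster_endpoint}" ] || [ -z "${cluster_ca}" ]; then
    echo "ERROR: could not describe cluster '${EKS_CLUSTER_NAME}' (empty endpoint or CA)" >&2
    return 1
  fi
  # Keep the previous file around, then overwrite rather than append.
  if [ -f "${kubeconfig}" ]; then
    cp -p "${kubeconfig}" "${kubeconfig}.$(date +%Y%m%d%H%M%S)"
  fi
  # Owner-only: the exec stanza below is effectively a command kubectl runs
  # with the caller's AWS credentials, so nobody else should be able to
  # read or alter it.
  : > "${kubeconfig}"
  chmod 600 "${kubeconfig}"
  # NOTE: 'command: aws-iam-authenticator' is resolved through PATH at kubectl
  # run time; install_iam_authenticator puts it in ~/bin, so ~/bin must be on
  # PATH (or put the absolute IAM_AUTH_PATH here).
  cat <<EOF > "${kubeconfig}"
apiVersion: v1
clusters:
- cluster:
    server: ${cluster_endpoint}
    certificate-authority-data: ${cluster_ca}
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aws
  name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      args:
        - "token"
        - "-i"
        - "${EKS_CLUSTER_NAME}"
      # - "-r"
      # - "<role-arn>"
      # env:
      #   - name: AWS_PROFILE
      #     value: "<aws-profile>"
EOF
  # Append to KUBECONFIG only if it is not already listed (the script header
  # normally adds it), so repeated calls do not grow the variable.
  case ":${KUBECONFIG:-}:" in
    *":${kubeconfig}:"*) ;;
    *) export KUBECONFIG=${KUBECONFIG:+${KUBECONFIG}:}${kubeconfig} ;;
  esac
  echo "Wrote ${kubeconfig}"
}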
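function gen_cm_aws_auth_workers() {
  # Render and apply the aws-auth ConfigMap that maps the worker nodes'
  # instance IAM role to the system:bootstrappers / system:nodes groups, then
  # watch nodes join (Ctrl-C to stop). Reference manifest:
  #   https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/2018-08-30/aws-auth-cm.yaml
  # Fixes: the heredoc appended (>>) on every run; 'mkdir | true' was a
  # no-op pipe; the role ARN was hard-coded to the author's lab role (and has
  # an empty account id field: arn:aws:iam:::role/...).
  # Globals: EKS_WORKER_ROLE_ARN (read, optional), EKS_CLUSTER_NAME,
  #          KUBECTL_PATH (read)
  # SECURITY: every principal that can assume the mapped role gets node-level
  # access to the cluster. Map only this cluster's NodeInstanceRole, never an
  # admin or shared role. Note also that applying this manifest may replace
  # mappings already present in an existing aws-auth ConfigMap; on a cluster
  # that already has one, merge by editing instead of applying blindly.
  local role_arn="${EKS_WORKER_ROLE_ARN:-arn:aws:iam:::role/eks-dev-worker-nodes-NodeInstanceRole-14V2QRNEQFR0P}"
  local out_dir="${HOME}/.kube/${EKS_CLUSTER_NAME}"
  local manifest="${out_dir}/cm-aws-auth.yaml"
  if [ -z "${EKS_WORKER_ROLE_ARN:-}" ]; then
    echo "WARNING: EKS_WORKER_ROLE_ARN is not set; falling back to the hard-coded lab role ARN, which will not match your account" >&2
  fi
  mkdir -p "${out_dir}"
  # Overwrite, not append: a re-run must not produce a multi-document file.
  cat <<EOF > "${manifest}"
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: "${role_arn}"
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
EOF
  "${KUBECTL_PATH}" apply -f "${manifest}"
  "${KUBECTL_PATH}" get nodes --watch
}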
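function kube_show_services() {
  # List the services in the current namespace. Uses the pinned, verified
  # KUBECTL_PATH like every other function here instead of whichever
  # 'kubectl' happens to be first on PATH (the only inconsistency in the file).
  # Globals: KUBECTL_PATH (read)
  "${KUBECTL_PATH}" get svc
}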
function kube_launch_app() {
  # Deploy the upstream guestbook sample (Redis master/slave + frontend) from
  # the manifests pinned to the kubernetes v1.10.3 tag, in dependency order,
  # then list services so the caller can wait for the guestbook External IP.
  # Globals: KUBECTL_PATH (read)
  local base=https://raw.githubusercontent.com/kubernetes/kubernetes/v1.10.3/examples/guestbook-go
  local step
  # Each entry is "<manifest file>|<progress message>".
  for step in \
    "redis-master-controller.json|Create the Redis master replication controller." \
    "redis-master-service.json|Create the Redis master service." \
    "redis-slave-controller.json|Create the Redis slave replication controller." \
    "redis-slave-service.json|Create the Redis slave service." \
    "guestbook-controller.json|Create the guestbook replication controller." \
    "guestbook-service.json|Create the guestbook service."
  do
    echo "#> ${step#*|}"
    ${KUBECTL_PATH} apply -f "${base}/${step%%|*}"
  done
  echo "#> Query the services in your cluster and wait until the External IP column for the guestbook service is populated."
  ${KUBECTL_PATH} get services -o wide
}
function kube_clean_app() {
  # Tear down everything kube_launch_app created: the three replication
  # controllers and their three services, in one kubectl call.
  # Globals: KUBECTL_PATH (read)
  local -a resources=(
    rc/redis-master rc/redis-slave rc/guestbook
    svc/redis-master svc/redis-slave svc/guestbook
  )
  ${KUBECTL_PATH} delete "${resources[@]}"
}
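# Dispatch on the first argument. The usage line previously listed only three
# of the nine commands; it now lists all of them, goes to stderr, and an
# unknown/missing command exits non-zero so callers and CI notice.
case "${1:-}" in
  "install_iam")    install_iam_authenticator ;;
  "install_kubectl") install_kubectl ;;
  "install_awscli") install_awscli ;;
  "test_auth")      test_aws_auth ;;
  "kubeconfig")     gen_kubeconfig ;;
  "show_svc")       kube_show_services ;;
  "cm_aws_auth")    gen_cm_aws_auth_workers ;;
  "launch_app")     kube_launch_app ;;
  "clean_app")      kube_clean_app ;;
  *)
    echo "Please use: $0 [install_iam|install_kubectl|install_awscli|test_auth|kubeconfig|show_svc|cm_aws_auth|launch_app|clean_app]" >&2
    exit 1
    ;;
esac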