eks_cli 0.1.0

data/lib/eks_cli/cloudformation/stack.rb

@@ -0,0 +1,113 @@
+require 'cloudformation/client'
+require 'log'
+
+module EksCli
+  module CloudFormation
+    class Stack
+
+      def self.create(cluster_name, config)
+        Log.info "creating cloudformation stack #{config[:stack_name]}"
+        begin
+          stack_id = client(cluster_name).create_stack(config).stack_id
+        rescue Aws::CloudFormation::Errors::AlreadyExistsException => e
+          Log.warn "stack #{config[:stack_name]} already exists"
+          stack_id = Aws::CloudFormation::Stack.new(config[:stack_name], client: client(cluster_name)).stack_id
+        end
+        new(cluster_name, stack_id)
+      end
+
+      def self.await(stacks)
+        while pending(stacks) > 0 do
+          Log.info "#{pending(stacks)} stacks out of #{stacks.count} are still being created"
+          sleep 10
+        end
+        stacks
+      end
+
+      def self.find(cluster_name, name)
+        new(cluster_name, Aws::CloudFormation::Stack.new(name, client: client(cluster_name)).stack_id)
+      end
+
+      def initialize(cluster_name, stack_id)
+        @cluster_name = cluster_name
+        @id = stack_id
+      end
+
+      def delete
+        Log.info "deleting stack #{id} from cloudformation"
+        client.delete_stack(stack_name: id)
+      end
+
+      def id; @id; end
+
+      def pending?
+        status == "CREATE_IN_PROGRESS"
+      end
+
+      def eks_worker?
+        !worker_tag.empty?
+      end
+
+      def node_instance_role_arn
+        output("NodeInstanceRole")
+      end
+
+      def node_instance_role_name
+        node_instance_role_arn.split("/")[1]
+      end
+
+      def status
+        stack(reload: true).stack_status
+      end
+
+      def reload
+        stack(reload: true)
+        self
+      end
+
+      def output(key)
+        stack.outputs.select {|a| a.output_key == key}.first.output_value
+      end
+
+      def outputs
+        stack.outputs
+      end
+
+      private
+
+      def self.pending(stacks)
+        stacks.select(&:pending?).count
+      end
+
+      def self.client(cluster_name)
+        CloudFormation::Client.get(cluster_name)
+      end
+
+      def client
+        self.class.client(@cluster_name)
+      end
+
+      def stack(reload: false)
+        if reload
+          @stack = fetch
+        else
+          @stack ||= fetch
+        end
+      end
+      
+      def fetch
+        client.describe_stacks(stack_name: @id).stacks.first
+      end
+
+      def worker_tag
+        stack.tags.select {|t| worker_tag?(t)}
+      end
+
+      def worker_tag?(tag)
+        tag.key == "eks-nodegroup"
+      end
+
+    end
+
+  end
+end

data/lib/eks_cli/cloudformation/vpc.rb

@@ -0,0 +1,33 @@
+require 'cloudformation/stack'
+require 'log'
+
+module EksCli
+  module CloudFormation
+    class VPC
+
+      def self.create(cluster_name)
+        Log.info "creating VPC stack for #{cluster_name}"
+        s = Stack.create(cluster_name, config(cluster_name))
+        Stack.await([s])
+        s.reload
+        puts "Outputs are:
+          SecurityGroups: #{s.output("SecurityGroups")}
+          VpcId: #{s.output("VpcId")}
+          SubnetIds: #{s.output("SubnetIds")}
+        "
+        {control_plane_sg_id: s.output("SecurityGroups"),
+         vpc_id: s.output("VpcId"),
+         subnets: s.output("SubnetIds").split(",")}
+      end
+
+      private
+
+      def self.config(cluster_name)
+        {stack_name: "EKS-VPC-#{cluster_name}",
+         template_url: "https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/2018-08-30/amazon-eks-vpc-sample.yaml",
+         tags: [{key: "eks-cluster", value: cluster_name.to_s}]}
+      end
+
+    end
+  end
+end

data/lib/eks_cli/config.rb

@@ -0,0 +1,117 @@
+require 'json'
+require_relative 'log'
+require 'active_support/core_ext/hash'
+require 'fileutils'
+module EksCli
+  class Config
+    class << self
+      def [](cluster_name)
+        new(cluster_name)
+      end
+
+    end
+
+    def initialize(cluster_name)
+      @cluster_name = cluster_name
+    end
+
+    def read_from_disk
+      base = read(config_path)
+      base["cluster_name"] = @cluster_name
+      base = base.merge(read(state_path)).merge(read(groups_path))
+      base
+    end
+
+    def [](k)
+      read_from_disk[k]
+    end
+
+    def for_group(group_name)
+      all = read_from_disk
+      group = group_defaults
+        .merge(all["groups"][group_name])
+        .merge(all.slice("cluster_name", "control_plane_sg_id", "nodes_sg_id", "vpc_id"))
+      group["subnets"] = all["subnets"][0..(group["num_subnets"]-1)].join(",")
+      group
+    end
+
+    def write(attrs, to = :state)
+      to_path = resolve_config_file(to)
+      Log.info "updating configuration file #{to_path}:\n#{attrs}"
+      attrs = attrs.inject({}) {|h,(k,v)| h[k.to_s] = v; h}
+      current = read(to_path)
+      updated = current.deep_merge(attrs)
+      write_to_file(updated, to_path)
+    end
+
+    def bootstrap(attrs)
+      write_to_file(attrs, config_path)
+      write_to_file({}, state_path)
+      write_to_file({}, groups_path)
+      Log.info "written configuration files to:\n#{config_path}\n#{state_path}\n#{groups_path}"
+    end
+
+    def set_iam_policies(policies)
+      write({iam_policies: policies}, :groups)
+    end
+
+    def update_nodegroup(options)
+      options = options.slice(:ami, :group_name, :instance_type, :num_subnets, :ssh_key_name, :taints, :min, :max)
+      write({groups: { options[:group_name] => options }}, :groups)
+    end
+
+    private
+
+    def resolve_config_file(sym)
+      case sym
+      when :state
+        state_path
+      when :config
+        config_path
+      when :groups
+        groups_path
+      else raise "no such config #{sym}"
+      end
+    end
+
+    def write_to_file(attrs, path)
+      File.open(path, 'w') {|file| file.write(attrs.to_json)}
+    end
+
+    def read(path)
+      f = File.read(path)
+      JSON.parse(f)
+    end
+
+    def groups_path
+      with_config_dir { |dir| "#{dir}/groups.json" }
+    end
+
+    def state_path
+      with_config_dir { |dir| "#{dir}/state.json" }
+    end
+
+    def config_path
+      with_config_dir { |dir| "#{dir}/config.json" }
+    end
+
+    def dir
+      "#{ENV['HOME']}/.eks/#{@cluster_name}"
+    end
+
+    def with_config_dir
+      FileUtils.mkdir_p(dir)
+      yield dir
+    end
+
+    def group_defaults
+      {"group_name" => "Workers",
+       "ami" => "ami-0a54c984b9f908c81",
+       "instance_type" => "m5.xlarge",
+       "max" => 1,
+       "min" =>  1,
+       "num_subnets" =>  3,
+       "volume_size" => 100}
+    end
+  end
+end

data/lib/eks_cli/ec2/security_group.rb

@@ -0,0 +1,53 @@
+require 'aws-sdk-ec2'
+require 'log'
+require 'config'
+module EksCli
+  module EC2
+    class SecurityGroup
+
+      def initialize(cluster_name, open_ports)
+        @cluster_name = cluster_name
+        @open_ports = open_ports
+      end
+
+      def create
+        Log.info "creating security group for in-cluster communication for #{@cluster_name}"
+        gid = client.create_security_group(description: "Security group for in-cluster communication on #{@cluster_name}", 
+                                           group_name: "#{@cluster_name}-SG", 
+                                           vpc_id: vpc_id).group_id
+
+        Log.info "created security group #{gid}, setting ingress/egress rules"
+
+        client.authorize_security_group_ingress(group_id: gid,
+                                                ip_permissions: [{from_port: -1,
+                                                                  ip_protocol: "-1",
+                                                                  to_port: -1,
+                                                                  user_id_group_pairs: [{description: "in-cluster communication for #{@cluster_name}", 
+                                                                                         group_id: gid}]}])
+
+        @open_ports.each do |port|
+
+          client.authorize_security_group_ingress(group_id: gid,
+                                                  ip_permissions: [{from_port: port,
+                                                                    to_port: port,
+                                                                    ip_protocol: "tcp",
+                                                                    ip_ranges: [{cidr_ip: "0.0.0.0/0",
+                                                                                 description: "EKS cluster allow access on port #{port}"}]}])
+        end
+
+        Log.info "done"
+        gid
+      end
+
+      private
+
+      def vpc_id
+        Config[@cluster_name]["vpc_id"]
+      end
+
+      def client
+        @client ||= Aws::EC2::Client.new(region: Config[@cluster_name]["region"])
+      end
+    end
+  end
+end

data/lib/eks_cli/eks/client.rb

@@ -0,0 +1,11 @@
+require 'aws-sdk-eks'
+require 'config'
+module EksCli
+  module EKS
+    class Client
+      def self.get(cluster_name)
+        @client ||= Aws::EKS::Client.new(region: Config[cluster_name]["region"])
+      end
+    end
+  end
+end

data/lib/eks_cli/eks/cluster.rb

@@ -0,0 +1,61 @@
+require 'aws-sdk-eks'
+require 'eks/client'
+require 'config'
+require 'log'
+
+module EksCli
+  module EKS
+    class Cluster
+
+      def initialize(cluster_name)
+        @cluster_name = cluster_name
+      end
+
+      def create
+        Log.info "creating cluster #{@cluster_name}"
+        Log.debug config
+        resp = client.create_cluster(config)
+        Log.info "response: #{resp.cluster}"
+        self
+      end
+
+      def config
+        {name: @cluster_name,
+         role_arn: Config[@cluster_name]["eks_role_arn"],
+         resources_vpc_config: {
+           subnet_ids: Config[@cluster_name]["subnets"],
+           security_group_ids:  [Config[@cluster_name]["control_plane_sg_id"]]}}
+      end
+
+      def await
+        while status == "CREATING" do
+          Log.info "waiting for cluster #{@cluster_name} to finish creation (#{status})"
+          sleep 10
+        end
+        Log.info "cluster #{@cluster_name} created with status #{status}"
+      end
+
+      def status
+        cluster.status
+      end
+
+      def cluster
+        client.describe_cluster(name: @cluster_name).cluster
+      end
+
+      def arn
+        cluster.arn
+      end
+
+      def client
+        Client.get(@cluster_name)
+      end
+
+      def update_kubeconfig
+        Log.info "updating kubeconfig for cluster #{@cluster_name}"
+        Log.info `aws eks update-kubeconfig --name=#{@cluster_name} --region=#{Config[@cluster_name]["region"]}`
+      end
+
+    end
+  end
+end

data/lib/eks_cli/iam/client.rb

@@ -0,0 +1,84 @@
+require 'aws-sdk-iam'
+require 'config'
+module EksCli
+  module IAM
+    class Client
+
+      EKS_CLUSTER_POLICIES = ["AmazonEKSClusterPolicy", "AmazonEKSServicePolicy"]
+      ASSUME_ROLE = {
+        "Version" => "2012-10-17",
+        "Statement" => [
+          {
+            "Effect" => "Allow",
+            "Principal" => {
+              "Service" => "eks.amazonaws.com"
+            },
+            "Action" => "sts:AssumeRole"
+          }
+        ]
+      }
+
+      def initialize(cluster_name)
+        @cluster_name = cluster_name
+      end
+
+      def client
+        @client ||= Aws::IAM::Client.new(region: config["region"])
+      end
+
+      def config
+        @config ||= Config[@cluster_name]
+      end
+
+      def create_eks_role
+        Log.info "creating IAM cluster role for #{@cluster_name}"
+        begin 
+          role = client.get_role(role_name: role_name).role
+        rescue Aws::IAM::Errors::NoSuchEntity => e
+          role = client.create_role(role_name: role_name,
+                                    description: "created by eks cli for #{@cluster_name}",
+                                    assume_role_policy_document: ASSUME_ROLE.to_json).role
+          attach_policies(role.role_name, EKS_CLUSTER_POLICIES)
+        end
+        Log.info "created role #{role}"
+        role
+      end
+
+      def attach_node_policies(role_name)
+        attach_policies(role_name, node_policies)
+      end
+
+      def detach_node_policies(role_name)
+        detach_policies(role_name, node_policies)
+      end
+
+      def attach_policies(role_name, policies)
+        Log.info "attaching IAM policies to #{role_name}"
+        policies.each do |p|
+          client.attach_role_policy(policy_arn: arn(p),
+                                    role_name: role_name)
+        end
+      end
+
+      def detach_policies(role_name, policies)
+        Log.info "detaching IAM policies to #{role_name}"
+        policies.each do |p|
+          client.detach_role_policy(policy_arn: arn(p),
+                                    role_name: role_name)
+        end
+      end
+
+      def node_policies
+        config["iam_policies"]
+      end
+
+      def arn(p)
+        "arn:aws:iam::aws:policy/#{p}"
+      end
+
+      def role_name
+        "#{@cluster_name}-EKS-Role"
+      end
+    end
+  end
+end

data/lib/eks_cli/k8s/auth.rb

@@ -0,0 +1,53 @@
+require 'k8s/configmap_builder'
+require 'k8s/client'
+require 'cloudformation/client'
+require 'cloudformation/stack'
+require 'log'
+
+module EksCli
+  module K8s
+    class Auth
+
+      def initialize(cluster_name)
+        @cluster_name = cluster_name
+      end
+
+      def update
+        Log.info "updating auth configmap on kubernetes"
+        begin
+          k8s_client.get_config_map("aws-auth", "kube-system")
+          k8s_client.update_config_map(configmap)
+        rescue KubeException => e
+          Log.debug "exception updating configmap: #{e}"
+          k8s_client.create_config_map(configmap)
+        end
+        Log.info "done"
+      end
+
+      private
+      
+      def k8s_client
+        @k8s_client ||= K8s::Client.new(@cluster_name)
+      end
+
+      def client
+        CloudFormation::Client.get(@cluster_name)
+      end
+
+      def arns
+        client
+          .list_stacks(stack_status_filter: ["CREATE_COMPLETE"])
+          .stack_summaries
+          .map(&:stack_id)
+          .map {|id| CloudFormation::Stack.new(@cluster_name, id)}
+          .select {|stack| stack.eks_worker?}
+          .map {|stack| stack.node_instance_role_arn}
+      end
+
+      def configmap
+        ConfigmapBuilder.build(arns)
+      end
+
+    end
+  end
+end

data/lib/eks_cli/k8s/client.rb

@@ -0,0 +1,95 @@
+require 'yaml'
+require 'kubeclient'
+require_relative '../log'
+require_relative '../config'
+
+module EksCli
+  module K8s
+    class Client
+
+      def initialize(cluster_name)
+        @cluster_name = cluster_name
+      end
+
+      def get_elb(service_name, ns = "default")
+        self.get_service(service_name, ns).status.loadBalancer.ingress.first.hostname
+      end
+
+      def enable_gpu
+        self.create_daemon_set(resource_from_yaml("nvidia_device_plugin.yaml"))
+      end
+
+      def set_docker_registry_credentials(user, password, email)
+        Log.info "setting docker registry credentials"
+        Log.info `kubectl config use-context #{config["cluster_arn"]} &&
+         kubectl create secret docker-registry registrykey --docker-server=https://index.docker.io/v1/ --docker-username=#{user} --docker-password=#{password} --docker-email=#{email} &&
+         kubectl --namespace=kube-system create secret docker-registry registrykey --docker-server=https://index.docker.io/v1/ --docker-username=#{user} --docker-password=#{password} --docker-email=#{email}`
+
+        Log.info client.patch_service_account("default", {imagePullSecrets: [{name: "registrykey"}]}, "default")
+        Log.info client.patch_service_account("default", {imagePullSecrets: [{name: "registrykey"}]}, "kube-system")
+      end
+
+      def create_default_storage_class
+        Log.info "creating default storage class"
+        Log.info self.create_storage_class(resource_from_yaml("default_storage_class.yaml"))
+      end
+
+      private
+
+      def resource_from_yaml(filename)
+        yaml = YAML.load_file(File.join($root_dir, "/assets/#{filename}"))
+        Kubeclient::Resource.new(yaml)
+      end
+
+      def method_missing(method, *args, &block)
+        if v1_client.respond_to?(method)
+          v1_client.send(method, *args, &block)
+        elsif apps_client.respond_to?(method)
+          apps_client.send(method, *args, &block)
+        elsif storage_client.respond_to?(method)
+          storage_client.send(method, *args, &block)
+        else
+          raise "unknown method #{method}"
+        end
+      end
+
+      def apps_client
+        @apps_client ||= client("/apis/apps")
+      end
+
+      def v1_client
+        @v1_client ||= client
+      end
+
+      def storage_client
+        @storage_client ||= client("/apis/storage.k8s.io")
+      end
+
+      def client(suffix = "")
+        Kubeclient::Client.new(
+          [context.api_endpoint, suffix].join,
+          context.api_version,
+          ssl_options: context.ssl_options,
+          auth_options: {bearer_token: token})
+      end
+
+      def config
+        @config ||= Config[@cluster_name]
+      end
+
+      def token
+        JSON.parse(`aws-iam-authenticator token -i #{config["cluster_name"]}`)["status"]["token"]
+      end
+
+      def kube_config
+        @kube_config ||= Kubeclient::Config.read("#{ENV['HOME']}/.kube/config")
+      end
+
+      def context
+        kube_config.context(config["cluster_arn"])
+      end
+
+
+    end
+  end
+end

data/lib/eks_cli/k8s/configmap_builder.rb

@@ -0,0 +1,30 @@
+require 'yaml'
+require 'kubeclient'
+
+module EksCli
+  module K8s
+    class ConfigmapBuilder
+      class << self
+        def build(arns)
+          cm = Kubeclient::Resource.new
+          cm.metadata={}
+          cm.metadata.name = "aws-auth"
+          cm.metadata.namespace = "kube-system"
+          cm.data = {}
+          cm.data.mapRoles = map_roles(arns)
+          cm
+        end
+
+        def map_roles(arns)
+          arns.map {|a| map_role(a)}.to_yaml.sub("---\n","")
+        end
+
+        def map_role(stack_arn)
+          {"rolearn" => stack_arn,
+           "username" => "system:node:{{EC2PrivateDNSName}}",
+           "groups" => ["system:bootstrappers", "system:nodes"]}
+        end
+      end
+    end
+  end
+end

data/lib/eks_cli/log.rb

@@ -0,0 +1,26 @@
+require 'logger'
+module EksCli
+  class Log
+    def self.info(str)
+      self.logger.info str
+    end
+
+    def self.error(str)
+      self.logger.error str
+    end
+
+    def self.debug(str)
+      self.logger.debug str
+    end
+
+    def self.warn(str)
+      self.logger.warn str
+    end
+
+    private
+
+    def self.logger
+      @logger ||= Logger.new(STDOUT)
+    end
+  end
+end