@pulumi/eks 2.6.0-alpha.1717448271 → 2.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/authenticationMode.d.ts +24 -0
- package/authenticationMode.js +142 -0
- package/authenticationMode.js.map +1 -0
- package/cluster.d.ts +101 -0
- package/cluster.js +87 -70
- package/cluster.js.map +1 -1
- package/cmd/provider/schema.json +187 -58
- package/index.d.ts +1 -1
- package/index.js +3 -1
- package/index.js.map +1 -1
- package/nodegroup.js +5 -3
- package/nodegroup.js.map +1 -1
- package/package.json +2 -2
- package/package.json.dev +2 -2
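--- /dev/null
+++ b/package/authenticationMode.d.ts
@@ -0,0 +1,24 @@
+import * as aws from "@pulumi/aws";
+import * as pulumi from "@pulumi/pulumi";
+import { AccessEntry, ClusterOptions, RoleMapping, UserMapping } from "./cluster";
+export declare const CONFIG_MAP = "CONFIG_MAP";
+export declare const API_AND_CONFIG_MAP = "API_AND_CONFIG_MAP";
+export declare const API = "API";
+export declare function validateAuthenticationMode(args: ClusterOptions): void;
+export declare function supportsConfigMap(authenticationMode: string | undefined): boolean;
+export declare function supportsAccessEntries(authenticationMode: string | undefined): boolean;
+/**
+* Creates the AWS authentication data for the aws-auth ConfigMap.
+*
+* @param instanceRoles - The instance roles to be mapped.
+* @param roleMappings - The IAM role mappings to be included.
+* @param userMappings - The IAM user mappings to be included.
+* @returns The AWS authentication data for the aws-auth ConfigMap.
+* @throws Error if the IAM role mappings or user mappings are invalid or cannot be serialized to YAML.
+*/
+export declare function createAwsAuthData(instanceRoles: pulumi.Output<aws.iam.Role[]>, roleMappings: pulumi.Input<pulumi.Input<RoleMapping>[]> | undefined, userMappings: pulumi.Input<pulumi.Input<UserMapping>[]> | undefined): pulumi.Input<{
+[key: string]: pulumi.Input<string>;
+}>;
+export declare function createAccessEntries(componentName: string, clusterName: pulumi.Input<string>, accessEntries: {
+[key: string]: AccessEntry;
+}, opts: pulumi.CustomResourceOptions): aws.eks.AccessEntry[];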
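--- /dev/null
+++ b/package/authenticationMode.js
@@ -0,0 +1,142 @@
+"use strict";
+// Copyright 2016-2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAccessEntries = exports.createAwsAuthData = exports.supportsAccessEntries = exports.supportsConfigMap = exports.validateAuthenticationMode = exports.API = exports.API_AND_CONFIG_MAP = exports.CONFIG_MAP = void 0;
+const aws = require("@pulumi/aws");
+const pulumi = require("@pulumi/pulumi");
+const jsyaml = require("js-yaml");
+exports.CONFIG_MAP = "CONFIG_MAP";
+exports.API_AND_CONFIG_MAP = "API_AND_CONFIG_MAP";
+exports.API = "API";
+function validateAuthenticationMode(args) {
+if (args.authenticationMode &&
+args.authenticationMode !== exports.CONFIG_MAP &&
+args.authenticationMode !== exports.API_AND_CONFIG_MAP &&
+args.authenticationMode !== exports.API) {
+throw new Error(`Invalid value for authenticationMode: ${args.authenticationMode}. Allowed values are: ${exports.CONFIG_MAP}, ${exports.API_AND_CONFIG_MAP}, ${exports.API}.`);
+}
+const configMapOnlyProperties = [
+"roleMappings",
+"userMappings",
+"instanceRoles",
+];
+const apiOnlyProperties = ["accessEntries"];
+if (!supportsConfigMap(args.authenticationMode)) {
+configMapOnlyProperties.forEach((prop) => {
+if (args[prop]) {
+throw new Error(`The '${prop}' property is not supported when 'authenticationMode' is set to '${args.authenticationMode}'.`);
+}
+});
+}
+if (!supportsAccessEntries(args.authenticationMode)) {
+apiOnlyProperties.forEach((prop) => {
+if (args[prop]) {
+const errorMsg = args.authenticationMode != null
+? `set to '${args.authenticationMode}'`
+: "not set";
+throw new Error(`The '${prop}' property is not supported when 'authenticationMode' is ${errorMsg}.`);
+}
+});
+}
+}
+exports.validateAuthenticationMode = validateAuthenticationMode;
+function supportsConfigMap(authenticationMode) {
+// If authenticationMode is not provided, it defaults to CONFIG_MAP
+return (!authenticationMode ||
+authenticationMode === exports.CONFIG_MAP ||
+authenticationMode === exports.API_AND_CONFIG_MAP);
+}
+exports.supportsConfigMap = supportsConfigMap;
+function supportsAccessEntries(authenticationMode) {
+return authenticationMode === exports.API || authenticationMode === exports.API_AND_CONFIG_MAP;
+}
+exports.supportsAccessEntries = supportsAccessEntries;
+/**
+* Creates the AWS authentication data for the aws-auth ConfigMap.
+*
+* @param instanceRoles - The instance roles to be mapped.
+* @param roleMappings - The IAM role mappings to be included.
+* @param userMappings - The IAM user mappings to be included.
+* @returns The AWS authentication data for the aws-auth ConfigMap.
+* @throws Error if the IAM role mappings or user mappings are invalid or cannot be serialized to YAML.
+*/
+function createAwsAuthData(instanceRoles, roleMappings, userMappings) {
+const instanceRoleMappings = instanceRoles.apply((roles) => roles.map((role) => createInstanceRoleMapping(role.arn)));
+const mapRoles = pulumi
+.all([pulumi.output(roleMappings || []), instanceRoleMappings])
+.apply(([mappings, instanceMappings]) => {
+let mappingYaml = "";
+try {
+mappingYaml = jsyaml.dump([...mappings, ...instanceMappings].map((m) => ({
+rolearn: m.roleArn,
+username: m.username,
+groups: m.groups,
+})));
+}
+catch (e) {
+throw new Error(`The IAM role mappings provided could not be properly serialized to YAML for the aws-auth ConfigMap`);
+}
+return mappingYaml;
+});
+const nodeAccessData = {
+mapRoles: mapRoles,
+};
+if (userMappings) {
+nodeAccessData.mapUsers = pulumi.output(userMappings).apply((mappings) => {
+let mappingYaml = "";
+try {
+mappingYaml = jsyaml.dump(mappings.map((m) => ({
+userarn: m.userArn,
+username: m.username,
+groups: m.groups,
+})));
+}
+catch (e) {
+throw new Error(`The IAM user mappings provided could not be properly serialized to YAML for the aws-auth ConfigMap`);
+}
+return mappingYaml;
+});
+}
+return nodeAccessData;
+}
+exports.createAwsAuthData = createAwsAuthData;
+function createAccessEntries(componentName, clusterName, accessEntries, opts) {
+return Object.entries(accessEntries).map(([name, accessEntry]) => {
+const entry = new aws.eks.AccessEntry(`${componentName}-${name}`, Object.assign(Object.assign({}, accessEntry), { clusterName, userName: accessEntry.username }), opts);
+Object.entries(accessEntry.accessPolicies || {}).map(([associationName, association]) => {
+const associationOutput = pulumi.output(association);
+const policyAssociation = new aws.eks.AccessPolicyAssociation(`${componentName}-${name}-${associationName}`, {
+accessScope: associationOutput.accessScope,
+principalArn: accessEntry.principalArn,
+policyArn: associationOutput.policyArn,
+clusterName,
+}, Object.assign(Object.assign({}, opts), { parent: entry, dependsOn: [entry] }));
+});
+return entry;
+});
+}
+exports.createAccessEntries = createAccessEntries;
+/**
+* Enable access to the EKS cluster for worker nodes, by creating an
+* instance role mapping to the k8s username and groups of aws-auth.
+*/
+function createInstanceRoleMapping(arn) {
+return {
+roleArn: arn,
+username: "system:node:{{EC2PrivateDNSName}}",
+groups: ["system:bootstrappers", "system:nodes"],
+};
+}
+//# sourceMappingURL=authenticationMode.js.map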
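Review bot: The two `catch (e)` blocks in `createAwsAuthData` (new lines 88–90 and 106–108) discard the js-yaml error entirely, so a rejected mapping surfaces only as the generic message with no hint of which entry or field could not be serialized. Keep the cause in the message, e.g. `throw new Error(\`The IAM role mappings provided could not be properly serialized to YAML for the aws-auth ConfigMap: ${e instanceof Error ? e.message : String(e)}\`);` and the same for the user-mapping branch. In `createAccessEntries`, the `Object.entries(accessEntry.accessPolicies || {}).map(...)` at line 118 runs purely for its side effects and `policyAssociation` is never read, so `forEach` states the intent better, and the `parent: entry, dependsOn: [entry]` on line 125 deserves a one-line comment such as `// Associations are children of the entry so they are created after it and torn down before it.`. Spreading the whole user-supplied `accessEntry` into the `aws.eks.AccessEntry` args on line 117 also forwards `accessPolicies` and `username` as unknown inputs; passing `principalArn`, `kubernetesGroups`, `tags` and `type` explicitly would make the resource's input surface obvious to a reader.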
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"authenticationMode.js","sourceRoot":"","sources":["../authenticationMode.ts"],"names":[],"mappings":";AAAA,2CAA2C;AAC3C,EAAE;AACF,kEAAkE;AAClE,mEAAmE;AACnE,0CAA0C;AAC1C,EAAE;AACF,iDAAiD;AACjD,EAAE;AACF,sEAAsE;AACtE,oEAAoE;AACpE,2EAA2E;AAC3E,sEAAsE;AACtE,iCAAiC;;;AAEjC,mCAAmC;AACnC,yCAAyC;AAEzC,kCAAkC;AAGrB,QAAA,UAAU,GAAG,YAAY,CAAC;AAC1B,QAAA,kBAAkB,GAAG,oBAAoB,CAAC;AAC1C,QAAA,GAAG,GAAG,KAAK,CAAC;AAEzB,SAAgB,0BAA0B,CAAC,IAAoB;IAC3D,IACI,IAAI,CAAC,kBAAkB;QACvB,IAAI,CAAC,kBAAkB,KAAK,kBAAU;QACtC,IAAI,CAAC,kBAAkB,KAAK,0BAAkB;QAC9C,IAAI,CAAC,kBAAkB,KAAK,WAAG,EACjC;QACE,MAAM,IAAI,KAAK,CACX,yCAAyC,IAAI,CAAC,kBAAkB,yBAAyB,kBAAU,KAAK,0BAAkB,KAAK,WAAG,GAAG,CACxI,CAAC;KACL;IAED,MAAM,uBAAuB,GAA6B;QACtD,cAAc;QACd,cAAc;QACd,eAAe;KAClB,CAAC;IACF,MAAM,iBAAiB,GAA6B,CAAC,eAAe,CAAC,CAAC;IAEtE,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAAE;QAC7C,uBAAuB,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YACrC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE;gBACZ,MAAM,IAAI,KAAK,CACX,QAAQ,IAAI,oEAAoE,IAAI,CAAC,kBAAkB,IAAI,CAC9G,CAAC;aACL;QACL,CAAC,CAAC,CAAC;KACN;IAED,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAAE;QACjD,iBAAiB,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YAC/B,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE;gBACZ,MAAM,QAAQ,GACV,IAAI,CAAC,kBAAkB,IAAI,IAAI;oBAC3B,CAAC,CAAC,WAAW,IAAI,CAAC,kBAAkB,GAAG;oBACvC,CAAC,CAAC,SAAS,CAAC;gBACpB,MAAM,IAAI,KAAK,CACX,QAAQ,IAAI,4DAA4D,QAAQ,GAAG,CACtF,CAAC;aACL;QACL,CAAC,CAAC,CAAC;KACN;AACL,CAAC;AA1CD,gEA0CC;AAED,SAAgB,iBAAiB,CAAC,kBAAsC;IACpE,mEAAmE;IACnE,OAAO,CACH,CAAC,kBAAkB;QACnB,kBAAkB,KAAK,kBAAU;QACjC,kBAAkB,KAAK,0BAAkB,CAC5C,CAAC;AACN,CAAC;AAPD,8CAOC;AAED,SAAgB,qBAAqB,CAAC,kBAAsC;IACxE,OAAO,kBAAkB,KAAK,WAAG,IAAI,kBAAkB,KAAK,0BAAkB,CAAC;AACnF,CAAC;AAFD,sDAEC;AAED;;;;;;;;GAQG;AACH,SAAgB,iBAAiB,CAC7B,aAA4C,EAC5C,YAAmE,EACnE,YAAmE;IAEnE,MAAM,oBAAoB,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CACvD,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,yBAAyB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAC3D,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM;SAClB,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,E
AAE,oBAAoB,CAAC,CAAC;SAC9D,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,gBAAgB,CAAC,EAAE,EAAE;QACpC,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI;YACA,WAAW,GAAG,MAAM,CAAC,IAAI,CACrB,CAAC,GAAG,QAAQ,EAAE,GAAG,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC3C,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,MAAM,EAAE,CAAC,CAAC,MAAM;aACnB,CAAC,CAAC,CACN,CAAC;SACL;QAAC,OAAO,CAAC,EAAE;YACR,MAAM,IAAI,KAAK,CACX,oGAAoG,CACvG,CAAC;SACL;QACD,OAAO,WAAW,CAAC;IACvB,CAAC,CAAC,CAAC;IAEP,MAAM,cAAc,GAAQ;QACxB,QAAQ,EAAE,QAAQ;KACrB,CAAC;IACF,IAAI,YAAY,EAAE;QACd,cAAc,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,EAAE;YACrE,IAAI,WAAW,GAAG,EAAE,CAAC;YACrB,IAAI;gBACA,WAAW,GAAG,MAAM,CAAC,IAAI,CACrB,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACjB,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,MAAM,EAAE,CAAC,CAAC,MAAM;iBACnB,CAAC,CAAC,CACN,CAAC;aACL;YAAC,OAAO,CAAC,EAAE;gBACR,MAAM,IAAI,KAAK,CACX,oGAAoG,CACvG,CAAC;aACL;YACD,OAAO,WAAW,CAAC;QACvB,CAAC,CAAC,CAAC;KACN;IACD,OAAO,cAAc,CAAC;AAC1B,CAAC;AApDD,8CAoDC;AAED,SAAgB,mBAAmB,CAC/B,aAAqB,EACrB,WAAiC,EACjC,aAA6C,EAC7C,IAAkC;IAElC,OAAO,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,WAAW,CAAC,EAAE,EAAE;QAC7D,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,WAAW,CACjC,GAAG,aAAa,IAAI,IAAI,EAAE,kCAEnB,WAAW,KACd,WAAW,EACX,QAAQ,EAAE,WAAW,CAAC,QAAQ,KAElC,IAAI,CACP,CAAC;QAEF,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,eAAe,EAAE,WAAW,CAAC,EAAE,EAAE;YACpF,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YACrD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,uBAAuB,CACzD,GAAG,aAAa,IAAI,IAAI,IAAI,eAAe,EAAE,EAC7C;gBACI,WAAW,EAAE,iBAAiB,CAAC,WAAW;gBAC1C,YAAY,EAAE,WAAW,CAAC,YAAY;gBACtC,SAAS,EAAE,iBAAiB,CAAC,SAAS;gBACtC,WAAW;aACd,kCAEM,IAAI,KACP,MAAM,EAAE,KAAK,EACb,SAAS,EAAE,CAAC,KAAK,CAAC,IAEzB,CAAC;QACN,CAAC,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACjB,CAAC,CAAC,CAAC;AACP,CAAC;AArCD,kDAqCC;AAED;;;GAGG;AACH,SAAS,yBAAyB,CAAC,GAAyB;IACxD,OAAO;QACH,OAAO,EAAE,GAAG;QACZ,QAAQ,EAAE,mC
AAmC;QAC7C,MAAM,EAAE,CAAC,sBAAsB,EAAE,cAAc,CAAC;KACnD,CAAC;AACN,CAAC"}
|
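--- a/package/cluster.d.ts
+++ b/package/cluster.d.ts
@@ -107,6 +107,7 @@ export interface CoreData {
 oidcProvider?: aws.iam.OpenIdConnectProvider;
 encryptionConfig?: pulumi.Output<aws.types.output.eks.ClusterEncryptionConfig>;
 clusterIamRole: pulumi.Output<aws.iam.Role>;
+accessEntries?: pulumi.Output<aws.eks.AccessEntry[]>;
 }
 export interface ClusterCreationRoleProviderOptions {
 region?: pulumi.Input<aws.Region>;
@@ -231,10 +232,12 @@ export interface ClusterOptions {
 nodeAssociatePublicIpAddress?: boolean;
 /**
 * Optional mappings from AWS IAM roles to Kubernetes users and groups.
+* Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
 */
 roleMappings?: pulumi.Input<pulumi.Input<RoleMapping>[]>;
 /**
 * Optional mappings from AWS IAM users to Kubernetes users and groups.
+* Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
 */
 userMappings?: pulumi.Input<pulumi.Input<UserMapping>[]>;
 /**
@@ -274,6 +277,7 @@ export interface ClusterOptions {
 /**
 * This enables the advanced case of registering *many* IAM instance roles
 * with the cluster for per node group IAM, instead of the simpler, shared case of `instanceRole`.
+* Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
 *
 * Note: options `instanceRole` and `instanceRoles` are mutually exclusive.
 */
@@ -541,6 +545,20 @@ export interface ClusterOptions {
 * a new cluster to be created.
 */
 ipFamily?: pulumi.Input<string>;
+/**
+* The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
+* See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
+*/
+authenticationMode?: AuthenticationMode;
+/**
+* Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster.
+* Access entries are only supported with authentication mode `API` or `API_AND_CONFIG_MAP`.
+*
+* See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
+*/
+accessEntries?: {
+[key: string]: AccessEntry;
+};
 }
 /**
 * FargateProfile defines how Kubernetes pods are executed in Fargate. See
@@ -568,6 +586,89 @@ export interface FargateProfile {
 */
 export interface ClusterNodeGroupOptions extends NodeGroupBaseOptions {
 }
+export interface AccessEntry {
+/**
+* The IAM Principal ARN which requires Authentication access to the EKS cluster.
+*/
+principalArn: pulumi.Input<string>;
+/**
+* Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.
+*/
+username?: pulumi.Input<string>;
+/**
+* A list of groups within Kubernetes to which the IAM principal is mapped to.
+*/
+kubernetesGroups?: pulumi.Input<pulumi.Input<string>[]>;
+/**
+* The access policies to associate to the access entry.
+*/
+accessPolicies?: {
+[key: string]: pulumi.Input<AccessPolicyAssociation>;
+};
+/**
+* The tags to apply to the AccessEntry.
+*/
+tags?: InputTags;
+/**
+* The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS.
+*
+* Defaults to STANDARD which provides the standard workflow. EC2_LINUX and EC2_WINDOWS types disallow users
+* to input a kubernetesGroup, and prevent associating access policies..
+*/
+type?: pulumi.Input<AccessEntryType>;
+}
+export interface AccessPolicyAssociation {
+/**
+* The ARN of the access policy to associate with the principal
+*/
+policyArn: pulumi.Input<string>;
+/**
+* The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace.
+*/
+accessScope: aws.types.input.eks.AccessPolicyAssociationAccessScope;
+}
+export declare const AuthenticationMode: {
+/**
+* Only Access Entries will be used for authenticating to the Kubernetes API.
+*/
+readonly API: "API";
+/**
+* Only aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
+*/
+readonly CONFIG_MAP: "CONFIG_MAP";
+/**
+* Both aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
+*/
+readonly API_AND_CONFIG_MAP: "API_AND_CONFIG_MAP";
+};
+/**
+* The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
+* See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
+*/
+export type AuthenticationMode = (typeof AuthenticationMode)[keyof typeof AuthenticationMode];
+export declare const AccessEntryType: {
+/**
+* Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
+*/
+readonly STANDARD: "STANDARD";
+/**
+* For IAM roles used with AWS Fargate profiles.
+*/
+readonly FARGATE_LINUX: "FARGATE_LINUX";
+/**
+* For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
+*/
+readonly EC2_LINUX: "EC2_LINUX";
+/**
+* For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
+*/
+readonly EC2_WINDOWS: "EC2_WINDOWS";
+};
+/**
+* The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
+* See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
+*/
+export type AccessEntryType = (typeof AccessEntryType)[keyof typeof AccessEntryType];
 /**
 * Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker
 * nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.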
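Review bot: The TSDoc on `export type AccessEntryType` (new lines 667–670) is a copy of the `AuthenticationMode` comment and documents the wrong thing: it says "The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`", which editors will surface on every access entry `type:` field. Replace it with `/** The type of an access entry. Valid values are \`STANDARD\`, \`FARGATE_LINUX\`, \`EC2_LINUX\` or \`EC2_WINDOWS\`. See https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html */`. The comments on lines 550, 557, 646 and 669 also carry a literal `\n` inside "See for more details:\nhttps://…", which shows up as backslash-n rather than a line break, and "access policies.." on line 616 has a doubled period. Since this file is compiled output, the fix belongs in the `cluster.ts` it is generated from.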
package/cluster.js
CHANGED
|
@@ -22,7 +22,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
22
22
|
});
|
|
23
23
|
};
|
|
24
24
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
25
|
-
exports.ClusterInternal = exports.createCluster = exports.Cluster = exports.createCore = exports.getRoleProvider = exports.ClusterCreationRoleProvider = exports.generateKubeconfig = void 0;
|
|
25
|
+
exports.ClusterInternal = exports.createCluster = exports.Cluster = exports.AccessEntryType = exports.AuthenticationMode = exports.createCore = exports.getRoleProvider = exports.ClusterCreationRoleProvider = exports.generateKubeconfig = void 0;
|
|
26
26
|
const aws = require("@pulumi/aws");
|
|
27
27
|
const k8s = require("@pulumi/kubernetes");
|
|
28
28
|
const pulumi = require("@pulumi/pulumi");
|
|
@@ -30,10 +30,10 @@ const childProcess = require("child_process");
|
|
|
30
30
|
const fs = require("fs");
|
|
31
31
|
const https = require("https");
|
|
32
32
|
const HttpsProxyAgent = require("https-proxy-agent");
|
|
33
|
-
const jsyaml = require("js-yaml");
|
|
34
33
|
const process = require("process");
|
|
35
34
|
const tmp = require("tmp");
|
|
36
35
|
const url = require("url");
|
|
36
|
+
const authenticationMode_1 = require("./authenticationMode");
|
|
37
37
|
const cert_thumprint_1 = require("./cert-thumprint");
|
|
38
38
|
const cni_1 = require("./cni");
|
|
39
39
|
const dashboard_1 = require("./dashboard");
|
|
@@ -206,6 +206,7 @@ function createCore(name, args, parent, provider) {
|
|
|
206
206
|
// Check to ensure that a compatible kubectl is installed, as we'll need it in order to deploy
|
|
207
207
|
// k8s resources later.
|
|
208
208
|
(0, dependencies_1.assertCompatibleKubectlVersionExists)();
|
|
209
|
+
(0, authenticationMode_1.validateAuthenticationMode)(args);
|
|
209
210
|
if (args.instanceRole && args.instanceRoles) {
|
|
210
211
|
throw new Error("instanceRole and instanceRoles are mutually exclusive, and cannot both be set.");
|
|
211
212
|
}
|
|
@@ -346,6 +347,15 @@ function createCore(name, args, parent, provider) {
|
|
|
346
347
|
tags: pulumi.all([args.tags, args.clusterTags]).apply(([tags, clusterTags]) => (Object.assign(Object.assign({ Name: `${name}-eksCluster` }, clusterTags), tags))),
|
|
347
348
|
encryptionConfig,
|
|
348
349
|
kubernetesNetworkConfig,
|
|
350
|
+
accessConfig: args.authenticationMode
|
|
351
|
+
? {
|
|
352
|
+
authenticationMode: args.authenticationMode,
|
|
353
|
+
// Explicitely grants the principal creating the cluster admin access to the cluster.
|
|
354
|
+
// This is the default behavior of EKS when no accessConfig is provided.
|
|
355
|
+
// It is required for this component because it deploys charts to the cluster.
|
|
356
|
+
bootstrapClusterCreatorAdminPermissions: true,
|
|
357
|
+
}
|
|
358
|
+
: undefined,
|
|
349
359
|
}, {
|
|
350
360
|
parent,
|
|
351
361
|
provider: args.creationRoleProvider ? args.creationRoleProvider.provider : provider,
|
|
@@ -450,13 +460,10 @@ function createCore(name, args, parent, provider) {
|
|
|
450
460
|
if (!args.useDefaultVpcCni) {
|
|
451
461
|
vpcCni = new cni_1.VpcCni(`${name}-vpc-cni`, kubeconfig.apply(JSON.stringify), args.vpcCniOptions, { parent });
|
|
452
462
|
}
|
|
453
|
-
let instanceRoleMappings;
|
|
454
463
|
let instanceRoles;
|
|
464
|
+
let defaultInstanceRole;
|
|
455
465
|
// Create role mappings of the instance roles specified for aws-auth.
|
|
456
466
|
if (args.instanceRoles) {
|
|
457
|
-
instanceRoleMappings = pulumi
|
|
458
|
-
.output(args.instanceRoles)
|
|
459
|
-
.apply((roles) => roles.map((role) => createInstanceRoleMapping(role.arn)));
|
|
460
467
|
instanceRoles = pulumi.output(args.instanceRoles);
|
|
461
468
|
}
|
|
462
469
|
else if (args.instanceRole) {
|
|
@@ -464,10 +471,8 @@ function createCore(name, args, parent, provider) {
|
|
|
464
471
|
if (!skipDefaultNodeGroup) {
|
|
465
472
|
nodeGroupOptions.instanceProfile = createOrGetInstanceProfile(name, parent, args.instanceRole, args.instanceProfileName);
|
|
466
473
|
}
|
|
467
|
-
instanceRoleMappings = pulumi
|
|
468
|
-
.output(args.instanceRole)
|
|
469
|
-
.apply((instanceRole) => [createInstanceRoleMapping(instanceRole.arn)]);
|
|
470
474
|
instanceRoles = pulumi.output([args.instanceRole]);
|
|
475
|
+
defaultInstanceRole = pulumi.output(args.instanceRole);
|
|
471
476
|
}
|
|
472
477
|
else {
|
|
473
478
|
const instanceRole = new servicerole_1.ServiceRole(`${name}-instanceRole`, {
|
|
@@ -487,6 +492,7 @@ function createCore(name, args, parent, provider) {
|
|
|
487
492
|
},
|
|
488
493
|
],
|
|
489
494
|
}, { parent, provider }).role;
|
|
495
|
+
defaultInstanceRole = instanceRole;
|
|
490
496
|
instanceRoles = pulumi.output([instanceRole]);
|
|
491
497
|
// Create a new policy for the role, if specified.
|
|
492
498
|
if (args.customInstanceRolePolicy) {
|
|
@@ -500,57 +506,44 @@ function createCore(name, args, parent, provider) {
|
|
|
500
506
|
if (!skipDefaultNodeGroup) {
|
|
501
507
|
nodeGroupOptions.instanceProfile = createOrGetInstanceProfile(name, parent, instanceRole, args.instanceProfileName);
|
|
502
508
|
}
|
|
503
|
-
instanceRoleMappings = pulumi
|
|
504
|
-
.output(instanceRole)
|
|
505
|
-
.apply((role) => [createInstanceRoleMapping(role.arn)]);
|
|
506
|
-
}
|
|
507
|
-
const roleMappings = pulumi
|
|
508
|
-
.all([pulumi.output(args.roleMappings || []), instanceRoleMappings])
|
|
509
|
-
.apply(([mappings, instanceMappings]) => {
|
|
510
|
-
let mappingYaml = "";
|
|
511
|
-
try {
|
|
512
|
-
mappingYaml = jsyaml.dump([...mappings, ...instanceMappings].map((m) => ({
|
|
513
|
-
rolearn: m.roleArn,
|
|
514
|
-
username: m.username,
|
|
515
|
-
groups: m.groups,
|
|
516
|
-
})));
|
|
517
|
-
}
|
|
518
|
-
catch (e) {
|
|
519
|
-
throw new Error(`The IAM role mappings provided could not be properly serialized to YAML for the aws-auth ConfigMap`);
|
|
520
|
-
}
|
|
521
|
-
return mappingYaml;
|
|
522
|
-
});
|
|
523
|
-
const nodeAccessData = {
|
|
524
|
-
mapRoles: roleMappings,
|
|
525
|
-
};
|
|
526
|
-
if (args.userMappings) {
|
|
527
|
-
nodeAccessData.mapUsers = pulumi.output(args.userMappings).apply((mappings) => {
|
|
528
|
-
let mappingYaml = "";
|
|
529
|
-
try {
|
|
530
|
-
mappingYaml = jsyaml.dump(mappings.map((m) => ({
|
|
531
|
-
userarn: m.userArn,
|
|
532
|
-
username: m.username,
|
|
533
|
-
groups: m.groups,
|
|
534
|
-
})));
|
|
535
|
-
}
|
|
536
|
-
catch (e) {
|
|
537
|
-
throw new Error(`The IAM user mappings provided could not be properly serialized to YAML for the aws-auth ConfigMap`);
|
|
538
|
-
}
|
|
539
|
-
return mappingYaml;
|
|
540
|
-
});
|
|
541
509
|
}
|
|
542
|
-
|
|
543
|
-
|
|
544
|
-
|
|
545
|
-
|
|
546
|
-
|
|
547
|
-
|
|
548
|
-
|
|
549
|
-
|
|
510
|
+
let eksNodeAccess = undefined;
|
|
511
|
+
if ((0, authenticationMode_1.supportsConfigMap)(args.authenticationMode)) {
|
|
512
|
+
// Create the aws-auth ConfigMap if the authentication mode supports it. This maps instance roles, regular IAM roles, and IAM users to
|
|
513
|
+
// Kubernetes RBAC users and groups.
|
|
514
|
+
const nodeAccessData = (0, authenticationMode_1.createAwsAuthData)(instanceRoles, args.roleMappings, args.userMappings);
|
|
515
|
+
eksNodeAccess = new k8s.core.v1.ConfigMap(`${name}-nodeAccess`, {
|
|
516
|
+
apiVersion: "v1",
|
|
517
|
+
immutable: false,
|
|
518
|
+
metadata: {
|
|
519
|
+
name: `aws-auth`,
|
|
520
|
+
namespace: "kube-system",
|
|
521
|
+
annotations: {
|
|
522
|
+
"pulumi.com/patchForce": "true",
|
|
523
|
+
},
|
|
550
524
|
},
|
|
551
|
-
|
|
552
|
-
|
|
553
|
-
}
|
|
525
|
+
data: nodeAccessData,
|
|
526
|
+
}, { parent, provider: k8sProvider });
|
|
527
|
+
}
|
|
528
|
+
// Create the access entries if the authentication mode supports it.
|
|
529
|
+
let accessEntries = undefined;
|
|
530
|
+
if ((0, authenticationMode_1.supportsAccessEntries)(args.authenticationMode)) {
|
|
531
|
+
let createdAccessEntries = [];
|
|
532
|
+
// This additionally maps the defaultInstanceRole to a EC2_LINUX access entry which allows the nodes to register & communicate with the EKS control plane.
|
|
533
|
+
if (defaultInstanceRole) {
|
|
534
|
+
createdAccessEntries = (0, authenticationMode_1.createAccessEntries)(name, eksCluster.name, {
|
|
535
|
+
defaultNodeGroupInstanceRole: {
|
|
536
|
+
principalArn: defaultInstanceRole.arn,
|
|
537
|
+
type: exports.AccessEntryType.EC2_LINUX,
|
|
538
|
+
},
|
|
539
|
+
}, { parent, provider });
|
|
540
|
+
}
|
|
541
|
+
createdAccessEntries = createdAccessEntries.concat((0, authenticationMode_1.createAccessEntries)(name, eksCluster.name, args.accessEntries || {}, {
|
|
542
|
+
parent,
|
|
543
|
+
provider,
|
|
544
|
+
}));
|
|
545
|
+
accessEntries = pulumi.output(createdAccessEntries);
|
|
546
|
+
}
|
|
554
547
|
const fargateProfile = pulumi
|
|
555
548
|
.output(args.fargate)
|
|
556
549
|
.apply((argsFargate) => {
|
|
@@ -597,7 +590,7 @@ function createCore(name, args, parent, provider) {
|
|
|
597
590
|
return (0, nodegroup_1.computeWorkerSubnets)(parent, subnets);
|
|
598
591
|
}
|
|
599
592
|
}),
|
|
600
|
-
}, { parent, dependsOn: [eksNodeAccess], provider });
|
|
593
|
+
}, { parent, dependsOn: eksNodeAccess ? [eksNodeAccess] : undefined, provider });
|
|
601
594
|
// Once the FargateProfile has been created, try to patch/remove the CoreDNS computeType annotation. See
|
|
602
595
|
// https://docs.aws.amazon.com/eks/latest/userguide/fargate-getting-started.html#fargate-gs-coredns.
|
|
603
596
|
pulumi.all([result.id, selectors, kubeconfig]).apply(([_, sels, kconfig]) => {
|
|
@@ -680,20 +673,10 @@ function createCore(name, args, parent, provider) {
|
|
|
680
673
|
oidcProvider: oidcProvider,
|
|
681
674
|
encryptionConfig: encryptionConfig,
|
|
682
675
|
clusterIamRole: eksRole,
|
|
676
|
+
accessEntries: accessEntries,
|
|
683
677
|
};
|
|
684
678
|
}
|
|
685
679
|
exports.createCore = createCore;
|
|
686
|
-
/**
|
|
687
|
-
* Enable access to the EKS cluster for worker nodes, by creating an
|
|
688
|
-
* instance role mapping to the k8s username and groups of aws-auth.
|
|
689
|
-
*/
|
|
690
|
-
function createInstanceRoleMapping(arn) {
|
|
691
|
-
return {
|
|
692
|
-
roleArn: arn,
|
|
693
|
-
username: "system:node:{{EC2PrivateDNSName}}",
|
|
694
|
-
groups: ["system:bootstrappers", "system:nodes"],
|
|
695
|
-
};
|
|
696
|
-
}
|
|
697
680
|
/**
|
|
698
681
|
* Create an HTTP Agent for use with HTTP(S) requests.
|
|
699
682
|
* Using a proxy is supported.
|
|
@@ -732,6 +715,40 @@ function createHttpAgent(proxy) {
|
|
|
732
715
|
maxCachedSessions: 0,
|
|
733
716
|
});
|
|
734
717
|
}
|
|
718
|
+
/* tslint:disable-next-line */ // Generating the enum object for AuthenticationMode like codegen does
|
|
719
|
+
exports.AuthenticationMode = {
|
|
720
|
+
/**
|
|
721
|
+
* Only Access Entries will be used for authenticating to the Kubernetes API.
|
|
722
|
+
*/
|
|
723
|
+
API: "API",
|
|
724
|
+
/**
|
|
725
|
+
* Only aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
|
|
726
|
+
*/
|
|
727
|
+
CONFIG_MAP: "CONFIG_MAP",
|
|
728
|
+
/**
|
|
729
|
+
* Both aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
|
|
730
|
+
*/
|
|
731
|
+
API_AND_CONFIG_MAP: "API_AND_CONFIG_MAP",
|
|
732
|
+
};
|
|
733
|
+
/* tslint:disable-next-line */ // Generating the enum object for AccessEntryType like codegen does
|
|
734
|
+
exports.AccessEntryType = {
|
|
735
|
+
/**
|
|
736
|
+
* Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
|
|
737
|
+
*/
|
|
738
|
+
STANDARD: "STANDARD",
|
|
739
|
+
/**
|
|
740
|
+
* For IAM roles used with AWS Fargate profiles.
|
|
741
|
+
*/
|
|
742
|
+
FARGATE_LINUX: "FARGATE_LINUX",
|
|
743
|
+
/**
|
|
744
|
+
* For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
|
|
745
|
+
*/
|
|
746
|
+
EC2_LINUX: "EC2_LINUX",
|
|
747
|
+
/**
|
|
748
|
+
* For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
|
|
749
|
+
*/
|
|
750
|
+
EC2_WINDOWS: "EC2_WINDOWS",
|
|
751
|
+
};
|
|
735
752
|
/**
|
|
736
753
|
* Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker
|
|
737
754
|
* nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.
|
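Review bot: In the access-entry branch of `createCore` (new lines 530–546) the built-in node entry is registered under the fixed key `defaultNodeGroupInstanceRole`, and the user's `args.accessEntries` are then created through the same `createAccessEntries(name, …)` call, so a user entry with that key yields two resources with the identical name `${name}-defaultNodeGroupInstanceRole`; Pulumi should reject the duplicate URN, but only at deploy time rather than from `validateAuthenticationMode`. Reject the collision before creating anything, e.g. at the top of that branch: `if (args.accessEntries && "defaultNodeGroupInstanceRole" in args.accessEntries) { throw new Error("The access entry name 'defaultNodeGroupInstanceRole' is reserved for the default node group instance role."); }`. The comment at lines 353–356 should also say that `bootstrapClusterCreatorAdminPermissions: true` gives the principal running the deployment (often a CI role) standing cluster-admin rights on the cluster, so that identity is the one to keep least-privileged, and "Explicitely" on line 353 should read "Explicitly". `createCore` starts and ends outside these hunks.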