@pulumi/eks 2.8.1 → 2.9.0-alpha.1727304793
- package/addon.d.ts +61 -13
- package/addon.js +45 -18
- package/addon.js.map +1 -1
- package/cluster.d.ts +291 -585
- package/cluster.js +120 -947
- package/cluster.js.map +1 -1
- package/clusterCreationRoleProvider.d.ts +28 -0
- package/clusterCreationRoleProvider.js +47 -0
- package/clusterCreationRoleProvider.js.map +1 -0
- package/clusterMixins.d.ts +71 -0
- package/clusterMixins.js +107 -0
- package/clusterMixins.js.map +1 -0
- package/index.d.ts +31 -7
- package/index.js +80 -34
- package/index.js.map +1 -1
- package/managedNodeGroup.d.ts +221 -0
- package/managedNodeGroup.js +81 -0
- package/managedNodeGroup.js.map +1 -0
- package/nodeGroup.d.ts +273 -0
- package/nodeGroup.js +93 -0
- package/nodeGroup.js.map +1 -0
- package/nodeGroupSecurityGroup.d.ts +51 -0
- package/nodeGroupSecurityGroup.js +60 -0
- package/nodeGroupSecurityGroup.js.map +1 -0
- package/nodeGroupV2.d.ts +280 -0
- package/nodeGroupV2.js +90 -0
- package/nodeGroupV2.js.map +1 -0
- package/nodegroupMixins.d.ts +203 -0
- package/{securitygroup.js → nodegroupMixins.js} +25 -36
- package/nodegroupMixins.js.map +1 -0
- package/package.json +8 -36
- package/provider.d.ts +21 -0
- package/provider.js +38 -0
- package/provider.js.map +1 -0
- package/{storageclass.js → storageclassMixins.js} +1 -14
- package/storageclassMixins.js.map +1 -0
- package/types/enums/index.d.ts +170 -0
- package/types/enums/index.js +145 -0
- package/types/enums/index.js.map +1 -0
- package/types/index.d.ts +4 -0
- package/types/index.js +13 -0
- package/types/index.js.map +1 -0
- package/types/input.d.ts +745 -0
- package/types/input.js +30 -0
- package/types/input.js.map +1 -0
- package/types/output.d.ts +422 -0
- package/types/output.js +5 -0
- package/types/output.js.map +1 -0
- package/utilities.d.ts +8 -1
- package/utilities.js +90 -17
- package/utilities.js.map +1 -1
- package/vpcCniAddon.d.ts +175 -0
- package/vpcCniAddon.js +88 -0
- package/vpcCniAddon.js.map +1 -0
- package/LICENSE +0 -202
- package/README.md +0 -77
- package/authenticationMode.d.ts +0 -24
- package/authenticationMode.js +0 -172
- package/authenticationMode.js.map +0 -1
- package/authenticationMode.test.d.ts +0 -1
- package/authenticationMode.test.js +0 -208
- package/authenticationMode.test.js.map +0 -1
- package/cert-thumprint.d.ts +0 -16
- package/cert-thumprint.js +0 -113
- package/cert-thumprint.js.map +0 -1
- package/cmd/provider/addon.d.ts +0 -1
- package/cmd/provider/addon.js +0 -40
- package/cmd/provider/addon.js.map +0 -1
- package/cmd/provider/cluster.d.ts +0 -1
- package/cmd/provider/cluster.js +0 -71
- package/cmd/provider/cluster.js.map +0 -1
- package/cmd/provider/cni.d.ts +0 -2
- package/cmd/provider/cni.js +0 -291
- package/cmd/provider/cni.js.map +0 -1
- package/cmd/provider/index.d.ts +0 -1
- package/cmd/provider/index.js +0 -171
- package/cmd/provider/index.js.map +0 -1
- package/cmd/provider/nodegroup.d.ts +0 -1
- package/cmd/provider/nodegroup.js +0 -89
- package/cmd/provider/nodegroup.js.map +0 -1
- package/cmd/provider/randomSuffix.d.ts +0 -1
- package/cmd/provider/randomSuffix.js +0 -52
- package/cmd/provider/randomSuffix.js.map +0 -1
- package/cmd/provider/schema.json +0 -1909
- package/cmd/provider/securitygroup.d.ts +0 -1
- package/cmd/provider/securitygroup.js +0 -41
- package/cmd/provider/securitygroup.js.map +0 -1
- package/cni/README.md +0 -6
- package/cni/aws-k8s-cni.yaml +0 -602
- package/cni.d.ts +0 -177
- package/cni.js +0 -64
- package/cni.js.map +0 -1
- package/dashboard/heapster-rbac.yaml +0 -12
- package/dashboard/heapster.yaml +0 -46
- package/dashboard/influxdb.yaml +0 -40
- package/dashboard/kubernetes-dashboard.yaml +0 -167
- package/dashboard.d.ts +0 -5
- package/dashboard.js +0 -58
- package/dashboard.js.map +0 -1
- package/dependencies.d.ts +0 -2
- package/dependencies.js +0 -81
- package/dependencies.js.map +0 -1
- package/dependencies.test.d.ts +0 -1
- package/dependencies.test.js +0 -133
- package/dependencies.test.js.map +0 -1
- package/nodegroup.d.ts +0 -515
- package/nodegroup.js +0 -1152
- package/nodegroup.js.map +0 -1
- package/nodegroup.test.d.ts +0 -1
- package/nodegroup.test.js +0 -336
- package/nodegroup.test.js.map +0 -1
- package/package.json.dev +0 -67
- package/randomSuffix.d.ts +0 -1
- package/randomSuffix.js +0 -51
- package/randomSuffix.js.map +0 -1
- package/securitygroup.d.ts +0 -52
- package/securitygroup.js.map +0 -1
- package/servicerole.d.ts +0 -43
- package/servicerole.js +0 -72
- package/servicerole.js.map +0 -1
- package/storageclass.js.map +0 -1
- package/utils.d.ts +0 -23
- package/utils.js +0 -16
- package/utils.js.map +0 -1
- /package/{storageclass.d.ts → storageclassMixins.d.ts} +0 -0
package/cluster.d.ts
CHANGED
|
@@ -1,489 +1,352 @@
|
|
|
1
|
-
import * as aws from "@pulumi/aws";
|
|
2
|
-
import * as k8s from "@pulumi/kubernetes";
|
|
3
1
|
import * as pulumi from "@pulumi/pulumi";
|
|
4
|
-
import
|
|
5
|
-
import
|
|
6
|
-
import
|
|
7
|
-
import
|
|
2
|
+
import * as inputs from "./types/input";
|
|
3
|
+
import * as outputs from "./types/output";
|
|
4
|
+
import * as enums from "./types/enums";
|
|
5
|
+
import * as pulumiAws from "@pulumi/aws";
|
|
8
6
|
/**
|
|
9
|
-
*
|
|
7
|
+
* Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.
|
|
8
|
+
*
|
|
9
|
+
* ## Example Usage
|
|
10
|
+
*
|
|
11
|
+
* ### Provisioning a New EKS Cluster
|
|
12
|
+
*
|
|
13
|
+
* <!--Start PulumiCodeChooser -->
|
|
14
|
+
* ```typescript
|
|
15
|
+
* import * as pulumi from "@pulumi/pulumi";
|
|
16
|
+
* import * as eks from "@pulumi/eks";
|
|
17
|
+
*
|
|
18
|
+
* // Create an EKS cluster with the default configuration.
|
|
19
|
+
* const cluster = new eks.Cluster("cluster", {});
|
|
20
|
+
*
|
|
21
|
+
* // Export the cluster's kubeconfig.
|
|
22
|
+
* export const kubeconfig = cluster.kubeconfig;
|
|
23
|
+
* ```
|
|
24
|
+
* <!--End PulumiCodeChooser -->
|
|
10
25
|
*/
|
|
11
|
-
export
|
|
26
|
+
export declare class Cluster extends pulumi.ComponentResource {
|
|
12
27
|
/**
|
|
13
|
-
*
|
|
28
|
+
* Returns true if the given object is an instance of Cluster. This is designed to work even
|
|
29
|
+
* when multiple copies of the Pulumi SDK have been loaded into the same process.
|
|
14
30
|
*/
|
|
15
|
-
|
|
31
|
+
static isInstance(obj: any): obj is Cluster;
|
|
16
32
|
/**
|
|
17
|
-
* The
|
|
33
|
+
* The AWS resource provider.
|
|
18
34
|
*/
|
|
19
|
-
|
|
35
|
+
readonly awsProvider: pulumi.Output<pulumiAws.Provider>;
|
|
20
36
|
/**
|
|
21
|
-
*
|
|
37
|
+
* The security group for the EKS cluster.
|
|
22
38
|
*/
|
|
23
|
-
|
|
24
|
-
}
|
|
25
|
-
/**
|
|
26
|
-
* UserMapping describes a mapping from an AWS IAM user to a Kubernetes user and groups.
|
|
27
|
-
*/
|
|
28
|
-
export interface UserMapping {
|
|
39
|
+
readonly clusterSecurityGroup: pulumi.Output<pulumiAws.ec2.SecurityGroup>;
|
|
29
40
|
/**
|
|
30
|
-
* The
|
|
41
|
+
* The EKS cluster and its dependencies.
|
|
31
42
|
*/
|
|
32
|
-
|
|
43
|
+
readonly core: pulumi.Output<outputs.CoreData>;
|
|
33
44
|
/**
|
|
34
|
-
* The
|
|
45
|
+
* The default Node Group configuration, or undefined if `skipDefaultNodeGroup` was specified.
|
|
35
46
|
*/
|
|
36
|
-
|
|
47
|
+
readonly defaultNodeGroup: pulumi.Output<outputs.NodeGroupData | undefined>;
|
|
37
48
|
/**
|
|
38
|
-
*
|
|
49
|
+
* The EKS cluster.
|
|
39
50
|
*/
|
|
40
|
-
|
|
41
|
-
}
|
|
42
|
-
/**
|
|
43
|
-
* CreationRoleProvider is a component containing the AWS Role and Provider necessary to override the `[system:master]`
|
|
44
|
-
* entity ARN. This is an optional argument used in `ClusterOptions`. Read more: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
|
|
45
|
-
*/
|
|
46
|
-
export interface CreationRoleProvider {
|
|
47
|
-
role: aws.iam.Role;
|
|
48
|
-
provider: pulumi.ProviderResource;
|
|
49
|
-
}
|
|
50
|
-
/**
|
|
51
|
-
* KubeconfigOptions represents the AWS credentials to scope a given kubeconfig
|
|
52
|
-
* when using a non-default credential chain.
|
|
53
|
-
*
|
|
54
|
-
* The options can be used independently, or additively.
|
|
55
|
-
*
|
|
56
|
-
* A scoped kubeconfig is necessary for certain auth scenarios. For example:
|
|
57
|
-
* 1. Assume a role on the default account caller,
|
|
58
|
-
* 2. Use an AWS creds profile instead of the default account caller,
|
|
59
|
-
* 3. Use an AWS creds creds profile instead of the default account caller,
|
|
60
|
-
* and then assume a given role on the profile. This scenario is also
|
|
61
|
-
* possible by only using a profile, iff the profile includes a role to
|
|
62
|
-
* assume in its settings.
|
|
63
|
-
*
|
|
64
|
-
* See for more details:
|
|
65
|
-
* - https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
|
|
66
|
-
* - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
|
|
67
|
-
* - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
|
|
68
|
-
*/
|
|
69
|
-
export interface KubeconfigOptions {
|
|
51
|
+
readonly eksCluster: pulumi.Output<pulumiAws.eks.Cluster>;
|
|
70
52
|
/**
|
|
71
|
-
*
|
|
72
|
-
*
|
|
73
|
-
* The role is passed to kubeconfig as an authentication exec argument.
|
|
53
|
+
* The ingress rule that gives node group access to cluster API server.
|
|
74
54
|
*/
|
|
75
|
-
|
|
55
|
+
readonly eksClusterIngressRule: pulumi.Output<pulumiAws.ec2.SecurityGroupRule>;
|
|
76
56
|
/**
|
|
77
|
-
*
|
|
78
|
-
* default AWS credential provider chain.
|
|
79
|
-
*
|
|
80
|
-
* The profile is passed to kubeconfig as an authentication environment
|
|
81
|
-
* setting.
|
|
57
|
+
* The service roles used by the EKS cluster. Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
|
|
82
58
|
*/
|
|
83
|
-
|
|
84
|
-
}
|
|
85
|
-
/**
|
|
86
|
-
* CoreData defines the core set of data associated with an EKS cluster, including the network in which it runs.
|
|
87
|
-
*/
|
|
88
|
-
export interface CoreData {
|
|
89
|
-
cluster: aws.eks.Cluster;
|
|
90
|
-
vpcId: pulumi.Output<string>;
|
|
91
|
-
subnetIds: pulumi.Output<string[]>;
|
|
92
|
-
endpoint: pulumi.Output<string>;
|
|
93
|
-
clusterSecurityGroup: aws.ec2.SecurityGroup;
|
|
94
|
-
provider: k8s.Provider;
|
|
95
|
-
instanceRoles: pulumi.Output<aws.iam.Role[]>;
|
|
96
|
-
nodeGroupOptions: ClusterNodeGroupOptions;
|
|
97
|
-
awsProvider?: pulumi.ProviderResource;
|
|
98
|
-
publicSubnetIds?: pulumi.Output<string[]>;
|
|
99
|
-
privateSubnetIds?: pulumi.Output<string[]>;
|
|
100
|
-
eksNodeAccess?: k8s.core.v1.ConfigMap;
|
|
101
|
-
storageClasses?: UserStorageClasses;
|
|
102
|
-
kubeconfig?: pulumi.Output<any>;
|
|
103
|
-
vpcCni?: VpcCni;
|
|
104
|
-
tags?: InputTags;
|
|
105
|
-
nodeSecurityGroupTags?: InputTags;
|
|
106
|
-
fargateProfile: pulumi.Output<aws.eks.FargateProfile | undefined>;
|
|
107
|
-
oidcProvider?: aws.iam.OpenIdConnectProvider;
|
|
108
|
-
encryptionConfig?: pulumi.Output<aws.types.output.eks.ClusterEncryptionConfig>;
|
|
109
|
-
clusterIamRole: pulumi.Output<aws.iam.Role>;
|
|
110
|
-
accessEntries?: pulumi.Output<aws.eks.AccessEntry[]>;
|
|
111
|
-
}
|
|
112
|
-
export interface ClusterCreationRoleProviderOptions {
|
|
113
|
-
region?: pulumi.Input<aws.Region>;
|
|
114
|
-
profile?: pulumi.Input<string>;
|
|
115
|
-
}
|
|
116
|
-
/**
|
|
117
|
-
* ClusterCreationRoleProvider is a component that wraps creating a role provider that can be passed to
|
|
118
|
-
* `new eks.Cluster("test", { creationRoleProvider: ... })`. This can be used to provide a
|
|
119
|
-
* specific role to use for the creation of the EKS cluster different from the role being used
|
|
120
|
-
* to run the Pulumi deployment.
|
|
121
|
-
*/
|
|
122
|
-
export declare class ClusterCreationRoleProvider extends pulumi.ComponentResource implements CreationRoleProvider {
|
|
123
|
-
readonly role: aws.iam.Role;
|
|
124
|
-
readonly provider: pulumi.ProviderResource;
|
|
59
|
+
readonly instanceRoles: pulumi.Output<pulumiAws.iam.Role[]>;
|
|
125
60
|
/**
|
|
126
|
-
*
|
|
127
|
-
* This can be used to provide a specific role to use for the creation of the EKS cluster different from
|
|
128
|
-
* the role being used to run the Pulumi deployment.
|
|
129
|
-
*
|
|
130
|
-
* @param name The _unique_ name of this component.
|
|
131
|
-
* @param args The arguments for this component.
|
|
132
|
-
* @param opts A bag of options that control this component's behavior.
|
|
61
|
+
* A kubeconfig that can be used to connect to the EKS cluster.
|
|
133
62
|
*/
|
|
134
|
-
|
|
135
|
-
}
|
|
136
|
-
/**
|
|
137
|
-
* getRoleProvider creates a role provider that can be passed to `new eks.Cluster("test", {
|
|
138
|
-
* creationRoleProvider: ... })`. This can be used to provide a specific role to use for the
|
|
139
|
-
* creation of the EKS cluster different from the role being used to run the Pulumi deployment.
|
|
140
|
-
*/
|
|
141
|
-
export declare function getRoleProvider(name: string, region?: pulumi.Input<aws.Region>, profile?: pulumi.Input<string>, parent?: pulumi.ComponentResource, provider?: pulumi.ProviderResource): CreationRoleProvider;
|
|
142
|
-
/**
|
|
143
|
-
* Create the core components and settings required for the EKS cluster.
|
|
144
|
-
*/
|
|
145
|
-
export declare function createCore(name: string, rawArgs: ClusterOptions, parent: pulumi.ComponentResource, provider?: pulumi.ProviderResource): CoreData;
|
|
146
|
-
/**
|
|
147
|
-
* ClusterOptions describes the configuration options accepted by an EKSCluster component.
|
|
148
|
-
*/
|
|
149
|
-
export interface ClusterOptions {
|
|
63
|
+
readonly kubeconfig: pulumi.Output<any>;
|
|
150
64
|
/**
|
|
151
|
-
*
|
|
152
|
-
* default VPC.
|
|
65
|
+
* A kubeconfig that can be used to connect to the EKS cluster as a JSON string.
|
|
153
66
|
*/
|
|
154
|
-
|
|
67
|
+
readonly kubeconfigJson: pulumi.Output<string>;
|
|
155
68
|
/**
|
|
156
|
-
* The
|
|
157
|
-
* groups on the EKS cluster. These subnets are automatically tagged by EKS
|
|
158
|
-
* for Kubernetes purposes.
|
|
159
|
-
*
|
|
160
|
-
* If `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.
|
|
161
|
-
*
|
|
162
|
-
* If the list of subnets includes both public and private subnets, the worker
|
|
163
|
-
* nodes will only be attached to the private subnets, and the public
|
|
164
|
-
* subnets will be used for internet-facing load balancers.
|
|
165
|
-
*
|
|
166
|
-
* See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.
|
|
167
|
-
*
|
|
168
|
-
* Note: The use of `subnetIds`, along with `publicSubnetIds`
|
|
169
|
-
* and/or `privateSubnetIds` is mutually exclusive. The use of
|
|
170
|
-
* `publicSubnetIds` and `privateSubnetIds` is encouraged.
|
|
69
|
+
* The security group for the cluster's nodes.
|
|
171
70
|
*/
|
|
172
|
-
|
|
71
|
+
readonly nodeSecurityGroup: pulumi.Output<pulumiAws.ec2.SecurityGroup>;
|
|
173
72
|
/**
|
|
174
|
-
*
|
|
175
|
-
* These subnets are automatically tagged by EKS for Kubernetes purposes.
|
|
176
|
-
*
|
|
177
|
-
* If `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.
|
|
178
|
-
*
|
|
179
|
-
* Worker network architecture options:
|
|
180
|
-
* - Private-only: Only set `privateSubnetIds`.
|
|
181
|
-
* - Default workers to run in a private subnet. In this setting, Kubernetes
|
|
182
|
-
* cannot create public, internet-facing load balancers for your pods.
|
|
183
|
-
* - Public-only: Only set `publicSubnetIds`.
|
|
184
|
-
* - Default workers to run in a public subnet.
|
|
185
|
-
* - Mixed (recommended): Set both `privateSubnetIds` and `publicSubnetIds`.
|
|
186
|
-
* - Default all worker nodes to run in private subnets, and use the public subnets
|
|
187
|
-
* for internet-facing load balancers.
|
|
188
|
-
*
|
|
189
|
-
* See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.
|
|
73
|
+
* Create a Cluster resource with the given unique name, arguments, and options.
|
|
190
74
|
*
|
|
191
|
-
*
|
|
192
|
-
*
|
|
193
|
-
*
|
|
75
|
+
* @param name The _unique_ name of the resource.
|
|
76
|
+
* @param args The arguments to use to populate this resource's properties.
|
|
77
|
+
* @param opts A bag of options that control this resource's behavior.
|
|
194
78
|
*/
|
|
195
|
-
|
|
79
|
+
constructor(name: string, args?: ClusterArgs, opts?: pulumi.ComponentResourceOptions);
|
|
196
80
|
/**
|
|
197
|
-
*
|
|
198
|
-
* These subnets are automatically tagged by EKS for Kubernetes purposes.
|
|
199
|
-
*
|
|
200
|
-
* If `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.
|
|
81
|
+
* Generate a kubeconfig for cluster authentication that does not use the default AWS credential provider chain, and instead is scoped to the supported options in `KubeconfigOptions`.
|
|
201
82
|
*
|
|
202
|
-
*
|
|
203
|
-
* - Private-only: Only set `privateSubnetIds`.
|
|
204
|
-
* - Default workers to run in a private subnet. In this setting, Kubernetes
|
|
205
|
-
* cannot create public, internet-facing load balancers for your pods.
|
|
206
|
-
* - Public-only: Only set `publicSubnetIds`.
|
|
207
|
-
* - Default workers to run in a public subnet.
|
|
208
|
-
* - Mixed (recommended): Set both `privateSubnetIds` and `publicSubnetIds`.
|
|
209
|
-
* - Default all worker nodes to run in private subnets, and use the public subnets
|
|
210
|
-
* for internet-facing load balancers.
|
|
83
|
+
* The kubeconfig generated is automatically stringified for ease of use with the pulumi/kubernetes provider.
|
|
211
84
|
*
|
|
212
|
-
* See for more details:
|
|
213
|
-
*
|
|
214
|
-
*
|
|
215
|
-
*
|
|
216
|
-
* `publicSubnetIds` and `privateSubnetIds` is encouraged.
|
|
217
|
-
*
|
|
218
|
-
* Also consider setting `nodeAssociatePublicIpAddress: false` for
|
|
219
|
-
* fully private workers.
|
|
220
|
-
*/
|
|
221
|
-
privateSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
|
|
222
|
-
/**
|
|
223
|
-
* The common configuration settings for NodeGroups.
|
|
85
|
+
* See for more details:
|
|
86
|
+
* - https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
|
|
87
|
+
* - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
|
|
88
|
+
* - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
|
|
224
89
|
*/
|
|
225
|
-
|
|
90
|
+
getKubeconfig(args?: Cluster.GetKubeconfigArgs): pulumi.Output<Cluster.GetKubeconfigResult>;
|
|
91
|
+
}
|
|
92
|
+
/**
|
|
93
|
+
* The set of arguments for constructing a Cluster resource.
|
|
94
|
+
*/
|
|
95
|
+
export interface ClusterArgs {
|
|
226
96
|
/**
|
|
227
|
-
*
|
|
228
|
-
*
|
|
229
|
-
*
|
|
230
|
-
*
|
|
97
|
+
* Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster. Access entries are only supported with authentication mode `API` or `API_AND_CONFIG_MAP`.
|
|
98
|
+
*
|
|
99
|
+
* See for more details:
|
|
100
|
+
* https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
|
|
231
101
|
*/
|
|
232
|
-
|
|
102
|
+
accessEntries?: {
|
|
103
|
+
[key: string]: inputs.AccessEntryArgs;
|
|
104
|
+
};
|
|
233
105
|
/**
|
|
234
|
-
*
|
|
235
|
-
*
|
|
106
|
+
* The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`.
|
|
107
|
+
*
|
|
108
|
+
* See for more details:
|
|
109
|
+
* https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
|
|
236
110
|
*/
|
|
237
|
-
|
|
111
|
+
authenticationMode?: enums.AuthenticationMode;
|
|
238
112
|
/**
|
|
239
|
-
*
|
|
240
|
-
*
|
|
113
|
+
* The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.
|
|
114
|
+
*
|
|
115
|
+
* Note: The security group resource should not contain any inline ingress or egress rules.
|
|
241
116
|
*/
|
|
242
|
-
|
|
117
|
+
clusterSecurityGroup?: pulumi.Input<pulumiAws.ec2.SecurityGroup>;
|
|
243
118
|
/**
|
|
244
|
-
* The
|
|
245
|
-
* for the VpcCniOptions type.
|
|
119
|
+
* The tags to apply to the cluster security group.
|
|
246
120
|
*/
|
|
247
|
-
|
|
121
|
+
clusterSecurityGroupTags?: pulumi.Input<{
|
|
122
|
+
[key: string]: pulumi.Input<string>;
|
|
123
|
+
}>;
|
|
248
124
|
/**
|
|
249
|
-
*
|
|
125
|
+
* The tags to apply to the EKS cluster.
|
|
250
126
|
*/
|
|
251
|
-
|
|
127
|
+
clusterTags?: pulumi.Input<{
|
|
128
|
+
[key: string]: pulumi.Input<string>;
|
|
129
|
+
}>;
|
|
252
130
|
/**
|
|
253
|
-
*
|
|
131
|
+
* Options for managing the `coredns` addon.
|
|
254
132
|
*/
|
|
255
|
-
|
|
133
|
+
corednsAddonOptions?: inputs.CoreDnsAddonOptionsArgs;
|
|
256
134
|
/**
|
|
257
|
-
*
|
|
258
|
-
* instance role with the cluster, that is required to be shared by
|
|
259
|
-
* *all* node groups in their instance profiles.
|
|
135
|
+
* Indicates whether an IAM OIDC Provider is created for the EKS cluster.
|
|
260
136
|
*
|
|
261
|
-
*
|
|
137
|
+
* The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.
|
|
138
|
+
*
|
|
139
|
+
* See for more details:
|
|
140
|
+
* - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
|
|
141
|
+
* - https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
|
|
142
|
+
* - https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
|
|
143
|
+
* - https://www.pulumi.com/registry/packages/aws/api-docs/eks/cluster/#enabling-iam-roles-for-service-accounts
|
|
262
144
|
*/
|
|
263
|
-
|
|
145
|
+
createOidcProvider?: pulumi.Input<boolean>;
|
|
264
146
|
/**
|
|
265
|
-
* The
|
|
147
|
+
* The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given `[system:masters]` permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
|
|
148
|
+
*
|
|
149
|
+
* Note: This option is only supported with Pulumi nodejs programs. Please use `ProviderCredentialOpts` as an alternative instead.
|
|
266
150
|
*/
|
|
267
|
-
|
|
151
|
+
creationRoleProvider?: inputs.CreationRoleProviderArgs;
|
|
268
152
|
/**
|
|
269
|
-
*
|
|
153
|
+
* List of addons to remove upon creation. Any addon listed will be "adopted" and then removed. This allows for the creation of a baremetal cluster where no addon is deployed and direct management of addons via Pulumi Kubernetes resources. Valid entries are kube-proxy, coredns and vpc-cni. Only works on first creation of a cluster.
|
|
270
154
|
*/
|
|
271
|
-
|
|
155
|
+
defaultAddonsToRemove?: pulumi.Input<pulumi.Input<string>[]>;
|
|
272
156
|
/**
|
|
273
|
-
* The
|
|
274
|
-
* permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
|
|
157
|
+
* The number of worker nodes that should be running in the cluster. Defaults to 2.
|
|
275
158
|
*/
|
|
276
|
-
|
|
159
|
+
desiredCapacity?: pulumi.Input<number>;
|
|
277
160
|
/**
|
|
278
|
-
*
|
|
279
|
-
* with the cluster for per node group IAM, instead of the simpler, shared case of `instanceRole`.
|
|
280
|
-
* Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
|
|
161
|
+
* Sets the 'enableConfigMapMutable' option on the cluster kubernetes provider.
|
|
281
162
|
*
|
|
282
|
-
*
|
|
163
|
+
* Applies updates to the aws-auth ConfigMap in place over a replace operation if set to true.
|
|
164
|
+
* https://www.pulumi.com/registry/packages/kubernetes/api-docs/provider/#enableconfigmapmutable_nodejs
|
|
283
165
|
*/
|
|
284
|
-
|
|
166
|
+
enableConfigMapMutable?: pulumi.Input<boolean>;
|
|
285
167
|
/**
|
|
286
|
-
*
|
|
287
|
-
*
|
|
288
|
-
* @deprecated This option has been replaced with the use of
|
|
289
|
-
* `instanceRole` or `instanceRoles`. The role provided to either option
|
|
290
|
-
* should already include all required policies.
|
|
168
|
+
* Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.
|
|
291
169
|
*/
|
|
292
|
-
|
|
170
|
+
enabledClusterLogTypes?: pulumi.Input<pulumi.Input<string>[]>;
|
|
293
171
|
/**
|
|
294
|
-
*
|
|
295
|
-
*
|
|
296
|
-
* Defaults to the latest recommended EKS Optimized Linux AMI from the
|
|
297
|
-
* AWS Systems Manager Parameter Store.
|
|
298
|
-
*
|
|
299
|
-
* Note: `nodeAmiId` and `gpu` are mutually exclusive.
|
|
172
|
+
* KMS Key ARN to use with the encryption configuration for the cluster.
|
|
300
173
|
*
|
|
174
|
+
* Only available on Kubernetes 1.13+ clusters created after March 6, 2020.
|
|
301
175
|
* See for more details:
|
|
302
|
-
* - https://
|
|
176
|
+
* - https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
|
|
303
177
|
*/
|
|
304
|
-
|
|
178
|
+
encryptionConfigKeyArn?: pulumi.Input<string>;
|
|
179
|
+
/**
|
|
180
|
+
* Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is `false`.
|
|
181
|
+
*/
|
|
182
|
+
endpointPrivateAccess?: pulumi.Input<boolean>;
|
|
183
|
+
/**
|
|
184
|
+
* Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is `true`.
|
|
185
|
+
*/
|
|
186
|
+
endpointPublicAccess?: pulumi.Input<boolean>;
|
|
305
187
|
/**
|
|
306
|
-
*
|
|
307
|
-
|
|
188
|
+
* Add support for launching pods in Fargate. Defaults to launching pods in the `default` namespace. If specified, the default node group is skipped as though `skipDefaultNodeGroup: true` had been passed.
|
|
189
|
+
*/
|
|
190
|
+
fargate?: pulumi.Input<boolean | inputs.FargateProfileArgs>;
|
|
191
|
+
/**
|
|
192
|
+
* Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.
|
|
308
193
|
*
|
|
309
194
|
* Defaults to false.
|
|
310
195
|
*
|
|
311
196
|
* Note: `gpu` and `nodeAmiId` are mutually exclusive.
|
|
312
197
|
*
|
|
313
198
|
* See for more details:
|
|
314
|
-
* - https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
|
|
199
|
+
* - https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
|
|
315
200
|
* - https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
|
|
316
201
|
*/
|
|
317
202
|
gpu?: pulumi.Input<boolean>;
|
|
318
203
|
/**
|
|
319
|
-
*
|
|
320
|
-
* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
|
|
321
|
-
* If not provided, no SSH access is enabled on VMs.
|
|
322
|
-
*/
|
|
323
|
-
nodePublicKey?: pulumi.Input<string>;
|
|
324
|
-
/**
|
|
325
|
-
* The subnets to use for worker nodes. Defaults to the value of subnetIds.
|
|
204
|
+
* The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
|
|
326
205
|
*/
|
|
327
|
-
|
|
206
|
+
instanceProfileName?: pulumi.Input<string>;
|
|
328
207
|
/**
|
|
329
|
-
*
|
|
330
|
-
* with full internet egress and ingress from node groups.
|
|
208
|
+
* This enables the simple case of only registering a *single* IAM instance role with the cluster, that is required to be shared by *all* node groups in their instance profiles.
|
|
331
209
|
*
|
|
332
|
-
* Note:
|
|
333
|
-
*/
|
|
334
|
-
clusterSecurityGroup?: aws.ec2.SecurityGroup;
|
|
335
|
-
/**
|
|
336
|
-
* The tags to apply to the cluster security group.
|
|
337
|
-
*/
|
|
338
|
-
clusterSecurityGroupTags?: InputTags;
|
|
339
|
-
/**
|
|
340
|
-
* Encrypt the root block device of the nodes in the node group.
|
|
210
|
+
* Note: options `instanceRole` and `instanceRoles` are mutually exclusive.
|
|
341
211
|
*/
|
|
342
|
-
|
|
212
|
+
instanceRole?: pulumi.Input<pulumiAws.iam.Role>;
|
|
343
213
|
/**
|
|
344
|
-
*
|
|
214
|
+
* This enables the advanced case of registering *many* IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of `instanceRole`.
|
|
345
215
|
*
|
|
346
|
-
* Note:
|
|
347
|
-
* `nodeSecurityGroup` are mutually exclusive.
|
|
216
|
+
* Note: options `instanceRole` and `instanceRoles` are mutually exclusive.
|
|
348
217
|
*/
|
|
349
|
-
|
|
218
|
+
instanceRoles?: pulumi.Input<pulumi.Input<pulumiAws.iam.Role>[]>;
|
|
350
219
|
/**
|
|
351
|
-
* The
|
|
220
|
+
* The instance type to use for the cluster's nodes. Defaults to "t3.medium".
|
|
352
221
|
*/
|
|
353
|
-
|
|
222
|
+
instanceType?: pulumi.Input<string>;
|
|
354
223
|
/**
|
|
355
|
-
*
|
|
356
|
-
*
|
|
357
|
-
* critically it must begin with an interpreter directive (i.e. a `#!`).
|
|
224
|
+
* The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`.
|
|
225
|
+
* You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created.
|
|
358
226
|
*/
|
|
359
|
-
|
|
227
|
+
ipFamily?: pulumi.Input<string>;
|
|
360
228
|
/**
|
|
361
|
-
*
|
|
229
|
+
* Options for managing the `kube-proxy` addon.
|
|
362
230
|
*/
|
|
363
|
-
|
|
231
|
+
kubeProxyAddonOptions?: inputs.KubeProxyAddonOptionsArgs;
|
|
364
232
|
/**
|
|
365
|
-
* The
|
|
233
|
+
* The CIDR block to assign Kubernetes service IP addresses from. If you don't
|
|
234
|
+
* specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or
|
|
235
|
+
* 172.20.0.0/16 CIDR blocks. This setting only applies to IPv4 clusters. We recommend that you specify a block
|
|
236
|
+
* that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify
|
|
237
|
+
* a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.
|
|
238
|
+
*
|
|
239
|
+
* The block must meet the following requirements:
|
|
240
|
+
* - Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
|
|
241
|
+
* - Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
|
|
242
|
+
* - Between /24 and /12.
|
|
366
243
|
*/
|
|
367
|
-
|
|
244
|
+
kubernetesServiceIpAddressRange?: pulumi.Input<string>;
|
|
368
245
|
/**
|
|
369
246
|
* The maximum number of worker nodes running in the cluster. Defaults to 2.
|
|
370
247
|
*/
|
|
371
248
|
maxSize?: pulumi.Input<number>;
|
|
372
249
|
/**
|
|
373
|
-
*
|
|
374
|
-
* a single StorageClass will be created for that volume type.
|
|
375
|
-
*
|
|
376
|
-
* Note: As of Kubernetes v1.11+ on EKS, a default `gp2` storage class will
|
|
377
|
-
* always be created automatically for the cluster by the EKS service. See
|
|
378
|
-
* https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html
|
|
379
|
-
*/
|
|
380
|
-
storageClasses?: {
|
|
381
|
-
[name: string]: StorageClass;
|
|
382
|
-
} | EBSVolumeType;
|
|
383
|
-
/**
|
|
384
|
-
* If this toggle is set to true, the EKS cluster will be created without node group attached.
|
|
385
|
-
* Defaults to false, unless `fargate` input is provided.
|
|
250
|
+
* The minimum number of worker nodes running in the cluster. Defaults to 1.
|
|
386
251
|
*/
|
|
387
|
-
|
|
252
|
+
minSize?: pulumi.Input<number>;
|
|
388
253
|
/**
|
|
389
|
-
*
|
|
390
|
-
* accessed as follows:
|
|
391
|
-
*
|
|
392
|
-
* 1. Retrieve an authentication token for the dashboard by running the following and copying the value of `token`
|
|
393
|
-
* from the output of the last command:
|
|
394
|
-
*
|
|
395
|
-
* $ kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}'
|
|
396
|
-
* $ kubectl -n kube-system describe secret <output from previous command>
|
|
254
|
+
* The cluster's physical resource name.
|
|
397
255
|
*
|
|
398
|
-
*
|
|
256
|
+
* If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format `${name}-eksCluster-0123abcd`.
|
|
399
257
|
*
|
|
400
|
-
*
|
|
258
|
+
* See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming
|
|
259
|
+
*/
|
|
260
|
+
name?: pulumi.Input<string>;
|
|
261
|
+
/**
|
|
262
|
+
* The AMI ID to use for the worker nodes.
|
|
401
263
|
*
|
|
402
|
-
*
|
|
403
|
-
* web browser.
|
|
404
|
-
* 4. Choose `Token` authentication, paste the token retrieved earlier into the `Token` field, and sign in.
|
|
264
|
+
* Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.
|
|
405
265
|
*
|
|
406
|
-
*
|
|
266
|
+
* Note: `nodeAmiId` and `gpu` are mutually exclusive.
|
|
407
267
|
*
|
|
408
|
-
*
|
|
409
|
-
*
|
|
410
|
-
* using it for security concerns. If you'd like alternatives to deploy the
|
|
411
|
-
* dashboard, consider writing it in Pulumi, or using the Helm chart.
|
|
412
|
-
*/
|
|
413
|
-
deployDashboard?: boolean;
|
|
414
|
-
/**
|
|
415
|
-
* Key-value mapping of tags that are automatically applied to all AWS
|
|
416
|
-
* resources directly under management with this cluster, which support tagging.
|
|
268
|
+
* See for more details:
|
|
269
|
+
* - https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
|
|
417
270
|
*/
|
|
418
|
-
|
|
271
|
+
nodeAmiId?: pulumi.Input<string>;
|
|
419
272
|
/**
|
|
420
|
-
*
|
|
273
|
+
* Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
|
|
421
274
|
*/
|
|
422
|
-
|
|
275
|
+
nodeAssociatePublicIpAddress?: boolean;
|
|
423
276
|
/**
|
|
424
|
-
*
|
|
425
|
-
* Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"].
|
|
426
|
-
* By default it is off.
|
|
277
|
+
* The common configuration settings for NodeGroups.
|
|
427
278
|
*/
|
|
428
|
-
|
|
279
|
+
nodeGroupOptions?: inputs.ClusterNodeGroupOptionsArgs;
|
|
429
280
|
/**
|
|
430
|
-
*
|
|
431
|
-
*
|
|
432
|
-
*
|
|
281
|
+
* Public key material for SSH access to worker nodes. See allowed formats at:
|
|
282
|
+
* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
|
|
283
|
+
* If not provided, no SSH access is enabled on VMs.
|
|
433
284
|
*/
|
|
434
|
-
|
|
285
|
+
nodePublicKey?: pulumi.Input<string>;
|
|
435
286
|
/**
|
|
436
|
-
*
|
|
287
|
+
* Encrypt the root block device of the nodes in the node group.
|
|
437
288
|
*/
|
|
438
|
-
|
|
289
|
+
nodeRootVolumeEncrypted?: pulumi.Input<boolean>;
|
|
439
290
|
/**
|
|
440
|
-
*
|
|
291
|
+
* The size in GiB of a cluster node's root volume. Defaults to 20.
|
|
441
292
|
*/
|
|
442
|
-
|
|
293
|
+
nodeRootVolumeSize?: pulumi.Input<number>;
|
|
443
294
|
/**
|
|
444
|
-
*
|
|
295
|
+
* The tags to apply to the default `nodeSecurityGroup` created by the cluster.
|
|
296
|
+
*
|
|
297
|
+
* Note: The `nodeSecurityGroupTags` option and the node group option `nodeSecurityGroup` are mutually exclusive.
|
|
445
298
|
*/
|
|
446
|
-
|
|
299
|
+
nodeSecurityGroupTags?: pulumi.Input<{
|
|
300
|
+
[key: string]: pulumi.Input<string>;
|
|
301
|
+
}>;
|
|
447
302
|
/**
|
|
448
|
-
*
|
|
449
|
-
* namespace. If specified, the default node group is skipped as though `skipDefaultNodeGroup:
|
|
450
|
-
* true` had been passed.
|
|
303
|
+
* The subnets to use for worker nodes. Defaults to the value of subnetIds.
|
|
451
304
|
*/
|
|
452
|
-
|
|
305
|
+
nodeSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
|
|
453
306
|
/**
|
|
454
|
-
*
|
|
307
|
+
* Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a `#!`).
|
|
455
308
|
*/
|
|
456
|
-
|
|
309
|
+
nodeUserData?: pulumi.Input<string>;
|
|
457
310
|
/**
|
|
458
|
-
*
|
|
311
|
+
* The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.
|
|
459
312
|
*
|
|
460
|
-
*
|
|
461
|
-
* Service Account annotations to provide IAM roles at the k8s Pod level.
|
|
313
|
+
* If `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.
|
|
462
314
|
*
|
|
463
|
-
*
|
|
464
|
-
* -
|
|
465
|
-
*
|
|
466
|
-
* -
|
|
467
|
-
*
|
|
315
|
+
* Worker network architecture options:
|
|
316
|
+
* - Private-only: Only set `privateSubnetIds`.
|
|
317
|
+
* - Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
|
|
318
|
+
* - Public-only: Only set `publicSubnetIds`.
|
|
319
|
+
* - Default workers to run in a public subnet.
|
|
320
|
+
* - Mixed (recommended): Set both `privateSubnetIds` and `publicSubnetIds`.
|
|
321
|
+
* - Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.
|
|
322
|
+
*
|
|
323
|
+
* See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of `subnetIds`, along with `publicSubnetIds` and/or `privateSubnetIds` is mutually exclusive. The use of `publicSubnetIds` and `privateSubnetIds` is encouraged.
|
|
324
|
+
*
|
|
325
|
+
* Also consider setting `nodeAssociatePublicIpAddress: false` for fully private workers.
|
|
468
326
|
*/
|
|
469
|
-
|
|
327
|
+
privateSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
|
|
470
328
|
/**
|
|
471
|
-
* The cluster's
|
|
329
|
+
* The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.
|
|
472
330
|
*
|
|
473
|
-
*
|
|
474
|
-
*
|
|
331
|
+
* This is required for certain auth scenarios. For example:
|
|
332
|
+
* - Creating and using a new AWS provider instance, or
|
|
333
|
+
* - Setting the AWS_PROFILE environment variable, or
|
|
334
|
+
* - Using a named profile configured on the AWS provider via:
|
|
335
|
+
* `pulumi config set aws:profile <profileName>`
|
|
475
336
|
*
|
|
476
337
|
* See for more details:
|
|
477
|
-
* https://www.pulumi.com/
|
|
338
|
+
* - https://www.pulumi.com/registry/packages/aws/api-docs/provider/
|
|
339
|
+
* - https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
|
|
340
|
+
* - https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
|
|
341
|
+
* - https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
|
|
478
342
|
*/
|
|
479
|
-
|
|
343
|
+
providerCredentialOpts?: pulumi.Input<inputs.KubeconfigOptionsArgs>;
|
|
480
344
|
/**
|
|
481
345
|
* The HTTP(S) proxy to use within a proxied environment.
|
|
482
346
|
*
|
|
483
|
-
*
|
|
347
|
+
* The proxy is used during cluster creation, and OIDC configuration.
|
|
484
348
|
*
|
|
485
|
-
* This is an alternative option to setting the proxy environment variables:
|
|
486
|
-
* HTTP(S)_PROXY and/or http(s)_proxy.
|
|
349
|
+
* This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.
|
|
487
350
|
*
|
|
488
351
|
* This option is required iff the proxy environment variables are not set.
|
|
489
352
|
*
|
|
@@ -497,266 +360,109 @@ export interface ClusterOptions {
|
|
|
497
360
|
*/
|
|
498
361
|
proxy?: string;
|
|
499
362
|
/**
|
|
500
|
-
*
|
|
501
|
-
* authentication when using a non-default credential chain.
|
|
502
|
-
*
|
|
503
|
-
* This is required for certain auth scenarios. For example:
|
|
504
|
-
* - Creating and using a new AWS provider instance, or
|
|
505
|
-
* - Setting the AWS_PROFILE environment variable, or
|
|
506
|
-
* - Using a named profile configured on the AWS provider via:
|
|
507
|
-
* `pulumi config set aws:profile <profileName>`
|
|
508
|
-
*
|
|
509
|
-
* See for more details:
|
|
510
|
-
* - https://www.pulumi.com/registry/packages/aws/api-docs/provider/
|
|
511
|
-
* - https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
|
|
512
|
-
* - https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
|
|
513
|
-
* - https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
|
|
514
|
-
*/
|
|
515
|
-
providerCredentialOpts?: pulumi.Input<KubeconfigOptions>;
|
|
516
|
-
/**
|
|
517
|
-
* Sets the 'enableConfigMapMutable' option on the cluster kubernetes provider.
|
|
518
|
-
* Applies updates to the aws-auth ConfigMap in place over a replace operation if set to true.
|
|
519
|
-
* https://www.pulumi.com/registry/packages/kubernetes/api-docs/provider/#enableconfigmapmutable_nodejs
|
|
363
|
+
* Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.
|
|
520
364
|
*/
|
|
521
|
-
|
|
365
|
+
publicAccessCidrs?: pulumi.Input<pulumi.Input<string>[]>;
|
|
522
366
|
/**
|
|
523
|
-
*
|
|
367
|
+
* The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.
|
|
524
368
|
*
|
|
525
|
-
*
|
|
526
|
-
* See for more details:
|
|
527
|
-
* - https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
|
|
528
|
-
*/
|
|
529
|
-
encryptionConfigKeyArn?: pulumi.Input<string>;
|
|
530
|
-
/**
|
|
531
|
-
* The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns
|
|
532
|
-
* addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that
|
|
533
|
-
* does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify
|
|
534
|
-
* a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.
|
|
369
|
+
* If `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.
|
|
535
370
|
*
|
|
536
|
-
*
|
|
537
|
-
* -
|
|
538
|
-
*
|
|
539
|
-
* -
|
|
540
|
-
|
|
541
|
-
|
|
542
|
-
|
|
543
|
-
* The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6.
|
|
544
|
-
* You can only specify an IP family when you create a cluster, changing this value will force
|
|
545
|
-
* a new cluster to be created.
|
|
546
|
-
*/
|
|
547
|
-
ipFamily?: pulumi.Input<string>;
|
|
548
|
-
/**
|
|
549
|
-
* The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
|
|
550
|
-
* See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
|
|
551
|
-
*/
|
|
552
|
-
authenticationMode?: AuthenticationMode;
|
|
553
|
-
/**
|
|
554
|
-
* Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster.
|
|
555
|
-
* Access entries are only supported with authentication mode `API` or `API_AND_CONFIG_MAP`.
|
|
371
|
+
* Worker network architecture options:
|
|
372
|
+
* - Private-only: Only set `privateSubnetIds`.
|
|
373
|
+
* - Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
|
|
374
|
+
* - Public-only: Only set `publicSubnetIds`.
|
|
375
|
+
* - Default workers to run in a public subnet.
|
|
376
|
+
* - Mixed (recommended): Set both `privateSubnetIds` and `publicSubnetIds`.
|
|
377
|
+
* - Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.
|
|
556
378
|
*
|
|
557
|
-
* See for more details
|
|
558
|
-
*/
|
|
559
|
-
accessEntries?: {
|
|
560
|
-
[key: string]: AccessEntry;
|
|
561
|
-
};
|
|
562
|
-
}
|
|
563
|
-
/**
|
|
564
|
-
* FargateProfile defines how Kubernetes pods are executed in Fargate. See
|
|
565
|
-
* aws.eks.FargateProfileArgs for reference.
|
|
566
|
-
*/
|
|
567
|
-
export interface FargateProfile {
|
|
568
|
-
/**
|
|
569
|
-
* Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role
|
|
570
|
-
* with the `arn:[partition]:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy` policy attached.
|
|
571
|
-
*/
|
|
572
|
-
podExecutionRoleArn?: pulumi.Input<string>;
|
|
573
|
-
/**
|
|
574
|
-
* Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private
|
|
575
|
-
* subnets associated with the cluster.
|
|
576
|
-
*/
|
|
577
|
-
subnetIds?: pulumi.Input<pulumi.Input<string>[]>;
|
|
578
|
-
/**
|
|
579
|
-
* Specify the namespace and label selectors to use for launching pods into Fargate.
|
|
379
|
+
* See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of `subnetIds`, along with `publicSubnetIds` and/or `privateSubnetIds` is mutually exclusive. The use of `publicSubnetIds` and `privateSubnetIds` is encouraged.
|
|
580
380
|
*/
|
|
581
|
-
|
|
582
|
-
}
|
|
583
|
-
/**
|
|
584
|
-
* ClusterNodeGroupOptions describes the configuration options accepted by a cluster
|
|
585
|
-
* to create its own node groups. It's a subset of NodeGroupOptions.
|
|
586
|
-
*/
|
|
587
|
-
export interface ClusterNodeGroupOptions extends NodeGroupBaseOptions {
|
|
588
|
-
}
|
|
589
|
-
export interface AccessEntry {
|
|
381
|
+
publicSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
|
|
590
382
|
/**
|
|
591
|
-
*
|
|
383
|
+
* Optional mappings from AWS IAM roles to Kubernetes users and groups. Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`
|
|
592
384
|
*/
|
|
593
|
-
|
|
385
|
+
roleMappings?: pulumi.Input<pulumi.Input<inputs.RoleMappingArgs>[]>;
|
|
594
386
|
/**
|
|
595
|
-
*
|
|
387
|
+
* IAM Service Role for EKS to use to manage the cluster.
|
|
596
388
|
*/
|
|
597
|
-
|
|
389
|
+
serviceRole?: pulumi.Input<pulumiAws.iam.Role>;
|
|
598
390
|
/**
|
|
599
|
-
*
|
|
391
|
+
* If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless `fargate` input is provided.
|
|
600
392
|
*/
|
|
601
|
-
|
|
393
|
+
skipDefaultNodeGroup?: boolean;
|
|
602
394
|
/**
|
|
603
|
-
*
|
|
395
|
+
* An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.
|
|
396
|
+
*
|
|
397
|
+
* Note: As of Kubernetes v1.11+ on EKS, a default `gp2` storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html
|
|
604
398
|
*/
|
|
605
|
-
|
|
606
|
-
[key: string]:
|
|
399
|
+
storageClasses?: string | {
|
|
400
|
+
[key: string]: inputs.StorageClassArgs;
|
|
607
401
|
};
|
|
608
402
|
/**
|
|
609
|
-
* The
|
|
610
|
-
*/
|
|
611
|
-
tags?: InputTags;
|
|
612
|
-
/**
|
|
613
|
-
* The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS.
|
|
403
|
+
* The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.
|
|
614
404
|
*
|
|
615
|
-
*
|
|
616
|
-
* to input a kubernetesGroup, and prevent associating access policies..
|
|
617
|
-
*/
|
|
618
|
-
type?: pulumi.Input<AccessEntryType>;
|
|
619
|
-
}
|
|
620
|
-
export interface AccessPolicyAssociation {
|
|
621
|
-
/**
|
|
622
|
-
* The ARN of the access policy to associate with the principal
|
|
623
|
-
*/
|
|
624
|
-
policyArn: pulumi.Input<string>;
|
|
625
|
-
/**
|
|
626
|
-
* The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace.
|
|
627
|
-
*/
|
|
628
|
-
accessScope: aws.types.input.eks.AccessPolicyAssociationAccessScope;
|
|
629
|
-
}
|
|
630
|
-
export declare const AuthenticationMode: {
|
|
631
|
-
/**
|
|
632
|
-
* Only Access Entries will be used for authenticating to the Kubernetes API.
|
|
633
|
-
*/
|
|
634
|
-
readonly API: "API";
|
|
635
|
-
/**
|
|
636
|
-
* Only aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
|
|
405
|
+
* If `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.
|
|
637
406
|
*
|
|
638
|
-
*
|
|
639
|
-
* For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
|
|
640
|
-
*/
|
|
641
|
-
readonly CONFIG_MAP: "CONFIG_MAP";
|
|
642
|
-
/**
|
|
643
|
-
* Both aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
|
|
407
|
+
* If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.
|
|
644
408
|
*
|
|
645
|
-
*
|
|
646
|
-
* For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
|
|
647
|
-
*/
|
|
648
|
-
readonly API_AND_CONFIG_MAP: "API_AND_CONFIG_MAP";
|
|
649
|
-
};
|
|
650
|
-
/**
|
|
651
|
-
* The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
|
|
652
|
-
* See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
|
|
653
|
-
*/
|
|
654
|
-
export type AuthenticationMode = (typeof AuthenticationMode)[keyof typeof AuthenticationMode];
|
|
655
|
-
export declare const AccessEntryType: {
|
|
656
|
-
/**
|
|
657
|
-
* Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
|
|
658
|
-
*/
|
|
659
|
-
readonly STANDARD: "STANDARD";
|
|
660
|
-
/**
|
|
661
|
-
* For IAM roles used with AWS Fargate profiles.
|
|
662
|
-
*/
|
|
663
|
-
readonly FARGATE_LINUX: "FARGATE_LINUX";
|
|
664
|
-
/**
|
|
665
|
-
* For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
|
|
666
|
-
*/
|
|
667
|
-
readonly EC2_LINUX: "EC2_LINUX";
|
|
668
|
-
/**
|
|
669
|
-
* For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
|
|
670
|
-
*/
|
|
671
|
-
readonly EC2_WINDOWS: "EC2_WINDOWS";
|
|
672
|
-
};
|
|
673
|
-
/**
|
|
674
|
-
* The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
|
|
675
|
-
* See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
|
|
676
|
-
*/
|
|
677
|
-
export type AccessEntryType = (typeof AccessEntryType)[keyof typeof AccessEntryType];
|
|
678
|
-
/**
|
|
679
|
-
* Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker
|
|
680
|
-
* nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.
|
|
681
|
-
*/
|
|
682
|
-
export declare class Cluster extends pulumi.ComponentResource {
|
|
683
|
-
/**
|
|
684
|
-
* A kubeconfig that can be used to connect to the EKS cluster.
|
|
685
|
-
*/
|
|
686
|
-
readonly kubeconfig: pulumi.Output<any>;
|
|
687
|
-
/**
|
|
688
|
-
* A kubeconfig that can be used to connect to the EKS cluster as a JSON string.
|
|
689
|
-
*/
|
|
690
|
-
readonly kubeconfigJson: pulumi.Output<string>;
|
|
691
|
-
/**
|
|
692
|
-
* The AWS resource provider.
|
|
693
|
-
*/
|
|
694
|
-
readonly awsProvider: pulumi.ProviderResource;
|
|
695
|
-
/**
|
|
696
|
-
* A Kubernetes resource provider that can be used to deploy into this cluster. For example, the code below will
|
|
697
|
-
* create a new Pod in the EKS cluster.
|
|
698
|
-
*
|
|
699
|
-
* let eks = new Cluster("eks");
|
|
700
|
-
* let pod = new kubernetes.core.v1.Pod("pod", { ... }, { provider: eks.provider });
|
|
409
|
+
* See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.
|
|
701
410
|
*
|
|
411
|
+
* Note: The use of `subnetIds`, along with `publicSubnetIds` and/or `privateSubnetIds` is mutually exclusive. The use of `publicSubnetIds` and `privateSubnetIds` is encouraged.
|
|
702
412
|
*/
|
|
703
|
-
|
|
704
|
-
/**
|
|
705
|
-
* The security group for the EKS cluster.
|
|
706
|
-
*/
|
|
707
|
-
readonly clusterSecurityGroup: aws.ec2.SecurityGroup;
|
|
708
|
-
/**
|
|
709
|
-
* The service roles used by the EKS cluster.
|
|
710
|
-
*/
|
|
711
|
-
readonly instanceRoles: pulumi.Output<aws.iam.Role[]>;
|
|
712
|
-
/**
|
|
713
|
-
* The security group for the cluster's nodes.
|
|
714
|
-
*/
|
|
715
|
-
readonly nodeSecurityGroup: aws.ec2.SecurityGroup;
|
|
716
|
-
/**
|
|
717
|
-
* The ingress rule that gives node group access to cluster API server
|
|
718
|
-
*/
|
|
719
|
-
readonly eksClusterIngressRule: aws.ec2.SecurityGroupRule;
|
|
413
|
+
subnetIds?: pulumi.Input<pulumi.Input<string>[]>;
|
|
720
414
|
/**
|
|
721
|
-
*
|
|
415
|
+
* Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.
|
|
722
416
|
*/
|
|
723
|
-
|
|
417
|
+
tags?: pulumi.Input<{
|
|
418
|
+
[key: string]: pulumi.Input<string>;
|
|
419
|
+
}>;
|
|
724
420
|
/**
|
|
725
|
-
*
|
|
421
|
+
* Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with `vpcCniOptions`.
|
|
726
422
|
*/
|
|
727
|
-
|
|
423
|
+
useDefaultVpcCni?: boolean;
|
|
728
424
|
/**
|
|
729
|
-
*
|
|
425
|
+
* Optional mappings from AWS IAM users to Kubernetes users and groups. Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
|
|
730
426
|
*/
|
|
731
|
-
|
|
427
|
+
userMappings?: pulumi.Input<pulumi.Input<inputs.UserMappingArgs>[]>;
|
|
732
428
|
/**
|
|
733
|
-
*
|
|
734
|
-
* requested.
|
|
735
|
-
*
|
|
736
|
-
* @param name The _unique_ name of this component.
|
|
737
|
-
* @param args The arguments for this cluster.
|
|
738
|
-
* @param opts A bag of options that control this component's behavior.
|
|
429
|
+
* Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
|
|
739
430
|
*/
|
|
740
|
-
|
|
431
|
+
version?: pulumi.Input<string>;
|
|
741
432
|
/**
|
|
742
|
-
*
|
|
743
|
-
*
|
|
744
|
-
* See for more details:
|
|
745
|
-
* https://docs.aws.amazon.com/eks/latest/userguide/worker.html
|
|
433
|
+
* The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.
|
|
746
434
|
*/
|
|
747
|
-
|
|
435
|
+
vpcCniOptions?: inputs.VpcCniOptionsArgs;
|
|
748
436
|
/**
|
|
749
|
-
*
|
|
750
|
-
* default AWS credential provider chain, and instead is scoped to
|
|
751
|
-
* the supported options in `KubeconfigOptions`.
|
|
752
|
-
*
|
|
753
|
-
* The kubeconfig generated is automatically stringified for ease of use
|
|
754
|
-
* with the pulumi/kubernetes provider.
|
|
755
|
-
*
|
|
756
|
-
* See for more details:
|
|
757
|
-
* - https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
|
|
758
|
-
* - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
|
|
759
|
-
* - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
|
|
437
|
+
* The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.
|
|
760
438
|
*/
|
|
761
|
-
|
|
439
|
+
vpcId?: pulumi.Input<string>;
|
|
440
|
+
}
|
|
441
|
+
export declare namespace Cluster {
|
|
442
|
+
/**
|
|
443
|
+
* The set of arguments for the Cluster.getKubeconfig method.
|
|
444
|
+
*/
|
|
445
|
+
interface GetKubeconfigArgs {
|
|
446
|
+
/**
|
|
447
|
+
* AWS credential profile name to always use instead of the default AWS credential provider chain.
|
|
448
|
+
*
|
|
449
|
+
* The profile is passed to kubeconfig as an authentication environment setting.
|
|
450
|
+
*/
|
|
451
|
+
profileName?: pulumi.Input<string>;
|
|
452
|
+
/**
|
|
453
|
+
* Role ARN to assume instead of the default AWS credential provider chain.
|
|
454
|
+
*
|
|
455
|
+
* The role is passed to kubeconfig as an authentication exec argument.
|
|
456
|
+
*/
|
|
457
|
+
roleArn?: pulumi.Input<string>;
|
|
458
|
+
}
|
|
459
|
+
/**
|
|
460
|
+
* The results of the Cluster.getKubeconfig method.
|
|
461
|
+
*/
|
|
462
|
+
interface GetKubeconfigResult {
|
|
463
|
+
/**
|
|
464
|
+
* The kubeconfig for the cluster.
|
|
465
|
+
*/
|
|
466
|
+
readonly result: string;
|
|
467
|
+
}
|
|
762
468
|
}
|
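Review bot: The new doc comment on `publicAccessCidrs` in `ClusterOptions` names the endpoint the list applies to but not what happens when the field is omitted, which is what a reader auditing API-server exposure needs to know. EKS itself falls back to `0.0.0.0/0` when no list is supplied, so assuming the component passes the value through unchanged (the implementation is not visible in this declaration file), I would extend the comment to `* Indicates which CIDR blocks can access the Amazon EKS public API server endpoint. If unset, EKS allows 0.0.0.0/0; set an explicit list to restrict access.` Earlier in the same interface, `nodeRootVolumeEncrypted` and `nodeAssociatePublicIpAddress` likewise state no default, whereas `maxSize`, `minSize` and `nodeRootVolumeSize` do. Separately, the `publicSubnetIds` and `privateSubnetIds` comments fuse the reference URL with the next sentence (`network_reqs.html.Note:`), while the `subnetIds` comment keeps `Note:` in its own paragraph; the three should read the same. The interface begins before this hunk, so fields above the visible range were not checked.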