@pulumi/eks 2.8.1 → 2.9.0-alpha.1727304793
- package/addon.d.ts +61 -13
- package/addon.js +45 -18
- package/addon.js.map +1 -1
- package/cluster.d.ts +291 -585
- package/cluster.js +120 -947
- package/cluster.js.map +1 -1
- package/clusterCreationRoleProvider.d.ts +28 -0
- package/clusterCreationRoleProvider.js +47 -0
- package/clusterCreationRoleProvider.js.map +1 -0
- package/clusterMixins.d.ts +71 -0
- package/clusterMixins.js +107 -0
- package/clusterMixins.js.map +1 -0
- package/index.d.ts +31 -7
- package/index.js +80 -34
- package/index.js.map +1 -1
- package/managedNodeGroup.d.ts +221 -0
- package/managedNodeGroup.js +81 -0
- package/managedNodeGroup.js.map +1 -0
- package/nodeGroup.d.ts +273 -0
- package/nodeGroup.js +93 -0
- package/nodeGroup.js.map +1 -0
- package/nodeGroupSecurityGroup.d.ts +51 -0
- package/nodeGroupSecurityGroup.js +60 -0
- package/nodeGroupSecurityGroup.js.map +1 -0
- package/nodeGroupV2.d.ts +280 -0
- package/nodeGroupV2.js +90 -0
- package/nodeGroupV2.js.map +1 -0
- package/nodegroupMixins.d.ts +203 -0
- package/{securitygroup.js → nodegroupMixins.js} +25 -36
- package/nodegroupMixins.js.map +1 -0
- package/package.json +8 -36
- package/provider.d.ts +21 -0
- package/provider.js +38 -0
- package/provider.js.map +1 -0
- package/{storageclass.js → storageclassMixins.js} +1 -14
- package/storageclassMixins.js.map +1 -0
- package/types/enums/index.d.ts +170 -0
- package/types/enums/index.js +145 -0
- package/types/enums/index.js.map +1 -0
- package/types/index.d.ts +4 -0
- package/types/index.js +13 -0
- package/types/index.js.map +1 -0
- package/types/input.d.ts +745 -0
- package/types/input.js +30 -0
- package/types/input.js.map +1 -0
- package/types/output.d.ts +422 -0
- package/types/output.js +5 -0
- package/types/output.js.map +1 -0
- package/utilities.d.ts +8 -1
- package/utilities.js +90 -17
- package/utilities.js.map +1 -1
- package/vpcCniAddon.d.ts +175 -0
- package/vpcCniAddon.js +88 -0
- package/vpcCniAddon.js.map +1 -0
- package/LICENSE +0 -202
- package/README.md +0 -77
- package/authenticationMode.d.ts +0 -24
- package/authenticationMode.js +0 -172
- package/authenticationMode.js.map +0 -1
- package/authenticationMode.test.d.ts +0 -1
- package/authenticationMode.test.js +0 -208
- package/authenticationMode.test.js.map +0 -1
- package/cert-thumprint.d.ts +0 -16
- package/cert-thumprint.js +0 -113
- package/cert-thumprint.js.map +0 -1
- package/cmd/provider/addon.d.ts +0 -1
- package/cmd/provider/addon.js +0 -40
- package/cmd/provider/addon.js.map +0 -1
- package/cmd/provider/cluster.d.ts +0 -1
- package/cmd/provider/cluster.js +0 -71
- package/cmd/provider/cluster.js.map +0 -1
- package/cmd/provider/cni.d.ts +0 -2
- package/cmd/provider/cni.js +0 -291
- package/cmd/provider/cni.js.map +0 -1
- package/cmd/provider/index.d.ts +0 -1
- package/cmd/provider/index.js +0 -171
- package/cmd/provider/index.js.map +0 -1
- package/cmd/provider/nodegroup.d.ts +0 -1
- package/cmd/provider/nodegroup.js +0 -89
- package/cmd/provider/nodegroup.js.map +0 -1
- package/cmd/provider/randomSuffix.d.ts +0 -1
- package/cmd/provider/randomSuffix.js +0 -52
- package/cmd/provider/randomSuffix.js.map +0 -1
- package/cmd/provider/schema.json +0 -1909
- package/cmd/provider/securitygroup.d.ts +0 -1
- package/cmd/provider/securitygroup.js +0 -41
- package/cmd/provider/securitygroup.js.map +0 -1
- package/cni/README.md +0 -6
- package/cni/aws-k8s-cni.yaml +0 -602
- package/cni.d.ts +0 -177
- package/cni.js +0 -64
- package/cni.js.map +0 -1
- package/dashboard/heapster-rbac.yaml +0 -12
- package/dashboard/heapster.yaml +0 -46
- package/dashboard/influxdb.yaml +0 -40
- package/dashboard/kubernetes-dashboard.yaml +0 -167
- package/dashboard.d.ts +0 -5
- package/dashboard.js +0 -58
- package/dashboard.js.map +0 -1
- package/dependencies.d.ts +0 -2
- package/dependencies.js +0 -81
- package/dependencies.js.map +0 -1
- package/dependencies.test.d.ts +0 -1
- package/dependencies.test.js +0 -133
- package/dependencies.test.js.map +0 -1
- package/nodegroup.d.ts +0 -515
- package/nodegroup.js +0 -1152
- package/nodegroup.js.map +0 -1
- package/nodegroup.test.d.ts +0 -1
- package/nodegroup.test.js +0 -336
- package/nodegroup.test.js.map +0 -1
- package/package.json.dev +0 -67
- package/randomSuffix.d.ts +0 -1
- package/randomSuffix.js +0 -51
- package/randomSuffix.js.map +0 -1
- package/securitygroup.d.ts +0 -52
- package/securitygroup.js.map +0 -1
- package/servicerole.d.ts +0 -43
- package/servicerole.js +0 -72
- package/servicerole.js.map +0 -1
- package/storageclass.js.map +0 -1
- package/utils.d.ts +0 -23
- package/utils.js +0 -16
- package/utils.js.map +0 -1
- /package/{storageclass.d.ts → storageclassMixins.d.ts} +0 -0
package/cluster.js
CHANGED
|
@@ -1,832 +1,133 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
//
|
|
3
|
-
//
|
|
4
|
-
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
5
|
-
// you may not use this file except in compliance with the License.
|
|
6
|
-
// You may obtain a copy of the License at
|
|
7
|
-
//
|
|
8
|
-
// http://www.apache.org/licenses/LICENSE-2.0
|
|
9
|
-
//
|
|
10
|
-
// Unless required by applicable law or agreed to in writing, software
|
|
11
|
-
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
12
|
-
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
13
|
-
// See the License for the specific language governing permissions and
|
|
14
|
-
// limitations under the License.
|
|
15
|
-
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
|
|
16
|
-
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
|
|
17
|
-
return new (P || (P = Promise))(function (resolve, reject) {
|
|
18
|
-
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
|
|
19
|
-
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
|
|
20
|
-
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
|
|
21
|
-
step((generator = generator.apply(thisArg, _arguments || [])).next());
|
|
22
|
-
});
|
|
23
|
-
};
|
|
2
|
+
// *** WARNING: this file was generated by pulumi-gen-eks. ***
|
|
3
|
+
// *** Do not edit by hand unless you're certain you know what you are doing! ***
|
|
24
4
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
25
|
-
exports.
|
|
26
|
-
const aws = require("@pulumi/aws");
|
|
27
|
-
const k8s = require("@pulumi/kubernetes");
|
|
5
|
+
exports.Cluster = void 0;
|
|
28
6
|
const pulumi = require("@pulumi/pulumi");
|
|
29
|
-
const
|
|
30
|
-
const
|
|
31
|
-
const https = require("https");
|
|
32
|
-
const HttpsProxyAgent = require("https-proxy-agent");
|
|
33
|
-
const process = require("process");
|
|
34
|
-
const tmp = require("tmp");
|
|
35
|
-
const url = require("url");
|
|
36
|
-
const authenticationMode_1 = require("./authenticationMode");
|
|
37
|
-
const cert_thumprint_1 = require("./cert-thumprint");
|
|
38
|
-
const cni_1 = require("./cni");
|
|
39
|
-
const dashboard_1 = require("./dashboard");
|
|
40
|
-
const dependencies_1 = require("./dependencies");
|
|
41
|
-
const nodegroup_1 = require("./nodegroup");
|
|
42
|
-
const securitygroup_1 = require("./securitygroup");
|
|
43
|
-
const servicerole_1 = require("./servicerole");
|
|
44
|
-
const storageclass_1 = require("./storageclass");
|
|
45
|
-
function createOrGetInstanceProfile(name, parent, instanceRoleName, instanceProfileName, provider) {
|
|
46
|
-
let instanceProfile;
|
|
47
|
-
if (instanceProfileName) {
|
|
48
|
-
instanceProfile = aws.iam.InstanceProfile.get(`${name}-instanceProfile`, instanceProfileName, undefined, { parent, provider });
|
|
49
|
-
}
|
|
50
|
-
else {
|
|
51
|
-
instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, {
|
|
52
|
-
role: instanceRoleName,
|
|
53
|
-
}, { parent, provider });
|
|
54
|
-
}
|
|
55
|
-
return instanceProfile;
|
|
56
|
-
}
|
|
57
|
-
/** @internal */
|
|
58
|
-
function generateKubeconfig(clusterName, clusterEndpoint, includeProfile, certData, opts) {
|
|
59
|
-
let args = ["eks", "get-token", "--cluster-name", clusterName, "--output", "json"];
|
|
60
|
-
const env = [
|
|
61
|
-
{
|
|
62
|
-
name: "KUBERNETES_EXEC_INFO",
|
|
63
|
-
value: `{"apiVersion": "client.authentication.k8s.io/v1beta1"}`,
|
|
64
|
-
},
|
|
65
|
-
];
|
|
66
|
-
if (opts === null || opts === void 0 ? void 0 : opts.roleArn) {
|
|
67
|
-
args = [...args, "--role", opts.roleArn];
|
|
68
|
-
}
|
|
69
|
-
if (includeProfile && (opts === null || opts === void 0 ? void 0 : opts.profileName)) {
|
|
70
|
-
env.push({ name: "AWS_PROFILE", value: opts.profileName });
|
|
71
|
-
}
|
|
72
|
-
return pulumi.all([args, env]).apply(([tokenArgs, envvars]) => {
|
|
73
|
-
return {
|
|
74
|
-
apiVersion: "v1",
|
|
75
|
-
clusters: [
|
|
76
|
-
{
|
|
77
|
-
cluster: {
|
|
78
|
-
server: clusterEndpoint,
|
|
79
|
-
"certificate-authority-data": certData,
|
|
80
|
-
},
|
|
81
|
-
name: "kubernetes",
|
|
82
|
-
},
|
|
83
|
-
],
|
|
84
|
-
contexts: [
|
|
85
|
-
{
|
|
86
|
-
context: {
|
|
87
|
-
cluster: "kubernetes",
|
|
88
|
-
user: "aws",
|
|
89
|
-
},
|
|
90
|
-
name: "aws",
|
|
91
|
-
},
|
|
92
|
-
],
|
|
93
|
-
"current-context": "aws",
|
|
94
|
-
kind: "Config",
|
|
95
|
-
users: [
|
|
96
|
-
{
|
|
97
|
-
name: "aws",
|
|
98
|
-
user: {
|
|
99
|
-
exec: {
|
|
100
|
-
apiVersion: "client.authentication.k8s.io/v1beta1",
|
|
101
|
-
command: "aws",
|
|
102
|
-
args: tokenArgs,
|
|
103
|
-
env: envvars,
|
|
104
|
-
},
|
|
105
|
-
},
|
|
106
|
-
},
|
|
107
|
-
],
|
|
108
|
-
};
|
|
109
|
-
});
|
|
110
|
-
}
|
|
111
|
-
exports.generateKubeconfig = generateKubeconfig;
|
|
7
|
+
const inputs = require("./types/input");
|
|
8
|
+
const utilities = require("./utilities");
|
|
112
9
|
/**
|
|
113
|
-
*
|
|
114
|
-
*
|
|
115
|
-
*
|
|
116
|
-
*
|
|
10
|
+
* Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.
|
|
11
|
+
*
|
|
12
|
+
* ## Example Usage
|
|
13
|
+
*
|
|
14
|
+
* ### Provisioning a New EKS Cluster
|
|
15
|
+
*
|
|
16
|
+
* <!--Start PulumiCodeChooser -->
|
|
17
|
+
* ```typescript
|
|
18
|
+
* import * as pulumi from "@pulumi/pulumi";
|
|
19
|
+
* import * as eks from "@pulumi/eks";
|
|
20
|
+
*
|
|
21
|
+
* // Create an EKS cluster with the default configuration.
|
|
22
|
+
* const cluster = new eks.Cluster("cluster", {});
|
|
23
|
+
*
|
|
24
|
+
* // Export the cluster's kubeconfig.
|
|
25
|
+
* export const kubeconfig = cluster.kubeconfig;
|
|
26
|
+
* ```
|
|
27
|
+
* <!--End PulumiCodeChooser -->
|
|
117
28
|
*/
|
|
118
|
-
class
|
|
29
|
+
class Cluster extends pulumi.ComponentResource {
|
|
119
30
|
/**
|
|
120
|
-
*
|
|
121
|
-
*
|
|
122
|
-
* the role being used to run the Pulumi deployment.
|
|
123
|
-
*
|
|
124
|
-
* @param name The _unique_ name of this component.
|
|
125
|
-
* @param args The arguments for this component.
|
|
126
|
-
* @param opts A bag of options that control this component's behavior.
|
|
31
|
+
* Returns true if the given object is an instance of Cluster. This is designed to work even
|
|
32
|
+
* when multiple copies of the Pulumi SDK have been loaded into the same process.
|
|
127
33
|
*/
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
this.role = result.role;
|
|
132
|
-
this.provider = result.provider;
|
|
133
|
-
this.registerOutputs(undefined);
|
|
134
|
-
}
|
|
135
|
-
}
|
|
136
|
-
exports.ClusterCreationRoleProvider = ClusterCreationRoleProvider;
|
|
137
|
-
/**
|
|
138
|
-
* getRoleProvider creates a role provider that can be passed to `new eks.Cluster("test", {
|
|
139
|
-
* creationRoleProvider: ... })`. This can be used to provide a specific role to use for the
|
|
140
|
-
* creation of the EKS cluster different from the role being used to run the Pulumi deployment.
|
|
141
|
-
*/
|
|
142
|
-
function getRoleProvider(name, region, profile, parent, provider) {
|
|
143
|
-
const partition = aws.getPartitionOutput({}, { parent }).partition;
|
|
144
|
-
const accountId = pulumi.output(aws.getCallerIdentity({}, { parent })).accountId;
|
|
145
|
-
const iamRole = new aws.iam.Role(`${name}-eksClusterCreatorRole`, {
|
|
146
|
-
assumeRolePolicy: pulumi.interpolate `{
|
|
147
|
-
"Version": "2012-10-17",
|
|
148
|
-
"Statement": [
|
|
149
|
-
{
|
|
150
|
-
"Effect": "Allow",
|
|
151
|
-
"Principal": {
|
|
152
|
-
"AWS": "arn:${partition}:iam::${accountId}:root"
|
|
153
|
-
},
|
|
154
|
-
"Action": "sts:AssumeRole"
|
|
155
|
-
}
|
|
156
|
-
]
|
|
157
|
-
}`,
|
|
158
|
-
description: `Admin access to eks-${name}`,
|
|
159
|
-
}, { parent, provider });
|
|
160
|
-
// `eks:*` is needed to create/read/update/delete the EKS cluster, `iam:PassRole` is needed to pass the EKS service role to the cluster
|
|
161
|
-
// https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html
|
|
162
|
-
const rolePolicy = new aws.iam.RolePolicy(`${name}-eksClusterCreatorPolicy`, {
|
|
163
|
-
role: iamRole,
|
|
164
|
-
policy: {
|
|
165
|
-
Version: "2012-10-17",
|
|
166
|
-
Statement: [
|
|
167
|
-
{
|
|
168
|
-
Effect: "Allow",
|
|
169
|
-
Action: "eks:*",
|
|
170
|
-
Resource: "*",
|
|
171
|
-
},
|
|
172
|
-
{
|
|
173
|
-
Effect: "Allow",
|
|
174
|
-
Action: "iam:PassRole",
|
|
175
|
-
Resource: "*",
|
|
176
|
-
},
|
|
177
|
-
],
|
|
178
|
-
},
|
|
179
|
-
}, { parent: iamRole, provider });
|
|
180
|
-
const creatorProvider = new aws.Provider(`${name}-eksClusterCreatorEntity`, {
|
|
181
|
-
region: region,
|
|
182
|
-
profile: profile,
|
|
183
|
-
assumeRole: {
|
|
184
|
-
roleArn: iamRole.arn.apply((arn) => __awaiter(this, void 0, void 0, function* () {
|
|
185
|
-
// wait 30 seconds to assume the IAM Role https://github.com/pulumi/pulumi-aws/issues/673
|
|
186
|
-
if (!pulumi.runtime.isDryRun()) {
|
|
187
|
-
yield new Promise((resolve) => setTimeout(resolve, 30 * 1000));
|
|
188
|
-
}
|
|
189
|
-
return arn;
|
|
190
|
-
})),
|
|
191
|
-
},
|
|
192
|
-
}, { parent: iamRole, provider });
|
|
193
|
-
return {
|
|
194
|
-
role: iamRole,
|
|
195
|
-
provider: creatorProvider,
|
|
196
|
-
};
|
|
197
|
-
}
|
|
198
|
-
exports.getRoleProvider = getRoleProvider;
|
|
199
|
-
/**
|
|
200
|
-
* Create the core components and settings required for the EKS cluster.
|
|
201
|
-
*/
|
|
202
|
-
function createCore(name, rawArgs, parent, provider) {
|
|
203
|
-
// Check to ensure that a compatible version of aws CLI is installed, as we'll need it in order
|
|
204
|
-
// to retrieve a token to login to the EKS cluster later.
|
|
205
|
-
(0, dependencies_1.assertCompatibleAWSCLIExists)();
|
|
206
|
-
// Check to ensure that a compatible kubectl is installed, as we'll need it in order to deploy
|
|
207
|
-
// k8s resources later.
|
|
208
|
-
(0, dependencies_1.assertCompatibleKubectlVersionExists)();
|
|
209
|
-
const args = (0, authenticationMode_1.validateAuthenticationMode)(rawArgs);
|
|
210
|
-
if (args.instanceRole && args.instanceRoles) {
|
|
211
|
-
throw new Error("instanceRole and instanceRoles are mutually exclusive, and cannot both be set.");
|
|
212
|
-
}
|
|
213
|
-
if (args.subnetIds && (args.publicSubnetIds || args.privateSubnetIds)) {
|
|
214
|
-
throw new Error("subnetIds, and the use of publicSubnetIds and/or privateSubnetIds are mutually exclusive. Choose a single approach.");
|
|
215
|
-
}
|
|
216
|
-
if (args.nodeGroupOptions &&
|
|
217
|
-
(args.nodeSubnetIds ||
|
|
218
|
-
args.nodeAssociatePublicIpAddress ||
|
|
219
|
-
args.instanceType ||
|
|
220
|
-
args.instanceProfileName ||
|
|
221
|
-
args.nodePublicKey ||
|
|
222
|
-
args.nodeRootVolumeSize ||
|
|
223
|
-
args.nodeUserData ||
|
|
224
|
-
args.minSize ||
|
|
225
|
-
args.maxSize ||
|
|
226
|
-
args.desiredCapacity ||
|
|
227
|
-
args.nodeAmiId ||
|
|
228
|
-
args.gpu)) {
|
|
229
|
-
throw new Error("Setting nodeGroupOptions, and any set of singular node group option(s) on the cluster, is mutually exclusive. Choose a single approach.");
|
|
230
|
-
}
|
|
231
|
-
// Configure the node group options.
|
|
232
|
-
const nodeGroupOptions = args.nodeGroupOptions || {
|
|
233
|
-
nodeSubnetIds: args.nodeSubnetIds,
|
|
234
|
-
nodeAssociatePublicIpAddress: args.nodeAssociatePublicIpAddress,
|
|
235
|
-
instanceType: args.instanceType,
|
|
236
|
-
nodePublicKey: args.nodePublicKey,
|
|
237
|
-
nodeRootVolumeEncrypted: args.nodeRootVolumeEncrypted,
|
|
238
|
-
nodeRootVolumeSize: args.nodeRootVolumeSize,
|
|
239
|
-
nodeUserData: args.nodeUserData,
|
|
240
|
-
minSize: args.minSize,
|
|
241
|
-
maxSize: args.maxSize,
|
|
242
|
-
desiredCapacity: args.desiredCapacity,
|
|
243
|
-
amiId: args.nodeAmiId,
|
|
244
|
-
gpu: args.gpu,
|
|
245
|
-
version: args.version,
|
|
246
|
-
};
|
|
247
|
-
const { partition, dnsSuffix } = aws.getPartitionOutput({}, { parent });
|
|
248
|
-
// Configure default networking architecture.
|
|
249
|
-
let vpcId = args.vpcId;
|
|
250
|
-
let clusterSubnetIds = [];
|
|
251
|
-
// If no VPC is set, use the default VPC's subnets.
|
|
252
|
-
if (!args.vpcId) {
|
|
253
|
-
const invokeOpts = { parent, async: true };
|
|
254
|
-
const vpc = aws.ec2.getVpc({ default: true }, invokeOpts);
|
|
255
|
-
vpcId = vpc.then((v) => v.id);
|
|
256
|
-
clusterSubnetIds = vpc
|
|
257
|
-
.then((v) => aws.ec2.getSubnets({ filters: [{ name: "vpc-id", values: [v.id] }] }, invokeOpts))
|
|
258
|
-
.then((subnets) => subnets.ids);
|
|
259
|
-
}
|
|
260
|
-
// Form the subnetIds to use on the cluster from either:
|
|
261
|
-
// - subnetIds
|
|
262
|
-
// - A combination of privateSubnetIds and/or publicSubnetIds.
|
|
263
|
-
if (args.subnetIds !== undefined) {
|
|
264
|
-
clusterSubnetIds = args.subnetIds;
|
|
265
|
-
}
|
|
266
|
-
else if (args.publicSubnetIds !== undefined || args.privateSubnetIds !== undefined) {
|
|
267
|
-
clusterSubnetIds = pulumi
|
|
268
|
-
.all([args.publicSubnetIds || [], args.privateSubnetIds || []])
|
|
269
|
-
.apply(([publicIds, privateIds]) => {
|
|
270
|
-
return [...publicIds, ...privateIds];
|
|
271
|
-
});
|
|
272
|
-
}
|
|
273
|
-
// Create the EKS service role
|
|
274
|
-
let eksRole;
|
|
275
|
-
if (args.serviceRole) {
|
|
276
|
-
eksRole = pulumi.output(args.serviceRole);
|
|
277
|
-
}
|
|
278
|
-
else {
|
|
279
|
-
eksRole = new servicerole_1.ServiceRole(`${name}-eksRole`, {
|
|
280
|
-
service: "eks.amazonaws.com",
|
|
281
|
-
description: "Allows EKS to manage clusters on your behalf.",
|
|
282
|
-
managedPolicyArns: [
|
|
283
|
-
{
|
|
284
|
-
id: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
|
|
285
|
-
arn: pulumi.interpolate `arn:${partition}:iam::aws:policy/AmazonEKSClusterPolicy`,
|
|
286
|
-
},
|
|
287
|
-
],
|
|
288
|
-
tags: args.tags,
|
|
289
|
-
}, { parent, provider }).role;
|
|
290
|
-
}
|
|
291
|
-
// Create the EKS cluster security group
|
|
292
|
-
let eksClusterSecurityGroup;
|
|
293
|
-
if (args.clusterSecurityGroup) {
|
|
294
|
-
eksClusterSecurityGroup = args.clusterSecurityGroup;
|
|
295
|
-
}
|
|
296
|
-
else {
|
|
297
|
-
eksClusterSecurityGroup = new aws.ec2.SecurityGroup(`${name}-eksClusterSecurityGroup`, {
|
|
298
|
-
vpcId: vpcId,
|
|
299
|
-
revokeRulesOnDelete: true,
|
|
300
|
-
tags: pulumi.all([args.tags, args.clusterSecurityGroupTags]).apply(([tags, clusterSecurityGroupTags]) => (Object.assign(Object.assign({ Name: `${name}-eksClusterSecurityGroup` }, clusterSecurityGroupTags), tags))),
|
|
301
|
-
}, { parent, provider });
|
|
302
|
-
const eksClusterInternetEgressRule = new aws.ec2.SecurityGroupRule(`${name}-eksClusterInternetEgressRule`, {
|
|
303
|
-
description: "Allow internet access.",
|
|
304
|
-
type: "egress",
|
|
305
|
-
fromPort: 0,
|
|
306
|
-
toPort: 0,
|
|
307
|
-
protocol: "-1",
|
|
308
|
-
cidrBlocks: ["0.0.0.0/0"],
|
|
309
|
-
securityGroupId: eksClusterSecurityGroup.id,
|
|
310
|
-
}, { parent, provider });
|
|
311
|
-
}
|
|
312
|
-
// Create the cluster encryption provider for using envelope encryption on
|
|
313
|
-
// Kubernetes secrets.
|
|
314
|
-
let encryptionProvider;
|
|
315
|
-
let encryptionConfig;
|
|
316
|
-
if (args.encryptionConfigKeyArn) {
|
|
317
|
-
encryptionProvider = pulumi.output(args.encryptionConfigKeyArn).apply((keyArn) => ({
|
|
318
|
-
keyArn,
|
|
319
|
-
}));
|
|
320
|
-
encryptionConfig = encryptionProvider.apply((ep) => ({
|
|
321
|
-
provider: ep,
|
|
322
|
-
resources: ["secrets"], // Only valid values are: "secrets"
|
|
323
|
-
}));
|
|
324
|
-
}
|
|
325
|
-
let kubernetesNetworkConfig;
|
|
326
|
-
if (args.kubernetesServiceIpAddressRange || args.ipFamily) {
|
|
327
|
-
kubernetesNetworkConfig = pulumi
|
|
328
|
-
.all([args.kubernetesServiceIpAddressRange, args.ipFamily])
|
|
329
|
-
.apply(([serviceIpv4Cidr, ipFamily = "ipv4"]) => ({
|
|
330
|
-
serviceIpv4Cidr: ipFamily === "ipv4" ? serviceIpv4Cidr : undefined,
|
|
331
|
-
ipFamily: ipFamily,
|
|
332
|
-
}));
|
|
333
|
-
}
|
|
334
|
-
// Create the EKS cluster
|
|
335
|
-
const eksCluster = new aws.eks.Cluster(`${name}-eksCluster`, {
|
|
336
|
-
name: args.name,
|
|
337
|
-
roleArn: eksRole.apply((r) => r.arn),
|
|
338
|
-
vpcConfig: {
|
|
339
|
-
securityGroupIds: [eksClusterSecurityGroup.id],
|
|
340
|
-
subnetIds: clusterSubnetIds,
|
|
341
|
-
endpointPrivateAccess: args.endpointPrivateAccess,
|
|
342
|
-
endpointPublicAccess: args.endpointPublicAccess,
|
|
343
|
-
publicAccessCidrs: args.publicAccessCidrs,
|
|
344
|
-
},
|
|
345
|
-
version: args.version,
|
|
346
|
-
enabledClusterLogTypes: args.enabledClusterLogTypes,
|
|
347
|
-
defaultAddonsToRemoves: args.defaultAddonsToRemove,
|
|
348
|
-
tags: pulumi.all([args.tags, args.clusterTags]).apply(([tags, clusterTags]) => (Object.assign(Object.assign({ Name: `${name}-eksCluster` }, clusterTags), tags))),
|
|
349
|
-
encryptionConfig,
|
|
350
|
-
kubernetesNetworkConfig,
|
|
351
|
-
accessConfig: args.authenticationMode
|
|
352
|
-
? {
|
|
353
|
-
authenticationMode: args.authenticationMode,
|
|
354
|
-
// Explicitely grants the principal creating the cluster admin access to the cluster.
|
|
355
|
-
// This is the default behavior of EKS when no accessConfig is provided.
|
|
356
|
-
// It is required for this component because it deploys charts to the cluster.
|
|
357
|
-
bootstrapClusterCreatorAdminPermissions: true,
|
|
358
|
-
}
|
|
359
|
-
: undefined,
|
|
360
|
-
}, {
|
|
361
|
-
parent,
|
|
362
|
-
provider: args.creationRoleProvider ? args.creationRoleProvider.provider : provider,
|
|
363
|
-
// ignore changes to the bootstrapClusterCreatorAdminPermissions field because it has bi-modal default behavior
|
|
364
|
-
// in upstream and would cause replacements for users upgrading from older versions of the EKS provider (<=2.7.3).
|
|
365
|
-
// See https://github.com/pulumi/pulumi-aws/issues/3997#issuecomment-2223201333 for more details.
|
|
366
|
-
ignoreChanges: ["accessConfig.bootstrapClusterCreatorAdminPermissions"],
|
|
367
|
-
});
|
|
368
|
-
// Instead of using the kubeconfig directly, we also add a wait of up to 5 minutes or until we
|
|
369
|
-
// can reach the API server for the Output that provides access to the kubeconfig string so that
|
|
370
|
-
// there is time for the cluster API server to become completely available. Ideally we
|
|
371
|
-
// would rely on the EKS API only returning once this was available, but we have seen frequent
|
|
372
|
-
// cases where it is not yet available immediately after provisioning - possibly due to DNS
|
|
373
|
-
// propagation delay or other non-deterministic factors.
|
|
374
|
-
const endpoint = eksCluster.endpoint.apply((clusterEndpoint) => __awaiter(this, void 0, void 0, function* () {
|
|
375
|
-
if (!pulumi.runtime.isDryRun() && args.endpointPublicAccess) {
|
|
376
|
-
// For up to 300 seconds, try to contact the API cluster healthz
|
|
377
|
-
// endpoint, and verify that it is reachable.
|
|
378
|
-
const healthz = `${clusterEndpoint}/healthz`;
|
|
379
|
-
const agent = createHttpAgent(args.proxy);
|
|
380
|
-
const maxRetries = 60;
|
|
381
|
-
const reqTimeoutMilliseconds = 1000; // HTTPS request timeout
|
|
382
|
-
const timeoutMilliseconds = 5000; // Retry timeout
|
|
383
|
-
for (let i = 0; i < maxRetries; i++) {
|
|
384
|
-
try {
|
|
385
|
-
yield new Promise((resolve, reject) => {
|
|
386
|
-
const options = Object.assign(Object.assign({}, url.parse(healthz)), { rejectUnauthorized: false, agent: agent, timeout: reqTimeoutMilliseconds });
|
|
387
|
-
const req = https.request(options, (res) => {
|
|
388
|
-
res.statusCode === 200 ? resolve(undefined) : reject(); // Verify healthz returns 200
|
|
389
|
-
});
|
|
390
|
-
req.on("timeout", reject);
|
|
391
|
-
req.on("error", reject);
|
|
392
|
-
req.end();
|
|
393
|
-
});
|
|
394
|
-
pulumi.log.info(`Cluster is ready`, eksCluster, undefined, true);
|
|
395
|
-
break;
|
|
396
|
-
}
|
|
397
|
-
catch (e) {
|
|
398
|
-
const retrySecondsLeft = ((maxRetries - i) * timeoutMilliseconds) / 1000;
|
|
399
|
-
pulumi.log.info(`Waiting up to (${retrySecondsLeft}) more seconds for cluster readiness...`, eksCluster, undefined, true);
|
|
400
|
-
}
|
|
401
|
-
yield new Promise((resolve) => setTimeout(resolve, timeoutMilliseconds));
|
|
402
|
-
}
|
|
403
|
-
}
|
|
404
|
-
return clusterEndpoint;
|
|
405
|
-
}));
|
|
406
|
-
// Compute the required kubeconfig. Note that we do not export this value: we want the exported config to
|
|
407
|
-
// depend on the autoscaling group we'll create later so that nothing attempts to use the EKS cluster before
|
|
408
|
-
// its worker nodes have come up.
|
|
409
|
-
const genKubeconfig = (useProfileName) => {
|
|
410
|
-
const kubeconfig = pulumi
|
|
411
|
-
.all([
|
|
412
|
-
eksCluster.name,
|
|
413
|
-
endpoint,
|
|
414
|
-
eksCluster.certificateAuthority,
|
|
415
|
-
args.providerCredentialOpts,
|
|
416
|
-
])
|
|
417
|
-
.apply(([clusterName, clusterEndpoint, clusterCertificateAuthority, providerCredentialOpts,]) => {
|
|
418
|
-
let config = {};
|
|
419
|
-
if (args.creationRoleProvider) {
|
|
420
|
-
config = args.creationRoleProvider.role.arn.apply((arn) => {
|
|
421
|
-
const opts = { roleArn: arn };
|
|
422
|
-
return generateKubeconfig(clusterName, clusterEndpoint, useProfileName, clusterCertificateAuthority === null || clusterCertificateAuthority === void 0 ? void 0 : clusterCertificateAuthority.data, opts);
|
|
423
|
-
});
|
|
424
|
-
}
|
|
425
|
-
else if (providerCredentialOpts) {
|
|
426
|
-
config = generateKubeconfig(clusterName, clusterEndpoint, useProfileName, clusterCertificateAuthority === null || clusterCertificateAuthority === void 0 ? void 0 : clusterCertificateAuthority.data, providerCredentialOpts);
|
|
427
|
-
}
|
|
428
|
-
else {
|
|
429
|
-
config = generateKubeconfig(clusterName, clusterEndpoint, useProfileName, clusterCertificateAuthority === null || clusterCertificateAuthority === void 0 ? void 0 : clusterCertificateAuthority.data);
|
|
430
|
-
}
|
|
431
|
-
return config;
|
|
432
|
-
});
|
|
433
|
-
return kubeconfig;
|
|
434
|
-
};
|
|
435
|
-
// We need 2 forms of kubeconfig, one with the profile name and one without. The one with the profile name
|
|
436
|
-
// is required to interact with the cluster by this provider. The one without is used by the user to interact
|
|
437
|
-
// with the cluster and enable multi-user access.
|
|
438
|
-
const kubeconfig = genKubeconfig(true);
|
|
439
|
-
const kubeconfigWithoutProfile = genKubeconfig(false);
|
|
440
|
-
const k8sProvider = new k8s.Provider(`${name}-eks-k8s`, {
|
|
441
|
-
kubeconfig: kubeconfig.apply(JSON.stringify),
|
|
442
|
-
enableConfigMapMutable: args.enableConfigMapMutable,
|
|
443
|
-
}, { parent: parent });
|
|
444
|
-
const skipDefaultNodeGroup = args.skipDefaultNodeGroup || args.fargate;
|
|
445
|
-
let instanceRoles;
|
|
446
|
-
let defaultInstanceRole;
|
|
447
|
-
// Create role mappings of the instance roles specified for aws-auth.
|
|
448
|
-
if (args.instanceRoles) {
|
|
449
|
-
instanceRoles = pulumi.output(args.instanceRoles);
|
|
450
|
-
}
|
|
451
|
-
else if (args.instanceRole) {
|
|
452
|
-
// Create an instance profile if using a default node group
|
|
453
|
-
if (!skipDefaultNodeGroup) {
|
|
454
|
-
nodeGroupOptions.instanceProfile = createOrGetInstanceProfile(name, parent, args.instanceRole, args.instanceProfileName);
|
|
455
|
-
}
|
|
456
|
-
instanceRoles = pulumi.output([args.instanceRole]);
|
|
457
|
-
defaultInstanceRole = pulumi.output(args.instanceRole);
|
|
458
|
-
}
|
|
459
|
-
else {
|
|
460
|
-
const instanceRole = new servicerole_1.ServiceRole(`${name}-instanceRole`, {
|
|
461
|
-
service: pulumi.interpolate `ec2.${dnsSuffix}`,
|
|
462
|
-
managedPolicyArns: [
|
|
463
|
-
{
|
|
464
|
-
id: "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
|
|
465
|
-
arn: pulumi.interpolate `arn:${partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy`,
|
|
466
|
-
},
|
|
467
|
-
{
|
|
468
|
-
id: "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
|
|
469
|
-
arn: pulumi.interpolate `arn:${partition}:iam::aws:policy/AmazonEKS_CNI_Policy`,
|
|
470
|
-
},
|
|
471
|
-
{
|
|
472
|
-
id: "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
|
|
473
|
-
arn: pulumi.interpolate `arn:${partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly`,
|
|
474
|
-
},
|
|
475
|
-
],
|
|
476
|
-
tags: args.tags,
|
|
477
|
-
}, { parent, provider }).role;
|
|
478
|
-
defaultInstanceRole = instanceRole;
|
|
479
|
-
instanceRoles = pulumi.output([instanceRole]);
|
|
480
|
-
// Create a new policy for the role, if specified.
|
|
481
|
-
if (args.customInstanceRolePolicy) {
|
|
482
|
-
pulumi.log.warn("Option `customInstanceRolePolicy` has been deprecated. Please use `instanceRole` or `instanceRoles`. The role provided to either option should already include all required policies.", eksCluster);
|
|
483
|
-
const customRolePolicy = new aws.iam.RolePolicy(`${name}-EKSWorkerCustomPolicy`, {
|
|
484
|
-
role: instanceRole,
|
|
485
|
-
policy: args.customInstanceRolePolicy,
|
|
486
|
-
}, { parent, provider });
|
|
487
|
-
}
|
|
488
|
-
// Create an instance profile if using a default node group
|
|
489
|
-
if (!skipDefaultNodeGroup) {
|
|
490
|
-
nodeGroupOptions.instanceProfile = createOrGetInstanceProfile(name, parent, instanceRole, args.instanceProfileName);
|
|
491
|
-
}
|
|
492
|
-
}
|
|
493
|
-
let eksNodeAccess = undefined;
|
|
494
|
-
if ((0, authenticationMode_1.supportsConfigMap)(args.authenticationMode)) {
|
|
495
|
-
// Create the aws-auth ConfigMap if the authentication mode supports it. This maps instance roles, regular IAM roles, and IAM users to
|
|
496
|
-
// Kubernetes RBAC users and groups.
|
|
497
|
-
const nodeAccessData = (0, authenticationMode_1.createAwsAuthData)(instanceRoles, args.roleMappings, args.userMappings);
|
|
498
|
-
eksNodeAccess = new k8s.core.v1.ConfigMap(`${name}-nodeAccess`, {
|
|
499
|
-
apiVersion: "v1",
|
|
500
|
-
immutable: false,
|
|
501
|
-
metadata: {
|
|
502
|
-
name: `aws-auth`,
|
|
503
|
-
namespace: "kube-system",
|
|
504
|
-
annotations: {
|
|
505
|
-
"pulumi.com/patchForce": "true",
|
|
506
|
-
},
|
|
507
|
-
},
|
|
508
|
-
data: nodeAccessData,
|
|
509
|
-
}, { parent, provider: k8sProvider });
|
|
510
|
-
}
|
|
511
|
-
// Create the access entries if the authentication mode supports it.
|
|
512
|
-
let accessEntries = undefined;
|
|
513
|
-
if ((0, authenticationMode_1.supportsAccessEntries)(args.authenticationMode)) {
|
|
514
|
-
// This additionally maps the defaultInstanceRole to a EC2_LINUX access entry which allows the nodes to register & communicate with the EKS control plane.
|
|
515
|
-
if (defaultInstanceRole) {
|
|
516
|
-
accessEntries = (0, authenticationMode_1.createAccessEntries)(name, eksCluster.name, {
|
|
517
|
-
defaultNodeGroupInstanceRole: {
|
|
518
|
-
principalArn: defaultInstanceRole.arn,
|
|
519
|
-
type: exports.AccessEntryType.EC2_LINUX,
|
|
520
|
-
},
|
|
521
|
-
}, { parent, provider, dependsOn: [eksCluster] });
|
|
522
|
-
}
|
|
523
|
-
accessEntries = (accessEntries || []).concat((0, authenticationMode_1.createAccessEntries)(name, eksCluster.name, args.accessEntries || {}, {
|
|
524
|
-
parent,
|
|
525
|
-
provider,
|
|
526
|
-
dependsOn: [eksCluster],
|
|
527
|
-
}));
|
|
528
|
-
}
|
|
529
|
-
const authDependencies = [
|
|
530
|
-
...(accessEntries ? accessEntries : []),
|
|
531
|
-
...(eksNodeAccess ? [eksNodeAccess] : []),
|
|
532
|
-
];
|
|
533
|
-
// Add any requested StorageClasses.
|
|
534
|
-
const storageClasses = args.storageClasses || {};
|
|
535
|
-
const userStorageClasses = {};
|
|
536
|
-
if (typeof storageClasses === "string") {
|
|
537
|
-
const storageClass = { type: storageClasses, default: true };
|
|
538
|
-
userStorageClasses[storageClasses] = pulumi.output((0, storageclass_1.createStorageClass)(`${name.toLowerCase()}-${storageClasses}`, storageClass, {
|
|
539
|
-
parent,
|
|
540
|
-
provider: k8sProvider,
|
|
541
|
-
dependsOn: authDependencies,
|
|
542
|
-
}));
|
|
543
|
-
}
|
|
544
|
-
else {
|
|
545
|
-
for (const key of Object.keys(storageClasses)) {
|
|
546
|
-
userStorageClasses[key] = pulumi.output((0, storageclass_1.createStorageClass)(`${name.toLowerCase()}-${key}`, storageClasses[key], {
|
|
547
|
-
parent,
|
|
548
|
-
provider: k8sProvider,
|
|
549
|
-
dependsOn: authDependencies,
|
|
550
|
-
}));
|
|
551
|
-
}
|
|
552
|
-
}
|
|
553
|
-
// Create the VPC CNI management resource.
|
|
554
|
-
let vpcCni;
|
|
555
|
-
if (!args.useDefaultVpcCni) {
|
|
556
|
-
vpcCni = new cni_1.VpcCni(`${name}-vpc-cni`, kubeconfig.apply(JSON.stringify), args.vpcCniOptions, { parent, dependsOn: authDependencies });
|
|
557
|
-
}
|
|
558
|
-
const fargateProfile = pulumi
|
|
559
|
-
.output(args.fargate)
|
|
560
|
-
.apply((argsFargate) => {
|
|
561
|
-
let result;
|
|
562
|
-
if (argsFargate) {
|
|
563
|
-
const fargate = argsFargate !== true ? argsFargate : {};
|
|
564
|
-
const podExecutionRoleArn = fargate.podExecutionRoleArn ||
|
|
565
|
-
new servicerole_1.ServiceRole(`${name}-podExecutionRole`, {
|
|
566
|
-
service: "eks-fargate-pods.amazonaws.com",
|
|
567
|
-
managedPolicyArns: [
|
|
568
|
-
{
|
|
569
|
-
id: "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy",
|
|
570
|
-
arn: pulumi.interpolate `arn:${partition}:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy`,
|
|
571
|
-
},
|
|
572
|
-
],
|
|
573
|
-
tags: args.tags,
|
|
574
|
-
}, { parent, provider }).role.apply((r) => r.arn);
|
|
575
|
-
const selectors = fargate.selectors || [
|
|
576
|
-
// For `fargate: true`, default to including the `default` namespaces and
|
|
577
|
-
// `kube-system` namespaces so that all pods by default run in Fargate.
|
|
578
|
-
{ namespace: "default" },
|
|
579
|
-
{ namespace: "kube-system" },
|
|
580
|
-
];
|
|
581
|
-
const reservedAwsPrefix = "eks";
|
|
582
|
-
let fargateProfileName = name;
|
|
583
|
-
const profileNameRegex = new RegExp("^" + reservedAwsPrefix + "-", "i"); // starts with (^) 'eks-', (i)gnore casing
|
|
584
|
-
if (fargateProfileName === reservedAwsPrefix || profileNameRegex.test(name)) {
|
|
585
|
-
fargateProfileName = fargateProfileName.replace("-", "_");
|
|
586
|
-
fargateProfileName = `${fargateProfileName}fargateProfile`;
|
|
587
|
-
}
|
|
588
|
-
else {
|
|
589
|
-
// default, and to maintain backwards compat for existing cluster fargate profiles.
|
|
590
|
-
fargateProfileName = `${fargateProfileName}-fargateProfile`;
|
|
591
|
-
}
|
|
592
|
-
result = new aws.eks.FargateProfile(fargateProfileName, {
|
|
593
|
-
clusterName: eksCluster.name,
|
|
594
|
-
podExecutionRoleArn: podExecutionRoleArn,
|
|
595
|
-
selectors: selectors,
|
|
596
|
-
subnetIds: pulumi.output(clusterSubnetIds).apply((subnets) => {
|
|
597
|
-
var _a;
|
|
598
|
-
if (((_a = fargate.subnetIds) === null || _a === void 0 ? void 0 : _a.length) && fargate.subnetIds.length > 0) {
|
|
599
|
-
return (0, nodegroup_1.computeWorkerSubnets)(parent, fargate.subnetIds);
|
|
600
|
-
}
|
|
601
|
-
else {
|
|
602
|
-
return (0, nodegroup_1.computeWorkerSubnets)(parent, subnets);
|
|
603
|
-
}
|
|
604
|
-
}),
|
|
605
|
-
}, { parent, dependsOn: eksNodeAccess ? [eksNodeAccess] : undefined, provider });
|
|
606
|
-
// Once the FargateProfile has been created, try to patch/remove the CoreDNS computeType annotation. See
|
|
607
|
-
// https://docs.aws.amazon.com/eks/latest/userguide/fargate-getting-started.html#fargate-gs-coredns.
|
|
608
|
-
pulumi.all([result.id, selectors, kubeconfig]).apply(([_, sels, kconfig]) => {
|
|
609
|
-
// Only patch CoreDNS if there is a selector in the FargateProfile which causes
|
|
610
|
-
// `kube-system` pods to launch in Fargate.
|
|
611
|
-
if (sels.findIndex((s) => s.namespace === "kube-system") !== -1) {
|
|
612
|
-
// Only do the imperative patching during deployments, not previews.
|
|
613
|
-
if (!pulumi.runtime.isDryRun()) {
|
|
614
|
-
// Write the kubeconfig to a tmp file and use it to patch the `coredns`
|
|
615
|
-
// deployment that AWS deployed already as part of cluster creation.
|
|
616
|
-
const tmpKubeconfig = tmp.fileSync();
|
|
617
|
-
fs.writeFileSync(tmpKubeconfig.fd, JSON.stringify(kconfig));
|
|
618
|
-
// Determine if the CoreDNS deployment has a computeType annotation.
|
|
619
|
-
const cmdGetAnnos = `kubectl get deployment coredns -n kube-system -o jsonpath='{.spec.template.metadata.annotations}'`;
|
|
620
|
-
const getAnnosOutput = childProcess.execSync(cmdGetAnnos, {
|
|
621
|
-
env: Object.assign(Object.assign({}, process.env), { KUBECONFIG: tmpKubeconfig.name }),
|
|
622
|
-
});
|
|
623
|
-
const getAnnosOutputStr = getAnnosOutput.toString();
|
|
624
|
-
// See if getAnnosOutputStr contains the annotation we're looking for.
|
|
625
|
-
if (!getAnnosOutputStr.includes("eks.amazonaws.com/compute-type")) {
|
|
626
|
-
// No need to patch the deployment object since the annotation is not present. However, we need to re-create the CoreDNS pods since
|
|
627
|
-
// the existing pods were created before the FargateProfile was created, and therefore will not have been scheduled by fargate-scheduler.
|
|
628
|
-
// See: https://github.com/pulumi/pulumi-eks/issues/1030.
|
|
629
|
-
const cmd = `kubectl rollout restart deployment coredns -n kube-system`;
|
|
630
|
-
childProcess.execSync(cmd, {
|
|
631
|
-
env: Object.assign(Object.assign({}, process.env), { KUBECONFIG: tmpKubeconfig.name }),
|
|
632
|
-
});
|
|
633
|
-
return;
|
|
634
|
-
}
|
|
635
|
-
const patch = [
|
|
636
|
-
{
|
|
637
|
-
op: "remove",
|
|
638
|
-
path: "/spec/template/metadata/annotations/eks.amazonaws.com~1compute-type",
|
|
639
|
-
},
|
|
640
|
-
];
|
|
641
|
-
const cmd = `kubectl patch deployment coredns -n kube-system --type json -p='${JSON.stringify(patch)}'`;
|
|
642
|
-
childProcess.execSync(cmd, {
|
|
643
|
-
env: Object.assign(Object.assign({}, process.env), { KUBECONFIG: tmpKubeconfig.name }),
|
|
644
|
-
});
|
|
645
|
-
}
|
|
646
|
-
}
|
|
647
|
-
});
|
|
34
|
+
static isInstance(obj) {
|
|
35
|
+
if (obj === undefined || obj === null) {
|
|
36
|
+
return false;
|
|
648
37
|
}
|
|
649
|
-
return
|
|
650
|
-
});
|
|
651
|
-
// Setup OIDC provider to leverage IAM roles for k8s service accounts.
|
|
652
|
-
let oidcProvider;
|
|
653
|
-
if (args.createOidcProvider) {
|
|
654
|
-
// Retrieve the OIDC provider URL's intermediate root CA fingerprint.
|
|
655
|
-
const awsRegionName = pulumi.output(aws.getRegion({}, { parent, async: true })).name;
|
|
656
|
-
const eksOidcProviderUrl = pulumi.interpolate `https://oidc.eks.${awsRegionName}.${dnsSuffix}`;
|
|
657
|
-
const agent = createHttpAgent(args.proxy);
|
|
658
|
-
const fingerprint = (0, cert_thumprint_1.getIssuerCAThumbprint)(eksOidcProviderUrl, agent);
|
|
659
|
-
// Create the OIDC provider for the cluster.
|
|
660
|
-
oidcProvider = new aws.iam.OpenIdConnectProvider(`${name}-oidcProvider`, {
|
|
661
|
-
clientIdLists: ["sts.amazonaws.com"],
|
|
662
|
-
url: eksCluster.identities[0].oidcs[0].issuer,
|
|
663
|
-
thumbprintLists: [fingerprint],
|
|
664
|
-
}, { parent, provider });
|
|
38
|
+
return obj['__pulumiType'] === Cluster.__pulumiType;
|
|
665
39
|
}
|
|
666
|
-
return {
|
|
667
|
-
vpcId: pulumi.output(vpcId),
|
|
668
|
-
subnetIds: args.subnetIds ? pulumi.output(args.subnetIds) : pulumi.output(clusterSubnetIds),
|
|
669
|
-
publicSubnetIds: args.publicSubnetIds ? pulumi.output(args.publicSubnetIds) : undefined,
|
|
670
|
-
privateSubnetIds: args.privateSubnetIds ? pulumi.output(args.privateSubnetIds) : undefined,
|
|
671
|
-
clusterSecurityGroup: eksClusterSecurityGroup,
|
|
672
|
-
cluster: eksCluster,
|
|
673
|
-
endpoint: endpoint,
|
|
674
|
-
nodeGroupOptions: nodeGroupOptions,
|
|
675
|
-
kubeconfig: kubeconfigWithoutProfile,
|
|
676
|
-
provider: k8sProvider,
|
|
677
|
-
awsProvider: provider,
|
|
678
|
-
vpcCni: vpcCni,
|
|
679
|
-
instanceRoles: instanceRoles,
|
|
680
|
-
eksNodeAccess: eksNodeAccess,
|
|
681
|
-
tags: args.tags,
|
|
682
|
-
nodeSecurityGroupTags: args.nodeSecurityGroupTags,
|
|
683
|
-
storageClasses: userStorageClasses,
|
|
684
|
-
fargateProfile: fargateProfile,
|
|
685
|
-
oidcProvider: oidcProvider,
|
|
686
|
-
encryptionConfig: encryptionConfig,
|
|
687
|
-
clusterIamRole: eksRole,
|
|
688
|
-
accessEntries: accessEntries ? pulumi.output(accessEntries) : undefined,
|
|
689
|
-
};
|
|
690
|
-
}
|
|
691
|
-
exports.createCore = createCore;
|
|
692
|
-
/**
|
|
693
|
-
* Create an HTTP Agent for use with HTTP(S) requests.
|
|
694
|
-
* Using a proxy is supported.
|
|
695
|
-
*/
|
|
696
|
-
function createHttpAgent(proxy) {
|
|
697
|
-
if (!proxy) {
|
|
698
|
-
// Attempt to default to the proxy env vars.
|
|
699
|
-
//
|
|
700
|
-
// Note: Envars used are a convention that were based on:
|
|
701
|
-
// - curl: https://curl.haxx.se/docs/manual.html
|
|
702
|
-
// - wget: https://www.gnu.org/software/wget/manual/html_node/Proxies.html
|
|
703
|
-
proxy =
|
|
704
|
-
process.env.HTTPS_PROXY ||
|
|
705
|
-
process.env.https_proxy ||
|
|
706
|
-
process.env.HTTP_PROXY ||
|
|
707
|
-
process.env.http_proxy;
|
|
708
|
-
}
|
|
709
|
-
if (proxy) {
|
|
710
|
-
/**
|
|
711
|
-
* Create an HTTP(s) proxy agent with the given options.
|
|
712
|
-
*
|
|
713
|
-
* The agent connects to the proxy and issues a HTTP CONNECT
|
|
714
|
-
* method to the proxy, which connects to the dest.
|
|
715
|
-
*
|
|
716
|
-
* Note: CONNECT is not cacheable.
|
|
717
|
-
*
|
|
718
|
-
* See for more details:
|
|
719
|
-
* - https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT
|
|
720
|
-
* - https://www.npmjs.com/package/https-proxy-agent
|
|
721
|
-
*/
|
|
722
|
-
return HttpsProxyAgent(Object.assign(Object.assign({}, url.parse(proxy)), { rejectUnauthorized: false }));
|
|
723
|
-
}
|
|
724
|
-
return new https.Agent({
|
|
725
|
-
// Cached sessions can result in the certificate not being
|
|
726
|
-
// available since its already been "accepted." Disable caching.
|
|
727
|
-
maxCachedSessions: 0,
|
|
728
|
-
});
|
|
729
|
-
}
|
|
730
|
-
/* tslint:disable-next-line */ // Generating the enum object for AuthenticationMode like codegen does
|
|
731
|
-
exports.AuthenticationMode = {
|
|
732
|
-
/**
|
|
733
|
-
* Only Access Entries will be used for authenticating to the Kubernetes API.
|
|
734
|
-
*/
|
|
735
|
-
API: "API",
|
|
736
|
-
/**
|
|
737
|
-
* Only aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
|
|
738
|
-
*
|
|
739
|
-
* @deprecated The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API.
|
|
740
|
-
* For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
|
|
741
|
-
*/
|
|
742
|
-
CONFIG_MAP: "CONFIG_MAP",
|
|
743
|
-
/**
|
|
744
|
-
* Both aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
|
|
745
|
-
*
|
|
746
|
-
* @deprecated The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API.
|
|
747
|
-
* For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
|
|
748
|
-
*/
|
|
749
|
-
API_AND_CONFIG_MAP: "API_AND_CONFIG_MAP",
|
|
750
|
-
};
|
|
751
|
-
/* tslint:disable-next-line */ // Generating the enum object for AccessEntryType like codegen does
|
|
752
|
-
exports.AccessEntryType = {
|
|
753
|
-
/**
|
|
754
|
-
* Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
|
|
755
|
-
*/
|
|
756
|
-
STANDARD: "STANDARD",
|
|
757
|
-
/**
|
|
758
|
-
* For IAM roles used with AWS Fargate profiles.
|
|
759
|
-
*/
|
|
760
|
-
FARGATE_LINUX: "FARGATE_LINUX",
|
|
761
|
-
/**
|
|
762
|
-
* For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
|
|
763
|
-
*/
|
|
764
|
-
EC2_LINUX: "EC2_LINUX",
|
|
765
|
-
/**
|
|
766
|
-
* For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
|
|
767
|
-
*/
|
|
768
|
-
EC2_WINDOWS: "EC2_WINDOWS",
|
|
769
|
-
};
|
|
770
|
-
/**
|
|
771
|
-
* Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker
|
|
772
|
-
* nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.
|
|
773
|
-
*/
|
|
774
|
-
class Cluster extends pulumi.ComponentResource {
|
|
775
40
|
/**
|
|
776
|
-
* Create a
|
|
777
|
-
* requested.
|
|
41
|
+
* Create a Cluster resource with the given unique name, arguments, and options.
|
|
778
42
|
*
|
|
779
|
-
* @param name The _unique_ name of
|
|
780
|
-
* @param args The arguments
|
|
781
|
-
* @param opts A bag of options that control this
|
|
43
|
+
* @param name The _unique_ name of the resource.
|
|
44
|
+
* @param args The arguments to use to populate this resource's properties.
|
|
45
|
+
* @param opts A bag of options that control this resource's behavior.
|
|
782
46
|
*/
|
|
783
47
|
constructor(name, args, opts) {
|
|
784
|
-
|
|
785
|
-
|
|
786
|
-
|
|
787
|
-
|
|
788
|
-
|
|
789
|
-
|
|
790
|
-
|
|
791
|
-
|
|
48
|
+
let resourceInputs = {};
|
|
49
|
+
opts = opts || {};
|
|
50
|
+
if (!opts.id) {
|
|
51
|
+
resourceInputs["accessEntries"] = args ? args.accessEntries : undefined;
|
|
52
|
+
resourceInputs["authenticationMode"] = args ? args.authenticationMode : undefined;
|
|
53
|
+
resourceInputs["clusterSecurityGroup"] = args ? args.clusterSecurityGroup : undefined;
|
|
54
|
+
resourceInputs["clusterSecurityGroupTags"] = args ? args.clusterSecurityGroupTags : undefined;
|
|
55
|
+
resourceInputs["clusterTags"] = args ? args.clusterTags : undefined;
|
|
56
|
+
resourceInputs["corednsAddonOptions"] = args ? (args.corednsAddonOptions ? inputs.coreDnsAddonOptionsArgsProvideDefaults(args.corednsAddonOptions) : undefined) : undefined;
|
|
57
|
+
resourceInputs["createOidcProvider"] = args ? args.createOidcProvider : undefined;
|
|
58
|
+
resourceInputs["creationRoleProvider"] = args ? args.creationRoleProvider : undefined;
|
|
59
|
+
resourceInputs["defaultAddonsToRemove"] = args ? args.defaultAddonsToRemove : undefined;
|
|
60
|
+
resourceInputs["desiredCapacity"] = args ? args.desiredCapacity : undefined;
|
|
61
|
+
resourceInputs["enableConfigMapMutable"] = args ? args.enableConfigMapMutable : undefined;
|
|
62
|
+
resourceInputs["enabledClusterLogTypes"] = args ? args.enabledClusterLogTypes : undefined;
|
|
63
|
+
resourceInputs["encryptionConfigKeyArn"] = args ? args.encryptionConfigKeyArn : undefined;
|
|
64
|
+
resourceInputs["endpointPrivateAccess"] = args ? args.endpointPrivateAccess : undefined;
|
|
65
|
+
resourceInputs["endpointPublicAccess"] = args ? args.endpointPublicAccess : undefined;
|
|
66
|
+
resourceInputs["fargate"] = args ? args.fargate : undefined;
|
|
67
|
+
resourceInputs["gpu"] = args ? args.gpu : undefined;
|
|
68
|
+
resourceInputs["instanceProfileName"] = args ? args.instanceProfileName : undefined;
|
|
69
|
+
resourceInputs["instanceRole"] = args ? args.instanceRole : undefined;
|
|
70
|
+
resourceInputs["instanceRoles"] = args ? args.instanceRoles : undefined;
|
|
71
|
+
resourceInputs["instanceType"] = args ? args.instanceType : undefined;
|
|
72
|
+
resourceInputs["ipFamily"] = args ? args.ipFamily : undefined;
|
|
73
|
+
resourceInputs["kubeProxyAddonOptions"] = args ? (args.kubeProxyAddonOptions ? inputs.kubeProxyAddonOptionsArgsProvideDefaults(args.kubeProxyAddonOptions) : undefined) : undefined;
|
|
74
|
+
resourceInputs["kubernetesServiceIpAddressRange"] = args ? args.kubernetesServiceIpAddressRange : undefined;
|
|
75
|
+
resourceInputs["maxSize"] = args ? args.maxSize : undefined;
|
|
76
|
+
resourceInputs["minSize"] = args ? args.minSize : undefined;
|
|
77
|
+
resourceInputs["name"] = args ? args.name : undefined;
|
|
78
|
+
resourceInputs["nodeAmiId"] = args ? args.nodeAmiId : undefined;
|
|
79
|
+
resourceInputs["nodeAssociatePublicIpAddress"] = args ? args.nodeAssociatePublicIpAddress : undefined;
|
|
80
|
+
resourceInputs["nodeGroupOptions"] = args ? args.nodeGroupOptions : undefined;
|
|
81
|
+
resourceInputs["nodePublicKey"] = args ? args.nodePublicKey : undefined;
|
|
82
|
+
resourceInputs["nodeRootVolumeEncrypted"] = args ? args.nodeRootVolumeEncrypted : undefined;
|
|
83
|
+
resourceInputs["nodeRootVolumeSize"] = args ? args.nodeRootVolumeSize : undefined;
|
|
84
|
+
resourceInputs["nodeSecurityGroupTags"] = args ? args.nodeSecurityGroupTags : undefined;
|
|
85
|
+
resourceInputs["nodeSubnetIds"] = args ? args.nodeSubnetIds : undefined;
|
|
86
|
+
resourceInputs["nodeUserData"] = args ? args.nodeUserData : undefined;
|
|
87
|
+
resourceInputs["privateSubnetIds"] = args ? args.privateSubnetIds : undefined;
|
|
88
|
+
resourceInputs["providerCredentialOpts"] = args ? args.providerCredentialOpts : undefined;
|
|
89
|
+
resourceInputs["proxy"] = args ? args.proxy : undefined;
|
|
90
|
+
resourceInputs["publicAccessCidrs"] = args ? args.publicAccessCidrs : undefined;
|
|
91
|
+
resourceInputs["publicSubnetIds"] = args ? args.publicSubnetIds : undefined;
|
|
92
|
+
resourceInputs["roleMappings"] = args ? args.roleMappings : undefined;
|
|
93
|
+
resourceInputs["serviceRole"] = args ? args.serviceRole : undefined;
|
|
94
|
+
resourceInputs["skipDefaultNodeGroup"] = args ? args.skipDefaultNodeGroup : undefined;
|
|
95
|
+
resourceInputs["storageClasses"] = args ? args.storageClasses : undefined;
|
|
96
|
+
resourceInputs["subnetIds"] = args ? args.subnetIds : undefined;
|
|
97
|
+
resourceInputs["tags"] = args ? args.tags : undefined;
|
|
98
|
+
resourceInputs["useDefaultVpcCni"] = args ? args.useDefaultVpcCni : undefined;
|
|
99
|
+
resourceInputs["userMappings"] = args ? args.userMappings : undefined;
|
|
100
|
+
resourceInputs["version"] = args ? args.version : undefined;
|
|
101
|
+
resourceInputs["vpcCniOptions"] = args ? (args.vpcCniOptions ? inputs.vpcCniOptionsArgsProvideDefaults(args.vpcCniOptions) : undefined) : undefined;
|
|
102
|
+
resourceInputs["vpcId"] = args ? args.vpcId : undefined;
|
|
103
|
+
resourceInputs["awsProvider"] = undefined /*out*/;
|
|
104
|
+
resourceInputs["core"] = undefined /*out*/;
|
|
105
|
+
resourceInputs["defaultNodeGroup"] = undefined /*out*/;
|
|
106
|
+
resourceInputs["eksCluster"] = undefined /*out*/;
|
|
107
|
+
resourceInputs["eksClusterIngressRule"] = undefined /*out*/;
|
|
108
|
+
resourceInputs["kubeconfig"] = undefined /*out*/;
|
|
109
|
+
resourceInputs["kubeconfigJson"] = undefined /*out*/;
|
|
110
|
+
resourceInputs["nodeSecurityGroup"] = undefined /*out*/;
|
|
792
111
|
}
|
|
793
|
-
|
|
794
|
-
|
|
795
|
-
|
|
796
|
-
|
|
797
|
-
|
|
798
|
-
|
|
799
|
-
|
|
800
|
-
|
|
801
|
-
|
|
802
|
-
|
|
803
|
-
|
|
804
|
-
|
|
805
|
-
|
|
806
|
-
|
|
807
|
-
eksCluster: this.eksCluster,
|
|
808
|
-
});
|
|
809
|
-
}
|
|
810
|
-
/**
|
|
811
|
-
* Create a self-managed node group using CloudFormation and an ASG.
|
|
812
|
-
*
|
|
813
|
-
* See for more details:
|
|
814
|
-
* https://docs.aws.amazon.com/eks/latest/userguide/worker.html
|
|
815
|
-
*/
|
|
816
|
-
createNodeGroup(name, args) {
|
|
817
|
-
const awsProvider = this.core.awsProvider ? { aws: this.core.awsProvider } : undefined;
|
|
818
|
-
return new nodegroup_1.NodeGroup(name, Object.assign(Object.assign({}, args), { cluster: this.core, nodeSecurityGroup: this.core.nodeGroupOptions.nodeSecurityGroup, clusterIngressRule: this.core.nodeGroupOptions.clusterIngressRule }), {
|
|
819
|
-
parent: this,
|
|
820
|
-
providers: Object.assign(Object.assign({}, awsProvider), { kubernetes: this.provider }),
|
|
821
|
-
});
|
|
112
|
+
else {
|
|
113
|
+
resourceInputs["awsProvider"] = undefined /*out*/;
|
|
114
|
+
resourceInputs["clusterSecurityGroup"] = undefined /*out*/;
|
|
115
|
+
resourceInputs["core"] = undefined /*out*/;
|
|
116
|
+
resourceInputs["defaultNodeGroup"] = undefined /*out*/;
|
|
117
|
+
resourceInputs["eksCluster"] = undefined /*out*/;
|
|
118
|
+
resourceInputs["eksClusterIngressRule"] = undefined /*out*/;
|
|
119
|
+
resourceInputs["instanceRoles"] = undefined /*out*/;
|
|
120
|
+
resourceInputs["kubeconfig"] = undefined /*out*/;
|
|
121
|
+
resourceInputs["kubeconfigJson"] = undefined /*out*/;
|
|
122
|
+
resourceInputs["nodeSecurityGroup"] = undefined /*out*/;
|
|
123
|
+
}
|
|
124
|
+
opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
|
|
125
|
+
super(Cluster.__pulumiType, name, resourceInputs, opts, true /*remote*/);
|
|
822
126
|
}
|
|
823
127
|
/**
|
|
824
|
-
* Generate a kubeconfig for cluster authentication that does not use the
|
|
825
|
-
* default AWS credential provider chain, and instead is scoped to
|
|
826
|
-
* the supported options in `KubeconfigOptions`.
|
|
128
|
+
* Generate a kubeconfig for cluster authentication that does not use the default AWS credential provider chain, and instead is scoped to the supported options in `KubeconfigOptions`.
|
|
827
129
|
*
|
|
828
|
-
* The kubeconfig generated is automatically stringified for ease of use
|
|
829
|
-
* with the pulumi/kubernetes provider.
|
|
130
|
+
* The kubeconfig generated is automatically stringified for ease of use with the pulumi/kubernetes provider.
|
|
830
131
|
*
|
|
831
132
|
* See for more details:
|
|
832
133
|
* - https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
|
|
@@ -834,143 +135,15 @@ class Cluster extends pulumi.ComponentResource {
|
|
|
834
135
|
* - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
|
|
835
136
|
*/
|
|
836
137
|
getKubeconfig(args) {
|
|
837
|
-
|
|
838
|
-
|
|
839
|
-
|
|
138
|
+
args = args || {};
|
|
139
|
+
return pulumi.runtime.call("eks:index:Cluster/getKubeconfig", {
|
|
140
|
+
"__self__": this,
|
|
141
|
+
"profileName": args.profileName,
|
|
142
|
+
"roleArn": args.roleArn,
|
|
143
|
+
}, this);
|
|
840
144
|
}
|
|
841
145
|
}
|
|
842
146
|
exports.Cluster = Cluster;
|
|
843
147
|
/** @internal */
|
|
844
|
-
|
|
845
|
-
args = args || {};
|
|
846
|
-
// Check that AWS provider credential options are set for the kubeconfig
|
|
847
|
-
// to use with the given auth method.
|
|
848
|
-
if ((opts === null || opts === void 0 ? void 0 : opts.provider) && !args.providerCredentialOpts) {
|
|
849
|
-
throw new Error("It looks like you're using an explicit AWS provider. Please specify this provider in providerCredentialOpts.");
|
|
850
|
-
}
|
|
851
|
-
if (process.env.AWS_PROFILE && !args.providerCredentialOpts) {
|
|
852
|
-
args.providerCredentialOpts = {
|
|
853
|
-
profileName: process.env.AWS_PROFILE,
|
|
854
|
-
};
|
|
855
|
-
}
|
|
856
|
-
const awsConfig = new pulumi.Config("aws");
|
|
857
|
-
const awsProfile = awsConfig.get("profile");
|
|
858
|
-
if (awsProfile && !args.providerCredentialOpts) {
|
|
859
|
-
args.providerCredentialOpts = {
|
|
860
|
-
profileName: awsProfile,
|
|
861
|
-
};
|
|
862
|
-
}
|
|
863
|
-
// Create the core resources required by the cluster.
|
|
864
|
-
const core = createCore(name, args, self, opts === null || opts === void 0 ? void 0 : opts.provider);
|
|
865
|
-
// Create default node group security group and cluster ingress rule.
|
|
866
|
-
const [nodeSecurityGroup, eksClusterIngressRule] = (0, securitygroup_1.createNodeGroupSecurityGroup)(name, {
|
|
867
|
-
vpcId: core.vpcId,
|
|
868
|
-
clusterSecurityGroup: core.clusterSecurityGroup,
|
|
869
|
-
eksCluster: core.cluster,
|
|
870
|
-
tags: pulumi.all([args.tags, args.nodeSecurityGroupTags]).apply(([tags, nodeSecurityGroupTags]) => (Object.assign(Object.assign({}, nodeSecurityGroupTags), tags))),
|
|
871
|
-
}, self);
|
|
872
|
-
core.nodeGroupOptions.nodeSecurityGroup = nodeSecurityGroup;
|
|
873
|
-
core.nodeGroupOptions.clusterIngressRule = eksClusterIngressRule;
|
|
874
|
-
const skipDefaultNodeGroup = args.skipDefaultNodeGroup || args.fargate;
|
|
875
|
-
// Create the default worker node group and grant the workers access to the API server.
|
|
876
|
-
const configDeps = [core.kubeconfig];
|
|
877
|
-
let defaultNodeGroup = undefined;
|
|
878
|
-
if (!skipDefaultNodeGroup) {
|
|
879
|
-
defaultNodeGroup = (0, nodegroup_1.createNodeGroup)(name, Object.assign({ cluster: core }, core.nodeGroupOptions), self);
|
|
880
|
-
if (defaultNodeGroup.cfnStack) {
|
|
881
|
-
configDeps.push(defaultNodeGroup.cfnStack.id);
|
|
882
|
-
}
|
|
883
|
-
}
|
|
884
|
-
// Export the cluster's kubeconfig with a dependency upon the cluster's autoscaling group. This will help
|
|
885
|
-
// ensure that the cluster's consumers do not attempt to use the cluster until its workers are attached.
|
|
886
|
-
const kubeconfig = pulumi.all(configDeps).apply(([kc]) => kc);
|
|
887
|
-
const kubeconfigJson = kubeconfig.apply(JSON.stringify);
|
|
888
|
-
// Export a k8s provider with the above kubeconfig. Note that we do not export the provider we created earlier
|
|
889
|
-
// in order to help ensure that worker nodes are available before the provider can be used.
|
|
890
|
-
const provider = new k8s.Provider(`${name}-provider`, {
|
|
891
|
-
kubeconfig: kubeconfigJson,
|
|
892
|
-
}, { parent: self });
|
|
893
|
-
// If we need to deploy the Kubernetes dashboard, do so now.
|
|
894
|
-
if (args.deployDashboard) {
|
|
895
|
-
pulumi.log.warn("Option `deployDashboard` has been deprecated. Please consider using the Helm chart, or writing the dashboard directly in Pulumi.", core.cluster);
|
|
896
|
-
(0, dashboard_1.createDashboard)(name, {}, self, provider);
|
|
897
|
-
}
|
|
898
|
-
return {
|
|
899
|
-
core,
|
|
900
|
-
clusterSecurityGroup: core.clusterSecurityGroup,
|
|
901
|
-
eksCluster: core.cluster,
|
|
902
|
-
instanceRoles: core.instanceRoles,
|
|
903
|
-
awsProvider: core.awsProvider,
|
|
904
|
-
nodeSecurityGroup,
|
|
905
|
-
eksClusterIngressRule,
|
|
906
|
-
defaultNodeGroup,
|
|
907
|
-
kubeconfig,
|
|
908
|
-
kubeconfigJson,
|
|
909
|
-
provider,
|
|
910
|
-
};
|
|
911
|
-
}
|
|
912
|
-
exports.createCluster = createCluster;
|
|
913
|
-
/**
|
|
914
|
-
* This is a variant of `Cluster` that is used for the MLC `Cluster`. We don't just use `Cluster`,
|
|
915
|
-
* because not all of its output properties are typed as `Output<T>`, which prevents it from being
|
|
916
|
-
* able to be correctly "rehydrated" from a resource reference. So we use this copy instead rather
|
|
917
|
-
* than modifying the public surface area of the existing `Cluster` class, which is still being
|
|
918
|
-
* used directly by users using the Node.js SDK. Once we move Node.js over to the generated MLC SDK,
|
|
919
|
-
* we can clean all this up. Internally, this leverages the same `createCluster` helper method that
|
|
920
|
-
* `Cluster` uses.
|
|
921
|
-
*
|
|
922
|
-
* @internal
|
|
923
|
-
*/
|
|
924
|
-
class ClusterInternal extends pulumi.ComponentResource {
|
|
925
|
-
constructor(name, args, opts) {
|
|
926
|
-
var _a;
|
|
927
|
-
const type = "eks:index:Cluster";
|
|
928
|
-
if (opts === null || opts === void 0 ? void 0 : opts.urn) {
|
|
929
|
-
const props = {
|
|
930
|
-
clusterSecurityGroup: undefined,
|
|
931
|
-
core: undefined,
|
|
932
|
-
defaultNodeGroup: undefined,
|
|
933
|
-
eksCluster: undefined,
|
|
934
|
-
eksClusterIngressRule: undefined,
|
|
935
|
-
instanceRoles: undefined,
|
|
936
|
-
kubeconfig: undefined,
|
|
937
|
-
kubeconfigJson: undefined,
|
|
938
|
-
nodeSecurityGroup: undefined,
|
|
939
|
-
};
|
|
940
|
-
super(type, name, props, opts);
|
|
941
|
-
return;
|
|
942
|
-
}
|
|
943
|
-
super(type, name, args, opts);
|
|
944
|
-
if ((_a = args === null || args === void 0 ? void 0 : args.creationRoleProvider) === null || _a === void 0 ? void 0 : _a.provider) {
|
|
945
|
-
throw new Error("The `creationRoleProvider.provider` option is not supported in non-nodejs Pulumi programs. Please use the `providerCredentialOpts` option instead.");
|
|
946
|
-
}
|
|
947
|
-
const cluster = createCluster(name, this, args, opts);
|
|
948
|
-
this.kubeconfig = cluster.kubeconfig;
|
|
949
|
-
this.kubeconfigJson = cluster.kubeconfigJson;
|
|
950
|
-
this.clusterSecurityGroup = pulumi.output(cluster.clusterSecurityGroup);
|
|
951
|
-
this.instanceRoles = cluster.instanceRoles;
|
|
952
|
-
this.nodeSecurityGroup = pulumi.output(cluster.nodeSecurityGroup);
|
|
953
|
-
this.eksClusterIngressRule = pulumi.output(cluster.eksClusterIngressRule);
|
|
954
|
-
this.defaultNodeGroup = pulumi.output(cluster.defaultNodeGroup);
|
|
955
|
-
this.eksCluster = pulumi.output(cluster.eksCluster);
|
|
956
|
-
this.core = pulumi.output(cluster.core);
|
|
957
|
-
this.registerOutputs({
|
|
958
|
-
clusterSecurityGroup: this.clusterSecurityGroup,
|
|
959
|
-
core: this.core,
|
|
960
|
-
defaultNodeGroup: this.defaultNodeGroup,
|
|
961
|
-
eksCluster: this.eksCluster,
|
|
962
|
-
eksClusterIngressRule: this.eksClusterIngressRule,
|
|
963
|
-
instanceRoles: this.instanceRoles,
|
|
964
|
-
kubeconfig: this.kubeconfig,
|
|
965
|
-
kubeconfigJson: this.kubeconfigJson,
|
|
966
|
-
nodeSecurityGroup: this.nodeSecurityGroup,
|
|
967
|
-
});
|
|
968
|
-
}
|
|
969
|
-
getKubeconfig(args) {
|
|
970
|
-
var _a;
|
|
971
|
-
const kc = generateKubeconfig(this.eksCluster.name, this.eksCluster.endpoint, true, (_a = this.eksCluster.certificateAuthority) === null || _a === void 0 ? void 0 : _a.data, args);
|
|
972
|
-
return pulumi.output(kc).apply(JSON.stringify);
|
|
973
|
-
}
|
|
974
|
-
}
|
|
975
|
-
exports.ClusterInternal = ClusterInternal;
|
|
148
|
+
Cluster.__pulumiType = 'eks:index:Cluster';
|
|
976
149
|
//# sourceMappingURL=cluster.js.map
|
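Review bot: The doc comment kept above `getKubeconfig` still says the kubeconfig is "automatically stringified", but the new body returns the `pulumi.runtime.call("eks:index:Cluster/getKubeconfig", …)` result as-is, so what callers receive is decided by the provider and cannot be confirmed from this hunk. The removed `ClusterInternal.getKubeconfig` returned `pulumi.output(kc).apply(JSON.stringify)`; if the remote call resolves to a wrapper object rather than the JSON string, callers that hand the value straight to a Kubernetes provider would break. I would add a line such as `* @returns The result of the provider's getKubeconfig call; verify whether this is the JSON string itself or an object wrapping it.` The guard removed with `createCluster` (an explicit AWS provider without `providerCredentialOpts` throws) has no counterpart on the new side of this file, so it is worth confirming that the provider still enforces it. The doc comment and the `Cluster` class both begin above this hunk.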