diff --git a/bin/main.ts b/bin/main.ts
index 45c94f953..bf34c2d0f 100644
--- a/bin/main.ts
+++ b/bin/main.ts
@@ -1,18 +1,22 @@
 #!/usr/bin/env node
+import * as cdk from '@aws-cdk/core';
 import { InstanceType, IVpc } from '@aws-cdk/aws-ec2';
 import { Cluster, FargateProfileOptions, KubernetesVersion, MachineImageType, NodegroupAmiType } from '@aws-cdk/aws-eks';
-import * as cdk from '@aws-cdk/core';
-import { AppMeshAddon } from '../lib/addons/appmesh/appMeshAddon';
-import { ArgoCDAddOn } from '../lib/addons/argocd/argoCDAddon';
-import { CalicoNetworkPolicyAddon } from '../lib/addons/calico/calicoAddon';
-import { ContainerInsightsAddOn } from '../lib/addons/cloudwatch/containerInsightsAddon';
-import { ClusterAutoScaler } from '../lib/addons/cluster-autoscaler/clusterAutoscalerAddon';
-import { MetricsServerAddon } from '../lib/addons/metrics-server/metricsServerAddon';
-import { NginxAddon } from '../lib/addons/nginx/nginxAddon';
-import { EC2ClusterProvider, EC2ProviderClusterProps } from '../lib/ec2-cluster-provider';
+
+// Blueprint
 import { CdkEksBlueprintStack, ClusterAddOn, ClusterInfo, ClusterProvider, TeamSetup } from '../lib/eksBlueprintStack';
+
+// Addons
+import * as addon from '../lib/addons'
+
+// Cluster Providers
 import { FargateClusterProvider } from '../lib/fargate-cluster-provider';
+import { EC2ClusterProvider, EC2ProviderClusterProps } from '../lib/ec2-cluster-provider';
+
+// Pipeline
 import { PipelineStack } from '../lib/pipelineStack';
+
+// Teams
 import { TeamBurnhamSetup } from '../lib/teams/team-burnham/setup';
 import { TeamRikerSetup } from '../lib/teams/team-riker/setup';
 import { TeamTroiSetup } from '../lib/teams/team-troi/setup';
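Review bot: The new barrel import is the only line in this import block without a trailing semicolon, while every other import in the hunk ends with one; it should read `import * as addon from '../lib/addons';`. The section comments (`// Blueprint`, `// Addons`, …) are a good addition, but the `// Cluster Providers` group now lists `FargateClusterProvider` before `EC2ClusterProvider` while the old file had them alphabetical — pick one ordering so later merges stay clean. The hunk covers only the import block; the rest of main.ts continues below it.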
@@ -20,12 +24,12 @@ import { TeamTroiSetup } from '../lib/teams/team-troi/setup'; const app = new cdk.App(); const addOns: Array = [ - new CalicoNetworkPolicyAddon, - new MetricsServerAddon, - new ClusterAutoScaler, - new ContainerInsightsAddOn, - new NginxAddon, - new ArgoCDAddOn + new addon.CalicoAddon, + new addon.MetricsServerAddon, + new addon.ClusterAutoScalerAddon, + new addon.ContainerInsightsAddOn, + new addon.NginxAddon, + new addon.ArgoCDAddon ]; const allTeams: Array = [ @@ -53,7 +57,7 @@ new CdkEksBlueprintStack(app, { id: 'west-dev', addOns: addOns, teams: allTeams }, }); -new CdkEksBlueprintStack(app, { id: 'east-test-main', addOns: [new MetricsServerAddon, new ClusterAutoScaler, new ContainerInsightsAddOn, new AppMeshAddon] }, { +new CdkEksBlueprintStack(app, { id: 'east-test-main', addOns: addOns }, { env: { account: '929819487611', region: 'us-east-1', diff --git a/lib/addons/appmesh/appMeshAddon.ts b/lib/addons/appmesh/index.ts similarity index 50% rename from lib/addons/appmesh/appMeshAddon.ts rename to lib/addons/appmesh/index.ts index 9edc5ed28..c1d7f7b6a 100644 --- a/lib/addons/appmesh/appMeshAddon.ts +++ b/lib/addons/appmesh/index.ts 
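Review bot: Switching `east-test-main` to the shared `addOns` array silently changes what that stack deploys: the removed line installed `AppMeshAddon` together with metrics-server, cluster-autoscaler and Container Insights, whereas the new line drops App Mesh and adds Calico, Nginx and ArgoCD. If App Mesh is still wanted there, keep a stack-specific list (for example `addOns: [...addOns, new addon.AppMeshAddon]`, assuming the `addons` barrel re-exports that class), otherwise record the intentional removal in the commit message. Both stacks also now hold the very same add-on instances; that is fine as long as no `ClusterAddOn` keeps per-deploy state, which cannot be verified from this hunk.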
@@ -1,25 +1,35 @@ -import { CdkEksBlueprintStack, ClusterAddOn, ClusterInfo } from "../../eksBlueprintStack"; import { ManagedPolicy } from "@aws-cdk/aws-iam"; +import { ClusterAddOn, ClusterInfo } from "../../eksBlueprintStack" + export class AppMeshAddon implements ClusterAddOn { deploy(clusterInfo: ClusterInfo): void { const cluster = clusterInfo.cluster; - const appmeshNs = cluster.addManifest('appmesh-ns', { + // App Mesh service account. + const opts = { name: 'appmesh-controller', namespace: "appmesh-system" } + const sa = cluster.addServiceAccount('appmesh-controller', opts); + + // Cloud Map Full Access policy. + const cloudMapPolicy = ManagedPolicy.fromAwsManagedPolicyName("AWSCloudMapFullAccess") + sa.role.addManagedPolicy(cloudMapPolicy); + + // App Mesh Full Access policy. + const appMeshPolicy = ManagedPolicy.fromAwsManagedPolicyName("AWSAppMeshFullAccess") + sa.role.addManagedPolicy(appMeshPolicy); + + // App Mesh Namespace + const appMeshNS = cluster.addManifest('appmesh-ns', { apiVersion: 'v1', kind: 'Namespace', metadata: { name: 'appmesh-system' } }); + sa.node.addDependency(appMeshNS); - const sa = cluster.addServiceAccount('appmesh-controller', { name: 'appmesh-controller', namespace: "appmesh-system" }); - sa.node.addDependency(appmeshNs); - sa.role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AWSCloudMapFullAccess")); - sa.role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AWSAppMeshFullAccess")); - - - const chart = cluster.addHelmChart("appmesh-controller", { + // App Mesh Controller + const chart = cluster.addHelmChart("AppMeshAddon", { chart: "appmesh-controller", repository: "https://aws.github.io/eks-charts", release: "appm-release", @@ -30,7 +40,6 @@ export class AppMeshAddon implements ClusterAddOn { "serviceAccount.name": "appmesh-controller" } }); - chart.node.addDependency(sa); } } \ No newline at end of file 
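Review bot: Four of the added lines drop the trailing semicolon that the rest of this file uses — the `import { ClusterAddOn, ClusterInfo } from "../../eksBlueprintStack"` line, the `const opts = { … }` line and both `ManagedPolicy.fromAwsManagedPolicyName(...)` lines — and should be terminated like their neighbours. The new comments above the two policy attachments only restate the policy names; since both are AWS-managed `*FullAccess` policies bound to the controller's service account, the more useful comment is the one that records why that breadth is required, e.g. `// AWS-managed FullAccess policies; the controller's required actions have not been scoped down yet — TODO confirm minimum set.` The `deploy` method continues into the next hunk.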
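Review bot: Removing `chart.node.addDependency(sa);` leaves `const chart` assigned but never read, and it also discards the only explicit ordering between the Helm release and the service account it is configured to use (`"serviceAccount.name": "appmesh-controller"` in the surrounding context). Without that edge CDK is free to apply the chart before the service account and its `appmesh-system` namespace exist, which would make the first deploy order-dependent; nothing in this hunk replaces the dependency. Reinstate `chart.node.addDependency(sa);` after the `addHelmChart` call, or, if the ordering is now guaranteed elsewhere, drop the unused `const chart =` binding and say in a comment where the ordering comes from. The start of `deploy` is in the previous hunk.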
diff --git a/lib/addons/argocd/argoCDAddon.ts b/lib/addons/argocd/argoCDAddon.ts
deleted file mode 100644
index 37bd0be8c..000000000
--- a/lib/addons/argocd/argoCDAddon.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-import { KubernetesManifest } from "@aws-cdk/aws-eks";
-import { ClusterAddOn, ClusterInfo } from "../../eksBlueprintStack";
-import { loadYaml, readYamlDocument } from "../../utils/yamlUtils";
-
-export class ArgoCDAddOn implements ClusterAddOn {
-
-deploy(clusterInfo: ClusterInfo): void {
-const cluster = clusterInfo.cluster;
-
-const argons = cluster.addManifest('argocd', {
-apiVersion: 'v1',
-kind: 'Namespace',
-metadata: { name: 'argocd' }
-});
-let doc = readYamlDocument(__dirname + '/install.yaml');
-let docArray = doc.split("---").map(e => loadYaml(e));
-docArray.forEach(e => e['metadata']['namespace'] = "argocd");
-let manifest = new KubernetesManifest(cluster.stack, "argocd", {
-cluster,
-manifest: docArray
-});
-manifest.node.addDependency(argons);
-}
-}
\ No newline at end of file
diff --git a/lib/addons/argocd/index.ts b/lib/addons/argocd/index.ts
new file mode 100644
index 000000000..649206dd7
--- /dev/null
+++ b/lib/addons/argocd/index.ts
@@ -0,0 +1,14 @@
+import { KubernetesManifest } from "@aws-cdk/aws-eks";
+import { ClusterAddOn, ClusterInfo } from "../../eksBlueprintStack";
+import { loadYaml, readYamlDocument } from "../../utils/yamlUtils";
+
+export class ArgoCDAddon implements ClusterAddOn {
+
+deploy(clusterInfo: ClusterInfo): void {
+clusterInfo.cluster.addHelmChart("argocd-addon", {
+chart: "argo-cd",
+repository: "https://argoproj.github.io/argo-helm",
+namespace: "argo-cd"
+});
+}
+}
\ No newline at end of file
diff --git a/lib/addons/argocd/install.yaml b/lib/addons/argocd/install.yaml
deleted file mode 100644
index aa717676a..000000000
--- a/lib/addons/argocd/install.yaml
+++ /dev/null
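Review bot: In the new `lib/addons/argocd/index.ts`, `KubernetesManifest`, `loadYaml` and `readYamlDocument` are imported but never used — the class body only calls `addHelmChart` — so the first and third import lines should be deleted. The Helm chart is added without a `version`, which means every deploy resolves whatever the repository currently serves as latest and an upstream release can change the cluster without a code change; pin it with `version: "<argo-cd chart version>"` so upgrades show up in review. The namespace also changes from the deleted implementation's `argocd` to `argo-cd`; if anything else in the repository referred to the old namespace it will not be caught by this hunk, so that is worth checking before merging.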
@@ -1,2792 +0,0 @@ -# This is an auto-generated file. DO NOT EDIT -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/name: applications.argoproj.io - app.kubernetes.io/part-of: argocd - name: applications.argoproj.io -spec: - group: argoproj.io - names: - kind: Application - listKind: ApplicationList - plural: applications - shortNames: - - app - - apps - singular: application - scope: Namespaced - validation: - openAPIV3Schema: - description: Application is a definition of Application resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - operation: - description: Operation contains requested operation parameters. - properties: - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - initiatedBy: - description: OperationInitiator holds information about the operation - initiator - properties: - automated: - description: Automated is set to true if operation was initiated - automatically by the application controller. - type: boolean - username: - description: Name of a user who started operation. 
- type: string - type: object - retry: - description: Retry controls failed sync retry behavior - properties: - backoff: - description: Backoff is a backoff strategy - properties: - duration: - description: Duration is the amount to back off. Default unit - is seconds, but could also be a duration (e.g. "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base duration - after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of time allowed - for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts when retrying - a container - format: int64 - type: integer - type: object - sync: - description: SyncOperation contains sync operation details. - properties: - dryRun: - description: DryRun will perform a `kubectl apply --dry-run` without - actually performing the sync - type: boolean - manifests: - description: Manifests is an optional field that overrides sync - source with a local directory for development - items: - type: string - type: array - prune: - description: Prune deletes resources that are no longer tracked - in git - type: boolean - resources: - description: Resources describes which resources to sync - items: - description: SyncOperationResource contains resources to sync. - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - kind - - name - type: object - type: array - revision: - description: Revision is the revision in which to sync the application - to. If omitted, will use the revision specified in app spec. - type: string - source: - description: Source overrides the source definition set in the application. 
- This is typically set in a Rollback operation and nil during a - Sync operation - properties: - chart: - description: Chart is a Helm chart name - type: string - directory: - description: Directory holds path/directory specific options - properties: - jsonnet: - description: ApplicationSourceJsonnet holds jsonnet specific - options - properties: - extVars: - description: ExtVars is a list of Jsonnet External Variables - items: - description: JsonnetVar is a jsonnet variable - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar is a jsonnet variable - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the helm - template - items: - description: HelmFileParameter is a file parameter to - a helm template - properties: - name: - description: Name is the name of the helm parameter - type: string - path: - description: Path is the path value for the helm parameter - type: string - type: object - type: array - parameters: - description: Parameters are parameters to the helm template - items: - description: HelmParameter is a parameter to a helm template - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the helm parameter - type: string - value: - description: Value is the value for the helm parameter - type: string - type: object - type: array - releaseName: - 
description: The Helm release name. If omitted it will use - the application name - type: string - valueFiles: - description: ValuesFiles is a list of Helm value files to - use when generating a template - items: - type: string - type: array - values: - description: Values is Helm values, typically defined as - a block - type: string - type: object - ksonnet: - description: Ksonnet holds ksonnet specific options - properties: - environment: - description: Environment is a ksonnet application environment - name - type: string - parameters: - description: Parameters are a list of ksonnet component - parameter override values - items: - description: KsonnetParameter is a ksonnet component parameter - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonLabels: - additionalProperties: - type: string - description: CommonLabels adds additional kustomize commonLabels - type: object - images: - description: Images are kustomize image overrides - items: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for kustomize apps - type: string - version: - description: Version contains optional Kustomize version - type: string - type: object - path: - description: Path is a directory path within the Git repository - type: string - plugin: - description: ConfigManagementPlugin holds config management - plugin specific options - properties: - env: - items: - properties: - name: - description: the name, usually uppercase - type: string - value: - description: the value - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - description: RepoURL is the 
repository URL of the application - manifests - type: string - targetRevision: - description: TargetRevision defines the commit, tag, or branch - in which to sync the application to. If omitted, will sync - to HEAD - type: string - required: - - repoURL - type: object - syncOptions: - description: SyncOptions provide per-sync sync-options, e.g. Validate=false - items: - type: string - type: array - syncStrategy: - description: SyncStrategy describes how to perform the sync - properties: - apply: - description: Apply wil perform a `kubectl apply` to perform - the sync. - properties: - force: - description: Force indicates whether or not to supply the - --force flag to `kubectl apply`. The --force flag deletes - and re-create the resource, when PATCH encounters conflict - and has retried for 5 times. - type: boolean - type: object - hook: - description: Hook will submit any referenced resources to perform - the sync. This is the default strategy - properties: - force: - description: Force indicates whether or not to supply the - --force flag to `kubectl apply`. The --force flag deletes - and re-create the resource, when PATCH encounters conflict - and has retried for 5 times. - type: boolean - type: object - type: object - type: object - type: object - spec: - description: ApplicationSpec represents desired application state. Contains - link to repository with application definition and additional parameters - link definition revision. 
- properties: - destination: - description: Destination overrides the kubernetes server and namespace - defined in the environment ksonnet app.yaml - properties: - name: - description: Name of the destination cluster which can be used instead - of server (url) field - type: string - namespace: - description: Namespace overrides the environment namespace value - in the ksonnet app.yaml - type: string - server: - description: Server overrides the environment server value in the - ksonnet app.yaml - type: string - type: object - ignoreDifferences: - description: IgnoreDifferences controls resources fields which should - be ignored during comparison - items: - description: ResourceIgnoreDifferences contains resource filter and - list of json paths which should be ignored during comparison with - live state. - properties: - group: - type: string - jsonPointers: - items: - type: string - type: array - kind: - type: string - name: - type: string - namespace: - type: string - required: - - jsonPointers - - kind - type: object - type: array - info: - description: Infos contains a list of useful information (URLs, email - addresses, and plain text) that relates to the application - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - description: Project is a application project name. Empty name means - that application belongs to 'default' project. - type: string - revisionHistoryLimit: - description: This limits this number of items kept in the apps revision - history. This should only be changed in exceptional circumstances. - Setting to zero will store no history. This will reduce storage used. - Increasing will increase the space used to store the history, so we - do not recommend increasing it. Default is 10. 
- format: int64 - type: integer - source: - description: Source is a reference to the location ksonnet application - definition - properties: - chart: - description: Chart is a Helm chart name - type: string - directory: - description: Directory holds path/directory specific options - properties: - jsonnet: - description: ApplicationSourceJsonnet holds jsonnet specific - options - properties: - extVars: - description: ExtVars is a list of Jsonnet External Variables - items: - description: JsonnetVar is a jsonnet variable - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar is a jsonnet variable - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the helm - template - items: - description: HelmFileParameter is a file parameter to a helm - template - properties: - name: - description: Name is the name of the helm parameter - type: string - path: - description: Path is the path value for the helm parameter - type: string - type: object - type: array - parameters: - description: Parameters are parameters to the helm template - items: - description: HelmParameter is a parameter to a helm template - properties: - forceString: - description: ForceString determines whether to tell Helm - to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the helm parameter - type: string - value: - description: Value is the value for the helm parameter - type: string - 
type: object - type: array - releaseName: - description: The Helm release name. If omitted it will use the - application name - type: string - valueFiles: - description: ValuesFiles is a list of Helm value files to use - when generating a template - items: - type: string - type: array - values: - description: Values is Helm values, typically defined as a block - type: string - type: object - ksonnet: - description: Ksonnet holds ksonnet specific options - properties: - environment: - description: Environment is a ksonnet application environment - name - type: string - parameters: - description: Parameters are a list of ksonnet component parameter - override values - items: - description: KsonnetParameter is a ksonnet component parameter - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonLabels: - additionalProperties: - type: string - description: CommonLabels adds additional kustomize commonLabels - type: object - images: - description: Images are kustomize image overrides - items: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources for - kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources for - kustomize apps - type: string - version: - description: Version contains optional Kustomize version - type: string - type: object - path: - description: Path is a directory path within the Git repository - type: string - plugin: - description: ConfigManagementPlugin holds config management plugin - specific options - properties: - env: - items: - properties: - name: - description: the name, usually uppercase - type: string - value: - description: the value - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - 
repoURL: - description: RepoURL is the repository URL of the application manifests - type: string - targetRevision: - description: TargetRevision defines the commit, tag, or branch in - which to sync the application to. If omitted, will sync to HEAD - type: string - required: - - repoURL - type: object - syncPolicy: - description: SyncPolicy controls when a sync will be performed - properties: - automated: - description: Automated will keep an application synced to the target - revision - properties: - prune: - description: 'Prune will prune resources automatically as part - of automated sync (default: false)' - type: boolean - selfHeal: - description: 'SelfHeal enables auto-syncing if (default: false)' - type: boolean - type: object - retry: - description: Retry controls failed sync retry behavior - properties: - backoff: - description: Backoff is a backoff strategy - properties: - duration: - description: Duration is the amount to back off. Default - unit is seconds, but could also be a duration (e.g. 
"2m", - "1h") - type: string - factor: - description: Factor is a factor to multiply the base duration - after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of time allowed - for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts when retrying - a container - format: int64 - type: integer - type: object - syncOptions: - description: Options allow you to specify whole app sync-options - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - status: - description: ApplicationStatus contains information about application sync, - health status - properties: - conditions: - items: - description: ApplicationCondition contains details about current application - condition - properties: - lastTransitionTime: - description: LastTransitionTime is the time the condition was - first observed. - format: date-time - type: string - message: - description: Message contains human-readable message indicating - details about condition - type: string - type: - description: Type is an application condition type - type: string - required: - - message - - type - type: object - type: array - health: - properties: - message: - type: string - status: - description: Represents resource health status - type: string - type: object - history: - description: RevisionHistories is a array of history, oldest first and - newest last - items: - description: RevisionHistory contains information relevant to an application - deployment - properties: - deployStartedAt: - description: DeployStartedAt holds the time the deployment started - format: date-time - type: string - deployedAt: - description: DeployedAt holds the time the deployment completed - format: date-time - type: string - id: - description: ID is an auto incrementing identifier of the RevisionHistory - format: int64 - type: integer - revision: - 
description: Revision holds the revision of the sync - type: string - source: - description: ApplicationSource contains information about github - repository, path within repository and target application environment. - properties: - chart: - description: Chart is a Helm chart name - type: string - directory: - description: Directory holds path/directory specific options - properties: - jsonnet: - description: ApplicationSourceJsonnet holds jsonnet specific - options - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar is a jsonnet variable - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar is a jsonnet variable - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter to - a helm template - properties: - name: - description: Name is the name of the helm parameter - type: string - path: - description: Path is the path value for the helm - parameter - type: string - type: object - type: array - parameters: - description: Parameters are parameters to the helm template - items: - description: HelmParameter is a parameter to a helm - template - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the helm parameter - 
type: string - value: - description: Value is the value for the helm parameter - type: string - type: object - type: array - releaseName: - description: The Helm release name. If omitted it will - use the application name - type: string - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values is Helm values, typically defined - as a block - type: string - type: object - ksonnet: - description: Ksonnet holds ksonnet specific options - properties: - environment: - description: Environment is a ksonnet application environment - name - type: string - parameters: - description: Parameters are a list of ksonnet component - parameter override values - items: - description: KsonnetParameter is a ksonnet component - parameter - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonLabels: - additionalProperties: - type: string - description: CommonLabels adds additional kustomize commonLabels - type: object - images: - description: Images are kustomize image overrides - items: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for kustomize apps - type: string - version: - description: Version contains optional Kustomize version - type: string - type: object - path: - description: Path is a directory path within the Git repository - type: string - plugin: - description: ConfigManagementPlugin holds config management - plugin specific options - properties: - env: - items: - properties: - name: - description: the name, usually uppercase - type: string - value: - description: the value - type: string 
- required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - description: RepoURL is the repository URL of the application - manifests - type: string - targetRevision: - description: TargetRevision defines the commit, tag, or branch - in which to sync the application to. If omitted, will sync - to HEAD - type: string - required: - - repoURL - type: object - required: - - deployedAt - - id - - revision - type: object - type: array - observedAt: - description: 'ObservedAt indicates when the application state was updated - without querying latest git state Deprecated: controller no longer - updates ObservedAt field' - format: date-time - type: string - operationState: - description: OperationState contains information about state of currently - performing operation on application. - properties: - finishedAt: - description: FinishedAt contains time of operation completion - format: date-time - type: string - message: - description: Message hold any pertinent messages when attempting - to perform operation (typically errors). - type: string - operation: - description: Operation is the original requested operation - properties: - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - initiatedBy: - description: OperationInitiator holds information about the - operation initiator - properties: - automated: - description: Automated is set to true if operation was initiated - automatically by the application controller. - type: boolean - username: - description: Name of a user who started operation. - type: string - type: object - retry: - description: Retry controls failed sync retry behavior - properties: - backoff: - description: Backoff is a backoff strategy - properties: - duration: - description: Duration is the amount to back off. Default - unit is seconds, but could also be a duration (e.g. 
- "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base - duration after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of time - allowed for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts when - retrying a container - format: int64 - type: integer - type: object - sync: - description: SyncOperation contains sync operation details. - properties: - dryRun: - description: DryRun will perform a `kubectl apply --dry-run` - without actually performing the sync - type: boolean - manifests: - description: Manifests is an optional field that overrides - sync source with a local directory for development - items: - type: string - type: array - prune: - description: Prune deletes resources that are no longer - tracked in git - type: boolean - resources: - description: Resources describes which resources to sync - items: - description: SyncOperationResource contains resources - to sync. - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - kind - - name - type: object - type: array - revision: - description: Revision is the revision in which to sync the - application to. If omitted, will use the revision specified - in app spec. - type: string - source: - description: Source overrides the source definition set - in the application. 
This is typically set in a Rollback - operation and nil during a Sync operation - properties: - chart: - description: Chart is a Helm chart name - type: string - directory: - description: Directory holds path/directory specific - options - properties: - jsonnet: - description: ApplicationSourceJsonnet holds jsonnet - specific options - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar is a jsonnet variable - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar is a jsonnet variable - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - to a helm template - properties: - name: - description: Name is the name of the helm - parameter - type: string - path: - description: Path is the path value for the - helm parameter - type: string - type: object - type: array - parameters: - description: Parameters are parameters to the helm - template - items: - description: HelmParameter is a parameter to a - helm template - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the helm - parameter - type: string - value: - description: Value is the value for the helm - parameter - type: string - type: object - type: array - 
releaseName: - description: The Helm release name. If omitted it - will use the application name - type: string - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values is Helm values, typically defined - as a block - type: string - type: object - ksonnet: - description: Ksonnet holds ksonnet specific options - properties: - environment: - description: Environment is a ksonnet application - environment name - type: string - parameters: - description: Parameters are a list of ksonnet component - parameter override values - items: - description: KsonnetParameter is a ksonnet component - parameter - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonLabels: - additionalProperties: - type: string - description: CommonLabels adds additional kustomize - commonLabels - type: object - images: - description: Images are kustomize image overrides - items: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to - resources for kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to - resources for kustomize apps - type: string - version: - description: Version contains optional Kustomize - version - type: string - type: object - path: - description: Path is a directory path within the Git - repository - type: string - plugin: - description: ConfigManagementPlugin holds config management - plugin specific options - properties: - env: - items: - properties: - name: - description: the name, usually uppercase - type: string - value: - description: the value - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - 
description: RepoURL is the repository URL of the application - manifests - type: string - targetRevision: - description: TargetRevision defines the commit, tag, - or branch in which to sync the application to. If - omitted, will sync to HEAD - type: string - required: - - repoURL - type: object - syncOptions: - description: SyncOptions provide per-sync sync-options, - e.g. Validate=false - items: - type: string - type: array - syncStrategy: - description: SyncStrategy describes how to perform the sync - properties: - apply: - description: Apply wil perform a `kubectl apply` to - perform the sync. - properties: - force: - description: Force indicates whether or not to supply - the --force flag to `kubectl apply`. The --force - flag deletes and re-create the resource, when - PATCH encounters conflict and has retried for - 5 times. - type: boolean - type: object - hook: - description: Hook will submit any referenced resources - to perform the sync. This is the default strategy - properties: - force: - description: Force indicates whether or not to supply - the --force flag to `kubectl apply`. The --force - flag deletes and re-create the resource, when - PATCH encounters conflict and has retried for - 5 times. 
- type: boolean - type: object - type: object - type: object - type: object - phase: - description: Phase is the current phase of the operation - type: string - retryCount: - description: RetryCount contains time of operation retries - format: int64 - type: integer - startedAt: - description: StartedAt contains time of operation start - format: date-time - type: string - syncResult: - description: SyncResult is the result of a Sync operation - properties: - resources: - description: Resources holds the sync result of each individual - resource - items: - description: ResourceResult holds the operation result details - of a specific resource - properties: - group: - type: string - hookPhase: - description: 'the state of any operation associated with - this resource OR hook note: can contain values for non-hook - resources' - type: string - hookType: - description: the type of the hook, empty for non-hook - resources - type: string - kind: - type: string - message: - description: message for the last sync OR operation - type: string - name: - type: string - namespace: - type: string - status: - description: the final result of the sync, this is be - empty if the resources is yet to be applied/pruned and - is always zero-value for hooks - type: string - syncPhase: - description: indicates the particular phase of the sync - that this is for - type: string - version: - type: string - required: - - group - - kind - - name - - namespace - - version - type: object - type: array - revision: - description: Revision holds the revision of the sync - type: string - source: - description: Source records the application source information - of the sync, used for comparing auto-sync - properties: - chart: - description: Chart is a Helm chart name - type: string - directory: - description: Directory holds path/directory specific options - properties: - jsonnet: - description: ApplicationSourceJsonnet holds jsonnet - specific options - properties: - extVars: - description: ExtVars 
is a list of Jsonnet External - Variables - items: - description: JsonnetVar is a jsonnet variable - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar is a jsonnet variable - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter - to a helm template - properties: - name: - description: Name is the name of the helm parameter - type: string - path: - description: Path is the path value for the helm - parameter - type: string - type: object - type: array - parameters: - description: Parameters are parameters to the helm template - items: - description: HelmParameter is a parameter to a helm - template - properties: - forceString: - description: ForceString determines whether to - tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the helm parameter - type: string - value: - description: Value is the value for the helm parameter - type: string - type: object - type: array - releaseName: - description: The Helm release name. 
If omitted it will - use the application name - type: string - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values is Helm values, typically defined - as a block - type: string - type: object - ksonnet: - description: Ksonnet holds ksonnet specific options - properties: - environment: - description: Environment is a ksonnet application environment - name - type: string - parameters: - description: Parameters are a list of ksonnet component - parameter override values - items: - description: KsonnetParameter is a ksonnet component - parameter - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonLabels: - additionalProperties: - type: string - description: CommonLabels adds additional kustomize - commonLabels - type: object - images: - description: Images are kustomize image overrides - items: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for kustomize apps - type: string - version: - description: Version contains optional Kustomize version - type: string - type: object - path: - description: Path is a directory path within the Git repository - type: string - plugin: - description: ConfigManagementPlugin holds config management - plugin specific options - properties: - env: - items: - properties: - name: - description: the name, usually uppercase - type: string - value: - description: the value - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - description: RepoURL is the repository URL of the application - 
manifests - type: string - targetRevision: - description: TargetRevision defines the commit, tag, or - branch in which to sync the application to. If omitted, - will sync to HEAD - type: string - required: - - repoURL - type: object - required: - - revision - type: object - required: - - operation - - phase - - startedAt - type: object - reconciledAt: - description: ReconciledAt indicates when the application state was reconciled - using the latest git version - format: date-time - type: string - resources: - items: - description: ResourceStatus holds the current sync and health status - of a resource - properties: - group: - type: string - health: - properties: - message: - type: string - status: - description: Represents resource health status - type: string - type: object - hook: - type: boolean - kind: - type: string - name: - type: string - namespace: - type: string - requiresPruning: - type: boolean - status: - description: SyncStatusCode is a type which represents possible - comparison results - type: string - version: - type: string - type: object - type: array - sourceType: - type: string - summary: - properties: - externalURLs: - description: ExternalURLs holds all external URLs of application - child resources. - items: - type: string - type: array - images: - description: Images holds all images of application child resources. - items: - type: string - type: array - type: object - sync: - description: SyncStatus is a comparison result of application spec and - deployed application. 
- properties: - comparedTo: - description: ComparedTo contains application source and target which - was used for resources comparison - properties: - destination: - description: ApplicationDestination contains deployment destination - information - properties: - name: - description: Name of the destination cluster which can be - used instead of server (url) field - type: string - namespace: - description: Namespace overrides the environment namespace - value in the ksonnet app.yaml - type: string - server: - description: Server overrides the environment server value - in the ksonnet app.yaml - type: string - type: object - source: - description: ApplicationSource contains information about github - repository, path within repository and target application - environment. - properties: - chart: - description: Chart is a Helm chart name - type: string - directory: - description: Directory holds path/directory specific options - properties: - jsonnet: - description: ApplicationSourceJsonnet holds jsonnet - specific options - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar is a jsonnet variable - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar is a jsonnet variable - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter - to a helm template - 
properties: - name: - description: Name is the name of the helm parameter - type: string - path: - description: Path is the path value for the helm - parameter - type: string - type: object - type: array - parameters: - description: Parameters are parameters to the helm template - items: - description: HelmParameter is a parameter to a helm - template - properties: - forceString: - description: ForceString determines whether to - tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the helm parameter - type: string - value: - description: Value is the value for the helm parameter - type: string - type: object - type: array - releaseName: - description: The Helm release name. If omitted it will - use the application name - type: string - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values is Helm values, typically defined - as a block - type: string - type: object - ksonnet: - description: Ksonnet holds ksonnet specific options - properties: - environment: - description: Environment is a ksonnet application environment - name - type: string - parameters: - description: Parameters are a list of ksonnet component - parameter override values - items: - description: KsonnetParameter is a ksonnet component - parameter - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonLabels: - additionalProperties: - type: string - description: CommonLabels adds additional kustomize - commonLabels - type: object - images: - description: Images are kustomize image overrides - items: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for kustomize 
apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for kustomize apps - type: string - version: - description: Version contains optional Kustomize version - type: string - type: object - path: - description: Path is a directory path within the Git repository - type: string - plugin: - description: ConfigManagementPlugin holds config management - plugin specific options - properties: - env: - items: - properties: - name: - description: the name, usually uppercase - type: string - value: - description: the value - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - description: RepoURL is the repository URL of the application - manifests - type: string - targetRevision: - description: TargetRevision defines the commit, tag, or - branch in which to sync the application to. If omitted, - will sync to HEAD - type: string - required: - - repoURL - type: object - required: - - destination - - source - type: object - revision: - type: string - status: - description: SyncStatusCode is a type which represents possible - comparison results - type: string - required: - - status - type: object - type: object - required: - - metadata - - spec - type: object - version: v1alpha1 - versions: - - name: v1alpha1 - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/name: appprojects.argoproj.io - app.kubernetes.io/part-of: argocd - name: appprojects.argoproj.io -spec: - group: argoproj.io - names: - kind: AppProject - listKind: AppProjectList - plural: appprojects - shortNames: - - appproj - - appprojs - singular: appproject - scope: Namespaced - validation: - openAPIV3Schema: - description: 'AppProject provides a logical grouping of applications, providing - controls for: * where the apps may deploy to (cluster whitelist) * what may - be deployed (repository whitelist, 
resource whitelist/blacklist) * who can - access these applications (roles, OIDC group claims bindings) * and what they - can do (RBAC policies) * automation access to these roles (JWT tokens)' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AppProjectSpec is the specification of an AppProject - properties: - clusterResourceBlacklist: - description: ClusterResourceBlacklist contains list of blacklisted cluster - level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - clusterResourceWhitelist: - description: ClusterResourceWhitelist contains list of whitelisted cluster - level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. 
This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - description: - description: Description contains optional project description - type: string - destinations: - description: Destinations contains list of destinations available for - deployment - items: - description: ApplicationDestination contains deployment destination - information - properties: - name: - description: Name of the destination cluster which can be used - instead of server (url) field - type: string - namespace: - description: Namespace overrides the environment namespace value - in the ksonnet app.yaml - type: string - server: - description: Server overrides the environment server value in - the ksonnet app.yaml - type: string - type: object - type: array - namespaceResourceBlacklist: - description: NamespaceResourceBlacklist contains list of blacklisted - namespace level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - namespaceResourceWhitelist: - description: NamespaceResourceWhitelist contains list of whitelisted - namespace level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. 
This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - orphanedResources: - description: OrphanedResources specifies if controller should monitor - orphaned resources of apps in this project - properties: - ignore: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - type: object - type: array - warn: - description: Warn indicates if warning condition should be created - for apps which have orphaned resources - type: boolean - type: object - roles: - description: Roles are user defined RBAC roles associated with this - project - items: - description: ProjectRole represents a role that has access to a project - properties: - description: - description: Description is a description of the role - type: string - groups: - description: Groups are a list of OIDC group claims bound to this - role - items: - type: string - type: array - jwtTokens: - description: JWTTokens are a list of generated JWT tokens bound - to this role - items: - description: JWTToken holds the issuedAt and expiresAt values - of a token - properties: - exp: - format: int64 - type: integer - iat: - format: int64 - type: integer - id: - type: string - required: - - iat - type: object - type: array - name: - description: Name is a name for this role - type: string - policies: - description: Policies Stores a list of casbin formated strings - that define access policies for the role in the project - items: - type: string - type: array - required: - - name - type: object - type: array - signatureKeys: - description: List of PGP key IDs that commits to be synced to must be - signed with - items: - description: SignatureKey is the specification of a key required to - verify commit signatures with - properties: - keyID: - description: The ID of the key in hexadecimal notation - type: string - 
required: - - keyID - type: object - type: array - sourceRepos: - description: SourceRepos contains list of repository URLs which can - be used for deployment - items: - type: string - type: array - syncWindows: - description: SyncWindows controls when syncs can be run for apps in - this project - items: - description: SyncWindow contains the kind, time, duration and attributes - that are used to assign the syncWindows to apps - properties: - applications: - description: Applications contains a list of applications that - the window will apply to - items: - type: string - type: array - clusters: - description: Clusters contains a list of clusters that the window - will apply to - items: - type: string - type: array - duration: - description: Duration is the amount of time the sync window will - be open - type: string - kind: - description: Kind defines if the window allows or blocks syncs - type: string - manualSync: - description: ManualSync enables manual syncs when they would otherwise - be blocked - type: boolean - namespaces: - description: Namespaces contains a list of namespaces that the - window will apply to - items: - type: string - type: array - schedule: - description: Schedule is the time the window will begin, specified - in cron format - type: string - type: object - type: array - type: object - required: - - metadata - - spec - type: object - version: v1alpha1 - versions: - - name: v1alpha1 - served: true - storage: true ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: application-controller - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/part-of: argocd - name: argocd-application-controller ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: dex-server - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/part-of: argocd - name: argocd-dex-server ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - 
app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: application-controller - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/part-of: argocd - name: argocd-application-controller -rules: -- apiGroups: - - "" - resources: - - secrets - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - argoproj.io - resources: - - applications - - appprojects - verbs: - - create - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: dex-server - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/part-of: argocd - name: argocd-dex-server -rules: -- apiGroups: - - "" - resources: - - secrets - - configmaps - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server -rules: -- apiGroups: - - "" - resources: - - secrets - - configmaps - verbs: - - create - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - argoproj.io - resources: - - applications - - appprojects - verbs: - - create - - get - - list - - watch - - update - - delete - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: application-controller - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/part-of: argocd - name: argocd-application-controller -rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' -- 
nonResourceURLs: - - '*' - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server -rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - delete - - get - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - list -- apiGroups: - - "" - resources: - - pods - - pods/log - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: application-controller - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/part-of: argocd - name: argocd-application-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-application-controller -subjects: -- kind: ServiceAccount - name: argocd-application-controller ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: dex-server - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/part-of: argocd - name: argocd-dex-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-dex-server -subjects: -- kind: ServiceAccount - name: argocd-dex-server ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-server -subjects: -- kind: ServiceAccount - name: argocd-server ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: application-controller - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/part-of: argocd - name: argocd-application-controller -roleRef: - apiGroup: 
rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-application-controller -subjects: -- kind: ServiceAccount - name: argocd-application-controller - namespace: argocd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-server -subjects: -- kind: ServiceAccount - name: argocd-server - namespace: argocd ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: argocd-cm - app.kubernetes.io/part-of: argocd - name: argocd-cm ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: argocd-gpg-keys-cm - app.kubernetes.io/part-of: argocd - name: argocd-gpg-keys-cm ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: argocd-rbac-cm - app.kubernetes.io/part-of: argocd - name: argocd-rbac-cm ---- -apiVersion: v1 -data: - ssh_known_hosts: | - bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== - github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== - gitlab.com ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= - gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf - gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 - ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H - vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: argocd-ssh-known-hosts-cm - app.kubernetes.io/part-of: argocd - name: argocd-ssh-known-hosts-cm ---- -apiVersion: v1 -data: null -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: argocd-tls-certs-cm - app.kubernetes.io/part-of: argocd - name: argocd-tls-certs-cm ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - app.kubernetes.io/name: argocd-secret - app.kubernetes.io/part-of: argocd - name: argocd-secret -type: Opaque ---- -apiVersion: v1 -kind: Service -metadata: - 
labels: - app.kubernetes.io/component: dex-server - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/part-of: argocd - name: argocd-dex-server -spec: - ports: - - name: http - port: 5556 - protocol: TCP - targetPort: 5556 - - name: grpc - port: 5557 - protocol: TCP - targetPort: 5557 - - name: metrics - port: 5558 - protocol: TCP - targetPort: 5558 - selector: - app.kubernetes.io/name: argocd-dex-server ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: metrics - app.kubernetes.io/name: argocd-metrics - app.kubernetes.io/part-of: argocd - name: argocd-metrics -spec: - ports: - - name: metrics - port: 8082 - protocol: TCP - targetPort: 8082 - selector: - app.kubernetes.io/name: argocd-application-controller ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: redis - app.kubernetes.io/name: argocd-redis - app.kubernetes.io/part-of: argocd - name: argocd-redis -spec: - ports: - - name: tcp-redis - port: 6379 - targetPort: 6379 - selector: - app.kubernetes.io/name: argocd-redis ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: repo-server - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/part-of: argocd - name: argocd-repo-server -spec: - ports: - - name: server - port: 8081 - protocol: TCP - targetPort: 8081 - - name: metrics - port: 8084 - protocol: TCP - targetPort: 8084 - selector: - app.kubernetes.io/name: argocd-repo-server ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server-metrics - app.kubernetes.io/part-of: argocd - name: argocd-server-metrics -spec: - ports: - - name: metrics - port: 8083 - protocol: TCP - targetPort: 8083 - selector: - app.kubernetes.io/name: argocd-server ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: 
argocd - name: argocd-server -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - - name: https - port: 443 - protocol: TCP - targetPort: 8080 - selector: - app.kubernetes.io/name: argocd-server ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: application-controller - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/part-of: argocd - name: argocd-application-controller -spec: - selector: - matchLabels: - app.kubernetes.io/name: argocd-application-controller - strategy: - type: Recreate - template: - metadata: - labels: - app.kubernetes.io/name: argocd-application-controller - spec: - containers: - - command: - - argocd-application-controller - - --status-processors - - "20" - - --operation-processors - - "10" - image: argoproj/argocd:v1.7.6 - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: 8082 - initialDelaySeconds: 5 - periodSeconds: 10 - name: argocd-application-controller - ports: - - containerPort: 8082 - readinessProbe: - httpGet: - path: /healthz - port: 8082 - initialDelaySeconds: 5 - periodSeconds: 10 - serviceAccountName: argocd-application-controller ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: dex-server - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/part-of: argocd - name: argocd-dex-server -spec: - selector: - matchLabels: - app.kubernetes.io/name: argocd-dex-server - template: - metadata: - labels: - app.kubernetes.io/name: argocd-dex-server - spec: - containers: - - command: - - /shared/argocd-util - - rundex - image: quay.io/dexidp/dex:v2.22.0 - imagePullPolicy: Always - name: dex - ports: - - containerPort: 5556 - - containerPort: 5557 - - containerPort: 5558 - volumeMounts: - - mountPath: /shared - name: static-files - initContainers: - - command: - - cp - - -n - - /usr/local/bin/argocd-util - - /shared - image: argoproj/argocd:v1.7.6 - imagePullPolicy: 
Always - name: copyutil - volumeMounts: - - mountPath: /shared - name: static-files - serviceAccountName: argocd-dex-server - volumes: - - emptyDir: {} - name: static-files ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: redis - app.kubernetes.io/name: argocd-redis - app.kubernetes.io/part-of: argocd - name: argocd-redis -spec: - selector: - matchLabels: - app.kubernetes.io/name: argocd-redis - template: - metadata: - labels: - app.kubernetes.io/name: argocd-redis - spec: - containers: - - args: - - --save - - "" - - --appendonly - - "no" - image: redis:5.0.8 - imagePullPolicy: Always - name: redis - ports: - - containerPort: 6379 - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: repo-server - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/part-of: argocd - name: argocd-repo-server -spec: - selector: - matchLabels: - app.kubernetes.io/name: argocd-repo-server - template: - metadata: - labels: - app.kubernetes.io/name: argocd-repo-server - spec: - automountServiceAccountToken: false - containers: - - command: - - uid_entrypoint.sh - - argocd-repo-server - - --redis - - argocd-redis:6379 - image: argoproj/argocd:v1.7.6 - imagePullPolicy: Always - name: argocd-repo-server - ports: - - containerPort: 8081 - - containerPort: 8084 - readinessProbe: - initialDelaySeconds: 5 - periodSeconds: 10 - tcpSocket: - port: 8081 - volumeMounts: - - mountPath: /app/config/ssh - name: ssh-known-hosts - - mountPath: /app/config/tls - name: tls-certs - - mountPath: /app/config/gpg/source - name: gpg-keys - - mountPath: /app/config/gpg/keys - name: gpg-keyring - volumes: - - configMap: - name: argocd-ssh-known-hosts-cm - name: ssh-known-hosts - - configMap: - name: argocd-tls-certs-cm - name: tls-certs - - configMap: - name: argocd-gpg-keys-cm - name: gpg-keys - - emptyDir: {} - name: 
gpg-keyring ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server -spec: - selector: - matchLabels: - app.kubernetes.io/name: argocd-server - template: - metadata: - labels: - app.kubernetes.io/name: argocd-server - spec: - containers: - - command: - - argocd-server - - --staticassets - - /shared/app - image: argoproj/argocd:v1.7.6 - imagePullPolicy: Always - name: argocd-server - ports: - - containerPort: 8080 - - containerPort: 8083 - readinessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 3 - periodSeconds: 30 - volumeMounts: - - mountPath: /app/config/ssh - name: ssh-known-hosts - - mountPath: /app/config/tls - name: tls-certs - serviceAccountName: argocd-server - volumes: - - emptyDir: {} - name: static-files - - configMap: - name: argocd-ssh-known-hosts-cm - name: ssh-known-hosts - - configMap: - name: argocd-tls-certs-cm - name: tls-certs diff --git a/lib/addons/calico/calico-1.7.1.yaml b/lib/addons/calico/calico-1.7.1.yaml deleted file mode 100644 index d17194c13..000000000 --- a/lib/addons/calico/calico-1.7.1.yaml +++ /dev/null 
@@ -1,760 +0,0 @@ ---- -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: calico-node - namespace: kube-system - labels: - k8s-app: calico-node -spec: - selector: - matchLabels: - k8s-app: calico-node - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - labels: - k8s-app: calico-node - spec: - priorityClassName: system-node-critical - nodeSelector: - beta.kubernetes.io/os: linux - hostNetwork: true - serviceAccountName: calico-node - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 0 - containers: - # Runs calico/node container on each Kubernetes node. This - # container programs network policy and routes on each - # host. - - name: calico-node - image: quay.io/calico/node:v3.15.1 - env: - # Use Kubernetes API as the backing datastore. - - name: DATASTORE_TYPE - value: "kubernetes" - # Use eni not cali for interface prefix - - name: FELIX_INTERFACEPREFIX - value: "eni" - # Enable felix info logging. - - name: FELIX_LOGSEVERITYSCREEN - value: "info" - # Don't enable BGP. - - name: CALICO_NETWORKING_BACKEND - value: "none" - # Cluster type to identify the deployment type - - name: CLUSTER_TYPE - value: "k8s,ecs" - # Disable file logging so `kubectl logs` works. - - name: CALICO_DISABLE_FILE_LOGGING - value: "true" - - name: FELIX_TYPHAK8SSERVICENAME - value: "calico-typha" - # Set Felix endpoint to host default action to ACCEPT. - - name: FELIX_DEFAULTENDPOINTTOHOSTACTION - value: "ACCEPT" - # This will make Felix honor AWS VPC CNI's mangle table - # rules. - - name: FELIX_IPTABLESMANGLEALLOWACTION - value: Return - # Disable IPV6 on Kubernetes. - - name: FELIX_IPV6SUPPORT - value: "false" - # Wait for the datastore. 
- - name: WAIT_FOR_DATASTORE - value: "true" - - name: FELIX_LOGSEVERITYSYS - value: "none" - - name: FELIX_PROMETHEUSMETRICSENABLED - value: "true" - - name: FELIX_ROUTESOURCE - value: "WorkloadIPs" - - name: NO_DEFAULT_POOLS - value: "true" - # Set based on the k8s node name. - - name: NODENAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - # No IP address needed. - - name: IP - value: "" - - name: FELIX_HEALTHENABLED - value: "true" - securityContext: - privileged: true - livenessProbe: - exec: - command: - - /bin/calico-node - - -felix-live - periodSeconds: 10 - initialDelaySeconds: 10 - failureThreshold: 6 - readinessProbe: - exec: - command: - - /bin/calico-node - - -felix-ready - periodSeconds: 10 - volumeMounts: - - mountPath: /lib/modules - name: lib-modules - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - readOnly: false - - mountPath: /var/run/calico - name: var-run-calico - readOnly: false - - mountPath: /var/lib/calico - name: var-lib-calico - readOnly: false - volumes: - # Used to ensure proper kmods are installed. - - name: lib-modules - hostPath: - path: /lib/modules - - name: var-run-calico - hostPath: - path: /var/run/calico - - name: var-lib-calico - hostPath: - path: /var/lib/calico - - name: xtables-lock - hostPath: - path: /run/xtables.lock - type: FileOrCreate - tolerations: - # Make sure calico/node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - ---- - -# Create all the CustomResourceDefinitions needed for -# Calico policy-only mode. 
- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: felixconfigurations.crd.projectcalico.org -spec: - scope: Cluster - group: crd.projectcalico.org - versions: - - name: v1 - served: true - storage: true - names: - kind: FelixConfiguration - plural: felixconfigurations - singular: felixconfiguration - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ipamblocks.crd.projectcalico.org -spec: - scope: Cluster - group: crd.projectcalico.org - versions: - - name: v1 - served: true - storage: true - names: - kind: IPAMBlock - plural: ipamblocks - singular: ipamblock - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: blockaffinities.crd.projectcalico.org -spec: - scope: Cluster - group: crd.projectcalico.org - versions: - - name: v1 - served: true - storage: true - names: - kind: BlockAffinity - plural: blockaffinities - singular: blockaffinity - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: bgpconfigurations.crd.projectcalico.org -spec: - scope: Cluster - group: crd.projectcalico.org - versions: - - name: v1 - served: true - storage: true - names: - kind: BGPConfiguration - plural: bgpconfigurations - singular: bgpconfiguration - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: bgppeers.crd.projectcalico.org -spec: - scope: Cluster - group: crd.projectcalico.org - versions: - - name: v1 - served: true - storage: true - names: - kind: BGPPeer - plural: bgppeers - singular: bgppeer ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ippools.crd.projectcalico.org -spec: - scope: Cluster - group: crd.projectcalico.org - versions: - - name: v1 - served: true - storage: true - names: - kind: IPPool - plural: ippools - singular: ippool - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 
-kind: CustomResourceDefinition -metadata: - name: hostendpoints.crd.projectcalico.org -spec: - scope: Cluster - group: crd.projectcalico.org - versions: - - name: v1 - served: true - storage: true - names: - kind: HostEndpoint - plural: hostendpoints - singular: hostendpoint - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: clusterinformations.crd.projectcalico.org -spec: - scope: Cluster - group: crd.projectcalico.org - versions: - - name: v1 - served: true - storage: true - names: - kind: ClusterInformation - plural: clusterinformations - singular: clusterinformation - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: globalnetworkpolicies.crd.projectcalico.org -spec: - scope: Cluster - group: crd.projectcalico.org - versions: - - name: v1 - served: true - storage: true - names: - kind: GlobalNetworkPolicy - plural: globalnetworkpolicies - singular: globalnetworkpolicy - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: globalnetworksets.crd.projectcalico.org -spec: - scope: Cluster - group: crd.projectcalico.org - versions: - - name: v1 - served: true - storage: true - names: - kind: GlobalNetworkSet - plural: globalnetworksets - singular: globalnetworkset - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: networkpolicies.crd.projectcalico.org -spec: - scope: Namespaced - group: crd.projectcalico.org - versions: - - name: v1 - served: true - storage: true - names: - kind: NetworkPolicy - plural: networkpolicies - singular: networkpolicy - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: networksets.crd.projectcalico.org -spec: - scope: Namespaced - group: crd.projectcalico.org - versions: - - name: v1 - served: true - storage: true - names: - kind: NetworkSet - plural: networksets - singular: networkset - ---- - 
-# Create the ServiceAccount and roles necessary for Calico. - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: calico-node - namespace: kube-system - ---- - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: calico-node -rules: - # The CNI plugin needs to get pods, nodes, configmaps and namespaces. - - apiGroups: [""] - resources: - - pods - - nodes - - configmaps - - namespaces - verbs: - - get - - apiGroups: [""] - resources: - - endpoints - - services - verbs: - # Used to discover service IPs for advertisement. - - watch - - list - # Used to discover Typhas. - - get - - apiGroups: [""] - resources: - - nodes/status - verbs: - # Needed for clearing NodeNetworkUnavailable flag. - - patch - # Calico stores some configuration information in node annotations. - - update - # Watch for changes to Kubernetes NetworkPolicies. - - apiGroups: ["networking.k8s.io"] - resources: - - networkpolicies - verbs: - - watch - - list - # Used by Calico for policy information. - - apiGroups: [""] - resources: - - pods - - namespaces - - serviceaccounts - verbs: - - list - - watch - # The CNI plugin patches pods/status. - - apiGroups: [""] - resources: - - pods/status - verbs: - - patch - # Calico monitors various CRDs for config. - - apiGroups: ["crd.projectcalico.org"] - resources: - - globalfelixconfigs - - felixconfigurations - - bgppeers - - globalbgpconfigs - - bgpconfigurations - - ippools - - ipamblocks - - globalnetworkpolicies - - globalnetworksets - - networkpolicies - - networksets - - clusterinformations - - hostendpoints - - blockaffinities - verbs: - - get - - list - - watch - # Calico must create and update some CRDs on startup. - - apiGroups: ["crd.projectcalico.org"] - resources: - - ippools - - felixconfigurations - - clusterinformations - verbs: - - create - - update - # Calico stores some configuration information on the node. 
- - apiGroups: [""] - resources: - - nodes - verbs: - - get - - list - - watch - # These permissions are only requried for upgrade from v2.6, and can - # be removed after upgrade or on fresh installations. - - apiGroups: ["crd.projectcalico.org"] - resources: - - bgpconfigurations - - bgppeers - verbs: - - create - - update - # These permissions are required for Calico CNI to perform IPAM allocations. - - apiGroups: ["crd.projectcalico.org"] - resources: - - blockaffinities - - ipamblocks - - ipamhandles - verbs: - - get - - list - - create - - update - - delete - - apiGroups: ["crd.projectcalico.org"] - resources: - - ipamconfigs - verbs: - - get - # Block affinities must also be watchable by confd for route aggregation. - - apiGroups: ["crd.projectcalico.org"] - resources: - - blockaffinities - verbs: - - watch - # The Calico IPAM migration needs to get daemonsets. These permissions can be - # removed if not upgrading from an installation using host-local IPAM. - - apiGroups: ["apps"] - resources: - - daemonsets - verbs: - - get - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: calico-node -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-node -subjects: - - kind: ServiceAccount - name: calico-node - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: calico-typha - namespace: kube-system - labels: - k8s-app: calico-typha -spec: - revisionHistoryLimit: 2 - selector: - matchLabels: - k8s-app: calico-typha - template: - metadata: - labels: - k8s-app: calico-typha - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: 'true' - spec: - priorityClassName: system-cluster-critical - nodeSelector: - beta.kubernetes.io/os: linux - tolerations: - # Mark the pod as a critical add-on for rescheduling. 
- - key: CriticalAddonsOnly - operator: Exists - hostNetwork: true - serviceAccountName: calico-node - # fsGroup allows using projected serviceaccount tokens as described here kubernetes/kubernetes#82573 - securityContext: - fsGroup: 65534 - containers: - - image: quay.io/calico/typha:v3.15.1 - name: calico-typha - ports: - - containerPort: 5473 - name: calico-typha - protocol: TCP - env: - # Use eni not cali for interface prefix - - name: FELIX_INTERFACEPREFIX - value: "eni" - - name: TYPHA_LOGFILEPATH - value: "none" - - name: TYPHA_LOGSEVERITYSYS - value: "none" - - name: TYPHA_LOGSEVERITYSCREEN - value: "info" - - name: TYPHA_PROMETHEUSMETRICSENABLED - value: "true" - - name: TYPHA_CONNECTIONREBALANCINGMODE - value: "kubernetes" - - name: TYPHA_PROMETHEUSMETRICSPORT - value: "9093" - - name: TYPHA_DATASTORETYPE - value: "kubernetes" - - name: TYPHA_MAXCONNECTIONSLOWERLIMIT - value: "1" - - name: TYPHA_HEALTHENABLED - value: "true" - # This will make Felix honor AWS VPC CNI's mangle table - # rules. 
- - name: FELIX_IPTABLESMANGLEALLOWACTION - value: Return - livenessProbe: - httpGet: - path: /liveness - port: 9098 - host: localhost - periodSeconds: 30 - initialDelaySeconds: 30 - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - readinessProbe: - httpGet: - path: /readiness - port: 9098 - host: localhost - periodSeconds: 10 - ---- - -# This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: calico-typha - namespace: kube-system - labels: - k8s-app: calico-typha -spec: - maxUnavailable: 1 - selector: - matchLabels: - k8s-app: calico-typha - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: typha-cpha -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: typha-cpha -subjects: - - kind: ServiceAccount - name: typha-cpha - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: typha-cpha -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["watch", "list"] - ---- - -kind: ConfigMap -apiVersion: v1 -metadata: - name: calico-typha-horizontal-autoscaler - namespace: kube-system -data: - ladder: |- - { - "coresToReplicas": [], - "nodesToReplicas": - [ - [1, 1], - [10, 2], - [100, 3], - [250, 4], - [500, 5], - [1000, 6], - [1500, 7], - [2000, 8] - ] - } - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: calico-typha-horizontal-autoscaler - namespace: kube-system - labels: - k8s-app: calico-typha-autoscaler -spec: - selector: - matchLabels: - k8s-app: calico-typha-autoscaler - replicas: 1 - template: - metadata: - labels: - k8s-app: calico-typha-autoscaler - spec: - priorityClassName: system-cluster-critical - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - image: k8s.gcr.io/cluster-proportional-autoscaler-amd64:1.7.1 - name: autoscaler - command: - - 
/cluster-proportional-autoscaler - - --namespace=kube-system - - --configmap=calico-typha-horizontal-autoscaler - - --target=deployment/calico-typha - - --logtostderr=true - - --v=2 - resources: - requests: - cpu: 10m - limits: - cpu: 10m - serviceAccountName: typha-cpha - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: typha-cpha - namespace: kube-system -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - - apiGroups: ["extensions", "apps"] - resources: ["deployments/scale"] - verbs: ["get", "update"] - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: typha-cpha - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: typha-cpha - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: typha-cpha -subjects: - - kind: ServiceAccount - name: typha-cpha - namespace: kube-system - ---- - -apiVersion: v1 -kind: Service -metadata: - name: calico-typha - namespace: kube-system - labels: - k8s-app: calico-typha -spec: - ports: - - port: 5473 - protocol: TCP - targetPort: calico-typha - name: calico-typha - selector: - k8s-app: calico-typha diff --git a/lib/addons/calico/calicoAddon.ts b/lib/addons/calico/calicoAddon.ts deleted file mode 100644 index 384e1d157..000000000 --- a/lib/addons/calico/calicoAddon.ts +++ /dev/null 
@@ -1,17 +0,0 @@
-import { KubernetesManifest } from "@aws-cdk/aws-eks";
-import { ClusterAddOn, ClusterInfo } from "../../eksBlueprintStack";
-import { loadYaml, readYamlDocument } from "../../utils/yamlUtils";
-
-export class CalicoNetworkPolicyAddon implements ClusterAddOn {
-
- deploy(clusterInfo: ClusterInfo): void {
- const cluster = clusterInfo.cluster;
-
- let doc = readYamlDocument(__dirname + '/calico-1.7.1.yaml');
- let docArray = doc.split("---").map(e => loadYaml(e));
- let manifest = new KubernetesManifest(cluster.stack, "calico-network-policy", {
- cluster,
- manifest: docArray
- });
- }
-}
\ No newline at end of file
diff --git a/lib/addons/calico/index.ts b/lib/addons/calico/index.ts
new file mode 100644
index 000000000..9ef28fce4
--- /dev/null
+++ b/lib/addons/calico/index.ts
@@ -0,0 +1,13 @@
+import { ClusterAddOn, ClusterInfo } from "../../eksBlueprintStack";
+
+export class CalicoAddon implements ClusterAddOn {
+
+ deploy(clusterInfo: ClusterInfo): void {
+ clusterInfo.cluster.addHelmChart("calico-addon", {
+ chart: "aws-calico",
+ release: "aws-calico",
+ repository: "https://aws.github.io/eks-charts",
+ namespace: "kube-system"
+ });
+ }
+}
\ No newline at end of file
diff --git a/lib/addons/cloudwatch/containerInsightsAddon.ts b/lib/addons/cloudwatch/index.ts
similarity index 56%
rename from lib/addons/cloudwatch/containerInsightsAddon.ts
rename to lib/addons/cloudwatch/index.ts
index a82ac340e..70801d429 100644
--- a/lib/addons/cloudwatch/containerInsightsAddon.ts
+++ b/lib/addons/cloudwatch/index.ts
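Review bot: The `addHelmChart` call in the new `CalicoAddon.deploy` pins no chart version, so the Calico release deployed to the cluster is whatever `aws-calico` version the `eks-charts` index serves at synth time, and two deployments of the same commit can install different network-policy code. The deleted `CalicoNetworkPolicyAddon` shipped a fixed, vendored `calico-1.7.1.yaml`, so this change trades a reproducible manifest for a floating remote dependency. Please add the `version` option to the chart props, e.g. `version: "<PINNED_AWS_CALICO_CHART_VERSION>"` next to `chart: "aws-calico"`, and bump it deliberately when upgrading. A short comment on the class stating that Calico is now installed from the remote `eks-charts` repository (and which chart version is expected) would also help readers who still expect the in-repo YAML.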
@@ -5,18 +5,18 @@ import { loadYaml, readYamlDocument } from "../../utils/yamlUtils"; export class ContainerInsightsAddOn implements ClusterAddOn { - deploy(clusterInfo: ClusterInfo): void { - const cluster = clusterInfo.cluster; - console.assert(clusterInfo.nodeGroup || clusterInfo.autoscalingGroup, "ContainerInsightsAddon can only be used with EKS EC2 at the moment. " - + "If using customer cluster provider, make sure you return the node group"); - - const nodeGroup = clusterInfo.nodeGroup || clusterInfo.autoscalingGroup; - nodeGroup!.role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('CloudWatchAgentServerPolicy')); + deploy(clusterInfo: ClusterInfo): void { + const cluster = clusterInfo.cluster; + console.assert(clusterInfo.nodeGroup || clusterInfo.autoscalingGroup, "ContainerInsightsAddon can only be used with EKS EC2 at the moment. " + + "If using customer cluster provider, make sure you return the node group"); + + const nodeGroup = clusterInfo.nodeGroup || clusterInfo.autoscalingGroup; + nodeGroup!.role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('CloudWatchAgentServerPolicy')); let doc = readYamlDocument(__dirname + '/cwagent-fluentd-quickstart.yaml'); let docArray = doc.replace(/{{cluster_name}}/g, cluster.clusterName).replace(/{{region_name}}/g, cluster.stack.region).split("---").map(e => loadYaml(e)); new KubernetesManifest(cluster.stack, "cluster-insights", { cluster, manifest: docArray }); - } + } } \ No newline at end of file diff --git a/lib/addons/cluster-autoscaler/clusterAutoscalerAddon.ts b/lib/addons/cluster-autoscaler/clusterAutoscalerAddon.ts deleted file mode 100644 index 2efbeeee9..000000000 --- a/lib/addons/cluster-autoscaler/clusterAutoscalerAddon.ts +++ /dev/null 
@@ -1,303 +0,0 @@ -import * as eks from "@aws-cdk/aws-eks"; -import { KubernetesVersion } from "@aws-cdk/aws-eks"; -import * as iam from "@aws-cdk/aws-iam"; -import { CfnJson, Tags } from "@aws-cdk/core"; -import { CdkEksBlueprintStack, ClusterAddOn, ClusterInfo } from "../../eksBlueprintStack"; - -export class ClusterAutoScaler implements ClusterAddOn { - - private versionField?: string; - - constructor( version?: string) { - this.versionField = version; - } - - /** - * Version of the autoscaler, controls the image tag - */ - readonly versionMap = new Map([ - [KubernetesVersion.V1_19, "v1.19.1"], - [KubernetesVersion.V1_18, "v1.18.3"], - [KubernetesVersion.V1_17, "v1.17.4"] - ]); - - deploy(clusterInfo: ClusterInfo) { - - const version = this.versionField?? this.versionMap.get(clusterInfo.version); - const cluster = clusterInfo.cluster; - - console.assert(clusterInfo.nodeGroup || clusterInfo.autoscalingGroup, "Cluster autoscaler is supported with EKS EC2 only"); - - const ng = clusterInfo.nodeGroup || clusterInfo.autoscalingGroup!; - - - const autoscalerStmt = new iam.PolicyStatement(); - autoscalerStmt.addResources("*"); - autoscalerStmt.addActions( - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeAutoScalingInstances", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "ec2:DescribeLaunchTemplateVersions" - ); - const autoscalerPolicy = new iam.Policy(cluster.stack, "cluster-autoscaler-policy", { - policyName: "ClusterAutoscalerPolicy", - statements: [autoscalerStmt], - }); - autoscalerPolicy.attachToRole(ng.role); - - const clusterName = new CfnJson(cluster.stack, "clusterName", { - value: cluster.clusterName, - }); - Tags.of(ng).add(`k8s.io/cluster-autoscaler/${clusterName}`, "owned", { applyToLaunchedInstances: true }); - Tags.of(ng).add("k8s.io/cluster-autoscaler/enabled", "true", { applyToLaunchedInstances: true }); - - new 
eks.KubernetesManifest(cluster.stack, "cluster-autoscaler", { - cluster, - manifest: [ - { - apiVersion: "v1", - kind: "ServiceAccount", - metadata: { - name: "cluster-autoscaler", - namespace: "kube-system", - labels: { - "k8s-addon": "cluster-autoscaler.addons.k8s.io", - "k8s-app": "cluster-autoscaler", - }, - }, - }, - { - apiVersion: "rbac.authorization.k8s.io/v1", - kind: "ClusterRole", - metadata: { - name: "cluster-autoscaler", - namespace: "kube-system", - labels: { - "k8s-addon": "cluster-autoscaler.addons.k8s.io", - "k8s-app": "cluster-autoscaler", - }, - }, - rules: [ - { - apiGroups: [""], - resources: ["events", "endpoints"], - verbs: ["create", "patch"], - }, - { - apiGroups: [""], - resources: ["pods/eviction"], - verbs: ["create"], - }, - { - apiGroups: [""], - resources: ["pods/status"], - verbs: ["update"], - }, - { - apiGroups: [""], - resources: ["endpoints"], - resourceNames: ["cluster-autoscaler"], - verbs: ["get", "update"], - }, - { - apiGroups: ["coordination.k8s.io"], - resources: ["leases"], - verbs: ["watch", "list", "get", "patch", "create", "update"], - }, - { - apiGroups: [""], - resources: ["nodes"], - verbs: ["watch", "list", "get", "update"], - }, - { - apiGroups: [""], - resources: ["pods", "services", "replicationcontrollers", "persistentvolumeclaims", "persistentvolumes"], - verbs: ["watch", "list", "get"], - }, - { - apiGroups: ["extensions"], - resources: ["replicasets", "daemonsets"], - verbs: ["watch", "list", "get"], - }, - { - apiGroups: ["policy"], - resources: ["poddisruptionbudgets"], - verbs: ["watch", "list"], - }, - { - apiGroups: ["apps"], - resources: ["statefulsets", "replicasets", "daemonsets"], - verbs: ["watch", "list", "get"], - }, - { - apiGroups: ["storage.k8s.io"], - resources: ["storageclasses", "csinodes"], - verbs: ["watch", "list", "get"], - }, - { - apiGroups: ["batch", "extensions"], - resources: ["jobs"], - verbs: ["get", "list", "watch", "patch"], - }, - ], - }, - { - apiVersion: 
"rbac.authorization.k8s.io/v1", - kind: "Role", - metadata: { - name: "cluster-autoscaler", - namespace: "kube-system", - labels: { - "k8s-addon": "cluster-autoscaler.addons.k8s.io", - "k8s-app": "cluster-autoscaler", - }, - }, - rules: [ - { - apiGroups: [""], - resources: ["configmaps"], - verbs: ["create", "list", "watch"], - }, - { - apiGroups: [""], - resources: ["configmaps"], - resourceNames: ["cluster-autoscaler-status", "cluster-autoscaler-priority-expander"], - verbs: ["delete", "get", "update", "watch"], - }, - ], - }, - { - apiVersion: "rbac.authorization.k8s.io/v1", - kind: "ClusterRoleBinding", - metadata: { - name: "cluster-autoscaler", - namespace: "kube-system", - labels: { - "k8s-addon": "cluster-autoscaler.addons.k8s.io", - "k8s-app": "cluster-autoscaler", - }, - }, - roleRef: { - apiGroup: "rbac.authorization.k8s.io", - kind: "ClusterRole", - name: "cluster-autoscaler", - }, - subjects: [ - { - kind: "ServiceAccount", - name: "cluster-autoscaler", - namespace: "kube-system", - }, - ], - }, - { - apiVersion: "rbac.authorization.k8s.io/v1", - kind: "RoleBinding", - metadata: { - name: "cluster-autoscaler", - namespace: "kube-system", - labels: { - "k8s-addon": "cluster-autoscaler.addons.k8s.io", - "k8s-app": "cluster-autoscaler", - }, - }, - roleRef: { - apiGroup: "rbac.authorization.k8s.io", - kind: "Role", - name: "cluster-autoscaler", - }, - subjects: [ - { - kind: "ServiceAccount", - name: "cluster-autoscaler", - namespace: "kube-system", - }, - ], - }, - { - apiVersion: "apps/v1", - kind: "Deployment", - metadata: { - name: "cluster-autoscaler", - namespace: "kube-system", - labels: { - app: "cluster-autoscaler", - }, - annotations: { - "cluster-autoscaler.kubernetes.io/safe-to-evict": "false", - }, - }, - spec: { - replicas: 1, - selector: { - matchLabels: { - app: "cluster-autoscaler", - }, - }, - template: { - metadata: { - labels: { - app: "cluster-autoscaler", - }, - annotations: { - "prometheus.io/scrape": "true", - 
"prometheus.io/port": "8085", - }, - }, - spec: { - serviceAccountName: "cluster-autoscaler", - containers: [ - { - image: "k8s.gcr.io/autoscaling/cluster-autoscaler:" + version, - name: "cluster-autoscaler", - resources: { - limits: { - cpu: "100m", - memory: "300Mi", - }, - requests: { - cpu: "100m", - memory: "300Mi", - }, - }, - command: [ - "./cluster-autoscaler", - "--v=4", - "--stderrthreshold=info", - "--cloud-provider=aws", - "--skip-nodes-with-local-storage=false", - "--expander=least-waste", - "--node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/" + - cluster.clusterName, - "--balance-similar-node-groups", - "--skip-nodes-with-system-pods=false", - ], - volumeMounts: [ - { - name: "ssl-certs", - mountPath: "/etc/ssl/certs/ca-certificates.crt", - readOnly: true, - }, - ], - imagePullPolicy: "Always", - }, - ], - volumes: [ - { - name: "ssl-certs", - hostPath: { - path: "/etc/ssl/certs/ca-bundle.crt", - }, - }, - ], - }, - }, - }, - }, - ], - }); - } -} \ No newline at end of file diff --git a/lib/addons/cluster-autoscaler/index.ts b/lib/addons/cluster-autoscaler/index.ts new file mode 100644 index 000000000..974866476 --- /dev/null +++ b/lib/addons/cluster-autoscaler/index.ts 
@@ -0,0 +1,303 @@
+import * as eks from "@aws-cdk/aws-eks";
+import { KubernetesVersion } from "@aws-cdk/aws-eks";
+import * as iam from "@aws-cdk/aws-iam";
+import { CfnJson, Tags } from "@aws-cdk/core";
+import { CdkEksBlueprintStack, ClusterAddOn, ClusterInfo } from "../../eksBlueprintStack";
+
+export class ClusterAutoScalerAddon implements ClusterAddOn {
+
+ private versionField?: string;
+
+ constructor(version?: string) {
+ this.versionField = version;
+ }
+
+ /**
+ * Version of the autoscaler, controls the image tag
+ */
+ readonly versionMap = new Map([
+ [KubernetesVersion.V1_19, "v1.19.1"],
+ [KubernetesVersion.V1_18, "v1.18.3"],
+ [KubernetesVersion.V1_17, "v1.17.4"]
+ ]);
+
+ deploy(clusterInfo: ClusterInfo) {
+
+ const version = this.versionField ?? this.versionMap.get(clusterInfo.version);
+ const cluster = clusterInfo.cluster;
+
+ console.assert(clusterInfo.nodeGroup || clusterInfo.autoscalingGroup, "Cluster autoscaler is supported with EKS EC2 only");
+
+ const ng = clusterInfo.nodeGroup || clusterInfo.autoscalingGroup!;
+
+
+ const autoscalerStmt = new iam.PolicyStatement();
+ autoscalerStmt.addResources("*");
+ autoscalerStmt.addActions(
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeTags",
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup",
+ "ec2:DescribeLaunchTemplateVersions"
+ );
+ const autoscalerPolicy = new iam.Policy(cluster.stack, "cluster-autoscaler-policy", {
+ policyName: "ClusterAutoscalerPolicy",
+ statements: [autoscalerStmt],
+ });
+ autoscalerPolicy.attachToRole(ng.role);
+
+ const clusterName = new CfnJson(cluster.stack, "clusterName", {
+ value: cluster.clusterName,
+ });
+ Tags.of(ng).add(`k8s.io/cluster-autoscaler/${clusterName}`, "owned", { applyToLaunchedInstances: true });
+ Tags.of(ng).add("k8s.io/cluster-autoscaler/enabled", "true", { applyToLaunchedInstances: true });
+
+
new eks.KubernetesManifest(cluster.stack, "cluster-autoscaler", {
+ cluster,
+ manifest: [
+ {
+ apiVersion: "v1",
+ kind: "ServiceAccount",
+ metadata: {
+ name: "cluster-autoscaler",
+ namespace: "kube-system",
+ labels: {
+ "k8s-addon": "cluster-autoscaler.addons.k8s.io",
+ "k8s-app": "cluster-autoscaler",
+ },
+ },
+ },
+ {
+ apiVersion: "rbac.authorization.k8s.io/v1",
+ kind: "ClusterRole",
+ metadata: {
+ name: "cluster-autoscaler",
+ namespace: "kube-system",
+ labels: {
+ "k8s-addon": "cluster-autoscaler.addons.k8s.io",
+ "k8s-app": "cluster-autoscaler",
+ },
+ },
+ rules: [
+ {
+ apiGroups: [""],
+ resources: ["events", "endpoints"],
+ verbs: ["create", "patch"],
+ },
+ {
+ apiGroups: [""],
+ resources: ["pods/eviction"],
+ verbs: ["create"],
+ },
+ {
+ apiGroups: [""],
+ resources: ["pods/status"],
+ verbs: ["update"],
+ },
+ {
+ apiGroups: [""],
+ resources: ["endpoints"],
+ resourceNames: ["cluster-autoscaler"],
+ verbs: ["get", "update"],
+ },
+ {
+ apiGroups: ["coordination.k8s.io"],
+ resources: ["leases"],
+ verbs: ["watch", "list", "get", "patch", "create", "update"],
+ },
+ {
+ apiGroups: [""],
+ resources: ["nodes"],
+ verbs: ["watch", "list", "get", "update"],
+ },
+ {
+ apiGroups: [""],
+ resources: ["pods", "services", "replicationcontrollers", "persistentvolumeclaims", "persistentvolumes"],
+ verbs: ["watch", "list", "get"],
+ },
+ {
+ apiGroups: ["extensions"],
+ resources: ["replicasets", "daemonsets"],
+ verbs: ["watch", "list", "get"],
+ },
+ {
+ apiGroups: ["policy"],
+ resources: ["poddisruptionbudgets"],
+ verbs: ["watch", "list"],
+ },
+ {
+ apiGroups: ["apps"],
+ resources: ["statefulsets", "replicasets", "daemonsets"],
+ verbs: ["watch", "list", "get"],
+ },
+ {
+ apiGroups: ["storage.k8s.io"],
+ resources: ["storageclasses", "csinodes"],
+ verbs: ["watch", "list", "get"],
+ },
+ {
+ apiGroups: ["batch", "extensions"],
+ resources: ["jobs"],
+ verbs: ["get", "list", "watch", "patch"],
+ },
+ ],
+ },
+ {
+ apiVersion:
"rbac.authorization.k8s.io/v1",
+ kind: "Role",
+ metadata: {
+ name: "cluster-autoscaler",
+ namespace: "kube-system",
+ labels: {
+ "k8s-addon": "cluster-autoscaler.addons.k8s.io",
+ "k8s-app": "cluster-autoscaler",
+ },
+ },
+ rules: [
+ {
+ apiGroups: [""],
+ resources: ["configmaps"],
+ verbs: ["create", "list", "watch"],
+ },
+ {
+ apiGroups: [""],
+ resources: ["configmaps"],
+ resourceNames: ["cluster-autoscaler-status", "cluster-autoscaler-priority-expander"],
+ verbs: ["delete", "get", "update", "watch"],
+ },
+ ],
+ },
+ {
+ apiVersion: "rbac.authorization.k8s.io/v1",
+ kind: "ClusterRoleBinding",
+ metadata: {
+ name: "cluster-autoscaler",
+ namespace: "kube-system",
+ labels: {
+ "k8s-addon": "cluster-autoscaler.addons.k8s.io",
+ "k8s-app": "cluster-autoscaler",
+ },
+ },
+ roleRef: {
+ apiGroup: "rbac.authorization.k8s.io",
+ kind: "ClusterRole",
+ name: "cluster-autoscaler",
+ },
+ subjects: [
+ {
+ kind: "ServiceAccount",
+ name: "cluster-autoscaler",
+ namespace: "kube-system",
+ },
+ ],
+ },
+ {
+ apiVersion: "rbac.authorization.k8s.io/v1",
+ kind: "RoleBinding",
+ metadata: {
+ name: "cluster-autoscaler",
+ namespace: "kube-system",
+ labels: {
+ "k8s-addon": "cluster-autoscaler.addons.k8s.io",
+ "k8s-app": "cluster-autoscaler",
+ },
+ },
+ roleRef: {
+ apiGroup: "rbac.authorization.k8s.io",
+ kind: "Role",
+ name: "cluster-autoscaler",
+ },
+ subjects: [
+ {
+ kind: "ServiceAccount",
+ name: "cluster-autoscaler",
+ namespace: "kube-system",
+ },
+ ],
+ },
+ {
+ apiVersion: "apps/v1",
+ kind: "Deployment",
+ metadata: {
+ name: "cluster-autoscaler",
+ namespace: "kube-system",
+ labels: {
+ app: "cluster-autoscaler",
+ },
+ annotations: {
+ "cluster-autoscaler.kubernetes.io/safe-to-evict": "false",
+ },
+ },
+ spec: {
+ replicas: 1,
+ selector: {
+ matchLabels: {
+ app: "cluster-autoscaler",
+ },
+ },
+ template: {
+ metadata: {
+ labels: {
+ app: "cluster-autoscaler",
+ },
+ annotations: {
+ "prometheus.io/scrape": "true",
+
"prometheus.io/port": "8085",
+ },
+ },
+ spec: {
+ serviceAccountName: "cluster-autoscaler",
+ containers: [
+ {
+ image: "k8s.gcr.io/autoscaling/cluster-autoscaler:" + version,
+ name: "cluster-autoscaler",
+ resources: {
+ limits: {
+ cpu: "100m",
+ memory: "300Mi",
+ },
+ requests: {
+ cpu: "100m",
+ memory: "300Mi",
+ },
+ },
+ command: [
+ "./cluster-autoscaler",
+ "--v=4",
+ "--stderrthreshold=info",
+ "--cloud-provider=aws",
+ "--skip-nodes-with-local-storage=false",
+ "--expander=least-waste",
+ "--node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/" +
+ cluster.clusterName,
+ "--balance-similar-node-groups",
+ "--skip-nodes-with-system-pods=false",
+ ],
+ volumeMounts: [
+ {
+ name: "ssl-certs",
+ mountPath: "/etc/ssl/certs/ca-certificates.crt",
+ readOnly: true,
+ },
+ ],
+ imagePullPolicy: "Always",
+ },
+ ],
+ volumes: [
+ {
+ name: "ssl-certs",
+ hostPath: {
+ path: "/etc/ssl/certs/ca-bundle.crt",
+ },
+ },
+ ],
+ },
+ },
+ },
+ },
+ ],
+ });
+ }
+}
\ No newline at end of file
diff --git a/lib/addons/index.ts b/lib/addons/index.ts
new file mode 100644
index 000000000..b7467903a
--- /dev/null
+++ b/lib/addons/index.ts
@@ -0,0 +1,7 @@
+export { AppMeshAddon } from './appmesh'
+export { ArgoCDAddon } from './argocd'
+export { CalicoAddon } from './calico'
+export { ContainerInsightsAddOn } from './cloudwatch'
+export { ClusterAutoScalerAddon } from './cluster-autoscaler'
+export { MetricsServerAddon } from './metrics-server'
+export { NginxAddon } from './nginx'
\ No newline at end of file
diff --git a/lib/addons/metrics-server/index.ts b/lib/addons/metrics-server/index.ts
new file mode 100644
index 000000000..a832e9867
--- /dev/null
+++ b/lib/addons/metrics-server/index.ts
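Review bot: The `console.assert` just before `const ng = clusterInfo.nodeGroup || clusterInfo.autoscalingGroup!` does not stop execution in Node, so a Fargate-only ClusterInfo still reaches `ng.role` and fails with a TypeError instead of the intended message; an explicit `if (!ng) throw new Error(...)` is needed. The policy built from `autoscalerStmt` grants `autoscaling:SetDesiredCapacity` and `autoscaling:TerminateInstanceInAutoScalingGroup` on `"*"` and is attached to the node group role, so every pod scheduled on those nodes inherits the ability to scale or terminate any Auto Scaling group in the account. The rewrite below keeps the read-only Describe calls unrestricted, conditions the two mutating actions on the `k8s.io/cluster-autoscaler/enabled` tag the hunk already applies, and binds the policy to an IRSA service account created with `cluster.addServiceAccount` instead of the node role (the ServiceAccount object in the manifest then has to be dropped, since addServiceAccount creates it, and the Deployment should depend on it). Separately, `version` is undefined when `clusterInfo.version` has no entry in `versionMap`, which yields an image tag of `undefined`; `if (!version) throw new Error(...)` surfaces that at synth time.
```typescript
    deploy(clusterInfo: ClusterInfo) {
        // … unchanged: version / cluster resolution …
        const ng = clusterInfo.nodeGroup || clusterInfo.autoscalingGroup;
        if (!ng) {
            throw new Error("Cluster autoscaler is supported with EKS EC2 only");
        }
        if (!version) {
            throw new Error("No cluster-autoscaler image version known for this Kubernetes version; pass one explicitly");
        }

        // Read-only discovery has to stay on "*"; the mutating calls are limited
        // to Auto Scaling groups carrying the enabled tag applied below.
        const describeStmt = new iam.PolicyStatement({
            resources: ["*"],
            actions: [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "ec2:DescribeLaunchTemplateVersions",
            ],
        });
        const scaleStmt = new iam.PolicyStatement({
            resources: ["*"],
            actions: [
                "autoscaling:SetDesiredCapacity",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
            ],
            conditions: {
                StringEquals: { "aws:ResourceTag/k8s.io/cluster-autoscaler/enabled": "true" },
            },
        });
        // IRSA: only the cluster-autoscaler pod receives these permissions,
        // not every workload running on the node group.
        const serviceAccount = cluster.addServiceAccount("cluster-autoscaler-sa", {
            name: "cluster-autoscaler",
            namespace: "kube-system",
        });
        new iam.Policy(cluster.stack, "cluster-autoscaler-policy", {
            policyName: "ClusterAutoscalerPolicy",
            statements: [describeStmt, scaleStmt],
        }).attachToRole(serviceAccount.role);
        // … unchanged: CfnJson clusterName and the two Tags.of(ng).add(...) calls …
        // … unchanged: KubernetesManifest, minus the ServiceAccount entry …
```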
@@ -0,0 +1,17 @@
+import { CdkEksBlueprintStack, ClusterAddOn, ClusterInfo } from "../../eksBlueprintStack";
+import { loadExternalYaml } from "../../utils/yamlUtils";
+
+export class MetricsServerAddon implements ClusterAddOn {
+
+ version: string;
+
+ constructor(version?: string) {
+ this.version = version ?? "v0.4.1";
+ }
+
+ deploy(clusterInfo: ClusterInfo): void {
+ const manifestUrl = `https://github.com/kubernetes-sigs/metrics-server/releases/download/${this.version}/components.yaml`;
+ const manifest = loadExternalYaml(manifestUrl);
+ clusterInfo.cluster.addManifest('my-resource', ...manifest);
+ }
+}
\ No newline at end of file
diff --git a/lib/addons/metrics-server/metricsServerAddon.ts b/lib/addons/metrics-server/metricsServerAddon.ts
deleted file mode 100644
index 353772e09..000000000
--- a/lib/addons/metrics-server/metricsServerAddon.ts
+++ /dev/null
@@ -1,17 +0,0 @@
-import { CdkEksBlueprintStack, ClusterAddOn, ClusterInfo } from "../../eksBlueprintStack";
-import { loadExternalYaml } from "../../utils/yamlUtils";
-
-export class MetricsServerAddon implements ClusterAddOn {
-
- version: string;
-
- constructor(version?: string) {
- this.version = version ?? "v0.4.1";
- }
-
- deploy(clusterInfo :ClusterInfo): void {
- const manifestUrl = `https://github.com/kubernetes-sigs/metrics-server/releases/download/${this.version}/components.yaml`;
- const manifest = loadExternalYaml(manifestUrl);
- clusterInfo.cluster.addManifest('my-resource', ...manifest);
- }
-}
\ No newline at end of file
diff --git a/lib/addons/nginx/nginxAddon.ts b/lib/addons/nginx/index.ts
similarity index 70%
rename from lib/addons/nginx/nginxAddon.ts
rename to lib/addons/nginx/index.ts
index de64edcd7..8542cd571
--- a/lib/addons/nginx/nginxAddon.ts
+++ b/lib/addons/nginx/index.ts
@@ -2,11 +2,11 @@ import { ClusterAddOn, ClusterInfo } from "../../eksBlueprintStack";
 export class NginxAddon implements ClusterAddOn {
- deploy(clusterInfo: ClusterInfo): void {
- clusterInfo.cluster.addHelmChart("ngninx-ingress", {
+ deploy(clusterInfo: ClusterInfo): void {
+ clusterInfo.cluster.addHelmChart("ngninx-addon", {
 chart: "nginx-ingress",
 repository: "https://helm.nginx.com/stable",
 namespace: "kube-system"
 });
- }
+ }
 }
\ No newline at end of file
diff --git a/lib/ec2-cluster-provider.ts b/lib/ec2-cluster-provider.ts
index 835abe984..96bc7632f 100644
--- a/lib/ec2-cluster-provider.ts
+++ b/lib/ec2-cluster-provider.ts
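Review bot: The new construct id `ngninx-addon` carries the `ngninx` typo over from `ngninx-ingress`, and changing the id at all makes CDK delete the old Helm release and install a new one rather than update in place, which is worth stating in the commit message; if the release is being recreated anyway, `clusterInfo.cluster.addHelmChart("nginx-addon", {` would also fix the spelling. No chart `version` is pinned, so every deploy installs whatever `https://helm.nginx.com/stable` currently serves for `nginx-ingress`, an unreviewed upgrade path for a component that is typically exposed through a load balancer; add `version: "<chart version>"` (placeholder) next to `chart`. Installing a third-party ingress controller into `kube-system` also places it alongside control-plane add-ons; a dedicated namespace keeps RBAC and network-policy boundaries clearer.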
@@ -1,50 +1,50 @@
+import { Construct } from "@aws-cdk/core";
 import { InstanceType, IVpc, SubnetSelection, Vpc } from "@aws-cdk/aws-ec2";
 import { Cluster, CommonClusterOptions, KubernetesVersion, NodegroupAmiType } from "@aws-cdk/aws-eks";
-import { Construct } from "@aws-cdk/core";
-import { ClusterInfo, ClusterProvider } from "./eksBlueprintStack";
+import { ClusterInfo, ClusterProvider } from "./eksBlueprintStack";
 export interface EC2ProviderClusterProps extends CommonClusterOptions {
- instanceType?: InstanceType; // m5.large
+ instanceType?: InstanceType; // m5.large
+
+ minSize?: number;
+
+ maxSize?: number;
- minSize? : number;
-
- maxSize? : number;
-
- amiType?: NodegroupAmiType.AL2_X86_64;
+ amiType?: NodegroupAmiType.AL2_X86_64;
- vpcSubnets?: SubnetSelection[];
+ vpcSubnets?: SubnetSelection[];
 }
 export class EC2ClusterProvider implements ClusterProvider {
- readonly providerOptions: EC2ProviderClusterProps;
+ readonly providerOptions: EC2ProviderClusterProps;
- constructor(options? : EC2ProviderClusterProps) {
- this.providerOptions = options ?? {version: KubernetesVersion.V1_19};
- }
+ constructor(options?: EC2ProviderClusterProps) {
+ this.providerOptions = options ??
{ version: KubernetesVersion.V1_19 };
+ }
- createCluster(scope: Construct, vpc: IVpc, version: KubernetesVersion): ClusterInfo {
+ createCluster(scope: Construct, vpc: IVpc, version: KubernetesVersion): ClusterInfo {
- const id = scope.node.id;
+ const id = scope.node.id;
- const cluster = new Cluster(scope, id, {
- vpc: vpc,
- clusterName: id,
- outputClusterName: true,
- defaultCapacity: 0, // we want to manage capacity ourselves
- version: this.providerOptions.version,
- vpcSubnets: this.providerOptions.vpcSubnets,
- });
+ const cluster = new Cluster(scope, id, {
+ vpc: vpc,
+ clusterName: id,
+ outputClusterName: true,
+ defaultCapacity: 0, // we want to manage capacity ourselves
+ version: this.providerOptions.version,
+ vpcSubnets: this.providerOptions.vpcSubnets,
+ });
- const nodeGroup = cluster.addNodegroupCapacity(id + "-ng", {
- instanceType: this.providerOptions.instanceType,
- amiType: this.providerOptions.amiType,
- minSize: this.providerOptions.minSize,
- maxSize: this.providerOptions.maxSize
- });
+ const nodeGroup = cluster.addNodegroupCapacity(id + "-ng", {
+ instanceType: this.providerOptions.instanceType,
+ amiType: this.providerOptions.amiType,
+ minSize: this.providerOptions.minSize,
+ maxSize: this.providerOptions.maxSize
+ });
- return { cluster: cluster, nodeGroup: nodeGroup, version: version };
- }
+ return { cluster: cluster, nodeGroup: nodeGroup, version: version };
+ }
 }
\ No newline at end of file
diff --git a/lib/eksBlueprintStack.ts b/lib/eksBlueprintStack.ts
index ca55dde1b..1e57b01da 100644
--- a/lib/eksBlueprintStack.ts
+++ b/lib/eksBlueprintStack.ts
@@ -2,10 +2,11 @@ import * as cdk from '@aws-cdk/core';
 import * as ec2 from "@aws-cdk/aws-ec2";
 import { StackProps } from '@aws-cdk/core';
-import { IVpc} from '@aws-cdk/aws-ec2';
+import { IVpc } from '@aws-cdk/aws-ec2';
+import { AutoScalingGroup } from '@aws-cdk/aws-autoscaling';
 import { Cluster, KubernetesVersion, Nodegroup } from '@aws-cdk/aws-eks';
+
 import { EC2ClusterProvider } from './ec2-cluster-provider';
-import { AutoScalingGroup } from '@aws-cdk/aws-autoscaling';
 export class EksBlueprintProps {
@@ -34,7 +35,7 @@ export class EksBlueprintProps {
 /**
 * Kubernetes version (must be initialized for addons to work properly)
 */
- readonly version ? : KubernetesVersion = KubernetesVersion.V1_19;
+ readonly version?: KubernetesVersion = KubernetesVersion.V1_19;
 }
@@ -51,7 +52,7 @@ export class CdkEksBlueprintStack extends cdk.Stack {
 const clusterProvider = blueprintProps.clusterProvider ?? new EC2ClusterProvider;
 const clusterInfo = clusterProvider.createCluster(this, vpc, blueprintProps.version ?? KubernetesVersion.V1_19);
-
+
 for (let addOn of (blueprintProps.addOns ?? [])) { // must iterate in the strict order
 addOn.deploy(clusterInfo);
 }
@@ -60,7 +61,7 @@ export class CdkEksBlueprintStack extends cdk.Stack {
 }
 }
- initializeVpc(vpcId: string) :IVpc {
+ initializeVpc(vpcId: string): IVpc {
 const id = this.node.id;
 let vpc = undefined;
@@ -90,15 +91,15 @@ export interface ClusterProvider {
 }
 export interface ClusterAddOn {
- deploy(clusterInfo : ClusterInfo): void;
+ deploy(clusterInfo: ClusterInfo): void;
 }
 export interface TeamSetup {
- setup(clusterInfo : ClusterInfo): void;
+ setup(clusterInfo: ClusterInfo): void;
 }
 export interface ClusterInfo {
-
+
 readonly cluster: Cluster;
 /**
@@ -106,7 +107,7 @@ export interface ClusterInfo {
 */
 readonly nodeGroup?: Nodegroup;
- readonly autoscalingGroup? : AutoScalingGroup;
+ readonly autoscalingGroup?: AutoScalingGroup;
 readonly version: KubernetesVersion;
 }
diff --git a/lib/fargate-cluster-provider.ts b/lib/fargate-cluster-provider.ts
index ddb0ba98b..5eda3c3ed 100644
--- a/lib/fargate-cluster-provider.ts
+++ b/lib/fargate-cluster-provider.ts
@@ -1,40 +1,41 @@
-import { InstanceType, IVpc, Vpc } from "@aws-cdk/aws-ec2";
-import { FargateCluster, ClusterProps, KubernetesVersion, FargateProfileOptions, CommonClusterOptions } from "@aws-cdk/aws-eks";
 import { Construct } from "@aws-cdk/core";
-import { CdkEksBlueprintStack, ClusterInfo, ClusterProvider } from "./eksBlueprintStack";
+import { IVpc } from "@aws-cdk/aws-ec2";
+import { FargateCluster, KubernetesVersion, FargateProfileOptions, CommonClusterOptions } from "@aws-cdk/aws-eks";
+
+import { ClusterInfo, ClusterProvider } from "./eksBlueprintStack";
 export class FargateClusterProvider implements ClusterProvider {
- readonly profiles: Map;
-
- clusterOptions? : CommonClusterOptions; //TODO: integrate into cluster creation
+ readonly profiles: Map;
- constructor(inProfiles? : Map, clusterOptions? : CommonClusterOptions ) {
- this.profiles = inProfiles ?? new Map();
- this.clusterOptions = clusterOptions;
- }
+ clusterOptions?: CommonClusterOptions; //TODO: integrate into cluster creation
- createCluster(scope: Construct, vpc: IVpc, version: KubernetesVersion): ClusterInfo {
+ constructor(inProfiles?: Map, clusterOptions?: CommonClusterOptions) {
+ this.profiles = inProfiles ??
new Map();
+ this.clusterOptions = clusterOptions;
+ }
- // TODO: fix configuration so that it does not always come from context but could be injected
- const vpcSubnets = scope.node.tryGetContext("vpcSubnets");
+ createCluster(scope: Construct, vpc: IVpc, version: KubernetesVersion): ClusterInfo {
- const id = scope.node.id;
+ // TODO: fix configuration so that it does not always come from context but could be injected
+ const vpcSubnets = scope.node.tryGetContext("vpcSubnets");
- const cluster = new FargateCluster(scope, id, {
- vpc: vpc,
- clusterName: id,
- outputClusterName: true,
- version: version,
- vpcSubnets: vpcSubnets,
-
- });
+ const id = scope.node.id;
- for(const [id, options] of this.profiles) {
- cluster.addFargateProfile(id, options);
- }
+ const cluster = new FargateCluster(scope, id, {
+ vpc: vpc,
+ clusterName: id,
+ outputClusterName: true,
+ version: version,
+ vpcSubnets: vpcSubnets,
- return { cluster: cluster, version: version};
- }
+ });
+
+ for (const [id, options] of this.profiles) {
+ cluster.addFargateProfile(id, options);
+ }
+
+ return { cluster: cluster, version: version };
+ }
 }
\ No newline at end of file
diff --git a/lib/index.ts b/lib/index.ts
index ada6a9bcd..066eca06e 100644
--- a/lib/index.ts
+++ b/lib/index.ts
@@ -1,8 +1,3 @@
 export * from './eksBlueprintStack';
-export * from './addons/appmesh/appMeshAddon';
-export * from './addons/argocd/argoCDAddon';
-export * from './addons/calico/calicoAddon';
-export * from './addons/cloudwatch/containerInsightsAddon';
-export * from './addons/cluster-autoscaler/clusterAutoscalerAddon';
-export * from './addons/metrics-server/metricsServerAddon';
-export * from './addons/nginx/nginxAddon';
+export * as Addons from './addons';
+
diff --git a/lib/pipelineStack.ts b/lib/pipelineStack.ts
index 66aba1876..a75236359 100644
--- a/lib/pipelineStack.ts
+++ b/lib/pipelineStack.ts
@@ -7,7 +7,7 @@ import * as actions from '@aws-cdk/aws-codepipeline-actions';
 export class FactoryApplication extends Stage {
 constructor(scope: Construct, id: string, props?: StageProps) {
 super(scope, id, props);
- const eksBlueprintStack = new CdkEksBlueprintStack(this, {id: 'eks'});
+ const eksBlueprintStack = new CdkEksBlueprintStack(this, { id: 'eks' });
 }
 }