-
Notifications
You must be signed in to change notification settings - Fork 198
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature/import clusters #696
Merged
Merged
Changes from all commits
Commits
Show all changes
18 commits
Select commit
Hold shift + click to select a range
3fb9400
refactoring to use imported clusters
shapirov103 baa3245
merge from main
shapirov103 381980a
refactoring to ICluster, fixing utils, examples
shapirov103 7d0280d
ImportCluster provider
shapirov103 7d8004e
merge conflict
shapirov103 63ddb4e
fixed doc on security group
shapirov103 416319e
Merge branch 'main' into feature/import-clusters
shapirov103 216ccbc
adding import cluster provider to global export
shapirov103 ccff59d
uprevved and fixed typo
shapirov103 cbb134c
Added version to the vpc cni addon
shapirov103 3628d10
fixes #745 adding export to the EBS CSI driver properties
shapirov103 5688a27
import cluster provider that supports auto configuration based on the…
shapirov103 66968b9
fixing version mapping
shapirov103 9808c16
changed role to irole
shapirov103 b06175a
import cluster provider new API to create
shapirov103 192dddd
renamed function name to describe cluster
shapirov103 5667df1
adding documentation for the PR
shapirov103 590ee7f
review feedback and known limitations
shapirov103 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,108 @@ | ||
# Import Cluster Provider | ||
|
||
The `ImportClusterProvider` allows you to import an existing EKS cluster into your blueprint. Importing an existing cluster at present will allow adding certain add-ons and limited team capabilities. | ||
|
||
## Usage | ||
|
||
The framework provides a couple of convenience methods to instantiate the `ImportClusterProvider` by leveraging the SDK API call to describe the cluster. | ||
|
||
### Option 1 | ||
|
||
Recommended option is to get the cluster information through the `DescribeCluster` API (requires `eks:DescribeCluster` permission at build-time) and then use it to instantiate the `ImportClusterProvider` and **(very important)** to set up the blueprint VPC. | ||
|
||
Make sure VPC is set to the VPC of the imported cluster, otherwise the blueprint by default will create a new VPC, which will be redundant and cause problems with some of the add-ons. | ||
|
||
**Note:** `blueprints.describeCluster() is an asynchronous function, you should either use `await` or handle promise resolution chain. | ||
|
||
```typescript | ||
const clusterName = "quickstart-cluster"; | ||
const region = "us-east-2"; | ||
|
||
const sdkCluster = await blueprints.describeCluster(clusterName, region); // get cluster information using EKS APIs | ||
|
||
/** | ||
* Assumes the supplied role is registered in the target cluster for kubectl access. | ||
*/ | ||
const importClusterProvider = blueprints.ImportClusterProvider.fromClusterAttributes( | ||
sdkCluster, | ||
blueprints.getResource(context => new blueprints.LookupRoleProvider(kubectlRoleName).provide(context)) | ||
); | ||
|
||
const vpcId = sdkCluster.resourcesVpcConfig?.vpcId; | ||
|
||
blueprints.EksBlueprint.builder() | ||
.clusterProvider(importClusterProvider) | ||
.resourceProvider(blueprints.GlobalResources.Vpc, new blueprints.VpcProvider(vpcId)) // this is required with import cluster provider | ||
|
||
``` | ||
|
||
### Option 2 | ||
|
||
This option is convenient if you already know the VPC Id of the target cluster. It also requires `eks:DescribeCluster` permission at build-time: | ||
|
||
```typescript | ||
const clusterName = "quickstart-cluster"; | ||
const region = "us-east-2"; | ||
|
||
const kubectlRole: iam.IRole = blueprints.getNamedResource('my-role'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. addressed |
||
|
||
const importClusterProvider2 = await blueprints.ImportClusterProvider.fromClusterLookup(clusterName, region, kubectlRole); // note await here | ||
|
||
const vpcId = ...; // you can always get it with blueprints.describeCluster(clusterName, region); | ||
|
||
blueprints.EksBlueprint.builder() | ||
.clusterProvider(importClusterProvider2) | ||
.resourceProvider('my-role', new blueprints.LookupRoleProvider('my-role')) | ||
.resourceProvider(blueprints.GlobalResources.Vpc, new blueprints.VpcProvider(vpcId)) | ||
``` | ||
|
||
### Option 3 | ||
|
||
Unlike the other options, this one does not require any special permissions at build time, however it requires passing all the required information to the import cluster provider. | ||
OIDC provider is expected to be passed in as well if you are planning to leverage IRSA with your blueprint. The OIDC provider is expected to be registered in the imported cluster already, otherwise IRSA won't work. | ||
|
||
|
||
```typescript | ||
|
||
const importClusterProvider3 = new ImportClusterProvider({ | ||
clusterName: 'my-existing-cluster', | ||
version: KubernetesVersion.V1_26, | ||
clusterEndpoint: 'https://B792B88BC60999B1A37D.gr7.us-east-2.eks.amazonaws.com', | ||
openIdConnectProvider: getResource(context => | ||
new LookupOpenIdConnectProvider('https://oidc.eks.us-east-2.amazonaws.com/id/B792B88BC60999B1A37D').provide(context)), | ||
clusterCertificateAuthorityData: 'S0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCasdd234................', | ||
kubectlRoleArn: 'arn:...', | ||
}); | ||
|
||
const vpcId = ...; | ||
|
||
blueprints.EksBlueprint.builder() | ||
.clusterProvider(importClusterProvider3) | ||
.resourceProvider(blueprints.GlobalResources.Vpc, new blueprints.VpcProvider(vpcId)) | ||
``` | ||
|
||
## Configuration | ||
|
||
The `ImportClusterProvider` supports the following configuration options: | ||
|
||
| Prop | Description | | ||
|-----------------------|-------------| | ||
| clusterName | Cluster name | ||
| version | EKS version of the target cluster | ||
| clusterEndpoint | The API Server endpoint URL | ||
| openIdConnectProvider | An Open ID Connect provider for this cluster that can be used to configure service accounts. You can either import an existing provider using `LookupOpenIdConnectProvider`, or create a new provider using new custom resource provider to call `new eks.OpenIdConnectProvider` | ||
| clusterCertificateAuthorityData | The certificate-authority-data for your cluster. | ||
| kubectlRoleArn | An IAM role with cluster administrator and "system:masters" permissions. | ||
|
||
|
||
## Known Limitations | ||
|
||
The following add-ons will not work with the `ImportClusterProvider` due to the inability (at present) of the imported clusters to modify `aws-auth` ConfigMap and mutate cluster authentication: | ||
* `ClusterAutoScalerAddOn` | ||
* `AwsBatchAddOn` | ||
* `EmrEksAddOn` | ||
* `KarpenterAddOn` | ||
|
||
Teams can be added to the cluster and will perform all of the team functionality except cluster access due to the same inability to mutate cluster access. | ||
|
||
At the moment, there are no examples to add extra capacity to the imported clusters like node groups. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is
clusterName
a variable. If so we should also add that and show people of a sample populated value.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The downside of that is people mindlessly copying this to their env just to discover that it does not work, similar to what we had with the update-kubeconfig frm the blog post. But for consistency I will add sample data.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
addressed