gitadmin/gitops-ack-kro-argocd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit from kro/examples/aws/eks-cluster-mgmt

Browse Source
This commit is contained in:
joaogac
2026-04-21 09:55:53 -03:00
parent 0585444299
commit 7d11fd5889
66 changed files with 3667 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
charts/application-sets/.helmignore
+23
View File
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
charts/application-sets/Chart.yaml
+24
View File
@@ -0,0 +1,24 @@
apiVersion: v2
name: application-sets
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"
charts/application-sets/templates/_application_set.tpl
+58
View File
@@ -0,0 +1,58 @@
{{/*
Template to generate additional resources configuration
*/}}
{{- define "application-sets.additionalResources" -}}
{{- $chartName := .chartName -}}
{{- $chartConfig := .chartConfig -}}
{{- $valueFiles := .valueFiles -}}
{{- $additionalResourcesType := .additionalResourcesType -}}
{{- $additionalResourcesPath := .path -}}
{{- $values := .values -}}
{{- if $chartConfig.additionalResources.path }}
- repoURL: {{ $values.repoURLGit | squote }}
targetRevision: {{ $values.repoURLGitRevision | squote }}
path: {{- if eq $additionalResourcesType "manifests" }}
'{{ $values.repoURLGitBasePath }}{{ if $values.useValuesFilePrefix }}{{ $values.valuesFilePrefix }}{{ end }}clusters/{{`{{.nameNormalized}}`}}/{{ $chartConfig.additionalResources.manifestPath }}'
{{- else }}
{{ $chartConfig.additionalResources.path | squote }}
{{- end}}
{{- end }}
{{- if $chartConfig.additionalResources.chart }}
- repoURL: '{{$chartConfig.additionalResources.repoURL}}'
chart: '{{$chartConfig.additionalResources.chart}}'
targetRevision: '{{$chartConfig.additionalResources.chartVersion }}'
{{- end }}
{{- if $chartConfig.additionalResources.helm }}
helm:
releaseName: '{{`{{ .name }}`}}-{{ $chartConfig.additionalResources.helm.releaseName }}'
{{- if $chartConfig.additionalResources.helm.valuesObject }}
valuesObject:
{{- $chartConfig.additionalResources.helm.valuesObject | toYaml | nindent 6 }}
{{- end }}
ignoreMissingValueFiles: true
valueFiles:
{{- include "application-sets.valueFiles" (dict
"nameNormalize" $chartName
"valueFiles" $valueFiles
"values" $values
"chartType" $additionalResourcesType) | nindent 6 }}
{{- end }}
{{- end }}
{{/*
Define the values path for reusability
*/}}
{{- define "application-sets.valueFiles" -}}
{{- $nameNormalize := .nameNormalize -}}
{{- $chartConfig := .chartConfig -}}
{{- $valueFiles := .valueFiles -}}
{{- $chartType := .chartType -}}
{{- $values := .values -}}
{{- with .valueFiles }}
{{- range . }}
- $values/{{ $values.repoURLGitBasePath }}{{ . }}/{{ $nameNormalize }}{{ if $chartType }}/{{ $chartType }}{{ end }}/{{ if $chartConfig.valuesFileName }}{{ $chartConfig.valuesFileName }}{{ else }}values.yaml{{ end }}
- $values/{{ $values.repoURLGitBasePath }}{{ if $values.useValuesFilePrefix }}{{ $values.valuesFilePrefix }}{{ end }}{{ . }}/{{ $nameNormalize }}{{ if $chartType }}/{{ $chartType }}{{ end }}/{{ if $chartConfig.valuesFileName }}{{ $chartConfig.valuesFileName }}{{ else }}values.yaml{{ end }}
{{- end }}
{{- end }}
{{- end }}
charts/application-sets/templates/_git_matrix.tpl
+37
View File
@@ -0,0 +1,37 @@
# {{/*
# Template creating git matrix generator
# */}}
# {{- define "application-sets.git-matrix" -}}
# {{- $chartName := .chartName -}}
# {{- $chartConfig := .chartConfig -}}
# {{- $repoURLGit := .repoURLGit -}}
# {{- $repoURLGitRevision := .repoURLGitRevision -}}
# {{- $selectors := .selectors -}}
# {{- $useSelectors := .useSelectors -}}
# generators:
# - matrix:
# generators:
# - clusters:
# selector:
# matchLabels:
# argocd.argoproj.io/secret-type: cluster
# {{- if $selectors }}
# {{- toYaml $selectors | nindent 16 }}
# - key: fleet_member
# operator: NotIn
# values: ['control-plane']
# {{- end }}
# {{- if $chartConfig.selectorMatchLabels }}
# {{- toYaml $chartConfig.selectorMatchLabels | nindent 18 }}
# {{- end }}
# {{- if and $chartConfig.selector $useSelectors }}
# {{- toYaml $chartConfig.selector | nindent 16 }}
# {{- end }}
# values:
# chart: {{ $chartConfig.chartName | default $chartName | quote }}
# - git:
# repoURL: {{ $repoURLGit | squote }}
# revision: {{ $repoURLGitRevision | squote }}
# files:
# - path: {{ $chartConfig.matrixPath | squote }}
# {{- end }}
charts/application-sets/templates/_helpers.tpl
+48
View File
@@ -0,0 +1,48 @@
{{/*
Expand the name of the chart. Defaults to `.Chart.Name` or `nameOverride`.
*/}}
{{- define "application-sets.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Generate a fully qualified app name.
If `fullnameOverride` is defined, it uses that; otherwise, it constructs the name based on `Release.Name` and chart name.
*/}}
{{- define "application-sets.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name (default .Chart.Name .Values.nameOverride) | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{/*
Create chart name and version, useful for labels.
*/}}
{{- define "application-sets.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels for the ApplicationSet, including version and managed-by labels.
*/}}
{{- define "application-sets.labels" -}}
helm.sh/chart: {{ include "application-sets.chart" . }}
app.kubernetes.io/name: {{ include "application-sets.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Common Helm and Kubernetes Annotations
*/}}
{{- define "application-sets.annotations" -}}
helm.sh/chart: {{ include "application-sets.chart" . }}
{{- if .Values.annotations }}
{{ toYaml .Values.annotations }}
{{- end }}
{{- end }}
charts/application-sets/templates/_pod_identity.tpl
+27
View File
@@ -0,0 +1,27 @@
{{/*
Template to generate pod-identity configuration
*/}}
{{- define "application-sets.pod-identity" -}}
{{- $chartName := .chartName -}}
{{- $chartConfig := .chartConfig -}}
{{- $valueFiles := .valueFiles -}}
{{- $values := .values -}}
- repoURL: '{{ $values.repoURLGit }}'
targetRevision: '{{ $values.repoURLGitRevision }}'
path: 'charts/pod-identity'
helm:
releaseName: '{{`{{ .name }}`}}-{{ $chartConfig.chartName | default $chartName }}'
valuesObject:
create: '{{`{{default "`}}{{ $chartConfig.enableACK }}{{`" (index .metadata.annotations "ack_create")}}`}}'
region: '{{`{{ .metadata.annotations.aws_region }}`}}'
accountId: '{{`{{ .metadata.annotations.aws_account_id}}`}}'
podIdentityAssociation:
clusterName: '{{`{{ .name }}`}}'
namespace: '{{ default $chartConfig.namespace .namespace }}'
ignoreMissingValueFiles: true
valueFiles:
{{- include "application-sets.valueFiles" (dict
"nameNormalize" $chartName
"valueFiles" $valueFiles
"values" $values "chartType" "pod-identity") | nindent 6 }}
{{- end }}
charts/application-sets/templates/application-set.yaml
+177
View File
@@ -0,0 +1,177 @@
{{- $values := .Values }}
{{- $chartType := .Values.chartType }}
{{- $namespace := .Values.namespace }}
{{- $syncPolicy := .Values.syncPolicy -}}
{{- $syncPolicyAppSet := .Values.syncPolicyAppSet -}}
{{- $goTemplateOptions := .Values.goTemplateOptions -}}
{{- $repoURLGit := .Values.repoURLGit -}}
{{- $repoURLGitRevision := .Values.repoURLGitRevision -}}
{{- $repoURLGitBasePath := .Values.repoURLGitBasePath -}}
{{- $valueFiles := .Values.valueFiles -}}
{{- $valuesFilePrefix := .Values.valuesFilePrefix -}}
{{- $useValuesFilePrefix := (default false .Values.useValuesFilePrefix ) -}}
{{- $useSelectors:= .Values.useSelectors -}}
{{- $globalSelectors := .Values.globalSelectors -}}
{{- range $chartName, $chartConfig := .Values }}
{{- if and (kindIs "map" $chartConfig) (hasKey $chartConfig "enabled") }}
{{- if eq (toString $chartConfig.enabled) "true" }}
{{- $nameNormalize := printf "%s" $chartName | replace "_" "-" | trunc 63 | trimSuffix "-" -}}
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: {{ $nameNormalize }}
namespace: {{ default "argocd" $namespace }}
annotations:
{{- include "application-sets.annotations" $ | nindent 4 }}
{{- if $chartConfig.annotationsAppSet }}{{- toYaml $chartConfig.annotationsAppSet | nindent 4 }}{{- end }}
labels:
{{- include "application-sets.labels" $ | nindent 4 }}
{{- if $chartConfig.labelsAppSet }}{{- toYaml $chartConfig.labelsAppSet | nindent 4 }}{{- end }}
spec:
goTemplate: true
{{- if $chartConfig.goTemplateOptions }}
goTemplateOptions:
{{ toYaml $chartConfig.goTemplateOptions | nindent 2 }}
{{- else }}
goTemplateOptions: {{ default (list "missingkey=error") $goTemplateOptions }}
{{- end }}
{{- if $chartConfig.syncPolicyAppSet }}
syncPolicy:
{{- toYaml $chartConfig.syncPolicyAppSet | nindent 4 }}
{{- else }}
syncPolicy:
{{- toYaml $syncPolicyAppSet | nindent 4 }}
{{- end }}
{{- if $chartConfig.gitMatrix }}
{{ include "application-sets.git-matrix" (dict
"chartName" $nameNormalize "chartConfig" $chartConfig
"repoURLGit" $repoURLGit "repoURLGitRevision" $repoURLGitRevision
"selectors" $globalSelectors "useSelectors" $useSelectors
) | nindent 2 }}
{{- else }}
generators:
{{- if $chartConfig.environments }}
- merge:
mergeKeys: [server]
generators:
{{- end }}
- clusters:
selector:
matchLabels:
argocd.argoproj.io/secret-type: cluster
{{- if $globalSelectors }}
{{- toYaml $globalSelectors | nindent 18 }}
{{- end }}
{{- if $chartConfig.selectorMatchLabels }}
{{- toYaml $chartConfig.selectorMatchLabels | nindent 18 }}
{{- end }}
{{- if and $chartConfig.selector $useSelectors }}
{{- toYaml $chartConfig.selector | nindent 16 }}
# If you want you can excluste some clusters based on their membership
# - key: fleet_member
# operator: NotIn
# values: ['control-plane']
{{- end }}
{{- if not $chartConfig.resourceGroup }}
values:
addonChart: {{ $chartConfig.chartName | default $nameNormalize | quote }}
{{- if $chartConfig.defaultVersion }}
addonChartVersion: {{ $chartConfig.defaultVersion | quote }}
{{- end }}
{{- if $chartConfig.chartRepository }}
addonChartRepository: {{ $chartConfig.chartRepository | quote }}
{{- end }}
{{- if $chartConfig.chartNamespace }}
addonChartRepositoryNamespace: {{ $chartConfig.chartNamespace | quote }}
chart: {{ printf "%s/%s" $chartConfig.chartNamespace ($chartConfig.chartName | default $nameNormalize) | quote }}
{{- else }}
chart: {{ $chartConfig.chartName | default $nameNormalize | quote }}
{{- end }}
{{- end }}
{{- if $chartConfig.environments }}
{{- range $chartConfig.environments }}
- clusters:
selector:
matchLabels:
{{- toYaml .selector | nindent 18 }}
values:
addonChartVersion: {{ .chartVersion | default $chartConfig.defaultVersion | quote }}
{{- end }}
{{- end }}
{{- end }}
template:
metadata:
{{- if $chartConfig.appSetName }}
name: {{ $chartConfig.appSetName }}
{{- else }}
name: '{{ $nameNormalize }}-{{`{{ .name }}`}}'
{{- end }}
spec:
project: default
sources:
- repoURL: {{ $repoURLGit | squote}}
targetRevision: {{ $repoURLGitRevision | squote }}
ref: values
{{- if eq (toString $chartConfig.enableACK ) "true" }}
{{ include "application-sets.pod-identity" (dict
"chartName" ($chartConfig.chartName | default $nameNormalize)
"valueFiles" $valueFiles
"chartConfig" $chartConfig "values" $values ) | nindent 6 }}
{{- end }}
{{- if $chartConfig.path }}
- repoURL: {{ $repoURLGit | squote }}
path: {{$chartConfig.path | squote }}
targetRevision: {{ $repoURLGitRevision | squote }}
{{- else }}
- repoURL: '{{`{{ .values.addonChartRepository }}`}}'
chart: '{{`{{ .values.chart }}`}}'
targetRevision: '{{`{{.values.addonChartVersion }}`}}'
{{- end }}
{{- if ne (default "" $chartConfig.type) "manifest" }}
helm:
releaseName: {{ default "{{ .values.addonChart }}" $chartConfig.releaseName | squote }}
ignoreMissingValueFiles: true
{{- if $chartConfig.valuesObject }}
valuesObject:
{{- $chartConfig.valuesObject | toYaml | nindent 12 }}
{{- end }}
{{- if $valueFiles }}
valueFiles:
{{- include "application-sets.valueFiles" (dict
"nameNormalize" ($chartConfig.chartName | default $nameNormalize)
"chartConfig" $chartConfig
"valueFiles" $valueFiles "values" $values) | nindent 12 }}
{{- end }}
{{- if $chartConfig.additionalResources}}
{{ include "application-sets.additionalResources" (dict
"chartName" ($chartConfig.chartName | default $nameNormalize)
"valueFiles" $valueFiles
"chartConfig" $chartConfig
"values" $values
"additionalResourcesType" $chartConfig.additionalResources.type
"additionalResourcesPath" $chartConfig.additionalResources.path ) | nindent 6 }}
{{- end}}
{{- end }}
destination:
namespace: '{{ $chartConfig.namespace }}'
name: '{{`{{ .name }}`}}'
{{- if $chartConfig.syncPolicy }}
syncPolicy:
{{- toYaml $chartConfig.syncPolicy | nindent 8 }}
{{ else }}
syncPolicy:
{{- toYaml $syncPolicy | nindent 8 }}
{{- end }}
{{- with $chartConfig.ignoreDifferences }}
ignoreDifferences:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if $chartConfig.ignoreDifferences}}
ignoreDifferences:
{{- $chartConfig.ignoreDifferences | toYaml | nindent 8 }}
{{- end }}
---
{{- end }}
{{- end }}
{{- end }}
charts/kro-clusters/Chart.yaml
+6
View File
@@ -0,0 +1,6 @@
apiVersion: v2
name: eks-fleet-clusters
description: A Helm chart for managing EKS Fleet clusters
type: application
version: 0.1.0
appVersion: "1.0.0"
charts/kro-clusters/templates/NOTES.txt
+21
View File
@@ -0,0 +1,21 @@
Thank you for installing {{ .Chart.Name }}.
Your EKS Fleet clusters have been configured with the following details:
{{- range $name, $cluster := .Values.clusters }}
Cluster: {{ $name }}
- Tenant: {{ $cluster.tenant }}
- K8s Version: {{ $cluster.k8sVersion }}
- Domain: {{ $cluster.domainName }}
{{- end }}
To manage your clusters:
1. Edit the values.yaml file to add, modify, or remove cluster configurations
2. Use helm upgrade to apply changes:
helm upgrade <release-name> ./chart
To verify the cluster resources:
kubectl get eksclusterwithvpc
For more information about the chart and available configuration options,
please refer to the chart's documentation.
charts/kro-clusters/templates/clusters.yaml
+42
View File
@@ -0,0 +1,42 @@
{{- range $name, $cluster := .Values.clusters }}
---
apiVersion: kro.run/v1alpha1
kind: EksCluster
metadata:
name: {{ $name }}
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: "1"
spec:
name: {{ $name }}
tenant: {{ $cluster.tenant | default "tenant1" | quote }}
environment: {{ $cluster.environment | default "staging" | quote }}
region: {{ $cluster.region | default "us-west-2" | quote }}
k8sVersion: {{ $cluster.k8sVersion | default "1.32" | quote }}
accountId: {{ $cluster.accountId | quote }}
managementAccountId: {{ $cluster.managementAccountId | quote }}
adminRoleName: {{ $cluster.adminRoleName | default "Admin" | quote }}
fleetSecretManagerSecretNameSuffix: {{ $cluster.fleetSecretManagerSecretNameSuffix | default "argocd-secret" | quote }}
domainName: {{ $cluster.domainName | default "" | quote }}
workloads: {{ $cluster.workloads | default "false" | quote }}
{{- if $cluster.subHostedZone | quote }}
subHostedZone:
{{- toYaml $cluster.subHostedZone | nindent 4 }}
{{- end }}
{{- if $cluster.vpc | quote}}
vpc:
{{- toYaml $cluster.vpc | nindent 4 }}
{{- end }}
{{- if $cluster.gitops }}
gitops:
{{- toYaml $cluster.gitops | nindent 4 }}
{{- else }}
gitops: {}
{{- end }}
{{- if $cluster.addons }}
addons:
{{- toYaml $cluster.addons | nindent 4 }}
{{- else }}
addons: {}
{{- end }}
{{- end }}
charts/kro/instances/pod-identity/.helmignore
+23
View File
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
charts/kro/instances/pod-identity/Chart.yaml
+24
View File
@@ -0,0 +1,24 @@
apiVersion: v2
name: kro-pi-instance
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"
charts/kro/instances/pod-identity/templates/_helpers.tpl
+62
View File
@@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "kro-pi-instance.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kro-pi-instance.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kro-pi-instance.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kro-pi-instance.labels" -}}
helm.sh/chart: {{ include "kro-pi-instance.chart" . }}
{{ include "kro-pi-instance.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kro-pi-instance.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kro-pi-instance.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "kro-pi-instance.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "kro-pi-instance.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
charts/kro/instances/pod-identity/templates/instance.yaml
+63
View File
@@ -0,0 +1,63 @@
{{- $cluster := .Values.clusterName -}}
{{- $namespace := .Values.piNamespace -}}
{{- $name := .Values.name -}}
{{- $root := . -}}
{{- $serviceAccounts := .Values.serviceAccounts -}}
{{- $policyDocument := .Values.policyDocument -}}
{{- range $serviceAccounts }}
apiVersion: kro.run/v1alpha1
kind: PodIdentity
metadata:
name: "{{ include "kro-pi-instance.name" $root }}-{{ . }}"
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: "-5"
spec:
name: {{$name}}
values:
aws:
clusterName: {{ $cluster }}
policy:
policyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{{- range $index, $policy := $policyDocument }}
{
"Effect": "Allow",
"Action": [
{{- range $i, $action := $policy.actions }}
"{{ $action }}"{{ if not (eq (add $i 1) (len $policy.actions)) }},{{ end }}
{{- end }}
],
"Resource": [
{{- if $policy.customArn }}
"{{ $policy.customArn }}"
{{- else if eq $policy.resourceName "*" }}
"*"
{{- else }}
"arn:aws:{{ $policy.resourceType }}:{{ $.Values.region }}:{{ $.Values.accountId }}:{{ $policy.resourceName }}"
{{- end }}
]
{{- if $policy.conditions }}
,"Condition": {
{{- range $j, $condition := $policy.conditions }}
"{{ $condition.test }}": {
"{{ $condition.variable }}": [
{{- range $k, $value := $condition.values }}
"{{ $value }}"{{ if not (eq (add $k 1) (len $condition.values)) }},{{ end }}
{{- end }}
]
}
{{- end }}
}
{{- end }}
}{{ if not (eq (add $index 1) (len $.Values.policyDocument)) }},{{ end }}
{{- end }}
]
}
piAssociation:
serviceAccount: {{ . }}
piNamespace: {{ $namespace }}
---
{{- end}}
charts/kro/instances/pod-identity/values.yaml
+12
View File
@@ -0,0 +1,12 @@
# region: eu-west-2
# name: myname
# serviceAccounts:
# - "test"
# - "test2"
# piNamespace: "default"
# clusterName: "spoke-workload2"
# policyDocument:
# - resourceType: ssm
# resourceName: "*"
# actions:
# - "ssm:DescribeParameters"
charts/kro/resource-groups/efs/Chart.yaml
View File
charts/kro/resource-groups/efs/templates/rg-efs.yaml
+1
View File
@@ -0,0 +1 @@
# TODO: rg that creates EFS file system (using ACK EFS controller) and corresponding StorageClass
charts/kro/resource-groups/efs/values.yaml
View File
charts/kro/resource-groups/eks/rg-addons-iam.yaml
View File
charts/kro/resource-groups/eks/rg-eks-basic.yaml
+342
View File
@@ -0,0 +1,342 @@
# yamllint disable rule:line-length
---
apiVersion: kro.run/v1alpha1
kind: ResourceGraphDefinition
metadata:
name: eksclusterbasic.kro.run
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: "-1"
spec:
schema:
apiVersion: v1alpha1
kind: EksClusterBasic
spec:
name: string
tenant: string
environment: string
region: string
accountId: string
managementAccountId: string
k8sVersion: string
adminRoleName: string
fleetSecretManagerSecretNameSuffix: string
domainName: string
aws_partition: string | default="aws"
aws_dns_suffix: string | default="amazonaws.com"
network:
vpcID: string
subnets:
controlplane:
subnet1ID: string
subnet2ID: string
workers:
subnet1ID: string
subnet2ID: string
workloads: string # Define if we want to deploy workloads application
gitops:
addonsRepoBasePath: string
addonsRepoPath: string
addonsRepoRevision: string
addonsRepoUrl: string
fleetRepoBasePath: string
fleetRepoPath: string
fleetRepoRevision: string
fleetRepoUrl: string
addons:
enable_external_secrets: string
external_secrets_namespace: string
external_secrets_service_account: string
status:
clusterARN: ${ekscluster.status.ackResourceMetadata.arn}
cdata: ${ekscluster.status.certificateAuthority.data}
endpoint: ${ekscluster.status.endpoint}
clusterState: ${ekscluster.status.status}
resources:
###########################################################
# EKS Cluster
###########################################################
- id: clusterRole
template:
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
namespace: "${schema.spec.name}"
name: "${schema.spec.name}-cluster-role"
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
name: "${schema.spec.name}-cluster-role"
policies:
- arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
- arn:aws:iam::aws:policy/AmazonEKSComputePolicy
- arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy
- arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy
- arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy
assumeRolePolicyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
- id: nodeRole
template:
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
namespace: "${schema.spec.name}"
name: "${schema.spec.name}-cluster-node-role"
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
name: "${schema.spec.name}-cluster-node-role"
policies:
- arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy
- arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
- arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
assumeRolePolicyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
# https://aws-controllers-k8s.github.io/community/reference/eks/v1alpha1/cluster/
- id: ekscluster
readyWhen:
- ${ekscluster.status.status == "ACTIVE"}
template:
apiVersion: eks.services.k8s.aws/v1alpha1
kind: Cluster
metadata:
namespace: "${schema.spec.name}"
name: "${schema.spec.name}"
# implicit dependencies with roles
annotations:
clusterRoleArn: "${clusterRole.status.ackResourceMetadata.arn}"
nodeRoleArn: "${nodeRole.status.ackResourceMetadata.arn}"
services.k8s.aws/region: ${schema.spec.region}
spec:
name: "${schema.spec.name}"
roleARN: "${clusterRole.status.ackResourceMetadata.arn}"
version: "${schema.spec.k8sVersion}"
accessConfig:
authenticationMode: "API_AND_CONFIG_MAP"
bootstrapClusterCreatorAdminPermissions: true
computeConfig:
enabled: true
nodeRoleARN: ${nodeRole.status.ackResourceMetadata.arn}
nodePools:
- system
- general-purpose
kubernetesNetworkConfig:
ipFamily: ipv4
elasticLoadBalancing:
enabled: true
logging:
clusterLogging:
- enabled: true
types:
- api
- audit
- authenticator
- controllerManager
- scheduler
storageConfig:
blockStorage:
enabled: true
resourcesVPCConfig:
endpointPrivateAccess: true
endpointPublicAccess: true
subnetIDs:
- ${schema.spec.network.subnets.controlplane.subnet1ID}
- ${schema.spec.network.subnets.controlplane.subnet2ID}
zonalShiftConfig:
enabled: true
tags:
kro-management: ${schema.spec.name}
tenant: ${schema.spec.tenant}
environment: ${schema.spec.environment}
- id: podIdentityAddon
template:
apiVersion: eks.services.k8s.aws/v1alpha1
kind: Addon
metadata:
name: eks-pod-identity-agent
namespace: "${schema.spec.name}"
annotations:
clusterArn: "${ekscluster.status.ackResourceMetadata.arn}"
services.k8s.aws/region: ${schema.spec.region}
spec:
name: eks-pod-identity-agent
addonVersion: v1.3.4-eksbuild.1
clusterName: "${schema.spec.name}"
###########################################################
# ArgoCD Integration
###########################################################
- id: argocdSecret
template:
apiVersion: v1
kind: Secret
metadata:
name: "${schema.spec.name}"
namespace: argocd
labels:
argocd.argoproj.io/secret-type: cluster
# Compatible fleet-management
fleet_member: spoke
tenant: "${schema.spec.tenant}"
environment: "${schema.spec.environment}"
aws_cluster_name: "${schema.spec.name}"
workloads: "${schema.spec.workloads}"
#using : useSelector: true for centralized mode
enable_external_secrets: "${schema.spec.addons.enable_external_secrets}"
annotations:
# GitOps Bridge
accountId: "${schema.spec.accountId}"
aws_account_id: "${schema.spec.accountId}"
region: "${schema.spec.region}"
aws_region: "${schema.spec.region}"
aws_central_region: "${schema.spec.region}" # used in fleet-management gitops
oidcProvider: "${ekscluster.status.identity.oidc.issuer}"
aws_cluster_name: "${schema.spec.name}"
aws_vpc_id: "${schema.spec.network.vpcID}"
# GitOps Configuration
addons_repo_basepath: "${schema.spec.gitops.addonsRepoBasePath}"
addons_repo_path: "${schema.spec.gitops.addonsRepoPath}"
addons_repo_revision: "${schema.spec.gitops.addonsRepoRevision}"
addons_repo_url: "${schema.spec.gitops.addonsRepoUrl}"
fleet_repo_basepath: "${schema.spec.gitops.fleetRepoBasePath}"
fleet_repo_path: "${schema.spec.gitops.fleetRepoPath}"
fleet_repo_revision: "${schema.spec.gitops.fleetRepoRevision}"
fleet_repo_url: "${schema.spec.gitops.fleetRepoUrl}"
# Generic
external_secrets_namespace: "${schema.spec.addons.external_secrets_namespace}"
external_secrets_service_account: "${schema.spec.addons.external_secrets_service_account}"
access_entry_arn: "${accessEntry.status.ackResourceMetadata.arn}"
type: Opaque
# TODO bug in KRO, it always see some drifts..
stringData:
name: "${schema.spec.name}"
server: "${ekscluster.status.ackResourceMetadata.arn}"
project: "default"
- id: accessEntry
readyWhen:
- ${accessEntry.status.conditions.exists(x, x.type == 'ACK.ResourceSynced' && x.status == "True")} #check on ACK condition
template:
apiVersion: eks.services.k8s.aws/v1alpha1
kind: AccessEntry
metadata:
namespace: "${schema.spec.name}"
name: "${schema.spec.name}-access-entry"
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
clusterName: "${schema.spec.name}"
accessPolicies:
- accessScope:
type: "cluster"
policyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
principalARN: "arn:aws:iam::${schema.spec.managementAccountId}:role/hub-cluster-argocd-controller"
type: STANDARD
- id: accessEntryAdmin
template:
apiVersion: eks.services.k8s.aws/v1alpha1
kind: AccessEntry
metadata:
namespace: "${schema.spec.name}"
name: "${schema.spec.name}-access-entry-admin"
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
clusterName: "${schema.spec.name}"
accessPolicies:
- accessScope:
type: "cluster"
policyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
principalARN: "arn:aws:iam::${schema.spec.accountId}:role/${schema.spec.adminRoleName}"
type: STANDARD
###########################################################
# External Secrets AddOn Pod Identity
###########################################################
- id: externalSecretsRole
template:
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
namespace: "${schema.spec.name}"
name: "${schema.spec.name}-external-secrets-role"
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
name: "${schema.spec.name}-external-secrets-role"
policies:
- arn:aws:iam::aws:policy/SecretsManagerReadWrite
assumeRolePolicyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "pods.eks.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
- id: externalSecretsPodIdentityAssociation
readyWhen:
- ${externalSecretsPodIdentityAssociation.status.conditions.exists(x, x.type == 'ACK.ResourceSynced' && x.status == "True")} #check on ACK condition
template:
apiVersion: eks.services.k8s.aws/v1alpha1
kind: PodIdentityAssociation
metadata:
name: "${schema.spec.name}-external-secrets"
namespace: "${schema.spec.name}"
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
clusterName: "${schema.spec.name}"
namespace: argocd
roleARN: "${externalSecretsRole.status.ackResourceMetadata.arn}"
serviceAccount: external-secrets-sa
tags:
environment: "${schema.spec.environment}"
managedBy: ACK
application: external-secrets
charts/kro/resource-groups/eks/rg-eks.yaml
+175
View File
@@ -0,0 +1,175 @@
apiVersion: kro.run/v1alpha1
kind: ResourceGraphDefinition
metadata:
name: ekscluster.kro.run
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: "0"
spec:
schema:
apiVersion: v1alpha1
kind: EksCluster
spec:
name: string
tenant: string | default="auto1"
environment: string | default="staging"
region: string | default="us-west-2"
k8sVersion: string | default="1.34"
accountId: string
managementAccountId: string
adminRoleName: string | default="Admin"
fleetSecretManagerSecretNameSuffix: string | default="argocd-secret"
domainName: string | default="cluster.example.com"
vpc:
create: boolean | default=true
vpcCidr: string | default="10.0.0.0/16"
publicSubnet1Cidr: string | default="10.0.1.0/24"
publicSubnet2Cidr: string | default="10.0.2.0/24"
privateSubnet1Cidr: string | default="10.0.11.0/24"
privateSubnet2Cidr: string | default="10.0.12.0/24"
vpcId: string | default=""
publicSubnet1Id: string | default=""
publicSubnet2Id: string | default=""
privateSubnet1Id: string | default=""
privateSubnet2Id: string | default=""
workloads: string | default="false" # Define if we want to deploy workloads application
gitops:
addonsRepoBasePath: string | default="addons/"
addonsRepoPath: string | default="bootstrap"
addonsRepoRevision: string | default="main"
addonsRepoUrl: string | default="https://github.com/allamand/eks-cluster-mgmt"
fleetRepoBasePath: string | default="fleet/"
fleetRepoPath: string | default="bootstrap"
fleetRepoRevision: string | default="main"
fleetRepoUrl: string | default="https://github.com/allamand/eks-cluster-mgmt"
addons:
enable_external_secrets: string | default="true"
external_secrets_namespace: string | default="external-secrets"
external_secrets_service_account: string | default="external-secrets-sa"
resources:
- id: vpc
includeWhen:
- ${schema.spec.vpc.create}
readyWhen:
- ${vpc.status.conditions.exists(x, x.type == 'Ready' && x.status == "True")} # Check on kro conditions
template:
apiVersion: kro.run/v1alpha1
kind: Vpc
metadata:
name: ${schema.spec.name}
namespace: ${schema.spec.name}
labels:
app.kubernetes.io/instance: ${schema.spec.name}
annotations:
argocd.argoproj.io/tracking-id: clusters:kro.run/Vpc:${schema.spec.name}/${schema.spec.name}
spec:
name: ${schema.spec.name}
region: ${schema.spec.region}
cidr:
vpcCidr: ${schema.spec.vpc.vpcCidr}
publicSubnet1Cidr: ${schema.spec.vpc.publicSubnet1Cidr}
publicSubnet2Cidr: ${schema.spec.vpc.publicSubnet2Cidr}
privateSubnet1Cidr: ${schema.spec.vpc.privateSubnet1Cidr}
privateSubnet2Cidr: ${schema.spec.vpc.privateSubnet2Cidr}
- id: eksWithVpc
includeWhen:
- ${schema.spec.vpc.create}
readyWhen:
- ${eksWithVpc.status.conditions.exists(x, x.type == 'Ready' && x.status == "True")} # Check on kro conditions
template:
apiVersion: kro.run/v1alpha1
kind: EksClusterBasic
metadata:
name: ${schema.spec.name}
namespace: ${schema.spec.name}
labels:
app.kubernetes.io/instance: ${schema.spec.name}
annotations:
argocd.argoproj.io/tracking-id: clusters:kro.run/EksCluster:${schema.spec.name}/${schema.spec.name}
spec:
name: ${schema.spec.name}
tenant: ${schema.spec.tenant}
environment: ${schema.spec.environment}
region: ${schema.spec.region}
accountId: ${schema.spec.accountId}
managementAccountId: ${schema.spec.managementAccountId}
k8sVersion: ${schema.spec.k8sVersion}
adminRoleName: ${schema.spec.adminRoleName}
fleetSecretManagerSecretNameSuffix: ${schema.spec.fleetSecretManagerSecretNameSuffix}
domainName: ${schema.spec.domainName}
network:
vpcID: "${vpc.status.vpcID}"
subnets:
controlplane:
subnet1ID: "${vpc.status.privateSubnet1ID}"
subnet2ID: "${vpc.status.privateSubnet2ID}"
workers:
subnet1ID: "${vpc.status.privateSubnet1ID}"
subnet2ID: "${vpc.status.privateSubnet2ID}"
workloads: ${schema.spec.workloads}
gitops:
addonsRepoBasePath: ${schema.spec.gitops.addonsRepoBasePath}
addonsRepoPath: ${schema.spec.gitops.addonsRepoPath}
addonsRepoRevision: ${schema.spec.gitops.addonsRepoRevision}
addonsRepoUrl: ${schema.spec.gitops.addonsRepoUrl}
fleetRepoBasePath: ${schema.spec.gitops.fleetRepoBasePath}
fleetRepoPath: ${schema.spec.gitops.fleetRepoPath}
fleetRepoRevision: ${schema.spec.gitops.fleetRepoRevision}
fleetRepoUrl: ${schema.spec.gitops.fleetRepoUrl}
addons:
enable_external_secrets: ${schema.spec.addons.enable_external_secrets}
external_secrets_namespace: ${schema.spec.addons.external_secrets_namespace}
external_secrets_service_account: ${schema.spec.addons.external_secrets_service_account}
- id: eksExistingVpc
includeWhen:
- ${!schema.spec.vpc.create}
readyWhen:
- ${eksExistingVpc.status.conditions.exists(x, x.type == 'Ready' && x.status == "True")} # Check on kro conditions
template:
apiVersion: kro.run/v1alpha1
kind: EksClusterBasic
metadata:
name: ${schema.spec.name}
namespace: ${schema.spec.name}
labels:
app.kubernetes.io/instance: ${schema.spec.name}
annotations:
argocd.argoproj.io/tracking-id: clusters:kro.run/EksCluster:${schema.spec.name}/${schema.spec.name}
spec:
name: ${schema.spec.name}
tenant: ${schema.spec.tenant}
environment: ${schema.spec.environment}
region: ${schema.spec.region}
accountId: ${schema.spec.accountId}
managementAccountId: ${schema.spec.managementAccountId}
k8sVersion: ${schema.spec.k8sVersion}
adminRoleName: ${schema.spec.adminRoleName}
fleetSecretManagerSecretNameSuffix: ${schema.spec.fleetSecretManagerSecretNameSuffix}
domainName: ${schema.spec.domainName}
network:
vpcID: "${schema.spec.vpc.vpcId}"
subnets:
controlplane:
subnet1ID: "${schema.spec.vpc.privateSubnet1Id}"
subnet2ID: "${schema.spec.vpc.privateSubnet2Id}"
workers:
subnet1ID: "${schema.spec.vpc.privateSubnet1Id}"
subnet2ID: "${schema.spec.vpc.privateSubnet2Id}"
workloads: ${schema.spec.workloads}
gitops:
addonsRepoBasePath: ${schema.spec.gitops.addonsRepoBasePath}
addonsRepoPath: ${schema.spec.gitops.addonsRepoPath}
addonsRepoRevision: ${schema.spec.gitops.addonsRepoRevision}
addonsRepoUrl: ${schema.spec.gitops.addonsRepoUrl}
fleetRepoBasePath: ${schema.spec.gitops.fleetRepoBasePath}
fleetRepoPath: ${schema.spec.gitops.fleetRepoPath}
fleetRepoRevision: ${schema.spec.gitops.fleetRepoRevision}
fleetRepoUrl: ${schema.spec.gitops.fleetRepoUrl}
addons:
enable_external_secrets: ${schema.spec.addons.enable_external_secrets}
external_secrets_namespace: ${schema.spec.addons.external_secrets_namespace}
external_secrets_service_account: ${schema.spec.addons.external_secrets_service_account}
charts/kro/resource-groups/eks/rg-vpc.yaml
+247
View File
@@ -0,0 +1,247 @@
apiVersion: kro.run/v1alpha1
kind: ResourceGraphDefinition
metadata:
name: vpc.kro.run
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: "-1"
spec:
schema:
apiVersion: v1alpha1
kind: Vpc
spec:
name: string
region: string
cidr:
vpcCidr: string | default="10.0.0.0/16"
publicSubnet1Cidr: string | default="10.0.1.0/24"
publicSubnet2Cidr: string | default="10.0.2.0/24"
privateSubnet1Cidr: string | default="10.0.11.0/24"
privateSubnet2Cidr: string | default="10.0.12.0/24"
status:
vpcID: ${vpc.status.vpcID}
publicSubnet1ID: ${publicSubnet1.status.subnetID}
publicSubnet2ID: ${publicSubnet2.status.subnetID}
privateSubnet1ID: ${privateSubnet1.status.subnetID}
privateSubnet2ID: ${privateSubnet2.status.subnetID}
resources: # how to publish a field in the RG claim e.g. vpcID
- id: vpc
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: VPC
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-vpc
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
cidrBlocks:
- ${schema.spec.cidr.vpcCidr}
enableDNSSupport: true
enableDNSHostnames: true
tags:
- key: "Name"
value: ${schema.spec.name}-vpc
- id: internetGateway
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: InternetGateway
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-igw
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
vpc: ${vpc.status.vpcID}
tags:
- key: "Name"
value: ${schema.spec.name}-igw
- id: natGateway1
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: NATGateway
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-nat-gateway1
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
subnetID: ${publicSubnet1.status.subnetID}
allocationID: ${eip1.status.allocationID}
tags:
- key: "Name"
value: ${schema.spec.name}-nat-gateway1
- id: natGateway2
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: NATGateway
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-nat-gateway2
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
subnetID: ${publicSubnet2.status.subnetID}
allocationID: ${eip2.status.allocationID}
tags:
- key: "Name"
value: ${schema.spec.name}-nat-gateway2
- id: eip1
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: ElasticIPAddress
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-eip1
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
tags:
- key: "Name"
value: ${schema.spec.name}-eip1
- id: eip2
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: ElasticIPAddress
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-eip2
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
tags:
- key: "Name"
value: ${schema.spec.name}-eip2
- id: publicRoutetable
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: RouteTable
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-public-routetable
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
vpcID: ${vpc.status.vpcID}
routes:
- destinationCIDRBlock: 0.0.0.0/0
gatewayID: ${internetGateway.status.internetGatewayID}
tags:
- key: "Name"
value: ${schema.spec.name}-public-routetable
- id: privateRoutetable1
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: RouteTable
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-private-routetable1
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
vpcID: ${vpc.status.vpcID}
routes:
- destinationCIDRBlock: 0.0.0.0/0
natGatewayID: ${natGateway1.status.natGatewayID}
tags:
- key: "Name"
value: ${schema.spec.name}-private-routetable1
- id: privateRoutetable2
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: RouteTable
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-private-routetable2
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
vpcID: ${vpc.status.vpcID}
routes:
- destinationCIDRBlock: 0.0.0.0/0
natGatewayID: ${natGateway2.status.natGatewayID}
tags:
- key: "Name"
value: ${schema.spec.name}-private-routetable2
- id: publicSubnet1
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: Subnet
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-public-subnet1
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
availabilityZone: ${schema.spec.region}a
cidrBlock: ${schema.spec.cidr.publicSubnet1Cidr}
mapPublicIPOnLaunch: true
vpcID: ${vpc.status.vpcID}
routeTables:
- ${publicRoutetable.status.routeTableID}
tags:
- key: "Name"
value: ${schema.spec.name}-public-subnet1
- key: kubernetes.io/role/elb
value: '1'
- id: publicSubnet2
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: Subnet
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-public-subnet2
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
availabilityZone: ${schema.spec.region}b
cidrBlock: ${schema.spec.cidr.publicSubnet2Cidr}
mapPublicIPOnLaunch: true
vpcID: ${vpc.status.vpcID}
routeTables:
- ${publicRoutetable.status.routeTableID}
tags:
- key: "Name"
value: ${schema.spec.name}-public-subnet2
- key: kubernetes.io/role/elb
value: '1'
- id: privateSubnet1
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: Subnet
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-private-subnet1
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
availabilityZone: ${schema.spec.region}a
cidrBlock: ${schema.spec.cidr.privateSubnet1Cidr}
vpcID: ${vpc.status.vpcID}
routeTables:
- ${privateRoutetable1.status.routeTableID}
tags:
- key: "Name"
value: ${schema.spec.name}-private-subnet1
- key: kubernetes.io/role/internal-elb
value: '1'
- id: privateSubnet2
template:
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: Subnet
metadata:
namespace: ${schema.spec.name}
name: ${schema.spec.name}-private-subnet2
annotations:
services.k8s.aws/region: ${schema.spec.region}
spec:
availabilityZone: ${schema.spec.region}b
cidrBlock: ${schema.spec.cidr.privateSubnet2Cidr}
vpcID: ${vpc.status.vpcID}
routeTables:
- ${privateRoutetable2.status.routeTableID}
tags:
- key: "Name"
value: ${schema.spec.name}-private-subnet2
- key: kubernetes.io/role/internal-elb
value: '1'
charts/kro/resource-groups/iam/Chart.yaml
View File
charts/kro/resource-groups/iam/templates/rg-iam.yaml
+1
View File
@@ -0,0 +1 @@
# TODO: rgi for creating IAM role/policy, ServiceAccount, and EKS pod identity association
charts/kro/resource-groups/iam/values.yaml
View File
charts/kro/resource-groups/pod-identity/pod-identity.yaml
+80
View File
@@ -0,0 +1,80 @@
apiVersion: kro.run/v1alpha1
kind: ResourceGroup
metadata:
name: podidentity.kro.run
annotations:
argocd.argoproj.io/sync-wave: "-5"
spec:
schema:
apiVersion: v1alpha1
kind: PodIdentity
spec:
name: string | default="pod-identity"
values:
aws:
clusterName: string
policy:
description: 'string | default="Test Description"'
path: 'string | default="/"'
policyDocument: string | default=""
piAssociation:
serviceAccount: string
piNamespace: string
status:
policyStatus: ${podpolicy.status.conditions}
roleStatus: ${podrole.status.conditions}
resources:
- id: podpolicy
readyWhen:
- ${podpolicy.status.conditions[0].status == "True"}
template:
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Policy
metadata:
name: ${schema.spec.name}-pod-policy
spec:
name: ${schema.spec.name}-pod-policy
description: ${schema.spec.values.policy.description}
path: ${schema.spec.values.policy.path}
policyDocument: ${schema.spec.values.policy.policyDocument}
- id: podrole
readyWhen:
- ${podrole.status.conditions[0].status == "True"}
template:
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
name: ${schema.spec.name}-role
spec:
name: ${schema.spec.name}-role
policies:
- ${podpolicy.status.ackResourceMetadata.arn}
assumeRolePolicyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "pods.eks.amazonaws.com"
},
"Action": [
"sts:TagSession",
"sts:AssumeRole"
]
}
]
}
- id: piAssociation
readyWhen:
- ${piAssociation.status.conditions[0].status == "True"}
template:
apiVersion: eks.services.k8s.aws/v1alpha1
kind: PodIdentityAssociation
metadata:
name: ${schema.spec.name}-pod-association-${schema.spec.values.piAssociation.serviceAccount}
spec:
clusterName: ${schema.spec.values.aws.clusterName}
roleARN: ${podrole.status.ackResourceMetadata.arn}
serviceAccount: ${schema.spec.values.piAssociation.serviceAccount}
namespace: ${schema.spec.values.piAssociation.piNamespace}
charts/multi-acct/Chart.yaml
+19
View File
@@ -0,0 +1,19 @@
apiVersion: v2
name: ack-multi-account
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
charts/multi-acct/templates/iam-role-selector.yaml
+12
View File
@@ -0,0 +1,12 @@
{{- range $key, $value := .Values.clusters }}
---
apiVersion: services.k8s.aws/v1alpha1
kind: IAMRoleSelector
metadata:
name: {{ $key }}-namespace-config
spec:
arn: arn:aws:iam::{{ $value }}:role/ack
namespaceSelector:
names:
- {{ $key }}
{{- end }}
charts/multi-acct/templates/namespace.yaml
+7
View File
@@ -0,0 +1,7 @@
{{- range $key, $value := .Values.clusters }}
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ $key }}
{{- end }}
charts/pod-identity/.helmignore
+23
View File
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
charts/pod-identity/Chart.yaml
+24
View File
@@ -0,0 +1,24 @@
apiVersion: v2
name: pod-identity
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"
charts/pod-identity/templates/_helpers.tpl
+74
View File
@@ -0,0 +1,74 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "pod-identity.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "pod-identity.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "pod-identity.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "pod-identity.labels" -}}
helm.sh/chart: {{ include "pod-identity.chart" . }}
{{ include "pod-identity.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "pod-identity.selectorLabels" -}}
app.kubernetes.io/name: {{ include "pod-identity.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "pod-identity.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "pod-identity.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Construct a dynamic ARN based on the values passed from ArgoCD or values.yaml.
*/}}
{{- define "pod-identity.resourceArn" -}}
arn:aws:{{ .resourceType }}:{{ .region }}:{{ .accountId }}:{{ .resourceName }}
{{- end }}
{{- define "pod-identity.accountID" -}}
{{ .accountId }}
{{- end }}
{{- define "pod-identity.region" -}}
{{ .region }}
{{- end }}
charts/pod-identity/templates/pod-identity-association.yaml
+27
View File
@@ -0,0 +1,27 @@
{{- if .Values.create | default false }}
{{- $cluster := .Values.podIdentityAssociation.clusterName -}}
{{- $namespace := .Values.podIdentityAssociation.namespace -}}
{{- $tags := .Values.podIdentityAssociation.tags -}}
{{- $root := . -}}
{{- $serviceAccounts := .Values.podIdentityAssociation.serviceAccounts -}}
{{- range $serviceAccounts }}
apiVersion: eks.services.k8s.aws/v1alpha1
kind: PodIdentityAssociation
metadata:
name: "{{ include "pod-identity.fullname" $root }}-{{ . }}"
annotations:
argocd.argoproj.io/sync-wave: "-1"
spec:
clusterName: {{ $cluster }}
roleRef:
from:
name: "{{ include "pod-identity.fullname" $root }}"
namespace: {{ $namespace }}
serviceAccount: {{ . }}
{{- if $tags}}
tags:
{{- $tags| toYaml | nindent 10 }}
{{- end }}
---
{{- end }}
{{- end }}
charts/pod-identity/templates/pod-identity-policy.yaml
+56
View File
@@ -0,0 +1,56 @@
{{- if and (.Values.create | default false) (.Values.podIdentityPolicyCreate | default false) }}
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Policy
metadata:
name: {{ include "pod-identity.fullname" . }}
annotations:
argocd.argoproj.io/sync-wave: "-3"
spec:
name: {{ include "pod-identity.fullname" . }}
description: {{ .Values.podIdentityPolicy.description }}
{{- if .Values.podIdentityPolicy.path }}
path: {{ .Values.podIdentityPolicy.path }}
{{- end }}
policyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{{- range $index, $policy := .Values.podIdentityPolicy.policies }}
{
"Effect": "Allow",
"Action": [
{{- range $i, $action := $policy.actions }}
"{{ $action }}"{{ if not (eq (add $i 1) (len $policy.actions)) }},{{ end }}
{{- end }}
],
"Resource": [
{{- if $policy.customArn }}
"{{ $policy.customArn }}"
{{- else if eq $policy.resourceName "*" }}
"*"
{{- else }}
"arn:aws:{{ $policy.resourceType }}:{{ $.Values.region }}:{{ $.Values.accountId }}:{{ $policy.resourceName }}"
{{- end }}
]
{{- if $policy.conditions }}
,"Condition": {
{{- range $j, $condition := $policy.conditions }}
"{{ $condition.test }}": {
"{{ $condition.variable }}": [
{{- range $k, $value := $condition.values }}
"{{ $value }}"{{ if not (eq (add $k 1) (len $condition.values)) }},{{ end }}
{{- end }}
]
}
{{- end }}
}
{{- end }}
}{{ if not (eq (add $index 1) (len $.Values.podIdentityPolicy.policies)) }},{{ end }}
{{- end }}
]
}
{{- if .Values.podIdentityPolicy.tags }}
tags:
{{- .Values.podIdentityPolicy.tags | toYaml | nindent 10 }}
{{- end }}
{{- end }}
charts/pod-identity/templates/pod-identity-role.yaml
+66
View File
@@ -0,0 +1,66 @@
{{- if .Values.create | default false }}
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
name: {{ include "pod-identity.fullname" . }}
annotations:
argocd.argoproj.io/sync-wave: "-2"
spec:
name: {{ include "pod-identity.fullname" . }}
assumeRolePolicyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "pods.eks.amazonaws.com"
},
"Action": [
"sts:TagSession",
"sts:AssumeRole"
]
}
]
}
description: {{ .Values.podIdentityRole.description }}
{{- if .Values.podIdentityRole.managedPolicies }}
policies:
{{- if and (.Values.podIdentityPolicyCreate | default false) .Values.podIdentityRole.managedPolicies }}
- "arn:aws:iam::{{ $.Values.accountId }}:policy/{{ include "pod-identity.fullname" . }}"
{{- end }}
{{- range .Values.podIdentityRole.managedPolicies }}
- "{{ . }}"
{{- end }}
{{- else if .Values.podIdentityRole.policyRefs }}
policyRefs:
{{- if .Values.podIdentityPolicyCreate | default true }}
- from:
name: "{{ include "pod-identity.fullname" . }}"
{{- end }}
{{- range .Values.podIdentityRole.policyRefs }}
- from:
name: "{{ .name }}"
{{- if .namespace }}
namespace: "{{ .namespace }}"
{{- end }}
{{- end }}
{{- else }}
policyRefs:
- from:
name: "{{ include "pod-identity.fullname" . }}"
{{- end }}
{{- if .Values.podIdentityRole.inlinePolicies }}
inlinePolicies:
{{ .Values.podIdentityRole.inlinePolicies | toYaml | nindent 4 }}
{{- end }}
{{- if .Values.podIdentityRole.tags }}
tags:
{{ .Values.podIdentityRole.tags | toYaml | nindent 4 }}
{{- end }}
{{- end }}
charts/pod-identity/values.yaml
+61
View File
@@ -0,0 +1,61 @@
# region: us-west-2
# accountId: "471112582304"
# create: true
# podIdentityPolicyCreate: false
# podIdentityRole:
# description: "Test"
# # Only one of the two can be true Managed Policy or Policy Refs
# # If Policy is created it will automatically add it on managed Policies or PolicyRefs
# managedPolicies:
# - "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
# - "arn:aws:iam::aws:policy/Admin"
# policyRefs:
# - name: "custom-policy-1"
# namespace: kube-system
# - name: "AmazonSSMReadOnlyAccess"
# namespace: kube-system
# podIdentityAssociation:
# clusterName: control-plane
# namespace: default
# serviceAccounts:
# - serviceAccount1
# - serviceAccount2
# podIdentityPolicy:
# description: "Test"
# policies:
# - resourceType: ssm
# resourceName: "*"
# actions:
# - "ssm:DescribeParameters"
# - resourceType: ssm
# resourceName: parameter/*
# actions:
# - "ssm:GetParameter"
# - "ssm:GetParameters"
# - resourceType: secretsmanager
# resourceName: secret:*
# actions:
# - "secretsmanager:GetResourcePolicy"
# - "secretsmanager:GetSecretValue"
# - "secretsmanager:DescribeSecret"
# - "secretsmanager:ListSecretVersionIds"
# - "secretsmanager:CreateSecret"
# - "secretsmanager:PutSecretValue"
# - "secretsmanager:TagResource"
# - resourceType: secretsmanager
# resourceName: secret:*
# actions:
# - "secretsmanager:DeleteSecret"
# conditions:
# - test: "StringEquals"
# variable: "secretsmanager:ResourceTag/managed-by"
# values:
# - "external-secrets"
# - resourceType: kms
# resourceName: "key/*"
# actions:
# - "kms:Decrypt"
# - resourceType: ecr
# resourceName: "*"
# actions:
# - "ecr:GetAuthorizationToken"
charts/storageclass-resources/.helmignore
+23
View File
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
charts/storageclass-resources/Chart.yaml
+24
View File
@@ -0,0 +1,24 @@
apiVersion: v2
name: efs-classes
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"
charts/storageclass-resources/templates/_helpers.tpl
+62
View File
@@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "efs-classes.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "efs-classes.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "efs-classes.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "efs-classes.labels" -}}
helm.sh/chart: {{ include "efs-classes.chart" . }}
{{ include "efs-classes.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "efs-classes.selectorLabels" -}}
app.kubernetes.io/name: {{ include "efs-classes.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "efs-classes.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "efs-classes.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
charts/storageclass-resources/templates/storageclass.yaml
+39
View File
@@ -0,0 +1,39 @@
{{- $fileSystemId := "" -}}
{{- if .Values.storageClasses.efs }}
{{- $fileSystemId = .Values.storageClasses.efs.fileSystemId | default "" -}}
{{- end }}
{{- range $storageClassType, $storageClasses := .Values.storageClasses }}
{{- range $storageClassName, $storageClass := $storageClasses }}
{{- if ne $storageClassName "fileSystemId" }}
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: {{ $storageClassName }}
annotations:
storageclass.kubernetes.io/is-default-class: "false"
provisioner: {{ if eq $storageClassType "efs" }}efs.csi.aws.com{{ else }}ebs.csi.aws.com{{ end }}
{{- if and (eq $storageClassType "efs") $fileSystemId }}
parameters:
fileSystemId: {{ $fileSystemId }}
directoryPerms: "{{ $storageClass.directoryPerms | default "700" }}"
provisioningMode: {{ $storageClass.provisioningMode | default "efs-ap" }}
basePath: {{ $storageClass.basePath | default "/" }}
mountOptions:
{{- range $storageClass.mountOptions }}
- {{ . }}
{{- end }}
{{- else if eq $storageClassType "ebs" }}
parameters:
type: {{ $storageClass.volumeType }}
fsType: ext4
iopsPerGiB: "{{ $storageClass.iops | default "3000" }}"
throughput: "{{ $storageClass.throughput | default "125" }}"
{{- end }}
reclaimPolicy: {{ $storageClass.reclaimPolicy | default "Delete" }}
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
{{- end }}
{{- end }}
{{- end }}
charts/storageclass-resources/values.yaml
+17
View File
@@ -0,0 +1,17 @@
storageClasses:
# efs:
# fileSystemId: fs-12345678
# efs-sc:
# reclaimPolicy: Delete
# directoryPerms: "700"
# basePath: /data
# mountOptions:
# - nfsvers=4.1
ebs:
ebs-sc-gp3:
reclaimPolicy: Retain
volumeType: gp3
size: 20Gi
iops: 3000
throughput: 125