From: Utkarsh Date: Wed, 23 Oct 2024 14:03:04 +0000 (+0000) Subject: Add manifests for EBS EKS addon and fix minor fixes in labels X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=36a2a79de653143011c2d5ef50ee213d581537f1;p=osm%2Fdevops.git Add manifests for EBS EKS addon and fix minor fixes in labels Change-Id: I0a8c80f278d6a04ae8e6416d507dfb4e417fecdf Signed-off-by: Utkarsh
---
diff --git a/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/addons/ebs-csi-addon.yaml b/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/addons/ebs-csi-addon.yaml
new file mode 100644
index 00000000..b3a02750
--- /dev/null
+++ b/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/addons/ebs-csi-addon.yaml
@@ -0,0 +1,46 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: eks.aws.upbound.io/v1beta1
+kind: Addon
+metadata:
+ name: ${cluster_resource_name}-cluster
+ annotations:
+ crossplane.io/external-name: ${cluster_resource_name}-ebs-csi-driver
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: addon
+spec:
+ forProvider:
+ region: ${cluster_location}
+ addonName: aws-ebs-csi-driver
+ addonVersion: v1.33.0-eksbuild.1
+ resolveConflicts: OVERWRITE
+ clusterNameSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: cluster
+ serviceAccountRoleArnSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: cluster
+ providerConfigRef:
+ name: ${providerconfig_name}
diff --git a/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/iam/policy.yaml b/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/iam/policy.yaml
new file mode 100644
index 00000000..a65eac83
--- /dev/null
+++ b/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/iam/policy.yaml
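Review bot: `serviceAccountRoleArnSelector` matches `provider: aws`, `cluster: ${cluster_resource_name}`, `type: cluster`, which are the labels the roles.yaml hunk of this commit leaves on the `${cluster_name}-masterRole` role, so the EBS CSI driver would apparently run under the cluster's own role rather than a dedicated one. The new RolePolicyAttachment in role-policy-attachment.yaml uses the same `type: cluster` selector in `roleSelector`, so the volume permissions land on that role as well. A separate role for the driver's service account, carrying its own label and selected in both places, would keep the EC2 volume permissions off the cluster identity; the role's trust policy is not visible in this diff, so whether the driver's service account can assume it at all should be confirmed. A one-line comment on `resolveConflicts: OVERWRITE` stating that existing addon configuration is intentionally replaced would also help.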
@@ -0,0 +1,167 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: Policy
+metadata:
+ name: ${cluster_resource_name}-addon-policy
+ annotations:
+ crossplane.io/external-name: ${cluster_name}-ebs-csi-addon-policy
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: addon
+spec:
+ forProvider:
+ policy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateSnapshot",
+ "ec2:AttachVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyVolume",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInstances",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications",
+ "ec2:EnableFastSnapshotRestores"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteTags"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateVolume"
+ ],
+ "Resource": "arn:aws:ec2:*:*:volume/*",
+ "Condition": {
+ "StringLike": {
+ "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateVolume"
+ ],
+ "Resource": "arn:aws:ec2:*:*:volume/*",
+ "Condition": {
+ "StringLike": {
+ "aws:RequestTag/CSIVolumeName": "*"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateVolume"
+ ],
+ "Resource": "arn:aws:ec2:*:*:snapshot/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteVolume"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteVolume"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "ec2:ResourceTag/CSIVolumeName": "*"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteVolume"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteSnapshot"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteSnapshot"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+ }
+ }
+ }
+ ]
+ }
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
diff --git a/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/iam/role-policy-attachment.yaml b/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/iam/role-policy-attachment.yaml
index 3e61f818..00181d2a 100644
--- a/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/iam/role-policy-attachment.yaml
+++ b/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/iam/role-policy-attachment.yaml
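Review bot: The `ec2:CreateTags` statement on `volume/*` and `snapshot/*` carries no `Condition`, so the role may set `ebs.csi.aws.com/cluster` or `CSIVolumeName` on any volume or snapshot in the account, and the tag conditions on `ec2:DeleteVolume` and `ec2:DeleteSnapshot` further down then no longer confine deletion to resources the driver created. Limiting the statement to tagging at creation time with the `ec2:CreateAction` condition key closes that gap, provided the driver only tags what it creates. The unconditioned `ec2:DeleteTags` statement and the `"Resource": "*"` on `ec2:AttachVolume`/`ec2:DetachVolume`/`ec2:ModifyVolume` in the first statement deserve the same look. The conditions that compare against the literal `"true"` would read more precisely as `StringEquals` than `StringLike`.

```yaml
# … unchanged: "Effect", "Action": ["ec2:CreateTags"] and the two "Resource" ARNs of the statement …
          ],
          "Condition": {
            "StringEquals": {
              "ec2:CreateAction": [
                "CreateVolume",
                "CreateSnapshot"
              ]
            }
          }
```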
@@ -134,3 +134,27 @@ spec:
 # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
 providerConfigRef:
 name: ${providerconfig_name}
+
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicyAttachment
+metadata:
+ name: ${cluster_resource_name}-addon
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+spec:
+ forProvider:
+ policyArnSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: addon
+ roleSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: cluster
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
diff --git a/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/iam/roles.yaml b/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/iam/roles.yaml
index 03ae559b..927e5687 100644
--- a/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/iam/roles.yaml
+++ b/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/iam/roles.yaml
@@ -24,7 +24,7 @@ metadata:
 crossplane.io/external-name: ${cluster_name}-masterRole
 labels:
 provider: aws
- cluster: eks
+ cluster: ${cluster_resource_name}
 type: cluster
 spec:
 forProvider:
@@ -58,7 +58,7 @@ metadata:
 crossplane.io/external-name: ${cluster_name}-nodeRole
 labels:
 provider: aws
- cluster: eks
+ cluster: ${cluster_resource_name}
 type: ec2
 spec:
 forProvider:
diff --git a/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/network/subnets.yaml b/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/network/subnets.yaml
index bffbfc3e..d6da2a05 100644
--- a/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/network/subnets.yaml
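Review bot: `policyArnSelector` identifies the policy only by `provider`, `cluster` and `type: addon`, so once a second addon policy with those labels exists for the same cluster the selector no longer names one policy unambiguously (as far as I know Crossplane resolves such a selector to a single match). A label that names the addon, set on the Policy in policy.yaml and repeated in this selector, would pin the attachment to the EBS CSI policy; the label key and value are the project's choice. A short comment above the new document stating which role and which policy it binds would also help, since the only comment in it covers `providerConfigRef`.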
+++ b/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/network/subnets.yaml
@@ -95,7 +95,7 @@ spec:
 tags:
 kubernetes.io/role/elb: "1"
 Name: ${cluster_name}-private-subnet-${cluster_location}a
- kubernetes.io/cluster/{cluster_name}: shared
+ kubernetes.io/cluster/${cluster_name}: shared
 # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
 providerConfigRef:
 name: ${providerconfig_name}
@@ -124,7 +124,7 @@ spec:
 tags:
 kubernetes.io/role/elb: "1"
 Name: ${cluster_name}-private-subnet-${cluster_location}b
- kubernetes.io/cluster/{cluster_name}: shared
+ kubernetes.io/cluster/${cluster_name}: shared
 # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
 providerConfigRef:
 name: ${providerconfig_name}
diff --git a/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/network/vpc.yaml b/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/network/vpc.yaml
index b643ba37..d990d26b 100644
--- a/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/network/vpc.yaml
+++ b/installers/mgmt-cluster/flux/templates/sw-catalogs/cloud-resources/eks/manifests/network/vpc.yaml
@@ -22,7 +22,7 @@ metadata:
 name: ${cluster_resource_name}-vpc
 labels:
 provider: aws
- cluster: eks
+ cluster: ${cluster_resource_name}
 spec:
 forProvider:
 region: ${cluster_location}