dave/site
1
0
Fork 0
mirror of https://github.com/davegallant/davegallant.github.io.git synced 2025-08-07 00:58:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

deploy: bdd3648e73df6e36d57b14c1a5d07e8fd79bbe46

Browse Source
This commit is contained in:
davegallant
2024-04-08 12:53:11 +00:00
parent a07e9205e0
commit b9102048a3
73 changed files with 75 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
js/flexsearch.4de30be52a726256f045e2f3dbef1aaba4ad9ddcf2657f4190473a382e19b36f313e897dc449218cfc473ec8d80473081225e009985d9f1a81de6c46b844f9d4.js → js/flexsearch.95f8339f006f50d03b13d2990a2d82bfebb8ff305eb82244913e22ae43e3d6d28dc5fcfc69cb344bcc7824e30c6f1bbf6af6c2e49d8878378fc6040e70a51571.js
View File

@@ -3,7 +3,7 @@
The Amazon EBS CSI driver docs mention that the following are needed:
an existing EKS cluster IAM role (that allows communication to the EC2 API) EKS add-on (aws-ebs-csi-driver) OIDC provider This sounded simple enough but I was unable to find a “grab-and-go” terraform example that followed the recommendations in the docs. I saw some suggestions about attaching an AmazonEBSCSIDriverPolicy policy to the node groups but did not think this was the best idea since this would allow many pods to potentially have access to the EC2 API.
After a few minutes of LLM prompting, I was unimpressed with the results. I began to piece together the config myself, and after some trial and error, this is the terraform that I came up with:
# TLS needed for the thumbprint provider "tls" {} data "tls_certificate" "oidc" { url = aws_eks_cluster.main.identity[0].oidc[0].issuer } # EKS addon resource "aws_eks_addon" "ebs_csi_driver" { cluster_name = aws_eks_cluster.main.name addon_name = "aws-ebs-csi-driver" addon_version = "v1.29.1-eksbuild.1" service_account_role_arn = aws_iam_role.ebs_csi_driver.arn } # AWS Identity and Access Management (IAM) OpenID Connect (OIDC) provider resource "aws_iam_openid_connect_provider" "eks" { url = aws_eks_cluster.main.identity.0.oidc.0.issuer client_id_list = ["sts.amazonaws.com"] thumbprint_list = [data.tls_certificate.oidc.certificates[0].sha1_fingerprint] } # IAM resource "aws_iam_role" "ebs_csi_driver" { name = "\${var.environment_name}-ebs-csi-driver" assume_role_policy = data.aws_iam_policy_document.ebs_csi_driver_assume_role.json } data "aws_iam_policy_document" "ebs_csi_driver_assume_role" { statement { effect = "Allow" principals { type = "Federated" identifiers = [aws_iam_openid_connect_provider.eks.arn] } actions = [ "sts:AssumeRoleWithWebIdentity", ] condition { test = "StringEquals" variable = "\${aws_iam_openid_connect_provider.eks.url}:aud" values = ["sts.amazonaws.com"] } condition { test = "StringEquals" variable = "\${aws_iam_openid_connect_provider.eks.url}:sub" values = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"] } } } resource "aws_iam_role_policy_attachment" "AmazonEBSCSIDriverPolicy" { policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" role = aws_iam_role.ebs_csi_driver.name } The above configuration follows the docs, binding an IAM role to the service account kube-system/ebs-csi-controller-sa using an OpenID connect provider.
# TLS needed for the thumbprint provider "tls" {} data "tls_certificate" "oidc" { url = aws_eks_cluster.main.identity[0].oidc[0].issuer } # EKS addon resource "aws_eks_addon" "ebs_csi_driver" { cluster_name = aws_eks_cluster.main.name addon_name = "aws-ebs-csi-driver" addon_version = "v1.29.1-eksbuild.1" service_account_role_arn = aws_iam_role.ebs_csi_driver.arn } # AWS Identity and Access Management (IAM) OpenID Connect (OIDC) provider resource "aws_iam_openid_connect_provider" "eks" { url = aws_eks_cluster.main.identity.0.oidc.0.issuer client_id_list = ["sts.amazonaws.com"] thumbprint_list = [data.tls_certificate.oidc.certificates[0].sha1_fingerprint] } # IAM resource "aws_iam_role" "ebs_csi_driver" { name = "ebs-csi-driver" assume_role_policy = data.aws_iam_policy_document.ebs_csi_driver_assume_role.json } data "aws_iam_policy_document" "ebs_csi_driver_assume_role" { statement { effect = "Allow" principals { type = "Federated" identifiers = [aws_iam_openid_connect_provider.eks.arn] } actions = [ "sts:AssumeRoleWithWebIdentity", ] condition { test = "StringEquals" variable = "\${aws_iam_openid_connect_provider.eks.url}:aud" values = ["sts.amazonaws.com"] } condition { test = "StringEquals" variable = "\${aws_iam_openid_connect_provider.eks.url}:sub" values = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"] } } } resource "aws_iam_role_policy_attachment" "AmazonEBSCSIDriverPolicy" { policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" role = aws_iam_role.ebs_csi_driver.name } The above configuration follows the docs, binding an IAM role to the service account kube-system/ebs-csi-controller-sa using an OpenID connect provider.
After applying the changes above, I deployed the sample application and noticed that the persistent volume claims were bound to EBS volumes.
`}).add({id:1,href:"/blog/setting-up-gitea-actions-with-tailscale/",title:"Setting up Gitea Actions with Tailscale",description:`In this post I’ll go through the process of setting up Gitea Actions and Tailscale, unlocking a simple and secure way to automate workflows.
`,content:`In this post I’ll go through the process of setting up Gitea Actions and Tailscale, unlocking a simple and secure way to automate workflows.