This assumes that all of the items below have already been taken care of on the PC that will run the script.
#!/bin/bash
echo 'Initialize EKS Cluster Environment Values'
# grep returns a line like "- rolearn: arn:aws:iam::<account>:role/<role-name>";
# the fixed offsets below slice the account id and role name out of that layout
NG_ROLE=`kubectl -n kube-system describe configmap aws-auth | grep rolearn`
ACCOUNT=`aws sts get-caller-identity --query "Account" --output text` # ${NG_ROLE:24:12} also works
WN_ROLE=${NG_ROLE:42}
CLUSTER_NAME='green-cluster' # write your cluster name
AWS_REGION='ap-northeast-2' # write the cluster's region
VPC_ID=`eksctl get cluster --name ${CLUSTER_NAME} --region ${AWS_REGION} --output json | jq -r '.[0].ResourcesVpcConfig.VpcId'`
echo "NG_ROLE : $NG_ROLE"
echo "WN_ROLE : $WN_ROLE"
echo "ACCOUNT : $ACCOUNT"
echo "CLUSTER_NAME : $CLUSTER_NAME"
echo "AWS_REGION : $AWS_REGION"
echo "VPC_ID : $VPC_ID"
echo ''
echo '>>> CREATE IAM Roles and IAM Policies'
# download the policy document first: AWS CLI v2 no longer fetches https:// parameters itself
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.7/docs/install/iam_policy.json
aws iam create-policy \
    --policy-name AWSLoadBalancerControllerIAMPolicy \
    --policy-document file://iam_policy.json
oidc_id=$(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.identity.oidc.issuer" --region ${AWS_REGION} --output text | cut -d '/' -f 5)
oidc_providers=$(aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4)
if [[ -z $oidc_providers ]]; then
    echo '>>> CREATE IAM OIDC ID Providers'
    eksctl utils associate-iam-oidc-provider --cluster ${CLUSTER_NAME} --approve --region ${AWS_REGION}
fi
# trust policy: only tokens issued by this cluster's OIDC provider for the
# aws-load-balancer-controller service account in kube-system may assume the role
cat >load-balancer-role-trust-policy.json <<EOF!!
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${ACCOUNT}:oidc-provider/oidc.eks.${AWS_REGION}.amazonaws.com/id/${oidc_id}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.${AWS_REGION}.amazonaws.com/id/${oidc_id}:aud": "sts.amazonaws.com",
          "oidc.eks.${AWS_REGION}.amazonaws.com/id/${oidc_id}:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"
        }
      }
    }
  ]
}
EOF!!
aws iam create-role \
    --role-name AmazonEKSLoadBalancerControllerRole \
    --assume-role-policy-document file://"load-balancer-role-trust-policy.json"
aws iam attach-role-policy \
    --policy-arn arn:aws:iam::${ACCOUNT}:policy/AWSLoadBalancerControllerIAMPolicy \
    --role-name AmazonEKSLoadBalancerControllerRole
# the role-arn annotation is what lets the controller's pod exchange its projected token for the role
cat >aws-load-balancer-controller-service-account.yaml <<EOF!!
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: aws-load-balancer-controller
  name: aws-load-balancer-controller
  namespace: kube-system
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT}:role/AmazonEKSLoadBalancerControllerRole
EOF!!
kubectl apply -f aws-load-balancer-controller-service-account.yaml
echo ''
echo '>>> Checking already installed old AWS ALB Ingress Controller'
IS_OLD_CONTROLLER_EXIST=`kubectl get deployment -n kube-system alb-ingress-controller --ignore-not-found`
if [[ -z $IS_OLD_CONTROLLER_EXIST ]]; then
    echo "Old AWS ALB Ingress Controller is Not Found"
else
    echo "Found it : REMOVING Old AWS ALB Ingress Controller..."
    kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.8/docs/examples/alb-ingress-controller.yaml
    kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.8/docs/examples/rbac-role.yaml
fi
echo ''
echo ">>> Connecting Additional IAM Policy to IAM Role"
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.7/docs/install/iam_policy_v1_to_v2_additional.json
aws iam create-policy \
    --policy-name AWSLoadBalancerControllerAdditionalIAMPolicy \
    --policy-document file://iam_policy_v1_to_v2_additional.json
aws iam attach-role-policy \
    --role-name AmazonEKSLoadBalancerControllerRole \
    --policy-arn arn:aws:iam::${ACCOUNT}:policy/AWSLoadBalancerControllerAdditionalIAMPolicy
echo ''
echo ">>> Deploy AWS Load Balancer Controller"
# cert-manager issues the certificate for the controller's admission webhook
kubectl apply \
    --validate=false \
    -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
kubectl wait \
    --request-timeout=30s \
    -n cert-manager \
    --for=condition=Available deployment/cert-manager-webhook
curl -Lo v2_4_7_full.yaml https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.4.7/v2_4_7_full.yaml
# The line numbers below are specific to v2_4_7_full.yaml: lines 561-569 are the manifest's
# ServiceAccount, which would otherwise overwrite the annotated one created above; the two
# inserted args must carry the same indentation as the neighbouring entries in the args list.
sed -i.bak -e '561,569d' ./v2_4_7_full.yaml
sed -i.bak -e "s|your-cluster-name|${CLUSTER_NAME}|" ./v2_4_7_full.yaml
sed -i "806 i \ \ - --aws-vpc-id=${VPC_ID}" ./v2_4_7_full.yaml
sed -i "807 i \ \ - --aws-region=${AWS_REGION}" ./v2_4_7_full.yaml
# Use this if the aws-load-balancer-controller image cannot be pulled from the public ECR.
# sed -i.bak -e "s|public.ecr.aws/eks/aws-load-balancer-controller|${ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/eks/aws-load-balancer-controller|" ./v2_4_7_full.yaml
kubectl apply -f v2_4_7_full.yaml
curl -Lo v2_4_7_ingclass.yaml https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.4.7/v2_4_7_ingclass.yaml
kubectl apply -f v2_4_7_ingclass.yaml
echo ''
echo ">>> Checking Created New AWS Load Balancer Controller"
kubectl get deployment -n kube-system aws-load-balancer-controller
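The trust policy written by the script above is what keeps AmazonEKSLoadBalancerControllerRole usable only by the one service account. As an added example that is not part of the original post, the following Python lint loads a trust-policy document and reports when the `:aud` or `:sub` conditions are missing, wildcarded, or point at a different service account; the sample policy and its account id, region and OIDC id are constructed placeholders, and `lint_irsa_trust_policy` is a name chosen here.

```python
import json

# Constructed sample shaped like the load-balancer-role-trust-policy.json that the
# script writes; the account id, region and OIDC id are placeholders, not real values.
ISSUER = "oidc.eks.ap-northeast-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
EXPECTED_SUB = "system:serviceaccount:kube-system:aws-load-balancer-controller"
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:aud": "sts.amazonaws.com",
            f"{ISSUER}:sub": EXPECTED_SUB,
        }},
    }],
})


def lint_irsa_trust_policy(policy_json, expected_sub):
    """Return one finding per problem; an empty list means every web-identity
    statement is pinned to exactly the expected Kubernetes service account."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if ":oidc-provider/" not in federated:
            findings.append("Principal is not an EKS OIDC provider ARN")
            continue
        issuer = federated.split(":oidc-provider/", 1)[1]
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        # Without the aud pin, any token this issuer signs would be accepted.
        if (equals.get(f"{issuer}:aud") or like.get(f"{issuer}:aud")) != "sts.amazonaws.com":
            findings.append("missing or wrong :aud condition")
        sub, sub_like = equals.get(f"{issuer}:sub"), like.get(f"{issuer}:sub")
        actual = sub if sub is not None else sub_like
        if actual is None:
            findings.append("no :sub condition: every service account in the cluster can assume the role")
        elif sub is None and ("*" in actual or "?" in actual):
            findings.append(f"wildcard :sub {actual!r} admits more than one service account")
        elif actual != expected_sub:
            findings.append(f":sub is {actual!r}, expected {expected_sub!r}")
    return findings
```

Run it against the output of `aws iam get-role --role-name AmazonEKSLoadBalancerControllerRole` (the `AssumeRolePolicyDocument` field) after the script finishes to confirm the role is scoped as intended.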
Reference links
#!/bin/bash
echo '>>> CREATE ALBIngressControllerIAMPolicy '
# download the policy document first: AWS CLI v2 no longer fetches https:// parameters itself
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.3/docs/examples/iam-policy.json
aws iam create-policy \
    --policy-name ALBIngressControllerIAMPolicy \
    --policy-document file://iam-policy.json
echo ''
echo '>>> Connecting ALBIngressControllerIAMPolicy To WorkerNode Role'
# grep returns a line like "- rolearn: arn:aws:iam::<account>:role/<role-name>";
# the fixed offsets below slice the account id and role name out of that layout
NG_ROLE=`kubectl -n kube-system describe configmap aws-auth | grep rolearn`
ACCOUNT=${NG_ROLE:24:12}
WN_ROLE=${NG_ROLE:42}
echo "ACCOUNT : $ACCOUNT"
echo "WORKER NODE ROLE : $WN_ROLE"
echo "NODE GROUP ROLE : $NG_ROLE"
# Attaching the policy to the node role grants it to every pod scheduled on those nodes;
# the v2 script above avoids this by binding the policy to one service account through IRSA.
aws iam attach-role-policy \
    --policy-arn arn:aws:iam::${ACCOUNT}:policy/ALBIngressControllerIAMPolicy \
    --role-name ${WN_ROLE}
echo ''
echo '>>> Create ClusterRole for ALB Ingress Controller'
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.3/docs/examples/rbac-role.yaml
echo ''
echo '>>> Create ALB Ingress Controller'
CLUSTER_NAME='eks-cluster' # write your cluster name
AWS_REGION='ap-northeast-2' # write the cluster's region
VPC_ID=`eksctl get cluster --name ${CLUSTER_NAME} --region ${AWS_REGION} --output json | jq -r '.[0].ResourcesVpcConfig.VpcId'`
echo "CLUSTER NAME : $CLUSTER_NAME"
echo "VPC ID : $VPC_ID"
echo "AWS REGION : $AWS_REGION"
echo ''
echo '>>> Remove Old alb-ingress-controller.yaml file && New alb-ingress-controller.yaml file Download'
rm -f alb-ingress-controller.yaml* &&
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.3/docs/examples/alb-ingress-controller.yaml &&
# uncomment and fill in the cluster-specific args in alb-ingress-controller.yaml
sed -i -e "s/# - --cluster-name=devCluster/- --cluster-name=$CLUSTER_NAME/g" alb-ingress-controller.yaml &&
sed -i -e "s/# - --aws-vpc-id=vpc-xxxxxx/- --aws-vpc-id=$VPC_ID/g" alb-ingress-controller.yaml &&
sed -i -e "s/# - --aws-region=us-west-1/- --aws-region=$AWS_REGION/g" alb-ingress-controller.yaml &&
kubectl apply -f ./alb-ingress-controller.yaml
echo '>>> FINISH'
sleep 5
echo '>>> Checking Create ALB Ingress Controller'
kubectl get pods -n kube-system | grep alb