# Cookbook Name:: mu-tools # Recipe:: eks # # Copyright:: Copyright (c) 2018 eGlobalTech, Inc., all rights reserved # # Licensed under the BSD-3 license (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License in the root of the project or at # # http://egt-labs.com/mu/LICENSE.html # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Client-side behavior for interfacing with Amazon Elastic File System if node['deployment'].has_key?('container_clusters') cluster_short_name = node['service_name'].sub(/-?workers$/, "") region = node['deployment']['container_clusters'][cluster_short_name]['region'] cluster = node['deployment']['container_clusters'][cluster_short_name]['name'] max_pods = node['deployment']['container_clusters'][cluster_short_name]['max_pods'] ca = node['deployment']['container_clusters'][cluster_short_name]['certificate_authority']['data'] endpoint = node['deployment']['container_clusters'][cluster_short_name]['endpoint'] # admin_role = node['deployment']['container_clusters'][cluster_short_name]['k8s_admin_role'] if platform_family?("rhel") and node['platform_version'].to_i >= 7 execute "rpm --import https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg" file "/etc/yum.repos.d/kubernetes.repo" do content "[kubernetes] name=Kubernetes baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg " end execute "yum -q makecache -y --disablerepo='*' --enablerepo=kubernetes" package "docker" package "awscli" package "kubeadm" package "kubelet" package "kubectl" elsif platform_family?("debian") package "apt-transport-https" package "ca-certificates" package "software-properties-common" package "curl" bash "install docker" do code < get_first_nameserver(), :node_ip => get_aws_metadata("meta-data/local-ipv4") ) notifies :run, "execute[systemctl daemon-reload]", :immediately notifies :restart, "service[kubelet]", :delayed end directory "/root/.kube" remote_file "/usr/bin/aws-iam-authenticator" do source "https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/linux/amd64/aws-iam-authenticator" mode 0755 not_if "test -f /usr/bin/aws-iam-authenticator" end ["/var/lib/kubelet/kubeconfig", "/root/.kube/config"].each { |kubecfg| template kubecfg do source "kubeconfig.erb" variables( :endpoint => endpoint, :cluster => cluster, :cacert => ca, :rolearn => node['ec2']['iam_instance_profile']['arn'].sub(/:instance-profile\//, ":role/") ) end } master_ips = get_mu_master_ips opento = master_ips.map { |x| "#{x}/32"} opento.uniq.each { |src| [:tcp, :udp, :icmp].each { |proto| execute "iptables -I INPUT -p #{proto} -s #{src}" do not_if "iptables -L -n | tr -s ' ' | grep -- '#{proto} -- #{src.sub(/\/32$/, "")}' > /dev/null" end } } execute "/usr/sbin/sysctl -w net.ipv4.ip_forward=1" execute "echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf" do not_if "grep ^net.ipv4.ip_forward /etc/sysctl.conf" end bash "Allow DockerD to forward traffic outside" do code <