我正在使用Kuberbetes提供程序和Terraform eks模块创建一个eks集群。问题是我使用Terraform Enterprise工作区来创建它,所以我无法从IAM角色编辑aws配置映射。如何通过terraform编辑configmap,以便它将所需的角色和用户添加到生成的was-auth-configmap中?
在创建eks集群后应用身份验证。您可以按照以下步骤操作。创建一个包含类似内容的模板文件,并在变量文件中传递值。(我提供的只是一个非常高级别的样本,在下面声明资源/数据地形时,一些值没有在这里分配(
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
${indent(4, worker_roles_yaml)}
%{if iam_roles_yaml != "[]" }
${indent(4, iam_roles_yaml)}
%{ endif }
%{if iam_users_yaml != "[]" }
mapUsers: |
${indent(4, iam_users_yaml)}
%{ endif }
%{if aws_accounts_yaml != "[]" }
mapAccounts: |
${indent(4, aws_accounts_yaml)}
%{ endif }
使用上述模板文件创建数据
data "template_file" "configmap_auth" {
template = file(local.configmap_auth_template_file)
##pass all variables, i am giving samples only.
vars = {
iam_users_yaml=var.iam_users_yaml
iam_users_yaml=var.iam_users_yaml
}
}
然后渲染文件
resource "local_file" "configmap_auth" {
content = join("", data.template_file.configmap_auth.*.rendered)
filename = var.configmap_auth_file
}
创建具有触发器的null_resource,并使用本地exec provisioner应用身份验证文件
resource "null_resource" "apply_configmap_auth" {
##i am using cluster health/status and file content changes
triggers = {
cluster_updated = join("", aws_eks_cluster.default.*.id)
worker_roles_updated = var.worker_roles_yaml
additional_roles_updated = var.iam_roles_yaml
additional_users_updated = var.iam_users_yaml
additional_aws_accounts_updated = var.aws_accounts_yaml
configmap_auth_file_content_changed = join("", var.configmap_auth.*.content)
configmap_auth_file_id_changed = join("", var.configmap_auth.*.id)
}
depends_on = [aws_eks_cluster.default, local_file.configmap_auth]
provisioner "local-exec" {
command = <<EOT
sleep 240
set -e
aws eks update-kubeconfig --name= --region= --kubeconfig=abc
kubectl apply -f ${var.configmap_auth_file} --kubeconfig abc
}
}