aws

package
v3.0.0-...-d6c4d9c Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 14, 2023 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Overview

Package aws contains the Amazon Web Services (AWS) cloud provider implementation.

This provider is responsible for managing a variety of resources in the AWS cloud, some of which can pre-exist, some are always created explicitly for a given usercluster. These resources are:

  • EC2: VPC A VPC must already exist. If the user doesn't specify a VPC, the provider chooses the default VPC for the given AWS account. If during reconciliation the VPC is not found, an error is raised and no further reconciliation can happen.

  • EC2: Route Table (RT) A usercluster can use its own RT, but if none is given by the user, the default RT for the VPC will be used (shared among many userclusters). KKP never creates or deletes route tables, it only tags them with the cluster tag.

  • EC2: Security Group (SG) This one can be specified by the user, but is otherwise created automatically. Every usercluster lives in its own SG and the SG is always tagged with the cluster tag.

  • EC2: Subnets The AWS CCM requires that all subnets are tagged with the cluster name, as documented in https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.1/deploy/subnet_discovery/. KKP does not create or remove subnets, but tags them, so that multiple userclusters can share the same subnets.

  • IAM: Control plane role This one can be specified by the user, but is otherwise created automatically. Every usercluster has its own control plan role. If the specified role does not exist, it is created.

  • IAM: Worker role & instance profile This one can be specified by the user, but is otherwise created automatically. Every usercluster has its own worker role/profile. If the specified profile does not exist, it is created.

During cluster deletion, KKP will try to clean up and remove unneeded resources again. However, if the user specified a given field (e.g. a SG ID), KKP does not remove the resource, assuming it is shared by either other userclusters or other things. To keep track of ownership, an owner tag is placed on all resources that KKP creates. The cluster tag for the AWS CCM is also removed, regardless whether the resource was created by KKP or not.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetAWSConfig

func GetAWSConfig(ctx context.Context, accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region, endpoint string) (aws.Config, error)

func GetCredentialsForCluster

func GetCredentialsForCluster(cloud kubermaticv1.CloudSpec, secretKeySelector provider.SecretKeySelectorValueFunc) (accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID string, err error)

GetCredentialsForCluster returns the credentials for the passed in cloud spec or an error.

func GetInstanceTypes

func GetInstanceTypes(ctx context.Context, accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region string) ([]ec2types.InstanceTypeOffering, error)

GetInstanceTypes returns the list of instancetypes.

func GetSecurityGroups

func GetSecurityGroups(ctx context.Context, accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region, vpc string) ([]ec2types.SecurityGroup, error)

GetSecurityGroups returns the list of AWS Security Group.

func GetSecurityGroupsByVPC

func GetSecurityGroupsByVPC(ctx context.Context, accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region, vpcID string) ([]ec2types.SecurityGroup, error)

GetSecurityGroups returns the list of AWS Security Group filtered by VPC.

func GetSubnets

func GetSubnets(ctx context.Context, accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region, vpcID string) ([]ec2types.Subnet, error)

GetSubnets returns the list of subnets for a selected AWS VPC.

func GetVPCS

func GetVPCS(ctx context.Context, accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region string) ([]ec2types.Vpc, error)

GetVPCS returns the list of AWS VPCs.

func ValidateCredentials

func ValidateCredentials(ctx context.Context, accessKeyID, secretAccessKey string) error

Types

type AmazonEC2

type AmazonEC2 struct {
	// contains filtered or unexported fields
}

func NewCloudProvider

func NewCloudProvider(dc *kubermaticv1.Datacenter, secretKeyGetter provider.SecretKeySelectorValueFunc) (*AmazonEC2, error)

NewCloudProvider returns a new AmazonEC2 provider.

func (*AmazonEC2) CleanUpCloudProvider

func (a *AmazonEC2) CleanUpCloudProvider(ctx context.Context, cluster *kubermaticv1.Cluster, updater provider.ClusterUpdater) (*kubermaticv1.Cluster, error)

func (*AmazonEC2) DefaultCloudSpec

func (a *AmazonEC2) DefaultCloudSpec(ctx context.Context, spec *kubermaticv1.ClusterSpec) error

func (*AmazonEC2) InitializeCloudProvider

func (a *AmazonEC2) InitializeCloudProvider(ctx context.Context, cluster *kubermaticv1.Cluster, update provider.ClusterUpdater) (*kubermaticv1.Cluster, error)

func (*AmazonEC2) ReconcileCluster

func (a *AmazonEC2) ReconcileCluster(ctx context.Context, cluster *kubermaticv1.Cluster, update provider.ClusterUpdater) (*kubermaticv1.Cluster, error)

func (*AmazonEC2) ValidateCloudSpec

func (a *AmazonEC2) ValidateCloudSpec(ctx context.Context, spec kubermaticv1.CloudSpec) error

ValidateCloudSpec validates the fields that the user can override while creating a cluster. We only check those that must pre-exist in the AWS account (i.e. the security group and VPC), because the others (like route table) will be created if they do not yet exist / are not explicitly specified. TL;DR: This validation does not need to be extended to cover more than VPC and SG.

func (*AmazonEC2) ValidateCloudSpecUpdate

func (a *AmazonEC2) ValidateCloudSpecUpdate(_ context.Context, oldSpec kubermaticv1.CloudSpec, newSpec kubermaticv1.CloudSpec) error

ValidateCloudSpecUpdate verifies whether an update of cloud spec is valid and permitted.

type ClientSet

type ClientSet struct {
	EC2 *ec2.Client
	EKS *eks.Client
	IAM *iam.Client
}

func GetClientSet

func GetClientSet(ctx context.Context, accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region string) (*ClientSet, error)

Directories

Path Synopsis
Package data is separate from the regular AWS provider package because it initializes a large chunk of data that might not be relevant to everyone using the AWS provider code.
Package data is separate from the regular AWS provider package because it initializes a large chunk of data that might not be relevant to everyone using the AWS provider code.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL