by Master Seo Dec 28. 2023

Part 43-1. Terraform: Creating an Amazon EKS Cluster (1)

Goal

Create one command server (bastion) with CloudFormation

Log on to the command server and create EKS with Terraform


Reference site

Manual for creating Amazon EKS with Terraform


https://developer.hashicorp.com/terraform/tutorials/kubernetes/eks




<1> AWS = Create one EC2 instance with the Terraform CLI installed, via CloudFormation

<2> Log in to the EC2 instance, fetch the Amazon EKS Terraform files, and initialize Terraform

<3> Review the contents of the EKS Terraform files

<4> Apply the EKS Terraform files to create the cluster, version 1.27



<1> AWS = Install the Terraform CLI via CloudFormation



1

Prerequisites

An EC2 key pair must be created = needed to log in to the command EC2 server

An access key / secret key must be created = permissions to create AWS resources are required.



2

Create the Terraform command server with the CloudFormation file below.




3

Resources created by CloudFormation?

1 VPC

1 public subnet

1 EC2 instance = when the command server is created, both the AWS CLI and Terraform are installed on it.





<2> Log in to the EC2 instance, fetch the Amazon EKS Terraform files, and initialize Terraform



1

Manual for creating Amazon EKS with Terraform


https://developer.hashicorp.com/terraform/tutorials/kubernetes/eks



2

Log in to EC2



3

Download the tf files from the Terraform git repository


git clone https://github.com/hashicorp/learn-terraform-provision-eks-cluster


 cd learn-terraform-provision-eks-cluster


[root@myeks2-bastion-EC2 learn-terraform-provision-eks-cluster]# ls

LICENSE  main.tf  outputs.tf  README.md  terraform.tf  variables.tf





4

The 4 tf files


main.tf  

outputs.tf  

terraform.tf  

variables.tf




5

Comment out the cloud block in terraform.tf


 learn-terraform-provision-eks-cluster]# vi terraform.tf

 

# Copyright (c) HashiCorp, Inc.

# SPDX-License-Identifier: MPL-2.0


terraform {

  /*

cloud {

    workspaces {

      name = "learn-terraform-eks"

    }

  }

*/



  required_providers {

    aws = {




6

Initialize Terraform for use



terraform init



Initializing the backend...

Initializing modules...

Initializing provider plugins...

- Reusing previous version of hashicorp/random from the dependency lock file

- Reusing previous version of hashicorp/kubernetes from the dependency lock file

- Reusing previous version of hashicorp/time from the dependency lock file

- Reusing previous version of hashicorp/tls from the dependency lock file

- Reusing previous version of hashicorp/cloudinit from the dependency lock file

- Reusing previous version of hashicorp/aws from the dependency lock file

- Installing hashicorp/aws v5.7.0...

- Installed hashicorp/aws v5.7.0 (signed by HashiCorp)

- Installing hashicorp/random v3.5.1...

- Installed hashicorp/random v3.5.1 (signed by HashiCorp)

- Installing hashicorp/kubernetes v2.21.1...

- Installed hashicorp/kubernetes v2.21.1 (signed by HashiCorp)

- Installing hashicorp/time v0.9.1...

- Installed hashicorp/time v0.9.1 (signed by HashiCorp)

- Installing hashicorp/tls v4.0.4...

- Installed hashicorp/tls v4.0.4 (signed by HashiCorp)

- Installing hashicorp/cloudinit v2.3.2...

- Installed hashicorp/cloudinit v2.3.2 (signed by HashiCorp)

Terraform has made some changes to the provider dependency selections recorded

in the .terraform.lock.hcl file. Review those changes and commit them to your

version control system if they represent changes you intended to make.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see

any changes that are required for your infrastructure. All Terraform commands

should now work.

If you ever set or change modules or backend configuration for Terraform,

rerun this command to reinitialize your working directory. If you forget, other

commands will detect it and remind you to do so if necessary.






<3> Review the contents of the EKS Terraform files



learn-terraform-provision-eks-cluster]# more *.tf



1


::::::::::::::

main.tf

::::::::::::::


# The provider is the AWS provider


provider "aws" {

  region = var.region

}



# Availability zones are looked up with a data source.


# Filter out local zones, which are not currently supported

# with managed node groups


data "aws_availability_zones" "available" {

  filter {

    name   = "opt-in-status"

    values = ["opt-in-not-required"]

  }

}



# EKS cluster name = education-eks-xxxxxxxxxxxxxxxx


locals {

  cluster_name = "education-eks-${random_string.suffix.result}"

}



# Create the random string resource used as the name suffix


resource "random_string" "suffix" {

  length  = 8

  special = false

}




# The VPC network side is handled by a module!!!!


# The module specifies a source!!!  =  "terraform-aws-modules/vpc/aws"

# The subnets use the first three availability zones (slice indices 0, 1, 2) = slice(data.aws_availability_zones.available.names, 0, 3)



module "vpc" {

  source  = "terraform-aws-modules/vpc/aws"

  version = "5.0.0"

  name = "education-vpc"

  cidr = "10.0.0.0/16"

  azs  = slice(data.aws_availability_zones.available.names, 0, 3)

  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]

  public_subnets  = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]

  enable_nat_gateway   = true

  single_nat_gateway   = true

  enable_dns_hostnames = true

  public_subnet_tags = {

    "kubernetes.io/cluster/${local.cluster_name}" = "shared"

    "kubernetes.io/role/elb"                      = 1

  }

  private_subnet_tags = {

    "kubernetes.io/cluster/${local.cluster_name}" = "shared"

    "kubernetes.io/role/internal-elb"             = 1

  }

}




# EKS is also handled as a module.


module "eks" {

  source  = "terraform-aws-modules/eks/aws"

  version = "19.15.3"

  cluster_name    = local.cluster_name

  cluster_version = "1.27"

  vpc_id                         = module.vpc.vpc_id

  subnet_ids                     = module.vpc.private_subnets

  cluster_endpoint_public_access = true

  eks_managed_node_group_defaults = {

    ami_type = "AL2_x86_64"

  }



  eks_managed_node_groups = {

    one = {

      name = "node-group-1"

      instance_types = ["t3.small"]

      min_size     = 1

      max_size     = 3

      desired_size = 2

    }


    two = {

      name = "node-group-2"

      instance_types = ["t3.small"]

      min_size     = 1

      max_size     = 2

      desired_size = 1

    }

  }

}



Cluster name: cluster_name = local.cluster_name
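The module block above leaves the Kubernetes API endpoint open to the whole internet (cluster_endpoint_public_access = true with the module's default CIDR list of 0.0.0.0/0). The following is an added example, not part of the tutorial or of the terraform-aws-modules project, showing the same v19 module block with two defensive changes: the public endpoint is limited to known admin CIDRs and all five control-plane log types are shipped to CloudWatch. The variable admin_cidrs and its placeholder value are assumptions introduced here; local.cluster_name and module.vpc are the ones defined in main.tf above.

```hcl
# Added example (not from the tutorial): hardened endpoint and logging settings
# for the same terraform-aws-modules/eks/aws v19.15.3 module block.
# Assumptions: variable "admin_cidrs" is defined here by us; local.cluster_name
# and module.vpc exist exactly as in main.tf.

variable "admin_cidrs" {
  description = "CIDR blocks allowed to reach the public API endpoint"
  type        = list(string)
  # Constructed placeholder (documentation range); replace with the public IP
  # of the bastion / VPN egress that runs kubectl.
  default = ["203.0.113.0/24"]
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "19.15.3"

  cluster_name    = local.cluster_name
  cluster_version = "1.27"

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  # The bastion in this tutorial lives in a different VPC, so the public
  # endpoint stays on, but only listed CIDRs may reach it. The private
  # endpoint lets worker nodes talk to the control plane without leaving the VPC.
  cluster_endpoint_public_access       = true
  cluster_endpoint_public_access_cidrs = var.admin_cidrs
  cluster_endpoint_private_access      = true

  # Control-plane logs to CloudWatch Logs. "audit" and "authenticator" are the
  # ones an incident responder needs to reconstruct who called the API and how
  # their IAM identity was mapped.
  cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  eks_managed_node_group_defaults = {
    ami_type = "AL2_x86_64"
  }

  eks_managed_node_groups = {
    one = {
      name           = "node-group-1"
      instance_types = ["t3.small"]
      min_size       = 1
      max_size       = 3
      desired_size   = 2
    }
  }
}
```

One check to make before applying: the CIDR list must include the address the bastion uses to reach the internet (its Elastic IP, or the NAT gateway's IP if it is in a private subnet). If it does not, aws eks update-kubeconfig still succeeds because it only calls the EKS control API, but every kubectl command afterwards times out against the restricted endpoint.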





# https://aws.amazon.com/blogs/containers/amazon-ebs-csi-driver-is-now-generally-available-in-amazon-eks-add-ons/




# Policy and IRSA role for using the EBS CSI driver

Container Storage Interface (CSI) driver



data "aws_iam_policy" "ebs_csi_policy" {

  arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"

}



module "irsa-ebs-csi" {

  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"

  version = "4.7.0"

  create_role                   = true

  role_name                     = "AmazonEKSTFEBSCSIRole-${module.eks.cluster_name}"

  provider_url                  = module.eks.oidc_provider

  role_policy_arns              = [data.aws_iam_policy.ebs_csi_policy.arn]

  oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]

}


resource "aws_eks_addon" "ebs-csi" {

  cluster_name             = module.eks.cluster_name

  addon_name               = "aws-ebs-csi-driver"

  addon_version            = "v1.20.0-eksbuild.1"

  service_account_role_arn = module.irsa-ebs-csi.iam_role_arn

  tags = {

    "eks_addon" = "ebs-csi"

    "terraform" = "true"

  }

}
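The irsa-ebs-csi module above hides the trust policy that makes IRSA safe. As an added example, not code from the tutorial or from the terraform-aws-modules project, the same role is written out as plain aws_iam_role and aws_iam_policy_document resources so the trust boundary is visible: only the ebs-csi-controller-sa service account in kube-system, authenticating through this cluster's OIDC issuer, may assume the role. It assumes the v19 eks module outputs oidc_provider (issuer URL without the https:// prefix) and oidc_provider_arn; the resource names ending in _manual are ours.

```hcl
# Added example (not from the tutorial): the IRSA trust relationship built
# explicitly instead of through module "irsa-ebs-csi".
# Assumptions: module.eks is the v19 EKS module from main.tf, which exposes
# oidc_provider (issuer without "https://") and oidc_provider_arn.

data "aws_iam_policy_document" "ebs_csi_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.eks.oidc_provider_arn]
    }

    # Pin the subject. Without this condition every service account in the
    # cluster that can obtain a projected token could assume the role and
    # inherit EBS volume permissions.
    condition {
      test     = "StringEquals"
      variable = "${module.eks.oidc_provider}:sub"
      values   = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
    }

    # Pin the audience so tokens minted for other consumers are rejected.
    condition {
      test     = "StringEquals"
      variable = "${module.eks.oidc_provider}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ebs_csi_manual" {
  name               = "AmazonEKSTFEBSCSIRole-manual-${module.eks.cluster_name}"
  assume_role_policy = data.aws_iam_policy_document.ebs_csi_trust.json
}

# Same AWS-managed permissions policy the tutorial attaches through the module.
resource "aws_iam_role_policy_attachment" "ebs_csi_manual" {
  role       = aws_iam_role.ebs_csi_manual.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
}
```

After apply, the generated trust policy can be reviewed with aws iam get-role --role-name on the created role; the two StringEquals conditions are what to look for whenever an IRSA role is audited, since a role whose condition key is missing or uses a wildcard subject is effectively assumable by every pod in the cluster.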




2

::::::::::::::

outputs.tf

::::::::::::::


# Four outputs are checked.




output "cluster_endpoint" {

  description = "Endpoint for EKS control plane"

  value       = module.eks.cluster_endpoint

}



output "cluster_security_group_id" {

  description = "Security group ids attached to the cluster control plane"

  value       = module.eks.cluster_security_group_id

}



output "region" {

  description = "AWS region"

  value       = var.region

}



output "cluster_name" {

  description = "Kubernetes Cluster Name"

  value       = module.eks.cluster_name

}





3

::::::::::::::

terraform.tf

::::::::::::::


# workspaces

Provider specification

random



terraform {

  /*

cloud {

    workspaces {

      name = "learn-terraform-eks"

    }

  }

*/




  required_providers {

    aws = {

      source  = "hashicorp/aws"

      version = "~> 5.7.0"

    }



    random = {

      source  = "hashicorp/random"

      version = "~> 3.5.1"

    }



    tls = {

      source  = "hashicorp/tls"

      version = "~> 4.0.4"

    }



    cloudinit = {

      source  = "hashicorp/cloudinit"

      version = "~> 2.3.2"

    }

  }

  required_version = "~> 1.3"

}





4

::::::::::::::

variables.tf

::::::::::::::


# The only variable is the region.


variable "region" {

  description = "AWS region"

  type        = string

  default     = "us-east-2"

}



# To change to the Seoul region


vi variables.tf


# Copyright (c) HashiCorp, Inc.

# SPDX-License-Identifier: MPL-2.0

variable "region" {

  description = "AWS region"

  type        = string

  default     = "ap-northeast-2"

}





1-1

vpc module (downloaded into .terraform/modules by terraform init)


pwd

/root/learn-terraform-provision-eks-cluster/.terraform/modules/vpc/modules/vpc-endpoints



 ls -al

-rw-r--r-- 1 root root 1914 Dec 29 08:19 main.tf

-rw-r--r-- 1 root root  162 Dec 29 08:19 outputs.tf

-rw-r--r-- 1 root root 3488 Dec 29 08:19 README.md

-rw-r--r-- 1 root root 1049 Dec 29 08:19 variables.tf

-rw-r--r-- 1 root root  147 Dec 29 08:19 versions.tf





<4> Apply the EKS Terraform files to create the cluster, version 1.27



1

terraform apply -auto-approve


or


terraform apply


module.irsa-ebs-csi.data.aws_partition.current: Reading...

module.eks.data.aws_caller_identity.current: Reading...

data.aws_iam_policy.ebs_csi_policy: Reading...

module.eks.module.kms.data.aws_caller_identity.current: Reading...


Do you want to perform these actions?

  Terraform will perform the actions described above.

  Only 'yes' will be accepted to approve.

  Enter a value: yes


random_string.suffix: Creating...

random_string.suffix: Creation complete after 0s [id=9kYKrjZB]

aws_eks_addon.ebs-csi: Creation complete after 15m15s [id=education-eks-9kYKrjZB:aws-ebs-csi-driver]

Apply complete! Resources: 63 added, 0 changed, 0 destroyed.




Outputs:

cluster_endpoint = "https://AA49B331E646740E1F6FB99B540B6E70.yl4.us-east-2.eks.amazonaws.com"

cluster_name = "education-eks-9kYKrjZB"

cluster_security_group_id = "sg-09f55ad884f013406"

region = "us-east-2"



[root@myeks2-bastion-EC2 learn-terraform-provision-eks-cluster]# ls

LICENSE  main.tf  outputs.tf  README.md  terraform.tf  terraform.tfstate  variables.tf




Took 20 minutes


https://vclock.kr/timer/#countdown=00:15:00&date=2023-12-29T13:46:02&sound=xylophone&loop=1



2  Cluster access


aws eks --region $(terraform output -raw region) update-kubeconfig \

    --name $(terraform output -raw cluster_name)


Added new context arn:aws:eks:us-east-2:476286675138:cluster/education-eks-9kYKrjZB to /root/.kube/config



kubectl cluster-info


Kubernetes control plane is running at https://AA49B331E646740E1F6FB99B540B6E70.yl4.us-east-2.eks.amazonaws.com

CoreDNS is running at https://AA49B331E646740E1F6FB99B540B6E70.yl4.us-east-2.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.



 kubectl get nodes

NAME                                       STATUS   ROLES    AGE   VERSION

ip-10-0-1-124.us-east-2.compute.internal   Ready    <none>   29m   v1.27.7-eks-e71965b

ip-10-0-1-30.us-east-2.compute.internal    Ready    <none>   22m   v1.27.7-eks-e71965b

ip-10-0-2-251.us-east-2.compute.internal   Ready    <none>   22m   v1.27.7-eks-e71965b




 k ns default

Context "arn:aws:eks:us-east-2:476286675138:cluster/education-eks-9kYKrjZB" modified.

Active namespace is "default".




Goal accomplished?

Created one command server (bastion) with CloudFormation

Logged on to the command server and created EKS with Terraform




Delete


terraform destroy -auto-approve




Next lesson

https://brunch.co.kr/@topasvga/3586






Thank you.

