dongsupark · February 2, 2021 14:43
diff --git a/gistfile1.txt b/gistfile1.txt
 1. AWS IAM

 Configure IAM in your AWS account. The IAM needs to allow the following roles.

 a) ec2


 ```
 AllocateAddress
 AssociateAddress
 AssociateRouteTable
 AttachInternetGateway
 AttachNetworkInterface
 CreateEgressOnlyInternetGateway
 CreateInternetGateway
 CreateKeyPair
 CreateLocalGatewayRouteTable
 CreateLocalGatewayRouteTableVpcAssociation
 CreateNatGateway
 CreateNetworkInterface
 CreateRoute
 CreateRouteTable
 CreateSubnet
 CreateVpc
 DeleteEgressOnlyInternetGateway
 DeleteInternetGateway
 DeleteKeyPair
 DeleteLocalGatewayRouteTable
 DeleteLocalGatewayRouteTableVpcAssociation
 DeleteNatGateway
 DeleteNetworkInterface
 DeleteRoute
 DeleteRouteTable
 DeleteSubnet
 DeleteVpc
 DescribeAddresses
 DescribeAvailabilityZones
 DescribeEgressOnlyInternetGateways
 DescribeInternetGateways
 DescribeKeyPairs
 DescribeLocalGatewayRouteTableVpcAssociation
 DescribeLocalGatewayRouteTables
 DescribeNatGateways
 DescribeNetworkAcls
 DescribeNetworkInterfaces
 DescribeRouteTables
 DescribeSubnets
 DescribeVpcAttribute
 DescribeVpcEndpoints
 DescribeVpcPeeringConnections
 DescribeVpcs
 DescribeVpnConnections
 DescribeVpnGateways
 DetachInternetGateway
 DetachNetworkInterface
 DisssociateAddress
 DisassociateRouteTable
 ImportKeyPair
 ModifyAvailabilityZoneGroup
 ModifySubnetAttribute
 ModifyVpcAttribute
 ReleaseAddress
 ReplaceRoute
 ```


 b) elasticloadbalancing

 ```
 AddTags
 AttachLoadBalancerToSubnets
 ConfigureHealthCheck
 CreateLoadBalancer
 DeleteLoadBalancer
 DeregisterInstancesFromLoadBalancer
 DescribeLoadBalancers
 DescribeLoadBalancerAttributes
 DescribeTags
 DetachLoadBalancerFromSubnets
 ModifyLoadBalancerAttributes
 RegisterInstancesWithLoadBalancer
 RemoveTags
 ```


 c) secretsmanager

 ```
 CreateSecret
 DeleteSecret
 DescribeSecret
 GetSecretValue
 ListSecretVersionIds
 ListSecrets
 PutSecretValue
 TagResource
 UpdateSecret
 UpdateSecretVersionStage
 ValidateResourcePolicy
 UntagResource
 ```

 d) s3

 ```
 DeleteObject
 GetBucketLocation
 GetObject
 PutObject
 ListAllMyBuckets
 ListBucket
 ```

 1.1. Import a key pair

 ```
 export AWS_REGION=eu-west-1
 export AWS_CONTROL_PLANE_MACHINE_TYPE=t3.small
 export AWS_NODE_MACHINE_TYPE=t3.small
 export AWS_AMI_IMAGE_ORG="075585003325"
 export AWS_AMI_IMAGE_BASEOS="flatcar-stable"
 export AWS_SSH_KEY_NAME=my-cluster-api-test
 export AWS_SECURE_SECRETS_BACKEND=s3-bucket
 export AWS_ACCESS_KEY_ID=blah
 export AWS_SECRET_ACCESS_KEY=blah

 aws ec2 import-key-pair \
  --key-name test-key-name \
  --public-key-material "$(cat ~/.ssh/id_rsa.pub)"
 ```

 2. Create a cluster.

 a) management cluster

 ```
 kind create cluster
 ```

 check if it is up.

 ```
 kubectl cluster-info
 ```

 b) cloudformation stack

 ```
 clusterawsadm bootstrap iam create-cloudformation-stack
 export AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-as-profile)
 ```

 c) cluster API

 ```
 clusterctl init --infrastructure aws
 ```

 create a config with an AWS template for Flatcar.
 It is to convert a given customized template into the actual manifest.

 ```
 clusterctl config cluster capi-quickstart --kubernetes-version v1.18.15 --control-plane-machine-count=3 --worker-machine-count=3 --from=https://github.com/kinvolk/cluster-api-provider-aws/blob/template-image-flatcar/templates/cluster-template.yaml > capi-quickstart-aws.yaml
 ```

 Please make sure that the result config file includes the following options in cloudInit, for both control plane and worker:

 ```
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
 kind: AWSMachineTemplate
 spec:
  template:
    spec:
      cloudInit:
        secureSecretsBackend: s3-bucket
 ```

 Apply cert-manager config.

 ```
 kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml
 ```

 Apply the config to the management cluster.

 ```
 kubectl apply -f capi-quickstart-aws.yaml

 # check if the cluster was provisioned
 kubectl describe awscluster/capi-quickstart
 kubectl get cluster -A -w
 kubectl get kubeadmcontrolplane -A -w

 clusterctl get kubeconfig capi-quickstart > capi-quickstart.kubeconfig
 kubectl --kubeconfig=./capi-quickstart.kubeconfig apply -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml
 ```

 2.1. Customizing development clusters

 Following https://cluster-api.sigs.k8s.io/developer/tilt.html.


 ```
 cd .../cluster-api-provider-aws

 export REGISTRY=quay.io/myuser
 export PROD_REGISTRY=quay.io/myuser
 export STAGING_REGISTRY=quay.io/myuser

 make docker-build
 make docker-push


 cd ../cluster-api
 tee tilt-settings.json << EOF
 {
  "default_registry": "quay.io/myuser",
  "provider_repos": ["../cluster-api-provider-aws"],
  "enable_providers": ["aws", "docker", "kubeadm-bootstrap", "kubeadm-control-plane"],
  "kustomize_substitutions": {
    "AWS_B64ENCODED_CREDENTIALS": "abcd..."
  }
 }
 EOF

 tilt up
 ```


 3. Cleaning up clusters

 Delete tilt.

 ```
 tilt down
 ```

 Delete the workload clusters.

 ```
 kubectl delete cluster capi-quickstart

 curl -o ./delete_vpc.sh https://raw.githubusercontent.com/lianghong/delete_vpc/master/delete_vpc.sh
 chmod +x ./delete_vpc.sh

 aws elb delete-load-balancer --load-balancer-name=capi-quickstart-apiserver

 export VPCID=$(aws ec2 describe-vpcs --filters "Name=tag:Name,Values=capi-quickstart-vpc" --query 'Vpcs[0].VpcId' | tr -d '"')

 ./delete_vpc.sh ${AWS_REGION} ${VPCID}

 ```

 Delete the management cluster.

 ```
 kind delete cluster
 ```
	1. AWS IAM

	Configure IAM in your AWS account. The IAM needs to allow the following roles.

	a) ec2


	```
	AllocateAddress
	AssociateAddress
	AssociateRouteTable
	AttachInternetGateway
	AttachNetworkInterface
	CreateEgressOnlyInternetGateway
	CreateInternetGateway
	CreateKeyPair
	CreateLocalGatewayRouteTable
	CreateLocalGatewayRouteTableVpcAssociation
	CreateNatGateway
	CreateNetworkInterface
	CreateRoute
	CreateRouteTable
	CreateSubnet
	CreateVpc
	DeleteEgressOnlyInternetGateway
	DeleteInternetGateway
	DeleteKeyPair
	DeleteLocalGatewayRouteTable
	DeleteLocalGatewayRouteTableVpcAssociation
	DeleteNatGateway
	DeleteNetworkInterface
	DeleteRoute
	DeleteRouteTable
	DeleteSubnet
	DeleteVpc
	DescribeAddresses
	DescribeAvailabilityZones
	DescribeEgressOnlyInternetGateways
	DescribeInternetGateways
	DescribeKeyPairs
	DescribeLocalGatewayRouteTableVpcAssociation
	DescribeLocalGatewayRouteTables
	DescribeNatGateways
	DescribeNetworkAcls
	DescribeNetworkInterfaces
	DescribeRouteTables
	DescribeSubnets
	DescribeVpcAttribute
	DescribeVpcEndpoints
	DescribeVpcPeeringConnections
	DescribeVpcs
	DescribeVpnConnections
	DescribeVpnGateways
	DetachInternetGateway
	DetachNetworkInterface
	DisssociateAddress
	DisassociateRouteTable
	ImportKeyPair
	ModifyAvailabilityZoneGroup
	ModifySubnetAttribute
	ModifyVpcAttribute
	ReleaseAddress
	ReplaceRoute
	```


	b) elasticloadbalancing

	```
	AddTags
	AttachLoadBalancerToSubnets
	ConfigureHealthCheck
	CreateLoadBalancer
	DeleteLoadBalancer
	DeregisterInstancesFromLoadBalancer
	DescribeLoadBalancers
	DescribeLoadBalancerAttributes
	DescribeTags
	DetachLoadBalancerFromSubnets
	ModifyLoadBalancerAttributes
	RegisterInstancesWithLoadBalancer
	RemoveTags
	```


	c) secretsmanager

	```
	CreateSecret
	DeleteSecret
	DescribeSecret
	GetSecretValue
	ListSecretVersionIds
	ListSecrets
	PutSecretValue
	TagResource
	UpdateSecret
	UpdateSecretVersionStage
	ValidateResourcePolicy
	UntagResource
	```

	d) s3

	```
	DeleteObject
	GetBucketLocation
	GetObject
	PutObject
	ListAllMyBuckets
	ListBucket
	```

	1.1. Import a key pair

	```
	export AWS_REGION=eu-west-1
	export AWS_CONTROL_PLANE_MACHINE_TYPE=t3.small
	export AWS_NODE_MACHINE_TYPE=t3.small
	export AWS_AMI_IMAGE_ORG="075585003325"
	export AWS_AMI_IMAGE_BASEOS="flatcar-stable"
	export AWS_SSH_KEY_NAME=my-cluster-api-test
	export AWS_SECURE_SECRETS_BACKEND=s3-bucket
	export AWS_ACCESS_KEY_ID=blah
	export AWS_SECRET_ACCESS_KEY=blah

	aws ec2 import-key-pair \
	--key-name test-key-name \
	--public-key-material "$(cat ~/.ssh/id_rsa.pub)"
	```

	2. Create a cluster.

	a) management cluster

	```
	kind create cluster
	```

	check if it is up.

	```
	kubectl cluster-info
	```

	b) cloudformation stack

	```
	clusterawsadm bootstrap iam create-cloudformation-stack
	export AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-as-profile)
	```

	c) cluster API

	```
	clusterctl init --infrastructure aws
	```

	create a config with an AWS template for Flatcar.
	It is to convert a given customized template into the actual manifest.

	```
	clusterctl config cluster capi-quickstart --kubernetes-version v1.18.15 --control-plane-machine-count=3 --worker-machine-count=3 --from=https://github.com/kinvolk/cluster-api-provider-aws/blob/template-image-flatcar/templates/cluster-template.yaml > capi-quickstart-aws.yaml
	```

	Please make sure that the result config file includes the following options in cloudInit, for both control plane and worker:

	```
	apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
	kind: AWSMachineTemplate
	spec:
	template:
	spec:
	cloudInit:
	secureSecretsBackend: s3-bucket
	```

	Apply cert-manager config.

	```
	kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml
	```

	Apply the config to the management cluster.

	```
	kubectl apply -f capi-quickstart-aws.yaml

	# check if the cluster was provisioned
	kubectl describe awscluster/capi-quickstart
	kubectl get cluster -A -w
	kubectl get kubeadmcontrolplane -A -w

	clusterctl get kubeconfig capi-quickstart > capi-quickstart.kubeconfig
	kubectl --kubeconfig=./capi-quickstart.kubeconfig apply -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml
	```

	2.1. Customizing development clusters

	Following https://cluster-api.sigs.k8s.io/developer/tilt.html.


	```
	cd .../cluster-api-provider-aws

	export REGISTRY=quay.io/myuser
	export PROD_REGISTRY=quay.io/myuser
	export STAGING_REGISTRY=quay.io/myuser

	make docker-build
	make docker-push


	cd ../cluster-api
	tee tilt-settings.json << EOF
	{
	"default_registry": "quay.io/myuser",
	"provider_repos": ["../cluster-api-provider-aws"],
	"enable_providers": ["aws", "docker", "kubeadm-bootstrap", "kubeadm-control-plane"],
	"kustomize_substitutions": {
	"AWS_B64ENCODED_CREDENTIALS": "abcd..."
	}
	}
	EOF

	tilt up
	```


	3. Cleaning up clusters

	Delete tilt.

	```
	tilt down
	```

	Delete the workload clusters.

	```
	kubectl delete cluster capi-quickstart

	curl -o ./delete_vpc.sh https://raw.githubusercontent.com/lianghong/delete_vpc/master/delete_vpc.sh
	chmod +x ./delete_vpc.sh

	aws elb delete-load-balancer --load-balancer-name=capi-quickstart-apiserver

	export VPCID=$(aws ec2 describe-vpcs --filters "Name=tag:Name,Values=capi-quickstart-vpc" --query 'Vpcs[0].VpcId' \| tr -d '"')

	./delete_vpc.sh ${AWS_REGION} ${VPCID}

	```

	Delete the management cluster.

	```
	kind delete cluster
	```