import { Construct, Node } from 'constructs';
import { AlbScheme } from './alb-controller';
import { ICluster } from './cluster';
import { KubectlProvider } from './kubectl-provider';
import { CustomResource, Stack } from '../../core';
// Prefix of the label key that `KubernetesManifest` injects into every object
// when pruning is enabled; the construct's tree address is appended so the key
// is unique per manifest and `kubectl apply --prune -l <key>` only touches
// objects this manifest owns.
const PRUNE_LABEL_PREFIX = 'aws.cdk.eks/prune-';
/**
 * Options for `KubernetesManifest`.
 */
export interface KubernetesManifestOptions {
  /**
   * When a resource is removed from a Kubernetes manifest, it no longer appears
   * in the manifest, and there is no way to know that this resource needs to be
   * deleted. To address this, `kubectl apply` has a `--prune` option which will
   * query the cluster for all resources with a specific label and will remove
   * all the labeled resources that are not part of the applied manifest. If this
   * option is disabled and a resource is removed, it will become "orphaned" and
   * will not be deleted from the cluster.
   *
   * When this option is enabled (default), the construct will inject a label to
   * all Kubernetes resources included in this manifest which will be used to
   * prune resources when the manifest changes via `kubectl apply --prune`.
   *
   * The label name will be `aws.cdk.eks/prune-<ADDR>` where `<ADDR>` is the
   * 42-char unique address of this construct in the construct tree. Value is
   * empty.
   *
   * Operational/security note: pruning deletes *every* object in the cluster
   * that carries this label and is absent from the manifest, acting with the
   * permissions of the kubectl provider's role. Do not copy this label onto
   * objects managed by other tooling, and do not share one manifest array
   * between several constructs, or the next apply may delete them.
   *
   * @see
   * https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/#alternative-kubectl-apply-f-directory-prune-l-your-label
   *
   * @default - based on the prune option of the cluster, which is `true` unless
   * otherwise specified.
   */
  readonly prune?: boolean;

  /**
   * A flag to signify if the manifest validation should be skipped.
   *
   * Leave this off unless a resource genuinely cannot pass validation. With
   * validation skipped (presumably `kubectl --validate=false` in the provider
   * handler, which is not part of this file), misspelled or unknown fields —
   * including security-relevant ones such as a pod's `securityContext` — are
   * no longer rejected before the manifest reaches the API server.
   *
   * @default false
   */
  readonly skipValidation?: boolean;

  /**
   * Automatically detect `Ingress` resources in the manifest and annotate them so they
   * are picked up by an ALB Ingress Controller.
   *
   * Only resources whose `kind` is exactly `Ingress` are annotated; annotations
   * already present on the resource take precedence over the injected ones.
   *
   * @default false
   */
  readonly ingressAlb?: boolean;

  /**
   * Specify the ALB scheme that should be applied to `Ingress` resources.
   * Only applicable if `ingressAlb` is set to `true`.
   *
   * The default keeps the load balancer internal to the VPC. Per the AWS Load
   * Balancer Controller documentation, an internet-facing scheme exposes every
   * `Ingress` in this manifest publicly, so treat any other value as a
   * deliberate exposure decision.
   *
   * @default AlbScheme.INTERNAL
   */
  readonly ingressAlbScheme?: AlbScheme;
}
/**
 * Properties for KubernetesManifest
 */
export interface KubernetesManifestProps extends KubernetesManifestOptions {
  /**
   * The EKS cluster to apply this manifest to.
   *
   * [disable-awslint:ref-via-interface]
   */
  readonly cluster: ICluster;

  /**
   * The manifest to apply.
   *
   * Consists of any number of child resources.
   *
   * When the resources are created/updated, this manifest will be applied to the
   * cluster through `kubectl apply` and when the resources or the stack is
   * deleted, the resources in the manifest will be deleted through `kubectl delete`.
   *
   * CDK tokens may be embedded in the objects; they are resolved when the
   * manifest is rendered to a CloudFormation JSON string.
   *
   * Note: the construct injects the prune label and ALB annotations directly
   * into these objects, so the array is mutated in place. Pass a fresh array
   * per construct rather than sharing one.
   *
   * @example
   *
   * [{
   *   apiVersion: 'v1',
   *   kind: 'Pod',
   *   metadata: { name: 'mypod' },
   *   spec: {
   *     containers: [ { name: 'hello', image: 'paulbouwer/hello-kubernetes:1.5', ports: [ { containerPort: 8080 } ] } ]
   *   }
   * }]
   *
   */
  readonly manifest: Record<string, any>[];

  /**
   * Overwrite any existing resources.
   *
   * If this is set, we will use `kubectl apply` instead of `kubectl create`
   * when the resource is created. Otherwise, if there is already a resource
   * in the cluster with the same name, the operation will fail.
   *
   * Security note: with this enabled, an object that already exists under the
   * same name (possibly owned by another stack, team or tool) is silently
   * updated to match this manifest instead of failing the deployment. Keep it
   * off unless taking over existing objects is intended.
   *
   * @default false
   */
  readonly overwrite?: boolean;
}
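/**
 * Represents a manifest within the Kubernetes system.
 *
 * Alternatively, you can use `cluster.addManifest(resource[, resource, ...])`
 * to define resources on this cluster.
 *
 * Applies/deletes the manifest using `kubectl`, executed by the cluster's
 * `KubectlProvider`. Security note: the provider is handed the role in
 * `RoleArn` below, so everything in the manifest is created, updated, pruned
 * and deleted with that role's cluster permissions — review manifest contents
 * with that in mind.
 *
 * `props.manifest` is modified in place (prune label and ALB annotations are
 * injected into the caller's objects), so do not share one manifest array
 * between several `KubernetesManifest` constructs.
 */
export class KubernetesManifest extends Construct {
  /**
   * The CloudFormation resource type.
   */
  public static readonly RESOURCE_TYPE = 'Custom::AWSCDK-EKS-KubernetesResource';

  /**
   * Whether a manifest entry is something we should decorate: a non-null
   * object with a `kind`. Other entries (nulls, primitives, objects without
   * `kind`) are passed through to `kubectl` untouched. The explicit null check
   * matters because `typeof null === 'object'` would otherwise lead to a
   * property read on `null`.
   */
  private static isKubernetesObject(resource: unknown): resource is Record<string, any> {
    return resource !== null
      && typeof resource === 'object'
      && !!(resource as Record<string, any>).kind;
  }

  /**
   * @param scope the construct scope
   * @param id the construct id
   * @param props the cluster, the manifest and apply options
   */
  constructor(scope: Construct, id: string, props: KubernetesManifestProps) {
    super(scope, id);

    const stack = Stack.of(this);
    const provider = KubectlProvider.getOrCreate(this, props.cluster);

    // An explicit `prune` on this manifest wins over the cluster-wide default.
    const prune = props.prune ?? props.cluster.prune;
    const pruneLabel = prune
      ? this.injectPruneLabel(props.manifest)
      : undefined;

    if (props.ingressAlb ?? false) {
      this.injectIngressAlbAnnotations(props.manifest, props.ingressAlbScheme ?? AlbScheme.INTERNAL);
    }

    const customResource = new CustomResource(this, 'Resource', {
      serviceToken: provider.serviceToken,
      resourceType: KubernetesManifest.RESOURCE_TYPE,
      properties: {
        // `toJsonString` enables embedding CDK tokens in the manifest and will
        // render a CloudFormation-compatible JSON string (similar to
        // StepFunctions, CloudWatch Dashboards etc).
        Manifest: stack.toJsonString(props.manifest),
        ClusterName: props.cluster.clusterName,
        RoleArn: provider.roleArn, // TODO: bake into provider's environment
        PruneLabel: pruneLabel,
        Overwrite: props.overwrite,
        SkipValidation: props.skipValidation,
      },
    });

    this.node.defaultChild = customResource.node.defaultChild;
  }

  /**
   * Injects a generated prune label into every resource in this manifest. The
   * label key is `aws.cdk.eks/prune-<ADDR>` where `<ADDR>` is the address of
   * this construct in the construct tree; the value is empty.
   *
   * Entries that are not objects or carry no `kind` are left untouched. If a
   * resource already has a label with the same key, the user's value is kept.
   *
   * @param manifest the Kubernetes objects to label (mutated in place)
   * @returns the label key that was injected
   */
  private injectPruneLabel(manifest: Record<string, any>[]): string {
    // A label key's name segment is limited to 63 characters; `prune-` plus
    // the 42-character construct address stays well inside that.
    const pruneLabel = PRUNE_LABEL_PREFIX + Node.of(this).addr;

    for (const resource of manifest) {
      if (!KubernetesManifest.isKubernetesObject(resource)) {
        continue;
      }

      if (!resource.metadata) {
        resource.metadata = {};
      }
      // The user's labels are spread last so an explicit value for the prune
      // key is not overwritten.
      resource.metadata.labels = {
        [pruneLabel]: '',
        ...(resource.metadata.labels || {}),
      };
    }

    return pruneLabel;
  }

  /**
   * Inject the annotations that make the AWS Load Balancer Controller pick up
   * every `Ingress` in the manifest, using the requested scheme.
   *
   * Annotations already present on the resource take precedence over the
   * injected ones. Resources whose `kind` is not exactly `Ingress` are left
   * untouched.
   *
   * @param manifest the Kubernetes objects to annotate (mutated in place)
   * @param scheme the value written to `alb.ingress.kubernetes.io/scheme`
   *
   * @see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/
   */
  private injectIngressAlbAnnotations(manifest: Record<string, any>[], scheme: AlbScheme) {
    for (const resource of manifest) {
      if (!KubernetesManifest.isKubernetesObject(resource) || resource.kind !== 'Ingress') {
        continue;
      }

      // Nothing guarantees `metadata` exists here (the prune path that creates
      // it may be disabled), so create it before writing to it instead of
      // failing with a TypeError.
      if (!resource.metadata) {
        resource.metadata = {};
      }
      resource.metadata.annotations = {
        'kubernetes.io/ingress.class': 'alb',
        'alb.ingress.kubernetes.io/scheme': scheme,
        ...resource.metadata.annotations,
      };
    }
  }
}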