-
Notifications
You must be signed in to change notification settings - Fork 67
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
32dfe4d
commit a090e74
Showing
1 changed file
with
198 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,198 @@ | ||
#!/bin/bash | ||
|
||
#################################################################################################### | ||
# Script: kube-setup-s3-csi-driver.sh | ||
# | ||
# Description: | ||
# This script sets up the Mountpoint for Amazon S3 CSI driver in an EKS cluster. | ||
# It creates necessary IAM policies and roles. | ||
# | ||
# Usage: | ||
# gen3 kube-setup-s3-csi-driver [<bucket_name>] | ||
# | ||
#################################################################################################### | ||
|
||
source "${GEN3_HOME}/gen3/lib/utils.sh" | ||
gen3_load "gen3/lib/kube-setup-init" | ||
|
||
account_id=$(aws sts get-caller-identity --query "Account" --output text) | ||
vpc_name="$(gen3 api environment)" | ||
namespace="$(gen3 db namespace)" | ||
default_bucket_name_encrypted="gen3-db-backups-encrypted-${account_id}" | ||
bucket_name=${1:-$default_bucket_name_encrypted} | ||
|
||
cluster_arn=$(kubectl config current-context) | ||
eks_cluster=$(echo "$cluster_arn" | awk -F'/' '{print $2}') | ||
|
||
gen3_log_info "account_id: $account_id" | ||
gen3_log_info "vpc_name: $vpc_name" | ||
gen3_log_info "namespace: $namespace" | ||
gen3_log_info "bucket_name: $bucket_name" | ||
gen3_log_info "eks_cluster: $eks_cluster" | ||
|
||
# Create policy for Mountpoint for Amazon S3 CSI driver | ||
create_s3_csi_policy() { | ||
policy_name="AmazonS3CSIDriverPolicy" | ||
policy_arn=$(aws iam list-policies --query "Policies[?PolicyName == '$policy_name'].[Arn]" --output text) | ||
if [ -z "$policy_arn" ]; then | ||
cat <<EOF > /tmp/s3-csi-policy.json | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "MountpointFullBucketAccess", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:ListBucket" | ||
], | ||
"Resource": [ | ||
"arn:aws:s3:::${bucket_name}" | ||
] | ||
}, | ||
{ | ||
"Sid": "MountpointFullObjectAccess", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:GetObject", | ||
"s3:PutObject", | ||
"s3:AbortMultipartUpload", | ||
"s3:DeleteObject" | ||
], | ||
"Resource": [ | ||
"arn:aws:s3:::${bucket_name}/*" | ||
] | ||
} | ||
] | ||
} | ||
EOF | ||
policy_arn=$(aws iam create-policy --policy-name "$policy_name" --policy-document file:///tmp/s3-csi-policy.json --query "Policy.Arn" --output text) | ||
fi | ||
gen3_log_info "Created or found policy with ARN: $policy_arn" | ||
echo $policy_arn | ||
} | ||
|
||
# Create the trust policy for Mountpoint for Amazon S3 CSI driver | ||
create_s3_csi_trust_policy() { | ||
oidc_url=$(aws eks describe-cluster --name $eks_cluster --query 'cluster.identity.oidc.issuer' --output text | sed -e 's/^https:\/\///') | ||
cat <<EOF > /tmp/aws-s3-csi-driver-trust-policy.json | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_url}" | ||
}, | ||
"Action": "sts:AssumeRoleWithWebIdentity", | ||
"Condition": { | ||
"StringLike": { | ||
"${oidc_url}:aud": "sts.amazonaws.com", | ||
"${oidc_url}:sub": "system:serviceaccount:*:s3-csi-*" | ||
} | ||
} | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
# Create the IAM role for Mountpoint for Amazon S3 CSI driver | ||
create_s3_csi_role() { | ||
role_name="AmazonEKS_S3_CSI_DriverRole" | ||
if ! aws iam get-role --role-name $role_name 2>/dev/null; then | ||
aws iam create-role --role-name $role_name --assume-role-policy-document file:///tmp/aws-s3-csi-driver-trust-policy.json | ||
fi | ||
gen3_log_info "Created or found role: $role_name" | ||
echo $role_name | ||
} | ||
|
||
# Attach the policies to the IAM role | ||
attach_s3_csi_policies() { | ||
role_name=$1 | ||
policy_arn=$2 | ||
eks_policy_name="eks-s3-csi-policy" | ||
gen3_log_info "Attaching S3 CSI policy with ARN: $policy_arn to role: $role_name" | ||
eks_policy_arn=$(aws iam list-policies --query "Policies[?PolicyName == '$eks_policy_name'].Arn" --output text) | ||
if [ -z "$eks_policy_arn" ]; then | ||
cat <<EOF > /tmp/eks-s3-csi-policy.json | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:ListBucket", | ||
"s3:GetObject", | ||
"s3:PutObject", | ||
"s3:DeleteObject" | ||
], | ||
"Resource": [ | ||
"arn:aws:s3:::${bucket_name}", | ||
"arn:aws:s3:::${bucket_name}/*" | ||
] | ||
}, | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"kms:Decrypt", | ||
"kms:Encrypt", | ||
"kms:GenerateDataKey" | ||
], | ||
"Resource": "*" | ||
}, | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"eks:DescribeCluster" | ||
], | ||
"Resource": "*" | ||
} | ||
] | ||
} | ||
EOF | ||
eks_policy_arn=$(aws iam create-policy --policy-name "$eks_policy_name" --policy-document file:///tmp/eks-s3-csi-policy.json --query "Policy.Arn" --output text) | ||
fi | ||
aws iam attach-role-policy --role-name $role_name --policy-arn $policy_arn | ||
aws iam attach-role-policy --role-name $role_name --policy-arn $eks_policy_arn | ||
} | ||
|
||
# Create or update the CSI driver and its resources | ||
setup_csi_driver() { | ||
create_s3_csi_policy | ||
policy_arn=$(aws iam list-policies --query "Policies[?PolicyName == 'AmazonS3CSIDriverPolicy'].[Arn]" --output text) | ||
create_s3_csi_trust_policy | ||
create_s3_csi_role | ||
role_name=AmazonEKS_S3_CSI_DriverRole | ||
attach_s3_csi_policies $role_name $policy_arn | ||
|
||
# Install CSI driver | ||
gen3_log_info "eks cluster name: $eks_cluster" | ||
|
||
# Capture the output of the command and prevent it from exiting the script | ||
csi_driver_check=$(aws eks describe-addon --cluster-name $eks_cluster --addon-name aws-mountpoint-s3-csi-driver --query 'addon.addonName' --output text 2>&1 || true) | ||
|
||
if echo "$csi_driver_check" | grep -q "ResourceNotFoundException"; then | ||
gen3_log_info "CSI driver not found, installing..." | ||
aws eks create-addon --cluster-name $eks_cluster --addon-name aws-mountpoint-s3-csi-driver --service-account-role-arn arn:aws:iam::${account_id}:role/AmazonEKS_S3_CSI_DriverRole | ||
csi_status="CREATING" | ||
retries=0 | ||
while [ "$csi_status" != "ACTIVE" ] && [ $retries -lt 12 ]; do | ||
gen3_log_info "Waiting for CSI driver to become active... (attempt $((retries+1)))" | ||
sleep 10 | ||
csi_status=$(aws eks describe-addon --cluster-name $eks_cluster --addon-name aws-mountpoint-s3-csi-driver --query 'addon.status' --output text || echo "CREATING") | ||
retries=$((retries+1)) | ||
done | ||
if [ "$csi_status" == "ACTIVE" ]; then | ||
gen3_log_info "CSI driver successfully installed and active." | ||
else | ||
gen3_log_error "CSI driver installation failed or not active. Current status: $csi_status" | ||
fi | ||
elif echo "$csi_driver_check" | grep -q "aws-mountpoint-s3-csi-driver"; then | ||
gen3_log_info "CSI driver already exists, skipping installation." | ||
else | ||
gen3_log_info "Unexpected error occurred: $csi_driver_check" | ||
exit 1 | ||
fi | ||
} | ||
|
||
setup_csi_driver |