README
¶
Vibe-io CDK-Extensions EC2 Construct Library
The cdk-extensions/eks-patterns module contains higher-level Amazon EKS constructs which follow common architectural patterns. It constains:
- Cluster Integrated with Common AWS Services
Cluster Integrated with Common AWS Services
To define an EKS cluster that comes pre-installed with common services many Kubernetes clusters running on AWS will use, instantiate one of the following:
- AwsIntegratedFargateCluster
declare const vpc: ec2.Vpc;
const cluster = new eks_patterns.AwsIntegratedFargateCluster(this, 'cluster', {
version: eks.KubernetesVersion.V1_21,
vpc: vpc,
vpcSubnets: [
{
onePerAz: true,
subnetGroupName: 'private'
}
]
});
Integrated Services
Route 53
Route 53 integration is provided by means of the External DNS Kubernetes Add-on. Services and ingresses in the cluster can be discovered and External DNS will manage appropriate DNS records in Route 53.
External DNS is enabled by default and must be explicitly disabled using:
const cluster = new eks_patterns.AwsIntegratedFargateCluster(this, 'cluster', {
externalDnsOptions: {
enabled: false,
},
version: eks.KubernetesVersion.V1_21,
});
Container Insights
Integration with Container Insights is implemented using AWS Distro for OpenTelemetry as described in this AWS blog post.
This help you collect, aggregate, and visualize advanced metrics from your services running on EKS and Fargate.
Container Insights is enabled by default and must be explicitly disabled using:
const cluster = new eks_patterns.AwsIntegratedFargateCluster(this, 'cluster', {
cloudWatchMonitoringOptions: {
enabled: false,
},
version: eks.KubernetesVersion.V1_21,
});
CloudWatch Logs
CloudWatch Logs integration is provided using the built-in log router provided by Fargate.
Currently this will ship logs for all containers to a CloudWatch log group that can be filtered to find the pods for specific pods and services.
We plan to expand the functionality of this resource to expand log destinations and provide more advanced log filtering.
Container Insights is enabled by default and must be explicitly disabled using:
const cluster = new eks_patterns.AwsIntegratedFargateCluster(this, 'cluster', {
fargateLogger: {
enabled: false,
},
version: eks.KubernetesVersion.V1_21,
});
Secrets Manager
Integration to Secrets Manager is provided using the External Secrets Operatore Kubernetes operator.
You can use it to configure links between Secrets Manager secrets (such as those created for RDS instances) and Kubernetes secrets which can be exposed to your pods as environment variables. Changes to the secret in Secrets Manager will automatically be synchronized into the secret in the EKS cluster.
Secrets Manager integration is enabled by default and must be explicitly disabled using:
const cluster = new eks_patterns.AwsIntegratedFargateCluster(this, 'cluster', {
externalSecretsOptions: {
enabled: false,
},
version: eks.KubernetesVersion.V1_21,
});
Documentation
¶
Index ¶
- func AwsIntegratedFargateCluster_IsConstruct(x interface{}) *bool
- func AwsIntegratedFargateCluster_IsOwnedResource(construct constructs.IConstruct) *bool
- func AwsIntegratedFargateCluster_IsResource(construct constructs.IConstruct) *bool
- func NewAwsIntegratedFargateCluster_Override(a AwsIntegratedFargateCluster, scope constructs.Construct, id *string, ...)
- type AwsIntegratedFargateCluster
- type AwsIntegratedFargateClusterProps
- type ClusterFargateLoggingOptions
- type ClusterPrometheusOptions
- type ClusterRoute53DnsOptions
- type ContainerInsightsOptions
- type ExternalSecretsOptions
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AwsIntegratedFargateCluster_IsConstruct ¶
func AwsIntegratedFargateCluster_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.
func AwsIntegratedFargateCluster_IsOwnedResource ¶
func AwsIntegratedFargateCluster_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func AwsIntegratedFargateCluster_IsResource ¶
func AwsIntegratedFargateCluster_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func NewAwsIntegratedFargateCluster_Override ¶
func NewAwsIntegratedFargateCluster_Override(a AwsIntegratedFargateCluster, scope constructs.Construct, id *string, props *AwsIntegratedFargateClusterProps)
Types ¶
type AwsIntegratedFargateCluster ¶
type AwsIntegratedFargateCluster interface {
awscdk.Resource
AdotCollector() k8saws.AdotCollector
// The environment this resource belongs to.
//
// For resources that are created and managed by the CDK
// (generally, those created by creating new class instances like Role, Bucket, etc.),
// this is always the same as the environment of the stack they belong to;
// however, for imported resources
// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
// that might be different than the stack they were imported into.
Env() *awscdk.ResourceEnvironment
ExternalSecrets() k8saws.ExternalSecretsOperator
FargateLogger() k8saws.FargateLogger
// The tree node.
Node() constructs.Node
// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
//
// This value will resolve to one of the following:
// - a concrete value (e.g. `"my-awesome-bucket"`)
// - `undefined`, when a name should be generated by CloudFormation
// - a concrete name generated automatically during synthesis, in
// cross-environment scenarios.
PhysicalName() *string
PrometheusService() k8sfargate.Prometheus
PrometheusWorkspace() aps.IWorkspace
Resource() awseks.FargateCluster
Route53Dns() k8saws.Route53Dns
// The stack in which this resource is defined.
Stack() awscdk.Stack
// Apply the given removal policy to this resource.
//
// The Removal Policy controls what happens to this resource when it stops
// being managed by CloudFormation, either because you've removed it from the
// CDK application or because you've made a change that requires the resource
// to be replaced.
//
// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
GeneratePhysicalName() *string
// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
//
// Normally, this token will resolve to `arnAttr`, but if the resource is
// referenced across environments, `arnComponents` will be used to synthesize
// a concrete ARN with the resource's physical name. Make sure to reference
// `this.physicalName` in `arnComponents`.
GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
//
// Normally, this token will resolve to `nameAttr`, but if the resource is
// referenced across environments, it will be resolved to `this.physicalName`,
// which will be a concrete name.
GetResourceNameAttribute(nameAttr *string) *string
RegisterSecretsManagerSecret(id *string, secret awssecretsmanager.ISecret, options *k8saws.NamespacedExternalSecretOptions) k8saws.ExternalSecret
RegisterSsmParameterSecret(id *string, parameter awsssm.IParameter, options *k8saws.NamespacedExternalSecretOptions) k8saws.ExternalSecret
// Returns a string representation of this construct.
ToString() *string
}
func NewAwsIntegratedFargateCluster ¶
func NewAwsIntegratedFargateCluster(scope constructs.Construct, id *string, props *AwsIntegratedFargateClusterProps) AwsIntegratedFargateCluster
type AwsIntegratedFargateClusterProps ¶
type AwsIntegratedFargateClusterProps struct {
// The Kubernetes version to run in the cluster.
Version awseks.KubernetesVersion `field:"required" json:"version" yaml:"version"`
// Name for the cluster.
// Default: - Automatically generated name.
//
ClusterName *string `field:"optional" json:"clusterName" yaml:"clusterName"`
// Determines whether a CloudFormation output with the name of the cluster will be synthesized.
// Default: false.
//
OutputClusterName *bool `field:"optional" json:"outputClusterName" yaml:"outputClusterName"`
// Determines whether a CloudFormation output with the `aws eks update-kubeconfig` command will be synthesized.
//
// This command will include
// the cluster name and, if applicable, the ARN of the masters IAM role.
// Default: true.
//
OutputConfigCommand *bool `field:"optional" json:"outputConfigCommand" yaml:"outputConfigCommand"`
// Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf.
// Default: - A role is automatically created for you.
//
Role awsiam.IRole `field:"optional" json:"role" yaml:"role"`
// Security Group to use for Control Plane ENIs.
// Default: - A security group is automatically created.
//
SecurityGroup awsec2.ISecurityGroup `field:"optional" json:"securityGroup" yaml:"securityGroup"`
// The VPC in which to create the Cluster.
// Default: - a VPC with default configuration will be created and can be accessed through `cluster.vpc`.
//
Vpc awsec2.IVpc `field:"optional" json:"vpc" yaml:"vpc"`
// Where to place EKS Control Plane ENIs.
//
// For example, to only select private subnets, supply the following:
//
// `vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`
// Default: - All public and private subnets.
//
VpcSubnets *[]*awsec2.SubnetSelection `field:"optional" json:"vpcSubnets" yaml:"vpcSubnets"`
// Install the AWS Load Balancer Controller onto the cluster.
// See: https://kubernetes-sigs.github.io/aws-load-balancer-controller
//
// Default: - The controller is not installed.
//
AlbController *awseks.AlbControllerOptions `field:"optional" json:"albController" yaml:"albController"`
// An AWS Lambda layer that contains the `aws` CLI.
//
// The handler expects the layer to include the following executables:
//
// “`
// /opt/awscli/aws
// “`.
// Default: - a default layer with the AWS CLI 1.x
//
AwscliLayer awslambda.ILayerVersion `field:"optional" json:"awscliLayer" yaml:"awscliLayer"`
// Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle.
// Default: - No environment variables.
//
ClusterHandlerEnvironment *map[string]*string `field:"optional" json:"clusterHandlerEnvironment" yaml:"clusterHandlerEnvironment"`
// A security group to associate with the Cluster Handler's Lambdas.
//
// The Cluster Handler's Lambdas are responsible for calling AWS's EKS API.
//
// Requires `placeClusterHandlerInVpc` to be set to true.
// Default: - No security group.
//
ClusterHandlerSecurityGroup awsec2.ISecurityGroup `field:"optional" json:"clusterHandlerSecurityGroup" yaml:"clusterHandlerSecurityGroup"`
// The cluster log types which you want to enable.
// Default: - none.
//
ClusterLogging *[]awseks.ClusterLoggingTypes `field:"optional" json:"clusterLogging" yaml:"clusterLogging"`
// Controls the "eks.amazonaws.com/compute-type" annotation in the CoreDNS configuration on your cluster to determine which compute type to use for CoreDNS.
// Default: CoreDnsComputeType.EC2 (for `FargateCluster` the default is FARGATE)
//
CoreDnsComputeType awseks.CoreDnsComputeType `field:"optional" json:"coreDnsComputeType" yaml:"coreDnsComputeType"`
// Configure access to the Kubernetes API server endpoint..
// See: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
//
// Default: EndpointAccess.PUBLIC_AND_PRIVATE
//
EndpointAccess awseks.EndpointAccess `field:"optional" json:"endpointAccess" yaml:"endpointAccess"`
// Specify which IP family is used to assign Kubernetes pod and service IP addresses.
// See: https://docs.aws.amazon.com/eks/latest/APIReference/API_KubernetesNetworkConfigRequest.html#AmazonEKS-Type-KubernetesNetworkConfigRequest-ipFamily
//
// Default: - IpFamily.IP_V4
//
IpFamily awseks.IpFamily `field:"optional" json:"ipFamily" yaml:"ipFamily"`
// Environment variables for the kubectl execution.
//
// Only relevant for kubectl enabled clusters.
// Default: - No environment variables.
//
KubectlEnvironment *map[string]*string `field:"optional" json:"kubectlEnvironment" yaml:"kubectlEnvironment"`
// An AWS Lambda Layer which includes `kubectl` and Helm.
//
// This layer is used by the kubectl handler to apply manifests and install
// helm charts. You must pick an appropriate releases of one of the
// `@aws-cdk/layer-kubectl-vXX` packages, that works with the version of
// Kubernetes you have chosen. If you don't supply this value `kubectl`
// 1.20 will be used, but that version is most likely too old.
//
// The handler expects the layer to include the following executables:
//
// “`
// /opt/helm/helm
// /opt/kubectl/kubectl
// “`.
// Default: - a default layer with Kubectl 1.20.
//
KubectlLayer awslambda.ILayerVersion `field:"optional" json:"kubectlLayer" yaml:"kubectlLayer"`
// Amount of memory to allocate to the provider's lambda function.
// Default: Size.gibibytes(1)
//
KubectlMemory awscdk.Size `field:"optional" json:"kubectlMemory" yaml:"kubectlMemory"`
// An IAM role that will be added to the `system:masters` Kubernetes RBAC group.
// See: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
//
// Default: - no masters role.
//
MastersRole awsiam.IRole `field:"optional" json:"mastersRole" yaml:"mastersRole"`
// An AWS Lambda Layer which includes the NPM dependency `proxy-agent`.
//
// This layer
// is used by the onEvent handler to route AWS SDK requests through a proxy.
//
// By default, the provider will use the layer included in the
// "aws-lambda-layer-node-proxy-agent" SAR application which is available in all
// commercial regions.
//
// To deploy the layer locally define it in your app as follows:
//
// “`ts
// const layer = new lambda.LayerVersion(this, 'proxy-agent-layer', {
// code: lambda.Code.fromAsset(`${__dirname}/layer.zip`),
// compatibleRuntimes: [lambda.Runtime.NODEJS_LATEST],
// });
// “`.
// Default: - a layer bundled with this module.
//
OnEventLayer awslambda.ILayerVersion `field:"optional" json:"onEventLayer" yaml:"onEventLayer"`
// Determines whether a CloudFormation output with the ARN of the "masters" IAM role will be synthesized (if `mastersRole` is specified).
// Default: false.
//
OutputMastersRoleArn *bool `field:"optional" json:"outputMastersRoleArn" yaml:"outputMastersRoleArn"`
// If set to true, the cluster handler functions will be placed in the private subnets of the cluster vpc, subject to the `vpcSubnets` selection strategy.
// Default: false.
//
PlaceClusterHandlerInVpc *bool `field:"optional" json:"placeClusterHandlerInVpc" yaml:"placeClusterHandlerInVpc"`
// Indicates whether Kubernetes resources added through `addManifest()` can be automatically pruned.
//
// When this is enabled (default), prune labels will be
// allocated and injected to each resource. These labels will then be used
// when issuing the `kubectl apply` operation with the `--prune` switch.
// Default: true.
//
Prune *bool `field:"optional" json:"prune" yaml:"prune"`
// KMS secret for envelope encryption for Kubernetes secrets.
// Default: - By default, Kubernetes stores all secret object data within etcd and
// all etcd volumes used by Amazon EKS are encrypted at the disk-level
// using AWS-Managed encryption keys.
//
SecretsEncryptionKey awskms.IKey `field:"optional" json:"secretsEncryptionKey" yaml:"secretsEncryptionKey"`
// The CIDR block to assign Kubernetes service IP addresses from.
// See: https://docs.aws.amazon.com/eks/latest/APIReference/API_KubernetesNetworkConfigRequest.html#AmazonEKS-Type-KubernetesNetworkConfigRequest-serviceIpv4Cidr
//
// Default: - Kubernetes assigns addresses from either the
// 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
//
ServiceIpv4Cidr *string `field:"optional" json:"serviceIpv4Cidr" yaml:"serviceIpv4Cidr"`
// Fargate Profile to create along with the cluster.
// Default: - A profile called "default" with 'default' and 'kube-system'
// selectors will be created if this is left undefined.
//
DefaultProfile *awseks.FargateProfileOptions `field:"optional" json:"defaultProfile" yaml:"defaultProfile"`
ContainerInsightsOptions *ContainerInsightsOptions `field:"optional" json:"containerInsightsOptions" yaml:"containerInsightsOptions"`
ExternalDnsOptions *ClusterRoute53DnsOptions `field:"optional" json:"externalDnsOptions" yaml:"externalDnsOptions"`
ExternalSecretsOptions *ExternalSecretsOptions `field:"optional" json:"externalSecretsOptions" yaml:"externalSecretsOptions"`
LoggingOptions *ClusterFargateLoggingOptions `field:"optional" json:"loggingOptions" yaml:"loggingOptions"`
PrometheusOptions *ClusterPrometheusOptions `field:"optional" json:"prometheusOptions" yaml:"prometheusOptions"`
}
type ClusterFargateLoggingOptions ¶ added in v0.0.33
type ClusterFargateLoggingOptions struct {
// A default list of Fargate profiles that should have permissions configured.
//
// Alternatively profiles can be added at any time by calling
// `addProfile`.
FargateProfiles *[]awseks.FargateProfile `field:"optional" json:"fargateProfiles" yaml:"fargateProfiles"`
// The filters that should be applied to logs being processed.
Filters *[]k8saws.IFluentBitFilterPlugin `field:"optional" json:"filters" yaml:"filters"`
// The CloudWatch log group where Farget container logs will be sent.
LogGroup awslogs.ILogGroup `field:"optional" json:"logGroup" yaml:"logGroup"`
// The output destinations where logs should be written.
Outputs *[]k8saws.IFluentBitOutputPlugin `field:"optional" json:"outputs" yaml:"outputs"`
// The parsers to be used when reading log files.
Parsers *[]k8saws.IFluentBitParserPlugin `field:"optional" json:"parsers" yaml:"parsers"`
// Controls whether logging will be set up for pods using the default Fargate provide on the EKS cluster.
// Default: true.
//
Enabled *bool `field:"optional" json:"enabled" yaml:"enabled"`
}
Configuration options for enabling persistent logging for Fargate containers on the cluster.
type ClusterPrometheusOptions ¶ added in v0.0.45
type ClusterPrometheusOptions struct {
// The Kubernetes namespace where the service should be deployed.
Namespace *string `field:"optional" json:"namespace" yaml:"namespace"`
// Configures the queue used to write to Amazon Managed Service for Prometheus.
QueueConfiguration *k8sfargate.QueueConfiguration `field:"optional" json:"queueConfiguration" yaml:"queueConfiguration"`
// Name of the Kubernetes service account that should be created and used by Prometheus.
ServiceAccountName *string `field:"optional" json:"serviceAccountName" yaml:"serviceAccountName"`
Enabled *bool `field:"optional" json:"enabled" yaml:"enabled"`
Workspace aps.IWorkspace `field:"optional" json:"workspace" yaml:"workspace"`
}
type ClusterRoute53DnsOptions ¶ added in v0.0.33
type ClusterRoute53DnsOptions struct {
// Maximum number of retries for AWS API calls before giving up.
// Default: 3.
//
ApiRetries *float64 `field:"optional" json:"apiRetries" yaml:"apiRetries"`
// Set the maximum number of changes that will be applied in each batch.
// Default: 1000.
//
BatchChangeSize *float64 `field:"optional" json:"batchChangeSize" yaml:"batchChangeSize"`
// Limits possible target zones by domain suffixes.
DomainFilter *[]*string `field:"optional" json:"domainFilter" yaml:"domainFilter"`
// Sets a flag determining whether the health of the backend service should be evaluated when determining DNS routing.
EvaluateTargetHealth *bool `field:"optional" json:"evaluateTargetHealth" yaml:"evaluateTargetHealth"`
// Sets the output format external dns will use when generating logs.
// Default: {@link ExternalDnsLogLevel.JSON }
//
LogFormat k8saws.ExternalDnsLogFormat `field:"optional" json:"logFormat" yaml:"logFormat"`
// Controls the verbosity of logs generated using the external-dns service.
// Default: {@link ExternalDnsLogLevel.INFO }
//
LogLevel k8saws.ExternalDnsLogLevel `field:"optional" json:"logLevel" yaml:"logLevel"`
// The Kubernetes namespace where the service should be deployed.
// Default: 'kube-system'.
//
Namespace *string `field:"optional" json:"namespace" yaml:"namespace"`
// When true, alias records will be avoided and CNAME records will be used instead.
// Default: false.
//
PreferCname *bool `field:"optional" json:"preferCname" yaml:"preferCname"`
// Registry specifying how ExternalDNS should track record ownership.
//
// Without a registry to track record ownership, External has no way to know
// which records it owns and manages and which are owned and managed by a
// different service.
//
// This can cause conflicts if there are multiple instances of External DNS
// running or if there are other services managing DNS records in similar
// zones as the different services could try to make conflicting changes due
// to lacking a shared state.
// Default: A TXT registry configured with defaults.
//
RecordOwnershipRegistry k8saws.IExternalDnsRegistry `field:"optional" json:"recordOwnershipRegistry" yaml:"recordOwnershipRegistry"`
// Override the default region external-dns uses when calling AWS API's.
Region *string `field:"optional" json:"region" yaml:"region"`
// Desired number of ExternalDNS replicas.
// Default: 1.
//
ReplicaCount *float64 `field:"optional" json:"replicaCount" yaml:"replicaCount"`
// Controls the operations ExternalDNS will perform on the records it manages.
// Default: {@link ExternalDnsSyncPolicy.SYNC }
//
SyncPolicy k8saws.ExternalDnsSyncPolicy `field:"optional" json:"syncPolicy" yaml:"syncPolicy"`
// A set of tags that can be used to restrict which hosted zones external DNS will make changes to.
ZoneTags *[]*k8saws.ExternalDnsZoneTag `field:"optional" json:"zoneTags" yaml:"zoneTags"`
// Controls the types of hosted zones external-dns will create records for.
// Default: ExternalDnsZoneType.ALL
//
ZoneType k8saws.ExternalDnsZoneType `field:"optional" json:"zoneType" yaml:"zoneType"`
Enabled *bool `field:"optional" json:"enabled" yaml:"enabled"`
}
type ContainerInsightsOptions ¶ added in v0.0.33
type ContainerInsightsOptions struct {
// Flag that controls whether CloudWatch Monitoring should be enabled or not.
// Default: true.
//
Enabled *bool `field:"optional" json:"enabled" yaml:"enabled"`
// The Kubernetes namespace where resources related to the the configuration of Container Insights will be created.
// Default: {@link AdotCollector.DEFAULT_NAMESPACE }
//
Namespace *string `field:"optional" json:"namespace" yaml:"namespace"`
}
Configuration options for enabling CloudWatch monitoring on the cluster.
type ExternalSecretsOptions ¶
type ExternalSecretsOptions struct {
CreateNamespace *bool `field:"optional" json:"createNamespace" yaml:"createNamespace"`
Enabled *bool `field:"optional" json:"enabled" yaml:"enabled"`
Name *string `field:"optional" json:"name" yaml:"name"`
Namespace *string `field:"optional" json:"namespace" yaml:"namespace"`
}
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.