Comment 2 for bug 2049611

Gracjan Grabowski (gracjan-grabowski) wrote :

We use CloudFormation to set up the cluster. The AMI and Kubernetes version are specified in the CloudFormation parameters, and we just update the CloudFormation stack.
The master plane updates automatically during stack deployment. To change the worker nodes' AMI, we manually update the Launch Template version in the AWS EKS console.

We also use a UserData script for the worker nodes:
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/x-shellscript; charset="us-ascii"

#!/bin/bash
# retrieve current region via IMDSv2: fetch a session token, read the AZ, strip the trailing zone letter
TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 3600")
region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/\(.*\)[a-z]/\1/')
# look up the proxy secret ARN in SSM (${ProxyId} is substituted by CloudFormation), then read the credentials JSON from Secrets Manager
secret_arn=$(aws --region $region ssm get-parameter --name /proxy/paas/secret/arn/${ProxyId} --query 'Parameter.Value' | xargs)
credentials=$(aws --region $region secretsmanager get-secret-value --secret-id $secret_arn --query 'SecretString' --output text)
# extract username and password from the JSON; xargs strips the surrounding quotes
username=$(echo $credentials | grep -o '\"username\":\"[a-zA-Z0-9+-]\{0,\}\"' | awk -F":" '{ print $2 }' | xargs)
password=$(echo $credentials | grep -o '\"password\":\"[a-zA-Z0-9+-]\{0,\}\"' | awk -F":" '{ print $2 }' | xargs)
# build HTTP proxy url
proxy_http="http://$username:$password@**blurred**:8080"
# build HTTPS proxy url
proxy_https="https://$username:$password@**blurred**:8443"
# hosts that must bypass the proxy (IMDS, cluster-internal names, regional AWS endpoints)
no_proxy=localhost,127.0.0.1,169.254.169.254,.internal,s3.amazonaws.com,.$region.amazonaws.com,ec2.$region.amazonaws.com
NO_PROXY=localhost,127.0.0.1,169.254.169.254,.internal,s3.amazonaws.com,.$region.amazonaws.com,ec2.$region.amazonaws.com
# export the proxy settings for login shells (note: the proxy credentials are written in cleartext to this file)
/bin/echo "export http_proxy=$proxy_http" > /etc/profile.d/proxy.sh
/bin/echo "export https_proxy=$proxy_https" >> /etc/profile.d/proxy.sh
/bin/echo "export HTTP_PROXY=$proxy_http" >> /etc/profile.d/proxy.sh
/bin/echo "export HTTPS_PROXY=$proxy_https" >> /etc/profile.d/proxy.sh
/bin/echo "export no_proxy=$no_proxy" >> /etc/profile.d/proxy.sh
/bin/echo "export NO_PROXY=$no_proxy" >> /etc/profile.d/proxy.sh
source /etc/profile
# add apt setup script (apt goes through the SOCKS5 endpoint of the same proxy)
/bin/echo "# Making Apt Outbound Proxy aware" >> /etc/apt/apt.conf.d/proxy.conf
/bin/echo "Acquire::http::Proxy \"socks5h://$username:$password@**blurred**:8000\";" >> /etc/apt/apt.conf.d/proxy.conf
/bin/echo "Acquire::https::Proxy \"socks5h://$username:$password@**blurred**:8000\";" >> /etc/apt/apt.conf.d/proxy.conf
# join the cluster (the ${EksCluster...} values are filled in by CloudFormation Fn::Sub)
B64_CLUSTER_CA=${EksCluster.CertificateAuthorityData}
API_SERVER_URL=${EksCluster.Endpoint}
K8S_CLUSTER_DNS_IP=10.100.0.10
# --use-max-pods false so the explicit --max-pods=110 from kubelet-extra-args is honoured
/etc/eks/bootstrap.sh ${EksCluster} --kubelet-extra-args '--max-pods=110' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL --dns-cluster-ip $K8S_CLUSTER_DNS_IP --use-max-pods false
--//