Merge pull request #60 from kiranmeduri/irsa

Update README with steps to use EKS IAM Roles for Service Account
aws · Feb 25, 2020 · 009c46e · 009c46e
2 parents 3515065 + 993ffad
commit 009c46e
Showing 1 changed file with 81 additions and 4 deletions.
diff --git a/stable/appmesh-controller/README.md b/stable/appmesh-controller/README.md
@@ -20,6 +20,8 @@ App Mesh controller Helm chart for Kubernetes
                 "servicediscovery:RegisterInstance",
                 "servicediscovery:DeregisterInstance",
                 "servicediscovery:ListInstances",
+                "servicediscovery:ListNamespaces",
+                "servicediscovery:ListServices",
                 "route53:GetHealthCheck",
                 "route53:CreateHealthCheck",
                 "route53:UpdateHealthCheck",
@@ -48,13 +50,91 @@ kubectl apply -k github.com/aws/eks-charts/stable/appmesh-controller//crds?ref=m
 
 Install the App Mesh CRD controller:
 
+### Regular Kubernetes distribution
+
 ```sh
 helm upgrade -i appmesh-controller eks/appmesh-controller \
---namespace appmesh-system
+    --namespace appmesh-system
 ```
 
 The [configuration](#configuration) section lists the parameters that can be configured during installation.
 
+### EKS on Fargate
+
+```
+export CLUSTER_NAME=<eks-cluster-name>
+export AWS_REGION=<aws-region e.g. us-east-1>
+```
+
+Create namespace
+```sh
+kubectl create ns appmesh-system
+```
+
+Setup fargate-profile
+```sh
+eksctl create fargateprofile --cluster $CLUSTER_NAME --namespace appmesh-system
+```
+
+Enable IAM OIDC provider
+```sh
+eksctl utils associate-iam-oidc-provider --region=$AWS_REGION --cluster=$CLUSTER_NAME --approve
+```
+
+Create IRSA for appmesh-controller
+```sh
+eksctl create iamserviceaccount --cluster $CLUSTER_NAME \
+        --namespace appmesh-system \
+        --name appmesh-controller \
+        --attach-policy-arn  arn:aws:iam::aws:policy/AWSCloudMapFullAccess,arn:aws:iam::aws:policy/AWSAppMeshFullAccess \
+        --override-existing-serviceaccounts \
+        --approve
+```
+
+Deploy appmesh-controller
+```sh
+helm upgrade -i appmesh-controller eks/appmesh-controller \
+    --namespace appmesh-system \
+    --set region=$AWS_REGION \
+    --set serviceAccount.create=false \
+    --set serviceAccount.name=appmesh-controller
+```
+
+### EKS with IAM Roles for Service Account
+
+```
+export CLUSTER_NAME=<eks-cluster-name>
+export AWS_REGION=<aws-region e.g. us-east-1>
+```
+
+Create namespace
+```sh
+kubectl create ns appmesh-system
+```
+
+Create IRSA for appmesh-controller
+```sh
+eksctl utils associate-iam-oidc-provider --region=$AWS_REGION \
+    --cluster=$CLUSTER_NAME \
+    --approve
+
+eksctl create iamserviceaccount --cluster $CLUSTER_NAME \
+    --namespace appmesh-system \
+    --name appmesh-controller \
+    --attach-policy-arn  arn:aws:iam::aws:policy/AWSCloudMapFullAccess,arn:aws:iam::aws:policy/AWSAppMeshFullAccess \
+    --override-existing-serviceaccounts \
+    --approve
+```
+
+Deploy appmesh-controller
+```sh
+helm upgrade -i appmesh-controller eks/appmesh-controller \
+    --namespace appmesh-system \
+    --set region=$AWS_REGION \
+    --set serviceAccount.create=false \
+    --set serviceAccount.name=appmesh-controller
+```
+
 ## Uninstalling the Chart
 
 To uninstall/delete the `appmesh-controller` deployment:
@@ -87,6 +167,3 @@ Parameter | Description | Default
 `rbac.pspEnabled` | If `true`, create and use a restricted pod security policy | `false`
 `serviceAccount.create` | If `true`, create a new service account | `true`
 `serviceAccount.name` | Service account to be used | None
-
-
-