@@ -18,29 +18,80 @@ function toggle_windows_scheduling(){
1818 done
1919}
2020
21- echo " Cordon off windows nodes"
21+ TEST_ID=$( date +%s)
22+ echo " TEST_ID: $TEST_ID "
23+ ROLE_NAME=" aws-load-balancer-controller-$TEST_ID "
24+
25+ function cleanUp(){
26+ # Need to recreae aws-load-balancer controller if we are updating SA
27+ echo " delete aws-load-balancer-controller if exists"
28+ helm delete aws-load-balancer-controller -n kube-system --timeout=10m || true
29+
30+ echo " delete service account if exists"
31+ kubectl delete serviceaccount aws-load-balancer-controller -n kube-system --timeout 10m || true
32+
33+ # IAM role and polcies are AWS Account specific, so need to clean them up if any from previous run
34+ echo " detach IAM policy if it exists"
35+ aws iam detach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::$ACCOUNT_ID :policy/AWSLoadBalancerControllerIAMPolicy || true
36+
37+ echo " delete $ROLE_NAME if it exists"
38+ aws iam delete-role --role-name $ROLE_NAME || true
39+
40+ # Need to do this as last step
41+ echo " delete AWSLoadBalancerControllerIAMPolicy if it exists"
42+ aws iam delete-policy --policy-arn arn:aws:iam::$ACCOUNT_ID :policy/AWSLoadBalancerControllerIAMPolicy || true
43+ }
44+
45+ echo " cordon off windows nodes"
2246toggle_windows_scheduling " cordon"
2347
24- eksctl utils associate-iam-oidc-provider \
25- --region $REGION \
26- --cluster $CLUSTER_NAME \
27- --approve
48+ echo " fetch OIDC provider"
49+ OIDC_PROVIDER=$( echo $CLUSTER_INFO | jq -r ' .cluster.identity.oidc.issuer' | sed -e " s/^https:\/\///" )
50+ echo " OIDC Provider: $OIDC_PROVIDER "
51+
52+ echo " create IAM policy document file"
53+ cat << EOF > trust.json
54+ {
55+ "Version": "2012-10-17",
56+ "Statement": [
57+ {
58+ "Effect": "Allow",
59+ "Principal": {
60+ "Federated": "arn:aws:iam::${ACCOUNT_ID} :oidc-provider/${OIDC_PROVIDER} "
61+ },
62+ "Action": "sts:AssumeRoleWithWebIdentity",
63+ "Condition": {
64+ "StringEquals": {
65+ "${OIDC_PROVIDER} :aud": "sts.amazonaws.com",
66+ "${OIDC_PROVIDER} :sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"
67+ }
68+ }
69+ }
70+ ]
71+ }
72+ EOF
73+
74+ echo " cleanup any stale resources from previous run"
75+ cleanUp
2876
29- echo " Creating AWSLoadbalancerController IAM Policy"
77+ echo " create Role with above policy document"
78+ aws iam create-role --role-name $ROLE_NAME --assume-role-policy-document file://trust.json --description " IAM Role to be used by aws-load-balancer-controller SA" || true
79+
80+ echo " creating AWSLoadbalancerController IAM Policy"
3081aws iam create-policy \
3182 --policy-name AWSLoadBalancerControllerIAMPolicy \
3283 --policy-document file://" $SCRIPT_DIR " || true
3384
34- echo " Creating IAM serviceaccount "
35- eksctl create iamserviceaccount \
36- --cluster= $CLUSTER_NAME \
37- --namespace=kube-system \
38- --name= aws-load-balancer-controller \
39- --attach-policy-arn=arn:aws:iam:: $ACCOUNT_ID :policy/AWSLoadBalancerControllerIAMPolicy \
40- --override-existing-serviceaccounts \
41- --approve || true
85+ echo " attaching AWSLoadbalancerController IAM Policy to $ROLE_NAME "
86+ aws iam attach-role-policy --policy-arn arn:aws:iam:: $ACCOUNT_ID :policy/AWSLoadBalancerControllerIAMPolicy --role-name $ROLE_NAME || true
87+
88+ echo " create service account "
89+ kubectl create serviceaccount aws-load-balancer-controller -n kube-system || true
90+
91+ echo " annotate service account with $ROLE_NAME "
92+ kubectl annotate serviceaccount -n kube-system aws-load-balancer-controller eks.amazonaws.com/role-arn=arn:aws:iam:: " $ACCOUNT_ID " :role/ " $ROLE_NAME " --overwrite=true || true
4293
43- echo " Update helm repo eks"
94+ echo " update helm repo eks"
4495helm repo add eks https://aws.github.io/eks-charts
4596
4697helm repo update
@@ -97,20 +148,13 @@ run_ginkgo_test
97148echo " Fetch most recent aws-load-balancer-controller logs"
98149kubectl logs -l app.kubernetes.io/name=aws-load-balancer-controller --container aws-load-balancer-controller --tail=-1 -n kube-system
99150
100- echo " Delete aws-load-balancer-controller"
101- helm delete aws-load-balancer-controller -n kube-system --timeout=10m || true
102-
103- echo " Delete iamserviceaccount"
104- eksctl delete iamserviceaccount --name aws-load-balancer-controller --namespace kube-system --cluster $CLUSTER_NAME --timeout=10m || true
105-
106- echo " Delete TargetGroupBinding CRDs"
107- kubectl delete -k " github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master" || true
108-
109151echo " Uncordon windows nodes"
110152toggle_windows_scheduling " uncordon"
111153
112- # Need to do this as last step
113- echo " Delete IAM Policy"
114- aws iam delete-policy --policy-arn arn:aws:iam::$ACCOUNT_ID :policy/AWSLoadBalancerControllerIAMPolicy || true
154+ echo " clean up resources from current run"
155+ cleanUp
156+
157+ echo " Delete TargetGroupBinding CRDs if exists"
158+ kubectl delete -k " github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master" || true
115159
116160echo " Successfully finished the test suite $(( $SECONDS / 60 )) $(( $SECONDS % 60 )) "
0 commit comments