add customize cluster dns example

Author: VardyNg

KaaS/Elastic Kubernetes Service(EKS)/Terraform/custom-cluster-domain/README.md

@@ -0,0 +1,25 @@
+## This template illustrate the use of custom launch template in Managed Node Group
+
+Key configuration `clusterDomain`: 
+```
+Content-Type: multipart/mixed; boundary="BOUNDARY"
+MIME-Version: 1.0
+
+--BOUNDARY
+Content-Transfer-Encoding: 7bit
+Content-Type: application/node.eks.aws
+Mime-Version: 1.0
+
+---
+apiVersion: node.eks.aws/v1alpha1
+kind: NodeConfig
+spec:
+  cluster:
+    name: ${module.eks.cluster_name}
+    apiServerEndpoint: ${module.eks.cluster_endpoint}
+    certificateAuthority: ${module.eks.cluster_certificate_authority_data}
+    cidr: ${module.eks.cluster_service_cidr}
+  kubelet:
+    config:
+      clusterDomain: test.example # <- here
+```

KaaS/Elastic Kubernetes Service(EKS)/Terraform/custom-cluster-domain/data.tf

@@ -0,0 +1,17 @@
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_availability_zones" "available" {}
+data "aws_eks_cluster_auth" "this" {
+  name = module.eks.cluster_name
+}
+locals {
+  name   = basename(path.cwd)
+  region = var.region
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  tags = {
+    project  = local.name
+  }
+}

KaaS/Elastic Kubernetes Service(EKS)/Terraform/custom-cluster-domain/eks.tf

@@ -0,0 +1,35 @@
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 20.0"
+
+  cluster_name                   = local.name
+  cluster_version                = var.eks_version
+  cluster_endpoint_public_access = true
+  cluster_endpoint_private_access = true
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  access_entries = {
+    # One access entry with a policy associated
+    admin = {
+      kubernetes_groups = []
+      principal_arn     = data.aws_caller_identity.current.arn
+
+      policy_associations = {
+        admin = {
+          policy_arn = "arn:${data.aws_partition.current.partition}:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+          access_scope = {
+            type       = "cluster"
+          }
+        }
+      }
+    }
+  }
+
+  tags = local.tags
+}
+
+data "aws_ssm_parameter" "windows_ami" {
+  name = "/aws/service/eks/optimized-ami/1.29/amazon-linux-2023/x86_64/standard/recommended/image_id"
+}

KaaS/Elastic Kubernetes Service(EKS)/Terraform/custom-cluster-domain/iam.tf

@@ -0,0 +1,35 @@
+# IAM Role for EKS worker nodes
+resource "aws_iam_role" "eks_worker_role" {
+  name = "${local.name}-eks-worker-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+# Attach the AmazonEKSWorkerNodePolicy to the IAM Role
+resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" {
+  role       = aws_iam_role.eks_worker_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+}
+
+# Attach the AmazonEC2ContainerRegistryReadOnly policy to allow access to ECR
+resource "aws_iam_role_policy_attachment" "eks_ecr_readonly_policy" {
+  role       = aws_iam_role.eks_worker_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+}
+
+# Attach the AmazonEKS_CNI_Policy for networking permissions
+resource "aws_iam_role_policy_attachment" "eks_cni_policy" {
+  role       = aws_iam_role.eks_worker_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+}

KaaS/Elastic Kubernetes Service(EKS)/Terraform/custom-cluster-domain/k8s.tf

@@ -0,0 +1,79 @@
+resource "kubernetes_daemonset" "dnsutils" {
+  metadata {
+    name      = "dnsutils"
+    namespace = "default"
+  }
+  spec {
+    selector {
+      match_labels = {
+        name = "dnsutils"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          name = "dnsutils"
+        }
+      }
+      spec {
+        container {
+          name    = "dnsutils"
+          image   = "tutum/dnsutils"
+          command = ["sleep", "3600"]
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_deployment" "nginx" {
+  metadata {
+    name      = "nginx-sample"
+    namespace = "default"
+    labels = {
+      app = "nginx-sample"
+    }
+  }
+  spec {
+    replicas = 2
+    selector {
+      match_labels = {
+        app = "nginx-sample"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "nginx-sample"
+        }
+      }
+      spec {
+        container {
+          name  = "nginx"
+          image = "nginx:latest"
+          port {
+            container_port = 80
+          }
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "nginx" {
+  metadata {
+    name      = "nginx-sample"
+    namespace = "default"
+  }
+  spec {
+    selector = {
+      app = kubernetes_deployment.nginx.metadata[0].labels["app"]
+    }
+    port {
+      port        = 80
+      target_port = 80
+    }
+    type = "ClusterIP"
+  }
+}
+

KaaS/Elastic Kubernetes Service(EKS)/Terraform/custom-cluster-domain/mng.tf

@@ -0,0 +1,54 @@
+resource "aws_launch_template" "eks_custom_lt" {
+  name_prefix   = "${local.name}-lt"
+  image_id      = data.aws_ssm_parameter.eks_al2023_ami.value
+  instance_type = "t3.medium"
+
+  user_data = base64encode(<<-EOF
+Content-Type: multipart/mixed; boundary="BOUNDARY"
+MIME-Version: 1.0
+
+--BOUNDARY
+Content-Transfer-Encoding: 7bit
+Content-Type: application/node.eks.aws
+Mime-Version: 1.0
+
+---
+apiVersion: node.eks.aws/v1alpha1
+kind: NodeConfig
+spec:
+  cluster:
+    name: ${module.eks.cluster_name}
+    apiServerEndpoint: ${module.eks.cluster_endpoint}
+    certificateAuthority: ${module.eks.cluster_certificate_authority_data}
+    cidr: ${module.eks.cluster_service_cidr}
+  kubelet:
+    config:
+      clusterDomain: test.example
+--BOUNDARY--
+  EOF
+  )
+}
+
+data "aws_ssm_parameter" "eks_al2023_ami" {
+  name = "/aws/service/eks/optimized-ami/1.31/amazon-linux-2023/x86_64/standard/recommended/image_id"
+}
+
+
+resource "aws_eks_node_group" "mng-custom" {
+  cluster_name    = module.eks.cluster_name
+  node_group_name = "mng-custom"
+  node_role_arn   = aws_iam_role.eks_worker_role.arn
+
+  subnet_ids = module.vpc.private_subnets
+
+  scaling_config {
+    desired_size = 2
+    max_size     = 5
+    min_size     = 1
+  }
+
+  launch_template {
+    id      = aws_launch_template.eks_custom_lt.id
+    version = "$Latest"
+  }
+}

KaaS/Elastic Kubernetes Service(EKS)/Terraform/custom-cluster-domain/output.tf

@@ -0,0 +1,4 @@
+output "configure_kubectl" {
+  description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+  value       = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}"
+}

KaaS/Elastic Kubernetes Service(EKS)/Terraform/custom-cluster-domain/terraform.tf

@@ -0,0 +1,40 @@
+terraform {
+  required_version = ">= 1.3"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.34"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 2.9"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.20"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.14"
+    }
+  }
+}
+
+provider "aws" {
+  region = local.region
+}
+
+provider "kubernetes" {
+  host                   = module.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+  token                  = data.aws_eks_cluster_auth.this.token
+}
+
+provider "kubectl" {
+  apply_retry_count      = 10
+  host                   = module.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+  load_config_file       = false
+  token                  = data.aws_eks_cluster_auth.this.token
+}

KaaS/Elastic Kubernetes Service(EKS)/Terraform/custom-cluster-domain/variable.tf

@@ -0,0 +1,8 @@
+variable "region" {
+  type = string
+}
+
+variable "eks_version" {
+  type = string
+  default = "1.31"
+}

KaaS/Elastic Kubernetes Service(EKS)/Terraform/custom-cluster-domain/vpc.tf

@@ -0,0 +1,16 @@
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
+
+  enable_nat_gateway = true
+  single_nat_gateway = true
+
+  tags = local.tags
+}