Commit 3217fdab authored by Apoorva64's avatar Apoorva64 Committed by Clement Bois

feat: add AWS deployment variant for EKS

parent 845fb452
+89 −0
@@ -610,3 +610,92 @@ include:
      # default GCP Service Account
      gcp-oidc-account: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"
```

### EKS variant

The EKS variant provides seamless integration with AWS EKS (Elastic Kubernetes Service) for deploying Helm charts.

#### Prerequisites

List of requirements before using this variant for deploying your charts to EKS:

1. You must have configured [GitLab OIDC authentication with AWS](https://docs.gitlab.com/ci/cloud_services/aws/).
2. You must have an AWS IAM role with permissions to access EKS clusters.
3. You must have proper IAM mappings configured in your EKS cluster (via access entries for API mode or aws-auth ConfigMap for CONFIG_MAP mode).
4. For private EKS clusters: You must have an EC2 instance with SSM agent installed in the same VPC as your EKS cluster.

#### Configuration

| Input / Variable                                            | Description                                                                                                                                                       | Default value                                                        |
|-------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|
| `TBC_AWS_PROVIDER_IMAGE`                                    | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden)                                             | `registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest` |
| `aws-region` / `AWS_REGION`                                 | Default AWS region to use                                                                                                                                         | _none_                                                               |
| `aws-oidc-aud` / `AWS_OIDC_AUD`                             | The `aud` claim for the JWT token _(required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_                                          | `$CI_SERVER_URL`                                          |
| `aws-oidc-role-arn` / `AWS_OIDC_ROLE_ARN`                   | Default AWS IAM role ARN for OpenID Connect authentication                                                                                                        | _none_                                                               |
| `aws-review-region` / `AWS_REVIEW_REGION`                   | AWS region to use for `review` environment _(only define to override default)_                                                                                    | _none_                                                               |
| `aws-review-oidc-role-arn` / `AWS_REVIEW_OIDC_ROLE_ARN`     | AWS IAM role ARN for OpenID Connect authentication on `review` environment _(only define to override default)_                                                    | _none_                                                               |
| `aws-integ-region` / `AWS_INTEG_REGION`                     | AWS region to use for `integration` environment _(only define to override default)_                                                                               | _none_                                                               |
| `aws-integ-oidc-role-arn` / `AWS_INTEG_OIDC_ROLE_ARN`       | AWS IAM role ARN for OpenID Connect authentication on `integration` environment _(only define to override default)_                                               | _none_                                                               |
| `aws-staging-region` / `AWS_STAGING_REGION`                 | AWS region to use for `staging` environment _(only define to override default)_                                                                                   | _none_                                                               |
| `aws-staging-oidc-role-arn` / `AWS_STAGING_OIDC_ROLE_ARN`   | AWS IAM role ARN for OpenID Connect authentication on `staging` environment _(only define to override default)_                                                   | _none_                                                               |
| `aws-prod-region` / `AWS_PROD_REGION`                       | AWS region to use for `production` environment _(only define to override default)_                                                                                | _none_                                                               |
| `aws-prod-oidc-role-arn` / `AWS_PROD_OIDC_ROLE_ARN`         | AWS IAM role ARN for OpenID Connect authentication on `production` environment _(only define to override default)_                                                | _none_                                                               |

#### Example - Deploy to EKS (Public Cluster)

```yaml
include:
  # main template
  - component: $CI_SERVER_FQDN/to-be-continuous/helm/gitlab-ci-helm@9.1.0
    inputs:
      base-app-name: my-app
      review-enabled: true
      staging-enabled: true
      prod-enabled: true
  # AWS auth variant
  - component: $CI_SERVER_FQDN/to-be-continuous/helm/gitlab-ci-helm-eks@9.1.0
    inputs:
      # default AWS configuration
      aws-region: us-east-1
      aws-oidc-role-arn: "arn:aws:iam::123456789012:role/gitlab-ci-role"
      # production-specific configuration
      aws-prod-region: us-west-2
      aws-prod-oidc-role-arn: "arn:aws:iam::123456789012:role/gitlab-ci-prod-role"

variables:
  # Configure kubeconfig URLs per environment
  HELM_REVIEW_KUBECONFIG: "@url@http://aws-auth-provider/kubeconfig?cluster_name=dev-cluster&region=us-east-1"
  HELM_STAGING_KUBECONFIG: "@url@http://aws-auth-provider/kubeconfig?cluster_name=staging-cluster&region=us-east-1"
  HELM_PROD_KUBECONFIG: "@url@http://aws-auth-provider/kubeconfig?cluster_name=prod-cluster&region=us-west-2"
```

#### Example - Deploy to Private EKS Cluster

For private EKS clusters, you need to provide an EC2 instance ID for SSM port forwarding in the kubeconfig URL:

```yaml
include:
  # main template
  - component: $CI_SERVER_FQDN/to-be-continuous/helm/gitlab-ci-helm@9.1.0
    inputs:
      base-app-name: my-app
      prod-enabled: true
  # AWS auth variant
  - component: $CI_SERVER_FQDN/to-be-continuous/helm/gitlab-ci-helm-eks@9.1.0
    inputs:
      aws-region: us-east-1
      aws-oidc-role-arn: "arn:aws:iam::123456789012:role/gitlab-ci-role"

variables:
  # Instance with SSM agent in the same VPC as EKS
  HELM_PROD_KUBECONFIG: "@url@http://aws-auth-provider/kubeconfig?cluster_name=my-private-cluster&region=us-east-1&instance_id=i-1234567890abcdef0"
```

#### How it works

The AWS variant template provides:

**EKS kubeconfig via AWS Auth Provider**: Users configure the `HELM_<ENV>_KUBECONFIG` variable with a URL pattern (`@url@http://aws-auth-provider/kubeconfig?cluster_name=...`) that dynamically retrieves a valid kubeconfig file with authentication tokens for their EKS cluster. The AWS Auth Provider service supports both public and private EKS clusters (using SSM port forwarding for private clusters via the `instance_id` parameter).

The authentication uses [GitLab's OIDC integration with AWS](https://docs.gitlab.com/ci/cloud_services/aws/), which means you don't need to manage long-lived AWS credentials in your CI/CD variables.
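Review bot: prerequisites 2 and 3 stop short of the one IAM detail that decides who can reach the cluster: the trust policy of the role referenced by `aws-oidc-role-arn` must condition on the token's `sub` claim (project path, ref type, ref) in addition to the `aud` it already matches against the `$CI_SERVER_URL` default, otherwise any project on the same GitLab instance that presents a token to that OIDC provider can assume `gitlab-ci-role` and obtain the kubeconfig. The linked GitLab OIDC page documents that condition; one sentence pointing at it would save readers from copying the example ARNs with an audience-only trust policy. The example that uses a separate `gitlab-ci-prod-role` for production is the right pattern and is worth calling out as such in the "How it works" section, since the per-environment `aws-<env>-oidc-role-arn` inputs exist precisely so that review and staging jobs never hold a role that maps to the production cluster.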
+68 −0
@@ -508,6 +508,74 @@
          "advanced": true
        }
      ]
    },
    {
      "id": "eks",
      "name": "Elastic Kubernetes Service",
      "description": "Deploy to Amazon EKS (Elastic Kubernetes Service)",
      "template_path": "templates/gitlab-ci-helm-eks.yml",
      "variables": [
        {
          "name": "TBC_AWS_PROVIDER_IMAGE",
          "description": "The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use",
          "default": "registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest",
          "advanced": true
        },
        {
          "name": "AWS_REGION",
          "description": "Default AWS region to use"
        },
        {
          "name": "AWS_OIDC_AUD",
          "description": "The `aud` claim for the JWT token _(required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
          "default": "$CI_SERVER_URL",
          "advanced": true
        },
        {
          "name": "AWS_OIDC_ROLE_ARN",
          "description": "Default AWS IAM role ARN for OpenID Connect authentication"
        },
        {
          "name": "AWS_REVIEW_REGION",
          "description": "AWS region to use for `review` environment",
          "advanced": true
        },
        {
          "name": "AWS_REVIEW_OIDC_ROLE_ARN",
          "description": "AWS IAM role ARN for OpenID Connect authentication on `review` environment",
          "advanced": true
        },
        {
          "name": "AWS_INTEG_REGION",
          "description": "AWS region to use for `integration` environment",
          "advanced": true
        },
        {
          "name": "AWS_INTEG_OIDC_ROLE_ARN",
          "description": "AWS IAM role ARN for OpenID Connect authentication on `integration` environment",
          "advanced": true
        },
        {
          "name": "AWS_STAGING_REGION",
          "description": "AWS region to use for `staging` environment",
          "advanced": true
        },
        {
          "name": "AWS_STAGING_OIDC_ROLE_ARN",
          "description": "AWS IAM role ARN for OpenID Connect authentication on `staging` environment",
          "advanced": true
        },
        {
          "name": "AWS_PROD_REGION",
          "description": "AWS region to use for `production` environment",
          "advanced": true
        },
        {
          "name": "AWS_PROD_OIDC_ROLE_ARN",
          "description": "AWS IAM role ARN for OpenID Connect authentication on `production` environment",
          "advanced": true
        }
      ]
    }

  ]
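Review bot: the descriptions for the per-environment entries (`AWS_REVIEW_REGION` through `AWS_PROD_OIDC_ROLE_ARN`) drop the "_(only define to override default)_" qualifier that the README table carries, so the kicker form will present them as ordinary settings rather than optional overrides of `AWS_REGION` / `AWS_OIDC_ROLE_ARN`; align the description strings with the README wording. Also remove the stray blank line between the closing `}` of the new variant and the array's closing `]`.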
+66 −0
# =====================================================================================================================
# === EKS Auth template variant
# =====================================================================================================================
spec:
  inputs:
    aws-region:
      description: Default AWS region to use
      default: ''
    aws-oidc-aud:
      description: The `aud` claim for the JWT token _(required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_
      default: $CI_SERVER_URL
    aws-oidc-role-arn:
      description: Default AWS IAM role ARN for OpenID Connect authentication
      default: ''
    aws-review-region:
      description: AWS region to use for `review` environment
      default: ''
    aws-review-oidc-role-arn:
      description: AWS IAM role ARN for OpenID Connect authentication on `review` environment
      default: ''
    aws-integ-region:
      description: AWS region to use for `integration` environment
      default: ''
    aws-integ-oidc-role-arn:
      description: AWS IAM role ARN for OpenID Connect authentication on `integration` environment
      default: ''
    aws-staging-region:
      description: AWS region to use for `staging` environment
      default: ''
    aws-staging-oidc-role-arn:
      description: AWS IAM role ARN for OpenID Connect authentication on `staging` environment
      default: ''
    aws-prod-region:
      description: AWS region to use for `production` environment
      default: ''
    aws-prod-oidc-role-arn:
      description: AWS IAM role ARN for OpenID Connect authentication on `production` environment
      default: ''

---
variables:
  TBC_AWS_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest
  AWS_REGION: $[[ inputs.aws-region ]]
  AWS_OIDC_AUD: $[[ inputs.aws-oidc-aud ]]
  AWS_OIDC_ROLE_ARN: $[[ inputs.aws-oidc-role-arn ]]
  AWS_REVIEW_REGION: $[[ inputs.aws-review-region ]]
  AWS_REVIEW_OIDC_ROLE_ARN: $[[ inputs.aws-review-oidc-role-arn ]]
  AWS_INTEG_REGION: $[[ inputs.aws-integ-region ]]
  AWS_INTEG_OIDC_ROLE_ARN: $[[ inputs.aws-integ-oidc-role-arn ]]
  AWS_STAGING_REGION: $[[ inputs.aws-staging-region ]]
  AWS_STAGING_OIDC_ROLE_ARN: $[[ inputs.aws-staging-oidc-role-arn ]]
  AWS_PROD_REGION: $[[ inputs.aws-prod-region ]]
  AWS_PROD_OIDC_ROLE_ARN: $[[ inputs.aws-prod-oidc-role-arn ]]

.helm-deploy:
  services:
    - name: "$TBC_TRACKING_IMAGE"
      command: [ "--service", "helm", "9.1.0" ]
    - name: "$TBC_AWS_PROVIDER_IMAGE"
      alias: "aws-auth-provider"
  variables:
    #  have to be explicitly declared in the YAML to be exported to the service
    AWS_JWT: $AWS_JWT
  id_tokens:
    AWS_JWT:
      aud: "$AWS_OIDC_AUD"
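Review bot: `TBC_AWS_PROVIDER_IMAGE` defaults to a mutable `:latest` tag (`registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest`) for a service container that receives the job's `AWS_JWT` and returns a kubeconfig with live cluster credentials, so any push to that tag silently changes what handles the token in every pipeline using this variant; pin the default to a release tag (or a digest) as is done for the component version itself, and document the override in the README as a hardening step. Second, the `services:` list on `.helm-deploy` replaces the main template's list wholesale, which is why `command: [ "--service", "helm", "9.1.0" ]` has to be repeated here; that value is now a second copy of the version string that must be bumped on each release (the last hunk in this commit fixes exactly this kind of drift in the GCP variant).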
+1 −1
@@ -107,7 +107,7 @@ variables:
.helm-publish:
  services:
    - name: "$TBC_TRACKING_IMAGE"
      command: ["--service", "docker", "9.1.0"]
      command: ["--service", "helm", "9.1.0"]
    - name: "$TBC_GCP_PROVIDER_IMAGE"
      alias: "gcp-auth-provider"
  variables:
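Review bot: the change from `"docker"` to `"helm"` in the `.helm-publish` tracking service command is a bug fix in the GCP variant that has nothing to do with the EKS feature and is not mentioned in the commit message `feat: add AWS deployment variant for EKS`; either split it into its own `fix:` commit or add a line to the message so the correction is discoverable in history.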