
Order

# Create the IRSA-backed Kubernetes service account "dynamodb-pull-sa" in the
# "wsi" namespace and bind it to an IAM role carrying the attached policy.
#
# NOTE(review): AmazonDynamoDBFullAccess is an AWS-managed policy that is not
# limited to particular tables. If the order workload only touches specific
# tables or actions, attach a customer-managed policy scoped to those instead.
# NOTE(review): --override-existing-serviceaccounts replaces a service account
# of the same name if one already exists in the namespace.
eksctl create iamserviceaccount \
  --cluster=wsi-eks-cluster \
  --region=ap-northeast-2 \
  --namespace=wsi \
  --name=dynamodb-pull-sa \
  --attach-policy-arn="arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess" \
  --override-existing-serviceaccounts \
  --approve
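#!/bin/bash
# Grants the IAM role behind the "dynamodb-pull-sa" service account permission
# to call kms:Decrypt on the one KMS key that carries the tag value "db-kms".
#
# Requires eksctl, aws and jq on PATH, plus credentials that may read the
# service account, list/describe KMS keys and call iam:PutRolePolicy.
set -euo pipefail

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Role ARN that eksctl recorded for the service account.
ROLE_ARN=$(eksctl get iamserviceaccount \
  --cluster wsi-eks-cluster \
  --name dynamodb-pull-sa \
  --namespace wsi \
  --region ap-northeast-2 \
  --output json | jq -r '.[].status.roleARN')

# Refuse to continue on "null", an empty result or more than one ARN, so the
# policy below is never attached to an unintended role.
if [[ "$ROLE_ARN" != arn:*:iam::*:role/* || "$ROLE_ARN" == *$'\n'* ]]; then
  die "could not resolve a single role ARN for dynamodb-pull-sa (got: '${ROLE_ARN}')"
fi

# The role name is the last path segment of the ARN; deriving it locally avoids
# interpolating the ARN into a JMESPath filter and two extra IAM calls.
ROLE_NAME=${ROLE_ARN##*/}

keys=$(aws kms list-keys --output json)
key_ids=$(jq -r '.Keys[].KeyId' <<<"$keys")

# Collect every key that has a tag whose value is exactly "db-kms". Comparing
# per tag value (rather than the joined text output) also finds keys that
# carry additional tags.
matches=()
while IFS= read -r key_id; do
  [[ -n "$key_id" ]] || continue
  # Keys whose tags cannot be listed (for example because the caller lacks
  # permission on them) are skipped; stderr is hidden to keep the output quiet.
  tags=$(aws kms list-resource-tags \
    --key-id "$key_id" \
    --query 'Tags[].TagValue' \
    --output json 2>/dev/null) || continue
  if jq -e 'any(.[]?; . == "db-kms")' <<<"$tags" >/dev/null; then
    arn=$(aws kms describe-key \
      --key-id "$key_id" \
      --query 'KeyMetadata.Arn' \
      --output text)
    matches+=("$arn")
  fi
done <<<"$key_ids"

# Zero matches would produce a policy with an empty Resource; several matches
# would make the grant ambiguous. Both are treated as errors.
if (( ${#matches[@]} != 1 )); then
  die "expected exactly one KMS key tagged db-kms, found ${#matches[@]}"
fi
kms_arn=${matches[0]}

# Build the policy with jq so the ARN is JSON-escaped rather than spliced into
# a hand-quoted string. The grant stays limited to kms:Decrypt on this one key.
policy_document=$(jq -n --arg key_arn "$kms_arn" '{
  Version: "2012-10-17",
  Statement: [
    {Effect: "Allow", Action: "kms:Decrypt", Resource: $key_arn}
  ]
}')

aws iam put-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-name AllowKMSDecrypt \
  --policy-document "$policy_document"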
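# Deployment for the order service: two replicas, each pod running the
# application container plus a Fluent Bit sidecar. Both containers mount the
# same emptyDir at /log.
#
# NOTE(review): neither container sets a securityContext. Consider
# runAsNonRoot, readOnlyRootFilesystem and allowPrivilegeEscalation: false
# once it is confirmed that the images run correctly with them.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: order
  namespace: wsi
  labels:
    app: order
spec:
  replicas: 2
  selector:
    matchLabels:
      app: order
  template:
    metadata:
      labels:
        app: order
        type: fargate
    spec:
      # serviceAccountName is the current field; serviceAccount is its
      # deprecated alias. The pod runs as this account and so receives the
      # IAM role bound to it.
      serviceAccountName: dynamodb-pull-sa
      containers:
        - name: order-cnt
          # Placeholder token, substituted with the registry reference before
          # the manifest is applied.
          image: IMAGE
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: log-volume
              mountPath: /log
          # Requests equal limits for both CPU and memory.
          resources:
            requests:
              memory: "1Gi"
              cpu: "0.5"
            limits:
              memory: "1Gi"
              cpu: "0.5"
          env:
            # NOTE(review): the region is read from a Secret named
            # order-credentials. With the service account above supplying AWS
            # access, static AWS keys should not be needed in that Secret;
            # confirm what else it holds.
            - name: AWS_REGION
              valueFrom:
                secretKeyRef:
                  name: order-credentials
                  key: REGION
        - name: fluent-bit-cnt
          # NOTE(review): "latest" is a mutable tag, and with IfNotPresent a
          # node that already has a copy cached keeps using it. Pin a specific
          # version or digest so the sidecar build that runs is known.
          image: fluent/fluent-bit:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 2020
              name: metrics
              protocol: TCP
          volumeMounts:
            # Fluent Bit configuration comes from the "order" ConfigMap.
            - name: config-volume
              mountPath: /fluent-bit/etc/
            - name: log-volume
              mountPath: /log
      volumes:
        - name: log-volume
          emptyDir: {}
        - name: config-volume
          configMap:
            name: order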
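# Resolve the container image reference for the order service from the
# "order-ecr" repository and store it in IMAGE as <repository-uri>:<tag>.
IMAGE_URL=$(aws ecr describe-repositories \
  --repository-name order-ecr \
  --query "repositories[].repositoryUri" \
  --output text)

# Take the first tag of the most recently pushed image. Querying every tag of
# every image yields a tab-separated list as soon as the repository holds more
# than one tag, which is not a valid image reference.
IMAGE_TAG=$(aws ecr describe-images \
  --repository-name order-ecr \
  --query "sort_by(imageDetails,&imagePushedAt)[-1].imageTags[0]" \
  --output text)

# The CLI prints "None" for a missing value in text mode; treat that like an
# empty result so a broken reference is never handed to the next step.
# No "exit" here: these lines are meant to be pasted into an interactive shell.
if [[ -z "$IMAGE_URL" || -z "$IMAGE_TAG" || "$IMAGE_URL" == "None" || "$IMAGE_TAG" == "None" ]]; then
  printf 'error: could not resolve repository URI or tag for order-ecr\n' >&2
  unset IMAGE
else
  # NOTE(review): a tag can be re-pointed after this lookup. Referencing the
  # image by digest (repository@sha256:...) would fix the exact build deployed.
  IMAGE="$IMAGE_URL:$IMAGE_TAG"
fi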
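# Replace the IMAGE placeholder in deployment.yaml with the resolved image
# reference. ${IMAGE:?...} aborts the command when the variable is unset or
# empty, so the manifest is never rewritten with a blank image field.
sed -i "s|IMAGE|${IMAGE:?IMAGE is empty - resolve the ECR image reference first}|g" deployment.yaml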
# Create or update the objects described in deployment.yaml on the cluster
# selected by the current kubectl context.
kubectl apply --filename deployment.yaml
# Service that routes TCP port 8080 to port 8080 of the pods labelled
# app=order in the wsi namespace.
apiVersion: v1
kind: Service
metadata:
  namespace: wsi
  name: order-service
spec:
  # No spec.type is given, so Kubernetes treats this as a ClusterIP Service:
  # it is reachable from inside the cluster only.
  ports:
    - port: 8080
      targetPort: 8080
      protocol: TCP
  selector:
    app: order
# Create or update the objects described in service.yaml on the cluster
# selected by the current kubectl context.
kubectl apply --filename service.yaml