Secure rolling update of a Kubernetes deployment with awscli
A common DevOps need is to trigger a rolling update of a Kubernetes deployment remotely and non-interactively, for example from a CI job after a successful build.
This post explains how to do that against an EKS cluster. It assumes that the client machine has AWS credentials and the awscli binary installed.
- If you want to install awscli locally, refer to this post.
- If you do not want to place the AWS credentials in `$HOME/.aws`, pass them to each command via the environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` (plus `AWS_SESSION_TOKEN` when the credentials are temporary). In CI, prefer short-lived credentials obtained from an IAM role over long-lived access keys stored as secrets.
Next, how to roll out an update in the remote Kubernetes cluster. Whichever variant you use, the IAM identity behind the credentials must be mapped to a Kubernetes identity (through the aws-auth ConfigMap or EKS access entries) whose RBAC role grants `get` and `patch` on `deployments` in the target namespace; cluster-admin is not needed for this.
With kubectl installed

```sh
aws eks --region "${EKS_AWS_REGION}" update-kubeconfig --name "${EKS_CLUSTER_NAME}"
kubectl rollout restart -n "${EKS_NAMESPACE}" deployment "${EKS_DEPLOYMENT}"
```
Without kubectl

```sh
# Short-lived bearer token (an ExecCredential document; .status.token is the value to send)
eks_token="$(aws eks get-token \
  --cluster-name "${EKS_CLUSTER_NAME}" \
  --region "${EKS_AWS_REGION}" | jq -r .status.token)"
# API server endpoint of the cluster
eks_endpoint="$(aws eks describe-cluster \
  --name "${EKS_CLUSTER_NAME}" \
  --query cluster.endpoint \
  --region "${EKS_AWS_REGION}" \
  --output text)"
# PATCH a pod-template annotation; any change to spec.template rolls a new ReplicaSet.
# --cacert pins the cluster CA (base64 in describe-cluster output), --fail makes a
# non-2xx response exit non-zero so the build step fails instead of silently passing.
curl --fail -sS -X PATCH \
  --cacert <(aws eks describe-cluster \
    --name "${EKS_CLUSTER_NAME}" \
    --query cluster.certificateAuthority.data \
    --region "${EKS_AWS_REGION}" \
    --output text | base64 -d) \
  -H "Authorization: Bearer ${eks_token}" \
  -H "Content-Type: application/strategic-merge-patch+json" \
  --data "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"$(TZ=Asia/Tokyo date +%Y-%m-%dT%H:%M:%S+09:00)\"}}}}}" \
  "${eks_endpoint}/apis/apps/v1/namespaces/${EKS_NAMESPACE}/deployments/${EKS_DEPLOYMENT}"
```
- (optional) If you change the timezone in the last command (`TZ=Asia/Tokyo`), change the offset (`+09:00`) with it so the annotation carries a correct timestamp. Using `date -u +%Y-%m-%dT%H:%M:%SZ` instead avoids the offset bookkeeping and always yields a valid RFC 3339 value, which is what kubectl itself writes.
- The token from `aws eks get-token` is a presigned STS request that is only valid for about 15 minutes, so obtain it immediately before the call. Do not run this script under `set -x`: the trace would print the bearer token into the CI log.
- Where does the curl come from? The underlying API request of any kubectl command can be inspected by running it with `--v=9`, which logs the method, URL, headers and request body kubectl sends.
- On older EKS clusters, `apps/v1` should be replaced with `extensions/v1beta1` (that API group was removed for Deployments in Kubernetes 1.16).
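The same procedure as a small CI script, added here as an example and not code from the original post: it shells out to the awscli binary the post already assumes for the token and the cluster metadata, builds the strategic-merge patch with a JSON library instead of nested shell quoting, pins the cluster CA on the TLS connection, and then polls the Deployment until the rollout is actually complete, using the same conditions `kubectl rollout status` evaluates. The environment variable names follow the post; the function names and the two sample Deployment objects are this example's own constructions.

```python
"""Rolling restart of an EKS Deployment over the Kubernetes API, without kubectl.

Added example (not from the original post). Uses awscli for the token and
cluster metadata, the standard library for the HTTP calls.
"""
import base64
import datetime as dt
import json
import os
import ssl
import subprocess
import tempfile
import time
import urllib.request


def restart_timestamp(now=None):
    """RFC 3339 timestamp in UTC, the format kubectl writes into the annotation.
    UTC avoids pairing a TZ= with a hard-coded offset such as +09:00."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return now.astimezone(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_restart_patch(ts):
    """Strategic-merge patch that touches only a pod-template annotation;
    any change to spec.template makes the controller roll a new ReplicaSet."""
    body = {"spec": {"template": {"metadata": {"annotations": {
        "kubectl.kubernetes.io/restartedAt": ts}}}}}
    return json.dumps(body, separators=(",", ":"))


def rollout_complete(deployment):
    """Conditions `kubectl rollout status` waits for: the controller has seen the
    latest generation and all desired replicas are updated and available, with
    no old pods left behind."""
    meta, spec, status = (deployment.get(k, {}) for k in ("metadata", "spec", "status"))
    want = spec.get("replicas", 1)
    if status.get("observedGeneration", 0) < meta.get("generation", 0):
        return False
    updated = status.get("updatedReplicas", 0)
    return (updated == want and status.get("replicas", 0) == updated
            and status.get("availableReplicas", 0) == updated)


# Constructed sample Deployment objects (only the fields the check reads).
SAMPLE_IN_PROGRESS = {"metadata": {"generation": 7}, "spec": {"replicas": 3}, "status": {
    "observedGeneration": 7, "replicas": 4, "updatedReplicas": 2, "availableReplicas": 3}}
SAMPLE_DONE = {"metadata": {"generation": 7}, "spec": {"replicas": 3}, "status": {
    "observedGeneration": 7, "replicas": 3, "updatedReplicas": 3, "availableReplicas": 3}}


def _aws(*args):
    """Run awscli and return stdout; a non-zero exit raises."""
    return subprocess.run(["aws", *args], check=True, capture_output=True, text=True).stdout


def cluster_info(cluster, region):
    """API endpoint and PEM CA bundle from `aws eks describe-cluster`."""
    c = json.loads(_aws("eks", "describe-cluster", "--name", cluster, "--region", region))["cluster"]
    return c["endpoint"], base64.b64decode(c["certificateAuthority"]["data"])


def eks_token(cluster, region):
    """Bearer token from `aws eks get-token` (ExecCredential JSON). It is a presigned
    STS request valid for roughly 15 minutes: fetch right before use, never log it."""
    out = _aws("eks", "get-token", "--cluster-name", cluster, "--region", region)
    return json.loads(out)["status"]["token"]


def api_call(method, url, cafile, token, body=None, content_type=None):
    """One authenticated request, trusting only the cluster CA, not the system store."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if content_type:
        req.add_header("Content-Type", content_type)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def restart_deployment(cluster, region, namespace, deployment, wait_seconds=300):
    """PATCH the restartedAt annotation, then poll until the rollout finishes."""
    endpoint, ca_pem = cluster_info(cluster, region)
    with tempfile.NamedTemporaryFile(suffix=".crt", delete=False) as f:
        f.write(ca_pem)
    try:
        token = eks_token(cluster, region)
        url = f"{endpoint}/apis/apps/v1/namespaces/{namespace}/deployments/{deployment}"
        api_call("PATCH", url, f.name, token, build_restart_patch(restart_timestamp()).encode(),
                 "application/strategic-merge-patch+json")
        deadline = time.monotonic() + wait_seconds
        while time.monotonic() < deadline:
            if rollout_complete(api_call("GET", url, f.name, token)):
                return True
            time.sleep(5)
        return False  # caller fails the build rather than leaving a half-rolled deployment
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    e = os.environ  # same variable names as the post
    ok = restart_deployment(e["EKS_CLUSTER_NAME"], e["EKS_AWS_REGION"],
                            e["EKS_NAMESPACE"], e["EKS_DEPLOYMENT"])
    raise SystemExit(0 if ok else 1)
```

Run it with the four `EKS_*` variables exported; the exit status tells the CI step whether the new pods became available, which the bare curl PATCH cannot tell you. The polling window is kept below the token lifetime; for a deployment that legitimately takes longer than that, fetch a fresh token inside the loop.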