INSTALL: simplify documentation for subnet selection

Uses more advanced aws jmespath/jq queries to bring together information with less work from the user, and with clearer output. The subnet commands were in the middle of the cluster settings, too, which are now moved above the subnet commands, so the user doesn't have to keep track of those two sections mentally.
bottlerocket-os · Oct 16, 2019 · 17712c2 · 17712c2
1 parent 574462f
commit 17712c2
Showing 1 changed file with 32 additions and 22 deletions.
diff --git a/INSTALL.md b/INSTALL.md
@@ -126,33 +126,17 @@ kubectl patch daemonset aws-node \
 
 ## Cluster info
 
-Next, we retrieve some information about the new cluster to use in later steps.
-Run this, and save the base64 encoded certificate authority and API Endpoint URL from the output.
-Also save the subnet IDs of the subnets it created in EC2, which we'll use in the next step.
+This section helps you determine some of the cluster information needed later by the instance launch command.
 
-```
-eksctl get cluster -o yaml --name thar
-```
-
-Take the subnet IDs (`subnet-*`) from that output and insert them in this command, which will tell us whether each subnet is public or private.
-You can choose whether you want public or private, but make sure to save the subnet ID for later in the launch command.
-* Choose private for production deployments to get maximum isolation of worker nodes.
-* Choose public to more easily debug your instance.  These subnets have an Internet Gateway, so if you add a public IP address to your instance, you can talk to it.  (You can manually add an Internet Gateway to a private subnet later, so this is a reversible decision.)
-
-Note that if you choose to use the public subnet, you'll need your instance to have a publicly accessible IP address.
-That either means adding `--associate-public-ip-address` to the launch command below, or attaching an Elastic IP address.
-There will be a reminder about this when we talk about the launch command.
-
-(If you use an EC2 region other than "us-west-2", make sure to change that.)
+### Kubernetes cluster info
 
+Run this to get the API endpoint and base64-encoded certificate authority, which we use in the next step.
 ```
-aws ec2 describe-subnets \
---subnet-ids PUT-THE-SUBNETS-IDS-HERE subnet-1 subnet-2 ... \
---region us-west-2 \
---query "Subnets[].[SubnetId, Tags[?Key=='aws:cloudformation:logical-id']]"
+eksctl get cluster --name thar -o json \
+   | jq --raw-output '.[] | "Endpoint: " + .Endpoint,"\nCA: " + .CertificateAuthority.Data'
 ```
 
-Using the information from eksctl, create a file like this, named `userdata.toml`.
+Using that information from eksctl, create a file like this, named `userdata.toml`.
 This will be used at the end, in the instance launch command.
 
 ```
@@ -162,6 +146,32 @@ cluster-name = "thar"
 cluster-certificate = "YOUR-CERTIFICATE-AUTHORITY-HERE"
 ```
 
+### Subnet info
+
+Next, run this to get information about the subnets that eksctl created.
+It will give you a list of the subnets and tell you whether each is public or private.
+(If you use an EC2 region other than "us-west-2", make sure to change that.)
+
+```
+aws ec2 describe-subnets \
+   --subnet-ids $(eksctl get cluster --name thar -o json | jq --raw-output '.[].ResourcesVpcConfig.SubnetIds[]') \
+   --region us-west-2 \
+   --query "Subnets[].[SubnetId, Tags[?Key=='aws:cloudformation:logical-id'].Value]" \
+   | xargs -L2
+```
+
+You'll want to pick one and save it for the launch command later.
+
+You can choose whether you want public or private.
+* Choose private for production deployments to get maximum isolation of worker nodes.
+* Choose public to more easily debug your instance.  These subnets have an Internet Gateway, so if you add a public IP address to your instance, you can talk to it.  (You can manually add an Internet Gateway to a private subnet later, so this is a reversible decision.)
+
+Note that if you choose to use the public subnet, you'll need your instance to have a publicly accessible IP address.
+That either means adding `--associate-public-ip-address` to the launch command below, or attaching an Elastic IP address.
+There will be a reminder about this when we talk about the launch command.
+
+Finally, note that if you want to launch in a specific availability zone, make sure you pick a subnet that matches; the AZ is listed right next to the public/private status.
+
 ## IAM role
 
 The instance we launch needs to be associated with an IAM role that allows for communication with EKS.