# AWS EKS ## Tutorials & Articles * [Provision a Kubernetes Cluster in Amazon EKS with Weaveworks eksctl and AWS CDK](https://blog.reactioncommerce.com/deploying-kubernetes-clusters-in-aws-eks-with-the-aws-cloud-development-kit/). ## Creating EKS cluster using the eksctl CLI eksctl create cluster \ --name staging \ --version 1.14 \ --nodegroup-name staging-workers \ --node-type m5.xlarge \ --nodes 3 \ --nodes-min 1 \ --nodes-max 10 \ --node-ami auto ### Create RDS PostgreSQL instance Create `hydra` database and `hydradbadmin` user/role in the database. hydra=> CREATE DATABASE hydra; CREATE DATABASE hydra=> \q hydra=> CREATE ROLE hydradbadmin; CREATE ROLE hydra=> ALTER ROLE hydradbadmin LOGIN; ALTER ROLE hydra=> ALTER USER hydradbadmin PASSWORD 'PASS'; ALTER ROLE DB connection string: `postgres://hydradbadmin:PASS@staging.cjwa4nveh3ws.us-west-2.rds.amazonaws.com:5432/hydra` ### Create MongoDB database and user in Atlas MONGO_OPLOG_URL: mongodb://domain:PASS@cluster0-shard-00-02-gk3cz.mongodb.net.:27017,[cluster0-shard-00-01-gk3cz.mongodb.net](http://cluster0-shard-00-01-gk3cz.mongodb.net/).:27017,[cluster0-shard-00-00-gk3cz.mongodb.net](http://cluster0-shard-00-00-gk3cz.mongodb.net/).:27017/local?authSource=admin&gssapiServiceName=mongodb&replicaSet=Cluster0-shard-0&ssl=true MONGO_URL: mongodb://domain:PASS@cluster0-shard-00-02-gk3cz.mongodb.net.:27017,[cluster0-shard-00-01-gk3cz.mongodb.net](http://cluster0-shard-00-01-gk3cz.mongodb.net/).:27017,[cluster0-shard-00-00-gk3cz.mongodb.net](http://cluster0-shard-00-00-gk3cz.mongodb.net/).:27017/rc-staging?authSource=admin&gssapiServiceName=mongodb&replicaSet=Cluster0-shard-0&ssl=true ### Generate kubeconfig files for administrator and developer roles Save the above file somewhere, then export KUBECONFIG=/path/to/file export AWS_PROFILE=profilename This configuration uses the `aws-iam-authenticator` binary (needs to exist locally) and maps an IAM role to an internal Kubernetes RBAC role. This was created in the EKS cluster with: kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: k8s-developer-role namespace: staging rules: - apiGroups: - "" - "apps" - "batch" - "extensions" resources: - "configmaps" - "cronjobs" - "deployments" - "events" - "ingresses" - "jobs" - "pods" - "pods/attach" - "pods/exec" - "pods/log" - "pods/portforward" - "secrets" - "services" verbs: - "create" - "delete" - "describe" - "get" - "list" - "patch" - "update" --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: k8s-developer-rolebinding namespace: staging subjects: - kind: User name: k8s-developer-user roleRef: kind: Role name: k8s-developer-role apiGroup: rbac.authorization.k8s.io ### Install nginx ingress controller and create ALB in front of nginx ingress service The `Service` type for the `ingress-nginx` service is `NodePort` and not `LoadBalancer` because we don't want AWS to create a new Load Balancer every time we recreate the ingress. kind: Service apiVersion: v1 metadata: name: ingress-nginx namespace: kube-ingress labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx spec: type: NodePort selector: app: ingress-nginx ports: - name: http port: 80 nodePort: 30080 targetPort: http - name: https port: 443 nodePort: 30443 targetPort: https Instead, we provision an ALB and send both HTTP and HTTPS traffic to a Target Group that targets port 30080 on the EKS worker nodes (which is the `nodePort` in the manifest above for HTTP traffic). **NOTE**: need to add rule in EKS worker SG to allow SG of ALB to access port 30080. ### Create Kubernetes Secret for DockerHub credentials (for pulling private images) apiVersion: v1 type: kubernetes.io/dockerconfigjson kind: Secret metadata: name: reaction-docker-hub data: .dockerconfigjson: BASE64_OF_DOCKERHUB_AUTH_STRING DOCKERHUB_AUTH_STRING={"auths":{"https://index.docker.io/v1/":{"username":"rck8s","password":"PASS","auth":"OBTAINED_FROM_DOCKER_CONFIG.JSON"}}} This Secret was created in several namespaces (`default`, `staging`, `monitoring`, `logging`, `flux-system`) ### Install and customize Flux for GitOps workflow Flux is installed in its own `flux-system` namespace. To install it, it we ran: kustomize build overlays/staging | kubectl apply -f - The default `Deployment` for Flux is using the `weaveworks/flux` Docker image, which as of its last version contains an older binary for `kustomize`. Here is the `Dockerfile` for that image: FROM fluxcd/flux:1.15.0 ARG REACTION_ENVIRONMENT ENV SOPS_VERSION 3.4.0 ENV REACTION_ENVIRONMENT=${REACTION_ENVIRONMENT} RUN /sbin/apk add npm RUN wget https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux \ -O /usr/local/bin/sops; chmod +x /usr/local/bin/sops For now, the script `build_and_push_image_staging.sh` sets this variable to `staging`: #!/bin/bash COMMIT_TAG=$(git rev-parse --short HEAD) docker build --build-arg REACTION_ENVIRONMENT=staging -t reaction-flux:staging . docker tag reaction-flux:staging reactioncommerce/reaction-flux:staging-${COMMIT_TAG} docker push reactioncommerce/reaction-flux:staging-${COMMIT_TAG} Flux generates an ssh key upon startup. We need to obtain that key with `fluxctl` and add it as a deploy key to the `reaction-gitops` GitHub repo: fluxctl --k8s-fwd-ns=flux-system identity The `manifest-generation=true` argument allows Flux to inspect and use a special configuration file called `.flux.yaml` in the root of the associated Git repo. The contents of this file are: version: 1 commandUpdated: generators: - command: ./generate_kustomize_output.sh Flux will `cd` into the `git-path` (set to `.` in our case in the args above), then will run the `command` specified in the `.flux.yaml` file. The output of the command needs to be valid YAML, which Flux will apply to the Kubernetes cluster via `kubectl apply -f -`. We can run whatever commands we need, following whatever conventions we come up with, inside the `generate_kustomize_output.sh` script. Currently we do something along these lines: #!/bin/bash if [ -z $ENVIRONMENT ]; then echo Please set the ENVIRONMENT environment variable to a value such as staging before running this script. exit 1 fi # this is necessary when running npm/npx inside a Docker container npm config set unsafe-perm true cd kustomize for SUBDIR in `ls`; do if [ "$1" ] && [ "${SUBDIR}" != "$1" ]; then continue fi OVERLAY_DIR=${SUBDIR}/overlays/${ENVIRONMENT} if [ ! -d "${OVERLAY_DIR}" ]; then continue fi if [ -d "${OVERLAY_DIR}/.sops" ]; then # decrypt sops-encrypted values and merge them into stub manifests for Secret objects npx --quiet --package @reactioncommerce/merge-sops-secrets@1.2.1 sops-to-secret ${OVERLAY_DIR}/secret-stub.yaml > ${OVERLAY_DIR}/secret.yaml fi # generate kustomize output kustomize build ${OVERLAY_DIR} echo "---" rm -rf ${OVERLAY_DIR}/secret.yaml done Flux will do a `git pull` against the branch of the `reaction-gitops` repo specified in the command-line args (`master` in our case) every 5 minutes, and it will run the `generate_kustomize_output.sh` script, then will run `kubectl apply -f -` against the output of that script, applying any manifests that have changed. The Flux `git pull` can also be forced with `fluxctl sync`: fluxctl sync --k8s-fwd-ns flux-system To redeploy a Flux container for example when the underlying Docker image changes, do this in the `reaction-gitops` root directory: cd bootstrap/flux kustomize build overlays/staging | kubectl apply -f - ### Management of Kubernetes secrets We use sops to encrypt secret values for environment variables representing credentials, database connections, etc. We create one file per secret in directories of the format `kustomize/SERVICE/overlays/ENVIRONMENT/.sops.` We encrypt the files with a KMS key specified in `.sops.yaml` in the directory `kustomize/SERVICE/overlays/ENVIRONMENT`. Example: cd kustomize/hydra/overlays/staging echo -n "postgres://hydradbadmin:PASS@staging.cjwa4nveh3ws.us-west-2.rds.amazonaws.com:5432/hydra" > .sops/DATABASE_URL.enc sops -e -i .sops/DATABASE_URL.enc We also create a `secret-stub.yaml` file in the directory `kustomize/SERVICE/overlays/ENVIRONMENT` similar to this: $ cat overlays/staging/secret-stub.yaml apiVersion: v1 kind: Secret metadata: name: hydra type: Opaque data: DATABASE_URL: BASE64_OF_PLAIN_TEXT_SECRET OIDC_SUBJECT_TYPE_PAIRWISE_SALT: BASE64_OF_PLAIN_TEXT_SECRET SYSTEM_SECRET: BASE64_OF_PLAIN_TEXT_SECRET The Flux container will call the `generate_kustomize_output.sh` script, which will decrypt the files via Pete's `@reactioncommerce/merge-sops-secrets@1.2.1 sops-to-secret` utility and will stitch their values inside `secret-stub.yaml`, saving the output in a `secret.yaml` file which will then be read by `kustomize`. Here is the relevant section from the `generate_kustomize_output.sh` script: npx --quiet \ --package @reactioncommerce/merge-sops-secrets@1.2.1 \ sops-to-secret ${OVERLAY_DIR}/secret-stub.yaml > ${OVERLAY_DIR}/secret.yaml The Flux container needs to be able to use the KMS key for decryption, so we had to create an IAM policy allowing access to this KMS key, then attach the policy to the EKS worker node IAM role. { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "kms:GetKeyPolicy", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*" ], "Resource": "arn:aws:kms:us-west-2:773713188930:key/a8d73206-e37a-4ddf-987e-dbfa6c2cd2f8" } ] } ### Kubernetes manifest generation with Kustomize We use Kustomize to generate Kubernetes manifests in YAML format. There are several directories under the `kustomize` directory, one for each service to be deployed. Example directory structure under `kustomize/reaction-storefront`: |____overlays | |____staging | | |____patch-deployment-imagepullsecret.yaml | | |____kustomization.yaml | | |____hpa.yaml | | |____secret-stub.yaml | | |____.sops | | | |____SESSION_SECRET.enc | | | |____OAUTH2_CLIENT_SECRET.enc | | |____configmap.yaml | | |____.sops.yaml |____base | |____deployment.yaml | |____ingress.yaml | |____kustomization.yaml | |____service.yaml The manifests under the `base` directory define the various Kubernetes objects that will be created for `reaction-storefront` (similar to YAML manifests under the `templates` directory of a Helm chart, but with no templating). In this example we have a Deployment, a Service and an Ingress defined in their respective files. The file `base/kustomization.yaml` specifies how these manifests files are collated and how other common information is appended: $ cat base/kustomization.yaml # Labels to add to all resources and selectors. commonLabels: app.kubernetes.io/component: frontend app.kubernetes.io/instance: reaction-storefront app.kubernetes.io/name: reaction-storefront # Value of this field is prepended to the # names of all resources #namePrefix: reaction-storefront configMapGenerator: - name: reaction-storefront # List of resource files that kustomize reads, modifies # and emits as a YAML string resources: - deployment.yaml - ingress.yaml - service.yaml The customization for a specific environment such as `staging` happens in files in the directory `overlays/staging`. Here is the `kustomization.yaml` file from that directory: $ cat overlays/staging/kustomization.yaml apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namePrefix: staging- namespace: staging images: - name: docker.io/reactioncommerce/reaction-next-starterkit newTag: 4e1c281ec5de541ec6b22c52c38e6e2e6e072a1c resources: - secret.yaml - ../../base patchesJson6902: - patch: |- - op: replace path: /spec/rules/0/host value: storefront.staging.reactioncommerce.io target: group: extensions kind: Ingress name: reaction-storefront version: v1beta1 patchesStrategicMerge: - configmap.yaml - patch-deployment-imagepullsecret.yaml Some things to note: - You can customize the Docker image and tag used for a container inside a pod - You can specify a prefix to be added to all object names, so a deployment declared in the `base/deployment.yaml` file with the name `reaction-storefront` will get `staging-` in front and will become `staging-reaction-storefront` - You can apply patches to the files under `base` and specify values specific to this environment Patches can be declared either inline in the `kustomization.yaml` file (such as the Ingress patch above), or in separate YAML files (such as the files in the `patchesStrategicMerge` section). Here is an example of a separate patch file: $ cat overlays/staging/patch-deployment-imagepullsecret.yaml apiVersion: apps/v1 kind: Deployment metadata: name: reaction-storefront spec: template: spec: imagePullSecrets: - name: reaction-docker-hub You need to specify enough information in the patch file for `kustomize` to identify the object to be patched. If you think of the YAML manifest as a graph with nodes specified by a succession of keys, then the patch needs to specify which node needs to be modified or added, and what is the new value for that key. In the example above, we add a new key at `spec->template->spec->imagePullSecrets->0 (item index)->name` and set its value to `reaction-docker-hub`. **Environment variables** for a specific environment are set in the `configmap.yaml` file in the `overlays/ENVIRONMENT` directory. Example for `reaction-storefront`: $ cat overlays/staging/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: reaction-storefront data: CANONICAL_URL: https://storefront.staging.reactioncommerce.io DEFAULT_CACHE_TTL: "3600" ELASTICSEARCH_URL: http://elasticsearch-client:9200 EXTERNAL_GRAPHQL_URL: https://api.staging.reactioncommerce.io/graphql-beta HYDRA_ADMIN_URL: http://staging-hydra:4445 INTERNAL_GRAPHQL_URL: http://staging-reaction-core/graphql-beta OAUTH2_ADMIN_PORT: "4445" OAUTH2_AUTH_URL: https://auth.staging.reactioncommerce.io/oauth2/auth OAUTH2_CLIENT_ID: staging-storefront OAUTH2_HOST: staging-hydra OAUTH2_IDP_HOST_URL: https://api.staging.reactioncommerce.io/ OAUTH2_REDIRECT_URL: https://storefront.staging.reactioncommerce.io/callback OAUTH2_TOKEN_URL: http://staging-hydra:4444/oauth2/token PRINT_ERRORS: "false" SEARCH_ENABLED: "false" SESSION_MAX_AGE_MS: "2592000000" Another example of a patch is adding `serviceMonitorNamespaceSelector` and `serviceMonitorSelector` sections to a Prometheus manifest file: $ cat bootstrap/prometheus-operator/overlays/staging/patch-prometheus-application-selectors.yaml apiVersion: monitoring.coreos.com/v1 kind: Prometheus metadata: labels: prometheus: application name: application namespace: monitoring spec: serviceMonitorNamespaceSelector: matchExpressions: - key: name operator: In values: - staging serviceMonitorSelector: matchLabels: monitoring: application **In short, the Kustomize patching mechanism is powerful, and it represents the main method for customizing manifests for a given environment while keeping intact the default manifests under the `base` directory.** ### Automated PR creation into reaction-gitops from example-storefront We added a job to the CircleCI workflow for `reactioncommerce/example-storefront` (`master` branch) to create a PR automatically against `reactioncommerce/reaction-gitops`. The PR contains a single modification of the `reaction-storefront/overlays/staging/kustomize.yaml` file. It sets the Docker image tag to the CIRCLE_SHA1 of the current build by calling `kustomize edit set image [docker.io/${DOCKER_REPOSITORY}:${CIRCLE_SHA1}](http://docker.io/$%7BDOCKER_REPOSITORY%7D:$%7BCIRCLE_SHA1%7D)`. Details here: [https://github.com/reactioncommerce/example-storefront/blob/master/.circleci/config.yml#L101](https://github.com/reactioncommerce/example-storefront/blob/master/.circleci/config.yml#L101) ### Set up ElasticSearch and Fluentd for Kubernetes pod logging Create IAM policy and add it to EKS worker node role: { "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*", "Effect": "Allow" } ] } Create ElasticSearch domain `staging-logs` and configure it to use Amazon Cognito for user authentication for Kibana. Download `fluentd.yml` from [https://eksworkshop.com/logging/deploy.files/fluentd.yml](https://eksworkshop.com/logging/deploy.files/fluentd.yml) , kustomize it, then install `fluentd` manifests for staging: $ kustomize build bootstrap/fluentd/overlays/staging | kubectl create -f -