# AWS EKS
## Tutorials & Articles
* [Provision a Kubernetes Cluster in Amazon EKS with Weaveworks eksctl and AWS CDK](https://blog.reactioncommerce.com/deploying-kubernetes-clusters-in-aws-eks-with-the-aws-cloud-development-kit/).
## Creating EKS cluster using the eksctl CLI
eksctl create cluster \
--name staging \
--version 1.14 \
--nodegroup-name staging-workers \
--node-type m5.xlarge \
--nodes 3 \
--nodes-min 1 \
--nodes-max 10 \
--node-ami auto
### Create RDS PostgreSQL instance
Create `hydra` database and `hydradbadmin` user/role in the database.
hydra=> CREATE DATABASE hydra;
CREATE DATABASE
hydra=> \q
hydra=> CREATE ROLE hydradbadmin;
CREATE ROLE
hydra=> ALTER ROLE hydradbadmin LOGIN;
ALTER ROLE
hydra=> ALTER USER hydradbadmin PASSWORD 'PASS';
ALTER ROLE
DB connection string: `postgres://hydradbadmin:PASS@staging.cjwa4nveh3ws.us-west-2.rds.amazonaws.com:5432/hydra`
### Create MongoDB database and user in Atlas
MONGO_OPLOG_URL: mongodb://domain:PASS@cluster0-shard-00-02-gk3cz.mongodb.net.:27017,[cluster0-shard-00-01-gk3cz.mongodb.net](http://cluster0-shard-00-01-gk3cz.mongodb.net/).:27017,[cluster0-shard-00-00-gk3cz.mongodb.net](http://cluster0-shard-00-00-gk3cz.mongodb.net/).:27017/local?authSource=admin&gssapiServiceName=mongodb&replicaSet=Cluster0-shard-0&ssl=true
MONGO_URL: mongodb://domain:PASS@cluster0-shard-00-02-gk3cz.mongodb.net.:27017,[cluster0-shard-00-01-gk3cz.mongodb.net](http://cluster0-shard-00-01-gk3cz.mongodb.net/).:27017,[cluster0-shard-00-00-gk3cz.mongodb.net](http://cluster0-shard-00-00-gk3cz.mongodb.net/).:27017/rc-staging?authSource=admin&gssapiServiceName=mongodb&replicaSet=Cluster0-shard-0&ssl=true
### Generate kubeconfig files for administrator and developer roles
Save the above file somewhere, then
export KUBECONFIG=/path/to/file
export AWS_PROFILE=profilename
This configuration uses the `aws-iam-authenticator` binary (needs to exist locally)
and maps an IAM role to an internal Kubernetes RBAC role.
This was created in the EKS cluster with:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: k8s-developer-role
namespace: staging
rules:
- apiGroups:
- ""
- "apps"
- "batch"
- "extensions"
resources:
- "configmaps"
- "cronjobs"
- "deployments"
- "events"
- "ingresses"
- "jobs"
- "pods"
- "pods/attach"
- "pods/exec"
- "pods/log"
- "pods/portforward"
- "secrets"
- "services"
verbs:
- "create"
- "delete"
- "describe"
- "get"
- "list"
- "patch"
- "update"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: k8s-developer-rolebinding
namespace: staging
subjects:
- kind: User
name: k8s-developer-user
roleRef:
kind: Role
name: k8s-developer-role
apiGroup: rbac.authorization.k8s.io
### Install nginx ingress controller and create ALB in front of nginx ingress service
The `Service` type for the `ingress-nginx` service is `NodePort` and not `LoadBalancer`
because we don't want AWS to create a new Load Balancer every time we recreate the ingress.
kind: Service
apiVersion: v1
metadata:
name: ingress-nginx
namespace: kube-ingress
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
type: NodePort
selector:
app: ingress-nginx
ports:
- name: http
port: 80
nodePort: 30080
targetPort: http
- name: https
port: 443
nodePort: 30443
targetPort: https
Instead, we provision an ALB and send both HTTP and HTTPS traffic to a Target Group that targets port 30080 on
the EKS worker nodes (which is the `nodePort` in the manifest above for HTTP traffic).
**NOTE**: need to add rule in EKS worker SG to allow SG of ALB to access port 30080.
### Create Kubernetes Secret for DockerHub credentials (for pulling private images)
apiVersion: v1
type: kubernetes.io/dockerconfigjson
kind: Secret
metadata:
name: reaction-docker-hub
data:
.dockerconfigjson: BASE64_OF_DOCKERHUB_AUTH_STRING
DOCKERHUB_AUTH_STRING={"auths":{"https://index.docker.io/v1/":{"username":"rck8s","password":"PASS","auth":"OBTAINED_FROM_DOCKER_CONFIG.JSON"}}}
This Secret was created in several namespaces (`default`, `staging`, `monitoring`, `logging`, `flux-system`)
### Install and customize Flux for GitOps workflow
Flux is installed in its own `flux-system` namespace.
To install it, it we ran:
kustomize build overlays/staging | kubectl apply -f -
The default `Deployment` for Flux is using the `weaveworks/flux` Docker image, which as of its last
version contains an older binary for `kustomize`.
Here is the `Dockerfile` for that image:
FROM fluxcd/flux:1.15.0
ARG REACTION_ENVIRONMENT
ENV SOPS_VERSION 3.4.0
ENV REACTION_ENVIRONMENT=${REACTION_ENVIRONMENT}
RUN /sbin/apk add npm
RUN wget https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux \
-O /usr/local/bin/sops; chmod +x /usr/local/bin/sops
For now, the script `build_and_push_image_staging.sh` sets this variable to `staging`:
#!/bin/bash
COMMIT_TAG=$(git rev-parse --short HEAD)
docker build --build-arg REACTION_ENVIRONMENT=staging -t reaction-flux:staging .
docker tag reaction-flux:staging reactioncommerce/reaction-flux:staging-${COMMIT_TAG}
docker push reactioncommerce/reaction-flux:staging-${COMMIT_TAG}
Flux generates an ssh key upon startup. We need to obtain that key with `fluxctl` and add
it as a deploy key to the `reaction-gitops` GitHub repo:
fluxctl --k8s-fwd-ns=flux-system identity
The `manifest-generation=true` argument allows Flux to inspect and use a special configuration file called
`.flux.yaml` in the root of the associated Git repo. The contents of this file are:
version: 1
commandUpdated:
generators:
- command: ./generate_kustomize_output.sh
Flux will `cd` into the `git-path` (set to `.` in our case in the args above), then will run the `command`
specified in the `.flux.yaml` file. The output of the command needs to be valid YAML, which Flux will apply
to the Kubernetes cluster via `kubectl apply -f -`.
We can run whatever commands we need, following whatever conventions we come up with, inside the `generate_kustomize_output.sh` script. Currently we do something along these lines:
#!/bin/bash
if [ -z $ENVIRONMENT ]; then
echo Please set the ENVIRONMENT environment variable to a value such as staging before running this script.
exit 1
fi
# this is necessary when running npm/npx inside a Docker container
npm config set unsafe-perm true
cd kustomize
for SUBDIR in `ls`; do
if [ "$1" ] && [ "${SUBDIR}" != "$1" ]; then
continue
fi
OVERLAY_DIR=${SUBDIR}/overlays/${ENVIRONMENT}
if [ ! -d "${OVERLAY_DIR}" ]; then
continue
fi
if [ -d "${OVERLAY_DIR}/.sops" ]; then
# decrypt sops-encrypted values and merge them into stub manifests for Secret objects
npx --quiet --package @reactioncommerce/merge-sops-secrets@1.2.1 sops-to-secret ${OVERLAY_DIR}/secret-stub.yaml > ${OVERLAY_DIR}/secret.yaml
fi
# generate kustomize output
kustomize build ${OVERLAY_DIR}
echo "---"
rm -rf ${OVERLAY_DIR}/secret.yaml
done
Flux will do a `git pull` against the branch of the `reaction-gitops` repo specified in the
command-line args (`master` in our case) every 5 minutes, and it will run the `generate_kustomize_output.sh` script, then will run `kubectl apply -f -` against the output of that script, applying any manifests that have changed.
The Flux `git pull` can also be forced with `fluxctl sync`:
fluxctl sync --k8s-fwd-ns flux-system
To redeploy a Flux container for example when the underlying Docker image changes, do this in the
`reaction-gitops` root directory:
cd bootstrap/flux
kustomize build overlays/staging | kubectl apply -f -
### Management of Kubernetes secrets
We use sops to encrypt secret values for environment variables representing credentials, database connections, etc.
We create one file per secret in directories of the format `kustomize/SERVICE/overlays/ENVIRONMENT/.sops.`
We encrypt the files with a KMS key specified in `.sops.yaml` in the directory `kustomize/SERVICE/overlays/ENVIRONMENT`.
Example:
cd kustomize/hydra/overlays/staging
echo -n "postgres://hydradbadmin:PASS@staging.cjwa4nveh3ws.us-west-2.rds.amazonaws.com:5432/hydra" > .sops/DATABASE_URL.enc
sops -e -i .sops/DATABASE_URL.enc
We also create a `secret-stub.yaml` file in the directory `kustomize/SERVICE/overlays/ENVIRONMENT` similar to this:
$ cat overlays/staging/secret-stub.yaml
apiVersion: v1
kind: Secret
metadata:
name: hydra
type: Opaque
data:
DATABASE_URL: BASE64_OF_PLAIN_TEXT_SECRET
OIDC_SUBJECT_TYPE_PAIRWISE_SALT: BASE64_OF_PLAIN_TEXT_SECRET
SYSTEM_SECRET: BASE64_OF_PLAIN_TEXT_SECRET
The Flux container will call the `generate_kustomize_output.sh` script, which will decrypt the files via Pete's `@reactioncommerce/merge-sops-secrets@1.2.1 sops-to-secret` utility and will stitch their values inside `secret-stub.yaml`, saving the output in a `secret.yaml` file which will then be read by `kustomize`.
Here is the relevant section from the `generate_kustomize_output.sh` script:
npx --quiet \
--package @reactioncommerce/merge-sops-secrets@1.2.1 \
sops-to-secret ${OVERLAY_DIR}/secret-stub.yaml > ${OVERLAY_DIR}/secret.yaml
The Flux container needs to be able to use the KMS key for decryption, so we had to create an IAM policy allowing access to this KMS key, then attach the policy to the EKS worker node IAM role.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:GetKeyPolicy",
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateDataKey*"
],
"Resource": "arn:aws:kms:us-west-2:773713188930:key/a8d73206-e37a-4ddf-987e-dbfa6c2cd2f8"
}
]
}
### Kubernetes manifest generation with Kustomize
We use Kustomize to generate Kubernetes manifests in YAML format.
There are several directories under the `kustomize` directory, one for each service to be deployed.
Example directory structure under `kustomize/reaction-storefront`:
|____overlays
| |____staging
| | |____patch-deployment-imagepullsecret.yaml
| | |____kustomization.yaml
| | |____hpa.yaml
| | |____secret-stub.yaml
| | |____.sops
| | | |____SESSION_SECRET.enc
| | | |____OAUTH2_CLIENT_SECRET.enc
| | |____configmap.yaml
| | |____.sops.yaml
|____base
| |____deployment.yaml
| |____ingress.yaml
| |____kustomization.yaml
| |____service.yaml
The manifests under the `base` directory define the various Kubernetes objects that will be created for `reaction-storefront` (similar to YAML manifests under the `templates` directory of a Helm chart, but with no templating). In this example we have a Deployment, a Service and an Ingress defined in their respective files.
The file `base/kustomization.yaml` specifies how these manifests files are collated and how other common information is appended:
$ cat base/kustomization.yaml
# Labels to add to all resources and selectors.
commonLabels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: reaction-storefront
app.kubernetes.io/name: reaction-storefront
# Value of this field is prepended to the
# names of all resources
#namePrefix: reaction-storefront
configMapGenerator:
- name: reaction-storefront
# List of resource files that kustomize reads, modifies
# and emits as a YAML string
resources:
- deployment.yaml
- ingress.yaml
- service.yaml
The customization for a specific environment such as `staging` happens in files in the directory `overlays/staging`. Here is the `kustomization.yaml` file from that directory:
$ cat overlays/staging/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: staging-
namespace: staging
images:
- name: docker.io/reactioncommerce/reaction-next-starterkit
newTag: 4e1c281ec5de541ec6b22c52c38e6e2e6e072a1c
resources:
- secret.yaml
- ../../base
patchesJson6902:
- patch: |-
- op: replace
path: /spec/rules/0/host
value: storefront.staging.reactioncommerce.io
target:
group: extensions
kind: Ingress
name: reaction-storefront
version: v1beta1
patchesStrategicMerge:
- configmap.yaml
- patch-deployment-imagepullsecret.yaml
Some things to note:
- You can customize the Docker image and tag used for a container inside a pod
- You can specify a prefix to be added to all object names, so a deployment declared in the `base/deployment.yaml` file with the name `reaction-storefront` will get `staging-` in front and will become `staging-reaction-storefront`
- You can apply patches to the files under `base` and specify values specific to this environment
Patches can be declared either inline in the `kustomization.yaml` file (such as the Ingress patch above), or in separate YAML files (such as the files in the `patchesStrategicMerge` section).
Here is an example of a separate patch file:
$ cat overlays/staging/patch-deployment-imagepullsecret.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: reaction-storefront
spec:
template:
spec:
imagePullSecrets:
- name: reaction-docker-hub
You need to specify enough information in the patch file for `kustomize` to identify the object to be patched. If you think of the YAML manifest as a graph with nodes specified by a succession of keys, then the patch needs to specify which node needs to be modified or added, and what is the new value for that key. In the example above, we add a new key at `spec->template->spec->imagePullSecrets->0 (item index)->name` and set its value to `reaction-docker-hub`.
**Environment variables** for a specific environment are set in the `configmap.yaml` file in the `overlays/ENVIRONMENT` directory. Example for `reaction-storefront`:
$ cat overlays/staging/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: reaction-storefront
data:
CANONICAL_URL: https://storefront.staging.reactioncommerce.io
DEFAULT_CACHE_TTL: "3600"
ELASTICSEARCH_URL: http://elasticsearch-client:9200
EXTERNAL_GRAPHQL_URL: https://api.staging.reactioncommerce.io/graphql-beta
HYDRA_ADMIN_URL: http://staging-hydra:4445
INTERNAL_GRAPHQL_URL: http://staging-reaction-core/graphql-beta
OAUTH2_ADMIN_PORT: "4445"
OAUTH2_AUTH_URL: https://auth.staging.reactioncommerce.io/oauth2/auth
OAUTH2_CLIENT_ID: staging-storefront
OAUTH2_HOST: staging-hydra
OAUTH2_IDP_HOST_URL: https://api.staging.reactioncommerce.io/
OAUTH2_REDIRECT_URL: https://storefront.staging.reactioncommerce.io/callback
OAUTH2_TOKEN_URL: http://staging-hydra:4444/oauth2/token
PRINT_ERRORS: "false"
SEARCH_ENABLED: "false"
SESSION_MAX_AGE_MS: "2592000000"
Another example of a patch is adding `serviceMonitorNamespaceSelector` and `serviceMonitorSelector` sections to a Prometheus manifest file:
$ cat bootstrap/prometheus-operator/overlays/staging/patch-prometheus-application-selectors.yaml
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
labels:
prometheus: application
name: application
namespace: monitoring
spec:
serviceMonitorNamespaceSelector:
matchExpressions:
- key: name
operator: In
values:
- staging
serviceMonitorSelector:
matchLabels:
monitoring: application
**In short, the Kustomize patching mechanism is powerful, and it represents the main method for customizing manifests for a given environment while keeping intact the default manifests under the `base` directory.**
### Automated PR creation into reaction-gitops from example-storefront
We added a job to the CircleCI workflow for `reactioncommerce/example-storefront` (`master` branch) to create a PR automatically against `reactioncommerce/reaction-gitops`.
The PR contains a single modification of the `reaction-storefront/overlays/staging/kustomize.yaml` file. It sets the Docker image tag to the CIRCLE_SHA1 of the current build by calling `kustomize edit set image [docker.io/${DOCKER_REPOSITORY}:${CIRCLE_SHA1}](http://docker.io/$%7BDOCKER_REPOSITORY%7D:$%7BCIRCLE_SHA1%7D)`.
Details here:
[https://github.com/reactioncommerce/example-storefront/blob/master/.circleci/config.yml#L101](https://github.com/reactioncommerce/example-storefront/blob/master/.circleci/config.yml#L101)
### Set up ElasticSearch and Fluentd for Kubernetes pod logging
Create IAM policy and add it to EKS worker node role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Create ElasticSearch domain `staging-logs` and configure it to use Amazon Cognito for user authentication for Kibana.
Download `fluentd.yml` from [https://eksworkshop.com/logging/deploy.files/fluentd.yml](https://eksworkshop.com/logging/deploy.files/fluentd.yml) , kustomize it, then install `fluentd` manifests for staging:
$ kustomize build bootstrap/fluentd/overlays/staging | kubectl create -f -