# Introduction to AppMesh

HackMD: https://reurl.cc/gZvljQ
EventEngine: https://dashboard.eventengine.run/login?hash=26d9-14eb6d11b4-fa
Event Hash: 26d9-14eb6d11b4-fa
Lab Guide: https://www.appmeshworkshop.com/introduction/

Check-in:
![](https://i.imgur.com/tDhVVQm.jpg)

Lab chapters to complete:
- Start the Workshop (begin from Create a workspace)
- Mesh the Crystal Service (only Create the service mesh)
- Mesh the NodeJS Service
- Mesh the Frontend Service
- Monitoring & Logging (only Setup Container Insights for NodeJS App)
- Cloud Map Service Discovery (only Create a Discovery Service, NodeJS app with Cloud Map, Remove NodeJS Load Balancer)
- Ingress with Virtual Gateway (only Virtual Gateway Ingress to NodeJS service)
- ~~Header based routing (requires ECS Service and Deployment Strategies)~~

Agenda
![](https://i.imgur.com/GazyuAs.png)

## Start the Workshop

> Note!!! Make sure you create the AWS resources in Oregon (us-west-2).

### Create a workspace

Make sure the Cloud9 environment is named `AppMesh-Workshop`; otherwise later steps may behave unexpectedly.
For the Cloud9 instance type, choose Additional Instance: t3.medium and keep the other defaults.

### Install the Required Tools

The eksctl URL in the middle of that section has to be changed so that it carries the version number *v0.126.0* directly:

```bash
curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.126.0/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
```

When it finishes, run `eksctl version` to confirm the install succeeded.

### Deploy the baseline stack

The Frontend LB health check fails because the user-data packaged in the CloudFormation template uses an rbenv version that is too old; re-run the second half of the EC2 launch template user-data by hand.

First do the next step, RETRIEVE THE SSH KEY, to get the public key: https://www.appmeshworkshop.com/prerequisites/sshkey/

Open a new terminal, SSH into one of the Ruby frontend EC2 instances (there are three in total), switch to the root user and source the bash settings.

```bash
# From Cloud9 terminal
ssh {EC2 public ip}
...
sudo su -
source /tmp/.bashrc
```

Then copy the following and run it again:

```bash
rbenv install 2.5.1 && rbenv global 2.5.1
# Install rails and bundler
gem install --force rails:4.2.10 bundler:1.17.3
# gem update --system # Skip it
# Clone the repo and build the app
export RUBY_ROOT=/tmp/ecsdemo-frontend
git clone https://github.com/ffeijoo/ecsdemo-frontend.git /tmp/ecsdemo-frontend
cd $RUBY_ROOT
bundle update --bundler
bundle install
# Set environment variables for routing
export MESH_RUN='true'
export CRYSTAL_URL='http://crystal.appmeshworkshop.hosted.local:3000/crystal'
export NODEJS_URL='http://nodejs.appmeshworkshop.hosted.local:3000'
# Run at boot
sed -i '$ d' startup.sh && echo 'rails s -e production -b 0.0.0.0' >> startup.sh
nohup ./startup.sh &
```

> It takes about ten minutes for the Ruby Frontend to come up. In the meantime, open new terminals for the other two Ruby instances and repeat the steps above until all three health checks pass.

The original file can be viewed under EC2 → Launch templates → Ruby-EC2Instance-LaunchTemplate-appmesh-workshop → Details → (Tab) Advanced details. Everything from the line `rbenv install 2.5.1 && rbenv global 2.5.1` (inclusive) onward was not installed and run correctly.

The Ruby frontend does not affect this lab for now; go back to the main terminal and continue.

### Deploy the NodeJs Service (Optional)

Grant the Console user EKS permissions so that later debugging is easier.

```bash
rolearn=$(aws cloud9 describe-environment-memberships --environment-id=$C9_PID | jq -r '.memberships[].userArn')
echo ${rolearn}
```

[!] If the echo command's result contains assumed-role, perform the additional actions below.

```bash
assumedrolename=$(echo ${rolearn} | awk -F/ '{print $(NF-1)}')
rolearn=$(aws iam get-role --role-name ${assumedrolename} --query Role.Arn --output text)
echo ${rolearn}
```

Create an identity mapping, then check the aws-auth config map information:

```bash
eksctl create iamidentitymapping --cluster appmesh-workshop --arn ${rolearn} --group system:masters --username admin
kubectl describe configmap -n kube-system aws-auth
```

---

> Confirm that the Ruby Frontend has started successfully.

Log in to ECR first:

```bash
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 180262397898.dkr.ecr.us-west-2.amazonaws.com
```

In ~/environment/eks-scripts/nodejs-deployment.yml, change `image: aws-containers/ecsdemo-nodejs:latest` to the URL of your ECR appmesh-workshop-nodejs image:

```yaml
spec:
  containers:
    # Change image: aws-containers/ecsdemo-nodejs:latest to the image URL you uploaded to ECR, e.g.:
    - image: 180262397898.dkr.ecr.us-west-2.amazonaws.com/appmesh-workshop-nodejs-wn491vbusl2r:latest
```

## Mesh the NodeJS Service (EKS)

Install Helm. Versions after v3.8 have an issue, so pin to v3.8.2:

```bash
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh --version v3.8.2
```

When you reach the "create IAM Roles for Service Accounts (IRSA)" code block, copy and paste the code below instead; the permissions given in the workshop are insufficient for the later steps.

```bash
kubectl create ns appmesh-system

# Create your OIDC identity provider for the cluster
eksctl utils associate-iam-oidc-provider \
  --cluster appmesh-workshop \
  --approve

# Download the IAM policy for AWS App Mesh Kubernetes Controller
curl -o controller-iam-policy.json https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/controller-iam-policy.json

# Create an IAM policy called AWSAppMeshK8sControllerIAMPolicy
aws iam create-policy \
  --policy-name AWSAppMeshK8sControllerIAMPolicy \
  --policy-document file://controller-iam-policy.json

# Create an IAM role for the appmesh-controller service account
eksctl create iamserviceaccount --cluster appmesh-workshop \
  --namespace appmesh-system \
  --name appmesh-controller \
  --attach-policy-arn arn:aws:iam::$ACCOUNT_ID:policy/AWSAppMeshK8sControllerIAMPolicy \
  --override-existing-serviceaccounts \
  --approve
```

For how to use each of the App Mesh controller's CRDs (_meshes, virtualnodes, virtualrouters, virtualservices, virtualgateways and gatewayroutes_), see: https://docs.aws.amazon.com/app-mesh/latest/userguide/getting-started-kubernetes.html

## Monitoring & Logging

### Setup Container Insights for NodeJS App

Change the URL used to install the cwagent and fluentd agent to the following:

```bash
curl -s https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/latest/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/quickstart/cwagent-fluentd-quickstart.yaml | sed "s/{{cluster_name}}/eksworkshop-eksctl/;s/{{region_name}}/${AWS_REGION}/" | kubectl apply -f -
```

After the installation completes, run the command below to get your EKS Container Insights URL:

```bash
echo "
Use the URL below to access Cloudwatch Container Insights in $AWS_REGION:
https://console.aws.amazon.com/cloudwatch/home?region=${AWS_REGION}#container-insights:performance/EKS:Service?~(query~(controls~(CW*3a*3aEKS.cluster~(~'eksworkshop-eksctl)))~context~())"
```

## Ingress with virtual gateway

### Virtual Gateway Ingress to NodeJS Service

After "Create Virtual Service yaml file", the `kubectl apply` is missing; run:

```bash
kubectl apply -f ~/environment/eks-scripts/app-mesh-virtual-gateway.yml
```

In the "We add the Kube context for EKS connectivity" section, delete the "Add new context arn:aws:eks:xxxxx:xxxxxxx:cluster..." part below it and run only the first line:

```bash
aws eks --region us-west-2 update-kubeconfig --name appmesh-workshop
```

# Survey Link

![](https://i.imgur.com/W72Iaz8.png)
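For the Install the Required Tools step, the guide pins eksctl to v0.126.0 but extracts the tarball without checking it. The script below is an added example, not the workshop's own script: it downloads the pinned release and verifies the tarball's SHA-256 before extracting. It assumes the release ships a `sha256sum`-format checksum file named `eksctl_checksums.txt` (an assumption; adjust the name if the release differs) and that `sha256sum` is available.

```shell
# Added example: pin the eksctl version, as the guide does, and verify the
# tarball against the published SHA-256 checksums before extracting it.
# Assumptions: the release publishes eksctl_checksums.txt (assumed name) in
# sha256sum format ("<hash>  <file>" or "<hash> *<file>"), and sha256sum exists.
EKSCTL_VERSION="v0.126.0"
EKSCTL_BASE="https://github.com/weaveworks/eksctl/releases/download/${EKSCTL_VERSION}"

# verify_sha256 FILE CHECKSUM_FILE
# Returns 0 if FILE's SHA-256 matches the entry for its basename in
# CHECKSUM_FILE, 1 on mismatch or when the file is not listed at all.
verify_sha256() {
  file="$1"; sums="$2"
  expected=$(awk -v f="$(basename "$file")" \
    '{ name=$2; sub(/^\*/, "", name); if (name == f) print $1 }' "$sums")
  [ -n "$expected" ] || { echo "no checksum listed for $file" >&2; return 1; }
  actual=$(sha256sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# Download the pinned tarball plus its checksum file, verify, then extract
# to /tmp exactly as the guide does. Nothing is extracted on a mismatch.
install_eksctl() {
  tarball="eksctl_$(uname -s)_amd64.tar.gz"
  curl --silent --location -o "/tmp/${tarball}" "${EKSCTL_BASE}/${tarball}"
  curl --silent --location -o /tmp/eksctl_checksums.txt \
    "${EKSCTL_BASE}/eksctl_checksums.txt"
  verify_sha256 "/tmp/${tarball}" /tmp/eksctl_checksums.txt || return 1
  tar xz -C /tmp -f "/tmp/${tarball}"
  /tmp/eksctl version
}
```

Run `install_eksctl` in the Cloud9 terminal in place of the single curl pipeline; `eksctl version` still confirms the install at the end.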
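For the aws-auth identity mapping in Deploy the NodeJs Service, the guide resolves an assumed-role ARN (`arn:aws:sts::…:assumed-role/RoleName/Session`) back to the IAM role with `aws iam get-role`. The function below is an added example, not the workshop's code: it does the same normalization offline so the exact principal can be checked before it is mapped to `system:masters` (cluster-admin). It assumes the role has no IAM path; with a path, `aws iam get-role` as in the guide is the authoritative way to resolve it.

```shell
# Added example: normalize the ARN from `aws cloud9 describe-environment-memberships`
# into the principal ARN that `eksctl create iamidentitymapping --arn` expects.
#   arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
#     -> arn:aws:iam::<account>:role/<RoleName>
# Assumption: the role has no IAM path (otherwise use `aws iam get-role`).
normalize_role_arn() {
  arn="$1"
  case "$arn" in
    arn:aws:sts::*:assumed-role/*/*)
      account=$(printf '%s' "$arn" | awk -F: '{print $5}')
      # Same field the guide extracts: the second-to-last "/"-separated field.
      rolename=$(printf '%s' "$arn" | awk -F/ '{print $(NF-1)}')
      printf 'arn:aws:iam::%s:role/%s\n' "$account" "$rolename"
      ;;
    arn:aws:iam::*:role/*|arn:aws:iam::*:user/*)
      # Already an IAM role or user ARN: aws-auth can map it as-is.
      printf '%s\n' "$arn"
      ;;
    *)
      printf 'unsupported principal ARN: %s\n' "$arn" >&2
      return 1
      ;;
  esac
}

# Print the exact eksctl command that would be run, so the principal being
# granted system:masters can be reviewed before anything is applied.
print_mapping_command() {
  role=$(normalize_role_arn "$1") || return 1
  printf 'eksctl create iamidentitymapping --cluster appmesh-workshop --arn %s --group system:masters --username admin\n' "$role"
}
```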