Trustsoft K8s 1-2.6.23
===

* Summary: https://docs.google.com/presentation/d/1T3c2_C5H6hSR6k4CPN-X67Nx_T6hKhYQh-QKLB1_ntY/edit?usp=sharing
* Minikube: https://docs.google.com/presentation/d/1bX3UGMQRuBjkZW89urH-xvz0rOBXbD8q3rmwYW8JQZw/edit?usp=sharing

## Connect to the account

Configure SSO (profile name, start URL and region are the values entered at the prompts):

```
aws configure sso
trustsoft
https://d-93670c3d7a.awsapps.com/start#
eu-west-1
```

Or log in with an existing profile:

```
aws sso login --profile trustsoft
```

Check `~/.aws/config` and add the profile to the new block. `config` dump:

```
[profile trustsoft]
sso_start_url = https://d-93670c3d7a.awsapps.com/start#
sso_region = eu-west-1
sso_account_id = 168194167032
sso_role_name = AWSAdministratorAccess
region = eu-west-1

[profile AWSAdministratorAccess-168194167032]
sso_start_url = https://d-93670c3d7a.awsapps.com/start#
sso_region = eu-west-1
sso_account_id = 168194167032
sso_role_name = AWSAdministratorAccess
region = eu-west-1
```

Clone the demo repo (SSH or HTTPS):

```
git clone git@github.com:beranm14/eks_demo.git
git clone https://github.com/beranm14/eks_demo.git
```

## EKS

Adjust `prefix` in `main.tf`.

Check:

* `main.tf`
* `vpc.tf`

Run:

```
terraform init
terraform plan
terraform apply
```

Apply takes 10 minutes.

Write the kubeconfig entry:

```
aws eks update-kubeconfig --region eu-west-1 --name beranm-testing-01 --profile trustsoft
```

Get credentials by switching to the cluster context:

```
kubectl config use-context arn:aws:eks:eu-west-1:168194167032:cluster/beranm-testing-01
```

## ArgoCD

```
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
```

Login (port-forward the UI):

```
kubectl port-forward service/argocd-server 8080:80 -n argocd &
```

Initial admin password:

```
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
```

## Lens

Install from https://k8slens.dev/

Metrics are missing until Prometheus is installed (next section).

## Install prometheus

Get `jsonnet`:

```
brew install jsonnet
```

or use `pip`.

Check the resources repo:

* Go to the `prometheus` folder
* Generate the app manifests and apply them:
  * `jsonnet crd.jsonnet | kubectl apply -f -`
  * `jsonnet app.jsonnet | kubectl apply -f -`
* Check the installation in the ArgoCD UI

Check Lens for metrics.

Check https://docs.aws.amazon.com/eks/latest/userguide/prometheus.html

## AWS application load balancer

Check & uncomment `lb.tf`

```
terraform init
terraform plan
terraform apply
```

## Deploy testing app

Check the `app` folder.

## External DNS

Check & uncomment `dns.tf`

**Zone definition might be only one**

```
terraform init
terraform plan
terraform apply
```

Zone NS servers are needed. If you have your own domain, feel free to use it.

Get the role ARN and use it in `external-dns`. Also change `txtOwnerId`.

## AWS Certificate manager

Check & uncomment `tls.tf`

**Certificate definition might be only one**

Check the certificate ARN. Adjust the load balancer:

```
kubectl annotate ingress sayhi "alb.ingress.kubernetes.io/certificate-arn"="arn:aws:acm:eu-west-1:168194167032:certificate/92aa5e0c-5e43-4266-aab1-b59050c78225" -n app
```

Or edit it.

## Helm

```
helm template helm-chart
helm template --set general.metadata.namespace=123456 helm-chart
helm upgrade --install app helm-chart
helm list
```

## Chart museum

Check the `helm.tf` file. We need the bucket and role ARN.

Let's deploy the app in the `chart-museum` folder.

### Publish chart

```
cd helm-chart
helm package .
kubectl port-forward service/chartmuseum 8081:8080 -n chartmuseum &
curl --data-binary "@sayhi-v1.0.0.tgz" http://localhost:8081/api/charts
```

Check data:

```
aws s3 ls s3://chart-museum-5n1y92wq --profile trustsoft
curl http://localhost:8081/api/charts
```

### Deploy app to argocd

```
helm delete app
jsonnet app.jsonnet | kubectl apply -f -
```

## Traefik

Check values: https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml

Service type load balancer creates an AWS classic application load balancer :-)

External DNS support is limited: set it on the service.

## Cert-manager

* Install the app in the `cert-manager` folder
* Install the issuer (check that it's just a staging setup)
* Adjust the ingress:
  * `kubectl annotate ingress -n app sayhi cert-manager.io/cluster-issuer=letsencrypt-staging`
  * `kubectl patch ingress sayhi -n app -p '{"spec":{"tls":[{"hosts":["trustsoft.beranm.cz"],"secretName":"tls"}]}}'` - change the hostname based on your setup

Careful:

```
The certificate request has failed to complete and will be retried: Failed to wait for order resource "tls-7dkgs-3790729635" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: Error creating new order :: Cannot issue for "k8s-app-sayhi-0878e2b579-1290160924.eu-west-1.elb.amazonaws.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy
```

Choose a custom domain.

Check `kubectl explain clusterissuer.spec.acme.solvers.http01.ingress.ingressTemplate.metadata`

## Misc

Heapster / metrics-server:

```
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
```

Random testing pod:

```
kubectl run -ti -n default ubuntu --image=ubuntu bash
```

IRSA: IAM Roles for Service Accounts, https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-enable-IAM.html
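A preflight check for the ACME rejection quoted in the Cert-manager section: the ALB hostname AWS generates for the ingress is refused by Let's Encrypt policy, so the TLS patch should only be generated for a custom domain. This is an added example, not part of the original notes; the hostname, secret name, ingress name and namespace are assumptions taken from the demo setup.

```shell
#!/bin/sh
# Added example (not from the original notes): refuse to request an ACME
# certificate for an AWS-generated hostname (e.g. the ELB name in the error
# above) and emit the ingress TLS patch only for a custom domain.

# acme_host_ok HOST -> 0 if HOST looks like a custom public FQDN, 1 otherwise
acme_host_ok() {
  host=$1
  case "$host" in
    *.amazonaws.com) return 1 ;;   # AWS-owned names: forbidden by ACME policy
    *.*) ;;                        # has at least one dot, keep checking
    *) return 1 ;;                 # bare label, not a public FQDN
  esac
  # only letters, digits, dots and hyphens are valid in a DNS name
  printf '%s' "$host" | grep -Eq '^[A-Za-z0-9.-]+$'
}

# tls_patch_json HOST SECRET -> prints the kubectl patch body, or fails
tls_patch_json() {
  acme_host_ok "$1" || return 1
  printf '{"spec":{"tls":[{"hosts":["%s"],"secretName":"%s"}]}}\n' "$1" "$2"
}

# Usage against the demo ingress (assumed name/namespace from the notes):
# tls_patch_json trustsoft.beranm.cz tls > /tmp/patch.json &&
#   kubectl patch ingress sayhi -n app -p "$(cat /tmp/patch.json)"
```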