This is a simple web app that returns a counter of how many times the page has been seen. The application uses Redis to store the count.
It also has an endpoint protected by HTTP basic auth that will provide you with a secret string.
If you are an AWS Organization IAM user, please run commands related to AWS through `aws-vault`. For example:

```sh
aws-vault exec deleteit -- make init && make plan
```
EKS uses IAM to provide authentication to your Kubernetes cluster, via `aws eks get-token` or AWS IAM Authenticator for Kubernetes. But it still relies on the RBAC that is native to Kubernetes.
To follow the best practices of EKS, let's stick to using an IAM user to access the cluster.
After the user is created, we will also have to add it to the ConfigMap with `kubectl edit configmap/aws-auth -n kube-system`.
Check the official documentation: AWS - Managing Users or IAM Roles for your Cluster.
Follow the steps below to access this EKS cluster. Before we start, please make sure you have already added the Access / Secret Keys to your `~/.aws/credentials` and the corresponding profile to `~/.aws/config`.

A. Check the current IAM user that you are using.

```sh
aws sts get-caller-identity
```

B. Update your kubeconfig.

```sh
aws eks --region eu-west-2 update-kubeconfig --name demo-cluster
```

C. Check the result!

```sh
kubectl get nodes
```
SSH with keychain to the bastion instance to access the internal resources.
We can get the ALB address with `kubectl`:

```sh
kubectl get ingress -n demo -o=jsonpath="{..status.loadBalancer.ingress[0].hostname}"
```

The Flask and Redis related resources are all in the `demo` namespace.

```sh
kubectl get all -n demo
```
The secrets are injected in the CI/CD steps as secured environment variables.
Even though it's not a perfect way to deal with secrets, it works well.
I think the better way is to store the secrets in some kind of secret management system, such as SSM Parameter Store, and modify the code to retrieve the secrets at container runtime to avoid leaking them.
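As an added example of the runtime-retrieval approach mentioned above (not code from this project), the loader below tries SSM Parameter Store first and falls back to the CI-injected environment variables, so the same image works during the migration. The parameter names under `/demo/flask/` are assumed; the page does not define them. `get_parameter(Name=..., WithDecryption=True)` is the real boto3 SSM call; `FakeSSM` is a constructed stand-in so the example runs offline.

```python
import os
from typing import Callable, Mapping, Optional

# Assumed parameter names (hypothetical; the project does not define them).
SECRET_PARAMS = {
    "USERNAME": "/demo/flask/username",
    "PASSWORD": "/demo/flask/password",
    "BIGSECRET": "/demo/flask/thebigsecret",
}


def ssm_fetcher(client) -> Callable[[str], Optional[str]]:
    """Wrap a boto3 SSM client (boto3.client("ssm")) as a name -> value lookup.

    SecureString parameters are decrypted server-side via WithDecryption=True,
    which requires kms:Decrypt on the key, so the IAM role (IRSA) must allow it.
    A missing parameter returns None; any other error (AccessDenied, network)
    propagates so misconfiguration is not silently masked.
    """
    def fetch(name: str) -> Optional[str]:
        try:
            resp = client.get_parameter(Name=name, WithDecryption=True)
        except client.exceptions.ParameterNotFound:
            return None
        return resp["Parameter"]["Value"]
    return fetch


def load_secrets(fetch: Optional[Callable[[str], Optional[str]]] = None,
                 environ: Optional[Mapping[str, str]] = None) -> dict:
    """Resolve every secret: SSM first (when a fetcher is given), else env var.

    Fails fast with RuntimeError if a secret is missing everywhere, so the
    container does not start serving with an empty credential.
    """
    environ = os.environ if environ is None else environ
    resolved = {}
    for env_name, param_name in SECRET_PARAMS.items():
        value = fetch(param_name) if fetch is not None else None
        if not value:
            value = environ.get(env_name)
        if not value:
            raise RuntimeError(f"secret {env_name} not found in SSM or environment")
        resolved[env_name] = value
    return resolved


class FakeSSM:
    """Constructed stand-in for boto3's SSM client (offline demonstration only)."""

    class exceptions:
        class ParameterNotFound(Exception):
            pass

    def __init__(self, params: Mapping[str, str]):
        self._params = dict(params)

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> dict:
        if Name not in self._params:
            raise self.exceptions.ParameterNotFound(Name)
        return {"Parameter": {"Name": Name, "Value": self._params[Name]}}


if __name__ == "__main__":
    # Constructed sample: two secrets in "SSM", one still coming from the CI env.
    fake = FakeSSM({"/demo/flask/username": "alice", "/demo/flask/password": "pw"})
    print(load_secrets(ssm_fetcher(fake), environ={"BIGSECRET": "from-ci"}))
```

In production you would pass `ssm_fetcher(boto3.client("ssm"))` and no `environ`, so only the pod's IRSA role, not the CI system, ever holds the plaintext values.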
We are using Helm to deploy the application and `--set` to specify the variables.
Of course, you can also use `-f values.yaml` instead.
This Helm chart contains the Flask Deployment / Service / Ingress / Secrets and the Redis Deployment / Service, as well as a namespace.
```sh
# First time to install the chart.
helm install app ./chart \
  --set deployment.flask.image.repository=$ACCOUNT_ID.dkr.ecr.eu-west-2.amazonaws.com/flask-app \
  --set deployment.flask.image.tag=$DEPLOY_VERSION \
  --set secrets.username.value=$USERNAME \
  --set secrets.password.value=$PASSWORD \
  --set secrets.thebigsecret.value=$BIGSECRET \
  --set deploy.version=$DEPLOY_VERSION

# To upgrade the chart (deploy/release).
helm upgrade app ./chart \
  --set deployment.flask.image.repository=$ACCOUNT_ID.dkr.ecr.eu-west-2.amazonaws.com/flask-app \
  --set deployment.flask.image.tag=$DEPLOY_VERSION \
  --set secrets.username.value=$USERNAME \
  --set secrets.password.value=$PASSWORD \
  --set secrets.thebigsecret.value=$BIGSECRET \
  --set deploy.version=$DEPLOY_VERSION

# If you just want to check the result first.
helm upgrade app ./chart ...(skip) --dry-run --debug
```
All of the tfstate files are stored in S3, which is created by the `state-s3` project.
The VPC, Subnets, Internet Gateway, NAT Gateway and Security Group are all created by Terraform.
You can change the configuration by modifying `terraform/vpc/config/dev.tfvars`. For organization users, remember to use `aws-vault`.

```sh
# Go into the VPC project directory.
cd terraform/vpc

# If you want to check the status of those resources, please run the following commands.
make init && make plan

# If you want to deploy the changes.
make apply
```
The EKS cluster and related resources are all created by Terraform.
The Terraform project contains the EKS Cluster, Node Group, IAM Roles/Policies, ECR, and OIDC & IRSA.

```sh
# Go into the EKS project directory.
cd terraform/eks

# If you want to check the status of those resources, please run the following commands.
make init && make plan

# If you want to deploy the changes.
make apply
```
In the `eks-addons` directory, we install the following plugins with Ansible Playbooks:

- Metrics Server
- Kubernetes Dashboard
- EKS Admin ServiceAccount
- ALB Ingress Controller
- Cluster Autoscaler (CA)

Travis CI is my choice, and it's a quite simple tool to deploy a simple application.
All of the details are in `.travis.yml`.

```sh
docker-compose up
```
- `GET /` - shows a hello message with a counter of how many times the page has been visited.
- `GET /spersecret` - this path requires HTTP basic authentication and will tell you a super secret.
- `GET /health` - health check page.
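As an added example of the three endpoints above (not the project's own code), the sketch below keeps the security-relevant logic in plain functions: a tolerant `Authorization` header parser that never raises on malformed input, a constant-time credential check with `hmac.compare_digest` that compares both username and password before deciding, and a counter that relies on a single Redis `INCR` so concurrent replicas never lose a count. `create_app` is a hypothetical Flask factory; `InMemoryCounter` is a constructed stand-in for the Redis client so the logic runs offline.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an Authorization header, or None when
    the header is absent, not Basic, not valid base64, or lacks a colon."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def credentials_valid(header: Optional[str], username: str, password: str) -> bool:
    """Constant-time comparison of both fields; no early return on a wrong
    username, so timing does not reveal which half was wrong."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user_ok = hmac.compare_digest(creds[0].encode("utf-8"), username.encode("utf-8"))
    pass_ok = hmac.compare_digest(creds[1].encode("utf-8"), password.encode("utf-8"))
    return user_ok and pass_ok


class InMemoryCounter:
    """Constructed stand-in for redis.Redis with the same INCR semantics."""

    def __init__(self):
        self.values = {}

    def incr(self, key: str) -> int:
        self.values[key] = self.values.get(key, 0) + 1
        return self.values[key]


def visit(store, key: str = "hits") -> int:
    """One atomic INCR (read-modify-write in the app would race across pods)."""
    return int(store.incr(key))


def create_app(store, username: str, password: str, big_secret: str):
    """Hypothetical Flask app factory wiring the functions above to the routes."""
    from flask import Flask, Response, request

    app = Flask(__name__)

    @app.get("/")
    def index():
        return f"Hello! This page has been visited {visit(store)} times.\n"

    @app.get("/spersecret")
    def secret():
        if not credentials_valid(request.headers.get("Authorization"), username, password):
            return Response("Unauthorized\n", 401, {"WWW-Authenticate": 'Basic realm="demo"'})
        return f"{big_secret}\n"

    @app.get("/health")
    def health():
        return "ok\n"

    return app


if __name__ == "__main__":
    import os
    import redis  # assumed: the chart's Redis Service name is used as the host

    store = redis.Redis(host=os.environ.get("REDIS_HOST", "redis"), port=6379)
    create_app(store, os.environ["USERNAME"], os.environ["PASSWORD"],
               os.environ["BIGSECRET"]).run(host="0.0.0.0", port=5000)
```

The secret values are read from the same `USERNAME`, `PASSWORD` and `BIGSECRET` variables the Helm chart sets, so the app never embeds them in the image.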