What are we doing here? We are deploying a simple Flask application that is powered by an underlying database called CockroachDB. We are deploying this on Amazon's Elastic Kubernetes Service (EKS) so that you can learn how to deploy modern applications that work on a consistent database and efficient, flexible infrastructure.
Why is this important? It modernizes your skill set so you can develop modern applications for yourself, for someone else, your business, your charity, your company, etc.
1- Sign up for an Amazon Web Services account if you don't have one. You can do this with GKE and other flavors of K8S but the instructions below will have to be adjusted.
2- Install helm - This is a package manager for deploying software on Kubernetes. I have a Mac so Homebrew works the best...
brew install helm
helm repo add stable https://kubernetes-charts.storage.googleapis.com
helm repo update
3- Install aws cli and eksctl. Make sure AWS-IAM Authenticator and kubectl are installed too. The eksctl installer should install these things. If not...
brew install aws-iam-authenticator
brew install kubectl
You can utilize Cockroach Labs documentation as well for creating an EKS cluster with the proper resource settings. Update the EKS_CLUSTER_NAME and EKS_PUBLIC_KEY variables in the script below.
./create_eks.sh
Two options here: Insecure (Helm install) or Secure with custom CA (Manual Install)
While your EKS cluster is being created, you can start another terminal session and prepare Helm.
helm template stable/cockroachdb --output-dir ./
Ensure your template/values.yaml file has the following params:
- statefulset.resources.limits.memory: "8Gi"
- statefulset.resources.requests.memory: "8Gi"
- conf.cache: "2Gi"
- conf.max-sql-memory: "2Gi"
helm install my-release --values ./cockroachdb/templates/values.yaml stable/cockroachdb
Primary Documentation to do this is here. Unfortunately you cannot do a Helm install for a secure EKS install since EKS doesn't support certificate signing requests. The StatefulSet in this repo is maintained here.
mkdir certs
mkdir my-safe-directory
cockroach cert create-ca --certs-dir=certs --ca-key=my-safe-directory/ca.key
cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key
cockroach cert create-client maxroach --certs-dir=certs --ca-key=my-safe-directory/ca.key
kubectl create secret generic cockroachdb.client.root --from-file=certs
kubectl create secret generic cockroachdb.client.maxroach --from-file=certs
cockroach cert create-node --certs-dir=certs --ca-key=my-safe-directory/ca.key localhost 127.0.0.1 cockroachdb-public cockroachdb-public.default cockroachdb-public.default.svc.cluster.local *.cockroachdb *.cockroachdb.default *.cockroachdb.default.svc.cluster.local
kubectl create secret generic cockroachdb.node --from-file=certs
kubectl create -f cockroachdb-statefulset.yaml
kubectl exec -it cockroachdb-0 -- /cockroach/cockroach init --certs-dir=/cockroach/cockroach-certs
kubectl port-forward cockroachdb-0 8080
If you are using Chrome and get blocked by a cert / privacy warning, type in "thisisunsafe". Or just use Safari and click through.
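Each `kubectl create secret generic ... --from-file=certs` step above hands kubectl the whole directory, so every secret carries whatever files are in `certs` at that moment. The check below is an added example, not part of the original repo; the function names and the idea that a secret should hold only the keys you list are assumptions of this example, and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example. Usage: audit_secret_dir DIR EXPECTED_ID...
# Reports the private keys that `kubectl create secret generic NAME --from-file=DIR`
# would bundle. EXPECTED_ID is an identity whose key belongs in the secret
# (client.root, client.maxroach, node). Returns 1 if anything is flagged.
audit_secret_dir() {
  local dir=$1 rc=0 f name id expected perms
  shift
  for f in "$dir"/*; do
    # --from-file=DIR packages regular files only (no subdirectories or symlinks).
    if [ ! -f "$f" ] || [ -L "$f" ]; then continue; fi
    name=$(basename "$f")
    case "$name" in
      ca.key) echo "CRITICAL $name: CA private key would be uploaded"; rc=1; continue ;;
      *.key)  ;;
      *)      continue ;;                 # certificates are public material
    esac
    expected=no
    for id in "$@"; do
      if [ "$name" = "$id.key" ]; then expected=yes; fi
    done
    if [ "$expected" = no ]; then
      echo "WARN $name: private key outside the expected set ($*)"; rc=1
      continue
    fi
    perms=$(ls -ld "$f" | cut -c5-10)     # group and other permission bits
    if [ "$perms" != "------" ]; then
      echo "WARN $name: readable beyond its owner ($perms)"; rc=1
    fi
  done
  return $rc
}

# Constructed sample: empty files named the way `cockroach cert` names them,
# matching the certs directory when the maxroach client secret is created.
make_sample_certs_dir() {
  local d
  d=$(mktemp -d)
  touch "$d/ca.crt" "$d/client.root.crt" "$d/client.root.key" \
        "$d/client.maxroach.crt" "$d/client.maxroach.key"
  chmod 600 "$d"/*.key
  echo "$d"
}

sample=$(make_sample_certs_dir)
audit_secret_dir "$sample" client.maxroach || echo "=> copy only the needed files into a staging directory first"
rm -rf "$sample"
```

Run it against the real `certs` directory before each `kubectl create secret` call, listing the identities that secret is meant to serve.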
The client.yaml file in this repo is maintained here.
kubectl create -f client.yaml
kubectl exec -it cockroachdb-client-secure -- ./cockroach sql --certs-dir=/cockroach-certs --host=cockroachdb-public
CREATE USER maxroach WITH PASSWORD 'cockroach';
CREATE DATABASE todos;
USE todos;
GRANT ALL ON DATABASE todos TO maxroach;
CREATE TABLE todos ( todo_id INT8 NOT NULL DEFAULT unique_rowid(), title VARCHAR(60) NULL, text VARCHAR NULL, done BOOL NULL, pub_date TIMESTAMP NULL, CONSTRAINT "primary" PRIMARY KEY (todo_id ASC), FAMILY "primary" (todo_id, title, text, done, pub_date) );
Primary Documentation and Primary Repo. All I did was create a Dockerfile and muck with the DB connection URI in the hello.cfg file to make this work for a secure CockroachDB cluster.
Only do this if you want to re-dockerize the Flask app. Otherwise, you can pull it from my Docker Hub repo:
cd hello-app
docker login
docker build -t <dockerhub_user>/hello-app .
docker push <dockerhub_user>/hello-app
If you want to connect your EKS cluster to your Docker Hub account, you can use the following snippet to add Docker credentials into EKS. Run this from your home directory.
cd ~
kubectl create secret generic dockercred --from-file=.dockerconfigjson=.docker/config.json --type=kubernetes.io/dockerconfigjson
kubectl apply -f app-deployment.yaml
kubectl port-forward $(kubectl get pods -l app=flask | grep appdeploy | head -1 | awk '{print $1}') 5000
Try killing a node and observe the behavior
kubectl delete pod cockroachdb-2
If you're able to set up all of the above correctly, you can utilize these scripts to deploy and remove the Cockroach K8S resources. Running apply_cockroach.sh will deploy the CockroachDB StatefulSet, deploy the Flask app and do a resilience test.
./apply_cockroach.sh
To remove all K8S applied resources, run the following script
./remove_all.sh
Also, it's a pain typing kubectl for everything. It helps to put an alias such as 'k' for kubectl in your .bash_profile.
aws sts get-caller-identity
- your current aws identity
kubectl api-resources
- Show all K8S resources
kubectl describe nodes
- Describe the nodes of your K8S cluster
kubectl get pods
- Get pods
kubectl delete pod <pod_name>
- Delete a pod
kubectl exec -it <pod_name> -- /bin/bash
- Connect to a running container / pod
kubectl get secrets
- get secrets
1) If you receive the following error when creating an EKS cluster, go into the CloudFormation UI and delete the stack mentioned below.
[✖] creating CloudFormation stack "eksctl-chrisc-test-cluster": AlreadyExistsException: Stack [eksctl-chrisc-test-cluster] already exists status code: 400, request id: c857aabf-2dea-4f54-b58a-da91c5a88c60
- kubectl Cheat Sheet
- Cockroach EKS Deployment
- EKS Cluster Deletion Issues <-- This was useful more than once