EKS Setup
This section includes the following topics:
- Overview
- Creating an EKS Cluster
- Updating the Helm Repository
- Creating an Application Load Balancer
- Installing the Kubernetes Secrets store CSI driver
- Deploying EKS Services
Overview
This section assumes that all steps on the Preparation page have been completed before any EKS-related command below is run.
Several new AWS resources are spun up when the cluster is built.
By default, the setup creates a new VPC (10.8.0.0/16) with 3 subnets, private and public route tables, Internet and NAT gateways, and 3 node groups in different availability zones in the us-west-2 region. Each node is created with the t3.medium instance type.
Creating an EKS Cluster
Define shell environment variables before continuing to execute the commands:
export AWS_PROFILE='default'
export AWS_REGION='us-west-1'
export AWS_ACCOUNT=$(aws sts get-caller-identity --query 'Account' --output text)
export CLUSTER_NAME='zerosystems-cluster'
export HELM_VERSION='1.9.0'
export IMAGE_TAG='1.9.0.41'
export SECRET_NAME=''
export CERT_ARN=''
SECRET_NAME - the name of the secret you created in Secrets Manager on the Preparation page.
CERT_ARN - the certificate ARN you noted in the SSL Certificate section.
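Every command that follows expands these variables, and an empty SECRET_NAME or a CERT_ARN issued in the wrong region only surfaces as a failed helm release much later. The pre-flight check below is an added example, not a script from the original page or from Zero Systems; it uses the page's own variable names, treats the sample values in the usage comment as constructed, and assumes (as ALB requires) that the ACM certificate lives in the same region as the cluster.

```shell
#!/bin/sh
# Added example (not part of the original page): pre-flight check of the shell
# variables this page asks you to export, run before eksctl/helm are invoked.
# Variable names are the page's own; any sample values are constructed.

# Return 0 when every variable named in "$@" is set and non-empty, else 1.
require_vars() {
  missing=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing or empty: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Return 0 when $1 is a 12-digit AWS account id, as returned by
# `aws sts get-caller-identity` (the page stores it in AWS_ACCOUNT).
is_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Return 0 when $1 looks like an ACM certificate ARN, e.g.
#   arn:aws:acm:us-west-1:123456789012:certificate/<uuid>
# The aws-us-gov partition and multi-part GovCloud region names are accepted,
# matching the GovCloud/other-regions split used later on this page.
is_acm_cert_arn() {
  printf '%s' "$1" | grep -Eq \
    '^arn:aws(-us-gov)?:acm:[a-z]{2}(-[a-z]+)+-[0-9]+:[0-9]{12}:certificate/[0-9a-f-]{36}$'
}

# Run every check the page's variables need; non-zero on the first failure.
preflight() {
  require_vars AWS_PROFILE AWS_REGION AWS_ACCOUNT CLUSTER_NAME HELM_VERSION \
    IMAGE_TAG SECRET_NAME CERT_ARN || return 1
  is_account_id "$AWS_ACCOUNT" \
    || { echo "AWS_ACCOUNT is not a 12-digit account id: $AWS_ACCOUNT" >&2; return 1; }
  is_acm_cert_arn "$CERT_ARN" \
    || { echo "CERT_ARN is not an ACM certificate ARN: $CERT_ARN" >&2; return 1; }
  # An ALB can only use an ACM certificate from its own region, and the helm
  # install below passes AWS_REGION to the controller, so the two must agree.
  cert_region=$(printf '%s' "$CERT_ARN" | cut -d: -f4)
  [ "$cert_region" = "$AWS_REGION" ] \
    || { echo "CERT_ARN region ($cert_region) differs from AWS_REGION ($AWS_REGION)" >&2; return 1; }
  echo "preflight ok"
}

# Usage: export the variables from this page, then run `sh preflight.sh --check`
# (or source the file and call preflight from the same shell).
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```

If the check fails, fix the offending variable before running eksctl; nothing in this script calls AWS, so it is safe to re-run as often as needed.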
Open zero-eksctl.yaml and edit availabilityZones and region in the cluster section, and availabilityZones in the nodegroups section, as needed. If required, also edit the VPC CIDR and the cluster name. Make sure the region you set here matches the AWS_REGION exported above, since the helm commands below use that variable. Save the file, then run eksctl:
$ eksctl create cluster -f zero-eksctl.yaml
When the command above completes, a new VPC exists that can now be used to set up a database. For details on how to set up a database, see Database Setup.
Find the VPC ID with the following CLI command; it is used later in the helm install.
$ export VPC_ID=$(aws ec2 describe-vpcs --filter Name=tag:Name,Values=eksctl-${CLUSTER_NAME}-cluster/VPC --query 'Vpcs[].VpcId' --output text)
Create an IAM policy:
- Download an IAM policy for the AWS Load Balancer Controller so it can make calls to AWS APIs on your behalf.
  - AWS GovCloud (US-East) or AWS GovCloud (US-West) AWS regions:
    $ curl -o iam_policy_us-gov.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.3/docs/install/iam_policy_us-gov.json
  - All other AWS regions:
    $ curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.3/docs/install/iam_policy.json
- Create an IAM policy using the policy document downloaded in the previous step. If you downloaded iam_policy_us-gov.json, rename it to iam_policy.json before running the command:
  $ aws iam create-policy --policy-name AWSLoadBalancerControllerIAMPolicy --policy-document file://iam_policy.json
Create an IAM service account:
$ eksctl create iamserviceaccount \
--cluster=${CLUSTER_NAME} \
--namespace=kube-system \
--name=aws-load-balancer-controller \
--role-name "AmazonEKSLoadBalancerControllerRoleZero" \
--attach-policy-arn=arn:aws:iam::${AWS_ACCOUNT}:policy/AWSLoadBalancerControllerIAMPolicy \
--approve
$ kubectl annotate serviceaccount -n kube-system aws-load-balancer-controller eks.amazonaws.com/sts-regional-endpoints=true
Load balancing is handled by ALB (Application Load Balancer).
Updating the Helm Repository
Use the following script to update the Helm repository:
$ helm repo add eks https://aws.github.io/eks-charts
$ helm repo add zeroconnectapi https://saas-repo.zerosystems.com/helm/
$ helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
$ helm repo update
Creating an Application Load Balancer
$ helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
-n kube-system --set clusterName=${CLUSTER_NAME} \
--set serviceAccount.create=false \
--set serviceAccount.name=aws-load-balancer-controller \
--set region=${AWS_REGION} \
--set vpcId=${VPC_ID} \
--set image.repository=602401143452.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-load-balancer-controller
The registry account ID 602401143452 differs in some regions; check the value for the region you are deploying to in the list of Amazon container image registries.
Installing the Kubernetes Secrets store CSI driver
Run the following helm and kubectl commands:
$ helm install -n kube-system --set syncSecret.enabled=true csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver
$ kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
Create an IAM policy:
$ POLICY_ARN=$(aws --query Policy.Arn --output text iam create-policy --policy-name secretsmanager-policy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ecr:*",
            "Resource": "*"
        }
    ]
}')
Create the service account to be used by the pod and associate the IAM policy above with the created service account.
$ eksctl create iamserviceaccount --name secretsmanager-policy-sa --cluster ${CLUSTER_NAME} --attach-policy-arn "$POLICY_ARN" --approve --override-existing-serviceaccounts
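The policy document above grants GetSecretValue on "Resource": "*", which lets any pod running under secretsmanager-policy-sa read every secret in the account, not only the one named in SECRET_NAME. The script below is an added example, not a command from the original page or from Zero Systems: it emits the same statement scoped to specific Secrets Manager ARNs, built from the page's AWS_REGION, AWS_ACCOUNT and SECRET_NAME variables. It assumes the aws partition, assumes image pulls are already covered by the node role (eksctl's default nodegroup policies include ECR read access) and therefore omits the ecr:* statement; restore that statement if your pods call ECR directly.

```shell
#!/bin/sh
# Added example (not the page's own command): emit a least-privilege version of
# the secretsmanager-policy document shown above, scoped to named secret ARNs
# instead of "Resource": "*". The ecr:* statement is dropped on the assumption
# that image pulls are handled by the node role.

# Build the ARN pattern for a secret from region, account id and secret name.
# Secrets Manager appends a random suffix to the name in the real ARN, so the
# pattern ends in "-*", which IAM matches as a wildcard. Partition "aws" is assumed.
secret_arn_pattern() {
  printf 'arn:aws:secretsmanager:%s:%s:secret:%s-*' "$1" "$2" "$3"
}

# Print a policy document granting GetSecretValue/DescribeSecret on exactly the
# secret ARNs (or ARN patterns) given as arguments, and nothing else.
secretsmanager_policy_json() {
  [ "$#" -ge 1 ] || { echo "usage: secretsmanager_policy_json <secret-arn>..." >&2; return 1; }
  resources=""
  for arn in "$@"; do
    # Refuse anything that is not a Secrets Manager ARN so a typo cannot widen the grant.
    printf '%s' "$arn" | grep -Eq \
      '^arn:aws(-us-gov)?:secretsmanager:[a-z]{2}(-[a-z]+)+-[0-9]+:[0-9]{12}:secret:[^ ]+$' \
      || { echo "not a Secrets Manager ARN: $arn" >&2; return 1; }
    resources="${resources:+$resources, }\"$arn\""
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": [ $resources ]
    }
  ]
}
EOF
}

# Usage with the page's variables, in place of the inline document above:
#   POLICY_ARN=$(aws iam create-policy --policy-name secretsmanager-policy \
#     --policy-document "$(secretsmanager_policy_json \
#         "$(secret_arn_pattern "$AWS_REGION" "$AWS_ACCOUNT" "$SECRET_NAME")")" \
#     --query Policy.Arn --output text)
# The eksctl create iamserviceaccount command that follows is unchanged.
if [ "${1:-}" = "--print" ]; then
  secretsmanager_policy_json "$(secret_arn_pattern "${AWS_REGION:?}" "${AWS_ACCOUNT:?}" "${SECRET_NAME:?}")"
fi
```

Because the trailing "-*" only matches the random suffix, the grant still covers exactly one secret name; if the workload needs several, pass each ARN pattern as a separate argument.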
Deploying EKS Services
Finalize the cluster creation process:
$ helm install zeroconnectapi zeroconnectapi/zeroconnectapi --version $HELM_VERSION --set secretsName="${SECRET_NAME}" --set ingress.certificateARN=${CERT_ARN} --set image.tag=$IMAGE_TAG
After completion, open the EC2 service and go to Load Balancers. You will find a new load balancer whose name is prefixed with zero-connect. Copy its DNS name and open it in a browser.