4 of 4: Escaping Vendor Lock-in Jail (How Kubernetes Set Us Free)

This article is one of four (4) in a series:

1 of 4: Escaping Vendor Lock-in Jail (How Kubernetes Set Us Free)
In part 1, you will set up the Kubernetes Cluster on Amazon Elastic Kubernetes Service (EKS).

2 of 4: Escaping Vendor Lock-in Jail (How Kubernetes Set Us Free)
In part 2, you will install an AWS Application Load Balancer.

3 of 4: Escaping Vendor Lock-in Jail (How Kubernetes Set Us Free)
In part 3, you will use Kubernetes to deploy the HumanGov application for California.

4 of 4: Escaping Vendor Lock-in Jail (How Kubernetes Set Us Free)
In part 4, you will use Amazon Route 53 to name the application and AWS Certificate Manager to secure access to the application. You will also use Kubernetes to deploy an ingress controller, so that Internet users can connect to the application. After testing, you will decommission the infrastructure.

For background on this series, go here:

Escaping Vendor Lock-in Jail (How Kubernetes Set Us Free) | A Four-Part Series

1 of 14. [Route 53] Create Domain

Note: .click domains are very cheap.

Remember to check for your validation e-mail.

Amazon Route 53 -/- Registered domains -/- [Register domains]
Search for domains: humangov-ll3.click
[Proceed to checkout]
Duration: 1 year
Auto renew: off
[Next]
Fill in contact information
[Next]
Review and submit
Accept terms and conditions
[Submit]
Wait
Check status

2 of 14. [Certificate Manager] Create Certificate for Load Balancer

You will request a certificate for *.domain-name.

AWS Certificate Manager (ACM) -/- [Request a certificate]
Request a public certificate
[Next]
Fully qualified domain name: *.humangov-ll3.click
Validation method: DNS
[Request]
[View certificate]
Domains -/- [Create records in Route 53]
[Create records]
Wait ...

3 of 14. [Cloud9] Create Ingress Rules

This allows Internet users to access the application.

Create the file humangov-ingress-all.yaml in the 'human-gov-application/src' folder.

Make sure the certificate ARN matches your certificate.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: humangov-python-app-ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.name: frontend
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:502983865814:certificate/94775391-6fcd-42dd-83eb-bb338360575d
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
  labels:
    app: humangov-python-app-ingress
spec:
  ingressClassName: alb
  rules:
    - host: california.humangov-ll3.click
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: humangov-nginx-service-california
                port:
                  number: 80

Apply ingress

kubectl apply -f humangov-ingress-all.yaml

Validate Ingress

kubectl get ingress

Dig into the EC2 load balancers, and you can view the listener rules, showing how the traffic is being directed to the appropriate cluster.

Note: the california DNS record doesn't exist yet; you create it in the next step.

4 of 14. [Route 53] Create an alias for California

Route 53 -/- Hosted zones -/- [humangov-ll3.click]
[Create record]
Record name: california
Alias
Route traffic to: Alias to Application and Classic Load Balancer
Choose Region: us-east-1
Choose load balancer: the load balancer you just created
[Create records]

5 of 14. [Browser / S3 / DynamoDB] Test the application

You should be able to reach the application via HTTPS. Further, you should be able to add an employee and see the employee's data in S3 and DynamoDB.

https://california.humangov-ll3.click
[Add employee]
Enter details, upload PDF
[Add]

The following steps deploy the application for the state of Florida.

6 of 14. [Cloud9] Provision Florida DynamoDB and S3 bucket

Make sure to record the resource names.

# Open the Terraform file human-gov-infrastructure/terraform/variables.tf using Cloud9 Editor and add florida to the states list.
variable "states" {
  description = "The list of state names"
  default     = ["california", "florida"]
}

# Apply the Terraform configuration
cd /home/ec2-user/environment/human-gov-infrastructure/terraform
terraform plan
terraform apply

7 of 14. [Cloud9] Create Florida deployment.

# Duplicate the Kubernetes deployment file
cd /home/ec2-user/environment/human-gov-application/src
cp humangov-california.yaml humangov-florida.yaml

# Open humangov-florida.yaml
# ... replace all california entries with florida using the Cloud9 Search and Replace.
# Update the AWS_BUCKET name to Florida's bucket name in the humangov-florida.yaml file.
# Save the file.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: humangov-python-app-florida
spec:
  replicas: 1
  selector:
    matchLabels:
      app: humangov-python-app-florida
  template:
    metadata:
      labels:
        app: humangov-python-app-florida
    spec:
      serviceAccountName: humangov-pod-execution-role
      containers:
        - name: humangov-python-app-florida
          image: public.ecr.aws/i7y0m4q9/humangov-app:latest
          env:
            - name: AWS_BUCKET
              value: "humangov-florida-s3-m30s"
            - name: AWS_DYNAMODB_TABLE
              value: "humangov-florida-dynamodb"
            - name: AWS_REGION
              value: "us-east-1"
            - name: US_STATE
              value: "florida"
---
apiVersion: v1
kind: Service
metadata:
  name: humangov-python-app-service-florida
spec:
  type: ClusterIP
  selector:
    app: humangov-python-app-florida
  ports:
    - protocol: TCP
      port: 8000
      targetPort: 8000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: humangov-nginx-reverse-proxy-florida
spec:
  replicas: 1
  selector:
    matchLabels:
      app: humangov-nginx-reverse-proxy-florida
  template:
    metadata:
      labels:
        app: humangov-nginx-reverse-proxy-florida
    spec:
      containers:
        - name: humangov-nginx-reverse-proxy-florida
          image: nginx:alpine
          ports:
            - containerPort: 80
          volumeMounts:
            - name: humangov-nginx-config-florida-vol
              mountPath: /etc/nginx/
      volumes:
        - name: humangov-nginx-config-florida-vol
          configMap:
            name: humangov-nginx-config-florida
---
apiVersion: v1
kind: Service
metadata:
  name: humangov-nginx-service-florida
spec:
  selector:
    app: humangov-nginx-reverse-proxy-florida
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: humangov-nginx-config-florida
data:
  nginx.conf: |
    events {
      worker_connections 1024;
    }
    http {
      server {
        listen 80;
        location / {
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://humangov-python-app-service-florida:8000; # App container
        }
      }
    }
  proxy_params: |
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

8 of 14. [Cloud9] Deploy HumanGov Florida

kubectl apply -f humangov-florida.yaml

9 of 14. [Cloud9] Update humangov-ingress-all.yaml

Add rule for Florida. Make sure that the domain is yours [check the 'host' field].

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: humangov-python-app-ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.name: frontend
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:502983865814:certificate/94775391-6fcd-42dd-83eb-bb338360575d
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
  labels:
    app: humangov-python-app-ingress
spec:
  ingressClassName: alb
  rules:
    - host: california.humangov-ll3.click
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: humangov-nginx-service-california
                port:
                  number: 80
    - host: florida.humangov-ll3.click
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: humangov-nginx-service-florida
                port:
                  number: 80
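
A pre-apply check for the Ingress manifests in steps 3 and 9, added here as an example (it is not code from the original article): it confirms that the ALB annotations declare an HTTPS listener with a redirect and that every rule host is covered by the wildcard certificate from step 2, which matches exactly one left-most label. The function names are hypothetical, the sample ARN is a placeholder, and a real manifest would be loaded into the same dict shape with PyYAML's `yaml.safe_load`.

```python
import json
import re

ALB = "alb.ingress.kubernetes.io/"
# Assumption: ARNs in the commercial "aws" partition only, as on this page.
ARN_RE = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")

def wildcard_covers(cert_name, host):
    """A TLS wildcard stands for exactly one left-most DNS label."""
    cert, name = cert_name.lower().split("."), host.lower().split(".")
    if cert[0] != "*":
        return cert == name
    return len(cert) == len(name) and cert[1:] == name[1:]

def check_ingress(ingress, cert_name):
    """Return findings for an Ingress dict (the shape yaml.safe_load yields)."""
    ann = ingress.get("metadata", {}).get("annotations", {})
    findings = []
    if not ARN_RE.match(ann.get(ALB + "certificate-arn", "")):
        findings.append("certificate-arn missing or malformed")
    try:
        ports = json.loads(ann.get(ALB + "listen-ports", "[]"))
        if not isinstance(ports, list):
            raise ValueError("not a list")
    except (ValueError, TypeError):
        ports = []
        findings.append("listen-ports is not a valid JSON list")
    if {"HTTPS": 443} not in ports:
        findings.append("listen-ports does not declare HTTPS 443")
    if {"HTTP": 80} in ports and ann.get(ALB + "ssl-redirect") != "443":
        findings.append("HTTP 80 is open without ssl-redirect to 443")
    for rule in ingress.get("spec", {}).get("rules", []):
        host = rule.get("host", "")
        if not wildcard_covers(cert_name, host):
            findings.append(f"host {host!r} is not covered by {cert_name}")
    return findings

def sample_ingress(hosts, ssl_redirect="443"):
    """Constructed sample shaped like the page's manifest; the ARN is a placeholder."""
    ann = {ALB + "certificate-arn": "arn:aws:acm:us-east-1:111122223333:"
                                    "certificate/00000000-0000-0000-0000-000000000000",
           ALB + "listen-ports": '[{"HTTP": 80}, {"HTTPS":443}]'}
    if ssl_redirect:
        ann[ALB + "ssl-redirect"] = ssl_redirect
    return {"metadata": {"annotations": ann},
            "spec": {"rules": [{"host": h} for h in hosts]}}

if __name__ == "__main__":
    hosts = ["california.humangov-ll3.click", "florida.humangov-ll3.click"]
    print(check_ingress(sample_ingress(hosts), "*.humangov-ll3.click"))
```

An empty list means the manifest passes; the bare domain or a two-level name such as a.b.humangov-ll3.click would be reported, because the wildcard does not cover them.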

10 of 14. [Cloud9] Deploy ingress

If you check the load balancer, you should now find the rule for Florida.

kubectl apply -f humangov-ingress-all.yaml
kubectl get ingress

11 of 14. [Route 53] Add DNS entry for Florida

Note that California and Florida point to the same load balancer.

Route 53 -/- Hosted zones -/- [humangov-ll3.click]
[Create record]
Record name: florida
Alias
Route traffic to: Alias to Application and Classic Load Balancer
Choose Region: us-east-1
Choose load balancer: the load balancer you just created
[Create records]

12 of 14. [Browser / DynamoDB / S3] Test the application

After adding an employee, you should see records created in DynamoDB and S3 for Florida.

Who knew that being an Isekai Protagonist paid so well?

# browse to the site, via https
https://florida.humangov-ll3.click
[Add employee]
Enter details, upload PDF
[Add]

13 of 14. [Cloud9] Check the Kubernetes resources

kubectl get pods
kubectl get deployment
kubectl get svc
kubectl get ingress

14 of 14. [Cloud9] Cleaning up the environment

Double-check in the AWS console that the cluster has been removed.

# Delete the Kubernetes Ingress
kubectl delete -f humangov-ingress-all.yaml

# Delete the application resources on kubernetes
kubectl delete -f humangov-california.yaml
kubectl delete -f humangov-florida.yaml

# delete eks cluster
eksctl delete cluster --name humangov-cluster --region us-east-1

# De-activate the access keys you created for the 'eks-user'
# Revert Cloud9 back to 'Managed Credentials'

Warning: DO NOT remove these resources (they'll be used again in a near-term project):
# DynamoDB
# S3
# ECR
# Route 53 Hosted Zone
# Registered Domain



Lewis Lampkin, III - Blog

Lewis Lampkin, III - LinkedIn

Lewis Lampkin, III - Medium
