4 of 4: Escaping Vendor Lock-in Jail (How Kubernetes Set Us Free)
This article is one of four (4) in a series:
1 of 4: Escaping Vendor Lock-in Jail (How Kubernetes Set Us Free)
In part 1, you will set up the Kubernetes Cluster on Amazon Elastic Kubernetes Service (EKS).
2 of 4: Escaping Vendor Lock-in Jail (How Kubernetes Set Us Free)
In part 2, you will install an AWS Application Load Balancer.
3 of 4: Escaping Vendor Lock-in Jail (How Kubernetes Set Us Free)
In part 3, you will use Kubernetes to deploy the HumanGov application for California.
4 of 4: Escaping Vendor Lock-in Jail (How Kubernetes Set Us Free)
In part 4, you will use Amazon Route 53 to name the application and AWS Certificate Manager to secure access to the application. You will also use Kubernetes to deploy an ingress controller, so that Internet users can connect to the application. After testing, you will decommission the infrastructure.
For background on this series, go here:
Escaping Vendor Lock-in Jail (How Kubernetes Set Us Free) | A Four-Part Series
1 of 14. [Route 53] Create Domain
Note: .click domains are very cheap.
Remember to check for your validation e-mail.
Amazon Route 53 -/- Registered domains -/- [Register domains]
Search for domains: humangov-ll3.click
[Proceed to checkout]
Duration: 1 year
Auto renew: off
[Next]
Fill in contact information
[Next]
Review and submit
Accept terms and conditions
[Submit]
Wait
Check status
2 of 14. [Certificate Manager] Create Certificate for Load Balancer
You will request a certificate for *.domain-name.
AWS Certificate Manager (ACM) -/- [Request a certificate]
Request a public certificate [Next]
Fully qualified domain name: *.humangov-ll3.click
Validation method: DNS
[Request]
[View certificate]
Domains -/- [Create records in route 53]
[Create records]
Wait ...
3 of 14. [Cloud9] Create Ingress Rules
This allows Internet users to access the application.
Create the file humangov-ingress-all.yaml in the 'human-gov-application/src' folder.
Make sure the certificate ARN matches your certificate.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: humangov-python-app-ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.name: frontend
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:502983865814:certificate/94775391-6fcd-42dd-83eb-bb338360575d
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
  labels:
    app: humangov-python-app-ingress
spec:
  ingressClassName: alb
  rules:
    - host: california.humangov-ll3.click
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: humangov-nginx-service-california
                port:
                  number: 80
Apply ingress
kubectl apply -f humangov-ingress-all.yaml
Validate Ingress
kubectl get ingress
Dig into the EC2 load balancers, and you can view the listener rules, showing how the traffic is being directed to the appropriate cluster.
Note: your california doesn't exist yet.
4 of 14. [Route 53] Create an alias for California
Route 53 -/- Hosted zones -/- [humangov-ll3.click]
[Create record]
Record name: california
Alias
Route traffic to: Alias to Application and Classic Load Balancer
Choose Region: us-east-1
Choose load balancer: the load balancer you just created
[Create records]
5 of 14. [Browser / S3 / DynamoDB] Test the application
You should be able to reach the application via HTTPS. Further, you should be able to add an employee and see the employee's data in S3 and DynamoDB.
https://california.humangov-ll3.click [Add employee]
Enter details, upload PDF [Add]
The following steps are about deploying the application for the state of Florida
6 of 14. [Cloud9] Provision Florida DynamoDB and S3 bucket
Make sure to record the resource names.
# Open the Terraform file human-gov-infrastructure/terraform/variables.tf using Cloud9 Editor and add florida to the state’s list.
variable "states" {
  description = "The list of state names"
  default     = ["california", "florida"]
}
# Apply the Terraform configuration
cd /home/ec2-user/environment/human-gov-infrastructure/terraform
terraform plan
terraform apply
7 of 14. [Cloud9] Create Florida deployment.
# Duplicate the Kubernetes deployment file
cd /home/ec2-user/environment/human-gov-application/src
cp humangov-california.yaml humangov-florida.yaml
# Open humangov-florida.yaml
# ... replace all california entries with florida using the Cloud9 Search and Replace.
# Update the AWS_BUCKET name to Florida's bucket name in the humangov-florida.yaml file.
# Save the file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: humangov-python-app-florida
spec:
  replicas: 1
  selector:
    matchLabels:
      app: humangov-python-app-florida
  template:
    metadata:
      labels:
        app: humangov-python-app-florida
    spec:
      serviceAccountName: humangov-pod-execution-role
      containers:
        - name: humangov-python-app-florida
          image: public.ecr.aws/i7y0m4q9/humangov-app:latest
          env:
            - name: AWS_BUCKET
              value: "humangov-florida-s3-m30s"
            - name: AWS_DYNAMODB_TABLE
              value: "humangov-florida-dynamodb"
            - name: AWS_REGION
              value: "us-east-1"
            - name: US_STATE
              value: "florida"
---
apiVersion: v1
kind: Service
metadata:
  name: humangov-python-app-service-florida
spec:
  type: ClusterIP
  selector:
    app: humangov-python-app-florida
  ports:
    - protocol: TCP
      port: 8000
      targetPort: 8000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: humangov-nginx-reverse-proxy-florida
spec:
  replicas: 1
  selector:
    matchLabels:
      app: humangov-nginx-reverse-proxy-florida
  template:
    metadata:
      labels:
        app: humangov-nginx-reverse-proxy-florida
    spec:
      containers:
        - name: humangov-nginx-reverse-proxy-florida
          image: nginx:alpine
          ports:
            - containerPort: 80
          volumeMounts:
            - name: humangov-nginx-config-florida-vol
              mountPath: /etc/nginx/
      volumes:
        - name: humangov-nginx-config-florida-vol
          configMap:
            name: humangov-nginx-config-florida
---
apiVersion: v1
kind: Service
metadata:
  name: humangov-nginx-service-florida
spec:
  selector:
    app: humangov-nginx-reverse-proxy-florida
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: humangov-nginx-config-florida
data:
  nginx.conf: |
    events {
      worker_connections 1024;
    }
    http {
      server {
        listen 80;
        location / {
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://humangov-python-app-service-florida:8000; # App container
        }
      }
    }
  proxy_params: |
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
8 of 14. [Cloud9] Deploy HumanGov Florida
kubectl apply -f humangov-florida.yaml
9 of 14. [Cloud9] Update humangov-ingress-all.yaml
Add rule for Florida. Make sure that the domain is yours [check the 'host' field].
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: humangov-python-app-ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.name: frontend
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:502983865814:certificate/94775391-6fcd-42dd-83eb-bb338360575d
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
  labels:
    app: humangov-python-app-ingress
spec:
  ingressClassName: alb
  rules:
    - host: california.humangov-ll3.click
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: humangov-nginx-service-california
                port:
                  number: 80
    - host: florida.humangov-ll3.click
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: humangov-nginx-service-florida
                port:
                  number: 80
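Added example (not part of the original article): a pre-apply check for humangov-ingress-all.yaml covering the two "make sure" notes above (certificate ARN in step 3, 'host' field in step 9) plus the HTTPS listener and redirect annotations. The names lint_ingress and sample_manifest are hypothetical, the sample manifest is constructed, its certificate ARN is a placeholder, and the api.florida host is included only to show a failing case.

```shell
#!/bin/sh
# Line-based lint for humangov-ingress-all.yaml (not a YAML parser).
# Usage: lint_ingress CERT_DOMAIN < manifest.yaml
# Prints one FAIL line per finding; exit status is 0 only when clean.
lint_ingress() (
  domain=$1; rc=0; a='alb.ingress.kubernetes.io'
  manifest=$(cat)
  has() { printf '%s\n' "$manifest" | grep -Eq "$1"; }
  fail() { echo "FAIL: $1"; rc=1; }

  # The ACM certificate is only served if an HTTPS listener is declared.
  has "^ *$a/listen-ports:.*\"HTTPS\" *: *443[^0-9]" || fail "no HTTPS:443 listener"
  # Without ssl-redirect the HTTP:80 listener forwards cleartext requests.
  has "^ *$a/ssl-redirect: *['\"]?443['\"]? *\$" || fail "HTTP is not redirected to 443"
  # Catches an empty, truncated or mistyped ARN (it cannot tell whose ARN it is).
  has "^ *$a/certificate-arn: *arn:aws:acm:[a-z0-9-]+:[0-9]{12}:certificate/[0-9a-f-]{36} *\$" \
    || fail "certificate-arn is missing or malformed"

  # A wildcard certificate covers exactly one label: california.<domain>
  # matches, while a.b.<domain> and the bare <domain> do not.
  for host in $(printf '%s\n' "$manifest" | sed -nE 's/^ *- *host: *"?([^" ]+)"? *$/\1/p'); do
    sub=${host%".$domain"}
    case $sub in
      "$host"|""|*.*) fail "host $host is not covered by *.$domain" ;;
    esac
  done
  exit "$rc"   # subshell body: exit sets the function's return status
)

# Constructed sample: the annotations and hosts this lint reads, with a
# placeholder ARN and one extra two-label host that the wildcard does not cover.
sample_manifest() {
  cat <<'EOF'
metadata:
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:111122223333:certificate/00000000-0000-0000-0000-000000000000
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
spec:
  rules:
    - host: california.humangov-ll3.click
    - host: florida.humangov-ll3.click
    - host: api.florida.humangov-ll3.click
EOF
}

sample_manifest | lint_ingress humangov-ll3.click || echo "fix the findings before kubectl apply"
```

Against the real file, run it as: lint_ingress humangov-ll3.click < humangov-ingress-all.yaml, substituting your own domain.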
10 of 14. [Cloud9] Deploy ingress
If you check the load balancer, you should find the rule for florida now.
kubectl apply -f humangov-ingress-all.yaml
kubectl get ingress
11 of 14. [Route53] Add DNS entry for Florida
Note that California and Florida point to the same load balancer
Route 53 -/- Hosted zones -/- [humangov-ll3.click]
[Create record]
Record name: florida
Alias
Route traffic to: Alias to Application and Classic Load Balancer
Choose Region: us-east-1
Choose load balancer: the load balancer you just created
[Create records]
12 of 14. [Browser / DynamoDB / S3] Test the application
After adding an employee, you should see records created in the DynamoDB and S3 for Florida.
Who knew that being an Isekai Protagonist paid so well?
# browse to the site, via https
https://florida.humangov-ll3.click [Add employee]
Enter details, upload PDF [Add]
13 of 14. [Cloud9] Check the Kubernetes resources
kubectl get pods
kubectl get deployment
kubectl get svc
kubectl get ingress
14 of 14. [Cloud9] Cleaning up the environment
Double-check in the AWS console that the cluster has been removed.
# Delete the Kubernetes Ingress
kubectl delete -f humangov-ingress-all.yaml
# Delete the application resources on kubernetes
kubectl delete -f humangov-california.yaml
kubectl delete -f humangov-florida.yaml
# delete eks cluster
eksctl delete cluster --name humangov-cluster --region us-east-1
# De-activate the access keys you created for the 'eks-user'
# Revert Cloud9 back to 'Managed Credentials'
Warning: DO NOT remove these resources (they'll be used again in a near-term project):
# DynamoDB
# S3
# ECR
# Route 53 Hosted Zone
# Registered Domain