The latest articles on Forem by M.M.Monirul Islam (@monirul87). https://forem.com/monirul87 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F859666%2F0b686fdf-f7ce-47bf-81a4-e7e98eed96c1.jpeg https://forem.com/monirul87 en M.M.Monirul Islam Wed, 06 Mar 2024 12:38:10 +0000 https://forem.com/monirul87/revolutionizing-monitoring-exploring-the-power-of-amazon-managed-service-for-prometheus-c0b https://forem.com/monirul87/revolutionizing-monitoring-exploring-the-power-of-amazon-managed-service-for-prometheus-c0b <p>In the dynamic landscape of cloud computing, efficient monitoring is paramount for ensuring the reliability and performance of applications. Amazon Web Services (AWS) has recently introduced a game-changer in the realm of observability – the Amazon Managed Service for Prometheus. This blog dives into the capabilities, benefits, and transformative impact of this managed service, showcasing how it empowers businesses to scale their monitoring infrastructure seamlessly.</p> <h2> Understanding the Need for Advanced Monitoring </h2> <p>In this section, we explore the evolving needs of modern applications and the challenges associated with traditional monitoring solutions. From the complexities of managing scale to the demand for real-time insights, we set the stage for the emergence of Amazon Managed Service for Prometheus.</p> <h2> Unveiling Amazon Managed Service for Prometheus </h2> <p>Delve into the features and architecture of Amazon Managed Service for Prometheus. Highlight the simplicity of setup, seamless integration with existing AWS services, and the scalability that it offers. Emphasize how this managed service lifts the burden of infrastructure management, allowing teams to focus on deriving actionable insights from their monitoring data.</p> <h2> Key Benefits and Use Cases </h2> <p>Examine the tangible benefits of adopting Amazon Managed Service for Prometheus. From cost savings to improved reliability, discuss how this service enhances observability for applications running on AWS. Provide real-world use cases that showcase the versatility of Prometheus in different scenarios.</p> <h2> Seamless Integration with AWS Ecosystem </h2> <p>Explore the tight integration of Amazon Managed Service for Prometheus with other AWS services, such as Amazon CloudWatch and AWS Identity and Access Management (IAM). Discuss how this interoperability enriches the monitoring experience and contributes to a holistic approach to application observability.</p> <h2> Getting Started - A Step-by-Step Guide </h2> <p>Offer readers a practical guide on getting started with Amazon Managed Service for Prometheus. Cover the essential steps, share best practices, and highlight any considerations for a smooth onboarding process.</p> <p><strong>Step 1: Accessing the AWS Management Console</strong><br> Begin by logging into the AWS Management Console. Navigate to the Amazon Managed Service for Prometheus section and initiate the setup process.</p> <p><strong>Step 2: Creating a Prometheus Workspace</strong><br> Follow the prompts to create a new Prometheus workspace. Define the required parameters such as the workspace name, desired region, and any specific configurations based on your monitoring needs.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff4fp45dhh115vgkgz7sk.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff4fp45dhh115vgkgz7sk.png" alt="Image description" width="800" height="520"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6g1zjxqjdrv0kdfoll5h.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6g1zjxqjdrv0kdfoll5h.png" alt="Image description" width="800" height="524"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv8padm7b62xzf4ey4i4j.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv8padm7b62xzf4ey4i4j.png" alt="Image description" width="800" height="456"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>arn:aws:aps:us-east-1:726459634338:workspace/ws-420cc8c0-93ff-4bfd-9dfb-48e0e9a02d5a </code></pre> </div> <p><strong>Endpoint - remote write URL</strong><br> <a href="https://aps-workspaces.us-east-1.amazonaws.com/workspaces/ws-420cc8c0-93ff-4bfd-9dfb-48e0e9a02d5a/api/v1/remote_write">https://aps-workspaces.us-east-1.amazonaws.com/workspaces/ws-420cc8c0-93ff-4bfd-9dfb-48e0e9a02d5a/api/v1/remote_write</a></p> <p><strong>Endpoint - query URL</strong><br> <a href="https://aps-workspaces.us-east-1.amazonaws.com/workspaces/ws-420cc8c0-93ff-4bfd-9dfb-48e0e9a02d5a/api/v1/query">https://aps-workspaces.us-east-1.amazonaws.com/workspaces/ws-420cc8c0-93ff-4bfd-9dfb-48e0e9a02d5a/api/v1/query</a></p> <p><strong>Step 3: Set up IAM roles for service accounts</strong><br> For the method of onboarding that we are documenting, you need to use IAM roles for service accounts in the Amazon EKS cluster where the Prometheus server is running. These roles are also called service roles.</p> <p>With service roles, you can associate an IAM role with a Kubernetes service account. This service account can then provide AWS permissions to the containers in any pod that uses that service account. For more information, see IAM roles for service accounts. </p> <p>If you have not already set up these roles, follow this instructions to set up the roles: Set up service roles for the ingestion of metrics from Amazon EKS clusters. </p> <p>Please make sure you have created an IAM role called amp-iamproxy-ingest-role before continuing.</p> <p><strong>Step 4: Upgrade your existing Prometheus server using Helm (for Prometheus version 2.26.0 or later)</strong></p> <p>The instructions in this section includes setting up remote write and sigv4 to authenticate and authorize the Prometheus server to remote write to your AMP workspace.</p> <p>To set up remote write from a Prometheus server using Helm chart:<br> Create a new remote write section in your Helm configuration file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>serviceAccounts: server: name: "amp-iamproxy-ingest-service-account" annotations: eks.amazonaws.com/role-arn: "arn:aws:iam::726459634338:role/amp-iamproxy-ingest-role" server: remoteWrite: - url: https://aps-workspaces.us-east-1.amazonaws.com/workspaces/ws-420cc8c0-93ff-4bfd-9dfb-48e0e9a02d5a/api/v1/remote_write sigv4: region: us-east-1 queue_config: max_samples_per_send: 1000 max_shards: 200 capacity: 2500 </code></pre> </div> <p>Update your existing Prometheus Server configuration using Helm:</p> <p>First, find your Helm chart name by entering the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>helm ls --all-namespaces </code></pre> </div> <p>In the output from this command, look for a chart with a name that includes "prometheus".</p> <p>Then enter the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>helm upgrade prometheus-chart-name prometheus-community/prometheus -n prometheus_namespace -f my_prometheus_values_yaml --version current_helm_chart_version </code></pre> </div> <p>Replace these placeholders with the following:</p> <ul> <li>Replace prometheus-chart-name with the name of the helm chart you found with the previous command.</li> <li>Replace prometheus_namespace with the name of the Kubernetes namespace where your Prometheus Server is installed.</li> <li>Replace my_prometheus_values_yaml with the path to your Helm configuration file.</li> <li>Replace current_helm_chart_version with the current version of the Prometheus Server Helm chart you found with the previous command.</li> </ul> <h2> Grafana </h2> <p><strong>Step-1:</strong> Follow the following procedure to setting up managed grafana.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4hvg1hkb38x86848dxqu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4hvg1hkb38x86848dxqu.png" alt="Image description" width="800" height="510"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2kfvmz2678nqxthr4rv.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2kfvmz2678nqxthr4rv.png" alt="Image description" width="800" height="465"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzm1t5mfx8jzkujcuk2jq.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzm1t5mfx8jzkujcuk2jq.png" alt="Image description" width="800" height="465"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frfi3fehw1vcieb2gdhzi.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frfi3fehw1vcieb2gdhzi.png" alt="Image description" width="800" height="465"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F37gchetgnl4yh0b0uf8n.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F37gchetgnl4yh0b0uf8n.png" alt="Image description" width="800" height="465"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvivkcspkhk823uqgdkrp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvivkcspkhk823uqgdkrp.png" alt="Image description" width="800" height="465"></a></p> <p><strong>Step 2:</strong> Configuring Data Retention and Storage Options<br> Fine-tune your monitoring environment by configuring data retention policies and storage options. Tailor these settings to align with your application's requirements and expected data volumes.</p> <p><strong>Step 3:</strong> Integrating with AWS Resources<br> Connect Amazon Managed Service for Prometheus with your existing AWS resources. This could include linking it to Amazon Elastic Kubernetes Service (EKS) clusters, Amazon EC2 instances, or any other AWS services generating monitoring data.</p> <p><strong>Step 4:</strong> Setting Up Alerts and Notifications<br> Enhance your observability by configuring alerts and notifications. Define thresholds for metrics that matter most to your applications and establish alerting mechanisms to keep your team informed of any deviations from expected behavior.</p> <p><strong>Step 5:</strong> Exploring Querying Capabilities<br> Dive into the querying capabilities of Amazon Managed Service for Prometheus. Learn how to write PromQL queries to extract valuable insights from your monitoring data. Leverage this functionality to troubleshoot issues, analyze trends, and optimize performance.</p> <p><strong>Step 6:</strong> Integrating with AWS CloudWatch<br> Explore the seamless integration between Amazon Managed Service for Prometheus and AWS CloudWatch. Understand how these services work together to provide a comprehensive monitoring solution for your AWS environment.</p> <p><strong>Step 7:</strong> Scaling and Optimization<br> As your application grows, ensure that your monitoring solution scales accordingly. Learn best practices for scaling Amazon Managed Service for Prometheus and optimizing its performance to meet the evolving demands of your applications.</p> <p>Wrap up the blog by summarizing the key takeaways and emphasizing the transformative potential of Amazon Managed Service for Prometheus. Encourage readers to explore this powerful monitoring solution to elevate their observability practices and stay ahead in the ever-evolving landscape of cloud-native applications.</p> <p>By shedding light on the capabilities of Amazon Managed Service for Prometheus, this blog aims to guide organizations toward a more efficient and scalable approach to monitoring, ultimately enhancing their ability to deliver reliable and performant applications on AWS.</p> M.M.Monirul Islam Tue, 16 Jan 2024 04:32:39 +0000 https://forem.com/monirul87/kong-gateway-on-aws-eks-a-journey-into-cloud-native-api-management-8dj https://forem.com/monirul87/kong-gateway-on-aws-eks-a-journey-into-cloud-native-api-management-8dj <p>In the ever-evolving landscape of cloud-native applications, managing APIs efficiently is crucial. An API Gateway plays a pivotal role as a bridge between clients and backends, orchestrating requests and responses while handling a myriad of tasks such as CORS validation, TLS termination, authentication, and more. In this blog post, we embark on a journey into cloud-native API management with Kong Gateway deployed on an AWS EKS cluster.</p> <h2> <strong>Understanding the Role of an API Gateway</strong> </h2> <p>At its core, an API Gateway acts as a proxy, mediating communication between clients and backend services. It streamlines the process by handling various tasks in transit, including CORS validation, TLS termination, JWT authentication, header injection, session management, response transformation, rate-limiting, ACLs, and much more. This intermediary layer ensures seamless and secure interactions within a microservices architecture.</p> <h2> <strong>Introducing Kong Gateway</strong> </h2> <p>Developed by KongHQ, Kong Gateway stands out as a lightweight and decentralized API Gateway solution. Operating as a Lua application within NGINX and distributed with OpenResty, Kong Gateway sets the stage for modular extensibility through a rich ecosystem of plugins. Whether your API management needs are basic or complex, Kong Gateway provides a scalable and versatile solution.</p> <h2> <strong>The Evolution: DBLess Kong Gateway</strong> </h2> <p>Traditionally, Kong Gateway configurations, including routes, services, and plugins, were stored in a database. However, the landscape shifted with the advent of "DBLess" Kong Gateway, also known as the "declarative" method. In this mode, configuration management shifts entirely to code, typically saved as a declarative.yaml file. This paradigm shift brings about several advantages:</p> <p><strong>1. Version Control:</strong><br> Configuration becomes easily versionable, enabling seamless collaboration and tracking changes over time.<br> <strong>2. Simplicity and Agility:</strong><br> Eliminating the need for a separate database streamlines deployment and enhances agility in managing configurations.<br> <strong>3. Infrastructure as Code (IaC):</strong><br> The move towards a code-centric approach aligns with the principles of Infrastructure as Code, promoting consistency and reproducibility.<br> <strong>4. Maintenance Ease:</strong><br> With configurations stored as code, the need for maintaining a separate database diminishes, simplifying the overall maintenance process.</p> <h2> <strong>Deploying Kong Gateway on AWS EKS</strong> </h2> <p>Now that we grasp the significance of Kong Gateway and the advantages of the DBLess approach, let's delve into the process of deploying Kong Gateway on an AWS EKS cluster. </p> <p><strong>Declarative Configuration (prd/declarative.yaml)</strong>: Specifies the Kong services, routes, and associated plugins using a DBLess approach.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>_format_version: <span class="s2">"2.1"</span> _transform: <span class="nb">true </span>services: - name: invoicing-matrics url: https://prdawsinvoicing.example.com/actuator/ routes: - paths: - /metrics methods: - GET - POST - PUT strip_path: <span class="nb">true </span>protocols: - https - http hosts: - k-prd.devopsmonirul.tech - name: businessCatalog url: https://prdawscatalogos.example.com/catalogs/v1.0/catalogs/catalogs/businessCatalog routes: - paths: - /catalogs/businessCatalog methods: - GET - POST - PUT strip_path: <span class="nb">true </span>protocols: - https - http hosts: - k-prd.devopsmonirul.tech - name: usermanagment url: https://prdawsusermanagment.example.com/usermanagement/v1.0/users routes: - paths: - /usermanagement methods: - GET - POST - PUT strip_path: <span class="nb">true </span>protocols: - https - http hosts: - k-prd.devopsmonirul.tech - name: ocr url: https://prdawsocr.example.com/ocr/v1.0/actuator routes: - paths: - /ocr methods: - GET - POST - PUT strip_path: <span class="nb">true </span>protocols: - https - http hosts: - k-prd.devopsmonirul.tech <span class="c">#------------------------------------------------- CORS Plugin ----------------------------------------------</span> plugins: - name: prometheus - name: cors service: invoicing-matrics config: origins: - https://controller-ai.com - https://www.example.com - https://monirul.digital - https://example.com - http://local.devopsmonirul.com:4200 - <span class="s2">"*"</span> methods: - GET - POST - PUT credentials: <span class="nb">false </span>max_age: 3600 preflight_continue: <span class="nb">false</span> - name: cors service: businessCatalog config: origins: - <span class="s2">"*"</span> methods: - GET - POST credentials: <span class="nb">false </span>max_age: 3600 preflight_continue: <span class="nb">false</span> - name: cors service: usermanagment config: origins: - <span class="s2">"*"</span> methods: - GET - POST - PUT credentials: <span class="nb">false </span>max_age: 3600 preflight_continue: <span class="nb">false</span> - name: cors service: ocr config: origins: - <span class="s2">"*"</span> methods: - GET - POST - PUT credentials: <span class="nb">false </span>max_age: 3600 preflight_continue: <span class="nb">false</span> </code></pre> </div> <p><strong>Helm Configuration (prd/kong.yaml)</strong>:<br> Helm chart configurations for Kong deployment, including resource limits, ingress controller settings, environment variables, and autoscaling parameters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>deployment: serviceAccount: create: <span class="nb">false </span>podAnnotations: <span class="s2">"cluster-autoscaler.kubernetes.io/safe-to-evict"</span>: <span class="s2">"true"</span> resources: limits: memory: 1Gi requests: cpu: 500m memory: 1Gi ingressController: enabled: <span class="nb">false </span>installCRDs: <span class="nb">false env</span>: database: <span class="s2">"off"</span> nginx_worker_processes: <span class="s2">"2"</span> proxy_access_log: /dev/stdout json_analytics proxy_error_log: /dev/stdout log_level: <span class="s2">"error"</span> trusted_ips: <span class="s2">"0.0.0.0/0,::/0"</span> headers: <span class="s2">"off"</span> anonymous_reports: <span class="s2">"off"</span> admin_listen: <span class="s2">"off"</span> status_listen: 0.0.0.0:8100 nginx_http_log_format: | json_analytics <span class="nv">escape</span><span class="o">=</span>json <span class="s1">'{"msec": "$msec", "status": "$status", "request_uri": "$request_uri", "geoip_country_code": "$http_x_client_region", "client_subdivision": "$http_x_client_subdivision", "client_city": "$http_x_client_city","client_city_latlong": "$http_x_client_citylatlong", "connection": "$connection", "connection_requests": "$connection_requests", "pid": "$pid", "request_id": "$request_id", "request_length": "$request_length", "remote_addr": "$remote_addr", "remote_user": "$remote_user", "remote_port": "$remote_port", "time_local": "$time_local", "time_iso8601": "$time_iso8601", "request": "$request", "args": "$args", "body_bytes_sent": "$body_bytes_sent", "bytes_sent": "$bytes_sent", "http_referer": "$http_referer", "http_user_agent": "$http_user_agent", "http_x_forwarded_for": "$http_x_forwarded_for", "http_host": "$http_host", "server_name": "$server_name", "request_time": "$request_time", "upstream": "$upstream_addr", "upstream_connect_time": "$upstream_connect_time", "upstream_header_time": "$upstream_header_time", "upstream_response_time": "$upstream_response_time", "upstream_response_length": "$upstream_response_length", "upstream_cache_status": "$upstream_cache_status", "ssl_protocol": "$ssl_protocol", "ssl_cipher": "$ssl_cipher", "scheme": "$scheme", "request_method": "$request_method", "server_protocol": "$server_protocol", "pipe": "$pipe", "gzip_ratio": "$gzip_ratio", "http_cf_ray": "$http_cf_ray", "trace_id": "$http_x_b3_traceid", "proxy_host": "$proxy_host"}'</span> admin: enabled: <span class="nb">true </span>http: enabled: <span class="nb">false </span>tls: enabled: <span class="nb">true </span>proxy: <span class="nb">type</span>: NodePort tls: enabled: <span class="nb">false </span>autoscaling: enabled: <span class="nb">true </span>minReplicas: 1 maxReplicas: 11 metrics: - <span class="nb">type</span>: Resource resource: name: cpu target: <span class="nb">type</span>: Utilization averageUtilization: 60 - <span class="nb">type</span>: Resource resource: name: memory target: <span class="nb">type</span>: Utilization averageUtilization: 80 affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux - key: kubernetes.io/arch operator: In values: - amd64 - arm64 - key: eks.amazonaws.com/compute-type operator: NotIn values: - fargate </code></pre> </div> <p><strong>Vertical Pod Autoscaler Configuration (prd/vpa.yaml)</strong>: Configuration for the Vertical Pod Autoscaler, which adjusts resource requests and limits for pods based on their usage.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apiVersion: autoscaling.k8s.io/v1 kind: VerticalPodAutoscaler metadata: name: prd-kong-vpa namespace: prd-kong spec: targetRef: apiVersion: <span class="s2">"apps/v1"</span> kind: Deployment name: prd-kong updatePolicy: updateMode: <span class="s2">"Off"</span> </code></pre> </div> <p><strong>Ingress Configuration (prd/ingress.yaml)</strong>: Configuration for the Ingress resource, specifying rules and annotations for AWS ALB.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: prd-kong-ingress namespace: prd-kong annotations: alb.ingress.kubernetes.io/actions.ssl-redirect: <span class="s1">'{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'</span> alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-1:234366607644:certificate/c25d25f3-78ae-4197-a806-1882f6b947dc alb.ingress.kubernetes.io/listen-ports: <span class="s1">'[{"HTTP": 80}, {"HTTPS":443}]'</span> alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/success-codes: 200,404,301,302 alb.ingress.kubernetes.io/target-type: ip spec: ingressClassName: alb rules: - host: k-prd.devopsmonirul.tech http: paths: - path: /<span class="k">*</span> pathType: ImplementationSpecific backend: service: name: prd-kong-proxy port: number: 80 </code></pre> </div> <p><strong>Common Scripts (scripts/common.sh):</strong> Shell script with functions for common tasks, such as printing colored text, checking the existence of commands, and defining an exit strategy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nb">export </span><span class="nv">HELM_VERSION</span><span class="o">=</span><span class="s2">"v3.7.2"</span> <span class="k">function </span>red<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">text</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-</span><span class="p"> </span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="se">\0</span><span class="s2">33[31m</span><span class="k">${</span><span class="nv">text</span><span class="k">}</span><span class="se">\0</span><span class="s2">33[0m"</span> <span class="o">}</span> <span class="k">function </span>green<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">text</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-</span><span class="p"> </span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="se">\0</span><span class="s2">33[32m</span><span class="k">${</span><span class="nv">text</span><span class="k">}</span><span class="se">\0</span><span class="s2">33[0m"</span> <span class="o">}</span> <span class="k">function </span>yellow<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">text</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-</span><span class="p"> </span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="se">\0</span><span class="s2">33[33m</span><span class="k">${</span><span class="nv">text</span><span class="k">}</span><span class="se">\0</span><span class="s2">33[0m"</span> <span class="o">}</span> <span class="k">function </span>blue<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">text</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-</span><span class="p"> </span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="se">\0</span><span class="s2">33[36m</span><span class="k">${</span><span class="nv">text</span><span class="k">}</span><span class="se">\0</span><span class="s2">33[0m"</span> <span class="o">}</span> <span class="k">function </span>exists<span class="o">()</span> <span class="o">{</span> <span class="nb">command</span> <span class="nt">-v</span> <span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-}</span><span class="s2">"</span> <span class="o">&gt;</span> /dev/null 2&gt;&amp;1 <span class="o">}</span> <span class="k">function </span>graceful_exit<span class="o">()</span> <span class="o">{</span> red <span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-</span><span class="p"> </span><span class="k">}</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="o">}</span> <span class="k">function </span>bastion_command<span class="o">()</span> <span class="o">{</span> <span class="nb">local command</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-</span><span class="p"> </span><span class="k">}</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">command</span><span class="k">}</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>error_exit <span class="s2">"Command can't be empty."</span> <span class="k">else </span>gcloud compute ssh <span class="nt">--project</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GCP_PROJECT_ID</span><span class="k">}</span><span class="s2">"</span> <span class="nt">--zone</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GCP_ZONE_ID</span><span class="k">}</span><span class="s2">"</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GCP_USER</span><span class="k">}</span><span class="s2">@</span><span class="k">${</span><span class="nv">GCP_SERVER_NAME</span><span class="k">}</span><span class="s2">"</span> <span class="nt">--tunnel-through-iap</span> <span class="nt">--command</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">}</span><span class="s2">"</span> <span class="k">fi</span> <span class="o">}</span> <span class="k">function </span>install_kubectl<span class="o">()</span> <span class="o">{</span> <span class="k">if </span>exists /usr/local/bin/kubectl<span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Kubectl is installed already"</span> <span class="k">else </span>curl <span class="nt">-o</span> kubectl https://s3.us-west-2.amazonaws.com/amazon-eks/1.23.13/2022-10-31/bin/linux/amd64/kubectl <span class="nb">chmod</span> +x ./kubectl <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="nv">$HOME</span>/bin <span class="o">&amp;&amp;</span> <span class="nb">cp</span> ./kubectl <span class="nv">$HOME</span>/bin/kubectl <span class="o">&amp;&amp;</span> <span class="nb">export </span><span class="nv">PATH</span><span class="o">=</span><span class="nv">$PATH</span>:<span class="nv">$HOME</span>/bin <span class="nb">cp</span> ./kubectl /usr/local/bin/kubectl kubectl version <span class="nt">--short</span> <span class="nt">--client</span> <span class="k">fi</span> <span class="o">}</span> <span class="k">function </span>install_helm<span class="o">()</span> <span class="o">{</span> <span class="k">if </span>exists /usr/local/bin/helm<span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Helm is installed already"</span> <span class="k">else </span>curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash <span class="nt">-s</span> <span class="nt">--</span> <span class="nt">--version</span> <span class="s2">"</span><span class="k">${</span><span class="nv">HELM_VERSION</span><span class="k">}</span><span class="s2">"</span> <span class="k">fi</span> <span class="o">}</span> <span class="k">function </span>setup_aws_auth<span class="o">()</span> <span class="o">{</span> aws eks update-kubeconfig <span class="nt">--name</span> <span class="s2">"</span><span class="k">${</span><span class="nv">AWS_PROJECT_ID</span><span class="k">}</span><span class="s2">"</span> <span class="nt">--region</span> <span class="s2">"</span><span class="k">${</span><span class="nv">AWS_LOCATION</span><span class="k">}</span><span class="s2">"</span> <span class="nt">--profile</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CLUSTER_NAME</span><span class="k">}</span><span class="s2">"</span> <span class="o">}</span> </code></pre> </div> <p><strong>Setup Kong Script (scripts/setup-kong.sh)</strong>: Script for installing kubectl, Helm, adding the Kong Helm repo, setting up AWS authentication, creating namespaces, applying VPA configuration, and deploying Kong using Helm.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nb">cd</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">dirname</span> <span class="s2">"</span><span class="nv">$0</span><span class="s2">"</span><span class="si">)</span><span class="s2">/.."</span> <span class="nb">source </span>scripts/common.sh green <span class="s2">"Installing Kubectl"</span> install_kubectl green <span class="s2">"Installing helm version =&gt; </span><span class="k">${</span><span class="nv">HELM_VERSION</span><span class="k">}</span><span class="s2">"</span> install_helm green <span class="s2">"Setting up Kong Helm Repo"</span> helm repo add kong https://charts.konghq.com helm repo update green <span class="s2">"Setting up AWS Auth"</span> setup_aws_auth green <span class="s2">"Creating Namespace =&gt; </span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">-kong"</span> kubectl create namespace <span class="s2">"</span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">"</span><span class="nt">-kong</span> <span class="nt">--dry-run</span><span class="o">=</span>client <span class="nt">-o</span> yaml | kubectl apply <span class="nt">-f</span> - green <span class="s2">"Set the current namespace"</span> kubectl config set-context <span class="nt">--current</span> <span class="nt">--namespace</span><span class="o">=</span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="nt">-kong</span> green <span class="s2">"Setting up VPA Config =&gt; </span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">-kong-vpa"</span> kubectl apply <span class="nt">-f</span> <span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span>/vpa.yaml <span class="o">||</span> <span class="nb">true </span><span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">"</span> <span class="o">==</span> prd <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>green <span class="s2">"Setting up Ingress =&gt; </span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">-kong-ingress"</span> kubectl apply <span class="nt">-f</span> <span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span>/ingress.yaml <span class="k">fi </span>green <span class="s2">"Setting up Kong =&gt; </span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">"</span> helm upgrade <span class="se">\</span> <span class="nt">--install</span> <span class="se">\</span> <span class="s2">"</span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> kong/kong <span class="se">\</span> <span class="nt">--namespace</span> <span class="s2">"</span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">"</span><span class="nt">-kong</span> <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">-f</span> <span class="s2">"</span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">"</span>/kong.yaml <span class="se">\</span> <span class="nt">--set-file</span> dblessConfig.config<span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">"</span>/declarative.yaml <span class="se">\</span> <span class="nt">--version</span> 2.6.3 <span class="se">\</span> <span class="nt">--wait</span> <span class="se">\</span> <span class="nt">--debug</span> </code></pre> </div> <p><strong>Validate Kong Script (scripts/validate-kong.sh)</strong>: Script for validating the setup, including Helm diff, VPA configuration, and Ingress configuration (for prd environment).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nb">cd</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">dirname</span> <span class="s2">"</span><span class="nv">$0</span><span class="s2">"</span><span class="si">)</span><span class="s2">/.."</span> <span class="nb">source </span>scripts/common.sh green <span class="s2">"Installing Kubectl"</span> install_kubectl green <span class="s2">"Installing helm version =&gt; </span><span class="k">${</span><span class="nv">HELM_VERSION</span><span class="k">}</span><span class="s2">"</span> install_helm green <span class="s2">"Setting up Kong Helm Repo"</span> helm repo add kong https://charts.konghq.com helm repo update green <span class="s2">"Installing Helm Diff Plugin"</span> helm plugin <span class="nb">install </span>https://github.com/databus23/helm-diff <span class="o">||</span> <span class="nb">true </span>green <span class="s2">"Setting up AWS Auth"</span> setup_aws_auth green <span class="s2">"Set the current namespace"</span> kubectl config set-context <span class="nt">--current</span> <span class="nt">--namespace</span><span class="o">=</span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="nt">-kong</span> green <span class="s2">"Validating VPA Config =&gt; </span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">-kong-vpa"</span> kubectl diff <span class="nt">-f</span> <span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span>/vpa.yaml <span class="o">||</span> <span class="nb">true </span><span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">"</span> <span class="o">==</span> prd <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>green <span class="s2">"Validating Ingress =&gt; </span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">-kong-ingress"</span> kubectl diff <span class="nt">-f</span> <span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span>/ingress.yaml <span class="o">||</span> <span class="nb">true </span><span class="k">fi </span>green <span class="s2">"Validating Kong =&gt; </span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">"</span> helm diff upgrade <span class="se">\</span> <span class="nt">--install</span> <span class="se">\</span> <span class="s2">"</span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> kong/kong <span class="se">\</span> <span class="nt">--namespace</span> <span class="s2">"</span><span class="k">${</span><span class="nv">NAMESPACE</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-f</span> <span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span>/kong.yaml <span class="se">\</span> <span class="nt">--set-file</span> dblessConfig.config<span class="o">=</span><span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span>/declarative.yaml <span class="se">\</span> <span class="nt">--version</span> 2.6.3 </code></pre> </div> <p><strong>GitLab CI Configuration (.gitlab-ci.yml)</strong>: CI/CD pipeline configuration for validating and deploying Kong in the prd environment.</p> <p>For validations job,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>validate-kong-prd: stage: validate-kong-prd environment: kong-prd variables: ENV: prd KONG_NAME: prd AWS_PROJECT_ID: monirul-digital CLUSTER_NAME: monirul AWS_LOCATION: eu-west-1 NAMESPACE: <span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="nt">-kong</span> extends: <span class="o">[</span> .common-dependencies <span class="o">]</span> script: - aws eks update-kubeconfig <span class="nt">--name</span> <span class="nv">$AWS_PROJECT_ID</span> <span class="nt">--region</span> <span class="nv">$AWS_LOCATION</span> <span class="nt">--profile</span> <span class="nv">$CLUSTER_NAME</span> - ./scripts/validate-kong.sh only: refs: - master - merge_requests changes: - prd/<span class="k">**</span>/<span class="k">*</span> allow_failure: <span class="nb">false</span> </code></pre> </div> <p>For Deployment Job,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>deploy-helm-kong-prd: stage: deploy-kong-prd environment: kong-prd variables: ENV: prd KONG_NAME: prd AWS_PROJECT_ID: monirul-digital CLUSTER_NAME: monirul AWS_LOCATION: eu-west-1 NAMESPACE: <span class="k">${</span><span class="nv">KONG_NAME</span><span class="k">}</span><span class="nt">-kong</span> extends: <span class="o">[</span> .common-dependencies <span class="o">]</span> script: - aws eks update-kubeconfig <span class="nt">--name</span> <span class="nv">$AWS_PROJECT_ID</span> <span class="nt">--region</span> <span class="nv">$AWS_LOCATION</span> <span class="nt">--profile</span> <span class="nv">$CLUSTER_NAME</span> - ./scripts/setup-kong.sh only: refs: - master changes: - prd/<span class="k">**</span>/<span class="k">*</span> allow_failure: <span class="nb">false </span>when: manual </code></pre> </div> <p>The deployment setup appears to be well-organized and follows best practices for deploying Kong on AWS EKS. The use of GitLab CI/CD enhances automation and ensures consistent deployments.</p> <p><strong>Next Steps:</strong></p> <ul> <li>Ensure that your deployment scripts and configurations align with your specific requirements and AWS EKS environment.</li> <li>Monitor Kong Gateway's performance, logs, and metrics in the AWS EKS cluster to identify and address any issues.</li> <li>Consider further optimizations or enhancements based on specific use cases or evolving requirements.</li> </ul> <p>If you have any specific concerns or questions, feel free to ask!</p> aws eks kubernetes kong M.M.Monirul Islam Tue, 22 Aug 2023 05:03:54 +0000 https://forem.com/monirul87/connecting-multiple-gke-clusters-to-a-single-cloud-sql-instance-3fa0 https://forem.com/monirul87/connecting-multiple-gke-clusters-to-a-single-cloud-sql-instance-3fa0 <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzdsji3wx0wvkscu0d5va.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzdsji3wx0wvkscu0d5va.png" alt="Image description"></a><br> In a cloud-native environment, managing multiple Google Kubernetes Engine (GKE) clusters is common, especially when different parts of an application need to be isolated. However, these isolated clusters might still need to access a central database like Google Cloud SQL (PostgreSQL). In this blog post, we'll guide you through the process of connecting multiple GKE VPC-native clusters to a single Cloud SQL instance, even when they reside in separate VPC networks.</p> <p><strong>The Challenge</strong><br> Imagine you have several GKE clusters, each operating in its own Virtual Private Cloud (VPC) network, for reasons of security and isolation. On the other hand, you have a Cloud SQL instance (PostgreSQL) that serves as the central repository for your application's data. The challenge is to enable seamless connectivity between any of the GKE clusters and the shared Cloud SQL instance, maintaining both network isolation and data security.</p> <p><strong>The Solution</strong><br> To address this challenge, we will outline the steps to establish a secure and efficient connection between your GKE VPC-native clusters and the Cloud SQL database, regardless of the VPC network they are in.</p> <ul> <li><p>Dedicated Node Pools<br> Begin by creating dedicated node pools within each GKE cluster. These node pools are optimized for backend workloads and ensure that your applications requiring database access have the necessary resources.</p></li> <li><p>Provisioning Cloud SQL<br> Set up a PostgreSQL database instance in Google Cloud SQL. This instance will serve as the central database for your application's data.</p></li> </ul> <p>We have many options for creating this instance: we can use Infrastructure as Code (IAC)/manual steps or gcloud command steps provided below:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> gcloud sql instances create postgres-instance <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span>monirul-test <span class="se">\</span> <span class="nt">--database-version</span><span class="o">=</span>POSTGRES_13 <span class="se">\</span> <span class="nt">--cpu</span><span class="o">=</span>2 <span class="se">\</span> <span class="nt">--memory</span><span class="o">=</span>4GiB <span class="se">\</span> <span class="nt">--root-password</span><span class="o">=</span><span class="s2">"DummyPass765#"</span> <span class="se">\</span> <span class="nt">--availability-type</span><span class="o">=</span>zonal <span class="se">\</span> <span class="nt">--zone</span><span class="o">=</span>us-west2-a </code></pre> </div> <ul> <li>Configuring Service Accounts After creating the service account, you need to assign the Cloud SQL Client role to it. To allow this service account to authenticate and access Cloud SQL, you need to generate a JSON key file.</li> </ul> <p>Procedure to creating the service-account-key Secret from a file:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl create secret generic service-account-key <span class="nt">--from-file</span><span class="o">=</span>key.json<span class="o">=</span>/usr/local/monirul-test-c7a15664f347.json </code></pre> </div> <p>This command will generate a key file named key.json in your current directory. This key file will be used by the Cloud SQL Proxy and your GKE application to authenticate.</p> <ul> <li>Deploying the Cloud SQL Proxy</li> </ul> <p>Deploying the Cloud SQL Proxy as a sidecar is a crucial step in connecting your GKE application to a Cloud SQL database securely. Below is a Kubernetes Deployment YAML manifest demonstrating how to deploy the Cloud SQL Proxy container as a sidecar alongside your main application container:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> apiVersion: apps/v1 kind: Deployment metadata: name: test-app-deployment annotations: linkerd.io/inject: enabled spec: replicas: 1 strategy: <span class="nb">type</span>: RollingUpdate rollingUpdate: maxSurge: 50% maxUnavailable: 0 selector: matchLabels: app: test-app template: metadata: labels: app: test-app spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: dedicated operator: In values: - backend tolerations: - effect: NoSchedule key: dedicated operator: Equal value: backend containers: - name: test-app image: asia.gcr.io/monirul-test/test-app-deployment:test-app-1.0.0 ports: - containerPort: 5000 name: test-app resources: limits: cpu: <span class="s1">'1'</span> memory: <span class="s1">'3Gi'</span> requests: cpu: <span class="s1">'0.5'</span> memory: <span class="s1">'2Gi'</span> <span class="nb">env</span>: - name: DB_PASSWORD valueFrom: secretKeyRef: name: test-app-secret key: DB_PASSWORD - name: APP_PROJECT_ID valueFrom: configMapKeyRef: name: test-app-config key: APP_PROJECT_ID - name: DB_HOST valueFrom: configMapKeyRef: name: test-app-config key: DB_HOST - name: DB_USER valueFrom: configMapKeyRef: name: test-app-config key: DB_USER - name: APP_PORT valueFrom: configMapKeyRef: name: test-app-config key: APP_PORT - name: DB_NAME valueFrom: configMapKeyRef: name: test-app-config key: DB_NAME - name: DB_PORT valueFrom: configMapKeyRef: name: test-app-config key: DB_PORT - name: DATABASE_MAX_CONNECTIONS valueFrom: configMapKeyRef: name: test-app-config key: DATABASE_MAX_CONNECTIONS - name: cloud-sql-proxy image: gcr.io/cloudsql-docker/gce-proxy:1.22.0 <span class="nb">command</span>: - <span class="s1">'/cloud_sql_proxy'</span> - <span class="s1">'-ip_address_types=PUBLIC'</span> - <span class="s1">'-instances=monirul-test:us-west2:postgres-instance=tcp:0.0.0.0:5432'</span> - <span class="s1">'-credential_file=/var/secrets/cloud-sql/key.json'</span> resources: requests: cpu: <span class="s1">'100m'</span> memory: <span class="s1">'128Mi'</span> limits: cpu: <span class="s1">'200m'</span> memory: <span class="s1">'256Mi'</span> volumeMounts: <span class="c"># Mount the Secret as a volume</span> - name: service-account-key mountPath: /var/secrets/cloud-sql volumes: <span class="c"># Define the volume that references the Secret</span> - name: service-account-key secret: secretName: service-account-key </code></pre> </div> <p>This YAML manifest defines a Deployment for your application ("test-app-deployment") and includes a sidecar container named "cloud-sql-proxy." The Cloud SQL Proxy handles authentication and encryption for secure connections between your GKE application and the Cloud SQL database.</p> <p>Ensure you replace the image with your actual image. Once deployed, this configuration allows your GKE application to securely access the Cloud SQL database using the Cloud SQL Proxy.</p> <p>ConfigMap:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> apiVersion: v1 kind: ConfigMap metadata: name: test-app-config data: APP_PORT: <span class="s1">'5000'</span> APP_PROJECT_ID: monirul-test DB_NAME: postgres DB_HOST: localhost DB_USER: postgres DATABASE_MAX_CONNECTIONS: <span class="s1">'15'</span> DB_PORT: <span class="s1">'5432'</span> </code></pre> </div> <p>Secret:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> apiVersion: v1 data: DB_PASSWORD: <span class="nv">RXhDZXJlODc0Iw</span><span class="o">==</span> kind: Secret metadata: name: test-app-secret namespace: test-app <span class="nb">type</span>: Opaque </code></pre> </div> <p>Service.yaml</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> apiVersion: v1 kind: Service metadata: name: test-app-svc spec: ports: - name: test-app-svc-port protocol: TCP port: 5000 targetPort: 5000 </code></pre> </div> <p>The provided configurations are clear and should work for your use case. Just make sure that the actual values you use for your application match the ones you've configured in the ConfigMap and Secret.</p> <ul> <li>Testing and Validation Certainly, testing and validation are essential steps to ensure the GKE to Cloud SQL connection works correctly. Your provided commands for testing and validation look good:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>k <span class="nb">exec</span> <span class="nt">-it</span> test-app-deployment-786d4bdd56-2sktd <span class="nt">--</span> sh Defaulted container <span class="s2">"test-app"</span> out of: test-app, cloud-sql-proxy <span class="c"># curl http://localhost:5000</span> <span class="o">{</span><span class="s2">"message"</span>:<span class="s2">"hello world"</span><span class="o">}</span> <span class="c"># curl http://localhost:5000/data</span> <span class="o">[[</span><span class="s2">"+60102098121"</span>,<span class="s2">"Monirul"</span>,<span class="s2">"Islam"</span>,<span class="s2">"devops.monirul@gmail.com"</span><span class="o">]]</span> </code></pre> </div> <p>These commands will help you test various aspects of your setup, including basic connectivity and data retrieval. Be sure to conduct thorough testing, including edge cases and error scenarios, to ensure the reliability and performance of your GKE to Cloud SQL connection.</p> <p><strong>The Benefits</strong><br> Connecting multiple GKE VPC-native clusters to a centralized Cloud SQL instance provides several advantages:</p> <p>Isolation: Each GKE cluster remains isolated within its own VPC network, enhancing security and separation of workloads.</p> <p>Centralized Data Management: Data consistency is ensured with a single Cloud SQL database instance, simplifying data management.</p> <p>Scalability: This architecture can scale horizontally to handle increased workloads and data storage requirements.</p> <p>Security: Strong access controls, encryption, and secure connections guarantee data confidentiality and integrity.</p> <p>Efficiency: The Cloud SQL Proxy streamlines database connections, reducing latency and ensuring reliable access.</p> <p><strong>Conclusion</strong><br> Connecting multiple GKE VPC-native clusters to a shared Cloud SQL instance is a critical step in building scalable, secure, and efficient cloud-native applications. With the right architecture, tools, and best practices, you can seamlessly manage your data while maintaining network isolation and data security.</p> <p><em>Reference:</em> <br> <a href="https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine" rel="noopener noreferrer">https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine</a></p> gke cloudsql cloudsqlproxy cloud M.M.Monirul Islam Wed, 22 Mar 2023 10:33:34 +0000 https://forem.com/monirul87/eks-cluster-monitoring-for-aws-fargate-with-prometheus-and-managed-grafana-1h2f https://forem.com/monirul87/eks-cluster-monitoring-for-aws-fargate-with-prometheus-and-managed-grafana-1h2f <p>Firstly, We need to create node group in our existing EKS cluster as metrics are inaccessible to Fargate.</p> <h2> Architecture: </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvzgp0plcwrh059v0rwre.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvzgp0plcwrh059v0rwre.png" alt="Image description"></a></p> <h2> Node group for prometheus: </h2> <p>I actually used IAC (terrafrom) to create eks node group (worker node) for prometheus.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> resource <span class="s2">"aws_eks_node_group"</span> <span class="s2">"monirul_ec2"</span> <span class="o">{</span> cluster_name <span class="o">=</span> aws_eks_cluster.monirul.name node_group_name <span class="o">=</span> <span class="s2">"monirul_ec2_prometheus"</span> node_role_arn <span class="o">=</span> aws_iam_role.node.arn subnet_ids <span class="o">=</span> <span class="o">[</span> var.private_subnet_id_a, var.private_subnet_id_b <span class="o">]</span> scaling_config <span class="o">{</span> desired_size <span class="o">=</span> 2 max_size <span class="o">=</span> 5 min_size <span class="o">=</span> 1 <span class="o">}</span> ami_type <span class="o">=</span> <span class="s2">"AL2_x86_64"</span> <span class="c"># AL2_x86_64, AL2_x86_64_GPU, AL2_ARM_64, CUSTOM</span> capacity_type <span class="o">=</span> <span class="s2">"ON_DEMAND"</span> <span class="c"># ON_DEMAND, SPOT</span> disk_size <span class="o">=</span> 20 instance_types <span class="o">=</span> <span class="o">[</span><span class="s2">"m5.large"</span><span class="o">]</span> depends_on <span class="o">=</span> <span class="o">[</span> aws_iam_role_policy_attachment.node_AmazonEKSWorkerNodePolicy, aws_iam_role_policy_attachment.node_AmazonEKS_CNI_Policy, aws_iam_role_policy_attachment.node_AmazonEC2ContainerRegistryReadOnly, <span class="o">]</span> <span class="o">}</span> <span class="c"># EKS Node IAM Role</span> resource <span class="s2">"aws_iam_role"</span> <span class="s2">"node"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"Ec2-Worker-Role"</span> assume_role_policy <span class="o">=</span> <span class="o">&lt;&lt;</span><span class="no">POLICY</span><span class="sh"> { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } </span><span class="no">POLICY </span><span class="o">}</span> resource <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"node_AmazonEKSWorkerNodePolicy"</span> <span class="o">{</span> policy_arn <span class="o">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"</span> role <span class="o">=</span> aws_iam_role.node.name <span class="o">}</span> resource <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"node_AmazonEKS_CNI_Policy"</span> <span class="o">{</span> policy_arn <span class="o">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"</span> role <span class="o">=</span> aws_iam_role.node.name <span class="o">}</span> resource <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"node_AmazonEC2ContainerRegistryReadOnly"</span> <span class="o">{</span> policy_arn <span class="o">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"</span> role <span class="o">=</span> aws_iam_role.node.name <span class="o">}</span> </code></pre> </div> <p>Or we can create manually. Go to AWS Management Console -&gt; EKS -&gt; Your cluster -&gt; Compute -&gt; Add node group.</p> <p>We know that, We have to use EC2 for Prometheus, since will need volumes mounted to it.</p> <p>While creating node group, we have to attach an IAM role to EC2 worker nodes. For easy demonstration, I have created a new IAM role and attached policies as below.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxl71jl4eeatago33599e.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxl71jl4eeatago33599e.png" alt="Image description"></a></p> <p>Run the following command to confirm that your EC2 worker nodes are running properly (2 pods are should be running state). </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>k get po <span class="nt">-n</span> kube-system | <span class="nb">grep </span>aws-node aws-node-jx8dh 1/1 Running 0 13d aws-node-mx4gq 1/1 Running 0 13d </code></pre> </div> <blockquote> <p>Note: Node exporter runs as a daemon set and is responsible for collecting metrics of the host it runs on. Most of these metrics are low-level operating system metrics like vCPU, memory, network, disk (of the host machine, not containers), and hardware statistics, etc. These metrics are inaccessible to Fargate customers since AWS is responsible for the health of the host machine.</p> </blockquote> <h2> Install EBS CSI driver </h2> <p>Prometheus and Grafana needs persistent storage attached to them, which is also called PV(Persistent Volume) in terms of Kubernetes.</p> <p>For stateful workloads to use Amazon EBS volumes as PV, we have to add aws-ebs-csi-driver into the cluster.</p> <h2> Associating IAM role to Service account </h2> <p>Before we add aws-ebs-csi-driver, we need to create an IAM role, and associate it with Kubernetes service account.</p> <p>Let's use an example policy file, which you can download using the command below.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">-sSL</span> <span class="nt">-o</span> ebs-csi-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-ebs-csi-driver/master/docs/example-iam-policy.json </code></pre> </div> <p>Now let's create a new IAM policy with that file.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">export </span><span class="nv">EBS_CSI_POLICY_NAME</span><span class="o">=</span>AmazonEBSCSIPolicy <span class="nb">export </span><span class="nv">AWS_REGION</span><span class="o">=</span><span class="s2">"eu-west-1"</span> aws iam create-policy <span class="se">\</span> <span class="nt">--region</span> <span class="nv">$AWS_REGION</span> <span class="se">\</span> <span class="nt">--policy-name</span> <span class="nv">$EBS_CSI_POLICY_NAME</span> <span class="se">\</span> <span class="nt">--policy-document</span> file://ebs-csi-policy.json <span class="nb">export </span><span class="nv">EBS_CSI_POLICY_ARN</span><span class="o">=</span><span class="si">$(</span>aws <span class="nt">--region</span> eu-west-1 iam list-policies <span class="nt">--query</span> <span class="s1">'Policies[?PolicyName==`'</span><span class="nv">$EBS_CSI_POLICY_NAME</span><span class="s1">'`].Arn'</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="nb">echo</span> <span class="nv">$EBS_CSI_POLICY_ARN</span> <span class="c"># arn:aws:iam::2343123456678:policy/AmazonEBSCSIPolicy</span> </code></pre> </div> <p>After that, let's attach the new policy to Kubernetes service account.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> eksctl create iamserviceaccount <span class="se">\</span> <span class="nt">--cluster</span> <span class="nv">$EKS_CLUSTER_NAME</span> <span class="se">\</span> <span class="nt">--name</span> ebs-csi-controller-irsa <span class="se">\</span> <span class="nt">--namespace</span> kube-system <span class="se">\</span> <span class="nt">--attach-policy-arn</span> <span class="nv">$EBS_CSI_POLICY_ARN</span> <span class="se">\</span> <span class="nt">--override-existing-serviceaccounts</span> <span class="nt">--approve</span> </code></pre> </div> <p>And now, we're ready to install aws-ebs-csi-driver!</p> <h2> Setting up aws-ebs-csi-driver Helm Repo </h2> <p>Assuming that helm is installed, let's add new helm repository as below.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver helm repo update </code></pre> </div> <p>After adding new helm repository, let's install aws-ebs-csi-driver with below command using helm.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> helm upgrade <span class="nt">--install</span> aws-ebs-csi-driver <span class="se">\</span> <span class="nt">--version</span><span class="o">=</span>1.2.4 <span class="se">\</span> <span class="nt">--namespace</span> kube-system <span class="se">\</span> <span class="nt">--set</span> serviceAccount.controller.create<span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">--set</span> serviceAccount.snapshot.create<span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">--set</span> <span class="nv">enableVolumeScheduling</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> <span class="nv">enableVolumeResizing</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> <span class="nv">enableVolumeSnapshot</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> serviceAccount.snapshot.name<span class="o">=</span>ebs-csi-controller-irsa <span class="se">\</span> <span class="nt">--set</span> serviceAccount.controller.name<span class="o">=</span>ebs-csi-controller-irsa <span class="se">\</span> aws-ebs-csi-driver/aws-ebs-csi-driver </code></pre> </div> <h2> Creating Namespace =&gt; prometheus </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl create namespace prometheus <span class="nt">--dry-run</span><span class="o">=</span>client <span class="nt">-o</span> yaml | kubectl apply <span class="nt">-f</span> - </code></pre> </div> <h2> Setting up Prometheus Helm Repositories </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> helm repo add kube-state-metrics https://kubernetes.github.io/kube-state-metrics helm repo add prometheus-community https://prometheus-community.github.io/helm-charts </code></pre> </div> <h2> Setting up Prometheus </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">CHART_VERSION</span><span class="o">=</span><span class="s2">"19.7.2"</span> helm upgrade <span class="se">\</span> <span class="nt">--install</span> <span class="se">\</span> <span class="nt">--wait</span> <span class="se">\</span> prometheus prometheus-community/prometheus <span class="se">\</span> <span class="nt">--namespace</span> prometheus <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--version</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CHART_VERSION</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-f</span> prometheus/prometheus-values.yaml <span class="se">\</span> <span class="nt">--set</span> alertmanager.persistentVolume.storageClass<span class="o">=</span><span class="s2">"gp2"</span>,server.persistentVolume.storageClass<span class="o">=</span><span class="s2">"gp2"</span> <span class="se">\</span> <span class="nt">--debug</span> </code></pre> </div> <p>Verify that Prometheus pods are running:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>kubectl get pods <span class="nt">--namespace</span> prometheus NAME READY STATUS RESTARTS AGE prometheus-alertmanager-0 1/1 Running 0 12d prometheus-kube-state-metrics-6fcf5978bf-dssx2 1/1 Running 0 12d prometheus-prometheus-node-exporter-677lp 1/1 Running 0 13d prometheus-prometheus-node-exporter-mwn7j 1/1 Running 0 13d prometheus-prometheus-pushgateway-fdb75d75f-5pfdt 1/1 Running 0 12d prometheus-server-5d957cfd5f-thcvn 2/2 Running 0 12d </code></pre> </div> <p>Here is the prometheus value that we can use during installation. </p> <p><strong>prometheus-values.yaml</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> rbac: create: <span class="nb">true </span>podSecurityPolicy: enabled: <span class="nb">false </span>imagePullSecrets: <span class="o">[]</span> <span class="c"># - name: "image-pull-secret"</span> <span class="c">## Define serviceAccount names for components. Defaults to component's fully qualified name.</span> <span class="c">##</span> serviceAccounts: server: create: <span class="nb">true </span>name: <span class="s2">""</span> annotations: <span class="o">{}</span> <span class="c">## Monitors ConfigMap changes and POSTs to a URL</span> <span class="c">## Ref: https://github.com/jimmidyson/configmap-reload</span> <span class="c">##</span> configmapReload: prometheus: <span class="c">## If false, the configmap-reload container will not be deployed</span> <span class="c">##</span> enabled: <span class="nb">true</span> <span class="c">## configmap-reload container name</span> <span class="c">##</span> name: configmap-reload <span class="c">## configmap-reload container image</span> <span class="c">##</span> image: repository: jimmidyson/configmap-reload tag: v0.8.0 <span class="c"># When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value).</span> digest: <span class="s2">""</span> pullPolicy: IfNotPresent <span class="c"># containerPort: 9533</span> <span class="c">## Additional configmap-reload container arguments</span> <span class="c">##</span> extraArgs: <span class="o">{}</span> <span class="c">## Additional configmap-reload volume directories</span> <span class="c">##</span> extraVolumeDirs: <span class="o">[]</span> <span class="c">## Additional configmap-reload mounts</span> <span class="c">##</span> extraConfigmapMounts: <span class="o">[]</span> <span class="c"># - name: prometheus-alerts</span> <span class="c"># mountPath: /etc/alerts.d</span> <span class="c"># subPath: ""</span> <span class="c"># configMap: prometheus-alerts</span> <span class="c"># readOnly: true</span> <span class="c">## Security context to be added to configmap-reload container</span> containerSecurityContext: <span class="o">{}</span> <span class="c">## configmap-reload resource requests and limits</span> <span class="c">## Ref: http://kubernetes.io/docs/user-guide/compute-resources/</span> <span class="c">##</span> resources: <span class="o">{}</span> server: <span class="c">## Prometheus server container name</span> <span class="c">##</span> name: server <span class="c">## Use a ClusterRole (and ClusterRoleBinding)</span> <span class="c">## - If set to false - we define a RoleBinding in the defined namespaces ONLY</span> <span class="c">##</span> <span class="c">## NB: because we need a Role with nonResourceURL's ("/metrics") - you must get someone with Cluster-admin privileges to define this role for you, before running with this setting enabled.</span> <span class="c">## This makes prometheus work - for users who do not have ClusterAdmin privs, but wants prometheus to operate on their own namespaces, instead of clusterwide.</span> <span class="c">##</span> <span class="c">## You MUST also set namespaces to the ones you have access to and want monitored by Prometheus.</span> <span class="c">##</span> <span class="c"># useExistingClusterRoleName: nameofclusterrole</span> <span class="c">## namespaces to monitor (instead of monitoring all - clusterwide). Needed if you want to run without Cluster-admin privileges.</span> <span class="c"># namespaces:</span> <span class="c"># - yournamespace</span> <span class="c"># sidecarContainers - add more containers to prometheus server</span> <span class="c"># Key/Value where Key is the sidecar `- name: &lt;Key&gt;`</span> <span class="c"># Example:</span> <span class="c"># sidecarContainers:</span> <span class="c"># webserver:</span> <span class="c"># image: nginx</span> sidecarContainers: <span class="o">{}</span> <span class="c"># sidecarTemplateValues - context to be used in template for sidecarContainers</span> <span class="c"># Example:</span> <span class="c"># sidecarTemplateValues: *your-custom-globals</span> <span class="c"># sidecarContainers:</span> <span class="c"># webserver: |-</span> <span class="c"># {{ include "webserver-container-template" . }}</span> <span class="c"># Template for `webserver-container-template` might looks like this:</span> <span class="c"># image: "{{ .Values.server.sidecarTemplateValues.repository }}:{{ .Values.server.sidecarTemplateValues.tag }}"</span> <span class="c"># ...</span> <span class="c">#</span> sidecarTemplateValues: <span class="o">{}</span> <span class="c">## Prometheus server container image</span> <span class="c">##</span> image: repository: quay.io/prometheus/prometheus <span class="c"># if not set appVersion field from Chart.yaml is used</span> tag: <span class="s2">""</span> <span class="c"># When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value).</span> digest: <span class="s2">""</span> pullPolicy: IfNotPresent <span class="c">## prometheus server priorityClassName</span> <span class="c">##</span> priorityClassName: <span class="s2">""</span> <span class="c">## EnableServiceLinks indicates whether information about services should be injected</span> <span class="c">## into pod's environment variables, matching the syntax of Docker links.</span> <span class="c">## WARNING: the field is unsupported and will be skipped in K8s prior to v1.13.0.</span> <span class="c">##</span> enableServiceLinks: <span class="nb">true</span> <span class="c">## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug</span> <span class="c">## so that the various internal URLs are still able to access as they are in the default case.</span> <span class="c">## (Optional)</span> prefixURL: <span class="s2">""</span> <span class="c">## External URL which can access prometheus</span> <span class="c">## Maybe same with Ingress host name</span> baseURL: <span class="s2">""</span> <span class="c">## Additional server container environment variables</span> <span class="c">##</span> <span class="c">## You specify this manually like you would a raw deployment manifest.</span> <span class="c">## This means you can bind in environment variables from secrets.</span> <span class="c">##</span> <span class="c">## e.g. static environment variable:</span> <span class="c">## - name: DEMO_GREETING</span> <span class="c">## value: "Hello from the environment"</span> <span class="c">##</span> <span class="c">## e.g. secret environment variable:</span> <span class="c">## - name: USERNAME</span> <span class="c">## valueFrom:</span> <span class="c">## secretKeyRef:</span> <span class="c">## name: mysecret</span> <span class="c">## key: username</span> <span class="nb">env</span>: <span class="o">[]</span> <span class="c"># List of flags to override default parameters, e.g:</span> <span class="c"># - --enable-feature=agent</span> <span class="c"># - --storage.agent.retention.max-time=30m</span> defaultFlagsOverride: <span class="o">[]</span> extraFlags: - web.enable-lifecycle <span class="c">## web.enable-admin-api flag controls access to the administrative HTTP API which includes functionality such as</span> <span class="c">## deleting time series. This is disabled by default.</span> <span class="c"># - web.enable-admin-api</span> <span class="c">##</span> <span class="c">## storage.tsdb.no-lockfile flag controls BD locking</span> <span class="c"># - storage.tsdb.no-lockfile</span> <span class="c">##</span> <span class="c">## storage.tsdb.wal-compression flag enables compression of the write-ahead log (WAL)</span> <span class="c"># - storage.tsdb.wal-compression</span> <span class="c">## Path to a configuration file on prometheus server container FS</span> configPath: /etc/config/prometheus.yml <span class="c">### The data directory used by prometheus to set --storage.tsdb.path</span> <span class="c">### When empty server.persistentVolume.mountPath is used instead</span> storagePath: <span class="s2">""</span> global: <span class="c">## How frequently to scrape targets by default</span> <span class="c">##</span> scrape_interval: 1m <span class="c">## How long until a scrape request times out</span> <span class="c">##</span> scrape_timeout: 10s <span class="c">## How frequently to evaluate rules</span> <span class="c">##</span> evaluation_interval: 1m <span class="c">## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write</span> <span class="c">##</span> remoteWrite: <span class="o">[]</span> <span class="c">## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read</span> <span class="c">##</span> remoteRead: <span class="o">[]</span> <span class="c">## Custom HTTP headers for Liveness/Readiness/Startup Probe</span> <span class="c">##</span> <span class="c">## Useful for providing HTTP Basic Auth to healthchecks</span> probeHeaders: <span class="o">[]</span> <span class="c"># - name: "Authorization"</span> <span class="c"># value: "Bearer ABCDEabcde12345"</span> <span class="c">## Additional Prometheus server container arguments</span> <span class="c">##</span> extraArgs: <span class="o">{}</span> <span class="c">## Additional InitContainers to initialize the pod</span> <span class="c">##</span> extraInitContainers: <span class="o">[]</span> <span class="c">## Additional Prometheus server Volume mounts</span> <span class="c">##</span> extraVolumeMounts: <span class="o">[]</span> <span class="c">## Additional Prometheus server Volumes</span> <span class="c">##</span> extraVolumes: <span class="o">[]</span> <span class="c">## Additional Prometheus server hostPath mounts</span> <span class="c">##</span> extraHostPathMounts: <span class="o">[]</span> <span class="c"># - name: certs-dir</span> <span class="c"># mountPath: /etc/kubernetes/certs</span> <span class="c"># subPath: ""</span> <span class="c"># hostPath: /etc/kubernetes/certs</span> <span class="c"># readOnly: true</span> extraConfigmapMounts: <span class="o">[]</span> <span class="c"># - name: certs-configmap</span> <span class="c"># mountPath: /prometheus</span> <span class="c"># subPath: ""</span> <span class="c"># configMap: certs-configmap</span> <span class="c"># readOnly: true</span> <span class="c">## Additional Prometheus server Secret mounts</span> <span class="c"># Defines additional mounts with secrets. Secrets must be manually created in the namespace.</span> extraSecretMounts: <span class="o">[]</span> <span class="c"># - name: secret-files</span> <span class="c"># mountPath: /etc/secrets</span> <span class="c"># subPath: ""</span> <span class="c"># secretName: prom-secret-files</span> <span class="c"># readOnly: true</span> <span class="c">## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.server.configMapOverrideName}}</span> <span class="c">## Defining configMapOverrideName will cause templates/server-configmap.yaml</span> <span class="c">## to NOT generate a ConfigMap resource</span> <span class="c">##</span> configMapOverrideName: <span class="s2">""</span> <span class="c">## Extra labels for Prometheus server ConfigMap (ConfigMap that holds serverFiles)</span> extraConfigmapLabels: <span class="o">{}</span> ingress: <span class="c">## If true, Prometheus server Ingress will be created</span> <span class="c">##</span> enabled: <span class="nb">false</span> <span class="c"># For Kubernetes &gt;= 1.18 you should specify the ingress-controller via the field ingressClassName</span> <span class="c"># See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress</span> <span class="c"># ingressClassName: nginx</span> <span class="c">## Prometheus server Ingress annotations</span> <span class="c">##</span> annotations: <span class="o">{}</span> <span class="c"># kubernetes.io/ingress.class: nginx</span> <span class="c"># kubernetes.io/tls-acme: 'true'</span> <span class="c">## Prometheus server Ingress additional labels</span> <span class="c">##</span> extraLabels: <span class="o">{}</span> <span class="c">## Prometheus server Ingress hostnames with optional path</span> <span class="c">## Must be provided if Ingress is enabled</span> <span class="c">##</span> hosts: <span class="o">[]</span> <span class="c"># - prometheus.domain.com</span> <span class="c"># - domain.com/prometheus</span> path: / <span class="c"># pathType is only for k8s &gt;= 1.18</span> pathType: Prefix <span class="c">## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.</span> extraPaths: <span class="o">[]</span> <span class="c"># - path: /*</span> <span class="c"># backend:</span> <span class="c"># serviceName: ssl-redirect</span> <span class="c"># servicePort: use-annotation</span> <span class="c">## Prometheus server Ingress TLS configuration</span> <span class="c">## Secrets must be manually created in the namespace</span> <span class="c">##</span> tls: <span class="o">[]</span> <span class="c"># - secretName: prometheus-server-tls</span> <span class="c"># hosts:</span> <span class="c"># - prometheus.domain.com</span> <span class="c">## Server Deployment Strategy type</span> strategy: <span class="nb">type</span>: Recreate <span class="c">## hostAliases allows adding entries to /etc/hosts inside the containers</span> hostAliases: <span class="o">[]</span> <span class="c"># - ip: "127.0.0.1"</span> <span class="c"># hostnames:</span> <span class="c"># - "example.com"</span> <span class="c">## Node tolerations for server scheduling to nodes with taints</span> <span class="c">## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/</span> <span class="c">##</span> tolerations: <span class="o">[]</span> <span class="c"># - key: "key"</span> <span class="c"># operator: "Equal|Exists"</span> <span class="c"># value: "value"</span> <span class="c"># effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"</span> <span class="c">## Node labels for Prometheus server pod assignment</span> <span class="c">## Ref: https://kubernetes.io/docs/user-guide/node-selection/</span> <span class="c">##</span> nodeSelector: <span class="o">{}</span> <span class="c">## Pod affinity</span> <span class="c">##</span> <span class="c"># affinity: {}</span> <span class="c"># affinity:</span> <span class="c"># nodeAffinity:</span> <span class="c"># requiredDuringSchedulingIgnoredDuringExecution:</span> <span class="c"># nodeSelectorTerms:</span> <span class="c"># - matchExpressions:</span> <span class="c"># - key: eks.amazonaws.com/compute-type</span> <span class="c"># operator: NotIn</span> <span class="c"># values:</span> <span class="c"># - fargate</span> affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux - key: kubernetes.io/arch operator: In values: - amd64 - arm64 - key: eks.amazonaws.com/compute-type operator: NotIn values: - fargate <span class="c">## PodDisruptionBudget settings</span> <span class="c">## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/</span> <span class="c">##</span> podDisruptionBudget: enabled: <span class="nb">false </span>maxUnavailable: 1 <span class="c">## Use an alternate scheduler, e.g. "stork".</span> <span class="c">## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/</span> <span class="c">##</span> <span class="c"># schedulerName:</span> persistentVolume: <span class="c">## If true, Prometheus server will create/use a Persistent Volume Claim</span> <span class="c">## If false, use emptyDir</span> <span class="c">##</span> enabled: <span class="nb">true</span> <span class="c">## Prometheus server data Persistent Volume access modes</span> <span class="c">## Must match those of existing PV or dynamic provisioner</span> <span class="c">## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/</span> <span class="c">##</span> accessModes: - ReadWriteOnce <span class="c">## Prometheus server data Persistent Volume labels</span> <span class="c">##</span> labels: <span class="o">{}</span> <span class="c">## Prometheus server data Persistent Volume annotations</span> <span class="c">##</span> annotations: <span class="o">{}</span> <span class="c">## Prometheus server data Persistent Volume existing claim name</span> <span class="c">## Requires server.persistentVolume.enabled: true</span> <span class="c">## If defined, PVC must be created manually before volume will be bound</span> existingClaim: <span class="s2">""</span> <span class="c">## Prometheus server data Persistent Volume mount root path</span> <span class="c">##</span> mountPath: /data <span class="c">## Prometheus server data Persistent Volume size</span> <span class="c">##</span> size: 8Gi <span class="c">## Prometheus server data Persistent Volume Storage Class</span> <span class="c">## If defined, storageClassName: &lt;storageClass&gt;</span> <span class="c">## If set to "-", storageClassName: "", which disables dynamic provisioning</span> <span class="c">## If undefined (the default) or set to null, no storageClassName spec is</span> <span class="c">## set, choosing the default provisioner. (gp2 on AWS, standard on</span> <span class="c">## GKE, AWS &amp; OpenStack)</span> <span class="c">##</span> <span class="c"># storageClass: "-"</span> <span class="c">## Prometheus server data Persistent Volume Binding Mode</span> <span class="c">## If defined, volumeBindingMode: &lt;volumeBindingMode&gt;</span> <span class="c">## If undefined (the default) or set to null, no volumeBindingMode spec is</span> <span class="c">## set, choosing the default mode.</span> <span class="c">##</span> <span class="c"># volumeBindingMode: ""</span> <span class="c">## Subdirectory of Prometheus server data Persistent Volume to mount</span> <span class="c">## Useful if the volume's root directory is not empty</span> <span class="c">##</span> subPath: <span class="s2">""</span> <span class="c">## Persistent Volume Claim Selector</span> <span class="c">## Useful if Persistent Volumes have been provisioned in advance</span> <span class="c">## Ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector</span> <span class="c">##</span> <span class="c"># selector:</span> <span class="c"># matchLabels:</span> <span class="c"># release: "stable"</span> <span class="c"># matchExpressions:</span> <span class="c"># - { key: environment, operator: In, values: [ dev ] }</span> <span class="c">## Persistent Volume Name</span> <span class="c">## Useful if Persistent Volumes have been provisioned in advance and you want to use a specific one</span> <span class="c">##</span> <span class="c"># volumeName: ""</span> emptyDir: <span class="c">## Prometheus server emptyDir volume size limit</span> <span class="c">##</span> sizeLimit: <span class="s2">""</span> <span class="c">## Annotations to be added to Prometheus server pods</span> <span class="c">##</span> podAnnotations: <span class="o">{}</span> <span class="c"># iam.amazonaws.com/role: prometheus</span> <span class="c">## Labels to be added to Prometheus server pods</span> <span class="c">##</span> podLabels: <span class="o">{}</span> <span class="c">## Prometheus AlertManager configuration</span> <span class="c">##</span> alertmanagers: <span class="o">[]</span> <span class="c">## Specify if a Pod Security Policy for node-exporter must be created</span> <span class="c">## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/</span> <span class="c">##</span> podSecurityPolicy: annotations: <span class="o">{}</span> <span class="c">## Specify pod annotations</span> <span class="c">## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor</span> <span class="c">## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp</span> <span class="c">## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl</span> <span class="c">##</span> <span class="c"># seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'</span> <span class="c"># seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'</span> <span class="c"># apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'</span> <span class="c">## Use a StatefulSet if replicaCount needs to be greater than 1 (see below)</span> <span class="c">##</span> replicaCount: 1 <span class="c">## Annotations to be added to deployment</span> <span class="c">##</span> deploymentAnnotations: <span class="o">{}</span> statefulSet: <span class="c">## If true, use a statefulset instead of a deployment for pod management.</span> <span class="c">## This allows to scale replicas to more than 1 pod</span> <span class="c">##</span> enabled: <span class="nb">false </span>annotations: <span class="o">{}</span> labels: <span class="o">{}</span> podManagementPolicy: OrderedReady <span class="c">## Alertmanager headless service to use for the statefulset</span> <span class="c">##</span> headless: annotations: <span class="o">{}</span> labels: <span class="o">{}</span> servicePort: 80 <span class="c">## Enable gRPC port on service to allow auto discovery with thanos-querier</span> gRPC: enabled: <span class="nb">false </span>servicePort: 10901 <span class="c"># nodePort: 10901</span> <span class="c">## Prometheus server readiness and liveness probe initial delay and timeout</span> <span class="c">## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/</span> <span class="c">##</span> tcpSocketProbeEnabled: <span class="nb">false </span>probeScheme: HTTP readinessProbeInitialDelay: 30 readinessProbePeriodSeconds: 5 readinessProbeTimeout: 4 readinessProbeFailureThreshold: 3 readinessProbeSuccessThreshold: 1 livenessProbeInitialDelay: 30 livenessProbePeriodSeconds: 15 livenessProbeTimeout: 10 livenessProbeFailureThreshold: 3 livenessProbeSuccessThreshold: 1 startupProbe: enabled: <span class="nb">false </span>periodSeconds: 5 failureThreshold: 30 timeoutSeconds: 10 <span class="c">## Prometheus server resource requests and limits</span> <span class="c">## Ref: http://kubernetes.io/docs/user-guide/compute-resources/</span> <span class="c">##</span> resources: <span class="o">{}</span> <span class="c"># limits:</span> <span class="c"># cpu: 500m</span> <span class="c"># memory: 512Mi</span> <span class="c"># requests:</span> <span class="c"># cpu: 500m</span> <span class="c"># memory: 512Mi</span> <span class="c"># Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico),</span> <span class="c"># because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working</span> <span class="c">##</span> hostNetwork: <span class="nb">false</span> <span class="c"># When hostNetwork is enabled, this will set to ClusterFirstWithHostNet automatically</span> dnsPolicy: ClusterFirst <span class="c"># Use hostPort</span> <span class="c"># hostPort: 9090</span> <span class="c">## Vertical Pod Autoscaler config</span> <span class="c">## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler</span> verticalAutoscaler: <span class="c">## If true a VPA object will be created for the controller (either StatefulSet or Deployemnt, based on above configs)</span> enabled: <span class="nb">false</span> <span class="c"># updateMode: "Auto"</span> <span class="c"># containerPolicies:</span> <span class="c"># - containerName: 'prometheus-server'</span> <span class="c"># Custom DNS configuration to be added to prometheus server pods</span> dnsConfig: <span class="o">{}</span> <span class="c"># nameservers:</span> <span class="c"># - 1.2.3.4</span> <span class="c"># searches:</span> <span class="c"># - ns1.svc.cluster-domain.example</span> <span class="c"># - my.dns.search.suffix</span> <span class="c"># options:</span> <span class="c"># - name: ndots</span> <span class="c"># value: "2"</span> <span class="c"># - name: edns0</span> <span class="c">## Security context to be added to server pods</span> <span class="c">##</span> securityContext: runAsUser: 65534 runAsNonRoot: <span class="nb">true </span>runAsGroup: 65534 fsGroup: 65534 <span class="c">## Security context to be added to server container</span> <span class="c">##</span> containerSecurityContext: <span class="o">{}</span> service: <span class="c">## If false, no Service will be created for the Prometheus server</span> <span class="c">##</span> enabled: <span class="nb">true </span>annotations: <span class="o">{}</span> labels: <span class="o">{}</span> clusterIP: <span class="s2">""</span> <span class="c">## List of IP addresses at which the Prometheus server service is available</span> <span class="c">## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips</span> <span class="c">##</span> externalIPs: <span class="o">[]</span> loadBalancerIP: <span class="s2">""</span> loadBalancerSourceRanges: <span class="o">[]</span> servicePort: 80 sessionAffinity: None <span class="nb">type</span>: ClusterIP <span class="c">## Enable gRPC port on service to allow auto discovery with thanos-querier</span> gRPC: enabled: <span class="nb">false </span>servicePort: 10901 <span class="c"># nodePort: 10901</span> <span class="c">## If using a statefulSet (statefulSet.enabled=true), configure the</span> <span class="c">## service to connect to a specific replica to have a consistent view</span> <span class="c">## of the data.</span> statefulsetReplica: enabled: <span class="nb">false </span>replica: 0 <span class="c">## Prometheus server pod termination grace period</span> <span class="c">##</span> terminationGracePeriodSeconds: 300 <span class="c">## Prometheus data retention period (default if not specified is 15 days)</span> <span class="c">##</span> retention: <span class="s2">"15d"</span> <span class="c">## Prometheus server ConfigMap entries for rule files (allow prometheus labels interpolation)</span> ruleFiles: <span class="o">{}</span> <span class="c">## Prometheus server ConfigMap entries</span> <span class="c">##</span> serverFiles: <span class="c">## Alerts configuration</span> <span class="c">## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/</span> alerting_rules.yml: <span class="o">{}</span> <span class="c"># groups:</span> <span class="c"># - name: Instances</span> <span class="c"># rules:</span> <span class="c"># - alert: InstanceDown</span> <span class="c"># expr: up == 0</span> <span class="c"># for: 5m</span> <span class="c"># labels:</span> <span class="c"># severity: page</span> <span class="c"># annotations:</span> <span class="c"># description: '{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.'</span> <span class="c"># summary: 'Instance {{ $labels.instance }} down'</span> <span class="c">## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use alerting_rules.yml</span> alerts: <span class="o">{}</span> <span class="c">## Records configuration</span> <span class="c">## Ref: https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/</span> recording_rules.yml: <span class="o">{}</span> <span class="c">## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use recording_rules.yml</span> rules: <span class="o">{}</span> prometheus.yml: rule_files: - /etc/config/recording_rules.yml - /etc/config/alerting_rules.yml <span class="c">## Below two files are DEPRECATED will be removed from this default values file</span> - /etc/config/rules - /etc/config/alerts scrape_configs: - job_name: prometheus static_configs: - targets: - localhost:9090 <span class="c"># A scrape configuration for running Prometheus on a Kubernetes cluster.</span> <span class="c"># This uses separate scrape configs for cluster components (i.e. API server, node)</span> <span class="c"># and services to allow each to use different authentication configs.</span> <span class="c">#</span> <span class="c"># Kubernetes labels will be added as Prometheus labels on metrics via the</span> <span class="c"># `labelmap` relabeling action.</span> <span class="c"># Scrape config for API servers.</span> <span class="c">#</span> <span class="c"># Kubernetes exposes API servers as endpoints to the default/kubernetes</span> <span class="c"># service so this uses `endpoints` role and uses relabelling to only keep</span> <span class="c"># the endpoints associated with the default/kubernetes service using the</span> <span class="c"># default named port `https`. This works for single API server deployments as</span> <span class="c"># well as HA API server deployments.</span> - job_name: <span class="s1">'kubernetes-apiservers'</span> kubernetes_sd_configs: - role: endpoints <span class="c"># Default to scraping over https. If required, just disable this or change to</span> <span class="c"># `http`.</span> scheme: https <span class="c"># This TLS &amp; bearer token file config is used to connect to the actual scrape</span> <span class="c"># endpoints for cluster components. This is separate to discovery auth</span> <span class="c"># configuration because discovery &amp; scraping are two separate concerns in</span> <span class="c"># Prometheus. The discovery auth config is automatic if Prometheus runs inside</span> <span class="c"># the cluster. Otherwise, more config options have to be provided within the</span> <span class="c"># &lt;kubernetes_sd_config&gt;.</span> tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt <span class="c"># If your node certificates are self-signed or use a different CA to the</span> <span class="c"># master CA, then disable certificate verification below. Note that</span> <span class="c"># certificate verification is an integral part of a secure infrastructure</span> <span class="c"># so this should only be disabled in a controlled environment. You can</span> <span class="c"># disable certificate verification by uncommenting the line below.</span> <span class="c">#</span> insecure_skip_verify: <span class="nb">true </span>bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token <span class="c"># Keep only the default/kubernetes service endpoints for the https port. This</span> <span class="c"># will add targets for each API server which Kubernetes adds an endpoint to</span> <span class="c"># the default/kubernetes service.</span> relabel_configs: - source_labels: <span class="o">[</span>__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep regex: default<span class="p">;</span>kubernetes<span class="p">;</span>https - job_name: <span class="s1">'kubernetes-nodes'</span> <span class="c"># Default to scraping over https. If required, just disable this or change to</span> <span class="c"># `http`.</span> scheme: https <span class="c"># This TLS &amp; bearer token file config is used to connect to the actual scrape</span> <span class="c"># endpoints for cluster components. This is separate to discovery auth</span> <span class="c"># configuration because discovery &amp; scraping are two separate concerns in</span> <span class="c"># Prometheus. The discovery auth config is automatic if Prometheus runs inside</span> <span class="c"># the cluster. Otherwise, more config options have to be provided within the</span> <span class="c"># &lt;kubernetes_sd_config&gt;.</span> tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt <span class="c"># If your node certificates are self-signed or use a different CA to the</span> <span class="c"># master CA, then disable certificate verification below. Note that</span> <span class="c"># certificate verification is an integral part of a secure infrastructure</span> <span class="c"># so this should only be disabled in a controlled environment. You can</span> <span class="c"># disable certificate verification by uncommenting the line below.</span> <span class="c">#</span> insecure_skip_verify: <span class="nb">true </span>bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token kubernetes_sd_configs: - role: node relabel_configs: - action: labelmap regex: __meta_kubernetes_node_label_<span class="o">(</span>.+<span class="o">)</span> - target_label: __address__ replacement: kubernetes.default.svc:443 - source_labels: <span class="o">[</span>__meta_kubernetes_node_name] regex: <span class="o">(</span>.+<span class="o">)</span> target_label: __metrics_path__ replacement: /api/v1/nodes/<span class="nv">$1</span>/proxy/metrics - job_name: <span class="s1">'kubernetes-nodes-cadvisor'</span> <span class="c"># Default to scraping over https. If required, just disable this or change to</span> <span class="c"># `http`.</span> scheme: https <span class="c"># This TLS &amp; bearer token file config is used to connect to the actual scrape</span> <span class="c"># endpoints for cluster components. This is separate to discovery auth</span> <span class="c"># configuration because discovery &amp; scraping are two separate concerns in</span> <span class="c"># Prometheus. The discovery auth config is automatic if Prometheus runs inside</span> <span class="c"># the cluster. Otherwise, more config options have to be provided within the</span> <span class="c"># &lt;kubernetes_sd_config&gt;.</span> tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt <span class="c"># If your node certificates are self-signed or use a different CA to the</span> <span class="c"># master CA, then disable certificate verification below. Note that</span> <span class="c"># certificate verification is an integral part of a secure infrastructure</span> <span class="c"># so this should only be disabled in a controlled environment. You can</span> <span class="c"># disable certificate verification by uncommenting the line below.</span> <span class="c">#</span> insecure_skip_verify: <span class="nb">true </span>bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token kubernetes_sd_configs: - role: node <span class="c"># This configuration will work only on kubelet 1.7.3+</span> <span class="c"># As the scrape endpoints for cAdvisor have changed</span> <span class="c"># if you are using older version you need to change the replacement to</span> <span class="c"># replacement: /api/v1/nodes/$1:4194/proxy/metrics</span> <span class="c"># more info here https://github.com/coreos/prometheus-operator/issues/633</span> relabel_configs: - action: labelmap regex: __meta_kubernetes_node_label_<span class="o">(</span>.+<span class="o">)</span> - target_label: __address__ replacement: kubernetes.default.svc:443 - source_labels: <span class="o">[</span>__meta_kubernetes_node_name] regex: <span class="o">(</span>.+<span class="o">)</span> target_label: __metrics_path__ replacement: /api/v1/nodes/<span class="nv">$1</span>/proxy/metrics/cadvisor <span class="c"># Metric relabel configs to apply to samples before ingestion.</span> <span class="c"># [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)</span> <span class="c"># metric_relabel_configs:</span> <span class="c"># - action: labeldrop</span> <span class="c"># regex: (kubernetes_io_hostname|failure_domain_beta_kubernetes_io_region|beta_kubernetes_io_os|beta_kubernetes_io_arch|beta_kubernetes_io_instance_type|failure_domain_beta_kubernetes_io_zone)</span> <span class="c"># Scrape config for service endpoints.</span> <span class="c">#</span> <span class="c"># The relabeling allows the actual service scrape endpoint to be configured</span> <span class="c"># via the following annotations:</span> <span class="c">#</span> <span class="c"># * `prometheus.io/scrape`: Only scrape services that have a value of</span> <span class="c"># `true`, except if `prometheus.io/scrape-slow` is set to `true` as well.</span> <span class="c"># * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need</span> <span class="c"># to set this to `https` &amp; most likely set the `tls_config` of the scrape config.</span> <span class="c"># * `prometheus.io/path`: If the metrics path is not `/metrics` override this.</span> <span class="c"># * `prometheus.io/port`: If the metrics are exposed on a different port to the</span> <span class="c"># service then set this appropriately.</span> <span class="c"># * `prometheus.io/param_&lt;parameter&gt;`: If the metrics endpoint uses parameters</span> <span class="c"># then you can set any parameter</span> - job_name: <span class="s1">'kubernetes-service-endpoints'</span> honor_labels: <span class="nb">true </span>kubernetes_sd_configs: - role: endpoints relabel_configs: - source_labels: <span class="o">[</span>__meta_kubernetes_service_annotation_prometheus_io_scrape] action: keep regex: <span class="nb">true</span> - source_labels: <span class="o">[</span>__meta_kubernetes_service_annotation_prometheus_io_scrape_slow] action: drop regex: <span class="nb">true</span> - source_labels: <span class="o">[</span>__meta_kubernetes_service_annotation_prometheus_io_scheme] action: replace target_label: __scheme__ regex: <span class="o">(</span>https?<span class="o">)</span> - source_labels: <span class="o">[</span>__meta_kubernetes_service_annotation_prometheus_io_path] action: replace target_label: __metrics_path__ regex: <span class="o">(</span>.+<span class="o">)</span> - source_labels: <span class="o">[</span>__address__, __meta_kubernetes_service_annotation_prometheus_io_port] action: replace target_label: __address__ regex: <span class="o">(</span>.+?<span class="o">)(</span>?::<span class="se">\d</span>+<span class="o">)</span>?<span class="p">;</span><span class="o">(</span><span class="se">\d</span>+<span class="o">)</span> replacement: <span class="nv">$1</span>:<span class="nv">$2</span> - action: labelmap regex: __meta_kubernetes_service_annotation_prometheus_io_param_<span class="o">(</span>.+<span class="o">)</span> replacement: __param_<span class="nv">$1</span> - action: labelmap regex: __meta_kubernetes_service_label_<span class="o">(</span>.+<span class="o">)</span> - source_labels: <span class="o">[</span>__meta_kubernetes_namespace] action: replace target_label: namespace - source_labels: <span class="o">[</span>__meta_kubernetes_service_name] action: replace target_label: service - source_labels: <span class="o">[</span>__meta_kubernetes_pod_node_name] action: replace target_label: node <span class="c"># Scrape config for slow service endpoints; same as above, but with a larger</span> <span class="c"># timeout and a larger interval</span> <span class="c">#</span> <span class="c"># The relabeling allows the actual service scrape endpoint to be configured</span> <span class="c"># via the following annotations:</span> <span class="c">#</span> <span class="c"># * `prometheus.io/scrape-slow`: Only scrape services that have a value of `true`</span> <span class="c"># * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need</span> <span class="c"># to set this to `https` &amp; most likely set the `tls_config` of the scrape config.</span> <span class="c"># * `prometheus.io/path`: If the metrics path is not `/metrics` override this.</span> <span class="c"># * `prometheus.io/port`: If the metrics are exposed on a different port to the</span> <span class="c"># service then set this appropriately.</span> <span class="c"># * `prometheus.io/param_&lt;parameter&gt;`: If the metrics endpoint uses parameters</span> <span class="c"># then you can set any parameter</span> - job_name: <span class="s1">'kubernetes-service-endpoints-slow'</span> honor_labels: <span class="nb">true </span>scrape_interval: 5m scrape_timeout: 30s kubernetes_sd_configs: - role: endpoints relabel_configs: - source_labels: <span class="o">[</span>__meta_kubernetes_service_annotation_prometheus_io_scrape_slow] action: keep regex: <span class="nb">true</span> - source_labels: <span class="o">[</span>__meta_kubernetes_service_annotation_prometheus_io_scheme] action: replace target_label: __scheme__ regex: <span class="o">(</span>https?<span class="o">)</span> - source_labels: <span class="o">[</span>__meta_kubernetes_service_annotation_prometheus_io_path] action: replace target_label: __metrics_path__ regex: <span class="o">(</span>.+<span class="o">)</span> - source_labels: <span class="o">[</span>__address__, __meta_kubernetes_service_annotation_prometheus_io_port] action: replace target_label: __address__ regex: <span class="o">(</span>.+?<span class="o">)(</span>?::<span class="se">\d</span>+<span class="o">)</span>?<span class="p">;</span><span class="o">(</span><span class="se">\d</span>+<span class="o">)</span> replacement: <span class="nv">$1</span>:<span class="nv">$2</span> - action: labelmap regex: __meta_kubernetes_service_annotation_prometheus_io_param_<span class="o">(</span>.+<span class="o">)</span> replacement: __param_<span class="nv">$1</span> - action: labelmap regex: __meta_kubernetes_service_label_<span class="o">(</span>.+<span class="o">)</span> - source_labels: <span class="o">[</span>__meta_kubernetes_namespace] action: replace target_label: namespace - source_labels: <span class="o">[</span>__meta_kubernetes_service_name] action: replace target_label: service - source_labels: <span class="o">[</span>__meta_kubernetes_pod_node_name] action: replace target_label: node - job_name: <span class="s1">'prometheus-pushgateway'</span> honor_labels: <span class="nb">true </span>kubernetes_sd_configs: - role: service relabel_configs: - source_labels: <span class="o">[</span>__meta_kubernetes_service_annotation_prometheus_io_probe] action: keep regex: pushgateway <span class="c"># Example scrape config for probing services via the Blackbox Exporter.</span> <span class="c">#</span> <span class="c"># The relabeling allows the actual service scrape endpoint to be configured</span> <span class="c"># via the following annotations:</span> <span class="c">#</span> <span class="c"># * `prometheus.io/probe`: Only probe services that have a value of `true`</span> - job_name: <span class="s1">'kubernetes-services'</span> honor_labels: <span class="nb">true </span>metrics_path: /probe params: module: <span class="o">[</span>http_2xx] kubernetes_sd_configs: - role: service relabel_configs: - source_labels: <span class="o">[</span>__meta_kubernetes_service_annotation_prometheus_io_probe] action: keep regex: <span class="nb">true</span> - source_labels: <span class="o">[</span>__address__] target_label: __param_target - target_label: __address__ replacement: blackbox - source_labels: <span class="o">[</span>__param_target] target_label: instance - action: labelmap regex: __meta_kubernetes_service_label_<span class="o">(</span>.+<span class="o">)</span> - source_labels: <span class="o">[</span>__meta_kubernetes_namespace] target_label: namespace - source_labels: <span class="o">[</span>__meta_kubernetes_service_name] target_label: service <span class="c"># Example scrape config for pods</span> <span class="c">#</span> <span class="c"># The relabeling allows the actual pod scrape endpoint to be configured via the</span> <span class="c"># following annotations:</span> <span class="c">#</span> <span class="c"># * `prometheus.io/scrape`: Only scrape pods that have a value of `true`,</span> <span class="c"># except if `prometheus.io/scrape-slow` is set to `true` as well.</span> <span class="c"># * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need</span> <span class="c"># to set this to `https` &amp; most likely set the `tls_config` of the scrape config.</span> <span class="c"># * `prometheus.io/path`: If the metrics path is not `/metrics` override this.</span> <span class="c"># * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`.</span> - job_name: <span class="s1">'kubernetes-pods'</span> honor_labels: <span class="nb">true </span>kubernetes_sd_configs: - role: pod relabel_configs: - source_labels: <span class="o">[</span>__meta_kubernetes_pod_annotation_prometheus_io_scrape] action: keep regex: <span class="nb">true</span> - source_labels: <span class="o">[</span>__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow] action: drop regex: <span class="nb">true</span> - source_labels: <span class="o">[</span>__meta_kubernetes_pod_annotation_prometheus_io_scheme] action: replace regex: <span class="o">(</span>https?<span class="o">)</span> target_label: __scheme__ - source_labels: <span class="o">[</span>__meta_kubernetes_pod_annotation_prometheus_io_path] action: replace target_label: __metrics_path__ regex: <span class="o">(</span>.+<span class="o">)</span> - source_labels: <span class="o">[</span>__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip] action: replace regex: <span class="o">(</span><span class="se">\d</span>+<span class="o">)</span><span class="p">;</span><span class="o">(([</span>A-Fa-f0-9]<span class="o">{</span>1,4<span class="o">}</span>::?<span class="o">){</span>1,7<span class="o">}[</span>A-Fa-f0-9]<span class="o">{</span>1,4<span class="o">})</span> replacement: <span class="s1">'[$2]:$1'</span> target_label: __address__ - source_labels: <span class="o">[</span>__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip] action: replace regex: <span class="o">(</span><span class="se">\d</span>+<span class="o">)</span><span class="p">;</span><span class="o">((([</span>0-9]+?<span class="o">)(</span><span class="se">\.</span>|<span class="nv">$)</span><span class="o">){</span>4<span class="o">})</span> replacement: <span class="nv">$2</span>:<span class="nv">$1</span> target_label: __address__ - action: labelmap regex: __meta_kubernetes_pod_annotation_prometheus_io_param_<span class="o">(</span>.+<span class="o">)</span> replacement: __param_<span class="nv">$1</span> - action: labelmap regex: __meta_kubernetes_pod_label_<span class="o">(</span>.+<span class="o">)</span> - source_labels: <span class="o">[</span>__meta_kubernetes_namespace] action: replace target_label: namespace - source_labels: <span class="o">[</span>__meta_kubernetes_pod_name] action: replace target_label: pod - source_labels: <span class="o">[</span>__meta_kubernetes_pod_phase] regex: Pending|Succeeded|Failed|Completed action: drop <span class="c"># Example Scrape config for pods which should be scraped slower. An useful example</span> <span class="c"># would be stackriver-exporter which queries an API on every scrape of the pod</span> <span class="c">#</span> <span class="c"># The relabeling allows the actual pod scrape endpoint to be configured via the</span> <span class="c"># following annotations:</span> <span class="c">#</span> <span class="c"># * `prometheus.io/scrape-slow`: Only scrape pods that have a value of `true`</span> <span class="c"># * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need</span> <span class="c"># to set this to `https` &amp; most likely set the `tls_config` of the scrape config.</span> <span class="c"># * `prometheus.io/path`: If the metrics path is not `/metrics` override this.</span> <span class="c"># * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`.</span> - job_name: <span class="s1">'kubernetes-pods-slow'</span> honor_labels: <span class="nb">true </span>scrape_interval: 5m scrape_timeout: 30s kubernetes_sd_configs: - role: pod relabel_configs: - source_labels: <span class="o">[</span>__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow] action: keep regex: <span class="nb">true</span> - source_labels: <span class="o">[</span>__meta_kubernetes_pod_annotation_prometheus_io_scheme] action: replace regex: <span class="o">(</span>https?<span class="o">)</span> target_label: __scheme__ - source_labels: <span class="o">[</span>__meta_kubernetes_pod_annotation_prometheus_io_path] action: replace target_label: __metrics_path__ regex: <span class="o">(</span>.+<span class="o">)</span> - source_labels: <span class="o">[</span>__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip] action: replace regex: <span class="o">(</span><span class="se">\d</span>+<span class="o">)</span><span class="p">;</span><span class="o">(([</span>A-Fa-f0-9]<span class="o">{</span>1,4<span class="o">}</span>::?<span class="o">){</span>1,7<span class="o">}[</span>A-Fa-f0-9]<span class="o">{</span>1,4<span class="o">})</span> replacement: <span class="s1">'[$2]:$1'</span> target_label: __address__ - source_labels: <span class="o">[</span>__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip] action: replace regex: <span class="o">(</span><span class="se">\d</span>+<span class="o">)</span><span class="p">;</span><span class="o">((([</span>0-9]+?<span class="o">)(</span><span class="se">\.</span>|<span class="nv">$)</span><span class="o">){</span>4<span class="o">})</span> replacement: <span class="nv">$2</span>:<span class="nv">$1</span> target_label: __address__ - action: labelmap regex: __meta_kubernetes_pod_annotation_prometheus_io_param_<span class="o">(</span>.+<span class="o">)</span> replacement: __param_<span class="nv">$1</span> - action: labelmap regex: __meta_kubernetes_pod_label_<span class="o">(</span>.+<span class="o">)</span> - source_labels: <span class="o">[</span>__meta_kubernetes_namespace] action: replace target_label: namespace - source_labels: <span class="o">[</span>__meta_kubernetes_pod_name] action: replace target_label: pod - source_labels: <span class="o">[</span>__meta_kubernetes_pod_phase] regex: Pending|Succeeded|Failed|Completed action: drop <span class="c"># adds additional scrape configs to prometheus.yml</span> <span class="c"># must be a string so you have to add a | after extraScrapeConfigs:</span> <span class="c"># example adds prometheus-blackbox-exporter scrape config</span> extraScrapeConfigs: <span class="s2">""</span> <span class="c"># - job_name: 'prometheus-blackbox-exporter'</span> <span class="c"># metrics_path: /probe</span> <span class="c"># params:</span> <span class="c"># module: [http_2xx]</span> <span class="c"># static_configs:</span> <span class="c"># - targets:</span> <span class="c"># - https://example.com</span> <span class="c"># relabel_configs:</span> <span class="c"># - source_labels: [__address__]</span> <span class="c"># target_label: __param_target</span> <span class="c"># - source_labels: [__param_target]</span> <span class="c"># target_label: instance</span> <span class="c"># - target_label: __address__</span> <span class="c"># replacement: prometheus-blackbox-exporter:9115</span> <span class="c"># Adds option to add alert_relabel_configs to avoid duplicate alerts in alertmanager</span> <span class="c"># useful in H/A prometheus with different external labels but the same alerts</span> alertRelabelConfigs: <span class="o">{}</span> <span class="c"># alert_relabel_configs:</span> <span class="c"># - source_labels: [dc]</span> <span class="c"># regex: (.+)\d+</span> <span class="c"># target_label: dc</span> networkPolicy: <span class="c">## Enable creation of NetworkPolicy resources.</span> <span class="c">##</span> enabled: <span class="nb">false</span> <span class="c"># Force namespace of namespaced resources</span> forceNamespace: <span class="s2">""</span> <span class="c"># Extra manifests to deploy as an array</span> extraManifests: <span class="o">[]</span> <span class="c"># - apiVersion: v1</span> <span class="c"># kind: ConfigMap</span> <span class="c"># metadata:</span> <span class="c"># labels:</span> <span class="c"># name: prometheus-extra</span> <span class="c"># data:</span> <span class="c"># extra-data: "value"</span> <span class="c"># Configuration of subcharts defined in Chart.yaml</span> <span class="c">## alertmanager sub-chart configurable values</span> <span class="c">## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/alertmanager</span> <span class="c">##</span> alertmanager: <span class="c">## If false, alertmanager will not be installed</span> <span class="c">##</span> enabled: <span class="nb">true </span>persistence: size: 2Gi podSecurityContext: runAsUser: 65534 runAsNonRoot: <span class="nb">true </span>runAsGroup: 65534 fsGroup: 65534 <span class="c">## kube-state-metrics sub-chart configurable values</span> <span class="c">## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics</span> <span class="c">##</span> kube-state-metrics: <span class="c">## If false, kube-state-metrics sub-chart will not be installed</span> <span class="c">##</span> enabled: <span class="nb">true</span> <span class="c">## promtheus-node-exporter sub-chart configurable values</span> <span class="c">## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-node-exporter</span> <span class="c">##</span> prometheus-node-exporter: <span class="c">## If false, node-exporter will not be installed</span> <span class="c">##</span> enabled: <span class="nb">true </span>rbac: pspEnabled: <span class="nb">false </span>containerSecurityContext: allowPrivilegeEscalation: <span class="nb">false </span>affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux - key: kubernetes.io/arch operator: In values: - amd64 - arm64 - key: eks.amazonaws.com/compute-type operator: NotIn values: - fargate <span class="c">## pprometheus-pushgateway sub-chart configurable values</span> <span class="c">## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-pushgateway</span> <span class="c">##</span> prometheus-pushgateway: <span class="c">## If false, pushgateway will not be installed</span> <span class="c">##</span> enabled: <span class="nb">true</span> <span class="c"># Optional service annotations</span> serviceAnnotations: prometheus.io/probe: pushgateway </code></pre> </div> <p><strong>Note: you have to add nodeAffinity for node exporter</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p>affinity:<br> nodeAffinity:<br> requiredDuringSchedulingIgnoredDuringExecution:<br> nodeSelectorTerms:<br> - matchExpressions:<br> - key: kubernetes.io/os<br> operator: In<br> values:<br> - linux<br> - key: kubernetes.io/arch<br> operator: In<br> values:<br> - amd64<br> - arm64<br> - key: eks.amazonaws.com/compute-type<br> operator: NotIn<br> values:<br> - fargate</p> </code></pre> </div> <h2> <br> <br> <br> Ingress for prometheus url<br> </h2> <p>Lets add the ingress for prometheus in the following way-</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p>apiVersion: networking.k8s.io/v1<br> kind: Ingress<br> metadata:<br> annotations:<br> alb.ingress.kubernetes.io/actions.ssl-redirect: <span class="s1">'{"Type": "redirect", "RedirectConfig":<br> { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'</span><br> alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-1:2343668766434:certificate/c25d25f3-78ae-4197-a806-1882f6b947dc<br> alb.ingress.kubernetes.io/listen-ports: <span class="s1">'[{"HTTP": 80}, {"HTTPS":443}]'</span><br> alb.ingress.kubernetes.io/scheme: internet-facing<br> alb.ingress.kubernetes.io/success-codes: 200,404,301,302<br> alb.ingress.kubernetes.io/target-type: ip<br> finalizers:</p> <ul> <li>ingress.k8s.aws/resources name: prometheus-server namespace: prometheus spec: ingressClassName: alb rules:</li> <li>http: paths: <ul> <li>backend: service: name: prometheus-server port: number: 80 path: / pathType: Prefix</li> <li>backend: service: name: prometheus-server port: number: 80 path: / pathType: Prefix</li> </ul> </li> </ul> </code></pre> </div> <h2> <br> <br> <br> AWS Managed Grafana:<br> </h2> <p>Add this prometheus url as a datasource on grafana. </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fci8i5s10nfkol1k7bdbx.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fci8i5s10nfkol1k7bdbx.png" alt="Image description"></a></p> <p>That's it! . It's ready now to create dashboard. </p> eks kubernetes prometheus grafana M.M.Monirul Islam Mon, 23 May 2022 15:47:50 +0000 https://forem.com/monirul87/aws-eks-setup-with-eksctl-argo-cd-installation-configuration-deploy-app-with-argocd-kustomize-56pg https://forem.com/monirul87/aws-eks-setup-with-eksctl-argo-cd-installation-configuration-deploy-app-with-argocd-kustomize-56pg <h1> Setting up a production Kubernetes service on AWS EKS </h1> <p>The easiest way to create an EKS on AWS is to use eksctl. And it is recommended to create a bastion server in AWS and run it there rather than a laptop as the environment to run the eksctl cli. </p> <h2> Create AWS User </h2> <p>First, create an admin user so that it can be used programatically in AWS IAM, and obtain the AWS Access Key ID and AWS Secret Access Key of the user.</p> <h2> Create Bastion Server </h2> <p>Let's create a bastion server in AWS. Even if the instance type is t3.small, it is sufficient. </p> <h2> Install kubectl </h2> <p>Install kubectl of desired kubernetes version</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>curl <span class="nt">-o</span> kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.21.2/2021-07-05/bin/linux/amd64/kubectl <span class="nv">$ </span><span class="nb">chmod</span> +x ./kubectl <span class="nv">$ </span><span class="nb">mkdir</span> <span class="nt">-p</span> <span class="nv">$HOME</span>/bin <span class="o">&amp;&amp;</span> <span class="nb">cp</span> ./kubectl <span class="nv">$HOME</span>/bin/kubectl <span class="o">&amp;&amp;</span> <span class="nb">export </span><span class="nv">PATH</span><span class="o">=</span><span class="nv">$PATH</span>:<span class="nv">$HOME</span>/bin <span class="nv">$ </span><span class="nb">echo</span> <span class="s1">'export PATH=$PATH:$HOME/bin'</span> <span class="o">&gt;&gt;</span> ~/.bashrc <span class="nv">$ </span>kubectl version <span class="nt">--short</span> <span class="nt">--client</span> </code></pre> </div> <p>Reference link: <a href="https://docs.aws.amazon.com/eks/latest/userguide/install-kubectl.html" rel="noopener noreferrer">https://docs.aws.amazon.com/eks/latest/userguide/install-kubectl.html</a></p> <h2> Install aws cli </h2> <p>To use eksctl, We need to set the credential of the AWS user. </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>apt <span class="nb">install </span>unzip <span class="nv">$ </span>curl <span class="s2">"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"</span> <span class="nt">-o</span> <span class="s2">"awscliv2.zip"</span> <span class="nv">$ </span>unzip awscliv2.zip <span class="nv">$ </span>./aws/install </code></pre> </div> <p>Reference link to install the aws cli:<br> <a href="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" rel="noopener noreferrer">https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html</a></p> <h2> AWS cli configuration settings </h2> <p>Now set configuration in aws cli in the following way-</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>aws configure AWS Access Key ID <span class="o">[</span>None]: ~~~ AWS Secret Access Key <span class="o">[</span>None]: ~~~ Default region name <span class="o">[</span>None]: ap-southeast-1 Default output format <span class="o">[</span>None]: json </code></pre> </div> <p>Reference link: <a href="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html" rel="noopener noreferrer">https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html</a></p> <h2> Install eksctl cli </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>curl <span class="nt">--silent</span> <span class="nt">--location</span> <span class="s2">"https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_</span><span class="si">$(</span><span class="nb">uname</span> <span class="nt">-s</span><span class="si">)</span><span class="s2">_amd64.tar.gz"</span> | <span class="nb">tar </span>xz <span class="nt">-C</span> /tmp <span class="nv">$ </span><span class="nb">mv</span> /tmp/eksctl /usr/local/bin <span class="nv">$ </span>eksctl version 0.98.0 </code></pre> </div> <p>Reference link: <a href="https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html" rel="noopener noreferrer">https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html</a></p> <h2> Create EKS Cluster </h2> <p>Create EKS Cluster with eksctl cli.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>eksctl create cluster <span class="se">\</span> <span class="nt">--version</span> 1.21 <span class="se">\</span> <span class="nt">--name</span> eks-monirul-cluster <span class="se">\</span> <span class="nt">--vpc-nat-mode</span> HighlyAvailable <span class="se">\</span> <span class="nt">--node-private-networking</span> <span class="se">\</span> <span class="nt">--region</span> ap-southeast-1 <span class="se">\</span> <span class="nt">--node-type</span> t3.medium <span class="se">\</span> <span class="nt">--nodes</span> 2 <span class="se">\</span> <span class="nt">--with-oidc</span> <span class="se">\</span> <span class="nt">--ssh-access</span> <span class="se">\</span> <span class="nt">--ssh-public-key</span> monirul <span class="se">\</span> <span class="nt">--managed</span> </code></pre> </div> <p>Here,<br> <code>version</code>: the Kubernetes version to use</p> <p><code>vpc-nat-mode</code>: All outbounds of kubernetes go out through the nat gateway. The default option is single, so only one is created. In a development environment, it may not matter, but in production, we must use the <code>HighAvailable</code> option to create one for each subnet.</p> <p><code>node-private-networking</code>: If this option is not present, a node group is created in the public subnet. Use this option so that it is created in a private subnet for security.</p> <p><code>node-type</code>: the instance type of the node to be created</p> <p><code>nodes</code>: the number of nodes to be created</p> <p>Check if the cluster has been successfully created</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>kubectl get nodes <span class="nt">-o</span> wide </code></pre> </div> <h2> EKS security related settings </h2> <p>Up to this point, a Kubernets cluster is created in a secure way considering HA for commercial use. But for security, we need to do one more thing. The current state is that the cluster endpoint is allowed to be public.<br> <a href="https://aws.amazon.com/blogs/containers/de-mystifying-cluster-networking-for-amazon-eks-worker-nodes/" rel="noopener noreferrer">https://aws.amazon.com/blogs/containers/de-mystifying-cluster-networking-for-amazon-eks-worker-nodes/</a><br> <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html" rel="noopener noreferrer">https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html</a></p> <p>To restrict this, allow private access and modify kubernetes to issue commands only to the bastion server by limiting the CIDR block. Enter the public IPv4 address of the bastion server.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>eksctl utils update-cluster-endpoints <span class="nt">--cluster</span><span class="o">=</span>eks-monirul-cluster <span class="nt">--private-access</span><span class="o">=</span><span class="nb">true</span> <span class="nt">--public-access</span><span class="o">=</span><span class="nb">true</span> <span class="nt">--approve</span> <span class="nv">$ </span>eksctl utils set-public-access-cidrs <span class="nt">--cluster</span><span class="o">=</span>eks-monirul-cluster 1.1.1.1/32 <span class="nt">--approve</span> </code></pre> </div> <p>1.1.1.1/32 is the address of the bastion server.</p> <blockquote> <p>In fact, EKS Cluster creation can be created at once by creating a yaml file with the --dry-run option of eksctl and giving all options from creation to EKS security-related settings.</p> </blockquote> <p>Now, if we install Istio in the EKS Cluster created in this way and deploy the service, we can use it immediately.</p> <h1> Argo CD installation, setup &amp; deploy a simple app with kustomize </h1> <p>ArgoCD monitors changes in Kubernetes manifests managed by GitOps, and plays a role in maintaining the form deployed in the actual cluster in the same way.</p> <h2> Argo CD installation </h2> <p><a href="https://argo-cd.readthedocs.io/en/stable/getting_started/" rel="noopener noreferrer">https://argo-cd.readthedocs.io/en/stable/getting_started/</a><br> Install Argo CD on kubernetes cluster</p> <p>In production, install the HA version of the Argo CD.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>kubectl create namespace argocd <span class="nv">$ </span>kubectl apply <span class="nt">-n</span> argocd <span class="nt">-f</span> https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/ha/install.yaml </code></pre> </div> <h2> Install Argo CD CLI </h2> <p>Install Argo CD CLI</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>curl <span class="nt">-sSL</span> <span class="nt">-o</span> /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 <span class="nv">$ </span><span class="nb">chmod</span> +x /usr/local/bin/argocd </code></pre> </div> <h2> Argo CD service exposure </h2> <p>Argo CD does not expose the server to the outside by default. Change the service type to LoadBalancer as shown below and expose it to the outside.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>kubectl patch svc argocd-server <span class="nt">-n</span> argocd <span class="nt">-p</span> <span class="s1">'{"spec": {"type": "LoadBalancer"}}'</span> </code></pre> </div> <h2> Change admin password </h2> <p>Argo CD stores the initial password of the initial admin account as the secret of kubernetes. Get the password as below.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>kubectl <span class="nt">-n</span> argocd get secret argocd-initial-admin-secret <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.password}"</span> | <span class="nb">base64</span> <span class="nt">-d</span><span class="p">;</span> <span class="nb">echo </span>jaIyQ3MMuLnl6h0l </code></pre> </div> <p>Log in to Argo CD using the Argo CD CLI. First, get the address of the created Load Balancer.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>kubectl get svc argocd-server <span class="nt">-n</span> argocd </code></pre> </div> <p>And log in. Username is admin</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>argocd login &lt;ARGOCD_SERVER_DOMAIN/URL&gt; </code></pre> </div> <p>Update the password of the admin user after first login.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>argocd account update-password </code></pre> </div> <blockquote> <p>Argo CD polls the Git repository once every 3 minutes to check the difference from the actual kubernetes cluster. Therefore, if we are unlucky during distribution, we have to wait up to 3 minutes before Argo CD distributes the changed image. If we want to eliminate the delay caused by polling like this, we can create a webhook with Argo CD in the Git repository. Here is the link:<br> <a href="https://argo-cd.readthedocs.io/en/stable/operator-manual/webhook/" rel="noopener noreferrer">https://argo-cd.readthedocs.io/en/stable/operator-manual/webhook/</a></p> </blockquote> <p>And, usually Argo CD has only a specific IP inbound in the security group to prevent access except for internal developers or operators. At this time, if we have created a webhook as above, we must also open Github's webhook-related API inbound to the Argo CD's load balancer.</p> <blockquote> <p>The link below contains information about the IP address of GitHub,<br> <a href="https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses" rel="noopener noreferrer">https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses</a><br> We can check the IP that needs to be put in the actual inbound below. Just put the list in hooks.<br> <a href="https://api.github.com/meta" rel="noopener noreferrer">https://api.github.com/meta</a></p> </blockquote> <p>If we configure to send notification to Slack using Argo CD Notification, the development team can receive a notification when the deployment is not successful.</p> <p>There is also a way to set up the project by using the ApplicationSet of the Argo CD. If we used App of Apps in the past, a more advanced concept here is Application Sets.</p> <p><a href="https://opengitops.dev/" rel="noopener noreferrer">https://opengitops.dev/</a><br> <a href="https://github.com/open-gitops/documents" rel="noopener noreferrer">https://github.com/open-gitops/documents</a></p> <blockquote> <p>Currently, kustomize is used for configuration management of Kubernetes, and kustomize is deployed from Argo CD. If we are using branching in kustomize or helm, it might be helpful to read Stop Using Branches for Deploying to Different GitOps Environments.</p> </blockquote> <h2> Kustomize yaml- </h2> <p>kustomization.yaml</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namePrefix: kustomize-monirul- resources: - nginx-deployment.yaml - nginx-svc.yaml </code></pre> </div> <p>Deployment definition file: nginx-deployment.yaml</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx spec: replicas: 1 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx name: nginx </code></pre> </div> <p>Service definition file: nginx-svc.yaml</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p>apiVersion: v1<br> kind: Service<br> metadata:<br> labels:<br> app: nginx<br> name: nginx<br> spec:<br> ports:</p> <ul> <li>port: 80 protocol: TCP targetPort: 80 selector: app: nginx <span class="nb">type</span>: ClusterIP</li> </ul> </code></pre> </div> <h2> <br> <br> <br> ArgoCD configuration to deploy simple app:<br> </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F73eolgd2dt6kxyu6dkg3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F73eolgd2dt6kxyu6dkg3.png" alt="Image description"></a></p> <h2> Screenshot of Argo CD: </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3haq6q9pfy3u659d1rse.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3haq6q9pfy3u659d1rse.png" alt="Image description"></a></p> aws eks kubernetes argocd M.M.Monirul Islam Wed, 18 May 2022 15:32:59 +0000 https://forem.com/monirul87/provisioning-amazon-elastic-kubernetes-service-amazon-eks-with-terraform-5cd6 https://forem.com/monirul87/provisioning-amazon-elastic-kubernetes-service-amazon-eks-with-terraform-5cd6 <p>AWS EKS is a managed container service to run and scale Kubernetes applications in the cloud or on-premises.</p> <p>HashiCorp Terraform is an Infrastructure as Code (IaC) tool that lets us define both cloud and on-prem resources in human-readable configuration files that can version, reuse, and share.</p> <h2> Amazon EKS Cluster using Terraform: </h2> <p>This Repository will be used to keep infrastructure configuration for eks cluster</p> <h2> Prerequisite </h2> <ul> <li>AWS Account</li> <li>Terraform</li> <li>AWS CLI</li> </ul> <p>To configure AWS CLI, We need to enter AWS Access Key ID, Secret Access Key, region and output format. Please note proper privillage is required to create eks cluster resources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>aws configure AWS Access Key ID <span class="o">[</span>None]: AWS_ACCESS_KEY_ID AWS Secret Access Key <span class="o">[</span>None]: AWS_SECRET_ACCESS_KEY Default region name <span class="o">[</span>None]: AWS_REGION Default output format <span class="o">[</span>None]: json </code></pre> </div> <h2> Terraform Initial Setup Configuration </h2> <p>Need to create an AWS provider. It allows to interact with the AWS resources, such as VPC, EKS, S3, EC2, and many others.</p> <p><strong>providers.tf</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="o">{</span> required_version <span class="o">=</span> <span class="s2">"&gt;= 1.1.0"</span> required_providers <span class="o">{</span> aws <span class="o">=</span> <span class="o">{</span> <span class="nb">source</span> <span class="o">=</span> <span class="s2">"hashicorp/aws"</span> version <span class="o">=</span> <span class="s2">"~&gt; 4.0"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> provider <span class="s2">"aws"</span> <span class="o">{</span> region <span class="o">=</span> var.region access_key <span class="o">=</span> var.aws_access_key secret_key <span class="o">=</span> var.aws_secret_key <span class="c"># other options for authentication</span> <span class="o">}</span> </code></pre> </div> <h2> Terraform State Setup </h2> <p>Now, We need to create terraform backend to specify the location of the backend Terraform state file on S3.<br> Remote state is storing that state file remotely, rather than on my local filesystem.<br> <strong>backend.tf</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="o">{</span> backend <span class="s2">"s3"</span> <span class="o">{</span> bucket <span class="o">=</span> <span class="s2">"mondev-terraform-states"</span> key <span class="o">=</span> <span class="s2">"terraform-aws-eks-mondev.tfstate"</span> region <span class="o">=</span> <span class="s2">"ap-southeast-1"</span> encrypt <span class="o">=</span> <span class="nb">true</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Network Infrastructure Setup </h2> <p>Setting up the VPC, Subnets, Security Groups, etc.<br> Amazon EKS requires subnets must be in at least two different availability zones.</p> <ul> <li>AWS VPC (Virtual Private Cloud).</li> <li>Two public and two private Subnets in different availability zones.</li> <li>Internet Gateway to provide internet access for services within VPC.</li> <li>NAT Gateway in public subnets. It is used in private subnets to allow services to connect to the internet.</li> <li>Routing Tables and associate subnets with them. Add required routing rules.</li> <li>Security Groups and associate subnets with them. Add required routing rules.</li> </ul> <p><strong>vpc.tf</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># VPC</span> resource <span class="s2">"aws_vpc"</span> <span class="s2">"mondev"</span> <span class="o">{</span> cidr_block <span class="o">=</span> var.vpc_cidr enable_dns_hostnames <span class="o">=</span> <span class="nb">true </span>enable_dns_support <span class="o">=</span> <span class="nb">true </span>tags <span class="o">=</span> <span class="o">{</span> Name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-vpc"</span>, <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-cluster"</span> <span class="o">=</span> <span class="s2">"shared"</span> <span class="o">}</span> <span class="o">}</span> <span class="c"># Public Subnets</span> resource <span class="s2">"aws_subnet"</span> <span class="s2">"public"</span> <span class="o">{</span> count <span class="o">=</span> var.availability_zones_count vpc_id <span class="o">=</span> aws_vpc.mondev.id cidr_block <span class="o">=</span> cidrsubnet<span class="o">(</span>var.vpc_cidr, var.subnet_cidr_bits, count.index<span class="o">)</span> availability_zone <span class="o">=</span> data.aws_availability_zones.available.names[count.index] tags <span class="o">=</span> <span class="o">{</span> Name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-public-sg"</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-cluster"</span> <span class="o">=</span> <span class="s2">"shared"</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="o">=</span> 1 <span class="o">}</span> map_public_ip_on_launch <span class="o">=</span> <span class="nb">true</span> <span class="o">}</span> <span class="c"># Private Subnets</span> resource <span class="s2">"aws_subnet"</span> <span class="s2">"private"</span> <span class="o">{</span> count <span class="o">=</span> var.availability_zones_count vpc_id <span class="o">=</span> aws_vpc.mondev.id cidr_block <span class="o">=</span> cidrsubnet<span class="o">(</span>var.vpc_cidr, var.subnet_cidr_bits, count.index + var.availability_zones_count<span class="o">)</span> availability_zone <span class="o">=</span> data.aws_availability_zones.available.names[count.index] tags <span class="o">=</span> <span class="o">{</span> Name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-private-sg"</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-cluster"</span> <span class="o">=</span> <span class="s2">"shared"</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="o">=</span> 1 <span class="o">}</span> <span class="o">}</span> <span class="c"># Internet Gateway</span> resource <span class="s2">"aws_internet_gateway"</span> <span class="s2">"mondev"</span> <span class="o">{</span> vpc_id <span class="o">=</span> aws_vpc.mondev.id tags <span class="o">=</span> <span class="o">{</span> <span class="s2">"Name"</span> <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-igw"</span> <span class="o">}</span> depends_on <span class="o">=</span> <span class="o">[</span>aws_vpc.mondev] <span class="o">}</span> <span class="c"># Route Table(s)</span> <span class="c"># Route the public subnet traffic through the IGW</span> resource <span class="s2">"aws_route_table"</span> <span class="s2">"main"</span> <span class="o">{</span> vpc_id <span class="o">=</span> aws_vpc.mondev.id route <span class="o">{</span> cidr_block <span class="o">=</span> <span class="s2">"0.0.0.0/0"</span> gateway_id <span class="o">=</span> aws_internet_gateway.mondev.id <span class="o">}</span> tags <span class="o">=</span> <span class="o">{</span> Name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-Default-rt"</span> <span class="o">}</span> <span class="o">}</span> <span class="c"># Route table and subnet associations</span> resource <span class="s2">"aws_route_table_association"</span> <span class="s2">"internet_access"</span> <span class="o">{</span> count <span class="o">=</span> var.availability_zones_count subnet_id <span class="o">=</span> aws_subnet.public[count.index].id route_table_id <span class="o">=</span> aws_route_table.main.id <span class="o">}</span> <span class="c"># NAT Elastic IP</span> resource <span class="s2">"aws_eip"</span> <span class="s2">"main"</span> <span class="o">{</span> vpc <span class="o">=</span> <span class="nb">true </span>tags <span class="o">=</span> <span class="o">{</span> Name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-ngw-ip"</span> <span class="o">}</span> <span class="o">}</span> <span class="c"># NAT Gateway</span> resource <span class="s2">"aws_nat_gateway"</span> <span class="s2">"main"</span> <span class="o">{</span> allocation_id <span class="o">=</span> aws_eip.main.id subnet_id <span class="o">=</span> aws_subnet.public[0].id tags <span class="o">=</span> <span class="o">{</span> Name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-ngw"</span> <span class="o">}</span> <span class="o">}</span> <span class="c"># Add route to route table</span> resource <span class="s2">"aws_route"</span> <span class="s2">"main"</span> <span class="o">{</span> route_table_id <span class="o">=</span> aws_vpc.mondev.default_route_table_id nat_gateway_id <span class="o">=</span> aws_nat_gateway.main.id destination_cidr_block <span class="o">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="o">}</span> <span class="c"># Security group for public subnet</span> resource <span class="s2">"aws_security_group"</span> <span class="s2">"public_sg"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-Public-sg"</span> vpc_id <span class="o">=</span> aws_vpc.mondev.id tags <span class="o">=</span> <span class="o">{</span> Name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-Public-sg"</span> <span class="o">}</span> <span class="o">}</span> <span class="c"># Security group traffic rules</span> resource <span class="s2">"aws_security_group_rule"</span> <span class="s2">"sg_ingress_public_443"</span> <span class="o">{</span> security_group_id <span class="o">=</span> aws_security_group.public_sg.id <span class="nb">type</span> <span class="o">=</span> <span class="s2">"ingress"</span> from_port <span class="o">=</span> 443 to_port <span class="o">=</span> 443 protocol <span class="o">=</span> <span class="s2">"tcp"</span> cidr_blocks <span class="o">=</span> <span class="o">[</span><span class="s2">"0.0.0.0/0"</span><span class="o">]</span> <span class="o">}</span> resource <span class="s2">"aws_security_group_rule"</span> <span class="s2">"sg_ingress_public_80"</span> <span class="o">{</span> security_group_id <span class="o">=</span> aws_security_group.public_sg.id <span class="nb">type</span> <span class="o">=</span> <span class="s2">"ingress"</span> from_port <span class="o">=</span> 80 to_port <span class="o">=</span> 80 protocol <span class="o">=</span> <span class="s2">"tcp"</span> cidr_blocks <span class="o">=</span> <span class="o">[</span><span class="s2">"0.0.0.0/0"</span><span class="o">]</span> <span class="o">}</span> resource <span class="s2">"aws_security_group_rule"</span> <span class="s2">"sg_egress_public"</span> <span class="o">{</span> security_group_id <span class="o">=</span> aws_security_group.public_sg.id <span class="nb">type</span> <span class="o">=</span> <span class="s2">"egress"</span> from_port <span class="o">=</span> 0 to_port <span class="o">=</span> 0 protocol <span class="o">=</span> <span class="s2">"-1"</span> cidr_blocks <span class="o">=</span> <span class="o">[</span><span class="s2">"0.0.0.0/0"</span><span class="o">]</span> <span class="o">}</span> <span class="c"># Security group for data plane</span> resource <span class="s2">"aws_security_group"</span> <span class="s2">"data_plane_sg"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-Worker-sg"</span> vpc_id <span class="o">=</span> aws_vpc.mondev.id tags <span class="o">=</span> <span class="o">{</span> Name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-Worker-sg"</span> <span class="o">}</span> <span class="o">}</span> <span class="c"># Security group traffic rules</span> resource <span class="s2">"aws_security_group_rule"</span> <span class="s2">"nodes"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"Allow nodes to communicate with each other"</span> security_group_id <span class="o">=</span> aws_security_group.data_plane_sg.id <span class="nb">type</span> <span class="o">=</span> <span class="s2">"ingress"</span> from_port <span class="o">=</span> 0 to_port <span class="o">=</span> 65535 protocol <span class="o">=</span> <span class="s2">"-1"</span> cidr_blocks <span class="o">=</span> flatten<span class="o">([</span>cidrsubnet<span class="o">(</span>var.vpc_cidr, var.subnet_cidr_bits, 0<span class="o">)</span>, cidrsubnet<span class="o">(</span>var.vpc_cidr, var.subnet_cidr_bits, 1<span class="o">)</span>, cidrsubnet<span class="o">(</span>var.vpc_cidr, var.subnet_cidr_bits, 2<span class="o">)</span>, cidrsubnet<span class="o">(</span>var.vpc_cidr, var.subnet_cidr_bits, 3<span class="o">)])</span> <span class="o">}</span> resource <span class="s2">"aws_security_group_rule"</span> <span class="s2">"nodes_inbound"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"Allow worker Kubelets and pods to receive communication from the cluster control plane"</span> security_group_id <span class="o">=</span> aws_security_group.data_plane_sg.id <span class="nb">type</span> <span class="o">=</span> <span class="s2">"ingress"</span> from_port <span class="o">=</span> 1025 to_port <span class="o">=</span> 65535 protocol <span class="o">=</span> <span class="s2">"tcp"</span> cidr_blocks <span class="o">=</span> flatten<span class="o">([</span>cidrsubnet<span class="o">(</span>var.vpc_cidr, var.subnet_cidr_bits, 2<span class="o">)</span>, cidrsubnet<span class="o">(</span>var.vpc_cidr, var.subnet_cidr_bits, 3<span class="o">)])</span> <span class="c"># cidr_blocks = flatten([var.private_subnet_cidr_blocks])</span> <span class="o">}</span> resource <span class="s2">"aws_security_group_rule"</span> <span class="s2">"node_outbound"</span> <span class="o">{</span> security_group_id <span class="o">=</span> aws_security_group.data_plane_sg.id <span class="nb">type</span> <span class="o">=</span> <span class="s2">"egress"</span> from_port <span class="o">=</span> 0 to_port <span class="o">=</span> 0 protocol <span class="o">=</span> <span class="s2">"-1"</span> cidr_blocks <span class="o">=</span> <span class="o">[</span><span class="s2">"0.0.0.0/0"</span><span class="o">]</span> <span class="o">}</span> <span class="c"># Security group for control plane</span> resource <span class="s2">"aws_security_group"</span> <span class="s2">"control_plane_sg"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-ControlPlane-sg"</span> vpc_id <span class="o">=</span> aws_vpc.mondev.id tags <span class="o">=</span> <span class="o">{</span> Name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-ControlPlane-sg"</span> <span class="o">}</span> <span class="o">}</span> <span class="c"># Security group traffic rules</span> resource <span class="s2">"aws_security_group_rule"</span> <span class="s2">"control_plane_inbound"</span> <span class="o">{</span> security_group_id <span class="o">=</span> aws_security_group.control_plane_sg.id <span class="nb">type</span> <span class="o">=</span> <span class="s2">"ingress"</span> from_port <span class="o">=</span> 0 to_port <span class="o">=</span> 65535 protocol <span class="o">=</span> <span class="s2">"tcp"</span> cidr_blocks <span class="o">=</span> flatten<span class="o">([</span>cidrsubnet<span class="o">(</span>var.vpc_cidr, var.subnet_cidr_bits, 0<span class="o">)</span>, cidrsubnet<span class="o">(</span>var.vpc_cidr, var.subnet_cidr_bits, 1<span class="o">)</span>, cidrsubnet<span class="o">(</span>var.vpc_cidr, var.subnet_cidr_bits, 2<span class="o">)</span>, cidrsubnet<span class="o">(</span>var.vpc_cidr, var.subnet_cidr_bits, 3<span class="o">)])</span> <span class="c"># cidr_blocks = flatten([var.private_subnet_cidr_blocks, var.public_subnet_cidr_blocks])</span> <span class="o">}</span> resource <span class="s2">"aws_security_group_rule"</span> <span class="s2">"control_plane_outbound"</span> <span class="o">{</span> security_group_id <span class="o">=</span> aws_security_group.control_plane_sg.id <span class="nb">type</span> <span class="o">=</span> <span class="s2">"egress"</span> from_port <span class="o">=</span> 0 to_port <span class="o">=</span> 65535 protocol <span class="o">=</span> <span class="s2">"-1"</span> cidr_blocks <span class="o">=</span> <span class="o">[</span><span class="s2">"0.0.0.0/0"</span><span class="o">]</span> <span class="o">}</span> </code></pre> </div> <h1> EKS Cluster Setup </h1> <p>Creating EKS cluster. Kubernetes clusters managed by Amazon EKS make calls to other AWS services on your behalf to manage the resources that we use with the service. For example, EKS will create an Auto Scaling Groups for each instance group if we use managed nodes.</p> <p>Setting up the IAM Roles and Policies for EKS: EKS requires a few IAM Roles with relevant Policies to be pre-defined to operate correctly.</p> <p><strong>IAM Role:</strong> Create Role with the needed permissions that Amazon EKS will use to create AWS resources for Kubernetes clusters and interact with AWS APIs.</p> <p><strong>IAM Policy:</strong> Attach the trusted Policy (AmazonEKSClusterPolicy) which will allow Amazon EKS to assume and use this role.</p> <p><strong>eks-cluster.tf</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># EKS Cluster</span> resource <span class="s2">"aws_eks_cluster"</span> <span class="s2">"mondev"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-cluster"</span> role_arn <span class="o">=</span> aws_iam_role.cluster.arn version <span class="o">=</span> <span class="s2">"1.22"</span> vpc_config <span class="o">{</span> <span class="c"># security_group_ids = [aws_security_group.eks_cluster.id, aws_security_group.eks_nodes.id] # already applied to subnet</span> subnet_ids <span class="o">=</span> flatten<span class="o">([</span>aws_subnet.public[<span class="k">*</span><span class="o">]</span>.id, aws_subnet.private[<span class="k">*</span><span class="o">]</span>.id]<span class="o">)</span> endpoint_private_access <span class="o">=</span> <span class="nb">true </span>endpoint_public_access <span class="o">=</span> <span class="nb">true </span>public_access_cidrs <span class="o">=</span> <span class="o">[</span><span class="s2">"0.0.0.0/0"</span><span class="o">]</span> <span class="o">}</span> tags <span class="o">=</span> merge<span class="o">(</span> var.tags <span class="o">)</span> depends_on <span class="o">=</span> <span class="o">[</span> aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy <span class="o">]</span> <span class="o">}</span> <span class="c"># EKS Cluster IAM Role</span> resource <span class="s2">"aws_iam_role"</span> <span class="s2">"cluster"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-Cluster-Role"</span> assume_role_policy <span class="o">=</span> <span class="o">&lt;&lt;</span><span class="no">POLICY</span><span class="sh"> { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "eks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } </span><span class="no">POLICY </span><span class="o">}</span> resource <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"cluster_AmazonEKSClusterPolicy"</span> <span class="o">{</span> policy_arn <span class="o">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"</span> role <span class="o">=</span> aws_iam_role.cluster.name <span class="o">}</span> <span class="c"># EKS Cluster Security Group</span> resource <span class="s2">"aws_security_group"</span> <span class="s2">"eks_cluster"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-cluster-sg"</span> description <span class="o">=</span> <span class="s2">"Cluster communication with worker nodes"</span> vpc_id <span class="o">=</span> aws_vpc.mondev.id tags <span class="o">=</span> <span class="o">{</span> Name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-cluster-sg"</span> <span class="o">}</span> <span class="o">}</span> resource <span class="s2">"aws_security_group_rule"</span> <span class="s2">"cluster_inbound"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"Allow worker nodes to communicate with the cluster API Server"</span> from_port <span class="o">=</span> 443 protocol <span class="o">=</span> <span class="s2">"tcp"</span> security_group_id <span class="o">=</span> aws_security_group.eks_cluster.id source_security_group_id <span class="o">=</span> aws_security_group.eks_nodes.id to_port <span class="o">=</span> 443 <span class="nb">type</span> <span class="o">=</span> <span class="s2">"ingress"</span> <span class="o">}</span> resource <span class="s2">"aws_security_group_rule"</span> <span class="s2">"cluster_outbound"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"Allow cluster API Server to communicate with the worker nodes"</span> from_port <span class="o">=</span> 1024 protocol <span class="o">=</span> <span class="s2">"tcp"</span> security_group_id <span class="o">=</span> aws_security_group.eks_cluster.id source_security_group_id <span class="o">=</span> aws_security_group.eks_nodes.id to_port <span class="o">=</span> 65535 <span class="nb">type</span> <span class="o">=</span> <span class="s2">"egress"</span> </code></pre> </div> <h2> Node Groups (Managed) Setup </h2> <p>Creating a Node Group(s) to run application workload.<br> <strong>IAM Role:</strong> Similar to the EKS cluster, before we create worker node group, we must create IAM role with needed permissions for the node group to communicate with other AWS services.</p> <p><strong>IAM Policy:</strong> Attach the trusted Policy (AmazonEKSWorkerNodePolicy) which will allow amazon EC2 to assume and using this role. Also, attach the AWS managed permission Policy (AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly).</p> <p><strong>node-groups.tf</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># EKS Node Groups</span> resource <span class="s2">"aws_eks_node_group"</span> <span class="s2">"mondev"</span> <span class="o">{</span> cluster_name <span class="o">=</span> aws_eks_cluster.mondev.name node_group_name <span class="o">=</span> var.project node_role_arn <span class="o">=</span> aws_iam_role.node.arn subnet_ids <span class="o">=</span> aws_subnet.private[<span class="k">*</span><span class="o">]</span>.id scaling_config <span class="o">{</span> desired_size <span class="o">=</span> 2 max_size <span class="o">=</span> 5 min_size <span class="o">=</span> 1 <span class="o">}</span> ami_type <span class="o">=</span> <span class="s2">"AL2_x86_64"</span> <span class="c"># AL2_x86_64, AL2_x86_64_GPU, AL2_ARM_64, CUSTOM</span> capacity_type <span class="o">=</span> <span class="s2">"ON_DEMAND"</span> <span class="c"># ON_DEMAND, SPOT</span> disk_size <span class="o">=</span> 20 instance_types <span class="o">=</span> <span class="o">[</span><span class="s2">"t2.medium"</span><span class="o">]</span> tags <span class="o">=</span> merge<span class="o">(</span> var.tags <span class="o">)</span> depends_on <span class="o">=</span> <span class="o">[</span> aws_iam_role_policy_attachment.node_AmazonEKSWorkerNodePolicy, aws_iam_role_policy_attachment.node_AmazonEKS_CNI_Policy, aws_iam_role_policy_attachment.node_AmazonEC2ContainerRegistryReadOnly, <span class="o">]</span> <span class="o">}</span> <span class="c"># EKS Node IAM Role</span> resource <span class="s2">"aws_iam_role"</span> <span class="s2">"node"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-Worker-Role"</span> assume_role_policy <span class="o">=</span> <span class="o">&lt;&lt;</span><span class="no">POLICY</span><span class="sh"> { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } </span><span class="no">POLICY </span><span class="o">}</span> resource <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"node_AmazonEKSWorkerNodePolicy"</span> <span class="o">{</span> policy_arn <span class="o">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"</span> role <span class="o">=</span> aws_iam_role.node.name <span class="o">}</span> resource <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"node_AmazonEKS_CNI_Policy"</span> <span class="o">{</span> policy_arn <span class="o">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"</span> role <span class="o">=</span> aws_iam_role.node.name <span class="o">}</span> resource <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"node_AmazonEC2ContainerRegistryReadOnly"</span> <span class="o">{</span> policy_arn <span class="o">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"</span> role <span class="o">=</span> aws_iam_role.node.name <span class="o">}</span> <span class="c"># EKS Node Security Group</span> resource <span class="s2">"aws_security_group"</span> <span class="s2">"eks_nodes"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-node-sg"</span> description <span class="o">=</span> <span class="s2">"Security group for all nodes in the cluster"</span> vpc_id <span class="o">=</span> aws_vpc.mondev.id egress <span class="o">{</span> from_port <span class="o">=</span> 0 to_port <span class="o">=</span> 0 protocol <span class="o">=</span> <span class="s2">"-1"</span> cidr_blocks <span class="o">=</span> <span class="o">[</span><span class="s2">"0.0.0.0/0"</span><span class="o">]</span> <span class="o">}</span> tags <span class="o">=</span> <span class="o">{</span> Name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-node-sg"</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="nv">var</span><span class="p">.project</span><span class="k">}</span><span class="s2">-cluster"</span> <span class="o">=</span> <span class="s2">"owned"</span> <span class="o">}</span> <span class="o">}</span> resource <span class="s2">"aws_security_group_rule"</span> <span class="s2">"nodes_internal"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"Allow nodes to communicate with each other"</span> from_port <span class="o">=</span> 0 protocol <span class="o">=</span> <span class="s2">"-1"</span> security_group_id <span class="o">=</span> aws_security_group.eks_nodes.id source_security_group_id <span class="o">=</span> aws_security_group.eks_nodes.id to_port <span class="o">=</span> 65535 <span class="nb">type</span> <span class="o">=</span> <span class="s2">"ingress"</span> <span class="o">}</span> resource <span class="s2">"aws_security_group_rule"</span> <span class="s2">"nodes_cluster_inbound"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"Allow worker Kubelets and pods to receive communication from the cluster control plane"</span> from_port <span class="o">=</span> 1025 protocol <span class="o">=</span> <span class="s2">"tcp"</span> security_group_id <span class="o">=</span> aws_security_group.eks_nodes.id source_security_group_id <span class="o">=</span> aws_security_group.eks_cluster.id to_port <span class="o">=</span> 65535 <span class="nb">type</span> <span class="o">=</span> <span class="s2">"ingress"</span> <span class="o">}</span> </code></pre> </div> <h2> Terraform Variables </h2> <p>Creating IAM user with administrator access to the AWS account, and get access key and secret key for authentication.<br> <strong>variables.tf</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>variable <span class="s2">"aws_access_key"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"AWS access key"</span> <span class="nb">type</span> <span class="o">=</span> string <span class="o">}</span> variable <span class="s2">"aws_secret_key"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"AWS secret key"</span> <span class="nb">type</span> <span class="o">=</span> string <span class="o">}</span> variable <span class="s2">"region"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"The aws region. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html"</span> <span class="nb">type</span> <span class="o">=</span> string default <span class="o">=</span> <span class="s2">"ap-southeast-1"</span> <span class="o">}</span> variable <span class="s2">"availability_zones_count"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"The number of AZs."</span> <span class="nb">type</span> <span class="o">=</span> number default <span class="o">=</span> 2 <span class="o">}</span> variable <span class="s2">"project"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"MonirulProject"</span> <span class="nb">type</span> <span class="o">=</span> string <span class="o">}</span> variable <span class="s2">"vpc_cidr"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden"</span> <span class="nb">type</span> <span class="o">=</span> string default <span class="o">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="o">}</span> variable <span class="s2">"subnet_cidr_bits"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"The number of subnet bits for the CIDR. For example, specifying a value 8 for this parameter will create a CIDR with a mask of /24."</span> <span class="nb">type</span> <span class="o">=</span> number default <span class="o">=</span> 8 <span class="o">}</span> variable <span class="s2">"tags"</span> <span class="o">{</span> description <span class="o">=</span> <span class="s2">"A map of tags to add to all resources"</span> <span class="nb">type</span> <span class="o">=</span> map<span class="o">(</span>string<span class="o">)</span> default <span class="o">=</span> <span class="o">{</span> <span class="s2">"Project"</span> <span class="o">=</span> <span class="s2">"MonirulProject"</span> <span class="s2">"Environment"</span> <span class="o">=</span> <span class="s2">"Development"</span> <span class="s2">"Owner"</span> <span class="o">=</span> <span class="s2">"Monirul"</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Set terraform variables values as per requirements.<br> <strong>terraform.tfvars</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws_access_key <span class="o">=</span> <span class="s2">"aaaaaaaaaaaaaa"</span> aws_secret_key <span class="o">=</span> <span class="s2">"bbbbbbbbbbbbbbbbbbbbb"</span> region <span class="o">=</span> <span class="s2">"ap-southeast-1"</span> availability_zones_count <span class="o">=</span> 2 project <span class="o">=</span> <span class="s2">"MonirulProject"</span> vpc_cidr <span class="o">=</span> <span class="s2">"10.0.0.0/16"</span> subnet_cidr_bits <span class="o">=</span> 8 </code></pre> </div> <p>And, terraform data sources as well.<br> <strong>data-sources.tf</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>data <span class="s2">"aws_availability_zones"</span> <span class="s2">"available"</span> <span class="o">{</span> state <span class="o">=</span> <span class="s2">"available"</span> <span class="o">}</span> </code></pre> </div> <h2> Launch EKS Infrastructure </h2> <p>Once we have finished declaring the resources, we can deploy all resources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>terraform init <span class="nv">$ </span>terraform plan <span class="nv">$ </span>terraform apply </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd0vi5qdkankiu27uynh8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd0vi5qdkankiu27uynh8.png" alt="Image description" width="800" height="318"></a></p> <h3> Output </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>terraform output </code></pre> </div> <h2> Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Cluster |-- README.md |-- backend.tf |-- data-sources.tf |-- eks-cluster.tf |-- node-groups.tf |-- outputs.tf |-- providers.tf |-- terraform.tfvars |-- variables.tf |-- vpc.tf </code></pre> </div> <h2> Access Cluster and create different namespace if required </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws eks <span class="nt">--region</span> ap-southeast-1 update-kubeconfig <span class="nt">--name</span> MonirulProject-cluster kubectl create ns dev <span class="o">&amp;&amp;</span> kubectl create ns stg <span class="o">&amp;&amp;</span> kubectl create ns prd </code></pre> </div> <h2> Availability zone (Pod Topology) </h2> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nbhqjyld4cpyajs9plk.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nbhqjyld4cpyajs9plk.png" alt="Image description" width="800" height="148"></a> </p> <h2> Clean up workspace </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>terraform destroy </code></pre> </div> <h2> Workspaces for multiple environments </h2> <p>To manage multiple distinct sets of infrastructure resources/environments.<br> Instead of creating a new directory for each environment to manage we need to just create workspace and use them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>terraform workspace new dev <span class="nv">$ </span>terraform workspace new stg <span class="nv">$ </span>terraform workspace new prd <span class="nv">$ </span>terraform workspace list </code></pre> </div> aws eks kubernetes terraform M.M.Monirul Islam Mon, 09 May 2022 09:00:50 +0000 https://forem.com/monirul87/auto-scale-kubernetes-pods-for-microservices-3761 https://forem.com/monirul87/auto-scale-kubernetes-pods-for-microservices-3761 <p>In Kubernetes, autoscaling prevents over provisioning resources for microservices running in a cluster. Here is the procedure to set up horizontal and vertical scaling.</p> <p>In Kubernetes, cluster capacity planning is critical to avoid overprovisioned or under provisioned infrastructure. IT admins need a reliable and cost-effective way to maintain operational clusters and pods in high-load situations and to scale infrastructure automatically to meet resource requirements.</p> <p>We know that, Kubernetes supports 3 different types of autoscaling:</p> <p><strong>1. Vertical Pod Autoscaler (VPA)</strong>. Increases or decreases the resource limits on the pod.<br> <strong>2. Horizontal Pod Autoscaler (HPA)</strong>. Increases or decreases the number of pod instances.<br> <strong>3. Cluster Autoscaler (CA).</strong> Increases or decreases the nodes in the node pool, based on pod<br> scheduling.</p> <p>I’m going to focuses on the Horizontal and Vertical options, as I will be working on a pod level, not a node level.</p> <h2> Set up a microservice in a Kubernetes cluster: </h2> <p>To get started, let's create a <strong>REST API</strong> to deploy as a microservice in containers on Kubernetes. To take this deeper, we can first <strong>create the REST API</strong> -- written in Go, as presented below -- which deploys a microservice on Kubernetes. Save the below content in a file named <strong>deployment.yml</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apiVersion: apps/v1 kind: Deployment metadata: name: microsvcmonirul namespace: monirul spec: selector: matchLabels: run: microsvcmonirul replicas: 1 template: metadata: labels: run: microsvcmonirul spec: containers: - name: microsvcmonirul image: <span class="s2">"monirul87/microsvcmonirul-1.0.3"</span> ports: - containerPort: 8080 resources: requests: memory: <span class="s2">"64Mi"</span> cpu: <span class="s2">"125m"</span> limits: memory: <span class="s2">"128Mi"</span> cpu: <span class="s2">"250m"</span> <span class="nt">---</span> apiVersion: v1 kind: Service metadata: name: microsvcmonirul namespace: monirul labels: run: microsvcmonirul spec: ports: - port: 8087 targetPort: 8080 selector: run: microsvcmonirul </code></pre> </div> <p>Now, run the following command to deploy the microservice into the Kubernetes cluster:<br> <code>[root@kmaster microservice]# kubectl apply -f deployment.yml<br> </code><br> Once complete, the new pod will start up in the cluster as shown below-<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs0fh2odafllrsc9q2qsr.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs0fh2odafllrsc9q2qsr.png" alt="Image description" width="800" height="255"></a></p> <p>To access the microservice's operational activity, expose the service ports to the public ip,</p> <p><code>[root@kmaster microservice]# kubectl patch svc microsvcmonirul -n<br> monirul -p '{"spec": {"type": "LoadBalancer",<br> "externalIPs":["149.20.184.84"]}}'</code></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2j9uwj2jsvezf3mpzlpo.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2j9uwj2jsvezf3mpzlpo.png" alt="Image description" width="800" height="80"></a></p> <p>If I try to access the Golang REST API from my browser, it will return the expected results below seen-<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8hp466eembauvb95ohdb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8hp466eembauvb95ohdb.png" alt="Image description" width="800" height="256"></a></p> <p>Now that the application is running as a microservice in a Kubernetes cluster, let's auto scale my application horizontally in response to a sudden increase or decrease in resource demand</p> <h2> Horizontal Pod Autoscaler (HPA) </h2> <p>The HPA scales the number of pods in a deployment based on a custom metric or a resource metric of a pod. Kubernetes admins can also use it to set thresholds that trigger autoscaling through changes to the number of pod replicas inside a deployment controller.</p> <p>For example, if there is a sustained spike in CPU utilization above a designated threshold, the HPA will increase the number of pods in the deployment to manage the new load to maintain smooth application function.</p> <p>To configure the HPA controller to manage a workload, create a <strong>HorizontalPodAutoscaler</strong> object. Or, HPA can also be configured with the <strong>kubectl autoscale</strong> subcommand. Here I’m going to use subcommand-<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> apiVersion: autoscaling/v1 kind: HorizontalPodAutoscaler metadata: name: microsvcmonirul namespace: monirul spec: maxReplicas: 10 minReplicas: 1 scaleTargetRef: apiVersion: extensions/v1beta1 kind: Deployment name: microsvcmonirul targetCPUUtilizationPercentage: 50 </code></pre> </div> <p>Using the following subcommand to create an autoscaling CPU deployment,</p> <p><code>[root@kmaster microservice]# kubectl autoscale deployment<br> microsvcmonirul -n monirul --cpu-percent=50 --min=1 --max=4</code></p> <p>This will increase pods to a maximum of four replicas when the microservice deployment observes more than 50% CPU utilization over a sustained period.</p> <p>To check the HPA status with namespace monirul, run the <code>kubectl get hpa -n monirul</code> command, which will give us the current and target CPU consumption. Initially an ''unknown'' value can appear in the current state, but with time to pull metrics, the server and percentage utilization will start to appear.</p> <p>For a detailed HPA status, use the <strong>describe</strong> command to find details such as metrics, events and conditions.</p> <p><code>kubectl describe hpa -n monirul</code><br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5lxnjnj0b87tbty95bud.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5lxnjnj0b87tbty95bud.png" alt="Image description" width="800" height="309"></a></p> <p>The above microservice running in a single pod has less than 50% CPU utilization, there is no need to auto scale the pods.</p> <h2> Trigger microservice autoscaling by applying load </h2> <p>To introduce load on the application, we use a BusyBox image in a container, which will run a shell script to make infinite calls to the REST endpoint created in the previous microservice. BusyBox is a lightweight image of many common Unix utilities -- like <strong>wget</strong> -- which we use to put stress on the microservice. This stress increases the resource consumption on the pods.</p> <p>Save the following YAML configuration to a file named <strong>infinite-calls-monirul.yaml</strong>. At the bottom of the code, the <strong>wget</strong> command calls the REST API on an infinite <strong>while loop</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apiVersion: apps/v1 kind: Deployment metadata: name: infinite-calls-monirul namespace: monirul labels: app: infinite-calls-monirul spec: replicas: 1 selector: matchLabels: app: infinite-calls-monirul template: <span class="k">done</span><span class="s2">" metadata: name: infinite-calls-monirul labels: app: infinite-calls-monirul spec: containers: - name: infinite-calls-monirul image: busybox command: - /bin/sh - -c - "</span><span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>wget <span class="nt">-q</span> <span class="nt">-O-</span> http://149.20.184.84:8087/employee<span class="p">;</span> </code></pre> </div> <p>Deploy this YAML configuration with the <code>kubectl apply -f infinite-calls-monirul.yml</code> command.</p> <p>Once the container is active, run a <strong>/bin/sh</strong> shell on the container using the <code>kubectl exec -it &lt;CONTAINER_NAME&gt; sh</code> command to verify that a process is running and performing web requests to the REST endpoint infinitely. These infinite calls introduce load on the application and result in processor time on the container hosting this web application.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5a2tixtukrfcmfwexlke.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5a2tixtukrfcmfwexlke.png" alt="Image description" width="800" height="290"></a><br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxy8ysd03jborgfy60jmz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxy8ysd03jborgfy60jmz.png" alt="Image description" width="800" height="107"></a></p> <p>After a few minutes of running under this load, the HPA begins to observe an increase in current CPU utilization and auto scales to manage the incoming load. It creates the maximum number of pods to maintain CPU below that 50% -- that is why the replica count is now four, which is the maximum.<br> <code>kubectl get hpa -w -n monirul</code></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgx947ebb0leq503xlruy.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgx947ebb0leq503xlruy.png" alt="Image description" width="800" height="109"></a></p> <p>To see the detailed events and activity of the HPA, run the following command and observe the highlighted section below for the events and autoscaling triggers.<br> <code>kubectl describe hpa -n monirul</code><br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2my6656hnwi6f6zkkg91.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2my6656hnwi6f6zkkg91.png" alt="Image description" width="800" height="143"></a> <br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F44p7xs7dqrej27r5xcxc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F44p7xs7dqrej27r5xcxc.png" alt="Image description" width="800" height="88"></a><br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7u4erqnsw6fz49rt7zm4.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7u4erqnsw6fz49rt7zm4.png" alt="Image description" width="800" height="314"></a><br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpjqs4r1n2nrz1vdjumvy.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpjqs4r1n2nrz1vdjumvy.png" alt="Image description" width="800" height="283"></a></p> <h2> Vertical Pod Autoscaler </h2> <p>The VPA increases and decreases the CPU and memory resource requests of pod containers to better match the allocated cluster resource to actual usage. Container resource limits are based on live metrics from a metric server, rather than manual adjustments to benchmark resource utilization on the pods.</p> <p>In other words, a VPA frees users from manually setting up resource limits and requests for the containers in their pods to match the current resource requirements.</p> <p>The VPA can only replace the pods managed by a replication controller, such as deployments, and it requires the Kubernetes metrics server.</p> <p>A VPA has three main components:</p> <ol> <li><p><strong>Recommender:</strong> Monitors resource utilization and computes target values. In the recommendation mode, VPA will update the suggested values but will not terminate pods.</p></li> <li><p><strong>Updater:</strong> Terminates the pods that were scaled with new resource limits. Because Kubernetes can't change the resource limits of a running pod, VPA terminates the pods with outdated limits and replaces them with pods with updated resource request and limit values.</p></li> <li><p><strong>Admission Controller:</strong> Intercepts pod creation requests. If the pod is matched by a VPA config with mode not set to "off," the controller rewrites the request by applying recommended resources to the pod specification. </p></li> </ol> <h2> Conflicts, caveats and challenges in autoscaling </h2> <p>Kubernetes autoscaling demonstrates flexibility and a powerful use case: It dynamically manages infrastructure scaling in production environments and enhances resource utilization, which reduces overhead.</p> <p>HPA and VPA are useful, and there is a temptation to use both, but this can lead to potential conflicts. For example, HPA and VPA detect CPU at threshold levels. And while the VPA will try to terminate the resource and create a new one with updated thresholds, HPA will try to create new pods with old specs.</p> <p>This can lead to wrong resource allocations and conflicts.<br> To prevent such a situation and still use HPA and VPA in parallel, make sure they rely on different metrics to auto scale.</p> kubernetes eks aws go