iWay AWS Deployment overview

The goal of this tutorial is to show how to deploy an iWay application that was built using iIT in the previous tutorial to the AWS Cloud.

Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow.

In short, this application consists of two Docker containers:

  1. An iWay application exposing an API (defined via a RAML file) that uses the iIT MongoDB Connector
  2. A MongoDB server

We brought these containers up and managed the communication between the two using Kubernetes.

Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.

We deploy this application on the AWS Cloud using a new AWS product called Amazon Elastic Container Service for Kubernetes (Amazon EKS).

By combining the technologies described above, we effectively build a Software as a Service (SaaS) offering managed by the AWS Cloud.

Software as a service (SaaS) is a software distribution model in which a third-party provider hosts applications and makes them available to customers over the Internet.

SaaS is one of three main categories of cloud computing, alongside infrastructure as a service (IaaS) and platform as a service (PaaS).

What Is Amazon EKS?

Amazon Elastic Container Service for Kubernetes (Amazon EKS) is a managed service that makes it easy for you to run Kubernetes on AWS without needing to stand up or maintain your own Kubernetes control plane. Amazon EKS runs Kubernetes control plane instances across multiple Availability Zones to ensure high availability. Amazon EKS automatically detects and replaces unhealthy control plane instances, and it provides automated version upgrades and patching for them.

Amazon EKS is also integrated with many AWS services to provide scalability and security for your applications, including the following:

  • Elastic Load Balancing for load distribution
  • IAM for authentication
  • Amazon VPC for isolation

Amazon EKS runs up-to-date versions of the open-source Kubernetes software, so you can use all the existing plugins and tooling from the Kubernetes community.
Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment, whether running in on-premises data centers or public clouds. This means that you can easily migrate any standard Kubernetes application to Amazon EKS without any code modification required.

How Does Amazon EKS Work?

How it works

Steps to deploy an application with Amazon EKS:

  1. First, create an Amazon EKS cluster in the AWS Management Console or with the AWS CLI or one of the AWS SDKs.
  2. Then, launch worker nodes that register with the Amazon EKS cluster. We provide you with an AWS CloudFormation template that automatically configures your nodes.
  3. When your cluster is ready, you can configure your favorite Kubernetes tools (such as kubectl) to communicate with your cluster.
  4. Deploy and manage applications on your Amazon EKS cluster the same way that you would with any other Kubernetes environment.

For more information about creating your required resources and your first Amazon EKS cluster, see Getting Started with Amazon EKS.

Amazon EKS Prerequisites

Before you can create an Amazon EKS cluster, you must create an IAM role that Kubernetes can assume to create AWS resources. For example, when a load balancer is created, Kubernetes assumes the role to create an Elastic Load Balancing load balancer in your account. This only needs to be done once, and the same role can be used for multiple EKS clusters.

You must also create a VPC and a security group for your cluster to use.

Although the VPC and security groups can be used for multiple EKS clusters, it is advisable to use a separate VPC for each EKS cluster to provide better network isolation.

1. Create your Amazon EKS Service Role.

To create your Amazon EKS service role:

  1. Open the IAM console at https://console.aws.amazon.com/iam/, choose Roles, and then choose Create role.

    Create Role page

  2. Choose EKS from the list of services, then Allows Amazon EKS to manage your clusters on your behalf for your use case, then Next: Permissions.

    Create Role page

  3. Choose Next: Review.

    Permissions

  4. For Role name, enter a unique name for your role.

    Create Role Review page

  5. Then choose Create role.

    Create Role page

2. Create your Amazon EKS Cluster VPC

To create your cluster VPC:

  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
  2. From the navigation bar, select a Region that supports Amazon EKS.
  3. Choose Create stack.
  4. For Choose a template, select Specify an Amazon S3 template URL.
  5. Paste the following URL into the text area and choose Next:

    https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-vpc-sample.yaml

  6. On the Specify Details page, fill out the parameters accordingly, and then choose Next.
    • Stack name: Choose a stack name for your AWS CloudFormation stack. For example, you can call it eks-vpc.
    • VpcBlock: Choose a CIDR range for your VPC. You may leave the default value.
    • Subnet01Block: Choose a CIDR range for subnet 1. You may leave the default value.
    • Subnet02Block: Choose a CIDR range for subnet 2. You may leave the default value.
    • Subnet03Block: Choose a CIDR range for subnet 3. You may leave the default value.
  7. (Optional) On the Options page, tag your stack resources. Choose Next.

    Create VPC page - details

  8. On the Review page, choose Create.
  9. When your stack is created, select it in the console and choose Outputs.
  10. Record the SecurityGroups value for the security group that was created. You need this when you create your EKS cluster; this security group is applied to the cross-account elastic network interfaces that are created in your subnets that allow the Amazon EKS control plane to communicate with your worker nodes.
  11. Record the VpcId for the subnets that were created. You need this when you launch your worker node group template.
  12. Record the SubnetIds for the subnets that were created. You need this when you create your EKS cluster; these are the subnets that your worker nodes are launched into.

    Create VPC page -  review

    If the cluster VPC was created successfully:

    Create VPC page - complete

3. Install and Configure kubectl for Amazon EKS

Amazon EKS clusters require kubectl and kubelet binaries and the Heptio Authenticator to allow IAM authentication for your Kubernetes cluster. Beginning with Kubernetes version 1.10, you can configure the stock kubectl client to work with Amazon EKS by installing the Heptio Authenticator and modifying your kubectl configuration file to use it for authentication.

After you install kubectl, you can verify its version with the following command:

kubectl version --short --client

Configure kubectl

To install heptio-authenticator-aws for Amazon EKS:

  1. Download and install the heptio-authenticator-aws binary. Amazon EKS vends heptio-authenticator-aws binaries that you can use, or you can use go get to fetch the binary from the Heptio Authenticator project on GitHub for other operating systems.
  2. Download the Amazon EKS-vended heptio-authenticator-aws binary from Amazon S3:
  3. Test that the heptio-authenticator-aws binary works:
    heptio-authenticator-aws help

    heptio

  4. (Optional) Download and Install the Latest AWS CLI

    Amazon EKS requires at least version 1.15.32 of the AWS CLI. To install or upgrade the AWS CLI, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

Note:

Your system's Python version must be Python 3, or Python 2.7.9 or greater. Otherwise, you receive hostname doesn't match errors with AWS CLI calls to Amazon EKS. For more information, see What are "hostname doesn't match" errors? in the Python Requests FAQ.

Create Your Amazon EKS Cluster

Now you can create your Amazon EKS cluster.

Important:

When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the cluster is added to the Kubernetes RBAC authorization table as the administrator. Initially, only that IAM user can make calls to the Kubernetes API server using kubectl. Also, the Heptio Authenticator uses the AWS SDK for Go to authenticate against your Amazon EKS cluster. If you use the console to create the cluster, you must ensure that the same IAM user credentials are in the AWS SDK credential chain when you are running kubectl commands on your cluster.

If you install and configure the AWS CLI, you can configure the IAM credentials for your user. These also work for the Heptio Authenticator. If the AWS CLI is configured properly for your user, then the Heptio Authenticator can find those credentials as well. For more information, see Configuring the AWS CLI in the AWS Command Line Interface User Guide.

Important:

You must use IAM user credentials for this step, not root credentials. If you create your Amazon EKS cluster using root credentials, you cannot authenticate to the cluster. For more information, see How Users Sign In to Your Account in the IAM User Guide.

1. To add a new user with the console:

  1. Set user details:

    Create new user page

  2. Set new user permissions:

    Create new user page

  3. Review new user properties and click button "Create user":

    Create new user page

    You should get the Summary page:

    Create new user page

2. To create your cluster with the console:

  1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.

    Note:

    If your IAM user does not have administrative privileges, you must explicitly add permissions for that user to call the Amazon EKS API operations.

    For more information, see Creating Amazon EKS IAM Policies.

  2. On the Create cluster page, fill in the following fields and then choose Create:
    • Cluster name: A unique name for your cluster.
    • Kubernetes version: The version of Kubernetes to use for your cluster. By default, the latest available version is selected.
    • Role ARN: Select the IAM role that you created with Create your Amazon EKS Service Role.
    • VPC: The VPC you created with Create your Amazon EKS Cluster VPC. You can find the name of your VPC in the drop-down list.
    • Subnets: The SubnetIds values (comma-separated) from the AWS CloudFormation output that you generated with Create your Amazon EKS Cluster VPC. By default, the available subnets in the above VPC are preselected.
    • Security Groups: The SecurityGroups value from the AWS CloudFormation output that you generated with Create your Amazon EKS Cluster VPC. This security group has ControlPlaneSecurityGroup in the drop-down name.

    Amazon EKS Cluster configuration screen:

    Create Cluster

  3. Select button "Create":

    Create Cluster

    Important:

    The worker node AWS CloudFormation template modifies the security group that you specify here, so we recommend that you use a dedicated security group for your cluster control plane. If you share it with other resources, you may block or disrupt connections to those resources.

    Note:

    You may receive an error that one of the Availability Zones in your request does not have sufficient capacity to create an Amazon EKS cluster. If this happens, the error output contains the Availability Zones that can support a new cluster. Retry creating your cluster with at least two subnets that are located in the supported Availability Zones for your account.

  4. On the Clusters page, choose the name of your newly created cluster to view the cluster information.

    The Status field shows CREATING until the cluster provisioning process completes. When your cluster provisioning is complete (usually less than 10 minutes), note the API server endpoint and Certificate authority values. These are used in your kubectl configuration.

Configure kubectl for Amazon EKS

In this section, you create a kubeconfig file for your cluster. The code block in the procedure below shows the kubeconfig elements to add to your configuration.

If you have an existing configuration and you are comfortable working with kubeconfig files, you can merge these elements into your existing setup.

Be sure to replace the <endpoint-url> value with the full endpoint URL (for example, https://API_SERVER_ENDPOINT.yl4.us-west-2.eks.amazonaws.com) that was created for your cluster, replace <base64-encoded-ca-cert> with the certificateAuthority.data value you retrieved earlier, and replace <cluster-name> with your cluster name.

Configure kubectl

  1. Save the file to the default kubectl folder, with your cluster name in the file name. For example, if your cluster name is iway_cluster, save the file to ~/.kube/config-iway_cluster.
  2. Add that file path to your KUBECONFIG environment variable so that kubectl knows where to look for your cluster configuration.

    Set ENV var for kubectl

    Amazon EKS uses the Heptio Authenticator with kubectl for cluster authentication, which uses the same default AWS credential provider chain as the AWS CLI and AWS SDKs.

    If you have installed the AWS CLI on your system, then by default the Heptio authenticator will use the same credentials that are returned with the following command:

    aws sts get-caller-identity

    Caller identity

  3. Test your configuration:
    kubectl get svc

    test configuration
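The following Python script is an added example, not code from the original tutorial or from AWS. It builds and writes the kubeconfig this section describes from the three values you are told to substitute, and it checks that the placeholders were actually replaced (an https endpoint, base64 CA data that decodes to a PEM certificate, a non-placeholder cluster name) before anything is written. The exec-plugin entry (client.authentication.k8s.io/v1alpha1, command heptio-authenticator-aws, args token -i <cluster-name>) follows the EKS kubeconfig layout for Kubernetes 1.10; the endpoint, CA data and cluster name embedded in the block are constructed samples, not real cluster values.

```python
import base64
import binascii
import json
import os
import stat
import tempfile
from urllib.parse import urlparse

# Constructed sample values standing in for the tutorial's <endpoint-url>,
# <base64-encoded-ca-cert> and <cluster-name> placeholders. They are not real
# cluster values; substitute the ones shown on the cluster's Status page.
SAMPLE_ENDPOINT = "https://0123456789ABCDEFEXAMPLE.yl4.us-west-2.eks.amazonaws.com"
SAMPLE_CA_DATA = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED, NOT A REAL CERTIFICATE\n-----END CERTIFICATE-----\n"
).decode("ascii")
SAMPLE_CLUSTER_NAME = "iway_cluster"


def check_inputs(endpoint_url, ca_data_b64, cluster_name):
    """Return a list of problems with the three values (empty means OK).

    Each of these mistakes otherwise surfaces later as an opaque TLS or
    authentication error from kubectl, so they are cheaper to catch here.
    """
    problems = []
    if "<" in endpoint_url or ">" in endpoint_url:
        problems.append("endpoint placeholder was not replaced")
    else:
        parsed = urlparse(endpoint_url)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append("endpoint must be a full https:// URL")
    try:
        pem = base64.b64decode(ca_data_b64, validate=True)
        if b"BEGIN CERTIFICATE" not in pem:
            problems.append("certificate-authority-data does not decode to a PEM certificate")
    except (binascii.Error, ValueError):
        problems.append("certificate-authority-data is not valid base64")
    if not cluster_name or "<" in cluster_name:
        problems.append("cluster name placeholder was not replaced")
    return problems


def build_kubeconfig(endpoint_url, ca_data_b64, cluster_name):
    """Return the kubeconfig as a dict: one cluster, one context and a user
    whose token comes from the heptio-authenticator-aws exec plugin."""
    problems = check_inputs(endpoint_url, ca_data_b64, cluster_name)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{
            "name": "kubernetes",
            "cluster": {"server": endpoint_url, "certificate-authority-data": ca_data_b64},
        }],
        "contexts": [{"name": "aws", "context": {"cluster": "kubernetes", "user": "aws"}}],
        "current-context": "aws",
        "users": [{
            "name": "aws",
            "user": {"exec": {
                # kubectl runs this command per request; the token it returns is
                # derived from whatever AWS credentials the default chain yields.
                "apiVersion": "client.authentication.k8s.io/v1alpha1",
                "command": "heptio-authenticator-aws",
                "args": ["token", "-i", cluster_name],
            }},
        }],
    }


def write_kubeconfig(config, path):
    """Write the kubeconfig with mode 0600 and return the resulting mode bits.

    This file holds no secret (tokens come from the AWS credential chain), but
    it decides which API server and CA kubectl trusts, so it should not be
    writable by anyone else. JSON is valid YAML, so kubectl loads it as-is.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(config, handle, indent=2)
    os.chmod(path, 0o600)  # O_CREAT leaves an existing file's mode alone
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Write a kubeconfig from the constructed values into a temporary
    directory and return the permission bits of the written file."""
    config = build_kubeconfig(SAMPLE_ENDPOINT, SAMPLE_CA_DATA, SAMPLE_CLUSTER_NAME)
    with tempfile.TemporaryDirectory() as tmp:
        return write_kubeconfig(config, os.path.join(tmp, "config-" + SAMPLE_CLUSTER_NAME))


if __name__ == "__main__":
    print(json.dumps(build_kubeconfig(SAMPLE_ENDPOINT, SAMPLE_CA_DATA, SAMPLE_CLUSTER_NAME), indent=2))
    print("written with mode %o" % demo())
```

Run it with the real endpoint, CA data and cluster name in place of the constructed ones, write the result to ~/.kube/config-<cluster-name> and add that path to KUBECONFIG as in steps 1 and 2; kubectl get svc then exercises the exec plugin with the same credentials that aws sts get-caller-identity reports.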

Note:

If you receive the error "heptio-authenticator-aws": executable file not found in $PATH, then your kubectl is not configured for Amazon EKS.

For more information, see Configure kubectl for Amazon EKS.

Launch and Configure Amazon EKS Worker Nodes

Now that your VPC and Kubernetes control plane are created, you can launch and configure your worker nodes.

Important:

Amazon EKS worker nodes are standard Amazon EC2 instances, and you are billed for them based on normal Amazon EC2 On-Demand Instance prices. For more information, see Amazon EC2 Pricing.

To launch your worker nodes

  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
  2. From the navigation bar, select a Region that supports Amazon EKS.

    Note:

    Amazon EKS is available in the following Regions at this time:

    • US West (Oregon) (us-west-2)
    • US East (N. Virginia) (us-east-1)
  3. Choose Create stack.
  4. For Choose a template, select Specify an Amazon S3 template URL.
  5. Paste the following URL into the text area and choose Next:

    https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-nodegroup.yaml

  6. On the Specify Details page, fill out the following parameters accordingly, and choose Next.
    • Stack name: Choose a stack name for your AWS CloudFormation stack. For example, you can call it <cluster-name>-worker-nodes.
    • ClusterName: Enter the name that you used when you created your Amazon EKS cluster.

    Important:

    This name must exactly match the name you used in Step 1: Create Your Amazon EKS Cluster; otherwise, your worker nodes cannot join the cluster.

    • ClusterControlPlaneSecurityGroup: Choose the SecurityGroups value from the AWS CloudFormation output that you generated with Create your Amazon EKS Cluster VPC.
    • NodeGroupName: Enter a name for your node group that is included in your Auto Scaling node group name.
    • NodeAutoScalingGroupMinSize: Enter the minimum number of nodes that your worker node Auto Scaling group can scale in to.
    • NodeAutoScalingGroupMaxSize: Enter the maximum number of nodes that your worker node Auto Scaling group can scale out to.
    • NodeInstanceType: Choose an instance type for your worker nodes.
    • NodeImageId: Enter the current Amazon EKS worker node AMI ID for your Region.

      Region                              Amazon EKS-optimized AMI ID
      US West (Oregon) (us-west-2)        ami-73a6e20b
      US East (N. Virginia) (us-east-1)   ami-dea4d5a1

    Note:

    The Amazon EKS worker node AMI is based on Amazon Linux 2. You can track security or privacy events for Amazon Linux 2 at the Amazon Linux Security Center or subscribe to the associated RSS feed. Security and privacy events include an overview of the issue, what packages are affected, and how to update your instances to correct the issue.

    • KeyName: Enter the name of an Amazon EC2 SSH key pair that you can use to connect to your worker nodes with SSH after they launch.
    • VpcId: Enter the ID for the VPC that you created in Create your Amazon EKS Cluster VPC.
    • Subnets: Choose the subnets that you created in Create your Amazon EKS Cluster VPC.
  7. On the Options page, you can choose to tag your stack resources. Choose Next.
  8. On the Review page, review your information, acknowledge that the stack might create IAM resources, and then choose Create.
  9. When your stack has finished creating, select it in the console and choose the Outputs tab.
  10. Record the NodeInstanceRole for the node group that was created. You need this when you configure your Amazon EKS worker nodes.

Create stack

To enable worker nodes to join your cluster:

  1. Download, edit, and apply the AWS authenticator configuration map:
  2. Download the configuration map.

    https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/aws-auth-cm.yaml

  3. Open the file with your favorite text editor. Replace the <ARN of instance role (not instance profile)> snippet with the NodeInstanceRole value that you recorded in the previous procedure, and save the file.

    Important:

    Do not modify any other lines in this file.

    configuration map file

  4. Then execute the following command:
    kubectl apply -f aws-auth-cm.yaml

    Note:

    If you receive the error "heptio-authenticator-aws": executable file not found in $PATH, then your kubectl is not configured for Amazon EKS. For more information, see Configure kubectl for Amazon EKS.

  5. Watch the status of your nodes and wait for them to reach the Ready status.
  6. Run the command:
    kubectl get nodes --watch

    and wait until the status becomes Ready.

    Get worker nodes
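As an added example (not from the tutorial or from AWS), the Python below performs the edit in step 3 programmatically and enforces the two rules the text states: the value must be the NodeInstanceRole ARN (a role ARN, not the instance profile ARN) and nothing but that one line may change. The ConfigMap text is an embedded copy of the aws-auth layout with the placeholder left in place, and the account id and role name are constructed; in practice pass it the downloaded aws-auth-cm.yaml.

```python
import re

# Embedded copy of the aws-auth configuration map layout with the tutorial's
# placeholder left in place. It is part of this example, not the downloaded
# file: in practice pass the text of aws-auth-cm.yaml from step 2 instead.
AWS_AUTH_TEMPLATE = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <ARN of instance role (not instance profile)>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
"""

PLACEHOLDER = "<ARN of instance role (not instance profile)>"

# An IAM role ARN: 12-digit account id, then "role/" and the path plus name.
ROLE_ARN_RE = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")

# Constructed stand-in for the NodeInstanceRole output recorded in step 10 of
# the worker node procedure; the account id and role name are not real.
SAMPLE_NODE_ROLE_ARN = "arn:aws:iam::123456789012:role/iway-worker-nodes-NodeInstanceRole-EXAMPLE"


def check_role_arn(arn):
    """Return None if arn is an IAM role ARN, otherwise a message saying why not."""
    if ":instance-profile/" in arn:
        return "this is an instance profile ARN; the map needs the role ARN (NodeInstanceRole)"
    if not ROLE_ARN_RE.fullmatch(arn):
        return "not an IAM role ARN of the form arn:aws:iam::<account-id>:role/<name>"
    return None


def render_aws_auth(template_text, role_arn):
    """Substitute the placeholder with role_arn and return the resulting text.

    Enforces the tutorial's rule that nothing else in the file changes: the
    placeholder must occur exactly once and exactly one line may differ.
    """
    problem = check_role_arn(role_arn)
    if problem:
        raise ValueError(problem)
    if template_text.count(PLACEHOLDER) != 1:
        raise ValueError("expected the placeholder exactly once in the template")
    rendered = template_text.replace(PLACEHOLDER, role_arn)
    before, after = template_text.splitlines(), rendered.splitlines()
    changed = [i for i, (a, b) in enumerate(zip(before, after)) if a != b]
    if len(before) != len(after) or len(changed) != 1:
        raise ValueError("more than the rolearn line changed")
    return rendered


def mapped_role_arns(map_text):
    """Extract every rolearn value from the map, for review before and after apply.

    Every role listed here is placed in the system:nodes group, so the list
    should contain only the worker node instance role.
    """
    return re.findall(r"^\s*-\s*rolearn:\s*(\S+)", map_text, flags=re.M)


if __name__ == "__main__":
    rendered = render_aws_auth(AWS_AUTH_TEMPLATE, SAMPLE_NODE_ROLE_ARN)
    print(rendered)
    print("mapped roles:", mapped_role_arns(rendered))
```

The mapRoles entry places any EC2 instance that can assume the listed role into the system:bootstrappers and system:nodes groups, so the ARN is effectively a cluster-level grant. After kubectl apply, kubectl -n kube-system get configmap aws-auth -o yaml shows exactly which roles are mapped; mapped_role_arns gives the same list from the file so the two can be compared.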

Launch an iWay application

In this section, you will finally launch an iWay API application to the AWS Cloud.

We start by creating an AWS storage class, because Amazon EKS clusters are not created with any storage classes.

You must define storage classes for your cluster to use, and you should define a default storage class for your persistent volume claims.

For more information, see Storage Classes in the Kubernetes documentation.

To create an AWS storage class for your Amazon EKS cluster, create a storage class manifest file.

The steps to deploy the iWay API application to the AWS Cloud are:

  1. Create Storage by executing the following command:
    kubectl apply -f gp2.yaml

    Here is the file gp2.yaml as used in this tutorial. Note that this manifest defines a PersistentVolumeClaim named slow (the claim mounted by the mongodb deployment in step 5) rather than a StorageClass; the output line below is what kubectl prints when a StorageClass named gp2 is created:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      creationTimestamp: null
      labels:
        io.kompose.service: gp2
      name: slow
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 10Gi
    status: {}

    Output:  storageclass "gp2" created

  2. Verify that the storage class was created by executing the following kubernetes command:
    kubectl get storageclass

    Get Storage class

  3. Create the persistent data volume:
    kubectl apply -f myclaim.yaml

    Here is the file myclaim.yaml:

    kind: PersistentVolumeClaim
    apiVersion: v1
    metadata:
      name: myclaim
    spec:
      accessModes:
        - ReadWriteOnce
      volumeMode: Filesystem
      resources:
        requests:
          storage: 8Gi
      storageClassName: gp2
  4. Create the myiway kubernetes pod:
    kubectl create -f deployment.yaml

    Here is the file deployment.yaml:

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: myiway
      labels:
        app: myiway
    spec:
      replicas: 1
      strategy: {}
      template:
        metadata:
          labels:
            app: myiway
        spec:
          containers:
          - image: iwaydocker/iwaydemo
            imagePullPolicy: Always
            name: myiway
            ports:
            - containerPort: 9999
            - containerPort: 9000
            - containerPort: 9001
            - containerPort: 8081
            resources: {}
          restartPolicy: Always
    status: {}
  5. Create the mongodb kubernetes pod:
    kubectl apply -f mongodb-deployment.yaml

    Here is the file mongodb-deployment.yaml:

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      annotations:
        kompose.cmd: C:\Program Files\docker\kompose-windows-amd64.exe convert -f docker-compose.yml
        kompose.version: 1.12.0 (0ab07be)
      creationTimestamp: null
      labels:
        io.kompose.service: mongodb
      name: mongodb
    spec:
      replicas: 1
      strategy:
        type: Recreate
      template:
        metadata:
          creationTimestamp: null
          labels:
            io.kompose.service: mongodb
        spec:
          containers:
          - image: bitnami/mongodb:latest
            name: mongodb
            ports:
            - containerPort: 27017
            resources: {}
            volumeMounts:
            - mountPath: /data/db
              name: slow
          restartPolicy: Always
          volumes:
          - name: slow
            persistentVolumeClaim:
              claimName: slow
    status: {}
  6. Get kubernetes pods:
    kubectl get pods

    Get pods

  7. You may see the details of the myiway pod:
    kubectl describe pod myiway-bd87fff48-44gsh

    Describe myiway

  8. You may also check the details of the mongodb pod:
    kubectl describe pod mongodb-84dc9b4694-d4cct

    Describe mongo

  9. You may also get the description of the Persistent Volume Claim:
    kubectl describe pvc myclaim

    describe PVC

  10. Next step should be to create a kubernetes service for myiway:
    kubectl expose deployment myiway --name=myiway --type=LoadBalancer

    AWS Create iway service

  11. And create a kubernetes service for the mongodb:
    kubectl expose deployment mongodb --name=mongodb --type=LoadBalancer

    AWS Create mongodb service

  12. List the running services and capture the EXTERNAL-IP address and ports by executing the following command:
    kubectl get svc -o wide

    AWS get services

  13. By using the EXTERNAL-IP address and port 9999 of the service myiway, we may visit the iWay Service Manager Console:

    AWS ISM Console

  14. Use EXTERNAL-IP address on port 8081 and iIT iWay Explorer to post JSON document into MongoDB database:

    AWS iit project

  15. Use the API endpoint below to browse the posted document:

    AWS result browser
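Steps 10 to 12 create one LoadBalancer service per deployment, which gives each of them an internet-facing ELB hostname. The iWay pod only needs to reach MongoDB inside the cluster, so the database does not need that exposure. The Python below is an added example (not part of the tutorial) that reads kubectl get svc -o json output and flags LoadBalancer services listening on common data-store ports, which is the check to run after step 12. The sample JSON it embeds is constructed to mirror the three services present in this section; the ELB hostnames, cluster IPs and node ports in it are invented.

```python
import json
import sys

# Constructed sample of `kubectl get svc -o json` output as it would look after
# steps 10 and 11. Hostnames, cluster IPs and node ports are invented; only the
# fields the audit reads are included.
SAMPLE_SVC_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "kubernetes", "namespace": "default"},
            "spec": {"type": "ClusterIP", "clusterIP": "10.100.0.1",
                     "ports": [{"port": 443, "targetPort": 443, "protocol": "TCP"}]},
            "status": {"loadBalancer": {}},
        },
        {
            "metadata": {"name": "myiway", "namespace": "default"},
            "spec": {"type": "LoadBalancer", "clusterIP": "10.100.21.7",
                     "ports": [{"port": p, "targetPort": p, "nodePort": 31000 + i, "protocol": "TCP"}
                               for i, p in enumerate([9999, 9000, 9001, 8081])]},
            "status": {"loadBalancer": {"ingress": [
                {"hostname": "a1b2c3example-1111111111.us-west-2.elb.amazonaws.com"}]}},
        },
        {
            "metadata": {"name": "mongodb", "namespace": "default"},
            "spec": {"type": "LoadBalancer", "clusterIP": "10.100.88.3",
                     "ports": [{"port": 27017, "targetPort": 27017, "nodePort": 31010, "protocol": "TCP"}]},
            "status": {"loadBalancer": {"ingress": [
                {"hostname": "d4e5f6example-2222222222.us-west-2.elb.amazonaws.com"}]}},
        },
    ],
})

# Listener ports of data stores that normally should be reachable only from
# inside the cluster; 27017 is the MongoDB port used in this tutorial.
DATASTORE_PORTS = {27017: "MongoDB", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}


def _external_address(svc):
    """Return the load balancer hostname or IP, or <pending> before AWS assigns one."""
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
    if not ingress:
        return "<pending>"
    return ingress[0].get("hostname") or ingress[0].get("ip") or "<pending>"


def external_services(svc_json_text):
    """List every service that receives a public address (type LoadBalancer)."""
    result = []
    for svc in json.loads(svc_json_text)["items"]:
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue
        result.append({
            "service": svc["metadata"]["name"],
            "external_address": _external_address(svc),
            "ports": [p["port"] for p in svc["spec"].get("ports", [])],
        })
    return result


def audit_services(svc_json_text):
    """Return one finding per data-store port that an external service exposes."""
    findings = []
    for svc in json.loads(svc_json_text)["items"]:
        spec = svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue
        name = svc["metadata"]["name"]
        namespace = svc["metadata"].get("namespace", "default")
        for port in spec.get("ports", []):
            label = DATASTORE_PORTS.get(port.get("port"))
            if label is None:
                continue
            findings.append({
                "service": name,
                "namespace": namespace,
                "port": port["port"],
                "protocol": label,
                "external_address": _external_address(svc),
                # ClusterIP is what kubectl expose creates when --type is omitted;
                # pods then reach the service through cluster DNS, not the ELB.
                "fix": "recreate as type ClusterIP; in-cluster clients use "
                       f"{name}.{namespace}.svc.cluster.local:{port['port']}",
            })
    return findings


if __name__ == "__main__":
    # Read real `kubectl get svc -o json` output from stdin when piped in,
    # otherwise audit the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SVC_JSON
    for finding in audit_services(text):
        print("{service}: {protocol} port {port} is exposed at {external_address}; {fix}".format(**finding))
```

Against a live cluster, pipe the real output in: kubectl get svc -o json | python3 svc_audit.py. A flagged service can be deleted and recreated with kubectl expose without --type=LoadBalancer, which yields a ClusterIP service that only myiway and other pods in the cluster can reach, leaving the iWay API as the sole component on a public load balancer.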