A Terraform module to create Crafter CMS compatible Kubernetes clusters.
wget https://releases.hashicorp.com/terraform/0.12.23/terraform_0.12.23_darwin_amd64.zip
unzip terraform_0.12.23_darwin_amd64.zip
sudo mv terraform /usr/local/bin/terraform
curl -o aws-iam-authenticator https://amazon-eks.s3-us-west-2.amazonaws.com/1.14.6/2019-08-22/bin/darwin/amd64/aws-iam-authenticator
chmod +x aws-iam-authenticator
sudo mv ./aws-iam-authenticator /usr/local/bin/aws-iam-authenticator
wget https://get.helm.sh/helm-v3.1.2-darwin-amd64.tar.gz
tar xzvf helm-v3.1.2-darwin-amd64.tar.gz
sudo cp darwin-amd64/helm /usr/local/bin/helm
sudo chmod +x /usr/local/bin/helm
Create RDS secrets using AWS Secret Manager:
Valid RDS password: Only printable ASCII characters besides '/', '@', '"', ' '
content
cat > mycreds.json <<EOF
{
"db_user":"crafter",
"db_password":"Hvu5#d37**",
}
EOF
Store secrets into AWS Secret Manager
aws secretsmanager create-secret --name /crafter/test/credentials \
--description "Crafter credentials" \
--secret-string file://mycreds.json --region eu-west-2
Remove secret file from disk.
rm -rf mycreds.json
Clone github repo
git clone https://github.com/shirwahersi/craftercms-eks.git
cd craftercms-eks/terraform
terraform init
terraform plan
terraform apply
terraform output kubectl_config > ${HOME}/.kube/crafter-eks
export KUBECONFIG=${HOME}/.kube/crafter-eks
kubectl cluster-info
Kubernetes master is running at https://FE0F3397D3C752BCC1D4EF7D60EEC825.yl4.eu-west-2.eks.amazonaws.com
CoreDNS is running at https://FE0F3397D3C752BCC1D4EF7D60EEC825.yl4.eu-west-2.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-172-16-3-103.eu-west-2.compute.internal Ready <none> 13m v1.14.9-eks-1f0ca9
The AWS ALB Ingress Controller for Kubernetes is a controller that triggers the creation of an Application Load Balancer (ALB) and the necessary supporting AWS resources whenever an Ingress resource is created on the cluster with the kubernetes.io/ingress.class: alb annotation. The Ingress resource configures the ALB to route HTTP or HTTPS traffic to different pods within the cluster. The ALB Ingress Controller is supported for production workloads running on Amazon EKS clusters.
Add helm incubator repository
helm repo add incubator http://storage.googleapis.com/kubernetes-charts-incubator
Install ALB ingress controller
helm install alb-ingress-controller \
--set autoDiscoverAwsRegion=true \
--set autoDiscoverAwsVpcID=true \
--set clusterName=staging-craftercms-eks-cluster \
--set rbac.serviceAccountAnnotations."eks\.amazonaws\.com/role-arn=arn:aws:iam::414336264239:role/ALBIngressControllerIAMRole" \
--namespace kube-system \
incubator/aws-alb-ingress-controller
Verify that the deployment was successful and the controller started:
kubectl logs -n kube-system $(kubectl get po -n kube-system | egrep -o alb-ingress[a-zA-Z0-9-]+)
ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with Route53 DNS.
helm install external-dns \
--set provider=aws \
--set aws.zoneType=public \
--set txtOwnerId=external-dns \
--set domainFilters[0]=shirwalab.com \
--set policy=sync \
--set rbac.serviceAccountAnnotations."eks\.amazonaws\.com/role-arn=arn:aws:iam::414336264239:role/ExternalDnsIAMRole" \
--namespace kube-system \
stable/external-dns
The Delivery Pod will need SSH access to the Authoring Pod to pull the site content. For this, you need to generate an SSH public/private key pair for authentication and provide the key pair as a Kubernetes Secret to the Pods:
mkdir ssh-secrets
ssh-keygen -m PEM -b 4096 -t rsa -C "crafter@example.com" -f ssh-secrets/id_rsa
cp ssh-secrets/id_rsa.pub ssh-secrets/authorized_keys
cat > ssh-secrets/config <<EOF
Host authoring-ssh-service
StrictHostKeyChecking no
EOF
Create Secret ssh-keys with the files just generated:
kubectl create secret generic ssh-keys \
--from-file=ssh-secrets/authorized_keys \
--from-file=ssh-secrets/id_rsa \
--from-file=ssh-secrets/id_rsa.pub \
--from-file=ssh-secrets/config
Delete ssh-secrets directory
rm -rf ssh-secrets/
Create Database credentials secret
kubectl create secret generic crafter-secrets \
--from-literal=MARIADB_USER=$(aws secretsmanager get-secret-value --secret-id /crafter/test/credentials | jq --raw-output '.SecretString' | jq -r .db_user) \
--from-literal=MARIADB_PASSWD=$(aws secretsmanager get-secret-value --secret-id /crafter/test/credentials | jq --raw-output '.SecretString' | jq -r .db_password)
Create ConfigMap containing RDS and Elasticsearch endpoint url
kubectl create configmap crafter-config \
--from-literal=MARIADB_HOST=$(terraform output rds_endpoint) \
--from-literal=ES_URL=https://$(terraform output es_endpoint) \
--from-literal=ES_PORT=443
cd ../k8s-manifests
kubectl apply -f authoring/
kubectl apply -f delivery/
kubectl get pods
NAME READY STATUS RESTARTS AGE
authoring-deployment-6cccf489d4-6k8jv 3/3 Running 0 56m
delivery-deployment-577bdd4fc7-8jkfc 2/2 Running 0 41m