Deploying a password generator application in AWS EKS - Part 1

In the post Creating a distroless signed docker image, a password generator application was shipped in a distroless signed docker image. In this tutorial, we are going to use that image and deploy the same application in AWS EKS.

We are not going to show how to install local dependencies or how to set an AWS Account and user permissions, however we provide the documentation for such.

Dependencies

In order to complete this tutorial, you need to install and configure the following applications and services:

• kubectl
• eksctl
• helm
• AWS User Account with permissions to create and manage an AWS EKS cluster.
• AWS CLI
• Configuration and credential file settings in the AWS CLI

Creating an AWS EKS cluster and Installing Nginx Ingress Controller

After installing and configuring the dependencies above, run the command below to create the an AWS EKS cluster:

eksctl create cluster --name=eks-cluster --version=1.30 --region=us-east-1 --nodegroup-name=eks-cluster-nodegroup --node-type=t3.medium --nodes=3 --nodes-min=1 --nodes-max=4 --managed --profile iamadmin-prod

The command above takes about 15 minutes to create an AWS EKS cluster named eks-cluster, using Kubernetes v1.30 in the region us-east-1. The managed cluster uses t3.medium EC2 nodes and is created using an Admin account.

After that, create the ingress-nginx Namespace, add the Ingress Nginx repo in Helm and install it afterwards. The commands to execute these operations are presented below:

kubectl create namespace ingress-nginx
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx

The expected output start with something like this:

NAME: ingress-nginx
LAST DEPLOYED: ...
NAMESPACE: ingress-nginx
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the load balancer IP to be available.
You can watch the status by running 'kubectl get service --namespace ingress-nginx ingress-nginx-controller --output wide --watch'
...

The last command creates a Kubernetes Service of type LoadBalancer that exposes the application to the outside world, and also a ClusterIP service that manages or validate Ingress resources, such as Hosts and Paths. To check if both services were properly created, run the command kubectl get svc -n ingress-nginx. A similar result is expected:

NAME                                 TYPE           CLUSTER-IP       EXTERNAL-IP                                                               PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   10.100.170.245   <LOAD BALANCER ID>.us-east-1.elb.amazonaws.com   80:32709/TCP,443:31961/TCP   78s
ingress-nginx-controller-admission   ClusterIP      10.100.34.75     <none>                                                                    443/TCP                      78s

You can also check if the service is running by copying the External IP for the Load Balancer and opening the URL in your preferred browser. If you land in the Nginx 404 page, it means you can proceed to the next steps to deploy the app.

Deployng the app

The current state of the app is composed by five manifests listed below:

• app-deployment.yaml: Deployment object that creates and manages pods that uses the kellermann92/linuxtips-giropops-senhas:1.0 image.
• redis-deployment.yaml: Deployment object that creates and manages Redis pods.
• app-service.yaml and redis-service.yaml: create Service objects of type ClusterIP that enables connectivity between pods in the Cluster.
• app-ingress.yaml: Ingress object that manages external access to the application service.

The app-deployment.yaml file content is presented below:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: giropops-senhas
  name: giropops-senhas
spec:
  replicas: 3
  selector:
    matchLabels:
      app: giropops-senhas
  template:
    metadata:
      labels:
        app: giropops-senhas
    spec:
      containers:
      - image: kellermann92/linuxtips-giropops-senhas:1.0
        name: giropops-senhas
        env:
        - name: REDIS_HOST
          value: redis-service
        ports:
        - containerPort: 5000
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            cpu: 300m
            memory: 128Mi
          requests:
            cpu: 100m
            memory: 64Mi

Create the Deployment by running the command kubectl get deployment giropops-senhas. To check if the Deployment was properly created, run the command kubectl get deployment giropops-senhas. The expected output should look similar to the text below:

# kubectl get deployment giropops-senhas
NAME              READY   UP-TO-DATE   AVAILABLE   AGE
giropops-senhas   3/3     3            3           ...

The app-deployment.yaml file creates a Deployment object that manages 3 pods of our application. In order to make the pods in the deployment above to be discoverable by other pods in the cluster, create a Service. The app-service.yaml manifest file creates such an object. Its content is presented below:

apiVersion: v1
kind: Service
metadata:
  name: giropops-senhas
  labels:
    app: giropops-senhas
spec:
  selector:
    app: giropops-senhas
  ports:
    - protocol: TCP
      port: 5000
      targetPort: 5000
      name: tcp-app
  type: ClusterIP

Run the command kubectl apply -f app-service.yamlto create the Service object.To check if the Service was properly created, run the command kubectl get svc giropops-senhas. The expected output should look similar to the text below:

NAME              TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
giropops-senhas   ClusterIP   10.100.28.48   <none>        5000/TCP   ...

Now, proceed with a similar process to create redis-deployment Deployment object and the redis-service Service Object. The content of the redis-deployment.yaml file is presented below:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: redis
  name: redis-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
      - image: redis
        name: redis
        ports:
          - containerPort: 6379
        resources:
          limits:
            memory: 256Mi
            cpu: 500m
          requests:
            memory: 64Mi
            cpu: 100m

The content of the file redis-service.yaml is presented below:

apiVersion: v1
kind: Service
metadata:
  name: redis-service
spec:
  selector:
    app: redis
  ports:
    - protocol: TCP
      port: 6379
      targetPort: 6379
  type: ClusterIP

In order to build both objects in the EKS cluster, run the commands below:

kubectl apply -f redis-deployment.yaml
kubectl apply -f redis-service.yaml

It’s possible to check if the services were successfully created by running the comand kubectl get svc. The result should be similar to the output below:

NAME              TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
giropops-senhas   ClusterIP   10.100.190.4     <none>        5000/TCP   ...
kubernetes        ClusterIP   10.100.0.1       <none>        443/TCP    ...
redis-service     ClusterIP   10.100.236.148   <none>        6379/TCP   ...

Similarly, we can check if the deployments were sucessfuly created by running the command kubectl get pods. The result should be similar to the output below:

giropops-senhas-7587cddcb7-lxltf    1/1     Running   0          3m6s
giropops-senhas-7587cddcb7-tstzx    1/1     Running   0          3m6s
redis-deployment-6fb85d7d6d-dlc9h   1/1     Running   0          68s
redis-deployment-6fb85d7d6d-scpdj   1/1     Running   0          68s
redis-deployment-6fb85d7d6d-v48rz   1/1     Running   0          68s

At this stage, the application is exposed to other pods within the cluster. In order to manage external access to it, we need to create an Ingress Object. The content of the file app-ingress.yaml is presented below:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: giropops-senhas
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/limit-rps: "2"
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: giropops-senhas
            port:
              number: 5000

To crete the Ingress Object, run the command kubectl apply -f app-ingress.yaml. After that, check if the ingress was successfuly created by running the command kubectl get ingress. You should get the output similar to the one below:

NAME              CLASS   HOSTS   ADDRESS                                                                   PORTS   AGE
giropops-senhas   nginx   *       <LOAD BALANCER ID>.us-east-1.elb.amazonaws.com   80      113s

Note: the address field value may be not available after running the kubectl get ingress command as soon as the object is created. It’s recommended to wait for 2 minutes or thereabouts to guarantee that the address field will be provided.

After that, open the address Load Balancer link in you web browser. If the screen below is displayed, congratulations! It means the application was successfuly deployed.

However, we can spot at least two problems in the image above:

• The connection is not secure: there is no SSL certificate that allows HTTPS.
• Almost no one wil ever remember the address to access the service.

These problems are going to be addressed in a second post.

References

• Kubernetes Service Object
• Kubernetes Deployment Object
• Kubernetes Ingress Object
• Ingress Nginx
• What is an SSL certificate?
• Descomplicando Kubernetes by Linuxtips (in Portuguese)