-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
216 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,216 @@ | ||
| # Learn Terraform - Provision an EKS Cluster | ||
|
|
||
| This repo is a companion repo to the [Provision an EKS Cluster learn guide](https://learn.hashicorp.com/terraform/kubernetes/provision-eks-cluster), containing | ||
| Terraform configuration files to provision an EKS cluster on AWS. | ||
|
|
||
| After installing the AWS CLI. Configure it to use your credentials. | ||
|
|
||
| ```shell | ||
| $ aws configure | ||
| AWS Access Key ID [None]: <YOUR_AWS_ACCESS_KEY_ID> | ||
| AWS Secret Access Key [None]: <YOUR_AWS_SECRET_ACCESS_KEY> | ||
| Default region name [None]: <YOUR_AWS_REGION> | ||
| Default output format [None]: json | ||
| ``` | ||
|
|
||
| This enables Terraform access to the configuration file and performs operations on your behalf with these security credentials. | ||
|
|
||
| After you've done this, initalize your Terraform workspace, which will download | ||
| the provider and initialize it with the values provided in the `terraform.tfvars` file. | ||
|
|
||
| ```shell | ||
| $ terraform init | ||
| Initializing modules... | ||
| Downloading terraform-aws-modules/eks/aws 9.0.0 for eks... | ||
| - eks in .terraform/modules/eks/terraform-aws-modules-terraform-aws-eks-908c656 | ||
| - eks.node_groups in .terraform/modules/eks/terraform-aws-modules-terraform-aws-eks-908c656/modules/node_groups | ||
| Downloading terraform-aws-modules/vpc/aws 2.6.0 for vpc... | ||
| - vpc in .terraform/modules/vpc/terraform-aws-modules-terraform-aws-vpc-4b28d3d | ||
|
|
||
| Initializing the backend... | ||
|
|
||
| Initializing provider plugins... | ||
| - Checking for available provider plugins... | ||
| - Downloading plugin for provider "template" (hashicorp/template) 2.1.2... | ||
| - Downloading plugin for provider "kubernetes" (hashicorp/kubernetes) 1.10.0... | ||
| - Downloading plugin for provider "aws" (hashicorp/aws) 2.52.0... | ||
| - Downloading plugin for provider "random" (hashicorp/random) 2.2.1... | ||
| - Downloading plugin for provider "local" (hashicorp/local) 1.4.0... | ||
| - Downloading plugin for provider "null" (hashicorp/null) 2.1.2... | ||
|
|
||
| Terraform has been successfully initialized! | ||
| ``` | ||
|
|
||
| Then, provision your EKS cluster by running `terraform apply`. This will | ||
| take approximately 10 minutes. | ||
|
|
||
| ```shell | ||
| $ terraform apply | ||
|
|
||
| # Output truncated... | ||
|
|
||
| Plan: 51 to add, 0 to change, 0 to destroy. | ||
|
|
||
| Do you want to perform these actions? | ||
| Terraform will perform the actions described above. | ||
| Only 'yes' will be accepted to approve. | ||
|
|
||
| # Output truncated... | ||
|
|
||
| Apply complete! Resources: 51 added, 0 changed, 0 destroyed. | ||
|
|
||
| Outputs: | ||
|
|
||
| cluster_endpoint = https://A1ADBDD0AE833267869C6ED0476D6B41.gr7.us-east-2.eks.amazonaws.com | ||
| cluster_security_group_id = sg-084ecbab456328732 | ||
| kubectl_config = apiVersion: v1 | ||
| preferences: {} | ||
| kind: Config | ||
|
|
||
| clusters: | ||
| - cluster: | ||
| server: https://A1ADBDD0AE833267869C6ED0476D6B41.gr7.us-east-2.eks.amazonaws.com | ||
| certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01ETXdPVEU0TXpVeU1sb1hEVE13TURNd056RTRNelV5TWxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTThkClZaN1lmbjZmWm41MEgwL0d1Qi9lRmVud2dydXQxQlJWd29nL1JXdFpNdkZaeStES0FlaG5lYnR5eHJ2VVZWMXkKTXVxelBiMzgwR3Vla3BTVnNTcDJVR0ptZ2N5UVBWVi9VYVZDQUpDaDZNYmIvL3U1bWFMUmVOZTBnb3VuMWlLbgpoalJBYlBJM2JvLzFPaGFuSXV1ejF4bmpDYVBvWlE1U2N5MklwNnlGZTlNbHZYQmJ6VGpESzdtK2VST2VpZUJWCjJQMGd0QXJ3alV1N2MrSmp6OVdvcGxCcTlHZ1RuNkRqT1laRHVHSHFRNEpDUnRsRjZBQXpTUVZ0cy9aRXBnMncKb2NHakd5ZE9pSmpMb1NsYU9weDIrMTNMbHcxMDAvNmY4Q0F2ajRIbFZUZDBQOW5rN1UyK04xNSt5VjRpNjFoQgp3bHl4SXFUWEhDR0JvYmRNNE5VQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFIbEI3bGVMTnJYRXZnNksvNUdtR2s5Tlh4SUkKRDd0Y1dkTklBdnFka1hWK3ltVkxpTXV2ZGpQVjVKV3pBbEozTWJqYjhjcmlQWWxnVk1JNFJwc0N0aGJnajMzMwpVWTNESnNxSmZPUUZkUnkvUTlBbHRTQlBqQldwbEtaZGc2dklxS0R0eHB5bHovOE1BZ1RldjJ6Zm9SdzE4ZnhCCkI2QnNUSktxVGZCNCtyZytVcS9ULzBVS1VXS0R5K2gyUFVPTEY2dFVZSXhXM2RncWh0YWV3MGJnQmZyV3ZvSW8KYitSOVFDTk42UHRQNEFFQSsyQnJYYzhFTmd1M2EvNG9rN3lPMjZhTGJLdC9sbUNoNWVBOEdBRGJycHlWb3ZjVgpuTGdyb0FvRnVRMCtzYjNCTThUcEtxK0YwZ2dwSFptL3ZFNjh5NUk1VFlmUUdHeEZ6VEVyOHR5NHk1az0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= | ||
| name: eks_training-eks-TNajBRIF | ||
|
|
||
| contexts: | ||
| - context: | ||
| cluster: eks_training-eks-TNajBRIF | ||
| user: eks_training-eks-TNajBRIF | ||
| name: eks_training-eks-TNajBRIF | ||
|
|
||
| current-context: eks_training-eks-TNajBRIF | ||
|
|
||
| users: | ||
| - name: eks_training-eks-TNajBRIF | ||
| user: | ||
| exec: | ||
| apiVersion: client.authentication.k8s.io/v1alpha1 | ||
| command: aws-iam-authenticator | ||
| args: | ||
| - "token" | ||
| - "-i" | ||
| - "training-eks-TNajBRIF" | ||
|
|
||
|
|
||
|
|
||
| region = us-east-2 | ||
| ``` | ||
|
|
||
| ## Configure kubectl | ||
|
|
||
| To configure kubetcl, you need both [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) and [AWS IAM Authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html). | ||
|
|
||
| The following command will get the access credentials for your cluster and automatically | ||
| configure `kubectl`. | ||
|
|
||
| ```shell | ||
| $ aws eks --region us-east-2 update-kubeconfig --name training-eks-sR8eLIil | ||
| ``` | ||
|
|
||
| The | ||
| [Kubernetes cluster name](https://github.com/hashicorp/learn-terraform-eks/blob/master/outputs.tf#L26) | ||
| and [region](https://github.com/hashicorp/learn-terraform-eks/blob/master/outputs.tf#L21) | ||
| correspond to the output variables showed after the successful Terraform run. | ||
|
|
||
| You can view these outputs again by running: | ||
|
|
||
| ```shell | ||
| $ terraform output | ||
| ``` | ||
|
|
||
| ## Deploy and access Kubernetes Dashboard | ||
|
|
||
| To verify that your cluster is configured correctly and running, you will install a Kubernetes dashboard and navigate to it in your local browser. | ||
|
|
||
| ### Deploy Kubernetes Metrics Server | ||
|
|
||
| The Kubernetes Metrics Server, used to gether metrics such as cluster CPU and memory usage | ||
| over time, is not deployed by default in EKS clusters. | ||
|
|
||
| Download and unzip the metrics server by running the following command. | ||
|
|
||
| ```shell | ||
| $ wget -O v0.3.6.tar.gz https://codeload.github.com/kubernetes-sigs/metrics-server/tar.gz/v0.3.6 && tar -xzf v0.3.6.tar.gz | ||
| ``` | ||
|
|
||
| Deploy the metrics server to the cluster by running the following command. | ||
|
|
||
| ```shell | ||
| $ kubectl apply -f metrics-server-0.3.6/deploy/1.8+/ | ||
| ``` | ||
|
|
||
| Verify that the metrics server has been deployed. If successful, you should see something like this. | ||
|
|
||
| ```shell | ||
| $ kubectl get deployment metrics-server -n kube-system | ||
| NAME READY UP-TO-DATE AVAILABLE AGE | ||
| metrics-server 1/1 1 1 4s | ||
| ``` | ||
|
|
||
| ### Deploy Kubernetes Dashboard | ||
|
|
||
| The following command will schedule the resources necessary for the dashboard. | ||
|
|
||
| ```shell | ||
| $ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml | ||
|
|
||
| namespace/kubernetes-dashboard created | ||
| serviceaccount/kubernetes-dashboard created | ||
| service/kubernetes-dashboard created | ||
| secret/kubernetes-dashboard-certs created | ||
| secret/kubernetes-dashboard-csrf created | ||
| secret/kubernetes-dashboard-key-holder created | ||
| configmap/kubernetes-dashboard-settings created | ||
| role.rbac.authorization.k8s.io/kubernetes-dashboard created | ||
| clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created | ||
| rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created | ||
| clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created | ||
| deployment.apps/kubernetes-dashboard created | ||
| service/dashboard-metrics-scraper created | ||
| deployment.apps/dashboard-metrics-scraper created | ||
| ``` | ||
|
|
||
| Now, create a proxy server that will allow you to navigate to the dashboard | ||
| from the browser on your local machine. This will continue running until you stop the process by pressing `CTRL + C`. | ||
|
|
||
| ```shell | ||
| $ kubectl proxy | ||
| ``` | ||
|
|
||
| You should be able to access the Kubernetes dashboard [here](http://127.0.0.1:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/). | ||
|
|
||
| ```plaintext | ||
| http://127.0.0.1:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ | ||
| ``` | ||
|
|
||
| ## Authenticate the dashboard | ||
|
|
||
| To use the Kubernetes dashboard, you need to provide an authorization token. | ||
| Authenticating using `kubeconfig` is **not** an option. You can read more about | ||
| it in the [Kubernetes documentation](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#accessing-the-dashboard-ui). | ||
|
|
||
| Generate the token in another terminal (do not close the `kubectl proxy` process). | ||
|
|
||
| ```shell | ||
| $ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep service-controller-token | awk '{print $1}') | ||
|
|
||
| Name: service-controller-token-46qlm | ||
| Namespace: kube-system | ||
| Labels: <none> | ||
| Annotations: kubernetes.io/service-account.name: service-controller | ||
| kubernetes.io/service-account.uid: dd1948f3-6234-11ea-bb3f-0a063115cf22 | ||
|
|
||
| Type: kubernetes.io/service-account-token | ||
|
|
||
| Data | ||
| ==== | ||
| ca.crt: 1025 bytes | ||
| namespace: 11 bytes | ||
| token: eyJhbGciOiJSUzI1NiIsImtpZCI6I... | ||
| ``` | ||
|
|
||
| Select "Token" on the Dashboard UI then copy and paste the entire token you | ||
| receive into the | ||
| [dashboard authentication screen](http://127.0.0.1:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/) | ||
| to sign in. You are now signed in to the dashboard for your Kubernetes cluster. |