Merge pull request #1 from stacksimplify/master

leatest
stacksimplify · Jul 6, 2023 · 3071879 · 3071879
2 parents a4c930f + 1148246
commit 3071879
Show file tree

Hide file tree

Showing 6 changed files with 219 additions and 16 deletions.
diff --git a/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests-old/01-ECR-Nginx-Deployment.yml b/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests-old/01-ECR-Nginx-Deployment.yml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubeapp-ecr
+  labels:
+    app: kubeapp-ecr
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: kubeapp-ecr
+  template:
+    metadata:
+      labels:
+        app: kubeapp-ecr
+    spec:
+      containers:
+        - name: kubeapp-ecr
+          image: 180789647333.dkr.ecr.us-east-1.amazonaws.com/aws-ecr-kubenginx:1.0.0
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "500m"
+            limits:
+              memory: "256Mi"
+              cpu: "1000m"
+          ports:
+            - containerPort: 80
diff --git a/...Elastic-Container-Registry-and-EKS/02-kube-manifests-old/02-ECR-Nginx-NodePortService.yml b/...Elastic-Container-Registry-and-EKS/02-kube-manifests-old/02-ECR-Nginx-NodePortService.yml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kubeapp-ecr-nodeport-service
+  labels:
+    app: kubeapp-ecr
+  annotations:    
+#Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
+    alb.ingress.kubernetes.io/healthcheck-path: /index.html    
+spec:
+  type: NodePort
+  selector:
+    app: kubeapp-ecr
+  ports:
+    - port: 80
+      targetPort: 80
diff --git a/...stic-Container-Registry-and-EKS/02-kube-manifests-old/03-ECR-Nginx-ALB-IngressService.yml b/...stic-Container-Registry-and-EKS/02-kube-manifests-old/03-ECR-Nginx-ALB-IngressService.yml
@@ -0,0 +1,41 @@
+# Annotations Reference:  https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: ecr-ingress-service
+  labels:
+    app: kubeapp-ecr
+  annotations:
+    # Ingress Core Settings  
+    kubernetes.io/ingress.class: "alb"
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    # Health Check Settings
+    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
+    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
+    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
+    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
+    alb.ingress.kubernetes.io/success-codes: '200'
+    alb.ingress.kubernetes.io/healthy-threshold-count: '2'
+    alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
+    ## SSL Settings
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/9f042b5d-86fd-4fad-96d0-c81c5abc71e1
+    #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)    
+    # SSL Redirect Setting
+    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'   
+    # External DNS - For creating a Record Set in Route53
+    external-dns.alpha.kubernetes.io/hostname: ecrdemo.kubeoncloud.com       
+spec:
+  rules:
+    - http:
+        paths:
+          - path: /* # SSL Redirect Setting
+            backend:
+              serviceName: ssl-redirect
+              servicePort: use-annotation            
+          - path: /*
+            backend:
+              serviceName: kubeapp-ecr-nodeport-service
+              servicePort: 80                                   
+# Important Note-1: In path based routing order is very important, if we are going to use  "/*", try to use it at the end of all rules.         
+
diff --git a/...-Elastic-Container-Registry-and-EKS/02-kube-manifests/03-ECR-Nginx-ALB-IngressService.yml b/...-Elastic-Container-Registry-and-EKS/02-kube-manifests/03-ECR-Nginx-ALB-IngressService.yml
@@ -1,41 +1,43 @@
-# Annotations Reference:  https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/
-apiVersion: extensions/v1beta1
+# Annotations Reference: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: ecr-ingress-service
   labels:
     app: kubeapp-ecr
   annotations:
+    # Load Balancer Name
+    alb.ingress.kubernetes.io/load-balancer-name: ecr-ingress
     # Ingress Core Settings  
-    kubernetes.io/ingress.class: "alb"
+    #kubernetes.io/ingress.class: "alb" (OLD INGRESS CLASS NOTATION - STILL WORKS BUT RECOMMENDED TO USE IngressClass Resource)
     alb.ingress.kubernetes.io/scheme: internet-facing
     # Health Check Settings
     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
     alb.ingress.kubernetes.io/healthcheck-port: traffic-port
+    #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
     alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
     alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
     alb.ingress.kubernetes.io/success-codes: '200'
     alb.ingress.kubernetes.io/healthy-threshold-count: '2'
-    alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
+    alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'  
     ## SSL Settings
     alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
-    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/9f042b5d-86fd-4fad-96d0-c81c5abc71e1
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/d86de939-8ffd-410f-adce-0ce1f5be6e0d
     #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)    
     # SSL Redirect Setting
-    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'   
+    alb.ingress.kubernetes.io/ssl-redirect: '443'
     # External DNS - For creating a Record Set in Route53
-    external-dns.alpha.kubernetes.io/hostname: ecrdemo.kubeoncloud.com       
+    external-dns.alpha.kubernetes.io/hostname: ecrdemo.kubeoncloud.com  
 spec:
   rules:
     - http:
-        paths:
-          - path: /* # SSL Redirect Setting
+        paths:      
+          - path: /
+            pathType: Prefix
             backend:
-              serviceName: ssl-redirect
-              servicePort: use-annotation            
-          - path: /*
-            backend:
-              serviceName: kubeapp-ecr-nodeport-service
-              servicePort: 80                                   
+              service:
+                name: kubeapp-ecr-nodeport-service
+                port: 
+                  number: 80                                   
 # Important Note-1: In path based routing order is very important, if we are going to use  "/*", try to use it at the end of all rules.         
 
diff --git a/11-DevOps-with-AWS-Developer-Tools/README.md b/11-DevOps-with-AWS-Developer-Tools/README.md
@@ -109,6 +109,86 @@ aws iam put-role-policy --role-name EksCodeBuildKubectlRole --policy-name eks-de
 # Verify the same on Management Console
 ```
 
+### For Windows users who are using Powershell
+```t
+Here is a solutions to creating the Trust policy from AWS Tech Support
+
+I understand that you are following an instruction to create an IAM role for CodeBuild but the commands do not work for PowerShell.
+
+In PowerShell, the format is different from the scripts in Mac OS. Cmdlets are used in PowerShell. I have used Cmdlets in PowerShell to create a role and attach an inline policy. Please check the following for the details:
+
+1. Create IAM Role for CodeBuild to Interact with EKS
+
+First create a new file NewRoleTrustPolicy.json with the following contents:
+
+{
+
+"Version": "2012-10-17",
+
+"Statement": [
+
+{
+
+"Sid": "",
+
+"Effect": "Allow",
+
+"Principal": {
+
+"AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
+
+},
+
+"Action": "sts:AssumeRole"
+
+}
+
+]
+
+}
+
+Note: please replace your account ID in the above Principal parameter.
+
+
+New-IAMRole -AssumeRolePolicyDocument (Get-Content -raw NewRoleTrustPolicy.json) -RoleName EksCodeBuildKubectlRole
+
+After the above command, you can check if the IAM role EksCodeBuildKubectlRole is created in your AWS account. Please check the New-IAMRole Cmdlet reference in [1].
+
+
+2. Define Inline Policy with eks Describe permission in a file iam-eks-describe-policy
+
+First create a new file iam-eks-describe-policy.json with the following contents:
+
+{ "Version": "2012-10-17",
+
+"Statement":
+
+[ { "Effect": "Allow",
+
+"Action": "eks:Describe*",
+
+"Resource": "*" }
+
+]
+
+}
+
+Write-IAMRolePolicy -RoleName EksCodeBuildKubectlRole -PolicyName eks-describe -PolicyDocument (Get-Content -Raw iam-eks-describe-policy.json)
+
+
+After the above command, you can check if the IAM role EksCodeBuildKubectlRole has the inline policy eks-describe attached. Please check the Write-IAMRolePolicy Cmdlet reference in [2].
+I hope the above information can help you.
+
+References
+================
+[1]: New-IAMRole
+https://docs.aws.amazon.com/powershell/latest/reference/items/New-IAMRole.html
+[2]: Write-IAMRolePolicy
+https://docs.aws.amazon.com/powershell/latest/reference/items/Write-IAMRolePolicy.html
+
+
+```
+
 ## Step-07: Update EKS Cluster aws-auth ConfigMap with new role created in previous step
 - We are going to add the role to the `aws-auth ConfigMap` for the EKS cluster.
 - Once the `EKS aws-auth ConfigMap` includes this new role, kubectl in the CodeBuild stage of the pipeline will be able to interact with the EKS cluster via the IAM role.
@@ -132,6 +212,42 @@ kubectl patch configmap/aws-auth -n kube-system --patch "$(cat /tmp/aws-auth-pat
 kubectl get configmap aws-auth -o yaml -n kube-system
 ```
 
+### This is for the changing the Configmap with Windows PowerShell 
+```t
+This is for the changing the Configmap and PowerShell
+
+In PowerShell, the following steps can be used:
+
+1. kubectl edit -n kube-system configmap/aws-auth
+2. In step1, there will be a file opened for you to edit configmap/aws-auth.
+In the opened file, there is a mapRoles field such as:
+data:
+mapRoles: |
+- rolearn: <ARN of instance role>
+username: system:node:{{EC2PrivateDNSName}}
+groups:
+- system:bootstrappers
+- system:nodes
+
+3. Add the EksCodeBuildKubectlRole information into the mapRoles field of the file such as:
+data:
+mapRoles: |
+- rolearn: arn:aws:iam::018185988195:role/EksCodeBuildKubectlRole
+username: build
+groups:
+- system:masters
+- rolearn: <ARN of instance role (not instance profile)>
+username: system:node:{{EC2PrivateDNSName}}
+groups:
+- system:bootstrappers
+- system:nodes
+
+Save the file.
+
+
+4. After the file is saved and closed, configmap/aws-auth has been edited. You can check configmap/aws-auth using the command "kubectl describe -n kube-system configmap/aws-auth".
+```
+
 ## Step-08: Review the buildspec.yml for CodeBuild & Environment Variables
 
 ### Code Build Introduction
@@ -362,4 +478,4 @@ kubectl delete -f kube-manifests/
 - https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
 - https://github.com/aws/aws-codebuild-docker-images/blob/master/al2/x86_64/standard/3.0/Dockerfile
 - **STS Assume Role:** https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html
-- https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html
+- https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html
diff --git a/presentation/AWS-Fargate-and-EKS-Masterclass-V8.pdf b/presentation/AWS-Fargate-and-EKS-Masterclass-V8.pdf