Quickly deploy and configure Cert Manager and External DNS on AWS EKS using Terraform

Captions
Hello, I'm Fabricio Mariani. I work at Blue Sentry Cloud as a DevOps team leader, and in this video I'm going to show you how we help our customers to achieve automatic DNS record creation and SSL certificate provisioning for applications running on EKS, which is the AWS Elastic Kubernetes Service. This will be a simple walkthrough video to demonstrate how to deploy the required AWS infrastructure using Terraform from our GitHub repo, and how to create a simple application to validate our solution. In case you're looking for a written and more detailed version of this guide, please visit one of the links in the description below.

All right, so the first thing that you have to do is to clone the repo that contains all the Terraform scripts that will be responsible for provisioning all the required infrastructure. So let's clone the repo. Once you clone the repo, you just need to open it using your favorite code editor; in my case it's VS Code. You'll notice here that we are only relying on community-driven Terraform modules to deploy all the required infrastructure. So, for example, we will be creating a VPC from scratch using the community module, then we will create an EKS cluster, and even the IAM roles for cert-manager and external-dns to work will be created using submodules of the community IAM module.

All right, so before initializing Terraform and creating infrastructure we need to configure a few things. The first thing will be to replace some dummy values, for example for the hosted zone. For cert-manager and external-dns to work, you first need to configure the IAM roles that will allow them to manage the whole Route 53 hosted zone on your behalf, and for that to happen you need to create the IRSA. IRSA stands for IAM Roles for Service Accounts; that's the most secure way for your Kubernetes service accounts to assume an IAM role in your AWS account. We already have all of that pre-configured using the community modules, so everything that you need to do now is to replace some dummy values here.

So what I will do now is go into the AWS account that we're using for the sandbox, get the zone ID, and replace those dummy values. I put those dummy values across all the required resources in the repo, so all you need to do is to search recursively in your folder and replace all those values with your real hosted zone. So we're doing this right now, so you can get the real values. We also need to update the domain for the sample applications that we'll use later on, and that's another example: you see we have some DNS zones for our cluster issuer and for our sample app, so in this case we will also just search recursively for example.com and replace that with the domain where we want to deploy the apps.

All right, so everything is replaced now. Now we'll open our terminal; you will see that it's in the same folder that we were working in before, inside the repo. Before you do this you need to configure your Terraform providers: under the providers file you'll have to update the AWS profile that you're working on, as well as an S3 bucket and a key to hold your Terraform state, so be mindful of that. Now we'll run terraform init; this will download all the modules from the community and configure our S3 backend. Now we'll validate to make sure that we have no syntax errors. This might take a minute or two because it needs to basically show you a preview of what your infrastructure will look like. In our case, for this tutorial, we are creating everything from scratch, as if we were on an empty AWS account. The only requirement, really, is to have a hosted zone where you can control the DNS, and that's it; everything else will be created new. So you will have a brand new VPC, a brand new EKS cluster, and cert-manager, external-dns and even the nginx ingress controller will be created automatically through Terraform as well, using their community Helm charts.

And here, as you can see, this is a preview of what will be created: the VPC, the EKS cluster, and all requirements for the VPC, in this case for EKS. You will notice that we are creating the endpoint as public, which is not recommended for production environments, because even though we can have a firewall, like a security group with more restricted rules, it's still not a good practice to have your Kubernetes API endpoint on a public endpoint. You should have those placed into private subnets and accessed through a VPN, but in this case, for the sake of this tutorial, we will keep it public and we will allow any IP to reach our Kubernetes API.

All right, once you have it all there you just apply it. This will trigger a new terraform plan, and this apply step will take about 15 up to 20 minutes depending on the region that you are deploying the resources in. It takes this amount of time because it needs to create the VPC, then it creates the EKS cluster, then it creates the node groups for the EKS cluster, and after those things are ready it starts deploying the Helm releases that will create cert-manager, external-dns and the nginx ingress controller. So yeah, we are okay with our plan, so we'll type yes to accept and finally apply and create all of your infrastructure. As I told you, this will take about 15 minutes to complete, so I will pause the video and come back once all the resources are created.

Okay, so after about 15 minutes all of your infrastructure is created. Now, if we want to connect to your EKS cluster, we will have to run the following command to basically create the kubeconfig, and then we need to export that kubeconfig. So you can see we are connected to our new EKS cluster. Let's see if the nodes are up and running and if all of our pods are available. There we go, it just took a little longer to respond. And let's check if we have all of our pods running. Yes, looks like we had no issues.

So now that we have cert-manager, external-dns and the nginx ingress controller installed and working fine, we just need to create one more prerequisite, more specifically for cert-manager, which is the cluster issuer. Under the example folder you'll notice that I left a stage cluster issuer and a production cluster issuer. You should use the staging one until you get all of your tests validated, so you don't hit the limits imposed by Let's Encrypt. Since I've already validated the solution with my domain and my simple app, I'm going to go straight for production, because using the staging issuer does not give us a valid certificate, which I want to show you in our lab here. So here, under the cluster issuer, since we already updated the hosted zone with the one that we want for my lab domain, and we already have a correct name for the cluster issuer, we just need to apply it. So we'll run kubectl apply -f on the example cluster issuer, and that will take care of creating the issuer for us. Let's see if it's already validated. Yes, as you can see here, the ACME account was registered with the ACME server.

Now that we have our cluster issuer created, all you need to do to test is really just deploy a sample app. In this case our simple app is composed of three different Kubernetes resources. The first one is a deployment, which is really just running an nginx image and exposing port 80. Then we are creating a service to expose our deployment to the rest of the cluster, and one quick note on this service is that you need to give it the external-dns annotation, so external-dns will act on your behalf and create the Route 53 record for you; you don't have to worry about that, since the main purpose of this guide is to automate as much as possible. Then, for our Ingress resource, we also need to give it an annotation informing which cluster issuer we want to use, in this case Let's Encrypt production. Then we need to match the same hostname that we set for our service here, and since this is a basic configuration we don't really need to configure a path or backend; it just points to the same port as our service and our container is listening on. Then, for the TLS, you also need to make sure that you're using the same hostname and that you're giving it a secret name, so cert-manager can request a certificate on your behalf and store it securely inside your Kubernetes cluster.

So let's create our sample application now. As you can see here, we have a new pod from our deployment, and we have a new service. Also let's check our Ingress: whenever you create an Ingress you get a new load balancer, so if you go under EC2 you'll see a new load balancer there, and external-dns should have taken care of creating your DNS records on Route 53. Since we have the annotation here for the cluster issuer, we can check the certificate objects in your cluster, and you'll see that we already have a new one called simple-app-tls, and this is ready. So let's just review our Ingress object again, and then we can copy the host here and paste it in your browser and see if we can access this website securely. And there you go, as you can see we have our nginx page here, and if you click on the lock there and check the connection you will see that we have a valid certificate for our lab domain, using Let's Encrypt, that will be valid for 90 days. Don't worry about renewing the certificate, because cert-manager and Let's Encrypt will take care of that for you automatically.

And that's pretty much it. I hope this video helped you, and if you still have any questions, or if you ran into any issues deploying and configuring the infrastructure, please use the comments section below and I will be glad to help you.
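As an added example, not taken from the video or the repo it describes, here are the three manifests of the sample app described above, wired to external-dns and cert-manager through annotations. The hostname simple-app.example.com, the ClusterIssuer name letsencrypt-prod, the nginx image tag and the ingress class are assumptions; the external-dns hostname annotation is placed on the Ingress here, since that is the object that receives the load balancer address the Route 53 record must point at.

```yaml
# Constructed example: the three resources of the sample app.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: simple-app
spec:
  replicas: 1
  selector:
    matchLabels: {app: simple-app}
  template:
    metadata:
      labels: {app: simple-app}
    spec:
      containers:
        - name: nginx
          image: nginx:1.25      # assumed tag; the video uses a plain nginx image
          ports: [{containerPort: 80}]
---
apiVersion: v1
kind: Service
metadata:
  name: simple-app
spec:
  selector: {app: simple-app}
  ports: [{port: 80, targetPort: 80}]
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-app
  annotations:
    # cert-manager watches this annotation and requests a certificate for spec.tls;
    # point it at the staging issuer until DNS works, to stay under Let's Encrypt limits
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # external-dns creates the Route 53 record pointing at the ingress load balancer
    external-dns.alpha.kubernetes.io/hostname: simple-app.example.com
spec:
  ingressClassName: nginx
  rules:
    - host: simple-app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: simple-app, port: {number: 80}}
  tls:
    - hosts: [simple-app.example.com]
      secretName: simple-app-tls   # cert-manager stores the issued key pair here
```

After applying, the Certificate object named after the secret should reach Ready, and the Route 53 record should resolve to the ingress controller's load balancer before the browser check.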
Info
Channel: Fabricio Mariani
Views: 1,825
Id: 3fKLbT1ZtUg
Length: 12min 42sec (762 seconds)
Published: Fri Nov 18 2022