With the ever-increasing demand for agile and efficient application deployment, Kubernetes has emerged as the de facto standard for container orchestration, revolutionizing the way companies deploy and manage their applications. By facilitating the streamlining of complex containerized environments, Kubernetes has garnered widespread adoption among enterprises of all sizes.
Amazon Web Services (AWS) has been at the forefront of providing powerful tools and services that help organizations harness the full potential of modern technology and meet the challenges of today’s dynamic business landscape. Among these offerings is Amazon Elastic Kubernetes Service (EKS), a fully managed Kubernetes service that empowers companies to leverage the benefits of containerization.
By streamlining the process of deploying, managing, and scaling containerized applications, EKS provides a robust infrastructure foundation for organizations seeking to embrace the agility and scalability of Kubernetes. Amazon EKS facilitates a smoother integration of Kubernetes into the AWS ecosystem, enabling businesses to focus on their core applications and deliver value to their customers efficiently.
In an ongoing effort to simplify and expedite the adoption of Amazon EKS, AWS has introduced an open-source project known as EKS Blueprints. This innovative collection of Infrastructure as Code (IaC) modules is specifically designed to empower users in seamlessly deploying consistent EKS clusters across multiple accounts and regions, bolstering operational efficiency and reducing complexity.
With EKS Blueprints, users gain access to a comprehensive suite of pre-configured templates that enable effortless bootstrapping of EKS clusters. These templates encompass a wide array of functionalities, including the integration of Amazon EKS add-ons and various popular open-source add-ons such as Prometheus, Karpenter, Nginx, Traefik, AWS Load Balancer Controller, Fluent Bit, Keda, Argo CD, and more. Leveraging these Blueprints allows users to expedite their cluster deployments while ensuring compatibility with a diverse range of tools and add-ons.
EKS Blueprints also empowers users to implement robust security controls tailored to their specific requirements. This capability is particularly valuable in environments where multiple teams operate workloads within the same cluster. By providing the means to enforce relevant security measures, EKS Blueprints ensure the integrity and isolation of workloads to foster a secure and efficient operational environment.
Below are the advantages of EKS Blueprints, including how the adoption process is streamlined and the enhancement of the deployment consistency for EKS clusters. A practical example is also provided to illustrate the seamless deployment of Argo CD using the EKS Blueprints.
EKS Blueprints offer a host of benefits that significantly streamline the deployment of Kubernetes applications.
In the following example, we will demonstrate the deployment of ArgoCD, a widely used GitOps tool, utilizing the capabilities of EKS Blueprints.
provider “aws” { region = local.region} provider “kubernetes” { host = module.eks.cluster_endpoint cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) token = data.aws_eks_cluster_auth.this.token} provider “helm” { kubernetes { host = module.eks.cluster_endpoint cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) token = data.aws_eks_cluster_auth.this.token }} provider “bcrypt” {} data “aws_eks_cluster_auth” “this” { name = module.eks.cluster_name} data “aws_availability_zones” “available” {} locals { name = basename(path.cwd) region = “us-west-2” cluster_version = “1.24” vpc_cidr = “10.0.0.0/16” azs = slice(data.aws_availability_zones.available.names, 0, 3) tags = { Blueprint = local.name GithubRepo = “github.com/aws-ia/terraform-aws-eks-blueprints” }} |
In the example provided, several providers are utilized to establish the necessary connections for the deployment of ArgoCD with EKS Blueprints. The “aws” provider is configured to interact with AWS services, specifying the desired region for the deployment. The “kubernetes” provider establishes a connection with the EKS cluster, utilizing the cluster endpoint and certificate authority data. Additionally, the “helm” provider connects to the EKS cluster, enabling the deployment and management of Helm charts.
To gather essential information for the deployment, data sources are leveraged in the example. The “aws_eks_cluster_auth” data source retrieves the authentication token required to establish a connection with the EKS cluster. This token is obtained by specifying the cluster name from the “eks” module. The “aws_availability_zones” data source fetches the availability zones available in the chosen region, which are then stored for further use in the code.
The “locals” block in the provided code snippet defines various local variables used throughout the deployment process. The “name” local variable represents the basename of the current working directory, serving as an identifier for the EKS cluster. The “region” local variable specifies the desired region, which in this case is set to “us-west-2.” The “cluster_version” local variable determines the desired version of the EKS cluster. The “vpc_cidr” variable defines the CIDR block for the Virtual Private Cloud (VPC), and the “azs” variable retrieves the names of the available availability zones in the region. Finally, the “tags” variable contains custom tags that can be associated with the resources created during the deployment, including the name of the blueprint and the GitHub repository used.
########################################################################## Supporting Resources######################################################################### module “vpc” { source = “terraform-aws-modules/vpc/aws” version = “~> 4.0” name = local.name cidr = local.vpc_cidr azs = local.azs private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] enable_nat_gateway = true single_nat_gateway = true public_subnet_tags = { “kubernetes.io/role/elb” = 1 } private_subnet_tags = { “kubernetes.io/role/internal-elb” = 1 } tags = local.tags} |
The “module vpc” in the provided code sets up a VPC (Virtual Private Cloud) using the “terraform-aws-modules/vpc/aws” module. It creates public and private subnets across multiple availability zones (AZs), enables NAT gateway for outbound internet access, and applies custom tags to subnets for role identification. This VPC configuration ensures a secure and scalable network infrastructure for the EKS cluster and associated resources.
module “vpc”:
########################################################################## Cluster######################################################################### #tfsec:ignore:aws-eks-enable-control-plane-loggingmodule “eks” { source = “terraform-aws-modules/eks/aws” version = “~> 19.12” cluster_name = local.name cluster_version = local.cluster_version cluster_endpoint_public_access = true # EKS Addons cluster_addons = { coredns = {} kube-proxy = {} vpc-cni = {} } vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets eks_managed_node_groups = { initial = { instance_types = [“m5.large”] min_size = 3 max_size = 10 desired_size = 5 } } tags = local.tags} ################################################################################# Kubernetes Addons################################################################################ module “eks_blueprints_kubernetes_addons” { source = “github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.29.0“ eks_cluster_id = module.eks.cluster_name eks_cluster_endpoint = module.eks.cluster_endpoint eks_oidc_provider = module.eks.oidc_provider eks_cluster_version = module.eks.cluster_version enable_argocd = true # This example shows how to set default ArgoCD Admin Password using SecretsManager with Helm Chart set_sensitive values. argocd_helm_config = { set_sensitive = [ { name = “configs.secret.argocdServerAdminPassword” value = bcrypt_hash.argo.id } ] } keda_helm_config = { values = [ { name = “serviceAccount.create” value = “false” } ] } argocd_manage_add_ons = true # Indicates that ArgoCD is responsible for managing/deploying add-ons argocd_applications = { addons = { path = “chart” repo_url = “https://github.com/aws-samples/eks-blueprints-add-ons.git” add_on_application = true } workloads = { path = “envs/dev” repo_url = “https://github.com/aws-samples/eks-blueprints-workloads.git” add_on_application = false } } # Add-ons enable_amazon_eks_aws_ebs_csi_driver = true enable_aws_for_fluentbit = true # Let fluentbit create the cw log group aws_for_fluentbit_create_cw_log_group = false enable_cert_manager = true enable_cluster_autoscaler = true enable_karpenter = true enable_keda = true enable_metrics_server = true enable_prometheus = true enable_traefik = true enable_vpa = true enable_yunikorn = true enable_argo_rollouts = true tags = local.tags} #—————————————————————# ArgoCD Admin Password credentials with Secrets Manager# Login to AWS Secrets manager with the same role as Terraform to extract the ArgoCD admin password with the secret name as “argocd”#—————————————————————resource “random_password” “argocd” { length = 16 special = true override_special = “!#$%&*()-_=+[]{}<>:?”} # Argo requires the password to be bcrypt, we use custom provider of bcrypt,# as the default bcrypt function generates diff for each terraform planresource “bcrypt_hash” “argo” { cleartext = random_password.argocd.result} #tfsec:ignore:aws-ssm-secret-use-customer-keyresource “aws_secretsmanager_secret” “argocd” { name = “argocd” recovery_window_in_days = 0 # Set to zero for this example to force delete during Terraform destroy} resource “aws_secretsmanager_secret_version” “argocd” { secret_id = aws_secretsmanager_secret.argocd.id secret_string = random_password.argocd.result} |
The provided Terraform code block demonstrates the setup of an AWS EKS (Elastic Kubernetes Service) cluster and the deployment of various Kubernetes addons using Helm charts. The following is an overview of the key components and their functionalities:
The “eks” module is used to define the EKS cluster’s configuration parameters. It specifies the cluster name, version, and accessibility settings. Additionally, it includes the declaration of EKS add-ons such as CoreDNS, kube-proxy, and VPC-CNI. The module also incorporates managed node groups to define the desired instance types and scaling settings.
The “eks_blueprints_kubernetes_addons” module is employed to deploy various Kubernetes addons and configure them for the EKS cluster.
These add-ons include:
To manage the ArgoCD admin password securely, the code includes the generation of a random password using “random_password” and a bcrypt hash using a custom provider called “bcrypt_hash”. Additionally, AWS Secrets Manager is utilized to store and manage the secret “argocd” with the ArgoCD admin password.
Note: The explanations in this article provide a high-level overview of the code. Users may need to modify the code and configurations based on their specific requirements.
AWS EKS Blueprints serve as a powerful tool to simplify and expedite Kubernetes deployments on Amazon Elastic Kubernetes Service. By leveraging pre-configured templates, users can effortlessly set up and configure popular Kubernetes applications like ArgoCD or monitoring stacks.
Leveraging the streamlined setup, adherence to best practices, and reproducibility offered by EKS Blueprints can greatly enhance Kubernetes deployments. However, it is essential to assess customization needs and consider the dependency on AWS EKS when determining the suitability of EKS Blueprints for specific use cases.
TrackIt is an Amazon Web Services Advanced Tier Services Partner specializing in cloud management, consulting, and software development solutions based in Marina del Rey, CA.
TrackIt specializes in Modern Software Development, DevOps, Infrastructure-As-Code, Serverless, CI/CD, and Containerization with specialized expertise in Media & Entertainment workflows, High-Performance Computing environments, and data storage.
In addition to providing cloud management, consulting, and modern software development services, TrackIt also provides an open-source AWS cost management tool that allows users to optimize their costs and resources on AWS.