The purpose of this document is to provide instructions for deploying OneList Application to be hosted in EKS. Networking, security and firewall design and configuration is not in the scope of this document.
Prerequisites
Install Kubernetes CLI tool - kubectl. Instructions can be found here: https://kubernetes.io/docs/tasks/tools/install-kubectl/
Install the AWS CLI version 2:
Install Helm package manager
SQL Server connection string.
The SQL user account specified in the connection string must have the db_owner role of the databases so it can create or change tables.
Request the container registry login from IQX for pulling OneList images;
SMTP server login and sender email address. A full mailbox is required if email approval channel is enabled;
Generate the Machine Key for each environment. This is a Base64 string representing an array of 50 bytes.
Use tools like https://generate.plus/en/base64 to generate a random string of the required length.
Define the Kubernetes namespace for the OneList environment to be deployed. E.g. onelist-dev, onelist-qa, onelist-prod. It may be required to follow your company's naming standard for these namespaces.
Use this value to replace the <ONELIST_NAMESPACE> placeholder in the instructions below.
Define the label for the OneList environment to be deployed. This is a short label, e.g. dev, qa, prod. The first letter must be unique in all the environments planned and it is used as the suffix of the database names.
Use this value to replace the <environment> placeholder in the instructions below.
Request a Public Certificate using ACM or Import a Certificate into ACM.
Download these Yaml files
alb-onelist-ingressthe below two files and put them in the same directory.
| View file | ||
|---|---|---|
|
...
| View file | ||
|---|---|---|
|
...
|
...
|
...
Recommended Configuration
Environments | EKS | SQL |
|---|---|---|
Production | Worker node: EC2 T3.large, 2 vCPU, |
16 GiB RAM Worker node count: 3;
| Amazon RDS for SQL Server
|
|
Databases:
| |
Non-production | Worker node: EC2 T3.large, 2 vCPU, |
16 GiB RAM Worker node count: 3; | Amazon RDS for SQL Server
|
|
Databases: the "x" represents the environment tag, e.g. d for Development, q for QA.
|
Connect to EKS cluster
Configure your AWS CLI credential if it is not yet configured.
Run command below andinput information prompted.
aws configure
For more information, see Configuring the AWS CLI.Set context to the EKS cluster. Run the command below.
aws eks --region <region> update-kubeconfig --name <cluster_name>
Deployment steps
Open a command prompt from the folder that contains the YAML deployment files. Flow steps below to deploy OneList.
1. Create the Kubernetes namespace
Run the command below to create the Kubernetes namespace for the OneList environment, e.g. onelist-dev.
...
kubectl create namespace onelist-dev
2. Create ConfigMap and Secret
These Kubernetes ConfigMap and Secret contains The values.yaml file configures the required environment variables that are used by OneList services.
Open the "configvalues.yaml" in notepad and update the following fields with the actual value.
Config
RoleManager__MachineKey
The value is the generated machine key.Database__ConnectionString
The value is the SQL Server connection string. The name of the databases will be automatically specified by the services.ASPNETCORE_ENVIRONMENT
The value is <environment>.Smtp__UserName
Smtp__Password
Smtp__From
This is the sender email address of notifications from OneListSmtp__Host
This is the SMTP server OneList use to send notifications.Smtp__Port
This is the port of SMTP server.Smtp__UseSsl
Define if SMTP server uses SSL connection. For Office365 SMTP service, the value is always false.
Save the "config.yaml" file then run the command below.
kubectl apply -f config.yaml --namespace <ONELIST_NAMESPACE>
For example:
kubectl apply -f config.yaml --namespace onelist-dev
3. Create the Secrete for pulling OneList images
Replace placeholders in the command below and run it.
kubectl create secret docker-registry iqx.acr --docker-server=https://iqxbusiness.azurecr.io/ --docker-username=<ACR_USERNAME> --docker-password=<ACR_PASSWORD> --docker-email=<YOUR_EMAIL_ADDRESS> --namespace <ONELIST_NAMESPACE>
For example: kubectl create secret docker-registry iqx.acr --docker-server=https://iqxbusiness.azurecr.io/ --docker-username=acr_username --docker-password=acr_password --docker-email=myemail@example.com --namespace onelist-dev
4. Deploy OneList containers for the apps and services
Run the 2 commands below.
kubectl apply -f onelist-deployment.yaml --namespace <ONELIST_NAMESPACE>
kubectl apply -f alb-onelist-service.yaml --namespace <ONELIST_NAMESPACE>
For example:
kubectl apply -f onelist-deployment.yaml --namespace onelist-dev
kubectl apply -f onelist-service.yaml --namespace onelist-dev
5. Create Ingress object and ALB load balancer
Follow the instructions in 5.1 to deploy the first OneList environment and the instructions in 5.2 to deploy the additional environments.
5.1 Deploy the first OneList environment (namespace)
Create ALB Ingress Controller
Follow the deployment steps 1-10 in this documentation to create an ALB controller in kube-system namespace.
Open alb-onelist-ingress.yaml in notepad.
Find and replace '<SSL certificate ARN>' with the ARN of certificate in ACM.
Save your changes and close the file.
Run the command below.
kubectl apply -f alb-onelist-ingress.yaml --namespace <ONELIST_NAMESPACE>
For example:
kubectl apply -f alb-onelist-ingress.yaml --namespace onelist-dev
5.2 Deploy additional OneList environment (namespace)
Open alb-onelist-ingress.yaml in notepad.
Find and replace '<SSL certificate ARN>' with the ARN of certificate in ACM.
Save your changes and close the file.
Run the command below.
kubectl apply -f alb-onelist-ingress.yaml --namespace <ONELIST_NAMESPACE>
For example:
kubectl apply -f alb-onelist-ingress.yaml --namespace onelist-dev
...
Localization__DefaultCulture
The default culture. Use the code from: Supported LanguagesLocalization__DefaultTimeZone
The default time zone. The time zone id is the “TZ database name” from this page: https://en.wikipedia.org/wiki/List_of_tz_database_time_zonessupportedCultures
Localization__SupportedCultures__0
The other supported cultures. Use the code from: Supported Languages. When there is more than one supported culture, add another Localization__SupportedCultures__n entry and increase the trailing number n by 1. E.g. Localization__SupportedCultures__1
imageCredentials
username
Login username of IQX container registry.password
Login password of IQX container registry.email
Your email address.
ingress
host
The DNS host name of the OneList application.alb.ingress.kubernetes.io/certificate-arn
ARN of the SSL certificate in ACM.alb.ingress.kubernetes.io/wafv2-acl-arn
ARN of the WAF ACL.
persistentVolumeVolumeHandle
EFS ID for supporting the EKS persistent volume.
The ID is in this format: <file system ID>::<access point ID>
Example: fs-09b1fb3a7c9299901::fsap-07ab32df8345e6591image
tag
Tag name of the images that are going to be deployed.
Save the "values.yaml" file.
3. Install the AWS Load Balancer Controller add-on (if not installed)
Verify that if the controller is installed. Skip this section if already installed.
Code Block kubectl get deployment -n kube-system aws-load-balancer-controllerIf you see the following. The Controller is installed.
Code Block NAME READY UP-TO-DATE AVAILABLE AGE aws-load-balancer-controller 2/2 2 2 20hFollow this instruction to create a n OIDC provider for the cluster.
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.htmlSkip this step if AWSLoadBalancerControllerIAMPolicy policy already exist.
Download an IAM policy file.
https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.7/docs/install/iam_policy.jsonCreate an IAM policy using the policy downloaded in the previous step.
Code Block aws iam create-policy \ --policy-name AWSLoadBalancerControllerIAMPolicy \ --policy-document file://iam_policy.jsonCheck if role AmazonEKSLoadBalancerControllerRole already exists. If already exists, use another role name.
a. Create an IAM role. Replace my-cluster with the name of your cluster, 111122223333 with your account ID, AmazonEKSLoadBalancerControllerRole with your role name and then run the command.
Code Block eksctl create iamserviceaccount \ --cluster=my-cluster \ --namespace=kube-system \ --name=aws-load-balancer-controller \ --role-name AmazonEKSLoadBalancerControllerRole \ --attach-policy-arn=arn:aws:iam::111122223333:policy/AWSLoadBalancerControllerIAMPolicy \ --approveInstall the AWS Load Balancer Controller using Helm. Replace region-code, vpc-xxxxxxxx and my-cluster with the correct value.
Code Block helm repo add eks https://aws.github.io/eks-charts helm repo update eks helm install aws-load-balancer-controller eks/aws-load-balancer-controller \ -n kube-system \ --set clusterName=my-cluster \ --set serviceAccount.create=false \ --set serviceAccount.name=aws-load-balancer-controller \ --set region=region-code \ --set vpcId=vpc-xxxxxxxx
4. Deploy OneList Helm chart
Enter the folder that contains the values.yaml and onelist.tgz files. Run the command below.
helm install <ONELIST_NAMESPACE> -n <ONELIST_NAMESPACE> -f .\values.yaml onelist.tgz
For example:
helm install onelist-dev -n onelist-dev -f .\values.yaml onelist.tgz
5. Get the generated AWS public URL for OneList DNS configuration
Run the following command to discover the public URL of the environment for configuring the OneList DNS alias.
...
The AWS public URL is similar to this: e6325261-onelist650-onelis-7461-1342161572.ap-southeast-2.elb.amazonaws.com
...
6. Create the administrator user account
Navigate to the OneList URL in the browser, you will be presented to the following page to create the first user account. The System Administrator access is automatically granted to this user account.
...