Gopi Vivek Manne's Blog
Stan's Robot-Shop: Deploying a Three-Tier Architecture on EKS for a Demo E-Commerce Project

Stan's Robot-Shop: Deploying a Three-Tier Architecture on EKS for a Demo E-Commerce Project

Gopi Vivek Manne's photo
Gopi Vivek Manne
·

4 min read

This process deploys a scalable, secure, and efficient e-commerce application on EKS that sells Robots and AI products. The project includes 12 components: 8 microservices, 2 databases, 1 messaging queue, and 1 in-memory data store.

Prerequisites

  1. Install kubectl

  2. Install eksctl

  3. Install Helm

  4. Configure awscli

Create an EKS Cluster

  • Use eksctl to create a cluster in the desired region

      eksctl create cluster --name demo-cluster-1 --region us-east-1

  • Make sure the cluster is up and running with two worker nodes.

IAM OIDC Provider Configuration

  • Associate an IAM OIDC provider with the cluster.

  • This allows components within the cluster to communicate with other AWS services.

  • The OIDC token provider issues signed JWT tokens to the service account of pods via the API server.

  • This enables pods to obtain temporary credentials and session tokens from AWS STS for authentication and authorization (ServiceAccount+Role+Policy)

  • Export cluster name using command

      export cluster_name=<CLUSTER-NAME>

  oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)

  • Check if there is an IAM OIDC provider configured already

      aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4

  #If not, run the below command by replacing your cluster anme 
  eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve

Ingress Controller Deployment

  • Deploy an ingress controller using a Helm chart to expose the application externally.

  • Create a service account (sa) for the ALB controller.

  • Attach the necessary role and policy to the service account.

  • Configure the service account to use the OIDC token.

  • This setup enables communication with AWS services like VPC, subnets, ELB, and target groups.

  • Download IAM policy

      curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/install/iam_policy.json

  • Create IAM Policy

      aws iam create-policy \
      --policy-name AWSLoadBalancerControllerIAMPolicy \
      --policy-document file://iam_policy.json

  • Create IAM Role

      eksctl create iamserviceaccount \
    --cluster=<your-cluster-name> \
    --namespace=kube-system \
    --name=aws-load-balancer-controller \
    --role-name AmazonEKSLoadBalancerControllerRole \
    --attach-policy-arn=arn:aws:iam::<your-aws-account-id>:policy/AWSLoadBalancerControllerIAMPolicy \
    --approve

Deploy ALB controller

  • Add helm repo

      helm repo add eks https://aws.github.io/eks-charts

  • Update the repo

      helm repo update eks

  • Install

      helm install aws-load-balancer-controller eks/aws-load-balancer-controller \            
    -n kube-system \
    --set clusterName=<your-cluster-name> \
    --set serviceAccount.create=false \
    --set serviceAccount.name=aws-load-balancer-controller \
    --set region=<region> \
    --set vpcId=<your-vpc-id>

  • Verify that the deployments are running

      kubectl get deployment -n kube-system aws-load-balancer-controller

EBS CSI Plugin configuration

  • Add the EBS CSI driver to the EKS cluster for dynamic volume provisioning.

  • Create a service account for the EBS CSI driver.

  • Attach the appropriate role and policy permissions to the service account.

  • This allows the storage class to provision and attach volumes to pods based on persistent volume claims (PVCs)

  • The command deploys an AWS CloudFormation stack that creates an IAM role and attaches the IAM policy to it.

      eksctl create iamserviceaccount \
      --name ebs-csi-controller-sa \
      --namespace kube-system \
      --cluster <YOUR-CLUSTER-NAME> \
      --role-name AmazonEKS_EBS_CSI_DriverRole \
      --role-only \
      --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
      --approve

  • Run the following command. Replace with the name of your cluster, with your account ID.

      eksctl create addon --name aws-ebs-csi-driver --cluster <YOUR-CLUSTER-NAME> --service-account-role-arn arn:aws:iam::<AWS-ACCOUNT-ID>:role/AmazonEKS_EBS_CSI_DriverRole --force

Deploy the Application

  • Use Helm charts to deploy all microservices.

  • Create an ingress resource for the web service to expose it externally.

  • The ALB controller implements the ingress rules and manages the desired state of the cluster.

  • Make sure to apply ingress resource created for web service,

      cd EKS/helm/ingress.yaml
  kubectl apply -f ingress.yaml

  • Use the following commands to deploy Helm charts

      $ kubectl create ns robot-shop
  $ helm install robot-shop --namespace robot-shop .

  • Once all the services are up and running, then using the Loadbalancer DNS name try to access the application.

    In real time, each microservice typically has its own dedicated repository and individual workflows or pipelines. These repositories are integrated with CI/CD systems to ensure that any changes made in Git automatically trigger the pipeline, enabling seamless deployment to the EKS cluster.