Kubernetes Pre-Installation Check
This check includes links to Kubernetes resources and will prepare you for the Istari-specific instructions, but completing it is not required to run the Istari Platform.
There are some universal requirements for running any website on Kubernetes that fall outside the scope of the Istari product, specifically:
- A properly configured Kubernetes cluster
- Installing a Helm chart
- A method for securely terminating TLS/SSL connections
- A cloud-specific load balancer
- DNS records
There are many ways to implement this on any given cloud, and your internal Kubernetes or OpenShift experts will have a preferred method for doing this. In many cases some of the necessary infrastructure will already be in place, making it essential that you work together with them when completing this exercise.
Install Test Helm Chart
The sample application for this test is podinfo, a tiny webapp used for end-to-end testing, workshops, and tutorials.
Begin by creating the file podinfo-values.yaml with the following contents:
image:
  repository: ghcr.io/stefanprodan/podinfo
  tag: 6.9.0
# # If using images from a private repo, also uncomment the following
# # four lines & replace '<image_pull_secret>' with the name of the Kubernetes secret used to pull images
# serviceAccount:
#   enabled: true
#   imagePullSecrets:
#     - name: <image_pull_secret>
logLevel: debug
Then, to install it run:
helm upgrade \
--install \
--wait \
--create-namespace \
--namespace podinfo \
--version 6.9.0 \
-f podinfo-values.yaml \
podinfo \
oci://ghcr.io/stefanprodan/charts/podinfo
Access Webapp
To open a temporary connection to the podinfo webapp, run the following commands:
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl -n podinfo port-forward deploy/podinfo 8080:9898
Then open http://127.0.0.1:8080 in your browser.
Once satisfied, press Ctrl + C to end the connection and regain control of your terminal.
TLS Termination, DNS, & Load Balancing
You should now set up TLS termination, load balancing, and DNS for your site so that it can be accessed securely from a URL such as https://podinfo.example.com. There are many ways to do this, some of which require installing additional software on your Kubernetes cluster.
If your Kubernetes cluster was created by another team in your organization, please reach out to them for instructions.
For those who are creating a cluster from scratch and have no internal precedent for using Kubernetes, the following are helpful resources.
AWS EKS Recommendation
For Elastic Kubernetes Service (EKS), the simplest method to accomplish this is to use ACM to issue a wildcard cert, install the AWS Load Balancer Controller on your cluster, create a load balancer, and finally add a DNS entry in Route 53. The following are helpful resources for learning how to do this:
- EKS Workshop: Exposing applications
- AWS Blog: Setting up end-to-end TLS encryption on Amazon EKS with the new AWS Load Balancer Controller
- AWS Blog: Serve distinct domains with TLS powered by ACM on Amazon EKS
If using an NLB you must do one of the following:
- Set the target type to IP (recommended). If doing so you must also enable the VPC CNI EKS add-on.
- Disable client IP preservation for the target groups.
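The two NLB options listed above, written as a Kubernetes Service for the podinfo test app with TLS terminated at the load balancer. This manifest is an added example, not part of the Istari or AWS instructions; it assumes the AWS Load Balancer Controller v2 annotations, a placeholder ACM certificate ARN, a hypothetical Service name, and that the podinfo pods carry the label app.kubernetes.io/name: podinfo (confirm with kubectl -n podinfo get pods --show-labels).

```yaml
# Added example: NLB in front of podinfo, reconciled by the AWS Load Balancer Controller.
apiVersion: v1
kind: Service
metadata:
  name: podinfo-nlb              # hypothetical name
  namespace: podinfo
  annotations:
    # Hand this Service to the AWS Load Balancer Controller instead of the in-tree provider.
    service.beta.kubernetes.io/aws-load-balancer-type: external
    # Keep the NLB private by default; use "internet-facing" only if the site
    # must be reachable from outside the VPC.
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal

    # Option 1 (recommended): register pod IPs as targets. Requires the VPC CNI add-on.
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip

    # Option 2: keep instance targets and disable client IP preservation instead.
    # Replace the target-type line above with these two lines:
    # service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    # service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=false

    # Terminate TLS on the NLB with the ACM certificate (placeholder ARN).
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:<region>:<account-id>:certificate/<certificate-id>
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    # Restrict the listener to TLS 1.2 and 1.3.
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: podinfo   # assumed pod label, verify before applying
  ports:
    # Only a TLS listener is exposed; there is no plaintext port 80.
    - name: https
      port: 443
      targetPort: 9898               # podinfo's HTTP port, as used in the port-forward step
      protocol: TCP
```

With this layout, traffic between the NLB and the pod is unencrypted inside the VPC; the end-to-end TLS blog post linked above covers encrypting that hop as well.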
Logging
Logging in Kubernetes is typically handled by installing a collector on the Kubernetes cluster which then forwards all logs to a service such as Grafana/Loki, Splunk, or Datadog. Applications that emit logs, including podinfo and the Istari Platform, should require no special configuration for this to work. If a Kubernetes cluster was provided for you, this software is likely already in place, and it is recommended that you consult with your Kubernetes experts on accessing these logs. If not, please refer to your logging forwarder's documentation for instructions on how to set up the collector.
podinfo is configured to emit a steady stream of logs, which you can use to confirm that logging is configured correctly on your cluster.
Take Some Screenshots
Great job! We recommend taking a few screenshots of the webapp with the newly configured URL, which should include the chosen domain as well as an https:// prefix. This will serve as a useful reference should any issues arise when installing the Istari Platform and its dependencies.
Cleanup Steps
TLS, DNS, & Load Balancer Cleanup
This will vary based on the implementation method, but generally consists of deleting AWS and Kubernetes resources. If Kubernetes-based software (such as the AWS Load Balancer Controller) is used to manage cloud resources, it is recommended to uninstall this as the final step.
Helm Chart Uninstallation
To uninstall the Helm chart and delete the temporary namespace, run the following commands:
helm uninstall --namespace podinfo podinfo
kubectl delete ns/podinfo