Merge pull request #15 from Lemoncode/feature/eks-contents

Feature/eks contents

Author: JaimeSalas

.gitignore

@@ -17,3 +17,10 @@ exercise-solution/
 
 # code Jenkins demos
 app/
+
+# Access Keys
+*.pem
+*.pub
+
+# CDK8s demos
+*/08-ckd8s/00-hello-world-code/

04-cloud/01-eks/00-install-tools/readme.md

@@ -0,0 +1,15 @@
+# Install Tools
+
+Para trabajar con EKS necesitamos tener instalado en nuestros equipos las siguientes herramientas:
+
+* kubectl 
+* aws cli
+* eksctl
+
+Si bien la última herramienta no es obligatoria para trabajar con `EKS`, va a hacer todos nuestros procesos mucho más fáciles.
+
+En el caso de `kubectl`, en el siguinete enlace podemos encontrar la [guía instalación kubectl](https://kubernetes.io/es/docs/tasks/tools/install-kubectl/).
+
+Para instalar `aws cli`, podemos hacer uso del siguiente [enlace](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html).
+
+Por último debemos instalar `eksctl`, en este [enlace](https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html), tenemos los pasos necesarios.

04-cloud/01-eks/01-create-aws-user/readme.md

@@ -0,0 +1,114 @@
+# Create AWS user
+
+## Pre requisitos
+
+* Tener una cuenta de `AWS` y poder acceder a la consola de `AWS` vía web.
+* `AWS CLI` instalado en nuestro equipo.
+
+## Agenda
+
+
+## Introducción
+
+Cuando creamos una nueva cuenta en AWS, el usuario por defecto es `root`, se considera como buena práctica no utilizar este usuario para realizar las distaintas tareas en su día a día. En su lugar es mejor, crear un nuevo usario, con permisos de administrador y guardar las clavers de `root` en un lugar bien seguro. 
+
+Para poder crear un usuario con permisos de administrador previamente debemos crear un grupo y a este grupo añadir las poíticas de `AWS`, de administrador.
+
+## Creando un grupo
+
+```bash
+$ aws iam create-group --group-name <group-name>
+```
+
+> Contsraits: The name can consist of letters, digits, and the following characters: plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). The name is not case sensitive and can be a maximum of 128 characters in length.
+
+Para verificar que hemos tenido exito en nuestra operación
+
+```bash
+$ aws iam list-groups
+```
+
+La respuesta incluye el `Amazon Resource Name` (ARN) para el nuevo grupo. El `ARN` es un standard  que Amazon utiliza para identificar recursos.
+
+## Atando una política al grupo
+
+Utilizando el siguiente comando enlazamos la política de administardor con el grupo recientemenet creado 
+
+```bash
+$ aws iam attach-group-policy --group-name <group-name> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+``` 
+
+Para verificar que la política se ha atado correctamente al grupo 
+
+```bash
+$ aws iam list-attached-group-policies --group-name <group-name>
+``` 
+
+La respuesta nos da la lista de políticas atadas al grupo. Si queremos comprobar los contenidos de una política en particular podemos usar `aws iam get-policy`
+
+## Creando un usuario IAM y añadiendolo al grupo
+
+### 1. Creamos un usuario
+
+```bash
+$ aws iam create-user --user-name eksAdmin
+```
+
+### 2. Añadiendo el Usuaro a un grupo
+
+```bash
+$ aws iam add-user-to-group --group-name <group-name>  --user-name <user-name>
+``` 
+
+
+### 3. (Opcional) Dar al usuario acceso a la consola.
+
+Tenemos que proporcioanr al usuario la url de su cuenta para que se pueda registrar dentro de la consola
+
+```
+https://My_AWS_Account_ID.signin.aws.amazon.com/console/
+```
+
+```bash
+$ aws iam create-login-profile --generate-cli-skeleton > create-login-profile.json
+```
+
+Genera un `template`, que ahora podemos utilizar para inicializar el usuario
+
+```bash
+$ aws iam create-login-profile --cli-input-json file://create-login-profile.json
+``` 
+
+Esto nos da como salida
+
+```json
+{
+  "LoginProfile": {
+      "UserName": "eksAdmin",
+      "CreateDate": "2020-12-20T16:38:19+00:00",
+      "PasswordResetRequired": true
+  }
+}
+```
+
+Ahora con el `loginProfile` creado, del ARN del usuario extraemos su `Account ID` , solo los dígitos, y lo pegamos aquí:
+
+```
+google https://xxxxxxxxxxxx.signin.aws.amazon.com/console/
+``` 
+
+### 4. Crear Access Key
+
+Con esta `key` nuestro nuevo usuario tendrá acceso programático desde `AWS CLI`
+
+```bash
+$ aws iam create-access-key --user-name <user-name>
+``` 
+
+Con la salida anterior podemos configurar nuestro usurio por defecto usando `aws configute`
+
+En el caso de Linux y macOS, podemos encontrar nuestras credenciales en `/.aws`
+
+## Referencias
+
+> Configurar AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html

04-cloud/01-eks/02-launching-cluster-eks/demos.yml

@@ -0,0 +1,20 @@
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: lc-cluster
+  region: eu-west-3
+  version: "1.18"
+
+iam:
+  withOIDC: true
+
+managedNodeGroups:
+  - name: lc-nodes
+    instanceType: t2.small
+    desiredCapacity: 3
+    minSize: 1
+    maxSize: 4
+    ssh:
+      allow: true
+      publicKeyPath: "./eks_key.pub"

04-cloud/01-eks/02-launching-cluster-eks/readme.md

@@ -0,0 +1,130 @@
+# Build your first EKS Cluster
+
+## Introduction
+
+The official CLI to launch a cluster is `eksctl`, this is a tool develop by weavworks on conjuntion of AWS team. The goal of this tool is to build an `EKS cluster` much easier. If we thing the things that we have to do to build a cluster, we have to create VPC, provision subnets (multiples of them), set up routing in your VPC, then you con go to the control plane on the console and launch the cluster. All the infrastructure could be done using `CloudFormation`, but still being a lot of work.
+
+We can build the cluster from `EKS Cluster console`, all the choices expose there can be done with `eksctl`
+
+## How do I check the IAM role on the workspace?
+
+```bash
+aws sts get-caller-identity
+```
+
+## Create EC2 Key
+
+```bash
+$ aws ec2 create-key-pair --key-name EksKeyPair --query 'KeyMaterial' --output text > EksKeyPair.pem
+```
+
+Modify permissions over the private key to avoid future warnings
+
+```bash
+$ chmod 400 EksKeyPair.pem
+``` 
+
+With this new private key we can go ahead and generate a public one, that's the key that will be upload into the node (EC2 instance). If we provide this key, and we have the private one, we can connect to the remote instance.
+
+```bash
+$ ssh-keygen -y -f EksKeyPair.pem > eks_key.pub
+```
+
+## Create definition YAML
+
+```yaml
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: lc-cluster
+  region: eu-west-3
+  version: "1.18"
+
+iam:
+  withOIDC: true
+
+managedNodeGroups:
+  - name: lc-nodes
+    instanceType: t2.small
+    desiredCapacity: 3
+    minSize: 1
+    maxSize: 4
+    ssh:
+      allow: true
+      publicKeyPath: "./eks_key.pub"
+``` 
+
+```bash
+eksctl create cluster \
+--name lc-cluster \
+--version 1.18 \
+--region eu-west-3 \
+--nodegroup-name lc-nodes \
+--node-type t2.small \
+--nodes 3 \
+--nodes-min 1 \
+--nodes-max 4 \
+--with-oidc \
+--ssh-access=true \
+--ssh-public-key=eks_key.pub \
+--managed
+```
+
+Both forms are going to create exactly the same, but if we want to get all the power of `eksctl` we have to use the declarative way using the yaml form.
+
+## Understanding eks file
+
+`eksctl` is going to build our cluster using this file.
+
+```yaml
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: lc-cluster # [1]
+  region: eu-west-3 # [2]
+  version: "1.18" # [3]
+
+iam:
+  withOIDC: true # [4]
+
+managedNodeGroups: # [5]
+  - name: lc-nodes # [6]
+    instanceType: t2.small # [7]
+    desiredCapacity: 3 # [8]
+    minSize: 1 # [9]
+    maxSize: 4 # [10]
+    ssh: # [11]
+      allow: true # will use ~/.ssh/id_rsa.pub as the default ssh key
+      publicKeyPath: "./eks_key.pub" # Add path to key
+``` 
+
+1. This is the cluster name, in our case `lc-cluster`
+2. The AZ where the cluster is going to be deplyed
+3. The Kuberntes version that we're going to use, if we let it empty, will use the last stable for `AWS`
+4. enables the IAM OIDC provider as well as IRSA for the Amazon CNI plugin
+5. `managedNodeGroups` are a way for the `eks service` to actually provision your data plane on your behalf so normally if you think about the of a container orchestrator it's jsut orchestarte containers on your compute so we're starting to see expansion of that role a little bit so now instead of you bringing your own compute and you having to manage patching it, updating it, rolling in new versions of it and all that day to day stuff, it's possible to be managed by AWS, this is what `managedNodeGroup` does. AWS provides the AMI and provisioning into your account on your behalf.
+6. The name of the group of nodes
+7. The instance type that we're running. We're usding the free tier
+8. The number of nodes that we want to have on the node group
+9. If the cluster infrastructure is updated the minimun mumber of instances that we want on the node group
+10. If the cluster infrastructure is updated the max number of instances that we want on the node group
+11. The `ssh` key to connect to our EC2 instances.
+
+
+## Launching the Cluster
+
+Now we're ready to launch the cluster
+
+```bash
+$ eksctl create cluster -f demos.yml
+``` 
+
+## Test the cluster
+
+Now we can test that our cluster is up and running.
+
+```bash
+$ kubectl get nodes
+```

04-cloud/01-eks/03-deploy-k8s-dashboard/readme.md

@@ -0,0 +1,86 @@
+# Deploy the Kubernetes Dashboard 
+
+## Deploy the Official Kubernetes Dashboard
+
+The official Kubernetes dashboard is not deployed by default, but there are instructions in the official documentation
+
+We can deploy the dashboard with the following command:
+
+```bash
+export DASHBOARD_VERSION="v2.0.0"
+
+$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/${DASHBOARD_VERSION}/aio/deploy/recommended.yaml
+
+namespace/kubernetes-dashboard created
+serviceaccount/kubernetes-dashboard created
+service/kubernetes-dashboard created
+secret/kubernetes-dashboard-certs created
+secret/kubernetes-dashboard-csrf created
+secret/kubernetes-dashboard-key-holder created
+configmap/kubernetes-dashboard-settings created
+role.rbac.authorization.k8s.io/kubernetes-dashboard created
+clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
+rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
+clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
+deployment.apps/kubernetes-dashboard created
+service/dashboard-metrics-scraper created
+deployment.apps/dashboard-metrics-scraper created
+```
+
+If we have a look into our services we can find
+
+```bash
+ kubectl get services --all-namespaces
+NAMESPACE              NAME                        TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
+default                kubernetes                  ClusterIP   10.100.0.1     <none>        443/TCP         3h15m
+kube-system            kube-dns                    ClusterIP   10.100.0.10    <none>        53/UDP,53/TCP   3h15m
+kubernetes-dashboard   dashboard-metrics-scraper   ClusterIP   10.100.90.15   <none>        8000/TCP        75s
+kubernetes-dashboard   kubernetes-dashboard        ClusterIP   10.100.9.10    <none>        443/TCP         76s
+```
+
+## Access the Dashboard
+
+Since this is deployed to our private cluster, we need to access it via a proxy. `kube-proxy` is available to proxy our requests to the dashboard service. In your workspace, run the following command:
+
+```bash
+$ kubectl proxy --port=8080 --address=0.0.0.0 --disable-filter=true &
+```
+
+> Running from a local environment is enough to do `kubectl proxy --port=8080` (or any other port that we want to use)
+
+This will start the proxy, listen on port 8080, listen on all interface, and will filtering of non-localhost requests.
+
+This command will continue to run in the background of the current terminal's session
+
+Now we can access the Kubernetes Dashboard from
+
+```
+google localhost:8080/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
+```
+
+To access the dashboard we have to provide a `token`, we can achive this by running the following:
+
+```bash
+$ aws eks get-token --cluster-name lc-cluster | jq -r '.status.token'
+```
+
+Copy the output of this command and then click the radio button next to Token then in the text field below paste the output from the last command
+
+## Cleanup
+
+Stop the proxy and delete the dashboard deployment
+
+```bash
+# kill proxy
+pkill -f 'kubectl proxy --port=8080'
+
+# delete dashboard
+kubectl delete -f https://raw.githubusercontent.com/kubernetes/dashboard/${DASHBOARD_VERSION}/aio/deploy/recommended.yaml
+
+unset DASHBOARD_VERSION
+```
+
+## References
+
+> How to use kubectl proxy to access your applications:  https://www.returngis.net/2019/04/como-usar-kubectl-proxy-para-acceder-a-tus-aplicaciones/
+> Proxies in Kubernetes official documentation: https://kubernetes.io/docs/concepts/cluster-administration/proxies/