Updates to use EKS for the cluster

Author: buzzsurfr

01-path-basics/101-start-here/readme.adoc

@@ -19,31 +19,31 @@ If you are unsure, we recommend the "Launch template with an existing VPC" optio
 Click on the "Deploy to AWS" button and follow the CloudFormation prompts to begin.
 
 [NOTE]
-AWS Cloud9 is currently available in 5 regions.
-Please choose the region closest to you.
+AWS Cloud9 is currently available in 5 regions, and EKS is currently available in 2 regions (us-east-1 and us-west-2).
+Please choose the region closest to you.  If you choose a region for Cloud9 that does not support EKS, you will need to change the `AWS_DEFAULT_REGION` environment variable later.
 
 |===
 
 |Region | Launch template with a new VPC | Launch template with an existing VPC
 | *N. Virginia* (us-east-1)
-a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/lab-ide-vpc.template]
-a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/lab-ide-novpc.template]
+a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/v0.5/lab-ide-vpc.template]
+a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/v0.5/lab-ide-novpc.template]
 
 | *Ohio* (us-east-2)
-a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=us-east-2#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/lab-ide-vpc.template]
-a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=us-east-2#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/lab-ide-novpc.template]
+a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=us-east-2#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/v0.5/lab-ide-vpc.template]
+a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=us-east-2#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/v0.5/lab-ide-novpc.template]
 
 | *Oregon* (us-west-2)
-a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/lab-ide-vpc.template]
-a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/lab-ide-novpc.template]
+a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/v0.5/lab-ide-vpc.template]
+a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/v0.5/lab-ide-novpc.template]
 
 | *Ireland* (eu-west-1)
-a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=eu-west-1#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/lab-ide-vpc.template]
-a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=eu-west-1#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/lab-ide-novpc.template]
+a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=eu-west-1#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/v0.5/lab-ide-vpc.template]
+a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=eu-west-1#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/v0.5/lab-ide-novpc.template]
 
 | *Singapore* (ap-southeast-1)
-a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=ap-southeast-1#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/lab-ide-vpc.template]
-a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=ap-southeast-1#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/lab-ide-novpc.template]
+a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=ap-southeast-1#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/v0.5/lab-ide-vpc.template]
+a| image::./deploy-to-aws.png[link=https://console.aws.amazon.com/cloudformation/home?region=ap-southeast-1#/stacks/new?stackName=k8s-workshop&templateURL=https://s3.amazonaws.com/aws-kubernetes-artifacts/v0.5/lab-ide-novpc.template]
 
 |===
 
@@ -55,34 +55,40 @@ You should see an environment similar to this:
 
 image:cloud9-development-environment-welcome.png[]
 
+=== Cloud9 Instance Role
+
+The Cloud9 IDE needs to use the assigned IAM Instance profile. Open the "AWS Cloud9" menu, go to "Preferences", go to "AWS Settings", and disable "AWS managed temporary credentials" as depicted in the diagram here:
+
+image:cloud9-disable-temp-credentials.png[]
+
 === Build Script
 
 Once your Cloud9 is ready, download the build script and install in your IDE. This will prepare your IDE for running tutorials in this workshop. The build script installs the following:
 
 - jq
 - kubectl _(the Kubernetes CLI, which we'll cover in great detail later in the workshop)_
-- kops _(Kubernetes Operations, which we'll also cover in detail later)_
-- configures the AWS CLI and stores necessary environment variables in bash_profile
+- heptio/authenticator _(for authentication to the EKS cluster)_
+- updates/configures the AWS CLI and stores necessary environment variables in bash_profile
 - creates an SSH key
 - clone the workshop repository into Cloud9
 
 To install the script, run this command in the "bash" terminal tab of the Cloud9 IDE:
 
-    aws s3 cp s3://aws-kubernetes-artifacts/lab-ide-build.sh . && \
+    aws s3 cp s3://aws-kubernetes-artifacts/v0.5/lab-ide-build.sh . && \
     chmod +x lab-ide-build.sh && \
     . ./lab-ide-build.sh
 
 image:cloud9-run-script.png[Running the script in Cloud9 Terminal]
 
-[NOTE]
-All shell commands _(starting with "$")_ throughout the rest of the workshop should be run in this tab. You may want to resize it upwards to make it larger.
+If you deployed your Cloud9 IDE in any region not supported by EKS, you will need to manually set the `AWS_DEFAULT_REGION` environment variable to a region supported by EKS:
 
-At this point you can restart the Cloud9 IDE terminal session to ensure that the kublectl completion is enabled. Once a new terminal window is opened, type `kubectl get nodes`. You do not have to run the command. It is normal for this command to fail with an error message if you run it. You have not yet created the Kubernetes cluster. We are merely testing to make sure the `kubectl` tool is installed on the command line correctly and can autocomplete.
+    export AWS_DEFAULT_REGION=us-east-1
+    echo "AWS_DEFAULT_REGION=us-east-1" >> ~/.bash_profile
 
-One last step is required so that the Cloud9 IDE uses the assigned IAM Instance profile. Open the "AWS Cloud9" menu, go to "Preferences", go to "AWS Settings", and disable "AWS managed temporary credentials" as depicted in the diagram here:
-
-image:cloud9-disable-temp-credentials.png[]
+At this point you can restart the Cloud9 IDE terminal session to ensure that the kubectl completion is enabled. Once a new terminal window is opened, type `kubectl get nodes`. You do not have to run the command. It is normal for this command to fail with an error message if you run it. You have not yet created the Kubernetes cluster. We are merely testing to make sure the `kubectl` tool is installed on the command line correctly and can autocomplete.
 
+[NOTE]
+All shell commands _(starting with "$")_ throughout the rest of the workshop should be run in this tab. You may want to resize it upwards to make it larger.
 
 You are now ready to continue on with the workshop!
 
@@ -100,23 +106,29 @@ You are now ready to continue on with the workshop!
 |link:../../operations-path.adoc[Go to Operations Index]
 |=====
 
-The next step is link:../102-your-first-cluster[to create a Kubernetes cluster using kops].
+The next step is link:../102-your-first-cluster[to create a Kubernetes cluster using EKS].
 
 
 == Workshop Cleanup
 
 Once you have finished with the workshop, please don't forget to spin down your cluster or you will incur additional charges.
 (We will also remind you at the end!)
 
-==== Delete Kubernetes cluster resources
+Ensure that you have deleted all services, etc from the `default` namespace before proceeding.
+
+==== Delete EKS worker nodeds
+
+Go to CloudFormation console, right click template with name 'k8s-workshop-worker-nodes' and select 'Delete Stack'
+
+==== Delete EKS cluster
 
-In your Cloud9 IDE, check if there are any running kubernetes cluster
+In your Cloud9 IDE, check if there are any running EKS clusters
 
-   $ kops get cluster
+   $ aws eks list-clusters
 
-Delete kubernetes cluster
+Delete EKS cluster
 
-   $ kops delete cluster example.cluster.k8s.local --yes
+   $ aws eks delete-cluster --name k8s-workshop
 
 Wait until all resources are deleted by kops
 

01-path-basics/101-start-here/scripts/aws-auth-cm.sh

@@ -0,0 +1,14 @@
+# aws-auth ConfigMap script
+#title           aws-auth-cm.sh
+#description     This script will add a ConfigMap aws-auth to the EKS cluster k8s-workshop, allowing the worker nodes to join the cluster.
+#author          @buzzsurfr
+#contributors    @buzzsurfr @dalbhanj @cloudymind
+#date            2018-06-05
+#version         0.1
+#usage           curl -sSL https://s3.amazonaws.com/aws-kubernetes-artifacts/v0.5/aws-auth-cm.sh | bash -s stable
+#==============================================================================
+
+curl -O https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/aws-auth-cm.yaml
+export EKS_WORKER_ROLE=$(aws cloudformation describe-stacks --stack-name k8s-workshop-worker-nodes | jq -r '.Stacks[0].Outputs[]|select(.OutputKey=="NodeInstanceRole")|.OutputValue')
+sed -i -e "s#<ARN of instance role (not instance profile)>#${EKS_WORKER_ROLE}#g" aws-auth-cm.yaml
+kubectl apply -f aws-auth-cm.yaml

01-path-basics/101-start-here/scripts/lab-ide-build.sh

@@ -1,16 +1,19 @@
 # IDE-Build script
 #title           lab-ide-build.sh
-#description     This script will make a header for a bash script.
-#author          [email protected]
-#date            2018-01-19
-#version         0.1
+#description     This script will setup the Cloud9 IDE with the prerequisite packages and code for the workshop.
+#author          @buzzsurfr
+#contributors    @buzzsurfr @dalbhanj @cloudymind
+#date            2018-05-12
+#version         0.2
 #usage           curl -sSL https://s3.amazonaws.com/lab-ide-theomazonian/lab-ide-build.sh | bash -s stable
-#notes           Install Vim and Emacs to use this script.
 #==============================================================================
 
 # Install jq
 sudo yum -y install jq
 
+# Update awscli
+sudo -H pip install -U awscli
+
 # Install bash-completion
 sudo yum install bash-completion -y
 
@@ -19,10 +22,9 @@ curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s htt
 chmod +x kubectl && sudo mv kubectl /usr/local/bin/
 echo "source <(kubectl completion bash)" >> ~/.bashrc
 
-# Install kops
-curl -LO https://github.com/kubernetes/kops/releases/download/$(curl -s https://api.github.com/repos/kubernetes/kops/releases/latest | grep tag_name | cut -d '"' -f 4)/kops-linux-amd64
-chmod +x kops-linux-amd64
-sudo mv kops-linux-amd64 /usr/local/bin/kops
+# Install Heptio Authenticator
+go get -u github.com/heptio/authenticator/cmd/heptio-authenticator-aws
+export PATH=$PATH:$HOME/go/bin
 
 # Configure AWS CLI
 availability_zone=$(curl http://169.254.169.254/latest/meta-data/placement/availability-zone)
@@ -39,14 +41,39 @@ export AWS_MASTER_STACK=${AWS_MASTER_STACK%?}
 export AWS_MASTER_STACK=${AWS_MASTER_STACK#aws-cloud9-}
 export KOPS_STATE_STORE=s3://$(aws cloudformation describe-stack-resource --stack-name $AWS_MASTER_STACK --logical-resource-id "KopsStateStore" | jq -r '.StackResourceDetail.PhysicalResourceId')
 
+# EKS-specific variables from CloudFormation
+export EKS_VPC_ID=$(aws cloudformation describe-stacks --stack-name $AWS_MASTER_STACK | jq -r '.Stacks[0].Outputs[]|select(.OutputKey=="EksVpcId")|.OutputValue')
+export EKS_SUBNET_IDS=$(aws cloudformation describe-stacks --stack-name $AWS_MASTER_STACK | jq -r '.Stacks[0].Outputs[]|select(.OutputKey=="EksVpcSubnetIds")|.OutputValue')
+export EKS_SECURITY_GROUPS=$(aws cloudformation describe-stacks --stack-name $AWS_MASTER_STACK | jq -r '.Stacks[0].Outputs[]|select(.OutputKey=="EksVpcSecurityGroups")|.OutputValue')
+export EKS_SERVICE_ROLE=$(aws cloudformation describe-stacks --stack-name $AWS_MASTER_STACK | jq -r '.Stacks[0].Outputs[]|select(.OutputKey=="EksServiceRoleArn")|.OutputValue')
+
 # Persist lab variables
+echo "export PATH=$HOME/go/bin:$PATH" >> ~/.bashrc
 echo "AWS_AVAILABILITY_ZONES=$AWS_AVAILABILITY_ZONES" >> ~/.bash_profile
 echo "KOPS_STATE_STORE=$KOPS_STATE_STORE" >> ~/.bash_profile
 echo "export AWS_AVAILABILITY_ZONES KOPS_STATE_STORE" >> ~/.bash_profile
 
+# Persist EKS variables
+echo "EKS_VPC_ID=$EKS_VPC_ID" >> ~/.bash_profile
+echo "EKS_SUBNET_IDS=$EKS_SUBNET_IDS" >> ~/.bash_profile
+echo "EKS_SECURITY_GROUPS=$EKS_SECURITY_GROUPS" >> ~/.bash_profile
+echo "EKS_SERVICE_ROLE=$EKS_SERVICE_ROLE" >> ~/.bash_profile
+
+# EKS-Optimized AMI
+if [ "$AWS_DEFAULT_REGION" == "us-east-1" ]; then
+  export EKS_WORKER_AMI=ami-dea4d5a1
+elif [ "$AWS_DEFAULT_REGION" == "us-west-2" ]; then
+  export EKS_WORKER_AMI=ami-73a6e20b
+fi
+echo "EKS_WORKER_AMI=$EKS_WORKER_AMI" >> ~/.bash_profile
+
 # Create SSH key
 ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
 
+# Create EC2 Keypair
+aws ec2 create-key-pair --key-name ${AWS_STACK_NAME} --query 'KeyMaterial' --output text > $HOME/.ssh/k8s-workshop.pem
+chmod 0400 $HOME/.ssh/k8s-workshop.pem
+
 if [ ! -d "aws-workshop-for-kubernetes/" ]; then
   # Download lab Repository
   git clone https://github.com/aws-samples/aws-workshop-for-kubernetes

01-path-basics/101-start-here/templates/config-k8s-workshop

@@ -0,0 +1,26 @@
+apiVersion: v1
+clusters:
+- cluster:
+    server: <endpoint-url>
+    certificate-authority-data: <base64-encoded-ca-cert>
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: aws
+  name: aws
+current-context: aws
+kind: Config
+preferences: {}
+users:
+- name: aws
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1alpha1
+      command: heptio-authenticator-aws
+      args:
+        - "token"
+        - "-i"
+        - "<cluster-name>"
+        # - "-r"
+        # - "<role-arn>"

01-path-basics/101-start-here/templates/lab-ide-novpc.template

@@ -1,6 +1,6 @@
 {
   "AWSTemplateFormatVersion": "2010-09-09",
-  "Description": "Lab IDE using existing Subnet for container workshop v0.4",
+  "Description": "Lab IDE using existing Subnet for container workshop v0.5",
   "Metadata": {},
   "Parameters": {
     "SubnetId": {
@@ -12,6 +12,18 @@
   "Mappings": {},
   "Conditions": {},
   "Resources": {
+    "EksVpc": {
+      "Type" : "AWS::CloudFormation::Stack",
+      "Properties" : {
+        "TemplateURL" : "https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-vpc-sample.yaml"
+      }
+    },
+    "EksServiceRole": {
+      "Type" : "AWS::CloudFormation::Stack",
+      "Properties" : {
+        "TemplateURL" : "https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-service-role.yaml"
+      }
+    },
     "LabIDE": {
       "Description": "-",
       "Type": "AWS::Cloud9::EnvironmentEC2",
@@ -55,6 +67,25 @@
             }
           ]
         },
+        "Policies": [
+          {
+            "PolicyName": "eks-service",
+            "PolicyDocument": {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Action": [
+                    "eks:*",
+                    "cloudformation:CreateStack",
+                    "cloudformation:UpdateStack"
+                  ],
+                  "Resource": "*"
+                }
+              ]
+            }
+          }
+        ],
         "ManagedPolicyArns": [
           "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
           "arn:aws:iam::aws:policy/AmazonRoute53FullAccess",
@@ -302,6 +333,26 @@
           ]
         ]
       }
+    },
+    "EksServiceRoleArn": {
+      "Value": {
+        "Fn::GetAtt": ["EksServiceRole", "Outputs.RoleArn"]
+      }
+    },
+    "EksVpcId": {
+      "Value": {
+        "Fn::GetAtt": ["EksVpc", "Outputs.VpcId"]
+      }
+    },
+    "EksVpcSubnetIds": {
+      "Value": {
+        "Fn::GetAtt": ["EksVpc", "Outputs.SubnetIds"]
+      }
+    },
+    "EksVpcSecurityGroups": {
+      "Value": {
+        "Fn::GetAtt": ["EksVpc", "Outputs.SecurityGroups"]
+      }
     }
   }
 }