|
| 1 | +--- |
| 2 | +title: 'EKS add-ons Advanced Configuration for ADOT: Collector Deployment (<v0.88.0-eksbuild.1)' |
| 3 | +description: |
| 4 | + This page details Collector deployment through EKS add-on advanced configuration for ADOT. |
| 5 | +path: '/docs/getting-started/adot-eks-add-on/add-on-configuration-collector-deployment-deprecated' |
| 6 | +--- |
| 7 | + |
| 8 | +As discussed in the section [Add-on Advanced Configuration (<v0.88.0-eksbuild.1)](/docs/getting-started/adot-eks-add-on/add-on-configuration-deprecated), EKS add-ons now provides the ability to configure ADOT during installation time of the add-on. With this functionality, an ADOT Collector can also be deployed during an installation, provided that add-on version `v0.62.1-eksbuild.1` or higher is being used. |
| 9 | + |
| 10 | +For more information on Collector configuration, and to learn about Amazon Managed Service for Prometheus (AMP), Amazon CloudWatch (CW), and AWS X-Ray as telemetry destinations, see the [Collector configuration introduction](/docs/getting-started/adot-eks-add-on/config-collector-intro) section. |
| 11 | + |
| 12 | +Below is a list of configurable values EKS add-ons provides for ADOT, specifically to enable Collector deployment. |
| 13 | + |
| 14 | +| Value | Description | Default | Example | |
| 15 | +| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |
| 16 | +| `collector.mode` | Specifies what mode to deploy the Collector in. Modes are `deployment`, `daemonset`, `statefulset`, and `sidecar`. | `deployment` | "{"collector":{"mode":"deployment"}}" | |
| 17 | +| `collector.replicas` | Specifies how many replicas of the Collector to deploy. | `1` | "{"collector":{"replicas":1}}" | |
| 18 | +| `collector.resources.limits.cpu` | Modifies the cpu resource limit for the ADOT Collector pod.* | `256m` | "{"collector":{"resource":{"limits":{"cpu":"256m"}}}}" | |
| 19 | +| `collector.resources.limits.memory` | Modifies the memory resource limit for the ADOT Collector pod.* | `512Mi` | "{"collector":{"resource":{"limits":{"memory":"512Mi"}}}}" | |
| 20 | +| `collector.resources.requests.cpu` | Modifies the cpu resource request for the ADOT Collector pod.* | `64m` | "{"collector":{"resource":{"requests":{"cpu":"64m"}}}}" | |
| 21 | +| `collector.resources.requests.memory` | Modifies the memory resource request for the ADOT Collector pod.* | `128Mi` | "{"collector":{"resource":{"requests":{"memory":"128Mi"}}}}" | |
| 22 | +| `collector.serviceAccount.create` | Specify whether or not to create a service account for use with Collector deployment. | `true` | "{"collector":{"serviceAccount":{"create":true}}}" | |
| 23 | +| `collector.serviceAccount.name` | Specify a name for a service account for use with Collector deployment, either to create or a pre-existing service account. | `aws-otel-collector` | "{"collector":{"serviceAccount":{"name":"aws-otel-collector"}}}" | |
| 24 | +| `collector.serviceAccount.annotations**` | Specifies annotations for a service account for use with Collector deployment. | N/A | "{"collector":{"serviceAccount":{"annotations":{"eks.amazonaws.com/role-arn":"arn:aws:iam::000000000000:role/adot-collector"}}}}}" | |
| 25 | +| `collector.amp.enabled` | Specify whether or not to enable AMP as a destination for Collector deployment. | `false` | "{"collector":{"amp":{"enabled":true}}}" | |
| 26 | +| `collector.amp.remoteWriteEndpoint` | Specify a remote write endpoint for AMP. Required if `collector.amp.enabled` is true. | N/A | "{"collector":{"amp":{"remoteWriteEndpoint":"https://aps-workspaces.us-west-2.amazonaws.com/workspaces/ws-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/api/v1/remote_write"}}}" | |
| 27 | +| `collector.cloudwatch.enabled` | Specify whether or not to enable CW as a destination for Collector deployment. | `false` | "{"collector":{"cloudwatch":{"enabled":true}}}" | |
| 28 | +| `collector.xray.enabled` | Specify whether or not to enable X-Ray as a destination for Collector deployment. | `false` | "{"collector":{"xray":{"enabled":true}}}" | |
| 29 | + |
| 30 | +*Note that in Fargate, resource requests and limits must be equal, see this [troubleshooting guide](https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting-adot.html) for more information. |
| 31 | + |
| 32 | +**The `collector.serviceAccount.annotations` configuration value can be used to annotate your service account and associate it with an IAM role for the IAM Roles for Service Accounts (IRSA). As an alternative to using this configuration value for IRSA, you can use the `--service-account-role-arn` flag when creating or updating the add-on. This flag will annotate service accounts created by the add-on with the role ARN you provide. The equivalent to the example provided for `collector.serviceAccount.annotations` is `--service-account-role-arn arn:aws:iam::000000000000:role/adot-collector`. |
| 33 | + |
| 34 | +## Use your IAM role to launch the ADOT Collector |
| 35 | +You can associate your IAM role to your EKS service account using [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-enable-IAM.html). Your service account can then provide AWS permissions to the containers you run in any pod that use that service account. You must use this command for each cluster where you're installing ADOT to grant your AWS service account permissions. |
| 36 | +Follow these steps to associate your IAM role to your EKS service account using IRSA: |
| 37 | + |
| 38 | +1. Create an IAM OpenID Connect (OIDC) provider for your cluster by following the steps in the link below: |
| 39 | + * [Create an IAM OIDC provider for your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) |
| 40 | +2. Create your service account and IAM role. In this command, you must have values for the following flags: |
| 41 | + * For the `--name` flag, add the name of the service account you want to create; for this example we will name it `adot-collector`. |
| 42 | + * For the `--namespace` flag, use the namespace your service account will reside in; for our example we will use the default namespace. |
| 43 | + * For the `--cluster` flag, use the name of your cluster. |
| 44 | + * The three `--attach-policy-arn` values are the policies to be attached. These three policies are the policies needed for each service we want to export to. If you only plan on using 1 or 2 of the services, you only need to attach the policies for that service: |
| 45 | + * `arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess` grants write access to the Prometheus service. |
| 46 | + * `arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess` grants write access to the AWS X-Ray service. |
| 47 | + * `arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy` grants access to write the CloudWatch service. |
| 48 | + * The `--override-existing-serviceaccounts` flag is for if you have a service account already created in the cluster without an IAM Role. You can exclude this if that is not the case. |
| 49 | + |
| 50 | +```console |
| 51 | +eksctl create iamserviceaccount \ |
| 52 | + --name adot-collector \ |
| 53 | + --namespace default \ |
| 54 | + --cluster <your_cluster_name> \ |
| 55 | + --attach-policy-arn arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess \ |
| 56 | + --attach-policy-arn arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess \ |
| 57 | + --attach-policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy \ |
| 58 | + --approve \ |
| 59 | + --override-existing-serviceaccounts |
| 60 | +``` |
| 61 | + |
| 62 | +We can see in the above table that one of the configurable values is `collector.serviceAccount`. We will utilize this field by adding the `serviceAccount: { name: adot-collector }` field to our collector configuration to use IRSA. |
| 63 | + |
| 64 | +An example of how to use EKS add-ons to install ADOT, with a Collector deployment to AMP using a pre-existing service account for IRSA, can be seen in the command below |
| 65 | + |
| 66 | +```console |
| 67 | +aws eks create-addon \ |
| 68 | + --cluster-name <YOUR-EKS-CLUSTER-NAME> \ |
| 69 | + --addon-name adot \ |
| 70 | + --addon-version v0.62.1-eksbuild.1 \ |
| 71 | + --configuration-values file://configuration-values.json |
| 72 | +``` |
| 73 | + |
| 74 | +```json |
| 75 | +// configuration-values.json |
| 76 | +{ |
| 77 | + "collector": { |
| 78 | + "serviceAccount": { |
| 79 | + "create": false, |
| 80 | + "name": "<YOUR-SERVICE-ACCOUNT-NAME>" |
| 81 | + }, |
| 82 | + "amp": { |
| 83 | + "enabled": true, |
| 84 | + "remoteWriteEndpoint": "https://aps-workspaces.us-west-2.amazonaws.com/workspaces/ws-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/api/v1/remote_write" |
| 85 | + } |
| 86 | + } |
| 87 | +} |
| 88 | +``` |
| 89 | + |
| 90 | +Note that collector may take 2-3 minutes to create and show up in your cluster. |
| 91 | + |
| 92 | + |
| 93 | +## [Previous Topic: Add-on Advanced Configuration (<v0.88.0-eksbuild.1)](/docs/getting-started/adot-eks-add-on/add-on-configuration-deprecated) |
| 94 | + |
| 95 | +## [Next Topic: Updating and Cleanup](/docs/getting-started/adot-eks-add-on/update-and-cleanup) |
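Review bot: The Example column for the four `collector.resources.*` rows (diff lines 18-21) uses the key `"resource"`, while the Value column documents `resources`; anyone copying an example sets a key that does not match the documented one, so the examples should read `{"collector":{"resources":{...}}}`. On line 24 the `collector.serviceAccount.annotations` example opens four objects and closes five, so the trailing `}` should be dropped. In the IRSA section, the `eksctl create iamserviceaccount` sample attaches all three managed policies, yet the `create-addon` example that follows enables only `amp`; since the bullet on line 44 already says to attach only the policies for the services in use, the sample would be more consistent attaching only `AmazonPrometheusRemoteWriteAccess`, or it should state that it shows the full set. The same command creates `adot-collector` in the `default` namespace, while `configuration-values.json` uses `<YOUR-SERVICE-ACCOUNT-NAME>` and the page never says which namespace the add-on deploys the Collector into; a sentence saying the name and namespace must match the pre-existing service account would close that gap. The `// configuration-values.json` line inside the `json` fence on line 75 is not valid JSON and will be copied into the file by readers; move the filename into the prose above the fence. Smaller points: line 35 says "You must use this command" before any command has been shown and links IRSA to the EMR on EKS guide rather than the EKS guide linked on line 39, line 62 refers to `collector.serviceAccount` although the table lists only `.create`, `.name` and `.annotations`, and line 64 ends without punctuation before the code block.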