Deploying 3-Tier Architecture with 8 Services and 2 Databases on Amazon EKS | E-commerce Robot Shop
A Comprehensive Guide to deploy a 3-tier app on Kubernetes
What is 3 tier architecture model
The 3-tier architecture is a common design pattern in software development that organizes an application’s components into three interconnected layers or tiers. Each tier serves a specific purpose and has distinct responsibilities.
- frontend — user interface — presentation layer
- backend — logic layer
- database — data layer
Why frontend?
To handle user interactions, displays product information, facilitates navigation, and manages the shopping experience.
Why backend
To executes business rules, manage inventory, calculate prices, process transactions, and interact with the data tier for data retrieval and storage.
Why database
To store and retrieve data, ensure data integrity, and support the data requirements of the application tier.
High level design of this robot shop application
This Robot Shop Project has basically 2 workflows
- User Workflow
- Application Workflow
- Users can go to the registration page or go to login page
- Users get to know — switch to the catalogue page
- different sections — two categories — Artificial Intelliogence products and other one is robots
- If user goes to the robots section — sees rating — if they like they add it to cart — then payment — if interested in buying — provide shipping details — the order is completed from user’s side and the user gets an order id
- Each components need logic — written by the dev team.
- if — one single binary or monolithic approach. Different actions — catalouge, ratings, payment etc etc. — diff kind of logic; all together in 10,000 lines of code — single binary. This is not a good practice.
- We have made these components — individually deployable — microservice architecture. It’s easy to test, debug one particular service without hampering other services — providing good user experience.
DataBases and In memory Data Store
Once you click on the catalog — pricing, rating, discounts, etc details are shown to the user — for the catalog there is one database.
Another is for validation of users — registered or not, logging with the proper credentials or not?
Another case comes →
Need in-memory data store For cart — redis
Add one of the products to cart → that very moment somehow the application broker down or you got logged out → Again after some days again log in → product still in the cart.
Also can use in memory cache →
problem → if this application goes down — all the details → what the user have added to the cart — will be lost.
Redis — create it as stateful set in kubernetes.
To store user details, this app uses MongoDB.
To store the catalog (ratings) the app uses MySQL.
OIDC-IAM Configuration
In the context of deploying applications on Amazon EKS and integrating with AWS resources, OIDC-IAM configuration could be introduced to enhance identity verification and access control.
Amazon EKS, a prominent service within AWS, serves as the foundational framework for deploying various pods, each representing a distinct component of an application.
In particular, when dealing with stateful workloads like Redis, a persistent volume becomes imperative for maintaining data integrity. This is achieved through Elastic Block Store (EBS) , a reliable storage solution that seamlessly integrates with EKS.
For effective communication between the EKS service and EBS volumes, Kubernetes service accounts play a crucial role.
In Kubernetes, service accounts are created by default, serving as a means for pods to authenticate and interact within the cluster. To extend this authentication to AWS services, integration with AWS Identity and Access Management (IAM) becomes pivotal. By associating Kubernetes service accounts with IAM policies, a secure and seamless communication channel is established. This integration empowers Kubernetes pods to effectively communicate with various AWS services, ensuring that they can access and utilize resources securely.
In this demo project, this integration empowers Kubernetes pods, especially those within a stateful set dedicated to Redis, to communicate seamlessly with EBS volumes. The persistent volume (PV) derived from EBS becomes an essential conduit, ensuring that Redis stateful pods can efficiently store and retrieve data. This meticulous integration not only streamlines communication within the EKS environment but also grants the necessary access to AWS resources, enhancing the overall efficiency and reliability of the deployed architecture.
**Practical Part**
STEP 1: CREATE IAM USER IN AWS
1. Log in to the AWS console using your credentials.
2. In the search bar, enter ‘IAM’ to access the IAM Dashboard.
3. Navigate to the ‘Users’ section and click on ‘Create User’.
Provide a Name and provide checkboxes and click on Next
Explore Direct Attachment of Policies: Leveraging AdministratorAccess for Educational Purposes
Click on Next
Click on Create user.
Click on View user
Click on Continue
Click on Security credentials
Now under security credentials, Go to Access keys
Click on Create access key
Select CLI & Accept terms and click on Next
Click on Create access key
Download .csv file and click on Done
STEP2: Create EC2 Instance
1. Sign in to AWS Console: Log in to your AWS Management Console.
2. Navigate to EC2 Dashboard: Go to the EC2 Dashboard by selecting “Services” in the top menu and then choosing “EC2” under the Compute section.
3. Launch Instance: Click on the “Launch Instance” button to start the instance creation process.
4. Choose an Amazon Machine Image (AMI): Select an appropriate AMI for your instance. For example, you can choose Ubuntu image.
5. Choose an Instance Type: In the “Choose Instance Type” step, select t2.medium as your instance type. Proceed by clicking “Next: Configure Instance Details.”
6. Configure Instance Details:
- For “Number of Instances,” set it to 1 (unless you need multiple instances).
- Configure additional settings like network, subnets, IAM role, etc., if necessary.
- For “Storage,” click “Add New Volume” and set the size to 8GB (or modify the existing storage to 16GB).
- Click “Next: Add Tags” when you’re done.
7. Add Tags (Optional): Add any desired tags to your instance. This step is optional, but it helps in organizing instances.
8. Configure Security Group:
- Choose an existing security group or create a new one.
- Ensure the security group has the necessary inbound/outbound rules to allow access as required.
9. Review and Launch: Review the configuration details. Ensure everything is set as desired.
10. Select Key Pair:
- Select “Choose an existing key pair” and choose the key pair from the dropdown.
- Acknowledge that you have access to the selected private key file.
- Click “Launch Instances” to create the instance.
11. Access the EC2 Instance: Once the instance is launched, you can access it using the key pair and the instance’s public IP or DNS.
Step3: Connect to Instance and Install Required Packages
eksctl
sudo apt update
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin
eksctl version
Kubectl
curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.3/2023-11-14/bin/linux/amd64/kubectl
chmod +x ./kubectl
mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$HOME/bin:$PATH
kubectl version --client
Aws CLI
sudo apt install unzip -y
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws --version
Helm
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
STEP4: EKS Setup
aws configureUsing us-east-1 region
Lets clone GitHub repo
git clone https://github.com/Sayantan2k24/three-tier-architecture-demo.git
cd three-tier-architecture-demo/
Create cluster ( it requires 10 to 15 min to create an eks cluster)
I am using us-east-1 region to create my eks cluster.
eksctl create cluster --name demo-cluster-three-tier-1 --region us-east-1
commands to configure IAM OIDC provider
USE CLUSTER NAME demo-cluster-three-tier-1
export cluster_name=<CLUSTER-NAME>The command “export cluster_name=” is used in a computer’s command-line interface to create a named storage space (variable) that holds a specific value. It’s like giving a name to something so you can use it later. In this case, it’s creating a storage space called “cluster_name” and putting a value in it, which represents the name of a cluster. This helps remember and use the cluster’s name in other commands or programs without typing it repeatedly.
oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)This command uses the AWS CLI (Command Line Interface) to extract a specific piece of information about an Amazon EKS (Elastic Kubernetes Service) cluster
Check if there is an IAM OIDC provider configured already
aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4This command utilizes the AWS CLI (Command Line Interface) to list OpenID Connect (OIDC) providers in your AWS Identity and Access Management (IAM) and extract specific information
eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approveEKSCTL command used to associate the IAM OIDC provider with an Amazon EKS (Elastic Kubernetes Service) cluster.
setup alb add on
Download IAM policy
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/install/iam_policy.json
aws iam create-policy \
--policy-name AWSLoadBalancerControllerIAMPolicy \
--policy-document file://iam_policy.json
create IAM role
Please Add cluster name and Aws account ID
eksctl create iamserviceaccount \
--cluster=<your-cluster-name> \
--namespace=kube-system \
--name=aws-load-balancer-controller \
--role-name AmazonEKSLoadBalancerControllerRole \
--attach-policy-arn=arn:aws:iam::<your-aws-account-id>:policy/AWSLoadBalancerControllerIAMPolicy \
--approveTo get aws account id
Go to aws console and click on Right side profile name and copy it
Deploy ALB controller
Add helm repo
helm repo add eks https://aws.github.io/eks-chartsUpdate the repo
helm repo update eks
Install
please update VPC_ID in this command
go to eks and copy vpc id
helm install aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName=demo-cluster-three-tier-1 --set serviceAccount.create=false --set serviceAccount.name=aws-load-balancer-controller --set region=us-east-1 --set vpcId=<vpc-id>
Verify that the deployments are running
kubectl get deployment -n kube-system aws-load-balancer-controller
EBS CSI Plugin configuration
When deploying Redis as a stateful set for in-memory data storage, the need for persistence arises, and AWS Elastic Block Store (EBS) serves as a suitable solution.
Whenever we create redis , it has two components.
- persistent volume claim
- storage class
When you create a persistent volume claim. Storage Class will look at the claim, it has to manage to create the ebs volume.
To make it happen automatically, we need a mechanism. In AWS we have AWS CSI plugin, we need to add it to EKS.
SC and CSI plugin together, whenever a pvc is created, It automatically interprets the PVC’s requirements and dynamically orchestrates the creation and attached to redis stateful set.
The Amazon EBS CSI plugin requires IAM permissions to make calls to AWS APIs on your behalf.
Create an IAM role and attach a policy. AWS maintains an AWS managed policy or you can create your own custom policy. You can create an IAM role and attach the AWS managed policy with the following command. Replace my-cluster with the name of your cluster. The command deploys an AWS CloudFormation stack that creates an IAM role and attaches the IAM policy to it.
Please add Cluster name
eksctl create iamserviceaccount \
--name ebs-csi-controller-sa \
--namespace kube-system \
--cluster <YOUR-CLUSTER-NAME> \
--role-name AmazonEKS_EBS_CSI_DriverRole \
--role-only \
--attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
--approve
Run the following command.
Replace with the name of your cluster, with your account ID.
eksctl create addon --name aws-ebs-csi-driver --cluster <YOUR-CLUSTER-NAME> --service-account-role-arn arn:aws:iam::<AWS-ACCOUNT-ID>:role/AmazonEKS_EBS_CSI_DriverRole --force
Now Go inside the helm and create a namespace
cd helm
kubectl create ns robot-shop
Now
helm install robot-shop --namespace robot-shop .
Now check pods (wait for 5 mins at least for all the pods to be up and running)
watch -n 1 'kubectl get pods -n robot-shop'
Check service
kubectl get svc -n robot-shop
Now Apply ingress
kubectl apply -f ingress.yaml
Now go to AWS CONSOLE
search for Ec2 and Go to load balancers
COPY DNS
Open a new tab and paste
After registering
Everything is good.
STEP5: DELETE CLUSTER
JUST PROVIDE THIS COMMAND
eksctl delete cluster --name demo-cluster-three-tier-1 --region us-east-1
Embarking on the journey of deploying and setting up Stan’s Robot Shop — a versatile microservices application — has been an enlightening experience in the world of containerized applications, orchestration, and monitoring.
In this guide, we’ve covered essential steps, from using Docker Compose to deploy the application to integrating IAM OIDC providers with Amazon EKS clusters. This integration not only ensures secure access to AWS resources but also unleashes the potential of Kubernetes service accounts.
Stan’s Robot Shop is not just a playground for testing technologies like NodeJS, Java, and Python; it’s a practical learning space for mastering tools like Kubernetes and monitoring solutions like Instana.
As you explore the complexities of microservices, container orchestration, and monitoring, remember that Stan’s Robot Shop is a starting point — a place to explore, test, and enhance your skills in a secure environment.
We hope this guide has provided valuable insights and practical guidance, empowering you to advance your knowledge and proficiency in containerized applications and Kubernetes.
Thanks for reading till now!!