Tag Archives: Kubernetes

ADOT Collector in EKS: Enhancing Observability in Fargate

04 Thursday Apr 2024

Posted by in Amazon AWS, Devops, Kubernetes

Leave a comment

Tags

, ,

In the world of Kubernetes and container orchestration, ensuring the efficient monitoring, tracing, and logging of applications is pivotal. For AWS users, particularly those leveraging Amazon Elastic Kubernetes Service (EKS) with AWS Fargate, the AWS Distro for OpenTelemetry (ADOT) plays a crucial role in streamlining these processes. This blog post delves into the importance of the ADOT collector in EKS, spotlighting its implementation as a StatefulSet in Fargate-based systems.

Understanding ADOT

AWS Distro for OpenTelemetry (ADOT) is a secure, production-ready, AWS-supported distribution of the OpenTelemetry project. OpenTelemetry provides open-source APIs, libraries, and agents to collect traces and metrics from your application. You can then send the data to various monitoring tools, including AWS services like Amazon CloudWatch, AWS X-Ray, and third-party tools, for analysis and visualization.

Why ADOT in EKS?

Kubernetes environments, especially those managed through EKS, can become complex, hosting numerous microservices that communicate internally and externally. Tracking every request, error, and transaction across these services without impacting performance is where ADOT shines. It efficiently collects, processes, and exports telemetry data, offering insights into application performance and behavior, thereby enabling developers to maintain high service reliability and performance.

The ADOT Collector as a StatefulSet in AWS Fargate

The deployment of the ADOT collector in EKS can vary based on the underlying infrastructure—Node-based or Fargate. For Fargate-based systems, the configuration manifests a significant divergence, particularly in using StatefulSet over DaemonSet. Here’s why this distinction is crucial.

Fargate: A Serverless Compute Engine

Fargate allows you to run containers without managing servers or clusters. It abstracts the server and cluster management tasks, enabling you to focus on designing and building your applications. This serverless approach, however, means that you don’t have direct control over the nodes running your workloads, differing significantly from a Node-based system where DaemonSet would be ideal for deploying agents like the ADOT collector across all nodes.

Why StatefulSet?

In Fargate, every pod runs on its own isolated environment without sharing the underlying host with other pods. This isolation makes DaemonSet, which is designed to run a copy of a pod on each node in the cluster, incompatible with Fargate’s architecture. Instead, StatefulSet is used to manage the deployment and scaling of a set of Pods and to provide guarantees about the ordering and uniqueness of these Pods. Here’s how the ADOT collector configuration looks when deployed as a StatefulSet:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: adot-collector
  namespace: fargate-container-insights
...

This configuration ensures that the ADOT collector runs reliably within the Fargate infrastructure, adhering to the serverless principles while providing the necessary observability features.

Advantages of Using StatefulSet for ADOT in Fargate

  • Isolation and Security: Each instance of the ADOT collector runs in its own isolated environment, enhancing security and reliability.
  • Scalability: Easily scale telemetry collection in tandem with your application without worrying about the underlying infrastructure.
  • Consistent Configuration: StatefulSet ensures that each collector instance is configured identically, simplifying deployment and management.
  • Persistent Storage: If needed, StatefulSet can leverage persistent storage options, ensuring that data is not lost between pod restarts.

Conclusion

Integrating the ADOT collector in EKS as a StatefulSet for Fargate-based systems harmonizes with the serverless nature of Fargate, offering a scalable, secure, and efficient method for telemetry data collection. This setup not only aligns with the modern cloud-native approach to application development but also enhances the observability and operability of applications deployed on AWS, ensuring that developers and operations teams have the insights needed to maintain high performance and reliability.

By leveraging the ADOT collector in this manner, organizations can harness the full power of AWS Fargate’s serverless compute alongside EKS, driving forward the next generation of cloud-native applications with confidence.

Create docker secret for Amazon ECR in Kubernetes using Java Client

04 Monday Feb 2019

Posted by in Amazon AWS, Devops, Docker, Kubernetes

Leave a comment

Tags

, ,

It’s quite easy to use dockerhub with kubernetes deployments. Unfortunately that’s not the case if you want to use Amazon ECR as your container repository.

Amazon ECR has a few quirks before you can use it in your kubernetes platform. Amazon ECR does not allow you to use the API keys directly to create images. You need to generate a token to be used with ECR & the token is valid only for 12 hours.

Before you begin, please add below dependencies to your maven project.


<dependency>
	<groupId>com.github.docker-java</groupId>
	<artifactId>docker-java</artifactId>
	<version>3.0.14</version>
</dependency>

<dependency>
	<groupId>io.kubernetes</groupId>
	<artifactId>client-java</artifactId>
	<version>4.0.0-beta1</version>
</dependency>

<dependency>
	<groupId>com.amazonaws</groupId>
	<artifactId>aws-java-sdk-ecr</artifactId>
	<version>1.11.477</version>
</dependency>

There are 2 main parts in using Amazon ECR with Docker & Kubernetes –
I) Push Docker Image to Amazon ECR

  1. Create Amazon ECR Authorization Token 
    
    @Value("${aws.ecr.access.key}")
    private String accessKey;

    @Value("${aws.ecr.access.secret}")
    private String accessSecret;

    @Value("${aws.ecr.default.region}")
    private String region;

    @Override
    public AuthorizationData getECRAuthorizationData(String repositoryName) {

        //Create AWS Credentials using Access Key
        AWSCredentials awsCredentials = new BasicAWSCredentials(accessKey, accessSecret);

        //Create AWS ECR Client
        AmazonECR amazonECR = AmazonECRClientBuilder.standard()
                .withRegion(region)
                .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
                .build();

        Repository repository = null;
        //Describe Repos. Check if repo exists for given repository name
        try {
            DescribeRepositoriesRequest describeRepositoriesRequest = new DescribeRepositoriesRequest();
            List listOfRepos = new ArrayList();
            listOfRepos.add(repositoryName);
            describeRepositoriesRequest.setRepositoryNames(listOfRepos);
            DescribeRepositoriesResult describeRepositoriesResult = amazonECR.describeRepositories(describeRepositoriesRequest);

            List repositories = describeRepositoriesResult.getRepositories();
            repository = repositories.get(0);

        }catch(Exception e){
            System.out.println("Error fetching repo. Error is : " + e.getMessage());
            System.out.println("Creating repo....");
            //Create Repository if required
            CreateRepositoryRequest createRepositoryRequest = new CreateRepositoryRequest().withRepositoryName(repositoryName);
            CreateRepositoryResult createRepositoryResult = amazonECR.createRepository(createRepositoryRequest);
            System.out.println("Created new repository : " + createRepositoryResult.getRepository().getRegistryId());
            repository = createRepositoryResult.getRepository();
        }
		
	    //Get Auth Token for Repository using it's registry Id
        GetAuthorizationTokenResult authorizationToken = amazonECR
                .getAuthorizationToken(new GetAuthorizationTokenRequest().withRegistryIds(repository.getRegistryId()));

        List authorizationData = authorizationToken.getAuthorizationData();
        return authorizationData.get(0);

    }
  2. Use token in docker java client 
    
        String userPassword = StringUtils.newStringUtf8(Base64.decodeBase64(authData.getAuthorizationToken()));
        String user = userPassword.substring(0, userPassword.indexOf(":"));
        String password = userPassword.substring(userPassword.indexOf(":") + 1);

        System.out.println("ECR Endpoint : " + authData.getProxyEndpoint());

        //Create Docker Config
        DockerClientConfig config = DefaultDockerClientConfig.createDefaultConfigBuilder()
                .withDockerHost(dockerUrl)
                .withDockerTlsVerify(false)
                .withRegistryUrl(authData.getProxyEndpoint())
                .withRegistryUsername(user)
                .withRegistryPassword(password)
                .withRegistryEmail("padmarag.lokhande@golaunchpad.io")
                .build();
        DockerClient docker = DockerClientBuilder.getInstance(config).build();
  3. Build Docker image 
    		
		String imageId = docker.buildImageCmd()
                        .withDockerfile(new File(params.getFilePath() + "\\Dockerfile"))
                        .withPull(true)
                        .withNoCache(true)
                        .withTag("latest")
                        .exec(new BuildImageResultCallback())
                        .awaitImageId();
  4. Tag Docker image 
    						
		String tag = "latest";
        String repository = authData.getProxyEndpoint().replaceFirst("https://", org.apache.commons.lang.StringUtils.EMPTY) + "/" + params.getApplicationName();
		
		TagImageCmd tagImageCmd = docker.tagImageCmd(imageId, repository, tag);
        tagImageCmd.exec();
  5. Push Docker image to Amazon ECR 
            
        docker.pushImageCmd(repository)
              .withTag("latest")
              .exec(new PushImageResultCallback())
              .awaitCompletion(600, TimeUnit.SECONDS);

II) Pull Docker Image from ECR into Kubernetes

  1. Create Secret in Kubernetes

    2. First we need to create Kubernetes config using kubernetes api server url and token for admin account.

    
ApiClient client = Config.fromToken(master, token,false);
String userPassword = org.apache.commons.codec.binary.StringUtils.newStringUtf8(Base64.decodeBase64(ecrAuthorizationData.getAuthorizationToken()));
String user = userPassword.substring(0, userPassword.indexOf(":"));
String password = userPassword.substring(userPassword.indexOf(":") + 1);

    This is one important difference between normal kubernetes secret and special docker ecr secret. Check the type “kubernetes.io/dockerconfigjson”

    
V1Secret newSecret = new V1SecretBuilder()
                    .withNewMetadata()
                    .withName(ECR_REGISTRY)
                    .withNamespace(params.getNamespace())
                    .endMetadata()
                    .withType("kubernetes.io/dockerconfigjson")
                    .build();

newSecret.setType("kubernetes.io/dockerconfigjson");

    The content for kubernetes docker secret needs to be created in specifically formatted json using data as set below. This is then set as byte data in V1Secret.

    
HashMap secretData = new HashMap(1);
String dockerCfg = String.format("{\"auths\": {\"%s\": {\"username\": \"%s\",\t\"password\": \"%s\",\"email\": \"%s\",\t\"auth\": \"%s\"}}}",
        ecrAuthorizationData.getProxyEndpoint(),
        user,
        password,
        "padmarag.lokhande@golaunchpad.io",
        ecrAuthorizationData.getAuthorizationToken());

Map data = new HashMap();
data.put(".dockerconfigjson",dockerCfg.getBytes());
newSecret.setData(data);

V1Secret namespacedSecret = api.createNamespacedSecret(params.getNamespace(), newSecret, true, params.getPretty(), params.getDryRun());