This repository was part of HCA DCP/1 and is not maintained anymore. DCP/2 development of this component continues in the forked repository at https://github.com/ebi-ait/ingest-kube-deployment.
Deployment setup for the Ingestion Service on Kubernetes clusters.
git clone https://github.com/HumanCellAtlas/ingest-kube-deployment.git
- Install terraform:
brew install terraform
. - Ensure your pip is running on python 3.
- Install awscli:
pip install awscli
. - Install aws-iam-authenticator:
brew install aws-iam-authenticator
- Install kubectl:
brew install kubernetes-cli
- Install kubectx (kubens included):
brew install kubectx
- Install helm:
brew install kubernetes-helm
mkdir ~/.kube
- Install jq
brew install jq
git clone https://github.com/HumanCellAtlas/ingest-kube-deployment.git
- Install terraform with the terraform instructions.
- If you install with
sudo snap install terraform
you may run into the errorError configuring the backend "s3": NoCredentialProviders: no valid providers in chain. Deprecated.
- Install awscli:
pip install awscli
. - Install aws-iam-authenticator
- Install kubectl:
sudo snap install kubectl --classic
- Install kubectx and kubens.
- Install helm:
sudo snap install helm --classic
mkdir ~/.kube
- Install jq, if required.
sudo apt-get install jq
aws configure set default.region us-east-1
aws configure set default.output json
aws configure --profile hca-id
- See Quickly Configure ASW CLI for
AWS Access Key ID
&AWS Secret Access Key
- See Quickly Configure ASW CLI for
- See this video for configuring your connection to the DCP Developer Role.
- Account:
humancellatlas
- Role:
dcp-developer
- ARN:
arn:aws:iam::861229788715:role/dcp-developer
These steps assumes you have the correct aws credentials and local environment tools set up correctly. This only has to be run one time.
source config/environment_ENVNAME
where ENVNAME is the name of the environment you are trying to accesscd infra
make retrieve-kubeconfig-ENVNAME
where ENVNAME is the name of the environment you are trying to access
- To resolve
error: unable to recognize "dev/namespace.yaml": Get <...>: getting credentials: exec: exec: "heptio-authenticator-aws": executable file not found in $PATH
- Edit
~/.kube/config
, Replaceheptio-authenticator-aws
withaws-iam-authenticator
.
kubectl
,kubens
,kubectx
, andhelm
will now be tied to the cluster you have sourced in the step above.
These steps assumes you have the correct aws credentials + local environment tools set up correctly and that you have followed the instructions to access the existing cluster.
kubectx ingest-eks-ENVNAME
where ENVNAME is the name of the cluster environment you are trying to access- Generate token:
kubectl -n kube-system describe secrets/$(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}')
- Start the proxy:
kubectl proxy
- Browse to the dashboard endpoint at http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
- Choose Token and paste token from step 2 above
These steps assumes you have the correct aws credentials and local environment tools set up correctly. These steps will set up a new ingest environment from scratch via terraform and will also apply all kubernetes monitoring and dashboard configs, RBAC role and aws auth setup.
cp config/environment_template config/environment_ENVNAME
where envname should reflect the name of the environment you are trying to create.- Replace all values marked as 'PROVIDE...' with the appropriate value
- Ensure the aws profile name in this config is mapped to the name of the aws profile in your ~/.aws/config or ~/.aws/credentials/ path that has admin access to the relevant aws account.
- Ensure the VPC IP in this config file is a valid and unique VPC IP value.
source config/environment_ENVNAME
where ENVNAME reflects the name of the environment in the config file you created abovecd infra
make create-cluster-ENVNAME
where ENVNAME is the name of the environment you are trying to create. This step will also deploy the backend services (mongo, redis, rabbit)- Follow the steps to access the kubernetes dashboard. Once you see one active tiller pod in the environment namespace, continue to the next step.
- Follow instructions below to deploy applications.
These steps assumes you have the correct aws credentials + local environment tools set up correctly and that you have followed the instructions to access the existing cluster.
source config/environment_ENVNAME
where ENVNAME reflects the name of the environment you are trying to modify.- Update infra/eks.tf as desired.
cd infra
make modify-cluster-ENVNAME
where ENVNAME reflects the name of the environment you are trying to modify.
These steps assumes you have the correct aws credentials + local environment tools set up correctly and that you have followed the instructions to access the existing cluster. These steps will bring down the entire infrastructure and all the resources for your ingest kubernetes cluster and environment. This goes all the way up to the VPC that was created for this environment's cluster.
- Follow setups 2-5 in 'Create new ingest eks cluster (aws)' if config/environment_ENVNAME does not exist where ENVNAME is the environment you are trying to destroy
source config/environment_ENVNAME
where ENVNAME reflects the name of the environment in the config file you created abovecd infra
make destroy-cluster-ENVNAME
where ENVNAME is the name of the environment you are trying to destroy Note: The system could encounter an error (most likely a timeout) during the destroy operation. Failing to remove some resources such as the VPC, network interfaces, etc. can be tolerated if the ultimate goal is to rebuild the cluster. In the case VPC, for example, the EKS cluster will just reuse it once recreated.
The Terraform manifest declares some network components like the VPC and subnets, that for some reason refuse to get delete during the destroy operation. This operation needs some work to improve, but at the meantime, a workaround is suggested below.
Force the subnet declarations to use the existent ones by overriding the cidr_block
attribute of the aws_subnet.ingest_eks
resource. To see the undeleted subnet components, use terraform show
.
For example, in dev, the CIDR is set to 10.40.0.0/16
. The Terraform manifest at the time of writing makes computations with this on build time that often results in 2 subnets 10.40.0.0/24
and 10.40.1.0/24
that could refuse deletion. To make the Terraform build reuse these components, the cidr_block
attribute under the aws_subnet
resource can be set to the following:
cidr_block = "10.40.${count.index}.0/24"
cd infra
make deploy-backend-services-ENVNAME
where ENVNAME is the name of the environment you are trying to create.
Coming soon
- Make sure you have followed the instructions above to create or access an existing eks cluster
- Change the branch or tag in
config/environment_ENVNAME
if needed where ENVNAME is the environment you are deploying to. cd apps
make deploy-app-APPNAME
where APPNAME is the name of the ingest application. For example,make deploy-app-ingest-core
Notes on Fresh Installation
Before running the script to redeploy all ingest components, make sure that secrets have been properly defined in the AWS security manager. At the time of writing, the following secrets are required to be defined in dcp/ingest/<deployment_env>/secrets
to ensure that deployments go smoothly:
emails
staging_api_key
(retrieve this fromdcp/upload/staging/secrets
)exporter_auth_info
- Make sure you have followed the instructions above to create or access an existing eks cluster
- Change the branch or tag in
config/environment_ENVNAME
if needed where ENVNAME is the environment you are deploying to. cd apps
make deploy-all-apps
where APPNAME is the name of the ingest application.
All requests to the Ingest cluster go through the Ingress controller. Any outward facing service needs to be mapped to the Ingress service for it to work correctly. This is set through the AWS Route 53 mapping.
- The first step is to retrieve the external IP of the Ingress service load balancer. This can be done using
kubectl get services -l app=nginx-ingress
. - Copy the external IP and go the Route 53 service dashboard on the AWS Web console.
- From the Hosted Zones, search for
<deployment_env>.data.humancellatlas.org
and search for Ingest related records. - Update each record to use the Ingress load balancer external IP as alias.
- To ensure that each record are set correctly, run a quick test using the Test Record Set facility on the AWS Web console.
- Make sure you have followed the instructions above to create or access an existing eks cluster
- Source the configuration file for the environment
- Make sure the secrets api-keys and aws-keys are deployed substituted with valid base64 encoded values
cd infra
andmake install-infra-helm-chart-fluentd-cloudwatch
Coming soon
Coming soon
tldr: Use this command: kubectl port-forward rabbit-0 15672:15672
kubectl port-forward <localhost-port>:15672
https://kubernetes.io/docs/tasks/access-application-cluster/port-forward-access-application-cluster/
- Get the rabbit service local port
kubectl get service rabbit-service
- Get the rabbit service pod
kubectl get pods | grep rabbit
- Access the RabbitMQ Management UI
kubectl port-forward rabbit-0 15672:15672