[Question] Does this plugin support AWS EKS? #81
Comments
Hi @carlosjgp, the plugin works just fine with EKS. We may need additional documentation for setting up with EKS. While we update our documentation, I'm putting a list of steps together that I'll share with you soon. But if you have specific questions, I'm happy to answer them as well.
@carlosjgp Though the plugin works, the mechanism to get the token isn't easy and the token can expire. So, the thought is that this needs a special authenticator to make it straightforward. Something which understands EKS more natively. Do you have time to answer a couple of questions and maybe sometime over the next week or so, talk to us if necessary? The questions I have now are:
Another thought is: "If a GoCD server is already running inside EKS, to launch more agent pods, it shouldn't need the aws-iam-authenticator". It's something we're looking into. Maybe it is wrong. Thank you!
Answering your questions...
In theory, if the server is inside the cluster, it only requires to be deployed with a Kubernetes service account and to use a K8s Java client pointing to the internal K8s API endpoint... normally I would happily help to implement this if you want
Hi @carlosjgp, Sorry about the delayed response. I tested the Helm chart with multiple EKS ingress options today and here are my findings.
a. To get an ingress resource on EKS, I first disabled the ingress resource that is created with the Helm chart (helm install stable/gocd --set server.ingress.enabled=false).
b. I then created an AWS ALB ingress controller and an associated ingress resource. I found these instructions useful - https://aws.amazon.com/blogs/opensource/kubernetes-ingress-aws-alb-ingress-controller
c. I configured the gocd nodeport service as a backend in the ingress resource configuration. This allowed me to connect to the GoCD instance on EKS.
So, the general recommendation I have is, on EKS, don't install the ingress resource that ships with the GoCD helm chart. Instead, create an ingress resource based on the ingress controller you're using on your EKS cluster and connect it to the GoCD nodeport service. Let me know if this works for you or if you'd like to discuss this further. cc: @arvindsv
@sheroy - can you please post the ingress resource that you created (along with the ALB) after disabling the ingress that comes with the helm chart? I wanted to know what the difference is and why the ingress.yaml that's packaged with the gocd helm chart doesn't work.
Ingress definition:
@varshavaradarajan the main difference I see is the ALB-specific annotations.
@sheroy - you can provide the ingress annotations in values.yaml for the gocd helm chart - https://github.com/helm/charts/blob/master/stable/gocd/templates/ingress.yaml#L14
I think there is some setup involved wrt ingress controller depending on the platform on which the k8s cluster is hosted. For minikube, its But one of the questions was will just having the helm chart installed on EKS be enough to bring up elastic agents every time a gocd job is scheduled? Or will it require this k8s plugin to do something more to bring up elastic agents? That is, did you see jobs being successfully assigned elastic agents? Another thing to take care of was the plugin bringing up an agent in the cluster and connecting to a remote gocd server, according to #81 (comment).
Yes, that's why I think the helm chart should be limited to setting up a nodeport service that can then be wired up to an ingress resource based on the target platform, rather than create a new ingress just for GoCD.
I'm not sure if I understand your question. If you mean does the elastic agent work on EKS as intended, yes it does.
I haven't tested this scenario specifically. I can test it tomorrow if I get some time. I thought @carlosjgp was migrating a GoCD server (and agents based on the k8s elastic agent) over to EKS. I might have misunderstood.
Hmm.. this should work, I can give it a shot.
Updated steps based on @varshavaradarajan's comment.
Installing the helm chart now will bring up a GoCD server with the elastic agent pre-configured with a service account token, and an ingress resource with a GoCD service backend. cc: @carlosjgp @arvindsv
@sheroy So, does that mean that all that needs to be done after this is to create the ALB ingress controller and everything works fine?
@arvindsv yes, and the ALB ingress controller is created in step 1 above. So you need the ALB ingress controller installed, provide extra annotations while installing the Helm chart and you'll be good to go.
Hi @sheroy, thanks for all your hard work and investigations. Now that you have mentioned the service account creation I have remembered how to get the token, but the main challenge is to find the Certificate value to configure the plugin. Can you point me to the documentation about how to get this field for EKS? I've checked my '~/.kube/config' file but, due to the special configuration for EKS required to contact the AWS K8s cluster, the certificate is not there anymore. AWS uses my AWS CLI credentials to log in.
@carlosjgp - once the helm chart is installed, you get a preconfigured k8s elastic agent plugin settings and profile, which will fill in values for security token and certificate. However, if you need to get the security token and cert for configuring the plugin settings again, you can use the below commands:
Make sure that the service account name that you're providing above has the right pod related permissions as specified in https://github.com/helm/charts/tree/master/stable/gocd#rbac-and-service-accounts. This is no different for EKS. Accessing kubectl or the kubernetes API will require AWS credentials from your command line. But as @sheroy mentioned, once the helm chart was installed on EKS, it wasn't necessary to do any additional setup. This issue can be closed, @sheroy
@carlosjgp Sorry I missed your last comment. Did @varshavaradarajan's response give you what you need? I'll wait for a couple of days to hear back from you and close this issue. cc: @arvindsv
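An added example, not code from this thread or from the GoCD project: it shows where the security token and certificate discussed above live in a legacy service account token Secret, assuming the JSON form that `kubectl get secret <secret-name> -o json` returns. The service account name `gocd-agents`, the namespace `gocd` and every value in the sample Secret are constructed placeholders.

```python
import base64
import json

SA_SECRET_TYPE = "kubernetes.io/service-account-token"


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def plugin_credentials(secret: dict) -> dict:
    """Extract the bearer token and cluster CA certificate from a Secret object."""
    if secret.get("type") != SA_SECRET_TYPE:
        raise ValueError("not a service account token secret")
    data = secret["data"]
    token = base64.b64decode(data["token"]).decode()
    ca_pem = base64.b64decode(data["ca.crt"]).decode()
    if not ca_pem.lstrip().startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("ca.crt is not a PEM certificate")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    claims = json.loads(b64url_decode(parts[1]))
    return {
        "token": token,
        "ca_cert": ca_pem,
        "subject": claims.get("sub"),   # which service account the token is for
        "expires": claims.get("exp"),   # None when the token has no exp claim
    }


def constructed_secret() -> dict:
    """Build a fake Secret for the demo; nothing here is a real credential."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    def b64(text):
        return base64.b64encode(text.encode()).decode()

    claims = {"iss": "kubernetes/serviceaccount",
              "sub": "system:serviceaccount:gocd:gocd-agents"}  # hypothetical
    jwt = ".".join([seg({"alg": "RS256"}), seg(claims), "constructed-signature"])
    pem = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
    return {"type": SA_SECRET_TYPE, "data": {"token": b64(jwt), "ca.crt": b64(pem)}}


if __name__ == "__main__":
    creds = plugin_credentials(constructed_secret())
    print("subject:", creds["subject"], "| expires:", creds["expires"])
```

The `subject` field is a quick way to confirm the token belongs to the service account that was granted the pod permissions before it is pasted into the plugin settings.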
Due to the special configuration required to use EKS I'm not able to figure out how to configure this plugin properly
It might not be compatible at all...?