Amazon Web Services (AWS) is a well-known provider of cloud services, while Kubernetes is quickly becoming the standard way to manage application containers in production environments. Amazon Elastic Container Service for Kubernetes (EKS) brings these two solutions together, allowing users to quickly and easily create Kubernetes clusters in the cloud.
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
This guide walks you, step by step, through the process of provisioning a new Kubernetes cluster using Amazon EKS and then deploying WordPress to the cluster using a Bitnami Helm chart.
This guide will introduce you to Amazon EKS by provisioning a Kubernetes cluster and deploying the Bitnami WordPress Helm chart on it. This will give you a pre-configured WordPress blog that you can start using right away. But WordPress is just an example: there are hundreds of other Bitnami applications to choose from, and they’re all equally easy to set up.
Here are the steps you’ll follow in this tutorial:
The next sections will walk you through these steps in detail.
This guide assumes that:
NOTE: You must use kubectl v1.10 or later with Amazon EKS.
IMPORTANT: At the time of writing, Amazon EKS is only available in the us-west-2 and us-east-1 regions. Therefore, before proceeding with the remainder of this guide, select one of these two regions in the AWS console and perform the operations listed below in that region alone.
The first step is to generate an AWS Access Key ID and Secret Access Key, which will be used to authenticate your interaction with the Amazon EKS service. To do this:
Click the “Create access key” button.
A new key pair, consisting of an “Access Key ID” and “Secret Access Key”, will be generated and displayed. The “Secret Access Key” value will not be displayed again, so accurately note down the “Access Key ID” and “Secret Access Key” values displayed.
On your local system, run the following command to create an AWS profile. Enter the AWS Access Key ID, Secret Access Key and selected region when prompted.
This will create a profile file in your home directory on your local system named ~/.aws/credentials. Typically, this file contains a default profile named default with your credentials. These credentials will be used when interacting with your Amazon EKS cluster.
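The interactive aws configure command writes that file for you. As an added example that is not part of the original guide, the script below does the same non-interactively and adds the check a practitioner wants on a file holding long-term credentials: that it is readable by its owner only, and that the profile name you will later put in your kubeconfig actually exists. The file path and profile name are parameters; the AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY pair is a constructed placeholder, the same dummy values AWS uses in its own documentation, not a real key.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): write an AWS credentials
# profile non-interactively and audit the file that holds it. Assumes the
# INI layout the AWS CLI uses for ~/.aws/credentials; path and profile name
# are parameters so the functions can be exercised against a temp file.
set -e

# write_aws_profile FILE PROFILE ACCESS_KEY_ID SECRET_ACCESS_KEY
# Appends a [PROFILE] section (creating FILE if needed). umask 077 makes a
# newly created file owner-only, as `aws configure` does; an existing file
# keeps whatever mode it had, which check_credentials_file will flag.
write_aws_profile() {
  local file=$1 profile=$2 key_id=$3 secret=$4
  case "$key_id" in
    AKIA*) ;;  # long-term IAM access keys start with AKIA
    *) echo "unexpected access key id format: $key_id" >&2; return 1 ;;
  esac
  ( umask 077; mkdir -p "$(dirname "$file")"; touch "$file" )
  printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
    "$profile" "$key_id" "$secret" >> "$file"
}

# list_aws_profiles FILE -> one profile name per line
list_aws_profiles() {
  sed -n 's/^\[\([^]]*\)\].*/\1/p' "$1"
}

# check_credentials_file FILE -> 0 if group and other have no permission
# bits (mode 600), 1 otherwise. Reads columns 5-10 of `ls -l`, which works
# on both GNU and BSD userland.
check_credentials_file() {
  local bits
  bits=$(ls -ld "$1" | cut -c5-10)
  [ "$bits" = "------" ]
}

# demo: exercise the functions against a throwaway directory with the
# constructed placeholder key pair from the AWS documentation.
demo() {
  local dir
  dir=$(mktemp -d)
  write_aws_profile "$dir/credentials" default \
    AKIAIOSFODNN7EXAMPLE wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  check_credentials_file "$dir/credentials" && echo "credentials file mode ok"
  echo "profiles:"; list_aws_profiles "$dir/credentials"
  rm -rf "$dir"
}
```

Run demo to see the checks against a temporary file, or point check_credentials_file at your real ~/.aws/credentials after running aws configure.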
The next step is to create a service role that will interact with the Amazon EKS cluster. To do this:
Select “AWS service” as the type of entity and “EKS” as the service. Click the “Next: Permissions” button to proceed.
Click the “Next: Review” button to proceed.
Enter a name for the service role and click “Create role” to create the role. Note the name of the service role.
To generate an SSH key pair, which you will need to log in to your EC2 instances, follow the steps below:
Log in to the AWS Console.
From the Amazon Web Services menu, select the EC2 service.
If required, use the region selector in the top right corner to switch to the region where your instance will be launched.
From the Amazon EC2 dashboard, select the “Key Pairs” option in the “Network & Security” menu.
Click the “Create Key Pair” button. In the resulting dialog box, enter a name for the new key pair and click the “Create” button.
A new key pair, consisting of an SSH public and private key, will be generated. You will be prompted to download the private SSH key to your computer.
NOTE: You will only be able to download the private SSH key once. Store it safely as you will not be able to log in to your AWS servers without it.
Amazon EKS also requires a Virtual Private Cloud (VPC) in which to deploy the cluster. To create this VPC:
On the “Select Template” page, select the option to “Specify an Amazon S3 template URL” and enter the URL below:
Click “Next” to proceed.
On the “Specify Details” page, enter a name for the new stack. Click “Next” to proceed.
On the “Options” page, leave all values at their defaults. Click “Next” to proceed.
On the “Review” page, review and confirm the details of the stack. Click “Create” to proceed.
Stack creation will take a few minutes. Once complete, select the stack name in the list of available stacks and select the “Outputs” section in the lower left pane. Note the identifiers of the security group, VPC and VPC subnets.
At this point, you are ready to create a new Amazon EKS cluster. To do this:
Enter details into the EKS cluster creation form as follows:
Click “Create” to create the Amazon EKS cluster.
NOTE: If cluster creation fails due to insufficient capacity in your selected region or unavailability of subnets in certain zones, repeat the process using a different region.
Cluster creation may take up to 10 minutes. You can monitor the status of the cluster from the Amazon EKS console. Once complete, the cluster status will change to “Active” as shown below.
The next step is to configure kubectl to recognize the new cluster’s control plane. To do this:
Create a kubectl configuration file in your ~/.kube directory as ~/.kube/config-eks:
Add the file to the $KUBECONFIG environment variable so that kubectl is able to find it:
Fill the file with the following contents, replacing the placeholders shown as follows:
Replace the PROFILE-NAME placeholder with the name of your AWS credentials profile from the ~/.aws/credentials file (typically, default).
Run the command below to confirm that kubectl is able to communicate with the new cluster’s control plane:
You should see output similar to what is shown below:
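The kubeconfig the guide asks you to fill in is not reproduced above. As an added example (not the guide's own file), the function below renders an equivalent kubeconfig whose user entry is an exec plugin calling aws eks get-token, so the only thing stored on disk is the profile name and a short-lived token is fetched on every kubectl call. It assumes an AWS CLI recent enough to provide the eks get-token subcommand and a kubectl that accepts the client.authentication.k8s.io/v1beta1 exec API. The cluster endpoint and certificate-authority data are taken from the EKS console (or aws eks describe-cluster); the values in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example (not the guide's kubeconfig): render a kubeconfig for an
# EKS cluster that authenticates through the AWS CLI exec plugin. All
# inputs are parameters; nothing secret is written to the file.
set -e

# render_eks_kubeconfig CLUSTER_NAME ENDPOINT CA_DATA_B64 REGION PROFILE
# Prints the kubeconfig to stdout. Fails if the endpoint is not https or
# the CA data is missing or not base64, because a kubeconfig without a
# usable CA would leave kubectl unable to verify the API server.
render_eks_kubeconfig() {
  local name=$1 endpoint=$2 ca=$3 region=$4 profile=$5
  case "$endpoint" in
    https://*) ;;
    *) echo "endpoint must start with https://: $endpoint" >&2; return 1 ;;
  esac
  [ -n "$ca" ] || { echo "certificate-authority data is empty" >&2; return 1; }
  printf '%s' "$ca" | base64 -d >/dev/null 2>&1 \
    || { echo "certificate-authority data is not base64" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${name}
  cluster:
    server: ${endpoint}
    certificate-authority-data: ${ca}
contexts:
- name: ${name}
  context:
    cluster: ${name}
    user: ${name}
current-context: ${name}
users:
- name: ${name}
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
      args:
      - --region
      - ${region}
      - eks
      - get-token
      - --cluster-name
      - ${name}
      env:
      - name: AWS_PROFILE
        value: ${profile}
EOF
}

# Example (constructed values): write the file the guide names and check it.
#   render_eks_kubeconfig my-cluster https://EXAMPLE.gr7.us-west-2.eks.amazonaws.com \
#     "$CA_DATA" us-west-2 default > ~/.kube/config-eks
#   export KUBECONFIG=$HOME/.kube/config-eks:$KUBECONFIG
#   kubectl get svc
```

If you would rather not render the file yourself, aws eks update-kubeconfig --name CLUSTER --region REGION --profile PROFILE writes an equivalent exec-based entry into your kubeconfig.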
Once the control plane of your cluster has been activated, the next step is to add nodes to it. To do this:
On the “Select Template” page, select the option to “Specify an Amazon S3 template URL” and enter the URL below:
Click “Next” to proceed.
On the “Specify Details” page, enter details as follows:
Click “Next” to proceed.
On the “Options” page, leave all values at their defaults. Click “Next” to proceed.
On the “Review” page, review and confirm the details of the stack and tick the checkbox to confirm that the stack can create additional IAM resources. Click “Create” to proceed.
Once stack creation is complete, select the stack name in the list of available stacks and select the “Outputs” section in the lower left pane. Note the identifier of the node instance role.
On your local system, create a file named auth.yaml and fill it with the content below. Replace the ARN-ROLE placeholder with the node instance role obtained from the stack output.
Apply the changes to the cluster configuration with kubectl:
At this point, your nodes are configured to join the cluster. You can check the status of each node using the command below:
By default, Amazon EKS does not create a storage class for a cluster. However, many Kubernetes applications (including the Bitnami WordPress Helm chart) request persistent volumes for storage, so a storage class is required to provide EBS volumes to applications. To create one:
On your local system, create a file named storage-class.yaml and fill it with the definition below:
Apply the changes to the cluster configuration with kubectl:
At this point, your storage class is provisioned. You can check this using the command below:
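As an added example (not the guide's own auth.yaml or storage-class.yaml, whose contents are not reproduced above), the script below renders the two manifests applied in the previous steps and adds one check worth having: the ARN handed to the aws-auth ConfigMap is verified to be an IAM role ARN before it is granted the system:bootstrappers and system:nodes groups, because whatever principal is mapped there can register nodes with the cluster. The role name and account id in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example (not the guide's files): render the aws-auth ConfigMap and
# the gp2 StorageClass with the node role ARN validated first.
set -e

# is_iam_role_arn ARN -> 0 if ARN looks like arn:aws:iam::<12 digits>:role/<name>
# (also accepts partitions such as aws-us-gov).
is_iam_role_arn() {
  printf '%s\n' "$1" | grep -Eq '^arn:aws(-[a-z]+)*:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# render_aws_auth NODE_ROLE_ARN -> ConfigMap that lets nodes assuming that
# role join the cluster. Only the one role is mapped; nothing else gets
# cluster access through this file.
render_aws_auth() {
  local arn=$1
  is_iam_role_arn "$arn" \
    || { echo "refusing to map a principal that is not an IAM role: $arn" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: ${arn}
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
EOF
}

# render_gp2_storageclass -> default StorageClass backed by EBS gp2 volumes,
# using the in-tree aws-ebs provisioner the guide relies on.
render_gp2_storageclass() {
  cat <<'EOF'
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: gp2
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2
reclaimPolicy: Delete
EOF
}

# apply_cluster_bootstrap NODE_ROLE_ARN -> render both and apply with kubectl
apply_cluster_bootstrap() {
  render_aws_auth "$1" | kubectl apply -f -
  render_gp2_storageclass | kubectl apply -f -
  kubectl get nodes
  kubectl get storageclass
}

# Usage (ARN is a constructed placeholder; use the NodeInstanceRole from
# your worker stack's Outputs):
#   apply_cluster_bootstrap arn:aws:iam::123456789012:role/demo-NodeInstanceRole-ABC123
```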
Helm is the easiest way to manage applications in a Kubernetes cluster. Helm allows you to perform key operations for managing applications such as installation, upgrade and removal.
Follow these steps:
To install Helm v3.x, run the following commands:
TIP: If you are using OS X, you can install it with Homebrew: brew install helm.
Once Helm is installed, you’re ready to deploy WordPress using the Bitnami WordPress Helm chart.
Add the Bitnami chart repository to Helm:
Install the WordPress Helm chart:
You should see something like the output below as the chart is installed. Pay special attention to the NOTES section of the output, as it contains important information to access the application.
Check pod status until both WordPress and MariaDB are “running”:
Obtain the load balancer’s public hostname, replacing RELEASE-NAME with the correct release name:
Get the credentials for the application by executing the commands shown in the output of helm install:
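As an added example that is not part of the original guide, the script below carries the install steps above through in one go: the admin password is generated locally and passed in a values file rather than with --set (so it does not land in shell history or the process list), the script waits for both the WordPress and MariaDB pods to become ready, and then reads the load balancer hostname and the admin password back from the cluster. The release name and namespace are parameters; the value names wordpressUsername, wordpressPassword and service.type, the RELEASE-wordpress Service and Secret names and the wordpress-password key are those of the Bitnami chart, and the JSON in the test is a constructed Service object.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): install the Bitnami
# WordPress chart with a locally generated password and fetch the access
# details back from the cluster. Nothing runs unless DEPLOY_WORDPRESS=1.
set -e

# write_wp_values FILE USERNAME -> values file with a random 24-char password,
# created owner-only so the password is not readable by other local users.
write_wp_values() {
  local file=$1 user=$2 password
  password=$(head -c 32 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-24)
  ( umask 077; touch "$file" )
  cat > "$file" <<EOF
wordpressUsername: ${user}
wordpressPassword: ${password}
service:
  type: LoadBalancer
EOF
}

# extract_lb_hostname <service.json -> first load balancer hostname, or
# nothing while the ELB is still being provisioned. Plain sed, no jq needed.
extract_lb_hostname() {
  sed -n 's/.*"hostname"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# deploy RELEASE NAMESPACE -> install, wait, print hostname and password
deploy() {
  local release=$1 ns=$2 values
  values=$(mktemp)
  write_wp_values "$values" admin
  helm repo add bitnami https://charts.bitnami.com/bitnami
  helm install "$release" bitnami/wordpress -n "$ns" --create-namespace -f "$values"
  rm -f "$values"
  # The instance label is shared by the WordPress and MariaDB pods.
  kubectl -n "$ns" wait --for=condition=ready pod \
    -l "app.kubernetes.io/instance=${release}" --timeout=600s
  echo "URL: http://$(kubectl -n "$ns" get svc "${release}-wordpress" -o json | extract_lb_hostname)/"
  # The password is stored in the Secret the chart created; decode it locally.
  printf 'admin password: '
  kubectl -n "$ns" get secret "${release}-wordpress" \
    -o jsonpath='{.data.wordpress-password}' | base64 -d
  echo
}

if [ "${DEPLOY_WORDPRESS:-}" = "1" ]; then
  deploy "${WP_RELEASE:-wordpress}" "${WP_NAMESPACE:-default}"
fi
```

Run it with DEPLOY_WORDPRESS=1 (optionally WP_RELEASE and WP_NAMESPACE) once kubectl and helm point at the cluster; the load balancer hostname can take a minute or two to appear after the pods are ready, so rerun the kubectl get svc line if the URL prints empty.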
Browse to the load balancer’s external IP address and you should see WordPress running. Here’s what it should look like:
To log in to the WordPress dashboard, follow these steps:
Browse to the WordPress dashboard, usually at the URL http://SERVER-IP/wp-admin.
Log in with the administrator credentials from the previous step.
You should now arrive at the WordPress dashboard, which allows you to manage posts, pages and comments; customize your blog with themes and plugins; import and export content; manage navigation menus; add or delete new user accounts; and much more.
You can now add a new post using the following steps:
Select the “Posts -> Add New” menu option to create a new post.
Enter a title and content for the post. You can use the formatting tools at the top of the content area to format your post and add hyperlinks or images.
Optionally, choose the format and category for your post.
Publish it immediately using the “Publish” button.
And now, when you visit your blog’s front page, you should see your new post.
Congratulations! You now have a working, fully-functional WordPress blog in the cloud.
You can keep your WordPress installation up-to-date with the WordPress update feature. To access this:
Select the “Dashboard -> Updates” menu item.
Review the resulting page to see if WordPress needs an update. If an update is available, you can install it by clicking the “Update Now” button. You can also re-install WordPress if needed with the “Re-install Now” button.
To learn more about the topics discussed in this tutorial, use the links below:
This custom script will rotate AWS access keys and verify the rotation was successful. The rotation follows AWS best practices. In order for the rotation to work, the AWS PowerShell SDK must be installed on Secret Server or the Distributed Engines. Secret Server doesn't capture results back from scripts, and since the script generates the keys on Amazon and not in Secret Server, the new keys must be sent back to Secret Server. This is done by making an API call once the new keys are generated and writing them back into the Secret. The account used to make the call can be either a domain account (recommended, since it can use IWA) or a local Secret Server account.
| Environment | Version |
|---|---|
| Secret Server | 10.0+ |
| Operating System | Any Supported |
| PowerShell | Windows Management Framework 5+ |
Create a new Secret and choose the Access Key Template created earlier in the process.
Fill in the fields with:
Navigate to the Remote Password Changing tab on the Secret.
Click Edit > Run PowerShell Using Privileged Account > Click No Selected Secret to choose the Secret which will run PowerShell.
Before saving, choose one of the methods below for calling back Secret Server's API:
The user account used for API access will need Edit permissions on the Access Key Secret.
The user account used for API access will also need at least View permissions on the Secret created for its own account.
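The page's script is PowerShell for Secret Server and is not reproduced above. As an added example, not that script, the bash functions below express the same rotation sequence with the AWS CLI, in the order that keeps a working key at every step: create the new key, prove it works with sts get-caller-identity, hand it to the secret store, and only then deactivate and delete the old key. store_new_key is a hypothetical hook standing in for the vault API call (the Secret Server API call in the page's case); the key ids and dates in the test are constructed listings in the format aws iam list-access-keys --output text produces.

```shell
#!/usr/bin/env bash
# Added example (not the page's PowerShell script): AWS access key rotation
# with the AWS CLI. Run it under a separate privileged identity, never
# under the key being rotated, since that key is retired at the end.
set -e

# oldest_active_key <listing -> AccessKeyId of the oldest Active key, where
# listing is the text output of
#   aws iam list-access-keys --user-name U \
#     --query 'AccessKeyMetadata[].[CreateDate,AccessKeyId,Status]' --output text
# (one "date<TAB>id<TAB>status" line per key; ISO-8601 dates sort lexically).
oldest_active_key() {
  awk '$3 == "Active" { print $1, $2 }' | sort | head -n 1 | cut -d' ' -f2
}

# inactive_key <listing -> AccessKeyId of an Inactive key, or nothing
inactive_key() {
  awk '$3 == "Inactive" { print $2; exit }'
}

# store_new_key USER KEY_ID SECRET -> hypothetical hook; replace it with the
# call that writes the new pair into your secret store. It refuses by
# default so an unconfigured run stops before the old key is retired.
store_new_key() {
  echo "store_new_key is not configured; not retiring the old key for $1" >&2
  return 1
}

# verify_key KEY_ID SECRET -> 0 once sts get-caller-identity succeeds with
# the new key. IAM is eventually consistent, so retry for about 30 seconds.
verify_key() {
  local attempt
  for attempt in 1 2 3 4 5 6; do
    if AWS_ACCESS_KEY_ID=$1 AWS_SECRET_ACCESS_KEY=$2 \
        aws sts get-caller-identity >/dev/null 2>&1; then
      return 0
    fi
    sleep 5
  done
  return 1
}

# rotate_access_key USER -> create, verify, store, then retire the old key.
rotate_access_key() {
  local user=$1 listing old stale created new_id new_secret
  listing=$(aws iam list-access-keys --user-name "$user" \
    --query 'AccessKeyMetadata[].[CreateDate,AccessKeyId,Status]' --output text)
  # IAM allows at most two keys per user: clear an Inactive one if both slots are used.
  if [ "$(printf '%s\n' "$listing" | grep -c .)" -ge 2 ]; then
    stale=$(printf '%s\n' "$listing" | inactive_key)
    [ -n "$stale" ] || { echo "$user already has two active keys; refusing to rotate" >&2; return 1; }
    aws iam delete-access-key --user-name "$user" --access-key-id "$stale"
  fi
  old=$(printf '%s\n' "$listing" | oldest_active_key)
  [ -n "$old" ] || { echo "$user has no active key to rotate" >&2; return 1; }
  created=$(aws iam create-access-key --user-name "$user" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
  new_id=$(printf '%s\n' "$created" | cut -f1)
  new_secret=$(printf '%s\n' "$created" | cut -f2)
  verify_key "$new_id" "$new_secret"          # stop here if the new key does not work
  store_new_key "$user" "$new_id" "$new_secret"  # stop here if it cannot be saved
  aws iam update-access-key --user-name "$user" --access-key-id "$old" --status Inactive
  aws iam delete-access-key --user-name "$user" --access-key-id "$old"
  echo "rotated $user: $old -> $new_id"
}

# Usage, after defining a real store_new_key:
#   rotate_access_key svc-backup
```

Deactivating before deleting gives you a window in which a consumer that was missed during the store step still fails loudly but can be recovered by reactivating the old key; delete only once nothing depends on it.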