Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EBS CSI EKS support #64

Merged
merged 28 commits into from
Jan 28, 2022
Merged

EBS CSI EKS support #64

merged 28 commits into from
Jan 28, 2022

Conversation

nickumia-reisys
Copy link
Contributor

@nickumia-reisys nickumia-reisys commented Jan 5, 2022
edited
Loading

Related to GSA/data.gov#3127

Changes:

  • Update Fairwinds VPC module to AWS VPC Module
  • Update AWS Provider from 3.61.0 to 3.73.0
  • Update Kubernetes Provider from 2.5 to 2.7.1
  • Update Helm Provider from 2.3 to 2.4

New Additions:

  • Provision EFS Volume alongside EKS cluster
  • Setup security group for EFS Volume
  • Mount EFS Volume to all private subnets in EKS cluster
    • No matter where a fargate node gets launched, it will have access to the EFS Volume
  • Attach EFS Policy to Fargate profile to interact with EFS Volume
  • EFS Volume Read/Write Test pulled from aws-efs-csi-driver repo

mogul
mogul previously approved these changes Jan 6, 2022
View reviewed changes
Copy link
Collaborator

@mogul mogul left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code looks fine, but we need to see the tests passing.

@nickumia-reisys
Copy link
Contributor Author

Instructions on setting up EBS CSI Plugin: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html

@nickumia-reisys
new: add managed node group; the old iam_path restricted managed node…
43e36bb 
… groups from being created, so it was removed
@nickumia-reisys nickumia-reisys marked this pull request as draft January 8, 2022 01:19
@nickumia-reisys
new: EBS to EFS policy change
0e8d604 
This is the start of using EFS instead of EFS because it will be able to be shared memory between all of the Solr replicas; Plus, EBS is connected to each node individually and cannot connect to more than one node; EBS only works with managed nodes, not fargate; EFS supports static provisioning for Fargate
@nickumia-reisys
new: EBS to EFS provision change
6515dea 
There's no EKS addon for EFS, so we need to install via helm (https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html)
@nickumia-reisys
new: implement efs volumes in fargate
43096d4 
update VPC module to AWS support; add configuration for efs static provisioning; mount the efs volume on all nodes in VPC private subnets; remove managed nodes
@nickumia-reisys
new: add tests to verify EFS communication
1cf6f18
@nickumia-reisys nickumia-reisys mentioned this pull request Jan 26, 2022
Closed
@nickumia-reisys nickumia-reisys changed the title EBS CSI EKS addon EFS CSI EKS support Jan 26, 2022
@nickumia-reisys
update: broker service definition
7897bc7 
move persistent storage capability to new file; update file name in service definition
@nickumia-reisys
docs: update cleanup/README
8ee933e
@nickumia-reisys
update: refactor name
80099ba
@nickumia-reisys
update: finish test
6073b89 
make test CI-worthy
@nickumia-reisys nickumia-reisys marked this pull request as ready for review January 26, 2022 22:15
mogul
mogul previously approved these changes Jan 26, 2022
View reviewed changes
@nickumia-reisys
update: aws provider binary from 3.61 to 3.73
22f139f
@nickumia-reisys
fix: make sure test doesn't run forever
b5ae4d8
@nickumia-reisys
fix: grab EFS ID for cluster
1b10014 
For the test, the EFS ID is necessary in order to know where kubernetes should create the persistent volume; the only known way of doing this is through the aws cli
@nickumia-reisys nickumia-reisys mentioned this pull request Jan 27, 2022
Closed
1 task
@nickumia-reisys
new: don't add vpn gateway
280d3df 
I think I copied this from the VPC example, but we don't need it for our use case; also, only create a single nat gateway instead of one per availability zone
@nickumia-reisys nickumia-reisys marked this pull request as draft January 27, 2022 05:45
@nickumia-reisys
Copy link
Contributor Author

@mogul We need to enable encryption for the EFS volume. We can't merge this yet!

@nickumia-reisys
Copy link
Contributor Author

Commenting for reference, https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html
image

@nickumia-reisys nickumia-reisys mentioned this pull request Jan 27, 2022
Merged
@nickumia-reisys
Copy link
Contributor Author

Ughh... I think there are a couple of problems with the tests.. Fargate has the EFS driver installed by default, KiND does not.. Real EKS has the current kubernetes configs applied, KiND does not... Will fix in the morning.

mogul
mogul requested changes Jan 27, 2022
View reviewed changes
Copy link
Collaborator

@mogul mogul left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please create the PV and storage class during the provision operation too.

test.sh Outdated Show resolved Hide resolved
@mogul
Copy link
Collaborator

mogul commented Jan 27, 2022
edited
Loading

Ughh... I think there are a couple of problems with the tests.. Fargate has the EFS driver installed by default, KiND does not.. Real EKS has the current kubernetes configs applied, KiND does not... Will fix in the morning.

The solr-operator doesn't care how PVs are implemented, only that they are available to make PVCs! So we don't need to set up EFS in KinD, we just need to set up KinD to have a local PV back-end and storageClass of its own available. This is how we do it.
793623b1-daa7-48bf-b939-2247a901dcb0_text

@mogul
Copy link
Collaborator

mogul commented Jan 27, 2022

A more in-depth example of implementing PVs in KinD, if we need to go any further than the SO answer linked above...

nickumia-reisys and others added 7 commits January 27, 2022 11:26
@nickumia-reisys
new: statically provision efs for k8s cluster
3c7aab4 
The EFS volume was being created, but kubernetes was not being made aware about it until the 'driver, storageclass, pv' k8s classes were created.
@nickumia-reisys
lint: ran terraform fmt
3f50c99
@nickumia-reisys
update: make EFS id unique to each cluster
d8ce2a6 
EFS Volumes will conflict without unique creation token.. we'll never have two eks clusters named the same thing, so it's a good reference point for EFS volume creations (+1)
@nickumia-reisys
fix: stupid typo..
395b406 
Damn..
@nickumia-reisys
fix: kubectl wait for pod timeouts too quick
fe29daa 
It takes about 2-3 minutes for the pod to come up
@mogul
Replace null_resource with the resources from the kubernetes provider
2055589
@mogul
Implement encryption-at-rest and encryption-in-transit for persistent…
6f27e96 
… volumes
@mogul mogul force-pushed the persistent-volumes branch from 7a36f13 to 9ca65ab Compare January 27, 2022 22:07
@mogul mogul force-pushed the persistent-volumes branch from 24fb89b to 193f89d Compare January 28, 2022 00:50
@mogul mogul requested a review from a team January 28, 2022 05:46
@mogul mogul marked this pull request as ready for review January 28, 2022 05:46
@mogul mogul merged commit ff467f4 into main Jan 28, 2022
@mogul mogul deleted the persistent-volumes branch January 28, 2022 05:47
@nickumia-reisys
Copy link
Contributor Author

Yay!! 🎈

@nickumia-reisys nickumia-reisys changed the title EFS CSI EKS support EBS CSI EKS support Feb 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mogul mogul mogul approved these changes

Assignees
No one assigned
Labels
component/ssb
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nickumia-reisys @mogul