https://github.com/muthuri-dev/devops-eks-helm-terraform-ansible
It's devops time
- Host: GitHub
- URL: https://github.com/muthuri-dev/devops-eks-helm-terraform-ansible
- Owner: muthuri-dev
- License: mit
- Created: 2025-10-01T12:23:09.000Z (9 months ago)
- Default Branch: main
- Last Pushed: 2025-10-01T22:54:15.000Z (9 months ago)
- Language: HCL
- Size: 32.2 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
# Production EKS Infrastructure with Terraform, Helm & GitOps
A production-ready Kubernetes infrastructure on Amazon EKS featuring comprehensive observability, automated CI/CD with GitOps, centralized logging, metrics monitoring, secrets management, and SSL certificate automation.

## Architecture Overview
### High-Level Infrastructure Architecture
```
AWS Cloud
├── VPC (10.0.0.0/16)
│   ├── Public Subnet (us-east-1a)
│   │   └── NAT Gateway
│   ├── Public Subnet (us-east-1b)
│   │   └── NGINX Ingress Controller (LoadBalancer)
│   ├── Private Subnet (us-east-1a)
│   │   └── EKS Workers (Auto-Scale)
│   │       ├── ArgoCD
│   │       ├── Vault
│   │       ├── Kibana
│   │       └── PostgreSQL
│   └── Private Subnet (us-east-1b)
│       └── EKS Workers (Auto-Scale)
│           ├── Prometheus
│           ├── Grafana
│           ├── Apps
│           └── Fluent Bit
└── Amazon ECR (Container Registry)

GitHub Repository
├── Application Code (Dev/Main Branch)
└── Helm Charts (values.yaml)
```
### Traffic Flow Architecture
```
Internet User
      |
      |  HTTPS Request (*.shipcodes.tech)
      v
+------------------------+
|    Route 53 / DNS      |
|  (Domain Resolution)   |
+-----------+------------+
            |
            v
+------------------------+
|   AWS Load Balancer    |
|   (Created by NGINX)   |
+-----------+------------+
            |
      +-----+----------------+----------------------+
      v                      v                      v
+-------------------+  +-------------------+  +-------------------+
|  EKS Worker Node  |  |  EKS Worker Node  |  |  EKS Worker Node  |
|                   |  |                   |  |                   |
|  NGINX Ingress    |  |  NGINX Ingress    |  |  NGINX Ingress    |
|  Controller       |  |  Controller       |  |  Controller       |
|  (DaemonSet)      |  |  (DaemonSet)      |  |  (DaemonSet)      |
+---------+---------+  +---------+---------+  +---------+---------+
          |                      |                      |
          |  SSL Termination (Let's Encrypt)            |
          +----------------------+----------------------+
                                 |
                                 v
                    +------------------------+
                    |   Ingress Resources    |
                    |   (Route by Domain)    |
                    +-----------+------------+
                                |
      +-------------------------+-------------------------+
      v                         v                         v
+-------------------+  +-------------------+  +-------------------+
|  ArgoCD Service   |  |  Grafana Service  |  |  Vault Service    |
|  (ClusterIP)      |  |  (ClusterIP)      |  |  (ClusterIP)      |
+---------+---------+  +---------+---------+  +---------+---------+
          |                      |                      |
          v                      v                      v
+-------------------+  +-------------------+  +-------------------+
|  ArgoCD Pods      |  |  Grafana Pods     |  |  Vault Pods       |
|  (Deployment)     |  |  (StatefulSet)    |  |  (StatefulSet)    |
+-------------------+  +-------------------+  +-------------------+
```

### Request/Response Flow Detail
```
1. User Request:
   https://argocd.shipcodes.tech
          |
          v
2. DNS Resolution:
   Cloudflare -> AWS Load Balancer IP
          |
          v
3. Load Balancer:
   Distributes to NGINX Ingress on any worker node
          |
          v
4. NGINX Ingress Controller:
   - Reads Ingress resource
   - Checks host: argocd.shipcodes.tech
   - Terminates SSL (Let's Encrypt cert)
   - Routes to backend service
          |
          v
5. Kubernetes Service:
   argocd-server (ClusterIP) on port 80
          |
          v
6. Pod Selection:
   Service selects healthy ArgoCD pod via label selector
          |
          v
7. ArgoCD Pod:
   Processes request and generates response
          |
          v
8. Response Path (Reverse):
   Pod -> Service -> Ingress -> Load Balancer -> User
```
## Complete Infrastructure Components
### Core Kubernetes Infrastructure
- **Amazon EKS Cluster**: Managed Kubernetes control plane
- **EKS Node Groups**: Auto-scaling worker nodes (2-12 nodes)
- **Cluster Autoscaler**: Automatic node scaling based on pod demand
- **VPC & Networking**: Production-grade multi-AZ setup
- **EBS CSI Driver**: Persistent storage with dynamic provisioning
- **Metrics Server**: Resource metrics for HPA and monitoring
### Ingress & Networking
- **NGINX Ingress Controller**: Centralized ingress with SSL termination
- **Cert-Manager**: Automatic SSL certificate provisioning via Let's Encrypt
- **DNS Integration**: Domain-based routing (\*.shipcodes.tech)
- **Load Balancer**: AWS NLB/ALB for external traffic
### Observability Stack
#### Logging (EFK Stack)
- **Elasticsearch**: Centralized log storage and indexing
- **Fluent Bit**: Lightweight log collector (DaemonSet on all nodes)
- **Kibana**: Log visualization and analysis dashboard
#### Monitoring
- **Prometheus**: Metrics collection and storage
- **Grafana**: Metrics visualization and alerting
- **Service Discovery**: Automatic scraping of Kubernetes metrics
### GitOps & CI/CD
- **ArgoCD**: GitOps continuous deployment
- **GitHub Actions**: CI pipeline for build and push
- **Helm Charts**: Application packaging and versioning
### Secrets & Database
- **HashiCorp Vault**: Centralized secrets management
- **CloudNativePG**: PostgreSQL operator for database workloads
- **Amazon ECR**: Private container registry
## Project Structure
```
devops-eks-infrastructure/
├── infrastructure/                   # Terraform IaC
│   ├── 01-provider.tf                # Provider configuration
│   ├── 02-backend.tf                 # S3 backend with state
│   ├── 03-variables.tf               # Variable definitions
│   ├── 04-vpc-networking.tf          # VPC, subnets, NAT
│   ├── 05-eks-cluster.tf             # EKS cluster
│   ├── 06-ebs-csi.tf                 # EBS CSI driver
│   ├── 07-nodegroup.tf               # Auto-scaling node groups
│   ├── 08-monitoring.tf              # Prometheus & Grafana
│   ├── 09-argocd.tf                  # ArgoCD with Ingress
│   ├── 10-logging.tf                 # EFK stack
│   ├── 11-nginx-ingress.tf           # NGINX Ingress Controller
│   ├── 12-cert-manager.tf            # Cert-Manager
│   ├── 13-vault.tf                   # Vault with Ingress
│   ├── 14-ecr.tf                     # Amazon ECR
│   ├── 15-cloudnative-pg.tf          # PostgreSQL operator
│   ├── 16-cluster-autoscaler.tf      # Cluster autoscaler
│   ├── 17-metrics-server.tf          # Metrics server
│   └── 18-outputs.tf                 # Infrastructure outputs
├── helm-charts/                      # Application Helm charts
│   └── myapp/
│       ├── Chart.yaml
│       ├── values.yaml               # Updated by CI/CD
│       └── templates/
├── application/                      # Application source code
│   ├── src/
│   ├── Dockerfile
│   └── requirements.txt
├── .github/
│   └── workflows/
│       └── deploy.yml                # GitHub Actions workflow
└── README.md
```
## Complete CI/CD Pipeline Flow

### Pipeline Architecture
```
===========================================================================
                            Developer Workflow
===========================================================================
+------------------------+
|   1. Developer Push    |
|     to 'dev' branch    |
+-----------+------------+
            |
            v
+------------------------+
|     2. Create PR       |
|      dev -> main       |
+-----------+------------+
            |
            v
+------------------------+
|   3. Code Review &     |
|     Merge to main      |
+-----------+------------+
            |
            v
===========================================================================
                          GitHub Actions Workflow
===========================================================================
  Step 1: Checkout Code
    ├── actions/checkout@v3
    └── Fetches repository code

  Step 2: Authenticate with Vault
    ├── Connect to Vault (vault.shipcodes.tech)
    ├── Retrieve AWS credentials
    └── Get ECR registry details
            |
            v
       +--------------+
       |    Vault     |
       |  Secrets:    |
       |  - AWS_KEY   |
       |  - AWS_SEC   |
       |  - ECR_URI   |
       +--------------+

  Step 3: Build Docker Image
    ├── docker build -t myapp:$GITHUB_SHA
    └── Tag with commit SHA for versioning

  Step 4: Push to Amazon ECR
    ├── aws ecr get-login-password
    ├── docker tag myapp:$SHA $ECR_URI/myapp:$SHA
    └── docker push $ECR_URI/myapp:$SHA
            |
            v
       +--------------+
       |  Amazon ECR  |
       |  Image:      |
       |  myapp:abc1  |
       +--------------+

  Step 5: Update Helm Chart
    ├── Checkout helm-charts repository
    ├── Update values.yaml with new image tag
    │     image:
    │       repository: $ECR_URI/myapp
    │       tag: abc123def456   # New commit SHA
    ├── git commit -m "Update image to abc123"
    └── git push to helm-charts repo
            |
            v
===========================================================================
                            ArgoCD GitOps Sync
===========================================================================
  Step 1: Detect Changes
    ├── ArgoCD monitors helm-charts repository
    ├── Detects values.yaml change
    └── Triggers sync (auto or manual)

  Step 2: Sync Application
    ├── Renders Helm chart with new values
    ├── Compares with cluster state
    └── Applies changes to EKS cluster

  Step 3: Rolling Update
    ├── Kubernetes Deployment rollout
    ├── Pull new image from ECR
    ├── Create new pods with new image
    ├── Wait for health checks
    └── Terminate old pods

  Step 4: Health Verification
    ├── Check pod readiness probes
    ├── Verify service endpoints
    └── Application accessible via ingress
            |
            v
       +------------------------+
       |   Application Live!    |
       |   https://api          |
       |   .shipcodes.tech      |
       +------------------------+
```
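The workflow the diagram describes, written out as a GitHub Actions file. This is an added example, not the repository's own `.github/workflows/deploy.yml`. It assumes a Vault JWT auth role named `github-actions`, KV v2 secrets at `secret/ci/aws` and `secret/ci/ecr` holding the `AWS_KEY`/`AWS_SEC`/`ECR_URI` values from the diagram, and that `helm-charts/myapp/values.yaml` lives in this same repository (as the project structure shows) rather than in a separate helm-charts repo.

```yaml
# Added example workflow (not the project's deploy.yml). Assumptions: Vault
# JWT role "github-actions", KV v2 paths secret/ci/aws and secret/ci/ecr,
# and helm-charts/myapp/values.yaml in this repository.
name: build-push-deploy

on:
  push:
    branches: [main]            # runs after the dev -> main PR is merged

permissions:
  contents: write               # commit the values.yaml image-tag bump
  id-token: write               # GitHub mints an OIDC token; Vault verifies it

env:
  AWS_REGION: us-east-1
  IMAGE_NAME: myapp

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Authenticate with Vault and pull CI secrets
        uses: hashicorp/vault-action@v2
        with:
          url: https://vault.shipcodes.tech
          method: jwt           # short-lived GitHub OIDC token, no static VAULT_TOKEN
          role: github-actions
          # "path key | ENV_NAME" lines; the values are masked in the job log
          secrets: |
            secret/data/ci/aws access_key | AWS_ACCESS_KEY_ID ;
            secret/data/ci/aws secret_key | AWS_SECRET_ACCESS_KEY ;
            secret/data/ci/ecr uri        | ECR_URI

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Log in to Amazon ECR
        run: |
          aws ecr get-login-password --region "$AWS_REGION" \
            | docker login --username AWS --password-stdin "$ECR_URI"

      - name: Build and push image tagged with the commit SHA
        run: |
          docker build -t "$IMAGE_NAME:$GITHUB_SHA" ./application
          docker tag  "$IMAGE_NAME:$GITHUB_SHA" "$ECR_URI/$IMAGE_NAME:$GITHUB_SHA"
          docker push "$ECR_URI/$IMAGE_NAME:$GITHUB_SHA"

      - name: Update Helm values with the new tag and commit
        run: |
          # rewrite only the "tag:" line under image:, keeping its indentation
          sed -i -E "s|^([[:space:]]*tag:[[:space:]]*).*|\1\"$GITHUB_SHA\"|" \
            helm-charts/myapp/values.yaml
          git config user.name  "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit -am "Update image to $GITHUB_SHA"
          git push
```

Two properties worth knowing when reviewing a pipeline like this: the `jwt` method plus `id-token: write` means the runner presents GitHub's per-job OIDC token to Vault, so there is no long-lived Vault token sitting in repository secrets; and the final `git push` is made with the job's default `GITHUB_TOKEN`, which GitHub deliberately does not let trigger another workflow run, so the values bump cannot loop the pipeline.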

## EFK Stack Architecture (Logging)
### EFK Stack Components
```
===========================================================================
                            EFK Logging Stack
===========================================================================
+--------------------+   +--------------------+   +--------------------+
|     EKS Node 1     |   |     EKS Node 2     |   |     EKS Node 3     |
|                    |   |                    |   |                    |
|  +--------------+  |   |  +--------------+  |   |  +--------------+  |
|  |  Fluent Bit  |  |   |  |  Fluent Bit  |  |   |  |  Fluent Bit  |  |
|  |  (DaemonSet) |  |   |  |  (DaemonSet) |  |   |  |  (DaemonSet) |  |
|  +------+-------+  |   |  +------+-------+  |   |  +------+-------+  |
|         | reads    |   |         | reads    |   |         | reads    |
|  +------v-------+  |   |  +------v-------+  |   |  +------v-------+  |
|  |  App Pod 1   |  |   |  |  App Pod 3   |  |   |  |  App Pod 5   |  |
|  |  logs/*.log  |  |   |  |  logs/*.log  |  |   |  |  logs/*.log  |  |
|  +--------------+  |   |  +--------------+  |   |  +--------------+  |
|  +--------------+  |   |  +--------------+  |   |  +--------------+  |
|  |  App Pod 2   |  |   |  |  App Pod 4   |  |   |  |  App Pod 6   |  |
|  |  logs/*.log  |  |   |  |  logs/*.log  |  |   |  |  logs/*.log  |  |
|  +--------------+  |   |  +--------------+  |   |  +--------------+  |
+---------+----------+   +---------+----------+   +---------+----------+
          |                        |                        |
          |  Parse & Forward       |                        |
          +------------------------+------------------------+
                                   |
                                   v
                       +-----------------------+
                       |     Elasticsearch     |
                       |     (StatefulSet)     |
                       |                       |
                       |  - Index: fluent-*    |
                       |  - Storage: 5GB       |
                       |  - Replicas: 1        |
                       +-----------+-----------+
                                   |
                                   |  Query & Visualize
                                   v
                       +-----------------------+
                       |        Kibana         |
                       |     (Deployment)      |
                       |                       |
                       |  kibana.shipcodes     |
                       |  .tech                |
                       +-----------+-----------+
                                   |
                                   v
                       +-----------------------+
                       |     NGINX Ingress     |
                       |     (SSL Enabled)     |
                       +-----------------------+
```

### Fluent Bit Log Collection Process
```
1. Fluent Bit DaemonSet:
   - Deployed on EVERY node in the cluster
   - Runs as privileged pod with host access
   - Mounts /var/log/containers from host
2. Log Collection:
   - Reads container logs: /var/log/containers/*.log
   - Parses JSON format from container runtime
   - Extracts metadata: pod, namespace, container name
3. Log Processing:
   - Filters: Remove system logs if needed
   - Parsers: JSON, regex for custom formats
   - Enrichment: Add Kubernetes metadata
4. Log Forwarding:
   - Protocol: HTTP/HTTPS
   - Destination: Elasticsearch service
   - Index: kubernetes-
   - Buffering: Local disk for reliability
5. Elasticsearch Storage:
   - Creates daily indices
   - Applies mapping for log fields
   - Stores with retention policy
```
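The five steps above expressed as values for the upstream `fluent/fluent-bit` Helm chart. This is an added example and not the content of the project's `10-logging.tf`; the Elasticsearch service name `elasticsearch-master.elastic-stack.svc` and the `/var/lib/fluent-bit` host directory are assumptions. The `kubernetes` index prefix and the daily `kubernetes-YYYY.MM.DD` indices follow steps 4 and 5 and the `kubernetes*` Kibana index pattern (the `fluent-*` shown in the EFK diagram would need a different `Logstash_Prefix`).

```yaml
# Added example values for the fluent/fluent-bit chart (not the project's own
# configuration). Assumed: Elasticsearch at elasticsearch-master.elastic-stack.svc:9200
# and a writable host directory /var/lib/fluent-bit for state.

# The chart mounts /var/log read-only, which is enough for tailing; the tail
# offset DB and the disk buffer need their own writable node-local directory.
extraVolumes:
  - name: flb-state
    hostPath:
      path: /var/lib/fluent-bit
      type: DirectoryOrCreate
extraVolumeMounts:
  - name: flb-state
    mountPath: /var/lib/fluent-bit

config:
  service: |
    [SERVICE]
        Daemon            Off
        Flush             5
        Log_Level         info
        Parsers_File      /fluent-bit/etc/parsers.conf
        HTTP_Server       On
        HTTP_Listen       0.0.0.0
        HTTP_Port         2020
        Health_Check      On
        # step 4: disk-backed buffering so an unavailable Elasticsearch does not lose records
        storage.path      /var/lib/fluent-bit/storage/
        storage.sync      normal
        storage.backlog.mem_limit  5M

  inputs: |
    [INPUT]
        Name              tail
        Path              /var/log/containers/*.log
        multiline.parser  docker, cri
        Tag               kube.*
        DB                /var/lib/fluent-bit/tail.db
        Mem_Buf_Limit     5MB
        Skip_Long_Lines   On
        storage.type      filesystem

  filters: |
    # step 3: enrich each record with pod, namespace and container metadata
    [FILTER]
        Name                kubernetes
        Match               kube.*
        Merge_Log           On
        Keep_Log            Off
        K8S-Logging.Parser  On
        K8S-Logging.Exclude On
    # step 3: drop control-plane system logs
    [FILTER]
        Name     grep
        Match    kube.*
        Exclude  $kubernetes['namespace_name'] ^kube-system$

  outputs: |
    [OUTPUT]
        Name                es
        Match               kube.*
        Host                elasticsearch-master.elastic-stack.svc
        Port                9200
        # Logstash_Format writes one index per day: kubernetes-YYYY.MM.DD
        Logstash_Format     On
        Logstash_Prefix     kubernetes
        Replace_Dots        On
        Suppress_Type_Name  On
        Retry_Limit         False
        storage.total_limit_size  1G
```

Install with `helm upgrade --install fluent-bit fluent/fluent-bit -n elastic-stack -f values.yaml`. The `DB` setting is what makes a DaemonSet restart resume from the last read offset instead of re-shipping every file, and `storage.type filesystem` together with `storage.path` is the "local disk" buffering of step 4. The `HTTP_Server`/`Health_Check` lines are kept because the chart's liveness and readiness probes call that endpoint on port 2020; dropping them when overriding `config.service` makes the pods crash-loop.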
### Kibana Log Visualization Setup
1. Access Kibana at `https://kibana.shipcodes.tech`
2. Navigate to **Management** → **Index Patterns**
3. Create index pattern: `kubernetes*`
4. Select time field: `@timestamp`
5. Go to **Discover** to view logs
6. Create visualizations and dashboards
## Prometheus & Grafana Monitoring

### Monitoring Architecture
```
===========================================================================
                        Prometheus Monitoring Stack
===========================================================================
Metrics Sources
+---------------+  +---------------+  +---------------+  +---------------+
| Node Exporter |  |  kube-state-  |  |   cAdvisor    |  |    Custom     |
|               |  |    metrics    |  |               |  |  App Metrics  |
| :9100/metrics |  | :8080/metrics |  |:10250/metrics |  | :8080/metrics |
+-------+-------+  +-------+-------+  +-------+-------+  +-------+-------+
        |                  |                  |                  |
        +------------------+------------------+------------------+
                                    |
                          Service Discovery
                    (Kubernetes API Integration)
                                    |
                                    |  Scrape every 30s
                                    v
                        +-----------------------+
                        |      Prometheus       |
                        |     (StatefulSet)     |
                        |                       |
                        |  - TSDB Storage       |
                        |  - Retention: 15d     |
                        |  - PVC: 20GB          |
                        |  - HA: Replicas       |
                        +-----------+-----------+
                                    |
                                    |  PromQL Queries
                                    v
                        +-----------------------+
                        |        Grafana        |
                        |     (StatefulSet)     |
                        |                       |
                        |  grafana.shipcodes    |
                        |  .tech                |
                        |                       |
                        |  - Dashboards         |
                        |  - Alerts             |
                        |  - PVC: 10GB          |
                        +-----------+-----------+
                                    |
                                    v
                        +-----------------------+
                        |     NGINX Ingress     |
                        |     (SSL Enabled)     |
                        +-----------------------+
```
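How the "Custom App Metrics" source on `:8080/metrics` gets picked up by the service discovery in the diagram: a Service for the app plus a Prometheus Operator `ServiceMonitor`. This is an added example, not one of the project's manifests; it assumes the `kube-prometheus-stack` chart installed with release name `monitoring` in namespace `monitoring`, and app pods labelled `app=myapp` in namespace `myapp`.

```yaml
# Added example (not from the project). Assumed: kube-prometheus-stack release
# "monitoring" in namespace "monitoring"; app pods labelled app=myapp in "myapp".
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: myapp
  labels:
    app: myapp
spec:
  selector:
    app: myapp
  ports:
    - name: http            # the ServiceMonitor references this port by name
      port: 8080
      targetPort: 8080
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: myapp
  namespace: monitoring
  labels:
    release: monitoring     # the chart's default serviceMonitorSelector matches this label
spec:
  namespaceSelector:
    matchNames: [myapp]
  selector:
    matchLabels:
      app: myapp
  endpoints:
    - port: http
      path: /metrics
      interval: 30s         # matches "Scrape every 30s" in the diagram
```

The `release` label is the usual reason a new ServiceMonitor is silently ignored: by default the chart's Prometheus only selects monitors carrying its own release name. After applying, the target should appear under Status > Targets in the Prometheus UI, and `kubectl get servicemonitor -n monitoring` confirms the object exists.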

### Key Metrics Collected
**Node Metrics (Node Exporter)**
- CPU usage per core
- Memory usage and available
- Disk I/O and space
- Network traffic
**Cluster Metrics (kube-state-metrics)**
- Pod status and restarts
- Deployment replicas
- Node status
- Resource requests/limits
**Container Metrics (cAdvisor)**
- Container CPU usage
- Container memory usage
- Container network I/O
- Container filesystem usage
### Grafana Dashboard Access
1. Access Grafana at `https://grafana.shipcodes.tech`
2. Login with configured credentials
3. Pre-configured dashboards:
- **Kubernetes Cluster Monitoring**: Overall cluster health
- **Node Exporter Full**: Detailed node metrics
- **Pod Monitoring**: Per-pod resource usage
- **Namespace Monitoring**: Resource usage by namespace
## Security & Secrets Management

### Vault Integration
```
===========================================================================
                         Vault Secrets Management
===========================================================================
                       +-----------------------+
                       |    HashiCorp Vault    |
                       |     (StatefulSet)     |
                       |                       |
                       |  vault.shipcodes      |
                       |  .tech                |
                       +-----------+-----------+
                                   |
          +------------------------+------------------------+
          v                        v                        v
+--------------------+   +--------------------+   +--------------------+
|   GitHub Actions   |   |  Application Pods  |   |     Operators      |
|                    |   |                    |   |                    |
|  - AWS Creds       |   |  - DB Creds        |   |  - API Keys        |
|  - ECR Access      |   |  - API Keys        |   |  - Certificates    |
|  - Deploy Keys     |   |  - Configs         |   |  - Tokens          |
+--------------------+   +--------------------+   +--------------------+
```
## SSL Certificate Management
```
===========================================================================
                       Cert-Manager Certificate Flow
===========================================================================
+------------------------+
|   Kubernetes Ingress   |
|    Created with TLS    |
|                        |
|  annotations:          |
|    cert-manager.io/    |
|    cluster-issuer:     |
|    letsencrypt-prod    |
+-----------+------------+
            |
            |  Triggers
            v
+------------------------+
|      Cert-Manager      |
|      (Deployment)      |
+-----------+------------+
            |
            |  Creates
            v
+------------------------+
|   Certificate Object   |
|         (CRD)          |
+-----------+------------+
            |
            |  ACME Challenge
            v
+------------------------+
|    Let's Encrypt CA    |
|       (HTTP-01)        |
+-----------+------------+
            |
            |  Validates domain
            |  Issues certificate
            v
+------------------------+
|   Kubernetes Secret    |
|   (TLS Certificate)    |
|                        |
|   - tls.crt            |
|   - tls.key            |
+-----------+------------+
            |
            |  Mounted by
            v
+------------------------+
|     NGINX Ingress      |
|   (SSL Termination)    |
+------------------------+
```
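The two objects that drive the flow above: the `letsencrypt-prod` ClusterIssuer with an HTTP-01 solver served through NGINX, and a TLS-enabled Ingress carrying the `cert-manager.io/cluster-issuer` annotation. This is an added example rather than the contents of the project's `12-cert-manager.tf` or `09-argocd.tf`; it assumes ingress class `nginx`, the `argocd` namespace, and the `argocd-server` service on port 80 named in the request-flow section. The contact e-mail is a placeholder.

```yaml
# Added example (not the project's own manifests). Assumed: ingress class "nginx",
# namespace "argocd", service argocd-server:80, and a placeholder contact e-mail.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                    # placeholder; expiry notices go here
    privateKeySecretRef:
      name: letsencrypt-prod-account-key      # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx           # challenge is served via NGINX
            # cert-manager releases before 1.12 use "class: nginx" instead
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-ingress
  namespace: argocd
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [argocd.shipcodes.tech]
      secretName: argocd-tls                  # cert-manager writes tls.crt / tls.key here
  rules:
    - host: argocd.shipcodes.tech
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: argocd-server
                port:
                  number: 80
```

`kubectl get certificate -n argocd` should show the `argocd-tls` Certificate with `READY True` once Let's Encrypt has validated the HTTP-01 challenge; while it is pending, `kubectl describe order -n argocd` shows which challenge is outstanding. Because HTTP-01 requires Let's Encrypt to reach `http://argocd.shipcodes.tech/.well-known/acme-challenge/...`, the DNS record for the host must already point at the NGINX load balancer. One ArgoCD-specific caveat: `argocd-server` serves TLS itself by default and redirects plain HTTP, so terminating TLS at NGINX as shown needs the server started with `--insecure` (or the equivalent `server.insecure` setting) to avoid a redirect loop.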
## Getting Started
### Prerequisites
Install required tools:
```
# Terraform
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install terraform

# AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

# kubectl
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

# Helm
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
```
### AWS Configuration
```
# Configure AWS credentials
aws configure
# AWS Access Key ID: YOUR_ACCESS_KEY
# AWS Secret Access Key: YOUR_SECRET_KEY
# Default region: us-east-1
# Default output format: json

# Verify configuration
aws sts get-caller-identity
```
## Infrastructure Deployment
### Step 1: Initialize Terraform
```
cd infrastructure/

# Initialize Terraform with backend
terraform init

# Validate configuration
terraform validate

# Format configuration files
terraform fmt
```
### Step 2: Plan Infrastructure
```
# Review planned changes
terraform plan

# Save plan to file (optional)
terraform plan -out=tfplan
```
### Step 3: Deploy Infrastructure
```
# Apply configuration
terraform apply

# Or apply the saved plan
terraform apply tfplan
```
Deployment creates:
- EKS cluster with control plane
- VPC with public/private subnets
- NAT Gateway for private subnet internet access
- Auto-scaling node groups (2-12 nodes)
- NGINX Ingress Controller with LoadBalancer
- Cert-Manager with Let's Encrypt integration
- Prometheus & Grafana with persistent storage
- Elasticsearch, Kibana, and Fluent Bit
- ArgoCD with GitOps configuration
- HashiCorp Vault for secrets
- CloudNativePG PostgreSQL operator
- Amazon ECR repository
- Cluster Autoscaler
- Metrics Server
### Step 4: Configure kubectl
```
# Update kubeconfig for EKS cluster
aws eks update-kubeconfig --region us-east-1 --name production_eks

# Verify cluster access
kubectl cluster-info

# Check all nodes are ready
kubectl get nodes

# View all pods across namespaces
kubectl get pods --all-namespaces
```
## Accessing Services
### Get Service URLs
```
# Get all ingress URLs
kubectl get ingress --all-namespaces
# Expected output:
# NAMESPACE       NAME              HOSTS                    ADDRESS
# argocd          argocd-ingress    argocd.shipcodes.tech
# monitoring      grafana-ingress   grafana.shipcodes.tech
# elastic-stack   kibana-ingress    kibana.shipcodes.tech
# vault           vault-ingress     vault.shipcodes.tech
```
### Configure DNS Records
For each service, create DNS A/CNAME records pointing to the LoadBalancer:
```
# Get LoadBalancer DNS
kubectl get service -n ingress-nginx ingress-nginx-controller
```
Create DNS records in Route 53 or your DNS provider (for example Cloudflare):
- argocd.shipcodes.tech → LoadBalancer DNS
- grafana.shipcodes.tech → LoadBalancer DNS
- kibana.shipcodes.tech → LoadBalancer DNS
- vault.shipcodes.tech → LoadBalancer DNS
## Deploying Applications
### Application Deployment Flow
```
Developer -> GitHub (dev) -> PR -> Merge (main) -> GitHub Actions
                                                         |
                                    +--------------------+--------------------+
                                    v                                         v
                              Vault Secrets                              Build Image
                                    |                                         |
                                    +--------------------+--------------------+
                                                         |
                                                         v
                                                   Push to ECR
                                                         |
                                                         v
                                       Update Helm Chart (values.yaml)
                                                         |
                                                         v
                                                  ArgoCD Detects
                                                         |
                                                         v
                                                Sync to EKS Cluster
                                                         |
                                                         v
                                               Application Deployed
                                                         |
                                                         v
                                              Accessible via Ingress
```
### Create Application Helm Chart
## Best Practices
### Security
- **Rotate Secrets Regularly**: Update credentials in Vault periodically
- **Use RBAC**: Implement least-privilege access controls
- **Enable Pod Security**: Use Pod Security Standards
- **Network Policies**: Restrict pod-to-pod communication
- **Image Scanning**: Enable ECR image scanning
- **Audit Logging**: Enable EKS control plane logging
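The "Enable Pod Security" and "Network Policies" items above, made concrete for the application namespace: a Namespace enforcing the `restricted` Pod Security Standard, a default-deny NetworkPolicy, and the minimal allow rules an app behind the NGINX ingress needs. This is an added example and not one of the project's manifests; it assumes an app namespace `myapp` with pods labelled `app=myapp` listening on 8080, the ingress controller in namespace `ingress-nginx`, Prometheus in `monitoring`, and a CloudNativePG cluster named `myapp-db` in namespace `database`.

```yaml
# Added example (not from the project). Assumed: namespace "myapp", app pods
# labelled app=myapp on port 8080, ingress-nginx in "ingress-nginx", Prometheus
# in "monitoring", CloudNativePG cluster "myapp-db" in "database".
apiVersion: v1
kind: Namespace
metadata:
  name: myapp
  labels:
    # admission rejects pods that violate the restricted profile
    # (no privileged/hostPath/hostNetwork, non-root, dropped capabilities)
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: myapp
spec:
  podSelector: {}                   # every pod in the namespace
  policyTypes: [Ingress, Egress]    # no rules listed => nothing allowed either way
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-traffic
  namespace: myapp
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes: [Ingress, Egress]
  ingress:
    # HTTP from the NGINX ingress controller only
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - port: 8080
          protocol: TCP
    # metrics scrapes from Prometheus
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - port: 8080
          protocol: TCP
  egress:
    # cluster DNS
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # the application's PostgreSQL cluster managed by CloudNativePG
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: database
          podSelector:
            matchLabels:
              cnpg.io/cluster: myapp-db
      ports:
        - port: 5432
          protocol: TCP
```

Two checks before relying on this: a NetworkPolicy object is only enforced if a policy engine is present, and on EKS that means the VPC CNI's network-policy feature is enabled or a CNI such as Calico is installed, so verify with a pod that should be blocked rather than by reading the object back; and `kubectl get events -n myapp` will show the admission rejections from the `restricted` profile, which is the quickest way to see which workload still asks for a hostPath mount or to run as root. The Fluent Bit DaemonSet, which does need `/var/log` from the host, belongs in its own namespace with a less strict profile rather than in this one.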