Recently I came across an use-case of deploying a microservice on EKS using CodeBuild with GitHub as source. Although I've used Jenkins numerous times to do the same thing but I haven't used AWS Serverless to deploy on EKS.
This blog is for you if you want to deploy your microservice to Kubernetes, or want to learn how to setup AWS CodePipeline with CodeBuild, or like to integrate CodeBuild with EKS or you are generally curious about Kubernetes and Serverless :)
- I enquired about the source code and got to know it was on GitHub. For this blogpost I am going to create my own GitHub Repo with a basic deployment manifest. You can create your own repo and have the full stack of manifests starting from Ingress, to the service, deployment etc required for your microservice.
Next, I setup a CodePipeline. I'll show you how to do that:
- Navigate to Developer Tools in the console, and select Code Pipeline. Provide your pipeline a name, select the default service role so CodePipeline can create a role on your behalf, let the advanced setting be as it is unless you have a custom location for your artifact and want to use a custom KMS Key.
Moving on you need to specify where is your SourceCode that you want to build or deploy.
- Add a Source Provider: In our case that would be GitHub (Version2). Connection: Select if you have an existing connection with your GitHub Account or Create a connection for GitHub, it's fairly simple. Once you authenticate CodePipeline to connect to your GitHub Account you shall receive a CodeStar connection URL, use that. Once you fill in all the details it should look something like this.
Next, we shall add a build stage.
As a build provider we will select AWS CodeBuild. Feel free to choose the region of your choice. If you have an existing project you can select the same or else create a new project. I am going to setup a project from scratch.
Additional Environment Configuration
Select your VPC, choose a private subnet and a SG with outbound allow and then validate your VPC setting. This is where your codebuild server will be provisioned ~ No, Serverless does not mean there are no servers, it's just that, you don't have to manage them ;)
Provide appropriate compute resource to the server as per your code requirements and we are good to go. If you require you can add environment variables and filesystems for your server.
You can leave the buildspec section empty if your buildspec file is buildspec.yml as codebuild will look for that file in your repo, if you have named your file otherwise you can mention that in the buildspec name section. Also if you have some additional requirements while building your code you can mention those in the additional build commands.
Will ignore Batch configuration as we do not require that for this blogpost.
It's best practise to export your build logs to Cloudwatch so that it's easier for you to troubleshoot. Additionally you can also export your CodeBuild logs to S3 for later analysis.
Once you click on continue to CodePipeline, the CodeBuild Project will be created and you can complete your CodePipeline setup.
- In environment variables you can refer to environment values generated from CodePipeline or can add new env variables. On Build Type, we shall be executing a single build on execution.
Skip Deploy stage as codebuild will be taking care of the deployment and create your CodePipeline :)
- EKS Cluster: I shall consider you have a running EKS cluster where we shall be doing the deployment, if not, you can deploy a new EKS cluster. In case you need help, refer this previous blog of mine - Setup your EKS Cluster from scratch
To allow CodeBuild to deploy on the EKS cluster we need to modify EKS RBAC by adding the CodeBuild Service Role with the required permission on the aws-auth configmap that is used to manage EKS RBAC.
To know more about EKS RBAC
- Open your buildproject, that you shall be using. In Build details tab, scroll down to Environment where you can see the Service Role hyperlink.
- To edit the configmap run - kubectl edit cm aws-auth -n kube-system
Under mapRoles we shall add a new entry:
rolearn: arn:aws:iam::xxxaccidxxx:role/codebuild- microservice-deploy-to-eks-service-role
username: CodeBuild Role to Access EKS
Note If you directly copy paste the CodeBuild Role ARN from the console to the configmap you will get a "error: You must be logged in to the server (Unauthorized)", make sure your remove the /servicerole path from the ARN.
- Additionally to the CodeBuild Service Role attach a policy with eks:DescribeCluster action allowed. This will allow codebuild to download the kubeconfig file onto it's server.
- Once you have done all as I mentioned, you would have your application running on EKS with the help of CodeBuild :)
If you want to know more about Kubernetes, DevOps, Serverless follow me, also I would love to have a chat with you on LinkedIn :)