Kubernetes Developer Guide | Helm Development Guide | Reference Architecture

ARCDEVOPS-1 - AWS Cloud Architecture In Progress

ARCDEVOPS-10 - non-root container architecture for kubernetes/docker To Do

Architecture Diagrams

At least 3 types of diagram (full, application, flow)



Full	Includes application agnostic security (DDoS, DPI, CVE)
Application	Includes application specific components
Flow	Shows flows through the system per use case

Kubernetes Architectures

Helm/Kubernetes based Architecture

(recommended) - Reference Architecture#Architecture

Nascent AWS Architecture Examples

AWS Developer Guide#AWSArchitectureConsiderations

Best Practices AWS Architecture

https://calculator.s3.amazonaws.com/index.html

This architecture details what can be achieved using the latest Helm/Kubernetes as the orchestrator and/or ECS/Fargate as the cluster manager

AWS EKS Kubernetes based Architecture

(recommended)

AWS ECS Fargate based Architecture

(recommended)

AWS ECS EC2 based Architecture

(not fully optimized) - see AWS Developer Guide#ECS-ElasticContainerService-Development and AWS-4 - AWS API-Gateway to ECS pipeline via console In Progress

The following AWS architecture is based around the Elastic Container Service (ECS) running on 1 ore more EC2 instances in an EC2 cluster.

The pipeline consists of pushing git artifacts to S3, running CodeBuild to produce the War or spring boot Jar and the docker image in ECR, running CodeDeploy to deploy the task definition to ECS.

User access to the deployed service is via the API Gateway through the ELB.

Developer access to the docker container(s) is either via the Systems Manager or via the bastion on an SSH tunnel.

AWS Architecture - Fargate

This architecture is an example of a resource constrained design - for example using ECS/EC2 instead of Fargate as the cluster manager or Kubernetes as the orchestrator.

Infrastructure/Platform/Software/Function as a Service

There are many valid architectures suited to a particular set of use cases and requirements. Some of these are hybrid, some are a combination of local or cloud based infrastructure, platform, software or function as a service offerings. I will summarize a subset that I am familiar with or actively implementing here.

AWS CodeCommit/CodeBuild/CodeDeploy/CodePipeline
Well Architected Framework - AWS

Based on the standard Amazon AWS Well Architected Best Practices

Server Reference Architecture

IE: EC2

Platform as a Service Reference Architecture

IE: ElasticBeanstalk

Serverless Reference Architecture

IE: Lambda

Messaging

API Gateway

https://microservices.io/patterns/apigateway.html

Monitoring

Log Streaming and Tracing - Logging

Security

Data Storage

File Storage

Networking

Scaling

Resiliency

Availability

Placement groups

If resizing a cluster re-launch all the VMS to allow for single placement

CI/CD Pipelines

I have experience in the past going back to 2014 where I used Atlassian Bamboo to run AWS EC2 instances for build and deployment. AWS now provides a better alternative where we run our CodeBuild instances inside the private subnet of a VPC - where we can get access to everything inside.

https://docs.aws.amazon.com/codebuild/latest/userguide/vpc-support.html

see

https://wiki.onap.org/display/DW/Cloud+Native+Deployment and https://medium.com/swlh/universal-cicd-pipeline-on-aws-and-k8s-7b4129fac5d4

Github/CodeCommit + CodeBuild + CodeDeploy + CodePipeline

Prerequisites

We need a 2 subnet VPC that uses a NAT Gateway - not a NAT EC2 instance. We also need a <repo>-codebuild yaml file with the buildspec or we get the following

[Container] 2019/06/26 17:50:23 CODEBUILD_SRC_DIR=/codebuild/output/src388071284/src/github.com/obrienlabs/difference-cloud

[Container] 2019/06/26 17:50:23

Phase context status code: YAML_FILE_ERROR Message: stat /codebuild/output/src388071284/src/github.com/obrienlabs/difference-cloud/difference-cloud-codebuild: no such file or directory

Create a 2 subnet Public/Private VPC with NAT Gateway and Bastion

AWS Developer Guide#Createa2subnetPublic/PrivateVPCwithNATGatewayandBastion

Cognito Errors

Unrecognizable lambda output (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidLambdaResponseException; Request ID: 36ca1bee-b978-4803-80e8-d89cc48ae80b)

github + jenkins + sh script + AWS

Traditional custom scripts are the layer over direct AWS deployment commands or cloudformation templates.

github + jenkins + terraform + AWS

Add terraform as the layer over cloudformation.

Example Architectures

Backend: Relational DB - App: Spring Boot REST WAR with AngularJS Frontend

In this section we will create a simple one page web application that is running a REST controller on top of a relational ORM DB. Deployment will be via docker container using kubernetes as the orchestrator.

Eclipse Project Creation

Navigate to spring.io to create the project template

Deployment

Best Practices

GUI and REST API Separation

Use an API gateway approach. See Netflix and CloudFoundry

Database and Use case Matching

Relational DB for relational data

Graph DB for deep traversal data

KV store for unstructured row level data

Identity and SSO

Secure Remote Protocol - http://srp.stanford.edu/ | Signature Version 4 - https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html |

Reference Architecture#SingleSignOn

WebSocket vs HTTP 1/2 and SSE

https://medium.com/platform-engineer/web-api-design-35df8167460

https://serialized.net/2020/09/multiplayer/

Platform Maturity

Some of what I learned working on ONAP S3P - design for Security, Scalability, Stability and Performance. A lot of maturity requirements are met by using a container framework like Kubernetes under Helm.

References

https://medium.com/netflix-techblog/fault-tolerance-in-a-high-volume-distributed-system-91ab4faae74a
https://architectelevator.com/architecture/architect-bookshelf/

Page tree

Architecture