WARNING: The resources created in this guide will cost about $70.00/month. The actual price might depend on usage, but make sure to delete the resources as described in Step 5 Deinstallation when you no longer need them.
This example expects you to have the following CLI tools set up.
# First we'll need a cluster. You can create one using the eksctl CLI.
# This will take a couple of minutes
eksctl create cluster \
--name multi-juicer \
--version 1.14 \
--nodegroup-name standard-workers \
--node-type t3.medium \
--nodes 2 \
--nodes-min 1 \
--nodes-max 4 \
--node-ami auto
# After completion verify that your kubectl context has been updated:
# Should print something like: [email protected]
kubectl config current-context
# You'll need to add the multi-juicer helm repo to your helm repos
helm repo add multi-juicer https://iteratec.github.io/multi-juicer/
helm install multi-juicer multi-juicer/multi-juicer
# Kubernetes will now spin up the pods
# To verify everything is starting up, run:
kubectl get pods
# This should show you two pods: a juice-balancer pod and a progress-watchdog pod
# Wait until both pods are ready
This step is optional, but helpful to catch errors quicker.
# Let's test whether the app is working correctly before proceeding
# For that we can port-forward the JuiceBalancer service to your local machine
kubectl port-forward service/juice-balancer 3000:3000
# Open your browser at localhost:3000
# You should be able to see the MultiJuicer Balancer UI
# Try to create a team and see if everything works correctly
# You should be able to access a JuiceShop instance a few seconds after creating a team
# and clicking the "Start Hacking" button
# You can also check that the admin UI works correctly
# Go back to localhost:3000/balancer
# To log in as the admin, log in as the team "admin"
# The password for the team is autogenerated if not specified; you can extract it from the Kubernetes secret:
kubectl get secrets juice-balancer-secret -o=jsonpath='{.data.adminPassword}' | base64 --decode
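First, we need to create an IAM policy which gives permissions to create the load balancer.
# Take note of the ARN of the policy
# Note: AWS CLI v2 no longer fetches https:// URLs given as parameter values; with v2, download the policy document first and pass it as a local file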
aws iam create-policy \
--policy-name ALBIngressControllerIAMPolicy \
--policy-document https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/iam-policy.json
Next, we will integrate Kubernetes with AWS, allowing Kubernetes to provision an Application Load Balancer on our behalf.
IMPORTANT! Note the second step requires modifying cluster-iam.yaml
#Associate IAM OIDC Provider
wget https://raw.githubusercontent.com/iteratec/multi-juicer/master/guides/aws/cluster-iam.yaml
# Edit line 15 - Place the ARN of the policy you created in the attachPolicyARNs field and update your AWS region in the metadata section.
eksctl utils associate-iam-oidc-provider --config-file=cluster-iam.yaml --approve
#Create Kubernetes Service Account and bind it to Ingress Controller
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/rbac-role.yaml
#Create IAM Role to attach to Service Account
eksctl create iamserviceaccount --config-file=cluster-iam.yaml --approve --override-existing-serviceaccounts
#Create Ingress Controller
kubectl apply -f https://raw.githubusercontent.com/iteratec/multi-juicer/master/guides/aws/alb-ingress-controller.yaml
After you have set that up, we can create an ingress config for the MultiJuicer stack.
# create the ingress for the JuiceBalancer service
kubectl apply -f https://raw.githubusercontent.com/iteratec/multi-juicer/master/guides/aws/aws-ingress.yaml
You can get the LoadBalancer's DNS record either from the AWS console, or by running:
kubectl get ingress
# Should print something like:
# NAME HOSTS ADDRESS PORTS AGE
# juice-balancer-ingress * YOUR_DNS_RECORD_WILL_BE_HERE.elb.amazonaws.com 80 2m3s
Use kubectl get pods to see the pods you have successfully running, which should be similar to:
kubectl get pods
# NAME READY STATUS RESTARTS AGE
# cleanup-job-ID-ID 0/1 Completed 0 48m
# juice-balancer-ID-ID 1/1 Running 0 80m
# progress-watchdog-ID-ID 1/1 Running 0 80m
kubectl get pods -n kube-system
# NAME READY STATUS RESTARTS AGE
# alb-ingress-controller-ID-ID 1/1 Running 0 30s
# aws-node-ID 1/1 Running 0 59m
# aws-node-ID 1/1 Running 0 59m
# coredns-ID-ID 1/1 Running 0 65m
# coredns-ID-ID 1/1 Running 0 65m
# kube-proxy-ID 1/1 Running 0 59m
# kube-proxy-ID 1/1 Running 0 59m
helm delete multi-juicer
# Delete the ingress setup
kubectl delete -f https://raw.githubusercontent.com/iteratec/multi-juicer/master/guides/aws/aws-ingress.yaml
kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/rbac-role.yaml
# Delete the kubernetes cluster
eksctl delete cluster multi-juicer
AWS::IAM::Role/Role1: CREATE_FAILED – "1 validation error detected: Value '' at 'policyArn' failed to satisfy constraint: Member must have length greater than or equal to 20 (Service: AmazonIdentityManagement; Status Code: 400; Error Code: ValidationError; Request ID: X)"
This error may occur when you don't update cluster-iam.yaml with your Region and Policy ARN.
- Update cluster-iam.yaml
- Run eksctl delete iamserviceaccount --cluster=multi-juicer --name=alb-ingress-controller --namespace=kube-system to delete the old account if it exists
- Run eksctl create iamserviceaccount --config-file=cluster-iam.yaml --approve --override-existing-serviceaccounts
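A pre-flight check for the failure described above, as an added example that is not part of the MultiJuicer guide or repository. It assumes cluster-iam.yaml follows the eksctl ClusterConfig layout (a region key under metadata and a block-style attachPolicyARNs list); the function names, the sample file and its region value are constructed for illustration.

```shell
# Added example: validate cluster-iam.yaml before running eksctl create iamserviceaccount.
# Assumes the eksctl ClusterConfig layout: metadata.region and a block-style attachPolicyARNs list.
ARN_RE='arn:aws[a-z-]*:iam::([0-9]{12}|aws):policy/[A-Za-z0-9+=,.@_/-]+'
REGION_RE='[a-z]{2}(-[a-z]+)+-[0-9]+'

# Print the value of metadata.region (prints nothing if the key is unset).
config_region() {
  awk '/^metadata:/ { m = 1; next }
       m && /^[^ #]/ { m = 0 }
       m && /^ +region:/ { sub(/^ +region: */, ""); sub(/ +#.*$/, ""); print; exit }' "$1" | tr -d "\"' "
}

# Print every item under attachPolicyARNs, one per line; blank items become <empty>.
policy_arns() {
  awk '/^ *attachPolicyARNs:/ { match($0, /[^ ]/); key = RSTART; l = 1; next }
       l && /^ *-/ { match($0, /[^ ]/)
                     if (RSTART >= key) { sub(/^ *- */, ""); sub(/ +#.*$/, ""); print; next } }
       l && /[^ ]/ { l = 0 }' "$1" | tr -d "\"' " | sed 's/^$/<empty>/'
}

# Return 0 only if the region is set and every listed policy ARN is well-formed.
check_cluster_iam() {
  rc=0
  config_region "$1" | grep -Eqx "$REGION_RE" || { echo "metadata.region missing or malformed" >&2; rc=1; }
  arns=$(policy_arns "$1")
  bad=$(printf '%s\n' "$arns" | grep -Evx "$ARN_RE" || true)
  { [ -n "$arns" ] && [ -z "$bad" ]; } ||
    { echo "attachPolicyARNs needs a full policy ARN (found: '${bad:-nothing}')" >&2; rc=1; }
  return "$rc"
}

# Constructed sample in the assumed layout; $2 is the ARN written into the file.
write_sample() {
  cat > "$1" <<EOF
metadata:
  name: multi-juicer
  region: eu-central-1
iam:
  serviceAccounts:
  - metadata: {name: alb-ingress-controller, namespace: kube-system}
    attachPolicyARNs:
    - "$2"
EOF
}

tmp=$(mktemp); write_sample "$tmp" ""   # ARN left blank, the case that produces the error above
check_cluster_iam "$tmp" || echo "fix cluster-iam.yaml before creating the IAM service account"
rm -f "$tmp"
```

Run check_cluster_iam against your edited cluster-iam.yaml; a non-zero exit status means the CloudFormation stack for the service account role would be created with an empty or invalid policyArn.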