subcollection | copyright | lastupdated | lasttested | content-type | services | account-plan | completion-time | use-case | ||
---|---|---|---|---|---|---|---|---|---|---|
solution-tutorials |
|
2024-01-08 |
2023-09-14 |
tutorial |
containers, Registry, secrets-manager |
paid |
2h |
ApplicationModernization, Cybersecurity, Containers |
{{site.data.keyword.attribute-definition-list}}
{: #scalable-webapp-kubernetes} {: toc-content-type="tutorial"} {: toc-services="containers, Registry, secrets-manager"} {: toc-completion-time="2h"}
This tutorial may incur costs. Use the Cost Estimator to generate a cost estimate based on your projected usage. {: tip}
This tutorial walks you through how to run a web application locally in a container, and then deploy it to a Kubernetes cluster created with {{site.data.keyword.containershort_notm}}. As an optional step you can build a container image and push the image to a private registry. Additionally, you will learn how to bind a custom subdomain, monitor the health of the environment, and scale the application. {: shortdesc}
Containers are a standard way to package apps and all their dependencies so that you can seamlessly move the apps between environments. Unlike virtual machines, containers do not bundle the operating system. Only the app code, run time, system tools, libraries, and settings are packaged inside containers. Containers are more lightweight, portable, and efficient than virtual machines.
{: #scalable-webapp-kubernetes-objectives}
- Deploy a web application to the Kubernetes cluster.
- Bind a custom subdomain.
- Monitor the logs and health of the cluster.
- Scale Kubernetes pods.
{: caption="Architecture diagram" caption-side="bottom" class="center" } {: style="text-align: center;"}
- A developer downloads or clones a sample web application.
- Optionally build the application to produce a container image.
- Optionally the image is pushed to a namespace in the {{site.data.keyword.registrylong_notm}}.
- The application is deployed to a Kubernetes cluster.
- Users access the application.
{: #scalable-webapp-kubernetes-prereqs}
This tutorial requires:
- {{site.data.keyword.cloud_notm}} CLI,
- {{site.data.keyword.containerfull_notm}} plugin (
kubernetes-service
),
- {{site.data.keyword.containerfull_notm}} plugin (
kubectl
to interact with Kubernetes clusters,Helm 3
to deploy charts.
You will find instructions to download and install these tools for your operating environment in the Getting started with tutorials guide.
To avoid the installation of these tools you can use the {{site.data.keyword.cloud-shell_short}} from the {{site.data.keyword.cloud_notm}} console. {: tip}
In addition:
- You will need a {{site.data.keyword.secrets-manager_short}} instance. With {{site.data.keyword.secrets-manager_short}}, you can create, lease, and centrally manage secrets that are used in IBM Cloud services or your custom-built applications. Secrets are stored in a dedicated {{site.data.keyword.secrets-manager_short}} instance and you can use built in features to monitor for expiration, schedule or manually rotate your secrets. In this tutorial, you will use a Kubernetes Operator to retrieve a TLS certificate from {{site.data.keyword.secrets-manager_short}} and inject into a Kubernetes secret. You can use an existing instance if you already have one or create a new one by following the steps outlined in Creating a {{site.data.keyword.secrets-manager_short}} service instance.
- Optionally set up a registry namespace. It is only needed if you will build your own custom container image.
- Understand the basics of Kubernetes{: external}.
{: #secrets-mgr_setup_s2s} {: step}
Integrating {{site.data.keyword.secrets-manager_short}} with your {{site.data.keyword.containerlong_notm}} cluster requires service-to-service communication authorization. Follow these steps to set up the authorization. For more information, see Integrations for {{site.data.keyword.secrets-manager_short}}.
- In the {{site.data.keyword.cloud_notm}} console, click Manage > Access (IAM).
- Click Authorizations.
- Click Create.
- In the Source service list, select Kubernetes Service.
- Select the option to scope the access to All resources.
- In the Target service list, select {{site.data.keyword.secrets-manager_short}}.
- Select the option to scope the access to All resources.
- In the Service access section, check the Manager option.
- Click Authorize.
{: #scalable-webapp-kubernetes-create_kube_cluster} {: step}
The {{site.data.keyword.containerlong_notm}} is a managed offering to create your own Kubernetes cluster of compute hosts to deploy and manage containerized apps on IBM Cloud. A minimal cluster with one (1) zone, one (1) worker node and the smallest available size (Flavor) is sufficient for this tutorial.
-
Open the Kubernetes clusters and click Create cluster.
-
Create a cluster on your choice of Infrastructure.
-
The following steps are if you select VPC for Kubernetes on VPC infrastructure. You are required to create a VPC and subnet(s) before creating the Kubernetes cluster. Reference the Creating VPC clusters documentation for more details.
- Click Create VPC.
- Under the Location section, select a Geography and Region, for example
Europe
andLondon
. - Enter a Name of your VPC, select a Resource group and optionally, add Tags to organize your resources.
- Uncheck Allow SSH and Allow ping from the Default security group.
- Uncheck Create subnet in every zone.
- Click on Create.
- Under Worker zones and subnets, uncheck the two zones for which the subnet wasn't created.
- Set the Worker nodes per zone to
1
and click on Change flavor to explore and change to the worker node size of your choice. - Under Ingress, enable Ingress secrets management and select your existing {{site.data.keyword.secrets-manager_short}} instance.
- Enter a Cluster name and select the same Resource group that you used for the VPC.
- Logging or Monitoring aren't required in this tutorial, disable those options and click on Create.
- While you waiting for the cluster to become active, attach a public gateway to the VPC. Navigate to the Virtual private clouds.
- Click on the name for the VPC used by the cluster and scroll down to subnets section.
- Click on the name of the subnet created earlier and in the Public Gateway section, click on Detached to change the state to Attached.
-
The following steps are if you select Classic for Kubernetes on Classic infrastructure. Reference the Creating a standard classic cluster documentation for more details.
- Under the Location section, select a Geography, multizone Availability, and Metro for example
Europe
andLondon
. - Under Worker zones and VLANs, uncheck all zones except for one.
- Set the Worker nodes per zone to
1
and click on Change flavor to explore and change to the worker node size of your choice. - Under Master service endpoint, select Both private & public endpoints.
- Under Ingress, enable Ingress secrets management and select your existing {{site.data.keyword.secrets-manager_short}} instance.
- Enter a Cluster name and select the Resource group to create these resources under.
- Logging or Monitoring aren't required in this tutorial, disable those options and click on Create.
- Under the Location section, select a Geography, multizone Availability, and Metro for example
-
{: #scalable-webapp-kubernetes-clone_application} {: step}
In this section, you will clone a GitHub repo with a simple Helm-based NodeJS{: external} sample application with a landing page and two endpoints to get started. You can always extend the sample application based on your requirements.
-
On a terminal, run the below command to clone the GitHub repository{: external}:
git clone https://github.com/IBM-Cloud/kubernetes-node-app
{: pre}
-
Change to the application directory:
cd kubernetes-node-app
{: pre}
This sample application code contains all the necessary configuration files for local development and deployment to Kubernetes.
{: #scalable-webapp-kubernetes-deploy} {: step}
{: #scalable-webapp-kubernetes-9}
The container image for the application as already been built and pushed to a public registry in the {{site.data.keyword.registryfull_notm}}. In this section you will deploy the sample application using Helm{: external}. Helm helps you manage Kubernetes applications through Helm Charts, which helps define, install, and upgrade even the most complex Kubernetes application.
Note: If you want to build and push the application to your own container registry you can use the Docker CLI to do so. The Dockerfile is provided in the repository and images can be pushed to the {{site.data.keyword.registryfull_notm}} or any other container registry.
{: tip}
-
Define an environment variable named
MYAPP
and set the name of the application by replacing the placeholder with your initials:export MYAPP=<your-initials>kubenodeapp
{: pre}
-
Identify your cluster:
ibmcloud ks cluster ls
{: pre}
-
Initialize the variable with the cluster name:
export MYCLUSTER=<CLUSTER_NAME>
{: pre}
-
Initialize the
kubectl
cli environment:ibmcloud ks cluster config --cluster $MYCLUSTER
{: pre}
Make sure the CLI is configured for the region and resource group where your created your cluster using
ibmcloud target -r <region> -g <resource_group>
. For more information on gaining access to your cluster and to configure the CLI to run kubectl commands, check the CLI configure section {: tip} -
You can either use the
default
Kubernetes namespace or create a new namespace for this application.-
If you want to use the
default
Kubernetes namespace, run the below command to set an environment variable:export KUBERNETES_NAMESPACE=default
{: pre}
-
If you want to create a new Kubernetes namespace, follow the steps mentioned under Copying an existing image pull secret and Storing the image pull secret in the Kubernetes service account for the selected namespace sections of the Kubernetes service documentation. Once completed, run the below command:
export KUBERNETES_NAMESPACE=<KUBERNETES_NAMESPACE_NAME>
{: pre}
-
-
Change to the chart directory under your sample application directory:
cd chart/kubernetesnodeapp
{: pre}
-
Install the Helm chart:
helm install $MYAPP --namespace $KUBERNETES_NAMESPACE . --set image.repository=icr.io/solution-tutorials/tutorial-scalable-webapp-kubernetes
{: pre}
-
Change back to the sample application directory:
cd ../..
{: pre}
{: #scalable-webapp-kubernetes-12}
-
List the Kubernetes services in the namespace:
kubectl get services -n $KUBERNETES_NAMESPACE
{: pre}
-
List the Kubernetes pods in the namespace:
kubectl get pods -n $KUBERNETES_NAMESPACE
{: pre}
{: #scalable-webapp-kubernetes-ibm_domain} {: step}
Clusters come with an IBM-provided domain. This gives you a better option to expose applications with a proper URL and on standard HTTP/S ports.
Use Ingress to set up the cluster inbound connection to the service.
{: caption="Ingress" caption-side="bottom"} {: style="text-align: center;"}
-
Identify your IBM-provided Ingress subdomain and Ingress secret:
ibmcloud ks cluster get --cluster $MYCLUSTER
{: pre}
to find
Ingress subdomain: mycluster.us-south.containers.appdomain.cloud Ingress secret: mycluster
{: screen}
-
Define environment variable
INGRESS_SUBDOMAIN
to hold the value of the Ingress subdomain:export INGRESS_SUBDOMAIN=<INGRESS_SUBDOMAIN>
{: pre}
-
Define environment variable
INGRESS_SECRET
to hold the value of the Ingress secret:export INGRESS_SECRET=<INGRESS_SECRET>
{: pre}
-
In the sample application directory run the below bash command to create an Ingress file
ingress-ibmsubdomain.yaml
pointing to the IBM-provided domain with support for HTTP and HTTPS:./ingress.sh ibmsubdomain_https
{: pre}
The file is generated from a template file
ingress-ibmsubdomain-template.yaml
under yaml-templates folder by replacing all the values wrapped in the placeholders ($
) with the appropriate values from the environment variables. -
Deploy the Ingress:
kubectl apply -f ingress-ibmsubdomain.yaml
{: pre}
-
Open your application in a browser at
https://<myapp>.<ingress-subdomain>/
or run the below command to see the HTTP output:curl -I https://$MYAPP.$INGRESS_SUBDOMAIN
{: pre}
{: #scalable-webapp-kubernetes-custom_domain} {: step}
This section requires you to own a custom domain. You will need to create a CNAME
record pointing to the IBM-provided ingress subdomain for the cluster. If your domain is example.com
then the CNAME will be <myapp>.<example.com>
pointing to <myapp>.<ingress-subdomain>
.
{: #scalable-webapp-kubernetes-15}
-
Create an environment variable pointing to your custom domain:
export CUSTOM_DOMAIN=<example.com>
{: pre}
-
Create an Ingress file
ingress-customdomain-http.yaml
pointing to your domain from the template fileingress-customdomain-http-template.yaml
:./ingress.sh customdomain_http
{: pre}
-
Deploy the Ingress:
kubectl apply -f ingress-customdomain-http.yaml
{: pre}
-
Access your application at
http://<myapp>.<example.com>/
.
{: #scalable-webapp-kubernetes-16}
If you were to try to access your application with HTTPS at this time https://<myapp>.example.com/
, you will likely get a security warning from your web browser telling you the connection is not private.
Now, import your certificate into the {{site.data.keyword.secrets-manager_short}} instance you configured earlier to your cluster.
-
Access the {{site.data.keyword.secrets-manager_short}} service instance from the Resource List Under Security.
-
Click on Secrets in the left navigation.
-
Click Add.
-
You can select either Public certificate, Imported certificate or Private certificate. Detailed steps are available in the respective documentation topics: Ordering SSL/TLS public certificates, Importing SSL/TLS certificates or Creating SSL/TLS private certificates. If you selected to import a certificate, make sure to upload the certificate, private key and intermediate certificate files.
-
Locate the entry for the imported or ordered certificate and click on it.
- Verify the domain name matches your $CUSTOM_DOMAIN. If you uploaded a wildcard certificate, an asterisk is included in the domain name.
- Click the copy icon next to the certificate's ID.
- Create an environment variable pointing to the value you just copied:
export CERTIFICATE_ID=<certificate ID>
{: pre}
-
In {{site.data.keyword.secrets-manager_short}}, certificates that you import to the service are imported certificates (imported_cert). Certificates that you order through {{site.data.keyword.secrets-manager_short}} from a third-party certificate authority are public certificates (public_cert). This information is needed in the helm chart you will be using later on to configure the ingress. Select and run the command that is appropriate for your selection in the previous step.
export CERTIFICATE_TYPE=imported_cert
{: pre}
or
export CERTIFICATE_TYPE=public_cert
{: pre}
-
Click on Endpoints in the left navigation.
-
Locate the Public endpoint for the Service API.
- Create an environment variable pointing to the endpoint:
export SECRETS_MANAGER_URL=<public endpoint>
{: pre}
In order to access the {{site.data.keyword.secrets-manager_short}} service instance from your cluster, we will use the External Secrets Operator{: external} and configure a service ID and API key for it.
-
Create a service ID and set it as an environment variable:
export SERVICE_ID=`ibmcloud iam service-id-create kubernetesnodeapp-tutorial --description "A service ID for scalable-webapp-kubernetes tutorial." --output json | jq -r ".id"`; echo $SERVICE_ID
{: codeblock}
-
Assign the service ID permissions to read secrets from {{site.data.keyword.secrets-manager_short}}:
ibmcloud iam service-policy-create $SERVICE_ID --roles "SecretsReader" --service-name secrets-manager
{: codeblock}
-
Create an API key for your service ID:
export IBM_CLOUD_API_KEY=`ibmcloud iam service-api-key-create kubernetesnodeapp-tutorial $SERVICE_ID --description "An API key for scalable-webapp-kubernetes tutorial." --output json | jq -r ".apikey"`
{: codeblock}
-
Create a secret in your cluster for that API key:
kubectl -n $KUBERNETES_NAMESPACE create secret generic kubernetesnodeapp-api-key --from-literal=apikey=$IBM_CLOUD_API_KEY
{: codeblock}
-
Run the following commands to install the External Secrets Operator:
helm repo add external-secrets https://charts.external-secrets.io
{: codeblock}
helm install external-secrets external-secrets/external-secrets
{: codeblock}
-
Create an Ingress file
ingress-customdomain-https.yaml
pointing to your domain from the templateingress-customdomain-https-template.yaml
:./ingress.sh customdomain_https
{: pre}
-
Deploy the Ingress:
kubectl apply -f ingress-customdomain-https.yaml
{: pre}
-
Validate the secret was created:
kubectl get secret kubernetesnodeapp-certificate -n $KUBERNETES_NAMESPACE
{: pre}
If you encounter any errors running the above command, you can run the following command to obtain more details on the reasons for that error.
kubectl get externalsecret.external-secrets.io/kubernetesnodeapp-external-secret -o json
{: pre}
-
Access your application at
https://$MYAPP.$CUSTOM_DOMAIN/
.curl -I https://$MYAPP.$CUSTOM_DOMAIN
{: pre}
{: #scalable-webapp-kubernetes-monitor_application} {: step}
- To check the health of your application, navigate to clusters to see a list of clusters and click on your cluster.
- Click Kubernetes Dashboard to launch the dashboard in a new tab.
- Click Pods on the left then click a pod-name matching $MYAPP
- Examine he CPU and Memory usage.
- Note the node IP name.
- Click View logs in the action menu in the upper right to see the standard output and error of the application.
- Select Nodes on the left pane, click the Name of a node noted earlier and see the Allocation Resources to see the health of your nodes.
- To exec into the container select Exec into in the action menu
{: #scalable-webapp-kubernetes-scale_cluster} {: step}
As load increases on your application, you can manually increase the number of pod replicas in your deployment. Replicas are managed by a ReplicaSet{: external}. To scale the application to two replicas, run the following command:
kubectl scale deployment kubernetesnodeapp-deployment --replicas=2
{: pre}
After a short while, you will see two pods for your application in the Kubernetes dashboard (or with kubectl get pods
). The Ingress controller in the cluster will handle the load balancing between the two replicas.
With Kubernetes, you can enable horizontal pod autoscaling{: external} to automatically increase or decrease the number of instances of your apps based on CPU.
To create an autoscaler and to define your policy, run the below command
kubectl autoscale deployment kubernetesnodeapp-deployment --cpu-percent=5 --min=1 --max=5
{: pre}
Once the autoscaler is successfully created, you should see
horizontalpodautoscaler.autoscaling/<deployment-name> autoscaled
.
{: #scalable-webapp-kubernetes-0} {: step}
-
Delete the horizontal pod autoscaler:
kubectl delete horizontalpodautoscaler.autoscaling/kubernetesnodeapp-deployment
{: pre}
-
Delete the resources applied:
kubectl delete -f ingress-customdomain-https.yaml kubectl delete -f ingress-customdomain-http.yaml kubectl delete -f ingress-ibmsubdomain.yaml
{: pre}
-
Delete the Kubernetes artifacts created for this application:
helm uninstall $MYAPP --namespace $KUBERNETES_NAMESPACE
{: pre}
-
Delete the Kubernetes secret:
kubectl -n $KUBERNETES_NAMESPACE delete secret kubernetesnodeapp-api-key
{: pre}
-
Delete the External Secrets Operator:
helm uninstall external-secrets
{: pre}
-
Delete the service ID:
ibmcloud iam service-id-delete $SERVICE_ID
{: pre}
-
Delete the cluster.
{: #scalable-webapp-kubernetes-20}