Amazon Elastic Kubernetes Service (EKS)

This guide will show you how to install Okteto Enterprise onto Amazon Elastic Kubernetes Service (EKS). We'll be focusing exclusively on EKS in order to keep it as simple as possible.

Requirements

In order to fully install Okteto Enterprise, you'll need the following:

• A subdomain to which you can add a wildcard DNS record
• A Kubernetes cluster
• A working installation of kubectl
• A working installation of Helm v3
• A GitHub OAuth application
• An IAM user
• An S3 bucket
• An Okteto Enterprise License (optional)

Subdomain

You'll need to have access to a internet accessible subdomain to which you can add a wildcard DNS record, such as dev.example.com. Let's Encrypt servers must be able to resolve the addresses in order to issue the required certificates.

This guide will assume that your domain is registered in Amazon Route53. Other DNS services can be used, but aren't covered here.

Deploy a Kubernetes cluster

We recommend that you follow Amazon's cluster creation guide.

We recommend the following specs:

• v1.19 or newer
• A pool with at least 3 m4.xlarge nodes
• 100 GB per disk

You'll be using the cluster's API server endpoint when configuring Okteto Enterprise

Installing kubectl

Follow Amazon's documentation for installing kubectl. Once installed, configure kubectl to talk to your new cluster.

Installing Helm v3

Follow the official documentation for installing the latest release of Helm v3.

Creating the GitHub OAuth application

Okteto Enterprise supports OAuth providers like Google, GitHub, or OpenID Connect to handle user authentication. For this guide, we'll focus on using GitHub. All the supported configuration settings are described here.

Follow GitHub's official documentation on how to create an OAuth App.

When creating the OAuth App, you will need to provide the following values:

Homepage URL:

https://okteto.DOMAIN

Authorization callback URL:

https://okteto.DOMAIN/auth/callback

You'll use the Client ID and Client Secret when installing Okteto Enterprise.

Creating an Amazon S3 Bucket

Okteto Enterprise uses S3 to store your private images. Follow Amazon's guide on how to create s3 buckets. Create the bucket in the region as your EKS cluster, and keep it private.

Creating an IAM

The Okteto Enterprise sub-components need access to Route 53 (to fulfill the ACME challenge for the certificates) and S3 (for uploading and downloading your container images).

We recommend you follow AWS' official documentation on how to create and manage IAM Users for more information on this.

You'll need to perform the following tasks:

1. Create an IAM User

2. Allow the following actions (replace YOUR_BUCKET with your s3 bucket name):

     {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": "route53:GetChange",
               "Resource": "arn:aws:route53:::change/*"
           },
           {
               "Effect": "Allow",
               "Action": "route53:ChangeResourceRecordSets",
               "Resource": "arn:aws:route53:::hostedzone/*"
           },
           {
               "Effect": "Allow",
               "Action": "route53:ListHostedZonesByName",
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "s3:ListBucket",
                   "s3:GetBucketLocation",
                   "s3:ListBucketMultipartUploads"
               ],
               "Resource": "arn:aws:s3:::YOUR_BUCKET"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "s3:PutObject",
                   "s3:GetObject",
                   "s3:DeleteObject",
                   "s3:ListMultipartUploadParts",
                   "s3:AbortMultipartUpload"
               ],
               "Resource": "arn:aws:s3:::YOUR_BUCKET/*"
           }
       ]
   }

3. Create a set of Access keys and save them locally. We'll be using this when installing Okteto Enterprise.

Adding the Okteto Enterprise Helm repository

You'll need to add the Okteto Enterprise repository to be able to install Okteto Enterprise:

helm repo add okteto https://charts.okteto.com
helm repo update

Getting your Okteto Enterprise License

Okteto Enterprise is free for small teams. You get all the features of Okteto Enterprise for up to 3 users with 3 namespaces each.

Want to use Okteto Enterprise with a bigger team? Let's talk

Installing Okteto Enterprise

Creating the Okteto namespace

Create a dedicated namespace for your Okteto Enterprise instance, and the required CRDs:

$ kubectl apply -f https://charts.okteto.com/namespace.yaml

$ kubectl apply -f https://charts.okteto.com/crds.yaml

Configuring your Okteto Enterprise instance

Create a Kubernetes secret with the IAM User's Access secret key you created before:

kubectl create secret generic okteto-cloud-secret --namespace=okteto --from-literal=key=IAM_ACCESS_SECRET

Download a copy of the Okteto Enterprise EKS configuration file, open it, and update the following values:

• Your email
• Your license (optional)
• A subdomain
• clientId and clientSecret of the OAuth Application you created
• Your cluster's API server endpoint
• The name of the bucket you created
• The Access key ID of the IAM User

You can also configure Okteto to assume a role instead of using access keys. Check the AWS section in the configuration page to learn more.

For example:

email: admin@example.com
license: 1234567890ABCD==
subdomain: dev.example.com
cluster:
  endpoint: "https://XXXXXX.gr7.us-west-2.eks.amazonaws.com"

auth:
  github:
    enabled: true
    clientId: ae8924d074d8c8809999
    clientSecret: ABCD90598b706d5342f07cce18fee5e5da391234

cloud:
  provider:
    aws:
      enabled: true
      region: us-west-2
      bucket: okteto-private-images
      iam:
        accessKeyID: "XXXXXX"

buildkit:
  ingress:
    enabled: false
  service:
    type: LoadBalancer

Installing your Okteto Enterprise instance

Install the latest version of Okteto Enterprise by running:

helm install okteto okteto/okteto-enterprise -f config.yaml --namespace=okteto

After a few seconds, all the resources will be created. The output will look something like this:

Release "okteto" has been installed. Happy Helming!
NAME: okteto
LAST DEPLOYED: Thu Mar 26 18:07:55 2020
NAMESPACE: okteto
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
1. Create the following DNS record, pointing it to the NGINX controller service External-IP:
- "*.dev.example.com"

You can retrieve the External IP by running:
    kubectl get service -l=app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller --namespace=okteto

2. Create the following DNS record, pointing it to the Buildkit service External-IP:
- "buildkit.dev.example.com"

You can retrieve the External IP by running:
    kubectl get service -l=app.kubernetes.io/instance=okteto,app.kubernetes.io/component=buildkit --namespace=okteto

3. Once you create both DNS entries you can access your Okteto Enterprise instance at this URL:
https://okteto.dev.example.com

You can also install a specific version by including the --version argument.

Retrieve the Ingress Controller IP address

We can use the instructions kubectl to fetch the address that has been dynamically allocated by EKS to the NGINX Ingress we've just installed and configured as a part of Okteto Enterprise:

kubectl get service -l=app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller --namespace=okteto

The output will look something like this:

NAME                             TYPE           CLUSTER-IP   EXTERNAL-IP                          PORT(S)                                     AGE
okteto-ingress-nginx-controller  LoadBalancer   10.0.7.73    a519c8b3b27f94...elb.amazonaws.com   80:30795/TCP,443:32481/TCP,1234:30885/TCP   5m

You'll need to take the EXTERNAL-IP address, and add it to your DNS for the domain you have chosen to use. In Route 53, this is done by creating an A record with the name *, pointing to the alias of the Elastic Load Balancer.

Note: avoid using a CNAME record for * pointing to the public hostname of the Elastic Load Balancer, as it will block the cert-manager default capability for issuing/renewing certificates via ACME dns01.

Retrieve the Buildkit IP address

You can use kubectl to fetch the address that has been dynamically allocated by EKS to the Buildkit instance you've just installed and configured as a part of Okteto Enterprise:

kubectl get service -l=app.kubernetes.io/instance=okteto,app.kubernetes.io/component=buildkit --namespace=okteto

The output will look something like this:

NAME                                  TYPE           CLUSTER-IP      EXTERNAL-IP                           PORT(S)          AGE
okteto-okteto-enterprise-buildkit     LoadBalancer   10.245.142.73   a519c8b3b27f95...elb.amazonaws.com    1234:32449/TCP   5m

You'll need to take the EXTERNAL-IP address and add it to your DNS for the domain you have chosen to use. This is done by creating an A record with the name buildkit.

Sign in to your Okteto Enterprise

You can access your Okteto Enterprise instance at https://okteto.SUBDOMAIN. Your account will be automatically created as you soon as you click the Login button.

Troubleshooting

If you experience issues during this guide, we recommend you check these things first:

1. okteto.SUBDOMAIN resolves to the IP address you retrieved.
2. If you get a certificate warning, there has been a problem with Let's Encrypt. This is usually related to DNS resolution, the need to retry, or the permissions of the credentials created.

For further troubleshooting tips, see our troubleshooting guide.