In this tutorial we will expose the Tekton Pipelines dashboard using an application load balancer with SSL enabled on an AWS EKS cluster.
Prerequisites
- EKS cluster
- kubectl is configured on your local machine
- Tekton Pipelines is installed
Context
Tekton Dashboard is a web-based UI for Tekton Pipelines and Tekton Triggers resources. It is quite easy to install with kubectl by following the official install guidelines. In a self-managed Kubernetes cluster you can easily expose it with an ingress controller, but on EKS you first have to install an ingress controller, the AWS Load Balancer Controller, which seems like a bit of a hassle to me if you want to achieve something quickly. Instead, I would use a Service to achieve this.
Install Tekton Dashboard
Install the Tekton Dashboard using the official documentation.
Expose Tekton Dashboard with Service (without https)
Create a Service of type LoadBalancer (i.e. tekton-dashboard-svc.yaml) with the following manifest:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: tekton-dashboard
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  type: LoadBalancer
  ports:
    - name: http
      port: 9097
      protocol: TCP
      targetPort: 9097
  selector:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
  sessionAffinity: None
Create this service using kubectl:
$ kubectl apply -n tekton-pipelines -f tekton-dashboard-svc.yaml
This will create a LoadBalancer in AWS. You can access the dashboard with the load balancer URL, or you can map this LoadBalancer to your domain name (e.g. tekton-dashboard.myeks.com) using the Route53 service.
Expose Tekton Dashboard with Service and https enabled
Exposing the Tekton Dashboard with LoadBalancer Service was quite easy. Now we want to enable https. To do that we have to do the following steps:
Step 1: Create Certificate
Create a certificate using AWS Certificate Manager for your domain tekton-dashboard.myeks.com. Make sure you also validate the certificate.
Step 2: Create Service with the certificate
Add the following annotations with the certificate ARN:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn of the certificate created above"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
So the Service will look like the following (i.e. tekton-dashboard-svc-ssl.yaml):
apiVersion: v1
kind: Service
metadata:
  annotations:
    # Note that the backend talks over HTTP.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # TODO: Fill in with the ARN of your certificate.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn of the certificate created above"
    # Only run SSL on the port named "https" below.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
  labels:
    app: tekton-dashboard
  name: tekton-dashboard-ssl
  namespace: tekton-pipelines
spec:
  type: LoadBalancer
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 9097
    - name: https
      port: 443
      protocol: TCP
      targetPort: 9097
  selector:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
  sessionAffinity: None
Create this service using kubectl:
$ kubectl apply -n tekton-pipelines -f tekton-dashboard-svc-ssl.yaml
If you had created the Service using tekton-dashboard-svc.yaml, you can delete that Service.
Wait for some time for the load balancer to be created; after that you can use https.
Step 3: Use the domain name
Now find your LoadBalancer from the Service:
$ kubectl get svc tekton-dashboard-ssl -n tekton-pipelines
You will find the LoadBalancer URL in the EXTERNAL-IP field.
-- With the URL, locate that LoadBalancer in the AWS Console and check that there is a listener on port 443. For the SSL certificate, check that the certificate you defined in the Service has been attached to the load balancer.
-- From AWS Route53, associate your domain name (e.g. tekton-dashboard.myeks.com) with the LoadBalancer. If you are doing it for the first time, you can follow the AWS "Routing traffic to an ELB load balancer" documentation.
That's it. Now you can browse the Tekton Dashboard using https://tekton-dashboard.myeks.com 🎉
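The tekton-dashboard-svc-ssl.yaml Service above still publishes port 80 next to 443 and sets no source restriction, so here is an added example (not part of the original post or of Tekton) that audits a Service for plain-HTTP listeners and open source ranges. It assumes the input is `kubectl get svc -o json` output and that the ssl-ports annotation takes comma-separated port names or numbers, with `*` or absence meaning all ports; `tls_ports` and `audit` are hypothetical helper names, and the certificate ARN in the sample is a placeholder.

```python
import json

# Annotation keys as used in the manifest above.
SSL_CERT = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
SSL_PORTS = "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"

# Constructed sample: the SSL Service above as trimmed `kubectl get svc -o json`
# output. The certificate ARN is a placeholder, not a real value.
SAMPLE = json.loads("""
{"metadata": {"name": "tekton-dashboard-ssl", "annotations": {
   "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "http",
   "service.beta.kubernetes.io/aws-load-balancer-ssl-cert":
     "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER",
   "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "https"}},
 "spec": {"type": "LoadBalancer", "ports": [
   {"name": "http", "port": 80, "targetPort": 9097},
   {"name": "https", "port": 443, "targetPort": 9097}]}}
""")

def tls_ports(svc):
    """Listener ports that terminate TLS according to the two annotations."""
    ann = svc["metadata"].get("annotations") or {}
    ports = svc["spec"].get("ports") or []
    if not ann.get(SSL_CERT, "").startswith("arn:"):
        return set()          # no certificate ARN filled in: nothing is TLS
    wanted = ann.get(SSL_PORTS, "*").strip()
    if wanted in ("", "*"):   # absent or "*" means every listener
        return {p["port"] for p in ports}
    keys = {w.strip() for w in wanted.split(",")}
    return {p["port"] for p in ports
            if p.get("name") in keys or str(p["port"]) in keys}

def audit(svc):
    """Return human-readable findings for a LoadBalancer Service."""
    findings, tls = [], tls_ports(svc)
    for p in svc["spec"].get("ports") or []:
        if p["port"] not in tls:
            findings.append(f"port {p['port']} is a plain-HTTP listener")
    ranges = svc["spec"].get("loadBalancerSourceRanges") or ["0.0.0.0/0"]
    if "0.0.0.0/0" in ranges:
        findings.append("no loadBalancerSourceRanges: open to any source IP")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FINDING:", line)
```

Removing the `http` port entry and setting `spec.loadBalancerSourceRanges` to the CIDRs that should reach the dashboard clears both findings.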
If you want to put user authentication in front of your Tekton Dashboard, look at my next post on authenticating the Tekton Dashboard using AWS Cognito.