Skip to main content

Setup Amazon EKS for Java Application

Objective

This chapter shows you how to deploy the Kubernetes resources for Java Application within an Amazon EKS cluster.

Prerequisites

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes. Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications.

1. Adding Kubernetes namespace for the application and a service account

The Java application needs to push events to EventBridge, read parameters from Parameter Store and secrets from Secrets Manager. To achieve that and develop a secure application with the "Principle of least privilege" we need to create a Service Account and give it required permissions to access AWS services. We also want to create a Kubernetes namespace for the Java Application.

Create a Kubernetes namespace for the application:

kubectl create namespace unicorn-store-spring

Create a Kubernetes Service Account with a reference to the previous created IAM policy:

eksctl create iamserviceaccount --cluster=unicorn-store --name=unicorn-store-spring --namespace=unicorn-store-spring \
   --attach-policy-arn=$(aws iam list-policies --query 'Policies[?PolicyName==`unicorn-eks-service-account-policy`].Arn' --output text) --approve --region=$AWS_REGION

2. Synchronizing parameters and secrets

Create the Kubernetes External Secret resources:

cat <<EOF | envsubst | kubectl create -f -
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: unicorn-store-spring-secret-store
  namespace: unicorn-store-spring
spec:
  provider:
    aws:
      service: SecretsManager
      region: $AWS_REGION
      auth:
        jwt:
          serviceAccountRef:
            name: unicorn-store-spring
EOF

cat <<EOF | kubectl create -f -
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: unicorn-store-spring-external-secret
  namespace: unicorn-store-spring
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: unicorn-store-spring-secret-store
    kind: SecretStore
  target:
    name: unicornstore-db-secret
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: unicornstore-db-secret
        property: password
EOF

Conclusion

In this lab we walked you through the process of deploying the Kubernetes resources for Java Application within an Amazon EKS cluster.