
Uncategorized

fdsajkl GJ

채희태 2025. 9. 20. 23:13

2025_day1_gyeonggi-main Bastion deployment order

1️⃣ Prepare the GitHub repository

  • Repository: gj2025-repository
  • Branches
    • Red app: app-red, GitOps: gitops-red
    • Green app: app-green, GitOps: gitops-green
  • Path: /home/ec2-user/gj2025-repository
 
cd /home/ec2-user
git clone https://github.com//gj2025-repository.git
cd gj2025-repository
# check out each branch
git checkout -b app-red origin/app-red
git checkout -b app-green origin/app-green

All git push/pull operations are run as the ec2-user account; the GitHub access token is fetched from Secrets Manager and used from there.
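As an added example (not from the original post), the following shell snippet fetches the token from Secrets Manager on demand through a git credential helper, so the token never ends up in the remote URL, in .git/config, in shell history or in ~/.git-credentials. The secret id gj2025/github-token, the assumption that the secret stores the token as a plain string, and the function names are mine, not the post's.

```shell
#!/bin/sh
# Added example: on-demand GitHub token from Secrets Manager via a git credential helper.
# Assumed (not from the post): secret id gj2025/github-token, stored as a plain-string SecretString.
set -eu

SECRET_ID="${SECRET_ID:-gj2025/github-token}"   # assumed secret id
REGION="${REGION:-ap-northeast-2}"

# Build the credential-helper command string git will run for https://github.com.
# GitHub accepts any username when the password is a personal access token; the helper
# calls the AWS CLI each time it is asked, so no token is written to disk.
github_credential_helper() {
  secret_id="$1"
  region="$2"
  printf '!f() { echo username=x-access-token; echo "password=$(aws secretsmanager get-secret-value --secret-id %s --region %s --query SecretString --output text)"; }; f' \
    "$secret_id" "$region"
}

# Register the helper for github.com only (other hosts keep their own settings).
configure_git_for_github() {
  git config --global "credential.https://github.com.helper" "$(github_credential_helper "$SECRET_ID" "$REGION")"
  # A leftover plain-text store would keep a second copy of the token on disk.
  if [ -f "$HOME/.git-credentials" ]; then
    echo "note: $HOME/.git-credentials exists; the token should come only from Secrets Manager" >&2
  fi
}

# Check used before adding a remote: the URL must not carry an embedded user:token.
remote_url_has_embedded_token() {
  case "$1" in
    https://*@github.com/*) return 0 ;;   # https://user:token@github.com/... form
    *) return 1 ;;
  esac
}

# Opt in explicitly; by default the script only defines the functions above.
if [ "${RUN_GIT_CONFIG:-0}" = "1" ]; then
  configure_git_for_github
fi
```

Run with RUN_GIT_CONFIG=1 as ec2-user on the bastion; afterwards `git push` on the gitops-red / gitops-green branches resolves the token at push time and nothing is cached.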


2️⃣ Build the AWS infrastructure with Terraform

  • Creates the VPC, subnets, IGW, NAT, TGW, security groups, Network Firewall, RDS, EKS node groups, etc.
  • Region: ap-northeast-2
 
cd ~/gj2025-repository/terraform
terraform init
terraform apply -auto-approve

Key names

  • Hub VPC: gj2025-hub-vpc
  • App VPC: gj2025-app-vpc
  • TGW: gj2025-tgw
  • Bastion: gj2025-bastion
  • DB: gj2025-db-instance, RDS Proxy: gj2025-rds-proxy
  • EKS: gj2025-eks-cluster

3️⃣ Bastion EC2 setup

  • Instance: Amazon Linux 2023, t3.medium
  • Security
    • SSH on port 2222
    • Public subnet: gj2025-hub-public-subnet-a
    • Security group outbound 80/443 open to any destination
  • Install the required packages
 
sudo yum update -y
sudo yum install -y awscli curl jq git
# kubectl: the binary goes under /usr/local/bin, so the download and chmod need root
sudo curl -sSL "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" -o /usr/local/bin/kubectl
sudo chmod +x /usr/local/bin/kubectl
# eksctl: extract straight into /usr/local/bin (root again)
curl -sSL https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_Linux_amd64.tar.gz | sudo tar -xz -C /usr/local/bin
eksctl version
# Install the Argo Rollouts kubectl plugin (krew must already be installed for this to work)
kubectl krew install argo-rollouts

4️⃣ Update kubeconfig

aws eks update-kubeconfig --name gj2025-eks-cluster --region ap-northeast-2
# nodes are cluster-scoped, so no namespace flag is needed
kubectl get nodes

5️⃣ Install the ALB Ingress Controller

  • Per the D1 manual
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.1/docs/install/v2_5_1_full.yaml
kubectl get pods -n kube-system | grep aws-load-balancer

# Naver Cloud NKS variant of the same install (uses the kubeconfig in $KUBE_CONFIG)
kubectl --kubeconfig=$KUBE_CONFIG apply -f https://raw.githubusercontent.com/NaverCloudPlatform/nks-alb-ingress-controller/main/docs/install/pub/install.yaml


6️⃣ Create the namespace and install External Secrets

kubectl create ns skills
./install-external-secrets.sh
kubectl apply -f k8s/external-secrets.yaml -n skills
  • ExternalSecret name: db-secret
  • Secrets Manager is accessed through IRSA
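Added example (this is not the post's k8s/external-secrets.yaml, which is not shown): a script that renders the ServiceAccount, SecretStore and ExternalSecret that back db-secret in the skills namespace, reading Secrets Manager through IRSA, plus the least-privilege IAM policy the IRSA role needs. The service account name external-secrets-sa, the role name gj2025-external-secrets-role, the Secrets Manager secret name gj2025/db and the account id 111122223333 are placeholders I chose; only db-secret, skills and the region come from the post.

```shell
#!/bin/sh
# Added example (not from the post): SecretStore / ExternalSecret pair for db-secret,
# backed by Secrets Manager via IRSA, plus the IAM policy for the role.
# Assumed names (not in the post): external-secrets-sa, gj2025-external-secrets-role,
# Secrets Manager secret gj2025/db, account id 111122223333.
set -eu

NAMESPACE="${NAMESPACE:-skills}"
REGION="${REGION:-ap-northeast-2}"
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"                 # placeholder
SA_NAME="${SA_NAME:-external-secrets-sa}"                 # assumed
ROLE_NAME="${ROLE_NAME:-gj2025-external-secrets-role}"    # assumed
SM_SECRET_NAME="${SM_SECRET_NAME:-gj2025/db}"             # assumed Secrets Manager key

# Least-privilege policy for the IRSA role: read this one secret and nothing else.
render_iam_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": "arn:aws:secretsmanager:${REGION}:${ACCOUNT_ID}:secret:${SM_SECRET_NAME}-*"
  }]
}
EOF
}

# ServiceAccount with the IRSA annotation, a SecretStore that authenticates with that SA's
# projected token (jwt), and the ExternalSecret that materialises db-secret. creationPolicy
# Owner means only ESO writes the resulting Kubernetes Secret.
render_manifests() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${NAMESPACE}
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: ${NAMESPACE}
spec:
  provider:
    aws:
      service: SecretsManager
      region: ${REGION}
      auth:
        jwt:
          serviceAccountRef:
            name: ${SA_NAME}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-secret
  namespace: ${NAMESPACE}
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: db-secret
    creationPolicy: Owner
  dataFrom:
    - extract:
        key: ${SM_SECRET_NAME}
EOF
}

# After apply, the ExternalSecret must reach condition Ready (reason SecretSynced).
# Talks to the cluster, so it only runs when RUN_APPLY=1.
apply_and_verify() {
  render_manifests | kubectl apply -n "$NAMESPACE" -f -
  kubectl -n "$NAMESPACE" wait externalsecret/db-secret --for=condition=Ready --timeout=60s
}

if [ "${RUN_APPLY:-0}" = "1" ]; then
  apply_and_verify
fi
```

Attach the rendered policy to the role referenced in the ServiceAccount annotation (the role's trust policy must point at the cluster's OIDC provider, which is left to the Terraform step); then RUN_APPLY=1 applies the manifests and waits for the sync.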


7️⃣ Install ArgoCD

./argocd.sh
kubectl get pods -n argocd
kubectl port-forward svc/argocd-server -n argocd 8080:443
# open https://localhost:8080 in a browser
# log in as admin / Skills53
  • ArgoCD ingress: gj2025-argo-external-nlb (external NLB), internal NLB: gj2025-argo-internal-nlb

8️⃣ Install Argo Rollouts

./argo-rollouts.sh
kubectl get pods -n argo-rollouts

  • Red app Rollout: red-rollout
  • Green app Rollout: green-rollout

9️⃣ Prepare the container registry (ECR)

# encryptionType=KMS matches the "KMS encryption applied" requirement below
aws ecr create-repository --repository-name red --region ap-northeast-2 --encryption-configuration encryptionType=KMS
aws ecr create-repository --repository-name green --region ap-northeast-2 --encryption-configuration encryptionType=KMS
  • KMS encryption applied
  • Docker image build & push

# log in to the registry with a short-lived token before pushing
aws ecr get-login-password --region ap-northeast-2 | docker login --username AWS --password-stdin <account-id>.dkr.ecr.ap-northeast-2.amazonaws.com
docker build -t red ./red
docker tag red:latest <account-id>.dkr.ecr.ap-northeast-2.amazonaws.com/red:latest
docker push <account-id>.dkr.ecr.ap-northeast-2.amazonaws.com/red:latest
# same for green
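Added example, not the post's own commands: a script that creates the red/green repositories with a customer-managed KMS key, scan-on-push and immutable tags, and then logs in, builds and pushes images tagged with the git commit instead of a mutable :latest (with immutable tags a second push of :latest is rejected, so pinning the tag up front avoids that failure). The KMS alias alias/gj2025-ecr and the account id 111122223333 are placeholders I chose; repository names and region come from the post.

```shell
#!/bin/sh
# Added example (not from the post): ECR repositories with KMS encryption, scan-on-push and
# immutable tags, and an image push pinned to the commit id.
# Assumed (not in the post): KMS key alias/gj2025-ecr, account id 111122223333.
set -eu

REGION="${REGION:-ap-northeast-2}"
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"        # placeholder
KMS_KEY="${KMS_KEY:-alias/gj2025-ecr}"          # assumed customer-managed key

# Registry host for this account/region.
ecr_registry() {
  echo "${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com"
}

# Full image URI for a repository and tag.
ecr_image_uri() {
  echo "$(ecr_registry)/$1:$2"
}

# Accept only unique, well-formed tags: empty, "latest" or tags with odd characters are rejected.
is_pinned_tag() {
  case "$1" in
    ""|latest|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Create a repository with KMS encryption, scan on push and immutable tags (no-op if it exists).
create_repo() {
  aws ecr describe-repositories --repository-names "$1" --region "$REGION" >/dev/null 2>&1 && return 0
  aws ecr create-repository \
    --repository-name "$1" \
    --region "$REGION" \
    --encryption-configuration "encryptionType=KMS,kmsKey=${KMS_KEY}" \
    --image-scanning-configuration scanOnPush=true \
    --image-tag-mutability IMMUTABLE
}

# Log in with a short-lived token passed on stdin (never on the command line), build, push.
build_and_push() {
  repo="$1"; tag="$2"; ctx="$3"
  is_pinned_tag "$tag" || { echo "refusing mutable tag '$tag' for $repo" >&2; return 1; }
  aws ecr get-login-password --region "$REGION" \
    | docker login --username AWS --password-stdin "$(ecr_registry)"
  docker build -t "$(ecr_image_uri "$repo" "$tag")" "$ctx"
  docker push "$(ecr_image_uri "$repo" "$tag")"
}

# Talks to AWS and Docker, so it only runs when RUN_PUSH=1.
if [ "${RUN_PUSH:-0}" = "1" ]; then
  TAG="$(git rev-parse --short HEAD)"
  for app in red green; do
    create_repo "$app"
    build_and_push "$app" "$TAG" "./$app"
  done
fi
```

The manifests applied in the next step then reference the commit-tagged image, which is also what makes a blue/green rollback unambiguous: each revision points at a distinct, immutable tag.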

🔟 Deploy the application (EKS)

  • App node group: gj2025-eks-app-nodegroup
  • Addon node group: gj2025-eks-addon-nodegroup
  • Namespace: skills

kubectl apply -f k8s/app-red.yaml -n skills
kubectl apply -f k8s/app-green.yaml -n skills
  • The DB environment variables are read from the ExternalSecret and injected into the pods
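Added example (this is not the post's k8s/app-red.yaml, which is not shown): a script that renders, for either app, the blue/green Argo Rollout named in step 8 (red-rollout / green-rollout) together with its active and preview Services. It ties together three requirements from the post: pods run only on the app node group (via the eks.amazonaws.com/nodegroup label that EKS managed node groups set), the DB settings come from the ESO-managed db-secret, and /health is exposed for the health check. The container port 8080, the replica count, the service names <app>-active / <app>-preview and the registry 111122223333.dkr.ecr.ap-northeast-2.amazonaws.com are my assumptions.

```shell
#!/bin/sh
# Added example (not from the post): blue/green Rollout + Services for one app.
# Assumed (not in the post): container port 8080, 2 replicas, <app>-active / <app>-preview
# service names, placeholder registry 111122223333.dkr.ecr.ap-northeast-2.amazonaws.com.
set -eu

NAMESPACE="${NAMESPACE:-skills}"
APP_NODEGROUP="${APP_NODEGROUP:-gj2025-eks-app-nodegroup}"
REGISTRY="${REGISTRY:-111122223333.dkr.ecr.ap-northeast-2.amazonaws.com}"   # placeholder

# Usage: render_rollout <red|green> <image-tag>
render_rollout() {
  app="$1"; tag="$2"
  cat <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: ${app}-rollout
  namespace: ${NAMESPACE}
spec:
  replicas: 2
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: ${app}
  strategy:
    blueGreen:
      activeService: ${app}-active
      previewService: ${app}-preview
      autoPromotionEnabled: false    # promote only after the preview passes its checks
  template:
    metadata:
      labels:
        app: ${app}
    spec:
      nodeSelector:
        eks.amazonaws.com/nodegroup: ${APP_NODEGROUP}   # app pods only on the app node group
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
      containers:
        - name: ${app}
          image: ${REGISTRY}/${app}:${tag}
          ports:
            - containerPort: 8080
          envFrom:
            - secretRef:
                name: db-secret        # DB env vars come from the ExternalSecret target
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            periodSeconds: 3
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            periodSeconds: 10
          securityContext:
            allowPrivilegeEscalation: false
EOF
}

# Two Services per app: active carries live traffic, preview exposes the candidate version.
# Argo Rollouts narrows each Service's selector to the matching ReplicaSet hash at runtime.
render_services() {
  app="$1"
  for role in active preview; do
    cat <<EOF
---
apiVersion: v1
kind: Service
metadata:
  name: ${app}-${role}
  namespace: ${NAMESPACE}
spec:
  selector:
    app: ${app}
  ports:
    - port: 80
      targetPort: 8080
EOF
  done
}

# Talks to the cluster, so it only runs when RUN_APPLY=1 with IMAGE_TAG set.
if [ "${RUN_APPLY:-0}" = "1" ]; then
  for app in red green; do
    { render_rollout "$app" "${IMAGE_TAG:?set IMAGE_TAG}"; render_services "$app"; } | kubectl apply -f -
  done
fi
```

Because autoPromotionEnabled is false, a new image only replaces the active ReplicaSet after `kubectl argo rollouts promote red-rollout -n skills`; until then the preview Service is the only way to reach it, which is the blue/green behaviour the CI/CD step relies on.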

1️⃣1️⃣ FluentBit log collection

  • DaemonSets: red-fluent-bit, green-fluent-bit
  • Namespace: amazon-cloudwatch
  • Log forwarding
kubectl apply -f k8s/fluentbit-red.yaml
kubectl apply -f k8s/fluentbit-green.yaml

  • CloudWatch log groups
    • Red: /gj2025/app/red
    • Green: /gj2025/app/green
    • Network Firewall: /gj2025/firewall
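Added example (this is not the post's fluentbit-red.yaml / fluentbit-green.yaml, which are not shown): a script that renders one Fluent Bit ConfigMap per app, tailing only that app's container logs from the skills namespace and shipping them to the log groups listed above with the cloudwatch_logs output. The [SERVICE] Flush interval is set to 1 second so records reach CloudWatch inside the 3-second window named in the checkpoints at the end of the post. The ConfigMap name <app>-fluent-bit-config, the 30-day retention and the tail path pattern are my assumptions.

```shell
#!/bin/sh
# Added example (not from the post): per-app Fluent Bit ConfigMap for CloudWatch.
# Assumed (not in the post): ConfigMap name <app>-fluent-bit-config, 30-day retention,
# container log path pattern based on the skills namespace and app name.
set -eu

REGION="${REGION:-ap-northeast-2}"
LOG_NS="${LOG_NS:-amazon-cloudwatch}"
APP_NS="${APP_NS:-skills}"

# Usage: render_fluentbit_config <red|green>
render_fluentbit_config() {
  app="$1"
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: ${app}-fluent-bit-config
  namespace: ${LOG_NS}
data:
  fluent-bit.conf: |
    [SERVICE]
        Flush         1
        Log_Level     info
        Parsers_File  parsers.conf

    [INPUT]
        Name              tail
        Tag               ${app}.*
        Path              /var/log/containers/*_${APP_NS}_${app}-*.log
        Parser            cri
        Mem_Buf_Limit     5MB
        Skip_Long_Lines   On
        Refresh_Interval  1

    [OUTPUT]
        Name                cloudwatch_logs
        Match               ${app}.*
        region              ${REGION}
        log_group_name      $(log_group_for "$app")
        log_stream_prefix   ${app}-
        auto_create_group   true
        log_retention_days  30
  parsers.conf: |
    [PARSER]
        Name        cri
        Format      regex
        Regex       ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<log>.*)$
        Time_Key    time
        Time_Format %Y-%m-%dT%H:%M:%S.%L%z
EOF
}

# Log group the post assigns to an app.
log_group_for() {
  echo "/gj2025/app/$1"
}

# Read the [SERVICE] Flush interval (seconds) back out of a rendered config, for verification.
flush_seconds() {
  awk '$1 == "Flush" { print $2; exit }'
}

# Talks to the cluster, so it only runs when RUN_APPLY=1.
if [ "${RUN_APPLY:-0}" = "1" ]; then
  for app in red green; do
    render_fluentbit_config "$app" | kubectl apply -f -
  done
fi
```

The DaemonSets red-fluent-bit and green-fluent-bit mount their respective ConfigMap; with Flush at 1 second and Refresh_Interval at 1 second the end-to-end delay is dominated by the CloudWatch PutLogEvents call, which keeps the 3-second check comfortably green.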

1️⃣2️⃣ Load Balancer 구성

  • Internal ALB: gj2025-app-alb
  • Internal NLB: gj2025-app-internal-nlb
  • External NLB: gj2025-app-external-nlb
  • The internal ALB and the external NLB are connected through PrivateLink

1️⃣3️⃣ CI/CD 구성

  • CodeBuild: gj2025-app-red-build, gj2025-app-green-build
  • CodePipeline: gj2025-app-red-pipeline, gj2025-app-green-pipeline
  • After a change on the GitOps branch is detected, ArgoCD performs the Blue/Green deployment
  • Health check: /health; if it passes, the release is deployed to the Blue stage

Key checkpoints

  1. Bastion EC2: SSH on port 2222, security group outbound open to any destination
  2. All resources in ap-northeast-2
  3. Apps deployed only to the EKS app node group, addons only to the addon node group
  4. DB environment variables managed with Secrets Manager + External Secrets
  5. Blue/Green zero-downtime deployment, health check on /health
  6. FluentBit logs visible in CloudWatch within 3 seconds
  7. Network Firewall stateful, Suricata rules applied, bastion connections allowed