IBM WebSphere Liberty for Amazon EKS on AWS
Partner Solution Operational Guide
Ranjan Kumar, Venu Beyagudem, Paul Baity, Jarek Gawor, Barbara Jones, and Pam Helyar, IBM
Senthil Nagaraj, AWS IBM Alliance team
Troy Lindsay and Vinod Shukla, AWS Integration & Automation team
|Visit our GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.|
This Partner Solution was created by IBM in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.
This guide covers information you need to use your IBM WebSphere Liberty for Amazon EKS Partner Solution.
For deployment instructions, refer to the IBM WebSphere Liberty for Amazon EKS Partner Solution Deployment Guide.
Connect to the EKS cluster
The steps you follow to connect to the EKS cluster depend on whether you use the boot node. After you connect, you can use
kubectl commands to manage your cluster.
Connect with the boot node
In the AWS CloudFormation console, go to the boot node. Look under the Resources tab of the boot-node stack. The node ID is listed in Outputs of the main stack.
Start the boot node.
Enable SSH (Secure Shell) to the boot node. Add a rule to the virtual private cloud (VPC) security group that permits inbound traffic on port 22.
Connect to the boot node by using SSH or EC2 Instance Connect in your browser.
Connect without the boot node
If you haven’t done so already, check your Amazon Resource Name (ARN) configuration. For details, refer to the predeployment steps in the deployment guide.
Use the Kubernetes command line interface to access the EKS cluster.
Run the following command, replacing the information in brackets:
aws eks update-kubeconfig --name <cluster_name> --region <cluster_region>
This command updates your
kubeconfigfile so that you can use
kubectlcommands to work with your cluster.
kubectlcommand, such as this one:
$ kubectl get pods
Confirm that the output messages show a connection to the cluster.
Unauthorizederror means that your IAM user or role was not granted access to the cluster. To gain access to the cluster, provide your IAM user ARN in the
AdditionalEKSAdminArnsparameter of the stack.
If needed, ask the creator of the EKS cluster to grant access by adding your IAM user or role to the
aws-authKubernetes ConfigMap in the
kube-systemnamespace. This ConfigMap maps IAM entities in AWS to user accounts in the Kubernetes cluster. The following steps use eksctl.
Get the ARN of the IAM entity to which you want to grant cluster access.
Example user ARN:
Example role ARN:
eksctlcommand to create a mapping for that IAM entity in the
eksctl create iamidentitymapping --cluster "<cluster_name>" --region "<cluster_region>" --arn "<arn>"
Find your deployment logs
CloudWatch log streams
You can find Amazon CloudWatch log streams either from the Amazon CloudWatch console or from your AWS CloudFormation stack.
From the CloudWatch console
During or after deployment, and even after a failed deployment, you can view log data in CloudWatch log streams as follows.
Open the CloudWatch console.
In the navigation pane, choose Logs, Log groups.
On the Log groups page, enter the stack name in the search bar.
From the Log streams tab of the log group details, select the log stream to view.
From your CloudFormation stack
After deployment, you can also view log streams from the Outputs tab for your CloudFormation stack.
Choose the Outputs tab for your main stack.
Choose the value of the
From the Log streams tab of the log group details, select the output logs.
Lambda function logs
Lambda function logs are at
/aws/lambda/ and have the file path
You can view Lambda function logs in CloudWatch.
From the stack Resources tab, select a Lambda function.
Choose the Monitor tab.
Choose View logs in CloudWatch.
Nested stacks such as
IBMLibertyWorkloadStack have a Lambda function.
SSM logs are on the boot node at
Get information about your deployments
To get information about your IBM WebSphere Liberty operator and any applications you’ve deployed, run this command:
$ kubectl get deployments
For a list of namespaces, append
-A (shorthand for
--all-namespaces). The application name and its namespace depend on your input. If you did not deploy an application, then no application or
cert-manager deployments are in your list.
$ kubectl get deployments -A NAMESPACE NAME default websphereliberty-app-sample kube-system coredns olm catalog-operator olm olm-operator olm packageserver operators cert-manager operators cert-manager-cainjector operators cert-manager-webhook operators wlo-controller-manager
For stack outputs, go to the Outputs tab for your CloudFormation stack, or go to the CloudWatch console.
deployment.properties file lists the deployment properties.
Recover from a failed stack
If your stack fails, delete it and retry the deployment. Stack deletion deletes all the artifacts that the stack created, including the EKS cluster and everything deployed in the cluster.
Stack deletion might fail due to timeouts or resource dependencies. If this happens, try to delete the failed stack again. If you installed any external components after the deployment, such as Ingress, those resources are not deleted and might prevent stack deletion. In this case, manually delete the resources that are preventing stack deletion.
For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide and Troubleshooting CloudFormation.
To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:
This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.