Kubernetes on AWS
Context
The purpose of this page is to describe how to create the infrastructure needed to deploy Vectice on a Kubernetes cluster in AWS, followed by instructions for deploying the Vectice software.
1. Understanding prerequisites
Infrastructure requirements
Note: all of the following must be within the same VPC.

#  Requirement          Notes or Details
1  Security Groups      Port 443 (HTTPS)
                        Port 3128 outbound (pip install)
                        SMTP port (e.g. 2525)
2  Kubernetes Cluster   v1.16+ deployed
                        2 nodes, t3.xlarge
3  S3 Bucket            In the same region as the cluster
4  Managed PostgreSQL   13.x RDS instance
Other requirements

#   Requirement      Notes or Details
5   Domain Name      Example: https://vectice.my-company.com
6   SSL Certificate  Must be associated with the domain name above
                     Self-signed certificates are not recommended

Deployment environment with the following tools:
7   Helm v3
8   kubectl
9   AWS CLI
10  eksctl
11  OpenSSL
2. How to provision the infrastructure
You have two ways to create the infrastructure necessary for running Vectice.
Provisioning via Terraform (with Terragrunt wrapper)
Expected time: 40 minutes
Steps:
Provisioning via AWS console
Expected time: 2 hours
Steps:
Create a VPC, or reuse an existing one
Create the PostgreSQL instance, see Appendix 1: Creating the SQL Instance
Create the IAM roles and the S3 bucket, see Appendix 2: Creating the S3 Bucket
Create the Kubernetes cluster, see Appendix 3: Cluster Creation
3. How to deploy the Vectice application
Deploying Vectice on Kubernetes takes six steps:
Step 1: Connect to the cluster and create the Vectice namespace
First, define the variables used in the following steps and retrieve the cluster connection details (kubeconfig) from your deployment machine. Below, sample values are provided between brackets:
The expected output should look like this:
Next, test the connection:
The expected output should look like this:
Finally, create the Vectice namespace where applications will be deployed:
Step 2: Install the AWS Load Balancer Controller (for the Application Load Balancer, ALB)
First, download the IAM policy the controller needs:
Then, create the IAM policy:
Next, associate an IAM OIDC provider with the cluster (this is what allows a Kubernetes service account to assume an IAM role):
If a service account already exists, update it accordingly:
Otherwise, create a service account bound to the load balancer policy:
Check that the service account was really created:
The expected output should look like this:
If the aws-load-balancer-controller item is not in the output list, delete the ghost service account (one that exists in the cluster but is not bound to an IAM role) before creating it again with the command above:
The expected output should look like this:
Next, add the AWS EKS Helm repository to the repository list so the controller can be installed with Helm:
Deploy the controller's Helm chart on the cluster:
Finally, verify that the controller is installed:
The expected output should look like this:
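Steps 1 and 2 written as one re-runnable script, as an added example that is not Vectice's own tooling. The region, cluster name, account ID, the pinned controller release (v2.4.4) and the policy file URL from the controller's GitHub repository are assumptions; with DRY_RUN=1 (the default) the script only prints the aws, eksctl, kubectl and helm commands, and DRY_RUN=0 executes them. The part worth keeping is the ghost check: the controller must run under a service account that eksctl has bound to an IAM role (IRSA), otherwise its pods fall back to the node's instance role credentials via IMDS and the scoped policy downloaded in the first step never applies.

```shell
#!/bin/sh
# Added example (not Vectice's own script): Steps 1 and 2 as one re-runnable script.
# Region, cluster name, account ID and controller version are assumptions for this
# example; replace them with your own.
set -eu

AWS_REGION="${AWS_REGION:-eu-west-1}"
CLUSTER_NAME="${CLUSTER_NAME:-vectice-eks}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
LBC_VERSION="${LBC_VERSION:-v2.4.4}"           # pin the controller release you deploy
POLICY_NAME="AWSLoadBalancerControllerIAMPolicy"
POLICY_ARN="arn:aws:iam::${ACCOUNT_ID}:policy/${POLICY_NAME}"
POLICY_URL="https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/${LBC_VERSION}/docs/install/iam_policy.json"
SA_NAME="aws-load-balancer-controller"
DRY_RUN="${DRY_RUN:-1}"                        # DRY_RUN=0 executes; the default only prints

# run: echo the command, and execute it only when DRY_RUN=0.
run() {
  printf '+ %s\n' "$*"
  if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# Step 1: kubeconfig, connectivity check, namespace.
connect_cluster() {
  run aws eks update-kubeconfig --region "$AWS_REGION" --name "$CLUSTER_NAME"
  run kubectl get nodes
  run kubectl create namespace vectice
}

# sa_is_bound: given the text of `eksctl get iamserviceaccount` (columns NAMESPACE NAME
# ROLE ARN), succeed only when the controller's service account is listed with a role ARN.
sa_is_bound() {
  printf '%s\n' "$1" | awk -v ns=kube-system -v sa="$SA_NAME" \
    '$1 == ns && $2 == sa && $3 ~ /^arn:aws:iam::/ { found = 1 } END { exit !found }'
}

# Step 2: IAM policy, OIDC provider, IRSA-bound service account, controller chart.
install_alb_controller() {
  # Review iam_policy.json before creating the policy: it is the controller's full permission set.
  run curl -fsSLo iam_policy.json "$POLICY_URL"
  run aws iam create-policy --policy-name "$POLICY_NAME" --policy-document file://iam_policy.json
  run eksctl utils associate-iam-oidc-provider --region "$AWS_REGION" --cluster "$CLUSTER_NAME" --approve
  run eksctl create iamserviceaccount --region "$AWS_REGION" --cluster "$CLUSTER_NAME" \
    --namespace kube-system --name "$SA_NAME" --attach-policy-arn "$POLICY_ARN" \
    --override-existing-serviceaccounts --approve
  # Ghost check: a ServiceAccount that exists in the cluster but is not bound to an IAM role
  # leaves the controller pods using the node's instance role credentials (IMDS) instead.
  listing=""
  if [ "$DRY_RUN" = 0 ]; then
    listing="$(eksctl get iamserviceaccount --region "$AWS_REGION" --cluster "$CLUSTER_NAME" --namespace kube-system)"
  fi
  if [ "$DRY_RUN" = 0 ] && ! sa_is_bound "$listing"; then
    run kubectl delete serviceaccount "$SA_NAME" -n kube-system
    run eksctl create iamserviceaccount --region "$AWS_REGION" --cluster "$CLUSTER_NAME" \
      --namespace kube-system --name "$SA_NAME" --attach-policy-arn "$POLICY_ARN" --approve
  fi
  run helm repo add eks https://aws.github.io/eks-charts
  run helm repo update
  run helm install "$SA_NAME" eks/aws-load-balancer-controller -n kube-system \
    --set clusterName="$CLUSTER_NAME" --set region="$AWS_REGION" \
    --set serviceAccount.create=false --set serviceAccount.name="$SA_NAME"
  run kubectl get deployment -n kube-system "$SA_NAME"
}

connect_cluster
install_alb_controller
```

Run it once with the default DRY_RUN=1 to read the exact commands it will issue, then with DRY_RUN=0 from a shell that already has AWS credentials for the target account.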
Step 3: Create PostgreSQL databases
Run commands to create the databases "vectice" and "keycloak". Once that is done, the temporary deployment can be deleted.
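One way to do this from inside the cluster, as an added example that is not Vectice's own code: a ConfigMap carries the SQL, a run-once Pod executes it with psql, and the Pod is deleted afterwards. The RDS endpoint, the admin user name and a pre-existing Secret named rds-admin (key password) are assumptions. The password is referenced from the Secret rather than typed on the command line, so it stays out of shell history and out of the Pod spec, and the connection is forced to TLS with PGSSLMODE=require. CREATE DATABASE has no IF NOT EXISTS form and cannot run inside a transaction, so the script uses psql's \gexec to execute it only when the database is missing, which makes the step safe to re-run.

```shell
#!/bin/sh
# Added example (not Vectice's own code): create the "vectice" and "keycloak" databases from
# inside the cluster with a throw-away psql Pod. The RDS endpoint, admin user and the Secret
# name "rds-admin" (key "password") are assumptions; the Secret is expected to exist already.
set -eu

RDS_HOST="${RDS_HOST:-vectice-db.abcdefghijkl.eu-west-1.rds.amazonaws.com}"
RDS_ADMIN="${RDS_ADMIN:-postgres}"
DRY_RUN="${DRY_RUN:-1}"     # DRY_RUN=0 executes; the default only prints the kubectl commands

run() {
  printf '+ %s\n' "$*"
  if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# bootstrap_sql: one idempotent CREATE DATABASE per argument. psql's \gexec runs the
# statement only when the SELECT returns a row. Names are restricted to [a-z0-9_] before
# they are interpolated, so a crafted name cannot smuggle extra SQL into the script.
bootstrap_sql() {
  for db in "$@"; do
    case "$db" in
      ""|*[!a-z0-9_]*) printf 'refusing unsafe database name: %s\n' "$db" >&2; return 1 ;;
    esac
    printf '%s\n' "SELECT 'CREATE DATABASE $db' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '$db')\\gexec"
  done
}

# bootstrap_manifest: a ConfigMap carrying the SQL and a run-once Pod that executes it.
# The password comes from a Secret reference, not from the command line or the Pod spec,
# and PGSSLMODE=require keeps the admin credential off the wire in clear text.
bootstrap_manifest() {
  sql="$(bootstrap_sql "$@")"
  sql="$(printf '%s\n' "$sql" | sed 's/^/    /')"
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: db-bootstrap
  namespace: vectice
data:
  bootstrap.sql: |
$sql
---
apiVersion: v1
kind: Pod
metadata:
  name: db-bootstrap
  namespace: vectice
spec:
  restartPolicy: Never
  containers:
  - name: psql
    image: postgres:13
    command: ["psql", "-v", "ON_ERROR_STOP=1", "-f", "/sql/bootstrap.sql"]
    env:
    - name: PGHOST
      value: "$RDS_HOST"
    - name: PGUSER
      value: "$RDS_ADMIN"
    - name: PGDATABASE
      value: postgres
    - name: PGSSLMODE
      value: require
    - name: PGPASSWORD
      valueFrom:
        secretKeyRef:
          name: rds-admin
          key: password
    volumeMounts:
    - name: sql
      mountPath: /sql
      readOnly: true
  volumes:
  - name: sql
    configMap:
      name: db-bootstrap
EOF
}

# Step 3 end to end: apply, wait for the Pod to finish, show its output, then remove it.
create_databases() {
  bootstrap_manifest vectice keycloak | run kubectl apply -f -
  run kubectl wait pod/db-bootstrap -n vectice --for=jsonpath='{.status.phase}'=Succeeded --timeout=120s
  run kubectl logs pod/db-bootstrap -n vectice
  run kubectl delete pod/db-bootstrap configmap/db-bootstrap -n vectice
}

create_databases
```

The `kubectl wait --for=jsonpath=...` form needs a reasonably recent kubectl; on older clients, poll `kubectl get pod db-bootstrap -n vectice` until its status is Completed instead. The Pod's security group must be allowed to reach the RDS port, which is the same rule the application pods need later.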
Step 4: Install the Cert Manager
First, install the cert-manager and cert-manager-csi-driver applications (Helm charts) on the cluster:
Next, generate a custom Certificate Authority and create its associated secret:
Step 5: Create Secrets for Ingress and Docker image retriever
First, create a self-signed certificate using the following command, replacing the Common Name (CN) with your own domain name. Below are sample values:
Then, use the command below to install your certificates in the cluster as a secret:
Next, import the certificate into AWS Certificate Manager (ACM), and copy the Amazon Resource Name (ARN) to reference it later:
The expected output should look like this:
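The certificate material for Step 4 (a private CA for cert-manager) and Step 5 (the self-signed ingress certificate), as an added example that is not Vectice's own code. The domain name, region, Secret names and the cert-manager chart options are assumptions. Both certificates are generated through a CSR plus an explicit extension file rather than `openssl req -x509` alone, because the default openssl.cnf on many hosts stamps CA:TRUE onto everything it self-signs, which is exactly the wrong property for a server certificate. The checks run before anything is pushed: correct CA flag, a Subject Alternative Name carrying the domain (what browsers and the ALB actually match on), a valid date range, and a private key that really belongs to the certificate. Only the helm, kubectl and aws commands are held back by DRY_RUN.

```shell
#!/bin/sh
# Added example (not Vectice's own code): certificate material for Step 4 (private CA for
# cert-manager) and Step 5 (self-signed certificate for the ingress), generated with openssl
# and checked before it is pushed to the cluster or to ACM. The domain, region, Secret names
# and the cert-manager chart options are assumptions for this example.
set -eu

DOMAIN="${DOMAIN:-vectice.my-company.com}"
AWS_REGION="${AWS_REGION:-eu-west-1}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
DRY_RUN="${DRY_RUN:-1}"     # DRY_RUN=0 executes helm/kubectl/aws; the default only prints them

run() {
  printf '+ %s\n' "$*"
  if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# make_ca: self-signed CA, CA:TRUE with keyCertSign only, 10 years. Extensions are written
# explicitly instead of relying on openssl.cnf defaults, which differ between hosts.
make_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORKDIR/ca.ext"
  openssl req -new -newkey rsa:4096 -nodes -sha256 -subj "/CN=Vectice internal CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" -days 3650 \
    -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# make_ingress_cert: self-signed server certificate for the ingress host. CA:FALSE so the
# key cannot mint further certificates, and a SAN, which is what clients actually match on.
make_ingress_cert() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$DOMAIN" > "$WORKDIR/tls.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$DOMAIN" \
    -keyout "$WORKDIR/tls.key" -out "$WORKDIR/tls.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/tls.csr" -signkey "$WORKDIR/tls.key" -days 365 \
    -extfile "$WORKDIR/tls.ext" -out "$WORKDIR/tls.crt" 2>/dev/null
}

# check_cert: succeed when the certificate has the intended CA flag ($2 = TRUE|FALSE), is
# currently valid, and, for a server certificate, names the ingress host in its SAN.
check_cert() {
  text="$(openssl x509 -in "$1" -noout -text)"
  printf '%s\n' "$text" | grep -q "CA:$2" || return 1
  if [ "$2" = FALSE ]; then
    printf '%s\n' "$text" | grep -q "DNS:$DOMAIN" || return 1
  fi
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# key_matches_cert: the public key in the certificate must be the one derived from the key file.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Steps 4 and 5 in the cluster and in ACM (printed unless DRY_RUN=0). Secret names are assumptions.
push() {
  run helm repo add jetstack https://charts.jetstack.io
  run helm repo update
  run helm install cert-manager jetstack/cert-manager -n cert-manager --create-namespace --set installCRDs=true
  run helm install cert-manager-csi-driver jetstack/cert-manager-csi-driver -n cert-manager
  run kubectl create secret tls vectice-ca-key-pair -n cert-manager --cert="$WORKDIR/ca.crt" --key="$WORKDIR/ca.key"
  run kubectl create secret tls vectice-ingress-tls -n vectice --cert="$WORKDIR/tls.crt" --key="$WORKDIR/tls.key"
  run aws acm import-certificate --region "$AWS_REGION" \
    --certificate "fileb://$WORKDIR/tls.crt" --private-key "fileb://$WORKDIR/tls.key"
}

make_ca
make_ingress_cert
check_cert "$WORKDIR/ca.crt" TRUE
check_cert "$WORKDIR/tls.crt" FALSE
key_matches_cert "$WORKDIR/tls.crt" "$WORKDIR/tls.key"
push
```

The ARN printed by `aws acm import-certificate` is the value the ingress annotation needs in Step 6. Keep ca.key off the deployment machine once the Secret exists; anyone holding it can issue certificates that every workload trusting this CA will accept.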
Step 6: Install the Vectice Stack
From the package your account team provided, untar the Vectice Helm chart and create myvalues.yaml from the chart's values.yaml file. Below, sample values are provided between brackets:
Next, fill in the values in myvalues.yaml according to your deployment environment, and deploy the Vectice global objects using Helm:
Once this is done, retrieve the hostname of the Vectice ingress (the load balancer address your domain name will point at). Note: this can take up to 5 minutes to appear.
The expected output should look like this, with example values:
Finally, create a CNAME record in your DNS zone that maps your Vectice domain name to that ingress hostname.
In this example, the CNAME record would look like this: