From 55631793cae3c8d25cc00c58d65869e5d448f910 Mon Sep 17 00:00:00 2001 From: Greg Miller Date: Sat, 3 Aug 2024 17:27:58 +0200 Subject: [PATCH 1/5] #1341 Added AWS ALB instruction and configuration in k8s helm deployment --- k8s/README.md | 46 ++++++++++++++++ k8s/cbte/templates/ingress-aws-alb.yaml | 73 +++++++++++++++++++++++++ k8s/cbte/values.example.yaml | 2 +- 3 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 k8s/cbte/templates/ingress-aws-alb.yaml diff --git a/k8s/README.md b/k8s/README.md index 24ad639..6a4b3f1 100644 --- a/k8s/README.md +++ b/k8s/README.md 
@@ -46,6 +46,52 @@ You need additional configuration changes # fsGroupChangePolicy: "Always" ``` +### AWS ALB configuration + +Install `AWS CLI`: If `AWS CLI` is not installed yet, install it by following the instructions on the [official AWS CLI website](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html). + +Install `eksctl`: `eksctl` is a command-line utility for creating and managing EKS clusters. Install eksctl by following the instructions on the [official eksctl website](https://eksctl.io/installation/). + + +1. OIDC Provider Association: + +``` +eksctl utils associate-iam-oidc-provider --region= --cluster= --approve +``` + +2. Create IAM role and link policy: + +Create policy IAM: +``` +curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json +aws iam create-policy --policy-name AWSLoadBalancerControllerIAMPolicy --policy-document file://iam_policy.json +``` + +Create IAM role and link policy: +``` +eksctl create iamserviceaccount \ + --cluster \ + --namespace kube-system \ + --name aws-load-balancer-controller \ + --attach-policy-arn arn:aws:iam:::policy/AWSLoadBalancerControllerIAMPolicy \ + --approve +``` + +3. Installing AWS Load Balancer Controller using Helm: + +``` +helm repo add eks https://aws.github.io/eks-charts +helm repo update + +helm install aws-load-balancer-controller eks/aws-load-balancer-controller \ + -n kube-system \ + --set clusterName= \ + --set serviceAccount.create=false \ + --set region= \ + --set vpcId= \ + --set serviceAccount.name=aws-load-balancer-controller +``` + ### Digital Ocean proxy configuration Edit ingress controller with: diff --git a/k8s/cbte/templates/ingress-aws-alb.yaml b/k8s/cbte/templates/ingress-aws-alb.yaml new file mode 100644 index 0000000..05d43bd --- /dev/null +++ b/k8s/cbte/templates/ingress-aws-alb.yaml 
@@ -0,0 +1,73 @@ +--- +{{- if eq .Values.ingressController "aws-alb" }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: ingress-{{ .Release.Name }} + annotations: + kubernetes.io/ingress.class: "alb" + alb.ingress.kubernetes.io/scheme: "internet-facing" + {{- if eq "https" .Values.httpScheme }} + ingress.kubernetes.io/ssl-redirect: "true" + {{- end }} + alb.ingress.kubernetes.io/rewrite-target: "/$1$2" + alb.ingress.kubernetes.io/affinity: "cookie" + alb.ingress.kubernetes.io/affinity-mode: "persistent" + alb.ingress.kubernetes.io/session-cookie-name: "cb-node-id" + alb.ingress.kubernetes.io/session-cookie-path: "/" + alb.ingress.kubernetes.io/session-cookie-domain: "{{ .Values.cloudbeaverBaseDomain }}" + alb.ingress.kubernetes.io/session-cookie-change-on-failure: "true" + alb.ingress.kubernetes.io/session-cookie-secure: "true" + alb.ingress.kubernetes.io/session-cookie-max-age: "345600" + alb.ingress.kubernetes.io/proxy-body-size: "500m" + alb.ingress.kubernetes.io/proxy-read-timeout: "3600" + alb.ingress.kubernetes.io/proxy-send-timeout: "3600" + # alb.ingress.kubernetes.io/use-regex: true + +spec: +{{- if eq "https" .Values.httpScheme }} + tls: + - hosts: + - {{ .Values.cloudbeaverBaseDomain }} + secretName: {{ .Release.Name }}-ingress-tls +{{- end }} + rules: + - host: "{{ .Values.cloudbeaverBaseDomain }}" + http: + paths: + - path: /(.*)(.*) + pathType: Prefix + backend: + service: + name: cloudbeaver-te + port: + number: 8978 + - path: /(dc/|dc$)(.*) + pathType: Prefix + backend: + service: + name: cloudbeaver-dc + port: + number: 8970 + - path: /(rm/|rm$)(.*) + pathType: Prefix + backend: + service: + name: cloudbeaver-rm + port: + number: 8971 + - path: /(qm/|qm$)(.*) + pathType: Prefix + backend: + service: + name: cloudbeaver-qm + port: + number: 8972 + - path: /(tm/|tm$)(.*) + pathType: Prefix + backend: + service: + name: cloudbeaver-tm + port: + number: 8973 +{{ end }} \ No newline at end of file 
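Review bot: The `rewrite-target`, `affinity*`, `session-cookie-*`, `proxy-body-size` and `proxy-*-timeout` entries in the `annotations:` block are ingress-nginx names with an `alb.` prefix; the AWS Load Balancer Controller does not define them, so they are silently ignored — there is no sticky session, no Secure/domain-scoped `cb-node-id` cookie, no 500m body limit and no 3600s timeout on the ALB, and an ALB cannot rewrite paths at all. As far as I can tell from the controller's annotation reference, stickiness belongs on the target group, `alb.ingress.kubernetes.io/target-group-attributes: stickiness.enabled=true,stickiness.type=lb_cookie,stickiness.lb_cookie.duration_seconds=345600`, and the idle timeout on the load balancer, `alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=3600`; the unrecognised lines should go so the chart does not suggest protections it does not provide. `scheme: internet-facing` is also hard-coded, which publishes the dc/rm/qm/tm backends (ports 8970–8973) to the Internet for every deployment; reading it from a chart value (`alb.ingress.kubernetes.io/scheme: {{ .Values.albScheme | default "internet-facing" }}`) and documenting `alb.ingress.kubernetes.io/inbound-cidrs` would let private deployments stay `internal` or restrict sources.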
diff --git a/k8s/cbte/values.example.yaml b/k8s/cbte/values.example.yaml index 13b62cb..bcff522 100644 --- a/k8s/cbte/values.example.yaml +++ b/k8s/cbte/values.example.yaml @@ -10,7 +10,7 @@ cloudbeaver: # pullCredsName: regcred # Ingress Values -# Supported ingress controllers: nginx, haproxy +# Supported ingress controllers: aws-alb, nginx, haproxy ingressController: nginx # Domain name for ingress endpoint cloudbeaverBaseDomain: "cloudbeaver.local" From 24069ec5df2510b671ba2c179a822a876bef8ded Mon Sep 17 00:00:00 2001 From: Greg Miller Date: Tue, 10 Sep 2024 16:45:17 +0200 Subject: [PATCH 2/5] #1341 Small changes in params aws ingress --- k8s/cbte/templates/ingress-aws-alb.yaml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/k8s/cbte/templates/ingress-aws-alb.yaml b/k8s/cbte/templates/ingress-aws-alb.yaml index 05d43bd..de0c309 100644 --- a/k8s/cbte/templates/ingress-aws-alb.yaml +++ b/k8s/cbte/templates/ingress-aws-alb.yaml @@ -5,8 +5,8 @@ kind: Ingress metadata: name: ingress-{{ .Release.Name }} annotations: - kubernetes.io/ingress.class: "alb" - alb.ingress.kubernetes.io/scheme: "internet-facing" + alb.ingress.kubernetes.io/scheme: internet-facing + alb.ingress.kubernetes.io/target-type: ip {{- if eq "https" .Values.httpScheme }} ingress.kubernetes.io/ssl-redirect: "true" {{- end }} @@ -25,6 +25,7 @@ metadata: # alb.ingress.kubernetes.io/use-regex: true spec: + ingressClassName: alb {{- if eq "https" .Values.httpScheme }} tls: - hosts: 
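Review bot: `ingressClassName: alb` in the second hunk hands this Ingress to the AWS Load Balancer Controller, which terminates TLS on the ALB with an ACM certificate and, as far as I know, ignores `spec.tls[].secretName`, using only `tls[].hosts` and the rule host for ACM certificate discovery — so the `tls:` block whose `secretName` line follows this hunk, and the README step that puts `fullchain.pem`/`privkey.pem` into `ingressSsl/`, have no effect for `aws-alb`. Unless an ACM certificate matching `cloudbeaverBaseDomain` already exists in the cluster's region the HTTPS listener cannot be created, and the operator gets no hint why. Document this next to the block, e.g. `# aws-alb: TLS terminates on the ALB with an ACM certificate; secretName is not used`, or better expose the ARN as a chart value and emit `alb.ingress.kubernetes.io/certificate-arn` (patch 3 of this series does the latter but leaves the misleading `tls:` block and the README step in place).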
@@ -35,39 +36,39 @@ spec: - host: "{{ .Values.cloudbeaverBaseDomain }}" http: paths: - - path: /(.*)(.*) + - path: / pathType: Prefix backend: service: name: cloudbeaver-te port: number: 8978 - - path: /(dc/|dc$)(.*) + - path: /dc/ pathType: Prefix backend: service: name: cloudbeaver-dc port: number: 8970 - - path: /(rm/|rm$)(.*) + - path: /rm/ pathType: Prefix backend: service: name: cloudbeaver-rm port: number: 8971 - - path: /(qm/|qm$)(.*) + - path: /qm/ pathType: Prefix backend: service: name: cloudbeaver-qm port: number: 8972 - - path: /(tm/|tm$)(.*) + - path: /tm/ pathType: Prefix backend: service: name: cloudbeaver-tm port: - number: 8973 + number: 8973 {{ end }} \ No newline at end of file From 4bfb634673bec268c9654afaad1aaecae5476108 Mon Sep 17 00:00:00 2001 From: Greg Miller Date: Tue, 10 Sep 2024 20:07:19 +0200 Subject: [PATCH 3/5] #1341 Update params for certificate-arn in aws-alb --- k8s/cbte/templates/ingress-aws-alb.yaml | 13 +++++++------ k8s/cbte/values.example.yaml | 3 +++ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/k8s/cbte/templates/ingress-aws-alb.yaml b/k8s/cbte/templates/ingress-aws-alb.yaml index de0c309..d97b9ba 100644 --- a/k8s/cbte/templates/ingress-aws-alb.yaml +++ b/k8s/cbte/templates/ingress-aws-alb.yaml @@ -7,9 +7,13 @@ metadata: annotations: alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/target-type: ip + {{- if .Values.certificateARN }} + alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.certificateARN }}" + {{- end }} {{- if eq "https" .Values.httpScheme }} - ingress.kubernetes.io/ssl-redirect: "true" + alb.ingress.kubernetes.io/ssl-redirect: '443' {{- end }} + alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]' alb.ingress.kubernetes.io/rewrite-target: "/$1$2" alb.ingress.kubernetes.io/affinity: "cookie" alb.ingress.kubernetes.io/affinity-mode: "persistent" 
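Review bot: The catch-all `path: /` is listed before `/dc/`, `/rm/`, `/qm/` and `/tm/`; ALB listener rules are matched strictly by priority and, as far as I can tell, the controller assigns priorities in spec order, so the `/*` pattern generated for the first entry would take every request and the four service-specific paths would never be reached (the regex form this replaces relied on ingress-nginx's longest-match behaviour, which an ALB does not have). Move the `/` → `cloudbeaver-te` entry to the end of `paths:` so `/dc/…` actually lands on `cloudbeaver-dc` rather than the main web service; if the switch to plain prefixes was verified against a live ALB, a comment saying so (`# order matters: ALB rule priority follows spec order`) would save the next reader the check.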
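Review bot: `listen-ports` opens the HTTPS:443 listener unconditionally, but `certificate-arn` is emitted only when `certificateARN` is set and `ssl-redirect` only when `httpScheme` is `https`; with the example defaults (`httpScheme: http`, `certificateARN: ""`) the controller has to discover an ACM certificate on its own and, as far as I know, fails the whole reconcile — no ALB at all — when none matches `cloudbeaverBaseDomain` (the `tls:` block is outside this hunk). Gate the 443 listener on the same condition as the redirect so the plaintext mode still deploys, and keep the https branch explicit about where its certificate comes from. For `https` it may also be worth failing the render when `certificateARN` is empty (`required "certificateARN is required for aws-alb https" .Values.certificateARN`) instead of relying on auto-discovery silently, but that is a judgement call.

```yaml
  alb.ingress.kubernetes.io/target-type: ip
  # … unchanged: certificate-arn block …
  {{- if eq "https" .Values.httpScheme }}
  alb.ingress.kubernetes.io/ssl-redirect: '443'
  alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
  {{- else }}
  alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
  {{- end }}
```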
@@ -21,9 +25,7 @@ metadata: alb.ingress.kubernetes.io/session-cookie-max-age: "345600" alb.ingress.kubernetes.io/proxy-body-size: "500m" alb.ingress.kubernetes.io/proxy-read-timeout: "3600" - alb.ingress.kubernetes.io/proxy-send-timeout: "3600" - # alb.ingress.kubernetes.io/use-regex: true - + alb.ingress.kubernetes.io/proxy-send-timeout: "3600" spec: ingressClassName: alb {{- if eq "https" .Values.httpScheme }} @@ -33,8 +35,7 @@ spec: secretName: {{ .Release.Name }}-ingress-tls {{- end }} rules: - - host: "{{ .Values.cloudbeaverBaseDomain }}" - http: + - http: paths: - path: / pathType: Prefix diff --git a/k8s/cbte/values.example.yaml b/k8s/cbte/values.example.yaml index bcff522..f470cd5 100644 --- a/k8s/cbte/values.example.yaml +++ b/k8s/cbte/values.example.yaml @@ -21,6 +21,9 @@ httpScheme: http httpsCertPath: "ingressSsl" # certificate: /fullchain.pem # certificate key: /privkey.pem +# If you keep certificate in AWS Certificate Manager and use aws-alb set your certificate ARN +# Domain certificates must equal cloudbeaverBaseDomain +certificateARN: "" crossServiceCertPath: "crossSsl" From d98ea37122981ac91071caa9ce4864cd4aa058a5 Mon Sep 17 00:00:00 2001 From: Greg Miller Date: Mon, 23 Sep 2024 13:47:05 +0200 Subject: [PATCH 4/5] dbeaver/dbeaver-devops#1341-k8s-aws-alb-gateway-ingress Updated readme --- k8s/README.md | 7 ++++--- k8s/cbte/templates/ingress-aws-alb.yaml | 3 ++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/k8s/README.md b/k8s/README.md index 6a4b3f1..b79afd9 100644 --- a/k8s/README.md +++ b/k8s/README.md 
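Review bot: Removing `host:` from the rule in the second hunk (`@@ -33,8 +35,7 @@`) makes it a catch-all: the ALB will serve CloudBeaver for any Host header, including its own `*.elb.amazonaws.com` name, so the domain pinning that `session-cookie-domain` and the ACM certificate assume no longer holds, and with `certificateARN` empty the controller's ACM auto-discovery loses the only hostname it could match on. Keep `- host: "{{ .Values.cloudbeaverBaseDomain }}"` on the rule; patch 4 in this series does put it back, but this intermediate state should not be tagged or deployed on its own.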
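Review bot: The new `certificateARN` comment leaves the operator to guess what happens when the value stays empty and how it relates to the `httpsCertPath` / `ingressSsl` lines just above it: for `aws-alb` the files in `ingressSsl/` are, as far as I know, not used by the controller, and an empty ARN means it will try to find an ACM certificate for `cloudbeaverBaseDomain` on its own. I would say so explicitly, e.g. `# aws-alb only: TLS terminates on the ALB with an ACM certificate (ingressSsl/ is ignored). Leave empty to let the controller discover an ACM certificate whose name matches cloudbeaverBaseDomain.`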
@@ -15,7 +15,7 @@ - `cd team-edition-deploy/k8s/cbte` - `cp ./values.example.yaml ./values.yaml` - Edit chart values in `values.yaml` (use any text editor) -- Configure domain and SSL certificate (optional) +- Configure domain and SSL certificate - Add an A record in your DNS hosting for a value of `cloudbeaverBaseDomain` variable with load balancer IP address. - Generate internal services certificates: On Linux or macOS, run the script to prepare services certificates: @@ -23,13 +23,13 @@ - If you set the *HTTPS* endpoint scheme, then create a valid TLS certificate for the domain endpoint `cloudbeaverBaseDomain` and place it into `k8s/cbte/ingressSsl`: Certificate: `ingressSsl/fullchain.pem` Private Key: `ingressSsl/privkey.pem` -- Deploy Team Edition with Helm: `helm install cloudbeaver` +- Deploy Team Edition with Helm: `helm install cloudbeaver-te ./ --values ./values.yaml` ### Version update procedure. - Change directory to `team-edition-deploy/k8s/cbte`. - Change value of `imageTag` in configuration file `values.yaml` with a preferred version. Go to next step if tag `latest` set. -- Upgrade cluster: `helm upgrade cloudbeaver` +- Upgrade cluster: `helm upgrade cloudbeaver-te ./ --values ./values.yaml` ### OpenShift deployment @@ -71,6 +71,7 @@ Create IAM role and link policy: ``` eksctl create iamserviceaccount \ --cluster \ + --region \ --namespace kube-system \ --name aws-load-balancer-controller \ --attach-policy-arn arn:aws:iam:::policy/AWSLoadBalancerControllerIAMPolicy \ diff --git a/k8s/cbte/templates/ingress-aws-alb.yaml b/k8s/cbte/templates/ingress-aws-alb.yaml index d97b9ba..27803dd 100644 --- a/k8s/cbte/templates/ingress-aws-alb.yaml +++ b/k8s/cbte/templates/ingress-aws-alb.yaml @@ -35,7 +35,8 @@ spec: secretName: {{ .Release.Name }}-ingress-tls {{- end }} rules: - - http: + - host: "{{ .Values.cloudbeaverBaseDomain }}" + http: paths: - path: / pathType: Prefix From 19bf9ecf4d4a23a52b4982a1315c5ad6664939da Mon Sep 17 00:00:00 2001 
From: Greg Miller Date: Tue, 24 Sep 2024 13:12:00 +0200 Subject: [PATCH 5/5] dbeaver/dbeaver-devops#1341 Added policy list for eksctl to work --- k8s/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/k8s/README.md b/k8s/README.md index b79afd9..7695f60 100644 --- a/k8s/README.md +++ b/k8s/README.md @@ -53,6 +53,14 @@ Install `AWS CLI`: If `AWS CLI` is not installed yet, install it by following th Install `eksctl`: `eksctl` is a command-line utility for creating and managing EKS clusters. Install eksctl by following the instructions on the [official eksctl website](https://eksctl.io/installation/). +Policy required for eksctl to work: + +- [CloudFormation Full Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloudFormationFullAccess.html) +- [EKS Full Access](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-console) +- [EC2 and EC2 Auto Scaling Full Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2FullAccess.html) +- [IAM Full Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/IAMFullAccess.html) +- [Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_id-based-policy-examples.html) + 1. OIDC Provider Association: ```