dbeaver · ggxed · Sep 24, 2024 · Aug 3, 2024 · Sep 10, 2024 · Sep 10, 2024
diff --git a/k8s/README.md b/k8s/README.md
@@ -15,21 +15,21 @@
 - `cd team-edition-deploy/k8s/cbte`
 - `cp ./values.example.yaml ./values.yaml`
 - Edit chart values in `values.yaml` (use any text editor)
-- Configure domain and SSL certificate (optional)
+- Configure domain and SSL certificate 
   - Add an A record in your DNS hosting for a value of `cloudbeaverBaseDomain` variable with load balancer IP address.
   - Generate internal services certificates:  
      On Linux or macOS, run the script to prepare services certificates:   
        `./services-certs-generator.sh`
   - If you set the *HTTPS* endpoint scheme, then create a valid TLS certificate for the domain endpoint `cloudbeaverBaseDomain` and place it into `k8s/cbte/ingressSsl`:  
     Certificate: `ingressSsl/fullchain.pem`  
     Private Key: `ingressSsl/privkey.pem`
-- Deploy Team Edition with Helm: `helm install cloudbeaver`
+- Deploy Team Edition with Helm: `helm install cloudbeaver-te ./ --values ./values.yaml`
 
 ### Version update procedure.
 
 - Change directory to `team-edition-deploy/k8s/cbte`.
 - Change value of `imageTag` in configuration file `values.yaml` with a preferred version. Go to next step if tag `latest` set.
-- Upgrade cluster: `helm upgrade cloudbeaver` 
+- Upgrade cluster: `helm upgrade cloudbeaver-te ./ --values ./values.yaml` 
 
 ### OpenShift deployment
 
@@ -46,6 +46,61 @@ You need additional configuration changes
           #     fsGroupChangePolicy: "Always"
     ```
 
+### AWS ALB configuration  
+
+Install `AWS CLI`: If `AWS CLI` is not installed yet, install it by following the instructions on the [official AWS CLI website](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html).  
+
+Install `eksctl`: `eksctl` is a command-line utility for creating and managing EKS clusters. Install eksctl by following the instructions on the [official eksctl website](https://eksctl.io/installation/).  
+
+
+Policy required for eksctl to work:
+
+- [CloudFormation Full Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloudFormationFullAccess.html)
+- [EKS Full Access](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-console)
+- [EC2 and EC2 Auto Scaling Full Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2FullAccess.html)
+- [IAM Full Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/IAMFullAccess.html)
+- [Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_id-based-policy-examples.html)
+
+1. OIDC Provider Association:  
+
+```
+eksctl utils associate-iam-oidc-provider --region=<your-region> --cluster=<your-cluster-name> --approve
+```
+
+2. Create IAM role and link policy:  
+
+Create policy IAM:  
+```
+curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json
+aws iam create-policy --policy-name AWSLoadBalancerControllerIAMPolicy --policy-document file://iam_policy.json
+```
+
+Create IAM role and link policy:  
+```
+eksctl create iamserviceaccount \
+  --cluster <your-cluster-name> \
+  --region <your-region> \
+  --namespace kube-system \
+  --name aws-load-balancer-controller \
+  --attach-policy-arn arn:aws:iam::<your-account-id>:policy/AWSLoadBalancerControllerIAMPolicy \
+  --approve
+```
+
+3. Installing AWS Load Balancer Controller using Helm:  
+
+```
+helm repo add eks https://aws.github.io/eks-charts
+helm repo update
+
+helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
+  -n kube-system \
+  --set clusterName=<your-cluster-name> \
+  --set serviceAccount.create=false \
+  --set region=<your-region> \
+  --set vpcId=<your-vpc-id> \
+  --set serviceAccount.name=aws-load-balancer-controller
+```
+
 ### Digital Ocean proxy configuration
 
 Edit ingress controller with:

diff --git a/k8s/cbte/templates/ingress-aws-alb.yaml b/k8s/cbte/templates/ingress-aws-alb.yaml
@@ -0,0 +1,76 @@
+---
+{{- if eq .Values.ingressController "aws-alb" }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-{{ .Release.Name }}
+  annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: ip
+    {{- if .Values.certificateARN }}
+    alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.certificateARN }}"
+    {{- end }}
+    {{- if eq "https" .Values.httpScheme }}
+    alb.ingress.kubernetes.io/ssl-redirect: '443'
+    {{- end }}
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+    alb.ingress.kubernetes.io/rewrite-target: "/$1$2"
+    alb.ingress.kubernetes.io/affinity: "cookie"
+    alb.ingress.kubernetes.io/affinity-mode: "persistent"
+    alb.ingress.kubernetes.io/session-cookie-name: "cb-node-id"
+    alb.ingress.kubernetes.io/session-cookie-path: "/"
+    alb.ingress.kubernetes.io/session-cookie-domain: "{{ .Values.cloudbeaverBaseDomain }}"
+    alb.ingress.kubernetes.io/session-cookie-change-on-failure: "true"
+    alb.ingress.kubernetes.io/session-cookie-secure: "true"
+    alb.ingress.kubernetes.io/session-cookie-max-age: "345600"
+    alb.ingress.kubernetes.io/proxy-body-size: "500m"
+    alb.ingress.kubernetes.io/proxy-read-timeout: "3600"
+    alb.ingress.kubernetes.io/proxy-send-timeout: "3600"
+spec:
+  ingressClassName: alb
+{{- if eq "https" .Values.httpScheme }}
+  tls:
+    - hosts:
+      - {{ .Values.cloudbeaverBaseDomain }}
+      secretName: {{ .Release.Name }}-ingress-tls
+{{- end }}
+  rules:
+  - host: "{{ .Values.cloudbeaverBaseDomain }}"
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: cloudbeaver-te
+              port:
+                number: 8978
+        - path: /dc/
+          pathType: Prefix
+          backend:
+            service:
+              name: cloudbeaver-dc
+              port:
+                number: 8970
+        - path: /rm/
+          pathType: Prefix
+          backend:
+            service:
+              name: cloudbeaver-rm
+              port:
+                number: 8971
+        - path: /qm/
+          pathType: Prefix
+          backend:
+            service:
+              name: cloudbeaver-qm
+              port:
+                number: 8972
+        - path: /tm/
+          pathType: Prefix
+          backend:
+            service:
+              name: cloudbeaver-tm
+              port:
+                number: 8973        
+{{ end }}
diff --git a/k8s/cbte/values.example.yaml b/k8s/cbte/values.example.yaml
@@ -10,7 +10,7 @@ cloudbeaver:
   # pullCredsName: regcred
 
 # Ingress Values
-# Supported ingress controllers: nginx, haproxy
+# Supported ingress controllers: aws-alb, nginx, haproxy
 ingressController: nginx
 # Domain name for ingress endpoint
 cloudbeaverBaseDomain: "cloudbeaver.local"
@@ -21,6 +21,9 @@ httpScheme: http
 httpsCertPath: "ingressSsl"
 # certificate: <httpsCertPath>/fullchain.pem
 # certificate key: <httpsCertPath>/privkey.pem
+# If you keep certificate in AWS Certificate Manager and use aws-alb set your certificate ARN
+# Domain certificates must equal cloudbeaverBaseDomain
+certificateARN: ""
 
 
 crossServiceCertPath: "crossSsl"