Amazon Web Services (AWS)

Required types of resources

Steps for creating AWS resources

  1. Create an S3 bucket.

    • The S3 bucket can be used from only one region; it is recommended to place it in the same region as EKS.

    • The S3 Bucket can use KMS or default S3 encryption.

    • You need to configure CORS on the bucket; an example is given below under "CORS configuration for S3".

  2. Create an IAM user and the IAM policy listed below ("IAM policy for S3 access"), and attach the policy to the user.

  3. Create a VPC.

    • It must have at least 2 private subnets [link].

    • Each subnet must contain at least 100 free IP addresses [recommendation].

  4. Create an EKS cluster.

    • Deploy the addons you need.

  5. Create a Route53 hosted zone.

    • You can use a private or a public zone.

    • It is recommended to use an A record with the simple routing policy.

    • The record should point to your service (for example, the ALB).

  6. Create an ACM certificate for your FQDN.

    • You can use a wildcard certificate.

  7. Create an ALB with the ACM certificate above.

    • If you do not have strict security requirements for the ALB, it is better to let the ALB controller create the ALB automatically (details below in EKS configuration).

    • You can use either an internal or an internet-facing scheme depending on your situation (with an internal scheme, SCIM synchronization with Azure AD will not work; only SSO authorization will).

    • ALB Configuration

      • HTTP/2 - On

      • Idle timeout - 4000 seconds

EKS configuration

  1. Deploy the EBS controller.

  2. Deploy the ALB controller.

    • Following the AWS documentation, create an IAM role for the controller and deploy the ALB Controller.

    • If you need to use an already created ALB, review this documentation and follow the steps below.

      1. Create a target group manually and register any IP address from the EKS subnet; the ALB controller will replace it with the actual pod addresses automatically.

        • Target type is IP addresses.

        • Target group name is any name, for example Genestack-ODM.

        • Protocol : Port is HTTP : 80

        • IP address type is IPv4

        • VPC is YOUR_EKS_VPC

        • Protocol version is HTTP1

        • Health check protocol is HTTP

        • Health check path is /frontend/health

      2. Create a listener in ALB and attach the target group.

        • HTTP Path Pattern is /*.

        • HTTP Host Header is ODM_FQDN (the ODM URL without https:// or http://, for example odm.genestack.com).

      3. Forward to the target group above.

      4. Set nginx.ingress.enabled parameter to false in ODM helm chart.

      5. Create and deploy a TargetGroupBinding in Kubernetes (see the "TargetGroupBinding example" below).

      6. Ensure that health checks in the target group have passed (after ODM deployment). You may need to allow access for the ALB subnet in the EC2 Security Group.

    • If you don't have an ALB:

      • It will be created automatically during ODM deployment by the ALB Controller.

  3. [Optional] Deploy External DNS.

    • To create records in Route53 automatically, it is recommended to use External DNS.

    • Be careful when using it: limit the list of zones it is allowed to manage, and if a zone is also used for something else, make sure External DNS will not delete records from it.
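The two guardrails above (limit the zones External DNS may touch, and prevent it from deleting records it does not own) map onto a handful of External DNS flags. The following script is an added example, not part of the Genestack documentation: it audits the container args of an External DNS deployment for those settings. The flags it checks (--domain-filter, --zone-id-filter, --policy, --txt-owner-id) are real External DNS flags; the sample arg lists and the zone name and owner id in them are constructed placeholders.

```python
"""Audit External DNS container args for the zone-scoping and no-delete guardrails.

Added example; not Genestack's code. The sample args below are constructed.
"""
from __future__ import annotations


def parse_flags(args: list[str]) -> dict[str, list[str]]:
    """Collect repeated --key=value args into {key: [values]}; later values win."""
    flags: dict[str, list[str]] = {}
    for arg in args:
        if not arg.startswith("--"):
            continue
        key, _, value = arg[2:].partition("=")
        flags.setdefault(key, []).append(value)
    return flags


def audit_external_dns_args(args: list[str], shared_zone: bool) -> list[str]:
    """Return findings for the given args (an empty list means the checks pass).

    shared_zone: True when the hosted zone also holds records that this cluster
    does not manage, so a deletion by External DNS would break something else.
    """
    flags = parse_flags(args)
    findings: list[str] = []

    # 1. Scope: without a domain or zone-id filter, External DNS may manage every
    #    hosted zone its IAM role can see.
    if not flags.get("domain-filter") and not flags.get("zone-id-filter"):
        findings.append("no --domain-filter or --zone-id-filter: every hosted zone is in scope")

    # 2. Policy: the default policy is "sync", which deletes records whose
    #    Kubernetes source disappears; on a shared zone use upsert-only.
    policy = flags.get("policy", ["sync"])[-1]
    if shared_zone and policy != "upsert-only":
        findings.append(f"--policy={policy} on a shared zone: use --policy=upsert-only")

    # 3. Ownership: the TXT registry tags records with an owner id so External DNS
    #    only touches its own records; the default id "default" is shared by every
    #    installation that did not set one.
    owner = flags.get("txt-owner-id", ["default"])[-1]
    if owner == "default":
        findings.append("--txt-owner-id is unset (defaults to 'default'): set one per cluster")

    return findings


# Constructed sample args (placeholder zone name and owner id), not a real deployment.
UNSAFE_ARGS = ["--source=ingress", "--provider=aws", "--registry=txt"]

SAFE_ARGS = [
    "--source=ingress",
    "--provider=aws",
    "--registry=txt",
    "--domain-filter=odm.example.internal",  # placeholder: the ODM zone only
    "--aws-zone-type=private",
    "--policy=upsert-only",
    "--txt-owner-id=odm-eks-cluster",        # placeholder: unique per cluster
]

if __name__ == "__main__":
    for name, args in (("unsafe", UNSAFE_ARGS), ("safe", SAFE_ARGS)):
        print(name, audit_external_dns_args(args, shared_zone=True) or "ok")
```

Run it against the args of your own External DNS Deployment (for example copied from the Helm values) before installing; `shared_zone=True` is the setting to use whenever the Route53 zone is not dedicated to this cluster.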

Configuration examples

CORS configuration for S3
[
    {
        "AllowedHeaders": [
            "accept",
            "accept-language",
            "Content-Type"
        ],
        "AllowedMethods": [
            "PUT"
        ],
        "AllowedOrigins": [
            "https://ODM_FQDN"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3000
    }
]
IAM policy for S3 access
{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "ListObjectsInBucket",
      "Effect" : "Allow",
      "Action" : [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Resource" : ["S3_BUCKET_ARN"]
    },
    {
      "Sid" : "AllObjectActions",
      "Effect" : "Allow",
      "Action" : [
        "s3:*Object*",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource" : ["S3_BUCKET_ARN/*"]
    },
    {
      "Sid" : "AllowUseOfTheKey",
      "Effect" : "Allow",
      "Action" : [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource" : ["KMS_KEY_ARN"]
    }
  ]
}
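Both documents above carry placeholders (ODM_FQDN, S3_BUCKET_ARN, KMS_KEY_ARN) and both are easy to widen by accident, for example an AllowedOrigins of "*" or a Resource of "*". The script below is an added example, not part of the Genestack documentation: it renders the two templates with your values and refuses them if a placeholder survived, if the CORS rule admits anything other than the ODM origin over HTTPS with PUT, or if an IAM statement reaches beyond the bucket, its objects and the KMS key. The sample FQDN and ARNs are constructed, and the embedded IAM policy is an abbreviated copy of the page's policy (fewer actions, same statements).

```python
"""Pre-flight checks for the S3 CORS rule and the IAM policy shown above.

Added example, not Genestack's code. Sample values are constructed placeholders.
"""
from __future__ import annotations

import json
import re

PLACEHOLDERS = ("ODM_FQDN", "S3_BUCKET_ARN", "KMS_KEY_ARN")
BUCKET_ARN_RE = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
KMS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

# Constructed sample values; a real deployment substitutes its own FQDN and ARNs.
ODM_FQDN = "odm.example.internal"
BUCKET_ARN = "arn:aws:s3:::odm-example-bucket"
KMS_KEY_ARN = "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"

CORS_TEMPLATE = """[{"AllowedHeaders": ["accept", "accept-language", "Content-Type"],
  "AllowedMethods": ["PUT"], "AllowedOrigins": ["https://ODM_FQDN"],
  "ExposeHeaders": [], "MaxAgeSeconds": 3000}]"""

# Abbreviated copy of the page's IAM policy (fewer actions, same structure).
POLICY_TEMPLATE = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "ListObjectsInBucket", "Effect": "Allow",
   "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": ["S3_BUCKET_ARN"]},
  {"Sid": "AllObjectActions", "Effect": "Allow",
   "Action": ["s3:*Object*", "s3:AbortMultipartUpload"], "Resource": ["S3_BUCKET_ARN/*"]},
  {"Sid": "AllowUseOfTheKey", "Effect": "Allow",
   "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": ["KMS_KEY_ARN"]}]}"""


def render(template: str, values: dict[str, str]) -> object:
    """Substitute placeholders textually, then parse the result as JSON."""
    for key, value in values.items():
        template = template.replace(key, value)
    return json.loads(template)


def find_placeholders(doc: object) -> list[str]:
    """Return every placeholder token still present in a parsed JSON document."""
    text = json.dumps(doc)
    return [p for p in PLACEHOLDERS if p in text]


def check_cors(rules: list[dict], odm_fqdn: str) -> list[str]:
    """Findings for the bucket CORS rules; empty means they match the page's example."""
    findings: list[str] = []
    expected = f"https://{odm_fqdn}"
    for i, rule in enumerate(rules):
        origins = rule.get("AllowedOrigins", [])
        if origins != [expected]:  # rejects "*", http://, and any extra origin
            findings.append(f"rule {i}: AllowedOrigins {origins} must be exactly [{expected!r}]")
        if set(rule.get("AllowedMethods", [])) != {"PUT"}:
            findings.append(f"rule {i}: AllowedMethods must be ['PUT'] only")
        if "*" in rule.get("AllowedHeaders", []):
            findings.append(f"rule {i}: AllowedHeaders must not contain '*'")
    return findings


def check_iam_policy(policy: dict, bucket_arn: str, kms_key_arn: str | None) -> list[str]:
    """Findings for the policy: every Resource must be the bucket, its objects or the key."""
    findings: list[str] = []
    if not BUCKET_ARN_RE.match(bucket_arn):
        findings.append(f"{bucket_arn!r} is not a valid S3 bucket ARN")
    allowed = {bucket_arn, bucket_arn + "/*"}
    if kms_key_arn is not None:
        if not KMS_ARN_RE.match(kms_key_arn):
            findings.append(f"{kms_key_arn!r} is not a valid KMS key ARN")
        allowed.add(kms_key_arn)
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "?")
        resources, actions = stmt.get("Resource", []), stmt.get("Action", [])
        resources = [resources] if isinstance(resources, str) else resources
        actions = [actions] if isinstance(actions, str) else actions
        for res in resources:
            if res not in allowed:
                findings.append(f"{sid}: resource {res!r} is outside the bucket/key scope")
        if "*" in actions or "s3:*" in actions:
            findings.append(f"{sid}: action wildcard grants more than the page's policy")
        if kms_key_arn is None and any(a.startswith("kms:") for a in actions):
            findings.append(f"{sid}: KMS actions granted but the bucket uses SSE-S3; drop this statement")
    return findings


def preflight(odm_fqdn: str, bucket_arn: str, kms_key_arn: str | None) -> list[str]:
    """Render both documents and return all findings (empty means ready to apply)."""
    values = {"ODM_FQDN": odm_fqdn, "S3_BUCKET_ARN": bucket_arn}
    if kms_key_arn is not None:
        values["KMS_KEY_ARN"] = kms_key_arn  # omitted for default S3 encryption
    cors, policy = render(CORS_TEMPLATE, values), render(POLICY_TEMPLATE, values)
    return (find_placeholders(cors) + find_placeholders(policy)
            + check_cors(cors, odm_fqdn) + check_iam_policy(policy, bucket_arn, kms_key_arn))


if __name__ == "__main__":
    print("KMS bucket:", preflight(ODM_FQDN, BUCKET_ARN, KMS_KEY_ARN) or "ok")
    print("SSE-S3 bucket:", preflight(ODM_FQDN, BUCKET_ARN, None))
```

Passing `None` as the key ARN models a bucket that uses default S3 encryption: the script then flags the leftover KMS_KEY_ARN placeholder and the now-unneeded AllowUseOfTheKey statement, which is the reminder to drop that statement rather than leave an unresolved resource in the policy.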
GP3 StorageClass example
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: gp3
parameters:
  type: gp3
provisioner: ebs.csi.aws.com
volumeBindingMode: Immediate
allowVolumeExpansion: true
TargetGroupBinding example
apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
metadata:
  name: odm
  namespace: odm
spec:
  ipAddressType: ipv4
  serviceRef:
    name: odm-nginx
    port: 80
  targetGroupARN: TARGET_GROUP_ARN