Skip to content

Amazon Web Services (AWS)

Required types of resources

Steps for creating AWS resources

  1. Create S3 Bucket.

    • You can use the S3 Bucket only from one region, it is recommended to use a common region with EKS.

    • The S3 Bucket can use KMS or default S3 encryption.

    • It is recommended to set up a lifecycle rule to clean up unfinished multipart uploads. Example of AbortIncompleteMultipartUpload rule.

  2. Create VPC.

    • Must have at least 2 private subnets [link].

    • Each subnets must contain at least 100 free IP addresses [recommendation].

  3. Create EKS.

    • Deploy the addons you need.

  4. Create IAM user [up to ODM version 1.60], role [after ODM version 1.60], policy (it will be listed below) and attach the policy to the user/role.

  5. Create Route53 hosted zone.

    • You can use private or public zone.

    • It is recommended to use A type of record and a simple routing method.

    • The recording name should refer to your service (for example ALB).

  6. Create ACM with your FQDN.

    • You can use wildcard certificate.

  7. Create ALB with ACM above.

    • If you do not have strict security requirements for ALB, then it is better to use the automatic creation of ALB using the ALB controller (details below in EKS configuration).

    • You can use either internal or public schema depending on your situation (with an internal scheme, SCIM synchronization with Azure AD will not work, only SSO Authorization).

    • ALB Configuration

      • HTTP/2 - On

      • Idle timeout - 4000 seconds

  1. Deploy EBS controller.

  2. Deploy ALB controller.

    • Following the documentation, it is required to create an IAM role and deploy the ALB Controller.

    • If you need to use already created ALB, please review this documentation and follow the steps below.

      1. Create a target group manually and specify any IP address from the EKS subnet, it will be automatically replaced with the actual address by the ALB controller.

        • Target type is IP addresses.

        • Target group name is any name. For example: Genestack-ODM.

        • Protocol : Port is HTTP : 80

        • IP address type is IPv4

        • VPC is YOUR_EKS_VPC

        • Protocol version is HTTP1

        • Health check protocol is HTTP

        • Health check path is /frontend/health

      2. Create a listener in ALB and attach the target group.

        • HTTP Path Pattern is /*.

        • HTTP Host Header is ODM_FQDN. ODM_FQDN - ODM url without https:// or http://. For example: odm.genestack.com.

      3. Forward to target group above

      4. Set nginx.ingress.enabled parameter to false in ODM helm chart.

      5. Create and deploy TargetGroupBinding (example) in Kubernetes.

      6. Ensure that health checks in the target group have passed (after ODM deployment). You may need to allow access for the ALB subnet in the EC2 Security Group.

    • If you don't have an ALB.

      • It will be created automatically during ODM deployment by ALB Controller.

  3. [Optional] Deploy External DNS.

    • To automatically create records in Route53, it is recommended to use External DNS.

    • Be careful when using it, you should limit the list of zones with which it can work. And if the zone is used for something else, then make sure that it will not delete records from there.

Configuration examples

AbortIncompleteMultipartUpload rule 
{
    "Rules": [
        {
            "ID": "PruneAbandonedMultipartUpload",
            "Status": "Enabled",
            "AbortIncompleteMultipartUpload": {
                "DaysAfterInitiation": 7
            }
        }
    ]
}
IAM policy for S3 access 
{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "ListObjectsInBucket",
      "Effect" : "Allow",
      "Action" : [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Resource" : ["S3_BUCKET_ARN"]
    },
    {
      "Sid" : "AllObjectActions",
      "Effect" : "Allow",
      "Action" : [
        "s3:*Object*",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource" : ["S3_BUCKET_ARN/*"]
    },
    {
      "Sid" : "AllowUseOfTheKey",
      "Effect" : "Allow",
      "Action" : [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource" : ["KMS_KEY_ARN"]
    }
  ]
}
IRSA Trust Relationships 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/oidc.eks.AWS_REGION.amazonaws.com/id/AWS_EKS_OIDC_ID"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "oidc.eks.AWS_REGION.amazonaws.com/id/AWS_EKS_OIDC_ID:sub": "system:serviceaccount:odm:odm",
                    "oidc.eks.AWS_REGION.amazonaws.com/id/AWS_EKS_OIDC_ID:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
Pod Identity Trust Relationships 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "pods.eks.amazonaws.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRole"
            ]
        }
    ]
}
GP3 StorageClass example 
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: gp3
parameters:
  type: gp3
provisioner: ebs.csi.aws.com
volumeBindingMode: Immediate
allowVolumeExpansion: true
TargetGroupBinding example 
apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
metadata:
  name: odm
  namespace: odm
spec:
  ipAddressType: ipv4
  serviceRef:
    name: odm-nginx
    port: 80
  targetGroupARN: TARGET_GROUP_ARN