To set up TLS for the DataOpsServer deployment, the following is needed.
Prerequisites
- Linux terminal is required to run the below commands.
- An existing EKS cluster with the dataopsserver deployment (see https://help.datagaps.com/articles/#!dataops-suite/eks).
- aws cli is required.
- eksctl is required.
- helm3 is required.
- The TLS certificate (.crt) and private key (.key) files for the required FQDN.
Run the commands below in a Linux terminal on a machine where you have authorized AWS credentials with the required privileges.
1. cluster_name=<Cluster name>
2. oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
3. echo $oidc_id
4. aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4
#If the output of step 4 is empty, run step 5; otherwise step 5 is not required (the OIDC provider is already associated).
5. eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve
#Replace the OIDC ID (the value printed in step 3), the region and the account ID in the Federated ARN and in both Condition keys below, then run the command.
6. cat <<EOF > trust-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<accountID>:oidc-provider/oidc.eks.ap-south-1.amazonaws.com/id/73B2FF294097348C7FC4C3B6B27BE682"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.ap-south-1.amazonaws.com/id/73B2FF294097348C7FC4C3B6B27BE682:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller",
"oidc.eks.ap-south-1.amazonaws.com/id/73B2FF294097348C7FC4C3B6B27BE682:aud": "sts.amazonaws.com"
}
}
}
]
}
EOF
7. aws iam create-role \
--role-name AmazonEKSLoadBalancerControllerRole \
--assume-role-policy-document file://"trust-policy.json"
8. curl -o iam_policy_alb.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.7.1/docs/install/iam_policy.json
9. aws iam create-policy \
--policy-name AWSLoadBalancerControllerIAMPolicy \
--policy-document file://iam_policy_alb.json
10. aws iam attach-role-policy \
--policy-arn arn:aws:iam::<accountnumber>:policy/AWSLoadBalancerControllerIAMPolicy \
--role-name AmazonEKSLoadBalancerControllerRole
11. kubectl create sa -n kube-system aws-load-balancer-controller
12. kubectl annotate serviceaccount aws-load-balancer-controller -n kube-system eks.amazonaws.com/role-arn=arn:aws:iam::<accountnumber>:role/AmazonEKSLoadBalancerControllerRole
13. helm repo add eks https://aws.github.io/eks-charts
14. helm repo update eks
15. helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
-n kube-system \
--set clusterName=<clustername> \
--set serviceAccount.create=false \
--set serviceAccount.name=aws-load-balancer-controller \
--set vpcId=vpc-0fbc34d579cf1633e --set region=ap-south-1  # replace vpcId and region with your cluster's VPC ID and region
16. kubectl create secret tls certsecret --cert=domain.crt --key=domain.key -n datagaps
#Replace the subnets, the certificate ARN and the host names in the manifest below with your own values (the tls hosts entry and the rule host should name the FQDN your certificate covers), then run:
17. cat >ingress.yaml <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dataopsingress
namespace: datagaps
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/subnets: subnet-02d1b2c5c412faed8,subnet-01e251e2ee96960ff
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-south-1:<accountID>:certificate/2376f178-fdd8-4613-9d89-a986a436427f
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
alb.ingress.kubernetes.io/ssl-redirect: '443'
alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=900
spec:
ingressClassName: alb
tls:
- hosts:
- https-eks.datagapsinc.in
secretName: certsecret
rules:
- host: eks.datagapsinc.in
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dataopsserver
port:
number: 6055
EOF