Prepare EKS Cluster

To deploy the Hydrolix platform on AWS you need an S3 bucket, an IAM policy and role for the platform's Kubernetes service accounts, and an Amazon EKS cluster. This page walks through creating each of them.

Check that all the required environment variables are set before continuing; every later step interpolates them into bucket names, policy documents and the cluster configuration.

cat << EOF
 -CLIENT_ID = $CLIENT_ID
 -ADMIN_EMAIL = $ADMIN_EMAIL
 -OWNER = $OWNER
 -HYDROLIX_HOST = $HYDROLIX_HOST
 -HYDROLIX_DOMAIN = $HYDROLIX_DOMAIN
 -CLOUD = $CLOUD
 -REGION = $REGION
 -HKT_VERSION = $HKT_VERSION
 -AWS_ACCOUNT_ID = $AWS_ACCOUNT_ID
 -KUBERNETES_CLUSTER = $KUBERNETES_CLUSTER
EOF
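Printing the variables only shows what is set; it does not stop you when something is empty. The following is an added example (not part of the Hydrolix documentation) that fails early instead. `REQUIRED_VARS` lists the same variables the page prints; the `CLIENT_ID` rule is the intersection of the S3 bucket-name rules and the Kubernetes namespace (DNS label) rules, since the page uses the same value for both; the account-ID check relies on AWS account IDs being exactly 12 digits. Function names are the example's own.

```shell
#!/bin/sh
# Added example, not Hydrolix's own code: validate the environment before any
# AWS or kubectl command interpolates these values into resource names.

# The variables the page's echo command prints.
REQUIRED_VARS="CLIENT_ID ADMIN_EMAIL OWNER HYDROLIX_HOST HYDROLIX_DOMAIN CLOUD REGION HKT_VERSION AWS_ACCOUNT_ID KUBERNETES_CLUSTER"

# Return 0 when every named variable is set and non-empty; otherwise list the
# missing names on stderr and return 1. An empty CLIENT_ID would, for example,
# turn "arn:aws:s3:::$CLIENT_ID/*" into an ARN that names no bucket at all.
require_env() {
  missing=""
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      missing="$missing $name"
    fi
  done
  if [ -n "$missing" ]; then
    printf 'missing or empty:%s\n' "$missing" >&2
    return 1
  fi
  return 0
}

# CLIENT_ID becomes both an S3 bucket name and a Kubernetes namespace, so it
# must satisfy both: 3-63 characters, lowercase letters, digits and hyphens,
# beginning and ending with a letter or digit (dots are valid in bucket names
# but not in namespaces, so they are rejected here).
valid_client_id() {
  id=$1
  [ "${#id}" -ge 3 ] && [ "${#id}" -le 63 ] || return 1
  case $id in
    *[!a-z0-9-]*) return 1 ;;
    -*|*-) return 1 ;;
  esac
  return 0
}

# AWS account IDs are exactly 12 decimal digits.
valid_account_id() {
  case $1 in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Run all checks against the current environment; non-zero means stop here.
check_env() {
  require_env $REQUIRED_VARS || return 1
  valid_client_id "$CLIENT_ID" || { echo "CLIENT_ID is not a valid bucket/namespace name" >&2; return 1; }
  valid_account_id "$AWS_ACCOUNT_ID" || { echo "AWS_ACCOUNT_ID must be 12 digits" >&2; return 1; }
  return 0
}

# Usage: source this file, then
#   check_env || exit 1
```

`check_env` is meant to run once at the top of a session; a non-zero return means one of the later commands would have created a mis-named or overly broad resource.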

Create the S3 bucket

aws s3 mb --region "$REGION" "s3://$CLIENT_ID"

Create the IAM policy document that grants access to the bucket

read -r -d '' POLICY_DOC << EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::$CLIENT_ID",
                "arn:aws:s3:::hdx-public"
            ]
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": [
                "arn:aws:s3:::$CLIENT_ID/*",
                "arn:aws:s3:::hdx-public/*"
            ]
        }
    ]
}
EOF

Create the policy in IAM

aws iam create-policy --policy-name "$CLIENT_ID-bucket" --policy-document "$POLICY_DOC"

Write the node group and basic cluster configuration to eksctl.yaml

cat > eksctl.yaml << EOF
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: $KUBERNETES_CLUSTER
  region: $REGION

addons:
  - name: aws-ebs-csi-driver

iam:
  withOIDC: true

managedNodeGroups:
  - name: nodegroup0
    instanceType: m5n.4xlarge
    minSize: 7
    maxSize: 7
    desiredCapacity: 7
    volumeSize: 256
    privateNetworking: true
EOF

Dev Clusters

If you are creating a dev cluster, we suggest changing the instanceType to t3.2xlarge.

Creating the cluster can take a little while.

eksctl create cluster -f eksctl.yaml

Retrieve the cluster's OIDC identity provider (the issuer URL without its https:// prefix)

OIDC_PROVIDER="$(aws --region "$REGION" eks describe-cluster --name "$KUBERNETES_CLUSTER" \
    --query "cluster.identity.oidc.issuer" \
    --output text | sed -e "s/^https:\/\///")"

Check the OIDC_PROVIDER Environment Variable

echo "$OIDC_PROVIDER"

If this is blank, retry the previous step to retrieve the identity provider for the cluster.

Create the IAM trust policy for the Kubernetes service accounts

read -r -d '' SA_POLICY_DOC << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::$AWS_ACCOUNT_ID:oidc-provider/$OIDC_PROVIDER"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$OIDC_PROVIDER:aud": "sts.amazonaws.com",
          "$OIDC_PROVIDER:sub": "system:serviceaccount:$CLIENT_ID:hydrolix"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::$AWS_ACCOUNT_ID:oidc-provider/$OIDC_PROVIDER"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$OIDC_PROVIDER:aud": "sts.amazonaws.com",
          "$OIDC_PROVIDER:sub": "system:serviceaccount:$CLIENT_ID:turbine-api"
        }
      }
    }
  ]
}
EOF

Create the IAM role that the Kubernetes service accounts will assume, using the trust policy above

aws iam create-role --role-name "$CLIENT_ID-bucket" \
    --assume-role-policy-document "$SA_POLICY_DOC" \
    --description "$CLIENT_ID-bucket"

Attach the bucket access IAM policy to the service account IAM role

aws iam attach-role-policy --role-name "$CLIENT_ID-bucket" \
    --policy-arn="arn:aws:iam::$AWS_ACCOUNT_ID:policy/$CLIENT_ID-bucket"

# Grab the ARN into a variable
export AWS_STORAGE_ROLE="arn:aws:iam::$AWS_ACCOUNT_ID:role/$CLIENT_ID-bucket"
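The trust policy above scopes each statement to one exact `system:serviceaccount:<namespace>:<name>` subject and to the `sts.amazonaws.com` audience, which is what keeps other pods in the cluster from assuming the role. The following is an added example (not code from the Hydrolix documentation): it generalises that two-statement document to any number of service accounts in one namespace, and checks a trust policy document for the scoping mistakes (a wildcard `sub`, `StringLike` matching, or a missing `aud` condition) that widen who can assume the role. Function names, the `hdx` namespace and the OIDC provider host used in the sample are constructed for the example; only POSIX sh and grep are required.

```shell
#!/bin/sh
# Added example, not Hydrolix's own code.

# Print an IRSA trust policy with one statement per service account.
# Arguments: account-id oidc-provider-host namespace service-account...
irsa_trust_policy() {
  account_id=$1 oidc_provider=$2 namespace=$3
  shift 3
  printf '{\n  "Version": "2012-10-17",\n  "Statement": [\n'
  first=1
  for sa in "$@"; do
    [ "$first" -eq 1 ] || printf ',\n'
    first=0
    printf '    {\n      "Effect": "Allow",\n'
    printf '      "Principal": { "Federated": "arn:aws:iam::%s:oidc-provider/%s" },\n' \
      "$account_id" "$oidc_provider"
    printf '      "Action": "sts:AssumeRoleWithWebIdentity",\n'
    printf '      "Condition": { "StringEquals": {\n'
    # aud pins the token audience; sub pins the exact namespace:serviceaccount pair
    printf '        "%s:aud": "sts.amazonaws.com",\n' "$oidc_provider"
    printf '        "%s:sub": "system:serviceaccount:%s:%s"\n' "$oidc_provider" "$namespace" "$sa"
    printf '      } }\n    }'
  done
  printf '\n  ]\n}\n'
}

# Return 0 if the trust policy document in $1 is scoped the way the page's
# policy is; return 1 on any of the three common widening mistakes.
trust_policy_is_scoped() {
  doc=$1
  # A wildcard in sub (e.g. "system:serviceaccount:ns:*") admits every
  # service account in that namespace.
  if printf '%s\n' "$doc" | grep -Eq ':sub": *"[^"]*\*'; then return 1; fi
  # StringLike allows patterns; StringEquals is the exact match wanted here.
  if printf '%s\n' "$doc" | grep -q '"StringLike"'; then return 1; fi
  # Without the aud check, a token minted for another audience is accepted.
  if ! printf '%s\n' "$doc" | grep -Eq ':aud": *"sts.amazonaws.com"'; then return 1; fi
  return 0
}

# Constructed sample of a trust policy that is too broad: StringLike with a
# wildcard subject and no audience condition.
BROAD_TRUST_POLICY='{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": { "StringLike": {
      "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE:sub": "system:serviceaccount:hdx:*"
    } }
  } ]
}'

# Usage with the page's variables (after OIDC_PROVIDER has been retrieved):
#   irsa_trust_policy "$AWS_ACCOUNT_ID" "$OIDC_PROVIDER" "$CLIENT_ID" hydrolix turbine-api > trust.json
#   trust_policy_is_scoped "$(cat trust.json)" || echo "trust policy is too broad" >&2
```

Run `trust_policy_is_scoped` against the document before `aws iam create-role`, or against `aws iam get-role --query Role.AssumeRolePolicyDocument` output afterwards, so that a later edit that loosens the subject match is caught rather than silently granting bucket access to every pod in the namespace.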

Create the namespace

kubectl create namespace "$CLIENT_ID"

For ease of use, set your new namespace as a default:

kubectl config set-context --current --namespace="$CLIENT_ID"

Now it's time to deploy the cluster!
