Install Otomi on EKS with DNS using Route53
Prerequisites
Additional resources
- If you use VSCode, hover over variables to see the description/type in .tf and .tfvars files with the Terraform extension
- How to setup aws cli and terraform
# Obtain account
aws sts get-caller-identity
# Obtain username and userarn
aws iam get-user
# Obtain rolearn
aws iam list-roles
# Obtain groups
aws iam list-groups
Create an EKS cluster
Clone the Otomi Terraform repository:
git clone https://github.com/redkubes/quickstart.git
cd eks
- Copy
example.tfvarsfile toterraform.tfvarsfile and fill in missing configuration parameters - Open a terminal and run the following:
terraform init
# install the EKS cluster
terraform apply
Get the credentials of the cluster:
# Update your kubeconfig
# Default: aws eks update-kubeconfig --name otomi
aws eks update-kubeconfig --name <cluster_name>
Add a CNI
To use the network policies feature in Otomi, make sure to install the Calico CNI or any other CNI that supports Kubernetes network polices.
Install Tigera Operator:
helm repo add projectcalico https://docs.tigera.io/calico/charts
helm repo update
kubectl create namespace tigera-operator
helm install calico projectcalico/tigera-operator --version v3.26.3 --namespace tigera-operator
Or install Calico minimal:
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.3/manifests/calico.yaml
Configure Route53
Follow these steps to use AWS Route53.
- Register a domain and retrieve the Hosted zone ID
- Create a
dns-policy.jsonfile for the policy and add the Zone ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "route53:GetChange",
"Resource": "arn:aws:route53:::change/*"
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/<your-zone-id>"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZonesByName",
"route53:ListHostedZones"
],
"Resource": [
"*"
]
}
]
}
- Create the policy:
aws iam create-policy --policy-name "otomi-dns" --policy-document file://dns-policy.json
- export the policy ARN:
export POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`<policy-name>`].Arn' --output text)
- Create a user:
USER=user-name
aws iam create-user --user-name $USER
- Attach the user to the policy:
aws iam attach-user-policy --user-name $USER --policy-arn $POLICY_ARN
- Create the
access-key:
ACCESS_KEY=$(aws iam create-access-key --user-name $USER)
- Get the
secret-access-idandsecret-access-key:
ACCESS_KEY_ID=$(echo $ACCESS_KEY | jq -r '.AccessKey.AccessKeyId')
ACCESS_KEY_SECRET=$(echo $ACCESS_KEY | jq -r '.AccessKey.SecretAccessKey')
Create the values.yaml file
-
Get the API server endpoint. You can find the API server endpoint in the Details section of the cluster in the AWS console.
-
Add the DNS configuration created in the previous step, the API server endpoint, the
domainSuffix,domainFilters,regionandemailto thevalues.yamlthat we'll use to install Otomi:
tee values.yaml<<EOF
cluster:
name: otomi
provider: aws
region: your-region
apiName: api-server-endpoint
domainSuffix: your-domain.com
otomi:
hasExternalDNS: true
dns:
domainFilters:
- your-domain.com
provider:
aws:
credentials:
secretKey: $ACCESS_KEY_ID
accessKey: $ACCESS_KEY_SECRET
region: your-region
apps:
cert-manager:
issuer: letsencrypt
stage: production
email: admin@your-domain.com
EOF
Install Otomi on EKS
Install Otomi using Helm:
helm repo add otomi https://otomi.io/otomi-core
helm repo update
helm install -f values.yaml otomi otomi/otomi
Monitor the logs of the installer job:
kubectl logs jobs/otomi -n default -f
When the installer is finished, copy the url and admin-password from the console output.
Follow the activation steps here.
Like to learn how to use Otomi? Go through the Get Started labs