
Amazon Kubernetes Service

This page describes how to install and configure Styra On-Premises on Amazon Elastic Kubernetes Service (EKS), using Amazon Relational Database Service (RDS) for PostgreSQL and the managed Amazon Elasticsearch Service (ES) in place of the bundled database and search cluster.

Prerequisites

The following software and services are required to install and configure Styra On-Premises on EKS with RDS and managed ES.

  1. A Kubernetes cluster running version 1.11 or later, with at least six vCPUs and 32GB of memory.

  2. The kubectl client, installed and pointed at that cluster.

  3. Access to a Simple Mail Transfer Protocol (SMTP) server. Styra uses SMTP to send email, for example the user-activation email and the password-recovery email. The SMTP details are entered during installation, as described in the Install and Configure Styra On-Premise on EKS with RDS and Managed ES section.

    • You need the SMTP host, SMTP port, SMTP username and password, and the SMTP From email address.

    • For Gmail, generate an app password for the sending account from the App Passwords entry on the account's security page, and use it as the SMTP password.

  4. Network access from the Styra DAS pods to the AWS PostgreSQL RDS instance and the Elasticsearch domain, which must be reachable from the cluster's VPC.

    • For RDS, use a database URL of the form postgres://USERNAME:PASSWORD@ENDPOINT/postgres, where ENDPOINT is shown on the RDS database dashboard in the AWS console and USERNAME and PASSWORD are valid PostgreSQL credentials for that instance.

    • Similarly, you need the VPC endpoint of the Elasticsearch domain, shown on the Elasticsearch dashboard in the AWS console, for example: https://vpc-myelastic-7icwafgw6u3kyowfu2yhhcsh4u.us-west-2.es.amazonaws.com.

important
  1. PostgreSQL must use password authentication, not Identity and Access Management (IAM) database authentication. The endpoint in the database URL is the RDS instance endpoint, for example mypostgres.cxfo17xhlaq4.us-west-2.rds.amazonaws.com.

  2. AWS managed Elasticsearch uses IAM based authentication. Grant access to your Elasticsearch domain to an IAM user or role, and then configure Styra DAS with that user's access keys or with that role, as described below.

  3. Use Kubernetes 1.11 or later.

Install and Configure Styra On-Premise on EKS with RDS and Managed ES

  1. To ensure kubectl is pointing to the correct cluster, run kubectl config get-contexts.

  2. Download the Styra On-Premises YAML configuration files from the Overview page.

  3. If you are pulling images directly from registry.styra.com, point REPOSITORY_URL at that registry and skip steps 4 and 5. The cluster nodes must be able to authenticate to this private registry, as described on the Overview page.

    export REPOSITORY_URL="registry.styra.com"

info

It is assumed that either the cluster nodes are configured to use a private registry (to use images directly from registry.styra.com) OR the Docker images downloaded from the Overview page have already been pushed to your cloud registry (Amazon ECR, or the GCP or Azure equivalent).

  4. If the images are in Amazon ECR, set your AWS account ID and region: export ACCOUNT=<account-id> && export REGION=<aws-region>.

  5. Set REPOSITORY_URL to the ECR registry hostname for that account and region (ECR hostnames have the form <account>.dkr.ecr.<region>.amazonaws.com): export REPOSITORY_URL=$ACCOUNT.dkr.ecr.$REGION.amazonaws.com.

important

Follow the installation steps with either kubectl or helm.

Using kubectl

Use the following instructions to install Styra DAS with kubectl and configure the Kubernetes resources:

  1. Modify the YAML files to use the container registry. The sed command replaces the REPOSITORY_URL placeholder with the value exported above.

    TMP_FILE=`mktemp /tmp/on-premises.yaml.XXXXXXXXXX`; sed -e "s/REPOSITORY_URL/$REPOSITORY_URL/" on-premises.yaml > $TMP_FILE; mv $TMP_FILE on-premises.yaml
  2. (Optional) Modify the Elasticsearch and Postgres YAML files to use the same container registry. Skip this step if you are using AWS managed Elasticsearch and Postgres RDS.

    TMP_FILE=`mktemp /tmp/postgres-deployment.yaml.XXXXXXXXXX`; sed -e "s/REPOSITORY_URL/$REPOSITORY_URL/" postgres/postgres-deployment.yaml > $TMP_FILE; mv $TMP_FILE postgres/postgres-deployment.yaml; \
    TMP_FILE=`mktemp /tmp/es-client.yaml.XXXXXXXXXX`; sed -e "s/REPOSITORY_URL/$REPOSITORY_URL/" elastic/es-client.yaml > $TMP_FILE; mv $TMP_FILE elastic/es-client.yaml; \
    TMP_FILE=`mktemp /tmp/es-data-stateful.yaml.XXXXXXXXXX`; sed -e "s/REPOSITORY_URL/$REPOSITORY_URL/" elastic/es-data-stateful.yaml > $TMP_FILE; mv $TMP_FILE elastic/es-data-stateful.yaml; \
    TMP_FILE=`mktemp /tmp/es-master.yaml.XXXXXXXXXX`; sed -e "s/REPOSITORY_URL/$REPOSITORY_URL/" elastic/es-master.yaml > $TMP_FILE; mv $TMP_FILE elastic/es-master.yaml

    When using AWS managed Elasticsearch and PostgreSQL RDS, the Styra DAS must be able to reach both services:

      • For RDS, use a database URL in the following format. The endpoint is available on the RDS database dashboard in the AWS console; the username and password are valid PostgreSQL credentials.

        postgres://USERNAME:PASSWORD@ENDPOINT/postgres

      • Similarly, you need the VPC endpoint for Elasticsearch, available on the Elasticsearch dashboard in the AWS console.

  3. Obtain a LoadBalancer address.

    • Create an ingress for the installation and determine the external URL assigned to it. That ingress URL is the value of ingress_url in settings.yaml.
  4. Configure the LoadBalancer IP or NodePort in the DAS gateway-public service specification by updating one of the following files.

    • (Optional) Add spec.loadBalancerIP in standard-external-http/load-balancer-svc.yaml, OR
    • (Optional) Add spec.ports.nodePort in standard-external-http/node-port-svc.yaml.
  5. Configure settings by modifying settings.yaml.

    • ingress_url: http://<Cluster Ingress>

    • from_email_address: "YOUR EMAIL ADDRESS"

    • smtp_address: "smtp.gmail.com:PORT NUMBER" [25 or 465 or 587]

  6. Configure credentials by modifying credentials.yaml.

    • smtp_username: "YOUR SMTP USERNAME"

    • smtp_password: "YOUR SMTP PASSWORD"

  7. (Optional) When no SMTP server is configured, a root user must be added so that you can log in after installation to add or update other users.

    • Set the root user and password in environment variables.

      export ROOT_USER=<root user email>

      export ROOT_USER_PWD=<root user password>

    • Update settings.yaml with the root user and password. The password is stored in plain text in config.json inside settings.yaml, and the command below ends up in your shell history, so treat it as a bootstrap credential and rotate it after first login. A password containing /, &, " or ' will break the sed substitution or the resulting YAML, so choose one without those characters for bootstrap.

        TMP_FILE=`mktemp /tmp/settings.yaml.XXXXXXXXXX`; sed "s/.*config.json.*/  config.json: '{\"tenants\": {\"default\": {\"root_users\": {\"$ROOT_USER\": {\"encrypted_password\": \"\", \"password\": \"$ROOT_USER_PWD\"}}}}}'/" settings.yaml > $TMP_FILE; mv $TMP_FILE settings.yaml
  8. (Optional) Configure TLS:

    • Update gateway-tls/deployment.yaml to use the container registry.

        TMP_FILE=`mktemp /tmp/gateway-tls-deploy.yaml.XXXXXXXXXX`; sed -e "s/REPOSITORY_URL/$REPOSITORY_URL/" gateway-tls/deployment.yaml > $TMP_FILE; mv $TMP_FILE gateway-tls/deployment.yaml

    • Add the certificate (gateway_tls_cert.pem) to settings.yaml so that it is mounted into the gateway.

        data:
          gateway_tls_cert.pem: |
            <TLS_CERT_CONTENT>

    • Similarly, add the private key (gateway_tls_private_key.pem) to the secret (credentials.yaml). The key belongs only in credentials.yaml, never in settings.yaml. Note that Kubernetes requires values under a Secret's data: field to be base64-encoded; if you paste the PEM verbatim as shown, put it under stringData: instead.

        data:
          gateway_tls_private_key.pem: |
            <TLS_KEY_CONTENT>

    • Update gateway-tls/gateway-public-tls-service.yaml:

      • Add spec.type: LoadBalancer and, optionally, spec.loadBalancerIP: <LoadBalancerIP>, OR
      • Add spec.type: NodePort and, optionally, spec.ports.nodePort: <NodePort>.

    • Install the Gateway TLS YAML manifest files with kubectl apply -f gateway-tls/.
  9. Configure Elasticsearch

    • Update settings.yaml

      • elasticsearch_url: "YOUR ES URL" (the VPC endpoint from the prerequisites)
      • es_sniff: "true"
      • es_ec2_iam_role_auth: "true" to authenticate with the EC2 instance role of the worker nodes, or "false" to use the access keys from credentials.yaml. With role authentication every pod on the node can use that role, so scope it to the Elasticsearch domain only.
      • aws_region: "YOUR AWS REGION"
    • Update credentials.yaml if using IAM user authentication. (If using IAM role authentication, skip this step.)

      • aws_access_key_id: "YOUR ACCESS KEY ID"
      • aws_secret_access_key: "YOUR SECRET ACCESS KEY"
info

The es_username and es_password values in credentials.yaml should remain empty (""). They are ignored in an AWS managed ES environment in favor of IAM authentication.

  10. Configure PostgreSQL

    • Update settings.yaml

      • db_url: "YOUR POSTGRES URL"
    • Update credentials.yaml

      • db_username: "YOUR POSTGRES USERNAME"
      • db_password: "YOUR POSTGRES PASSWORD"
  11. (Optional) Install the Elasticsearch and Postgres YAML files (only if using the bundled Elasticsearch and Postgres). If using AWS managed Elasticsearch and Postgres, skip this step.

    for f in elastic/*.yaml postgres/*.yaml; do kubectl apply -f $f; done

  12. a. Install the Styra DAS YAML files.

    for f in *.yaml; do kubectl apply -f $f; done

    b. Expose the Styra DAS using the LoadBalancer service type:

    kubectl apply -f standard-external-http/load-balancer-svc.yaml

    OR using the NodePort service type:

    kubectl apply -f standard-external-http/node-port-svc.yaml

  13. Wait until all of the pods are in the Running state. To check the status of the pods, run kubectl get pods.

  14. Point your browser to http://<YOUR LoadBalancer IP ADDRESS>. On EKS the LoadBalancer service is assigned a DNS hostname rather than an IP; kubectl get svc shows it in the EXTERNAL-IP column.

  15. Reset the password for your email address (from_email_address:) by using the Forgot Password flow.

tip

The UI can be accessed without a public address by port-forwarding port 8080 of the Gateway pod: run kubectl port-forward <YOUR-GATEWAY-POD> 8080:8080 and open http://localhost:8080.
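The kubectl steps above substitute the registry, write the root user into settings.yaml and paste the TLS material with hand-written sed commands. The shell helpers below are an added example, not part of the Styra On-Premises bundle, that do the same work with the escaping and checks a practitioner would want: every REPOSITORY_URL occurrence is rewritten (the page's sed touches only the first per line), no placeholder is left behind before kubectl apply, the root user's e-mail and password are JSON-escaped and sed-escaped, and the TLS key is base64-encoded for a Secret's data: field. The file names and the placeholder are the page's; the function names, the constructed manifest and the fake PEM are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Styra On-Premises bundle: helpers for the
# kubectl install above. File names (on-premises.yaml, settings.yaml,
# gateway_tls_*.pem) and the REPOSITORY_URL placeholder are the page's;
# the function names are this example's own.
set -eu

# Rewrite every REPOSITORY_URL placeholder in one manifest, in place.
# '|' is the sed delimiter so a registry path containing '/' works, and
# the g flag rewrites every occurrence on a line (the page's one-liner
# rewrites only the first on each line).
render_repo() {            # render_repo <repository-url> <manifest>
  esc=$(printf '%s' "$1" | sed 's/[|&\\]/\\&/g')
  tmp=$(mktemp "${TMPDIR:-/tmp}/render.XXXXXXXXXX")
  sed -e "s|REPOSITORY_URL|$esc|g" "$2" > "$tmp" && mv "$tmp" "$2"
}

# Return 1 (and list the files) if any manifest still has the placeholder,
# which would otherwise surface only as ImagePullBackOff after apply.
check_rendered() {         # check_rendered <manifest>...
  if grep -l 'REPOSITORY_URL' "$@"; then return 1; fi
  return 0
}

# The config.json value the page's step 7 writes into settings.yaml, with
# '"' and '\' in the e-mail or password JSON-escaped. The password is still
# stored in plain text, exactly as on the page, so rotate it after login.
root_user_json() {         # root_user_json <email> <password>
  u=$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')
  p=$(printf '%s' "$2" | sed 's/[\\"]/\\&/g')
  printf '{"tenants": {"default": {"root_users": {"%s": {"encrypted_password": "", "password": "%s"}}}}}' "$u" "$p"
}

# Replace the config.json line in settings.yaml as the page's sed does, but
# with the JSON escaped for sed as well. A single quote in the password is
# still unsupported: the YAML value is single-quoted, as on the page.
set_root_user() {          # set_root_user <settings.yaml> <email> <password>
  json=$(root_user_json "$2" "$3" | sed 's/[|&\\]/\\&/g')
  tmp=$(mktemp "${TMPDIR:-/tmp}/settings.XXXXXXXXXX")
  sed -e "s|^.*config\.json.*$|  config.json: '$json'|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Cheap sanity check before pasting: the file has the expected PEM markers.
pem_looks_valid() {        # pem_looks_valid <file> <CERTIFICATE | PRIVATE KEY>
  grep -q -- "-----BEGIN .*$2-----" "$1" && grep -q -- "-----END .*$2-----" "$1"
}

# Secret entry for the private key. Under a Secret's "data:" the value must
# be base64 on one line; a literal PEM block only works under "stringData:".
tls_secret_data() {        # tls_secret_data <key.pem>
  pem_looks_valid "$1" "PRIVATE KEY" || return 1
  printf '  gateway_tls_private_key.pem: %s\n' "$(base64 < "$1" | tr -d '\n')"
}

# ConfigMap entry for the certificate: the PEM verbatim, indented under the key.
tls_configmap_data() {     # tls_configmap_data <cert.pem>
  pem_looks_valid "$1" CERTIFICATE || return 1
  printf '  gateway_tls_cert.pem: |\n'
  sed 's/^/    /' "$1"
}

# Demo on constructed input (a placeholder manifest and a fake PEM; no real key).
demo() {
  d=$(mktemp -d "${TMPDIR:-/tmp}/styra-demo.XXXXXXXXXX")
  printf 'image: REPOSITORY_URL/styra/gateway:latest\n' > "$d/on-premises.yaml"
  render_repo 123456789012.dkr.ecr.us-west-2.amazonaws.com "$d/on-premises.yaml"
  check_rendered "$d/on-premises.yaml"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' '-----END CERTIFICATE-----' > "$d/cert.pem"
  tls_configmap_data "$d/cert.pem"
  rm -rf "$d"
}
demo
```

Run check_rendered over on-premises.yaml, gateway-tls/deployment.yaml and the elastic/ and postgres/ files right before the kubectl apply loop; a leftover placeholder is far cheaper to catch there than as a failed pull in the cluster.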

Using Helm

The supported Helm versions are Helm v2.16.1 and Helm v3.

Use the following instructions to install Styra DAS with helm and configure the Kubernetes resources:

  1. Navigate to the charts directory with cd charts.

  2. Edit the values file with vi styra-das/values.yaml. The chart's values.yaml documents each value (see the Helm Values reference below).

  3. Update the values.

    • email.from_address: "Your-Email"
    • global.repo: $REPOSITORY_URL
    • service.loadbalancerip: "LoadBalancerIP"
    • smtp.username: "username"
    • smtp.password: "password"
    • ingress.url: http://<YOUR LoadBalancer IP ADDRESS>
  4. (Optional) Update the values.

    • (Optional) If you want to use managed services of Postgres and Elasticsearch update the values as per the instructions in the values.yaml.

    • (Optional) Similarly, you can configure s3_decision_streaming, root_user credentials, oidc configuration as per the instructions present under respective sections.

  5. (Optional) Configure TLS to enable secure HTTPS communication between the cluster ingress and the Styra gateway-secure service.

    • Change the value of global.tls.enable to true in values.yaml.

    • Create the tls directory under styra-das/ with mkdir -p styra-das/tls command.

    • Copy your tls key and certificate files (with the names gateway_tls_cert.pem and gateway_tls_private_key.pem) into the tls/ directory by using the following commands.

      cp <path-to-ssl-cert> styra-das/tls/gateway_tls_cert.pem

      cp <path-to-ssl-key> styra-das/tls/gateway_tls_private_key.pem

  6. (Optional) Configure TLS to enable secure HTTPS communication between the Elasticsearch service and the Styra DAS Elasticsearch clients (the agentloader and analysis-api services).

    • Change the value of elasticsearch.load_custom_ca to true in values.yaml.

    • Create the tls-ca directory under styra-das/ with mkdir -p styra-das/tls-ca.

    • Copy your custom Certificate Authority (CA) certificate into that directory under the name ca-cert-es.pem: cp <path-to-tls-ca-file> styra-das/tls-ca/ca-cert-es.pem.

  7. Install the charts directory with helm install styra-das styra-das/ command.

tip

Storing hardcoded secrets in values.yaml can be avoided by passing the values as arguments when installing the Helm chart. For example, the email and password of the root_user can be set from environment variables. Note that --set still exposes the value in the shell history and in the process arguments that ps shows, and that Helm keeps the supplied values in the release record, where helm get values styra-das returns them.

export PASSWORD="top-secret"
helm install styra-das styra-das/ --set root_user.email=admin@example.com --set root_user.password=$PASSWORD
  8. Wait until all of the pods are in the Running state. To check the status of the pods, run kubectl get pods.

  9. Point your browser to http://<YOUR LoadBalancer IP ADDRESS>. On EKS the LoadBalancer service is assigned a DNS hostname rather than an IP; kubectl get svc shows it in the EXTERNAL-IP column.

  10. Reset the password for your email address (from_email_address:) by using the Forgot Password flow.
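The tip above moves the root password out of values.yaml, but --set still places it in the shell history and in the process arguments visible to ps. An alternative, added here as an example and not part of the Styra chart, is a values file that only the current user can read, passed with -f. The keys written (root_user.email, root_user.password, smtp.password) are the chart's, as listed in the Helm Values reference; the file name, the environment variable names and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Styra chart: keep the root_user and SMTP
# secrets out of values.yaml, shell history and "ps" output by writing them
# to a values file only the current user can read and passing it with
# "helm install -f". The value keys are the chart's (Helm Values reference);
# ROOT_USER_EMAIL, ROOT_USER_PWD, SMTP_PASSWORD and the function names are
# this example's own.
set -eu

# YAML double-quoted scalar: escapes backslash and double quote so any
# password survives YAML parsing unchanged.
yq_str() { printf '"%s"' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')"; }

# write_secret_values <path>: reads ROOT_USER_EMAIL, ROOT_USER_PWD and
# SMTP_PASSWORD from the shell environment, so they never appear as command
# arguments. The subshell body keeps the restrictive umask from leaking into
# the caller; the file is created 0600 from the start, no chmod race.
write_secret_values() (
  umask 077
  cat > "$1" <<EOF
root_user:
  email: $(yq_str "$ROOT_USER_EMAIL")
  password: $(yq_str "$ROOT_USER_PWD")
smtp:
  password: $(yq_str "$SMTP_PASSWORD")
EOF
)

# Permission string as ls prints it (portable across GNU and BSD userland).
file_mode() { ls -ld "$1" | cut -c1-10; }

# The install command: secrets come only from the values file, so nothing
# sensitive is on the command line. Public values stay in values.yaml.
helm_install_cmd() { printf 'helm install styra-das styra-das/ -f %s\n' "$1"; }

# Demo on constructed values (no real credentials).
d=$(mktemp -d "${TMPDIR:-/tmp}/styra-helm.XXXXXXXXXX")
ROOT_USER_EMAIL=admin@example.com; ROOT_USER_PWD='p"ss\word'; SMTP_PASSWORD=app-pass
write_secret_values "$d/secrets.yaml"
file_mode "$d/secrets.yaml"          # -rw-------
helm_install_cmd "$d/secrets.yaml"
rm -rf "$d"
```

Delete the file once the release is installed. Helm 3 stores the supplied values in a release Secret in the namespace, and helm get values styra-das prints them back, so RBAC on that namespace is what protects the secrets from then on.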

Reference

Helm Values

The following shows the description of the values that can be configured in values.yaml in the Helm chart for Styra DAS. The db_url, db_username and db_password shown under postgres are the sample defaults for the bundled Postgres (note the sslmode=disable in the sample URL); replace them before any real deployment, and for RDS keep the connection on TLS.

# smtp: Configures the SMTP server settings. If SMTP is not used, then
# you must leave "serveraddress" blank ("")
smtp:
  serveraddress: smtp.gmail.com:587
  username: ""
  password: ""

# email.from_address: The user for the SMTP server and also the default
# admin user created on installation.
#
# If you have SMTP configured, then you can use the "Forgot Password"
# flow to reset the password and login.
# If SMTP is not configured, then you must set the "root_user" with a
# valid login created during installation.
email:
  from_address: support@styra.com

# cluster: For future use. Leave this as "gke" for now.
cluster: gke
# gke.loadbalancerip: Defines the public IP that is used to configure
# the Styra public gateway.
gke:
  loadbalancerip: <YOUR GKE IP ADDRESS>
# ingress.url: URL for the ingress.
ingress:
  url: http://styra.customer.com

postgres:
  # postgres.enabled: Set to false, if managed RDS is used.
  enabled: true
  db_url: "postgres://postgres/postgresdb?sslmode=disable"
  db_username: "postgresadmin"
  db_password: "admin123"

elasticsearch:
  # elasticsearch.enabled: Set to false, if managed Elasticsearch
  # is used.
  enabled: true
  # elasticsearch.url: Set the Elasticsearch URL if you are using
  # managed ES; otherwise, leave it unchanged.
  # Only effective if "enabled: false".
  url: ""
  # elasticsearch.username and password enable authentication.
  # The enabled flag doesn't affect either of them.
  username: ""
  password: ""

aws:
  access_key_id: ""
  secret_access_key: ""
  region: ""

# s3_decision_streaming: S3 settings for streaming decisions.
s3_decision_streaming:
  s3_url: ""
  s3_region: ""
  s3_access_key: ""
  s3_secret_access_key_id: ""

# root_user: Defines a root user which will be created by default as
# admin. Must be set if SMTP is not configured.
# If SMTP is configured, this can be left blank.
root_user:
  # root_user.email: Email address of the root user.
  email: ""
  password: ""

# oidc fields configure the OIDC provider provisioned and enabled.
# oidc.issuer_url is the OIDC issuer URL provided by the provider. For
# example, "https://oidc.customer.com".
# oidc.client_id and client_secret are the credentials provided by the
# provider.
# oidc.allowed_domain is the domain for allowed user accounts, e.g.,
# "customer.com".
# oidc.scopes is the OIDC scopes requested from the provider. The
# value is an array of strings. If an empty array is provided, then the
# default ["openid", "profile", "email"] is used.
oidc:
  id: "OIDC"
  issuer_url: ""
  client_id: ""
  client_secret: ""
  allowed_domain: ""
  scopes: []

# global.repo: Docker image repository URL
global:
  repo: REPOSITORY_URL
  # TLS configuration to enable secure HTTPS communication between the cluster
  # ingress and the Styra `gateway-secure` service.
  # Set "enable: true", and
  # create the `tls` directory under `charts/styra-das/` using the following command.
  # mkdir -p charts/styra-das/tls
  # Copy your tls key and certificate files into the `tls/` directory.
  # cp <path-to-ssl-cert> tls/tls_cert.pem
  # cp <path-to-ssl-key> tls/tls_private_key.pem
  tls:
    enable: false
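The comments in values.yaml above state several rules that Helm itself will not enforce: a blank smtp.serveraddress requires a root_user, postgres.enabled: false requires postgres.db_url, and managed Elasticsearch requires elasticsearch.url and (from the Elasticsearch step of the kubectl procedure) the AWS region, with access keys set in pairs. The preflight lint below, added here as an example and not part of the Styra chart, checks those rules before helm install runs. It understands only the two-level "section:" / "  key: value" layout shown in the reference; the function names and the constructed values files are this example's own.

```shell
#!/bin/sh
# Added example, not the chart's own tooling: a preflight lint for the
# values.yaml above, encoding the rules its comments state:
#   - smtp.serveraddress blank     -> root_user.email and password required
#   - postgres.enabled false       -> postgres.db_url required (managed RDS)
#   - elasticsearch.enabled false  -> elasticsearch.url and aws.region required
#   - aws.access_key_id and aws.secret_access_key must be set together
# Handles only the two-level "section:" / "  key: value" layout shown in the
# reference; function names are this example's own.
set -eu

# value <file> <section> <key>: print the scalar with surrounding double
# quotes and any trailing comment removed (empty if unset or "").
value() {
  awk -v s="$2" -v k="$3" '
    /^[^ #][^:]*:/ { sec = $1; sub(/:$/, "", sec); next }
    /^  [^ #][^:]*:/ && sec == s {
      key = $1; sub(/:$/, "", key)
      if (key == k) {
        v = $0; sub(/^ *[^:]*: */, "", v); sub(/ *#.*$/, "", v)
        gsub(/^"|"$/, "", v); print v; exit
      }
    }' "$1"
}

# lint_values <values.yaml>: print one line per problem; return 1 if any.
lint_values() {
  f=$1; bad=0
  if [ -z "$(value "$f" smtp serveraddress)" ] &&
     { [ -z "$(value "$f" root_user email)" ] || [ -z "$(value "$f" root_user password)" ]; }; then
    echo "smtp.serveraddress is blank, so root_user.email and root_user.password are required"; bad=1
  fi
  if [ "$(value "$f" postgres enabled)" = false ] && [ -z "$(value "$f" postgres db_url)" ]; then
    echo "postgres.enabled is false, so postgres.db_url must point at the RDS instance"; bad=1
  fi
  if [ "$(value "$f" elasticsearch enabled)" = false ]; then
    [ -n "$(value "$f" elasticsearch url)" ] || { echo "elasticsearch.enabled is false, so elasticsearch.url (the VPC endpoint) is required"; bad=1; }
    [ -n "$(value "$f" aws region)" ] || { echo "elasticsearch.enabled is false, so aws.region is required"; bad=1; }
  fi
  id=$(value "$f" aws access_key_id); key=$(value "$f" aws secret_access_key)
  if { [ -n "$id" ] && [ -z "$key" ]; } || { [ -z "$id" ] && [ -n "$key" ]; }; then
    echo "aws.access_key_id and aws.secret_access_key must be set together"; bad=1
  fi
  return $bad
}

# Demo on a constructed values file that breaks every rule.
d=$(mktemp -d "${TMPDIR:-/tmp}/styra-lint.XXXXXXXXXX")
cat > "$d/bad.yaml" <<'EOF'
smtp:
  serveraddress: ""
root_user:
  email: ""
  password: ""
postgres:
  enabled: false
  db_url: ""
elasticsearch:
  enabled: false
  url: ""
aws:
  access_key_id: "AKIA-constructed"   # half a credential
  secret_access_key: ""
  region: ""
EOF
lint_values "$d/bad.yaml" || echo "lint failed as expected"
rm -rf "$d"
```

Run it as lint_values styra-das/values.yaml before helm install; it exits non-zero with one line per violated rule and stays silent when the file is consistent.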