# Cloud Specific Details

## Prerequisites

### Provision Enabling Systems

For quick deployment, mainly for development and testing purposes, you may wish to use cloud marketplaces, managed providers or Rierino playbooks for enabling systems:

{% tabs %}
{% tab title="AWS" %}
{% embed url="https://aws.amazon.com/marketplace/pp/B01M1EBY7B" %}
MongoDB
{% endembed %}

For this MongoDB package, configuration updates and restart details can be found on the vendor [site](https://docs.bitnami.com/aws/infrastructure/mean/administration/change-reset-password/).

{% embed url="https://aws.amazon.com/marketplace/pp/B01K0IWPVI" %}
Kafka
{% endembed %}

{% embed url="https://aws.amazon.com/marketplace/pp/prodview-5bryl7uliw4eu" %}
Keycloak
{% endembed %}

{% hint style="info" %}
If you will be using Keycloak over plain HTTP for development / testing purposes, you may need to open the port on the local firewall (e.g. `sudo ufw allow 8080/tcp`) and set the "Require SSL" option to false on the master realm.
{% endhint %}

{% embed url="https://aws.amazon.com/marketplace/pp/prodview-ykiljbiw3x2jq" %}
Elasticsearch
{% endembed %}
{% endtab %}

{% tab title="GCP" %}
{% embed url="https://console.cloud.google.com/marketplace/product/click-to-deploy-images/mongodb" %}
MongoDB
{% endembed %}

{% embed url="https://console.cloud.google.com/marketplace/product/bitnami-launchpad/kafka-cluster" %}
Kafka
{% endembed %}

{% embed url="https://console.cloud.google.com/marketplace/product/google/keycloak18" %}
Keycloak
{% endembed %}
{% endtab %}

{% tab title="Managed Service" %}
{% embed url="https://www.mongodb.com/atlas/database" %}
MongoDB
{% endembed %}

{% embed url="https://www.confluent.io/confluent-cloud/" %}
Kafka
{% endembed %}

{% embed url="https://www.cloud-iam.com/" %}
Keycloak
{% endembed %}
{% endtab %}

{% tab title="Rierino Playbook" %}
{% embed url="https://github.com/rierino-open/deployment/blob/main/ansible/playbooks/data/mongodb-install.yml" %}
MongoDB
{% endembed %}

{% embed url="https://github.com/rierino-open/deployment/blob/main/ansible/playbooks/data/kafka-install.yml" %}
Kafka
{% endembed %}

{% embed url="https://github.com/rierino-open/deployment/blob/main/ansible/playbooks/service/keycloak-install.yml" %}
Keycloak
{% endembed %}
{% endtab %}
{% endtabs %}

### Set-up Initial Deployment Host

Ansible playbooks require access to the VM inventory as well as the Kubernetes cluster from the initial deployment host, so certain collections and tools must be installed on that host first:

{% tabs %}
{% tab title="AWS" %}
{% embed url="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" %}
AWS CLI Installation
{% endembed %}

```sh
ansible-galaxy collection install amazon.aws community.aws
```

Set-up environment variables used by Ansible and AWS tools:

```sh
export KUBECONFIG=[kubeconfig file path]
export K8S_AUTH_KUBECONFIG=[same as KUBECONFIG]
export AWS_REGION=[AWS deployment region]
export AWS_ACCESS_KEY_ID=[AWS access key id]
export AWS_SECRET_KEY=[AWS secret key]
export AWS_SECRET_ACCESS_KEY=[same as AWS_SECRET_KEY]
```

{% hint style="info" %}
If you are using WSL for initial deployment and receive a credentials error even though your AWS credentials are valid, your instance's clock may be out of sync with Amazon servers.

You may use a command such as `sudo hwclock -s` for synchronization.
{% endhint %}

{% hint style="warning" %}
As a best practice, it is recommended not to use the AWS account root user's credentials for these environment variables, which are used during deployment.
{% endhint %}
{% endtab %}

{% tab title="GCP" %}

{% embed url="https://cloud.google.com/sdk/docs/downloads-interactive" %}
gcloud Installation
{% endembed %}

```sh
pip install google-auth
ansible-galaxy collection install google.cloud
gcloud components install gke-gcloud-auth-plugin
```

Set-up environment variables used by Ansible and GCP tools:

```sh
export KUBECONFIG=[kubeconfig file path]
export K8S_AUTH_KUBECONFIG=[same as KUBECONFIG]
export GCP_PROJECT=[GCP deployment project]
export GCP_REGION=[GCP deployment region]
export GOOGLE_APPLICATION_CREDENTIALS=[GCP service account json file path]
```

With GCP, authentication uses a service account key file, whose path is passed as a parameter (GOOGLE_APPLICATION_CREDENTIALS).

{% hint style="info" %}
If you are using WSL for initial deployment and receive a credentials error even though your GCP credentials are valid, your instance's clock may be out of sync with Google servers.

You may use a command such as `sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"` for synchronization.
{% endhint %}
{% endtab %}
{% endtabs %}
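Before running a playbook it is worth confirming that the variables above are all set and consistent, and that the AWS credentials in use are not the account root user's. The following script is an added example, not part of the Rierino deployment repository: the variable names are the documented ones, while the function names and the sample values in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Rierino deployment repository): sanity-check the
# variables from the AWS and GCP tabs above before running ansible-playbook.
# Variable names are the documented ones; function names and sample values
# in the usage comment are assumptions of this example.

# Return 0 if an STS caller ARN (from `aws sts get-caller-identity --query Arn
# --output text`) is the account root user the warning above says not to use.
is_root_arn() {
  case "$1" in
    arn:aws:iam::*:root) return 0 ;;
    *) return 1 ;;
  esac
}

# check_deploy_env aws|gcp: print one line per problem, return the count (0 = OK)
check_deploy_env() {
  problems=0
  case "$1" in
    aws) required="KUBECONFIG K8S_AUTH_KUBECONFIG AWS_REGION AWS_ACCESS_KEY_ID AWS_SECRET_KEY AWS_SECRET_ACCESS_KEY"
         files="KUBECONFIG" ;;
    gcp) required="KUBECONFIG K8S_AUTH_KUBECONFIG GCP_PROJECT GCP_REGION GOOGLE_APPLICATION_CREDENTIALS"
         files="KUBECONFIG GOOGLE_APPLICATION_CREDENTIALS" ;;
    *)   echo "unknown cloud: $1"; return 1 ;;
  esac
  for v in $required; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then echo "missing: $v"; problems=$((problems + 1)); fi
  done
  # kubeconfig and the GCP service account json must be readable files
  for v in $files; do
    eval "val=\${$v:-}"
    if [ -n "$val" ] && [ ! -r "$val" ]; then
      echo "not readable: $v=$val"; problems=$((problems + 1))
    fi
  done
  # the tabs above require these pairs to carry the same value
  if [ "${KUBECONFIG:-}" != "${K8S_AUTH_KUBECONFIG:-}" ]; then
    echo "mismatch: K8S_AUTH_KUBECONFIG must equal KUBECONFIG"; problems=$((problems + 1))
  fi
  if [ "$1" = aws ] && [ "${AWS_SECRET_KEY:-}" != "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "mismatch: AWS_SECRET_ACCESS_KEY must equal AWS_SECRET_KEY"; problems=$((problems + 1))
  fi
  return $problems
}

# Typical use before an AWS deployment (commented out; not run when sourced):
#   check_deploy_env aws || exit 1
#   is_root_arn "$(aws sts get-caller-identity --query Arn --output text)" \
#     && { echo "refusing to deploy with account root credentials"; exit 1; }
```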

### Provision a Kubernetes Cluster

{% tabs %}
{% tab title="AWS" %}
{% hint style="warning" %}
Note that for AWS installations, you may need to manually update the kubeconfig file contents output from the "terraform apply" step, setting the authentication apiVersion to "v1beta1", if you are receiving an "invalid apiVersion client.authentication.k8s.io/v1alpha1" error.

This is due to a compatibility bug between the AWS CLI and recent helm/kubectl versions.
{% endhint %}

It is possible to deploy the Rierino platform in any AWS region that has EKS and ELB availability. For the latest list of regions supported for these services, please refer to the [AWS availability listing](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).
{% endtab %}

{% tab title="GCP" %}
For GCP deployments on a new project, you will need to enable the "Compute Engine API" and "Kubernetes Engine API" for the project first.

{% embed url="https://console.cloud.google.com/marketplace/details/google/compute.googleapis.com" %}
Compute Engine API
{% endembed %}

{% embed url="https://console.cloud.google.com/marketplace/details/google/container.googleapis.com" %}
Kubernetes Engine API
{% endembed %}
{% endtab %}
{% endtabs %}

### Configure Network Connectivity

{% tabs %}
{% tab title="AWS" %}
You can use security groups to configure connectivity between the Kubernetes cluster and the enabling systems (for example, one group allowing ingress from all sources within the group itself, and another granting access to static admin IPs).

{% embed url="https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html" %}
Amazon Security Groups
{% endembed %}

You can issue SSL certificates for your domain using ACM.

{% embed url="https://aws.amazon.com/certificate-manager/" %}
AWS Certificate Manager
{% endembed %}

You can reserve static IPs and assign them to external facing load balancers.

{% embed url="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html" %}
Amazon Elastic IPs
{% endembed %}

You can map your static IPs to DNS records.

{% embed url="https://aws.amazon.com/route53/" %}
Amazon Route 53
{% endembed %}
{% endtab %}

{% tab title="GCP" %}
You can use network tags and configure firewall rules that accept them as source / target to configure connectivity between the Kubernetes cluster and the enabling systems, in addition to static admin IPs.

{% embed url="https://cloud.google.com/vpc/docs/using-firewalls" %}
Google Cloud Firewall Rules
{% endembed %}

You can issue SSL certificates for your domain using Google Cloud Certificate Manager.

{% embed url="https://cloud.google.com/certificate-manager/docs" %}
Google Cloud Certificate Manager
{% endembed %}

You can reserve static IPs and assign them to external facing load balancers.

{% embed url="https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address" %}
Google Static Public IP
{% endembed %}

You can map your static IPs to DNS records.

{% embed url="https://cloud.google.com/kubernetes-engine/docs/tutorials/configuring-domain-name-static-ip#configuring_your_domain_name_records" %}
{% endtab %}
{% endtabs %}
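The two rule sets described in the AWS and GCP tabs above (one self-referencing rule for traffic inside the cluster group or tag, one rule admitting only fixed admin addresses on a single port) can be expressed directly with each cloud's CLI. The script below is an added example, not part of the Rierino deployment repository; the group ids, tag and network names, ports and admin addresses are placeholders, and the DRY_RUN switch is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the Rierino deployment repository): the two rule sets
# described in the AWS and GCP tabs above, issued through each cloud's own CLI.
# Group ids, tag and network names and the admin addresses are placeholders;
# with DRY_RUN=1 the commands are printed instead of executed, so the rules
# can be reviewed before anything is changed.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Turn a bare IPv4 address into a /32 so exactly one host is allowed, not a range.
as_cidr() { case "$1" in */*) echo "$1" ;; *) echo "$1/32" ;; esac; }

# AWS: members of the group may reach each other on any port (self-referencing rule).
aws_allow_intra_group() {   # $1 = security group id
  run aws ec2 authorize-security-group-ingress --group-id "$1" \
      --ip-permissions "IpProtocol=-1,UserIdGroupPairs=[{GroupId=$1}]"
}

# AWS: a fixed list of admin addresses may reach one TCP port of the group.
aws_allow_admin_ips() {     # $1 = security group id, $2 = port, $3.. = admin IPs
  sg=$1; port=$2; shift 2
  for ip in "$@"; do
    run aws ec2 authorize-security-group-ingress --group-id "$sg" --ip-permissions \
        "IpProtocol=tcp,FromPort=$port,ToPort=$port,IpRanges=[{CidrIp=$(as_cidr "$ip")}]"
  done
}

# GCP: instances carrying the tag may reach each other on any port.
gcp_allow_intra_tag() {     # $1 = network, $2 = tag
  run gcloud compute firewall-rules create "$2-internal" --network "$1" \
      --allow all --source-tags "$2" --target-tags "$2"
}

# GCP: admin addresses may reach one TCP port on instances carrying the tag.
gcp_allow_admin_ips() {     # $1 = network, $2 = tag, $3 = port, $4.. = admin IPs
  net=$1; tag=$2; port=$3; shift 3
  ranges=""
  for ip in "$@"; do ranges="${ranges:+$ranges,}$(as_cidr "$ip")"; done
  run gcloud compute firewall-rules create "$tag-admin" --network "$net" \
      --allow "tcp:$port" --source-ranges "$ranges" --target-tags "$tag"
}

# Review first, then apply (constructed sample values; commented out):
#   export DRY_RUN=1
#   aws_allow_admin_ips sg-0123456789abcdef0 443 203.0.113.5 198.51.100.0/24
#   gcp_allow_intra_tag rierino-vpc rierino-node
```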

## Deployments

### Load Balancer Variables

{% tabs %}
{% tab title="AWS" %}
For ansible-playbook deployments including external facing load balancers (admin gateway and admin UI), include the following variables for static IP and certificate assignments:

| Variable     | Definition                                                                     | Default |
| ------------ | ------------------------------------------------------------------------------ | ------- |
| awsACMARN    | ARN of the ACM certificate (if a certificate is used)                          | -       |
| awsLBSubnets | List of subnets on which static IPs shall be assigned (if a static IP is used) | -       |
{% endtab %}
{% endtabs %}
