2.3 Deploying Advanced Authentication on Amazon Web Services

This section contains details about how to deploy Advanced Authentication on Amazon Web Services (AWS) using Kubernetes. You can deploy Advanced Authentication containers into Kubernetes clusters by using the Helm charts.

NOTE: The procedures in this section assume that you know the basics of how containers work.

2.3.1 Prerequisites

In addition to the system requirements of the Advanced Authentication appliance, ensure that you have completed the following tasks:

  • Created an administrative account on Amazon Elastic Container Service for Kubernetes (Amazon EKS).

  • Configured an Amazon EKS cluster.

    For more information about how to configure an Amazon EKS cluster, see Getting Started with Amazon EKS.

  • Set the disk volume limit to 13 for the Amazon instance (VM) type.

  • Installed kubectl and configured it to work with the Amazon EKS.

    For more information about installing and configuring kubectl, see install kubectl and configure kubectl.

2.3.2 Deployment Procedure

  1. Download the aaf-<version>-helm-chart.zip file from NetIQ Downloads.

  2. Unpack the zip file. It contains the aaf-<version>.tgz tar file.

  3. Run the following command to unpack the tar file:

    tar zxvf aaf-<version>.tgz

  4. Run the following command to deploy an Advanced Authentication instance into the cluster:

    helm install --namespace <name_of_kubernetes_namespace> --name=<helm_chart_release_name> --set lb.enabled=true <path_of_helm_chart>

    where lb represents the load balancer.

    For example,

    helm install --namespace aaf-test --name=aaf-test-1 --set lb.enabled=true ./aaf/

    NOTE: You can deploy a single instance for testing purposes, but for a production environment it is highly recommended to create a cluster with multiple instances of the server.

  5. Run the following command to get the IP address that is assigned to the Advanced Authentication instance in the cluster:

    kubectl -n aaf-test get svc | grep LoadBalancer

NOTE: The Configuration Portal (port 9443) is not available in the Kubernetes environment. The Managing the Appliance section applies only to the appliance.

Sample Deployment

This sample describes the prerequisites and the step-by-step procedure to deploy an Advanced Authentication instance on AWS with a minimum configuration.

Before deployment, ensure that you have performed the following tasks:

  1. Install AWS IAM authentication. For more information, see Installing AWS IAM Authenticator.

  2. Install AWS CLI. For more information, see Installing AWS CLI.

  3. Configure AWS CLI credentials. For more information, see Configuring AWS CLI.

  4. Install eksctl. For more information, see the Install eksctl section in Getting Started with eksctl.

Perform the following steps to deploy Advanced Authentication on AWS with a basic configuration:

  1. Run the following command to create a cluster:

    eksctl create cluster --name prod --version 1.13 --nodegroup-name standard-workers --node-type t3.large --node-volume-size 80 --nodes 2 --nodes-min 2 --nodes-max 2 --node-ami auto --zones us-east-1a,us-east-1b

  2. Run the following command to install Tiller on your cluster:

    helm init

  3. Configure a cluster role binding for a particular group to grant users with that role access to the Advanced Authentication instance on AWS.

    For more information, see Role-based access control.

    WARNING: The following policy allows ALL service accounts to act as cluster administrators. Any application running in a container receives service account credentials automatically and could perform any action against the API, including viewing secrets and modifying permissions. This policy is not recommended for a production environment.

    kubectl create clusterrolebinding cluster-admin-default --clusterrole=cluster-admin --user=system:serviceaccount:kube-system:default

  4. Run the following command to deploy an Advanced Authentication instance into the cluster:

    helm install --namespace aaf-test --name=aaf-test-1 --set lb.enabled=true ./aaf_62/
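The cluster-admin binding in step 3 of the sample deployment is the quick path for a test cluster; the production-shaped alternative is a namespace-scoped Role bound to one dedicated ServiceAccount. The manifest below is an added example, not part of the NetIQ Helm chart or this guide, and assumes a hypothetical service account named aaf in the aaf-test namespace whose pods only need to read objects in their own namespace; how the release's pods are pointed at that service account depends on the chart's values, which are not shown here.

```yaml
# Added example (not from the NetIQ chart): least-privilege replacement for
# "kubectl create clusterrolebinding cluster-admin-default --clusterrole=cluster-admin ..."
# Assumptions (hypothetical): the release's pods run as ServiceAccount "aaf"
# in namespace "aaf-test" and need only read access within that namespace.
# Adjust resources and verbs to what the release actually requires.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aaf
  namespace: aaf-test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                               # Role, not ClusterRole: limited to one namespace
metadata:
  name: aaf-reader
  namespace: aaf-test
rules:
- apiGroups: [""]
  resources: ["configmaps", "services", "endpoints", "pods"]
  verbs: ["get", "list", "watch"]        # read-only; no create/update/delete
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["aaf-test-1-tls"]      # hypothetical: list only the Secrets the release reads
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                        # binds a single ServiceAccount, not every service account
metadata:
  name: aaf-reader
  namespace: aaf-test
subjects:
- kind: ServiceAccount
  name: aaf
  namespace: aaf-test
roleRef:
  kind: Role
  name: aaf-reader
  apiGroup: rbac.authorization.k8s.io
```

Apply it with kubectl apply -f and remove the test-only binding with kubectl delete clusterrolebinding cluster-admin-default. Verify the resulting scope with kubectl auth can-i delete secrets -n aaf-test --as=system:serviceaccount:aaf-test:aaf, which should answer no.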