2.3 Deploying Advanced Authentication on Amazon Web Services

NOTE:Only deployment on an Amazon EKS cluster is officially supported for Advanced Authentication on AWS. Deployment on EC2, Fargate, or ECS is not supported. EKS manages high availability, data replication, and auto-scaling, and it requires less manual intervention than the other deployment methods.

This section contains details about how to deploy Advanced Authentication on Amazon Web Services (AWS) using Kubernetes. You can deploy Advanced Authentication containers into Kubernetes clusters by using the Helm charts.

NOTE:The procedures in this section assume that you know the basics of how containers work.

NOTE:The Risk Service is not supported when Advanced Authentication is deployed on a public cloud.

2.3.1 Prerequisites

In addition to the system requirements of the Advanced Authentication appliance, ensure that you have completed the following tasks:

  • Created an account with administrative permissions for Amazon Elastic Kubernetes Service (Amazon EKS).

  • Configured an Amazon EKS cluster.

    For more information about how to configure an Amazon EKS cluster, see Getting Started with Amazon EKS.

  • Set the node type to t3.large and the node volume size to 60 GB (the sample deployment below uses 80 GB).

  • Installed kubectl and configured it to work with your Amazon EKS cluster.

    For more information about installing and configuring kubectl, see install kubectl and configure kubectl.

2.3.2 Deployment Procedure

  1. Download the aaf-<version>-helm-chart.zip file from Software Licenses and Downloads portal.

  2. Unpack the zip file. It contains the aaf-<version>.tgz tar archive.

  3. Run the following command to unpack the tar file:

    tar zxvf aaf-<version>.tgz

  4. Run one of the following commands, depending on your Helm version, to deploy three Advanced Authentication instances into the cluster:

    • For Helm v2 (which passes the release name through the --name flag; Helm v3 removed that flag) and kubectl v1.19.6 or earlier:

      helm install --namespace <kubernetes_namespace> --name=<helm_chart_release_name> --set lb.enabled=true <path_of_helm_chart>

      For example,

      helm install --namespace aaf-test --name=aaf-test-1 --set lb.enabled=true ./aaf/

    • For helm v3.4.0 and kubectl v1.20.1 or later versions:

      helm install --create-namespace --namespace <kubernetes_namespace> <helm_chart_release_name> --set lb.enabled=true <path_of_helm_chart>

      where lb.enabled=true tells the chart to expose each instance through a load balancer (lb) service.

      For example,

      helm install --create-namespace --namespace aaf-test aaf-test-1 --set lb.enabled=true ./aaf/

    NOTE:You can deploy a single instance for testing purposes, but for a production environment it is highly recommended to create a cluster with multiple instances of the server.

  5. Run the following command to get the external address (on AWS, an Elastic Load Balancing hostname) assigned to each Advanced Authentication instance in the cluster:

    kubectl -n aaf-test get svc | grep LoadBalancer

NOTE:The Configuration Portal (port 9443) is not available in the Kubernetes environment. The Managing the Appliance section applies only to the appliance.
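As an added example (not part of the Advanced Authentication documentation or its Helm chart), the following POSIX shell script builds the helm install command that matches the installed Helm major version and reads the external addresses of the LoadBalancer services created by lb.enabled=true from the output of the svc query in step 5. The service names, ports and ELB hostname in the sample kubectl output are constructed for this example; the namespace, release name and chart path follow the page's example.

```shell
#!/bin/sh
# Added example, not from the Advanced Authentication documentation or chart.
# Helm 2 takes the release name through --name; Helm 3 takes it as a positional
# argument and (from 3.2) can create the namespace with --create-namespace.
# Usage: helm_install_cmd MAJOR NAMESPACE RELEASE CHART_PATH
helm_install_cmd() {
    major=$1; ns=$2; release=$3; chart=$4
    case "$major" in
        2) printf 'helm install --namespace %s --name=%s --set lb.enabled=true %s\n' "$ns" "$release" "$chart" ;;
        3) printf 'helm install --create-namespace --namespace %s %s --set lb.enabled=true %s\n' "$ns" "$release" "$chart" ;;
        *) echo "unsupported Helm major version: $major" >&2; return 1 ;;
    esac
}

# helm_major: extract the major version from the text printed by
# `helm version --short`, e.g. "v3.4.0+g7090a89" (Helm 3) or
# "Client: v2.16.1+gbbdfe5e" followed by a Server: line (Helm 2).
helm_major() {
    printf '%s\n' "$1" | sed -n 's/^[^v]*v\([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Constructed sample of `kubectl -n aaf-test get svc` output (not captured from a
# real cluster). On AWS the EXTERNAL-IP column holds an ELB hostname and reads
# "<pending>" until the load balancer has been provisioned.
SAMPLE_SVC=$(cat <<'EOF'
NAME           TYPE           CLUSTER-IP     EXTERNAL-IP                                              PORT(S)         AGE
aaf-test-1-0   LoadBalancer   10.100.12.34   a1b2c3d4e5f6a7b8-1234567890.us-east-1.elb.amazonaws.com   443:31443/TCP   5m
aaf-test-1-1   LoadBalancer   10.100.56.78   <pending>                                                443:31444/TCP   5m
aaf-test-1     ClusterIP      10.100.90.12   <none>                                                   443/TCP         5m
EOF
)

# lb_endpoints: read `kubectl get svc` output on stdin and print "NAME ADDRESS"
# for every LoadBalancer service; ClusterIP and other types are skipped.
# Returns 1 if any load balancer is still pending so a caller can retry.
lb_endpoints() {
    pending=0
    while read -r name type cluster_ip external rest; do
        [ "$type" = "LoadBalancer" ] || continue
        if [ "$external" = "<pending>" ]; then
            pending=1
            echo "$name pending"
        else
            echo "$name $external"
        fi
    done
    return $pending
}

# Demonstration against the constructed sample; no cluster access is needed.
# On a real cluster you would run, for example:
#   eval "$(helm_install_cmd "$(helm_major "$(helm version --short)")" aaf-test aaf-test-1 ./aaf/)"
#   kubectl -n aaf-test get svc | lb_endpoints
demo() {
    echo "Helm 3 command: $(helm_install_cmd 3 aaf-test aaf-test-1 ./aaf/)"
    echo "Helm 2 command: $(helm_install_cmd 2 aaf-test aaf-test-1 ./aaf/)"
    printf '%s\n' "$SAMPLE_SVC" | lb_endpoints \
        || echo "some load balancers are still provisioning; re-run the svc query"
}
demo
```

Because an ELB can take a few minutes to appear, polling the svc listing until lb_endpoints returns 0 is the reliable way to know when every instance is reachable.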

Sample Deployment

This sample explains the prerequisites and the step-by-step procedure to deploy an Advanced Authentication instance on AWS with a minimum configuration.

Before deployment, ensure to perform the following tasks:

  1. Install the AWS IAM Authenticator for Kubernetes. For more information, see Installing AWS IAM Authenticator.

  2. Install AWS CLI. For more information see, Installing AWS CLI.

  3. Configure AWS CLI Credentials. For more information see, Configuring AWS CLI.

  4. Install eksctl. For more information, see the Install eksctl section in Getting Started with eksctl.

Perform the following steps to deploy Advanced Authentication on AWS with basic configuration:

  1. Run the following command to create a cluster:

    eksctl create cluster --name prod --version 1.13 --nodegroup-name standard-workers --node-type t3.large --node-volume-size 80 --nodes 2 --nodes-min 2 --nodes-max 2 --node-ami auto --zones us-east-1a,us-east-1b

    Kubernetes 1.13 is no longer supported by Amazon EKS; set --version to a Kubernetes version that EKS currently supports.

  2. Configure a cluster role binding that grants the required Kubernetes API access to the Advanced Authentication deployment.

    For more information, see Role-based access control.

    WARNING:The following binding grants the cluster-admin role to the default service account of the kube-system namespace. Any pod that runs with that service account receives its credentials automatically and can then perform any action against the API, including reading secrets and modifying permissions. Do not use this binding in a production environment; bind only the role the deployment actually needs, scoped to its namespace.

    kubectl create clusterrolebinding cluster-admin-default --clusterrole=cluster-admin --user=system:serviceaccount:kube-system:default

  3. Run the following command to deploy Advanced Authentication instance into the cluster:

    helm install --create-namespace --namespace aaf-test aaf-test-1 --set lb.enabled=true ./aaf_63/
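As an added example (not part of the Advanced Authentication documentation), the following POSIX shell script audits a cluster for the pattern that the warning in step 2 describes, a ServiceAccount subject bound to cluster-admin, and prints a replacement that is confined to one namespace. The binding listing is constructed sample text in the shape produced by the kubectl custom-columns query shown in the comment; the aaf-test namespace, the default service account and the built-in edit ClusterRole used in the replacement are assumptions, because the page does not say which permissions the chart actually needs.

```shell
#!/bin/sh
# Added example, not from the Advanced Authentication documentation.
# Constructed sample (not captured from a real cluster) in the format printed by:
#   kubectl get clusterrolebindings --no-headers -o custom-columns=\
#   'NAME:.metadata.name,ROLE:.roleRef.name,KINDS:.subjects[*].kind,SUBJECTS:.subjects[*].name'
# Several subjects on one binding appear comma-separated in the KINDS/SUBJECTS columns.
SAMPLE_BINDINGS=$(cat <<'EOF'
cluster-admin           cluster-admin   Group                  system:masters
cluster-admin-default   cluster-admin   ServiceAccount         default
aaf-log-reader          view            ServiceAccount         aaf-logs
mixed-binding           cluster-admin   Group,ServiceAccount   ops,deployer
EOF
)

# audit_sa_cluster_admin: read the listing on stdin and print the NAME of every
# binding that hands cluster-admin to a ServiceAccount subject. Returns 1 when
# at least one such binding exists, so it can gate a pipeline stage.
audit_sa_cluster_admin() {
    found=0
    while read -r name role kinds subjects; do
        [ -n "$name" ] || continue
        [ "$role" = "cluster-admin" ] || continue
        case "$kinds" in
            *ServiceAccount*) echo "$name"; found=1 ;;
        esac
    done
    return $found
}

# remediation_cmds BINDING NAMESPACE SERVICEACCOUNT: print the commands that drop
# the cluster-wide grant and replace it with a RoleBinding. A RoleBinding may
# reference a ClusterRole such as "edit", but the grant then applies only inside
# the named namespace. "edit" is an assumed placeholder; narrow it to the verbs
# and resources the chart's templates actually require.
remediation_cmds() {
    binding=$1; ns=$2; sa=$3
    printf 'kubectl delete clusterrolebinding %s\n' "$binding"
    printf 'kubectl -n %s create rolebinding %s-edit --clusterrole=edit --serviceaccount=%s:%s\n' \
        "$ns" "$sa" "$ns" "$sa"
}

# Demonstration against the constructed sample; no cluster access is needed.
# On a real cluster, pipe the kubectl query from the comment above into
# audit_sa_cluster_admin instead of SAMPLE_BINDINGS.
demo() {
    offenders=$(printf '%s\n' "$SAMPLE_BINDINGS" | audit_sa_cluster_admin) || true
    if [ -n "$offenders" ]; then
        for b in $offenders; do
            echo "cluster-admin is bound to a service account through: $b"
            remediation_cmds "$b" aaf-test default
        done
    else
        echo "no service account holds cluster-admin"
    fi
}
demo
```

The printed commands are meant to be reviewed before they are run: deleting a binding that a running workload depends on stops that workload from reaching the API, so confirm which service account the Advanced Authentication pods actually use (kubectl -n aaf-test get pods -o jsonpath='{.items[*].spec.serviceAccountName}') before replacing its grant.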