# ISD-Argo On-Prem Production Infrastructure Requirements

## Identify Kubernetes Environment:

* **Access**: Admin access to ONE namespace
* **Compute**:
  * Minimum: 4 CPU, 16 GB RAM, 1 node
  * Preferred: 8 CPU, 32 GB RAM, 2 nodes
* **Network**: Is outbound internet access allowed, including http and grpc traffic and http traffic to all cloud endpoints and artifact repositories?
  * **If Yes**: Proceed with the normal installation.
  * **If No**: Choose the air-gapped installation.
  * **Yes, but http requires a proxy and grpc is not allowed**: Treat this the same as "No" and configure proxies as described below.
  * **ISTIO/Service Mesh:** If a service mesh is in use, additional considerations are required with respect to external access, including the DB, cloud endpoints, and artifact and data endpoints, to ensure seamless integration.

### **ISD requires the following databases:**

* Aurora Postgres (e.g. RDS): The recommended server size is "db.r6g.xlarge" (4 CPUs, 32 GB); versions up to 13.3 have been tested. This database is used by Autopilot (aka OEA). Start with an estimated 20 GB of storage.
* S3 bucket(s): Required for Kayenta (or Verification).
* ElastiCache Redis (5.0.6): The recommended cluster size is "cache.r6g.large" for gate and the other services. Typically one Redis instance is adequate for all services (gate, fiat, Orca (to be confirmed)).

### **Identify Proxy configuration:**

Identify the proxy configuration for accessing any resources. The example `JAVA_OPTS` values for http.proxyHost and http.noProxyHosts need to be defined. **We need to add all ISD services to noProxyHosts.**

{% hint style="info" %}
**Note:** Most proxy-services automatically redirect https to http and vice-versa and proxy the requests. If this is NOT the case, please define https.proxyHost and https.noProxyHosts as well.
{% endhint %}
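As an added example (not from this page or the ISD Helm chart), the following checks that a proxy bypass list covers every in-cluster ISD host name before rendering the `JAVA_OPTS` string; the service names are constructed placeholders. It uses the JVM's own property name, `http.nonProxyHosts`, which the JVM also applies to https connections, and matches patterns the way the JVM does: against the host string in the URL, with `*` as the wildcard.

```python
import re

# Hypothetical ISD host names as called from inside the namespace (constructed
# for this example; take the real list from the deployed chart). Short names
# and in-cluster FQDNs both appear because the JVM matches nonProxyHosts
# against the host string in the URL, never against the resolved address.
ISD_SERVICES = [
    "gate", "orca", "fiat", "kayenta", "oes-autopilot",
    "gate.oes.svc.cluster.local", "oes-autopilot.oes.svc.cluster.local",
    "localhost", "127.0.0.1",
]

def parse_non_proxy_hosts(value):
    """Split a Java http.nonProxyHosts value ('|'-separated host patterns)."""
    return [p.strip() for p in value.split("|") if p.strip()]

def host_bypasses_proxy(host, patterns):
    """True if host matches any pattern; '*' is the only wildcard the JVM honours."""
    host = host.lower()
    for pattern in patterns:
        regex = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
        if re.match(regex, host):
            return True
    return False

def services_still_proxied(non_proxy_hosts, services=ISD_SERVICES):
    """Return the ISD hosts whose traffic would still leave through the proxy."""
    patterns = parse_non_proxy_hosts(non_proxy_hosts)
    return [s for s in services if not host_bypasses_proxy(s, patterns)]

def java_opts(proxy_host, proxy_port, non_proxy_hosts, https_separate=False):
    """Render JAVA_OPTS; https.proxy* is added only when the proxy does not
    handle https through the http settings itself (the case in the note above)."""
    opts = [
        f"-Dhttp.proxyHost={proxy_host}",
        f"-Dhttp.proxyPort={proxy_port}",
        f"-Dhttp.nonProxyHosts={non_proxy_hosts}",
    ]
    if https_separate:
        opts += [f"-Dhttps.proxyHost={proxy_host}", f"-Dhttps.proxyPort={proxy_port}"]
    return " ".join(opts)

if __name__ == "__main__":
    narrow = "localhost|127.0.0.1|gate|orca|fiat|kayenta|oes-autopilot"
    print(services_still_proxied(narrow))  # FQDN calls would still use the proxy
    wide = narrow + "|*.svc.cluster.local"  # one wildcard covers the FQDNs
    print(services_still_proxied(wide))     # -> []
    print(java_opts("proxy.corp.example", 3128, wide))
```

Any host left in the returned list would have its traffic sent to the proxy, which is both a connectivity failure and an unintended exposure of internal service calls.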

### **Custom CA certificates:**

If any custom CAs or self-signed CAs need to be honored, they need to be included in oes-cacerts as described [**here**](https://opsmx.freshdesk.com/a/solutions/articles/27000069757).

### **SSO:**

Identify the SSO used (SAML, e.g. Okta; OIDC; LDAP).

* **Admin User**: Create a service account user that will act as an admin.
* **Admin group(s)**: Identify the groups that grant admin rights to users who belong to any one of them.
* **RBAC**: Define the groups/roles that are needed for the organization.

{% hint style="info" %}
**Note**: In the case of LDAP, configuring the appropriate search strings might involve a bit of trial and error depending on the admin support available, knowledge of the group structure, how well structured the groups are, and available documentation.
{% endhint %}

### **URLs, routing and TLS termination:**

* Identify URLs for the application: Two URLs are required for ISD. One additional URL may be needed depending on the usage of Argo Agent based deployments.
* Decide how traffic from the URLs will be routed to the **Kubernetes** services: Ingress (nginx or another controller), ISTIO gateway, or LoadBalancer.
* Decide where TLS termination will happen: Ingress, Load Balancer, or gate+UI.
* Decide how the TLS certificates will be created: cert-manager, a cloud provider (e.g. AWS), or custom certificates.

### **Secrets handling:**

* Decide where secrets will be stored: Kubernetes, Vault, or another store (e.g. AWS Secrets Manager, Azure Key Vault, CyberArk). Be aware that all Autopilot-ISD and Argo secrets for their respective services are created and stored as Kubernetes secrets by default within the cluster namespace.
* Any customization that is required must be included in the Helm chart.
