ISD-Argo On-Prem Production Infrastructure Requirements

Identify Kubernetes Environment:

  • Access: Admin access to ONE namespace

  • Compute:

    • Minimum: 4 CPU, 16 GB RAM, 1 node

    • Preferred: 8 CPU, 32 GB RAM, 2 nodes

  • Network: Is outbound internet access allowed, i.e. http and gRPC traffic, including http traffic to all cloud endpoints and artifact repositories?

    • If Yes: Proceed with the normal installation.

    • If No: Choose the air-gapped installation.

    • Yes, but proxy access is required for http and gRPC is not allowed: Treat this the same as “No” and configure proxies as described below.

    • Istio/Service Mesh: If a mesh is in use, additional considerations are required with respect to external access, including the database, cloud endpoints, and artifact and data endpoints, to ensure seamless integration.

ISD requires the following databases:

  • Aurora Postgres (e.g. RDS): Recommended server size is “db.r6g.xlarge” (4 CPUs, 32 GB). Versions up to 13.3 have been tested. This database is used by Autopilot (aka OEA). As a starting point, plan for an estimated 20 GB of storage.

  • S3 Bucket(s): Required for Kayenta (or Verification).

  • ElastiCache Redis (5.0.6): Recommended cluster size is “cache.r6g.large”, shared by gate and the other services. Typically, one Redis instance is adequate for all services (gate, fiat, Orca(?)).

Identify Proxy configuration:

Identify the proxy configuration for accessing any external resources. The “JAVA_OPTS” values for http.proxyHost (with http.proxyPort) and http.nonProxyHosts need to be defined, and all ISD services must be added to http.nonProxyHosts so that service-to-service traffic inside the cluster never goes through the proxy.

Note: Most proxy services handle https through the same http proxy endpoint and forward the requests. If this is NOT the case, define https.proxyHost and https.proxyPort as well; the JVM applies http.nonProxyHosts to https connections too, so the same bypass list covers both.
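The following is an added example, not part of the ISD documentation or Helm chart: a shell helper that composes the JAVA_OPTS proxy string described above and a check that answers “will this hostname bypass the proxy?” using the JVM’s nonProxyHosts matching rules. The service names, proxy host and namespace are assumed placeholders; replace them with the actual Kubernetes service names in your namespace.

```bash
#!/usr/bin/env sh
# Added example (not ISD/OpsMx code). Assumed ISD service names; adjust to
# the real Service objects in the target namespace.
ISD_SERVICES="gate orca fiat clouddriver kayenta autopilot oes-ui"

# build_java_proxy_opts PROXY_HOST PROXY_PORT NAMESPACE [EXTRA_BYPASS...]
# Prints a JAVA_OPTS value with http(s).proxyHost/Port and http.nonProxyHosts.
# Java separates nonProxyHosts entries with '|' and allows '*' as a wildcard;
# the same list is honoured for https connections by the JVM.
build_java_proxy_opts() {
  host="$1"; port="$2"; ns="$3"; shift 3
  no_proxy="localhost|127.0.0.1"
  for svc in $ISD_SERVICES; do
    # Cover every form the in-cluster DNS name may take.
    no_proxy="$no_proxy|$svc|$svc.$ns|$svc.$ns.svc|$svc.$ns.svc.cluster.local"
  done
  # The API server and any other in-cluster service must never hit the proxy.
  no_proxy="$no_proxy|kubernetes.default.svc|*.svc|*.svc.cluster.local"
  for extra in "$@"; do
    no_proxy="$no_proxy|$extra"      # e.g. an internal artifact repo or DB host
  done
  printf '%s' "-Dhttp.proxyHost=$host -Dhttp.proxyPort=$port -Dhttps.proxyHost=$host -Dhttps.proxyPort=$port -Dhttp.nonProxyHosts=$no_proxy"
}

# host_bypasses_proxy HOST NONPROXY_LIST
# Returns 0 if HOST matches one of the '|'-separated patterns (shell-style
# '*' wildcard, as the JVM interprets leading/trailing '*'), else 1.
host_bypasses_proxy() {
  h="$1"; list="$2"
  set -f                              # no filename globbing while splitting
  old_ifs=$IFS; IFS='|'
  set -- $list
  IFS=$old_ifs; set +f
  for pat in "$@"; do
    case "$h" in $pat) return 0 ;; esac
  done
  return 1
}

# Stand-alone usage with constructed values (assumed proxy host and namespace).
build_java_proxy_opts proxy.corp.example 3128 isd artifacts.corp.example
echo
```

Run the bypass check against every endpoint the services talk to (DB, Redis, S3, artifact repos) before rolling the value out, so that nothing internal is accidentally routed through the proxy and nothing external is accidentally excluded.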

Custom CA certificates:

If any custom CAs or self-signed CAs need to be honored, they need to be included in oes-cacerts as mentioned here.

SSO:

Identify the SSO mechanism in use (SAML (e.g. Okta), OIDC, or LDAP).

  • Admin User: Create a service account user that will act as an admin.

  • Admin group(s): Identify groups that will give admin rights to users if they belong to any one of the groups.

  • RBAC: Define the groups/roles that are needed for the organization.

Note: In the case of LDAP, configuring the appropriate search strings might involve a bit of trial and error depending on the admin support available, knowledge of the group structure, how well structured the groups are, and available documentation.

URLs, routing and TLS termination:

  • Identify URLs for the application: Two URLs are required for ISD. One additional URL may be needed depending on whether Argo Agent based deployments are used.

  • Decide how traffic from those URLs will be routed to the Kubernetes services: Ingress (nginx or other), Istio gateway, or LoadBalancer.

  • Decide where TLS termination will happen: Ingress, Load Balancer, or gate+UI.

  • Decide how the TLS certificates will be created: cert-manager, cloud provider (e.g. AWS), or custom certificates.

Secrets handling:

  • Decide where secrets will be stored: Kubernetes, Vault, or another store (e.g. AWS Secrets Manager, Azure Key Vault, CyberArk). Note that by default all Autopilot-ISD and Argo secrets for their respective services are created and stored as Kubernetes Secrets within the cluster namespace.

  • Any customization of secrets handling must be included in the Helm chart.
