ISD-Argo On-Prem Production Infrastructure Requirements

Identify Kubernetes Environment:

  • Access: Admin access to ONE namespace

  • Compute:

    • Minimum: 4CPU, 16GB, 1 node

    • Preferred: 8CPU/32 GB Ram 2 Nodes

  • Network: Is outbound internet access, http and grpc traffic, http traffic to all cloud-endpoints and artifact repos allowed?

    • If Yes: Proceed with normal installation

    • If No: Choose Air-Gapped installation.

    • Yes, but Proxy access is required for http but grpc is not allowed: Same as “No” and configure proxies as mentioned below.

    • ISTIO/Service Mesh: If this is in use, additional considerations are required w.r.t. to external access, including DB, cloud-endpoints, artifact and data endpoints. This is to ensure seamless integration.

ISD requires the following databases:

  • Aurora Postgres (e.g. RDS): Recommended Size of the Server is “db.r6g.xlarge(4CPU’s & 32gb)” up to Ver 13.3 has been tested: This is used by Autopilot (aka OEA). As a starting point we start with an estimated 20GB.

  • S3 Bucket(s): Required for Kayenta (or Verification)

  • Elastic Caching Redis(5.0.6): Recommended Size of the Cluster to be “cache.r6g.large” gate+other services. Typically, one redis instance is adequate for all services (gate, fiat, Orca(?))

Identify Proxy configuration:

Identify the proxy configuration for accessing any resources. The example “JAVA_OPTS” for http.proxyHost and http.noProxyHosts values need to be defined. We need to add all ISD-services to noProxyHosts.

Note: Most proxy-services automatically redirect https to http and vice-versa and proxy the requests. If this is NOT the case, please define https.proxyHost and https.noProxyHosts as well.

Custom CA certificates:

If any custom CAs or self-signed CAs need to be honored, they need to be included in oes-cacerts as mentioned here.


Identify the SSO used (SAML(e.g. Okta),OIDC, LDAP).

  • Admin User: Create a service account user that will act as an admin.

  • Admin group(s): Identify groups that will give admin rights to users if they belong to any one of the groups.

  • RBAC: Define the groups/roles that are needed for the organization.

Note: In the case of LDAP, configuring the appropriate search strings might involve a bit of trial and error depending on the admin support available, knowledge of the group structure, how well structured the groups are, and available documentation.

URLs, routing and TLS termination:

  • Identify URLs for the application: Two URLs are required for ISD. One additional URL may be needed depending on the usage of Argo Agent based deployments.

  • Decide on how the traffic from the URLs will be routed to the Kubernetes services: Ingress(nginx, other?), ISTIO-gw or LoadBalancer.

  • Decide on where TLS termination will happen: Ingress, Load Balancer, gate+UI.

  • Decide on how the TLS certificates will be created: cert-manager, Cloud(e.g AWS) or custom-certificates.

Secrets handling:

  • Decide where do we want to store secrets: k8s, Vault or other (e.g. AWS Secret Manager, Azure KV, CyberArk, etc), please be informed that all the Autopilot-ISD and Argo secrets for their respective services are created and stored as kubernetes secrets by default within the cluster’s namespace.

  • Should any customization be required, this needs to be included in the helm-chart.

Last updated