v7.1

Deploying to Amazon EKS using Helm Charts

Amazon EKS (Elastic Kubernetes Service) is a service used to run Kubernetes in the AWS cloud and the local servers.

Before deploying the Wyn Enterprise in the Amazon Elastic Kubernetes Service (EKS) using Helm Charts ensure that you have installed the following tools on your local machine;

Kubectl: Kubectl is a command line tool used to communicate with the Kubernetes API Server. See the Installing or updating Kubectl help doc on AWS Knowledgebase for more information on installing Kubectl.
eksctl: Eksctl is a command line tool used to communicate and manage Kubernetes clusters on Amazon EKS. See the Installing or updating eksctl help doc on AWS Knowledgebase for more information on installing eksctl.
Helm: Helm is the package manager for the Kubernetes services that are used to provide, share, and use the software built for Kubernetes. See the Helm Docs help doc for more information on using Helm Charts.
aws-cli: Aws-cli is a command line tool used to work with AWS services including Amazon EKS. See the Installing, updating, and uninstalling AWS CLI help doc for more information.

Follow the below steps to deploy Wyn in Amazon EKS using Helm charts,

Create AWS EKS Cluster
Run the following command to create your AWS EKS Cluster,
```
eksctl create cluster --name {your-cluster-name} --region {your-region-code}
```
See the Getting started with Amazon EKS – eksctl for more information on Amazon EKS Cluster.
Note: This step may take several minutes to complete.
Create an IAM OIDC Provider
To create an IAM OIDC identity provider for your cluster with eksctl, follow the below instructions,

i) Retrieve the OIDC issuer ID of your cluster and store it in a variable. Replace the {your-cluster-name} with your own value.
```
cluster_name={your-cluster-name}
oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
echo $oidc_id
```
ii) Use the following command to determine whether an IAM OIDC provider with your cluster's issuer ID is already in your account.
```
aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4
```
If the output is returned, then an IAM OIDC provider is already present and you can skip the next step.

iii) In case no output is returned, you must create an IAM OIDC provider for your cluster using the following command.
```
eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve
```
See the Creating an IAM OIDC provider for your cluster help article for more information on creating an IAM OIDC provider.

Install the AWS Load Balancer Controller

To install the AWS Load Balancer controlled, use the following commands,

# To download the IAM policy file
# AWS GovCloud (US-East) or AWS GovCloud (US-West) AWS Regions
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/install/iam_policy_us-gov.json
mv iam_policy_us-gov.json iam_policy.json

# All other AWS Regions
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/install/iam_policy.json

# To create an IAM policy
aws iam create-policy \
    --policy-name AWSLoadBalancerControllerIAMPolicy \
    --policy-document file://iam_policy.json

# To create an IAM role and a Kubernetes service account
eksctl create iamserviceaccount \
  --cluster={your_cluster_name} \
  --namespace=kube-system \
  --name=aws-load-balancer-controller \
  --role-name AmazonEKSLoadBalancerControllerRole \
  --attach-policy-arn=arn:aws:iam::{your_account_id}:policy/AWSLoadBalancerControllerIAMPolicy \
  --approve

# To install the AWS load balancer controller using Helm v3
helm repo add eks https://aws.github.io/eks-charts
helm repo update eks
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n kube-system \
  --set clusterName={your_cluster_name} \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller

See the Installing the AWS Load Balancer Controller add-on help article for more information on installing the AWS load balancer controller.

Install Amazon EFS CSI Driver

To install the Amazon EFS CSI Driver, follow the below instructions,

i) Create the IAM role and Kubernetes service account using the following commands,

# To download the IAM policy document
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/docs/iam-policy-example.json

# To create the policy
aws iam create-policy \
    --policy-name AmazonEKS_EFS_CSI_DriverPolicy \
    --policy-document file://iam-policy-example.json

# To create the IAM role AmazonEKS_EFS_CSI_DriverRole
eksctl create iamserviceaccount \
    --name efs-csi-fake-sa \
    --namespace kube-system \
    --cluster {your_cluster_name} \
    --role-name AmazonEKS_EFS_CSI_DriverRole \
    --role-only \
    --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEKS_EFS_CSI_DriverPolicy \
    --approve

# Edit the trust policy of the role AmazonEKS_EFS_CSI_DriverRole
TRUST_POLICY=$(aws iam get-role --role-name AmazonEKS_EFS_CSI_DriverRole --query 'Role.AssumeRolePolicyDocument' | \
    sed -e 's/efs-csi-controller-sa/efs-csi-*/' -e 's/StringEquals/StringLike/')
aws iam update-assume-role-policy --role-name AmazonEKS_EFS_CSI_DriverRole --policy-document "$TRUST_POLICY"

# To create the service account efs-csi-controller-sa
eksctl create iamserviceaccount \
    --name efs-csi-controller-sa \
    --namespace kube-system \
    --cluster {your_cluster_name} \
    --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEKS_EFS_CSI_DriverPolicy \
    --attach-role-arn arn:aws:iam::{your_account_id}:role/AmazonEKS_EFS_CSI_DriverRole \
    --approve

# To create the service account efs-csi-controller-sa
eksctl create iamserviceaccount \
    --name efs-csi-node-sa \
    --namespace kube-system \
    --cluster {your_cluster_name} \
    --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEKS_EFS_CSI_DriverPolicy \
    --attach-role-arn arn:aws:iam::{your_account_id}:role/AmazonEKS_EFS_CSI_DriverRole \
    --approve

See the Amazon EFS CSI driver help article for more information on installing Amazon EFS CSI Driver.

ii) Install the Amazon EFS Driver using the following command,

# To install the Amazon EFS CSI driver using Helm v3, 
helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver/
helm repo update aws-efs-csi-driver
helm upgrade --install aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver \
--namespace kube-system \
--set image.repository={amazon_container_image_registry}/eks/aws-efs-csi-driver \
--set controller.serviceAccount.create=false \
--set controller.serviceAccount.name=efs-csi-controller-sa

Download the container image registry from this link.

iii) Create an Amazon EFS File system using the following commands,

# To retrieve the VPC ID of the cluster
vpc_id=$(aws eks describe-cluster \
    --name {your_cluster_name} \
    --query "cluster.resourcesVpcConfig.vpcId" \
    --output text)

# To retrieve the CIDR range for your cluster's VPC
cidr_range=$(aws ec2 describe-vpcs \
    --vpc-ids $vpc_id \
    --query "Vpcs[].CidrBlock" \
    --output text \
    --region {your_region_code})

# To create a security group with an inbound rule that allows inbound NFS traffic for your Amazon EFS mount points
security_group_id=$(aws ec2 create-security-group \
    --group-name AmazonEfsSecurityGroup \
    --description "Amazon EFS security group" \
    --vpc-id $vpc_id \
    --output text)
aws ec2 authorize-security-group-ingress \
    --group-id $security_group_id \
    --protocol tcp \
    --port 2049 \
    --cidr $cidr_range

# To create an Amazon EFS file system for your Amazon EKS cluster
file_system_id=$(aws efs create-file-system \
    --region {your_region_code} \
    --performance-mode generalPurpose \
    --query 'FileSystemId' \
    --output text)

# To get the IDs of the subnets in your VPC 
aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=$vpc_id" \
    --query 'Subnets[*].{SubnetId: SubnetId,AvailabilityZone: AvailabilityZone,CidrBlock: CidrBlock}' \
    --output table

# To add mount target for each subnet that in your VPC
aws efs create-mount-target \
    --file-system-id $file_system_id \
    --subnet-id {subnet_id} \
    --security-groups $security_group_id

See this help article for more information on creating an Amazon EFS file system.

iv) Create a storage class for EFS using the following command;

# retrieve your Amazon EFS file system id
aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text

# download a storage manifest file
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/examples/kubernetes/dynamic_provisioning/specs/storageclass.yaml

# replace the value for "fileSystemId" with your EFS file system id in the file "storageclass.yaml" and save it
# fileSystemId: {your_EFS_file_system_id}

# deploy the storage class
kubectl apply -f storageclass.yaml

See this help article for more information on creating a storage class for EFS.

Create Docker Image Pulling Secret (Optional Step)
In case you are using a private docker repository, this step is mandatory. Otherwise, you can skip this step. Use the following command,
```
kubectl create secret docker-registry {secret\_name} --docker-server={docker\_server} --docker-username={user\_name} --docker-password={password}
```
Use the following command to fetch the secret;
```
kubectl get secret
```
Create PVC Resources
For PVC Resources, we dynamically use the efs-sc storage class to provision the persistent volumes. Follow the below instructions to create PVC resource,

i) Prepare a YAML file (name it pvc.yaml) like the one below,
```
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc-wyn-data
spec:
accessModes:
    - ReadWriteMany
storageClassName: efs-sc
resources:
    requests:
    storage: 30Gi
```
ii) Use the following command to create the PVC resource;
```
kubectl apply -f pvc.yaml
```
iii) Fetch the PVC resource using the following command;
```
kubectl get pvc
```

Deploy Wyn

Follow the below instructions to deploy Wyn in Amazon EKS;

i) Prepare the configuration file like the one below,

pvcName: pvc-wyn-data
ingress:
enabled: true
apiVersion: networking.k8s.io/v1
name: wyn-ingress
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
hosts:
\- paths:
\- /

identityServerUrl: http://wyn-server:51980

database:
provider: {database_provider}
connectionStrings:
    dataExtraction: {database_connection_string}
     serverStorage:  {database_connection_string}
    identityServer: {database_connection_string}

server:
 replicas: 1
 enabled: true
analysisDbService:
 enabled: false
schedulerService:
 enabled: true
memoryDbService:
enabled: true
dataSourceService:
enabled: true
cotWorker:
enabled: true
 replicas: 1
reportingWorker:
 enabled: true
 replicas: 1
dashboardWorker:
 enabled: true
 replicas: 1

ii) Deploy Wyn with Helm v3 using the following commands;

# add helm repo
helm repo add wyn https://cdn.mescius.com/wyn/repos/helm-charts/
helm repo update wyn

# deploy Wyn
     helm install wyn -f eks-values.yaml wyn/wyn-enterprise

# wait all pods are running and ready to work
     kubectl get pod

# get the public address provided by ingress
     kubectl get ingress wyn-ingress

Now, you can visit Wyn Enterprise using the URL - http://{ingress_address}

Update the Settings
To update the Helm chart settings, edit the eks-values.yaml configuration file, and then update your deployment using the following command;
```
helm upgrade wyn -f eks-values.yaml wyn/wyn-enterprise
```

Horizontal Pod Autoscaler (HPA)

The Kubernetes Horizontal Pod Autoscaler is used to scale the number of pods in a deployment. See Horizontal Pod Autoscaler for more information. Follow the below instructions to deploy HPA,

i) Use the following command to install the Kubernetes Metrics Server,

# Deploy the Metrics Server with the following command
  kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
# Verify that the metrics-server deployment is running the desired number of Pods with the following command
  kubectl get deployment metrics-server -n kube-system

See Installing the Kubernetes Metrics Server help article for more information.

ii) Create HPA based on your requirements

Use the following command to create your HPA resource;

kubectl autoscale deployment wyn-server --cpu-percent=25 --min=2 --max=4`

You can also create a YAML file like the one below,

apiVersion: autoscaling/v2
    kind: HorizontalPodAutoscaler
    metadata:
    name: hpa-wyn-server
    spec:
    maxReplicas: 2
    minReplicas: 1
    scaleTargetRef:
        apiVersion: apps/v1
        kind: Deployment
        name: wyn-server
    metrics:
    - type: Resource
        resource:
        name: cpu
        target:
            type: Utilization
            averageUtilization: 25
    ---
    apiVersion: autoscaling/v2
    kind: HorizontalPodAutoscaler
    metadata:
    name: hpa-wyn-cot-worker
    spec:
    maxReplicas: 2
    minReplicas: 1
    scaleTargetRef:
        apiVersion: apps/v1
        kind: StatefulSet
        name: wyn-cot-worker
    metrics:
    - type: Resource
        resource:
        name: memory
        target:
            type: Utilization
            averageUtilization: 40

Deploy the autoscalers using the following command;

kubectl apply -f hpa.yaml
kubectl get hpa

See the HorizontalPodAutoscaler Walkthrough article for more information.

To Uninstall Wyn

Use the following command to uninstall the Wyn Enterprise application;

helm uninstall wyn