(AWS) Deploying Cloud Discovery & Visibility in Elastic Kubernetes Service on Amazon Web Services - Adaptive Applications - BlueCat Gateway - 25.3

Cloud Discovery & Visibility Administration Guide

Product name: BlueCat Gateway
Version: 25.3

Elastic Kubernetes Service (EKS) is Amazon's managed service for running Kubernetes. Deploying Cloud Discovery & Visibility (CDV) on EKS in an Amazon Web Services (AWS) environment requires several additional steps.

In general, to deploy CDV on EKS in AWS, you must:

  1. Install the AWS command-line interface (CLI) tools.

  2. Start BlueCat Address Manager in the AWS Cloud.

  3. Create an EKS cluster and node group.

  4. Set up an AWS Elastic File System for persistent storage.

  5. Create a Kubernetes Secret object for your secret key.

  6. Create a Kubernetes Secret object for your quay.io credentials.

  7. Deploy CDV on EKS.

While working you might find the following commands useful:

  • Check the details and recent events of a Kubernetes pod.

    kubectl describe pods <Pod Name>
  • View the Cloud Discovery & Visibility logs.

    kubectl logs <Pod Name>

If needed, you can also easily remove the deployed CDV application and all its resources from EKS.

1. Install AWS command-line tools

You will need several tools to deploy CDV on EKS. To set these up, do the following:

  1. Install the aws-cli tool using the following command:

    sudo snap install aws-cli --classic
  2. Run the command aws configure and configure the aws-cli settings as follows:

    • AWS Access Key ID: The ID of the account that will be used to create EKS.

    • AWS Secret Access Key: The Secret Access Key for the account that will be used to create EKS.

    • Default region name: The name of the default region for the deployment.

    • Default output format: Leave empty and press Enter.

  3. Install kubectl, using the following command:

    sudo snap install kubectl --classic
  4. Install eksctl, using the following commands:

    curl -s --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
    sudo mv /tmp/eksctl /usr/local/bin
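
Piping a download straight into tar installs whatever the server returned. The following added example (not part of the BlueCat guide) checks the archive against a checksum list before unpacking it; the function names are hypothetical, and it assumes the release publishes eksctl_checksums.txt under the same URL prefix as the archive.

```bash
#!/usr/bin/env bash
# Added example: verify a downloaded release archive against a checksum
# list before unpacking it. All function names are hypothetical.

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_against_checksums <archive> <checksums-file>
# Returns 0 only if the list has an entry for the archive's file name and
# that entry equals the archive's digest; 2 = no entry, 1 = mismatch.
verify_against_checksums() {
    local archive="$1" list="$2" name expected actual
    name="$(basename "$archive")"
    expected="$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$list")"
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 2; }
    actual="$(sha256_of "$archive")"
    [ "$expected" = "$actual" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# Download, verify, and only then unpack and install.
# Assumption: eksctl_checksums.txt is published next to the archive.
install_eksctl_verified() {
    local base="https://github.com/weaveworks/eksctl/releases/latest/download"
    local name="eksctl_$(uname -s)_amd64.tar.gz" tmp
    tmp="$(mktemp -d)" || return 1
    curl -fsSL -o "$tmp/$name" "$base/$name" || return 1
    curl -fsSL -o "$tmp/eksctl_checksums.txt" "$base/eksctl_checksums.txt" || return 1
    verify_against_checksums "$tmp/$name" "$tmp/eksctl_checksums.txt" || return 1
    tar xzf "$tmp/$name" -C "$tmp" && sudo mv "$tmp/eksctl" /usr/local/bin
}
```

Run install_eksctl_verified in place of the two commands in step 4. A checksum fetched from the same host only guards against a corrupted or truncated transfer, so for stronger assurance pin a specific release and compare against a digest recorded out of band.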

2. Start BlueCat Address Manager in the AWS Cloud

On the AWS Cloud, start a BlueCat Address Manager Server (or create a new one). For more details, see the Address Manager documentation.

3. Create an EKS cluster and node group

Create an EKS cluster and node group, using the following command:

eksctl create cluster --name eks-deploy-cdv-01 \
    --region ap-east-1 \
    --version 1.33 \
    --nodegroup-name node-group-01 \
    --node-ami-family AmazonLinux2 \
    --node-type t3.medium \
    --nodes 2 --nodes-min 1 --nodes-max 2

Tip: You can change the name of the node group from node-group-01 to something else if you prefer.

Note: Amazon support for EKS version 1.30 ended on July 23, 2025, with extended support to end July 23, 2026.

Wait for this command to completely finish before going on to the next step.

4. Set up an AWS Elastic File System (EFS) for persistent storage

Setting up an Elastic File System (EFS) has several steps.

  1. Install the EFS CSI driver for EKS, with the following commands:

    helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver/
    helm repo update
    helm install aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver --namespace kube-system
  2. When the driver installation completes, identify the Security Group for the node group instance node-group-01 that you just created.

    You can find this information when viewing the node group instance in AWS. While viewing the instance, click the Security tab, expand the Security details section, and look at the Security groups setting.

  3. In EFS, create a new file system in the cluster's Virtual Private Cloud (VPC).

  4. In EFS, in the Network access settings for the new file system, assign the security group that you noted earlier to all mount targets of the EFS network.

  5. In EFS, create access points for the logs folder and database folder that CDV will use.

    • For the POSIX User, set the UID and GID to 9000.

    • For the Root User, set the UID and GID to 9000, and Permission to 0770.

  6. For the logs and database access points you just created, create the needed storage class, persistent volumes, and persistent volume claims. To do so:

    1. Create a YAML file named persistent-storage-efs.yaml with the following content, replacing <Elastic File System ID>, <Log access point ID>, and <Database access point ID> with appropriate values:

      apiVersion: storage.k8s.io/v1
      kind: StorageClass
      metadata:
        name: efs-sc
      provisioner: efs.csi.aws.com
      ---
      apiVersion: v1
      kind: PersistentVolume
      metadata:
        name: pv-logs-efs
        labels:
          type: efs
      spec:
        storageClassName: efs-sc
        claimRef:
          name: pv-claim-logs-efs
          namespace: default
        capacity:
          storage: 5Gi
        volumeMode: Filesystem
        persistentVolumeReclaimPolicy: Retain
        accessModes:
          - ReadWriteMany
        csi:
          driver: efs.csi.aws.com
          volumeHandle: <Elastic File System ID>::<Log access point ID>  # EFS ID and Access Point ID for logs
      ---
      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: pv-claim-logs-efs
        namespace: default
      spec:
        storageClassName: efs-sc
        volumeName: pv-logs-efs
        accessModes:
          - ReadWriteMany
        resources:
          requests:
            storage: 5Gi
      ---
      apiVersion: v1
      kind: PersistentVolume
      metadata:
        name: pv-database-efs
        labels:
          type: efs
      spec:
        storageClassName: efs-sc
        claimRef:
          name: pv-claim-database-efs
          namespace: default
        capacity:
          storage: 50Gi
        volumeMode: Filesystem
        persistentVolumeReclaimPolicy: Retain
        accessModes:
          - ReadWriteMany
        csi:
          driver: efs.csi.aws.com
          volumeHandle: <Elastic File System ID>::<Database access point ID>  # EFS ID and Access Point ID for database
      ---
      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: pv-claim-database-efs
        namespace: default
      spec:
        storageClassName: efs-sc
        volumeName: pv-database-efs
        accessModes:
          - ReadWriteMany
        resources:
          requests:
            storage: 50Gi

    We've provided a sample YAML file that performs these operations. Before using it, make sure that you change all instances of the <efs-id> and <log-access-point-id> placeholders in the volumeHandle parameters to identify your EFS.

  7. Run the new YAML file (from wherever it was saved) as follows:

    kubectl apply -f persistent-storage-efs.yaml

5. Create a Kubernetes Secret object for your secret key

Secret objects hold sensitive information, like account passwords and other details. You will need to create a Secret object for the secret-key value.

To create the Kubernetes Secret object:

  1. Create a YAML file named secret-key.yaml with the following content, replacing <String with 32 characters> with a secret password string of 32 characters:

    apiVersion: v1
    kind: Secret
    metadata:
      name: secret-key
    type: Opaque
    stringData:
      key: <String with 32 characters>
  2. Run this file as follows:

    kubectl apply -f secret-key.yaml
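
An added example, not part of the BlueCat guide, of one way to produce the 32-character value and the manifest from step 1: the key is read from /dev/urandom, quoted so that YAML keeps it a string, and written to a file only its owner can read. The function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (hypothetical function names): generate the 32-character
# key from the kernel CSPRNG and keep the plaintext manifest private.

# 16 random bytes rendered as hex give exactly 32 characters (128 bits).
gen_secret_key() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# write_secret_manifest <path>
# Writes a manifest with the same fields as secret-key.yaml above.
write_secret_manifest() {
    local path="$1" key
    key="$(gen_secret_key)"
    [ "${#key}" -eq 32 ] || { echo "key is not 32 characters" >&2; return 1; }
    (
        umask 077            # new file gets mode 0600
        rm -f "$path"        # never reuse a file with wider permissions
        # The key is quoted: an all-digit value would otherwise be parsed
        # as a number, which stringData does not accept.
        cat > "$path" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: secret-key
type: Opaque
stringData:
  key: "$key"
EOF
    )
}

# Apply the manifest, then remove the plaintext copy from disk.
apply_secret_key() {
    local path="${1:-secret-key.yaml}" rc=0
    write_secret_manifest "$path" || return 1
    kubectl apply -f "$path" || rc=$?
    rm -f "$path"
    return "$rc"
}
```

Kubernetes stores Secret values base64-encoded, not encrypted, unless encryption at rest is configured for the cluster, so access to the secret-key object should be limited with RBAC.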

6. Create a Kubernetes Secret object for your quay.io credentials

You will also need a separate Secret object so that the deployment process can access Quay.io and download the CDV container. This object will contain encrypted password details for Docker. To get this token:

  1. From Quay.io, click your username in the top right of the page and select Account Settings.

  2. Under Docker CLI Password, next to CLI Password, click Generate Encrypted Password.

  3. Click Kubernetes Secret.

  4. Click Download <Username>-secret.yml and save the file.

  5. Open this file in a text editor.

    Note the value of the name setting in the metadata specification. This is the pull name for the secret, which you can change if needed (save the file if you do so).

  6. Create the Kubernetes Secret object with the following command:

    kubectl apply -f <Username>-secret.yml

7. Deploy CDV on EKS

To deploy CDV, do the following:

  1. Open a text editor and create a YAML script named cdv-deployment.yaml with the content below. Make the following changes:

    • Replace <BlueCat Address Manager IP> with the IP address of the Address Manager Server that you're using.

    • Replace <Secret pull name> with the metadata name that you noted (or changed) in the <Username>-secret.yml file.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: cdv-deployment
      labels:
        app: cdv
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: cdv
      template:
        metadata:
          labels:
            app: cdv
        spec:
          volumes:
          - name: logs
            persistentVolumeClaim:
              claimName: pv-claim-logs-efs
          - name: database
            persistentVolumeClaim:
              claimName: pv-claim-database-efs
          containers:
          - name: cdv
            image: quay.io/bluecat/cloud_discovery_visibility:25.3
            env:
            - name: BAM_IP
              value: <BlueCat Address Manager IP>  # BAM IP on Cloud
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: secret-key
                  key: key
            ports:
            - containerPort: 44300
            volumeMounts:
            - mountPath: /logs/
              name: logs
            - mountPath: /var/lib/postgresql/
              name: database
            imagePullPolicy: Always
          imagePullSecrets:
          - name: <Secret pull name>  # Image pull secret

    Remember to save your changes when you're done.

  2. To run the script and deploy CDV, run the following command:

    kubectl apply -f cdv-deployment.yaml
  3. Confirm that the CDV container is deployed. To do so, run the following command to list currently-deployed Kubernetes pods:

    kubectl get pods --all-namespaces -o wide

    Look for an entry whose name matches the metadata/name setting in the YAML file (cdv-deployment).

  4. Expose the CDV application to the network, so that it can perform discovery and visibility operations. To do so, run the following command:

    kubectl expose deployment cdv-deployment --type LoadBalancer --port 443 --target-port 44300

    To confirm that the appropriate ports are successfully exposed for the container, run the following command:

    kubectl get services

    In the table that displays, check the list of ports for cdv-deployment in the PORT(S) column. Also note the IP address in the EXTERNAL-IP column.

  5. You can now use the LoadBalancer DNS to access the CDV application UI. Typically, you can access it through the External IP address that you noted before:

    https://<EXTERNAL-IP address>/

    such as:

    https://a2a8a43ea76564cf6b9c4f3a385fc4c3-268185863.us-east-2.elb.amazonaws.com/
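
A Service of type LoadBalancer with no loadBalancerSourceRanges accepts connections from any source address. The following added example (not part of the BlueCat guide) builds a patch that limits the service created in step 4 to named IPv4 networks; the function names are hypothetical, and the CIDR values in the usage comment are documentation ranges to be replaced with your own.

```bash
#!/usr/bin/env bash
# Added example (hypothetical function names): restrict which networks can
# reach the cdv-deployment service through the load balancer.

# valid_cidr <a.b.c.d/n>  accepts IPv4 CIDRs with a prefix of /1 to /32.
valid_cidr() {
    local ip="${1%/*}" bits="${1##*/}" o
    [ "$ip" != "$1" ] || return 1                        # no '/' present
    case "$bits" in ''|*[!0-9]*|???*) return 1;; esac
    [ "$bits" -ge 1 ] && [ "$bits" -le 32 ] || return 1  # /0 means everyone
    case "$ip" in *[!0-9.]*) return 1;; esac
    local IFS=.
    set -- $ip                                           # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|????*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# build_source_range_patch <cidr>...
# Prints the JSON patch that sets spec.loadBalancerSourceRanges.
build_source_range_patch() {
    local cidr list=""
    [ $# -ge 1 ] || { echo "at least one CIDR is required" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "rejected: $cidr" >&2; return 1; }
        list="${list:+$list,}\"$cidr\""
    done
    printf '{"spec":{"loadBalancerSourceRanges":[%s]}}\n' "$list"
}

# Usage: restrict_cdv_service 203.0.113.0/24 198.51.100.7/32
restrict_cdv_service() {
    local patch
    patch="$(build_source_range_patch "$@")" || return 1
    kubectl patch service cdv-deployment -p "$patch"
}
```

After patching, kubectl describe service cdv-deployment lists the configured ranges, so the restriction can be confirmed before the URL is shared.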

Removing CDV and its resources from EKS

To remove the deployed instance of CDV and all of its resources, run the following commands:

kubectl delete service cdv-deployment
kubectl delete -f cdv-deployment.yaml