Using Chainstack, you can deploy all Chainstack-supported blockchain nodes and networks into your own Amazon
Since Chainstack is not managing your Amazon EKS infrastructure, please keep in mind that you are responsible for keeping the cluster operational:
- You have the snapshots set up.
- The IAM user and RBAC privileges are safe.
- You have the adequate node group sizes set up. See Private hosting resource requirements.
Prepare IAM resources
Overview
As an IAM admin, you must prepare the following:
- An IAM user as an EKS cluster manager. The IAM user will be granted the necessary rights through IAM policies. In this guide, the IAM user is referenced as clusterManager.
- An EKS cluster service role that allows the Kubernetes control plane to manage the AWS resources on your behalf. See also Amazon EKS cluster IAM role. In this guide, the EKS cluster service role is referenced as eksClusterRole.
- An Amazon EKS node IAM role that you will use to create a node group. See also Amazon EKS node IAM role. In this guide, the Amazon EKS node IAM role is referenced as EKSNodeGroup.
- A custom policy for your EKS cluster service role. In this guide, this custom policy is referenced as EC2DescribeResourcesPolicy.
- A custom policy for a non-root user that creates the EKS cluster. In this guide, this custom policy is referenced as ChainstackPrivateHostingReadDescribePolicy.
See also Security best practices in IAM.
Create clusterManager IAM user
- Under Identity and Access Management (IAM), click Users > Add user.
- In the User name field, provide the clusterManager name.
- For Access type, select both Programmatic access and AWS Management Console access.
Create eksClusterRole
- Under Identity and Access Management (IAM), click Roles > Create role.
- Select AWS service > EKS > EKS - Cluster.
- Verify the role has AmazonEKSClusterPolicy set.
- Name your role eksClusterRole.
Create EC2DescribeResourcesPolicy
- Under Identity and Access Management (IAM), click Policies > Create policy.
- Select EC2.
- Under Actions, select:
- DescribeAccountAttributes
- DescribeInternetGateways
- Save the policy as EC2DescribeResourcesPolicy.
Attach policies to eksClusterRole
- Select eksClusterRole you have created previously.
- Click Permissions > Attach policies.
- Select and attach the following policies:
- AmazonEKSServicePolicy
- EC2DescribeResourcesPolicy
- The resulting set of policies for eksClusterRole must be the following:
- AmazonEKSClusterPolicy
- AmazonEKSServicePolicy
- EC2DescribeResourcesPolicy
Create EKSNodeGroup role
- Under Identity and Access Management (IAM), click Roles > Create role.
- Select AWS service > EC2.
- Select the following policies:
- AmazonEKSWorkerNodePolicy
- ElasticLoadBalancingFullAccess
- AmazonEC2ContainerRegistryReadOnly
- AmazonEKS_CNI_Policy
- Provide the name for the role: EKSNodeGroup
Create AWSServiceRoleForAmazonEKSNodegroup role
- Under Identity and Access Management (IAM), click Roles > Create role.
- Select AWS service > EKS > EKS - Nodegroup.
- Verify the role has AWSServiceRoleForAmazonEKSNodegroup set.
- Leave the role name as AWSServiceRoleForAmazonEKSNodegroup.
Create ChainstackPrivateHostingReadDescribe policy
- Under Identity and Access Management (IAM), click Policies > Create policy.
- Under Service, select IAM. Under Actions, select:
- PassRole
- Select EC2. Under Actions, select:
- DescribeKeyPairs
- CreateKeyPair
- Select ELB. Under Actions, select:
- DescribeLoadBalancers
- DescribeInstanceHealth
- DescribeLoadBalancerAttributes
- DescribeLoadBalancerPolicies
- DescribeLoadBalancerPolicyTypes
- DescribeTags
- Select EKS. Under Actions, select:
- ListAddons
- ListClusters
- ListFargateProfiles
- ListNodegroups
- ListTagsForResource
- ListUpdates
- AccessKubernetesApi
- DescribeAddon
- DescribeAddonVersions
- DescribeCluster
- DescribeFargateProfile
- DescribeNodegroup
- DescribeUpdate
- TagResource
- UntagResource
- CreateAddon
- CreateCluster
- CreateFargateProfile
- CreateNodegroup
- DeleteAddon
- DeleteCluster
- DeleteFargateProfile
- DeleteNodegroup
- UpdateAddon
- UpdateClusterConfig
- UpdateClusterVersion
- UpdateNodegroupConfig
- UpdateNodegroupVersion
- Save the policy as ChainstackPrivateHostingReadDescribe.
Attach policies to your clusterManager IAM user
- Select the clusterManager IAM user.
- Attach the following policies:
- AmazonVPCReadOnlyAccess
- IAMReadOnlyAccess
- ChainstackPrivateHostingReadDescribePolicy
Create an AWS IAM account with programmatic access
You will now create an account that Chainstack will use to deploy to your cluster.
Create an IAM policy
- Under Identity and Access Management (IAM), click Policies > Create policy.
- Select EKS. Under Actions, select DescribeCluster.
- Provide the ARN for the EKS cluster that you will integrate.
- Provide the name for the policy: chainstack-iam-policy
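The two policies described above, as pasteable JSON documents with a small least-privilege check, added here as an example (this is not Chainstack's code). It builds the clusterManager policy from the actions listed under ChainstackPrivateHostingReadDescribe and the chainstack-iam-policy scoped to a single cluster ARN; the account id 111111111111 and the cluster ARN are constructed placeholders, and pinning iam:PassRole to eksClusterRole and EKSNodeGroup is an added hardening step that the page's console walkthrough does not take.

```python
import json

# Actions the page lists for ChainstackPrivateHostingReadDescribe, per service.
EKS_ACTIONS = [
    "ListAddons", "ListClusters", "ListFargateProfiles", "ListNodegroups", "ListTagsForResource",
    "ListUpdates", "AccessKubernetesApi", "DescribeAddon", "DescribeAddonVersions", "DescribeCluster",
    "DescribeFargateProfile", "DescribeNodegroup", "DescribeUpdate", "TagResource", "UntagResource",
    "CreateAddon", "CreateCluster", "CreateFargateProfile", "CreateNodegroup", "DeleteAddon",
    "DeleteCluster", "DeleteFargateProfile", "DeleteNodegroup", "UpdateAddon", "UpdateClusterConfig",
    "UpdateClusterVersion", "UpdateNodegroupConfig", "UpdateNodegroupVersion",
]
ELB_ACTIONS = [
    "DescribeLoadBalancers", "DescribeInstanceHealth", "DescribeLoadBalancerAttributes",
    "DescribeLoadBalancerPolicies", "DescribeLoadBalancerPolicyTypes", "DescribeTags",
]

def cluster_manager_policy(account_id):
    """Policy document for the clusterManager user. The page does not scope any statement;
    pinning iam:PassRole to the two roles handed to EKS is an added hardening step."""
    roles = [f"arn:aws:iam::{account_id}:role/eksClusterRole",
             f"arn:aws:iam::{account_id}:role/EKSNodeGroup"]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": roles},
        {"Effect": "Allow", "Action": ["ec2:DescribeKeyPairs", "ec2:CreateKeyPair"], "Resource": "*"},
        {"Effect": "Allow", "Action": [f"elasticloadbalancing:{a}" for a in ELB_ACTIONS], "Resource": "*"},
        {"Effect": "Allow", "Action": [f"eks:{a}" for a in EKS_ACTIONS], "Resource": "*"},
    ]}

def chainstack_iam_policy(cluster_arn):
    """chainstack-iam-policy: Chainstack's iam-user may only call eks:DescribeCluster on the
    one cluster being integrated (the ARN entered in the console wizard)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "eks:DescribeCluster", "Resource": cluster_arn}]}

def lint(policy):
    """Least-privilege findings: wildcard actions, and write actions (anything other than
    Describe/List/Get) that a statement allows on every resource."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        scoped = st["Resource"] != "*" and "*" not in st["Resource"]
        for a in actions:
            if "*" in a:
                findings.append(f"wildcard action {a}")
            if not scoped and not a.split(":", 1)[1].startswith(("Describe", "List", "Get")):
                findings.append(f"{a} allowed on every resource")
    return findings

if __name__ == "__main__":  # 111111111111 is a constructed account id, not the page's
    print(json.dumps(cluster_manager_policy("111111111111"), indent=2))
```

Running lint over the clusterManager policy lists the EKS create/delete/update actions it grants account-wide, which is the trade-off this role carries; the chainstack-iam-policy produces no findings.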
Create an IAM account
- Under Identity and Access Management (IAM), click Users > Add user.
- In the User name field, provide the iam-user name.
- For Access type, select Programmatic access.
- Under Permissions, select Attach existing policies directly.
- Select chainstack-iam-policy.
After you finish the user creation, save the CSV file with the iam-user keys. You will need these for Chainstack integration.
Create an EKS cluster
For reference, see Creating an Amazon EKS cluster.
- Log in to the AWS Management Console as the EKS cluster manager (clusterManager) and navigate to the EKS service in the region of your preference.
- Provide a name for your cluster.
- Select a Kubernetes version starting from 1.23.
- For Cluster Service Role, select eksClusterRole.
- Select a VPC to use for your EKS resources and subnets for your elastic network interfaces.
- Select a level of logging for your setup. See also Amazon EKS control plane logging.
- To finish the wizard and start the cluster creation process, click Create.
The cluster creation process may take up to 15 minutes.
Create a Node Group within your EKS cluster
For reference, see Creating a managed node group.
- On your cluster details page, navigate to the Cluster configuration section.
- Select Compute > Add Node Group.
- Provide a name for the node group.
- Select the previously created EKSNodeGroup role.
- For AMI type, select Amazon Linux 2 (AL2_x86_64).
- For Capacity type, select On-Demand.
- For Instance types, select the size that fits the network protocol. See Private hosting resource requirements.
- Once you complete the wizard, click Create.
Node group creation takes 5 minutes on average.
Set up your workstation
You now need to grant your IAM account enough privileges to integrate with Chainstack.
On your workstation, install:
- Kubectl version 1.16+. It is recommended to match the client version with the server version. See Install and Set Up kubectl.
- Helm version 3.4.0 or any stable Helm 3 version. See Installing Helm.
- aws-cli. See Installing, updating, and uninstalling the AWS CLI and Configuring the AWS CLI.
Configure aws-cli by running:
aws configure
Check the correct configuration by running:
aws sts get-caller-identity
This should return the ARN of your clusterManager user.
Connect to your cluster by running:
aws eks update-kubeconfig --name NAME --region REGION
where
- NAME — the name of your EKS cluster.
- REGION — the region of your EKS cluster.
Configure EKS from your workstation
Create a namespace
Run:
kubectl create ns NAMESPACE
where NAMESPACE is any name you want to give to it.
Add IAM account as a user to the EKS cluster
Get the configmap:
kubectl get configmap -n kube-system aws-auth
Edit the configmap to include the ARN for the user you created previously as iam-user.
Run:
kubectl edit configmap -n kube-system aws-auth
Under data, add:
mapUsers: |
  - userarn: 'arn:aws:iam::338492513114:user/chainstack'
    username: 'chainstack'
See also: How do I provide access to other users and roles after cluster creation in Amazon EKS?
Grant RBAC privileges to the IAM user
Download the following files:
In the downloaded YAML files, change the namespace and user to your cluster namespace and iam-user.
Apply the configurations:
kubectl apply -f role.yaml
kubectl apply -f rolebinding.yaml
kubectl apply -f clusterrole.yaml
kubectl apply -f clusterrolebinding.yaml
Install cert-manager
Chainstack installs the following tools:
- Nginx Ingress controller for public access to deployments
- external-dns to automatically create public DNS names for deployments
- cert-manager to support TLS encryption of all endpoints
- Kubernetes storage classes to support provisioning block storage volumes (EBS) for Blockchain deployments.
While all of them are automatically installed and configured during the integration workflow, cert-manager is an exception. Since it requires many elevated privileges over the EKS cluster, you must install it yourself with the same account used to perform the EKS configuration.
The actual TLS certificate issuance and configuration is handled by the Chainstack integration workflow.
Add the helm repo for cert-manager:
helm repo add jetstack https://charts.jetstack.io
Update the helm repository:
helm repo update
Helm install cert-manager:
helm install cert-manager jetstack/cert-manager -n NAMESPACE --set installCRDs=true --version=1.9.1
where NAMESPACE is the namespace you have previously created.
Install EBS CSI as an add-on
The EBS CSI driver is required for the integration; enable it by referring to this guide.