
AWS EKS

This guide describes how to deploy Runops to an EKS cluster.

Requirements

  • A provisioned, working EKS cluster
  • The AWS Load Balancer Controller installed in the cluster
  • A PostgreSQL RDS instance deployed in the same VPC as the cluster
  • Access to configure a subdomain and an ACM certificate for your Runops instance, e.g. hoop.yourdomain.tld
  • An account in Okta or Auth0

Identity Provider Configuration

To use your own identity provider, create a new application in it. The application must be of the "Regular Web App" type (Authorization Code flow).

Configuring Okta as Identity Provider

1) Create a new application

  • Click the Create App Integration button:


  • Signing method: OIDC - OpenID Connect
  • Application Type: Web Application


2) Configure the APP with a login callback URL


WARNING

You need to replace {API_URL} with your configured domain.
Example: https://hoop.yourdomain.tld/api/callback

3) Save the Application

4) Collect some required information:

  • IDP_ISSUER
  • IDP_CLIENT_ID
  • IDP_CLIENT_SECRET
  • IDP_AUDIENCE
  • API_URL

5) Where the data can be found:

  • IDP_CLIENT_ID and IDP_CLIENT_SECRET:

On the Application Home:


  • IDP_AUDIENCE and IDP_ISSUER:

On Security > API


  • API_URL

This is the public domain where Hoop is running in your cluster (for example https://hoop.yourdomain.tld).
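Before these five values are written into a Kubernetes secret it is worth checking them once, because a wrong issuer or a trailing slash on API_URL only surfaces later as a failed login redirect. The script below is an added example, not part of Hoop's tooling: the function names (hoop_idp_preflight, hoop_callback_url, hoop_idp_discovery_check) are assumptions, the value checks are derived from what this guide states (https URLs, callback at API_URL/api/callback), and the optional discovery check assumes the issuer serves a standard OpenID Connect discovery document.

```shell
#!/bin/sh
# Added example: pre-flight check of the identity-provider values collected
# above, before they go into the hoop-config secret. Not Hoop's own tooling.
set -u

# Validate IDP_ISSUER, IDP_CLIENT_ID, IDP_CLIENT_SECRET, IDP_AUDIENCE and
# API_URL (in that order). Returns 0 when every check passes, 1 otherwise,
# printing one line per problem to stderr.
hoop_idp_preflight() {
  local issuer="$1" client_id="$2" client_secret="$3" audience="$4" api_url="$5"
  local rc=0
  [ -n "$issuer" ]        || { echo "IDP_ISSUER is empty" >&2; rc=1; }
  [ -n "$client_id" ]     || { echo "IDP_CLIENT_ID is empty" >&2; rc=1; }
  [ -n "$client_secret" ] || { echo "IDP_CLIENT_SECRET is empty" >&2; rc=1; }
  [ -n "$audience" ]      || { echo "IDP_AUDIENCE is empty" >&2; rc=1; }
  case "$issuer" in
    https://*) ;;
    *) echo "IDP_ISSUER must be an https:// URL (got: $issuer)" >&2; rc=1 ;;
  esac
  case "$api_url" in
    https://*/) echo "API_URL must not end with a slash (got: $api_url)" >&2; rc=1 ;;
    https://*) ;;
    *) echo "API_URL must be an https:// URL (got: $api_url)" >&2; rc=1 ;;
  esac
  return "$rc"
}

# The login callback URL that must be registered on the Okta application:
# API_URL followed by /api/callback (a trailing slash on API_URL is dropped).
hoop_callback_url() {
  printf '%s/api/callback\n' "${1%/}"
}

# Optional online check (needs curl and network access, so it is not run by
# the offline checks): confirm the issuer publishes an OIDC discovery document
# that advertises the endpoints the Authorization Code flow needs.
hoop_idp_discovery_check() {
  local issuer="${1%/}" doc
  doc=$(curl -fsS "$issuer/.well-known/openid-configuration") || return 1
  printf '%s' "$doc" | grep -q '"authorization_endpoint"' || return 1
  printf '%s' "$doc" | grep -q '"token_endpoint"' || return 1
  # response_types_supported must include "code" for the Authorization Code flow
  printf '%s' "$doc" | grep -q '"code"' || return 1
}
```

Typical use, with the variables exported as this guide names them: `hoop_idp_preflight "$IDP_ISSUER" "$IDP_CLIENT_ID" "$IDP_CLIENT_SECRET" "$IDP_AUDIENCE" "$API_URL" && hoop_callback_url "$API_URL"` prints the exact redirect URI to paste into the Okta application; `hoop_idp_discovery_check "$IDP_ISSUER"` is a quick sanity check that the issuer is reachable and is really an OIDC issuer.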

1. Application Deployment

Create the following configuration as secrets in a namespace:

NAMESPACE=hoop
kubectl create ns $NAMESPACE
kubectl -n $NAMESPACE create secret generic hoop-config \
  --from-literal=XTDB_ADDRESS=http://127.0.0.1:3001 \
  --from-literal=IDP_ISSUER=$IDP_ISSUER \
  --from-literal=IDP_CLIENT_ID=$IDP_CLIENT_ID \
  --from-literal=IDP_CLIENT_SECRET=$IDP_CLIENT_SECRET \
  --from-literal=IDP_AUDIENCE=$IDP_AUDIENCE \
  --from-literal=API_URL=$API_URL

kubectl -n $NAMESPACE create secret generic xtdb-config \
  --from-literal=PG_HOST=$PG_HOST \
  --from-literal=PG_PORT=$PG_PORT \
  --from-literal=PG_USER=$PG_USER \
  --from-literal=PG_DB=$PG_DB \
  --from-literal=PG_PASSWORD=$PGPASSWORD

Deploy the application:

kubectl -n $NAMESPACE apply -f - <<EOF
kind: Service
apiVersion: v1
metadata:
  name: hoopdb
spec:
  type: ExternalName
  externalName: $PG_HOST
---
apiVersion: v1
kind: Service
metadata:
  name: hoopgateway
spec:
  selector:
    app: hoopgateway
  clusterIP: None
  ports:
  - port: 8010
    name: grpc
    protocol: TCP
    targetPort: 8010
  - port: 8009
    name: http
    protocol: TCP
    targetPort: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hoopgateway
spec:
  selector:
    matchLabels:
      app: hoopgateway
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: hoopgateway
    spec:
      containers:
      - image: hoophq/hoop
        name: hoopgateway
        args: ["hoop", "start", "gateway"]
        envFrom:
        - secretRef:
            name: hoop-config
        resources:
          requests:
            cpu: 1024m
            memory: 1Gi
        volumeMounts:
        - mountPath: /opt/hoop/sessions
          name: sessions-volume
        ports:
        - containerPort: 8010
          name: grpc
        - containerPort: 8009
          name: api
      - image: hoophq/xtdb
        name: xtdb
        envFrom:
        - secretRef:
            name: xtdb-config
        resources:
          requests:
            cpu: 1024m
            memory: 1Gi
        ports:
        - containerPort: 3001
          name: api
      volumes:
      - name: sessions-volume
        emptyDir: {}
EOF

2. Gateway Configuration

Make sure to change the following values in the YAML:

  • alb.ingress.kubernetes.io/subnets
  • alb.ingress.kubernetes.io/security-groups
  • alb.ingress.kubernetes.io/certificate-arn
  • hoop.<YOURDOMAIN> to your subdomain

The security group must allow inbound connections from 0.0.0.0/0 on ports 8443 and 443.

Reference: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/ingress/annotations/

kubectl -n $NAMESPACE apply -f - <<EOF
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol-version: GRPC
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 8443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/group.name: 'hoop'
    alb.ingress.kubernetes.io/subnets: SUBNET01,SUBNET02
    alb.ingress.kubernetes.io/security-groups: SG01
    alb.ingress.kubernetes.io/healthcheck-path: /
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/certificate-arn: ACM-ARN
  labels:
    app: hoopgateway-grpc
  name: hoopgateway-grpc
spec:
  rules:
  - host: hoop.<YOURDOMAIN>
    http:
      paths:
      - backend:
          serviceName: hoopgateway
          servicePort: 8010
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/group.name: 'hoop'
    alb.ingress.kubernetes.io/subnets: SUBNET01,SUBNET02
    alb.ingress.kubernetes.io/security-groups: SG01
    alb.ingress.kubernetes.io/healthcheck-path: /
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/certificate-arn: ACM-ARN
  labels:
    app: hoopgateway-web
  name: hoopgateway-web
spec:
  rules:
  - host: hoop.<YOURDOMAIN>
    http:
      paths:
      - backend:
          serviceName: hoopgateway
          servicePort: 8009
EOF

  • Go to AWS EC2 > Load Balancers and copy the DNS name of the load balancer.
  • Add a CNAME DNS record named hoop.<YOURDOMAIN> pointing at the load balancer's DNS name.

3. Signup

Install the latest command line utility and sign up:

brew tap hoophq/hoopcli https://github.com/hoophq/hoopcli
brew install hoop
hoop login

After that you'll have a new organization and your user registered as admin. You can access the web app at https://hoop.<YOURDOMAIN>/login

4. Agents

An agent is required to connect to services in your private infrastructure. Create a new one:

ACCESS_TOKEN=$(grep -i token ~/.hoop/config.toml | sed 's|"||g' | awk '{print $3}')
curl https://hoop.<YOURDOMAIN>/api/agents -XPOST -d '{"name": "default"}' \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ACCESS_TOKEN"
{"id":"a9fbe755-dadf-4812-8a6c-f984867055ea","token":"x-agt-3cc584be-0b5e-4722-aee9-c4b03169956f","name":"default","hostname":"","machine-id":"","kernel_version":"","status":""}

Get the token attribute and use it in the commands below to deploy a first agent. The secret must live in the same namespace as the agent deployment that references it:

NAMESPACE=hoop
kubectl -n $NAMESPACE create secret generic default-agent \
  --from-literal=TOKEN=<x-agt-TOKEN> \
  --from-literal=SERVER_ADDRESS=hoop.<YOURDOMAIN>:8443

kubectl -n $NAMESPACE apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: defaultagent
spec:
  selector:
    matchLabels:
      app: defaultagent
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: defaultagent
    spec:
      containers:
      - image: hoophq/hoop
        name: defaultagent
        args: ["hoop", "start", "agent"]
        envFrom:
        - secretRef:
            name: default-agent
EOF
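The agent registration above involves two credentials: the CLI access token read from ~/.hoop/config.toml and the x-agt- agent token returned by the API, and both are easy to leak into shell history or a pasted log. The script below is an added example, not Hoop's own tooling: it extracts the agent token from the JSON response shown above, refuses anything without the x-agt- prefix (so an error body or the wrong credential cannot end up in the secret), and writes the token into the secret via stdin rather than a command-line argument. The function names are assumptions, the config.toml key is assumed to be a single `token = "..."` line as the grep/awk pipeline above implies, and the sample JSON in the checks is the response printed earlier in this guide.

```shell
#!/bin/sh
# Added example: safer handling of the agent token from POST /api/agents and
# of the CLI access token, then creation of the agent secret in the same
# namespace as the gateway. Not part of Hoop's tooling.
set -u

# Print the value of the "token" key of a single-line JSON object such as the
# one returned by POST /api/agents. Prints nothing and returns 1 if absent.
hoop_json_token() {
  printf '%s\n' "$1" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p' | grep .
}

# Agent tokens in this guide carry an x-agt- prefix; accept nothing else.
hoop_is_agent_token() {
  case "$1" in
    x-agt-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read the access token from the CLI config on stdin (assumed shape:
# token = "value"), replacing the cat | grep | sed | awk pipeline above.
hoop_access_token_from_toml() {
  sed -n 's/^[[:space:]]*token[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1 | grep .
}

# Render a token for logs: the first 10 characters followed by a mask.
hoop_mask_token() {
  printf '%.10s...\n' "$1"
}

# End-to-end helper: register an agent, validate the returned token and store
# it as <agent_name>-agent in the given namespace. Needs curl, kubectl and
# network access, so the offline checks do not call it.
hoop_create_agent_secret() {
  local domain="$1" agent_name="$2" namespace="$3"
  local access_token response agent_token
  access_token=$(hoop_access_token_from_toml < "$HOME/.hoop/config.toml") \
    || { echo "no token line in ~/.hoop/config.toml; run 'hoop login' first" >&2; return 1; }
  response=$(curl -fsS "https://$domain/api/agents" -XPOST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $access_token" \
    -d "{\"name\": \"$agent_name\"}") || return 1
  agent_token=$(hoop_json_token "$response") \
    || { echo "no token in API response" >&2; return 1; }
  hoop_is_agent_token "$agent_token" \
    || { echo "unexpected token format: $(hoop_mask_token "$agent_token")" >&2; return 1; }
  # Pass the token on stdin so it is not visible in the process list the way
  # a --from-literal argument is; printf '%s' avoids storing a trailing newline.
  printf '%s' "$agent_token" | kubectl -n "$namespace" create secret generic "${agent_name}-agent" \
    --from-file=TOKEN=/dev/stdin \
    --from-literal=SERVER_ADDRESS="$domain:8443"
  echo "agent $agent_name registered; token $(hoop_mask_token "$agent_token") stored in $namespace/${agent_name}-agent"
}
```

With the namespace and domain from this guide, `hoop_create_agent_secret hoop.<YOURDOMAIN> default hoop` produces the same default-agent secret as the manual kubectl command above, and the deployment that follows picks it up unchanged.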

5. Creating a connection

  • Go to https://hoop.<YOURDOMAIN>/login
  • Add a connection of type bash


Test it:

hoop connect bash-demo
connection: bash-demo | session: fa0206d6-57c2-483b-94d0-2627f58b5d8f
root@defaultagent-548b49654-tgg5h:/# echo $MYENV
myenv-value
root@defaultagent-548b49654-tgg5h:/#

After closing the connection, check the audit page at https://hoop.<YOURDOMAIN>/plugins/audit; it should contain everything you typed in the bash-demo session.