AWS Remote Provisioning

Altinity.Cloud Anywhere operates inside the user’s Kubernetes environment. Kubernetes can be provided by the user (see the “Kubernetes Installation” section) or provisioned by Altinity.

10 May 2023 · Read time 6 min

Introduction

Altinity technical support can remotely provision AWS EKS clusters with an Altinity.Cloud Anywhere environment in your Amazon account. The instructions on this page describe how to configure your AWS account so that Altinity has permission to provision ClickHouse in your Amazon EKS Kubernetes environment. Figure 1 gives a high-level view of the Altinity.Cloud Kubernetes infrastructure.

Figure 1 - Altinity.Cloud Kubernetes architecture, using Altinity Cloud Manager.


Summary of the Bootstrap Process

This section summarizes the bootstrap process so that you can use Altinity.Cloud to deploy a ClickHouse cluster to your AWS EKS environment.

  1. Follow the Altinity.Cloud Anywhere Quickstart.

  2. Provision an AWS EKS cluster using an EC2 instance running under a user account.
    The EC2 instance is required to deploy altinitycloud-connect, which establishes an outbound connection to Altinity.Cloud and starts the EKS provisioning process.
    The EC2 instance can be set up in two ways:

    • Automatically, using the AWS CloudFormation template.
    • Manually, following the Altinity documentation.
  3. Follow this document to complete the provisioning process.

  4. In the Altinity Cloud Manager, complete the configuration of EKS resources.



Automated Provisioning of EKS using an EC2 Instance Created from the AWS CloudFormation Template

An Amazon AWS EC2 instance is required to deploy altinitycloud-connect, which will establish an outbound connection to Altinity.Cloud and start the EKS provisioning process.

In Altinity.Cloud

  1. Get an Altinity.Cloud account.

  2. Get an Altinity.Cloud Anywhere environment record.

  3. Get the connection token from Altinity Cloud Manager connection wizard.

Figure 2 - AWS CloudFormation Stack.


  1. Go to the Create stack page of AWS CloudFormation as shown in Figure 2. NOTE: The URL differs for other regions.
    Log in to your AWS account, then navigate to:
us-west-2.console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/create
  2. From the altinitycloud-connect release page, download the CloudFormation YAML file:
altinitycloud-connect-<release-tag>.aws-cloudformation.yaml
  3. Choose Upload a template file and select the Altinity CloudFormation template YAML file as shown in Figure 2.

  4. Fill in the missing fields on the Specify Stack Details page:

    • Set ‘Stack Name’ to altinitycloud-connect-$USER-$ENV_NAME (replace $USER and $ENV_NAME as needed).

    • Set ‘Subnets’ to the subnets where the altinitycloud-connect EC2 instance(s) should be launched (example: subnet-17c1674a, subnet-2d5c8855, subnet-e0d425aa).

    • Set ‘Token presented by https://acm.altinity.cloud’ to the token value from Step 2.

  5. Important: At the last step of the wizard, check the notice “I acknowledge that AWS CloudFormation might create IAM resources with custom names”.

  6. Complete the wizard and submit the form.


EC2 background processing explained

The EC2 instance is processed in the background as follows:

  • The EC2 instance is started from the CloudFormation template
  • The EC2 instance connects to Altinity.Cloud using altinitycloud-connect
  • The EKS cluster is provisioned
  • The EKS cluster connects to Altinity.Cloud using altinitycloud-connect

In Altinity.Cloud

  1. Select the ‘Proceed’ button in the connection wizard. NOTE: It is OK to select Proceed more than once, since provisioning takes some time. Once the EKS cluster is provisioned, the wizard switches to the ‘Resources Configuration’ page.

  2. Finish configuration of node pools as described in the Resource Configuration section.



Manual Provisioning of the EC2 instance

The AWS EC2 instance should meet the following requirements:

EC2 Instance Requirements

  • Instance type: t2.micro (minimum)
  • OS: Ubuntu Server 20.04

Creating a Role with IAM Policies

Set up a role with the following IAM managed policies for IAM, EC2, VPC, S3, Lambda and SSM access (EKS access is granted by the custom policy in the next section):

  arn:aws:iam::aws:policy/IAMFullAccess
  arn:aws:iam::aws:policy/AmazonEC2FullAccess
  arn:aws:iam::aws:policy/AmazonVPCFullAccess
  arn:aws:iam::aws:policy/AmazonS3FullAccess
  arn:aws:iam::aws:policy/AWSLambda_FullAccess
  arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore


Creating a policy for EKS full access

  1. Create a standard policy for EKS full access as follows (the iam:PassRole statement is conditioned so that roles can only be passed to the EKS service):

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Effect":"Allow",
             "Action":[
                "eks:*"
             ],
             "Resource":"*"
          },
          {
             "Effect":"Allow",
             "Action":"iam:PassRole",
             "Resource":"*",
             "Condition":{
                "StringEquals":{
                   "iam:PassedToService":"eks.amazonaws.com"
                }
             }
          }
       ]
    }
  2. So that the instance can reach the EC2 metadata service and the Internet but accepts no inbound connections, set its security group to:

    • deny all inbound traffic
    • allow all outbound traffic

Installing Altinity.Cloud Connect

  1. Download altinitycloud-connect.

  2. Install the binary using the following terminal command. NOTE: This example is for a Linux x86_64 (amd64) installation.

    curl -sSL https://github.com/altinity/altinitycloud-connect/releases/download/v0.20.0/altinitycloud-connect-0.20.0-linux-amd64 -o altinitycloud-connect \
    && chmod a+x altinitycloud-connect \
    && sudo mv altinitycloud-connect /usr/local/bin/
    
  3. Log in to Altinity.Cloud and get a connection token. NOTE: A cloud-connect.pem file is created in the current working directory.

    altinitycloud-connect login --token=<registration token>
    
  4. Connect to Altinity.Cloud:

    altinitycloud-connect --capability aws
    

Start EKS provisioning

The following data is required in order to create the VPC and EKS cluster properly:

  • The CIDR for the Kubernetes VPC (at least /21 recommended, e.g. 10.1.0.0/21)
  • The Number of Availability Zones (3 are recommended)

Please send this information to your Altinity support representative to start the EKS provisioning process. When it completes, the Altinity Cloud Manager (ACM) is updated and you can then create your ClickHouse clusters.

The remainder of the provisioning process is handled by Altinity.Cloud. Users may switch back to ACM and wait for the connection to be established in order to finish configuration.


In Altinity.Cloud

  1. Select the Proceed button in the connection wizard. You may repeat this step more than once to see if the connection has completed, since provisioning takes some time. Once the EKS cluster is provisioned, the connection wizard will switch to the Resources Configuration page.

  2. Finish the configuration of the node pools as described in the Resources Configuration section.



Break Glass Procedure

The “Break Glass” procedure grants Altinity SSH access to the EC2 instance through AWS Systems Manager (SSM), in order to troubleshoot the altinitycloud-connect process running on that instance.

  1. Create an IAM role named AnywhereAdmin with the following trust policy:

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Effect":"Allow",
             "Principal":{
                "AWS":"arn:aws:iam::313342380333:role/AnywhereAdmin"
             },
             "Action":"sts:AssumeRole"
          }
       ]
    }
    
  2. Attach the following permission policy to the role:

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Effect":"Allow",
             "Action":"ssm:StartSession",
             "Resource":[
                "arn:aws:ec2:$REGION:$ACCOUNT_ID:instance/$INSTANCE_ID",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
             ]
          }
       ]
    }
    
  3. Send the following ARN string to Altinity. NOTE: To revoke Break Glass access later, reverse this change or remove the permission policy from the role.

    arn:aws:ec2:$REGION:$ACCOUNT_ID:instance/$INSTANCE_ID
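
Rendering the two Break Glass documents from the $REGION, $ACCOUNT_ID and $INSTANCE_ID placeholders, and checking that the role trusts only the Altinity principal and can open a session on only that one instance, as an added Python example that is not part of the Altinity documentation; the region, account and instance identifiers used are constructed sample values.

```python
import json
import re

# Values taken from the page: the Altinity principal allowed to assume the role
# and the SSM document that opens an SSH session.
ALTINITY_PRINCIPAL = "arn:aws:iam::313342380333:role/AnywhereAdmin"
SSH_SESSION_DOCUMENT = "arn:aws:ssm:*:*:document/AWS-StartSSHSession"


def instance_arn(region, account_id, instance_id):
    """Build the instance ARN, rejecting malformed placeholders before they reach IAM."""
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d", region):
        raise ValueError(f"bad region: {region}")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"bad account id: {account_id}")
    if not re.fullmatch(r"i-[0-9a-f]{8}(?:[0-9a-f]{9})?", instance_id):
        raise ValueError(f"bad instance id: {instance_id}")
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"


def trust_policy():
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": ALTINITY_PRINCIPAL}, "Action": "sts:AssumeRole"}]}


def permission_policy(region, account_id, instance_id):
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [instance_arn(region, account_id, instance_id), SSH_SESSION_DOCUMENT]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scope_findings(trust, perm, expected_instance):
    """Return deviations from the page's minimal Break Glass scope (empty list = OK)."""
    findings = []
    for stmt in trust["Statement"]:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p != ALTINITY_PRINCIPAL:
                findings.append(f"unexpected trusted principal: {p}")
    for stmt in perm["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action != "ssm:StartSession":
                findings.append(f"action beyond StartSession: {action}")
        for res in _as_list(stmt.get("Resource", [])):
            # Any EC2 ARN other than the single agreed instance (e.g. instance/*) widens access.
            if res.startswith("arn:aws:ec2:") and res != expected_instance:
                findings.append(f"session target not limited to the instance: {res}")
    return findings
```

Run `json.dumps(permission_policy("us-west-2", "123456789012", "i-0123456789abcdef0"), indent=2)` to get the document to paste into IAM, and `scope_findings` over a role's existing documents to confirm nothing wider than the page's scope has been attached.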
    

Last modified 2023.05.10: change title to AWS Remote Provisioning