Prerequisites

A dedicated EKS cluster is required to deploy Lazsa Orchestrator Agent. Consider the following minimum requirements for compute resources as you configure the Kubernetes nodes in the cluster:

EKS Cluster Requirements

EKS version 1.24 or later
Minimum 2 nodes (Minimum 8GiB RAM and 2vCPU per node)
Deploy the EKS cluster in the same region where the Lazsa Platform is deployed. For any queries, contact Calibo Technical Support Team.
Create EKS cluster IAM role and Amazon EKS node IAM role as per the AWS guidelines.

2. Install NGINX Ingress Controller

Install NGINX Ingress Controller with Network Load Balancer (NLB) in the EKS cluster that you created in prerequisite 1. We recommend using an internal NLB, which ensures that the Ingress Controller is accessible only within the cluster's internal network, enhancing security.

NGINX Ingress Controller Requirements

Version 1.3.0 or later

For information about how to install the Ingress-Nginx Controller, see Ingress-Nginx Controller Installation Guide.

3. Store a placeholder secret in AWS Secrets Manager

Configure AWS Secrets Manager in the same AWS account as the Amazon EKS Cluster used for deploying the Lazsa Orchestrator Agent.
Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.
Click Store a new secret.
For Secret type, select Other type of secret.

In Key/value pairs, add the following key with its value as an empty string.

Key

apiKey

Note:

This is a predefined secret used by the Lazsa Orchestrator Agent. Do not change the key name.

Value <empty string>

Creating a placeholder secret in AWS Secrets Manager

On the next page, provide the secret name. For more information, refer to AWS documentation.

Lazsa Orchestrator Agent uses this placeholder secret to store its API key. This key is used to authenticate the API requests sent from the Lazsa Platform.

4. Create an IAM policy

Create an IAM policy to allow the Amazon EKS node to resolve secrets from AWS Secrets Manager and to update the API token secret (apiKey) that you created in the earlier section.

Refer to the following sample IAM policy:

Sample IAM Policy

While editing this sample IAM policy, replace the following placeholder values with your actual values. This sample policy contains minimal permissions which must not be altered.

Placeholder Value	Expected Value
`<AWS Region>`	Replace this with your AWS region name.
`<Account ID>`	Replace this with your AWS account ID.
`<Secret Name>`	Replace this with the name of the tool's secret that you want Lazsa Orchestrator Agent to resolve. For each tool's secret, add a separate entry in the policy. `"Resource": [ "arn:aws:secretsmanager:<AWS Region>:<Account ID>:secret:<Secret Name 1>", "arn:aws:secretsmanager:<AWS Region>:<Account ID>:secret:<Secret Name 2>", "arn:aws:secretsmanager:<AWS Region>:<Account ID>:secret:<Secret Name 3>"`
`<secret-name-for-api-token>`	Replace this with the name of the placeholder secret that you configured in prerequisite 3. `"Resource": "arn:aws:secretsmanager:<AWS Region>:<Account ID>:secret:<secret-name-for-api-token>"` Note: The sample policy allows the Amazon EKS node on which the Lazsa Orchestrator Agent runs to update the value of this secret during key rotation.

Copy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "kms:Decrypt",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:<AWS Region>:<Account ID>:secret:<Secret Name 1>",
        "arn:aws:secretsmanager:<AWS Region>:<Account ID>:secret:<Secret Name 2>",
        "arn:aws:secretsmanager:<AWS Region>:<Account ID>:secret:<Secret Name 3>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "secretsmanager:UpdateSecret",
      "Resource": "arn:aws:secretsmanager:<AWS Region>:<Account ID>:secret:<secret-name-for-api-token>"
    }
  ]
}

Attach this IAM policy to the Amazon EKS node IAM role that you have created while setting up your Amazon EKS cluster.

5. Provide network connectivity

Allow inbound and outbound connectivity on port 443 to the Amazon EKS cluster on which you deploy the Lazsa Orchestrator Agent. Make sure that the following services are accessible from your EKS cluster:

Docker Hub
Ensure access to Docker Hub. This connectivity is required to download the Orchestrator Agent images from the Docker Hub.
Amazon S3
Ensure connectivity to Amazon S3 to download Lazsa Orchestrator Agent Helm charts.
Lazsa Platform
Ensure the Lazsa Platform is accessible from your EKS cluster. This connectivity is required to establish a secure connection between the Orchestrator agent and the Lazsa Platform.

6. Create TLS certificates

The following commands help you generate a self-signed Certificate Authority (CA) certificate, server certificate, and client certificate. You can also use your trusted root CA to generate these certificates.

Create a CA certificate by running the following command in your command line interface. Replace Test Cert Authority with the name of your trusted certificate authority. The -days parameter indicates the validity period of the certificate. By default, it is set to 365. You can modify this value. After the specified period, the certificate will expire and you must regenerate the self-signed CA certificate.
Copy
```
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 365 -nodes -subj "/CN=Test Cert Authority"
```

Create a server certificate for your domain by using the CA certificate that you created in step 1. To create the server certificate, run the following command in your command-line interface. Replace <your_domain_name> with your domain name. The -days parameter indicates the validity period of the certificate. By default, it is set to 365. You can modify this value. After the specified period, the server certificate will expire and you must regenerate it.
Copy
```
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj "/CN= <your_domain_name>" && openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
```

Create a client certificate by using the CA certificate that you created in step 1. To create a client certificate, run the following command in your command line interface. The -days parameter indicates the validity period of the certificate. By default, it is set to 365. You can modify this value. After the specified period, the certificate will expire and you must regenerate the certificate and upload it to the Lazsa Platform by editing the agent details.
Copy
```
openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj "/CN=Lazsa" && openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
```

Convert the client certificate to PKCS#12 format by running the following command. Remember the password that you add to create the certificate in PKCS#12 format. You must provide this password when you upload the client certificate during agent installation.
Copy
```
openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt
```

Prerequisites to Install Lazsa Orchestrator Agent on Amazon EKS Cluster by Using mTLS

Note:

Note: