Prerequisites for Deploying Lazsa Orchestrator Agent
You must complete the following prerequisites before you deploy the Lazsa Orchestrator Agent in your environment:
Step | Specifications | Instructions |
---|---|---|
Create an EKS (AWS) cluster | A dedicated EKS cluster (version 1.22) is required for the Lazsa Orchestrator Agent. Minimum Kubernetes node configuration: 2 nodes, each with 8/16 GB RAM and 4 vCPU. | |
Install Ingress Controller | Ingress Controller version 0.44 | |
Set up a Network Load Balancer | Network Load Balancer (NLB) | |
Create an IAM Role | Assign an IAM role to the Kubernetes nodes so that they can read secrets from AWS Secrets Manager. | Refer to the Sample IAM Policy below. |
Configure AWS Secrets Manager | Configure AWS Secrets Manager in the same AWS account and region as the EKS cluster used to deploy the Lazsa Orchestrator Agent. | |
Provide DNS name | | This also requires access to the Route 53 AWS service. |
Create CA Certificates | `openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj '/CN=Test Cert Authority'` (replace `Test Cert Authority` with valid text) | The certificate needs to be created for the DNS name provided above. |
Create Server certificate for the domain | `openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=<your_domain_name>' && openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt` | Replace `<your_domain_name>` with the actual domain. The server certificate needs to be applied to the Ingress Controller. |
Create Client Certificate | `openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Lazsa' && openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt` To convert the certificate to PKCS#12 (.p12) format, use: `openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt` | The client certificate must be in PKCS#12 format and must have a password. The certificate needs to be created for the DNS name provided above. |
Provide Network connectivity | | |
Install Lazsa Orchestrator Agent | | Install Helm S3 adapter |
Create Hosted Zone in Route 53 | Used to create the DNS record for the Orchestrator. | |
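The three certificate steps in the table (CA, server certificate, client certificate and its PKCS#12 export) are shown below as one script that also verifies the result. This is an added example, not a script from the Lazsa documentation: `DOMAIN`, `P12_PASS`, `OUTDIR` and `KEY_BITS` are placeholders, and the `subjectAltName` on the server certificate is an addition to the table's commands, since TLS clients check the hostname against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example, not part of the Lazsa documentation: generates the CA, server
# and client certificates from the prerequisites table in one run and verifies
# the result. DOMAIN, P12_PASS, OUTDIR and KEY_BITS are placeholders/assumptions.
set -eu

DOMAIN="${DOMAIN:-orchestrator.example.com}"   # placeholder: your DNS name from Route 53
P12_PASS="${P12_PASS:-change-me}"              # placeholder: password for the client .p12
OUTDIR="${OUTDIR:-./lazsa-certs}"              # placeholder output directory
KEY_BITS="${KEY_BITS:-4096}"                   # the table uses rsa:4096

make_certs() {
  mkdir -p "$OUTDIR"

  # 1. Self-signed CA (the CN is example text; the table says to replace it).
  openssl req -x509 -sha256 -newkey "rsa:${KEY_BITS}" -keyout "$OUTDIR/ca.key" \
    -out "$OUTDIR/ca.crt" -days 356 -nodes -subj '/CN=Example Cert Authority' 2>/dev/null

  # 2. Server certificate for the domain, signed by the CA. The subjectAltName
  #    is added (not in the table) because TLS clients match the hostname
  #    against the SAN, so a CN-only certificate fails hostname verification.
  openssl req -new -newkey "rsa:${KEY_BITS}" -keyout "$OUTDIR/server.key" \
    -out "$OUTDIR/server.csr" -nodes -subj "/CN=${DOMAIN}" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$DOMAIN" > "$OUTDIR/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$OUTDIR/server.csr" \
    -CA "$OUTDIR/ca.crt" -CAkey "$OUTDIR/ca.key" -set_serial 01 \
    -extfile "$OUTDIR/server.ext" -out "$OUTDIR/server.crt" 2>/dev/null

  # 3. Client certificate (CN=Lazsa as in the table), used for mutual TLS.
  openssl req -new -newkey "rsa:${KEY_BITS}" -keyout "$OUTDIR/client.key" \
    -out "$OUTDIR/client.csr" -nodes -subj '/CN=Lazsa' 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$OUTDIR/client.csr" \
    -CA "$OUTDIR/ca.crt" -CAkey "$OUTDIR/ca.key" -set_serial 02 \
    -out "$OUTDIR/client.crt" 2>/dev/null

  # 4. PKCS#12 bundle with a password (the table requires one); -passout makes
  #    the export non-interactive instead of prompting for the password.
  openssl pkcs12 -export -out "$OUTDIR/client.p12" -inkey "$OUTDIR/client.key" \
    -in "$OUTDIR/client.crt" -passout "pass:${P12_PASS}"
}

# Checks worth running before the files go to the Ingress Controller: both leaf
# certificates chain to ca.crt, the server cert names the domain in its SAN,
# and the .p12 opens with the chosen password.
verify_certs() {
  openssl verify -CAfile "$OUTDIR/ca.crt" "$OUTDIR/server.crt" "$OUTDIR/client.crt" >/dev/null &&
    openssl x509 -in "$OUTDIR/server.crt" -noout -text | grep -q "DNS:${DOMAIN}" &&
    openssl pkcs12 -in "$OUTDIR/client.p12" -noout -nodes -passin "pass:${P12_PASS}" 2>/dev/null
}

# Usage: DOMAIN=orchestrator.example.com P12_PASS='...' sh make-certs.sh run
if [ "${1:-}" = "run" ]; then
  make_certs && verify_certs && echo "certificates written to $OUTDIR"
fi
```

Run it with `run` as the first argument after exporting `DOMAIN` and `P12_PASS`; `server.crt`/`server.key` then go to the Ingress Controller and `client.p12` (with its password) is the client certificate the table asks for. The `verify_certs` step is the check to repeat after any later re-issue, since a certificate that does not chain to `ca.crt` or lacks the domain in its SAN will be rejected at the TLS handshake rather than at deployment time.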
Sample IAM Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": [
        "arn:aws:secretsmanager:us-west-2:111122223333:secret:secret-name1",
        "arn:aws:secretsmanager:us-west-2:111122223333:secret:secret-name2",
        "arn:aws:secretsmanager:us-west-2:111122223333:secret:secret-name3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "secretsmanager:UpdateSecret",
      "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:secret-name-for-api-token"
    }
  ]
}
```