Prerequisites for Deploying Lazsa Orchestrator Agent

You must complete the following prerequisites before you deploy the Lazsa Orchestrator Agent in your environment:

Step: Create an EKS (AWS) cluster
Specifications: A dedicated EKS cluster (Kubernetes 1.22) is required for the Lazsa Orchestrator Agent.
Instructions: Kubernetes node configuration (minimum):
  • 2 nodes (minimum)
  • Each node: 8/16 GB RAM, 4 vCPU

Step: Install Ingress Controller
Specifications: Ingress Controller version 0.44

Step: Set up a Network Load Balancer
Specifications: Network Load Balancer (NLB)

Step: Create an IAM Role
Specifications: Assign an IAM role to the Kubernetes nodes that allows them to read secrets from AWS Secrets Manager.
Instructions: Refer to the Sample IAM Policy below.

Step: Configure AWS Secrets Manager
Specifications: Configure AWS Secrets Manager in the same AWS account and region as the EKS cluster used for deploying the Lazsa Orchestrator Agent.

Step: Provide DNS name
Specifications:
  • DNS name for the Lazsa Orchestrator Agent
  • Configure the DNS name with the Ingress Controller.
Instructions: This also requires access to the Route 53 AWS service.
Step: Create CA certificate
Specifications:

openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 365 -nodes -subj '/CN=Test Cert Authority'

(Replace Test Cert Authority with valid text. The CA must remain valid for at least as long as the server and client certificates it signs, so its validity is set to 365 days to match them.)
Instructions: The certificate needs to be created for the DNS name provided above.

Step: Create server certificate for the domain
Specifications:

openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=<your_domain_name>' && openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

(Replace <your_domain_name> with the actual domain; do not leave spaces around it inside the -subj value.)
Instructions: The server certificate needs to be applied to the Ingress Controller.

Step: Create client certificate
Specifications:

openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Lazsa' && openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

To convert the certificate into PKCS#12 (.p12) format, use the following command:

openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt

The client certificate must be in PKCS#12 (.p12) format and must have a password (openssl prompts for the export password).
Instructions: The certificate needs to be created for the DNS name provided above.
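The three certificate steps above, scripted end to end as an added example (not from the Lazsa documentation) that also verifies the result: both leaf certificates chain to the CA, the server certificate carries a subjectAltName for the domain (TLS clients match the DNS name against the SAN rather than the CN, and the page's command does not add one), the .p12 opens with its password, and the CA does not expire before the certificates it signed. DOMAIN, P12_PASS and the CA name are assumed values.

```shell
#!/bin/sh
# Added example, not from the Lazsa documentation: runs the page's CA, server and
# client certificate steps in a scratch directory, then checks the result.
# Assumed values: DOMAIN (the agent's DNS name) and P12_PASS (the export password).
set -eu
DOMAIN="${DOMAIN:-orchestrator.example.com}"  # assumed; use the DNS name provided above
P12_PASS="${P12_PASS:-change-me}"             # assumed; the client .p12 must carry a password
LEAF_DAYS=365

# Create ca.crt, server.crt, client.crt and client.p12 in directory $1.
make_certs() (
  cd "$1"
  # CA: its validity must cover the full lifetime of the leaves it signs.
  openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt \
    -days "$LEAF_DAYS" -nodes -subj '/CN=Lazsa Cert Authority' 2>/dev/null
  # Server certificate for the Ingress Controller. TLS clients match the DNS name
  # against subjectAltName rather than CN, so the SAN is added via -extfile.
  printf 'subjectAltName=DNS:%s\n' "$DOMAIN" > san.ext
  openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes \
    -subj "/CN=$DOMAIN" 2>/dev/null
  openssl x509 -req -sha256 -days "$LEAF_DAYS" -in server.csr -CA ca.crt \
    -CAkey ca.key -set_serial 01 -extfile san.ext -out server.crt 2>/dev/null
  # Client certificate (CN=Lazsa) and its password-protected PKCS#12 bundle.
  openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes \
    -subj '/CN=Lazsa' 2>/dev/null
  openssl x509 -req -sha256 -days "$LEAF_DAYS" -in client.csr -CA ca.crt \
    -CAkey ca.key -set_serial 02 -out client.crt 2>/dev/null
  openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt \
    -certfile ca.crt -passout "pass:$P12_PASS"
)

# Return 0 only if the files in $1 are usable for the agent's mutual TLS setup:
# both leaves chain to the CA, the server cert names DOMAIN in its SAN, the .p12
# opens with the password, and the CA stays valid for the whole leaf lifetime.
check_certs() (
  cd "$1"
  openssl verify -CAfile ca.crt server.crt client.crt >/dev/null || exit 1
  openssl x509 -in server.crt -noout -text | grep -q "DNS:$DOMAIN" || exit 1
  openssl pkcs12 -in client.p12 -noout -passin "pass:$P12_PASS" || exit 1
  # -checkend fails if the CA expires within N seconds (120 s slack for key generation);
  # a CA made with "-days 356" would fail here while its 365-day leaves were still valid.
  openssl x509 -in ca.crt -noout -checkend $((LEAF_DAYS * 86400 - 120)) >/dev/null || exit 1
)

if [ "${1:-}" = "run" ]; then
  dir=$(mktemp -d)
  make_certs "$dir"
  check_certs "$dir"
  echo "certificates in $dir verified"
fi
```

Run it as `sh make-certs.sh run`; the generated server.crt/server.key go to the Ingress Controller and client.p12 is the password-protected client bundle.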

Step: Provide network connectivity
Specifications:
  • Inbound and outbound on port 443.
  • Internet access to connect to the Lazsa Registry.

Step: Install Lazsa Orchestrator Agent
Specifications:
  • Helm (version 3.0)
  • kubectl (compatible with the EKS cluster)
  • AWS CLI
  • Helm S3 adapter
Instructions: Install the Helm S3 adapter (https://github.com/hypnoglow/helm-s3.git).

Step: Create Hosted Zone in Route 53
Specifications: It is used for creating the DNS record for the Orchestrator.

Sample IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-west-2:111122223333:secret:secret-name1",
                "arn:aws:secretsmanager:us-west-2:111122223333:secret:secret-name2",
                "arn:aws:secretsmanager:us-west-2:111122223333:secret:secret-name3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "secretsmanager:ListSecrets",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "secretsmanager:UpdateSecret",
            "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:secret-name-for-api-token"
        }
    ]
}