Deploy to AWS

1

Build Infrastructure ⏱️ 15 Mins

We've tested automation that provisions the required infra.

Deploy Infrastructure

git clone https://github.com/opengovern/automation.git
cd automation/terraform/eks
terraform init
terraform plan
terraform apply -auto-approve

Connect to Kubernetes Clusters; After infrastructure is provisioned, you will be an output similar to this:

Outputs:

configure_kubectl = "aws eks --region us-east-2 update-kubeconfig --name opencomply-abc123"
eks_cluster_name = "opencomply"

Run the output of configure_kubectl command to connect to Kubernetes Cluster

2

Install App

helm repo add opencomply https://charts.opencomply.io
helm repo update
helm install -n opencomply opencomply opencomply/opencomply --create-namespace
3

Configure HTTPS Certificate with ACM

If you already have an ACM certificate for your domain in the same region as Kubernetes, you can simply export the ARN of the existing certificate

export CERTIFICATE_ARN=arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-5678-90ef-ghij-1234567890a

  1. To request a new ACM certificate for the domain using DNS validation:

    aws acm request-certificate \
  --domain-name $DOMAIN \
  --validation-method DNS \
  --idempotency-token deploy-2024 \

  2. Retrieve the Certificate ARN and DNS Validation Records:

    CERTIFICATE_ARN=$(aws acm list-certificates --region us-east-1 --query "CertificateSummaryList[?DomainName=='demo.opengovernance.io'].CertificateArn" --output text)
echo "Certificate ARN: $CERTIFICATE_ARN"

VALIDATION_RECORDS=$(aws acm describe-certificate --certificate-arn $CERTIFICATE_ARN --region us-east-1 --query "Certificate.DomainValidationOptions[].ResourceRecord" --output json)
echo "Validation Records: $VALIDATION_RECORDS"
4

Deploy Load Balancer

a. Create Ingress

Use a heredoc to define and apply the Ingress YAML, injecting environment variables for DOMAIN_NAME and CERTIFICATE_ARN.

kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: opencomply
  name: opencomply-ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/backend-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: "$CERTIFICATE_ARN"
    kubernetes.io/ingress.class: alb
spec:
  ingressClassName: alb
  rules:
    - host: "$DOMAIN_NAME"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-proxy  # Replace with actual service name if different
                port:
                  number: 80
EOF

b. Retrieve the Load Balancer DNS Name:

LB_DNS=$(kubectl get ingress opengovernance-ingress -n opengovernance -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
echo "Load Balancer DNS: $LB_DNS"

c. Create DNS Records

  • Host/Name: demo.example.io

  • Type: CNAME

  • Value/Points to: $LB_DNS

5

Restart App

a. Update App Config

helm upgrade opencomply opencomply/opencomply -n opencomply -f <(cat <<EOF
global:
  domain: ${DOMAIN}
dex:
  config:
    issuer: https://${DOMAIN}/dex
EOF
)

b. Restart Services

kubectl delete pods -l app=nginx-proxy -n opencomply && kubectl delete pods -l app.kubernetes.io/name=dex -n opencomply

App is not accessible at https://<your-domain-name>

PreviousDeploy on DigitalOcean / LinodeNextSingle Sign-On

Last updated