Versions Compared

...

To install OCI Native Ingress Controller, follow these steps:

  1. Add the eks repository to the helm repository:

```bash
helm repo add eks https://aws.github.io/eks-charts
```

     Create a config file named user-auth-config.yaml, containing credential information, in the following format:

...

```yaml
auth:
  region: <region-identifier>
  user: <user-ocid>
  fingerprint: <fingerprint>
  tenancy: <tenancy-ocid>
```
  1. Create a Kubernetes secret resource in the cluster by entering:

```bash
helm repo update
```

...

```bash
kubectl create secret generic <secret-name> \
  --from-file=config=user-auth-config.yaml \
  --from-file=private-key=<private-key-file-path>.pem \
  --namespace uepe
```
  1. Grant the OCI Native Ingress Controller permission to access resources created by other OCI services, such as the Load Balancer service and the Certificates service. The following IAM policies must therefore be installed.

```bash
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n uepe --version <helm chart version> \
  --set clusterName=<cluster_name configured in terraform.tfvars> \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller
```

Where <helm chart version> is a compatible version listed in the Compatibility Matrix.

Info

The helm install command assumes that the service account for the AWS Load Balancer Controller already exists.

Service account name: set to metadata.name under the iam.serviceAccounts section of the uepe-eks.yaml file in the Set Up Kubernetes Cluster - AWS section.

Namespace: set to metadata.namespace under the iam.serviceAccounts section of the uepe-eks.yaml file in the Set Up Kubernetes Cluster - AWS section.
```
Allow group <group-name> to manage load-balancers in compartment <compartment-name>
Allow group <group-name> to use virtual-network-family in compartment <compartment-name>
Allow group <group-name> to manage cabundles in compartment <compartment-name>
Allow group <group-name> to manage cabundle-associations in compartment <compartment-name>
Allow group <group-name> to manage leaf-certificates in compartment <compartment-name>
Allow group <group-name> to read leaf-certificate-bundles in compartment <compartment-name>
Allow group <group-name> to manage certificate-associations in compartment <compartment-name>
Allow group <group-name> to read certificate-authorities in compartment <compartment-name>
Allow group <group-name> to manage certificate-authority-associations in compartment <compartment-name>
Allow group <group-name> to read certificate-authority-bundles in compartment <compartment-name>
Allow group <group-name> to read cluster-family in compartment <compartment-name>
```

```
ALLOW any-user to manage network-security-groups in compartment <compartment-name> where request.principal.type = 'cluster'
ALLOW any-user to manage vcns in compartment <compartment-name> where request.principal.type = 'cluster'
ALLOW any-user to manage virtual-network-family in compartment <compartment-name> where request.principal.type = 'cluster'
```

```
Allow group <group-name> to inspect certificate-authority-family in compartment <compartment-name>
Allow group <group-name> to use certificate-authority-delegate in compartment <compartment-name>
Allow group <group-name> to manage leaf-certificate-family in compartment <compartment-name>
Allow group <group-name> to use leaf-certificate-family in compartment <compartment-name>
Allow group <group-name> to use certificate-authority-delegate in compartment <compartment-name>
Allow group <group-name> to manage certificate-associations in compartment <compartment-name>
Allow group <group-name> to inspect certificate-authority-associations in compartment <compartment-name>
Allow group <group-name> to manage cabundle-associations in compartment <compartment-name>
```
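The policy lists above contain overlapping grants (for example, both manage and use on leaf-certificate-family, and use certificate-authority-delegate twice). As an added example that is not part of the original page or of the OCI Native Ingress Controller documentation, the following stand-alone Python script parses statements written in the form shown above and flags exact duplicates, verbs already covered by a stronger grant on the same scope, and any-user grants that carry no where condition. It assumes OCI's documented verb ordering inspect < read < use < manage, and its sample text is a constructed subset of the statements above.

```python
import re

# Constructed sample: a subset of the OCI policy statements listed above.
POLICY_TEXT = """
Allow group <group-name> to manage leaf-certificate-family in compartment <compartment-name>
Allow group <group-name> to use leaf-certificate-family in compartment <compartment-name>
Allow group <group-name> to use certificate-authority-delegate in compartment <compartment-name>
Allow group <group-name> to use certificate-authority-delegate in compartment <compartment-name>
ALLOW any-user to manage vcns in compartment <compartment-name> where request.principal.type = 'cluster'
"""

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # least to most permissive

STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>any-user|(?:group|dynamic-group)\s+\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?:compartment\s+)?(?P<compartment>\S+)(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)

def parse_statements(text):
    """One statement per non-empty line; a malformed line raises rather than being skipped."""
    stmts = []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = STATEMENT_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable policy statement: {line!r}")
        stmts.append({k: v.lower() if k in ("subject", "verb") else v
                      for k, v in m.groupdict().items()})
    return stmts

def _scope(s):
    return (s["subject"], s["resource"], s["compartment"], s["condition"])

def audit(text):
    """Flag duplicates, verbs subsumed by a stronger grant on the same scope, and open any-user grants."""
    stmts = parse_statements(text)
    findings, seen, strongest = [], set(), {}
    for s in stmts:  # highest verb rank granted per (subject, resource, compartment, condition)
        strongest[_scope(s)] = max(strongest.get(_scope(s), 0), VERB_RANK[s["verb"]])
    for s in stmts:
        full = _scope(s) + (s["verb"],)
        if full in seen:
            findings.append(("duplicate", s))
        seen.add(full)
        if VERB_RANK[s["verb"]] < strongest[_scope(s)]:
            findings.append(("subsumed", s))
        if s["subject"] == "any-user" and not s["condition"]:
            findings.append(("unconditioned-any-user", s))
    return findings
```

Running audit over the full lists above before applying them shows which statements can be dropped without reducing what the controller can do.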

Kubernetes Add-ons

The following general Kubernetes resources should be added:

...

  1. Install the ExternalDNS helm chart:

    ```bash
    helm install external-dns bitnami/external-dns -n uepe \
      --version <helm chart version> -f external-dns-values.yaml
    ```

    Where <helm chart version> is a compatible version listed in the Compatibility Matrix.

Info

Namespace: set to metadata.namespace under the iam.serviceAccounts section of the uepe-eks.yaml file in the Set Up Kubernetes Cluster - AWS section.

...

  1. Add the ingress-nginx helm repository:

    ```bash
    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
    ```

  2. Update the helm repository to get the latest software:

    ```bash
    helm repo update
    ```

  3. Create a file called ingress-nginx-values.yaml and populate it with the following helm values:

    ```yaml
    controller:
      scope:
        enabled: true
      admissionWebhooks:
        enabled: false
      metrics:
        enabled: false
        serviceMonitor:
          enabled: false
      ingressClassResource:
        name: nginx
        enabled: true
        default: false
        controllerValue: "k8s.io/ingress-nginx"
      watchIngressWithoutClass: false
      service:
        targetPorts:
          http: 80
          https: 443
        type: NodePort
      extraArgs:
        v: 1
    serviceAccount:
      create: false
    ```

  4. Install the ingress-nginx-controller helm chart:

    ```bash
    helm install ingress-nginx ingress-nginx/ingress-nginx \
      --version <helm chart version> -f ingress-nginx-values.yaml -n uepe
    ```

    Where <helm chart version> is a compatible version listed in the Compatibility Matrix.

Executing helm list should show all add-ons added in this section. Example:

...