Installation on AWS
NEW IN RELEASE 154
Sonatype IQ Server can be configured to run simultaneously on two or more Kubernetes nodes in an Active-Active cluster to limit downtime. The HA cluster is limited to a single logical EKS cluster spanning multiple AZs in a single region; it does not span regions.
These requirements are designed to protect your installations on Amazon Web Services (AWS) from scenarios such as:
- AWS Availability Zone (AZ) outage within a single AWS region
- Node/server (EC2) failures
- IQ Server service/database failures
We have thoroughly tested and verified the functionality and performance of the Sonatype IQ Server with the named third-party tools, technologies, and platforms mentioned in this section. Using other equivalent technologies and platforms may not result in the exact same outcomes, and is not supported by Sonatype.
Requirements for HA Installation on Amazon Web Services (AWS)
In addition to the general requirements, here are the specific requirements for AWS deployments:
- Amazon Elastic Kubernetes Service (EKS)
- Amazon Elastic File System (EFS)
- Relational Database Service (RDS) for PostgreSQL
- Application Load Balancer (ALB)
Steps to Implement the Reference Architecture
Step 1 - Amazon Virtual Private Cloud (VPC)
- Create a VPC in which to launch the required AWS resources (EKS, EFS, RDS, and ALB).
Step 2 - Amazon Aurora PostgreSQL Cluster
- Create an Amazon Aurora PostgreSQL DB cluster to hold the IQ Server database.
- Keep the DB cluster in private subnets and allow inbound PostgreSQL connections only from the security group used by the EKS nodes or pods.
Step 3 - Amazon Elastic Kubernetes Service (EKS) Cluster
- Create an EKS cluster with a node group of at least 2 nodes, with the nodes spread across multiple AZs.
- Configure the cluster so that one IQ Server pod runs on each node.
- Pods must have the permissions required for the AWS resources they use (e.g., RDS, EFS, ALB, CloudWatch).
- Permissions can be granted through an IAM role associated with a Kubernetes service account (IAM Roles for Service Accounts) that the pods use, or through the IAM role of the EKS worker nodes. A service-account role limits the permissions to the IQ Server pods rather than granting them to every pod on the node.
- We recommend using security groups attached to the resources (for example, the EFS mount targets and the DB cluster) to control network access to them.
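As an added example that is not part of this page or of the Sonatype Helm chart, the manifests below show one way to give the IQ Server pods their own IAM identity through IAM Roles for Service Accounts and to keep one pod per node while spreading the pods across Availability Zones. The chart renders the real workload; the names, labels, namespace, role ARN and POSIX ids here are assumptions, and the Deployment shows the fields the rendered pod template should contain.

```yaml
# Added example (not from the Sonatype Helm chart). All names, the namespace,
# the role ARN and the uid/gid values are assumptions for illustration.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: iq-server-ha          # assumed name; point the chart's service-account setting at it
  namespace: iq-server        # assumed namespace (see Step 9)
  annotations:
    # IRSA: the EKS pod identity webhook injects a web-identity token for this role.
    # Attach only the policies the pods need (e.g. CloudWatch log delivery,
    # Secrets Manager reads); do not reuse the node role.
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/iq-server-ha   # assumed ARN
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: iq-server-ha
  namespace: iq-server
spec:
  replicas: 2                 # one pod per node, matching the 2-node minimum in Step 3
  selector:
    matchLabels:
      app: iq-server-ha
  template:
    metadata:
      labels:
        app: iq-server-ha
    spec:
      serviceAccountName: iq-server-ha
      automountServiceAccountToken: true   # the IRSA token is delivered through the projected SA volume
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000       # assumed; must match the POSIX user that owns the shared EFS tree
        fsGroup: 1000
      affinity:
        podAntiAffinity:
          # Hard rule: never co-locate two IQ Server pods on one node, so a node
          # failure removes at most one instance.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: iq-server-ha
              topologyKey: kubernetes.io/hostname
      topologySpreadConstraints:
        # Soft rule: spread pods across AZs so an AZ outage leaves a survivor.
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: ScheduleAnyway
          labelSelector:
            matchLabels:
              app: iq-server-ha
      containers:
        - name: iq-server
          image: sonatype/nexus-iq-server   # tag omitted here; pin the release you install
          ports:
            - name: application
              containerPort: 8070
            - name: admin
              containerPort: 8071
```

The anti-affinity rule is what enforces "one IQ Server pod per node": with `replicas: 2` and only two nodes, a third replica would stay Pending rather than double up on a node.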
Step 4 - Amazon Elastic File System (EFS)
- Create an EFS to store shared files containing non-database data (e.g. scans, reports, etc.) between multiple IQ Server instances.
Step 5 - Amazon Application Load Balancer (ALB)
Install the ALB controller in your cluster. It can be configured in any of the following ways:
- The ALB controller automatically provisions a new ALB via an ingress
- The ALB controller automatically configures an existing ALB, with no ingress required
- You manually provision and configure an ALB
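For the first option (the controller provisions an ALB from an Ingress), the following Ingress is an added example that is not part of this page or of the Sonatype Helm chart. The Service name, namespace, ACM certificate ARN and the allowed CIDR are assumptions; the annotations are those of the AWS Load Balancer Controller.

```yaml
# Added example (not from the Sonatype Helm chart). Service name, namespace,
# certificate ARN and inbound CIDR are assumptions for illustration.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: iq-server-ha
  namespace: iq-server
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    # IP targets register the pod IPs directly, so requests reach each pod without a NodePort hop.
    alb.ingress.kubernetes.io/target-type: ip
    # Terminate TLS at the ALB with an ACM certificate and redirect plain HTTP to HTTPS,
    # so the TLS override in the Helm chart is only needed if you want TLS to the pods as well.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    # Restrict who can reach the listener; remove only if the server is meant to be public.
    alb.ingress.kubernetes.io/inbound-cidrs: 203.0.113.0/24
    # Health-check the application port so a pod that is up but not serving is taken out of rotation.
    alb.ingress.kubernetes.io/healthcheck-path: /
    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: iq-server-ha     # assumed name of the Service the chart creates
                port:
                  number: 8070         # IQ Server application port
```

Because the ALB is the only path external requests take to the pods, the security group the controller creates for it, together with the inbound CIDR list, is where the externally reachable surface of the deployment is defined.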
Step 6 - Amazon EFS Container Storage Interface (CSI) Driver Controller
Install the EFS CSI driver into your cluster and configure it so that it can mount the EFS file system into the IQ Server pods.
Step 7 - EFS Storage Class - optional
Install an EFS storage class in the cluster for dynamic provisioning. This is optional: the Helm chart can instead use static provisioning, which requires a direct reference to the EFS file system, or a pre-existing PersistentVolume/PersistentVolumeClaim (PV/PVC) that points to the EFS file system.
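The two alternatives described in Step 7, as an added example that is not part of this page or of the Sonatype Helm chart: a StorageClass for dynamic provisioning through the EFS CSI driver, and a static PV/PVC pair bound to an existing EFS access point. The file system id, access point id, names and POSIX ids are assumptions; apply only one of the two alternatives.

```yaml
# Added example (not from the Sonatype Helm chart). File system id, access point
# id, names and uid/gid are assumptions for illustration.
#
# Alternative 1: dynamic provisioning. The driver creates one EFS access point per PVC.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: efs-iq-server
provisioner: efs.csi.aws.com
parameters:
  provisioningMode: efs-ap
  fileSystemId: fs-0123456789abcdef0     # assumed EFS id
  basePath: "/iq-server"
  directoryPerms: "700"                  # the access-point root is private to the IQ Server uid/gid
  uid: "1000"                            # assumed; must match the container's runAsUser
  gid: "1000"
reclaimPolicy: Retain                    # keep scans and reports if the PVC is deleted
volumeBindingMode: Immediate
---
# Alternative 2: static provisioning. The PV points at an existing access point and
# the Helm chart is pointed at the PVC.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-iq-server-pv
spec:
  capacity:
    storage: 5Gi                         # required by the API; EFS itself is elastic
  accessModes:
    - ReadWriteMany                      # every IQ Server pod mounts the same tree
  persistentVolumeReclaimPolicy: Retain
  storageClassName: ""                   # empty string: no dynamic provisioner is involved
  csi:
    driver: efs.csi.aws.com
    volumeHandle: fs-0123456789abcdef0::fsap-0123456789abcdef0   # "<fs-id>::<access-point-id>"
    volumeAttributes:
      encryptInTransit: "true"           # TLS between the node and the EFS mount target
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: efs-iq-server-pvc
  namespace: iq-server                   # assumed namespace
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: ""
  volumeName: efs-iq-server-pv           # bind to the PV above rather than to any matching PV
  resources:
    requests:
      storage: 5Gi
```

In both cases an EFS access point pins the POSIX identity and root directory the pods see, so the shared scan and report data is not reachable from other workloads that can mount the same file system.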
Step 8 - Kubernetes Secrets Store CSI Driver - optional
- Install the Kubernetes Secrets Store CSI Driver into your cluster and configure it to enable AWS Secrets Manager access.
- This is useful if you wish to store the license, the initial admin password, or the database settings in AWS secrets.
- Alternatively, the license can be passed directly during installation as a file or as a reference to a Kubernetes secret, and the passwords can be passed directly during installation as text or as references to Kubernetes secrets. Passing passwords as plain text on the Helm command line leaves them in the shell history and in the Helm release record, so prefer secret references.
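A SecretProviderClass for the AWS provider of the Secrets Store CSI Driver, as an added example that is not part of this page or of the Sonatype Helm chart. The Secrets Manager secret names, the key layout of the database secret, the aliases and the namespace are assumptions; the Kubernetes Secret it synchronizes is the kind of reference the license and password overrides accept.

```yaml
# Added example (not from the Sonatype Helm chart). Secret names, JSON keys,
# aliases and the namespace are assumptions for illustration.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: iq-server-secrets
  namespace: iq-server
spec:
  provider: aws
  parameters:
    # "objects" is a string holding a YAML list, as the AWS provider expects.
    objects: |
      - objectName: "iq-server/license"                 # binary secret holding the license file
        objectType: "secretsmanager"
        objectAlias: "license.lic"
      - objectName: "iq-server/initial-admin-password"
        objectType: "secretsmanager"
        objectAlias: "initial-admin-password"
      - objectName: "iq-server/database"                # JSON secret: {"username": ..., "password": ...}
        objectType: "secretsmanager"
        jmesPath:
          - path: username
            objectAlias: db-username
          - path: password
            objectAlias: db-password
  # Mirror the mounted files into a Kubernetes Secret so the Helm chart can be given a
  # secret reference instead of plain-text values. Requires the driver to be installed
  # with syncSecret.enabled=true, and a pod must mount the CSI volume for the sync to run.
  secretObjects:
    - secretName: iq-server-db-credentials
      type: Opaque
      data:
        - objectName: db-username
          key: username
        - objectName: db-password
          key: password
    - secretName: iq-server-initial-admin
      type: Opaque
      data:
        - objectName: initial-admin-password
          key: password
    - secretName: iq-server-license
      type: Opaque
      data:
        - objectName: license.lic
          key: license.lic
```

The pod's IAM role (Step 3) needs `secretsmanager:GetSecretValue` on exactly these secrets and nothing else; the driver mounts the secret files into the pod with the CSI volume type `secrets-store.csi.k8s.io` and the `secretProviderClass` volume attribute set to the name above.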
Step 9 - Kubernetes Namespace - optional
Create a separate Kubernetes namespace for IQ Server HA by using the kubectl tool:
kubectl create namespace <namespace>
Alternatively, you can use the default namespace.
Step 10 - Install Helm chart
Running your Kubernetes Cluster
Follow the steps in the latest README for running the Kubernetes cluster.
Overrides for Helm Chart
Some Helm chart settings must be customized or overridden to match the IQ Server HA deployment requirements.
Use the --set flag (or --set-file for file contents such as the license) to override the Helm chart settings, as specified in the README.
The list below shows the Helm chart overrides (refer to the README for implementation details):
- IQ Server License (required): An IQ Server license that supports the HA feature must be supplied at install time.
- Database configuration (required)
- Shared file system (required): To share data between IQ Server pods, such as scans, reports, component details, advanced search index, etc.
- Load Balancer (required): A load balancer must be configured to allow and route external requests to IQ Server pods.
- Transport Layer Security (TLS) certificate and key (optional)
- IQ Server configuration parameters (optional)
- Unified logging layer - Fluentd (required)
- Autoscaling configuration parameters (optional)