Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: adding documentation for paralus addon #714

Merged
merged 5 commits into from
Jun 22, 2023
Merged

docs: adding documentation for paralus addon #714

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e6c9eba
docs: adding documentation for paralus addon
niravparikh05 Jun 6, 2023
009ddc9
restructed paralus addon docs
niravparikh05 Jun 13, 2023
c7aa2d5
Merge branch 'aws-quickstart:main' into paralus-addon-docs
niravparikh05 Jun 22, 2023
a16504b
addressed review comments
niravparikh05 Jun 22, 2023
f2ad882
Merge branch 'paralus-addon-docs' of ssh://github.com/paralus/cdk-eks…
niravparikh05 Jun 22, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
128 changes: 128 additions & 0 deletions docs/addons/paralus.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
# Paralus Amazon EKS Addon

The Paralus project is a free, open source tool that enables controlled, audited access to Kubernetes infrastructure. It comes with just-in-time service account creation and user-level credential management that integrates with your RBAC and SSO. [Learn more ..](https://www.paralus.io/)

Paralus Blueprint Addon deploys paralus controller on your EKS cluster using [paralus construct](https://github.com/aws-samples/cdk-eks-blueprints-patterns/tree/main/lib/paralus-construct) implemented with the EKS Blueprints [CDK](https://aws.amazon.com/cdk/). Detailed documentation on the same can be accessed from [here](https://github.com/aws-samples/cdk-eks-blueprints-patterns/blob/main/docs/patterns/paralus.md).

Paralus add-on depends on the following add-ons:

AwsLoadBalancerController, VpcCni, KubeProxy, EbsCsiDriverAddOn

NOTE: By default paralus installs few dependent modules like postgres, kratos and also comes with a dashboard. At it's core paralus works atop domain based routing, inter service communication and hence above supporting Add-Ons are required.

## These features makes kubernetes rbac management centralized with a seamless experience

- Creation of custom [roles, users, and groups](https://www.paralus.io/docs/usage/roles).
- Dynamic and immediate changing and revoking of permissions.
- Ability to control access via [pre-configured roles](https://www.paralus.io/docs/usage/) across clusters, namespaces, projects, and more.
- Seamless integration with [Identity Providers (IdPs)](https://www.paralus.io/docs/single-sign-on/) allowing the use of external authentication engines for users and group definitions, such as GitHub, Google, Azure AD, Okta, and others.
- [Automatic logging](https://www.paralus.io/docs/usage/audit-logs) of all user actions performed for audit and compliance purposes.
- Interact with Paralus either with a modern web GUI (default), a CLI tool called [pctl](https://www.paralus.io/docs/usage/cli), or [Paralus API](https://www.paralus.io/docs/references/api-reference).

<p align="center">
<a href="https://paralus.io">
<img alt="Kubernetes Goat" src="https://raw.githubusercontent.com/paralus/paralus/main/paralus.gif" width="600" />
</a>
</p>


## Prerequisite

You must have a domain and access to updating it's DNS records as paralus works atop domain based routing.

## Usage

Run the following command to install the paralus-eks-blueprints-addon dependency in your project.

```
npm i @paralus/paralus-eks-blueprints-addon
```

# Sample EKS Blueprint using Paralus addon

```
import { App } from 'aws-cdk-lib';
import * as blueprints from '@aws-quickstart/eks-blueprints';
import { ParalusAddOn } from '../dist';

const app = new App();

blueprints.EksBlueprint.builder()
.addOns(
new blueprints.AwsLoadBalancerControllerAddOn(),
new blueprints.VpcCniAddOn(),
new blueprints.KubeProxyAddOn(),
new blueprints.EbsCsiDriverAddOn(),
new blueprints.CertManagerAddOn(),
new ParalusAddOn({
namespace: 'paralus-system',
/**
* Values to pass to the chart as per https://github.com/paralus/helm-charts/blob/main/charts/ztka/values.yaml.
*/
// update this to your domain, as paralus works based on domain based routing
values: {
fqdn": {
"domain": <yourdomain.com>,
"hostname": "console-eks",
"coreConnectorSubdomain": "*.core-connector.eks",
"userSubdomain": "*.user.eks"
}
}
}))
.teams()
.build(app, 'paralus-test-blueprint');
```

## AddOn Options

| Option | Description | Default |
|-------------------------|-----------------------------------------------------|-------------------------------|
| `deploy.contour.enable` | Deploy and use Contour as the default ingress | true |
| `deploy.kratos.enable` | Deploy and use Kratos | true |
| `deploy.postgresql.enable` | Deploy and use postgres database | false |
| `deploy.postgresql.dsn` | DSN of your existing postgres database for paralus to use | "" |
| `deploy.fluentbit.enable` | Deploy and use fluentbit for auditlogs with database storage | "" |
| `paralus.initialize.adminEmail` | Admin email to access paralus | "[email protected]" |
| `paralus.initialize.org` | Organization name using paralus | "ParalusOrg" |
| `auditLogs.storage` | Default storage of auditlogs | "database" |
| `fqdn.domain` | Root domain | "paralus.local" |
| `fqdn.hostname` | subdomain used for viewing dashboard | "console" |
| `fqdn.coreConnectorSubdomain` | a wildcard subdomain used for controller cluster to target cluster communication | "*.core-connector" |
| `fqdn.userSubdomain` | a wildcard subdomain used for controller cluster to end user communication | "*.user" |
| `values` | Configuration values passed to the chart. [See options](https://github.com/paralus/helm-charts/tree/main/charts/ztka#values). | {} |

## Configure DNS Settings
Once Paralus is installed continue with following steps to configure DNS settings, reset default password and start using paralus

Obtain the external ip address by executing below command against the installation
`kubectl get svc blueprints-addon-paralus-contour-envoy -n paralus-system`

```
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
blueprints-addon-paralus-contour-envoy LoadBalancer 10.100.101.216 a814da526d40d4661bf9f04d66ca53b5-65bfb655b5662d24.elb.us-west-2.amazonaws.com 80:31810/TCP,443:30292/TCP 10m
```

Update the DNS settings to add CNAME records
```
name: console-eks
value: a814da526d40d4661bf9f04d66ca53b5-65bfb655b5662d24.elb.us-west-2.amazonaws.com

name: *.core-connector.eks
value: a814da526d40d4661bf9f04d66ca53b5-65bfb655b5662d24.elb.us-west-2.amazonaws.com

name: *.user.eks
value: a814da526d40d4661bf9f04d66ca53b5-65bfb655b5662d24.elb.us-west-2.amazonaws.com
```

Obtain your default password and reset it upon first login

`kubectl logs -f --namespace paralus-system $(kubectl get pods --namespace paralus-system -l app.kubernetes.io/name='paralus' -o jsonpath='{ .items[0].metadata.name }') initialize | grep 'Org Admin default password:'`

You can now access dashboard with http://console-eks.<yourdomain.com> ( refers to the hostname.domain specified during installation ), start importing clusters and using paralus.

Note: you can also refer to this [paralus eks blogpost](https://www.paralus.io/blog/eks-quickstart#configuring-dns-settings)

## Support
If you have any questions about Paralus, get in touch with the team [on Slack](https://join.slack.com/t/paralus/shared_invite/zt-1a9x6y729-ySmAq~I3tjclEG7nDoXB0A).

Paralus is maintained and supported by [Rafay](https://rafay.co)