Merge pull request #24 from genestack/feature/ODM-11455-Updating-depl…

…oyment-documentation feature/ODM-11455 Updating deployment documentation
genestack · Mar 21, 2024 · fe0e344 · fe0e344
2 parents 731db91 + 12e1e4b
commit fe0e344
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 33 deletions.
diff --git a/docs/deployment/clouds/aws.md b/docs/deployment/clouds/aws.md
@@ -18,7 +18,7 @@
 
     - The S3 Bucket can use KMS or default S3 encryption.
 
-    - You need to configure CORS, you can find an example here [CORS configuration for S3](#configuration-examples)
+    - You need to [configure CORS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enabling-cors-examples.html), you can find an example here [CORS configuration for S3](#configuration-examples)
 
 2. Create IAM [user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html), [policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) (it will be listed below) and [attach](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) the policy to the user.
 
@@ -52,7 +52,7 @@
 
     - If you do not have strict security requirements for ALB, then it is better to use the automatic creation of ALB using the ALB controller (details below in [EKS configuration](#recommended-steps-for-eks-configuration)).
 
-    - You can use either internal or public schema depending on your situation (with an internal scheme, SCIM synchronization with Azure AD will not work, only SSO Authorization).
+    - You can use either internal or public schema depending on your situation (with an internal scheme, [SCIM synchronization](../single-sign-on/scim/azure.md) with Azure AD will not work, only SSO Authorization).
 
     - ALB Configuration
 
@@ -64,15 +64,35 @@
 
 1. Deploy [EBS controller](https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html).
 
-    - It is recommended to use GP3 storages (to do this, you need to deploy a specific [StorageClass](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/862fe33d2174e00f449ac34859c9990340234a63/docs/parameters.md)), but if required, you can use the default GP2 as well.
+    - Following the documentation, it is required to [create an IAM role](https://docs.aws.amazon.com/eks/latest/userguide/csi-iam-role.html) and [deploy the EKS addon](https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html).
+
+    - It is recommended to use GP3 storages (to do this, you need to deploy a specific [StorageClass](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/862fe33d2174e00f449ac34859c9990340234a63/docs/parameters.md), [example](#configuration-examples)), but if required, you can use the default GP2 as well.
 
 2. Deploy [ALB controller](https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html).
 
-    - If you need to use already created ALB, follow [this documentation](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/use_cases/self_managed_lb/).
+    - Following the documentation, it is required to [create an IAM role](https://docs.aws.amazon.com/eks/latest/userguide/lbc-helm.html#lbc-helm-iam) and [deploy the ALB Controller](https://docs.aws.amazon.com/eks/latest/userguide/lbc-helm.html#lbc-helm-install).
+
+    - If you need to use already created ALB, please review [this documentation](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/use_cases/self_managed_lb/) and follow the steps below.
+
+        1. [Create a target group manually](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-target-group.html) and specify **any** IP address from the EKS subnet, it will be automatically replaced with the actual address by the ALB controller.
+
+            - Target type is `IP addresses`.
+
+            - Target group name is any name. For example: `Genestack-ODM`.
+
+            - `Protocol : Port` is `HTTP : 80`
+
+            - IP address type is `IPv4`
 
-        1. Create and deploy [TargetGroupBinding](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/use_cases/self_managed_lb/#create-targetgroupbinding-crd) ([example](#configuration-examples)) in Kubernetes.
+            - VPC is `YOUR_EKS_VPC`
 
-        2. [Add](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html) target group to ALB listener rules.
+            - Protocol version is `HTTP1`
+
+            - Health check protocol is `HTTP`
+
+            - Health check path is `/frontend/health`
+
+        2. [Create a listener](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html) in ALB and attach the target group.
 
             - HTTP Path Pattern is `/*`.
 
@@ -82,11 +102,13 @@
 
         4. Set `nginx.ingress.enabled` parameter to `false` in ODM helm chart.
 
-        5. Make sure that health checks pass, you may need to make changes to the Security Groups of the ALB (after ODM deployment).
+        5. Create and deploy [TargetGroupBinding](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/use_cases/self_managed_lb/#create-targetgroupbinding-crd) ([example](#configuration-examples)) in Kubernetes.
+
+        6. Ensure that health checks in the target group have passed (after ODM deployment). You may need to allow access for the ALB subnet in the EC2 Security Group.
 
     - If you don't have an ALB.
 
-        - It will be created automatically during ODM deployment.
+        - It will be created automatically during ODM deployment by ALB Controller.
 
 3. [Optional] Deploy [External DNS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md).
 
@@ -96,6 +118,28 @@
 
 ## Configuration examples
 
+<details><summary>CORS configuration for S3</summary>
+```json
+[
+    {
+        "AllowedHeaders": [
+            "accept",
+            "accept-language",
+            "Content-Type"
+        ],
+        "AllowedMethods": [
+            "PUT"
+        ],
+        "AllowedOrigins": [
+            "https://ODM_FQDN"
+        ],
+        "ExposeHeaders": [],
+        "MaxAgeSeconds": 3000
+    }
+]
+```
+</details>
+
 <details><summary>IAM policy for S3 access</summary>
 ```json
 {
@@ -110,7 +154,7 @@
         "s3:ListBucketMultipartUploads",
         "s3:ListBucketVersions"
       ],
-      "Resource" : [S3_BUCKET_ARN]
+      "Resource" : ["S3_BUCKET_ARN"]
     },
     {
       "Sid" : "AllObjectActions",
@@ -120,7 +164,7 @@
         "s3:AbortMultipartUpload",
         "s3:ListMultipartUploadParts"
       ],
-      "Resource" : [S3_BUCKET_ARN/*]
+      "Resource" : ["S3_BUCKET_ARN/*"]
     },
     {
       "Sid" : "AllowUseOfTheKey",
@@ -132,32 +176,24 @@
         "kms:GenerateDataKey*",
         "kms:DescribeKey"
       ],
-      "Resource" : KMS_KEY_ARN
+      "Resource" : ["KMS_KEY_ARN"]
     }
   ]
 }
 ```
 </details>
 
-<details><summary>CORS configuration for S3</summary>
-```json
-[
-    {
-        "AllowedHeaders": [
-            "accept",
-            "accept-language",
-            "Content-Type"
-        ],
-        "AllowedMethods": [
-            "PUT"
-        ],
-        "AllowedOrigins": [
-            "https://ODM_FQDN"
-        ],
-        "ExposeHeaders": [],
-        "MaxAgeSeconds": 3000
-    }
-]
+<details><summary>GP3 StorageClass example</summary>
+```yaml
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: gp3
+parameters:
+  type: gp3
+provisioner: ebs.csi.aws.com
+volumeBindingMode: Immediate
+allowVolumeExpansion: true
 ```
 </details>
 
@@ -173,6 +209,6 @@ spec:
   serviceRef:
     name: odm-nginx
     port: 80
-  targetGroupARN: arn:aws:elasticloadbalancing:us-east-1:12345678902:targetgroup/odm/d74e4eed524cddcd
+  targetGroupARN: TARGET_GROUP_ARN
 ```
 </details>
diff --git a/docs/deployment/helm/how-to-deploy.md b/docs/deployment/helm/how-to-deploy.md
@@ -21,11 +21,17 @@ This tool ensures seamless access to ECR by handling credential rotation.
 
     - It's important to note that the ECR password is valid for a duration of 12 hours.
 
+    - If you are using [AWS EKS](https://aws.amazon.com/eks/), you do not need this tool. Access to our ECR will be provided upon request.
+
 - To utilize external storage solutions that are compatible with Distributed File System (DFS) within a Kubernetes environment, it is necessary to first establish a Persistent Volume Claim (PVC).
 
 ## Deployment process
 
-1. [Configure AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html#getting-started-quickstart-new) (see **Long-term credentials**) with the credentials provided by our support team (this is necessary to access the ECR).
+1. Preparing to log in to ECR.
+
+    - If you are not hosting on AWS, [Configure AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html#getting-started-quickstart-new) (see **Long-term credentials**) with the credentials provided by our support team (this is necessary to access the ECR).
+
+    - If you are hosting on AWS, ensure that you have the [AmazonEC2ContainerRegistryReadOnly](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryReadOnly) policy or a similar one enabled for access to ECR.
 
 2. Login to ECR
 
@@ -34,7 +40,7 @@ This tool ensures seamless access to ECR by handling credential rotation.
     --password-stdin 091468197733.dkr.ecr.us-east-1.amazonaws.com
     ```
 
-3. Download Helm Chart (use the latest version)
+3. Download Helm Chart (the latest version will be downloaded automatically)
 
     ```shell
     helm pull oci://091468197733.dkr.ecr.us-east-1.amazonaws.com/genestack/chart/odm

diff --git a/...s/loading-new-ontology/skos-dictionary.md → ...s/loading-new-ontology/skos-dictionary.md b/...s/loading-new-ontology/skos-dictionary.md → ...s/loading-new-ontology/skos-dictionary.md