From 3a0dc1e33b22ce25c32a11500b6b8d8622fc7b45 Mon Sep 17 00:00:00 2001 From: Vladislav Tropnikov Date: Thu, 27 Feb 2025 18:47:02 +0100 Subject: [PATCH] feature/ODM-12422 update docs --- docs/home/clouds/aws.md | 68 ++++++++++++++++++++++---- docs/home/release-notes/v1.50-v1.59.md | 19 ------- docs/home/release-notes/v1.60-v1.69.md | 44 +++++++++++++++++ mkdocs.yml | 3 +- 4 files changed, 105 insertions(+), 29 deletions(-) create mode 100644 docs/home/release-notes/v1.60-v1.69.md diff --git a/docs/home/clouds/aws.md b/docs/home/clouds/aws.md index 5b25f9c7..1cac3556 100644 --- a/docs/home/clouds/aws.md +++ b/docs/home/clouds/aws.md @@ -3,7 +3,8 @@ ## Required types of resources - [AWS S3 Bucket](https://aws.amazon.com/s3/) -- [AWS IAM](https://aws.amazon.com/iam/) user with bucket access above (programmatic access) +- [AWS IAM](https://aws.amazon.com/iam/) user with bucket access above (programmatic access) [_up to ODM version 1.60_] +- [AWS IAM](https://aws.amazon.com/iam/) role with bucket access above [_after ODM version 1.60_] - [AWS EKS](https://aws.amazon.com/eks/) - [AWS EBS](https://aws.amazon.com/ebs/) - [AWS ALB](https://aws.amazon.com/elasticloadbalancing/) 
@@ -20,22 +21,28 @@ - It is recommended to set up a lifecycle rule to clean up unfinished multipart uploads. Example of [AbortIncompleteMultipartUpload rule](#configuration-examples). -2. Create IAM [user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html), [policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) (it will be listed below) and [attach](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) the policy to the user. - - - [Programmatic access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) is required to work ODM with IAM user. - - - You can find the recommended IAM policy here [IAM policy for S3 access](#configuration-examples). - -3. Create [VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html). +2. Create [VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html). - Must have at least 2 private subnets [[link](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html)]. - Each subnets must contain at least 100 free IP addresses [recommendation]. -4. Create [EKS](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html). +3. Create [EKS](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html). - Deploy the addons you need. +4. Create IAM [user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) [_up to ODM version 1.60_], [role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html) [_after ODM version 1.60_], [policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) (it will be listed below) and [attach](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) the policy to the user/role. + + - [Programmatic access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) is required to work ODM with IAM user. 
+ + - You can find the recommended IAM policy here [IAM policy for S3 access](#configuration-examples). + + - Choose between [EKS IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) and [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) based on your requirements; however, we recommend using EKS Pod Identity. + + - You can find the recommended `Trust Relationships` for EKS IRSA here [IRSA Trust Relationships](#configuration-examples). + + - You can find the recommended `Trust Relationships` for EKS Pod Identity here [Pod Identity Trust Relationships](#configuration-examples). + 5. Create Route53 [hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html). - You can use private or public zone. @@ -177,6 +184,49 @@ ``` +
IRSA Trust Relationships +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/oidc.eks.AWS_REGION.amazonaws.com/id/AWS_EKS_OIDC_ID" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringLike": { + "oidc.eks.AWS_REGION.amazonaws.com/id/AWS_EKS_OIDC_ID:sub": "system:serviceaccount:odm:odm", + "oidc.eks.AWS_REGION.amazonaws.com/id/AWS_EKS_OIDC_ID:aud": "sts.amazonaws.com" + } + } + } + ] +} +``` +
+ +
Pod Identity Trust Relationships +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "pods.eks.amazonaws.com" + }, + "Action": [ + "sts:TagSession", + "sts:AssumeRole" + ] + } + ] +} +``` +
+
GP3 StorageClass example ```yaml apiVersion: storage.k8s.io/v1 diff --git a/docs/home/release-notes/v1.50-v1.59.md b/docs/home/release-notes/v1.50-v1.59.md index fa32d1c7..cc04ea2f 100644 --- a/docs/home/release-notes/v1.50-v1.59.md +++ b/docs/home/release-notes/v1.50-v1.59.md @@ -1,24 +1,5 @@ # Release notes -## Version 1.60 - -!!! tip "" -Helm chart version 1.60.x - -### Rclone Migration - -The following ODM component called `funcFile` was replaced with `rclone`. - -As a result of this migration, the configuration of storages was moved from `funcFile` to `application.yaml` files in `core`, `applications`, and `funcJob`. -You can find configuration examples in the "examples" directory within the Helm chart. -Note that the configuration section `genestack.rclone` in all three of these services should be identical. For this purpose, we recommend using YAML anchors, which are also included in the examples. - -## SAML elimitaion - -Support of SAML was eliminated. - -### Helm configuration changes - ## Version 1.59 !!! tip "" diff --git a/docs/home/release-notes/v1.60-v1.69.md b/docs/home/release-notes/v1.60-v1.69.md new file mode 100644 index 00000000..c9085fdc --- /dev/null +++ b/docs/home/release-notes/v1.60-v1.69.md 
@@ -0,0 +1,44 @@ +# Release notes + +## Version 1.60 + +!!! tip "" + Helm chart version 1.60.x + +### Rclone Migration + +The following ODM component called `funcFile` was replaced with `rclone`. + +As a result of this migration, the configuration of storages was moved from `funcFile` to `application.yaml` files in `core`, `applications`, and `funcJob`. +You can find configuration examples in the "examples" directory within the Helm chart. +Note that the configuration section `genestack.rclone` in all three of these services should be identical. For this purpose, we recommend using YAML anchors, which are also included in the examples. + +Also, Rclone allows to use the AWS IAM role instead of the AWS IAM user. If this is relevant fo your environment, then information on deployment can be found [here](./../clouds/aws.md) in paragraph 4. + +### SAML elimitaion + +Support of SAML was eliminated. + +### Helm configuration changes + +- The `credentials` section has been removed, please use the `rclone` configuration instead. + + ```yaml + credentials: + awsS3Region: + awsS3AccessKey: + awsS3SecretAccessKey: + ``` + +- All configuration related to `SAML` has been removed. + +- The `region` parameter has been removed from the `applications` configuration. + + ```yaml + applications: + files: + "/var/lib/genestack/properties/application.yaml": + frontend: + aws: + region: + ``` diff --git a/mkdocs.yml b/mkdocs.yml index 5f093781..69073736 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -29,7 +29,8 @@ nav: - Azure SCIM: home/troubleshooting/azure-scim.md - Sanity check: home/troubleshooting/sanity-check.md - Release Notes: - - v1.50 - v1.59: home/release-notes/v1.50-v1.59.md + - v1.60 - v1.69: home/release-notes/v1.60-v1.69.md + - v1.50 - v1.59: home/release-notes/v1.50-v1.59.md theme: name: material palette:
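Review bot: in the `Required types of resources` hunk of aws.md the version markers leave 1.60 itself ambiguous: the IAM user line says `[_up to ODM version 1.60_]` and the IAM role line says `[_after ODM version 1.60_]`, so a reader on exactly 1.60 cannot tell which applies, while the new v1.60 release notes say role support arrives with the Rclone migration in 1.60. Suggest `[_before ODM version 1.60_]` and `[_ODM version 1.60 and later_]`, and the same wording where the markers are repeated in step 4.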
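Review bot: the rewritten step 4 in aws.md documents the credential side of the IAM user path but nothing that actually binds the new IAM role to the workload: for IRSA the `odm` service account still needs the `eks.amazonaws.com/role-arn` annotation, and for EKS Pod Identity a Pod Identity association must be created for the `odm` namespace/service account, yet neither is mentioned, so a reader on the role path ends with a trust policy that nothing assumes. Also fix the grammar of "is required to work ODM with IAM user" (suggest "is required for ODM to work with an IAM user; it is not needed for a role") and, while this list is being touched, the pre-existing "Each subnets must contain" in the context lines.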
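Review bot: in the `IRSA Trust Relationships` example the `sub` and `aud` conditions sit under `StringLike` although neither value contains a wildcard; AWS's own IRSA example uses `StringEquals`, which states the intent exactly and avoids a silent widening if someone later introduces `*` into the service-account match, so suggest `"StringEquals"` here. The `Pod Identity Trust Relationships` example, by contrast, carries no condition at all, so any Pod Identity association in the account can make this role assumable; that is how Pod Identity is designed (the namespace/service-account scoping lives in the association, not in the trust policy), but the page should say so next to the example, because a reader coming from the IRSA block will look for the `odm:odm` restriction and not find it.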
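Review bot: the new `v1.60-v1.69.md` carries over two typos and adds one: "SAML elimitaion" should be "SAML elimination", "relevant fo your environment" should be "relevant for your environment", and "Rclone allows to use" reads better as "Rclone allows using". The pointer "can be found [here](./../clouds/aws.md) in paragraph 4" will go stale whenever the numbered steps in aws.md are reordered (this very patch renumbers them), so link to a heading anchor instead. Since the `credentials` section with `awsS3AccessKey` / `awsS3SecretAccessKey` is removed, the notes should also tell operators what to do with the old IAM user after switching to a role: rotate or delete its access keys, so a credential that no longer appears in the Helm values does not remain valid.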