# Digazu product for AWS Marketplace instructions

Below are the steps required to deploy the Digazu helm chart on an AWS Kubernetes cluster.

## Create a cluster with the appropriate node configuration

### Prerequisites

- An AWS account with administrative access.
- `kubectl` installed. [Install it here](https://kubernetes.io/docs/tasks/tools/install-kubectl/).

### Install the required tools

#### eksctl

This tool makes it easier to create Kubernetes clusters on AWS.

```shell
curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_Linux_amd64.tar.gz"
tar xzf eksctl_Linux_amd64.tar.gz -C /tmp && rm eksctl_Linux_amd64.tar.gz
sudo mv /tmp/eksctl /usr/local/bin
```

#### AWS CLI

eksctl requires the latest AWS CLI.

```shell
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
```

### Create a Kubernetes Cluster

The command below creates a cluster named `digazu` in `eu-west-1` with three `t3.2xlarge` nodes. The `--with-oidc` flag associates an IAM OIDC provider with the cluster; the service-account roles created in the following steps depend on it.

```shell
eksctl create cluster --name digazu \
    --version 1.25  \
    --region eu-west-1   \
    -N 3 -t t3.2xlarge  \
    --with-oidc \
    --alb-ingress-access
```

### Configure identity and add-on to provision Kubernetes storage

First create an IAM role for the EBS CSI driver's service account (bound to the cluster's OIDC provider), then install the `aws-ebs-csi-driver` add-on using that role:

```shell
eksctl create iamserviceaccount \
    --region eu-west-1 \
    --name ebs-csi-controller-sa \
    --namespace kube-system \
    --cluster digazu \
    --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
    --approve \
    --role-only \
    --role-name AmazonEKS_EBS_CSI_DriverRole
```

```shell
eksctl create addon --name aws-ebs-csi-driver   \
    --cluster digazu \
    --service-account-role-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/AmazonEKS_EBS_CSI_DriverRole    \
    --force --region eu-west-1
```

### Configure kubectl

To connect to the cluster, run the following:

```shell
aws eks --region eu-west-1 update-kubeconfig --name digazu
```

## Create an S3 bucket and configure access to it

Create an AWS S3 bucket:

```bash
aws s3api create-bucket \
    --bucket digazu-storage \
    --region eu-west-1
```

Create an AWS role with the following permission policies to allow Digazu to access and upload files to this bucket:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1554422960000",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::digazu-storage",
                "arn:aws:s3:::digazu-storage/*"
            ]
        }
    ]
}
```

And the following trust relationship (trust policy):

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::220994048790:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/20A1C02834FE4A9A0FDAEF7BBE7C2C52"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.eu-west-1.amazonaws.com/id/20A1C02834FE4A9A0FDAEF7BBE7C2C52:sub": "system:serviceaccount:digazu:s3-bucket-storage",
                    "oidc.eks.eu-west-1.amazonaws.com/id/20A1C02834FE4A9A0FDAEF7BBE7C2C52:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
```

Here `20A1C02834FE4A9A0FDAEF7BBE7C2C52` is the OIDC provider ID of your cluster (and `220994048790` is your AWS account ID). You can get the ID for your cluster with the following command:

```bash
oidc_id=$(aws eks describe-cluster --name digazu --query "cluster.identity.oidc.issuer" --output text --region eu-west-1 | cut -d '/' -f 5)
```

Here `system:serviceaccount:digazu:s3-bucket-storage` refers to the service account installed by Digazu, named `s3-bucket-storage` and placed in the `digazu` namespace.

Once the role is created, provide its ARN in the Helm chart parameter `s3BucketStorage.roleArn`, e.g. `arn:aws:iam::220994048790:role/s3-sa-role`.
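The steps above put together as a script, added here as an example and not part of the Digazu chart or its tooling: it derives the OIDC ID from the cluster's issuer URL, renders the trust policy for the `s3-bucket-storage` service account, creates the role and prints the ARN to use for `s3BucketStorage.roleArn`. It assumes the aws CLI is configured, the permissions policy above is saved as `s3-policy.json`, and the role name `s3-sa-role`.

```shell
#!/usr/bin/env bash
# Added example, not part of the Digazu chart. Assumes the aws CLI is
# configured and the permissions policy above is saved as s3-policy.json.
set -eu

# Extract the OIDC provider ID from the issuer URL that
# `aws eks describe-cluster` returns (the last path segment).
oidc_id_from_issuer() {
  printf '%s\n' "${1##*/}"
}

# Render the trust policy. The sub condition pins the role to one service
# account (namespace + name), so no other pod in the cluster can assume it.
render_trust_policy() {
  account="$1"; region="$2"; oidc_id="$3"; namespace="$4"; sa="$5"
  provider="oidc.eks.${region}.amazonaws.com/id/${oidc_id}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${account}:oidc-provider/${provider}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": { "StringEquals": {
      "${provider}:sub": "system:serviceaccount:${namespace}:${sa}",
      "${provider}:aud": "sts.amazonaws.com"
    } }
  }]
}
EOF
}

# Create the role with that trust policy, attach the permissions policy
# and print the role ARN to pass as s3BucketStorage.roleArn.
# Usage: create_s3_role eu-west-1 digazu s3-sa-role s3-policy.json
create_s3_role() {
  region="$1"; cluster="$2"; role="$3"; policy_file="$4"
  account=$(aws sts get-caller-identity --query Account --output text)
  issuer=$(aws eks describe-cluster --name "$cluster" --region "$region" \
             --query "cluster.identity.oidc.issuer" --output text)
  oidc_id=$(oidc_id_from_issuer "$issuer")
  render_trust_policy "$account" "$region" "$oidc_id" digazu s3-bucket-storage > trust.json
  aws iam create-role --role-name "$role" \
      --assume-role-policy-document file://trust.json > /dev/null
  aws iam put-role-policy --role-name "$role" --policy-name digazu-s3-access \
      --policy-document "file://$policy_file"
  aws iam get-role --role-name "$role" --query Role.Arn --output text
}
```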

## Install the Helm chart

First, pull the chart from our repository:

```bash
helm pull oci://709825985650.dkr.ecr.us-east-1.amazonaws.com/digazu/resources --version {version} --untar
```

Then install the chart with your override values in a file (e.g. `values-override.yaml`), such as:

```yaml
s3BucketStorage:
  bucketName: digazu-storage-test
  roleArn: arn:aws:iam::220994048790:role/s3-sa-role
superMarioBootstrapFile:
  bootstrapDataJson: "{\"users\":[{\"email\":\"admin@digazu.com\",\"name\":\"admin\",\"password\":\"XXX_REPLACE_ME\",\"roles\":[\"super_admin\"]}]}"
```

```bash
helm install digazu ./resources -f values-override.yaml --namespace digazu
```

To access the Digazu UI, port-forward the reverse-proxy service:

```bash
kubectl port-forward svc/reverse-proxy -n digazu 8080:8080
```

Then log in with the credentials configured in the value override `superMarioBootstrapFile.bootstrapDataJson`.
