Using Exostellar Installer Tool

x-install is a new Exostellar installer tool. It provides subcommands to assess and discover the target installation environment, install Exostellar products, and report the post-install readiness.

Prerequisites

Terraform 1.8+
Git 2.34+
Valid AWS Marketplace subscriptions to Exostellar Management Server, Exostellar Controller, and Exostellar Worker AMIs
x-install tool
AWS Account with the following IAM Permissions

AWS Account IAM Permissions (TBD)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": "*"
        },
        {
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ssm:*:<account_id>:parameter/aws/*",
                "arn:aws:ssm:*::parameter/aws/*"
            ],
            "Effect": "Allow"
        },
        {
             "Action": [
               "kms:CreateGrant",
               "kms:DescribeKey"
             ],
             "Resource": "*",
             "Effect": "Allow"
        },
        {
             "Action": [
               "logs:PutRetentionPolicy"
             ],
             "Resource": "*",
             "Effect": "Allow"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:GetRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRolePolicy",
                "iam:GetOpenIDConnectProvider",
                "iam:CreateOpenIDConnectProvider",
                "iam:DeleteOpenIDConnectProvider",
                "iam:TagOpenIDConnectProvider",
                "iam:ListAttachedRolePolicies",
                "iam:TagRole",
                "iam:UntagRole",
                "iam:GetPolicy",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:ListPolicyVersions"
            ],
            "Resource": [
                "arn:aws:iam::<account_id>:instance-profile/eksctl-*",
                "arn:aws:iam::<account_id>:role/eksctl-*",
                "arn:aws:iam::<account_id>:policy/eksctl-*",
                "arn:aws:iam::<account_id>:oidc-provider/*",
                "arn:aws:iam::<account_id>:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
                "arn:aws:iam::<account_id>:role/eksctl-managed-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:GetUser"
            ],
            "Resource": [
                "arn:aws:iam::<account_id>:role/*",
                "arn:aws:iam::<account_id>:user/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "eks.amazonaws.com",
                        "eks-nodegroup.amazonaws.com",
                        "eks-fargate.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"cloudtrail:LookupEvents",
				"cloudformation:ListStacks",
				"cloudformation:DescribeStackEvents",
				"cloudformation:DescribeStacks",
				"cloudformation:ListStackResources",
				"cloudformation:CreateStack",
				"cloudformation:GetTemplateSummary",
				"cloudformation:CreateUploadBucket",
				"ssm:ListAssociations",
				"ec2:RunInstances",
				"ec2:DescribeSubnets",
				"ec2:DescribeKeyPairs",
				"ec2:DescribeVpcs",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSecurityGroupRules",
				"ec2:AuthorizeSecurityGroupIngress",
				"ec2:CreateTags",
				"ec2:CreateSecurityGroup",
				"sns:ListTopics",
				"s3:CreateBucket",
				"iam:AttachRolePolicy",
				"iam:CreateRole",
				"iam:ListRoles",
				"iam:TagRole",
				"iam:PutRolePolicy",
				"iam:CreateInstanceProfile",
				"iam:AddRoleToInstanceProfile",
				"iam:PassRole",
				"ec2:DescribeInstances",
				"ec2:DescribeInstanceTypes",
				"ec2:RunInstances",
				"ec2:DescribeImages",
				"ec2:DescribeImageAttribute",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeAccountAttributes",
				"ec2:DescribeRouteTables",
				"ec2:DescribeNetworkAcls",
				"ec2:DescribeInstanceStatus",
				"ec2:DescribeAddresses",
				"ec2:DescribeDhcpOptions",
				"ec2:DescribeSnapshots",
				"ec2:DescribeVolumes",
				"ec2:DescribeVolumeStatus",
				"ec2:DescribeVolumesModifications",
				"cloudwatch:DescribeAlarms",
				"cloudwatch:ListMetrics",
				"iam:ListUsers",
				"iam:ListAccessKeys",
				"iam:CreateAccessKey",
				"ec2:AuthorizeSecurityGroupEgress",
				"iam:ListPolicyVersions",
				"eks:ListClusters",
				"eks:DescribeCluster",
				"eks:ListNodegroups",
				"eks:DescribeNodegroup",
				"eks:DescribeAddon",
				"eks:ListAddons",
				"eks:DescribeIdentityProviderConfig"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:PutObject",
				"s3:GetObject"
			],
			"Resource": "arn:aws:s3:::cf-template*"
		},
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Action": [
				"eks:CreateCluster",
				"eks:DescribeCluster",
				"eks:DeleteCluster",
				"eks:ListClusters",
				"eks:UpdateClusterConfig",
				"eks:UpdateClusterVersion",
				"eks:CreateNodegroup",
				"eks:DescribeNodegroup",
				"eks:ListNodegroups",
				"eks:UpdateNodegroupConfig",
				"eks:UpdateNodegroupVersion",
				"eks:DescribeAddonVersions",
				"eks:CreateAddon",
				"eks:DeleteAddon",
				"eks:DescribeAddon",
				"eks:ListAddons",
				"eks:UpdateAddon",
				"eks:AccessKubernetesApi",
				"eks:ListAccessPolicies",
				"eks:ListAccessEntries",
				"eks:ListIdentityProviderConfigs",
				"eks:DescribeAccessEntry",
				"eks:ListPodIdentityAssociations",
				"eks:ListAssociatedAccessPolicies",
				"eks:CreateAccessEntry",
				"eks:AssociateAccessPolicy"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:DeleteRolePolicy",
				"iam:DeleteRole",
				"iam:GetRole",
				"iam:ListPolicies",
				"iam:ListAttachedRolePolicies",
				"iam:CreateServiceLinkedRole",
				"iam:RemoveRoleFromInstanceProfile",
				"iam:DeleteInstanceProfile",
				"iam:ListEntitiesForPolicy",
				"iam:GetInstanceProfile",
				"iam:ListInstanceProfiles",
				"iam:ListInstanceProfilesForRole",
				"iam:ListOpenIDConnectProviders",
				"iam:GetOpenIDConnectProvider",
				"iam:GetRolePolicy",
				"ec2:RevokeSecurityGroupIngress",
				"ec2:DeleteSecurityGroup",
				"ec2:StopInstances",
				"ec2:TerminateInstances",
				"ec2:DescribeVpcAttribute",
				"ec2:DescribeTags",
				"ec2:DescribeNetworkInterfaces",
				"cloudformation:DeleteStack",
				"ec2:RevokeSecurityGroupEgress",
				"iam:ListRolePolicies",
				"iam:CreatePolicy",
				"iam:GetPolicy",
				"ec2:DescribeInstanceAttribute",
				"iam:GetPolicyVersion"
			],
			"Resource": "*"
		},
		{
			"Sid": "AdditionalPermissions",
			"Effect": "Allow",
			"Action": [
				"iam:DetachRolePolicy",
				"ec2:CreateVpc",
				"ec2:DeleteVpc",
				"ec2:CreateSubnet",
				"ec2:DeleteSubnet",
				"ec2:CreateRouteTable",
				"ec2:CreateRoute",
				"ec2:AssociateRouteTable",
				"ec2:ReplaceRouteTableAssociation",
				"ec2:DeleteRouteTable",
				"ec2:CreateInternetGateway",
				"ec2:AttachInternetGateway",
				"ec2:AllocateAddress",
				"ec2:ReleaseAddress",
				"ec2:CreateNatGateway",
				"ec2:DeleteNatGateway",
				"cloudformation:UpdateStack",
				"cloudformation:DeleteChangeSet",
				"cloudformation:DescribeChangeSet",
				"cloudformation:ExecuteChangeSet",
				"cloudtrail:DescribeTrails",
				"cloudtrail:GetTrailStatus",
				"cloudtrail:GetEventSelectors",
				"logs:DescribeLogGroups",
				"logs:DescribeLogStreams",
				"logs:GetLogEvents",
				"logs:FilterLogEvents",
				"iam:GetUserPolicy",
				"iam:GetGroupPolicy",
				"iam:GetPolicyVersion",
				"ec2:CreateLaunchTemplate",
				"ec2:DescribeLaunchTemplates",
				"ec2:DescribeInternetGateways",
				"ec2:ModifyVpcAttribute",
				"ec2:ModifySubnetAttribute",
				"ec2:DescribeNatGateways",
				"ec2:DescribeInstanceTypeOfferings",
				"ec2:DescribeEgressOnlyInternetGateways",
				"ec2:DescribeLaunchTemplateVersions",
				"ec2:DeleteLaunchTemplate",
				"eks:TagResource",
				"elasticloadbalancing:CreateLoadBalancer",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DeleteLoadBalancer",
				"elasticloadbalancing:CreateTargetGroup",
				"elasticloadbalancing:DescribeTargetGroups",
				"elasticloadbalancing:RegisterTargets",
				"autoscaling:CreateAutoScalingGroup",
				"autoscaling:UpdateAutoScalingGroup",
				"autoscaling:DeleteAutoScalingGroup",
				"autoscaling:DescribeAutoScalingGroups",
				"autoscaling:DescribeScalingActivities",
				"cloudformation:DescribeChangeSet",
				"cloudformation:ExecuteChangeSet",
				"s3:CreateBucket",
				"s3:DeleteBucket",
				"s3:ListBucket",
				"s3:GetBucketLocation",
				"s3:GetBucketPolicy",
				"s3:PutBucketPolicy"
			],
			"Resource": "*"
		}
	]
}

Steps

Use the following command to create a standalone X-IO stack named xio-standalone:

x-install create-standalone \
  --stack-name=xio-standalone \
  --vpc-cidr=10.0.0.0/16 \
  --ssh-key-pair-name=my-dev-key \
  --region=us-west-1

The new VPC and EKS cluster will be named after the stack name. The VPC is assigned the 10.0.0.0/16 CIDR block. The EC2 SSH key pair my-dev-key can later be used to access the X-IO Management Server.

The stack name, VPC CIDR, SSH key pair name and region should be adjusted to suit your environment.

Once the create-standalone command completed successfully, use the next command to confirm X-IO service readiness:

x-install post-install --stack-name=xio-standalone

It might take a few attempts for post-install to pass all system units and containers readiness checks, due to infrastructure readiness latency.

Once the post-install checks completed successfully, add an x-compute node to the standalone EKS cluster using the eks-node-cli tool found on the X-IO Management Server:

# ssh to the X-IO Management Server
$ ssh rocky@<management-server-public-ip>

# on the X-IO Management Server, add a new node to the standalone EKS cluster
eks-node-cli add -n node-00 -c 1 -m 4096 -p pool-a -r az1 -k xio-standalone

The new node can be verified using the kubectl command:

$ kubectl get node -l eks.amazonaws.com/nodegroup=x-compute
NAME                                          STATUS   ROLES    AGE     VERSION
ip-10-0-39-220.us-west-1.x-compute.internal   Ready    <none>   4m17s   v1.29.3-eks-ae9a62a

By default, the EKS token used to access the standalone EKS cluster expired after 60 minutes. Following that, all attempts to access the cluster will fail with Unauthorized errors.

To generate a new EKS token and use it with your existing kubeconfig file, run:

x-install update-kubeconfig --stack-name=xio-standalone

Once the free trial period is over, the entire standalone stack can be deleted with the destroy command:

x-install destroy --stack-name xio-standalone

Sometimes, Terraform might time out during the destroy process. Re-running the destroy command will allow Terraform to reconcile its final state.

At this time, all controllers and workers EC2 instances need to be manually terminated.

For more information on other subcommands, run:

x-install help