
Self-Managed: yb-operator

Install yb-operator with Helm. This installs the Yellowbrick Operator and Yellowbrick Manager.

INFO

The Yellowbrick Operator creates and manages node groups in the EKS cluster for Yellowbrick Data Warehouse workloads.

If you use Yellowbrick-created storage classes, you must also install yb-storageclass; see Helm: yb-storageclass.

When using the commands or values outlined here, substitute the placeholders defined below:

| Value | Description |
| --- | --- |
| {account} | When on AWS, the account ID |
| {cloud-provider} | Your cloud provider: aws, azure, or gcp |
| {cluster-name} | The name of the Kubernetes cluster |
| {version} | The chart version of yb-operator |
| {node-role-arn} | The role attached to the node group created during Infra: Node Group |
| {instance-name} | The name of the Yellowbrick instance |
| {image-repo} | The container image repository pushed by the Deployer |
| {image-tag} | The corresponding tag of the container image |
| {namespace} | The Kubernetes namespace into which you want to install |
| {observability-ns} | The Kubernetes namespace of the observability suite |
| {observability-storage} | The name of the storage location for observability: on AWS an S3 bucket name, on Azure a Storage Account name |
| {oidc-provider-arn} | When on AWS, the OpenID Connect provider ARN |
| {oidc-provider} | When on AWS, the OpenID Connect provider |
| {partition} | When on AWS, the partition: aws or aws-gov |
| {role-arn-operator} | When on AWS, the IAM role ARN of the operator service account |
| {role-arn-diags} | When on AWS, the IAM role ARN of the diagnostics service account |
| {role-arn-compute} | When on AWS, the IAM role ARN of the compute cluster service account |
| {role-arn-manager} | When on AWS, the IAM role ARN of the Yellowbrick Manager service account |
| {region} | The name of the cloud provider region |
| {storage-class} | The general purpose storage class name, e.g. AWS: gp3, Azure: standard, GCP: pd-balanced |

Helm Chart

Running the Yellowbrick Deployer will push the Helm charts and container images you need into your cloud environment. For instructions on pushing assets using the Deployer, see the documentation.

Chart name: yb-operator

Use the get-assets subcommand to find the version of the yb-operator chart; see the CLI reference.

Install Command

See Authenticating with ECR.

```bash
helm install yb-operator oci://{image-repo}/yb-operator \
  -n {namespace} \
  -f values.yaml \
  --version {version}
```

Values

Please note that you may need to adjust the node selector values as appropriate for your installation.

INFO

Use the get-assets subcommand to find the image tag for yellowbrick/yb-operator, yellowbrick/yb-manager and yellowbrick/yb-template; see the CLI reference.

```yaml
image:
  registry: {image-repo}
  repository: yellowbrick/yb-operator
  tag: {image-tag}

nodeSelector: &nodeSelector
  cluster.yellowbrick.io/hardware_type: t3.large
  cluster.yellowbrick.io/node_type: yb-op-standard
tolerations: &tolerations
  - effect: NoSchedule
    key: cluster.yellowbrick.io/owned
    operator: Equal
    value: "true"

config:
  data:
    provider: {cloud-provider}
    region: {region}
    diagsContainer: diags
    registryHost: {image-repo}
    observabilityBucketName: {observability-storage}
    klusterName: {cluster-name}
    monitoringNamespace: {observability-ns}
    additionalTags:
      cluster_yellowbrick_io_creator: yb-install
      cluster_yellowbrick_io_name: {instance-name}
      cluster_yellowbrick_io_owner: yb-install

installCrd: true

serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: {role-arn-operator}

diags:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: {role-arn-diags}

worker:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: {role-arn-compute}

pvc:
  storageClassName: {storage-class}

certManager:
  create: true
  selfSignedIssuerName: selfsigned

yb-manager:
  enabled: true
  cloudProvider: aws
  containerImage: {image-repo}/yellowbrick/yb-manager:{image-tag}
  instance:
    global: true
  # Using service.annotations disregards loadBalancer.internal and loadBalancer.tags
  service:
    annotations: {}
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: {role-arn-manager}
  loadBalancer:
    internal: false
    tags: ""
  nginxRepository: {image-repo}/nginx
  nodeSelector: *nodeSelector
  tolerations: *tolerations

  storageClassName: {storage-class}

  ybTemplateImage: {image-repo}/yellowbrick/yb-template:{image-tag}
```

If you are using the yb-storageclass Helm chart, please use those storage classes as the value for storageClassName.

INFO

If you do not want to install the Yellowbrick Custom Resource Definitions, add this value:

```yaml
installCrd: false
```

If you want to use custom service annotations to customize the LoadBalancer for YB Manager, use the following values:

```yaml
yb-manager:
  service:
    annotations: {}
    # your custom annotations
    # foo: bar
```

Creating Cloud Infrastructure

AWS

When installing on AWS, IAM Roles for Service Accounts (IRSA) are used, so each Yellowbrick service account is annotated with the ARN of an IAM role whose trust policy admits only that service account. For details on IRSA, see the AWS documentation.

Operator

To the values above, add this value to include the ARN of the AWS IAM role:

```yaml
serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: {role-arn-operator}
```

Create the IAM role:

```bash
aws iam create-role \
  --role-name yb-eks-pod-yb-operator-{instance-name}-{region} \
  --assume-role-policy-document file://trust-policy.json
```

The trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "{oidc-provider-arn}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "{oidc-provider}:sub": "system:serviceaccount:{namespace}:yb-operator-sa"
        }
      }
    }
  ]
}
```

Create the IAM policy:

```bash
aws iam put-role-policy \
  --role-name yb-eks-pod-yb-operator-{instance-name}-{region} \
  --policy-name operator-policy \
  --policy-document file://iam-policy.json
```

The IAM policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObjectVersion",
        "s3:ListBucketVersions",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetBucketPolicy",
        "s3:GetEncryptionConfiguration",
        "s3:PutBucketTagging",
        "s3:DeleteObject",
        "s3:DeleteBucket",
        "s3:GetObject",
        "s3:PutBucketPolicy",
        "s3:GetObjectVersion",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeLaunchTemplates",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:CreatePlacementGroup",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:CreateTags",
        "ec2:RunInstances",
        "ec2:DescribeImages",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:CreateSnapshot",
        "ec2:CreateVolume",
        "ec2:DescribeSnapshotAttribute",
        "ec2:DescribeVolumeAttribute",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:ModifyLaunchTemplate",
        "eks:ListNodegroups",
        "eks:TagResource",
        "eks:DescribeCluster",
        "eks:CreateNodegroup",
        "eks:DescribeNodegroup",
        "eks:UpdateNodegroupVersion",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
        "autoscaling:CreateOrUpdateTags",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:{partition}:iam::{account}:role/{node-role-arn}"
    }
  ]
}
```

Diagnostics

S3 bucket

To create an S3 bucket, the following command can be used:

```bash
aws s3api create-bucket \
  --bucket {observability-storage} \
  --region {region} \
  --create-bucket-configuration LocationConstraint={region}
```

The above command is a minimal example; extend it with whatever bucket configuration (encryption, versioning, access policies) your environment requires.

IAM Role

To the values above, add this value to include the ARN of the AWS IAM role:

```yaml
diags:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: {role-arn-diags}
```

Create the IAM role:

```bash
aws iam create-role \
  --role-name yb-eks-pod-diags-{instance-name}-{region} \
  --assume-role-policy-document file://trust-policy.json
```

The trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "{oidc-provider-arn}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "{oidc-provider}:sub": "system:serviceaccount:{namespace}:yb-diags-sa"
        }
      }
    }
  ]
}
```

Create the IAM policy:

```bash
aws iam put-role-policy \
  --role-name yb-eks-pod-diags-{instance-name}-{region} \
  --policy-name diags-upload \
  --policy-document file://iam-policy.json
```

The IAM policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": "arn:{partition}:s3:::{observability-storage}/*"
    }
  ]
}
```

YB Manager

To the values above, add this value to include the ARN of the AWS IAM role:

```yaml
yb-manager:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: {role-arn-manager}
```

Create the IAM role:

```bash
aws iam create-role \
  --role-name yb-eks-pod-manager-{instance-name}-{region} \
  --assume-role-policy-document file://trust-policy.json
```

The trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "{oidc-provider-arn}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "{oidc-provider}:sub": "system:serviceaccount:{namespace}:yb-manager-serviceaccount"
        }
      }
    }
  ]
}
```

Create the IAM policy:

```bash
aws iam put-role-policy \
  --role-name yb-eks-pod-manager-{instance-name}-{region} \
  --policy-name manager \
  --policy-document file://iam-policy.json
```

The IAM policy (the ARN uses {partition} so the same document works in the aws and aws-gov partitions):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:{partition}:s3:::{observability-storage}/*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeTags",
      "Resource": "*"
    }
  ]
}
```

Compute Cluster

To the values above, add this value to include the ARN of the AWS IAM role:

```yaml
worker:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: {role-arn-compute}
```

Create the IAM role:

```bash
aws iam create-role \
  --role-name yb-eks-pod-compute-cluster-{instance-name}-{region} \
  --assume-role-policy-document file://trust-policy.json
```

The trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "{oidc-provider-arn}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "{oidc-provider}:sub": "system:serviceaccount:{namespace}:yb-{namespace}-worker-sa"
        }
      }
    }
  ]
}
```

Create the IAM policy:

```bash
aws iam put-role-policy \
  --role-name yb-eks-pod-compute-cluster-{instance-name}-{region} \
  --policy-name diags-upload \
  --policy-document file://iam-policy.json
```

The IAM policy (the ARNs use {partition} so the same document works in the aws and aws-gov partitions):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": "arn:{partition}:s3:::yb-*/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
      "Resource": "arn:{partition}:s3:::yb-*"
    }
  ]
}
```

INFO

This policy can be tightened further by using yb-*-{suffix} as the resource pattern instead of yb-*, so the compute cluster can only reach the buckets belonging to this deployment. The {suffix} value is unique per deployment: it is the first 6 characters of the SHA-1 hash of the cluster name, account ID and region concatenated in that order.

For example:

```bash
$ A="cluster-name" B="123456789012" C="us-east-1" && echo -n "${A}${B}${C}" | sha1sum | head -c6
bdc688
```
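As an added example, not part of the Yellowbrick documentation or chart, the following Python reproduces the suffix calculation above, renders the compute-cluster policy with the tightened yb-*-{suffix} resource pattern, and checks that no statement still grants access to every yb-* bucket. The cluster name, account ID and region are constructed values matching the shell example, and the function names are my own.

```python
import hashlib
import json

# Constructed sample inputs; they match the sha1sum example above.
CLUSTER_NAME = "cluster-name"
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"


def bucket_suffix(cluster_name: str, account_id: str, region: str) -> str:
    """First 6 hex characters of SHA-1 over cluster name + account ID + region.

    Equivalent to: echo -n "${A}${B}${C}" | sha1sum | head -c6
    """
    digest = hashlib.sha1(f"{cluster_name}{account_id}{region}".encode()).hexdigest()
    return digest[:6]


def compute_cluster_policy(suffix: str, partition: str = "aws") -> dict:
    """Compute-cluster IAM policy scoped to buckets named yb-*-{suffix}."""
    bucket_arn = f"arn:{partition}:s3:::yb-*-{suffix}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": f"{bucket_arn}/*"},
            {
                "Effect": "Allow",
                "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
                "Resource": bucket_arn,
            },
        ],
    }


def policy_is_scoped(policy: dict, suffix: str) -> bool:
    """Return False if any statement still covers an unsuffixed yb-* bucket."""
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            bucket = arn.split(":::", 1)[1].split("/", 1)[0]
            if not bucket.endswith(f"-{suffix}"):
                return False
    return True


if __name__ == "__main__":
    suffix = bucket_suffix(CLUSTER_NAME, ACCOUNT_ID, REGION)
    print(json.dumps(compute_cluster_policy(suffix), indent=2))
```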