Installing the Self-Hosted Custom Edition on Amazon EKS

Prerequisites

Make sure that the following prerequisites are met:

• Instana agent key and download key are obtained.
• The following tools are available:
  • kubectl
  • AWS Command Line Interface (AWS CLI)
  • Helm
  • Docker or Podman

Procedure

To install Instana on Amazon EKS, complete the following steps:

1. Install the Instana kubectl plug-in, see Installing the Instana kubectl plug-in.

2. Install Helm, see Preparing for online installation.

3. Verify the Instana and Operator versions:

   kubectl instana -v
   

4. Create the namespaces for data stores:

   kubectl create ns instana-zookeeper
   kubectl create ns instana-kafka
   kubectl create ns instana-clickhouse
   kubectl create ns instana-postgres
   kubectl create ns instana-cassandra
   kubectl create ns instana-elastic
   kubectl create ns instana-core
   kubectl create ns instana-units
   kubectl create ns instana-operator
   kubectl create ns cert-manager
   

5. Add the Helm repositories, see Preparing to install data store operators.

6. Install data store Operator:

   1. Create a Cassandra data store, see Creating a Cassandra data store.
   2. Create a Clickhouse data store, see Creating a ClickHouse data store.
   3. Create an Elasticsearch data store, see Creating an Elasticsearch data store.
   4. Create a Kafka data store, see Creating a Kafka data store.
   5. Create a Postgres data store, see Creating a Postgres data store.
   6. Create a Zookeeper data store, see Creating a ZooKeeper data store.
   7. Install BeeInstana, see Using the BeeInstana Kubernetes Operator.

7. Install Instana Enterprise operator, see Installing the Instana Enterprise operator.

8. Download the Instana license:

   kubectl instana license download --sales-key <redacted>
   

9. Provision AWS resources: Instana requires the storage type ReadWriteMany to store rawSpans and monitor data with NFS or Ceph. In Public Cloud, Instana can use S3 Buckets or GCS.

   1. Create a S3 bucket in the same region where the cluster is deployed, create IAM User or IAM Role, and grant required IAM permissions by using IAM Policy, complete one of the following steps:

      • Provision IAM Role, IAM Policy AWS Console:

        1. Create an IAM Policy with the privileges.

           1. For S3:

              {
                  "Version": "2012-10-17",
                  "Statement": [
                      {
                          "Effect": "Allow",
                          "Action": [
                              "s3:CreateBucket",
                              "s3:DeleteBucket",
                              "s3:PutBucketTagging",
                              "s3:GetBucketTagging",
                              "s3:PutBucketPublicAccessBlock",
                              "s3:GetBucketPublicAccessBlock",
                              "s3:PutEncryptionConfiguration",
                              "s3:GetEncryptionConfiguration",
                              "s3:PutLifecycleConfiguration",
                              "s3:GetLifecycleConfiguration",
                              "s3:GetBucketLocation",
                              "s3:ListBucket",
                              "s3:GetObject",
                              "s3:PutObject",
                              "s3:DeleteObject",
                              "s3:ListBucketMultipartUploads",
                              "s3:AbortMultipartUpload",
                              "s3:ListMultipartUploadParts"
                          ],
                          "Resource": "arn:aws:s3:::my-pod-secrets-bucket"
                      }
                  ]
              }
              

           2. If Amazon Simple Email Service (SES) is used, add the IAM policy for SES:

              {
                "Id":"ExamplePolicy",
                "Version":"2012-10-17",
                "Statement":[
                  {
                    "Sid":"ControlAction",
                    "Effect":"Allow",
                    "Resource":"arn:aws:ses:<ReplaceWithActualRegion>:<ReplaceAccountID>:identity/<ReplaceWithEmailID>",
                    "Action":[
                      "ses:SendEmail",
                      "ses:SendRawEmail"
                    ]
                  }
                ]
              }
              

        2. Create an IAM Role and associate the IAM role. To prevent using static credentials, configure IAM role which can be attached to Service Accounts to grant access to S3, SES.
           1. Create an OIDC provider in AWS.
           2. Create an IAM role with the following trust relationship:

              {
                  "Version": "2012-10-17",
                  "Statement": [
                      {
                          "Sid": "",
                          "Effect": "Allow",
                          "Principal": {
                              "Federated": "arn:aws:iam::<ReplaceAccountID>:oidc-provider/oidc.eks.<ReplaceWithActualRegion>.amazonaws.com/id/<ReplaceWithID>"
                          },
                          "Action": "sts:AssumeRoleWithWebIdentity",
                          "Condition": {
                              "StringEquals": {
                                  "oidc.eks.<ReplaceWithActualRegion>.amazonaws.com/id/<ReplaceWithID>:sub": "system:serviceaccount:<KubernetesNamespace>:<KubernetesServiceAccount>",
                                  "oidc.eks.<ReplaceWithActualRegion>.amazonaws.com/id/<ReplaceWithID>:aud": "sts.amazonaws.com"
                              }
                          }
                      }
                  ]
              }
              

        3. Attach the newly created IAM policy.

10. Install Instana backend with S3 as RAW spans storage, see Installing the Instana backend.

11. Add the load balancer details and DNS, see Setting up load balancers and DNS.