
Deploy MOSTLY AI to an AWS EKS cluster

To run MOSTLY AI in AWS, you need to create an Elastic Kubernetes Service (EKS) cluster. MOSTLY AI provides a set of automated scripts and configuration files that can help you create and configure an EKS cluster as well as create and mount the required EFS storage, and create and configure an AWS Application Load Balancer (ALB) for the application.

This page contains step-by-step tasks that guide you through the process of deploying MOSTLY AI in an AWS EKS cluster. The tasks are grouped into four categories.

Use the tasks on this page as a reference for what you might need to complete to reach the point at which MOSTLY AI runs in an EKS cluster and you can successfully generate synthetic datasets.

Some of the tasks describe configurations that you might have already completed in AWS. In such cases, use the tasks on this page as a reference for all required configurations.

Prerequisites

  • Make sure that you have the tools and commands listed below.
  • Decide in which AWS region you want to deploy MOSTLY AI. The page documents the steps in detail to deploy to eu-central-1. If you need to deploy to another region, read the information about the Region-specific EKS images and how to configure for that.
  • Obtain deployment details from your Customer Experience Engineer.
    • MOSTLY AI Helm chart. Required for Task 13.
    • First-time login credentials for the MOSTLY AI application. Required for Task 16.
    • (Optional) MOSTLY AI image repository pull secret. Required only if you intend to use the MOSTLY AI image repository to pull the container images. Optional for Task 13 and Task 14.

Pre-deployment

Task 1: Create a key pair in EC2

When you create a key pair in EC2, you can use the generated security credentials to use ssh and log in to the EC2 instances that the MOSTLY AI deployment script creates.

Prerequisites

  • Log in to the AWS Management Console. You can do the steps here with your root AWS account.
  • Select the zone in which you want to create your Kubernetes cluster.

Steps

  1. From AWS Services, search and open EC2.

  2. In EC2, select Key Pairs under Network & Security from the sidebar.

  3. Click Create key pair.

  4. Enter a name for the new key pair and click Create key pair.

    💡

    Leave the default options:

    • Key pair type: RSA
    • Private key file format: .pem

Result

The new key pair appears in the list. The generated .pem file that contains the certificate and access keys downloads automatically.


What’s next

You can now create a non-ROOT user, which is a requirement to run the deployment script in Task 11.

Also, later in Task 10, you define the key pair name in the eks-cluster.yaml deployment configuration file which is a requirement before you run the deployment. You can also use the downloaded certificate to log in to the Kubernetes pods that MOSTLY AI deploys.

Task 2: Create a user group

As a best practice, create a user group to which you will assign the required policies and add the user that will run the deployment script.

Steps

  1. From AWS Services, search and open Identity and Access Management (IAM).
  2. In IAM, select User groups from the sidebar.
  3. Click Create group.
  4. Name the group eksctl-group and click Create group.

Result

The user group eksctl-group is now listed under User groups.


Task 3: Assign an administrator policy to the user group

Allow the user group to act as an administrator. This grants the user that runs the deployment script the privileges required to create an EKS cluster and all related resources.

Steps

  1. From User groups, click the eksctl-group to open its settings.
  2. Select the Permissions tab.
  3. Click Add permissions and select Attach policies from the drop-down menu.
  4. Select the AdministratorAccess policy.
  5. Click Add permissions.

Result

The required AdministratorAccess policy is now added to the user group eksctl-group.


Task 4: Create a user

Create a non-ROOT user that should be part of the new user group and will have permissions to run the MOSTLY AI deployment script.

Steps

  1. Open Identity and Access Management (IAM).
  2. Select Users from the sidebar.
  3. Click Create user.
  4. Name the user eksctl and click Next.
  5. On the Set permissions step, select the eksctl-group and click Next.
  6. On the Review and create step, click Create user.

Result

The user is now created and appears in the Users table.


Task 5: Create an access key for the user

Create an access key for the created user. You use the access key to configure and use the AWS CLI and run automated commands or scripts.

Steps

  1. In IAM > Users, select the eksctl user.
  2. Click Create access key.
  3. Select Command Line Interface.
  4. Select the I understand the above recommendation… checkbox.
  5. Click Next.
  6. Click Create access key.
  7. (Optional) View the Access key and Secret access key values.
  8. Click Download .csv file to download the access key locally.

Result

The file eksctl_accessKeys.csv is saved locally and contains the Access key and Secret access key values.

Task 6: Configure AWS CLI

With the user created specifically for the creation and deployment of MOSTLY AI, you can use it to configure the AWS CLI so that the user performs all scripted tasks.

Prerequisites

Steps

  1. Open a command-line application.
  2. Create an AWS CLI named profile for the eksctl user with the aws configure command.
    aws configure --profile eksctl
  3. Complete the prompts for the aws configure command.
    1. For AWS Access Key ID [None], paste your access key.
    2. For AWS Secret Access Key [None], paste your secret access key.
    3. For Default region name [None], type the default AWS region you want to use. For example, eu-central-1.
    4. For Default output format [None], type json.

Result

Your AWS CLI profile for the eksctl user is now created.

You can verify the configuration from your home folder. If you did not have a previously configured profile, the following commands should produce results similar to the ones below.

  1. View the contents of .aws/config in your home folder to see the configured profiles.
    cat ~/.aws/config
    Without any previously configured profiles, the result should be similar to the following:
    [profile eksctl]
    region = eu-central-1
    output = json
  2. View the contents of .aws/credentials in your home folder to see the saved access key and secret access key for the profile.
    cat ~/.aws/credentials
    Without any previously configured profiles, the result should be similar to the following (actual secret values are obfuscated with asterisks):
    [eksctl]
    aws_access_key_id = AK******************
    aws_secret_access_key = ******************
  3. Finally, you can use the aws sts get-caller-identity command to check if the previous configurations were correct:
    aws sts get-caller-identity --profile eksctl
    The result should be similar to the following (actual secret values are obfuscated with asterisks):
    {
        "UserId": "AI*******************",
        "Account": "74**********",
        "Arn": "arn:aws:iam::74**********:user/eksctl"
    }
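
The checks from this task as a script, added here as an example and not part of the MOSTLY AI documentation or scripts: it confirms that ~/.aws/credentials is not readable by other local users, that the downloaded access-key CSV is no longer present, and that the profile resolves to the IAM user rather than the account root or a role. The function names and the CSV path argument are assumptions; the profile and the IAM user are both named eksctl, as in Tasks 4 to 6.

```shell
#!/bin/sh
# Added example: post-setup checks for the "eksctl" CLI profile (Tasks 5-6).
# Function names are illustrative; only `aws sts get-caller-identity` comes
# from the page.

# Succeeds only if the file exists and has no group/other permission bits.
is_private() {
  [ -f "$1" ] || return 2
  case $(ls -ld "$1" | cut -c5-10) in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# Succeeds only if ARN $1 is the IAM user named $2 (not the account root,
# another user, or an assumed role).
arn_is_user() {
  case $1 in
    arn:aws:iam::*:user/"$2") return 0 ;;
    *)                        return 1 ;;
  esac
}

# Run all checks; prints findings and returns their count.
# $1 = profile name (also the expected IAM user name on this page)
# $2 = path of the downloaded access-key CSV (optional, assumed location)
check_profile() {
  cp_findings=0
  if ! is_private "$HOME/.aws/credentials"; then
    echo "~/.aws/credentials is missing or readable by group/others (chmod 600)"
    cp_findings=$((cp_findings + 1))
  fi
  if [ -n "${2:-}" ] && [ -e "$2" ]; then
    echo "$2 still holds a copy of the secret access key"
    cp_findings=$((cp_findings + 1))
  fi
  cp_arn=$(aws sts get-caller-identity --profile "$1" \
             --query Arn --output text) || cp_arn=
  if ! arn_is_user "$cp_arn" "$1"; then
    echo "profile $1 resolves to '${cp_arn:-<no identity>}', expected IAM user $1"
    cp_findings=$((cp_findings + 1))
  fi
  return "$cp_findings"
}

# Usage: sh check_profile.sh eksctl /path/to/eksctl_accessKeys.csv
if [ "$#" -gt 0 ]; then
  check_profile "$@"
fi
```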

Task 7: Create a hosted zone in Route 53

You need to have a fully-qualified domain name (FQDN) for your MOSTLY AI application. If you need to register a new FQDN, you can do so from any domain name registrar (such as GoDaddy, Namecheap, or any other) or use AWS Route 53. You can also use a subdomain.

If you register an FQDN with Route 53, you already have your hosted zone available in AWS under Route 53 > Hosted zones.

If you register an FQDN from another domain registrar, you need to create a hosted zone in Route 53 with your registered domain. In this case, follow the steps below.

Steps

  1. From AWS Services, search and open Route 53.

  2. Select Hosted zones from the sidebar.

  3. Click Create hosted zone.

  4. For Domain name, type your FQDN.

  5. Click Create hosted zone.

    Step result: Your FQDN appears in the Records table.

  6. From the Records table, copy the name servers for the hosted zone you created.

  7. Go to your domain registrar and add the copied name servers as custom nameservers for your domain.

    The propagation of the updated name servers across the DNS network might take several hours.

    For more information, contact your domain registrar.

Result

You now have a configured hosted zone in Route 53 for your FQDN.

Depending on your domain name provider, it might take some time (sometimes up to a few days) before the new nameservers are updated and propagated across the global DNS network.

Task 8: Create an SSL certificate for your FQDN

To enable encrypted access with your FQDN, you need an SSL certificate. You can create an SSL certificate through AWS Certificate Manager.

An SSL certificate for your FQDN is required to deploy MOSTLY AI in an EKS cluster.

Steps

  1. From AWS Services, search and open Certificate Manager.

  2. Click List certificates from the sidebar.

  3. Click Request.

  4. Select Request a public certificate and click Next.

  5. Configure and submit a certificate request.

    1. For Fully qualified domain name, type your FQDN.
    2. Select DNS validation under Validation method.
    3. Click Request.

    Step result: A notification indicates that the certificate requires further validation.

  6. Validate you are the owner of your domain.

    💡

    AWS provides two validation methods: DNS validation and Email validation.

    For more information, see Validating domain ownership in the AWS Certificate Manager (ACM) documentation.

    The steps below demonstrate the DNS validation method when your domain name provider is not AWS Route 53.

    If your domain name provider is AWS Route 53, see DNS validation in the AWS Certificate Manager (ACM) documentation.

    1. Select List certificates.
    2. Select the Certificate ID in a Pending validation status.
    3. Copy the CNAME name and value and add them as a new CNAME record in your DNS provider.
    4. Create a new CNAME record for your domain name in your domain name provider web interface.
      ⚠️

      See your domain name provider documentation on how to add a new CNAME record for the DNS validation.

Result

As explained on the DNS validation page in the AWS ACM documentation, the DNS validation can take up to 30 minutes after you add the CNAME record in your domain name provider web interface.

After the DNS validation completes, the Status of your certificate changes to Issued in the certificates list.


Task 9: Create an AWS EKS cluster

To simplify the creation of an EKS cluster, you can use the eksctl command-line tool. The tool creates the cluster and the required resources in CloudFormation.

Prerequisites

Install eksctl.

Steps

  1. Create a CloudFormation YAML file named mostly-ai-cluster.yaml with the contents below.

    mostly-ai-cluster.yaml
    apiVersion: eksctl.io/v1alpha5
    kind: ClusterConfig
     
    metadata:
      name: mostly-ai
      region: eu-central-1
     
    nodeGroups:
      - name: mostly-ai-nodegroup
        instanceType: m5.8xlarge
        desiredCapacity: 1
     
    cloudWatch:
      clusterLogging:
        enableTypes: ["audit", "authenticator", "controllerManager"]
     
    addons:
      - name: aws-ebs-csi-driver
        version: latest
        attachPolicyARNs:
          - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
  2. Run the CloudFormation definition with your AWS CLI.

    shell
    eksctl create cluster -f mostly-ai-cluster.yaml

Result

The cluster creation is started in CloudFormation.

What’s next

You can track the cluster creation in CloudFormation. When the cluster is created, you can proceed to grant access to your AWS user to view resources in the cluster.

Task 10: Grant permissions to view cluster resources

With your cluster ready, you can view it in the AWS Management Console under Elastic Kubernetes Service > Clusters. However, when you open the Resources tabs or browse To do so, you need to grant permissions to the user that created the cluster.

Add the AmazonEKSAdminPolicy and AmazonEKSClusterAdminPolicy policies to the user creating the cluster. The policies are required so that the user that you create the cluster with can view and manage nodes and resources in the EKS cluster.

Steps

  1. In AWS, open Elastic Kubernetes Service (EKS).
  2. From the sidebar, select Clusters.
  3. Select the mostly-ai-cluster.
  4. From the cluster tabs, select Access.
  5. View the entries under IAM access entries.
  6. Select the user to which you need to grant permissions.
  7. Click Add access policy.
  8. Add the AmazonEKSAdminPolicy and AmazonEKSClusterAdminPolicy policies. Repeat the steps below for each.
    1. For Policy name, select one of the policies.
    2. For Access scope, select Cluster.
    3. Click Add access policy in the bottom right.

Result

The access policies now appear for the user.

The user can now view the available nodes on the Compute tab and view the pods on the Resources tab, under Workloads > Pods.

Task 11: Grant permissions to provision storage volumes

The shared storage service minio that is provisioned during the deployment requires permissions to create storage volumes. To grant the required permissions, you need to attach the AmazonEC2FullAccess policy to the eksctl-mostly-ai-cluster-nodegroup-NodeInstanceRole-****** role.

Steps

  1. In AWS, open Identity and Access Management (IAM).
  2. From the sidebar, select Roles.
  3. Search for nodeinstance and open the eksctl-mostly-ai-cluster-nodegroup-NodeInstanceRole-****** role.
  4. Click Add permissions and select Attach policies.
  5. Search for ec2fullaccess, select AmazonEC2FullAccess and click Add permissions.

Result

The eksctl-mostly-ai-cluster-nodegroup-NodeInstanceRole-****** role now has the AmazonEC2FullAccess policy attached. With the policy, the role can provision storage volumes as required by the minio shared storage service.

Task 12: Configure an ingress controller

MOSTLY AI supports HAProxy by default as the ingress controller. NGINX and Istio virtual services are also supported.

For details on how to configure each, see Ingress controllers.

Deployment

Task 13: Edit the values.yaml file

Steps

  1. In a terminal or command prompt, make the Helm chart directory the current directory.
    shell
    cd <helm-chart-directory>
  2. Edit the values.yaml file.
  3. At the start, set the application domain name to an FQDN. Do the same as listed below for minio.
    💡

    minio is the shared storage service.

    values.yaml
    _customerInstallation:
      domainNames:
        mostly-ai: &fqdn yourfqdn.com
  4. (Optional) Apply one of the configurations below depending on whether you intend to use TLS-encrypted access to the MOSTLY AI application.

    ➡️ You use a TLS certificate. Replace your-tls-secret with the TLS secret name as defined in your cluster configuration.
    💡

    Your IT department or Kubernetes administrator creates the FQDN and its TLS certificate and adds it to the configuration of your cluster. When added, it comes with a TLS secret name that you can define in the values.yaml file. For details, see Configure your domain TLS certificate.

    values.yaml
    _customerInstallation:
    ...
      deploymentSettings:
        tlsSecretName: &tlsSecretName your-tls-secret
    ...
    global:
      ...
      tls:
        enabled: true
    ...
    ➡️ You do not use a TLS certificate. Replace your-tls-secret with an empty string and, for global.tls, set enabled to false.
    values.yaml
    _customerInstallation:
    ...
      deploymentSettings:
        tlsSecretName: &tlsSecretName [] # your-tls-secret
    ...
    global:
      ...
      tls:
        enabled: false
    ...
  5. (Optional) If you host third-party container images in an internal repository, replace docker.io in registryFor3rdPartyComponents.
    values.yaml
    _customerInstallation:
    ...
      deploymentSettings:
      ...
        registryFor3rdPartyComponents: &registryFor3rdPartyComponents REPLACE_WITH_INTERNAL_IMAGE_REPOSITORY
    ...
  6. (Optional) If you need to host MOSTLY AI container images in an internal repository, replace quay.io/mostlyai in mostlyRegistry.
    values.yaml
    _customerInstallation:
    ...
      deploymentSettings:
      ...
        mostlyRegistry: &mostlyRegistry quay.io/mostlyai
    ...
  7. (Optional) If you intend to use the MOSTLY AI image repository at quay.io/mostlyai, set its secret in mostlyRegistryDockerConfigJson.
    💡

    To obtain the secret, contact your MOSTLY AI Customer Experience Engineer.

    values.yaml
    _customerInstallation:
    ...
      deploymentSettings:
      ...
        mostlyRegistryDockerConfigJson: &mostlyRegistryDockerConfigJson INSERT_QUAY.IO_SECRET
    ...
  8. Set an AWS storage class in _customerInstallation.deploymentSettings.persistenceStorageClass. For example, set gp2 for the default AWS storage class.
    values.yaml
    _customerInstallation:
      ...
      deploymentSettings:
        ...
        persistenceStorageClass: &persistenceStorageClass gp2
      ...

Result

The values.yaml file is now configured for your deployment.
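
A pre-flight check for the edited file, added here as an example and not part of the MOSTLY AI Helm chart: it reports placeholder values from the snippets above that are still in values.yaml and a disabled tls setting, so both can be confirmed before Task 14. The function names are assumptions, and the script reads the file line by line rather than parsing YAML.

```shell
#!/bin/sh
# Added example: pre-flight check for the values.yaml edited in Task 13.
# Function names are illustrative; the placeholder strings below are the
# ones shown in this page's values.yaml snippets.
PLACEHOLDERS='yourfqdn.com
your-tls-secret
REPLACE_WITH_INTERNAL_IMAGE_REPOSITORY
INSERT_QUAY.IO_SECRET'

# Print the file without full-line and trailing "# ..." comments, so the
# no-TLS form "tlsSecretName: &tlsSecretName [] # your-tls-secret" is not
# reported as an unreplaced placeholder. Line-based heuristic, not a parser.
strip_comments() {
  grep -v '^[[:space:]]*#' "$1" | sed 's/[[:space:]]\{1,\}#.*$//'
}

# Reads YAML on stdin; succeeds if a "tls:" key is directly followed by
# "enabled: false".
tls_disabled() {
  awk '
    /^[ \t]*tls:[ \t]*$/                          { in_tls = 1; next }
    in_tls && /^[ \t]*enabled:[ \t]*false[ \t]*$/ { off = 1 }
    in_tls && NF                                  { in_tls = 0 }
    END                                           { exit (off ? 0 : 1) }'
}

# Print one finding per line; the return status is the number of findings.
check_values() {
  cv_count=0
  [ -r "$1" ] || { echo "cannot read $1"; return 1; }
  cv_body=$(strip_comments "$1")

  while IFS= read -r cv_p; do
    if printf '%s\n' "$cv_body" | grep -qF -- "$cv_p"; then
      echo "placeholder still present: $cv_p"
      cv_count=$((cv_count + 1))
    fi
  done <<EOF
$PLACEHOLDERS
EOF

  if printf '%s\n' "$cv_body" | tls_disabled; then
    echo "tls.enabled is false: the application will be served without TLS"
    cv_count=$((cv_count + 1))
  fi
  return "$cv_count"
}

# Usage: sh check_values.sh values.yaml
if [ "$#" -gt 0 ]; then
  check_values "$1"
fi
```

Step 7 and the TLS setting are optional on this page, so a finding is something to confirm rather than necessarily an error.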

Task 14: Deploy MOSTLY AI

  1. Deploy the MOSTLY AI Helm chart.
    shell
    helm upgrade --install mostly-ai ./mostly-combined --values values.yaml --namespace mostly-ai --create-namespace
    The result from the command should be similar to the following. If you see errors, see the Troubleshoot AWS EKS deployment issues section.
    Release "mostly-ai" does not exist. Installing it now.
    NAME: mostly-ai
    LAST DEPLOYED: Fri Nov 10 18:45:58 2023
    NAMESPACE: mostly-ai
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None

Post-deployment

Task 15: Set your FQDN to point at your ALB

If the deployment script finishes successfully in Task 11, you now need to configure your FQDN to point to the ALB that is created by the CloudFormation script at the address that is output by the script.

Steps

  1. Go to Route 53 > Hosted zones and select the hosted zone for your FQDN.
  2. Click Create record.
  3. Configure the record.
    1. For Record type, select A - Route traffic to an IPv4 address and some AWS resources.
    2. For Alias, enable the checkbox.
    3. Under Route traffic to, select the following options:
      • Alias to an Application and Classic Load Balancer
      • Select your region. In this case, Europe (Frankfurt).
      • From the search box, select the name of your ALB.
  4. Click Create records.

Result

Your FQDN now points to the ALB for the MOSTLY AI app.

What’s next

You can now direct your browser to your FQDN and open your deployed MOSTLY AI app for the first time.

Task 16: Log in to your MOSTLY AI deployment

Log in for the first time to your MOSTLY AI deployment to set a new password for the superadmin user.

Prerequisites

Contact MOSTLY AI to obtain the superadmin credentials as you need them to log in for the first time.

Steps

  1. Open your FQDN in your browser.
    Step result: The Sign in page for your MOSTLY AI deployment opens.
  2. Enter the superadmin credentials and click Sign in.
  3. Provide a new password and click Change password.

Result

Your superadmin password is now changed and you can use it to log in again to your MOSTLY AI deployment.