Storage Requirements
Depending on the environment on which you deploy Optimizer Hub, different configurations are documented here for the storage and related roles and permissions.
Optimizer Hub stores ReadyNow profiles, compilation caches, and other data in a single blob storage location: a bucket or a container, depending on the environment.
All objects in this blob get stored by name, using a filesystem-path-like approach:
- <bucket_or_container>/<namespace>/code-cache/
- <bucket_or_container>/<namespace>/compiler-artifacts/
- <bucket_or_container>/<namespace>/compiler-engines/
- <bucket_or_container>/<namespace>/inventory/
- <bucket_or_container>/<namespace>/persistent-profile/
Configuring AWS S3 Storage
Optimizer Hub requires a bucket and R/W permissions to the bucket.
- Within the AWS system, create the bucket and R/W permissions.
- Configure the Optimizer Hub storage by adding the following to your values-override.yaml file:

storage:
  blobStorageService: s3
  s3:
    commonBucket: opthub-storage0

- Configure the permissions by adding the following to your values-override.yaml file:

deployment:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::<...>:role/opthub-s3-role
Using Kubernetes Nodes and Permissions
To configure AWS S3 storage, use the following configuration. Ensure that the Kubernetes nodes running opthub-compilebroker and opthub-gateway have R/W permissions to the S3 bucket(s), and that the target buckets exist.
You must assign a role with the policy below to the instances (EC2, EC2 ASG, Fargate, etc.) that run the opthub-compilebroker and opthub-gateway pods.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::opthub-*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:*Object"
      ],
      "Resource": [
        "arn:aws:s3:::opthub-*/*"
      ],
      "Effect": "Allow"
    }
  ]
}
Using AWS Service Accounts
If your security practices do not allow you to give nodes access to S3 buckets, you can also grant access to just the key services in Optimizer Hub. You can do this by configuring AWS IAM, roles, and permissions as described in the AWS documentation.
In the next steps, Optimizer Hub assumes the role name is opthub-s3-role. The IAM role trust relationship entry needs the following additional settings in AWS (change the IDs in this example to match your configuration):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::163957972732:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/F7E8B430691CFE3B776B8CA663896762"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "oidc.eks.us-west-2.amazonaws.com/id/F7E8B430691CFE3B776B8CA663896762:sub": "system:serviceaccount:*:opthub*",
          "oidc.eks.us-west-2.amazonaws.com/id/F7E8B430691CFE3B776B8CA663896762:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
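As an added example (not code from the Optimizer Hub documentation or Helm chart), the following Python script evaluates the node policy and the trust policy above with a minimal implementation of IAM's `*`/`?` wildcard matching, so you can see which S3 calls the role permits and which Kubernetes service accounts the trust policy admits. The object ARN and service account names used in the checks are constructed.

```python
import re
# IAM pattern grammar: '*' matches any run of characters, '?' exactly one.
# Action names match case-insensitively; ARNs and condition values match as written.
def iam_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement covers (action, resource); explicit Deny is not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(iam_match(a, action, True) for a in _as_list(stmt["Action"])) and \
           any(iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            return True
    return False

def trust_allows(trust: dict, sub: str, aud: str = "sts.amazonaws.com") -> bool:
    """True if the trust policy's StringLike condition admits this OIDC subject and audience."""
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if all(iam_match(pat, sub if key.endswith(":sub") else aud) for key, pat in cond.items()):
            return True
    return False

# Copies of the two policies shown on this page, as Python dicts.
NODE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::opthub-*"]},
    {"Effect": "Allow", "Action": ["s3:*Object"], "Resource": ["arn:aws:s3:::opthub-*/*"]},
]}
OIDC = "oidc.eks.us-west-2.amazonaws.com/id/F7E8B430691CFE3B776B8CA663896762"
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": f"arn:aws:iam::163957972732:oidc-provider/{OIDC}"},
    "Condition": {"StringLike": {f"{OIDC}:sub": "system:serviceaccount:*:opthub*",
                                 f"{OIDC}:aud": "sts.amazonaws.com"}},
}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::opthub-storage0/prod/persistent-profile/app"  # constructed object ARN
    print(policy_allows(NODE_POLICY, "s3:GetObject", obj))     # True
    print(policy_allows(NODE_POLICY, "s3:DeleteObject", obj))  # True: "s3:*Object" includes delete
    print(trust_allows(TRUST_POLICY, "system:serviceaccount:opthub:opthub-gateway"))  # True
    print(trust_allows(TRUST_POLICY, "system:serviceaccount:default:myapp"))          # False
```

With `*` in the namespace position of the `:sub` condition, a service account named opthub* in any namespace of that cluster can assume the role; putting the Optimizer Hub namespace there instead of `*` narrows it to that deployment.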
After creating the Service Accounts, add the following settings to your values-override.yaml file:
deployment:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::<...>:role/opthub-s3-role
The Helm chart of Optimizer Hub creates the following Service Accounts:
- opthub-cache
- opthub-compile-broker
- opthub-gateway
- opthub-operator
Storage for ReadyNow Orchestrator
You can limit the usage of persistent storage by ReadyNow Orchestrator with the appropriate settings.
Configuring GCP Blob Storage
Optimizer Hub requires a bucket and R/W permissions to the bucket.
- Within the Google Cloud system, create the bucket and R/W permissions.
- Configure the Optimizer Hub storage by adding the following to your values-override.yaml file:

storage:
  blobStorageService: gcp-blob
  gcpBlob:
    commonBucket: opthub-storage0

- Configure the permissions by adding the following to your values-override.yaml file:

deployment:
  serviceAccount:
    annotations:
      iam.gke.io/gcp-service-account: <YOUR_SERVICE_ACCOUNT>
IAM Policy Update
You need to add the role for the service account to the IAM policy of the bucket to assign the required permissions:
>> gsutil iam get gs://<YOUR_BUCKET>
{
  "bindings": [
    ...
    {
      "members": [
        "serviceAccount:<YOUR_SERVICE_ACCOUNT>"
      ],
      "role": "roles/storage.objectAdmin"
    }
  ],
  "etag": "CAM="
}
You can use the following CLI command to assign the required roles to a bucket:
>>gsutil iam ch serviceAccount:<YOUR_SERVICE_ACCOUNT>:roles/storage.objectAdmin gs://<YOUR_BUCKET>
IAM Policy Binding
>>gcloud iam service-accounts get-iam-policy <YOUR_SERVICE_ACCOUNT>
bindings:
- members:
  - serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-cache]
  - serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-compile-broker]
  - serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-gateway]
  - serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-mgmt-gateway]
  role: roles/iam.workloadIdentityUser
etag: BwYo0_53sDw=
version: 1
You can use the following CLI commands to add the roles/iam.workloadIdentityUser binding for the Kubernetes service accounts of the server components (opthub-cache, opthub-compile-broker, opthub-gateway, and opthub-mgmt-gateway):
gcloud iam service-accounts \
  add-iam-policy-binding <YOUR_SERVICE_ACCOUNT> \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-gateway]"
gcloud iam service-accounts \
  add-iam-policy-binding <YOUR_SERVICE_ACCOUNT> \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-cache]"
gcloud iam service-accounts \
  add-iam-policy-binding <YOUR_SERVICE_ACCOUNT> \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-compile-broker]"
gcloud iam service-accounts \
  add-iam-policy-binding <YOUR_SERVICE_ACCOUNT> \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-mgmt-gateway]"
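As an added example (not part of the Optimizer Hub documentation or Helm chart), this Python script checks saved get-iam-policy output in the layout shown above for the four Workload Identity bindings and prints an add-iam-policy-binding command for each one that is missing. The project id, namespace and service account address in the sample are constructed placeholders.

```python
OPTHUB_KSAS = ("opthub-cache", "opthub-compile-broker", "opthub-gateway", "opthub-mgmt-gateway")
WI_ROLE = "roles/iam.workloadIdentityUser"

def expected_members(project_id: str, namespace: str) -> set:
    """Workload Identity member strings the four server components must be bound with."""
    return {f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa}]" for ksa in OPTHUB_KSAS}

def parse_bindings(policy_yaml: str) -> dict:
    """Line-based parse of the gcloud YAML layout shown above (members listed before role)
    into {role: set(members)}. It assumes that layout and is not a general YAML parser."""
    bindings, members = {}, []
    for raw in policy_yaml.splitlines():
        line = raw.strip()
        if line == "- members:":
            members = []                       # a new binding starts
        elif line.startswith("- "):
            members.append(line[2:])           # e.g. serviceAccount:...
        elif line.startswith("role: "):
            bindings.setdefault(line[len("role: "):], set()).update(members)
    return bindings

def missing_bindings(policy_yaml: str, project_id: str, namespace: str) -> set:
    """Expected members that are not bound to roles/iam.workloadIdentityUser."""
    return expected_members(project_id, namespace) - parse_bindings(policy_yaml).get(WI_ROLE, set())

def remediation_commands(policy_yaml: str, project_id: str, namespace: str, gcp_sa: str) -> list:
    """One add-iam-policy-binding command, in the form used on this page, per missing member."""
    return [f'gcloud iam service-accounts add-iam-policy-binding {gcp_sa} '
            f'--role {WI_ROLE} --member "{m}"'
            for m in sorted(missing_bindings(policy_yaml, project_id, namespace))]

# Constructed sample of `gcloud iam service-accounts get-iam-policy` output with
# placeholder project "my-project" and namespace "opthub"; opthub-cache is missing.
SAMPLE_POLICY = """\
bindings:
- members:
  - serviceAccount:my-project.svc.id.goog[opthub/opthub-compile-broker]
  - serviceAccount:my-project.svc.id.goog[opthub/opthub-gateway]
  - serviceAccount:my-project.svc.id.goog[opthub/opthub-mgmt-gateway]
  role: roles/iam.workloadIdentityUser
etag: BwYo0_53sDw=
version: 1
"""

if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_POLICY, "my-project", "opthub",
                                    "opthub-sa@my-project.iam.gserviceaccount.com"):
        print(cmd)
```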
Configuring Azure Blob Storage
Optimizer Hub requires a storage container (the Azure equivalent of a bucket) and R/W permissions to it.
- Within the Azure system, create the container and R/W permissions.
- Configure the Optimizer Hub storage by adding the following to your values-override.yaml file:

storage:
  blobStorageService: azure-blob
  azureBlob:
    endpoint: https://{yourendpoint}.blob.core.windows.net
    container: {your-container}
    authMethod: {method} # sas-token, connection-string, or default-credentials

- Configure the permissions by adding the following to your values-override.yaml file:
  - When using authMethod: sas-token:

secrets:
  azure:
    blobStorage:
      sasToken: "{your-token}"

  - When using authMethod: connection-string:

secrets:
  azure:
    blobStorage:
      connectionString: "{your-connection-string}"
Configuring S3 Compatible Storage
Use the S3 compatible storage and specify a bucket name in your values-override.yaml:
storage:
  blobStorageService: s3
  s3:
    commonBucket: opthub-storage0
You may need additional settings, for example when using MinIO with minikube:
storage:
  blobStorageService: s3
  s3:
    commonBucket: opthub
    credentialsType: "static"
    storageEndpoint: http://minio.minio-dev.svc.cluster.local:9000
Specifying Bucket Location
By default, the Kubernetes namespace defines the path inside the bucket defined in commonBucket:
storage:
  pathPrefix: "%namespace%"
You can change this value in your values-override.yaml file, for example:
- Extend it with a subdirectory:
  pathPrefix: "%namespace%/test1"
- Use a custom subdirectory:
  pathPrefix: "custom-path-for-opthub"