Merge pull request #69 from dbeaver/devel

Devel

Author: ggxed

.env.example

@@ -1,4 +1,4 @@
-CLOUDBEAVER_VERSION_TAG=25.1.0
+CLOUDBEAVER_VERSION_TAG=25.2.0
 IMAGE_SOURCE=dbeaver
 PODMAN_IMAGE_SOURCE=docker.io/dbeaver
 COMPOSE_PROJECT_NAME=dbeaver

.gitignore

@@ -4,4 +4,5 @@ values.yaml
 /.idea
 trusted-cacerts/*
 .env
-variables.tf
+variables.tf
+k8s/ingressSsl/

AWS/aws-eks/README.md

@@ -0,0 +1,130 @@
+# CloudBeaver Enterprise Edition - AWS EKS Deployment
+
+## Prerequisites
+
+- [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
+- [eksctl](https://eksctl.io/installation/) installed  
+- [Helm](https://helm.sh/docs/intro/install/) installed
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/) installed
+- [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) installed
+- Access to an existing **EKS cluster**
+
+Policy required:
+- [AmazonElasticFileSystemFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonElasticFileSystemFullAccess.html)
+
+## AWS volumes configuration for Kubernetes deployment
+
+To store CloudBeaver EE data in the cloud, you need to configure cloud volumes. For example, you can store connection configurations and user information in AWS EFS.
+
+### Step 1: Associate IAM OIDC Provider
+
+Associate the IAM OIDC provider with your EKS cluster to enable IAM roles for service accounts.
+
+```bash
+eksctl utils associate-iam-oidc-provider \
+  --region=<your-region> \
+  --cluster=<your-cluster-name> \
+  --approve
+```
+
+### Step 2: Install AWS EFS and EBS CSI Drivers
+
+Install the AWS EFS and EBS CSI drivers using Helm.
+
+```bash
+helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver/
+helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver/
+helm repo update
+
+helm install aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver --namespace kube-system
+helm install aws-ebs-csi-driver aws-ebs-csi-driver/aws-ebs-csi-driver --namespace kube-system
+```
+
+### Step 3: Configure EFS via Terraform
+
+1. Navigate to directory `cloudbeaver-deploy/AWS/aws-eks`
+2. Open the `main.tf` file in a text editor.
+3. Update the following variables with your AWS region and EKS cluster name:
+```
+variable "region" {
+  description = "Region for AWS EFS"
+  default     = "<your-region>"
+}
+variable "cluster_name" {
+  description = "EKS cluster name"
+  default     = "<your-cluster-name>"
+}
+```
+4. Run `terraform init`.
+5. Next, run `terraform apply`, which will output `efs_file_system_id`.
+6. Open the file `cloudbeaver-deploy/k8s/values.yaml` and update the `fileSystemId` parameter with the value of `efs_file_system_id` obtained in the previous step.
+7. Fill in the other parameters as shown in the example:
+
+```yaml
+cloudProvider: aws
+storage:
+  type: efs
+  storageClassName: "efs-sc"
+  efs:
+    fileSystemId: "<your-efs-id>"
+```
+
+Once this is set up, you can deploy CloudBeaver EE by following [this guide](../../k8s/README.md).
+
+## AWS ALB configuration for Kubernetes deployment
+
+This deployment option can use Nginx, HAProxy, or AWS ALB as an ingress controller. If you want to use [AWS Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html), follow the steps below.
+
+Install `AWS CLI`: If `AWS CLI` is not installed yet, follow the instructions on the [official AWS CLI website](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html).  
+
+Install `eksctl`: `eksctl` is a command-line utility for creating and managing EKS clusters. Install eksctl by following the instructions on the [official eksctl website](https://eksctl.io/installation/).  
+
+Policy required for eksctl to work:
+
+- [CloudFormation Full Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloudFormationFullAccess.html)
+- [EKS Full Access](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-console)
+- [EC2 and EC2 Auto Scaling Full Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2FullAccess.html)
+- [IAM Full Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/IAMFullAccess.html)
+- [Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userGuide/security_iam_id-based-policy-examples.html)
+
+1. OIDC Provider Association:  
+
+```bash
+eksctl utils associate-iam-oidc-provider --region=<your-region> --cluster=<your-cluster-name> --approve
+```
+
+2. Create IAM role and link policy:  
+
+Create policy IAM:  
+```bash
+curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json
+aws iam create-policy --policy-name AWSLoadBalancerControllerIAMPolicy --policy-document file://iam_policy.json
+```
+
+Create IAM role and link policy:  
+```bash
+eksctl create iamserviceaccount \
+  --cluster <your-cluster-name> \
+  --region <your-region> \
+  --namespace kube-system \
+  --name aws-load-balancer-controller \
+  --attach-policy-arn arn:aws:iam::<your-account-id>:policy/AWSLoadBalancerControllerIAMPolicy \
+  --approve
+```
+
+3. Install AWS Load Balancer Controller using Helm:  
+
+```bash
+helm repo add eks https://aws.github.io/eks-charts
+helm repo update
+
+helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
+  -n kube-system \
+  --set clusterName=<your-cluster-name> \
+  --set serviceAccount.create=false \
+  --set region=<your-region> \
+  --set vpcId=<your-vpc-id> \
+  --set serviceAccount.name=aws-load-balancer-controller
+```
+
+Once this is set up, you can deploy CloudBeaver EE by following [this guide](../../k8s/README.md). 

AWS/aws-eks/efs.tf

@@ -0,0 +1,65 @@
+data "aws_vpc" "vpc" {
+  id = data.aws_eks_cluster.eks_cluster.vpc_config[0].vpc_id
+}
+
+data "aws_subnets" "subnets" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.vpc.id]
+  }
+}
+
+data "aws_security_group" "eks_security_group" {
+  id = data.aws_eks_cluster.eks_cluster.vpc_config[0].cluster_security_group_id
+}
+
+data "aws_subnet" "subnet_info" {
+  for_each = toset(data.aws_subnets.subnets.ids)
+  id       = each.value
+}
+
+locals {
+  subnets_by_az = { for subnet in data.aws_subnet.subnet_info : subnet.availability_zone => subnet.id... }
+  unique_subnet_ids = [for az, subnet_ids in local.subnets_by_az : subnet_ids[0]]
+}
+
+resource "aws_efs_file_system" "efs" {
+  creation_token   = var.efs_name
+  performance_mode = "generalPurpose"
+  throughput_mode  = "bursting"
+  
+  tags = {
+    Name = var.efs_name
+    CloudBeaver-EE = "true"
+  }
+}
+
+resource "aws_efs_mount_target" "efs_mount_target" {
+  for_each       = toset(local.unique_subnet_ids)
+  file_system_id = aws_efs_file_system.efs.id
+  subnet_id      = each.key
+  security_groups = [data.aws_security_group.eks_security_group.id]
+}
+
+resource "aws_efs_access_point" "efs_access_point" {
+  file_system_id = aws_efs_file_system.efs.id
+
+  posix_user {
+    gid = 8978
+    uid = 8978
+  }
+
+  root_directory {
+    path = "/"
+    creation_info {
+      owner_gid   = 8978
+      owner_uid   = 8978
+      permissions = "775"
+    }
+  }
+}
+
+output "efs_file_system_id" {
+  value = aws_efs_file_system.efs.id
+  description = "EFS file system ID for CloudBeaver EE"
+} 

AWS/aws-eks/iam.tf

@@ -0,0 +1,25 @@
+data "aws_eks_node_groups" "nodegroups" {
+  cluster_name = var.cluster_name
+}
+
+data "aws_eks_node_group" "nodegroup" { 
+  for_each = toset(data.aws_eks_node_groups.nodegroups.names)
+
+  cluster_name    = var.cluster_name
+  node_group_name = each.value
+}
+
+resource "aws_iam_role_policy_attachment" "ebs_csi_policy_attachment" {
+  for_each = data.aws_eks_node_group.nodegroup
+
+  role       = basename(each.value.node_role_arn)
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+}
+
+resource "aws_iam_role_policy_attachment" "efs_csi_policy_attachment" {
+  for_each = data.aws_eks_node_group.nodegroup
+
+  role       = basename(each.value.node_role_arn)
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"
+}
+

AWS/aws-eks/main.tf

@@ -0,0 +1,22 @@
+provider "aws" {
+  region = var.region
+}
+
+variable "region" {
+  description = "Region for AWS EFS"
+  default     = ""
+}
+
+variable "cluster_name" {
+  description = "EKS cluster name"
+  default     = ""
+}
+
+variable "efs_name" {
+  description = "Name for EFS"
+  default     = "CloudBeaver-EKS-EFS"
+}
+
+data "aws_eks_cluster" "eks_cluster" {
+  name = var.cluster_name
+} 

AWS/aws-eks/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+  
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+} 

AWS/ecs-fargate/README.md

@@ -34,7 +34,7 @@
    ![alt text](images/image-1.png)
 
    - Ensure that the `alb_certificate_Identifier` variable contains the ID from [AWS Certificate Manager](#importing-an-ssl-certificate-in-aws) corresponding to the domain name specified   in the `CLOUDBEAVER_PUBLIC_URL` variable within variables.tf. The domain name in `CLOUDBEAVER_PUBLIC_URL` must match the domain for which the certificates have been issued.
-   - You can customize the deployment version by updating the `cloudbeaver_version` environment variable. The default version is `25.0.0`.
+   - You can customize the deployment version by updating the `cloudbeaver_version` environment variable. The default version is `25.2.0`.
 
 6. Run `terraform init` and then `terraform apply` in `ecs-fargate` directory to create the ECS cluster and complete the deployment.
 

AWS/ecs-fargate/efs.tf

@@ -16,4 +16,20 @@ resource "aws_efs_mount_target" "cloudbeaver_data_mt" {
   file_system_id = aws_efs_file_system.cloudbeaver_data.id
   subnet_id      = aws_subnet.private_subnets[count.index].id
   security_groups = [aws_security_group.cloudbeaver_efs.id]
-}
+}
+
+resource "aws_efs_file_system" "api_tokens" {
+  creation_token = "api_tokens"
+  performance_mode = "generalPurpose"
+  throughput_mode = "bursting"
+  encrypted = "false"
+  
+  tags = merge(var.common_tags, { Name = "Cloudbeaver API token EFS" })
+}
+
+resource "aws_efs_mount_target" "api_tokens_mt" {
+  count = length(aws_subnet.private_subnets)
+  file_system_id = aws_efs_file_system.api_tokens.id
+  subnet_id      = aws_subnet.private_subnets[count.index].id
+  security_groups = [aws_security_group.cloudbeaver_efs.id]
+}

AWS/ecs-fargate/main.tf

@@ -48,6 +48,13 @@ resource "aws_ecs_task_definition" "cloudbeaver-task" {
       root_directory = "/"
     }
   }
+  volume {
+    name = "api_tokens"
+    efs_volume_configuration {
+      file_system_id = aws_efs_file_system.api_tokens.id
+      root_directory = "/"
+    }
+  }
 
   container_definitions = jsonencode([{
     name        = "${var.task_name}"
@@ -63,10 +70,16 @@ resource "aws_ecs_task_definition" "cloudbeaver-task" {
                     "awslogs-stream-prefix": "cb"
                 }
     }
-    mountPoints = [{
-              "containerPath": "/opt/cloudbeaver/workspace",
-              "sourceVolume": "cloudbeaver_data"
-    }]
+    mountPoints = [
+      {
+        containerPath = "/opt/cloudbeaver/workspace",
+        sourceVolume  = "cloudbeaver_data"
+      },
+      {
+        containerPath = "/opt/cloudbeaver/conf/keys/"
+        sourceVolume  = "api_tokens"
+      }
+    ]
     portMappings = [{
       name = "${var.task_name}"
       protocol      = "tcp"