Document toolboxDocument toolbox

Deploying Kyvos (with Kubernetes) using CloudFormation Template

Applies to: Kyvos Enterprise  Kyvos Cloud (SaaS on AWS) Kyvos AWS Marketplace

Kyvos Azure Marketplace   Kyvos GCP Marketplace Kyvos Single Node Installation (Kyvos SNI)


To deploy the Kyvos using the default CloudFormation template, perform the following steps.

  1. Log in to your AWS Console, with the user having sufficient rights as mentioned in the prerequisites.

  2. On the AWS CloudFormation Console, Create Stack With New Resources (Standard) option.

Warning

Please provide the information carefully, as you cannot edit the stack after creation.

Step 1: Specify template

  1. In the Prerequisite - Prepare template, select the Template is ready option.

  2. In the Specify template,  select the Upload a template file option to upload your CloudFormation template using the Choose File button.

  3. Click NEXT.

Step 2: Specify stack details

  1. Enter a Stack name. Stack name can contain letters (A-Z and a-z), numbers (0-9), and dashes (-). The Kyvos cluster will be deployed in this name, and you cannot edit the name after deployment.

  2. The Parameters area displays the configurations defined in your template. It also allows you to enter custom values to create or update a stack.

  3. Enter details as:

Configuration

Parameter

Description/Remarks

Configuration

Parameter

Description/Remarks

Security Configurations

Select the name of the Key Pair to be used with EC2 instances

A key pair consisting of a public key (stored by AWS), and a private key file (stored by the user). Together, they allow you to connect to your instance securely.

Enter the SSH Private Key text

Provide the text of your SSH key. To get this, open your .pem file in edit mode, and copy the complete text.

Enable SSH for EMR/Databricks cluster 

This is not applicable to Databricks, as SSH is not supported on it. Hence, false is selected by default and cannot be changed.

S3 Configurations

S3 bucket name

Enter the name of your existing bucket, if you selected False above. If you select True, Kyvos will create a bucket with this name. Ensure that the bucket is not already in use.

NOTE: See the AWS rules for naming buckets. Additionally, Kyvos does not allow . (dot) to be used for Bucket Name. The cluster may fail to deploy if you do not meet these requirements.

Network Configurations

VPC

Select the VPC in which EC2 instances will be launched.

NOTE: If you have created your VPC using the NAT Gateway template or the Internet Gateway template, select that VPC here.

Subnets

Select the Subnet to be attached to EC2 instances.

NOTE: In the case of Kyvos Web Portal HA (High Availability) or an RDS repository, you must select at least two subnets from different Availability Zones. Otherwise, you have to select only one subnet.

Availability Zone

Select the Availability Zone where the subnet (selected above) exists.

IAM Roles Configurations 

EC2 instances IAM Role

Provide the name of the IAM Role that you want to attach to the EC2 instance.

Refer to the section Creating IAM Roles for EC2 and Lambda to create new roles.

Lambda functions IAM role

Provide the name of the IAM Role that you want to attach to the Lambda functions.

Refer to the section Creating IAM Roles for EC2 and Lambda to create new role

Custom Prefix Configurations

Custom Prefix EC2 Instances 

Enter the prefix to be append before Virtual Machines.

NOTE: The prefix can be up to 20 characters long and must begin and end with a word character.

Custom Prefix Volumes 

Enter the prefix to be append before Disks of Virtual Machines.

NOTE: The prefix can be up to 20 characters long and must begin and end with a word character.

Custom Prefix Other Services 

Enter the prefix to be append before the services: security groups, EMR, load balancer, and RDS (if included).

NOTE: The prefix can be up to 20 characters long and must begin and end with a word character.

Custom Prefix Secret Manager 

Enter the prefix to be append before Secret Manager.

NOTE: The prefix can be up to 20 characters long and must begin and end with a word character.

The parameter is displayed only when you select the Deploy with Enhanced Security checkbox while creating the CFT template.

RDS Configurations 

Create a new subnet group for RDS? 

Select True to create a new subnet group for RDS.

Enter the name of existing Subnet group 

If creating a new subnet group for RDS is false, enter the name of the existing subnet group.

Specify whether the database instance is a multiple Availability Zone deployment

Select True to specify the database instance is a multiple availability zone deployment.  

Choose the version of RDS which needs to be launched

Enter the RDS version to be launched. 

NOTE: From Kyvos 2024.3 onwards, the Postgres version is upgraded to 16.3 for both new deployments and upgrades. The Postgres version 13.11 is approaching its end of life (EOL).

Load-Balancer Configuration

Select the Public Subnets to be used for elastic load balancer

Select 2 public subnets, each from a different availability zone. Make sure that public subnet's availability zone matches the availability zone of the private subnets in which Kyvos instances are launched.

Kubernetes Configurations

NodeInstanceType

Enter EC2 instance type for the worker nodes.

 

MinPodCount

Enter number of Pod count.

 

MaxWorkerNodeCount

Enter maximum desired number of worker nodes

Kyvos Configurations

Enter the Access key 

Access key to access the Kyvos bundle. Contact us if you haven't received it yet.

Enter the Secret key 

Secret key to access the Kyvos bundle. Contact us if you haven't received it yet.

Kyvos Work Directory 

Enter the work directory path to be used by Kyvos.

Kyvos License Information 

Enter the temporary Kyvos license key provided in your onboarding email. Copy the content of the license file here.

Enable Environment validation

Select true to validate the environment information that you provided for where the Kyvos cluster needs to be deployed. 

If you select false, the deployment will continue without validation.

Show hostname for cluster deployment 

Select true to use the hostname for cluster deployment.

DatabaseKmRepo

Enter the name of database to be used for Kyvos Manager Repository.

NOTE: This parameter is displayed only when you select the Create New RDS option during the Kyvos template creation. 

KyvosManagerRepoDBInstanceIdentifierName

Instance Name of shared RDS

NOTE: This parameter is displayed only when you select the Existing RDS option during the Kyvos template creation. 

PostgresPassword

Provide the password used for Postgres.

RDSPasswordKmRepo

Specifies the value of the password used for KyvosManager Repository. The password can include any printable ASCII character except "/", """, "@" and single quote. 

NOTE: This parameter is displayed only when you select the Create New RDS option during the Kyvos template creation. 

SecretName 

Enter the name of your existing Secret Manager. If blank, a new Secret Manager will be created automatically.

Allowed IP Range  

Provide the range of IP addresses allowed to access Kyvos Instances. Use 0.0.0.0/0 to allow all users access.  

UsernameKmRepo

Enter the username to be used for connecting to the Kyvos Manager Repository.

NOTE: This parameter is displayed only when you select the Create New RDS option during the Kyvos template creation. 

PublicSubnets 

For deployments with Web portal high availability, if you selected a public subnet while creating the template, please select two public subnets.

AMI Configurations 

Enter the AMI default logged in Linux user

Each Linux instance launches with a default Linux system user account. For more details, refer to AWS documentation.

(Displayed only if you selected the Custom Image option at the time of creating the template)

Enter the AMI ID to be used for launching Kyvos Instances 

 Provide the AMI ID.

  1. Click NEXT.

Step 3: Configure stack options

  1. Tags: You can specify tags (key-value pairs) to apply to resources in your stack. You can add up to 50 unique tags for each stack.

Note

If deploying in a secure environment with Ranger deployed on AWS, then you MUST provide the tag as UsedBy=Kyvos

DO NOT use the UsedBy tag for any other deployments.

  1. Permissions: Choose an IAM role to explicitly define how CloudFormation can create, modify, or delete resources in the stack. If you don't choose a role, CloudFormation uses permissions based on your user credentials.

  2. Advanced options: Optionally, you can set additional options for your stack, like notification options and a stack policy. 
    Enter details as:

Parameter

Description/Remarks

Parameter

Description/Remarks

Stack policy

Defines the resources that you want to protect from unintentional updates during a stack update. Kyvos does not allow any updates in the stack, so you can leave this blank.

Rollback configuration

Specify alarms for CloudFormation to monitor when creating and updating the stack. If the operation breaches an alarm threshold, CloudFormation rolls it back.

  • Monitoring time (optional): The number of minutes after the operation completes that CloudFormation should continue monitoring the specified alarms.

  • CloudWatch alarm (optional): Amazon Resource Name (ARN) of the alarm to monitor.

Notification options

Specify SNS topic ARN (optional).

Stack creation options

  • Rollback on failure: Specifies whether the stack should be rolled back if stack creation fails.

  • Timeout: The number of minutes before a stack creation times out.

  • Termination protection: Prevents the stack from being accidentally deleted. Once created, you can update this through stack actions.

Step 4: Review

Review the settings selected so far. Click Previous if you need to change any configurations.

Warning

Please review the settings and information thoroughly. Once the stack is created, you CANNOT update any information. You will have to delete the stack and start over again.

Step 5: Create Stack

To proceed, select the I acknowledge checkbox and click Create Stack to create and deploy the Kyvos cluster on your AWS environment.

Stack creation starts and takes around 20-25 minutes. Once the cluster is deployed, you will receive the KMAccessUrl in the Outputs tab, as shown in the following figure.

Click the image to see a full-size view.

Note

You can start or stop your EC2 instance from your AWS Console at any time. However, once you start your instances, you need to start the Kyvos Services.

You can decide the number of machines that you want to turn off or keep running. For example, if you have 5 EC2 instances running, and want to turn off 2 of them, you can do this tool.

Caution

If you are deploying Kyvos in a secure environment with Ranger deployed on AWS, then you MUST follow the Post Deployment steps given at Ranger deployment for Kyvos AWS environment.

NEXT: Accessing Kyvos and Kyvos Manager

Copyright Kyvos, Inc. All rights reserved.