okctl relies on services in AWS and GitHub to provide its functionality. In the following sections we describe some core services we use from the cloud provider.
Cloud providers offer a vast array of functionality for:
- Block storage
- Artificial intelligence
In okctl we use a subset of this functionality to provide a platform for running production workloads:
- Amazon Web Services as the cloud provider
- Virtual Private Cloud for network isolation
- Elastic Kubernetes Service for deploying and running applications
- Route53 for DNS
- Certificate Manager for issuing SSL/TLS certificates for secure communication
- Systems Manager Parameter Store for storing secrets
- RDS PostgreSQL providing a relational database
- Secrets Manager for storing rotatable secrets
- Cognito for authentication and authorisation
This isn't an exhaustive list of integrations, but gives some idea of the types of services we integrate with.
Amazon Web Services (AWS)¶
In okctl we use AWS as our cloud provider; there is no particular reason for preferring AWS over other cloud vendors, such as Microsoft Azure or Google Cloud. In Oslo kommune we can use any of these, but a number of teams have greater experience with AWS.
Virtual Private Cloud (VPC)¶
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
Elastic Kubernetes Service (EKS)¶
Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes (k8s) service. AWS operates the control plane (the API server and etcd) and is responsible for keeping it secure, reliable and scalable; we remain responsible for everything on our side of that boundary, such as the worker nodes, the IAM-to-RBAC mapping, network policies and the workloads themselves. Not having to run the control plane lets us spend more of our effort on application security.
K8s is an open-source system for automating deployment, scaling, and management of containerized applications. It provides a powerful platform to build applications on top of.
AWS Route53 (Route53)¶
AWS Route53 (Route53) is a highly available and scalable Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other.
```
$ dig test.oslo.systems NS +short
ns-327.awsdns-40.com.
ns-612.awsdns-12.net.
ns-1706.awsdns-21.co.uk.
ns-1322.awsdns-37.org.
```
AWS Certificate Manager (ACM)¶
AWS Certificate Manager (ACM) lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services, and your internal connected resources. SSL/TLS certificates secure network communication and establish the identity of websites over the Internet as well as resources on private networks.
```
$ curl -vvI https://argocd.veiviser.oslo.systems
<snip>
* Server certificate:
*  subject: CN=argocd.veiviser.oslo.systems
*  start date: Jun 17 00:00:00 2020 GMT
*  expire date: Jul 17 12:00:00 2021 GMT
*  subjectAltName: host "argocd.veiviser.oslo.systems" matched cert's "argocd.veiviser.oslo.systems"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
<snip>
```
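The two checks curl reports above, the validity window and the hostname match against the certificate's subjectAltName, are what every TLS client performs before trusting a server. The Python below makes them explicit; it is an added example, not code from okctl, and works on a certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns. The sample certificate is constructed from the values in the curl output and is not a parsed real certificate; the `warn_days` threshold is an assumption chosen for expiry monitoring.

```python
"""Certificate checks equivalent to what curl reports: validity window and
hostname match against the subjectAltName. Added example, not okctl code."""
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(),
# filled in from the curl output above; it is not a real, parsed certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "argocd.veiviser.oslo.systems"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Amazon"),),
        (("organizationalUnitName", "Server CA 1B"),),
        (("commonName", "Amazon"),),
    ),
    "notBefore": "Jun 17 00:00:00 2020 GMT",
    "notAfter": "Jul 17 12:00:00 2021 GMT",
    "subjectAltName": (("DNS", "argocd.veiviser.oslo.systems"),),
}


def cert_time(value):
    """Parse the OpenSSL time format used by getpeercert() into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match of one DNS SAN entry against a hostname.

    A wildcard is accepted only as the entire leftmost label and matches exactly
    one label: "*.oslo.systems" matches "a.oslo.systems" but neither
    "a.b.oslo.systems" nor "oslo.systems"; a bare "*.tld" pattern is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert, hostname):
    """True if any DNS subjectAltName covers hostname (the CN is deliberately ignored)."""
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(san, hostname) for san in sans)


def validity_status(cert, now=None, warn_days=30):
    """Classify the certificate's validity window relative to `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = cert_time(cert["notBefore"]), cert_time(cert["notAfter"])
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if not_after - now < timedelta(days=warn_days):
        return "expiring-soon"
    return "valid"


def check_certificate(cert, hostname, now=None, warn_days=30):
    """Combine both checks; `ok` is what a client needs in order to proceed."""
    status = validity_status(cert, now, warn_days)
    matched = hostname_matches(cert, hostname)
    return {"host_match": matched, "validity": status,
            "ok": matched and status in ("valid", "expiring-soon")}


if __name__ == "__main__":
    # In a live check the dict would come from a connected socket:
    #   ctx = ssl.create_default_context()
    #   with ctx.wrap_socket(socket.create_connection((host, 443)), server_hostname=host) as s:
    #       cert = s.getpeercert()
    # Here the constructed sample and a fixed clock keep the run reproducible.
    print(check_certificate(SAMPLE_CERT, "argocd.veiviser.oslo.systems",
                            now=cert_time("Jul 01 00:00:00 2021 GMT")))
```

Run against the sample with the clock set to 1 July 2021 the result is `host_match` true and `validity` "expiring-soon": the certificate is still usable, but with ACM-issued certificates this state is exactly what renewal automation (or a DNS validation record that went missing) should be watched for before it becomes "expired".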
AWS Systems Manager (Amazon SSM) Parameter Store¶
AWS Systems Manager (Amazon SSM) gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources.
The Parameter Store provides centralized storage and management of secrets and configuration data such as passwords, database connection strings and license codes. A value is stored either as plain text (`String` or `StringList`) or encrypted with a KMS key (`SecureString`); only `SecureString` is appropriate for secrets, since a plaintext parameter is readable by anyone with `ssm:GetParameter` on it, whereas reading a `SecureString` additionally requires `kms:Decrypt` on the key. Access is controlled with IAM at every level, typically by granting a workload read access only to its own parameter path.
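As an added example, not okctl's own code, the Python below does two things a practitioner wants around Parameter Store: it audits a `describe_parameters` listing for credentials that were stored as plaintext `String` parameters, and it builds the least-privilege IAM policy a workload needs to read `SecureString` values under a single path, with the `kms:Decrypt` grant restricted to calls made through Parameter Store. The parameter names, account id, region and KMS key ARN are placeholders, and the `SECRET_HINTS` name heuristic is an assumption; in practice the listing would come from `boto3.client("ssm").describe_parameters()`.

```python
"""Parameter Store hygiene: find secrets stored as plaintext String parameters and
build a least-privilege read policy for one parameter path. Added example; not okctl code."""
import fnmatch
import json
import re

# Constructed sample in the shape of ssm.describe_parameters()["Parameters"].
# Names, account id and key ARN below are placeholders, not real resources.
SAMPLE_PARAMETERS = [
    {"Name": "/okctl/demo/argocd/client-secret", "Type": "SecureString", "KeyId": "alias/aws/ssm"},
    {"Name": "/okctl/demo/db/password", "Type": "String"},
    {"Name": "/okctl/demo/db/host", "Type": "String"},
    {"Name": "/okctl/demo/github/token", "Type": "String"},
    {"Name": "/other-team/service/api-key", "Type": "SecureString", "KeyId": "alias/other-team"},
]
PLACEHOLDER_KEY_ARN = "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000"

# Name fragments that usually mean the value is a credential (heuristic, assumed).
SECRET_HINTS = re.compile(r"password|passwd|secret|token|api[-_]?key|private[-_]?key|credential", re.I)


def plaintext_secrets(parameters, path_prefix="/"):
    """Names under path_prefix that look like secrets but are not SecureString.

    String and StringList parameters are stored and returned in clear text, so a
    credential in one of them is readable by anyone holding ssm:GetParameter on
    it, with no KMS key policy acting as a second gate.
    """
    return [
        p["Name"]
        for p in parameters
        if p["Name"].startswith(path_prefix)
        and p["Type"] != "SecureString"
        and SECRET_HINTS.search(p["Name"])
    ]


def parameter_arn(name, region, account_id):
    """ARN of a parameter; hierarchical names already start with '/'."""
    return f"arn:aws:ssm:{region}:{account_id}:parameter{name}"


def read_policy(path_prefix, region, account_id, kms_key_arn):
    """IAM policy granting read access to parameters under one path only.

    GetParameter with WithDecryption=True on a SecureString also needs kms:Decrypt
    on the key; the kms:ViaService condition limits that grant to calls that go
    through Parameter Store in this region, so the key cannot be used directly.
    """
    prefix = "/" + path_prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOwnParameters",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
                "Resource": f"arn:aws:ssm:{region}:{account_id}:parameter{prefix}/*",
            },
            {
                "Sid": "DecryptViaParameterStore",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": kms_key_arn,
                "Condition": {"StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}},
            },
        ],
    }


def policy_covers(policy, arn):
    """True if an Allow statement's Resource pattern matches arn.

    Only the '*' wildcard is modelled; as in IAM it matches any run of
    characters, including '/'.
    """
    for statement in policy["Statement"]:
        resources = statement["Resource"]
        resources = resources if isinstance(resources, list) else [resources]
        if statement["Effect"] == "Allow" and any(fnmatch.fnmatchcase(arn, r) for r in resources):
            return True
    return False


if __name__ == "__main__":
    print("plaintext secrets:", plaintext_secrets(SAMPLE_PARAMETERS, "/okctl/demo"))
    print(json.dumps(read_policy("/okctl/demo", "eu-west-1", "123456789012", PLACEHOLDER_KEY_ARN), indent=2))
```

On the constructed listing the audit flags `/okctl/demo/db/password` and `/okctl/demo/github/token`, both stored as `String`, while `/okctl/demo/db/host` is ordinary configuration and is left alone. The generated policy covers `/okctl/demo/*` and nothing under `/other-team/`, which is the per-path isolation the paragraph above describes.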