docker-erpnext/documentation/deployment-guides/aws-managed/kubernetes-manifests/secrets.yaml
Brian Tan Seng 8894bbf56e ⏺ Perfect! I have successfully created the complete AWS equivalent of the GCP managed services
deployment documentation. Here's a summary of what was created:

  📁 AWS Managed Services Documentation Structure

  Main Documentation Files:

  1. README.md - Comprehensive overview and decision guide
  2. 00-prerequisites-managed.md - AWS setup, VPC, security, and managed services
  3. 01-ecs-managed-deployment.md - Amazon ECS with Fargate deployment
  4. 02-eks-managed-deployment.md - Amazon EKS deployment
  5. 03-production-managed-setup.md - Production hardening and advanced features

  Kubernetes Manifests (kubernetes-manifests/):

  - namespace.yaml - Namespace with resource quotas and network policies
  - storage.yaml - EFS and EBS storage classes and PVCs
  - configmap.yaml - Application configuration and Nginx config
  - secrets.yaml - External Secrets Operator integration with AWS Secrets Manager
  - erpnext-backend.yaml - Backend deployment with RDS connectivity
  - erpnext-frontend.yaml - Frontend deployment with load balancing
  - erpnext-workers.yaml - Worker deployments for different queues
  - ingress.yaml - AWS Load Balancer Controller ingress configuration
  - jobs.yaml - Site creation and backup automation jobs

  Deployment Scripts (scripts/):

  - deploy-ecs.sh - Automated ECS deployment script
  - deploy-eks.sh - Automated EKS deployment script

  🔄 Key AWS Managed Services Used:

  Instead of GCP → AWS Equivalent:
  - Cloud SQL → Amazon RDS for MySQL
  - Memorystore → Amazon MemoryDB for Redis
  - Cloud Run → Amazon ECS with Fargate
  - GKE → Amazon EKS
  - Cloud Storage → Amazon S3
  - Secret Manager → AWS Secrets Manager
  - VPC Access Connector → VPC Endpoints/NAT Gateway

  🎯 Key Features Included:

  Production-Ready Features:

  - High Availability - Multi-AZ RDS and MemoryDB deployment
  - Auto-scaling - ECS Service Auto Scaling and EKS HPA
  - Security - VPC isolation, IAM roles, WAF, encryption
  - Monitoring - CloudWatch, X-Ray, custom metrics
  - Backup & DR - Automated backups, cross-region replication
  - Cost Optimization - Reserved instances, spot instances, right-sizing

  Deployment Options:

  - 🚀 Amazon ECS with Fargate - Serverless containers, minimal ops
  - ⚙️ Amazon EKS - Full Kubernetes with advanced features
  - 🛡️ Production Hardening - WAF, enhanced monitoring, security

  Automation Scripts:

  - 📜 One-click deployment scripts for both ECS and EKS
  - 🔧 Infrastructure as Code approach
  - 📊 Cost estimation and optimization guidance

  The documentation provides a complete migration path from GCP to AWS with equivalent managed
  services, maintaining the same level of reliability and operational efficiency while
  leveraging AWS-native services and best practices.
2025-08-22 19:15:03 +08:00

209 lines
4.9 KiB
YAML

# External Secrets Operator configuration for AWS Secrets Manager integration
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secretstore
  namespace: erpnext
  labels:
    app: erpnext
    component: secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          # The referenced service account must carry the IRSA role annotation
          # (see the ServiceAccount definitions at the end of this file).
          serviceAccountRef:
            name: erpnext-sa
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: erpnext-db-secret
  namespace: erpnext
  labels:
    app: erpnext
    component: database
spec:
  refreshInterval: 15s
  secretStoreRef:
    name: aws-secretstore
    kind: SecretStore
  target:
    name: erpnext-db-secret
    creationPolicy: Owner
    template:
      type: Opaque
      metadata:
        labels:
          app: erpnext
          component: database
      data:
        password: "{{ .password }}"
        # Additional database connection string templates.
        # The password is interpolated verbatim: a value containing URL-reserved
        # characters (@ : / ?) must be URL-encoded before it is usable in this form.
        mysql-uri: "mysql://admin:{{ .password }}@${DB_HOST}:3306/erpnext"
  data:
    - secretKey: password
      remoteRef:
        key: erpnext/database/password
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: erpnext-redis-secret
  namespace: erpnext
  labels:
    app: erpnext
    component: cache
spec:
  refreshInterval: 15s
  secretStoreRef:
    name: aws-secretstore
    kind: SecretStore
  target:
    name: erpnext-redis-secret
    creationPolicy: Owner
    template:
      type: Opaque
      metadata:
        labels:
          app: erpnext
          component: cache
      data:
        password: "{{ .password }}"
        # Redis connection strings with auth (same URL-encoding caveat as the MySQL URI)
        redis-cache-url: "redis://:{{ .password }}@${REDIS_HOST}:6379/0"
        redis-queue-url: "redis://:{{ .password }}@${REDIS_HOST}:6379/1"
        redis-socketio-url: "redis://:{{ .password }}@${REDIS_HOST}:6379/2"
  data:
    - secretKey: password
      remoteRef:
        key: erpnext/redis/password
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: erpnext-admin-secret
  namespace: erpnext
  labels:
    app: erpnext
    component: admin
spec:
  refreshInterval: 15s
  secretStoreRef:
    name: aws-secretstore
    kind: SecretStore
  target:
    name: erpnext-admin-secret
    creationPolicy: Owner
    template:
      type: Opaque
      metadata:
        labels:
          app: erpnext
          component: admin
      data:
        password: "{{ .password }}"
  data:
    - secretKey: password
      remoteRef:
        key: erpnext/admin/password
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: erpnext-api-secret
  namespace: erpnext
  labels:
    app: erpnext
    component: api
spec:
  refreshInterval: 15s
  secretStoreRef:
    name: aws-secretstore
    kind: SecretStore
  target:
    name: erpnext-api-secret
    creationPolicy: Owner
    template:
      type: Opaque
      metadata:
        labels:
          app: erpnext
          component: api
      data:
        api-key: "{{ .api_key }}"
        api-secret: "{{ .api_secret }}"
  data:
    # Both values live in one JSON secret in Secrets Manager; `property`
    # selects the field of that JSON document.
    - secretKey: api_key
      remoteRef:
        key: erpnext/api/credentials
        property: api_key
    - secretKey: api_secret
      remoteRef:
        key: erpnext/api/credentials
        property: api_secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: erpnext-ssl-certs
  namespace: erpnext
  labels:
    app: erpnext
    component: ssl
spec:
  refreshInterval: 24h
  secretStoreRef:
    name: aws-secretstore
    kind: SecretStore
  target:
    name: erpnext-ssl-certs
    creationPolicy: Owner
    template:
      type: kubernetes.io/tls
      metadata:
        labels:
          app: erpnext
          component: ssl
      data:
        tls.crt: "{{ .certificate }}"
        tls.key: "{{ .private_key }}"
        ca.crt: "{{ .ca_certificate }}"
  data:
    - secretKey: certificate
      remoteRef:
        key: erpnext/ssl/certificate
    - secretKey: private_key
      remoteRef:
        key: erpnext/ssl/private_key
    - secretKey: ca_certificate
      remoteRef:
        key: erpnext/ssl/ca_certificate
---
# Service Account with IRSA (IAM Roles for Service Accounts) annotations
apiVersion: v1
kind: ServiceAccount
metadata:
  name: erpnext-sa
  namespace: erpnext
  labels:
    app: erpnext
    component: serviceaccount
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/eksctl-erpnext-cluster-addon-iamserviceaccount-erpnext-erpnext-sa-Role1-${ROLE_SUFFIX}
# The projected token must be mounted for the IRSA web-identity exchange to work
automountServiceAccountToken: true
---
# Additional service account for external secrets operator
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-sa
  namespace: erpnext
  labels:
    app: erpnext
    component: external-secrets
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/eksctl-erpnext-cluster-addon-iamserviceaccount-external-secrets-external-secrets-operator-Role1-${ROLE_SUFFIX}
automountServiceAccountToken: true
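A drift between `target.template.data` and `spec.data` in a manifest like the one above fails only at reconciliation time, and a `secretStoreRef` that names a store which is not defined leaves the ExternalSecret permanently unready. The following pre-apply check is an added example (it is not part of the docker-erpnext repository or of External Secrets Operator): it scans a multi-document manifest and reports, per ExternalSecret, template variables with no matching `data[].secretKey`, fetched keys the template never uses, and store references with no SecretStore in the same file. It works on the raw text rather than a YAML parser, so it assumes the two-space indentation used above and a `metadata:` block that begins with `name:`. The sample manifests embedded in it are constructed, and their resource names (`app-db-secret`, `app-api-secret`, `aws-secretstore-prod`) are hypothetical.

```python
"""Consistency lint for ExternalSecret manifests (added example; not project code)."""
import re
import sys

DOC_SPLIT = re.compile(r"^---[ \t]*$", re.MULTILINE)
KIND = re.compile(r"^kind:[ \t]*(\S+)", re.MULTILINE)
NAME = re.compile(r"^metadata:\n[ \t]+name:[ \t]*(\S+)", re.MULTILINE)
STORE_REF = re.compile(r"secretStoreRef:\n[ \t]+name:[ \t]*(\S+)")
TEMPLATE_VAR = re.compile(r"\{\{\s*\.([A-Za-z0-9_]+)\s*\}\}")  # {{ .password }}
SECRET_KEY = re.compile(r"^[ \t]*-[ \t]*secretKey:[ \t]*(\S+)", re.MULTILINE)


def parse_docs(manifest):
    """Yield (kind, name, text) for every document that declares both."""
    for doc in DOC_SPLIT.split(manifest):
        kind, name = KIND.search(doc), NAME.search(doc)
        if kind and name:
            yield kind.group(1), name.group(1), doc


def lint_external_secrets(manifest):
    """Return {ExternalSecret name: [issue, ...]}; an empty dict means consistent."""
    docs = list(parse_docs(manifest))
    stores = {name for kind, name, _ in docs if kind == "SecretStore"}
    problems = {}
    for kind, name, doc in docs:
        if kind != "ExternalSecret":
            continue
        issues = []
        provided = set(SECRET_KEY.findall(doc))      # spec.data[].secretKey
        referenced = set(TEMPLATE_VAR.findall(doc))  # {{ .x }} inside target.template
        for var in sorted(referenced - provided):
            issues.append("template references {{ ." + var + " }} but no data entry provides secretKey " + var)
        if "template:" in doc:  # without a template every fetched key lands in the Secret, so none is unused
            for var in sorted(provided - referenced):
                issues.append("secretKey " + var + " is fetched but the template never uses it")
        ref = STORE_REF.search(doc)
        if ref and ref.group(1) not in stores:
            issues.append("secretStoreRef " + ref.group(1) + " does not match any SecretStore in this file")
        if issues:
            problems[name] = issues
    return problems


# Constructed sample manifests with hypothetical resource names (not the repository's file).
SAMPLE_OK = """\
kind: SecretStore
metadata:
  name: aws-secretstore
---
kind: ExternalSecret
metadata:
  name: app-db-secret
spec:
  secretStoreRef:
    name: aws-secretstore
  target:
    template:
      data:
        password: "{{ .password }}"
        uri: "mysql://admin:{{ .password }}@db:3306/app"
  data:
    - secretKey: password
      remoteRef:
        key: app/database/password
"""

# Same layout with two drifts: a template variable nobody fetches, an unused fetched
# key, and a secretStoreRef pointing at a store that is not defined in the file.
SAMPLE_DRIFTED = """\
kind: SecretStore
metadata:
  name: aws-secretstore
---
kind: ExternalSecret
metadata:
  name: app-db-secret
spec:
  secretStoreRef:
    name: aws-secretstore
  target:
    template:
      data:
        uri: "mysql://{{ .username }}:{{ .password }}@db:3306/app"
  data:
    - secretKey: password
---
kind: ExternalSecret
metadata:
  name: app-api-secret
spec:
  secretStoreRef:
    name: aws-secretstore-prod
  target:
    template:
      data:
        api-key: "{{ .api_key }}"
  data:
    - secretKey: api_key
    - secretKey: api_secret
"""

if __name__ == "__main__":
    # Usage: python lint_external_secrets.py kubernetes-manifests/secrets.yaml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DRIFTED
    for name, issues in lint_external_secrets(text).items():
        for issue in issues:
            print(name + ": " + issue)
```

Run it against the rendered manifest (after `envsubst` has filled in `${DB_HOST}` and friends, since the check does not care about those placeholders) as a CI step before `kubectl apply`; a non-empty result is the signal that the Secrets Manager layout and the manifest have drifted apart.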