Skip to main content
Version: 3.11
    Features and pricing

    Deployment Guide on AWS

    This document explains how to deploy ScalarDB GraphQL servers on the Amazon EKS environment.

    We will deploy multiple GraphQL servers to an EKS cluster with an AWS Load Balancer Controller, which manages an internal AWS Application Load Balancer. The AWS Application Load Balancer handles HTTP cookie-based session affinity. When we deploy multiple GraphQL servers, session affinity is required to handle transactions properly. This is because GraphQL servers keep the transactions in memory, so GraphQL queries that use continued transactions must be routed to the same server that started the transaction.

    What we create

    In this guide, we will create the following components.

    • A VPC with NAT gateway
    • An EKS cluster with a Kubernetes node group
    • A managed database service
    • A bastion instance with a public IP
    • An internal ALB for load balancing HTTP requests using the AWS Load Balancer Controller.

    Step 1. Configure an EKS cluster

    Please follow steps 1 to 3 in the Deploy ScalarDL on AWS guide to set up a VPC, subnets, a bastion host, a database, an EKS cluster, and a node group.

    Note: That guide instructs to add a label to the node group with a key agentpool and a value scalardlpool. However, since we will deploy GraphQL servers, not ScalarDL, we should change the label. For example, the node group can be labeled with a key agentpool and a value scalardbgraphqlpool. The label can be used to select nodes when deploying ScalarDB GraphQL servers.

    In this document, a placeholder cluster name <your-cluster-name> will be used in command examples. Please change it to your cluster name.

    Step 2. Load Database Schema

    We need to load a database schema to the database before starting ScalarDB GraphQL.

    Here is an example for DynamoDB. For other databases and more detailed instructions, please refer to the ScalarDB Schema Loader.

    1. Create a database.properties configuration file for DynamoDB

      scalar.db.contact_points=<AWS region>
      scalar.db.username=<AWS access key ID>
      scalar.db.password=<AWS secret access Key>
      scalar.db.storage=dynamo

    2. Create a schema.json file. Please refer to the sample in the ScalarDB Schema Loader document.

    3. Load the schema to the database with ScalarDB Schema Loader

      docker run --rm -v $PWD/schema.json:/schema.json \
        -v $PWD/database.properties:/database.properties \
        ghcr.io/scalar-labs/scalardb-schema-loader:3.5.2 \
        -c /database.properties -f /schema.json --coordinator

    Step 3. Install eksctl

    Log in to the bastion host and install the eksctl command by following the official documents.

    We also need to install AWS CLI and configure AWS API credentials.

    Step 4. Install the AWS Load Balancer Controller add-on to EKS

    The AWS Load Balancer Controller is a controller to manage AWS Elastic Load Balancers for a Kubernetes cluster.

    We use it to create an AWS Application Load Balancer (ALB) in front of multiple GraphQL servers in the cluster. When we create a Kubernetes Ingress resource in the cluster, the controller provisions an ALB according to it.

    In this section, we will install the controller according to the official installation documents below.

    Set up IAM Permissions

    We need to set up IAM permissions before installing the AWS Load Balancer Controller so that the controller running on the worker nodes can manage ALBs on AWS.

    1. Create IAM OpenID Connect (OIDC) provider

      eksctl utils associate-iam-oidc-provider --cluster <your-cluster-name> --approve

      In the AWS Management Console, we can see an IAM Identity provider has been created.

      oidc-provider

    2. Download the IAM policy document for the AWS Load Balancer Controller

      curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.1/docs/install/iam_policy.json

    3. Create an IAM policy named AWSLoadBalancerControllerIAMPolicy

      aws iam create-policy \
        --policy-name AWSLoadBalancerControllerIAMPolicy \
        --policy-document file://iam-policy.json

      Please take note of the policy ARN created with the command, as we will specify it in the next step.

      In the AWS Management Console, we can see an IAM Policy has been created.

      lb-controller-iam-policy

    4. Create an IAM role and ServiceAccount for the AWS Load Balancer controller

      eksctl create iamserviceaccount \
        --cluster=<your-cluster-name> \
        --namespace=kube-system \
        --name=aws-load-balancer-controller \
        --attach-policy-arn=arn:aws:iam::<AWS account ID>:policy/AWSLoadBalancerControllerIAMPolicy \
        --override-existing-serviceaccounts \
        --approve

      Please specify the policy ARN from the previous step as the --attach-policy-arn option.

      To check if the IAM service account has been created, run:

      eksctl get iamserviceaccount --cluster=<your-cluster-name>
      NAMESPACE       NAME                            ROLE ARN
      kube-system     aws-load-balancer-controller    arn:aws:iam::***:role/******

      In the AWS Management Console, we can see an IAM Role has been created and the policy is attached to it.

      iam-role-for-serviceaccount

    Add AWS Load Balancer Controller to Cluster

    Now we can install the AWS Load Balancer Controller with Helm.

    1. Add the EKS chart repo to helm

      helm repo add eks https://aws.github.io/eks-charts

    2. Install the helm chart

      We need to specify both of the chart values serviceAccount.create=false and serviceAccount.name=aws-load-balancer-controller since we have already created a service account named aws-load-balancer-controller in the previous section.

      helm install aws-load-balancer-controller \
        eks/aws-load-balancer-controller -n kube-system \
        --set clusterName=<your-cluster-name> \
        --set serviceAccount.create=false \
        --set serviceAccount.name=aws-load-balancer-controller

      Note: If upgrading the chart using helm upgrade instead of helm install, the TargetGroupBinding CRDs must be installed manually before running the previous command.

      kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master"

    3. Verify that the controller is installed

      kubectl get deployment -n kube-system aws-load-balancer-controller
      NAME                           READY   UP-TO-DATE   AVAILABLE   AGE
      aws-load-balancer-controller   2/2     2            2           11s

    Step 5. Install ScalarDB GraphQL

    1. Create a secret to get the image from ghcr.io.

      kubectl create secret docker-registry reg-docker-secrets \
        --docker-server=ghcr.io \
        --docker-username=<github-username> \
        --docker-password=<github-personal-access-token>

      The GitHub Personal Access Token (PAT) specified here must have access with the read:packages scope.

    2. Create a custom values file.

      Download the scalardb-graphql-custom-values.yaml from the scalar-kubernetes repository. Note that the file is going to be versioned in the future, so you might want to change the branch to use a proper version.

      Please update the database configuration in the scalarDbGraphQlConfiguration key according to your needs. The namespaces should be the namespace you have loaded to the database.

      Under the ingress key, the className must be alb so that the Ingress object can control the ALB. The annotations specifies the behavior of the Ingress object. Especially, alb.ingress.kubernetes.io/target-group-attributes specifies the attributes of the Target Groups. stickiness.enabled=true is required here because we need cookie-based sticky sessions. (This setting requires alb.ingress.kubernetes.io/target-type to be set to ip). For more details about annotations, please refer to Ingress annotations.

      The affinity key specifies node affinity. With this example settings, the pods are scheduled based on node labels. The pods will be deployed to the nodes labeled with the key agentpool and the value scalardbgraphqlpool.

      The tolerations key is applied to the pods. With this example, you should add taints kubernetes.io/app=scalardbgraphqlpool:NoSchedule to each worker node where you do not want to deploy other pods than the ScalarDB GraphQL pod (e.g. application pods). In other words, the tainted nodes will be dedicated nodes for ScalarDB GraphQL.

    3. Add a tag to the subnets

      As shown in the custom values file above, we are creating an internal ALB by setting the annotation alb.ingress.kubernetes.io/scheme to internal (default). The internal ALB will discover subnets by the tag kubernetes.io/role/internal-elb. For more information on the Subnet Discovery, please refer to the documentation of the AWS Load Balancer Controller: Subnet Discovery - AWS Load Balancer Controller

      Add the tag to the private subnets using the AWS Management Console or by running the following aws commmand.

      aws ec2 create-tags --resources <Subnet ID> <Subnet ID> ... --tags "Key=kubernetes.io/role/internal-elb,Value=1"

    4. Install the Helm chart

      # Add Helm charts
      helm repo add scalar-labs https://scalar-labs.github.io/helm-charts

      # Install ScalarDB GraphQL with a release name `my-release-scalardb-graphql`
      helm upgrade --install my-release-scalardb-graphql \
        scalar-labs/scalardb-graphql --namespace default \
        -f scalardb-graphql-custom-values.yaml

    5. Verify that an internal ALB has been created

      kubectl get ingress
      NAME                          CLASS   HOSTS   ADDRESS                                                                           PORTS   AGE
      my-release-scalardb-graphql   alb     *       internal-k8s-default-myreleas-551ab46922-2136573255.us-west-1.elb.amazonaws.com   80      9m36s

      The ALB DNS name is output in the ADDRESS column.

    6. Test the ALB is working

      The following curl command sends a simple GraphQL request to the ALB. The ALB should return a 200 response.

      curl 'http://<ALB DNS name>/graphql -v -H 'Content-Type: application/graphql' --data '{__typename}'
      ...
      > POST /graphql HTTP/1.1
      ...
      < HTTP/1.1 200 OK
      ...
      < Set-Cookie: AWSALB=...; Expires=Tue, 24 May 2022 07:24:06 GMT; Path=/
      < Set-Cookie: AWSALBCORS=...; Expires=Tue, 24 May 2022 07:24:06 GMT; Path=/; SameSite=None
      ...
      {"data":{"__typename":"Query"}}

      Note on cookies: In this example, the ALB returns Set-Cookie response headers since the sticky sessions attributes are specified for the ALB Target Groups in the custom values file. By handling cookies, you can route the subsequent requests to the same target behind the ALB.

    Clean up the resources

    When you need to remove the resources you have created, uninstall/delete the resources in the following order.

    • ScalarDB GraphQL
    • IAM service account
    • Load Balancer IAM Policy
    • IAM OpenID Connect (OIDC) provider
    • Other resources

    Uninstall ScalarDB GraphQL

    The following command uninstalls ScalarDB GraphQL with a release name my-release-scalardb-graphql. This command will also remove the ALB since the Ingress resource manages it.

    helm uninstall my-release-scalardb-graphql --namespace default

    Delete IAM Service Account

    Delete the IAM policy that was created by the eksctl create iamserviceaccount command.

    eksctl delete iamserviceaccount --cluster=<your-cluster-name> --namespace=kube-system --name=aws-load-balancer-controller

    Delete Load Balancer IAM Policy

    Delete the IAM policy created by the aws iam create-policy command.

    aws iam delete-policy --policy-arn arn:aws:iam::<AWS account ID>:policy/AWSLoadBalancerControllerIAMPolicy

    Delete IAM OpenID Connect (OIDC) provider

    Delete the IAM OpenID Connect (OIDC) provider created by the eksctl utils associate-iam-oidc-provider.

    If you delete the cluster with an eksctl delete cluster command, the provider will be deleted automatically. But if you are deleting the cluster in a different way, or if you need to delete the provider without deleting the cluster, use the following commands:

    # List the providers
    aws iam list-open-id-connect-providers

    # Get the provider URL associated with the cluster
    aws eks describe-cluster --name <your-cluster-name> --output json | jq -r .cluster.identity.oidc.issuer

    # Find the ARN matching the URL from the list, and delete it
    aws iam delete-open-id-connect-provider --open-id-connect-provider-arn <Provider ARN (beginning with arn:aws:iam::)>

    Delete other resources

    Other resources created for deployment, such as node groups, EKS clusters, databases, VPCs, should be deleted as needed.