Setting up Organisation Roost Control-plane

Assumptions: Setting it on AWS EC2 with Google Auth

Set up any one oAuth for Roost control-plane

Steps - Set up Google Auth Client

https://developers.google.com/identity/sign-in/web/sign-in
Login to https://console.cloud.google.com/apis/credentials
Create Credentials, Select OAuth Client and Application Type as Web Application
Add Authorised JavaScript Origin as
- https://roostapi.roost.io:60001
- https://<DNS_NAME
- http://localhost:3000
- http://localhost:4200
Add Authorised redirect URIs
- https://<DNS_NAME>/login
- https://<DNS_NAME>/api/auth/redirect/google
- https://roostapi.roost.io:60001/auth/redirect/google
Download the JSON
Make a note of the Google Client ID and the Client Secret (It is needed later in the config below)

Steps - Set up OKTA Auth Client

Sign-in to your OKTA account with admin privileges (If you do not have an existing Okta account then sign-up at http://developer.okta.com )
From the left navigation menu, go to Applications -> Applications
Select Create App Integration → OIDC - OpenID Connect → Web Application, then click Next
Fill in the suitable App integration name, upload the logo
Add Sign-in redirect URIs
- https://<DNS_NAME>/login
- https://<DNS_NAME>/api/auth/login/okta
- https://roostapi.roost.io:60001/auth/redirect/okta
Allow Access to users thru Assignments → Controlled Access
- Select the groups of users or Allow access to everyone
Save and Make a note of the Okta Client ID and the Client Secret (It is needed later in the config below)
From the left navigation menu, go to Security -> API
Make note of Issuer URI for default Authorization Server
- something like https://{your_domain}.okta.com/oauth2/default

Optional Step - Set up AWS RDS database

Select RDS
Choose Create Database
You can select “Easy Create” for “Amazon Aurora with MYSQL compatibility”
Make a note of the writer instance database end-point, user and password (It is needed later in the config below)
As a good practice, you can create a new user with read-write privileges and avoid using admin login.
Download and execute this sql as a one-time exercise
curl -L https://remote-roostprod.s3.us-west-1.amazonaws.com/roost.sql -o /tmp/roost.sql chmod +x /tmp/roost.sql sudo mysql # CREATE USER 'roost'@'localhost' identified WITH mysql_native_password by 'zbioRoost#123'; # GRANT ALL on *.* to 'roost'@'localhost'; \. /tmp/roost.sql

Optional Step - Set up Local Mysql database on Ubuntu instance

sudo apt update
sudo apt install mysql-server
sudo mysql_secure_installation

curl -L https://remote-roostprod.s3.us-west-1.amazonaws.com/roost.sql -o /tmp/roost.sql
chmod +x /tmp/roost.sql

sudo mysql
CREATE USER 'roost'@'localhost' identified WITH mysql_native_password by 'zbioRoost#123';
GRANT ALL on *.* to 'roost'@'localhost';
\. /tmp/roost.sql

Optional Step - Set up Load Balancer

Open the Amazon EC2 console and from the navigation bar, choose a Region for your load balancer. Be sure to select the same Region that you selected for your EC2 instances.
Under LOAD BALANCING, choose Load Balancers, click on Create Load Balancer.
Choose a Application Load Balancer, create.
Define the load balance with a name, scheme as internet-facing and IP address type as IPv4
For Network configuration, choose the default vpc, select a security group with 80 and 443 ports been opened and select the available Availability Zones
Add listeners with tcp 80 and TLS 443 and route the request to target group. Add a SSL/TLS certificate from ACM (Steps to create target group is given below)
Click on Create Load Balancer

Basic configuration for load balancer

Listener configuration

Steps to configure Target Group

i. Create a target group with instances as target type. Provide the target group name

ii. Set protocol as http, select the default vpc

iii. Set health check protocol as http and health check path as /api

iv. Add the Configured ec2 instances and click on create

v. Edit the target group attribute and enable the Stickiness and set Stickiness type as Load balancer generated cookie

Steps - EC2 Instance - Roost ControlPlane

This instance will be facing the team members for any Roost activity.

Launch EC2 instance
Choose Ubuntu 20 (ubuntu-focal-20.04) AMI
Instance Type as t3.medium
Security group to allow from control-plane traffic from any source IP or just the private VPC/Subnets
1. SSH (port 22)
2. HTTP (port 80)
3. HTTPS (port 443) and
4. Custom TCP Port 2502 (for Stun)
Root volume storage should be 20 GB or more
Preferred separate EBS volume of 100GB
Enable Avoid Accidental Termination and disable EBS delete on termination
Add tags and key-pair and launch
Download key-pair; change permissions to 0400
Review configuration and Launch Instance
Connect to EC2 using SSH once it is running

Steps - EC2 Instance - WebConsole proxy

This instance will also act as the default jumpHost for user managed clusters. Optionally, it can host a Docker Host and Docker Insecure Registry

Launch EC2 instance
Choose Ubuntu 20 (ubuntu-focal-20.04) AMI
Instance Type as t3.medium
Security group for web-console proxy to allow TCP traffic from VPC or any source IP
1. TCP Port 5000 for Docker Host
2. TCP Port 5002 for Docker Insecure Registry
3. TCP Port 60001 for JumpHost RoostApi Server
4. TCP Port 60002 for ClusterLauncher
5. TCP Port 60003 for EaaS API Server
6. TCP Port 60005 for Cypress Video Server
7. TCP Port 60006 for Web-console(gotty) default service - ubuntu user
8. TCP Port 62020-62050 for dynamic gotty ports - mapped to individual users
Root volume storage should be 20 GB or more
Preferred separate EBS volume of 100GB
Enable Avoid Accidental Termination and disable EBS delete on termination
Add tags and key-pair and launch
Download key-pair; change permissions to 0400
Review configuration and Launch Instance
Connect to EC2 using SSH once it is running

Steps - Installing dependencies on EC2 Instance

Mount the EBS volume
Check the 100GB disk NAME
lsblk

Use the EBS disk name that is not mounted

Steps - Install SSL Certs

Get the SSL_certs.key and SSL_certs.crt file for your organisation domain and put it under a folder that will be accessible to the current user. Preferred to be kept under /var/tmp/Roost/certs
It is possible to use a self generated certificate (not recommended though)
You can generate a self-signed certificate using command given below
The “root.cer” will have to be installed to the certificate authority on all Roost user systems as a trusted certificate. Article with steps for all OS is mentioned here https://zbio.atlassian.net/wiki/spaces/RFD/pages/1673134089
Instructions for generating the self-signed certs is given below.

6. Update the root.cnf and server.cnf to reflect your organisation name and the DNS entries

7. Run the open_ssl commands displayed in the output of get-certs.sh

Steps - Configure Roost Environment and Start Docker containers

Download config.json

Sample Config looks like the below

Replace the values to reflect for your organisation
Keep values empty of the client_id/secrets for the 3rd party that is not needed
Keep ENV_DATABASE detail unchanged if database is not external
Add JWT_SECRET
Recommend value of remote_console_proxy is same as enterprise_dns unless you want to start proxy elsewhere.
If your servers are behind Load Balancer user load_balancer : “true” for different configuration.

Starting the Roost.ai containers for the first time

Setting up Roost Proxy Server

Verifying the Roost.ai components

Connect to the public_ip/login using a browser
Use the 3rd party auth to connect to the control-plane

Next Steps:

Go to Admin Settings and

Enable cloud vendor of choice and provide default settings
Add the webconsole-proxy EC2 details in the “Configure EC2 Launcher”
Enable JumpHost and refresh the page
Go to JumpHost settings and add the webconsole-proxy EC2 details as 'default' jumpHost

Update Roost.ai Control-plane, when there is a new Roost release