EKS Add On

Using Calyptia Fluent Bit directly through AWS marketplace

Amazon Marketplace Integration

Calyptia Fluent Bit is available as an AWS marketplace offering, either by running the container images directly or by using the dedicated EKS Add On.

EKS Add On

The EKS Add On can be deployed with the provided Helm chart, or through the AWS CLI and UI.
The eksctl and helm tools are used below to simplify deployment.

Step 1: Create IAM policy

Before starting the deployment, assign an IAM policy with the appropriate IAM permission to a Kubernetes service account.
By default, the namespace and service account are set to calyptia-fluentbit.
This service account needs to be assigned the AWS managed policy arn:aws:iam::aws:policy/AWSMarketplaceMeteringRegisterUsage (or an equivalent one).
Here is an example IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "aws-marketplace:RegisterUsage"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Step 2: Ensure OIDC provider is set up

The Amazon EKS cluster needs to have an IAM OIDC provider enabled.
The AWS documentation "Creating an IAM OIDC provider for your cluster" provides more details.
Remember to replace CLUSTER_NAME with your actual Amazon EKS cluster name.
eksctl utils associate-iam-oidc-provider --cluster="$CLUSTER_NAME" --approve

Step 3: Create an IAM role for service account (IRSA)

The command below automates these manual steps:
  1. Create an IAM role with the AWS-managed IAM policy.
  2. Create a service account named calyptia-fluentbit in the calyptia-fluentbit namespace within the Amazon EKS cluster.
  3. Set up a trust relationship between the created IAM role and the calyptia-fluentbit service account.
  4. Modify the calyptia-fluentbit service account by associating it with the created IAM role.
Remember to replace CLUSTER_NAME with your actual Amazon EKS cluster name.
eksctl create iamserviceaccount \
--name calyptia-fluentbit \
--namespace calyptia-fluentbit \
--cluster CLUSTER_NAME \
--attach-policy-arn arn:aws:iam::aws:policy/AWSMarketplaceMeteringRegisterUsage \
--approve \
--override-existing-serviceaccounts
The AWS documentation provides more details on how to set up these kinds of relationships.
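The trust relationship from step 3 is what restricts the role to this one service account. The following Python check is an added example, not part of the original documentation or of Calyptia's code: it inspects a role trust policy document (for instance the `AssumeRolePolicyDocument` returned by `aws iam get-role`) and reports statements that are not pinned to the calyptia-fluentbit service account. The account ID, OIDC issuer and sample policies are constructed placeholders.

```python
import json

# Subject eksctl binds the role to in step 3: namespace and service account name.
EXPECTED_SUB = "system:serviceaccount:calyptia-fluentbit:calyptia-fluentbit"

def irsa_trust_findings(policy_json, expected_sub=EXPECTED_SUB):
    """Return problems found in an IRSA role trust policy (empty list = OK)."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = st.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if not isinstance(federated, str) or ":oidc-provider/" not in federated:
            findings.append(f"statement {i}: principal is not a single IAM OIDC provider")
            continue
        # Condition keys are prefixed with the issuer URL minus "https://".
        sub_key = federated.split(":oidc-provider/", 1)[1] + ":sub"
        cond = st.get("Condition", {})
        sub = cond.get("StringEquals", {}).get(sub_key)
        if sub == expected_sub:
            continue
        if sub is not None:
            findings.append(f"statement {i}: sub is {sub!r}, expected {expected_sub!r}")
        elif sub_key in cond.get("StringLike", {}):
            findings.append(f"statement {i}: sub uses StringLike; pin it with StringEquals")
        else:
            findings.append(f"statement {i}: no sub condition; any service account "
                            "in the cluster can assume the role")
    return findings

# Constructed sample data: account ID and issuer are placeholders.
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000000000"

def sample_policy(condition):
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]})

if __name__ == "__main__":
    good = sample_policy({"StringEquals": {f"{ISSUER}:sub": EXPECTED_SUB}})
    loose = sample_policy({"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}})
    print(irsa_trust_findings(good), irsa_trust_findings(loose))
```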

Step 4: Deploy with attached roles

Deploy the helm chart using the pre-created service account in the right region.
Remember to replace AWS_REGION with your actual Amazon region.
helm repo add calyptia https://helm.calyptia.com --force-update
helm repo update
helm upgrade --install calyptia-fluentbit calyptia/fluent-bit-eks-addon \
--set serviceAccount.create=false,region="$AWS_REGION" \
--wait

Calyptia Core integration

The Helm chart also supports direct integration with Calyptia Core by providing the token to use.
Remember to replace PROJECT_TOKEN with your actual Calyptia Core token.
helm upgrade --install calyptia-fluentbit calyptia/fluent-bit-eks-addon \
--set serviceAccount.create=false,region="$AWS_REGION" \
--set project_token="$PROJECT_TOKEN" \
--wait

Modify version deployed

To deploy with different versions of the Calyptia Fluent Bit AWS marketplace offering, just configure the image.tag key:
helm upgrade --install calyptia-fluentbit calyptia/fluent-bit-eks-addon \
--set serviceAccount.create=false,region="$AWS_REGION" \
--set image.tag="23.4.5" \
--wait

Other options

A separate helm chart is provided to deploy the AWS marketplace offering of Calyptia Fluent Bit directly. Refer to the installation instructions for the helm chart: https://github.com/calyptia/charts/tree/master/charts/aws-fluent-bit.
The container image can also be consumed directly in ECS or EKS pods, provided the IAM role is set up to allow it.