Infrastructure and deployment

Infrastructure and cloud hosting requirements

  • MOSIP cluster on Amazon EKS
    Overview:
    The instructions here install an EKS cluster on AWS along with a Network Load Balancer and Istio. We have chosen the cloud's Network Load Balancer (Layer 4) over the Application Load Balancer (Layer 7) because application load balancing is done by the Istio Ingress running inside the cluster.

  • Requirements for hosting:
    AWS ACM certificates for authorizing our domain names.
    AWS Route53 for domain mapping.
    Network Load Balancer

    Hardware requirements given by MOSIP:

    | No. of nodes | No. of vCPUs | RAM   | Storage | AWS Type of each node | Used as part of        |
    |--------------|--------------|-------|---------|-----------------------|------------------------|
    | 6            | 8 vCPU       | 32GB  | 64 GB   | t3.2xlarge            | Cluster nodes          |
    | 1            | 2 vCPU       | 4 GB  | 8 GB    | t2.micro              | Wireguard Bastion Node |

Hardware provided by Govstack:

    | No. of nodes | No. of vCPUs | RAM   | Storage | AWS Type of each node | Used as part of |
    |--------------|--------------|-------|---------|-----------------------|-----------------|
    | 7            | 8 vCPU       | 32GB  | 128 GB  | t3a.2xlarge           | Cluster nodes   |

  • Challenges, resolutions, and lessons learned

    • Technical challenges faced and strategies employed to overcome them.

      • If you face issues accessing the domain names, the cause may be that proxy protocol is not enabled on the target groups, or that the routing or the LB listener configuration is not done properly, so check each of these again.

      • When you access istio-system from the terminal, the EXTERNAL-IP section should show the DNS name of the load balancer; otherwise the endpoints cannot be accessed. This is caused by multiple security groups being attached to your nodes. Make sure only one security group is attached to each node.

      • If you face intermittent connectivity issues while logging in to eSignet, disable the Istio layer for the softhsm namespace by running the command below.
        kubectl label ns softhsm istio-injection=disabled --overwrite

      • Issues faced while building the INJI application can be resolved as follows.
        Inji Troubleshooting

        CARD DOWNLOAD AND ACTIVATION ISSUE (card keeps loading / does not download):

        Updated mimoto default properties

        idp.binding.base.url=https://api-internal.tfgovidbb.sandbox-playground.com/v1/esignet/binding

        BINDING_OTP=https://api-internal.tfgovidbb.sandbox-playground.com/binding-otp
        WALLET_BINDING=https://api-internal.tfgovidbb.sandbox-playground.com/wallet-binding

        LOGIN WITH ESIGNET ISSUE (unable to recognize the face)

        Updated inji default properties

        mosip.inji.faceSdkModelUrl=https://${mosip.api.internal.host}/inji
        mosip.inji.warningDomainName=https://${mosip.api.internal.host}

      • If you face issues accessing endpoints, the services need to be made publicly accessible via VirtualServices/Gateways.

      • Also change the configuration to use api-internal wherever you are using api.sandbox as a domain name.
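
The first two checks in the list above (proxy protocol on the target groups, one security group per node, and a load balancer DNS name under EXTERNAL-IP) can be run over saved CLI output. This is an added example, not part of the MOSIP or GovStack tooling; the function names and the sample JSON are constructed for illustration, and it assumes the standard JSON output of the commands named in the comments.

```python
# Constructed sample CLI output (not from a real account). Real input comes from:
#   aws elbv2 describe-target-group-attributes --target-group-arn <TARGET_GROUP_ARN>
#   aws ec2 describe-instances --instance-ids <NODE_INSTANCE_IDS>
#   kubectl get svc -n istio-system -o json
TG_ATTRS = {"Attributes": [{"Key": "proxy_protocol_v2.enabled", "Value": "false"}]}
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "SecurityGroups": [{"GroupId": "sg-01"}]},
    {"InstanceId": "i-0bbb", "SecurityGroups": [{"GroupId": "sg-01"}, {"GroupId": "sg-02"}]},
]}]}
SERVICES = {"items": [
    {"metadata": {"name": "istio-ingressgateway"}, "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {}}},
    {"metadata": {"name": "istiod"}, "spec": {"type": "ClusterIP"}, "status": {}},
]}


def proxy_protocol_enabled(tg_attrs):
    """True only if the NLB target group has proxy protocol v2 switched on."""
    attrs = {a["Key"]: a["Value"] for a in tg_attrs.get("Attributes", [])}
    return attrs.get("proxy_protocol_v2.enabled", "false").lower() == "true"


def nodes_with_multiple_sgs(instances):
    """Map instance id -> security group ids for nodes carrying more than one group."""
    nodes = [i for r in instances.get("Reservations", []) for i in r.get("Instances", [])]
    groups = {n["InstanceId"]: [g["GroupId"] for g in n.get("SecurityGroups", [])] for n in nodes}
    return {node: sgs for node, sgs in groups.items() if len(sgs) > 1}


def lb_services_without_hostname(services):
    """Names of LoadBalancer services whose EXTERNAL-IP is still empty (pending)."""
    def has_address(svc):
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        return any(i.get("hostname") or i.get("ip") for i in ingress)
    return [s["metadata"]["name"] for s in services.get("items", [])
            if s["spec"].get("type") == "LoadBalancer" and not has_address(s)]


def diagnose(tg_attrs, instances, services):
    """Return one finding per failed check; an empty list means all three passed."""
    findings = []
    if not proxy_protocol_enabled(tg_attrs):
        findings.append("target group: proxy_protocol_v2.enabled is not true")
    for node, sgs in nodes_with_multiple_sgs(instances).items():
        findings.append(f"node {node}: {len(sgs)} security groups ({', '.join(sgs)})")
    for name in lb_services_without_hostname(services):
        findings.append(f"service {name}: no load balancer DNS name in EXTERNAL-IP")
    return findings
```

On the constructed data, `diagnose(TG_ATTRS, INSTANCES, SERVICES)` reports all three problems; run it once per target group when the load balancer has several.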