# Post Cluster Configurations

> Complete post-cluster setup steps including DNS record creation and blob storage attachment for TrueFoundry.

Once your cluster is configured, the following steps need to be done.

## Creating a record for your load balancer

Once all the applications are created and the cluster is connected to the control plane, the domain on which the applications are to be served must resolve to the load balancer's hostname. To get the load balancer's hostname, run the following command:

<CodeGroup>
  ```bash Shell lines theme={"dark"}
  kubectl get svc -n istio-system tfy-istio-ingress -ojsonpath='{.status.loadBalancer.ingress[0].hostname}'
  ```
</CodeGroup>

Once you have the hostname, create a CNAME record pointing your endpoint at the load balancer's address. For example, if you want your applications to be hosted at `*.apps.example.com`, create a CNAME record in your DNS provider resolving `*.apps.example.com` to the load balancer's hostname from the command above. You can keep the TTL at `1m` or `60` seconds.

Once it is done, use the following command to check that the CNAME record resolves correctly:

```bash Shell lines theme={"dark"}
dig -t CNAME +short something.apps.example.com
```
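As an added example (not TrueFoundry's own tooling), the script below wires the two commands above together: it fetches the load balancer hostname with `kubectl`, queries a random label under the base domain so that the wildcard record is what answers, and compares the two after normalising case and the trailing dot that `dig` prints. The base domain argument and the `tfy-probe-` label are assumptions.

```python
"""Added example (not TrueFoundry's own tooling): confirm that the wildcard CNAME for the
base domain resolves to the hostname of the tfy-istio-ingress load balancer."""
import os
import subprocess
import sys


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive and dig prints a trailing dot; strip both."""
    return name.strip().lower().rstrip(".")


def cname_matches(expected_lb_hostname: str, dig_answer: str) -> bool:
    """True when any line of `dig +short` output is the load balancer hostname.
    An empty answer means no record (or a typo in the base domain)."""
    targets = [line for line in dig_answer.splitlines() if line.strip()]
    expected = normalize_name(expected_lb_hostname)
    return any(normalize_name(t) == expected for t in targets)


def load_balancer_hostname() -> str:
    """Run the kubectl command from this page and return the ingress hostname."""
    result = subprocess.run(
        ["kubectl", "get", "svc", "-n", "istio-system", "tfy-istio-ingress",
         "-o", "jsonpath={.status.loadBalancer.ingress[0].hostname}"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip()


def check_wildcard_cname(base_domain: str) -> bool:
    """Query a random label under the base domain so the wildcard record, not a
    stale explicit record, is what answers; the `tfy-probe-` label is arbitrary."""
    probe = f"tfy-probe-{os.getpid()}.{base_domain}"
    answer = subprocess.run(
        ["dig", "-t", "CNAME", "+short", probe],
        check=True, capture_output=True, text=True,
    ).stdout
    expected = load_balancer_hostname()
    ok = cname_matches(expected, answer)
    status = "OK" if ok else "MISMATCH"
    print(f"{status}: {probe} -> {answer.strip() or '<no answer>'} (expected {expected})")
    return ok


if __name__ == "__main__":
    # usage: python check_cname.py apps.example.com
    sys.exit(0 if check_wildcard_cname(sys.argv[1]) else 1)
```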

Once done, add the base domain URL in the **Integrations** tab by editing the cluster.

<Frame caption="Adding base domain URL">
  <img src="https://mintcdn.com/truefoundry/JFTbQOWMkMfvFjDC/images/b64be740-715f69f-image.png?fit=max&auto=format&n=JFTbQOWMkMfvFjDC&q=85&s=d33bd6af377f47504eef7629a413eb95" width="1480" height="414" data-path="images/b64be740-715f69f-image.png" />
</Frame>

## Attaching a blob storage

S3 Blob Storage is a cloud-based storage service that allows you to store and retrieve vast amounts of data in the form of objects, also known as blobs. It is designed to handle a wide variety of unstructured data, including documents, images, videos, backups, logs, and more. S3 provides durability, high availability, and scalability, making it an ideal solution for companies seeking reliable and cost-effective storage for their blob data.

### Attaching Blob storage to TrueFoundry's control plane

To attach a blob storage:

* Create a [S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html).

  * Make sure the bucket has a lifecycle configuration to [abort incomplete multipart uploads](https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpu-abort-incomplete-mpu-lifecycle-config.html) set to 7 days.
  * Make sure [CORS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enabling-cors-examples.html) is applied to the bucket with the configuration below:

    <CodeGroup>
      ```json JSON lines theme={"dark"}
      [
        {
          "AllowedHeaders": ["*"],
          "AllowedMethods": ["GET", "POST", "PUT"],
          "AllowedOrigins": ["*"],
          "ExposeHeaders": ["ETag"],
          "MaxAgeSeconds": 3000
        }
      ]
      ```
    </CodeGroup>

* [Create a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) with [programmatic access](https://docs.aws.amazon.com/workspaces-web/latest/adminguide/getting-started-iam-user-access-keys.html) or [Create an IAM role with assume role access](/docs/post-cluster-configurations#create-an-iam-role-with-assume-role) that has the permissions below. Save the credentials somewhere safe.

  <CodeGroup>
    ```json JSON lines theme={"dark"}
    {
      "Sid": "S3",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::<YOUR_S3_BUCKET_NAME>",
        "arn:aws:s3:::<YOUR_S3_BUCKET_NAME>/*"
      ]
    }
    ```
  </CodeGroup>

<Info>
  ### Giving full access to s3

  Currently there is a bug in our system that requires full S3 access in your cloud account. We are working on it and it will be resolved soon. For now to attach a blob storage
</Info>

* Once this is done, head over to **Integrations** tab and then click **Connect Storage**.
* Fill in the details

<Frame caption="Connect Storage">
  <img src="https://mintcdn.com/truefoundry/DdP_2rhue4AQQlob/images/3b3aa0c7-ec2312d-image.png?fit=max&auto=format&n=DdP_2rhue4AQQlob&q=85&s=fadc418505f3f781afeca32d8ce55015" width="1538" height="1290" data-path="images/3b3aa0c7-ec2312d-image.png" />
</Frame>

* In the storage root enter `s3://<bucket name>`
* Enter the access key and secret key which were generated while creating a user.

## Attaching Secrets Manager

Secrets Manager is a secure and scalable service provided by Amazon Web Services (AWS) that allows you to securely store and manage sensitive information, such as database credentials, API keys, and other secrets used in your applications. It provides a centralized and highly available solution for managing secrets, eliminating the need to hardcode sensitive information in your code or configuration files.

### Attaching secrets manager to True Foundry's control plane

* [Create a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) with [programmatic access](https://docs.aws.amazon.com/workspaces-web/latest/adminguide/getting-started-iam-user-access-keys.html) or [Create an IAM role with assume role access](/docs/post-cluster-configurations#create-an-iam-role-with-assume-role) that has the permissions below. Save the credentials somewhere safe. The user created for blob storage can also be reused, with the permissions below attached in addition.

  <CodeGroup>
    ```json JSON lines theme={"dark"}
    {
      "Sid": "SSM",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:DeleteParameters",
        "ssm:GetParameterHistory"
      ],
      "Resource": ["arn:aws:ssm:AWS_REGION:ACCOUNT_ID:parameter/tfy-secret/*"]
    }
    ```
  </CodeGroup>

* Go to the **Integrations** tab in the control plane and click **Connect Secret Store**.

* Fill in the AWS access key and AWS secret key, along with the right region, in the form.

<Frame caption="Connecting Secrets Store">
  <img src="https://mintcdn.com/truefoundry/PSBc0bX31_cIC7pm/images/dbee080b-3b93284-image.png?fit=max&auto=format&n=PSBc0bX31_cIC7pm&q=85&s=9d228dd1c075695e495e624f5b978163" width="1544" height="1014" data-path="images/dbee080b-3b93284-image.png" />
</Frame>

## Attaching container registry

AWS Elastic Container Registry (ECR) is a fully managed Docker container registry provided by Amazon Web Services (AWS). It serves as a secure and scalable storage solution for storing, managing, and deploying container images. With ECR, you can easily store and retrieve container images to facilitate the development, testing, and deployment of containerized applications.

### Attaching AWS ECR to True Foundry's control plane

[Create a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) with [programmatic access](https://docs.aws.amazon.com/workspaces-web/latest/adminguide/getting-started-iam-user-access-keys.html) or [Create an IAM role with assume role access](/docs/post-cluster-configurations#create-an-iam-role-with-assume-role) that has the permissions below. Save the credentials somewhere safe. The user created for blob storage or the secrets store can also be reused, with the permissions below attached in addition.

<CodeGroup>
  ```json JSON lines theme={"dark"}
  [
    {
      "Sid": "ECR",
      "Effect": "Allow",
      "Action": [
        "ecr:GetRegistryPolicy",
        "ecr:DescribeImageScanFindings",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:CreateRepository",
        "ecr:GetDownloadUrlForLayer",
        "ecr:DescribeImageReplicationStatus",
        "ecr:ListTagsForResource",
        "ecr:BatchGetRepositoryScanningConfiguration",
        "ecr:GetRegistryScanningConfiguration",
        "ecr:PutImage",
        "ecr:BatchGetImage",
        "ecr:DescribeRepositories",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetRepositoryPolicy",
        "ecr:GetLifecyclePolicy",
        "ecr:ListImages",
        "ecr:InitiateLayerUpload",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DeleteRepository",
        "ecr:UploadLayerPart"
      ],
      "Resource": ["arn:aws:ecr:AWS_REGION:ACCOUNT_ID:repository/tfy-*"]
    },
    {
      "Sid": "ECRRegistry",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeRegistry",
        "ecr:GetAuthorizationToken",
        "sts:GetServiceBearerToken"
      ],
      "Resource": ["*"]
    }
  ]
  ```
</CodeGroup>
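As an added example (not TrueFoundry's own code), the helper below fills the placeholders in the S3, SSM and ECR statements shown in the three sections above and sanity-checks the assembled document before it is attached to the user or role: IAM rejects a policy whose statements share a `Sid`, every placeholder must be replaced, and only the registry-level actions from the second ECR statement should be granted on `"Resource": "*"`. The bucket, region and account values used in the checks are constructed.

```python
"""Added example (not TrueFoundry's own code): fill the placeholders in the S3, SSM
and ECR statements from this page and sanity-check the result before attaching it."""
import json
from typing import Any

PLACEHOLDERS = ("<YOUR_S3_BUCKET_NAME>", "AWS_REGION", "ACCOUNT_ID")
# Registry-level calls that are not bound to a repository ARN and so need "Resource": "*";
# the set is taken from the second ECR statement on this page.
ALLOWED_ON_STAR = {"ecr:GetAuthorizationToken", "ecr:DescribeRegistry",
                   "sts:GetServiceBearerToken"}


def as_list(value: Any) -> list:
    """IAM accepts a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def fill_placeholders(policy_json: str, bucket: str, region: str, account_id: str) -> dict:
    """Substitute the page's placeholders and wrap bare statements in a policy document."""
    filled = (policy_json.replace("<YOUR_S3_BUCKET_NAME>", bucket)
              .replace("AWS_REGION", region)
              .replace("ACCOUNT_ID", account_id))
    doc = json.loads(filled)
    if isinstance(doc, list):                 # a list of statements
        doc = {"Version": "2012-10-17", "Statement": doc}
    elif "Statement" not in doc:              # a single statement
        doc = {"Version": "2012-10-17", "Statement": [doc]}
    return doc


def lint_policy(doc: dict) -> list[str]:
    """Return human-readable problems; an empty list means the document passed."""
    problems: list[str] = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    seen_sids: set = set()
    for stmt in as_list(doc.get("Statement", [])):
        sid = stmt.get("Sid")
        if sid is not None and sid in seen_sids:
            problems.append(f"duplicate Sid {sid!r}: IAM rejects policies with repeated Sids")
        seen_sids.add(sid)
        actions = set(as_list(stmt.get("Action", [])))
        for resource in as_list(stmt.get("Resource", [])):
            for placeholder in PLACEHOLDERS:
                if placeholder in resource:
                    problems.append(f"{sid}: placeholder {placeholder} not filled in {resource}")
            if resource == "*" and actions - ALLOWED_ON_STAR:
                problems.append(f"{sid}: {sorted(actions - ALLOWED_ON_STAR)} granted on every resource")
    return problems
```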

* Go to the **Integrations** tab in the control plane, find the **Docker registry** card and click **Connect Secret Store**.
* Fill in the AWS access key and AWS secret key with the right registry URL in the form. Click here to check your [Registry URL](https://docs.aws.amazon.com/AmazonECR/latest/userguide/Repositories.html). It will be of the form `aws_account_id.dkr.ecr.region.amazonaws.com`.

<Frame caption="Connecting Registry">
  <img src="https://mintcdn.com/truefoundry/DdP_2rhue4AQQlob/images/39ec5f1f-5061dd5-image.png?fit=max&auto=format&n=DdP_2rhue4AQQlob&q=85&s=7af3e8bce50dc8dea4e4cafa16dda681" width="1540" height="868" data-path="images/39ec5f1f-5061dd5-image.png" />
</Frame>

## Create an IAM role with assume role

* Using long-lived IAM access keys is a security risk and adds the overhead of rotating the keys.
* To avoid this, TrueFoundry supports an IAM role with assume-role access so that access keys can be avoided.
* Assuming this IAM role yields temporary credentials that expire after a certain time, resulting in a secure, key-less architecture.
* You can create an IAM role for TrueFoundry with the above permissions for [blob storage](/docs/post-cluster-configurations#attaching-blob-storage-to-truefoundrys-control-plane), [ECR](/docs/post-cluster-configurations#attaching-aws-ecr-to-true-foundrys-control-plane) and [SSM](/docs/post-cluster-configurations#attaching-secrets-manager-to-true-foundrys-control-plane).
* The role should have the following trust relationship added (if you are using TrueFoundry's control plane):

  <CodeGroup>
    ```json JSON lines theme={"dark"}
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::416964291864:role/tfy-ctl-euwe1-production-truefoundry-deps"
          },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    }
    ```
  </CodeGroup>
