
Infrastructure Prerequisites

There are several pieces of infrastructure that a customer must have in place to install the Istari Digital Platform. These include:

  • A VPC.
  • An object store (AWS S3 bucket or Azure Blob Storage container).
  • An AWS RDS instance, or an equivalent PostgreSQL database.
  • A Kubernetes cluster. We recommend EKS (Elastic Kubernetes Service) for AWS.

Other Cloud Providers

  • The Istari Digital Platform currently supports AWS as the cloud provider.
  • Support for other cloud providers is under development. The Istari Digital Platform will be available on other cloud providers in the future.

Configuring The Kubernetes Cluster

The customer needs to provide a Kubernetes cluster. This can be an Elastic Kubernetes Service (EKS) Cluster if the customer is using AWS.

We recommend starting with the following EKS-specific configuration:

  • 3 availability zones (AZs) in the same region.
  • 3 private subnets of size /26 or larger. For long-term scalability needs, we recommend using subnets of size /24 or larger.
  • 2 worker nodes per subnet (6 total) of size t3.xlarge or larger. Only nodes with x86-64 architecture (also known as AMD64 and Intel 64) are supported at this time.

info

Both the Istari Digital Platform and the Istari Digital Agent can be run in the same VPC; however, Istari recommends using separate VPCs for each to ensure better isolation and security.

Service Mesh

A service mesh provides a number of features that are useful for managing microservices, including mTLS, traffic management, security, and observability. We recommend using Istio as the service mesh for the Istari Digital Platform because it is the most widely used and supported service mesh in the Kubernetes ecosystem and is also provided as a managed service by multiple cloud providers.

Create TLS Certificates

info

This step assumes that the customer domain is customer_domain.com. The customer domain should be replaced with the actual customer domain.

Create either a combined TLS certificate or separate TLS certificates for the subdomains istari.customer_domain.com and *.istari.customer_domain.com.

The Istari Digital Platform uses these certificates to secure the communication between the Istari Digital Platform and the Istari Digital Agent.

tip

If wildcard certificates are not an option, the following are the subdomains to consider for TLS certificates:

  • istari.customer_domain.com (This is what end users will see in their browsers)
  • registry-service.istari.customer_domain.com
  • spicedb.istari.customer_domain.com
  • zitadel.istari.customer_domain.com
  • mcp.istari.customer_domain.com (if planning to enable the MCP server)

info

SpiceDB and Zitadel can be hosted under different domains, but they must be accessible from the Istari Digital Platform. The Istari Digital Platform will not work if these services are not accessible.
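
The certificate names above can be checked before installation. The following is an added example, not Istari's own tooling: it takes the subject alternative names (SANs) of the issued certificates and reports which of the listed hostnames no certificate covers, using the standard TLS wildcard rule (a `*` stands for exactly one left-most label, so `*.istari.customer_domain.com` does not cover `istari.customer_domain.com` itself). The function names and the sample SAN lists are assumptions made for the illustration.

```python
# Added example: check that a set of certificate SAN entries covers every
# hostname the page lists. Matching follows the usual TLS rule (RFC 6125):
# "*" is allowed only as the whole left-most label and matches one label.

REQUIRED_SUBDOMAINS = ["", "registry-service", "spicedb", "zitadel"]  # "" = base name
OPTIONAL_MCP = "mcp"  # only needed if the MCP server is enabled


def required_hosts(base, enable_mcp=False):
    """Hostnames from the page, built on the base name istari.<customer domain>."""
    labels = REQUIRED_SUBDOMAINS + ([OPTIONAL_MCP] if enable_mcp else [])
    return [f"{label}.{base}" if label else base for label in labels]


def san_matches(san, host):
    """True if one SAN dNSName entry covers host."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # Wildcard: compare everything after the first label; the wildcard
    # stands for exactly one non-empty label, so it never matches the base name.
    first, _, rest = host.partition(".")
    return bool(first) and rest == san[2:]


def uncovered(sans, hosts):
    """Hosts not covered by any SAN entry, in input order."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    base = "istari.customer_domain.com"  # placeholder domain used on the page
    hosts = required_hosts(base, enable_mcp=True)
    # Constructed SAN lists, as they might be read from issued certificates.
    candidates = {
        "wildcard only": ["*.istari.customer_domain.com"],
        "combined": ["istari.customer_domain.com", "*.istari.customer_domain.com"],
        "per-host, mcp forgotten": required_hosts(base),
    }
    for name, sans in candidates.items():
        missing = uncovered(sans, hosts)
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

If SpiceDB or Zitadel are hosted under a different domain, pass their actual hostnames to `uncovered` instead of the ones built by `required_hosts`.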