Deploying Edge Services on AWS

This guide helps you deploy Redact Edge in an AWS environment as part of an EKS cluster.

Prerequisites

Ensure you have the following before starting the deployment:

  • An AWS account with sufficient IAM permissions to manage EKS resources
  • AWS CLI installed and configured with your credentials
  • Docker installed and configured (optional)
  • Access to Pangea's private Docker Hub repository (granted by a Pangea representative)
  • Vault and Redact services set up in your Pangea Console, which provide the environment variables below

Environment Configuration

Configure the required environment variables and set up Docker access for your deployment.

Environment Variables

Use values from your Pangea Console to set these environment variables:

PANGEA_CSP=aws                            # Cloud Service Provider
PANGEA_VAULT_SERVICE_TOKEN_ID=pvi_XXX # Vault Service Token ID
PANGEA_VAULT_TOKEN=pts_XXX # Vault Token
PANGEA_REGION=us # Deployment Region
PANGEA_REDACT_TOKEN=XXX # Redact Service Token

These variables can be found in your Pangea Console under the Edge Configuration section:

  1. Navigate to your Pangea Console
  2. Go to "Services" → "Redact", then under Settings open "Edge"
  3. After you complete the preliminary steps for this, you should find the following:

[Image: Redact Edge secrets]

Copy these directly from the console so you can set these variables in your environment using:

export PANGEA_CSP=aws
export PANGEA_VAULT_SERVICE_TOKEN_ID=your_token_id
# ... repeat for other variables

Note: Keep these tokens secure and never commit them to version control.

Docker Registry Access

Pull the Redact Edge container image from Pangea's private repository:

docker pull pangeacyber/redact:latest

EKS Deployment

For production environments, deploy Redact Edge on AWS Elastic Kubernetes Service (EKS) to take advantage of container orchestration, scaling, and high availability features.

  1. Create an EKS Cluster

    If you don't have an EKS cluster, follow the EKS setup guide to create one.

    Note: some requirements for the cluster:

    • Ensure your cluster has sufficient IAM permissions for Kubernetes.
    • Use an AMD64-compatible node group unless ARM64 is required.
    • Configure appropriate VPC networking for your EKS cluster.
  2. Configure Access to Your Cluster

    Use the AWS CLI to retrieve cluster credentials and configure kubectl:

    aws eks update-kubeconfig --region <region> --name <cluster-name>
    kubectl create namespace pangea-edge
  3. Create a Docker Pull Secret

    To pull the Redact Edge image from Pangea's private repository, create a file named pangea_dockerhub_pull_secret.yaml:

    apiVersion: v1
    kind: Secret
    metadata:
      name: pangea-registry-key
      namespace: pangea-edge
    type: kubernetes.io/dockerconfigjson
    data:
      .dockerconfigjson: [base64-encoded-docker-config]

    Note: Replace [base64-encoded-docker-config] with the base64-encoded Docker credentials. More details can be found here.

  4. Apply the Docker Pull Secret

    Save the file and apply it to the namespace:

    kubectl apply -f pangea_dockerhub_pull_secret.yaml
  5. Create a Vault Token Secret

    Create a secret for the Vault token in a file named pangea_vault_token.yaml:

    apiVersion: v1
    kind: Secret
    metadata:
      name: vault-token
      namespace: pangea-edge
    type: Opaque
    data:
      PANGEA_VAULT_TOKEN: [base64-encoded-vault-token]

    Note: Replace [base64-encoded-vault-token] with the base64-encoded Vault token from the environment configuration.

  6. Apply the Vault Token Secret

    Save the file and apply it to the namespace:

    kubectl apply -f pangea_vault_token.yaml
  7. Deploy Redact Edge

    Create a deployment file named pangea_redact_eph_deployment.yaml:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      namespace: pangea-edge
      name: redact-edge
      labels:
        app: redact-edge
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: redact-edge
      template:
        metadata:
          labels:
            app: redact-edge
        spec:
          containers:
            - name: redact-edge
              image: pangeacyber/redact:latest
              env:
                - name: PANGEA_REGION
                  value: "us"
                - name: PANGEA_CSP
                  value: "aws"
                # Path of the file mounted from the vault-token Secret (see volumeMounts)
                - name: PANGEA_VAULT_TOKEN
                  value: "/var/run/secrets/PANGEA_VAULT_TOKEN"
                - name: PANGEA_VAULT_SERVICE_TOKEN_ID
                  value: "<your-service-token-id>"
                - name: REDACT_CONFIG_DATA_COMMON_CLOUD_ONPREM_BM_RECORD_LOCAL_SUBMISSION_ENABLED
                  value: "true"
              volumeMounts:
                - name: ephemeral-storage
                  mountPath: "/var/pangea/data"
                - name: pangea-vault-token
                  mountPath: /var/run/secrets
              ports:
                - containerPort: 8000
          volumes:
            - name: ephemeral-storage
              emptyDir: {}
            - name: pangea-vault-token
              secret:
                secretName: vault-token

          imagePullSecrets:
            - name: pangea-registry-key

    Apply the deployment:

    kubectl apply -f pangea_redact_eph_deployment.yaml
  8. Expose the Deployment

    Create a service file named pangea_redact_service.yaml:

    apiVersion: v1
    kind: Service
    metadata:
      namespace: pangea-edge
      name: redact-edge-service
    spec:
      type: LoadBalancer
      selector:
        app: redact-edge
      ports:
        - protocol: TCP
          port: 8000
          targetPort: 8000

    Apply the service configuration:

    kubectl apply -f pangea_redact_service.yaml
  9. Set Up Ingress

    Create an ingress configuration file named simple-edge-ingress.yaml:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: redact-edge-ingress
      namespace: pangea-edge
    spec:
      ingressClassName: alb
      rules:
        - http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: redact-edge-service
                    port:
                      number: 8000

    Apply the ingress configuration:

    kubectl apply -f simple-edge-ingress.yaml
  10. Test Your Deployment

    Use the external IP provided by the load balancer to test:

    curl -sSLX POST 'http://<load-balancer-ip>:8000/v1/redact' \
    -H 'Authorization: Bearer <your-redact-token>' \
    -H 'Content-Type: application/json' \
    -d '{"text":"This is test text with sensitive data SSN:123-45-6789"}'
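
For steps 3 and 5, one way to produce the two base64 values and render the Secret manifests from environment variables, as an added example that is not part of Pangea's documentation. `DOCKER_USER` and `DOCKER_PASS` are hypothetical variable names for your Docker Hub credentials, and `https://index.docker.io/v1/` is assumed as the Docker Hub registry key.

```shell
#!/bin/sh
# Added example (not Pangea tooling); DOCKER_USER/DOCKER_PASS are hypothetical.

# base64 on one line: GNU base64 wraps at 76 columns, which breaks YAML values.
b64() { base64 | tr -d '\n'; }

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Build the Docker config JSON that .dockerconfigjson must contain.
docker_config_json() {
    auth=$(printf '%s:%s' "$1" "$2" | b64)
    printf '{"auths":{"https://index.docker.io/v1/":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$auth"
}

# Step 3 manifest: pangea-registry-key.
render_pull_secret() {
    cfg=$(docker_config_json "$1" "$2" | b64)
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: pangea-registry-key
  namespace: pangea-edge
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
}

# Step 5 manifest: vault-token.
render_vault_secret() {
    # printf, not echo: echo would append a newline that becomes part of the token.
    tok=$(printf '%s' "$1" | b64)
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: vault-token
  namespace: pangea-edge
type: Opaque
data:
  PANGEA_VAULT_TOKEN: $tok
EOF
}
# Pipe to the cluster so no token-bearing file is left on disk, e.g.:
#   render_vault_secret "$PANGEA_VAULT_TOKEN" | kubectl apply -f -
```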

Monitoring and Troubleshooting

Use the AWS CLI or kubectl to debug:

# EKS logs
kubectl logs -n pangea-edge -l app=redact-edge

# Check pod status
kubectl get pods -n pangea-edge
