
Deploy Portefaix on Alibaba Cloud

This guide shows you how to deploy a Portefaix platform on Alibaba Cloud using Alibaba Cloud Container Service for Kubernetes (ACK), OSS for Terraform state storage, and TableStore for state locking.

Goal: a running ACK cluster with Portefaix stacks continuously reconciled by ArgoCD, using RAM roles for workload authentication.

Prerequisites

  • An Alibaba Cloud account; do the deployment as a RAM user, never with root-account credentials
  • aliyun CLI configured with that RAM user's AccessKey pair
  • Terraform ≥ 1.5, kubectl, and Helm installed locally
  • RAM permissions on ECS, VPC, CS (Container Service), OSS, and OTS (TableStore) for that user; the AdministratorAccess policy works for a first deployment but is broader than the steps below need

1. Configure your environment

Add Alibaba Cloud credentials to your Portefaix config file at $HOME/.config/portefaix/portefaix.sh. The file holds a long-lived AccessKey pair, so keep it out of version control and readable only by you (chmod 600):

function setup_alicloud() {
    # AccessKey pair of the RAM user used for the deployment (placeholder values)
    export ALICLOUD_ACCESS_KEY="LTAI5xxxxxxxxxxxxxxx"
    export ALICLOUD_SECRET_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    export ALICLOUD_REGION="eu-central-1"
    # Mirrored into TF_VAR_* for the Portefaix Terraform modules; the alicloud
    # provider itself also reads the ALICLOUD_* variables directly
    export TF_VAR_access_key="$ALICLOUD_ACCESS_KEY"
    export TF_VAR_secret_key="$ALICLOUD_SECRET_KEY"
    export TF_VAR_region="$ALICLOUD_REGION"
}

Source the file in the shell you deploy from and pick the environment:

. "$HOME/.config/portefaix/portefaix.sh" alicloud

export PORTEFAIX_ENV="staging"
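A preflight script for the environment set up above, added here as an example and not part of Portefaix: it refuses to continue if the ALICLOUD_* variables are unset, if the config file is readable by other users, or if aliyun sts GetCallerIdentity reports the root account ("Account") rather than a RAM user or assumed role. The two sample identity documents are constructed for the self-check; the PORTEFAIX_CONFIG override and the "check" argument are assumptions of this script.

```shell
#!/bin/sh
# Added preflight check for the Alibaba Cloud credential setup (example code, not Portefaix's own).
# Assumes the config file path from this page; only live call is `aliyun sts GetCallerIdentity`.
set -eu

# Constructed sample responses of GetCallerIdentity, used for the offline self-check.
SAMPLE_ROOT_IDENTITY='{"AccountId":"123456789012","Arn":"acs:ram::123456789012:root","IdentityType":"Account","PrincipalId":"123456789012","RequestId":"a1"}'
SAMPLE_RAM_IDENTITY='{"AccountId":"123456789012","Arn":"acs:ram::123456789012:user/portefaix","IdentityType":"RAMUser","PrincipalId":"2","RequestId":"b2","UserId":"2"}'

# True when group and other permission bits are all empty (works with GNU and BSD ls).
file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Pull IdentityType out of a GetCallerIdentity JSON document without needing jq.
identity_type_of() {
    printf '%s' "$1" | tr -d '\n' | sed -n 's/.*"IdentityType" *: *"\([^"]*\)".*/\1/p'
}

# Succeeds for a RAM user or an assumed role; the root account ("Account") is refused.
identity_is_ram() {
    case "$(identity_type_of "$1")" in
        RAMUser|AssumedRoleUser) return 0 ;;
        *) return 1 ;;
    esac
}

# Stop before terraform/kubectl touch anything if the environment is not what we expect.
preflight_check() {
    conf="${PORTEFAIX_CONFIG:-$HOME/.config/portefaix/portefaix.sh}"
    for v in ALICLOUD_ACCESS_KEY ALICLOUD_SECRET_KEY ALICLOUD_REGION; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "preflight: $v is not set; run '. $conf alicloud' first" >&2
            return 1
        fi
    done
    if [ -f "$conf" ] && ! file_is_private "$conf"; then
        echo "preflight: $conf is readable by other users; chmod 600 it" >&2
        return 1
    fi
    identity="$(aliyun sts GetCallerIdentity)" || return 1
    if ! identity_is_ram "$identity"; then
        echo "preflight: refusing to deploy with root-account credentials" >&2
        return 1
    fi
    echo "preflight: ok, running as $(identity_type_of "$identity") in $ALICLOUD_REGION"
}

# Run the live check only when asked, so the functions can also be sourced and reused.
if [ "${1:-}" = "check" ]; then
    preflight_check
fi
```

Run it as sh preflight.sh check after sourcing portefaix.sh. The root-account refusal is deliberate: an AccessKey of the root account cannot be restricted by RAM policy, so a leak of that file would be a full account compromise rather than the ECS/VPC/CS/OSS/OTS scope listed in the prerequisites.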

2. Create Terraform remote state storage

On Alibaba Cloud, Portefaix keeps Terraform state in OSS (Object Storage Service) and takes state locks in TableStore, the equivalent of S3 + DynamoDB on AWS. State routinely contains secrets (cluster certificates, generated passwords), so keep the bucket private and limit access to the deployment identity. OSS bucket names are global, so replace portefaix-tfstate with a name of your own if it is already taken.

# Create the OSS bucket that will hold the state files
aliyun oss mb oss://portefaix-tfstate \
  --region $ALICLOUD_REGION

# Enable versioning so a corrupted or accidentally overwritten state can be rolled back
aliyun oss bucket-versioning \
  --method put oss://portefaix-tfstate \
  --status Enabled

# Create the TableStore instance used for state locking
aliyun ots CreateInstance \
  --InstanceName portefaix-tfstate \
  --Description "Portefaix Terraform state lock" \
  --RegionId $ALICLOUD_REGION

# Create the lock table; the Terraform oss backend requires a single
# STRING primary key named LockID
aliyun ots CreateTable \
  --InstanceName portefaix-tfstate \
  --TableMeta.TableName terraform-state-lock \
  --TableMeta.PrimaryKey.1.Name LockID \
  --TableMeta.PrimaryKey.1.Type STRING

3. Provision the ACK cluster with Terraform

cd portefaix-infrastructure/terraform/alicloud/ack
cp terraform.tfvars.example terraform.tfvars

Key variables in terraform.tfvars (the VPC, pod and service CIDRs must not overlap):

region          = "eu-central-1"
cluster_name    = "portefaix-staging"
k8s_version     = "1.30"
vpc_cidr        = "192.168.0.0/16"
pod_cidr        = "172.20.0.0/16"
service_cidr    = "172.21.0.0/20"

Initialise the oss backend against the bucket and lock table created in step 2, then plan and apply. The prefix separates state per environment; encrypt=true turns on server-side encryption of the state object in OSS:

terraform init \
  -backend-config="bucket=portefaix-tfstate" \
  -backend-config="prefix=ack/$PORTEFAIX_ENV" \
  -backend-config="region=$ALICLOUD_REGION" \
  -backend-config="encrypt=true" \
  -backend-config="tablestore_endpoint=https://portefaix-tfstate.$ALICLOUD_REGION.ots.aliyuncs.com" \
  -backend-config="tablestore_table=terraform-state-lock"

terraform plan -out=tfplan
terraform apply tfplan

4. Fetch cluster credentials

# Get the cluster ID from Terraform output
export ACK_CLUSTER_ID="$(terraform output -raw cluster_id)"

# Download the kubeconfig; it embeds a client certificate for your RAM identity,
# so write it with owner-only permissions
mkdir -p "$HOME/.kube"
(umask 077 && aliyun cs GET /k8s/$ACK_CLUSTER_ID/user_config \
  --output json | jq -r '.config' > "$HOME/.kube/portefaix-alicloud")

export KUBECONFIG="$HOME/.kube/portefaix-alicloud"

kubectl get nodes

5. Configure RAM roles for workloads

ACK supports RRSA (RAM Roles for Service Accounts): the cluster's OIDC issuer is registered as a RAM OIDC provider, pods receive a projected service-account token, and a RAM role whose trust policy names that token's subject can be assumed with sts:AssumeRoleWithOIDC. It is the counterpart of IRSA on AWS (not Pod Identity), and it means no AccessKey has to be stored in the cluster for workloads to call Alibaba Cloud APIs. Enable it on your cluster and verify:

# Enable RRSA on the cluster
aliyun cs POST /clusters/$ACK_CLUSTER_ID \
  --body '{"rrsa_config":{"enabled":true}}'

# Verify RRSA is active
aliyun cs GET /clusters/$ACK_CLUSTER_ID \
  --output json | jq '.rrsa_config'
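What RRSA looks like end to end for one workload, added here as an example and not Portefaix's own code: a trust policy that admits exactly one service-account subject, a permission policy scoped to one OSS bucket instead of a system-wide policy, and the annotation the webhook needs. The names (namespace observability, service account loki, role portefaix-loki, bucket portefaix-loki-chunks), the ALICLOUD_ACCOUNT_ID variable and the "apply" argument are assumptions of this script; the issuer URL is read from the RAM OIDC provider that enabling RRSA registers rather than hard-coded.

```shell
#!/bin/sh
# Added example (not Portefaix code): bind one RAM role to one Kubernetes service account via RRSA.
# Assumed names: namespace "observability", service account "loki", role "portefaix-loki" and
# OSS bucket "portefaix-loki-chunks"; change them to match your stacks.
set -eu

# Trust policy allowing only system:serviceaccount:<ns>:<sa> of this cluster's OIDC provider
# to call sts:AssumeRoleWithOIDC. A wildcard subject would hand the role to every pod in the
# cluster, so wildcards are refused outright.
rrsa_trust_policy() {
    case "$3$4" in *'*'*) echo "refusing wildcard in namespace or service account" >&2; return 1 ;; esac
    cat <<EOF
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithOIDC",
      "Principal": {
        "Federated": ["acs:ram::$1:oidc-provider/ack-rrsa-$2"]
      },
      "Condition": {
        "StringEquals": {
          "oidc:aud": "sts.aliyuncs.com",
          "oidc:iss": "$5",
          "oidc:sub": "system:serviceaccount:$3:$4"
        }
      }
    }
  ]
}
EOF
}

# Permission policy scoped to a single bucket instead of the AliyunOSSFullAccess system policy.
oss_bucket_policy() {
    cat <<EOF
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:ListObjects", "oss:GetObject", "oss:PutObject", "oss:DeleteObject"],
      "Resource": ["acs:oss:*:*:$1", "acs:oss:*:*:$1/*"]
    }
  ]
}
EOF
}

# Extract the oidc:sub condition from a trust policy, to review it before the role is created.
policy_subject() {
    printf '%s' "$1" | tr -d '\n' | sed -n 's/.*"oidc:sub": *"\([^"]*\)".*/\1/p'
}

# Live steps: create the role and bucket policy, attach them, annotate the service account.
rrsa_apply() {
    account_id="$1" cluster_id="$2" namespace="$3" sa="$4" role="$5" bucket="$6"
    # Enabling RRSA registers the OIDC provider ack-rrsa-<cluster-id> in RAM; take the
    # issuer URL from it instead of guessing the URL format.
    issuer="$(aliyun ram GetOIDCProvider --OIDCProviderName "ack-rrsa-${cluster_id}" \
        | sed -n 's/.*"IssuerUrl": *"\([^"]*\)".*/\1/p')"
    [ -n "$issuer" ] || { echo "OIDC provider ack-rrsa-${cluster_id} not found; is RRSA enabled?" >&2; return 1; }
    aliyun ram CreateRole --RoleName "$role" \
        --AssumeRolePolicyDocument "$(rrsa_trust_policy "$account_id" "$cluster_id" "$namespace" "$sa" "$issuer")" \
        --Description "RRSA role for ${namespace}/${sa}"
    aliyun ram CreatePolicy --PolicyName "${role}-oss" --PolicyDocument "$(oss_bucket_policy "$bucket")"
    aliyun ram AttachPolicyToRole --PolicyType Custom --PolicyName "${role}-oss" --RoleName "$role"
    # The ack-pod-identity-webhook reads this annotation and injects ALIBABA_CLOUD_ROLE_ARN,
    # ALIBABA_CLOUD_OIDC_PROVIDER_ARN and ALIBABA_CLOUD_OIDC_TOKEN_FILE into pods that use the
    # service account and carry the label pod-identity.alibabacloud.com/injection=on.
    kubectl -n "$namespace" annotate serviceaccount "$sa" \
        "pod-identity.alibabacloud.com/role-name=${role}" --overwrite
}

if [ "${1:-}" = "apply" ]; then
    rrsa_apply "${ALICLOUD_ACCOUNT_ID:?}" "${ACK_CLUSTER_ID:?}" observability loki portefaix-loki portefaix-loki-chunks
fi
```

Run it as sh rrsa.sh apply once step 4's KUBECONFIG is exported. The pod spec still needs the injection label on top of the annotated service account; without it the webhook leaves the pod alone and the SDK falls back to whatever static credentials it can find, which is exactly what RRSA is meant to remove.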

6. Deploy Portefaix stacks via ArgoCD

helm repo add argo https://argoproj.github.io/argo-helm
helm repo update

helm install argocd argo/argo-cd \
  --namespace argocd --create-namespace \
  --values portefaix-kubernetes/gitops/argocd/values-alicloud.yaml \
  --wait

# Bootstrap the app-of-apps for this environment; ArgoCD reconciles every stack from it
kubectl apply -f portefaix-kubernetes/gitops/argocd/bootstrap/app-of-apps-alicloud-$PORTEFAIX_ENV.yaml

# Needs an authenticated argocd CLI session (argocd login) against the server installed above
argocd app wait portefaix-bootstrap --health --timeout 600

Stacks available on Alibaba Cloud

Stack               Description                         Alibaba Cloud service used
Observability       Prometheus, Grafana, Loki, Tempo    OSS for long-term storage
Secret management   External Secrets Operator           KMS Secrets Manager
DNS management      External DNS                        Alibaba Cloud DNS (Alidns)
TLS certificates    cert-manager                        Alidns for DNS-01 challenges
Policy enforcement  Kyverno                             none (runs entirely in-cluster)