Non-Interactive EKF Deployment

This section describes how to perform a non-interactive (unattended) deployment of EKF using rok-deploy.

What You’ll Need

  • An encrypted deployment key for the Arrikto GitOps repository at https://github.com/arrikto/deployments, which is similar to the following:

    gitconfig_dummy.asc
    -----BEGIN PGP MESSAGE-----

    jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT
    bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq
    ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/
    3eeSgHnfY0w=
    =6Ssd
    -----END PGP MESSAGE-----
  • The encrypted Docker JSON configuration file, which is similar to the following:

    dockerconfig_dummy.asc
    -----BEGIN PGP MESSAGE-----

    jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT
    bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq
    ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/
    3eeSgHnfY0w=
    =6Ssd
    -----END PGP MESSAGE-----
  • The passphrases to decrypt each of the above.

  • A management environment.

Contact Arrikto

If you don’t have a deployment key or a Docker JSON configuration file, please contact the Arrikto Tech Team to create one for you.

Procedure

Note

Sensitive

This guide asks you to type sensitive values in the terminal. Each value is echoed in the terminal as you type it, so make sure that you perform these steps in a private environment.

Note

To see what each of the environment variables that you will export does, run:

root@rok-tools:~# rok-deploy --help
  1. Specify the necessary environment variables that you need to run a non-interactive deployment:

    1. Specify the type of the environment where you have created your management environment. Choose one of the following options:

      root@rok-tools:~# export TOOLS_ENV_TYPE=kubernetes
      root@rok-tools:~# export TOOLS_ENV_TYPE=docker
      root@rok-tools:~# export TOOLS_ENV_TYPE=ec2
    2. Specify your encrypted SSH key:

      root@rok-tools:~# export ENCRYPTED_SSH_KEY=<SSH_KEY>

      Replace <SSH_KEY> with the encrypted SSH key you received from Arrikto via email, including the -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE----- lines. For example:

      root@rok-tools:~# export ENCRYPTED_SSH_KEY="-----BEGIN PGP MESSAGE-----
      > jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT
      > bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq
      > ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/
      > 3eeSgHnfY0w=
      > =6Ssd
      > -----END PGP MESSAGE-----"
    3. Specify the passphrase to decrypt your encrypted SSH key:

      root@rok-tools:~# export SSH_KEY_PASSPHRASE=<PASSPHRASE>

      Replace <PASSPHRASE> with the passphrase for the encrypted SSH key you received from Arrikto. For example:

      root@rok-tools:~# export SSH_KEY_PASSPHRASE=sshkeypassphrase
    4. Specify the name that Git will use:

      root@rok-tools:~# export GIT_USER_NAME=<NAME>

      Replace <NAME> with your name. For example:

      root@rok-tools:~# export GIT_USER_NAME="Joe Doe"
    5. Specify the email that Git will use:

      root@rok-tools:~# export GIT_USER_EMAIL=<EMAIL>

      Replace <EMAIL> with your email. For example:

      root@rok-tools:~# export GIT_USER_EMAIL=joedoe@example.com
    6. Specify the AWS access key ID for your desired IAM user:

      root@rok-tools:~# export AWS_ACCESS_KEY_ID=<KEY_ID>

      Replace <KEY_ID> with the desired access key ID. For example:

      root@rok-tools:~# export AWS_ACCESS_KEY_ID=THISISANACCESSKEYID
    7. Specify the AWS secret access key for your desired IAM user:

      root@rok-tools:~# export AWS_SECRET_ACCESS_KEY=<SECRET_KEY>

      Replace <SECRET_KEY> with the desired secret access key. For example:

      root@rok-tools:~# export AWS_SECRET_ACCESS_KEY=THISISASECRETACCESSKEY
    8. Specify the region where you want to perform this deployment:

      root@rok-tools:~# export AWS_DEFAULT_REGION=<REGION>

      Replace <REGION> with the desired region. For example:

      root@rok-tools:~# export AWS_DEFAULT_REGION=us-east-1
    9. Specify your encrypted Docker configuration:

      root@rok-tools:~# export ENCRYPTED_DOCKERCONFIG=<DOCKERCONFIG>

      Replace <DOCKERCONFIG> with the encrypted Docker configuration you received from Arrikto via email, including the -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE----- lines. For example:

      root@rok-tools:~# export ENCRYPTED_DOCKERCONFIG="-----BEGIN PGP MESSAGE-----
      > jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT
      > bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq
      > ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/
      > 3eeSgHnfY0w=
      > =6Ssd
      > -----END PGP MESSAGE-----"
    10. Specify the passphrase to decrypt your encrypted Docker configuration:

      root@rok-tools:~# export DOCKERCONFIG_PASSPHRASE=<PASSPHRASE>

      Replace <PASSPHRASE> with the passphrase for the encrypted Docker configuration you received from Arrikto. For example:

      root@rok-tools:~# export DOCKERCONFIG_PASSPHRASE=dockerconfigpassphrase
    11. Specify the VPC configuration. Choose one of the following options:

      root@rok-tools:~# export AWS_VPC_CONFIG=public
      root@rok-tools:~# export AWS_VPC_CONFIG=public-private
      root@rok-tools:~# export AWS_VPC_CONFIG=private
    12. Specify the name for your EKS cluster:

      root@rok-tools:~# export EKS_CLUSTER=<EKS_CLUSTER>

      Replace <EKS_CLUSTER> with the desired name for your EKS cluster. For example:

      root@rok-tools:~# export EKS_CLUSTER=arrikto-cluster
    13. Specify the trusted CIDRs for your EKS cluster:

      root@rok-tools:~# export EKS_TRUSTED_CIDRS=<CIDRS>

      Replace <CIDRS> with your trusted CIDRs. For example, if you want to allow access for everyone, set:

      root@rok-tools:~# export EKS_TRUSTED_CIDRS=0.0.0.0/0

      Note

      If you wish to specify multiple CIDRs, create a space-separated list. For example:

      root@rok-tools:~# export EKS_TRUSTED_CIDRS="<CIDR1> <CIDR2>"
    14. Specify the name for your node group:

      root@rok-tools:~# export EKS_NODEGROUP=<NODEGROUP>

      Replace <NODEGROUP> with the desired name for your node group. For example:

      root@rok-tools:~# export EKS_NODEGROUP=general-workers
    15. Pick a password for the default Dex user:

      root@rok-tools:~# export DEX_DEFAULT_USER_PASSWD=<PASSWORD>

      Replace <PASSWORD> with the desired password for the default Dex user. For example:

      root@rok-tools:~# export DEX_DEFAULT_USER_PASSWD=dexpassword
    16. Specify the DNS name suffix (domain) for the hosted zone:

      root@rok-tools:~# export EKS_ALB_ZONE_DOMAIN=<DOMAIN>

      Replace <DOMAIN> with your desired domain. For example:

      root@rok-tools:~# export EKS_ALB_ZONE_DOMAIN=apps.example.com
    17. Specify the subdomain for your load balancer:

      root@rok-tools:~# export EKS_ALB_ACM_SUBDOMAIN=<SUBDOMAIN>

      Replace <SUBDOMAIN> with your desired subdomain. For example:

      root@rok-tools:~# export EKS_ALB_ACM_SUBDOMAIN=${EKS_CLUSTER?}.${EKS_ALB_ZONE_DOMAIN?} \
      > && echo ${EKS_ALB_ACM_SUBDOMAIN?}
      arrikto-cluster.apps.example.com
    18. Specify the trusted CIDRs for your load balancer:

      root@rok-tools:~# export EKS_ALB_NGINX_TRUSTED_CIDRS=<CIDRS>

      Replace <CIDRS> with your trusted CIDRs. For example, if you want to allow access for everyone, set:

      root@rok-tools:~# export EKS_ALB_NGINX_TRUSTED_CIDRS=0.0.0.0/0

      Note

      If you wish to specify multiple CIDRs, create a space-separated list. For example:

      root@rok-tools:~# export EKS_ALB_NGINX_TRUSTED_CIDRS="<CIDR1> <CIDR2>"
  2. Configure rok-deploy to run non-interactively, so that it does not prompt you with questions. If an answer is missing, rok-deploy will fail the operation and report the missing answer:

    root@rok-tools:~# export ROK_FRONTEND=non-interactive
    root@rok-tools:~# export ROK_QUESTION_THRESHOLD=critical
  3. Choose one of the following options to perform the non-interactive deployment:

    Option 1: Run rok-deploy and use the default choices:

      root@rok-tools:~# rok-deploy

    Option 2: Use a preseed file:

    1. Download the preseed.py.j2 Jinja2 template file provided below and use it inside your management environment.

      preseed.py.j2
      SEEDS = {
          'tools/env_type': '{{TOOLS_ENV_TYPE}}',
          'git/encrypted_ssh_key': '''{{ENCRYPTED_SSH_KEY}}''',
          'git/ssh_key_passphrase': '{{SSH_KEY_PASSPHRASE}}',
          'git/user_name': '{{GIT_USER_NAME}}',
          'git/user_email': '{{GIT_USER_EMAIL}}',
          'cli-aws/access_key_id': '{{AWS_ACCESS_KEY_ID}}',
          'cli-aws/secret_access_key': '{{AWS_SECRET_ACCESS_KEY}}',
          'envvars-aws/region': '{{AWS_DEFAULT_REGION}}',
          'arriktoreg/dockerconfig_encrypted': '''{{ENCRYPTED_DOCKERCONFIG}}''',
          'arriktoreg/dockerconfig_passphrase': '{{DOCKERCONFIG_PASSPHRASE}}',
          'aws-vpc/config': '{{AWS_VPC_CONFIG}}',
          'eks-cluster/name': '{{EKS_CLUSTER}}',
          'eks-cluster/trusted_cidrs': '{{EKS_TRUSTED_CIDRS}}',
          'eks-nodegroup/name': '{{EKS_NODEGROUP}}',
          'users/dex_default_user_passwd': '{{DEX_DEFAULT_USER_PASSWD}}',
          'eks-alb-zone/domain': '{{EKS_ALB_ZONE_DOMAIN}}',
          'eks-alb-acm/subdomain': '{{EKS_ALB_ACM_SUBDOMAIN}}',
          'eks-alb-nginx/trusted_cidrs': '{{EKS_ALB_NGINX_TRUSTED_CIDRS}}',
      }
    2. Render the preseed file:

      root@rok-tools:~# j2 preseed.py.j2 -o preseed.py
    3. Unset all the environment variables you exported:

      root@rok-tools:~# unset TOOLS_ENV_TYPE ENCRYPTED_SSH_KEY \
      > SSH_KEY_PASSPHRASE GIT_USER_NAME GIT_USER_EMAIL AWS_ACCESS_KEY_ID \
      > AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION ENCRYPTED_DOCKERCONFIG \
      > DOCKERCONFIG_PASSPHRASE AWS_VPC_CONFIG EKS_CLUSTER \
      > EKS_TRUSTED_CIDRS EKS_NODEGROUP DEX_DEFAULT_USER_PASSWD \
      > EKS_ALB_ZONE_DOMAIN EKS_ALB_ACM_SUBDOMAIN \
      > EKS_ALB_NGINX_TRUSTED_CIDRS
    4. Run rok-deploy using the preseed file you created and use the default choices:

      root@rok-tools:~# rok-deploy --preseed-load preseed.py
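
Since a non-interactive rok-deploy fails on a missing answer and the values above are free-form, a preflight check in the same shell catches problems before anything is rendered or deployed. The following is an added example, not part of rok-deploy or of the original guide: the function names are hypothetical, the CIDR check handles IPv4 only, and the variable names and allowed values are the ones from step 1.

```shell
#!/bin/sh
# Added example, not part of rok-deploy; function names are hypothetical.
REQUIRED_VARS="TOOLS_ENV_TYPE ENCRYPTED_SSH_KEY SSH_KEY_PASSPHRASE GIT_USER_NAME
GIT_USER_EMAIL AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION
ENCRYPTED_DOCKERCONFIG DOCKERCONFIG_PASSPHRASE AWS_VPC_CONFIG EKS_CLUSTER
EKS_TRUSTED_CIDRS EKS_NODEGROUP DEX_DEFAULT_USER_PASSWD EKS_ALB_ZONE_DOMAIN
EKS_ALB_ACM_SUBDOMAIN EKS_ALB_NGINX_TRUSTED_CIDRS"

# Succeed only if $1 equals one of the remaining arguments.
one_of() (
    want=$1; shift
    for allowed in "$@"; do [ "$want" = "$allowed" ] && exit 0; done
    exit 1
)

# Classify a space-separated IPv4 CIDR list: "invalid", "open" (has a /0 entry) or "ok".
classify_cidrs() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              seen = 1; split($i, p, "[./]")
              if ($i !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ || p[5] > 32) bad = 1
              for (j = 1; j <= 4; j++) if (p[j] > 255) bad = 1
              if (p[5] == 0) wide = 1 } }
        END { r = "ok"; if (wide) r = "open"; if (bad || !seen) r = "invalid"; print r }'
}

# Print one line per finding; return non-zero if any finding is fatal.
preflight() {
    rc=0
    for name in $REQUIRED_VARS; do
        eval "value=\${$name-}"
        [ -n "$value" ] || { echo "missing: $name"; rc=1; continue; }
        # A quote or backslash would break the quoted literals in preseed.py.j2.
        case $value in *\'*|*\\*) echo "unsafe for preseed.py: $name"; rc=1 ;; esac
        case $name in
            TOOLS_ENV_TYPE) one_of "$value" kubernetes docker ec2 || { echo "bad value: $name"; rc=1; } ;;
            AWS_VPC_CONFIG) one_of "$value" public public-private private || { echo "bad value: $name"; rc=1; } ;;
            ENCRYPTED_*) case $value in
                "-----BEGIN PGP MESSAGE-----"*"-----END PGP MESSAGE-----") ;;
                *) echo "not an armored PGP message: $name"; rc=1 ;;
            esac ;;
            *_TRUSTED_CIDRS) case $(classify_cidrs "$value") in
                invalid) echo "invalid CIDR list: $name"; rc=1 ;;
                open) echo "warning: $name allows every address" ;;
            esac ;;
        esac
    done
    return $rc
}
```

Source the file in the shell where you exported the variables and call `preflight` before `rok-deploy`; for the preseed option, call it before `j2` renders the variables into `preseed.py`. The quote and backslash check is conservative for the option that does not use a preseed file.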

Verify

  1. Run the Test Rok guide to make sure that Rok is up and running.
  2. Run the Test Kubeflow guide to make sure that you have properly installed Kubeflow.

Summary

You have performed a non-interactive installation of EKF.

What’s Next

Check out the rest of our guides regarding automated deployments.