Generate Manifests

This section describes a use case on how you can only generate Arrikto-provided manifests for an EKF deployment in a automated way, by using rok-deploy.

Arrikto follows a generate-commit-apply GitOps approach for the completion of a deployment task. This guide will show you how to run rok-deploy to only generate and commit manifests, so you can inspect them and apply them on your own. The manifests you generate are .yaml files in your rok-tools management environment that describe the infrastructure and Kubernetes resources that you can deploy later on.

What You’ll Need

  • An encrypted deployment key for the Arrikto GitOps repository at https://github.com/arrikto/deployments, which is similar to the following:

    gitconfig_dummy.asc
    1-----BEGIN PGP MESSAGE-----
    2
    3jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT
    4-5
    4bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq
    5ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/
    63eeSgHnfY0w=
    7=6Ssd
    8-----END PGP MESSAGE-----
  • The encrypted Docker JSON configuration file, which is similar to the following:

    dockerconfig_dummy.asc
    1-----BEGIN PGP MESSAGE-----
    2
    3jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT
    4-5
    4bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq
    5ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/
    63eeSgHnfY0w=
    7=6Ssd
    8-----END PGP MESSAGE-----
  • The passphrases to decrypt each of the above.

  • A management environment.

Contact Arrikto

If you don’t have a deployment key or a Docker JSON configuration file, please contact the Arrikto Tech Team to create one for you.

Procedure

Generate the Arrikto-provided manifests interactively, or non-interactively, by choosing one of the following options:

Option 1: Generate Manifests Interactively

In this section you will run rok-deploy interactively. This means that, during the process, you will be prompted for input.

  1. Run rok-deploy and specify that you don’t want to apply the generated manifests:

    root@rok-tools:~# rok-deploy --assume-no-apply
  2. Follow the on-screen instructions.

    Note

    You might need to skip the verification steps of any EKF installation guide you haven’t deployed infrastructure for.

Option 2: Generate Manifests Non-Interactively

In this section you will run rok-deploy non-interactively. This means that you will run rok-deploy without being prompted for input once you specify the required environment variables.

Note

Sensitive

This guide will ask you to type sensitive values in the terminal. The sensitive value will be getting echoed in the terminal as you type it. Please make sure that you are performing this action in a private environment.

Note

To get a description of what each of the following environment variables that you will be exporting does, run:

root@rok-tools:~# rok-deploy --help
  1. Specify the necessary environment variables that you need to run a non-interactive deployment:

    1. Specify the type of the environment where you have created your management environment. Choose one of the following options:

      root@rok-tools:~# export TOOLS_ENV_TYPE=kubernetes
      root@rok-tools:~# export TOOLS_ENV_TYPE=docker
      root@rok-tools:~# export TOOLS_ENV_TYPE=ec2
    2. Specify your encrypted SSH key:

      root@rok-tools:~# export ENCRYPTED_SSH_KEY=<SSH_KEY>

      Replace <SSH_KEY> with the encrypted SSH key you received from Arrikto via email, including the -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE----- lines. For example:

      root@rok-tools:~# export ENCRYPTED_SSH_KEY="-----BEGIN PGP MESSAGE----- > jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT > bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq > ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/ > 3eeSgHnfY0w= > =6Ssd > -----END PGP MESSAGE-----"
    3. Specify the passphrase to decrypt your encrypted SSH key:

      root@rok-tools:~# export SSH_KEY_PASSPHRASE=<PASSPHRASE>

      Replace <PASSPHRASE> with the passphrase for the encrypted SSH key you received from Arrikto. For example:

      root@rok-tools:~# export SSH_KEY_PASSPHRASE=sshkeypassphrase
    4. Specify the name that Git will use:

      root@rok-tools:~# export GIT_USER_NAME=<NAME>

      Replace <NAME> with your name. For example:

      root@rok-tools:~# export GIT_USER_NAME="Joe Doe"
    5. Specify the email that Git will use:

      root@rok-tools:~# export GIT_USER_EMAIL=<EMAIL>

      Replace <EMAIL> with your email. For example:

      root@rok-tools:~# export GIT_USER_EMAIL=joedoe@example.com
    6. Specify the AWS access key ID for your desired IAM user:

      root@rok-tools:~# export AWS_ACCESS_KEY_ID=<KEY_ID>

      Replace <KEY_ID> with the desired access key ID. For example:

      root@rok-tools:~# export AWS_ACCESS_KEY_ID=THISISANACCESSKEYID
    7. Specify the AWS secret access key for your desired IAM user:

      root@rok-tools:~# export AWS_SECRET_ACCESS_KEY=<SECRET_KEY>

      Replace <SECRET_KEY> with the desired secret access key. For example:

      root@rok-tools:~# export AWS_SECRET_ACCESS_KEY=THISISASECRETACCESSKEY
    8. Specify the region where you want to perform this deployment:

      root@rok-tools:~# export AWS_DEFAULT_REGION=<REGION>

      Replace <REGION> with the desired region. For example:

      root@rok-tools:~# export AWS_DEFAULT_REGION=us-east-1
    9. Specify your encrypted Docker configuration:

      root@rok-tools:~# export ENCRYPTED_DOCKERCONFIG=<DOCKERCONFIG>

      Replace <DOCKERCONFIG> with the encrypted Docker configuration you received from Arrikto via email, including the -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE----- lines. For example:

      root@rok-tools:~# export ENCRYPTED_DOCKERCONFIG="-----BEGIN PGP MESSAGE----- > jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT > bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq > ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/ > 3eeSgHnfY0w= > =6Ssd > -----END PGP MESSAGE-----"
    10. Specify the passphrase to decrypt your encrypted Docker configuration:

      root@rok-tools:~# export DOCKERCONFIG_PASSPHRASE=<PASSPHRASE>

      Replace <PASSPHRASE> with the passphrase for the encrypted Docker configuration you received from Arrikto. For example:

      root@rok-tools:~# export DOCKERCONFIG_PASSPHRASE=dockerconfigpassphrase
    11. Specify the VPC configuration. Choose one of the following options:

      root@rok-tools:~# export AWS_VPC_CONFIG=public
      root@rok-tools:~# export AWS_VPC_CONFIG=public-private
      root@rok-tools:~# export AWS_VPC_CONFIG=private
    12. Specify the name for your EKS cluster:

      root@rok-tools:~# export EKS_CLUSTER=<EKS_CLUSTER>

      Replace <EKS_CLUSTER> with the desired name for your EKS cluster. For example:

      root@rok-tools:~# export EKS_CLUSTER=arrikto-cluster
    13. Specify the trusted CIDRs for your EKS cluster:

      root@rok-tools:~# export EKS_TRUSTED_CIDRS=<CIDRS>

      Replace <CIDRS> with your trusted CIDRs. For example, if you want to allow access for everyone, set:

      root@rok-tools:~# export EKS_TRUSTED_CIDRS=0.0.0.0/0

      Note

      If you wish to specify multiple CIDRs, create a space-separated list. For example:

      root@rok-tools:~# export EKS_TRUSTED_CIDRS="<CIDR1> <CIDR2>"
    14. Specify the name for your node group:

      root@rok-tools:~# export EKS_NODEGROUP=<NODEGROUP>

      Replace <NODEGROUP> with the desired name for your node group. For example:

      root@rok-tools:~# export EKS_NODEGROUP=general-workers
    15. Pick a password for the default Dex user:

      root@rok-tools:~# export DEX_DEFAULT_USER_PASSWD=<PASSWORD>

      Replace <PASSWORD> with the desired password for the default Dex user. For example:

      root@rok-tools:~# export DEX_DEFAULT_USER_PASSWD=dexpassword
    16. Specify the DNS name suffix (domain) for the hosted zone:

      root@rok-tools:~# export EKS_ALB_ZONE_DOMAIN=<DOMAIN>

      Replace <DOMAIN> with your desired domain. For example:

      root@rok-tools:~# export EKS_ALB_ZONE_DOMAIN=apps.example.com
    17. Specify the subdomain for your load balancer:

      root@rok-tools:~# export EKS_ALB_ACM_SUBDOMAIN=<SUBDOMAIN>

      Replace <SUBDOMAIN> with your desired subdomain. For example:

      root@rok-tools:~# export EKS_ALB_ACM_SUBDOMAIN=${EKS_CLUSTER?}.${EKS_ALB_ZONE_DOMAIN?} \ > && echo ${EKS_ALB_ACM_SUBDOMAIN?} arrikto-cluster.apps.example.com
    18. Specify the trusted CIDRs for your load balancer:

      root@rok-tools:~# export EKS_ALB_NGINX_TRUSTED_CIDRS=<CIDRS>

      Replace <CIDRS> with your trusted CIDRs. For example, if you want to allow access for everyone, set:

      root@rok-tools:~# export EKS_ALB_NGINX_TRUSTED_CIDRS=0.0.0.0/0

      Note

      If you wish to specify multiple CIDRs, create a space-separated list. For example:

      root@rok-tools:~# export EKS_TRUSTED_CIDRS="<CIDR1> <CIDR2>"
  2. Specify some additional environment variables that you need to generate the manifests non-interactively:

    1. Specify your AWS account ID:

      root@rok-tools:~# export AWS_ACCOUNT_ID=<ACCOUNT_ID>

      Replace <ACCOUNT_ID> with the ID of your AWS account, for example:

      root@rok-tools:~# export AWS_ACCOUNT_ID=1234567890
    2. Specify your VPC ID:

      root@rok-tools:~# export AWS_VPC_ID=<VPC_ID>

      Replace <VPC_ID> with the ID of your VPC, for example:

      root@rok-tools:~# export AWS_VPC_ID=vpc-069a2ce6446fa019a
    3. List your public subnets:

      root@rok-tools:~# export AWS_SUBNETS_PUBLIC="<SUBNET>"

      Replace <SUBNET> with the subnet ID of each of your public subnets, for example:

      root@rok-tools:~# export AWS_SUBNETS_PUBLIC="subnet-4ca5bc29b04512a27 subnet-4bf22b97877b600ac"
    4. List your private subnets:

      root@rok-tools:~# export AWS_SUBNETS_PRIVATE="<SUBNET>"

      Replace <SUBNET> with the subnet ID of each of your private subnets, for example:

      root@rok-tools:~# export AWS_SUBNETS_PRIVATE="subnet-057bbb30d4491"
    5. Set the name of your OIDC provider for your cluster:

      root@rok-tools:~# export EKS_CLUSTER_OIDC=<OIDC>

      Replace <OIDC> with the OIDC provider for your cluster, for example:

      root@rok-tools:~# export EKS_CLUSTER_OIDC="oidc.eks.us-east-1.amazonaws.com/id/6E2A9EFA10BCABCDEF6BCDBC5"
    6. Specify the ID of the hosted zone:

      root@rok-tools:~# export EKS_ALB_ZONE_ID=<ZONE>

      Replace <ZONE> with the ID of the hosted zone, for example:

      root@rok-tools:~# export EKS_ALB_ZONE_ID="/hostedzone/Z08893681SHDKAMZ2MRWZ4"
    7. Specify the ARN of the IAM role for ExternalDNS:

      root@rok-tools:~# export EKS_ALB_EDNS_IAM_ROLE_ARN=<ARN>

      Replace <ARN> with the ARN of the IAM role for ExternalDNS, for example:

      root@rok-tools:~# export EKS_ALB_EDNS_IAM_ROLE_ARN="arn:aws:iam::1234567890:role/rok-us-east-1-edns"
    8. Specify the ARN of the ACM certificate:

      root@rok-tools:~# export EKS_ALB_ACM_CERT=<ARN>

      Replace <ARN> with the ARN of the ACM certificate, for example:

      root@rok-tools:~# export EKS_ALB_ACM_CERT="arn:aws:acm:us-east-1:1234567890:certificate/c1557acb-e5a3-4c2c-114d-4dbdd570d6ab"
    9. Specify the ARN of the IAM role for AWS Load Balancer Controller:

      root@rok-tools:~# export EKS_ALB_ALB_IAM_ROLE_ARN=<ARN>

      Replace <ARN> with the ARN of the IAM role for AWS Load Balancer Controller, for example:

      root@rok-tools:~# export EKS_ALB_ALB_IAM_ROLE_ARN="arn:aws:iam::1234567890:role/rok-us-east-1-alb"
    10. Specify the hostname of the ALB:

      root@rok-tools:~# export EKS_ALB_NGINX_HOSTNAME=<HOSTNAME>

      Replace <HOSTNAME> with the hostname of the ALB, for example:

      root@rok-tools:~# export EKS_ALB_NGINX_HOSTNAME="k8s-ingressn-ingressn-9123456783-664321247.us-east-1.elb.amazonaws.com"
  3. Configure rok-deploy to run non-interactively. This means that you will not be prompted for questions. If an answer is missing, rok-deploy will fail the operation and report the missing answer:

    root@rok-tools:~# export ROK_FRONTEND=non-interactive root@rok-tools:~# export ROK_QUESTION_THRESHOLD=critical
  4. Choose one of the following options to perform the non-interactive deployment:

    1. Run rok-deploy and use the default choices:

      root@rok-tools:~# rok-deploy --assume-no-apply
    1. Download the preseed-manifests.py.j2 Jinja2 template file provided below and use it inside your management environment.

      preseed-manifests.py.j2
      1SEEDS = {
      2 'tools/env_type': '{{TOOLS_ENV_TYPE}}',
      3 'git/encrypted_ssh_key': '''{{ENCRYPTED_SSH_KEY}}''',
      4-27
      4 'git/ssh_key_passphrase': '{{SSH_KEY_PASSPHRASE}}',
      5 'git/user_name': '{{GIT_USER_NAME}}',
      6 'git/user_email': '{{GIT_USER_EMAIL}}',
      7 'cli-aws/access_key_id': '{{AWS_ACCESS_KEY_ID}}',
      8 'cli-aws/secret_access_key': '{{AWS_SECRET_ACCESS_KEY}}',
      9 'envvars-aws/account_id': '{{AWS_ACCOUNT_ID}}',
      10 'envvars-aws/region': '{{AWS_DEFAULT_REGION}}',
      11 'arriktoreg/dockerconfig_encrypted': '''{{ENCRYPTED_DOCKERCONFIG}}''',
      12 'arriktoreg/dockerconfig_passphrase': '{{DOCKERCONFIG_PASSPHRASE}}',
      13 'aws-vpc/config': '{{AWS_VPC_CONFIG}}',
      14 'aws-vpc/id': '{{AWS_VPC_ID}}',
      15 'aws-subnets/public': '{{AWS_SUBNETS_PUBLIC}}',
      16 'aws-subnets/private': '{{AWS_SUBNETS_PRIVATE}}',
      17 'eks-cluster/name': '{{EKS_CLUSTER}}',
      18 'eks-cluster/trusted_cidrs': '{{EKS_TRUSTED_CIDRS}}',
      19 'eks/cluster_oidc': '{{EKS_CLUSTER_OIDC}}',
      20 'eks-nodegroup/name': '{{EKS_NODEGROUP}}',
      21 'users/dex_default_user_passwd': '{{DEX_DEFAULT_USER_PASSWD}}',
      22 'eks-alb-zone/domain': '{{EKS_ALB_ZONE_DOMAIN}}',
      23 'eks-alb-zone/zone_id': '{{EKS_ALB_ZONE_ID}}',
      24 'eks-alb-edns/iam_role_arn': '{{EKS_ALB_EDNS_IAM_ROLE_ARN}}',
      25 'eks-alb-acm/subdomain': '{{EKS_ALB_ACM_SUBDOMAIN}}',
      26 'eks-alb-acm/arn': '{{EKS_ALB_ACM_CERT}}',
      27 'eks-alb-alb/iam_role_arn': '{{EKS_ALB_ALB_IAM_ROLE_ARN}}',
      28 'eks-alb-nginx/trusted_cidrs': '{{EKS_ALB_NGINX_TRUSTED_CIDRS}}',
      29 'eks-alb-nginx/alb_hostname': '{{EKS_ALB_NGINX_HOSTNAME}}',
      30}
    2. Render the preseed file:

      root@rok-tools:~# j2 preseed-manifests.py.j2 -o preseed-manifests.py
    3. Unset all the environment variables you exported:

      root@rok-tools:~# unset TOOLS_ENV_TYPE ENCRYPTED_SSH_KEY \ > SSH_KEY_PASSPHRASE GIT_USER_NAME GIT_USER_EMAIL AWS_ACCESS_KEY_ID \ > AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION ENCRYPTED_DOCKERCONFIG \ > DOCKERCONFIG_PASSPHRASE AWS_VPC_CONFIG EKS_CLUSTER \ > EKS_TRUSTED_CIDRS EKS_NODEGROUP DEX_DEFAULT_USER_PASSWD \ > EKS_ALB_ZONE_DOMAIN EKS_ALB_ACM_SUBDOMAIN \ > EKS_ALB_NGINX_TRUSTED_CIDRS AWS_ACCOUNT_ID AWS_VPC_ID \ > AWS_SUBNETS_PUBLIC AWS_SUBNETS_PRIVATE EKS_CLUSTER_OIDC \ > EKS_ALB_ZONE_ID EKS_ALB_EDNS_IAM_ROLE_ARN \ > EKS_ALB_ACM_CERT EKS_ALB_ALB_IAM_ROLE_ARN \ > EKS_ALB_NGINX_HOSTNAME
    4. Run rok-deploy using the preseed file you created and use the default choices:

      root@rok-tools:~# rok-deploy \ > --assume-no-apply \ > --preseed-load preseed-manifests.py

Verify

  1. Go to the GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Inspect the commits that rok-deploy created as well as their contents:

    root@rok-tools:~/ops/deployments# git log -p commit 4910bfc3943a1239945b6b212b910f2876d13c6e Author: Rok Deploy 1.4-rc7 <no-reply@arrikto.com> Date: Tue Jan 4 13:23:32 2022 +0000 deploy: Expose Istio ...

Summary

You have generated and committed the Arrikto-provided manifests with your custom input for an EKF installation.

What’s Next

Check out the rest of our guides regarding automated deployments.