Generate Manifests¶
This section describes a use case on how you can only generate Arrikto-provided
manifests for an EKF deployment in a automated way, by using rok-deploy
.
Arrikto follows a generate-commit-apply GitOps approach for the completion of a
deployment task. This guide will show you how to run rok-deploy
to only
generate and commit manifests, so you can inspect them and apply them on your
own. The manifests you generate are .yaml
files in your rok-tools
management environment that describe the infrastructure and Kubernetes
resources that you can deploy later on.
Overview
What You’ll Need¶
An encrypted deployment key for the Arrikto GitOps repository at https://github.com/arrikto/deployments, which is similar to the following:
gitconfig_dummy.asc1 -----BEGIN PGP MESSAGE----- 2 3 jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT 4-5 4 bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq 5 ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/ 6 3eeSgHnfY0w= 7 =6Ssd 8 -----END PGP MESSAGE----- The encrypted Docker JSON configuration file, which is similar to the following:
dockerconfig_dummy.asc1 -----BEGIN PGP MESSAGE----- 2 3 jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT 4-5 4 bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq 5 ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/ 6 3eeSgHnfY0w= 7 =6Ssd 8 -----END PGP MESSAGE----- The passphrases to decrypt each of the above.
Contact Arrikto
If you don’t have a deployment key or a Docker JSON configuration file, please contact the Arrikto Tech Team to create one for you.
Procedure¶
Generate the Arrikto-provided manifests interactively, or non-interactively, by choosing one of the following options:
Option 1: Generate Manifests Interactively¶
In this section you will run rok-deploy
interactively. This means that,
during the process, you will be prompted for input.
Run
rok-deploy
and specify that you don’t want to apply the generated manifests:root@rok-tools:~# rok-deploy --assume-no-applyFollow the on-screen instructions.
Note
You might need to skip the verification steps of any EKF installation guide you haven’t deployed infrastructure for.
Option 2: Generate Manifests Non-Interactively¶
In this section you will run rok-deploy
non-interactively. This means that
you will run rok-deploy
without being prompted for input once you specify
the required environment variables.
Note
Sensitive
This guide will ask you to type sensitive values in the terminal. The sensitive value will be getting echoed in the terminal as you type it. Please make sure that you are performing this action in a private environment.
Note
To get a description of what each of the following environment variables that you will be exporting does, run:
Specify the necessary environment variables that you need to run a non-interactive deployment:
Specify the type of the environment where you have created your management environment. Choose one of the following options:
root@rok-tools:~# export TOOLS_ENV_TYPE=kubernetesroot@rok-tools:~# export TOOLS_ENV_TYPE=dockerroot@rok-tools:~# export TOOLS_ENV_TYPE=ec2Specify your encrypted SSH key:
root@rok-tools:~# export ENCRYPTED_SSH_KEY=<SSH_KEY>Replace
<SSH_KEY>
with the encrypted SSH key you received from Arrikto via email, including the-----BEGIN PGP MESSAGE-----
and-----END PGP MESSAGE-----
lines. For example:root@rok-tools:~# export ENCRYPTED_SSH_KEY="-----BEGIN PGP MESSAGE----- > jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT > bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq > ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/ > 3eeSgHnfY0w= > =6Ssd > -----END PGP MESSAGE-----"Specify the passphrase to decrypt your encrypted SSH key:
root@rok-tools:~# export SSH_KEY_PASSPHRASE=<PASSPHRASE>Replace
<PASSPHRASE>
with the passphrase for the encrypted SSH key you received from Arrikto. For example:root@rok-tools:~# export SSH_KEY_PASSPHRASE=sshkeypassphraseSpecify the name that Git will use:
root@rok-tools:~# export GIT_USER_NAME=<NAME>Replace
<NAME>
with your name. For example:root@rok-tools:~# export GIT_USER_NAME="Joe Doe"Specify the email that Git will use:
root@rok-tools:~# export GIT_USER_EMAIL=<EMAIL>Replace
<EMAIL>
with your email. For example:root@rok-tools:~# export GIT_USER_EMAIL=joedoe@example.comSpecify the AWS access key ID for your desired IAM user:
root@rok-tools:~# export AWS_ACCESS_KEY_ID=<KEY_ID>Replace
<KEY_ID>
with the desired access key ID. For example:root@rok-tools:~# export AWS_ACCESS_KEY_ID=THISISANACCESSKEYIDSpecify the AWS secret access key for your desired IAM user:
root@rok-tools:~# export AWS_SECRET_ACCESS_KEY=<SECRET_KEY>Replace
<SECRET_KEY>
with the desired secret access key. For example:root@rok-tools:~# export AWS_SECRET_ACCESS_KEY=THISISASECRETACCESSKEYSpecify the region where you want to perform this deployment:
root@rok-tools:~# export AWS_DEFAULT_REGION=<REGION>Replace
<REGION>
with the desired region. For example:root@rok-tools:~# export AWS_DEFAULT_REGION=us-east-1Specify your encrypted Docker configuration:
root@rok-tools:~# export ENCRYPTED_DOCKERCONFIG=<DOCKERCONFIG>Replace
<DOCKERCONFIG>
with the encrypted Docker configuration you received from Arrikto via email, including the-----BEGIN PGP MESSAGE-----
and-----END PGP MESSAGE-----
lines. For example:root@rok-tools:~# export ENCRYPTED_DOCKERCONFIG="-----BEGIN PGP MESSAGE----- > jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT > bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq > ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/ > 3eeSgHnfY0w= > =6Ssd > -----END PGP MESSAGE-----"Specify the passphrase to decrypt your encrypted Docker configuration:
root@rok-tools:~# export DOCKERCONFIG_PASSPHRASE=<PASSPHRASE>Replace
<PASSPHRASE>
with the passphrase for the encrypted Docker configuration you received from Arrikto. For example:root@rok-tools:~# export DOCKERCONFIG_PASSPHRASE=dockerconfigpassphraseSpecify the VPC configuration. Choose one of the following options:
root@rok-tools:~# export AWS_VPC_CONFIG=publicroot@rok-tools:~# export AWS_VPC_CONFIG=public-privateroot@rok-tools:~# export AWS_VPC_CONFIG=privateSpecify the name for your EKS cluster:
root@rok-tools:~# export EKS_CLUSTER=<EKS_CLUSTER>Replace
<EKS_CLUSTER>
with the desired name for your EKS cluster. For example:root@rok-tools:~# export EKS_CLUSTER=arrikto-clusterSpecify the trusted CIDRs for your EKS cluster:
root@rok-tools:~# export EKS_TRUSTED_CIDRS=<CIDRS>Replace
<CIDRS>
with your trusted CIDRs. For example, if you want to allow access for everyone, set:root@rok-tools:~# export EKS_TRUSTED_CIDRS=0.0.0.0/0Note
If you wish to specify multiple CIDRs, create a space-separated list. For example:
root@rok-tools:~# export EKS_TRUSTED_CIDRS="<CIDR1> <CIDR2>"Specify the name for your node group:
root@rok-tools:~# export EKS_NODEGROUP=<NODEGROUP>Replace
<NODEGROUP>
with the desired name for your node group. For example:root@rok-tools:~# export EKS_NODEGROUP=general-workersPick a password for the default Dex user:
root@rok-tools:~# export DEX_DEFAULT_USER_PASSWD=<PASSWORD>Replace
<PASSWORD>
with the desired password for the default Dex user. For example:root@rok-tools:~# export DEX_DEFAULT_USER_PASSWD=dexpasswordSpecify the DNS name suffix (domain) for the hosted zone:
root@rok-tools:~# export EKS_ALB_ZONE_DOMAIN=<DOMAIN>Replace
<DOMAIN>
with your desired domain. For example:root@rok-tools:~# export EKS_ALB_ZONE_DOMAIN=apps.example.comSpecify the subdomain for your load balancer:
root@rok-tools:~# export EKS_ALB_ACM_SUBDOMAIN=<SUBDOMAIN>Replace
<SUBDOMAIN>
with your desired subdomain. For example:root@rok-tools:~# export EKS_ALB_ACM_SUBDOMAIN=${EKS_CLUSTER?}.${EKS_ALB_ZONE_DOMAIN?} \ > && echo ${EKS_ALB_ACM_SUBDOMAIN?} arrikto-cluster.apps.example.comSpecify the trusted CIDRs for your load balancer:
root@rok-tools:~# export EKS_ALB_NGINX_TRUSTED_CIDRS=<CIDRS>Replace
<CIDRS>
with your trusted CIDRs. For example, if you want to allow access for everyone, set:root@rok-tools:~# export EKS_ALB_NGINX_TRUSTED_CIDRS=0.0.0.0/0Note
If you wish to specify multiple CIDRs, create a space-separated list. For example:
root@rok-tools:~# export EKS_TRUSTED_CIDRS="<CIDR1> <CIDR2>"
Specify some additional environment variables that you need to generate the manifests non-interactively:
Specify your AWS account ID:
root@rok-tools:~# export AWS_ACCOUNT_ID=<ACCOUNT_ID>Replace
<ACCOUNT_ID>
with the ID of your AWS account, for example:root@rok-tools:~# export AWS_ACCOUNT_ID=1234567890Specify your VPC ID:
root@rok-tools:~# export AWS_VPC_ID=<VPC_ID>Replace
<VPC_ID>
with the ID of your VPC, for example:root@rok-tools:~# export AWS_VPC_ID=vpc-069a2ce6446fa019aList your public subnets:
root@rok-tools:~# export AWS_SUBNETS_PUBLIC="<SUBNET>"Replace
<SUBNET>
with the subnet ID of each of your public subnets, for example:root@rok-tools:~# export AWS_SUBNETS_PUBLIC="subnet-4ca5bc29b04512a27 subnet-4bf22b97877b600ac"List your private subnets:
root@rok-tools:~# export AWS_SUBNETS_PRIVATE="<SUBNET>"Replace
<SUBNET>
with the subnet ID of each of your private subnets, for example:root@rok-tools:~# export AWS_SUBNETS_PRIVATE="subnet-057bbb30d4491"Set the name of your OIDC provider for your cluster:
root@rok-tools:~# export EKS_CLUSTER_OIDC=<OIDC>Replace
<OIDC>
with the OIDC provider for your cluster, for example:root@rok-tools:~# export EKS_CLUSTER_OIDC="oidc.eks.us-east-1.amazonaws.com/id/6E2A9EFA10BCABCDEF6BCDBC5"Specify the ID of the hosted zone:
root@rok-tools:~# export EKS_ALB_ZONE_ID=<ZONE>Replace
<ZONE>
with the ID of the hosted zone, for example:root@rok-tools:~# export EKS_ALB_ZONE_ID="/hostedzone/Z08893681SHDKAMZ2MRWZ4"Specify the ARN of the IAM role for ExternalDNS:
root@rok-tools:~# export EKS_ALB_EDNS_IAM_ROLE_ARN=<ARN>Replace
<ARN>
with the ARN of the IAM role for ExternalDNS, for example:root@rok-tools:~# export EKS_ALB_EDNS_IAM_ROLE_ARN="arn:aws:iam::1234567890:role/rok-us-east-1-edns"Specify the ARN of the ACM certificate:
root@rok-tools:~# export EKS_ALB_ACM_CERT=<ARN>Replace
<ARN>
with the ARN of the ACM certificate, for example:root@rok-tools:~# export EKS_ALB_ACM_CERT="arn:aws:acm:us-east-1:1234567890:certificate/c1557acb-e5a3-4c2c-114d-4dbdd570d6ab"Specify the ARN of the IAM role for AWS Load Balancer Controller:
root@rok-tools:~# export EKS_ALB_ALB_IAM_ROLE_ARN=<ARN>Replace
<ARN>
with the ARN of the IAM role for AWS Load Balancer Controller, for example:root@rok-tools:~# export EKS_ALB_ALB_IAM_ROLE_ARN="arn:aws:iam::1234567890:role/rok-us-east-1-alb"Specify the hostname of the ALB:
root@rok-tools:~# export EKS_ALB_NGINX_HOSTNAME=<HOSTNAME>Replace
<HOSTNAME>
with the hostname of the ALB, for example:root@rok-tools:~# export EKS_ALB_NGINX_HOSTNAME="k8s-ingressn-ingressn-9123456783-664321247.us-east-1.elb.amazonaws.com"
Configure
rok-deploy
to run non-interactively. This means that you will not be prompted for questions. If an answer is missing,rok-deploy
will fail the operation and report the missing answer:root@rok-tools:~# export ROK_FRONTEND=non-interactive root@rok-tools:~# export ROK_QUESTION_THRESHOLD=criticalChoose one of the following options to perform the non-interactive deployment:
Run
rok-deploy
and use the default choices:root@rok-tools:~# rok-deploy --assume-no-apply
Download the
preseed-manifests.py.j2
Jinja2 template file provided below and use it inside your management environment.preseed-manifests.py.j21 SEEDS = { 2 'tools/env_type': '{{TOOLS_ENV_TYPE}}', 3 'git/encrypted_ssh_key': '''{{ENCRYPTED_SSH_KEY}}''', 4-27 4 'git/ssh_key_passphrase': '{{SSH_KEY_PASSPHRASE}}', 5 'git/user_name': '{{GIT_USER_NAME}}', 6 'git/user_email': '{{GIT_USER_EMAIL}}', 7 'cli-aws/access_key_id': '{{AWS_ACCESS_KEY_ID}}', 8 'cli-aws/secret_access_key': '{{AWS_SECRET_ACCESS_KEY}}', 9 'envvars-aws/account_id': '{{AWS_ACCOUNT_ID}}', 10 'envvars-aws/region': '{{AWS_DEFAULT_REGION}}', 11 'arriktoreg/dockerconfig_encrypted': '''{{ENCRYPTED_DOCKERCONFIG}}''', 12 'arriktoreg/dockerconfig_passphrase': '{{DOCKERCONFIG_PASSPHRASE}}', 13 'aws-vpc/config': '{{AWS_VPC_CONFIG}}', 14 'aws-vpc/id': '{{AWS_VPC_ID}}', 15 'aws-subnets/public': '{{AWS_SUBNETS_PUBLIC}}', 16 'aws-subnets/private': '{{AWS_SUBNETS_PRIVATE}}', 17 'eks-cluster/name': '{{EKS_CLUSTER}}', 18 'eks-cluster/trusted_cidrs': '{{EKS_TRUSTED_CIDRS}}', 19 'eks/cluster_oidc': '{{EKS_CLUSTER_OIDC}}', 20 'eks-nodegroup/name': '{{EKS_NODEGROUP}}', 21 'users/dex_default_user_passwd': '{{DEX_DEFAULT_USER_PASSWD}}', 22 'eks-alb-zone/domain': '{{EKS_ALB_ZONE_DOMAIN}}', 23 'eks-alb-zone/zone_id': '{{EKS_ALB_ZONE_ID}}', 24 'eks-alb-edns/iam_role_arn': '{{EKS_ALB_EDNS_IAM_ROLE_ARN}}', 25 'eks-alb-acm/subdomain': '{{EKS_ALB_ACM_SUBDOMAIN}}', 26 'eks-alb-acm/arn': '{{EKS_ALB_ACM_CERT}}', 27 'eks-alb-alb/iam_role_arn': '{{EKS_ALB_ALB_IAM_ROLE_ARN}}', 28 'eks-alb-nginx/trusted_cidrs': '{{EKS_ALB_NGINX_TRUSTED_CIDRS}}', 29 'eks-alb-nginx/alb_hostname': '{{EKS_ALB_NGINX_HOSTNAME}}', 30 } Render the preseed file:
root@rok-tools:~# j2 preseed-manifests.py.j2 -o preseed-manifests.pyUnset all the environment variables you exported:
root@rok-tools:~# unset TOOLS_ENV_TYPE ENCRYPTED_SSH_KEY \ > SSH_KEY_PASSPHRASE GIT_USER_NAME GIT_USER_EMAIL AWS_ACCESS_KEY_ID \ > AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION ENCRYPTED_DOCKERCONFIG \ > DOCKERCONFIG_PASSPHRASE AWS_VPC_CONFIG EKS_CLUSTER \ > EKS_TRUSTED_CIDRS EKS_NODEGROUP DEX_DEFAULT_USER_PASSWD \ > EKS_ALB_ZONE_DOMAIN EKS_ALB_ACM_SUBDOMAIN \ > EKS_ALB_NGINX_TRUSTED_CIDRS AWS_ACCOUNT_ID AWS_VPC_ID \ > AWS_SUBNETS_PUBLIC AWS_SUBNETS_PRIVATE EKS_CLUSTER_OIDC \ > EKS_ALB_ZONE_ID EKS_ALB_EDNS_IAM_ROLE_ARN \ > EKS_ALB_ACM_CERT EKS_ALB_ALB_IAM_ROLE_ARN \ > EKS_ALB_NGINX_HOSTNAMERun
rok-deploy
using the preseed file you created and use the default choices:root@rok-tools:~# rok-deploy \ > --assume-no-apply \ > --preseed-load preseed-manifests.py
Verify¶
Go to the GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsInspect the commits that
rok-deploy
created as well as their contents:root@rok-tools:~/ops/deployments# git log -p commit 4910bfc3943a1239945b6b212b910f2876d13c6e Author: Rok Deploy 1.4-rc7 <no-reply@arrikto.com> Date: Tue Jan 4 13:23:32 2022 +0000 deploy: Expose Istio ...
Summary¶
You have generated and committed the Arrikto-provided manifests with your custom input for an EKF installation.
What’s Next¶
Check out the rest of our guides regarding automated deployments.