
Create

In this part, you will

  • Configure and provision an Amazon EKS Cluster
  • Create the Secrets Store CSI Driver and ASCP addons.
  • Create a custom cluster blueprint with the newly created addons.
  • Apply the custom cluster blueprint to your EKS cluster.

Step 1: Configure RCTL

This step is a one-time task. In this step, you will download the RCTL CLI so that you can interact with your Org programmatically and embed all operations in your existing automation platform.

  • Login into your Org and click on My Tools
  • Download the RCTL CLI binary for your operating system and install it on a node from which you can perform kubectl operations against your EKS cluster.
  • Download the CLI config and initialize the RCTL CLI with the config file
./rctl config init <full path to config file>

Optionally, check if RCTL is properly configured and can interact with your Org. You should see an output similar to the example below.

./rctl get projects

NAME
defaultproject

Step 2: Provision EKS cluster

This step assumes the following:

  • You have already created "cloud credentials" in the "default project".
  • You have configured the RCTL CLI to interact with "default project".

In the example below, you will provision an Amazon EKS cluster in the "default project" with "one managed nodegroup" using the cluster specification provided below.

Type               Description
Cluster Name       aws-sm-demo
Project            defaultproject
Blueprint          default
k8s Version        1.20
AWS Region         us-west-1
Worker Nodes       2
Node Group Type    Managed

kind: Cluster
metadata:
  name: aws-sm-demo
  project: defaultproject
spec:
  type: eks
  cloudprovider: demo-aws-full-role
  blueprint: default
---
apiVersion: rafay.io/v1alpha5
kind: ClusterConfig
metadata:
  name: aws-sm-demo
  region: us-west-1
  version: "1.20"

managedNodeGroups:
  - name: managed-ng1
    instanceType: t3.large
    desiredCapacity: 2

  • Copy the cluster specification and save it to a YAML file (e.g. "aws-sm-demo.yaml")
  • Use the RCTL CLI to provision the EKS cluster in your project
./rctl apply -f "aws-sm-demo.yaml"

This will start the provisioning of an EKS cluster in the project. This step can take ~10-15 minutes to complete. Once provisioning is successful, you should be able to interact with your EKS cluster in your Project.


Step 3: Cluster Blueprint

In this step, you will:

  • Create and configure a repository so that the desired version of the Secrets Store CSI Driver Helm chart can be pulled dynamically.
  • Create a Secrets Store CSI Driver addon. The driver mounts secrets from an external secrets store into pods as files on a CSI volume; it can optionally sync the mounted values into Kubernetes Secrets and rotate them periodically.
  • Create an AWS Secrets and Configuration Provider (ASCP) addon. ASCP is the AWS provider plugin for the driver; it is what lets secrets stored in AWS Secrets Manager (and parameters in SSM Parameter Store) appear as files mounted in your pods.
  • Create a custom cluster blueprint containing the Secrets Store CSI Driver and ASCP addons.

Add Secrets Store CSI Driver Repo

Configure the repository endpoint so that the controller can retrieve the required Helm chart directly from the Internet-facing upstream chart repository (https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts).

Add Secrets Store CSI Driver Repository

  • Optionally, you can validate the correct configuration of the repository by clicking on the validate option.

Validate Secrets Store CSI Driver Repository


Create Namespace

  • Click on Infrastructure -> Namespaces
  • Click New Namespace
  • Enter "kube-system" in the "Name" section
  • For "Type" Select "Wizard" from the dropdown
  • In the Pod Security Policy section, enter "rafay-privileged-psp". The driver and the provider run as DaemonSets that hostPath-mount the kubelet plugin directory, so they need a privileged policy; keep your application namespaces on a restrictive one.
  • Click "SAVE"

Create Secrets Store CSI Driver Addon

  • Click on Infrastructure -> Addons.
  • Click on Create New Addon with the name "secrets-store-csi-driver".
  • Select "Helm3" for addon type.
  • Select "Pull files from repository" for Artifact Sync.
  • Select repository type as "helm".
  • Select the "kube-system" namespace from the dropdown.

Create Addon


Custom Values

The Secrets Store CSI Driver supports optional functions such as secret rotation and syncing mounted secrets into Kubernetes Secrets, which are enabled through Helm values in an override file. Enabling sync means the values mounted from AWS Secrets Manager are also written as regular Kubernetes Secret objects (stored in etcd and readable by any principal with RBAC access to secrets in that namespace), so turn it on only when workloads need environment variables or secretKeyRef references rather than files. Rotation is controlled by a separate value (enableSecretRotation) and is not turned on by the override below. To enable secret sync, save the following override in a "secrets-store-csi-driver-values.yaml" file and upload it to the addon.

syncSecret:
  enabled: true
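
The override above only switches the sync feature on; which secrets are mounted, and which of them are mirrored into Kubernetes Secrets, is declared per application in a SecretProviderClass. The manifests below are an added illustration for this recipe and are not part of the page or of the upstream projects' documentation. The Secrets Manager secret name "aws-sm-demo-db-credentials", the IAM role ARN, the ServiceAccount and pod names, and the container image are assumed placeholders; the API version is the one served by driver chart 0.3.0.

```yaml
# Added example, not from the Rafay page or the upstream projects.
# Assumptions: a Secrets Manager secret named "aws-sm-demo-db-credentials"
# exists in us-west-1, the IAM role below exists and trusts the cluster's
# OIDC provider (IRSA), and the driver was installed with syncSecret.enabled=true.
---
# ASCP calls Secrets Manager with the *application pod's* identity, not the
# driver's, so the role this ServiceAccount assumes needs
# secretsmanager:GetSecretValue and secretsmanager:DescribeSecret on the secret.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: db-client
  namespace: default
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/aws-sm-demo-db-client   # assumed ARN
---
# v1alpha1 matches driver chart 0.3.0; driver 1.0.0 and later also serve v1.
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: db-credentials-aws
  namespace: default
spec:
  provider: aws                                   # served by the ASCP DaemonSet from Step 3
  parameters:
    objects: |
      - objectName: "aws-sm-demo-db-credentials"  # Secrets Manager secret name (assumed)
        objectType: "secretsmanager"
        objectAlias: "db-credentials.json"        # file name under the pod's mount path
  # Only honored when the driver runs with syncSecret.enabled=true. The
  # Kubernetes Secret is created when a pod mounts the volume and deleted when
  # the last such pod is gone, so it does not outlive its consumer.
  secretObjects:
    - secretName: db-credentials
      type: Opaque
      data:
        - objectName: "db-credentials.json"       # the alias above (mounted file)
          key: db-credentials.json                # key inside the Kubernetes Secret
---
apiVersion: v1
kind: Pod
metadata:
  name: db-client
  namespace: default
spec:
  serviceAccountName: db-client
  containers:
    - name: app
      image: public.ecr.aws/amazonlinux/amazonlinux:2   # assumed; any image works
      command: ["sh", "-c", "cat /mnt/secrets-store/db-credentials.json && sleep 3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
      env:
        # Reads the synced Kubernetes Secret; resolves only when syncSecret is
        # enabled and a pod has the CSI volume mounted.
        - name: DB_CREDENTIALS_JSON
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: db-credentials.json
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: db-credentials-aws
```

Apply these only after the blueprint from Step 4 is on the cluster. Without syncSecret.enabled the pod still receives the file under /mnt/secrets-store, but the secretObjects section is ignored and the env reference fails to resolve, which is a quick way to confirm which mode the driver is running in. A synced Secret is an ordinary Secret in etcd, readable by anyone with get or list on secrets in the namespace, so the sync widens exposure compared with the file mount alone.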

New Secrets Store CSI Driver Addon Version

  • Click on "New Version" to create a new version of the secrets store csi driver addon.
  • Provide a version (e.g. v1).
  • Select the "secrets-store-csi-driver" repository.
  • Enter "secrets-store-csi-driver" for the Chart Name.
  • Enter "0.3.0" for the version number.
  • Select "Upload Files" and upload the override file created above if you intend to sync secrets pulled from AWS Secrets Manager into Kubernetes Secrets or to enable other optional driver features.

New Addon Version


Create ASCP Addon

  • Download the K8s YAML manifest from the Git repo. The URL below tracks the tip of the main branch, so its content can change between downloads; for a reproducible deployment, fetch the manifest from a tagged release instead, and review what it creates (a DaemonSet in kube-system plus the RBAC it needs) before uploading it as an addon.
wget https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
  • Click on Infrastructure -> Addons.
  • Click on Create New Addon with the name "ascp".
  • Select "K8s YAML" for addon type.
  • Select "Upload files manually" for Artifact Sync.
  • Select the "kube-system" namespace from the dropdown.

Create Addon


New ASCP Addon Version

  • Click on "New Version" to create a new version of the ascp addon.
  • Provide a version (e.g. v1).
  • Select the file "aws-provider-installer.yaml" downloaded in the previous step.

New Addon Version

New Blueprint

  • Select blueprints and create a new blueprint (e.g. aws-secrets-manager).
  • Click on "New version" (e.g. v1).
  • Select the "ascp" and "secrets-store-csi-driver" addons and their versions from the list of custom addons.
  • Save blueprint.

New Blueprint Version


Step 4: Apply Blueprint

Now, we are ready to apply the newly created, custom blueprint to our EKS cluster.

  • Select Infrastructure -> Clusters.
  • Click on the gear icon on the far right of the EKS cluster.
  • Update blueprint and select the new blueprint and version.

Update Blueprint

In a few minutes, all the k8s resources matching the custom cluster blueprint will become operational on the cluster.

Update Blueprint

Notice that the cluster's blueprint name and version match what you created in the prior step.

Successful Secrets Manager Blueprint


Step 5: Verify Setup

Optionally, to verify that the Secrets Store CSI Driver and ASCP addons have been deployed correctly:

  • Click on the EKS cluster.
  • Select Resources to view the integrated k8s dashboard.
  • Select "pods" from the resource selector and filter by the "kube-system" namespace.
  • Verify all pods are in a Running state. Both addons deploy as DaemonSets, so expect one secrets-store-csi-driver pod and one csi-secrets-store-provider-aws pod per worker node (two of each for the cluster provisioned in Step 2).

Blueprint Verification


Next Steps

You are now ready to move on to the second part of the recipe.