Skip to content

Overview

This is a reference design and implementation based on Rafay Environment Manager using Terraform IaC sourced from a Git repository. You will setup and use Environment Manager to build and manage operating environments based on Amazon EKS clusters in RBAC controlled Rafay projects. Environment Manager enables a self-service model for Development and DevOps teams (Admins) to create environments while giving enough control to the central Ops, SRE and Platform teams (End Users) to enforce security, cost, governance guardrails and standardization.

Important

This design builds on and extends the Terraform based reference design by providing self service based automation using Environment Manager.

Source Code for Template

The Terraform source code and related assets are available in a public Git repo as shown below

Git Repo

Background

It is a relatively common pattern for platform teams to provide downstream application teams with a dedicated operating environment.

Day-1

  • This environment maps to a project in a Rafay Org
  • Access to the project is controlled to specific users/groups based RBAC and/or ABAC rules
  • It is common for organizations to require "separation of duties" esp. between infrastructure operations and application operations.
  • Cloud credentials are automatically created in the project which is then used to provision at least one Kubernetes cluster for the application team
  • It is common for organizations to standardize their clusters with a required baseline (aka cluster blueprint) comprising several software addons

Day-2

  • The cluster may need to be scaled up/down as per the needs of the application team
  • The cluster may need to be upgraded to a new Kubernetes version to ensure that it is supported by the provider

Items Out of Scope

Although possible using Rafay, this reference design does not include the following items. We have provided pointers below to content that can be used to address this.

  • Creation and management of namespaces and/or workspaces for application teams
  • How application teams can deploy/operate their containerized applications on the Kubernetes cluster.

What Will You Do by Part

Part What will you do?
1 Setup and Configure Environment Manager
2 Manage the lifecycle of a AWS environment

The following resources will be created as part of the environment:

sequenceDiagram
    participant pipe as Rafay <br> Env Manager
    participant tf as Terraform <br>Provider
    participant rafay as Rafay
    participant csp as Cloud <br>(AWS)

    pipe->>tf: New Operating Environment 
    tf-->>rafay: Create Project 
    tf-->>rafay: Create User Group
    tf-->>rafay: Map Roles to Group (RBAC)
    tf-->>rafay: Create Cloud Credential
    tf-->>rafay: Add Git/Helm Repositories <br> (for Add-Ons)
    tf-->>rafay: Create Add-ons <br>(nginx, cert-manager)
    tf-->>rafay: Create Custom Blueprint <br> (Managed and Custom Add-ons)
    tf-->>rafay: Add Cluster Overrides 
    rafay->>csp: Provision EKS Cluster <br> (using Cloud Credential)
    rafay->>csp: Apply Custom Blueprint <br> (with Cluster Override)
    csp->>rafay: Blueprint Successful 
    rafay->>tf: Cluster Ready
    tf->>pipe: Operating Environment Ready
    tf-->>rafay: Create Nodegroup <br> (Day-2 Operation)
    tf-->>rafay: Scale Nodegroup <br> (Day-2 Operation)
    tf-->>rafay: Upgrade Cluster <br> (Day-2 Operation)

This exercise is expected to take ~60 minutes to complete. A setup script will be used to assist in setting up the pre-requisites for this guide. The setup script wil perform the following actions:

  • Create a repository in the controller
  • Create a Secret Sealer in the controller
  • Create a GitOps Agent that will run on the machine where the setup script is executed from
  • Create a GitOps System-Sync pipeline in the controller that will be used to sync resources between the controller and the forked Git repository

The sequence diagram below illustrates the steps you will experience at a high level.

Important

Either the Environment Template User or the Infra Admin can perform the deploy/destroy operations on an environment.

sequenceDiagram
    autonumber
    participant admin as Platform Team
    participant rafay as Rafay
    participant user as Developer


    rect rgb(191, 223, 255)
    Note over admin,rafay: Setup Environment Template
    admin->>admin: Clone Git Repo
    admin->>rafay: Setup Env Manager <br>Resources
    admin->>rafay: Input Cloud Credentials
    end

    rect rgb(191, 223, 255)
    Note over rafay,user: Provision & Use Environment
    user->>rafay: Create Environment
    user->>rafay: Use Environment
    user->>rafay: Destroy Environment
    end

Assumptions

  • You have access to a AWS Account
  • You have access to a Mac or Linux machine
  • You have a Git client on your machine that is setup for push/pull