
Requirements

Organizations that need to maintain control over their environment can run the Air Gapped Controller in Amazon Web Services Elastic Kubernetes Service (AWS EKS). Although such an organization uses a cloud service like AWS, only its own administrators have access to its Air Gapped Controller.

For AWS EKS environments, the Controller can be installed with a custom Elastic Container Registry (ECR).

With the Air Gapped Controller, the organization is responsible for every aspect of the controller: deployment, maintenance, backup procedures, and troubleshooting. Organizations that prefer a SaaS model can use the available SaaS offering instead.

The prerequisites for installing the Air Gapped Controller with a custom ECR registry in an Amazon EKS environment are listed below.


Local Binaries

The following binaries are required on the system from which the Controller will be installed.

  • AWS CLI
  • Eksctl
  • Git
  • Helm
  • Kubectl
  • Terraform

DNS Records

Installing the Air Gapped Controller requires the DNS records listed below. In these examples, replace Controller-FQDN with the fully qualified domain name of the Controller.

  • Create both an "A" record and a "TXT" record for each of the following DNS names.

    ui.<Controller-FQDN>
    backend.<Controller-FQDN>
    core-registry.<Controller-FQDN>
    
  • Create the following DNS records with a CNAME value of ui.<Controller-FQDN>.

    api.<Controller-FQDN>
    console.<Controller-FQDN>
    fluentd-aggr.<Controller-FQDN>
    ops-console.<Controller-FQDN>
    
  • Create the following DNS records with a CNAME value of backend.<Controller-FQDN>.

    peering.<Controller-FQDN>
    rcr.<Controller-FQDN>
    regauth.<Controller-FQDN>
    *.cdrelay.<Controller-FQDN>
    *.core-connector.<Controller-FQDN>
    *.core.<Controller-FQDN>
    *.kubeapi-proxy.<Controller-FQDN>
    *.user.<Controller-FQDN>
    
  • The following DNS name is used after the Registry is initialized in section 4.

    core-registry.<Controller-FQDN>
    

X.509 Certificates

All Controller endpoints use TLS for secure communication. X.509 certificates are required for all endpoints.

The user is expected either to provide a wildcard certificate for the target domain, such as *.rafay.example.com, or to enable generate_self_signed_cert in the config.yaml file so that the controller creates its own self-signed certificates.

In cloud-based controllers such as EKS, the signed RSA certificate is passed to the load balancers via ACM, referenced by its ARN, so that the load balancers handle TLS (SSL) termination.
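The following preflight script is an added example and is not part of the product documentation or the vendor's tooling. It turns the Local Binaries, DNS Records and X.509 Certificates requirements above into checks: it reports required binaries missing from PATH, expands the DNS record table for a given Controller-FQDN and compares it against resolver output (the resolver output here is a constructed dictionary; replace it with real lookups), and reports which required hostnames a given certificate SAN list does not cover. Wildcard DNS names cannot be queried literally, so the script probes a synthetic label (preflight-probe, an assumed name) underneath them. Certificate matching follows the usual single-label wildcard rule, so a pattern like *.rafay.example.com matches ui.rafay.example.com but not a name under *.cdrelay.rafay.example.com; those names are reported as needing another SAN entry or certificate. The binary names (aws, eksctl, git, helm, kubectl, terraform) are assumed to be the executables on PATH.

```python
"""Preflight checks for the Air Gapped Controller prerequisites (added example)."""
import shutil
from typing import Dict, List, Optional, Tuple

# Binaries from the Local Binaries section; executable names on PATH are assumed.
REQUIRED_BINARIES = ["aws", "eksctl", "git", "helm", "kubectl", "terraform"]

# Name prefixes from the DNS Records section; each is suffixed with the Controller-FQDN.
A_NAMES = ["ui", "backend", "core-registry"]                # need an A and a TXT record
CNAME_TO_UI = ["api", "console", "fluentd-aggr", "ops-console"]
CNAME_TO_BACKEND = ["peering", "rcr", "regauth", "*.cdrelay", "*.core-connector",
                    "*.core", "*.kubeapi-proxy", "*.user"]

PROBE_LABEL = "preflight-probe"  # assumed label used to query wildcard names

Record = Tuple[str, str, Optional[str]]  # (hostname, type, expected value or None)


def missing_binaries(names: List[str] = REQUIRED_BINARIES) -> List[str]:
    """Return the required binaries that cannot be found on PATH."""
    return [n for n in names if shutil.which(n) is None]


def expected_records(fqdn: str) -> List[Record]:
    """Expand the DNS table for one Controller-FQDN.

    A and TXT values are deployment-specific, so they are None (only presence
    is checked); CNAME targets are fixed by the table and are checked exactly.
    """
    recs: List[Record] = []
    for p in A_NAMES:
        recs.append((f"{p}.{fqdn}", "A", None))
        recs.append((f"{p}.{fqdn}", "TXT", None))
    for p in CNAME_TO_UI:
        recs.append((f"{p}.{fqdn}", "CNAME", f"ui.{fqdn}"))
    for p in CNAME_TO_BACKEND:
        recs.append((f"{p}.{fqdn}", "CNAME", f"backend.{fqdn}"))
    return recs


def probe_name(name: str) -> str:
    """A wildcard record is exercised by looking up a synthetic label beneath it."""
    return f"{PROBE_LABEL}.{name[2:]}" if name.startswith("*.") else name


def check_dns(fqdn: str, resolved: Dict[Tuple[str, str], str]) -> List[str]:
    """Compare resolver output with the expected table.

    resolved maps (hostname, record type) -> value, e.g. from your resolver;
    the tests below feed it a constructed dictionary so this runs offline.
    """
    problems: List[str] = []
    for name, rtype, value in expected_records(fqdn):
        got = resolved.get((probe_name(name), rtype))
        if got is None:
            problems.append(f"{name}: {rtype} record missing")
        elif value is not None and got.rstrip(".").lower() != value.lower():
            problems.append(f"{name}: {rtype} points to {got}, expected {value}")
    return problems


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """Single-label wildcard matching: '*' stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def uncovered_hostnames(fqdn: str, san_names: List[str]) -> List[str]:
    """Required hostnames that no SAN entry in the certificate would match."""
    seen, out = set(), []
    for name, _rtype, _value in expected_records(fqdn):
        if name in seen:
            continue
        seen.add(name)
        if not any(wildcard_covers(s, probe_name(name)) for s in san_names):
            out.append(name)
    return out


if __name__ == "__main__":
    fqdn = "rafay.example.com"  # example domain from the page
    print("missing binaries:", missing_binaries())
    for rec in expected_records(fqdn):
        print(rec)
    print("not covered by *.%s:" % fqdn, uncovered_hostnames(fqdn, [f"*.{fqdn}"]))
```

Run it as-is to print the expanded record table and the wildcard coverage report for rafay.example.com; to check a live zone, fill the `resolved` dictionary from your resolver (for example from `dig` output) and pass it to `check_dns`.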