Overview¶
This system template allows you to configure, templatize, and provision an AWS EKS cluster using AWS Infra's native OpenTofu IaC provider. The templates are designed to support both Day 0 (initial setup) and Day 2 (ongoing management and maintenance) operations.
The template lets users provision and manage the lifecycle of an AWS EKS cluster together with the add-ons defined in its cluster blueprint. As part of the template output, the end user receives a kubeconfig file that carries cluster-wide privileges and provides access to the cluster; because it grants that level of access, handle it as a sensitive credential (do not commit it to source control or share it beyond the intended users).
- For detailed step-by-step instructions, refer to the **EKS System Template Get Started Guide**.
Initial Setup¶
The platform team is responsible for the initial configuration and setup of the AWS EKS template. The sequence diagram below outlines the high-level steps: the platform team configures the template in the system catalog, shares it with the project they manage, and then shares it downstream with the end user.
```mermaid
sequenceDiagram
participant Admin as Platform Admin
participant Catalog as System Catalog
participant Project as End User Project
Admin->>Catalog: Selects AWS EKS Cluster Template from System Catalog
Admin->>Project: Shares Template with Predefined Controls
Project-->>Admin: Template Available in End User's Project
```
End User Flow¶
The end user launches a shared template, provides required input values, and deploys the cluster.
```mermaid
sequenceDiagram
participant User as End User
participant Project as Rafay Project
participant Cluster as AWS Infra
User->>Project: Launches Shared Template for AWS EKS
User->>Project: Provides Required Input Values
User->>Project: Clicks "Deploy"
Project->>Cluster: Provisions an AWS EKS Cluster on AWS Infra
Cluster-->>User: Cluster Deployed Successfully
```
The templates are designed to support both:
- Day 0 operations: Initial setup
- Day 2 operations: Ongoing management
Resources¶
This system template will deploy an AWS EKS Cluster along with its dependent resources for Cluster LCM (Lifecycle Management).
Pre-Requisites¶
- AWS Credentials:
  - Ensure the credentials carry the permissions necessary to create and manage AWS Infra resources.
  - Refer to the required IAM roles listed here.
- Rafay Agent Deployment:
  - Deploy an agent in the project where the template will be used. Follow these instructions to set up the agent. Existing agents can also be reused.
Note
Deploy the agent in the same network as the EKS cluster so that it has network access to manage the cluster (this is what makes a private-only cluster endpoint reachable). The agent drives the automation workflow. When the user supplies an AWS Role ARN instead of an Access Key and Secret Key as template input, the agent must run with an IAM role that allows it to assume that role during execution; with static access keys this is not required.
In that case, the EC2 instance hosting the agent must have an instance role attached that grants sts:AssumeRole on the target role and iam:PassRole on the roles handed to EKS (the cluster and node IAM roles). Scope both permissions to the specific role ARNs rather than to "*".
- Configuration:
  At template launch, provide the required configuration values as exposed by the Platform Admin. These may include:
  - Credentials:
    - API_KEY: Rafay controller API key.
    - AWS Role ARN, or AWS Access Key and Secret Key: AWS credentials used for cluster LCM.
  - Cluster Configuration:
    - Kubernetes Version: the Kubernetes version for the cluster.
    - Node Group Configuration: managed or self-managed node group settings.
After entering the required information, click Deploy to initiate the cluster deployment.
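As an added example (not the template's own code, nor Rafay's), the following Python builds the two policy documents the agent prerequisite implies: the permissions policy for the agent's EC2 instance role, and the trust policy on the role handed to the template as AWS Role ARN. It also includes a check that rejects wildcard actions or resources, or an iam:PassRole without an iam:PassedToService condition, before either document is attached. The account ID, role names, and the assumption that the agent assumes the template's role directly from its instance profile are illustrative; the PassedToService values are the services EKS and EC2 Auto Scaling pass the cluster and node roles to.

```python
"""Least-privilege policy documents for the agent's EC2 instance role.

Added example, not the template's or Rafay's own code. It assumes the role
the template assumes ("AWS Role ARN") and the cluster/node roles already
exist; the account ID and role names used at the bottom are placeholders.
"""
import json

# Services the cluster and node roles may be passed to; anything else is refused.
PASS_TO_SERVICES = ["eks.amazonaws.com", "ec2.amazonaws.com"]


def agent_instance_policy(execution_role_arn, passable_role_arns):
    """Permissions policy attached to the agent's instance role.

    sts:AssumeRole is limited to the template's execution role and
    iam:PassRole to the named cluster/node roles, and only when they are
    passed to EKS or EC2.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssumeTemplateExecutionRole",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": execution_role_arn,
            },
            {
                "Sid": "PassClusterAndNodeRoles",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": list(passable_role_arns),
                "Condition": {"StringEquals": {"iam:PassedToService": PASS_TO_SERVICES}},
            },
        ],
    }


def execution_role_trust_policy(agent_instance_role_arn):
    """Trust policy on the execution role: only the agent's instance role may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": agent_instance_role_arn},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def overbroad_statements(policy):
    """Return the Sids of Allow statements that grant '*' actions or resources,
    or iam:PassRole without an iam:PassedToService condition."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        wildcard = "*" in actions or "*" in resources or any(a.endswith(":*") for a in actions)
        unconditioned_pass = (
            "iam:PassRole" in actions
            and "iam:PassedToService" not in json.dumps(stmt.get("Condition", {}))
        )
        if wildcard or unconditioned_pass:
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


if __name__ == "__main__":
    # Placeholder ARNs (constructed): replace with the roles in your account.
    account = "123456789012"
    exec_role = f"arn:aws:iam::{account}:role/eks-template-exec"
    agent_role = f"arn:aws:iam::{account}:role/rafay-agent-instance"
    eks_roles = [f"arn:aws:iam::{account}:role/eks-cluster", f"arn:aws:iam::{account}:role/eks-node"]
    perms = agent_instance_policy(exec_role, eks_roles)
    print(json.dumps(perms, indent=2))
    print(json.dumps(execution_role_trust_policy(agent_role), indent=2))
    print("overbroad statements:", overbroad_statements(perms))
```

Run the check against any hand-edited version of these documents before attaching them; an empty list from `overbroad_statements` means every Allow statement names its resources and the PassRole grant is tied to a service.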
Input Variables for AWS EKS System Template¶
General Configuration¶
Name | Value Type | Description |
---|---|---|
Blueprint Name | Text | Name of the EKS blueprint. |
Blueprint Version | Text | Version of the EKS blueprint. |
Cluster Project | Text | Project where the EKS cluster is created. |
Username | Text | Username for accessing the cluster. |
Cluster Name | Text | Name of the EKS cluster. |
Cluster Tags | JSON | Tags applied to the EKS cluster. |
Cluster Kubernetes Version | Text | Kubernetes version for the cluster. |
Cluster Region | Text | AWS region where the cluster is deployed. |
Cluster Public Access | Text | Enables or disables public access to the cluster. |
Node Group Management | Text | Type of node group management (e.g., EKS-managed, self-managed). |
Control Plane Subnet IDs | JSON | List of subnet IDs for the control plane. |
VPC ID | Text | ID of the VPC where the cluster is deployed. |
Cluster Private Access | Text | Enables or disables private access to the cluster. |
Enable Cluster Creator Admin Permissions | Text | Grants the identity that creates the cluster admin access to it; leave disabled unless that identity should keep cluster-admin rights. |
Cluster Endpoint Public Access Cidrs | JSON | List of CIDRs allowed to reach the public cluster endpoint. Restrict to known ranges; 0.0.0.0/0 exposes the API server to the entire internet. |
Cluster Enabled Log Types | JSON | Control-plane log types sent to CloudWatch (api, audit, authenticator, controllerManager, scheduler). |
Cluster Security Group ID | Text | Security group ID associated with the cluster. |
Cluster IP Family | Text | IP family used for cluster networking (ipv4 or ipv6). |
Create Cluster Security Group | Text | Whether to create a security group for the cluster. |
Cluster Additional Security Group IDs | JSON | Additional security group IDs associated with the cluster. |
Cluster Upgrade Policy | Text | Upgrade policy for the cluster. |
Cluster Service IPV4 Cidr | Text | CIDR block for cluster service IPv4. |
Cluster IAM Role ARN | Text | IAM role ARN used by the cluster. |
Node IAM Role ARN | Text | IAM role ARN used by node groups. |
Node Groups Configuration¶
Name | Value Type | Description |
---|---|---|
EKS Managed Node Group | JSON | Configuration details for EKS-managed node groups. |
Self Managed Node Group | JSON | Configuration details for self-managed node groups. |
Cluster Add-Ons Configuration¶
Name | Value Type | Description |
---|---|---|
Cluster Addons | JSON | List of cluster add-ons to be installed. |
CloudWatch Configuration¶
Name | Value Type | Description |
---|---|---|
Cloudwatch Log Group KMS Key ID | Text | KMS Key ID for encrypting CloudWatch log group. |
Cloudwatch Log Group Tags | JSON | Tags applied to the CloudWatch log group. |
Cloudwatch Log Group Class | Text | Storage class for CloudWatch logs. |
Cloudwatch Log Group Retention In Days | Text | Number of days to retain CloudWatch logs. |
Create Cloudwatch Log Group | Text | Whether to create a CloudWatch log group. |
KMS Configuration¶
Name | Value Type | Description |
---|---|---|
Create KMS Key | Text | Whether to create a KMS key for encryption. |
KMS Key Deletion Window In Days | Text | Waiting period, in days, before a KMS key scheduled for deletion is actually deleted. |
Enable KMS Key Rotation | Text | Whether to enable KMS key rotation. |
KMS Key Enable Default Policy | Text | Whether to apply the default policy to the KMS key. |
Access Configuration¶
Name | Value Type | Description |
---|---|---|
Access Entries | JSON | IAM principals (users or roles) granted access to the cluster through EKS access entries, with their associated access policies. |
Cluster Authentication Mode | Text | Authentication mode for cluster access (API, API_AND_CONFIG_MAP, or CONFIG_MAP). Access entries require API or API_AND_CONFIG_MAP. |
Advanced Configuration¶
Name | Value Type | Description |
---|---|---|
Cluster Timeouts | JSON | Timeout settings for cluster operations. |
Cluster Remote Network Config | JSON | Configuration for remote network access. |
Cluster Zonal Shift Config | JSON | Configuration for zonal shifts within the cluster. |
Cluster Outpost Config | JSON | Configuration for EKS Outpost clusters. |
Cluster Encryption Config | JSON | Envelope-encryption settings for Kubernetes secrets (KMS key and the resources it applies to). |
Attach Cluster Encryption Policy | Text | Whether to attach an encryption policy to the cluster. |
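Several of the inputs above decide the cluster's exposure (public endpoint access and its CIDR allow-list), its audit trail (enabled log types), who can reach it (authentication mode, access entries, creator admin permissions) and whether secrets are envelope-encrypted (KMS settings). The following Python is an added pre-deploy check over those inputs; it is not part of the template or of Rafay's code. The dictionary keys reuse the variable names from the tables, the valid log types and authentication modes are the values the EKS API accepts, and the two input sets at the bottom are constructed for illustration.

```python
"""Pre-deploy checks on the security-relevant inputs of the EKS system template.

Added example, not part of the template or of Rafay's code. Keys mirror the
variable names in the input tables; HARDENED_INPUTS and WEAK_INPUTS are
constructed for illustration.
"""
import ipaddress

VALID_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}
VALID_AUTH_MODES = {"API", "API_AND_CONFIG_MAP", "CONFIG_MAP"}
ANY_ADDRESS = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def as_bool(value):
    """The template exposes booleans as Text, so accept 'true'/'false' strings too."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "1", "yes"}


def check_inputs(v):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    public = as_bool(v.get("Cluster Public Access", False))
    private = as_bool(v.get("Cluster Private Access", True))

    # Endpoint exposure: a public endpoint needs an allow-list, and 0.0.0.0/0 is not one.
    if public:
        cidrs = v.get("Cluster Endpoint Public Access Cidrs") or []
        if not cidrs:
            findings.append("public endpoint enabled without an allow-list of CIDRs")
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"invalid CIDR in public access list: {cidr!r}")
                continue
            if net in ANY_ADDRESS:
                findings.append(f"public endpoint reachable from anywhere ({cidr})")
        if not private:
            findings.append("private access disabled: node and agent traffic leaves the VPC to reach the API server")
    elif not private:
        findings.append("both endpoint access modes disabled: the API server would be unreachable")

    # Control-plane logging: audit and authenticator are the streams an investigation needs.
    log_types = set(v.get("Cluster Enabled Log Types") or [])
    unknown = log_types - VALID_LOG_TYPES
    if unknown:
        findings.append(f"unknown log types: {sorted(unknown)}")
    for required in ("audit", "authenticator"):
        if required not in log_types:
            findings.append(f"control-plane log type {required!r} not enabled")

    # Access: access entries only work in the API-based authentication modes.
    mode = v.get("Cluster Authentication Mode", "")
    if mode not in VALID_AUTH_MODES:
        findings.append(f"unknown authentication mode {mode!r}")
    elif mode == "CONFIG_MAP" and v.get("Access Entries"):
        findings.append("Access Entries require authentication mode API or API_AND_CONFIG_MAP")
    if as_bool(v.get("Enable Cluster Creator Admin Permissions", False)):
        findings.append("the identity running the template is granted cluster-admin; confirm that is intended")

    # Secrets at rest: a KMS key, created here or supplied in the encryption config, enables envelope encryption.
    create_kms = as_bool(v.get("Create KMS Key", False))
    if not create_kms and not v.get("Cluster Encryption Config"):
        findings.append("no KMS key and no encryption config: Kubernetes secrets are not envelope-encrypted")
    if create_kms and not as_bool(v.get("Enable KMS Key Rotation", False)):
        findings.append("KMS key created without automatic rotation")
    return findings


# Constructed inputs: a private, fully logged, encrypted cluster ...
HARDENED_INPUTS = {
    "Cluster Public Access": "false",
    "Cluster Private Access": "true",
    "Cluster Enabled Log Types": ["api", "audit", "authenticator", "controllerManager", "scheduler"],
    "Cluster Authentication Mode": "API",
    "Access Entries": {"ops": {"principal_arn": "arn:aws:iam::123456789012:role/eks-ops"}},
    "Enable Cluster Creator Admin Permissions": "false",
    "Create KMS Key": "true",
    "Enable KMS Key Rotation": "true",
}

# ... and one that is open to the internet, barely logged and unencrypted.
WEAK_INPUTS = {
    "Cluster Public Access": "true",
    "Cluster Private Access": "false",
    "Cluster Endpoint Public Access Cidrs": ["0.0.0.0/0"],
    "Cluster Enabled Log Types": ["api"],
    "Cluster Authentication Mode": "CONFIG_MAP",
    "Access Entries": {"ops": {"principal_arn": "arn:aws:iam::123456789012:role/eks-ops"}},
    "Create KMS Key": "false",
}

if __name__ == "__main__":
    for name, inputs in (("hardened", HARDENED_INPUTS), ("weak", WEAK_INPUTS)):
        print(name, check_inputs(inputs) or "OK")
```

Run `check_inputs` over the values you intend to enter before clicking Deploy; the weak set above produces six findings, the hardened set none. The checks encode EKS behaviour (the endpoint modes, the accepted log types and authentication modes, the access-entry requirement) rather than anything specific to the template, so they apply equally to a cluster created outside it.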
eks-rafay-env-vars (Holds Credentials and ARNs)¶
Name | Value Type | Description |
---|---|---|
AWS Role ARN or Access Key/Secret | Text | Credentials the template uses to reach AWS services: either a role ARN that the agent assumes, or an access key ID and secret access key. These are secrets; do not place them in cluster tags or other non-secret inputs. |
Launch Time¶
The estimated time to launch an AWS EKS cluster using this template is approximately 25 minutes.