AWS Air-gapped Bootstrap
Bootstrap a kind cluster and CAPI controllers
Konvoy deploys all cluster lifecycle services to a bootstrap cluster, which deploys a workload cluster. When the workload cluster is ready, move the cluster lifecycle services to the workload cluster, after which the workload cluster manages its own lifecycle.
Assuming you have downloaded dkp-air-gapped-bundle_v2.5.2_linux_amd64.tar.gz, extract the tarball to a local directory:

```shell
tar -xzvf dkp-air-gapped-bundle_v2.5.2_linux_amd64.tar.gz && cd dkp-v2.5.2
```
Set environment variables with your registry address, credentials, and CA certificate with these commands:

```shell
export REGISTRY_ADDRESS=<registry-address>:<registry-port>
export REGISTRY_USERNAME=<username>
export REGISTRY_PASSWORD=<password>
export REGISTRY_CA=<path to the cacert file on the bastion>
```
Seed the registry by running the following command to load the air-gapped image bundle into your private registry:

```shell
dkp push image-bundle --image-bundle ./container-images/konvoy-image-bundle-v2.5.2.tar --to-registry $REGISTRY_ADDRESS --to-registry-username $REGISTRY_USERNAME --to-registry-password $REGISTRY_PASSWORD
```
Load the bootstrap image on your bastion machine, using either Docker or Podman:

```shell
docker load -i konvoy-bootstrap-image-v2.5.2.tar
```

OR

```shell
podman load -i konvoy-bootstrap-image-v2.5.2.tar
```
Create a bootstrap cluster:

```shell
dkp create bootstrap --kubeconfig $HOME/.kube/config
```

If your environment uses HTTP/HTTPS proxies, you must include the flags --http-proxy, --https-proxy, and --no-proxy and their related values in this command for it to be successful. More information is available in Configuring an HTTP/HTTPS Proxy.

(Optional) Refresh the credentials used by the AWS provider at any time, using the command:

```shell
dkp update bootstrap credentials aws
```
Using a Custom AWS CA
You need to add the custom CAs into two places:

1. The capa-controller-manager pod, because CAPA controllers interact with the AWS API when creating and deleting infrastructure.
2. The trusted root CAs in the AWS AMI used as Kubernetes nodes. The first step of the node bootstrap process is to fetch the sensitive information from the AWS Secrets Manager service, so the aws client on the instances needs to trust this custom CA. This process is unique to your environment, but a general flow can be similar to what is documented in adding trusted root certificates to the server.
1. Place the AWS CA file as ca.pem in your working directory.
2. Create a ConfigMap with the contents of the file:

```shell
kubectl create configmap -n capa-system aws-ca --from-file=ca.pem
```

3. Update the capa-controller-manager Deployment to mount the ConfigMap and set the environment variable AWS_CA_BUNDLE in the manager container:

```shell
kubectl patch deployment -n capa-system capa-controller-manager --patch '{"spec":{"template":{"spec":{"$setElementOrder/containers":[{"name":"manager"},{"name":"kube-rbac-proxy"}],"$setElementOrder/volumes":[{"name":"cert"},{"name":"credentials"},{"name":"aws-ca"}],"containers":[{"$setElementOrder/env":[{"name":"AWS_SHARED_CREDENTIALS_FILE"},{"name":"AWS_CA_BUNDLE"}],"$setElementOrder/volumeMounts":[{"mountPath":"/tmp/k8s-webhook-server/serving-certs"},{"mountPath":"/home/.aws"},{"mountPath":"/home/.konvoy/aws-ca.pem"}],"env":[{"name":"AWS_CA_BUNDLE","value":"/home/.konvoy/aws-ca.pem"}],"name":"manager","volumeMounts":[{"mountPath":"/home/.konvoy/aws-ca.pem","name":"aws-ca","subPath":"ca.pem"}]}],"volumes":[{"configMap":{"name":"aws-ca"},"name":"aws-ca"}]}}}}'
```
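The patch above is a Kubernetes strategic merge patch: containers, env entries and volumes are merged by name (volumeMounts by mountPath), so the existing AWS_SHARED_CREDENTIALS_FILE entry and the kube-rbac-proxy container survive, and the $setElementOrder directives only fix list ordering. The following added example (not from the Konvoy project) builds the same patch shape and applies a simplified merge to a constructed, trimmed stand-in for the capa-controller-manager Deployment so you can see the resulting pod spec before touching the cluster; the merge keys and the base Deployment are assumptions for illustration.

```python
import json

# Merge keys Kubernetes uses for the list fields this patch touches
# (assumption: only the fields needed here are modelled).
MERGE_KEYS = {"containers": "name", "env": "name", "volumes": "name",
              "volumeMounts": "mountPath"}

def strategic_merge(base, patch, field=None):
    """Dicts merge recursively, keyed lists merge by their merge key,
    $setElementOrder directives carry no content and are skipped."""
    if isinstance(base, dict) and isinstance(patch, dict):
        out = dict(base)
        for k, v in patch.items():
            if k.startswith("$setElementOrder/"):
                continue
            out[k] = strategic_merge(base[k], v, k) if k in base else v
        return out
    key = MERGE_KEYS.get(field)
    if isinstance(base, list) and isinstance(patch, list) and key:
        merged = {item[key]: item for item in base}
        for item in patch:  # update existing entry by key or append a new one
            merged[item[key]] = strategic_merge(merged.get(item[key], {}), item)
        return list(merged.values())
    return patch  # scalars and unkeyed lists are replaced wholesale

def build_ca_patch(configmap="aws-ca", container="manager",
                   mount="/home/.konvoy/aws-ca.pem", file_key="ca.pem"):
    """Mount a CA ConfigMap into a container and point AWS_CA_BUNDLE at it."""
    return {"spec": {"template": {"spec": {
        "containers": [{"name": container,
            "env": [{"name": "AWS_CA_BUNDLE", "value": mount}],
            "volumeMounts": [{"mountPath": mount, "name": configmap,
                              "subPath": file_key}]}],
        "volumes": [{"name": configmap, "configMap": {"name": configmap}}]}}}}

# Constructed, trimmed stand-in for the capa-controller-manager Deployment.
BASE_DEPLOYMENT = {"spec": {"template": {"spec": {
    "containers": [
        {"name": "manager",
         "env": [{"name": "AWS_SHARED_CREDENTIALS_FILE", "value": "/home/.aws/credentials"}],
         "volumeMounts": [{"mountPath": "/home/.aws", "name": "credentials"}]},
        {"name": "kube-rbac-proxy"}],
    "volumes": [{"name": "cert"}, {"name": "credentials"}]}}}}

def patched_pod_spec():
    """Pod spec that results from applying the CA patch to the base Deployment."""
    return strategic_merge(BASE_DEPLOYMENT, build_ca_patch())["spec"]["template"]["spec"]

if __name__ == "__main__":
    print(json.dumps(patched_pod_spec(), indent=2))
```

After the real patch, confirm the result with kubectl get deployment -n capa-system capa-controller-manager -o yaml and check that the manager container shows the AWS_CA_BUNDLE env entry and the aws-ca volume mount.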