AWS Bootstrap Cluster
To create Kubernetes clusters, Konvoy uses Cluster API (CAPI) controllers. These controllers run on a Kubernetes cluster. To get started, you need a bootstrap cluster. By default, Konvoy creates a bootstrap cluster for you in a Docker container using the Kubernetes-in-Docker (KIND) tool.
Prerequisites
Before you begin, you must:
Complete the steps in Prerequisites.
Ensure the
dkp
binary can be found in your $PATH.
Bootstrap Cluster Lifecycle Services
If an HTTP proxy is required for the bootstrap cluster, set the local
http_proxy
,https_proxy
, andno_proxy
environment variables. They are copied into the bootstrap cluster.Create a bootstrap cluster:
CODEdkp create bootstrap --kubeconfig $HOME/.kube/config
If your environment uses HTTP/HTTPS proxies, you must include the flags
--http-proxy
,--https-proxy
, and--no-proxy
and their related values in this command for it to be successful. More information is available in Configuring an HTTP/HTTPS Proxy.
The output resembles:CODE✓ Creating a bootstrap cluster ✓ Initializing new CAPI components
Konvoy creates a bootstrap cluster using KIND as a library. Konvoy then deploys the following Cluster API providers on the cluster:
Konvoy waits until the controller-manager and webhook deployments of these providers are ready. List these deployments using this command:
CODEkubectl get --all-namespaces deployments -l=clusterctl.cluster.x-k8s.io
CODENAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE capa-system capa-controller-manager 1/1 1 1 2m8s capi-kubeadm-bootstrap-system capi-kubeadm-bootstrap-controller-manager 1/1 1 1 2m10s capi-kubeadm-control-plane-system capi-kubeadm-control-plane-controller-manager 1/1 1 1 2m10s capi-system capi-controller-manager 1/1 1 1 2m11s cappp-system cappp-controller-manager 1/1 1 1 2m6s capv-system capv-controller-manager 1/1 1 1 2m5s capz-system capz-controller-manager 1/1 1 1 2m7s cert-manager cert-manager 1/1 1 1 2m21s cert-manager cert-manager-cainjector 1/1 1 1 2m21s cert-manager cert-manager-webhook 1/1 1 1 2m21s
Using a Custom AWS CA
You need to add the custom CAs into two places:
The
capa-controller-manager
pod, because CAPA controllers interact with AWS API when creating and deleting infrastructure.The trusted root CAs in the AWS AMI used as Kubernetes nodes. The first step of the node bootstrap process is to fetch the sensitive information from the AWS Secrets Manager service, so the
aws
client on the instances needs to trust this custom CA. This process is unique to your environment but a general flow can be similar to what is documented in adding trusted root certificates to the server.
Place the AWS CA file as
ca.pem
in your working directoryCreate a ConfigMap with the contents of the file:
CODEkubectl create configmap -n capa-system aws-ca --from-file=ca.pem
Update the capa-controller-manager to set an environment variable
AWS_CA_BUNDLE
incapa-controller-manager
:CODEkubectl patch deployment -n capa-system capa-controller-manager --patch '{"spec":{"template":{"spec":{"$setElementOrder/containers":[{"name":"manager"},{"name":"kube-rbac-proxy"}],"$setElementOrder/volumes":[{"name":"cert"},{"name":"credentials"},{"name":"aws-ca"}],"containers":[{"$setElementOrder/env":[{"name":"AWS_SHARED_CREDENTIALS_FILE"},{"name":"AWS_CA_BUNDLE"}],"$setElementOrder/volumeMounts":[{"mountPath":"/tmp/k8s-webhook-server/serving-certs"},{"mountPath":"/home/.aws"},{"mountPath":"/home/.konvoy/aws-ca.pem"}],"env":[{"name":"AWS_CA_BUNDLE","value":"/home/.konvoy/aws-ca.pem"}],"name":"manager","volumeMounts":[{"mountPath":"/home/.konvoy/aws-ca.pem","name":"aws-ca","subPath":"ca.pem"}]}],"volumes":[{"configMap":{"name":"aws-ca"},"name":"aws-ca"}]}}}}'