Classified Provisioning Docs #101
Conversation
| "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:volume/*", | ||
| "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:instance/*", | ||
| "arn:aws:ec2:AWS_REGION_PLACEHOLDER':AWS_ACCOUNT_ID_PLACEHOLDER:snapshot/*", | ||
| "arn:aws:kms:AWS_REGION_PLACEHOLDER':AWS_ACCOUNT_ID_PLACEHOLDER:key/*" |
There was a problem hiding this comment.
If we choose to use envvar style placeholders then savvy operators can pipe this through envsubst with the appropriate environment. And if we're doing that, worthwhile to use standard envvars e.g. ${AWS_REGION:-${AWS_DEFAULT_REGION}}.
|
|
||
| **NOTE**: In SC2S/C2S, not all Instance Types are available. Ensure you are leverage an Instance Type that is **available in your environment**. This list will be dynamic in the future. | ||
|
|
||
| **NOTE**: If no security group is provided, Rancher will attempt to create a Security Group. If the ability to create Security Groups is limited, have a Security Group created by your Account Manager/Broker that has the [appropriate port configuration](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements) and select that existing Security Group in the `Advanced` settings. |
There was a problem hiding this comment.
i think there is a needed caveat for cilium iirc
There was a problem hiding this comment.
We should probably mention that folks take note of the Cilium ports at https://docs.rke2.io/install/requirements#inbound-network-rules
There was a problem hiding this comment.
I should scroll harder, this might be the best link to use: https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements#rancher-aws-ec2-security-group
Think that covers everything, I need to hop on a meeting but can confirm after. End of the day, that's what Rancher is leveraging anyways.
There was a problem hiding this comment.
Also I submitted https://github.com/rancher/rancher/issues/46233
There was a problem hiding this comment.
The first port is covered as its vxlan but the second two aren't.
Co-authored-by: Jacob Blain Christen <[email protected]>
Co-authored-by: Jacob Blain Christen <[email protected]>
| | Configuring PSS/PSA/PSP | | ✓ | | ||
|
|
||
|
|
||
| Classified Provisioning provides the ability to natively provision clusters through Rancher onto the same AWS account that Rancher is running in through the use of IAM roles attached to the instances running Rancher. This greatly simplifies Day 2 Operations and enables a seamless experience in any environment. |
There was a problem hiding this comment.
I would move above the table due to the fact that most people don't fully read through pages
| @@ -0,0 +1,24 @@ | |||
| # Introduction | |||
|
|
|||
| In classified regions of AWS, the ability to natively provision RKE2 clusters through the Rancher MCM provides a lot of benefits in comparison to importing clusters. | |||
There was a problem hiding this comment.
Possibly add a bit more overview and background information? It feels like we are jumping right into it... https://gist.github.com/zackbradys/4a49ffbd5f310f13e29dc219d07f7db5
| 1. Download the Carbide public key. | ||
|
|
||
| ```bash | ||
| wget -O /tmp/carbide-key.pub https://github.com/rancherfederal/carbide-releases/releases/download/0.1.1/carbide-key.pub |
There was a problem hiding this comment.
Match this example command to the rest of docs... https://rancherfederal.github.io/carbide-docs/docs/registry-docs/prereqs#required-artifacts
# download the public key for carbide
curl -sfOL https://raw.githubusercontent.com/rancherfederal/carbide-releases/main/carbide-key.pub| metadata: | ||
| name: carbide-rancher-extra | ||
| annotations: | ||
| hauler.dev/version: "v2.8.5-carbide-1" |
There was a problem hiding this comment.
hauler.dev/version isn't a valid annotation for hauler
Additionally, there are no quotes required in hauler manifest for image names
| - name: "rgcrprod.azurecr.us/rancher/machine:v0.15.0-rancher112-carbide-1" | ||
| - name: "rgcrprod.azurecr.us/rancher/rancher:v2.8.5-carbide-1" | ||
| - name: "rgcrprod.azurecr.us/rancher/rancher-agent:v2.8.5-carbide-1" | ||
| EOT |
There was a problem hiding this comment.
Typo... EOT should be inside the code block
| 2. Load the bundle to the local store & copy the images to your registry. | ||
|
|
||
| ```bash | ||
| hauler store load haul.tar.zst |
There was a problem hiding this comment.
Possibly provide a specific name for this haul? Matches the rest of the docs... https://rancherfederal.github.io/carbide-docs/docs/registry-docs/downloading-images#carbide
hauler store save --filename carbide-provisioning-images.tar.zst| ``` | ||
|
|
||
| \ | ||
| For more information about Air-gaped Installation of Rancher, see the [Rancher air-gapped](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install) docs. |
There was a problem hiding this comment.
Update the formatting? Airgapped is spaced and capitalized differently here and in the rest of the docs
|
|
||
| This role needs to then be attached to all EC2 instances that Rancher MCM is running on. | ||
|
|
||
|  |
There was a problem hiding this comment.
Possibly add the additional prerequisites and reference code regarding the AWS and customer specific CAs? https://gist.github.com/zackbradys/4a49ffbd5f310f13e29dc219d07f7db5#rancher-manager-prerequisites
haul.tar.zst
Outdated
There was a problem hiding this comment.
Looks like an accidental commit of the haul.tar.zst?
|
|
||
| 2. Select the Cloud Credentials created in the previous step, then add node pools as you normally would for provisioning a cluster from Rancher. | ||
|
|
||
|
|
There was a problem hiding this comment.
Possibly add the NOTE that SC2S/C2S requires encrypted EBS volumes? https://gist.github.com/zackbradys/4a49ffbd5f310f13e29dc219d07f7db5#step-4
cleaning up the syntax Co-authored-by: Jacob Blain Christen <[email protected]>
Docs for Classified Provisioning Capability
Closes rancher/rancher#100