Classified Provisioning Docs #101
Conversation
Fine as-is but I did submit some suggestions on copy. One potential caveat with Cilium and security groups.
"arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:volume/*", | ||
"arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:instance/*", | ||
"arn:aws:ec2:AWS_REGION_PLACEHOLDER':AWS_ACCOUNT_ID_PLACEHOLDER:snapshot/*", | ||
"arn:aws:kms:AWS_REGION_PLACEHOLDER':AWS_ACCOUNT_ID_PLACEHOLDER:key/*" |
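Review bot: the snapshot and key ARNs carry a stray apostrophe after the region placeholder (`AWS_REGION_PLACEHOLDER':`), so after substitution the region field of those two ARNs is malformed and the statement will match no snapshot or KMS key. Drop the apostrophe so all four lines follow the `arn:aws:<service>:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:<resource>/*` shape already used on the volume and instance lines.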
If we choose to use envvar style placeholders then savvy operators can pipe this through envsubst with the appropriate environment. And if we're doing that, worthwhile to use standard envvars e.g. `${AWS_REGION:-${AWS_DEFAULT_REGION}}`.
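A renderer plus ARN lint for the policy template in this PR, as an added example that is not part of the PR or of the Carbide docs; it assumes only the two placeholder names shown in the diff, and the region and account number it renders with are constructed values.

```shell
#!/bin/sh
# Added example, not code from the PR: render the policy template with sed and
# lint every ARN in the result. envsubst works as the renderer too, but GNU
# envsubst expands only $VAR and ${VAR}; a default such as
# ${AWS_REGION:-${AWS_DEFAULT_REGION}} must be resolved by the shell first.

# Constructed sample: the resource block from the diff, keeping the stray
# apostrophe after AWS_REGION_PLACEHOLDER on the snapshot line.
sample_policy() {
  cat <<'EOF'
{
  "Resource": [
    "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:volume/*",
    "arn:aws:ec2:AWS_REGION_PLACEHOLDER':AWS_ACCOUNT_ID_PLACEHOLDER:snapshot/*",
    "arn:aws:kms:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:key/*"
  ]
}
EOF
}

# render_policy REGION ACCOUNT_ID: substitute the placeholders in the template on stdin
render_policy() {
  sed -e "s/AWS_REGION_PLACEHOLDER/$1/g" -e "s/AWS_ACCOUNT_ID_PLACEHOLDER/$2/g"
}

# malformed_arns: print every quoted ARN on stdin that is not of the form
# arn:<partition>:<service>:<region>:<12-digit account>:<resource>
malformed_arns() {
  grep -o '"arn:[^"]*"' | tr -d '"' |
    grep -Ev '^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:[0-9]{12}:[A-Za-z0-9*/_:.-]+$' || true
}

# lint_policy: return 0 when every ARN is well-formed, 1 otherwise (listing the offenders)
lint_policy() {
  offenders=$(malformed_arns)
  [ -z "$offenders" ] && return 0
  printf '%s\n' "$offenders" | sed 's/^/malformed ARN: /'
  return 1
}

# Resolve the region the way the review suggests, then render and lint.
# The fallback region and the account number are constructed values.
demo_lint() {
  region="${AWS_REGION:-${AWS_DEFAULT_REGION:-us-iso-east-1}}"
  sample_policy | render_policy "$region" 123456789012 | lint_policy
}

demo_lint || echo "fix the template before attaching this policy"
```

envsubst can replace the sed step, but because GNU envsubst does not expand shell-style defaults, `${AWS_REGION:-${AWS_DEFAULT_REGION}}` has to be resolved by the shell (as `demo_lint` does) rather than inside the template.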
|
||
**NOTE**: In SC2S/C2S, not all Instance Types are available. Ensure you are leverage an Instance Type that is **available in your environment**. This list will be dynamic in the future. | ||
|
||
**NOTE**: If no security group is provided, Rancher will attempt to create a Security Group. If the ability to create Security Groups is limited, have a Security Group created by your Account Manager/Broker that has the [appropriate port configuration](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements) and select that existing Security Group in the `Advanced` settings. |
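Review bot: "Ensure you are leverage an Instance Type" should read "Ensure you are leveraging an Instance Type". On the security-group note, the linked Rancher page covers Rancher's own ports; since the provisioned clusters are RKE2 with Cilium, also point readers at the RKE2 inbound rules (https://docs.rke2.io/install/requirements#inbound-network-rules) so a group pre-created by an Account Manager/Broker is not missing the CNI ports.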
I think there is a needed caveat for Cilium, IIRC.
We should probably mention that folks take note of the Cilium ports at https://docs.rke2.io/install/requirements#inbound-network-rules
I should scroll harder, this might be the best link to use: https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements#rancher-aws-ec2-security-group
Think that covers everything, I need to hop on a meeting but can confirm after. End of the day, that's what Rancher is leveraging anyways.
Also I submitted https://github.com/rancher/rancher/issues/46233
Co-authored-by: Jacob Blain Christen <[email protected]>
Co-authored-by: Jacob Blain Christen <[email protected]>
GitHub is mean to me.
| Configuring PSS/PSA/PSP | | ✓ | | ||
|
||
|
||
Classified Provisioning provides the ability to natively provision clusters through Rancher onto the same AWS account that Rancher is running in through the use of IAM roles attached to the instances running Rancher. This greatly simplifies Day 2 Operations and enables a seamless experience in any environment. |
I would move above the table due to the fact that most people don't fully read through pages
@@ -0,0 +1,24 @@ | |||
# Introduction | |||
|
|||
In classified regions of AWS, the ability to natively provision RKE2 clusters through the Rancher MCM provides a lot of benefits in comparison to importing clusters. |
Possibly add a bit more overview and background information? It feels like we are jumping right into it... https://gist.github.com/zackbradys/4a49ffbd5f310f13e29dc219d07f7db5
1. Download the Carbide public key. | ||
|
||
```bash | ||
wget -O /tmp/carbide-key.pub https://github.com/rancherfederal/carbide-releases/releases/download/0.1.1/carbide-key.pub |
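Review bot: this command pins the public key to the 0.1.1 release asset, while the prerequisites page cited in the review fetches carbide-key.pub from the main branch of carbide-releases; pick one location and use it in both places so readers verify the Carbide images against the same key the rest of the docs reference.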
Match this example command to the rest of docs... https://rancherfederal.github.io/carbide-docs/docs/registry-docs/prereqs#required-artifacts

```bash
# download the public key for carbide
curl -sfOL https://raw.githubusercontent.com/rancherfederal/carbide-releases/main/carbide-key.pub
```
metadata: | ||
name: carbide-rancher-extra | ||
annotations: | ||
hauler.dev/version: "v2.8.5-carbide-1" |
`hauler.dev/version` isn't a valid annotation for hauler. Additionally, there are no quotes required in the hauler manifest for image names.
- name: "rgcrprod.azurecr.us/rancher/machine:v0.15.0-rancher112-carbide-1" | ||
- name: "rgcrprod.azurecr.us/rancher/rancher:v2.8.5-carbide-1" | ||
- name: "rgcrprod.azurecr.us/rancher/rancher-agent:v2.8.5-carbide-1" | ||
EOT |
Typo... `EOT` should be inside the code block.
2. Load the bundle to the local store & copy the images to your registry. | ||
|
||
```bash | ||
hauler store load haul.tar.zst |
Possibly provide a specific name for this haul? Matches the rest of the docs... https://rancherfederal.github.io/carbide-docs/docs/registry-docs/downloading-images#carbide

```bash
hauler store save --filename carbide-provisioning-images.tar.zst
```
``` | ||
|
||
\ | ||
For more information about Air-gaped Installation of Rancher, see the [Rancher air-gapped](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install) docs. |
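Review bot: "Air-gaped" is misspelled; the linked page uses "air-gapped", so write "Air-gapped Installation of Rancher" (or match whatever casing the rest of the docs use). The line holding only a backslash just above this sentence looks unintended in Markdown; remove it or replace it with a blank line.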
Update the formatting? Airgapped is spaced and capitalized differently here and in the rest of the docs
|
||
This role needs to then be attached to all EC2 instances that Rancher MCM is running on. | ||
|
||
![Modify IAM Role](/img/classified-provisioning/modify-iam-role.png) |
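Review bot: "This role needs to then be attached" reads better as "This role then needs to be attached". Since the policy is bound to every EC2 instance Rancher MCM runs on, it is worth one sentence telling operators that any workload on those instances can use the role's EC2 and KMS permissions, and that the policy should stay scoped to the single region and account the ARN placeholders already encode.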
Possibly add the additional prerequisites and reference code regarding the AWS and customer specific CAs? https://gist.github.com/zackbradys/4a49ffbd5f310f13e29dc219d07f7db5#rancher-manager-prerequisites
haul.tar.zst
Looks like an accidental commit of the `haul.tar.zst`?
|
||
2. Select the Cloud Credentials created in the previous step, then add node pools as you normally would for provisioning a cluster from Rancher. | ||
|
||
|
Possibly add the NOTE that SC2S/C2S requires encrypted EBS volumes? https://gist.github.com/zackbradys/4a49ffbd5f310f13e29dc219d07f7db5#step-4
cleaning up the syntax Co-authored-by: Jacob Blain Christen <[email protected]>
Docs for Classified Provisioning Capability
Closes rancher/rancher#100