AWS Self-Hosted (Vanilla) K8s Cluster Provisioner
The Astro platform deploys a Kubernetes cluster on EC2 instances on your behalf, allowing you to select the instance type, size, zone, region, and other configurations. This approach is beneficial when you require a cluster that is not managed by the cloud provider, providing you with full control over the cluster, including the control plane.
Prerequisites
To create a self-hosted cluster on AWS, ensure the following CLI tools are installed on your local machine:
- AWS CLI, for communicating with the cluster's AWS resources
- kubectl (optional), for interacting with the cluster
- astroctl, for cluster management
AWS Provisioner
Prerequisites
You must deploy the cloudformation stack before creating the cluster via astroctl. You can find the cloudformation template here.
The cloudformation stack outputs provide the inputs needed to create the cluster:
- accessKey
- secretKey
- bucketName
These values are required to configure the provisioner specification.
Note: The platform does not automatically generate an AWS_SESSION_TOKEN via assume role or STS. If this is a security concern, you can use your own automation to generate a temporary token and provide it. Currently, the platform uses a static credential model, which stores the credentials on the Astro platform. A future release will support dynamic credentials, as the eks provisioner does, so that temporary keys are used to deploy clusters.
API Specification
The selfHosted type represents the spec for the AWS self-hosted provisioner.
| Field | Description | Required |
|---|---|---|
| accountId | The AWS account ID. | Yes |
| networkId | The VPC ID in AWS. Required only for Bring Your Own VPC (BYOVPC) configurations. | No |
| credentials | The AWS credentials. Currently, only static credentials are supported. | Yes |
| bucketName | The S3 bucket name used to store the cluster configuration. Must be in the same region as the cluster. | Yes |
BYOA (Bring Your Own Account)
```yaml
provider: aws
provisioner:
  type: selfHosted
  selfHosted:
    accountId: "xxxxx" # account id
    credentials:
      type: static
      data:
        AWS_ACCESS_KEY_ID: ${accessKey} # output from cloudformation
        AWS_SECRET_ACCESS_KEY: ${secretKey} # output from cloudformation
        # AWS_SESSION_TOKEN: "xxx" # optional, only if using temporary keys
    bucketName: ${bucketName} # output from cloudformation
```
Currently, only static credentials are supported; pass them in the credentials section.
A future release will support dynamic credentials, using assume role to generate temporary keys.
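The following is an added example, not part of the Astro documentation or of astroctl. It is an offline validator that encodes the required and optional fields from the API specification table and the BYOA example above, flags `${...}` placeholders that were never substituted with the cloudformation outputs, and warns when the static keys carry no session token (a long-lived secret stored on the platform, as the note above describes). The spec is passed as a Python dict, i.e. what `yaml.safe_load` would return for the YAML above; the field names are the page's, while `validate_spec`, the `byovpc` switch and the 12-digit account ID / `vpc-` ID format checks are my additions.

```python
"""Offline validator for the Astro AWS selfHosted provisioner spec (added example)."""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")                     # AWS account IDs are 12 digits
VPC_ID_RE = re.compile(r"^vpc-[0-9a-f]{8}([0-9a-f]{9})?$")  # vpc-xxxxxxxx or vpc-<17 hex>
PLACEHOLDER_RE = re.compile(r"^\$\{[^}]+\}$")               # unsubstituted ${accessKey} etc.


def validate_spec(spec: dict, byovpc: bool = False) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a provisioner spec.

    byovpc=True applies the BYOVPC rule from the table: networkId becomes required.
    """
    errors, warnings = [], []

    if spec.get("provider") != "aws":
        errors.append("provider must be 'aws'")
    prov = spec.get("provisioner") or {}
    if prov.get("type") != "selfHosted":
        errors.append("provisioner.type must be 'selfHosted'")
    sh = prov.get("selfHosted")
    if not isinstance(sh, dict):
        errors.append("provisioner.selfHosted block is missing")
        return errors, warnings

    def unresolved(value) -> bool:
        return isinstance(value, str) and PLACEHOLDER_RE.match(value) is not None

    # accountId: required
    account = sh.get("accountId")
    if account is None:
        errors.append("selfHosted.accountId is required")
    elif unresolved(account):
        errors.append(f"selfHosted.accountId still contains placeholder {account}")
    elif not ACCOUNT_ID_RE.match(str(account)):
        errors.append("selfHosted.accountId must be a 12-digit AWS account ID")

    # networkId: optional, but required (and must look like a VPC ID) for BYOVPC
    network = sh.get("networkId")
    if byovpc and network is None:
        errors.append("selfHosted.networkId is required for BYOVPC")
    elif network is not None and not VPC_ID_RE.match(str(network)):
        errors.append("selfHosted.networkId must be an AWS VPC ID (vpc-...)")

    # bucketName: required; same-region requirement cannot be checked offline
    bucket = sh.get("bucketName")
    if not bucket:
        errors.append("selfHosted.bucketName is required")
    elif unresolved(bucket):
        errors.append(f"selfHosted.bucketName still contains placeholder {bucket}")

    # credentials: required; only type 'static' is supported today
    creds = sh.get("credentials")
    if not isinstance(creds, dict):
        errors.append("selfHosted.credentials is required")
        return errors, warnings
    if creds.get("type") != "static":
        errors.append("credentials.type must be 'static' (only static credentials are supported)")
    data = creds.get("data") or {}
    for key in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"):
        if key not in data:
            errors.append(f"credentials.data.{key} is required")
        elif unresolved(data[key]):
            errors.append(f"credentials.data.{key} still contains placeholder {data[key]}")
    if "AWS_SESSION_TOKEN" not in data:
        warnings.append(
            "no AWS_SESSION_TOKEN: these are long-lived static keys stored on the platform; "
            "rotate them and keep the IAM user scoped to what the cloudformation stack grants"
        )
    return errors, warnings


# Constructed sample: a BYOA spec with the cloudformation outputs already substituted.
SAMPLE_SPEC = {
    "provider": "aws",
    "provisioner": {
        "type": "selfHosted",
        "selfHosted": {
            "accountId": "123456789012",
            "credentials": {
                "type": "static",
                "data": {
                    "AWS_ACCESS_KEY_ID": "AKIA-EXAMPLE-KEY-ID",
                    "AWS_SECRET_ACCESS_KEY": "example-secret-not-real",
                },
            },
            "bucketName": "astro-cluster-config-example",
        },
    },
}

if __name__ == "__main__":
    errs, warns = validate_spec(SAMPLE_SPEC)
    print("errors:", errs)      # [] for the constructed sample
    print("warnings:", warns)   # one warning: no AWS_SESSION_TOKEN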
Bring Your Own VPC (BYOVPC)
provider: aws
provisioner:
type: selfHosted
selfHosted:
accountId: "xxxxx" # account id
networkId: "vpc-xxxx" # VPC ID, this is the ID of the VPC you own and required for BYOVPC
credentials:
type: static
data:
AWS_ACCESS_KEY_ID: ${accessKey} # output from cloudformation
AWS_SECRET_ACCESS_KEY: ${secretKey} # output from cloudformation
# AWS_SESSION_TOKEN: "xxx" # optional, only if using temporary keys
bucketName: ${bucketName} # output from cloudformation
For BYOVPC, you need to make sure the VPC is in the same region as the cluster and internet gateway is attached to the VPC. The VPC must have DNS hostnames and DNS resolution enabled. You need to use your own automation either via AWS CLI or AWS Console to create the VPC and internet gateway.
Note: The cloudformation will be provided to create VPC, subnets, internet gateway, route table, and route table association in future release.
KubeConfig
With simple command like below, you can set the context to the cluster and have the access to the cluster. You need to make sure to install the kubectl CLI as required.
astroctl clusters set-context <cluster-name>
The cluster uses the client authentication type mutual TLS authentication to authenticate the kubeconfig. The platform lets you to configure the duration for the kubeconfig to be valid. Only the platform admin or admin of the organization can export the kubeconfig.