Non-Interactive EKF Deployment
This section describes how to perform a non-interactive, that is, unattended, deployment of EKF using rok-deploy.
What You’ll Need
- An encrypted deployment key for the Arrikto GitOps repository at https://github.com/arrikto/deployments, which is similar to the following:

  gitconfig_dummy.asc

      -----BEGIN PGP MESSAGE-----

      jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT
      bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq
      ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/
      3eeSgHnfY0w=
      =6Ssd
      -----END PGP MESSAGE-----

- The encrypted Docker JSON configuration file, which is similar to the following:

  dockerconfig_dummy.asc

      -----BEGIN PGP MESSAGE-----

      jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT
      bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq
      ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/
      3eeSgHnfY0w=
      =6Ssd
      -----END PGP MESSAGE-----

- The passphrases to decrypt each of the above.
Contact Arrikto
If you don’t have a deployment key or a Docker JSON configuration file, please contact the Arrikto Tech Team to create one for you.
Procedure
Note
Sensitive
This guide will ask you to type sensitive values in the terminal. Each sensitive value is echoed in the terminal as you type it. Please make sure that you are performing this action in a private environment.
Note
To get a description of what each of the following environment variables that you will be exporting does, run:
Specify the necessary environment variables that you need to run a non-interactive deployment:

Specify the type of the environment where you have created your management environment. Choose one of the following options:
    root@rok-tools:~# export TOOLS_ENV_TYPE=kubernetes
    root@rok-tools:~# export TOOLS_ENV_TYPE=docker
    root@rok-tools:~# export TOOLS_ENV_TYPE=ec2

Specify your encrypted SSH key:
    root@rok-tools:~# export ENCRYPTED_SSH_KEY=<SSH_KEY>
Replace <SSH_KEY> with the encrypted SSH key you received from Arrikto via email, including the -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE----- lines. For example:
    root@rok-tools:~# export ENCRYPTED_SSH_KEY="-----BEGIN PGP MESSAGE-----
    > jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT
    > bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq
    > ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/
    > 3eeSgHnfY0w=
    > =6Ssd
    > -----END PGP MESSAGE-----"

Specify the passphrase to decrypt your encrypted SSH key:
    root@rok-tools:~# export SSH_KEY_PASSPHRASE=<PASSPHRASE>
Replace <PASSPHRASE> with the passphrase for the encrypted SSH key you received from Arrikto. For example:
    root@rok-tools:~# export SSH_KEY_PASSPHRASE=sshkeypassphrase

Specify the name that Git will use:
    root@rok-tools:~# export GIT_USER_NAME=<NAME>
Replace <NAME> with your name. For example:
    root@rok-tools:~# export GIT_USER_NAME="Joe Doe"

Specify the email that Git will use:
    root@rok-tools:~# export GIT_USER_EMAIL=<EMAIL>
Replace <EMAIL> with your email. For example:
    root@rok-tools:~# export GIT_USER_EMAIL=joedoe@example.com

Specify the AWS access key ID for your desired IAM user:
    root@rok-tools:~# export AWS_ACCESS_KEY_ID=<KEY_ID>
Replace <KEY_ID> with the desired access key ID. For example:
    root@rok-tools:~# export AWS_ACCESS_KEY_ID=THISISANACCESSKEYID

Specify the AWS secret access key for your desired IAM user:
    root@rok-tools:~# export AWS_SECRET_ACCESS_KEY=<SECRET_KEY>
Replace <SECRET_KEY> with the desired secret access key. For example:
    root@rok-tools:~# export AWS_SECRET_ACCESS_KEY=THISISASECRETACCESSKEY

Specify the region where you want to perform this deployment:
    root@rok-tools:~# export AWS_DEFAULT_REGION=<REGION>
Replace <REGION> with the desired region. For example:
    root@rok-tools:~# export AWS_DEFAULT_REGION=us-east-1

Specify your encrypted Docker configuration:
    root@rok-tools:~# export ENCRYPTED_DOCKERCONFIG=<DOCKERCONFIG>
Replace <DOCKERCONFIG> with the encrypted Docker configuration you received from Arrikto via email, including the -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE----- lines. For example:
    root@rok-tools:~# export ENCRYPTED_DOCKERCONFIG="-----BEGIN PGP MESSAGE-----
    > jA0ECQMCZYE2c+tkxZf00ocBYakv/K62OUtCVQz/P8Xq9j6FQK+2y/AsNFQZdnqT
    > bOnutQa3iSeCjH9SPnaHWLAoyyULGxA8DWpnrjK6a0lkHyM8shyJufOL5kCgHHmq
    > ZZ9R5O8+6UgEPfzZZ8r2A8UcOpOY07L+K/K0eI0oRn0ShTPffVvfR+a5U6WqapF/
    > 3eeSgHnfY0w=
    > =6Ssd
    > -----END PGP MESSAGE-----"

Specify the passphrase to decrypt your encrypted Docker configuration:
    root@rok-tools:~# export DOCKERCONFIG_PASSPHRASE=<PASSPHRASE>
Replace <PASSPHRASE> with the passphrase for the encrypted Docker configuration you received from Arrikto. For example:
    root@rok-tools:~# export DOCKERCONFIG_PASSPHRASE=dockerconfigpassphrase

Specify the VPC configuration. Choose one of the following options:
    root@rok-tools:~# export AWS_VPC_CONFIG=public
    root@rok-tools:~# export AWS_VPC_CONFIG=public-private
    root@rok-tools:~# export AWS_VPC_CONFIG=private

Specify the name for your EKS cluster:
    root@rok-tools:~# export EKS_CLUSTER=<EKS_CLUSTER>
Replace <EKS_CLUSTER> with the desired name for your EKS cluster. For example:
    root@rok-tools:~# export EKS_CLUSTER=arrikto-cluster

Specify the trusted CIDRs for your EKS cluster:
    root@rok-tools:~# export EKS_TRUSTED_CIDRS=<CIDRS>
Replace <CIDRS> with your trusted CIDRs. For example, if you want to allow access for everyone, set:
    root@rok-tools:~# export EKS_TRUSTED_CIDRS=0.0.0.0/0

Note
If you wish to specify multiple CIDRs, create a space-separated list. For example:
    root@rok-tools:~# export EKS_TRUSTED_CIDRS="<CIDR1> <CIDR2>"

Specify the name for your node group:
    root@rok-tools:~# export EKS_NODEGROUP=<NODEGROUP>
Replace <NODEGROUP> with the desired name for your node group. For example:
    root@rok-tools:~# export EKS_NODEGROUP=general-workers

Pick a password for the default Dex user:
    root@rok-tools:~# export DEX_DEFAULT_USER_PASSWD=<PASSWORD>
Replace <PASSWORD> with the desired password for the default Dex user. For example:
    root@rok-tools:~# export DEX_DEFAULT_USER_PASSWD=dexpassword

Specify the DNS name suffix (domain) for the hosted zone:
    root@rok-tools:~# export EKS_ALB_ZONE_DOMAIN=<DOMAIN>
Replace <DOMAIN> with your desired domain. For example:
    root@rok-tools:~# export EKS_ALB_ZONE_DOMAIN=apps.example.com

Specify the subdomain for your load balancer:
    root@rok-tools:~# export EKS_ALB_ACM_SUBDOMAIN=<SUBDOMAIN>
Replace <SUBDOMAIN> with your desired subdomain. For example:
    root@rok-tools:~# export EKS_ALB_ACM_SUBDOMAIN=${EKS_CLUSTER?}.${EKS_ALB_ZONE_DOMAIN?} \
    > && echo ${EKS_ALB_ACM_SUBDOMAIN?}
    arrikto-cluster.apps.example.com

Specify the trusted CIDRs for your load balancer:
    root@rok-tools:~# export EKS_ALB_NGINX_TRUSTED_CIDRS=<CIDRS>
Replace <CIDRS> with your trusted CIDRs. For example, if you want to allow access for everyone, set:
    root@rok-tools:~# export EKS_ALB_NGINX_TRUSTED_CIDRS=0.0.0.0/0

Note
If you wish to specify multiple CIDRs, create a space-separated list. For example:
    root@rok-tools:~# export EKS_ALB_NGINX_TRUSTED_CIDRS="<CIDR1> <CIDR2>"
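
An added example, not part of the Arrikto documentation: rok-deploy fails on a missing answer, and the two CIDR variables decide who can reach the cluster and the load balancer, so these POSIX shell functions check the exported variables before anything is rendered or deployed. The variable names come from this guide; the function names are hypothetical.

```sh
# Added example, not Arrikto code: pre-flight checks for this guide's variables.
EKF_REQUIRED_VARS="TOOLS_ENV_TYPE ENCRYPTED_SSH_KEY SSH_KEY_PASSPHRASE
GIT_USER_NAME GIT_USER_EMAIL AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
AWS_DEFAULT_REGION ENCRYPTED_DOCKERCONFIG DOCKERCONFIG_PASSPHRASE
AWS_VPC_CONFIG EKS_CLUSTER EKS_TRUSTED_CIDRS EKS_NODEGROUP
DEX_DEFAULT_USER_PASSWD EKS_ALB_ZONE_DOMAIN EKS_ALB_ACM_SUBDOMAIN
EKS_ALB_NGINX_TRUSTED_CIDRS"

# Print "NAME: reason" for each variable that is unset or empty, or that holds
# a single quote or backslash, which the '...' literals in preseed.py.j2 break on.
ekf_bad_vars() (
    for name in $EKF_REQUIRED_VARS; do
        eval "value=\${$name-}"
        case $value in
            '')        echo "$name: unset or empty" ;;
            *\'*|*\\*) echo "$name: contains a single quote or backslash" ;;
        esac
    done
)

# Classify a space-separated CIDR list as invalid, open or ok (syntax only,
# octet ranges are not checked). "open" means the list includes 0.0.0.0/0.
ekf_cidr_status() (
    set -f                              # no globbing while word-splitting
    [ -n "$1" ] || { echo invalid; exit 0; }
    status=ok
    for cidr in $1; do
        printf '%s\n' "$cidr" | grep -Eq \
            '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' ||
            { echo invalid; exit 0; }
        if [ "$cidr" = 0.0.0.0/0 ]; then status=open; fi
    done
    echo "$status"
)

# Return 0 only when every variable is usable; an open list is reported only.
ekf_preflight() {
    rc=0
    bad=$(ekf_bad_vars)
    [ -z "$bad" ] || { printf '%s\n' "$bad" >&2; rc=1; }
    for name in EKS_TRUSTED_CIDRS EKS_ALB_NGINX_TRUSTED_CIDRS; do
        eval "value=\${$name-}"
        case $(ekf_cidr_status "$value") in
            invalid) echo "$name: not a list of IPv4 CIDRs" >&2; rc=1 ;;
            open)    echo "$name: open to any source address" >&2 ;;
        esac
    done
    return $rc
}
```

Source the file in the session where the variables were exported and run ekf_preflight before j2 or rok-deploy. The quote check is conservative for the two triple-quoted PGP entries.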
Configure rok-deploy to run non-interactively. This means that you will not be prompted for questions. If an answer is missing, rok-deploy will fail the operation and report the missing answer:
    root@rok-tools:~# export ROK_FRONTEND=non-interactive
    root@rok-tools:~# export ROK_QUESTION_THRESHOLD=critical

Choose one of the following options to perform the non-interactive deployment:

- Run rok-deploy and use the default choices:
      root@rok-tools:~# rok-deploy
- Download the preseed.py.j2 Jinja2 template file provided below and use it inside your management environment.

  preseed.py.j2

      SEEDS = {
          'tools/env_type': '{{TOOLS_ENV_TYPE}}',
          'git/encrypted_ssh_key': '''{{ENCRYPTED_SSH_KEY}}''',
          'git/ssh_key_passphrase': '{{SSH_KEY_PASSPHRASE}}',
          'git/user_name': '{{GIT_USER_NAME}}',
          'git/user_email': '{{GIT_USER_EMAIL}}',
          'cli-aws/access_key_id': '{{AWS_ACCESS_KEY_ID}}',
          'cli-aws/secret_access_key': '{{AWS_SECRET_ACCESS_KEY}}',
          'envvars-aws/region': '{{AWS_DEFAULT_REGION}}',
          'arriktoreg/dockerconfig_encrypted': '''{{ENCRYPTED_DOCKERCONFIG}}''',
          'arriktoreg/dockerconfig_passphrase': '{{DOCKERCONFIG_PASSPHRASE}}',
          'aws-vpc/config': '{{AWS_VPC_CONFIG}}',
          'eks-cluster/name': '{{EKS_CLUSTER}}',
          'eks-cluster/trusted_cidrs': '{{EKS_TRUSTED_CIDRS}}',
          'eks-nodegroup/name': '{{EKS_NODEGROUP}}',
          'users/dex_default_user_passwd': '{{DEX_DEFAULT_USER_PASSWD}}',
          'eks-alb-zone/domain': '{{EKS_ALB_ZONE_DOMAIN}}',
          'eks-alb-acm/subdomain': '{{EKS_ALB_ACM_SUBDOMAIN}}',
          'eks-alb-nginx/trusted_cidrs': '{{EKS_ALB_NGINX_TRUSTED_CIDRS}}',
      }

  Render the preseed file:
      root@rok-tools:~# j2 preseed.py.j2 -o preseed.py

  Unset all the environment variables you exported:
      root@rok-tools:~# unset TOOLS_ENV_TYPE ENCRYPTED_SSH_KEY \
      > SSH_KEY_PASSPHRASE GIT_USER_NAME GIT_USER_EMAIL AWS_ACCESS_KEY_ID \
      > AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION ENCRYPTED_DOCKERCONFIG \
      > DOCKERCONFIG_PASSPHRASE AWS_VPC_CONFIG EKS_CLUSTER \
      > EKS_TRUSTED_CIDRS EKS_NODEGROUP DEX_DEFAULT_USER_PASSWD \
      > EKS_ALB_ZONE_DOMAIN EKS_ALB_ACM_SUBDOMAIN \
      > EKS_ALB_NGINX_TRUSTED_CIDRS

  Run rok-deploy using the preseed file you created and use the default choices:
      root@rok-tools:~# rok-deploy --preseed-load preseed.py
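
An added example, not part of the Arrikto documentation: the rendered preseed.py holds the passphrases, the AWS secret access key and the Dex password in cleartext, and it stays on disk after the environment variables are unset. The function below renders it into a private temporary directory, checks its permissions, and removes it when rok-deploy returns. It assumes the rendered file is not needed after rok-deploy exits; the function name and the RENDER and DEPLOY override hooks are hypothetical.

```sh
# Added example, not Arrikto code. RENDER and DEPLOY default to the guide's
# commands (j2, rok-deploy); they are hypothetical hooks for dry runs.
deploy_with_private_preseed() (
    template=${1:-preseed.py.j2}
    umask 077                          # new files 0600, new directories 0700
    workdir=$(mktemp -d) || exit 1
    trap 'rm -rf "$workdir"' EXIT      # remove the file when the subshell exits
    preseed=$workdir/preseed.py

    ${RENDER:-j2} "$template" -o "$preseed" || exit 1

    # Stop if group or others have any permission bit on the rendered file.
    perms=$(ls -l "$preseed" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "preseed.py is not private" >&2; exit 1; }

    # Same unset list as the guide, applied before rok-deploy starts. This
    # only clears the subshell; the calling shell still has to run unset.
    unset TOOLS_ENV_TYPE ENCRYPTED_SSH_KEY SSH_KEY_PASSPHRASE GIT_USER_NAME \
        GIT_USER_EMAIL AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY \
        AWS_DEFAULT_REGION ENCRYPTED_DOCKERCONFIG DOCKERCONFIG_PASSPHRASE \
        AWS_VPC_CONFIG EKS_CLUSTER EKS_TRUSTED_CIDRS EKS_NODEGROUP \
        DEX_DEFAULT_USER_PASSWD EKS_ALB_ZONE_DOMAIN EKS_ALB_ACM_SUBDOMAIN \
        EKS_ALB_NGINX_TRUSTED_CIDRS

    ${DEPLOY:-rok-deploy} --preseed-load "$preseed"
)
```

The function returns the exit status of rok-deploy, so it can replace the render and run steps in an unattended pipeline.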
Verify
- Run the Test Rok guide, to make sure Rok is up and running.
- Run the Test Kubeflow guide, to make sure that you have properly installed Kubeflow.
What’s Next
Check out the rest of our guides regarding automated deployments.