AWS
Provisioning Control Plane Infrastructure on AWS
There are steps in this guide where Truefoundry team will have to be involved. Please reach out to support@truefoundry.com to get the credentials
Setting up Truefoundry control plane on your own cloud involves creating the infrastructure to support the platform and then installing the platform itself.
Setting up Infrastructure
Requirements
These are the infrastructure components required to set up a production grade Truefoundry control plane.
If you have the below requirements already set up then skip directly to the Installation section
Requirements | Description | Reason for Requirement |
---|---|---|
Kubernetes Cluster | Any Kubernetes cluster will work here - we can also choose the compute-plane cluster itself to install Truefoundry helm chart | The Truefoundry helm chart will be installed here. |
Postgres RDS | Postgres >= 13 | The database is used by Truefoundry control plane to store all its metadata. |
S3 bucket | Any S3 bucket reachable from control-plane. | This is used by control-plane to store the intermediate code while building the docker image. |
Egress Access for TruefoundryAuth | Egress access to https://auth.truefoundry.com | This is needed to verify the users logging into the Truefoundry platform for licensing purposes |
Egress access For Docker Registry | 1. public.ecr.aws 2. quay.io 3. ghcr.io 4. docker.io/truefoundrycloud 5. docker.io/natsio 6. nvcr.io 7. registry.k8s.io | This is to download docker images for Truefoundry, ArgoCD, NATS, ArgoRollouts, ArgoWorkflows, Istio. |
DNS with TLS/SSL | One endpoint to point to the control plane service (something like platform.example.com where example.com is your domain. There should also be a certificate with the domain so that the domains can be accessed over TLS.The control-plane url should be reachable from the compute-plane so that compute-plane cluster can connect to the control-plane | The developers will need to access the Truefoundry UI at domain that is provided here. |
User/ServiceAccount to provision the infrastructure | This is the set of permissions needed to provision the infrastructure for Truefoundry control-plane. Its detailed here |
Permissions Required
We will be using OCLI (Onboarding CLI) to create the infrastructure. We will be using a locally setup AWS profile. Please make sure the user has the following permissions
Run Infra Provisioning using OCLI
Prerequisites
- Install git if not already present.
- Install aws cli == 2.x.x and create an AWS profile locally with the specified access to the AWS account where you want to create the new cluster.
Installing OCLI
-
Download the binary using the below command.
-
Make the binary executable and move it to
$PATH
-
Confirm by running the command
Configuring Input Config file
-
To create a new cluster, you would require your AWS
Account ID
,Region
, and anAWS Profile
-
Run the following command to fill in the inputs interactively
-
For networking, there are two possible configurations:
- New VPC (Recommended) - This creates a new VPC for your new cluster.
- Existing VPC - You can enter your existing VPC and subnet IDs.
-
Once all the inputs are filled, a config file with the name
tfy-config.yaml
would be generated in your current directory -
Modify the file to enable control plane installation by setting
aws.tfy_control_plane.enabled: true
. Below is the sample for the same:
Create the cluster
Run the following command to create the EKS cluster and IAM roles needed to provide access to various infrastructure components as per the inputs configured above.
This command may take around 30-45 minutes to complete.
In the last step the database credentials will be printed. Make sure to note them down.
Installating TrueFoundry
Pre-requisites
-
Installing helm
-
Add the following chart repository
-
Updating helm repo to download the latest local repository index
Installing TrueFoundry helm chart
-
Install
argocd
helm chart -
Create values.yaml for the truefoundry helm chart. You can refer to the values for more details.
<terragruntOutput>
from the below yaml file can be replaced with the terragrunt output of theocli infra-create
command. If you are not usingocli
to create infrastructure you can chose the components to deploy and accordingly install the right components -
Fill the following values
tenantName
- name of the tenant. If you haven’t created one, please do it herecontrolPlaneURL
- URL at which to host the platform (for e.g. https://truefoundry.example.com)clusterName
- name of the cluster in AWS console
-
For the remaining values
truefoundry.tfyApiKey
- api key to given by TrueFoundry teamtruefoundry.truefoundryImagePullConfigJSON
- Image pull config JSON to be given by TrueFoundry teamtruefoundry.truefoundryFrontendApp.istio.hosts[0]
- control plane URL without protocol
-
Run the following command to install the chart
-
Once the helm chart is installed, point the control plane URL to the load balancer’s IP address. To get the IP address of the load balancer
-
We will also need the TLS certificates to be passed to the load balancer (in our case istio) to terminate the TLS traffic.
Add the compute plane
- Add the same cluster as the compute-plane from the UI and get the cluster token
-
Add the token in the values.yaml
-
The control plane URL should be reachable to from inside of the k8s cluster as the tfy-agent will use the control plane URL to initiate the connection to the control plane. Run the helm command to install the agent
Adding domain to Load balancer
-
We need to add one more domain to the load balancer so that a separate domain can be used to host the workloads only. This domain can be a wildcard (recommended) as well.
-
To add the domain
- Point the domain to the load balancer IP address
- Pass the TLS certificate to istio so that it can terminate the TLS traffic.
- Add the domain in the platform.