In this section, you will perform a few one-time tasks required to connect a Rafay account to an AWS account, along with additional setup of tools that will be used throughout the workshop. You will also learn some key concepts used during the configuration of a Rafay account.


Multi-tenancy

Every enterprise has multiple teams, business units and sometimes even multiple production environments. Namespace-based multi-tenancy at the level of a single Kubernetes cluster does not work for multi-cluster and complex organizations.

Organizations

Enterprises can optionally use completely separate Orgs (aka tenants), ensuring complete isolation. Authorized users can seamlessly switch between different Organizations with the click of a button. An Org can host multiple projects. In this workshop, all pre-configured Rafay accounts belong to the AWS Organization created for training purposes only.

Projects

Projects are a way to implement multi-tenancy within an Organization and implement true isolation boundaries across “different operating environments”, “different business units” etc. A project can host multiple Kubernetes clusters.

Creation and deletion of Projects are privileged operations. They are typically performed by an Org Admin using the Web Console because RBAC assignments also need to be implemented along with them.

Prior to proceeding with the setup, please navigate to the Rafay Home dashboard and identify the project number you have been assigned to (it is the number in the aws-workshop-xx project name). Please use this number in place of the xx value in the naming convention in the steps below.


Step 1: Create Cloud Credentials

Cloud credentials provide privileges to programmatically interact with your Amazon AWS account so that the lifecycle of infrastructure associated with the Amazon EKS cluster can be managed by Rafay’s Kubernetes Operations Platform.

  • Log in to the Rafay Console with the credentials provided and click on Infrastructure

  • Select Cloud Credentials, click on New Credential and provide a unique name aws-cloudcredential-xx, where xx is the Rafay project number assigned to you in the AWS Organization

  • Click on the dropdown for Credential Type and select Role

  • Click the Copy button for the External ID. You will need it in the next step as the input for the CloudFormation template

  • Click on the following CloudFormation template link. It opens the AWS Management Console in a new browser tab, using the credentials you logged in with earlier from the Event Engine tool. You should see the Create Stack page. This template creates a cross-account access role for Rafay to perform the necessary operations with IAM, CloudFormation, EKS, EC2 and Auto Scaling groups in your AWS account. Click Next to continue

  • On the Specify Stack Details page, navigate to the External ID field and insert the External ID value copied from the Rafay Add Credential screen, then click Next

  • Scroll down on the Configure Stack Options page and click Next

  • On the Review Rafay-Cloud-Credential page, scroll to the bottom, check the box acknowledging that the CloudFormation template might create an IAM resource, and then click Create Stack

  • Wait for a few seconds and refresh the Events tab. Navigate to the Outputs tab at the top of the page and copy the RoleARN value

  • Return to the Rafay Console, paste the RoleARN value into the Role ARN section in the Add Credential window and hit Save


Step 2: Download and configure Rafay command line interface utility (RCTL)

The RCTL CLI allows you to programmatically interact with the controller, enabling users to construct sophisticated automation workflows.

Run the following commands in the Cloud9 instance to download and extract RCTL:

curl -s -o rctl-linux-amd64.tar.bz2 https://s3-us-west-2.amazonaws.com/rafay-prod-cli/publish/rctl-linux-amd64.tar.bz2
tar -xf rctl-linux-amd64.tar.bz2
chmod 0755 rctl

Set Path for RCTL

After downloading the RCTL CLI, run the command below to add it to your OS’s PATH environment variable.

export PATH=$PATH:/home/ec2-user/environment

Initialize RCTL

The RCTL utility needs to be initialized with credentials and other information before it can interact with the Controller.

RCTL supports both a “config file” and a “dynamic config” model. The latter is well suited for automation pipelines where the configuration is provided dynamically and there is no need to permanently bind RCTL to an Org or Project. For today’s workshop, we will use a “config file”.

Initialize RCTL Config File

  • Navigate to the My Tools page in the Rafay Web Console

  • Click on Download CLI Config to download the configuration file

  • Save the configuration file on your local system

  • In the Cloud9 interface, go to File -> Upload Local Files…

  • Drag and drop or select the CLI config file that was previously downloaded

  • In the Cloud9 terminal, run the following command to initialize RCTL

    rctl config init "<CONFIG FILE NAME>"

RCTL can be initialized with only one configuration at a time. To learn more about how to configure the Rafay CLI, please check the documentation.

If you receive the error The requested URL /auth/v1/projects// was not found on this server, please make sure you executed the command from the previous step, export PATH=$PATH:/home/ec2-user/environment

If you receive the error Error: accepts 1 arg(s), received 2, please make sure you added double quotes around the config file name, since the AWS Workshop organization has a space in its name, for example rctl config init "AWS Workshop-user@amazon.com.json"

View RCTL Config

You can view the current configuration for RCTL by using the rctl config show command.

Profile:                                                                    prod
REST Endpoint:                                                 console.rafay.dev
OPS Endpoint:                                                      ops.rafay.dev
API Key:                                                            <Masked>
API Secret:                                                         <Masked>
Project:                                                          defaultproject

Set Project

By default, the RCTL config points to the defaultproject, as you saw in the previous step while viewing the config.

For the purpose of this workshop, each person will have their own project, which will be provided along with the credentials. This step ensures that you set the project context before you perform operations in this project. For example, to set the project context to the Rafay project provided in the workshop, run the command below with the name of the project provided:

rctl config set project <NAME OF ASSIGNED PROJECT>

Once the project context has been successfully set, verify this in your local config file by running rctl config show again.

The name of the project is case-sensitive.


Step 3: Clone Git Repo

A GitHub account is required for this step. If you don’t have a GitHub account, you can sign up here.

Declarative specs for the Amazon EKS cluster and other resources are available in a Git repository.

  • Clone the Git repository to the Cloud9 environment using the command below:

    git clone https://github.com/RafaySystems/aws-workshops.git

  • Once complete, you should see a folder called kop_workshop which contains the specs needed for this guide.


Recap

At this point, you have everything set up and configured for the workshop.