Create AWS EKS cluster from GitLab
Problem to solve
Users cannot currently create a cluster on AWS' EKS from GitLab. Creating a cluster on EKS is difficult for first time users.
It looks like
eksctl create cluster takes care of everything, including adding nodes: https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html (edited)
Identity providers and federation https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html
Provide a tight integration with EKS where users can create clusters from the GitLab GUI (similar to GKE)
- User creates an IAM Policy that grants access to the required resources (read VPC, create cluster, nodes etc). GitLab will provide example JSON for this.
- User creates an IAM Cross Account Role, adding the GitLab AWS account ID as a trusted entity and the policy above for permissions.
- User to enter the Role ARN and External ID generated in the pre-requisites step into the cluster form. These cannot be changed once set (for now).
- GitLab provisions a dedicated service account for this cluster in the GitLab AWS account, and grants permissions to assume the role above.
- GitLab (frontend) uses the service account to assume the role, and fills-in/validates the remaining fields in the cluster form.
- User completes the cluster form and submits it.
- Cluster name
- Kubernetes version (default to latest)
- Role Name (select existing)
- VPC (select existing)
- subnets (auto fill from VPC)
- security group (auto fill from VPC)
GitLab (backend) uses the service account to assume the role, and can provision the cluster. From here it is the same process as a GKE cluster (poll to check progress etc)
Update cluster creation screen to provide two options
- Create on cloud provider
- Add existing cluster
Once users select the new "Create on cloud provider" option, the flow for GKE will be the same as it is now.
Cluster should have public access enabled by default so GitLab can interact with it.
User is able to select between EKS and GKE (alphabetical order):
The user would choose AWS from the first screen and we would keep them on that page but transition the content to be a form field that would allow them to input the necessary account details (instead of navigating away as we do with signing in to google). On that screen we can include a link to the docs that details how to get the necessary information (creating a service account) needed to provide credentials.
previous solution that involves logging in via AWS - this not a possible option.Clicking either would take the user to the screen to authorize application permissions:
This essentially removes the "login with google" button.
From there, the user sees the fields necessary to create the EKS cluster:
Kubernetes cluster name
[ * ]
Choose which of your environments will use this cluster.
[ 1.13 ]
Select the Kubernetes version to install.
[ Select role name ˅ ]
Select the IAM Role to allow Amazon EKS and the Kubernetes control plane to manage AWS resources on your behalf. To use a new role name, first create one on Amazon Web Services
[ Select Region ˅ ]
Learn more about Regions
Key pair name
[ Select region to choose key pair name ˅ ] (DISABLED IF REGION HAS NOT BEEN SELECTED)
[ Select key pair name ˅ ] (ENABLED IF REGION HAS BEEN SELECTED)
Select the key pair name that will be used to create EC2 nodes. To use a new key pair name, first create one on Amazon Web Services
[ Select VPC ˅ ]
Select a VPC to use for your EKS Cluster resources. To use a new VPC, first create one on Amazon Web Services
[ subnet-4397a627 +6 more ˅ ]
Choose the subnets
↗in your VPC where your worker nodes will run.
[ None ˅ ]
Choose the security groups
↗to apply to the EKS-managed Elastic Network Interfaces that are created in your worker node subnets.
[✓] GitLab-managed cluster
Allow GitLab to manage namespace and service accounts for this cluster. More information
- Kubernetes version should be prefilled and have existing options in the dropdown
- Role names and VPCs should be show existing options in the dropdown
- Subnets and Security groups should be prefilled and are also multi-select. The options within the dropdown would look like:
What does success look like, and how can we measure that?
EKS as a platform in usage ping, similar to https://gitlab.com/gitlab-org/gitlab-ee/blob/master/lib/gitlab/usage_data.rb#L67
Links / references
Ruby Gem API method for creating cluster https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/EKS/Client.html#create_cluster-instance_method