Create AWS EKS cluster from GitLab
Problem to solve
Users cannot currently create a cluster on AWS' EKS from GitLab. Creating a cluster on EKS is difficult for first time users.
Further details
https://docs.aws.amazon.com/cli/latest/reference/eks/create-cluster.html
It looks like eksctl create cluster
takes care of everything, including adding nodes: https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html (edited)
Identity providers and federation https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html
Proposal
Provide a tight integration with EKS where users can create clusters from the GitLab GUI (similar to GKE)
Pre-requisites:
- User creates an IAM Policy that grants access to the required resources (read VPC, create cluster, nodes etc). GitLab will provide example JSON for this.
- User creates an IAM Cross Account Role, adding the GitLab AWS account ID as a trusted entity and the policy above for permissions.
User Flow
- User to enter the Role ARN and External ID generated in the pre-requisites step into the cluster form. These cannot be changed once set (for now).
- GitLab provisions a dedicated service account for this cluster in the GitLab AWS account, and grants permissions to assume the role above.
- GitLab (frontend) uses the service account to assume the role, and fills-in/validates the remaining fields in the cluster form.
- User completes the cluster form and submits it.
- Cluster name
- Kubernetes version (default to latest)
- Region
- Role Name (select existing)
- VPC (select existing)
- subnets (auto fill from VPC)
- security group (auto fill from VPC)
-
GitLab (backend) uses the service account to assume the role, and can provision the cluster. From here it is the same process as a GKE cluster (poll to check progress etc)
-
Update cluster creation screen to provide two options
- Create on cloud provider
- Add existing cluster
-
Once users select the new "Create on cloud provider" option, the flow for GKE will be the same as it is now.
-
Cluster should have public access enabled by default so GitLab can interact with it.
User is able to select between EKS and GKE (alphabetical order):
SVGs:
The user would choose AWS from the first screen and we would keep them on that page but transition the content to be a form field that would allow them to input the necessary account details (instead of navigating away as we do with signing in to google). On that screen we can include a link to the docs that details how to get the necessary information (creating a service account) needed to provide credentials.
previous solution that involves logging in via AWS - this not a possible option.
Clicking either would take the user to the screen to authorize application permissions:Amazon | |
---|---|
This essentially removes the "login with google" button.
From there, the user sees the fields necessary to create the EKS cluster:
Kubernetes cluster name
[ ]
Environment scope
[ * ]
Choose which of your environments will use this cluster.
Kubernetes version
[ 1.13 ]
Select the Kubernetes version to install.
Role name
[ Select role name ˅ ]
Select the IAM Role to allow Amazon EKS and the Kubernetes control plane to manage AWS resources on your behalf. To use a new role name, first create one on Amazon Web Services
↗
Region
[ Select Region ˅ ]
Learn more about Regions
↗ .
Key pair name
[ Select region to choose key pair name ˅ ] (DISABLED IF REGION HAS NOT BEEN SELECTED)
[ Select key pair name ˅ ] (ENABLED IF REGION HAS BEEN SELECTED)
Select the key pair name that will be used to create EC2 nodes. To use a new key pair name, first create one on Amazon Web Services
↗
VPC
[ Select VPC ˅ ]
Select a VPC to use for your EKS Cluster resources. To use a new VPC, first create one on Amazon Web Services
↗
Subnets
[ subnet-4397a627 +6 more ˅ ]
Choose the subnets
↗ in your VPC where your worker nodes will run.
Security groups
[ None ˅ ]
Choose the security groups
↗ to apply to the EKS-managed Elastic Network Interfaces that are created in your worker node subnets.
[✓] GitLab-managed cluster
Allow GitLab to manage namespace and service accounts for this cluster. More information
- Kubernetes version should be prefilled and have existing options in the dropdown
- Role names and VPCs should be show existing options in the dropdown
- Subnets and Security groups should be prefilled and are also multi-select. The options within the dropdown would look like:
Solution
Assets
What does success look like, and how can we measure that?
Add EKS
as a platform in usage ping, similar to https://gitlab.com/gitlab-org/gitlab-ee/blob/master/lib/gitlab/usage_data.rb#L67
Links / references
Ruby Gem API method for creating cluster https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/EKS/Client.html#create_cluster-instance_method
https://aws.amazon.com/blogs/startups/from-zero-to-eks-with-terraform-and-helm/