Skip to main content
Skip table of contents

AWS Air-gapped Bootstrap

Bootstrap a kind cluster and CAPI controllers

Konvoy deploys all cluster lifecycle services to a bootstrap cluster, which deploys a workload cluster. When the workload cluster is ready, move the cluster lifecycle services to the workload cluster, after which the workload cluster manages its own lifecycle.

  1. Assuming you have downloaded dkp-air-gapped-bundle_v2.7.2_linux_amd64.tar.gz , extract the tarball to a local directory:

    CODE
    tar -xzvf dkp-air-gapped-bundle_v2.7.2_linux_amd64.tar.gz && cd dkp-v2.7.2
  2. Set an environment variable with your registry address with this command:

    CODE
    export REGISTRY_URL="<https/http>://<registry-address>:<registry-port>"
    export REGISTRY_URL=<ecr-registry-URI>
    export REGISTRY_USERNAME=<username>
    export REGISTRY_PASSWORD=<password>
    export REGISTRY_CA=<path to the cacert file on the bastion>

    REGISTRY_URL: the address of an existing local registry accessible in the VPC that the new cluster nodes will be configured to use a mirror registry when pulling images.

For ECR, the environment where you are running the dkp push command must be authenticated with AWS in order to load your images into ECR.

  1. Seed the registry by running the following command to load the air-gapped image bundle into your private registry:

    CODE
    dkp push bundle --bundle ./container-images/konvoy-image-bundle-v2.7.2.tar --to-registry=${REGISTRY_URL} --to-registry-username=${REGISTRY_USERNAME} --to-registry-password=${REGISTRY_PASSWORD}
  2. Load the bootstrap container image on your bastion machine using Docker or Podman command:

    CODE
    docker load -i konvoy-bootstrap-image-v2.7.2.tar
    CODE
    podman load -i konvoy-bootstrap-image-v2.7.2.tar
  3. Create a bootstrap cluster:

    CODE
    dkp create bootstrap --kubeconfig $HOME/.kube/config

    Configuring an HTTP/HTTPS Proxy use --http-proxy, --https-proxy, and --no-proxy and their related values in this command for it to be successful.

HTTP Proxy flags if needed:

To create a bootstrap cluster in a proxied environment use this command syntax, in addition to any other flags you may need:

CODE
  --http-proxy <string> \
  --https-proxy <string> \
  --no-proxy <string>
Using a Custom AWS CA

You need to add the custom CAs into two places:

  • The capa-controller-manager pod, because CAPA controllers interact with AWS API when creating and deleting infrastructure.

  • The trusted root CAs in the AWS AMI used as Kubernetes nodes. The first step of the node bootstrap process is to fetch the sensitive information from the AWS Secrets Manager service, so the aws client on the instances needs to trust this custom CA. This process is unique to your environment but a general flow can be similar to what is documented in adding trusted root certificates to the server.

  1. Place the AWS CA file as ca.pem in your working directory

  2. Create a ConfigMap with the contents of the file:

    CODE
    kubectl create configmap -n capa-system aws-ca --from-file=ca.pem
  3. Update the capa-controller-manager to set an environment variable AWS_CA_BUNDLE in capa-controller-manager:

    CODE
    kubectl patch deployment -n capa-system capa-controller-manager --patch '{"spec":{"template":{"spec":{"$setElementOrder/containers":[{"name":"manager"},{"name":"kube-rbac-proxy"}],"$setElementOrder/volumes":[{"name":"cert"},{"name":"credentials"},{"name":"aws-ca"}],"containers":[{"$setElementOrder/env":[{"name":"AWS_SHARED_CREDENTIALS_FILE"},{"name":"AWS_CA_BUNDLE"}],"$setElementOrder/volumeMounts":[{"mountPath":"/tmp/k8s-webhook-server/serving-certs"},{"mountPath":"/home/.aws"},{"mountPath":"/home/.konvoy/aws-ca.pem"}],"env":[{"name":"AWS_CA_BUNDLE","value":"/home/.konvoy/aws-ca.pem"}],"name":"manager","volumeMounts":[{"mountPath":"/home/.konvoy/aws-ca.pem","name":"aws-ca","subPath":"ca.pem"}]}],"volumes":[{"configMap":{"name":"aws-ca"},"name":"aws-ca"}]}}}}'
  1. (Optional) Refresh the credentials used by the AWS provider at any time, using the command:

CODE
dkp update bootstrap credentials aws

Konvoy creates a bootstrap cluster using KIND as a library. Konvoy then deploys the following Cluster API providers on the cluster:

Next Step

AWS Create a New Air-gapped Cluster

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.