
Multi-Cluster Support for EKS and RKE2 Clusters (Rancher) #8035

Open
githubeto opened this issue Sep 5, 2024 · 0 comments
Labels
kind/question An issue that reports a question about the project

Comments

githubeto commented Sep 5, 2024

I have read the multi-cluster documentation, but I need support on how to specifically configure it.
Please help...

In my use case, I have a management cluster as an EKS cluster, and I have installed Kubeapps on that cluster. Additionally, I have multiple EKS clusters (with AWS accounts different from the management cluster's account) and on-premises RKE2 clusters, which I operate as multi-clusters under Rancher's downstream clusters.

  • aws-mgr : management-cluster (EKS)
  • aws-dev : develop (EKS)
  • aws-prod : production (EKS)
  • onpremiss-dev : develop (RKE2, on-premises)
  • onpremiss-prod : production (RKE2, on-premises)

From reading the documentation, I understand that I need to maintain the authProxy and clusters sections of the HelmChart. For the clusters section, I was able to obtain information about clusters other than the management cluster using AWS CLI commands as shown below.

AWS CLI:

```shell
aws eks describe-cluster --name aws-dev --region <region>
```

Helm Chart values.yaml:

```yaml
clusters:
- name: aws-mgr
  domain: cluster.local
- name: aws-dev
  apiServiceURL: https://XXXXXXXXXXXXXXXXXXXXXXXXX.gr7.ap-northeast-1.eks.amazonaws.com:6443
  certificateAuthorityData: LS0tXXXXXXXXXX...
```

However, it seems that without the authProxy section, I cannot perform a Helm upgrade. I believe that the settings around "Configuring your Kubernetes API servers for OIDC" mentioned in the documentation are necessary here.

Unfortunately, my knowledge around OIDC is limited, and I couldn't understand it even after reading the documentation. What steps should I follow to configure the EKS and RKE2 clusters and fill in the authProxy section?

Also, is it possible to use IAM IdP for this purpose?
Additionally, whether it is an on-premises cluster or an EKS cluster, we have registered the URL of the IAM IdP for each cluster. (For on-premises, we have prepared the IdP in S3.) Can we now configure the AuthProxy section for multi-cluster?


```yaml
authProxy:
  enabled: true
  provider: oidc
  clientID: <???>
  clientSecret: <???>
  cookieSecret: <???>
  additionalFlags:
    - --oidc-issuer-url=https://oidc.eks.ap-northeast-1.amazonaws.com/id/<???>
    - --scope=<???>
    - --provider-ca-file=<???>
    - --ssl-insecure-skip-verify=<???>
    - --cookie-secure=<???>
```
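As an added example, not code from the issue or from the Kubeapps chart: a small Python linter for the two values.yaml sections discussed above. It assumes the file has already been loaded into a dict (for instance with `yaml.safe_load`); the placeholder pattern, the finding texts and the sample dict are my own constructions, mirroring the fragments in the issue with its placeholders and two deliberately weak flag values left in.

```python
import base64
import re

# Matches values still left as placeholders, e.g. "<???>", "XXXXXXXX" or "LS0tXXXX..." (constructed pattern).
PLACEHOLDER = re.compile(r"^(<.*>|X{3,}.*|.*\.\.\.)$")

def check_clusters(clusters):
    """Every remote cluster needs an https API URL and a base64 PEM CA so the API server's TLS cert can be verified."""
    findings = []
    for c in clusters:
        name = c.get("name", "<unnamed>")
        if "apiServiceURL" not in c:
            continue  # the cluster Kubeapps itself runs in uses its in-cluster config
        if not c["apiServiceURL"].startswith("https://"):
            findings.append(f"{name}: apiServiceURL must use https")
        try:
            if b"BEGIN CERTIFICATE" not in base64.b64decode(c.get("certificateAuthorityData", ""), validate=True):
                raise ValueError("not a PEM certificate")
        except ValueError:  # binascii.Error (malformed base64) is a ValueError subclass
            findings.append(f"{name}: certificateAuthorityData is not a base64-encoded PEM CA")
    return findings

def check_auth_proxy(auth_proxy):
    """Secrets must be real values; the oauth2-proxy flags must not weaken TLS or cookie protection."""
    findings = []
    if not auth_proxy.get("enabled"):
        return findings
    for key in ("clientID", "clientSecret", "cookieSecret"):
        if not auth_proxy.get(key) or PLACEHOLDER.match(str(auth_proxy[key])):
            findings.append(f"authProxy.{key} is unset or still a placeholder")
    flags = dict(f.lstrip("-").split("=", 1) for f in auth_proxy.get("additionalFlags", []) if "=" in f)
    if flags.get("ssl-insecure-skip-verify") == "true":
        findings.append("--ssl-insecure-skip-verify=true disables TLS verification of the OIDC issuer")
    if flags.get("cookie-secure") == "false":
        findings.append("--cookie-secure=false allows the session cookie over plain HTTP")
    issuer = flags.get("oidc-issuer-url", "")
    if not issuer.startswith("https://") or PLACEHOLDER.match(issuer.rsplit("/", 1)[-1]):
        findings.append("--oidc-issuer-url must be the IdP's real https issuer URL, not a placeholder")
    return findings

def lint(values):
    return check_clusters(values.get("clusters", [])) + check_auth_proxy(values.get("authProxy", {}))

# Constructed sample mirroring the issue's fragments; placeholders and weak flag values left in on purpose.
SAMPLE_VALUES = {
    "clusters": [{"name": "aws-mgr", "domain": "cluster.local"},
                 {"name": "aws-dev", "apiServiceURL": "https://XXXX.gr7.ap-northeast-1.eks.amazonaws.com:6443",
                  "certificateAuthorityData": "LS0tXXXXXXXXXX..."}],
    "authProxy": {"enabled": True, "provider": "oidc", "clientID": "<???>", "clientSecret": "<???>", "cookieSecret": "<???>",
                  "additionalFlags": ["--oidc-issuer-url=https://oidc.eks.ap-northeast-1.amazonaws.com/id/<???>",
                                      "--scope=<???>", "--ssl-insecure-skip-verify=true", "--cookie-secure=false"]}}
```

Running `lint(SAMPLE_VALUES)` reports one finding for the cluster CA and six for the authProxy section; a filled-in configuration with a real PEM CA, real secrets and `--cookie-secure=true` yields none.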