Skip to content

Rafay Docs

Home
Home
- Overview
- Key Concepts
- Architecture
- Common Use Cases
- CLI
  CLI
  - Overview
  - AddOns
  - Agents
  - Backup and Restore
  - Blueprints
  - Catalog
  - Clusters
  - Config
  - Credentials
  - Namespaces
  - Overrides
  - Pipelines
  - Policy
  - Projects
  - Repository
  - RBAC
  - Secret Stores
  - Trigger
  - Workloads
- APIs
- Self Hosted Controller
  Self Hosted Controller
  - Overview
  - Configurations
  - Environments
    Environments
    
    Bare Metal/VM
    Bare Metal/VM
    
    Requirements
    
    Installation
    
    AWS EC2
    AWS EC2
    
    Requirements
    
    Installation
    
    Azure AKS
    Azure AKS
    
    Requirements
    
    Installation
    
    Backup and Restore
    
    Google GKE
    Google GKE
    
    Requirements
    
    Installation
  - Upgrades
    Upgrades
    
    1.4.x to 1.5.x
    
    1.5.x to 1.6.x
- Release Notes
  Release Notes
  - 2022
  - 2021
  - 2020
  - 2019
- Bug Fixes
- Partners
  Partners
- Videos
- Contact
Get Started
Get Started
- Overview
- Kubernetes
  Kubernetes
  - Overview
  - Install MicroK8s
  - Kubernetes 101
    Kubernetes 101
    
    Part 1: Using Namespaces
    
    Part 2: Using Pods
    
    Part 3: Using Deployments
    
    Part 4: Using Services
    
    Part 5: Using Ingress
  - Kubernetes 201
    Kubernetes 201
    
    Part 1: Using ConfigMaps
    
    Part 2: Using Secrets
    
    Part 3: Using PV
    
    Part 4: Using PVC
  - Kubernetes 301
    Kubernetes 301
    
    Deployments, StatefulSets, DaemonSets
    
    Part 1: Using StatefulSets
    
    Part 2: Using DaemonSets
- Basics
  Basics
- Amazon EKS
  Amazon EKS
  - EKS Backup/Restore
    EKS Backup/Restore
    
    Overview
    
    Part 1: Setup Environment
    
    Part 2: Create Resources
    
    Part 3: Backup/Restore
  - Cluster Lifecycle
    Cluster Lifecycle
    
    Overview
    
    Part 1: Provision
    
    Part 2: Scale
    
    Part 3: Upgrade
    
    Part 4: Deprovision
  - CloudWatch
    CloudWatch
    
    Overview
    
    Part 1: Setup
    
    Part 2: Provision
    
    Part 3: Blueprint
    
    Part 4: Deprovision
  - Cluster Autoscaler
    Cluster Autoscaler
    
    Overview
    
    Part 1: Setup
    
    Part 2: Blueprint
    
    Part 3: Provision
    
    Part 4: Workload
    
    Part 5: Deprovision
  - EKS System Sync
    EKS System Sync
    
    Overview
    
    Part 1: Setup
    
    Part 2: Sync from Git
    
    Part 3: Sync from System
  - GPU
    GPU
    
    Overview
    
    Part 1: Setup
    
    Part 2: Blueprint
    
    Part 3: Provision
    
    Part 4: Workload
    
    Part 5: Scaling
    
    Part 6: Deprovision
  - Karpenter
    Karpenter
    
    Overview
    
    Part 1: Setup
    
    Part 2: Provision
    
    Part 3: Blueprint
    
    Part 4: Workload
    
    Part 5: Deprovision
- Amazon EKS Anywhere
  Amazon EKS Anywhere
  - Overview
  - Quick Start
- Azure AKS
  Azure AKS
  - Overview
- GitOps
  GitOps
  - Deployment Strategies
    Deployment Strategies
    
    Overview
    
    Setup
    
    Recreate
    
    Rolling Update
    
    Blue-Green
    
    Canary
  - System Sync
    System Sync
    
    Overview
    
    Part 1: Setup
    
    Part 2: Sync Blueprint
    
    Part 3: Sync Workload
  - EKS System Sync
    EKS System Sync
    
    Overview
    
    Part 1: Setup
    
    Part 2: Sync from Git
    
    Part 3: Sync from System
- Policy Management
  Policy Management
  - OPA Gatekeeper
    OPA Gatekeeper
    
    Overview
    
    Part 1: Setup
    
    Part 2: Policy
    
    Part 3: Blueprint
    
    Part 4: Workload
  - Turnkey OPA Policies
    Turnkey OPA Policies
    
    Overview
    
    Part 1: Setup
    
    Part 2: Apply
    
    Part 3: Test
- Zero Trust Kubectl
  Zero Trust Kubectl
- CNCF Recipes
Clusters
Clusters
- Overview
- Metadata
  Metadata
- Amazon EKS
  Amazon EKS
  - Overview
  - Templates
    Templates
    
    Create Cluster Template
    
    Create Cluster from Template
    
    CLI for Cluster Template
  - Credentials
  - IAM Policy
    IAM Policy
    
    Overview
    
    Full
    
    No VPC
    
    No VPC,IAM
    
    No VPC,IAM, Restrictions
  - Cluster Config
  - CLI
    CLI
    
    Overview
    
    GitOps
    GitOps
    
    Overview
    
    Examples
  - Config Schema
  - Provision
  - IAM Service Accounts
    IAM Service Accounts
    
    Overview
    
    CLI for IRSA
  - CNI Providers
  - Control Plane
  - VPC Networking
    VPC Networking
    
    Overview
    
    Secondary CIDR with VPC
  - Nodegroups
    Nodegroups
    
    Overview
    
    Custom AMI
  - Wavelength Zone
  - AWS Tags
  - Spot Instances
  - Node Labels
  - Visibility and Monitoring
  - RBAC based KubeCTL
  - Deprovision
  - k8s Upgrades
  - AMI Upgrades
  - Audit
  - API
  - Best Practices
  - FAQ
  - Troubleshooting
- Amazon EKS Anywhere
  Amazon EKS Anywhere
  - Overview
  - Quick Start
- Amazon EKS Distro
  Amazon EKS Distro
  - Overview
  - Quick Start
- Azure AKS
  Azure AKS
  - Overview
  - Azure Setup
  - Credentials
  - Provision
  - Node Labels
  - Spot Price
  - Visibility and Monitoring
  - Deprovision
  - K8s Upgrades
  - Audit
  - CLI
    CLI
    
    Overview
    
    GitOps
    GitOps
    
    Overview
    
    Examples
  - Config Schema
- Google GKE
  Google GKE
  - Overview
  - Lifecycle
- Imported
  Imported
- Red Hat Openshift
  Red Hat Openshift
  - Overview
  - Import
  - Blueprints
  - Dashboards
- Upstream Kubernetes
  Upstream Kubernetes
  - Approaches
  - Bare Metal and VMs
    Bare Metal and VMs
    
    Overview
    
    Supported Environments
    
    Configuration
    
    Preflight Checks
    
    Provisioning
  - CLI
  - QCOW Virtual Appliance
    QCOW Virtual Appliance
    
    Overview
    
    Provision
    
    Deprovision
    
    Lifecycle
    
    FAQ
  - OVA Virtual Appliance
    OVA Virtual Appliance
    
    Overview
    
    Provision
    
    Deprovision
    
    Lifecycle
    
    FAQ
  - AWS
    AWS
    
    Credentials
    
    IAM Policy
    
    Steps
  - Equinix Metal
    Equinix Metal
    
    Overview
    
    Provision Servers
    
    Provision Kubernetes
  - GCP
    GCP
    
    Credentials
    
    Steps
  - Developers
    Developers
    
    Overview
    
    Windows
    Windows
    
    Provision
    
    Deprovision
    
    FAQ
    
    macOS
    macOS
    
    Provision
    
    Deprovision
    
    FAQ
  - Master Nodes
  - Worker Nodes
  - Upgrades
  - Storage
  - Troubleshooting
  - Retry and Backoff
  - Reset Node
- Troubleshooting
Dashboards
Dashboards
- Overview
- Organization
- Projects
  Projects
- Cluster
- My Clusters
- Nodes
- Kubernetes Resources
  Kubernetes Resources
  - View/Edit/Delete
  - Create
- Kubernetes Events
- Pod Dashboard
- Container Dashboard
- Configuration
- GPU Dashboard
Catalog
Catalog
Blueprints
Blueprints
- Overview
- Namespaces
  Namespaces
  - Overview
- Add-Ons
- Managed Add-Ons
- Base Blueprints
  Base Blueprints
- Pod Security Policy (PSP)
- Custom Blueprint
- Cluster Fleet Management
- Exceptions
- Disable Default
- Sharing
- Cluster Overrides
- Update Blueprint
- CLI
- API
ZTKA
ZTKA
- Background
- Overview
- KubeCTL
  KubeCTL
  - Browser
  - KubeCTL CLI
- Configuration
- RBAC
- Audit Trail
- Private Kube API Proxy
- FAQ
Policy Mgmt
Policy Mgmt
Workloads
Workloads
- Namespaces
  Namespaces
  - Overview
- Workload Types
  Workload Types
  - Overview
  - Helm Charts
  - k8s YAML
  - Wizard
    Wizard
    
    Overview
    
    Ingress
    
    Containers
    
    Container Registry
    
    Upgrade Strategy
    
    Storage
    
    Policy
    
    Publish
  - VM Wizard
- Zero Trust Debug
  Zero Trust Debug
  - Overview
  - Developer Tools
- Cluster Overrides
- CLI
GitOps
GitOps
- Overview
- Benefits
- Pipelines
- Stages
  Stages
- Triggers
  Triggers
  - Overview
  - Troubleshooting
- Agents
Backup
Backup
- Overview
- Backup Location
  Backup Location
- Credentials
  Credentials
  - Overview
  - AWS
  - Azure
  - S3 Compatible
- Data Agent
- Backup Policy
- Backup Job
- Restore Policy
- Restore Job
- Considerations
Security
Security
- Overview
- Organizations
- Projects
- Users
- MFA
- Groups
- CLI
- Roles
- Cluster Sharing
- Audit Logs
- Compliance
- Vulnerabilities
- CIS Benchmark
- Contact
Integrations
Integrations
- Overview
- Backup And Restore
  Backup And Restore
- Networking
  Networking
  - Overview
- Storage
  Storage
  - Overview
- CI
  CI
  - Overview
  - Common Patterns
  - Jenkins
    Jenkins
    
    Overview
    
    Workload Basics
    
    Workload Wizard
    
    Helm Workloads
    
    YAML Workloads
    
    Provision Upstream k8s
    
    Provision Amazon EKS
  - CircleCI
  - GitLab
  - Azure DevOps
- GSLB
  GSLB
  - DNS based GSLB
- Terraform
  Terraform
  - Overview
- Ingress
  Ingress
  - Background
  - Managed Ingress
- Log Aggregation
  Log Aggregation
- Monitoring
  Monitoring
- Registry
  Registry
  - Overview
- Repositories
  Repositories
- Vault
  Vault
  - Overview
  - Configure Vault
  - Use Vault-Helm/YAML
    Use Vault-Helm/YAML
    
    ENV Variables
    
    Files
    
    Use Vault-Wizard
- CSI driver (Beta)
  CSI driver (Beta)
  - Secret Provider Classes
  - IRSA for AWS Secret Manager
  - Configure AWS Secret Manager Configure AWS Secret Manager
    Table of contents
    
    Step 1: Create Secret Store
    
    Step 2: Edit Secret Store
  - CLI
- Sealers
  Sealers
  - Secret Sealer
  - Use Secret Sealer
- SIEM / Audit Logs
  SIEM / Audit Logs
  - Overview
  - DataDog
  - Splunk
- Single Sign On
  Single Sign On
  - Overview
  - AWS SSO
  - Azure AD
  - Duo SSO
  - Google Workspace
  - KeyCloak
  - Okta
  - Ping One
  - CLI
Recipes
Recipes
- Overview
- AlertManager
  AlertManager
  - Slack
  - PagerDuty
  - Opsgenie
- Backup
  Backup
  - CloudCasa
  - Velero
    Velero
    
    Overview
    
    Credentials - IAM Role
    
    Credentials - IAM User
    
    Credentials - MinIO
    
    Use Velero
- Cost Management
  Cost Management
  - Overview
  - Kubecost
- Cert-Manager
  Cert-Manager
- Databases
  Databases
  - Redis
  - InfluxDB
- Functions
  Functions
  - Kubeless
- Governance
  Governance
- GPU
  GPU
- Ingress
  Ingress
  - ALB
    ALB
    
    Overview
    
    Create
    
    Configure
    
    Access
  - Ambassador
  - Citrix
  - Kong
- Load Balancer
  Load Balancer
  - MetalLB
    MetalLB
    
    Overview
    
    Setup
    
    Install
    
    Test
- Log Aggregation
  Log Aggregation
  - Fluent Bit
- Logging
  Logging
  - CloudWatch
  - Elastic Cloud
    Elastic Cloud
    
    Overview
    
    ECK Operator
    
    Elasticsearch
    
    Kibana
    
    Recap
  - OpenSearch
    OpenSearch
    
    Overview
    
    Create
    
    Configure
    
    Access
  - Splunk
  - Sumologic
  - New Relic
- Monitoring
  Monitoring
  - Amazon Prometheus
    Amazon Prometheus
    
    Overview
    
    Create
    
    Configure
    
    Access
  - CloudWatch
  - Datadog Agent
  - Grafana
  - New Relic
  - Prometheus Operator
  - Splunk Connect
- Network Policies
  Network Policies
  - Overview
  - Install
  - Test
- Secrets
  Secrets
  - AWS Secrets Manager
    AWS Secrets Manager
    
    Overview
    
    Create
    
    Configure
    
    Access
  - Hashicorp Vault
  - Sealed Secrets
- Security
  Security
  - Araali
  - Kube-bench
- Service Mesh
  Service Mesh
  - Istio
  - Use Istio
- Storage
  Storage
  - MinIO

Configure AWS Secret Manager

Follow the steps documented to pull secrets from AWS Secret Manager and establish trust between your AWS server and your controller Managed clusters

Step 1: Create Secret Store¶

From the Integrations > Secret Stores page, click New Secret Store
Provide a Name , select CSI - AWS from the drop down for Provider
Click CREATE button to create this secret store

Create Vault

Step 2: Edit Secret Store¶

In the Edit Secret Store page:

Click Add Clusters to add the Kubernetes cluster to use this secret store
Click Add IRSA to add the Service account details along with the Role ARN
Click Add Secret Provider Class and select the required Secret Provider Class from the drop-down along with the namespace
Click Save & Exit to save the secret store settings

Create Vault

Important

It will take ~30 seconds for the secret integration configuration to be deployed to the managed Kubernetes clusters

Create Vault