Overview
This is a reference design and implementation, based on Rafay's Terraform Provider, for provisioning an RBAC-controlled, dedicated operating environment (a project) for an application team or business unit using Azure AKS clusters. We will then run a number of day-two operations on the cluster. Resources in the project can be customized and provisioned in the sequence described below.
Important
The lifecycle of all resources will be managed using Terraform Infrastructure as Code based on Rafay's Terraform Provider.
Background
It is a relatively common pattern for platform teams to provide downstream application teams with a dedicated operating environment.
Day-1
- This environment maps to a project in a Rafay Org.
- Access to the project is restricted to specific users/groups based on RBAC and/or ABAC rules.
- It is common for organizations to require "separation of duties", especially between infrastructure operations and application operations.
- Cloud credentials are automatically created in the project and are then used to provision at least one Kubernetes cluster for the application team.
- It is common for organizations to standardize their clusters on a required baseline (a cluster blueprint) comprising several software add-ons.
- To ensure clusters operate in accordance with corporate policies, OPA policies are put in place to validate all operations.
Day-2
- The cluster may need to be scaled up/down as per the needs of the application team
- The cluster may need to be upgraded to a new Kubernetes version to ensure that it is supported by the provider
Items Out of Scope
Although possible using Rafay, this reference design does not include the following items. We have provided pointers below to content that can be used to address them.
- The user is expected to embed the working Terraform code in their pipeline.
- Creation and management of namespaces and/or workspaces for application teams
- How application teams can deploy/operate their containerized applications on the Kubernetes cluster.
What Will You Do by Part

| Part | What will you do? |
|---|---|
| 1 | Build out the infrastructure required to support application teams in Microsoft Azure, using Rafay's Terraform provider to provision a number of Rafay resources. Once complete, we will navigate the console, view the cluster through the integrated dashboard, and securely access the cluster's API server using zero trust kubectl. |
| 2 | Walk through a number of day-two operations on the cluster. |
| 3 | Deprovision the cluster and remove the underlying infrastructure. |
The following sequence describes the resources that can be customized and provisioned using Terraform IaC based automation.
```mermaid
sequenceDiagram
    participant pipe as Pipeline
    participant tf as Terraform <br>Provider
    participant rafay as Rafay
    participant csp as Cloud <br>(Azure)
    pipe->>tf: New Operating Environment
    tf-->>rafay: Create Project
    tf-->>rafay: Create User Group
    tf-->>rafay: Map Roles to Group (RBAC)
    tf-->>rafay: Create Cloud Credential
    tf-->>rafay: Add Git/Helm Repositories <br> (for Add-Ons)
    tf-->>rafay: Create Namespaces <br> (for Add-Ons)
    tf-->>rafay: Create Add-ons <br>(nginx, cert-manager)
    tf-->>rafay: Create OPA Constraint Templates
    tf-->>rafay: Create OPA Constraints
    tf-->>rafay: Create OPA Installation Profile
    tf-->>rafay: Create OPA Policy
    tf-->>rafay: Create Custom Blueprint <br> (Managed and Custom Add-ons)
    tf-->>rafay: Add Cluster Overrides
    rafay->>csp: Provision AKS Cluster <br> (using Cloud Credential)
    rafay->>csp: Apply Custom Blueprint <br> (with Cluster Override)
    csp->>rafay: Blueprint Successful
    rafay->>tf: Cluster Ready
    tf->>pipe: Operating Environment Ready
    tf-->>rafay: Create Nodegroup <br> (Day-2 Operation)
    tf-->>rafay: Upgrade Cluster <br> (Day-2 Operation)
```
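As an added illustration of the first three Day-1 steps in the sequence above (create project, create user group, map roles to the group), the following Terraform configuration is not part of this reference design's code. It uses the `rafay_project`, `rafay_group` and `rafay_groupassociation` resource types from Rafay's Terraform provider as I recall them from the provider documentation; the project and group names are constructed sample values, and the role names `INFRA_ADMIN` and `NAMESPACE_ADMIN` are assumptions chosen to show separation of duties between infrastructure and application operators and should be checked against the roles available in your Org.

```hcl
terraform {
  required_providers {
    rafay = {
      source = "RafaySystems/rafay"
    }
  }
}

locals {
  # Constructed sample name for the application team's operating environment.
  project_name = "app-team-a"
}

# The dedicated operating environment (a project in the Rafay Org).
resource "rafay_project" "app_team" {
  metadata {
    name        = local.project_name
    description = "Operating environment for application team A"
  }
  spec {
    default = false
  }
}

# Two groups so that cluster lifecycle and workload operations are held by different people.
resource "rafay_group" "infra_ops" {
  name        = "${local.project_name}-infra-ops"
  description = "Provisions, scales and upgrades clusters in the project"
}

resource "rafay_group" "app_ops" {
  name        = "${local.project_name}-app-ops"
  description = "Operates application namespaces in the project"
}

# Bind each group to the project with a role scoped to its duties only.
# Role names below are assumed; verify them against the provider/Org role list.
resource "rafay_groupassociation" "infra_ops" {
  group   = rafay_group.infra_ops.name
  project = local.project_name
  roles   = ["INFRA_ADMIN"]

  depends_on = [rafay_project.app_team]
}

resource "rafay_groupassociation" "app_ops" {
  group   = rafay_group.app_ops.name
  project = local.project_name
  roles   = ["NAMESPACE_ADMIN"]

  depends_on = [rafay_project.app_team]
}
```

The point of keeping the two bindings as separate resources is that a `terraform plan` shows each role grant as its own change, so a review of the pipeline's plan output makes a widening of the application team's permissions (for example adding an infrastructure role to `app_ops`) visible before it is applied. The remaining steps in the sequence (cloud credential, repositories, add-ons, OPA resources, blueprint and the AKS cluster) follow the same pattern of one provider resource per step, with the project name carried through as the scope.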
Roadmap
This reference design is constantly evolving. We plan to progressively enhance the design with additional functionality based on our roadmap and customer feedback. Please watch this space or our product blogs for updates.
References
To access the documentation for Lifecycle Management for AKS, click here