Comments (14)
Doing Validation / Feedback here https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#e8dc3d8794a44ea29508ad40b24338ce
I have done a high-level check of both environments and only the previous comment called my attention. The rest looks good to me 👍.
Next for me is to exercise a few journeys that pentesters will exercise, to do a lower-level validation of the environment. I expect to complete this after the scope meeting tomorrow with the pentesters.
from clusters-config.
@AhmedSa-mir I made a couple of changes to connect the leaf cluster:
- the token in the kubeconfig not to be base64 encoded
- rbac permissions #77
then we could see the apps in the leaf cluster
from clusters-config.
Feedback
a leaf cluster so we could test management to leaf cluster
I could see the cluster but cannot see the applications in the leaf cluster
```
➜ clusters-config git:(add-flagger-to-leaf) kubectl --kubeconfig=/Users/enekofb/.kube/leaf/config get kustomizations.kustomize.toolkit.fluxcd.io -A <aws:sts>
NAMESPACE     NAME             AGE     READY   STATUS
apps          podinfo          23h     True    Applied revision: master/e40d32ba87f6004b5f22041f906713f525a6829b
flux-system   common           23h     True    Applied revision: cluster-pentest-leaf/d15a733714d4b3ed3c4ded43f024f1cb6858cf2a
flux-system   flagger          3h23m   True    Applied revision: cluster-pentest-leaf/d15a733714d4b3ed3c4ded43f024f1cb6858cf2a
flux-system   flux-system      23h     True    Applied revision: cluster-pentest-leaf/d15a733714d4b3ed3c4ded43f024f1cb6858cf2a
flux-system   shared-secrets   23h     True    Applied revision: cluster-pentest-leaf/d15a733714d4b3ed3c4ded43f024f1cb6858cf2a
➜
```
The issue I can think of is that the stored kubeconfig will not work, as the token will be retrieved via `command: aws-iam-authenticator`:
```
➜ ~ cat ~/Downloads/pentest-leaf.kubeconfig <aws:sts>
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: xx==
    server: https://5C66B63C4A68E7F12FBEF4869267D7B9.sk1.eu-north-1.eks.amazonaws.com
  name: pentest-leaf.eu-north-1.eksctl.io
contexts:
- context:
    cluster: pentest-leaf.eu-north-1.eksctl.io
    user: [email protected]@pentest-leaf.eu-north-1.eksctl.io
  name: [email protected]@pentest-leaf.eu-north-1.eksctl.io
current-context: [email protected]@pentest-leaf.eu-north-1.eksctl.io
kind: Config
preferences: {}
users:
- name: [email protected]@pentest-leaf.eu-north-1.eksctl.io
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - -i
      - pentest-leaf
      command: aws-iam-authenticator
      env:
      - name: AWS_STS_REGIONAL_ENDPOINTS
        value: regional
      - name: AWS_DEFAULT_REGION
        value: eu-north-1
      - name: AWS_PROFILE
        value: sts
      provideClusterInfo: false
```
A hint on how to address this issue is https://github.com/weaveworks/weave-gitops-clusters/blob/main/docs/connect-leaf-cluster.md, via generating a static token like this
from clusters-config.
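An added check (example code, not from the clusters-config repo or Weave GitOps) that inspects a kubeconfig's `users` for the two problems raised in this thread: an exec credential plugin such as aws-iam-authenticator, which a stored copy of the kubeconfig cannot run from another cluster, and a service-account token pasted still base64-encoded from the Secret. The kubeconfig is constructed inline in JSON form (which kubectl also accepts) and the JWT is made up.

```python
import base64

# Constructed sample kubeconfig in JSON form (kubectl accepts JSON too) with
# three users: the exec-based EKS user from the issue, a token pasted straight
# from a Secret's .data without base64-decoding it, and a correctly decoded one.
# SAMPLE_JWT is made up for the example and is not a real credential.
SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQifQ.c2ln"
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "users": [
        {"name": "eks-exec-user",
         "user": {"exec": {"command": "aws-iam-authenticator",
                           "args": ["token", "-i", "pentest-leaf"]}}},
        {"name": "double-encoded-user",
         "user": {"token": base64.b64encode(SAMPLE_JWT.encode()).decode()}},
        {"name": "static-sa-user", "user": {"token": SAMPLE_JWT}},
    ],
}


def _is_jwt(value: str) -> bool:
    # Service-account tokens are JWTs: three dot-separated base64url segments,
    # and the encoded header '{"' always starts with "eyJ".
    return value.startswith("eyJ") and value.count(".") == 2


def audit_kubeconfig_users(cfg: dict) -> dict:
    """Map user name -> finding for credentials that will not work once the
    kubeconfig is stored as a Secret and read by the management cluster."""
    findings = {}
    for entry in cfg.get("users", []):
        name, user = entry.get("name"), entry.get("user", {})
        if "exec" in user:
            cmd = user["exec"].get("command", "?")
            findings[name] = (f"exec plugin '{cmd}': needs the binary and its cloud "
                              "credentials on the reader, so a stored copy cannot log in")
        elif "token" not in user:
            findings[name] = "no token or exec credential"
        elif _is_jwt(user["token"]):
            pass  # a decoded service-account token; usable as-is
        else:
            try:
                decoded = base64.b64decode(user["token"], validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                decoded = ""
            findings[name] = ("token is still base64-encoded (copied from Secret .data); decode it"
                              if _is_jwt(decoded) else "token is not a service-account JWT")
    return findings
```

Run `audit_kubeconfig_users(SAMPLE_KUBECONFIG)` to see both failing users reported while the decoded static token passes.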
> via generating static token like this

Wouldn't that static token expire after some time?
from clusters-config.
> via generating static token like this
>
> Wouldn't that static token expire after some time?

Nope, they don't have an expiration.
from clusters-config.
pentest-enterprise
Looking in a bit more detail into the journeys https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#0de13863219d4fdaab08d16798a8608a
I found the following that @enekofb should look at in a bit more detail:
- Create cluster experience should allow creating cluster PRs against the repo. https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#c578ea641b614d8b9bc5d50ffe90aadb
- Add applications UI experience should create a PR in GitHub https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#5d0ebf61e02e4f608e334c93d3bef183
- Should apps developer be able to sync/suspend https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#3306a12577804c4186c0df867a6c01c8
- Policy Agent is installed but no policies are in the cluster
I found the following that @AhmedSa-mir might be able to help with:
- RBAC for flagger needs some tweaks https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#35cd80658b11400f9bfce456dd9022c1
- Pipelines UI is not visible within the UI https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#dd25d437293a4d1182b757946242f20a
from clusters-config.
> - Policy Agent is installed but no policies are in the cluster

added policies
from clusters-config.
for pipelines and github raised
from clusters-config.
I've added the pentest-leaf-kubeconfig secret with static token in the pentest-enterprise cluster. I couldn't encrypt it with sops to be reconciled and decrypted on the cluster, so I've added it manually for now. This should unblock you until I see the sops encryption.
from clusters-config.
btw, added this PR which could be of interest for the rest of the services: an enterprise-leaf folder with a set of common apps for enterprise leaf clusters
from clusters-config.
Pending this, the rest looks good:
- Create cluster experience should allow creating cluster PRs against the repo. https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#c578ea641b614d8b9bc5d50ffe90aadb
- Add applications UI experience should create a PR in GitHub https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#5d0ebf61e02e4f608e334c93d3bef183
- Should apps developer be able to sync/suspend https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#3306a12577804c4186c0df867a6c01c8
from clusters-config.
> Pending this the rest looks good
> - Create cluster experience should allow creating cluster PRs against the repo. https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#c578ea641b614d8b9bc5d50ffe90aadb
> - Add applications UI experience should create a PR in GitHub https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#5d0ebf61e02e4f608e334c93d3bef183
> - Should apps developer be able to sync/suspend https://www.notion.so/weaveworks/Weave-gitops-September-2022-58017c08f4db4848b91dd99da383013b#3306a12577804c4186c0df867a6c01c8

To make the GitHub PR integration work we needed this commit
from clusters-config.
@enekofb Can we close this issue as done?
from clusters-config.
definitely! closing
from clusters-config.