Using an Existing EKS Cluster

By default, Release creates a new dedicated cluster from scratch when you create a new EKS cluster. However, you can create an EKS cluster using an existing EKS cluster, which is useful if you have specific requirements for your clusters, like specific security policies, internal processes and best practices, or existing infrastructure-as-code configurations.

To successfully use an existing EKS cluster with Release, take note of the requirements.

Prerequisites

Take a look at the [eksctl documentation on non eksctl-created clusters] to understand the requirements and get a sense of what is supported.

Follow the instructions in the documentation to give Release access to your cluster.

In summary, you need:

• An existing EKS cluster and node groups with associated VPC, routing requirements, and subnets.

• An updated aws-auth ConfigMap giving Release access to your Kubernetes cluster.

• Supporting add-ons or Helm charts – listed below.

Networking

If you have an existing EKS cluster, you should already have all the networking, routing, and security settings configured correctly.

The following table outlines the minimum configuration Release requires for your existing EKS cluster to ensure workloads deployed to it operate correctly.

Subnet tags

You must apply tags to each subnet when you create a cluster to tell Release what the subnet's function is (public or private) and which subnets to deploy to.

Be sure the name of the cluster you create matches the variable <cluster_name> wherever it is used.

You need at least two private subnets. Although public subnets are optional, you need at least two if you have any.

Note that tags for private and public subnets are different.

Add-ons and Helm charts

Release requires several add-ons and Helm charts to function properly, please go through the following table to identify if anything needs to be added to your cluster to function properly with Release. If you have any questions or concerns, feel free to reach out to us.

Allow Release access via ConfigMap

To access your cluster from the control plane, Release needs the Amazon Resource Name (ARN) for its role.

To find the ARN, go to the AWS Cloudformation template called release-integration. In the Resources tab, find the link to the ConsoleRole and follow it to AWS IAM. Copy the ARN, as you'll need it in the next steps.

For a cluster named my-cluster in region-code, the role ARN might look something like this: arn:aws:iam::111122223333:role/release/release-integration-ConsoleRole-xxxx.

To use the ARN to grant Release permission to deploy to your cluster, you need to remove the /release path.

We can now grant permission to Release to deploy to your cluster by adding an entry to its aws-auth ConfigMap using the shortened ARN:

eksctl create iamidentitymapping --cluster my-cluster --region region-code \
    --arn arn:aws:iam::111122223333:role/release-integration-ConsoleRole-xxxx \
    --username admin --group system:masters \
    --no-duplicate-arns

Import the existing cluster to Release

Now that the cluster information is readily available and Release has been granted access, you will be able to import the cluster as you can see in the dialog box:

Test and verify access

View the configuration of your cluster with the following command:

kubectl describe -n kube-system configmap/aws-auth

It will look something like this:

apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:masters
      rolearn: arn:aws:iam::1111222233333:role/release-integration-ConsoleRole-xxxx
      username: admin
  mapUsers: |
    []
kind: configMap

You can also navigate to Settings -> Clusters -> Cluster and click the Verify Cluster button. If the cluster status remains "Pending" (or worse, "Errored"), verify the configurations and settings described above. If you get no errors, your cluster is ready to go!