Infrastructure Providers

The Educates installation package provides pre-canned configurations for a number of infrastructure providers. These, as well as custom configurations for some other platforms, are described below.

Installation to Amazon EKS

Installation is supported on Amazon Elastic Kubernetes Service. This is indicated by setting provider to eks.

The components which will be installed are the Educates training platform, Contour as the ingress controller, and Kyverno for cluster and workshop security policy enforcement.

Additional components will be installed. These are:

  • external-dns - to configure a wildcard entry in your domain’s desired HostedZone.

  • cert-manager - for certificate management integration with Let’s Encrypt.

  • certs - creates an ACME wildcard domain ClusterIssuer for cert-manager.

This installer package relies on EKS IAM Roles for Service Accounts (IRSA), so you will need to create two IAM roles, one for the external-dns service and one for the cert-manager service. The details of the roles need to be specified in the aws.irsaRoles section of the configuration, in the format arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>.

Additionally, you need to specify the AWS region where your cluster is running, and if the domain you’re using is not a real HostedZone in AWS, you may need to specify aws.route53.hostedZone with the actual domain.

This is a sample snippet that will get Educates installed on an existing EKS cluster.

clusterInfrastructure:
  provider: "eks"
  aws:
    region: "eu-west-1"
    route53:
      hostedZone: "example.com"
    irsaRoles:
      external-dns: "arn:aws:iam::123456789012:role/external-dns"
      cert-manager: "arn:aws:iam::123456789012:role/cert-manager"
clusterIngress:
  domain: "educates.example.com"

Installation to Google GKE

Installation is supported on Google Kubernetes Engine. This is indicated by setting provider to gke.

The components which will be installed are the Educates training platform, Contour as the ingress controller, and Kyverno for cluster and workshop security policy enforcement.

Additional components will be installed. These are:

  • external-dns - to configure a wildcard entry in your domain’s desired DNS Zone in Google CloudDNS.

  • cert-manager - for certificate management integration with Let’s Encrypt.

  • certs - creates an ACME wildcard domain ClusterIssuer for cert-manager.

This installer package relies on GKE Workload Identity, so you will need to create two IAM roles, one for the external-dns service and one for the cert-manager service. The details of the roles need to be specified in the gcp.workloadIdentity section of the configuration, in the format <ROLE_NAME>@<PROJECT_ID>.iam.gserviceaccount.com.

Additionally, you need to specify the Google project ID for your GKE cluster, and if the domain you’re using is not a real DNS Zone in Google CloudDNS, you may need to specify gcp.cloudDNS.zone with the actual domain.

This is a sample snippet that will get Educates installed on an existing GKE cluster.

clusterInfrastructure:
  provider: "gke"
  gcp:
    project: "my-project"
    cloudDNS:
      zone: "example.com"
    workloadIdentity:
      external-dns: "external-dns@my-project.iam.gserviceaccount.com"
      cert-manager: "cert-manager@my-project.iam.gserviceaccount.com"
clusterIngress:
  domain: "educates.example.com"

Installation to local Kind

Installation is supported on a local Kubernetes cluster created using Kind (Kubernetes in Docker). This is indicated by setting provider to kind.

The components which will be installed are the Educates training platform, Contour as the ingress controller, and Kyverno for cluster and workshop security policy enforcement.

For this case it is required that the Kind cluster be configured to map ports 80/443 such that the Kubernetes ingress controller is accessible via the host. The wildcard ingress domain must map to the host IP.

Note that if using the educates create-cluster command the Kind cluster will be created for you.

Installation to Minikube

Installation is supported on a local Kubernetes cluster created using Minikube. This is indicated by setting provider to minikube.

The components which will be installed are the Educates training platform, Contour as the ingress controller, and Kyverno for cluster and workshop security policy enforcement.

If using the docker driver for Minikube, you will need to use the minikube tunnel command to expose the ingress controller, and the wildcard ingress domain must map to the host IP.

If using a driver for Minikube which exposes the cluster on its own IP address, the wildcard ingress domain must map to the IP of the Minikube cluster.

If you do not want to use Contour as the ingress controller, but use the Nginx ingress controller directly supported by Minikube, you can instead set provider to generic, or alternatively still use minikube, but disable installation of Contour.

Installation to OpenShift

Installation is supported on a local Kubernetes cluster created using OpenShift. This is indicated by setting provider to openshift.

The components which will be installed are the Educates training platform, and Kyverno for workshop security policy enforcement.

OpenShift security context constraints (SCC) will be used for cluster security policies. For ingress, the native OpenShift ingress controller will be used.

Installation to a vCluster

Installation is supported on a Kubernetes virtual cluster using the vCluster software from Loft Labs. This is indicated by setting provider to vcluster.

The components which will be installed are the Educates training platform and Kyverno for cluster and workshop security policy enforcement.

For this case Kubernetes ingresses must still work within the virtual cluster. This means you need to have done one of the following:

  • Pre-configure the virtual cluster to synchronize ingress resources from the virtual cluster to the underlying host Kubernetes cluster, so that ingresses created in the virtual cluster are handled by the ingress controller running in the underlying host Kubernetes cluster.

  • Install a separate ingress controller into the virtual cluster with its own external ingress router for incoming traffic, or have the ingress controller of the underlying host Kubernetes cluster proxy to the ingress router of the virtual cluster for a suitable wildcard ingress domain.

Virtual clusters created by Educates itself as part of a workshop session satisfy this requirement for working ingresses, and as such it is possible to install Educates inside of Educates for the purposes of creating workshops to train users on Educates. In this scenario though, since security policies would be enforced by the underlying Educates installation, to reduce the amount of resources required and speed up installation of Educates inside of the virtual cluster, installation of Kyverno and enforcement of security policies can be disabled.

# Specify the infrastructure provider hosting the Kubernetes cluster.

clusterInfrastructure:
  provider: vcluster

# Specify the ingress domain to be used to access the workshops hosted by
# the Educates installation.

clusterIngress:
  domain: educates-local-dev.test

# Disable the cluster and security policy engines, and skip installing
# Kyverno, as policies are enforced by the Educates installation running
# this workshop session.

clusterPackages:
  kyverno:
    enabled: false

clusterSecurity:
  policyEngine: none

workshopSecurity:
  rulesEngine: none
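
A pre-flight check for the settings described on this page, as an added example that is not part of the Educates project: it validates the EKS and GKE identity formats given above, flags external-dns and cert-manager sharing one identity, and reports policy enforcement being switched off for any provider other than vcluster. The lint and dig names are hypothetical, the configuration is passed as an already-parsed dict, and the rule that the ingress domain must sit at or below the DNS zone is an assumption drawn from the samples.

```python
import re

# Identity formats as stated on this page; the dict values are its config paths.
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
GSA_RE = re.compile(r"^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")
COMPONENTS = ("external-dns", "cert-manager")
IDS = {"eks": "aws.irsaRoles", "gke": "gcp.workloadIdentity"}
ZONES = {"eks": "aws.route53.hostedZone", "gke": "gcp.cloudDNS.zone"}

def dig(cfg, path):
    for key in path.split("."):  # walk nested dicts; None if a key is absent
        cfg = cfg.get(key) if isinstance(cfg, dict) else None
    return cfg

def lint(cfg):
    """Return findings for an Educates installer configuration given as a dict."""
    out, infra = [], cfg.get("clusterInfrastructure") or {}
    provider = infra.get("provider")
    if provider in IDS:
        ids = [str(dig(infra, f"{IDS[provider]}.{c}") or "") for c in COMPONENTS]
        for c, ident in zip(COMPONENTS, ids):
            if not (ARN_RE if provider == "eks" else GSA_RE).match(ident):
                out.append(f"{IDS[provider]}.{c}: not in the documented format")
        if ids[0] and ids[0] == ids[1]:  # the page asks for two separate roles
            out.append("external-dns and cert-manager share one identity")
        zone = str(dig(infra, ZONES[provider]) or "").lower()
        domain = str(dig(cfg, "clusterIngress.domain") or "").lower()
        # Assumption: the ingress domain sits at or below the DNS zone.
        if zone and domain != zone and not domain.endswith("." + zone):
            out.append("clusterIngress.domain: outside the DNS zone")
    # The page describes switching enforcement off only for the vcluster case.
    off = [p for p, bad in (("clusterPackages.kyverno.enabled", False),
                            ("clusterSecurity.policyEngine", "none"),
                            ("workshopSecurity.rulesEngine", "none"))
           if dig(cfg, p) == bad]
    if off and provider != "vcluster":
        out.append("policy enforcement off outside vcluster: " + ", ".join(off))
    return out

# Constructed sample: malformed identity, stray ingress domain, Kyverno off.
SAMPLE = {
    "clusterInfrastructure": {"provider": "gke", "gcp": {
        "project": "my-project", "cloudDNS": {"zone": "example.com"},
        "workloadIdentity": {
            "external-dns": "external-dns",
            "cert-manager": "cert-manager@my-project.iam.gserviceaccount.com"}}},
    "clusterIngress": {"domain": "educates.example.org"},
    "clusterPackages": {"kyverno": {"enabled": False}}}
print(*lint(SAMPLE), sep="\n")
```

The EKS and vcluster samples shown on this page produce no findings.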