GitLab EKS Cluster backend services
What does this MR do?
Adds backend services for creating EKS clusters from GitLab.
There are several steps to this process:
- GitLab assumes the role provided by the user and stores a set of temporary credentials on the provider record. By default these credentials are valid for one hour.
- A CloudFormation stack is created, based on the template in vendor/aws/cloudformation/eks_cluster.yaml. This triggers creation of all resources required for an EKS cluster.
- GitLab polls the status of the stack until all resources are ready, which takes somewhere between 10 and 15 minutes in most cases.
- When the cluster is ready, GitLab stores the cluster details and fetches another set of temporary credentials, this time to allow connecting to the cluster via Kubeclient. These credentials are valid for one minute.
- GitLab configures the worker nodes so that they are able to authenticate to the cluster, and creates a service account for itself for future operations.
- Finally, all details and credentials that are no longer required are removed.
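The credential lifecycle described in the steps above, as an added illustration that is not GitLab's code: temporary credentials are stored with an expiry, refused once past it, and dropped when the stack reaches CREATE_COMPLETE. The struct, class and status names are assumptions, and the stack statuses are a constructed poll sequence rather than calls to AWS.

```ruby
# Temporary credentials as returned by an AssumeRole-style call (constructed;
# field names are assumptions, not the AWS SDK's).
TempCredentials = Struct.new(:access_key_id, :secret_access_key, :session_token, :expires_at) do
  def expired?(now)
    now >= expires_at
  end
end

# Hypothetical provider record: the long-lived role ARN plus the short-lived session.
class EksProvider
  attr_reader :role_arn, :credentials, :status

  def initialize(role_arn, creds)
    @role_arn, @credentials, @status = role_arn, creds, :scheduled
  end

  # Map one CloudFormation stack status onto the provider's state, refusing to
  # proceed on credentials that have passed their expiry.
  def update_from_stack(stack_status, now)
    raise 'temporary credentials expired' if credentials.nil? || credentials.expired?(now)
    @status = case stack_status
              when 'CREATE_IN_PROGRESS' then :creating
              when 'CREATE_COMPLETE' then :created
              else :errored
              end
  end

  # Final step: drop credentials that are no longer required.
  def cleanup!
    @credentials = nil
  end
end

# Drives the polling loop over a constructed sequence of stack statuses (one per
# poll, `poll_interval` seconds apart). Returns [final_status, credentials_cleared?],
# or [:errored, message] if the stored credentials expire before the stack is ready.
def provision(statuses, creds_ttl: 3600, poll_interval: 60)
  t0 = Time.utc(2019, 10, 1, 12, 0, 0)
  creds = TempCredentials.new('AKIAEXAMPLE', 'secret', 'token', t0 + creds_ttl)
  provider = EksProvider.new('arn:aws:iam::123456789012:role/example', creds)
  statuses.each_with_index do |s, i|
    provider.update_from_stack(s, t0 + i * poll_interval)
    break unless provider.status == :creating
  end
  provider.cleanup! if provider.status == :created
  [provider.status, provider.credentials.nil?]
rescue RuntimeError => e
  [:errored, e.message]
end
```

The third scenario in the test is the caveat worth watching for: a one-hour session comfortably covers a 10 to 15 minute stack creation, but a stalled stack will outlive the credentials, so the poller must check expiry before each use rather than assume the session is still good.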
The CloudFormation template itself is being added in a separate merge request: !17036 (merged)
Labelled as ~backstage because there is currently no way to trigger these services.
Screenshots
Does this MR meet the acceptance criteria?
Conformity
- [-] Changelog entry
- Documentation created/updated or follow-up review issue created
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- [-] Separation of EE specific content
Performance and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention @gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team