Configuration

Configurations affecting how your platform gets built.

Keeping with the theme of building an opinionated platform, most configurations are optional.

When a field of type Object is optional, you can omit it entirely or set it to {}. For such fields, the defaults are specified in that field's own spec table.

CLI Spec

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| environmentName | String | The name of the environment that will be created and managed by the CLI. This name is also used in naming many resources, like the EKS cluster, the VPC and so on. The name must follow these rules: (1) all lower-case; (2) alphanumeric, with `-` and `_` allowed; (3) must start with a letter; (4) not more than 16 characters in length. | Yes |
| aws | Object - AWS Spec | Configurations for all components deployed on AWS, including the VPC, EKS and so on. | Yes |
| kubernetes | Object - Kubernetes Spec | Configurations for all services and operators running on the Kubernetes cluster. | No |

AWS Spec

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| region | String | The AWS region where you want to deploy your infrastructure, given as the canonical region name, like us-east-2 or eu-west-3. | Yes |
| vpc | Object - VPC Spec | Configurations related to the VPC, subnets and other networking components. | No |
| eks | Object - EKS Spec | Configurations for the EKS cluster and related components like node-groups and logging. | No |
| routing | Object - Routing Spec | Configurations related to enabling public access for your services, including Route53 zone creation, the ACM TLS certificate and so on. | No |

VPC Spec

| Field | Type | Description | Required | Default |
| --- | --- | --- | --- | --- |
| cidr | String | The IPv4 network range for the VPC, in CIDR notation. | No | 10.8.0.0/16 |
| privateSubnets | Array[Subnet Spec] | Configuration for the private subnets to be attached to the VPC. These subnets are where all the EKS workloads (your service pods) are deployed. | No | See below |
| publicSubnets | Array[Subnet Spec] | Configuration for the public subnets to be attached to the VPC. Used for allowing public ingress/egress out of your Kubernetes cluster. | No | See below |

Default for privateSubnets:

```yaml
- cidr: "10.8.8.0/21"
- cidr: "10.8.16.0/21"
```

Default for publicSubnets:

```yaml
- cidr: "10.8.1.0/26"
- cidr: "10.8.2.0/26"
```

EKS Spec

| Field | Type | Description | Required | Default |
| --- | --- | --- | --- | --- |
| version | String | The Kubernetes version with which this EKS cluster should be created. | No | 1.29 |
| nodeGroups | Array[EKSNodeGroup Spec] | Configuration of the node-groups for the EKS cluster. Most people won't need to override this value, since none of your workloads are deployed on this node-group: it only exists to launch Karpenter and the External Secrets Operator. Nodes for the rest of the workloads are provisioned by Karpenter. | No | See below |
| logging | Object - EKSLogging Spec | Configuration for CloudWatch logging for the EKS cluster. | No | See below |

Default for nodeGroups:

```yaml
- name: "notops-default"
  instanceType: "t3.medium"
  minNodes: 2
  maxNodes: 20
  capacityType: "SPOT"
  amiType: "BOTTLEROCKET_x86_64"
```

Default for logging:

```yaml
logTypes:
  - "API"
  - "AUDIT"
retentionDays: 7
```

Routing Spec

| Field | Type | Description | Required | Default |
| --- | --- | --- | --- | --- |
| createSSLCert | Boolean | Whether the CLI should create a TLS/SSL certificate in AWS Certificate Manager. The certificate is created and managed using AWS Certificate Manager; these certificates are free and can be renewed automatically. There is also an option to import certificates bought from third-party providers. | No | true |
| sslCertARN | String | AWS Certificate Manager ARN for an existing certificate. This is imported from a third-party certificate provider you may have already purchased from for your domain. The certificate is assumed to be pre-validated; follow the steps for importing a certificate into AWS Certificate Manager. This config should only be set if the createSSLCert flag is set to false. | Yes, if createSSLCert is set to false | - |
| domainName | String | The public DNS domain name to use with your services. This is usually the top-level domain for your organization, like example.com. | Yes | - |
| enableWildcardSubdomains | Boolean | Whether the SSL certificate should include a wildcard for sub-domains. If the domain you are using is example.com, setting this to true will allow *.example.com. | No | true |
| subjectAlternativeNames | Array[String] | Additional values, most commonly hostnames, to attach to the SSL certificate as Subject Alternative Names. | No | [] |
| createHostedZoneForDomain | Boolean | Whether to create a public Route53 hosted-zone for your domain. If your domain is managed by a third-party provider, e.g. Namecheap or GoDaddy, set this to false. Alternatively, you can set this to true and configure your domain-provider with the nameservers from AWS. | No | true |

Subnet Spec

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| cidr | String | The IPv4 network range for this subnet, in CIDR notation. This CIDR must be contained within the CIDR of the VPC to which this subnet is going to be attached. | Yes |

EKSNodeGroup Spec

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| name | String | The name of this node-group. If you create multiple node-groups, all node-group names must be unique within an EKS cluster. The name must follow these rules: (1) at most 63 characters in length; (2) must start with a letter or digit, but can also include hyphens and underscores in the remaining characters. | Yes |
| instanceType | String | One of the available EC2 instance types to use for the nodes in this node-group, for example t3.large or m7g.12xlarge. | Yes |
| minNodes | Integer | The minimum number of worker nodes. Must be a number greater than 0. | Yes |
| maxNodes | Integer | The maximum number of worker nodes. Must be larger than or equal to minNodes. | Yes |
| capacityType | String | One of: SPOT, ON_DEMAND. | Yes |
| amiType | String | One of: AL2_x86_64, AL2_x86_64_GPU, AL2_ARM_64, BOTTLEROCKET_ARM_64, BOTTLEROCKET_x86_64, BOTTLEROCKET_ARM_64_NVIDIA, BOTTLEROCKET_x86_64_NVIDIA. | Yes |

EKSLogging Spec

Amazon EKS control plane logging provides audit and diagnostic logs directly from the Amazon EKS control plane to CloudWatch Logs in your account. In clusters created by NotOps, this logging is enabled by default for certain components.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| logTypes | Array[String] | The EKS control-plane components for which to generate logs. Each log-type corresponds to a control-plane component (see Kubernetes Components in the Kubernetes documentation). The available log-types are listed below the table. | Yes. You can specify an empty array to disable all control-plane logs. |
| retentionDays | Integer | The number of days to retain the control-plane logs in CloudWatch. Must be one of 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653. | Yes |

The following log-types are available:

  1. API: enables logs for the kube-apiserver component.

  2. AUDIT: Kubernetes audit logs provide a record of the individual users, administrators, or system components that have affected your cluster. See the Kubernetes auditing documentation for more details.

  3. AUTHENTICATOR: authenticator logs are unique to Amazon EKS. These logs represent the control plane component that Amazon EKS uses for Kubernetes Role Based Access Control (RBAC) authentication using IAM credentials.

  4. CONTROLLER_MANAGER: the controller manager manages the core control loops that are shipped with Kubernetes. For more information, see kube-controller-manager.

  5. SCHEDULER: the scheduler component manages when and where to run Pods in your cluster. For more information, see kube-scheduler.

Kubernetes Spec

| Field | Type | Description | Required | Default |
| --- | --- | --- | --- | --- |
| global | Object - K8sGlobal Spec | The shared config that will be applied to all services installed by the CLI. | No | {} |
| argocd | Object | Configuration for the Argo CD Helm chart. All values from the chart's default values.yaml are supported and can be overridden. | No | See below |
| awsLoadBalancerController | Object | Configuration for the AWS Load Balancer Controller Helm chart. All values from the chart's default values.yaml are supported and can be overridden. | No | See below |
| externalSecrets | Object | Configuration for the External Secrets Helm chart. All values from the chart's default values.yaml are supported and can be overridden. | No | See below |
| istio | Object | Configuration for the following Istio Helm charts: istio-base, istio-cni, istiod. The three charts have namespaced configs and a shared config under the key global. Because the configs are namespaced, a single config object works for all three. | No | See below |
| istioIngressGateway | Object | Creates an Istio Gateway for routing ingress traffic into the Kubernetes cluster, using the Istio Gateway Helm chart. All values from the chart's default values.yaml are supported and can be overridden. | No | See below |
| karpenter | Object | Configuration for the Karpenter Helm chart. All values from the chart's default values.yaml are supported and can be overridden. | No | See below |

Default for argocd:

```yaml
redis-ha:
  enabled: false

controller:
  replicas: 1

server:
  autoscaling:
    enabled: true
    minReplicas: 1

repoServer:
  autoscaling:
    enabled: true
    minReplicas: 1

applicationSet:
  enabled: false
```

Default for awsLoadBalancerController:

```yaml
replicaCount: 1
```

Default for externalSecrets:

```yaml
# Without this, the generated names look like "release-name-external-secrets"
fullnameOverride: "external-secrets"
```

Default for istio:

```yaml
global:
  priorityClassName: system-cluster-critical

##############################################################################################################
# CNI chart section from https://artifacthub.io/packages/helm/istio-official/cni/1.20.2?modal=values
##############################################################################################################

cni:
  enabled: true
  chained: true # it's true by default, but we want to make it explicit

##############################################################################################################
# Istio Discovery Chart section from https://artifacthub.io/packages/helm/istio-official/istiod/1.20.2?modal=values
##############################################################################################################

meshConfig:
  accessLogFile: /dev/stdout

# This has to be configured separately from the "cni" section
# https://istio.io/latest/docs/setup/additional-setup/cni/#installing-with-helm
istio_cni:
  enabled: true
  chained: true # it's true by default, but we want to make it explicit
```

Default for istioIngressGateway:

```yaml
name: "istio-ingressgateway"

service:
  ports:
    - name: http
      port: 443
      protocol: TCP
      targetPort: 80
  annotations:
    "service.beta.kubernetes.io/aws-load-balancer-scheme": "internet-facing"
    "service.beta.kubernetes.io/aws-load-balancer-type": "external"
    "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type": "ip"
    "service.beta.kubernetes.io/aws-load-balancer-healthcheck-port": "15021"
    "service.beta.kubernetes.io/aws-load-balancer-healthcheck-path": "/healthz/ready"
```

Default for karpenter:

```yaml
fullnameOverride: "karpenter"
# Need karpenter to be very reliable
# It already has default settings for topology spread constraints and node affinity/anti-affinity to spread it across
# AZs (if multiple AZs are available)
replicas: 2
```

K8sGlobal Spec

| Field | Type | Description | Required | Default |
| --- | --- | --- | --- | --- |
| docker | Object - K8sDocker Spec | Global configuration related to Docker, like the docker registry. | No | {} |
| secrets | Object - K8sSecrets Spec | Global secrets to use with all Kubernetes services deployed by the CLI. For example, secrets that allow pulling from a private docker registry. | No | {} |

K8sDocker Spec

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| registryUrl | String | The docker registry URL where you have mirrored the images for all the Kubernetes services deployed by the CLI. If this is a private registry, you must specify the imagePullSecret config that provides the credentials for pulling from that registry. | No |

K8sSecrets Spec

| Field | Type | Description | Required | Default |
| --- | --- | --- | --- | --- |
| dockerImagePull | Array[K8sImagePullSecret Spec] | A list of secrets to be used for pulling container images from a private registry. At least one secret must be specified if a private registry is being used to host the images to be deployed by the CLI. If more than one secret is specified, they will be tried in order until one succeeds. | No | {} |

K8sImagePullSecret Spec

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| name | String | The name of the secret. If you provide multiple secrets, each must have a unique name. This name will also be used to create a Kubernetes Secret, and must be a valid name for such objects. | Yes |
| providerType | String | One of: AWS_SECRETS_MANAGER (only one provider is supported at the moment). | Yes |
| config | Object - K8sImagePullSecretConfig Spec | Provider-specific configuration with details about the secret. One of: AWS_SECRETS_MANAGER. | Yes |

K8sImagePullSecretConfig Spec

This config object differs based on the type of the Secret Provider used. See K8sImagePullSecret Spec for a list of supported providers.

AWS_SECRETS_MANAGER

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| path | String | The name of the secret in AWS Secrets Manager. This usually looks like a file-system path, for example /my-team/service-x/database. The name must contain between 1 and 512 characters. | Yes |

Last updated 9 months ago
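As an added example (not part of NotOps or its documentation), the following Python pre-flight check applies the constraints stated across the spec tables above before the CLI is run: environmentName naming, subnet CIDRs contained in the VPC CIDR, node-group naming and sizing, logTypes and retentionDays, and sslCertARN being required when createSSLCert is false. The SAMPLE dictionary is constructed for this example; loading the real YAML config into a dict is assumed to happen elsewhere, since the config file name is not given on this page.

```python
import ipaddress
import re
ENV_NAME = re.compile(r"^[a-z][a-z0-9_-]{0,15}$")             # spec: lower-case, letter first, <= 16 chars
NODE_GROUP = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$")  # spec: letter/digit first, <= 63 chars
CAPACITY = {"SPOT", "ON_DEMAND"}
LOG_TYPES = {"API", "AUDIT", "AUTHENTICATOR", "CONTROLLER_MANAGER", "SCHEDULER"}
RETENTION = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731,
             1096, 1827, 2192, 2557, 2922, 3288, 3653}        # allowed retentionDays values
# Constructed sample with three deliberate defects: subnet outside the VPC, AUDIT off, no sslCertARN.
SAMPLE = {
    "environmentName": "team-a_prod",
    "aws": {
        "region": "eu-west-3",
        "vpc": {"cidr": "10.8.0.0/16", "privateSubnets": [{"cidr": "10.8.8.0/21"}, {"cidr": "10.9.0.0/21"}]},
        "eks": {"nodeGroups": [{"name": "notops-default", "instanceType": "t3.medium", "minNodes": 2,
                                "maxNodes": 20, "capacityType": "SPOT", "amiType": "BOTTLEROCKET_x86_64"}],
                "logging": {"logTypes": ["API"], "retentionDays": 7}},
        "routing": {"domainName": "example.com", "createSSLCert": False},
    },
}

def validate(cfg):
    # Returns a list of findings; an empty list means the config satisfies the spec.
    out, aws = [], cfg.get("aws", {})
    if not ENV_NAME.match(cfg.get("environmentName", "")):
        out.append("environmentName: lower-case alphanumeric plus - and _, letter first, <= 16 chars")
    vpc = aws.get("vpc", {})
    net = ipaddress.ip_network(vpc.get("cidr", "10.8.0.0/16"))  # spec default when cidr is omitted
    for kind in ("privateSubnets", "publicSubnets"):
        for s in vpc.get(kind, []):
            if not ipaddress.ip_network(s["cidr"]).subnet_of(net):
                out.append(f"vpc.{kind}: {s['cidr']} is not contained in the VPC CIDR {net}")
    eks, names = aws.get("eks", {}), set()
    for ng in eks.get("nodeGroups", []):
        name = ng.get("name", "")
        if not NODE_GROUP.match(name) or name in names or ng.get("capacityType") not in CAPACITY:
            out.append(f"nodeGroups: invalid/duplicate name or unknown capacityType in {name!r}")
        names.add(name)
        if not 0 < ng.get("minNodes", 0) <= ng.get("maxNodes", -1):
            out.append(f"nodeGroups[{name}]: require 0 < minNodes <= maxNodes")
    if "logging" in eks:
        types = set(eks["logging"].get("logTypes", []))
        if types - LOG_TYPES or eks["logging"].get("retentionDays") not in RETENTION:
            out.append("logging: unknown logTypes or retentionDays not an allowed CloudWatch value")
        if "AUDIT" not in types:  # an empty logTypes list disables all control-plane logs
            out.append("logging.logTypes: AUDIT disabled, no record of who changed the cluster")
    routing = aws.get("routing", {})
    if routing.get("createSSLCert", True) is False and not routing.get("sslCertARN"):
        out.append("routing.sslCertARN: required when createSSLCert is false")
    return out
```

Running `validate(SAMPLE)` reports the three planted defects; a config that follows the defaults from the tables above returns an empty list.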