You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/community/maintainers/release-process.md
+4-13Lines changed: 4 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -47,24 +47,15 @@ For example, the first Nebari CalVer release was `2022.10.1`. If a hotfix releas
47
47
48
48
We use the following guidelines to manage `git` branches by assigning certain roles to particular branches.
49
49
50
-
-[`develop`](https://github.com/nebari-dev/nebari/tree/develop) - Represents the active development branch and is the _default_ branch on the GitHub repository.
50
+
-[`main`](https://github.com/nebari-dev/nebari/tree/main) - Represents the active development branch and is the _default_ branch on the GitHub repository.
51
51
52
-
-[`main`](https://github.com/nebari-dev/nebari/tree/main) - Represents a production-ready state of the code-base, with an appropriate tag to match the most recent release.
52
+
## Release Tags
53
53
54
-
-`release/YYYY-MM-releaseNumber` - Represents the branch for the upcoming release and only briefly exist while actively preparing for the release.
54
+
-`YYYY-MM-releaseNumber` - Represents the tag for a particular release.
55
55
56
56
### Process
57
57
58
-
Although this process is captured in the [release checklist template](https://github.com/nebari-dev/nebari/issues/new?assignees=&labels=type%3A+release+%F0%9F%8F%B7&template=release-checklist.md&title=%5BRELEASE%5D+%3Cversion%3E), it's worth making clear how branches are managed.
59
-
60
-
- Active development occurs against the `develop` branch.
61
-
- When it's time for a release, the Release Captain will create the release branch `release/YYYY-MM-releaseNumber` and prepare the branch for the release. At times, this might mean cherry-picking commits that are needed for this release and at other times, this might mean merging `develop` into this release branch.
62
-
- As soon as this release branch is ready, the Release Captain can open a pull request against `main`. From here, all of the changes that are included in the release should be visible in the "Files changed" section of the pull request.
63
-
- Once CI passes, all manual tests are successful and the team is happy with the changes, the Release Captain can complete the release checklist and cut the release.
64
-
65
-
#### Hotfixes
66
-
67
-
In the event that a patch or hotfix release is needed, release process is the same as outlined above. The only difference is that the commits that are merged into the hotfix release branch will need to be cherry-picked from the `develop` branch.
58
+
The release process is captured in the [release checklist template](https://github.com/nebari-dev/nebari/blob/main/.github/ISSUE_TEMPLATE/release-checklist.md). In the event that a patch or hotfix release is needed, release process is the same as outlined above.
You can use AWS Key Management Service (KMS) to enhance security by encrypting Kubernetes secrets in
104
+
Amazon Elastic Kubernetes Service (EKS). This approach adds an extra layer of protection for sensitive
105
+
information, like passwords, credentials, and TLS keys, by applying user-managed encryption keys to Kubernetes
106
+
secrets, supporting a [defense-in-depth strategy](https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth/).
107
+
108
+
Nebari supports setting an existing KMS key while deploying Nebari to implement encryption of secrets
109
+
created in Nebari's EKS cluster. The KMS key must be a **Symmetric** key set to **encrypt and decrypt** data.
110
+
111
+
:::warning
112
+
Enabling EKS cluster secrets encryption, by setting `amazon_web_services.eks_kms_arn`, is an
113
+
_irreversible_ action and re-deploying Nebari to try to remove a previously set `eks_kms_arn` will fail.
114
+
On the other hand, if you try to change the KMS key in use for cluster encryption, by re-deploying Nebari
115
+
after setting a _different_ key ARN, the re-deploy should succeed but the KMS key used for encryption will
116
+
not actually change in the cluster config and the original key will remain set. The integrity of a faulty
117
+
deployment can be restored, following a failed re-deploy attempt to remove a previously set KMS key, by
118
+
simply re-deploying Nebari while ensuring `eks_kms_arn` is set to the original KMS key ARN.
119
+
:::
120
+
121
+
:::danger
122
+
If the KMS key used for envelope encryption of secrets is ever deleted, then there is no way to recover
123
+
the EKS cluster.
124
+
:::
125
+
126
+
:::note
127
+
After enabling cluster encryption on your cluster, you must encrypt all existing secrets with the
Consult [Encrypt K8s secrets with AWS KMS on existing clusters](https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html) for more information.
131
+
:::
132
+
133
+
Here is an example of how you would set KMS key ARN in `nebari-config.yaml`.
Nebari supports configuring launch templates for your node groups, enabling you to customize settings like the AMI ID and pre-bootstrap commands. This is particularly useful if you need to use a custom AMI or perform specific actions before the node joins the cluster.
144
+
145
+
:::warning
146
+
If you add a `launch_template` to an existing node group that was previously created without one, AWS will treat this as a change requiring the replacement of the entire node group. This action will trigger a reallocation of resources, effectively destroying the current node group and recreating it. This behavior is due to how AWS handles self-managed node groups versus those using launch templates with custom settings.
147
+
:::
148
+
149
+
:::tip
150
+
To avoid unexpected downtime or data loss, consider creating a new node group with the launch template settings and migrating your workloads accordingly. This approach allows you to implement the new configuration without disrupting your existing resources.
151
+
:::
152
+
153
+
#### Configuring a Launch Template
154
+
155
+
To configure a launch template for a node group in your `nebari-config.yaml`, add the `launch_template` section under the desired node group:
156
+
157
+
```yaml
158
+
amazon_web_services:
159
+
region: us-west-2
160
+
kubernetes_version: "1.18"
161
+
node_groups:
162
+
custom-node-group:
163
+
instance: "m5.large"
164
+
min_nodes: 1
165
+
max_nodes: 5
166
+
gpu: false # Set to true if using GPU instances
167
+
launch_template:
168
+
# Replace with your custom AMI ID
169
+
ami_id: ami-0abcdef1234567890
170
+
# Command to run before the node joins the cluster
171
+
pre_bootstrap_command: |
172
+
#!/bin/bash
173
+
# This script is executed before the node is bootstrapped
174
+
# You can use this script to install additional packages or configure the node
175
+
# For example, to install the `htop` package, you can run:
176
+
# sudo apt-get update
177
+
# sudo apt-get install -y htop"
178
+
```
179
+
180
+
**Parameters:**
181
+
182
+
-`ami_id` (Optional): The ID of the custom AMI to use for the nodes in this group; this assumes the AMI provided is an EKS-optimized AMI derivative. If specified, the `ami_type` is automatically set to `CUSTOM`.
183
+
-`pre_bootstrap_command` (Optional): A command or script to execute on the node before
184
+
it joins the Kubernetes cluster. This can be used for custom setup or configuration
185
+
tasks. The format should be a single string in conformation with the shell syntax.
186
+
This command is injected in the `user_data` field of the launch template. For more
187
+
information, see [User Data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html).
188
+
189
+
> If you're using a `launch_template` with a custom `ami_id`, there's an issue with updating the `scaling.desired_size` via Nebari configuration (terraform). To scale up, you must recreate the node group or adjust the scaling settings directly in the AWS Console UI (recommended). We are aware of this inconsistency and plan to address it in a future update.
190
+
191
+
:::note
192
+
If an `ami_id` is not provided, AWS will use the default Amazon Linux 2 AMI for the
193
+
specified instance type. You can find the latest optimized AMI IDs for Amazon EKS in your
194
+
cluster region by inspecting its respective SSM parameters. For more information, see
195
+
[Retrieve recommended Amazon Linux AMI IDs](https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html).
Copy file name to clipboardExpand all lines: docs/docs/how-tos/nebari-gcp.md
+12-10Lines changed: 12 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,15 +11,19 @@ will walk you through the following steps:
11
11
12
12
-[Introduction](#introduction)
13
13
-[Sign up for Google Cloud Platform](#sign-up-for-google-cloud-platform)
14
-
-[Set up the `gcloud` CLI](#set-up-the-gcloud-cli)
15
14
-[Authentication](#authentication)
15
+
-[Required GCP APIs](#required-gcp-apis)
16
16
-[Initializing Nebari](#initializing-nebari)
17
17
-[Deploying Nebari](#deploying-nebari)
18
18
-[Destroying Nebari](#destroying-nebari)
19
19
20
-
For those already familiar with Google Cloud Platform and `gcloud`, feel free to skip this first step and jump straight to the [Nebari authentication](#authentication) section of
20
+
For those already familiar with Google Cloud Platform, feel free to skip this first step and jump straight to the [Nebari authentication](#authentication) section of
21
21
this guide.
22
22
23
+
:::warning important
24
+
Before version 2024.9.1, Nebari relied on users having `gcloud`, Google Cloud's CLI, installed locally on the machine they were deploying Nebari from. If you want to install an older version, make sure to [install it](https://cloud.google.com/sdk/docs/install).
25
+
:::
26
+
23
27
## Sign up for Google Cloud Platform
24
28
25
29
This documentation assumes that you are already familiar with Google Cloud Platform accounts, and that you have prior knowledge regarding GCP billing and cost usage for Kubernetes related
@@ -46,12 +50,6 @@ A Nebari deployment on GCP will **NOT** fall into `free tier` usage. Therefore,
46
50
administrator for more information. If you provision resources outside the free tier, you may be charged. We're not responsible for any charges you may incur if this happens.
47
51
:::
48
52
49
-
## Set up the `gcloud` CLI
50
-
51
-
As Nebari executes some preliminary steps to check Kubernetes compatibility within the GCP infrastructure, it needs to use the
52
-
[`gcloud` command line interface (CLI)](https://cloud.google.com/sdk/gcloud) to interact with the Google Cloud Platform. You will have to
53
-
[install the `gcloud` CLI on your system](https://cloud.google.com/sdk/docs/install) before you can use Nebari.
54
-
55
53
The remaining steps will assume that you are logged in to a GCP account that has admin privileges for the newly created project.
56
54
57
55
## Authentication
@@ -66,7 +64,11 @@ management.
66
64
67
65
If it's your first time creating a service account, please follow
68
66
[these detailed instructions](https://cloud.google.com/iam/docs/creating-managing-service-accounts) to create a Google Service Account with the following roles attached:
69
-
"roles/editor", "roles/resourcemanager.projectIamAdmin" and "roles/container.admin".
For more information about roles and permissions, see the
72
74
[Google Cloud Platform IAM documentation](https://cloud.google.com/iam/docs/choose-predefined-roles). Remember to check the active project before creating resources, especially if
@@ -114,7 +116,7 @@ startup file (for example, for example in the `~/.bashrc` or `~/.profile` for th
114
116
115
117
:::note
116
118
The steps in the following sections assume you have (i) completed the [Install Nebari][nebari-install] section, (ii) confirmed that Nebari is successfully
117
-
installed in your environment, (iii) opted for **GCP** as your cloud provider which includes installing and initializing `gcloud`, and (iv) already configured the Nebari
119
+
installed in your environment, (iii) opted for **GCP** as your cloud provider, and (iv) already configured the Nebari
118
120
environment variables. If you had any issues during the installation, please visit the "Get started" section of our [troubleshooting page][nebari-troubleshooting] for further
0 commit comments