Install Mission Control Agent on an AWS EKS cluster

Prerequisites

To install and run Mission Control you need to have the following prerequisites:

• GKE 1.28+ with an Ingress Controller
• 500-1000m of CPU and 4GB of Memory
• Persistent Volumes with 20GB+ of storage or an external postgres database like CloudSQL

Choosing an IAM Role

Depending on usecase, Mission Control can be associated with the following GCP IAM roles:

Use Case	Role Name
Read Only Scraping	roles/viewer
Playbooks to create and update GCP Resources	roles/editor

Configure IAM Roles for Mission Control

Workload Identity

Assign Role to Kubernetes service account principle

You can also refer the official docs for Workload Identity

1. Enable workload identity

   # The name of the GKE cluster mission control is being deployed to
   export CLUSTER=<CLUSTER_NAME>
   # GCP Project ID
   export PROJECT_ID=gcp-project-id
   # GCP Project Number
   export PROJECT_NUMBER=gcp-project-number
   # Location of GKE Cluster
   LOCATION=us-east1
   # the default namespace the mission-control helm chart uses
   export NAMESPACE=mission-control
   
   # enable workload identity in the host cluster
   gcloud container clusters update $CLUSTER \
       --location=$LOCATION \
       --workload-pool=$PROJECT_ID.svc.id.goog
   

2. Bind IAM Policy

   $KSA_NAME refers to the Kubernetes service account name. In our case, we need to bind to 3 service accounts: mission-control-sa, canary-checker-sa and config-db-sa

   for KSA_NAME in "mission-control-sa" "canary-checker-sa" "config-db-sa"; do
       gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
           --role=$ROLE_NAME \
           --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/$KSA_NAME \
           --condition=None
   done
   

3. Choose a routable DOMAIN for Mission Control

   See Ingress for more options on configuring the ingress including generating certs with cert-manager

   See Local Testing for testing using a kind or minikube without a routable domain

4. Install Mission Control

   Helm

   helm repo add flanksource https://flanksource.github.io/charts 
   helm repo update
   helm install mission-control-agent flanksource/mission-control-agent \
    --set upstream.agent=YOUR_LOCAL_NAME \
    --set upstream.username=token \
    --set upstream.password= \
    --set upstream.host= \
    -n mission-control --create-namespace \
    --wait 

   Flux

   apiVersion: v1
   kind: Namespace
   metadata:
     name: mission-control
   ---
   apiVersion: source.toolkit.fluxcd.io/v1
   kind: HelmRepository
   metadata:
     name: flanksource
     namespace: mission-control
   spec:
     interval: 5m0s
     url: https://flanksource.github.io/charts
   ---
   apiVersion:  helm.toolkit.fluxcd.io/v2
   kind: HelmRelease
   metadata:
     name: mission-control-agent
     namespace: mission-control
   spec:
     chart:
       spec:
         chart: mission-control-agent
         sourceRef:
           kind: HelmRepository
           name: flanksource
           namespace: mission-control
     interval: 5m
   values:
     upstream.agent: YOUR_LOCAL_NAME
     upstream.username: token
     upstream.password: 
     upstream.host: 
   See values.yaml

Allow Kubernetes service account to impersonate GCP service account

You can also refer the official docs: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

1. Enable workload identity in the host cluster

   # The name of the GKE cluster mission control is being deployed to
   export CLUSTER=<CLUSTER_NAME>
   # GCP Project ID
   export PROJECT_ID=gcp-project-id
   # Location of GKE Cluster
   LOCATION=us-east1
   # the default namespace the mission-control helm chart uses
   export NAMESPACE=mission-control
   # IAM service account name
   export IAM_SA_NAME=mission-control
   
   # enable workload identity in the host cluster
   gcloud container clusters update $CLUSTER \
       --location=$LOCATION \
       --workload-pool=$PROJECT_ID.svc.id.goog
   

2. Create a new IAM ServiceAccount

    gcloud iam service-accounts create $IAM_SA_NAME \
        --project=$PROJECT_ID
   

3. Bind GCP Service Account to IAM Role

   gcloud projects add-iam-policy-binding $PROJECT_ID \
   --member "serviceAccount:$IAM_SA_NAME@PROJECT_ID.iam.gserviceaccount.com" \
   --role "$ROLE_NAME"
   

4. Create an IAM allow policy that gives the Kubernetes service account access to impersonate the IAM service account:

   The $KSA_NAME refers to the Kubernetes service account name. In our case, we need to bind to 3 service accounts: mission-control, canary-checker and config-db

    for KSA_NAME in "mission-control-sa" "canary-checker-sa" "config-db-sa"; do
        gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
            --role roles/iam.workloadIdentityUser \
            --member "serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/$KSA_NAME]"
    done
   

5. Install Mission Control

   Helm

   cat > values.yaml << EOF
   
   serviceAccount:
    annotations:
      iam.gke.io/gcp-service-account=IAM_SA_NAME@PROJECT_ID.iam.gserviceaccount.com
   
   canary-checker:
    serviceAccount:
      annotations:
        iam.gke.io/gcp-service-account=IAM_SA_NAME@PROJECT_ID.iam.gserviceaccount.com
   
   config-db:
    serviceAccount:
      annotations:
        iam.gke.io/gcp-service-account=IAM_SA_NAME@PROJECT_ID.iam.gserviceaccount.com
   
   EOF
   
   helm repo add flanksource https://flanksource.github.io/charts 
   helm repo update
   helm install mission-control-agent flanksource/mission-control-agent \
    --set upstream.agent=YOUR_LOCAL_NAME \
    --set upstream.username=token \
    --set upstream.password= \
    --set upstream.host= \
    --set-file values.yaml \
    -n mission-control --create-namespace \
    --wait 

   Flux

   apiVersion: v1
   kind: Namespace
   metadata:
     name: mission-control
   ---
   apiVersion: source.toolkit.fluxcd.io/v1
   kind: HelmRepository
   metadata:
     name: flanksource
     namespace: mission-control
   spec:
     interval: 5m0s
     url: https://flanksource.github.io/charts
   ---
   apiVersion:  helm.toolkit.fluxcd.io/v2
   kind: HelmRelease
   metadata:
     name: mission-control-agent
     namespace: mission-control
   spec:
     chart:
       spec:
         chart: mission-control-agent
         sourceRef:
           kind: HelmRepository
           name: flanksource
           namespace: mission-control
     interval: 5m
   values:
     upstream.agent: YOUR_LOCAL_NAME
     upstream.username: token
     upstream.password: 
     upstream.host:   
     serviceAccount:
      annotations:
        iam.gke.io/gcp-service-account=IAM_SA_NAME@PROJECT_ID.iam.gserviceaccount.com
     
     canary-checker:
      serviceAccount:
        annotations:
          iam.gke.io/gcp-service-account=IAM_SA_NAME@PROJECT_ID.iam.gserviceaccount.com
     
     config-db:
      serviceAccount:
        annotations:
          iam.gke.io/gcp-service-account=IAM_SA_NAME@PROJECT_ID.iam.gserviceaccount.com
     
   See values.yaml

6. Choose a routable DOMAIN for Mission Control

   See Ingress for more options on configuring the ingress including generating certs with cert-manager

   See Local Testing for testing using a kind or minikube without a routable domain

Next Steps

Scrape GCP Resources

Integration

Scraper

CRD