
Install Mission Control Agent on an AWS EKS cluster

Prerequisites

To install and run Mission Control you need to have the following prerequisites:

  • GKE 1.28+ with an Ingress Controller
  • 500-1000m of CPU and 4GB of Memory
  • Persistent Volumes with 20GB+ of storage or an external postgres database like CloudSQL

Choosing an IAM Role

Depending on the use case, Mission Control can be associated with the following GCP IAM roles:

  Use Case                                        Role Name
  Read Only Scraping                              roles/viewer
  Playbooks to create and update GCP Resources    roles/editor
  Secret Management (optional)                    roles/cloudkms.cryptoKeyEncrypterDecrypter

Configure IAM Roles for Mission Control

You can also refer to the official docs for Workload Identity.

  1. Enable workload identity

    # The name of your existing GKE cluster where mission control is to be deployed to
    export CLUSTER=cluster-name

    # GCP Project ID
    export PROJECT_ID=gcp-project-id

    # GCP Project Number
    export PROJECT_NUMBER=gcp-project-number

    # Location of GKE Cluster
    export LOCATION=us-east1

    # the default namespace the mission-control helm chart uses
    export NAMESPACE=mission-control

    # enable workload identity in the host cluster
    gcloud container clusters update $CLUSTER \
      --location=$LOCATION \
      --workload-pool=$PROJECT_ID.svc.id.goog

  2. Bind IAM Policy

    $KSA_NAME refers to the Kubernetes service account name. In our case, we need to bind to 3 service accounts: mission-control-sa, canary-checker-sa and config-db-sa.

    export ROLE_NAME=roles/viewer

    for KSA_NAME in "mission-control-sa" "canary-checker-sa" "config-db-sa"; do
      gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
        --role=$ROLE_NAME \
        --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/$KSA_NAME \
        --condition=None
    done

  3. Choose a routable DOMAIN for Mission Control

    See Ingress for more options on configuring the ingress, including generating certificates with cert-manager.

    See Local Testing for testing with kind or minikube without a routable domain.

  4. Install Mission Control

    apiVersion: v1
    kind: Namespace
    metadata:
      name: mission-control
    ---
    apiVersion: source.toolkit.fluxcd.io/v1
    kind: HelmRepository
    metadata:
      name: flanksource
      namespace: mission-control
    spec:
      interval: 5m0s
      url: https://flanksource.github.io/charts
    ---
    apiVersion: helm.toolkit.fluxcd.io/v2
    kind: HelmRelease
    metadata:
      name: mission-control-agent
      namespace: mission-control
    spec:
      chart:
        spec:
          chart: mission-control-agent
          sourceRef:
            kind: HelmRepository
            name: flanksource
            namespace: mission-control
      interval: 5m
      values:
        upstream:
          agent: YOUR_LOCAL_NAME
          username: token
          password:
          host:

    See values.yaml

KMS Setup for Secret Management

If you plan to use secret parameters in playbooks, create a KMS key to encrypt and manage sensitive data. This requires creating a new Mission Control connection and updating the Helm chart to point Mission Control to the KMS connection.

Create a KMS Key

# Set your project ID (if not already set)
export PROJECT_ID=gcp-project-id

# Create a key ring
gcloud kms keyrings create mission-control-keyring \
  --location=global \
  --project=$PROJECT_ID

# Create a KMS key for Mission Control
gcloud kms keys create mission-control-key \
  --keyring=mission-control-keyring \
  --location=global \
  --purpose=encryption \
  --project=$PROJECT_ID

Bind GCP Service Account to IAM Role

# $PROJECT_NUMBER and $NAMESPACE are the values exported in step 1; $KSA_NAME is the
# Kubernetes service account (from step 2) that needs to encrypt and decrypt playbook secrets
gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
  --role=roles/cloudkms.cryptoKeyEncrypterDecrypter \
  --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/$KSA_NAME \
  --condition=None
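As an added check that is not part of the original docs, the following Python audits the project IAM policy against the three Kubernetes service account principals bound in step 2 and the KMS binding above, reporting every role each KSA holds and flagging any beyond roles/viewer and the KMS role. It runs on a constructed policy document in the shape of `gcloud projects get-iam-policy $PROJECT_ID --format=json` output; the function names, project number and project ID are assumptions.

```python
import json

# Constructed stand-ins for $PROJECT_NUMBER, $PROJECT_ID and $NAMESPACE (not real values)
PROJECT_NUMBER = "123456789012"
PROJECT_ID = "example-project"
NAMESPACE = "mission-control"

# The three KSAs the docs bind, and the roles the docs grant them
KSAS = ("mission-control-sa", "canary-checker-sa", "config-db-sa")
ALLOWED_ROLES = {"roles/viewer", "roles/cloudkms.cryptoKeyEncrypterDecrypter"}


def ksa_principal(project_number, project_id, namespace, ksa):
    """Member string in the same form as the docs' --member for a GKE Workload Identity KSA."""
    return (f"principal://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{project_id}.svc.id.goog/subject/ns/{namespace}/sa/{ksa}")


def _member(ksa):
    return ksa_principal(PROJECT_NUMBER, PROJECT_ID, NAMESPACE, ksa)


# Constructed sample policy: viewer on all three KSAs, KMS on mission-control-sa,
# plus an over-broad roles/editor grant on config-db-sa that the audit should flag.
SAMPLE_POLICY = json.loads(json.dumps({"bindings": [
    {"role": "roles/viewer", "members": [_member(k) for k in KSAS]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": [_member("mission-control-sa")]},
    {"role": "roles/editor", "members": [_member("config-db-sa"), "user:admin@example.com"]},
]}))


def audit_ksa_roles(policy, project_number, project_id, namespace,
                    ksas=KSAS, allowed=ALLOWED_ROLES):
    """Return (roles_by_ksa, excess_by_ksa): every role bound to each KSA principal,
    and the subset of those roles outside the allowed set (empty when least privilege holds)."""
    bound = {ksa: set() for ksa in ksas}
    for binding in policy.get("bindings", []):
        members = set(binding.get("members", []))
        for ksa in ksas:
            if ksa_principal(project_number, project_id, namespace, ksa) in members:
                bound[ksa].add(binding["role"])
    roles = {ksa: sorted(r) for ksa, r in bound.items()}
    excess = {ksa: sorted(r - allowed) for ksa, r in bound.items() if r - allowed}
    return roles, excess


if __name__ == "__main__":
    roles, excess = audit_ksa_roles(SAMPLE_POLICY, PROJECT_NUMBER, PROJECT_ID, NAMESPACE)
    for ksa, bound_roles in roles.items():
        print(f"{ksa}: {', '.join(bound_roles) or '(no bindings)'}")
    for ksa, extra in excess.items():
        print(f"WARNING {ksa} holds roles beyond the documented set: {', '.join(extra)}")
```

Against a live project, replace SAMPLE_POLICY with the parsed output of the gcloud command in the lead-in; a KSA with no bindings at all is also worth noticing, since scraping will fail without roles/viewer.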

Create a Mission Control connection

gcpkms.yaml
---
# yaml-language-server: $schema=../../config/schemas/connection.schema.json
apiVersion: mission-control.flanksource.com/v1
kind: Connection
metadata:
  name: flanksource-gcpkms
spec:
  gcpkms:
    keyID: projects/flanksource-sandbox/locations/global/keyRings/sops-keyring/cryptoKeys/sops-key
    certificate:
      valueFrom:
        secretKeyRef:
          name: flanksource-gcloud
          key: credentials

Update Mission Control Helm Values

Set kmsConnection to the KMS connection reference used by your installation:

apiVersion: v1
kind: Namespace
metadata:
  name: mission-control
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: flanksource
  namespace: mission-control
spec:
  interval: 5m0s
  url: https://flanksource.github.io/charts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: mission-control-agent
  namespace: mission-control
spec:
  chart:
    spec:
      chart: mission-control-agent
      sourceRef:
        kind: HelmRepository
        name: flanksource
        namespace: mission-control
  interval: 5m
  values:
    upstream:
      agent: YOUR_LOCAL_NAME
      username: token
      password:
      host:
    kmsConnection: "connection://<namespace>/<kms-connection-name>"

See values.yaml

Next Steps