code for article pfeilbr/control-plane-playground
learn Control Plane
General
- multi-cloud (aws, azure, gcp)
- costs - compute, memory and egress are passed along to customer
- move off of platfrom team.
- checking latency 10xs per sec
- health check - multi-cloud for everything. resilient.
- dns is 2 major providers - rt 53, constellex
- graphana under the covers
- control plane can use oidc connect for aws identity (Creating OpenID Connect (OIDC) identity providers)
- reduced complexity for eng teams
- agent (ec2 instance) needs to run in vpc
- creates a wiregaurd connection to hub.controlplane.com
- agent can run on a local server
- secrets management is built in
- cli and tf provider (verified)
Concepts
- Org - strictly isolated bounded context that encapsulates all the resources managed by Control Plane
- Global Virtual Cloud (GVC) - defines a set of cloud providers and their locations.
- Workloads - you specify a container image. this is the unit of deployment.
- Policy - governs resource access within an org to a set of principals. It enables fine-grained authorization rules to define the minimum amount of permissions required when accessing resources of the platform.
- Principal Types
- supports 4 principal types.
- Users
- Service Accounts
- Groups
- Identity
- supports 4 principal types.
- Accessing Cloud Resources
- Erik - director of cust success
IAM Roles
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateRoles",
"Effect": "Allow",
"Action": [
"iam:CreatePolicy",
"iam:UpdateAssumeRolePolicy",
"iam:DetachRolePolicy",
"iam:TagRole",
"iam:UpdateRoleDescription",
"iam:DeletePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:UpdateRole",
"iam:PutRolePolicy",
"iam:TagPolicy"
],
"Resource": "*"
}
]
}
trust policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::957753459089:user/controlplane-driver",
"arn:aws:iam::957753459089:role/controlplane-driver"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "org-dev-01"
}
}
}
]
}
Demo
# cli usage only for the deployment of resources
Questions
- recommendation for secrets storage (api keys, db creds, etc.)
- “secrets” concept
- is there an iac solution for provisioning workload? what is used for “repeatability”
Resources
- Control Plane
- https://docs.controlplane.com/
- https://registry.terraform.io/providers/controlplane-com/cpln/latest
Twitter • Reddit