7 Platform Control Plane Foundations


This chapter covers

  • Managing Cloud Account Baseline Settings
  • Defining the Transit Network Layer
  • Separating Customer Identity
  • Deploying the Cloud Service Control Plane

Previously, we started building the Epetech engineering platform by gathering the required resources. We also bootstrapped the initial pipeline, which manages the service accounts and roles that our infrastructure pipelines will use. We initially had to run that configuration from our laptops to create the service accounts and the role that manages permissions, but from this point on both are managed directly by the pipeline whenever we change the repository. We began with the same developer tools we will provide to our internal customers: source control, secrets management, and pipeline orchestration. Remember that our goal in this section of the book is to establish the foundation of the Epetech engineering platform. With the IAM roles pipeline bootstrapped, we can proceed to the foundational components of the platform. The overall product goal for our engineering platform is to give Epetech developers access to all the resources they need to build, release, and operate software independently, without the usual engineering friction. Every component of our platform needs to be resilient. This goes beyond merely including redundancy to minimize the impact of failure.

7.1 Cloud Account Baseline

7.1.1 Account Baseline Security Scanning

7.1.2 Account Baseline Observability

7.1.3 Hosted Zones and Delegated Domains

7.2 Transit Network Layer

7.2.1 Role-based Network Structure

7.3 Customer Identity

7.3.1 Authentication and Authorization

7.3.2 OIDC Device-Auth-Flow and Team Membership Claims

7.3.3 Project 7.1: Configure SaaS Identity Provider for Device Auth Flow

7.4 Cloud Service Control Plane Base

7.4.1 AWS Managed Node Groups

7.4.2 Dependencies for AWS Managed EKS Services

7.4.3 AWS Managed EKS Addons

7.4.4 Integrating an OIDC Provider with the Control Plane Base

7.4.5 Post-Terraform Configuration

7.4.6 Strategy for Testing EKS Base

7.4.7 Project 7.2: Create a Platform CLI that uses the Customer identity provider to generate a customer identity token and a Kubeconfig file for accessing the Kubernetes clusters.

7.5 Summary