marcoacdae7e2015-12-02 15:35:37 +01001
2==================
3Kubernetes Formula
4==================
5
Jakub Pavlik495d06f2016-06-17 11:33:05 +02006Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.
7
This formula deploys a production-ready Kubernetes cluster and can also generate Kubernetes manifests from pillar data.
marcoacdae7e2015-12-02 15:35:37 +01009
10Based on official Kubernetes salt
11https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase
12
Extended with the OpenContrail integration contribution: https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
14
15
16Sample pillars
17==============
18
Container service definitions for pool nodes live under the pillar key ``kubernetes:pool:service:local``:
20
Jakub Pavlik7e985322016-07-17 13:16:15 +020021.. code-block:: yaml
22
parameters:
  kubernetes:
    pool:
      service:
        local:
          enabled: False
          service: libvirt
          cluster: openstack-compute
          namespace: default
          role: ${linux:system:name}
          type: LoadBalancer
          kind: Deployment
          apiVersion: extensions/v1beta1
          replicas: 1
          # host_pid, hostNetwork and privileged (below) together put this
          # workload in the node's PID and network namespaces with full device
          # and capability access, i.e. host-root equivalent. libvirt-compute
          # needs this, but keep the service disabled except on the compute
          # targets that require it and do not copy these flags to other
          # services by default.
          host_pid: True
          nodeSelector:
            - key: openstack
              value: ${linux:system:name}
          hostNetwork: True
          container:
            libvirt-compute:
              privileged: True
              # Image comes from a pillar-provided repository and a mutable tag;
              # pin the tag (or a digest) per release so a re-pull cannot
              # silently change what runs privileged on the host.
              image: ${_param:docker_repository}/libvirt-compute
              tag: ${_param:openstack_container_tag}
Ales Komarek688a04c2016-07-15 15:12:30 +020047
48Master definition
49
marcoacdae7e2015-12-02 15:35:37 +010050.. code-block:: yaml
51
kubernetes:
  master:
    addons:
      dns:
        domain: cluster.local
        enabled: true
        replicas: 1
        server: 10.254.0.10
      heapster_influxdb:
        enabled: true
        # Addons are published on routable public addresses here; anything
        # that reaches them is protected only by the basic-auth credentials
        # under admin: below. Use internal addresses unless public exposure
        # is intended and fronted by proper authentication.
        public_ip: 185.22.97.132
      ui:
        enabled: true
        public_ip: 185.22.97.131
    admin:
      # Placeholder credentials for the sample only. These are the cluster
      # admin basic-auth credentials: set a strong, unique password per
      # deployment and do not commit the real value to a pillar tree kept in
      # plain-text VCS.
      password: password
      username: admin
    apiserver:
      address: 10.0.175.100
      # 8080 is presumably the apiserver's insecure port (plaintext, no
      # authentication) -- the TLS listener is configured separately via
      # secure_port. Bound to a routable address as here it hands full
      # cluster-admin API access to anything on that network; keep it on
      # loopback or firewall it to the control-plane hosts.
      port: 8080
      ca: kubernetes
      enabled: true
    etcd:
      host: 127.0.0.1
      members:
        - host: 10.0.175.100
          name: node040
      name: node040
      # Appears to be the etcd cluster token; it is a published sample value,
      # generate a fresh random one per cluster.
      token: ca939ec9c2a17b0786f6d411fe019e9b
    kubelet:
      # Lets any pod in the cluster request privileged mode; required for the
      # libvirt/compute containers above, but widen the blast radius of any
      # compromised workload that can create pods.
      allow_privileged: true
    network:
      engine: calico
      # 32 hex characters suggests an MD5 digest of the downloaded calico
      # binary. MD5 is not collision resistant; if the formula supports a
      # SHA-256 checksum, prefer it for verifying the download.
      hash: fb5e30ebe6154911a66ec3fb5f1195b2
      private_ip_range: 10.150.0.0/16
      version: v0.19.0
    service_addresses: 10.254.0.0/16
    storage:
      engine: glusterfs
      members:
        - host: 10.0.175.101
          port: 24007
        - host: 10.0.175.102
          port: 24007
        - host: 10.0.175.103
          port: 24007
      port: 24007
    token:
      # Static bearer tokens for each component; the admin token is
      # cluster-admin. Every value below is a published sample -- never reuse
      # them. Generate unique random tokens per deployment and treat this
      # pillar as secret material (restricted pillar targeting, encrypted
      # pillar renderer, no plain-text commits).
      admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
      controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
      dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
      kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
      kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
      logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
      monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
      scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
    version: v1.2.4
109
marcoacdae7e2015-12-02 15:35:37 +0100110
kubernetes:
  pool:
    # Presumably the kubelet bind address; 0.0.0.0 listens on every interface.
    # The kubelet API can exec into and start containers, so restrict it at
    # the network level to the control plane.
    address: 0.0.0.0
    allow_privileged: true
    ca: kubernetes
    cluster_dns: 10.254.0.10
    cluster_domain: cluster.local
    enabled: true
    kubelet:
      allow_privileged: true
      # Static-pod manifest directory: anything able to write here gets a pod
      # started on this node with whatever spec it writes, so keep it
      # root-owned and not writable by unprivileged users.
      config: /etc/kubernetes/manifests
      frequency: 5s
    master:
      apiserver:
        members:
          - host: 10.0.175.100
      etcd:
        members:
          - host: 10.0.175.100
      host: 10.0.175.100
    network:
      engine: calico
      # Must match the master's network hash/version so every node verifies
      # and runs the same binary.
      hash: fb5e30ebe6154911a66ec3fb5f1195b2
      version: v0.19.0
    token:
      # Sample values -- use the per-deployment tokens generated for the master
      # (they must match kubernetes:master:token on the master nodes).
      kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
      kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
    version: v1.2.4
marcoacdae7e2015-12-02 15:35:37 +0100139
140
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200141
142Kubernetes with OpenContrail network plugin
143------------------------------------------------
marcoacdae7e2015-12-02 15:35:37 +0100144
145On Master:
146
147.. code-block:: yaml
148
kubernetes:
  master:
    network:
      engine: opencontrail
      # Contrail API endpoint. No credentials or TLS settings appear in this
      # sample, so the API must be reachable only from the control-plane
      # network.
      host: 10.0.170.70
      port: 8082
      default_domain: default-domain
      default_project: default-domain:default-project
      public_network: default-domain:default-project:Public
      public_ip_range: 185.22.97.128/26
      private_ip_range: 10.150.0.0/16
      service_cluster_ip_range: 10.254.0.0/16
      network_label: name
      service_label: uses
      cluster_service: kube-system/default
      network_manager:
        # Pulled from a personal Docker Hub namespace by a mutable tag. For
        # production, mirror the image to a registry you control and pin a
        # digest (or at least an immutable tag); this component presumably
        # programs the cluster network.
        image: pupapaik/opencontrail-kube-network-manager
        tag: release-1.1-jpa-final-1
167
168On pools:
169
170.. code-block:: yaml
171
kubernetes:
  pool:
    network:
      # Must match the engine configured under kubernetes:master:network.
      engine: opencontrail
176
Jakub Pavlik1cfc1fe2016-07-25 11:01:52 +0200177Kubernetes control plane running in systemd
178-------------------------------------------
179
By default kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and etcd run as Docker containers started from static manifests. For a stable production environment they should run as systemd services instead.
181
182.. code-block:: yaml
183
# These are two separate pillar entries (one for master nodes, one for pool
# nodes), not a single YAML document: one document with two `kubernetes:`
# top-level keys would keep only the last one.
kubernetes:
  master:
    container: false

kubernetes:
  pool:
    container: false
191
Because the Kubernetes services run as the unprivileged ``kube`` user, which cannot bind ports below 1024, the apiserver's secure (TLS) port must be moved to a high port. Update any firewall rules, load balancer and kubeconfig entries that reference the old port accordingly.
193
194.. code-block:: yaml
195
kubernetes:
  master:
    apiserver:
      # Unprivileged processes cannot bind ports < 1024, so the TLS listener
      # is moved to a high port. This only relocates the secure port: the
      # plaintext apiserver port (8080 in the samples above) is unaffected,
      # and every client (kubeconfig, kubelet/kube-proxy settings, firewall
      # rules, load balancer) must be pointed at 8081.
      secure_port: 8081
200
marcoacdae7e2015-12-02 15:35:37 +0100201Kubernetes with Flannel
202-----------------------
203
204On Master:
205
206.. code-block:: yaml
207
kubernetes:
  master:
    network:
      engine: flannel
    # If you don't register master as node:
    etcd:
      # flannel keeps its subnet allocations in etcd. These entries are plain
      # host:port with no TLS or auth options shown, so anyone who can reach
      # 4001 on these hosts can read and rewrite the cluster network (and, if
      # this is the same etcd the apiserver uses, all cluster state). Restrict
      # the port to the cluster nodes.
      members:
        - host: 10.0.175.101
          port: 4001
        - host: 10.0.175.102
          port: 4001
        - host: 10.0.175.103
          port: 4001
  common:
    network:
      engine: flannel
224
225On pools:
226
227.. code-block:: yaml
228
kubernetes:
  pool:
    network:
      engine: flannel
    etcd:
      # Same etcd endpoints as on the master; plaintext host:port with no
      # TLS/auth options shown, so keep 4001 reachable only from cluster
      # nodes.
      members:
        - host: 10.0.175.101
          port: 4001
        - host: 10.0.175.102
          port: 4001
        - host: 10.0.175.103
          port: 4001
  common:
    network:
      engine: flannel
244
245Kubernetes with Calico
246-----------------------
247
248On Master:
249
250.. code-block:: yaml
251
kubernetes:
  master:
    network:
      engine: calico
    # If you don't register master as node:
    etcd:
      # calico stores its policy and IP pool data in etcd. No TLS or auth
      # options appear here, so any host that can reach 4001 can rewrite
      # network policy; restrict the port to cluster nodes.
      members:
        - host: 10.0.175.101
          port: 4001
        - host: 10.0.175.102
          port: 4001
        - host: 10.0.175.103
          port: 4001
marcoacdae7e2015-12-02 15:35:37 +0100265
266On pools:
267
268.. code-block:: yaml
269
kubernetes:
  pool:
    network:
      engine: calico
    etcd:
      # Same etcd endpoints as on the master; plaintext host:port with no
      # TLS/auth options shown -- keep 4001 reachable only from cluster nodes.
      members:
        - host: 10.0.175.101
          port: 4001
        - host: 10.0.175.102
          port: 4001
        - host: 10.0.175.103
          port: 4001
marcoacdae7e2015-12-02 15:35:37 +0100282
Jakub Pavlik7e985322016-07-17 13:16:15 +0200283Post deployment configuration
284
285.. code-block:: bash
Jakub Pavlik232833c2016-07-17 13:21:00 +0200286
# set ETCD
# calicoctl talks to etcd directly. This is a plain host:port with no TLS
# settings; if your etcd is TLS-protected, calicoctl presumably needs the
# corresponding scheme/certificate variables as well. The address also differs
# from the 10.0.175.x members used in the pillar samples above -- substitute
# your own cluster's etcd endpoint.
export ETCD_AUTHORITY=10.0.111.201:4001

# Set NAT for pods subnet
# NOTE(review): 192.168.0.0/16 does not match the private_ip_range
# (10.150.0.0/16) used in the master samples; pass the pod CIDR you configured.
calicoctl pool add 192.168.0.0/16 --nat-outgoing

# Status commands
calicoctl status
calicoctl node show
296
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200297Kubernetes with GlusterFS for storage
298---------------------------------------------
299
300.. code-block:: yaml
301
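kubernetes:
  master:
    # ...
    storage:
      engine: glusterfs
      # GlusterFS management port. No auth or TLS options are shown here, so
      # any node or pod that can reach 24007 on the members can mount the
      # volumes; keep the Gluster hosts on the node network and restrict the
      # port.
      port: 24007
      members:
        - host: 10.0.175.101
          port: 24007
        - host: 10.0.175.102
          port: 24007
        - host: 10.0.175.103
          port: 24007
    # ...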
316
marco45fc1b72016-07-02 16:11:18 +0200317Kubernetes namespaces
318---------------------
319
320Create namespace:
321
322.. code-block:: yaml
323
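kubernetes:
  master:
    # ...
    namespace:
      kube-system:
        enabled: True
      namespace2:
        enabled: True
      # NOTE(review): whether False deletes an existing namespace (and every
      # object in it) or only skips creating it is not shown here -- check the
      # formula's state before disabling a populated namespace.
      namespace3:
        enabled: False
    # ...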
335
336Kubernetes labels
337-----------------
338
Create labels:
340
341.. code-block:: yaml
342
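kubernetes:
  pool:
    # ...
    host:
      label:
        key01:
          value: value01
          enable: True
        # NOTE(review): the key here is `enable`, while the rest of this formula
        # uses `enabled`; it is kept as in the original -- confirm against the
        # formula before renaming.
        key02:
          value: value02
          enable: False
      name: ${linux:system:name}
    # ...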
356
marcof7efecb2016-07-16 16:13:37 +0200357Pull images from private registries
358-----------------------------------
359
360.. code-block:: yaml
361
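kubernetes:
  master:
    # ...
    registry:
      secret:
        registry01:
          enabled: True
          # Base64 of the Docker client config, which carries the registry
          # credentials in the clear (base64 is encoding, not encryption).
          # Use `base64 -w 0` (GNU coreutils) so the value is a single line
          # rather than 76-column wrapped output, and keep this pillar out of
          # plain-text VCS (e.g. an encrypted pillar renderer).
          key: (get from `base64 -w 0 /root/.docker/config.json`)
          # Secrets are namespaced: services that reference this pull secret
          # must run in the same namespace.
          namespace: default
    # ...
  control:
    # ...
    service:
      service01:
        # ...
        # NOTE(review): spelled `image_pull_secretes` as in the original;
        # confirm the key name against the formula before changing it.
        image_pull_secretes: registry01
        # ...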
379
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200380Kubernetes Service Definitions in pillars
381==========================================
382
The following samples show how to generate Kubernetes manifests from the same pillar data, giving a single tool for complete infrastructure management.
384
385Deployment manifest
386---------------------
marcoacdae7e2015-12-02 15:35:37 +0100387
388.. code-block:: yaml
389
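salt:
  control:
    enabled: True
    hostNetwork: True
    service:
      memcached:
        # privileged + hostNetwork give this pod host-level access; a memcached
        # server needs neither. Set them only for workloads that actually
        # require host devices or namespaces.
        privileged: True
        service: memcached
        role: server
        type: LoadBalancer
        replicas: 3
        kind: Deployment
        apiVersion: extensions/v1beta1
        ports:
          - port: 8774
            name: nova-api
          - port: 8775
            name: nova-metadata
        volume:
          volume_name:
            type: hostPath
            mount: /certs
            path: /etc/certs
        container:
          memcached:
            image: memcached
            # Quoted so YAML keeps the tag a string; the original `tag:2` was
            # missing the space and would not parse as a key/value pair.
            tag: "2"
            ports:
              - port: 8774
                name: nova-api
              - port: 8775
                name: nova-metadata
            variables:
              # Trailing colon removed from the original `HTTP_TLS_CERTIFICATE:`.
              - name: HTTP_TLS_CERTIFICATE
                value: /certs/domain.crt
              - name: HTTP_TLS_KEY
                value: /certs/domain.key
            volumes:
              # hostPath mounts the node's /etc/certs into the container,
              # including the private key referenced above; only pods that
              # must terminate TLS should get this volume.
              - name: /etc/certs
                type: hostPath
                mount: /certs
                path: /etc/certs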
432
433Volumes
434-------
435
436hostPath
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200437==========
marcoacdae7e2015-12-02 15:35:37 +0100438
439.. code-block:: yaml
440
container:
  memcached:
    # ...
    volumes:
      # A hostPath volume exposes the node's /etc/certs inside the container.
      # Files mounted this way are shared with every pod that declares the same
      # path; limit it to the pods that need the certificates and avoid mounting
      # broader host directories (e.g. /etc, /var/run/docker.sock).
      - name: /etc/certs
        mount: /certs
        type: hostPath
        path: /etc/certs
449
450emptyDir
Ales Komarek688a04c2016-07-15 15:12:30 +0200451========
marcoacdae7e2015-12-02 15:35:37 +0100452
453.. code-block:: yaml
454
container:
  memcached:
    # ...
    volumes:
      # emptyDir is node-local scratch space tied to the pod's lifetime; it is
      # discarded with the pod, so do not use it for data that must survive a
      # reschedule.
      - name: /etc/certs
        mount: /certs
        type: emptyDir
Jakub Pavlik27ad3a62016-08-05 11:39:45 +0200462
463Documentation and Bugs
464============================
465
466To learn how to deploy OpenStack Salt, consult the documentation available
467online at:
468
469 https://wiki.openstack.org/wiki/OpenStackSalt
470
471In the unfortunate event that bugs are discovered, they should be reported to
472the appropriate bug tracker. If you obtained the software from a 3rd party
473operating system vendor, it is often wise to use their own bug tracker for
474reporting problems. In all other cases use the master OpenStack bug tracker,
475available at:
476
 https://bugs.launchpad.net/openstack-salt
478
479Developers wishing to work on the OpenStack Salt project should always base
480their work on the latest formulas code, available from the master GIT
481repository at:
482
483 https://git.openstack.org/cgit/openstack/salt-formula-kubernetes
484
485Developers should also join the discussion on the IRC list, at:
486
487 https://wiki.openstack.org/wiki/Meetings/openstack-salt