
==================
Kubernetes Formula
==================

Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.

This formula deploys production-ready Kubernetes and generates Kubernetes manifests as well.

Based on the official Kubernetes Salt base:
https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase

Extended with the Contrail contribution: https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md


Sample pillars
==============

**REQUIRED:** Define the images to use for hyperkube, the CNI plugins and calicoctl.

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          hyperkube:
            image: gcr.io/google_containers/hyperkube:v1.4.6
        pool:
          network:
            calicoctl:
              image: calico/ctl
            cni:
              image: calico/cni


Containers in pool definitions (``pool.service.local``):

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          service:
            local:
              enabled: False
              service: libvirt
              cluster: openstack-compute
              namespace: default
              role: ${linux:system:name}
              type: LoadBalancer
              kind: Deployment
              apiVersion: extensions/v1beta1
              replicas: 1
              host_pid: True
              nodeSelector:
              - key: openstack
                value: ${linux:system:name}
              hostNetwork: True
              container:
                libvirt-compute:
                  privileged: True
                  image: ${_param:docker_repository}/libvirt-compute
                  tag: ${_param:openstack_container_tag}

Master definition

.. code-block:: yaml

    kubernetes:
      master:
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
        admin:
          password: password
          username: admin
        apiserver:
          address: 10.0.175.100
          port: 8080
        ca: kubernetes
        enabled: true
        etcd:
          host: 127.0.0.1
          members:
          - host: 10.0.175.100
            name: node040
          name: node040
          token: ca939ec9c2a17b0786f6d411fe019e9b
        kubelet:
          allow_privileged: true
        network:
          engine: calico
          hash: fb5e30ebe6154911a66ec3fb5f1195b2
          private_ip_range: 10.150.0.0/16
          version: v0.19.0
        service_addresses: 10.254.0.0/16
        storage:
          engine: glusterfs
          members:
          - host: 10.0.175.101
            port: 24007
          - host: 10.0.175.102
            port: 24007
          - host: 10.0.175.103
            port: 24007
          port: 24007
        token:
          admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
          controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
          dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
          logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
          monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
          scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
        version: v1.2.4


    kubernetes:
      pool:
        address: 0.0.0.0
        allow_privileged: true
        ca: kubernetes
        cluster_dns: 10.254.0.10
        cluster_domain: cluster.local
        enabled: true
        kubelet:
          allow_privileged: true
          config: /etc/kubernetes/manifests
          frequency: 5s
        master:
          apiserver:
            members:
            - host: 10.0.175.100
          etcd:
            members:
            - host: 10.0.175.100
          host: 10.0.175.100
        network:
          engine: calico
          hash: fb5e30ebe6154911a66ec3fb5f1195b2
          version: v0.19.0
        token:
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
        version: v1.2.4


Kubernetes with OpenContrail network plugin
-------------------------------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          engine: opencontrail
          host: 10.0.170.70
          port: 8082
          default_domain: default-domain
          default_project: default-domain:default-project
          public_network: default-domain:default-project:Public
          public_ip_range: 185.22.97.128/26
          private_ip_range: 10.150.0.0/16
          service_cluster_ip_range: 10.254.0.0/16
          network_label: name
          service_label: uses
          cluster_service: kube-system/default
          network_manager:
            image: pupapaik/opencontrail-kube-network-manager
            tag: release-1.1-jpa-final-1

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: opencontrail

Kubernetes control plane running in systemd
-------------------------------------------

By default kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and etcd run in Docker containers through manifests. For a stable production environment they should run under systemd.

.. code-block:: yaml

    kubernetes:
      master:
        container: false

    kubernetes:
      pool:
        container: false

Because the k8s services run as the kube user without root privileges, the apiserver secure port has to be changed.

.. code-block:: yaml

    kubernetes:
      master:
        apiserver:
          secure_port: 8081

Kubernetes with Flannel
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          engine: flannel
          # If you don't register master as node:
          etcd:
            members:
            - host: 10.0.175.101
              port: 4001
            - host: 10.0.175.102
              port: 4001
            - host: 10.0.175.103
              port: 4001
      common:
        network:
          engine: flannel

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: flannel
          etcd:
            members:
            - host: 10.0.175.101
              port: 4001
            - host: 10.0.175.102
              port: 4001
            - host: 10.0.175.103
              port: 4001
      common:
        network:
          engine: flannel

Kubernetes with Calico
----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          engine: calico
          # If you don't register master as node:
          etcd:
            members:
            - host: 10.0.175.101
              port: 4001
            - host: 10.0.175.102
              port: 4001
            - host: 10.0.175.103
              port: 4001

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: calico
          etcd:
            members:
            - host: 10.0.175.101
              port: 4001
            - host: 10.0.175.102
              port: 4001
            - host: 10.0.175.103
              port: 4001

Post deployment configuration:

.. code-block:: bash

    # set ETCD
    export ETCD_AUTHORITY=10.0.111.201:4001

    # Set NAT for pods subnet
    calicoctl pool add 192.168.0.0/16 --nat-outgoing

    # Status commands
    calicoctl status
    calicoctl node show

Kubernetes with GlusterFS for storage
-------------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        storage:
          engine: glusterfs
          port: 24007
          members:
          - host: 10.0.175.101
            port: 24007
          - host: 10.0.175.102
            port: 24007
          - host: 10.0.175.103
            port: 24007
        ...

Kubernetes namespaces
---------------------

Create namespaces:

.. code-block:: yaml

    kubernetes:
      master:
        ...
        namespace:
          kube-system:
            enabled: True
          namespace2:
            enabled: True
          namespace3:
            enabled: False
        ...

Kubernetes labels
-----------------

Define node labels:

.. code-block:: yaml

    kubernetes:
      pool:
        ...
        host:
          label:
            key01:
              value: value01
              enable: True
            key02:
              value: value02
              enable: False
          name: ${linux:system:name}
        ...

Pull images from private registries
-----------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        registry:
          secret:
            registry01:
              enabled: True
              key: (get from `cat /root/.docker/config.json | base64`)
              namespace: default
        ...
      control:
        ...
        service:
          service01:
            ...
            image_pull_secretes: registry01
        ...

Kubernetes Service Definitions in pillars
=========================================

The following samples show how to generate Kubernetes manifests as well, providing a single tool for complete infrastructure management.

Deployment manifest
-------------------

.. code-block:: yaml

    salt:
      control:
        enabled: True
        hostNetwork: True
        service:
          memcached:
            privileged: True
            service: memcached
            role: server
            type: LoadBalancer
            replicas: 3
            kind: Deployment
            apiVersion: extensions/v1beta1
            ports:
            - port: 8774
              name: nova-api
            - port: 8775
              name: nova-metadata
            volume:
              volume_name:
                type: hostPath
                mount: /certs
                path: /etc/certs
            container:
              memcached:
                image: memcached
                tag: 2
                ports:
                - port: 8774
                  name: nova-api
                - port: 8775
                  name: nova-metadata
                variables:
                - name: HTTP_TLS_CERTIFICATE
                  value: /certs/domain.crt
                - name: HTTP_TLS_KEY
                  value: /certs/domain.key
                volumes:
                - name: /etc/certs
                  type: hostPath
                  mount: /certs
                  path: /etc/certs

PetSet manifest
---------------

.. code-block:: yaml

    service:
      memcached:
        apiVersion: apps/v1alpha1
        kind: PetSet
        service_name: 'memcached'
        container:
          memcached:
            ...


Configmap
---------

ConfigMaps can be created using the support layer between formulas.
It works simply: e.g. the nova formula contains a file ``meta/config.yml``
that defines the config files used by that service and its roles.

The Kubernetes formula is able to generate these files using a custom pillar
and grains structure. This way you can run Docker images built in any way
while still re-using your configuration management.

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        config_type: default|kubernetes  # Output is k8s yaml or default single files
        configmap:
          nova-control:
            grains:
              # Alternate grains, as the OS running in the container may differ
              # from the salt minion OS. Needed only if grains matter for config
              # generation.
              os_family: Debian
            pillar:
              # Generic pillar for nova controller
              nova:
                controller:
                  enabled: true
                  version: liberty
                  ...

To mark which services support config generation, the service pillar must
contain a structure like this:

.. code-block:: yaml

    nova:
      _support:
        config:
          enabled: true

initContainers
--------------

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            init_containers:
            - name: test-mysql
              image: busybox
              command:
              - sleep
              - 3600
              volumes:
              - name: config
                mount: /test
            - name: test-memcached
              image: busybox
              command:
              - sleep
              - 3600
              volumes:
              - name: config
                mount: /test

Affinity
--------

podAffinity
===========

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              pod_affinity:
                name: podAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                    - key: app
                      value: memcached
                topology_key: kubernetes.io/hostname

podAntiAffinity
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              anti_affinity:
                name: podAntiAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                    - key: app
                      value: opencontrail-control
                topology_key: kubernetes.io/hostname

nodeAffinity
============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              node_affinity:
                name: nodeAffinity
                expression:
                  match_expressions:
                    name: matchExpressions
                    selectors:
                    - key: key
                      operator: In
                      values:
                      - value1
                      - value2

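The three affinity pillars above map onto one ``affinity`` field of the pod template. The following is an added example, not the formula's own Jinja template; it assumes the ``name`` keys carry the Kubernetes field names literally and that every rule becomes a hard (``requiredDuringScheduling...``) constraint, and the sample pillar is constructed here.

```python
# Added example (not the formula's own template): map the affinity pillar
# documented above onto a pod spec "affinity" field. Assumptions: the "name"
# keys carry Kubernetes field names literally, and every rule is rendered as a
# hard (required) scheduling constraint.
AFFINITY_PILLAR = {  # constructed sample mirroring the three pillars above
    "pod_affinity": {
        "name": "podAffinity",
        "expression": {"label_selector": {
            "name": "labelSelector",
            "selectors": [{"key": "app", "value": "memcached"}]}},
        "topology_key": "kubernetes.io/hostname"},
    "anti_affinity": {
        "name": "podAntiAffinity",
        "expression": {"label_selector": {
            "name": "labelSelector",
            "selectors": [{"key": "app", "value": "opencontrail-control"}]}},
        "topology_key": "kubernetes.io/hostname"},
    "node_affinity": {
        "name": "nodeAffinity",
        "expression": {"match_expressions": {
            "name": "matchExpressions",
            "selectors": [{"key": "key", "operator": "In",
                           "values": ["value1", "value2"]}]}}},
}

REQUIRED = "requiredDuringSchedulingIgnoredDuringExecution"

def render_affinity(pillar):
    """Return the `affinity` field for a pod template, or {} if none is set."""
    out = {}
    for rule in ("pod_affinity", "anti_affinity"):
        if rule not in pillar:
            continue
        r = pillar[rule]
        sel = r["expression"]["label_selector"]
        # Pod (anti-)affinity terms carry a label selector plus a topology key.
        out[r["name"]] = {REQUIRED: [{
            sel["name"]: {"matchLabels": {s["key"]: s["value"] for s in sel["selectors"]}},
            "topologyKey": r["topology_key"]}]}
    if "node_affinity" in pillar:
        r = pillar["node_affinity"]
        me = r["expression"]["match_expressions"]
        # Node affinity nests its expressions under nodeSelectorTerms instead.
        out[r["name"]] = {REQUIRED: {"nodeSelectorTerms": [{
            me["name"]: [{"key": s["key"], "operator": s["operator"],
                          "values": list(s["values"])} for s in me["selectors"]]}]}}
    return out
```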
Volumes
-------

hostPath
========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
            - name: volume1
              mountPath: /volume
              readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: hostPath
            path: /etc/certs

emptyDir
========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
            - name: volume1
              mountPath: /volume
              readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: emptyDir

configMap
=========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
            - name: volume1
              mountPath: /volume
              readOnly: True
        ...
        volume:
          volume1:
            type: config_map
            item:
              configMap1:
                key: config.conf
                path: config.conf
              configMap2:
                key: policy.json
                path: policy.json

To mount a single configuration file instead of the whole directory:

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
            - name: volume1
              mountPath: /volume/config.conf
              sub_path: config.conf

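The Deployment manifest and Volumes sections above describe one pillar shape that the formula turns into a manifest. The following added example (not the formula's own Jinja template) renders that shape into a Deployment and then lists the host-level privileges the sample pillars enable (``privileged``, ``hostNetwork``, ``hostPath``), which is the part a reviewer wants to see before the manifest is applied. The field mapping, the ``render_*``/``audit`` names and the sample pillar are assumptions made here.

```python
# Added example (not the formula's own Jinja template): render the README's
# kubernetes:control:service pillar shape into a Deployment, then audit it.
PILLAR = {  # constructed sample mirroring the memcached examples above
    "privileged": True, "hostNetwork": True, "replicas": 3,
    "kind": "Deployment", "apiVersion": "extensions/v1beta1",
    "container": {"memcached": {
        "image": "memcached", "tag": "2",
        "ports": [{"port": 8774, "name": "nova-api"}],
        "variables": [{"name": "HTTP_TLS_KEY", "value": "/certs/domain.key"}],
        "volumes": [{"name": "certs", "mountPath": "/certs", "readOnly": True},
                    {"name": "cfg", "mountPath": "/etc/memcached/config.conf",
                     "sub_path": "config.conf"}]}},
    "volume": {"certs": {"type": "hostPath", "path": "/etc/certs"},
               "cfg": {"type": "config_map", "item": {
                   "configMap1": {"key": "config.conf", "path": "config.conf"}}}},
}

def render_volume(name, spec):
    """Map the README's volume types onto Kubernetes volume sources."""
    if spec["type"] == "hostPath":
        return {"name": name, "hostPath": {"path": spec["path"]}}
    if spec["type"] == "emptyDir":
        return {"name": name, "emptyDir": {}}
    if spec["type"] == "config_map":
        items = [{"key": i["key"], "path": i["path"]} for i in spec["item"].values()]
        return {"name": name, "configMap": {"name": name, "items": items}}
    raise ValueError("unsupported volume type: %s" % spec["type"])

def render_mount(v):
    """sub_path mounts a single key as a file instead of the whole directory."""
    m = {"name": v["name"], "mountPath": v["mountPath"], "readOnly": bool(v.get("readOnly"))}
    if "sub_path" in v:
        m["subPath"] = v["sub_path"]
    return m

def render_deployment(name, svc):
    containers = [{
        "name": cname, "image": "%s:%s" % (c["image"], c["tag"]),
        "ports": [{"containerPort": p["port"], "name": p["name"]} for p in c.get("ports", [])],
        "env": [{"name": e["name"], "value": e["value"]} for e in c.get("variables", [])],
        "volumeMounts": [render_mount(v) for v in c.get("volumes", [])],
        "securityContext": {"privileged": bool(svc.get("privileged"))},
    } for cname, c in svc["container"].items()]
    pod = {"hostNetwork": bool(svc.get("hostNetwork")), "containers": containers,
           "volumes": [render_volume(n, s) for n, s in svc.get("volume", {}).items()]}
    return {"apiVersion": svc["apiVersion"], "kind": svc["kind"], "metadata": {"name": name},
            "spec": {"replicas": svc["replicas"], "template": {"spec": pod}}}

def audit(manifest):
    """List host-level privileges in a rendered manifest that need sign-off."""
    pod = manifest["spec"]["template"]["spec"]
    found = ["hostNetwork"] if pod["hostNetwork"] else []
    found += ["privileged:" + c["name"] for c in pod["containers"] if c["securityContext"]["privileged"]]
    found += ["hostPath:" + v["hostPath"]["path"] for v in pod["volumes"] if "hostPath" in v]
    return found
```

Running ``audit(render_deployment("memcached", PILLAR))`` on the sample returns the three findings a privileged, host-networked pod with a hostPath mount produces; an emptyDir-only, unprivileged service returns none.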
Generating Jobs
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          sleep:
            job: sleep
            restart_policy: Never
            container:
              sleep:
                image: busybox
                tag: latest
                command:
                - sleep
                - "3600"

Volumes and variables can be used in the same way as during Deployment generation.

Custom params:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          host_network: True
          host_pid: True
          container:
            sleep:
              privileged: True
          node_selector:
            key: node
            value: one
          image_pull_secretes: password

Documentation and Bugs
======================

To learn how to deploy OpenStack Salt, consult the documentation available
online at:

    https://wiki.openstack.org/wiki/OpenStackSalt

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a 3rd party
operating system vendor, it is often wise to use their own bug tracker for
reporting problems. In all other cases use the master OpenStack bug tracker,
available at:

    http://bugs.launchpad.net/openstack-salt

Developers wishing to work on the OpenStack Salt project should always base
their work on the latest formulas code, available from the master GIT
repository at:

    https://git.openstack.org/cgit/openstack/salt-formula-kubernetes

Developers should also join the discussion on the IRC list, at:

    https://wiki.openstack.org/wiki/Meetings/openstack-salt

Copyright and authors
=====================

(c) 2016 tcp cloud a.s.
(c) 2016 OpenStack Foundation