==================
Kubernetes Formula
==================

Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.

This formula deploys production-ready Kubernetes and generates Kubernetes manifests as well.

Based on the official Kubernetes salt:
https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase

Extended with the Contrail contribution: https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md


Sample pillars
==============

**REQUIRED:** Define the images to use for hyperkube, the CNI plugin and calicoctl:

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          hyperkube:
            image: gcr.io/google_containers/hyperkube:v1.4.6
        pool:
          network:
            calicoctl:
              image: calico/ctl
            cni:
              image: calico/cni

Pass additional parameters to the daemons:

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          apiserver:
            daemon_opts:
              storage-backend: pigeon
          controller_manager:
            daemon_opts:
              log-dir: /dev/null
        pool:
          kubelet:
            daemon_opts:
              max-pods: "6"

Containers on pool definitions in ``pool.service.local``:

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          service:
            local:
              enabled: False
              service: libvirt
              cluster: openstack-compute
              namespace: default
              role: ${linux:system:name}
              type: LoadBalancer
              kind: Deployment
              apiVersion: extensions/v1beta1
              replicas: 1
              host_pid: True
              nodeSelector:
              - key: openstack
                value: ${linux:system:name}
              hostNetwork: True
              container:
                libvirt-compute:
                  privileged: True
                  image: ${_param:docker_repository}/libvirt-compute
                  tag: ${_param:openstack_container_tag}

Master definition:

.. code-block:: yaml

    kubernetes:
      master:
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
        admin:
          password: password
          username: admin
        apiserver:
          address: 10.0.175.100
          port: 8080
        ca: kubernetes
        enabled: true
        etcd:
          host: 127.0.0.1
          members:
          - host: 10.0.175.100
            name: node040
          name: node040
          token: ca939ec9c2a17b0786f6d411fe019e9b
        kubelet:
          allow_privileged: true
        network:
          engine: calico
          hash: fb5e30ebe6154911a66ec3fb5f1195b2
          private_ip_range: 10.150.0.0/16
          version: v0.19.0
        service_addresses: 10.254.0.0/16
        storage:
          engine: glusterfs
          members:
          - host: 10.0.175.101
            port: 24007
          - host: 10.0.175.102
            port: 24007
          - host: 10.0.175.103
            port: 24007
          port: 24007
        token:
          admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
          controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
          dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
          logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
          monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
          scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
        version: v1.2.4

Pool definition:

.. code-block:: yaml

    kubernetes:
      pool:
        address: 0.0.0.0
        allow_privileged: true
        ca: kubernetes
        cluster_dns: 10.254.0.10
        cluster_domain: cluster.local
        enabled: true
        kubelet:
          allow_privileged: true
          config: /etc/kubernetes/manifests
          frequency: 5s
        master:
          apiserver:
            members:
            - host: 10.0.175.100
          etcd:
            members:
            - host: 10.0.175.100
          host: 10.0.175.100
        network:
          engine: calico
          hash: fb5e30ebe6154911a66ec3fb5f1195b2
          version: v0.19.0
        token:
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
        version: v1.2.4


Kubernetes with OpenContrail network plugin
-------------------------------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          engine: opencontrail
          host: 10.0.170.70
          port: 8082
          default_domain: default-domain
          default_project: default-domain:default-project
          public_network: default-domain:default-project:Public
          public_ip_range: 185.22.97.128/26
          private_ip_range: 10.150.0.0/16
          service_cluster_ip_range: 10.254.0.0/16
          network_label: name
          service_label: uses
          cluster_service: kube-system/default
          network_manager:
            image: pupapaik/opencontrail-kube-network-manager
            tag: release-1.1-jpa-final-1

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: opencontrail

Kubernetes control plane running in systemd
-------------------------------------------

By default kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and etcd run in Docker containers through manifests. For a stable production environment they should run under systemd:

.. code-block:: yaml

    kubernetes:
      master:
        container: false

    kubernetes:
      pool:
        container: false

Because the k8s services then run as the ``kube`` user without root privileges, the apiserver's secure port must be changed to an unprivileged (non-root) port:

.. code-block:: yaml

    kubernetes:
      master:
        apiserver:
          secure_port: 8081

Kubernetes with Flannel
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          engine: flannel
          # If you don't register master as node:
          etcd:
            members:
            - host: 10.0.175.101
              port: 4001
            - host: 10.0.175.102
              port: 4001
            - host: 10.0.175.103
              port: 4001
      common:
        network:
          engine: flannel

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: flannel
          etcd:
            members:
            - host: 10.0.175.101
              port: 4001
            - host: 10.0.175.102
              port: 4001
            - host: 10.0.175.103
              port: 4001
      common:
        network:
          engine: flannel

Kubernetes with Calico
----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          engine: calico
          # If you don't register master as node:
          etcd:
            members:
            - host: 10.0.175.101
              port: 4001
            - host: 10.0.175.102
              port: 4001
            - host: 10.0.175.103
              port: 4001

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: calico
          etcd:
            members:
            - host: 10.0.175.101
              port: 4001
            - host: 10.0.175.102
              port: 4001
            - host: 10.0.175.103
              port: 4001

Post deployment configuration:

.. code-block:: bash

    # set ETCD
    export ETCD_AUTHORITY=10.0.111.201:4001

    # Set NAT for pods subnet
    calicoctl pool add 192.168.0.0/16 --nat-outgoing

    # Status commands
    calicoctl status
    calicoctl node show

Kubernetes with GlusterFS for storage
-------------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        storage:
          engine: glusterfs
          port: 24007
          members:
          - host: 10.0.175.101
            port: 24007
          - host: 10.0.175.102
            port: 24007
          - host: 10.0.175.103
            port: 24007
        ...

Kubernetes namespaces
---------------------

Create namespaces:

.. code-block:: yaml

    kubernetes:
      master:
        ...
        namespace:
          kube-system:
            enabled: True
          namespace2:
            enabled: True
          namespace3:
            enabled: False
        ...

Kubernetes labels
-----------------

Label a node:

.. code-block:: yaml

    kubernetes:
      master:
        label:
          label01:
            value: value01
            node: node01
            enabled: true
            key: key01
        ...

Pull images from private registries
-----------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        registry:
          secret:
            registry01:
              enabled: True
              key: (get from `cat /root/.docker/config.json | base64`)
              namespace: default
        ...
      control:
        ...
        service:
          service01:
            ...
            image_pull_secretes: registry01
            ...

Kubernetes Service Definitions in pillars
=========================================

The following samples show how to generate Kubernetes manifests from pillar as well, providing a single tool for complete infrastructure management.

Deployment manifest
-------------------

.. code-block:: yaml

    salt:
      control:
        enabled: True
        hostNetwork: True
        service:
          memcached:
            privileged: True
            service: memcached
            role: server
            type: LoadBalancer
            replicas: 3
            kind: Deployment
            apiVersion: extensions/v1beta1
            ports:
            - port: 8774
              name: nova-api
            - port: 8775
              name: nova-metadata
            volume:
              volume_name:
                type: hostPath
                mount: /certs
                path: /etc/certs
            container:
              memcached:
                image: memcached
                tag: 2
                ports:
                - port: 8774
                  name: nova-api
                - port: 8775
                  name: nova-metadata
                variables:
                - name: HTTP_TLS_CERTIFICATE
                  value: /certs/domain.crt
                - name: HTTP_TLS_KEY
                  value: /certs/domain.key
                volumes:
                - name: /etc/certs
                  type: hostPath
                  mount: /certs
                  path: /etc/certs

PetSet manifest
---------------

.. code-block:: yaml

    service:
      memcached:
        apiVersion: apps/v1alpha1
        kind: PetSet
        service_name: 'memcached'
        container:
          memcached:
          ...


Configmap
---------

You can create configmaps using the support layer between formulas.
It works simply: e.g. the nova formula contains a file ``meta/config.yml`` which
defines the config files used by that service and its roles.

The Kubernetes formula is able to generate these files using a custom pillar and
grains structure. This way you can run docker images built in any way
while still re-using your configuration management.

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        config_type: default|kubernetes # Output is k8s yaml or (default) single files
        configmap:
          nova-control:
            grains:
              # Alternate grains as OS running in container may differ from
              # salt minion OS. Needed only if grains matter for config
              # generation.
              os_family: Debian
            pillar:
              # Generic pillar for nova controller
              nova:
                controller:
                  enabled: true
                  version: liberty
                  ...

To determine which services support config generation, make sure the pillar
contains a structure like this:

.. code-block:: yaml

    nova:
      _support:
        config:
          enabled: true

initContainers
--------------

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            init_containers:
            - name: test-mysql
              image: busybox
              command:
              - sleep
              - 3600
              volumes:
              - name: config
                mount: /test
            - name: test-memcached
              image: busybox
              command:
              - sleep
              - 3600
              volumes:
              - name: config
                mount: /test

Affinity
--------

podAffinity
~~~~~~~~~~~

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              pod_affinity:
                name: podAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                    - key: app
                      value: memcached
                topology_key: kubernetes.io/hostname

podAntiAffinity
~~~~~~~~~~~~~~~

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              anti_affinity:
                name: podAntiAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                    - key: app
                      value: opencontrail-control
                topology_key: kubernetes.io/hostname

nodeAffinity
~~~~~~~~~~~~

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              node_affinity:
                name: nodeAffinity
                expression:
                  match_expressions:
                    name: matchExpressions
                    selectors:
                    - key: key
                      operator: In
                      values:
                      - value1
                      - value2

Volumes
-------

hostPath
~~~~~~~~

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
            - name: volume1
              mountPath: /volume
              readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: hostPath
            path: /etc/certs

emptyDir
~~~~~~~~

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
            - name: volume1
              mountPath: /volume
              readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: emptyDir

configMap
~~~~~~~~~

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
            - name: volume1
              mountPath: /volume
              readOnly: True
        ...
        volume:
          volume1:
            type: config_map
            item:
              configMap1:
                key: config.conf
                path: config.conf
              configMap2:
                key: policy.json
                path: policy.json

To mount a single configuration file instead of the whole directory:

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
            - name: volume1
              mountPath: /volume/config.conf
              sub_path: config.conf

Generating Jobs
---------------

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          sleep:
            job: sleep
            restart_policy: Never
            container:
              sleep:
                image: busybox
                tag: latest
                command:
                - sleep
                - "3600"

Volumes and variables can be used in the same way as during Deployment generation.

Custom params:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          host_network: True
          host_pid: True
          container:
            sleep:
              privileged: True
          node_selector:
            key: node
            value: one
          image_pull_secretes: password

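The Deployment and Job samples above switch on ``privileged``, ``hostNetwork``/``host_network``, ``host_pid`` and ``hostPath`` volumes, each of which weakens pod isolation. As an added example (not part of the formula), the following script walks a ``kubernetes:control`` pillar (here a constructed Python dict modelled on the samples) and lists every such setting, so it can be run over the rendered pillar before the manifests are applied; the assumption that a control-level ``hostNetwork`` applies to every workload beneath it is the script's own.

```python
"""Audit a salt-formula-kubernetes ``kubernetes:control`` pillar for settings that
weaken pod isolation (privileged, host network/PID namespaces, hostPath volumes,
mutable image tags). Key names follow the README; this is not the formula's code."""

# Constructed sample pillar, modelled on the README's Deployment and Job samples.
SAMPLE_PILLAR = {"kubernetes": {"control": {
    "hostNetwork": True,
    "service": {"memcached": {
        "privileged": True, "kind": "Deployment",
        "volume": {"certs": {"type": "hostPath", "mount": "/certs", "path": "/etc/certs"}},
        "container": {"memcached": {"image": "memcached", "tag": 2}},
    }},
    "job": {"sleep": {
        "host_pid": True,
        "container": {"sleep": {"image": "busybox", "tag": "latest", "privileged": True}},
    }},
}}}


def audit_control_pillar(pillar):
    """Return (workload, finding) tuples for every risky setting found.

    Assumption: a control-level hostNetwork/host_network is treated as the
    default for every service and job defined below it."""
    control = pillar.get("kubernetes", {}).get("control", {})
    default_host_net = bool(control.get("hostNetwork") or control.get("host_network"))
    findings = []
    for kind in ("service", "job"):
        for name, spec in control.get(kind, {}).items():
            wl = f"{kind}/{name}"
            if spec.get("privileged"):
                findings.append((wl, "workload-level privileged: True"))
            if default_host_net or spec.get("hostNetwork") or spec.get("host_network"):
                findings.append((wl, "runs in the host network namespace"))
            if spec.get("host_pid"):
                findings.append((wl, "shares the host PID namespace"))
            for vname, vol in spec.get("volume", {}).items():
                if vol.get("type") == "hostPath":
                    findings.append((wl, f"hostPath volume '{vname}' exposes {vol.get('path')}"))
            for cname, cont in spec.get("container", {}).items():
                if cont.get("privileged"):
                    findings.append((wl, f"container '{cname}' is privileged"))
                if str(cont.get("tag", "latest")) == "latest":
                    findings.append((wl, f"container '{cname}' uses mutable tag 'latest'"))
    return findings


if __name__ == "__main__":
    for workload, finding in audit_control_pillar(SAMPLE_PILLAR):
        print(f"{workload}: {finding}")
```
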
Documentation and Bugs
======================

To learn how to deploy OpenStack Salt, consult the documentation available
online at:

    https://wiki.openstack.org/wiki/OpenStackSalt

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a 3rd party
operating system vendor, it is often wise to use their own bug tracker for
reporting problems. In all other cases use the master OpenStack bug tracker,
available at:

    http://bugs.launchpad.net/openstack-salt

Developers wishing to work on the OpenStack Salt project should always base
their work on the latest formulas code, available from the master GIT
repository at:

    https://git.openstack.org/cgit/openstack/salt-formula-kubernetes

Developers should also join the discussion on the IRC list, at:

    https://wiki.openstack.org/wiki/Meetings/openstack-salt

Copyright and authors
=====================

(c) 2016 tcp cloud a.s.
(c) 2016 OpenStack Foundation

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-kubernetes/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula:

    https://github.com/salt-formulas/salt-formula-kubernetes

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net