marcoacdae7e2015-12-02 15:35:37 +01001
2==================
3Kubernetes Formula
4==================
5
Jakub Pavlik495d06f2016-06-17 11:33:05 +02006Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.
7
This formula deploys a production-ready Kubernetes cluster and generates the Kubernetes manifests as well.
marcoacdae7e2015-12-02 15:35:37 +01009
Based on the official Kubernetes Salt states:
11https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase
12
Extended with the OpenContrail contribution: https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
14
15
16Sample pillars
17==============
18
Container definitions for pool nodes live under ``pool.service.local``:
20
Jakub Pavlik7e985322016-07-17 13:16:15 +020021.. code-block:: yaml
22
parameters:
  kubernetes:
    pool:
      service:
        local:
          # Service is defined but switched off in this sample.
          enabled: false
          service: libvirt
          cluster: openstack-compute
          namespace: default
          role: ${linux:system:name}
          type: LoadBalancer
          kind: Deployment
          apiVersion: extensions/v1beta1
          replicas: 1
          # host_pid, hostNetwork and privileged together give the container
          # host-level access; the nodeSelector below pins it to the node
          # whose name matches the minion.
          host_pid: true
          nodeSelector:
            - key: openstack
              value: ${linux:system:name}
          hostNetwork: true
          container:
            libvirt-compute:
              privileged: true
              image: ${_param:docker_repository}/libvirt-compute
              tag: ${_param:openstack_container_tag}
Ales Komarek688a04c2016-07-15 15:12:30 +020047
48Master definition
49
marcoacdae7e2015-12-02 15:35:37 +010050.. code-block:: yaml
51
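kubernetes:
  master:
    addons:
      dns:
        domain: cluster.local
        enabled: true
        replicas: 1
        server: 10.254.0.10
      heapster_influxdb:
        enabled: true
        public_ip: 185.22.97.132
      ui:
        enabled: true
        public_ip: 185.22.97.131
    # Sample admin credentials: the literal 'password' is a placeholder.
    # Set per-deployment values and keep them out of version control.
    admin:
      password: password
      username: admin
    apiserver:
      address: 10.0.175.100
      # 8080 is the apiserver's plain-HTTP (insecure, unauthenticated) port
      # in this Kubernetes release; keep it reachable from trusted hosts only.
      # The TLS port is set with ``secure_port`` (see the systemd section).
      port: 8080
    ca: kubernetes
    enabled: true
    etcd:
      host: 127.0.0.1
      members:
        - host: 10.0.175.100
          name: node040
      name: node040
      # Sample value; generate a fresh one per cluster.
      token: 'ca939ec9c2a17b0786f6d411fe019e9b'
    kubelet:
      allow_privileged: true
    network:
      engine: calico
      hash: 'fb5e30ebe6154911a66ec3fb5f1195b2'
      private_ip_range: 10.150.0.0/16
      version: v0.19.0
    service_addresses: 10.254.0.0/16
    storage:
      engine: glusterfs
      members:
        - host: 10.0.175.101
          port: 24007
        - host: 10.0.175.102
          port: 24007
        - host: 10.0.175.103
          port: 24007
      port: 24007
    # Per-component tokens. These are sample strings only: generate a unique
    # random token for every component of every deployment. Note the pool
    # sample below repeats the same kubelet and kube_proxy values.
    token:
      admin: 'DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv'
      controller_manager: 'EreGh6AnWf8DxH8cYavB2zS029PUi7vx'
      dns: 'RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3'
      kube_proxy: 'DFvQ8GelB7afH3wClC9romaMPhquyyEe'
      kubelet: '7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r'
      logging: 'MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf'
      monitoring: 'hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd'
      scheduler: 'HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk'
    version: v1.2.4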
109
marcoacdae7e2015-12-02 15:35:37 +0100110
kubernetes:
  pool:
    # Bind address for the node services; 0.0.0.0 means every interface.
    address: 0.0.0.0
    allow_privileged: true
    ca: kubernetes
    cluster_dns: 10.254.0.10
    cluster_domain: cluster.local
    enabled: true
    kubelet:
      allow_privileged: true
      config: /etc/kubernetes/manifests
      frequency: 5s
    # Where this pool node finds its master components.
    master:
      apiserver:
        members:
          - host: 10.0.175.100
      etcd:
        members:
          - host: 10.0.175.100
      host: 10.0.175.100
    network:
      engine: calico
      hash: 'fb5e30ebe6154911a66ec3fb5f1195b2'
      version: v0.19.0
    # Sample tokens; the same two values appear in the master sample above.
    token:
      kube_proxy: 'DFvQ8GelB7afH3wClC9romaMPhquyyEe'
      kubelet: '7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r'
    version: v1.2.4
marcoacdae7e2015-12-02 15:35:37 +0100139
140
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200141
142Kubernetes with OpenContrail network plugin
143------------------------------------------------
marcoacdae7e2015-12-02 15:35:37 +0100144
145On Master:
146
147.. code-block:: yaml
148
kubernetes:
  master:
    network:
      engine: opencontrail
      # Contrail API endpoint.
      host: 10.0.170.70
      port: 8082
      default_domain: default-domain
      default_project: 'default-domain:default-project'
      public_network: 'default-domain:default-project:Public'
      public_ip_range: 185.22.97.128/26
      private_ip_range: 10.150.0.0/16
      service_cluster_ip_range: 10.254.0.0/16
      network_label: name
      service_label: uses
      cluster_service: kube-system/default
      network_manager:
        image: pupapaik/opencontrail-kube-network-manager
        tag: release-1.1-jpa-final-1
167
168On pools:
169
170.. code-block:: yaml
171
kubernetes:
  pool:
    network:
      # Pool nodes only need the engine selection; the rest comes from the master.
      engine: opencontrail
176
Jakub Pavlik1cfc1fe2016-07-25 11:01:52 +0200177Kubernetes control plane running in systemd
178-------------------------------------------
179
By default kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and etcd run in Docker containers through manifests. For a stable production environment they should run under systemd.
181
182.. code-block:: yaml
183
# On the master:
kubernetes:
  master:
    container: false

# On the pools:
kubernetes:
  pool:
    container: false
191
Because the k8s services run as the ``kube`` user without root privileges, the apiserver's secure port has to be changed:
193
194.. code-block:: yaml
195
kubernetes:
  master:
    apiserver:
      # TLS listener port of the apiserver when it runs as the non-root kube user.
      secure_port: 8081
200
marcoacdae7e2015-12-02 15:35:37 +0100201Kubernetes with Flannel
202-----------------------
203
204On Master:
205
206.. code-block:: yaml
207
kubernetes:
  master:
    network:
      engine: flannel
    # If you don't register the master as a node:
    etcd:
      members:
        - host: 10.0.175.101
          port: 4001
        - host: 10.0.175.102
          port: 4001
        - host: 10.0.175.103
          port: 4001
  common:
    network:
      engine: flannel
224
225On pools:
226
227.. code-block:: yaml
228
kubernetes:
  pool:
    network:
      engine: flannel
    # etcd endpoints used by flannel on the pool nodes.
    etcd:
      members:
        - host: 10.0.175.101
          port: 4001
        - host: 10.0.175.102
          port: 4001
        - host: 10.0.175.103
          port: 4001
  common:
    network:
      engine: flannel
244
245Kubernetes with Calico
246-----------------------
247
248On Master:
249
250.. code-block:: yaml
251
kubernetes:
  master:
    network:
      engine: calico
    # If you don't register the master as a node:
    etcd:
      members:
        - host: 10.0.175.101
          port: 4001
        - host: 10.0.175.102
          port: 4001
        - host: 10.0.175.103
          port: 4001
marcoacdae7e2015-12-02 15:35:37 +0100265
266On pools:
267
268.. code-block:: yaml
269
kubernetes:
  pool:
    network:
      engine: calico
    # etcd endpoints used by calico on the pool nodes.
    etcd:
      members:
        - host: 10.0.175.101
          port: 4001
        - host: 10.0.175.102
          port: 4001
        - host: 10.0.175.103
          port: 4001
marcoacdae7e2015-12-02 15:35:37 +0100282
Jakub Pavlik7e985322016-07-17 13:16:15 +0200283Post deployment configuration
284
285.. code-block:: bash
Jakub Pavlik232833c2016-07-17 13:21:00 +0200286
# Point calicoctl at the etcd endpoint it should talk to.
export ETCD_AUTHORITY=10.0.111.201:4001

# Register the pod subnet as a Calico IP pool with outgoing NAT.
calicoctl pool add 192.168.0.0/16 --nat-outgoing

# Inspect the result.
calicoctl status
calicoctl node show
296
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200297Kubernetes with GlusterFS for storage
298---------------------------------------------
299
300.. code-block:: yaml
301
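kubernetes:
  master:
    # ... other master keys ...
    storage:
      engine: glusterfs
      port: 24007
      members:
        - host: 10.0.175.101
          port: 24007
        - host: 10.0.175.102
          port: 24007
        - host: 10.0.175.103
          port: 24007
    # ...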
316
marco45fc1b72016-07-02 16:11:18 +0200317Kubernetes namespaces
318---------------------
319
320Create namespace:
321
322.. code-block:: yaml
323
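kubernetes:
  master:
    # ... other master keys ...
    namespace:
      kube-system:
        enabled: true
      namespace2:
        enabled: true
      # Disabled entries are listed but not created.
      namespace3:
        enabled: false
    # ...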
335
336Kubernetes labels
337-----------------
338
Create host labels:
340
341.. code-block:: yaml
342
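kubernetes:
  pool:
    # ... other pool keys ...
    host:
      label:
        key01:
          value: value01
          enable: true
        key02:
          value: value02
          enable: false
      name: ${linux:system:name}
    # ...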
356
marcof7efecb2016-07-16 16:13:37 +0200357Pull images from private registries
358-----------------------------------
359
360.. code-block:: yaml
361
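kubernetes:
  master:
    # ... other master keys ...
    registry:
      secret:
        registry01:
          enabled: true
          # Base64 of the Docker client config; it holds the registry
          # credentials (base64 is encoding, not encryption), so protect
          # this pillar value like any other secret.
          key: (get from `cat /root/.docker/config.json | base64`)
          namespace: default
    # ...
  control:
    # ...
    service:
      service01:
        # ...
        image_pull_secretes: registry01
        # ...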
379
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200380Kubernetes Service Definitions in pillars
381==========================================
382
The following samples show how to generate Kubernetes manifests as well, providing a single tool for complete infrastructure management.
384
385Deployment manifest
386---------------------
marcoacdae7e2015-12-02 15:35:37 +0100387
388.. code-block:: yaml
389
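salt:
  control:
    enabled: true
    hostNetwork: true
    service:
      memcached:
        # privileged plus the hostPath volume below give the pod host-level
        # access; only the paths actually needed should be mounted.
        privileged: true
        service: memcached
        role: server
        type: LoadBalancer
        replicas: 3
        kind: Deployment
        apiVersion: extensions/v1beta1
        ports:
          - port: 8774
            name: nova-api
          - port: 8775
            name: nova-metadata
        volume:
          volume_name:
            type: hostPath
            mount: /certs
            path: /etc/certs
        container:
          memcached:
            image: memcached
            # Image tags are strings; quoting keeps '2' from parsing as an int.
            tag: '2'
            ports:
              - port: 8774
                name: nova-api
              - port: 8775
                name: nova-metadata
            variables:
              - name: HTTP_TLS_CERTIFICATE
                value: /certs/domain.crt
              - name: HTTP_TLS_KEY
                value: /certs/domain.key
            volumes:
              - name: /etc/certs
                type: hostPath
                mount: /certs
                path: /etc/certs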
432
Filip Pytloun9a4a40f2016-09-22 16:28:19 +0200433Configmap
434---------
435
You can create configmaps using the support layer between formulas.
It works simply: e.g. the nova formula has a file ``meta/config.yml`` which
defines the config files used by that service and its roles.
439
The Kubernetes formula is able to generate these files using a custom pillar and
grains structure. This way you can run Docker images built in any way
while still re-using your configuration management.
443
444Example pillar:
445
.. code-block:: yaml
447
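kubernetes:
  control:
    configmap:
      nova-control:
        grains:
          # Alternate grains, as the OS running in the container may differ
          # from the salt minion OS. Needed only if grains matter for config
          # generation.
          os_family: Debian
        pillar:
          # Generic pillar for the nova controller
          nova:
            controller:
              enabled: true
              version: liberty
              # ...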
464
To tell which services support config generation, make sure the pillar
contains a structure like this to declare support:
467
468.. code-block:: yaml
469
nova:
  # Marks the formula as supporting config generation.
  _support:
    config:
      enabled: true
474
marcoacdae7e2015-12-02 15:35:37 +0100475Volumes
476-------
477
478hostPath
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200479==========
marcoacdae7e2015-12-02 15:35:37 +0100480
481.. code-block:: yaml
482
container:
  memcached:
    # ...
    volumes:
      # Mounts the host directory /etc/certs at /certs inside the container.
      - name: /etc/certs
        mount: /certs
        type: hostPath
        path: /etc/certs
491
492emptyDir
Ales Komarek688a04c2016-07-15 15:12:30 +0200493========
marcoacdae7e2015-12-02 15:35:37 +0100494
495.. code-block:: yaml
496
container:
  memcached:
    # ...
    volumes:
      # An emptyDir volume needs no host path; only the mount point is given.
      - name: /etc/certs
        mount: /certs
        type: emptyDir
Jakub Pavlik27ad3a62016-08-05 11:39:45 +0200504
505Documentation and Bugs
Filip Pytloun06a55402016-08-12 14:53:30 +0200506======================
Jakub Pavlik27ad3a62016-08-05 11:39:45 +0200507
508To learn how to deploy OpenStack Salt, consult the documentation available
509online at:
510
511 https://wiki.openstack.org/wiki/OpenStackSalt
512
513In the unfortunate event that bugs are discovered, they should be reported to
514the appropriate bug tracker. If you obtained the software from a 3rd party
515operating system vendor, it is often wise to use their own bug tracker for
516reporting problems. In all other cases use the master OpenStack bug tracker,
517available at:
518
519 http://bugs.launchpad.net/openstack-salt
520
521Developers wishing to work on the OpenStack Salt project should always base
522their work on the latest formulas code, available from the master GIT
523repository at:
524
525 https://git.openstack.org/cgit/openstack/salt-formula-kubernetes
526
527Developers should also join the discussion on the IRC list, at:
528
529 https://wiki.openstack.org/wiki/Meetings/openstack-salt
Filip Pytloun06a55402016-08-12 14:53:30 +0200530
531Copyright and authors
532=====================
533
534(c) 2016 tcp cloud a.s.
535(c) 2016 OpenStack Foundation