marcoacdae7e2015-12-02 15:35:37 +01001
2==================
3Kubernetes Formula
4==================
5
Jakub Pavlik495d06f2016-06-17 11:33:05 +02006Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.
7
8This formula deploys production-ready Kubernetes and generates Kubernetes manifests as well.
marcoacdae7e2015-12-02 15:35:37 +01009
10Based on official Kubernetes salt
11https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase
12
13Extended with the Contrail contribution https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
14
15
16Sample pillars
17==============
18
Ales Komarek688a04c2016-07-15 15:12:30 +020019Container definitions on pools, under ``pool.service.local``
20
Jakub Pavlik7e985322016-07-17 13:16:15 +020021.. code-block:: yaml
22
23 parameters:
24 kubernetes:
25 pool:
26 service:
27 local:
28 enabled: False
29 service: libvirt
30 cluster: openstack-compute
31 namespace: default
32 role: ${linux:system:name}
33 type: LoadBalancer
34 kind: Deployment
35 apiVersion: extensions/v1beta1
36 replicas: 1
37 host_pid: True
38 nodeSelector:
39 - key: openstack
40 value: ${linux:system:name}
41 hostNetwork: True
42 container:
43 libvirt-compute:
44 privileged: True
45 image: ${_param:docker_repository}/libvirt-compute
46 tag: ${_param:openstack_container_tag}
Ales Komarek688a04c2016-07-15 15:12:30 +020047
48Master definition (the ``token`` values and the UI ``admin`` password in this sample are placeholders; generate deployment-specific values)
49
marcoacdae7e2015-12-02 15:35:37 +010050.. code-block:: yaml
51
52 kubernetes:
Jakub Pavlik495d06f2016-06-17 11:33:05 +020053 master:
54 addons:
55 dns:
56 domain: cluster.local
57 enabled: true
58 replicas: 1
59 server: 10.254.0.10
60 heapster_influxdb:
61 enabled: true
62 public_ip: 185.22.97.132
63 ui:
64 enabled: true
65 public_ip: 185.22.97.131
66 admin:
67 password: password
68 username: admin
69 apiserver:
70 address: 10.0.175.100
71 port: 8080
72 ca: kubernetes
73 enabled: true
74 etcd:
75 host: 127.0.0.1
76 members:
77 - host: 10.0.175.100
78 name: node040
79 name: node040
80 token: ca939ec9c2a17b0786f6d411fe019e9b
81 kubelet:
82 allow_privileged: true
83 network:
84 engine: calico
85 hash: fb5e30ebe6154911a66ec3fb5f1195b2
86 private_ip_range: 10.150.0.0/16
87 version: v0.19.0
88 service_addresses: 10.254.0.0/16
89 storage:
90 engine: glusterfs
91 members:
92 - host: 10.0.175.101
93 port: 24007
94 - host: 10.0.175.102
95 port: 24007
96 - host: 10.0.175.103
97 port: 24007
98 port: 24007
99 token:
100 admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
101 controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
102 dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
103 kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
104 kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
105 logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
106 monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
107 scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
108 version: v1.2.4
109
marcoacdae7e2015-12-02 15:35:37 +0100110
111 kubernetes:
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200112 pool:
113 address: 0.0.0.0
114 allow_privileged: true
115 ca: kubernetes
116 cluster_dns: 10.254.0.10
117 cluster_domain: cluster.local
118 enabled: true
119 kubelet:
120 allow_privileged: true
121 config: /etc/kubernetes/manifests
122 frequency: 5s
123 master:
124 apiserver:
125 members:
126 - host: 10.0.175.100
127 etcd:
128 members:
129 - host: 10.0.175.100
130 host: 10.0.175.100
131 network:
132 engine: calico
133 hash: fb5e30ebe6154911a66ec3fb5f1195b2
134 version: v0.19.0
135 token:
136 kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
137 kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
138 version: v1.2.4
marcoacdae7e2015-12-02 15:35:37 +0100139
140
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200141
142Kubernetes with OpenContrail network plugin
143------------------------------------------------
marcoacdae7e2015-12-02 15:35:37 +0100144
145On Master:
146
147.. code-block:: yaml
148
149 kubernetes:
150 master:
151 network:
152 engine: opencontrail
153 host: 10.0.170.70
154 port: 8082
155 default_domain: default-domain
156 default_project: default-domain:default-project
157 public_network: default-domain:default-project:Public
158 public_ip_range: 185.22.97.128/26
159 private_ip_range: 10.150.0.0/16
160 service_cluster_ip_range: 10.254.0.0/16
161 network_label: name
162 service_label: uses
163 cluster_service: kube-system/default
164 network_manager:
165 image: pupapaik/opencontrail-kube-network-manager
166 tag: release-1.1-jpa-final-1
167
168On pools:
169
170.. code-block:: yaml
171
172 kubernetes:
173 pool:
174 network:
175 engine: opencontrail
176
Jakub Pavlik1cfc1fe2016-07-25 11:01:52 +0200177Kubernetes control plane running in systemd
178-------------------------------------------
179
180By default kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and etcd run in docker containers through manifests. For a stable production environment they should be run under systemd.
181
182.. code-block:: yaml
183
184 kubernetes:
185 master:
186 container: false
187
188 kubernetes:
189 pool:
190 container: false
191
marco055ff852016-07-27 15:22:33 +0200192Because the k8s services run as the ``kube`` user without root privileges, the apiserver secure port must be moved to a non-privileged port (above 1024).
193
194.. code-block:: yaml
195
196 kubernetes:
197 master:
198 apiserver:
199 secure_port: 8081
200
marcoacdae7e2015-12-02 15:35:37 +0100201Kubernetes with Flannel
202-----------------------
203
204On Master:
205
206.. code-block:: yaml
207
208 kubernetes:
209 master:
210 network:
211 engine: flannel
Jakub Pavlik7e985322016-07-17 13:16:15 +0200212 # If you don't register master as node:
marcoa05621f2016-07-14 10:35:24 +0200213 etcd:
214 members:
215 - host: 10.0.175.101
216 port: 4001
217 - host: 10.0.175.102
218 port: 4001
219 - host: 10.0.175.103
220 port: 4001
marcoacdae7e2015-12-02 15:35:37 +0100221 common:
222 network:
223 engine: flannel
224
225On pools:
226
227.. code-block:: yaml
228
229 kubernetes:
230 pool:
231 network:
232 engine: flannel
marcoa05621f2016-07-14 10:35:24 +0200233 etcd:
234 members:
235 - host: 10.0.175.101
236 port: 4001
237 - host: 10.0.175.102
238 port: 4001
239 - host: 10.0.175.103
240 port: 4001
marcoacdae7e2015-12-02 15:35:37 +0100241 common:
242 network:
243 engine: flannel
244
245Kubernetes with Calico
246-----------------------
247
248On Master:
249
250.. code-block:: yaml
251
252 kubernetes:
253 master:
254 network:
255 engine: calico
Jakub Pavlik7e985322016-07-17 13:16:15 +0200256 # If you don't register master as node:
marcoa05621f2016-07-14 10:35:24 +0200257 etcd:
258 members:
259 - host: 10.0.175.101
260 port: 4001
261 - host: 10.0.175.102
262 port: 4001
263 - host: 10.0.175.103
264 port: 4001
marcoacdae7e2015-12-02 15:35:37 +0100265
266On pools:
267
268.. code-block:: yaml
269
270 kubernetes:
271 pool:
272 network:
273 engine: calico
marcoa05621f2016-07-14 10:35:24 +0200274 etcd:
275 members:
276 - host: 10.0.175.101
277 port: 4001
278 - host: 10.0.175.102
279 port: 4001
280 - host: 10.0.175.103
281 port: 4001
marcoacdae7e2015-12-02 15:35:37 +0100282
Jakub Pavlik7e985322016-07-17 13:16:15 +0200283Post deployment configuration
284
285.. code-block:: bash
Jakub Pavlik232833c2016-07-17 13:21:00 +0200286
Jakub Pavlik7e985322016-07-17 13:16:15 +0200287 # set ETCD
288 export ETCD_AUTHORITY=10.0.111.201:4001
289
290 # Set NAT for pods subnet
291 calicoctl pool add 192.168.0.0/16 --nat-outgoing
292
293 # Status commands
294 calicoctl status
295 calicoctl node show
296
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200297Kubernetes with GlusterFS for storage
298---------------------------------------------
299
300.. code-block:: yaml
301
302 kubernetes:
303 master:
304 ...
305 storage:
306 engine: glusterfs
307 port: 24007
308 members:
309 - host: 10.0.175.101
310 port: 24007
311 - host: 10.0.175.102
312 port: 24007
313 - host: 10.0.175.103
314 port: 24007
315 ...
316
marco45fc1b72016-07-02 16:11:18 +0200317Kubernetes namespaces
318---------------------
319
320Create namespace:
321
322.. code-block:: yaml
323
324 kubernetes:
325 master:
326 ...
327 namespace:
328 kube-system:
329 enabled: True
330 namespace2:
331 enabled: True
332 namespace3:
333 enabled: False
334 ...
335
336Kubernetes labels
337-----------------
338
339Create labels:
340
341.. code-block:: yaml
342
343 kubernetes:
344 pool:
345 ...
346 host:
347 label:
348 key01:
349 value: value01
350 enable: True
351 key02:
352 value: value02
353 enable: False
354 name: ${linux:system:name}
355 ...
356
marcof7efecb2016-07-16 16:13:37 +0200357Pull images from private registries
358-----------------------------------
359
360.. code-block:: yaml
361
362 kubernetes:
363 master:
364 ...
365 registry:
366 secret:
367 registry01:
368 enabled: True
369 key: (get from `cat /root/.docker/config.json | base64`)
370 namespace: default
371 ...
372 control:
373 ...
374 service:
375 service01:
376 ...
377 image_pull_secretes: registry01
378 ...
379
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200380Kubernetes Service Definitions in pillars
381==========================================
382
383The following samples show how to generate Kubernetes manifests as well, providing a single tool for complete infrastructure management.
384
385Deployment manifest
386---------------------
marcoacdae7e2015-12-02 15:35:37 +0100387
388.. code-block:: yaml
389
390 salt:
391 control:
392 enabled: True
393 hostNetwork: True
394 service:
395 memcached:
396 privileged: True
397 service: memcached
398 role: server
399 type: LoadBalancer
400 replicas: 3
401 kind: Deployment
402 apiVersion: extensions/v1beta1
403 ports:
404 - port: 8774
405 name: nova-api
406 - port: 8775
407 name: nova-metadata
408 volume:
409 volume_name:
410 type: hostPath
411 mount: /certs
412 path: /etc/certs
413 container:
414 memcached:
415 image: memcached
416 tag: "2"
417 ports:
418 - port: 8774
419 name: nova-api
420 - port: 8775
421 name: nova-metadata
422 variables:
423 - name: HTTP_TLS_CERTIFICATE
424 value: /certs/domain.crt
425 - name: HTTP_TLS_KEY
426 value: /certs/domain.key
427 volumes:
428 - name: /etc/certs
429 type: hostPath
430 mount: /certs
431 path: /etc/certs
432
marcobe30c8d2016-10-11 19:16:35 +0200433PetSet manifest
434---------------------
435
436.. code-block:: yaml
437
438 service:
439 memcached:
440 apiVersion: apps/v1alpha1
441 kind: PetSet
442 service_name: 'memcached'
443 container:
444 memcached:
445 ...
446
447
Filip Pytloun9a4a40f2016-09-22 16:28:19 +0200448Configmap
449---------
450
451You are able to create configmaps using support layer between formulas.
452It works simple, eg. in nova formula there's file ``meta/config.yml`` which
453defines config files used by that service and roles.
454
455The Kubernetes formula is able to generate these files using a custom pillar and
456grains structure. This way you can run docker images built in any way
457while still re-using your configuration management.
458
459Example pillar:
460
461.. code-block:: yaml
462
463 kubernetes:
464 control:
Jakub Pavlika2779722016-11-25 15:35:26 +0100465 config_type: default|kubernetes # Output is yaml k8s or default single files
Filip Pytloun9a4a40f2016-09-22 16:28:19 +0200466 configmap:
467 nova-control:
468 grains:
469 # Alternate grains as OS running in container may differ from
470 # salt minion OS. Needed only if grains matters for config
471 # generation.
472 os_family: Debian
473 pillar:
474 # Generic pillar for nova controller
475 nova:
476 controller:
477 enabled: true
478 version: liberty
479 ...
480
481To tell which services support config generation, ensure a pillar
482structure like this:
483
484.. code-block:: yaml
485
486 nova:
487 _support:
488 config:
489 enabled: true
490
marcod4d3dbd2016-09-27 11:36:40 +0200491initContainers
492--------------
493
494Example pillar:
495
496.. code-block:: yaml
497
498 kubernetes:
499 control:
500 service:
501 memcached:
502 init_containers:
503 - name: test-mysql
504 image: busybox
505 command:
506 - sleep
507 - 3600
508 volumes:
509 - name: config
510 mount: /test
511 - name: test-memcached
512 image: busybox
513 command:
514 - sleep
515 - 3600
516 volumes:
517 - name: config
518 mount: /test
519
marcoee859d32016-11-07 11:04:57 +0100520Affinity
521--------
522
523podAffinity
524~~~~~~~~~~~
525
526Example pillar:
527
528.. code-block:: yaml
529
530 kubernetes:
531 control:
532 service:
533 memcached:
534 affinity:
535 pod_affinity:
536 name: podAffinity
537 expression:
538 label_selector:
539 name: labelSelector
540 selectors:
541 - key: app
542 value: memcached
543 topology_key: kubernetes.io/hostname
544
545podAntiAffinity
546~~~~~~~~~~~~~~~
547
548Example pillar:
549
550.. code-block:: yaml
551
552 kubernetes:
553 control:
554 service:
555 memcached:
556 affinity:
557 anti_affinity:
558 name: podAntiAffinity
559 expression:
560 label_selector:
561 name: labelSelector
562 selectors:
563 - key: app
564 value: opencontrail-control
565 topology_key: kubernetes.io/hostname
566
567nodeAffinity
568~~~~~~~~~~~~~~~
569
570Example pillar:
571
572.. code-block:: yaml
573
574 kubernetes:
575 control:
576 service:
577 memcached:
578 affinity:
579 node_affinity:
580 name: nodeAffinity
581 expression:
582 match_expressions:
583 name: matchExpressions
584 selectors:
585 - key: key
586 operator: In
587 values:
588 - value1
589 - value2
590
marcoacdae7e2015-12-02 15:35:37 +0100591Volumes
592-------
593
594hostPath
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200595~~~~~~~~~~
marcoacdae7e2015-12-02 15:35:37 +0100596
597.. code-block:: yaml
598
marcob469f882016-09-27 09:56:13 +0200599 service:
marcoacdae7e2015-12-02 15:35:37 +0100600 memcached:
marcob469f882016-09-27 09:56:13 +0200601 container:
602 memcached:
603 volumes:
604 - name: volume1
605 mountPath: /volume
606 readOnly: True
marcoacdae7e2015-12-02 15:35:37 +0100607 ...
marcob469f882016-09-27 09:56:13 +0200608 volume:
609 volume1:
610 name: /etc/certs
611 type: hostPath
612 path: /etc/certs
marcoacdae7e2015-12-02 15:35:37 +0100613
614emptyDir
Ales Komarek688a04c2016-07-15 15:12:30 +0200615~~~~~~~~
marcoacdae7e2015-12-02 15:35:37 +0100616
617.. code-block:: yaml
618
marcob469f882016-09-27 09:56:13 +0200619 service:
marcoacdae7e2015-12-02 15:35:37 +0100620 memcached:
marcob469f882016-09-27 09:56:13 +0200621 container:
622 memcached:
623 volumes:
624 - name: volume1
625 mountPath: /volume
626 readOnly: True
marcoacdae7e2015-12-02 15:35:37 +0100627 ...
marcob469f882016-09-27 09:56:13 +0200628 volume:
629 volume1:
630 name: /etc/certs
631 type: emptyDir
632
633configMap
634~~~~~~~~~
635
636.. code-block:: yaml
637
638 service:
639 memcached:
640 container:
641 memcached:
642 volumes:
643 - name: volume1
644 mountPath: /volume
645 readOnly: True
646 ...
647 volume:
648 volume1:
649 type: config_map
650 item:
651 configMap1:
652 key: config.conf
653 path: config.conf
654 configMap2:
655 key: policy.json
656 path: policy.json
Jakub Pavlik27ad3a62016-08-05 11:39:45 +0200657
marco0eda4fb2016-10-10 19:08:27 +0200658To mount a single configuration file instead of the whole directory:
659
660.. code-block:: yaml
661
662 service:
663 memcached:
664 container:
665 memcached:
666 volumes:
667 - name: volume1
668 mountPath: /volume/config.conf
669 sub_path: config.conf
670
marcofcc20d02016-10-10 09:56:12 +0200671Generating Jobs
672---------------
673
674Example pillar:
675
676.. code-block:: yaml
677
678 kubernetes:
679 control:
680 job:
681 sleep:
682 job: sleep
683 restart_policy: Never
684 container:
685 sleep:
686 image: busybox
687 tag: latest
688 command:
689 - sleep
690 - "3600"
691
692Volumes and variables can be used in the same way as during Deployment generation.
693
694Custom params:
695
696.. code-block:: yaml
697
698 kubernetes:
699 control:
700 job:
701 host_network: True
702 host_pid: True
703 container:
704 sleep:
705 privileged: True
706 node_selector:
707 key: node
708 value: one
709 image_pull_secretes: password
710
Jakub Pavlik27ad3a62016-08-05 11:39:45 +0200711Documentation and Bugs
Filip Pytloun06a55402016-08-12 14:53:30 +0200712======================
Jakub Pavlik27ad3a62016-08-05 11:39:45 +0200713
714To learn how to deploy OpenStack Salt, consult the documentation available
715online at:
716
717 https://wiki.openstack.org/wiki/OpenStackSalt
718
719In the unfortunate event that bugs are discovered, they should be reported to
720the appropriate bug tracker. If you obtained the software from a 3rd party
721operating system vendor, it is often wise to use their own bug tracker for
722reporting problems. In all other cases use the master OpenStack bug tracker,
723available at:
724
725 http://bugs.launchpad.net/openstack-salt
726
727Developers wishing to work on the OpenStack Salt project should always base
728their work on the latest formulas code, available from the master GIT
729repository at:
730
731 https://git.openstack.org/cgit/openstack/salt-formula-kubernetes
732
733Developers should also join the discussion on the IRC list, at:
734
735 https://wiki.openstack.org/wiki/Meetings/openstack-salt
Filip Pytloun06a55402016-08-12 14:53:30 +0200736
737Copyright and authors
738=====================
739
740(c) 2016 tcp cloud a.s.
741(c) 2016 OpenStack Foundation