==================
Kubernetes Formula
==================

Kubernetes is an open-source system for automating deployment, scaling, and
management of containerized applications. This formula deploys production
ready Kubernetes and generates Kubernetes manifests as well.

You can download the `kubectl` configuration and connect to your cluster. However,
keep in mind that `kubernetes_control_address` needs to be accessible from your computer:

.. code-block:: bash

    mkdir -p ~/.kube
    [ -f ~/.kube/config ] && cp -v ~/.kube/config ~/.kube/config-backup
    ssh cfg01 "sudo ssh ctl01 /etc/kubernetes/kubeconfig.sh" > ~/.kube/config
    kubectl get no

`cfg01` is the Salt master node and `ctl01` is one of the Kubernetes masters.

Sample Pillars
==============

**REQUIRED:** Define the image to use for hyperkube, the CNIs and the calicoctl image

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          hyperkube:
            image: gcr.io/google_containers/hyperkube:v1.6.5
        pool:
          network:
            calico:
              calicoctl_image: calico/ctl
              cni_image: calico/cni

Enable helm-tiller addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            helm:
              enabled: true

Enable calico-policy addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            calico_policy:
              enabled: true

Enable virtlet addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            virtlet:
              enabled: true
              namespace: kube-system
              image: mirantis/virtlet:v1.0.3
              hosts:
                - cmp01
                - cmp02

Enable netchecker addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            netchecker:
              enabled: true
        master:
          namespace:
            netchecker:
              enabled: true

Enable Kubernetes Federation control plane

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          federation:
            enabled: True
            name: federation
            namespace: federation-system
            source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
            hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
            service_type: NodePort
            dns_provider: coredns
            childclusters:
              - secondcluster.mydomain
              - thirdcluster.mydomain

Enable external DNS addon with CoreDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            coredns:
              enabled: True
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: coredns

Enable external DNS addon with Designate provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: designate
              designate_os_options:
                OS_AUTH_URL: https://keystone_auth_endpoint:5000
                OS_PROJECT_DOMAIN_NAME: default
                OS_USER_DOMAIN_NAME: default
                OS_PROJECT_NAME: admin
                OS_USERNAME: admin
                OS_PASSWORD: password
                OS_REGION_NAME: RegionOne

Enable external DNS addon with AWS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: aws
              aws_options:
                AWS_ACCESS_KEY_ID: XXXXXXXXXXXXXXXXXXXX
                AWS_SECRET_ACCESS_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enable external DNS addon with Google CloudDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: google
              google_options:
                key: ''
                project: default-123

The key should be exported from the Google console and processed with `cat key.json | tr -d '\n'`.

Enable OpenStack cloud provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          cloudprovider:
            enabled: True
            provider: openstack
            params:
              auth_url: https://openstack.mydomain:5000/v3
              username: nova
              password: nova
              region: RegionOne
              tenant_id: 4bce4162d8744c599e350099cfa22a0a
              domain_name: default
              subnet_id: 72407854-aca6-4cf1-b873-e9affb09484b
              lb_version: v2

Configure service verbosity

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          verbosity: 2
        pool:
          verbosity: 2

Set cluster name and domain

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          kubernetes_cluster_domain: mycluster.domain
          cluster_name: mycluster

Enable the autoscaler for the dns addon. The poll period can be omitted.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
            autoscaler:
              enabled: true
              poll-period-seconds: 60


Pass additional parameters to daemons:

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          apiserver:
            daemon_opts:
              storage-backend: pigeon
          controller_manager:
            daemon_opts:
              log-dir: /dev/null
        pool:
          kubelet:
            daemon_opts:
              max-pods: "6"


Containers on pool definitions in pool.service.local

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          service:
            local:
              enabled: False
              service: libvirt
              cluster: openstack-compute
              namespace: default
              role: ${linux:system:name}
              type: LoadBalancer
              kind: Deployment
              apiVersion: extensions/v1beta1
              replicas: 1
              host_pid: True
              nodeSelector:
                - key: openstack
                  value: ${linux:system:name}
              hostNetwork: True
              container:
                libvirt-compute:
                  privileged: True
                  image: ${_param:docker_repository}/libvirt-compute
                  tag: ${_param:openstack_container_tag}

Master definition

.. code-block:: yaml

    kubernetes:
      common:
        cluster_name: cluster
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
      master:
        admin:
          password: password
          username: admin
        apiserver:
          address: 10.0.175.100
          secure_port: 443
          insecure_address: 127.0.0.1
          insecure_port: 8080
        ca: kubernetes
        enabled: true
        etcd:
          host: 127.0.0.1
          members:
            - host: 10.0.175.100
              name: node040
          name: node040
          token: ca939ec9c2a17b0786f6d411fe019e9b
        kubelet:
          allow_privileged: true
        network:
          calico:
            enabled: true
        service_addresses: 10.254.0.0/16
        storage:
          engine: glusterfs
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
          port: 24007
        token:
          admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
          controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
          dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
          logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
          monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
          scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
        version: v1.2.4


    kubernetes:
      pool:
        address: 0.0.0.0
        allow_privileged: true
        ca: kubernetes
        cluster_dns: 10.254.0.10
        cluster_domain: cluster.local
        enabled: true
        kubelet:
          allow_privileged: true
          config: /etc/kubernetes/manifests
          frequency: 5s
        master:
          apiserver:
            members:
              - host: 10.0.175.100
          etcd:
            members:
              - host: 10.0.175.100
          host: 10.0.175.100
        network:
          calico:
            enabled: true
        token:
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
        version: v1.2.4


Enable basic, token and http authentication, disable ssl auth, create some
static users:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          basic:
            enabled: true
            user:
              jdoe:
                password: dummy
                groups:
                  - system:admin
          http:
            enabled: true
            header:
              user: X-Remote-User
              group: X-Remote-Group
          ssl:
            enabled: false
          token:
            enabled: true
            user:
              jdoe:
                token: dummytoken
                groups:
                  - system:admin

404
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200405Kubernetes with OpenContrail network plugin
406------------------------------------------------
marcoacdae7e2015-12-02 15:35:37 +0100407
408On Master:
409
410.. code-block:: yaml
411
412 kubernetes:
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +0200413 common:
Tomáš Kukrál13b1edb2017-06-08 16:47:34 +0200414 addons:
Matthew Mosesohn6f4f6c02017-07-03 16:58:50 +0300415 contrail_network_controller:
Tomáš Kukrál13b1edb2017-06-08 16:47:34 +0200416 enabled: true
417 namespace: kube-system
Matthew Mosesohn6f4f6c02017-07-03 16:58:50 +0300418 image: yashulyak/contrail-controller:latest
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +0200419 master:
marcoacdae7e2015-12-02 15:35:37 +0100420 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200421 opencontrail:
422 enabled: true
ashestakove19660a2018-03-05 12:43:30 +0000423 default_domain: default-domain
424 default_project: default-domain:default-project
425 public_network: default-domain:default-project:Public
426 public_ip_range: 185.22.97.128/26
427 private_ip_range: 10.150.0.0/16
428 service_cluster_ip_range: 10.254.0.0/16
429 network_label: name
430 service_label: uses
431 cluster_service: kube-system/default
432 config:
433 api:
434 host: 10.0.170.70
marcoacdae7e2015-12-02 15:35:37 +0100435On pools:
436
437.. code-block:: yaml
438
439 kubernetes:
440 pool:
441 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200442 opencontrail:
443 enabled: true
marcoacdae7e2015-12-02 15:35:37 +0100444
Tomáš Kukrál13b1edb2017-06-08 16:47:34 +0200445
446Dashboard public IP must be configured when Contrail network is used:
447
448.. code-block:: yaml
449
450 kubernetes:
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +0200451 common:
Tomáš Kukrál13b1edb2017-06-08 16:47:34 +0200452 addons:
453 public_ip: 1.1.1.1
454
Jakub Pavlik1cfc1fe2016-07-25 11:01:52 +0200455Kubernetes control plane running in systemd
456-------------------------------------------
457
Matthew Mosesohnbf9d3fb2017-05-17 16:17:02 +0300458By default kube-apiserver, kube-scheduler, kube-controllermanager, kube-proxy, etcd running in docker containers through manifests. For stable production environment this should be run in systemd.
Jakub Pavlik1cfc1fe2016-07-25 11:01:52 +0200459
460.. code-block:: yaml
461
462 kubernetes:
463 master:
464 container: false
465
466 kubernetes:
467 pool:
468 container: false
469
marco055ff852016-07-27 15:22:33 +0200470Because k8s services run under kube user without root privileges, there is need to change secure port for apiserver.
471
472.. code-block:: yaml
473
474 kubernetes:
475 master:
476 apiserver:
477 secure_port: 8081
478
Kubernetes with MetalLB
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          metallb:
            enabled: true
            addresses:
              - 172.16.10.150-172.16.10.180
              - 172.16.10.192/26

Kubernetes with SRIOV
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          sriov:
            enabled: true
            interface: eno2
            subnet: 10.55.208.0/24
            gateway: 10.55.208.1

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          sriov:
            enabled: true
            interface: eno2
            subnet: 10.55.208.0/24
            gateway: 10.55.208.1

Kubernetes with Flannel
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          flannel:
            enabled: true

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          flannel:
            enabled: true

Kubernetes with Calico
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          calico:
            enabled: true
            mtu: 1500
            # If you don't register master as node:
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            mtu: 1500
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

Running with secured etcd:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            etcd:
              ssl:
                enabled: true
      master:
        network:
          calico:
            enabled: true
            etcd:
              ssl:
                enabled: true

Running with calico-policy controller:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            addons:
              calico_policy:
                enabled: true

      master:
        network:
          calico:
            enabled: true
            addons:
              calico_policy:
                enabled: true


Enable Prometheus metrics in Felix

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            prometheus:
              enabled: true
      master:
        network:
          calico:
            prometheus:
              enabled: true

Post deployment configuration

.. code-block:: bash

    # set ETCD
    export ETCD_AUTHORITY=10.0.111.201:4001

    # Set NAT for pods subnet
    calicoctl pool add 192.168.0.0/16 --nat-outgoing

    # Status commands
    calicoctl status
    calicoctl node show

Kubernetes with GlusterFS for storage
-------------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        storage:
          engine: glusterfs
          port: 24007
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
        ...

Kubernetes Storage Class
------------------------

AWS EBS storageclass integration. It also requires creating an IAM policy and profiles for the instances and tagging all resources with KubernetesCluster in EC2.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          storageclass:
            aws_slow:
              enabled: True
              default: True
              provisioner: aws-ebs
              name: slow
              type: gp2
              iopspergb: "10"
              zones: xxx
            nfs_shared:
              name: elasti01
              enabled: True
              provisioner: nfs
              spec:
                name: elastic_data
                nfs:
                  server: 10.0.0.1
                  path: /exported_path

Kubernetes namespaces
---------------------

Create namespace:

.. code-block:: yaml

    kubernetes:
      master:
        ...
        namespace:
          kube-system:
            enabled: True
          namespace2:
            enabled: True
          namespace3:
            enabled: False
        ...

Kubernetes labels
-----------------

Label node:

.. code-block:: yaml

    kubernetes:
      master:
        label:
          label01:
            value: value01
            node: node01
            enabled: true
            key: key01
        ...

Pull images from private registries
-----------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        registry:
          secret:
            registry01:
              enabled: True
              key: (get from `cat /root/.docker/config.json | base64`)
              namespace: default
        ...
      control:
        ...
        service:
          service01:
            ...
            image_pull_secretes: registry01
        ...

Kubernetes Service Definitions in pillars
==========================================

The following samples show how to generate kubernetes manifests as well and provide a single tool for complete infrastructure management.

Deployment manifest
---------------------

.. code-block:: yaml

    salt:
      control:
        enabled: True
        hostNetwork: True
        service:
          memcached:
            privileged: True
            service: memcached
            role: server
            type: LoadBalancer
            replicas: 3
            kind: Deployment
            apiVersion: extensions/v1beta1
            ports:
              - port: 8774
                name: nova-api
              - port: 8775
                name: nova-metadata
            volume:
              volume_name:
                type: hostPath
                mount: /certs
                path: /etc/certs
            container:
              memcached:
                image: memcached
                tag: 2
                ports:
                  - port: 8774
                    name: nova-api
                  - port: 8775
                    name: nova-metadata
                variables:
                  - name: HTTP_TLS_CERTIFICATE
                    value: /certs/domain.crt
                  - name: HTTP_TLS_KEY
                    value: /certs/domain.key
                volumes:
                  - name: /etc/certs
                    type: hostPath
                    mount: /certs
                    path: /etc/certs

PetSet manifest
---------------------

.. code-block:: yaml

    service:
      memcached:
        apiVersion: apps/v1alpha1
        kind: PetSet
        service_name: 'memcached'
        container:
          memcached:
            ...


Configmap
---------

You are able to create configmaps using the support layer between formulas.
It works simply: e.g. in the nova formula there is a file ``meta/config.yml`` which
defines the config files used by that service and its roles.

The Kubernetes formula is able to generate these files using a custom pillar and
grains structure. This way you are able to run Docker images built in any way
while still re-using your configuration management.

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        config_type: default|kubernetes # Output is yaml k8s or default single files
        configmap:
          nova-control:
            grains:
              # Alternate grains as OS running in container may differ from
              # salt minion OS. Needed only if grains matters for config
              # generation.
              os_family: Debian
            pillar:
              # Generic pillar for nova controller
              nova:
                controller:
                  enabled: true
                  version: liberty
                  ...

To tell which services support config generation, ensure a pillar structure
like this:

.. code-block:: yaml

    nova:
      _support:
        config:
          enabled: true

initContainers
--------------

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            init_containers:
              - name: test-mysql
                image: busybox
                command:
                  - sleep
                  - 3600
                volumes:
                  - name: config
                    mount: /test
              - name: test-memcached
                image: busybox
                command:
                  - sleep
                  - 3600
                volumes:
                  - name: config
                    mount: /test

Affinity
--------

podAffinity
===========

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              pod_affinity:
                name: podAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: memcached
                topology_key: kubernetes.io/hostname

podAntiAffinity
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              anti_affinity:
                name: podAntiAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: opencontrail-control
                topology_key: kubernetes.io/hostname

nodeAffinity
============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              node_affinity:
                name: nodeAffinity
                expression:
                  match_expressions:
                    name: matchExpressions
                    selectors:
                      - key: key
                        operator: In
                        values:
                          - value1
                          - value2

Volumes
-------

hostPath
==========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: hostPath
            path: /etc/certs

emptyDir
========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: emptyDir

configMap
=========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            type: config_map
            item:
              configMap1:
                key: config.conf
                path: config.conf
              configMap2:
                key: policy.json
                path: policy.json

To mount a single configuration file instead of the whole directory:

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume/config.conf
                sub_path: config.conf

Generating Jobs
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          sleep:
            job: sleep
            restart_policy: Never
            container:
              sleep:
                image: busybox
                tag: latest
                command:
                  - sleep
                  - "3600"

Volumes and variables can be used in the same way as during Deployment generation.

Custom params:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          host_network: True
          host_pid: True
          container:
            sleep:
              privileged: True
          node_selector:
            key: node
            value: one
          image_pull_secretes: password

Role-based access control
=========================

To enable RBAC, you need to set the following option on your apiserver:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          mode: Node,RBAC

Then you can use the ``kubernetes.control.role`` state to orchestrate roles and
rolebindings. The following example shows how to create a brand new role and a
binding for a service account:

.. code-block:: yaml

    control:
      role:
        etcd-operator:
          kind: ClusterRole
          rules:
            - apiGroups:
                - etcd.coreos.com
              resources:
                - clusters
              verbs:
                - "*"
            - apiGroups:
                - extensions
              resources:
                - thirdpartyresources
              verbs:
                - create
            - apiGroups:
                - storage.k8s.io
              resources:
                - storageclasses
              verbs:
                - create
            - apiGroups:
                - ""
              resources:
                - replicasets
              verbs:
                - "*"
          binding:
            etcd-operator:
              kind: ClusterRoleBinding
              namespace: test # <-- if no namespace, then it's clusterrolebinding
              subject:
                etcd-operator:
                  kind: ServiceAccount

Simplest possible use-case: give the user test edit permissions in its test
namespace:

.. code-block:: yaml

    kubernetes:
      control:
        role:
          edit:
            kind: ClusterRole
            # No rules defined, so only binding will be created assuming role
            # already exists
            binding:
              test:
                namespace: test
                subject:
                  test:
                    kind: User

Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001174
Ales Komarek9db8af42017-06-08 11:08:05 +02001175More Information
1176================
Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001177
Ales Komarek9db8af42017-06-08 11:08:05 +02001178* https://github.com/Juniper/kubernetes/blob
1179/opencontrail-integration/docs /getting-started-guides/opencontrail.md
1180* https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase
Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001181
Filip Pytlound06f6272017-02-02 13:02:03 +01001182
1183Documentation and Bugs
1184======================
1185
1186To learn how to install and update salt-formulas, consult the documentation
1187available online at:
1188
1189 http://salt-formulas.readthedocs.io/
1190
1191In the unfortunate event that bugs are discovered, they should be reported to
1192the appropriate issue tracker. Use Github issue tracker for specific salt
1193formula:
1194
1195 https://github.com/salt-formulas/salt-formula-kubernetes/issues
1196
1197For feature requests, bug reports or blueprints affecting entire ecosystem,
1198use Launchpad salt-formulas project:
1199
1200 https://launchpad.net/salt-formulas
1201
1202You can also join salt-formulas-users team and subscribe to mailing list:
1203
1204 https://launchpad.net/~salt-formulas-users
1205
1206Developers wishing to work on the salt-formulas projects should always base
1207their work on master branch and submit pull request against specific formula.
1208
1209 https://github.com/salt-formulas/salt-formula-kubernetes
1210
1211Any questions or feedback is always welcome so feel free to join our IRC
1212channel:
1213
1214 #salt-formulas @ irc.freenode.net