Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2018/11/30 16:55:48 UTC

[GitHub] dgrove-oss closed pull request #380: Document ICP and Dynamic DNS Provisioning

dgrove-oss closed pull request #380: Document ICP and Dynamic DNS Provisioning
URL: https://github.com/apache/incubator-openwhisk-deploy-kube/pull/380

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/README.md b/README.md
index 328ef15..b8907e5 100644
--- a/README.md
+++ b/README.md
@@ -189,7 +189,8 @@ appropriate to your Kubernetes cluster:
 * [Docker for Mac](docs/k8s-docker-for-mac.md#configuring-openwhisk)
 * [kubeadm-dind-cluster](docs/k8s-dind-cluster.md#configuring-openwhisk)
 * [Minikube](docs/k8s-minikube.md#configuring-openwhisk)
-* [IBM (IKS)](docs/k8s-ibm-public.md#configuring-openwhisk)
+* [IBM Kubernetes Service (IKS)](docs/k8s-ibm-public.md#configuring-openwhisk)
+* [IBM Cloud Private (ICP)](docs/k8s-ibm-private.md#configuring-openwhisk)
 * [Google (GKE)](docs/k8s-google.md#configuring-openwhisk)
 * [Amazon (EKS)](docs/k8s-aws.md#configuring-openwhisk)
 
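Review bot: The renamed entry "IBM Kubernetes Service (IKS)" and the new "IBM Cloud Private (ICP)" entry use a long-form provider name while the neighbouring entries keep the short form ("Google (GKE)", "Amazon (EKS)"); pick one style for the whole list. The new link target `docs/k8s-ibm-private.md#configuring-openwhisk` does resolve, since that file and its "Configuring OpenWhisk" heading are added later in this patch.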
diff --git a/docs/configurationChoices.md b/docs/configurationChoices.md
index 54b68d2..3ffad96 100644
--- a/docs/configurationChoices.md
+++ b/docs/configurationChoices.md
@@ -174,6 +174,10 @@ be scheduled.  If your Kubernetes cluster is properly configured to support
 including having a DefaultStorageClass admission controller and a
 designated default StorageClass, then this will all happen seamlessly.
 
+See [NFS Dynamis Storage Provisioning](./k8s-nfs-dynamic-storage.md) for one
+approach to provisioning dynamic storage if it's not already provisioned
+on your cluster.
+
 If your cluster is not properly configured, then you will need to
 manually create the necessary PersistentVolumes when deploying the
 Helm chart. In this case, you should also disable the use of dynamic
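Review bot: Typo in the new link text on the first added line: "NFS Dynamis Storage Provisioning" should read "NFS Dynamic Storage Provisioning" to match the H1 of the linked `k8s-nfs-dynamic-storage.md`.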
diff --git a/docs/k8s-ibm-private.md b/docs/k8s-ibm-private.md
new file mode 100644
index 0000000..53b429d
--- /dev/null
+++ b/docs/k8s-ibm-private.md
@@ -0,0 +1,194 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+# IBM IKS for OpenWhisk
+
+## Overview
+
+IBM Cloud Private (ICP) provides the core infrastructure needed to provision a
+production-quality OpenWhisk installation.  This document outlines
+ICP-specific steps needed to provision that installation, and calls out
+shortcuts that could be taken for development-grade installation.
+
+## Initial setup
+
+### Creating the Kubernetes Cluster
+
+Follow IBM Cloud Private instructions to provision your cluster.  Include
+GlusterFS provisioning, add
+[dynamic NFS provisioning](./k8s-nfs-dynamic-storage.md),
+or be prepared to provision volumes manually for OpenWhisk
+(see [here](./configurationChoices#persistence)).
+
+### Configuring OpenWhisk
+
+#### Configuring Image Security
+
+IBM Cloud Private includes a provision for filtering the images that are
+allowed to be deployed into a particular namespace.  One _could_ disable this
+capability for the OpenWhisk namespace, but initally it is best to define
+a policy for the namespace:  (In this case we assume the namespace is
+`openwhisk`)
+
+```yaml
+apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
+kind: ImagePolicy
+metadata:
+  name: openwhisk-image-policy
+  namespace: openwhisk
+spec:
+  repositories:
+  - name: docker.io/openwhisk/*
+    policy:
+      va:
+        enabled: false
+  - name: docker.io/apache/couchdb:*
+    policy:
+      va:
+        enabled: false
+  - name: docker.io/nginx:*
+    policy:
+      va:
+        enabled: false
+  - name: docker.io/redis:*
+    policy:
+      va:
+        enabled: false
+  - name: docker.io/zookeeper:*
+    policy:
+      va:
+        enabled: false
+  - name: docker.io/wurstmeister/kafka:*
+    policy:
+      va:
+        enabled: false
+```
+
+#### Configuring Ingress
+
+An IBM Cloud Private cluster has full support for TLS
+and can be configured with additional annotations to
+fine tune ingress performance.
+
+A prerequisite for OpenWhisk TLS access via Ingress as currently configured
+is a Fully Qualified Domain Name (FQDN) that can be resolved correctly from
+within OpenWhisk and points to the SSL Ingress point, usually your load
+balancer or proxy node.
+
+You will also need to create a TLS certificate to be used by the Ingress
+controller for your domain.  The YAML to create in Kubernetes is
+(substituting the real values for `<your fqdn>`):
+
+```yaml
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: openwhisk-tls-secret-1
+  namespace: openwhisk
+spec:
+  commonName: <your fqdn>
+  dnsNames:
+  - <your fqdn>
+  issuerRef:
+    kind: ClusterIssuer
+    name: icp-ca-issuer
+  secretName: openwhisk-tls-secret-1
+```
+
+#### Putting it all together
+
+Now define `mycluster.yaml` as below (substituting the real values for
+`<your fqdn>`).
+
+```yaml
+whisk:
+  ingress:
+    apiHostName: <your fqdn>
+    apiHostPort: 443
+    apiHostProto: https
+    type: standard
+    domain: <your fqdn>
+    tls:
+      enabled: true
+      secretenabled: true
+      createsecret: false
+      secretname: openwhisk-tls-secret-1
+    annotations:
+      # A blocking request is held open by the controller for slightly more than 60 seconds
+      # before it is responded to with HTTP status code 202 (accepted) and closed.
+      # Set to 75s to be on the safe side.
+      # See https://console.bluemix.net/docs/containers/cs_annotations.html#proxy-connect-timeout
+      # See http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "75s"
+
+      # Allow up to 50 MiB body size to support creation of large actions and large
+      # parameter sizes.
+      # See https://console.bluemix.net/docs/containers/cs_annotations.html#client-max-body-size
+      # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
+      nginx.ingress.kubernetes.io/client-max-body-size: "size=50m"
+
+      # Add the request_id, generated by nginx, to the request against the controllers. This id will be used as tid there.
+      # https://console.bluemix.net/docs/containers/cs_annotations.html#proxy-add-headers
+      nginx.ingress.kubernetes.io/proxy-add-headers: |
+        serviceName=controller {
+          'X-Request-ID' $request_id;
+        }
+
+k8s:
+  persistence:
+    defaultStorageClass: openwhisk
+```
+
+ICP does not (by default) provide a properly configured DefaultStorageClass,
+instead you need to tell the Helm chart to use a storage class you've
+defined (see Creating the Kubernetes Cluster
+[above](#creating-the-kubernetes-cluster)).
+
+#### Don't want to deal with Ingress (or can't create an FQDN)?
+
+An alternative to the Ingress-based access model is to
+use a NodePort. Use the IP address of any worker node in the cluster to
+define `mycluster.yaml` as
+
+```yaml
+whisk:
+  ingress:
+    type: NodePort
+    apiHostName: YOUR_WORKERS_PUBLIC_IP_ADDR
+    apiHostPort: 31001
+
+nginx:
+  httpsNodePort: 31001
+
+k8s:
+  persistence:
+    defaultStorageClass: openwhisk
+```
+
+ICP does not (by default) provide a properly configured DefaultStorageClass,
+instead you need to tell the Helm chart to use a storage class you've
+defined (see Creating the Kubernetes Cluster
+[above](#creating-the-kubernetes-cluster)).
+
+## Hints and Tips
+
+On IBM Cloud Private clusters, you can configure OpenWhisk to integrate
+with platform logging and monitoring services following the general
+instructions for enabling these services for pods deployed on
+Kubernetes.
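Review bot: Both `mycluster.yaml` samples set `k8s.persistence.defaultStorageClass: openwhisk`, but the NFS provisioner this document links to (`./k8s-nfs-dynamic-storage.md`) creates a StorageClass named `openwhisk-nfs`; unless the reader also defines a class literally named `openwhisk`, PVC binding will fail. Either use `openwhisk-nfs` here or state that the class name must match whatever was created. Further points in this file: the H1 reads "IBM IKS for OpenWhisk" although the page is about IBM Cloud Private, so it should be "IBM Cloud Private (ICP) for OpenWhisk"; the link `./configurationChoices#persistence` is missing the `.md` extension; "initally" should be "initially"; and the paragraph "ICP does not (by default) provide a properly configured DefaultStorageClass ..." appears twice verbatim, once after each YAML sample, so the second copy can be dropped or the paragraph moved above both samples. On the ImagePolicy, every repository entry sets `va: enabled: false`, which turns off Vulnerability Advisor scanning for the OpenWhisk, CouchDB, nginx, redis, zookeeper and kafka images; the prose should say explicitly that this is a trade-off made for an initial install and that operators of a production cluster may prefer to leave VA enabled (or scope the `docker.io/openwhisk/*` wildcard more narrowly) rather than learn of it only from the YAML.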
diff --git a/docs/k8s-nfs-dynamic-storage.md b/docs/k8s-nfs-dynamic-storage.md
new file mode 100644
index 0000000..1c62c27
--- /dev/null
+++ b/docs/k8s-nfs-dynamic-storage.md
@@ -0,0 +1,61 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+# Using Dynamic Storage Provisioning for OpenWhisk
+
+## NFS-based Dynamic Provisioning
+
+You will need an already-provisioned NFS server supporting NFS v4 or better,
+preferably provisioned for at least 5 GB.
+The server must be set up to accept connections from all nodes in your cluster --
+we leave it to you to determine the best strategy for that, though you may
+wish to consider the
+[nfs-server-provisioner](https://github.com/helm/charts/tree/master/stable/nfs-server-provisioner)
+Helm Chart (*TODO: link*) if youhave lots of storage available on your nodes or
+an NFS server provided by your cloud provider.
+
+Once the NFS server is defined, the fastest way to make a dynamic file store
+available is with the
+[nfs-client-provisioner](https://github.com/helm/charts/tree/master/stable/nfs-client-provisioner)
+helm Chart.
+
+Create a local file `openwhisk-nfs-client-provisioner.yaml` to configure the
+provisioner.  You need to provide the server and path information.  Note also
+that the storageClass is explictly defined.
+
+```yaml
+nfs:
+  #  See https://github.com/kubernetes-incubator/external-storage/tree/master/nfs-client
+  server: <!-- To be provided -->
+  path: <!-- To be provided -->
+
+storageClass:
+  name: openwhisk-nfs
+  reclaimPolicy: Delete
+```
+
+And run a command to install it...
+```
+helm install --namespace openwhisk \
+  --values ./openwhisk-nfs-client-provisioner.yaml \
+  stable/nfs-client-provisioner
+```
+
+When you configure OpenWhisk, do remember to set the `k8s.persistence.defaultStorageClass`
+to be `openwhisk`.  And then you should be off to the races.
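Review bot: The closing sentence tells the reader to set `k8s.persistence.defaultStorageClass` to `openwhisk`, but the `storageClass.name` defined a few lines above is `openwhisk-nfs`; the two must agree or the PVCs created by the OpenWhisk Helm chart will never bind. Smaller fixes in the same file: the "(*TODO: link*)" marker next to the nfs-server-provisioner link is stale since the link is already present; "youhave" should be "you have"; "helm Chart" should be "Helm chart" to match the rest of the document; "explictly" should be "explicitly"; the `server:` and `path:` placeholders `<!-- To be provided -->` are HTML comments, not YAML, and would be parsed as literal strings, so use plain placeholders such as `<nfs-server-ip>` and `<exported-path>`; and the `helm install` block should carry a `shell` language tag like the other fences. It is also worth a sentence that `reclaimPolicy: Delete` removes the backing NFS directory when a claim is deleted, which matters for the CouchDB volume holding OpenWhisk state.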
