Posted to commits@openwhisk.apache.org by dg...@apache.org on 2020/04/02 19:32:52 UTC
[openwhisk-deploy-kube] branch master updated (07e9aec -> 1ef8e23)
This is an automated email from the ASF dual-hosted git repository.
dgrove pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/openwhisk-deploy-kube.git.
from 07e9aec Explain why CouchDB connections may fail. (#592)
new d67925b update for AWS SSL support
new 2c6bd31 update for AWS SSL support
new 71db260 update docs for aws ssl
new 1ef8e23 remove trailing whitespace
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
docs/k8s-aws.md | 25 +++++++++++++++++++++-
.../configMapFiles/installPackages/myTask.sh | 14 ++++++------
helm/openwhisk/templates/install-packages-job.yaml | 6 +++++-
helm/openwhisk/templates/nginx-svc.yaml | 9 ++++++++
helm/openwhisk/templates/ow-whisk-cm.yaml | 8 +++++++
helm/openwhisk/values.yaml | 1 +
6 files changed, 54 insertions(+), 9 deletions(-)
[openwhisk-deploy-kube] 02/04: update for AWS SSL support
Posted by dg...@apache.org.
dgrove pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openwhisk-deploy-kube.git
commit 2c6bd31888e10c60858e4c861a07b013a5b30045
Author: Tom Barber <to...@spicule.co.uk>
AuthorDate: Tue Mar 17 21:41:17 2020 +0000
update for AWS SSL support
---
helm/openwhisk/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm/openwhisk/values.yaml b/helm/openwhisk/values.yaml
index 5406d8b..ae81ec2 100644
--- a/helm/openwhisk/values.yaml
+++ b/helm/openwhisk/values.yaml
@@ -48,7 +48,7 @@ whisk:
# See the "Configuring OpenWhisk section" of the docs/k8s-*.md that matches
# your cluster type for details on what values to provide and how to get them.
ingress:
- aws: "false"
+ awsSSL: "false"
apiHostName: ""
apiHostPort: 31001
apiHostProto: "https"
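Review bot: The renamed `awsSSL` key has no comment, and the templates test it with `eq .Values.whisk.ingress.awsSSL "true"`, which is a string comparison. Please add a line above the key saying what it enables and that the value must be the quoted string "true", since an unquoted YAML boolean would not match that comparison.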
[openwhisk-deploy-kube] 03/04: update docs for aws ssl
Posted by dg...@apache.org.
dgrove pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openwhisk-deploy-kube.git
commit 71db26075b960bbbefc96370fd4acd42d35b1642
Author: Tom Barber <to...@spicule.co.uk>
AuthorDate: Tue Mar 17 21:48:14 2020 +0000
update docs for aws ssl
---
docs/k8s-aws.md | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/docs/k8s-aws.md b/docs/k8s-aws.md
index 5fa956a..1c8c8ba 100644
--- a/docs/k8s-aws.md
+++ b/docs/k8s-aws.md
@@ -27,7 +27,7 @@
Follow Amazon's instructions to provision your cluster.
-### Configuring OpenWhisk
+### Configuring OpenWhisk using SSL and IAM
AWS's Elastic Kubernetes Service (EKS) does not support standard Kubernetes
ingress. Instead, it relies on provisioning Elastic Load
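Review bot: Renaming the heading to "Configuring OpenWhisk using SSL and IAM" changes its anchor, while the comment in helm/openwhisk/values.yaml still points readers to the "Configuring OpenWhisk section" of docs/k8s-*.md. Consider keeping "Configuring OpenWhisk" as the parent heading with the two variants beneath it, or updating the values.yaml comment in the same change.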
@@ -86,6 +86,29 @@ available before the hostname is actually properly registered in DNS.
Be patient and keep trying until you stop getting `no such host`
errors from `wsk` when attempting to access it.
+### Configuring Openwhisk using SSL and Elastic Loadbalancers
+
+Due to the way AWS supports TLS termination on ELBs there are a couple of configuration options required to put a
+signed certificate in place when deploying openwhisk.
+
+First ensure you have a signed certificate in your AWS Certificate Manager.
+
+Then ensure you enable the following:
+```yaml
+whisk:
+ ingress:
+ awsSSL: "true"
+ type: LoadBalancer
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https-api
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <your certificate ARN>
+```
+
+This will setup a loadbalanced service that allows your users to connect via HTTPS to the cluster. Internally we switch
+from SSL to plain HTTP communication as we're forwarding ports internally.
+Please read [this doc](https://kubernetes-on-aws.readthedocs.io/en/latest/user-guide/tls-termination.html#common-pitfalls) for more information.
+
## Hints and Tips
## Limitations
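Review bot: The closing paragraph of the new section says "Internally we switch from SSL to plain HTTP" without saying which hop that is. Please state that TLS ends at the ELB (the backend-protocol annotation is http) and that traffic from the ELB to the nginx service is unencrypted, so operators can decide whether that fits their network. Minor: the heading and body use "Openwhisk" and "openwhisk" where the heading above uses "OpenWhisk", and "Loadbalancers" should be "Load Balancers".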
[openwhisk-deploy-kube] 04/04: remove trailing whitespace
Posted by dg...@apache.org.
dgrove pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openwhisk-deploy-kube.git
commit 1ef8e235809001a34c91daeebe9821fbdf96ea79
Author: David Grove <gr...@us.ibm.com>
AuthorDate: Wed Mar 25 09:13:30 2020 -0400
remove trailing whitespace
---
docs/k8s-aws.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/k8s-aws.md b/docs/k8s-aws.md
index 1c8c8ba..b73e868 100644
--- a/docs/k8s-aws.md
+++ b/docs/k8s-aws.md
@@ -91,7 +91,7 @@ errors from `wsk` when attempting to access it.
Due to the way AWS supports TLS termination on ELBs there are a couple of configuration options required to put a
signed certificate in place when deploying openwhisk.
-First ensure you have a signed certificate in your AWS Certificate Manager.
+First ensure you have a signed certificate in your AWS Certificate Manager.
Then ensure you enable the following:
```yaml
@@ -105,8 +105,8 @@ whisk:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <your certificate ARN>
```
-This will setup a loadbalanced service that allows your users to connect via HTTPS to the cluster. Internally we switch
-from SSL to plain HTTP communication as we're forwarding ports internally.
+This will setup a loadbalanced service that allows your users to connect via HTTPS to the cluster. Internally we switch
+from SSL to plain HTTP communication as we're forwarding ports internally.
Please read [this doc](https://kubernetes-on-aws.readthedocs.io/en/latest/user-guide/tls-termination.html#common-pitfalls) for more information.
## Hints and Tips
[openwhisk-deploy-kube] 01/04: update for AWS SSL support
Posted by dg...@apache.org.
dgrove pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openwhisk-deploy-kube.git
commit d67925ba6a8953c68b7cf76a8e26cd4e5bd45e32
Author: Tom Barber <to...@spicule.co.uk>
AuthorDate: Tue Mar 17 21:40:57 2020 +0000
update for AWS SSL support
---
helm/openwhisk/configMapFiles/installPackages/myTask.sh | 14 +++++++-------
helm/openwhisk/templates/install-packages-job.yaml | 6 +++++-
helm/openwhisk/templates/nginx-svc.yaml | 9 +++++++++
helm/openwhisk/templates/ow-whisk-cm.yaml | 8 ++++++++
helm/openwhisk/values.yaml | 1 +
5 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/helm/openwhisk/configMapFiles/installPackages/myTask.sh b/helm/openwhisk/configMapFiles/installPackages/myTask.sh
index 04691d8..23947d0 100644
--- a/helm/openwhisk/configMapFiles/installPackages/myTask.sh
+++ b/helm/openwhisk/configMapFiles/installPackages/myTask.sh
@@ -54,14 +54,14 @@ pushd $OPENWHISK_HOME/ansible/roles/routemgmt/files
PASSED=false
TRIES=0
until $PASSED || [ $TRIES -eq 10 ]; do
- if ./installRouteMgmt.sh $WHISK_AUTH $WHISK_API_HOST $WHISK_SYSTEM_NAMESPACE /usr/local/bin/wsk; then
+ if ./installRouteMgmt.sh $WHISK_AUTH $WHISK_API_HOST_URL $WHISK_SYSTEM_NAMESPACE /usr/local/bin/wsk; then
PASSED=true
echo "Successfully deployed routemgmt package"
else
echo "Failed to deploy routemgmt package; will pause, uninstall, and try again"
let TRIES=TRIES+1
sleep 10
- ./uninstallRouteMgmt.sh $WHISK_AUTH $WHISK_API_HOST $WHISK_SYSTEM_NAMESPACE /usr/local/bin/wsk;
+ ./uninstallRouteMgmt.sh $WHISK_AUTH $WHISK_API_HOST_URL $WHISK_SYSTEM_NAMESPACE /usr/local/bin/wsk;
fi
done
if ! $PASSED; then
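Review bot: With `awsSSL` set to "true", whisk_api_host_url in ow-whisk-cm.yaml is an http:// URL, so installRouteMgmt.sh and uninstallRouteMgmt.sh now present `$WHISK_AUTH` to the API over plain HTTP. That traffic stays inside the cluster, but it deserves a comment here or in the docs so the trade-off is a recorded decision.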
@@ -79,7 +79,7 @@ pushd openwhisk-catalog
popd
pushd openwhisk-catalog/packages
- ./installCatalogUsingWskdeploy.sh $WHISK_AUTH $WHISK_API_HOST /usr/local/bin/wsk || exit 1
+ ./installCatalogUsingWskdeploy.sh $WHISK_AUTH $WHISK_API_HOST_URL /usr/local/bin/wsk || exit 1
popd
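Review bot: `$WHISK_AUTH` and `$WHISK_API_HOST_URL` are expanded unquoted on the installCatalogUsingWskdeploy.sh line. Now that the argument is a full URL read from a ConfigMap, quote it as "$WHISK_API_HOST_URL" so word splitting or globbing cannot change the argument list; the same applies to the other call sites this commit touches.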
@@ -101,7 +101,7 @@ if [ "$OW_INSTALL_ALARM_PROVIDER" == "yes" ]; then
pushd /openwhisk-package-alarms
git checkout $OW_GIT_TAG_OPENWHISK_PACKAGE_ALARMS
- ./installCatalog.sh $WHISK_AUTH $WHISK_API_HOST $PROVIDER_DB_URL $ALARM_DB_PREFIX $WHISK_API_HOST || exit 1
+ ./installCatalog.sh $WHISK_AUTH $WHISK_API_HOST_URL $PROVIDER_DB_URL $ALARM_DB_PREFIX $WHISK_API_HOST_URL || exit 1
popd
fi
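Review bot: Both host arguments to installCatalog.sh change here, the second and the last, from `$WHISK_API_HOST` to a URL that carries a scheme. Please confirm that the last parameter accepts a scheme-qualified URL and is not used somewhere that expects a bare host, since the two positions presumably serve different purposes. The cloudant and kafka hunks repeat the same pattern.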
@@ -116,7 +116,7 @@ if [ "$OW_INSTALL_CLOUDANT_PROVIDER" == "yes" ]; then
pushd /openwhisk-package-cloudant
git checkout $OW_GIT_TAG_OPENWHISK_PACKAGE_CLOUDANT
- ./installCatalog.sh $WHISK_AUTH $WHISK_API_HOST $PROVIDER_DB_URL $CLOUDANT_DB_PREFIX $WHISK_API_HOST || exit 1
+ ./installCatalog.sh $WHISK_AUTH $WHISK_API_HOST_URL $PROVIDER_DB_URL $CLOUDANT_DB_PREFIX $WHISK_API_HOST_URL || exit 1
popd
fi
@@ -131,8 +131,8 @@ if [ "$OW_INSTALL_KAFKA_PROVIDER" == "yes" ]; then
pushd /openwhisk-package-kafka
git checkout $OW_GIT_TAG_OPENWHISK_PACKAGE_KAFKA
- ./installKafka.sh $WHISK_AUTH $WHISK_API_HOST $PROVIDER_DB_URL $KAFKA_DB_PREFIX $WHISK_API_HOST || exit 1
- ./installCatalog.sh $WHISK_AUTH $WHISK_API_HOST $PROVIDER_DB_URL $KAFKA_DB_PREFIX $WHISK_API_HOST || exit 1
+ ./installKafka.sh $WHISK_AUTH $WHISK_API_HOST_URL $PROVIDER_DB_URL $KAFKA_DB_PREFIX $WHISK_API_HOST_URL || exit 1
+ ./installCatalog.sh $WHISK_AUTH $WHISK_API_HOST_URL $PROVIDER_DB_URL $KAFKA_DB_PREFIX $WHISK_API_HOST_URL || exit 1
popd
fi
diff --git a/helm/openwhisk/templates/install-packages-job.yaml b/helm/openwhisk/templates/install-packages-job.yaml
index 6535ac8..de12aa6 100644
--- a/helm/openwhisk/templates/install-packages-job.yaml
+++ b/helm/openwhisk/templates/install-packages-job.yaml
@@ -61,7 +61,11 @@ spec:
configMapKeyRef:
name: {{ .Release.Name }}-whisk.config
key: whisk_api_host_nameAndPort
-
+ - name: "WHISK_API_HOST_URL"
+ valueFrom:
+ configMapKeyRef:
+ name: {{ .Release.Name }}-whisk.config
+ key: whisk_api_host_url
# apigateway configuration (for installing routemgmt actions)
- name: "WHISK_SYSTEM_NAMESPACE"
valueFrom:
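Review bot: The new WHISK_API_HOST_URL entry replaces the blank line that separated the API host settings from the "# apigateway configuration" group, so that comment now reads as if it closes the host block. Keep a blank line after the new entry. If myTask.sh no longer reads WHISK_API_HOST after this commit, the whisk_api_host_nameAndPort entry above it could be dropped as well.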
diff --git a/helm/openwhisk/templates/nginx-svc.yaml b/helm/openwhisk/templates/nginx-svc.yaml
index ee478be..e67bc61 100644
--- a/helm/openwhisk/templates/nginx-svc.yaml
+++ b/helm/openwhisk/templates/nginx-svc.yaml
@@ -19,6 +19,12 @@
apiVersion: v1
kind: Service
metadata:
+ {{- if eq .Values.whisk.ingress.type "LoadBalancer" }}
+ annotations:
+ {{- range $key, $value := .Values.whisk.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
name: {{ .Release.Name }}-nginx
labels:
name: {{ .Release.Name }}-nginx
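Review bot: `annotations:` is emitted whenever the type is LoadBalancer, even when `.Values.whisk.ingress.annotations` is unset, which renders an empty key. Wrap the block in `{{- with .Values.whisk.ingress.annotations }}` inside the type check, and add an `annotations: {}` default to values.yaml, which the values.yaml hunk in this commit does not include.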
@@ -39,4 +45,7 @@ spec:
nodePort: {{ .Values.nginx.httpsNodePort }}
{{- end }}
name: https-api
+ {{- if eq .Values.whisk.ingress.awsSSL "true"}}
+ targetPort: http
+ {{- end}}
{{- end }}
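Review bot: With `awsSSL` the port named https-api forwards to the container's http port, which is easy to misread later; add a template comment saying TLS is terminated at the ELB. Also `"true"}}` and `{{- end}}` are missing the space before the closing braces that the rest of this file uses.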
diff --git a/helm/openwhisk/templates/ow-whisk-cm.yaml b/helm/openwhisk/templates/ow-whisk-cm.yaml
index 222fc24..2e20623 100644
--- a/helm/openwhisk/templates/ow-whisk-cm.yaml
+++ b/helm/openwhisk/templates/ow-whisk-cm.yaml
@@ -27,11 +27,19 @@ data:
whisk_cli_version_tag: {{ .Values.whisk.versions.openwhiskCli.tag | quote }}
whisk_system_namespace: {{ .Values.whisk.systemNameSpace | quote }}
{{- if eq .Values.whisk.ingress.type "LoadBalancer" }}
+{{- if eq .Values.whisk.ingress.awsSSL "true" }}
+ whisk_api_host_proto: "http"
+ whisk_api_host_port: {{ .Values.nginx.httpPort | quote }}
+ whisk_api_host_name: "{{ .Release.Name }}-nginx.{{ .Release.Namespace }}.svc.{{ .Values.k8s.domain }}"
+ whisk_api_host_nameAndPort: "{{ .Release.Name }}-nginx.{{ .Release.Namespace }}.svc.{{ .Values.k8s.domain }}:{{ .Values.nginx.httpPort }}"
+ whisk_api_host_url: "http://{{ .Release.Name }}-nginx.{{ .Release.Namespace }}.svc.{{ .Values.k8s.domain }}:{{ .Values.nginx.httpPort }}"
+{{- else }}
whisk_api_host_proto: "https"
whisk_api_host_port: {{ .Values.nginx.httpsPort | quote }}
whisk_api_host_name: "{{ .Release.Name }}-nginx.{{ .Release.Namespace }}.svc.{{ .Values.k8s.domain }}"
whisk_api_host_nameAndPort: "{{ .Release.Name }}-nginx.{{ .Release.Namespace }}.svc.{{ .Values.k8s.domain }}:{{ .Values.nginx.httpsPort }}"
whisk_api_host_url: "https://{{ .Release.Name }}-nginx.{{ .Release.Namespace }}.svc.{{ .Values.k8s.domain }}:{{ .Values.nginx.httpsPort }}"
+{{- end }}
{{- else }}
whisk_api_host_proto: {{ .Values.whisk.ingress.apiHostProto | quote }}
whisk_api_host_port: {{ .Values.whisk.ingress.apiHostPort | quote }}
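Review bot: The awsSSL branch repeats all five keys and differs from the else branch only in scheme and port, so the two copies can drift. Consider setting the proto and port in variables once and rendering the keys a single time. Note also that awsSSL is only honoured when the ingress type is LoadBalancer; with any other type it is silently ignored, which deserves a mention in the docs.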
diff --git a/helm/openwhisk/values.yaml b/helm/openwhisk/values.yaml
index 4adc202..5406d8b 100644
--- a/helm/openwhisk/values.yaml
+++ b/helm/openwhisk/values.yaml
@@ -48,6 +48,7 @@ whisk:
# See the "Configuring OpenWhisk section" of the docs/k8s-*.md that matches
# your cluster type for details on what values to provide and how to get them.
ingress:
+ aws: "false"
apiHostName: ""
apiHostPort: 31001
apiHostProto: "https"
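Review bot: This adds the default as `aws: "false"`, but the templates in this same commit read `.Values.whisk.ingress.awsSSL` (nginx-svc.yaml and ow-whisk-cm.yaml), so at this revision the key the templates test has no default. Name it `awsSSL` here rather than correcting it in a follow-up commit, so that each commit renders on its own.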