Posted to commits@openwhisk.apache.org by cs...@apache.org on 2018/05/16 23:36:15 UTC

[incubator-openwhisk-deploy-kube] branch master updated: add ingress configuration for IBM Cloud Standard Clusters to Helm deploy (#200)

This is an automated email from the ASF dual-hosted git repository.

csantanapr pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk-deploy-kube.git


The following commit(s) were added to refs/heads/master by this push:
     new 58b9b4e  add ingress configuration for IBM Cloud Standard Clusters to Helm deploy (#200)
58b9b4e is described below

commit 58b9b4eab738c0de2bdbb866b2b3b9b5e4d67629
Author: David Grove <dg...@users.noreply.github.com>
AuthorDate: Wed May 16 19:36:13 2018 -0400

    add ingress configuration for IBM Cloud Standard Clusters to Helm deploy (#200)
---
 helm/README.md                     |  35 +++++-----
 helm/ingress.md                    | 131 +++++++++++++++++++++++++++++++++++++
 helm/templates/apigateway.yaml     |  11 +---
 helm/templates/cluster_config.yaml |   1 -
 helm/templates/ingress.yaml        |  67 +++++++++++++++++++
 helm/values.yaml                   |   4 +-
 tools/travis/build-helm.sh         |   5 +-
 7 files changed, 220 insertions(+), 34 deletions(-)

diff --git a/helm/README.md b/helm/README.md
index c774a2e..83383aa 100644
--- a/helm/README.md
+++ b/helm/README.md
@@ -77,26 +77,26 @@ you want to be an invoker, execute
 $ kubectl label nodes <INVOKER_NODE_NAME> openwhisk-role=invoker
 ```
 
-### Step 4. Deploy Charts
-You will need to create a mycluster.yaml file that specifies the host
-and port information that will be used to access your cluster.  See
-the [ingress discussion](../kubernetes/ingress/README.md) for
-details. Below is a sample file appropriate for a minikube cluster
-where `minikube ip` returns `192.168.99.100`.
+### Step 4. Define `mycluster.yaml`
+
+You will need to create a mycluster.yaml file that records how the
+OpenWhisk deployment on your cluster will be accessed by clients.  See
+the [ingress discussion](./ingress.md) for details. Below is a sample
+file appropriate for a minikube cluster where `minikube ip` returns
+`192.168.99.100` and port 31001 is available to be used.
 
 ```yaml
 whisk:
   ingress:
+    type: NodePort
     api_host: 192.168.99.100:31001
-    apigw_url: http://192.168.99.100:31004
 
 nginx:
   httpsNodePort: 31001
-
-apigw:
-  apiNodePort: 31004
 ```
 
+### Step 5. Deploy Charts
+
 Deployment can be done by using the following single command:
 ```shell
 helm install . --namespace=openwhisk --name=your_release_name -f mycluster.yaml
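
Review bot: In the Step 4 sample, the port now appears twice (`api_host: 192.168.99.100:31001` and `nginx.httpsNodePort: 31001`), and nothing in the text says the two must match. A reader who picks a different free port and edits only one of them gets a deployment whose advertised API host does not point at the nginx NodePort. Suggest one sentence stating that the port in `whisk.ingress.api_host` must equal `nginx.httpsNodePort`.
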
@@ -107,18 +107,19 @@ After a while, if you can see all the pods listed by the following command are i
 kubectl get pods -n openwhisk
 ```
 
-### Test Deployment
+### Step 6. Configure the `wsk` CLI
 
-Install an [OpenWhisk client](https://github.com/apache/incubator-openwhisk/tree/master/docs) to test the deployed OpenWhisk environment.
-
-For now, we are using nginx to provide web access for OpenWhisk client. By default, the nginx service is configured to run at port 31000 for HTTP connection and 31001 for HTTPS connection.
-
-As a result, please run the following command to config your OpenWhisk client:
+Configure the OpenWhisk CLI, wsk, by setting the auth and apihost
+properties (if you don't already have the wsk cli, follow the
+instructions [here](https://github.com/apache/incubator-openwhisk-cli)
+to get it).
 ```shell
-wsk property set --apihost http://<nginx_node_IP>:31000
+wsk property set --apihost <Value of whisk.ingress.api_host from mycluster.yaml>
 wsk property set --auth 23bc46b1-71f6-4ed5-8c54-816aa4f8c502:123zO3xZCLrMN6v2BKK1dXYFpXlPkccOFqm12CdAsMgRU4VrNZ9lyGVCGuMDGIwP
 ```
 
+### Step 7. Test your Deployment
+
 Prepare a small js function like the following and save it to `greeting.js`:
 ```js
 /**
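
Review bot: Step 6 no longer tells NodePort users that the endpoint is HTTPS with a self-signed certificate. The old text pointed at `http://<nginx_node_IP>:31000`, while the new `--apihost` value resolves to the 31001 HTTPS port, and the `ingress.md` added in this commit says `wsk -i` is needed there. Suggest stating that here, scoped to NodePort deployments, so that `-i` does not become a habit on the `ibm.standard` path where certificate checking works. The literal `--auth` value should also be labelled as the chart's default credential that has to be replaced outside of test clusters, matching the "_MUST_ override" comment in `values.yaml`.
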
diff --git a/helm/ingress.md b/helm/ingress.md
new file mode 100644
index 0000000..ce3459a
--- /dev/null
+++ b/helm/ingress.md
@@ -0,0 +1,131 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+Ingress
+-------
+
+Defining a Kubernetes Ingress is what makes the OpenWhisk system you
+are going to deploy available outside of your Kubernetes cluster. When
+you select an ingress method, you are determining what values to use
+for the `whisk.ingress` stanza of your `mycluster.yaml` file that you
+will use in the `helm install` command.  You will need to define
+values for at least `whisk.ingress.type` and `whisk.ingress.api_host`.
+
+Unfortunately, the exact details of configuring an Ingress vary across
+cloud providers.  The detailed instructions
+[below](#possible-ingress-types) describe multiple possible Ingress
+configurations.  We welcome contributions from the community to
+describe how to configure Ingress for additional cloud providers.
+
+If you are deploying on minikube, use the NodePort instructions below.
+
+# Possible Ingress Types
+
+## NodePort
+
+NodePort is the simplest type of Ingress and is suitable for use with
+minikube and single node clusters that do not support more advanced
+ingress options.  Deploying a NodePort ingress will expose a port on
+each Kubernetes worker node for OpenWhisk's nginx service.
+In this Ingress, TLS termination will be handled by OpenWhisk's
+`nginx` service and will use self-signed certificates.  You will need
+to invoke `wsk` with the `-i` command line argument to bypass
+certificate checking.
+
+First,  obtain the IP address of the Kubernetes nodes. If you are
+using minikube, use the command
+```shell
+minikube ip
+```
+otherwise use
+```
+kubectl get nodes
+```
+
+Next pick an unassigned port (eg 31001) and define mycluster.yaml as
+```yaml
+whisk:
+  ingress:
+    type: NodePort
+    api_host: 192.168.99.100:31001
+
+nginx:
+  httpsNodePort: 31001
+```
+
+## IBM Cloud
+
+### IBM Cloud Lite cluster
+
+The only available ingress method for a Lite cluster is to use a
+NodePort (see above). Obtain the Public IP address of the sole worker
+node by using the command
+ ```
+bx cs workers <my-cluster>
+ ```
+Then define mycluster.yaml as
+
+```yaml
+whisk:
+  ingress:
+    type: NodePort
+    api_host: YOUR_WORKERS_PUBLIC_IP_ADDR:31001
+
+nginx:
+  httpsNodePort: 31001
+```
+
+### IBM Cloud standard cluster
+
+This type of cluster can support a more advanced ingress style that
+does not use self-signed certificates for TLS termination (you can use
+`wsk` instead of `wsk -i`).  You will need to determine the values for
+<ibmdomain> and <ibmtlssecret> for your cluster by running the command
+```
+bx cs cluster-get <mycluster>
+```
+The CLI output will look something like
+```
+bx cs cluster-get <mycluster>
+Retrieving cluster <mycluster>...
+OK
+Name:    <mycluster>
+ID:    b9c6b00dc0aa487f97123440b4895f2d
+Created:  2017-04-26T19:47:08+0000
+State:    normal
+Master URL:  https://169.57.40.165:1931
+Ingress subdomain:  <ibmdomain>
+Ingress secret:  <ibmtlssecret>
+Workers:  3
+```
+
+Now define mycluster.yaml as below (substituting the real values for
+`<ibmdomain>` and `<ibmtlssecret>`).
+```yaml
+whisk:
+  ingress:
+    type: ibm.standard
+    ibmdomain: <ibmdomain>
+    ibmtlssecret: <ibmtlssecret>
+    api_host: <ibmdomain>
+```
+
+## Other cloud providers
+
+Please submit Pull Requests with instructions for other cloud providers.
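
Review bot: The sample `bx cs cluster-get` output under "IBM Cloud standard cluster" carries what look like real values for `ID:` and `Master URL:` while the other fields use placeholders; please replace both with placeholders such as `<cluster-id>` and `<master-url>`. In the paragraph above it, `<ibmdomain>` and `<ibmtlssecret>` are written without backticks, so a Markdown renderer will treat them as HTML tags and drop them; the later paragraph already uses backticks. In the NodePort section, the `-i` advice would read better with a note that it disables certificate verification and is meant for minikube and test clusters. Minor: the fences around `bx cs workers <my-cluster>` are indented by one space and the `kubectl get nodes` fence has no language tag, unlike the other blocks.
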
diff --git a/helm/templates/apigateway.yaml b/helm/templates/apigateway.yaml
index 15a698c..ba3e1eb 100644
--- a/helm/templates/apigateway.yaml
+++ b/helm/templates/apigateway.yaml
@@ -10,18 +10,12 @@ metadata:
   labels:
     name: {{ .Values.apigw.name | quote }}
 spec:
-  {{- if .Values.apigw.apiNodePort }}
-  type: NodePort
-  {{- end }}
   selector:
     name: {{ .Values.apigw.name | quote }}
   ports:
     - port: {{ .Values.apigw.mgmtPort }}
       name: mgmt
     - port: {{ .Values.apigw.apiPort }}
-      {{- if .Values.apigw.apiNodePort }}
-      nodePort: {{ .Values.apigw.apiNodePort }}
-      {{- end }}
       name: api
 
 ---
@@ -66,7 +60,4 @@ spec:
           - name: "REDIS_PORT"
             value: "6379"
           - name: "PUBLIC_GATEWAY_URL"
-            valueFrom:
-              configMapKeyRef:
-                name: whisk.ingress
-                key: apigw_url
+            value: "https://{{ .Values.whisk.ingress.api_host }}"
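
Review bot: `PUBLIC_GATEWAY_URL` is now built from `.Values.whisk.ingress.api_host` without the `required` guard that `cluster_config.yaml` applies to the same value, and the scheme is fixed to `https`. If this template is rendered with the default from `values.yaml`, the gateway would advertise `https://nil`. Suggest wrapping the value, e.g. `{{ required "A valid api_host is required" .Values.whisk.ingress.api_host }}`, and adding a comment that the gateway's public URL now shares the nginx/ingress TLS endpoint, since the dedicated `apigw_url` setting is gone.
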
diff --git a/helm/templates/cluster_config.yaml b/helm/templates/cluster_config.yaml
index c2c4220..237edf6 100644
--- a/helm/templates/cluster_config.yaml
+++ b/helm/templates/cluster_config.yaml
@@ -9,7 +9,6 @@ metadata:
   namespace: {{ .Release.Namespace | quote }}
 data:
   api_host: {{ required "A valid api_host is required" .Values.whisk.ingress.api_host }}
-  apigw_url: {{ required "A valid apigw_url is required" .Values.whisk.ingress.apigw_url }}
 
 ---
 apiVersion: v1
diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml
new file mode 100644
index 0000000..bb3fc6c
--- /dev/null
+++ b/helm/templates/ingress.yaml
@@ -0,0 +1,67 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more contributor
+# license agreements; and to You under the Apache License, Version 2.0.
+
+{{- if eq .Values.whisk.ingress.type "ibm.standard" }}
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ .Values.whisk.ingress.name | quote }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # A blocking request is held open by the controller for slightly more than 60 seconds
+    # before it is responded to with HTTP status code 202 (accepted) and closed.
+    # Set to 75s to be on the safe side.
+    # See https://console.bluemix.net/docs/containers/cs_annotations.html#proxy-connect-timeout
+    # See http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout
+    ingress.bluemix.net/proxy-read-timeout: "75s"
+
+    # Allow up to 50 MiB body size to support creation of large actions and large
+    # parameter sizes.
+    # See https://console.bluemix.net/docs/containers/cs_annotations.html#client-max-body-size
+    # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
+    ingress.bluemix.net/client-max-body-size: "size=50m"
+
+    # Add the request_id, generated by nginx, to the request against the controllers. This id will be used as tid there.
+    # https://console.bluemix.net/docs/containers/cs_annotations.html#proxy-add-headers
+    ingress.bluemix.net/proxy-add-headers: |
+      serviceName=controller {
+        'X-Request-ID' $request_id;
+      }
+spec:
+  tls:
+  - hosts:
+    - {{ .Values.whisk.ingress.ibmdomain }}
+    secretName: {{ .Values.whisk.ingress.ibmtlssecret }}
+  rules:
+  - host: {{ .Values.whisk.ingress.ibmdomain }}
+    http:
+      paths:
+      - path: /api/v1/web
+        backend:
+          serviceName: controller
+          servicePort: http
+      - path: /api/v1
+        backend:
+          serviceName: controller
+          servicePort: http
+      # API GW generated API invocation
+      - path: /api
+        backend:
+          serviceName: apigateway
+          servicePort: mgmt
+      # API GW health status
+      - path: /v1/health-check
+        backend:
+          serviceName: apigateway
+          servicePort: api
+      # API management REST APIs
+      - path: /v2
+        backend:
+          serviceName: apigateway
+          servicePort: api
+      - path: /
+        backend:
+          serviceName: nginx
+          servicePort: http
+{{- end }}
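
Review bot: The backend port names on the `apigateway` paths look swapped relative to their comments: `/api` ("API GW generated API invocation") goes to `servicePort: mgmt`, while `/v2` ("API management REST APIs") and `/v1/health-check` go to `servicePort: api`. Please confirm the mapping is intended, because it decides which gateway port is reachable from outside the cluster. Separately, `ibmdomain` and `ibmtlssecret` are used without `required`; if either is missing, the rule renders with an empty `host:` (which matches any hostname) or an empty `secretName:`. Wrapping both in `required` would fail the install early. The `eq .Values.whisk.ingress.type "ibm.standard"` test on the first line also assumes `type` is always set, yet `values.yaml` gives it no default.
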
diff --git a/helm/values.yaml b/helm/values.yaml
index 5d28497..bcffa16 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -5,10 +5,10 @@
 
 # Overall system configuration
 whisk:
-  # You must provide these ingress values when deploying the chart
   ingress:
+    name: "ow-ingress"
+    # You _MUST_ provide a value for whisk.ingress.api_host when deploying the chart
     api_host: nil
-    apigw_url: nil
   # Production deployments _MUST_ override these default auth values
   auth:
     system: "789c46b1-71f6-4ed5-8c54-816aa4f8c502:abczO3xZCLrMN6v2BKK1dXYFpXlPkccOFqm12CdAsMgRU4VrNZ9lyGVCGuMDGIwP"
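
Review bot: `api_host: nil` does not give the "_MUST_ provide" comment any teeth. `nil` is not a YAML null, so it parses as the non-empty string "nil", and the `required "A valid api_host is required"` check in `cluster_config.yaml` passes on it. Suggest `api_host: ""` (or `~`) so a missing override fails at install time. The same stanza should also carry a default or a documented placeholder for `type`, which `ingress.md` lists as mandatory and `templates/ingress.yaml` reads unconditionally.
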
diff --git a/tools/travis/build-helm.sh b/tools/travis/build-helm.sh
index d5c6971..b1679e0 100755
--- a/tools/travis/build-helm.sh
+++ b/tools/travis/build-helm.sh
@@ -150,15 +150,12 @@ travis: true
 
 whisk:
   ingress:
+    type: NodePort
     api_host: $WSK_HOST:$WSK_PORT
-    apigw_url: http://$WSK_HOST:$APIGW_PORT
   runtimes: "runtimes-minimal-travis.json"
 
 nginx:
   httpsNodePort: $WSK_PORT
-
-apigw:
-  apiNodePort: $APIGW_PORT
 EOF
 
 cat mycluster.yaml
