From 1764d84ac5a3336c1249f489224b66ceaeb6842b Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Wed, 26 Aug 2020 11:41:28 +0100 Subject: [PATCH] Update docs --- Quickstart.md | 45 ++++++++------------------------- README.md | 70 ++++++++++++++++++++++++++++----------------------- 2 files changed, 48 insertions(+), 67 deletions(-) diff --git a/Quickstart.md b/Quickstart.md index 28b811f8..6623ce99 100644 --- a/Quickstart.md +++ b/Quickstart.md @@ -34,11 +34,18 @@ Cloudbender creates a kubezero config file, which incl. all outputs from the Clo ## Deploy KubeZero Helm chart `./deploy.sh` -The deploy script will handle the initial bootstrap process up to point of installing advanced services like Istio or Prometheus. -It will take about 10min to reach the point of being able to install these advanced services. +The deploy script will handle the initial bootstrap process as well as the roll out of advanced components like Prometheus, Istio and ElasticSearch/Kibana in various phases. + +It will take about 10 to 15 minutes for ArgoCD to roll out all the services... + + +# Own apps +- Add your own application to ArgoCD via the cli + +# Troubleshooting ## Verify ArgoCD -At this stage we there is no support for any kind of Ingress yet. To reach the Argo API port forward from localhost via: +To reach the Argo API port forward from localhost via: `kubectl port-forward svc/kubezero-argocd-server -n argocd 8080:443` Next download the argo-cd cli, details for different OS see https://argoproj.github.io/argo-cd/cli_installation/ 
@@ -46,37 +53,5 @@ Next download the argo-cd cli, details for different OS see https://argoproj.git Finally login into argo-cd via `argocd login localhost:8080` using the *admin* user and the password set in values.yaml earlier. List all Argo applications via: `argocd app list`. -Currently it is very likely that you need to manually trigger sync runs for `cert-manager`as well as `kiam`. -eg. `argocd app cert-manager sync` -# Only proceed any further if all Argo Applications show healthy !! - -## WIP not yet integrated into KubeZero - -### Istio -Istio is currently pinned to version 1.4.X as this is the last version supporting installation via helm charts. - -Until Istio is integrated into KubeZero as well as upgraded to 1.6 we have to install manually. - -- adjust values.yaml -- update domain in `ingress-certificate.yaml` -- update.sh -- deploy.sh - -### Logging -To deploy fluentbit only required adjustment is the `fluentd_host=` in the kustomization.yaml. - -- deploy namespace for logging via deploy.sh -- deploy fluentbit via `kubectl apply -k fluentbit` - -### Prometheus / Grafana -Only adjustment required is the ingress routing config in istio-service.yaml. Adjust as needed before executing: -`deploy.sh` - -### EFS CSI -- add the EFS fs-ID from the worker cloudformation output into values.yaml and the efs-pv.yaml -- `./deploy.sh` - -# Demo / own apps -- Add your own application to ArgoCD via the cli \ No newline at end of file diff --git a/README.md b/README.md index b945c68e..04afae0e 100644 --- a/README.md +++ b/README.md 
@@ -14,44 +14,50 @@ All chosen components are 100% organic OpenSource. - Work within each community / give back -# Components +## General +- Container runtime cri-o rather than Docker for improved security and performance -## Network / CNI -- Calico using VxLAN as default backend -## Certificate management -- cert-manager incl. a local self-signed cluster CA +## Control plane +- support for single node control plane for small clusters / test environments to reduce costs +- access to control plane from within the VPC only by default ( VPN access required for Admin tasks ) +- controller nodes are used for various platform admin controllers / operators to reduce costs and noise on worker nodes +- integrated ArgoCD Gitops controller -## Metrics / Alerting -- Prometheus / Grafana +## AWS IAM access control +- Kiam allowing IAM roles per pod +- IAM roles are assumed / requested and cached on controller nodes for improved security +- blocking access to meta-data service on all nodes +- IAM roles are maintained/ automated and tracked via CFN templates -## Logging -- Fluent-bit -- Fluentd -- ElasticSearch -- Kibana - -## Dashboard -- see ArgoCD +## Network +- Calico using VxLAN incl. increased MTU +- allows way more containers per worker +- isolates container traffic from VPC by using VxLAN overlay +- no restrictions on IP space / sizing from the underlying VPC architecture ## Storage -- EBS external CSI storage provider -- EFS external CSI storage provider -- LocalVolumes -- LocalPath +- flexible EBS support incl. 
zone awareness +- EFS support via automated EFS provisioning for worker groups via CFN templates +- local storage provider for latency sensitive high performance workloads -## Ingress -- AWS Network Loadbalancer -- Istio providing Public and Private Envoy proxies -- HTTP(s) and TCP support -- Real client source IPs available +## Ingress +- AWS Network Loadbalancer and Istio Ingress controllers +- No additional costs per exposed service +- Automated SSL Certificate handling via cert-manager incl. renewal etc. +- support for TCP services +- Client source IP available to workloads via HTTP header +- optional full service mesh -## Service Mesh ( optional ) - - -# KubeZero vs. EKS - -## Controller nodes used for various admin controllers - -## KIAM incl. blocked access to meta-data service +## Metrics +- Prometheus support for all components +- automated service discovery allowing instant access to common workload metrics +- Preconfigured community maintained Grafana dashboards for common services +- Preconfigured community maintained Alerts +## Logging +- all container logs are enhanced with Kubernetes metadata to provide context for each message +- flexible ElasticSearch setup via ECK operator to ease maintenance and reduce required admin knowledge, incl automated backups to S3 +- Kibana allowing easy search and dashboards for all logs, incl. pre configured index templates and index management to reduce costs +- fluentd central log ingress service allowing additional parsing and queuing to improved reliability +- lightweight fluent-bit agents on each node requiring minimal resources forwarding logs secure via SSL to fluentd
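Review bot: The new "# Own apps" section in the first Quickstart.md hunk is a one-line stub ("Add your own application to ArgoCD via the cli") that tells the reader neither which command to use nor where the Application definition should live; at minimum name the CLI entry point (`argocd app create`) or link to the Argo CD user guide, and clarify that "the cli" here means the argo-cd CLI introduced further down under Troubleshooting. The sentence "It will take about 10 to 15 minutes for ArgoCD to roll out all the services..." should also end with a full stop rather than an ellipsis, since it is the only timing guidance the reader gets.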
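Review bot: The second Quickstart.md hunk deletes the gate "# Only proceed any further if all Argo Applications show healthy !!" together with the note about manually syncing `cert-manager` and `kiam`, but adds no replacement verification step, so the reader no longer has any instruction to confirm the phased roll-out actually completed before continuing. Since the earlier hunk now states that components are rolled out "in various phases", keep a short check after `argocd app list`, e.g. "Proceed only once every application reports Synced and Healthy", and if manual syncs are no longer expected, say so explicitly rather than silently dropping the hint. Removing the trailing "# Demo / own apps" block also fixes the missing newline at end of file, which is fine.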
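Review bot: Several of the new README.md bullets make security claims without saying how they are enforced or what the operator must still do, which is the information a reader evaluating the platform needs: "access to control plane from within the VPC only by default ( VPN access required for Admin tasks )", "blocking access to meta-data service on all nodes" and "forwarding logs secure via SSL to fluentd" should each name the component or configuration responsible (and, for the control plane, how an admin is expected to obtain VPN access), otherwise they read as marketing rather than documentation. There are also wording fixes in the same hunk: "to improved reliability" should be "to improve reliability", "forwarding logs secure via SSL" should be "forwarding logs securely over TLS", "incl automated backups" and "pre configured" need a period and a hyphen respectively, "way more containers per worker" is informal for a feature list, and a blank line is missing between the "## Metrics" and "## Logging" sections to match the spacing used elsewhere in the file.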