Update docs
parent b376544424
commit 1764d84ac5
@ -34,11 +34,18 @@ Cloudbender creates a kubezero config file, which incl. all outputs from the Clo
|
|||||||
## Deploy KubeZero Helm chart
|
## Deploy KubeZero Helm chart
|
||||||
`./deploy.sh`
|
`./deploy.sh`
|
||||||
|
|
||||||
The deploy script will handle the initial bootstrap process up to point of installing advanced services like Istio or Prometheus.
|
The deploy script will handle the initial bootstrap process as well as the roll out of advanced components like Prometheus, Istio and ElasticSearch/Kibana in various phases.
|
||||||
It will take about 10min to reach the point of being able to install these advanced services.
|
|
||||||
|
It will take about 10 to 15 minutes for ArgoCD to roll out all the services...
|
||||||
|
|
||||||
|
|
||||||
|
# Own apps
|
||||||
|
- Add your own application to ArgoCD via the cli
|
||||||
|
|
||||||
|
# Troubleshooting
|
||||||
|
|
||||||
## Verify ArgoCD
|
## Verify ArgoCD
|
||||||
At this stage we there is no support for any kind of Ingress yet. To reach the Argo API port forward from localhost via:
|
To reach the Argo API port forward from localhost via:
|
||||||
`kubectl port-forward svc/kubezero-argocd-server -n argocd 8080:443`
|
`kubectl port-forward svc/kubezero-argocd-server -n argocd 8080:443`
|
||||||
|
|
||||||
Next download the argo-cd cli, details for different OS see https://argoproj.github.io/argo-cd/cli_installation/
|
Next download the argo-cd cli, details for different OS see https://argoproj.github.io/argo-cd/cli_installation/
|
||||||
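Review bot: the new `# Own apps` section consists of one bullet, "Add your own application to ArgoCD via the cli", with no command and no name for the CLI; since this file goes on to document `argocd login localhost:8080` and `argocd app list`, name the tool here and either give the `argocd app create` invocation or point at the Argo CD docs the way the CLI download step already does, otherwise the step cannot be followed. Heading levels are also inconsistent: `# Own apps` and `# Troubleshooting` are level 1 while the surrounding `## Deploy KubeZero Helm chart` and `## Verify ArgoCD` are level 2, so `## Verify ArgoCD` now nests under Troubleshooting but the deploy section does not; use `##` for both new headings. Finally, dropping "At this stage we there is no support for any kind of Ingress yet" removes the only explanation of why the port-forward is needed; keep a short sentence stating that the Argo API is not exposed through an ingress and that `kubectl port-forward svc/kubezero-argocd-server -n argocd 8080:443` is the intended way to reach it.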
@ -46,37 +53,5 @@ Next download the argo-cd cli, details for different OS see https://argoproj.git
|
|||||||
Finally login into argo-cd via `argocd login localhost:8080` using the *admin* user and the password set in values.yaml earlier.
|
Finally login into argo-cd via `argocd login localhost:8080` using the *admin* user and the password set in values.yaml earlier.
|
||||||
|
|
||||||
List all Argo applications via: `argocd app list`.
|
List all Argo applications via: `argocd app list`.
|
||||||
Currently it is very likely that you need to manually trigger sync runs for `cert-manager`as well as `kiam`.
|
|
||||||
eg. `argocd app cert-manager sync`
|
|
||||||
|
|
||||||
|
|
||||||
# Only proceed any further if all Argo Applications show healthy !!
|
|
||||||
|
|
||||||
## WIP not yet integrated into KubeZero
|
|
||||||
|
|
||||||
### Istio
|
|
||||||
Istio is currently pinned to version 1.4.X as this is the last version supporting installation via helm charts.
|
|
||||||
|
|
||||||
Until Istio is integrated into KubeZero as well as upgraded to 1.6 we have to install manually.
|
|
||||||
|
|
||||||
- adjust values.yaml
|
|
||||||
- update domain in `ingress-certificate.yaml`
|
|
||||||
- update.sh
|
|
||||||
- deploy.sh
|
|
||||||
|
|
||||||
### Logging
|
|
||||||
To deploy fluentbit only required adjustment is the `fluentd_host=<LOG_HOST>` in the kustomization.yaml.
|
|
||||||
|
|
||||||
- deploy namespace for logging via deploy.sh
|
|
||||||
- deploy fluentbit via `kubectl apply -k fluentbit`
|
|
||||||
|
|
||||||
### Prometheus / Grafana
|
|
||||||
Only adjustment required is the ingress routing config in istio-service.yaml. Adjust as needed before executing:
|
|
||||||
`deploy.sh`
|
|
||||||
|
|
||||||
### EFS CSI
|
|
||||||
- add the EFS fs-ID from the worker cloudformation output into values.yaml and the efs-pv.yaml
|
|
||||||
- `./deploy.sh`
|
|
||||||
|
|
||||||
# Demo / own apps
|
|
||||||
- Add your own application to ArgoCD via the cli
|
|
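Review bot: removing `# Only proceed any further if all Argo Applications show healthy !!` takes away the only gate between `argocd app list` and the rest of the bootstrap; the new text now stops at listing the applications without saying what state to expect. Keep a one-line check after `List all Argo applications via: \`argocd app list\`.` stating that every application should show Synced and Healthy before continuing, and what to do if one does not. The old manual-sync hint for `cert-manager` and `kiam` is a reasonable thing to keep for that purpose, but note that its example `argocd app cert-manager sync` had the arguments in the wrong order (the CLI form is `argocd app sync <name>`), so fix it if it is reinstated. Dropping the `### EFS CSI` step (EFS fs-ID into values.yaml and efs-pv.yaml) matches the README hunk, which now says EFS provisioning is automated via CFN templates, but nothing in this diff says what replaces the `### Logging` step (`fluentd_host=<LOG_HOST>` in kustomization.yaml); if the log host still has to be configured somewhere, that instruction should move rather than disappear.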
70
README.md
@ -14,44 +14,50 @@ All chosen components are 100% organic OpenSource.
|
|||||||
- Work within each community / give back
|
- Work within each community / give back
|
||||||
|
|
||||||
|
|
||||||
# Components
|
## General
|
||||||
|
- Container runtime cri-o rather than Docker for improved security and performance
|
||||||
|
|
||||||
## Network / CNI
|
|
||||||
- Calico using VxLAN as default backend
|
|
||||||
|
|
||||||
## Certificate management
|
## Control plane
|
||||||
- cert-manager incl. a local self-signed cluster CA
|
- support for single node control plane for small clusters / test environments to reduce costs
|
||||||
|
- access to control plane from within the VPC only by default ( VPN access required for Admin tasks )
|
||||||
|
- controller nodes are used for various platform admin controllers / operators to reduce costs and noise on worker nodes
|
||||||
|
- integrated ArgoCD Gitops controller
|
||||||
|
|
||||||
## Metrics / Alerting
|
## AWS IAM access control
|
||||||
- Prometheus / Grafana
|
- Kiam allowing IAM roles per pod
|
||||||
|
- IAM roles are assumed / requested and cached on controller nodes for improved security
|
||||||
|
- blocking access to meta-data service on all nodes
|
||||||
|
- IAM roles are maintained/ automated and tracked via CFN templates
|
||||||
|
|
||||||
## Logging
|
## Network
|
||||||
- Fluent-bit
|
- Calico using VxLAN incl. increased MTU
|
||||||
- Fluentd
|
- allows way more containers per worker
|
||||||
- ElasticSearch
|
- isolates container traffic from VPC by using VxLAN overlay
|
||||||
- Kibana
|
- no restrictions on IP space / sizing from the underlying VPC architecture
|
||||||
|
|
||||||
## Dashboard
|
|
||||||
- see ArgoCD
|
|
||||||
|
|
||||||
## Storage
|
## Storage
|
||||||
- EBS external CSI storage provider
|
- flexible EBS support incl. zone awareness
|
||||||
- EFS external CSI storage provider
|
- EFS support via automated EFS provisioning for worker groups via CFN templates
|
||||||
- LocalVolumes
|
- local storage provider for latency sensitive high performance workloads
|
||||||
- LocalPath
|
|
||||||
|
|
||||||
## Ingress
|
## Ingress
|
||||||
- AWS Network Loadbalancer
|
- AWS Network Loadbalancer and Istio Ingress controllers
|
||||||
- Istio providing Public and Private Envoy proxies
|
- No additional costs per exposed service
|
||||||
- HTTP(s) and TCP support
|
- Automated SSL Certificate handling via cert-manager incl. renewal etc.
|
||||||
- Real client source IPs available
|
- support for TCP services
|
||||||
|
- Client source IP available to workloads via HTTP header
|
||||||
|
- optional full service mesh
|
||||||
|
|
||||||
## Service Mesh ( optional )
|
## Metrics
|
||||||
|
- Prometheus support for all components
|
||||||
|
- automated service discovery allowing instant access to common workload metrics
|
||||||
# KubeZero vs. EKS
|
- Preconfigured community maintained Grafana dashboards for common services
|
||||||
|
- Preconfigured community maintained Alerts
|
||||||
## Controller nodes used for various admin controllers
|
|
||||||
|
|
||||||
## KIAM incl. blocked access to meta-data service
|
|
||||||
|
|
||||||
|
## Logging
|
||||||
|
- all container logs are enhanced with Kubernetes metadata to provide context for each message
|
||||||
|
- flexible ElasticSearch setup via ECK operator to ease maintenance and reduce required admin knowledge, incl automated backups to S3
|
||||||
|
- Kibana allowing easy search and dashboards for all logs, incl. pre configured index templates and index management to reduce costs
|
||||||
|
- fluentd central log ingress service allowing additional parsing and queuing to improved reliability
|
||||||
|
- lightweight fluent-bit agents on each node requiring minimal resources forwarding logs secure via SSL to fluentd
|
||||||
|
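Review bot: two security-relevant facts are removed from the README without a replacement: the old `## General` bullet "Container runtime cri-o rather than Docker for improved security and performance" and the `## Certificate management` bullet "cert-manager incl. a local self-signed cluster CA". cert-manager is still referenced in the new `## Ingress` ("Automated SSL Certificate handling via cert-manager incl. renewal etc."), so the component is evidently still present; if cri-o and the cluster CA are too, keep both bullets (the runtime under `## Control plane` or a node section, the CA under Ingress), since a reader evaluating the platform will look for exactly these properties. Under `## AWS IAM access control`, "blocking access to meta-data service on all nodes" should say what is blocked and for whom: given the bullet above it ("IAM roles are assumed / requested and cached on controller nodes"), state how pods on worker nodes are prevented from reaching the metadata endpoint directly, since that is the property that makes per-pod roles meaningful. Typos in the added lines: "maintained/ automated" (stray space), "incl automated backups" (incl.), "pre configured" here versus "Preconfigured" two sections up, "to improved reliability" (to improve), "forwarding logs secure via SSL" (securely), "Gitops" (GitOps).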