Update docs

This commit is contained in:
Stefan Reimer 2020-08-26 11:41:28 +01:00
parent b376544424
commit 1764d84ac5
2 changed files with 48 additions and 67 deletions

View File

@ -34,11 +34,18 @@ Cloudbender creates a kubezero config file, which incl. all outputs from the Clo
## Deploy KubeZero Helm chart
`./deploy.sh`
The deploy script will handle the initial bootstrap process up to point of installing advanced services like Istio or Prometheus.
It will take about 10min to reach the point of being able to install these advanced services.
The deploy script will handle the initial bootstrap process as well as the roll out of advanced components like Prometheus, Istio and ElasticSearch/Kibana in various phases.
It will take about 10 to 15 minutes for ArgoCD to roll out all the services...
# Own apps
- Add your own application to ArgoCD via the cli
# Troubleshooting
## Verify ArgoCD
At this stage we there is no support for any kind of Ingress yet. To reach the Argo API port forward from localhost via:
To reach the Argo API port forward from localhost via:
`kubectl port-forward svc/kubezero-argocd-server -n argocd 8080:443`
Next download the argo-cd cli, details for different OS see https://argoproj.github.io/argo-cd/cli_installation/
@ -46,37 +53,5 @@ Next download the argo-cd cli, details for different OS see https://argoproj.git
Finally login into argo-cd via `argocd login localhost:8080` using the *admin* user and the password set in values.yaml earlier.
List all Argo applications via: `argocd app list`.
Currently it is very likely that you need to manually trigger sync runs for `cert-manager`as well as `kiam`.
eg. `argocd app cert-manager sync`
# Only proceed any further if all Argo Applications show healthy !!
## WIP not yet integrated into KubeZero
### Istio
Istio is currently pinned to version 1.4.X as this is the last version supporting installation via helm charts.
Until Istio is integrated into KubeZero as well as upgraded to 1.6 we have to install manually.
- adjust values.yaml
- update domain in `ingress-certificate.yaml`
- update.sh
- deploy.sh
### Logging
To deploy fluentbit only required adjustment is the `fluentd_host=<LOG_HOST>` in the kustomization.yaml.
- deploy namespace for logging via deploy.sh
- deploy fluentbit via `kubectl apply -k fluentbit`
### Prometheus / Grafana
Only adjustment required is the ingress routing config in istio-service.yaml. Adjust as needed before executing:
`deploy.sh`
### EFS CSI
- add the EFS fs-ID from the worker cloudformation output into values.yaml and the efs-pv.yaml
- `./deploy.sh`
# Demo / own apps
- Add your own application to ArgoCD via the cli

View File

@ -14,44 +14,50 @@ All chosen components are 100% organic OpenSource.
- Work within each community / give back
# Components
## General
- Container runtime cri-o rather than Docker for improved security and performance
## Network / CNI
- Calico using VxLAN as default backend
## Certificate management
- cert-manager incl. a local self-signed cluster CA
## Control plane
- support for single node control plane for small clusters / test environments to reduce costs
- access to control plane from within the VPC only by default ( VPN access required for Admin tasks )
- controller nodes are used for various platform admin controllers / operators to reduce costs and noise on worker nodes
- integrated ArgoCD Gitops controller
## Metrics / Alerting
- Prometheus / Grafana
## AWS IAM access control
- Kiam allowing IAM roles per pod
- IAM roles are assumed / requested and cached on controller nodes for improved security
- blocking access to meta-data service on all nodes
- IAM roles are maintained/ automated and tracked via CFN templates
## Logging
- Fluent-bit
- Fluentd
- ElasticSearch
- Kibana
## Dashboard
- see ArgoCD
## Network
- Calico using VxLAN incl. increased MTU
- allows way more containers per worker
- isolates container traffic from VPC by using VxLAN overlay
- no restrictions on IP space / sizing from the underlying VPC architecture
## Storage
- EBS external CSI storage provider
- EFS external CSI storage provider
- LocalVolumes
- LocalPath
- flexible EBS support incl. zone awareness
- EFS support via automated EFS provisioning for worker groups via CFN templates
- local storage provider for latency sensitive high performance workloads
## Ingress
- AWS Network Loadbalancer
- Istio providing Public and Private Envoy proxies
- HTTP(s) and TCP support
- Real client source IPs available
- AWS Network Loadbalancer and Istio Ingress controllers
- No additional costs per exposed service
- Automated SSL Certificate handling via cert-manager incl. renewal etc.
- support for TCP services
- Client source IP available to workloads via HTTP header
- optional full service mesh
## Service Mesh ( optional )
# KubeZero vs. EKS
## Controller nodes used for various admin controllers
## KIAM incl. blocked access to meta-data service
## Metrics
- Prometheus support for all components
- automated service discovery allowing instant access to common workload metrics
- Preconfigured community maintained Grafana dashboards for common services
- Preconfigured community maintained Alerts
## Logging
- all container logs are enhanced with Kubernetes metadata to provide context for each message
- flexible ElasticSearch setup via ECK operator to ease maintenance and reduce required admin knowledge, incl automated backups to S3
- Kibana allowing easy search and dashboards for all logs, incl. pre configured index templates and index management to reduce costs
- fluentd central log ingress service allowing additional parsing and queuing to improved reliability
- lightweight fluent-bit agents on each node requiring minimal resources forwarding logs secure via SSL to fluentd