master #11
|
@ -34,11 +34,18 @@ Cloudbender creates a kubezero config file, which incl. all outputs from the Clo
|
|||
## Deploy KubeZero Helm chart
|
||||
`./deploy.sh`
|
||||
|
||||
The deploy script will handle the initial bootstrap process up to point of installing advanced services like Istio or Prometheus.
|
||||
It will take about 10min to reach the point of being able to install these advanced services.
|
||||
The deploy script will handle the initial bootstrap process as well as the roll out of advanced components like Prometheus, Istio and ElasticSearch/Kibana in various phases.
|
||||
|
||||
It will take about 10 to 15 minutes for ArgoCD to roll out all the services...
|
||||
|
||||
|
||||
# Own apps
|
||||
- Add your own application to ArgoCD via the cli
|
||||
|
||||
# Troubleshooting
|
||||
|
||||
## Verify ArgoCD
|
||||
At this stage we there is no support for any kind of Ingress yet. To reach the Argo API port forward from localhost via:
|
||||
To reach the Argo API port forward from localhost via:
|
||||
`kubectl port-forward svc/kubezero-argocd-server -n argocd 8080:443`
|
||||
|
||||
Next download the argo-cd cli, details for different OS see https://argoproj.github.io/argo-cd/cli_installation/
|
||||
|
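Review bot: the new `# Own apps` section is a one-line stub ("Add your own application to ArgoCD via the cli") that duplicates the `# Demo / own apps` section further down in this file; keep one of them and give it the actual command (`argocd app create` with repo, path and destination namespace) or leave it out until it is written. Two smaller points in the same hunk: the reworded bootstrap paragraph now says ArgoCD rolls out Prometheus, Istio and ElasticSearch/Kibana "in various phases" but no longer says how to tell that a phase has finished, so state the success criterion right here (all apps `Synced`/`Healthy` in `argocd app list`). And `kubectl port-forward svc/kubezero-argocd-server -n argocd 8080:443` forwards to argocd-server's own TLS port, so unless a trusted certificate has been provisioned the following `argocd login localhost:8080` will hit a certificate it cannot validate; document that the warning is expected and that `--insecure` is acceptable only because this is a loopback port-forward.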
@ -46,37 +53,5 @@ Next download the argo-cd cli, details for different OS see https://argoproj.git
|
|||
Finally login into argo-cd via `argocd login localhost:8080` using the *admin* user and the password set in values.yaml earlier.
|
||||
|
||||
List all Argo applications via: `argocd app list`.
|
||||
Currently it is very likely that you need to manually trigger sync runs for `cert-manager`as well as `kiam`.
|
||||
eg. `argocd app cert-manager sync`
|
||||
|
||||
|
||||
# Only proceed any further if all Argo Applications show healthy !!
|
||||
|
||||
## WIP not yet integrated into KubeZero
|
||||
|
||||
### Istio
|
||||
Istio is currently pinned to version 1.4.X as this is the last version supporting installation via helm charts.
|
||||
|
||||
Until Istio is integrated into KubeZero as well as upgraded to 1.6 we have to install manually.
|
||||
|
||||
- adjust values.yaml
|
||||
- update domain in `ingress-certificate.yaml`
|
||||
- update.sh
|
||||
- deploy.sh
|
||||
|
||||
### Logging
|
||||
To deploy fluentbit only required adjustment is the `fluentd_host=<LOG_HOST>` in the kustomization.yaml.
|
||||
|
||||
- deploy namespace for logging via deploy.sh
|
||||
- deploy fluentbit via `kubectl apply -k fluentbit`
|
||||
|
||||
### Prometheus / Grafana
|
||||
Only adjustment required is the ingress routing config in istio-service.yaml. Adjust as needed before executing:
|
||||
`deploy.sh`
|
||||
|
||||
### EFS CSI
|
||||
- add the EFS fs-ID from the worker cloudformation output into values.yaml and the efs-pv.yaml
|
||||
- `./deploy.sh`
|
||||
|
||||
# Demo / own apps
|
||||
- Add your own application to ArgoCD via the cli
|
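Review bot: `argocd app cert-manager sync` is not valid argocd CLI syntax; the subcommand precedes the app name: `argocd app sync cert-manager`. This hunk also cuts the `# Only proceed any further if all Argo Applications show healthy !!` gate together with the WIP Istio/Logging/Prometheus/EFS sections, which leaves the reader with no stated success criterion after `./deploy.sh`; keep a one-line check (every app `Synced`/`Healthy` in `argocd app list`, or `argocd app wait <app>`). The removed EFS step (fs-ID from the worker CloudFormation output into values.yaml and efs-pv.yaml) was the only place that input was documented; if EFS is now wired up by the deploy script, say where the ID is read from.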
70
README.md
70
README.md
|
@ -14,44 +14,50 @@ All chosen components are 100% organic OpenSource.
|
|||
- Work within each community / give back
|
||||
|
||||
|
||||
# Components
|
||||
## General
|
||||
- Container runtime cri-o rather than Docker for improved security and performance
|
||||
|
||||
## Network / CNI
|
||||
- Calico using VxLAN as default backend
|
||||
|
||||
## Certificate management
|
||||
- cert-manager incl. a local self-signed cluster CA
|
||||
## Control plane
|
||||
- support for single node control plane for small clusters / test environments to reduce costs
|
||||
- access to control plane from within the VPC only by default ( VPN access required for Admin tasks )
|
||||
- controller nodes are used for various platform admin controllers / operators to reduce costs and noise on worker nodes
|
||||
- integrated ArgoCD Gitops controller
|
||||
|
||||
## Metrics / Alerting
|
||||
- Prometheus / Grafana
|
||||
## AWS IAM access control
|
||||
- Kiam allowing IAM roles per pod
|
||||
- IAM roles are assumed / requested and cached on controller nodes for improved security
|
||||
- blocking access to meta-data service on all nodes
|
||||
- IAM roles are maintained/ automated and tracked via CFN templates
|
||||
|
||||
## Logging
|
||||
- Fluent-bit
|
||||
- Fluentd
|
||||
- ElasticSearch
|
||||
- Kibana
|
||||
|
||||
## Dashboard
|
||||
- see ArgoCD
|
||||
## Network
|
||||
- Calico using VxLAN incl. increased MTU
|
||||
- allows way more containers per worker
|
||||
- isolates container traffic from VPC by using VxLAN overlay
|
||||
- no restrictions on IP space / sizing from the underlying VPC architecture
|
||||
|
||||
## Storage
|
||||
- EBS external CSI storage provider
|
||||
- EFS external CSI storage provider
|
||||
- LocalVolumes
|
||||
- LocalPath
|
||||
- flexible EBS support incl. zone awareness
|
||||
- EFS support via automated EFS provisioning for worker groups via CFN templates
|
||||
- local storage provider for latency sensitive high performance workloads
|
||||
|
||||
## Ingress
|
||||
- AWS Network Loadbalancer
|
||||
- Istio providing Public and Private Envoy proxies
|
||||
- HTTP(s) and TCP support
|
||||
- Real client source IPs available
|
||||
## Ingress
|
||||
- AWS Network Loadbalancer and Istio Ingress controllers
|
||||
- No additional costs per exposed service
|
||||
- Automated SSL Certificate handling via cert-manager incl. renewal etc.
|
||||
- support for TCP services
|
||||
- Client source IP available to workloads via HTTP header
|
||||
- optional full service mesh
|
||||
|
||||
## Service Mesh ( optional )
|
||||
|
||||
|
||||
# KubeZero vs. EKS
|
||||
|
||||
## Controller nodes used for various admin controllers
|
||||
|
||||
## KIAM incl. blocked access to meta-data service
|
||||
## Metrics
|
||||
- Prometheus support for all components
|
||||
- automated service discovery allowing instant access to common workload metrics
|
||||
- Preconfigured community maintained Grafana dashboards for common services
|
||||
- Preconfigured community maintained Alerts
|
||||
|
||||
## Logging
|
||||
- all container logs are enhanced with Kubernetes metadata to provide context for each message
|
||||
- flexible ElasticSearch setup via ECK operator to ease maintenance and reduce required admin knowledge, incl automated backups to S3
|
||||
- Kibana allowing easy search and dashboards for all logs, incl. pre configured index templates and index management to reduce costs
|
||||
- fluentd central log ingress service allowing additional parsing and queuing to improved reliability
|
||||
- lightweight fluent-bit agents on each node requiring minimal resources forwarding logs secure via SSL to fluentd
|
||||
|
|
|
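Review bot: the new Components text has two `## Ingress` headings (one listing NLB / Istio Envoy proxies / HTTP(s) and TCP / real client IPs, the other NLB and Istio controllers / no extra cost / cert-manager / TCP / client IP header / service mesh), a `## Network / CNI` and a `## Network` section both describing Calico VxLAN, plus empty `## Service Mesh ( optional )`, `# KubeZero vs. EKS`, `## Controller nodes used for various admin controllers` and `## KIAM incl. blocked access to meta-data service` headings; merge the duplicates and either fill or drop the empty ones. Two claims need tightening: "Calico using VxLAN incl. increased MTU" reads backwards, since VxLAN encapsulation adds roughly 50 bytes per packet and the MTU inside the overlay is therefore smaller than the VPC MTU; if the point is that the VPC jumbo-frame MTU is used on the underlay, say that. And "Client source IP available to workloads via HTTP header" should note that the header is only trustworthy when the workload accepts it from the Istio ingress gateway alone (NetworkPolicy or mesh mTLS), otherwise any in-cluster client can spoof it. The Kiam line "blocking access to meta-data service on all nodes" is the most important security property on this page and deserves its verification step (a request to 169.254.169.254 from a pod must fail).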
@ -8,7 +8,7 @@ ingress:
|
|||
type: NodePort
|
||||
private:
|
||||
enabled: true
|
||||
nodeSelector: "31080_31443_30671_30672_31224"
|
||||
nodeSelector: "31080_31443_31671_31672_31224"
|
||||
dnsNames:
|
||||
- "*"
|
||||
|
||||
|
|
|
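Review bot: the private ingress `nodeSelector` string changes the middle two ports from `30671_30672` to `31671_31672`, but nothing in this hunk changes the matching NodePort service definition or the worker security group / CloudFormation port list that the README says is automated via CFN templates; please point at the companion change, otherwise the label no longer selects any node and the private ingress silently has no endpoints. Separately, `dnsNames: - "*"` for the private ingress certificate is a bare wildcard that matches every name; prefer the actual private domain (or `*.<private-domain>`), since the cert-manager CA issuer will issue whatever SAN it is asked for.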
@ -11,6 +11,5 @@ metadata:
|
|||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
data:
|
||||
username: {{ "elastic" | b64enc | quote }}
|
||||
elastic: {{ .Values.elastic_password | b64enc | quote }}
|
||||
{{- end }}
|
||||
|
|
|
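Review bot: `.Values.elastic_password` places the Elasticsearch superuser password in the chart values, which in an ArgoCD/GitOps setup means it lives in git in clear text; prefer an existing Secret referenced by name (or a sealed/external secret) and keep only the secret name in values. Also, the key schema is now ambiguous: if this Secret is meant to populate ECK's `<cluster>-es-elastic-user` secret, ECK reads the `elastic` key and the `username` key is noise; if it is meant for basic-auth consumers (the `user`/`password` pair read from env in the fluentd output further down), then `elastic:` has replaced the `password:` key they expect. Pick one schema and name the key accordingly.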
@ -136,11 +136,11 @@ fluentd:
|
|||
user "#{ENV['OUTPUT_USER']}"
|
||||
password "#{ENV['OUTPUT_PASSWORD']}"
|
||||
|
||||
log_es_400_reason
|
||||
logstash_format true
|
||||
reload_connections false
|
||||
reconnect_on_error true
|
||||
reload_on_failure true
|
||||
request_timeout 30s
|
||||
# reload_on_failure true
|
||||
request_timeout 15s
|
||||
suppress_type_name true
|
||||
|
||||
<buffer>
|
||||
|
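Review bot: `request_timeout` drops from 30s to 15s while the buffer stanza below raises `flush_interval` to 30s, so each bulk request carries more data but is given half the time; with fluent-plugin-elasticsearch a timed-out request is retried at-least-once, so this trades a few slow requests for more timeouts and more duplicate documents. Either keep 30s or lower `chunk_limit_size` with it. The commented-out `# reload_on_failure true` should go or carry a comment saying why it is disabled (with `reconnect_on_error true` and `reload_connections false` kept, the intent is presumably to stop the client rewriting its host list on errors). And because `user`/`password` are injected from env here, please confirm that the lines of this `<match>` outside the hunk set `scheme https` and `ssl_verify true`; otherwise these credentials cross the cluster network in clear.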
@ -148,11 +148,10 @@ fluentd:
|
|||
path /var/log/fluentd-buffers/kubernetes.system.buffer
|
||||
flush_mode interval
|
||||
flush_thread_count 2
|
||||
flush_interval 5s
|
||||
flush_interval 30s
|
||||
flush_at_shutdown true
|
||||
retry_type exponential_backoff
|
||||
retry_timeout 60m
|
||||
retry_max_interval 30
|
||||
chunk_limit_size "#{ENV['OUTPUT_BUFFER_CHUNK_LIMIT']}"
|
||||
queue_limit_length "#{ENV['OUTPUT_BUFFER_QUEUE_LIMIT']}"
|
||||
overflow_action drop_oldest_chunk
|
||||
|
|
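Review bot: `overflow_action drop_oldest_chunk` silently discards logs whenever Elasticsearch falls behind, and raising `flush_interval` from 5s to 30s widens the window of unflushed data on each node; for a pipeline the README presents as the cluster's log trail, dropped chunks must be visible. At minimum alert on fluentd's buffer metrics (queue length / total bytes, which the Prometheus setup listed in the README can scrape), or use `overflow_action block` on this file buffer and let backpressure reach the fluent-bit agents. The hunk count (-11 +10) says one line besides `flush_interval 5s` is removed here but the rendering does not show which; if it is `retry_timeout 60m`, retries then run to the plugin default and the buffer fills sooner, which again ends in `drop_oldest_chunk`.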