This is an automated email from the ASF dual-hosted git repository.
dgrove pushed a commit to branch master
in repository
https://gitbox.apache.org/repos/asf/incubator-openwhisk-deploy-kube.git
The following commit(s) were added to refs/heads/master by this push:
new a88aa80 Helm chart changes (#367)
a88aa80 is described below
commit a88aa80893bf9db7889786947f9e411c9501a5c2
Author: Neeraj Laad <[email protected]>
AuthorDate: Mon Nov 26 21:40:17 2018 +0000
Helm chart changes (#367)
Added readme for helm catalog
Updated chart description for helm catalog
updated notes.txt to include instruction on testing the release
included NodePort as default ingress
---
helm/openwhisk/Chart.yaml | 3 +-
helm/openwhisk/README.md | 197 +++++++++++++++++++++++++++++++++++++
helm/openwhisk/templates/NOTES.txt | 12 ++-
helm/openwhisk/values.yaml | 7 +-
4 files changed, 213 insertions(+), 6 deletions(-)
diff --git a/helm/openwhisk/Chart.yaml b/helm/openwhisk/Chart.yaml
index 62961e6..9069bac 100644
--- a/helm/openwhisk/Chart.yaml
+++ b/helm/openwhisk/Chart.yaml
@@ -2,12 +2,13 @@
# license agreements; and to You under the Apache License, Version 2.0.
apiVersion: v1
-description: A Helm chart to deploy Apache OpenWhisk for Kubernetes
+description: An open source, distributed serverless platform that executes
functions in response to events at any scale
name: openwhisk
version: 0.1.0
icon:
https://raw.githubusercontent.com/apache/incubator-openwhisk/682eb5b62ee6ba8017ab54226c2ace3637f4f1ec/docs/images/whisk_icon_full-color_with_tm_64x64-300dpi.png
keywords:
- Apache OpenWhisk
+ - amd64
maintainers:
- name: Apache OpenWhisk committers
email: [email protected]
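Review bot: `version: 0.1.0` stays unchanged in this hunk although the same commit changes the chart's shipped defaults in values.yaml (ingress type and ports), so two charts with different behaviour will carry the same version. Bump the chart version so catalog users and `helm upgrade` can tell them apart. The new `amd64` entry under `keywords:` reads as a platform declaration rather than a search keyword; a one-line comment saying why it is there would help the next maintainer.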
diff --git a/helm/openwhisk/README.md b/helm/openwhisk/README.md
new file mode 100644
index 0000000..3026efc
--- /dev/null
+++ b/helm/openwhisk/README.md
@@ -0,0 +1,197 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+# OpenWhisk
+
+Apache OpenWhisk is an open source, distributed serverless platform that
executes functions in response to events at any scale.
+
+## Introduction
+
+The [Apache OpenWhisk](https://openwhisk.apache.org/) serverless platform
supports a programming model in which developers write functional logic (called
Actions), in any supported programming language, that can be dynamically
scheduled and run in response to associated events (via Triggers) from external
sources (Feeds) or from HTTP requests.
+
+This chart will deploy the core OpenWhisk platform to your Kubernetes cluster.
In its default configuration, the chart enables runtime support for executing
actions written in NodeJS, Python, Swift, Java, PHP, Ruby, Go, and "blackbox"
docker containers. The main components of the OpenWhisk platform are a
front-end that provides a REST API to the user and the `wsk` CLI, a CouchDB
instance that stores user and system data, and a control plane that is
responsible for scheduling incoming i [...]
+
+Further documentation of the OpenWhisk system architecture, programming model,
tutorials, and sample programs can all be found at on the [Apache OpenWhisk
project website](https://openwhisk.apache.org/).
+
+## Chart Details
+
+In its default configuration, this chart will create the following Kubernetes
resources:
+* Externally exposed Services
+ * nginx -- used to access the deployed OpenWhisk via its REST API. By
default, exposed as a NodePort on port 31001.
+* Internal Services
+ * apigateway, controller, couchdb, kafka, nginx, redis, zookeeper
+* OpenWhisk control plane Pods:
+ * DaemonSet: invoker (on all nodes with label `openwhisk-role=invoker`)
+ * Deployments: apigateway, couchdb, nginx, redis
+ * SatefulSets: controller, kafka, zookeeper
+* Persistent Volume Claims
+ * couchdb-pvc
+ * kafka-pvc
+ * redis-pvc
+ * zookeeper-pvc-data
+ * zookeeper-pvc-datalog
+
+All user interaction with OpenWhisk uses the REST API exposed by the nginx
service via its NodePort ingress.
+
+The chart requires one or more Kubernetes worker nodes to be designated to be
used by OpenWhisk's invokers to execute user actions. These nodes are
designated by being labeled with `openwhisk-role=invoker` (see below for the
`kubectl` command). In its default configuration, the invokers will schedule
the containers to execute the user actions on these nodes *without* interacting
with the Kubernetes scheduler.
+
+## Resources Required
+
+* A Kubernetes cluster with at least 1 worker node with at least 4GB of memory.
+
+## Prerequisites
+
+* Kubernetes 1.10 - 1.11.*
+
+### Image Policy Requirements
+
+If Container Image Security is enabled, you will not be able to download
non-trusted container images. If this is the case, please add the following to
the trusted registries so that these container images can be pulled during
chart installation:
+
+* docker.io/openwhisk/*
+* docker.io/apache/couchdb:*
+
+### Persistent Volume Requirements
+
+This chart requires 5 Persistent Volumes to be created to avoid loss of data.
One of the following must be true to satisfy the Persistent Volume requirements
for this chart:
+
+* When the chart is deployed, the value `k8s.persistence.enabled` is set to
false to disable usage of Persistent Volumes (for development and test
activities).
+* The Kubernetes cluster supports Dynamic Volume Provisioning and has a
default StorageClass defined with an associated provisioner.
+* The Kubernetes cluster supports Dynamic Volume Provisioning and when the
chart is deployed, the value `k8s.persistence.defaultStorageClass` is set to a
StorageClass which has an associated provisioner.
+
+### PodSecurityPolicy Requirements
+
+OpenWhisk's Invokers need elevated security permissions to be able to create
the containers that execute the user actions. Therefore, this chart requires a
PodSecurityPolicy that permits host access to be bound to the target namespace
prior to installation. If the default Pod security policy on your cluster is
not restrictive then this step is not needed. If the default is restrictive,
please create a new namespace with either a predefined PodSecurityPolicy
`ibm-anyuid-hostpath-psp`:
+
+* Predefined PodSecurityPolicy name:
[`ibm-anyuid-hostpath-psp`](https://ibm.biz/cpkspec-psp)
+
+Alternatively, you can have your cluster administrator setup a custom
PodSecurityPolicy for you using the below definition:
+
+* Custom PodSecurityPolicy definition:
+
+ ```
+ apiVersion: extensions/v1beta1
+ kind: PodSecurityPolicy
+ metadata:
+ name: ibm-anyuid-hostpath-psp
+ annotations:
+ kubernetes.io/description: "This policy allows pods to run with
+ any UID and GID and any volume, including the host path.
+ WARNING: This policy allows hostPath volumes.
+ Use with caution."
+ spec:
+ allowPrivilegeEscalation: true
+ fsGroup:
+ rule: RunAsAny
+ requiredDropCapabilities:
+ - MKNOD
+ allowedCapabilities:
+ - SETPCAP
+ - AUDIT_WRITE
+ - CHOWN
+ - NET_RAW
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - SETUID
+ - SETGID
+ - NET_BIND_SERVICE
+ - SYS_CHROOT
+ - SETFCAP
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - '*'
+ ```
+
+## Initial setup
+
+Identify the Kubernetes worker nodes that should be used to execute
+user containers. Do this by labeling each node with
+`openwhisk-role=invoker`. If you have a multi-node cluster, for each node
<INVOKER_NODE_NAME>
+you want to be an invoker, execute
+```shell
+kubectl label nodes <INVOKER_NODE_NAME> openwhisk-role=invoker
+```
+For a single node cluster, simply do
+```shell
+kubectl label nodes --all openwhisk-role=invoker
+```
+
+## Installing the Chart
+
+Please ensure that you have reviewed the [prerequisites](#prerequisites) and
the [initial setup](#initial-setup) instructions.
+
+To install the chart using helm cli:
+
+```bash
+$ helm install [--tls] openwhisk --namespace <my-namespace> --name
<my-release> --set whisk.ingress.apiHostName=<cluster-ip-address>
+```
+
+The command deploys OpenWhisk on the Kubernetes cluster in the default
configuration. The [configuration](#configuration) section lists the
parameters that can be configured during installation.
+
+You can use the command ```helm status <my-release> [--tls]``` to get a
summary of the various Kubernetes artifacts that make up your OpenWhisk
deployment. Once the ```install-packages``` Pod is in the Completed state, your
OpenWhisk deployment is ready to be used.
+
+### Configuration
+
+[Values.yaml](./values.yaml) outlines the configuration options that are
supported by this chart.
+
+### Verifying the Chart
+
+To verify your deployment was successful, simply run:
+```bash
+helm test <my-release> [--tls] --cleanup
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the deployment:
+
+```bash
+$ helm delete <my-release> --purge [--tls]
+```
+
+The command removes all the Kubernetes components associated with the chart
and deletes the release.
+
+## Limitations
+
+* Deployment limitation - only one instance of the chart can be deployed
within a namespace.
+* Platform limitation - only supports amd64.
+
+## Documentation
+
+Documentation of the OpenWhisk system architecture, programming model,
tutorials, and sample programs can all be found at on the [Apache OpenWhisk
project website](https://openwhisk.apache.org/).
+
+# Disclaimer
+
+Apache OpenWhisk Deployment on Kubernetes is an effort undergoing incubation
at The Apache Software Foundation (ASF), sponsored by the Apache Incubator.
Incubation is required of all newly accepted projects until a further review
indicates that the infrastructure, communications, and decision making process
have stabilized in a manner consistent with other successful ASF projects.
While incubation status is not necessarily a reflection of the completeness or
stability of the code, it d [...]
+
+# Support
+
+For questions, hints, and tips for developing in Apache OpenWhisk:
+
+* [Join the Dev Mailing
List](https://openwhisk.apache.org/community.html#mailing-lists)
+
+* [Join the OpenWhisk Slack](http://slack.openwhisk.org/)
+
+* [Follow OpenWhisk Media](https://openwhisk.apache.org/community.html#social)
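Review bot: In "PodSecurityPolicy Requirements", the custom definition reuses the name of the predefined policy, `ibm-anyuid-hostpath-psp`, and grants `allowPrivilegeEscalation: true`, `volumes: '*'` and `RunAsAny` for every rule, yet the README only says the policy must be "bound to the target namespace" without showing the binding or its scope. Give the custom policy its own name, show the binding, and state that a namespace-wide binding covers every pod in that namespace, not only the invoker; if only the invoker needs host access, say so and recommend binding to its service account. The sentence "please create a new namespace with either a predefined PodSecurityPolicy" has no "or" branch and should be reworded. "Chart Details" documents nginx as externally exposed on NodePort 31001, but "Installing the Chart" does not mention that the default `auth` values in values.yaml must be overridden for production; add that next to the install command. Typos: "SatefulSets", and "found at on" in both the Introduction and Documentation sections.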
diff --git a/helm/openwhisk/templates/NOTES.txt
b/helm/openwhisk/templates/NOTES.txt
index 6cc51dd..b2168aa 100644
--- a/helm/openwhisk/templates/NOTES.txt
+++ b/helm/openwhisk/templates/NOTES.txt
@@ -8,7 +8,7 @@ The Apache Software Foundation (http://www.apache.org/).
To configure your wsk cli to connect to it, set the apihost property
{{- if eq .Values.whisk.ingress.type "LoadBalancer" }}
-by running the command `kubectl get services -o wide` and
+by running the command `kubectl get services -o wide` and
use the hostname of the `EXTERNAL-IP` of the {{ .Values.nginx.name }} service
and port 443 in the command below:
@@ -23,5 +23,11 @@ Your release is named {{ .Release.Name }}.
To learn more about the release, try:
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
+ $ helm status {{ .Release.Name }} [--tls]
+ $ helm get {{ .Release.Name }} [--tls]
+
+Once the 'install-packages' Pod is in the Completed state, your OpenWhisk
deployment is ready to be used.
+
+Once the deployment is ready, you can verify it using:
+
+ $ helm test {{ .Release.Name }} [--tls] --cleanup
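Review bot: The added text tells the user to wait until the 'install-packages' Pod is in the Completed state but gives no command to check that; add one beside it, for example `kubectl get pods -n {{ .Release.Namespace }}`. The `[--tls]` suffix on the three `helm` lines is rendered literally, so a user who copies the line passes `[--tls]` as an argument; either add a sentence saying the flag is only needed when Tiller has TLS enabled, or drop the brackets from the commands and mention the flag in prose.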
diff --git a/helm/openwhisk/values.yaml b/helm/openwhisk/values.yaml
index 000772f..07ebb29 100644
--- a/helm/openwhisk/values.yaml
+++ b/helm/openwhisk/values.yaml
@@ -24,9 +24,11 @@ whisk:
# See docs/ingress.md for a discussion of how to provide these values.
ingress:
name: "ow-ingress"
- apiHostName: nil
- apiHostPort: nil
+ apiHostName: ""
+ apiHostPort: 31001
apiHostProto: "https"
+ type: NodePort
+
# Production deployments _MUST_ override these default auth values
auth:
system:
"789c46b1-71f6-4ed5-8c54-816aa4f8c502:abczO3xZCLrMN6v2BKK1dXYFpXlPkccOFqm12CdAsMgRU4VrNZ9lyGVCGuMDGIwP"
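Review bot: With `type: NodePort` and `apiHostPort: 31001` as the new defaults, an install that overrides nothing exposes the API outside the cluster while still using the `auth` values shown in the context lines just below, which are published in this repository. The comment "Production deployments _MUST_ override these default auth values" is easy to miss; consider making the templates fail when the defaults are left in place outside a development setting, or at least repeating the warning in NOTES.txt and the README. `apiHostName: ""` is also not a usable default: the README install command always passes `--set whisk.ingress.apiHostName=...`, so wrapping the value with Helm's `required` function in the templates would turn a silent misconfiguration into a clear install-time error. Finally, the stray blank `+` line after `type: NodePort` can be dropped.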
@@ -161,6 +163,7 @@ nginx:
httpPort: 80
httpsPort: 443
httpsAdminPort: 8443
+ httpsNodePort: 31001
# Controller configurations
controller:
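Review bot: `httpsNodePort: 31001` under `nginx:` repeats the value of `whisk.ingress.apiHostPort: 31001` set earlier in this file, and nothing ties the two together, so changing one without the other leaves the advertised API port and the actual Service port out of step. Add a comment on both keys stating they must match, or derive one from the other in the templates. A fixed node port also means a second release cannot be installed anywhere in the same cluster without overriding it, which is stricter than the "only one instance of the chart can be deployed within a namespace" limitation documented in the README; the limitation text should mention it.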