This is an automated email from the ASF dual-hosted git repository.

dgrove pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk-deploy-kube.git


The following commit(s) were added to refs/heads/master by this push:
     new d2d3719  Document ICP and Dynamic DNS Provisioning (#380)
d2d3719 is described below

commit d2d37193a5e9f1dc84af29338969ab69a6df05e9
Author: Jonathan Springer <jonps...@gmail.com>
AuthorDate: Fri Nov 30 10:55:46 2018 -0600

    Document ICP and Dynamic DNS Provisioning (#380)
    
    * Document ICP and Dynamic DNS Provisioning
    
    Edits to documentation to address two concerns:
    
    1.  Directions for deploying OpenWhisk onto IBM Cloud Private,
        including configuration of the IBM Image Security engine.
    2.  Further instructions on how to deploy an NFS-based dynamic
        storage provisioning engine (which can be the easiest way
        around the PersistentVolumeClaim needs of OpenWhisk).
---
 README.md                       |   3 +-
 docs/configurationChoices.md    |   4 +
 docs/k8s-ibm-private.md         | 194 ++++++++++++++++++++++++++++++++++++++++
 docs/k8s-nfs-dynamic-storage.md |  61 +++++++++++++
 4 files changed, 261 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 328ef15..b8907e5 100644
--- a/README.md
+++ b/README.md
@@ -189,7 +189,8 @@ appropriate to your Kubernetes cluster:
 * [Docker for Mac](docs/k8s-docker-for-mac.md#configuring-openwhisk)
 * [kubeadm-dind-cluster](docs/k8s-dind-cluster.md#configuring-openwhisk)
 * [Minikube](docs/k8s-minikube.md#configuring-openwhisk)
-* [IBM (IKS)](docs/k8s-ibm-public.md#configuring-openwhisk)
+* [IBM Kubernetes Service (IKS)](docs/k8s-ibm-public.md#configuring-openwhisk)
+* [IBM Cloud Private (ICP)](docs/k8s-ibm-private.md#configuring-openwhisk)
 * [Google (GKE)](docs/k8s-google.md#configuring-openwhisk)
 * [Amazon (EKS)](docs/k8s-aws.md#configuring-openwhisk)
 
diff --git a/docs/configurationChoices.md b/docs/configurationChoices.md
index 54b68d2..3ffad96 100644
--- a/docs/configurationChoices.md
+++ b/docs/configurationChoices.md
@@ -174,6 +174,10 @@ be scheduled.  If your Kubernetes cluster is properly 
configured to support
 including having a DefaultStorageClass admission controller and a
 designated default StorageClass, then this will all happen seamlessly.
 
+See [NFS Dynamis Storage Provisioning](./k8s-nfs-dynamic-storage.md) for one
+approach to provisioning dynamic storage if it's not already provisioned
+on your cluster.
+
 If your cluster is not properly configured, then you will need to
 manually create the necessary PersistentVolumes when deploying the
 Helm chart. In this case, you should also disable the use of dynamic
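Review bot: typo in the link text on the first added line of this hunk: `NFS Dynamis Storage Provisioning` should read `NFS Dynamic Storage Provisioning`, matching the target file name `k8s-nfs-dynamic-storage.md` and the heading of the new document.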
diff --git a/docs/k8s-ibm-private.md b/docs/k8s-ibm-private.md
new file mode 100644
index 0000000..53b429d
--- /dev/null
+++ b/docs/k8s-ibm-private.md
@@ -0,0 +1,194 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+# IBM IKS for OpenWhisk
+
+## Overview
+
+IBM Cloud Private (ICP) provides the core infrastructure needed to provision a
+production-quality OpenWhisk installation.  This document outlines
+ICP-specific steps needed to provision that installation, and calls out
+shortcuts that could be taken for development-grade installation.
+
+## Initial setup
+
+### Creating the Kubernetes Cluster
+
+Follow IBM Cloud Private instructions to provision your cluster.  Include
+GlusterFS provisioning, add
+[dynamic NFS provisioning](./k8s-nfs-dynamic-storage.md),
+or be prepared to provision volumes manually for OpenWhisk
+(see [here](./configurationChoices#persistence)).
+
+### Configuring OpenWhisk
+
+#### Configuring Image Security
+
+IBM Cloud Private includes a provision for filtering the images that are
+allowed to be deployed into a particular namespace.  One _could_ disable this
+capability for the OpenWhisk namespace, but initally it is best to define
+a policy for the namespace:  (In this case we assume the namespace is
+`openwhisk`)
+
+```yaml
+apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
+kind: ImagePolicy
+metadata:
+  name: openwhisk-image-policy
+  namespace: openwhisk
+spec:
+  repositories:
+  - name: docker.io/openwhisk/*
+    policy:
+      va:
+        enabled: false
+  - name: docker.io/apache/couchdb:*
+    policy:
+      va:
+        enabled: false
+  - name: docker.io/nginx:*
+    policy:
+      va:
+        enabled: false
+  - name: docker.io/redis:*
+    policy:
+      va:
+        enabled: false
+  - name: docker.io/zookeeper:*
+    policy:
+      va:
+        enabled: false
+  - name: docker.io/wurstmeister/kafka:*
+    policy:
+      va:
+        enabled: false
+```
+
+#### Configuring Ingress
+
+An IBM Cloud Private cluster has full support for TLS
+and can be configured with additional annotations to
+fine tune ingress performance.
+
+A prerequisite for OpenWhisk TLS access via Ingress as currently configured
+is a Fully Qualified Domain Name (FQDN) that can be resolved correctly from
+within OpenWhisk and points to the SSL Ingress point, usually your load
+balancer or proxy node.
+
+You will also need to create a TLS certificate to be used by the Ingress
+controller for your domain.  The YAML to create in Kubernetes is
+(substituting the real values for `<your fqdn>`):
+
+```yaml
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: openwhisk-tls-secret-1
+  namespace: openwhisk
+spec:
+  commonName: <your fqdn>
+  dnsNames:
+  - <your fqdn>
+  issuerRef:
+    kind: ClusterIssuer
+    name: icp-ca-issuer
+  secretName: openwhisk-tls-secret-1
+```
+
+#### Putting it all together
+
+Now define `mycluster.yaml` as below (substituting the real values for
+`<your fqdn>`).
+
+```yaml
+whisk:
+  ingress:
+    apiHostName: <your fqdn>
+    apiHostPort: 443
+    apiHostProto: https
+    type: standard
+    domain: <your fqdn>
+    tls:
+      enabled: true
+      secretenabled: true
+      createsecret: false
+      secretname: openwhisk-tls-secret-1
+    annotations:
+      # A blocking request is held open by the controller for slightly more 
than 60 seconds
+      # before it is responded to with HTTP status code 202 (accepted) and 
closed.
+      # Set to 75s to be on the safe side.
+      # See 
https://console.bluemix.net/docs/containers/cs_annotations.html#proxy-connect-timeout
+      # See 
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "75s"
+
+      # Allow up to 50 MiB body size to support creation of large actions and 
large
+      # parameter sizes.
+      # See 
https://console.bluemix.net/docs/containers/cs_annotations.html#client-max-body-size
+      # See 
http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
+      nginx.ingress.kubernetes.io/client-max-body-size: "size=50m"
+
+      # Add the request_id, generated by nginx, to the request against the 
controllers. This id will be used as tid there.
+      # 
https://console.bluemix.net/docs/containers/cs_annotations.html#proxy-add-headers
+      nginx.ingress.kubernetes.io/proxy-add-headers: |
+        serviceName=controller {
+          'X-Request-ID' $request_id;
+        }
+
+k8s:
+  persistence:
+    defaultStorageClass: openwhisk
+```
+
+ICP does not (by default) provide a properly configured DefaultStorageClass,
+instead you need to tell the Helm chart to use a storage class you've
+defined (see Creating the Kubernetes Cluster
+[above](#creating-the-kubernetes-cluster)).
+
+#### Don't want to deal with Ingress (or can't create an FQDN)?
+
+An alternative to the Ingress-based access model is to
+use a NodePort. Use the IP address of any worker node in the cluster to
+define `mycluster.yaml` as
+
+```yaml
+whisk:
+  ingress:
+    type: NodePort
+    apiHostName: YOUR_WORKERS_PUBLIC_IP_ADDR
+    apiHostPort: 31001
+
+nginx:
+  httpsNodePort: 31001
+
+k8s:
+  persistence:
+    defaultStorageClass: openwhisk
+```
+
+ICP does not (by default) provide a properly configured DefaultStorageClass,
+instead you need to tell the Helm chart to use a storage class you've
+defined (see Creating the Kubernetes Cluster
+[above](#creating-the-kubernetes-cluster)).
+
+## Hints and Tips
+
+On IBM Cloud Private clusters, you can configure OpenWhisk to integrate
+with platform logging and monitoring services following the general
+instructions for enabling these services for pods deployed on
+Kubernetes.
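Review bot: the `ImagePolicy` under "Configuring Image Security" sets `va: enabled: false` for every listed repository, but the surrounding text never says what that switch turns off or why; since the paragraph explicitly argues for defining a policy instead of disabling the feature for the namespace, a sentence stating that `va` controls Vulnerability Advisor enforcement, that setting it to `false` means these images are admitted without a passing scan, and that readers should only keep it disabled as a conscious trade-off would make the recommendation meaningful. Several smaller points in the same file: the top-level heading reads `# IBM IKS for OpenWhisk` although the document is about IBM Cloud Private (the README entry added in this commit labels it "IBM Cloud Private (ICP)"), so it should be `# IBM ICP for OpenWhisk`; the link `(see [here](./configurationChoices#persistence))` is missing the `.md` extension that the dynamic NFS link on the preceding line has; `initally` should be `initially`; and the paragraph "ICP does not (by default) provide a properly configured DefaultStorageClass, instead you need to tell the Helm chart ..." appears verbatim after both `mycluster.yaml` examples, so it should be stated once (and the comma splice fixed, e.g. "DefaultStorageClass; instead, you need to tell the Helm chart ...").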
diff --git a/docs/k8s-nfs-dynamic-storage.md b/docs/k8s-nfs-dynamic-storage.md
new file mode 100644
index 0000000..1c62c27
--- /dev/null
+++ b/docs/k8s-nfs-dynamic-storage.md
@@ -0,0 +1,61 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+# Using Dynamic Storage Provisioning for OpenWhisk
+
+## NFS-based Dynamic Provisioning
+
+You will need an already-provisioned NFS server supporting NFS v4 or better,
+preferably provisioned for at least 5 GB.
+The server must be set up to accept connections from all nodes in your cluster 
--
+we leave it to you to determine the best strategy for that, though you may
+wish to consider the
+[nfs-server-provisioner](https://github.com/helm/charts/tree/master/stable/nfs-server-provisioner)
+Helm Chart (*TODO: link*) if youhave lots of storage available on your nodes or
+an NFS server provided by your cloud provider.
+
+Once the NFS server is defined, the fastest way to make a dynamic file store
+available is with the
+[nfs-client-provisioner](https://github.com/helm/charts/tree/master/stable/nfs-client-provisioner)
+helm Chart.
+
+Create a local file `openwhisk-nfs-client-provisioner.yaml` to configure the
+provisioner.  You need to provide the server and path information.  Note also
+that the storageClass is explictly defined.
+
+```yaml
+nfs:
+  #  See 
https://github.com/kubernetes-incubator/external-storage/tree/master/nfs-client
+  server: <!-- To be provided -->
+  path: <!-- To be provided -->
+
+storageClass:
+  name: openwhisk-nfs
+  reclaimPolicy: Delete
+```
+
+And run a command to install it...
+```
+helm install --namespace openwhisk \
+  --values ./openwhisk-nfs-client-provisioner.yaml \
+  stable/nfs-client-provisioner
+```
+
+When you configure OpenWhisk, do remember to set the 
`k8s.persistence.defaultStorageClass`
+to be `openwhisk`.  And then you should be off to the races.
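Review bot: the storage class created by this values file is named `openwhisk-nfs` (`storageClass.name: openwhisk-nfs`), but the closing paragraph tells the reader to set `k8s.persistence.defaultStorageClass` to `openwhisk`; with that value the OpenWhisk PersistentVolumeClaims would reference a StorageClass that does not exist and stay Pending. Either rename the class to `openwhisk` (which also matches `defaultStorageClass: openwhisk` in the new `docs/k8s-ibm-private.md`) or change the instruction to `openwhisk-nfs`. Also, the `<!-- To be provided -->` placeholders for `server` and `path` are HTML comments, not YAML comments, so a reader who copies the file as-is ends up with those literal strings as values; a YAML comment (`# to be provided`) or an obvious placeholder such as `<nfs-server-host>` would be safer. Minor cleanups: `(*TODO: link*)` is left over even though the nfs-server-provisioner link is already present; `youhave` should be `you have` and `explictly` should be `explicitly`; "helm Chart" and "Helm Chart" are capitalized inconsistently; and the `helm install` fence has no language tag while the other fences in the file use `yaml`, so it should be tagged (for example `bash`).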
