Our evolving vision for the CNCF demo is to provide a widely referenced marketing demo using the shortest path to multi-cloud deployments.

The approach needs to be opinionated to get us to multi-cloud deployments asap, while at the same time being easy for others to understand and modify.

A cloud-init approach is, by definition very cloud-native and can be replicated across multiple provisioning toolchains.

Terraform is well documented/maintained and supports the aws resources we need to configure. Targeting Azure, Google, and Packet would require minimal code changes. Simply templating cloud-init across all those clouds which would reduce our dependency on vendor specific provisioning code. (We have also developed an approach for hardware deploys via Hanlon/PXE for CNCF Cluster)

We took some time to understand and in the process simplify the cncf/demo codebase.

You can take a look at code.ii.coop/cncf/demo

• Multiple Cloud Providers (GCE? CNCF Cluster? Virtualbox?)
• Parallel Deploys to the same cloud provider
• ENV driven CI with metrics
• Clean up this quick and dirty PoC

$ export AWS_ACCESS_KEY_ID="YOUR_AWS_KEY_ID"
$ export AWS_SECRET_ACCESS_KEY="YOUR_AWS_SECRET_KEY"
# /tmp/data will have terraform, certs, aws, and kubectl configs
# http://localhost:8001/ui is your Kubernetes Dashboard
$ docker run -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
             -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
             -v $(pwd)/data:/cncf/data \
             --net=host \
             --name=cncfdemo \
             iicoop/cncfdemo

Some commands you can run from another terminal:

docker exec -ti cncfdemo kubectl get nodes
docker exec -ti cncfdemo kubectl get pods --namespace=kube-system
docker exec -ti cncfdemo kubectl get pods
docker exec -ti cncfdemo kubectl get pods --namespace=monitoring

To access Elasticseach, Kibana and Dashboard visit:

• http://localhost:8001/api/v1/proxy/namespaces/kube-system/services/elasticsearch-logging
• http://localhost:8001/api/v1/proxy/namespaces/kube-system/services/kibana-logging
• [http://localhost:8001/ui] (http://localhost:8001/ui)

# To destroy everything
$ docker run -v $(pwd)/data:/cncf/data iicoop/cncfdemo destroy
$ docker rm -f cncfdemo

• TLS certificate generation

• EC2 Key Pair creation
• AWS VPC Public and Private subnets
• IAM protected S3 bucket for asset (TLS and manifests) distribution
• Bastion Host
• Multi-AZ Auto-Scaling Worker Nodes
• NAT Gateway

• etcd DNS Discovery Bootstrap
• kubelet runs under rkt (using CoreOS recommended Kubelet Wrapper Script)

• Highly Available ApiServer Configuration
• Service accounts enabled
• SkyDNS utilizing cluster's etcd

• CoreOS AMI sourcing
• Terraform Pattern Modules

• docker

• AWS Users Permissions:

  • AmazonEC2FullAccess
  • AmazonS3FullAccess
  • AWSCodeDeployFullAccess
  • AmazonRoute53DomainsFullAccess
  • AmazonRoute53FullAccess
  • IAMFullAccess
  • IAMUserChangePassword

• client and server TLS assets
• s3 bucket for TLS assets (secured by IAM roles for master and worker nodes)
• AWS VPC with private and public subnets
• Route 53 internal zone for VPC
• Etcd cluster bootstrapped from Route 53
• High Availability Kubernetes configuration (masters running on etcd nodes)
• Autoscaling worker node group across subnets in selected region
• kube-system namespace and addons: DNS, UI, Dashboard