Our evolving vision for the CNCF demo is to provide a widely referenced marketing demo that takes the shortest path to multi-cloud deployments.
The approach needs to be opinionated to get us to multi-cloud deployments as soon as possible, while at the same time being easy for others to understand and modify.
A cloud-init approach keeps node configuration in the instance's user data, which every cloud we target accepts, so the same configuration can be replicated across multiple provisioning toolchains.
Terraform is well documented and maintained and supports the AWS resources we need to configure. Targeting Azure, Google, and Packet would require minimal code changes: templating the same cloud-init across those clouds reduces our dependency on vendor-specific provisioning code. (We have also developed an approach for hardware deploys via Hanlon/PXE for the CNCF Cluster.)
We took some time to understand, and in the process simplify, the cncf/demo codebase.
You can take a look at the code at code.ii.coop/cncf/demo
- Multiple cloud providers (GCE? CNCF Cluster? VirtualBox?)
- Parallel deploys to the same cloud provider
- ENV-driven CI with metrics
- Clean up this quick-and-dirty PoC
$ export AWS_ACCESS_KEY_ID="YOUR_AWS_KEY_ID"
$ export AWS_SECRET_ACCESS_KEY="YOUR_AWS_SECRET_KEY"
# ./data (mounted at /cncf/data) will hold the terraform state, certs, aws and kubectl configs;
# it contains private keys and credentials, so keep it out of version control and readable only by you
# the keys passed with -e are visible to anyone on this host who can run `docker inspect cncfdemo`
# http://localhost:8001/ui is your Kubernetes Dashboard (a kubectl proxy on the host's loopback, no auth, because of --net=host)
$ docker run -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
-e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
-v $(pwd)/data:/cncf/data \
--net=host \
--name=cncfdemo \
iicoop/cncfdemo
Some commands you can run from another terminal:
docker exec -ti cncfdemo kubectl get nodes
docker exec -ti cncfdemo kubectl get pods --namespace=kube-system
docker exec -ti cncfdemo kubectl get pods
docker exec -ti cncfdemo kubectl get pods --namespace=monitoring
To access Elasticsearch, Kibana and the Dashboard through the proxy, visit:
- http://localhost:8001/api/v1/proxy/namespaces/kube-system/services/elasticsearch-logging
- http://localhost:8001/api/v1/proxy/namespaces/kube-system/services/kibana-logging
- http://localhost:8001/ui
# To destroy everything (uses the terraform state and aws config saved in ./data)
$ docker run -v $(pwd)/data:/cncf/data iicoop/cncfdemo destroy
$ docker rm -f cncfdemo
- TLS certificate generation
- EC2 Key Pair creation
- AWS VPC Public and Private subnets
- IAM protected S3 bucket for asset (TLS and manifests) distribution
- Bastion Host
- Multi-AZ Auto-Scaling Worker Nodes
- NAT Gateway
- etcd DNS Discovery Bootstrap
- kubelet runs under rkt (using CoreOS recommended Kubelet Wrapper Script)
- Highly Available ApiServer Configuration
- Service accounts enabled
- SkyDNS utilizing cluster's etcd
- CoreOS AMI sourcing
- Terraform Pattern Modules
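The "etcd DNS Discovery Bootstrap" and "SkyDNS utilizing cluster's etcd" items above rely on SRV records in the VPC's Route 53 internal zone. The following is an added example, not code from cncf/demo: it produces the record set the internal zone needs for `etcd --discovery-srv <zone>` and resolves those records the way an etcd member does at bootstrap. The zone name, member names and addresses are constructed, and a list of tuples stands in for DNS so the example runs offline.

```python
"""Route 53 records for etcd SRV discovery and the peer list a member derives.

Added example, not code from cncf/demo. The zone name, member names and
addresses are constructed; a list of tuples stands in for DNS.
"""
ZONE = "cncfdemo.internal"                                    # assumed private zone
PEER_PORT = 2380
MEMBERS = {"etcd0": "10.0.1.10", "etcd1": "10.0.2.10", "etcd2": "10.0.3.10"}  # constructed


def route53_records(members, zone=ZONE):
    """(name, type, values) for one A record per member and a single
    _etcd-server-ssl._tcp SRV set listing every peer. Only the TLS variant
    is published: with no _etcd-server._tcp record there is no plaintext
    peer URL for a member to fall back to."""
    records = [(f"{name}.{zone}", "A", [ip]) for name, ip in members.items()]
    srv = [f"0 0 {PEER_PORT} {name}.{zone}" for name in members]   # priority weight port target
    records.append((f"_etcd-server-ssl._tcp.{zone}", "SRV", srv))
    return records


def lookup(records, name, rtype):
    """Stand-in for a DNS query against the private zone."""
    return next((v for n, t, v in records if n == name and t == rtype), [])


def initial_cluster(records, self_name, zone=ZONE):
    """Build the --initial-cluster string from the SRV set the way etcd's SRV
    discovery does: the entry whose target is this member's own host keeps
    its --name, the other peers get placeholder numeric names (they announce
    their real names over the peer URLs), and every target must resolve,
    otherwise the member would bootstrap against a peer it cannot reach.
    Assumes each member's host is <name>.<zone>."""
    entries, placeholder = [], 0
    for record in lookup(records, f"_etcd-server-ssl._tcp.{zone}", "SRV"):
        _priority, _weight, port, target = record.split()
        if not lookup(records, target, "A"):
            raise ValueError(f"SRV target {target} has no A record")
        if target == f"{self_name}.{zone}":
            name = self_name
        else:
            name, placeholder = str(placeholder), placeholder + 1
        entries.append(f"{name}=https://{target}:{port}")
    return ",".join(entries)


if __name__ == "__main__":
    recs = route53_records(MEMBERS)
    for name, rtype, values in recs:
        print(f"{name:45} {rtype:4} {values}")
    print("etcd1 --initial-cluster", initial_cluster(recs, "etcd1"))
```

The peer certificates handed out through the asset bucket must carry these `<name>.<zone>` hostnames as SANs, or the TLS peer URLs produced here will fail verification.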
AWS user permissions (managed policies attached to the user whose keys are exported above):
- AmazonEC2FullAccess
- AmazonS3FullAccess
- AWSCodeDeployFullAccess
- AmazonRoute53DomainsFullAccess
- AmazonRoute53FullAccess
- IAMFullAccess
- IAMUserChangePassword
These policies are far broader than the demo needs; IAMFullAccess alone lets the holder of the keys create an administrator, so treat them as account-admin credentials: use a dedicated demo account or user, and rotate or delete the keys when the demo is torn down.
- client and server TLS assets
- S3 bucket for TLS assets (secured by IAM roles for master and worker nodes)
- AWS VPC with private and public subnets
- Route 53 internal zone for the VPC
- etcd cluster bootstrapped from Route 53
- High-availability Kubernetes configuration (masters running on the etcd nodes)
- Autoscaling worker node group across subnets in the selected region
- kube-system namespace and addons: DNS, UI, Dashboard
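Both lists say the TLS and manifest bucket is "secured by IAM roles for master and worker nodes" without showing what that scoping looks like. The following is an added example, not the cncf/demo project's own Terraform: it builds the read-only IAM policy for the master and worker instance roles, the bucket policy that keeps every other principal out and refuses plaintext transport, and a lint that catches the grants which would undo that protection. The bucket name, account id, role and provisioner ARNs and key prefixes are assumptions.

```python
"""Prefix-scoped access to the TLS/manifest asset bucket.

Added example, not the cncf/demo project's own Terraform. Bucket name,
account id, role ARNs and key prefixes are assumptions.
"""
import json

BUCKET = "cncfdemo-assets"                                  # assumed
ACCOUNT = "123456789012"                                    # assumed
ROLE_ARNS = {                                               # assumed instance roles
    "master": f"arn:aws:iam::{ACCOUNT}:role/cncfdemo-master",
    "worker": f"arn:aws:iam::{ACCOUNT}:role/cncfdemo-worker",
}
PROVISIONER_ARN = f"arn:aws:iam::{ACCOUNT}:user/cncfdemo"  # assumed: the user that uploads assets
# Keys each role may read. Workers get only the CA certificate and their own
# client assets; the apiserver key material stays master-only.
PREFIXES = {
    "master": ["tls/ca.pem", "tls/apiserver*", "manifests/master/*"],
    "worker": ["tls/ca.pem", "tls/worker*", "manifests/worker/*"],
}


def _listify(value):
    return value if isinstance(value, list) else [value]


def role_policy(role):
    """Identity policy for one instance role: GetObject on its prefixes only,
    and ListBucket restricted to those same prefixes."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOwnAssets", "Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{BUCKET}/{p}" for p in PREFIXES[role]]},
            {"Sid": "ListOwnPrefixes", "Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{BUCKET}",
             "Condition": {"StringLike": {"s3:prefix": PREFIXES[role]}}},
        ],
    }


def bucket_policy():
    """Resource policy: deny everyone but the node roles and the provisioner
    (aws:PrincipalArn is the role ARN for an instance's assumed-role session),
    and deny any request that is not made over TLS."""
    arn_b = f"arn:aws:s3:::{BUCKET}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyUnknownPrincipals", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn_b, f"{arn_b}/*"],
             "Condition": {"ArnNotLike": {"aws:PrincipalArn":
                           [PROVISIONER_ARN, *ROLE_ARNS.values()]}}},
            {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn_b, f"{arn_b}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


def lint(policy):
    """Findings for Allow statements that expose asset keys beyond a named
    prefix; an empty list means every grant is prefix-scoped."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _listify(st.get("Action", []))
        resources = _listify(st.get("Resource", []))
        if st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: allows any principal")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        if any(r == "*" or r.endswith(":::*") or r.endswith(f":::{BUCKET}/*") for r in resources):
            findings.append(f"{sid}: object grant is not scoped to a prefix")
    return findings


WORLD_READABLE = {   # constructed counter-example of what the lint catches
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

if __name__ == "__main__":
    for role in ROLE_ARNS:
        print(json.dumps(role_policy(role), indent=2))
        print(role, "findings:", lint(role_policy(role)))
    print(json.dumps(bucket_policy(), indent=2))
    print("public-read findings:", lint(WORLD_READABLE))
```

The two policies are meant to be applied together: the identity policy gives a node nothing beyond its own prefixes, and the bucket policy makes sure a later, over-broad grant elsewhere in the account (AmazonS3FullAccess on some other user, for instance) does not quietly reopen the key material.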