Eirini
IMPORTANT: There are some cloud-specific settings for Azure Kubernetes Cluster and Amazon Kubernetes Cluster; we strongly recommend reading them first.
- The `eirini` namespace should be available in Kubernetes before deploying scf
- `cf ssh` to apps doesn't work (yet, but it's possible to ssh via kubectl into the apps pods)
- Restarting a cluster might cause the loss of your apps' logs
- Heapster needs to be installed (in some cases manually, e.g. AWS): it is required to display app metrics (CPU/RAM/DISK usage)
- Air-gapped environments or usage of manual certificates are not supported with Eirini
To enable Eirini, we need to disable Diego and enable Eirini explicitly in the `scf-config-values.yaml` file:
```yaml
enable:
  eirini: true
[...]
sizing:
  diego_api:
    count: 0
  diego_brain:
    count: 0
  diego_cell:
    count: 0
  diego_ssh:
    count: 0
  eirini:
    count: 1
kube:
  auth: rbac
```
(You need `kube.auth: rbac`, otherwise some components needed for Eirini will not be deployed correctly.)

Note: The relevant parts that enable Eirini are the sizing and the `env.ENABLE_EIRINI=true`. We need to set the sizing of Diego to 0 to disable it completely.
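A pre-flight check for the settings described above, run before `helm install`. This is an added example, not part of the original wiki or the SCF project; the function names `flatten_values` and `check_eirini_values` are hypothetical, and the parser assumes block-style YAML with 2-space indentation, as in the fragment shown here.

```shell
#!/bin/sh
# Added example: verify scf-config-values.yaml carries the Eirini settings.

# Flatten block-style YAML maps into "a.b.c=value" lines.
# Assumption: 2-space indentation, no lists or multi-line scalars.
flatten_values() {
  awk '
    /^[ \t]*#/ { next }                          # skip comment lines
    /^[ \t]*$/ { next }                          # skip blank lines
    {
      line = $0; sub(/^ +/, "", line)
      depth = int((length($0) - length(line)) / 2)
      sep = index(line, ":"); if (sep == 0) next # e.g. the "[...]" elision
      path[depth] = substr(line, 1, sep - 1)
      val = substr(line, sep + 1); sub(/[ \t]+#.*$/, "", val)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (val == "") next                        # parent key, no scalar value
      full = path[0]
      for (i = 1; i <= depth; i++) full = full "." path[i]
      print full "=" val
    }' "$1"
}

# Return 0 only if every setting this page requires for Eirini is present.
check_eirini_values() {
  flat=$(flatten_values "$1")
  rc=0
  expect() {   # expect <dotted.key> <required value>
    got=$(printf '%s\n' "$flat" | awk -F= -v k="$1" '$1 == k { print $2 }')
    if [ "$got" != "$2" ]; then
      echo "FAIL $1: expected '$2', found '${got:-unset}'"
      rc=1
    fi
  }
  expect enable.eirini true
  for role in diego_api diego_brain diego_cell diego_ssh; do
    expect "sizing.$role.count" 0
  done
  expect sizing.eirini.count 1
  expect kube.auth rbac
  return "$rc"
}

# Constructed sample: Diego cells left running and kube.auth missing.
sample=$(mktemp)
printf '%s\n' 'enable:' '  eirini: true' 'sizing:' '  diego_api:' '    count: 0' \
  '  diego_brain:' '    count: 0' '  diego_cell:' '    count: 3' \
  '  diego_ssh:' '    count: 0' '  eirini:' '    count: 1' > "$sample"
check_eirini_values "$sample" || echo "values file is not ready for Eirini"
rm -f "$sample"
```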
```
$> kubectl create -f - <<< '{"kind": "Namespace","apiVersion": "v1","metadata": {"name": "eirini","labels": {"name": "eirini"}}}' # create eirini namespace
$> helm repo add suse https://kubernetes-charts.suse.com/
$> helm repo update
$> helm install suse/uaa --name susecf-uaa --namespace uaa --values scf-config-values.yaml
$> watch -c "kubectl get pods --namespace uaa" # wait for uaa to come up
$> SECRET=$(kubectl get pods --namespace uaa \
     -o jsonpath='{.items[?(.metadata.name=="uaa-0")].spec.containers[?(.name=="uaa")].env[?(.name=="INTERNAL_CA_CERT")].valueFrom.secretKeyRef.name}')
$> CA_CERT="$(kubectl get secret "$SECRET" --namespace uaa \
     -o jsonpath="{.data['internal-ca-cert']}" | base64 --decode -)" && echo "$CA_CERT"
$> helm install suse/cf --name susecf-scf --namespace scf --values scf-config-values.yaml --set "secrets.UAA_CA_CERT=${CA_CERT}"
$> watch -c "kubectl get pods --namespace scf" # wait for scf to come up
```
Note: Some pods will not go into ready state when DNS has not been set up. DNS setup can be done in parallel.

To set up DNS, you need to get all active load balancers using `kubectl get services --all-namespaces | grep public`.

Set the DNS according to the following table:
| Entry | Service | Type | Comment |
|---|---|---|---|
| example.domain.tld | router-gorouter-public | A | Use IP of LB |
| *.example.domain.tld | router-gorouter-public | A | Use IP of LB |
| tcp.example.domain.tld | tcp-router-public | CNAME | |
| uaa.example.domain.tld | uaa-public | CNAME | |
| *.uaa.example.domain.tld | uaa-public | CNAME | |
Important: Heapster is deprecated and has been archived/retired upstream (see https://github.com/kubernetes-retired/heapster for details). It is going to be replaced by metrics server (https://github.com/kubernetes-incubator/metrics-server), which does not work with Eirini (yet).
Depending on your cluster configuration, you might need to deploy Heapster if not already present. You can install the latest stable Heapster via helm:
```
$> helm install --name heapster --namespace kube-system stable/heapster
```

And then you need to apply rbac and controller configurations:

```
$> kubectl apply --filename https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/rbac/heapster-rbac.yaml
$> kubectl apply --filename https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/standalone/heapster-controller.yaml
```
See also the official Heapster docs for reference.

Note: It will take a couple of minutes for the Heapster metrics to be visible in the console or in `cf app <someapp>`.