...
Configure cluster nodes for registry mirror (containerd)
A DaemonSet can be used to configure the containerd runtime on the GKE cluster nodes.
A Kubernetes DaemonSet ensures that all (or some) nodes run a copy of a Pod; that Pod can execute logic which, in this case, configures the registry mirror as described here.
Further information about DaemonSets can be found in the Kubernetes documentation.
A generic example of a “startup-script” DaemonSet can be found here.
GKE nodes are automatically configured using the deprecated registry mirror format, so the logic implemented in the example DaemonSet keeps using that format.
You may change the DaemonSet logic to convert the configuration to the new format.
Update the following environment variables in the DaemonSet YAML:
ICR_IO_MIRROR - the URL of the private registry containing the icr.io images
CP_ICR_IO_MIRROR - the URL of the private registry containing the cp.icr.io images
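The two containerd formats the paragraph refers to, rendered from the two environment variables above. This is an added example, not code from the page or from IBM's DaemonSet; it assumes the standard /etc/containerd/config.toml and /etc/containerd/certs.d paths and constructs sample mirror URLs. The security-relevant detail is the `capabilities` list in the new format: a mirror granted only `pull` serves content by digest while tags are still resolved at the upstream registry, so a compromised mirror cannot change what a tag points to; `resolve` is needed only when the nodes cannot reach the upstream at all.

```python
"""Render containerd registry-mirror configuration for icr.io and cp.icr.io in
both the deprecated format (mirrors tables in config.toml) and the current
format (config_path + certs.d/<registry>/hosts.toml).
Added example, not code from the page or from IBM's DaemonSet; it consumes only
the two environment variables the page names."""

# Registries the page mirrors, keyed to the env var that carries each mirror URL.
MIRROR_ENV = {"icr.io": "ICR_IO_MIRROR", "cp.icr.io": "CP_ICR_IO_MIRROR"}

# Assumed node paths; a DaemonSet would write these through a hostPath mount.
CONFIG_TOML = "/etc/containerd/config.toml"
CERTS_D = "/etc/containerd/certs.d"


def mirror_url(env: dict, registry: str) -> str:
    """Read and validate one mirror URL; insist on https so pulls never go in clear text."""
    url = env[MIRROR_ENV[registry]].strip().rstrip("/")
    if not url.startswith("https://"):
        raise ValueError(f"mirror for {registry} must be https://, got {url!r}")
    return url


def deprecated_mirrors_toml(env: dict) -> str:
    """Deprecated format (what the page says GKE nodes are configured with):
    one mirrors.<registry> table per upstream, mirror first, upstream as fallback."""
    out = []
    for registry, var in MIRROR_ENV.items():
        if var not in env:
            continue
        out.append(f'[plugins."io.containerd.grpc.v1.cri".registry.mirrors."{registry}"]')
        out.append(f'  endpoint = ["{mirror_url(env, registry)}", "https://{registry}"]')
    return "\n".join(out) + "\n"


def hosts_toml(env: dict, registry: str, resolve_tags: bool = False) -> str:
    """New format: certs.d/<registry>/hosts.toml. With only "pull" the mirror
    serves manifests and blobs by digest and tag lookups still go to `server`,
    so the mirror cannot silently repoint a tag; "resolve" delegates tag
    resolution to the mirror and should be granted only when that is intended."""
    caps = '["pull", "resolve"]' if resolve_tags else '["pull"]'
    return (
        f'server = "https://{registry}"\n\n'
        f'[host."{mirror_url(env, registry)}"]\n'
        f"  capabilities = {caps}\n"
    )


def new_format_files(env: dict, resolve_tags: bool = False) -> dict:
    """All files for the new format, keyed by path. config.toml carries only
    the config_path stanza: once config_path is set containerd ignores the old
    mirrors tables, so the two formats must not be mixed on one node."""
    files = {
        CONFIG_TOML: (
            '[plugins."io.containerd.grpc.v1.cri".registry]\n'
            f'  config_path = "{CERTS_D}"\n'
        )
    }
    for registry, var in MIRROR_ENV.items():
        if var in env:
            files[f"{CERTS_D}/{registry}/hosts.toml"] = hosts_toml(env, registry, resolve_tags)
    return files


if __name__ == "__main__":
    # Constructed sample values; on a node they come from the DaemonSet environment.
    sample_env = {
        "ICR_IO_MIRROR": "https://icr-mirror.example.internal",
        "CP_ICR_IO_MIRROR": "https://cp-icr-mirror.example.internal/",
    }
    print("# deprecated format\n" + deprecated_mirrors_toml(sample_env))
    for path, body in new_format_files(sample_env).items():
        print(f"# {path}\n{body}")
```

Both renderings use the same URL validation, so a mirror configured over plain http is rejected before anything is written to the node.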
...
to the new format
Deploy DPOD Cloud Agent on k8s cluster using OLM
Starting with Kubernetes 1.25, Pod Security Admission became a stable feature and has been adopted by most cloud providers. It requires some configuration in order to deploy OLM and use it to deploy operators and applications. For further information see the Kubernetes documentation: https://kubernetes.io/docs/concepts/security/pod-security-admission/
Change the DPOD Cloud Agent namespace labels to conform with Pod Security Admission:

apiVersion: v1
kind: Namespace
metadata:
  labels:
    kubernetes.io/metadata.name: example-dpod-cloudagent-ns
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
  name: example-dpod-cloudagent-ns
Create the DPOD Cloud Agent CatalogSource in the OLM namespace. According to the OLM documentation, for a Subscription to resolve, the CatalogSource must be created either in the target namespace (where the Subscription for the DPOD Cloud Agent is created) or in the OLM namespace (cluster scope): https://olm.operatorframework.io/docs/troubleshooting/subscription/#a-subscription-in-namespace-x-cant-install-operators-from-a-catalogsource-in-namespace-y
Use the following definition to create a CatalogSource that conforms with the Pod Security Admission configured for the OLM namespace; grpcPodConfig.securityContextConfig: restricted makes the catalog pod run with a security context that the restricted profile admits:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-dpod-cloud-agent-catalog
  namespace: olm
spec:
  displayName: IBM DataPower Operations Dashboard Cloud Agent
  image: icr.io/cpopen/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
  publisher: IBM
  sourceType: grpc
  grpcPodConfig:
    securityContextConfig: restricted
Create an OperatorGroup in the new namespace. With no targetNamespaces the OperatorGroup selects all namespaces, so the operator is installed with cluster scope and its RBAC applies cluster-wide:

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: dpod-cloudagent-group
  namespace: example-dpod-cloudagent-ns
Install the DPOD Cloud Agent operator by creating a Subscription. installPlanApproval: Automatic lets OLM apply every new version published on the channel without review; set it to Manual if operator upgrades must be approved first:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-dpod-cloud-agent-operator
  namespace: example-dpod-cloudagent-ns
spec:
  channel: stable-v1.0
  installPlanApproval: Automatic
  name: dpod-cloud-agent-operator
  source: ibm-dpod-cloud-agent-catalog
  sourceNamespace: olm
  startingCSV: dpod-cloud-agent-operator.v${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
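A pre-flight check for the four OLM objects above, run before `kubectl apply`: the namespace carries all three restricted Pod Security Admission labels, the CatalogSource sits where OLM will look for it from the Subscription and runs its catalog pod with a restricted security context, the Subscription references that CatalogSource, and the OperatorGroup's scope is reported. This is an added example, not code from the page or from IBM; the manifests are the page's, transcribed as Python dicts, the OLM namespace name `olm` is taken from the page, and `${DPOD_CLOUD_AGENT_OPERATOR_VERSION}` is kept as its placeholder.

```python
"""Consistency check for the OLM objects (Namespace, CatalogSource,
OperatorGroup, Subscription) used to install the DPOD Cloud Agent operator.
Added example, not the page's or IBM's code; manifests transcribed from the page."""

import copy

OLM_NAMESPACE = "olm"  # the OLM (global catalog) namespace used on the page
PSA_MODES = ("enforce", "audit", "warn")

NAMESPACE = {
    "apiVersion": "v1",
    "kind": "Namespace",
    "metadata": {
        "name": "example-dpod-cloudagent-ns",
        "labels": {
            "kubernetes.io/metadata.name": "example-dpod-cloudagent-ns",
            "pod-security.kubernetes.io/enforce": "restricted",
            "pod-security.kubernetes.io/enforce-version": "latest",
            "pod-security.kubernetes.io/audit": "restricted",
            "pod-security.kubernetes.io/audit-version": "latest",
            "pod-security.kubernetes.io/warn": "restricted",
            "pod-security.kubernetes.io/warn-version": "latest",
        },
    },
}

CATALOG_SOURCE = {
    "apiVersion": "operators.coreos.com/v1alpha1",
    "kind": "CatalogSource",
    "metadata": {"name": "ibm-dpod-cloud-agent-catalog", "namespace": OLM_NAMESPACE},
    "spec": {
        "displayName": "IBM DataPower Operations Dashboard Cloud Agent",
        "image": "icr.io/cpopen/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64",
        "publisher": "IBM",
        "sourceType": "grpc",
        "grpcPodConfig": {"securityContextConfig": "restricted"},
    },
}

OPERATOR_GROUP = {
    "apiVersion": "operators.coreos.com/v1",
    "kind": "OperatorGroup",
    "metadata": {"name": "dpod-cloudagent-group", "namespace": "example-dpod-cloudagent-ns"},
}

SUBSCRIPTION = {
    "apiVersion": "operators.coreos.com/v1alpha1",
    "kind": "Subscription",
    "metadata": {"name": "ibm-dpod-cloud-agent-operator", "namespace": "example-dpod-cloudagent-ns"},
    "spec": {
        "channel": "stable-v1.0",
        "installPlanApproval": "Automatic",
        "name": "dpod-cloud-agent-operator",
        "source": "ibm-dpod-cloud-agent-catalog",
        "sourceNamespace": OLM_NAMESPACE,
        "startingCSV": "dpod-cloud-agent-operator.v${DPOD_CLOUD_AGENT_OPERATOR_VERSION}",
    },
}


def check_namespace(ns: dict) -> list:
    """All three PSA modes must be `restricted`: without `enforce`, a
    non-compliant pod is only logged or warned about, never rejected."""
    errors = []
    labels = ns["metadata"].get("labels", {})
    for mode in PSA_MODES:
        key = f"pod-security.kubernetes.io/{mode}"
        if labels.get(key) != "restricted":
            errors.append(f"namespace {ns['metadata']['name']}: {key} is {labels.get(key)!r}, want 'restricted'")
    return errors


def check_catalogsource(cs: dict, sub: dict) -> list:
    """OLM resolves a Subscription only against a CatalogSource in the same
    namespace or in the global OLM namespace; under a restricted namespace the
    catalog pod must also declare securityContextConfig: restricted to be admitted."""
    errors = []
    cs_ns, cs_name = cs["metadata"]["namespace"], cs["metadata"]["name"]
    sub_ns = sub["metadata"]["namespace"]
    if cs_ns not in (sub_ns, OLM_NAMESPACE):
        errors.append(f"CatalogSource {cs_name} in {cs_ns} is not visible to a Subscription in {sub_ns}")
    scc = cs.get("spec", {}).get("grpcPodConfig", {}).get("securityContextConfig")
    if scc != "restricted":
        errors.append(f"CatalogSource {cs_name}: grpcPodConfig.securityContextConfig is {scc!r}, want 'restricted'")
    spec = sub["spec"]
    if (spec.get("source"), spec.get("sourceNamespace")) != (cs_name, cs_ns):
        errors.append(f"Subscription {sub['metadata']['name']}: source/sourceNamespace do not point at {cs_name}/{cs_ns}")
    return errors


def operatorgroup_scope(og: dict) -> str:
    """No targetNamespaces and no selector means every namespace is selected:
    the operator is installed cluster-scoped and its RBAC is cluster-wide."""
    spec = og.get("spec") or {}
    return "namespaced" if spec.get("targetNamespaces") or spec.get("selector") else "cluster"


def check_operatorgroup(og: dict, sub: dict) -> list:
    if og["metadata"]["namespace"] != sub["metadata"]["namespace"]:
        return [f"OperatorGroup {og['metadata']['name']} is not in the Subscription namespace"]
    return []


def preflight(ns: dict, cs: dict, og: dict, sub: dict) -> list:
    """Every blocking error; an empty list means the four objects are consistent."""
    return check_namespace(ns) + check_catalogsource(cs, sub) + check_operatorgroup(og, sub)


def relocated(manifest: dict, namespace: str) -> dict:
    """Copy of a manifest moved to another namespace (used to show the failing case)."""
    out = copy.deepcopy(manifest)
    out["metadata"]["namespace"] = namespace
    return out


def without_label(manifest: dict, key: str) -> dict:
    """Copy of a manifest with one metadata label removed (used to show the failing case)."""
    out = copy.deepcopy(manifest)
    out["metadata"]["labels"].pop(key, None)
    return out


if __name__ == "__main__":
    print("page manifests:", preflight(NAMESPACE, CATALOG_SOURCE, OPERATOR_GROUP, SUBSCRIPTION) or "ok")
    print("OperatorGroup scope:", operatorgroup_scope(OPERATOR_GROUP))
    # The classic failure: a CatalogSource in a namespace the Subscription cannot see.
    print("misplaced catalog:", preflight(NAMESPACE, relocated(CATALOG_SOURCE, "tools"), OPERATOR_GROUP, SUBSCRIPTION))
```

The check is deliberately static, so it can run in CI against the manifests before anyone has cluster credentials; the `relocated` and `without_label` helpers exist only to exercise the failure paths.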
Create CR to deploy the DPOD Cloud Agent
Create LoadBalancer services for DPOD Cloud Agent on Amazon EKS
Deploy
...
Manager LB service
The annotations below require the AWS Load Balancer Controller and create an internet-facing NLB, so the manager endpoint is reachable from the public internet; change the scheme to internal if it only needs to be reachable from inside the VPC, and consider spec.loadBalancerSourceRanges to limit the source addresses.

apiVersion: v1
kind: Service
metadata:
  name: dpod-cloud-agent-prod-mng-lb-svc
  namespace: example-dpod-cloudagent-ns
  labels:
    app.kubernetes.io/component: dpod-cloud-agent-manager
    app.kubernetes.io/instance: dpod-cloud-agent-prod
    app.kubernetes.io/managed-by: dpod-cloud-agent-operator
    app.kubernetes.io/name: dpod-cloud-agent-manager
    app.kubernetes.io/part-of: dpod-cloud-agent
    app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: 8443
      name: https-manager
  selector:
    app.kubernetes.io/component: dpod-cloud-agent-manager
    app.kubernetes.io/instance: dpod-cloud-agent-prod
    app.kubernetes.io/name: dpod-cloud-agent-manager
    app.kubernetes.io/part-of: dpod-cloud-agent
  sessionAffinity: None
Deploy one LoadBalancer service per messaging broker replica, in addition to the messaging bootstrap service.
Deploy the Messaging bootstrap LB service
apiVersion: v1
kind: Service
metadata:
  name: dpod-cloud-agent-prod-msg-bse-lb-svc
  namespace: example-dpod-cloudagent-ns
  labels:
    app.kubernetes.io/component: dpod-cloud-agent-manager
    app.kubernetes.io/instance: dpod-cloud-agent-prod
    app.kubernetes.io/managed-by: dpod-cloud-agent-operator
    app.kubernetes.io/name: dpod-cloud-agent-manager
    app.kubernetes.io/part-of: dpod-cloud-agent
    app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
spec:
  type: LoadBalancer
  ports:
    - port: 30100
      targetPort: 29092
      name: kafka-bootstrap
  selector:
    app.kubernetes.io/component: dpod-cloud-agent-messaging
    app.kubernetes.io/instance: dpod-cloud-agent-prod
    app.kubernetes.io/name: dpod-cloud-agent-messaging
    app.kubernetes.io/part-of: dpod-cloud-agent
  sessionAffinity: None
Deploy broker-0 LB service
...
Create LoadBalancer services for DPOD Cloud Agent on Google GKE
Deploy
...
Manager LB service
The cloud.google.com/l4-rbs: "enabled" annotation creates a backend-service-based external passthrough Network Load Balancer, so the manager endpoint is reachable from the public internet; use the networking.gke.io/load-balancer-type: "Internal" annotation instead if it only needs to be reachable from inside the VPC, and consider spec.loadBalancerSourceRanges to limit the source addresses.

apiVersion: v1
kind: Service
metadata:
  name: dpod-cloud-agent-prod-mng-lb-svc
  namespace: example-dpod-cloudagent-ns
  labels:
    app.kubernetes.io/component: dpod-cloud-agent-manager
    app.kubernetes.io/instance: dpod-cloud-agent-prod
    app.kubernetes.io/managed-by: dpod-cloud-agent-operator
    app.kubernetes.io/name: dpod-cloud-agent-manager
    app.kubernetes.io/part-of: dpod-cloud-agent
    app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
  annotations:
    cloud.google.com/l4-rbs: "enabled"
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: 8443
      name: https-manager
  selector:
    app.kubernetes.io/component: dpod-cloud-agent-manager
    app.kubernetes.io/instance: dpod-cloud-agent-prod
    app.kubernetes.io/name: dpod-cloud-agent-manager
    app.kubernetes.io/part-of: dpod-cloud-agent
  sessionAffinity: None
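An exposure review of the EKS and GKE manager LoadBalancer services on this page, with a helper that produces a restricted copy. This is an added example, not code from the page or from IBM; the two Services are transcribed from the page and the CIDR allow-list is constructed. spec.loadBalancerSourceRanges is a core Kubernetes Service field honoured by both the AWS Load Balancer Controller and GKE; the AWS scheme value `internal` and the GKE annotation networking.gke.io/load-balancer-type: "Internal" are the providers' ways of requesting an internal load balancer.

```python
"""Review LoadBalancer Services for public exposure and produce a restricted
copy. Added example, not the page's or IBM's code; Services transcribed from
the page, the CIDR list is constructed."""

import copy
import ipaddress

AWS_SCHEME = "service.beta.kubernetes.io/aws-load-balancer-scheme"
GKE_RBS = "cloud.google.com/l4-rbs"
GKE_LB_TYPE = "networking.gke.io/load-balancer-type"


def _manager_service(annotations: dict) -> dict:
    """The page's manager Service; only the cloud annotations differ between EKS and GKE."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {
            "name": "dpod-cloud-agent-prod-mng-lb-svc",
            "namespace": "example-dpod-cloudagent-ns",
            "labels": {
                "app.kubernetes.io/component": "dpod-cloud-agent-manager",
                "app.kubernetes.io/instance": "dpod-cloud-agent-prod",
                "app.kubernetes.io/managed-by": "dpod-cloud-agent-operator",
                "app.kubernetes.io/name": "dpod-cloud-agent-manager",
                "app.kubernetes.io/part-of": "dpod-cloud-agent",
                "app.kubernetes.io/version": "${DPOD_CLOUD_AGENT_OPERATOR_VERSION}",
            },
            "annotations": annotations,
        },
        "spec": {
            "type": "LoadBalancer",
            "ports": [{"port": 443, "targetPort": 8443, "name": "https-manager"}],
            "selector": {
                "app.kubernetes.io/component": "dpod-cloud-agent-manager",
                "app.kubernetes.io/instance": "dpod-cloud-agent-prod",
                "app.kubernetes.io/name": "dpod-cloud-agent-manager",
                "app.kubernetes.io/part-of": "dpod-cloud-agent",
            },
            "sessionAffinity": "None",
        },
    }


EKS_MANAGER = _manager_service({
    "service.beta.kubernetes.io/aws-load-balancer-type": "external",
    AWS_SCHEME: "internet-facing",
    "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type": "instance",
})
GKE_MANAGER = _manager_service({GKE_RBS: "enabled"})


def review_service(svc: dict) -> list:
    """Findings to settle before applying: is the endpoint public, does anything
    limit the source addresses, and do the labels describe what the selector picks."""
    findings = []
    name, spec = svc["metadata"]["name"], svc["spec"]
    ann = svc["metadata"].get("annotations", {})
    if spec.get("type") != "LoadBalancer":
        return findings
    if AWS_SCHEME in ann:
        if ann[AWS_SCHEME] != "internal":
            findings.append(f"{name}: AWS NLB scheme is {ann[AWS_SCHEME]!r} (public)")
    elif ann.get(GKE_LB_TYPE) != "Internal":
        # Without an internal-LB annotation a LoadBalancer Service gets a public address.
        findings.append(f"{name}: load balancer is external (no {GKE_LB_TYPE}: Internal)")
    if not spec.get("loadBalancerSourceRanges"):
        findings.append(f"{name}: no loadBalancerSourceRanges, traffic accepted from any source")
    sel = spec.get("selector", {}).get("app.kubernetes.io/component")
    lbl = svc["metadata"].get("labels", {}).get("app.kubernetes.io/component")
    if sel and lbl and sel != lbl:
        findings.append(f"{name}: label component {lbl!r} differs from selector component {sel!r}")
    return findings


def restrict_service(svc: dict, allowed_cidrs: list, internal: bool = True) -> dict:
    """Copy of `svc` limited to `allowed_cidrs` and, if requested, switched to
    an internal load balancer. CIDRs are parsed strictly so a host address with
    the wrong prefix length is rejected here rather than by the API server."""
    out = copy.deepcopy(svc)
    out["spec"]["loadBalancerSourceRanges"] = [
        str(ipaddress.ip_network(c, strict=True)) for c in allowed_cidrs
    ]
    if internal:
        ann = out["metadata"].setdefault("annotations", {})
        if AWS_SCHEME in ann:
            ann[AWS_SCHEME] = "internal"
        else:
            # l4-rbs selects GKE's backend-service-based *external* passthrough NLB,
            # so it is dropped in favour of the internal load balancer annotation.
            ann.pop(GKE_RBS, None)
            ann[GKE_LB_TYPE] = "Internal"
    return out


if __name__ == "__main__":
    on_prem_dpod = ["10.20.0.0/16", "192.0.2.0/24"]  # constructed allow-list
    for svc in (EKS_MANAGER, GKE_MANAGER):
        print(review_service(svc))
        print(review_service(restrict_service(svc, on_prem_dpod)))  # []
```

Run `review_service` over every LoadBalancer Service in the namespace before `kubectl apply`; a non-empty list is a decision to record, not necessarily a defect, since the DPOD Cloud Agent may legitimately need to be reachable from outside the VPC.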
...