...

Configure cluster nodes for registry mirror (containerd)

A DaemonSet can be used to configure the containerd runtime on the GKE cluster nodes.

A K8s DaemonSet ensures that all (or some) nodes run a copy of a Pod. This Pod can execute logic, which in this case is used to configure the registry mirror as described here.

Further information about K8s DaemonSets can be found in the K8s documentation.

A generic example of a “startup-script” DaemonSet can be found here.

GKE nodes are automatically configured using the deprecated registry mirror format, so the logic implemented in the example DaemonSet continues to use this method.
The user may change the DaemonSet logic to convert the configuration to the new format.

Update the following Environment variables in the DaemonSet yaml:

  • ICR_IO_MIRROR - the URL of the private registry that contains the icr.io images

  • CP_ICR_IO_MIRROR - the URL of the private registry that contains the cp.icr.io images
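The following is an added example and not the DPOD project's own startup-script DaemonSet: a POSIX shell script of the kind such a DaemonSet would run on each node, rendering the containerd registry-mirror configuration from the ICR_IO_MIRROR and CP_ICR_IO_MIRROR variables described above. It renders both the deprecated `registry.mirrors` format that GKE nodes currently use and the newer `hosts.toml` format, and it refuses non-https mirror URLs. Output goes to stdout; writing to the node's containerd config and restarting containerd are left to the DaemonSet, and the mirror URLs used in comments and tests are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the DPOD project's startup-script DaemonSet: render the
# containerd registry-mirror configuration that such a DaemonSet would write on
# each node, from the ICR_IO_MIRROR and CP_ICR_IO_MIRROR variables the page
# describes. Everything is printed to stdout; writing the node's containerd
# config and restarting containerd is left to the DaemonSet.

# Only accept https:// mirrors: a plaintext mirror would let anyone on the path
# to the registry substitute image layers.
validate_mirror_url() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "mirror URL must start with https:// (got: $1)" >&2; return 1 ;;
  esac
}

# Deprecated format, which GKE nodes currently use: one
# [plugins."io.containerd.grpc.v1.cri".registry.mirrors."<host>"] table per host.
render_legacy_mirror() {
  host="$1"; mirror="$2"
  validate_mirror_url "$mirror" || return 1
  printf '[plugins."io.containerd.grpc.v1.cri".registry.mirrors."%s"]\n  endpoint = ["%s"]\n' \
    "$host" "$mirror"
}

# New format: one hosts.toml per upstream host under the directory named by
# config_path in config.toml (conventionally /etc/containerd/certs.d/<host>/hosts.toml).
render_hosts_toml() {
  host="$1"; mirror="$2"
  validate_mirror_url "$mirror" || return 1
  printf 'server = "https://%s"\n\n[host."%s"]\n  capabilities = ["pull", "resolve"]\n' \
    "$host" "$mirror"
}

# Render the deprecated-format tables for both hosts the page lists, failing
# loudly if either environment variable is unset.
render_all_legacy() {
  render_legacy_mirror icr.io "${ICR_IO_MIRROR:?ICR_IO_MIRROR is not set}" &&
    render_legacy_mirror cp.icr.io "${CP_ICR_IO_MIRROR:?CP_ICR_IO_MIRROR is not set}"
}
```

To switch the DaemonSet to the new format, replace the `render_legacy_mirror` calls with `render_hosts_toml` written to the per-host `hosts.toml` files and set `config_path` in the node's containerd config.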

...

to the new format

Deploy DPOD Cloud Agent on k8s cluster using OLM

Starting with k8s 1.25, Pod Security Admission became a stable feature and was adopted by most cloud providers. It requires some configuration in order to deploy OLM and use it to deploy operators and applications. For further information see the K8s documentation: https://kubernetes.io/docs/concepts/security/pod-security-admission/

  • Change the DPOD Cloud Agent NS labels to conform with Pod Security Admission

    Code Block
    apiVersion: v1
    kind: Namespace
    metadata:
      labels:
        kubernetes.io/metadata.name: example-dpod-cloudagent-ns
        pod-security.kubernetes.io/enforce: restricted
        pod-security.kubernetes.io/enforce-version: latest
        pod-security.kubernetes.io/audit: restricted
        pod-security.kubernetes.io/audit-version: latest
        pod-security.kubernetes.io/warn: restricted
        pod-security.kubernetes.io/warn-version: latest
      name: example-dpod-cloudagent-ns
  • Create the DPOD Cloud Agent CatalogSource in OLM NS

    • Based on the OLM documentation, in order to create a Subscription the CatalogSource should be created either in the target NS (where the Subscription for DPOD Cloud Agent is created) or in the OLM NS (ClusterScope):
      https://olm.operatorframework.io/docs/troubleshooting/subscription/#a-subscription-in-namespace-x-cant-install-operators-from-a-catalogsource-in-namespace-y

    • Use the following definition to create a CatalogSource that conforms with the Pod Security Admission configured for the OLM NS:

      Code Block
      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      metadata:
        name: ibm-dpod-cloud-agent-catalog
        namespace: olm
      spec:
        displayName: IBM DataPower Operations Dashboard Cloud Agent
        image: icr.io/cpopen/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
        publisher: IBM
        sourceType: grpc
        grpcPodConfig:
          securityContextConfig: restricted
  • Create an OperatorGroup for the new namespace (ClusterScope)

    Code Block
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: dpod-cloudagent-group
      namespace: example-dpod-cloudagent-ns
  • Install the DPOD Cloud Agent operator

    Code Block
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: ibm-dpod-cloud-agent-operator
      namespace: example-dpod-cloudagent-ns
    spec:
      channel: stable-v1.0
      installPlanApproval: Automatic
      name: dpod-cloud-agent-operator
      source: ibm-dpod-cloud-agent-catalog
      sourceNamespace: olm
      startingCSV: dpod-cloud-agent-operator.v${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
  • Create a CR to deploy the DPOD Cloud Agent
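As an added example (not part of the DPOD documentation or the operator project), the following shell script performs the preflight check a practitioner would want before running the OLM steps above: it verifies that the namespace manifest carries all three Pod Security Admission labels (enforce, audit, warn) at the `restricted` level, then applies the objects in the order listed. The sample manifest is constructed from the page's namespace with a deliberately weaker `warn` level so the check has something to report; the manifest file names in the deploy function are assumptions.

```shell
#!/bin/sh
# Added example, not part of the DPOD documentation: a preflight check that the
# namespace manifest carries the three Pod Security Admission labels at the
# level the page requires, run before the OLM objects are applied. Only sh and
# sed/grep are used, so it runs offline; the kubectl steps at the end need a
# cluster and are not exercised here.

# Constructed sample manifest, modelled on the page's namespace but with a
# deliberately weaker warn level so the check has something to report.
SAMPLE_NS_MANIFEST='apiVersion: v1
kind: Namespace
metadata:
  labels:
    kubernetes.io/metadata.name: example-dpod-cloudagent-ns
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: baseline
  name: example-dpod-cloudagent-ns'

# Print the value of one pod-security label (enforce, audit or warn) from the
# manifest on stdin; prints nothing when the label is absent.
psa_label() {
  sed -n "s/^ *pod-security\.kubernetes\.io\/$1: *//p" | head -n 1
}

# Check that all three modes equal the wanted level (default: restricted).
# Reports each missing or weaker mode on stderr and returns 1 if any fails.
check_psa_labels() {
  manifest="$1"; want="${2:-restricted}"; rc=0
  for mode in enforce audit warn; do
    got=$(printf '%s\n' "$manifest" | psa_label "$mode")
    if [ "$got" != "$want" ]; then
      echo "pod-security.kubernetes.io/$mode is '${got:-unset}', expected '$want'" >&2
      rc=1
    fi
  done
  return $rc
}

# Apply the page's OLM objects in order, but only after the namespace check
# passes. File names are assumptions; adjust to where the manifests are kept.
deploy_dpod_cloud_agent_olm() {
  check_psa_labels "$(cat namespace.yaml)" || return 1
  kubectl apply -f namespace.yaml &&
    kubectl apply -f catalogsource.yaml &&
    kubectl apply -f operatorgroup.yaml &&
    kubectl apply -f subscription.yaml
}
```

A namespace whose `warn` or `audit` label is weaker than `enforce` still admits the same Pods, but it silently drops the warnings and audit events that would reveal a workload drifting away from the restricted profile, which is why the check insists on all three.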

Create LoadBalancer services for DPOD Cloud Agent on Amazon EKS

Deploy

...

Manager LB service

Code Block
apiVersion: v1
kind: Service
metadata:
  name: dpod-cloud-agent-prod-mng-lb-svc
  namespace: example-dpod-cloudagent-ns
  labels:
    app.kubernetes.io/component: dpod-cloud-agent-manager
    app.kubernetes.io/instance: dpod-cloud-agent-prod
    app.kubernetes.io/managed-by: dpod-cloud-agent-operator
    app.kubernetes.io/name: dpod-cloud-agent-manager
    app.kubernetes.io/part-of: dpod-cloud-agent
    app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: 8443
      name: https-manager
  selector:
    app.kubernetes.io/component: dpod-cloud-agent-manager
    app.kubernetes.io/instance: dpod-cloud-agent-prod
    app.kubernetes.io/name: dpod-cloud-agent-manager
    app.kubernetes.io/part-of: dpod-cloud-agent
  sessionAffinity: None

Deploy one LoadBalancer service per messaging broker replica.

  • Deploy the messaging bootstrap LB service

    Code Block
    apiVersion: v1
    kind: Service
    metadata:
      name: dpod-cloud-agent-prod-msg-bse-lb-svc
      namespace: example-dpod-cloudagent-ns
      labels:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/managed-by: dpod-cloud-agent-operator
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
        app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    spec:
      type: LoadBalancer
      ports:
        - port: 30100
          targetPort: 29092
          name: kafka-bootstrap
      selector:
        app.kubernetes.io/component: dpod-cloud-agent-messaging
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/name: dpod-cloud-agent-messaging
        app.kubernetes.io/part-of: dpod-cloud-agent
      sessionAffinity: None
  • Deploy broker-0 LB service

...

Create LoadBalancer services for DPOD Cloud Agent on Google GKE

Deploy

...

Manager LB service

Code Block
apiVersion: v1
kind: Service
metadata:
  name: dpod-cloud-agent-prod-mng-lb-svc
  namespace: example-dpod-cloudagent-ns
  labels:
    app.kubernetes.io/component: dpod-cloud-agent-manager
    app.kubernetes.io/instance: dpod-cloud-agent-prod
    app.kubernetes.io/managed-by: dpod-cloud-agent-operator
    app.kubernetes.io/name: dpod-cloud-agent-manager
    app.kubernetes.io/part-of: dpod-cloud-agent
    app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
  annotations:
    cloud.google.com/l4-rbs: "enabled"
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: 8443
      name: https-manager
  selector:
    app.kubernetes.io/component: dpod-cloud-agent-manager
    app.kubernetes.io/instance: dpod-cloud-agent-prod
    app.kubernetes.io/name: dpod-cloud-agent-manager
    app.kubernetes.io/part-of: dpod-cloud-agent
  sessionAffinity: None
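The EKS Service manifests (internet-facing NLB annotations) and the GKE manifest above (`cloud.google.com/l4-rbs`) both publish the manager on 443 and, for the messaging services, the Kafka bootstrap on 30100 to the internet without restricting client sources. As an added example that is not the DPOD project's own code, the following shell script checks a Service manifest for exactly that condition and shows how to add `spec.loadBalancerSourceRanges`, a standard Service field the page's manifests do not set. The sample manifest is constructed from the page's EKS manager service, and the CIDRs in the test are placeholders.

```shell
#!/bin/sh
# Added example, not from the DPOD documentation: lint a LoadBalancer Service
# manifest for an internet-facing listener that carries no
# loadBalancerSourceRanges, and add an allow-list when it is missing.
# Works on the manifest text with grep/printf only, so it runs offline.

# Constructed sample: the page's EKS manager Service, trimmed to the fields the
# check looks at (no operator-version label, single selector key).
SAMPLE_LB_SVC='apiVersion: v1
kind: Service
metadata:
  name: dpod-cloud-agent-prod-mng-lb-svc
  namespace: example-dpod-cloudagent-ns
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: 8443
      name: https-manager
  selector:
    app.kubernetes.io/component: dpod-cloud-agent-manager'

# Is the Service published to the internet? True for the AWS internet-facing
# scheme annotation, and for a GKE l4-rbs Service that is not marked Internal.
is_internet_facing() {
  printf '%s\n' "$1" | grep -q 'aws-load-balancer-scheme: internet-facing' && return 0
  printf '%s\n' "$1" | grep -q 'cloud.google.com/l4-rbs' &&
    ! printf '%s\n' "$1" | grep -q 'networking.gke.io/load-balancer-type: "Internal"' && return 0
  return 1
}

# Return 1 when an internet-facing LoadBalancer has no loadBalancerSourceRanges
# (the manager on 443 or the Kafka bootstrap on 30100 would accept any source),
# 2 when the manifest is not a LoadBalancer Service at all, 0 otherwise.
lint_lb_service() {
  manifest="$1"
  printf '%s\n' "$manifest" | grep -q '^  type: LoadBalancer' ||
    { echo "not a LoadBalancer Service" >&2; return 2; }
  if is_internet_facing "$manifest" &&
     ! printf '%s\n' "$manifest" | grep -q '^  loadBalancerSourceRanges:'; then
    echo "internet-facing LoadBalancer without loadBalancerSourceRanges" >&2
    return 1
  fi
  return 0
}

# Append spec.loadBalancerSourceRanges with the given CIDRs to a manifest.
# The manifest is expected to end inside spec:, as the page's examples do.
with_source_ranges() {
  manifest="$1"; shift
  printf '%s\n  loadBalancerSourceRanges:\n' "$manifest"
  for cidr in "$@"; do printf '    - %s\n' "$cidr"; done
}
```

Run the lint over each generated Service (manager, bootstrap and every broker-N service) before applying; the allow-list should name the DPOD console's egress addresses rather than 0.0.0.0/0, and cloud provider firewall rules still apply on top of it.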

...