The following scenarios of deploying the DPOD Cloud Agent on k8s cloud providers are provided only as examples.
The details may change between different cloud providers, k8s versions and k8s cluster custom configuration.

You are expected to modify and adjust the commands according to your specific case.

The following variables are used across this document:

Code Block
DPOD_CLOUD_AGENT_VERSION="1.0.21.0"
DPOD_CLOUD_AGENT_OPERATOR_VERSION="1.1.0"

Configure Amazon EKS for Cloud Agent Deployment

Configure cluster nodes for registry mirror (containerd)

  • Create an EC2 Launch Template for the cluster nodes.

  • In the Launch Template Advanced details -> User data add the following configuration:
    Change the configuration according to your environment (at least the host attribute).

    Code Block
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="//"
    
    --//
    Content-Type: text/x-shellscript; charset="us-ascii"
    #!/bin/bash
    
    mkdir -p /etc/containerd/certs.d/icr.io
    printf 'server = "https://icr.io"\n[host."https://icr.io/dpod"]\n    capabilities = ["pull", "resolve"]\n    skip_verify = false\n    override_path = true\n' | tee /etc/containerd/certs.d/icr.io/hosts.toml
    --//--
  • Make sure to create the cluster with a Node Group that uses the new Launch Template.

Configure Google GKE for Cloud Agent Deployment

Configure cluster nodes for registry mirror (containerd)

  • A DaemonSet can be used to configure the containerd runtime of the GKE cluster nodes.

  • A k8s DaemonSet ensures that all (or some) nodes run a copy of a pod, which executes logic that in this case can be used to configure the registry mirror as described above. Further information about k8s DaemonSets can be found in the k8s documentation.

  • A generic example of a “startup-script” DaemonSet can be found here.

GKE nodes are automatically configured using the deprecated registry mirror format, so the logic implemented in the DaemonSet should continue to use the same method.
The user may change the DaemonSet logic to convert the configuration to the new format.
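
An added example (not from the original page or the DPOD documentation) of the startup-script DaemonSet pattern applied to this case: on every node it appends an icr.io entry to containerd's config.toml in the same deprecated mirrors format GKE uses, pointing at the icr.io/dpod endpoint from the EKS section, and restarts containerd. It assumes the community gcr.io/google-containers/startup-script:v1 image, that the node's containerd config lives at /etc/containerd/config.toml, and a Standard (not Autopilot) cluster; because it needs privileged and hostPID it must run in a namespace such as kube-system, never in the restricted DPOD namespace created below.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: dpod-containerd-mirror
  namespace: kube-system   # must admit privileged pods; the restricted DPOD NS would reject it
spec:
  selector:
    matchLabels:
      app: dpod-containerd-mirror
  template:
    metadata:
      labels:
        app: dpod-containerd-mirror
    spec:
      hostPID: true          # the image uses nsenter to run STARTUP_SCRIPT in the node's namespaces
      tolerations:
        - operator: Exists   # schedule on every node, including tainted node pools
      containers:
        - name: startup-script
          image: gcr.io/google-containers/startup-script:v1   # assumption: community startup-script image
          securityContext:
            privileged: true
          env:
            - name: STARTUP_SCRIPT
              value: |
                #!/bin/bash
                set -o errexit -o nounset -o pipefail
                CFG=/etc/containerd/config.toml   # assumption: GKE node containerd config path
                # Deprecated "mirrors" table, as GKE itself configures. The path in the endpoint
                # plays the role of override_path = true in the hosts.toml of the EKS section.
                MIRROR='[plugins."io.containerd.grpc.v1.cri".registry.mirrors."icr.io"]'
                # Idempotent: a duplicate table would make containerd fail to start after restart
                if grep -qF "$MIRROR" "$CFG"; then
                  echo "icr.io mirror already present in $CFG, nothing to do"
                  exit 0
                fi
                printf '\n%s\n  endpoint = ["https://icr.io/dpod"]\n' "$MIRROR" >> "$CFG"
                systemctl restart containerd
                echo "icr.io mirror added to $CFG, containerd restarted"
```

The pod re-runs the script after a node reboot or node-pool upgrade, which is why the guard against a duplicate table matters.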

Deploy DPOD Cloud Agent on k8s cluster using OLM

  • Starting with k8s 1.25, Pod Security Admission became a stable feature and was adopted by most of the cloud providers, which requires some configuration in order to deploy OLM and use it to deploy operators and applications. For further information see the K8s documentation.

  • Change the DPOD Cloud Agent NS labels to conform to the Pod Security Admission:

    Code Block
    apiVersion: v1
    kind: Namespace
    metadata:
      labels:
        kubernetes.io/metadata.name: example-dpod-cloudagent-ns
        pod-security.kubernetes.io/enforce: restricted
        pod-security.kubernetes.io/enforce-version: latest
        pod-security.kubernetes.io/audit: restricted
        pod-security.kubernetes.io/audit-version: latest
        pod-security.kubernetes.io/warn: restricted
        pod-security.kubernetes.io/warn-version: latest
      name: example-dpod-cloudagent-ns
  • Create the DPOD Cloud Agent CatalogSource in OLM NS namespace.

    • Based on the OLM documentation, in order to create a subscription, the CatalogSource should be created in the target NS (where the subscription for DPOD Cloud Agent is created) or in the OLM NS (for ClusterScope).

    • Use the following definition to create a CatalogSource which conforms to the Pod Security Admission configured for the OLM NS:

      Code Block
      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      metadata:
        name: ibm-dpod-cloud-agent-catalog
        namespace: olm
      spec:
        displayName: IBM DataPower Operations Dashboard Cloud Agent
        image: icr.io/cpopen/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
        publisher: IBM
        sourceType: grpc
        grpcPodConfig:
          securityContextConfig: restricted
  • Create an OperatorGroup for the new namespace for ClusterScope:

    Code Block
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: dpod-cloudagent-group
      namespace: example-dpod-cloudagent-ns
  • Install the DPOD Cloud Agent operator:

    Code Block
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: ibm-dpod-cloud-agent-operator
      namespace: example-dpod-cloudagent-ns
    spec:
      channel: stable-v1.0
      installPlanApproval: Automatic
      name: dpod-cloud-agent-operator
      source: ibm-dpod-cloud-agent-catalog
      sourceNamespace: olm
      startingCSV: dpod-cloud-agent-operator.v${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
  • Create a CR to deploy the DPOD Cloud Agent.

Create LoadBalancer Services for DPOD Cloud Agent on Amazon EKS

(Assuming 3 Messaging broker replicas)

  • Deploy the Manager LB service:

    Code Block
    apiVersion: v1
    kind: Service
    metadata:
      name: dpod-cloud-agent-prod-mng-lb-svc
      namespace: example-dpod-cloudagent-ns
      labels:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/managed-by: dpod-cloud-agent-operator
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
        app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external 
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    spec:
      type: LoadBalancer
      ports:
        - port: 443
          targetPort: 8443
          name: https-manager
      selector:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
      sessionAffinity: None
  • Deploy the Messaging bootstrap LB service:

    Code Block
    apiVersion: v1
    kind: Service
    metadata:
      name: dpod-cloud-agent-prod-msg-bse-lb-svc
      namespace: example-dpod-cloudagent-ns
      labels:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/managed-by: dpod-cloud-agent-operator
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
        app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external 
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    spec:
      type: LoadBalancer
      ports:
        - port: 30100
          targetPort: 29092
          name: kafka-bootstrap
      selector:
        app.kubernetes.io/component: dpod-cloud-agent-messaging
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/name: dpod-cloud-agent-messaging
        app.kubernetes.io/part-of: dpod-cloud-agent
      sessionAffinity: None
  • Deploy the broker-0 LB service:

    Code Block
    apiVersion: v1
    kind: Service
    metadata:
      name: dpod-cloud-agent-prod-msg-dir-lb-svc-0
      namespace: example-dpod-cloudagent-ns
      labels:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/managed-by: dpod-cloud-agent-operator
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
        app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external 
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    spec:
      type: LoadBalancer
      ports:
        - port: 30101
          targetPort: 29092
          name: kafka-broker-0
      selector:
        app.kubernetes.io/component: dpod-cloud-agent-messaging
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/name: dpod-cloud-agent-messaging
        app.kubernetes.io/part-of: dpod-cloud-agent
        statefulset.kubernetes.io/pod-name: dpod-cloud-agent-prod-msg-0
      sessionAffinity: None
  • Deploy the broker-1 LB service:

    Code Block
    apiVersion: v1
    kind: Service
    metadata:
      name: dpod-cloud-agent-prod-msg-dir-lb-svc-1
      namespace: example-dpod-cloudagent-ns
      labels:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/managed-by: dpod-cloud-agent-operator
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
        app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external 
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    spec:
      type: LoadBalancer
      ports:
        - port: 30102
          targetPort: 29092
          name: kafka-broker-1
      selector:
        app.kubernetes.io/component: dpod-cloud-agent-messaging
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/name: dpod-cloud-agent-messaging
        app.kubernetes.io/part-of: dpod-cloud-agent
        statefulset.kubernetes.io/pod-name: dpod-cloud-agent-prod-msg-1
      sessionAffinity: None
  • Deploy the broker-2 LB service:

    Code Block
    apiVersion: v1
    kind: Service
    metadata:
      name: dpod-cloud-agent-prod-msg-dir-lb-svc-2
      namespace: example-dpod-cloudagent-ns
      labels:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/managed-by: dpod-cloud-agent-operator
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
        app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external 
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    spec:
      type: LoadBalancer
      ports:
        - port: 30103
          targetPort: 29092
          name: kafka-broker-2
      selector:
        app.kubernetes.io/component: dpod-cloud-agent-messaging
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/name: dpod-cloud-agent-messaging
        app.kubernetes.io/part-of: dpod-cloud-agent
        statefulset.kubernetes.io/pod-name: dpod-cloud-agent-prod-msg-2
      sessionAffinity: None
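
All five services above are created with an internet-facing scheme and accept connections from any source. As an added example (not from the original page), this is the same Manager service with spec.loadBalancerSourceRanges, which the AWS Load Balancer Controller turns into security group rules for the NLB (and which GKE honours as VPC firewall rules for its passthrough load balancer); the two CIDRs are placeholder documentation ranges to replace with the addresses that actually need to reach the Cloud Agent, and the same field applies to the messaging services.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: dpod-cloud-agent-prod-mng-lb-svc
  namespace: example-dpod-cloudagent-ns
  labels:
    app.kubernetes.io/component: dpod-cloud-agent-manager
    app.kubernetes.io/instance: dpod-cloud-agent-prod
    app.kubernetes.io/managed-by: dpod-cloud-agent-operator
    app.kubernetes.io/name: dpod-cloud-agent-manager
    app.kubernetes.io/part-of: dpod-cloud-agent
    app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
spec:
  type: LoadBalancer
  # Only these client CIDRs can reach the listener; everything else is dropped at the
  # security group. Placeholder values (RFC 5737 documentation ranges), replace them.
  loadBalancerSourceRanges:
    - 203.0.113.0/24
    - 198.51.100.17/32
  ports:
    - port: 443
      targetPort: 8443
      name: https-manager
  selector:
    app.kubernetes.io/component: dpod-cloud-agent-manager
    app.kubernetes.io/instance: dpod-cloud-agent-prod
    app.kubernetes.io/name: dpod-cloud-agent-manager
    app.kubernetes.io/part-of: dpod-cloud-agent
  sessionAffinity: None
```

If the clients are all inside the VPC, switching the scheme annotation to internal removes the public exposure altogether.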

Create LoadBalancer Services for DPOD Cloud Agent on Google GKE

(Assuming 3 Messaging broker replicas)

  • Deploy the Manager LB service:

    Code Block
    apiVersion: v1
    kind: Service
    metadata:
      name: dpod-cloud-agent-prod-mng-lb-svc
      namespace: example-dpod-cloudagent-ns
      labels:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/managed-by: dpod-cloud-agent-operator
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
        app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
      annotations:
        cloud.google.com/l4-rbs: "enabled"
    spec:
      type: LoadBalancer
      ports:
        - port: 443
          targetPort: 8443
          name: https-manager
      selector:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
      sessionAffinity: None
  • Deploy the Messaging bootstrap LB service:

    Code Block
    apiVersion: v1
    kind: Service
    metadata:
      name: dpod-cloud-agent-prod-msg-bse-lb-svc
      namespace: example-dpod-cloudagent-ns
      labels:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/managed-by: dpod-cloud-agent-operator
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
        app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
      annotations:
        cloud.google.com/l4-rbs: "enabled"
    spec:
      type: LoadBalancer
      ports:
        - port: 30100
          targetPort: 29092
          name: kafka-bootstrap
      selector:
        app.kubernetes.io/component: dpod-cloud-agent-messaging
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/name: dpod-cloud-agent-messaging
        app.kubernetes.io/part-of: dpod-cloud-agent
      sessionAffinity: None
  • Deploy the broker-0 LB service:

    Code Block
    apiVersion: v1
    kind: Service
    metadata:
      name: dpod-cloud-agent-prod-msg-dir-lb-svc-0
      namespace: example-dpod-cloudagent-ns
      labels:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/managed-by: dpod-cloud-agent-operator
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
        app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
      annotations:
        cloud.google.com/l4-rbs: "enabled"
    spec:
      type: LoadBalancer
      ports:
        - port: 30101
          targetPort: 29092
          name: kafka-broker-0
      selector:
        app.kubernetes.io/component: dpod-cloud-agent-messaging
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/name: dpod-cloud-agent-messaging
        app.kubernetes.io/part-of: dpod-cloud-agent
        statefulset.kubernetes.io/pod-name: dpod-cloud-agent-prod-msg-0
      sessionAffinity: None
  • Deploy the broker-1 LB service:

    Code Block
    apiVersion: v1
    kind: Service
    metadata:
      name: dpod-cloud-agent-prod-msg-dir-lb-svc-1
      namespace: example-dpod-cloudagent-ns
      labels:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/managed-by: dpod-cloud-agent-operator
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
        app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
      annotations:
        cloud.google.com/l4-rbs: "enabled"
    spec:
      type: LoadBalancer
      ports:
        - port: 30102
          targetPort: 29092
          name: kafka-broker-1
      selector:
        app.kubernetes.io/component: dpod-cloud-agent-messaging
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/name: dpod-cloud-agent-messaging
        app.kubernetes.io/part-of: dpod-cloud-agent
        statefulset.kubernetes.io/pod-name: dpod-cloud-agent-prod-msg-1
      sessionAffinity: None
  • Deploy the broker-2 LB service:

    Code Block
    apiVersion: v1
    kind: Service
    metadata:
      name: dpod-cloud-agent-prod-msg-dir-lb-svc-2
      namespace: example-dpod-cloudagent-ns
      labels:
        app.kubernetes.io/component: dpod-cloud-agent-manager
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/managed-by: dpod-cloud-agent-operator
        app.kubernetes.io/name: dpod-cloud-agent-manager
        app.kubernetes.io/part-of: dpod-cloud-agent
        app.kubernetes.io/version: ${DPOD_CLOUD_AGENT_OPERATOR_VERSION}
      annotations:
        cloud.google.com/l4-rbs: "enabled"
    spec:
      type: LoadBalancer
      ports:
        - port: 30103
          targetPort: 29092
          name: kafka-broker-2
      selector:
        app.kubernetes.io/component: dpod-cloud-agent-messaging
        app.kubernetes.io/instance: dpod-cloud-agent-prod
        app.kubernetes.io/name: dpod-cloud-agent-messaging
        app.kubernetes.io/part-of: dpod-cloud-agent
        statefulset.kubernetes.io/pod-name: dpod-cloud-agent-prod-msg-2
      sessionAffinity: None

Update the DNS Records

Get the LB external address:

Code Block
kubectl get svc -n example-dpod-cloudagent-ns |grep lb
NAME                                     TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)           
dpod-cloud-agent-prod-mng-lb-svc         LoadBalancer   10.100.12.184   34.41.36.111     443:30997/TCP     
dpod-cloud-agent-prod-msg-bse-lb-svc     LoadBalancer   10.100.13.1     34.66.80.161     30100:31232/TCP   
dpod-cloud-agent-prod-msg-dir-lb-svc-0   LoadBalancer   10.100.12.9     35.223.187.112   30101:31830/TCP 
dpod-cloud-agent-prod-msg-dir-lb-svc-1   LoadBalancer   10.100.12.10    35.223.182.103   30101:31830/TCP
dpod-cloud-agent-prod-msg-dir-lb-svc-2   LoadBalancer   10.100.12.11    35.223.116.42    30101:31830/TCP