Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue 452: Correcting setup script and updating documentation #455

Merged
merged 5 commits into from
Oct 1, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ There are manual deployment, upgrade and rollback options available as well.
To understand how to deploy a Pravega Operator using helm, refer to [this](charts/pravega-operator#installing-the-chart).

#### Deploying in Test Mode
The Operator can be run in a "test" mode if we want to create pravega on minikube or on a cluster with very limited resources by enabling `testmode: true` in `values.yaml` file. Operator running in test mode skips minimum replica requirement checks on Pravega components. "Test" mode ensures a bare minimum setup of pravega and is not recommended to be used in production environments.
The Operator can be run in `test mode` if we want to deploy pravega on minikube or on a cluster with very limited resources by enabling `testmode: true` in `values.yaml` file. Operator running in test mode skips minimum replica requirement checks on Pravega components. Test mode provides a bare minimum setup and is not recommended to be used in production environments.

### Upgrade the Operator

Expand All @@ -74,6 +74,8 @@ Check out the available [options for long term storage](doc/longtermstorage.md)
For demo purposes, you can quickly install a toy NFS server.

```
$ helm repo add stable https://kubernetes-charts.storage.googleapis.com
$ helm repo update
$ helm install stable/nfs-server-provisioner --generate-name
```

Expand Down
7 changes: 3 additions & 4 deletions charts/pravega-operator/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,19 +21,18 @@ To install the pravega-operator chart, use the following commands:
```
$ helm repo add pravega https://charts.pravega.io
$ helm repo update
$ helm install [RELEASE_NAME] pravega/pravega-operator --version=[VERSION] --set webhookCert.crt=[TLS_CRT] --set webhookCert.generate=false --set webhookCert.certName=[CERT_NAME] --set webhookCert.secretName=[SECRET_NAME]
$ helm install [RELEASE_NAME] pravega/pravega-operator --version=[VERSION] --set webhookCert.certName=[CERT_NAME] --set webhookCert.secretName=[SECRET_NAME]
```
where:
- **[RELEASE_NAME]** is the release name for the pravega-operator chart.
- **[DEPLOYMENT_NAME]** is the name of the pravega-operator deployment so created. (If [RELEASE_NAME] contains the string `pravega-operator`, `[DEPLOYMENT_NAME] = [RELEASE_NAME]`, else `[DEPLOYMENT_NAME] = [RELEASE_NAME]-pravega-operator`. The [DEPLOYMENT_NAME] can however be overridden by providing `--set fullnameOverride=[DEPLOYMENT_NAME]` along with the helm install command)
- **[VERSION]** can be any stable release version for pravega-operator from 0.5.0 onwards.
- **[CERT_NAME]** is the name of the certificate created in the previous step
- **[CERT_NAME]** is the name of the certificate created as a prerequisite
- **[SECRET_NAME]** is the name of the secret created by the above certificate
- **[TLS_CRT]** is contained in the above secret and can be obtained using the command `kubectl get secret [SECRET_NAME] -o yaml | grep tls.crt`

This command deploys a pravega-operator on the Kubernetes cluster in its default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.

>Note: If the pravega-operator version is 0.4.5, webhookCert.generate, webhookCert.crt, webhookCert.certName and webhookCert.secretName should not be set. Also in this case, bookkeeper operator, cert-manager and the certificate/issuer do not need to be deployed as prerequisites.
>Note: If the pravega-operator version is 0.4.5, webhookCert.certName and webhookCert.secretName should not be set. Also in this case, bookkeeper operator, cert-manager and the certificate/issuer do not need to be deployed as prerequisites.

## Uninstalling the Chart

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,9 @@ spec:
conversionReviewVersions: ["v1beta1", "v1alpha1"]
strategy: Webhook
webhookClientConfig:
{{- if .Release.IsUpgrade }}
caBundle: {{ .Values.webhookCert.crt }}
{{- end }}
service:
name: pravega-webhook-svc
namespace: {{ .Release.Namespace }}
Expand Down
16 changes: 9 additions & 7 deletions charts/pravega-operator/templates/version_map.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,15 @@ data:
0.3.1:0.3.1,0.3.2
0.3.2:0.3.2
0.4.0:0.4.0
0.5.0:0.5.0,0.5.1,0.6.0,0.6.1,0.6.2,0.7.0,0.7.1
0.5.1:0.5.1,0.6.0,0.6.1,0.6.2,0.7.0,0.7.1
0.6.0:0.6.0,0.6.1,0.6.2,0.7.0,0.7.1
0.6.1:0.6.1,0.6.2,0.7.0,0.7.1
0.6.2:0.6.2,0.7.0,0.7.1
0.7.0:0.7.0,0.7.1
0.7.1:0.7.1
0.5.0:0.5.0,0.5.1,0.6.0,0.6.1,0.6.2,0.7.0,0.7.1,0.7.2,0.8.0
0.5.1:0.5.1,0.6.0,0.6.1,0.6.2,0.7.0,0.7.1,0.7.2,0.8.0
0.6.0:0.6.0,0.6.1,0.6.2,0.7.0,0.7.1,0.7.2,0.8.0
0.6.1:0.6.1,0.6.2,0.7.0,0.7.1,0.7.2,0.8.0
0.6.2:0.6.2,0.7.0,0.7.1,0.7.2,0.8.0
0.7.0:0.7.0,0.7.1,0.7.2,0.8.0
0.7.1:0.7.1,0.7.2,0.8.0
0.7.2:0.7.2,0.8.0
0.8.0:0.8.0
{{- if and .Values.testmode.enabled .Values.testmode.version }}
{{ .Values.testmode.version }}:{{ .Values.testmode.version }}
{{- end }}
3 changes: 2 additions & 1 deletion charts/pravega-operator/templates/webhook.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,14 +23,15 @@ metadata:
labels:
{{ include "pravega-operator.commonLabels" . | indent 4 }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.certName }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.webhookCert.certName }}
webhooks:
- clientConfig:
service:
name: pravega-webhook-svc
namespace: {{ .Release.Namespace }}
path: /validate-pravega-pravega-io-v1beta1-pravegacluster
name: pravegawebhook.pravega.io
failurePolicy: Fail
rules:
- apiGroups:
- pravega.pravega.io
Expand Down
2 changes: 1 addition & 1 deletion charts/pravega/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,6 @@ The following table lists the configurable parameters of the pravega chart and t
| `storage.longtermStorage.filesystem.pvc` | Name of the pre-created PVC, if long term storage type is filesystem | `pravega-tier2` |
| `storage.longtermStorage.ecs` | Configuration to use a Dell EMC ECS system, if long term storage type is ecs | `{}` |
| `storage.longtermStorage.hdfs` | Configuration to use an HDFS system, if long term storage type is hdfs | `{}` |
| `storage.cache.className` | Storage class for cache volume | `standard` |
| `storage.cache.className` | Storage class for cache volume | `` |
| `storage.cache.size` | Storage requests for cache volume | `20Gi` |
| `options` | List of Pravega options | |
2 changes: 0 additions & 2 deletions charts/pravega/templates/pravega.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -98,11 +98,9 @@ spec:
{{- if .Values.storage.cache.className }}
storageClassName: {{ .Values.storage.cache.className }}
{{- end }}
{{- if .Values.storage.cache.size }}
resources:
requests:
storage: {{ .Values.storage.cache.size }}
{{- end }}
{{- end }}
longtermStorage:
{{- if eq (default .Values.storage.longtermStorage.type "filesystem") "ecs" }}
Expand Down
6 changes: 3 additions & 3 deletions charts/pravega/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -73,8 +73,8 @@ segmentStore:
## used to override the service type for segmentStore
type:
annotations: {}
segmentStoreLoadBalancerIP:
segmentStoreExternalTrafficPolicy: Local
loadBalancerIP:
externalTrafficPolicy: Local
jvmOptions: ["-Xmx2g", "-XX:MaxDirectMemorySize=2g"]

storage:
Expand Down Expand Up @@ -108,7 +108,7 @@ storage:

cache:
size: 20Gi
className: standard
className:

options:
bookkeeper.ensemble.size: "3"
Expand Down
16 changes: 9 additions & 7 deletions deploy/version_map.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,12 @@ data:
0.3.1:0.3.1,0.3.2
0.3.2:0.3.2
0.4.0:0.4.0
0.5.0:0.5.0,0.5.1,0.6.0,0.6.1,0.6.2,0.7.0,0.7.1
0.5.1:0.5.1,0.6.0,0.6.1,0.6.2,0.7.0,0.7.1
0.6.0:0.6.0,0.6.1,0.6.2,0.7.0,0.7.1
0.6.1:0.6.1,0.6.2,0.7.0,0.7.1
0.6.2:0.6.2,0.7.0,0.7.1
0.7.0:0.7.0,0.7.1
0.7.1:0.7.1
0.5.0:0.5.0,0.5.1,0.6.0,0.6.1,0.6.2,0.7.0,0.7.1,0.7.2,0.8.0
0.5.1:0.5.1,0.6.0,0.6.1,0.6.2,0.7.0,0.7.1,0.7.2,0.8.0
0.6.0:0.6.0,0.6.1,0.6.2,0.7.0,0.7.1,0.7.2,0.8.0
0.6.1:0.6.1,0.6.2,0.7.0,0.7.1,0.7.2,0.8.0
0.6.2:0.6.2,0.7.0,0.7.1,0.7.2,0.8.0
0.7.0:0.7.0,0.7.1,0.7.2,0.8.0
0.7.1:0.7.1,0.7.2,0.8.0
0.7.2:0.7.2,0.8.0
0.8.0:0.8.0
1 change: 1 addition & 0 deletions deploy/webhook.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ webhooks:
namespace: default
path: /validate-pravega-pravega-io-v1beta1-pravegacluster
name: pravegawebhook.pravega.io
failurePolicy: Fail
rules:
- apiGroups:
- pravega.pravega.io
Expand Down
8 changes: 5 additions & 3 deletions doc/longtermstorage.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,15 +12,17 @@ The following LongTermStorage storage providers are supported:
The following example uses an NFS volume provisioned by the [NFS Server Provisioner](https://github.com/kubernetes/charts/tree/master/stable/nfs-server-provisioner) helm chart to provide LongTermStorage storage.

```
$ helm install stable/nfs-server-provisioner
$ helm repo add stable https://kubernetes-charts.storage.googleapis.com
$ helm repo update
$ helm install stable/nfs-server-provisioner --generate-name
```

Note that the `nfs-server-provisioner` is a toy NFS server and is ONLY intended as a demo and should NOT be used for production deployments.

You can also connect to an existing NFS server by using [NFS Client Provisioner](https://github.com/helm/charts/tree/master/stable/nfs-client-provisioner).

```
helm install --set nfs.server=<address:x.x.x.x> --set nfs.path=</exported/path> --set storageClass.name=nfs --set nfs.mountOptions='{nolock,sec=sys,vers=4.0}' stable/nfs-client-provisioner
helm install --set nfs.server=<address:x.x.x.x> --set nfs.path=</exported/path> --set storageClass.name=nfs --set nfs.mountOptions='{nolock,sec=sys,vers=4.0}' stable/nfs-client-provisioner --generate-name
```

Verify that the `nfs` storage class is now available.
Expand Down Expand Up @@ -169,7 +171,7 @@ Refer to the steps below to add ECS server certificate or CA's certificate into
$ kubectl create -f ecs-tls.yaml
```

3. In Pravega manifest, add the secret name defined above into "tls/static/caBundle" section.
3. In Pravega manifest, add the secret name defined above into "tls/static/caBundle" section.
```
...
kind: "PravegaCluster"
Expand Down
6 changes: 4 additions & 2 deletions doc/operator-upgrade.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,15 +104,17 @@ To install cert-manager check [this](https://cert-manager.io/docs/installation/k
```
./pre-upgrade.sh [PRAVEGA_OPERATOR_RELEASE_NAME][PRAVEGA_OPERATOR_NAMESPACE]
```

where:
- `[PRAVEGA_OPERATOR_RELEASE_NAME]` is the release name of the pravega operator deployment
- `[PRAVEGA_OPERATOR_NAMESPACE]` is the namespace in which the pravega operator has been deployed (this is an optional parameter and its default value is `default`)

### Triggering the upgrade

#### Upgrade via helm

The upgrade to Operator 0.5.0 can be triggered using the following command
```
helm upgrade [PRAVEGA_OPERATOR_RELEASE_NAME] pravega/pravega-operator --version=0.5.0 --set webhookCert.crt=[TLS_CRT] --set webhookCert.generate=false --set webhookCert.certName=[CERT_NAME] --set webhookCert.secretName=[SECRET_NAME]
helm upgrade [PRAVEGA_OPERATOR_RELEASE_NAME] pravega/pravega-operator --version=0.5.0 --set webhookCert.crt=[TLS_CRT] --set webhookCert.certName=[CERT_NAME] --set webhookCert.secretName=[SECRET_NAME]
```
where:
- `[CERT_NAME]` is the name of the certificate that has been created
Expand Down
36 changes: 17 additions & 19 deletions doc/webhook.md
Original file line number Diff line number Diff line change
@@ -1,23 +1,25 @@
## Admission Webhook

[Admission webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) are HTTP callbacks that receive admission requests and do something with them.
There are two webhooks [ValidatingAdmissionWebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) and
[MutatingAdmissionWebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook) which are basically
doing the same thing except MutatingAdmissionWebhook can modify the requests. In our case, we use MutatingAdmissionWebhook because it can validate requests as well as mutating them. E.g. clear the image tag
if version is specified.
There are two webhooks [ValidatingAdmissionWebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) and
[MutatingAdmissionWebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook) which are basically doing the same thing except MutatingAdmissionWebhook can modify the requests. In our case, we are using a ValidatingAdmissionWebhook so that it can reject requests to enforce custom policies (which in our case is to ensure that the user is unable to install an invalid pravega version or upgrade to any unsupported pravega version).

In the Pravega operator repo, we are leveraging the webhook implementation from controller-runtime package, here is the [GoDoc](https://godoc.org/sigs.k8s.io/controller-runtime/pkg/webhook).
In detail, there are two steps that developers need to do 1) create webhook server and 2) implement the handler.
In the Pravega operator repo, we are leveraging the webhook implementation from controller-runtime package, here is the [GoDoc](https://godoc.org/sigs.k8s.io/controller-runtime/pkg/webhook).

If you want to implement admission webhooks for your CRD, the only thing you need to do is to implement the `Defaulter` and (or) the `Validator` interface. Kubebuilder takes care of the rest for you, such as:
- Creating the webhook server.
- Ensuring the server has been added in the manager.
- Creating handlers for your webhooks.
- Registering each handler with a path in your server.
The webhook server registers webhook configuration with the apiserver and creates an HTTP server to route requests to the handlers.
The server is behind a Kubernetes Service and provides a certificate to the apiserver when serving requests. The kubebuilder has a detailed instruction of
building a webhook, see [here](https://github.com/kubernetes-sigs/kubebuilder/blob/86026527c754a144defa6474af6fb352143b9270/docs/book/beyond_basics/sample_webhook.md).
The server is behind a Kubernetes Service and provides a certificate to the apiserver when serving requests.
The kubebuilder has a detailed instruction of building a webhook, see [here](https://book.kubebuilder.io/cronjob-tutorial/webhook-implementation.html)

The webhook feature itself is enabled by default but it can be disabled if `webhook=false` is specified when installing the
operator locally using `operator-sdk up local`. E.g. ` operator-sdk up local --operator-flags -webhook=false`. The use case of this is that webhook needs to be
disabled when developing the operator locally since webhook can only be deployed in Kubernetes environment.
The webhook feature itself is enabled by default but it can be disabled if `webhook=false` is specified when installing the
operator locally using `operator-sdk run --local`. E.g. `operator-sdk run --local --operator-flags -webhook=false`. The use case of this is that webhook needs to be disabled when developing the operator locally since webhook can only be deployed in Kubernetes environment.

### How to deploy
The webhook is deployed along with the Pravega operator, thus there is no extra steps needed. However, there are some configurations that are necessary to make webhook work.
The ValidatingAdmissionWebhook and the webhook service should be deployed using the provided manifest `webhook.yaml` while deploying the Pravega Operator. However, there are some configurations that are necessary to make webhook work.

1. Permission

Expand All @@ -27,7 +29,7 @@ an example of the additional permission
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- '*'
```
Expand All @@ -36,11 +38,7 @@ an example of the additional permission

The webhook will deploy a Kubernetes service. This service will need to select the operator pod as its backend.
The way to select is using Kubernetes label selector and user will need to specify `"component": "pravega-operator"` as the label
when deploying the Pravega operator deployment.
```
when deploying the Pravega operator deployment.

### What it does
The webhook maintains a compatibility matrix of the Pravega versions. Reuqests will be rejected if the version is not valid or not upgrade compatible
with the current running version. Also, all the upgrade requests will be rejected if the current cluster is in upgrade status.


The webhook maintains a compatibility matrix of the Pravega versions. Requests will be rejected if the version is not valid or not upgrade compatible with the current running version. Also, all the upgrade requests will be rejected if the current cluster is in upgrade status.
4 changes: 2 additions & 2 deletions scripts/pre-upgrade.sh
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
#! /bin/bash
set -ex

if [ "$#" -ne 2 ]; then
if [[ "$#" -lt 1 || "$#" -gt 2 ]]; then
echo "Error : Invalid number of arguments"
Usage: "./pre-upgrade.sh <pravega-operator-release-name> <pravega-operator-namespace>"
exit 1
fi

name=$1
namespace=$2
namespace=${2:-default}

kubectl annotate Service pravega-webhook-svc meta.helm.sh/release-name=$name -n $namespace --overwrite
kubectl annotate Service pravega-webhook-svc meta.helm.sh/release-namespace=$namespace -n $namespace --overwrite
Expand Down
23 changes: 6 additions & 17 deletions setup/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,24 +5,10 @@ The purpose of this script is to sequentially deploy all the dependencies (i.e.
## Prerequisites

- Kubernetes 1.15+ with Beta APIs
- Helm 3+
- Helm 3.2.1+
- [Tier 2 Setup](https://github.com/pravega/pravega-operator#set-up-tier-2-storage)
- Cert-Manager v0.15.0+
- Copy the necessary charts to the right location

First clone the [Zookeeper Operator](https://github.com/pravega/zookeeper-operator) and [Bookkeeper Operator](https://github.com/pravega/bookkeeper-operator) repositories locally using :
```
git clone https://github.com/pravega/zookeeper-operator
git clone https://github.com/pravega/bookkeeper-operator
```

Next, copy the contents of the charts directory from both these repositories inside the charts directory of this repository.
```
cp -r <path-to-zookeeper-operator-repo>/charts/ <path-to-pravega-operator-repo>/charts/.
cp -r <path-to-bookkeeper-operator-repo>/charts/ <path-to-pravega-operator-repo>/charts/.
```

This will result in separate sub-directories for [zookeeper-operator](https://github.com/pravega/zookeeper-operator/tree/master/charts/zookeeper-operator), [zookeeper](https://github.com/pravega/zookeeper-operator/tree/master/charts/zookeeper), [bookkeeper-operator](https://github.com/pravega/bookkeeper-operator/tree/master/charts/pravega-operator) and [bookkeeper](https://github.com/pravega/bookkeeper-operator/tree/master/charts/pravega) charts alongside the directories for [pravega-operator](https://github.com/pravega/pravega-operator/tree/master/charts/pravega-operator) and [pravega](https://github.com/pravega/pravega-operator/tree/master/charts/pravega) charts inside the [charts](https://github.com/pravega/pravega-operator/tree/master/charts) directory.
- An Issuer and a Certificate (either self-signed or CA signed) for the Bookkeeper Operator (refer to [this](https://github.com/pravega/bookkeeper-operator/blob/master/deploy/certificate.yaml) manifest to create a self-signed certificate in the default namespace)

We use cert-manager for certificate management for webhook services in Kubernetes. In case you plan to use the same, you would need to [install cert-manager](https://cert-manager.io/docs/installation/kubernetes/)

Expand All @@ -31,8 +17,11 @@ We use cert-manager for certificate management for webhook services in Kubernete
To deploy the Pravega Cluster along with all the required dependencies, run the following command:

```
$ ./pravegacluster.sh deploy
$ ./pravegacluster.sh deploy [CERT_NAME] [SECRET_NAME]
```
where:
- **[CERT_NAME]** is the name of the bookkeeper operator certificate created as a prerequisite (this is an optional parameter and its default value is `selfsigned-cert-bk`)
- **[SECRET_NAME]** is the name of the secret created by the above certificate (this is an optional parameter and its default value is `selfsigned-cert-tls-bk`)

## Undeploying the Pravega Cluster

Expand Down
Loading