# Patch: cfcr-openstack

## Known Issues

- This patch does not support DNS.
- This patch is tied to `kubo-release v0.16.0` and will change with the next release.
- `kubo-deployment` is using keystone v2 and `bosh-deployment` is using keystone v3.
  We have to change the auth url (that we expect to be v3) provided to bbl to use the v2 endpoint.

## Steps

Steps to deploy cfcr with bbl:

1. Pick a valid floating IP that's available within your openstack account and export it so we can attach it to the k8s master.
    ```
    export kubernetes_master_host=some-ip
    ```

1. Find and export the project ID guid associated with `$BBL_OPENSTACK_PROJECT`.
    ```
    export OPENSTACK_PROJECT_ID=some-uid
    ```

1. Follow the normal steps to bbl up with a patch.
    ```
    mkdir banana-env && cd banana-env
    bbl plan --name banana-env
    cp -r bosh-bootloader/plan-patches/cfcr-openstack/. .
    bbl up
    eval "$(bbl print-env)"
    ```

1. Export `KD` as your path to `kubo-deployment` so you can copy-paste from below if you so desire.
   Be careful to check out the manifest that matches the kubo-release you uploaded above.
    ```
    git clone git@github.com:cloudfoundry-incubator/kubo-deployment.git
    export KD=$(pwd)/kubo-deployment
    ```

1. `bosh upload-stemcell "https://bosh.io/stemcells/bosh-openstack-esxi-ubuntu-trusty-go_agent?v=$(bosh int "${KD}/manifests/cfcr.yml" --path=/stemcells/0/version)"`

1. Deploy the cfcr manifest. Since openstack can't provision load balancers for
us, we're going to deploy with a single master with a set static IP.
    ```
    bosh -d cfcr deploy "${KD}/manifests/cfcr.yml" \
      -o "${KD}/manifests/ops-files/iaas/openstack/cloud-provider.yml" \
      -o "${KD}/manifests/ops-files/iaas/openstack/master-static-ip.yml" \
      -v kubernetes_master_host="${kubernetes_master_host}" \
      -v openstack_username="${BBL_OPENSTACK_USERNAME}" \
      -v openstack_password="${BBL_OPENSTACK_PASSWORD}" \
      -v openstack_project_id="${OPENSTACK_PROJECT_ID}" \
      -l <(bbl outputs) \
      -v auth_url="$(echo "${BBL_OPENSTACK_AUTH_URL}" | sed 's|v3|v2.0|')"
    ```

    > Note: If you'd like a multi-master cfcr, you'll need to go back to step one,
    > select a range of 3 valid IPs, re-run `bbl up`, and remove the `single-master.yml` opsfile from the below invocation.
    > The `master-static-ip.yml` opsfile in kubo-deployment might not play well with 3 static IPs.

1. Configure kubectl

    Run the following to mix the deployment's values together into kubectl-appropriate forms:
    ```
    export director_name=$(bosh int <(bbl outputs) --path=/director_name)
    export address="https://${kubernetes_master_host}:8443"
    export cluster_name="kubo:${director_name}:cfcr"
    export user_name="kubo:${director_name}:cfcr-admin"
    export context_name="kubo:${director_name}:cfcr"

    credhub login
    export admin_password=$(bosh int <(credhub get -n "${director_name}/cfcr/kubo-admin-password" --output-json) --path=/value)
    ```

    If you want to have a TLS-secured kubernetes API, you'll need to add credhub's generated CA to your trusted CAs. We'll leave that as an exercise for the operator. The `set-cluster` command below passes `--insecure-skip-tls-verify=true`, so kubectl does not verify the API server's certificate when it sends the admin token.
    ```
    # export tmp_ca_file="$(mktemp)"
    # bosh int <(credhub get -n "${director_name}/cfcr/tls-kubernetes" --output-json) --path=/value/ca > "${tmp_ca_file}"
    ```

    ```
    kubectl config set-cluster "${cluster_name}" --server="${address}" --insecure-skip-tls-verify=true
    kubectl config set-credentials "${user_name}" --token="${admin_password}"
    kubectl config set-context "${context_name}" --cluster="${cluster_name}" --user="${user_name}"
    kubectl config use-context "${context_name}"
    ```

1. Create, scale, and expose apps with the kubernetes bootcamp docker image.
   Please note that the openstack cloud-provider, like openstack, does not have load balancer support built in, so you'll have to use nodeports.

    ```
    kubectl run kubernetes-bootcamp --image=docker.io/jocatalin/kubernetes-bootcamp:v1 --port=8080
    kubectl get pods
    kubectl expose deployment kubernetes-bootcamp --type NodePort --name k8s-bootcamp-service
    ```

    After you've completed this, other services within your openstack cluster should be able to reach kubernetes-bootcamp on any worker's NodePort.
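
A TLS-verified alternative to the `--insecure-skip-tls-verify=true` line in the kubectl step, as an added example that is not part of the original patch README: it pulls the CA from the same credhub path the commented-out commands use and refuses to write the cluster entry if no certificate comes back. The function names are hypothetical, and it assumes `director_name`, `address` and `cluster_name` are exported as in that step and that `credhub login` has already succeeded.

```bash
# Added example (not from the patch). Function names are hypothetical.
# Usage, in place of the insecure `kubectl config set-cluster` line:
#   set_cluster_verified

# is_pem_cert FILE: succeed only if FILE is non-empty and holds a PEM certificate block.
is_pem_cert() {
  [ -s "$1" ] || return 1
  grep -q '^-----BEGIN CERTIFICATE-----$' "$1" &&
    grep -q '^-----END CERTIFICATE-----$' "$1"
}

# fetch_cfcr_ca OUTFILE: write credhub's generated CA for the cfcr deployment to OUTFILE.
# The credential JSON also carries the certificate's private key, so it is
# only held in a mktemp file (mode 0600) and removed straight after.
fetch_cfcr_ca() {
  json="$(mktemp)" || return 1
  credhub get -n "${director_name}/cfcr/tls-kubernetes" --output-json > "$json" &&
    bosh int "$json" --path=/value/ca > "$1"
  fetch_rc=$?
  rm -f "$json"
  return $fetch_rc
}

# set_cluster_verified: create the kubectl cluster entry with the CA embedded.
# There is no fallback to skipping verification: on any failure nothing is written.
set_cluster_verified() {
  ca_file="$(mktemp)" || return 1
  if fetch_cfcr_ca "$ca_file" && is_pem_cert "$ca_file"; then
    # --embed-certs copies the CA into the kubeconfig, so the temp file can go.
    kubectl config set-cluster "${cluster_name}" --server="${address}" \
      --certificate-authority="$ca_file" --embed-certs=true
    set_rc=$?
  else
    echo "no usable CA from credhub; cluster entry not written" >&2
    set_rc=1
  fi
  rm -f "$ca_file"
  return $set_rc
}
```

The remaining `set-credentials`, `set-context` and `use-context` commands are unchanged.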