This is an automated email from the ASF dual-hosted git repository. rabbah pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk-deploy-kube.git
The following commit(s) were added to refs/heads/master by this push: new 4b95c6f add configuration of Ingress and restructure docs accordingly (#82) 4b95c6f is described below commit 4b95c6fdc196f434f4742c73ae4eaf77d8e6419f Author: David Grove <dgrove-...@users.noreply.github.com> AuthorDate: Wed Nov 29 10:50:32 2017 -0500 add configuration of Ingress and restructure docs accordingly (#82) Add configuring Ingress as a separate step and include examples of using a NodePort, a Single Service Ingress, and configurations for IBM Cloud Lite Cluster and IBM Cloud Standard Cluster. Extend nginx.conf to also allow connection over port 80 (needed when TLS termination is handled by the Ingress). Minor restructuring of top-level configuration instructions to push down details of how to determine the API_HOST for OpenWhisk into the new ingress/README.md file. --- README.md | 42 +++---------- configure/cleanup.sh | 3 + kubernetes/ingress/README.md | 109 ++++++++++++++++++++++++++++++++++ kubernetes/ingress/ingress-ibm.yml | 20 +++++++ kubernetes/ingress/ingress-simple.yml | 9 +++ kubernetes/nginx/README.md | 52 ++++++++++------ kubernetes/nginx/nginx.conf | 1 + 7 files changed, 184 insertions(+), 52 deletions(-) diff --git a/README.md b/README.md index 555a7a4..3c996f5 100644 --- a/README.md +++ b/README.md 
@@ -61,51 +61,28 @@ manually deploy the rest of the OpenWhisk components. * [Controller](kubernetes/controller/README.md) * [Invoker](kubernetes/invoker/README.md) * [Nginx](kubernetes/nginx/README.md) +* [Ingress](kubernetes/ingress/README.md) -From here, you will now need to get the publicly available address -of Nginx. If you are using the default Nginx image with a NodePort -Service, then you can obtain the public IP using the following guide: +In the commands below, replace API_HOST with the URL appropriate for the Ingress you deployed. - 1. Obtain the IP address of the Kubernetes nodes. - - ``` - kubectl get nodes - ``` - - 2. Obtain the public port for the Kubernetes Nginx Service - - ``` - kubectl -n openwhisk describe service nginx - ``` - - From here you should note the port used for the api endpoint. E.g: - - ``` - export WSK_PORT=$(kubectl -n openwhisk describe service nginx | grep https-api | grep NodePort| awk '{print $3}' | cut -d'/' -f1) - ``` - -Now you should be able to setup the wsk cli like normal and interact with -Openwhisk. +Configure the wsk cli by setting the auth and apihost properties. ``` -wsk property set --auth 23bc46b1-71f6-4ed5-8c54-816aa4f8c502:123zO3xZCLrMN6v2BKK1dXYFpXlPkccOFqm12CdAsMgRU4VrNZ9lyGVCGuMDGIwP --apihost https://[nginx_ip]:$WSK_PORT +wsk property set --auth 23bc46b1-71f6-4ed5-8c54-816aa4f8c502:123zO3xZCLrMN6v2BKK1dXYFpXlPkccOFqm12CdAsMgRU4VrNZ9lyGVCGuMDGIwP --apihost https://API_HOST ``` -Lastly, you will need to install the initial catalog. To do this, you will need -to set the `OPENWHISK_HOME` environment variable: +Install the initial catalog. To do this, you will need to set +the `OPENWHISK_HOME` environment variable: ``` export OPENWHISK_HOME [location of the openwhisk repo] ``` -Then you should be able to run the following commands. Just make sure to -replace the `[nginx_ip]` bellow. 
- ``` pushd /tmp git clone https://github.com/apache/incubator-openwhisk-catalog cd incubator-openwhisk-catalog/packages - ./installCatalog.sh 789c46b1-71f6-4ed5-8c54-816aa4f8c502:abczO3xZCLrMN6v2BKK1dXYFpXlPkccOFqm12CdAsMgRU4VrNZ9lyGVCGuMDGIwP https://[nginx_ip]:$WSK_PORT + ./installCatalog.sh 789c46b1-71f6-4ed5-8c54-816aa4f8c502:abczO3xZCLrMN6v2BKK1dXYFpXlPkccOFqm12CdAsMgRU4VrNZ9lyGVCGuMDGIwP https://API_HOST popd ``` @@ -132,11 +109,6 @@ to make a public image and once it is resolved, then we can switch to the public [here](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG.md#v163) for more information. -## Enhancements - -* Use a public Edge Docker image once this [issue](https://github.com/apache/incubator-openwhisk/issues/2152) - is resolved - # Issues Report bugs, ask questions and request features [here on GitHub](../../issues). diff --git a/configure/cleanup.sh b/configure/cleanup.sh index d9b3349..7d4a604 100755 --- a/configure/cleanup.sh +++ b/configure/cleanup.sh @@ -20,6 +20,9 @@ kubectl -n openwhisk delete cm nginx # delete secrets kubectl -n openwhisk delete secret nginx +# delete ingress +kubectl -n openwhisk delete ingress ow-ingress + # delete services kubectl -n openwhisk delete service couchdb kubectl -n openwhisk delete service redis diff --git a/kubernetes/ingress/README.md b/kubernetes/ingress/README.md new file mode 100644 index 0000000..5de062c --- /dev/null +++ b/kubernetes/ingress/README.md 
@@ -0,0 +1,109 @@ +Ingress +------- + +To make your OpenWhisk deployment available outside of Kubernetes, you +need to configure an Ingress to expose the nginx service. +Unfortunately, the exact details of configuring an Ingress vary across +cloud providers. The instructions below describe multiple possible +Ingress configurations. We welcome contributions from the community +to describe how to configure ingress for all the major cloud provider +providers. + +# NodePort + +When it was deployed, the nginx service was configured to expose +itself via a NodePort [see](https://github.com/apache/incubator-openwhisk-deploy-kube/tree/master/kubernetes/nginx/nginx.yml#L10) +By determining the IP address of a worker node and the exposed port +number, you can determine your API_HOST. There are no additional files +to apply. TLS termination is handled by the nginx service. + + 1. Obtain the IP address of the Kubernetes nodes. + + ``` + kubectl get nodes + ``` + + 2. Obtain the public port for https port of the openwhisk.nginx Service + + ``` +kubectl -n openwhisk describe service nginx | grep https-api | grep NodePort| awk '{print $3}' | cut -d'/' -f1 + ``` + +Use IP_ADDR:PUBLIC_PORT as your API_HOST + + +# Simple Service Ingress + +A basic ingress that simply connects through to the nginx +service. With this ingress, TLS termination will be handled by the +OpenWhisk nginx service. + +``` +kubectl apply -f ingress-simple.yml +```` + +Use `kubectl get ingress` to determine the IP address and port to use +to define API_HOST for a simple service ingress. + +# IBM Cloud + +## IBM Cloud Lite cluster + +The only available ingress method for a Lite cluster is to use a +NodePort (see above). By determining the IP address of a worker node +and the exposed port number, you can determine your API_HOST. There +are no additional files to apply. TLS termination is handled by the +nginx service. + + 1. Obtain the Public IP address of the sole worker node. 
+ + ``` +bx cs workers <my-cluster> + ``` + + 2. Obtain the public port for https port of the openwhisk.nginx Service + + ``` +kubectl -n openwhisk describe service nginx | grep https-api | grep NodePort| awk '{print $3}' | cut -d'/' -f1 + ``` +Use PublicIP:PORT as your API_HOST + +## IBM Cloud standard cluster + +A template file ingress-ibm.yml is provided. You will need to edit +this file to replace <ibmdomain> and <ibmtlssecret> with the correct +values for your cluster. Note that <ibmdomain> appears twice in the +template file. + +To determine this values, run the command +``` +bx cs cluster-get <mycluster> +``` +The CLI output will look something like +``` +bx cs cluster-get <mycluster> +Retrieving cluster <mycluster>... +OK +Name: <mycluster> +ID: b9c6b00dc0aa487f97123440b4895f2d +Created: 2017-04-26T19:47:08+0000 +State: normal +Master URL: https://169.57.40.165:1931 +Ingress subdomain: <ibmdomain> +Ingress secret: <ibmtlssecret> +Workers: 3 +``` +You can see the IBM-provided domain in the Ingress subdomain and the +IBM-provided certificate in the Ingress secret field. + +After editing the template file, deploy it. +``` +kubectl apply -f ingress-ibm.yml +``` + +Your OpenWhisk API_HOST will be <ibmdomain>/openwhisk + + +# Other cloud providers + +Please submit Pull Requests with instructions for other cloud providers. diff --git a/kubernetes/ingress/ingress-ibm.yml b/kubernetes/ingress/ingress-ibm.yml new file mode 100644 index 0000000..505004f --- /dev/null +++ b/kubernetes/ingress/ingress-ibm.yml @@ -0,0 +1,20 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: ow-ingress + namespace: openwhisk + annotations: + ingress.bluemix.net/rewrite-path: "serviceName=nginx rewrite=/" +spec: + tls: + - hosts: + - <ibmdomain> + secretName: <ibmtlssecret> + rules: + - host: <ibmdomain> + http: + paths: + - path: /openwhisk/ + backend: + serviceName: nginx + servicePort: 80 
diff --git a/kubernetes/ingress/ingress-simple.yml b/kubernetes/ingress/ingress-simple.yml new file mode 100644 index 0000000..90ad2a7 --- /dev/null +++ b/kubernetes/ingress/ingress-simple.yml @@ -0,0 +1,9 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: ow-ingress + namespace: openwhisk +spec: + backend: + serviceName: nginx + servicePort: 443 diff --git a/kubernetes/nginx/README.md b/kubernetes/nginx/README.md index db1dd0d..e0ae9d6 100644 --- a/kubernetes/nginx/README.md +++ b/kubernetes/nginx/README.md @@ -3,12 +3,23 @@ Nginx # Deploy Nginx -The Nginx Pod needs to be configured with custom certificates -and nginx configuration file. To achieve this, nginx will need -to create a Kube ConfigMap for the `nginx.conf` file and a -Secrets resource with the certs. - -To help generate the certs there is a little helper script. +Depending on how you are deploying OpenWhisk, the Nginx pod +may or may not need to support handling TLS termination +for incoming requests. In production deployments, TLS termination +will be handled by an Ingress placed in front of the Nginx service. +In dev/test scenarios or when deploying on a single node cluster, it +is likely that you will use a basic Ingress that does not handle TLS +termination and therefore will need Nginx to handle it. + +The instructions below configure Nginx with self-signed certificates +to enable basic TLS termination for dev/test. If TLS termination is +being handled by the Ingress, you can optionally skip generating the +certificate, chop the ssl configuration and port 443 from nginx.conf, +and eliminate the secret from nginx.yml. If you have real +certificates, you can modify nginx.conf with the proper hostname and +install them instead of the self-signed ones generated below. + +## Generate self-signed certificates * `certs.sh` can be used to generate self signed certs for OpenWhisk. By default, the current `nginx.conf` file expects the server url 
@@ -22,23 +33,23 @@ To help generate the certs there is a little helper script. If you want to modify the domain name, make sure to update the [nginx.conf](nginx.conf) file appropriately. -## Create Nginx ConfigMap +## Create Nginx Secrets -To create the ConfigMap in the OpenWhisk namespace with the `nginx.conf` -file, run the following command: +With the generated certs for Nginx or your own certificates, you +should now be able to create the nginx Secrets. To create the Secrets +resource in the OpenWhisk namespace run the following command: ``` -kubectl -n openwhisk create configmap nginx --from-file=nginx.conf +kubectl -n openwhisk create secret tls nginx --cert=certs/cert.pem --key=certs/key.pem ``` -## Create Nginx Secrets +## Create Nginx ConfigMap -With the generated certs for Nginx, you should now be able to create -the nginx Secrets. To create the Secrets resource in the OpenWhisk -namespace run the following command: +To create the ConfigMap in the OpenWhisk namespace with the `nginx.conf` +file, run the following command: ``` -kubectl -n openwhisk create secret tls nginx --cert=certs/cert.pem --key=certs/key.pem +kubectl -n openwhisk create configmap nginx --from-file=nginx.conf ``` ## Deploying Nginx @@ -60,7 +71,7 @@ To update the nginx ConfigMap: kubectl -n openwhisk edit cm nginx -o yaml ``` -Kubernetes will then go through an update any deployed Nginx +Kubernetes will then go through and update any deployed Nginx instances. Updating all of the keys defined in the nginx ConfigMap. 
@@ -96,6 +107,13 @@ Secrets. # Create Nginx Docker Image +We currently deploy a custom Nginx docker image that includes the +OpenWhisk CLI and other downloadable artifacts. Once there are proper +releases of these artifacts, we can switch to using a standard Nginx +image and redirect to the official release archives for the artifacts +we are currently storing in the custom docker image. See the GitHub +[issue](https://github.com/openwhisk/openwhisk/issues/2152). + To build the Nginx docker image for Kubernetes on OpenWhisk, you will need to run the build script [build.sh](docker/build.sh). This script requires one parameter, which is the repo to bush @@ -106,7 +124,7 @@ E.G docker/builds.sh <danlavine> ``` -This script goes through and donwload the OpenWhisk reop under the +This script goes through and donwload the OpenWhisk repo under the tmp directory, builds the Blackbox image and copies it into the Docker image. Then, each of the published WSK CLIs are download into the Docker image so that users are able to download them as usual. diff --git a/kubernetes/nginx/nginx.conf b/kubernetes/nginx/nginx.conf index c32a432..5693f39 100644 --- a/kubernetes/nginx/nginx.conf +++ b/kubernetes/nginx/nginx.conf @@ -12,6 +12,7 @@ http { access_log /logs/nginx_access.log combined-upstream; server { + listen 80; listen 443 default ssl; # match namespace, note while OpenWhisk allows a richer character set for a -- To stop receiving notification emails like this one, please contact ['"commits@openwhisk.apache.org" <commits@openwhisk.apache.org>'].
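Review bot: In README.md (hunk `@@ -61,51 +61,28`), the `wsk property set --auth ...` and `./installCatalog.sh ...` lines keep literal auth keys while the reworded text now sends readers to an externally reachable Ingress for API_HOST. Suggest replacing the literals with a placeholder in the same style as API_HOST, or stating next to the commands that these keys must be changed before the deployment is reachable from outside the cluster. In the same hunk, the context line `export OPENWHISK_HOME [location of the openwhisk repo]` has no `=` and does not assign the variable as written.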
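Review bot: In configure/cleanup.sh, `kubectl -n openwhisk delete ingress ow-ingress` runs unconditionally, but the new ingress README says the NodePort options have "no additional files to apply", so on those deployments `ow-ingress` does not exist and the command reports an error. Suggest adding `--ignore-not-found` so cleanup of a NodePort-only deployment stays clean and the script does not abort if it is ever run with `set -e`.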
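Review bot: In kubernetes/ingress/README.md, the NodePort, Simple Service Ingress and IBM Cloud Lite sections say TLS termination is handled by the nginx service, and the nginx README in this same commit configures that service with self-signed certificates for dev/test; the ingress README should say so, so that readers do not take such an endpoint for a production API_HOST, and should say how clients are expected to trust the certificate. Smaller points in the same file: the fence after `kubectl apply -f ingress-simple.yml` closes with four backticks where it opened with three, "cloud provider providers" is doubled, "To determine this values" should read "these values", and the `[see](...)` link targets `nginx.yml#L10` on master, a line anchor that will drift as the file changes.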
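Review bot: In kubernetes/ingress/ingress-ibm.yml, the backend is `serviceName: nginx` with `servicePort: 80`, so TLS ends at the Ingress and requests, including the auth key sent by the CLI, travel unencrypted from the Ingress to the nginx pod. Suggest documenting that trade-off in the "IBM Cloud standard cluster" section of the README, or pointing the backend at port 443 if the Ingress controller can re-encrypt to the service. A short comment in the manifest explaining that `path: /openwhisk/` together with `rewrite=/` is why API_HOST ends in `/openwhisk` would also help.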
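Review bot: In kubernetes/ingress/ingress-simple.yml, `spec.backend` targets `servicePort: 443` with no `tls` section and no annotation, while the README says TLS termination is handled by the nginx service; nothing in the manifest tells the Ingress controller that the backend speaks TLS. Suggest stating in the README which controller behaviour this relies on (for example TLS passthrough), since a controller that proxies plain HTTP to port 443 will not get a usable response from a listener declared as `listen 443 default ssl;`.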
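Review bot: In kubernetes/nginx/README.md (hunk `@@ -96,6 +107,13`, "Create Nginx Docker Image"), the new issue link uses `https://github.com/openwhisk/openwhisk/issues/2152`, while the line this commit removes from the top-level README pointed to `https://github.com/apache/incubator-openwhisk/issues/2152`. Suggest using the apache/incubator-openwhisk URL here as well so the project's docs reference the issue in one consistent way.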
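Review bot: In kubernetes/nginx/README.md (hunk `@@ -106,7 +124,7`), the changed line fixes "reop" but still reads "goes through and donwload the OpenWhisk repo"; suggest "goes through and downloads". The context lines around it also have "repo to bush" and the example `docker/builds.sh`, where the link just above names `docker/build.sh`; worth fixing in the same pass.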
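Review bot: In kubernetes/nginx/nginx.conf, `listen 80;` is added to the same `server` block as `listen 443 default ssl;`, so every deployment now accepts plaintext requests, including the NodePort and simple-Ingress setups where nginx itself is the TLS endpoint. Suggest confirming that the nginx Service does not expose port 80 outside the cluster in those setups, or keeping the port 80 listener in a separate configuration used only when the Ingress terminates TLS, and adding a comment above the directive saying why it is there.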