..
   SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
   SPDX-License-Identifier: Apache-2.0

==========================
Aether Run-Time Deployment
==========================
This section describes how to install the Aether edge runtime and connectivity edge applications.
Aether provides GitOps-based automated deployment,
so we just need to create a couple of patches to the aether-pod-configs repository.

Before you begin
================
Make sure you have the edge pod checklist ready. Specifically, the following information is required in this section.

* Management network subnet
* K8S pod and service IP ranges
* List of servers and switches, and their management IP addresses

Download aether-pod-configs repository
======================================
First, download the aether-pod-configs repository to your development machine.

.. code-block:: shell

   $ cd $WORKDIR
   $ git clone "ssh://[username]@gerrit.opencord.org:29418/aether-pod-configs"

Create first patch to add ACE admin user
========================================
The first patch adds a new ACE admin with full access to the `EdgeApps` project.
Here is an example review request, https://gerrit.opencord.org/c/aether-pod-configs/+/21393, that you can refer to along with the commands below.
Please replace the "new" keyword with the name of the new ACE.

.. code-block:: diff

   $ cd $WORKDIR/aether-pod-configs/production
   $ vi user_map.tfvars
   # Add the new cluster admin user to the end of the list

   $ git diff
42 diff --git a/production/user_map.tfvars b/production/user_map.tfvars
43 index c0ec3a3..6b9ffb4 100644
44 --- a/production/user_map.tfvars
45 +++ b/production/user_map.tfvars
46 @@ -40,5 +40,10 @@ user_map = {
47 username = "menlo"
48 password = "changeme"
49 global_roles = ["user-base", "catalogs-use"]
50 + },
51 + new_admin = {
52 + username = "new"
53 + password = "changeme"
54 + global_roles = ["user-base", "catalogs-use"]
55 }
56 }
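
Review bot: the added `new_admin` entry commits `password = "changeme"`, the same literal as the entry above it, so the new ACE admin starts with a credential known to anyone who can read this repository or its review history. Keep the committed value as a placeholder only and set the real password outside the repository before the account is used, and say so in a comment next to the entry.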

.. code-block:: shell

   $ git add user_map.tfvars
   $ git commit -m "Add admin user for new ACE"
   $ git review

The second patch depends on the first patch, so please make sure the first patch is merged before proceeding.

Create second patch to install edge runtime and apps
====================================================
Now create another patch that will eventually install K8S and edge applications,
including monitoring and logging stacks as well as the Aether connected edge.
Unlike the first patch, this patch requires creating and editing multiple files.
Here is an example of the patch: https://gerrit.opencord.org/c/aether-pod-configs/+/21395.
Please replace cluster names and IP addresses in this example accordingly.

Update cluster_map.tfvars
^^^^^^^^^^^^^^^^^^^^^^^^^
The first file to edit is `cluster_map.tfvars`.
Change to the `aether-pod-configs/production` directory, open the `cluster_map.tfvars` file, and add the new ACE cluster information at the end of the map.
This change is required to register a new K8S cluster to Rancher, and to update the ACC and AMP clusters for inter-cluster service discovery.

.. code-block:: diff

   $ cd $WORKDIR/aether-pod-configs/production
   $ vi cluster_map.tfvars
   # Edit the file and add the new cluster information to the end of the map

   $ git diff cluster_map.tfvars
85 diff --git a/production/cluster_map.tfvars b/production/cluster_map.tfvars
86 index c944352..a6d05a8 100644
87 --- a/production/cluster_map.tfvars
88 +++ b/production/cluster_map.tfvars
89 @@ -89,6 +89,16 @@ cluster_map = {
90 kube_dns_cluster_ip = "10.53.128.10"
91 cluster_domain = "prd.menlo.aetherproject.net"
92 calico_ip_detect_method = "can-reach=www.google.com"
93 + },
94 + ace-new = {
95 + cluster_name = "ace-new"
96 + management_subnets = ["10.94.1.0/24"]
97 + k8s_version = "v1.18.8-rancher1-1"
98 + k8s_pod_range = "10.54.0.0/17"
99 + k8s_cluster_ip_range = "10.54.128.0/17"
100 + kube_dns_cluster_ip = "10.54.128.10"
101 + cluster_domain = "prd.new.aetherproject.net"
102 + calico_ip_detect_method = "can-reach=www.google.com"
103 }
104 }
105 }
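
Review bot: `calico_ip_detect_method = "can-reach=www.google.com"` in the new `ace-new` entry makes node address detection depend on resolving a third-party public hostname and on the route toward it, so an edge site whose DNS is unavailable when a node starts, or whose default route is not on the intended interface, can end up with the wrong node address. Consider a can-reach target that the nodes reach over the management network (`management_subnets = ["10.94.1.0/24"]`), and document why the value was chosen.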

Update vpn_map.tfvars
^^^^^^^^^^^^^^^^^^^^^
The second file to edit is `vpn_map.tfvars`.
Change to the `aether-pod-configs/production` directory, open the `vpn_map.tfvars` file, and add VPN tunnel information at the end of the map.
Unless you have a specific preference, set the ASN and BGP peer addresses to the next available values in the map.
This change is required to add tunnels and router interfaces to Aether central.

.. code-block:: diff

   $ cd $WORKDIR/aether-pod-configs/production
   $ vi vpn_map.tfvars
   # Edit the file and add VPN tunnel information to the end of the map

   $ git diff vpn_map.tfvars
121 diff --git a/production/vpn_map.tfvars b/production/vpn_map.tfvars
122 index 3c1f9b9..dd62fce 100644
123 --- a/production/vpn_map.tfvars
124 +++ b/production/vpn_map.tfvars
125 @@ -24,5 +24,15 @@ vpn_map = {
126 bgp_peer_ip_address_1 = "169.254.0.6"
127 bgp_peer_ip_range_2 = "169.254.1.5/30"
128 bgp_peer_ip_address_2 = "169.254.1.6"
129 + },
130 + ace-new = {
131 + peer_name = "production-ace-new"
132 + peer_vpn_gateway_address = "111.222.333.444"
133 + tunnel_shared_secret = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
134 + bgp_peer_asn = "65003"
135 + bgp_peer_ip_range_1 = "169.254.0.9/30"
136 + bgp_peer_ip_address_1 = "169.254.0.10"
137 + bgp_peer_ip_range_2 = "169.254.1.9/30"
138 + bgp_peer_ip_address_2 = "169.254.1.10"
139 }
140 }
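
Review bot: `tunnel_shared_secret` in the `ace-new` entry is a literal in `vpn_map.tfvars`, so once the X placeholder is replaced the VPN pre-shared key ends up in Git history and in every Gerrit review of this file. Suggest reading the secret from a secret store or an untracked variables file and stating in a comment that the placeholder must not be replaced in the commit. Also, `peer_vpn_gateway_address = "111.222.333.444"` is not a valid IPv4 address; mark it as a placeholder so it is not merged as-is.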

Create ACE specific state directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The next step is to create a directory containing Terraform configs
that define the desired state of Rancher and GCP resources for the new ACE cluster,
and ACE specific configurations such as IP addresses of the ACE cluster nodes.

Let's create a new directory under `aether-pod-configs/production` and
symbolic links to predefined Terraform configs (`*.tf` files) that will add
the cluster, projects and applications in Rancher and VPN tunnels and firewall rules in GCP for the new ACE.
Note that Aether maintains a separate Terraform state per ACE,
so we will create a remote Terraform state definition for the new ACE, too.

.. code-block:: shell

   # Create symbolic links to pre-defined Terraform configs
   $ cd $WORKDIR/aether-pod-configs/production
   $ mkdir ace-new && cd ace-new
   $ ln -s ../../common/ace-custom/* .
   $ ln -s ../../common/alerts/alerts.tf .

   $ export CLUSTER_NAME=ace-new
   $ export CLUSTER_DOMAIN=prd.new.aetherproject.net

   # Create Terraform state definition file
   $ cat >> backend.tf << EOF
   # SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>

   terraform {
     backend "gcs" {
       bucket = "aether-terraform-bucket"
       prefix = "product/${CLUSTER_NAME}"
     }
   }
   EOF

   # Confirm the changes
   $ tree .
   .
   ├── alerts.tf -> ../../common/ace-custom/alerts.tf
   ├── backend.tf
   ├── cluster.tf -> ../../common/ace-custom/cluster.tf
   ├── gcp_fw.tf -> ../../common/ace-custom/gcp_fw.tf
   ├── gcp_ha_vpn.tf -> ../../common/ace-custom/gcp_ha_vpn.tf
   ├── main.tf -> ../../common/ace-custom/main.tf
   └── variables.tf -> ../../common/ace-custom/variables.tf

Now create another file called `cluster_val.tfvars` that defines all cluster nodes including switches and servers.
An ACE can have a varying number of servers and switches, but note that only an odd number of *servers* can have `etcd` and `controlplane` roles.
Also, switches are not allowed to play a K8S master or normal worker role,
so don't forget to add `node-role.aetherproject.org=switch` to labels and `node-role.aetherproject.org=switch:NoSchedule` to taints.

If the ACE requires any special settings, a different set of projects for example,
please take a closer look at the `variables.tf` file and override the default values specified there in `cluster_val.tfvars`, too.

.. code-block:: shell

   $ cd $WORKDIR/aether-pod-configs/production/$CLUSTER_NAME
   $ vi cluster_val.tfvars
   # SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>

   cluster_name = "ace-new"
   cluster_admin = "new_admin"
   cluster_nodes = {
     new-prd-leaf1 = {
       user = "root"
       private_key = "~/.ssh/id_rsa_terraform"
       host = "10.94.1.3"
       roles = ["worker"]
       labels = ["node-role.aetherproject.org=switch"]
       taints = ["node-role.aetherproject.org=switch:NoSchedule"]
     },
     new-server-1 = {
       user = "terraform"
       private_key = "~/.ssh/id_rsa_terraform"
       host = "10.94.1.3"
       roles = ["etcd", "controlplane", "worker"]
       labels = []
       taints = []
     },
     new-server-2 = {
       user = "terraform"
       private_key = "~/.ssh/id_rsa_terraform"
       host = "10.94.1.4"
       roles = ["etcd", "controlplane", "worker"]
       labels = []
       taints = []
     },
     new-server-3 = {
       user = "terraform"
       private_key = "~/.ssh/id_rsa_terraform"
       host = "10.94.1.5"
       roles = ["etcd", "controlplane", "worker"]
       labels = []
       taints = []
     }
   }

   projects = [
     "system_apps",
     "connectivity_edge_up4",
     "edge_apps"
   ]
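
One way to check the node rules stated above before pushing the patch, as an added example that is not part of the Aether repositories. It assumes the `cluster_nodes` map has already been loaded into a Python dict (`node` and `check_cluster_nodes` are hypothetical names) and takes the management subnet from `cluster_map.tfvars`; run on the sample map exactly as printed above, it reports that `new-prd-leaf1` and `new-server-1` share 10.94.1.3.

```python
import ipaddress
from collections import defaultdict

SWITCH_LABEL = "node-role.aetherproject.org=switch"
SWITCH_TAINT = SWITCH_LABEL + ":NoSchedule"

def node(host, roles, switch=False):
    """Build one cluster_nodes entry (user and private_key left out)."""
    return {"host": host, "roles": roles,
            "labels": [SWITCH_LABEL] if switch else [],
            "taints": [SWITCH_TAINT] if switch else []}

# Constructed input: the cluster_nodes map from cluster_val.tfvars above.
SERVER_ROLES = ["etcd", "controlplane", "worker"]
CLUSTER_NODES = {
    "new-prd-leaf1": node("10.94.1.3", ["worker"], switch=True),
    "new-server-1": node("10.94.1.3", SERVER_ROLES),
    "new-server-2": node("10.94.1.4", SERVER_ROLES),
    "new-server-3": node("10.94.1.5", SERVER_ROLES),
}

def check_cluster_nodes(nodes, management_subnet):
    """Return a list of findings; an empty list means the map passes."""
    findings = []
    subnet = ipaddress.ip_network(management_subnet)
    by_host = defaultdict(list)
    for name, n in nodes.items():
        by_host[n["host"]].append(name)
        if ipaddress.ip_address(n["host"]) not in subnet:
            findings.append(f"{name}: host {n['host']} is outside {subnet}")
        # A node carrying either switch marker is treated as a switch.
        if SWITCH_LABEL in n["labels"] or SWITCH_TAINT in n["taints"]:
            if SWITCH_LABEL not in n["labels"]:
                findings.append(f"{name}: switch label missing")
            if SWITCH_TAINT not in n["taints"]:
                findings.append(f"{name}: NoSchedule taint missing")
            if set(n["roles"]) - {"worker"}:
                findings.append(f"{name}: switch must not hold {n['roles']}")
    for role in ("etcd", "controlplane"):
        count = sum(role in n["roles"] for n in nodes.values())
        if count % 2 == 0:
            findings.append(f"{role}: {count} nodes, need an odd number")
    for host, names in by_host.items():
        if len(names) > 1:
            findings.append(f"{host}: shared by {', '.join(names)}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_cluster_nodes(CLUSTER_NODES, "10.94.1.0/24")))
```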

Lastly, we will create a couple of overriding values files for the managed applications,
one for the DNS server for UEs and the other for the connectivity edge application, omec-upf-pfcp-agent.

.. code-block:: shell

   $ cd $WORKDIR/aether-pod-configs/production/$CLUSTER_NAME
   $ mkdir app_values && cd app_values

   $ export CLUSTER_NAME=ace-new
   $ export CLUSTER_DOMAIN=prd.new.aetherproject.net
   $ export K8S_DNS=10.54.128.10 # same address as kube_dns_cluster_ip
   $ export UE_DNS=10.54.128.11  # next address of kube_dns_cluster_ip

   # Create ace-coredns overriding values file
   $ cat >> ace-coredns.yml << EOF
   # SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>

   serviceType: ClusterIP
   service:
     clusterIP: ${UE_DNS}
   servers:
   - zones:
     - zone: .
     port: 53
     plugins:
     - name: errors
     - name: health
       configBlock: |-
         lameduck 5s
     - name: ready
     - name: prometheus
       parameters: 0.0.0.0:9153
     - name: forward
       parameters: . /etc/resolv.conf
     - name: cache
       parameters: 30
     - name: loop
     - name: reload
     - name: loadbalance
   - zones:
     - zone: apps.svc.${CLUSTER_DOMAIN}
     port: 53
     plugins:
     - name: errors
     - name: forward
       parameters: . ${K8S_DNS}
     - name: cache
       parameters: 30
   EOF

   # Create PFCP agent overriding values file
   $ cat >> omec-upf-pfcp-agent.yml << EOF
   # SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>

   config:
     pfcp:
       cfgFiles:
         upf.json:
           p4rtciface:
             p4rtc_server: "onos-tost-onos-classic-hs.tost.svc.${CLUSTER_DOMAIN}"
   EOF
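
The `K8S_DNS` and `UE_DNS` values above have to agree with the ranges entered in `cluster_map.tfvars`. A consistency check for that address plan, as an added example that is not part of the Aether repositories (`check_address_plan` and its parameter names are hypothetical; the values in `ACE_NEW` are the ones used on this page):

```python
import ipaddress

def check_address_plan(pod_range, service_range, kube_dns, ue_dns, management_subnets):
    """Return a list of findings for one ACE; empty means the plan is consistent."""
    findings = []
    pods = ipaddress.ip_network(pod_range)
    services = ipaddress.ip_network(service_range)
    dns = ipaddress.ip_address(kube_dns)
    ue = ipaddress.ip_address(ue_dns)

    if pods.overlaps(services):
        findings.append(f"k8s_pod_range {pods} overlaps k8s_cluster_ip_range {services}")
    # Both DNS services are ClusterIP services, so their addresses must come
    # from the service range or Kubernetes rejects the Service object.
    for label, addr in (("kube_dns_cluster_ip", dns), ("UE_DNS", ue)):
        if addr not in services:
            findings.append(f"{label} {addr} is outside {services}")
    # The page's convention: UE_DNS is the address right after kube_dns_cluster_ip.
    if ue != dns + 1:
        findings.append(f"UE_DNS {ue} is not the address after {dns}")
    # Node addresses must not collide with pod or service addresses.
    for subnet in management_subnets:
        mgmt = ipaddress.ip_network(subnet)
        for label, net in (("k8s_pod_range", pods), ("k8s_cluster_ip_range", services)):
            if mgmt.overlaps(net):
                findings.append(f"management subnet {mgmt} overlaps {label} {net}")
    return findings

# Values for ace-new as they appear in cluster_map.tfvars and the exports above.
ACE_NEW = dict(pod_range="10.54.0.0/17", service_range="10.54.128.0/17",
               kube_dns="10.54.128.10", ue_dns="10.54.128.11",
               management_subnets=["10.94.1.0/24"])

if __name__ == "__main__":
    print(check_address_plan(**ACE_NEW) or "address plan is consistent")
```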

Make sure the ace-new directory has all necessary files before creating a review request.

.. code-block:: shell

   $ cd $WORKDIR/aether-pod-configs/production/$CLUSTER_NAME
   $ tree .
   .
   ├── alerts.tf -> ../../common/ace-custom/alerts.tf
   ├── app_values
   │   ├── ace-coredns.yml
   │   └── omec-upf-pfcp-agent.yml
   ├── backend.tf
   ├── cluster.tf -> ../../common/ace-custom/cluster.tf
   ├── cluster_val.tfvars
   ├── gcp_fw.tf -> ../../common/ace-custom/gcp_fw.tf
   ├── gcp_ha_vpn.tf -> ../../common/ace-custom/gcp_ha_vpn.tf
   ├── main.tf -> ../../common/ace-custom/main.tf
   └── variables.tf -> ../../common/ace-custom/variables.tf

Create a review request
^^^^^^^^^^^^^^^^^^^^^^^
Now the patch is ready for review. The final step is to create a pull request!
Once the patch is accepted and merged, the CD pipeline will install the ACE runtime based on the patch.

.. code-block:: shell

   $ cd $WORKDIR/aether-pod-configs/production
   $ git status
   On branch ace-new
   Changes not staged for commit:
     (use "git add <file>..." to update what will be committed)
     (use "git checkout -- <file>..." to discard changes in working directory)

       modified:   cluster_map.tfvars
       modified:   vpn_map.tfvars

   Untracked files:
     (use "git add <file>..." to include in what will be committed)

       ace-new/

   $ git add .
   $ git commit -m "Add new ACE"
   $ git review