Initial support for deploying Che to Kubernetes using Helm charts #8715
Conversation
Signed-off-by: Eyal Barlev <perspectivus@gmail.com>
|
Can one of the admins verify this patch? |
1 similar comment
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
@eivantsov do you think we need some docs update with this pr? |
benoitf
added
status/code-review
| CHE_INFRA_KUBERNETES_NAMESPACE: "" | ||
| CHE_INFRA_KUBERNETES_TRUST__CERTS: "false" | ||
| CHE_INFRA_KUBERNETES_PVC_STRATEGY: "common" | ||
| CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS: "true" |
There was a problem hiding this comment.
Please change it to false according to #8726
| kubernetes.io/tls-acme: "true" | ||
| {{ else }} | ||
| nginx.ingress.kubernetes.io/ssl-redirect: "false" | ||
| ingress.kubernetes.io/proxy-read-timeout: "3600" |
There was a problem hiding this comment.
Are you sure that there is no need to update read and connect timeout when TLS is disabled?
| CHE_PREDEFINED_STACKS_RELOAD__ON__START: "false" | ||
| JAVA_OPTS: "-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -Dsun.zip.disableMemoryMapping=true -Xms20m " | ||
| CHE_WORKSPACE_AUTO_START: "false" | ||
| CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON: '{"nginx.ingress.kubernetes.io/rewrite-target": "/","nginx.ingress.kubernetes.io/ssl-redirect": "false","nginx.ingress.kubernetes.io/proxy-connect-timeout": "3600","nginx.ingress.kubernetes.io/proxy-read-timeout": "3600"}' |
There was a problem hiding this comment.
Should not this value be updated according to the value of .Values.tlsEnabled configuration property?
There was a problem hiding this comment.
It should, but we will tackle TLS once we fully support host-based routing for workspace ingresses.
|
I tried to upgrade Che with Help when |
| kubernetes.io/tls-acme: "true" | ||
| {{ else }} | ||
| nginx.ingress.kubernetes.io/ssl-redirect: "false" | ||
| ingress.kubernetes.io/proxy-read-timeout: "3600" |
There was a problem hiding this comment.
Shouldn't ingress.kubernetes.io/proxy-read-timeout and connect timeout be prefixed with nginx as other nginx specific annotations?
There was a problem hiding this comment.
@perspectivus1 thanks for this PR! Why have you created a new folder che-kubernetes-helm? Why not using kubernetes folder itself. Helm should be the default way to deploy Che on kube anyway.
|
TLS is not yet working for workspace ingresses. We should first support host-based routing. Hope to get to it in a few days. The issue @sleshchenko encountered when trying to upgrade is a bug in helm that was fixed a couple of days ago in release 2.8.1. After downloading the new helm executable, run this command to update tiller: helm init --upgrade --service-account tiller@l0rd, I agree that helm should be the default way to deploy Che to Kubernetes. First, the name of the directory must match the name of the chart in Chart.yaml and 'kubernetes' is not descriptive enough if we ever intend to upload this chart to a Helm repository. I guess that once this PR is merged we can remove the plain kubectl deployment. |
| - Otherwise, you may have to modify the KUBECONFIG environment variable and then type `kubectl config use-context <my-context>` | ||
| - Install tiller on your cluster: | ||
| - Create a tiller serviceAccount and bind it to the almighty cluster-admin role: `kubectl apply -f ./tiller-rbac.yaml` | ||
| - Install tiller itself: `helm init --service-acount tiller` |
| - Ensure that you have an NGINX-based ingress controller. Note: This is the default ingress controller on Minikube. You can start it with `minikube addons enable ingress` | ||
| - DNS discovery should be enabled. Note: It is enabled by default in minikube. | ||
| ### Deployment Process | ||
| - Obtain the address of your Kubernetes cluser: |
There was a problem hiding this comment.
I think you should say here that the address is needed to set the value of cheDomain in values.yaml
| - Override default values by changing the values.yaml file and then typing: | ||
|
|
||
| ```bash | ||
| helm upgrade --install <my-che-installation> ./ |
There was a problem hiding this comment.
It may be interesting to add the minikube specific command:
helm upgrade --install <my-che-installation> --set ingress.cheDomain=$(minikube ip).nip.io ./There was a problem hiding this comment.
In my opinion, the beauty of helm is that it works seamlessly for any Kubernetes cluster (minikube or other). We could add a script file that automates the deployment specifically for minikube. What do you think?
|
|
||
| ```bash | ||
| helm upgrade --install <my-che-installation> --namespace <my-che-namespace> --set ingress.cheDomain=<my-hostname> --set cheImage=<my-image> ./ | ||
| ``` |
There was a problem hiding this comment.
It may be interesting to add the command to uninstall Che:
helm delete <my-che-installation>
| serviceName: che-host | ||
| servicePort: 8080 | ||
| path: / | ||
| {{- if .Values.isHostBased }} |
There was a problem hiding this comment.
I think that this if condition should be removed: it's already done in cheHost template and it's not consistent with how CHE_HOST and CHE_APIare defined.
There was a problem hiding this comment.
We're working on improving host-based routing support in Kubernetes. We'll cleanup the ingress in the process.
| name: tiller-role-binding | ||
| roleRef: | ||
| kind: ClusterRole | ||
| name: cluster-admin |
There was a problem hiding this comment.
Why do we need to add the service account tiller? And why should it have cluster-admin role?
There was a problem hiding this comment.
Basically, it's because tiller needs to create Kubernetes resources in namespace other than the namespace in which tiller is installed. Here are more details.
| spec: | ||
| containers: | ||
| - env: | ||
| - name: CHE_DOMAIN |
There was a problem hiding this comment.
Is it used by the Che Server?
There was a problem hiding this comment.
It is in prep for host-based routing in workspaces
There was a problem hiding this comment.
@perspectivus1 thanks for the updates and for your answers. This PR is an important step for k8s support. Are you ok if we merge this PR now?
|
Yes. Please go ahead with the merge. |
benoitf
removed
the
status/code-review
What does this PR do?
Enable deploying Che to Kubernetes using Helm charts.
What issues does this PR fix or reference?
One of the leftover tasks for SPI Kubernetes infrastructure issue
Release Notes
Docs PR