deploy.md

Deploying Cloud Foundry on a Kubernetes cluster

• Prerequisites
  • Required Tools
  • Kubernetes Cluster Requirements
  • IaaS Requirements
  • Requirements for pushing source-code based apps to Cloud Foundry foundation
• Known Issues
• Steps to deploy
  • Option A - Use the included hack-script to generate the install values
  • Option B - Create the install values by hand
• Validate the deployment
• Delete the cf-for-k8s deployment
• Additional Resources

Prerequisites

Required Tools

You need the following CLIs on your system to be able to run the script:

• cf cli (v6.50+)
• kapp
• ytt
• kubectl

Make sure that your Kubernetes config (e.g, ~/.kube/config) is pointing to the cluster you intend to deploy cf-for-k8s to.

Kubernetes Cluster Requirements

❗ This project is in it's early stages of development and hence the resource requirements are subject to change in the future. This document and the release notes will be updated accordingly. ❗

To deploy cf-for-k8s as is, the cluster should:

• be running Kubernetes version within range 1.16.x to 1.18.x
• have a minimum of 5 nodes
• have a minimum of 4 CPU, 15GB memory per node
• support LoadBalancer services
• support metrics-server
  • Most IaaSes come with metrics-server, but if yours does not come with it or if you're using kind, you will need to include config-optional/add-metrics-server-components.yml when you render the K8s template.
• defines a default StorageClass
  • requires additional config on vSphere, for example

Requirements for pushing source-code based apps to Cloud Foundry foundation

To be able to push source-code based apps to your cf-for-k8s installation, you will need to add OCI compliant registry (e.g. hub.docker.com) to the configuration.

Under the hood, cf-for-k8s uses Cloud Native buildpacks to detect and build the app source code into an oci compliant image and pushes the app image to the registry. Though cf-for-k8s has been tested with Google Container Registry and Dockerhub.com, it should work for any external OCI compliant registry.

Currently, we have tested the following two container registries:

• Docker Hub:

  1. Create an account in hub.docker.com. Note down the user name and password you used during signup.
  2. Create a repository in your account. Note down the repository name.

• Google Container Registry:

  1. Create a GCP Service Account with Storage/Storage Admin role.
  2. Create a Service Key JSON and download it to the machine from which you will install cf-for-k8s (referred to, below, as path-to-kpack-gcr-service-account).

Known Issues

This project is in it's early stages of development and hence there are features missing. For a list of the known issues, take a look at the GitHub issues tagged 'known-issue'.

Requirements to use an external database

cf-for-k8s can be configured to use an external database.

Steps to deploy

1. Clone and initialize this git repository:

   git clone https://github.com/cloudfoundry/cf-for-k8s.git
   cd cf-for-k8s
   TMP_DIR=<your-tmp-dir-path> ; mkdir -p ${TMP_DIR}

2. Create a "CF Installation Values" file and configure it:

   You can either: a) auto-generate the installation values or b) create the values by yourself.

   Option A - Use the included hack-script to generate the install values

   NOTE: The script requires the BOSH CLI in installed on your machine. The BOSH CLI is an handy tool to generate self signed certs and passwords.

   ./hack/generate-values.sh -d <cf-domain> > ${TMP_DIR}/cf-values.yml

   Replace <cf-domain> with your registered DNS domain name for your CF installation.

   Option B - Create the install values by hand

   1. Clone file sample-cf-install-values.yml from this directory as a starting point.

      cp sample-cf-install-values.yml ${TMP_DIR}/cf-values.yml

   2. Open the file and change the system_domain and app_domain to your desired domain address.

   3. Generate certificates for the above domains and paste them in crt, key, ca values

      • IMPORTANT Your certificates must include a subject alternative name entry for the internal *.cf-system.svc.cluster.local domain in addition to your chosen external domain.

3. To enable Cloud Native buildpacks feature, configure access to an external registry in cf-values.yml:

   You can choose any of the cloud provider container registries, such as hub.docker.com, Google container registry, Azure container registry and so on. Below are examples for dockerhub or google container registry.

   1. To configure Dockerhub.com

      Add the following registry config block to the end of cf-values.yml file.

      app_registry:
         hostname: https://index.docker.io/v1/
         repository_prefix: "<my_username>"
         username: "<my_username>"
         password: "<my_password>"
      

      1. Update <my_username> with your docker username.
      2. Update <my_password> with your docker password.

   2. To configure a Google Container Registry, add the following registry config block to the end of cf-values.yml file.

      app_registry:
         hostname: gcr.io
         repository_prefix: gcr.io/<gcp_project_id>/cf-workloads
         username: _json_key
         password: |
         <contents_of_service_account_json>

      1. Update the gcp_project_id portion to your GCP Project Id.
      2. Change contents_of_service_account_json to be the entire contents of your GCP Service Account JSON.

4. Run the following commands to install Cloud Foundry on your Kubernetes cluster.

   i. Render the final K8s template to raw K8s configuration

   ytt -f config -f ${TMP_DIR}/cf-values.yml > ${TMP_DIR}/cf-for-k8s-rendered.yml

   cf-for-k8s uses ytt to create and maintain reusable YAML templates. You can visit the ytt playground to learn more about it's templating features. In the above command, ytt can take a folder e.g. config or file via -f. See all options by running ytt help.

   ii. Install using kapp and pass the above K8s configuration file

   kapp deploy -a cf -f ${TMP_DIR}/cf-for-k8s-rendered.yml -y

   cf-for-k8s uses kapp to manage it's lifecycle. kapp will first show you a list of resources it plans to install on the cluster and then will attempt to install those resources. kapp will not exit untill all resources are installed and their status is running. See all options by running kapp help.

   Once you run the command, it should take about 10 minutes depending on your cluster bandwidth, size. kapp will provide updates on pending resource creations in the cluster and will wait until all resources are created and running. Here is a sample snippet from kapp output:

   4:08:19PM: ---- waiting on 1 changes [0/1 done] ----
   4:08:19PM: ok: reconcile serviceaccount/cc-kpack-registry-service-account (v1) namespace: cf-workloads-staging
   4:08:19PM: ---- waiting complete [5/10 done] ----
   ...

5. Configure DNS on your IaaS provider to point the wildcard subdomain of your system domain and the wildcard subdomain of all apps domains to point to external IP of the Istio Ingress Gateway service. You can retrieve the external IP of this service by running

   kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[*].ip}'

   OR in certain environments, the external ip may be surfaced as a hostname instead. In that case use:

   kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[*].hostname}'

   If you used a single DNS record for both system_domain and app_domains, then have it resolve to the Ingress Gateway's external IP

   e.g.

   # sample A record in Google cloud DNS. The IP address below is the address of Ingress gateway's external IP
   Domain         Record Type  TTL  IP Address
   *.<cf-domain>  A            30   35.111.111.111

Validate the deployment

1. Target your CF CLI to point to the new CF instance

   cf api --skip-ssl-validation https://api.<cf-domain>

   Replace <cf-domain> with your desired domain address.

2. Login using the admin credentials for key cf_admin_password in ${TMP_DIR}/cf-values.yml

   cf auth admin <cf-values.yml.cf-admin_password>
   # or using yq: cf auth admin "$(yq -r '.cf_admin_password' ${TMP_DIR}/cf-values.yml)"

3. Create an org/space for your app:

   cf create-org test-org
   cf create-space -o test-org test-space
   cf target -o test-org -s test-space

4. Deploy a source code based app:

   cf push test-node-app -p tests/smoke/assets/test-node-app

   Pushing app test-node-app to org test-org / space test-space as admin...
   Getting app info...
   Creating app with these attributes...
   
   name: test-node-app
   path: /Users/pivotal/workspace/cf-for-k8s/tests/smoke/assets/test-node-app
   routes: test-node-app.<cf-domain>
   
   Creating app test-node-app...
   Mapping routes...
   Comparing local files to remote cache...
   Packaging files to upload...
   Uploading files...
   
   .... logs omitted for brevity
   
   
   Waiting for app to start...
   
   name: test-node-app
   requested state: started
   isolation segment: placeholder
   routes: test-node-app.<cf-domain>
   last uploaded: Tue 17 Mar 19:24:21 PDT 2020
   stack:
   buildpacks:
   
   type: web
   instances: 1/1
   memory usage: 1024M
   state since cpu memory disk details
   #0 running 2020-03-18T02:24:51Z 0.0% 0 of 1G 0 of 1G

   
   

5. Validate the app is reachable over https

   # for self-signed certs, use -k to allow insecure server connections when using SSL
   curl -k https://test-node-app.<cf-domain>

   Hello World

Delete the cf-for-k8s deployment

You can delete the cf-for-k8s deployment by running the following command.

# Assuming that you ran `kapp deploy -a cf...`
kapp delete -a cf

Additional resources

Use the following resources to enable additional features in cf-for-k8s.

• Setup ingress certs with letsencrypt
• Setup static loadbalancer IP