Back Home

Write up and overlap with Jenkins/gradle

https://docs.openshift.com/enterprise/3.2/dev_guide/deployments.html

Secrets and Import Images

oc create secret docker-registry sosecret --docker-server=docker.io --docker-username=user --docker-password=password --docker-email=email

List Images in the Image Stream

 
oc get is

Pod Limits

$ oc get limits
NAME
limits

$ oc describe limits limits
Name:        limits
Namespace:   default
Type         Resource  Min Max Request Limit Limit/Request
----         --------  --- --- ------- ----- -------------
Pod          memory    6Mi 1Gi -       -     -
Pod          cpu       200m  2 -       -     -
Container    cpu       100m  2 200m    300m  10
Container    memory    4Mi 1Gi 100Mi   200Mi -

DaemonSets

kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: fluentd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fluentd
  template:
    metadata:
      labels:
        app: fluentd
    spec:
      affinity:
        nodeAffinity:
          # ensure pods get scheduled on a node without inter-DC latency
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
                - key: cluster
                  operator: DoesNotExist
      containers:
      - name: fluentd
        imagePullPolicy: {{ IMAGE_PULL_POLICY }}
        image: {{ FLUENTD_REGISTRY }}/fluentd-kubernetes-daemonset:v1.7.3-debian-elasticsearch6-1.0
        env:
        - name: FLUENTD_CONF
          value: lite3_fluentd.conf
        - name: FLUENT_ELASTICSEARCH_SED_DISABLE
          value: "true"
        volumeMounts:
        - name: fluentd-config
          mountPath: /fluentd/etc/lite3_fluentd.conf
          subPath: lite3_fluentd.conf
        - name: ca-crt
          mountPath: /cloud/
        resources:
          requests:
            memory: {{ FLUENTD_MEMORY_REQUEST }}
          limits:
            memory: 2Gi
        ports:
        - containerPort: {{ FLUENTD_PORT }}
          name: fluentd
      securityContext:
        privileged: true
      volumes:
      - name: fluentd-config
        configMap:
          name: fluentd-cm
          items:
          - key: fluentd-conf
            path: lite3_fluentd.conf
      - name: ca-crt
        secret:
          secretName: "truststore-secret"
          items:
            - key: ca.crt
              path: ca.crt
apiVersion: v1
kind: Template
metadata:
  name: filebeat
  annotations:
    description: filebeat configuration for Openshift
    openshift.io/display-name: Filebeat
    template.openshift.io/long-description: Filebeat configured to tail container log files to monitor Red Hat Openshift
objects:
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: filebeat-config
    namespace: ${PROJECT_NAME}
    labels:
      app: ${APPLICATION_NAME}
  data:
    filebeat.yml: |-
      filebeat.config:
        #inputs:
          # Mounted `filebeat-inputs` configmap:
        #  path: ${path.config}/inputs.d/*.yml
          # Reload inputs configs as they change:
        #  reload.enabled: false
        modules:
          path: ${path.config}/modules.d/*.yml
          # Reload module configs as they change:
          reload.enabled: false

      #To enable hints based autodiscover, remove `filebeat.config.inputs` configuration and uncomment this:
      filebeat.autodiscover:
        providers:
          - type: kubernetes
            hints.enabled: true

      output.logstash:
        hosts: [${OUTPUT_HOSTS}]
        ssl.enabled: true
        ssl.certificate_authorities: ['${CA_CERT}']

- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: filebeat-inputs
    namespace: ${PROJECT_NAME}
    labels:
      app: ${APPLICATION_NAME}
  data:
    kubernetes.yml: |-
      - type: docker
        containers.ids:
        - "*"
        processors:
          - add_kubernetes_metadata:
              host: ${NODE_NAME}
              in_cluster: true
              
- apiVersion: extensions/v1beta1
  kind: DaemonSet
  metadata:
    name: filebeat
    namespace: ${PROJECT_NAME}
    labels:
      app: ${APPLICATION_NAME}
  spec:
    template:
      metadata:
        labels:
          app: ${APPLICATION_NAME}
      spec:
        serviceAccountName: filebeat
        terminationGracePeriodSeconds: 30
        containers:
        - name: filebeat
          image: ${DOCKER_IMAGE}
          args: [
            "-c", "/etc/filebeat.yml",
            "-e",
          ]
          env:
          - name: OUTPUT_HOSTS
            value: ${OUTPUT_HOSTS}
          - name: CA_CERT
            value: ${CA_CERT}
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          securityContext:
            runAsUser: 0
            privileged: true
          resources:
            limits:
              cpu: ${MAXIMUM_CPU}
              memory: ${MAXIMUM_MEMORY}
          volumeMounts:
          - name: cacert
            mountPath: /etc/tls
            readOnly: true
          - name: config
            mountPath: /etc/filebeat.yml
            readOnly: true
            subPath: filebeat.yml
          - name: inputs
            mountPath: /usr/share/filebeat/inputs.d
            readOnly: true
          - name: data
            mountPath: /usr/share/filebeat/data
          - name: varlibdockercontainers
            mountPath: /var/lib/docker/containers
            readOnly: true
        volumes:
        - name: config
          configMap:
            defaultMode: 0600
            name: filebeat-config
        - name: cacert
          secret:
            secretName: cacert
        - name: varlibdockercontainers
          hostPath:
            path: /var/lib/docker/containers
        - name: inputs
          configMap:
            defaultMode: 0600
            name: filebeat-inputs
        # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
        - name: data
          hostPath:
            path: /var/lib/filebeat-data
            type: DirectoryOrCreate
            
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
  metadata:
    name: filebeat
  subjects:
  - kind: ServiceAccount
    name: filebeat
    namespace: ${PROJECT_NAME}
  roleRef:
    kind: ClusterRole
    name: filebeat
    apiGroup: rbac.authorization.k8s.io

- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRole
  metadata:
    name: filebeat
    labels:
      app: ${APPLICATION_NAME}
  rules:
  - apiGroups: [""] # "" indicates the core API group
    resources:
    - namespaces
    - pods
    verbs:
    - get
    - watch
    - list

- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: filebeat
    namespace: ${PROJECT_NAME}
    labels:
      app: ${APPLICATION_NAME}
parameters:
- description: "Name of beats project."
  displayName: Project name
  name: PROJECT_NAME
  required: true
  value: "container-platform-monitoring"
- description: "Name of application."
  displayName: Application name
  name: APPLICATION_NAME
  required: true
  value: "filebeat"
- description: "Docker image to be used for the deployment."
  displayName: Docker image
  name: DOCKER_IMAGE
  required: true
  value: "docker.swift.com:5000/elastic/filebeat:6.5.4"
- description: "Logstash output hosts."
  displayName: Logstash output hosts
  name: OUTPUT_HOSTS
  required: true
  value: "logstash:5044"
- description: "CA cert mount path"
  displayName: CA cert Mount Path
  name: CA_CERT
  required: true
  value: "/etc/tls/ca_cert.pem"
- description: "Maximum processing power that a pod can use can be expressed in millicores(m)."
  displayName: Maximum cpu
  name: MAXIMUM_CPU
  required: true
  value: "500m"
- description: "Maximum memory that a pod can use can be in Mb or Gi."
  displayName: Maximum memory
  name: MAXIMUM_MEMORY
  required: true
  value: "256Mi"

Metric Beats

apiVersion: v1
kind: Template
metadata:
  name: metricbeat
  annotations:
    description: Metricbeat configured to monitor Red Hat Openshift
    openshift.io/display-name: Metricbeat
    template.openshift.io/long-description: Metricbeat configured to monitor Red Hat Openshift via host system metrics and Kubernetes state metrics and output to Logstash
objects:
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: metricbeat-daemonset-config
    namespace: ${PROJECT_NAME}
    labels:
      app: ${APPLICATION_NAME}
  data:
    metricbeat.yml: |-
      metricbeat.config.modules:
        path: ${path.config}/modules.d/*.yml
        reload.enabled: false
     logging:
        level: warning
      output.logstash:
        hosts: [${OUTPUT_HOSTS}]
        ssl.enabled: true
        ssl.certificate_authorities: ['${CA_CERT}']
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: metricbeat-daemonset-modules
    namespace: ${PROJECT_NAME}
    labels:
      app: ${APPLICATION_NAME}
  data:
    system.yml: |-
      - module: system
        metricsets:
          - cpu
          - load
          - memory
          - network
          - process
          - process_summary
          - core
          #- diskio
          #- socket
        period: 15s
        processes: ['.*']
        process.include_top_n:
          by_cpu: 5      # include top 5 processes by CPU
          by_memory: 5   # include top 5 processes by memory

      - module: system
        metricsets:
          - filesystem
          - fsstat
        period: 1m
        processors:
        - drop_event.when.regexp:
            system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib)($|/)'

      - module: system
        metricsets:
          - uptime
        period: 15m

    kubernetes.yml: |-
      - module: kubernetes
        metricsets:
          - container
          - node
          - pod
          - volume
          - system
        period: 15s
        host: ${NODE_NAME}
        hosts: ["https://${HOSTNAME}:10250"]
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        ssl.certificate_authorities:
          - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
      
        add_metadata: true
        in_cluster: true
- apiVersion: extensions/v1beta1
  kind: DaemonSet
  metadata:
    name: metricbeat
    namespace: ${PROJECT_NAME}
    labels:
      app: ${APPLICATION_NAME}
  spec:
    template:
      metadata:
        labels:
          app: ${APPLICATION_NAME}
      spec:
        serviceAccountName: metricbeat
        terminationGracePeriodSeconds: 30
        hostNetwork: true
        dnsPolicy: ClusterFirstWithHostNet
        containers:
        - name: metricbeat
          image: ${DOCKER_IMAGE}
          args: [
            "-c", "/etc/metricbeat.yml",
            "-e",
            "-system.hostfs=/hostfs",
          ]
          env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          securityContext:
            runAsUser: 0
          resources:
            limits:
              cpu: ${MAXIMUM_CPU}
              memory: ${MAXIMUM_MEMORY}
          volumeMounts:
          - name: cacert
            mountPath: /etc/tls
            readOnly: true
          - name: config
            mountPath: /etc/metricbeat.yml
            readOnly: true
            subPath: metricbeat.yml
          - name: modules
            mountPath: /usr/share/metricbeat/modules.d
            readOnly: true
          - name: dockersock
            mountPath: /var/run/docker.sock
            readOnly: true
          - name: proc
            mountPath: /hostfs/proc
            readOnly: true
          - name: cgroup
            mountPath: /hostfs/sys/fs/cgroup
            readOnly: true
        volumes:
        - name: cacert
          secret:
            secretName: cacert
        - name: proc
          hostPath:
            path: /proc
        - name: cgroup
          hostPath:
            path: /sys/fs/cgroup
        - name: dockersock
          hostPath:
            path: /var/run/docker.sock
        - name: config
          configMap:
            defaultMode: 0600
            name: metricbeat-daemonset-config
        - name: modules
          configMap:
            defaultMode: 0600
            name: metricbeat-daemonset-modules
        - name: data
          hostPath:
            path: /var/lib/metricbeat-data
            type: DirectoryOrCreate
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: metricbeat-deployment-config
    namespace: ${PROJECT_NAME}
    labels:
      app: ${APPLICATION_NAME}
  data:
    metricbeat.yml: |-
      metricbeat.config.modules:
        path: ${path.config}/modules.d/*.yml
        reload.enabled: false
      logging:
        level: warning
      output.logstash:
        hosts: [${OUTPUT_HOSTS}]
        ssl.enabled: true
        ssl.certificate_authorities: ['${CA_CERT}']
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: metricbeat-deployment-modules
    namespace: ${PROJECT_NAME}
    labels:
      app: ${APPLICATION_NAME}
  data:
    kubernetes.yml: |-
      # State metrics from internal openshift kube-state-metrics service:
      - module: kubernetes
        enabled: true
        metricsets:
          - state_node
          - state_deployment
          - state_replicaset
          - state_statefulset
          - state_pod
          - state_container
        period: 15s
        hosts: ["https://kube-state-metrics.openshift-monitoring.svc.cluster.local:8443"]
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        ssl.certificate_authorities:
          - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt

      - module: kubernetes
        enabled: true
        metricsets:
          - event

      - module: kubernetes
        enabled: true
        metricsets:
          - apiserver
        hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"]
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        ssl.certificate_authorities:
          - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt

        add_metadata: true
        in_cluster: true
- apiVersion: apps/v1beta1
  kind: Deployment
  metadata:
    name: metricbeat
    namespace: ${PROJECT_NAME}
    labels:
      app: ${APPLICATION_NAME}
  spec:
    template:
      metadata:
        labels:
          app: ${APPLICATION_NAME}
      spec:
        serviceAccountName: metricbeat
        hostNetwork: true
        dnsPolicy: ClusterFirstWithHostNet
        containers:
        - name: metricbeat
          image: ${DOCKER_IMAGE}
          args: [
            "-c", "/etc/metricbeat.yml",
            "-e",
          ] 
          env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          securityContext:
            runAsUser: 0
          resources:
            limits:
              cpu: ${MAXIMUM_CPU}
              memory: ${MAXIMUM_MEMORY}
          volumeMounts:
          - name: cacert
            mountPath: /etc/tls
            readOnly: true
          - name: config
            mountPath: /etc/metricbeat.yml
            readOnly: true
            subPath: metricbeat.yml
          - name: modules
            mountPath: /usr/share/metricbeat/modules.d
            readOnly: true
        volumes:
        - name: cacert
          secret:
            secretName: cacert
        - name: config
          configMap:
            defaultMode: 0600
            name: metricbeat-deployment-config
        - name: modules
          configMap:
            defaultMode: 0600
            name: metricbeat-deployment-modules
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
  metadata:
    name: metricbeat
  subjects:
  - kind: ServiceAccount
    name: metricbeat
    namespace: ${PROJECT_NAME}
  roleRef:
    kind: ClusterRole
    name: metricbeat
    apiGroup: rbac.authorization.k8s.io

- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRole
  metadata:
    name: metricbeat
    labels:
      app: ${APPLICATION_NAME}
  rules:
  - apiGroups: [""]
    resources:
    - nodes
    - namespaces
    - events
    - pods
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources:
    - replicasets
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources:
    - statefulsets
    - deployments
    verbs: ["get", "list", "watch"]
  - apiGroups:
    - ""
    resources:
    - nodes/stats
    - nodes/metrics
    verbs:
    - get
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: metricbeat
    namespace: ${PROJECT_NAME}
    labels:
      app: ${APPLICATION_NAME}
parameters:
- description: "Name of beats project."
  displayName: Project name
  name: PROJECT_NAME
  required: true
  value: "container-platform-monitoring"
- description: "Name of application."
  displayName: Application name
  name: APPLICATION_NAME
  required: true
  value: "metricbeat"
- description: "Docker image to be used for the deployment."
  displayName: Docker image
  name: DOCKER_IMAGE
  required: true
  value: ""
- description: "Logstash output hosts."
  displayName: Logstash output hosts
  name: OUTPUT_HOSTS
  required: true
  value: "logstash:5044"
- description: "CA cert mount path"
  displayName: CA cert Mount Path
  name: CA_CERT
  required: true
  value: "/etc/tls/ca_cert.pem"
- description: "Maximum processing power that a pod can use can be expressed in millicores(m)."
  displayName: Maximum cpu
  name: MAXIMUM_CPU
  required: true
  value: "500m"
- description: "Maximum memory that a pod can use can be in Mb or Gi."
  displayName: Maximum memory
  name: MAXIMUM_MEMORY
  required: true
  value: "256Mi"

Service

kind: Service
apiVersion: v1
metadata:
  name: kibana-svc
  labels:
    app: kibana
spec:
  ports:
  - port: {{ KIBANA_PORT }}
    protocol: TCP
    name: http
  clusterIP: None
  sessionAffinity: ClientIP
  selector:
    app: kibana
 
openshift_deployments.txt · Last modified: 2020/01/23 07:26 by root
 
RSS - 200 © CrosswireDigitialMedia Ltd