Create Other cluster
This section will help you create a Saagie-compatible Kubernetes cluster if you are not using a Kubernetes-as-a-Service platform.
1. Create or configure cluster
If you are using an on-premise cloud or are not using a Kubernetes-as-a-Service platform, you’ll need a Vanilla Kubernetes cluster.
Follow Kubernetes' tutorial to create your Vanilla Kubernetes cluster: Creating a single control-plane cluster with kubeadm.
Make sure you have the following:
Requirement | Details |
---|---|
Network add-on (CNI) |
Choose Calico in the section Installing a Pod network add-on. Saagie is only tested and certified with Calico. Saagie might work with other CNIs, but they have not been tested. |
Volume Management System |
You need a storage provider to create persistent storage. |
LoadBalancer |
Recommended tool to give users access to the Saagie platform. Other methods (such as NodePort + reverse proxy) are possible but not recommended as they haven’t been tested as extensively. Parts of your Saagie platform may not function as expected without additional setup and testing. |
2. Verify your Kubernetes cluster
Run the following command to verify that you have access to your Kubernetes cluster:
kubectl get nodes
All nodes must have the status ready .
|
3. Create requirements
All Saagie deployments need the same requirements.yml
file, regardless of your cloud provider.
The requirements.yml
file will create the following on your cluster:
-
Two service accounts on the
saagie-common
namespace:-
sa-saagie-deploy
withcluster-admin
role -
traefik-ingress-controller
with its related ClusterRole and ClusterRoleBinding
-
3.1. Create requirements.yml
file
Create your requirements.yml
with the code exactly as it appears below.
---
apiVersion: v1
kind: Namespace
metadata:
name: saagie-common
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa-saagie-deploy
namespace: saagie-common
automountServiceAccountToken: true
imagePullSecrets:
- name: saagie-docker-config
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: sa-saagie-deploy-crbinding
namespace: saagie-common
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: sa-saagie-deploy
namespace: saagie-common
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: saagie-common
imagePullSecrets:
- name: saagie-docker-config
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-ingress-cluster-binding
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: saagie-common
roleRef:
kind: ClusterRole
name: traefik-ingress-cluster
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-ingress-cluster
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.containo.us
resources:
- middlewares
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- apiGroups:
- apiextensions.k8s.io
resourceNames:
- middlewares.traefik.containo.us
- ingressroutes.traefik.containo.us
- traefikservices.traefik.containo.us
- ingressroutetcps.traefik.containo.us
- ingressrouteudps.traefik.containo.us
- tlsoptions.traefik.containo.us
- tlsstores.traefik.containo.us
resources:
- customresourcedefinitions
verbs:
- get
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
labels:
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/cluster-service: "true"
name: 00-saagie-common-psp
spec:
allowPrivilegeEscalation: false
allowedHostPaths:
- pathPrefix: /etc/machine-id
readOnly: true
- pathPrefix: /etc/fluent-bit
readOnly: false
- pathPrefix: /var/log
readOnly: true
- pathPrefix: /var/lib/docker/containers
readOnly: true
- pathPrefix: /data/docker/containers
readOnly: true
fsGroup:
rule: RunAsAny
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- configMap
- emptyDir
- secret
- persistentVolumeClaim
- hostPath
- projected
- downwardAPI
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
labels:
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/cluster-service: "true"
name: 00-saagie-project-psp
spec:
allowPrivilegeEscalation: true
fsGroup:
rule: RunAsAny
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- configMap
- emptyDir
- secret
- persistentVolumeClaim
- projected
- downwardAPI
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/cluster-service: "true"
name: psp:saagie-common:saagie-common-cluster-psp
rules:
- apiGroups:
- policy
resourceNames:
- 00-saagie-common-psp
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/cluster-service: "true"
name: psp:saagie-common:saagie-project-cluster-psp
rules:
- apiGroups:
- policy
resourceNames:
- 00-saagie-common-psp
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: psp:saagie-common:saagie-deploy-psp-crbinding
namespace: saagie-common
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp:saagie-common:saagie-common-cluster-psp
subjects:
- kind: Group
name: system:serviceaccounts:saagie-common
3.2. Apply requirements.yml
file
Run the following command to apply your requirements.yml
file:
kubectl apply -f requirements.yml
The output should be similar to this:
namespace/saagie-common created
serviceaccount/sa-saagie-deploy created
...
rolebinding.rbac.authorization.k8s.io/psp:saagie-commin:saagie-deploy-psp-cribinding created
4. Apply or install secret saagie-docker-config
Saagie Docker images are pulled from a private registry that requires credentials. The credentials should have been provided to you.
-
Apply or install the secret:
-
Apply: If you receive the credentials in a Kubernetes secret file, apply the secret to your cluster by running the following
kubectl
command:kubectl apply -n saagie-common -f saagie-docker-config.yaml
-
Install: If you receive a username and password, install the secret by running the following
kubectl
command:kubectl create secret docker-registry -n saagie-common saagie-docker-config \ --docker-server=<registry server> \ (1) --docker-username=<username> \ (2) --docker-password=<password> (3)
1 Replace <registry server>
with the Docker repository hosting Saagie images.2 Replace <username>
with the username provided to you.3 Replace <password>
with the password provided to you
-
-
Edit the default service account to reference the
saagie-docker-config
secret by running the followingkubectl
command.kubectl patch serviceaccount -n saagie-common default -p '{"imagePullSecrets":[{"name" : "saagie-docker-config"}]}'
-
Run the following command to confirm that the secret are properly installed:
kubectl get secret -n saagie-common
The output should be similar to this:
NAME TYPE DATA AGE saagie-docker-config kubernetes.io/dockerconfigjson 1 2m43s
5. Offline cluster specifications
When your Kubernetes cluster is not connected to the Internet, you’ll install Saagie in offline mode.
For offline installation, you need to manage your own Docker registry containing images of the Saagie product as well as Saagie technologies. This section of documentation will guide you through uploading the resources to your registry and installing the repository in your cluster.
Saagie will provide the archives of the Docker images needed to run your platform, as well as the technologies. |
5.1. Upload Docker images
To upload the Docker images in your registry, you need:
-
A machine with access to your Docker registry
-
tar
archives provided by Saagie (Saagie product and Saagie technologies) -
Command line tool
skopeo
installed on your machine (refer to Install Skopeo) -
Credentials to push images into the registry (if any)
5.1.1. Upload Saagie product archive
Once you meet these requirements, complete the following steps to upload your Docker images.
-
First, run the following command to decompress the archive:
untar xvf <product-tar-archive> (1)
1 The file name of the Saagie product tar archive
Saagie provided. -
Next, if you need to require authentication, configure the user and password to connect to your registry using
skopeo login
(refer to Skopeo login). -
Finally, run the following command in the decompressed archive to launch the image upload:
./pushall.sh <registry> (1)
1 <registry>
is the hostname of your Docker registry.
5.1.2. Upload Saagie technologies archive
The process is the same as for the Saagie technologies tar archive
.
If you configured authentication on this machine when uploading the first tar archive , you will not need to configure it again.
|
-
Run the following command to decompress the archive:
untar xvf <technologies-tar-archive> (1)
1 The file name of the Saagie technologies tar archive
Saagie provided. -
If you need to require authentication, configure the user and password to connect to your registry using
skopeo login
(refer to Skopeo login). -
Run the following command in the decompressed archive to launch the image upload:
./pushall.sh <registry> (1)
1 <registry>
is the hostname of your Docker registry.
5.2. Install technology repository
The repository containing your technologies needs be installed manually in your cluster.
Refer to our SDK documentation for more information about adding technologies. |
-
Copy the path to the
technologies.zip
file that contains your technologies. -
Run the following
saagiectl
command to install the repository in your cluster:./bin/saagiectl upload technologies --file <technologies-file> (1)
1 Replace <technologies-file>
with the path to yourtechnologies.zip
file.
6. SMTP requirements
A SMTP Server is mandatory to send, receive, and/or relay outgoing mail between your Saagie platform and users email address.
Therefore Saagie must have access to your SMTP server and is compatible with the following configurations:
-
SMTP authentication can either be anonymous or require authentication.
-
SMTP transport can be SMTP or SMTPS.
-
You must have a valid TLS certificate.
Once configured you will be able use your user email address to gets status alerts or change/reset the password associated with your Saagie account. |
7. Install certificate
A TLS certificate is required and needs to be installed in your Kubernetes cluster. Make sure that your TLS certificate is valid for the DNS entry you determined when verifying your prerequisites.
Your certificate must respect the following constraints:
|
To create and deploy your certificate, run the following command line:
kubectl create secret tls saagie-common-tls --cert=cert.pem --key=cert.key -n saagie-common --dry-run=client -o yaml | kubectl apply -f -
Run the same command line to update your certificate. |