github.com/vipernet-xyz/tm@v0.34.24/tools/mintnet-kubernetes/README.rst (about) 1 Using Kubernetes 2 ================ 3 4 .. figure:: assets/t_plus_k.png 5 :alt: Tendermint plus Kubernetes 6 7 Tendermint plus Kubernetes 8 9 This should primarily be used for testing purposes or for 10 tightly-defined chains operated by a single stakeholder (see `the 11 security precautions <#security>`__). If your desire is to launch an 12 application with many stakeholders, consider using our set of Ansible 13 scripts. 14 15 Quick Start 16 ----------- 17 18 For either platform, see the `requirements <https://github.com/kubernetes/minikube#requirements>`__ 19 20 MacOS 21 ^^^^^ 22 23 :: 24 25 curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/darwin/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/kubectl 26 curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.18.0/minikube-darwin-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/ 27 minikube start 28 29 git clone https://github.com/tendermint/tools.git && cd tools/mintnet-kubernetes/examples/basecoin && make create 30 31 Linux 32 ^^^^^ 33 34 :: 35 36 curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/kubectl 37 curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.18.0/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/ 38 minikube start 39 40 git clone https://github.com/tendermint/tools.git && cd tools/mintnet-kubernetes/examples/basecoin && make create 41 42 Verify it worked 43 ~~~~~~~~~~~~~~~~ 44 45 **Using a shell:** 46 47 First wait until all the pods are ``Running``: 48 49 ``kubectl get pods -w -o wide -L tm`` 50 51 then query the Tendermint app logs from the first pod: 52 53 ``kubectl logs -c tm -f tm-0`` 54 55 finally, use our `Rest API <https://tendermint.com/docs/tendermint-core/rpc.html>`__ to fetch the status of the second pod's Tendermint app. 56 57 Note we are using ``kubectl exec`` because pods are not exposed (and should not be) to the 58 outer network: 59 60 ``kubectl exec -c tm tm-0 -- curl -s http://tm-1.basecoin:26657/status | json_pp`` 61 62 **Using the dashboard:** 63 64 :: 65 66 minikube dashboard 67 68 Clean up 69 ~~~~~~~~ 70 71 :: 72 73 make destroy 74 75 Usage 76 ----- 77 78 Setup a Kubernetes cluster 79 ^^^^^^^^^^^^^^^^^^^^^^^^^^ 80 81 - locally using `Minikube <https://github.com/kubernetes/minikube>`__ 82 - on GCE with a single click in the web UI 83 - on AWS using `Kubernetes 84 Operations <https://github.com/kubernetes/kops/blob/master/docs/aws.md>`__ 85 - on Linux machines (Digital Ocean) using 86 `kubeadm <https://kubernetes.io/docs/getting-started-guides/kubeadm/>`__ 87 - on AWS, Azure, GCE or bare metal using `Kargo 88 (Ansible) <https://kubernetes.io/docs/getting-started-guides/kargo/>`__ 89 90 Please refer to `the official 91 documentation <https://kubernetes.io/docs/getting-started-guides/>`__ 92 for overview and comparison of different options. 93 94 Kubernetes on Digital Ocean 95 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ 96 97 Available options: 98 99 - `kubeadm (alpha) <https://kubernetes.io/docs/getting-started-guides/kubeadm/>`__ 100 - `kargo <https://kubernetes.io/docs/getting-started-guides/kargo/>`__ 101 - `rancher <http://rancher.com/>`__ 102 - `terraform <https://github.com/hermanjunge/kubernetes-digitalocean-terraform>`__ 103 104 As you can see, there is no single tool for creating a cluster on DO. 105 Therefore, choose the one you know and comfortable working with. If you know 106 and used `terraform <https://www.terraform.io/>`__ before, then choose it. If you 107 know Ansible, then pick kargo. If none of these seem familiar to you, go with 108 ``kubeadm``. Rancher is a beautiful UI for deploying and managing containers in 109 production. 110 111 Kubernetes on Google Cloud Engine 112 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 113 114 Review the `Official Documentation <https://kubernetes.io/docs/getting-started-guides/gce/>`__ for Kubernetes on Google Compute 115 Engine. 116 117 **Create a cluster** 118 119 The recommended way is to use `Google Container 120 Engine <https://cloud.google.com/container-engine/>`__. You should be able 121 to create a fully fledged cluster with just a few clicks. 122 123 **Connect to it** 124 125 Install ``gcloud`` as a part of `Google Cloud SDK <https://cloud.google.com/sdk/>`__. 126 127 Make sure you have credentials for GCloud by running ``gcloud auth login``. 128 129 In order to make API calls against GCE, you must also run ``gcloud auth 130 application-default login``. 131 132 Press ``Connect``: 133 134 .. figure:: assets/gce1.png 135 136 and execute the first command in your shell. Then start a proxy by 137 executing ``kubectl` proxy``. 138 139 .. figure:: assets/gce2.png 140 141 Now you should be able to run ``kubectl`` command to create resources, get 142 resource info, logs, etc. 143 144 **Make sure you have Kubernetes >= 1.5, because you will be using 145 StatefulSets, which is a beta feature in 1.5.** 146 147 Create a configuration file 148 ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 149 150 Download a template: 151 152 :: 153 154 curl -Lo app.yaml https://github.com/tendermint/tools/raw/master/mintnet-kubernetes/app.template.yaml 155 156 Open ``app.yaml`` in your favorite editor and configure your app 157 container (navigate to ``- name: app``). Kubernetes DSL (Domain Specific 158 Language) is very simple, so it should be easy. You will need to set 159 Docker image, command and/or run arguments. Replace variables prefixed 160 with ``YOUR_APP`` with corresponding values. Set genesis time to now and 161 preferable chain ID in ConfigMap. 162 163 Please note if you are changing ``replicas`` number, do not forget to 164 update ``validators`` set in ConfigMap. You will be able to scale the 165 cluster up or down later, but new pods (nodes) won't become validators 166 automatically. 167 168 Deploy your application 169 ^^^^^^^^^^^^^^^^^^^^^^^ 170 171 :: 172 173 kubectl create -f ./app.yaml 174 175 Observe your cluster 176 ^^^^^^^^^^^^^^^^^^^^ 177 178 `web UI <https://github.com/kubernetes/dashboard>`__ 179 180 The easiest way to access Dashboard is to use ``kubectl``. Run the following 181 command in your desktop environment: 182 183 :: 184 185 kubectl proxy 186 187 ``kubectl`` will handle authentication with apiserver and make Dashboard 188 available at http://localhost:8001/ui 189 190 **shell** 191 192 List all the pods: 193 194 :: 195 196 kubectl get pods -o wide -L tm 197 198 StatefulSet details: 199 200 :: 201 202 kubectl describe statefulsets tm 203 204 First pod details: 205 206 :: 207 208 kubectl describe pod tm-0 209 210 Tendermint app logs from the first pod: 211 212 :: 213 214 kubectl logs tm-0 -c tm -f 215 216 App logs from the first pod: 217 218 :: 219 220 kubectl logs tm-0 -c app -f 221 222 Status of the second pod's Tendermint app: 223 224 :: 225 226 kubectl exec -c tm tm-0 -- curl -s http://tm-1.<YOUR_APP_NAME>:26657/status | json_pp 227 228 Security 229 -------- 230 231 Due to the nature of Kubernetes, where you typically have a single 232 master, the master could be a SPOF (Single Point Of Failure). Therefore, 233 you need to make sure only authorized people can access it. And these 234 people themselves had taken basic measures in order not to get hacked. 235 236 These are the best practices: 237 238 - all access to the master is over TLS 239 - access to the API Server is X.509 certificate or token based 240 - etcd is not exposed directly to the cluster 241 - ensure that images are free of vulnerabilities 242 (`1 <https://github.com/coreos/clair>`__) 243 - ensure that only authorized images are used in your environment 244 - disable direct access to Kubernetes nodes (no SSH) 245 - define resource quota 246 247 Resources: 248 249 - https://kubernetes.io/docs/admin/accessing-the-api/ 250 - http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html 251 - https://blog.openshift.com/securing-kubernetes/ 252 253 Fault tolerance 254 --------------- 255 256 Having a single master (API server) is a bad thing also because if 257 something happens to it, you risk being left without an access to the 258 application. 259 260 To avoid that you can `run Kubernetes in multiple 261 zones <https://kubernetes.io/docs/admin/multiple-zones/>`__, each zone 262 running an `API 263 server <https://kubernetes.io/docs/admin/high-availability/>`__ and load 264 balance requests between them. Do not forget to make sure only one 265 instance of scheduler and controller-manager are running at once. 266 267 Running in multiple zones is a lightweight version of a broader `Cluster 268 Federation feature <https://kubernetes.io/docs/admin/federation/>`__. 269 Federated deployments could span across multiple regions (not zones). We 270 haven't tried this feature yet, so any feedback is highly appreciated! 271 Especially, related to additional latency and cost of exchanging data 272 between the regions. 273 274 Resources: 275 276 - https://kubernetes.io/docs/admin/high-availability/ 277 278 Starting process 279 ---------------- 280 281 .. figure:: assets/statefulset.png 282 :alt: StatefulSet 283 284 StatefulSet 285 286 Init containers (``tm-gen-validator``) are run before all other 287 containers, creating public-private key pair for each pod. Every ``tm`` 288 container then asks other pods for their public keys, which are served 289 with nginx (``pub-key`` container). When ``tm`` container have all the 290 keys, it forms a genesis file and starts the Tendermint process.