source/plugins/cloudstack-kubernetes-provider.rst

.. Licensed to the Apache Software Foundation (ASF) under one
   or more contributor license agreements.  See the NOTICE file
   distributed with this work for additional information#
   regarding copyright ownership.  The ASF licenses this file
   to you under the Apache License, Version 2.0 (the
   "License"); you may not use this file except in compliance
   with the License.  You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing,
   software distributed under the License is distributed on an
   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
   KIND, either express or implied.  See the License for the
   specific language governing permissions and limitations
   under the License.

The CloudStack Kubernetes Provider
==================================

Introduction
------------

The CloudStack Kubernetes Provider facilitates Kubernetes deployments on Cloudstack.
It allows Kubernetes to dynamically allocate IP addresses and the respective networking
rules on CloudStack to ensure seamless TCP, UDP and TCP-Proxy LoadBalancer deployments
on Kubernetes.

It also automatically manages these rules modifying them based on the deployment as well
as the size of the cluster.

It was initially the Cloudstack provider in Kubernetes which was later extracted to allow
for pluggable providers.

The Prebuilt containers are available on `Docker Hub <https://hub.docker.com/r/apache/cloudstack-kubernetes-provider>`_.

Deployment
----------
The CloudStack Kubernetes Provider is automatically deployed when a Kuberentes Cluster is
created on CloudStack 4.16+

In order to communicate with CloudStack, a separate service user **kubeadmin** is created
in the same account as the cluster owner. The provider uses this user's API keys to get
the details of the cluster as well as update the networking rules. It is imperative that
this user is not altered or have its keys regenerated.

The provider can also be manually deployed with instructions `here
<https://github.com/apache/cloudstack-kubernetes-provider/blob/main/README.md>`_

Further details as well as instructions on how to build and contribute to the project can be found `here
<https://github.com/apache/cloudstack-kubernetes-provider/blob/main/README.md>`_

Usage
-----

In the following example, a LoadBalancer Service is created to balance traffic between the nodes in
a cluster. The DaemonSet creates pods and maps the ports on the pods to the same ports on the host.
The LoadBalancer creates an externally-accessible IP address that sends traffic to the correct port
on the cluster nodes.

#. The following yaml creates a DaemonSet which brings up a pod on every node and maps port 80 and
   443 from the pod to the node. The LoadBalancer Service then creates a public IP to balance traffic
   on port 80 and 443 between the nodes.

   .. parsed-literal::
      ---
      apiVersion: v1
      kind: Service
      metadata:
      name: traefik
      annotations:
         service.beta.kubernetes.io/cloudstack-load-balancer-proxy-protocol: enabled
      spec:
      type: LoadBalancer
      ports:
      - name: http
        port: 80
        targetPort: http
      - name: https
        port: 443
        targetPort: https
      ---
      apiVersion: v1
      kind: ConfigMap
      metadata:
      name: traefik-conf
      data:
      traefik.toml: |
         defaultEntryPoints = ["http"]
         [entryPoints]
            [entryPoints.http]
            address = ":80"
            [entryPoints.http.proxyProtocol]
            trustedIPs = ["127.0.0.1/32", "10.0.0.1/32"]
            [entryPoints.https]
            address = ":443"
            [entryPoints.https.proxyProtocol]
            trustedIPs = ["127.0.0.1/32", "10.0.0.1/32"]
      ---
      apiVersion: apps/v1
      kind: DaemonSet
      metadata:
      name: traefik-ingress-controller
      spec:
      selector:
         matchLabels:
            name: traefik-ingress-controller
      template:
         metadata:
            labels:
            name: traefik-ingress-controller
         spec:
            hostNetwork: true
            containers:
            - args:
            - --configfile=/config/traefik.toml
            image: traefik:1.7.12
            imagePullPolicy: Always
            name: traefik-ingress
            ports:
            - containerPort: 80
               hostPort: 80
               name: http
               protocol: TCP
            - containerPort: 443
               hostPort: 443
               name: https
               protocol: TCP
            volumeMounts:
            - mountPath: /config
               name: config
            volumes:
            - configMap:
               defaultMode: 420
               name: traefik-conf
            name: config

   It can be deployed by running the command

   .. parsed-literal::
      kubectl apply -f https://raw.githubusercontent.com/apache/cloudstack-kubernetes-provider/main/traefik-ingress-controller.yml

#. On successfully deploying the yaml file, a new Public IP Address in the same network
   as the cluster will be created. It will automatically have the firewall and port forwarding
   rules configured to distribute any traffic amongst the cluster worker nodes

|ckp-ip.png|

|ckp-ip-fw.png|

|ckp-ip-lb.png|

.. |ckp-ip.png| image:: /_static/images/ckp-ip.png
.. |ckp-ip-fw.png| image:: /_static/images/ckp-ip-fw.png
.. |ckp-ip-lb.png| image:: /_static/images/ckp-ip-lb.png