Merge pull request #108 from wunderio/feature/slt-945-uks-docs
SLT-945: Added vendor page about Upcloud UKS.
Rade333 authored Nov 27, 2023
2 parents 39d7042 + e0a1e1f commit 9a59e88
Showing 2 changed files with 124 additions and 2 deletions.
5 changes: 3 additions & 2 deletions docs/vendor-eks.md
Expand Up @@ -26,8 +26,9 @@ On new, empty cluster, before installing silta-cluster chart:
Enabling proxy protocol over ingress-nginx, for passing client IP to pods:
```yaml
ingress-nginx:
config:
use-proxy-protocol: true
controller:
config:
use-proxy-protocol: true
service:
annotations:
"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "*"
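Review bot: `use-proxy-protocol: true` under `controller.config` is an unquoted YAML boolean, while the vendor-uks.md example added in this same commit writes the same key as `use-proxy-protocol: "true"`; quote it here as well so both vendor pages show one form. Since this setting makes the controller take the client address from the PROXY header sent by the load balancer, it would also help to add a sentence saying the controller service should only be reachable through that load balancer, because the addresses it reports are only as trustworthy as whatever sends the header.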
121 changes: 121 additions & 0 deletions docs/vendor-uks.md
@@ -0,0 +1,121 @@
# Upcloud compatibility

Silta is mostly Upcloud compatible, there are some requirements for environments deployed to UKS cluster.

## Cluster requirements

- Load balancers are configured using json in annotations, see https://github.com/UpCloudLtd/uks-instructions/blob/main/ccm/README.md#customising-load-balancer-configuration
- By default, they are in HTTP mode, which needs to be changed to TCP
- Example configuration for ingress-nginx:
```yaml
ingress-nginx:
controller:
admissionWebhooks:
enabled: true
autoscaling:
enabled: false
config:
use-forwarded-headers: "true"
compute-full-forwarded-for: "true"
use-proxy-protocol: "true"
real-ip-header: "proxy_protocol"
service:
type: LoadBalancer
annotations:
service.beta.kubernetes.io/upcloud-load-balancer-config: |
{
"name": "silta-ingress-1",
"plan": "production-small",
"frontends": [
{
"name": "https",
"mode": "tcp",
"port": 443
},
{
"name": "http",
"mode": "tcp",
"port": 80
}
],
"backends": [
{
"name": "https",
"properties": { "outbound_proxy_protocol": "v1"}
},
{
"name": "http",
"properties": { "outbound_proxy_protocol": "v1"}
}
]
}
```
- To enable whitelist for VPN, SSH service has to annotated with:
```
gitAuth:
annotations:
service.beta.kubernetes.io/upcloud-load-balancer-config: |
{
"name": "silta-ssh-1",
"plan": "development",
"frontends": [
{
"name": "ssh",
"mode": "tcp",
"port": 22,
"rules": [
{
"name": "allow-vpn",
"priority": 100,
"matchers": [
{
"type": "src_ip",
"inverse": true,
"match_src_ip": {
"value": "<VPN_IP_HERE>"
}
}
],
"actions": [
{
"type": "tcp_reject",
"action_tcp_reject": {}
}
]
}
]
}
]
}
```
- Creating an object storage and configuring rclone is quite well explained at https://upcloud.com/resources/tutorials/migrate-object-storage-rclone
- Example configuration:
```yaml
rclone:
params:
remote: s3
remotePath: silta-shared
s3-access-key-id: <ACCESS_KEY>
s3-acl: private
s3-endpoint: xyz.fi-hel2.upcloudobjects.com
s3-provider: Other
s3-region: fi-hel2
s3-secret-access-key: <SECRET_KEY>
```
- If using managed database, create a new database user and set authentication method to `mysql_native_password`

- Smallest size for UKS storage volumes is 1Gi - set this for mariadb, elasticsearch pods

There are few more requirements listed on [silta-cluster chart page](https://github.com/wunderio/charts/tree/master/silta-cluster#requirements), those are common for all silta-cluster installations


## Missing functionality

- Managed Docker image registry
- Managed NFS storage

## Deployment specifics

There is no extra configuration required for basic deployments. The only change would be `cluster.type` but it's normally overridden in CI pipeline.
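Review bot: In the ingress-nginx example, `use-forwarded-headers: "true"` is combined with frontends in `"mode": "tcp"`, so nothing at layer 7 in front of the controller sets or strips `X-Forwarded-*`, and the controller will pass client-supplied values of those headers to upstreams. The client address already arrives via `use-proxy-protocol: "true"` and `real-ip-header: "proxy_protocol"`, so consider dropping `use-forwarded-headers` (and `compute-full-forwarded-for`) from the example, or explain why they are needed. In the SSH block, the rule is named `allow-vpn` but works by `"inverse": true` plus `tcp_reject`, which is easy to misread; a one-line explanation that it rejects every source except `<VPN_IP_HERE>` would help, along with the expected format of that value. The rclone example places `s3-secret-access-key` directly in values, so a note on keeping it out of the committed file would be useful. Minor: the SSH code fence has no `yaml` tag unlike the other two, and "has to annotated" is missing "be".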
