Deploy on Minikube
Deploying Orc8r on Minikube is the easiest way to test changes to the Helm charts. Most steps are similar to the main deployment guide, with a few differences.
Prerequisites
Spin up Minikube
Set up Minikube with one of the following commands, including sufficient resources and seeding the metrics config files:
-
On macOS
minikube start --cni=bridge --driver=hyperkit --memory=8gb --cpus=8 --kubernetes-version='v1.20.2' --mount --mount-string "${MAGMA_ROOT}/orc8r/cloud/docker/metrics-configs:/configs" -
On Linux
minikube start --cni=bridge --driver=docker --memory=8gb --cpus=8 --kubernetes-version='v1.20.2' --mount --mount-string "${MAGMA_ROOT}/orc8r/cloud/docker/metrics-configs:/configs"
where the only difference between the two is the driver used.
Note:
- There are a lot of things that can go wrong with spinning up Minikube, so if you have problems check for documentation specific to your system.
- Make sure you are not connected to a VPN when running this command.
- For further information on the recommended drivers used above, see Minikube configs.
Now install prerequisites for Orc8r and create the orc8r K8s namespace
helm repo add bitnami https://charts.bitnami.com/bitnami
helm upgrade --install \
--create-namespace \
--namespace orc8r \
--set global.postgresql.auth.postgresPassword=postgres,global.postgresql.auth.database=magma,fullnameOverride=postgresql \
postgresql \
bitnami/postgresql
Build and publish images
NOTE: skip this step if you want to use the official container images at linuxfoundation.jfrog.io.
There are 2 ways you can publish your own images: to a private registry, or to a localhost registry. Choose an option, then complete the relevant prerequisites:
- Publish to private registry (specifically, we'll use DockerHub)
docker login- Use
registry.hub.docker.com/USERNAMEas your registry name
- Publish to localhost registry (specifically, we'll use the local Docker registry via Minikube)
minikube addons enable registrydocker run --rm -it --network=host alpine ash -c "apk add socat && socat TCP-LISTEN:5000,reuseaddr,fork TCP:$(minikube ip):5000"- This should hang, open new tab for other commands
- Use
localhost:5000as your registry name
After completing the prerequisites listed above, follow the instructions at Building Orchestrator to publish container images to the chosen registry.
Install
Generate secrets
If you haven't already, the easiest way to generate these secrets is temporarily spinning up a local, Docker-based deployment
export CERTS_DIR=${MAGMA_ROOT}/.cache/test_certs
cd ${MAGMA_ROOT}/orc8r/cloud/docker && ./build.py && ./run.py && sleep 30 && docker-compose down && ls -l ${CERTS_DIR} && cd -
Apply secrets
Create the K8s secrets
export IMAGE_REGISTRY_URL=linuxfoundation.jfrog.io/magma-docker # or replace with your registry
export IMAGE_REGISTRY_USERNAME=''
export IMAGE_REGISTRY_PASSWORD=''
export CERTS_DIR=${MAGMA_ROOT}/.cache/test_certs # mirrored from above
cd ${MAGMA_ROOT}/orc8r/cloud/helm/orc8r
helm template orc8r charts/secrets \
--namespace orc8r \
--set-string secret.certs.enabled=true \
--set-file 'secret.certs.files.rootCA\.pem'=${CERTS_DIR}/rootCA.pem \
--set-file 'secret.certs.files.bootstrapper\.key'=${CERTS_DIR}/bootstrapper.key \
--set-file 'secret.certs.files.controller\.crt'=${CERTS_DIR}/controller.crt \
--set-file 'secret.certs.files.controller\.key'=${CERTS_DIR}/controller.key \
--set-file 'secret.certs.files.admin_operator\.pem'=${CERTS_DIR}/admin_operator.pem \
--set-file 'secret.certs.files.admin_operator\.key\.pem'=${CERTS_DIR}/admin_operator.key.pem \
--set-file 'secret.certs.files.certifier\.pem'=${CERTS_DIR}/certifier.pem \
--set-file 'secret.certs.files.certifier\.key'=${CERTS_DIR}/certifier.key \
--set-file 'secret.certs.files.nms_nginx\.pem'=${CERTS_DIR}/controller.crt \
--set-file 'secret.certs.files.nms_nginx\.key\.pem'=${CERTS_DIR}/controller.key \
--set=docker.registry=${IMAGE_REGISTRY_URL} \
--set=docker.username=${IMAGE_REGISTRY_USERNAME} \
--set=docker.password=${IMAGE_REGISTRY_PASSWORD} |
kubectl apply -f -
Optional: fluentd secrets
To use fluentd on the minikube deployment, create additional fluentd secrets
cd ${CERTS_DIR}
openssl genrsa -out fluentd.key 2048
openssl req -new -key fluentd.key -out fluentd.csr -subj "/C=US/CN=fluentd.$domain"
openssl x509 -req -in fluentd.csr -CA certifier.pem -CAkey certifier.key -CAcreateserial -out fluentd.pem -days 3650 -sha256
Apply the secrets
cd ${MAGMA_ROOT}/orc8r/cloud/helm/orc8r
helm template orc8r charts/secrets \
--namespace orc8r \
--set-file 'secret.certs.files.fluentd\.pem'=${CERTS_DIR}/fluentd.pem \
--set-file 'secret.certs.files.fluentd\.key'=${CERTS_DIR}/fluentd.key |
kubectl apply -f -
Create values file
A minimal values file is at ${MAGMA_ROOT}/orc8r/cloud/helm/orc8r/examples/minikube.values.yaml
- Copy that file to
${MAGMA_ROOT}/orc8r/cloud/helm/orc8r.values.yaml - Replace
IMAGE_REGISTRY_URLwith your registry andIMAGE_TAGwith your tag - Make additional edits as desired
Install charts
This section describes how to install based on local charts. However, you can also install charts from the official chart repositories
- Stable: https://linuxfoundation.jfrog.io/artifactory/magma-helm-prod/
- Test: https://linuxfoundation.jfrog.io/artifactory/magma-helm-test/
Install base orc8r chart
cd ${MAGMA_ROOT}/orc8r/cloud/helm/orc8r
helm dep update
helm upgrade --install --namespace orc8r --values ${MAGMA_ROOT}/orc8r/cloud/helm/orc8r.values.yaml orc8r .
Optionally install other charts, like the lte charts, similarly
cd ${MAGMA_ROOT}/lte/cloud/helm/lte-orc8r
helm dep update
helm upgrade --install --namespace orc8r --values ${MAGMA_ROOT}/orc8r/cloud/helm/lte.values.yaml lte .
Optionally install the fluentd charts by editing the file at ${MAGMA_ROOT}/orc8r/cloud/helm/orc8r/charts/logging/values.yaml
fluentd_daemon:
create: true
image:
repository: IMAGE_REGISTRY_URL
tag: IMAGE_TAG
pullPolicy: IfNotPresent
env:
elastic_host: "host.minikube.internal"
elastic_port: "9200"
elastic_scheme: "http"
fluentd_forward:
create: true
# Domain-proxy output
dp_output: true
replicas: 1
nodeSelector: {}
tolerations: []
affinity: {}
image:
repository: IMAGE_REPOSITORY
tag: IMAGE_TAG
pullPolicy: IfNotPresent
env:
elastic_host: "host.minikube.internal"
elastic_port: "9200"
elastic_scheme: "http"
elastic_flush_interval: 5s
Replace IMAGE_REGISTRY_URL with your registry and IMAGE_TAG with your tag.
Then install the charts
helm upgrade --install --namespace orc8r --values ${MAGMA_ROOT}/orc8r/cloud/helm/orc8r.values.yaml orc8r .
It may take a couple minutes before all pods are finished being created, but if successful, you should get something like this
$ kubectl --namespace orc8r get pods
NAME READY STATUS RESTARTS AGE
mysql-57955549d5-n69pd 1/1 Running 0 6m14s
nms-magmalte-7c84667c4c-pvtlj 1/1 Running 0 2m58s
nms-nginx-proxy-5b86f479f7-lvjpn 1/1 Running 0 2m58s
orc8r-alertmanager-57d5d6ccc4-ht4n4 1/1 Running 0 2m58s
orc8r-alertmanager-configurer-76cf8f8f57-rmwjf 1/1 Running 0 2m58s
orc8r-controller-fdf59f456-vvqr2 1/1 Running 0 2m58s
orc8r-nginx-7d6c78647-n6d8z 1/1 Running 0 2m58s
orc8r-prometheus-77dccb799b-w9z6z 1/1 Running 0 2m58s
orc8r-prometheus-cache-6d647df4d9-2wqkc 1/1 Running 0 2m58s
orc8r-prometheus-configurer-6d6d987c88-pgm87 1/1 Running 0 2m58s
orc8r-user-grafana-6498bb6959-rchx5 1/1 Running 0 2m58s
postgresql-0 1/1 Running 4 6d23h
If using fluentd, there should be the pods orc8r-fluentd-forward and orc8r-fluentd-daemon as well
$ kubectl --namespace orc8r get pods
NAME READY STATUS RESTARTS AGE
mysql-57955549d5-n69pd 1/1 Running 0 6m14s
nms-magmalte-7c84667c4c-pvtlj 1/1 Running 0 2m58s
nms-nginx-proxy-5b86f479f7-lvjpn 1/1 Running 0 2m58s
orc8r-alertmanager-57d5d6ccc4-ht4n4 1/1 Running 0 2m58s
orc8r-alertmanager-configurer-76cf8f8f57-rmwjf 1/1 Running 0 2m58s
orc8r-controller-fdf59f456-vvqr2 1/1 Running 0 2m58s
orc8r-fluentd-forward-54794d4d86-599lv 1/1 Running 0 2m58s
orc8r-nginx-7d6c78647-n6d8z 1/1 Running 0 2m58s
orc8r-prometheus-77dccb799b-w9z6z 1/1 Running 0 2m58s
orc8r-prometheus-cache-6d647df4d9-2wqkc 1/1 Running 0 2m58s
orc8r-prometheus-configurer-6d6d987c88-pgm87 1/1 Running 0 2m58s
orc8r-user-grafana-6498bb6959-rchx5 1/1 Running 0 2m58s
postgresql-0 1/1 Running 4 6d23h
$ kubectl --namespace kube-system get pods
NAME READY STATUS RESTARTS AGE
coredns-74ff55c5b-xsz59 1/1 Running 0 3d
etcd-minikube 1/1 Running 0 3d
kube-apiserver-minikube 1/1 Running 0 3d
kube-controller-manager-minikube 1/1 Running 0 3d
kube-proxy-cp6s5 1/1 Running 0 3d
kube-scheduler-minikube 1/1 Running 0 3d
orc8r-fluentd-daemon-b7wpt 1/1 Running 0 4h
registry-46g6n 1/1 Running 0 3d
registry-proxy-n6kml 1/1 Running 0 3d
storage-provisioner 1/1 Running 0 3d
Optionally, start the elasticsearch and kibana containers which handle the logs aggregated by fluentd
cd ${MAGMA_ROOT}/cloud/docker
./run.py
Access logs through Kibana
The Orchestrator logs aggregated by fluentd can be accessed via Kibana in the web browser under http://localhost:5601/.
There should be two index patterns: fluentd (from fluentd-forward) and logstash (from fluentd-daemon).
The logstash index pattern collects all logs from the Orchestrator, and fluentd the logs from connected gateways.
Configure
Access Orc8r
Create an Orc8r admin user
kubectl exec -it --namespace orc8r deploy/orc8r-orchestrator -- \
/var/opt/magma/bin/accessc \
add-existing -admin -cert /var/opt/magma/certs/admin_operator.pem \
admin_operator
Now ensure the API and your certs are working
# Tab 1 (should hang)
kubectl --namespace orc8r port-forward svc/orc8r-nginx-proxy 7443:8443 7444:8444 9443:443
# Tab 2
export CERTS_DIR=${MAGMA_ROOT}/.cache/test_certs # mirrored from above
curl \
--insecure \
--cert ${CERTS_DIR}/admin_operator.pem \
--key ${CERTS_DIR}/admin_operator.key.pem \
https://localhost:9443
# Should output: "hello"
Access NMS
Follow the instructions to create an NMS admin user
Port-forward Nginx
kubectl --namespace orc8r port-forward svc/nginx-proxy 8081:443
Log in to NMS at https://magma-test.localhost:8081 using credentials: admin@magma.test/password1234
Appendix
Minikube configs
We use the HyperKit driver on macOS instead of the default Docker driver because the former is more performant in supporting hairpin mode (via the CNI network plugin). I.e., Orc8r has some services that make requests to themselves, which requires K8s support.
You could also accomplish this with --cni=bridge --driver=docker, but this causes a 2x increase in pod startup times. Note that the HyperKit driver is not supported on Linux.