Initial draft work-in-progress bring your own cluster docs

[johnbelamaric]

/hold

Work in progress

[henderiw]

Will this purely the mgmt cluster or also the workload cluster?
If so the networking is important to be sorted not?

For google multi-networking:

https://cloud.google.com/kubernetes-engine/docs/concepts/about-multinetwork-support-for-pods

• The above on google for multi-networking works very nicely with what we did. So we should just add a google provider that provisions the networks and vpcs. The provider on the network allow to do this.

I am doing something similar but I am making it such that I can use with any cloud or even on premises. I just need a daemon with host access to create the additional interfaces. I also can do dynamic interface creation independent on the pod lifecycle.

[johnbelamaric]

For now, this is mgmt cluster. For workload clusters, it will require KCC running and a derivative of the workload cluster package. We can provision vanilla GKE clusters in that way but to do the full R1 example network on GKE, we will need to use the GKE multi-networking functionality.

Unfortunately, we can't quite do full provisioning of GKE clusters with those options yet, because that is only in public preview, and so we do not have support for it in the KCC resources for GKE clusters and node pools yet. If GKE mutli-networking goes GA, and then the KCC support is added, we can do the full cluster provisioning including the multi-network via Nephio. We can still do the workload provisioning though, integrating with the GKE multi-network API instead of the Multus API.

For GA network resources like VPCs, we already have KCC resources and so can just create packages for those.

cc @mskrocki @diviner524

[henderiw]

The provider I am talking about would indeed interact with KCC. So what it does is select the ip addresses to ensure we don't overlap between clusters, but we would use KCC resources.

One q is do we have the ability for VLANs with the multi-networking once we go GA?

[johnbelamaric]

One q is do we have the ability for VLANs with the multi-networking once we go GA?

I don't think so, I don't see anything in the docs about VLAN support. Do the workloads need to be VLAN-aware? Isn't simply attaching the right interfaces to the Pods enough, regardless of the underlying technology to keep the traffic sorted?

Limitations: https://cloud.google.com/kubernetes-engine/docs/how-to/setup-multinetwork-support-for-pods#general-limitations

[henderiw]

No we don't need VLANs per se. Was just wondering. They are used in enterprise scenario's, but this is always a chicken and egg discussion with multi-tenant vs non multi-tenant UPF. What we see a lot is the current solutions are not optimal for single tenant as the resource consumption is too high.

[adetalhouet]

I still need to review from Nephio Stock Repositories

[adetalhouet]

I believe you need to deploy the resource backend first;

 kpt pkg get --for-deployment https://github.com/nephio-project/nephio-example-packages.git/resource-backend@v1.0.1
 kpt fn render resource-backend/
 kpt live init resource-backend/
 kpt live apply resource-backend/ --reconcile-timeout 15m --output=table

without it, the nephio controller fails with

2023-08-22T23:04:39.604Z ERROR controller-runtime.source.EventHandler failed to get informer from cache {"error": "failed to get API group resources: unable to retrieve the complete list of server APIs: ipam.resource.nephio.org/v1alpha1: the server could not find the requested resource"}
2023-08-22T23:04:39.605Z ERROR controller-runtime.source.EventHandler failed to get informer from cache {"error": "failed to get API group resources: unable to retrieve the complete list of server APIs: vlan.resource.nephio.org/v1alpha1: the server could not find the requested resource"}
2023-08-22T23:04:39.606Z ERROR controller-runtime.source.EventHandler failed to get informer from cache {"error": "failed to get API group resources: unable to retrieve the complete list of server APIs: inv.nephio.org/v1alpha1: the server could not find the requested resource"}
2023-08-22T23:04:39.616Z ERROR controller-runtime.source.EventHandler failed to get informer from cache {"error": "failed to get API group resources: unable to retrieve the complete list of server APIs: inv.nephio.org/v1alpha1: the server could not find the requested resource"}

I believe gittea should be deployed before the nephio-controllers as well

 kpt pkg get --for-deployment https://github.com/nephio-project/nephio-example-packages.git/gitea@v1.0.1
 kpt fn render gitea/
 kpt live init gitea/
 kpt live apply gitea/ --reconcile-timeout 15m --output=table

This PR addresses most of the gitea issues: nephio-project/nephio-example-packages#77

[johnbelamaric]

Ok, yeah, in R2 we should try to eliminate those dependencies. We shouldn't need the resource-backend or gitea.

[adetalhouet]

Understood. but for now, the BYOC workflow should bring the dependencies before installing nephio-controller

[johnbelamaric]

I think if we turn off the repo provisioning reconciler, we may not need to install Gitea. But for now we can just require it, and refine in R2.

[adetalhouet]

For some reason I'm getting OOMKilled on the nephio-controller. Had to bump the limit to 256Mi
Once fixed, I encountered, hence the comment above for gitea.

2023-08-22T23:16:05.836Z ERROR Cannot get secret, please follow README and create the gitea secret {"error": "secrets \"git-user-secret\" not found"}

[johnbelamaric]

Yeah, I didn't really check in detail. I wonder if the OOM kill is due to some leak in the error handling code.

[adetalhouet]

OOM kill happened once I was passed the errors; i.e. OOM kill with 124Mi running normally.

[adetalhouet]

FYI - none of that configuration is needed for OpenShift, as the underlying Service will be exposed through a Route.

[johnbelamaric]

Maybe we should just assume a Gateway or Ingress implementation?

[adetalhouet]

Yes, this would be a fair assumption.

[johnbelamaric]

By "that" you mean the LB piece, right? Because I think you need the URL piece in order for Backstage to work properly, don't you? I think you probably also need it for OAuth or OIDC to work.

[adetalhouet]

So far, having everything set to localhost is working fine for me. Not sure it is necessary to change the URL when it is fronted with an Ingress. Same for OIDC; based on my testing so far.

[johnbelamaric]

oo, nice

[johnbelamaric]

@adetalhouet I am thinking of re-organizing this into a few opinionated examples, instead of trying to allow a separate choice for each component. So, I am thinking of reworking this as:

• A discussion of the different components and options, and how they fit together, without details on setting each up.
• A separate page for each opinionated environment: one for GCP, one for OpenShift, etc.

Each opinionated environment would pick specific solutions, and show how to set it up with that. We can even create separate package repositories that create derivative packages based on the R1 originals. For example, for the GCP one, I would swap out KinD CAPI clusters with GKE-based clusters provisioned by KCC (which in fact will have a separate repository, and not use the mgmt repository for GCP infrastructure deployment).

I think that will be a lot simpler. Over time, if needed, we can grow create slightly different environments (choose GitHub instead of Gitea, for example). But I think if we just have a couple good examples: Nephio-in-a-box (current R1 demo), GCP, OpenShift, maybe if someone wants to do EKS, that will get us a long way. WDYT?

[adetalhouet]

@johnbelamaric sounds like a good idea. I'll let you finish this PR; and will submit a follow-up one for OpenShift.

[johnbelamaric]

I have reorganized this, and marked different pages as work-in-progress. Maybe we should merge it and that way we can collaboratively make edits?

See https://nephio.slack.com/archives/C03QV5ZSHL5/p1693262820452229 as well for where it is heading.

/hold cancel

[adetalhouet]

LGTM, thank you

[electrocucaracha]

I think this Gitea process will be common among the different installations, so maybe we can put it in a separated document.

[johnbelamaric]

That was my original thinking, too, but it won't be, because we need to reconfigure it based on a few different things. In particular the services (and later the secrets). We might be able to make it common enough that the only difference is the upstream package used. But I am not sure yet.

[electrocucaracha]

These are the instructions for setting up a gitea service.

[johnbelamaric]

yeah, wip. I will be adding instructions on how to modify the gitea package to work in the opinionated GCP install

[henderiw]

/lgtm

[electrocucaracha]

/lgtm

[johnbelamaric]

/approve

[nephio-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johnbelamaric

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [johnbelamaric]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment