Kubernetes / OpenShift zero-config/install operation

[maxandersen]

Description

With fmp/jkube maven/gradle plugins and dekorate we have the opportunity to provide a initial experience with openshift/kubernetes that literally only require account credentials for a cluster.

we should make that happen while having a gradual way of allowing users to configure/expand to use full features of other tools.

Analysis

(links to analysis docs containing architecture design work, requirements gathering, etc)

Tasks

• POC of kubernetes/openshift build/deploy via kubernetes extension github.com/Add support for building and deploying container to Kubernetes #5496
• check and document how users will customize via jkube/dekorate
• check and document how it works with odo
• check and document how users will customize via kustomize
• check and document how works with skaffold.dev
• build container images with jib Use jib to generate container images during build phase #6007

[jclingan]

One interesting use case that came up at KubeCon is that some organizations (banks, Gov) don't allow Docker on the desktop. If this could be done in a manner that that did not require a local docker registry it would address the needs of more secure environments.

[gunnarmorling]

Might be provided via #6007

[maxandersen]

@jclingan #6007 talks about generating the container - you'll still need a registry to push to from whereever you build and then pull from it where you want to run it. With this you can do the build but still can't run it...

[emmanuelbernard]

Hey @maxandersen I'm working on the roadmap and I think this one needs work.
Can we consider it closed, should we create a different epic for the work we want to do in the next 3-6 months?

[gattytto]

the best would be an OCI compliant runtime for CRI-O, like gVisor could I sugest qVisor for the name? (just kidding). So instead of having a generic image with an embeded framework (multi-stage dockerfile), the framework could be present in a runtime binary (as a sandbox), and maybe allow the runtime binary to take arguments and use different implementations of the "vm" (sandbox-extensions like kotlin?)? I'm sorry if I'm being vague, I am new to OCI and k8s, and quarkus but I already seen Kata-containers, runc, runsc(gvisor) and maybe more runtimes available for the kuberentes. And the OCI model seems to bring a long term solution and is implemented in new version of kubernetes as the runtimeClassName annotation.

if we could have an implementation like kata-containers, it has a runtime-binary(the one cri-o contacts as a command call with arguments) that reads a config (/etc/some-kata.conf) and reads/writes to a runtime .sock systemd service that deploys and manages qemu-kvm isolated containers (and their resources using .toml config files).

related reading: https://blogs.oracle.com/weblogicserver/weblogic-announce-support-for-cri-o-container-runtime

https://youtu.be/pWyJahTWa4I?t=745

[geoand]

I added checkboxes to what has already been done.

[maxandersen]

@geoand @iocanel the one "big thing" missing in this is to have it working with but not needing kubectl/oc/docker to authenticate/build - how far are we actually from that ? can we pass in username/passwords or in case of missing kubeconfig credentials do the login and update the kubeconfig for future operations ?

[geoand]

We don't have that AFAIK.
@iocanel the client can do that can't it? So it's just of matter of supplying the proper Quarkus configuration, right?

[iocanel]

The client can use raw token for Kubernetes and Openshift. Also is able to use username/password for Openshift. For docker authentication, build and push we have lot of options. Maybe Rohan and Marc can help with that.

…

On Sun, Apr 12, 2020, 10:38 Georgios Andrianakis ***@***.***> wrote: We don't have that AFAIK. @iocanel <https://github.com/iocanel> the client can do that can't it? So it's just of matter of supplying the proper Quarkus configuration, right? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5920 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AADCEWGICHNMN4FXRHRTM43RMFVWFANCNFSM4JUYXLKA> .

[emmanuelbernard]

@maxandersen @iocanel and friends, what shoudl we target this for 1.6 or later?

[emmanuelbernard]

@maxandersen ping the pinger

[n1hility]

@maxandersen should we call this complete?

[iocanel]

For kubernetes and openshift we are ok, but we won't update the .kube/config. For docker though there are two things that are missing: - we use the docker binary under the hood. - we require a . docker/config.json The latter is possibly true for job too. Let me pick this up.

…

On Sat, Jan 16, 2021, 12:20 AM Jason T. Greene ***@***.***> wrote: @maxandersen <https://github.com/maxandersen> should we call this complete? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5920 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AADCEWG344M2XBEYJYGKVMTS2C5T7ANCNFSM4JUYXLKA> .