Tungsten Fabric: 10 minute deployment with k8s on AWS

ato edited this page May 24, 2018 · 15 revisions

Introduction

This document contains instructions to deploy a Tungsten Fabric cluster that interconnects pods orchestrated by Kubernetes. The cluster is composed of one controller node and two compute nodes, all running as EC2 VMs.

Requirements

A new AWS account starts with only the root user; creating IAM users is optional. If you are signed in as the root user, the only preparation needed is to subscribe to the CentOS 7 image. (AWS recommends an IAM user rather than the root user for day-to-day work; the Appendix lists the permissions such a user needs for this lab.)

  1. Once you have signed into the AWS console, go to the following URL: https://aws.amazon.com/marketplace/
  2. Search for CentOS and click on the "CentOS 7 (x86_64) - with Updates HVM" image. Continue to Subscribe. Accept Terms.

If you are connected as an IAM user, check the Appendix at the end of the document.

Procedure

Click the Launch Stack button below to create the CloudFormation stack:

Launch Stack

  1. Click Next. Give a name to the stack.
  2. Leave AnsibleDeployerCommit at its default value (master).
  3. Leave the AnsibleDeployerConfigURL to the default value, unless you want to change things like the topology, role distribution, container version, etc.
  4. Leave the AnsibleOrchestrator at its default value (kubernetes).
  5. Set InstallTungstenFabric to Yes.
  6. Note the InstallPassword, or change it. It becomes the root password of the Ansible host.
  7. Leave other fields at their default value. Click Next. Again, Click Next.
  8. Check "I acknowledge that AWS CloudFormation might create IAM resources". Click Create.

This creates, among other things, one EC2 instance that runs the Ansible host. The Ansible host in turn creates the three cluster VMs (one controller, two compute nodes); those VMs are not resources of the CloudFormation stack.

IMPORTANT: If you don't want to spend a fortune, when you are done with the lab make sure you manually terminate the 3 cluster VMs (deleting the stack does not remove them, because the Ansible host created them outside CloudFormation), then delete the stack, and verify that no instances are still running and no volumes are left behind.

Accessing the cluster:

First, SSH into the Ansible host as root with the password tungsten123 (or the InstallPassword you set). This is password-based root SSH on an instance with a public IP, so do not leave the default password in place, and restrict inbound SSH in the instance's security group to your own address while the lab is up.

After you have connected to the Ansible host, you can connect from there to the controller or compute nodes:

ssh centos@<ip>   # <ip> can be the public IP or the private IP of the controller/compute VM, both work
sudo -s

Accessing the Contrail webUI:

https://<controller-public-ip>:8143      admin / contrail123

Accessing the Kubernetes dashboard:

On the controller:

kubectl get pods -n kube-system -o wide | grep dashboard

Check the IP column. It shows the private IP address of the compute node where the dashboard pod is running. You need to find the associated public IP address (left to you as an exercise). Once you know it, connect to the URL:

https://<public-ip>:8443

Select the token option. Where do you get the token from? There is one in the controller's file /root/k8s_dashboard_token.txt, but it only grants read-only (view) access. For read-write access, use the token of the kubemanager service account in the contrail namespace; treat it as a cluster credential, since anyone holding it gets the same write access:

kubectl get secret -n contrail | grep kubemanager
kubectl describe secret <name> -n contrail | grep "token:" | awk '{print $2}'
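The two dashboard steps above (mapping the pod's node IP to a public IP, and pulling the kubemanager token out of the secret) as an added, runnable shell example. This is not code from the Tungsten Fabric wiki or project; it assumes a POSIX sh with GNU coreutils, and the AWS CLI with ec2:DescribeInstances only for the live fetch_instance_table helper. Every instance ID, IP address, the secret name kubemanager-token-x7k2q and the token itself are constructed for the example. Beyond the page's grep/awk pipeline, it decodes the token's JWT claims so you can confirm which service account and namespace a token belongs to before pasting it into the dashboard.

```shell
#!/bin/sh
# Added example for the dashboard steps; not part of the Tungsten Fabric wiki or
# project code. It shows (1) mapping the dashboard pod's node IP (the IP column of
# `kubectl get pods -o wide`) to the EC2 public IP, and (2) extracting the
# kubemanager token from `kubectl describe secret` output and decoding its JWT
# claims to check which service account it was minted for. All sample data is
# constructed: instance IDs, IPs, the secret name kubemanager-token-x7k2q and the
# token are made up. Assumes POSIX sh with GNU coreutils (base64 -d) and awk.

# Live query for the instance table. Needs the AWS CLI with ec2:DescribeInstances;
# SAMPLE_INSTANCE_TABLE below is a constructed stand-in for its output.
fetch_instance_table() {
    aws ec2 describe-instances \
        --query 'Reservations[].Instances[].[InstanceId,PrivateIpAddress,PublicIpAddress]' \
        --output text
}

SAMPLE_INSTANCE_TABLE="i-0aaa111 172.31.10.5 54.1.2.3
i-0bbb222 172.31.10.6 54.1.2.4
i-0ccc333 172.31.10.7 None"

# node_public_ip <private-ip>: read the table from stdin and print the matching
# public IP. Fails (exit 1) if there is no match or the instance has no public IP
# (the CLI prints "None" in that column).
node_public_ip() {
    awk -v want="$1" '$2 == want && $3 != "None" { print $3; found = 1 }
                      END { exit found ? 0 : 1 }'
}

# Print the value of the "token:" line of `kubectl describe secret` output (stdin).
extract_token_from_describe() {
    sed -n 's/^token:[[:space:]]*//p'
}

# base64url (JWT alphabet, no padding) <-> raw bytes.
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Print the decoded payload (second dot-separated part) of a JWT. The signature is
# not verified here (the API server does that); we only read the claims.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# jwt_claim <payload-json> <claim-name>: print a string claim without needing jq.
jwt_claim() {
    printf '%s' "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# check_dashboard_token <token> <service-account> <namespace>: succeed only if the
# token was minted for that service account in that namespace.
check_dashboard_token() {
    payload=$(jwt_payload "$1")
    [ "$(jwt_claim "$payload" 'kubernetes.io/serviceaccount/service-account.name')" = "$2" ] &&
    [ "$(jwt_claim "$payload" 'kubernetes.io/serviceaccount/namespace')" = "$3" ]
}

# Constructed token with the claim layout a service-account token carries.
SAMPLE_HEADER='{"alg":"RS256","kid":""}'
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"contrail","kubernetes.io/serviceaccount/secret.name":"kubemanager-token-x7k2q","kubernetes.io/serviceaccount/service-account.name":"kubemanager","sub":"system:serviceaccount:contrail:kubemanager"}'
SAMPLE_TOKEN="$(b64url_encode "$SAMPLE_HEADER").$(b64url_encode "$SAMPLE_PAYLOAD").$(b64url_encode 'constructed-signature')"

# Constructed `kubectl describe secret kubemanager-token-x7k2q -n contrail` output.
SAMPLE_DESCRIBE="Name:         kubemanager-token-x7k2q
Namespace:    contrail
Type:         kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  8 bytes
token:      $SAMPLE_TOKEN"

# Demo on the constructed data. On the controller, feed fetch_instance_table and the
# real kubectl output into the same functions instead.
DASHBOARD_NODE_IP=172.31.10.6
PUBLIC_IP=$(printf '%s\n' "$SAMPLE_INSTANCE_TABLE" | node_public_ip "$DASHBOARD_NODE_IP") &&
    echo "dashboard: https://$PUBLIC_IP:8443"
TOKEN=$(printf '%s\n' "$SAMPLE_DESCRIBE" | extract_token_from_describe)
if check_dashboard_token "$TOKEN" kubemanager contrail; then
    echo "token belongs to contrail/kubemanager (read-write); use it for the dashboard login"
else
    echo "token claims do not match contrail/kubemanager, refusing to use it" >&2
fi
```

The claim check is the part worth keeping: `grep kubemanager` over the secret list can match more than one secret, and a token copied from the wrong one still logs you in, just with different rights. Reading the service-account and namespace claims before use catches that without trusting the secret's name.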

Take your time to browse the dashboard. During the next exercises, you can choose to do some tasks on the web instead of (or in addition to) the CLI.

Appendix: IAM Users

If you sign in as an IAM user instead of the root account, you need to grant that user additional privileges. The policy below uses "*" wildcards, including iam:*, and is close to administrator access; attach it only for the duration of the lab and remove it afterwards.

  • Log on to the AWS console.
  • In the AWS services search at the top left of the console, look for IAM and select it.
  • On the left navigation bar, click on the user whose privileges you need to change.
  • At the right bottom, click Add inline policy.
  • Go to the JSON tab, and replace the content with the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "aws-marketplace:*",
                "sns:*",
                "s3:*",
                "ec2:*",
                "elasticloadbalancing:*",
                "cloudwatch:*",
                "autoscaling:*",
                "iam:*"
            ],
            "Resource": "*"
        }
    ]
}
  • Review policy. Add policy name. Create policy.