Using a9s Kubernetes

This topic describes how developers use a9s Kubernetes.

Use a9s Kubernetes with kubectl

To use a9s Kubernetes with kubectl, create a service instance and a Service Key. For more information on managing service instances, see Managing Service Instances with the cf CLI.

View the a9s Kubernetes Service

After the service is installed, a9s-kubernetes and its service plans appear in your CF marketplace. Run cf marketplace to see the service listing:

$ cf marketplace
Getting services from marketplace in org test / space test as admin...
OK
service               plans                                                     description
a9s-kubernetes    kubernetes-single-small  This is a service creating and managing dedicated Kubernetes service instances and clusters, powered by the anynines Service Framework.

Create a Service Instance

To provision a Kubernetes service, run cf create-service. For example:

$ cf create-service a9s-kubernetes kubernetes-single-small my-kubernetes-service

Depending on your infrastructure and service broker utilization, it may take several minutes to create the service instance.

Run the cf services command to view the creation status. This command displays a list of all your service instances. To view the status of a specific service instance, run cf service NAME-OF-YOUR-SERVICE.

Create a Service Key

After your Kubernetes service is created, run cf create-service-key NAME-OF-YOUR-SERVICE NAME-OF-SERVICE-KEY to create a Service Key for your Kubernetes Service:

$ cf create-service-key my-kubernetes-service my-service-key

Obtain Service Instance Access Credentials

After a Service Key is created, the credentials of your Kubernetes service can be displayed by running cf service-key NAME-OF-YOUR-SERVICE NAME-OF-SERVICE-KEY:

$ cf service-key my-kubernetes-service my-service-key
Getting key my-service-key for service instance my-kubernetes-service as admin...
OK

{
 "certificate-authority": "EXAMPLE_CERTIFICATE_AUTHORITY",
 "certificate-authority-data": "EXAMPLE_CERTIFICATE_AUTHORITY_DATA",
 "deployment_name": "EXAMPLE_DEPLOYMENT_NAME",
 "kubeconfig": "KUBECONFIG_STRING",
 "kubernetes_api": "EXAMPLE_KUBERNETES_API",
 "service_guid": "EXAMPLE_SERVICE_GUID",
 "token": "EXAMPLE_TOKEN",
 "username": "EXAMPLE_USERNAME"
}

You need the kubernetes_api, username, token and either certificate-authority or certificate-authority-data values to connect to our Kubernetes Service with kubectl. The certificate-authority is the CA file in PEM format, which can be saved in a file and used in the kubeconfig file with certificate-authority. The certificate-authority-data is the certificate-authority Base64 encoded and can be used in the kubeconfig file with certificate-authority-data.

Connect to Kubernetes with kubectl

Important: For ease of use, the Kubernetes plan now provides developers with a kubectl config file within the service key. To use it, simply save the string to your kubeconfig path as described below.

The kubeconfig string contains unescaped '\n'. To easily remove them, just use:

echo "paste here the copied kubeconfig" > new_kubeconfig.yaml

It is also possible to create the config file by hand according to the template underneath. All necessary values ('EXAMPLE_...' in the template) are contained in the service key.

apiVersion: v1
kind: Config
clusters:
- cluster:
    server: "EXAMPLE_KUBERNETES_API"
    #Either use `certificate-authority-data` OR `certificate-authority`
    certificate-authority-data: "EXAMPLE_CERTIFICATE_AUTHORITY_DATA"
    certificate-authority: /path/to/file/with/content/of/EXAMPLE_CERTIFICATE_AUTHORITY
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: "EXAMPLE_USERNAME"
  name: context
current-context: context
users:
- name: "EXAMPLE_USERNAME"
  user:
    token: "EXAMPLE_TOKEN"

Use the following command to connect to your Kubernetes Cluster by using the previously created config file:

$ kubectl --kubeconfig=/path/to/kube.conf get all

Currently, TLS verification needs to be disabled, since the certificate could not be delivered to the customer.
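The steps above (taking the kubeconfig string from the service key, or filling the template by hand) can be scripted so that the token is never pasted into a shell command. The following is an added example, not part of the a9s documentation; the sample output, the host name and the function names are constructed for illustration.

```python
import json
import os

# Constructed `cf service-key` output; every value is a placeholder, not a real credential.
SAMPLE_OUTPUT = r"""Getting key my-service-key for service instance my-kubernetes-service as admin...
OK

{
 "certificate-authority-data": "RVhBTVBMRQ==",
 "kubeconfig": "apiVersion: v1\nkind: Config\n",
 "kubernetes_api": "https://k8s.example.invalid:6443",
 "token": "EXAMPLE_TOKEN",
 "username": "EXAMPLE_USERNAME"
}
"""
REQUIRED = ("kubernetes_api", "username", "token", "certificate-authority-data")

def parse_service_key(output):
    """Skip the CLI preamble ("Getting key ...", "OK") and parse the JSON object."""
    start = output.find("{")
    if start < 0:
        raise ValueError("no JSON object found in cf service-key output")
    return json.loads(output[start:])

def render_kubeconfig(creds):
    """Fill the template from this page; json.dumps emits valid YAML double-quoted scalars."""
    missing = [k for k in REQUIRED if not creds.get(k)]
    if missing:
        raise ValueError("service key lacks: " + ", ".join(missing))
    q = json.dumps
    return (
        "apiVersion: v1\nkind: Config\nclusters:\n- cluster:\n"
        f"    server: {q(creds['kubernetes_api'])}\n"
        f"    certificate-authority-data: {q(creds['certificate-authority-data'])}\n"
        "  name: kubernetes\ncontexts:\n- context:\n    cluster: kubernetes\n"
        f"    user: {q(creds['username'])}\n  name: context\n"
        "current-context: context\nusers:\n"
        f"- name: {q(creds['username'])}\n  user:\n    token: {q(creds['token'])}\n"
    )

def kubeconfig_text(creds):
    """Prefer the ready-made kubeconfig string; json.loads already decoded its \\n escapes."""
    return creds.get("kubeconfig") or render_kubeconfig(creds)

def write_private(path, text):
    """Write with mode 0600 so other local users cannot read the bearer token."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # tighten the mode if the file already existed
```

Feed the real output of cf service-key to parse_service_key, pass the result of kubeconfig_text to write_private, and point kubectl --kubeconfig at the written file.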

Use Image from Harbor

If you want to make a deployment based on an image from a Harbor service, perform the following steps:

1. Create a secret to grant access to the Harbor service by invoking:

   $ kubectl create secret docker-registry registry-cred --docker-server=<HARBOR URI> --docker-username=<HARBOR USER> --docker-password=<HARBOR PASSWORD> --docker-email=<EMAIL ADDRESS>

2. Create a manifest file based on the following example:

   apiVersion: v1
   kind: Pod
   metadata:
     name: private-reg
   spec:
     containers:
     - name: private-reg-container
       image: <IMAGE>
     imagePullSecrets:
     - name: registry-cred

3. Trigger deployment with kubectl create -f <MANIFEST FILE>
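The registry-cred secret from step 1 can also be built as a manifest, which keeps the Harbor password out of the command line and shell history. This is an added example, not part of the a9s documentation; the function name, host and account values are hypothetical.

```python
import base64
import json

def registry_secret_manifest(server, username, password, email, name="registry-cred"):
    """Build the same kind of Secret that `kubectl create secret docker-registry` creates."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    docker_config = {"auths": {server: {
        "username": username, "password": password, "email": email, "auth": auth}}}
    encoded = base64.b64encode(json.dumps(docker_config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        # base64 is an encoding, not encryption: read access to the Secret reveals the password
        "data": {".dockerconfigjson": encoded},
    }

if __name__ == "__main__":
    import getpass
    # Hypothetical Harbor host and account; the password is prompted for, so it never appears in argv.
    manifest = registry_secret_manifest(
        "harbor.example.invalid", "EXAMPLE_USER",
        getpass.getpass("Harbor password: "), "user@example.invalid")
    print(json.dumps(manifest, indent=2))  # kubectl accepts JSON: pipe into `kubectl apply -f -`
```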

Access Cluster using the Dashboard

The Kubernetes plan can be used with the Kubernetes Web UI (Dashboard). The dashboard can be accessed via the dashboard_url provided inside the service key binding.

Delete an a9s Kubernetes Service Instance

Before you can delete a service instance, you must delete all existing Service Keys associated with that service instance.

List Service Keys for Service Instance

Run cf service-keys NAME-OF-YOUR-SERVICE to list all Service Keys for the respective service.

$ cf service-keys my-kubernetes-service

Getting keys for service instance my-kubernetes-service as admin...

name
my-service-key

Delete Service Keys for Service Instance

Run cf delete-service-key to delete the service key.

$ cf delete-service-key my-kubernetes-service my-service-key

Delete a Service Instance

After deleting all Service Keys, you can run cf delete-service to delete the service:

$ cf delete-service my-kubernetes-service

It may take several minutes to delete the service. Deleting a service deprovisions the corresponding infrastructure resources. Run the cf services command to view the deletion status.

Upgrade the Service Instance to another Service Plan

Once created, you can upgrade your service instance to another, larger service plan. A larger service plan provides more CPU, RAM and storage. For more information, see the Update a Service Instance section of the Managing Service Instances with the cf CLI topic.

$ cf update-service my-kubernetes-service -p a-bigger-plan

Here are the plans you can upgrade to depending on the one you are currently using:

TODO when out of beta and there is more than just one plan.

Cloud Foundry Application Security Groups

This topic describes how to check whether a security group was created.

Each a9s Data Service automatically creates and updates Cloud Foundry security groups in order to protect service instances from being accessed by applications not running in the same Cloud Foundry application space. For a better understanding of security groups, see the Understanding Application Security Groups topic.

Get Service Instance GUID

Run cf service INSTANCE_NAME --guid to get the guid of the service instance.

$ cf service my-kubernetes --guid
ca16f111-5073-40b7-973a-156c75dd3028

Check available Security Groups

To see all available security groups use cf security-groups.

$ cf security-groups
Getting security groups as demo@anynines.com
OK

     Name                                         Organization     Space
#0   public_networks
#1   dns
#2   tcp_open
#3   guard_432fb752-876d-443b-a311-a075f4df2237   demonstrations   demo
#4   guard_ca16f111-5073-40b7-973a-156c75dd3028   demonstrations   demo

There you can see a security group named guard_ca16f111-5073-40b7-973a-156c75dd3028 was successfully created.

NOTE: In some circumstances, the connection between the application and the service instance is not possible. In this case, check whether a security group was created.

Setup Disk Usage Alerts

Each service comes with the a9s Parachute. This component monitors ephemeral and persistent disk usage. See the a9s Parachute documentation for how to configure the component.