Deploy a management cluster using the Container Cloud API¶
Caution
Since Container Cloud 2.27.3 (Cluster release 16.2.3), support
for vSphere-based clusters is suspended. For details, see
Deprecation notes.
This section contains an overview of the cluster-related objects along with
the configuration procedure of these objects during deployment of a
management cluster using Bootstrap v2 through the Container Cloud API.
Overview of the cluster-related objects in the Container Cloud API/CLI¶
The following cluster-related objects are available through the Container
Cloud API. Use these objects to deploy a management cluster using the
Container Cloud API.
Region and provider names for a management cluster and all related
objects. First object to create in the bootstrap cluster. For
the bootstrap region definition, see Introduction.
ProviderCredentials
Provider credentials to access cloud infrastructure where the
Container Cloud machines are deployed. Before Container Cloud 2.26.0
(Cluster releases 17.1.0 and 16.1.0), requires the region name label.
SSHKey
Optional. SSH configuration with any number of SSH public keys to be
added to cluster machines.
By default, any bootstrap cluster has a pregenerated bootstrap-key
object to use for the cluster configuration. This is the service SSH key
used by the Bootstrap Controller to access machines for their
deployment. The private part of bootstrap-key is always saved to
kaas-bootstrap/ssh_key.
Proxy
Proxy configuration. Mandatory for offline environments with no direct
access to the Internet. Such configuration usually contains proxy for
the bootstrap cluster and already has the bootstrap-proxy object
to use in the cluster configuration by default.
Provider-specific configuration for a management cluster. Before
Container Cloud 2.26.0 (Cluster releases 17.1.0 and 16.1.0), requires
the region name label with the name of the BootstrapRegion object.
Machine
Machine configuration that must fit the following requirements:
Role - only manager
Number - odd for the management cluster HA
Mandatory labels - provider, cluster-name, and region
Note
The kaas.mirantis.com/region label is removed from all
Container Cloud objects in 2.26.0 (Cluster releases 17.1.0 and 16.1.0).
Therefore, do not add the label starting these releases. On existing
clusters updated to these releases, or if manually added, this label will
be ignored by Container Cloud.
ServiceUser
Service user is the initial user to create in Keycloak for
access to a newly deployed management cluster. By default, it has the
global-admin, operator (namespaced), and bm-pool-operator
(namespaced) roles.
You can delete serviceuser after setting up other required users with
specific roles or after any integration with an external identity provider,
such as LDAP.
BareMetalHost
For the bare metal provider only. Information about hardware
configuration of a machine. Required for further machine selection
during bootstrap. For details, see API Reference: BareMetalHost.
BareMetalHostCredential
For the bare metal provider only. The object is created for each
BareMetalHost and contains information about the Baseboard
Management Controller (bmc) credentials. For details,
see API Reference: BareMetalHostCredential.
BareMetalHostProfile
For the bare metal provider only. Provisioning and configuration
settings of the storage devices and the operating system. For details,
see API Reference: BareMetalHostProfile.
L2Template
For the bare metal provider only. Advanced host networking configuration
for clusters, which enables, for example, creation of bond interfaces
on top of physical interfaces on the host or the use of multiple subnets
to separate different types of network traffic. For details, see
API Reference: L2Template.
MetalLBConfig
For the bare metal provider only. Default and mandatory object for the
MetalLB configuration. For details, see
API Reference: MetalLBConfig.
Before Container Cloud 2.27.0 (Cluster releases 17.2.0 and 16.2.0)
contains a reference to the MetalLBConfigTemplate object, which is
deprecated in 2.27.0.
MetalLBConfigTemplate
For the bare metal provider only. Deprecated in Container Cloud 2.27.0
(17.2.0 and 16.2.0). Before Container Cloud 2.27.0, default object for
the MetalLB configuration, which enables the use of Subnet objects
to define MetalLB IP address pools. For details, see
API Reference: MetalLBConfigTemplate.
Subnet
For the bare metal provider only. Configuration for IP address
allocation for cluster nodes. For details, see
API Reference: Subnet.
Since Container Cloud 2.27.3 (Cluster release 16.2.3), support
for vSphere-based clusters is suspended. For details, see
Deprecation notes.
The following procedure describes how to prepare and deploy a management
cluster using Bootstrap v2 by operating YAML templates available in the
kaas-bootstrap/templates/ folder.
If you deploy Container Cloud on top of MOSK Victoria with Tungsten Fabric
and use the default security group for newly created load balancers, add the
following rules for the Kubernetes API server endpoint, Container Cloud
application endpoint, and for the MKE web UI and API using the OpenStack CLI:
direction='ingress'
ethertype='IPv4'
protocol='tcp'
remote_ip_prefix='0.0.0.0/0'
port_range_max and port_range_min:
'443' for Kubernetes API and Container Cloud application endpoints
'6443' for MKE web UI and API
Verify access to the target cloud endpoint from Docker. For example:
Depending on the selected provider, navigate to one of the following
locations:
Bare metal: kaas-bootstrap/templates/bm
OpenStack: kaas-bootstrap/templates
Warning
The kubectl apply command automatically saves the
applied data as plain text into the
kubectl.kubernetes.io/last-applied-configuration annotation of the
corresponding object. This may result in revealing sensitive data in this
annotation when creating or modifying objects containing credentials.
Such Container Cloud objects include:
BareMetalHostCredential
ClusterOIDCConfiguration
License
OpenstackCredential
Proxy
ServiceUser
TLSConfig
Therefore, do not use kubectl apply on these objects.
Use kubectl create, kubectl patch, or
kubectl edit instead.
If you used kubectl apply on these objects, you
can remove the kubectl.kubernetes.io/last-applied-configuration
annotation from the objects using kubectl edit.
Create the BootstrapRegion object by modifying
bootstrapregion.yaml.template.
Configuration of bootstrapregion.yaml.template
Select from the following options:
Since Container Cloud 2.26.0 (Cluster releases 16.1.0 and 17.1.0),
set the required <providerName> and use the default
<regionName>, which is region-one.
Before Container Cloud 2.26.0, set the required <providerName>
and <regionName>.
For the OpenStack provider only. Create the Credentials object by
modifying <providerName>-config.yaml.template.
Configuration for OpenStack credentials
Add the provider-specific parameters:
Parameter
Description
SET_OS_AUTH_URL
Identity endpoint URL.
SET_OS_USERNAME
OpenStack user name.
SET_OS_PASSWORD
Value of the OpenStack password. This field is available only
when the user creates or changes password. Once the controller
detects this field, it updates the password in the secret and
removes the value field from the OpenStackCredential
object.
SET_OS_PROJECT_ID
Unique ID of the OpenStack project.
Skip this step since Container Cloud 2.26.0. Before this release, set
the kaas.mirantis.com/region:<regionName> label that must match
the BootstrapRegion object name.
Skip this step since Container Cloud 2.26.0. Before this release, set
the kaas.mirantis.com/regional-credential label to "true"
to use the credentials for the management cluster deployment. For
example, for OpenStack:
The output of the command must be "true". Otherwise, fix the issue
with credentials before proceeding to the next step.
Create the ServiceUser object by modifying
serviceusers.yaml.template.
Configuration of serviceusers.yaml.template
Service user is the initial user to create in Keycloak for
access to a newly deployed management cluster. By default, it has the
global-admin, operator (namespaced), and bm-pool-operator
(namespaced) roles.
You can delete serviceuser after setting up other required users with
specific roles or after any integration with an external identity provider,
such as LDAP.
The region label must match the BootstrapRegion object name.
Note
The kaas.mirantis.com/region label is removed from all
Container Cloud objects in 2.26.0 (Cluster releases 17.1.0 and 16.1.0).
Therefore, do not add the label starting these releases. On existing
clusters updated to these releases, or if manually added, this label will
be ignored by Container Cloud.
Configure and apply the cluster configuration using cluster deployment
templates:
In cluster.yaml.template, set mandatory cluster labels:
The kaas.mirantis.com/region label is removed from all
Container Cloud objects in 2.26.0 (Cluster releases 17.1.0 and 16.1.0).
Therefore, do not add the label starting these releases. On existing
clusters updated to these releases, or if manually added, this label will
be ignored by Container Cloud.
Configure provider-specific settings as required.
Bare metal
Inspect the default bare metal host profile definition in
templates/bm/baremetalhostprofiles.yaml.template and adjust it to fit
your hardware configuration. For details, see Customize the default bare metal host profile.
Warning
Any data stored on any device defined in the fileSystems
list can be deleted or corrupted during cluster (re)deployment. It happens
because each device from the fileSystems list is a part of the
rootfs directory tree that is overwritten during (re)deployment.
Examples of affected devices include:
A raw device partition with a file system on it
A device partition in a volume group with a logical volume that has a
file system on it
An mdadm RAID device with a file system on it
An LVM RAID device with a file system on it
The wipe field (deprecated) or wipeDevice structure (recommended
since Container Cloud 2.26.0) have no effect in this case and cannot
protect data on these devices.
Therefore, to prevent data loss, move the necessary data from these file
systems to another server beforehand, if required.
In templates/bm/baremetalhosts.yaml.template, update the bare metal host
definitions according to your environment configuration. Use the reference
table below to manually set all parameters that start with SET_.
Note
Before Container Cloud 2.26.0 (Cluster releases 17.1.0 and 16.1.0),
also set the name of the bootstrapRegion object from
bootstrapregion.yaml.template for the kaas.mirantis.com/region label
across all objects listed in templates/bm/baremetalhosts.yaml.template.
The MAC address of the first master node in the PXE network.
ac:1f:6b:02:84:71
SET_MACHINE_0_BMC_ADDRESS
The IP address of the BMC endpoint for the first master node in
the cluster. Must be an address from the OOB network
that is accessible through the management network gateway.
The MAC address of the second master node in the PXE network.
ac:1f:6b:02:84:72
SET_MACHINE_1_BMC_ADDRESS
The IP address of the BMC endpoint for the second master node in
the cluster. Must be an address from the OOB network
that is accessible through the management network gateway.
The MAC address of the third master node in the PXE network.
ac:1f:6b:02:84:73
SET_MACHINE_2_BMC_ADDRESS
The IP address of the BMC endpoint for the third master node in
the cluster. Must be an address from the OOB network
that is accessible through the management network gateway.
The parameter requires a user name and password in plain text.
Configure cluster network:
Important
Bootstrap V2 supports only separated
PXE and LCM networks.
To ensure successful bootstrap, enable asymmetric routing on the interfaces
of the management cluster nodes. This is required because the seed node
relies on one network by default, which can potentially cause
traffic asymmetry.
In the kernelParameters section of
bm/baremetalhostprofiles.yaml.template, set rp_filter to 2.
This enables loose mode as defined in
RFC3704.
Example configuration of asymmetric routing
...kernelParameters:...sysctl:# Enables the "Loose mode" for the "k8s-lcm" interface (management network)net.ipv4.conf.k8s-lcm.rp_filter:"2"# Enables the "Loose mode" for the "bond0" interface (PXE network)net.ipv4.conf.bond0.rp_filter:"2"...
Note
More complicated solutions that are not described in this manual
include getting rid of traffic asymmetry, for example:
Configure source routing on management cluster nodes.
Plug the seed node into the same networks as the management cluster nodes,
which requires custom configuration of the seed node.
Update the network objects definition in
templates/bm/ipam-objects.yaml.template according to the environment
configuration. By default, this template implies the use of separate PXE
and life-cycle management (LCM) networks.
Manually set all parameters that start with SET_.
For configuration details of bond network interface for the PXE and management
network, see Configure NIC bonding.
Example of the default L2 template snippet for a management cluster:
In this example, the following configuration applies:
A bond of two NIC interfaces
A static address in the PXE network set on the bond
An isolated L2 segment for the LCM network is configured using
the k8s-lcm VLAN with the static address in the LCM network
The default gateway address is in the LCM network
For general concepts of configuring separate PXE and LCM networks for a
management cluster, see Separate PXE and management networks. For the latest object
templates and variable names to use, see the following tables.
The below table contains examples of mandatory parameter values to set
in templates/bm/ipam-objects.yaml.template for the network scheme that
has the following networks:
172.16.59.0/24 - PXE network
172.16.61.0/25 - LCM network
Mandatory network parameters of the IPAM objects template¶
Parameter
Description
Example value
SET_PXE_CIDR
The IP address of the PXE network in the CIDR notation. The minimum
recommended network size is 256 addresses (/24 prefix length).
172.16.59.0/24
SET_PXE_SVC_POOL
The IP address range to use for endpoints of load balancers in the PXE
network for the Container Cloud services: Ironic-API, DHCP server,
HTTP server, and caching server. The minimum required range size is
5 addresses.
172.16.59.6-172.16.59.15
SET_PXE_ADDR_POOL
The IP address range in the PXE network to use for dynamic address
allocation for hosts during inspection and provisioning.
The minimum recommended range size is 30 addresses for management
cluster nodes if it is located in a separate PXE network segment.
Otherwise, it depends on the number of managed cluster nodes to
deploy in the same PXE network segment as the management cluster nodes.
172.16.59.51-172.16.59.200
SET_PXE_ADDR_RANGE
The IP address range in the PXE network to use for static address
allocation on each management cluster node. The minimum recommended
range size is 6 addresses.
172.16.59.41-172.16.59.50
SET_MGMT_CIDR
The IP address of the LCM network for the management cluster
in the CIDR notation.
If managed clusters will have their separate LCM networks, those
networks must be routable to the LCM network. The minimum
recommended network size is 128 addresses (/25 prefix length).
172.16.61.0/25
SET_MGMT_NW_GW
The default gateway address in the LCM network. This gateway
must provide access to the OOB network of the Container Cloud cluster
and to the Internet to download the Mirantis artifacts.
172.16.61.1
SET_LB_HOST
The IP address of the externally accessible MKE API endpoint
of the cluster in the CIDR notation. This address must be within
the management SET_MGMT_CIDR network but must NOT overlap
with any other addresses or address ranges within this network.
External load balancers are not supported.
172.16.61.5/32
SET_MGMT_DNS
An external (non-Kubernetes) DNS server accessible from the
LCM network.
8.8.8.8
SET_MGMT_ADDR_RANGE
The IP address range that includes addresses to be allocated to
bare metal hosts in the LCM network for the management cluster.
When this network is shared with managed clusters, the size of this
range limits the number of hosts that can be deployed in all clusters
sharing this network.
When this network is solely used by a management cluster, the range
must include at least 6 addresses for bare metal hosts of the
management cluster.
172.16.61.30-172.16.61.40
SET_MGMT_SVC_POOL
The IP address range to use for the externally accessible endpoints
of load balancers in the LCM network for the Container Cloud
services, such as Keycloak, web UI, and so on. The minimum required
range size is 19 addresses.
172.16.61.10-172.16.61.29
SET_VLAN_ID
The VLAN ID used for isolation of LCM network. The
bootstrap.sh process and the seed node must have routable
access to the network in this VLAN.
3975
When using separate PXE and LCM networks, the management cluster
services are exposed in different networks using two separate MetalLB
address pools:
Services exposed through the PXE network are as follows:
Ironic API as a bare metal provisioning server
HTTP server that provides images for network boot and server
provisioning
Caching server for accessing the Container Cloud artifacts deployed
on hosts
Services exposed through the LCM network are all other
Container Cloud services, such as Keycloak, web UI, and so on.
The default MetalLB configuration described in the MetalLBConfigTemplate
object template of templates/bm/ipam-objects.yaml.template uses two
separate MetalLB address pools. Also, it uses the interfaces selector
in its l2Advertisements template.
Caution
When you change the L2Template object template in
templates/bm/ipam-objects.yaml.template, ensure that interfaces
listed in the interfaces field of the
MetalLBConfigTemplate.spec.templates.l2Advertisements section
match those used in your L2Template. For details about the
interfaces selector, see API Reference:
MetalLBConfigTemplate spec.
In cluster.yaml.template, update the cluster-related
settings to fit your deployment.
Optional. Enable WireGuard for traffic encryption on the Kubernetes workloads
network.
WireGuard configuration
Ensure that the Calico MTU size is at least 60 bytes smaller than the
interface MTU size of the workload network. IPv4 WireGuard uses a
60-byte header. For details, see Set the MTU size for Calico.
In templates/bm/cluster.yaml.template, enable WireGuard by adding
the secureOverlay parameter:
spec:...providerSpec:value:...secureOverlay:true
Caution
Changing this parameter on a running cluster causes a
downtime that can vary depending on the cluster size.
Adjust the templates/cluster.yaml.template parameters to suit your
deployment:
In the spec::providerSpec::value section, add the mandatory
ExternalNetworkID parameter that is the ID of an external
OpenStack network. It is required to have public Internet access
to virtual machines.
In the spec::clusterNetwork::services section, add the
corresponding values for cidrBlocks.
The kaas.mirantis.com/region label is removed from all
Container Cloud objects in 2.26.0 (Cluster releases 17.1.0 and 16.1.0).
Therefore, do not add the label starting these releases. On existing
clusters updated to these releases, or if manually added, this label will
be ignored by Container Cloud.
Configure the provider-specific settings:
Bare metal
Inspect the machines.yaml.template and adjust spec and labels of
each entry according to your deployment. Adjust
spec.providerSpec.value.hostSelector values to match BareMetalHost
corresponding to each machine. For details, see API Reference:
Bare metal Machine spec.
OpenStack
In templates/machines.yaml.template, modify the
spec:providerSpec:value section for 3 control plane nodes marked with
the cluster.sigs.k8s.io/control-plane label by substituting the
flavor and image parameters with the corresponding values
of the control plane nodes in the related OpenStack cluster. For example:
The flavor parameter value provided in the example above
is cloud-specific and must meet the Container Cloud
requirements.
Optional. Available as TechPreview. To boot cluster machines from a block
storage volume, define the following parameter in the spec:providerSpec
section of templates/machines.yaml.template:
To boot the Bastion node from a volume, add the same parameter to
templates/cluster.yaml.template in the spec:providerSpec section
for Bastion. The default amount of storage 80 is enough.
Also, modify other parameters as required.
For the bare metal provider, monitor the inspecting process of the
baremetal hosts and wait until all hosts are in the available state:
kubectlgetbmh-ogo-template='{{- range .items -}} {{.status.provisioning.state}}{{"\n"}} {{- end -}}'
Example of system response:
available
available
available
Monitor the BootstrapRegion object status and wait until it is ready.
For a more convenient system response, consider using dedicated tools such
as jq or yq and adjust the -o flag to output in
json or yaml format accordingly.
Note
For the bare metal provider, before Container Cloud 2.26.0,
the BareMetalObjectReferences condition is not mandatory and may
remain in the notready state with no effect on the
BootstrapRegion object. Since Container Cloud 2.26.0, this condition
is mandatory.
Change the directory to /kaas-bootstrap/.
Approve the BootstrapRegion object to start the cluster deployment:
Not all of Swarm and MCR addresses are usually in use. One Swarm Ingress
network is created by default and occupies the 10.0.0.0/24 address
block. Also, three MCR networks are created by default and occupy
three address blocks: 10.99.0.0/20, 10.99.16.0/20,
10.99.32.0/20.
To verify the actual networks state and addresses in use, run:
dockernetworkls
dockernetworkinspect<networkName>
Optional for the bare metal provider. If you plan to use multiple L2 segments for provisioning of managed
cluster nodes, consider the requirements specified in Configure multiple DHCP ranges using Subnet resources.