├── .editorconfig ├── .github └── workflows │ └── docbook.yml ├── .gitignore ├── DC-cap-guides ├── README.adoc ├── images └── src │ ├── png │ ├── stratos-app-instances-metrics.png │ ├── stratos-app-metrics-tab.png │ ├── stratos-edit-profile.png │ ├── stratos-kubernetes-node-metrics.png │ ├── stratos-kubernetes-view-caasp.png │ ├── stratos-kubernetes-view.png │ ├── stratos-profile.png │ └── stratos.png │ └── svg │ ├── cap-containerized.svg │ ├── cap-containers.svg │ ├── cap-detailed-services.svg │ ├── cap-kube.svg │ ├── cap-simple-services.svg │ └── cloud-101.svg └── xml ├── MAIN_cap_guides.xml ├── app_cf_operator_values_yaml.xml ├── app_kubecf_values_yaml.xml ├── appendix.xml ├── authors.xml ├── book_cap_guides.xml ├── cap_admin_app_autoscaler.xml ├── cap_admin_app_domains.xml ├── cap_admin_backup-restore.xml ├── cap_admin_buildpacks.xml ├── cap_admin_ccdb_key_rotation.xml ├── cap_admin_configuration_changes.xml ├── cap_admin_create_admin.xml ├── cap_admin_credhub.xml ├── cap_admin_logging.xml ├── cap_admin_memory_limits.xml ├── cap_admin_nproc_limits.xml ├── cap_admin_passwords.xml ├── cap_admin_secret_rotation.xml ├── cap_admin_service_broker.xml ├── cap_admin_uaa_ui.xml ├── cap_admin_upgrade.xml ├── cap_depl_admin_notes.xml ├── cap_depl_air_gap_registry.xml ├── cap_depl_aks.xml ├── cap_depl_caasp.xml ├── cap_depl_eirini.xml ├── cap_depl_eks.xml ├── cap_depl_gke.xml ├── cap_depl_private_registry.xml ├── cap_depl_stratos.xml ├── cap_depl_terraform.xml ├── cap_intro.xml ├── cap_kube_requirements.xml ├── cap_overview.xml ├── cap_troubleshooting.xml ├── cap_user_cf_cli.xml ├── common_copyright_gfdl.xml ├── common_gfdl1.2_i.xml ├── common_intro_available_doc_i.xml ├── common_intro_feedback_i.xml ├── common_intro_making_i.xml ├── common_intro_support_statement_i.xml ├── common_intro_target_audience_i.xml ├── common_intro_typografie_i.xml ├── common_legal.xml ├── entity-decl.ent ├── network-decl.ent ├── repeated-content-decl.ent └── schema.xml /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*.xml] 4 | end_of_line = lf 5 | insert_final_newline = false 6 | charset = utf-8 7 | indent_style = space 8 | indent_size = 1 9 | max_line_length = 80 10 | -------------------------------------------------------------------------------- /.github/workflows/docbook.yml: -------------------------------------------------------------------------------- 1 | name: Validate/build docs 2 | 3 | on: 4 | push: 5 | paths: 6 | - 'DC-*' 7 | - 'xml/**' 8 | - 'adoc/**' 9 | - 'images/src/**' 10 | - '.github/workflows/**' 11 | - '**/DC-*' 12 | - '**/xml/**' 13 | - '**/adoc/**' 14 | - '**/images/src/**' 15 | 16 | jobs: 17 | select-dc-files: 18 | runs-on: ubuntu-latest 19 | outputs: 20 | validate-list: ${{ steps.select-dc-validate.outputs.dc-list }} 21 | build-list: ${{ steps.select-dc-build.outputs.dc-list }} 22 | allow-build: ${{ steps.select-dc-build.outputs.allow-build }} 23 | relevant-branches: ${{ steps.select-dc-build.outputs.relevant-branches }} 24 | steps: 25 | - uses: actions/checkout@v2 26 | 27 | - name: Checking basic soundness of DC files 28 | uses: openSUSE/doc-ci@gha-select-dcs 29 | with: 30 | mode: soundness 31 | 32 | - name: Selecting DC files to validate 33 | id: select-dc-validate 34 | uses: openSUSE/doc-ci@gha-select-dcs 35 | with: 36 | mode: list-validate 37 | 38 | - name: Selecting DC files to build 39 | id: select-dc-build 40 | uses: openSUSE/doc-ci@gha-select-dcs 41 | with: 42 | mode: list-build 43 | original-org: SUSE 44 | 45 | validate: 46 | runs-on: ubuntu-latest 47 | needs: select-dc-files 48 | strategy: 49 | # don't cancel all validation runners when one of them fails, we want full results 50 | fail-fast: false 51 | matrix: 52 | dc-files: ${{ fromJson(needs.select-dc-files.outputs.validate-list) }} 53 | steps: 54 | - uses: actions/checkout@v2 55 | - name: Validating DC file(s) ${{ matrix.dc-files }} 56 | uses: openSUSE/doc-ci@gha-validate 57 | with: 58 | dc-files: ${{ matrix.dc-files }} 59 | validate-ids: false 60 | xml-schema: docbook51 61 | 62 | 63 | build-html: 64 | runs-on: ubuntu-latest 65 | needs: [select-dc-files, validate] 66 | if: ${{ needs.select-dc-files.outputs.allow-build == 'true' }} 67 | outputs: 68 | artifact-name: ${{ steps.build-dc.outputs.artifact-name }} 69 | artifact-dir: ${{ steps.build-dc.outputs.artifact-dir }} 70 | strategy: 71 | matrix: 72 | dc-files: ${{ fromJson(needs.select-dc-files.outputs.build-list) }} 73 | steps: 74 | - uses: actions/checkout@v2 75 | - name: Building DC file(s) ${{ matrix.dc-files }} 76 | id: build-dc 77 | uses: openSUSE/doc-ci@gha-build 78 | with: 79 | dc-files: ${{ matrix.dc-files }} 80 | - name: Uploading builds as artifact 81 | uses: actions/upload-artifact@v2 82 | with: 83 | name: ${{ steps.build-dc.outputs.artifact-name }} 84 | path: ${{ steps.build-dc.outputs.artifact-dir }}/* 85 | retention-days: 3 86 | 87 | 88 | publish: 89 | runs-on: ubuntu-latest 90 | if: ${{ success() }} 91 | needs: [select-dc-files, build-html] 92 | continue-on-error: true 93 | steps: 94 | - name: Downloading all build artifacts 95 | uses: actions/download-artifact@v2 96 | with: 97 | path: artifact-dir 98 | - name: Publishing builds on susedoc.github.io 99 | uses: openSUSE/doc-ci@gha-publish 100 | env: 101 | DEPLOY_KEY: ${{ secrets.DEPLOY_KEY_CAP }} 102 | with: 103 | artifact-path: artifact-dir 104 | relevant-dirs: ${{ needs.select-dc-files.outputs.relevant-branches }} 105 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | build/ 2 | # emacs temp/autosave 3 | \#*# 4 | .#* 5 | *~ 6 | -------------------------------------------------------------------------------- /DC-cap-guides: -------------------------------------------------------------------------------- 1 | ## ---------------------------- 2 | ## Doc Config File for SUSE CAP 3 | ## Deployment Guide 4 | ## ---------------------------- 5 | 6 | ## Basics 7 | MAIN="MAIN_cap_guides.xml" 8 | ROOTID=book-cap-guides 9 | 10 | ## Profiling 11 | #PROFOS="sles" 12 | #PROFARCH="x86_64;zseries;power;aarch64" 13 | ROLE="admin;worker;plain" 14 | 15 | ## stylesheet location 16 | STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2021-ns" 17 | FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns" 18 | -------------------------------------------------------------------------------- /README.adoc: -------------------------------------------------------------------------------- 1 | = SUSE Cloud Application Platform (CAP) Documentation 2 | 3 | image:https://travis-ci.org/SUSE/doc-cap.svg?branch=develop["Build Status", link="https://travis-ci.org/SUSE/doc-cap"] 4 | 5 | This is the source for the official SUSE Cloud Application Platform (CAP) Documentation 6 | 7 | Released versions of the documentation will be published at 8 | https://documentation.suse.com/ once available. 9 | 10 | == Branches 11 | 12 | ***On Jan 29, 2020, we changed to a new branching model. We have switched the default branch from `develop` to `master`.*** 13 | 14 | * *Use the master branch* as the basis of your commits/of new feature branches. 15 | 16 | * The *develop branch has been deleted* on the server. Do not to push to the `develop` branch. 17 | Your changes may go lost in the medium term and never make it to the proper branch. 18 | 19 | === How to Update Your Local Repository 20 | 21 | If you *created* a local clone or GitHub fork of this repo *before Jan 29, 2020, do the following*: 22 | 23 | 1. Make sure that your `master` and `develop` branches do not contain any important changes. 24 | If there are changes on either branch, export them using `git format-patch` or put them on a 25 | different branch. 26 | 27 | 1. Go to the master branch: `git checkout master` 28 | . 29 | 30 | 1. To pull the latest changes from the remote repository and to delete references to branches 31 | that do not exist anymore on the server, run the following command: `git pull --prune` 32 | . 33 | 34 | 1. Delete your local develop branch: `git branch -D develop`. 35 | 36 | 1. To check for stale local branches, run: `git branch -v`. 37 | For any branches marked as `[gone]`, check if you still need them. If not, delete them: 38 | `git branch -D BRANCHNAME` 39 | 40 | 41 | .Overview of important branches 42 | [options="header"] 43 | |================================================ 44 | | Name | Purpose 45 | | `master` | doc development (latest development version) 46 | | `maintenance/*` | maintenance for released versions 47 | |================================================ 48 | 49 | == Contributing 50 | 51 | Thank you for contributing to this repo. When creating a pull request, please follow the guidelines below: 52 | 53 | . If you want to contribute to the most recent release, create your pull request against the `master` branch (not `develop`). The `master` branch is protected. 54 | 55 | . If you want to contribute to a previous release, please create your pull request against the respective `maintenance/*` branch. These branches are also protected. 56 | 57 | . Make sure all validation (Travis CI) checks are passed. 58 | 59 | . For your pull request to be reviewed, please tag the relevant subject matter expert(s) from the development team (if applicable) and members of the documentation team. 60 | 61 | . Implement the required changes. If you have any questions, ping a documentation team member in #susedoc on RocketChat. 62 | 63 | . For help on style and structure, refer to the https://doc.opensuse.org/products/opensuse/Styleguide/opensuse_documentation_styleguide_sd/[Documentation Styleguide]. 64 | 65 | 66 | == Editing DocBook 67 | 68 | To contribute to the documentation, you need to write DocBook. 69 | 70 | * You can learn about DocBook syntax at http://docbook.org/tdg5/en/html . 71 | * SUSE documents are generally built with DAPS (package `daps`) and the 72 | SUSE XSL Stylesheets (package `suse-xsl-stylesheets`). 73 | 74 | * Install the documentation environment with the following command: 75 | + 76 | [source] 77 | ---- 78 | sudo /sbin/OneClickInstallUI https://gitlab.nue.suse.com/susedoc/doc-ymp/raw/master/Documentation.ymp 79 | ---- 80 | 81 | * Basic daps usage: 82 | ** `$ daps -d DC- validate`: Make sure what you have written is 83 | well-formed XML and valid DocBook 5 84 | ** `$ daps -d DC- pdf`: Build a PDF document 85 | ** `$ daps -d DC- html`: Build multi-page HTML document 86 | ** `$ daps -d DC- optipng`: Always optimize new PNG images 87 | ** Learn more at https://opensuse.github.io/daps 88 | -------------------------------------------------------------------------------- /images/src/png/stratos-app-instances-metrics.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SUSE/doc-cap/f695aee0d18babb46c9dca91883509c974aaccf9/images/src/png/stratos-app-instances-metrics.png -------------------------------------------------------------------------------- /images/src/png/stratos-app-metrics-tab.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SUSE/doc-cap/f695aee0d18babb46c9dca91883509c974aaccf9/images/src/png/stratos-app-metrics-tab.png -------------------------------------------------------------------------------- /images/src/png/stratos-edit-profile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SUSE/doc-cap/f695aee0d18babb46c9dca91883509c974aaccf9/images/src/png/stratos-edit-profile.png -------------------------------------------------------------------------------- /images/src/png/stratos-kubernetes-node-metrics.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SUSE/doc-cap/f695aee0d18babb46c9dca91883509c974aaccf9/images/src/png/stratos-kubernetes-node-metrics.png -------------------------------------------------------------------------------- /images/src/png/stratos-kubernetes-view-caasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SUSE/doc-cap/f695aee0d18babb46c9dca91883509c974aaccf9/images/src/png/stratos-kubernetes-view-caasp.png -------------------------------------------------------------------------------- /images/src/png/stratos-kubernetes-view.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SUSE/doc-cap/f695aee0d18babb46c9dca91883509c974aaccf9/images/src/png/stratos-kubernetes-view.png -------------------------------------------------------------------------------- /images/src/png/stratos-profile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SUSE/doc-cap/f695aee0d18babb46c9dca91883509c974aaccf9/images/src/png/stratos-profile.png -------------------------------------------------------------------------------- /images/src/png/stratos.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SUSE/doc-cap/f695aee0d18babb46c9dca91883509c974aaccf9/images/src/png/stratos.png -------------------------------------------------------------------------------- /xml/MAIN_cap_guides.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 8 | %entities; 9 | ]> 10 | 14 | 15 | 16 | &productname; &productnumber; Documentation 17 | 18 | 19 | btat@suse.com 20 | editing 21 | 22 | 23 | 24 | 25 | CAP 26 | 27 | https://github.com/SUSE/doc-cap/issues/new 28 | bug,low priority 29 | btat 30 | 31 | 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /xml/app_cf_operator_values_yaml.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 13 | Complete suse/cf-operator values.yaml File 14 | 15 | 16 | This is the complete output of helm inspect values suse/cf-operator for 17 | the current &productname; &productnumber; release. 18 | 19 | 20 | ## Default values for Quarks Operator Helm Chart. 21 | ## This is a YAML-formatted file. 22 | ## Declare variables to be passed into your templates. 23 | 24 | 25 | # applyCRD is a boolean to control the installation of CRD's. 26 | applyCRD: true 27 | 28 | cluster: 29 | # domain is the the Kubernetes cluster domain 30 | domain: "cluster.local" 31 | 32 | # fullnameOverride overrides the release name 33 | fullnameOverride: "" 34 | 35 | # image is the docker image of quarks job. 36 | image: 37 | # repository that provides the operator docker image. 38 | repository: quarks-operator 39 | # org that provides the operator docker image. 40 | org: registry.suse.com/cap 41 | # tag of the operator docker image 42 | tag: v7.2.1-0.gaeb6ef3 43 | 44 | # creates a service account for coredns-quarks, the must be unique as it is used for the cluster role too. 45 | corednsServiceAccount: 46 | create: true 47 | name: coredns-quarks 48 | 49 | # logrotateInterval is the time between logrotate calls for instance groups in minutes 50 | logrotateInterval: 1440 51 | 52 | # logLevel defines from which level the logs should be printed (trace,debug,info,warn). 53 | logLevel: debug 54 | 55 | # nameOverride overrides the chart name part of the release name 56 | nameOverride: "" 57 | 58 | # workers are the int values for running maximum number of workers of the respective controller. 59 | workers: 60 | boshdeployment: 1 61 | 62 | operator: 63 | webhook: 64 | # host under which the webhook server can be reached from the cluster 65 | host: ~ 66 | # port the webhook server listens on 67 | port: "2999" 68 | # boshDNSDockerImage is the docker image used for emulating bosh DNS (a CoreDNS image). 69 | boshDNSDockerImage: "registry.suse.com/cap/coredns:0.1.0-1.6.7-bp152.1.19" 70 | hookDockerImage: "registry.suse.com/cap/kubecf-kubectl:v1.20.2" 71 | 72 | # serviceAccount contains the configuration 73 | # values of the service account used by quarks-operator. 74 | serviceAccount: 75 | # create is a boolean to control the creation of service account name. 76 | create: true 77 | # name of the service account. 78 | name: 79 | 80 | global: 81 | # Context Timeout for each K8's API request in seconds. 82 | contextTimeout: 300 83 | # MeltdownDuration is the duration (in seconds) of the meltdown period, in which we 84 | # postpone further reconciles for the same resource 85 | meltdownDuration: 60 86 | # MeltdownRequeueAfter is the duration (in seconds) for which we delay the requeuing of the reconcile 87 | meltdownRequeueAfter: 30 88 | image: 89 | # pullPolicy defines the policy used for pulling docker images. 90 | pullPolicy: IfNotPresent 91 | # credentials is used for pulling docker images. 92 | credentials: ~ 93 | # username: 94 | # password: 95 | # servername: 96 | # monitoredID is a string that has to match the content of the 'monitored' label in each monitored namespace. 97 | monitoredID: cfo 98 | operator: 99 | webhook: 100 | # useServiceReference is a boolean to control the use of the 101 | # service reference in the webhook spec instead of a url. 102 | useServiceReference: true 103 | rbac: 104 | # create is a boolean to control the installation of rbac resources. 105 | create: true 106 | singleNamespace: 107 | # create is a boolean to control the creation of resources for a simplified setup 108 | create: true 109 | # name is the name of the single namespace, being watched for BOSH deployments. 110 | name: kubecf 111 | 112 | quarks-job: 113 | logLevel: info 114 | serviceAccount: 115 | # create is a boolean to control the creation of service account name. 116 | create: true 117 | # name of the service account. 118 | name: 119 | persistOutputClusterRole: 120 | # create is a boolean to control the creation of the persist output cluster role 121 | create: true 122 | # name of the cluster role. 123 | name: qjob-persist-output 124 | singleNamespace: 125 | createNamespace: false 126 | 127 | quarks-secret: 128 | logLevel: info 129 | 130 | quarks-statefulset: 131 | logLevel: info 132 | 133 | 134 | -------------------------------------------------------------------------------- /xml/appendix.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 10 | Appendix 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /xml/authors.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 10 | CarlaSchroder 11 | 12 | BillyTat 13 | 14 | Claudia-AmeliaMarin 15 | 16 | LukasKucharczyk 17 | 18 | 19 | -------------------------------------------------------------------------------- /xml/book_cap_guides.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 8 | %entities; 9 | ]> 10 | 14 | 15 | &guide;s&productname; 16 | &productnumber; 17 | 18 | 19 | 20 | 21 | 22 | Introducing &productname;, a software platform for cloud-native application 23 | deployment based on &kubecf; and &kube;. 24 | 25 | 26 | 27 | no 28 | 29 | 30 | 33 | 34 | 37 | 38 | Overview of &productname; 39 | 40 | 41 | 42 | 43 | 46 | 47 | Deploying &productname; 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 63 | 64 | &productname; Administration 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 86 | 87 | &productname; User Guide 88 | 89 | 90 | 91 | 94 | 95 | Troubleshooting 96 | 97 | 98 | 99 | 102 | 103 | 104 | 105 | -------------------------------------------------------------------------------- /xml/cap_admin_app_autoscaler.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | App-AutoScaler 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | The App-AutoScaler service is used for automatically managing an 20 | application's instance count when deployed on &kubecf;. The scaling behavior is 21 | determined by a set of criteria defined in a policy (See 22 | ). 23 | 24 | 25 | Prerequisites 26 | 27 | 28 | Using the App-AutoScaler service requires: 29 | 30 | 31 | 32 | 33 | 34 | A running deployment of kubecf 35 | 36 | 37 | 38 | 39 | &cfcli-prereq; 40 | 41 | 42 | 43 | The &cf; CLI AutoScaler Plug-in, see 44 | 45 | 46 | The plugin can be installed by running the following command: 47 | 48 | &prompt.user;cf install-plugin -r CF-Community app-autoscaler-plugin 49 | 50 | If the plugin repo is not found, add it first: 51 | 52 | &prompt.user;cf add-plugin-repo CF-Community https://plugins.cloudfoundry.org 53 | 54 | 55 | 56 | 57 | Enabling and Disabling the App-AutoScaler Service 58 | 59 | 60 | App-AutoScaler is disabled by default. To enable it, add the following 61 | block to your &values-filename; file. 62 | 63 | 64 | features: 65 | autoscaler: 66 | enabled: true 67 | 68 | 69 | 70 | To disable App-AutoScaler again, update the above block in your &values-filename; 71 | so that enabled is set to false. 72 | 73 | 74 | 75 | &config-new-vs-existing; 76 | 77 | 78 | 79 | 84 | 85 | 86 | Using the App-AutoScaler Service 87 | 88 | 89 | Push the application without starting it 90 | first: 91 | 92 | 93 | &prompt.user;cf push MY_APPLICATION --no-start 94 | 95 | 96 | 97 | Attach autoscaling policy to the application: 98 | 99 | 100 | &prompt.user;cf attach-autoscaling-policy MY_APPLICATION MY_POLICY.json 101 | 102 | 103 | The policy is defined as a JSON file 104 | (See ) in a proper format 105 | (See ). 106 | 107 | 108 | 109 | Start the application: 110 | 111 | 112 | &prompt.user;cf start MY_APPLICATION 113 | 114 | 115 | Autoscaling policies can be managed using &cfcli; with the App-AutoScaler plugin 116 | as above (See ) or using the 117 | App-AutoScaler API (See ). 118 | 119 | 120 | 121 | The App-AutoScaler &cfcli; Plugin 122 | 123 | The App-AutoScaler plugin is used for managing the service with your 124 | applications and provides the following commands (with shortcuts in brackets). Refer to for details about each command: 125 | 126 | 127 | 128 | autoscaling-api (asa) 129 | 130 | 131 | Set or view AutoScaler service API endpoint. See for more information. 132 | 133 | 134 | 135 | 136 | autoscaling-policy (asp) 137 | 138 | 139 | Retrieve the scaling policy of an application. See for more information. 140 | 141 | 142 | 143 | 144 | attach-autoscaling-policy (aasp) 145 | 146 | 147 | Attach a scaling policy to an application. See for more information. 148 | 149 | 150 | 151 | 152 | detach-autoscaling-policy (dasp) 153 | 154 | 155 | Detach the scaling policy from an application. See for more information. 156 | 157 | 158 | 159 | 160 | create-autoscaling-credential (casc) 161 | 162 | 163 | Create custom metric credential for an application. See for more information. 164 | 165 | 166 | 167 | 168 | delete-autoscaling-credential (dasc) 169 | 170 | 171 | Delete the custom metric credential of an application. 172 | See for more information. 173 | 174 | 175 | 176 | 177 | autoscaling-metrics (asm) 178 | 179 | 180 | Retrieve the metrics of an application. See for more information. 181 | 182 | 183 | 184 | 185 | autoscaling-history (ash) 186 | 187 | 188 | Retrieve the scaling history of an application. See for more information. 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | App-AutoScaler API 197 | 198 | The App-AutoScaler service provides a 199 | Public 200 | API with detailed usage information, see . It includes requests to: 201 | 202 | 203 | 204 | 205 | List scaling history of an application. For details, refer to 206 | 207 | 208 | 209 | 210 | List instance metrics of an application. For details, refer to 211 | 212 | 213 | 214 | 215 | List aggregated metrics of an application. For details, refer to 216 | 217 | 218 | 219 | 220 | Policy api. For details, refer to 221 | 222 | 223 | 224 | 225 | Delete policy. For details, refer to 226 | 227 | 228 | 229 | 230 | Get policy. For details, refer to 231 | 232 | 233 | 234 | 235 | 236 | 237 | Policies 238 | 239 | 240 | A policy identifies characteristics including minimum instance count, 241 | maximum instance count, and the rules used to determine when the number of 242 | application instances is scaled up or down. These rules are categorized into 243 | two types, scheduled scaling and dynamic scaling. (See 244 | ). Multiple scaling 245 | rules can be specified in a policy, but App-AutoScaler does not detect or 246 | handle conflicts that may occur. Ensure there are no conflicting rules to 247 | avoid unintended scaling behavior. 248 | 249 | 250 | 251 | Policies are defined using the JSON format and can be attached to an 252 | application either by passing the path to the policy file or directly as a 253 | parameter. 254 | 255 | 256 | 257 | The following is an example of a policy file, called 258 | my-policy.json. 259 | 260 | 261 | { 262 | "instance_min_count": 1, 263 | "instance_max_count": 4, 264 | "scaling_rules": [{ 265 | "metric_type": "memoryused", 266 | "stat_window_secs": 60, 267 | "breach_duration_secs": 60, 268 | "threshold": 10, 269 | "operator": ">=", 270 | "cool_down_secs": 300, 271 | "adjustment": "+1" 272 | }] 273 | } 274 | 275 | 276 | 277 | For an example that demonstrates defining multiple scaling rules in a single 278 | policy, refer to the sample of a policy file at . The complete list of configurable policy values can be 279 | found at 280 | . 281 | 282 | 283 | 284 | Scaling Types 285 | 286 | 287 | Scheduled Scaling 288 | 289 | 290 | Modifies an application's instance count at a predetermined time. This 291 | option is suitable for workloads with predictable resource usage. 292 | 293 | 294 | 295 | 296 | Dynamic Scaling 297 | 298 | 299 | Modifies an application's instance count based on metrics criteria. This 300 | option is suitable for workloads with dynamic resource usage. The 301 | following metrics are available: 302 | 303 | 304 | 305 | 306 | memoryused 307 | 308 | 309 | 310 | 311 | memoryutil 312 | 313 | 314 | 315 | 316 | cpu 317 | 318 | 319 | 320 | 321 | responsetime 322 | 323 | 324 | 325 | 326 | throughput 327 | 328 | 329 | 330 | 331 | custom metric 332 | 333 | 334 | 335 | 336 | 337 | 338 | 339 | See 340 | for additional details. 341 | 342 | 343 | 344 | 345 | -------------------------------------------------------------------------------- /xml/cap_admin_app_domains.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | 15 | Custom Application Domains 16 | 17 | 18 | yes 19 | 20 | 21 | 22 | In a standard &kubecf; deployment, applications will use the same domain as the 23 | one configured in your &values-filename; for &kubecf;. 24 | For example, if DOMAIN is set as 25 | EXAMPLE.COM in your 26 | &values-filename; and you deploy an application 27 | called MY_APP then the application's URL will be 28 | MY_APP.EXAMPLE.COM. 29 | 30 | 31 | This chapter describes the changes required to allow applications to use a 32 | separate domain. 33 | 34 | 35 | Customizing Application Domains 36 | 37 | 38 | Begin by adding the following to your &values-filename;. Replace 39 | MY_APP_DOMAIN.COM with the domain to use with your 40 | applications: 41 | 42 | 43 | bosh: 44 | instance_groups: 45 | - name: api-group 46 | jobs: 47 | - name: cloud_controller_ng 48 | properties: 49 | app_domains: 50 | - MY_APP_DOMAIN.COM 51 | 52 | 53 | 54 | If this is an initial deployment, use helm install to 55 | deploy kubecf: 56 | 57 | &prompt.user;kubectl create namespace kubecf 58 | 59 | &prompt.user;helm install kubecf suse/kubecf \ 60 | --namespace kubecf \ 61 | --values &values-file; 62 | 63 | 64 | 65 | If this is an existing deployment, use helm upgrade to 66 | apply the change: 67 | 68 | &prompt.user;helm upgrade kubecf suse/kubecf \ 69 | --namespace kubecf \ 70 | --values &values-file; \ 71 | --version &kubecf_chart; 72 | 73 | 74 | &kubecf-deploy-complete; 75 | 76 | 77 | When the kubecf is complete, do the following to confirm 78 | custom application domains have been configured correctly. 79 | 80 | 81 | 82 | Run cf curl /v2/info and verify the &kubecf; domain is not 83 | MY_APP_DOMAIN.COM: 84 | 85 | 86 | &prompt.user;cf api --skip-ssl-validation https://api.EXAMPLE.COM 87 | &prompt.user;cf curl /v2/info | grep endpoint 88 | 89 | 90 | 91 | Deploy an application and examine the routes field to 92 | verify MY_APP_DOMAIN.COM is being used: 93 | 94 | 95 | &prompt.user;cf login 96 | &prompt.user;cf create-org MY_ORG 97 | &prompt.user;cf create-space MY_SPACE -oMY_ORG 98 | &prompt.user;cf target -o MY_ORG -sMY_SPACE 99 | &prompt.user;cf push MY_APP 100 | cf push MY_APP 101 | Pushing app MY_APP to orgMY_ORG / space MY_SPACE as admin... 102 | Getting app info... 103 | Creating app with these attributes... 104 | name: MY_APP 105 | path: /path/to/MY_APP 106 | routes: 107 | + MY_APP.MY_APP_DOMAIN.COM 108 | 109 | Creating app MY_APP... 110 | Mapping routes... 111 | 112 | ... 113 | 114 | Waiting for app to start... 115 | 116 | name: MY_APP 117 | requested state: started 118 | instances: 1/1 119 | usage: 1G x 1 instances 120 | routes: MY_APP.MY_APP_DOMAIN.COM 121 | last uploaded: Mon 14 Jan 11:08:02 PST 2019 122 | stack: sle15 123 | buildpack: ruby 124 | start command: bundle exec rackup config.ru -p $PORT 125 | 126 | state since cpu memory disk details 127 | #0 running 2019-01-14T19:09:42Z 0.0% 2.7M of 1G 80.6M of 1G 128 | 129 | 130 | 131 | -------------------------------------------------------------------------------- /xml/cap_admin_ccdb_key_rotation.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Cloud Controller Database Secret Rotation 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | The Cloud Controller Database (CCDB) encrypts sensitive information like 20 | passwords. The encryption key is generated when &kubecf; is deployed. 21 | If it is compromised or needs to be rotated for any other reason, new keys can be 22 | added. Note that existing encrypted information will not be updated. The 23 | encrypted information must be set again to have them re-encrypted with the 24 | new key. The old key cannot be dropped until all references to it are removed 25 | from the database. 26 | 27 | 28 | Updating these secrets is a manual process that involves decrypting the 29 | current contents of the database using the old key and re-encrypting the 30 | contents using a new key. The following procedure outlines 31 | how this is done. 32 | 33 | 34 | 35 | 36 | For each label under key_labels, &kubecf; will generate 37 | an encryption key. The current_key_label indicates which 38 | key is currently being used. 39 | 40 | 41 | ccdb: 42 | encryption: 43 | rotation: 44 | key_labels: 45 | - encryption_key_0 46 | current_key_label: encryption_key_0 47 | 48 | 49 | 50 | 51 | In order to rotate the CCDB encryption key, add a new label to 52 | key_labels (keeping the old labels), and mark 53 | the current_key_label with the newly added label: 54 | 55 | 56 | ccdb: 57 | encryption: 58 | rotation: 59 | key_labels: 60 | - encryption_key_0 61 | - encryption_key_1 62 | current_key_label: encryption_key_1 63 | 64 | 65 | 66 | 67 | Save the above information into a file, for example 68 | rotate-secret.yaml, and perform the rotation: 69 | 70 | 71 | 72 | 73 | Update the &kubecf; &helm; installation: 74 | 75 | 76 | &prompt.user;helm upgrade kubecf --namespace kubecf --values rotate-secret.yaml --reuse-values 77 | 78 | 79 | 80 | 81 | After &helm; finishes its updates, trigger the 82 | rotate-cc-database-key errand: 83 | 84 | &prompt.user;kubectl patch qjob kubecf-rotate-cc-database-key \ 85 | --namespace kubecf \ 86 | --type merge \ 87 | --patch '{"spec":{"trigger":{"strategy":"now"}}}' 88 | 89 | 90 | 91 | 92 | 93 | 94 | Tables with Encrypted Information 95 | 96 | 97 | The CCDB contains several tables with encrypted information as follows: 98 | 99 | 100 | 101 | 102 | apps 103 | 104 | 105 | Environment variables 106 | 107 | 108 | 109 | 110 | buildpack_lifecycle_buildpacks 111 | 112 | 113 | Buildpack URLs may contain passwords 114 | 115 | 116 | 117 | 118 | buildpack_lifecycle_data 119 | 120 | 121 | Buildpack URLs may contain passwords 122 | 123 | 124 | 125 | 126 | droplets 127 | 128 | 129 | May contain &docker; registry passwords 130 | 131 | 132 | 133 | 134 | env_groups 135 | 136 | 137 | Environment variables 138 | 139 | 140 | 141 | 142 | packages 143 | 144 | 145 | May contain &docker; registry passwords 146 | 147 | 148 | 149 | 150 | service_bindings 151 | 152 | 153 | Contains service credentials 154 | 155 | 156 | 157 | 158 | service_brokers 159 | 160 | 161 | Contains service credentials 162 | 163 | 164 | 165 | 166 | service_instances 167 | 168 | 169 | Contains service credentials 170 | 171 | 172 | 173 | 174 | service_keys 175 | 176 | 177 | Contains service credentials 178 | 179 | 180 | 181 | 182 | tasks 183 | 184 | 185 | Environment variables 186 | 187 | 188 | 189 | 190 | 191 | 192 | Update Existing Data with New Encryption Key 193 | 194 | To ensure the encryption key is updated for existing data, the command (or 195 | its update- equivalent) can be run again with the same 196 | parameters. Some commands need to be deleted/recreated to update the label. 197 | 198 | 199 | 200 | apps 201 | 202 | 203 | Run cf set-env again 204 | 205 | 206 | 207 | 208 | buildpack_lifecycle_buildpacks, buildpack_lifecycle_data, droplets 209 | 210 | 211 | cf restage the app 212 | 213 | 214 | 215 | 216 | packages 217 | 218 | 219 | cf delete, then cf push the app 220 | (&docker; apps with registry password) 221 | 222 | 223 | 224 | 225 | env_groups 226 | 227 | 228 | Run cf set-staging-environment-variable-group or 229 | cf set-running-environment-variable-group again 230 | 231 | 232 | 233 | 234 | service_bindings 235 | 236 | 237 | Run cf unbind-service and cf 238 | bind-service again 239 | 240 | 241 | 242 | 243 | service_brokers 244 | 245 | 246 | Run cf update-service-broker with the appropriate 247 | credentials 248 | 249 | 250 | 251 | 252 | service_instances 253 | 254 | 255 | Run cf update-service with the appropriate 256 | credentials 257 | 258 | 259 | 260 | 261 | service_keys 262 | 263 | 264 | Run cf delete-service-key and cf 265 | create-service-key again 266 | 267 | 268 | 269 | 270 | tasks 271 | 272 | 273 | While tasks have an encryption key label, they are generally meant to be 274 | a one-off event, and left to run to completion. If there is a task still 275 | running, it could be stopped with cf terminate-task, 276 | then run again with cf run-task. 277 | 278 | 279 | 280 | 281 | 282 | 283 | 284 | -------------------------------------------------------------------------------- /xml/cap_admin_configuration_changes.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Configuration Changes 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | After the initial deployment of ∩, any changes made to your &helm; chart 20 | values, whether through your &values-filename; file 21 | or directly using &helm;'s --set flag, are applied using 22 | the helm upgrade command. 23 | 24 | 25 | Do Not Make Changes to Pod Counts During a Version Upgrade 26 | 27 | The helm upgrade command can be used to apply 28 | configuration changes as well as perform version upgrades to ∩. A change 29 | to the pod count configuration should not be applied simultaneously with a 30 | version upgrade. Sizing changes should be made separately, either before or 31 | after, from a version upgrade. 32 | 33 | 34 | 35 | Configuration Change Example 36 | 37 | 38 | Consider an example where you want to enable the App-AutoScaler. 39 | 40 | 41 | 42 | The entry below is added to your &values-filename; file and set with 43 | enabled set to true. 44 | 45 | 46 | features: 47 | autoscaler: 48 | enabled: true 49 | 50 | 51 | 52 | The changed is then applied with the helm upgrade command. This 53 | example assumes the suse/kubecf &helm; chart deployed was 54 | named kubecf. 55 | 56 | 57 | &prompt.user;helm upgrade kubecf suse/kubecf \ 58 | --namespace kubecf \ 59 | --values &values-file; \ 60 | --version &kubecf_chart; 61 | 62 | 63 | 64 | When all pods are in a READY state, the configuration 65 | change will also be reflected. Assuming the chart was deployed to the 66 | kubecf namespace, progress can be monitored with: 67 | 68 | 69 | &prompt.user;watch --color 'kubectl get pods --namespace kubecf' 70 | 71 | 72 | Other Examples 73 | 74 | 75 | The following are other examples of using helm upgrade to 76 | make configuration changes: 77 | 78 | 79 | 80 | 81 | 82 | Secrets rotation (see ) 83 | 84 | 85 | 86 | 87 | Enabling additional services (see 88 | ) 89 | 90 | 91 | 92 | 93 | 94 | -------------------------------------------------------------------------------- /xml/cap_admin_create_admin.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Creating Admin Users 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | This chapter provides an overview on how to create additional 20 | administrators for your ∩ cluster. 21 | 22 | 23 | Prerequisites 24 | 25 | 26 | The following prerequisites are required in order to create 27 | additional ∩ cluster administrators: 28 | 29 | 30 | 31 | 32 | &cfcli-prereq; 33 | 34 | 35 | &uaac-prereq; 36 | 37 | 38 | 39 | 40 | Creating an Example ∩ Cluster Administrator 41 | 42 | The following example demonstrates the steps required to create a new 43 | administrator user for your ∩ cluster. Note that creating administrator 44 | accounts must be done using the UAAC and cannot be done using the &cfcli;. 45 | 46 | 47 | &uaac-target; 48 | &uaac-authenticate; 49 | 50 | 51 | Create a new user: 52 | 53 | &prompt.user;uaac user add NEW_ADMIN --password PASSWORD --emails new-admin@example.com --zone kubecf 54 | 55 | 56 | 57 | Add the new user to the following groups to grant administrator privileges 58 | to the cluster (see 59 | for information on privileges provided by each group): 60 | 61 | &prompt.user;uaac member add scim.write NEW_ADMIN --zone kubecf 62 | 63 | &prompt.user;uaac member add scim.read NEW_ADMIN --zone kubecf 64 | 65 | &prompt.user;uaac member add cloud_controller.admin NEW_ADMIN --zone kubecf 66 | 67 | &prompt.user;uaac member add clients.read NEW_ADMIN --zone kubecf 68 | 69 | &prompt.user;uaac member add clients.write NEW_ADMIN --zone kubecf 70 | 71 | &prompt.user;uaac member add doppler.firehose NEW_ADMIN --zone kubecf 72 | 73 | &prompt.user;uaac member add routing.router_groups.read NEW_ADMIN --zone kubecf 74 | 75 | &prompt.user;uaac member add routing.router_groups.write NEW_ADMIN --zone kubecf 76 | 77 | 78 | 79 | 80 | Log into your ∩ deployment as the newly created administrator: 81 | 82 | &prompt.user;cf api --skip-ssl-validation https://api.example.com 83 | 84 | &prompt.user;cf login -u NEW_ADMIN 85 | 86 | 87 | 88 | 89 | The following commands can be used to verify the new administrator account has sufficient permissions: 90 | 91 | &prompt.user;cf create-shared-domain TEST_DOMAIN.COM 92 | 93 | &prompt.user;cf set-org-role NEW_ADMIN org OrgManager 94 | 95 | &prompt.user;cf create-buildpack TEST_BUILDPACK /tmp/ruby_buildpack-cached-sle15-v1.7.30.1.zip 1 96 | 97 | 98 | If the account has sufficient permissions, you should not receive any authorization message similar to the following: 99 | 100 | FAILED 101 | Server error, status code: 403, error code: 10003, message: You are not authorized to perform the requested action 102 | 103 | 104 | See for other administrator-specific commands that can be run to confirm sufficient permissions are provided. 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | -------------------------------------------------------------------------------- /xml/cap_admin_credhub.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Integrating CredHub with &productname; 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | &productname; supports CredHub integration. You should already have a working 20 | CredHub instance, a CredHub service on your cluster, then apply the steps in 21 | this chapter to connect &productname;. 22 | 23 | 24 | Installing the CredHub Client 25 | 26 | 27 | Start by creating a new directory for the CredHub client on your local 28 | workstation, then download and unpack the CredHub client. The following 29 | example is for the 2.2.0 Linux release. For other platforms and current 30 | releases, see the cloudfoundry-incubator/credhub-cli at 31 | 32 | 33 | 34 | &prompt.user;mkdir chclient 35 | &prompt.user;cd chclient 36 | &prompt.user;wget https://github.com/cloudfoundry-incubator/credhub-cli/releases/download/2.2.0/credhub-linux-2.2.0.tgz 37 | &prompt.user;tar zxf credhub-linux-2.2.0.tgz 38 | 39 | 40 | 41 | Enabling and Disabling CredHub 42 | 43 | 44 | CredHub is enabled by default. To disable it, add the following the following 45 | block to your &values-filename; file. 46 | 47 | 48 | features: 49 | credhub: 50 | enabled: false 51 | 52 | 53 | 54 | To enable CredHub again, update the above block in your &values-filename; so that 55 | enabled is set to true. 56 | 57 | 58 | 59 | &config-new-vs-existing; 60 | 61 | 62 | 63 | On occasion, the credhub pod may fail to start due to 64 | database migration failures; this has been spotted intermittently on 65 | &aks-full; and to a lesser extent, other public clouds. 66 | In these situations, manual intervention is required to track the last 67 | completed transaction in credhub_user database and 68 | update the flyway schema history table with the record of the last 69 | completed transaction. Please contact support for further instructions. 70 | 71 | 72 | 73 | 74 | Connecting to the CredHub Service 75 | 76 | 77 | Set environment variables for the CredHub client, your CredHub service 78 | location, and ∩ namespace. In these guides the example namespace is 79 | kubecf: 80 | 81 | &prompt.user;CH_CLI=~/chclient/credhub 82 | &prompt.user;CH_SERVICE=https://credhub.example.com 83 | &prompt.user;NAMESPACE=kubecf 84 | 85 | 86 | Set up the CredHub service location: 87 | 88 | 89 | &prompt.user;SECRET="$(kubectl get secrets --namespace "${NAMESPACE}" | awk '/^secrets-/ { print $1 }')" 90 | &prompt.user;CH_SECRET="$(kubectl get secrets --namespace "${NAMESPACE}" "${SECRET}" --output jsonpath="{.data['uaa-clients-credhub-user-cli-secret']}"|base64 --decode)" 91 | &prompt.user;CH_CLIENT=credhub_user_cli 92 | &prompt.user;echo Service ......@ $CH_SERVICE 93 | &prompt.user;echo CH cli Secret @ $CH_SECRET 94 | 95 | 96 | Set the CredHub target through its &kube; service, then log into CredHub: 97 | 98 | 99 | &prompt.user;"${CH_CLI}" api --skip-tls-validation --server "${CH_SERVICE}" 100 | &prompt.user;"${CH_CLI}" login --client-name="${CH_CLIENT}" --client-secret="${CH_SECRET}" 101 | 102 | 103 | Test your new connection by inserting and retrieving some fake credentials: 104 | 105 | 106 | &prompt.user;"${CH_CLI}" set --name FOX --type value --value 'fox over lazy dog' 107 | &prompt.user;"${CH_CLI}" set --name DOG --type user --username dog --password fox 108 | &prompt.user;"${CH_CLI}" get --name FOX 109 | &prompt.user;"${CH_CLI}" get --name DOG 110 | 111 | 112 | 113 | 118 | 119 | -------------------------------------------------------------------------------- /xml/cap_admin_logging.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Logging 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | There are two types of logs in a deployment of &productname;, applications 20 | logs and component logs. The following provides a brief overview of each log 21 | type and how to retrieve them for monitoring and debugging use. 22 | 23 | 24 | 25 | &log-types-and-fetch; 26 | 27 | 28 | Logging to an External Syslog Server 29 | 30 | 31 | ∩ supports sending the cluster's log data to external logging services 32 | where additional processing and analysis can be performed. 33 | 34 | 35 | 36 | Configuring ∩ 37 | 38 | In your &values-filename; file add the following 39 | configuration values to the env: section. The example 40 | values below are configured for an external ELK stack. 41 | 42 | env: 43 | SCF_LOG_HOST: elk.example.com 44 | SCF_LOG_PORT: 5001 45 | SCF_LOG_PROTOCOL: "tcp" 46 | 47 | 48 | 49 | Example using the ELK Stack 50 | 51 | The ELK stack is an example of an external syslog server where log data can 52 | be sent to for log management. The ELK stack consists of: 53 | 54 | 55 | 56 | Elasticsearch 57 | 58 | 59 | A tool for search and analytics. For more information, refer to 60 | . 61 | 62 | 63 | 64 | 65 | Logstash 66 | 67 | 68 | A tool for data processing. For more information, refer to 69 | . 70 | 71 | 72 | 73 | 74 | Kibana 75 | 76 | 77 | 78 | A tool for data visualization. For more information, refer to 79 | . 80 | 81 | 82 | 83 | 84 | 85 | 86 | Prerequisites 87 | 88 | Java 8 is required by: 89 | 90 | 91 | 92 | Elasticsearch 93 | 94 | 95 | 96 | For more information, refer to 97 | . 98 | 99 | 100 | 101 | 102 | Logstash 103 | 104 | 105 | For more information, refer to 106 | . 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | Installing and Configuring Elasticsearch 115 | 116 | For methods of installing Elasticsearch, refer to 117 | . 118 | 119 | 120 | After installation, modify the config file 121 | /etc/elasticsearch/elasticsearch.yml to set the 122 | following value. 123 | 124 | network.host: localhost 125 | 126 | 127 | 128 | Installing and Configuring Logstash 129 | 130 | For methods of installing Logstash, refer to 131 | . 132 | 133 | 134 | After installation, create the configuration file 135 | /etc/logstash/conf.d/00-scf.conf. In this example, we 136 | will name it 00-scf.conf. Add the following into the 137 | file. Take note of the port used in the input section. This value will 138 | need to match the value of the SCF_LOG_PORT property in 139 | your &values-filename; file. 140 | 141 | input { 142 | tcp { 143 | port => 5001 144 | } 145 | } 146 | output { 147 | stdout {} 148 | elasticsearch { 149 | hosts => ["localhost:9200"] 150 | index => "scf-%{+YYYY.MM.dd}" 151 | } 152 | } 153 | 154 | 155 | Additional input plug-ins can be found at 156 | 157 | and output plug-ins can be found at 158 | . 159 | For this example, we will demonstrate the flow of data through the stack, 160 | but filter plugins can also be specified to perform processing of the log 161 | data. For more details about filter plug-ins, refer to 162 | . 163 | 164 | 165 | 166 | Installing and Configuring Kibana 167 | 168 | For methods of installing Kibana, refer to 169 | . 170 | 171 | 172 | No configuration changes are required at this point. Refer to 173 | 174 | for additonal properties that can configured through the 175 | kibana.yml file. 176 | 177 | 178 | 179 | 180 | 181 | Log Levels 182 | 183 | 184 | The log level is configured through the 185 | &values-filename; file by using the 186 | LOG_LEVEL property found in the env: 187 | section. The LOG_LEVEL property is mapped to 188 | component-specific levels. Components have differing technology compositions 189 | (for example languages, frameworks) and results in each component 190 | determining for itself what content to provide at each level, which may vary 191 | between components. 192 | 193 | 194 | 195 | The following are the log levels available along with examples of log 196 | entries at the given level. 197 | 198 | 199 | 200 | 201 | 202 | off: disable log messages 203 | 204 | 205 | 206 | 207 | fatal: fatal conditions 208 | 209 | 210 | 211 | 212 | error: error conditions 213 | 214 | <11>1 2018-08-21T17:59:48.321059+00:00 api-group-0 vcap.cloud_controller_ng 215 | - - - 216 | {"timestamp":1534874388.3206334,"message":"Mysql2::Error: MySQL 217 | server has gone away: SELECT count(*) AS `count` FROM `tasks` WHERE 218 | (`state` = 'RUNNING') LIMIT 1","log_level":"error","source":"cc.db","data": 219 | {},"thread_id":47367387197280,"fiber_id":47367404488760,"process_id":3400,"file":"/ 220 | var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/2.4.0/ 221 | gems/sequel-4.49.0/lib/sequel/database/logging.rb","lineno":88,"method":"block in 222 | log_each"} 223 | 224 | 225 | 226 | 227 | warn: warning conditions 228 | 229 | <12>1 2018-08-21T18:49:37.651186+00:00 api-group-0 vcap.cloud_controller_ng 230 | - - - 231 | {"timestamp":1534877377.6507676,"message":"Invalid bearer token: 232 | #<CF::UAA::InvalidSignature: Signature verification failed> [\"/var/vcap/ 233 | packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/2.4.0/gems/ 234 | cf-uaa-lib-3.14.3/lib/uaa/token_coder.rb:118:in `decode'\", \"/var/vcap/packages/ 235 | cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/2.4.0/gems/cf-uaa- 236 | lib-3.14.3/lib/uaa/token_coder.rb:212:in `decode_at_reference_time'\", \"/var/ 237 | vcap/packages-src/8d7a6cd54ff4180c0094fc9aefbe3e5f43169e13/cloud_controller_ng/ 238 | lib/cloud_controller/uaa/uaa_token_decoder.rb:70:in `decode_token_with_key'\", 239 | \"/var/vcap/packages-src/8d7a6cd54ff4180c0094fc9aefbe3e5f43169e13/ 240 | cloud_controller_ng/lib/cloud_controller/uaa/uaa_token_decoder.rb:58:in 241 | `block in decode_token_with_asymmetric_key'\", \"/var/vcap/packages- 242 | src/8d7a6cd54ff4180c0094fc9aefbe3e5f43169e13/cloud_controller_ng/ 243 | lib/cloud_controller/uaa/uaa_token_decoder.rb:56:in `each'\", \"/ 244 | var/vcap/packages-src/8d7a6cd54ff4180c0094fc9aefbe3e5f43169e13/ 245 | cloud_controller_ng/lib/cloud_controller/uaa/uaa_token_decoder.rb:56:in 246 | `decode_token_with_asymmetric_key'\", \"/var/vcap/packages- 247 | src/8d7a6cd54ff4180c0094fc9aefbe3e5f43169e13/cloud_controller_ng/lib/ 248 | cloud_controller/uaa/uaa_token_decoder.rb:29:in `decode_token'\", \"/var/vcap/ 249 | packages-src/8d7a6cd54ff4180c0094fc9aefbe3e5f43169e13/cloud_controller_ng/lib/ 250 | cloud_controller/security/security_context_configurer.rb:22:in `decode_token'\", \"/ 251 | var/vcap/packages-src/8d7a6cd54ff4180c0094fc9aefbe3e5f43169e13/cloud_controller_ng/ 252 | lib/cloud_controller/security/security_context_configurer.rb:10:in `configure'\", 253 | \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/middleware/ 254 | security_context_setter.rb:12:in `call'\", \"/var/vcap/packages/cloud_controller_ng/ 255 | cloud_controller_ng/middleware/vcap_request_id.rb:15:in `call'\", \"/var/vcap/ 256 | packages/cloud_controller_ng/cloud_controller_ng/middleware/cors.rb:49:in 257 | `call_app'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/ 258 | middleware/cors.rb:14:in `call'\", \"/var/vcap/packages/cloud_controller_ng/ 259 | cloud_controller_ng/middleware/request_metrics.rb:12:in `call'\", \"/ 260 | var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ 261 | ruby/2.4.0/gems/rack-1.6.9/lib/rack/builder.rb:153:in `call'\", \"/var/vcap/ 262 | packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/2.4.0/ 263 | gems/thin-1.7.0/lib/thin/connection.rb:86:in `block in pre_process'\", \"/ 264 | var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ 265 | ruby/2.4.0/gems/thin-1.7.0/lib/thin/connection.rb:84:in `catch'\", \"/var/ 266 | vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/2.4.0/ 267 | gems/thin-1.7.0/lib/thin/connection.rb:84:in `pre_process'\", \"/var/vcap/ 268 | packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/2.4.0/ 269 | gems/thin-1.7.0/lib/thin/connection.rb:50:in `block in process'\", \"/ 270 | var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ 271 | ruby/2.4.0/gems/eventmachine-1.0.9.1/lib/eventmachine.rb:1067:in `block in 272 | spawn_threadpool'\"]","log_level":"warn","source":"cc.uaa_token_decoder","data": 273 | {"request_guid":"f3e25c45-a94a-4748-7ccf-5a72600fbb17::774bdb79-5d6a-4ccb-a9b8- 274 | f4022afa3bdd"},"thread_id":47339751566100,"fiber_id":47339769104800,"process_id":3245,"file":"/ 275 | var/vcap/packages-src/8d7a6cd54ff4180c0094fc9aefbe3e5f43169e13/cloud_controller_ng/ 276 | lib/cloud_controller/uaa/uaa_token_decoder.rb","lineno":35,"method":"rescue in 277 | decode_token"} 278 | 279 | 280 | 281 | 282 | info: informational messages 283 | 284 | <14>1 2018-08-21T22:42:54.324023+00:00 api-group-0 vcap.cloud_controller_ng 285 | - - - 286 | {"timestamp":1534891374.3237739,"message":"Started GET 287 | \"/v2/info\" for user: , ip: 127.0.0.1 with vcap-request-id: 288 | 45e00b66-e0b7-4b10-b1e0-2657f43284e7 at 2018-08-21 22:42:54 289 | UTC","log_level":"info","source":"cc.api","data":{"request_guid":"45e00b66- 290 | e0b7-4b10- 291 | b1e0-2657f43284e7"},"thread_id":47420077354840,"fiber_id":47420124921300,"process_id":3200,"file": 292 | var/vcap/packages/cloud_controller_ng/cloud_controller_ng/middleware/ 293 | request_logs.rb","lineno":12,"method":"call"} 294 | 295 | 296 | 297 | 298 | debug: debugging messages 299 | 300 | <15>1 2018-08-21T22:45:15.146838+00:00 api-group-0 vcap.cloud_controller_ng 301 | - - - 302 | {"timestamp":1534891515.1463814,"message":"dispatch 303 | VCAP::CloudController::InfoController get /v2/ 304 | info","log_level":"debug","source":"cc.api","data":{"request_guid":"b228ef6d- 305 | af5e-4808- 306 | af0b-791a37f51154"},"thread_id":47420125585200,"fiber_id":47420098783620,"process_id":3200,"file": 307 | var/vcap/packages-src/8d7a6cd54ff4180c0094fc9aefbe3e5f43169e13/cloud_controller_ng/ 308 | lib/cloud_controller/rest_controller/routes.rb","lineno":12,"method":"block in 309 | define_route"} 310 | 311 | 312 | 313 | 314 | debug1: lower-level debugging messages 315 | 316 | 317 | 318 | 319 | debug2: lowest-level debugging message 320 | 321 | <15>1 2018-08-21T22:46:02.173445+00:00 api-group-0 vcap.cloud_controller_ng - - - 322 | {"timestamp":1534891562.1731355,"message":"(0.006130s) SELECT * FROM `delayed_jobs` 323 | WHERE ((((`run_at` <= '2018-08-21 22:46:02') AND (`locked_at` IS NULL)) OR 324 | (`locked_at` < '2018-08-21 18:46:02') OR (`locked_by` = 'cc_api_worker.api.0.1')) 325 | AND (`failed_at` IS NULL) AND (`queue` IN ('cc-api-0'))) ORDER BY `priority` 326 | ASC, `run_at` ASC LIMIT 5","log_level":"debug2","source":"cc.background","data": 327 | {},"thread_id":47194852110160,"fiber_id":47194886034680,"process_id":3296,"file":"/ 328 | var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/2.4.0/ 329 | gems/sequel-4.49.0/lib/sequel/database/logging.rb","lineno":88,"method":"block in 330 | log_each"} 331 | 332 | 333 | 334 | 335 | 336 | -------------------------------------------------------------------------------- /xml/cap_admin_memory_limits.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Container Memory Limits and Requests 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | In &productname;, containers have predefined memory limits and request sizes. 20 | Depending on the workload, these may need to be adjusted in some cases. 21 | 22 | 23 | Enabling and Disabling Memory Limits and Request Sizes 24 | 25 | By default, memory limits and request sizes are enabled. To disable it, add 26 | the following block to your &values-filename; file. 27 | 28 | features: 29 | memory_limits: 30 | enabled: false 31 | 32 | 33 | To enable memory limits again, update the above block in your 34 | &values-filename; so that enabled is set to 35 | true. 36 | 37 | 38 | 39 | &config-new-vs-existing; 40 | 41 | 42 | Configuring Memory Limits and Request Sizes 43 | 44 | Configuring memory limits and request sizes requires that 45 | feature.memory_limits is enabled. The default memory limits 46 | and request sizes can be found by examining the resources 47 | block at 48 | . 49 | To configure memory limits and request sizes, add a 50 | resources block to your &values-filename;. It contains a 51 | mapping of instance groups to jobs to processes. The process then contains a 52 | resource definition with limits and requests. All values are integers and 53 | represent the number of megabytes (Mi) for the given limit or request. A fully 54 | expanded tree looks like: 55 | 56 | resources: 57 | some_ig: 58 | some_job: 59 | some_process: 60 | memory: 61 | limit: ~ 62 | request: ~ 63 | 64 | 65 | Each level can define a $defaults resource definition that 66 | will be applied to all processes below it, that don't have their own 67 | definition (or a default further down the tree closer to them): 68 | 69 | resources: 70 | '$defaults': 71 | memory: 72 | limit: ~ 73 | request: ~ 74 | some_ig: 75 | '$defaults': { ... } 76 | some_job: 77 | '$defaults': { ... } 78 | some_process: ~ 79 | 80 | 81 | For convenience a $defaults value can be just an integer. 82 | This 83 | 84 | resources: 85 | '$defaults': 32 86 | 87 | 88 | is a shortcut for: 89 | 90 | resources: 91 | '$defaults': {memory: {limit: 32, request: ~}, cpu: {limit: ~, request:~}} 92 | 93 | 94 | In addition, an instance group, job, or process can also be set to just an 95 | integer. This: 96 | 97 | resources: 98 | some_ig: 32 99 | 100 | 101 | is a shortcut for: 102 | 103 | resources: 104 | some_ig: 105 | $defaults': 32 106 | 107 | 108 | Of course this means that any lower level jobs and processes will have to 109 | share this specific resource definition, as there is no way to explicitly 110 | enumerate the jobs or processes when the value is just an integer and not a 111 | map. 112 | 113 | 114 | Note that there is a difference between this 115 | 116 | resources: 117 | '$defaults': 32 118 | some_ig: 64 119 | 120 | 121 | and this: 122 | 123 | resources: 124 | '$defaults': 32 125 | some_ig: 126 | some_job: 64 127 | 128 | 129 | The former definitions sets the memory limit of 130 | all jobs under some_ig 131 | while the latter only specifies the limit for some_job. If 132 | there are more jobs in some_ig, then they will use the 133 | global limit (32) and only some_job will use the specific 134 | limit (64). 135 | 136 | 137 | Memory requests will have a calculated default value, which is a configurable 138 | percentage of the limit, at least some configurable minimum value, and never 139 | higher than the limit itself. The default is always at least a minimum value, 140 | but never larger than the limit itself. These defaults can be configured by 141 | using features.memory_limits.default_request_minimum and 142 | features.memory_limits.default_request_in_percent. The 143 | following is an example configuration where the example values are the 144 | respective defaults. 145 | 146 | features: 147 | memory_limits: 148 | default_request_minimum: 32 149 | default_request_in_percent: 25 150 | 151 | 152 | 153 | &config-new-vs-existing; 154 | 155 | 156 | -------------------------------------------------------------------------------- /xml/cap_admin_nproc_limits.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Managing Nproc Limits of Pods 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | 20 | Do Not Adjust Without Guidance 21 | 22 | It is not recommended to change these values without the guidance of 23 | &productname; developers. Please contact support for assistance. 24 | 25 | 26 | 27 | 28 | Nproc is the maximum number of processes allowed per user. In the case of 29 | kubecf, the nproc value applies to the 30 | vcap user. In kubecf, there are parameters, 31 | kube.limits.nproc.soft and 32 | kube.limits.nproc.hard, to configure a soft nproc limit 33 | and a hard nproc limit for processes spawned by the vcap 34 | user in kubecf pods. By default, the soft limit is 1024 while 35 | the hard limit is 2048. The soft and hard limits can be changed 36 | to suit your workloads. Note that the limits are applied to all pods. 37 | 38 | 39 | 40 | When configuring the nproc limits, take note that: 41 | 42 | 43 | 44 | 45 | 46 | If the soft limit is set, the hard limit must be set as well. 47 | 48 | 49 | 50 | 51 | If the hard limit is set, the soft limit must be set as well. 52 | 53 | 54 | 55 | 56 | The soft limit cannot be greater than the hard limit. 57 | 58 | 59 | 60 | 61 | 62 | Configuring and Applying Nproc Limits 63 | 64 | 65 | To configure the nproc limits, add the following to your 66 | &values-filename;. Replace 67 | the example values with limits suitable for your workloads: 68 | 69 | 70 | kube: 71 | limits: 72 | nproc: 73 | hard: 3072 74 | soft: 2048 75 | 76 | 77 | 78 | New Deployments 79 | 80 | 81 | For new &productname; deployments, follow the steps below to deploy 82 | &productname; with nproc limits configured: 83 | 84 | 85 | 86 | 87 | 88 | Deploy kubecf: 89 | 90 | &prompt.user;kubectl create namespace kubecf 91 | 92 | &prompt.user;helm install kubecf suse/kubecf \ 93 | --namespace kubecf \ 94 | --values &values-file; 95 | 96 | 97 | 98 | 99 | Monitor the deployment progress using the watch command: 100 | 101 | &prompt.user;watch --color 'kubectl get pods --namespace kubecf' 102 | 103 | 104 | 105 | Open a shell into any container. The command below opens a shell to the default 106 | container in the blobstore-0 pod: 107 | 108 | &prompt.user;kubectl exec --stdin --tty blobstore-0 --namespace kubecf -- env /bin/bash 109 | 110 | 111 | 112 | Use the vcap user identity: 113 | 114 | &prompt.user;su vcap 115 | 116 | 117 | 118 | Verify the maximum number of processes for the vcap user matches the limits you set: 119 | 120 | &prompt.user;ulimit -u 121 | 122 | &prompt.user;cat /etc/security/limits.conf | grep nproc 123 | 124 | 125 | 126 | 127 | 128 | 129 | Existing Deployments 130 | 131 | 132 | For existing &productname; deployments, follow the steps below to redeploy 133 | &productname; with nproc limits configured: 134 | 135 | 136 | 137 | 138 | 139 | Use helm upgrade to apply the change: 140 | 141 | &prompt.user;helm upgrade kubecf suse/kubecf \ 142 | --namespace kubecf \ 143 | --values &values-file; \ 144 | --version &kubecf_chart; 145 | 146 | 147 | 148 | 149 | Monitor the deployment progress using the watch command: 150 | 151 | &prompt.user;watch --color 'kubectl get pods --namespace kubecf' 152 | 153 | 154 | 155 | Open a shell into any container. The command below opens a shell to the default 156 | container in the blobstore-0 pod: 157 | 158 | &prompt.user;kubectl exec --stdin --tty blobstore-0 --namespace kubecf -- env /bin/bash 159 | 160 | 161 | 162 | Use the vcap user identity: 163 | 164 | &prompt.user;su vcap 165 | 166 | 167 | 168 | Verify the maximum number of processes for the vcap user matches the limits you set: 169 | 170 | &prompt.user;ulimit -u 171 | 172 | &prompt.user;cat /etc/security/limits.conf | grep nproc 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | -------------------------------------------------------------------------------- /xml/cap_admin_passwords.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Managing Passwords 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | The various components of &productname; authenticate to each other using 20 | passwords that are automatically managed by the ∩ secrets-generator. The 21 | only passwords managed by the cluster administrator are passwords for human 22 | users. The administrator may create and remove user logins, but cannot change 23 | user passwords. 24 | 25 | 26 | 27 | 28 | The cluster administrator password is initially defined in the deployment's 29 | values.yaml file with 30 | CLUSTER_ADMIN_PASSWORD 31 | 32 | 33 | 34 | 35 | The Stratos Web UI provides a form for users, including the administrator, 36 | to change their own passwords 37 | 38 | 39 | 40 | 41 | User logins are created (and removed) with the &cf; Client, 42 | &cfcli; 43 | 44 | 45 | 46 | 47 | Password Management with the &cf; Client 48 | 49 | 50 | The administrator cannot change other users' passwords. Only users may 51 | change their own passwords, and password changes require the current 52 | password: 53 | 54 | 55 | 56 | &prompt.user;cf passwd 57 | Current Password> 58 | New Password> 59 | Verify Password> 60 | Changing password... 61 | OK 62 | Please log in again 63 | 64 | 65 | 66 | The administrator can create a new user: 67 | 68 | 69 | 70 | &prompt.user;cf create-user NEW_USER PASSWORD 71 | 72 | 73 | and delete a user: 74 | 75 | 76 | 77 | &prompt.user;cf delete-user NEW_USER PASSWORD 78 | 79 | 80 | Use the &cfcli; to assign space and org roles. Run cf help 81 | -a for a complete command listing, or see 82 | Creating 83 | and Managing Users with the &cfcli;. 84 | 85 | 86 | 87 | Changing User Passwords with Stratos 88 | 89 | 90 | The Stratos Web UI provides a form for changing passwords on your profile 91 | page. Click the overflow menu button on the top right to access your 92 | profile, then click the edit button on your profile page. You can manage 93 | your password and username on this page. 94 | 95 | 96 |
97 | Stratos Profile Page 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 |
107 | 108 |
109 | Stratos Edit Profile Page 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 |
119 | 120 | 121 | -------------------------------------------------------------------------------- /xml/cap_admin_secret_rotation.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Rotating Automatically Generated Secrets 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | ∩ uses a number of automatically generated secrets (passwords and 20 | certificates) for use internally provided by &operator;. This removes 21 | the burden from human operators while allowing for secure communication. 22 | 23 | From time to time, operators may wish to change such secrets, either manually 24 | or on a schedule. This is called rotating a secret. 25 | 26 | 27 | Finding Secrets 28 | 29 | Retrieve the list of all secrets maintained by &kubecf;: 30 | 31 | 32 | &prompt.user;kubectl get quarkssecret --namespace kubecf 33 | 34 | 35 | To see information about a specific secret, for example the NATS 36 | password: 37 | 38 | 39 | &prompt.user;kubectl get quarkssecret --namespace kubecf kubecf.var-nats-password --output yaml 40 | 41 | 42 | Note that each quarkssecret has a corresponding regular &kube; secret 43 | that it controls: 44 | 45 | 46 | &prompt.user;kubectl get secret --namespace kubecf 47 | &prompt.user;kubectl get secret --namespace kubecf kubecf.var-nats-password --output yaml 48 | 49 | 50 | 51 | Rotating Specific Secrets 52 | 53 | To rotate a secret, for example kubecf.var-nats-password: 54 | 55 | 56 | 57 | Create a YAML file for a ConfigMap of the form: 58 | 59 | --- 60 | apiVersion: v1 61 | kind: ConfigMap 62 | metadata: 63 | name: rotate-kubecf.var-nats-password 64 | labels: 65 | quarks.cloudfoundry.org/secret-rotation: "true" 66 | data: 67 | secrets: '["kubecf.var-nats-password"]' 68 | 69 | 70 | The name of the ConfigMap can be anything allowed by &kube; syntax but 71 | we recommend using a name derived from the name of the secret itself. 72 | 73 | 74 | Also, the example above rotates only a single secret but 75 | the data.secrets key accepts an array of secret 76 | names, allowing simultaneous rotation of many secrets. 77 | 78 | 79 | 80 | Apply the ConfigMap: 81 | 82 | &prompt.user;kubectl apply --namespace kubecf -f /path/to/your/yaml/file 83 | 84 | 85 | The result can be seen in the &operator;'s log. 86 | 87 | 88 | 89 | After the rotation is complete, that is after secrets have been 90 | changed and all affected pods have been restarted, delete the config 91 | map again: 92 | 93 | 94 | &prompt.user;kubectl delete --namespace kubecf -f /path/to/your/yaml/file 95 | 96 | 97 | 98 | 99 | 100 | -------------------------------------------------------------------------------- /xml/cap_admin_uaa_ui.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Accessing the UAA User Interface 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | After UAA is deployed successfully, users will not be able to log in to the 20 | UAA user interface (UI) with the admin user and the 21 | UAA_ADMIN_CLIENT_SECRET credentials. This user is only an 22 | OAuth client that is authorized to call UAA REST APIs and will need to create 23 | a separate user in the UAA server by using the UAAC utility. 24 | 25 | 26 | Prerequisites 27 | 28 | 29 | The following prerequisites are required in order to access the UAA UI. 30 | 31 | 32 | 33 | 34 | &cfcli-prereq; 35 | 36 | 37 | &uaac-prereq; 38 | 39 | 40 | 41 | UAA has been successfully deployed. 42 | 43 | 44 | 45 | 46 | 47 | Procedure 48 | 49 | &uaac-target; 50 | &uaac-authenticate; 51 | 52 | 53 | Create a new user. 54 | 55 | &prompt.user;uaac user add NEW-USER -p PASSWORD --emails NEW-USER-EMAIL 56 | 57 | 58 | 59 | Go to the UAA UI at 60 | , replacing example.com with your domain. 61 | 62 | 63 | 64 | 65 | Log in using the the newly created user. Use the username and password as 66 | the credentials. 67 | 68 | 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /xml/cap_admin_upgrade.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Upgrading &productname; 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | &productname; upgrades are delivered as container images from the &suse; 20 | registry and applied with &helm;. 21 | 22 | 23 | For additional upgrade information, always review the release notes 24 | published at 25 | . 26 | 27 | 28 | Important Considerations 29 | 30 | 31 | Before performing an upgrade, be sure to take note of the following: 32 | 33 | 34 | 35 | 36 | Perform Upgrades in Sequence 37 | 38 | 39 | ∩ only supports upgrading releases in sequential order. If there are 40 | any intermediate releases between your current release and your target 41 | release, they must be installed. Skipping releases is not supported. 42 | 43 | 44 | 45 | 46 | Preserve &helm; Value Changes during Upgrades 47 | 48 | 49 | During a helm upgrade, always ensure your 50 | &values-filename; file is passed. This will 51 | preserve any previously set &helm; values while allowing additional 52 | &helm; value changes to be made. 53 | 54 | 55 | 56 | 57 | helm rollback Is Not Supported 58 | 59 | 60 | helm rollback is not supported in &productname; or in 61 | upstream &cf;, and may break your cluster completely, because database 62 | migrations only run forward and cannot be reversed. Database schema can 63 | change over time. During upgrades both pods of the current and the next 64 | release may run concurrently, so the schema must stay compatible with the 65 | immediately previous release. But there is no way to guarantee such 66 | compatibility for future upgrades. One way to address this is to perform a 67 | full raw data backup and restore. (See 68 | ) 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | Upgrading &productname; 77 | 78 | 79 | The supported upgrade method is to install all upgrades, in order. Skipping 80 | releases is not supported. This table matches the Helm chart versions to 81 | each release: 82 | 83 | 84 | &releases-table; 85 | 86 | 87 | Use helm list to see the version of your installed release 88 | . Perform sequential upgrades until you reach the desired &productname; 89 | release. 90 | 91 | 92 | 93 | The example procedure below demonstrates how to upgrade to the current 94 | release. If you are not upgrading to the current release, replace the 95 | version with the version you intend to upgrade to. 96 | 97 | 98 | 99 | 100 | 101 | Begin by upgrading &operator;. 102 | 103 | &prompt.user;helm upgrade cf-operator suse/cf-operator \ 104 | --namespace cf-operator \ 105 | --set "global.singleNamespace.name=kubecf" \ 106 | --version &operator_chart; 107 | 108 | 109 | 110 | 111 | Wait until &operator; is successfully upgraded before proceeding. Monitor 112 | the status of your &operator; upgrade using the watch 113 | command. 114 | 115 | &prompt.user;watch --color 'kubectl get pods --namespace cf-operator' 116 | 117 | 118 | 119 | When the &operator; upgrade is completed, upgrade &kubecf;. 120 | 121 | &prompt.user;helm upgrade kubecf suse/kubecf \ 122 | --namespace kubecf \ 123 | --values &values-file; \ 124 | --version &kubecf_chart; 125 | 126 | 127 | 128 | 129 | Monitor the status of your &kubecf; upgrade using the watch 130 | command. 131 | 132 | &prompt.user;watch --color 'kubectl get pods --namespace kubecf' 133 | 134 | 135 | 136 | 137 | -------------------------------------------------------------------------------- /xml/cap_depl_admin_notes.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Deployment and Administration Notes 13 | 14 | 15 | yes 16 | 17 | 18 | 20 | 21 | Important things to know before deploying &productname;. 22 | 23 | 24 | Important Changes 25 | 26 | Schedulers such as Diego and Eirini, and stacks such as 27 | cflinuxfs3 or sle15, have different 28 | memory requirements for applications. Not every combination is tested so 29 | there is no universal memory setting for ∩, and because it depends on the 30 | application deployed, it is up to the user to adjust the setting based on 31 | their application. 32 | 33 | 34 | 35 | Status of Pods during Deployment 36 | &deployment-pod-status; 37 | 38 | 39 | Length of Release Names 40 | &release-name-length; 41 | 42 | 43 | Releases and Associated Versions 44 | 45 | &kubecf-operator-versions; 46 | 47 | 48 | The supported upgrade method is to install all upgrades, in order. Skipping 49 | releases is not supported. This table matches the &helm; chart versions to 50 | each release as well as other version related information. 51 | 52 | &releases-table; 53 | 54 | 55 | -------------------------------------------------------------------------------- /xml/cap_depl_air_gap_registry.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Setting Up a Registry for an Air Gapped Environment 13 | 14 | 15 | yes 16 | 17 | 18 | &readmefirst; 19 | 20 | ∩, which consists of &docker; images, is deployed to a &kube; cluster 21 | through &helm;. These images are hosted on a &docker; registry at 22 | registry.suse.com. In an air gapped environment, 23 | registry.suse.com will not be accessible. You will need to 24 | create a registry, and populate it will the images used by ∩. 25 | 26 | 27 | This chapter describes how to load your registry with the necessary images to 28 | deploy ∩ in an air gapped environment. 29 | 30 | 31 | Prerequisites 32 | 33 | 34 | The following prerequisites are required: 35 | 36 | 37 | 38 | 39 | 40 | The &docker; Command Line. See 41 | 42 | for more information. 43 | 44 | 45 | 46 | 47 | A &docker; registry has been created in your air gapped environment. Refer to 48 | the &docker; documentation at 49 | for instructions. 50 | 51 | 52 | 53 | 54 | 55 | 56 | Mirror Images to Registry 57 | 58 | All the ∩ &helm; charts include an imagelist.txt 59 | file that lists all images from the registry.suse.com 60 | registry under the cap organization. They can be mirrored 61 | to a local registry with the following script. 62 | 63 | 64 | Replace the value of MIRROR with your registry's domain. 65 | 66 | #!/bin/bash 67 | 68 | MIRROR=MY_REGISTRY.COM 69 | 70 | set -ex 71 | 72 | function mirror { 73 | CHART=$1 74 | CHARTDIR=$(mktemp -d) 75 | helm fetch suse/$1 --untar --untardir=${CHARTDIR} 76 | IMAGES=$(cat ${CHARTDIR}/**/imagelist.txt) 77 | for IMAGE in ${IMAGES}; do 78 | echo $IMAGE 79 | docker pull registry.suse.com/cap/$IMAGE 80 | docker tag registry.suse.com/cap/$IMAGE $MIRROR/cap/$IMAGE 81 | docker push $MIRROR/cap/$IMAGE 82 | done 83 | docker save -o ${CHART}-images.tar.gz \ 84 | $(perl -E "say qq(registry.suse.com/cap/\$_) for @ARGV" ${IMAGES}) 85 | rm -r ${CHARTDIR} 86 | } 87 | 88 | mirror cf-operator 89 | mirror kubecf 90 | mirror console 91 | mirror metrics 92 | mirror minibroker 93 | 94 | 95 | The script above will both mirror to a local registry and save the images in 96 | a local tarball that can be restored with 97 | docker load foo-images.tgz. In general only one of these 98 | mechanisms will be needed. 99 | 100 | 101 | Also take note of the following regarding the script provided above. 102 | 103 | 104 | 105 | 106 | The nginx-ingress chart is not supported by this 107 | mechanism because it is not part of the cap organization 108 | (and cannot be configured with the 109 | kube.registry.hostname setting at deploy time either). 110 | 111 | 112 | Instead manually parse the &helm; chart for the image names and do a manual 113 | docker pull && docker tag && docker push 114 | on them. 115 | 116 | 117 | 118 | 119 | Before deploying ∩ using helm install, ensure the 120 | following in your 121 | &values-filename; has been updated to point to your 122 | registry, and not registry.suse.com. 123 | 124 | kube: 125 | registry: 126 | # example registry domain 127 | hostname: "MY_REGISTRY.COM" 128 | username: "" 129 | password: "" 130 | organization: "cap" 131 | 132 | 133 | 134 | -------------------------------------------------------------------------------- /xml/cap_depl_aks.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Deploying &productname; on &aks-full; (AKS) 13 | 14 | 15 | yes 16 | 17 | 18 | &readmefirst; 19 | 20 | &productname; supports deployment on &aks-full; 21 | (AKS), Microsoft's managed &kube; service. This chapter describes the steps 22 | for preparing Azure for a &productname; deployment, deployed with the default 23 | Azure Standard SKU load balancer (see 24 | ). 25 | 26 | 27 | In &kube; terminology a node used to be a minion, which was the name for a 28 | worker node. Now the correct term is simply node (see 29 | ). 30 | This can be confusing, as computing nodes have traditionally been defined as 31 | any device in a network that has an IP address. In Azure they are called 32 | agent nodes. In this chapter we call them agent nodes or &kube; nodes. 33 | 34 | 35 | Prerequisites 36 | 37 | 38 | The following are required to deploy and use &productname; on AKS: 39 | 40 | 41 | 42 | 43 | 44 | az, the Azure command line client. See 45 | 46 | for more information and installation instructions. 47 | 48 | 49 | 50 | 51 | A &ms; Azure account. For details, refer to 52 | . 53 | 54 | 55 | 56 | 57 | Your Azure account has sufficient quota. The minimal installation described 58 | in this chapter require 24 vCPUs. If your account has insufficient quota, 59 | you can request a quota increase by going to 60 | . 61 | 62 | 63 | 64 | 65 | A SSH key that can be used for access to the nodes of the cluster. 66 | 67 | 68 | 69 | 70 | &cfcli-prereq; 71 | &kubectl-prereq; 72 | &jq-prereq; 73 | &curl-prereq; 74 | &sed-prereq; 75 | 76 | 77 | 78 | Create Resource Group and AKS Instance 79 | 80 | 81 | Log in to your Azure account, which should have the 82 | Contributor role. 83 | 84 | 85 | &prompt.user;az login 86 | 87 | 88 | 89 | 90 | 91 | You can set up an AKS cluster with an automatically generated service 92 | principal. Note that to be be able to create a service principal your user 93 | account must have permissions to register an application with your Azure 94 | Active Directory tenant, and to assign the application to a role in your 95 | subscription. For details, see . 96 | 97 | 98 | 99 | Alternatively, you can specify an existing service principal but the service 100 | principal must have sufficient rights to be able to create resources at the 101 | appropriate level, for example resource group, subscription etc. For more 102 | details please see: 103 | 104 | 105 | 106 | 107 | 108 | Create a service principal: 109 | 110 | 111 | 112 | 113 | Create a role assignment for the service principal, at the subscription or 114 | resource group level: 115 | 116 | 117 | 118 | 119 | Create the cluster with the service principal: 120 | 121 | 122 | 123 | 124 | 125 | Specify the following additional parameters for creating the cluster: node 126 | count, a username for SSH access to the nodes, SSH key, VM type, VM disk size 127 | and optionally, the &kube; version and a nodepool name. 128 | 129 | 130 | &prompt.user;az aks create --resource-group my-resource-group --name cap-aks \ 131 | --node-count 3 --admin-username cap-user \ 132 | --ssh-key-value /path/to/some_key.pub --node-vm-size Standard_DS4_v2 \ 133 | --node-osdisk-size &node_size; --nodepool-name mypool 134 | 135 | 137 | 138 | 139 | For more az aks create options see 140 | . 141 | 142 | 143 | 144 | This takes a few minutes. When it is completed, fetch your 145 | kubectl credentials. The default behavior for az 146 | aks get-credentials is to merge the new credentials with the 147 | existing default configuration, and to set the new credentials as as the 148 | current &kube; context. The context name is your AKS_NAME value. You should 149 | first backup your current configuration, or move it to a different location, 150 | then fetch the new credentials: 151 | 152 | 153 | &prompt.user;az aks get-credentials --resource-group $RG_NAME --name $AKS_NAME 154 | Merged "cap-aks" as current context in /home/&exampleuser_plain;/.kube/config 155 | 156 | 157 | Verify that you can connect to your cluster: 158 | 159 | 160 | &prompt.user;kubectl get nodes 161 | 162 | 163 | When all nodes are in a ready state and all pods are running, proceed to the 164 | next steps. 165 | 166 | 167 | 168 | 169 | &install-helm; 170 | 171 | 172 | &storage-class; 173 | 174 | 175 | 176 | Deployment Configuration 177 | 178 | The following file, &values-filename;, provides a 179 | minimal example deployment configuration. 180 | 181 | 182 | &values-file-changes; 183 | 184 | &supported-domains; 185 | 186 | &example-config; 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | &certificates; 195 | 196 | 197 | 198 | 199 | &ingress-controller; 200 | 201 | 202 | 203 | 204 | &affinity; 205 | 206 | 207 | 208 | 209 | &high-availability; 210 | 211 | 212 | 213 | 214 | &external-blobstore; 215 | 216 | 217 | 218 | 219 | &external-database; 220 | 221 | 222 | 223 | 224 | 225 | Add the &kube; Charts Repository 226 | 227 | 228 | Download the &suse; &kube; charts repository with &helm;: 229 | 230 | 231 | &prompt.user;helm repo add suse https://kubernetes-charts.suse.com/ 232 | 233 | 234 | You may replace the example suse name with any 235 | name. Verify with helm: 236 | 237 | 238 | &prompt.user;helm repo list 239 | NAME URL 240 | stable https://kubernetes-charts.storage.googleapis.com 241 | local http://127.0.0.1:8879/charts 242 | suse https://kubernetes-charts.suse.com/ 243 | 244 | 245 | 246 | List your chart names, as you will need these for some operations: 247 | 248 | 249 | &helm-search-suse; 250 | 251 | 252 | 253 | Deploying &productname; 254 | 255 | This section describes how to deploy &productname; with a Azure Standard SKU 256 | load balancer. 257 | 258 | 259 | &kubecf-operator-versions; 260 | 261 | 262 | &deploy-operator; 263 | 264 | 265 | 266 | Deploy &kubecf; 267 | 268 | &deploy-kubecf; 269 | 270 | 271 | Create DNS A records for the public services. 272 | 273 | &dns-mappings; 274 | 275 | 276 | 277 | When all pods are fully ready, verify your deployment. See for more information. 278 | 279 | &cf-auth; 280 | 281 | 282 | 283 | 284 | 285 | 286 | 287 | 288 | 289 | &ldap; 290 | 291 | 292 | 293 | 294 | 295 | 296 | 297 | 298 | Expanding Capacity of a ∩ Deployment on &aks; 299 | 300 | 301 | If the current capacity of your ∩ deployment is insufficient for your 302 | workloads, you can expand the capacity using the procedure in this section. 303 | 304 | 305 | 306 | These instructions assume you have followed the procedure in 307 | and have a running ∩ deployment on 308 | &aks;. The instructions below will use environment variables defined in 309 | . 310 | 311 | 312 | 313 | 314 | 315 | Get the current number of &kube; nodes in the cluster. 316 | 317 | &prompt.user;export OLD_NODE_COUNT=$(kubectl get nodes --output json | jq '.items | length') 318 | 319 | 320 | 321 | Set the number of &kube; nodes the cluster will be expanded to. Replace the 322 | example value with the number of nodes required for your workload. 323 | 324 | &prompt.user;export NEW_NODE_COUNT=5 325 | 326 | 327 | 328 | 329 | Increase the &kube; node count in the cluster. 330 | 331 | &prompt.user;az aks scale --resource-group $RG_NAME --name $AKS_NAME \ 332 | --node-count $NEW_NODE_COUNT \ 333 | --nodepool-name $NODEPOOL_NAME 334 | 335 | 336 | 337 | 338 | Verify the new nodes are in a Ready state before proceeding. 339 | 340 | &prompt.user;kubectl get nodes 341 | 342 | 343 | 344 | Add or update the following in your 345 | &values-filename; file to increase the number of 346 | diego-cell in your ∩ deployment. Replace the 347 | example value with the number required by your workflow. 348 | 349 | sizing: 350 | diego_cell: 351 | instances: 5 352 | 353 | 354 | 355 | 356 | Perform a helm upgrade to apply the change. 357 | 358 | &prompt.user;helm upgrade kubecf suse/kubecf \ 359 | --namespace kubecf \ 360 | --values &values-file; \ 361 | --version &kubecf_chart; 362 | 363 | 364 | 365 | 366 | Monitor progress of the additional diego-cell pods: 367 | 368 | &prompt.user;watch --color 'kubectl get pods --namespace kubecf' 369 | 370 | 371 | 372 | 373 | -------------------------------------------------------------------------------- /xml/cap_depl_eirini.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Eirini 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | 20 | Eirini, an alternative to Diego, is a scheduler for the &cf; Application 21 | Runtime (CFAR) that runs &cf; user applications in &kube;. For details about 22 | Eirini, see 23 | and 24 | 25 | 26 | 27 | Different schedulers and stacks have different memory requirements for 28 | applications. Not every combination is tested so there is no universal memory 29 | setting for ∩, and because it depends on the application deployed, it is 30 | up to the user to adjust the setting based on their application. 31 | 32 | 33 | 34 | Limitations and Other Considerations 35 | 36 | When using Eirini, it is important to take into consideration: 37 | 38 | 39 | 40 | 41 | If you are upgrading from &productname; 2.0.1 to 2.1.0 and plan to convert 42 | from Diego to Eirini, please upgrade your Diego environment to &productname; 43 | 2.1.0 first and then migrate to Eirini as the earlier CAP versions relied a 44 | technical preview version of Eirini. 45 | 46 | 47 | In this situation, your current applications relying on the 48 | cflinuxfs3 stack need to be converted to the 49 | sle15 stack. You can re-push your applications with 50 | cf push APP_NAME -s sle15 to do so, otherwise your 51 | applications will crash on Eirini. 52 | 53 | 54 | 55 | 56 | Applications on Eirini will require slightly more memory than on Diego. 57 | From testing, add an additional 32 MB to your application's manifest. The 58 | increase may vary, depending on your application. 59 | 60 | 61 | 62 | 63 | TCP routing is not available in Eirini deployments at this time. 64 | 65 | 66 | 67 | 68 | Eirini requires the k8s-metrics-server to be installed 69 | on the &kube; environment where &productname; is installed in order for 70 | Stratos Metrics to work. 71 | 72 | 73 | 74 | 75 | Stratos Metrics will not show disk stats on Eirini. 76 | 77 | 78 | 79 | 80 | When there is a &kube; outage, Eirini will not automatically restart 81 | applications upon its return. You will need to manually start them up at 82 | present. 83 | 84 | 85 | 86 | 87 | 88 | Enabling Eirini 89 | 90 | 91 | 92 | 93 | To enable Eirini, and disable Diego, add the following to your 94 | &values-filename; file. 95 | 96 | 97 | features: 98 | eirini: 99 | enabled: true 100 | 101 | 102 | When Eirini is enabled, both features.suse_default_stack 103 | and features.suse_buildpacks must be enabled as well. 104 | A cflinuxfs3 Eirini image is currently not available, and the &suse; stack 105 | must be used. By default, both the &suse; stack and buildpacks are enabled. 106 | 107 | 108 | 109 | 110 | 111 | After enabling Eirini, you will still see the 112 | diego-api pod. This is normal behavior because the Diego pod has a component required by Eirini. 113 | 114 | 115 | 116 | 117 | Eirini will only work on a cluster that has the parameter --cluster-domain set to cluster.local. 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | Deploy kubecf. 126 | 127 | 128 | Refer to the following for platform-specific instructions: 129 | 130 | &deployment-platforms; 131 | 132 | 133 | 134 | In order for Eirini to report application metrics, Metrics Server 135 | (link xlink:href="https://github.com/kubernetes-sigs/metrics-server"/> must 136 | be installed. 137 | 138 | 139 | Note that --kubelet-insecure-tls is not recommended for 140 | production usage, but can be useful in test clusters with self-signed 141 | Kubelet serving certificates. For production, use 142 | --tls-private-key-file. 143 | 144 | &prompt.user;helm install metrics-server stable/metrics-server --set args[0]="--kubelet-preferred-address-types=InternalIP" --set args[1]="--kubelet-insecure-tls" 145 | 146 | 147 | 148 | 149 | -------------------------------------------------------------------------------- /xml/cap_depl_eks.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Deploying &productname; on &eks-full; (EKS) 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | &readmefirst; 20 | 21 | 22 | This chapter describes how to deploy &productname; on &eks-full; (EKS), using 23 | Amazon's Elastic Load Balancer to provide fault-tolerant access to your 24 | cluster. 25 | 26 | 27 | Prerequisites 28 | 29 | 30 | The following are required to deploy and use &productname; on EKS: 31 | 32 | 33 | 34 | 35 | 36 | An Amazon AWS account with sufficient permissions. For details, refer to 37 | . 38 | 39 | 40 | 41 | 42 | eksctl, a command line client to create and manage 43 | &kube; clusters on &eks;. See 44 | 45 | for more information and installation instructions. 46 | 47 | 48 | 49 | 50 | &cfcli-prereq; 51 | &kubectl-prereq; 52 | &curl-prereq; 53 | 54 | 55 | 56 | 57 | Create an EKS Cluster 58 | 59 | 60 | Now you can create an EKS cluster using eksctl. Be sure to 61 | keep in mind the following minimum requirements of the cluster. 62 | 63 | 64 | 65 | 66 | 67 | Node sizes are at least t3.xlarge. 68 | 69 | 70 | 71 | 72 | The NodeVolumeSize must be a minimum of &node_size; GB. 73 | 74 | 75 | 76 | 77 | The &kube; version is at least &min_kube;. 78 | 79 | 80 | 81 | 82 | As a minimal example, the following command will create an EKS cluster. To 83 | see additional configuration parameters, see eksctl create cluster --help. 84 | 85 | 86 | &prompt.user;eksctl create cluster --name kubecf --version &min_kube; \ 87 | --nodegroup-name standard-workers --node-type t3.xlarge \ 88 | --nodes 3 --node-volume-size &node_size; \ 89 | --region us-east-2 --managed \ 90 | --ssh-access --ssh-public-key /path/to/some_key.pub 91 | 92 | 93 | 94 | 95 | &install-helm; 96 | 97 | 98 | &storage-class; 99 | 100 | 101 | 102 | Deployment Configuration 103 | 104 | 105 | Use this example &values-filename; as a template 106 | for your configuration. 107 | 108 | 109 | &values-file-changes; 110 | 111 | &supported-domains; 112 | 113 | &example-config; 114 | 115 | 116 | 117 | 118 | 119 | 120 | &certificates; 121 | 122 | 123 | 124 | 125 | &ingress-controller; 126 | 127 | 128 | 129 | 130 | &affinity; 131 | 132 | 133 | 134 | 135 | &high-availability; 136 | 137 | 138 | 139 | 140 | &external-blobstore; 141 | 142 | 143 | 144 | 145 | &external-database; 146 | 147 | 148 | 149 | 150 | 151 | Add the &kube; Charts Repository 152 | 153 | 154 | Download the &suse; &kube; charts repository with &helm;: 155 | 156 | 157 | &prompt.user;helm repo add suse https://kubernetes-charts.suse.com/ 158 | 159 | 160 | You may replace the example suse name with any 161 | name. Verify with helm: 162 | 163 | 164 | &prompt.user;helm repo list 165 | NAME URL 166 | stable https://kubernetes-charts.storage.googleapis.com 167 | local http://127.0.0.1:8879/charts 168 | suse https://kubernetes-charts.suse.com/ 169 | 170 | 171 | List your chart names, as you will need these for some operations: 172 | 173 | 174 | &helm-search-suse; 175 | 176 | 177 | 178 | Deploying &productname; 179 | 180 | This section describes how to deploy &productname; on &eks;. 181 | 182 | 183 | &kubecf-operator-versions; 184 | 185 | 186 | &deploy-operator; 187 | 188 | 189 | 190 | Deploy &kubecf; 191 | 192 | &deploy-kubecf; 193 | 194 | 195 | Create DNS CNAME records for the public services. 196 | 197 | &dns-mappings; 198 | 199 | 200 | 201 | When all pods are fully ready, verify your deployment. See for more information. 202 | 203 | &cf-auth; 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | &ldap; 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | Expanding Capacity of a ∩ Deployment on &eks; 223 | 224 | 225 | If the current capacity of your ∩ deployment is insufficient for your 226 | workloads, you can expand the capacity using the procedure in this section. 227 | 228 | 229 | 230 | These instructions assume you have followed the procedure in 231 | and have a running ∩ deployment on 232 | &eks;. 233 | 234 | 235 | 236 | 237 | 238 | Get the current number of &kube; nodes in the cluster. 239 | 240 | &prompt.user;eksctl get nodegroup --name standard-workers \ 241 | --cluster kubecf \ 242 | --region us-east-2 243 | 244 | 245 | 246 | 247 | Scale the nodegroup to the desired node count. 248 | 249 | &prompt.user;eksctl scale nodegroup --name standard-workers \ 250 | --cluster kubecf \ 251 | --nodes 4 \ 252 | --region us-east-2 253 | 254 | 255 | 256 | 257 | Verify the new nodes are in a Ready state before 258 | proceeding. 259 | 260 | &prompt.user;kubectl get nodes 261 | 262 | 263 | 264 | Add or update the following in your 265 | &values-filename; file to increase the number of 266 | diego-cell in your ∩ deployment. Replace the 267 | example value with the number required by your workflow. 268 | 269 | sizing: 270 | diego_cell: 271 | instances: 5 272 | 273 | 274 | 275 | 276 | Perform a helm upgrade to apply the change. 277 | 278 | &prompt.user;helm upgrade kubecf suse/kubecf \ 279 | --namespace kubecf \ 280 | --values &values-file; \ 281 | --version &kubecf_chart; 282 | 283 | 284 | 285 | 286 | Monitor progress of the additional diego-cell pods: 287 | 288 | &prompt.user;watch --color 'kubectl get pods --namespace 289 | kubecf' 290 | 291 | 292 | 293 | 294 | -------------------------------------------------------------------------------- /xml/cap_depl_gke.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Deploying &productname; on &gke-full; (GKE) 13 | 14 | 15 | yes 16 | 17 | 18 | &readmefirst; 19 | 20 | &productname; supports deployment on &gke-full; (GKE). This chapter describes the steps 21 | to prepare a &productname; deployment on GKE using its integrated network load balancers. See 22 | 23 | for more information on GKE. 24 | 25 | 26 | Prerequisites 27 | 28 | 29 | The following are required to deploy and use &productname; on GKE: 30 | 31 | 32 | 33 | 34 | 35 | A Google Cloud Platform (GCP) user account or a service account with the 36 | following IAM roles. If you do not have an account, visit 37 | to create one. 38 | 39 | 40 | 41 | 42 | compute.admin. For details regarding this role, refer to 43 | . 44 | 45 | 46 | 47 | 48 | container.admin. For details regarding this role, refer to 49 | . 50 | 51 | 52 | 53 | 54 | iam.serviceAccountUser. For details regarding this role, refer to 55 | . 56 | 57 | 58 | 59 | 60 | 61 | 62 | Access to a GCP project with the &kube; Engine API enabled. If a 63 | project needs to be created, refer to 64 | . 65 | To enable access to the API, refer to 66 | . 67 | 68 | 69 | 70 | 71 | gcloud, the primary command line interface to Google 72 | Cloud Platform. See 73 | for more 74 | information and installation instructions. 75 | 76 | 77 | 78 | 79 | &cfcli-prereq; 80 | &kubectl-prereq; 81 | &jq-prereq; 82 | &curl-prereq; 83 | &sed-prereq; 84 | 85 | 86 | 87 | Creating a GKE cluster 88 | 89 | 90 | In order to deploy &productname;, create a cluster that: 91 | 92 | 93 | 94 | 95 | 96 | Is a Zonal or Regional type. Do not 97 | use a Alpha cluster. 98 | 99 | 100 | 101 | 102 | Uses Ubuntu as the host operating system. If using the 103 | gcloud CLI, include --image-type=UBUNTU 104 | during the cluster creation. 105 | 106 | 107 | 108 | 109 | Allows access to all Cloud APIs (in order for storage to work correctly). 110 | 114 | 115 | 116 | 117 | 118 | Has at least 3 nodes of machine type n1-standard-4. If using the 119 | gcloud CLI, include --machine-type=n1-standard-4 120 | and --num-nodes=3 during the cluster creation. For details, see 121 | . 122 | 123 | 124 | 125 | 126 | Has at least &node_size; GB local storage per node. 127 | 128 | 129 | 130 | 131 | (Optional) Uses preemptible nodes to keep costs low. For details, see 132 | . 133 | 134 | 135 | 136 | 137 | 138 | 139 | Set a name for your cluster: 140 | 141 | &prompt.user;export CLUSTER_NAME="cap" 142 | 143 | 144 | 145 | Set the zone for your cluster: 146 | 147 | &prompt.user;export CLUSTER_ZONE="us-west1-a" 148 | 149 | 150 | 151 | Set the number of nodes for your cluster: 152 | 153 | &prompt.user;export NODE_COUNT=3 154 | 155 | 156 | 157 | Create the cluster: 158 | 159 | &prompt.user;gcloud container clusters create ${CLUSTER_NAME} \ 160 | --image-type=UBUNTU \ 161 | --machine-type=n1-standard-4 \ 162 | --zone ${CLUSTER_ZONE} \ 163 | --num-nodes=$NODE_COUNT \ 164 | --no-enable-basic-auth \ 165 | --no-issue-client-certificate \ 166 | --no-enable-autoupgrade 167 | 168 | 169 | 170 | 171 | Specify the --no-enable-basic-auth and 172 | --no-issue-client-certificate flags so that 173 | kubectl does not use basic or client certificate 174 | authentication, but uses OAuth Bearer Tokens instead. Configure the 175 | flags to suit your desired authentication mechanism. 176 | 177 | 178 | 179 | 180 | Specify --no-enable-autoupgrade to disable 181 | automatic upgrades. 182 | 183 | 184 | 185 | 186 | Disable legacy metadata server endpoints using 187 | --metadata disable-legacy-endpoints=true as a best 188 | practice as indicated in 189 | . 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | Get <literal>kubeconfig</literal> File 199 | 200 | 201 | Get the kubeconfig file for your cluster. 202 | 203 | 204 | &prompt.user;gcloud container clusters get-credentials --zone ${CLUSTER_ZONE:?required} ${CLUSTER_NAME:?required} --project example-project 205 | 206 | 207 | 208 | 209 | &install-helm; 210 | 211 | 212 | &storage-class; 213 | 214 | 215 | 216 | Deployment Configuration 217 | 218 | The following file, &values-filename;, provides a 219 | minimal example deployment configuration. 220 | 221 | 222 | &values-file-changes; 223 | 224 | &supported-domains; 225 | 226 | &example-config; 227 | 228 | 229 | 230 | 231 | 232 | 233 | &certificates; 234 | 235 | 236 | 237 | 238 | &ingress-controller; 239 | 240 | 241 | 242 | 243 | &affinity; 244 | 245 | 246 | 247 | 248 | &high-availability; 249 | 250 | 251 | 252 | 253 | &external-blobstore; 254 | 255 | 256 | 257 | 258 | &external-database; 259 | 260 | 261 | 262 | 263 | 264 | Add the &kube; charts repository 265 | 266 | 267 | Download the &suse; &kube; charts repository with &helm;: 268 | 269 | 270 | &prompt.user;helm repo add suse https://kubernetes-charts.suse.com/ 271 | 272 | 273 | You may replace the example suse name with any 274 | name. Verify with helm: 275 | 276 | 277 | &prompt.user;helm repo list 278 | NAME URL 279 | stable https://kubernetes-charts.storage.googleapis.com 280 | local http://127.0.0.1:8879/charts 281 | suse https://kubernetes-charts.suse.com/ 282 | 283 | 284 | 285 | List your chart names, as you will need these for some operations: 286 | 287 | 288 | &helm-search-suse; 289 | 290 | 291 | 292 | Deploying &productname; 293 | 294 | This section describes how to deploy &productname; on &gke;, and how to 295 | configure your DNS records. 296 | 297 | 298 | &kubecf-operator-versions; 299 | 300 | 301 | &deploy-operator; 302 | 303 | 304 | 305 | Deploy &kubecf; 306 | 307 | &deploy-kubecf; 308 | 309 | 310 | Create DNS A records for the public services. 311 | 312 | &dns-mappings; 313 | 314 | 315 | 316 | When all pods are fully ready, verify your deployment. See for more information. 317 | 318 | &cf-auth; 319 | 320 | 321 | 322 | 323 | 324 | 325 | 326 | 327 | 328 | &ldap; 329 | 330 | 331 | 332 | 333 | 334 | 335 | 336 | 337 | Expanding Capacity of a ∩ Deployment on &gke; 338 | 339 | 340 | If the current capacity of your ∩ deployment is insufficient for your 341 | workloads, you can expand the capacity using the procedure in this section. 342 | 343 | 344 | 345 | These instructions assume you have followed the procedure in 346 | and have a running ∩ deployment on 347 | &aks;. The instructions below will use environment variables defined in 348 | . 349 | 350 | 351 | 352 | 353 | 354 | Get the most recently created node in the cluster. 355 | 356 | &prompt.user;RECENT_VM_NODE=$(gcloud compute instances list --filter=name~${CLUSTER_NAME:?required} --format json | jq --raw-output '[sort_by(.creationTimestamp) | .[].creationTimestamp ] | last | .[0:19] | strptime("%Y-%m-%dT%H:%M:%S") | mktime') 357 | 358 | 359 | 360 | 361 | Increase the &kube; node count in the cluster. Replace the example value 362 | with the number of nodes required for your workload. 363 | 364 | &prompt.user;gcloud container clusters resize $CLUSTER_NAME \ 365 | --num-nodes 5 366 | 367 | 368 | 369 | 370 | Verify the new nodes are in a Ready state before proceeding. 371 | 372 | &prompt.user;kubectl get nodes 373 | 374 | 375 | 376 | Add or update the following in your 377 | &values-filename; file to increase the number of 378 | diego-cell in your ∩ deployment. Replace the 379 | example value with the number required by your workflow. 380 | 381 | sizing: 382 | diego_cell: 383 | instances: 5 384 | 385 | 386 | 387 | 388 | Perform a helm upgrade to apply the change. 389 | 390 | &prompt.user;helm upgrade kubecf suse/kubecf \ 391 | --namespace kubecf \ 392 | --values &values-file; \ 393 | --version &kubecf_chart; 394 | 395 | 396 | 397 | 398 | Monitor progress of the additional diego-cell pods: 399 | 400 | &prompt.user;watch --color 'kubectl get pods --namespace kubecf' 401 | 402 | 403 | 404 | 405 | -------------------------------------------------------------------------------- /xml/cap_depl_private_registry.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | &suse; Private Registry 13 | 14 | 15 | yes 16 | 17 | 18 | &readmefirst; 19 | 20 | &productname; offers &suse; Private Registry as an Open Container Initiative 21 | (OCI) registry solution to store, replicate, manage, and secure OCI images and 22 | artifacts. Operators who opt to use &suse; Private Registry can follow the 23 | configuration and installation instructions from 24 | . 25 | 26 | 27 | -------------------------------------------------------------------------------- /xml/cap_depl_terraform.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Deploying &productname; Using Terraform 13 | 14 | 15 | yes 16 | 17 | 18 | &readmefirst; 19 | 20 | In addition to the manual deployment methods mentioned earlier in this guide, 21 | operators have the option to deploy &productname; on AWS, Azure, or GCP using 22 | Terraform. The Terraform scripts will deploy the entirety of &productname;, 23 | including &kubecf;, &operator;, Stratos, and Stratos Metrics. Operators can 24 | deploy using Terraform by following the instructions from 25 | . 26 | 27 | 28 | -------------------------------------------------------------------------------- /xml/cap_intro.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | About This Guide 12 | 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | &productname; is a software platform for cloud-native applications based on 20 | Cloud Foundry Application Runtime (&operator;, &kubecf;, and Stratos) with 21 | additional supporting components. 22 | 23 | 24 | ∩ is designed to run on any &kube; cluster. This guide describes how 25 | to deploy it on: 26 | 27 | 28 | &deployment-platforms; 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /xml/cap_kube_requirements.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Other &kube; Systems 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | &kube; Requirements 20 | 21 | 22 | &productname; is designed to run on any &kube; system that meets the 23 | following requirements: 24 | 25 | 26 | 27 | 28 | 29 | &kube; API version of at least &min_kube; 30 | 31 | 32 | 33 | 34 | &kernel-prereq; 35 | 36 | 37 | 38 | The container runtime storage driver should 39 | not be aufs. 40 | 41 | 42 | 43 | 44 | Presence of a storage class for &productname; to use 45 | 46 | 47 | 48 | 49 | kubectl can authenticate with the apiserver 50 | 51 | 52 | 53 | 54 | kube-dns or core-dns should be 55 | running and ready 56 | 57 | 58 | 59 | 60 | ntp, systemd-timesyncd, 61 | or chrony must be installed and active 62 | 63 | 64 | 65 | 66 | The container runtime must be configured to allow privileged containers 67 | 68 | 69 | 70 | 71 | Privileged container must be enabled in kube-apiserver. 72 | See 73 | kube-apiserver. 74 | 75 | 76 | 77 | 78 | For &kube; deployments prior to version 1.15, privileged must be enabled 79 | in kubelet 80 | 81 | 82 | 83 | 84 | The TasksMax property of the 85 | containerd service definition must be set to infinity 86 | 87 | 88 | 89 | 90 | 91 | -------------------------------------------------------------------------------- /xml/cap_troubleshooting.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Troubleshooting 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | Cloud stacks are complex, and debugging deployment issues often requires 20 | digging through multiple layers to find the information you need. Remember 21 | that the &kubecf; releases must be deployed in the correct order, and that each 22 | release must deploy successfully, with no failed pods, before deploying the 23 | next release. 24 | 25 | 26 | Before proceeding with in depth troubleshooting, ensure the following have 27 | been met as defined in the Support Statement at . 28 | 29 | 30 | 31 | 32 | The &kube; cluster satisfies the Requirements listed here at 33 | . 34 | 35 | 36 | 37 | 38 | The kube-ready-state-check.sh script has been run on 39 | the target &kube; cluster and does not show any configuration problems. 40 | 41 | 42 | 43 | 44 | A &suse; Services or Sales Engineer has verified that &productname; works 45 | correctly on the target &kube; cluster. 46 | 47 | 48 | 49 | 50 | Logging 51 | 52 | 53 | There are two types of logs in a deployment of &productname;, applications 54 | logs and component logs. The following provides a brief overview of each log 55 | type and how to retrieve them for monitoring and debugging use. 56 | 57 | 58 | 59 | &log-types-and-fetch; 60 | 61 | 62 | Using Supportconfig 63 | 64 | 65 | If you ever need to request support, or just want to generate detailed 66 | system information and logs, use the supportconfig 67 | utility. Run it with no options to collect basic system information, and 68 | also cluster logs including &docker;, etcd, flannel, and Velum. 69 | supportconfig may give you all the information you need. 70 | 71 | 72 | 73 | supportconfig -h prints the options. Read the "Gathering 74 | System Information for Support" chapter in any &sle; &admin; to 75 | learn more. 76 | 77 | 78 | 79 | Deployment Is Taking Too Long 80 | 81 | 82 | A deployment step seems to take too long, or you see that some pods are not 83 | in a ready state hours after all the others are ready, or a pod shows a lot 84 | of restarts. This example shows not-ready pods many hours after the others 85 | have become ready: 86 | 87 | 88 | &prompt.user;kubectl get pods --namespace kubecf 89 | NAME READY STATUS RESTARTS AGE 90 | router-3137013061-wlhxb 0/1 Running 0 16h 91 | routing-api-0 0/1 Running 0 16h 92 | 93 | 94 | The Running status means the pod is bound to a node and 95 | all of its containers have been created. However, it is not 96 | Ready, which means it is not ready to service requests. 97 | Use kubectl to print a detailed description of pod events 98 | and status: 99 | 100 | 101 | &prompt.user;kubectl describe pod --namespace kubecf router-0 102 | 103 | 104 | This prints a lot of information, including IP addresses, routine events, 105 | warnings, and errors. You should find the reason for the failure in this 106 | output. 107 | 108 | 109 | 110 | &deployment-pod-status; 111 | 112 | 113 | 114 | Deleting and Rebuilding a Deployment 115 | 116 | 117 | There may be times when you want to delete and rebuild a deployment, for 118 | example when there are errors in your &values-filename; file, you wish to 119 | test configuration changes, or a deployment fails and you want to try it again. 120 | 121 | 122 | 123 | 124 | 125 | Remove the kubecf release. All resources associated with 126 | the release of the suse/kubecf chart will be removed. 127 | Replace the example release name with the one used during your installation. 128 | 129 | &prompt.user;helm uninstall kubecf 130 | 131 | 132 | 133 | Remove the kubecf namespace. Replace with the namespace 134 | where the suse/kubecf chart was installed. 135 | 136 | &prompt.user;kubectl delete namespace kubecf 137 | 138 | 139 | 140 | Remove the cf-operator release. All resources associated 141 | with the release of the suse/cf-operator chart will be 142 | removed. Replace the example release name with the one used during your 143 | installation. 144 | 145 | &prompt.user;helm uninstall cf-operator 146 | 147 | 148 | 149 | Remove the cf-operator namespace. Replace with the namespace 150 | where the suse/cf-operator chart was installed. 151 | 152 | &prompt.user;kubectl delete namespace cf-operator 153 | 154 | 155 | 156 | Verify all of the releases are removed. 157 | 158 | &prompt.user;helm list --all-namespaces 159 | 160 | 161 | 162 | Verify all of the namespaces are removed. 163 | 164 | &prompt.user;kubectl get namespaces 165 | 166 | 167 | 168 | 169 | Querying with Kubectl 170 | 171 | 172 | You can safely query with kubectl to get information 173 | about resources inside your &kube; cluster. kubectl cluster-info 174 | dump | tee clusterinfo.txt outputs a large amount of information 175 | about the &kube; master and cluster services to a text file. 176 | 177 | 178 | 179 | The following commands give more targeted information about your cluster. 180 | 181 | 182 | 183 | 184 | 185 | List all cluster resources: 186 | 187 | &prompt.user;kubectl get all --all-namespaces 188 | 189 | 190 | 191 | List all of your running pods: 192 | 193 | &prompt.user;kubectl get pods --all-namespaces 194 | 195 | 196 | 197 | List all of your running pods, their internal IP addresses, and which 198 | &kube; nodes they are running on: 199 | 200 | &prompt.user;kubectl get pods --all-namespaces --output wide 201 | 202 | 203 | 204 | See all pods, including those with Completed or Failed statuses: 205 | 206 | &prompt.user;kubectl get pods --show-all --all-namespaces 207 | 208 | 209 | 210 | List pods in one namespace: 211 | 212 | &prompt.user;kubectl get pods --namespace kubecf 213 | 214 | 215 | 216 | Get detailed information about one pod: 217 | 218 | &prompt.user;kubectl describe --namespace kubecf po/diego-cell-0 219 | 220 | 221 | 222 | Read the log file of a pod: 223 | 224 | &prompt.user;kubectl logs --namespace kubecf po/diego-cell-0 225 | 226 | 227 | 228 | List all &kube; nodes, then print detailed information about a single 229 | node: 230 | 231 | &prompt.user;kubectl get nodes 232 | &prompt.user;kubectl describe node 6a2752b6fab54bb889029f60de6fa4d5.infra.caasp.local 233 | 234 | 235 | 236 | List all containers in all namespaces, formatted for readability: 237 | 238 | &prompt.user;kubectl get pods --all-namespaces --output jsonpath="{..image}" |\ 239 | tr -s '[[:space:]]' '\n' |\ 240 | sort |\ 241 | uniq -c 242 | 243 | 244 | 245 | These two commands check node capacities, to verify that there are enough 246 | resources for the pods: 247 | 248 | &prompt.user;kubectl get nodes --output yaml | grep '\sname\|cpu\|memory' 249 | &prompt.user;kubectl get nodes --output json | \ 250 | jq '.items[] | {name: .metadata.name, cap: .status.capacity}' 251 | 252 | 253 | 254 | 255 | Admission webhook denied 256 | 257 | When switching back to Diego from Eirini, the error below can occur: 258 | 259 | 260 | &prompt.user;helm install kubecf suse/kubecf --namespace kubecf --values &values-file; 261 | Error: admission webhook "validate-boshdeployment.quarks.cloudfoundry.org" denied the request: Failed to resolve manifest: Failed to interpolate ops 'kubecf-user-provided-properties' for manifest 'kubecf': Applying ops on manifest obj failed in interpolator: Expected to find exactly one matching array item for path '/instance_groups/name=eirini' but found 0 262 | 263 | 264 | To avoid this error, remove the eirini-persi-broker configuration 265 | before running the command. 266 | 267 | 268 | 269 | Namespace does not exist 270 | 271 | When running a &helm; command, an error occurs stating that a namespace does not 272 | exist. To avoid this error, create the namespace manually with kubectl; before 273 | running the command: 274 | 275 | 276 | &prompt.user;kubectl create namespace name 277 | 278 | 279 | 280 | Log-cache Memory Allocation Issue 281 | 282 | The log-cache component currently has a memory allocation issue where the node 283 | memory available is reported instead of the one assigned to the container under 284 | cgroups. In such a situation, log-cache would start allocating memory based on 285 | these values, causing a varying range of issues (OOMKills, performance 286 | degradation, etc.). To address this issue, node affinity must be used to tie 287 | log-cache to nodes of a uniform size, and then declaring the cache percentage 288 | based on that number. A limit of 3% has been identified as sufficient. 289 | 290 | 291 | Add the following to your &values-filename;. In the node affinity 292 | configuration, the values for key and 293 | values may need to be changed depending on how notes in 294 | your cluster are labeled. For more information on labels, see 295 | . 296 | 297 | properties: 298 | log-cache: 299 | log-cache: 300 | memory_limit_percent: 3 301 | 302 | operations: 303 | inline: 304 | - type: replace 305 | path: /instance_groups/name=log-cache/env?/bosh/agent/settings/affinity 306 | value: 307 | nodeAffinity: 308 | requiredDuringSchedulingIgnoredDuringExecution: 309 | nodeSelectorTerms: 310 | - matchExpressions: 311 | - key: kubernetes.io/hostname 312 | operator: In 313 | values: 314 | - LABEL_VALUE_OF_NODE 315 | 316 | 317 | 318 | -------------------------------------------------------------------------------- /xml/cap_user_cf_cli.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 11 | 12 | Deploying and Managing Applications with the &cf; Client 13 | 14 | 15 | yes 16 | 17 | 18 | 19 | Using the &cfcli; with &productname; 20 | 21 | 22 | The &cf; command line interface (&cfcli;) is for deploying and managing your 23 | applications. You may use it for all the orgs and spaces that you are a 24 | member of. Install the client on a workstation for remote administration of 25 | your &suse; &cf; instances. 26 | 27 | 28 | 29 | The complete guide is at 30 | Using the Cloud 31 | Foundry Command Line Interface, and source code with a demo video is 32 | on GitHub at 33 | Cloud 34 | Foundry CLI. 35 | 36 | 37 | 38 | The following examples demonstrate some of the commonly-used commands. The 39 | first task is to log into your new ∩ instance. 40 | You need to provide the API endpoint of your &productname; instance to log 41 | in. The API endpoint is the system_domain value you provided in 42 | &values-filename;, plus the 43 | api. prefix, as it shows in the above welcome screen. Set 44 | your endpoint, and use --skip-ssl-validation when you 45 | have self-signed SSL certificates. It asks for an e-mail address, but you 46 | must enter admin instead (you cannot change this to a 47 | different username, though you may create additional users), and the 48 | password is the one you created in 49 | &values-filename;: 50 | 51 | 52 | &prompt.user;cf login --skip-ssl-validation -a https://api.example.com 53 | API endpoint: https://api.example.com 54 | 55 | Email> admin 56 | 57 | Password> 58 | Authenticating... 59 | OK 60 | 61 | Targeted org system 62 | 63 | API endpoint: https://api.example.com (API version: 2.134.0) 64 | User: admin 65 | Org: system 66 | Space: No space targeted, use 'cf target -s SPACE' 67 | 68 | 69 | cf help displays a list of commands and options. 70 | cf help [command] provides information on specific 71 | commands. 72 | 73 | 74 | 75 | You may pass in your credentials and set the API endpoint in a single 76 | command: 77 | 78 | 79 | &prompt.user;cf login -u admin -p PASSWORD --skip-ssl-validation -a https://api.example.com 80 | 81 | 82 | Log out with cf logout. 83 | 84 | 85 | 86 | Change the admin password: 87 | 88 | 89 | &prompt.user;cf passwd 90 | Current Password> 91 | New Password> 92 | Verify Password> 93 | Changing password... 94 | OK 95 | Please log in again 96 | 97 | 98 | View your current API endpoint, user, org, and space: 99 | 100 | 101 | &prompt.user;cf target 102 | 103 | 104 | Switch to a different org or space: 105 | 106 | 107 | &prompt.user;cf target -o MY_ORG 108 | &prompt.user;cf target -s MY_SPACE 109 | 110 | 111 | List all apps in the current space: 112 | 113 | 114 | &prompt.user;cf apps 115 | 116 | 117 | Query the health and status of a particular app: 118 | 119 | 120 | &prompt.user;cf app MY_APP 121 | 122 | 123 | View app logs. The first example tails the log of a running app. The 124 | --recent option dumps recent logs instead of tailing, 125 | which is useful for stopped and crashed apps: 126 | 127 | 128 | &prompt.user;cf logs MY_APP 129 | &prompt.user;cf logs --recent MY_APP 130 | 131 | 132 | Restart all instances of an app: 133 | 134 | 135 | &prompt.user;cf restart MY_APP 136 | 137 | 138 | Restart a single instance of an app, identified by its index number, and 139 | restart it with the same index number: 140 | 141 | 142 | &prompt.user;cf restart-app-instance MY_APP APP_INSTANCE 143 | 144 | 145 | After you have set up a service broker (see 146 | ), create new services: 147 | 148 | 149 | &prompt.user;cf create-service SERVICE_NAME default MY_DB 150 | 151 | 152 | Then you may bind a service instance to an app: 153 | 154 | 155 | &prompt.user;cf bind-service MY_APP SERVICE_INSTANCE 156 | 157 | 158 | The most-used command is cf push, for pushing new apps 159 | and changes to existing apps. 160 | 161 | 162 | &prompt.user;cf push NEW_APP -b buildpack 163 | 164 | 165 | If you need to debug your application or run one-off tasks, start an SSH 166 | session into your application container. 167 | 168 | &prompt.user;cf ssh MY_APP 169 | 170 | 171 | When the SSH connection is established, run the following to have the 172 | environment match that of the application and its associated buildpack. 173 | 174 | &prompt.user;/tmp/lifecycle/shell 175 | 176 | 177 | -------------------------------------------------------------------------------- /xml/common_copyright_gfdl.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 8 | 14 | 18 | 19 | 20 | yes 21 | 22 | 23 | 24 | Copyright © 2006– 25 | 26 | &suse; LLC and contributors. All rights reserved. 27 | 28 | 29 | Permission is granted to copy, distribute and/or modify this document under 30 | the terms of the GNU Free Documentation License, Version 1.2 or (at your 31 | option) version 1.3; with the Invariant Section being this copyright notice 32 | and license. A copy of the license version 1.2 is included in the section 33 | entitled GNU Free Documentation License. 34 | 35 | 36 | For &suse; trademarks, see 37 | . All other 38 | third-party trademarks are the property of their respective owners. Trademark 39 | symbols (®, ™ etc.) denote trademarks of &suse; and its affiliates. 40 | Asterisks (*) denote third-party trademarks. 41 | 42 | 43 | All information found in this book has been compiled with utmost attention to 44 | detail. However, this does not guarantee complete accuracy. Neither &suse; LLC, 45 | its affiliates, the authors nor the translators shall be held liable for 46 | possible errors or the consequences thereof. 47 | 48 | 49 | -------------------------------------------------------------------------------- /xml/common_intro_available_doc_i.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 8 | 12 | Available Documentation 13 | 14 | 15 | 16 | 17 | 18 | 19 | no 20 | 21 | 22 | 23 | 24 | We provide HTML and PDF versions of our books in different languages. 25 | Documentation for our products is available at 26 | , where you can also 28 | find the latest updates and browse or download the documentation in various 29 | formats. 30 | 31 | 32 | 33 | The following documentation is available for this product: 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | The &productname; guide is a comprehensive guide providing deployment, 42 | administration, and user guides, and architecture and minimum system 43 | requirements. 44 | 45 | 46 | 47 | 48 | 49 | -------------------------------------------------------------------------------- /xml/common_intro_feedback_i.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 8 | 9 | 10 | Feedback 11 | 12 | 13 | 14 | yes 15 | 16 | 17 | 18 | 19 | Several feedback channels are available: 20 | 21 | 22 | 23 | 24 | Bugs and Enhancement Requests 25 | 26 | 27 | For services and support options available for your product, refer to 28 | . 29 | 30 | 31 | 32 | To report bugs for a product component, go to 33 | , log in, and 34 | click Create New. 35 | 36 | 37 | 38 | 39 | User Comments 40 | 41 | 42 | We want to hear your comments about and suggestions for this manual and 43 | the other documentation included with this product. Use the User Comments 44 | feature at the bottom of each page in the online documentation or go to 45 | and 46 | enter your comments there. 47 | 48 | 49 | 50 | 51 | Mail 52 | 53 | 54 | For feedback on the documentation of this product, you can also send a 55 | mail to doc-team@suse.com. Make sure to include the 56 | document title, the product version and the publication date of the 57 | documentation. To report errors or suggest enhancements, provide a concise 58 | description of the problem and refer to the respective section number and 59 | page (or URL). 60 | 61 | 62 | 63 | 64 | 65 | -------------------------------------------------------------------------------- /xml/common_intro_making_i.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 8 | 9 | 13 | About the Making of This Documentation 14 | 15 | 16 | 17 | 18 | yes 19 | 20 | 21 | 22 | 23 | This documentation is written in 24 | GeekoDoc, 25 | a subset of 26 | DocBook 5. 29 | The XML source files were validated by jing (see 30 | ), processed by 31 | xsltproc, and converted into XSL-FO using a customized 32 | version of Norman Walsh's stylesheets. The final PDF is formatted through FOP 33 | from 34 | Apache 36 | Software Foundation. The open source tools and the environment used to 37 | build this documentation are provided by the DocBook Authoring and Publishing 38 | Suite (DAPS). The project's home page can be found at 39 | . 40 | 41 | 42 | 43 | The XML source code of this documentation can be found at 44 | . 45 | 46 | 47 | -------------------------------------------------------------------------------- /xml/common_intro_support_statement_i.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 10 | Support Statement for &productname; 11 | 12 | 13 | 14 | 15 | 16 | 17 | yes 18 | 19 | 20 | 21 | 22 | To receive support, you need an appropriate subscription with &suse;. For more 23 | information, see 24 | . 25 | 26 | 27 | The following definitions apply: 28 | 29 | 30 | Version Support 31 | 32 | Technical Support and Troubleshooting (L1 - L2): SUSE will provide technical 33 | support and troubleshooting for version 2.1 until May 31, 2022. 34 | 35 | 36 | Patches and updates (L3): SUSE will provide patches and updates for 2.1 (e.g. 37 | 2.1.1, 2.1.2) to resolve critical bugs or address high severity security issues. 38 | The patches may include updates from upstream Cloud Foundry releases. 39 | 40 | 41 | &productname; closely follows upstream &cf; releases which may implement 42 | fixes and changes which are not backwards compatible with previous releases. 43 | &suse; will backport patches for critical bugs and security issues on a best 44 | efforts basis. 45 | 46 | 47 | 48 | Platform Support 49 | 50 | &productname; is fully supported on Amazon EKS, Microsoft Azure AKS, Google 51 | GKE, Rancher Kubernetes Engine (RKE), and RKE Government (RKE2) Each release 52 | is tested by &productname; QA on these platforms. 53 | 54 | 55 | &productname; is fully supported on &caasp;, wherever it happens to be 56 | installed. If &caasp; is supported on a particular cloud service provider 57 | (CSP), the customer can get support for &productname; in that context. 58 | 59 | 60 | &suse; can provide support for &productname; on 3rd party/generic &kube; on a 61 | case-by-case basis provided: 62 | 63 | 64 | 65 | 66 | The &kube; cluster satisfies the Requirements listed here at 67 | . 68 | 69 | 70 | 71 | 72 | The kube-ready-state-check.sh script has been run on 73 | the target &kube; cluster and does not show any configuration problems. 74 | 75 | 76 | 77 | 78 | A &suse; Services or Sales Engineer has verified that &productname; works 79 | correctly on the target &kube; cluster. 80 | 81 | 82 | 83 | 84 | 85 | Technology Previews 86 | 87 | Technology previews are packages, stacks, or features delivered by &suse; 88 | to provide glimpses into upcoming innovations. The previews are included for 89 | your convenience to give you the chance to test new technologies within your 90 | environment. We would appreciate your feedback! If you test a technology 91 | preview, please contact your &suse; representative and let them know about 92 | your experience and use cases. Your input is helpful for future development. 93 | 94 | 95 | However, technology previews come with the following limitations: 96 | 97 | 98 | 99 | 100 | Technology previews are still in development. Therefore, they may be functionally 101 | incomplete, unstable, or in other ways not suitable 102 | for production use. 103 | 104 | 105 | 106 | 107 | Technology previews are not supported. 108 | 109 | 110 | 111 | 112 | Details and functionality of technology previews are subject to change. 113 | As a result, upgrading to subsequent releases of a technology preview may 114 | be impossible and require a fresh installation. 115 | 116 | 117 | 118 | 119 | Technology previews can be dropped at any time. For example, if &suse; 120 | discovers that a preview does not meet the customer or market needs, or does 121 | not prove to comply with enterprise standards. &suse; does not commit to 122 | providing a supported version of such technologies in the future. 123 | 124 | 125 | 126 | 127 | 128 | For an overview of technology previews shipped with your product, see the 129 | release notes at . 130 | 131 | 132 | 133 | -------------------------------------------------------------------------------- /xml/common_intro_target_audience_i.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 8 | 13 | Required Background 14 | 15 | 16 | 17 | 18 | yes 19 | 20 | 21 | 22 | 23 | To keep the scope of these guidelines manageable, certain technical 24 | assumptions have been made: 25 | 26 | 27 | 28 | 29 | 30 | You have some computer experience and are familiar with common technical 31 | terms. 32 | 33 | 34 | 35 | 36 | You are familiar with the documentation for your system and the network on 37 | which it runs. 38 | 39 | 40 | 41 | 42 | You have a basic understanding of Linux systems. 43 | 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /xml/common_intro_typografie_i.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 8 | 12 | 13 | 14 | Documentation Conventions 15 | 16 | 17 | 18 | yes 19 | 20 | 21 | 22 | 23 | The following notices and typographical conventions are used in this 24 | documentation: 25 | 26 | 27 | 28 | 29 | 30 | /etc/passwd: directory names and file names 31 | 32 | 33 | 34 | 35 | PLACEHOLDER: replace 36 | PLACEHOLDER with the actual value 37 | 38 | 39 | 40 | 41 | PATH: the environment variable PATH 42 | 43 | 44 | 45 | 46 | ls, : commands, options, and 47 | parameters 48 | 49 | 50 | 51 | 52 | user: users or groups 53 | 54 | 55 | 56 | 57 | package name : name of a package 58 | 59 | 60 | 61 | 62 | , 63 | F1 : a key to press or a key combination; keys 64 | are shown in uppercase as on a keyboard 65 | 66 | 67 | 68 | 69 | File, File Save 70 | As : menu items, buttons 71 | 72 | 73 | 74 | 75 | This paragraph is only relevant for the &amd64;/&intel64; architecture. The 76 | arrows mark the beginning and the end of the text block. 77 | 78 | 79 | This paragraph is only relevant for the architectures 80 | &zseries; and &power;. The arrows 81 | mark the beginning and the end of the text block. 82 | 83 | 84 | 85 | 86 | Dancing Penguins (Chapter 87 | Penguins, ↑Another Manual): This is a reference 88 | to a chapter in another manual. 89 | 90 | 91 | 92 | 93 | Commands that must be run with &rootuser; privileges. Often you can also 94 | prefix these commands with the sudo command to run them 95 | as non-privileged user. 96 | 97 | &prompt.root;command 98 | &prompt.user;sudo command 99 | 100 | 101 | 102 | Commands that can be run by non-privileged users. 103 | 104 | &prompt.user;command 105 | 106 | 107 | 108 | Notices 109 | 110 | 111 | Warning Notice 112 | 113 | Vital information you must be aware of before proceeding. Warns you about 114 | security issues, potential loss of data, damage to hardware, or physical 115 | hazards. 116 | 117 | 118 | 119 | Important Notice 120 | 121 | Important information you should be aware of before proceeding. 122 | 123 | 124 | 125 | Note Notice 126 | 127 | Additional information, for example about differences in software 128 | versions. 129 | 130 | 131 | 132 | Tip Notice 133 | 134 | Helpful information, like a guideline or a piece of practical advice. 135 | 136 | 137 | 138 | 139 | 140 | -------------------------------------------------------------------------------- /xml/common_legal.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | %entities; 6 | ]> 7 | 8 | 12 | GNU Licenses 13 | 14 | 15 | 16 | yes 17 | 18 | 19 | 20 | This appendix contains the GNU Free Documentation License version 1.2. 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /xml/entity-decl.ent: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | &values-file;"> 24 | 25 | Deployment, Administration, and User Guide"> 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | &yast; Control Center"> 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 99 | 100 | 101 | 102 | &exampleuser_plain;"> 103 | 104 | 105 | 106 | &exampleuserII_plain;"> 107 | 108 | 109 | 110 | exampleuserIII_plain"> 111 | 112 | 113 | users"> 114 | 115 | 116 | root"> 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | Open vSwitch"> 136 | 137 | 138 | 139 | systemd"> 140 | cron"> 141 | oprofile"> 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | AppArmor"> 152 | AppArmor®"> 153 | sudo"> 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | lvmcache"> 199 | bcache"> 200 | libvirt"> 201 | libvirtd"> 202 | 203 | 204 | qemu-system-ARCH"> 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | Deployment Guide"> 224 | Installation Quick Start"> 225 | Administration Guide"> 226 | Reference"> 227 | Start-Up"> 228 | 229 | 230 | 231 | 232 | 233 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 | MAC"> 257 | MAC"> 258 | MAC"> 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | 269 | 270 | F2"> 271 | 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | 282 | 283 | 284 | 285 | 286 | root # "> 287 | &exampleuser_plain; > "> 288 | &exampleuserII_plain; > "> 289 | 290 | 291 | 292 | 293 | 294 | 295 | 310 | 311 | 312 | %network-entities; 313 | 314 | 315 | %repeat-entities; 316 | 317 | 318 | 319 | 320 | 321 | 322 | 323 | %dbcent; 324 | 325 | 326 | 327 | -------------------------------------------------------------------------------- /xml/network-decl.ent: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | -------------------------------------------------------------------------------- /xml/schema.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 8 | 9 | --------------------------------------------------------------------------------