Document steps to set up Multi-cluster ClusterSet with antctl #4096
Conversation
jianjuns
added
kind/documentation
jianjuns
force-pushed
the
multicluster-doc
branch
3 times, most recently
from
d0a2543
to
2f38cb3
Compare
Codecov Report
@@ Coverage Diff @@
## main #4096 +/- ##
==========================================
- Coverage 67.51% 59.11% -8.40%
==========================================
Files 297 298 +1
Lines 44988 45465 +477
==========================================
- Hits 30373 26876 -3497
- Misses 12238 16426 +4188
+ Partials 2377 2163 -214
|
| @@ -1,7 +1,7 @@ | |||
| apiVersion: v1 | |||
| kind: Secret | |||
| metadata: | |||
| name: leader-access-token | |||
| name: default-member-token | |||
| namespace: antrea-multicluster | |||
| annotations: | |||
| kubernetes.io/service-account.name: antrea-mc-member-access-sa | |||
There was a problem hiding this comment.
@luolanzone : it is not very important, but I wanted to rename the SA to "antrea-mc-member-default" to be consistent with the default token name, but did not find out how to change it. Could you let me know how to change the name?
Another question - make manifests in my dev VM updates many YAMLs. Is that due to my env, or it is possible YAMLs merged to the repo are not update to date?
There was a problem hiding this comment.
You need to replace member-access-sa to member-default on two files member_cluster_rolebinding.yaml and member_cluster_serviceaccount.yaml in the folder multicluster/configs/overlays/leader-ns/. You probably need to clean up the file on multicluster/bin/controller-gen and rerun make manifests. It has been upgrade to v0.9.
There was a problem hiding this comment.
Ok. Let us consider changing with a follow up PR.
docs/multicluster/antctl.md
Outdated
| Antrea v1.6.0, while other commands are supported since v1.8.0. These commands | ||
| cannot run inside the `antrea-controller`, `antrea-agent` or | ||
| `antrea-mc-controller` Pods. antctl needs a kubeconfig file to access the target | ||
| cluster's API server, and it will will look for the kubeconfig file at |
There was a problem hiding this comment.
| cluster's API server, and it will will look for the kubeconfig file at | |
| cluster's API server, and it will look for the kubeconfig file at |
docs/multicluster/quick-start.md
Outdated
|
|
||
| To execute any command in this section, `antctl` needs access to the target | ||
| cluster's API server, and it needs a kubeconfig file for that. Please refer to | ||
| the [`anctctl` Multi-cluster manual](antctl.md) to learn more about the |
There was a problem hiding this comment.
| the [`anctctl` Multi-cluster manual](antctl.md) to learn more about the | |
| the [`antctl` Multi-cluster manual](antctl.md) to learn more about the |
docs/multicluster/quick-start.md
Outdated
| leader, and also join the ClusterSet as a member. | ||
|
|
||
| ```bash | ||
| antctl mc init --clusterset test-clusterset --clusterid test-cluster-leader --create-token -o join-config.yml |
There was a problem hiding this comment.
| antctl mc init --clusterset test-clusterset --clusterid test-cluster-leader --create-token -o join-config.yml | |
| antctl mc init --clusterset test-clusterset --clusterid test-cluster-leader -n antrea-multicluster --create-token -o join-config.yml |
|
|
||
| ```bash | ||
| antctl mc init --clusterset test-clusterset --clusterid test-cluster-leader --create-token -o join-config.yml | ||
| antctl mc join --clusterid test-cluster-leader -n kube-system --config-file join-config.yml |
There was a problem hiding this comment.
When the --config-file is provided, we need provide clusterID in the the file instead of --clusterid.
There was a problem hiding this comment.
In the generated config file, we set clusterID and namespace to "". Will unmarshal still reset the field? If that is the case, maybe we should not add clusterID and namespace to the config file, or even better add them and other optional fields as comments.
@hjiajing
There was a problem hiding this comment.
Yes. If the clusterID is empty in the config file and specify it in the command line. It will reset when unmarshal. Maybe we can add some comments above the output config file to remind the users to edit the config file or delete the fields with empty value?
There was a problem hiding this comment.
I edit the code and add the "omitempty" for the clusterID in the join config file. Then the command works fine.
❯ antctl mc join --config-file=./config.yaml --clusterid test-cluster-east --kubeconfig /root/.kube/east
Created the Secret from the config file
ClusterClaim "id.k8s.io" created in Namespace kube-system
ClusterClaim "clusterset.k8s.io" created in Namespace kube-system
ClusterSet "test-clusterset" created in Namespace kube-system
Waiting for member cluster ready
Waiting for ClusterSet ready
Member cluster joined successfully|
|
||
| ```bash | ||
| antctl mc create membertoken test-cluster-leader-token -n antrea-multicluster -o test-cluster-leader-token.yml | ||
| antctl mc join --clusterid test-cluster-leader -n kube-system --config-file join-config.yml --token-secret-file test-cluster-leader-token.yml |
There was a problem hiding this comment.
I tried this command, it returns below error:
./bin/antctl-darwin mc join --clusterid test-cluster-leader -n kube-system --config-file join-config.yml --token-secret-file test-cluster-leader-token.yml
Failed to create the Secret from the config file: Secret "" is invalid: metadata.name: Required value: name or generateName is required
Error: Secret "" is invalid: metadata.name: Required value: name or generateName is required
@hjiajing Could you help to check if there is code issue? or please provide the right command.
There was a problem hiding this comment.
I tried the same command in my test env then it works well.
❯ antctl mc join --config-file=./config.yaml --clusterid=test-cluster-east --token-secret-file ./secret.yaml --kubeconfig /root/.kube/east
Created the Secret from the config file
ClusterClaim "id.k8s.io" created in Namespace kube-system
ClusterClaim "clusterset.k8s.io" created in Namespace kube-system
ClusterSet "test-clusterset" created in Namespace kube-system
Waiting for member cluster ready
Waiting for ClusterSet readyMaybe it's because the test-cluster-leader-token.yml is not a valid Secret yaml file?
There was a problem hiding this comment.
The question is I am using the file generated by above step antctl mc create membertoken test-cluster-leader-token -n antrea-multicluster -o test-cluster-leader-token.yml.
There was a problem hiding this comment.
Removed the "config file check" when creating Secret from YAML file. Updated the code now.
docs/multicluster/quick-start.md
Outdated
| Last, you need to choose a Node in cluster A to serve as the Multi-cluster | ||
| Gateway. The Node should have an IP that is reachable from the cluster B's | ||
| Gateway Node, so a tunnel can be created between the two Gateways. For more | ||
| information about Multi-cluster Gatweay, please refer to the [Multi-cluster |
There was a problem hiding this comment.
| information about Multi-cluster Gatweay, please refer to the [Multi-cluster | |
| information about Multi-cluster Gateway, please refer to the [Multi-cluster |
| Run the following command to make cluster B join the ClusterSet: | ||
|
|
||
| ```bash | ||
| antctl mc join --clusterid test-cluster-member -n kube-system --config-file join-config.yml |
There was a problem hiding this comment.
Ditto, test-cluster-member should be provided in join-config.yml.
docs/multicluster/quick-start.md
Outdated
| ClusterSet named `test-clusteraset` in the leader cluster and get a | ||
| ServiceAccount token for the member clusters (both cluster A and B in our case) | ||
| to access the leader cluster (cluster A in our case) API server. | ||
| ClusterSet named `test-clusteraset` in the leader cluster and a default token |
There was a problem hiding this comment.
| ClusterSet named `test-clusteraset` in the leader cluster and a default token | |
| ClusterSet named `test-clusterset` in the leader cluster and a default token |
docs/multicluster/quick-start.md
Outdated
| @@ -187,7 +308,7 @@ joining ClusterSet. For example, you can run the following commands to join the | |||
| ClusterSet in a member cluster with ID `test-cluster-member2`: | |||
|
|
|||
| ```bash | |||
| $kubectl apply -f leader-access-token.yml | |||
| $kubectl apply -f default-member-token.yml | |||
| $curl -L https://raw.githubusercontent.com/antrea-io/antrea/$TAG/multicluster/config/samples/clusterset_init/member-clusterset-template.yml > member-clusterset.yml | |||
| $sed -e 's/<LEADER_CLUSTER_IP>/172.10.0.11/g' -e 's/test-cluster-member/test-cluster-member2/g' member-clusterset.yml | kubectl apply -f - | |||
There was a problem hiding this comment.
| $sed -e 's/<LEADER_CLUSTER_IP>/172.10.0.11/g' -e 's/test-cluster-member/test-cluster-member2/g' member-clusterset.yml | kubectl apply -f - | |
| $sed -e 's/<LEADER_APISERVER_IP>/172.10.0.11/g' -e 's/test-cluster-member/test-cluster-member2/g' member-clusterset.yml | kubectl apply -f - |
jianjuns
force-pushed
the
multicluster-doc
branch
from
2f38cb3
to
767a887
Compare
docs/multicluster/quick-start.md
Outdated
|
|
||
| ```bash | ||
| $kubectl apply -f https://raw.githubusercontent.com/antrea-io/antrea/$TAG/multicluster/config/samples/clusterset_init/leader-clusterset-template.yml | ||
| $kubectl apply -f https://raw.githubusercontent.com/antrea-io/antrea/$TAG/multicluster/config/samples/clusterset_init/leader-access-token-template.yml | ||
| $kubectl get secret leader-access-token -n antrea-multicluster -o yaml | grep -w -e '^apiVersion' -e '^data' -e '^metadata' -e '^ *name:' -e '^kind' -e ' ca.crt' -e ' token:' -e '^type' -e ' namespace' | sed -e 's/kubernetes.io\/service-account-token/Opaque/g' -e 's/antrea-multicluster/kube-system/g' > leader-access-token.yml | ||
| $kubectl get secret leader-access-token -n antrea-multicluster -o yaml | grep -w -e '^apiVersion' -e '^data' -e '^metadata' -e '^ *name:' -e '^kind' -e ' ca.crt' -e ' token:' -e '^type' -e ' namespace' | sed -e 's/kubernetes.io\/service-account-token/Opaque/g' -e 's/antrea-multicluster/kube-system/g' > default-member-token.yml |
There was a problem hiding this comment.
You have changed the name of Secret from leader-access-token to default-member-token in the file leader-access-token-template.yml:
| $kubectl get secret leader-access-token -n antrea-multicluster -o yaml | grep -w -e '^apiVersion' -e '^data' -e '^metadata' -e '^ *name:' -e '^kind' -e ' ca.crt' -e ' token:' -e '^type' -e ' namespace' | sed -e 's/kubernetes.io\/service-account-token/Opaque/g' -e 's/antrea-multicluster/kube-system/g' > default-member-token.yml | |
| $kubectl get secret default-member-token -n antrea-multicluster -o yaml | grep -w -e '^apiVersion' -e '^data' -e '^metadata' -e '^ *name:' -e '^kind' -e ' ca.crt' -e ' token:' -e '^type' -e ' namespace' | sed -e 's/kubernetes.io\/service-account-token/Opaque/g' -e 's/antrea-multicluster/kube-system/g' > default-member-token.yml |
Add steps to set up a set up Multi-cluster ClusterSet using antctl commands to the Multi-cluster quick-start guide. Also made minor revisions to the Multi-cluster antctl and user guides, and the sample YAML templates. Signed-off-by: Jianjun Shen <shenj@vmware.com>
jianjuns
force-pushed
the
multicluster-doc
branch
from
767a887
to
e9840d8
Compare
|
@luolanzone @hjiajing : I plan to merge the PR to catch 1.18, but I do hope you guys can help verify the documented steps work with the current implementation. |
|
Sure. I will double check. Thanks. |
|
/skip-all |
Add steps to set up a set up Multi-cluster ClusterSet using antctl
commands to the Multi-cluster quick-start guide.
Also made minor revisions to the Multi-cluster antctl and user guides,
and the sample YAML template for creating a member token.
Signed-off-by: Jianjun Shen shenj@vmware.com