|
1 | 1 | # Configuring Object Storage |
2 | 2 |
|
3 | | -A variety of Deis components rely on an object storage system to do their work. These components are: |
| 3 | +A variety of Deis Workflow components rely on an object storage system to do their work including storing application slugs, Docker images and database logs. |
4 | 4 |
|
5 | | -- [builder](https://github.com/deis/builder) |
6 | | -- [slugbuilder](https://github.com/deis/slugbuilder) |
7 | | -- [slugrunner](https://github.com/deis/slugrunner) |
8 | | -- [controller](https://github.com/deis/controller) |
9 | | -- [registry](https://github.com/deis/registry) |
10 | | -- [database](https://github.com/deis/postgres) |
| 5 | +Deis Workflow ships with [Minio][minio] by default, which provides in-cluster, ephemeral object storage. This means that _if the Minio server crashes, all data will be lost_. Therefore, **Minio should be used for development or testing only**. |
11 | 6 |
|
12 | | -These components are flexible and can work out of the box with almost any system that is compatible with the [S3 API](http://docs.aws.amazon.com/AmazonS3/latest/API/APIRest.html). |
| 7 | +## Configuring off-cluster Object Storage |
13 | 8 |
|
14 | | -## Minio |
| 9 | +Every component that relies on object storage uses two inputs for configuration: |
15 | 10 |
|
16 | | -Additionally, Deis ships with a [Minio](http://minio.io) [component](https://github.com/deis/minio) by default, which provides in-cluster, ephemeral object storage. This means that _if the Minio server crashes, all data will be lost_. Therefore, **Minio should be used for development or testing only**. |
| 11 | +1. Component-specific environment variables (e.g. `BUILDER_STORAGE` and `REGISTRY_STORAGE`) |
| 12 | +2. Access credentials stored as a Kubernetes secret named `objectstorage-keyfile` |
17 | 13 |
|
18 | | -In our beta release, the components listed above are configured by default to automatically use the Minio [service][k8s-service] for object storage. |
| 14 | +The helm chart for Deis Workflow can be easily configured to connect Workflow components to off-cluster object storage. Deis Workflow currently supports Google Compute Storage, Amazon S3 and Azure Blob Storage. |
19 | 15 |
|
20 | | -# Configuring the Deis Components |
| 16 | +* **Step 1:** Create storage buckets for each of the Workflow subsystems: builder, registry and database |
| 17 | + * Note: Depending on your chosen object storage you may need to provide globally unique bucket names. |
| 18 | + * Note: If you provide credentials with sufficient access to the underlying storage, Workflow components will create the buckets if they do not exist. |
| 19 | +* **Step 2:** If applicable, generate credentials that have write access to the storage buckets created in Step 1 |
| 20 | +* **Step 3:** If you haven't already fetched the helm chart, do so with `helm fetch deis/workflow-beta2` |
| 21 | +* **Step 4:** Open the helm chart with `helm edit workflow-beta2` and look for the template file `tpl/generate_params.toml` |
| 22 | +* **Step 5:** Update the `storage` parameter to reference the storage platform you are using: `s3`, `azure`, `gcs` |
| 23 | +* **Step 6:** Update the values in the section which corresponds to your storage type, including region, bucket names and access credentials |
| 24 | + * Note: you do not need to base64 encode any of these values as Helm will handle encoding automatically |
| 25 | +* **Step 7:** Save your changes and re-generate the helm chart by running `helm generate -x manifests workflow-beta2` |
| 26 | +* **Step 8:** Check the generated file in your manifests directory, you should see `deis-objectstorage-secret.yaml` |
21 | 27 |
|
22 | | -Every Deis component that relies on object storage relies on the following two inputs for configuration: |
| 28 | +You are now ready to `helm install workflow-beta2` using your desired object storage. |
23 | 29 |
|
24 | | -- An environment variable that describe what object storage system to use. |
25 | | -- A configuration file ([objectstorage.toml][objectstorage-toml]) to provide access credentials for the object storage system. |
26 | | - - We suggest storing the contents of these files in [Kubernetes secrets][k8s-secret] and mounting them as volumes to each pod. |
27 | | - - See [the workflow-dev chart](https://github.com/deis/charts/tree/master/workflow-dev) for examples of using and mounting secrets. |
| 30 | +## Object Storage Configuration and Credentials |
28 | 31 |
|
29 | | -The subsections herein explain how to configure these two inputs for each applicable component. |
| 32 | +During the `helm generate` step, Helm creates a Kubernetes secret in the Deis namespace named `objectstorage-keyfile`. The exact structure of the file depends on storage backend specified in `tpl/generate_params.toml`. |
30 | 33 |
|
31 | | -## [deis/builder](https://github.com/deis/builder) |
| 34 | +``` |
| 35 | +# Set the storage backend |
| 36 | +# |
| 37 | +# Valid values are: |
| 38 | +# - s3: Store persistent data in AWS S3 (configure in S3 section) |
| 39 | +# - azure: Store persistent data in Azure's object storage |
| 40 | +# - gcs: Store persistent data in Google Cloud Storage |
| 41 | +# - minio: Store persistent data on in-cluster Minio server |
| 42 | +storage = "minio" |
| 43 | +``` |
32 | 44 |
|
33 | | -### Environment Variables |
| 45 | +Individual components map the master credential secret to either secret-backed environment variables or volumes. See below for the component-by-component locations. |
34 | 46 |
|
35 | | -The builder looks for a `BUILDER_STORAGE` environment variable, which it then uses as a key to look up the object storage location and authentication information in a configuration file. See below for details on that file. |
| 47 | +## Component Details |
36 | 48 |
|
37 | | -### Credentials |
| 49 | +### [deis/builder](https://github.com/deis/builder) |
38 | 50 |
|
39 | | -The builder reads the credential information from a `objectstorage-keyfile` secret. This is generated automatically (as part of the `helm generate` command) based on the configuration options given in the [objectstorage.toml file][objectstorage-toml] file. |
| 51 | +The builder looks for a `BUILDER_STORAGE` environment variable, which it then uses as a key to look up the object storage location and authentication information from the `objectstore-creds` volume. |
40 | 52 |
|
41 | | -### Helm Chart |
| 53 | +### [deis/slugbuilder](https://github.com/deis/slugbuilder) |
42 | 54 |
|
43 | | -If you are using the [Helm Chart for Workflow][helm-chart], put your credentials in the [objectstorage.toml][objectstorage-toml] file before you run `helm generate`. Note that you don't need to base64-encode the credentials, as Helm will do that for you. For more information, see the [installation instructions][helm-install] for more details on using Helm. |
| 55 | +Slugbuilder is configured and launched by the builder component. Slugbuilder reads credential information from the standard `objectstorage-keyfile` secret. |
44 | 56 |
|
45 | | -## [deis/slugbuilder](https://github.com/deis/slugbuilder) |
| 57 | +If you are using slugbuilder as a standalone component the following configuration is important: |
46 | 58 |
|
47 | | -The slugbuilder is configured and launched by the builder inside a Deis cluster, so this section only applies if you intend to run it as a standalone component. |
| 59 | +- `TAR_PATH` - The location of the application `.tar` archive, relative to the configured bucket for builder e.g. `home/burley-yeomanry:git-3865c987/tar` |
| 60 | +- `PUT_PATH` - The location to upload the finished slug, relative to the configured bucket fof builder e.g. `home/burley-yeomanry:git-3865c987/push` |
48 | 61 |
|
49 | | -### Environment Variables |
| 62 | +**Note: these environment variables are case-sensitive** |
50 | 63 |
|
51 | | -The slugbuilder looks for the below environment variables to determine where to download code from and upload slugs to. |
| 64 | +### [deis/slugrunner](https://github.com/deis/slugrunner) |
52 | 65 |
|
53 | | -- `TAR_PATH` - The location of the `.tar` archive (which it will build) |
54 | | -- `PUT_PATH` - The location this component will upload the finished slug to |
| 66 | +Slugrunner is configured and launched by the controller inside a Workflow cluster. If you are using slugrunner as a standalone component the following configuration is important: |
55 | 67 |
|
56 | | -Note that these environment variables are case-sensitive. |
| 68 | +- `SLUG_URL` - environment variable containing the path of the slug, relative to the builder storage location, e.g. `home/burley-yeomanry:git-3865c987/push/slug.tgz` |
57 | 69 |
|
58 | | -### Credentials |
| 70 | +Slugrunner reads credential information from a `objectstorage-keyfile` secret in the current Kubernetes namespace. |
59 | 71 |
|
60 | | -The slugbuilder reads the credential information from a `objectstorage-keyfile` secret. This is generated automatically (as part of the `helm generate` command) based on the configuration options given in the [objectstorage.toml file][objectstorage-toml] file. |
| 72 | +### [deis/controller](https://github.com/deis/controller) |
61 | 73 |
|
62 | | -### Helm Chart |
| 74 | +The controller is responsible for configuring the execution environment for buildpack-based applications. Controller copies `objectstorage-keyfile` into the application namespace so slugrunner can fetch the application slug. |
63 | 75 |
|
64 | | -The [Helm Chart for Workflow][helm-chart] contains no manifest for the slugbuilder. As noted above, the builder handles all configuration and lifecycle management for you. |
| 76 | +The controller interacts through Kubernetes APIs and does not use any environment variables for object storage configuration. |
65 | 77 |
|
66 | | -If, however, you wish to run the slugbuilder as a standalone component, you can use the `objectstorage-keyfile` secret to easily provide your pods with the credentials information they need. This is generated automatically (as part of the `helm generate` command) based on the configuration options given in the [objectstorage.toml file][objectstorage-toml] file. |
| 78 | +### [deis/registry](https://github.com/deis/registry) |
67 | 79 |
|
68 | | -## [deis/slugrunner](https://github.com/deis/slugrunner) |
| 80 | +The registry looks for a `REGISTRY_STORAGE` environment variable which it then uses as a key to look up the object storage location and authentication information. |
69 | 81 |
|
70 | | -The slugrunner is configured and launched by the controller inside a Deis cluster, so this section only applies if you intend to run it as a standalone component. |
| 82 | +The registry reads credential information by reading `/var/run/secrets/deis/registry/creds/objectstorage-keyfile`. |
71 | 83 |
|
72 | | -### Environment Variables |
| 84 | +This is the file location for the `objectstorage-keyfile` secret on the Pod filesystem. |
73 | 85 |
|
74 | | -The slugrunner uses the `SLUG_URL` environment variable to determine where to download the slug (that it will run) from. |
| 86 | +### [deis/database](https://github.com/deis/postgres) |
75 | 87 |
|
76 | | -### Credentials |
| 88 | +The database looks for a `DATABASE_STORAGE` environment variable, which it then uses as a key to look up the object storage location and authentication information |
77 | 89 |
|
78 | | -The slugrunner reads the credential information from a `objectstorage-keyfile` secret. This is generated automatically (as part of the `helm generate` command) based on the configuration options given in the [objectstorage.toml file][objectstorage-toml] file. |
| 90 | +Minio (`DATABASE_STORAGE=minio`): |
79 | 91 |
|
80 | | -### Helm Chart |
| 92 | +* `AWS_ACCESS_KEY_ID` via /var/run/secrets/deis/objectstore/creds/accesskey |
| 93 | +* `AWS_SECRET_ACCESS_KEY` via /var/run/secrets/deis/objectstore/creds/secretkey |
| 94 | +* `AWS_DEFAULT_REGION` is the Minio default of "us-east-1" |
| 95 | +* `BUCKET_NAME` is the on-cluster default of "dbwal" |
81 | 96 |
|
82 | | -The [Helm Chart for Workflow][helm-chart] contains no manifest for the slugrunner. As noted above, the controller handles all configuration and lifecycle management for you. |
| 97 | +AWS (`DATABASE_STORAGE=s3`): |
83 | 98 |
|
84 | | -If, however, you wish to run the slugrunner as a standalone component, you can use the `objectstorage-keyfile` secret to easily provide your pods with the credentials information they need. This is generated automatically (as part of the `helm generate` command) based on the configuration options given in the [objectstorage.toml file][objectstorage-toml] file. |
| 99 | +* `AWS_ACCESS_KEY_ID` via /var/run/secrets/deis/objectstore/creds/accesskey |
| 100 | +* `AWS_SECRET_ACCESS_KEY` via /var/run/secrets/deis/objectstore/creds/secretkey |
| 101 | +* `AWS_DEFAULT_REGION` via /var/run/secrets/deis/objectstore/creds/region |
| 102 | +* `BUCKET_NAME` via /var/run/secrets/deis/objectstore/creds/database-bucket |
85 | 103 |
|
86 | | -## [deis/controller](https://github.com/deis/controller) |
| 104 | +GCS (`DATABASE_STORAGE=gcs`): |
87 | 105 |
|
88 | | -When the controller needs to launch or scale a new buildpack application, it uses a [replication controller](http://kubernetes.io/docs/user-guide/replication-controller/). Since the slugrunner needs to download the slug to run, it needs the object storage location of the slug and the object storage credentials. |
| 106 | +* `GS_APPLICATION_CREDS` via /var/run/secrets/deis/objectstore/creds/key.json |
| 107 | +* `BUCKET_NAME` via /var/run/secrets/deis/objectstore/creds/database-bucket |
89 | 108 |
|
90 | | -### Environment Variables |
| 109 | +Azure (`DATABASE_STORAGE=azure`): |
91 | 110 |
|
92 | | -The controller needs no environment variables for object storage configuration. |
| 111 | +* `WABS_ACCOUNT_NAME` via /var/run/secrets/deis/objectstore/creds/accountname |
| 112 | +* `WABS_ACCESS_KEY` via /var/run/secrets/deis/objectstore/creds/accountkey |
| 113 | +* `BUCKET_NAME` via /var/run/secrets/deis/objectstore/creds/database-container |
93 | 114 |
|
94 | | -### Credentials |
95 | | - |
96 | | -Since the object storage location information comes from the builder, the controller only needs access to the credentials information. The controller gets this information by accessing the `minio-user` secret (even if it's not using Minio as the object storage system) directly from the Kubernetes API. |
97 | | - |
98 | | -No paths need to be mounted into the pod. Simply ensure that the secret exists in your Kubernetes cluster with the correct credentials. |
99 | | - |
100 | | -### Helm Chart |
101 | | - |
102 | | -If you are using the [Helm Chart for Workflow][helm-chart], put your credentials in the [objectstorage.toml][objectstorage-toml] file before you run `helm generate`. Note that you don't need to base64-encode the credentials, as Helm will do that for you. For more information, see the [installation instructions][helm-install] for more details on using Helm. |
103 | | - |
104 | | -## [deis/registry](https://github.com/deis/registry) |
105 | | - |
106 | | -The registry is configured slightly differently from most of the other components. Read on for details. |
107 | | - |
108 | | -### Environment Variables |
109 | | - |
110 | | -The registry looks for a `REGISTRY_STORAGE` environment variable, which it then uses as a key to look up the object storage location and authentication information in a configuration file. See below for details on that file. |
111 | | - |
112 | | -### Credentials |
113 | | - |
114 | | -The registry reads the credential information from a `/var/run/secrets/deis/registry/creds/objectstorage-keyfile` file. This is generated automatically (as part of the `helm generate` command) based on the configuration options given in the [objectstorage.toml file][objectstorage-toml] file. |
115 | | - |
116 | | -### Helm Chart |
117 | | - |
118 | | -If you are using the [Helm Chart for Workflow][helm-chart], put your credentials in the [objectstorage.toml][objectstorage-toml] file before you run `helm generate`. Note that you don't need to base64-encode the credentials, as Helm will do that for you. For more information, see the [installation instructions][helm-install] for more details on using Helm. |
119 | | - |
120 | | -## [deis/database](https://github.com/deis/postgres) |
121 | | - |
122 | | -### Environment Variables |
123 | | - |
124 | | -The database looks for a `DATABASE_STORAGE` environment variable, which it then uses as a key to look up the object storage location and authentication information in a configuration file. See below for details on that file. |
125 | | - |
126 | | -### Credentials |
127 | | - |
128 | | -The database reads the credential information from a `objectstorage-keyfile` secret. This is generated automatically (as part of the `helm generate` command) based on the configuration options given in the [objectstorage.toml file][objectstorage-toml] file. |
129 | | - |
130 | | -### Helm Chart |
131 | | - |
132 | | -If you are using the [Helm Chart for Workflow][helm-chart], put your credentials in the [objectstorage.toml][objectstorage-toml] file before you run `helm generate`. Note that you don't need to base64-encode the credentials, as Helm will do that for you. For more information, see the [installation instructions][helm-install] for more details on using Helm. |
133 | | - |
134 | | - |
135 | | -[helm-chart]: https://github.com/deis/charts/tree/master/workflow-dev |
136 | | -[minio-user-secret]: https://github.com/deis/charts/blob/master/workflow-dev/manifests/deis-minio-secret-user.yaml |
137 | | -[helm-install]: https://github.com/deis/workflow/blob/master/src/installing-workflow/installing-deis-workflow.md |
138 | | -[objectstorage-toml]: https://github.com/deis/charts/blob/master/workflow-dev/tpl/objectstorage.toml |
139 | | -[k8s-service]: http://kubernetes.io/docs/user-guide/services/ |
140 | | -[k8s-secret]: http://kubernetes.io/docs/user-guide/secrets/ |
| 115 | +[minio]: ../understanding-workflow/components.md#object-storage |
| 116 | +[generate-params-toml]: https://github.com/deis/charts/blob/master/workflow-dev/tpl/generate_params.toml |
0 commit comments