[WIP] Self hosted: Add lgalloc integration setup #31796
Conversation
bobbyiliev
force-pushed
the
self-hosted-lgalloc-setup
branch
from
df2f61e to
1aafe74
Compare
misc/nvme-bootstrap/README.md
Outdated
|
|
||
| 1. Automatically detects NVMe instance store devices on your nodes | ||
| 2. Creates an LVM volume group from these devices | ||
| 3. Configures OpenEBS to provision persistent volumes from this storage |
There was a problem hiding this comment.
| 3. Configures OpenEBS to provision persistent volumes from this storage | |
| 3. Configures OpenEBS LVM Local-PV to provision persistent volumes from this storage |
OpenEBS is a whole family of providers, we should be specific about which we're using.
misc/nvme-bootstrap/README.md
Outdated
|
|
||
| # Disable Materialize Operator installation as it will require the storage class | ||
| # TODO: The module will support this configuration in the future | ||
| install_materialize_operator = false |
There was a problem hiding this comment.
We probably want to support this before releasing lgalloc support.
There was a problem hiding this comment.
Started working on that already here: MaterializeInc/terraform-aws-materialize#41
| docker build -t your-registry/nvme-bootstrap:latest . | ||
|
|
||
| # Push to your registry | ||
| docker push your-registry/nvme-bootstrap:latest |
There was a problem hiding this comment.
If they are pushing it themselves, where do we configure which bootstrap image to use in the terraform?
There was a problem hiding this comment.
Ah yes this is more of a note for myself while testing, next on my list is to add this to CI so we push the image to Docker hub. Open to suggestions on the Docker image name though!
misc/nvme-bootstrap/README.md
Outdated
|
|
||
| # Delete OpenEBS if no longer needed | ||
| helm uninstall openebs -n openebs | ||
| kubectl delete namespace openebs |
There was a problem hiding this comment.
What is this cleanup section cleaning up? If they ran the terraform, this would likely break their stack.
| # Function to detect cloud provider | ||
| detect_cloud_provider() { | ||
| # Check for AWS | ||
| if curl -s -m 5 http://169.254.169.254/latest/meta-data/ >/dev/null; then |
There was a problem hiding this comment.
The metadata service may not be available in all clusters. It is generally good security practice to disallow this.
Can we just pass in the cloud provider as an arg instead?
There was a problem hiding this comment.
I agree, lets just pass this in, if some doesn't know what what cloud they're deploying into then that's on them.
There was a problem hiding this comment.
I've changed this so now users can pass --cloud-provider same as we have it in orchestratord
| # the Business Source License, use of this software will be governed | ||
| # by the Apache License, Version 2.0. | ||
|
|
||
| set -xeo pipefail |
There was a problem hiding this comment.
| set -xeo pipefail | |
| set -xeuo pipefail |
| ;; | ||
| *) | ||
| echo "Usage: $0 [add|remove]" | ||
| exit 0 # Exit with success to avoid crash loop |
There was a problem hiding this comment.
As above, we probably want it to crash.
| serviceAccountName: nvme-setup-sa | ||
| initContainers: | ||
| - name: apply-taint | ||
| image: bobbyiliev/nvme-bootstrap:latest |
There was a problem hiding this comment.
This image is fine for testing, but probably should be moved to the materialize org with some automation for building/pushing it.
| initContainers: | ||
| - name: apply-taint | ||
| image: bobbyiliev/nvme-bootstrap:latest | ||
| command: ["/usr/local/bin/manage-taints.sh", "add"] |
There was a problem hiding this comment.
This should be set using a startup taint, not by the daemonset.
| effect: NoSchedule | ||
| - key: node-role.kubernetes.io/control-plane | ||
| operator: Exists | ||
| effect: NoSchedule |
There was a problem hiding this comment.
Why these other two tolerations?
| # Handle both standard Linux and Bottlerocket paths | ||
| if [ -d "/.bottlerocket" ]; then | ||
| # Bottlerocket specific path | ||
| BOTTLEROCKET_ROOT="/.bottlerocket/rootfs" | ||
| mapfile -t SSD_NVME_DEVICE_LIST < <(lsblk --json --output-all | jq -r '.blockdevices[] | select(.model // empty | contains("Amazon EC2 NVMe Instance Storage")) | .path') | ||
| for device in "${SSD_NVME_DEVICE_LIST[@]}"; do | ||
| nvme_devices+=("$BOTTLEROCKET_ROOT$device") | ||
| done | ||
| else | ||
| # Standard EC2 instances | ||
| mapfile -t nvme_devices < <(lsblk --json --output-all | jq -r '.blockdevices[] | select(.model // empty | contains("Amazon EC2 NVMe Instance Storage")) | .path') | ||
| fi | ||
| ;; | ||
| # Add more cloud providers here |
There was a problem hiding this comment.
If you're doing a case on cloud, I would turn this into a handle_aws function for readability... or an internal case/if for check_bottlerocket, check_linux.
| # the Business Source License, use of this software will be governed | ||
| # by the Apache License, Version 2.0. | ||
|
|
||
| set -xeo pipefail |
There was a problem hiding this comment.
you may want to include u in this -u as well
-u When the shell tries to expand an unset parameter other than
the '@' and '*' special parameters, it shall write a message
to standard error and the expansion shall fail with the
consequences specified in Section 2.8.1, Consequences of
Shell Errors.
| return 0 | ||
| } | ||
|
|
||
| # Main execution |
There was a problem hiding this comment.
nit: I think I prefer a main function function main() {...} to scope this logic.. it makes the script sourceable.
if [ "$0" == "${BASH_SOURCE[0]}" ]; then
# shellcheck disable=SC2068
main $@
fi| kubectl --server="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \ | ||
| --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ | ||
| --certificate-authority="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" \ | ||
| taint nodes "$NODE_NAME" "$TAINT_KEY=$TAINT_VALUE:$TAINT_EFFECT" --overwrite || { | ||
| echo "Warning: Failed to add taint, but continuing anyway" | ||
| } | ||
| } |
There was a problem hiding this comment.
Already discussed, but we shouldn't add the taint here, that should be part of the node_group, or whatever defines nodes in the particular k8s cluster.
bobbyiliev
force-pushed
the
self-hosted-lgalloc-setup
branch
from
181df29 to
60bd2f2
Compare
| @@ -0,0 +1,249 @@ | |||
| # OpenEBS NVMe Bootstrap for Materialize | |||
There was a problem hiding this comment.
I might delete this readme file all together, most of this is already available in the helm chart readme anyway, and the AWS specific implementation will be done via Terraform.
| @@ -0,0 +1,72 @@ | |||
| # Copyright Materialize, Inc. and contributors. All rights reserved. | |||
There was a problem hiding this comment.
Do we also need those yaml files as well?
We have this as an example in Terraform already: https://github.com/MaterializeInc/terraform-aws-materialize/pull/41/files#diff-17bfdd719dbe7e71d2a1611e4312e71e140ca1c05f2ba6cddf62b7ec4d1c38c2R113
Motivation
As per: https://github.com/MaterializeInc/cloud/issues/10880
Things that still need to be handled here: