From 82945464bd2370684008765b5b0c0caa38cffb0b Mon Sep 17 00:00:00 2001 From: Stephan Feurer Date: Wed, 24 Jan 2024 12:21:51 +0100 Subject: [PATCH] Add cloudscale.ch architecture reference documentation --- .../images/ocp4-architecture-cloudscale.svg | 4 + .../references/cloudscale/architecture.adoc | 99 +++++++++++++++++++ .../references/exoscale/architecture.adoc | 2 +- docs/modules/ROOT/partials/nav.adoc | 3 + 4 files changed, 107 insertions(+), 1 deletion(-) create mode 100755 docs/modules/ROOT/assets/images/ocp4-architecture-cloudscale.svg create mode 100644 docs/modules/ROOT/pages/references/cloudscale/architecture.adoc diff --git a/docs/modules/ROOT/assets/images/ocp4-architecture-cloudscale.svg b/docs/modules/ROOT/assets/images/ocp4-architecture-cloudscale.svg new file mode 100755 index 00000000..eae10ef5 --- /dev/null +++ b/docs/modules/ROOT/assets/images/ocp4-architecture-cloudscale.svg @@ -0,0 +1,4 @@ + + + +
[Diagram text of ocp4-architecture-cloudscale.svg (draw.io export; duplicated and truncated labels collapsed):
cloudscale.ch Zone; Cluster Machine Network.
OpenShift 4 Control plane nodes, 3x 4vCPU/16GiB RAM: Kubernetes API, Scheduler, Controllers, OpenShift API, etcd.
OpenShift 4 infrastructure nodes, 4x 4vCPU/16GiB RAM: Ingress Router, Monitoring, Registry, Logging, ...
OpenShift 4 worker nodes, 3x 4vCPU/16GiB RAM: Application A, Application B, Application C.
Load Balancer: API IP (6443/tcp), Ingress IP (80/tcp 443/tcp); Egress IP.
DNS: api.cluster.cust.vshnmanaged.net; ingress.cluster.cust.vshnmanaged.net, *.apps.cluster.cust.vshnmanaged.net.
Load Balancer Security Group, firewall rules: ANY -> 80/tcp -> Ingress VIP*; ANY -> 443/tcp -> Ingress VIP*; ANY -> 6443/tcp -> API VIP. *Should use PROXY protocol to preserve source IPs.
Service Network – Cilium eBPF rules – 172.30.0.0/16; Pod Network – Cilium VXLAN – 10.128.0.0/14.
Other customer networks; Other customer systems.
VSHN services: LDAP / SSO, GitLab, Project Syn API, Project Syn Vault, acme-dns, central metrics store.
Red Hat services: OpenShift Update Service, Container registries, NTP servers.
3rd party services: OpsGenie, Passbolt, Let's Encrypt, Container registries.
Legend: managed by VSHN; managed by cloudscale.ch; managed by Customer, optional.]
\ No newline at end of file diff --git a/docs/modules/ROOT/pages/references/cloudscale/architecture.adoc b/docs/modules/ROOT/pages/references/cloudscale/architecture.adoc new file mode 100644 index 00000000..ba27bcb5 --- /dev/null +++ b/docs/modules/ROOT/pages/references/cloudscale/architecture.adoc 
@@ -0,0 +1,99 @@ +:infra-type: cloudscale.ch +:infra-svg: ocp4-architecture-cloudscale.svg += APPUiO Managed OpenShift 4 on {infra-type} + +== Architecture overview + +include::partial$architecture/overview.adoc[] + +== {infra-type} requirements + +APPUiO Managed OpenShift 4 on {infra-type} needs a https://docs.openshift.com/container-platform/4.14/installing/installing_bare_metal/installing-bare-metal.html#installation-load-balancing-user-infra_installing-bare-metal[Load Balancer setup] that must meet the following requirements: + +1. API load balancer: Provides a common endpoint to interact with OpenShift and Kubernetes. + +2. Ingress load balancer: Provides an endpoint for application traffic flowing in from outside the cluster. + +See the https://docs.openshift.com/container-platform/latest/installing/installing_bare_metal/installing-bare-metal.html#installation-requirements-user-infra_installing-bare-metal[upstream documentation] for details on {infra-type} requirements. + + +== Networking + +=== Machine network + +include::partial$architecture/networking-cluster.adoc[] + +=== Virtual IPs + +To expose applications and the Kubernetes API outside the cluster, APPUiO Managed OpenShift 4 manages three floating IPs: + +1. The "API VIP" for the Kubernetes and OpenShift API. +APPUiO Managed OpenShift 4 uses a public floating IP as the API VIP. +2. The "Ingress VIP" for the OpenShift Ingress Router. +APPUiO Managed OpenShift 4 uses a public floating IP as the Ingress VIP. +2. The "Egress VIP" for outgoing traffic of the nodes. +APPUiO Managed OpenShift 4 uses a public floating IP for outgoing traffic. + +APPUiO Managed OpenShift 4 uses {infra-type} Load Balancer to manage the API and ingress VIPs and distributes traffic to the master / infrastructure nodes and {infra-type} vRouter for outgoing traffic. 
+ +=== Pod and service networks + +include::partial$architecture/networking-pods.adoc[] + +=== Exposing the cluster + +We provide a CNAME target record to point additional DNS records to. + +=== External services + +include::partial$architecture/networking-external.adoc[] + +== Storage + +include::partial$architecture/storage.adoc[] + +== Glossary + +=== Components {infra-type} + +[cols="1,3,1"] +|=== +|Name|Description|provided by + +|Load Balancer +a|cloudscale.ch Load Balancer provide fail-over ingress to your cluster. +This service is provided by {infra-type}. + +The main load balancer represents the virtual network device and is assigned VIP addresses (virtual IP addresses) through which incoming traffic is received. +Traffic is distributed to the the individual endpoints, defined in a pool. + +See https://www.cloudscale.ch/en/api/v1#load-balancers[Upstream Documentation]. + +|{infra-type} + +|vRouter +a|A virtual router is a software function that replicates the functionality of a hardware-based router. +This service is provided by {infra-type}. + +|{infra-type} + +|S3 compatible storage +a|Various OpenShift components require S3 compatible storage. +This storage is provided by {infra-type}. + +The main APPUiO Managed OpenShift 4 components that use object storage are + +* OpenShift integrated image registry +* OpenShift logging stack +* APPUiO Managed cluster backups +|{infra-type} + +|=== + +=== Components General + +include::partial$architecture/glossary-general.adoc[] + +=== Other terms + +include::partial$architecture/glossary-others.adoc[] diff --git a/docs/modules/ROOT/pages/references/exoscale/architecture.adoc b/docs/modules/ROOT/pages/references/exoscale/architecture.adoc index 7d8e38c7..cc96a081 100644 --- a/docs/modules/ROOT/pages/references/exoscale/architecture.adoc +++ b/docs/modules/ROOT/pages/references/exoscale/architecture.adoc 
@@ -34,7 +34,7 @@ To expose applications and the Kubernetes API outside the cluster, APPUiO Manage 1. The "API VIP" for the Kubernetes and OpenShift API. APPUiO Managed OpenShift 4 uses a public floating IP as the API VIP. -2. The "Ingress VIP" for the OpenShift Ingress Router +2. The "Ingress VIP" for the OpenShift Ingress Router. APPUiO Managed OpenShift 4 uses a public floating IP as the Ingress VIP. APPUiO Managed OpenShift 4 uses two Load Balancer instances to manage the API and ingress VIPs and distributes traffic to the master / infrastructure nodes. diff --git a/docs/modules/ROOT/partials/nav.adoc b/docs/modules/ROOT/partials/nav.adoc index 970ac108..55b8fcd9 100644 --- a/docs/modules/ROOT/partials/nav.adoc +++ b/docs/modules/ROOT/partials/nav.adoc @@ -14,6 +14,8 @@ ** xref:oc4:ROOT:references/architecture/metering-data-flow-appuio-managed.adoc[Resource Usage Reporting] ** xref:oc4:ROOT:references/architecture/single_sign_on.adoc[] +** xref:oc4:ROOT:references/cloudscale/architecture.adoc[cloudscale.ch] + ** xref:oc4:ROOT:references/exoscale/architecture.adoc[Exoscale] *** xref:oc4:ROOT:explanations/exoscale/limitations.adoc[Limitations] @@ -25,6 +27,7 @@ * Supported Infrastructures ** cloudscale.ch +*** xref:oc4:ROOT:references/cloudscale/architecture.adoc[Architecture] *** xref:oc4:ROOT:references/cloudscale/config.adoc[Configuration] *** xref:oc4:ROOT:how-tos/cloudscale/install.adoc[Install] // Node management
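Review bot: the new SVG asset is added with mode 100755 ("create mode 100755 docs/modules/ROOT/assets/images/ocp4-architecture-cloudscale.svg") while the new .adoc page in the same patch uses 100644; an image needs no execute bit, so clear it before merging. The file also ends without a trailing newline ("\ No newline at end of file").

Review bot: in the new cloudscale/architecture.adoc, the diagram's firewall rules allow "ANY -> 6443/tcp -> API VIP" and note that the ingress rules "Should use PROXY protocol to preserve source IPs", but the page text under "Virtual IPs" and "Exposing the cluster" says nothing about whether the cloudscale.ch Load Balancer is configured with PROXY protocol or whether API access is restricted by source; without PROXY protocol, ingress access logs, audit records and source-IP based policies see the load balancer's address instead of the client's, so stating the configured behaviour would help operators reading this reference. Smaller points in the same hunk: the "Virtual IPs" list numbers the Egress VIP item "2." after the Ingress VIP "2."; the intro says three floating IPs, so it should be "3." (AsciiDoc renumbers explicit ordinals, but the source should match). In the glossary table, "cloudscale.ch Load Balancer provide fail-over ingress" should read "provides", and "distributed to the the individual endpoints" has a doubled "the". The two upstream OpenShift links pin different versions ("4.14" for the load balancer section, "latest" for the requirements section); pick one so they do not drift apart.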