Merge pull request #380 from appuio/install/exoscale/ccm

Update Exoscale install instructions to deploy the Exoscale CCM
appuio · Feb 28, 2025 · bad8a3d · bad8a3d
2 parents d152acd + 485ba9a
commit bad8a3d
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 15 deletions.
diff --git a/Makefile b/Makefile
@@ -15,7 +15,7 @@ else
 endif
 
 preview_cmd ?= $(engine_cmd) run --rm --publish 35729:35729 --publish 2020:2020 --volume "${PWD}":/preview/antora ghcr.io/vshn/antora-preview:3.1.4 --antora=docs --style=vshn
-vale_cmd ?= $(engine_cmd) run $(engine_opts) --volume "$${PWD}"/docs/modules:/pages:Z ghcr.io/vshn/vale:2.15.5 --minAlertLevel=error --config=/pages/ROOT/pages/.vale.ini /pages
+vale_cmd ?= $(engine_cmd) run $(engine_opts) --volume "$${PWD}"/docs/modules:/pages:Z ghcr.io/vshn/vale:2.27.0 --minAlertLevel=error --config=/pages/ROOT/pages/.vale.ini /pages
 
 UNAME := $(shell uname)
 ifeq ($(UNAME), Linux)

diff --git a/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc b/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc
@@ -55,7 +55,7 @@ include::partial$exoscale/environment-vars.adoc[]
 include::partial$install/vshn-input.adoc[]
 
 [#_create_iam_keys]
-=== Create restricted Exoscale IAM keys for object storage, AppCat and CSI driver
+=== Create restricted Exoscale IAM keys for object storage, AppCat, CSI driver and CCM
 
 [NOTE]
 ====
@@ -123,7 +123,10 @@ export APPCAT_SECRETKEY=$(echo "${appcat_credentials}" | jq -r '.secret')
 csidriver_role_id=$(exo iam role list -O json | \
   jq -r '.[] | select(.name=="csi-driver-exoscale") | .key')
 if [ -z "${csidriver_role_id}" ]; then
-echo '{
+cat << EOF | exo iam role create csi-driver-exoscale \
+  --description "Exoscale CSI Driver: Access to storage operations and zone list" \
+  --policy -
+{
   "default-service-strategy": "deny",
   "services": {
     "compute": {
@@ -136,10 +139,8 @@ echo '{
       ]
     }
   }
-}' | \
-exo iam role create csi-driver-exoscale \
-  --description "Exoscale CSI Driver: Access to storage operations and zone list" \
-  --policy -
+}
+EOF
 fi
 # Create access key
 csi_credentials=$(exo iam api-key create -O json \
@@ -148,6 +149,43 @@ export CSI_ACCESSKEY=$(echo "${csi_credentials}" | jq -r '.key')
 export CSI_SECRETKEY=$(echo "${csi_credentials}" | jq -r '.secret')
 ----
 
+. Create restricted API key for the Exoscale cloud-controller-manager
++
+[source,bash]
+----
+# Create Exoscale CCM Exoscale IAM role, if it doesn't exist yet in the organization
+ccm_role_id=$(exo iam role list -O json | \
+  jq -r '.[] | select(.name=="ccm-exoscale") | .key')
+if [ -z "${ccm_role_id}" ]; then
+cat <<EOF | exo iam role create ccm-exoscale \
+  --description "Exoscale CCM: Allow managing NLBs and reading instances/instance pools" \
+  --policy -
+{
+  "default-service-strategy": "deny",
+  "services": {
+    "compute": {
+      "type": "rules",
+      "rules": [
+        {
+          "expression": "operation in ['add-service-to-load-balancer', 'create-load-balancer', 'delete-load-balancer', 'delete-load-balancer-service', 'get-load-balancer', 'get-load-balancer-service', 'get-operation', 'list-load-balancers', 'reset-load-balancer-field', 'reset-load-balancer-service-field', 'update-load-balancer', 'update-load-balancer-service']",
+          "action": "allow"
+        },
+        {
+          "expression": "operation in ['get-instance', 'get-instance-pool', 'get-instance-type', 'list-instances', 'list-instance-pools', 'list-zones']",
+          "action": "allow"
+        }
+      ]
+    }
+  }
+}
+EOF
+fi
+# Create access key
+ccm_credentials=$(exo iam api-key create -O json \
+  "${CLUSTER_ID}_ccm-exoscale" ccm-exoscale)
+export CCM_ACCESSKEY=$(echo "${ccm_credentials}" | jq -r '.key')
+export CCM_SECRETKEY=$(echo "${ccm_credentials}" | jq -r '.secret')
+----
 
 [#_bootstrap_bucket]
 === Set up S3 buckets for the cluster
@@ -234,6 +272,11 @@ vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/appcat/provider-exoscale \
 vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/exoscale/csi_driver \
   access_key=${CSI_ACCESSKEY} \
   secret_key=${CSI_SECRETKEY}
+
+# Set the CCM Exoscale Credentials
+vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/exoscale/ccm \
+  access_key=${CCM_ACCESSKEY} \
+  secret_key=${CCM_SECRETKEY}
 ----
 
 include::partial$get-hieradata-token-from-vault.adoc[]

diff --git a/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc b/docs/modules/ROOT/partials/install/bootstrap-nodes.adoc
@@ -43,7 +43,7 @@ done && echo -e "\nAPI is up"
 [NOTE]
 ====
 We need to temporarily adjust the Cilium config to not use full kube-proxy replacement, since we currently don't have a way to disable the initial OpenShift-managed kube-proxy deployment.
-Additionally, Because the cloudscale Cloud Controller Manager accesses the K8s API via service IP, we need to configure Cilium to provide partial kube-proxy replacement so that the CCM can start and untaint the control plane nodes so that other pods can be scheduled.
+Additionally, because the {provider} Cloud Controller Manager accesses the K8s API via service IP, we need to configure Cilium to provide partial kube-proxy replacement so that the CCM can start and untaint the control plane nodes so that other pods can be scheduled.
 ====
 +
 [source,bash]

diff --git a/docs/modules/ROOT/partials/install/install-config-cloudscale-exoscale.adoc b/docs/modules/ROOT/partials/install/install-config-cloudscale-exoscale.adoc
@@ -16,16 +16,10 @@ apiVersion: v1
 metadata:
   name: ${CLUSTER_ID} <1>
 baseDomain: ${BASE_DOMAIN} <1>
-ifeval::["{provider}" == "cloudscale"]
 platform:
   external:
-    platformName: cloudscale
+    platformName: {provider}
     cloudControllerManager: External
-endif::[]
-ifeval::["{provider}" == "exoscale"]
-platform:
-  none: {}
-endif::[]
 networking:
   networkType: Cilium
 pullSecret: |

diff --git a/docs/modules/ROOT/partials/install/prepare-commodore.adoc b/docs/modules/ROOT/partials/install/prepare-commodore.adoc
@@ -54,6 +54,16 @@ if ls openshift4.y*ml 1>/dev/null 2>&1; then
 fi
 ----
 
+ifeval::["{provider}" == "exoscale"]
+. Include the Exoscale cloud-controller-manager Commodore component
++
+[source,bash]
+----
+yq eval -i '.applications += "exoscale-cloud-controller-manager"' ${CLUSTER_ID}.yml
+git commit -a -m "Deploy Exoscale cloud-controller-manager on ${CLUSTER_ID}"
+----
+endif::[]
+
 . Add Cilium to cluster configuration
 +
 [NOTE]

diff --git a/docs/modules/ROOT/partials/install/run-installer.adoc b/docs/modules/ROOT/partials/install/run-installer.adoc
@@ -56,6 +56,19 @@ yq -i e ".stringData.access-token=\"${CLOUDSCALE_API_TOKEN}\"" \
   ${INSTALLER_DIR}/manifests/cloudscale-cloud-controller-manager_01_secret_0_secret.yml
 ----
 endif::[]
+ifeval::["{provider}" == "exoscale"]
+. Copy cloud-controller-manager manifests
++
+[source,bash,]
+----
+for f in catalog/manifests/exoscale-cloud-controller-manager/*; do
+  cp $f ${INSTALLER_DIR}/manifests/exoscale_ccm_$(basename $f)
+done
+
+yq -i e ".stringData.api-key=\"${CCM_ACCESSKEY}\",.stringData.api-secret=\"${CCM_SECRETKEY}\"" \
+  ${INSTALLER_DIR}/manifests/exoscale_ccm_01_secret.yaml
+----
+endif::[]
 
 . Copy pre-rendered Cilium manifests
 +