Deuxfleurs
/
garage
42
37
Fork 55
Code Issues 70 Pull Requests 6 Releases 29 Wiki Activity

Kubernetes? #241

New Issue
Closed
opened 2022-02-11 01:42:52 +00:00 by schmitch · 7 comments
schmitch commented 2022-02-11 01:42:52 +00:00
Copy Link

hello,
I'm trying out garage and tried to make it work inside kubernetes and can't figure out my head around it, if it really works there?

most of the time kubernetes works by dns, because in k8s all ip addresses are volatile.

it looks like it's build with ip addresses in mind, is there any way to use k8s at all?

hello, I'm trying out garage and tried to make it work inside kubernetes and can't figure out my head around it, if it really works there? most of the time kubernetes works by dns, because in k8s all ip addresses are volatile. it looks like it's build with ip addresses in mind, is there any way to use k8s at all?
quentin commented 2022-02-11 14:42:15 +00:00
Owner
Copy Link

Hi schmitch,

At Deuxfleurs, we are not using Kubernetes but Nomad, that has way less abstractions on the network. So for sure, I don't know what would be the idiomatic way to integrate Garage with Kubernetes.

At least, if you have a Consul server on your network, you can configure your Garage nodes to register themselves in Consul and they will be able to discover their other peers.

You may also try to expose your Garage's instance ports on the server IP address (NodePort?). And then, in the bootstrap_peer section, you could put the IP address of one of your instance to trigger the autodiscovery.

Hopefully, someone more knowledgeable in Kubernetes may be able to help you in a better way. I will try to ping the people I know that operate K8S clusters.

Hi schmitch, At Deuxfleurs, we are not using Kubernetes but Nomad, that has way less abstractions on the network. So for sure, I don't know what would be the idiomatic way to integrate Garage with Kubernetes. At least, if you have a Consul server on your network, you can configure your Garage nodes to register themselves in Consul and they will be able to discover their other peers. You may also try to expose your Garage's instance ports on the server IP address (NodePort?). And then, in the bootstrap_peer section, you could put the IP address of one of your instance to trigger the autodiscovery. Hopefully, someone more knowledgeable in Kubernetes may be able to help you in a better way. I will try to ping the people I know that operate K8S clusters.
trinity-1686a commented 2022-02-11 23:59:18 +00:00
Owner
Copy Link

Garage supports connecting to a node using something like <hex blob>@my-domain.tld:1234. You can use that in bootstrap_peers in config, or when doing garage node connect <peer-id>.
Internally, Garage will resolve this domain as soon as it learns about it (at each restart for bootstrap_peers, when you run the command for garage node connect).
I believe if a peer changes IP (keeping the same domain or not, but keeping the same public key), and if it manages to connect to any other peer, it should be able to learn IPs of all other peers and connect to them, allowing them to learn it's new IP in return.

Garage supports connecting to a node using something like `<hex blob>@my-domain.tld:1234`. You can use that in bootstrap_peers in config, or when doing `garage node connect <peer-id>`. Internally, Garage will resolve this domain as soon as it learns about it (at each restart for bootstrap_peers, when you run the command for `garage node connect`). I believe if a peer changes IP (keeping the same domain or not, but keeping the same public key), and if it manages to connect to any other peer, it should be able to learn IPs of all other peers and connect to them, allowing them to learn it's new IP in return.
quentin added the
Documentation
 label 2022-02-23 11:17:24 +00:00
withinboredom commented 2022-02-27 18:51:36 +00:00
Contributor
Copy Link

I'm trying out garage and tried to make it work inside kubernetes and can't figure out my head around it, if it really works there?

This seems like something that would live outside of k8s so if your cluster goes away you don't lose your data.

> I'm trying out garage and tried to make it work inside kubernetes and can't figure out my head around it, if it really works there? This seems like something that would live outside of k8s so if your cluster goes away you don't lose your data.
schmitch commented 2022-03-01 08:54:11 +00:00
Author
Copy Link

ok so from what I understand, if I correctly set bootstrap_peers to a valid DNS name and run garage node connect after a reboot it should work?

I think the biggest problem when it comes to garage than, that some processes are also hard to automate. Kubernetes is mostly a declarative system. I think for garage to work, somebody would need to write a wrapper, so that basically garage can be put into a Statefulset, which would be impossible at the moment (especially since there is no way of specifying a public key upfront.

the things looks really hard to me.
basically at the moment I think something like this would need to be automated by some wrapper inside k8s:

  1. start garage server
  2. wait for at least other 3 nodes to come online (the wrapper can queue k8s for that if there are other nodes inside the statefulset, i.e. k8s will apply a static dns name for each node)
  3. generate a config with bootstrap_peers (i.e. public_key is not known upfront) and upload it maybe into a config map or something
  4. get the config on all nodes
  5. restart garage server on all nodes with the new config
  6. call garage connect

thus this means the wrapper would probably also need to use k8s to have some kind of leader election.

btw. it's basically impossible to fill out rpc_public_addr upfront or keep STABLE ip addresses in k8s (some networks allow that, but most won't for a reason).

(correct me if I am wrong in the initial bootstrap process tough!)

when I'm rebooting a single node I guess I need to do the same, expect that I already have a valid config, thus I can skip step 2, 3, 4, 5 (as long as at least 1 other node is online)

(maybe I will try to look into it and make a simple wrapper to check if that works)

ok so from what I understand, if I correctly set `bootstrap_peers` to a valid DNS name and run `garage node connect` after a reboot it should work? I think the biggest problem when it comes to `garage` than, that some processes are also hard to automate. Kubernetes is mostly a declarative system. I think for garage to work, somebody would need to write a wrapper, so that basically `garage` can be put into a Statefulset, which would be impossible at the moment (especially since there is no way of specifying a public key upfront. the things looks really hard to me. basically at the moment I think something like this would need to be automated by some wrapper inside k8s: 1. start `garage server` 2. wait for at least other 3 nodes to come online (the wrapper can queue k8s for that if there are other nodes inside the statefulset, i.e. k8s will apply a static dns name for each node) 3. generate a config with bootstrap_peers (i.e. public_key is not known upfront) and upload it maybe into a config map or something 4. get the config on all nodes 5. restart `garage server` on all nodes with the new config 6. call `garage connect` thus this means the wrapper would probably also need to use k8s to have some kind of leader election. btw. it's basically impossible to fill out `rpc_public_addr` upfront or keep STABLE ip addresses in k8s (some networks allow that, but most won't for a reason). (correct me if I am wrong in the initial bootstrap process tough!) when I'm rebooting a single node I guess I need to do the same, expect that I already have a valid config, thus I can skip step 2, 3, 4, 5 (as long as at least 1 other node is online) (maybe I will try to look into it and make a simple wrapper to check if that works)
lx commented 2022-03-01 09:43:48 +00:00
Owner
Copy Link

ok so from what I understand, if I correctly set bootstrap_peers to a valid DNS name and run garage node connect after a reboot it should work?

You also have to put the public key of a node, something like this:

bootstrap_peers = [
	"ec79480e0ce52ae26fd00c9da684e4fa56658d9c64cdcecb094e936de0bfe71f@my.bootstrap.peer.dns.name:3901",
]

But maybe in your case something you could try is autodiscovery with Consul (I think Consul can probably run in kubernetes?).

btw. it's basically impossible to fill out rpc_public_addr upfront or keep STABLE ip addresses in k8s (some networks allow that, but most won't for a reason).

Yes it's true that's an issue. As said @withinboredom, Garage should probably be set up manually outside of your Kubernetes cluster. What we do at Deuxfleurs is run it in a Nomad cluster but using host networking, so that IP addresses of Garage nodes are the IP addresses of the machines they are running on (which don't change).

So basically I see two relatively easy solutions in your use case:

  1. Run Garage outside of Kubernetes
  2. Run Consul and Garage in Kubernetes, find a way for nodes to know their rpc_public_addr when they start (even if it's a new IP each time that's not a problem, just fill in the configuration dynamically), and let Garage nodes advertise themselves in the Consul catalog.

We could probably implement other autodiscovery mechanisms (maybe using the Kubernetes equivalent of the Consul catalog? I don't really know what that would be). Basically the following things would be required:

  1. When they start, Nodes have a way of registering their public key in the catalog
  2. There is a way to associate public keys of nodes with their IP addresses
    • either the node sends the IP when it registers its public key (what we do with Consul, but it requires to be able to set rpc_public_addr)
    • or there is a way to know what container is making the registration API call, and this allows us to determine its IP address)
  3. When nodes try to discover other nodes in the network, they can read the catalog and get a list of public key + IP address pairs, one for each node registered.

If you have information on how to do this with Kubernetes, we could probably work towards a prototype.

> ok so from what I understand, if I correctly set bootstrap_peers to a valid DNS name and run garage node connect after a reboot it should work? You also have to put the public key of a node, something like this: ``` bootstrap_peers = [ "ec79480e0ce52ae26fd00c9da684e4fa56658d9c64cdcecb094e936de0bfe71f@my.bootstrap.peer.dns.name:3901", ] ``` But maybe in your case something you could try is autodiscovery with Consul (I think Consul can probably run in kubernetes?). > btw. it's basically impossible to fill out rpc_public_addr upfront or keep STABLE ip addresses in k8s (some networks allow that, but most won't for a reason). Yes it's true that's an issue. As said @withinboredom, Garage should probably be set up manually outside of your Kubernetes cluster. What we do at Deuxfleurs is run it in a Nomad cluster but using host networking, so that IP addresses of Garage nodes are the IP addresses of the machines they are running on (which don't change). So basically I see two relatively easy solutions in your use case: 1. Run Garage outside of Kubernetes 2. Run Consul and Garage in Kubernetes, find a way for nodes to know their `rpc_public_addr` when they start (even if it's a new IP each time that's not a problem, just fill in the configuration dynamically), and let Garage nodes advertise themselves in the Consul catalog. We could probably implement other autodiscovery mechanisms (maybe using the Kubernetes equivalent of the Consul catalog? I don't really know what that would be). Basically the following things would be required: 1. When they start, Nodes have a way of registering their public key in the catalog 2. There is a way to associate public keys of nodes with their IP addresses - either the node sends the IP when it registers its public key (what we do with Consul, but it requires to be able to set `rpc_public_addr`) - or there is a way to know what container is making the registration API call, and this allows us to determine its IP address) 3. When nodes try to discover other nodes in the network, they can read the catalog and get a list of public key + IP address pairs, one for each node registered. If you have information on how to do this with Kubernetes, we could probably work towards a prototype.
quentin commented 2022-03-01 10:21:50 +00:00
Owner
Copy Link

I searched for "Kubernetes Autodiscovery" as this is this property we want, and we could integrate it in Garage, but it does not seem to be a common idiom.

K8S often uses etcd, and we could use it as a discovery service, similarly to Consul, but again, it seems that we would break K8S' abstraction by doing so.

I also found a documentation page about Cassandra + StatefulSet. As you mentioned, the difference is that we need to pre-generate a key.

This key is part of Garage's security features and we do not want to drop it. We need to understand how people are managing cluster applications on K8S that use TLS client auth between nodes of the cluster, as we will be able to translate their pattern to Garage.

I know that K8S has some Custom Resources and/or Custom Resource Definitions but it seems to be targeted to "human management" so not designed for programmatic access. Do you know if K8S defines some ways for an app to push some data about its states?

Edit: we might need to write some codes so Garage get a ServiceAccount then we might ask Garage to register some Secrets / ConfigMaps. We may take inspiration from Akka, a java library to ease distributed/clustered application devlopment, they have a K8S section in their doc.

I searched for "Kubernetes Autodiscovery" as this is this property we want, and we could integrate it in Garage, but it does not seem to be a common idiom. K8S often uses etcd, and we could use it as a discovery service, similarly to Consul, but again, it seems that we would break K8S' abstraction by doing so. I also found a documentation page about [Cassandra + StatefulSet](https://kubernetes.io/docs/tutorials/stateful-application/cassandra/). As you mentioned, the difference is that we need to pre-generate a key. This key is part of Garage's security features and we do not want to drop it. We need to understand how people are managing cluster applications on K8S that use TLS client auth between nodes of the cluster, as we will be able to translate their pattern to Garage. I know that K8S has some [Custom Resources](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) and/or [Custom Resource Definitions](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/) but it seems to be targeted to "human management" so not designed for programmatic access. Do you know if K8S defines some ways for an app to push some data about its states? --- Edit: we might need to write some codes so Garage get a [ServiceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) then we might ask Garage to register some [Secrets](https://kubernetes.io/fr/docs/concepts/configuration/secret/) / [ConfigMaps](https://kubernetes.io/docs/concepts/configuration/configmap/). We may take inspiration from Akka, a java library to ease distributed/clustered application devlopment, they have a [K8S section in their doc](https://doc.akka.io/docs/akka-management/current/discovery/kubernetes.html).
schmitch commented 2022-03-01 15:52:29 +00:00
Author
Copy Link

btw. another good example for autodiscovery via k8s is patroni from zalando to bootstrap postgresql: https://github.com/zalando/patroni/blob/master/docs/kubernetes.rst

however their implementation might not be straight forward: https://github.com/zalando/patroni/blob/master/patroni/dcs/kubernetes.py
basically they created what somebody would need to do, to run garage on k8s at the moment. A wrapper "script" that register everything needed for service discovery and they put everything onto an endpoint, the same thing would be a little bit more work for garage since it probably needs an endpoint for each garage search and query them via k8s labels.

but kubernetes autodiscovery is something that basically everybody makes a little bit different, depending on the need.

Edit:

I will look into it if I might have a good solution also based on something somebody written inside element:

https://matrix.to/#/!BCLqSdZmZvTrJncZYQ:zinz.dev/$DZ7hOBZAPi7GfjTiybwH6U1hqK0e3a5Q2FVrdUK6V68?via=zinz.dev&via=matrix.org&via=deuxfleurs.fr

btw. another good example for autodiscovery via k8s is patroni from zalando to bootstrap postgresql: https://github.com/zalando/patroni/blob/master/docs/kubernetes.rst however their implementation might not be straight forward: https://github.com/zalando/patroni/blob/master/patroni/dcs/kubernetes.py basically they created what somebody would need to do, to run `garage` on k8s at the moment. A wrapper "script" that register everything needed for service discovery and they put everything onto an endpoint, the same thing would be a little bit more work for garage since it probably needs an endpoint for each garage search and query them via k8s labels. but kubernetes autodiscovery is something that basically everybody makes a little bit different, depending on the need. Edit: I will look into it if I might have a good solution also based on something somebody written inside element: https://matrix.to/#/!BCLqSdZmZvTrJncZYQ:zinz.dev/$DZ7hOBZAPi7GfjTiybwH6U1hqK0e3a5Q2FVrdUK6V68?via=zinz.dev&via=matrix.org&via=deuxfleurs.fr
lx closed this issue 2022-03-14 09:47:36 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
main-0.9.x
db-no-unsafe
main-0.8.x
k2v/shared_http_client
feat/website-redir
smithy2
test/compilation
poc/nomad-ci
test-ci-wait
pnet_datalink-0.33.0
optimal-layout
k2v-watch-range
db-debug-log
build-convert-db
demonstrate-cargo2nix-bug
dangerous/no-fsync
dev0.7.3
doc/benchmarks
bug/check_static
bucket-cors-more
storage-optimizations
old-main
v1.0.0
v0.9.4
v1.0.0-rc1
v0.8.7
v0.9.3
v0.9.2
v0.8.6
v0.9.2-rc1
v0.9.1
v0.8.5
v0.10.0-beta1
v0.9.0
v0.9.0-rc2
v0.9.0-rc1
v0.9.0-beta4
v0.9.0-beta3
v0.9.0-beta2
v0.8.4
v0.9.0-beta1
v0.8.3
v0.8.3-rc1
format_table-v0.1.1
format_table-v0.1.0
v0.8.2
v0.8.1
v0.8.0
v0.8.0-rc2
v0.8.0-rc1
v0.8.0-dangerous-no-fsync
v0.8.0-beta2-k2v
v0.8.0-beta2
v0.8.0-beta1-k2v
v0.8.0-beta1
v0.7.99.3-k2v
v0.7.3
v0.7.3-beta2
v0.7.3-beta1
v0.7.2.1
v0.7.2
v0.7.2_ci-test-2
v0.7.2+ci-test-version
v0.7.99.2-k2v
v0.7.99.1-k2v
v0.7.99-k2v
v0.7.2-k2v
v0.7.1-admin-k2v-2
v0.7.1-admin-k2v
v0.7.1-k2v
v0.7.1
v0.7.0
v0.7.0-rc1
v0.6.1
v0.6.0
v0.6.0-rc1
v0.5.1
v0.5.0.1
v0.5.0
v0.5-beta1
v0.4.0
v0.4-rc2
v0.4-rc1
0.4-beta
0.4-alpha
v0.3.0.2
v0.3.0.1
v0.3.0
v0.2.1.5
v0.2.1
v0.2.0
0.1.1b
0.1.1
0.1.0b
0.1.0
Labels
Clear labels   
AdminAPI

Issues concerning the administration API

  
Bug

   
Check AWS

The behaviour should be checked against AWS S3

  
CI

Issues with Nix, Drone, Rust Compiler, etc.

  
Correctness

Issues of theoretical correctness that may impact edge-case scenarios

  
Critical

   
Documentation

   
Ideas

For abstract ideas/proposal to make Garage better, to better communicate our not yet achieved aims

  
Improvement

   
Low priority

For issues that we don't want to spend time on until made absolutely necessary

  
Newcomer

A bug that should be newcomer friendly.

  
Performance

   
S3 Compatibility

   
Testing

   
Usability

Propositions to make Garage easier to operate, by improving error reporting, CLI, etc.

No Label
AdminAPI
Bug
Check AWS
CI
Correctness
Critical
Documentation
Ideas
Improvement
Low priority
Newcomer
Performance
S3 Compatibility
Testing
Usability
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
5 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Deuxfleurs/garage#241
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?