Setting Up Kyma on GKE

Introduction to Kyma

Kyma allows you to customise enterprise applications by connecting third-party services whether it is hosted on the cloud or on your private data centre. It uses serverless computing and microservices architecture in order to allow quicker customization, regardless of the language they are written in.

It provides a number of cloud components and services that are required to collectively serve as an end-to-end solution. It also provides the advantages of performance, scalability, efficiency and above all security.

What is Uncommon in Kyma?

Think of a solution in which you can combine locally developed features with modern solutions under one umbrella?

Kyma does exactly this, it allows you to combine and enhance your solutions easily and quickly. Some of the major open-source projects like Istio, NATS, Kubeless, and Prometheus, establish the foundation of Kyma.

Setting Up Kyma on GKE Google Kubernetes Engine Cluster:

Following are the steps that are needed to deploy Kyma on a Google Kubernetes Engine (GKE) cluster.
There are some changes as compared to the actual document. kindly refer to the notes that are written where changes/errors can occur.

Prerequisites

Google Cloud Platform (GCP) project with Kubernetes Engine API enabled kubectl 1.12.0 Docker Docker Hub account gcloud
wget

It is recommended to get a free domain for your cluster using services like freenom.com

Prepare GKE cluster:

Open gcloud terminal on cloud or cmd for using gcloud SDK

1- Set the cluster name and the name of your GCP project as environment variables
As per Document:

export CLUSTER_NAME={CLUSTER_NAME_YOU_WANT}
export PROJECT={YOUR_GCP_PROJECT}

Example
export CLUSTER_NAME=project-kyma
export PROJECT=my-first-kyma-project

2- Create a cluster in the Australia-southeast1-b region. Run:
As per Document:

gcloud container --project "$PROJECT" clusters \
create "$CLUSTER_NAME" --zone "europe-west1-b" \
--cluster-version "1.12" --machine-type "n1-standard-4" \
--addons HorizontalPodAutoscaling,HttpLoadBalancing,KubernetesDashboard

Example:

gcloud container --project "$PROJECT" clusters \
create "$CLUSTER_NAME" --zone "australia-southeast1-b" \
--cluster-version "1.12" --machine-type "n1-standard-4" --network=kyma-vpc --subnetwork=kyma-subnet \
--addons HorizontalPodAutoscaling,HttpLoadBalancing,KubernetesDashboard

Note:

Above command in the document have default network and subnetwork so it doesn’t need to write it while cluster creation, whereas if you don’t have default network and subnetwork then you need to specify by adding the tags like in the example command.

Above command will create 3 node GKE cluster for kyma, and here machine type is “n1-standard-4” which means each node have the configuration of 4 CPU and 15 GB RAM which will overall become 12 CPU and 45 GB RAM for 3 nodes. If you change the machine type for example from “n1-standard-4” to “n1-standard-1”, Kyma will not be installed properly or continuously fail due to limited resource as there are 66 pods in total for kyma on GKE cluster.

3- Install Tiller on your GKE cluster. Run:
Document:

kubectl apply -f https://raw.githubusercontent.com/kyma-project/kyma/{RELEASE_TAG}/installation/resources/tiller.yaml

Example:

kubectl apply -f https://raw.githubusercontent.com/kyma-project/kyma/1.0.0/installation/resources/tiller.yaml

Note:
Change RELEASE_TAG with the version you want to install tiller

4- Add your account as the cluster administrator:

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value account)

5- DNS setup and TLS certificate generation

Export the domain name, project name, and DNS zone name as environment variables. Run the commands listed below:
As per Document:

export DOMAIN={YOUR_SUBDOMAIN} export DNS_NAME={YOUR_DOMAIN}. export PROJECT={YOUR_GOOGLE_PROJECT_ID}
export DNS_ZONE={YOUR_DNS_ZONE}

Example:

export DOMAIN=example.io export DNS_NAME=example.io. export PROJECT=my-first-kyma-project
export DNS_ZONE=myzone

Create a DNS-managed zone in your Google project. Run: gcloud dns –project=$PROJECT managed-zones create $DNS_ZONE
–description= –dns-name=$DNS_NAME

Delegate your domain to Google name servers.

Get the list of the name servers from the zone details.

This is a sample list: ns-cloud-b1.googledomains.com. ns-cloud-b2.googledomains.com. ns-cloud-b3.googledomains.com.
ns-cloud-b4.googledomains.com.

Set up your domain to use these name servers.

Note:
Be careful with this step, when you created the DNS-managed zone on GCP, it will give you the name servers then copy those name servers and if you are using freenom.com free domain then put these name servers there and wait for propagation. Basically, when the nameservers are changed, or DNS changes are made, you can expect a propagation time up to 24 hours. You can use https://dnschecker.org/ to check the domain propagation. Once your domain successfully propagates then move to further steps.

Check if everything is set up correctly and your domain is managed by Google name servers. Run:
host -t ns $DNS_NAME

Note:
A successful response returns the list of the name servers you fetched from GCP.

6- Get the TLS certificate

Create a folder for certificates. Run: mkdir letsencrypt Create a new service account and assign it to the dns.admin role. Run these commands: gcloud iam service-accounts create dnsmanager –display-name “dnsmanager”
–project “$PROJECT”

gcloud projects add-iam-policy-binding $PROJECT \
–member serviceAccount:dnsmanager@$PROJECT.iam.gserviceaccount.com –role roles/dns.admin

Generate an access key for this account in the letsencrypt folder. Run: gcloud iam service-accounts keys create ./letsencrypt/key.json
–iam-account dnsmanager@$PROJECT.iam.gserviceaccount.com

Run the Certbot Docker image with the letsencrypt folder mounted. Certbot uses the key to apply DNS challenge for the certificate request and stores the TLS certificates in that folder. Run:

As per Document:

docker run -it --name certbot --rm -v "$(pwd)/letsencrypt:/etc/letsencrypt"
certbot/dns-google certonly -m YOUR_EMAIL_HERE --agree-tos --no-eff-email 
--dns-google --dns-google-credentials /etc/letsencrypt/key.json 
--server https://acme-v02.api.letsencrypt.org/directory -d "*.$DOMAIN"

Note: Sometimes, the document’s docker command gives an error and not let you generate the key and TLS certificate, so for this you need to run below commands to successfully generate key
and TLS certificate. Remember to change your email address in the second command

docker run -it --name certbot --rm -v "$(pwd)/letsencrypt:/etc/letsencrypt" 
certbot/dns-google certonly --agree-tos --manual --preferred-challenges=dns 
-d $DOMAIN -d *.$DOMAIN

docker run -it --name certbot --rm -v "$(pwd)/letsencrypt:/etc/letsencrypt" 
certbot/dns-google certonly -m asad.rashid@example.com --agree-tos --no-eff-email 
--dns-google --dns-google-credentials /etc/letsencrypt/key.json 
--server https://acme-v02.api.letsencrypt.org/directory -d "*.$DOMAIN"

Export the certificate and key as environment variables. Run these commands:
As per Document:

export TLS_CERT=$(cat ./letsencrypt/live/$DOMAIN/fullchain.pem | base64 | sed 's/ /\\ /g')
export TLS_KEY=$(cat ./letsencrypt/live/$DOMAIN/privkey.pem | base64 | sed 's/ /\\ /g')

Note:
These commands shall not export TLS_CERT and TLS_KEY properly because of the sed command it will not delete all the spaces in the file.

For the resolution you need to run these commands:

export TLS_CERT=$(cat ./letsencrypt/live/$DOMAIN/fullchain.pem | base64)
export TLS_KEY=$(cat ./letsencrypt/live/$DOMAIN/privkey.pem | base64)

Then write the output to two separate files like this:

echo $TLS_CERT > tlscert.txt
echo $TLS_KEY > tlskey.txt

The purpose of doing this is to delete the spaces and after removing space there might be some hidden special characters in the files, you need to remove that too by using a text editor that has the capability to show hidden special characters. Just find and replace command this will done the job.

After doing the above work, again run the export command:

export TLS_CERT=$(cat tlscert.txt)
export TLS_KEY=$(cat tlskey.txt)

7- Prepare the installation configuration file

Export the release version as an environment variable. Run: As per Document:
export LATEST={KYMA_RELEASE_VERSION}

Example:
export LATEST=1.0.0

Download the kyma-config-cluster.yaml and kyma-installer-cluster.yaml files from the latest release. Run:

wget https://github.com/kyma-project/kyma/releases/download/$LATEST/kyma-config-cluster.yaml
wget https://github.com/kyma-project/kyma/releases/download/$LATEST/kyma-installer-cluster.yaml

Prepare the deployment file.
cat kyma-installer-cluster.yaml <(echo -e “\n—“) kyma-config-cluster.yaml | sed -e “s/__.*__//g” > my-kyma.yaml

cat kyma-installer-cluster.yaml <(echo -e “\n—“) kyma-config-cluster.yaml | sed -e “s/__PROMTAIL_CONFIG_NAME__/promtail-k8s-1-14.yaml/g” | sed -e “s/__DOMAIN__/$DOMAIN/g” | sed -e “s/__TLS_CERT__/$TLS_CERT/g” | sed -e “s/__TLS_KEY__/$TLS_KEY/g” | sed -e “s/__.*__//g” > my-kyma.yaml

The output of this operation is my_kyma.yaml file. Use it to deploy Kyma on your GKE cluster.

8- Using your own image

Checkout kyma-project and enter the root folder.
git clone https://github.com/kyma-project/kyma.git

Note:
Be careful while cloning, above URL is for release 1.0 and if you accidentally check out other releases like from the master branch then Kyma will not be installed on GKE.

Build an image that is based on the current Installer image and includes the current installation and resources charts. Run:
docker build -t kyma-installer:latest -f tools/kyma-installer/kyma.Dockerfile .

Push the image to your Docker Hub:
As per Document:

docker tag kyma-installer:latest {YOUR_DOCKER_LOGIN}/kyma-installer:latest
docker push {YOUR_DOCKER_LOGIN}/kyma-installer:latest

Note: Here, you might get an error while pushing the image to your docker hub, for the resolution
run below commands, Remember to change your docker login id and password

docker tag kyma-installer:latest /kyma-installer:latest
sudo docker login -u "" -p "" docker.io
sudo docker push /kyma-installer:latest