Using Servlet without KDP
It is possible to run the servlet component without running a fully fleged KDP installation. All that is necessary is a running kcp installation.
Prerequisites
- A running kcp installation.
- A kubeconfig with admin or comparable permissions in a specific kcp workspace.
APIExport Setup
Before installing the Servlet it is necessary to create an APIExport
on kcp. This is automatically generated by KDP if you create a Service
object.
The APIExport
should be empty, because it is updated later by the Servlet. An example file could look like this:
apiVersion: apis.kcp.io/v1alpha1
kind: APIExport
metadata:
name: test.kubermatic.io
spec: {}
Create a file with a similar content (you most likely want to change the name, as that is the API group under which your published resources will be made available) and create it in a kcp workspace of your choice:
$ kubectl create -f ./apiexport.yaml
apiexport/test.kubermatic.io created
Servlet Installation
The Servlet can be installed into any namespace, but in our example we are going with kdp-system
.
Now that the APIExport
is created, switch to the Kubernetes cluster from which you wish to publish resources. You will need to ensure that a kubeconfig with access to the workspace that the APIExport
has been created is stored as a Secret
on this cluster. Make sure that the kubeconfig points to the right workspace (not necessarily the root
workspace).
This can be done via a command like this:
$ kubectl create secret generic kcp-kubeconfig -n kdp-system --from-file=kubeconfig=admin.kubeconfig
The next step is preparing a values.yaml
file for the Servlet Helm chart. We need to pass the target APIExport
, a name for the Servlet itself and a reference to the kubeconfig secret we just created.
servlet:
# Required: the name of the APIExport in the KDP Platform that this Servlet
# is supposed to serve.
apiExportName: "test.kubermatic.io"
# Required: this Servlet's public name, will be shown in the KDP Platform,
# purely for informational purposes.
servletName: "unique-test"
# Required: Name of the Kubernetes Secret that contains a "kubeconfig" key,
# with the kubeconfig provided by the KDP Platform to access it.
platformKubeconfig: "kcp-kubeconfig"
# Create additional RBAC on the service cluster.
rbac:
createClusterRole: true
rules:
# in order to create APIResourceSchemas
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
# so copies of remote objects can be placed in their target namespaces
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- create
In addition, it is important to create RBAC rules for the resources you want to publish. If you want to publish the Certificate
resource as created by cert-manager, you will need to append the following ruleset:
# so we can manage certificates
- apiGroups:
- cert-manager.io
resources:
- certificates
verbs:
- '*'
Once this values.yaml
file is prepared, install a recent development build of the Servlet:
helm install servlet oci://quay.io/kubermatic/helm-charts/kdp-servlet --version 9.9.9-9fc9a430d95f95f4b2210f91ef67b3ec153b5cab -f values.yaml -n kdp-system
Two servlet
Pods should start in the kdp-system
namespace. If they crash you will need to identify the reason from container logs. A possible issue is that the provided kubeconfig does not have permissions against the target kcp workspace.
Publish Resources
Once the Servlet Pods are up and running, you should be able to follow Publishing Resources. Be aware that the remaining KDP documentation assumes you are working on a KDP installation, and as such might show you screenshots of the KDP dashboard. Such a UI to manage resources does not exist if you use the servlet without, and you will need to create objects from the command line directly.
Consume Service
Once resources have been published through the Servlet, they can be consumed on the kcp side (i.e. objects on kcp will be synced back and forth with the service cluster). Follow the manual steps to consume services.