diff --git a/tinkerbell/stack/README.md b/tinkerbell/stack/README.md index 75947770..ac9e815f 100644 --- a/tinkerbell/stack/README.md +++ b/tinkerbell/stack/README.md @@ -23,11 +23,11 @@ This chart boootraps a full Tinkerbell stack on a Kubernetes cluster using the H - Reverse proxy server - DHCP relay agent -This chart also installs a load balancer ([kube-vip](https://kube-vip.io/)) in order to be able to provide a service type loadBalancer IP for the Tinkerbell stack services and an Nginx server for handling proxying to the Tinkerbell service and for serving the Hook artifacts. +This chart also installs a load balancer ([kube-vip](https://kube-vip.io/)) in order to be able to provide a service type loadBalancer IP for the Nginx server that handles proxying to all the Tinkerbell services and for serving the Hook artifacts. This kube-vip load balancer is the default but can be disabled if another load balancer is preferred. ## Design details -The stack chart does not use an ingress object and controller. This is because most ingress controllers do not support UDP. Smee uses UDP for DHCP, TFTP, and Syslog services. The ingress controllers that do support UDP require a lot of extra configuration, custom resources, etc. The stack chart deploys a very light weight Nginx deployment with a straightforward configuration that accommodates all the Tinkerbell stack services and serving Hook artifacts. +The stack chart does not use an ingress object and controller. This is because most ingress controllers do not support multi-protocol (UDP, TCP, and gRPC in the Tinkerbell case). Smee uses UDP for DHCP, TFTP, and Syslog services. The ingress controllers that do support UDP require a lot of extra configuration, custom resources, etc. The Tinkerbell stack (Hegel and Smee) also needs the source IP or X-ForwardFor enabled to provide the appropriate data to clients. This is not generally available in an ingress controller. As such, the stack chart deploys a very light weight Nginx deployment with a straightforward configuration that accommodates all the Tinkerbell stack services and serving Hook artifacts. As [Gateway API](https://gateway-api.sigs.k8s.io/) (and the implementations of it) matures there is hope that it will be possible to use it to deploy the Tinkerbell stack instead. ## Prerequisites @@ -37,7 +37,7 @@ The stack chart does not use an ingress object and controller. This is because m ## Installing the Chart -Before installing the chart you'll want to customize the IP used for the load balancer (`global.publicIP`). This IP provides ingress for Hegel, Tink, and Smee (TFTP, HTTP, and SYSLOG endpoints as well as unicast DHCP requests). +Before installing the chart you'll want to customize the IP used for the load balancer (`global.publicIP`). This IP provides ingress for Hegel, Tink, and Smee (TFTP, HTTP, and SYSLOG endpoints as well as unicast DHCP requests). You'll also need to provide the trusted proxies for the Tinkerbell services. The trusted proxies are the IP addresses of the nodes in the cluster. The trusted proxies are used to set the `X-Forwarded-For` header in the Nginx configuration. This is necessary for the Tinkerbell services to get the correct client IP address. The `kubectl.go-template` file is provided to get the IP addresses of the nodes in the cluster. `kubectl get nodes -o go-template-file=stack/kubectl.go-template` Now, deploy the chart. @@ -130,3 +130,15 @@ hegel: | Name | Description | Value | | ---- | ----------- | ----- | | `smee.hostNetwork` | Whether to deploy Smee using `hostNetwork` on the pod spec. When `true` Smee will be able to receive DHCP broadcast messages. If `false`, Smee will be behind the load balancer VIP and will need to receive DHCP requests via unicast. | `true` | + +### JSON Schema + +Helm has the ability to validate a `values.yaml` file via a JSON schema (`values.schema.json`). See the [Helm documentation](https://helm.sh/docs/topics/charts/#schema-files) for more details. Each chart in the Tinkerbell stack has a very basic schema file that is used to validate either RBAC and/or trusted proxies. Each schema file is located next to the `values.yaml` file for each respective chart. + +### RBAC + +All Tinkerbell services need RBAC permissions to run in a Kubernetes cluster. There are two options for the type of RBAC that can be used. `Role` or `ClusterRole`. Each chart has its own way to toggle between the two. Most of them are located in their `values.yaml` file under `rbac.type`. There is also a global value in the Stack chart that can be used to set the RBAC type for all services. The global value is `global.rbac.type`. The default for all services and for the global value is `Role`. + +### Persistence + +The only persistence needed for the Tinkerbell stack is if you are downloading HookOS. By default HookOS is downloaded and stored in a local Persistent Volume. If you're cluster has a different storage class you want ot use, can override the default persistent volume claim by setting the `stack.hook.persistence.existingClaim` value.