Using Tigera Secure EE

Tigera Secure EE is a software-defined network solution that can be used with Kubernetes. For those familiar with Calico, Tigera Secure EE is essentially Calico with enterprise features on top.

Support for Tigera Secure EE in CDK is provided in the form of a tigera-secure-ee subordinate charm, which can be used instead of flannel or calico.

Deploying CDK with Tigera Secure EE

Before you start, you will need:

  • Tigera Secure EE licence key
  • Tigera private Docker registry credentials (provided as a Docker config.json)

Note: Tigera Secure EE's network traffic, much like Calico's, is filtered on many clouds. It will work on MAAS, and can work on AWS if you manually configure instances to disable source/destination checking.

To start, deploy CDK with Tigera Secure EE:

juju deploy cs:~containers/kubernetes-tigera-secure-ee

Configure the tigera-secure-ee charm with your licence key and registry credentials:

# The charm expects both values as single-line base64 (-w0 disables wrapping).
juju config tigera-secure-ee \
  license-key=$(base64 -w0 license.yaml) \
  registry-credentials=$(base64 -w0 config.json)

Wait for the deployment to settle before continuing on.

Using the built-in elasticsearch-operator

Caution: The built-in elasticsearch-operator is only recommended for testing or demonstrative purposes. For production deployments, please skip down to the next section.

For testing and quick start purposes, the tigera-secure-ee charm deploys elasticsearch-operator into your Kubernetes cluster by default. For it to properly work, you will need to create a StorageClass.

The easiest way to do this is with the hostpath provisioner. Create a file named elasticsearch-storage.yaml containing the following:

# This manifest implements elasticsearch-storage using local host-path volumes.
# It is not suitable for production use, and only works on single-node clusters.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: elasticsearch-storage
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: kubernetes.io/host-path

---

apiVersion: v1
kind: PersistentVolume
metadata:
  name: tigera-elasticsearch-1
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /var/tigera/elastic-data/1
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: elasticsearch-storage

---

apiVersion: v1
kind: PersistentVolume
metadata:
  name: tigera-elasticsearch-2
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /var/tigera/elastic-data/2
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: elasticsearch-storage

Apply elasticsearch-storage.yaml:

kubectl apply -f elasticsearch-storage.yaml

Once you have a StorageClass available, delete the existing PVC and pods so Kubernetes will recreate them using the new StorageClass:

kubectl delete pvc -n calico-monitoring es-data-es-data-tigera-elasticsearch-default-0
kubectl delete pvc -n calico-monitoring es-data-es-master-tigera-elasticsearch-default-0
kubectl delete po -n calico-monitoring es-data-tigera-elasticsearch-default-0
kubectl delete po -n calico-monitoring es-master-tigera-elasticsearch-default-0

For a more robust storage solution, consider deploying Ceph with CDK, as documented in the Storage section. This will create a default StorageClass that elasticsearch-operator will use automatically.

Using your own ElasticSearch

Disable the built-in elasticsearch operator:

juju config tigera-secure-ee enable-elasticsearch-operator=false

Then follow this guide from Tigera: Using your own ElasticSearch for logs

Accessing cnx-manager

The cnx-manager service is exposed as a NodePort on port 30003. Run the following command to open port 30003 on the workers:

juju run --application kubernetes-worker open-port 30003

Then connect to https://<kubernetes-worker-ip>:30003 in your web browser. Use the Kubernetes admin credentials to log in (you can find these in the kubeconfig file created on kubernetes-master units at /home/ubuntu/config).

Accessing kibana

The kibana service is exposed as a NodePort on port 30601. Run the following command to open port 30601 on the workers:

juju run --application kubernetes-worker open-port 30601

Caution: Do not open this port if your kubernetes-worker units are exposed on a network you do not trust. Kibana does not require credentials to use.

Then connect to http://<kubernetes-worker-ip>:30601 in your web browser.

Using a private Docker registry

For a general introduction to using a private Docker registry with CDK, please refer to the Private Docker Registry page.

In addition to the steps documented there, you will need to upload the following images to the registry:

docker.elastic.co/elasticsearch/elasticsearch-oss:6.4.3
docker.elastic.co/kibana/kibana-oss:6.4.3
quay.io/tigera/calicoctl:v2.3.0
quay.io/tigera/calicoq:v2.3.0
quay.io/tigera/cnx-apiserver:v2.3.0
quay.io/tigera/cnx-manager:v2.3.0
quay.io/tigera/cnx-manager-proxy:v2.3.0
quay.io/tigera/cnx-node:v2.3.0
quay.io/tigera/cnx-queryserver:v2.3.0
quay.io/tigera/es-proxy:v2.3.0
quay.io/tigera/fluentd:v2.3.0
quay.io/tigera/kube-controllers:v2.3.0
quay.io/tigera/cloud-controllers:v2.3.0
quay.io/tigera/typha:v2.3.0
quay.io/tigera/intrusion-detection-job-installer:v2.3.0
quay.io/tigera/es-curator:v2.3.0
quay.io/coreos/configmap-reload:v0.0.1
quay.io/coreos/prometheus-config-reloader:v0.0.3
quay.io/coreos/prometheus-operator:v0.18.1
quay.io/prometheus/alertmanager:v0.14.0
quay.io/prometheus/prometheus:v2.2.1
docker.io/upmcenterprises/elasticsearch-operator:0.2.0
docker.io/busybox:latest
docker.io/alpine:3.7

And configure Tigera Secure EE to use the registry with this shell script:

# Discover the private registry's address and port from Juju, then point
# the tigera-secure-ee charm at it.
export IP=$(juju run --unit docker-registry/0 'network-get website --ingress-address')
export PORT=$(juju config docker-registry registry-port)
export REGISTRY="$IP:$PORT"
juju config tigera-secure-ee registry="$REGISTRY"
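A script that mirrors the image list above into the private registry and records the digests of what was pushed, as an added example rather than code from the CDK docs or the charm. It assumes (not stated on the page) that the charm expects each image under the private registry with its original repository path and the source host stripped, e.g. quay.io/tigera/cnx-node becomes $REGISTRY/tigera/cnx-node; IMAGES below is a constructed subset of the list.

```shell
# Constructed subset of the image list on this page; extend with the full list.
IMAGES="quay.io/tigera/cnx-node:v2.3.0
quay.io/coreos/prometheus-operator:v0.18.1
docker.elastic.co/elasticsearch/elasticsearch-oss:6.4.3
docker.io/busybox:latest"

# mirror_target SRC REGISTRY: print the name the image gets in the private
# registry. Assumption: the original repository path is kept under the
# private host and the source host (quay.io, docker.io, ...) is dropped.
mirror_target() {
  src=$1
  registry=$2
  case $src in
    */*) path=${src#*/} ;;   # drop the leading host component
    *)   path=$src ;;        # bare name: nothing to strip
  esac
  printf '%s/%s\n' "$registry" "$path"
}

# mirror_images REGISTRY: pull each image, retag it for the private registry,
# push it, and print every registry digest the image now carries so the
# transfer can be audited later. Needs docker and network access.
mirror_images() {
  registry=$1
  echo "$IMAGES" | while IFS= read -r src; do
    [ -n "$src" ] || continue
    dst=$(mirror_target "$src" "$registry")
    docker pull "$src" || return 1
    docker tag "$src" "$dst" || return 1
    docker push "$dst" || return 1
    printf '%s -> %s\n' "$src" "$dst"
    docker image inspect --format '{{join .RepoDigests "\n"}}' "$dst"
  done
}
```

Run it as mirror_images "$REGISTRY" after REGISTRY has been set by the script above.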