Naiserator is a Kubernetes operator that handles the lifecycle of the CustomResource called `nais.io/Application`.
The main goal of Naiserator is to simplify application deployment by providing a high-level abstraction tailored for the NAIS-platform.
Naiserator supersedes naisd.
When an `Application` resource is created in Kubernetes (see example application), Naiserator will generate several resources that work together to form a complete deployment:

- `Deployment` that runs a specified number of application instances,
- `Service` which points to the application endpoint,
- `Ingress` adding TLS termination and virtualhost support,
- `Horizontal pod autoscaler` for automatic application scaling,
- `Service account` for granting correct permissions to managed resources.

These resources will remain in Kubernetes until the `Application` resource is deleted.
| Parameter | Description | Default | Required |
|---|---|---|---|
| `metadata.name` | Name of the application | | x |
| `metadata.namespace` | Which namespace the application will be deployed to | | x |
| `metadata.labels.team` | mailnick/tag | | x |
| `spec.image` | Docker image location, including version | | x |
| `spec.port` | The HTTP port exposed by the container | | x |
| `spec.strategy.type` | Specifies the strategy used to replace old Pods by new ones | RollingUpdate | |
| `spec.liveness.path` | Path of the liveness probe | | x |
| `spec.liveness.port` | Port for probe | spec.port | |
| `spec.liveness.initialDelay` | Number of seconds after the container has started before liveness probes are initiated | 20 | |
| `spec.liveness.timeout` | Number of seconds after which the probe times out | 1 | |
| `spec.liveness.periodSeconds` | How often (in seconds) to perform the probe | 10 | |
| `spec.liveness.failureThreshold` | When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the Pod. In case of readiness probe the Pod will be marked Unready | 3 | |
| `spec.readiness.path` | Path of the readiness probe | | x |
| `spec.readiness.port` | Port for probe | spec.port | |
| `spec.readiness.initialDelay` | Number of seconds after the container has started before readiness probes are initiated | 20 | |
| `spec.readiness.timeout` | Number of seconds after which the probe times out | 1 | |
| `spec.replicas.min` | Minimum number of replicas | 2 | |
| `spec.replicas.max` | Maximum number of replicas | 4 | |
| `spec.cpuThresholdPercentage` | Total CPU percentage threshold on deployment, at which point it will increase number of pods if current < max. See container lifecycle hooks documentation | | |
| `spec.prometheus.enabled` | If true, the pod will be scraped for metrics by Prometheus | false | |
| `spec.prometheus.path` | Path to Prometheus metrics | /metrics | |
| `spec.resources` | See compute resources guide | | |
| `spec.resources.limits.cpu` | App will have its CPU usage throttled if exceeding this limit | 500m | |
| `spec.resources.limits.memory` | App will be killed if exceeding this limit | 512Mi | |
| `spec.resources.requests` | App is guaranteed the requested resources and will be scheduled on nodes with at least this amount of resources available | | |
| `spec.resources.requests.cpu` | Guaranteed amount of CPU | 200m | |
| `spec.resources.requests.memory` | Guaranteed amount of memory | 256Mi | |
| `spec.ingresses` | List of ingress URLs that will route HTTP traffic to the application | | |
| `spec.secrets` | DEPRECATED. Synonym for `spec.vault.enabled`. Please use the new syntax. | false | |
| `spec.vault.enabled` | If set to true, fetch secrets from Vault and inject them into the pods | false | |
| `spec.vault.sidecar` | If set to true, will extend the tokens' time to live | false | |
| `spec.vault.paths` | Overriding the paths array is optional, and gives you fine-grained control over which Vault paths will be mounted on the file system. | | |
| `spec.vault.paths.[].kvPath` | Path to Vault key/value store that should be mounted into the file system | /kv/environment/zone/application/namespace | |
| `spec.vault.paths.[].mountPath` | File system path that the secrets will be mounted into | /var/run/secrets/nais.io/vault | |
| `spec.configMaps.files` | List of ConfigMap resources that will have their contents mounted into the container as files. Files appear as `/var/run/configmaps/<name>/<key>`. | | |
| `spec.env` | List of name and value pairs that will become environment variables in the container | | |
| `spec.preStopHookPath` | An HTTP GET will be issued to this endpoint at least once before the pod is terminated | /stop | |
| `spec.leaderElection` | If true, an HTTP endpoint will be available at `$ELECTOR_PATH` that returns the current leader | false | |
| `spec.webproxy` | Expose web proxy configuration to the application using the `$HTTP_PROXY`, `$HTTPS_PROXY` and `$NO_PROXY` environment variables | false | |
| `spec.logformat` | Format of the logs from the container, if not in plain text or JSON | accesslog | |
| `spec.logtransform` | The transformation of the logs, if they should be handled differently than plain text or JSON | dns_loglevel | |
| `spec.secureLogs.enabled` | If true, mount a volume for secure logs in the pod | false | |
| `spec.service.port` | Port for the default service | 80 | |
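As an added example (not Naiserator's own code), the following Go program models a subset of the `spec` fields from the table above, applies two of the table's defaults (probe port falling back to `spec.port`, `initialDelay` of 20 seconds) and rejects a manifest that lacks a parameter marked required. The `Probe`, `Spec`, `ApplyDefaults` and `Validate` names are assumptions made for this example, as is the sample spec in `main`.

```go
package main

import "fmt"

// Probe models spec.liveness and spec.readiness (hypothetical struct mirroring the table above).
type Probe struct {
	Path         string `json:"path"`
	Port         int    `json:"port,omitempty"`
	InitialDelay int    `json:"initialDelay,omitempty"`
}
// Spec models the subset of nais.io/Application fields this example handles.
type Spec struct {
	Image     string `json:"image"`
	Port      int    `json:"port"`
	Liveness  Probe  `json:"liveness"`
	Readiness Probe  `json:"readiness"`
}

// ApplyDefaults fills zero-valued probe fields with the defaults from the table.
func ApplyDefaults(s *Spec) {
	for _, p := range []*Probe{&s.Liveness, &s.Readiness} {
		if p.Port == 0 {
			p.Port = s.Port // probe port defaults to spec.port
		}
		if p.InitialDelay == 0 {
			p.InitialDelay = 20 // seconds before the first probe
		}
	}
}

// Validate rejects a spec that lacks a parameter marked required in the table.
func Validate(s Spec) error {
	switch {
	case s.Image == "":
		return fmt.Errorf("spec.image is required")
	case s.Port == 0:
		return fmt.Errorf("spec.port is required")
	case s.Liveness.Path == "":
		return fmt.Errorf("spec.liveness.path is required")
	case s.Readiness.Path == "":
		return fmt.Errorf("spec.readiness.path is required")
	}
	return nil
}

func main() {
	s := Spec{Image: "navikt/myapp:69", Port: 8080, Liveness: Probe{Path: "/isalive"}} // constructed sample
	ApplyDefaults(&s)
	fmt.Println(s.Liveness.Port, Validate(s)) // 8080, then "spec.readiness.path is required"
}
```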
In the `examples` directory you can see a typical `nais.yaml` file.
These environment variables will be injected into your application container:

| Variable | Example | Source |
|---|---|---|
| `NAIS_APP_NAME` | myapp | `metadata.name` from nais.yaml |
| `NAIS_NAMESPACE` | default | `metadata.namespace` from nais.yaml |
| `NAIS_APP_IMAGE` | navikt/myapp:69 | `spec.image` from nais.yaml |
| `NAIS_CLUSTER_NAME` | prod-fss | Naiserator runtime context |
In order to switch from naisd to Naiserator, you need to complete a few migration tasks. See migration from naisd to naiserator for a detailed explanation of the steps involved.
- Kubernetes v1.11.0 or later
- The Go programming language, version 1.11 or later
- goimports
- Docker Desktop or other Docker release compatible with Kubernetes
- Kubernetes, either through minikube or a local cluster
You can deploy the most recent release of Naiserator by applying it to your cluster:

```shell
kubectl apply -f hack/resources/
```
Go modules are used for dependency tracking. Make sure you `export GO111MODULE=on` before running any Go commands. It is no longer needed to have the project checked out in your `$GOPATH`.
```shell
# Register the Application CRD, create the example Application, then run Naiserator locally
kubectl apply -f pkg/apis/naiserator/v1alpha1/application.yaml
kubectl apply -f examples/app.yaml
make local
```
In order to use the Kubernetes Go library, we need to use classes that work together with the interfaces in that library. Those classes are mostly boilerplate code, and to ensure healthy and happy developers, we use code generators for that.
When the CRD changes, or additional Kubernetes resources need to be generated, you have to run code generation:
```shell
make codegen-crd
make codegen-updater
git add -A
git commit -a -m "Update boilerplate k8s API code"
```