
Any device presenting exactly this onboard certificate (that is, proving possession of its private key) can self-register. The private key behind the certificate is therefore an enrollment credential for every device that shares it, and must be protected as one.

Code Block
languageyml
apiVersion: "eve.lfedge.org/v1beta1"
kind: OnboardCertificate
metadata:
  name: onboard-cert-25
  namespace: enterprise1
spec:
  certificate: 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 # base64 encoded


Onboard CA

Any device presenting a certificate signed by this CA can self-register, so whoever controls the CA's signing key controls admission for the whole namespace.

Code Block
languageyml
apiVersion: "eve.lfedge.org/v1beta1"
kind: OnboardCertificateAuthority
metadata:
  name: onboard-certificate-authority-13
  namespace: enterprise1
spec:
  certificate: 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 # base64 encoded



Device CA

Any device presenting a device certificate signed by this CA can self-register.

Code Block
languageyml
apiVersion: "eve.lfedge.org/v1beta1"
kind: DeviceCertificateAuthority
metadata:
  name: device-certificate-authority-16
  namespace: enterprise1
spec:
  certificate: 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 # base64 encoded
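The three rules above decide who may self-register, so the check that implements them is worth spelling out. The following Go program is an added example written for this page, not EVE's or any controller's code: it models the three CRDs as an in-memory policy (the Enrollment type, the Admit method and the constructed test PKI are all assumptions of the example), pins OnboardCertificate entries by certificate fingerprint, verifies CA-issued certificates with crypto/x509 against the OnboardCertificateAuthority and DeviceCertificateAuthority roots, and shows that a certificate with a copied subject but an unknown key, or an expired one, is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Enrollment is an assumed controller-side view of the three CRDs. OnboardCertificate
// entries are pinned by SHA-256 of their DER bytes, not by subject, so a copied subject fails.
type Enrollment struct {
	Pinned    map[string]bool // hex SHA-256 of each OnboardCertificate's DER
	OnboardCA *x509.CertPool  // roots from OnboardCertificateAuthority objects
	DeviceCA  *x509.CertPool  // roots from DeviceCertificateAuthority objects
}

func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// Admit returns the kind of the CRD whose rule accepts the certificate. Chain building,
// validity period and the clientAuth EKU come from x509.Verify; pinned certs are taken as-is.
func (e *Enrollment) Admit(presented *x509.Certificate, now time.Time) (string, error) {
	if e.Pinned[Fingerprint(presented)] {
		return "OnboardCertificate", nil
	}
	pools := []*x509.CertPool{e.OnboardCA, e.DeviceCA}
	kinds := []string{"OnboardCertificateAuthority", "DeviceCertificateAuthority"}
	for i, roots := range pools {
		if roots == nil { // a nil Roots would make Verify fall back to the system trust store
			continue
		}
		opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, err := presented.Verify(opts); err == nil {
			return kinds[i], nil
		}
	}
	return "", fmt.Errorf("%q: not pinned and not signed by a configured onboard or device CA", presented.Subject.CommonName)
}

func must[T any](v T, err error) T { // panics on error: fine for the test PKI below, not for a controller
	if err != nil {
		panic(err)
	}
	return v
}

func template(cn string, ca bool, now time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca { // CA certificates carry basic constraints and no EKU
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	}
	return t
}

// issue makes a fresh P-256 key and a certificate for it; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildDemo constructs a throwaway in-memory PKI (no real EVE certificates): one certificate
// per rule plus a rogue one that reuses the pinned certificate's subject under another key.
func BuildDemo(now time.Time) (*Enrollment, map[string]*x509.Certificate) {
	onboardCA, onboardKey := issue(template("onboard-ca", true, now), nil, nil)
	deviceCA, deviceKey := issue(template("device-ca", true, now), nil, nil)
	pinned, _ := issue(template("onboard-cert-25", false, now), nil, nil)
	rogue, _ := issue(template("onboard-cert-25", false, now), nil, nil)
	byOnboard, _ := issue(template("edge-node-01", false, now), onboardCA, onboardKey)
	byDevice, _ := issue(template("edge-node-02", false, now), deviceCA, deviceKey)
	e := &Enrollment{Pinned: map[string]bool{Fingerprint(pinned): true}, OnboardCA: x509.NewCertPool(), DeviceCA: x509.NewCertPool()}
	e.OnboardCA.AddCert(onboardCA)
	e.DeviceCA.AddCert(deviceCA)
	return e, map[string]*x509.Certificate{"pinned": pinned, "onboard-ca": byOnboard, "device-ca": byDevice, "rogue": rogue}
}

func main() {
	e, certs := BuildDemo(time.Now())
	for name, c := range certs {
		kind, err := e.Admit(c, time.Now())
		fmt.Printf("%-10s admitted-by=%q err=%v\n", name, kind, err)
	}
}
```

Two details matter in practice. A nil root pool is skipped rather than handed to Verify, because Go uses the system trust store when Roots is nil, which would admit any publicly trusted client certificate. And pinned certificates bypass expiry and chain checks entirely, so deleting or replacing the OnboardCertificate object is the only way to retire one.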


Networks

Node Network

Creating an EVE-style device network uses two CRDs: a NetworkConfig, which holds configuration that can be reused across devices, and a DeviceNetwork, which instantiates that configuration on the selected nodes.

Note that the NetworkConfig CRD (below) is similar in principle to the NetworkAttachmentDefinition CRD (k8s.cni.cncf.io) used by Multus.

Network configuration:

Code Block
languageyml
apiVersion: "eve.lfedge.org/v1beta1"
kind: NetworkConfig
metadata:
  name: default-ipv4
  namespace: enterprise1
spec:
  ip: dhcp
  proxies:
  - https://10.100.100.1:8888

Network instantiation:

Code Block
languageyml
apiVersion: "eve.lfedge.org/v1beta1"
kind: DeviceNetwork
metadata:
  name: default-ipv4
  namespace: enterprise1
spec:
  networkConfig: default-ipv4
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: name
            operator: In
            values:
            - lab1-nuc
            - lab2-nuc


Workload Network

We leverage the CNCF-standard annotation (k8s.v1.cni.cncf.io/networks, the same one Multus consumes) on the workload to indicate which networks the workload should be attached to. Every network named in the annotation must exist on the edge device the workload is scheduled to.

Code Block
languageyml
annotations:
  k8s.v1.cni.cncf.io/networks: default-ipv4,macvlan2 # must exist on edge device

Storage

The EVE semantics for storage are expressed as StorageClasses, one per kind of data source:

  • eve-blank: for a blank disk or mountpoint
  • eve-quay: from container image on quay.io
  • eve-docker: from container image on docker hub
  • etc.

Note that storage.k8s.io/v1 StorageClass is cluster-scoped, so it carries no namespace of its own; any Secret it refers to therefore has to be identified by namespace as well as name.

Code Block
languageyml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: eve-quay
provisioner: eve
parameters:
  type: container  # must be a supported type: container, http, ftp, etc.
  URL: https://quay.io
  credentialsSecret: quay-creds # Secret enterprise1/quay-creds



for blank:

Code Block
languageyml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: eve-blank
provisioner: eve
parameters:
  type: blank

Credential Secrets, if needed, are referenced from the StorageClass parameters (credentialsSecret in the eve-quay example above).

We define a Custom Resource for Image, and then use admission controllers to validate that the requested resources exist when deploying a Pod that references them.

Code Block
languageyml
apiVersion: "eve.lfedge.org/v1beta1"
kind: Image
metadata:
  name: golden-ubuntu-2004
  namespace: enterprise1
spec:
  ref: corp1/ubuntu:20.04
  storageClass: eve-quay  # must match the name of a StorageClass
  type: user  # free-form; a controller may define special values; eve-os is reserved


The Image name is then used as the dataSourceRef of a PersistentVolumeClaim. See below.

Golden filesystem image stored on an FTP site, mounted as a filesystem. Defined using the StorageClass eve-ftp.

Code Block
languageyml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: fsclaim
spec:
  accessModes:
    - ReadWriteOnce  # can be ReadWriteOnce, ReadOnlyMany, etc.
  volumeMode: Filesystem  # can be Filesystem or Block
  resources:
    requests:
      storage: 8Gi  # requested size
  storageClassName: eve-ftp
  dataSourceRef:
    apiGroup: eve.lfedge.org  # API group only; dataSourceRef does not carry a version
    kind: Image               # kinds are case-sensitive
    name: golden-ubuntu-2004


Golden VM image stored on an FTP site, mounted as a block device. Defined using the StorageClass eve-ftp.

Code Block
languageyml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ubuntuclaim
spec:
  accessModes:
    - ReadWriteOnce  # can be ReadWriteOnce, ReadOnlyMany, etc.
  volumeMode: Block  # can be Filesystem or Block
  resources:
    requests:
      storage: 8Gi  # requested size
  storageClassName: eve-ftp
  dataSourceRef:
    apiGroup: eve.lfedge.org
    kind: Image
    name: golden-ubuntu-2004

Blank disk volume.

Code Block
languageyml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: blankdisk
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem  # can be Filesystem or Block
  resources:
    requests:
      storage: 8Gi  # requested size
  storageClassName: eve-blank


Status

The state of an Application, as reported by the controller, is set in its status field (ApplicationStatus). For example:

Code Block
languageyml
apiVersion: eve.lfedge.org/v1beta1
kind: Application
metadata:
  name: app-ubuntu
  namespace: enterprise1
  annotations:
    k8s.v1.cni.cncf.io/networks: wlan-local,vpn-corp # must be known
spec:
  nodeSelector:  # reused because it is native to many resources
    name: edge-node-01
  # ...
status:
  key: value
  key: value

The ApplicationStatus field is similar to the Kubernetes PodStatus, albeit not identical. The fields are as follows.

...

The application states are those currently supported by the EVE API, e.g. BOOTING, RUNNING, STARTED.

Complete Example

Code Block
languageyml
apiVersion: eve.lfedge.org/v1beta1
kind: Application
metadata:
  name: app-ubuntu
  namespace: enterprise1
  annotations:
    k8s.v1.cni.cncf.io/networks: wlan-local,vpn-corp # must be known
spec:
  nodeSelector:  # reused because it is native to many resources
    name: edge-node-01
  containers:
    - name: frontend
      image: golden-ubuntu-2004  # must be an Image resource
      resources:
        requests:
          cpu: 1.0
          memory: 256M
          storage: 8G
      volumeMounts:
      - mountPath: "/var/www/html"
        name: pd  # must match a volume name under spec.volumes
      volumeDevices:
      - devicePath: "/dev/sda2"
        name: ubuntu
      - devicePath: "/dev/sda3"
        name: raw
  volumes:
    - name: pd
      persistentVolumeClaim:
        claimName: fsclaim
    - name: ubuntu
      persistentVolumeClaim:
        claimName: ubuntuclaim
    - name: raw
      ephemeral:
        volumeClaimTemplate:
          spec:
            accessModes:
              - ReadWriteOnce
            volumeMode: Block
            resources:
              requests:
                storage: 8Gi
            storageClassName: eve-blank  # a StorageClass name, not the blankdisk PVC
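The admission check described under Storage (validate that every referenced Image exists) and the network annotation described under Workload Network come down to the same question: does every name in the manifest resolve to an object that exists? The following Go code is an added example written for this page, not the project's webhook: it takes a stripped-down Application (the struct shapes and the Cluster inventory are assumptions of the example), parses the k8s.v1.cni.cncf.io/networks annotation in its comma-separated form, and reports every dangling reference at once. The sample manifest is the Complete Example with two mistakes introduced deliberately, a volumeMount that names a volume not declared under spec.volumes and an ephemeral volume whose storageClassName is a PVC name instead of a StorageClass, both of which a webhook should catch before the object is persisted.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed minimal shapes following the design doc's Application example, not a real CRD schema.
// Cluster is the webhook's cached inventory: namespaced kinds keyed "namespace/name", StorageClass by name.
type (
	Application struct {
		Namespace   string
		Annotations map[string]string
		Containers  []Container
		Volumes     []Volume
	}
	Container struct {
		Image         string   // name of an eve.lfedge.org Image in the same namespace
		VolumeMounts  []string // volume names used by mountPath entries
		VolumeDevices []string // volume names used by devicePath entries
	}
	Volume struct {
		Name         string
		StorageClass string // ephemeral.volumeClaimTemplate.spec.storageClassName, or ""
	}
	Cluster struct {
		Images, Networks, StorageClasses map[string]bool
	}
)

const networksAnnotation = "k8s.v1.cni.cncf.io/networks"

// parseNetworks handles the annotation's comma-separated form, each entry [<namespace>/]<name>[@<interface>].
func parseNetworks(value, defaultNS string) []string {
	var out []string
	for _, entry := range strings.Split(value, ",") {
		entry = strings.TrimSpace(entry)
		if i := strings.IndexByte(entry, '@'); i >= 0 {
			entry = entry[:i] // the interface name is irrelevant to whether the network exists
		}
		if !strings.Contains(entry, "/") {
			entry = defaultNS + "/" + entry
		}
		out = append(out, entry)
	}
	return out
}

// Validate returns every reason the Application must be rejected, all at once; nil means admit.
func Validate(app Application, c Cluster) []string {
	var errs []string
	for _, n := range parseNetworks(app.Annotations[networksAnnotation], app.Namespace) {
		if !c.Networks[n] {
			errs = append(errs, fmt.Sprintf("%s: network %q does not exist", networksAnnotation, n))
		}
	}
	declared := map[string]bool{}
	for _, v := range app.Volumes {
		declared[v.Name] = true
		if v.StorageClass != "" && !c.StorageClasses[v.StorageClass] {
			errs = append(errs, fmt.Sprintf("volume %q: StorageClass %q does not exist (a PVC name is not a StorageClass)", v.Name, v.StorageClass))
		}
	}
	for i, ct := range app.Containers {
		if !c.Images[app.Namespace+"/"+ct.Image] {
			errs = append(errs, fmt.Sprintf("containers[%d]: Image %q not found in namespace %s", i, ct.Image, app.Namespace))
		}
		for _, refs := range [][]string{ct.VolumeMounts, ct.VolumeDevices} {
			for _, ref := range refs {
				if !declared[ref] {
					errs = append(errs, fmt.Sprintf("containers[%d]: volume %q is used but not declared in spec.volumes", i, ref))
				}
			}
		}
	}
	return errs
}

// Demo returns the doc's Complete Example with two mistakes introduced on purpose (the mount
// names "mypd" while the volume is "pd", and the ephemeral volume names the PVC "blankdisk"
// where the StorageClass "eve-blank" belongs) together with a constructed inventory.
func Demo() (Application, Cluster) {
	app := Application{
		Namespace:   "enterprise1",
		Annotations: map[string]string{networksAnnotation: "wlan-local,vpn-corp"},
		Containers:  []Container{{Image: "golden-ubuntu-2004", VolumeMounts: []string{"mypd"}, VolumeDevices: []string{"ubuntu", "raw"}}},
		Volumes:     []Volume{{Name: "pd"}, {Name: "ubuntu"}, {Name: "raw", StorageClass: "blankdisk"}},
	}
	cluster := Cluster{
		Images:         map[string]bool{"enterprise1/golden-ubuntu-2004": true},
		Networks:       map[string]bool{"enterprise1/wlan-local": true, "enterprise1/vpn-corp": true},
		StorageClasses: map[string]bool{"eve-blank": true, "eve-quay": true, "eve-ftp": true},
	}
	return app, cluster
}

func main() {
	for _, finding := range Validate(Demo()) {
		fmt.Println("reject:", finding)
	}
}
```

Wired into a ValidatingWebhookConfiguration, Validate would run on CREATE and UPDATE of Application objects and return the joined findings as the admission response message. The JSON list form of the networks annotation, which the CNCF multi-network spec also allows, would need a second parser branch; the comma-separated form shown here is the one the page uses.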

Scheduling

We define higher-level scheduling constraints, specifically ApplicationDeployment, ApplicationDaemonSet, ApplicationStatefulSet. These are optional; a controller MAY implement them, but is not required to do so.
