Providers Authentication

Providers such as AWS require authentication to manage external resources. For each provider integrated into the SkyCluster Manager, a separate configuration must be created. All configurations are stored in the fixed skycluster-system namespace.

AWS Cloud

In the AWS Console, navigate to Identity and Access Management (IAM) and create a new user. Ensure the user has the following permission policy: AmazonEC2FullAccess. Next, in the Security Credentials section, generate an access key. After obtaining the Access Key ID and Secret Access Key, export them as environment variables and run the configuration script:

export AWS_ACCESS_KEY_ID=abcd....xwyz # replace with your ID
export AWS_SECRET_ACCESS_KEY=abcd....xwyz # replace with your Key

Then execute the command below to configure the AWS provider:

curl -s https://skycluster.io/configs/aws-cfg.sh | bash

Alternatively, you can copy the script below and run it:

aws-setup.sh

#!/bin/bash

# Create the content of the credentials in a variable
creds_content="[default]
aws_access_key_id = $AWS_ACCESS_KEY_ID
aws_secret_access_key = $AWS_SECRET_ACCESS_KEY"

# Echo the content and pipe it to base64 for encoding
creds_enc=$(echo "$creds_content" | base64 -w0)

cat <<EOF | kubectl apply -f -
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: provider-cfg-aws
  labels:
    skycluster.io/managed-by: skycluster
spec:
  credentials:
    source: Secret
    secretRef:
      name: secret-aws
      namespace: skycluster-system
      key: configs
---
apiVersion: v1
kind: Secret
metadata:
  name: secret-aws
  namespace: skycluster-system
  labels:
    skycluster.io/managed-by: skycluster
    skycluster.io/provider-platform: aws
    skycluster.io/secret-role: configs
type: Opaque
data:
  configs: $creds_enc
---
apiVersion: v1
kind: Secret
metadata:
  name: credentials-aws
  namespace: skycluster-system
  labels:
    skycluster.io/managed-by: skycluster
    skycluster.io/provider-platform: aws
    skycluster.io/secret-role: credentials
type: Opaque
stringData:
  aws_access_key_id: $AWS_ACCESS_KEY_ID
  aws_secret_access_key: $AWS_SECRET_ACCESS_KEY
---
EOF

GCP Cloud

Create a new project in Google Cloud and enable the following APIs:

  • Cloud Billing API

  • Kubernetes Engine API

  • Compute Engine API

Add a service account, generate a service account key file in JSON format, and download the file. Then:

# Use absolute path to the service account key file
export GCP_SVC_ACC_PATH=/home/ubuntu/my-gcp-svc-acc.json
export PROJECT_ID=my-gcp-project-id

Then execute the command below to configure the GCP provider:

curl -s https://skycluster.io/configs/gcp-cfg.sh | bash

Alternatively, you can run the following script:

gcp-setup.sh

#!/bin/bash

BASE64_ENCODED_GCP_SVC_ACC=$(cat "$GCP_SVC_ACC_PATH" | base64 -w0)

if [[ -z "$BASE64_ENCODED_GCP_SVC_ACC" ]]; then
  echo "Failed to encode GCP service account file."
  exit 1
fi

# Apply the provider configuration
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: secret-gcp
  namespace: skycluster-system
type: Opaque
data:
  configs: ${BASE64_ENCODED_GCP_SVC_ACC}
---
apiVersion: gcp.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: provider-cfg-gcp
  labels:
    skycluster.io/managed-by: skycluster
spec:
  projectID: ${PROJECT_ID}
  credentials:
    source: Secret
    secretRef:
      namespace: skycluster-system
      name: secret-gcp
      key: configs
EOF

Azure Cloud

Create a subscription and note your Subscription ID. Next, you will need to create a service principal and an authentication file. The easiest way to do this is through Cloud Shell in the Azure portal. Open the Azure portal and run the following command in Cloud Shell to create the service principal:

export SUBS_ID=<subsc-id>
az ad sp create-for-rbac --name skycluster-setup  \
  --role Owner --sdk-auth \
  --scopes /subscriptions/${SUBS_ID} > azure_config.json

Download the azure_config.json file and export its path as an environment variable:

export AZURE_CONFIG_PATH=/home/ubuntu/azure_config.json

Then execute the command below to configure the Azure provider:

curl -s https://skycluster.io/configs/azure-cfg.sh | bash

Alternatively, you can run the following script:

azure-setup.sh

#!/bin/bash

# Base64-encode the service principal file (path quoted so spaces are safe)
cont_enc=$(cat "$AZURE_CONFIG_PATH" | base64 -w0)

cat <<EOF | kubectl apply -f -
apiVersion: azure.upbound.io/v1beta1
metadata:
  name: provider-cfg-azure
  labels:
    skycluster.io/managed-by: skycluster
kind: ProviderConfig
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: skycluster-system
      name: secret-azure
      key: configs
---
apiVersion: v1
kind: Secret
metadata:
  name: secret-azure
  namespace: skycluster-system
type: Opaque
data:
  configs: $cont_enc
EOF

OpenStack

If you have on-premises infrastructure managed by OpenStack, you can follow the steps below:

export AUTH_URL="url"
export USERNAME="username"
export PASSWORD="pass"
export TENANT_NAME="project-name"
export REGION="region"
export USER_DOMAIN_NAME="Default"
export PROJECT_DOMAIN_NAME="Default"

Then execute the command below to configure your OpenStack provider:

curl -s https://skycluster.io/configs/openstack-cfg.sh | bash

Alternatively, you can run the following script:

openstack-setup.sh

#!/bin/bash

# Resource names must be lowercase, so derive a lowercase region name
REGION_LOWER=$(echo "$REGION" | tr '[:upper:]' '[:lower:]')

cat <<EOF | kubectl apply -f -
apiVersion: openstack.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: provider-cfg-os-${REGION_LOWER}
  labels:
    skycluster.io/managed-by: skycluster
    skycluster.io/provider-platform: openstack
    skycluster.io/provider-region: ${REGION_LOWER}
spec:
  credentials:
    source: Secret
    secretRef:
      name: secret-os-${REGION_LOWER}
      namespace: skycluster-system
      key: configs
---
apiVersion: v1
kind: Secret
metadata:
  name: secret-os-${REGION_LOWER}
  namespace: skycluster-system
type: Opaque
stringData:
  configs: |
    {
      "auth_url": "$AUTH_URL",
      "region": "$REGION",
      "user_name": "$USERNAME",
      "password": "$PASSWORD",
      "tenant_name": "$TENANT_NAME",
      "project_domain_name": "$PROJECT_DOMAIN_NAME",
      "user_domain_name": "$USER_DOMAIN_NAME",
      "insecure": "false"
    }
EOF

Repeat the steps for each additional OpenStack provider you want to configure.
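
The script above places $PASSWORD and the other variables directly inside a JSON document in a heredoc, so a value containing a double quote or backslash yields invalid JSON. The following is an added example, not part of the SkyCluster scripts (function names are hypothetical): it escapes each value and stores the JSON base64-encoded under data, as the AWS, GCP and Azure scripts do.

```bash
#!/bin/bash
# Added example, not part of the SkyCluster scripts; function names are hypothetical.

# Escape a value for a JSON string; refuse control characters outright.
json_escape() {
  [ "$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')" = "$1" ] || return 1
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the provider JSON from the variables exported on this page.
openstack_configs_json() {
  _json='{'
  for _pair in "auth_url=$AUTH_URL" "region=$REGION" "user_name=$USERNAME" \
      "password=$PASSWORD" "tenant_name=$TENANT_NAME" \
      "project_domain_name=$PROJECT_DOMAIN_NAME" \
      "user_domain_name=$USER_DOMAIN_NAME"; do
    _val=$(json_escape "${_pair#*=}") || return 1
    _json="$_json\"${_pair%%=*}\":\"$_val\","
  done
  printf '%s"insecure":"false"}' "$_json"
}

# Emit the Secret with the JSON base64-encoded under data:, so no value is
# ever interpreted as YAML.
openstack_secret_manifest() {
  _region=$(printf '%s' "$REGION" | tr '[:upper:]' '[:lower:]')
  case $_region in   # REGION becomes part of a resource name
    ''|-*|*-|*[!a-z0-9-]*) echo "invalid REGION" >&2; return 1 ;;
  esac
  _cfg=$(openstack_configs_json) || { echo "control character in a value" >&2; return 1; }
  _enc=$(printf '%s' "$_cfg" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: secret-os-${_region}
  namespace: skycluster-system
type: Opaque
data:
  configs: ${_enc}
EOF
}

# Usage: openstack_secret_manifest | kubectl apply -f -
```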

SAVI Testbed (OpenStack Example)

We offer computing resources for academic research through the SAVI Testbed, a distributed computing infrastructure built on the OpenStack framework. To request access, please contact us. Once granted access, use your USERNAME and PASSWORD and follow the steps below to configure the SAVI Testbed provider. You can choose from the following available regions: SCINET, VAUGHAN, BAHEN.

export AUTH_URL="http://iamv3.savitestbed.ca:5000/v3"
export USERNAME="USERNAME"
export PASSWORD="PASSWORD"
export TENANT_NAME="skycluster"
export REGION="SCINET" # one of SCINET, VAUGHAN, BAHEN
export USER_DOMAIN_NAME="Default"
export PROJECT_DOMAIN_NAME="Default"

Then execute the command below to configure the provider:

curl -s https://skycluster.io/configs/openstack-cfg.sh | bash

Repeat the steps for each additional region you want to configure.

On-premises Edge Clusters

SkyCluster supports on-premises edge clusters, where a group of edge devices can be registered as an edge provider to run workloads. This enables orchestration of workloads across the devices.

A gateway device with a static IP address and specific internet-accessible ports is required. The gateway provides access to the edge devices and their internal IP addresses. SkyCluster uses SSH connections to configure both the gateway and worker nodes, installing K3S with the gateway serving as the controller and the edge devices functioning as worker nodes. This setup allows the edge cluster to operate independently while collaborating with other clusters to share application workloads.

Before setting up an edge cluster, ensure the following requirements are met:

  • The gateway device has a static IP address.

  • Port 443 on the gateway is accessible from the internet.

  • SSH access is enabled on the gateway and all worker nodes.

  • A private key is configured for SSH access on the gateway and all edge devices.

export GW_URL="http://gw.savitestbed.ca"
export PRIVATE_KEY_PATH=/path/to/private/key
export USERNAME="USERNAME"
export REGION="region-name"

export PRIVATE_KEY=$(cat "$PRIVATE_KEY_PATH" | base64 -w0)
curl -s https://skycluster.io/configs/on-premises-cfg.sh | bash
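
`export PRIVATE_KEY=$(...)` returns success even when `cat` fails, which leaves the variable empty. The following added example (not part of the SkyCluster scripts; function names are hypothetical) checks the key file before encoding it and stops on the first problem.

```bash
#!/bin/bash
# Added example: pre-flight check for the SSH key referenced by PRIVATE_KEY_PATH.
# Not part of the SkyCluster scripts; function names are hypothetical.

check_private_key() {
  _p=$1
  [ -f "$_p" ] && [ -r "$_p" ] || { echo "key not readable: $_p" >&2; return 1; }
  # Characters 5-10 of the ls mode string are the group and other bits.
  # OpenSSH clients refuse private keys that are group or world accessible.
  _go=$(ls -ld "$_p" | cut -c5-10)
  [ "$_go" = "------" ] || { echo "key is group/world accessible: chmod 600 it" >&2; return 1; }
  case $(head -n 1 "$_p") in
    '-----BEGIN '*'PRIVATE KEY-----') ;;
    *) echo "file does not start with a private key header" >&2; return 1 ;;
  esac
}

encode_private_key() {
  check_private_key "$1" || return 1
  _enc=$(base64 < "$1" | tr -d '\n')
  # Confirm the single-line encoding decodes back to the exact file contents.
  printf '%s' "$_enc" | base64 -d | cmp -s - "$1" || return 1
  printf '%s' "$_enc"
}

# Usage: PRIVATE_KEY=$(encode_private_key "$PRIVATE_KEY_PATH") || exit 1
#        export PRIVATE_KEY
```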