c12s-kubespray/docs/downloads.md

Downloading binaries and containers
===================================

Kubespray supports several download/upload modes. The default is:

* Each node downloads binaries and container images on its own, which is
  ``download_run_once: False``.
* For K8s apps, pull policy is ``k8s_image_pull_policy: IfNotPresent``.
* For system managed containers, like kubelet or etcd, pull policy is
  ``download_always_pull: False``, which is pull if only the wanted repo and
  tag/sha256 digest differs from that the host has.

There is also a "pull once, push many" mode as well:

* Override the ``download_run_once: True`` to download container images and binaries only once
  then push to cluster nodes in batches. The default delegate node
  for pushing is the first `kube-master`.
* If your ansible runner node (aka the admin node) have password-less sudo and
  docker enabled, you may want to define the ``download_localhost: True``, which
  makes that node a delegate for pushing while running the deployment with
  ansible. This may be the case if cluster nodes cannot access each other via ssh
  or you want to use local docker images and binaries as a cache for multiple clusters.

Container images and binary files are described by the vars like ``foo_version``,
``foo_download_url``, ``foo_checksum`` for binaries and ``foo_image_repo``,
``foo_image_tag`` or optional  ``foo_digest_checksum`` for containers.

Container images may be defined by its repo and tag, for example:
`andyshinn/dnsmasq:2.72`. Or by repo and tag and sha256 digest:
`andyshinn/dnsmasq@sha256:7c883354f6ea9876d176fe1d30132515478b2859d6fc0cbf9223ffdc09168193`.

Note, the sha256 digest and the image tag must be both specified and correspond
to each other. The given example above is represented by the following vars:
```
dnsmasq_digest_checksum: 7c883354f6ea9876d176fe1d30132515478b2859d6fc0cbf9223ffdc09168193
dnsmasq_image_repo: andyshinn/dnsmasq
dnsmasq_image_tag: '2.72'
```
The full list of available vars may be found in the download's ansible role defaults.
Those also allow to specify custom urls and local repositories for binaries and container
images as well. See also the DNS stack docs for the related intranet configuration,
so the hosts can resolve those urls and repos.

## Offline environment

In case your servers don't have access to internet (for example when deploying on premises with security constraints), you'll have, first, to setup the appropriate proxies/caches/mirrors and/or internal repositories and registries and, then, adapt the following variables to fit your environment before deploying:

* At least `foo_image_repo` and `foo_download_url` as described before (i.e. in case of use of proxies to registries and binaries repositories, checksums and versions do not necessarily need to be changed).
  NB: Regarding `foo_image_repo`, when using insecure registries/proxies, you will certainly have to append them to the `docker_insecure_registries` variable in group_vars/all/docker.yml
* `pyrepo_index` (and optionally `pyrepo_cert`)
* Depending on the `container_manager`
  * When `container_manager=docker`, `docker_foo_repo_base_url`, `docker_foo_repo_gpgkey`, `dockerproject_bar_repo_base_url` and `dockerproject_bar_repo_gpgkey` (where `foo` is the distribution and `bar` is system package manager)
  * When `container_manager=crio`, `crio_rhel_repo_base_url` 
* When using Helm, `helm_stable_repo_url`
Add download_always_pull check and sha256 for docker images Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> 2016-12-19 14:50:04 +00:00			`Downloading binaries and containers`
			`===================================`

rename almost all mentions of kargo 2017-06-16 17:25:46 +00:00			`Kubespray supports several download/upload modes. The default is:`
Add download_always_pull check and sha256 for docker images Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> 2016-12-19 14:50:04 +00:00
			`* Each node downloads binaries and container images on its own, which is`
			``download_run_once: False``.
			* For K8s apps, pull policy is ``k8s_image_pull_policy: IfNotPresent``.
			`* For system managed containers, like kubelet or etcd, pull policy is`
			``download_always_pull: False``, which is pull if only the wanted repo and
			`tag/sha256 digest differs from that the host has.`

			`There is also a "pull once, push many" mode as well:`

Enable delegating all downloads (binaries, images, kubeadm images) (#4420) * Download to delegate and sync files when download_run_once * Fail on error after saving container image * Do not set changed status when downloaded container was up to date * Only sync containers when they are actually required Previously, non-required images (pull_required=false as image existed on target host) were synced to the target hosts. This failed as the image was not downloaded to the download_delegate and hence was not available for syncing. * Sync containers when only missing on some hosts * Consider images with multiple repo tags * Enable kubeadm images pull/syncing with download_delegate * Use kubeadm images list to pull/sync 'kubeadm config images pull' is replaced by collecting the images list with 'kubeadm config images list' and using the commonly used method of pull/syncing the images. * Ensure containers are downloaded and synced for all hosts * Fix download/syncing when download_delegate is a kubernetes host 2019-05-01 08:10:56 +00:00			* Override the ``download_run_once: True`` to download container images and binaries only once
Add download_always_pull check and sha256 for docker images Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> 2016-12-19 14:50:04 +00:00			`then push to cluster nodes in batches. The default delegate node`
Enable delegating all downloads (binaries, images, kubeadm images) (#4420) * Download to delegate and sync files when download_run_once * Fail on error after saving container image * Do not set changed status when downloaded container was up to date * Only sync containers when they are actually required Previously, non-required images (pull_required=false as image existed on target host) were synced to the target hosts. This failed as the image was not downloaded to the download_delegate and hence was not available for syncing. * Sync containers when only missing on some hosts * Consider images with multiple repo tags * Enable kubeadm images pull/syncing with download_delegate * Use kubeadm images list to pull/sync 'kubeadm config images pull' is replaced by collecting the images list with 'kubeadm config images list' and using the commonly used method of pull/syncing the images. * Ensure containers are downloaded and synced for all hosts * Fix download/syncing when download_delegate is a kubernetes host 2019-05-01 08:10:56 +00:00			for pushing is the first `kube-master`.
Add download_always_pull check and sha256 for docker images Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> 2016-12-19 14:50:04 +00:00			`* If your ansible runner node (aka the admin node) have password-less sudo and`
			docker enabled, you may want to define the ``download_localhost: True``, which
Enable delegating all downloads (binaries, images, kubeadm images) (#4420) * Download to delegate and sync files when download_run_once * Fail on error after saving container image * Do not set changed status when downloaded container was up to date * Only sync containers when they are actually required Previously, non-required images (pull_required=false as image existed on target host) were synced to the target hosts. This failed as the image was not downloaded to the download_delegate and hence was not available for syncing. * Sync containers when only missing on some hosts * Consider images with multiple repo tags * Enable kubeadm images pull/syncing with download_delegate * Use kubeadm images list to pull/sync 'kubeadm config images pull' is replaced by collecting the images list with 'kubeadm config images list' and using the commonly used method of pull/syncing the images. * Ensure containers are downloaded and synced for all hosts * Fix download/syncing when download_delegate is a kubernetes host 2019-05-01 08:10:56 +00:00			`makes that node a delegate for pushing while running the deployment with`
			`ansible. This may be the case if cluster nodes cannot access each other via ssh`
			`or you want to use local docker images and binaries as a cache for multiple clusters.`
Add download_always_pull check and sha256 for docker images Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> 2016-12-19 14:50:04 +00:00
			Container images and binary files are described by the vars like ``foo_version``,
			``foo_download_url``, ``foo_checksum`` for binaries and ``foo_image_repo``,
			``foo_image_tag`` or optional ``foo_digest_checksum`` for containers.

			`Container images may be defined by its repo and tag, for example:`
			`andyshinn/dnsmasq:2.72`. Or by repo and tag and sha256 digest:
			`andyshinn/dnsmasq@sha256:7c883354f6ea9876d176fe1d30132515478b2859d6fc0cbf9223ffdc09168193`.

			`Note, the sha256 digest and the image tag must be both specified and correspond`
			`to each other. The given example above is represented by the following vars:`
			```
			`dnsmasq_digest_checksum: 7c883354f6ea9876d176fe1d30132515478b2859d6fc0cbf9223ffdc09168193`
			`dnsmasq_image_repo: andyshinn/dnsmasq`
			`dnsmasq_image_tag: '2.72'`
			```
			`The full list of available vars may be found in the download's ansible role defaults.`
			`Those also allow to specify custom urls and local repositories for binaries and container`
			`images as well. See also the DNS stack docs for the related intranet configuration,`
			`so the hosts can resolve those urls and repos.`
Offline environment documentation 2018-09-19 12:18:51 +00:00
			`## Offline environment`

			`In case your servers don't have access to internet (for example when deploying on premises with security constraints), you'll have, first, to setup the appropriate proxies/caches/mirrors and/or internal repositories and registries and, then, adapt the following variables to fit your environment before deploying:`

			* At least `foo_image_repo` and `foo_download_url` as described before (i.e. in case of use of proxies to registries and binaries repositories, checksums and versions do not necessarily need to be changed).
			NB: Regarding `foo_image_repo`, when using insecure registries/proxies, you will certainly have to append them to the `docker_insecure_registries` variable in group_vars/all/docker.yml
Offline deployment: PyPi repo (#3542) 2018-10-24 05:22:09 +00:00			* `pyrepo_index` (and optionally `pyrepo_cert`)
Offline environment documentation 2018-09-19 12:18:51 +00:00			* Depending on the `container_manager`
			* When `container_manager=docker`, `docker_foo_repo_base_url`, `docker_foo_repo_gpgkey`, `dockerproject_bar_repo_base_url` and `dockerproject_bar_repo_gpgkey` (where `foo` is the distribution and `bar` is system package manager)
			* When `container_manager=crio`, `crio_rhel_repo_base_url`
			* When using Helm, `helm_stable_repo_url`