running-locally.md

File metadata and controls

950 lines (759 loc) · 22.8 KB

How to run TKE locally

This guide walks you through deploying the full TKE stack on your local machine so that you can experiment with the core components. It is highly recommended if you want to develop TKE and contribute regularly.

Prerequisites

OS Requirements

TKE supports running on Linux, Windows or macOS operating systems.

Docker

TKE requires Docker version 1.12+ to run its underlying services as Docker containers. Ensure the Docker daemon is working by running docker ps, and check its version by running docker --version.

To install Docker:

  • macOS: Use either "Docker for Mac" or "docker-machine". See instructions here.
  • Linux: Find instructions to install Docker for your Linux distribution here.

etcd

etcd is a persistent key-value store (not a SQL database). All TKE services share a single running etcd as their backend.

To install etcd:

  • macOS: Install and start etcd as a local service:
    brew install etcd
    brew services start etcd
  • Linux: Run a single-node etcd using Docker. See instructions here.

Go

TKE is written in Go. See the supported versions here.

To install Go:

  • For macOS users,
    brew install go
  • For other users, see instructions here.

To configure Go:

  • Make sure your $GOPATH, $GOROOT and $PATH are configured correctly.
  • Add tkestack.io to your Go env as below.
    go env -w GOPRIVATE="tkestack.io"
    go env -w GONOPROXY="tkestack.io"

Node.js and NPM

TKE requires Node.js and NPM. See here for supported versions.

  • For macOS users,
    brew install nodejs
  • For other users, see instructions here.

Building TKE Components

TKE contains 11 core components, a dependency list generator and a customized installer. For details, see here.

  • Clone TKE Repository

    git clone --depth=1 https://github.com/tkestack/tke.git
    

    The --depth=1 parameter is optional; it produces a shallow clone and therefore a smaller download.

  • Build binaries

    Once all the dependencies and requirements have been installed and configured, you can compile TKE on your local machine. Make sure to run the build from the TKE root path.

    cd tke
    make build

    After the compilation is complete, you can find all the binary executables in the _output/${host_os}/${host_arch} directory.

Create Self-signed Certificates

For security reasons, none of the TKE core components serves plain (insecure) HTTP. To enable TLS, you need to create a self-signed root certificate and a server certificate signed by it.

It is highly recommended to use mkcert to generate certificates for developing and testing TKE, since it simplifies the process of creating a local CA and server certificates. See here for the installation guide.

To create certificates using mkcert:

cd tke
mkdir -p _debug/certificates
cd _debug/certificates
# Make a CA and install it to local trusted certificate store.
mkcert -install
# Make server certificate.
mkcert localhost 127.0.0.1 ::1

You can find your certificates at

_debug/certificates/
├── localhost+2-key.pem
└── localhost+2.pem

0 directories, 2 files

Create Static Token

Create a static token to authenticate all TKE API services.

cd tke
mkdir -p _debug
touch _debug/token.csv
echo 'token,admin,1,"administrator"' > _debug/token.csv

Bootstrap TKE Core Components

This section walks you through bootstrapping TKE on your local machine.

TKE contains 11 core components. For details, see here. In order for all the services to run properly, follow the guide below and bootstrap them in order. You can skip the optional components if you do not need them.

For convenience:

  • Run the following commands in the TKE root directory.
  • Export ${host_os} and ${host_arch} as environment variables matching your machine. You can read them off your tke/_output/${host_os}/${host_arch} path.
  • Export ${root_store} so that ${root_store}/mkcert/rootCA.pem (the path used in the configs below) points at the root certificate created by mkcert in the previous step; mkcert -CAROOT prints the directory that holds rootCA.pem. On macOS that directory is usually /Users/${username}/Library/Application Support/mkcert.

tke-auth-api

  • Create _debug/auth-api.json

    _debug/auth-api.json

    {
      "secure_serving": {
        "tls_cert_file": "_debug/certificates/localhost+2.pem",
        "tls_private_key_file": "_debug/certificates/localhost+2-key.pem"
      },
      "etcd": {
        "servers": ["http://127.0.0.1:2379"]
      },
      "authentication": {
        "token_auth_file": "_debug/token.csv",
        "privileged_username": "admin"
      },
      "generic": {
        "external_hostname": "localhost",
        "external_port": 9451
      },
      "auth": {
        "assets_path": "./pkg/auth/web",
        "init_client_id": "client",
        "init_client_secret": "secret",
        "init_client_redirect_uris": [
          "http://localhost:9442/callback",
          "http://127.0.0.1:9442/callback",
          "https://localhost:9441/callback",
          "https://127.0.0.1:9441/callback"
        ]
      }
    }
  • Run tke-auth-api

    $ _output/${host_os}/${host_arch}/tke-auth-api -C _debug/auth-api.json

tke-auth-controller

  • Create _debug/auth-api-client-config.yaml

    _debug/auth-api-client-config.yaml

    apiVersion: v1
    kind: Config
    clusters:
      - name: tke
        cluster:
          certificate-authority: ${root_store}/mkcert/rootCA.pem
          server: https://127.0.0.1:9451
    users:
      - name: admin
        user:
          token: token
    current-context: tke
    contexts:
      - context:
          cluster: tke
          user: admin
        name: tke
  • Create _debug/auth-controller.json

    _debug/auth-controller.json

    {
      "secure_serving": {
        "tls_cert_file": "_debug/certificates/localhost+2.pem",
        "tls_private_key_file": "_debug/certificates/localhost+2-key.pem"
      },
      "client": {
        "auth": {
          "api_server_client_config": "_debug/auth-api-client-config.yaml"
        }
      },
      "features": {
        "category_path": "hack/auth/category.json",
        "policy_path": "hack/auth/policy.json",
        "tenant_admin": "admin",
        "tenant_admin_secret": "secret"
      }
    }
  • Run tke-auth-controller:

    $ _output/${host_os}/${host_arch}/tke-auth-controller -C _debug/auth-controller.json

tke-platform-api

  • Create _debug/platform-api.json

    _debug/platform-api.json

    {
      "authentication": {
        "oidc": {
          "client_id": "client",
          "issuer_url": "https://localhost:9451/oidc",
          "ca_file": "${root_store}/mkcert/rootCA.pem",
          "username_prefix": "-",
          "username_claim": "name",
          "tenantid_claim": "federated_claims"
        },
        "token_auth_file": "_debug/token.csv"
      },
      "secure_serving": {
        "tls_cert_file": "_debug/certificates/localhost+2.pem",
        "tls_private_key_file": "_debug/certificates/localhost+2-key.pem"
      },
      "etcd": {
        "servers": ["http://127.0.0.1:2379"]
      }
    }
  • Run tke-platform-api

    $ _output/${host_os}/${host_arch}/tke-platform-api -C _debug/platform-api.json

tke-platform-controller

  • Create _debug/platform-api-client-config.yaml

    _debug/platform-api-client-config.yaml

    apiVersion: v1
    kind: Config
    clusters:
      - name: tke
        cluster:
          certificate-authority: ${root_store}/mkcert/rootCA.pem
          server: https://127.0.0.1:9443
    users:
      - name: admin
        user:
          token: token
    current-context: tke
    contexts:
      - context:
          cluster: tke
          user: admin
        name: tke
  • Create _debug/platform-controller.json

    _debug/platform-controller.json

    {
      "secure_serving": {
        "tls_cert_file": "_debug/certificates/localhost+2.pem",
        "tls_private_key_file": "_debug/certificates/localhost+2-key.pem"
      },
      "client": {
        "platform": {
          "api_server_client_config": "_debug/platform-api-client-config.yaml"
        }
      }
    }
  • Run tke-platform-controller

    $ _output/${host_os}/${host_arch}/tke-platform-controller -C _debug/platform-controller.json

tke-registry-api (Optional)

  • Create _debug/registry-api.json

    _debug/registry-api.json

    {
      "authentication": {
        "oidc": {
          "client_id": "client",
          "issuer_url": "https://localhost:9451/oidc",
          "ca_file": "${root_store}/mkcert/rootCA.pem",
          "token_review_path": "/auth/authn",
          "username_prefix": "-",
          "username_claim": "name",
          "tenantid_claim": "federated_claims"
        },
        "requestheader": {
          "username_headers": "X-Remote-User",
          "group_headers": "X-Remote-Groups",
          "extra_headers_prefix": "X-Remote-Extra-",
          "client_ca_file": "${root_store}/mkcert/rootCA.pem"
        },
        "token_auth_file": "_debug/token.csv"
      },
      "secure_serving": {
        "tls_cert_file": "_debug/certificates/localhost+2.pem",
        "tls_private_key_file": "_debug/certificates/localhost+2-key.pem"
      },
      "etcd": {
        "servers": [
          "http://127.0.0.1:2379"
        ]
      },
      "registry_config": "_debug/registry-config.yaml"
    }
  • Create _debug/registry-config.yaml (the path referenced by registry_config above)

    _debug/registry-config.yaml

    apiVersion: registry.config.tkestack.io/v1
    kind: RegistryConfiguration
    storage:
      fileSystem:
        rootDirectory: _debug/registry
    security:
      tokenPrivateKeyFile: keys/private_key.pem
      tokenPublicKeyFile: keys/public.crt
      adminPassword: secret
      adminUsername: admin
      httpSecret: secret
    defaultTenant: default
  • Run tke-registry-api

    $ _output/${host_os}/${host_arch}/tke-registry-api -C _debug/registry-api.json

tke-business-api (Optional)

  • Create _debug/business-api.json

    _debug/business-api.json

    {
      "authentication": {
        "oidc": {
          "client_id": "client",
          "issuer_url": "https://localhost:9451/oidc",
          "ca_file": "${root_store}/mkcert/rootCA.pem",
          "username_prefix": "-",
          "username_claim": "name",
          "tenantid_claim": "federated_claims"
        },
        "token_auth_file": "_debug/token.csv"
      },
      "secure_serving": {
        "tls_cert_file": "_debug/certificates/localhost+2.pem",
        "tls_private_key_file": "_debug/certificates/localhost+2-key.pem"
      },
      "etcd": {
        "servers": ["http://127.0.0.1:2379"]
      },
      "client": {
        "platform": {
          "api_server_client_config": "_debug/platform-api-client-config.yaml"
        }
      }
    }
  • Run tke-business-api

    $ _output/${host_os}/${host_arch}/tke-business-api -C _debug/business-api.json

tke-business-controller (Optional)

  • Create _debug/business-api-client-config.yaml

    _debug/business-api-client-config.yaml

    apiVersion: v1
    kind: Config
    clusters:
      - name: tke
        cluster:
          certificate-authority: ${root_store}/mkcert/rootCA.pem
          server: https://127.0.0.1:9447
    users:
      - name: admin
        user:
          token: token
    current-context: tke
    contexts:
      - context:
          cluster: tke
          user: admin
        name: tke
  • Create _debug/business-controller.json

    _debug/business-controller.json

    {
      "secure_serving": {
        "tls_cert_file": "_debug/certificates/localhost+2.pem",
        "tls_private_key_file": "_debug/certificates/localhost+2-key.pem"
      },
      "client": {
        "platform": {
          "api_server_client_config": "_debug/platform-api-client-config.yaml"
        },
        "business": {
          "api_server_client_config": "_debug/business-api-client-config.yaml"
        }
      }
    }
  • Run tke-business-controller

    $ _output/${host_os}/${host_arch}/tke-business-controller -C _debug/business-controller.json

tke-monitor-api (Optional)

  • Run an InfluxDB Docker container

    tke-monitor-controller requires an InfluxDB instance with a database named "projects" as the backend for storing monitoring data.

    sudo docker volume create influxdb
    sudo docker run -d -p 8086:8086 --volume=influxdb:/var/lib/influxdb --name influxdb influxdb:latest
    curl -XPOST 'http://localhost:8086/query' --data-urlencode 'q=CREATE DATABASE "projects"'
    
  • Create _debug/monitor-config.yaml

    _debug/monitor-config.yaml

    apiVersion: monitor.config.tkestack.io/v1
    kind: MonitorConfiguration
    storage:
      influxDB:
        servers:
          - address: http://localhost:8086
  • Create _debug/monitor-api-client-config.yaml

    _debug/monitor-api-client-config.yaml

    apiVersion: v1
    kind: Config
    clusters:
      - name: tke
        cluster:
          certificate-authority: ${root_store}/mkcert/rootCA.pem
          server: https://127.0.0.1:9455
    users:
      - name: admin
        user:
          token: token
    current-context: tke
    contexts:
      - context:
          cluster: tke
          user: admin
        name: tke
    
  • Create _debug/monitor-api.json

    _debug/monitor-api.json

    {
      "authentication": {
        "oidc": {
          "client_id": "client",
          "issuer_url": "https://localhost:9451/oidc",
          "ca_file": "${root_store}/mkcert/rootCA.pem",
          "username_prefix": "-",
          "username_claim": "name",
          "tenantid_claim": "federated_claims"
        },
        "token_auth_file": "_debug/token.csv"
      },
      "secure_serving": {
        "tls_cert_file": "_debug/certificates/localhost+2.pem",
        "tls_private_key_file": "_debug/certificates/localhost+2-key.pem"
      },
      "etcd": {
        "servers": ["http://127.0.0.1:2379"]
      },
      "client": {
        "platform": {
          "api_server_client_config": "_debug/platform-api-client-config.yaml"
        }
      },
      "monitor_config": "_debug/monitor-config.yaml"
    }
    
  • Run tke-monitor-api

    $ _output/${host_os}/${host_arch}/tke-monitor-api -C _debug/monitor-api.json

tke-monitor-controller (Optional)

  • Create _debug/monitor-controller.json

    _debug/monitor-controller.json

    Delete the business block if you didn't enable the TKE Business Service previously.

    {
      "secure_serving": {
        "tls_cert_file": "_debug/certificates/localhost+2.pem",
        "tls_private_key_file": "_debug/certificates/localhost+2-key.pem"
      },
      "client": {
        "monitor": {
          "api_server_client_config": "_debug/monitor-api-client-config.yaml"
        },
        "business": {
          "api_server_client_config": "_debug/business-api-client-config.yaml"
        }
      },
      "monitor_config": "_debug/monitor-config.yaml"
    }
    
  • Run tke-monitor-controller

    $ _output/${host_os}/${host_arch}/tke-monitor-controller -C _debug/monitor-controller.json

tke-notify-api (Optional)

  • Create _debug/notify-api.json

    _debug/notify-api.json

    {
      "authentication": {
        "oidc": {
          "client_id": "client",
          "issuer_url": "https://localhost:9451/oidc",
          "ca_file": "${root_store}/mkcert/rootCA.pem",
          "username_prefix": "-",
          "username_claim": "name",
          "tenantid_claim": "federated_claims"
        },
        "requestheader": {
          "username_headers": "X-Remote-User",
          "group_headers": "X-Remote-Groups",
          "extra_headers_prefix": "X-Remote-Extra-",
          "client_ca_file": "${root_store}/mkcert/rootCA.pem"
        },
        "token_auth_file": "_debug/token.csv"
      },
      "secure_serving": {
        "tls_cert_file": "_debug/certificates/localhost+2.pem",
        "tls_private_key_file": "_debug/certificates/localhost+2-key.pem"
      },
      "etcd": {
        "servers": ["http://127.0.0.1:2379"]
      },
      "client": {
        "platform": {
          "api_server_client_config": "_debug/platform-api-client-config.yaml"
        }
      }
    }
    
  • Run tke-notify-api

    $ _output/${host_os}/${host_arch}/tke-notify-api -C _debug/notify-api.json

tke-notify-controller (Optional)

  • Create _debug/notify-api-client-config.yaml

    _debug/notify-api-client-config.yaml

    apiVersion: v1
    kind: Config
    clusters:
      - name: tke
        cluster:
          certificate-authority: ${root_store}/mkcert/rootCA.pem
          server: https://127.0.0.1:9457
    users:
      - name: admin
        user:
          token: token
    current-context: tke
    contexts:
      - context:
          cluster: tke
          user: admin
        name: tke
    
  • Create _debug/notify-controller.json

    _debug/notify-controller.json

    {
      "secure_serving": {
        "tls_cert_file": "_debug/certificates/localhost+2.pem",
        "tls_private_key_file": "_debug/certificates/localhost+2-key.pem"
      },
      "client": {
        "notify": {
          "api_server_client_config": "_debug/notify-api-client-config.yaml"
        }
      }
    }
    
  • Run tke-notify-controller

    $ _output/${host_os}/${host_arch}/tke-notify-controller -C _debug/notify-controller.json

tke-gateway

  • Create _debug/gateway-config.yaml

    _debug/gateway-config.yaml

    Depending on which optional TKE services you have started, uncomment the corresponding entries so that tke-gateway can discover them.

    apiVersion: gateway.config.tkestack.io/v1
    kind: GatewayConfiguration
    components:
      auth:
        address: https://127.0.0.1:9451
        passthrough:
          caFile: ${root_store}/mkcert/rootCA.pem
      platform:
        address: https://127.0.0.1:9443
        passthrough:
          caFile: ${root_store}/mkcert/rootCA.pem
      ### Optional Services ###
      # TKE Registry
      # registry:
      #   address: https://127.0.0.1:9453
      #   passthrough:
      #     caFile: ${root_store}/mkcert/rootCA.pem
      # TKE Business
      # business:
      #   address: https://127.0.0.1:9447
      #   frontProxy:
      #     caFile: ${root_store}/mkcert/rootCA.pem
      #     clientCertFile: certificates/localhost+2-client.pem
      #     clientKeyFile: certificates/localhost+2-client-key.pem
      # TKE Monitor
      # monitor:
      #   address: https://127.0.0.1:9455
      #   passthrough:
      #     caFile: ${root_store}/mkcert/rootCA.pem
      # TKE Notify
      # notify:
      #   address: https://127.0.0.1:9457
      #   passthrough:
      #     caFile: ${root_store}/mkcert/rootCA.pem
    
  • Create _debug/gateway.json

    _debug/gateway.json

    {
      "authentication": {
        "oidc": {
          "client_secret": "secret",
          "client_id": "client",
          "issuer_url": "https://localhost:9451/oidc",
          "ca_file": "${root_store}/mkcert/rootCA.pem",
          "username_prefix": "-",
          "username_claim": "name",
          "tenantid_claim": "federated_claims"
        }
      },
      "secure_serving": {
        "tls_cert_file": "_debug/certificates/localhost+2.pem",
        "tls_private_key_file": "_debug/certificates/localhost+2-key.pem"
      },
      "gateway_config": "_debug/gateway-config.yaml"
    }
  • Run tke-gateway

    $ _output/${host_os}/${host_arch}/tke-gateway -C _debug/gateway.json
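The component configs above cross-reference each other by relative path and carry a ${root_store} placeholder that has to be substituted by hand, so a missed edit usually only shows up when a component fails to start. The following script is an added example, not part of the TKE project, that checks a component JSON for unexpanded placeholders and dangling file references and validates the token.csv row layout. It assumes the static token file uses the token,user,uid,"groups" row layout shown in this guide; the 16-character minimum token length is a constructed heuristic, not a TKE rule.

```python
"""Added check for TKE _debug configs: dangling paths, ${root_store} placeholders, token.csv rows."""
import csv, io, json, re, tempfile
from pathlib import Path

# Keys whose values are file paths in the component JSON configs.
PATH_KEYS = {"tls_cert_file", "tls_private_key_file", "token_auth_file",
             "ca_file", "client_ca_file", "api_server_client_config",
             "registry_config", "monitor_config", "gateway_config"}
UNEXPANDED = re.compile(r"\$\{\w+\}")   # e.g. ${root_store}

def _path_refs(node, found):
    """Collect (key, value) for every path-valued key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in PATH_KEYS and isinstance(value, str):
                found.append((key, value))
            _path_refs(value, found)
    elif isinstance(node, list):
        for item in node:
            _path_refs(item, found)
    return found

def check_component_config(config_text, root):
    """Problems in one component JSON. Relative paths resolve against the
    tke repository root, since the guide runs every component from there."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as err:
        return [f"invalid JSON: {err}"]
    problems = []
    for key, value in _path_refs(cfg, []):
        if UNEXPANDED.search(value):
            problems.append(f"{key}: unexpanded placeholder in {value!r}")
        elif not (Path(root) / value).is_file():
            problems.append(f"{key}: {value} not found under {root}")
    return problems

def check_token_file(token_csv_text, min_len=16):
    """Validate token.csv rows (token,user,uid[,"groups"]); min_len is a constructed heuristic."""
    problems = []
    for lineno, row in enumerate(csv.reader(io.StringIO(token_csv_text)), 1):
        if row and len(row) not in (3, 4):
            problems.append(f"line {lineno}: expected 3 or 4 fields, got {len(row)}")
        elif row and len(row[0]) < min_len:
            problems.append(f"line {lineno}: token for {row[1]!r} is shorter than {min_len} chars")
    return problems

def demo():
    """Constructed layout: token.csv exists, registry-config.yaml does not,
    and ca_file still carries the ${root_store} placeholder."""
    root = Path(tempfile.mkdtemp())
    (root / "_debug").mkdir()
    (root / "_debug/token.csv").write_text('token,admin,1,"administrator"\n')
    cfg = json.dumps({
        "authentication": {"oidc": {"ca_file": "${root_store}/mkcert/rootCA.pem"},
                           "token_auth_file": "_debug/token.csv"},
        "registry_config": "_debug/registry-config.yaml"})
    return check_component_config(cfg, root)
```

Run check_component_config against each _debug/*.json from the tke root before launching the components; an empty list means every referenced file is in place.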

Access TKE Web UI

Once all the TKE services are up and running, you can access the TKE Web UI from your browser:

The username and password are the ones specified in the launch configuration of the tke-auth component:

  • Username: admin
  • Password: secret

FAQ

> Question: How do I get the DEBUG log?

Answer: By default, all the core components log at INFO level. Add the following block to a component's JSON config to enable DEBUG logging.

"log": {
  "level": "debug"
}

> Question: How do I find the config options of TKE services?

Answer: Instead of passing a configuration file with -C, run the service binary with -h to get a full list of its options.