From 2aa0a048c365a201cc47f55da21f02b0c35ad454 Mon Sep 17 00:00:00 2001
From: craig
Date: Tue, 12 Nov 2024 11:09:46 +0000
Subject: [PATCH] updates for install doc
Signed-off-by: craig
rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED
Update observability resources to use gateway-system namespace (#969)
Signed-off-by: David Martin
add example for external api usage
---
 config/install/README.md | 25 ++-
 .../observability/kustomization.yaml | 2 +-
 config/install/standard/kustomization.yaml | 2 +-
 .../istio/service-monitor-istiod.yaml | 4 +-
 doc/user-guides/external-api.md | 173 ++++++++++++++++++
 5 files changed, 193 insertions(+), 13 deletions(-)
 create mode 100644 doc/user-guides/external-api.md
diff --git a/config/install/README.md b/config/install/README.md
index 03cc13f95..522e1a7bc 100644
--- a/config/install/README.md
+++ b/config/install/README.md
@@ -11,16 +11,22 @@ Install the Sail and Kuadrant Operators via OLM:
-> Note: By default this will install the "latest" or "main" of kuadrant. To change that, pick a release from the releases page in the kuadrant operator and change the image in the `config/deploy/olm/catalogsource.yaml` or if you are familiar with kustomize you could apply your own kustomization.
+> Note: By default this will install the "latest" or "main" of kuadrant. To change that, pick a release from the releases page in the kuadrant operator and change the image in the `config/deploy/install/standard/kustomization.yaml`.
+
+> Note: We are using the `--context` flag here this is useful if installing on more than one cluster otherwise it is not needed
+
+```
+export ctx=replace-with-your-context
+```
 ```
-kubectl apply -k config/install/standard
+kubectl apply -k config/install/standard --context=$ctx
 ```
 3) verify kuadrant and sail operators are installed. Note this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below:
 ```
-kubectl get deployments -n kuadrant-system
+kubectl get deployments -n kuadrant-system --context=$ctx
 ```
 ```
@@ -37,12 +43,13 @@ limitador-operator-controller-manager 1/1 1 1 83m
 ```
-kubectl get deployments -n gateway-system
+kubectl get deployments -n gateway-system --context=$ctx
 ```
 ```
 NAME READY UP-TO-DATE AVAILABLE AGE
+istiod 1/1 1 1 61s
 sail-operator 1/1 1 1 81m
 ```
@@ -54,12 +61,12 @@ sail-operator 1/1 1 1 81m
 To setup the DNS and TLS integration (TLS also uses DNS for verification) follow these steps:
 1) Depending on your choice of cloud provider:
- - setup the needed `$CLOUD_PROVIDER-credentals.env` in the cloud provider directory. E.G create `aws-credentials.env` in the `install/configure/aws` directory
+ - setup the needed `$CLOUD_PROVIDER-credentials.env` in the cloud provider directory. E.G create `aws-credentials.env` in the `config/install/configure/aws` directory
 3) execute the configure for that cloud provider
 ```
-kubectl apply -k config/install/configure/aws
+kubectl apply -k config/install/configure/aws --context=$ctx
 ```
@@ -70,7 +77,7 @@ This will configure Kuadrant and Sail installing their components as well as set
 Validate Kuadrant is ready via the kuadrant resource status condition
 ```
-kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml
+kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml --context=$ctx
 ```
@@ -81,7 +88,7 @@ At this point Kuadrant is ready to use. Below are some additonal configuration t
 create a `redis-credential.env` in the `config/install/configure/redis-storage` dir
 ```
-kubectl apply -k config/install/configure/redis-storage
+kubectl apply -k config/install/configure/redis-storage --context=$ctx
 ```
@@ -92,7 +99,7 @@ This will setup limitador to use provided redis connection URL as a backend stor
 Validate Kuadrant is in a ready state as before:
 ```
-kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml
+kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml --context=$ctx
 ```
diff --git a/config/install/configure/observability/kustomization.yaml b/config/install/configure/observability/kustomization.yaml
index a3704bde8..f6c19b492 100644
--- a/config/install/configure/observability/kustomization.yaml
+++ b/config/install/configure/observability/kustomization.yaml
@@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.5.0
+ - github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.6.0
 - ../../../observability/openshift/
 - ../../../observability/prometheus/monitors/
diff --git a/config/install/standard/kustomization.yaml b/config/install/standard/kustomization.yaml
index 58e209420..bc2d521e8 100644
--- a/config/install/standard/kustomization.yaml
+++ b/config/install/standard/kustomization.yaml
@@ -13,4 +13,4 @@ patches:
 metadata:
 name: kuadrant-operator-catalog
 spec:
- image: quay.io/kuadrant/kuadrant-operator-catalog:1.0.0-rc1 #change this to the version you want to install
+ image: quay.io/kuadrant/kuadrant-operator-catalog:v1.0.0-rc4 #change this to the version you want to install
diff --git a/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml b/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml
index e2af452b7..c4215fc39 100644
--- a/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml
+++ b/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml
@@ -2,11 +2,11 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
 name: istiod
- namespace: istio-system
+ namespace: gateway-system
 spec:
 namespaceSelector:
 matchNames:
- - istio-system
+ - gateway-system
 selector:
 matchLabels:
 app: istiod
diff --git a/doc/user-guides/external-api.md b/doc/user-guides/external-api.md
new file mode 100644
index 000000000..e67bc276a
--- /dev/null
+++ b/doc/user-guides/external-api.md
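Review bot: The ServiceMonitor now hard-codes `namespace: gateway-system` in both `metadata` and `namespaceSelector.matchNames`, but whether the Prometheus that consumes it may discover Endpoints there depends on its RBAC and ServiceMonitor namespace selection, neither of which is in this diff; if those are still scoped to istio-system the istiod scrape stops silently, with no error from kustomize or kubectl to show it. The README hunk in this same patch lists istiod under gateway-system, so the target namespace itself looks right. I would check the rest of `config/observability/prometheus/monitors/` and the Prometheus RBAC for remaining istio-system references, and add a one-line comment next to `matchNames` naming the coupling, e.g. `# istiod is installed into gateway-system (see config/install/README.md); the Prometheus RBAC must cover this namespace`.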
@@ -0,0 +1,173 @@ +# Using Gateway API and Kuadrant with APIs outside of the cluster + + +### Overview + +In some cases, the application and API endpoints are exposed in a host external to the cluster where you are a running Gateway API and Kuadrant but you do not want it accessible directly via the public internet. If you want to have external traffic come into a Gateway API defined Gateway and protected by Kuadrant policies first being proxied to the existing legacy endpoints, this guide will give you some example of how to achieve this. + + +### What we will do +- Have an API in a private location become accessible via a public hostname +- Setup a gateway and HTTPRoute to expose this private API via our new Gateway on a (public) domain. +- proxy valid requests through to our back-end API service +- Add auth and rate limiting and TLS to our public Gateway to protect it + + + +### Pre Requisites + +- [Kuadrant and Gateway API installed (with Istio as the gateway provider)](https://docs.kuadrant.io/0.11.0/kuadrant-operator/doc/install/install-kubernetes/) +- Existing API on separate cluster accessible via HTTP from the Gateway cluster + + +What we want to achieve: + +``` + ------------------- DMZ -----------------| + | + |-------------------------------- internal network -----------------------------------| + load balancer | | + | - | | |----------k8s cluster-----------| | |----- Legacy API Location --------| | + | | | | Gateway Kuadrant | | | | | + | | | | ----- ----- | | | | | +---public traffic--my.api.com-----> | | |<--| | | | | HTTP (my.api.local) Backend | | + | | | | | | ----- | | | ----- ----- | | + | | | | ----- -----------proxy---(my.api.local)-->| | ----------> | | | | + | | | | | | | ----- ----- | | + | - | | |--------------------------------| | |----------------------------------| | + | | | + |-----------------------------------------|--------------------------------------------| + | + ------------------- DMZ -----------------| +``` + + +Note for all 
of the resources defined here there is a copy of them under the examples folder + +1) Deploy a Gateway into the K8s cluster that will act as the main Ingress Gateway + +Define your external API hostname and Internal API hostname + +``` +export EXTERNAL_HOST=my.api.com +export INTERNAL_HOST=my.api.local + +``` + +```bash +kubectl apply -n gateway-system -f - <