Updated install doc (#986)

* add a basic kustomize install

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

* Add observability steps and configuration (#1006)

Signed-off-by: David Martin <[email protected]>

* updates for install doc

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

Update observability resources to use gateway-system namespace (#969)

Signed-off-by: David Martin <[email protected]>

add example for external api usage

* remove links

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

* Apply suggestions from code review

Co-authored-by: Rachel Lawton <[email protected]>

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

* remove links
update multi cluster options

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

* fix indent

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

* re-add changes

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

* re-add changes

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

---------

Signed-off-by: David Martin <[email protected]>
Co-authored-by: Rachel Lawton <[email protected]>
Co-authored-by: David Martin <[email protected]>

.gitignore

@@ -23,6 +23,7 @@ testbin/*
 .vscode
 *.swp
 *.swo
+*.env
 *~
 /kuadrant-operator
 tmp

config/install/README.md

@@ -0,0 +1,129 @@
+# Install Kuadrant and Sail via OLM
+
+## Prerequisites  
+- Clone the[ Kuadrant-operator](https://github.com/Kuadrant/kuadrant-operator) repo
+- OLM (operator lifecycle manager)
+- cert-manager 
+  - [cert-manager Operator for Red Hat OpenShift](https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-operator-install.html)
+  - [installing cert-manager via OperatorHub](https://cert-manager.io/docs/installation/operator-lifecycle-manager/)
+- AWS, Azure or GCP with DNS capabilities. (Optional)
+- Accessible Redis instance, for persistent storage for your rate limit counters. (Optional)
+
+
+> Note: By default the following guide will install the "latest" or "main" version of Kuadrant. To pick a specific version, change the image in the `config/deploy/install/standard/kustomization.yaml`. All versions available can be found on the Kuadrant operator [release page](https://github.com/Kuadrant/kuadrant-operator/releases)
+
+> Note: for multiple clusters, it would make sense to do the installation via a tool like [argocd](https://argo-cd.readthedocs.io/en/stable/). For other methods of addressing multiple clusters take a look at the [kubectl docs](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
+
+## Setup the environment
+
+```
+kubectl apply -k config/install/standard
+``` 
+
+Verify both Kuadrant and sail operators are installed. Note, that this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below:
+
+```
+kubectl get deployments -n kuadrant-system
+
+
+# NAME                                    READY   UP-TO-DATE   AVAILABLE   AGE
+# authorino-operator                      1/1     1            1           83m
+# dns-operator-controller-manager         1/1     1            1           83m
+# kuadrant-console-plugin                 1/1     1            1           83m
+# kuadrant-operator-controller-manager    1/1     1            1           83m
+# limitador-operator-controller-manager   1/1     1            1           83m
+```
+
+
+
+```
+kubectl get deployments -n gateway-system
+
+
+# NAME            READY   UP-TO-DATE   AVAILABLE   AGE
+# istiod          1/1     1            1           61s
+# sail-operator   1/1     1            1           81m
+```
+
+## Configure the installation
+
+### TLS and DNS integration
+
+
+Create the `$CLOUD_PROVIDER-credentials.env file` in the cloud provider directory `config/install/configure/$CLOUD_PROVIDER.` e.g. `aws-credentials.env` in the `config/install/configure/aws` directory. Apply the configuration for the desired cloud provider. Example AWS
+
+```
+kubectl apply -k config/install/configure/aws
+```
+
+This will configure Kuadrant and Sail to install their components, set the credentials needed to access DNS zones in the cloud provider, and create a Let's Encrypt cluster issuer configured to use DNS-based validation.
+
+### Validate
+
+Validate Kuadrant is ready via the kuadrant resource status condition
+
+```
+kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml
+```
+
+At this point Kuadrant is ready to use. Below are some additional configuration that can be applied.
+
+### External Redis
+
+create a `redis-credential.env` in the `config/install/configure/redis-storage` dir
+
+```
+kubectl apply -k config/install/configure/redis-storage
+```
+
+This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarily unavailable as it restarts.
+
+### Validate
+
+Validate Kuadrant is in a ready state as before:
+
+```
+kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml
+```
+
+## Set up observability
+
+Verify that user workload monitoring is enabled in your Openshift cluster.
+If it not enabled, check the [Openshift documentation](https://docs.openshift.com/container-platform/4.17/observability/monitoring/enabling-monitoring-for-user-defined-projects.html) for how to do this.
+
+
+```bash
+kubectl get configmap cluster-monitoring-config -n openshift-monitoring -o jsonpath='{.data.config\.yaml}'|grep enableUserWorkload
+# (expected output)
+# enableUserWorkload: true
+```
+
+Install the gateway & Kuadrant metrics components and configuration, including Grafana.
+
+```bash
+kubectl apply -k config/install/configure/observability
+```
+
+Configure the Openshift thanos-query instance as a data source in Grafana.
+
+```bash
+TOKEN="Bearer $(oc whoami -t)"
+HOST="$(kubectl -n openshift-monitoring get route thanos-querier -o jsonpath='https://{.status.ingress[].host}')"
+echo "TOKEN=$TOKEN" > config/observability/openshift/grafana/datasource.env
+echo "HOST=$HOST" >> config/observability/openshift/grafana/datasource.env
+kubectl apply -k config/observability/openshift/grafana
+```
+
+Create the example dashboards in Grafana
+
+```bash
+kubectl apply -k examples/dashboards
+```
+
+Access the Grafana UI, using the default user/pass of root/secret.
+You should see the example dashboards in the 'monitoring' folder.
+For more information on the example dashboards, check out the [documentation](https://docs.kuadrant.io/latest/kuadrant-operator/doc/observability/examples/).
+
+```bash
+kubectl -n monitoring get routes grafana-route -o jsonpath="https://{.status.ingress[].host}"
+```

config/install/configure/aws/cluster-issuer.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: lets-encrypt-aws
+spec:
+  acme:
+    privateKeySecretRef:
+      name: le-secret
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+      - dns01:
+          route53:
+            accessKeyIDSecretRef:
+              key: AWS_ACCESS_KEY_ID
+              name: aws-credentials
+            region: us-east-1 #override if needed
+            secretAccessKeySecretRef:
+              key: AWS_SECRET_ACCESS_KEY
+              name: aws-credentials

config/install/configure/aws/kustomization.yaml

@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+## NOTE YOU NEED TO CREATE A aws-provider-credentials.env file first!
+
+resources:
+  - ../standard
+  - cluster-issuer.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    app.kubernetes.io/part-of: kuadrant
+    app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+  - name: aws-provider-credentials
+    namespace: cert-manager
+    envs:
+      - aws-credentials.env
+    type: 'kuadrant.io/aws'
+  - name: aws-provider-credentials
+    namespace: gateway-system
+    envs:
+      - aws-credentials.env
+    type: 'kuadrant.io/aws'

config/install/configure/azure/cluster-issuer.yaml

@@ -0,0 +1,25 @@
+## TODO
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-azure
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # email: $EMAIL_ADDRESS
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - dns01:
+          azureDNS:
+            clientID: AZURE_CERT_MANAGER_SP_APP_ID
+            clientSecretSecretRef:
+              # The following is the secret we created in Kubernetes. Issuer will use this to present challenge to Azure DNS.
+              name: azuredns-config
+              key: client-secret
+            subscriptionID: AZURE_SUBSCRIPTION_ID
+            tenantID: AZURE_TENANT_ID
+            resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP
+            hostedZoneName: AZURE_DNS_ZONE
+            # Azure Cloud Environment, default to AzurePublicCloud
+            environment: AzurePublicCloud

config/install/configure/azure/kustomization.yaml

@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+## NOTE YOU NEED TO CREATE A azure-provider-credentials.env file first!
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    app.kubernetes.io/part-of: kuadrant
+    app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+  - name: azure-provider-credentials
+    namespace: kuadrant-system
+    envs:
+      - azure-credentials.env
+    type: 'kuadrant.io/azure'
+  - name: azure-provider-credentials
+    namespace: cert-manager
+    envs:
+      - azure-credentials.env
+    type: 'kuadrant.io/azure'
+  - name: azure-provider-credentials
+    namespace: gateway-system
+    envs:
+      - azure-credentials.env
+    type: 'kuadrant.io/azure'

config/install/configure/gcp/cluster-issuer.yaml

@@ -0,0 +1,20 @@
+## TODO
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-gcp
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # email: $EMAIL_ADDRESS
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - dns01:
+          cloudDNS:
+            # The ID of the GCP project
+            project: $PROJECT_ID
+            # This is the secret used to access the service account
+            serviceAccountSecretRef:
+              name: gcp-provider-credentials
+              key: key.json

config/install/configure/gcp/kustomization.yaml

@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+## NOTE YOU NEED TO CREATE A gcp-provider-credentials.env file first!
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    app.kubernetes.io/part-of: kuadrant
+    app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+  - name: gcp-provider-credentials
+    namespace: kuadrant-system
+    envs:
+      - gcp-credentials.env
+    type: 'kuadrant.io/gcp'
+  - name: gcp-provider-credentials
+    namespace: cert-manager
+    envs:
+      - gcp-credentials.env
+    type: 'kuadrant.io/gcp'
+  - name: gcp-provider-credentials
+    namespace: gateway-system
+    envs:
+      - gcp-credentials.env
+    type: 'kuadrant.io/gcp'

config/install/configure/kitchen-sink/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../dns-aws
+  - ../dns-azure
+  - ../dns-gcp
+  - ../redis-storage
+  - ../tls-lets-encrypt

config/install/configure/observability/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.6.0
+  - ../../../observability/openshift/
+  - ../../../observability/prometheus/monitors/

config/install/configure/redis-storage/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - limitador.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    app.kubernetes.io/part-of: kuadrant
+    app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+  - name: redis-credentials
+    namespace: kuadrant-system
+    envs:
+      - redis-credentials.env
+    type: 'kuadrant.io/aws'

config/install/configure/redis-storage/limitador.yaml

@@ -0,0 +1,10 @@
+apiVersion: limitador.kuadrant.io/v1alpha1
+kind: Limitador
+metadata:
+  name: limitador
+  namespace: kuadrant-system
+spec:
+  storage:
+    redis:
+      configSecretRef:
+        name: redis-credentials

config/install/configure/standard/kuadrant.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuadrant.io/v1beta1
+kind: Kuadrant
+metadata:
+  name: kuadrant
+  namespace: kuadrant-system

config/install/configure/standard/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - sail.yaml
+  - kuadrant.yaml

config/install/configure/standard/sail.yaml

@@ -0,0 +1,13 @@
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+metadata:
+  name: default
+spec:
+  namespace: gateway-system
+  updateStrategy:
+    type: InPlace
+    inactiveRevisionDeletionGracePeriodSeconds: 30
+  version: v1.23.0
+  values:
+    pilot:
+      autoscaleEnabled: false

config/install/configure/tls-lets-encrypt/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - cluster-issuer.yaml

config/install/standard/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
+  - sail-operator.yaml
+  - ../../deploy/olm
+
+patches:
+  - patch: |-
+      apiVersion: operators.coreos.com/v1alpha1
+      kind: CatalogSource
+      metadata:
+        name: kuadrant-operator-catalog
+      spec:
+        image: quay.io/kuadrant/kuadrant-operator-catalog:v1.0.0-rc4  #change this to the version you want to install