add a basic kustomize install

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

.gitignore

@@ -23,6 +23,7 @@ testbin/*
 .vscode
 *.swp
 *.swo
+*.env
 *~
 /kuadrant-operator
 tmp

config/install/README.md

@@ -0,0 +1,87 @@
+# Install Kaudrant and Sail via OLM
+
+- Pre-Req is that OLM (operator lifecycle manager) is already installed
+
+- (optional dependencies)
+  - If you want to use `TLSPolicy` you should install the cert-manager operator. 
+  - AWS/Azure or GCP with DNS capabilities if you want to make use of `DNSPolicy`.
+  - Accessible Redis instance, if you want persistent storage for your rate limit counters.
+
+
+Install the Sail and Kuadrant Operators via OLM:
+
+
+> Note: By default this will install the "latest" or "main" of kuadrant. To change that, pick a release from the releases page in the kuadrant operator and change the image in the `config/deploy/olm/catalogsource.yaml` or if you are familiar with kustomize you could apply your own kustomization.
+
+```
+kubectl apply -k config/install/standard
+``` 
+
+3) verify kuadrant and sail operators are installed. Note this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below:
+
+```
+kubectl get deployments -n kuadrant-system
+
+NAME                                    READY   UP-TO-DATE   AVAILABLE   AGE
+authorino-operator                      1/1     1            1           83m
+dns-operator-controller-manager         1/1     1            1           83m
+kuadrant-console-plugin                 1/1     1            1           83m
+kuadrant-operator-controller-manager    1/1     1            1           83m
+limitador-operator-controller-manager   1/1     1            1           83m
+
+```
+kubectl get deployments -n gateway-system
+
+NAME            READY   UP-TO-DATE   AVAILABLE   AGE
+sail-operator   1/1     1            1           81m
+
+```
+
+## Configure the installation
+
+### TLS and DNS integration
+
+To setup the DNS and TLS integration (TLS also uses DNS for verification) follow these steps:
+
+1) Depending on your choice of cloud provider:
+    - setup the needed `CLOUD_PROVIDER-credentals.env` in the cloud provider directory. E.G create `aws-credentials.env` in the `install/configure/aws` directory
+
+3) execute the configure for that cloud provider
+
+```
+kubectl apply -k config/install/configure/aws
+
+```
+
+This will configure Kuadrant and Sail installing their components as well as setup the the credentials needed for access DNS zones in the cloud provider and create a lets-encrypt cluster issuer configured to use DNS based validation.
+
+### Validate
+
+Validate Kuadrant is ready via the kuadrant resource status condition
+
+```
+kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml
+
+```
+
+At this point Kuadrant is ready to use. Below are some additonal configuration that can be applied.
+
+### External Redis
+
+create a `redis-credential.env` in the `config/install/configure/redis-storage` dir
+
+```
+kubectl apply -k config/install/configure/redis-storage
+
+```
+
+This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarilly unavailable as it restarts.
+
+### Validate
+
+Validate Kuadrant is in a ready state as before:
+
+```
+kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml
+
+```

config/install/configure/aws/cluster-issuer.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: lets-encrypt-aws
+spec:
+  acme:
+    privateKeySecretRef:
+      name: le-secret
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+      - dns01:
+          route53:
+            accessKeyIDSecretRef:
+              key: AWS_ACCESS_KEY_ID
+              name: aws-credentials
+            region: us-east-1 #override if needed
+            secretAccessKeySecretRef:
+              key: AWS_SECRET_ACCESS_KEY
+              name: aws-credentials

config/install/configure/aws/kustomization.yaml

@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+## NOTE YOU NEED TO CREATE A aws-provider-credentials.env file first!
+
+resources:
+  - ../standard
+  - cluster-issuer.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    app.kubernetes.io/part-of: kuadrant
+    app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+  - name: aws-provider-credentials
+    namespace: cert-manager
+    envs:
+      - aws-credentials.env
+    type: 'kuadrant.io/aws'
+  - name: aws-provider-credentials
+    namespace: gateway-system
+    envs:
+      - aws-credentials.env
+    type: 'kuadrant.io/aws'

config/install/configure/azure/cluster-issuer.yaml

@@ -0,0 +1,25 @@
+## TODO
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-azure
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # email: $EMAIL_ADDRESS
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - dns01:
+          azureDNS:
+            clientID: AZURE_CERT_MANAGER_SP_APP_ID
+            clientSecretSecretRef:
+              # The following is the secret we created in Kubernetes. Issuer will use this to present challenge to Azure DNS.
+              name: azuredns-config
+              key: client-secret
+            subscriptionID: AZURE_SUBSCRIPTION_ID
+            tenantID: AZURE_TENANT_ID
+            resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP
+            hostedZoneName: AZURE_DNS_ZONE
+            # Azure Cloud Environment, default to AzurePublicCloud
+            environment: AzurePublicCloud

config/install/configure/azure/kustomization.yaml

@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+## NOTE YOU NEED TO CREATE A azure-provider-credentials.env file first!
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    app.kubernetes.io/part-of: kuadrant
+    app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+  - name: azure-provider-credentials
+    namespace: kuadrant-system
+    envs:
+      - azure-credentials.env
+    type: 'kuadrant.io/azure'
+  - name: azure-provider-credentials
+    namespace: cert-manager
+    envs:
+      - azure-credentials.env
+    type: 'kuadrant.io/azure'
+  - name: azure-provider-credentials
+    namespace: gateway-system
+    envs:
+      - azure-credentials.env
+    type: 'kuadrant.io/azure'

config/install/configure/gcp/cluster-issuer.yaml

@@ -0,0 +1,20 @@
+## TODO
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-gcp
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # email: $EMAIL_ADDRESS
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - dns01:
+          cloudDNS:
+            # The ID of the GCP project
+            project: $PROJECT_ID
+            # This is the secret used to access the service account
+            serviceAccountSecretRef:
+              name: gcp-provider-credentials
+              key: key.json

config/install/configure/gcp/kustomization.yaml

@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+## NOTE YOU NEED TO CREATE A gcp-provider-credentials.env file first!
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    app.kubernetes.io/part-of: kuadrant
+    app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+  - name: gcp-provider-credentials
+    namespace: kuadrant-system
+    envs:
+      - gcp-credentials.env
+    type: 'kuadrant.io/gcp'
+  - name: gcp-provider-credentials
+    namespace: cert-manager
+    envs:
+      - gcp-credentials.env
+    type: 'kuadrant.io/gcp'
+  - name: gcp-provider-credentials
+    namespace: gateway-system
+    envs:
+      - gcp-credentials.env
+    type: 'kuadrant.io/gcp'

config/install/configure/kitchen-sink/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../dns-aws
+  - ../dns-azure
+  - ../dns-gcp
+  - ../redis-storage
+  - ../tls-lets-encrypt

config/install/configure/redis-storage/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - limitador.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    app.kubernetes.io/part-of: kuadrant
+    app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+  - name: redis-credentials
+    namespace: kuadrant-system
+    envs:
+      - redis-credentials.env
+    type: 'kuadrant.io/aws'

config/install/configure/redis-storage/limitador.yaml

@@ -0,0 +1,10 @@
+apiVersion: limitador.kuadrant.io/v1alpha1
+kind: Limitador
+metadata:
+  name: limitador
+  namespace: kuadrant-system
+spec:
+  storage:
+    redis:
+      configSecretRef:
+        name: redis-credentials

config/install/configure/standard/kuadrant.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuadrant.io/v1beta1
+kind: Kuadrant
+metadata:
+  name: kuadrant
+  namespace: kuadrant-system

config/install/configure/standard/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - sail.yaml
+  - kuadrant.yaml

config/install/configure/standard/sail.yaml

@@ -0,0 +1,13 @@
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+metadata:
+  name: default
+spec:
+  namespace: gateway-system
+  updateStrategy:
+    type: InPlace
+    inactiveRevisionDeletionGracePeriodSeconds: 30
+  version: v1.23.0
+  values:
+    pilot:
+      autoscaleEnabled: false

config/install/configure/tls-lets-encrypt/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - cluster-issuer.yaml

config/install/standard/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
+  - sail-operator.yaml
+  - ../../deploy/olm
+
+patches:
+  - patch: |-
+      apiVersion: operators.coreos.com/v1alpha1
+      kind: CatalogSource
+      metadata:
+        name: kuadrant-operator-catalog
+      spec:
+        image: quay.io/kuadrant/kuadrant-operator-catalog:1.0.0-rc1  #change this to the version you want to install

config/install/standard/sail-operator.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: sail
+  name: gateway-system
+---
+kind: OperatorGroup
+apiVersion: operators.coreos.com/v1
+metadata:
+  name: sail
+  namespace: gateway-system
+spec:
+  upgradeStrategy: Default
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: sailoperator
+  namespace: gateway-system
+spec:
+  channel: candidates
+  installPlanApproval: Automatic
+  name: sailoperator
+  source: community-operators
+  sourceNamespace: openshift-marketplace