From e19741824e1cbd104a2957f80f494cfd077e2aa3 Mon Sep 17 00:00:00 2001
From: Michael Nairn
Date: Thu, 27 Jan 2022 16:55:16 +0000
Subject: [PATCH 1/2] Update namespace to kuadrant-system

Changes the default namespace from `kuadrant-operator-system` to `kuadrant-system`. The kuadrant controller is currently hard coded to use `kuadrant-system` when creating resources, so using it here ensures all kuadrant resources end up in the same ns. Will also make docs between the operator/controller/kuadrantcl repos more consistent.
---
 .github/workflows/test.yaml | 2 +-
 ...adrant-operator.clusterserviceversion.yaml | 94 +++++++++----------
 config/default/kustomization.yaml | 2 +-
 .../controller/kustomization.template.yaml | 3 +
 .../controller/kustomization.yaml | 3 +
 config/dependencies/kustomization.yaml | 3 +-
 config/deploy/kustomization.yaml | 2 +-
 config/deploy/olm/kustomization.yaml | 2 +-
 config/deploy/olm/subscription.yaml | 2 +-
 make/kind.mk | 2 +-
 10 files changed, 60 insertions(+), 55 deletions(-)

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 7e7cde66f..b92383f29 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -72,7 +72,7 @@ jobs:
 make deploy
 - name: Wait for deployment
 run: |
- kubectl -n kuadrant-operator-system wait --timeout=300s --for=condition=Available deployments --all
+ kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all
 # Note: This doesn't run any actual tests yet!
 - name: Run make undeploy
 run: |
diff --git a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml
index 70a82dc88..0091b9bf2 100644
--- a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml
@@ -209,38 +209,26 @@ spec:
 - create
 serviceAccountName: kuadrant-operator-controller-manager
 deployments:
- - name: kuadrant-operator-controller-manager
+ - name: kuadrant-controller-manager
 spec:
 replicas: 1
 selector:
 matchLabels:
+ app: kuadrant
 control-plane: controller-manager
 strategy: {}
 template:
 metadata:
 labels:
+ app: kuadrant
 control-plane: controller-manager
 spec:
 containers:
 - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --logtostderr=true
- - --v=10
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
- name: kube-rbac-proxy
- ports:
- - containerPort: 8443
- name: https
- protocol: TCP
- resources: {}
- - args:
- - --health-probe-bind-address=:8081
- - --metrics-bind-address=127.0.0.1:8080
- - --leader-elect
+ - --config=controller_manager_config.yaml
 command:
 - /manager
- image: quay.io/kuadrant/kuadrant-operator:latest
+ image: quay.io/kuadrant/kuadrant-controller:latest
 livenessProbe:
 httpGet:
 path: /healthz
@@ -256,37 +244,68 @@ spec:
 periodSeconds: 10
 resources:
 limits:
- cpu: 200m
- memory: 100Mi
+ cpu: 100m
+ memory: 30Mi
 requests:
 cpu: 100m
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ volumeMounts:
+ - mountPath: /controller_manager_config.yaml
+ name: manager-config
+ subPath: controller_manager_config.yaml
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=10
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ resources: {}
 securityContext:
 runAsNonRoot: true
- serviceAccountName: kuadrant-operator-controller-manager
+ serviceAccountName: kuadrant-controller-manager
 terminationGracePeriodSeconds: 10
- - name: kuadrant-controller-manager
+ volumes:
+ - configMap:
+ name: kuadrant-manager-config
+ name: manager-config
+ - name: kuadrant-operator-controller-manager
 spec:
 replicas: 1
 selector:
 matchLabels:
- app: kuadrant
 control-plane: controller-manager
 strategy: {}
 template:
 metadata:
 labels:
- app: kuadrant
 control-plane: controller-manager
 spec:
 containers:
 - args:
- - --config=controller_manager_config.yaml
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=10
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources: {}
+ - args:
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=127.0.0.1:8080
+ - --leader-elect
 command:
 - /manager
- image: quay.io/kuadrant/kuadrant-controller:latest
+ image: quay.io/kuadrant/kuadrant-operator:latest
 livenessProbe:
 httpGet:
 path: /healthz
@@ -302,36 +321,17 @@ spec:
 periodSeconds: 10
 resources:
 limits:
- cpu: 100m
- memory: 30Mi
+ cpu: 200m
+ memory: 100Mi
 requests:
 cpu: 100m
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
- volumeMounts:
- - mountPath: /controller_manager_config.yaml
- name: manager-config
- subPath: controller_manager_config.yaml
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --logtostderr=true
- - --v=10
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
- name: kube-rbac-proxy
- ports:
- - containerPort: 8443
- name: https
- resources: {}
 securityContext:
 runAsNonRoot: true
- serviceAccountName: kuadrant-controller-manager
+ serviceAccountName: kuadrant-operator-controller-manager
 terminationGracePeriodSeconds: 10
- volumes:
- - configMap:
- name: kuadrant-manager-config
- name: manager-config
 permissions:
 - rules:
 - apiGroups:
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 67e616766..dcab6dcba 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -1,5 +1,5 @@
 # Adds namespace to all resources.
-namespace: kuadrant-operator-system
+namespace: kuadrant-system
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
diff --git a/config/dependencies/controller/kustomization.template.yaml b/config/dependencies/controller/kustomization.template.yaml
index 02a0b53d1..749dab8ce 100644
--- a/config/dependencies/controller/kustomization.template.yaml
+++ b/config/dependencies/controller/kustomization.template.yaml
@@ -1,2 +1,5 @@
 resources:
 - github.com/Kuadrant/kuadrant-controller/config/default?ref=${KUADRANT_CONTROLLER_GITREF}
+
+patchesStrategicMerge:
+ - delete-ns.yaml
diff --git a/config/dependencies/controller/kustomization.yaml b/config/dependencies/controller/kustomization.yaml
index a365daac4..678c7601a 100644
--- a/config/dependencies/controller/kustomization.yaml
+++ b/config/dependencies/controller/kustomization.yaml
@@ -1,2 +1,5 @@
 resources:
 - github.com/Kuadrant/kuadrant-controller/config/default?ref=main
+
+patchesStrategicMerge:
+ - delete-ns.yaml
diff --git a/config/dependencies/kustomization.yaml b/config/dependencies/kustomization.yaml
index 9e8d2d148..de897e9bb 100644
--- a/config/dependencies/kustomization.yaml
+++ b/config/dependencies/kustomization.yaml
@@ -1,4 +1,4 @@
-namespace: kuadrant-operator-system
+namespace: kuadrant-system
 
 resources:
 - controller
@@ -6,6 +6,5 @@ resources:
 - limitador
 
 patchesStrategicMerge:
- - controller/delete-ns.yaml
 - authorino/delete-ns.yaml
 - limitador/delete-ns.yaml
diff --git a/config/deploy/kustomization.yaml b/config/deploy/kustomization.yaml
index 07a3d2a6e..e28931fe8 100644
--- a/config/deploy/kustomization.yaml
+++ b/config/deploy/kustomization.yaml
@@ -1,4 +1,4 @@
-namespace: kuadrant-operator-system
+namespace: kuadrant-system
 
 resources:
 - ../default
diff --git a/config/deploy/olm/kustomization.yaml b/config/deploy/olm/kustomization.yaml
index ab5fe9df5..22009d8ba 100644
--- a/config/deploy/olm/kustomization.yaml
+++ b/config/deploy/olm/kustomization.yaml
@@ -1,5 +1,5 @@
 # Adds namespace to all resources.
-namespace: kuadrant-operator-system
+namespace: kuadrant-system
 
 resources:
 - namespace.yaml
diff --git a/config/deploy/olm/subscription.yaml b/config/deploy/olm/subscription.yaml
index 095b456fa..58a9456e7 100644
--- a/config/deploy/olm/subscription.yaml
+++ b/config/deploy/olm/subscription.yaml
@@ -4,6 +4,6 @@ metadata:
 name: kuadrant
 spec:
 source: kuadrant-operator-catalog
- sourceNamespace: kuadrant-operator-system
+ sourceNamespace: kuadrant-system
 name: kuadrant-operator
 channel: "alpha"
diff --git a/make/kind.mk b/make/kind.mk
index 6be069d3d..885e61b2a 100644
--- a/make/kind.mk
+++ b/make/kind.mk
@@ -24,4 +24,4 @@ kind-create-kuadrant-cluster: kind-create-cluster ## Create a kind cluster with
 $(KIND) load docker-image $(IMG) --name $(KIND_CLUSTER_NAME)
 $(MAKE) install
 $(MAKE) deploy
- kubectl -n kuadrant-operator-system wait --timeout=300s --for=condition=Available deployments --all
+ kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all

From ed446eab57843d90a9ec95cccdd49671a1ca1fb5 Mon Sep 17 00:00:00 2001
From: Michael Nairn
Date: Wed, 26 Jan 2022 13:35:29 +0000
Subject: [PATCH 2/2] Add istio make commands

Add istio makefile with targets to help install/uninstall istio using istoctl. The default is to install it in it's own namespace `istio-system` since this is more likely how it will be deployed in a real world scenario. The install is also using the `default` profile which installs an ingress controller into the istio namespace `istio-ingressgateway`. Any example port-forward commands need to point to this ingress service:
```
kubectl port-forward -n istio-system service/istio-ingressgateway 9080:80
```
A temporary patch for the istio install and make targets to configure a hard coded kuadrant/authorino setup for dev/test purposes is also added. These are triggered using seperate make targets `istio-install-with-patch` and `post-deploy-hacks` and will be removed once the operator itself has taken over the responsibility of creating/configuring these resources.
---
 .github/workflows/test.yaml | 6 +++
 Makefile | 11 +++++
 config/dependencies/authorino/authorino.yaml | 14 +++++++
 .../dependencies/istio/default-gateway.yaml | 15 +++++++
 .../istio/patches/istio-externalProvider.yaml | 9 ++++
 make/istio.mk | 42 +++++++++++++++++++
 make/kind.mk | 3 +-
 7 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 config/dependencies/authorino/authorino.yaml
 create mode 100644 config/dependencies/istio/default-gateway.yaml
 create mode 100644 config/dependencies/istio/patches/istio-externalProvider.yaml
 create mode 100644 make/istio.mk

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index b92383f29..6175fa310 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -64,6 +64,9 @@ jobs:
 - name: Run make install
 run: |
 make install
+ - name: Run make istio-install
+ run: |
+ make istio-install
 - name: Load test image
 run: |
 kind load docker-image ${{ env.TEST_IMG }} --name ${{ env.KIND_CLUSTER_NAME }}
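Review bot: The new `make istio-install` step here and the `make istio-install-with-patch` step added in the next hunk both run `istioctl install` against the same kind cluster, so the job performs a full Istio install twice; make/kind.mk's kind-create-kuadrant-cluster repeats the same pattern. Unless the patched install has to run after the operator and Authorino are deployed (nothing in the patch file requires the target service to exist at install time), a single `make istio-install-with-patch` at this point would provide the Istio CRDs that `make deploy`'s post-deploy-hacks need and drop the second install, e.g. `- name: Run make istio-install-with-patch` / `run: |` / `make istio-install-with-patch` in place of this step. If the ordering is deliberate, a short comment on this step saying why Istio is installed before the patch is applied would stop someone collapsing the two.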
@@ -73,6 +76,9 @@ jobs:
 - name: Wait for deployment
 run: |
 kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all
+ - name: Run make istio-install-with-patch
+ run: |
+ make istio-install-with-patch
 # Note: This doesn't run any actual tests yet!
 - name: Run make undeploy
 run: |
diff --git a/Makefile b/Makefile
index 5c7ef1279..c0c288b7d 100644
--- a/Makefile
+++ b/Makefile
@@ -176,6 +176,7 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 $(KUSTOMIZE) build config/deploy | kubectl apply -f -
+ ${MAKE} post-deploy-hacks
 
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 $(KUSTOMIZE) build config/deploy | kubectl delete -f -
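Review bot: `deploy` now unconditionally runs `${MAKE} post-deploy-hacks` (and `deploy-olm` in the next hunk does the same), so a plain `make deploy` against whatever cluster ~/.kube/config points at also applies the dev/test resources that target creates — the Authorino CR with TLS disabled on its listener and OIDC server, and the wildcard plain-HTTP Gateway — not just the operator. If `deploy` is meant to stay usable outside kind/CI, keep that line out of it and call the hack target explicitly from the kind target and the workflow (both already drive `deploy` and then wait on the namespace), or gate it, e.g. `$(if $(strip $(SKIP_POST_DEPLOY_HACKS)),,${MAKE} post-deploy-hacks)`. At minimum the target's `## Deploy controller to the K8s cluster specified in ~/.kube/config.` help text should say that it also applies these dev/test resources while post-deploy-hacks exists.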
@@ -190,10 +191,20 @@ uninstall-olm:
 deploy-olm: ## Deploy controller to the K8s cluster specified in ~/.kube/config using OLM catalog image.
 $(KUSTOMIZE) build config/deploy/olm | kubectl apply -f -
+ ${MAKE} post-deploy-hacks
 
 undeploy-olm: ## Undeploy controller from the K8s cluster specified in ~/.kube/config using OLM catalog image.
 $(KUSTOMIZE) build config/deploy/olm | kubectl delete -f -
 
+#This target is temporary to aid dev/test of the operator. Eventually it will be the responsibility of the
+# operator itself to create/configure these things as part of the reconciliation of a kuadrant CR.
+post-deploy-hacks:
+ # Wait for deployment to complete
+ timeout 60s bash -c 'until kubectl -n kuadrant-system get deployments/kuadrant-operator-controller-manager; do sleep 10; done;'
+ kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all
+ kubectl apply -f config/dependencies/istio/default-gateway.yaml -n kuadrant-system
+ kubectl apply -f config/dependencies/authorino/authorino.yaml -n kuadrant-system
+
 
 CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
 $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.7.0)
diff --git a/config/dependencies/authorino/authorino.yaml b/config/dependencies/authorino/authorino.yaml
new file mode 100644
index 000000000..49bf82e04
--- /dev/null
+++ b/config/dependencies/authorino/authorino.yaml
@@ -0,0 +1,14 @@
+apiVersion: operator.authorino.kuadrant.io/v1beta1
+kind: Authorino
+metadata:
+ name: authorino
+ namespace: kuadrant-system
+spec:
+ replicas: 1
+ clusterWide: false
+ listener:
+ tls:
+ enabled: false
+ oidcServer:
+ tls:
+ enabled: false
diff --git a/config/dependencies/istio/default-gateway.yaml b/config/dependencies/istio/default-gateway.yaml
new file mode 100644
index 000000000..e0f4b04d9
--- /dev/null
+++ b/config/dependencies/istio/default-gateway.yaml
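Review bot: `post-deploy-hacks` is a command target but nothing in this hunk declares it `.PHONY`, so a stray file named post-deploy-hacks in the repo root would make `deploy`'s `${MAKE} post-deploy-hacks` report it up to date and silently skip the applies; if this Makefile keeps its `.PHONY` list elsewhere add it there, otherwise put `.PHONY: post-deploy-hacks` above the target. The `# Wait for deployment to complete` line sits inside the recipe, so if it is tab-indented Make passes it to the shell (and echoes it) on every run instead of treating it as a Make comment — prefix it with `@#` or move it above the target line. The polling loop `timeout 60s bash -c 'until … get deployments/…; do sleep 10; done;'` allows at most six attempts before giving up, which may be tight on a cold kind cluster that is still pulling the operator image; the subsequent `kubectl wait --timeout=300s` suggests 300s was the intended budget.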
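Review bot: This Authorino CR disables TLS on both the authorization listener and the OIDC server (`listener.tls.enabled: false`, `oidcServer.tls.enabled: false`) and nothing in the file says it is a dev/test fixture; the commit message does, but the manifest is what `post-deploy-hacks` applies to the cluster. A header comment such as `# Dev/test-only Authorino instance: TLS is disabled on the authorization listener and the OIDC server. Applied by the temporary post-deploy-hacks Makefile target; not intended for production clusters.` would carry that intent with the file. The same note applies to config/dependencies/istio/default-gateway.yaml, which exposes a plain-HTTP server on port 80 for hosts `"*"` with no TLS server defined.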
@@ -0,0 +1,15 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: kuadrant-gateway
+ namespace: kuadrant-system
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
diff --git a/config/dependencies/istio/patches/istio-externalProvider.yaml b/config/dependencies/istio/patches/istio-externalProvider.yaml
new file mode 100644
index 000000000..63463af86
--- /dev/null
+++ b/config/dependencies/istio/patches/istio-externalProvider.yaml
@@ -0,0 +1,9 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ meshConfig:
+ extensionProviders:
+ - name: "kuadrant-authorization"
+ envoyExtAuthzGrpc:
+ service: "authorino-authorino-authorization.kuadrant-system.svc.cluster.local"
+ port: 50051
diff --git a/make/istio.mk b/make/istio.mk
new file mode 100644
index 000000000..b1e9260a3
--- /dev/null
+++ b/make/istio.mk
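Review bot: The ext-authz provider address `authorino-authorino-authorization.kuadrant-system.svc.cluster.local` hard-codes both the Authorino CR name (`authorino`) and the namespace (`kuadrant-system`) from config/dependencies/authorino/authorino.yaml, and the first commit in this series has just renamed that namespace, so the coupling deserves a comment, e.g. `# Must match the Authorino CR in config/dependencies/authorino/authorino.yaml: the service name appears to be <cr-name>-authorino-authorization in the CR's namespace.`. It is also worth stating in the same comment that port 50051 is reached in plaintext, which only holds while that CR keeps `listener.tls.enabled: false`; enabling TLS on the listener later would require a TLS-aware provider entry here as well.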
@@ -0,0 +1,42 @@
+
+##@ Istio
+
+## Targets to help install and configure istio
+
+ISTIO_PATCHES_DIR = config/dependencies/istio/patches
+ISTIO_NAMESPACE = istio-system
+ISTIO_INSTALL_OPTIONS ?= --set profile=default \
+ --set values.gateways.istio-ingressgateway.autoscaleEnabled=false \
+ --set values.pilot.autoscaleEnabled=false \
+ --set values.global.istioNamespace=$(ISTIO_NAMESPACE)
+
+# istioctl tool
+ISTIOCTL=$(shell pwd)/bin/istioctl
+ISTIOVERSION = 1.12.1
+$(ISTIOCTL):
+ mkdir -p $(PROJECT_PATH)/bin
+ $(eval TMP := $(shell mktemp -d))
+ cd $(TMP); curl -sSL https://istio.io/downloadIstio | ISTIO_VERSION=$(ISTIOVERSION) sh -
+ cp $(TMP)/istio-$(ISTIOVERSION)/bin/istioctl ${ISTIOCTL}
+ -rm -rf $(TMP)
+
+.PHONY: istioctl
+istioctl: $(ISTIOCTL) ## Download istioctl locally if necessary.
+
+.PHONY: istio-install
+istio-install: istioctl ## Install istio.
+ $(ISTIOCTL) install -y $(ISTIO_INSTALL_OPTIONS)
+
+#Note: This target is here temporarily to aid dev/test of the operator. Eventually it will be the responsibility of the
+# operator itself to configure istio as part of the reconciliation of a kuadrant CR.
+.PHONY: istio-install-with-patch
+istio-install-with-patch: istioctl ## Install istio with patch to add authorino auth extension.
+ $(ISTIOCTL) install -y $(ISTIO_INSTALL_OPTIONS) -f $(ISTIO_PATCHES_DIR)/istio-externalProvider.yaml
+
+.PHONY: istio-uninstall
+istio-uninstall: istioctl ## Uninstall istio.
+ $(ISTIOCTL) x uninstall -y --purge
+
+.PHONY: istio-verify-install
+istio-verify-install: istioctl ## Verify istio installation.
+ $(ISTIOCTL) verify-install -i $(ISTIO_NAMESPACE)
diff --git a/make/kind.mk b/make/kind.mk
index 885e61b2a..1cad3ec9f 100644
--- a/make/kind.mk
+++ b/make/kind.mk
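Review bot: The `$(ISTIOCTL)` recipe pipes an unpinned remote script straight into `sh` (`curl -sSL https://istio.io/downloadIstio | ISTIO_VERSION=$(ISTIOVERSION) sh -`) and chains `cd $(TMP)` to it with `;`, so if `mktemp -d` fails and `TMP` expands empty, `cd` lands in the home directory and the download extracts there; `cd $(TMP) && curl -sSL https://istio.io/downloadIstio | ISTIO_VERSION=$(ISTIOVERSION) sh -` closes that hole, and fetching the pinned `$(ISTIOVERSION)` release archive directly and checking it against the published checksum before copying `bin/istioctl` out would remove the trust in whatever the script serves on a given day. Separately, `ISTIOCTL=$(shell pwd)/bin/istioctl` is a recursive assignment, so `pwd` is re-run on every expansion — `ISTIOCTL := $(shell pwd)/bin/istioctl`. The recipe also creates `$(PROJECT_PATH)/bin` but copies into `$(shell pwd)/bin`; PROJECT_PATH is defined outside this file and is presumably the same directory, but using one of the two for both lines would make that explicit.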
@@ -19,9 +19,10 @@ kind-delete-cluster: ## Delete the "kuadrant-local" kind cluster.
 
 .PHONY: kind-create-kuadrant-cluster
 kind-create-kuadrant-cluster: export IMG := quay.io/kuadrant/kuadrant-operator:dev
-kind-create-kuadrant-cluster: kind-create-cluster ## Create a kind cluster with kuadrant deployed.
+kind-create-kuadrant-cluster: kind-create-cluster istio-install ## Create a kind cluster with kuadrant deployed.
 $(MAKE) docker-build
 $(KIND) load docker-image $(IMG) --name $(KIND_CLUSTER_NAME)
 $(MAKE) install
 $(MAKE) deploy
 kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all
+ $(MAKE) istio-install-with-patch
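Review bot: `istio-install` is added as a prerequisite of `kind-create-kuadrant-cluster` next to `kind-create-cluster`, but no edge makes it depend on the cluster existing: under `make -j` the two prerequisites can run concurrently, and `istioctl install` would then target whatever cluster the current kubeconfig points at before kind has created the new one. Running it from the recipe keeps the ordering explicit — drop `istio-install` from the prerequisite list and add `$(MAKE) istio-install` as the first recipe line, after `kind-create-cluster` has completed. The recipe already ends with `$(MAKE) istio-install-with-patch`, which re-runs `istioctl install` with the patch, so if the plain install is only there to make the Istio CRDs available before `$(MAKE) deploy`, that line could become the patched install and the trailing one be removed.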