From 79a1a19fab80ac5be8a34e42d175d4a77d72ab96 Mon Sep 17 00:00:00 2001 From: craig Date: Wed, 6 Nov 2024 12:29:13 +0000 Subject: [PATCH 01/16] add a basic kustomize install 
Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- .gitignore | 1 + config/install/README.md | 97 +++++++++++++++++++ .../install/configure/aws/cluster-issuer.yaml | 19 ++++ .../install/configure/aws/kustomization.yaml | 26 +++++ .../configure/azure/cluster-issuer.yaml | 25 +++++ .../configure/azure/kustomization.yaml | 27 ++++++ .../install/configure/gcp/cluster-issuer.yaml | 20 ++++ .../install/configure/gcp/kustomization.yaml | 27 ++++++ .../configure/kitchen-sink/kustomization.yaml | 9 ++ .../redis-storage/kustomization.yaml | 17 ++++ .../configure/redis-storage/limitador.yaml | 10 ++ .../install/configure/standard/kuadrant.yaml | 5 + .../configure/standard/kustomization.yaml | 5 + config/install/configure/standard/sail.yaml | 13 +++ .../tls-lets-encrypt/kustomization.yaml | 5 + config/install/standard/kustomization.yaml | 16 +++ config/install/standard/sail-operator.yaml | 26 +++++ doc/install/install-openshift.md | 45 +++++++-- doc/user-guides/secure-protect-connect.md | 16 ++- main.go | 4 +- 20 files changed, 400 insertions(+), 13 deletions(-) create mode 100644 config/install/README.md create mode 100644 config/install/configure/aws/cluster-issuer.yaml create mode 100644 config/install/configure/aws/kustomization.yaml create mode 100644 config/install/configure/azure/cluster-issuer.yaml create mode 100644 config/install/configure/azure/kustomization.yaml create mode 100644 config/install/configure/gcp/cluster-issuer.yaml create mode 100644 config/install/configure/gcp/kustomization.yaml create mode 100644 config/install/configure/kitchen-sink/kustomization.yaml create mode 100644 config/install/configure/redis-storage/kustomization.yaml create mode 100644 config/install/configure/redis-storage/limitador.yaml create mode 100644 config/install/configure/standard/kuadrant.yaml create mode 100644 config/install/configure/standard/kustomization.yaml create mode 100644 config/install/configure/standard/sail.yaml create mode 
100644 config/install/configure/tls-lets-encrypt/kustomization.yaml create mode 100644 config/install/standard/kustomization.yaml create mode 100644 config/install/standard/sail-operator.yaml diff --git a/.gitignore b/.gitignore index 10897f3e1..a9e73b929 100644 --- a/.gitignore +++ b/.gitignore @@ -23,6 +23,7 @@ testbin/* .vscode *.swp *.swo +*.env *~ /kuadrant-operator tmp diff --git a/config/install/README.md b/config/install/README.md new file mode 100644 index 000000000..0bec3ef1e --- /dev/null +++ b/config/install/README.md 
@@ -0,0 +1,97 @@ +# Install Kaudrant and Sail via OLM + +- Pre-Req is that OLM (operator lifecycle manager) is already installed + +- (optional dependencies) + - If you want to use `TLSPolicy` you should install the cert-manager operator. + - AWS/Azure or GCP with DNS capabilities if you want to make use of `DNSPolicy`. + - Accessible Redis instance, if you want persistent storage for your rate limit counters. + + +Install the Sail and Kuadrant Operators via OLM: + + +> Note: By default this will install the "latest" or "main" of kuadrant. To change that, pick a release from the releases page in the kuadrant operator and change the image in the `config/deploy/olm/catalogsource.yaml` or if you are familiar with kustomize you could apply your own kustomization. + +``` +kubectl apply -k config/install/standard +``` + +3) verify kuadrant and sail operators are installed. Note this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below: + +``` +kubectl get deployments -n kuadrant-system +``` + +``` + +NAME READY UP-TO-DATE AVAILABLE AGE +authorino-operator 1/1 1 1 83m +dns-operator-controller-manager 1/1 1 1 83m +kuadrant-console-plugin 1/1 1 1 83m +kuadrant-operator-controller-manager 1/1 1 1 83m +limitador-operator-controller-manager 1/1 1 1 83m + +``` + + + +``` +kubectl get deployments -n gateway-system +``` + +``` + +NAME READY UP-TO-DATE AVAILABLE AGE +sail-operator 1/1 1 1 81m + +``` + +## Configure the installation + +### TLS and DNS integration + +To setup the DNS and TLS integration (TLS also uses DNS for verification) follow these steps: + +1) Depending on your choice of cloud provider: + - setup the needed `CLOUD_PROVIDER-credentals.env` in the cloud provider directory. 
E.G create `aws-credentials.env` in the `install/configure/aws` directory + +3) execute the configure for that cloud provider + +``` +kubectl apply -k config/install/configure/aws + +``` + +This will configure Kuadrant and Sail installing their components as well as setup the the credentials needed for access DNS zones in the cloud provider and create a lets-encrypt cluster issuer configured to use DNS based validation. + +### Validate + +Validate Kuadrant is ready via the kuadrant resource status condition + +``` +kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml + +``` + +At this point Kuadrant is ready to use. Below are some additonal configuration that can be applied. + +### External Redis + +create a `redis-credential.env` in the `config/install/configure/redis-storage` dir + +``` +kubectl apply -k config/install/configure/redis-storage + +``` + +This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarilly unavailable as it restarts. + +### Validate + +Validate Kuadrant is in a ready state as before: + +``` +kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml + +``` \ No newline at end of file diff --git a/config/install/configure/aws/cluster-issuer.yaml b/config/install/configure/aws/cluster-issuer.yaml new file mode 100644 index 000000000..6075fb10a --- /dev/null +++ b/config/install/configure/aws/cluster-issuer.yaml @@ -0,0 +1,19 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: lets-encrypt-aws +spec: + acme: + privateKeySecretRef: + name: le-secret + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + - dns01: + route53: + accessKeyIDSecretRef: + key: AWS_ACCESS_KEY_ID + name: aws-credentials + region: us-east-1 #override if needed + secretAccessKeySecretRef: + key: AWS_SECRET_ACCESS_KEY + name: aws-credentials 
diff --git a/config/install/configure/aws/kustomization.yaml b/config/install/configure/aws/kustomization.yaml new file mode 100644 index 000000000..831238e72 --- /dev/null +++ b/config/install/configure/aws/kustomization.yaml @@ -0,0 +1,26 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +## NOTE YOU NEED TO CREATE A aws-provider-credentials.env file first! + +resources: + - ../standard + - cluster-issuer.yaml + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: aws-provider-credentials + namespace: cert-manager + envs: + - aws-credentials.env + type: 'kuadrant.io/aws' + - name: aws-provider-credentials + namespace: gateway-system + envs: + - aws-credentials.env + type: 'kuadrant.io/aws' diff --git a/config/install/configure/azure/cluster-issuer.yaml b/config/install/configure/azure/cluster-issuer.yaml new file mode 100644 index 000000000..0d552e2b3 --- /dev/null +++ b/config/install/configure/azure/cluster-issuer.yaml @@ -0,0 +1,25 @@ +## TODO +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-azure +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + # email: $EMAIL_ADDRESS + privateKeySecretRef: + name: letsencrypt + solvers: + - dns01: + azureDNS: + clientID: AZURE_CERT_MANAGER_SP_APP_ID + clientSecretSecretRef: + # The following is the secret we created in Kubernetes. Issuer will use this to present challenge to Azure DNS. + name: azuredns-config + key: client-secret + subscriptionID: AZURE_SUBSCRIPTION_ID + tenantID: AZURE_TENANT_ID + resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP + hostedZoneName: AZURE_DNS_ZONE + # Azure Cloud Environment, default to AzurePublicCloud + environment: AzurePublicCloud diff --git a/config/install/configure/azure/kustomization.yaml b/config/install/configure/azure/kustomization.yaml new file mode 100644 index 000000000..0f7c0f03f 
--- /dev/null +++ b/config/install/configure/azure/kustomization.yaml @@ -0,0 +1,27 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +## NOTE YOU NEED TO CREATE A azure-provider-credentials.env file first! + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: azure-provider-credentials + namespace: kuadrant-system + envs: + - azure-credentials.env + type: 'kuadrant.io/azure' + - name: azure-provider-credentials + namespace: cert-manager + envs: + - azure-credentials.env + type: 'kuadrant.io/azure' + - name: azure-provider-credentials + namespace: gateway-system + envs: + - azure-credentials.env + type: 'kuadrant.io/azure' diff --git a/config/install/configure/gcp/cluster-issuer.yaml b/config/install/configure/gcp/cluster-issuer.yaml new file mode 100644 index 000000000..755f6b963 --- /dev/null +++ b/config/install/configure/gcp/cluster-issuer.yaml @@ -0,0 +1,20 @@ +## TODO +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-gcp +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + # email: $EMAIL_ADDRESS + privateKeySecretRef: + name: letsencrypt + solvers: + - dns01: + cloudDNS: + # The ID of the GCP project + project: $PROJECT_ID + # This is the secret used to access the service account + serviceAccountSecretRef: + name: gcp-provider-credentials + key: key.json diff --git a/config/install/configure/gcp/kustomization.yaml b/config/install/configure/gcp/kustomization.yaml new file mode 100644 index 000000000..54071c718 --- /dev/null +++ b/config/install/configure/gcp/kustomization.yaml 
@@ -0,0 +1,27 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +## NOTE YOU NEED TO CREATE A gcp-provider-credentials.env file first! + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: gcp-provider-credentials + namespace: kuadrant-system + envs: + - gcp-credentials.env + type: 'kuadrant.io/gcp' + - name: gcp-provider-credentials + namespace: cert-manager + envs: + - gcp-credentials.env + type: 'kuadrant.io/gcp' + - name: gcp-provider-credentials + namespace: gateway-system + envs: + - gcp-credentials.env + type: 'kuadrant.io/gcp' diff --git a/config/install/configure/kitchen-sink/kustomization.yaml b/config/install/configure/kitchen-sink/kustomization.yaml new file mode 100644 index 000000000..74bde7691 --- /dev/null +++ b/config/install/configure/kitchen-sink/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../dns-aws + - ../dns-azure + - ../dns-gcp + - ../redis-storage + - ../tls-lets-encrypt diff --git a/config/install/configure/redis-storage/kustomization.yaml b/config/install/configure/redis-storage/kustomization.yaml new file mode 100644 index 000000000..862321f8f --- /dev/null +++ b/config/install/configure/redis-storage/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - limitador.yaml + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: redis-credentials + namespace: kuadrant-system + envs: + - redis-credentials.env + type: 'kuadrant.io/aws' diff --git a/config/install/configure/redis-storage/limitador.yaml b/config/install/configure/redis-storage/limitador.yaml new file mode 100644 index 000000000..cc06dbb50 --- /dev/null 
+++ b/config/install/configure/redis-storage/limitador.yaml @@ -0,0 +1,10 @@ +apiVersion: limitador.kuadrant.io/v1alpha1 +kind: Limitador +metadata: + name: limitador + namespace: kuadrant-system +spec: + storage: + redis: + configSecretRef: + name: redis-credentials diff --git a/config/install/configure/standard/kuadrant.yaml b/config/install/configure/standard/kuadrant.yaml new file mode 100644 index 000000000..4f7ebab0e --- /dev/null +++ b/config/install/configure/standard/kuadrant.yaml @@ -0,0 +1,5 @@ +apiVersion: kuadrant.io/v1beta1 +kind: Kuadrant +metadata: + name: kuadrant + namespace: kuadrant-system diff --git a/config/install/configure/standard/kustomization.yaml b/config/install/configure/standard/kustomization.yaml new file mode 100644 index 000000000..a09fcd6e0 --- /dev/null +++ b/config/install/configure/standard/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - sail.yaml + - kuadrant.yaml diff --git a/config/install/configure/standard/sail.yaml b/config/install/configure/standard/sail.yaml new file mode 100644 index 000000000..0db1b73e1 --- /dev/null +++ b/config/install/configure/standard/sail.yaml @@ -0,0 +1,13 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +metadata: + name: default +spec: + namespace: gateway-system + updateStrategy: + type: InPlace + inactiveRevisionDeletionGracePeriodSeconds: 30 + version: v1.23.0 + values: + pilot: + autoscaleEnabled: false diff --git a/config/install/configure/tls-lets-encrypt/kustomization.yaml b/config/install/configure/tls-lets-encrypt/kustomization.yaml new file mode 100644 index 000000000..c28642a40 --- /dev/null +++ b/config/install/configure/tls-lets-encrypt/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - cluster-issuer.yaml 
diff --git a/config/install/standard/kustomization.yaml b/config/install/standard/kustomization.yaml new file mode 100644 index 000000000..58e209420 --- /dev/null +++ b/config/install/standard/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml + - sail-operator.yaml + - ../../deploy/olm + +patches: + - patch: |- + apiVersion: operators.coreos.com/v1alpha1 + kind: CatalogSource + metadata: + name: kuadrant-operator-catalog + spec: + image: quay.io/kuadrant/kuadrant-operator-catalog:1.0.0-rc1 #change this to the version you want to install diff --git a/config/install/standard/sail-operator.yaml b/config/install/standard/sail-operator.yaml new file mode 100644 index 000000000..56edd1251 --- /dev/null +++ b/config/install/standard/sail-operator.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: sail + name: gateway-system +--- +kind: OperatorGroup +apiVersion: operators.coreos.com/v1 +metadata: + name: sail + namespace: gateway-system +spec: + upgradeStrategy: Default +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: sailoperator + namespace: gateway-system +spec: + channel: candidates + installPlanApproval: Automatic + name: sailoperator + source: community-operators + sourceNamespace: openshift-marketplace diff --git a/doc/install/install-openshift.md b/doc/install/install-openshift.md index 41cae2a63..5b18e0790 100644 --- a/doc/install/install-openshift.md +++ b/doc/install/install-openshift.md 
@@ -42,7 +42,7 @@ export KUADRANT_VERSION='vX.Y.Z' Before you can use Kuadrant, you must install Gateway API v1 as follows: ```bash -kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml +kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml ``` ### Step 3 - Install cert-manager @@ -100,7 +100,7 @@ metadata: name: sailoperator namespace: gateway-system spec: - channel: 3.0-dp1 + channel: candidates installPlanApproval: Automatic name: sailoperator source: community-operators @@ -122,24 +122,34 @@ To configure the Istio Gateway API provider, run the following command: ```bash kubectl apply -f - < **Note:** It may take a couple of minutes for the RateLimitPolicy to be applied depending on your cluster. @@ -343,9 +348,10 @@ The loadbalancing section here has the following attributes: - **geo:** This will be the geo used to decide whether to return records defined for this gateway based on the requesting client's location. This should be set even if you have one gateway in a single geo. - **defaultGeo:** For Azure and AWS, this will decide, if there should be a default geo. A default geo acts as a "catch-all" (GCP always sets a catch-all) for clients outside of the defined geo locations. There can only be one default value and so it is important you set `defaultGeo` as true for **one** and **only one** geo code for each of the gateways in that geo. -Wait for the DNSPolicy to marked as enforced: +Wait for the DNSPolicy to marked as accepted and enforced: ``` +kubectl --context $KUBECTL_CONTEXT wait dnspolicy simple-dnspolicy -n kuadrant-system --for=condition=accepted kubectl --context $KUBECTL_CONTEXT wait dnspolicy simple-dnspolicy -n kuadrant-system --for=condition=enforced ``` 
@@ -436,6 +442,12 @@ spec: EOF ``` +Ensure the new policy is enforced: + +``` +kubectl --context $KUBECTL_CONTEXT wait authpolicy toystore --for=condition=enforced +``` + ### ❽ Override the Gateway's RateLimitPolicy The gateway limits are a good set of limits for the general case, but as the developers of this API we know that we only want to allow a certain number of requests to specific users, and a general limit for all other users. diff --git a/main.go b/main.go index 8c7f6a3e9..9e217bc26 100644 --- a/main.go +++ b/main.go @@ -106,8 +106,8 @@ func main() { probeAddr string err error ) - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") - flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") + flag.StringVar(&metricsAddr, "metrics-bind-address", ":8880", "The address the metric endpoint binds to.") + flag.StringVar(&probeAddr, "health-probe-bind-address", ":8881", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") From 5750271f6e8d81b93ef7891cb1838ad052a6f5d2 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Tue, 12 Nov 2024 09:14:04 +0000 Subject: [PATCH 02/16] Update config/install/README.md Co-authored-by: Rachel Lawton --- config/install/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/install/README.md b/config/install/README.md index 0bec3ef1e..870f40703 100644 --- a/config/install/README.md +++ b/config/install/README.md 
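Review bot: [PATCH 01/16] the file and path names in config/install/README.md do not match the overlays that read them. The External Redis section tells the user to create `redis-credential.env`, but config/install/configure/redis-storage/kustomization.yaml reads `redis-credentials.env`; the TLS/DNS step names the directory `install/configure/aws`, while the `kubectl apply -k` line two lines later uses `config/install/configure/aws`; and the catalog-image note points at `config/deploy/olm/catalogsource.yaml`, whereas the override this patch adds is the `patches:` block in config/install/standard/kustomization.yaml. While editing: the title reads "Kaudrant", the steps jump from "1)" to "3)", and "credentals", "the the", "additonal" and "temporarilly" are typos.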
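Review bot: [PATCH 01/16] the Secret names in config/install/configure/aws do not line up, so the ClusterIssuer cannot find its credentials: cluster-issuer.yaml references `name: aws-credentials` in both `accessKeyIDSecretRef` and `secretAccessKeySecretRef`, but the secretGenerator in kustomization.yaml produces a Secret named `aws-provider-credentials`. Rename one side to match. The header comment ("YOU NEED TO CREATE A aws-provider-credentials.env file first") also disagrees with the `envs:` entry, which reads `aws-credentials.env`. Since this file holds a live AWS access key and secret, the `*.env` line added to .gitignore in this same patch is doing real work; say so in the README so nobody removes it or commits the file under another name. `region: us-east-1 #override if needed` is a hard-coded value in a file users are told to apply as-is; a documented patch or a second env entry would be cleaner.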
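Review bot: [PATCH 01/16] config/install/configure/azure cannot be applied as written: kustomization.yaml declares no `resources:` at all, so neither cluster-issuer.yaml nor `../standard` is included (compare the aws overlay), and cluster-issuer.yaml is still headed `## TODO` with literal placeholders (`AZURE_CERT_MANAGER_SP_APP_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_DNS_ZONE_RESOURCE_GROUP`, `AZURE_DNS_ZONE`) that kustomize will never substitute. Its `clientSecretSecretRef` names `azuredns-config`, but the generator creates `azure-provider-credentials`. If the Azure path is not ready, leave the directory out of this PR rather than shipping an overlay that fails on `kubectl apply -k`.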
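Review bot: [PATCH 01/16] same issue in config/install/configure/gcp: kustomization.yaml has no `resources:`, so cluster-issuer.yaml is never applied, and cluster-issuer.yaml keeps `project: $PROJECT_ID` as a literal string (kustomize does not expand shell-style variables). The issuer's `serviceAccountSecretRef` expects key `key.json` in Secret `gcp-provider-credentials`, yet the Secret is generated from `gcp-credentials.env` with `envs:`, which yields one key per `KEY=VALUE` line. Either document that the env file must contain a `key.json=` entry with the service-account JSON on one line, or switch the generator to `files:` so the key name comes from the filename.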
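Review bot: [PATCH 01/16] config/install/configure/kitchen-sink/kustomization.yaml references `../dns-aws`, `../dns-azure` and `../dns-gcp`, but the directories this patch creates are `aws`, `azure` and `gcp`, so this overlay will not build. It would also apply all three cloud providers at once (three ClusterIssuers, three sets of credential Secrets); state what the overlay is for or drop it.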
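Review bot: [PATCH 01/16] config/install/configure/tls-lets-encrypt/kustomization.yaml lists `cluster-issuer.yaml` as its only resource, but the diffstat shows no such file in that directory, so the overlay cannot build. Each cloud directory already carries its own ClusterIssuer; either remove this directory or give it the provider-independent issuer it seems intended to hold.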
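Review bot: [PATCH 01/16] in config/install/configure/redis-storage/kustomization.yaml the generated `redis-credentials` Secret carries `type: 'kuadrant.io/aws'`, which looks copied from the aws overlay; a Redis connection URL is not an AWS credential, so use a neutral or Redis-specific type. limitador.yaml only names the Secret through `storage.redis.configSecretRef`, so the README needs to state which key the env file must define. The README sentence for this overlay should also read "Limitador will become temporarily unavailable".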
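Review bot: [PATCH 01/16] the `#change this to the version you want to install` comment in config/install/standard/kustomization.yaml contradicts the README, which says the default is "latest"/"main": this overlay pins `quay.io/kuadrant/kuadrant-operator-catalog:1.0.0-rc1`. Make the two agree. The overlay also pulls `standard-install.yaml` for Gateway API v1.1.0 from a release URL at apply time; the version is pinned, which is good, but a vendored copy would make the install reproducible offline and independent of the download host.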
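Review bot: [PATCH 01/16] in config/install/standard/sail-operator.yaml the Subscription combines `channel: candidates` with `installPlanApproval: Automatic` from `community-operators`, so whatever the catalog publishes to that channel next is installed without review. For a reproducible, reviewable install pin a `startingCSV` and/or set `installPlanApproval: Manual`; note the Kuadrant catalog in the sibling kustomization is pinned to a specific tag while Sail is not.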
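Review bot: [PATCH 01/16] in the doc/user-guides/secure-protect-connect.md hunk the added `wait dnspolicy ... --for=condition=accepted` line is a useful check before waiting on `enforced`, but the prose above it still reads "Wait for the DNSPolicy to marked as accepted and enforced"; it should be "to be marked as".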
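Review bot: [PATCH 01/16] the main.go hunk moves the default metrics and health-probe bind addresses from `:8080`/`:8081` to `:8880`/`:8881`, which is unrelated to "add a basic kustomize install" and is not mentioned in the commit message. Any Deployment probe, Service or ServiceMonitor that targets the old ports must change with it, and none do in this diff; split this into its own commit with the matching manifest updates, or explain in the message why the defaults moved.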
@@ -54,7 +54,7 @@ sail-operator 1/1 1 1 81m To setup the DNS and TLS integration (TLS also uses DNS for verification) follow these steps: 1) Depending on your choice of cloud provider: - - setup the needed `CLOUD_PROVIDER-credentals.env` in the cloud provider directory. E.G create `aws-credentials.env` in the `install/configure/aws` directory + - setup the needed `$CLOUD_PROVIDER-credentals.env` in the cloud provider directory. E.G create `aws-credentials.env` in the `install/configure/aws` directory 3) execute the configure for that cloud provider From 24ac3177e4f333c5921c42d5fd90992504975694 Mon Sep 17 00:00:00 2001 From: David Martin Date: Tue, 12 Nov 2024 17:26:44 +0000 Subject: [PATCH 03/16] Add observability steps and configuration (#1006) 
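Review bot: [PATCH 02/16] the `$CLOUD_PROVIDER-credentals.env` change in config/install/README.md still carries the "credentals" typo, the list still jumps from "1)" to "3)", and the directory is still given as `install/configure/aws` rather than `config/install/configure/aws`; all three sit on the line being edited.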
Signed-off-by: David Martin --- config/install/README.md | 44 +++++++++++++- .../observability/kustomization.yaml | 7 +++ .../openshift/grafana/.gitignore | 1 + .../openshift/grafana/dashboards.yaml | 59 +++++++++++++++++++ .../openshift/grafana/datasource.yaml | 20 +++++++ .../openshift/grafana/grafana.yaml | 19 ++++++ .../openshift/grafana/kustomization.yaml | 38 ++++++++++++ .../openshift/grafana/subscription.yaml | 13 ++++ .../openshift/kustomization.yaml | 7 +++ .../istio/service-monitor-istiod.yaml | 4 +- .../prometheus/monitors/istio/telemetry.yaml | 2 +- .../prometheus/monitors/kustomization.yaml | 7 +++ examples/dashboards/kustomization.yaml | 11 ++-- 13 files changed, 221 insertions(+), 11 deletions(-) create mode 100644 config/install/configure/observability/kustomization.yaml create mode 100644 config/observability/openshift/grafana/.gitignore create mode 100644 config/observability/openshift/grafana/dashboards.yaml create mode 100644 config/observability/openshift/grafana/datasource.yaml create mode 100644 config/observability/openshift/grafana/grafana.yaml create mode 100644 config/observability/openshift/grafana/kustomization.yaml create mode 100644 config/observability/openshift/grafana/subscription.yaml create mode 100644 config/observability/openshift/kustomization.yaml create mode 100644 config/observability/prometheus/monitors/kustomization.yaml diff --git a/config/install/README.md b/config/install/README.md index 870f40703..03cc13f95 100644 --- a/config/install/README.md +++ b/config/install/README.md 
@@ -94,4 +94,46 @@ Validate Kuadrant is in a ready state as before: ``` kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml -``` \ No newline at end of file +``` + +## Set up observability + +Verify that user workload monitoring is enabled in your Openshift cluster. +If it not enabled, check the [Openshift documentation](https://docs.openshift.com/container-platform/4.17/observability/monitoring/enabling-monitoring-for-user-defined-projects.html) for how to do this. + +```bash +kubectl get configmap cluster-monitoring-config -n openshift-monitoring -o jsonpath='{.data.config\.yaml}'|grep enableUserWorkload + +(expected output) +enableUserWorkload: true +``` + +Install the gateway & kuadrant metrics components and configuration, including Grafana. + +```bash +kubectl apply -k config/install/configure/observability +``` + +Configure the openshift thanos-query instance as a data source in Grafana. + +```bash +TOKEN="Bearer $(oc whoami -t)" +HOST="$(kubectl -n openshift-monitoring get route thanos-querier -o jsonpath='https://{.status.ingress[].host}')" +echo "TOKEN=$TOKEN" > config/observability/openshift/grafana/datasource.env +echo "HOST=$HOST" >> config/observability/openshift/grafana/datasource.env +kubectl apply -k config/observability/openshift/grafana +``` + +Create the example dashboards in Grafana + +```bash +kubectl apply -k examples/dashboards +``` + +Access the Grafana UI, using the default user/pass of root/secret. +You should see the example dashboards in the 'monitoring' folder. +For more information on the example dashboards, check out the [documentation](https://docs.kuadrant.io/latest/kuadrant-operator/doc/observability/examples/). + +```bash +kubectl -n monitoring get routes grafana-route -o jsonpath="https://{.status.ingress[].host}" +``` diff --git a/config/install/configure/observability/kustomization.yaml b/config/install/configure/observability/kustomization.yaml new file mode 100644 index 000000000..a3704bde8 --- /dev/null 
+++ b/config/install/configure/observability/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.5.0 + - ../../../observability/openshift/ + - ../../../observability/prometheus/monitors/ diff --git a/config/observability/openshift/grafana/.gitignore b/config/observability/openshift/grafana/.gitignore new file mode 100644 index 000000000..25c34f604 --- /dev/null +++ b/config/observability/openshift/grafana/.gitignore @@ -0,0 +1 @@ +datasource.env \ No newline at end of file diff --git a/config/observability/openshift/grafana/dashboards.yaml b/config/observability/openshift/grafana/dashboards.yaml new file mode 100644 index 000000000..10601e383 --- /dev/null +++ b/config/observability/openshift/grafana/dashboards.yaml 
@@ -0,0 +1,59 @@ +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: grafana-platform-engineer +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + configMapRef: + name: grafana-platform-engineer + key: platform_engineer.json +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: grafana-business-user +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + configMapRef: + name: grafana-business-user + key: business_user.json +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: grafana-controller-resources-metrics +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + configMapRef: + name: grafana-controller-resources-metrics + key: controller-resources-metrics.json +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: grafana-controller-runtime-metrics +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + configMapRef: + name: grafana-controller-runtime-metrics + key: controller-runtime-metrics.json +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: grafana-app-developer +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + configMapRef: + name: grafana-app-developer + key: app_developer.json diff --git a/config/observability/openshift/grafana/datasource.yaml b/config/observability/openshift/grafana/datasource.yaml new file mode 100644 index 000000000..aeeb84af2 --- /dev/null +++ b/config/observability/openshift/grafana/datasource.yaml 
@@ -0,0 +1,20 @@ +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDatasource +metadata: + name: thanos-query-ds +spec: + datasource: + access: proxy + isDefault: true + jsonData: + httpHeaderName1: 'Authorization' + timeInterval: 5s + tlsSkipVerify: true + secureJsonData: + httpHeaderValue1: 'REPLACED_BY_ENV' + name: thanos-query-ds + type: prometheus + url: 'REPLACED_BY_ENV' + instanceSelector: + matchLabels: + dashboards: grafana diff --git a/config/observability/openshift/grafana/grafana.yaml b/config/observability/openshift/grafana/grafana.yaml new file mode 100644 index 000000000..ae70ab874 --- /dev/null +++ b/config/observability/openshift/grafana/grafana.yaml @@ -0,0 +1,19 @@ +apiVersion: grafana.integreatly.org/v1beta1 +kind: Grafana +metadata: + labels: + dashboards: grafana + name: grafana +spec: + config: + auth: + disable_login_form: 'false' + log: + mode: console + security: + admin_password: secret + admin_user: root + route: + metadata: {} + spec: {} + version: 10.4.3 diff --git a/config/observability/openshift/grafana/kustomization.yaml b/config/observability/openshift/grafana/kustomization.yaml new file mode 100644 index 000000000..bda5b736b --- /dev/null +++ b/config/observability/openshift/grafana/kustomization.yaml 
@@ -0,0 +1,38 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: monitoring + +resources: + - grafana.yaml + - datasource.yaml + - dashboards.yaml + +# Generate a ConfigMap from the .env file +configMapGenerator: + - name: datasource-env-config + envs: + - datasource.env + +replacements: + - source: + kind: ConfigMap + name: datasource-env-config + fieldPath: data.TOKEN + targets: + - select: + kind: GrafanaDatasource + name: thanos-query-ds + fieldPaths: + - spec.datasource.secureJsonData.httpHeaderValue1 + - source: + kind: ConfigMap + name: datasource-env-config + fieldPath: data.HOST + targets: + - select: + kind: GrafanaDatasource + name: thanos-query-ds + fieldPaths: + - spec.datasource.url + diff --git a/config/observability/openshift/grafana/subscription.yaml b/config/observability/openshift/grafana/subscription.yaml new file mode 100644 index 000000000..2bd9fc89d --- /dev/null +++ b/config/observability/openshift/grafana/subscription.yaml @@ -0,0 +1,13 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + labels: + operators.coreos.com/grafana-operator.openshift-operators: "" + name: grafana-operator + namespace: openshift-operators +spec: + channel: v5 + installPlanApproval: Automatic + name: grafana-operator + source: community-operators + sourceNamespace: openshift-marketplace diff --git a/config/observability/openshift/kustomization.yaml b/config/observability/openshift/kustomization.yaml new file mode 100644 index 000000000..e03c5942b --- /dev/null +++ b/config/observability/openshift/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - telemetry.yaml + - kube-state-metrics.yaml + - grafana/subscription.yaml diff --git a/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml b/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml index e2af452b7..c4215fc39 100644 
--- a/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml +++ b/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml @@ -2,11 +2,11 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: istiod - namespace: istio-system + namespace: gateway-system spec: namespaceSelector: matchNames: - - istio-system + - gateway-system selector: matchLabels: app: istiod diff --git a/config/observability/prometheus/monitors/istio/telemetry.yaml b/config/observability/prometheus/monitors/istio/telemetry.yaml index d39050a9a..c966e230d 100644 --- a/config/observability/prometheus/monitors/istio/telemetry.yaml +++ b/config/observability/prometheus/monitors/istio/telemetry.yaml @@ -2,7 +2,7 @@ apiVersion: telemetry.istio.io/v1alpha1 kind: Telemetry metadata: name: namespace-metrics - namespace: istio-system + namespace: gateway-system spec: metrics: - providers: diff --git a/config/observability/prometheus/monitors/kustomization.yaml b/config/observability/prometheus/monitors/kustomization.yaml new file mode 100644 index 000000000..889caa892 --- /dev/null +++ b/config/observability/prometheus/monitors/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - istio/service-monitor-istiod.yaml + - operators.yaml + diff --git a/examples/dashboards/kustomization.yaml b/examples/dashboards/kustomization.yaml index 96a64d330..cd26abf16 100644 --- a/examples/dashboards/kustomization.yaml +++ b/examples/dashboards/kustomization.yaml 
@@ -1,26 +1,23 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: monitoring + # grafana-dashboard dashboards as configmaps configMapGenerator: - name: grafana-app-developer - namespace: monitoring files: - ./app_developer.json - name: grafana-business-user - namespace: monitoring files: - ./business_user.json - name: grafana-platform-engineer - namespace: monitoring files: - ./platform_engineer.json -- name: grafana-controller-runtime - namespace: monitoring +- name: grafana-controller-runtime-metrics files: - ./controller-runtime-metrics.json -- name: grafana-controller-resources - namespace: monitoring +- name: grafana-controller-resources-metrics files: - ./controller-resources-metrics.json From 81352ae7d38d48749f92dea4aafcf5854663eab9 Mon Sep 17 00:00:00 2001 From: craig Date: Tue, 12 Nov 2024 11:09:46 +0000 Subject: [PATCH 04/16] updates for install doc Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED Update observability resources to use gateway-system namespace (#969) Signed-off-by: David Martin add example for external api usage --- config/install/README.md | 29 +-- .../observability/kustomization.yaml | 2 +- config/install/standard/kustomization.yaml | 2 +- .../openshift/grafana/.gitignore | 3 +- doc/user-guides/external-api.md | 176 ++++++++++++++++++ examples/external-api-istio.yaml | 94 ++++++++++ 6 files changed, 292 insertions(+), 14 deletions(-) create mode 100644 doc/user-guides/external-api.md create mode 100644 examples/external-api-istio.yaml diff --git a/config/install/README.md b/config/install/README.md index 03cc13f95..0df977049 100644 --- a/config/install/README.md +++ b/config/install/README.md 
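Review bot: [PATCH 03/16] the observability section added to config/install/README.md has the user run `TOKEN="Bearer $(oc whoami -t)"` and write that token to datasource.env for Grafana's datasource. Say explicitly that this is the caller's own OpenShift API token, carrying that user's full privileges and subject to expiry, and that a dedicated ServiceAccount token with read-only monitoring access is the right source for a persistent datasource. The `root/secret` Grafana login is also presented as a plain default; state that it must be changed before the route is shared.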
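Review bot: [PATCH 03/16] config/observability/openshift/grafana/kustomization.yaml loads datasource.env through `configMapGenerator`, so the bearer token is stored in a ConfigMap `datasource-env-config` in the `monitoring` namespace, readable by anyone with ConfigMap read access there, in addition to being copied into `secureJsonData` by the `replacements:` block. The generated object is only needed at build time; either prune it from the output (kustomize drops resources annotated `config.kubernetes.io/local-config: "true"`, which `generatorOptions.annotations` can set; confirm with the kustomize version in use) or have the README say the ConfigMap holds the token and should be deleted after apply.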
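Review bot: [PATCH 03/16] config/observability/openshift/grafana/datasource.yaml sets `tlsSkipVerify: true`, so Grafana sends the bearer token to thanos-querier without verifying the certificate. The router certificate is normally verifiable; prefer `tlsAuthWithCACert: true` in `jsonData` with the CA in `secureJsonData.tlsCACert` and drop the skip. `isDefault: true` and `timeInterval: 5s` are fine for a demo but should be labelled as demo settings.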
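Review bot: [PATCH 03/16] config/observability/openshift/grafana/grafana.yaml hard-codes `admin_user: root` and `admin_password: secret` and publishes the instance through `route:`, so the UI (and the datasource token behind it) is reachable with a credential that is checked into the repo and printed in the README. Source the admin password from something the user supplies rather than the CR, and consider fronting the route with OpenShift OAuth on shared clusters.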
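Review bot: [PATCH 03/16] config/observability/openshift/kustomization.yaml references `telemetry.yaml` and `kube-state-metrics.yaml`, and config/observability/prometheus/monitors/kustomization.yaml references `operators.yaml`, none of which appear in this patch's diffstat; confirm they already exist at those paths or the overlays will not build. The Grafana operator Subscription in grafana/subscription.yaml has the same `installPlanApproval: Automatic` on a community catalog as the Sail one; the same pinning comment applies.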
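Review bot: [PATCH 03/16] the examples/dashboards/kustomization.yaml hunk renames the generated ConfigMaps to `grafana-controller-runtime-metrics` and `grafana-controller-resources-metrics` to match the `configMapRef.name` values in dashboards.yaml, but unless `generatorOptions: disableNameSuffixHash: true` is set somewhere this hunk does not show, `configMapGenerator` emits names with a content-hash suffix, and because the GrafanaDashboard objects are applied from a separate kustomization (`kubectl apply -k config/observability/openshift/grafana`), kustomize cannot rewrite those references. Add the generatorOptions here, as the cloud-provider overlays in PATCH 01 already do.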
@@ -11,16 +11,22 @@ Install the Sail and Kuadrant Operators via OLM: -> Note: By default this will install the "latest" or "main" of kuadrant. To change that, pick a release from the releases page in the kuadrant operator and change the image in the `config/deploy/olm/catalogsource.yaml` or if you are familiar with kustomize you could apply your own kustomization. +> Note: By default this will install the "latest" or "main" of kuadrant. To change that, pick a release from the releases page in the kuadrant operator and change the image in the `config/deploy/install/standard/kustomization.yaml`. + +> Note: We are using the `--context` flag here this is useful if installing on more than one cluster otherwise it is not needed + +``` +export ctx=replace-with-your-context +``` ``` -kubectl apply -k config/install/standard +kubectl apply -k config/install/standard --context=$ctx ``` 3) verify kuadrant and sail operators are installed. Note this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below: ``` -kubectl get deployments -n kuadrant-system +kubectl get deployments -n kuadrant-system --context=$ctx ``` ``` @@ -37,12 +43,13 @@ limitador-operator-controller-manager 1/1 1 1 83m ``` -kubectl get deployments -n gateway-system +kubectl get deployments -n gateway-system --context=$ctx ``` ``` NAME READY UP-TO-DATE AVAILABLE AGE +istiod 1/1 1 1 61s sail-operator 1/1 1 1 81m ``` 
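Review bot: the rewritten note points at `config/deploy/install/standard/kustomization.yaml`, a path that does not exist in this series; the file carrying the catalog image is `config/install/standard/kustomization.yaml`, which this very patch modifies (see its diffstat `config/install/standard/kustomization.yaml | 2 +-`). The second note says the `--context` flag is only needed for multi-cluster installs, yet every command is now written with `--context=$ctx` after `export ctx=replace-with-your-context`, so a single-cluster reader who skips the export runs commands with an unset variable; either make the export an explicit required step or keep the flag out of the copy-paste commands and mention it once.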
@@ -54,12 +61,12 @@ sail-operator 1/1 1 1 81m To setup the DNS and TLS integration (TLS also uses DNS for verification) follow these steps: 1) Depending on your choice of cloud provider: - - setup the needed `$CLOUD_PROVIDER-credentals.env` in the cloud provider directory. E.G create `aws-credentials.env` in the `install/configure/aws` directory + - setup the needed `$CLOUD_PROVIDER-credentials.env` in the cloud provider directory. E.G create `aws-credentials.env` in the `config/install/configure/aws` directory 3) execute the configure for that cloud provider ``` -kubectl apply -k config/install/configure/aws +kubectl apply -k config/install/configure/aws --context=$ctx ``` @@ -70,29 +77,29 @@ This will configure Kuadrant and Sail installing their components as well as set Validate Kuadrant is ready via the kuadrant resource status condition ``` -kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml +kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml --context=$ctx ``` -At this point Kuadrant is ready to use. Below are some additonal configuration that can be applied. +At this point Kuadrant is ready to use. Below are some additional configuration that can be applied. ### External Redis create a `redis-credential.env` in the `config/install/configure/redis-storage` dir ``` -kubectl apply -k config/install/configure/redis-storage +kubectl apply -k config/install/configure/redis-storage --context=$ctx ``` -This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarilly unavailable as it restarts. +This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarily unavailable as it restarts. ### Validate Validate Kuadrant is in a ready state as before: ``` -kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml +kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml --context=$ctx ``` 
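Review bot: the added line still reads `Limitador will becomes temporarily unavailable as it restarts.` (should be `will become`, and `use provided redis connection URL` is missing `the`); only the spelling of `temporarily` was fixed. The numbered list under the TLS and DNS section goes from `1)` straight to `3)`. Since the reader is told to create `aws-credentials.env` inside the checkout at `config/install/configure/aws`, and that file holds cloud DNS credentials, the README should say it is git-ignored (patch 01 touches `.gitignore`) so it is not committed by accident.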
diff --git a/config/install/configure/observability/kustomization.yaml b/config/install/configure/observability/kustomization.yaml index a3704bde8..f6c19b492 100644 --- a/config/install/configure/observability/kustomization.yaml +++ b/config/install/configure/observability/kustomization.yaml @@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.5.0 + - github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.6.0 - ../../../observability/openshift/ - ../../../observability/prometheus/monitors/ diff --git a/config/install/standard/kustomization.yaml b/config/install/standard/kustomization.yaml index 58e209420..bc2d521e8 100644 --- a/config/install/standard/kustomization.yaml +++ b/config/install/standard/kustomization.yaml @@ -13,4 +13,4 @@ patches: metadata: name: kuadrant-operator-catalog spec: - image: quay.io/kuadrant/kuadrant-operator-catalog:1.0.0-rc1 #change this to the version you want to install + image: quay.io/kuadrant/kuadrant-operator-catalog:v1.0.0-rc4 #change this to the version you want to install diff --git a/config/observability/openshift/grafana/.gitignore b/config/observability/openshift/grafana/.gitignore index 25c34f604..04f47aaef 100644 --- a/config/observability/openshift/grafana/.gitignore +++ b/config/observability/openshift/grafana/.gitignore @@ -1 +1,2 @@ -datasource.env \ No newline at end of file +datasource.env + diff --git a/doc/user-guides/external-api.md b/doc/user-guides/external-api.md new file mode 100644 index 000000000..26feb4063 --- /dev/null +++ b/doc/user-guides/external-api.md 
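Review bot: `config/install/standard/kustomization.yaml` now pins `image: quay.io/kuadrant/kuadrant-operator-catalog:v1.0.0-rc4`, while the README hunk in this same patch tells the reader that by default the install deploys the "latest" or "main" version of Kuadrant; one of the two should change so the doc describes the tag that is actually pinned. The `gateway-api-state-metrics` bump to `?ref=0.6.0` and the `.gitignore` trailing-newline fix look fine.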
@@ -0,0 +1,176 @@ +# Using Gateway API and Kuadrant with APIs outside of the cluster + + +### Overview + +In some cases, the application and API endpoints are exposed in a host external to the cluster where you are a running Gateway API and Kuadrant but you do not want it accessible directly via the public internet. If you want to have external traffic come into a Gateway API defined Gateway and protected by Kuadrant policies first being proxied to the existing legacy endpoints, this guide will give you some example of how to achieve this. + + +### What we will do +- Have an API in a private location become accessible via a public hostname +- Setup a gateway and HTTPRoute to expose this private API via our new Gateway on a (public) domain. +- proxy valid requests through to our back-end API service +- Add auth and rate limiting and TLS to our public Gateway to protect it + + + +### Pre Requisites + +- [Kuadrant and Gateway API installed (with Istio as the gateway provider)](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-kubernetes/) +- Existing API on separate cluster accessible via HTTP from the Gateway cluster + + +What we want to achieve: + +``` + ------------------- DMZ -----------------| + | + |-------------------------------- internal network -----------------------------------| + load balancer | | + | - | | |----------k8s cluster-----------| | |----- Legacy API Location --------| | + | | | | Gateway Kuadrant | | | | | + | | | | ----- ----- | | | | | +---public traffic--my.api.com-------->| | |<--| | | | | HTTP (my.api.local) Backend | | + | | | | | | ----- | | | ----- ----- | | + | | | | ----- -----------proxy---(my.api.local)-->| | ----------> | | | | + | | | | | | | ----- ----- | | + | - | | |--------------------------------| | |----------------------------------| | + | | | + |-----------------------------------------|--------------------------------------------| + | + ------------------- DMZ -----------------| +``` + + +Note for all 
of the resources defined here there is a copy of them under the [examples folder](https://github.com/Kuadrant/kuadrant-operator/examples/external-api-istio.yaml) + +1) Deploy a Gateway into the K8s cluster that will act as the main Ingress Gateway + +Define your external API hostname and Internal API hostname + +``` +export EXTERNAL_HOST=my.api.com +export INTERNAL_HOST=my.api.local + +``` + +```bash +kubectl apply -n gateway-system -f - < Date: Wed, 13 Nov 2024 15:50:43 +0000 Subject: [PATCH 05/16] remove links Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- doc/user-guides/external-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user-guides/external-api.md b/doc/user-guides/external-api.md index 26feb4063..335ab7c8b 100644 --- a/doc/user-guides/external-api.md +++ b/doc/user-guides/external-api.md @@ -16,7 +16,7 @@ In some cases, the application and API endpoints are exposed in a host external ### Pre Requisites -- [Kuadrant and Gateway API installed (with Istio as the gateway provider)](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-kubernetes/) +- Kuadrant and Gateway API installed (with Istio as the gateway provider) - Existing API on separate cluster accessible via HTTP from the Gateway cluster From 10aa0ab36fdd9267ae157f693831103a021f5d85 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Thu, 14 Nov 2024 07:20:32 +0000 Subject: [PATCH 06/16] Update config/install/README.md Co-authored-by: Rachel Lawton --- config/install/README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/config/install/README.md b/config/install/README.md index 0df977049..900ed6440 100644 --- a/config/install/README.md +++ b/config/install/README.md 
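Review bot: in `doc/user-guides/external-api.md` the link `https://github.com/Kuadrant/kuadrant-operator/examples/external-api-istio.yaml` is missing the `/blob/<branch>/` segment and will not resolve on GitHub; point it at the file this patch creates, `examples/external-api-istio.yaml`, with a blob URL or a repo-relative link. The overview sentence `where you are a running Gateway API and Kuadrant` has a stray `a`, and `some example` should be `some examples`. On substance: the prerequisite and the diagram describe the hop from the Gateway to the legacy API as plain `HTTP (my.api.local)`; the guide should state that this leg is unencrypted and relies on the internal network being trusted, and point the reader at originating TLS on the proxy leg where the backend can terminate it, otherwise the auth, rate-limit and TLS protection added at the public Gateway stops at the cluster boundary. Minor: the `export EXTERNAL_HOST` fence ends with an empty line. The patch 05 change that drops the docs link from the prerequisite is fine.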
@@ -1,6 +1,13 @@ # Install Kaudrant and Sail via OLM -- Pre-Req is that OLM (operator lifecycle manager) is already installed +## Prerequisites +- Clone the[ Kuadrant-operator](https://github.com/Kuadrant/kuadrant-operator) repo +- OLM (operator lifecycle manager) +- cert-manager +- - [cert-manager Operator for Red Hat OpenShift](https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-operator-install.html) +- - [installing cert-manager via OperatorHub](https://cert-manager.io/docs/installation/operator-lifecycle-manager/) +- AWS, Azure or GCP with DNS capabilities. (Optional) +- Accessible Redis instance, for persistent storage for your rate limit counters. (Optional) - (optional dependencies) - If you want to use `TLSPolicy` you should install the cert-manager operator. From f450f02abaa530b1af3bb7db58c53cc0c75d7530 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Thu, 14 Nov 2024 07:20:43 +0000 Subject: [PATCH 07/16] Update config/install/README.md Co-authored-by: Rachel Lawton --- config/install/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/install/README.md b/config/install/README.md index 900ed6440..be2b5d417 100644 --- a/config/install/README.md +++ b/config/install/README.md @@ -1,4 +1,4 @@ -# Install Kaudrant and Sail via OLM +# Install Kuadrant and Sail via OLM ## Prerequisites - Clone the[ Kuadrant-operator](https://github.com/Kuadrant/kuadrant-operator) repo From 34fd655f4e7eaba9dd12cae9ad91b226cf6c53f7 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Thu, 14 Nov 2024 07:21:01 +0000 Subject: [PATCH 08/16] Update config/install/README.md Co-authored-by: Rachel Lawton --- config/install/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/config/install/README.md b/config/install/README.md index be2b5d417..24a7a9b39 100644 --- a/config/install/README.md +++ b/config/install/README.md 
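Review bot: the new prerequisite `- Clone the[ Kuadrant-operator](https://github.com/Kuadrant/kuadrant-operator) repo` has the space on the wrong side of the bracket, so it renders inside the link text; write `the [Kuadrant-operator](...)`. The two cert-manager sub-items are written as `- - [...]`, which renders as an empty outer bullet with a nested one rather than an indented sub-list (patch 13 fixes the indent). The old `(optional dependencies)` block left below now duplicates the new optional entries for cert-manager, DNS providers and Redis and should go in the same change rather than waiting for patch 15, and `Kaudrant` in the title is corrected only in patch 07; squashing these fixups before merge would keep the history readable.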
@@ -15,7 +15,6 @@ - Accessible Redis instance, if you want persistent storage for your rate limit counters. -Install the Sail and Kuadrant Operators via OLM: > Note: By default this will install the "latest" or "main" of kuadrant. To change that, pick a release from the releases page in the kuadrant operator and change the image in the `config/deploy/install/standard/kustomization.yaml`. From 3e5059a15c4c18640889f10c30f6f71988031f47 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Thu, 14 Nov 2024 07:21:29 +0000 Subject: [PATCH 09/16] Update config/install/README.md Co-authored-by: Rachel Lawton --- config/install/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/install/README.md b/config/install/README.md index 24a7a9b39..e0b31275a 100644 --- a/config/install/README.md +++ b/config/install/README.md @@ -17,7 +17,7 @@ -> Note: By default this will install the "latest" or "main" of kuadrant. To change that, pick a release from the releases page in the kuadrant operator and change the image in the `config/deploy/install/standard/kustomization.yaml`. +> Note: By default the following guide will install the "latest" or "main" version of Kuadrant. To pick a specific version, change the image in the `config/deploy/install/standard/kustomization.yaml`. All versions available can be found on the Kuadrant operator [release page](https://github.com/Kuadrant/kuadrant-operator/releases) > Note: We are using the `--context` flag here this is useful if installing on more than one cluster otherwise it is not needed From 2a1a1152ffc56d7b189c34aac6f0f90855cd27e4 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Thu, 14 Nov 2024 07:26:07 +0000 Subject: [PATCH 10/16] Apply suggestions from code review Co-authored-by: Rachel Lawton --- config/install/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config/install/README.md b/config/install/README.md index e0b31275a..4690ed12d 100644 --- a/config/install/README.md 
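Review bot: patch 08 deletes `Install the Sail and Kuadrant Operators via OLM:`, which was the only sentence introducing the `kubectl apply -k config/install/standard` command that follows, so the apply step now has no lead-in. The reworded note in patch 09 still says to change the image in `config/deploy/install/standard/kustomization.yaml`; the file changed in patch 04 is `config/install/standard/kustomization.yaml`, and a reader following the doc will not find the stated path.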
+++ b/config/install/README.md @@ -19,7 +19,7 @@ > Note: By default the following guide will install the "latest" or "main" version of Kuadrant. To pick a specific version, change the image in the `config/deploy/install/standard/kustomization.yaml`. All versions available can be found on the Kuadrant operator [release page](https://github.com/Kuadrant/kuadrant-operator/releases) -> Note: We are using the `--context` flag here this is useful if installing on more than one cluster otherwise it is not needed +> Note: We are using the Kubectl `--context` flag. This is useful when installing on more than one cluster otherwise it is not needed. ``` export ctx=replace-with-your-context @@ -64,7 +64,6 @@ sail-operator 1/1 1 1 81m ### TLS and DNS integration -To setup the DNS and TLS integration (TLS also uses DNS for verification) follow these steps: 1) Depending on your choice of cloud provider: - setup the needed `$CLOUD_PROVIDER-credentials.env` in the cloud provider directory. E.G create `aws-credentials.env` in the `config/install/configure/aws` directory From 9294d684c06eb30192c25f4db1df4bf0bf7c2191 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Thu, 14 Nov 2024 07:46:00 +0000 Subject: [PATCH 11/16] Update config/install/README.md Co-authored-by: Rachel Lawton --- config/install/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/config/install/README.md b/config/install/README.md index 4690ed12d..1e229eded 100644 --- a/config/install/README.md +++ b/config/install/README.md @@ -22,7 +22,11 @@ > Note: We are using the Kubectl `--context` flag. This is useful when installing on more than one cluster otherwise it is not needed. ``` -export ctx=replace-with-your-context +# Typical single cluster context +export KUBECTL_CONTEXT=kind-kuadrant-local + +# Example context for additional 'multi cluster' clusters +# export KUBECTL_CONTEXT=kind-kuadrant-local-1 ``` ``` From 7d5c4381717675357226d71c344eae817b40b137 Mon Sep 17 00:00:00 2001 
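Review bot: patch 11 renames the variable to `export KUBECTL_CONTEXT=kind-kuadrant-local`, but every command in the README still passes `--context=$ctx` (for example `kubectl apply -k config/install/standard --context=$ctx`), so following the doc as written runs every command with `$ctx` unset; rename the usages or keep `ctx`. Patch 10 also removes `To setup the DNS and TLS integration (TLS also uses DNS for verification) follow these steps:`, leaving the `1)` list directly under the heading with no introduction, and `Kubectl` should be lowercase as the command name.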
From: craig Date: Wed, 13 Nov 2024 15:50:43 +0000 Subject: [PATCH 12/16] remove links update multi cluster options Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- config/install/README.md | 23 ++++++++--------------- main.go | 4 ++-- 2 files changed, 10 insertions(+), 17 deletions(-) diff --git a/config/install/README.md b/config/install/README.md index 1e229eded..a1559d79f 100644 --- a/config/install/README.md +++ b/config/install/README.md @@ -19,24 +19,17 @@ > Note: By default the following guide will install the "latest" or "main" version of Kuadrant. To pick a specific version, change the image in the `config/deploy/install/standard/kustomization.yaml`. All versions available can be found on the Kuadrant operator [release page](https://github.com/Kuadrant/kuadrant-operator/releases) -> Note: We are using the Kubectl `--context` flag. This is useful when installing on more than one cluster otherwise it is not needed. +> Note: for multiple clusters, it would make sense to do the installation via a tool like [argocd](https://argo-cd.readthedocs.io/en/stable/). For other methods of addressing multiple clusters take a look at the [kubectl docs](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) -``` -# Typical single cluster context -export KUBECTL_CONTEXT=kind-kuadrant-local - -# Example context for additional 'multi cluster' clusters -# export KUBECTL_CONTEXT=kind-kuadrant-local-1 -``` ``` -kubectl apply -k config/install/standard --context=$ctx +kubectl apply -k config/install/standard ``` 3) verify kuadrant and sail operators are installed. Note this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below: ``` -kubectl get deployments -n kuadrant-system --context=$ctx +kubectl get deployments -n kuadrant-system ``` ``` 
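Review bot: the commit `remove links update multi cluster options` bundles the README change with a change of default ports in `main.go` (diffstat `main.go | 4 ++--`), which has nothing to do with multi-cluster guidance; the port change should be a separate commit with its own message so it can be reviewed and reverted on its own. Replacing the `--context` guidance with the argocd and kubectl multi-cluster links is reasonable, but `3) verify kuadrant and sail operators are installed` keeps a step number with no `1)` or `2)` before it.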
@@ -53,7 +46,7 @@ limitador-operator-controller-manager 1/1 1 1 83m ``` -kubectl get deployments -n gateway-system --context=$ctx +kubectl get deployments -n gateway-system ``` ``` @@ -75,7 +68,7 @@ sail-operator 1/1 1 1 81m 3) execute the configure for that cloud provider ``` -kubectl apply -k config/install/configure/aws --context=$ctx +kubectl apply -k config/install/configure/aws ``` @@ -86,7 +79,7 @@ This will configure Kuadrant and Sail installing their components as well as set Validate Kuadrant is ready via the kuadrant resource status condition ``` -kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml --context=$ctx +kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml ``` @@ -97,7 +90,7 @@ At this point Kuadrant is ready to use. Below are some additional configuration create a `redis-credential.env` in the `config/install/configure/redis-storage` dir ``` -kubectl apply -k config/install/configure/redis-storage --context=$ctx +kubectl apply -k config/install/configure/redis-storage ``` @@ -108,7 +101,7 @@ This will setup limitador to use provided redis connection URL as a backend stor Validate Kuadrant is in a ready state as before: ``` -kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml --context=$ctx +kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml ``` diff --git a/main.go b/main.go index 9e217bc26..8c7f6a3e9 100644 --- a/main.go +++ b/main.go 
@@ -106,8 +106,8 @@ func main() { probeAddr string err error ) - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8880", "The address the metric endpoint binds to.") - flag.StringVar(&probeAddr, "health-probe-bind-address", ":8881", "The address the probe endpoint binds to.") + flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") From fa64df8a370195d3162283623881d195b41a8ce1 Mon Sep 17 00:00:00 2001 From: craig Date: Thu, 14 Nov 2024 11:27:46 +0000 Subject: [PATCH 13/16] fix indent Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- config/install/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/install/README.md b/config/install/README.md index a1559d79f..039d05fdc 100644 --- a/config/install/README.md +++ b/config/install/README.md 
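Review bot: the defaults for `metrics-bind-address` and `health-probe-bind-address` move from `:8880`/`:8881` to `:8080`/`:8081`, but nothing in this patch updates the manifests that consume them; the operator Deployment's liveness and readiness probe ports, the metrics Service and the ServiceMonitor in the `operators.yaml` referenced by `config/observability/prometheus/monitors/kustomization.yaml`, and any NetworkPolicy that allows these ports must reference the same numbers, or the probes will fail and metrics scraping will silently stop. Add those changes here, or state in the commit message why the manifests already use 8080/8081.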
@@ -4,8 +4,8 @@ - Clone the[ Kuadrant-operator](https://github.com/Kuadrant/kuadrant-operator) repo - OLM (operator lifecycle manager) - cert-manager -- - [cert-manager Operator for Red Hat OpenShift](https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-operator-install.html) -- - [installing cert-manager via OperatorHub](https://cert-manager.io/docs/installation/operator-lifecycle-manager/) + - [cert-manager Operator for Red Hat OpenShift](https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-operator-install.html) + - [installing cert-manager via OperatorHub](https://cert-manager.io/docs/installation/operator-lifecycle-manager/) - AWS, Azure or GCP with DNS capabilities. (Optional) - Accessible Redis instance, for persistent storage for your rate limit counters. (Optional) From e0bdf43bdb1aa43b401b76e5b6021b265eccc9c2 Mon Sep 17 00:00:00 2001 From: craig Date: Thu, 14 Nov 2024 11:37:15 +0000 Subject: [PATCH 14/16] re-add changes Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- config/install/README.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/config/install/README.md b/config/install/README.md index 039d05fdc..a10d9b324 100644 --- a/config/install/README.md +++ b/config/install/README.md 
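Review bot: the indent fix for the two cert-manager sub-items is correct, but the adjacent context line `- Clone the[ Kuadrant-operator](https://github.com/Kuadrant/kuadrant-operator) repo` still has the misplaced bracket; worth fixing while this list is being touched.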
@@ -21,17 +21,21 @@ > Note: for multiple clusters, it would make sense to do the installation via a tool like [argocd](https://argo-cd.readthedocs.io/en/stable/). For other methods of addressing multiple clusters take a look at the [kubectl docs](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) +## Setup the environment ``` kubectl apply -k config/install/standard ``` -3) verify kuadrant and sail operators are installed. Note this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below: +3) Verify both Kuadrant and sail operators are installed. Note, that this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below: ``` kubectl get deployments -n kuadrant-system ``` +Sample Output: + + ``` NAME READY UP-TO-DATE AVAILABLE AGE @@ -49,6 +53,8 @@ limitador-operator-controller-manager 1/1 1 1 83m kubectl get deployments -n gateway-system ``` +Sample Output: + ``` NAME READY UP-TO-DATE AVAILABLE AGE 
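Review bot: `## Setup the environment` is introduced directly above `kubectl apply -k config/install/standard` with no sentence saying what that kustomization installs (the Sail and Kuadrant operators via OLM, per the line removed in patch 08); restore a one-line explanation under the heading. The reworded step keeps its `3)` number although no preceding numbered steps exist in this section (patch 16 drops it), `Note, that this can take a while.` has a stray comma, and `Sample Output:` is followed by two blank lines before the fence.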
@@ -62,17 +68,14 @@ sail-operator 1/1 1 1 81m ### TLS and DNS integration -1) Depending on your choice of cloud provider: - - setup the needed `$CLOUD_PROVIDER-credentials.env` in the cloud provider directory. E.G create `aws-credentials.env` in the `config/install/configure/aws` directory - -3) execute the configure for that cloud provider +Create the `$CLOUD_PROVIDER-credentials.env file` in the cloud provider directory `config/install/configure/$CLOUD_PROVIDER.` e.g. `aws-credentials.env` in the `config/install/configure/aws` directory. Apply the configuration for the desired cloud provider. Example AWS ``` kubectl apply -k config/install/configure/aws ``` -This will configure Kuadrant and Sail installing their components as well as setup the the credentials needed for access DNS zones in the cloud provider and create a lets-encrypt cluster issuer configured to use DNS based validation. +This will configure Kuadrant and Sail to install their components, set the credentials needed to access DNS zones in the cloud provider, and create a Let's Encrypt cluster issuer configured to use DNS-based validation. ### Validate 
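Review bot: the backticks in the new sentence are misplaced: `` `$CLOUD_PROVIDER-credentials.env file` `` puts the word `file` inside the code span and `` `config/install/configure/$CLOUD_PROVIDER.` `` includes the trailing period, so the rendered path is wrong; `Example AWS` also needs a colon. Since this env file carries credentials that the next paragraph says are used to access DNS zones in the cloud provider, the section should tell the reader to scope those credentials to the DNS zone permissions needed for record management and DNS-based validation only, and to keep the file out of version control.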
@@ -110,20 +113,20 @@ kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml Verify that user workload monitoring is enabled in your Openshift cluster. If it not enabled, check the [Openshift documentation](https://docs.openshift.com/container-platform/4.17/observability/monitoring/enabling-monitoring-for-user-defined-projects.html) for how to do this. + ```bash kubectl get configmap cluster-monitoring-config -n openshift-monitoring -o jsonpath='{.data.config\.yaml}'|grep enableUserWorkload - -(expected output) -enableUserWorkload: true +# (expected output) +# enableUserWorkload: true ``` -Install the gateway & kuadrant metrics components and configuration, including Grafana. +Install the gateway & Kuadrant metrics components and configuration, including Grafana. ```bash kubectl apply -k config/install/configure/observability ``` -Configure the openshift thanos-query instance as a data source in Grafana. +Configure the Openshift thanos-query instance as a data source in Grafana. ```bash TOKEN="Bearer $(oc whoami -t)" From ebcba323cafd53051c15777f63c95381bde0e9db Mon Sep 17 00:00:00 2001 From: craig Date: Thu, 14 Nov 2024 12:08:11 +0000 Subject: [PATCH 15/16] re-add changes Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- config/install/README.md | 40 +++++++++------------------------------- 1 file changed, 9 insertions(+), 31 deletions(-) diff --git a/config/install/README.md b/config/install/README.md index a10d9b324..301414ea7 100644 --- a/config/install/README.md +++ b/config/install/README.md 
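Review bot: `TOKEN="Bearer $(oc whoami -t)"` uses the current user's OpenShift session token as the Grafana datasource credential for thanos-query; that token expires with the session and carries every permission the user holds, so the datasource will break on expiry and Grafana is granted far more than read access to metrics. Recommend a dedicated ServiceAccount bound to a read-only monitoring role such as `cluster-monitoring-view` and its token instead, and a sentence that the resulting `datasource.env` (already listed in `config/observability/openshift/grafana/.gitignore`) must not be committed or shared. Minor: `Openshift` and `OpenShift` are mixed in the changed lines; moving the expected output into `#` comments inside the fence is fine.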
@@ -9,13 +9,6 @@ - AWS, Azure or GCP with DNS capabilities. (Optional) - Accessible Redis instance, for persistent storage for your rate limit counters. (Optional) -- (optional dependencies) - - If you want to use `TLSPolicy` you should install the cert-manager operator. - - AWS/Azure or GCP with DNS capabilities if you want to make use of `DNSPolicy`. - - Accessible Redis instance, if you want persistent storage for your rate limit counters. - - - > Note: By default the following guide will install the "latest" or "main" version of Kuadrant. To pick a specific version, change the image in the `config/deploy/install/standard/kustomization.yaml`. All versions available can be found on the Kuadrant operator [release page](https://github.com/Kuadrant/kuadrant-operator/releases) @@ -31,36 +24,25 @@ kubectl apply -k config/install/standard ``` kubectl get deployments -n kuadrant-system -``` - -Sample Output: - - -``` -NAME READY UP-TO-DATE AVAILABLE AGE -authorino-operator 1/1 1 1 83m -dns-operator-controller-manager 1/1 1 1 83m -kuadrant-console-plugin 1/1 1 1 83m -kuadrant-operator-controller-manager 1/1 1 1 83m -limitador-operator-controller-manager 1/1 1 1 83m +# NAME READY UP-TO-DATE AVAILABLE AGE +# authorino-operator 1/1 1 1 83m +# dns-operator-controller-manager 1/1 1 1 83m +# kuadrant-console-plugin 1/1 1 1 83m +# kuadrant-operator-controller-manager 1/1 1 1 83m +# limitador-operator-controller-manager 1/1 1 1 83m ``` ``` kubectl get deployments -n gateway-system -``` - -Sample Output: - -``` -NAME READY UP-TO-DATE AVAILABLE AGE -istiod 1/1 1 1 61s -sail-operator 1/1 1 1 81m +# NAME READY UP-TO-DATE AVAILABLE AGE +# istiod 1/1 1 1 61s +# sail-operator 1/1 1 1 81m ``` ## Configure the installation 
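Review bot: folding the sample output into the command fence as `# NAME ...` comment lines works (a pasted block runs only the command), but these fences are untagged while the observability section uses ```bash; tag them the same way for consistent rendering. Removing the duplicated `(optional dependencies)` block resolves the duplication introduced in patch 06.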
@@ -72,7 +54,6 @@ Create the `$CLOUD_PROVIDER-credentials.env file` in the cloud provider director ``` kubectl apply -k config/install/configure/aws - ``` This will configure Kuadrant and Sail to install their components, set the credentials needed to access DNS zones in the cloud provider, and create a Let's Encrypt cluster issuer configured to use DNS-based validation. @@ -83,7 +64,6 @@ Validate Kuadrant is ready via the kuadrant resource status condition ``` kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml - ``` At this point Kuadrant is ready to use. Below are some additional configuration that can be applied. @@ -94,7 +74,6 @@ create a `redis-credential.env` in the `config/install/configure/redis-storage` ``` kubectl apply -k config/install/configure/redis-storage - ``` This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarily unavailable as it restarts. @@ -105,7 +84,6 @@ Validate Kuadrant is in a ready state as before: ``` kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml - ``` ## Set up observability From 154e72dd2ce09e91d97ebf8f9d53e3d1d33d440d Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Thu, 14 Nov 2024 12:30:18 +0000 Subject: [PATCH 16/16] Update config/install/README.md Co-authored-by: Rachel Lawton --- config/install/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/install/README.md b/config/install/README.md index 301414ea7..b63eb4270 100644 --- a/config/install/README.md +++ b/config/install/README.md 
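Review bot: the context line `create a `redis-credential.env` in the `config/install/configure/redis-storage` dir` uses the singular `credential` while the cloud provider files are named `$CLOUD_PROVIDER-credentials.env` (plural, e.g. `aws-credentials.env`); verify the name against what the redis-storage kustomization actually reads and use one convention, since a reader who copies the cloud naming will get a silent "file not found" from kustomize. Dropping the trailing blank lines inside the fences is fine.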
@@ -20,7 +20,7 @@ kubectl apply -k config/install/standard ``` -3) Verify both Kuadrant and sail operators are installed. Note, that this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below: +Verify both Kuadrant and sail operators are installed. Note, that this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below: ``` kubectl get deployments -n kuadrant-system
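Review bot: dropping `3)` fixes the orphaned step number, but `Note, that this can take a while.` still has the stray comma, `sail` should be capitalised like `Kuadrant` in `Verify both Kuadrant and sail operators are installed`, and `subscription and installplan resource` would read better as `Subscription and InstallPlan resources`, matching the OLM resource names.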