Updated install doc

.gitignore

@@ -23,6 +23,7 @@ testbin/*
 .vscode
 *.swp
 *.swo
+*.env
 *~
 /kuadrant-operator
 tmp

config/install/README.md

@@ -0,0 +1,146 @@
+# Install Kaudrant and Sail via OLM
+
+- Pre-Req is that OLM (operator lifecycle manager) is already installed
+
+- (optional dependencies)
+  - If you want to use `TLSPolicy` you should install the cert-manager operator. 
+  - AWS/Azure or GCP with DNS capabilities if you want to make use of `DNSPolicy`.
+  - Accessible Redis instance, if you want persistent storage for your rate limit counters.
+
+
+Install the Sail and Kuadrant Operators via OLM:
+
+
+> Note: By default this will install the "latest" or "main" of kuadrant. To change that, pick a release from the releases page in the kuadrant operator and change the image in the `config/deploy/install/standard/kustomization.yaml`.
+
+> Note: We are using the `--context` flag here this is useful if installing on more than one cluster otherwise it is not needed
+
+```
+export ctx=replace-with-your-context
+```
+
+```
+kubectl apply -k config/install/standard --context=$ctx
+``` 
+
+3) verify kuadrant and sail operators are installed. Note this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below:
+
+```
+kubectl get deployments -n kuadrant-system --context=$ctx
+```
+
+```
+
+NAME                                    READY   UP-TO-DATE   AVAILABLE   AGE
+authorino-operator                      1/1     1            1           83m
+dns-operator-controller-manager         1/1     1            1           83m
+kuadrant-console-plugin                 1/1     1            1           83m
+kuadrant-operator-controller-manager    1/1     1            1           83m
+limitador-operator-controller-manager   1/1     1            1           83m
+
+```
+
+
+
+```
+kubectl get deployments -n gateway-system --context=$ctx
+```
+
+```
+
+NAME            READY   UP-TO-DATE   AVAILABLE   AGE
+istiod          1/1     1            1           61s
+sail-operator   1/1     1            1           81m
+
+```
+
+## Configure the installation
+
+### TLS and DNS integration
+
+To setup the DNS and TLS integration (TLS also uses DNS for verification) follow these steps:
+
+1) Depending on your choice of cloud provider:
+    - setup the needed `$CLOUD_PROVIDER-credentials.env` in the cloud provider directory. E.G create `aws-credentials.env` in the `config/install/configure/aws` directory
+
+3) execute the configure for that cloud provider
+
+```
+kubectl apply -k config/install/configure/aws --context=$ctx
+
+```
+
+This will configure Kuadrant and Sail installing their components as well as setup the the credentials needed for access DNS zones in the cloud provider and create a lets-encrypt cluster issuer configured to use DNS based validation.
+
+### Validate
+
+Validate Kuadrant is ready via the kuadrant resource status condition
+
+```
+kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml --context=$ctx
+
+```
+
+At this point Kuadrant is ready to use. Below are some additional configuration that can be applied.
+
+### External Redis
+
+create a `redis-credential.env` in the `config/install/configure/redis-storage` dir
+
+```
+kubectl apply -k config/install/configure/redis-storage --context=$ctx
+
+```
+
+This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarily unavailable as it restarts.
+
+### Validate
+
+Validate Kuadrant is in a ready state as before:
+
+```
+kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml --context=$ctx
+
+```
+
+## Set up observability
+
+Verify that user workload monitoring is enabled in your Openshift cluster.
+If it not enabled, check the [Openshift documentation](https://docs.openshift.com/container-platform/4.17/observability/monitoring/enabling-monitoring-for-user-defined-projects.html) for how to do this.
+
+```bash
+kubectl get configmap cluster-monitoring-config -n openshift-monitoring -o jsonpath='{.data.config\.yaml}'|grep enableUserWorkload
+
+(expected output)
+enableUserWorkload: true
+```
+
+Install the gateway & kuadrant metrics components and configuration, including Grafana.
+
+```bash
+kubectl apply -k config/install/configure/observability
+```
+
+Configure the openshift thanos-query instance as a data source in Grafana.
+
+```bash
+TOKEN="Bearer $(oc whoami -t)"
+HOST="$(kubectl -n openshift-monitoring get route thanos-querier -o jsonpath='https://{.status.ingress[].host}')"
+echo "TOKEN=$TOKEN" > config/observability/openshift/grafana/datasource.env
+echo "HOST=$HOST" >> config/observability/openshift/grafana/datasource.env
+kubectl apply -k config/observability/openshift/grafana
+```
+
+Create the example dashboards in Grafana
+
+```bash
+kubectl apply -k examples/dashboards
+```
+
+Access the Grafana UI, using the default user/pass of root/secret.
+You should see the example dashboards in the 'monitoring' folder.
+For more information on the example dashboards, check out the [documentation](https://docs.kuadrant.io/latest/kuadrant-operator/doc/observability/examples/).
+
+```bash
+kubectl -n monitoring get routes grafana-route -o jsonpath="https://{.status.ingress[].host}"
+```

config/install/configure/aws/cluster-issuer.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: lets-encrypt-aws
+spec:
+  acme:
+    privateKeySecretRef:
+      name: le-secret
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+      - dns01:
+          route53:
+            accessKeyIDSecretRef:
+              key: AWS_ACCESS_KEY_ID
+              name: aws-credentials
+            region: us-east-1 #override if needed
+            secretAccessKeySecretRef:
+              key: AWS_SECRET_ACCESS_KEY
+              name: aws-credentials

config/install/configure/aws/kustomization.yaml

@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+## NOTE YOU NEED TO CREATE A aws-provider-credentials.env file first!
+
+resources:
+  - ../standard
+  - cluster-issuer.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    app.kubernetes.io/part-of: kuadrant
+    app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+  - name: aws-provider-credentials
+    namespace: cert-manager
+    envs:
+      - aws-credentials.env
+    type: 'kuadrant.io/aws'
+  - name: aws-provider-credentials
+    namespace: gateway-system
+    envs:
+      - aws-credentials.env
+    type: 'kuadrant.io/aws'

config/install/configure/azure/cluster-issuer.yaml

@@ -0,0 +1,25 @@
+## TODO
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-azure
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # email: $EMAIL_ADDRESS
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - dns01:
+          azureDNS:
+            clientID: AZURE_CERT_MANAGER_SP_APP_ID
+            clientSecretSecretRef:
+              # The following is the secret we created in Kubernetes. Issuer will use this to present challenge to Azure DNS.
+              name: azuredns-config
+              key: client-secret
+            subscriptionID: AZURE_SUBSCRIPTION_ID
+            tenantID: AZURE_TENANT_ID
+            resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP
+            hostedZoneName: AZURE_DNS_ZONE
+            # Azure Cloud Environment, default to AzurePublicCloud
+            environment: AzurePublicCloud

config/install/configure/azure/kustomization.yaml

@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+## NOTE YOU NEED TO CREATE A azure-provider-credentials.env file first!
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    app.kubernetes.io/part-of: kuadrant
+    app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+  - name: azure-provider-credentials
+    namespace: kuadrant-system
+    envs:
+      - azure-credentials.env
+    type: 'kuadrant.io/azure'
+  - name: azure-provider-credentials
+    namespace: cert-manager
+    envs:
+      - azure-credentials.env
+    type: 'kuadrant.io/azure'
+  - name: azure-provider-credentials
+    namespace: gateway-system
+    envs:
+      - azure-credentials.env
+    type: 'kuadrant.io/azure'

config/install/configure/gcp/cluster-issuer.yaml

@@ -0,0 +1,20 @@
+## TODO
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-gcp
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # email: $EMAIL_ADDRESS
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - dns01:
+          cloudDNS:
+            # The ID of the GCP project
+            project: $PROJECT_ID
+            # This is the secret used to access the service account
+            serviceAccountSecretRef:
+              name: gcp-provider-credentials
+              key: key.json

config/install/configure/gcp/kustomization.yaml

@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+## NOTE YOU NEED TO CREATE A gcp-provider-credentials.env file first!
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    app.kubernetes.io/part-of: kuadrant
+    app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+  - name: gcp-provider-credentials
+    namespace: kuadrant-system
+    envs:
+      - gcp-credentials.env
+    type: 'kuadrant.io/gcp'
+  - name: gcp-provider-credentials
+    namespace: cert-manager
+    envs:
+      - gcp-credentials.env
+    type: 'kuadrant.io/gcp'
+  - name: gcp-provider-credentials
+    namespace: gateway-system
+    envs:
+      - gcp-credentials.env
+    type: 'kuadrant.io/gcp'

config/install/configure/kitchen-sink/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../dns-aws
+  - ../dns-azure
+  - ../dns-gcp
+  - ../redis-storage
+  - ../tls-lets-encrypt

config/install/configure/observability/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.6.0
+  - ../../../observability/openshift/
+  - ../../../observability/prometheus/monitors/

config/install/configure/redis-storage/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - limitador.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    app.kubernetes.io/part-of: kuadrant
+    app.kubernetes.io/managed-by: kustomize
+
+secretGenerator:
+  - name: redis-credentials
+    namespace: kuadrant-system
+    envs:
+      - redis-credentials.env
+    type: 'kuadrant.io/aws'

config/install/configure/redis-storage/limitador.yaml

@@ -0,0 +1,10 @@
+apiVersion: limitador.kuadrant.io/v1alpha1
+kind: Limitador
+metadata:
+  name: limitador
+  namespace: kuadrant-system
+spec:
+  storage:
+    redis:
+      configSecretRef:
+        name: redis-credentials

config/install/configure/standard/kuadrant.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuadrant.io/v1beta1
+kind: Kuadrant
+metadata:
+  name: kuadrant
+  namespace: kuadrant-system

config/install/configure/standard/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - sail.yaml
+  - kuadrant.yaml

config/install/configure/standard/sail.yaml

@@ -0,0 +1,13 @@
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+metadata:
+  name: default
+spec:
+  namespace: gateway-system
+  updateStrategy:
+    type: InPlace
+    inactiveRevisionDeletionGracePeriodSeconds: 30
+  version: v1.23.0
+  values:
+    pilot:
+      autoscaleEnabled: false

config/install/configure/tls-lets-encrypt/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - cluster-issuer.yaml