This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #13 from datawire/nkrause/upgrade-to-pro
Nkrause/upgrade to pro
iNoahNothing authored Apr 3, 2019

2 parents f76514c + 0d89578 commit 5695099
Showing 2 changed files with 298 additions and 0 deletions.
146 changes: 146 additions & 0 deletions user-guide/upgrade-to-pro.md
@@ -0,0 +1,146 @@
# Upgrading to Ambassador Pro

If you are already using Ambassador open source, upgrading to using Ambassador Pro is straight-forward. In this demo we will walk-through integrating Ambassador Pro into your currently running Ambassador instance and show how quickly you can secure your APIs with JWT authentication.

## 1. Install Ambassador Pro Resources

Ambassador Pro relies on several Custom Resource Definition (CRDs) for configuration as well are requires a redis instance for rate limiting.

We have published these resources for download at https://www.getambassador.io/yaml/ambassador-pro/upgrade.yaml or you can easily install them using `kubectl`.

```
kubectl apply -f https://www.getambassador.io/yaml/ambassador/pro/upgrade.yaml
```

## 2. Modify Ambassador Deployment

Ambassador Pro is typically deployed as a sidecar to Ambassador allowing Ambassador to communicate with Pro services locally.

To upgrade your current Ambassador instance to Ambassador Pro, you will need to edit Ambassador's deployment YAML. A full deployment will look something like this:

```yaml
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: ambassador
spec:
replicas: 3
selector:
matchLabels:
service: ambassador
template:
metadata:
annotations:
sidecar.istio.io/inject: "false"
"consul.hashicorp.com/connect-inject": "false"
labels:
service: ambassador
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
service: ambassador
topologyKey: kubernetes.io/hostname
serviceAccountName: ambassador
containers:
- name: ambassador
image: quay.io/datawire/ambassador:%version%
resources:
limits:
cpu: 1
memory: 400Mi
requests:
cpu: 200m
memory: 100Mi
env:
- name: AMBASSADOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
- name: admin
containerPort: 8877
livenessProbe:
httpGet:
path: /ambassador/v0/check_alive
port: 8877
initialDelaySeconds: 30
periodSeconds: 3
readinessProbe:
httpGet:
path: /ambassador/v0/check_ready
port: 8877
initialDelaySeconds: 30
periodSeconds: 3
- name: ambassador-pro
image: quay.io/datawire/ambassador_pro:amb-sidecar-%aproVersion%
ports:
- name: ratelimit-grpc
containerPort: 8081
- name: ratelimit-debug
containerPort: 6070
- name: auth-http
containerPort: 8082
env:
- name: REDIS_SOCKET_TYPE
value: tcp
- name: REDIS_URL
value: ambassador-pro-redis:6379
- name: AMBASSADOR_LICENSE_KEY
value: ""
restartPolicy: Always
```
As you can see, the only difference between this deployment and the default deployment [here](https://www.getambassador.io/yaml/ambassador/ambassador-no-rbac.yaml), is the addition of the `ambassador-pro` container. Adding this container to your Ambassador deployment and applying the YAML will install Ambassador Pro.


```yaml
...
- name: ambassador-pro
image: quay.io/datawire/ambassador_pro:amb-sidecar-%aproVersion%
ports:
- name: ratelimit-grpc
containerPort: 8081
- name: ratelimit-debug
containerPort: 6070
- name: auth-http
containerPort: 8082
env:
- name: REDIS_SOCKET_TYPE
value: tcp
- name: REDIS_URL
value: ambassador-pro-redis:6379
- name: AMBASSADOR_LICENSE_KEY
value: ""
```

**Note:** Make sure to put your license key in the `AMBASSADOR_LICENSE_KEY` environment variable.

## 3. Configure Additional Ambassador Pro Services

Ambassador Pro has many more features such as rate limiting, OAuth integration, and more.

### Enabling Rate limiting

For more information on configuring rate limiting, consult the [Advanced Rate Limiting tutorial ](/user-guide/advanced-rate-limiting) for information on configuring rate limits.

### Enabling Single Sign-On

For more information on configuring the OAuth filter, see the [Single Sign-On with OAuth and OIDC](/user-guide/oauth-oidc-auth) documentation.

### Enabling Service Preview

Service Preview requires a command-line client, `apictl`. For instructions on configuring Service Preview, see the [Service Preview tutorial](/docs/dev-guide/service-preview).

### Enabling Consul Connect integration

Ambassador Pro's Consul Connect integration is deployed as a separate Kubernetes service. For instructions on deploying Consul Connect, see the [Consul Connect integration guide](/user-guide/consul-connect-ambassador).
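
Review bot: The download URL in the prose of step 1 (`https://www.getambassador.io/yaml/ambassador-pro/upgrade.yaml`) does not match the URL in the `kubectl apply` line right below it (`https://www.getambassador.io/yaml/ambassador/pro/upgrade.yaml`), and only the second one corresponds to the `yaml/ambassador/pro/upgrade.yaml` file this commit adds; please make the prose link use the same path. In step 2, both YAML samples set `AMBASSADOR_LICENSE_KEY` with an inline `value: ""`, which steers readers toward pasting the key into the Deployment manifest; consider showing it sourced from a Kubernetes Secret through `valueFrom.secretKeyRef` instead. The introduction promises securing APIs with JWT authentication, but no step in the guide configures it, so either add that step or drop the claim. Minor: "as well are requires a redis instance" in step 1 needs rewording, and the rate limiting sentence in step 3 says "for information on configuring" twice.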
152 changes: 152 additions & 0 deletions yaml/ambassador/pro/upgrade.yaml
@@ -0,0 +1,152 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: ambassador
rules:
- apiGroups: [""]
resources:
- services
- endpoints
- namespaces
- secrets
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- configmaps
verbs: ["create", "update", "patch", "get", "list", "watch"]
- apiGroups: ["getambassador.io"]
resources:
- filters
- ratelimits
- filterpolicies
verbs: ["get", "list", "watch"]

######################################################################
# Create a CRDs used to configure ambassador-pro
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: filterpolicies.getambassador.io
spec:
group: getambassador.io
version: v1beta2
versions:
- name: v1beta2
served: true
storage: true
scope: Namespaced
names:
plural: filterpolicies
singular: filterpolicy
kind: FilterPolicy
shortNames:
- fp
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: filters.getambassador.io
spec:
group: getambassador.io
version: v1beta2
versions:
- name: v1beta2
served: true
storage: true
scope: Namespaced
names:
plural: filters
singular: filter
kind: Filter
shortNames:
- fil
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ratelimits.getambassador.io
spec:
group: getambassador.io
version: v1beta1
versions:
- name: v1beta1
served: true
storage: true
scope: Namespaced
names:
plural: ratelimits
singular: ratelimit
kind: RateLimit
shortNames:
- rl

######################################################################
# Redis for Ambassador Pro ratelimit
---
apiVersion: v1
kind: Service
metadata:
name: ambassador-pro-redis
spec:
type: ClusterIP
ports:
- port: 6379
targetPort: 6379
selector:
service: ambassador-pro-redis
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ambassador-pro-redis
spec:
replicas: 1
selector:
matchLabels:
service: ambassador-pro-redis
template:
metadata:
labels:
service: ambassador-pro-redis
spec:
containers:
- name: redis
image: redis:5.0.1
restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
labels:
service: ambassador-pro
name: ambassador-pro
annotations:
getambassador.io/config: |
---
apiVersion: ambassador/v1
kind: AuthService
name: ambassador-pro-auth
proto: grpc
auth_service: 127.0.0.1:8082
allow_request_body: false # setting this to 'true' allows Plugin and External filters to access the body, but has performance overhead
---
# This mapping needs to exist, but is never actually followed.
apiVersion: ambassador/v1
kind: Mapping
name: callback_mapping
prefix: /callback
service: NoTaReAlSeRvIcE
---
apiVersion: ambassador/v1
kind: RateLimitService
name: ambassador-pro-ratelimit
service: "127.0.0.1:8081"
spec:
type: ClusterIP
ports:
- name: ambassador-pro
port: 80
selector:
service: ambassador
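
Review bot: The `ambassador` ClusterRole at the top of this file grants `get`, `list` and `watch` on `secrets` in the core API group, and as a ClusterRole rule that applies to every namespace; if Ambassador only needs the TLS secrets of particular namespaces, scope this with a namespaced Role, or add a comment explaining why cluster-wide read is required. The file also defines the ClusterRole without any ClusterRoleBinding or ServiceAccount, so it is worth stating in a comment which existing binding it is expected to attach to. The `ambassador-pro-redis` Deployment runs `redis:5.0.1` with no password, arguments or resource limits and is published on a ClusterIP Service at port 6379, so any pod the cluster network allows can reach it; consider a NetworkPolicy limiting access to the `service: ambassador` pods, plus resource requests and limits. Minor: the section comment "Create a CRDs used to configure ambassador-pro" should read "Create the CRDs".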
