Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #13 from datawire/nkrause/upgrade-to-pro
Nkrause/upgrade to pro
Showing 2 changed files with 298 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,146 @@ | ||
# Upgrading to Ambassador Pro | ||
|
||
If you are already using Ambassador open source, upgrading to using Ambassador Pro is straight-forward. In this demo we will walk-through integrating Ambassador Pro into your currently running Ambassador instance and show how quickly you can secure your APIs with JWT authentication. | ||
|
||
## 1. Install Ambassador Pro Resources | ||
|
||
Ambassador Pro relies on several Custom Resource Definition (CRDs) for configuration as well are requires a redis instance for rate limiting. | ||
|
||
We have published these resources for download at https://www.getambassador.io/yaml/ambassador-pro/upgrade.yaml or you can easily install them using `kubectl`. | ||
|
||
``` | ||
kubectl apply -f https://www.getambassador.io/yaml/ambassador/pro/upgrade.yaml | ||
``` | ||
|
||
## 2. Modify Ambassador Deployment | ||
|
||
Ambassador Pro is typically deployed as a sidecar to Ambassador allowing Ambassador to communicate with Pro services locally. | ||
|
||
To upgrade your current Ambassador instance to Ambassador Pro, you will need to edit Ambassador's deployment YAML. A full deployment will look something like this: | ||
|
||
```yaml | ||
--- | ||
apiVersion: extensions/v1beta1 | ||
kind: Deployment | ||
metadata: | ||
name: ambassador | ||
spec: | ||
replicas: 3 | ||
selector: | ||
matchLabels: | ||
service: ambassador | ||
template: | ||
metadata: | ||
annotations: | ||
sidecar.istio.io/inject: "false" | ||
"consul.hashicorp.com/connect-inject": "false" | ||
labels: | ||
service: ambassador | ||
spec: | ||
affinity: | ||
podAntiAffinity: | ||
preferredDuringSchedulingIgnoredDuringExecution: | ||
- weight: 100 | ||
podAffinityTerm: | ||
labelSelector: | ||
matchLabels: | ||
service: ambassador | ||
topologyKey: kubernetes.io/hostname | ||
serviceAccountName: ambassador | ||
containers: | ||
- name: ambassador | ||
image: quay.io/datawire/ambassador:%version% | ||
resources: | ||
limits: | ||
cpu: 1 | ||
memory: 400Mi | ||
requests: | ||
cpu: 200m | ||
memory: 100Mi | ||
env: | ||
- name: AMBASSADOR_NAMESPACE | ||
valueFrom: | ||
fieldRef: | ||
fieldPath: metadata.namespace | ||
ports: | ||
- name: http | ||
containerPort: 80 | ||
- name: https | ||
containerPort: 443 | ||
- name: admin | ||
containerPort: 8877 | ||
livenessProbe: | ||
httpGet: | ||
path: /ambassador/v0/check_alive | ||
port: 8877 | ||
initialDelaySeconds: 30 | ||
periodSeconds: 3 | ||
readinessProbe: | ||
httpGet: | ||
path: /ambassador/v0/check_ready | ||
port: 8877 | ||
initialDelaySeconds: 30 | ||
periodSeconds: 3 | ||
- name: ambassador-pro | ||
image: quay.io/datawire/ambassador_pro:amb-sidecar-%aproVersion% | ||
ports: | ||
- name: ratelimit-grpc | ||
containerPort: 8081 | ||
- name: ratelimit-debug | ||
containerPort: 6070 | ||
- name: auth-http | ||
containerPort: 8082 | ||
env: | ||
- name: REDIS_SOCKET_TYPE | ||
value: tcp | ||
- name: REDIS_URL | ||
value: ambassador-pro-redis:6379 | ||
- name: AMBASSADOR_LICENSE_KEY | ||
value: "" | ||
restartPolicy: Always | ||
``` | ||
As you can see, the only difference between this deployment and the default deployment [here](https://www.getambassador.io/yaml/ambassador/ambassador-no-rbac.yaml), is the addition of the `ambassador-pro` container. Adding this container to your Ambassador deployment and applying the YAML will install Ambassador Pro. | ||
|
||
|
||
```yaml | ||
... | ||
- name: ambassador-pro | ||
image: quay.io/datawire/ambassador_pro:amb-sidecar-%aproVersion% | ||
ports: | ||
- name: ratelimit-grpc | ||
containerPort: 8081 | ||
- name: ratelimit-debug | ||
containerPort: 6070 | ||
- name: auth-http | ||
containerPort: 8082 | ||
env: | ||
- name: REDIS_SOCKET_TYPE | ||
value: tcp | ||
- name: REDIS_URL | ||
value: ambassador-pro-redis:6379 | ||
- name: AMBASSADOR_LICENSE_KEY | ||
value: "" | ||
``` | ||
|
||
**Note:** Make sure to put your license key in the `AMBASSADOR_LICENSE_KEY` environment variable. | ||
|
||
## 3. Configure Additional Ambassador Pro Services | ||
|
||
Ambassador Pro has many more features such as rate limiting, OAuth integration, and more. | ||
|
||
### Enabling Rate limiting | ||
|
||
For more information on configuring rate limiting, consult the [Advanced Rate Limiting tutorial ](/user-guide/advanced-rate-limiting) for information on configuring rate limits. | ||
|
||
### Enabling Single Sign-On | ||
|
||
For more information on configuring the OAuth filter, see the [Single Sign-On with OAuth and OIDC](/user-guide/oauth-oidc-auth) documentation. | ||
|
||
### Enabling Service Preview | ||
|
||
Service Preview requires a command-line client, `apictl`. For instructions on configuring Service Preview, see the [Service Preview tutorial](/docs/dev-guide/service-preview). | ||
|
||
### Enabling Consul Connect integration | ||
|
||
Ambassador Pro's Consul Connect integration is deployed as a separate Kubernetes service. For instructions on deploying Consul Connect, see the [Consul Connect integration guide](/user-guide/consul-connect-ambassador). |
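Review bot: The download URL in step 1 does not match the command directly below it: the prose links `https://www.getambassador.io/yaml/ambassador-pro/upgrade.yaml` while `kubectl apply -f` fetches `https://www.getambassador.io/yaml/ambassador/pro/upgrade.yaml`. Use the path that is actually published in both places, otherwise one of the two will fail for readers. In step 2, both YAML blocks set `AMBASSADOR_LICENSE_KEY` through an inline `value: ""` and the note tells readers to put the key there, which leaves the license key in plain text in the Deployment manifest and in whatever repository stores it; consider documenting `valueFrom.secretKeyRef` against a Kubernetes Secret instead. Smaller points: the intro promises securing APIs with JWT authentication but no step configures it, "as well are requires" in step 1 should read "and also requires", and the sentence under "Enabling Rate limiting" says "for information on configuring" twice.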
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,152 @@ | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: ClusterRole | ||
metadata: | ||
name: ambassador | ||
rules: | ||
- apiGroups: [""] | ||
resources: | ||
- services | ||
- endpoints | ||
- namespaces | ||
- secrets | ||
verbs: ["get", "list", "watch"] | ||
- apiGroups: [""] | ||
resources: | ||
- configmaps | ||
verbs: ["create", "update", "patch", "get", "list", "watch"] | ||
- apiGroups: ["getambassador.io"] | ||
resources: | ||
- filters | ||
- ratelimits | ||
- filterpolicies | ||
verbs: ["get", "list", "watch"] | ||
|
||
###################################################################### | ||
# Create a CRDs used to configure ambassador-pro | ||
--- | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
name: filterpolicies.getambassador.io | ||
spec: | ||
group: getambassador.io | ||
version: v1beta2 | ||
versions: | ||
- name: v1beta2 | ||
served: true | ||
storage: true | ||
scope: Namespaced | ||
names: | ||
plural: filterpolicies | ||
singular: filterpolicy | ||
kind: FilterPolicy | ||
shortNames: | ||
- fp | ||
--- | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
name: filters.getambassador.io | ||
spec: | ||
group: getambassador.io | ||
version: v1beta2 | ||
versions: | ||
- name: v1beta2 | ||
served: true | ||
storage: true | ||
scope: Namespaced | ||
names: | ||
plural: filters | ||
singular: filter | ||
kind: Filter | ||
shortNames: | ||
- fil | ||
--- | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
name: ratelimits.getambassador.io | ||
spec: | ||
group: getambassador.io | ||
version: v1beta1 | ||
versions: | ||
- name: v1beta1 | ||
served: true | ||
storage: true | ||
scope: Namespaced | ||
names: | ||
plural: ratelimits | ||
singular: ratelimit | ||
kind: RateLimit | ||
shortNames: | ||
- rl | ||
|
||
###################################################################### | ||
# Redis for Ambassador Pro ratelimit | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: ambassador-pro-redis | ||
spec: | ||
type: ClusterIP | ||
ports: | ||
- port: 6379 | ||
targetPort: 6379 | ||
selector: | ||
service: ambassador-pro-redis | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: ambassador-pro-redis | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
service: ambassador-pro-redis | ||
template: | ||
metadata: | ||
labels: | ||
service: ambassador-pro-redis | ||
spec: | ||
containers: | ||
- name: redis | ||
image: redis:5.0.1 | ||
restartPolicy: Always | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
labels: | ||
service: ambassador-pro | ||
name: ambassador-pro | ||
annotations: | ||
getambassador.io/config: | | ||
--- | ||
apiVersion: ambassador/v1 | ||
kind: AuthService | ||
name: ambassador-pro-auth | ||
proto: grpc | ||
auth_service: 127.0.0.1:8082 | ||
allow_request_body: false # setting this to 'true' allows Plugin and External filters to access the body, but has performance overhead | ||
--- | ||
# This mapping needs to exist, but is never actually followed. | ||
apiVersion: ambassador/v1 | ||
kind: Mapping | ||
name: callback_mapping | ||
prefix: /callback | ||
service: NoTaReAlSeRvIcE | ||
--- | ||
apiVersion: ambassador/v1 | ||
kind: RateLimitService | ||
name: ambassador-pro-ratelimit | ||
service: "127.0.0.1:8081" | ||
spec: | ||
type: ClusterIP | ||
ports: | ||
- name: ambassador-pro | ||
port: 80 | ||
selector: | ||
service: ambassador |
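Review bot: The `ambassador-pro-redis` Deployment runs `image: redis:5.0.1` with no password, no `resources` block and no `securityContext`, and its ClusterIP Service on port 6379 is reachable from any pod in the cluster unless a NetworkPolicy restricts it. Since this Redis holds the rate-limit state, I would add a NetworkPolicy that only admits pods labelled `service: ambassador` (or require a Redis password), and set resource requests and limits as the `ambassador` container in the docs already does. Separately, the ClusterRole is named `ambassador` and grants `get`, `list`, `watch` on `secrets` cluster-wide, so applying this file replaces the rules of any existing ClusterRole of that name; a comment explaining why `secrets` is needed and that the role is being updated in place would help people who have customised it. Nit: the section comment "Create a CRDs used to configure ambassador-pro" should read "Create the CRDs".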