feat: better support of caddy as a k8s load balancer
This introduces quite a few changes to make it easier to run Caddy as a load
balancer in Kubernetes:

- Make it possible to start/stop a selection of resources with ``tutor k8s
  start/stop [names...]``.
- Make it easy to deploy an independent LoadBalancer by converting the caddy
  service to a NodePort when ``ENABLE_WEB_PROXY=false``.
- Add a ``app.kubernetes.io/component: loadbalancer`` label to the LoadBalancer
  service.
- Add ``app.kubernetes.io/name`` labels to all services.
- Preserve the LoadBalancer service in ``tutor k8s stop`` commands.
- Wait for the caddy deployment to be ready before running initialisation jobs.

Close #532.
regisb committed Nov 29, 2021
1 parent 87b67cb commit 9dcd666
Showing 4 changed files with 126 additions and 32 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,13 @@ Note: Breaking changes between versions are indicated by "💥".

## Unreleased

- [Feature] Better support of Caddy as a load balancer in Kubernetes:
- Make it possible to start/stop a selection of resources with ``tutor k8s start/stop [names...]``.
- Make it easy to deploy an independent LoadBalancer by converting the caddy service to a ClusterIP when ``ENABLE_WEB_PROXY=false``.
- Add a ``app.kubernetes.io/component: loadbalancer`` label to the LoadBalancer service.
- Add ``app.kubernetes.io/name`` labels to all services.
- Preserve the LoadBalancer service in ``tutor k8s stop`` commands.
- Wait for the caddy deployment to be ready before running initialisation jobs.
- [Security] On Kubernetes, convert all NodePort services to ClusterIP to guarantee network isolation from outside the cluster.
- [Bugfix] Remove trailing slashes in docker-compose files for [compatibility with docker-compose v2 in WSL](https://github.com/docker/compose/issues/8558).
- [Improvement] `settheme` now works with preview domain.
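Review bot: the ``ENABLE_WEB_PROXY=false`` entry here says the caddy service becomes a ClusterIP, which matches the ``type: ClusterIP`` branch added in ``tutor/templates/k8s/services.yml`` and the [Security] line two entries below (all NodePort services converted to ClusterIP), but the commit message for this same change says NodePort; the commit message should be corrected so the two agree.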
18 changes: 15 additions & 3 deletions docs/k8s.rst
Expand Up @@ -27,10 +27,22 @@ The Kubernetes cluster should have at least 4Gb of RAM on each node. When runnin
.. image:: img/virtualbox-minikube-system.png
:alt: Virtualbox memory settings for Minikube

Ingress controller and SSL/TLS certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Load Balancer and SSL/TLS certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As of Tutor v11, it is no longer required to setup an Ingress controller to access your platform. Instead Caddy exposes a LoadBalancer service and SSL/TLS certificates are transparently generated at runtime.
By default, Tutor deploys a `LoadBalancer <https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer>`__ service that exposes the Caddy deployment to the outside world. As in the local installation, this service is responsible for transparently generating SSL/TLS certificates at runtime. You will need to point your DNS records to this LoadBalancer object before the platform can work correctly. Thus, you should first start the Caddy load balancer, with::

tutor k8s start caddy

Then, configure your DNS records to point at the external IP address of the Caddy service::

kubectl --namespace openedx get services/caddy

Once the DNS records are configured, you should verify that the Caddy container has properly generated the SSL/TLS certificates by checking the container logs::

tutor k8s logs -f caddy

If, for some reason, you would like to deploy your own load balancer, you should set ``ENABLE_WEB_PROXY=false`` just like in the :ref:`local installation <web_proxy>`. Then, point your load balancer at the "caddy" service, which will be a `ClusterIP <https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types>`__.

S3-like object storage with `MinIO <https://www.minio.io/>`_
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
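Review bot: the ``kubectl --namespace openedx get services/caddy`` example hard-codes the namespace, while Tutor's namespace is configurable (K8S_NAMESPACE), so either note that or reference the setting; it would also help readers to say that the EXTERNAL-IP column shows ``<pending>`` until the cloud provider has allocated an address, and that the certificate errors they may see in ``tutor k8s logs -f caddy`` are expected until the DNS records actually resolve to that address.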
99 changes: 70 additions & 29 deletions tutor/commands/k8s.py
Expand Up @@ -194,9 +194,16 @@ def quickstart(context: click.Context, non_interactive: bool) -> None:
)


@click.command(help="Run all configured Open edX services")
@click.command(
short_help="Run all configured Open edX resources",
help=(
"Run all configured Open edX resources. You may limit this command to "
"some resources by passing name arguments."
),
)
@click.argument("names", metavar="name", nargs=-1)
@click.pass_obj
def start(context: Context) -> None:
def start(context: Context, names: List[str]) -> None:
config = tutor_config.load(context.root)
# Create namespace, if necessary
# Note that this step should not be run for some users, in particular those
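Review bot: ``names: List[str]`` requires ``List`` to be imported from ``typing``; the import block is not part of this diff and only ``Optional`` is visibly used elsewhere in the file, so confirm the import is present. Also, click passes an ``nargs=-1`` argument as a tuple, so ``Tuple[str, ...]`` (or ``Sequence[str]``) is the accurate annotation; ``names or ["all"]`` works with either, since an empty tuple is falsy.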
Expand All @@ -214,34 +221,68 @@ def start(context: Context) -> None:
"--selector",
"app.kubernetes.io/component=namespace",
)
# Create volumes
utils.kubectl(
"apply",
"--kustomize",
tutor_env.pathjoin(context.root),
"--wait",
"--selector",
"app.kubernetes.io/component=volume",
)
# Create everything else except jobs
utils.kubectl(
"apply",
"--kustomize",
tutor_env.pathjoin(context.root),
"--selector",
"app.kubernetes.io/component notin (job,volume,namespace)",
)

names = names or ["all"]
for name in names:
if name == "all":
# Create volumes
utils.kubectl(
"apply",
"--kustomize",
tutor_env.pathjoin(context.root),
"--wait",
"--selector",
"app.kubernetes.io/component=volume",
)
# Create everything else except jobs
utils.kubectl(
"apply",
"--kustomize",
tutor_env.pathjoin(context.root),
"--selector",
"app.kubernetes.io/component notin (job,volume,namespace)",
)
else:
utils.kubectl(
"apply",
"--kustomize",
tutor_env.pathjoin(context.root),
"--selector",
"app.kubernetes.io/name={}".format(name),
)


@click.command(help="Stop a running platform")
@click.command(
short_help="Stop a running platform",
help=(
"Stop a running platform by deleting all resources, except for volumes. "
"You may limit this command to some resources by passing name arguments."
),
)
@click.argument("names", metavar="name", nargs=-1)
@click.pass_obj
def stop(context: Context) -> None:
def stop(context: Context, names: List[str]) -> None:
config = tutor_config.load(context.root)
utils.kubectl(
"delete",
*resource_selector(config),
"deployments,services,configmaps,jobs",
)
names = names or ["all"]
resource_types = "deployments,services,configmaps,jobs"
not_lb_selector = "app.kubernetes.io/component!=loadbalancer"
for name in names:
if name == "all":
utils.kubectl(
"delete",
*resource_selector(config, not_lb_selector),
resource_types,
)
else:
utils.kubectl(
"delete",
*resource_selector(
config,
not_lb_selector,
"app.kubernetes.io/name={}".format(name),
),
resource_types,
)


@click.command(help="Reboot an existing platform")
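Review bot: the per-name branch in ``start`` applies every resource labelled ``app.kubernetes.io/name=<name>`` with no component exclusion, whereas the ``all`` branch deliberately excludes jobs via ``notin (job,volume,namespace)`` and applies volumes with ``--wait``; if any job manifest carries the same name label, ``tutor k8s start <name>`` would create it, so consider extending that selector with ``,app.kubernetes.io/component!=job``. The name is also interpolated into the selector string unvalidated, so a value containing a comma or a selector operator changes the query's meaning instead of failing cleanly; checking names against the known resource names (or at least rejecting anything that is not a plain label value) would give users a clearer error. Finally, ``stop`` now passes extra selector arguments to ``resource_selector``, whose definition is not in this diff; make sure it accepts a variable number of selectors.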
Expand Down Expand Up @@ -286,9 +327,9 @@ def delete(context: Context, yes: bool) -> None:
def init(context: Context, limit: Optional[str]) -> None:
config = tutor_config.load(context.root)
runner = K8sJobRunner(context.root, config)
for service in ["mysql", "elasticsearch", "mongodb"]:
if tutor_config.is_service_activated(config, service):
wait_for_pod_ready(config, service)
for name in ["caddy", "elasticsearch", "mysql", "mongodb"]:
if tutor_config.is_service_activated(config, name):
wait_for_pod_ready(config, name)
jobs.initialise(runner, limit_to=limit)


34 changes: 34 additions & 0 deletions tutor/templates/k8s/services.yml
Expand Up @@ -4,13 +4,33 @@ apiVersion: v1
kind: Service
metadata:
name: caddy
labels:
app.kubernetes.io/name: caddy
app.kubernetes.io/component: loadbalancer
spec:
type: LoadBalancer
ports:
- port: 80
name: http
{%- if ENABLE_HTTPS %}
- port: 443
name: https
{%- endif %}
selector:
app.kubernetes.io/name: caddy
{% else %}
---
apiVersion: v1
kind: Service
metadata:
name: caddy
labels:
app.kubernetes.io/name: caddy
spec:
type: ClusterIP
ports:
- port: {{ CADDY_HTTP_PORT }}
name: http
selector:
app.kubernetes.io/name: caddy
{% endif %}
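Review bot: the LoadBalancer service sets no ``loadBalancerSourceRanges``, so the provisioned load balancer accepts traffic from any source on ports 80 and 443; that is the right default for a public platform, but a sentence in docs/k8s.rst on restricting it would help operators who sit the platform behind a CDN or VPN. Also, only the LoadBalancer branch carries ``app.kubernetes.io/component: loadbalancer``, so with ``ENABLE_WEB_PROXY=false`` the ClusterIP caddy service is deleted by ``tutor k8s stop`` like any other service; that matches the intent (only the externally provisioned LoadBalancer is preserved), but the changelog entry should say so.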
Expand All @@ -20,6 +40,8 @@ apiVersion: v1
kind: Service
metadata:
name: cms
labels:
app.kubernetes.io/name: cms
spec:
type: ClusterIP
ports:
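Review bot: the new ``app.kubernetes.io/name`` labels are only added to Service objects in this diff, yet ``tutor k8s start <name>`` selects on that label across deployments, configmaps and services alike; the matching deployment and configmap manifests need the same label for a per-name start to deploy anything beyond the service, and nothing in the four changed files shows that they carry it, so confirm before merging.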
Expand Down Expand Up @@ -48,6 +70,8 @@ apiVersion: v1
kind: Service
metadata:
name: lms
labels:
app.kubernetes.io/name: lms
spec:
type: ClusterIP
ports:
Expand All @@ -62,6 +86,8 @@ apiVersion: v1
kind: Service
metadata:
name: elasticsearch
labels:
app.kubernetes.io/name: elasticsearch
spec:
type: ClusterIP
ports:
Expand All @@ -76,6 +102,8 @@ apiVersion: v1
kind: Service
metadata:
name: mongodb
labels:
app.kubernetes.io/name: mongodb
spec:
type: ClusterIP
ports:
Expand All @@ -90,6 +118,8 @@ apiVersion: v1
kind: Service
metadata:
name: mysql
labels:
app.kubernetes.io/name: mysql
spec:
type: ClusterIP
ports:
Expand All @@ -116,6 +146,8 @@ apiVersion: v1
kind: Service
metadata:
name: redis
labels:
app.kubernetes.io/name: redis
spec:
type: ClusterIP
ports:
Expand All @@ -130,6 +162,8 @@ apiVersion: v1
kind: Service
metadata:
name: smtp
labels:
app.kubernetes.io/name: smtp
spec:
type: ClusterIP
ports:
