Skip to content

Commit

Permalink
Updated install doc (#986)
Browse files Browse the repository at this point in the history
* add a basic kustomize install

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

* Add observability steps and configuration (#1006)

Signed-off-by: David Martin <[email protected]>

* updates for install doc

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

Update observability resources to use gateway-system namespace (#969)

Signed-off-by: David Martin <[email protected]>

add example for external api usage

* remove links

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

* Apply suggestions from code review

Co-authored-by: Rachel Lawton <[email protected]>

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

* remove links
update multi cluster options

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

* fix indent

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

* re-add changes

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

* re-add changes

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

* Update config/install/README.md

Co-authored-by: Rachel Lawton <[email protected]>

---------

Signed-off-by: David Martin <[email protected]>
Co-authored-by: Rachel Lawton <[email protected]>
Co-authored-by: David Martin <[email protected]>
  • Loading branch information
3 people authored Nov 14, 2024
1 parent 5e9176b commit 526b0c9
Show file tree
Hide file tree
Showing 33 changed files with 879 additions and 21 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ testbin/*
.vscode
*.swp
*.swo
*.env
*~
/kuadrant-operator
tmp
Expand Down
129 changes: 129 additions & 0 deletions config/install/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
# Install Kuadrant and Sail via OLM

## Prerequisites
- Clone the[ Kuadrant-operator](https://github.com/Kuadrant/kuadrant-operator) repo
- OLM (operator lifecycle manager)
- cert-manager
- [cert-manager Operator for Red Hat OpenShift](https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-operator-install.html)
- [installing cert-manager via OperatorHub](https://cert-manager.io/docs/installation/operator-lifecycle-manager/)
- AWS, Azure or GCP with DNS capabilities. (Optional)
- Accessible Redis instance, for persistent storage for your rate limit counters. (Optional)


> Note: By default the following guide will install the "latest" or "main" version of Kuadrant. To pick a specific version, change the image in the `config/deploy/install/standard/kustomization.yaml`. All versions available can be found on the Kuadrant operator [release page](https://github.com/Kuadrant/kuadrant-operator/releases)
> Note: for multiple clusters, it would make sense to do the installation via a tool like [argocd](https://argo-cd.readthedocs.io/en/stable/). For other methods of addressing multiple clusters take a look at the [kubectl docs](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
## Setup the environment

```
kubectl apply -k config/install/standard
```

Verify both Kuadrant and sail operators are installed. Note, that this can take a while. You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below:

```
kubectl get deployments -n kuadrant-system
# NAME READY UP-TO-DATE AVAILABLE AGE
# authorino-operator 1/1 1 1 83m
# dns-operator-controller-manager 1/1 1 1 83m
# kuadrant-console-plugin 1/1 1 1 83m
# kuadrant-operator-controller-manager 1/1 1 1 83m
# limitador-operator-controller-manager 1/1 1 1 83m
```



```
kubectl get deployments -n gateway-system
# NAME READY UP-TO-DATE AVAILABLE AGE
# istiod 1/1 1 1 61s
# sail-operator 1/1 1 1 81m
```

## Configure the installation

### TLS and DNS integration


Create the `$CLOUD_PROVIDER-credentials.env file` in the cloud provider directory `config/install/configure/$CLOUD_PROVIDER.` e.g. `aws-credentials.env` in the `config/install/configure/aws` directory. Apply the configuration for the desired cloud provider. Example AWS

```
kubectl apply -k config/install/configure/aws
```

This will configure Kuadrant and Sail to install their components, set the credentials needed to access DNS zones in the cloud provider, and create a Let's Encrypt cluster issuer configured to use DNS-based validation.

### Validate

Validate Kuadrant is ready via the kuadrant resource status condition

```
kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml
```

At this point Kuadrant is ready to use. Below are some additional configuration that can be applied.

### External Redis

create a `redis-credential.env` in the `config/install/configure/redis-storage` dir

```
kubectl apply -k config/install/configure/redis-storage
```

This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarily unavailable as it restarts.

### Validate

Validate Kuadrant is in a ready state as before:

```
kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml
```

## Set up observability

Verify that user workload monitoring is enabled in your Openshift cluster.
If it not enabled, check the [Openshift documentation](https://docs.openshift.com/container-platform/4.17/observability/monitoring/enabling-monitoring-for-user-defined-projects.html) for how to do this.


```bash
kubectl get configmap cluster-monitoring-config -n openshift-monitoring -o jsonpath='{.data.config\.yaml}'|grep enableUserWorkload
# (expected output)
# enableUserWorkload: true
```

Install the gateway & Kuadrant metrics components and configuration, including Grafana.

```bash
kubectl apply -k config/install/configure/observability
```

Configure the Openshift thanos-query instance as a data source in Grafana.

```bash
TOKEN="Bearer $(oc whoami -t)"
HOST="$(kubectl -n openshift-monitoring get route thanos-querier -o jsonpath='https://{.status.ingress[].host}')"
echo "TOKEN=$TOKEN" > config/observability/openshift/grafana/datasource.env
echo "HOST=$HOST" >> config/observability/openshift/grafana/datasource.env
kubectl apply -k config/observability/openshift/grafana
```

Create the example dashboards in Grafana

```bash
kubectl apply -k examples/dashboards
```

Access the Grafana UI, using the default user/pass of root/secret.
You should see the example dashboards in the 'monitoring' folder.
For more information on the example dashboards, check out the [documentation](https://docs.kuadrant.io/latest/kuadrant-operator/doc/observability/examples/).

```bash
kubectl -n monitoring get routes grafana-route -o jsonpath="https://{.status.ingress[].host}"
```
19 changes: 19 additions & 0 deletions config/install/configure/aws/cluster-issuer.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: lets-encrypt-aws
spec:
acme:
privateKeySecretRef:
name: le-secret
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- dns01:
route53:
accessKeyIDSecretRef:
key: AWS_ACCESS_KEY_ID
name: aws-credentials
region: us-east-1 #override if needed
secretAccessKeySecretRef:
key: AWS_SECRET_ACCESS_KEY
name: aws-credentials
26 changes: 26 additions & 0 deletions config/install/configure/aws/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

## NOTE YOU NEED TO CREATE A aws-provider-credentials.env file first!

resources:
- ../standard
- cluster-issuer.yaml

generatorOptions:
disableNameSuffixHash: true
labels:
app.kubernetes.io/part-of: kuadrant
app.kubernetes.io/managed-by: kustomize

secretGenerator:
- name: aws-provider-credentials
namespace: cert-manager
envs:
- aws-credentials.env
type: 'kuadrant.io/aws'
- name: aws-provider-credentials
namespace: gateway-system
envs:
- aws-credentials.env
type: 'kuadrant.io/aws'
25 changes: 25 additions & 0 deletions config/install/configure/azure/cluster-issuer.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
## TODO
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-azure
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
# email: $EMAIL_ADDRESS
privateKeySecretRef:
name: letsencrypt
solvers:
- dns01:
azureDNS:
clientID: AZURE_CERT_MANAGER_SP_APP_ID
clientSecretSecretRef:
# The following is the secret we created in Kubernetes. Issuer will use this to present challenge to Azure DNS.
name: azuredns-config
key: client-secret
subscriptionID: AZURE_SUBSCRIPTION_ID
tenantID: AZURE_TENANT_ID
resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP
hostedZoneName: AZURE_DNS_ZONE
# Azure Cloud Environment, default to AzurePublicCloud
environment: AzurePublicCloud
27 changes: 27 additions & 0 deletions config/install/configure/azure/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

## NOTE YOU NEED TO CREATE A azure-provider-credentials.env file first!

generatorOptions:
disableNameSuffixHash: true
labels:
app.kubernetes.io/part-of: kuadrant
app.kubernetes.io/managed-by: kustomize

secretGenerator:
- name: azure-provider-credentials
namespace: kuadrant-system
envs:
- azure-credentials.env
type: 'kuadrant.io/azure'
- name: azure-provider-credentials
namespace: cert-manager
envs:
- azure-credentials.env
type: 'kuadrant.io/azure'
- name: azure-provider-credentials
namespace: gateway-system
envs:
- azure-credentials.env
type: 'kuadrant.io/azure'
20 changes: 20 additions & 0 deletions config/install/configure/gcp/cluster-issuer.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
## TODO
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-gcp
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
# email: $EMAIL_ADDRESS
privateKeySecretRef:
name: letsencrypt
solvers:
- dns01:
cloudDNS:
# The ID of the GCP project
project: $PROJECT_ID
# This is the secret used to access the service account
serviceAccountSecretRef:
name: gcp-provider-credentials
key: key.json
27 changes: 27 additions & 0 deletions config/install/configure/gcp/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

## NOTE YOU NEED TO CREATE A gcp-provider-credentials.env file first!

generatorOptions:
disableNameSuffixHash: true
labels:
app.kubernetes.io/part-of: kuadrant
app.kubernetes.io/managed-by: kustomize

secretGenerator:
- name: gcp-provider-credentials
namespace: kuadrant-system
envs:
- gcp-credentials.env
type: 'kuadrant.io/gcp'
- name: gcp-provider-credentials
namespace: cert-manager
envs:
- gcp-credentials.env
type: 'kuadrant.io/gcp'
- name: gcp-provider-credentials
namespace: gateway-system
envs:
- gcp-credentials.env
type: 'kuadrant.io/gcp'
9 changes: 9 additions & 0 deletions config/install/configure/kitchen-sink/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../dns-aws
- ../dns-azure
- ../dns-gcp
- ../redis-storage
- ../tls-lets-encrypt
7 changes: 7 additions & 0 deletions config/install/configure/observability/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.6.0
- ../../../observability/openshift/
- ../../../observability/prometheus/monitors/
17 changes: 17 additions & 0 deletions config/install/configure/redis-storage/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- limitador.yaml

generatorOptions:
disableNameSuffixHash: true
labels:
app.kubernetes.io/part-of: kuadrant
app.kubernetes.io/managed-by: kustomize

secretGenerator:
- name: redis-credentials
namespace: kuadrant-system
envs:
- redis-credentials.env
type: 'kuadrant.io/aws'
10 changes: 10 additions & 0 deletions config/install/configure/redis-storage/limitador.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: limitador.kuadrant.io/v1alpha1
kind: Limitador
metadata:
name: limitador
namespace: kuadrant-system
spec:
storage:
redis:
configSecretRef:
name: redis-credentials
5 changes: 5 additions & 0 deletions config/install/configure/standard/kuadrant.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
name: kuadrant
namespace: kuadrant-system
5 changes: 5 additions & 0 deletions config/install/configure/standard/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- sail.yaml
- kuadrant.yaml
13 changes: 13 additions & 0 deletions config/install/configure/standard/sail.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
apiVersion: sailoperator.io/v1alpha1
kind: Istio
metadata:
name: default
spec:
namespace: gateway-system
updateStrategy:
type: InPlace
inactiveRevisionDeletionGracePeriodSeconds: 30
version: v1.23.0
values:
pilot:
autoscaleEnabled: false
5 changes: 5 additions & 0 deletions config/install/configure/tls-lets-encrypt/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- cluster-issuer.yaml
16 changes: 16 additions & 0 deletions config/install/standard/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
- sail-operator.yaml
- ../../deploy/olm

patches:
- patch: |-
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: kuadrant-operator-catalog
spec:
image: quay.io/kuadrant/kuadrant-operator-catalog:v1.0.0-rc4 #change this to the version you want to install
Loading

0 comments on commit 526b0c9

Please sign in to comment.